Plus: A nominee to lead CISA emerges, Elon Musk visits the NSA, a renowned crypto cracking firm’s secret (and problematic) cofounder is revealed, and more.

Knifings, firebombings, shootings, and murder-for-hire plots—all linked to a splinter group of the 764 crime network called “No Lives Matter.” According to its own manifesto, the group seeks to “purify mankind through endless attacks” and has released at least two “kill guides” tied to violent plots in the US and Europe. Intelligence documents reviewed by WIRED reveal growing concern among analysts, but experts remain unsure how to stop the group’s spread.

On Monday, X experienced intermittent outages after a botnet flooded the social network with junk traffic in an attempt to take down its system. Elon Musk stated that the distributed denial-of-service attack originated from Ukrainian IP addresses, implying that the country—already under siege by a Russian invasion and frequently mocked by the centibillionaire—may have been responsible. Security experts tell WIRED that this is not how DDoS attacks work.

Meanwhile, inside the Cybersecurity and Infrastructure Security Agency, mass layoffs are hurting US cyberdefense, weakening protections against foreign adversaries. Vital staff cuts have left employees overworked and strained international partnerships, according to interviews with staff at the agency that helps safeguard cities, businesses, and nonprofits from cyberattacks. “A lot of people are scared,” says one employee. “We’re waiting for that other shoe to drop. We don't know what's coming.” As WIRED takes you inside the agencies at the center of the uncertainty and chaos of the second Trump administration, we've updated our quick and easy guide to using Signal to help you get the most out of the messaging app’s end-to-end encryption.

That’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click on the headlines to read the full stories. And stay safe out there.

Those “green bubbles,” the cross-platform text messages that annoy iPhone owners and keep Android users relegated to a group-chat underclass, aren’t just a cultural disconnect. They’re also a security issue: Text messages sent between Android and iOS devices—unlike blue-bubble iMessage texts or Android-to-Android messages—aren’t end-to-end encrypted, leaving them open to surveillance or interception. Now, that may finally be changing.

The GSM Association, responsible for many widely used telecom standards, this week announced that its Rich Communication Services (or RCS) protocol will now support end-to-end encryption for cross-platform texting, and Apple revealed that it will now integrate that feature of RCS into its iOS devices. Until now, Apple and Google had both supported RCS’s other features in texts sent between iOS and Android, but not end-to-end encryption, which ensures that only the devices sending and receiving messages can decrypt them and not any server or snoop that sees them in transit.

Neither Apple nor the GSMA has said exactly when the new privacy features are launching. Until then, anyone sending cross-platform messages would be wise to stick with apps like WhatsApp or Signal that have long provided end-to-end encryption—and have also helped Android and iPhone users avoid personal disputes over bubble colors.

**Sean Plankey Nominated as Head of CISA, America’s Top Cybersecurity Agency**

The White House has tapped Sean Plankey to run CISA, the agency within the Department of Homeland Security primarily responsible for American digital defense. Plankey, long considered the leading contender for the role, served in multiple cybersecurity positions in the first Trump administration and previously held senior roles in US Cyber Command. In that DOD agency focused on cyber offense, he served as a weapons and tactics branch chief and earned a Bronze Star for hacking operations in Afghanistan. CISA, like many federal agencies, has faced hundreds of personnel cuts in recent weeks, and its previous director, Chris Krebs, came under harsh criticism under the previous Trump administration for the agency’s work to counter disinformation and secure elections. Krebs was fired in a Trump tweet near the end of his term after CISA described the 2020 election, whose results Trump baselessly contested, as the “most secure in American history.”

**Elon Musk Visits the National Security Agency**

Not even the National Security Agency has been spared from Elon Musk’s scorched-earth campaign to gut the federal government. On Wednesday, The Wall Street Journal reported that Musk had visited the intelligence agency in Fort Meade, meeting with leadership to discuss staff reductions and operational changes, according to current and former US officials who spoke to the Journal.

Despite being one of the most insulated branches of US intelligence, the NSA has still found itself pulled into Musk’s orbit. The visit to Fort Meade is another sign of the sweeping nature of his influence and the extraordinary access the world’s richest man has been granted over even the most secretive federal operations.

Last month, staff at the intelligence agency received emails offering deferred resignations, signaling impending changes. Then, a week ahead of his visit, Musk publicly called for an overhaul of the intelligence and cybersecurity agency. Posting to his social media site X, Musk wrote, “The NSA needs an overhaul,” alongside an apparent agency recruitment graphic featuring a group of college-aged people of color and a list of universities where the NSA was conducting outreach—seemingly mocking the agency’s recruitment efforts.

**A Buzzy Crypto Cracking Firm Had a Hidden CoFounder Accused of Sexual Assault**

The cryptocurrency recovery firm Unciphered has made headlines with its feats of whitehat wallet cracking on behalf of customers who have lost access to their cryptocurrency fortunes. In the fall of 2023, for instance, the company cracked a model of encrypted IronKey USB drive believed to hold 7,000-plus bitcoins now worth well over half a billion dollars. Now, The Washington Post reports that one of the cofounders of that company was Morgan Marquis-Boire, a once-lauded hacker and security researcher for Google and Citizen Lab who was later accused of sexually assaulting multiple women. The reported involvement of Marquis-Boire, who has largely disappeared from the cybersecurity world after facing the sex crime accusations in 2017, was kept secret from even many of the startup’s staff, and the revelations of his role have left the company in “disarray,” according to the Post.

**A Reporter Behind an Indian Hacker-for-Hire Story Is Fighting to Regain His Citizenship**

In November of 2023, Raphael Satter was one of a team of Reuters reporters who published an in-depth feature on Appin Technology, a startup that allegedly hacked numerous celebrity and civil society targets on behalf of clients. A group with a similar name responded by suing, and obtained a court ruling that for a time successfully censored Reuters’ story—a remarkable case of an Indian judge restricting free speech internationally. Satter is now fighting a different battle following publication of that story. In late 2023, his Overseas Citizen of India (OCI) card—a kind of international citizenship extended to foreign citizens of Indian origin and those married to Indians—was revoked around the same time as the judge filed the injunction. A letter sent to Satter in December of that year accused him of “maliciously creating adverse and biased opinion against Indian institutions in the international arena.” Satter is now petitioning a Delhi court to reverse that revocation, which has prevented him from entering India to visit family there.

End-to-End Encrypted Texts Between Android and iPhone Are Coming

The UK, France, Sweden, and EU have made fresh attacks on end-to-end encryption. Some of the attacks are more “crude” than those in recent years, experts say.

Over the past decade, encrypted communication has become the norm for billions of people. Every day, Signal, iMessage, and WhatsApp keep billions of messages, photos, videos, and calls private by using end-to-end encryption by default—while Zoom, Discord, and various other services all have options to enable the protection. But despite the technology’s mainstream rise, long-standing threats to weaken encryption keep piling up.

Over the past few months, there has been a surge in government and law enforcement efforts that would effectively undermine encryption, privacy advocates and experts say, with some of the emerging threats being the most “blunt” and aggressive of those in recent memory. Officials in the UK, France, and Sweden have all made moves since the start of 2025 that could undermine or eliminate the protections of end-to-end encryption, adding to a multiyear European Union plan to scan private chats and Indian efforts that could damage encryption.

These latest assaults on encryption come as intelligence agencies and law enforcement officials in the United States have recently backtracked on years of anti-encryption attitudes and now recommend that people use encrypted communication platforms whenever they can. The drastic shift in attitude followed the China-backed Salt Typhoon hacker group’s widespread breach of major US telecoms, and it comes as the second Trump administration ramps up potential surveillance of millions of undocumented migrants living in the US. Simultaneously, the administration has been straining longtime, crucial international intelligence-sharing agreements and partnerships.

“The trend is bleak,” says Carmela Troncoso, a longtime privacy and cryptography researcher and the scientific director at the Max-Planck Institute for Security and Privacy in Germany. “We see these new policies coming up as mushrooms trying to undermine encryption.”

End-to-end encryption is designed so only the sender and receiver of messages have access to their contents—governments, tech companies, and telecom providers can’t snoop on what people are saying. Those privacy and security guarantees have made encryption a target for law enforcement and governments for decades, because officials claim that the protection makes it prohibitively difficult to investigate urgent threats such as child sexual abuse material and terrorism.

As a result, governments around the world have frequently proposed technical mechanisms to bypass encryption and allow access to messages for investigations. Cryptographers and technologists have repeatedly and definitively warned, though, that any backdoor created to access end-to-end encrypted communications could be exploited by hackers or authoritarian governments, compromising everyone’s safety. Additionally, it is likely that criminals would find ways to continue to use self-made encryption tools to conceal their messages, meaning that backdoors in mainstream products would succeed at undermining protections for the public without eliminating its use by bad actors.

Broadly, the recent threats to encryption have come in three forms, says Namrata Maheshwari, the encryption policy lead at international nonprofit Access Now. First, there are those where governments or law enforcement agencies are asking for backdoors to be built into encrypted platforms to gain “lawful access” to content. At the end of February, for example, Apple pulled its encrypted iCloud backup system, called Advanced Data Protection, from use in the UK after the country’s lawmakers reportedly hit the Cupertino company with a secret order demanding Apple provide access to encrypted files. To do so, Apple would have had to create a backdoor. The order, which has been criticized by the Trump administration, is set to be challenged in a secret court hearing on March 14.

Meanwhile, lawmakers in Sweden are also considering legislation that would require encrypted messaging companies, such as Signal and WhatsApp, to keep copies of messages that people send on their platforms so they could allow law enforcement to access suspects’ histories. Signal has said it would pull out of Sweden if the potential law goes ahead. While in France earlier this year, a proposed amendment to a drug trafficking law outlined plans to require encrypted messaging services to hand over decrypted chat messages within 72 hours of a request or face fines of up to 2 percent of annual global revenue. This week, the proposal was reportedly scrapped, while some politicians said they supported the idea.

“We’re seeing some democracies revert back to very crude approaches to circumventing encryption that we maybe thought were something of the past,” Callum Voge, the director of governmental affairs and advocacy at nonprofit Internet Society, says of efforts that could require a backdoor to be created.

In January, the head of EU law enforcement agency Europol told the Financial Times that tech companies have a “social responsibility” to provide access to encrypted messages. “Anonymity is not a fundamental right,” Catherine De Bolle told the publication. The comments expanded upon a previous statement from European police chiefs saying “we do not accept that there need be a binary choice between cybersecurity or privacy on the one hand and public safety on the other.”

The second threat, Maheshwari says, relates to an increase in proposals related to a technology known as “client-side scanning.” The process, which is sometimes called “on-device scanning,” involves scanning messages locally on a person’s device before they are encrypted, and comparing them against a database of prohibited content that is held elsewhere. Client-side scanning is an effort to contort encryption backdoors into something more palatable to privacy proponents by keeping people’s personal data on their own devices.

Ultimately, though, cryptographers and digital rights advocates have repeatedly warned that client-side scanning does not sidestep the fundamental dangers posed by creating a way for a third party to access encrypted data. The Internet Society’s Voge describes such efforts as a more “sophisticated” way that democracies have been trying to circumvent encryption in recent years.

For instance, politicians in the EU have been fiercely debating plans to scan billions of messages for potential child sexual abuse material using client-side scanning for more than three years. The unresolved debates have proved highly controversial, with multiple countries pushing to weaken encryption. “Scanning for one type of content, for instance, opens the door for bulk surveillance and could create a desire to search other encrypted messaging systems across content types,” Apple officials said in a letter first reported by WIRED in August 2023, after the company ditched its own, separate plans to introduce a form of client-side scanning on iPhones.

“It’s very divided in Europe, \[there are\] countries strongly in favor of scanning and countries strongly against it as well,” Voge says of the EU’s long-running chat monitoring plans. In May 2023, WIRED obtained leaked documents that stated many European countries’ positions on encryption. At the time, Spanish officials said they would like to prevent end-to-end encryption entirely in the EU, while many others were in favor of scanning people’s messages. Other countries, such as Germany, were against weakening encryption. Dutch political documentation says the country’s intelligence agency, AIVD, considers client-side scanning to be “too great a security risk for the digital resilience of the Netherlands.”

Finally, Maheshwari says, there is always the looming threat of potential bans or blocks for encrypted services. Toward the end of 2024, Russian officials blocked access to Signal amid the country’s ongoing full-scale war against Ukraine and widescale efforts to censor and control information environments. India has an ongoing lawsuit against WhatsApp, which could threaten its ability to operate in the country or necessitate that the platform retreat from end-to-end encryption in that market. Maheshwari also points out that while all virtual private networks do not specifically use end-to-end encryption, India has already banned multiple VPN services.

While each potential proposal that could undermine encryption is slightly different, the Internet Society’s Voge says that they’ve been met with some “stronger” pro-encryption voices coming from government or law enforcement services around the world, particularly when it comes to protecting national security.

In December, two officials from the US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI, encouraged more people to use encrypted communications systems after China’s Salt Typhoon hackers gained deep access to US telecoms providers, exposing unencrypted calls and texts. “Encryption is your friend, whether it’s on text messaging or if you have the capacity to use encrypted voice communication,” one of the officials said.

Voge points out that as well as CISA and the FBI’s calls to use encrypted messaging, the Swedish armed forces has specifically cleared Signal for use with unclassified material, saying it can stop messages and calls from being intercepted by third parties.

Ahead of the UK’s March 14 legal hearing about the backdoor order reportedly made to Apple, US senators and privacy groups urged there to be more transparency about the demands and the risks to global encryption it presents. A bipartisan group of five members of Congress said the “cloak of secrecy” should be removed.

UK civil liberties groups Privacy International and Liberty also filed legal challenges over the secrecy of the proceedings. “While the UK Government seems to have come for Apple today, tomorrow it may be any other big tech companies, such as Google and Microsoft, and the day after it could be Signal, your VPN Provider, Proton and others,” Privacy International said in a statement.

Ultimately, Access Now’s Maheshwari says, efforts to defend encryption will almost certainly continue, as they have for decades, to protect people’s human rights.

“Encryption right now is exceptionally important because it's a crucial enabler of the full spectrum of human rights,” Maheshwari says. “It’s not just privacy. It is what enables you to speak freely, to exercise your freedom of expression, to organize, to assemble, to associate.”

A New Era of Attacks on Encryption Is Starting to Heat Up

Employees at the Cybersecurity and Infrastructure Security Agency tell WIRED they’re struggling to protect the US while the administration dismisses their colleagues and poisons their partnerships.

Mass layoffs and weak leadership are taking a severe toll on the US government’s cyber defense agency, undermining its ability to protect America from foreign adversaries bent on crippling infrastructure and ransomware gangs that are bleeding small businesses dry.

Inside the Cybersecurity and Infrastructure Security Agency, vital support staff are gone, international partnerships have been strained, and workers are afraid to discuss threats to democracy that they’re now prohibited from countering. Employees are even more overworked than usual, and new assignments from the administration are interfering with important tasks. Meanwhile, CISA’s temporary leader is doing everything she can to appease President Donald Trump, infuriating employees who say she’s out of touch and refusing to protect them.

“You've got a lot of people who … are looking over their shoulder as opposed to looking at the enemy right now,” says one CISA employee.

As the Trump administration’s war on the federal bureaucracy throws key agencies into chaos, CISA’s turmoil could have underappreciated consequences for national security and economic prospects. The agency, part of the Department of Homeland Security, has steadily built a reputation as a nonpartisan source of funding, guidance, and even direct defensive support for cities, businesses, and nonprofits reeling from cyberattacks. That mission is now under threat, according to interviews with seven CISA employees and another person familiar with the matter, all of whom requested anonymity to avoid reprisals.

“Our enemies are not slowing their continuous assaults on our systems,” says Suzanne Spaulding, who led CISA’s predecessor during the Obama administration. “We need all hands on deck and focused, not traumatized and distracted.”

**Talent Exodus**

CISA’s mission has grown significantly since its creation in 2018. Established mainly to defend government networks, the agency increasingly embraced new roles supporting private companies and state governments, advocating for secure software, and cooperating with foreign partners. This helped CISA raise its profile and gain credibility. But now, following several rounds of layoffs and new restrictions from the Trump administration, the agency is struggling to sustain its momentum.

The extent of the cuts at CISA is still unclear—employees are only learning about the loss of colleagues through word of mouth—but multiple employees estimate that, between the layoffs and the Office of Personnel Management’s deferred-resignation program, CISA has lost between 300 and 400 staffers—roughly 10 percent of its 3,200-person workforce. Many of those people were hired through DHS’s Cybersecurity Talent Management System (CTMS), a program designed to recruit experts by competing with private-sector salaries. As a result, they were classified as probationary employees for three years, making them vulnerable to layoffs. These layoffs at CISA also hit longtime government workers who had become probationary by transferring into CTMS roles.

Key employees who have left include Kelly Shaw, who oversaw one of CISA’s marquee programs, a voluntary threat-detection service for critical infrastructure operators; David Carroll, who led the Mission Engineering Division, the agency’s technological backbone; and Carroll’s technical director, Duncan McCaskill. “We've had a very large brain drain,” an employee says.

The departures have strained a workforce that was already stretched thin. “We were running into \[a\] critical skills shortage previously,” says a second employee. “Most people are and have been doing the work of two or more full-time \[staffers\].”

The CISA team that helps critical infrastructure operators respond to hacks has been understaffed for years. The agency added support positions for that team after a Government Accountability Office audit, but “most of those people got terminated,” a third employee says.

CISA’s flagship programs have been mostly unscathed so far. That includes the threat-hunting branch, which analyzes threats, searches government networks for intruders, and responds to breaches. But some of the laid-off staffers provided crucial “backend” support for threat hunters and other analysts. “There's enhancements that could be made to the tools that they're using,” the first employee says. But with fewer people developing those improvements, “we're going to start having antiquated systems.”

In a statement, DHS spokesperson Tricia McLaughlin says CISA remains “committed to the safety and security of the nation’s critical infrastructure” and touted “the critical skills that CISA experts bring to the fight every day.”

National Security Council spokesperson James Hewitt says the reporting in this story is “nonsense,” adding that “there have been no widespread layoffs at CISA and its mission remains fully intact.”

“We continue to strengthen cybersecurity partnerships, advance AI and open-source security, and protect election integrity,” Hewitt says. “Under President Trump’s leadership, our administration will make significant strides in enhancing national cybersecurity.”

**Partnership Problems**

CISA’s external partnerships—the cornerstone of its effort to understand and counter evolving threats—have been especially hard-hit.

International travel has been frozen, two employees say, with trips—and even online communications with foreign partners—requiring high-level approvals. That has hampered CISA’s collaboration with other cyber agencies, including those of “Five Eyes” allies Canada, Australia, New Zealand, and the UK, staffers say.

CISA employees can’t even communicate with people at other federal agencies the way they used to. Previously routine conversations between CISA staffers and high-level officials elsewhere now need special permissions, slowing down important work. “I can’t reach out to a CISO about an emergency situation without approval,” a fourth employee says.

Meanwhile, companies have expressed fears about sharing information with CISA and even using the agency’s free attack-monitoring services due to DOGE’s ransacking of agency computers, according to two employees. “There is advanced concern about all of our services that collect sensitive data,” the third employee says. “Partners \[are\] asking questions about what DOGE can get access to and expressing concern that their sensitive information is in their hands.”

“The wrecking of preestablished relationships will be something that will have long-lasting effects,” the fourth employee says.

CISA’s Joint Cyber Defense Collaborative, a high-profile hub of government-industry cooperation, is also struggling. The JCDC currently works with more than 300 private companies to exchange threat information, draft defensive playbooks, discuss geopolitical challenges, and publish advisories. The unit wants to add hundreds more partners, but it has “had difficulty scaling this,” the first employee says, and recent layoffs have only made things worse. Contractors might be able to help, but the JCDC’s “vendor support contracts run out in less than a year,” the employee says, and as processes across the government have been frozen or paused in recent weeks, CISA doesn’t know if it can pursue new agreements. The JCDC doesn't have enough federal workers to pick up the slack, the fourth CISA employee says.

With fewer staffers to manage its relationships, the JCDC confronts a perilous question: How should it focus its resources without jeopardizing important visibility into the threat landscape? Emphasizing ties with major companies might be more economical, but that would risk overlooking mid-sized firms whose technology is quietly essential to vital US industries.

“CISA continuously evaluates how it works with partners,” McLaughlin says, “and has taken decisive action to maximize impact while being good stewards of taxpayer dollars and aligning with Administration priorities and our authorities.”

**Gutting Security Advocacy**

Other parts of CISA’s mission have also begun to atrophy.

During the Biden administration, CISA vowed to help the tech industry understand and mitigate the risks of open-source software, which is often poorly maintained and has repeatedly been exploited by hackers. But since Trump took office, CISA has lost the three technical luminaries who oversaw that work: Jack Cable, Aeva Black, and Tim Pepper. Open-source security remains a major challenge, but CISA’s efforts to address that challenge are now rudderless.

The new administration has also frozen CISA’s work on artificial intelligence. The agency had been researching ways to use AI for vulnerability detection and networking monitoring, as well as partnering with the private sector to study AI risks. “About 50 percent of \[CISA’s\] AI expert headcount has been let go,” says a person familiar with the matter, which is “severely limiting” CISA’s ability to help the US Artificial Intelligence Safety Institute test AI models before deployment.

The administration also pushed out CISA’s chief AI officer, Lisa Einstein, and closed down her office, the person familiar with the matter says. Einstein’s team oversaw CISA’s use of AI and worked with private companies and foreign governments on AI security.

A large team of DHS and CISA AI staffers was set to accompany Vice President JD Vance to Paris in February for an AI summit, but those experts “were all pulled back” from attending, according to a person familiar with the matter.

**‘Nefarious’ Retribution**

CISA staffers are still reeling from the agency’s suspension of its election security program and the layoffs of most people who worked on that mission. The election security initiative, through which CISA provided free services and guidance to state and local officials and worked with tech companies to track online misinformation, became a target of right-wing conspiracy theories in 2020, which marked it for death after Trump’s return to the White House.

The program—on hold pending CISA’s review of a recently completed internal assessment—was a tiny part of CISA’s budget and operations, but the campaign against it has alarmed agency employees. “This is definitely in the freak-out zone,” says the first employee, who adds that CISA staffers across the political spectrum support the agency’s efforts to track online misinformation campaigns. “All of us recognize that this is a common deception tactic of the enemy.”

The election security purge rippled across the agency, because some of the laid-off staffers had moved from elections to other assignments or were simultaneously working on both missions. Geoff Hale, who led the elections team between 2018 and 2024, was serving as the chief of partnerships at the JCDC when he was placed on administrative leave, setting off a scramble to replace him.

The removal of Hale and his colleagues “was the start to a decline in morale” at CISA, according to the second employee. Now, staffers are afraid to discuss certain topics in public forums: “No one's going to talk about election security right now,” the first employee says.

“The fact that there’s retribution from the president … is kind of frightening,” this employee adds. “A very nefarious place to be.”

**Abandoned and Demoralized**

The layoffs, operational changes, and other disruptions at CISA have severely depleted morale and undermined the agency’s effectiveness. “Even simple tasks feel hard to accomplish because you don't know if your teammates won't be here tomorrow,” says the fourth employee.

The biggest source of stress and frustration is acting CISA director Bridget Bean, a former Trump appointee who, employees say, appears eager to please the president even if it means not defending her agency. Bean “just takes whatever comes down and implements \[it\] without thought of how it will affect \[CISA’s\] mission,” the fifth employee says. Employees describe her as a poor leader and ineffective communicator who has zealously enacted Trump’s agenda. In town-hall meetings with employees, Bean has said CISA must carefully review its its authorities and urged staffers to “assume noble intent” when dealing with Trump officials. While discussing Elon Musk’s mass-buyout program, she allegedly said, “I like to say ‘Fork in the Road’ because it's kind of fun,.” according to the fourth employee. She was so eager to comply with Musk’s “What did you do last week?” email that she instructed staffers to respond to it before DHS had finalized its department-wide approach. DHS later told staff not to respond, and Bean had to walk back her directive.

“Bean feels like she's against the workforce just to please the current administration,” the second employee says. The fourth employee describes her as “not authentic, tone-deaf, spineless, \[and\] devoid of leadership.”

McLaughlin, the DHS spokesperson, says CISA “is not interested in ad hominem attacks against its leadership,” which she says “has doubled down on openness and transparency with the workforce.”

The return-to-office mandate has also caused problems. With all employees on-site, there isn’t enough room in CISA’s offices for the contractors who support the agency’s staff. That has made it “very difficult” to collaborate on projects and hold technical discussions, according to the first employee. “There wasn’t much thought about \[RTO’s\] impact to operations,” says the fourth employee. According to a fifth employee, “executing some of our sensitive operations is now harder.” (“CISA has worked tirelessly to make the return to office as smooth as possible from space to technology,” McLaughlin says.)

Employees are dealing with other stressors, too. They have no idea who’s reading their Musk-mandated performance reports, how they’re being evaluated, or whether AI is analyzing them for future layoffs. And there’s a lot of new paperwork. “The amount of extra shit we have to do to comply with the ‘efficiency measures’ … \[takes\] a lot of time away from doing our job,” says the fifth employee.

**Bracing for More**

When Trump signed the bill creating CISA in November 2018, he said the agency’s workforce would be “on the front lines of our cyber defense” and “make us, I think, much more effective.” Six and a half years later, many CISA employees see Trump as the biggest thing holding them back.

“This administration has declared psychological warfare on this workforce,” the fourth employee says.

With CISA drawing up plans for even larger cuts, staffers know the chaos is far from over.

“A lot of people are scared,” says the first employee. “We’re waiting for that other shoe to drop. We don't know what's coming.”

Entire wings of CISA—like National Risk Management Center and the Stakeholder Engagement Division—could be on the chopping block. Even in offices that survive, some of the government’s most talented cyber experts—people who chose public service over huge sums of money and craved the lifestyle of CISA’s now-eliminated remote-work environment—are starting to see their employment calculus differently. Some of them will likely leave for stabler jobs, further jeopardizing CISA’s mission. “What is the organization going to be capable of doing in the future?” the first employee asks.

If Trump’s confrontational foreign-policy strategy escalates tensions with Russia, China, Iran, or North Korea, it’s likely those nations could step up their use of cyberattacks to exact revenge. In that environment, warns Nitin Natarajan, CISA’s deputy director during the Biden administration, weakening the agency could prove very dangerous.

“Cuts to CISA’s cyber mission,” Natarajan says, “will only negatively impact our ability to not only protect federal government networks, but those around the nation that Americans depend on every day.”

‘People Are Scared’: Inside CISA as It Reels From Trump’s Purge

“No Lives Matter” has emerged in recent months as a particularly violent splinter group within the extremist crime network known as Com and 764, and experts are at a loss for how to stop its spread.

The kids are all grown up. In the face of international law enforcement pressure, dozens of prosecutions, and worldwide disrepute, the network of young sadists, misanthropes, child predators, and extortionists known as Com and 764 has not shrunk away into obscurity.

Rather, its members have progressed from online extortion and crimes related to child sexual abuse material, to real-world violence, a trajectory that alarms extremism researchers and government officials alike. Knifings, killings, firebombings, drive-by shootings, school shootings, and murder-for-hire plots in North America and Europe have all been connected to a splinter group called “No Lives Matter” that, per the group’s own manifesto, “idolizes death” and “seeks the purification of all mankind through endless attacks.” The group has released at least two “kill guides” that have been connected to violent attacks and plots in Europe and the United States.

The US Department of Justice classifies Com and 764 as a “Tier One” terrorism threat, the highest priority afforded to an extremist group, ideology, or tendency in American law enforcement’s internal rubric. Intelligence documents reviewed by WIRED show a stream of concern from analysts about the group’s harm to juvenile exploitation victims and the growing exhortations to physical violence that embody the No Lives Matter ethos.

However, the phenomenon has proved incredibly hard to combat due to a lack of coherent structure or ideology. Along with the insidious neo-Nazi propaganda group the Terrorgram Collective, over the past four years, Com/764 has morphed into a twisted amalgam of the Columbine Effect and older domestic terror groups like the Atomwaffen Division: Young extortionists and assailants egg each other on to progressively more lurid and debased acts of violence for the sake of internet notoriety and status.

In response, Western governments have employed terrorism charges against young people accused of conspiring to kill homeless people or phoning in bomb threats to schools and religious institutions beyond their own borders. In the United Kingdom, the Crown Prosecution Service recently secured a six-year prison term for 19-year-old Cameron Finnegan, who went by the handle “Acid,” for a raft of 764-related offenses, including possessing CSAM, urging young people to kill themselves, and possessing a “kill manual” authored by No Lives Matter adherents, replete with viable instructions for carrying out lethal attacks with knives, firearms, and vehicles.

"We want to make the public aware of \[Com/764\]," Detective Chief Superintendent Claire Finlay, the head of Counter Terrorism Policing Southeast, told the BBC following Finnegan’s guilty plea in January. "The threat that they pose, not just within the United Kingdom but globally, is immense."

According to senior DOJ officials who were granted anonymity to speak about internal law enforcement matters, the feds have come across related cases in every field office in the US. US authorities are so hell-bent on pursuing this trend that they are trying to extradite a 17-year-old Romanian boy who prosecutors at the Southern District of New York claim took part in exploiting minors and soliciting and distributing CSAM. The teenager also faces US terrorism charges for allegedly phoning in several hundred bomb threats to dozens of schools and institutions in the US as part of 764 and its splinter groups, according to information obtained by this reporter.

"We’ve seen a lot of hybrid movements and ideologies, new trends that we can’t categorize under the traditional categories,” says Bàrbara Molas, a senior analyst at RAND Europe who specializes in far-right extremism and who testified as an expert witness for the prosecution in Finnegan’s recent Com/764-related case.

For Molas, Com/764 represents that type of hybridity, where participants in the network will pick and choose elements from a series of discrete ideologies—neo-Nazism; the satanist group Order of Nine Angles, which has become prevalent throughout the most transgressive spheres of the transnational far right; Ted-Kaczynski-inspired neo-Luddism—and assemble their own belief pantheon.

“When 764 was only about CSAM, their targets tended to be women—but specifically women from diminished social groups, who were seen as the weak party of society,” Molas says. “That ideal of imposing violence on this part of society has carried on and become more violent.” When members of the network commit violence in the name of the group, Molas says, it “helps them rise within the group and advance the larger cause, which is to change society through violence and chaos.”

The lodestar for this transition towards wanton violence is a German teenager named Nino Luciano, who went by the handle “Tobbz” within 764. Sent to live in a foster home in Romania because his mental illnesses overwhelmed the capacity of institutions in his home country, Tobbz was drawn into 764 during the Covid-19 pandemic and quickly became enthralled with the group, daubing its name on a wall in his room and tattooing himself with “764” and a septagram from the Order of Nine Angles. In March 2022, he committed and livestreamed a series of knife attacks, stabbing an elderly woman to death and severely wounding an old man. He was convicted in August 2023 and is serving 14 years in prison.

Tobbz’s behavior inspired other young extremists in the Com/764 network, who have since either tried to emulate his livestreamed attacks or commit similar acts of violence to boost their notoriety and status within their extremist peer group. No Lives Matter’s exhortations to commit mass casualty events and distribution of detailed guides to violence are patterned off Tobbz’s example, according to experts who’ve studied the network.

Baron Martin, a resident of Tucson, Arizona, was charged in federal court with cyberstalking and sexual exploitation of a child that included the production of CSAM. According to court records, the government also accused Martin of soliciting the murder of the grandmother of one of his victims under the handle “Convict.” He allegedly sent the following message to a Discord server, court records show: “know anyone in \[state\] thats willing to do kidnappings or shootings...i need someone to tobbz a grandma. Somebody wanted to dox one of my egirls. now I’m getting their grandma merked.” The use of “Tobbz” as a synonym for murder was not casual: Martin allegedly offered to pay another user to carry out the hit, which was never realized.

According to court documents, Martin, through his handle, was connected to authoring a detailed guide widely distributed in 764’s channels on how to groom victims for extortion, which the FBI claims Martin bragged online was “the catalyst for thousands of extortions.” (Martin has pleaded not guilty.)

Molas, of RAND Europe, says Martin’s alleged path from extortion to soliciting a homicide traces a familiar path of transgressive behavior often seen in Com/764’s online world. “They’ll start with little acts of sin—shoplifting, then robberies, abuse of minors, weapons violations, then all the way up to kidnapping and murder,” Molas says.

In mid-February, Jairo Tinajero, a 25-year-old Arkansas man who took part in the 764 splinter group 8884, pleaded guilty to CSAM and conspiracy charges for extorting an underage girl in Louisville, Kentucky. According to his plea agreement, Tinajero confessed to plotting to kill the girl once she stopped complying with him, posting her address and personal information about her and her family family in 764’s servers, unsuccessfully trying to buy an assault rifle, and talking through a murder plot with other 764 members.

Tinajero also admitted taking part in 764 online chats where prior mass casualty attacks were discussed along with “future attacks on heavily populated areas such as malls or other large gatherings, LGBTQ+ events and gatherings, schools, public places, government buildings and police stations” with the intent to “destabilize society and cause the collapse of governments and rule of law.”

Most recently, neo-Nazi Aidan Harding’s inspiration from 764 was brought up during a mid-February federal court hearing for CSAM possession charges. In addition to participating in public actions with a number of Pittsburgh-area extremist groups, prosecutors claimed that Harding and another man were deeply interested in the Columbine massacre, visiting the memorial in Littleton, Colorado, and posing for a photo in front of a swastika flag while dressed as Dylan Klebold and Eric Harris. “Eric and Dylan were kickstarting a revolution,” Harding wrote in a message, which prosecutors showed in court. Harding and the other man, who hasn’t been charged, also discussed carrying out mass shootings through Instagram direct messages, which were presented in court. “The only thing holding me back is a partner … I don’t want to do it alone or die alone,” Harding wrote.

According to two researchers who attended Harding’s three-and-a-half-hour court appearance related to probable cause on February 12, an FBI agent claimed during questioning that investigators found reams of videos depicting children being raped, ultraviolent videos of executions, and the extremist mass shootings in Buffalo, Nashville, and Columbine, along with a photo on Harding’s phone of a phrase daubed in blood: “I sold my soul to 764,” above a swastika and a Lviathan cross often used by 764. Another photo, handed up to the judge and not shown in court, depicted the naked chest of a young girl wearing a cross, with the words “No Lives Matter” carved into her body with a sharp instrument.” Harding has pleaded not guilty.

The crimes described in court cases this year follow a months-long surge in No Lives Matter–related violence. In October, authorities claim, a 14-year-old Swede committed eight attacks on unsuspecting passersby in Stockholm. The attacker, per national broadcaster SVT, took part in 764 and went by the handle “Slain” in the group. Documents circulated by 764 participants on Telegram and elsewhere claim “Slain764” as one of their own, and identify Sweden, the UK, and Bulgaria as countries where their group has a presence.

In mid-February, Italian police arrested a 15-year-old boy on suspicion of planning to murder a homeless man and livestream the act. Police said the teenager was reportedly involved in 764 and faces charges for explosives possession and possession of CSAM material. Italian authorities claim he planned his actions as part of a “week of terror” along with unspecified colleagues.

There is also evidence of 764’s praxis and imagery merging with that of the Terrorgram Collective, a neo-Nazi propaganda network that aims to radicalize young people and inspire solo acts of sabotage and mass murder.

Solomon Henderson, a Tennessee teenager whom police said shot up his high school last month, posted a sprawling manifesto that referenced both mass shooters inspired by Terrorgram as well as homicidal 764 members, including Tobbz. Henderson’s social media accounts also show extensive imagery from 764’s channels as well as the Order of Nine Angles “The influence I see most heavily in that agenda is the Order of Nine Angles,” Molas says.

That confluence of extremist inspirations is highly unpredictable, and may prove influential: There is reportedly evidence that social media accounts connected to Henderson may have communicated with accounts linked to Natalie “Samantha” Rupnow, a young Wisconsin woman who killed two and wounded classmates in a mid-December shooting at her school before dying by suicide. Earlier in December, a high school student in Guadalajara, Mexico, livestreamed an axe attack on his classmates before they were able to subdue him. The young man’s social media posts were rife with O9A influence, including photos of himself with butchered animals and another with a blood pact, a common O9A practice.

The Violent Rise of ‘No Lives Matter’

Elon Musk said a “massive cyberattack” disrupted X on Monday and pointed to “IP addresses originating in the Ukraine area” as the source of the attack. Security experts say that's not how it works.

The social network X suffered intermittent outages on Monday, a situation owner Elon Musk attributed to a “massive cyberattack.” Musk said in an initial X post that the attack was perpetrated by “either a large, coordinated group and/or a country.” In a post on Telegram, a pro-Palestinian group known as Dark Storm Team took credit for the attacks within a few hours. Later on Monday, though, Musk claimed in an interview on Fox Business Network that the attacks had come from Ukrainian IP addresses.

Web traffic analysis experts who tracked the incident on Monday were quick to emphasize that the type of attacks X seemed to face—distributed denial-of-service, or DDoS, attacks—are launched by a coordinated army of computers, or a “botnet,” pummeling a target with junk traffic in an attempt to overwhelm and take down its systems. Botnets are typically dispersed around the world, generating traffic with geographically diverse IP addresses, and they can include mechanisms that make it harder to determine where they are controlled from.

“It’s important to recognize that IP attribution alone is not conclusive. Attackers frequently use compromised devices, VPNs, or proxy networks to obfuscate their true origin," says Shawn Edwards, chief security officer of the network connectivity firm Zayo.

X did not return WIRED's requests for comment about the attacks.

Multiple researchers tell WIRED that they observed five distinct attacks of varying length against X's infrastructure, the first beginning early Monday morning with the final burst on Monday afternoon.

The internet intelligence team at Cisco's ThousandEyes tells WIRED in a statement, “During the disruptions, ThousandEyes observed network conditions that are characteristic of a DDoS attack, including significant traffic loss conditions which would have hindered users from reaching the application.”

DDoS attacks are common, and virtually all modern internet services experience them regularly and must proactively defend themselves. As Musk himself put it on Monday, “We get attacked every day.” Why, then, did these DDoS attacks cause outages for X? Musk said it was because “this was done with a lot of resources,” but independent security researcher Kevin Beaumont and other analysts see evidence that some X origin servers, which respond to web requests, weren't properly secured behind the company's Cloudflare DDoS protection and were publicly visible. As a result, attackers could target them directly. X has since secured the servers.

“The botnet was directly attacking the IP and a bunch more on that X subnet yesterday. It's a botnet of cameras and DVRs,” Beaumont says.

A few hours after the final attack concluded, Musk told Fox Business host Larry Kudlow in an interview, “We're not sure exactly what happened, but there was a massive cyberattack to try to bring down the X system with IP addresses originating in the Ukraine area.”

Musk has mocked Ukraine and its president, Volodymyr Zelensky, repeatedly since Russia invaded its neighbor in February 2022. A major campaign donor to President Donald Trump, Musk now heads the so-called Department of Government Efficiency, or DOGE, which has razed the US federal government and its workforce in the weeks since Trump's inauguration. Meanwhile, the Trump administration has recently warmed relations with Russia and moved the US away from its longtime support of Ukraine. Musk has already been involved in these geopolitics in the context of a different company he owns, SpaceX, which operates the satellite internet service Starlink that many Ukrainians rely on.

DDoS traffic analysis can break down the firehose of junk traffic in different ways, including by listing the countries that had the most IP addresses involved in an attack. But one researcher from a prominent firm, who requested anonymity because they are not authorized to speak about X, noted that they did not even see Ukraine in the breakdown of the top 20 IP address origins involved in the X attacks.

If Ukrainian IP addresses did contribute to the attacks, though, numerous researchers say that the fact alone is not noteworthy.

“What we can conclude from the IP data is the geographic distribution of traffic sources, which may provide insights into botnet composition or infrastructure used,” Zayo’s Edwards says. “What we can’t conclude with certainty is the actual perpetrator’s identity or intent.”

_Additional reporting by Zoë Schiffer._

What Really Happened With the DDoS Attacks That Took Down X

Plus: The world’s “largest illicit online marketplace” gets hit by regulators, police seize the Garantex crypto exchange, and scammers trick targets by making up ransomware attacks.

As Donald Trump’s administration continues its relentless reorganization of the United States federal government, documents obtained by WIRED showed this week that the Department of Defense is looking at cutting as much as three-quarters of its workforce that’s specifically focused on stopping proliferation of chemical, biological, and nuclear weapons. Meanwhile, the US Army is using its “CamoGPT” AI tool to “review” diversity, equity, inclusion, and accessibility policies per Trump administration orders. The military originally developed the AI service to improve productivity and operational readiness.

US civil liberties organizations are pushing the director of national intelligence. Tulsi Gabbard, to declassify details about Section 702 of the Foreign Intelligence Surveillance Act—a central overseas wiretap authority that is notorious for also capturing a large number of calls, texts, and emails made or sent by Americans. And the US Justice Department on Wednesday charged 10 alleged hackers and two Chinese government officials over digital crimes spanning more than a decade as part of China’s extensive hack-for-hire ecosystem.

Ongoing analysis from a consortium of researchers led by Human Security found that at least a million low-price Android devices, like TV streaming boxes and tablets, have been compromised as part of a scamming and ad fraud campaign known as Badbox 2.0. The activity, which the researchers say comes out of China, is an evolution of a previous effort to backdoor similar devices.

And there's more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**Cybercriminals Allegedly Used a Backdoor to Steal Taylor Swift Tickets**

Two people who allegedly worked as part of a group to access nearly 1,000 tickets to concerts and other events—many for Taylor Swift’s Eras Tour—before selling them on for more than $600,000 profit were arrested and charged with the potential crimes in Queens this week. Tyrone Rose, 20, and Shamara P. Simmons, 31, of Jamaica, Queens, were arrested and arraigned in connection to the theft and sales, according to Queens district attorney Melinda Katz.

Between June 2022 and July 2023, it is alleged that 350 orders—totaling 993 tickets—on ticketing platform StubHub were accessed at a third-party contractor called Sutherland. “The Sutherland employees, defendant Tyrone Rose and an unapprehended accomplice, allegedly used their access to StubHub’s computer system to find a backdoor into a secure area of the network where already sold tickets were given a URL and queued to be emailed to the purchaser to download,” the district attorney’s office wrote in a statement.

They then emailed URLs to another accomplice who has since died, the office says, before posting the tickets to StubHub for resale. While the investigations are ongoing, the District Attorney’s office claimed the proceeds of the cybercrime totaled around $635,000 and also involved tickets for Ed Sheeran concerts, NBA games, and the US Open Tennis Championships.

**Payment Provider Linked to ‘Largest Illicit Online Marketplace’ Loses Banking License**

Every year, criminals make billions from the operations of highly organized scam compounds in Southeast Asia. As these operations have grown in sophistication, so has the wider ecosystem that supplies them with the technology and services needed to run the scams. And experts say there’s no bigger marketplace than Huione Guarantee—a Cambodian gray market selling scam services that researchers claim has facilitated more than $24 billion in transactions.

This week, according to a report by Radio Free Asia, the banking arm of Huione Guarantee’s parent company, Huione Group, had its financial license suspended by officials in Cambodia. According to the report, the Huione Pay service had its license withdrawn for failing to comply with “existing regulations.” The United Nations Office on Drugs and Crime and crypto tracing firm Elliptic previously had linked money moving through Huione Pay to cyberscamming. “They are willing facilitators of pig butchering and other fraud, so any regulatory action against them should be welcomed,” Elliptic founder Tom Robinson claimed to Radio Free Asia.

**Russian Cryptocurrency Exchange Garantex Taken Down in Law Enforcement Action**

The US Department of Justice announced an operation this week with Germany and Finland to disrupt the digital infrastructure behind notorious Russian cryptocurrency exchange Garantex. For years, the platform has allegedly been used for money laundering and other criminal transactions, including sanctions evasion. The DOJ claimed in its announcement that “transnational criminal organizations—including terrorist organizations” have utilized the exchange. Law enforcement said that the platform has processed at least $96 billion in cryptocurrency transactions since April 2019. US authorities said they froze over $26 million in funds used to facilitate money laundering as part of the Garantex takedown.

**Scammers Are Impersonating Notorious Ransomware Attackers to Extort Targets**

The FBI warned this week that scammers pretending to be attackers from the BianLian ransomware gang are demanding ransoms from corporate executives in the US. The demands include claims that the group has breached a company’s network and threaten to publish sensitive information unless a target pays up. Such criminal digital extortion is common enough that scammers apparently feel that they can plausibly make the claims and intimidate targets without even attacking them. The FBI says that the scammers’ ransom demands say that they come from BianLian and range from $250,000 to $500,000 payable via a QR code that links to a Bitcoin wallet. The real BianLian group has links to Russia and has targeted US critical infrastructure since June 2022, according to a November alert from the US Cybersecurity and Infrastructure Security Agency.

Cybercriminals Allegedly Used a StubHub Backdoor to Steal Taylor Swift Tickets

Eleven11bot infects webcams and video recorders, with a large concentration in the US.

A newly discovered network botnet comprising an estimated 30,000 webcams and video recorders—with the largest concentration in the US—has been delivering what is likely to be the biggest denial-of-service attack ever seen, a security researcher inside Nokia said.

The botnet, tracked under the name Eleven11bot, first came to light in late February when researchers inside Nokia’s Deepfield Emergency Response Team observed large numbers of geographically dispersed IP addresses delivering “hyper-volumetric attacks.” Eleven11bot has been delivering large-scale attacks ever since.

Volumetric DDoSes shut down services by consuming all available bandwidth either inside the targeted network or its connection to the Internet. This approach works differently than exhaustion DDoSes, which over-exert the computing resources of a server. Hypervolumetric attacks are volumetric DDoses that deliver staggering amounts of data, typically measured in the terabits per second.

**Johnny-Come-Lately Botnet Sets a New Record**

At 30,000 devices, the Eleven11bot was already exceptionally large (although some botnets exceed well over 100,000 devices). Most of the IP addresses participating, Nokia researcher Jérôme Meyer told me, had never been seen engaging in DDoS attacks.

Besides a 30,000-node botnet seeming to appear overnight, another salient feature of Eleven11bot is the record-size volume of data it sends its targets. The largest one Nokia has seen from Eleven11bot so far occurred on February 27 and peaked at about 6.5 terabits per second. The previous record for a volumetric attack was reported in January at 5.6 Tbps.

"Eleven11bot has targeted diverse sectors, including communications service providers and gaming hosting infrastructure, leveraging a variety of attack vectors," Meyer wrote. While in some cases the attacks are based on the volume of data, others focus on flooding a connection with more data packets than a connection can handle, with numbers ranging from a "few hundred thousand to several hundred million packets per second." Service degradation caused in some attacks has lasted multiple days, with some remaining ongoing as of the time this post went live.

A breakdown showed that the largest concentration of IP addresses, at 24.4 percent, was located in the US. Taiwan was next at 17.7 percent, and the UK at 6.5 percent.

In an online interview, Meyer made the following points:

> *   This botnet is much larger than what we're used to seeing in DDoS attacks (the only precedent I have in mind is an attack from 2022 right after the Ukraine invasion, at ~60k bots, but not public).
> *   The vast majority of its IPs were not involved in DDoS attacks prior to last week.
> *   Most of the IPs are security cameras (Censys thinks Hisilicon, I saw multiple sources talk to a Hikvision NVR too so that is a possibility but not my area of expertise).
> *   Partly because the botnet is larger than average, the attack size is also larger than average.

According to a post updated on Wednesday from security firm Greynoise, Eleven11bot is most likely a variant of Mirai, a family of malware for infecting webcams and other Internet of Things devices. Mirai debuted in 2016, when tens of thousands of IoT devices infected by it delivered what at the time were record-setting DDoSes of about 1 Tbps and took down security news site KrebsOnSecurity for almost a week. Shortly after that, Mirai developers published their source code in a move that made it easy for copycats everywhere to deliver the same massive attacks. Greynoise said that the variant driving Eleven11bot is using a single new exploit to infect TVT-NVMS 9000 digital video recorders that run on HiSilicon chips.

There have been conflicting reports on the number of devices comprising Eleven11bot. Following Nokia's report last Saturday of roughly 30,000 devices, the nonprofit Shadowserver Foundation said Tuesday that the true size was more than 86,000. Then in Wednesday's update, Greynoise said that based on data from fellow security firm Censys, both numbers were inflated and the true number was likely fewer than 5,000.

The upward revision from Shadowserver was likely the result of the belief that all infected devices displayed unique device information. That suspicion now appears to be incorrect. Instead, Meyer believes the information seen on infected devices is displayed on all such hardware, whether infected or not. Researchers from Greynoise and Censys weren't immediately available to explain how they arrived at the much lower estimate of fewer than 5,000.

Meyer said that he has consistently observed as many as 20,000 to 30,000 IP addresses participating in follow-on attacks, although many attacks come from much smaller subsets. He said that he has since sent a list of all 30,000 or so IP addresses he has observed to Censys and plans to also send them to Shadowserver soon in hopes of getting consensus on the true size.

"I am still confident on the estimated count as this is what we keep seeing in attacks and after human review of the source IPs," he wrote.

Mirai-based botnets employ various methods for infecting their targets. One common method is to attempt to log in to device administrator accounts using username/password pairs commonly set as defaults by manufacturers. Mirai botnets have also been known to exploit vulnerabilities that bypass security settings.

In any case, anyone running any sort of IoT devices should position them behind a router or other form of firewall so they're not visible from outside a local network. Remote administration from outside the Internet should be enabled only when needed. Users should also ensure each device is protected by a strong unique password. Last, devices should be updated as soon as security patches become available.

_This story originally appeared on_ _Ars Technica._

A Brand-New Botnet Is Delivering Record-Size DDoS Attacks

Tulsi Gabbard, the director of national intelligence, has long held anti-surveillance views. Now she oversees a key surveillance program she once tried to dismantle.

Former US congresswoman Tulsi Gabbard’s ascendance to director of national intelligence last month signaled a major shift in views toward government surveillance at the highest rung of the US intelligence community. While backing down from some of her more extreme anti-surveillance views in the run-up to her confirmation, Gabbard nevertheless held fast to a few promises of reform that have been traditionally eschewed by federal law enforcement leaders.

Now, some of the nation’s premier civil liberties organizations have begun lobbying America’s “top spy” to follow through on a pledge to bring about new levels of oversight and transparency to a key US surveillance program that’s long been plagued by reports of misuse.

Led by the American Civil Liberties Union, at least 20 major privacy groups this week urged Gabbard to declassify information concerning Section 702 of the Foreign Intelligence Surveillance Act (FISA)—the nation’s cornerstone wiretap authority that, while aimed at collecting intelligence on foreigners overseas, is known to vacuum up large quantities of calls, texts, and emails belonging to Americans.

In a letter first obtained by WIRED, the groups privately urged Gabbard this week to declassify information regarding the types of US businesses that can now be secretly compelled to install wiretaps on the US National Security Agency’s (NSA) behalf.

While it’s no secret that the government routinely compels phone and email service providers like AT&T and Google into conducting wiretaps, Congress passed a new provision last year expanding the range of businesses that can receive such orders. Legal experts had warned in advance that the provision was far too ambiguous and likely to vastly increase the number of Americans whose communications are wiretapped. But their warnings were not heeded.

It is widely assumed that the classified purpose behind the expanded authority is allowing the government to obtain access to communications in US data centers. Lawyers for the US Justice Department attempted to unilaterally expand the reach of the program in 2022, but its efforts were foiled by the secret surveillance court that oversees FISA. Only Congress has the power to expand FISA, the department was told.

As its a matter of secret law, lawmakers were unable to specify much about the limits of the government’s access in the provision they ultimately passed. This inevitably led to the adoption of a vague new definition for what the government calls an “electronic communications service provider” (ECSP)—the term for companies whose cooperation can be compelled under FISA.

Privacy experts and industry leaders had likewise raised concerns about introducing ambiguity into a law that defines the scope of a powerful surveillance tool, warning the changes could expose a near limitless new range of new businesses to secret government demands.

As WIRED reported last spring, opponents of the provision in Washington had cast the surveillance program’s new parameters as effectively “Stasi-like”—a reference to the defunct East German secret police agency notorious for infiltrating industry and forcing private citizens to spy on one another.

Senator Ron Wyden of Oregon, a renowned privacy hawk who has served on the Senate intelligence committee since just after 9/11, has referred to the new provision as “one of the most dramatic and terrifying expansions of government surveillance authority in history.”

Declassifying the new types of businesses that can actually be considered an ECSP is an essential step in bringing about clarity to an otherwise nebulous change in federal surveillance practices, according to the ACLU and the other organizations joined in its effort. “Without such basic transparency, the law will likely continue to permit sweeping NSA surveillance on domestic soil that threatens the civil liberties of all Americans,” the groups wrote in their letter to Gabbard this week.

The Office of the Director of National Intelligence did not respond to multiple requests for comment.

In addition to urging Gabbard to declassify details about the reach of the 702 program, the ACLU and others are currently pressing Gabbard to publish information to quantify just how many Americans have been “incidentally” wiretapped by their own government. Intelligence officials have long claimed that doing so would be “impossible,” as any analysis of the wiretaps would involve the government accessing them unjustifiably, effectively violating those Americans’ rights.

The privacy groups, however, point to research published in 2022 out of Princeton University, which details a methodology that could effectively solve that issue. “The intelligence community’s refusal to produce the requested estimate undermines trust and weakens the legitimacy of Section 702,” the groups say.

Gabbard is widely reported to have softened her stance against government spying while working to secure her new position as director of the nation’s intelligence apparatus. During the 116th Congress, for instance, Gabbard introduced legislation that sought to completely dismantle the Section 702 program, which is considered the “crown jewel” or US intelligence collection and crucial to keeping tabs on foreign threats abroad, including terrorist organizations and cybersecurity threats—exhibiting a stance far more extreme than those traditionally held by lawmakers and civil society organizations who’ve long campaigned for surveillance reform.

While begging off from this position in January, Gabbard’s newly espoused views have, in fact, brought her more closely in line with mainstream reformers. In response to questions from the US Senate ahead of her confirmation, for example, Gabbard backed the idea of requiring the Federal Bureau of Investigation to obtain warrants before accessing the communications of Americans swept up by the 702 program.

Slews of national security hawks from former House speaker Nancy Pelosi to former House intelligence committee chairman Mike Turner have long opposed this warrant requirement, as traditionally have all directors of the FBI. “This warrant requirement strengthens the \[intelligence community\] by ensuring queries are targeted and justified," Gabbard wrote in response to Senate questions in late January.

The Section 702 program was reauthorized last spring, but only for an additional two years. Early discussions about reauthorizing the program once more are expected to kick off again as early as this summer.

Sean Vitka, executive director of Demand Progress, one of the organizations involved in the lobbying effort, notes that Gabbard has a long history of supporting civil liberties, and refers to her recent statements about secret surveillance programs “encouraging.” “Congress needs to know, and the public deserves to know, what Section 702 is being used for,” Vitka says, “and how many Americans are swept up in that surveillance.”

“Section 702 has been repeatedly used to conduct warrantless surveillance on Americans, including journalists, activists, and even members of Congress,” adds Kia Hamadanchy, senior policy counsel for the ACLU. “Declassifying critical information, as well as providing long-overdue basic data about the number of US persons whose communications are collected under this surveillance are essential steps to increasing transparency as the next reauthorization debate approaches.”

Trump’s Spy Chief Urged to Declassify Details of Secret Surveillance Program

Documents obtained by WIRED show the US Department of Defense is considering cutting up to 75 percent of workers who stop the spread of chemical, biological, and nuclear weapons.

US agencies responsible for preventing the global proliferation of weapons of mass destruction and building security capacity around the world are facing deep cuts, perhaps total abolition, as the Trump administration continues its assault on any and all spending going overseas.

According to a draft working paper provided to WIRED, the Department of Defense is asking all its agencies and services that conduct “security cooperation” programs to consider the impact if the Pentagon were to “realign” its funding. The authors of the paper warn that the cuts could hobble the fight against organized crime in South America, impair the battle against the Islamic State, increase the likelihood of a rogue state producing and using chemical weapons, and defund pandemic surveillance measures.

The working paper is in response to a request for information from Secretary of Defense Pete Hegseth, asking agencies to assess the consequences of four levels of staff reduction—25 percent, 50 percent, and 75 percent cuts, or outright abolition.

This cost-cutting exercise is being conducted in response to a January 20 executive order from President Donald Trump, mandating that departments and agencies review all foreign aid programs. But the DOD review is going well beyond foreign aid. According to the working paper, the Defense Department looks set to make cuts to all humanitarian assistance, security cooperation, and cooperative threat-reduction efforts. The DOD has made clear that all spending ought to align with the secretary’s three priorities: deterring China, increasing border security, and pushing allies to shoulder more of the burden. It is not clear what role, if any, Elon Musk’s so-called Department of Government Efficiency (DOGE) is playing in these workforce reduction decisions.

**Pandemics and Weapons of Mass Destruction**

In response to the Pentagon’s request for information, the agencies contemplated lower bounds of cuts of 20, 40, and 60 percent—a counter-offer, the Pentagon source says, because officials in these agencies see a 60 percent cut as a “red line” that would still severely hurt global and domestic security.

A 20 percent reduction in funding, the memos say, would reduce some mine-clearance efforts in former war zones, significantly hurt programs to surveil and prevent infectious disease outbreaks in Africa, and worsen biosafety and biosecurity programs at biological laboratories worldwide, among other losses.

A 40 percent reduction would limit funding for counter-extremism programs in Africa and the Middle East, close all mine-clearance operations, shut down programs to intercept and prevent the development of weapons of mass destruction, and completely shut down biological surveillance programs.

A 60 percent cut would be significantly more severe, according to the memo. It would fundamentally eliminate America’s role in preventing the spread of chemical, biological, and nuclear weapons, the documents warn, and increase the likelihood of a lab accident or theft of potentially dangerous biological material.

The secretary of defense also asked the agencies to game out the consequences of fully shutting down some of their operations—a move, the agencies claim, that would defund border security measures and anti-drug-trafficking efforts.

One of the agencies targeted by this spending review is the Defense Threat Reduction Agency (DTRA), which leads counter-proliferation efforts on chemical, biological, and nuclear threats, both on its own and with US allies. In recent years, DTRA took the lead on destroying chemical weapons in Syria, helped secure 10 metric tons of highly enriched uranium in Kazakhstan, and worked with the Ukrainian government to upgrade security at its infectious disease laboratories.

A Pentagon source tells WIRED that if cuts on the higher end of the proposed spectrum are made, DTRA will effectively end. “Anything more than a 60 percent cut cripples the program,” they say. The source, who requested anonymity because they are not authorized to discuss the spending review, claims a total elimination of these programs is also on the table.

"All reductions increase risk to US due to pathogen spread and easier adversary pathways to develop WMD,” the memos read.

The secretary of defense declined to comment for this story, with a spokesperson writing, “We will not comment on internal deliberations.”

The cost-savings of these cuts would be relatively marginal compared to the Pentagon’s $850 billion budget. The Department of Defense only spends about $19 billion on humanitarian assistance, security cooperation, and cooperative threat-reduction programs, including DTRA—of that, the proposed cuts would eliminate between $5 billion and $15 billion. Because many of these programs are funded via congressional earmark, it’s not clear the Pentagon has the authority to cut and reappropriate their funding.

Trump and Hegseth have previewed defense cuts, promising to reduce spending by $50 billion—about 8 percent of the Pentagon’s nonlethal budget, Hegseth has said.

These cuts could also have a domino effect on other programs that are run in conjunction with the State Department and other agencies. One long-standing project facing cuts under this review is the State Partnership Program, which sends National Guard members to liaise and train with friendly militaries abroad. This program has historically been particularly popular with Republican members of Congress. But it, like dozens of other Pentagon activities, faces steep cuts or outright abolition.

A source with knowledge of the funding review says that a decision has yet to be made about the exact level of these cuts, and that meetings are ongoing to decide which agencies or programs will be hit and how hard. A final decision is due in mid-April, at the end of the 90-day window set out in the January 20 executive order. Sources inside the Pentagon who work on security cooperation say they are fearful that the cuts will be severe.

**Burst Bubble**

The people who work to stop the spread of dangerous material insist that these programs are not foreign assistance at all—they are all about domestic and global security.

DTRA, for example, currently works with 35 nations, helping to upgrade their biosafety and biosecurity practices while also helping them destroy dangerous biological samples. Much of this work takes place in veterinary clinics, which often treat and collect samples from sick livestock, making them the front line of infectious disease outbreaks. This work, in recent years, has included many of the African nations hit by Ebola.

Partnering with local health authorities not only helps prevent the next epidemic, but it also makes sure that these virological samples are kept secure—“so it's not accidentally going to leak out of these public health facilities or not be stolen by a terrorist,” Robert Pope, director of Cooperative Threat Reduction at DTRA, explained in a 2022 interview.

DTRA’s staff operate as an “early warning system,” a congressional staffer tells WIRED, ahead of any deployment of the US military, they say. While it may not be a traditional kind of military power, they add, it should still fit into this administration’s priorities. “It secures our border from pathogens.”

An independent analysis conducted for the Pentagon in 2022 found that these threat reduction programs are “well-positioned to respond quickly to emerging \[weapons of mass destruction\] threats; its authorities are unique and fill an existing gap.”

Programs like DTRA ought to be expanded, not cut, says Gigi Gronvall, a professor at the Johns Hopkins Center for Health Security. These are primarily national security programs, she says, designed to “give ourselves the eyes and ears around the world to put out those fires, or prevent them from happening in the first place.”

If you don’t put out the fire—whether it’s a novel infectious disease or a chemical weapons program in a rogue state—it will keep growing, Gronvall adds. “We have areas of the world that don’t have fire departments,” she says. “By helping them help themselves, we are helping them step up.”

**‘A Fire Sale on Expertise’**

The Pentagon’s threat reduction efforts, and the DTRA itself, stem from the work of former US senators Sam Nunn, a Democrat, and Richard Lugar, a Republican, to secure weapons of mass destruction after the fall of the Soviet Union. America, through their work, destroyed thousands of ballistic missiles and nuclear warheads, disposed of tens of thousands of pounds of chemical weapons, and dismantled Soviet bioweapon laboratories. In 1998, DTRA was formally created and given a more expensive mandate to both track and destroy chemical and biological threats while also helping other nations do the same.

For its work, DTRA has been targeted by Russian disinformation efforts, with Moscow accusing America of producing biological weapons in these DTRA-funded labs. Following the full-scale Russian invasion of Ukraine in 2022, conspiracy theorists in America picked up that thread, suggesting the invasion was cover to destroy these bioweapons labs.

Fears about DTRA’s work have since been raised by Health and Human Services secretary Robert F. Kennedy Jr., director of national intelligence Tulsi Gabbard, and Russia itself. Republican senator Rand Paul has repeatedly issued subpoenas to the DTRA looking for evidence that it has been engaged in dangerous virological research and suggesting that it may have had a hand in creating Covid-19.

“When Russia was attacking that program, it was doing so because it wanted to erode our national security,” Gronvall says. Russia may not believe these lies, she adds, but “they have been enormously successful in getting people with power to believe these things.”

Last year, the United States accused Russia of using prohibited chemical weapons in its war on Ukraine. According to this working paper, the proposed cuts to the DTRA could eliminate America’s ability to investigate and attribute such chemical weapons attacks in Eastern Europe.

Investigating and attributing these attacks is a form of deterrence, Gronvall says. Without this capability, she adds, “it means you’re going to see a lot more chemical weapons used.”

The United States believes that Russia, North Korea, and other rogue states have active biological weapons programs. Despite that, no state has actually deployed a biological weapon since the adoption of the Biological Weapons Convention. Gronvall is worried that dismantling the DTRA could weaken that prohibition. “I would worry that that would be something we would see,” she says.

The working paper warns that reducing this funding could surrender ground to Russia and China, which may try and fill the void left by the US. That could see Moscow and Beijing move in to partner with foreign militaries, cooperate with these biological facilities, and even recruit new scientists.

“It’s going to be a fire sale on expertise,” Gronvall says, “and that is helping China, 100 percent.”

Pentagon Cuts Threaten Programs That Secure Loose Nukes and Weapons of Mass Destruction

Developed to boost productivity and operational readiness, the AI is now being used to “review” diversity, equity, inclusion, and accessibility policies to align them with President Trump’s orders.

The United States Army is employing a prototype generative artificial intelligence tool to identify references to diversity, equity, inclusion, and accessibility (DEIA) for removal from training materials in line with a recent executive order from President Donald Trump.

Officials at the Army’s Training and Doctrine Command (TRADOC)—the major command responsible for training soldiers, developing leaders, and shaping the service’s guidelines, strategies, and concepts—are currently using the AI tool, dubbed CamoGPT, to “review policies, programs, publications, and initiatives for DEIA and report findings,” according to an internal memo reviewed by WIRED.

The memo followed Trump’s signing of a January 27 executive order titled “Restoring America’s Fighting Force,” which directed Defense Secretary Pete Hegseth to eliminate all Pentagon policies seen as promoting what that the commander in chief declared “un-American, divisive, discriminatory, radical, extremist, and irrational theories” regarding race and gender, a linguistic dragnet that extends as far as past social media posts from official US military accounts.

In an email to WIRED, TRADOC spokesman Army Major Chris Robinson confirmed the use of CamoGPT to review DEIA materials.

TRADOC “will fully execute and implement all directives outlined in the Executive Orders issued by the president. We ensure that these directives are carried out with the utmost professionalism, efficiency, and in alignment with national security objectives,” Robinson says. “Specific details about internal policies and tactics cannot be discussed. However, the use of all tools in our portfolio, including CamoGPT, to increase productivity at all levels can and will be used.”

Developed last summer to boost productivity and operational readiness across the US Army, CamoGPT currently has around 4,000 users who “interact” with it on a daily basis, Captain Aidan Doyle, a CamoGPT data engineer, tells WIRED. The tool is used for everything from developing comprehensive training program materials to producing multilingual translations, with TRADOC providing a “proof of concept and demonstration” at last October’s annual Association of the United States Army conference in Washington, DC, according to Robinson.

While Doyle declined to comment on the specifics on how TRADOC officials were likely using the CamoGPT to scan for DEIA-related policies, he described the process of searching through documents as relatively straightforward.

“I would take all the documentation you want to examine, order it all in a collection on CamoGPT, and then ask questions about the documents,” he says. “The way retrieval-augmented generation works is that the more specific your question is to the concepts inside the document, the more detailed information the model will provide back.”

In practical terms, this means that TRADOC officials are likely inputting a large number of documents into CamoGPT and asking the LLM to scan for targeted keywords like “dignity” or “respect” (which, yes, the Army is currently using to screen past digital content) to identify materials for subsequent alteration and bring them in line with Trump’s executive order.

By using CamoGPT, the work of eliminating DEIA-related content will likely result in a rapid change to the US Army’s documentation. “We’re competing with ‘control+F’ in Adobe Acrobat,” Doyle says.

CamoGPT isn’t the only AI chatbot in the Pentagon’s arsenal: The US Air Force’s NIPRGPT has seen extensive use among airmen since its launch in June for “summarization of documents, drafting of documents and coding assistance,” according to DefenseScoop.

The AI-assisted assessment of US military training materials comes amid a government-wide effort to root out DEIA initiated the day Trump returned to the Oval Office in January to start his second term. Detailed in Trump’s January 27 executive order, the Defense Department’s purge has taken the form of the closure of service-specific DEIA offices and program, a department-wide review of past DEI initiatives, and even the removal of historical content related to the famed all-Black Tuskegee Airmen from Air Force basic training materials, the latter of which was swiftly reversed amid public outcry.

Originally inspired by the public release of OpenAI’s ChatGPT in November 2022, CamoGPT is a product of the Army’s Artificial Intelligence Integration Center (AI2C), the organization formed in 2018 as part of Army Future Command to spearhead AI research and development efforts by “leveraging a soldier workforce to build experimental prototypes,” as Eric Schmitz, AI2C’s operations and intelligence portfolio lead, tells WIRED.

“The mission is to make AI accessible to the Army through experimentation, and we have an ethos and culture that is very much a start-up ethos.” Schmitz says. “We are product-centric and believe AI is inherently software-driven: You can do all the research you like in academia, but if you don't have software to deliver it to somebody and find out if it's useful software, then you’ll never know if your AI is useful in the real world.”

In response to the arrival of ChatGPT, AI2C quickly spun up a CamoGPT prototype based on an open-source LLM in June 2024. The center’s approach to CamoGPT is “model agnostic,” according to Schmitz: While the system currently relies on tech giant Meta’s open-source Llama 3.3 70B LLM, the underlying model is “expendable” should a better version hit the market. What really matters is building software that the average soldier will actually use in their day-to-day operations, an achievement that might influence its long-term adoption across the force.

“When you talk about how the Army doesn’t build software well, it’s because user adoption is not a priority, but it’s a massive priority to us,” Schmitz says.

Whether CamoGPT proliferates more broadly across the Army remains to be seen, and Schmitz and Doyle emphasized that AI2C’s role is laser-focused on experimental prototyping rather than building products ready for immediate fielding. But with the entire federal government reorienting itself in the name of “efficiency,” the success of CamoGPT’s application to Trump’s DEIA overhaul may end up cementing its utility for military planners.

“You need to be ruthlessly critical of what you have built and what you plan to build and hyper focused on driving user adoption,” Schmitz says. “The core question is, how do you build something that’s so valuable that people say they can't live without it?”

Source

Wired