The Justice Department claims 10 alleged hackers and two Chinese government officials took part in a wave of cyberattacks around the globe that included breaching the US Treasury Department and more.

Only rarely does the West get a glimpse inside the vast hacker-for-hire contractor ecosystem that enables China's digital intrusion campaigns worldwide. Now a new set of criminal charges against a dozen Chinese nationals, including two government officials, accuses them of a vast espionage campaign that included breaching the US Treasury, and goes as far as revealing the internal communications of some of those alleged hackers, their tools, and their business relationships.

The US Department of Justice on Wednesday announced the indictment of 12 Chinese individuals accused of more than a decade of hacker intrusions around the world, including eight staffers for the contractor i-Soon, two officials at China's Ministry of Public Security who allegedly worked with them, and two other alleged hackers who are said to be part of the Chinese hacker group APT27, or Silk Typhoon, which prosecutors say was involved in the US Treasury breach late last year.

“Today, we are exposing the Chinese government agents directing and fostering indiscriminate and reckless attacks against computers and networks worldwide, as well as the enabling companies and individual hackers that they have unleashed." Sue Bai, who leads the Justice Department’s National Security Division, wrote in a statement, “The Department of Justice will relentlessly pursue those who threaten our cybersecurity by stealing from our government and our people.”

According to prosecutors, the group as a whole has targeted US state and federal agencies, foreign ministries of countries across Asia, Chinese dissidents, US-based media outlets that have criticized the Chinese government, and most recently the US Treasury, which was breached between September and December of last year. An internal Treasury report obtained by Bloomberg News found that hackers had penetrated at least 400 of the agency’s PCs and stole more than 3,000 files in that intrusion.

The indictments highlight how, in some cases, the hackers operated with a surprising degree of autonomy, even choosing targets on their own before selling stolen information to Chinese government clients. The indictment against Yin Kecheng, who was previously sanctioned by the Treasury Department in January for his involvement in the Treasury breach, quotes from his communications with a colleague in which he notes his personal preference for hacking American targets and how he’s seeking to "break into a big target," which he hoped would allow him to make enough money to buy a car.

At one point, Yin notes that “anything within the top 100” of defense contractors would be a preferable target, according to the indictment. When his colleague suggests that he look for victims beyond the US, he replies, “I just like the Americans, nothing else is as good.”

In some cases, Yin and the other alleged hackers sold stolen information directly to Chinese government agencies, according to US officials, while in others they brokered the sale through secondary firms. The hackers’ independence in choosing targets reveals just how loose China’s hacker-for-hire ecosystem can be in some cases, according to one senior DOJ official who asked to remain unnamed because they were only authorized to speak on background.

“The contractors and companies will hack more or less speculatively, motivated by profit to cast a wide net,” the DOJ official says. China, the official says, “is fostering reckless and indiscriminate targeting of vulnerable computers worldwide, even if it doesn’t task or obtain the fruits of those hacks. This leads to a less secure and more vulnerable environment.”

Shanghai-based firm i-Soon, a contractor to China’s Ministry of State Security (MSS) and Ministry of Public Security (MPS) that the DOJ says employed eight of the alleged hackers, charged its Chinese government customers in some cases based on how many email inboxes it was able to breach, earning between $10,000 and $75,000 per inbox, according to prosecutors. The company, which has over 100 employees, earned tens of millions of dollars in revenue in some years, and its executives projected it would have revenue of about $75 million by 2025, according to the indictment. Prosecutors also note that the company worked with 43 different bureaus of the MSS and MPS across 31 provinces of China, which operated independently and often purchased the same products from i-Soon.

i-Soon, whose alleged hacker-for-hire operations were previously revealed in a leak of its internal documents and communications last year, offered its clients a “zero-day vulnerability arsenal” of unpatched, hackable flaws, according to the indictment. It also allegedly sold password-cracking tools and euphemistically named “penetration testing” products—which were, prosecutors says, in fact intended to be used on unwitting victims—which allegedly included targeted phishing tool kits as well as tools for embedding malware in file attachments.

The company also allegedly carried out its own targeting of victims, which the DOJ says included specific media outlets, dissidents, religious leaders, and researchers who had been critical of the Chinese government, as well as the New York State Assembly, one of whose representatives had received an email from members of an unnamed religious group that is banned in China.

Yin Kecheng and Zhou Shuai, an alleged associate in the APT27, or Silk Typhoon, group, are accused of hacking a wide variety of defense contractors, think tanks, a law firm, a managed communications service provider company, and other victims. In December, software contractor firm BeyondTrust alerted the US Treasury that the department had been breached due to an intrusion on BeyondTrust’s network—an operation that was later attributed to Silk Typhoon. In conjunction with the Justice Department’s charges today, Microsoft also released a guide to Silk Typhoon’s operating techniques, highlighting how it seeks to exploit the IT supply chain.

In Yin’s communications with a colleague included in the indictment against him, the colleague suggests that rather than go after large victim organizations directly, they target their subsidiaries, noting that “they are the same and easier to attack.” Yin responds, agreeing that strategy is “correct.”

All of the 12 Chinese nationals charged in the indictments remain at large—and, chances are, will never see the inside of a US courtroom. But the State Department announced rewards for information leading to their arrest between $2 million and $10 million each.

“To those who choose to aid the CCP in its unlawful cyber activities,” Bryan Vorndran, assistant director of the FBI’s Cyber Division, writes in a statement, using the term CCP to refer to the Chinese Communist Party, “these charges should demonstrate that we will use all available tools to identify you, indict you, and expose your malicious activity for all the world to see.”

US Charges 12 Alleged Spies in China’s Freewheeling Hacker-for-Hire Ecosystem

New research shows at least a million inexpensive Android devices—from TV streaming boxes to car infotainment systems—are compromised to allow bad actors to commit ad fraud and other cybercrime.

Cheap TV streaming boxes seem like one of the most straightforward gadgets out there, but they can come with hidden costs. In 2023, researchers revealed that tens of thousands of Android TV boxes being used in homes, schools, and businesses were equipped with secret backdoors that allowed them to be used in a host of cybercrime and online fraud. Now, the same researchers have found that the China-based ecosystem behind the compromised devices and the illicit activities they’re used for—collectively dubbed Badbox 2.0—is fueling a next-generation campaign that’s broader in scope and even more sneaky.

At least 1 million Android-based TV streaming boxes, tablets, projectors, and after-sale car infotainment systems are infected with malware that conscripts them into a scammer-controlled botnet, according to new research shared exclusively with WIRED by the cybersecurity firm Human Security. The compromised devices are used for a range of advertising fraud and in so-called residential proxy services, which allow their operators to use victim internet connections for routing and masking web traffic. And all of this activity happens behind the scenes without the owners of compromised devices having any idea of how their streaming boxes are being used.

“This is all completely unbeknownst to the poor users that have bought this device just to watch Netflix or whatever,” Gavin Reid, Human’s chief information security officer, tells WIRED. “Ad fraud including click fraud is all happening behind the scenes, but the main way they are monetizing the million devices is reselling this proxy service. Victims don't know that they're a proxy, they never agreed to be a proxy service, but they're being used for that. Any bad thing you want to do, scraping, whatever it is, these proxy services are an enabler for that.”

The researchers found that the majority of infected devices are in South America, particularly Brazil. The impacted devices often use generic names and aren’t produced by known brands. For example, there are dozens of impacted streaming boxes, but the majority of Badbox 2.0 targets are in the “TV98” and “X96” device families. Virtually all of the targeted devices are designed using Android’s open source operating system code, meaning they run versions of Android but aren’t part of Google’s ecosystem of protected devices.

Google collaborated with the researchers to address the ad fraud component of the activity, though. The company says it worked to terminate publisher accounts associated with the scams and block the ability of those accounts to generate revenue through Google’s advertising ecosystem.

“Malicious attacks like the one described in this report are expressly prohibited on our platforms,” Google spokesperson Nate Funkhouser told WIRED in a statement. “Bad actors’ tactics are constantly evolving. Partnering with organizations like HUMAN helps us share threat intelligence and expands our collective ability to identify and take swift action against bad actors, as we did here.”

In the original Badbox campaign, scammers focused on installing backdoored firmware in streaming boxes before they arrived in the hands of consumers. The Badbox 2.0 campaign is significant, the researchers say, because it reflects a major change in tactics. Rather than focusing on low-level firmware infections, Badbox 2.0 involves more traditional software-level malware distributed through common tactics like drive-by downloads, in which victims accidentally download malware without realizing it.

Researchers from multiple firms say that the campaign seems to come from a loosely connected ecosystem of fraud groups rather than one single actor. Each group has its own versions of the Badbox 2.0 backdoor and malware modules and distributes the software in a variety of ways. In some cases, malicious apps come preinstalled on compromised devices, but in many examples that the researchers tracked, attackers are tricking users into unknowingly installing compromised apps.

The researchers highlight a technique in which the scammers create a benign app—say, a game—post it in Google's Play Store to show that it’s been vetted, but then trick users into downloading nearly identical versions of the app that are not hosted in official app stores and are malicious. Such “evil twin” apps showed up at least 24 times, the researchers say, allowing the attackers to run ad fraud in the Google Play versions of their apps, and distribute malware in their imposter apps. Human also found that the scammers distributed over 200 compromised, re-bundled versions of popular, mainstream apps as yet another way of spreading their backdoors.

“We saw four different types of fraud modules—two ad fraud ones, one fake click one, and then the residential proxy network one—but it's extensible,” says Lindsay Kaye, Human’s vice president of threat intelligence. “So you can imagine how, if time had gone on and they were able to develop more modules, maybe forge more relationships, there is the opportunity to have additional ones.”

Researchers from the security firm Trend Micro collaborated with Human on the Badbox 2.0 investigation, particularly focusing on the actors behind the activity.

“The scale of the operation is huge,” says Fyodor Yarochkin, a Trend Micro senior threat researcher. He added that while there are “easily up to a million devices online” for any of the groups, “This is only a number of devices that are currently connected to their platform. If you count all the devices that would probably have their payload, it probably would be exceeding a few millions.”

Yarochkin adds that many of the groups involved in the campaigns seem to have some connection to Chinese gray market advertising and marketing firms. More than a decade ago, Yarochkin explains, there were multiple legal cases in China in which companies had installed “silent” plugins on devices and used them for a diverse array of seemingly fraudulent activity.

“The companies that basically survived that age of 2015 were the companies who adapted,” Yarochkin says. He notes that his investigations have now identified multiple “business entities” in China which appear to be linked back to some of the groups involved in Badbox 2. The connections include both economic and technical links. “We identified their addresses, we’ve seen some pictures of their offices, they have accounts of some employees on LinkedIn,” he says.

Human, Trend Micro, and Google also collaborated with the internet security group Shadow Server to neuter as much Badbox 2.0 infrastructure as possible by sinkholing the botnet so it essentially sends its traffic and requests for instructions into a void. But the researchers caution that after scammers pivoted following revelations about the original Badbox scheme, it’s unlikely that exposing Badbox 2.0 will permanently end the activity.

“As a consumer, you should keep in mind that if the device is too cheap to be true, you should be prepared that there might be some additional surprises hidden in the device,” Trend Micro’s Yarochkin says. “There is no free cheese unless the cheese is in a mousetrap.”

1 Million Third-Party Android Devices Have a Secret Backdoor for Scammers

Plus: The FBI pins that ByBit theft on North Korea, a malicious app download breaches Disney, spyware targets a priest close to the pope, and more.

As scam compounds in Southeast Asia continue to drive massive campaigns targeting victims around the world, WIRED took a deeper look at how Elon Musk’s satellite internet service provider Starlink is keeping many of those compounds in Myanmar online. Meanwhile, FTC complaints obtained by WIRED allege that an “OpenAI” job scam used Telegram to recruit workers in Bangladesh for months before the fraudsters suddenly disappeared.

WIRED published the inside story of Russian tech executive Vladislav Klyushin, who—at Vladimir Putin’s behest—was part of a notable US-Russia prisoner swap last summer after he was convicted and incarcerated in the US for insider trading that netted him $93 million. Earlier this week, TVs at the headquarters of the Department of Housing and Urban Development in Washington, DC, showed an apparently AI-generated video on loop of Donald Trump kissing Elon Musk’s feet. The words “LONG LIVE THE REAL KING” were superimposed over the video.

WIRED conducted an investigation into Telegram groups devoted to doxing and harassing women who joined “Are We Dating the Same Guy?” groups on Facebook. And, as female entrepreneurs in tech face ever steeper odds of gaining support for a business, a team of female founders got seed funding and completed a series A round in a matter of months for the cloud container security firm Edera.

But wait, there's more! Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**Trump Administration Backs Off on Countering Russian Cyber Foes**

After years of Russian cyber aggression against the United States and its longtime allies—including repeated election meddling, hack and leak operations, disinformation campaigns, elaborate espionage, and brazen, disruptive cyberattacks—multiple recent actions from the Trump administration have recast the US stance on the cybersecurity threats posed by the Kremlin, downplaying the risks of Russian hackers as US adversaries. The about-face comes as Donald Trump and Russian president Vladimir Putin have increasingly strengthened their ties. Consistent US intelligence community assessments of Russia's activity in cyberspace and the threat it poses to the US would indicate, though, that such a change in approach could put the US at risk.

That deprioritization of the Russia threat has come in several different forms. US State Department deputy assistant secretary for international cybersecurity Liesyl Franz said during a speech in a United Nations working group last week that the US is concerned about digital attacks from China and Iran, but did not mention Russia. A recent memo distributed at the Cybersecurity and Infrastructure Security Agency laid out priorities for the agency, focusing on China and defense of US systems but omitted any reference to Russia. And on Friday, the cybersecurity news outlet The Record reported that, last week, Defense Secretary Pete Hegseth ordered US Cyber Command to stop all cyber operational planning against Russia, including offensive digital campaigns.

**Crypto Bounty Hunters Are Racing to Find and Freeze $1.4 Billion Stolen From ByBit**

Eight days have passed since the cryptocurrency exchange ByBit revealed that hackers stole $1.4 billion worth of Ethereum-based assets from the company, a heist that is by some measures the biggest theft of crypto in history. Now the race is on to track the stolen funds across blockchains, prevent its liquidation, or even recover it—and that race is being propelled by $140 million in bounties offered by ByBit itself. ByBit earlier this week launched a website where it’s inviting crypto sleuths to submit tips about the destination of its stolen Ethereum funds and offering as a reward 5 percent of the value of any funds that those tracers can identify and help to freeze or seize. ByBit has offered another 5 percent of the value as a separate reward for any crypto exchange or other platform that obtains the funds.

As of Friday, the website counted a dozen bounty hunters currently registered as part of that crypto-tracing effort and put the tally of paid-out rewards at around $4.3 million. The site also includes a leaderboard of tracers who have successfully identified tranches of the funds by following them across blockchains or frozen funds—as well as a list of crypto exchanges who have, by contrast, liquidated the stolen funds on behalf of the thieves. So far only one exchange, known as eXch, has been flagged as liquidating $94 million of the stolen assets. ByBit notes that eXch has refused to respond to its messages, and the exchange didn’t respond to a BBC request for comment.

**FBI Urges Crypto Industry Not to Launder ByBit Funds for North Korea**

Earlier this week, the FBI took the unusual step of publicly identifying the hackers behind that massive ByBit hack: TraderTraitor, a group of state-sponsored cybercriminals working on behalf of the North Korean government. The FBI asked the crypto industry not to launder the funds of those hackers, a part of the larger umbrella group widely known as Lazarus that has long plagued the cryptocurrency world and has stolen billions in both crypto and non-crypto assets. In its alert, the bureau also released a list of Ethereum addresses associated with the stolen funds in an effort to help the crypto industry identify and seize any part of the $1.4 billion before it can be cashed out. Crypto tracing firm TRM Labs wrote in a post Thursday that around $400 million of the funds have already been moved and may have been successfully liquidated.

**A Disney Staffer Opened the Door for a Slack Hack by Accidentally Downloading Malware**

In July, an entity calling itself “NullBulge” published a 1.1-TB trove of data stolen from Disney's internal Slack archive, tipping off a frenzied cleanup effort as Disney rushed to get a handle on leaked revenue numbers, employee information like passport numbers, and sensitive customer information. The breach occurred after a Disney employee, Matthew Van Andel, inadvertently downloaded malware onto his personal computer that collected his login credentials for a number of services, including, crucially, the password to his 1Password credential vault. “It’s impossible to convey the sense of violation,” he told The Wall Street Journal. Van Andel also had his credit card numbers and other personal data stolen, and then lost his job as well when a Disney audit of his work computer alleged that he had accessed porn from the device. Van Andel denies the accusation. The episode is just one in a series of breaches where malware that infects a worker’s personal computer can have major ramifications for the institution that employs them.

**An Italian Priest Close to the Pope Had His Phone Hacked**

Mattia Ferrari, an Italian priest who works with a migrant-rescue group and has a close relationship with the Pope, revealed this week that he received a warning from Meta that his phone had been hacked with sophisticated spyware from Israeli-based Paragon. The news follows revelations that Luca Casarini, the founder of the NGO Mediterranea Saving Humans, where Ferrari served as a chaplain, also had his phone compromised by spyware, as did Italian investigative reporter Francesco Cancellato. The string of spyware infections targeting Italian activists and a journalist raises the question of who might be carrying out the hacking operations, with opposition leaders calling on the administration of Italian prime minister Giorgia Meloni to address the issue. Meloni’s government has denied being behind the hacking incidents. Pope Francis, who is currently in critical condition with pneumonia, has mentioned speaking to Ferrari on the phone during a TV interview in January, raising the question of whether the spies who hacked Ferrari’s phone eavesdropped on a conversation with the pope himself.

The Trump Administration Is Deprioritizing Russia as a Cyber Threat

A WIRED investigation reveals that criminals who make billions from scam compounds in Myanmar—where tens of thousands of people are enslaved—are using Starlink to get online.

The plea for help arrived last summer. “I am in Myanmar and work for a fraud company,” a Chinese human-trafficking victim wrote in a short email sent from within the Tai Chang scam compound. Like thousands of others in the region, they were promised legitimate work only to find themselves tricked into modern slavery and forced to scam people online for hours every day. Tai Chang, which backs on to the Myanmar-Thailand border, has been linked to incidents of torture. “I’m not safe, I’m chatting with you secretly,” they said. Despite the risk, their first request wasn’t to be rescued.

Tai Chang’s internet connection had recently been cut off from Thailand, the person wrote in the messages to anti-scam group GASO in June 2024. Instead of scamming within the compound grinding to a halt, the organized criminals behind the operation found another way to stay online, they claimed. “Elon Musk’s Starlink is installed above all the buildings in the campus where we are now,” the individual wrote. “Now the fraud work is running normally. If the fraud network here is down, we can regain our freedom.”

Those messages soon landed on the desk of Erin West, then deputy district attorney for Santa Clara County, California. West, a longtime advocate for victims of so-called pig butchering and other types of cryptocurrency scams, wrote to a lawyer at SpaceX, the company behind Musk’s high-speed Starlink satellite internet system. Starlink connections appeared to be helping criminals at Tai Chang to “scam Americans” and “fuel their internet needs,” West alleged at the end of July 2024. She offered to share more information to help the company in “disrupting the work of bad actors.”

SpaceX and Starlink never replied, West claims.

Reports of the use of Starlink at Tai Chang are not a one-off—criminals running multibillion-dollar empires across Southeast Asia appear to be widely using the satellite internet network. At least eight scam compounds based around the Myanmar-Thailand border region are using Starlink devices, according to mobile phone connection data reviewed by WIRED. Between November 2024 and the start of February, hundreds of mobile phones logged their locations and use of Starlink at known scam compounds more than 40,000 times, according to the mobile phone data, which was collected by an online advertising industry tool.

The eight compounds, spread around the Myawaddy region of war-torn Myanmar, likely have installed multiple Starlink devices. Photos of Tai Chang reviewed by WIRED appear to show dozens of white Starlink satellite dishes on a single rooftop, while human rights watchdogs and other experts say that Starlink use at the scam compounds has increased in the past year.

“I believe that SpaceX must have the capacity to stop this problem,” says Rangsiman Rome, an opposition member of the House of Representatives in Thailand who chairs a parliamentary committee on national security and border issues. At the start of February, Rome tagged Musk in a post on X, saying criminals are “exploiting Starlink for massive fraud” at scam compounds in the region. He did not get a reply, he says.

“We know exactly where the compounds are,” Rome says. “If we can target which compound uses Starlink and collaborate with SpaceX, we can stop the compound using Starlink.”

Starlink’s policies state that SpaceX may terminate services to users if they participate in “fraudulent” activities or if a system is used in unauthorized locations. It has previously emailed users in locations it doesn’t officially offer services to and threatened to shut down accounts.

The use of Starlink comes as officials in Thailand, Myanmar, and China have recently attempted to crack down on scam compounds, freeing thousands. However, support services for trafficking victims have faced USAID funding cuts from Musk’s so-called Department of Government Efficiency, or DOGE. Musk’s ownership of the satellite network while serving as a federal employee has also fallen under increasing scrutiny, with reports suggesting Starlink connections could be turned off in Ukraine. Meanwhile, the US Federal Aviation Administration is reportedly expanding its use of Starklink devices.

“Our own technology is being used against us,” says West, who founded the nonprofit Operation Shamrock to take action against investment scammers. “Starlink is an American company, and it is the backbone for how these bad actors are able to access Americans.”

WIRED sent SpaceX a list of questions about the alleged use of Starlink at scam compounds, including coordinates of suspected scam compounds where phones have connected to the Starlink network. SpaceX did not respond to the request for comment.

“If SpaceX obtains knowledge that a Starlink terminal is being used by a sanctioned or unauthorized party, we investigate the claim and take actions to deactivate the terminal if confirmed,” the company has previously said.

The green, mountainous border separating Myanmar and Thailand runs for 1,500 miles. Around 200 miles of the border follows the Moei River, where dozens of compounds have replaced valley fields over the past five years. Rome, the Thai MP, says officials have identified 75 compounds across Myanmar, Cambodia, and Laos, with 40 of those being in Myanmar’s Myawaddy region.

From the outside, the compounds resemble hotels or apartment blocks, but they are surrounded by high fences, watch towers, and armed guards. People have been trafficked from more than 60 countries. Around 120,000 people are likely held in scam compounds across Myanmar, according to one United Nations report from 2023, with another 100,000 captive in Cambodia. (Starlink has recently agreed to increase its availability in Cambodia, according to local reports.)

Within the compounds, which often have close links to Chinese organized crime groups and online gambling syndicates, victims are typically forced to work day and night to scam hundreds of people at a time. This includes carrying out long-running investment scams that have netted criminals up to $75 billion over the past few years. If the trafficking victims don’t comply, they are often beaten or tortured. Escape or paying a ransom is often the only way out.

Stable internet connections are crucial for the operations to be successful—from the initial targeting of potential human trafficking victims with false job postings to daily scamming and ultimately money laundering. Palm Naripthaphan, an executive adviser at Thailand’s National Broadcasting and Telecommunications Commission (NBTC), says scam centers along the border have historically used mobile connections from cell carriers in Myanmar or Thailand. They can also connect to fiber-optic cables in Thailand or run them across the river Moei, Naripthaphan says. Increasingly, Naripthaphan believes, Starlink has played a role.

The Musk-owned satellite system is composed of multiple elements. More than 6,000 Starlink satellites orbit Earth and beam down internet connectivity to white, rectangular Starlink dishes (dubbed Dishy McFlatface). Some are portable and easy to set up, and they provide internet connections in areas where there is little or no other options, including war zones such as Ukraine.

Starlink is not officially licensed in Myanmar, which has been embroiled in a bloody civil war since a military coup in 2021, and the service has reportedly been banned by the military junta. The company’s coverage map doesn’t list any availability in the country. But this hasn’t stopped Starlink terminals working and being frequently used in Myanmar to combat frequent internet shutdowns.

“It’s really the best thing going,” says David Eubank, the founder of the Free Burma Rangers, a Christian organization that provides humanitarian aid and tracks human rights abuses in Myanmar. The group uses around 80 Starlink systems to coordinate humanitarian relief, he says, adding that any blanket ban would be harmful. “If you can find perpetrators who are misusing it, you penalize them, but you don't just shut the whole network down.”

Across eight known scam compound areas—KK Park, Tai Chang, Dongmei, Huanya, UK Compound, Gate 25, Apolo, and Shwe Kokko—mobile phones have logged thousands of occurrences of getting online using Starklink’s networks in recent months, according to data seen by WIRED. At least 412 devices listed Starlink as their internet provider at the compound locations between November and February, according to an analyst with access to location data from the online advertising industry. In total, 40,800 instances were logged.

“Last summer, when I was pulling data and I started to see Starlink pop up, I was surprised. Now I would be surprised if I pulled data for a compound and it didn’t have at least one Starlink connection pop up,” says the analyst, who was granted anonymity because they don’t have permission to talk publicly about the tools they use. At every compound they have checked, they say, they have found data indicating Starlink usage.

The analyst used an ad-tech tool, which they declined to name, to search areas around known scam compounds for records of mobile phone usage. The murky data broker industry sells highly specific data that’s collected by apps people use on their phones. The tool used by the analyst provides a phone’s IP address, physical coordinates, and the internet service provider they are using. The full results for the compounds included internet and cell providers from Thailand, Myanmar cell carriers, remote servers, and Starlink, the analyst says.

At KK Park, one of the largest and well-known scamming sites, which is shown above, at least 127 devices recorded 24,000 Starlink connections over three months. In total, 2,907 devices were active in the area, although around 800 of these did not list any particular carrier data, the analyst says.

“I am confident that everything that we’re seeing in the data is linked to scams in some way,” the analyst says, noting that the victims who are forced to run scams are often given multiple mobile phones or telephone numbers to run the scams. They say the data is a snapshot and likely an undercount of how often Starlink is used. IP addresses in the data frequently point to Malaysia, the analyst says, indicating that may be where the systems are registered.

While multiple devices can connect to a single Starlink terminal, it’s unclear how many physical Starlink receivers are at the compounds. A standard Starlink kit can cover an area of up to 297 square meters, while a smaller version covers up to 112 square meters, according to Starlink’s website. The analyst suggests that multiple Starlink systems may be used at some compounds because multiple criminal groups work from the same locations.

Photos of the Tai Chang compound—where the trafficking victim who complained about Starlink is still based—appear to show dozens of Starlink receiver dishes. Dozens of white, small objects are positioned on top of the buildings. “They just put \[Starlink\] on the roof, and we have the photos,” Rome, the Thai politician, alleges.

Naripthaphan, from Thailand’s NBTC regulator, says that officials have been trying to disrupt internet connections to the scam compounds—including limiting cell coverage, cutting connections, and dismantling base stations—since May 2024. “They start using \[Starlink\] when the mobile operators start shutting down the services across the border and we start arresting all the broadband fiber connectivities that are smuggling through the channels,” he says. “We see that increase in Starlink users when those services are being blocked.” Naripthaphan says the NBTC has been talking with SpaceX to get Starlink regulated in the country.

Over the past year, according to a United Nations Office on Drugs and Crime report published in October, officials in Thailand seized 78 Starlink receivers that are believed to have been heading for scam compounds in Myanmar. Other Starlink devices have been seized by Myanmar’s government.

At the start of February, Thailand cut internet connections, electricity, and fuel supplies to some areas around the compounds. Thousands of people have since been rescued by officials in one of the most widespread crackdowns on the compounds so far. Mechelle B Moore, the CEO of anti-trafficking nonprofit Global Alms Incorporated, says some shelters are struggling to cope with the amount of people being freed. But past efforts to disrupt scam operations by shutting off internet connections have not been effective, partly due to Starlink connectivity.

“We have not heard of any companies shutting down or suspending operations because they don’t have access to the internet,” says Moore, who adds that multiple trafficking survivors she has spoken with have mentioned their use of Starlink. “Victims will all confirm that they’re flipped over to Starlink or they use cellular dongles with SIM cards in them. When one doesn’t work, they just flick over to the other. It doesn’t stop operations at all.”

Following the start of the most recent crackdown, the analyst with access to data about Starlink use says, records show that at least six of the compounds have devices accessing Starlink.

Elon Musk’s Starlink Is Keeping Modern Slavery Compounds Online

Cloud “container” defenses have inconsistencies that can give attackers too much access. A new company, Edera, is taking on that challenge and the problem of the male-dominated startup world.

While working on internet-of-things security in the mid-2010s, Alex Zenla realized something troubling.

Unlike PCs and servers that touted the latest, greatest processors, the puny chips in IoT devices couldn't support the cloud protections other computers were using to keep them siloed and protected. As a result, most embedded devices were attached directly to the local network, potentially leaving them more vulnerable to attack. At the time, Zenla was a prodigious teen, working on IoT platforms and open source, and building community in Minecraft IRC channels. After puzzling over the problem for a few years, she started working on a technology to make it possible for nearly any device to run in its own isolated cloud space, known as a “container.” Now, a decade later, she's one of three female cofounders of a security company that's trying to change how cloud infrastructure shares resources.

Known as Edera, the company makes cloud workload isolation tech that may sound like a niche tool, but it aims to address a universal security problem when many applications or even multiple customers are using shared cloud infrastructure. Ever-growing AI workloads, for example, rely on GPUs for raw processing power instead of standard CPUs, but these chips have been designed for maximum efficiency and capacity rather than with guardrails to separate and protect different processes. As a result, an attacker that can compromise one region of a system is much more likely to be able to pivot from there and gain more access.

“These problems are very hard, both on the GPU and the container isolation, but I think people were too wiling to accept trade-offs that were not actually acceptable,” Zenla says.

After a $5 million seed round in October, Edera today announced a $15 million series A led by Microsoft's venture fund, M12. The latest in granular funding news is nothing remarkable in itself, but Edera's momentum is notable given the current, muted VC landscape and, particularly, the company's all-female roster of founders, which includes two trans women.

In the United States and around the world, venture funding for tech startups has always been a boys club with the vast majority of VC dollars going to male founders. Female founders who do get initial backing have a more difficult time raising subsequent rounds than men and face much steeper odds founding another company after one fails. And those headwinds are only getting stronger as the Trump administration in the US and Big Tech mount an assault on diversity, equity, and inclusion initiatives meant to raise awareness about these types of realities and foster inclusivity.

“We can’t ignore the fact that we are a small minority in our industry, and that a lot of the changes that are happening around us are not lifting us up,” says Edera CEO and cofounder Emily Long. “We take great pride and responsibility in continuing to be in the front on this. Since our founding, I can't tell you how many incredibly technical, talented women have proactively asked us to hire them from large institutions. So you start to see that just by existing and being different, you are showing what’s possible.”

For Zenla, Long, and cofounder Ariadne Conill, who has an extensive background in open source software and security, the goal of developing Edera's container isolation technology is to make it easy (at least relatively speaking) for network engineers and IT managers to implement robust guardrails and separation across their systems so an exploited vulnerability in one piece of network equipment or a rogue insider situation won't—and can't—spiral into a disastrous mega-breach.

“People have legacy applications in their infrastructure and use end-of-life software; there’s no way to do security and believe that you can always patch every existing vulnerability,” Long says. “But it inherently creates a pretty large risk profile. And then on top of that, containers were never originally designed to be isolated from each other, so you had to choose between innovation and performance and security, and we don’t want people to have that trade-off anymore.”

A Team of Female Founders Is Launching Cloud Security Tech That Could Overhaul AI Protection

An alleged job scam, led by “Aiden” from “OpenAI,” recruited workers in Bangladesh for months before disappearing overnight, according to FTC complaints obtained by WIRED.

A Bangladeshi worker was eager to get started at their new OpenAI job—completing basic online tasks in exchange for consistent income, while getting into cryptocurrency investing at the same time. After connecting with the startup on Telegram and creating an account through a ChatGPT\-branded app, they invested crypto into the platform and began a months-long job working for “Aiden” from “OpenAI.”

The work was performed through the website “OpenAi-etc,” and internal conversations were held on Telegram. It was simple: Invest some crypto, complete a few tasks, and earn daily profits based on what was invested.

Over the course of this worker’s time with the company, mentors continuously encouraged them to invest more money into the fund and recruit more Bangladeshi people to the team. When the worker convinced over 150 to join and the mentors split the growing team of “brokers” into a hierarchy based on seniority, it all felt very real. The total crypto-investment fund for their team was around $50,000. After a devastating cyclone hit Bangladesh in May, company leaders supposedly helped those in need, further earning the trust of employees.

All seemed well until the morning of August 29, 2024, when everyone woke up to find that the website, all of their money, Aiden, and the other fake OpenAI employees had vanished overnight. The job, of course, was never with OpenAI at all, former workers say.

“I’ve seen similar scams where, at the beginning, you think you are making profit, and then basically you invest more and more,” says Shirin Nilizadeh, an associate professor at the University of Texas at Arlington who focuses on security and privacy. “Then, suddenly, you lose everything.”.

The story of the scammed “OpenAI” worker is from just one of 11 complaints about OpenAi-etc submitted to the US Federal Trade Commission by workers from Bangladesh last year, seven of which mention “Aiden.” Analysis of the complaints, obtained by WIRED through a public records request, reveal a potentially widespread job scam that used OpenAI’s name recognition to allegedly trick low-wage workers out of their savings. While some people describe getting started with OpenAi-etc in June or July, others believed they were working for the company for around six months.

The first FTC complaint obtained by WIRED, lodged over two months before the August 29 rug pull, says the complainant was invited by OpenAi-etc to invest around $170 in crypto. The person mentions an American registration number for the business, confirming it was in good standing with Colorado regulators and listing a physical office in Denver. The complaint also highlights a legitimate-looking money service business registered with the US Treasury’s Financial Crimes Enforcement Network, which lists the company’s location as an office inside the Empire State Building in New York City.

A WIRED review of domain name system records for the now-defunct OpenAi-etc website shows that it appears to have been hosted by a China-based web hosting company.

Jay Mayfield, a senior public affairs specialist at the FTC, declined WIRED’s request to confirm whether the group is looking into OpenAi-etc, saying that investigations are nonpublic. Mayfield did not answer additional questions about what steps the FTC is taking to prevent similar scams or provide better assistance for international victims.

“Regrettably, I found no available source online to know more about this organization except for those registrations,” wrote the complainant. “They are collecting huge amounts of investment from third world countries in Asia.”

One of the FTC complaints alleges that over 6,000 people in Bangladesh were potentially impacted by the OpenAi-etc job scam. The ages listed in the FTC complaints range from teenagers to people in their fifties, with locations spread across multiple Bangladesh cities, from Dhaka to Khulna.

“My next trading date was 29 August, 2024,” wrote another complainant. “I made the trade with my whole amount in the evening. But, suddenly, the OpenAI company vanished. I didn’t withdraw any money but lost both capital and profit. Now, I am in a great economic crisis, as I am a normal school teacher.”

Niko Felix, a spokesperson for OpenAI, declined to answer questions about whether the startup was previously aware of the “OpenAi-etc” scam, or if they planned to take action against the fraudsters. But he did share that OpenAI is investigating the matter. The alleged scam website is no longer available online, and WIRED was not able to contact the people behind "OpenAi-etc" prior to publication.

A Telegram spokesperson using the name Remi Vaughn tells WIRED that the company monitors its platform for scams, such as those allegedly carried out by OpenAi-etc, which used the messaging app to communicate with people who believed they were working for the company.

"Telegram actively moderates harmful content on its platform, including scams," Vaughn says in a statement sent to WIRED through the messaging platform. "Moderators empowered with custom Al and machine learning tools proactively monitor public parts of the platform and accept reports from users and organizations in order to remove millions of pieces of harmful content each day."

The usual pattern of a crypto job scam is to trick people into depositing some kind of digital currency into a fake account the victim believes they have control over, until the perpetrator drains it one day without warning. While this specific rug pull used OpenAI’s branding to allegedly dupe its victims, a crypto job scam can happen with the name of any company that has enough widespread recognition for criminals to capitalize on.

“These social engineering scams are designed to lower our natural suspicion and to make us complicit in our own deception,” says Arun Vishwanath, a cybersecurity expert and author of _The Weakest Link_. “For job scams, they try to turn our ambitions and inherent trust in brands into a vulnerability.” Similar to so-called pig butchering investment scams, a key component often includes direct messages over a long period of time to cultivate a sense of trust with the targets.

Although comparable job scams happen all over the world, Vishwanath believes that Asian cultural norms of so-called high power distance, where there’s more acceptance of interpersonal hierarchies, are a contributing factor. "Authorities are expected to ask you things and make you do things," he says. "And you just comply." Scammers are taking advantage of this by imitating authority figures and leaning into the sense of urgency inherent to searching for a job.

Bangladeshi citizens on the difficult hunt for reliable work have increasingly been targeted by job scammers in recent years. Lies about international job opportunities have left throngs of would-be workers stranded in Malaysia, and at least three cases of kidney organ theft were reported by people lured to India with false promises of work.

‘OpenAI’ Job Scam Targeted International Workers Through Telegram

In the epic US-Russian prisoner swap last summer, Vladimir Putin brought home an assassin, spies, and another prized ally: the man behind one of the biggest insider trading cases of all time.

This Russian Tech Bro Helped Steal $93 Million and Landed in US Prison. Then Putin Called

A WIRED investigation goes inside the Telegram groups targeting women who joined “Are We Dating the Same Guy?” groups on Facebook with doxing, harassment, and sharing of nonconsensual intimate images.

In late January, a warning spread through the London-based Facebook group Are We Dating the Same Guy?—but this post wasn’t about a bad date or a cheating ex. A connected network of male-dominated Telegram groups had surfaced, sharing and circulating nonconsensual intimate images of women. Their justification? Retaliation.

On January 23, users in the AWDTSG Facebook group began warning about hidden Telegram groups. Screenshots and TikTok videos surfaced, revealing public Telegram channels where users were sharing nonconsensual intimate images. Further investigation by WIRED identified additional channels linked to the network. By scraping thousands of messages from these groups, it became possible to analyze their content and the patterns of abuse.

AWDTSG, a sprawling web of over 150 regional forums across Facebook alone, with roughly 3 million members worldwide, was designed by Paolo Sanchez in 2022 in New York as a space for women to share warnings about predatory men. But its rapid growth made it a target. Critics argue that the format allows unverified accusations to spiral. Some men have responded with at least three defamation lawsuits filed in recent years against members, administrators, and even Meta, Facebook’s parent company. Others took a different route: organized digital harassment.

Primarily using Telegram group data made available through Telemetr.io, a Telegram analytics tool, WIRED analyzed more than 3,500 messages from a Telegram group linked to a larger misogynistic revenge network. Over 24 hours, WIRED observed users systematically tracking, doxing, and degrading women from AWDTSG, circulating nonconsensual images, phone numbers, usernames, and location data.

From January 26 to 27, the chats became a breeding ground for misogynistic, racist, sexual digital abuse of women, with women of color bearing the brunt of the targeted harassment and abuse. Thousands of users encouraged each other to share nonconsensual intimate images, often referred to as “revenge porn,” and requested and circulated women’s phone numbers, usernames, locations, and other personal identifiers.

As women from AWDTSG began infiltrating the Telegram group, at least one user grew suspicious: “These lot just tryna get back at us for exposing them.”

When women on Facebook tried to alert others of the risk of doxing and leaks of their intimate content, AWDTSG moderators removed their posts. (The group’s moderators did not respond to multiple requests for comment.) Meanwhile, men who had previously coordinated through their own Facebook groups like “Are We Dating the Same Girl” shifted their operations in late January to Telegram's more permissive environment. Their message was clear: If they can do it, so can we.

"In the eyes of some of these men, this is a necessary act of defense against a kind of hostile feminism that they believe is out to ruin their lives," says Carl Miller, cofounder of the Center for the Analysis of Social Media and host of the podcast _Kill List_.

The dozen Telegram groups that WIRED has identified are part of a broader digital ecosystem often referred to as the manosphere, an online network of forums, influencers, and communities that perpetuate misogynistic ideologies.

“Highly isolated online spaces start reinforcing their own worldviews, pulling further and further from the mainstream, and in doing so, legitimizing things that would be unthinkable offline,” Miller says. “Eventually, what was once unthinkable becomes the norm.”

This cycle of reinforcement plays out across multiple platforms. Facebook forums act as the first point of contact, TikTok amplifies the rhetoric in publicly available videos, and Telegram is used to enable illicit activity. The result? A self-sustaining network of harassment that thrives on digital anonymity.

TikTok amplified discussions around the Telegram groups. WIRED reviewed 12 videos in which creators, of all genders, discussed, joked about, or berated the Telegram groups. In the comments section of these videos, users shared invitation links to public and private groups and some public channels on Telegram, making them accessible to a wider audience. While TikTok was not the primary platform for harassment, discussions about the Telegram groups spread there, and in some cases users explicitly acknowledged their illegality.

TikTok tells WIRED that its Community Guidelines prohibit image-based sexual abuse, sexual harassment, and nonconsensual sexual acts, and that violations result in removals and possible account bans. They also stated that TikTok removes links directing people to content that violates its policies and that it continues to invest in Trust and Safety operations.

Intentionally or not, the algorithms powering social media platforms like Facebook can amplify misogynistic content. Hate-driven engagement fuels growth, pulling new users into these communities through viral trends, suggested content, and comment-section recruitment.

As people caught notice on Facebook and TikTok and started reporting the Telegram groups, they didn’t disappear—they simply rebranded. Reactionary groups quickly emerged, signaling that members knew they were being watched but had no intention of stopping. Inside, messages revealed a clear awareness of the risks: Users knew they were breaking the law. They just didn’t care, according to chat logs reviewed by WIRED. To absolve themselves, one user wrote, “I do not condone im \[simply\] here to regulate rules,” while another shared a link to a statement that said: “I am here for only entertainment purposes only and I don’t support any illegal activities.”

Meta did not respond to a request for comment.

Messages from the Telegram group WIRED analyzed show that some chats became hyper-localized, dividing London into four regions to make harassment even more targeted. Members casually sought access to other city-based groups: “Who’s got brum link?” and “Manny link tho?”—British slang referring to Birmingham and Manchester. They weren’t just looking for gossip. “Any info from west?” one user asked, while another requested, “What’s her @?”— hunting for a woman’s social media handle, a first step to tracking her online activity.

The chat logs further reveal how women were discussed as commodities. “She a freak, I’ll give her that,” one user wrote. Another added, “Beautiful. Hide her from me.” Others encouraged sharing explicit material: “Sharing is caring, don’t be greedy.”

Members also bragged about sexual exploits, using coded language to reference encounters in specific locations, and spread degrading, racial abuse, predominantly targeting Black women.

Once a woman was mentioned, her privacy was permanently compromised. Users frequently shared social media handles, which led other members to contact her—soliciting intimate images or sending disparaging texts.

Anonymity can be a protective tool for women navigating online harassment. But it can also be embraced by bad actors who use the same structures to evade accountability.

"It’s ironic," Miller says. "The very privacy structures that women use to protect themselves are being turned against them."

The rise of unmoderated spaces like the abusive Telegram groups makes it nearly impossible to trace perpetrators, exposing a systemic failure in law enforcement and regulation. Without clear jurisdiction or oversight, platforms are able to sidestep accountability.

Sophie Mortimer, manager of the UK-based Revenge Porn Helpline, warned that Telegram has become one of the biggest threats to online safety. She says that the UK charity’s reports to Telegram of nonconsensual intimate image abuse are ignored. “We would consider them to be noncompliant to our requests,” she says. Telegram, however, says it received only “about 10 piece of content” from the Revenge Porn Helpline, “all of which were removed.” Mortimer did not yet respond to WIRED’s questions about the veracity of Telegram’s claims.

Despite recent updates to the UK’s Online Safety Act, legal enforcement of online abuse remains weak. An October 2024 report from the UK-based charity The Cyber Helpline shows that cybercrime victims face significant barriers in reporting abuse, and justice for online crimes is seven times less likely than for offline crimes.

"There’s still this long-standing idea that cybercrime doesn’t have real consequences," says Charlotte Hooper, head of operations of The Cyber Helpline, which helps support victims of cybercrime. "But if you look at victim studies, cybercrime is just as—if not more—psychologically damaging than physical crime."

A Telegram spokesperson tells WIRED that its moderators use “custom AI and machine learning tools” to remove content that violates the platform's rules, “including nonconsensual pornography and doxing.”

“As a result of Telegram's proactive moderation and response to reports, moderators remove millions of pieces of harmful content each day,” the spokesperson says.

Hooper says that survivors of digital harassment often change jobs, move cities, or even retreat from public life due to the trauma of being targeted online. The systemic failure to recognize these cases as serious crimes allows perpetrators to continue operating with impunity.

Yet, as these networks grow more interwoven, social media companies have failed to adequately address gaps in moderation.

Telegram, despite its estimated 950 million monthly active users worldwide, claims it’s too small to qualify as a “Very Large Online Platform” under the European Union’s Digital Service Act, allowing it to sidestep certain regulatory scrutiny. “Telegram takes its responsibilities under the DSA seriously and is in constant communication with the European Commission,” a company spokesperson said.

In the UK, several civil society groups have expressed concern about the use of large private Telegram groups, which allow up to 200,000 members. These groups exploit a loophole by operating under the guise of “private” communication to circumvent legal requirements for removing illegal content, including nonconsensual intimate images.

Without stronger regulation, online abuse will continue to evolve, adapting to new platforms and evading scrutiny.

The digital spaces meant to safeguard privacy are now incubating its most invasive violations. These networks aren’t just growing—they’re adapting, spreading across platforms, and learning how to evade accountability.

Inside the Telegram Groups Doxing Women for Their Facebook Posts

On Monday morning, TV sets at the headquarters of the Department of Housing and Urban Development played the seemingly AI-generated video on loop, along with the words “LONG LIVE THE REAL KING.”

Federal employees at the Department of Housing and Urban Development (HUD) were greeted this morning by television sets at the agency’s Washington, DC, headquarters playing what appears to be an AI-generated video of President Donald Trump kissing the feet of Elon Musk, accompanied by the words “LONG LIVE THE REAL KING.”

A person at HUD headquarters on Monday morning shared a video with WIRED showing the scene playing out on a loop on a TV screen inside the Robert C. Weaver Federal Building. The source, who was granted anonymity over fears of repercussions, says that workers at the building had to manually turn off each TV in order to stop the video playing.

It is currently unclear who was behind the prank. Similar AI-generated videos and still images of Trump kissing Musk’s feet have been shared on social media platforms since last year.

“Another waste of taxpayer dollars and resources,” Kasey Lovett, a HUD spokesperson tells WIRED. “Appropriate action will be taken for all involved.”

The White House did not immediately respond to a request for comment.

The incident came just days after leaked documents showed that Elon Musk’s so-called Department of Government Efficiency (DOGE) project was planning to eradicate 4,000 employees at the agency, which is in the midst of dealing with a US housing crisis.

NPR reported this weekend that HUD’s Office of Community Planning and Development is slated to lose 84 percent of its staff according to leaked documents.

“We’ve decided internally to start notifying our grantees—every mayor, county head, governor, nonprofit CEO, and congressional earmark recipient—that they should anticipate a loss or significant unpredictable delay in funding,” a current HUD employee tells WIRED.

Over the weekend, employees at HUD, like many other federal workers, received an email from the Office of Personnel Management demanding a reply with “approx. 5 bullets of what you accomplished last week.”

Leadership at many of the agencies, as well as federal workers’ union leaders, told their members not to respond to the emails, while HUD leadership told employees to wait until at least noon on Monday before taking any action, a HUD source tells WIRED.

TVs at HUD Played an AI-Generated Video of Donald Trump Kissing Elon Musk’s Feet

Plus: Apple turns off end-to-end encrypted iCloud backups in the UK after pressure to install a backdoor, and two spyware apps expose victim data—and the identities of people who installed the apps.

As the so-called Department of Government Efficiency continues to rampage through the United States government by making sweeping cuts to the federal workforce, numerous ongoing lawsuits allege that the group’s access to sensitive data violates the Watergate-inspired Privacy Act of 1974 and that it needs to halt its activity. Meanwhile, DOGE cut staff this week at the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and gained access to CISA’s digital systems after the agency had already frozen its eight-year-old election security initiatives late last week.

The National Institute of Standards and Technology was also bracing this week for roughly 500 staffers to be fired, which could have serious impacts on NIST’s cybersecurity standards and software vulnerability tracking work. And cuts last week at the US Digital Service included the cybersecurity lead for the central Veterans Affairs portal, VA.gov, potentially leaving VA systems and data more vulnerable without someone in his role.

Multiple US government departments are now considering bans on China-made TP-Link routers following recent aggressive Chinese digital espionage campaigns. (The company denies any connection to cyberattacks.) A WIRED investigation found that users of Google’s ad tech can target categories that shouldn’t be available under the company’s policies, including people with chronic diseases or those in debt. Advertisers could also target national security “decision makers” and people involved in the development of classified defense technology.

Google researchers warned this week that hackers tied to Russia have been tricking Ukrainian soldiers with fake QR codes for Signal group invites that exploited a flaw to allow the attackers to spy on target messages. Signal has rolled out updates to stop exploitation. And a WIRED deep dive examines how difficult it can be for even the most connected web users to have nonconsensual intimate images and videos of themselves removed from the web.

And there's more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

Running a cryptocurrency exchange is a risky business, as hacking victims like Mt. Gox, Bitfinex, FTX, and plenty of others can attest. But never before has a platform for buying and selling crypto lost a 10-figure dollar sum in a single heist. That new record belongs to ByBit, which on Friday revealed that thieves hacked its Ethereum-based holdings. The hackers made off with a sum that totals to $1.4 billion, according to an estimate by cryptocurrency tracing firm Elliptic—the largest crypto theft of all time by some measures.

ByBit CEO Ben Zhou wrote on X that the hackers had used a “musked transaction”—likely a misspelling of “masked transaction”—to trick the exchange into cryptographically signing a change in the code of the smart contract controlling a wallet holding its stockpile of Ethereum. “Please rest assured that all other cold wallets are secure,” Zhou wrote, suggesting that the exchange remained solvent. “All withdraws are NORMAL.” Zhou later added in another note on X that the exchange would be able to cover the loss, which if true suggests that no users will lose their funds.

The theft dwarfs other historic hacks of crypto exchanges like Mt. Gox and FTX, each of which lost sums of cryptocurrency that were worth hundreds of millions of dollars at the time the thefts were discovered. Even the stolen loot from the 2016 Bitfinex heist, which was worth close to $4.5 billion at the time the thieves were identified and the majority of the funds recovered in 2022, was only worth $72 million at the time of the theft. ByBit’s $1.4 billion is by that measure a far bigger loss and, considering that all crypto thefts in 2024 totaled to $2.2 billion, according to blockchain analysis firm Chainalysis, a stunning new benchmark in crypto crime.

**Bowing to a Government Demand, Apple Disables iCloud End-to-End Encryption in the UK**

The British government earlier this month raised privacy alarms worldwide when it demanded that Apple give it access to users’ end-to-end encrypted iCloud data. That data had been protected with Apple’s Advanced Data Protection feature, which encrypts stored user information such that no one other than the user can decrypt it—not even Apple. Now Apple has caved to the UK’s pressure, disabling that end-to-end encryption feature for iCloud across the country. Even as it turned off that protection, Apple expressed its reluctance in a statement: "Enhancing the security of cloud storage with end-to-end-encryption is more urgent than ever before," the company said. "Apple remains committed to offering our users the highest level of security for their personal data and are hopeful that we will be able to do so in future in the UK." Privacy advocates worldwide have argued that the move—and the UK’s push for it—will weaken the security and privacy of British citizens and leave tech companies vulnerable to similar surveillance demands from other governments around the world.

**Cocospy and Spyic Stalkerware Apps Expose Millions of Victims’ Data Online**

The only thing worse than the scourge of stalkerware apps—malware installed on phones by snooping spouses or other hands-on spies to surveil virtually all of the victim’s movements and communications—is when those apps are so badly secured that they also leak victims’ information onto the internet. Stalkerware apps Cocospy and Spyic, which appear to have been developed by someone in China and largely share the same source code, left data stolen from millions of victims exposed, thanks to a security vulnerability in both apps, according to a security researcher who discovered the flaw and shared information about it with TechCrunch. The exposed data included messages, call logs, and photos, TechCrunch found. In a karmic twist, it also included millions of email addresses of the stalkerware’s registered users, who had themselves installed the apps to spy on victims.

Source

Wired