Customs and Border Protection has broad authority to search travelers’ devices when they cross into the United States. Here’s what you can do to protect your digital life while at the US border.

Entering the United States has become more precarious since the start of the second Trump administration in January. There has been an apparent surge in both foreign visitors and US visa holders being detained, questioned, and even deported at the border. As the situation evolves, demand for flights from Canada and Europe has plummeted as people reevaluate their travel plans.

Many people, though, can’t avoid border crossings, whether they are returning home after traveling for work or visiting friends and family abroad. Regardless of the reason for travel, US Customs and Border Protection (CBP) officials have the authority to search people’s phones and other devices as they determine who is allowed to enter the country. Multiple travelers have reported being questioned or turned away at the US border in recent weeks in relation to content on their phones.

While not unique to the US border—other nations also have powers to inspect phones—the increasingly volatile nature of the Trump administration’s border policies is causing people to rethink the risks of carrying devices packed with personal information to and from the US. Canadian authorities have updated travel guidance to warn of phone searches and seizures, some corporate executives are reconsidering the devices they carry, some officials in Europe continue to receive burner phones for certain trips to the US, and the Committee to Protect Journalists has warned foreign reporters about device searches at the US border.

With this in mind, here’s the WIRED guide to planning for bringing a smartphone across the border. You should also use WIRED’s guide to entering the US with your digital privacy intact to get a broader view of how to minimize data and take precautions. But start here for everything smartphone.

**What Can CBP Access?**

Do CBP officials have the authority to search your phone at the border? The short answer is yes. Searches are either manual, with a border official looking through the device, or more advanced, involving forensic tools to extract data en masse. To get into your phone, border officials can ask for your PIN or biometric to unlock the phone. However, your legal status and right to enter the US will make a difference in what a search might look like at the border.

Generally, border zones—which includes US international airports—fall outside of Fourth Amendment protections that require a warrant for a device to be searched (though one federal court has ruled otherwise). As such, CBP has the power to search any traveler’s phone or other electronic devices, such as computers and cameras, when they’re entering the country. US citizens and green card holders can refuse a device search without being denied entry, but they may face additional questioning or temporary device seizure. And as the Trump administration pushes the norms of acceptable government conduct, it is possible that, in practice, green card holders could face new repercussions for declining a device search. US visa holders and foreign visitors can face detention and deportation for refusing a device search.

“Not everybody has the same risk profile,” says Molly Rose Freeman Cyr, a member of Amnesty International’s Security Lab. “A person’s legal status, the social media accounts that they use, the messaging apps that they use, and the contents of their chats” should all factor into their risk calculus and the decisions they make about border crossings, Cyr says.

If you feel safe refusing a search, make sure to disable biometrics used to unlock your device, like face or fingerprint scanners, which CBP officers can use to access your device. Instead, use only a PIN or an alphanumeric code (if available on your device). Make sure to keep your phone’s operating system up to date, which can make it hard to crack with forensic tools.

You should also consider factors like nationality, citizenship, profession, and geopolitical views in assessing whether you or someone you’re traveling with could be at higher risk of scrutiny during border crossings.

In short, you need to make some decisions before you travel about whether you would be prepared to refuse a device search and whether you want to make changes to your devices before your trips.

Keep in mind that there are simple steps anyone can take to keep your devices out of sight and, hopefully, out of mind during border crossings. It’s always a good idea to obtain a printed boarding pass or prepare other paper documents for review and then turn your phone off and store it in your bag before you approach a CBP agent.

**Traveling With an Alternate Phone**

There are two ways to approach device privacy for border crossings. One is to start with a clean slate, purchasing a phone for the purpose of traveling or wiping and repurposing your old phone—if it still receives software updates.

The device doesn’t need to be a true “burner” phone, in the sense that you will be carrying it with you as if nothing is out of the ordinary, so you don’t need to purchase it with cash or take other steps to ensure that it can’t be connected to you. The idea, though, is to build a sanitized version of your digital life on the travel phone, ideally with separate communication and social media accounts created specifically for travel. This way, if your device is searched, it won’t have the back catalog of data—old text messages, years of photos, forgotten apps, and access to many or all of your digital accounts—that exists on your primary phone and could reveal details of your political views, your associations, or your movements over time.

Starting with a clean slate makes it easy to practice “data minimization,” or reducing the data available to another person: Simply put the things you’ll need for a trip on the phone without anything you won’t need. You might make a travel email address, some alternate social media accounts, and a separate account for end-to-end encrypted communications using an app like Signal or WhatsApp. Ideally you would totally silo your real digital life from this travel life. But you can also include some of your regular personal apps, building back from the ground up while determining on a selective basis whether you have existing accounts that you feel comfortable potentially exposing. Perhaps, for example, you think that showing a connection to your employer or a community organization could be advantageous in a fraught situation.

Privacy and digital rights advocates largely prefer the approach of building a travel device from scratch, but they caution that a phone that is too squeaky clean, too much like a burner phone, can arouse suspicion.

“You have to ‘seed’ the device. Use the phone for a day or even for a few hours. It just can't be _clean_ clean. That’s weird,” says Matt Mitchell, founder of CryptoHarlem, a security and privacy training and advocacy nonprofit. “My recommendation is to make a finsta for travel, because if they ask you what your profile is, how are you gonna say ‘I don't use any social media’? Many people have a few accounts anyway. One ratchet, one wholesome—add one travel.”

Cyr, from Amnesty International, also points out that a true burner phone would be a “dumb” phone, which wouldn’t be able to run apps for encrypted communications. “The advantage that we all have with smartphones is that you can communicate in an encrypted way,” Cyr says. “People should be conscious that any nonencrypted communication is less secure than a phone call or a message on an application like Signal.”

While a travel device doesn’t need to use a prepaid SIM card bought with cash, it should not share your normal phone number, since this number is likely linked to most if not all of your key digital accounts. Buy a SIM card for your trip or only use the device on Wi-Fi.

**Traveling With Your Primary Phone**

The other approach you can take to protecting your device during border crossings is to modify your primary smartphone before travel. This involves removing old photos and messages and storing them somewhere else, cleaning out nonessential apps, and either removing some apps altogether or logging out of them with your main accounts and logging back in with travel accounts.

Mohammed Al-Maskati, digital security helpline director at the rights group Access Now, says that people should consider this type of clean-out before they travel. “I will look at my device and see what apps I need,” he says. “If I don't need the app, I just remove it.”

Al-Maskati adds that he suggests people particularly remember to remove dating apps and anything related to LGBTQI communities, especially if they consider themselves to be at higher risk of facing a device search. And generally, this approach is only safe if you are particularly diligent about removing every app that might expose you to risk.

You could use your own phone as a travel phone by backing it up, wiping it, building a travel device with only the apps you really need while traveling, going on your trip, and then restoring from the backup when you get home. This approach is doable but time consuming, and it creates more opportunities for operational security mistakes or what are known as “opsec fails.” If you try to delete all of your old, unwanted apps, but miss one, you could end up exposing an old social media account or other historic service that has forgotten data in it. Messaging apps can have easily searchable archives going back years and can automatically save photos and files without you realizing it. And if you back up all of your data to the cloud and take it off your device, but are still logged into the cloud account underpinning other services (like your main Google or Apple account), you could be asked to produce the data from the cloud for inspection.

Still, if you assess that you are at low risk of facing scrutiny during a border crossing or you don’t have access to an additional device for travel, modifying your main smartphone is a good option. Just be careful.

**What To Do, If Nothing Else**

Given all of this, you may be hyped up and ready to throw your phone in the ocean. Or you may be thinking there’s no way in hell that you’re ever going to take the time to deal with any of this. For those in the latter camp, you’ve come this far, so don’t click away just yet. If you don’t want to take the time to make a bunch of changes, and you don’t think you’re at particular risk during border crossings (though keep in mind that it’s possible your risk is higher than you realize), there are still a few easy things you can do to protect your digital privacy that are better than nothing.

First, as mentioned above, print a paper boarding pass and any other documents you might need. Even if you don’t turn your phone off and stow it in a bag for your entire entry or exit process, you can put it in your pocket and have your paper ticket and other documents ready while actually interacting with agents. And taking basic digital hygiene steps, like updating your phone and removing apps and data you no longer need, can go a long way.

“We all need to be recognizing that authorities may scrutinize your online presence, including social media activity and posts you’ve published,” says Danacea Vo, founder of Cyberlixir, a cybersecurity provider for nonprofits and vulnerable communities. “Since people have gotten more vocal on social media, they’re very worried about this. Some have even decided not to risk traveling to or from the US this year.”

How to Protect Yourself From Phone Searches at the US Border

Check out the top OSINT tools of 2025, an updated list featuring the best free and paid open-source…

Check out the top OSINT tools of 2025, an updated list featuring the best free and paid open-source intelligence tools for cybersecurity and investigations.

At HackRead.com, we have a long-standing tradition of publishing comprehensive lists of the **best OSINT tools** to help cybersecurity professionals and enthusiasts stay ahead in the game. Every year, we research and evaluate the latest tools, taking into account their features, usability, and effectiveness.

For 2025, we have compiled an updated list of the most powerful, highly creative and efficient OSINT tools available, including both new and established names in the field. Whether you’re looking for free, open-source options or premium solutions, this list has you covered.

****1\. FBI Watchdog****

**FBI Watchdog** is a new OSINT tool that tracks domain seizures and DNS record updates as they happen. It notifies users about law enforcement actions and other DNS changes through Telegram and Discord, and takes screenshots of domains that get seized.

**Price:** Free

****2\. Arrests.org****

**Arrests.org** is a public database that aggregates arrest records from various US states and counties. It allows users to search for mugshots, charges, and booking information. Useful for background checks and verifying arrest records as part of OSINT investigations.

**Price:** FREE

****3\. VenariX Ransomware Alert Bot****

**VenariX** is a next-gen OSINT tool designed for automated threat intelligence and reconnaissance. It scans public data sources, dark web forums, and social media for indicators of compromise (IOCs) and threat actor activity.

VenariX also features a **Telegram bot** that automatically sends updates on the latest ransomware attacks and claims made by ransomware gangs, keeping users informed in real time.

**PRICE:** Pricing for VenariX is tiered, offering a Free version ($0), Basic version ($21/month), Pro version ($69/month), and an Enterprise level with custom pricing and advanced features.

****4\. TheHarvester****

An open-source tool designed to gather information such as email addresses, subdomains, and domain names from various public sources. **TheHarvester** is particularly useful for reconnaissance during penetration testing and vulnerability assessments.

**PRICE:** FREE

****5\. SpiderFoot****

**SpiderFoot** is an automated OSINT collection tool that aggregates intelligence from over 100 different sources. It scans domains, IP addresses, and email addresses, generating detailed reports on potential risks or threats.

**PRICE:** FREE

****6\. Recon-ng****

**Recon-ng** is a web reconnaissance tool that automates data collection from multiple sources. It integrates modules for gathering information on domains, IPs, and social media profiles, streamlining the intelligence-gathering process.

**PRICE:** FREE

****7\. OSINT Framework****

**OSINT Framework** is a structured approach that helps professionals organise and streamline the process of gathering open-source intelligence. It focuses on utilising free tools and resources available on the internet, providing a comprehensive view of publicly accessible data.

**PRICE:** FREE

****8\. Shodan****

Dubbed the “search engine for the Internet of Things,” **Shodan** allows users to discover internet-connected devices, including servers, routers, and webcams. This tool helps identify exposed devices and potential vulnerabilities within networks.

**PRICE:** PRICE: Free, Membership – $49 (One-Time Payment), Freelancer – $69/Month, Small Business – $359/Month, Corporate – $1,099/Month and Enterprise – Custom Pricing.

****9\. Wayback Machin****

An archive of old versions of websites, allowing users to access historical data. **Wayback Machine (Archive.org)** is useful for uncovering outdated or sensitive content that may have been removed but still exists in the archives.

**PRICE:** FREE

****10\. Mitaka:****

**Mitaka** is a browser extension that provides intuitive access to diverse intelligence-gathering features for efficient reconnaissance and investigative tasks. It integrates multiple OSINT modules, enabling comprehensive analysis of target entities.

**PRICE:** FREE

****11\. XposedOrNot****

XposedOrNot is a free and privacy-focused tool that lets users check whether their email addresses or passwords have appeared in known data breaches. Scanning a large database of leaked credentials helps identify compromised information and provides details about the breaches involved, such as what data was exposed.

It also includes a secure password check feature that uses client-side hashing to ensure user input remains private. In addition to its web interface, XposedOrNot offers an API for developers who want to integrate breach monitoring into their own applications.

**PRICE:** FREE and Customised for Businesses.

****12\. BuiltWith****

BuiltWith is a tool that serves as a comprehensive profiler for identifying the various technologies deployed on websites, from server frameworks to analytics and content management systems. It delivers in-depth analysis of web setups, which is crucial for competitive intelligence and technology strategy development.

**PRICE:** Basic: $295, Pro: $495, Team: $995

****13\. Telegago****

**Telegago** is an OSINT tool focused on analysing Telegram channels and groups. It tracks public and private chats (with access), monitors message trends, and performs sentiment analysis. Ideal for tracking cybercriminal groups and gathering intelligence from Telegram communities.

**PRICE:** FREE

****14\. GHunt****

**GHunt** is an OSINT tool for gathering information from Google accounts. It can extract data like public photos, YouTube channels, connected services, and more, using just an email address. GHunt is useful for profiling targets and uncovering linked accounts.

**PRICE:** FREE

****15\. FOCA****

**FOCA** (Fingerprinting Organisations with Collected Archives) is an OSINT tool that extracts metadata from publicly available documents. It analyses files like PDFs, Word documents, and images to uncover sensitive information such as usernames, software versions, and server details. Ideal for footprinting and vulnerability assessment.

**PRICE:** FREE

****16\. SkopeNow****

**SkopeNow** is a modern OSINT tool designed for social media intelligence gathering. It collects and analyses data from multiple social platforms to track user activities, posts, and interactions. Useful for profiling individuals or groups, detecting fake accounts, and monitoring public sentiment in real time.

Skopenow’s platform includes several tools designed to assist with various investigative and security needs, including:

**Analyst Help**: Provides human assistance for complex cases

**Pre-Check**: An automated system for fraud and risk signalling.

**Workbench**: A tool for streamlined and accurate people and business searches.​

**Link Analysis**: Provides automated network, relationship, and link visualisations.​

**Grid**: Offers real-time situational awareness by integrating data from social media, traffic cameras, crime reports, satellite imagery, news, and more.

**PRICE:** Skopenow does not publicly list its pricing on its website. Instead, it offers customised plans tailored to the specific needs of organisations.

****17\. Metagoofil****

**Metagoofil** is an OSINT tool that extracts metadata from publicly accessible documents such as PDFs, Word, Excel, and PowerPoint files. It gathers information like usernames, software versions, and file paths, helping identify potential vulnerabilities and system configurations during reconnaissance.

**PRICE:** FREE

****18\. Paliscope****

A comprehensive OSINT platform designed for law enforcement and intelligence professionals. It assists in collecting, analysing, and visualising data from open sources and social media.

**Paliscope** has been instrumental in tracking victims of human trafficking by aggregating data from multiple sources and creating link analyses, making it an invaluable tool for investigations and victim recovery efforts.

**PRICE:** **PRICE:** The company offers three products: Paliscope Explore, Paliscope Explore Enterprise, and Paliscope Build. Pricing depends on the selected package. The Community edition is free, the Professional edition costs $3,995 per year, and pricing for the Advanced package is available upon request.

****19\. Hunchly****

A web capture tool designed for investigators to automatically save and organise web pages during OSINT investigations. It helps maintain an audit trail, preserving evidence while browsing social media, forums, or news sites. **Hunchly** is particularly useful for building cases and tracking changes on monitored pages.

**PRICE:** 30-Day Free Trial, Classic: $109.99 / yr, Cloud: $199.99 / yr. $19.99 / month.

****20\. Lullar****

**Lullar** is an OSINT tool focused on searching for social media profiles associated with a given email address or username. It quickly scans multiple platforms to find linked accounts, helping investigators piece together a target’s online presence. Useful for profiling individuals and gathering intelligence from social networks.

**PRICE:** FREE

As powerful and versatile as these OSINT tools are, it’s important to remember that with access to public data comes responsibility. Whether you’re a cybersecurity analyst, journalist, investigator, or just exploring for personal interest, always use these tools ethically and within the boundaries of the law. The goal of OSINT is to enhance security, transparency, and understanding, not to invade privacy or misuse sensitive information.

Stay curious, but most importantly, stay respectful in your use of these resources. For more tools, tips, and updates on the evolving world of cybersecurity and open-source intelligence, keep checking back at **HackRead.com**.

2025’s Top OSINT Tools: A Fresh Take on Open-Source Intel

Google on Wednesday revealed that it suspended over 39.2 million advertiser accounts in 2024, with a majority of them identified and blocked by its systems before it could serve harmful ads to users.
In all, the tech giant said it stopped 5.1 billion bad ads, restricted 9.1 billion ads, and blocked or restricted ads on 1.3 billion pages last year. It also suspended over 5 million accounts for

Google Blocked 5.1B Harmful Ads and Suspended 39.2M Advertiser Accounts in 2024

CloudSEK uncovers a sophisticated malware campaign where attackers impersonate PDFCandy.com to distribute the ArechClient2 information stealer. Learn how…

CloudSEK uncovers a sophisticated malware campaign where attackers impersonate PDFCandy.com to distribute the ArechClient2 information stealer. Learn how this scam works and how to protect yourself.

Cybersecurity researchers at CloudSEK have a new campaign exploiting the popularity of PDFCandy.com, an online file conversion tool used by over two and a half million people, including over half a million from India alone.

As per their research, shared with Hackread.com, attackers are distributing ArechClient2 malware to steal private information like browser usernames and passwords. It is a SectopRAT family malware active since 2019 and is spread through deceptive online advertising via Google Ads or fake software updates.

Reportedly, attackers have created a fake PDF to DOCX converter that is similar to the legitimate pdfcandy.com. They have gone to great lengths to copy the look and feel of the real website. Such as they use similar web addresses to trick unsuspecting users and have “meticulously replicated the user interface of the genuine platform and registered similar-looking domain names to deceive users,” CloudSEK’s researchers noted in the blog post.

Once a user lands on one of these fake sites, they are immediately asked to upload a PDF file for conversion, playing on a common need of many internet users. It even shows a fake loading animation as if a real conversion is happening, probably to build trust.

Then, unexpectedly, it presents a CAPTCHA verification, similar to what legitimate websites use for security. This marks a critical step in the attack where “social engineering transitions to system compromise,’ the report reads. This means the attack relies on manipulating how users typically interact with websites.

The Malicious Trap (Source: CloudSEK)

Introducing CAPTCHA serves two purposes: making the fake site appear more real and allowing users to click without thinking. Next, the website instructs users to run a command using Windows’ built-in tool PowerShell, leading to a system compromise. The command analysis reveals a series of redirects, starting with an innocent link and leading to a file named “adobe.zip,” hosted on 1728611543, which has been flagged as malicious by multiple security services.

The file contains a folder called “SoundBAND” with a dangerous executable file called “audiobitexe.” The attacker launches a multi-stage attack using a legitimate Windows program and a Windows tool, launching ArechClient2 information-stealing malware.

Fake PDFCandy websites involved in the scam (Screenshot: CloudSEK)

It is worth noting that the FBI warned on March 17, 2025, about malicious online file converters being used to distribute harmful software, so this threat is not new.

“Cybercriminals across the globe are using any type of free document converter or downloader tool. This might be a website claiming to convert one type of file to another, such as a .doc file to a .pdf file. It might also claim to combine files, such as joining multiple .jpg files into one .pdf file. The suspect program might claim to be an MP3 or MP4 downloading tool,” the agency explained.

To protect against such threats, you should be cautious when using online file conversion services, verify website legitimacy before uploading files, pay attention to URLs, and be wary of unexpected prompts.

Fake PDFCandy File Converter Websites Spread Malware

Cheap Android phones with preinstalled malware use fake apps like WhatsApp to hijack crypto transactions and steal wallet recovery phrases.

A new wave of smartphone-based attacks is draining crypto wallets without victims ever realizing it. According to researchers at Doctor Web, a surge in malware-laced Android phones has exposed a coordinated operation where attackers are embedding spyware directly into the software of newly sold devices. The goal is to intercept cryptocurrency transactions through a hijacked version of WhatsApp.

****Cheap Phones, Expensive Consequences****

The phones in question look familiar. Models like the “S23 Ultra,” “Note 13 Pro,” and “P70 Ultra” imitate premium brands with sleek branding and tempting specs. But beneath the surface, they’re running older software despite claiming to have the latest Android version, and they come with malicious software within.

The infected devices ship with preinstalled, modified versions of WhatsApp that operate as clippers, which are malicious programs designed to replace copied cryptocurrency wallet addresses with the attacker’s own. Once installed, this fake WhatsApp quietly swaps out wallet strings for popular coins like Ethereum and Tron whenever users send or receive them through chat.

Even more worrying, victims never see anything suspicious. The malware shows the correct wallet address on the sender’s screen but delivers the wrong one to the receiver and vice versa. Everything looks normal until the money disappears.

****Not Just WhatsApp****

The attackers didn’t stop at one app. According to Dr. Web’s report, researchers found nearly 40 fake applications, including Telegram, crypto wallets like Trust Wallet and MathWallet, QR code readers, and others. The technique behind the infection relies on a tool called LSPatch, which allows modifications without altering the core app code. This method not only evades detection but also lets the malicious code survive updates.

What makes this campaign particularly dangerous is the supply chain angle. Researchers believe the infection occurred at the manufacturing stage, meaning these phones were compromised before reaching store shelves. Many devices originate from smaller Chinese brands, with some models linked to a label called “SHOWJI.” Others remain untraceable.

SHOWJI S19 Pro

Note 30i

Camon 20

SHOWJI Note 13 Pro

S23 Ultra

P70 Ultra

SHOWJI X100S Pro

S18 Pro

M14 Ultra

SHOWJI Reno12 Pro

6 Pro

S24 Ultra

Smartphone models identified by Dr. Web to be malicious

****Beyond Message Hijacking****

The spyware doesn’t just swap out wallet addresses; it digs through targeted devices’ image folders like DCIM, Downloads, and Screenshots, looking for pictures of recovery phrases. A lot of people snap screenshots of these for convenience, but those phrases are the master keys to their crypto wallets. If attackers get their hands on them, they can drain the account in minutes.

To make things worse, the malicious WhatsApp update system doesn’t point to official servers. Instead, it fetches updates from domains controlled by the hackers, ensuring the spyware stays functional and up to date.

So far, Doctor Web has identified over 60 servers and 30 domains used in the campaign. Some attacker wallets linked to the operation have already received more than $1 million, with others holding six-figure balances. And because many addresses are generated dynamically, the full financial scope remains unclear.

One of the attacker-controlled wallets has already stolen a substantial amount of cryptocurrency from victims (Screenshot via Dr. Web).

****How to Stay Safe****

Cybersecurity experts at Dr. Web warned users to be extra cautious, especially when it comes to mobile devices and crypto security. They recommend avoiding Android phones from unverified sellers, particularly if the price feels too good to be true. To make sure a device is legit, tools like DevCheck can help verify hardware specs since fake models often manipulate system details, even in well-known apps like CPU-Z or AIDA64.

Experts also advise against storing recovery phrases, passwords, or private keys as unencrypted images or text files, which can be easy targets for spyware. Installing reliable security software can help catch deeper system-level threats. And when it comes to downloading apps, it’s safest to stick with official sources like Google Play.

Although the campaign is currently targeting Russian-speaking users, pre-installed malware on cheap Android devices, including smartphones and TV boxes, has already been used to target unsuspecting users worldwide. Therefore, regardless of your location, if your Android phone isn’t what it claimed to be or if you’ve recently bought one off-brand device, it might be worth checking what’s running under the hood.

Pre-Installed Malware on Cheap Android Phones Steals Crypto via Fake WhatsApp

Though less well-known than groups like Volt Typhoon and Salt Typhoon, Brass Typhoon, or APT 41, is an infamous, longtime espionage actor that foreshadowed recent telecom hacks.

As China continues its digital gambit around the world, researchers are warning that hacking activity from long-tracked groups is evolving and blending together. On top of that, attackers are hiding their campaigns more effectively and blurring the lines between cybercriminals and state-backed hacking.

Last year, revelations rocked the United States federal government that the Chinese hacking group known as “Salt Typhoon” had breached at least nine major US telecoms. And the group’s rampage even continued into this year in the US and other countries around the world. Meanwhile, the Beijing-linked hacking group “Volt Typhoon” has continued to lurk in US critical infrastructure and utilities around the world. Meanwhile, the notoriously versatile syndicate known as Brass Typhoon—also called APT 41 or Barium—has been operating in the shadows.

The group, which researchers have been tracking since about 2012, has quietly continued its broad targeting around the world over the past year. Brass Typhoon has cast a wide net, leading researchers to view it as a sort of broad coalition that has attacked everything from a US livestock app to source code and chip designs from Taiwan’s semiconductor industry and even power grids. And over the last year, the group has compromised international institutions in the tech and automotive sectors, materials, shipping and logistics, media, and more, using new and refined malware in an array of sustained campaigns.

“They’re absolutely still active and still evolving,” says John Hultquist, who leads threat intelligence at the Google-owned cybersecurity firm Mandiant. “But it’s harder to attribute some of this activity than it was in the past, because it’s all part of a much bigger ecosystem of China’s activity which has been deliberately built to create a tremendous amount of capability.”

Brass Typhoon is known for having carried out a notable string of software supply chain attacks in the late 2010s and for brazen attacks on telecoms around the same time in which the group specifically targeted call record data. The gang is also known for its hybrid activity, carrying out hacks that align with Chinese state-sponsored espionage by the Chinese Ministry of State Security, but also moonlighting on seemingly cybercriminal projects, particularly focused on the video game industry and in-game currency scams.

Research indicates that Brass Typhoon has continued to be active in recent months with financial crimes targeting online gambling platforms as well as espionage targeting manufacturing and energy firms. Its sustained activity has run in parallel to Salt and Volt Typhoon’s recent, attention-grabbing campaigns, and analysis increasingly shows that China’s state-backed hacking operations must be viewed comprehensively, not just in terms of individual actors.

“I think we should not get too down the rabbit hole of is it Salt? Is it Flax? Is it Volt?” former US Cybersecurity and Infrastructure Security Agency director Jen Easterly told WIRED during her last days in that role in January, referring to an array of Beijing-linked hacking groups. “At the end of the day, China, as we've seen in assessments from the Intelligence Community, is the most formidable, persistent cyber threat that we are dealing with.”

Hultquist agrees, emphasizing that while tracking the activity of individual groups is still vital, it is increasingly important for defenders to factor in the advantages that state espionage and offensive hacking operations gain from broad collaboration.

“There was a time when there were very simple indicators that told us who each actor was, and they were operating incredibly loudly, so it was easy to spot the smash-and-grab nature of the activity,” he says. “APT 41 is still doing some loud activity, but so much of its activity now has gotten better and they’ve made an effort to really avoid our controls.”

Ultimately, though, researchers say that the most significant takeaway about Brass Typhoon’s current activity is that it continues apace.

Brass Typhoon: The Chinese Hacking Group Lurking in the Shadows

For the past decade, this group of FSB hackers—including “traitor” Ukrainian intelligence officers—has used a grinding barrage of intrusion campaigns to make life hell for their former countrymen and cybersecurity defenders.

Russian state hackers, perhaps more than those of any other nation, tend to show off. The notorious Sandworm unit within Russia's GRU military intelligence agency, for instance, has triggered unprecedented blackouts and released destructive, self-replicating code. The FSB's ingenious Turla group has hijacked satellite internet connections to steal victims' data from space. But one team of less-flashy cyberspies working on behalf of the Kremlin rarely earns the same notice: Armageddon, or Gamaredon.

The hackers, believed to work in the service of Russia's FSB intelligence agency, aren't known for their sophistication. Yet they have strung together a decade-plus record of nearly constant espionage-focused breaches, grinding away with simple, repetitive intrusion methods, year after year. Thanks to that sheer overwhelming quantity of hacking attempts, they represent by some measures the top espionage threat facing Ukraine in the midst of its war with Russia, according to cybersecurity defenders who track the group.

“They are the most active state-aligned hacker group attacking Ukrainian organizations, by far,” says Robert Lipovsky, a malware researcher at Slovakian cybersecurity firm ESET.

ESET has tracked Gamaredon as it's breached the networks of hundreds of victims in Ukraine, stealing thousands of files on a daily basis, Lipovsky says. “Their operation is highly effective," says Robert Lipovsky, a malware researcher at ESEThe adds. "Volume is their big differentiator, and that's what makes them dangerous.”

If Gamaredon doesn't behave like other Russian hacking groups, that's in part because some of them aren't Russian nationals—or weren't, technically, until 2014.

According to the Ukrainian government, Gamaredon's hackers are based in Crimea, the peninsula of Ukraine that was seized by Russia following Ukraine's Maidan revolution. Some of them previously worked on behalf of Ukraine's own security services before switching sides when Russia's Crimean occupation began.

“They are officers of the ‘Crimean’ FSB and traitors who defected to the enemy,” reads one 2021 statement from the Ukrainian SBU intelligence agency, which alleges the group carried out more than 5,000 attacks on Ukrainian systems including critical infrastructure like “power plants, heat and water supply systems.”

The group's initial access techniques, ESET’s Lipovsky says, consist almost entirely of simple spearphishing attacks—sending victims spoofed messages with malware-laced attachments—as well as malicious code that can infect USB drives and spread from machine to machine. Those relatively basic tactics have hardly evolved since the group first appeared as a threat aimed at Ukraine in late 2013. Yet by tirelessly cranking away at those simple forms of hacking and targeting practically every Ukrainian government and military organization—as well as Ukrainian allies in Eastern Europe—on a daily basis, Gamaredon has proven to be a serious and often underestimated adversary.

“People sometimes don’t realize how big a part ‘persistence’ plays in the phrase APT,” says John Hultquist, chief analyst for Google's Threat Intelligence Group. "They’re just relentless. And that itself can be kind of a superpower.”

In October 2024, the Ukrainian government went as far as to sentence two of Gamaredon's hackers in absentia for not only hacking crimes but treason. A statement from the SBU at the time accused the two men—neither of whom are named—of having “betrayed their oath” by voluntarily joining the FSB.

For Gamaredon's former SBU hackers, turning on their former countrymen may not have resulted in the perks they hoped. Aside from the apparent slog of their nonstop phishing campaigns, intercepted phone communications between members of the group published by the SBU appear to show them complaining about their low pay and lack of recognition. “They should have given you a medal,” one team member says to another in the Russian-language conversation. “Screwed one more time.”

Given how mind-numbingly workaday their hacking campaigns are, it's no wonder they complained about their working conditions, says Google's Hultquist.

"Drudgery is so core to their operations,” he says. "This group grinds out wins."

As disgruntled as Gamaredon's hackers may be, defending against their constant barrage of spying attempts is at least as difficult and boring, say some of the defenders tasked with tracking them. The group writes its malware in relatively unsophisticated scripting languages like VBScript and Powershell rather than the C++ used by savvier hackers. But Gamaredon tweaks its humdrum code constantly, sometimes with automated changes to create endlessly differentiated versions designed to defy antivirus, according to ESET, whose anti-malware products are used widely across Ukraine.

In some cases, the hackers infect the same machine with numerous malware specimens, and hit so many targets that ESET hasn't even been able to identify all of the group's victims, despite closely tracking Gamaredon's campaigns.

“It's exhausting work,” says Anton Cherepanov, an ESET malware researcher. “People overdose and get burnt out.”

Since the start of Russia's full-scale war in Ukraine in 2022, Gamaredon has evolved to broaden its intelligence collection to messaging tools like Signal, WhatsApp, and Telegram, as well as the Delta software used by the Ukrainian military on tablet computers. A 2023 report by CERT-UA, the Computer Emergency Response Team of Ukraine, warned that Gamaredon has on at least one occasion launched a data-destroying attack against a victim facility, though it usually confines itself to mere intelligence gathering on behalf of the Russian military effort.

The same report notes that once Gamaredon infects a machine, it often starts stealing files in as little as 30 minutes. By the end of a week, if the machine remains infected, the hackers will have installed 80 to 120 variants of its malware on the computer. If defenders fail to delete even one, the hackers keep their foothold and can maintain access to that device.

All of that means Gamaredon represents a challenge that's painfully dull for cybersecurity defenders, but with dauntingly high stakes in the context of a war where stolen secrets can mean the difference between life and death.

“They're not interesting,” ESET malware researcher Zoltán Rusnák says. “Just dangerous.”

Gamaredon: The Turncoat Spies Relentlessly Hacking Ukraine

From crypto kingpins to sophisticated scammers, these are the lesser-known hacking groups that should be on your radar.

Read More

_The Last of Us_ Creator Didn’t Want to Sweep ‘Upsetting’ Moments Under the Rug

During _The Last of Us_’ second-season premiere, Ellie gets called a homophobic slur. Craig Mazin tells WIRED it highlights what happens when humanity stops moving forward.

FTC v. Meta Trial: The Future of Instagram and WhatsApp Is at Stake

The blockbuster antitrust case begins Monday. Its outcome could impact how Big Tech companies grow—but the government has a long way to go to prove its case.

The Best Laptops to Work and Play Wherever You Are

These are our favorite Windows laptops, MacBooks, Chromebooks, and Linux portables.

The Best Backpacking Water Filters

We’ve tested filter from Sawyer, Katadyn, LifeStraw, MSR and more to find the best option for every adventure.

The Best Way to Roast a Chicken Is on a Stick

This simple gadget is a fun and inexpensive way to tinker.

Small Language Models Are the New Rage, Researchers Say

Larger models can pull off a wider variety of feats, but the reduced footprint of smaller models makes them attractive tools.

Homeland Security Email Tells a US Citizen to 'Immediately' Self-Deport

An email sent by the Department of Homeland Security instructs people in the US on a temporary legal status to leave the country. But who the email actually applies to—and who actually received it—is far from clear.

The Best Google Pixel 9 Cases and Accessories

Whether you saved some cash with the Pixel 9a or went big with the Pixel 9 Pro XL, we’ve got a selection of cases—MagSafe included—to kit out your new Android phone.

Am I the Asshole if I Don’t Put My Phone on Airplane Mode?

If you don’t, your flight won’t crash, but ignoring airplane mode uses up your battery and annoys the pilot.

The 24 Best Shows on Amazon Prime Right Now

_The Wheel of Time, Reacher_, and _The Bondsman_ are just a few of the shows you should be watching on Amazon Prime Video this week.

China Secretly (and Weirdly) Admits It Hacked US Infrastructure

Plus: The Department of Homeland Security begins surveilling immigrants' social media, President Donald Trump targets former CISA director who refuted his claims of 2020 election fraud, and more.

The Most Dangerous Hackers You’ve Never Heard Of

Millions of scam text messages are sent every month. The Chinese cybercriminals behind many of them are expanding their operations—and quickly innovating.

The scam text messages follow a similar pattern: You need to pay an outstanding toll road fee, or a parcel can’t be properly delivered, they say. “The USPS package arrived at the warehouse but could not be delivered due to incomplete address information,” reads one typical message.

A link in the message points to a realistic website where you are asked to enter more details and make a small payment—while behind the scenes, cybercriminals hoover up your information and credit card digits in real time.

These messages originate from one prolific collection of loosely linked cybercriminals: “smishing” syndicates.

Over the past three years, these Chinese-speaking fraudsters have developed and operated the world’s foremost smishing operation, spamming millions of people with text messages and likely stealing millions of dollars in the process. The term “smishing” is a mashup of SMS and phishing emails, which try to trick people into handing over personal details. Text messages, though, add a layer of urgency and may catch people off-guard as they go about their busy day.

Now, these groups are quickly adapting their methods and expanding their scamming, security experts say.

“They operate very similar to a \[legitimate\] business in a lot of ways,” says Grant Smith, the founder of offensive cybersecurity firm Phantom Security who last year hacked one Chinese-language group and uncovered how its internal phishing kits function.

“The vast majority of the kits I see nowadays are surprisingly well put together,” Smith says. “They are constantly developing these, constantly updating them, making them look better, making them more secure.”

Multiple Chinese-speaking smishing groups and individual actors are involved in the ongoing development of new techniques and running the large-scale fraud. Often, groups will even sell the kits they develop to less sophisticated cybercriminals to easily operate.

Ford Merrill, a security researcher at SecAlliance, part of the CSIS Security Group, has been tracking the syndicates for two years and says there are now seven “major” Chinese “phishing-as-a-service” actors. “They have been enabling global SMS-based phishing campaigns at a massive scale since early 2023 onwards,” he tells WIRED.

Criminals will create websites impersonating companies or brands—such as postal services, tax authorities, telecoms, utilities companies, and increasingly payment providers—and then send texts (either SMS, encrypted iMessage, or RCS) that entice people to enter their personal information and bank cards on the fraudulent websites. This process requires the fraudsters to register thousands of domains and use Apple iCloud accounts.

One of the most prominent of the smishing actors is often referred to as the Smishing Triad—although security researchers group Chinese-speaking threat actors and affiliates in different ways—which has impersonated organizations and brands in at least 121 countries, according to recent research by security company Silent Push.

Around 200,000 domains have been used by the group in recent years, the research says, with around 187 top-level domains—such as .top, .world, and .vip—being used. Across one recent 20-day period, there were more than 1 million page visits to scam websites used by the Smishing Triad, according to Silent Push.

Besides collecting names, emails, addresses, and bank card details, the websites also prompt people to enter one-time passwords or authentication codes that allow the criminals to add bank cards to Apple Pay or Google Wallet, allowing them to use the cards while on the other side of the world.

“They have effectively turned the modern digital wallet, like Apple Pay or Google Wallet, into the best card-cloning device we’ve ever invented,” Merrill says.

In Telegram groups linked to the cybercriminal organizations, some members share photos and videos of bank cards being added to digital wallets on iPhones and Androids. For instance, in one video, scammers allegedly show off dozens of virtual cards that they have added to phones they are using.

Merrill says the criminals may not make payments using the cards they’ve added to digital wallets straightaway, but it probably won’t take long.

“When we first started seeing this, they would wait between 60 and 90 days before actually stealing money from the cards,” he explains, adding that at first the criminals would let the cards “age” on a device in an attempt to look legitimate. “Nowadays you would be lucky if they wait seven days or even a couple days. Once they hit the card, they hit it hard and fast.”

“Security is core to the Google Wallet experience, and we work closely with card issuers to prevent fraud,” says Google communications manager Olivia O'Brien. “For example, banks notify customers when their card has been added to a new Wallet, and we provide signals to help issuers detect fraudulent behavior so they can decide whether to approve added cards.”

Apple did not respond to WIRED’s request for comment.

The giant scam ecosystem is powered in part by commercial underground scamming services. Findings from security firm Resecurity, which has tracked the Smishing Triad for more than two years, says the group has been using “bulk” SMS and message-sending services as it has expanded the number of messages it sends.

Meanwhile, as multiple security researchers have noted, the Smishing Triad group also uses its own software, called Lighthouse, to collect, manage, and store people's personal information and card details. A video of the Lighthouse software originally shared on Telegram and republished by Silent Push shows how the system collects card details.

The latest version of the software, which was updated in March this year, “targets dozens of financial brands” including PayPal, Mastercard, Visa, and Stripe, Silent Push says. In addition, the research says, Australian banking brands appear to be impersonated, indicating a potential further expansion of targets.

The smishing groups are constantly improving their own scamming software. Smith, the researcher who hacked a smishing gang, says he has seen groups operating their own development pipelines for their software and systems.

“Recently they were using some custom-made software that they had to basically replicate Jira and have tickets open for any issues with the platform and any customer complaints,” Smith says. “They would assign them to team members.”

Chinese smishing groups do not appear to be slowing down. The cybercriminals are behind huge waves of toll road text scams sweeping across the United States this year, says Shawn Loveland, the chief operating officer at Resecurity. “They’re increasing in their scale and their volume of attacks,” he says.

Loveland says there may be multiple ways to limit the effectiveness of smishing operations. Domain registrars could get better at detecting fraudulent websites, for example, and improved spam filtering on messages would help potential victims. Plus, law enforcement could target the platforms and systems they use to create accounts and send messages.

Making it harder for smishing groups to successfully operate could reduce profits and have a cooling effect on the surging criminal ecosystem, Loveland says.

“Criminals have a supply chain, and you don't have to go after all the components in the supply chain,” he says. “You can go after choke points in the supply chain.”

Smishing Triad: The Scam Group Stealing the World’s Riches

Allegedly responsible for the theft of $1.5 billion in cryptocurrency from a single exchange, North Korea’s TraderTraitor is one of the most sophisticated cybercrime groups in the world.

On February 21, the largest crypto heist ever started to unfold. Hackers gained control of a crypto wallet belonging to the world’s second-largest cryptocurrency exchange, Bybit, and stole almost $1.5 billion of digital tokens. They quickly shunted the money between dozens of cryptocurrency wallets and services to try and obscure the activity, before starting to cash the stolen funds out.

The eye-popping digital raid had all the hallmarks of being conducted by one of North Korea’s elite subgroups of hackers. While Bybit remained solvent by borrowing cryptocurrency and launched a bounty scheme to track down the stolen funds, the FBI quickly pinned the blame on the North Korean hackers known as TraderTraitor.

Before the Bybit heist, TraderTraitor had already been linked to other high-profile cryptocurrency thefts and compromises of supply chain software.

“We were waiting for the next big thing,” says Michael Barnhart, a longtime cybersecurity researcher focused on North Korea and investigator at security firm DTEX Systems. “They didn't go away. They didn’t try to stop. They were clearly plotting and planning—and they’re doing that now,” he says.

North Korea’s hackers—alongside those from China, Russia, and Iran—are consistently considered to be one of the most sophisticated and most dangerous cyber threats to Western democracies. While all of these countries engage in espionage and theft of sensitive data, North Korea’s cyber operations come with their own set of distinct goals: helping to fund the hermit kingdom’s nuclear programs. Increasingly, that means stealing cryptocurrency.

Over at least the past five years, the totalitarian regime of Kim Jong-un has deployed technically skilled IT workers to infiltrate companies around the world and earn wages that can be sent back to the motherland. In some cases, after being fired, those workers extort their former employers by threatening to release sensitive data. At the same time, North Korean hackers, as part of the broad umbrella Lazarus Group, have stolen billions in cryptocurrency from exchanges and companies around the world. TraderTraitor makes up one part of the wider Lazarus group, which is run out of the Reconnaissance General Bureau, the North Korean intelligence agency.

TraderTraitor—which is also referred to as Jade Sleet, Slow Pisces, and UNC4899 by security companies—is primarily interested in cryptocurrency.

“They use a variety of creative techniques to get into blockchain, cryptocurrency, anything that has to do with platforms, trading forums, all of those different things that are around cryptocurrency and decentralized finance,” says Sherrod DeGrippo, the director of threat intelligence strategy at Microsoft. “The Jade Sleet group \[TraderTraitor\] is one of the most sophisticated groups within that echelon,” she says.

TraderTraitor first emerged around the start of 2022, multiple cybersecurity researchers say, and is likely an offshoot of the North Korean APT38 group that hacked the SWIFT financial system and attempted to steal $1 billion from the Central Bank of Bangladesh at the start of 2016. “They walked off with very little money,” says DTEX Systems’s Barnhart. “In that moment you had a real, significant shift.”

Barnhart says North Korea realized that relying on other people—such as money mules—could make their operations less effective. Instead, they could steal cryptocurrency. Two groups emerged from that tactical shift, Barnhart says, CryptoCore and TraderTraitor. “TraderTraitor is the most sophisticated of all,” he says. “And why? Because APT38 was the A team.”

Since then, TraderTraitor has been linked to multiple large-scale cryptocurrency thefts in recent years. For instance, the March 2024 theft of $308 million from Japan-based cryptocurrency company DMM has been linked to TraderTraitor by the FBI, Department of Defense, and police in Japan.

TraderTraitor typically targets people working at Web3 firms using spear-phishing messages—most often, people working on software development. “They know the individuals that work at these companies, they track them, they have profiles on them, they know which trading platforms are doing the most volume. They’re focused on that entire industry, understanding it backwards and forwards,” says Microsoft’s DeGrippo.

GitHub, which is owned by Microsoft, highlighted in July 2023 how TraderTraitor created fake accounts on the coding platform, plus LinkedIn, Slack, and Telegram. The TraderTraitor criminals can create fake personas that they use to message their targets or use real accounts that have been hacked, GitHub’s research says. In that instance, TraderTraitor invited developers to collaborate on GitHub, before ultimately infecting them with malware using malicious code. Recently, security researchers at Palo Alto Networks’ Unit 42 threat intelligence team found 50 North Korean recruiter profiles on LinkedIn and linked them back to TraderTraitor.

The group has been seen using “custom backdoors,” such as PLOTTWIST and TIEDYE, that target macOS, says Adrian Hernandez, a senior threat analyst at Google’s Threat Intelligence Group. “These are typically heavily obfuscated to prevent detection and thwart analysis,” Hernandez says. “Once UNC4899 \[TraderTraitor\] has gained access to valid credentials, we’ve observed this threat actor moving laterally and accessing other accounts to access hosts and systems, keeping a low profile and aiming to evade detection.”

Once the North Korean hackers have their hands on cryptocurrency or digital wallets, the money laundering often follows a similar pattern, as cryptocurrency tracing firm Elliptic outlined in a blog post breaking down the Bybit hack. To avoid having cryptocurrency wallets frozen, they quickly swap stolen tokens—which are often issued by centralized entities and can have restrictions placed upon them—for more mainstream cryptocurrency assets like ether and bitcoin that are harder to limit.

“The second step of the laundering process is to ‘layer’ the stolen funds in order to attempt to conceal the transaction trail,” Elliptic writes. This means splitting the funds into smaller amounts and sending them to multiple wallets. With Bybit, Elliptic writes, money was sent to 50 different wallets that were then emptied in the coming days. This cryptocurrency is then moved through various cryptocurrency exchanges, converted into bitcoin, and passed through crypto mixers that aim to obscure crypto transactions.

“North Korea is the most sophisticated and well-resourced launderer of crypto assets in existence, continually adapting its techniques to evade identification and seizure of stolen assets,” Elliptic says in its blog post.

In addition to cryptocurrency heists, TraderTraitor has been linked to hacks at software supply chain companies, most prominently JumpCloud in June 2023. Compromising software used by multiple companies may provide the hackers a stealthier way into their intended targets. “That could impact any tech industry, any organization that uses that software,” says Andy Piazza, senior director for threat research at Unit 42.

As TraderTraitor has increasingly garnered attention over the past couple of years, Piazza says he has seen the group improve their operations and attempt to evade detection. For example, Unit 42’s recent research noted that TraderTraitor had been using malware the researchers called RN Loader that installs an information stealer and then deletes itself, making it harder to detect.

“You can definitely tell that they’re stepping up,” Piazza says.

Piazza says that unlike haphazard Russian hacking groups—which were both in the networks of the DNC simultaneously around 2016—there appears to be more organization with the North Korean groups. “It seems more coordinated that they're not bumping into each other out in the battle space,” Piazza says. “They’re really showing that they have the capability to be focused on that OPSEC, to be focused on that persistence capability.”

North Korea’s hacking operations may be even more complex than many realize. According to Piazza and other experts WIRED spoke to, the crypto hackers and the undercover IT workers may even coordinate. Their tactics show some “overlap,” Piazza says.

“If you right now went out onto some type of freelance website and said that you are a brand-new crypto startup and you’re looking for developers before the day is out, you would have North Koreans in your inbox,” Barnhart, the DTEX Systems researcher, says. He says some North Korean hackers can bounce between the country’s different groups, and there’s the possibility that they could also work with or alongside its IT workers. There may be more overlap than people thought, Barnhart says.

“Whenever we attribute this \[hacking\] back to TraderTraitor, was nobody else involved? Did somebody else have a hand in there?”

Tag

#google