Plus: An “explosion” of AI-generated child abuse images is taking over the web, a Russian professional basketball player is arrested on ransomware charges, and more.

WIRED reported this week on public records that show the United States Department of Homeland Security urging local law enforcement around the country to interpret common protest activities and surrounding logistics—including riding a bike, livestreaming a police encounter, or skateboarding—as “violent tactics.” The guidance could influence cops to use everyday behavior as a pretext for police action.

An AI hiring bot used on the McDonald’s “McHire” site exposed tens of millions of job applicants’ personal data because of a group of web-based security vulnerabilities—including use of the classically guessable password “123456” on an administrator account. The site’s chatbot, known as Olivia, was built by the artificial intelligence software firm Paradox.ai. Meanwhile, in the wake of last week’s devastating floods in Texas that killed at least 120 people, conspiracy theories about the extreme weather event have gained enough traction among anti-government extremists, GOP influencers, and others with large platforms to produce real-world consequences like death threats.

Finally, the metadata of the “full raw” surveillance footage captured near Jeffrey Epstein’s cell the night before the disgraced financier was found hanged shows it’s not “raw” footage at all. Instead, according to a WIRED analysis and digital video forensics experts, the full video is made up of two clips, and it was likely processed using powerful editing software.

And there’s more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**4 Young People Arrested Over Cyberattacks Against UK Retailers**

Earlier this year, three retailers in the UK—Harrods, the Co-Op, and M&S—were disrupted by sprawling cyberattacks. Some shelves were left empty for weeks, and M&S executives expect the attacks will cost around £300 million ($407 million) in total. This week, law enforcement officials at the National Crime Agency (NCA), the country’s equivalent of the FBI, announced the arrest of four people as part of investigations into the three attacks.

A 20-year-old female, two males aged 19, and another aged 17 were all arrested at their homes in the West Midlands and London on Thursday morning. One of the 19-year-old males is from Latvia, while the others are from the UK, the NCA says. They are suspected of potential Computer Misuse Act offenses, blackmail, money laundering, and “participating in the activities of an organized crime group,” the NCA said in a statement. The law enforcement agency has not named the individuals arrested or released precise locations of where they are based; however, NCA’s deputy director Paul Foster said the arrests were a “significant step” in its investigations.

The attacks against the three British retailers have been broadly linked, including partially by the NCA, to the loose cybercriminal group Scattered Spider. The hacking group, which first emerged in 2022, is largely made up of young, English-speaking individuals, and has recently been seen targeting retailers, airlines, and the insurance industry across the UK and the US.

**‘Explosion’ of AI-Generated Child Abuse Images Could Overwhelm the Web, Experts Warn**

It didn’t take criminals long to start using generative AI to create ultra-realistic child sexual abuse images. Now huge volumes of illegal, AI-created content are being found online, with criminals moving to use the technology to create videos as well as still images. During the first six months of this year, analysts at the Internet Watch Foundation, a UK-based organization that removes child sexual abuse material (CSAM) from the web, identified 1,286 AI-generated videos that show abuse—more than 1,000 of the videos showed the most serious type of abuse.

“There is an incredible risk of AI-generated CSAM leading to an absolute explosion that overwhelms the clear web,” said Derek Ray-Hill, the interim chief executive of the Internet Watch Foundation. Separate figures from the US-based National Center for Missing & Exploited Children (NCMEC) say it has received 485,000 reports of AI CSAM in the first half of this year—up from 67,000 for the entirety of last year. Around 35 tech companies have reported finding AI-generated CSAM on their platforms, NCMEC said.

**Italian Police Arrest an Alleged Member of China’s Silk Typhoon Hacking Group**

In a rare instance of Western law enforcement actually laying hands on an alleged Chinese state-sponsored hacker, Italian police arrested Xu Zewei, a 33-year-old from Shanghai, at an airport in Milan on July 3. The police were acting on a warrant issued by the US Department of Justice seeking Xu’s arrest on hacking charges. Authorities allege he’s a member of the espionage group known as Silk Typhoon or Hafnium, which has carried out widespread data theft from Western governments and private sector companies for years. US prosecutors are specifically accusing Xu of taking part in Silk Typhoon’s hacking that targeted researchers working to develop a Covid-19 vaccine in 2020 and 2021. He’s also alleged to have participated in a far less targeted hacking campaign in which the same group broke into tens of thousands of Microsoft exchange servers around the world, leaving behind backdoors for later reconnaissance. Xu’s lawyer denied the charges, saying it’s a case of mistaken identity, and Xu’s wife also has reportedly said that Xu is an IT technician at the company GTA Semi Conductor.

**Russian Pro Basketball Player Arrested on Ransomware Charges**

In more news of alleged hackers arrested in European airports—and a very unusual case of alleged cybercriminal moonlighting—French police this week detained Russian professional basketball player Daniil Kasatkin in the Charles de Gaulle airport in Paris, accusing him of being part of a ransomware group. Authorities haven’t yet named the ransomware crew they claim Kasatkin was a part of, but say that from 2020 to 2022 it hit close to 900 organizations, including two American government agencies. Kasatkin’s lawyer, Frédéric Bélot, denied the accusations, saying his client is “useless with computers and can't even install an application.” Kasatkin, who played for the pro basketball team MBA Moscow, had traveled to France with his fiancée to propose to her.

**Bodyguards Using Strava Leaked the Detailed Locations of Sweden’s Prime Minister**

Here’s your annual reminder, athletic oversharers of the world, to set your Strava account settings to private. This week, Sweden’s Dagens Nyheter newspaper revealed that seven bodyguards for Swedish government officials left their Strava accounts public, revealing their locations as they carried out 1,400 exercise activities—and in many cases, the locations of the people they were protecting, including the Swedish prime minister, Ulf Kristersson. The leaked locations of the prime minister included hotels where he stayed, private addresses, a family vacation, trips abroad, and his private home, which was intended to be secret. Repeat after me, Strava enthusiasts with security clearances: Go to Settings, tap Privacy Controls, then Activities. Future scandal averted.

4 Arrested Over Scattered Spider Hacking Spree

Trellix reveals how the India-linked DoNot APT group launched a sophisticated spear-phishing attack on a European foreign affairs…

Trellix reveals how the India-linked DoNot APT group launched a sophisticated spear-phishing attack on a European foreign affairs ministry. Learn about their tactics, the LoptikMod malware, and why this cyber espionage campaign matters for global diplomacy.

A sophisticated campaign by the notorious DoNot APT group, also known by names like APT-C-35 and Mint Tempest, has recently targeted a European foreign affairs ministry. This attack, uncovered by the Trellix Advanced Research Centre, highlights the group’s expanding reach beyond its traditional focus on South Asia.

Active since at least 2016, the DoNot APT group is a persistent threat, primarily known for targeting government, military, and diplomatic organisations. This group is believed to operate with a focus on South Asian geopolitical interests and has been attributed by several vendors to have links to India. This recent incident, however, reveals a broadening of their operations into Europe.

Trellix’s researchers were able to identify this campaign by blocking the initial email chain, which allowed them to analyse the attack’s Tactics, Techniques, and Procedures (TTPs). Reportedly, the attackers employed a highly deceptive spear-phishing tactic, impersonating European defence officials.

These malicious emails, which mentioned a visit to Bangladesh, aimed to trick targets into clicking on a harmful Google Drive link. This method of using common cloud services for initial infection showcases the group’s adaptability in their approach.

The attack unfolded in several calculated steps. The initial spear-phishing email originated from a Gmail address (int.dte.afd.1@gmailcom). It featured a subject line related to diplomatic activities, specifically “Italian Defence Attaché Visit to Dhaka, Bangladesh.” The attackers even used HTML formatting with UTF-8 encoding to properly display special characters like “é” in “Attaché,” signifying attention to detail to increase legitimacy.

Attackers’ TTPs (Source: Trellix)

Upon clicking the Google Drive link, victims downloaded a malicious RAR archive named ‘SyClrLtr.rar,’ containing an executable file disguised as a PDF (notflog.exe). It deployed a batch file and established persistence, meaning the malware would remain active through a scheduled task set to run every 10 minutes.

The malware involved in this campaign is LoptikMod, a tool exclusively associated with the DoNot APT group since 2018. This malware gathers system details such as CPU model, operating system information, username, and hostname.

This information is then encrypted and sent to a command and control (C2) server, which allows the attackers to maintain communication and potentially exfiltrate sensitive data. It is worth noting that beyond LoptikMod, the DoNot APT group also uses custom-built Windows malware, including backdoors like YTY and GEdit.

The targeting of a European foreign affairs ministry highlights the group’s unwavering interest in collecting sensitive information and its increasing global reach. Such attacks on diplomatic entities are classic examples of espionage operations, aiming to gain unauthorised access to classified state communications, policy documents, and intelligence reports.

Organisations, particularly those in government and diplomacy, are, hence, urged to enhance their cybersecurity measures, including stronger email security, network traffic analysis, and endpoint detection and response (EDR) solutions, to defend against these evolving threats.

DoNot APT Hits European Ministry with New LoptikMod Malware

DHS is urging law enforcement to treat even skateboarding and livestreaming as signs of violent intent during a protest, turning everyday behavior into a pretext for police action.

The Department of Homeland Security is urging local police to consider a wide range of protest activity as violent tactics, including mundane acts like riding a bike or livestreaming a police encounter, WIRED has learned.

Threat bulletins issued during last month’s “No Kings” protests warn that the US government’s aggressive immigration raids are almost certain to accelerate domestic unrest, with DHS saying there’s a “high likeliness” more Americans will soon turn against the agency, which could trigger confrontations near federal sites.

Blaming intense media coverage and backlash to the US military deployment in Los Angeles, DHS expects the demonstrations to “continue and grow across the nation” as protesters focused on other issues shift to immigration, following a broad “embracement of anti-ICE messaging.”

The bulletins—first obtained by the national security nonprofit Property of the People through public records requests—warn that officers could face assaults with fireworks and improvised weapons: paint-filled fire extinguishers, smoke grenades, and projectiles like bottles and rocks.

At the same time, the guidance urges officers to consider a range of nonviolent behavior and common protest gear—like masks, flashlights, and cameras—as potential precursors to violence, telling officers to prepare “from the point of view of an adversary.”

Protesters on bicycles, skateboards, or even “on foot” are framed as potential “scouts” conducting reconnaissance or searching for “items to be used as weapons.” Livestreaming is listed alongside “doxxing” as a “tactic” for “threatening” police. Online posters are cast as ideological recruiters—or as participants in “surveillance sharing.”

One list of “violent tactics” shared by the Los Angeles–based Joint Regional Intelligence Center—part of a post-9/11 fusion network—includes both protesters’ attempts to avoid identification and efforts to identify police. The memo also alleges that face recognition, normally a tool of law enforcement, was used against officers.

Vera Eidelman, a senior staff attorney with the American Civil Liberties Union, says the government has no business treating constitutionally protected activities—like observing or documenting police—as threats.

DHS did not respond to a request for comment.

“Exercising those rights shouldn't be justification for adverse action or suspicion by the government,” Eidelman says. Labeling something as harmless as skateboarding at a protest as a violent threat is “disturbing and dangerous,” she adds, and could “easily lead to excessive force against people who are simply exercising their First Amendment rights.”

“The DHS report repeatedly conflates basic protest, organizing, and journalism with terroristic violence, thereby justifying ever more authoritarian measures by law enforcement,” says Ryan Shapiro, executive director of Property of the People. “It should be sobering, if unsurprising, that the Trump regime’s response to mass criticism of its police state tactics is to escalate those tactics.”

Fusion centers like JRIC play a central role in how police understand protest movements. The intelligence they produce is rapidly disseminated and draws heavily on open-source data. It often reflects broad, risk-averse assumptions and includes fragmentary and unverified information. In the absence of concrete threats, bulletins often turn to ideological language and social media activity as evidence of emerging risks, even when tied to lawful expression.

DHS’s risk-based approach reflects a broader shift in US law enforcement shaped by post-9/11 security priorities—one that elevates perceived intent over demonstrable wrongdoing and uses behavior cues, affiliations, and other potentially predictive indicators to justify early intervention and expanded surveillance.

A year ago, DHS warned that immigration-related grievances were driving a spike in threats against judges, migrants, and law enforcement, predicting that new laws and high-profile crackdowns would further radicalize individuals. In February, another fusion center reported renewed calls for violence against police and government officials, citing backlash to perceived federal overreach and identifying then-upcoming protests and court rulings as likely triggers.

At times, the sprawling predictions may appear prescient, echoing real-world flashpoints: In Alvarado, Texas, an alleged coordinated ambush at a detention center this week drew ICE agents out with fireworks before gunfire erupted on July 4, leaving a police officer shot in the neck. (Nearly a dozen arrests have been made, at least 10 on charges of attempted murder.)

In advance of protests, agencies increasingly rely on intelligence forecasting to identify groups seen as ideologically subversive or tactically unpredictable. Demonstrators labeled “transgressive” may be monitored, detained without charges, or met with force.

Social movement scholars widely recognize the introduction of preemptive protest policing as a departure from late-20th century approaches that prioritized de-escalation, communication, and facilitation. In its place, authorities have increasingly emphasized control of demonstrations through early intervention, surveillance, and disruption—monitoring organizers, restricting public space, and responding proactively based on perceived risks rather than actual conduct.

Infrastructure initially designed to combat terrorism now often serves to monitor street-level protests, with virtual investigations units targeting demonstrators for scrutiny based on online expression. Fusion centers, funded through DHS grants, have increasingly issued bulletins flagging protest slogans, references to police brutality, and solidarity events as signs of possible violence—disseminating these assessments to law enforcement absent clear evidence of criminal intent.

Surveillance of protesters has included the construction of dossiers (known as “baseball cards”) with analysts using high-tech tools to compile subjects’ social media posts, affiliations, personal networks, and public statements critical of government policy.

Obtained exclusively by WIRED, a DHS dossier on Mahmoud Khalil, the former Columbia graduate student and anti-war activist, shows that analysts drew information from Canary Mission, a shadowy blacklist that anonymously profiles critics of Israeli military action and supporters of Palestinian rights.

In federal court Wednesday, a senior DHS official acknowledged that material from Canary Mission had been used to compile more than 100 dossiers on students and scholars, despite the site's ideological slant, mysterious funding, and unverifiable sourcing.

Threat bulletins can also prime officers to anticipate conflict, shaping their posture and decisions on the ground. In the wake of violent 2020 protests, the San Jose Police Department in California cited the “numerous intelligence bulletins” it received from its local regional fusion center, DHS, and the FBI, among others, as central to understanding “the mindset of the officers in the days leading up to and throughout the civil unrest.”

Specific bulletins cited by the SJPD—whose protest response prompted a $620,000 settlement this month—framed the demonstrations as possible cover for “domestic terrorists,” warned of opportunistic attacks on law enforcement and promoted an “unconfirmed report” of U-Haul vans purportedly being used to ferry weapons and explosives.

Subsequent reporting in the wake of BlueLeaks—a 269-gigabyte dump of internal police documents obtained by a source identifying as the hacktivist group Anonymous and published by transparency group Distributed Denial of Secrets—found federal bulletins riddled with unverified claims, vague threat language, and outright misinformation, including alerts about a parody website that supposedly paid protesters and accepted bitcoin to set cars on fire, despite a clear banner labeling the site “FAKE.”

Threat alerts—unclassified and routinely accessible to the press—can help law enforcement shape public perception of protests before they begin, laying the groundwork to legitimize aggressive police responses. Unverified DHS warnings about domestic terrorists infiltrating demonstrations in 2020, publicly echoed by the agency’s acting secretary on Twitter, were widely circulated and amplified in media coverage.

Americans are generally opposed to aggressive protest crackdowns, but when they do support them, fear is often the driving force. Experimental research suggests that support for the use of coercive tactics hinges less on what protesters actually do than on how they’re portrayed—by officials, the media, and through racial and ideological frames.

DHS Tells Police That Common Protest Activities Are ‘Violent Tactics’

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed two vulnerabilities each in Asus Armoury Crate and Adobe Acrobat products.

Thursday, July 10, 2025 11:24

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed two vulnerabilities each in Asus Armoury Crate and Adobe Acrobat products.  

The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy.    

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.     

**Asus Armoury Crate stack-based buffer overflow and authorization bypass  vulnerabilities**

_Discovered by Marcin &#39;Icewall&#39; Noga of Cisco Talos._   

These vulnerabilities were recently covered in a deep-dive post, Decrement by one to rule them all.

Asus Armoury Crate is a software utility used to manage Asus and ROG lighting, performance, and updates.

TALOS-2025-2144 (CVE-2025-1533) is a stack-based buffer overflow vulnerability in the AsIO3.sys kernel driver of Asus Armoury Crate 5.9.13.0. A specially crafted I/O request packet (IRP) can lead to stack-based buffer overflow. An unprivileged attacker can run a program from user mode to trigger this vulnerability.

TALOS-2025-2150 (CVE-2025-3464) is an authorization bypass vulnerability in the AsIO3.sys functionality of Asus Armoury Crate 5.9.13.0. A specially crafted hard link can lead to an authorization bypass. An attacker can create a hard link to trigger this vulnerability.

**Adobe Acrobat Reader out-of-bounds read and use-after-free vulnerabilities **

_Discovered by Kamlapati Choubey of Cisco Talos._   

Adobe Acrobat Reader is one of the most popular PDF reading software currently available. Talos found an out-of-bounds read vuln, TALOS-2025-2159 (CVE-2025-43578), in the Font functionality of Adobe Acrobat Reader 2025.001.20435. A specially crafted font file embedded into a PDF can trigger this vulnerability which can lead to disclosure of sensitive information.

TALOS-2025-2170 (CVE-2025-43576) is a use-after-free vulnerability in the annotation object processing functionality of Adobe Acrobat Reader 2025.001.20435. A specially crafted Javascript code inside a malicious PDF document can trigger reuse of a previously freed object, which can lead to memory corruption and could result in arbitrary code execution.

An attacker needs to trick the user into opening the malicious file to trigger either of these vulnerabilities.

Asus and Adobe vulnerabilities

Deepfake attacks aren't just for recruitment and banking fraud; they've now reached the highest levels of government.

Deepfake attacks aren’t just for recruitment and banking fraud; they’ve now reached the highest levels of government. News emerged this week of an AI-powered attack that impersonated US Secretary of State Marco Rubio. Authorities don’t know who was behind the incident.

A US State Department cable seen by the Washington Post warned that someone impersonated Rubio’s voice and writing style in voice and text messages on the Signal messaging app. The attacker reportedly tried to gain access to information or accounts by contacting multiple government officials in Rubio’s name. Their targets included three foreign ministers, a US governor, and a US member of Congress, the cable said.

The attacker created a Signal account with the display name ‘Marco.Rubio@state.gov’ and invited targets to communicate on Signal.

The AI factor in the attacks likely refers to deepfakes. These are a form of digital mimicry, in which attackers use audio or visual footage of a person to create convincing audio or images of them. Many have even created fake video of their targets, using them for deepfake pornography or to impersonate businesspeople.

The Rubio deepfake isn’t the first time that impersonators have targeted government officials. In May, someone impersonated White House Chief of Staff Susie Wiles in calls and texts to her contacts. Several failed to spot the scam initially and interacted with the attacker as though the conversations were legitimate.

This incident wasn’t Rubio’s fault, attacks like these are becoming commonplace with scammers making use of popular messaging tools. Signal is apparently a widely-used app in the executive branch, to the point that Director of National Intelligence Tulsi Gabbard said it came pre-installed on government devices.

This Signal usage culminated in then-national security advisor Mike Waltz accidentally adding a journalist to a group Signal chat containing discussions plans to bomb Yemen. He is now no longer the national security advisor. Misuse of the app extends back to the previous administration, when the Pentagon was forced to release a memo about it.

Why should you worry about such attacks on government high-ups? For one thing, it’s scary to think that foreign states might actually get away with sensitive information this way. But it also shows how easy it can be to impersonate someone with a deepfake. You can mount audio attacks with just a few snippets of audio to train an algorithm on.

You’d be suspicious if Pamela Bondi entered your book club chat, but if someone called an elderly relative pretending to be you, saying you’d been involved in an accident, or begging for ransom money because you’d been kidnapped, would they fall for it? Several have.

Strange though it may seem, modern threats demand some old-school protections. We recommend sharing a family password with close members, who can then request it to confirm each others’ identity. Never send this password anywhere, keep it to yourselves and agree to it in person.

But even family passwords won’t stop your grandma being targeted in deepfake romance scams from fake Mark Ruffalos and Brad Pitts, though. A quiet chat to explain the threats might avert such disasters, though, along with a regular check-in to ensure your less tech-savvy loved ones are safe and sound.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Deepfake criminals impersonate Marco Rubio to uncover government secrets 

Basic security flaws left the personal info of tens of millions of McDonald’s job-seekers vulnerable on the “McHire” site built by AI software firm Paradox.ai.

If you want a job at McDonald’s today, there’s a good chance you'll have to talk to Olivia. Olivia is not, in fact, a human being, but instead an AI chatbot that screens applicants, asks for their contact information and résumé, directs them to a personality test, and occasionally makes them “go insane” by repeatedly misunderstanding their most basic questions.

Until last week, the platform that runs the Olivia chatbot, built by artificial intelligence software firm Paradox.ai, also suffered from absurdly basic security flaws. As a result, virtually any hacker could have accessed the records of every chat Olivia had ever had with McDonald's applicants—including all the personal information they shared in those conversations—with tricks as straightforward as guessing the username and password “123456."

On Wednesday, security researchers Ian Carroll and Sam Curry revealed that they found simple methods to hack into the backend of the AI chatbot platform on McHire.com, McDonald's website that many of its franchisees use to handle job applications. Carroll and Curry, hackers with a long track record of independent security testing, discovered that simple web-based vulnerabilities—including guessing one laughably weak password—allowed them to access a Paradox.ai account and query the company's databases that held every McHire user's chats with Olivia. The data appears to include as many as 64 million records, including applicants' names, email addresses, and phone numbers.

Carroll says he only discovered that appalling lack of security around applicants' information because he was intrigued by McDonald's decision to subject potential new hires to an AI chatbot screener and personality test. “I just thought it was pretty uniquely dystopian compared to a normal hiring process, right? And that's what made me want to look into it more,” says Carroll. “So I started applying for a job, and then after 30 minutes, we had full access to virtually every application that's ever been made to McDonald's going back years.”

When WIRED reached out to McDonald’s and Paradox.ai for comment, a spokesperson for Paradox.ai shared a blog post the company planned to publish that confirmed Carroll and Curry’s findings. The company noted that only a fraction of the records Carroll and Curry accessed contained personal information, and said it had verified that the account with the “123456” password that exposed the information “was not accessed by any third party” other than the researchers. The company also added that it’s instituting a bug bounty program to better catch security vulnerabilities in the future. “We do not take this matter lightly, even though it was resolved swiftly and effectively,” Paradox.ai’s chief legal officer, Stephanie King, told WIRED in an interview. “We own this.”

In its own statement to WIRED, McDonald’s agreed that Paradox.ai was to blame. “We’re disappointed by this unacceptable vulnerability from a third-party provider, Paradox.ai. As soon as we learned of the issue, we mandated Paradox.ai to remediate the issue immediately, and it was resolved on the same day it was reported to us,” the statement reads. “We take our commitment to cyber security seriously and will continue to hold our third-party providers accountable to meeting our standards of data protection.”

One of the exposed interactions between a job applicant and “Olivia.”

Courtesy of Ian Carroll and Sam Curry

Carroll says he became interested in the security of the McHire website after spotting a Reddit post complaining about McDonald's hiring chatbot wasting applicants' time with nonsense responses and misunderstandings. He and Curry started talking to the chatbot themselves, testing it for “prompt injection” vulnerabilities that can enable someone to hijack a large language model and bypass its safeguards by sending it certain commands. When they couldn't find any such flaws, they decided to see what would happen if they signed up as a McDonald's franchisee to get access to the backend of the site, but instead spotted a curious login link on McHire.com for staff at Paradox.ai, the company that built the site.

On a whim, Carroll says he tried two of the most common sets of login credentials: The username and password “admin," and then the username and password “123456.” The second of those two tries worked. “It's more common than you'd think,” Carroll says. There appeared to be no multifactor authentication for that Paradox.ai login page.

With those credentials, Carroll and Curry could see they now had administrator access to a test McDonald's “restaurant” on McHire, and they figured out all the employees listed there appeared to be Paradox.ai developers, seemingly based in Vietnam. They found a link within the platform to apparent test job postings for that nonexistent McDonald's location, clicked on one posting, applied to it, and could see their own application on the backend system they now had access to. (In its blog post, Paradox.ai notes that the test account had “not been logged into since 2019 and frankly, should have been decommissioned.”)

That's when Carroll and Curry discovered the second critical vulnerability in McHire: When they started messing with the applicant ID number for their application—a number somewhere above 64 million—they found that they could increment it down to a smaller number and see someone _else_'s chat logs and contact information.

The two security researchers hesitated to access too many applicants' records for fear of privacy violations or hacking charges, but when they spot-checked a handful of the 64-million-plus IDs, all of them showed very real applicant information. (Paradox.ai says that the researchers accessed seven records in total, and five contained personal information of people who had interacted with the McHire site.) Carroll and Curry also shared with WIRED a small sample of the applicants' names, contact information, and the date of their applications. WIRED got in touch with two applicants via their exposed contact information, and they confirmed they had applied for jobs at McDonald's on the specified dates.

The personal information exposed by Paradox.ai's security lapses isn't the most sensitive, Carroll and Curry note. But the risk for the applicants, they argue, was heightened by the fact that the data is associated with the knowledge of their employment at McDonald's—or their intention to get a job there. “Had someone exploited this, the phishing risk would have actually been massive,” says Curry. “It's not just people's personally identifiable information and résumé. It's that information for people who are looking for a job at McDonald's, people who are eager and waiting for emails back.”

That means the data could have been used by fraudsters impersonating McDonald's recruiters and asking for financial information to set up a direct deposit, for instance. “If you wanted to do some sort of payroll scam, this is a good approach,” Curry says.

The exposure of applicants' attempts—and in some cases failures—to get what is often a minimum-wage job could also be a source of embarrassment, the two hackers point out. But Carroll notes that he would never suggest that anyone should be ashamed of working under the Golden Arches.

“I have nothing but respect for McDonald’s workers,” he says. “I go to McDonald's all the time.”

_Updated at 5 pm ET, July 9, 2025 to make clear that the phishing risks would only be possible if someone had the opportunity to exploit the data._

McDonald’s AI Hiring Bot Exposed Millions of Applicants' Data to Hackers Using the Password ‘123456’

A Chinese state-sponsored hacker, Xu Zewei, 33, has been arrested for his alleged role in the widespread HAFNIUM cyber attacks and theft of COVID-19 research. Learn about the charges and China's Ministry of State Security involvement.

In a significant development in international cybercrime efforts, Xu Zewei, a 33-year-old Chinese national, was apprehended in Milan, Italy, on July 3, 2025. The arrest was made at the request of the United States, where Xu faces serious charges related to widespread computer intrusions.

Xu, alongside his co-defendant Zhang Yu, 44, is named in a nine-count indictment unsealed in the Southern District of Texas. The charges stem from their alleged involvement in cyberattacks carried out between February 2020 and June 2021. These intrusions include the notorious HAFNIUM (aka Silk Typhoon) campaign, which compromised thousands of computers globally, including many within the United States.

According to the US Department of Justice’s July 8 press release, Xu Zewei was directed in his hacking activities by officers from China’s Ministry of State Security (MSS), specifically its Shanghai State Security Bureau (SSSB). It must be noted that MSS and SSSB are intelligence agencies responsible for China’s domestic counterintelligence, non-military foreign intelligence, and aspects of its internal security.

Xu was allegedly employed by Shanghai Powerock Network Co. Ltd. (Powerock), a company identified as one of many “enabling” entities that conduct hacking operations for the Chinese government.

“This arrest underscores the United States’ patient and tireless commitment to pursuing hackers who seek to steal information belonging to U.S. companies and universities,” stated Assistant Attorney General John A. Eisenberg. US Attorney Nicholas Ganjei for the Southern District of Texas added that Xu was allegedly “hacking and stealing crucial COVID-19 research at the behest of the Chinese government.”

****Targeting Vital Research and Global Systems****

The indictment (PDF) details how Xu and his co-conspirators targeted US-based universities, immunologists, and virologists involved in COVID-19 vaccine, treatment, and testing research in early 2020. Xu reportedly confirmed compromising a research university in the Southern District of Texas in February 2020 and was directed to access specific email accounts of researchers.

Later, in late 2020, Xu and his associates exploited vulnerabilities in Microsoft Exchange Server, a widely used email product. This exploitation was central to the HAFNIUM campaign, a large-scale intrusion that became public in March 2021 when Microsoft disclosed it.

“Through HAFNIUM, the CCP targeted over 60,000 US entities, successfully victimizing more than 12,700 in order to steal sensitive information,” noted Assistant Director Brett Leatherman of the FBI’s Cyber Division.

Victims of the HAFNIUM campaign included another university in Texas and a global law firm, where information related to US policymakers and government agencies was sought. Xu faces multiple charges, including conspiracy to commit wire fraud, wire fraud, conspiracy to cause damage to protected computers, and aggravated identity theft.

These charges carry significant penalties, with some counts carrying a maximum of 20 years in prison. Xu is currently awaiting extradition to the US whereas his co-defendant, Zhang Yu, remains at large.

US Announces Arresting Chinese Hacker Linked to HAFNIUM Group

Let's Encrypt has started rolling out certificates for IP addresses. Although it's a security solution it also offers cybercriminals opportunities.

Let’s Encrypt has announced its issued its first certificate for an IP address. Why that’s significant deserves a little explanation.

You may have run into Let’s Encrypt certificates many times without realizing it. When you see a padlock icon in your browser’s address bar, it means the site is using a certificate to secure your connection. These certificates are “digital passports” that websites use to prove their identity and to encrypt the data sent between your browser and the website.

Traditionally, these certificates have only been issued for domain names (like malwarebytes.com). Now, Let’s Encrypt has started issuing certificates for IP addresses, which are the numerical labels (like 192.0.66.233) that computers use to find each other on the internet.

Let’s Encrypt is a very popular provider of certificates, and you can find its certificates on hundreds of millions of websites. That’s because:

*   Let’s Encrypt certificates are free.
*   Hosting companies and content delivery networks often provide Let’s Encrypt by default as a service to their customers.
*   Let’s Encrypt is a mission-driven nonprofit aiming to make the web safer and more private for everyone.

The advantages of providing certificates for IP addresses are clear. Since some browsers will refuse to open sites without a certificate, it provides a safer way to access your website if you don’t have a domain name at all. It also allows you to use your browser to remotely access home devices like network-attached storage (NAS) servers and Internet-of-things (IoT) devices.

But most home users are unlikely to access a site by using the IP address. Domain names are much easier to remember (most of them anyway) and Domain Name System (DNS) translates domain names to IP addresses for us without a lot of problems.

And while IP addresses can change, DNS will make sure that our browser can still find the domain we want to visit. This is one reason why Let’s Encrypt will only issue short-term certificates for IP addresses: The certificates will be valid for just six days, a move designed to minimize the risk window in the event of a key compromise and to encourage automated certificate renewal practices.

Domain certificates can be compromised and abused. For example, in 2011, DigiNotar, a Dutch certificate authority, was breached, resulting in the issue of at least 500 fraudulent certificates for high-profile domains such as Gmail, Facebook, and the CIA.

And while you may have never heard of this breach, it spurred some much-needed improvements in the security of our online trust infrastructure.

**Here’s the problem**

If I post a URL online or send it by email, there is a visible part and a part that’s actually where you will be taken. For example <a href="https://malwarebytes.com/blog">example.com</a> will not take you to the displayed example.com, but to our blog’s landing page.

But let’s say that a cybercriminal can get a free certificate for the IP address of a server under their control, they could construct links that look like this <a href=”the server IP address”>payment provider X</a>. Should you click that link, you could end up on a specially crafted copy of the payment provider’s site set up by the cybercriminal which asks for your login credentials. Those credentials would then fall in the hands of the criminals if you entered them.

For an unsuspecting user, who potentially might have noticed the wrong domain in the address bar, an IP address might not raise any red flags, especially since they’ll see the padlock and assume it’s legitimate. But encrypted traffic doesn’t make it trustworthy. It is encrypted between the user and the website, so the receiver can read the credentials the visitor sent them.

At the same time, Let’s Encrypt’s move supports legitimate technical needs for IP-based certificates, so the challenge will be balancing security with accessibility. Defenders should monitor certificate transparency logs for suspicious IP certificates and combine this with other threat intelligence to identify abuse.

In essence, this new capability is a double-edged sword, both offering convenience and security benefits, but also new opportunities for cybercriminals.

**Tips for users**

The tips are basically the same as for any unsolicited link you encounter. The difference is that you should keep in mind that these URLs can now include IP addresses.

*   Don’t click on links in unsolicited emails, messages or on social media.
*   Hover over the link. A mismatch between the displayed domain and the target URL is a red flag.
*   The padlock does not mean the website is safe. It just means the traffic between you and the site is encrypted, so nobody in between can eavesdrop.
*   Enable multi-factor authentication (MFA) so criminals will not have access to your accounts with the credentials alone.
*   Keep your device and the software on it up to date, especially your security software and your browser.
*   Use a security solution that provides active protection, including against malicious domains and IPs.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Free certificates for IP addresses: security problem or solution? 

Cybersecurity threats have emerged so quickly that most companies struggle to keep up and executives are often the…

Cybersecurity threats have emerged so quickly that most companies struggle to keep up and executives are often the first targets. These individuals are known to the public and hold access to sensitive company data with valuable personal and financial information.

Keeping them safe from cyber attacks takes more than standard security measures. That is why Digital Executive Protection (DEP) is becoming an important part of how companies handle cybersecurity today

This article explores how Digital Executive Protection works, why it matters, and how platforms are setting the standard in safeguarding organizational leadership from online threats.

****Why Executives Are High-Value Targets****

Executives are ideal targets for cybercriminals for several reasons:

*   **Access to Sensitive Information:** C-level executives often have the highest level of access to proprietary corporate data, including strategic plans, customer databases, and financial records.

*   **Public Visibility:** Their names and roles are publicly known, making it easy for attackers to impersonate them in phishing and business email compromise (BEC) attacks.

*   **Insufficient Personal Cyber Hygiene:** Despite high professional stakes, many executives do not practice strong personal cybersecurity, leaving their personal devices and social media vulnerable.

These factors make executives not just victims but potential attack vectors that can lead to broader organizational breaches.

****What Is Digital Executive Protection?****

Digital Executive Protection (DEP) refers to the practice of securing executives’ digital identities across both personal and professional spheres. Unlike traditional cybersecurity measures that focus on networks or endpoints, DEP concentrates on the individual’s entire digital footprint, including:

*   Dark web monitoring

*   Social media impersonation

*   Public and private data exposure

*   Data broker tracking and removals DEP is both proactive and continuous, often delivered as a managed service that includes automated scans, real-time alerts, and expert remediation.

****Modern Threat Landscape for Executives****

The range of threats facing executives today includes:

*   **Social Media Impersonation:** Fake profiles are used to scam followers or damage reputations.

*   **Data Broker Exposure:** Personal information such as home addresses, phone numbers, and family data are sold online, increasing risk.

*   **Credential Stuffing and Account Takeovers**: Breached credentials reused across accounts can grant access to sensitive platforms.

*   **Ransomware Targeting:** Some ransomware groups target specific high-profile individuals.

*   **Location Tracking:** Publicly available metadata or broker data can expose executives’ real-time locations, creating safety concerns.

****Key Components of Effective DEP****

A robust Digital Executive Protection strategy should include:

1.  **Automated Monitoring:** Continuous scanning of the web, social platforms, and dark web for threats.
2.  **Data Broker Remediation:** Regular removal of PII from broker sites.
3.  **Dark Web Intelligence:** Alerts on credential leaks and sensitive information.
4.  **Impersonation Takedowns**: Rapid response to social media and web impersonations.
5.  **Concierge Support:** A human team for white-glove onboarding and threat remediation.

****How Digital Executive Protection Works in Practice****

According to VanishID, an effective DEP program should combine automation with expert support. Their approach includes features like:

*   Regular privacy reports with actionable insights

*   The option to extend protection to spouses and children

*   Proactive removal of personal data from brokers and exposed sources

*   Quick response to impersonation threats on social media or fake websites

*   Personal privacy monitoring that tracks exposure across data broker sites, breached databases and search engines

Rather than reacting after an incident, VanishID says its focus is on minimizing the attack surface before it can be exploited.

****Why Digital Executive Protection Matters for Businesses****

Strong executive protection can help companies maintain brand integrity by preventing damage from impersonation or breaches. It can also align with requirements from some cyber insurance providers that expect proactive risk management.

Reducing risks like BEC scams or ransomware targeting high-profile individuals supports overall security. Finally, showing top leaders that their privacy and safety are priorities can help build trust and confidence at the highest levels.

****In Conclusion****

Executives play a critical role in an organization’s security and reputation, making their personal online safety impossible to overlook. Digital Executive Protection adds an extra layer to cybersecurity by reducing risks that traditional tools often miss.

If companies prioritise this protection, they can protect their and customer data, leadership, and long-term stability in an environment where cybersecurity threats continue to grow.

How Digital Executive Protection Shields Top Leaders from Modern Threats

Hunters International ransomware gang closes after 55 confirmed and 199 unconfirmed cyberattacks. Read about its rebrand to World…

Hunters International ransomware gang closes after 55 confirmed and 199 unconfirmed cyberattacks. Read about its rebrand to World Leaks and its impact on healthcare and businesses.

A prominent ransomware-as-a-service group ‘Hunters International’ has officially declared its shutdown, effective today, July 4, 2025. Active for approximately two years, and speculated to be a revival or successor to the notorious Hive Ransomware (dismantled by global law enforcement in January 2023 after extorting over $100 million), Hunters International gained notoriety for its double extortion tactics.

This involved both encrypting victim data and stealing it for public release if a ransom wasn’t paid. However, security researchers have indicated that this closure is less a retirement and more a strategic junction, with the group already operating under a new name: World Leaks.

****A Legacy of Breaches and Demands****

Comparitech researchers have investigated and confirmed 55 ransomware attacks claimed by Hunters International, with an additional 199 unconfirmed claims. These confirmed breaches resulted in the compromise of at least 3.25 million personal records.

The healthcare sector was particularly hard hit, accounting for 2.9 million of those compromised records across 19 attacks on hospitals and clinics. Businesses saw 55 confirmed attacks, with manufacturers being the most frequent target (12 attacks). Government entities and schools also fell victim, with 16 and 2 confirmed attacks, respectively.

Hunters International rarely made its ransom demands public. However, two notable instances emerged: Hoya Corporation in Japan was hit with a $10 million demand in March 2024, and Azienda USL di Modena in Italy refused to pay a $3 million ransom in November 2023.

Some of the largest data breaches attributed to Hunters International in the US include Fred Hutchinson Cancer Centre (1,840,927 people affected in November 2023), Omni Family Health (468,344 people in August 2024), and Arisa Health (375,436 people in March 2024). In a daring move, Hunters even contacted individual patients from Fred Hutchinson Cancer Centre, demanding $50 to delete their stolen data.

This RaaS operation claimed 24 victim organizations only in November 2024, Forescout reports, with an average of one per day (10 in the US, 2 in the UK, 7 in the EU, 3 in South America, and 2 in Asia).

****World Leaks****

Threat intelligence firm Group-IB reported in April 2025 that Hunters International was in the process of rebranding to World Leaks. This new operation focuses solely on data theft and extortion, abandoning the encryption aspect of traditional ransomware.

Rebecca Moody, Head of Data Research at Comparitech, commented on this shift, suggesting it’s not a change of heart but rather a move towards a “potentially more lucrative” revenue stream in data theft. She noted that World Leaks is “not a ransomware gang” as the “ware” (encryption) is critically missing from their attacks.

World Leaks has already claimed responsibility for 33 attacks, including on Chain IQ (Switzerland) and Freedom Healthcare in Colorado. In a surprising development, Hunters International has stated it will offer free decryption software to companies that were infected by its ransomware but have not yet paid a ransom.

However, Moody believes many victims will have already restored their systems, rendering the offer largely symbolic given the group’s inactivity in new encryption attacks since May 2025. Nonetheless, this transition marks a significant evolution in the cybercrime community, with data extortion becoming an increasingly prevalent and targeted threat.

Tag

#intel