OpenAI Bug Bounty program boosts max reward to $100,000, expanding scope and offering new incentives to enhance AI security and reliability.

OpenAI is prioritizing security with a major bug bounty program increase and new AI security research grants. Find out how they’re collaborating with researchers and experts to protect their AI platforms from emerging threats

OpenAI is enhancing its security infrastructure, focusing on a forward-looking approach towards AI, by expanding security initiatives across grant programs, bug bounties, and internal defences.

In its latest **blog post**, OpenAI has unveiled a suite of new cybersecurity initiatives, signalling a bold push towards artificial general intelligence (AGI). A key element of this strategic move is a substantial increase in the maximum reward offered through its bug bounty program, now reaching $100,000 for critical findings.

As previously **reported** by HackRead.com, OpenAI launched its bug bounty program in April 2023 in partnership with Bugcrowd. This program initially focused on **finding flaws** in ChatGPT AI chatbot to enhance its security and reliability, with rewards starting at $200 for low-severity findings and reaching $20,000 for exceptional discoveries.

Now, OpenAI has confirmed that this program is seeing a significant overhaul with the maximum pay-out increased from $20,000 to $100,000 and the scope of program being broadened substantially, a move OpenAI states reflects its commitment to ensuring users’ trust in its systems.

“This increase reflects our commitment to rewarding meaningful, high-impact security research that helps us protect users and maintain trust in our systems,” the company noted in the announcement.

To further incentivize participation, OpenAI is introducing limited-time bonus promotions, with the first focusing on IDOR access control vulnerabilities. This promotion, running from March 26th to April 30th, 2025, also increases the baseline bounty range for these types of vulnerabilities.

The company also plans to expand its Cybersecurity Grant Program, which has already funded 28 research projects focused on both offensive and defensive security strategies. These projects have explored areas such as autonomous cybersecurity defenses, secure code generation, and prompt injection. The grant program is now seeking proposals for five new research areas: software patching, model privacy, detection and response, security integration, and agentic AI security.

OpenAI is also introducing microgrants in the form of API credits to facilitate rapid prototyping of innovative cybersecurity ideas. Furthermore, it plans to engage in open-source security research, collaborating with experts from academic, government, and commercial labs to identify vulnerabilities in open-source software code.

This shift is aimed at improving the ability of OpenAI’s AI models to find and patch security flaws. The company plans to release security disclosures to relevant open-source parties as vulnerabilities are discovered.

In addition, OpenAI is integrating its own AI models into its security infrastructure to enhance real-time threat detection and response. To strengthen its defences, the company has established a new red team partnership with SpecterOps, a cybersecurity firm. This collaboration will involve laborious, simulated attacks across **OpenAI’s infrastructure**, including corporate, cloud, and production environments.

As OpenAI’s user base expands, now serving over 400 million weekly active users, the company acknowledges its growing responsibility to safeguard user data and systems. While it focuses on developing advanced AI agents, the company is also addressing the unique security challenges associated with these technologies. This includes defending against prompt injection attacks, implementing advanced access controls, comprehensive security monitoring, and cryptographic protections, reinforcing their dedication to building secure and trustworthy AI.

OpenAI Bug Bounty Program Increases Top Reward to $100,000

Cybersecurity researchers have shed light on a new phishing-as-a-service (PhaaS) platform that leverages the Domain Name System (DNS) mail exchange (MX) records to serve fake login pages that impersonate about 114 brands.
DNS intelligence firm Infoblox is tracking the actor behind the PhaaS, the phishing kit, and the related activity under the moniker Morphing Meerkat.
"The threat actor behind

New Morphing Meerkat Phishing Kit Mimics 114 Brands Using Victims’ DNS Email Records

Discover the novel QWCrypt ransomware used by RedCurl in targeted hypervisor attacks. This article details their tactics, including…

Discover the novel QWCrypt ransomware used by RedCurl in targeted hypervisor attacks. This article details their tactics, including DLL sideloading and LOTL abuse, and explores the group’s evolving cybercriminal activities.

Bitdefender Labs has revealed a shift in the operational tactics of the long-standing cyber threat group known as **RedCurl**. This group, also known as Earth Kapre or Red Wolf, has historically maintained a low profile, relying heavily on covert data exfiltration. It has now been linked to a novel ransomware campaign, marking a dramatic change in their activities. This new ransomware strain, dubbed QWCrypt, targets hypervisors, effectively crippling infrastructure while maintaining a stealthy presence.

“This new ransomware…is previously undocumented and distinct from known ransomware families,” the **report** states.

This discovery prompts a reevaluation of RedCurl’s operational model, which has remained largely puzzling since their emergence in 2018. The group’s targeting patterns further complicates their classification.

While telemetry data points to victims primarily in the United States, with additional targets in Germany, Spain, and Mexico, other researchers have reported targets in Russia, a broad geographical scope atypical for state-sponsored actors. The absence of any historical evidence of RedCurl selling stolen data, a common practice in ransomware operations, adds to the mystery.

****Living-off-the-Land (LOTL)****

The group uses sophisticated techniques, including DLL sideloading and the abuse of **Living-off-the-Land** (LOTL) strategies, all while avoiding the use of public leak sites, a critical shift from typical ransomware operations.

The initial access vector used by RedCurl in their ransomware deployment remains consistent with their previous campaigns: phishing emails containing IMG files disguised as CV documents. These files, when opened, execute a malicious screensaver file, which in turn loads a malicious DLL. This DLL then downloads the final payload, using encrypted strings and legitimate Windows tools to evade detection. 

Once inside the network, RedCurl employs lateral movement techniques, utilizing WMI and other built-in Windows tools to gather intelligence and escalate access. The group’s use of a modified wmiexec tool, which bypasses SMB connections, and Chisel, a TCP/UDP tunneling tool, highlights their sophisticated approach.

The ransomware deployment itself is highly targeted. RedCurl uses batch files to disable endpoint security and launch the ransomware’s GO executable, rbcw.exe, which encrypts virtual machines using **XChaCha20-Poly1305** encryption and excludes network gateways.

The file also includes a hardcoded personal ID for victim identification.  The ransom note, researchers claim, is not original, but rather a compilation of sections from other ransomware groups. Additionally, the absence of a dedicated data leak site further complicates the understanding of RedCurl’s motives.Bitdefender

****Bitdefender’s Hypotheses****

Bitdefender proposes two potential hypotheses to explain RedCurl’s unconventional behaviour. The first suggests they may operate as “gun-for-hire” cyber mercenaries, explaining their diverse victimology and inconsistent operational patterns.

The second hypothesis posits that RedCurl prioritizes discreet, direct negotiations with victims, avoiding public attention to maintain extended, low-profile operations. This theory is supported by the group’s targeting of hypervisors while maintaining network gateways, suggesting an attempt to limit disruption and confine the attack to IT departments.

In conclusion, Bitdefender recommends a multilayered defense strategy, enhanced detection and response capabilities, and a focus on preventing LOTL attacks to mitigate the risks posed by groups like RedCurl. They also emphasize the importance of data protection, resilience, and advanced threat intelligence.

RedCurl Uses New QWCrypt Ransomware in Hypervisor Attacks

Many successful phishing attacks result in a financial loss or malware infection. But falling for some phishing scams, like those currently targeting Russians searching online for organizations that are fighting the Kremlin war machine, can cost you your freedom or your life.

Many successful phishing attacks result in a financial loss or malware infection. But falling for some phishing scams, like those currently targeting Russians searching online for organizations that are fighting the Kremlin war machine, can cost you your freedom or your life.

The real website of the Ukrainian paramilitary group “Freedom of Russia” legion. The text has been machine-translated from Russian.

Researchers at the security firm **Silent Push** mapped a network of several dozen phishing domains that spoof the recruitment websites of Ukrainian paramilitary groups, as well as Ukrainian government intelligence sites.

The website **legiohliberty\[.\]army** features a carbon copy of the homepage for the Freedom of Russia Legion (a.k.a. “Free Russia Legion”), a three-year-old Ukraine-based paramilitary unit made up of Russian citizens who oppose Vladimir Putin and his invasion of Ukraine.

The phony version of that website copies the legitimate site — **legionliberty\[.\]army —** providing an interactive **Google Form** where interested applicants can share their contact and personal details. The form asks visitors to provide their name, gender, age, email address and/or Telegram handle, country, citizenship, experience in the armed forces; political views; motivations for joining; and any bad habits.

“Participation in such anti-war actions is considered illegal in the Russian Federation, and participating citizens are regularly charged and arrested,” Silent Push wrote in a report released today. “All observed campaigns had similar traits and shared a common objective: collecting personal information from site-visiting victims. Our team believes it is likely that this campaign is the work of either Russian Intelligence Services or a threat actor with similarly aligned motives.”

Silent Push’s **Zach Edwards** said the fake Legion Liberty site shared multiple connections with **rusvolcorps\[.\]net**. That domain mimics the recruitment page for a Ukrainian far-right paramilitary group called the Russian Volunteer Corps (rusvolcorps\[.\]com), and uses a similar Google Forms page to collect information from would-be members.

Other domains Silent Push connected to the phishing scheme include: **ciagov\[.\]icu**, which mirrors the content on the official website of the **U.S. Central Intelligence Agency**; and **hochuzhitlife\[.\]com**, which spoofs the **Ministry of Defense of Ukraine & General Directorate of Intelligence** (whose actual domain is **hochuzhit\[.\]com**).

According to Edwards, there are no signs that these phishing sites are being advertised via email. Rather, it appears those responsible are promoting them by manipulating the search engine results shown when someone searches for one of these anti-Putin organizations.

In August 2024, security researcher **Artem Tamoian** posted on Twitter/X about how he received startlingly different results when he searched for “Freedom of Russia legion” in Russia’s largest domestic search engine **Yandex** versus Google.com. The top result returned by Google was the legion’s actual website, while the first result on Yandex was a phishing page targeting the group.

“I think at least some of them are surely promoted via search,” Tamoian said of the phishing domains. “My first thread on that accuses Yandex, but apart from Yandex those websites are consistently ranked above legitimate in DuckDuckGo and Bing. Initially, I didn’t realize the scale of it. They keep appearing to this day.”

Tamoian, a native Russian who left the country in 2019, is the founder of the cyber investigation platform malfors.com. He recently discovered two other sites impersonating the Ukrainian paramilitary groups — **legionliberty\[.\]world** and **rusvolcorps\[.\]ru** — and reported both to Cloudflare. When Cloudflare responded by blocking the sites with a phishing warning, the real Internet address of these sites was exposed as belonging to a known “bulletproof hosting” network called **Stark Industries Solutions Ltd**.

Stark Industries Solutions appeared two weeks before Russia invaded Ukraine in February 2022, materializing out of nowhere with hundreds of thousands of Internet addresses in its stable — many of them originally assigned to Russian government organizations. In May 2024, KrebsOnSecurity published a deep dive on Stark, which has repeatedly been used to host infrastructure for distributed denial-of-service (DDoS) attacks, phishing, malware and disinformation campaigns from Russian intelligence agencies and pro-Kremlin hacker groups.

In March 2023, Russia’s Supreme Court designated the Freedom of Russia legion as a terrorist organization, meaning that Russians caught communicating with the group could face between 10 and 20 years in prison.

Tamoian said those searching online for information about these paramilitary groups have become easy prey for Russian security services.

“I started looking into those phishing websites, because I kept stumbling upon news that someone gets arrested for trying to join \[the\] Ukrainian Army or for trying to help them,” Tamoian told KrebsOnSecurity. “I have also seen reports \[of\] FSB contacting people impersonating Ukrainian officers, as well as using fake Telegram bots, so I thought fake websites might be an option as well.”

Search results showing news articles about people in Russia being sentenced to lengthy prison terms for attempting to aid Ukrainian paramilitary groups.

Tamoian said reports surface regularly in Russia about people being arrested for trying carry out an action requested by a “Ukrainian recruiter,” with the courts unfailingly imposing harsh sentences regardless of the defendant’s age.

“This keeps happening regularly, but usually there are no details about how exactly the person gets caught,” he said. “All cases related to state treason \[and\] terrorism are classified, so there are barely any details.”

Tamoian said while he has no direct evidence linking any of the reported arrests and convictions to these phishing sites, he is certain the sites are part of a larger campaign by the Russian government.

“Considering that they keep them alive and keep spawning more, I assume it might be an efficient thing,” he said. “They are on top of DuckDuckGo and Yandex, so it unfortunately works.”

Further reading: Silent Push report, Russian Intelligence Targeting its Citizens and Informants.

When Getting Phished Puts You in Mortal Danger

A WIRED review shows national security adviser Mike Waltz, White House chief of staff Susie Wiles, and other top officials left sensitive information exposed via Venmo—until WIRED asked about it.

A Venmo account under the name “Michael Waltz,” carrying a profile photo of the national security adviser and connected to accounts bearing the names of people closely associated with him, was left open to the public until Wednesday afternoon. A WIRED analysis shows that the account revealed the names of hundreds of Waltz’s personal and professional associates, including journalists, military officers, lobbyists, and others—information a foreign intelligence service or other actors could exploit for any number of ends, experts say.

Among the accounts linked to “Michael Waltz” are ones that appear to belong to Susie Wiles, the White House chief of staff, and Walker Barrett, a staffer on the United States National Security Council. Both were fellow participants in a now-infamous Signal group chat called “Houthi PC small group.”

The White House declined to comment after being presented with WIRED’s findings, but the accounts appearing to belong to Waltz and Wiles went fully private following WIRED’s inquiry.

Earlier this week, The Atlantic reported that an account with the name “Michael Waltz” accidentally invited the publication’s editor in chief, Jeffrey Goldberg, to the chat, in which senior administration officials discussed plans for a strike on Yemen. (Waltz told Fox News’ Laura Ingraham he takes “full responsibility” for inviting Goldberg, adding, “We have some of the best technology minds looking at how this happened.”) Over the encrypted messaging app, which Department of Defense guidelines bar from being used for the discussion of any nonpublic defense information, the group debated whether a strike should be carried out at all. Hours after an account with the name of defense secretary Pete Hegseth shared missile targets, strike timing, and other highly sensitive operational details of a coming strike, US forces bombed Houthi targets in Yemen, reportedly killing at least 53 people.

A WIRED review of public data exposed on Venmo accounts associated with senior administration officials suggests that the Signal group chat was not an isolated mistake, but part of a broader pattern of what national security experts describe as reckless behavior by some of the most powerful people in the US government.

The Venmo account under Waltz’s name includes a 328-person friend list. Among them are accounts sharing the names of people closely associated with Waltz, such as Barrett, formerly Waltz’s deputy chief of staff when Waltz was a member of the House of Representatives, and Micah Thomas Ketchel, former chief of staff to Waltz and currently a senior adviser to Waltz and President Donald Trump.

Other accounts carry the names of a wide range of media figures, from on-air personalities like Bret Baier and Brian Kilmeade of Fox News and Brianna Keilar and Kristen Holmes of CNN to a cable news producer, a prominent national security reporter, local news anchors, documentarians, and noted conspiracy theorist Ivan Raiklin, who calls himself the “the secretary of retribution” and once created a deep state target list. (Fox News declined to comment; CNN did not respond to a request for comment.)

Many of the accounts appear to belong to local and national politicians and political operatives ranging from US representative Dan Crenshaw of Texas to a former mayor of Deltona, Florida, as well as venture capitalists, defense industry entrepreneurs, and executives like Christian Brose, the president of defense tech giant Anduril. (Crenshaw’s office and Anduril did not respond to requests for comment.)

One of the most notable appears to belong to Wiles, one of Trump’s most trusted political advisers. That account’s 182-person friend list includes accounts sharing the names of influential figures like Pam Bondi, the US attorney general, and Hope Hicks, Trump’s former White House communications director.

While none of the Venmo transactions for the account listed for Waltz, Wiles, or Barrett were publicly visible, it appears that none of them had opted out of sharing their contact list, allowing their friend lists to remain visible to the public. After WIRED reached out to the White House for comment, both Waltz and Wiles appeared to change their Venmo privacy settings to hide their friend lists.

Venmo spokesperson Erin Mackey said in a statement, “We take our customers’ privacy seriously, which is why we let customers choose their privacy settings on Venmo for both their individual payments and friends lists—and we make it incredibly simple for customers to make these private if they choose to do so.” The comment is nearly identical to the one Venmo provided to WIRED in response to a 2024 story about now-vice president JD Vance’s Venmo.

Last July, WIRED reported that Vance had left his Venmo account public, exposing a network of connections to Project 2025 architects, DOJ officials, Yale Law classmates, and far-right media figures. (While it was not reported at the time, WIRED’s analysis of that public Venmo account—and the networks of his listed friends—found that the Michael Waltz Venmo account appeared in Vance’s extended network, comprising friends and friends of friends.) According to The Atlantic, Vance was also an active participant in the Signal chat alongside Waltz, where he questioned whether the planned military operation in Yemen aligned with President Trump’s broader message on Europe.

When the Michael Waltz account was set up in 2017, the app would display a prompt allowing users to sync their phone contacts, automatically populating their friends list with anyone in their address book already using the platform. Privacy advocates, including the Electronic Frontier Foundation, criticized this design, arguing that it exposes users to unnecessary risks by making social connections public by default. It wasn’t until BuzzFeed News revealed in 2021 that then-president Joe Biden was easily found on the app that Venmo, which is owned by PayPal, added the option to hide friend lists. But that setting remains opt-in. According to its privacy policy, unless users proactively change their privacy settings, their network remains visible to anyone.

Mixed in with the high-profile names connected to the apparent Waltz Venmo account are a number of accounts appearing to belong to ordinary people, such as several doctors, real estate agents, and a tailor. These are the kinds of low-level connections that, experts say, spies look at for basic information—a relationship with a medical specialist could expose that a person is being treated for an illness that hasn’t been made public—as well as patterns, pressure points, or a way in. Experts call them “soft targets”: people who have access but aren’t protected.

For instance, when the US and Israel reportedly sabotaged Iran’s nuclear program with the Stuxnet virus, they used a control engineer’s USB stick, not one belonging to a senior official. Chinese intelligence has used similar tactics, contacting thousands of foreign citizens using LinkedIn or going after university students to get closer to US researchers and companies. While WIRED has found no evidence that foreign adversaries have used Venmo to target a US politician’s network, the platform makes these relationships visible—potentially giving adversaries a searchable map of the people around power.

“The first thing you think of is the counterintelligence issue, right? And the security vulnerabilities. It kind of boggles the mind, in a way,” says Michael Ard, a former intelligence analyst who now runs the masters program in intelligence analysis at Johns Hopkins. “It would be really easy for somebody to spoof a contact, and that is something the security industry has already been issuing notices on.”

Waltz has spent years inside the Republican national security establishment. A former Green Beret—something reflected in the number of apparent veteran Green Berets, Navy SEALs, and other special operators to whom the Venmo account bearing his name is connected—he served as a defense adviser at the Pentagon under former defense secretaries Donald Rumsfeld and Robert Gates, and later counseled US vice president Dick Cheney on counterterrorism. In 2020, following the US drone strike that killed Iranian general Qassem Soleimani, Waltz says he was part of a small group of lawmakers privately briefed at the White House.

Another participant in that thread was Hegseth. A public Venmo account under his name, identified by The American Prospect in February, revealed a similarly elite network—including names matching executives at defense firms like Palantir and Anduril as well as lobbyists and President George W. Bush–era officials. In the Signal chat, the defense secretary directly responded to Vance’s concerns: “VP: I fully share your loathing of European free-loading. It’s PATHETIC.”

Both Vance’s and Hegseth’s Venmo accounts have since been deleted.

_Jake Lahut contributed reporting._

Mike Waltz Left His Venmo Friends List Public

The Trump cabinet’s shocking leak of its plans to bomb Yemen raises myriad confidentiality and legal issues. The security of the encrypted messaging app Signal is not one of them.

The eye-popping scandal surrounding the Trump cabinet’s accidental invitation to The Atlantic’s editor in chief to join a text-message group secretly planning a bombing in Yemen has rolled into its third day, and that controversy now has a name: SignalGate, a reference to the fact that the conversation took place on the end-to-end encrypted free messaging tool Signal.

As that name becomes a shorthand for the biggest public blunder of the second Trump administration to date, however, security and privacy experts who have promoted Signal as the best encrypted messaging tool available to the public want to be clear about one thing: SignalGate is not about Signal.

Since The Atlantic’s editor, Jeffrey Goldberg, revealed Monday that he was mistakenly included in a Signal group chat earlier this month created to plan US airstrikes against the Houthi rebels in Yemen, the reaction from the Trump cabinet’s critics and even the administration itself has in some cases seemed to cast blame on Signal for the security breach. Some commentators have pointed to reports last month of Signal-targeted phishing by Russian spies. National security adviser Michael Waltz, who reportedly invited Goldberg to the Signal group chat, has even suggested that Goldberg may have hacked into it.

On Wednesday afternoon, even President Donald Trump suggested Signal was somehow responsible for the group chat fiasco. “I don't know that Signal works,” Trump told reporters at the White House. “I think Signal could be defective, to be honest with you.”

The real lesson is much simpler, says Kenn White, a security and cryptography researcher who has conducted audits on widely used encryption tools in the past as the director of the Open Crypto Audit Project: Don’t invite untrusted contacts into your Signal group chat. And if you’re a government official working with highly sensitive or classified information, use the encrypted communication tools that run on restricted, often air-gapped devices intended for a top-secret setting rather than the unauthorized devices that can run publicly available apps like Signal.

“Unequivocally, no blame in this falls on Signal,” says White. “Signal is a communication tool designed for confidential conversations. If someone's brought into a conversation who’s not meant to be part of it, that's not a technology problem. That's an operator issue.”

Cryptographer Matt Green, a professor of computer science at Johns Hopkins University, puts it more simply. “Signal is a tool. If you misuse a tool, bad things are going to happen,” says Green. “If you hit yourself in the face with a hammer, it’s not the hammer’s fault. It’s really on you to make sure you know who you’re talking to.”

The only sense in which SignalGate _is_ a Signal-related scandal, White adds, is that the use of Signal suggests that the cabinet-level officials involved in the Houthi bombing plans, including secretary of defense Pete Hegseth and director of national intelligence Tulsi Gabbard, were conducting the conversation on internet-connected devices—possibly even including personal ones—since Signal wouldn’t typically be allowed on the official, highly restricted machines intended for such conversations. “In past administrations, at least, that would be absolutely forbidden, especially for classified communications,” says White.

Indeed, using Signal on internet-connected commercial devices doesn’t just leave communications open to anyone who can somehow exploit a hackable vulnerability in Signal, but anyone who can hack the iOS, Android, Windows, or Mac devices that might be running the Signal mobile or desktop apps.

This is why US agencies in general, and the Department of Defense in particular, conduct business on specially managed federal devices that are specially provisioned to control what software is installed and which features are available. Whether the cabinet members had conducted the discussion on Signal or another consumer platform, the core issue was communicating about incredibly high-stakes, secret military operations using inappropriate devices or software.

One of the most straightforward reasons that communication apps like Signal and WhatsApp are not suitable for classified government work is that they offer “disappearing message” features—mechanisms to automatically delete messages after a preset amount of time—that are incompatible with federal record retention laws. This issue was on full display in the principals’ chat about the impending strike on Yemen, which was originally set for one-week auto-delete before the Michael Waltz account changed the timer to four-week auto-delete, according to screenshots of the chat published by The Atlantic on Wednesday. Had The Atlantic’s Goldberg not been mistakenly included in the chat, its contents might not have been preserved in accordance with long-standing government requirements.

In congressional testimony on Wednesday, US director of national intelligence Tulsi Gabbard said that Signal can come preinstalled on government devices. Multiple sources tell WIRED that this is not the norm, though, and noted specifically that downloading consumer apps like Signal to Defense Department devices is highly restricted and often banned. The fact that Hegseth, the defense secretary, participated in the chat indicates that he either obtained an extremely unusual waiver to install Signal on a department device, bypassed the standard process for seeking such a waiver, or was using a non-DOD device for the chat. According to political consultant and podcaster FP Wellman, DOD “political appointees” demanded that Signal be installed on their government devices last month.

Core to the Trump administration’s defense of the behavior is the claim that no classified material was discussed in the Signal chat. In particular, Gabbard and others have noted that Hegseth himself is the classification authority for the information. Multiple sources tell WIRED, though, that this authority does not make a consumer application the right forum for such a discussion.

“The way this was being communicated, the conversation had no formal designation like 'for official use only' or something. But whether it should have been classified or not, whatever it was, it was obviously sensitive operational information that no soldier or officer would be expected to release to the public—but they had added a member of the media into the chat,” says Andy Jabbour, a US Army veteran and founder of the domestic security risk-management firm Gate 15.

Jabbour adds that military personnel undergo annual information awareness and security training to reinforce operating procedures for handling all levels of nonpublic information. Multiple sources emphasize to WIRED that while the information in the Yemen strike chat appears to meet the standard for classification, even nonclassified material can be extremely sensitive and is typically carefully protected.

“Putting aside for a moment that classified information should never be discussed over an unclassified system, it’s also just mind-boggling to me that all of these senior folks who were on this line and nobody bothered to even check, security hygiene 101, who are all the names? Who are they?” US senator Mark Warner, a Virginia Democrat, said during Tuesday’s Senate Intelligence Committee hearing.

According to The Atlantic, 12 Trump administration officials were in the Signal group chat, including vice president JD Vance, secretary of state Marco Rubio, and Trump adviser Susie Wiles. Jabbour adds that even with ​​decisionmaking authorities present and participating in a communication, establishing an information designation or declassifying information happens through an established, proactive process. As he puts it, “If you spill milk on the floor, you can’t just say, ‘That’s actually not spilled milk, because I intended to spill it.’”

All of which is to say, SignalGate raises plenty of security, privacy, and legal issues. But the security of Signal itself is not one of them. Despite that, in the wake of The Atlantic’s story on Monday, some have sought tenuous connections between the Trump cabinet’s security breach and Signal vulnerabilities. On Tuesday, for example, a Pentagon adviser echoed a report from Google’s security researchers, who alerted Signal earlier this year to a phishing technique that Russian military intelligence used to target the app’s users in Ukraine. But Signal pushed out an update to make that tactic—which tricks users into adding a hacker as a secondary device on their account—far harder to pull off, and the same tactic also targeted some accounts on the messaging services WhatsApp and Telegram.

“Phishing attacks against people using popular applications and websites are a fact of life on the internet,” Signal spokesperson Jun Harada tells WIRED. “Once we learned that Signal users were being targeted, and how they were being targeted, we introduced additional safeguards and in-app warnings to help protect people from falling victim to phishing attacks. This work was completed months ago."

In fact, says White, the cryptography researcher, if the Trump administration is going to put secret communications at risk by discussing war plans on unapproved commercial devices and freely available messaging apps, they could have done much worse than to choose Signal for those conversations, given its reputation and track record among security experts.

“Signal is the consensus recommendation for highly at-risk communities—human rights activists, attorneys, and confidential sources for journalists,” says White. Just not, as this week has made clear, executive branch officials planning airstrikes.

_Updated at 5:50 pm ET, March 25, 2025: Added remarks about Signal by President Trump._

SignalGate Isn’t About Signal

With its growing popularity, sponsored Google search ads have started impersonating DeepSeek AI.

_The threat intel research used in this post was provided by Malwarebytes Senior Director of Research, Jérôme Segura._

DeepSeek’s rising popularity has not only raised concerns and questions about privacy implications, but cybercriminals are also using it as a lure to trap unsuspecting Google searchers.

Unfortunately, we are getting so used to sponsored Google search results being abused by criminals that we advise people not to click on them. So, it was to be expected that DeepSeek would show up in our monitoring of fake Google ads.

Here’s the fake ad:

If you put it side by side with the real DeepSeek ads, the difference is relatively easy to spot:

But as an unsuspecting searcher, you aren’t likely to make that comparison, and as you may know from previous posts about fake Google sponsored ads, the criminals behind these campaigns can be a lot more convincing.

In this case, they certainly put a lot more effort into creating the fake website which the advertisement linked to:

It’s different from the real website, but it looks convincing, nonetheless.

Should you happen to click the download button, you will receive a Trojan programmed in Microsoft Intermediate Language (MSIL), which the Artificial Intelligence (AI) module in Malwarebytes/ThreatDown products detects as Malware.AI.1323738514.

**How to avoid these traps**

As we mentioned earlier, Google has demonstrated that it can’t keep fake ads out of its sponsored search results. And apparently the success rate of these fake ads is high enough to allow the criminals to pay Google enough to outrank legitimate brands.

So, our first tip is not to click on sponsored search results. Ever.

The second tip is to look at the advertiser by clicking the three dots behind the URL in the search result and look whether he advertiser listed is the legitimate owner of the brand or not.

Here is one example of another DeepSeek impersonator we found. The advertiser’s name is not in Chinese characters by the way. The language in which the advertiser’s name is written is Hebrew: תמיר כץ.

If you don’t want to see sponsored ads at all then it’s worth considering installing an ad-blocker that will make sure you go straight to the regular search results.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 DeepSeek users targeted with fake sponsored Google ads that deliver malware 

Ramat Gan, Israel, 25th March 2025, CyberNewsWire

**Ramat Gan, Israel, March 25th, 2025, CyberNewsWire**

CYREBRO, the AI-native Managed Detection and Response (MDR), today announced its recognition as a leading detection and response startup in the Gartner report, Emerging Tech: Techscape for Detection and Response Startups. This acknowledgment highlights CYREBRO’s innovative approach to cybersecurity, leveraging advanced technology and expert analysis to combat evolving cyber threats.

Among the key findings in the report:

*   Startups are experimenting with generative AI (GenAI) technologies. The use of AI agents/AI security operations center (SOC) analysts and GenAI remediation recommendations has become crucial for staying ahead of evolving threats.
*   The preemptive cybersecurity approach to detection and response has gained momentum, with startups working across complex threat intelligence, adopting purple team cultures, and improving their strategic industry offerings.

CYREBRO has been identified as a key startup in the preemptive cybersecurity category, which highlights companies with a proactive strategy designed to prevent, disrupt, or deter cyberattacks before they can achieve their goals. CYREBRO’s inclusion validates its commitment to delivering comprehensive future-proof security solutions, providing organizations with a robust defense against diverse risks and cyberattacks.

> “We are honored to be recognized by Gartner for our emerging technology in the detection and response space,” said Ori Arbel, CTO of CYREBRO. “The report highlights the growing need for innovative detection and response solutions that can effectively address the increasing sophistication of cyberattacks. CYREBRO is committed to empower its partners and customers with cutting-edge solutions.”

CYREBRO’s platform leverages advanced proprietary technology, including AI and machine learning, to precisely detect and respond to threats. By automating the correlation and prioritization of security events, CYREBRO ensures that businesses can focus on critical threats, minimizing disruption and maintaining operational continuity.

Gartner, Emerging Tech: Techscape for Detection and Response Startups, 19 March 2025. Gartner is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

Gartner members can access the full report here. (For Gartner subscribers only).

**Gartner Disclaimer**

GARTNER is the registered trademark and service mark of Gartner Inc., and/or its affiliates in the U.S. and/or internationally and has been used herein with permission. All rights reserved. Gartner does not endorse any vendor, product, or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner’s research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

**About CYREBRO**

CYREBRO is an AI-native, end-to-end Managed Detection and Response (MDR) solution, designed for hands-off or hands-on control through its future-proof SOC platform.

With its advanced Security Data Lake revolutionizing SIEM and SOAR capabilities, CYREBRO includes 24/7 SOC monitoring and threat intelligence, augmented with exceptionally swift incident response and forensic investigations. CYREBRO delivers precision-guided threat detection and response across any tech stack, providing clear, actionable insights to ensure world-class security and compliance.

With comprehensive visibility and expert guidance, CYREBRO empowers over 900 businesses of all sizes to manage threats proactively, enhancing their security posture and delivering full and complete protection.  

**Contact**

**CMO**  
**Gil Harel**  
**CYREBRO**  
**\[email protected\]**

CYREBRO Recognized in Gartner Emerging Tech Report for Detection and Response Startups

The ad hoc addition to the otherwise tightly controlled White House information environment could create blind spots and security exposures while setting potentially dangerous precedent.

As the Trump administration's Department of Government Efficiency (DOGE) continues to rampage through the United States federal government, essentially guided by Elon Musk, the group has also been upending traditional IT boundaries—evaluating digital systems and allegedly accessing personally identifiable information as well as data that has typically been off-limits to those without specific training. Last week, The New York Times reported that the White House is adding Musk-owned SpaceX’s Starlink Wi-Fi “to improve Wi-Fi connectivity on the complex,” according to a statement from White House press secretary Karoline Leavitt. The White House's Starlink internet service is reportedly being donated by the company.

Spotty internet is an annoying but highly solvable problem that WIRED has reported on extensively. Of course, the White House is a highly complex organization operating out of a historic building, but network security researchers, government contractors, and former intelligence analysts with years of experience in US federal government security all tell WIRED that adding Starlink Wi-Fi in a seemingly rushed and haphazard way is an inefficient and counterproductive approach to solving connectivity issues. And they emphasized that it could set problematic precedents across the US government: that new pieces of technology can simply be layered into an environment at will without adequate oversight and monitoring.

“This is shadow IT, creating a network to bypass existing controls,” alleges Nicholas Weaver, a member of the nonprofit International Computer Science Institute's network security team and a computer science lecturer at UC Davis. He adds that while secret and top secret information is typically (but not always) processed only on special, separate federal networks that have no wireless access, the security and uniformity of White House Wi-Fi is still extremely important to national security. “A network like the White House unclassified side is still going to be very sensitive,” he says.

“Just like the Biden Administration did on numerous occasions, the White House is working to improve WiFi connectivity on the complex,” White House spokesperson Karoline Leavitt tells WIRED in a statement.

A White House source who asked not to be named supported the switch, arguing that in some areas of the campus, “the old Wi-Fi was trash.”

Researchers point out that while Starlink is a robust commercial ISP like any other, it is not clear that it is being implemented in compliance with White House Communication Agency requirements. If the controls on the White House Starlink Wi-Fi are more lax than on other White House Wi-Fi, it could introduce security exposures and blind spots in network monitoring for anomalous activity.

“The only reason they'd need Starlink would be to bypass existing security controls that are in place from WHCA,” claims former NSA hacker Jake Williams. “The biggest issues would be: First, if they don't have full monitoring of the Starlink connection. And second, if it allows remote management tools, so they could get remote access back into the White House networks. Obviously anyone could abuse that access.”

One baffling aspect of the arrangement is that Starlink and other satellite internet is designed to be used in places that have little or no access to terrestrial internet service—in other words, places where there are no reliable fiber lines or no wired infrastructure at all. Instead of a traditional ISP modem, Starlink customers get special panels that they install on a roof or other outdoor place to receive connectivity from orbiting satellites. The New York Times reported, though, that the White House Starlink panels are actually installed miles away at a White House data center that is routing the connectivity over existing fiber lines. Multiple sources emphasized to WIRED that this setup is bizarre.

“It is extra stupid to go satellite to fiber to actual site,” ICSI's Weaver says. “Starlink is inferior service anyplace where you have wire-line internet already available and, even in places which don't, inferior if you have reasonable line of sight to a cell tower.”

Weaver and others note that Starlink is a robust product and isn't inherently unreliable just because it is delivered via satellite. But in a location where fiber lines are highly available and, ultimately, the service is being delivered via those lines anyway, the setup is deeply inefficient.

While Starlink as a service is technically reliable, incorporating it in the White House could create a long-term federal dependence on an Elon Musk–controlled service, which could create future instabilities. After European officials raised concerns earlier this month on whether Starlink might stop serving Ukraine, Musk posted on social media: “To be extremely clear, no matter how much I disagree with the Ukraine policy, Starlink will never turn off its terminals … We would never do such a thing or use it as a bargaining chip.”

_Updated at 3 pm ET, March 24, 2025, to add comment from the White House, additional details from a White House source, and further context around the transmission of classified materials._

Using Starlink Wi-Fi in the White House Is a Slippery Slope for US Federal IT

Microsoft on Monday announced a new feature called inline data protection for its enterprise-focused Edge for Business web browser.
The native data security control is designed to prevent employees from sharing sensitive company-related data into consumer generative artificial intelligence (GenAI) apps like OpenAI ChatGPT, Google Gemini, and DeepSeek. The list will be expanded over time to

Tag

#intel