Investigators link the $1.4B Bybit hack to North Korea’s Lazarus Group, exposing a major crypto heist tied to state-backed cybercrime and money laundering.

Bybit, the world’s second-largest cryptocurrency exchange, suffered a devastating $1.4 billion Ethereum (ETH) hack from a cold wallet breach on February 21, 2025. In the days following the attack, independent blockchain investigator ZachXBT traced the stolen funds directly to North Korea’s Lazarus Group, a notorious state-backed hacking organization. His findings were confirmed by Arkham Intelligence, a blockchain analysis firm, and shared with the Bybit team for further investigation.

****ZachXBT Uncovers Lazarus Group’s Crypto Trail****

On February 21 at 19:09 UTC, Arkham tweeted that ZachXBT had submitted definitive proof linking the attack to the Lazarus Group. His submission included detailed test transactions, connected wallet addresses, forensic graphs, and timing analyses; all of which suggested the hack was premeditated.

The next day, February 22, ZachXBT posted further evidence revealing that Lazarus had not only executed the Bybit hack but had also directly connected the stolen funds on-chain to the recent Phemex hack, which occurred on February 20. He identified a key overlapping address **(**0x33d057af74779925c4b2e720a820387cb89f8f65**)** where funds from both hacks had been commingled, effectively proving the same entity was responsible.

****On-Chain Evidence of Lazarus Group’s Activity********Bybit Hack Transactions (Feb 22, 2025):****

*   0xc963e65b9ec39b11076f78990c31f29aaa80705c75312dafd1748479e3e94ed0
*   0x411374feedcfa560335f00c0fcfa0a3906fdcc33687e6f924dd78ebecc45cd00

****Phemex Hack Transactions (Feb 20, 2025):****

*   0x6262a3339842240aeebae4ebfe338dbc771aa0e2df8f5a1ebcd7f9b090bedfe3

ZachXBT later tweeted that, before these transactions surfaced, he and another blockchain investigator, Josh from CF (Cryptoforensic Investigators), had already traced Bybit-related testing addresses that were involved in laundering funds from the Phemex hack via Tron. Their findings helped them secure a bounty from Arkham, which had launched a reward for anyone who could identify the Bybit hackers.

> Lazarus Group just connected the Bybit hack to the Phemex hack directly on-chain commingling funds from the intial theft address for both incidents.
> 
> Overlap address:  
> 0x33d057af74779925c4b2e720a820387cb89f8f65
> 
> Bybit hack txns on Feb 22, 2025:… pic.twitter.com/dh2oHUBCvW
> 
> — ZachXBT (@zachxbt) February 22, 2025

****New Findings Connect Bybit Hack to BingX Hack****

Later on February 22, ZachXBT made another major revelation: Lazarus Group had also linked an address used in the September 2024 BingX hack to the same cluster of addresses responsible for the Bybit and Phemex hacks. This means that the three hacks: Bybit, BingX, and Phemex, are all connected through on-chain transactions.

****Overlap Address:****

*   0xd555789b146256253cd4540da28dcff6e44f6e50

****Bybit Hack Transaction:****

*   0x4a366130118d750715c2d35fdc07509cf943fcc988fa5e6d02211e3d5472796e

****BingX Hack Transaction:****

*   0x93424aa87731bb9b1d8cc1f708d2ac9f3faf914f368a00494d87cba3e7719e8c

> Lazarus Group just linked an address tied to the BingX hack to this same cluster a few minutes ago which now connects the Bybit, BingX, & Phemex hacks on-chain.
> 
> Overlap  
> 0xd555789b146256253cd4540da28dcff6e44f6e50
> 
> Bybit hack txn:… pic.twitter.com/CGh7pB31Xa
> 
> — ZachXBT (@zachxbt) February 22, 2025

****Investigators Publish 920+ Addresses Linked to the Hack****

On February 22 at 9:05 PM UTC, ZachXBT tweeted that he had spent the entire day graphing the laundering movements of the stolen Bybit funds. He also made 920+ theft-linked wallet addresses publicly available to help exchanges and security teams block illicit transactions.

Bybit responded to his findings with a tweet on February 23 at 9:17 AM, thanking ZachXBT for his work, stating: “Big shoutout to @ZachXBT for always keeping the space sharp. 👀🔍 Your work didn’t go unnoticed—much respect.”

****Bybit Resumes Operations and Warns of Scammers****

Despite the massive theft, Bybit announced that deposits and withdrawals on the platform had returned to normal. However, the exchange warned users of scammers impersonating Bybit employees, urging them to verify all communications and avoid sharing personal information.

“Scammers are out there pretending to be Bybit employees. Stay sharp! Bybit will never ask for your personal info, deposits, or passwords,” Bybit tweeted.

****Coordinated Effort Freezes $42.89M in Stolen Funds****

A coordinated global effort among crypto security teams led to the freezing of $42.89 million in stolen assets within a single day. According to ByBit’s tweet, several key players in the industry, including stablecoin issuers and exchanges, helped track and block the movement of the hacked funds.

****Funds Frozen by Various Entities:****

*   **ChangeNOW:** Froze 34 ETH
*   **Circle:** Assisted with crucial clues
*   **THORChain:** Blocked the blacklist
*   **FixedFloat:** Froze 120K USDC + USDT
*   **Avalanche (AVAX):** Froze 0.38755 BTC
*   **Bitget:** Blocked the blacklist and froze 84 USDT
*   **Tether:** Flagged an address and froze 181K USDT
*   **CoinEx:** Blocked the blacklist and provided key insights

Bybit acknowledged and praised these companies for their swift response, stating that their efforts were essential in tracking and freezing the hacked funds.

****Who is the Lazarus Group?****

The Lazarus Group is a state-sponsored North Korean hacking organization responsible for some of the biggest cyber heists in history. First identified in the early 2010s, the group has been linked to multiple high-profile financial and cyber attacks, including the 2014 Sony Pictures hack, the 2017 WannaCry ransomware attack, and a long list of crypto exchange breaches.

Their primary objective is stealing funds to support North Korea’s heavily sanctioned economy, which struggles under international financial restrictions. According to intelligence agencies and blockchain analytics firms, Lazarus has stolen over $3 billion in cryptocurrency since 2018, with much of the funds being funnelled into North Korea’s nuclear weapons program and military operations.

The group typically executes attacks through social engineering, phishing, and exploiting security vulnerabilities in crypto platforms. Their laundering methods often involve mixing services, decentralized exchanges, and cross-chain swaps to cover transaction trails before cashing out.

Nevertheless, the ByBit incident is one of the largest crypto hacks in history, backing concerns about security vulnerabilities in centralized exchanges. The rapid response from blockchain investigators like ZachXBT, exchanges, and security teams has helped mitigate the impact, but the attack further highlights the sophisticated tactics of hacking groups like Lazarus.

With Bybit now operational again, the industry remains on high alert as investigations continue into the laundering of the stolen funds.

1.  **North Korean Hackers Team Up with Play Ransomware**
2.  **Lazarus Group Exploits Chrome 0-Day for Crypto Theft**
3.  **KnowBe4 Tricked into Hiring North Korean Hacker as IT Pro**
4.  **Elite North Korean Hackers Breach Russian Missile Developer**
5.  **North Korean APT37 Unleashes Dolphin Backdoor on South Korea**

Investigators Link $1.4B Bybit Hack to North Korea’s Lazarus Group

OpenAI on Friday revealed that it banned a set of accounts that used its ChatGPT tool to develop a suspected artificial intelligence (AI)-powered surveillance tool.
The social media listening tool is said to likely originate from China and is powered by one of Meta's Llama models, with the accounts in question using the AI company's models to generate detailed descriptions and analyze documents

OpenAI Bans Accounts Misusing ChatGPT for Surveillance and Influence Campaigns

Several government departments are investigating TP-Link routers over Chinese cyberattack fears, but the company denies links.

If you buy something using links in our stories, we may earn a commission. This helps support our journalism. Learn more. Please also consider subscribing to WIRED

TP-Link is one of the most popular router manufacturers in the US, but the company is facing a potential ban due to security concerns about its links to China. A December report from The Wall Street Journal revealed that the US Commerce, Defense, and Justice Departments are investigating TP-Link, though no evidence of deliberate wrongdoing has yet emerged.

“We are a US company,” Jeff Barney, president of TP-Link told WIRED, “We have no affiliation with TP-Link Tech, which focuses on mainland China, and we can prove our separateness.”

The investigation was sparked by a letter from John Moolenaar, a Republican for Michigan, and Raja Krishnamoorthi, a Democrat of Illinois. Both are on the House Select Committee on the Strategic Competition Between the United States and the Chinese Communist Party. They outlined concerns that Chinese state-sponsored hackers may be able to compromise TP-Link’s routers more easily than other brands and thereby infiltrate US systems, and that TP-Link is subject to Chinese law, meaning it can be forced to hand over sensitive US information by Chinese intelligence officials.

Photograph: Simon Hill

TP-Link was founded in China in 1996 by two brothers, and TP-Link USA was established in 2008. It wasn’t until 2022 that the Chinese and US wings began to split. The process of moving the 170 subsidiaries and all the related ownership out of Hong Kong and into the United States was delayed by the pandemic, says Barney, but it was divested and restructured by 2024.

TP-Link now has headquarters in California and Singapore and manufactures in Vietnam. It researches, designs, develops, and manufactures everything except chipsets in-house, according to Barney. “Our entities in China are governed directly by us, our employees badged by us, secured by us, in our own facilities.” He also says TP-Link has shared documentation with investigators and that its factory in Vietnam was audited by US retail partners like Walmart, Best Buy, and Costco.

“Everybody has a Nexus in China,” Barney says. He claims that American rival Netgear uses Chinese ODMs (original device manufacturers) to build its products and that even Apple relies on manufacturing in China. Netgear says its routers are manufactured in Taiwan, Vietnam, and Thailand, not China.

**Competition Concerns**

The WSJ report suggests that TP-Link has a leading 64.9 percent share of the US router market, but TP-Link disputes this. The company claims its share hovered around 20 percent for the last few years, but jumped to a 36.5 percent unit share and a 30.7 percent dollar share in 2024. But even TP-Link’s lower estimate shows a company in the ascendancy. This dominance has been driven by aggressively low prices and a relatively early roll-out of Wi-Fi 7 routers, perceived by some as a concerted effort to flood the US market.

“Technology should not be exorbitant,” Barney says. “We're trying to democratize these products.”

However, the wide product range raises questions, with many wondering how TP-Link can profit from routers sold at such low prices compared to the competition. Former CNET reviewer Dong Ngo explores this point on the in-depth router review website, Dong Knows.

Concerns about the links between Chinese companies and its government are nothing new. The ban on Huawei’s networking equipment and US sanctions came after years of cybersecurity concerns and intellectual property lawsuits brought by US companies. The TikTok ban is not being enforced by President Donald Trump’s administration, but owner ByteDance is still under pressure to divest its US operations. These situations can be tricky for the average person to navigate because the lines between shoddy security, Chinese espionage, US protectionism, and the growing trade war are distinctly blurry and are not mutually exclusive.

It’s no secret that US competitor Netgear has been lobbying the US government on “cybersecurity and strategic competition with China.” Netgear has had a tough couple of years after adopting a premium pricing strategy that did not resonate with consumers. It has also been embroiled in litigation against TP-Link for patent infringement, resulting in TP-Link paying a $135 million settlement in September 2024.

**Are TP-Link Routers Secure?**

TP-Link has signed CISA’s “Secure by Design” pledge and is part of the Technical Exchange Group. It has a vulnerability disclosure program, where independent researchers and the security community can report potential issues to security@tp-link.com. It claims report response time was 8.4 days on average in 2023, with patches released in an average of 38.5 days. The company is also planning to launch a bug bounty program.

Barney claims TP-Link’s rate of vulnerabilities per product is significantly lower than many of its peers, including Netgear and Cisco, citing public data collected by Finite State, an independent US cybersecurity company, from CVE Details, VulDB, and CISA (Cybersecurity and Infrastructure Security Agency), but not everyone agrees.

“TP-Link does not have a great reputation for patching vulnerabilities or working with security researchers, which does raise alarm bells,” Pieter Arntz, malware intelligence researcher for Malwarebytes told WIRED via email.

Photograph: TP-Link; Data Source: U.S. Cybersecurity and Infrastructure Security Agency

TP-Link was criticized in a recent Microsoft report over a “password spraying” hack that mostly impacted its routers, and the report suggested Chinese “nation-state threat actor activity.” Barney says these were end-of-service products and that Asus and Netgear routers were also impacted.

Other incidents include a Check Point Research exposé of a malicious firmware implant for TP-Link routers, linked to a Chinese state-sponsored “advanced persistent threat” group dubbed “Camaro Dragon.” Cyfirma researchers also found TP-Link router vulnerabilities for sale on underground forums.

“It’s also a challenge because regardless of the home router vendor, there will always be vulnerabilities found,” Arntz says.

A part of the problem with older routers is that the onus is often on the user to download and install updates, and this is rarely automatic or as simple as clicking on “update,” which means many patches are never installed, creating vulnerable devices for any savvy cybercriminals or nation-states. Even months after TP-Link released patches for a vulnerability on its popular Archer AX21 router, hackers continue to scan for and exploit it on unpatched routers.

These security concerns are moot in the face of built-in backdoors. Backdoors can be pieces of code or even hardware added to the circuit board that enables remote parties to gain access and potentially control the device. There’s no evidence that TP-Link devices have backdoors, but, as Ngo points out, when you use an online account with your router, you are already giving the company access through the front door. Whether remote connectivity is justified by the need for automatic software updates, remote control access, or other features for users, it effectively gives the manufacturer access to your router.

**Should You Worry?**

Ultimately, the concern isn’t so much about the Chinese government or other malicious actors spying on your web browsing habits—though that is possible—it’s the idea they might employ your router as a part of a botnet to launch a cyberattack on a US government agency or major service provider.

The NSA has been concerned about Chinese hackers for some time now, and China's Salt Typhoon spies continue to infiltrate US internet service providers and telecommunications companies. Speaking on the _NatSec Tech_ podcast recently, former special assistant to the president and cybersecurity coordinator on the US National Security Council, Rob Joyce, likened TP-Link routers to a Trojan Horse and suggested China is pre-positioning for a potentially devastating attack on US infrastructure.

While some cybersecurity experts suggest a ban is imminent, Barney is confident that TP-Link routers won’t be banned. Investigations are ongoing. Even if the government doesn't find anything or decides against a ban, it won’t publicly clear TP-Link. It’s more likely the investigation will fade from the news.

Photograph: Simon Hill

For owners of a TP-Link router or anyone considering buying one, it all boils down to trust. We've tested and recommend several TP-Link routers and Deco mesh systems in our buying guides because they offer good value and great performance. But we continually update our guides and will monitor the situation before deciding whether we need to reconsider those recommendations.

There’s no easy fix because all the major router manufacturers have issues with vulnerabilities, and most of them require you to use an online account. You can go down the rabbit hole with router security, or seek out security-focused brands like Firewalla, but expect to pay more for your equipment in both time and money.

Even if you stick with what you have, there are steps you can take to be more secure online. We recommend using a VPN service and learning a little about router settings. Malwarebytes’ Arntz says the most secure router is the one on which you are comfortable changing the settings: credentials, firewall options, and especially installing updates.

Here’s his advice for home TP-Link router owners who are concerned:

*   First, update your login credentials. Ensure you have moved away from the default login credentials set by the router manufacturer (or internet provider). Make this password different from your Wi-Fi name and password. And remember, length equals strength when it comes to passwords.
*   Second, patch your device and set a reminder to check regularly for firmware updates.
*   Third, turn on the firewall and Wi-Fi encryption. You can find these settings by logging into your router from its app or website.
*   Finally, consider purchasing a new router from a different vendor with a less problematic history.

TP-Link also manufactures a wide range of smart home devices marketed under the Tapo brand, including everything from security cameras to water leak detectors. These are not part of the current investigation, which seems to be focused solely on routers. TP-Link says it has applied to the FCC’s Cyber Trust Mark program administered by UL Solutions, which ensures that internet-of-things devices are tested and labeled secure. Sadly, there is no such program for routers.

The US Is Considering a TP-Link Router Ban—Should You Worry?

Approximately 500 NIST staffers, including at least three lab directors, are expected to lose their jobs at the standards agency as part of the ongoing DOGE purge, sources tell WIRED.

Sweeping layoffs architected by the Trump administration and the so-called Department of Government Efficiency may be coming as soon as this week at the National Institute of Standards and Technology (NIST), a non-regulatory agency responsible for establishing benchmarks that ensure everything from beauty products to quantum computers are safe and reliable.

According to several current and former employees at NIST, the agency has been bracing for cuts since President Donald Trump took office last month and ordered billionaire Elon Musk and DOGE to slash spending across the federal government. The fears were heightened last week when some NIST workers witnessed a handful of people they believed to be associated with DOGE inside Building 225, which houses the NIST Information Technology Laboratory at the agency’s Gaithersburg, Maryland campus, according to multiple people briefed on the sightings. The DOGE staff were seeking access to NIST’s IT systems, one of the people said.

Soon after the purported visit, NIST leadership told employees that DOGE staffers were not currently on campus, but that office space and technology were being provisioned for them, according to the same people.

On Wednesday, Axios and Bloomberg reported that NIST had begun informing some employees that they could soon be laid off. About 500 recent hires who are still in probationary status and can be let go more easily were among those expected to be affected, according to the reports. Three sources tell WIRED that the cuts likely impact lauded technical experts in leadership positions, including three lab directors who were promoted within the last year. One person familiar with the agency tells WIRED that the official layoff notices may come Friday.

The White House and a spokesperson for NIST, which is part of the Department of Commerce, did not yet return requests for comment.

One NIST team that has been fearing cuts because of its number of probationary employees is the US AI Safety Institute (AISI), which was created after former President Joe Biden’s sweeping executive order on AI issued in October 2023. Trump rescinded the order shortly after taking office last month, describing it as a “barrier to American leadership in artificial intelligence.”

The AI Safety Institute and its roughly two dozen staffers has been working closely with AI companies, including rivals to Musk’s startup xAI like OpenAI and Anthropic, to understand and test the capabilities of their most powerful models. Musk was an early investor in OpenAI and is currently suing the startup over its decision to transition from a non-profit to a for-profit corporation.

AISI’s inaugural director, Elizabeth Kelly, announced she was leaving her role earlier this month. Several other high-profile NIST leaders working on AI have also departed in recent weeks, including Reva Schwartz, who led NIST’s Assessing Risks and Impacts of AI program, and Elham Tabassi, NIST’s chief AI advisor. Kelly and Schwartz declined to comment. Tabassi did not respond to a request for comment.

US Vice President JD Vance recently signaled the new administration’s intent to deprioritize AI safety at the AI Action Summit, a major international meeting held in Paris last week that AISI and other government staffers were not invited to attend, according to three familiar with the matter. “I'm not here this morning to talk about AI safety,” Vance said in his first major speech as VP. “I'm here to talk about AI opportunity.”

Though they receive bipartisan support, the AI Safety Institute and other parts of NIST had been preparing for the Trump administration to set new priorities for their work. In anticipation, some NIST teams began moving to deprioritize efforts such as fighting misinformation and racial bias in AI systems, according to two people familiar with the projects. Two other people say that putting even more public emphasis on national security was welcomed among some staffers, since the institute has already engaged in related research efforts.

Overall, the AI Safety Institute has been pressing ahead with working groups and other efforts focused on developing guidelines for studying AI systems. Last week, the startup Scale AI announced it had been selected by the institute as its “first approved third-party evaluator authorized to conduct AI model assessments.” Michael Kratsios, Trump’s pick to direct the White House Office of Science and Technology Policy, was until recently Scale’s managing director.

The feared layoffs at NIST have drawn strong rebuke from civil society groups, such as the Center for AI Policy, and congressional Democrats. NIST’s 2024 budget was about $1.5 billion, approximately .02 percent of federal spending overall, making it perhaps an unlikely target for Musk’s DOGE project. DOGE staffers have dropped into several government agencies this month, gaining access to sensitive systems, promoting the use of AI to boost productivity, and seeding a trail of resignations among long-time government workers. DOGE’s specific goals at NIST couldn’t be immediately learned.

US Representative Jake Auchincloss, a Democrat who serves on the House energy and commerce committee, says any efforts by DOGE to trim NIST rather than focusing instead on parts of government that account for far more spending, such as Department of Defense contracts, amounts to “scrounging for pennies in front of a bank vault.” He called NIST an agency with high returns on investment and warned that hobbling it would be self-defeating for the US. “Imparing NIST’s function is going to harm business productivity and increase costs,” Auchincloss says.

Staff for Democrats on the US House of Representatives Committee on Science, Space, and Technology say they are concerned about the potential for significant economic harm from any cuts to NIST. The agency’s timekeeping is used by stock markets and its research on buildings and pipelines help keep infrastructure intact. DOGE “might throw out things that are crucial to the functioning of the economy,” says one of the Democratic staffers, who all spoke on the condition of anonymity.

Budget cuts at other agencies could also have ripple effects at NIST because they help fund some of its projects, including studies on the accuracy of facial recognition systems and a database of cybersecurity vulnerabilities. “We’re worried about staffing, funding at every research agency in the federal government,” says the science committee staffer.

Earlier this month, California representative Zoe Lofgren, the top Democrat on the Republican-controlled House science committee, and her colleagues sent letters to the heads of several agencies including NIST and National Aeronautics and Space Administration demanding transparency about DOGE activities.

“While NIST does not conduct classified research, its cutting edge work in topics such as AI, quantum sensors and clocks, and semiconductors are world-class, and improper exfiltration to non-secure servers would be a boon for our adversaries,” stated the letter last week to NIST Acting Director Craig Burkhardt. It demanded a response from him by February 18; as of February 19, there had been none, according to Lofgren’s office.

The letter also raised concern about Musk’s potential conflicts of interest at NIST, given the intimate dealings between the AI Safety Institute and his competitors. Representative Auchincloss, who has studied NIST’s biology projects, expressed concern about Musk potentially gaining an unfair advantage and compromising safety by influencing standards that affect his Neuralink brain implant venture.

NIST was originally created in 1901 to help the US science and engineering industries establish scientific norms in areas like measurement. In coordination with the US Naval Observatory, the agency is also responsible for building and maintaining the country’s most accurate atomic clocks. Overall, NIST currently employs about 3,400 scientists, engineers, and technicians, according to its website.

Project 2025, an informal plan for the Trump administration crafted by the Heritage Foundation, an influential right-leaning think tank, called for consolidating the research work currently spread across NIST and other agencies and ensuring that it “serves the national interest in a concrete way in line with conservative principles.”

_Additional reporting by Andrew Couts, Kate Knibbs, and Louise Matsakis._

The National Institute of Standards and Technology Braces for Mass Firings

Google enables marketers to target people with serious illnesses and crushing debt—against its policies—as well as the makers of classified defense technology, a WIRED investigation has found.

A WIRED investigation into the inner workings of Google’s advertising ecosystem reveals that a wealth of sensitive information on Americans is being openly served up to some of the world’s largest brands despite the company’s own rules against it. Experts say that when combined with other data, this information could be used to identify and target specific individuals.

Display & Video 360 (DV360), one of the dominant marketing platforms offered by the search giant, is offering companies globally the option of targeting devices in the United States based on lists of internet users believed to suffer from chronic illnesses and financial distress, among other categories of personal data that are ostensibly banned under Google’s public policies.

Other lists of American users accessible for a price across the platform raise serious national security concerns, experts say, as they reveal data brokers striving to isolate millions of mobile devices carried by government workers—from US judges and military service members to executive agency staff and employees on Capitol Hill.

First reviewed by WIRED, an internal spreadsheet obtained from a US-based data broker shows the DV360 platform currently hosting hundreds if not thousands of restricted or otherwise sensitive “audience segments,” each containing a large tranche of data that points to countless mobile devices and online profiles of people in the US. The segments are generated not by Google, but by DV360 customers who upload them to the system, where others can use them to target ads at specific audiences.

The data—first obtained by the Irish Council for Civil Liberties (ICCL), Ireland's oldest independent human rights body—reveals segments targeting hundreds of millions of device users based exclusively on health conditions, from chronic pain and menopause to, among others, fibromyalgia, psoriasis, arthritis, high cholesterol, and hypertension.

“As with other demand-side platforms, advertisers are able to upload audience lists to Display & Video 360, based either on their own first-party data or from segment providers,” says Erica Walsh, a Google spokesperson. “Our policies do not permit audience segments to be used based on sensitive information like employment, health conditions, financial status, etc.”

Despite this, numerous segments contained in the data are clearly targeted at households and businesses based purely on data suggesting they’re experiencing financial hardship—aiming, for instance, to help advertisers identify people who are in the process of bankruptcy or burdened by long-term debt.

Allison Bodack, another Google spokesperson, tells WIRED that when the company detects “non-compliant audience segments, we will take action.” Asked to explain why Google had not detected segments with descriptions such as “Individuals likely to have a Cardiovascular condition,” or “Parents of children likely to have a respiratory disease, like Asthma,” Bodack did not respond.

Segments accessible through DV360 that target Americans with asthma contain at least hundreds of millions of mobile IDs—among them, a list simply titled, “People who have asthma.” Hundreds of millions more were found on lists for no other reason than the fact that their users are believed to have diabetes. A vast number of devices and user profiles are spread out across lists that target users determined likely to need specific medications, including some controlled substances, such as Ambien. One list links more than 140 million mobile IDs to opioid usage, suggesting the users need relief from a common "opioid-induced" side effect.

Google did not respond when asked whether a data broker had violated its rules by offering advertisers access to a list of people “likely to have an Endocrine disorder.” (The company only stated that its policies “do not permit” such segments “to be used.”) Asked to explain whether it assigns any level of risk to audience segments that target US government employees working in national security jobs, or contractors with access to restricted US defense-related technologies, Google’s spokespeople did not respond.

Among a list of 33,000 audience segments obtained by the ICCL, WIRED identified several that aimed to identify people working sensitive government jobs. One, for instance, targets US government employees who are considered “decision makers” working “specifically in the field of national security.” Another targets individuals who work at companies registered with the State Department to manufacture and export defense-related technologies, from missiles and space launch vehicles to cryptographic systems that house classified military and intelligence data.

Sources with firsthand knowledge of Google’s platform, granted condition of anonymity to protect against retaliation on the job, confirmed the segments were actually accessible to Google’s ad buyers. Unlike Google Ads, which is free and typically used by individuals and small businesses, DV360 is a paid platform primarily aimed at companies that spend over $50,000 in ad buys per month. Google’s DV360 partners include the likes of Disney and NBCUniversal.

“This is exactly the kind of seemingly obscure data that would pique a foreign adversary's interest,” says Justin Sherman, CEO of Global Cyber Strategies, and author of the upcoming book _Navigating Technology and National Security_. “It’s not necessarily held in every dataset, but it speaks to a medical condition, it speaks to use of a powerful drug, and it speaks to something that could potentially be exploited in an intelligence context.”

Over the last decade or so, online advertising has evolved to include technologies capable of “micro-targeting” individuals based on surveillance data gathered from a wide variety of sources. Users are grouped into “segments” by data brokers who aim to isolate individuals with the help of unique mobile identifiers—alphanumeric strings that are assigned to mobile devices and are widely shared across the advertising ecosystem. These mobile IDs are employed to not only track a user’s movements but their online habits, including which apps they use, and are regularly combined with “cookies” that track web browsing behavior and purchasing information.

While the purpose of mobile IDs and other ad-based identifiers is, ostensibly, to help shield users’ identities, it is no secret that when combined with other datasets, it can become trivial to re-identify people whose information has been “anonymized.”

A government report declassified by the US Office of National Intelligence in June 2023 notes that commercial data may be combined to “reverse engineer identities or deanonymize various forms of information.” Advisers to the nation’s top spy at the time, Avril Haines, added in the report: “In the wrong hands, sensitive insights gained through \[commercially available information\] could facilitate blackmail, stalking, harassment, and public shaming.”

Demonstrating the point, many data brokers that exist on the periphery of Google’s advertising exchange work to assist marketers by crafting complex dossiers on individual consumers, “enriching” anonymized profiles with information drawn from a range of public and government sources. Frequently this includes credit card transactions, social media posts, bankruptcy filings, vehicle registration records, employment records, and hoards of web tracking data quietly amassed from websites, apps, and IoT devices.

With such access, data brokers aim to craft customized lists of potential targets, such as people who have “careers in the armed forces” and enjoy “gambling in general,” or those who are an “active conservative voter” likely to “participate in a civil protest,” according to the ICCL-provided data.

The manner in which the data was originally acquired by the ICCL provides a quintessential example of the ease with which rival foreign intelligence agencies can gain access to Americans’ data with minimal effort. Johnny Ryan, director of Enforce, ICCL’s investigative branch, says he was surprised by how easy the access came. “I was prepared for a complex process that would test my cover story,” he says, “but when I signed up there was no questions asked whatsoever.”

To gain access to the data broker’s segments, Ryan created a website for a fake “data analytics” firm. The “company” isn’t registered anywhere officially, but exists solely as a handful of web pages. On them, Ryan placed an image of a Russian soldier, apparently in the midst of combat, alongside a map of Ukraine. The firm’s work is vaguely described as helping “select clients” obtain “real-time” awareness of “targets” in the field. Ryan used this implausible cover while approaching data brokers based in the US.

“I could have been anybody,” he says.

To protect the integrity of ongoing research, WIRED agreed to delay identifying any data brokers being monitored by the ICCL.

Ryan’s research into ad-tech abuse informed a Federal Trade Commission lawsuit brought in 2024 against Mobilewalla, a data broker that, the FTC claims, widely offered access to segments used “specifically” to target “pregnant women and young mothers,” while also selling mobile IDs that tracked people visiting medical facilities and domestic abuse shelters. (Similarly, WIRED identified segments in the ICCL’s data that linked millions of mobile devices to expectant mothers, as well as more than 140 lists that referenced a “propensity” for “disease.” Fifty-one million mobile IDs belong to a segment aimed specifically at women likely to lack preventive care.)

According to the FTC government complaint, Mobilewalla collected more than 183 million mobile IDs in 2021 alone. Between 2018 and 2020, the company sourced roughly 60 percent of its data directly from real-time bidding (RTB) exchanges, marketplaces where advertisers compete for online ad space in lightning-fast auctions.

A complaint filed by Enforce and the Electronic Privacy Information Center (EPIC) last month urges the FTC to launch an investigation into whether Google’s RTB tools have allowed sensitive data to be made available to foreign adversaries—information that Ryan, along with other experts, says includes vast troves of personal data tied to “active military, intelligence personnel, and key leaders.”

Many of the conditions, behaviors, and traits reflected in the data, such as a likelihood of financial debt, propensity for high alcohol use, and certain medical conditions, are criteria that can adversely affect a federal employee’s eligibility to access classified information—illustrating the potential of its use for blackmail purposes.

EPIC and Enforce allege that Google both “directly” and “indirectly” provides foreign adversaries, including China, with “extraordinarily sensitive” commercial data concerning “America’s leaders and sensitive defense personnel,” while pointing the finger at Google as the predominant commercial entity behind a vast and widely ignored “national security crisis.”

“Google’s purported self-regulation cannot protect us,” says EPIC senior counsel Sara Geoghegan, whose complaint points to restrictions on data broker deals cemented last year under a new federal law, the Protecting Americans’ Data from Foreign Adversaries Act (PADFAA). According to Geoghegan, Google’s advertising tools pose a unique national threat, one that Congress has specifically charged the FTC with eliminating.

Google’s spokesperson Erica Walsh denies any wrongdoing on the part of the company, saying that, for instance, while Google’s ad exchanges continue to accept business from Chinese companies, it has long since ceased sharing data with Russian entities. Last year, she says, Google introduced a new system designed to identify companies with ties to China in order to restrict the types of information they receive about US consumers. “This means we never share data tied to a specific user in the US for bid requests to those known entities,” she says.

While the FTC has yet to introduce any cases based on PADFAA—and also declined to comment for this story—the law notably extends far beyond data that is merely “tied to a specific user.” Google and other US companies are now forbidden under law from providing companies with ties to hostile nations with any information that, no matter how anonymized, can be tied back to a specific user when combined “with other data.”

China is reported to have the world’s largest security and intelligence apparatus, employing a veritable army of hackers that have spent decades infiltrating US corporations and agencies to steal data, most recently compromising at least 11 of the nation’s telecommunications networks.

“It would be a joke for the Chinese government to link a mobile ad ID to a person's name,” says Sherman of Global Cyber Strategies.

Walsh notes that under Google’s new rules, mobile IDs are automatically stripped from RTB data served to Chinese entities. Along with other identifiers, Google also redacts the location data of devices being served the ads, limiting what Chinese companies can see to the name of a city. Google will provide the URL of a web page or the name of an app that an American is using, it says, but only in real time.

To ensure compliance, Walsh says, Google employs an independent company to “regularly” audit its authorized RTB buyers. Google declined to reveal more about the audits, but its public documentation suggests they are conducted at Google’s expense, “no more than once during each 12 month period.”

Zach Edwards, a longtime advertising-industry researcher and senior threat researcher at cybersecurity firm Silent Push, says Google’s efforts to limit the flow of data to China may ultimately have little effect. When a company wins a bid and its ad is served on a web page, he says, it becomes possible to acquire much of the same data that Google preemptively redacts, including a user's full IP address and detailed information about the device they are using. Chinese hackers have reportedly used this technique in the past to execute malicious code on millions of users’ devices—a threat known as “malvertising.”

“Redacting the bid request is totally moot,” Edward says. “If you take tens of millions of dollars from Chinese advertisers and don’t blink at them buying every impression, they outbid everyone and are able to get on the page.” According to recent reports, Chinese companies are spending “huge sums” on ads targeting US consumers, netting major profits for Meta, X, YouTube, and similar Silicon Valley firms that dominate the digital advertising market. In a February 2024 earnings call, Meta said that “China-based advertisers represented 10 percent of our overall revenue” for 2023, which totaled $133 billion.

“Even if Google were to change its practices and only initially broadcast RTB data to entities in the United States,” EPIC’s complaint says, the data would “inevitably” fall into foreign actors’ hands. “Google has no way to control what happens to the data that it broadcasts so freely,” it alleges. This was also the contention of the organization that develops technical standards for the advertising industry. Known as the Interactive Advertising Bureau (IAB), the organization acknowledged in 2018 that there is “no technical way to limit the way data is used after the data is received by a vendor.”

Foreign actors and private surveillance firms have been caught routinely exploiting RTB systems by creating shell advertising companies in order to access bid-stream data: information on users broadcast between the demand and supply sides of an RTB auction. In 2022, Adalytics, a digital ad analysis firm, published a report alleging that Google was sharing RTB data with RuTarget, an ad-tech firm owned by Russia’s largest state bank; activity that Google says it ceased in response. In 2023, Bloomberg reported that, by operating its own demand-side platform, an Israeli surveillance company called Rayzone had gained direct access to Google’s RTB data.

Last year, 404 Media reported on another Israeli tool called Patternz that was for leveraging access to Google’s system in the same manner.

Senator Ron Wyden of Oregon, who has authored legislation that would ban federal agencies from buying data that normally requires a warrant, says the fact that Google’s platform provides overseas companies access to any personal data on military and intelligence personnel is an “outrageous practice.” “Federal regulators should throw the book at Google,” he believes, “and cut off the company from federal contracts until it stops exposing our troops to harm.”

Internal Google communications cited by EPIC and Enforce reveal a historical reluctance by Google to take practical steps to remedy the problem, despite company leaders internally acknowledging the risk. A 2014 exchange, first revealed during a federal antitrust case two years ago, shows one senior executive acknowledging the “difficulty in figuring out what buyers are actually doing with the data we're sending.”

The remark prompted another executive to inquire as to what the “financial impact” may be of actually addressing the problem.

In another document, from late 2021, Google’s chief marketing officer, Lorraine Twohill, advises CEO Sundar Pichai to move the company away from real-time bidding, telling him: “Users point to our ads as THE reason why they can't trust Google and why they think we sell their personal information to 3rd parties.”

Twohill’s letter—sent on International Data Privacy Day—makes clear her opinion of Google’s advertising practices: “real time bidding on user data = bad,” she writes, before signing off, “Your privacy obsessed pal.”

Google Ad-Tech Users Can Target National Security ‘Decision Makers’ and People With Chronic Diseases

A malware campaign distributing the XLoader malware has been observed using the DLL side-loading technique by making use of a legitimate application associated with the Eclipse Foundation.
"The legitimate application used in the attack, jarsigner, is a file created during the installation of the IDE package distributed by the Eclipse Foundation," the AhnLab SEcurity Intelligence Center (ASEC)

Cybercriminals Use Eclipse Jarsigner to Deploy XLoader Malware via ZIP Archives

The continent faces "relentless" military espionage, and increased cyber sabotage at the hands of authoritarian regimes, according to a high-ranking intelligence director.

Source: Christophe Coat via Alamy Stock Photo

Australian intelligence is projecting that foreign nations will increasingly attempt to sabotage its country's critical infrastructure.

On Feb. 19, Mike Burgess, director-general of security in charge of the Australian Security Intelligence Organisation (ASIO), delivered an annual threat assessment encompassing the many national security threats facing Australia. Among the most important, he noted, are the ways in which foreign threat actors are weaponizing artificial intelligence (AI)-enabled disinformation and deepfakes, military espionage, and attacks against critical infrastructure that could cause damage to the military, government, and social cohesion.

"ASIO's report reflects an increasingly combative international relations environment, increasing competition between great powers, and Australia's position in all of this — one which is both strategically critical and geographically fragile," Bugcrowd founder Casey Ellis says. "Critical infrastructure is the primary target \[of nation-states\] in the cyber domain. Eleven percent of cybersecurity incidents in the past year in Australia have focused on critical infrastructure, with mounting evidence of adversaries positioning themselves for opportunistic strikes in a way that mirrors tactics observed targeting the US."

**Threats to Australia's Military and Civilians**

Burgess has now made six threat assessments since taking office in 2019, but none quite like his latest. "I think it's fair to say it's the most significant, serious, and sober address so far," he said on Wednesday.

Of the cyber threats to the country, Burgess highlighted a few primary areas of concern.

First, the power that AI gives to malicious governments and criminal threat actors. "Artificial intelligence will enable disinformation and deepfakes that can promote false narratives, undermine factual information, and erode trust in institutions," he explained. "Espionage and foreign interference will be enabled by advances in technology, particularly artificial intelligence and deeper online pools of personal data vulnerable to collection, exploitation, and analysis by foreign intelligence services."

AI has been a source of increasing concern around data collection for years. Major Silicon Valley companies have had no reticence in training their models on unauthorized data around the Web, a practice made even more worrying now that the latest chatbot comes from an authoritarian state.

Burgess also spoke of "greater threats" against Australia's military. "Defence personnel are being targeted in person and online. Some were recently given gifts by international counterparts. The presents contained concealed surveillance devices," he said. He went on to describe the trilateral security partnership between Australia, the UK, and the US (AUKUS) as "a priority target for intelligence collection, including by countries we consider friendly. ASIO has identified foreign services seeking to target AUKUS to position themselves to collect on the capabilities, how Australia intends to use them, and to undermine the confidence of our allies."

**Foreign Nations Eye AUS Critical Infrastructure**

ASIO also assessed that "authoritarian regimes are growing more willing to disrupt or destroy critical infrastructure to impede decision-making, damage war-fighting capabilities, and sow social discord."

Burgess pointed to Russia's war in Ukraine as an obvious case study in how governments can sabotage critical infrastructure to cause both physical and cyber consequences. And it's not like the threat to Australia's infrastructure is merely theoretical, either.

"Cyber units from at least one nation state routinely try to explore and exploit Australia’s critical infrastructure networks, almost certainly mapping systems so they can lay down malware or maintain access in the future," Burgess said. "We recently discovered one of those units targeting critical networks in the US. ASIO worked closely with our American counterpart to evict the hackers and shut down their global accesses, including nodes here in Australia."

Even in times without war, he warned, "foreign regimes are expected to become more determined to, and more capable of, pre-positioning cyber access vectors they can exploit in the future."

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

Australian Critical Infrastructure Faces 'Acute' Foreign Threats

DOGE technologists Edward Coristine—the 19-year-old known online as “Big Balls”—and Kyle Schutt are now listed as staff at the Cybersecurity and Infrastructure Security Agency.

Edward Coristine, a 19-year-old engineer with Elon Musk’s so-called Department of Government Efficiency (DOGE) known as “Big Balls,” is now on staff at the Cybersecurity and Infrastructure Security Agency (CISA), WIRED has confirmed. He is joined by another member of the DOGE team, 38-year-old software engineer Kyle Schutt, who is now also on the CISA staff, according to a government source.

CISA referred WIRED to the Department of Homeland Security (DHS), of which it’s a component agency, when reached for comment. DHS did not immediately reply to a request for comment.

Coristine—briefly an intern for Musk’s brain-computer interface company, Neuralink, as WIRED has reported—has been working his way through numerous federal agencies and departments as a DOGE operative since January. He has been tracked at the General Services Administration (GSA), the Office of Personnel Management, the State Department, and FEMA. At State’s Bureau of Diplomatic Technology, he potentially had access to systems containing sensitive information about diplomats and many sources and spies around the world who provide the U.S. government with intelligence and expertise.

As the journalist Marisa Kabas was first to report, he has now moved to CISA, a division of DHS. He is listed in the staff directory as a senior advisor.

A second DOGE worker, Schutt, has also joined Coristine at CISA. Schutt has reportedly also been at the GSA. Prior to his work with DOGE, he worked on the launch of WinRed, a fundraising platform for Republicans that helped the party raise $1.8 billion during the 2024 election campaigns.

It’s not clear yet what level of access Coristine might have to data and networks at CISA, but the agency, which is responsible for the defense of civilian federal government networks and works closely with critical infrastructure owners around the country, stores a lot of sensitive and critical security information on its networks. This includes information about software vulnerabilities, breaches, and network risk assessments conducted for local and state election offices. Since 2018, CISA has helped state and local election offices around the country assess vulnerabilities in their networks and help secure them. CISA also works with the Federal Bureau of Investigation and the National Security Agency to notify victims of breaches and process information about software vulnerabilities before the information becomes public.

Coristine, as WIRED has previously reported, worked briefly in 2022 for Path Network, a network monitoring firm known for hiring reformed blackhat hackers. According to security journalist Brian Krebs, an account once associated with him was also previously linked with a loosely-formed cybercriminal community known as The Com, whose members have been responsible for various hacking operations in the last few years, including the hack of numerous Snowflake accounts. Coristine has not been associated with the Snowflake breaches, but as WIRED has reported, an account that has been associated with him did appear to suggest the owner of the account was seeking help to conduct a Distributed Denial of Service attack—a criminal technique that involves launching extensive traffic at a domain to disable it and prevent legitimate traffic from reaching it. Krebs also reported that Path had fired Coristine for allegedly leaking internal company documents to a competitor.

The Washington Post reported last week that Coristine had been assigned to the DHS as a senior advisor, but didn’t indicate what part of the sprawling agency he had joined.

“What’s the point of fighting cybercrime if we’re just going to give access for government networks to people with cybercriminal gang affiliations?” says a cybersecurity researcher who tracks cybercriminal groups.

DOGE Now Has Access to the Top US Cybersecurity Agency

These sorts of attacks reveal growing adversary interest in secure messaging apps used by high-value targets for communication, Google says.

Source: aily\_creativity via Shutterstock

Multiple Russia-aligned threat groups are actively targeting the Signal Messenger application of individuals likely to exchange sensitive military and government communications related to the country's war with Ukraine.

For now, the activity appears limited to persons of interest to Russia's intelligence services, according to researchers at Google's Threat Intelligence Group (GTIG), who spotted it recently. But the tactics the threat actors are using in the campaign could well serve as a blueprint for other groups to follow in broader attacks on Signal, WhatsApp, Telegram, and other popular messaging apps, GTIG warned in a blog post this week.

**Likely to Become More Prevalent**

"We anticipate the tactics and methods used to target Signal will grow in prevalence in the near-term and proliferate to additional threat actors and regions outside the Ukrainian theater of war," Google threat analyst Dan Black wrote in the post.

Two of the Russian cyber-espionage groups that Google observed targeting Signal are UNC5792 — a threat actor that Ukraine's CERT tracks as UAC-0195 — and UNC4221 (aka UAC-0185). The goal of the attackers in both cases is to trick targeted victims into unknowingly linking their Signal account to an attacker-controlled device so any incoming messages are simultaneously available on the linked device.  

The attacks are taking advantage of "linked devices," a feature of the Signal app that allows users to securely connect and synchronize their account across multiple devices. However, the tactics that each threat group uses to get targets to unwittingly link their accounts have been slightly different.

UNC5782's ploy has been to send invitations asking targeted individuals to join a Signal group by sharing a malicious QR code with them. While the invitations look identical to Signal's group invite, the threat actors have modified them so that anyone social-engineered into scanning the QR code ends up linking their account to a UNC592-controlled device instead.

The other threat group, UNC4221, is using a customized phishing kit that impersonates parts of Kropyva, an application that Ukraine's military uses for artillery guidance, to try and social-engineer Signal Messenger users of interest. The threat actor has established Kropyva-themed phishing sites with the QR code directly embedded on them. It has also set up phishing sites pretending to contain legitimate Signal instructions for device linking to encourage scam victims into scanning their malicious QR code.

**Broad Threat Actor Interest**

Google identified UNC4221 and UNC5782 as two of several Russian and Belarusian groups that are targeting Signal Messenger to spy on persons of interest. Not all attacks by UNC4221 and UNC578 have involved device linking. Russia's infamous Sandworm cyber-sabotage group (which Google tracks as APT44) has been stealing Signal messages from a target's Signal database or local storage files, using a combination of malware tools. Similarly, Turla, a threat actor that the US government has tied to Russia's Federal Security Service (FSB), is doing the same using a lightweight PowerShell script that it deploys after gaining access to a target environment. Another threat actor from the region targeting Signal Messenger, according to Google, is Belarus-linked UNC1151, which uses the Robocopy Windows file-copying tool to copy and store Signal messages and attachments for future theft.

The flurry of activity targeting Signal is a sign of broader attacker interest in secure messaging apps used by those in espionage and intelligence gathering, including politicians, military personnel, activists, privacy advocates, and journalists. The apps' security features, which include end-to-end encryption of text, voice, and video with minimal data collection practices, have made it a popular tool for at-risk individuals and communities. It has also made the app "a high-value target for adversaries seeking to intercept sensitive information that could fulfill a range of different intelligence requirements," Google's Black wrote.

Signal is not the only target. Russian groups have also targeted Telegram and WhatsApp users in the same way, Black said. He pointed to a recent Microsoft report on attacks by Russian group Star Blizzard (aka Coldriver, Blue Charlie, Callisto, and UNC4057) that targeted WhatsApp accounts belonging to current and former government officials and diplomats.

Significantly, attacks targeting WhatsApp can affect businesses as well. Although WhatsApp — like Signal, Telegram and other messenger apps — is primarily consumer-focused, numerous businesses worldwide use the app. WhatsApp even has a business version that it has positioned as a tool that businesses can use to engage with customers, accelerate sales, and deliver customer support.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Russian Groups Target Signal Messenger in Spy Campaign

Is your Signal, WhatsApp, or Telegram account safe? Google warns of increasing attacks by Russian state-backed groups. Learn…

Is your Signal, WhatsApp, or Telegram account safe? Google warns of increasing attacks by Russian state-backed groups. Learn how they’re stealing messages and what you can do to defend yourself.

Russian state-backed actors are increasingly targeting secure messaging applications like Signal to intercept sensitive communications, reveals a recent report by Google’s Threat Intelligence Group. These groups, often aligned with Russian intelligence services, are focusing on compromising accounts used by individuals of interest, including military personnel, politicians, journalists, and activists. While the initial focus appears to be related to the conflict in Ukraine, researchers believe that these tactics will spread to other regions and threat actors.  

A primary method employed by these actors in this campaign involves exploiting the “linked devices” feature of Signal. By using phishing techniques, they trick users into scanning malicious QR codes, which then secretly link the victim’s account to a device controlled by the attacker. This allows the attacker to receive all messages in real-time, effectively eavesdropping on conversations without needing to compromise the entire device.

These malicious QR codes are often disguised as legitimate Signal resources, such as group invites, security alerts, or even device pairing instructions. In some cases, they are incorporated into phishing pages designed to mimic specialized applications, such as those used by the Ukrainian military.

The screenshot shows a Signal app phishing site and one of the malicious QR codes used in the attack (via Google).

In some cases, malicious QR codes are used in close-access scenarios, such as when Russian military forces capture devices on the battlefield.  This method lacks centralized monitoring and can go unnoticed for extended periods, which makes it hard to detect.

One group, identified as UNC5792 (also known as UAC-0195), has been observed modifying legitimate Signal group invite links. These altered links redirect victims to fake pages that initiate the unauthorized linking of their devices to the attacker’s control. The phishing pages are designed to closely resemble official Signal invites, making detection challenging. 

Another group, UNC4221 (UAC-0185), has targeted Ukrainian military personnel by embedding malicious QR codes within phishing sites that mimic artillery guidance applications. They have also used fake Signal security alerts to deceive victims. 

Beyond phishing, APT44 (Sandworm) utilizes malware and scripts to extract Signal messages from compromised Windows and Android devices. Their WAVESIGN script retrieves recent messages, while Infamous Chisel malware searches for Signal database files on Android devices.  

Other groups, like Turla and UNC1151, target the desktop application, using scripts and tools to copy and exfiltrate stored messages. UNC4221 has also used a JavaScript payload called PINPOINT to gather user information and geolocation data.

The popularity of secure messaging apps makes them prime targets for adversaries and other platforms, such as WhatsApp and Telegram, are also facing similar threats.

“The operational emphasis on Signal from multiple threat actors in recent months serves as an important warning for the growing threat to secure messaging applications that is certain to intensify in the near-term,” researchers warned.

Therefore, users are advised to stay cautious. It is important to use strong screen locks with complex passwords, keep operating systems and apps updated, and ensure Google Play Protect is enabled. Regularly auditing linked devices, exercising caution with QR codes and links, and enabling two-factor authentication are also recommended. iPhone users at high risk should consider enabling Lockdown Mode.

Tag

#intel