Like its predecessor, SparkCat, the new malware appears to be going after sensitive data — such as seed phrases for cryptocurrency wallets — in device photo galleries.

SparkKitty Swipes Pics From iOS, Android Devices

Meta Platforms on Wednesday announced that it's adding support for passkeys, the next-generation password standard, on Facebook.
"Passkeys are a new way to verify your identity and login to your account that's easier and more secure than traditional passwords," the tech giant said in a post.
Support for passkeys is expected to be available "soon" on Android and iOS mobile devices. The feature is

Meta Adds Passkey Login Support to Facebook for Android and iOS Users

Learn how the North Korean-aligned Famous Chollima is using the a new Python-based RAT, "PylangGhost," to target cryptocurrency and blockchain jobseekers in a campaign affecting users primarily in India.

Wednesday, June 18, 2025 06:00

*   In May 2025, Cisco Talos identified a Python-based remote access trojan (RAT) we call “PylangGhost,” used exclusively by a North Korean-aligned threat actor. PylangGhost is functionally similar to the previously documented GolangGhost RAT, sharing many of the same capabilities. 
*   In recent campaigns, the threat actor Famous Chollima — potentially made up of multiple groups — has been using a Python-based version of their trojan to target Windows systems, while continuing to deploy a Golang-based version for MacOS users. Linux users are not targeted in these latest campaigns. 
*   The attacks are targeting employees with experience in cryptocurrency and blockchain technologies. 
*   Based on open-source intelligence, only a small number of users, predominantly in India, are affected. Cisco product telemetry does not indicate that there are any affected Cisco users. 

Since mid-2024, the threat actor group Famous Chollima (aka Wagemole), a North Korean-aligned threat actor, has been very active through several well-documented campaigns. These campaigns include using variants of Contagious Interview (aka DeceptiveDevelopment) and creating fake job advertisements and skill-testing pages. In the latter, users are instructed to copy and paste (ClickFix) a malicious command line in order to install drivers necessary to conduct the final skill-testing stage.  

Toward the end of the year, researchers documented Famous Chollima’s remote access trojan (RAT) called “GolangGhost” in its source code format, which was frequently used as the final payload in the threat actor’s ClickFix campaigns. 

In May 2025, Cisco Talos discovered threat actors starting to deploy a functionally equivalent Python variant of GolangGhost trojan, which we call “PylangGhost.” 

**Fake job interview sites mislead users to PylangGhost infection **

Famous Chollima seek financial benefit using a two-pronged approach: first, by creating fake employers for the purpose of jobseekers exposing their personal information, and second by deploying fake employees as workers in targeted victim companies.  

This blog focuses on the first method, where real software engineers, marketing employees, designers and other workers are targeted by fake recruiters and instructed to visit skill-testing pages in order to move forward with their application. 

Based on the advertised positions, it is clear that the Famous Chollima is broadly targeting individuals with previous experience in cryptocurrency and blockchain technologies. The skill-testing sites attempt to impersonate real companies such as Coinbase, Archblock, Robinhood, Parallel Studios, Uniswap and others, which helps with the targeting.  

Figure 1. Examples of initial fake job sites.

Each target is sent an invite code to visit a testing website where, depending on the position, they are instructed to enter their details and answer several questions to test their experience and skills. The sites are created using the React framework and have very similar visual designs, no matter the type of position.  

__Figure 2. Example of questions asked for an illegitimate Business Development Manager position at Robinhood.__

Once the user answers all the questions and provides personal details, the site displays an invitation to record a video for the interviewer, recommending that the user request camera access by pressing a button. 

__Figure 3. A camera setup page displayed once questions are answered.__

Finally, when the user requests camera, the site displays the instructions for the user to copy, paste and execute a command to allegedly install the required video drivers, if the OS is supported. When Talos used Windows and MacOS test systems, the instructions were shown as seen in Figure 4 and 5. The Linux test system led to another error message, without any instructions to download and install the payload.  

Figure 4. Windows instructions to copy, paste and execute a malicious command. 

Figure 5. MacOS instructions to copy, paste and execute a malicious command. 

Instructions for downloading the alleged fix are different based on the browser fingerprinting, and also given in appropriate shell language for the OS: PowerShell or Command Shell for Windows, and Bash for MacOS.

__Figure 6. Command Shell, PowerShell or Bash instructions to download a payload.__

**PylangGhost - Python variant of GolangGhost **

As the Golang variant of the RAT is already well-documented, this blog focuses on the Python version and the similarities between the two. The initial stage consists of a command line which the fake webpage tells the unsuspecting user to copy, paste and execute. 

The command line uses either PowerShell Invoke-Webrequest or curl to download a ZIP file containing the PylangGhost modules as well as Visual Basic Script file. This script is responsible for unzipping the Python library stored in the “lib.zip file” and launching the trojan by running a renamed Python interpreter using the file “nvidia.py” as the Python program to run. 

Figure 7. The first stage simply unzips a Python distribution library and launches the RAT. 

 PylangGhost consists of six well-structured Python modules. It is not clear to Talos why the threat actors decided to create two variants using a different programming language, or which was created first. Based on the comments in the code, it is unlikely that the threat actors used a large language model (LLM) to help rewrite the code for Python. One of the strings in the configuration module file (“config.py”) indicates that the Python version is 1.0, while the appropriate configuration variable in the Golang version indicates that the version is 2.0. However, Talos cannot definitively conclude that those two version numbers are comparable. 

 The execution starts with the file “nvidia.py”, which performs several tasks: It creates a registry value to launch the RAT every time user logs onto the system, generates a GUID for the system to be used in communication with command and control (C2) server, connects to the C2 server and enters the command loop for communication with the server.  

__Figure 8. ”nvidia.py” executes the main loop for communication with the C2 server__

 The configuration file “config.py” specifies the commands that can be received from the server, which are identical to the commands previously documented in the Golang version of the RAT. These commands enable remote control the infected system and the theft of cookies and credentials from over 80 browser extensions, including password managers and cryptocurrency wallets, including Metamask, 1Password, NordPass, Phantom, Bitski, Initia, TronLink and MultiverseX. 

The command handling module, “command.py”, defines function handlers and handles the commands received from the C2 server.  

Command 

Functionality 

qwer 

COMMAND\_INFORMATION - collect information about the infected system, username, OS version etc 

asdf 

COMMAND\_FILE\_UPLOAD - file upload 

zxcv 

COMMAND\_FILE\_DOWNLOAD - file download 

vbcx 

COMMAND\_OS\_SHELL - launch an OS shell for remote access and control of the infected system 

ghdj 

COMMAND\_WAIT - sleep for a number of seconds specified by the C2 server 

r4ys 

COMMAND\_AUTO - browser information stealing command 

89io 

AUTO\_CHROME\_GATHER\_COMMAND - subcommand of the browser information stealer command 

gi%# 

AUTO\_CHROME\_COOKIE\_COMMAND - subcommand of the browser information stealer command 

dghh 

COMMAND\_EXIT 

_Table 1. Commands and functionalities._

The module “auto.py” contains the functionality for stealing the stored browser credentials and session cookies, as well as collecting data from various browser extensions.  

“Api.py” is responsible for implementing the communications protocol with the C2 server, using RC4 encryption to encrypt packets over otherwise unencrypted HTTP used while communicating with the C2 server. The data in a HTTP packet is encrypted with RC4 algorithm, but the encryption key is also sent within the packet structure. The packet begins with 16 bytes of MD5 checksum for the rest of the packet, for verification of data integrity, followed by 128 bytes containing the RC4 encryption key, followed by an encrypted data blob.  

Finally, “util.py” handles the compression and decompression of files. 

**Comparison of Python and Golang modules **

To assess the similarity between the two versions, Talos compares the names of the modules written in different languages as well as their functionality. The structure, the naming conventions and the function names are very similar, which indicates that the developers of the different versions either worked closely together or are the same person.   

Module 

Python name 

Golang name 

Main function module 

nvidia.py 

cloudfixer.go 

Configuration module 

config.py 

config/constans.go 

Main command loop 

nvidia.py 

core/loop.go 

Command handlers 

command.py 

core/loop.go 

Browser Stealer functionality 

auto.py 

auto/\* modules 

File compression 

util.py 

util/compress.go 

Base64 message encoding 

command.py 

command/stackcmd.go 

Duplicate process check 

nvidia.py 

instance/check.go 

Communications protocol 

api.py 

transport/htxp.go 

_Table 2. Comparison of Python and Golang RAT module names._ 

**Coverage  **

Ways our customers can detect and block this threat are listed below.  

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.  

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.  

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.  

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.  

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.  

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles.  Secure Access provides seamless transparent and secure access to the internet, cloud services or private application no matter where your users work.  Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access.  

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.   

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.   

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.  

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.   

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.  

ClamAV detections available for this threat:

Win.Backdoor.PyChollima-10045389-0
Win.Backdoor.PyChollima-10045388-0
Win.Backdoor.PyChollima-10045387-0
Win.Backdoor.PyChollima-10045386-0
Win.Backdoor.PyChollima-10045385-0
Win.Backdoor.PyChollima-10045384-0

**IOCs **

The IOCs can also be found in our GitHub repository here.

**SHA256 **

a206ea9b415a0eafd731b4eec762a5b5e8df8d9007e93046029d83316989790a - auto.py  
c2137cd870de0af6662f56c97d27b86004f47b866ab27190a97bde7518a9ac1b - auto.py  
0d14960395a9d396d413c2160570116e835f8b3200033a0e4e150f5e50b68bec - api.py 
8ead05bb10e6ab0627fcb3dd5baa59cdaab79aa3522a38dad0b7f1bc0dada10a - api.py 
5273d68b3aef1f5ebf420b91d66a064e34c4d3495332fd492fecb7ef4b19624e - nvidia.py 
267009d555f59e9bf5d82be8a046427f04a16d15c63d9c7ecca749b11d8c8fc3 - nvidia.py 
7ac3ffb78ae1d2d9b5d3d336d2a2409bd8f2f15f5fb371a1337dd487bd471e32 - nvidia.py 
b7ab674c5ce421d9233577806343fc95602ba5385aa4624b42ebd3af6e97d3e5 - util.py 
fb5362c4540a3cbff8cb1c678c00cc39801dc38151edc4a953e66ade3e069225 - util.py 
d029be4142fca334af8fe0f5f467a0e0e1c89d3b881833ee53c1e804dc912cfd - command.py 
b8402db19371db55eebea08cf1c1af984c3786d03ff7eae954de98a5c1186cee - command.py 
1f482ce7e736a8541cc16e3e80c7890d13fb1f561ae38215a98a75dce1333cee - config.py 
ed170975e3fd03440360628f447110e016f176a44f951fcf6bc8cdb47fbd8e0e - config.py 
929c69827cd2b03e7b03f9a53c08268ab37c29ac4bd1b23425f66a62ad74a13b - config.py 
127406b838228c39b368faa9d6903e7e712105b5ad8f43a987a99f7b10c29780 - config.py 
0ec9d355f482a292990055a9074fdabdb75d72630b920a61bdf387f2826f5385 - update.vbs 
c2d2320ae43aaa0798cbcec163a0265cba511f8d42d90d45cd49a43fe1c40be6 - update.vbs 
e7c2b524f5cb0761a973accc9a4163294d678f5ce6aca73a94d4e106f4c8fea4 - nvidiaRelease.zip 
28198494f0ed5033085615a57573e3d748af19e4bd6ea215893ebeacf6e576df - vdriverWin.zip 
fc71a1df2bb4ac2a1cc3f306c3bdf0d754b9fab6d1ac78e4eceba5c6e7aee85d - nvidiaRelease.zip 
d3500266325555c9e777a4c585afc05dfd73b4cbe9dba741c5876593b78059fd - nvidiaRelease.zip 

**C2 servers **

hxxp\[://\]31\[.\]57\[.\]243\[.\]29:8080 
hxxp\[://\]154\[.\]58\[.\]204\[.\]15:8080 
hxxp\[://\]212\[.\]81\[.\]47\[.\]217:8080 
hxxp\[://\] 31\[.\]57\[.\]243\[.\]190:8080

**Download host names **

api\[.\]quickcamfix\[.\]online   
api\[.\]auto-fixer\[.\]online   
api\[.\]quickdriverupdate\[.\]online   
api\[.\]camtuneup\[.\]online   
api\[.\]driversofthub\[.\]online   
api\[.\]drive-release\[.\]cloud   
api\[.\]vcamfixer\[.\]online   
api\[.\]nvidia-drive\[.\]cloud   
api\[.\]nvidia-release\[.\]us   
api\[.\]autodriverfix\[.\]online   
api\[.\]camdriversupport\[.\]com   
api\[.\]smartdriverfix\[.\]cloud   
api\[.\]drivercams\[.\]cloud   
api\[.\]camtechdrivers\[.\]com   
api\[.\]web-cam\[.\]cloud   
api\[.\]camera-drive\[.\]org   
api\[.\]nvidia-release\[.\]org 
api\[.\]fixdiskpro\[.\]online 
api\[.\]autocamfixer\[.\]online

**Fake job interview host names **

krakenhire\[.\]com  
yuga\[.\]skillquestions\[.\]com  
uniswap\[.\]speakure\[.\]com  
doodles\[.\]skillquestions\[.\]com  
www\[.\]hireviavideo\[.\]com  
kraken\[.\]livehiringpro\[.\]com  
quiz-nest\[.\]com  
www\[.\]smartvideohire\[.\]com  
www\[.\]talent-hiringstep\[.\]com  
provevidskillcheck\[.\]com  
skill\[.\]vidintermaster\[.\]com  
digitaltalent\[.\]review  
robinhood\[.\]ecareerscan\[.\]com  
evalswift\[.\]com  
livetalentpro\[.\]com  
quantumnodespro\[.\]com  
evalassesso\[.\]com  
parallel\[.\]eskillora\[.\]com  
coinbase\[.\]talentmonitoringtool\[.\]com  
uniswap\[.\]testforhire\[.\]com  
coinbase\[.\]talenthiringtool\[.\]com  
crosstheages\[.\]skillence360\[.\]com 
parallel \[.\] eskillprov \[.\] com 
assesstrack \[.\] com 
coinbase \[.\] talentmonitoringtool \[.\] com 
talent-hiringtalk\[.\]com 
uniswap\[.\]prehireiq\[.\]com 
fast-video-recording\[.\]com

Famous Chollima deploying Python version of GolangGhost RAT

WhatsApp has announced it will start showing its users targeted ads. Will this be yet another Meta "Pay or OK" choice?

WhatsApp has announced that it will start to show you targeted ads on the app. The ads, it says, will appear under the **Updates** tab.

WhatsApp launched the Updates tab a year ago, and now 1.5 billion people visit it every day. Updates has historically been a place for users to follow news and updates from their favorite companies, news organizations and celebrities. 

This is different to the **Chats** tab where users send and receive messages. Chats remain end-to-end encrypted and, according to Meta’s vice president for product management Nikila Srinivasan, will not display ads.

To determine your interests for ad purposes, WhatsApp says:

> “We’ll use limited info like your country or city, language, the Channels you’re following, and how you interact with the ads you see. For people that have chosen to add WhatsApp to Accounts Center, we’ll also use your ad preferences and info from across your Meta accounts.”

That means that anyone who has linked their Facebook or Instagram accounts with their WhatsApp account will now have that data used for ad targeting. This cross-platform integration feels like a significant invasion of privacy, especially for users who expected WhatsApp to remain more private than Facebook or Instagram.

The European privacy group NOYB (None Of Your Business) has already voiced concerns, warning that WhatsApp may soon adopt the same “Pay or OK” model as Facebook and Instagram to obtain the user consent that’s required under EU law.

With Meta’s “Pay or OK” system, users face a choice between two options nobody asked for: either pay a monthly subscription fee to avoid targeted ads and tracking, or accept extensive data collection and personalized advertising in exchange for free access. If you don’t want your data tracked, you must pay. If you don’t pay, you must accept tracking and profiling for ads.

Meta introduced this model in response to strict privacy regulations in Europe, especially the General Data Protection Regulation (GDPR), which requires companies to get clear, “freely given” consent from users before using their data for personalized ads.

In the past, Meta has argued that it had obtained a ruling of the Court of Justice of the European Union (CJEU) that accepted the subscription model as a valid form of consent for an ads funded service.

Meta also said its pricing was in line with those of ad-free services such as YouTube Premium and Spotify Premium. However, it conveniently forgot to consider that ad-free services are not the same as those that gather data about you and sell them to the highest bidder to create personalized ads.

WhatsApp built its reputation on privacy, with end-to-end encryption and minimal data collection. And, as privacy advocates feared, bringing it into the Meta “family” moved the platform away from its privacy-first roots.

Even if WhatsApp says it won’t read your messages, it can still use your usage patterns, contacts, and other metadata to build detailed profiles for advertisers. This increases the risk of data leaks, misuse, or surveillance.

**What can users do?**

A while back I asked whether it was a good idea to move from WhatsApp to Signal. With this new development, the question may be worth reconsidering.

If you’re on iOS 18, you can now allow WhatsApp to access only selected contacts instead of your entire address book. This reduces the amount of data WhatsApp can collect about your network.

On Android, you can technically use WhatsApp without granting access to your contacts, but you’ll need to manually start chats using wa.me links. Or, for convenience, you can use a third-party app that does the work for you.

WhatsApp frequently adds or changes privacy options, so revisit your settings periodically to maintain control.

If you can, disassociate your WhatsApp account from other Meta accounts you may have. Don’t use the same email address, handle, etc. You can remove your WhatsApp account from the Meta Accounts Center, but it is unclear whether Meta will “remember” the link if it once existed.

**We don’t just report on threats – we help protect your social media**

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Malwarebytes Identity Theft Protection.

 WhatsApp to start targeting you with ads 

Consider this: Berkshire Hathaway, Warren Buffett’s $700 billion conglomerate, operates one of the most influential investor websites on…

Consider this: Berkshire Hathaway, Warren Buffett’s $700 billion conglomerate, operates one of the most influential investor websites on the planet, utilizing HTML that predates YouTube, employing table-based layouts and single-color backgrounds that Buffett personally insists on keeping “simple.”

Craigslist processes over 2 billion page views monthly through an interface that hasn’t changed since 2000, deliberately rejecting modern design because founder Craig Newmark believes complexity reduces functionality. Meanwhile, IRS.gov receives 1.4 billion visits annually during tax season through a navigation system so convoluted that TurboTax built a $3 billion business simply by making tax filing less painful.

Healthcare.gov’s initial launch disaster in 2013, where a $400 million website could handle only six users simultaneously, still echoes in government procurement today. The UK’s Gov.uk, conversely, became a global model by ruthlessly prioritizing user needs over departmental politics, saving an estimated £4.1 billion annually through better digital design.

These contrasts reveal a fundamental truth: interface design isn’t cosmetic, it’s economic infrastructure that can make or break trillion-dollar markets.

The Rapid Rebuild Hackathon 2025, organized by Hackathon Raptors, challenged developers to tackle exactly these kinds of functional but frustrating digital experiences. Over 72 hours, twelve teams transformed everything from Berkshire Hathaway’s deliberately minimalist investor portal to revolutionary reimaginings of system-level BIOS interfaces, proving that sometimes the most impactful innovation comes not from building something new, but from fixing what already works, just barely.

****The Art of Digital Resurrection****

“The most impactful solutions don’t always come from building something entirely new,” explains the hackathon’s core philosophy. “Sometimes breakthrough innovation emerges from reimagining what already exists, using modern tools to transform crucial but neglected digital spaces.”

This approach proved prescient when examining the winning submissions. BIOSage, the grand prize winner, didn’t just modernize a website, it completely reimagined how users interact with system-level interfaces. The project integrated a locally hosted LLaMA 3.2 language model to provide offline diagnostics, transforming the traditionally static BIOS experience into an intelligent, multilingual system assistant.

“What sets BIOSage apart is its recognition that even the most fundamental computing interfaces can benefit from modern AI integration,” notes Anand Singh, Technical Lead at Meta and hackathon judge.

Singh’s extensive background in embedded systems and wireless communications, including work on OpenRAN and high-altitude platform systems, provided a unique perspective on the technical challenges of bringing AI to firmware-level interfaces.

Singh’s experience with low-power IoT networks and embedded optimization proved particularly relevant when evaluating BIOSage’s achievement in running complex language models locally without compromising system performance.

“The ability to provide intelligent diagnostics without internet connectivity addresses a critical gap in system administration,” he observed. “This isn’t just a UI improvement, it’s a fundamental advancement in how we approach system-level troubleshooting.”

****Quality Assurance in Rapid Development****

The compressed 72-hour timeline presented unique challenges for maintaining code quality while pushing innovation boundaries. This tension between speed and reliability became a crucial evaluation criterion, drawing heavily on the expertise of Yulia Drogunova, Senior QA Engineer at Raiffeisen Bank.

With over eight years of experience building effective testing processes for major financial institutions, including Raiffeisen Bank and VTB Bank, and her work with international companies such as Luxoft and Lineate, Drogunova brought a critical perspective to evaluating how teams managed quality under extreme time pressure.

“The most impressive projects weren’t just those with flashy features,” Drogunova explained during the evaluation process. “They were the ones that implemented proper testing methodologies even within hackathon constraints.”

Her experience implementing automated tests into CI/CD processes, which has increased development speed and reduced defects in production banking applications, informed her assessment of how teams structured their rapid development cycles.

Drogunova particularly highlighted the Smart Builders team’s approach to their Hacker News reimagining. “They demonstrated an understanding that accessibility testing isn’t an afterthought, it’s integral to the development process,” she noted, referencing their implementation of voice reader capabilities and keyboard navigation. This aligned with her experience in ensuring mobile banking applications meet accessibility standards across diverse user needs.

The winning projects consistently showed evidence of systematic testing approaches. Refreshify, the second-place winner, implemented comprehensive error handling for its AI-powered website transformation engine.

“Sanjay Sah’s team understood that when you’re processing arbitrary URLs and generating real-time previews, robust error handling isn’t optional,” Drogunova observed. Her background in both manual and automated testing for web-based applications informed her appreciation for the defensive programming techniques employed.

****Frontend Architecture Under Pressure****

The hackathon’s focus on user experience transformation highlighted the critical role of frontend architecture in delivering compelling user interfaces rapidly. Vladislav Krushenitskii, a senior front-end developer with over a decade of experience spanning complex management systems and international client projects, evaluated how teams leveraged modern frameworks to achieve maximum impact in the shortest time possible.

Krushenitskii’s background with the Russian Hack Team, a network of 30 elite developers known for exceptional hackathon performance, provided valuable context for assessing rapid development strategies. His experience implementing micro-frontend architectures at EPAM Systems and reducing page load times by 30% through optimized React and Redux implementations informed his evaluation criteria.

“The most successful teams understood that hackathon development isn’t about shortcuts, it’s about intelligent architectural decisions,” Krushenitskii explained. His assessment focused particularly on how teams balanced feature richness with maintainable code structure.

The Delbyte team’s BetterShire Hathaway project caught his attention for its thoughtful component architecture. “They implemented a modular design system that could scale beyond the hackathon scope,” he noted, drawing parallels to his work developing sophisticated management systems with complex components like dynamic trees and filters. “The subsidiary showcase section demonstrated an advanced understanding of data presentation patterns that I’ve seen take weeks to perfect in commercial projects.”

Krushenitskii’s experience with React Native and cross-platform development proved relevant when evaluating mobile-first approaches. Several teams, including the WhaleMatch redesign, implemented responsive design patterns that he recognized from his work on cinema and startup interfaces for clients in the USA and Norway.

“The teams that truly understood modern web development didn’t just make things look better, they fundamentally improved how information flows through the interface,” he observed.

****The Innovation Spectrum: From Extensions to Complete Rebuilds****

The diversity of technical approaches reflected different philosophies about innovation and user experience improvement. Projects ranged from browser extensions enhancing existing platforms to complete ground-up rebuilds, each presenting unique technical challenges and user experience opportunities.

The ReStyle Chrome extension demonstrated how targeted interventions could transform user experiences without requiring comprehensive platform rebuilds. BuildWithKT.dev’s approach to enhancing Stack Overflow’s interface through real-time theme customization showed a sophisticated understanding of browser extension architecture while addressing genuine usability concerns.

At the opposite end of the spectrum, Level One’s Battle City Remastered represented a complete reconstruction of a classic gaming experience using pure Python and Pygame. The technical achievement of recreating complex game mechanics in just 72 hours showcased the team’s deep understanding of game development principles and efficient coding practices.

****Lessons in Scalable Innovation****

The hackathon results revealed consistent patterns among successful projects that extend beyond hackathon contexts into broader software development practices. Teams that achieved top rankings demonstrated several key characteristics that align with industry best practices for rapid innovation.

**Constraint-Driven Creativity**: The most innovative solutions emerged from teams that embraced technical limitations as creative catalysts rather than obstacles. BIOSage’s offline AI diagnostics capability, for instance, turned the constraint of no internet connectivity into a competitive advantage for system administration scenarios.

**User-Centered Problem Solving**: Winning teams consistently prioritized genuine user pain points over technical showcasing. The multiple Hacker News reimaginings each addressed specific usability issues, such as navigation complexity, information density, and accessibility barriers, rather than simply applying modern styling to existing interfaces.

**Architectural Thinking**: Even within hackathon timelines, successful teams implemented architectural patterns that could support future development. This forward-thinking approach distinguished projects with genuine commercial potential from purely demonstrative implementations.

****The Future of Digital Modernization****

The Rapid Rebuild concept addresses a pressing industry need as organizations struggle with legacy systems that serve critical functions, despite their outdated interfaces. The hackathon’s results suggest several emerging trends in how developers approach modernization challenges.

AI integration emerged as a transformative factor, with multiple projects incorporating intelligent features to enhance user experiences. Beyond BIOSage’s diagnostic capabilities, projects like HackerNews-Revamped integrated AI chatbots could discuss articles from the content’s perspective, demonstrating how artificial intelligence can add contextual value to information consumption.

Accessibility considerations became central rather than peripheral to design decisions. Teams consistently implemented features like voice navigation, customizable themes, and keyboard shortcuts as core functionality rather than afterthoughts. This shift reflects growing industry recognition that inclusive design benefits all users while expanding market reach.

The hybrid approach of extension-based enhancements alongside complete rebuilds suggests a pragmatic evolution in how organizations might approach legacy system modernization. Rather than requiring wholesale replacement, targeted improvements through browser extensions or API layers can provide immediate benefits to the user experience while maintaining the underlying system’s stability.

****Implications for Industry Practice****

The 72-hour timeframe compressed typical development cycles while maintaining quality standards, offering insights into rapid innovation methodologies. The most successful teams implemented practices that mirror emerging industry trends toward accelerated development cycles and continuous improvement.

Cross-disciplinary collaboration proved essential, with winning teams effectively combining frontend development, backend architecture, user experience design, and domain expertise. This integration reflects the industry movement toward full-stack competency and collaborative development practices.

The emphasis on immediate usability over feature completeness aligns with lean development principles and minimum viable product approaches. Teams that focused on solving specific user problems comprehensively outperformed those attempting to recreate entire feature sets superficially.

****Looking Forward****

The Rapid Rebuild Hackathon 2025 demonstrated that innovation often emerges not from creating entirely new solutions but from applying fresh perspectives and modern tools to existing challenges. As the digital landscape continues evolving, the ability to thoughtfully modernize legacy systems while preserving their essential value becomes increasingly critical.

The projects showcased techniques and approaches that extend far beyond hackathon contexts, offering roadmaps for organizations seeking to modernize user experiences without abandoning functional infrastructure. From AI-enhanced system interfaces to accessibility-first redesigns, the innovations demonstrated paths forward for digital transformation that prioritize user needs while respecting technical constraints.

The success of diverse approaches, from targeted browser extensions to complete system rebuilds, suggests that digital modernization isn’t a one-size-fits-all challenge. Instead, it requires careful assessment of user needs, technical constraints, and organizational capabilities to determine the most effective intervention strategy.

Most importantly, the hackathon reinforced that exceptional user experiences don’t require revolutionary technology, they require thoughtful application of existing tools, a deep understanding of user needs, and the courage to reimagine how digital interfaces can better serve their intended purposes. In an era of rapid technological change, the ability to bridge legacy functionality with modern expectations may prove more valuable than any individual technical skill.

Rapid Rebuild Hackathon 2025: When Legacy Meets Innovation

## Summary

pycares is vulnerable to a use-after-free condition that occurs when a Channel object is garbage collected while DNS queries are still pending. This results in a fatal Python error and interpreter crash.

## Details

### Root Cause

The vulnerability stems from improper handling of callback references when the Channel object is destroyed:

1. When a DNS query is initiated, pycares stores a callback reference using `ffi.new_handle()`
2. If the Channel object is garbage collected while queries are pending, the callback references become invalid
3. When c-ares attempts to invoke the callback, it accesses freed memory, causing a fatal error

This issue was much more likely to occur when using `event_thread=True` but could happen without it under the right circumstances.

### Technical Details

The core issue is a race condition between Python's garbage collector and c-ares's callback execution:

1. When `__del__` is called from within a c-ares callback context, we cannot immediately call `ares_destroy()` because c-ares is still executing code after the callback returns
2. c-ares needs to execute cleanup code after our Python callback returns (specifically at lines 1422-1429 in ares_process.c)
3. If we destroy the channel too quickly, c-ares accesses freed memory

### Impact

Applications using `pycares` can be crashed remotely by triggering DNS queries that result in `Channel` objects being garbage collected before query completion. This is particularly problematic in scenarios where:

- Channel objects are created per-request
- Multiple failed DNS queries are processed rapidly
- The application doesn't properly manage Channel lifecycle

The error manifests as:
```
Fatal Python error: b_from_handle: ffi.from_handle() detected that the address passed points to garbage
```

## Fix

The vulnerability has been fixed in pycares 4.9.0 by implementing a safe channel destruction mechanism

## Mitigation

### For Application Developers

1. **Upgrade to pycares >= 4.9.0** - This version includes the fix and requires no code changes
2. **Best practices** (optional but recommended):
   ```python
   # Explicit cleanup
   channel.close()
   
   # Or use context manager
   with pycares.Channel() as channel:
       # ... use channel ...
   # Automatically closed
   ```
3. **Avoid creating Channel objects per-request** - Prefer long-lived instances for better performance and safety

The fix is completely transparent - no API changes or code modifications are required.

## Credit

This vulnerability was reported by @vEpiphyte through the aio-libs security program.

**Summary**

pycares is vulnerable to a use-after-free condition that occurs when a Channel object is garbage collected while DNS queries are still pending. This results in a fatal Python error and interpreter crash.

**Details****Root Cause**

The vulnerability stems from improper handling of callback references when the Channel object is destroyed:

1.  When a DNS query is initiated, pycares stores a callback reference using ffi.new_handle()
2.  If the Channel object is garbage collected while queries are pending, the callback references become invalid
3.  When c-ares attempts to invoke the callback, it accesses freed memory, causing a fatal error

This issue was much more likely to occur when using event_thread=True but could happen without it under the right circumstances.

**Technical Details**

The core issue is a race condition between Python's garbage collector and c-ares's callback execution:

1.  When __del__ is called from within a c-ares callback context, we cannot immediately call ares_destroy() because c-ares is still executing code after the callback returns
2.  c-ares needs to execute cleanup code after our Python callback returns (specifically at lines 1422-1429 in ares\_process.c)
3.  If we destroy the channel too quickly, c-ares accesses freed memory

**Impact**

Applications using pycares can be crashed remotely by triggering DNS queries that result in Channel objects being garbage collected before query completion. This is particularly problematic in scenarios where:

*   Channel objects are created per-request
*   Multiple failed DNS queries are processed rapidly
*   The application doesn't properly manage Channel lifecycle

The error manifests as:

    Fatal Python error: b_from_handle: ffi.from_handle() detected that the address passed points to garbage
    

**Fix**

The vulnerability has been fixed in pycares 4.9.0 by implementing a safe channel destruction mechanism

**Mitigation****For Application Developers**

1.  **Upgrade to pycares >= 4.9.0** - This version includes the fix and requires no code changes
2.  **Best practices** (optional but recommended):
    
    \# Explicit cleanup
    channel.close()
    
    \# Or use context manager
    with pycares.Channel() as channel:
        \# ... use channel ...
    \# Automatically closed
    
3.  **Avoid creating Channel objects per-request** - Prefer long-lived instances for better performance and safety

The fix is completely transparent - no API changes or code modifications are required.

**Credit**

This vulnerability was reported by @vEpiphyte through the aio-libs security program.

**References**

*   GHSA-5qpg-rh4j-qp35
*   saghul/pycares@ebfd7d7

GHSA-5qpg-rh4j-qp35: pycares has a Use-After-Free Vulnerability

Unity is one of the most popular game engines for mobile and cross-platform app development. It powers millions…

Unity is one of the most popular game engines for mobile and cross-platform app development. It powers millions of games and applications across platforms including iOS, Android, and desktop.

While building an engaging app is important, monetization is what turns your development effort into a sustainable business. In this article, we explore the best practices for monetizing Unity apps, with a particular focus on advertising and in-app purchases (IAP).

****Why Monetization Strategy Matters****

Choosing the right monetization strategy from the start can greatly influence your app’s success. A poorly implemented monetization model can frustrate users and result in low retention, while a smart and balanced approach can enhance both user experience and revenue.

Unity supports a range of monetization options, and developers often use a combination of strategies for maximum effect.

****1\. Advertising in Unity Apps********Types of Ads:****

*   **Interstitial Ads**: Full-screen ads are shown at natural pauses, such as between game levels.
*   **Banner Ads**: Small, less intrusive ads are usually displayed at the top or bottom of the screen.
*   **Rewarded Video Ads**: Popular among free-to-play games. Users watch an ad to receive a reward (e.g., coins or extra lives).

****Best Practices for Ads:****

*   Rewarded ads should offer meaningful incentives.
*   Use **Unity Ads SDK** for smooth integration and optimization.
*   Track ad performance and optimize placements using A/B testing.
*   Don’t overwhelm users with too many ads; prioritize user experience.

****2\. In-App Purchases (IAP)****

In-app purchases are a direct way to monetize your users by offering them value-added items or features.

****Common IAP Models:****

*   **Consumables**: Virtual currency, energy refills, boosters.
*   **Subscriptions**: Ongoing access to premium features.
*   **Non-consumables**: One-time purchases like removing ads or unlocking levels.

****Best Practices for In-App Purchases:****

*   Create urgency and exclusivity using limited-time offers.
*   Ensure IAPs provide genuine value and enhance gameplay.
*   Use visual cues and UI prompts to showcase the benefits of premium items.
*   Offer a mix of price points (e.g., $0.99 to $29.99) to appeal to different user segments.

****Technical Integration:****

*   Unity provides a built-in **IAP package** that supports both Android and iOS.
*   Follow platform-specific guidelines (Google Play Billing, Apple’s StoreKit).

Need help setting up in-app purchases? Check out this step-by-step Unity in-app purchases tutorial to guide your implementation.

****3\. Hybrid Monetization Model****

Many successful apps combine ads and IAPs to maximize their revenue:

*   Use rewarded ads alongside virtual currency purchases.
*   Offer the base game for free with ads, and provide an IAP option to remove ads.
*   Offer a subscription model that includes an ad-free experience and exclusive items.

This hybrid approach caters to both free users and paying users, creating a more inclusive ecosystem.

****4\. Analyze User Behavior and Monetization Funnels****

Tracking and analyzing user data is critical to optimize your monetization strategy:

*   Monitor user retention and churn rate.
*   Segment users into cohorts for personalized offers.
*   Identify points where users are most likely to spend.
*   Use heatmaps and session recordings to study in-app behaviour.

Unity Analytics and third-party tools like Firebase or Adjust can help you gain insights into user behaviour.

****5\. A/B Testing and Optimization****

Don’t rely on guesswork, test everything:

*   Try various ad placements and formats.
*   Test different IAP price points and bundle options.
*   Test UI changes to see what improves conversion rates.

Run A/B tests over a sufficient sample size and make data-backed decisions to improve LTV (lifetime value) and ARPU (average revenue per user).

****Final Thoughts****

Monetizing Unity apps requires more than just plugging in ads or setting up a store. A well-thought-out strategy that balances user satisfaction and revenue potential is key. Whether you’re developing a game or a utility app, combining in-app purchases with ad-based models and continuously optimizing based on user behaviour will help you achieve long-term success.

How to Monetize Unity Apps: Best Practices

Plus: Spyware is found on two Italian journalists’ phones, Ukraine claims to have hacked a Russian aircraft maker, police take down major infostealer infrastructure, and more.

With demonstrations ramping up against the Trump administration, this week was all about protests. With President Donald Trump taking the historic step to deploy US Marines and the National Guard to Los Angeles, we dove into the “long-term dangers” of sending troops to LA, as well as what those troops are permitted to do while they’re there.

Of course, it’s not just the military getting involved in the LA protests against the heavy crackdowns by Immigration and Customs Enforcement (ICE). There’s also Customs and Border Protection (CBP), which further escalated federal involvement by flying Predator drones over LA. And there are local and state authorities, who’ve used “nonlethal” weapons and chemical agents like tear gas against protesters. Even Waymo’s self-driving taxis—some of which were set on fire during last weekend’s LA protests—could be used to investigate people who commit crimes during demonstrations thanks to their surveillance capabilities.

In addition to protests, the undocumented community is pushing back against ICE’s enforcement activities by turning social media platforms into DIY alert systems for ICE raids and other activities. And with thousands of protests scheduled to take place this weekend, we updated our guide to protecting your privacy—in addition to your physical safety—while demonstrating.

Even if you’re not an immigrant nor attending any protests, it’s possible your data is still getting shared with immigration authorities. In partnership with WIRED, 404 Media this week revealed that a data broker owned by major airlines sold domestic US flight data to CBP and instructed the agency to not reveal that it did so. 404 also detailed a bug that allowed a researcher to discover the phone numbers connected to any Google accounts. (The bug has since been fixed.) Finally, we dissected Apple’s AI strategy, which appears to bank more on privacy than on splashy features.

And that’s not all. Each week, we round up the privacy and security news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

The Trump administration quietly ordered the transfer of Medicaid data belonging to undocumented individuals to deportation officials this week, according to the Associated Press, in a move legal experts warn is likely to erode public trust in the government's handling of personal data and result in a chilling effect among undocumented people desperate for medical care.

The transfer, which was reportedly ordered by Health and Human Services secretary Robert F. Kennedy Jr.'s office and included names, addresses, immigration status, and health claims, pertains to millions of enrollees, many in states that pay for the coverage using their own funds, the AP reports. The transfer may also be illegal, violating the Social Security Act and other data-handling statutes. According to the AP, Medicaid officials warned the administration that they did not have legal authority to disclose the records and that doing so would carry legal and reputation risks that could lead states to begin refusing to share information with the federal government, impacting the agency's operational functions.

California governor Gavin Newsom, whose state is occupied by undesired federal military forces and ICE agents conducting continuous sweeps across neighborhoods heavily populated by immigrants, condemned the act, calling it “potentially illegal.” An HHS official rejected the claim, saying the agency acted in full compliance with the law, while declining to clarify to reporters how the data would actually be used.

**2 Italian Journalists’ Phones Hacked With Paragon Spyware**

Move over, NSO Group. Two Italian journalists were hacked with spyware made by Israeli phone-focused surveillance firm Paragon, Citizen Lab revealed this week in a report based on forensic analyses of their phones. Two other Italians, both staffers at the immigrant rescue nonprofit Mediterranea Saving Humans, also had their phones compromised with the same malware. Paragon’s Graphite malware, like NSO’s Pegasus, infects phones with a zero-click technique that requires no interaction from the victim—in this case using a vulnerability in iPhones that was patched in iOS version 18.3 earlier this year. While Citizen Lab couldn’t determine the Paragon customer behind the intrusions, there’s reason to suspect the Italian government, given that an Italian parliamentary committee determined in a report earlier this month that two Italian intelligence agencies are Paragon customers.

**Ukraine Says It Hacked a Russian Aircraft Maker That Produces Strategic Bombers**

In its latest salvo against the Russian air force, Ukraine’s HUR military intelligence agency said that it had hacked into the network of Tupolev, an aerospace company that manufactures and services Russia’s strategic bombers. According to the cybersecurity news outlet The Record, the Ukrainian state hackers claim to have stolen 4.4 gigabytes of data, including internal communications, meeting notes, personnel files, and purchase records. Specifically, HUR says it was targeting data about individuals involved in the servicing and maintenance of Russia’s bomber fleet, which has targeted Ukrainian cities. The hackers also defaced the homepage of Tupolev’s website to show an owl clutching a Russian aircraft. “There is nothing secret left in Tupolev's activities for Ukrainian intelligence,” HUR said in a statement. “The result of the operation will be noticeable both on the ground and in the sky.” The move follows Ukraine’s unprecedented drone operation earlier this month that damaged or destroyed 41 Russian aircraft, including bombers and spy planes.

**International Law Enforcement Conducts Major Takedown of Infostealer Infrastructure**

On Wednesday, a consortium of cops from Interpol and 26 countries announced a takedown, dubbed “Operation Secure,” of domains and other digital infrastructure linked to 69 infostealer malware variants. In recent years, malicious hackers have leaned more and more on information-stealing malware, or infostealers, that grab sensitive information like passwords, cookies, and search histories to make it easier for attackers to target specific organizations and individuals. Operation Secure ran from January to April this year, Interpol said, and involved takedowns of more than 20,000 malicious IP addresses or domains and seizure of 41 servers as well as more than 100 GB of data. A total of 32 people were also arrested in connection with the investigation in Vietnam, Sri Lanka, Nauru, and elsewhere. Interpol described the operation as a “regional initiative” organized by the Asia and South Pacific Joint Operations Against Cybercrime Project.

**Meta Sues a Nudify App for Advertising on Instagram**

Meta sued Hong Kong–based Joy Timeline HK Limited for repeatedly advertising an app on Instagram called CrushAI that offers “nudify” deepfakes, using artificial intelligence to remove the clothes from anyone in a photo. Meta said in its announcement of the lawsuit that the company had repeatedly violated its terms of service for advertisers and that the move is part of a larger crackdown on similar deepfake apps pushed by “adversarial advertisers,” as it dubs the companies who violate its terms. “We’ll continue to take the necessary steps—which could include legal action—against those who abuse our platforms like this,” Meta wrote in a statement.

RFK Jr. Orders HHS to Give Undocumented Migrants’ Medicaid Data to DHS

Army intelligence analysts are monitoring civilian-made ICE tracking tools, treating them as potential threats, as immigration protests spread nationwide.

As protests continue to swell across the United States in response to aggressive Immigration and Customs Enforcement actions, civilians are turning to homebrew digital tools to track ICE arrests and raids in real time. But restricted government documents, obtained by the nonprofit watchdog Property of the People, show that US intelligence agencies are now eyeing the same tools as potential threats. A law enforcement investigation involving the maps is also apparently underway.

Details about Saturday’s “No Kings” protest—specifically those in California—are also under watch by domestic intelligence centers, where analysts regularly distribute speculative threat assessments among federal, state, and local agencies, according to an internal alert obtained exclusively by WIRED.

A late-February bulletin distributed by a Vermont-based regional fusion center highlights several websites hosting interactive maps that allow users to drop “pins” indicating encounters with ICE agents.

The bulletin is based on information initially shared by a US Army threat monitoring center known as ARTIC. While it acknowledges that most of the users appear to be civilians working to avoid contact with federal agents, it nevertheless raises the specter of “malicious actors” potentially relying on such open-source transparency tools to physically target law enforcement.

ARTIC, which operates under the umbrella of the Army’s Intelligence and Security Command, could not be immediately reached for comment.

Property of the People, a nonprofit focused on transparency and national security, attempted to obtain additional details about the maps using public records laws. The group was informed by the Northern California Regional Intelligence Center (NCRIC) that all relevant information is “associated with active law enforcement investigations.”

The NCRIC did not immediately respond to WIRED’s request for comment.

“Law enforcement is sounding the alarm over implausible, hypothetical risks allegedly posed by these ICE raid tracking platforms,” Ryan Shapiro, executive director of Property of the People, tells WIRED. “But transparency is not terrorism, and the real security threat is militarized secret police invading our communities and abducting our neighbors.”

The documents identify maps and information shared across Reddit and the website Padlet, which allows users to collaborate and build interactive maps. An “OPSEC” warning concerning the maps was also separately issued in February by the Wisconsin Statewide Intelligence Center (WSIC). That report indicates the sites are being treated as a “strategic threat” and are under monitoring by a special operations division.

WSIC, which could not be immediately reached for comment, warned in its report about persistent online threats aimed at ICE officers, highlighting posts on social media apps like X and TikTok that include messages calling for Americans to stockpile weapons and “shoot back.” While some posts were judged to contain “explicit threats,” most appear to reflect cathartic outrage over the Trump administration’s punitive immigration enforcement tactics, with intelligence analysts noting that many of the users were “discussing hypothetical scenarios.” Nevertheless, the analysts flagged the sheer volume and tone of the content as a genuine officer safety concern.

Each document is marked for law enforcement eyes only—a warning not to discuss details with the public or press.

A separate report obtained by WIRED and dated mid-May shows the Central California Intelligence Center (CCIC) monitoring plans for the upcoming “No Kings” protests. It identifies Sacramento, Fresno, and Stockton, among dozens of other protest sites. The information is widely available online, including on the No Kings website.

The bulletin notes the protests are promoted as a “nonviolent action,” but says the agency plans to produce additional intelligence reports for “threat liaison officers.” It concludes with boilerplate language that states the CCIC recognizes the right of citizens to assemble, speak, and petition the government, but frames the need to gather intelligence on “First Amendment-protected activities” as essential to “assuring the safety of first responders and the public.”

Roughly 2,000 protests are scheduled to take place nationwide concurrent with a military parade in Washington, DC, expected to feature 6,600 US Army soldiers, 150 military vehicles, including 28 M1 Abrams tanks, rocket launchers, and precision-guided missiles.

Protests have erupted in Los Angeles and cities nationwide over the past week in response to a Trump-ordered immigration crackdown and the deployment of federal troops, including Marines and National Guard units, to support law enforcement.

Demonstrators are pushing back against what they view as an authoritarian show of force—as surveillance drones fly overhead and armored vehicles roll through immigrant-heavy neighborhoods. Tensions have flared between protesters and police, fueling concerns about surveillance, civil liberties, and the legality of using military force to suppress civil unrest.

The use of military-grade equipment and limits on troop authority have emerged as key flashpoints in a broader debate over executive power and immigration enforcement.

The No Kings organizers frame the demonstrations as a nationwide day of defiance: “From city blocks to small towns, from courthouse steps to community parks, we’re taking action to reject authoritarianism—and show the world what democracy really looks like.”

'No Kings’ Protests, Citizen-Run ICE Trackers Trigger Intelligence Warnings

Pentagon rules sharply limit US Marines and National Guard activity in Los Angeles, prohibiting arrests, surveillance, and other customary police work.

For the first time in decades, active-duty US Marines are rolling into Los Angeles—not for disaster relief or training drills, but to guard federal buildings during a protest crackdown that legal experts say threatens long-standing limits on military power at home.

The deployment, announced by President Donald Trump on Monday, involves more than 700 Marines from the 2nd Battalion, 7th Regiment of the 1st Marine Division, based at Camp Pendleton and Twentynine Palms. Mobilized under Title 10 orders, the Marines have been commanded to protect federal property and personnel from mounting protests over aggressive immigration raids and neighborhood sweeps. It is a rare and forceful use of federal military power on US soil.

The mobilization follows Trump’s June 7 order that federalized as many as 4,000 California national guardsmen, overriding the objections of state officials and igniting a high-stakes legal fight.

A US district judge on Thursday ordered Trump to return control of the guardsmen to the state of California, saying the takeover was unlawful, only likely to inflame tensions in the city, and had deprived the state of resources necessary “to fight fires, combat the fentanyl trade, and perform other critical functions.” The injunction was quickly stayed, however, by a federal appeals court, pending a hearing next week.

Protests began Friday in Westlake, an immigrant-heavy neighborhood near downtown LA, where residents rallied in response to sweeping ICE raids that targeted day laborers outside local businesses. Demonstrators marched, held signs, and chanted for several hours before tensions escalated after police declared an unlawful assembly and advanced on the crowd. LAPD officers and federal agents deployed a range of crowd control weapons, including batons, tear gas, pepper spray, and flash-bang grenades. Reports from journalists and observers describe nonviolent protesters—and members of the press—being struck by rubber bullets and stun devices during the crackdown.

Widespread protests are expected in LA and at some 2,000 other locations around the US this weekend.

While the president holds broad emergency powers, legal scholars say that without invoking the Insurrection Act—a statute that permits domestic troop deployments only in cases of a rebellion or civil rights violations—federal law sharply limits what active-duty forces can do. Marines may not act as a _posse comitatus_, or function as law enforcement. They're barred from conducting surveillance and, in general, crowd control, as well as _officially_ arresting people, and may otherwise only support police in narrowly defined ways, according to Defense Department rules.

Pentagon directives governing “civil disturbance operations” reinforce these limits. Federal troops are prohibited from arresting civilians, searching property, and collecting evidence. They may not conduct surveillance of US persons. That includes not just individuals but vehicles, locations, and “transactions.” They may not serve as undercover agents, informants, or interrogators. Unless a crime is committed by a service member or on military property, Title 10 forces are likewise banned from engaging in any kind of forensics for the benefit of civilian police—unless they are willing to put in writing that such evidence was obtained by consent.

US Northern Command, which oversees military support to nonmilitary authorities in the contiguous 48 states, said Friday that Marines would not conduct “arrests” but are authorized to "temporarily hold" people in "specific circumstances" until police arrive to make a _formal_ arrest. The clarification follows the emergence of a video showing Marines in LA detaining a civilian with plastic handcuffs before awaiting police—the first known instance of such an action during the current deployment.

There are numerous other scenarios in which the military can provide assistance to police, including by giving them “information” obtained “in the normal course” of their duties, unless applicable privacy laws prohibit it. Military members can also provide police with a wide variety of assistance so long as it’s in a “private capacity” and they’re off duty. Additionally, they can provide “expert advice,” so long as it doesn’t count as serving a function core to civilian police work.

The Department of Defense did not immediately respond to a request for comment; however, a staff member in the Office of the Under Secretary of Defense for Policy confirmed for WIRED by phone the current set of policies under which deployed federal troops must operate.

There is one major caveat to the military’s restrictions. During an “extraordinary emergency,” military commanders may take limited, immediate action to prevent massive destruction or to restore critical public services, but only so long as presidential approval is “impossible” to obtain in advance. And while military personnel are naturally expected to maintain order and discipline at all times, under no circumstances are they required to stand down when their lives, or the lives of others, are in immediate danger.

Still, enforcement of these rules in the field is far from guaranteed. Legal experts warn that adherence often varies in chaotic environments. Trump administration officials have also demonstrated a willingness to skirt the law. Last week, homeland security secretary Kristi Noem asked the Pentagon to authorize military assistance in conducting arrests and to deploy drone surveillance, according to a letter obtained by The San Francisco Chronicle—a move experts say directly contradicts standing legal prohibitions.

At a press conference on Thursday, Noem stated the federal government was on a mission to “liberate” Los Angeles from “socialists” and the “leadership” of California governor Gavin Newsom and LA mayor Karen Bass. US Senator Alex Padilla, who represents the citizens of California, was forcibly removed from the press conference after attempting to question Noem. Outside the press conference room, federal agents forced the senator to the ground, where he was temporarily placed in handcuffs.

Unlike the National Guard, which is well trained for domestic crowd control, active-duty Marines generally receive relatively little instruction in handling civil unrest. Those who do typically belong to military police or specialized security units. Nonetheless, the Marine Corps has published footage online showing various task forces training with riot-control tactics and “nonlethal” weapons. Constitutional concerns do not arise, however, when Marines face off against foreign mobs—such as in civilian zones during the Afghanistan war or on the rare occasion protesters breach the perimeter of a US embassy. And wartime rules of engagement are far more lenient than the rules of force by which Marines must adhere domestically.

In a statement on Wednesday, Northern Command confirmed the Marines had undergone training in all “mission essential tasks,” including “de-escalation” and “crowd control.” They will reportedly be accompanied by legal and law enforcement experts.

Constitutional experts warn that deploying military forces against civilian demonstrators blurs the line between law enforcement and military power, potentially setting a dangerous precedent for unchecked presidential authority. The risk deepens, they say, if federal troops overstep their legal bounds.

If lines are crossed, it could open a door that may not close easily—clearing the way for future crackdowns that erode Americans’ hard-won civil liberties.

_Updated 7:40 pm ET, June 13, 2025: This story has been updated to include details about the first known arrest in 2025 of a protester by US Marines._

Tag

#ios