Sweden’s proposal to mandate encryption backdoors faces backlash from Signal, cybersecurity experts, and even its military over privacy and security risks.

Swedish law enforcement and security agencies are advocating for legislation that would compel encrypted messaging services, such as Signal and WhatsApp, to implement backdoors.

This measure aims to grant authorities access to users’ communications for criminal investigations. However, this proposal has met with strong resistance from both the service providers and Sweden’s own military.

Meredith Whittaker, President of the Signal Foundation, has unequivocally stated that Signal would withdraw from the Swedish market rather than compromise its encryption standards. In an interview with SVT Nyheter, Whittaker emphasized that introducing a backdoor would undermine the app’s entire security architecture, stating, “If you create a vulnerability based on Swedish wishes, it would create a way to undermine our entire network.”

She further stated that Signal’s commitment to user privacy and data protection is paramount, and the organization would not acquiesce to demands that jeopardize this principle.

> Signal has announced that it will “leave Sweden” if the Swedish government mandates encryption backdoors. Many are celebrating this as a bold act of resistance. But what does it actually mean?
> 
> Signal has no offices or legal presence in Sweden. Will they block Swedish IP… https://t.co/ffkD1pyz9n
> 
> — Nadim Kobeissi (@kaepora) February 25, 2025

Interestingly, the Swedish Armed Forces, which have recently adopted Signal for secure, non-classified communications, have also expressed concerns regarding the proposed legislation. In a letter to the government, military officials cautioned that mandating backdoors could introduce vulnerabilities exploitable by malicious actors, thereby compromising national security. This stance highlights a discord between Sweden’s defence priorities and the objectives of its law enforcement agencies.

Justice Minister Gunnar Strömmer has defended the proposal, arguing that it is essential for law enforcement to effectively access electronic communications in the fight against serious crimes. The bill, which could be presented to the Riksdag (Swedish Parliament) as early as March next year, seeks to balance the needs of national security with individual privacy rights, a balance that is proving contentious.

William Wright, CEO of Closed Door Security, criticized the move, stating:

_“Building backdoors into software is akin to deliberately creating vulnerabilities. Once embedded, threat actors will focus on finding and exploiting them, putting millions at risk. History has shown that even government-backed backdoors, like those exploited in the Salt Typhoon attack, can be turned against the very institutions that created them. The long-term risks far outweigh any short-term benefits for law enforcement.”_

This development in Sweden is similar to debates in other countries. Notably, the United Kingdom recently demanded that Apple provide access to encrypted iCloud accounts. In response, Apple chose to remove the option for British users to protect their accounts with end-to-end encryption rather than compromise its security protocols.

These situations highlight the constant struggle between governments wanting access to private data for security reasons and the need to protect people’s privacy. As Sweden debates this proposal, the final decision could have a major impact, not just on encrypted messaging within the country but also on global conversations about privacy and digital security.

Signal Threatens to Exit Sweden Over Government’s Backdoor Proposal

An alleged job scam, led by “Aiden” from “OpenAI,” recruited workers in Bangladesh for months before disappearing overnight, according to FTC complaints obtained by WIRED.

A Bangladeshi worker was eager to get started at their new OpenAI job—completing basic online tasks in exchange for consistent income, while getting into cryptocurrency investing at the same time. After connecting with the startup on Telegram and creating an account through a ChatGPT\-branded app, they invested crypto into the platform and began a months-long job working for “Aiden” from “OpenAI.”

The work was performed through the website “OpenAi-etc,” and internal conversations were held on Telegram. It was simple: Invest some crypto, complete a few tasks, and earn daily profits based on what was invested.

Over the course of this worker’s time with the company, mentors continuously encouraged them to invest more money into the fund and recruit more Bangladeshi people to the team. When the worker convinced over 150 to join and the mentors split the growing team of “brokers” into a hierarchy based on seniority, it all felt very real. The total crypto-investment fund for their team was around $50,000. After a devastating cyclone hit Bangladesh in May, company leaders supposedly helped those in need, further earning the trust of employees.

All seemed well until the morning of August 29, 2024, when everyone woke up to find that the website, all of their money, Aiden, and the other fake OpenAI employees had vanished overnight. The job, of course, was never with OpenAI at all, former workers say.

“I’ve seen similar scams where, at the beginning, you think you are making profit, and then basically you invest more and more,” says Shirin Nilizadeh, an associate professor at the University of Texas at Arlington who focuses on security and privacy. “Then, suddenly, you lose everything.”.

The story of the scammed “OpenAI” worker is from just one of 11 complaints about OpenAi-etc submitted to the US Federal Trade Commission by workers from Bangladesh last year, seven of which mention “Aiden.” Analysis of the complaints, obtained by WIRED through a public records request, reveal a potentially widespread job scam that used OpenAI’s name recognition to allegedly trick low-wage workers out of their savings. While some people describe getting started with OpenAi-etc in June or July, others believed they were working for the company for around six months.

The first FTC complaint obtained by WIRED, lodged over two months before the August 29 rug pull, says the complainant was invited by OpenAi-etc to invest around $170 in crypto. The person mentions an American registration number for the business, confirming it was in good standing with Colorado regulators and listing a physical office in Denver. The complaint also highlights a legitimate-looking money service business registered with the US Treasury’s Financial Crimes Enforcement Network, which lists the company’s location as an office inside the Empire State Building in New York City.

A WIRED review of domain name system records for the now-defunct OpenAi-etc website shows that it appears to have been hosted by a China-based web hosting company.

Jay Mayfield, a senior public affairs specialist at the FTC, declined WIRED’s request to confirm whether the group is looking into OpenAi-etc, saying that investigations are nonpublic. Mayfield did not answer additional questions about what steps the FTC is taking to prevent similar scams or provide better assistance for international victims.

“Regrettably, I found no available source online to know more about this organization except for those registrations,” wrote the complainant. “They are collecting huge amounts of investment from third world countries in Asia.”

One of the FTC complaints alleges that over 6,000 people in Bangladesh were potentially impacted by the OpenAi-etc job scam. The ages listed in the FTC complaints range from teenagers to people in their fifties, with locations spread across multiple Bangladesh cities, from Dhaka to Khulna.

“My next trading date was 29 August, 2024,” wrote another complainant. “I made the trade with my whole amount in the evening. But, suddenly, the OpenAI company vanished. I didn’t withdraw any money but lost both capital and profit. Now, I am in a great economic crisis, as I am a normal school teacher.”

Niko Felix, a spokesperson for OpenAI, declined to answer questions about whether the startup was previously aware of the “OpenAi-etc” scam, or if they planned to take action against the fraudsters. But he did share that OpenAI is investigating the matter. The alleged scam website is no longer available online, and WIRED was not able to contact the people behind "OpenAi-etc" prior to publication.

A Telegram spokesperson using the name Remi Vaughn tells WIRED that the company monitors its platform for scams, such as those allegedly carried out by OpenAi-etc, which used the messaging app to communicate with people who believed they were working for the company.

"Telegram actively moderates harmful content on its platform, including scams," Vaughn says in a statement sent to WIRED through the messaging platform. "Moderators empowered with custom Al and machine learning tools proactively monitor public parts of the platform and accept reports from users and organizations in order to remove millions of pieces of harmful content each day."

The usual pattern of a crypto job scam is to trick people into depositing some kind of digital currency into a fake account the victim believes they have control over, until the perpetrator drains it one day without warning. While this specific rug pull used OpenAI’s branding to allegedly dupe its victims, a crypto job scam can happen with the name of any company that has enough widespread recognition for criminals to capitalize on.

“These social engineering scams are designed to lower our natural suspicion and to make us complicit in our own deception,” says Arun Vishwanath, a cybersecurity expert and author of _The Weakest Link_. “For job scams, they try to turn our ambitions and inherent trust in brands into a vulnerability.” Similar to so-called pig butchering investment scams, a key component often includes direct messages over a long period of time to cultivate a sense of trust with the targets.

Although comparable job scams happen all over the world, Vishwanath believes that Asian cultural norms of so-called high power distance, where there’s more acceptance of interpersonal hierarchies, are a contributing factor. "Authorities are expected to ask you things and make you do things," he says. "And you just comply." Scammers are taking advantage of this by imitating authority figures and leaning into the sense of urgency inherent to searching for a job.

Bangladeshi citizens on the difficult hunt for reliable work have increasingly been targeted by job scammers in recent years. Lies about international job opportunities have left throngs of would-be workers stranded in Malaysia, and at least three cases of kidney organ theft were reported by people lured to India with false promises of work.

‘OpenAI’ Job Scam Targeted International Workers Through Telegram

In the epic US-Russian prisoner swap last summer, Vladimir Putin brought home an assassin, spies, and another prized ally: the man behind one of the biggest insider trading cases of all time.

This Russian Tech Bro Helped Steal $93 Million and Landed in US Prison. Then Putin Called

A WIRED investigation goes inside the Telegram groups targeting women who joined “Are We Dating the Same Guy?” groups on Facebook with doxing, harassment, and sharing of nonconsensual intimate images.

In late January, a warning spread through the London-based Facebook group Are We Dating the Same Guy?—but this post wasn’t about a bad date or a cheating ex. A connected network of male-dominated Telegram groups had surfaced, sharing and circulating nonconsensual intimate images of women. Their justification? Retaliation.

On January 23, users in the AWDTSG Facebook group began warning about hidden Telegram groups. Screenshots and TikTok videos surfaced, revealing public Telegram channels where users were sharing nonconsensual intimate images. Further investigation by WIRED identified additional channels linked to the network. By scraping thousands of messages from these groups, it became possible to analyze their content and the patterns of abuse.

AWDTSG, a sprawling web of over 150 regional forums across Facebook alone, with roughly 3 million members worldwide, was designed by Paolo Sanchez in 2022 in New York as a space for women to share warnings about predatory men. But its rapid growth made it a target. Critics argue that the format allows unverified accusations to spiral. Some men have responded with at least three defamation lawsuits filed in recent years against members, administrators, and even Meta, Facebook’s parent company. Others took a different route: organized digital harassment.

Primarily using Telegram group data made available through Telemetr.io, a Telegram analytics tool, WIRED analyzed more than 3,500 messages from a Telegram group linked to a larger misogynistic revenge network. Over 24 hours, WIRED observed users systematically tracking, doxing, and degrading women from AWDTSG, circulating nonconsensual images, phone numbers, usernames, and location data.

From January 26 to 27, the chats became a breeding ground for misogynistic, racist, sexual digital abuse of women, with women of color bearing the brunt of the targeted harassment and abuse. Thousands of users encouraged each other to share nonconsensual intimate images, often referred to as “revenge porn,” and requested and circulated women’s phone numbers, usernames, locations, and other personal identifiers.

As women from AWDTSG began infiltrating the Telegram group, at least one user grew suspicious: “These lot just tryna get back at us for exposing them.”

When women on Facebook tried to alert others of the risk of doxing and leaks of their intimate content, AWDTSG moderators removed their posts. (The group’s moderators did not respond to multiple requests for comment.) Meanwhile, men who had previously coordinated through their own Facebook groups like “Are We Dating the Same Girl” shifted their operations in late January to Telegram's more permissive environment. Their message was clear: If they can do it, so can we.

"In the eyes of some of these men, this is a necessary act of defense against a kind of hostile feminism that they believe is out to ruin their lives," says Carl Miller, cofounder of the Center for the Analysis of Social Media and host of the podcast _Kill List_.

The dozen Telegram groups that WIRED has identified are part of a broader digital ecosystem often referred to as the manosphere, an online network of forums, influencers, and communities that perpetuate misogynistic ideologies.

“Highly isolated online spaces start reinforcing their own worldviews, pulling further and further from the mainstream, and in doing so, legitimizing things that would be unthinkable offline,” Miller says. “Eventually, what was once unthinkable becomes the norm.”

This cycle of reinforcement plays out across multiple platforms. Facebook forums act as the first point of contact, TikTok amplifies the rhetoric in publicly available videos, and Telegram is used to enable illicit activity. The result? A self-sustaining network of harassment that thrives on digital anonymity.

TikTok amplified discussions around the Telegram groups. WIRED reviewed 12 videos in which creators, of all genders, discussed, joked about, or berated the Telegram groups. In the comments section of these videos, users shared invitation links to public and private groups and some public channels on Telegram, making them accessible to a wider audience. While TikTok was not the primary platform for harassment, discussions about the Telegram groups spread there, and in some cases users explicitly acknowledged their illegality.

TikTok tells WIRED that its Community Guidelines prohibit image-based sexual abuse, sexual harassment, and nonconsensual sexual acts, and that violations result in removals and possible account bans. They also stated that TikTok removes links directing people to content that violates its policies and that it continues to invest in Trust and Safety operations.

Intentionally or not, the algorithms powering social media platforms like Facebook can amplify misogynistic content. Hate-driven engagement fuels growth, pulling new users into these communities through viral trends, suggested content, and comment-section recruitment.

As people caught notice on Facebook and TikTok and started reporting the Telegram groups, they didn’t disappear—they simply rebranded. Reactionary groups quickly emerged, signaling that members knew they were being watched but had no intention of stopping. Inside, messages revealed a clear awareness of the risks: Users knew they were breaking the law. They just didn’t care, according to chat logs reviewed by WIRED. To absolve themselves, one user wrote, “I do not condone im \[simply\] here to regulate rules,” while another shared a link to a statement that said: “I am here for only entertainment purposes only and I don’t support any illegal activities.”

Meta did not respond to a request for comment.

Messages from the Telegram group WIRED analyzed show that some chats became hyper-localized, dividing London into four regions to make harassment even more targeted. Members casually sought access to other city-based groups: “Who’s got brum link?” and “Manny link tho?”—British slang referring to Birmingham and Manchester. They weren’t just looking for gossip. “Any info from west?” one user asked, while another requested, “What’s her @?”— hunting for a woman’s social media handle, a first step to tracking her online activity.

The chat logs further reveal how women were discussed as commodities. “She a freak, I’ll give her that,” one user wrote. Another added, “Beautiful. Hide her from me.” Others encouraged sharing explicit material: “Sharing is caring, don’t be greedy.”

Members also bragged about sexual exploits, using coded language to reference encounters in specific locations, and spread degrading, racial abuse, predominantly targeting Black women.

Once a woman was mentioned, her privacy was permanently compromised. Users frequently shared social media handles, which led other members to contact her—soliciting intimate images or sending disparaging texts.

Anonymity can be a protective tool for women navigating online harassment. But it can also be embraced by bad actors who use the same structures to evade accountability.

"It’s ironic," Miller says. "The very privacy structures that women use to protect themselves are being turned against them."

The rise of unmoderated spaces like the abusive Telegram groups makes it nearly impossible to trace perpetrators, exposing a systemic failure in law enforcement and regulation. Without clear jurisdiction or oversight, platforms are able to sidestep accountability.

Sophie Mortimer, manager of the UK-based Revenge Porn Helpline, warned that Telegram has become one of the biggest threats to online safety. She says that the UK charity’s reports to Telegram of nonconsensual intimate image abuse are ignored. “We would consider them to be noncompliant to our requests,” she says. Telegram, however, says it received only “about 10 piece of content” from the Revenge Porn Helpline, “all of which were removed.” Mortimer did not yet respond to WIRED’s questions about the veracity of Telegram’s claims.

Despite recent updates to the UK’s Online Safety Act, legal enforcement of online abuse remains weak. An October 2024 report from the UK-based charity The Cyber Helpline shows that cybercrime victims face significant barriers in reporting abuse, and justice for online crimes is seven times less likely than for offline crimes.

"There’s still this long-standing idea that cybercrime doesn’t have real consequences," says Charlotte Hooper, head of operations of The Cyber Helpline, which helps support victims of cybercrime. "But if you look at victim studies, cybercrime is just as—if not more—psychologically damaging than physical crime."

A Telegram spokesperson tells WIRED that its moderators use “custom AI and machine learning tools” to remove content that violates the platform's rules, “including nonconsensual pornography and doxing.”

“As a result of Telegram's proactive moderation and response to reports, moderators remove millions of pieces of harmful content each day,” the spokesperson says.

Hooper says that survivors of digital harassment often change jobs, move cities, or even retreat from public life due to the trauma of being targeted online. The systemic failure to recognize these cases as serious crimes allows perpetrators to continue operating with impunity.

Yet, as these networks grow more interwoven, social media companies have failed to adequately address gaps in moderation.

Telegram, despite its estimated 950 million monthly active users worldwide, claims it’s too small to qualify as a “Very Large Online Platform” under the European Union’s Digital Service Act, allowing it to sidestep certain regulatory scrutiny. “Telegram takes its responsibilities under the DSA seriously and is in constant communication with the European Commission,” a company spokesperson said.

In the UK, several civil society groups have expressed concern about the use of large private Telegram groups, which allow up to 200,000 members. These groups exploit a loophole by operating under the guise of “private” communication to circumvent legal requirements for removing illegal content, including nonconsensual intimate images.

Without stronger regulation, online abuse will continue to evolve, adapting to new platforms and evading scrutiny.

The digital spaces meant to safeguard privacy are now incubating its most invasive violations. These networks aren’t just growing—they’re adapting, spreading across platforms, and learning how to evade accountability.

Inside the Telegram Groups Doxing Women for Their Facebook Posts

Apple is removing its Advanced Data Protection (ADP) feature for iCloud from the United Kingdom with immediate effect following government demands for backdoor access to encrypted user data.
The development was first reported by Bloomberg.
ADP for iCloud is an optional setting that ensures that users' trusted devices retain sole access to the encryption keys used to unlock data stored in its

Apple Drops iCloud's Advanced Data Protection in the U.K. Amid Encryption Backdoor Demands

Approximately 500 NIST staffers, including at least three lab directors, are expected to lose their jobs at the standards agency as part of the ongoing DOGE purge, sources tell WIRED.

Sweeping layoffs architected by the Trump administration and the so-called Department of Government Efficiency may be coming as soon as this week at the National Institute of Standards and Technology (NIST), a non-regulatory agency responsible for establishing benchmarks that ensure everything from beauty products to quantum computers are safe and reliable.

According to several current and former employees at NIST, the agency has been bracing for cuts since President Donald Trump took office last month and ordered billionaire Elon Musk and DOGE to slash spending across the federal government. The fears were heightened last week when some NIST workers witnessed a handful of people they believed to be associated with DOGE inside Building 225, which houses the NIST Information Technology Laboratory at the agency’s Gaithersburg, Maryland campus, according to multiple people briefed on the sightings. The DOGE staff were seeking access to NIST’s IT systems, one of the people said.

Soon after the purported visit, NIST leadership told employees that DOGE staffers were not currently on campus, but that office space and technology were being provisioned for them, according to the same people.

On Wednesday, Axios and Bloomberg reported that NIST had begun informing some employees that they could soon be laid off. About 500 recent hires who are still in probationary status and can be let go more easily were among those expected to be affected, according to the reports. Three sources tell WIRED that the cuts likely impact lauded technical experts in leadership positions, including three lab directors who were promoted within the last year. One person familiar with the agency tells WIRED that the official layoff notices may come Friday.

The White House and a spokesperson for NIST, which is part of the Department of Commerce, did not yet return requests for comment.

One NIST team that has been fearing cuts because of its number of probationary employees is the US AI Safety Institute (AISI), which was created after former President Joe Biden’s sweeping executive order on AI issued in October 2023. Trump rescinded the order shortly after taking office last month, describing it as a “barrier to American leadership in artificial intelligence.”

The AI Safety Institute and its roughly two dozen staffers has been working closely with AI companies, including rivals to Musk’s startup xAI like OpenAI and Anthropic, to understand and test the capabilities of their most powerful models. Musk was an early investor in OpenAI and is currently suing the startup over its decision to transition from a non-profit to a for-profit corporation.

AISI’s inaugural director, Elizabeth Kelly, announced she was leaving her role earlier this month. Several other high-profile NIST leaders working on AI have also departed in recent weeks, including Reva Schwartz, who led NIST’s Assessing Risks and Impacts of AI program, and Elham Tabassi, NIST’s chief AI advisor. Kelly and Schwartz declined to comment. Tabassi did not respond to a request for comment.

US Vice President JD Vance recently signaled the new administration’s intent to deprioritize AI safety at the AI Action Summit, a major international meeting held in Paris last week that AISI and other government staffers were not invited to attend, according to three familiar with the matter. “I'm not here this morning to talk about AI safety,” Vance said in his first major speech as VP. “I'm here to talk about AI opportunity.”

Though they receive bipartisan support, the AI Safety Institute and other parts of NIST had been preparing for the Trump administration to set new priorities for their work. In anticipation, some NIST teams began moving to deprioritize efforts such as fighting misinformation and racial bias in AI systems, according to two people familiar with the projects. Two other people say that putting even more public emphasis on national security was welcomed among some staffers, since the institute has already engaged in related research efforts.

Overall, the AI Safety Institute has been pressing ahead with working groups and other efforts focused on developing guidelines for studying AI systems. Last week, the startup Scale AI announced it had been selected by the institute as its “first approved third-party evaluator authorized to conduct AI model assessments.” Michael Kratsios, Trump’s pick to direct the White House Office of Science and Technology Policy, was until recently Scale’s managing director.

The feared layoffs at NIST have drawn strong rebuke from civil society groups, such as the Center for AI Policy, and congressional Democrats. NIST’s 2024 budget was about $1.5 billion, approximately .02 percent of federal spending overall, making it perhaps an unlikely target for Musk’s DOGE project. DOGE staffers have dropped into several government agencies this month, gaining access to sensitive systems, promoting the use of AI to boost productivity, and seeding a trail of resignations among long-time government workers. DOGE’s specific goals at NIST couldn’t be immediately learned.

US Representative Jake Auchincloss, a Democrat who serves on the House energy and commerce committee, says any efforts by DOGE to trim NIST rather than focusing instead on parts of government that account for far more spending, such as Department of Defense contracts, amounts to “scrounging for pennies in front of a bank vault.” He called NIST an agency with high returns on investment and warned that hobbling it would be self-defeating for the US. “Imparing NIST’s function is going to harm business productivity and increase costs,” Auchincloss says.

Staff for Democrats on the US House of Representatives Committee on Science, Space, and Technology say they are concerned about the potential for significant economic harm from any cuts to NIST. The agency’s timekeeping is used by stock markets and its research on buildings and pipelines help keep infrastructure intact. DOGE “might throw out things that are crucial to the functioning of the economy,” says one of the Democratic staffers, who all spoke on the condition of anonymity.

Budget cuts at other agencies could also have ripple effects at NIST because they help fund some of its projects, including studies on the accuracy of facial recognition systems and a database of cybersecurity vulnerabilities. “We’re worried about staffing, funding at every research agency in the federal government,” says the science committee staffer.

Earlier this month, California representative Zoe Lofgren, the top Democrat on the Republican-controlled House science committee, and her colleagues sent letters to the heads of several agencies including NIST and National Aeronautics and Space Administration demanding transparency about DOGE activities.

“While NIST does not conduct classified research, its cutting edge work in topics such as AI, quantum sensors and clocks, and semiconductors are world-class, and improper exfiltration to non-secure servers would be a boon for our adversaries,” stated the letter last week to NIST Acting Director Craig Burkhardt. It demanded a response from him by February 18; as of February 19, there had been none, according to Lofgren’s office.

The letter also raised concern about Musk’s potential conflicts of interest at NIST, given the intimate dealings between the AI Safety Institute and his competitors. Representative Auchincloss, who has studied NIST’s biology projects, expressed concern about Musk potentially gaining an unfair advantage and compromising safety by influencing standards that affect his Neuralink brain implant venture.

NIST was originally created in 1901 to help the US science and engineering industries establish scientific norms in areas like measurement. In coordination with the US Naval Observatory, the agency is also responsible for building and maintaining the country’s most accurate atomic clocks. Overall, NIST currently employs about 3,400 scientists, engineers, and technicians, according to its website.

Project 2025, an informal plan for the Trump administration crafted by the Heritage Foundation, an influential right-leaning think tank, called for consolidating the research work currently spread across NIST and other agencies and ensuring that it “serves the national interest in a concrete way in line with conservative principles.”

_Additional reporting by Andrew Couts, Kate Knibbs, and Louise Matsakis._

The National Institute of Standards and Technology Braces for Mass Firings

Breeze Liu has been a prominent advocate for victims. But even she struggled to scrub nonconsensual intimate images and videos of herself from the web.

Breeze Liu’s online nightmare started with a phone call. In April 2020, a college classmate rang Liu, then 24 years old, to tell her an explicit video of her was on PornHub under the title “Korean teen.” Liu alleges it had been filmed without her permission when she was 17 and uploaded without her consent.

Over time, the video mushroomed and multiplied: it was saved, posted on other porn websites and, Liu claims, used to create intimate deepfake videos that spread across the web. The impact on Liu was profound. “I honestly had to struggle with suicidal thoughts, and I almost killed myself,” she says.

Wiping around 400 nonconsensual images and videos from the web would require a multiyear, intercontinental effort. During this time, Liu went from working as a venture capitalist to starting her own company to help fight digital abuse. But when dealing with her own content, the entrepreneur faced a wall of silence and continual delays from one of the internet’s biggest gatekeepers: Microsoft.

As images and videos are published on websites like PornHub, they’re often hosted on cloud infrastructure. A series of emails related to Liu’s case reviewed by WIRED, plus interviews with a French victims’ aid organization and other advocates working with her, show how Microsoft, despite repeated pleas, did not remove about 150 explicit images of Liu stored on its Azure cloud services. While other companies took down hundreds of images, Liu and a colleague say Microsoft only took action after the two confronted a senior member of the tech giant’s safety team at a content moderation conference.

The drawn-out process, which prolonged the emotional toll on Liu, provides a detailed illustration of the difficulties victims and survivors of intimate image abuse experience in trying to erase the content from the web. Liu’s ordeal also highlights the void some victims fall into when their age in the imagery is disputed or hard to discern, an overlooked problem that may become more pressing as nudify apps spread in high schools.

“It’s almost impossible for ordinary people to navigate the complex system and do damage control,” Liu says. While she has shared parts of her struggle before, many of the details in this story and the resolution of Microsoft’s prolonged failure to remove the intimate images have not been previously reported. “We’re facing an extremely broken system, and this is a global issue,” Liu says. “This is a huge problem.”

Courtney Gregoire, Microsoft’s chief digital safety officer, says the company has learned from miscommunications in Liu’s case and doesn’t want anyone to go through the agonizing experience she did. “This content is a priority area where we endeavor to be actioning within 12 hours,” Gregoire says. For Liu, the grueling process took eight months.

After being alerted to the first nonconsensual video of her online in April 2020, Liu says, it took her a whole day to calm down. On May 14 of that year, she contacted the Berkeley Police Department, where she lived in California at the time.

The state considers it a misdemeanor crime to share real or spoofed intimate images of someone without their consent while knowing it would cause them distress. Detectives obtained search warrants for some websites but couldn’t identify the people responsible for uploading the content “based on the limited information retained by the internet sites and the overseas nature of the accounts involved,” department spokesperson Byron White says. Liu says she had a suspicion of who was responsible for the uploads, but the detectives weren’t sure how to prove it.

Liu contacted the Cyber Civil Rights Initiative, a US-based nonprofit that helps to tackle abusive content. While the organization found another webpage with violative content of her, the entrepreneur says it couldn’t aid her with takedown requests because she appeared potentially under the age of 18 in the images. The Cyber Civil Rights Initiative declined to comment about Liu but confirmed that it is legally barred from reviewing sexual imagery of minors.

By this point, it had been months since Liu first learned of the images and videos, and she needed a break. The original video hadn’t been quickly removed, and Liu suspected it had already spread far and wide. She felt powerless. She decided to let the case go, citing the stress of the pandemic, her frantic work schedule in venture capital, and the toll on her health. Embarrassed and terrified, the only confidant she told her story to was her cat.

“I always had this gut feeling that there’s more, but I was not mentally stable enough to handle any more brutal truths,” Liu says, adding that she did not feel comfortable searching for them herself. “You don’t want to see that of yourself.” That changed after Liu left her VC job in 2022 and decided to fully pursue her own startup, Alecto AI, which aims to develop face-recognition tools to help people find and remove nonconsensual images that have been shared on digital platforms.

It took about three years before Liu was ready to revisit efforts to get the explicit content of her taken down. Toward the end of 2023, she enlisted the help of her Alecto AI cofounder, Andrea Powell, a longtime trafficking and abuse victims’ advocate. That October, they sought out the help of a researcher at a victim helpline funded by the UK government. The researcher’s manual and automated image searching discovered 832 links appearing to show Liu in intimate states. “I couldn’t even look at the file, because that was just too much,” Liu says. She dialed up her therapist while a friend downloaded the spreadsheet of URLs for her. “She wasn’t even clicking into the content; she was just looking at the name of the URLs and she started crying,” Liu says.

Powell says the links contained “violent Asian-centric” language. But the UK-funded helpline can’t help victims abroad with takedowns, leaving Liu stranded with the spreadsheet. She thought about using StopNCII, a popular tool that uses matching algorithms to find abusive images, but felt it wasn’t a good fit. She feared it might not be able to spot potential deepfakes.

Liu then contacted the FBI, which preserved some of the links as evidence but in her view did not demonstrate further progress toward arresting the original uploader. The agency declined WIRED’s request for comment.

At one point, Liu turned to the National Center for Missing & Exploited Children, or NCMEC, a nonprofit established by the US Congress to work with child sexual abuse imagery, to see if it could help. But the nonprofit could not engage, Liu says. Even though Liu looked young in the content, she could not prove she was under 18 at the time, a prerequisite for NCMEC to pursue takedowns.

Lauren Coffren, NCMEC’s executive director, says it relies on partner law enforcement agencies to assess the age of victims. Age-borderline cases are rare, Coffren says, but “that stinks for a survivor” who should qualify for the organization’s help. “It speaks to just how difficult it is for survivors to be able to navigate this.”

Liu felt stuck between groups that seemingly couldn’t pursue takedowns for her. And she was tired of being judged. “What difference would it make if I was 17 or just two days over 18?” she says. “The damage for me is the same. It’s beyond frustrating.”

That’s when Powell, at the Paris Peace Forum, pleaded to a French victims’ aid organization, Point de Contact, which assists people in reporting illegal content. “I was sort of threatening that I just fly Breeze to France and make the case she’s French,” Powell says. Ultimately, on November 13, 2023, Point de Contact agreed to step up where other organizations had not. In the following days, emails show, the hotline analyzed the URLs and by the middle of December had started to send legal takedown demands to hosting providers. Liu was overcome—progress at last. “I'm literally shaking as I'm typing this,” Liu wrote in an email as the work began.

Etienne Dirani, operations manager at Point de Contact, says it found 395 nonconsensual images in the links Liu provided. The majority of the remaining 437 had already been deleted or made inaccessible. Others did not clearly identify Liu, or did not depict her intimately. Dirani says “tens” of unique images were published across multiple websites and that Point de Contact’s investigation at the time didn’t find any content “likely” generated by AI.

Some companies and hosting providers moved quickly; by the first week of January 2024, 155 URLs were dead. Microsoft, according to emails from Point de Contact to Liu, requested additional identifying information, such as her full name and social media handles, so the company could verify the content was associated with her. Liu provided these details, including a copy of her passport, but nothing happened.

More than a month later, a few dozen additional pieces of content had been removed. Of the 202 that remained online, 142 were hosted on Microsoft’s Azure services. A Point de Contact investigator emailed Liu and alleged, “Microsoft's abuse team did not answer our notification emails” and said the team was trying some of its individual contacts at the company. Around that time, a frustrated Liu mentioned Microsoft’s slow response in an interview with The Street. An unnamed Microsoft spokesperson told the news outlet that the company was investigating and noted that any potential violations of its acceptable use policy are taken seriously. Yet again, no action followed.

“The main issue we had was the lack of response from Microsoft,” Dirani says. He alleges that Microsoft’s abuse team believed that it needed more information, but he says the company never communicated what that information was. Even a higher-up contact wouldn’t give a straight answer on what additional details could trigger a takedown. Point de Contact tried to “push” Microsoft more, including opening a new case, according to Dirani. “We were sending reminders of all the URLs that were still online,” he says. “But unfortunately, even the new reports we sent were not responded to.”

As months went by, Liu could do little but wonder how many people each day were encountering the violative imagery of her. She was terrified about her career being derailed and was generally disheartened. Powell says she was in touch with Microsoft’s director of public policy for digital safety, Liz Thomas, at the time, but she was told it was difficult to verify the content showed Liu.

However, in late July last year, Powell and Liu concocted a plan to speak with Thomas at a San Francisco hotel hosting TrustCon, a conference for people working on online trust and safety issues. They hadn’t registered for the event, but Powell located Thomas at the hotel’s public bar with a group of colleagues. Once the colleagues left, Powell approached Thomas and urged for action, pointing toward Liu as she made her case. Seeing Liu in the same room made an impact.

Within days of the event, a Microsoft staffer emailed Powell that the case had been escalated, and the 142 URLs with Liu’s image started disappearing. “I don't ideally want to be chasing trust and safety people up and down the halls at TrustCon to deal with a case,” Powell says. “But it was what had to be done.”

At the start of last August, Point de Contact told WIRED that only two images on four different Microsoft servers remained. “We deeply regret that this issue took almost 10 months of communication between the victim, Microsoft and us as an NGO to be resolved,” the NGO said in an email at the time.

Microsoft digital safety chief Gregoire says Liu’s situation has spurred her team to try to improve reporting processes and relationships with victim aid groups. Point de Contact initially flagged links over which the company didn’t have control, according to Gregoire. She declined to elaborate on the circumstances. Dirani says this explanation was never communicated to him, and it remains unclear why the links were not “actionable.”

Only after Powell cornered Thomas over Liu’s case did Microsoft obtain the URLs upon which it could act. “We’re thankful, to be perfectly honest, to the spontaneous connection at TrustCon,” Gregoire says. But it shouldn’t be needed again: Point de Contact now has a more direct way to stay in touch, she says.

Other victim aid groups say their relationships with tech giants remain challenging. Last year, a WIRED investigation revealed that executives at Google rejected numerous ideas raised by staff and outside advocates that aimed to proactively counter access to problematic imagery in search results. Some survivors have found that the fastest way to get content removed is by filing copyright claims, a tactic those working in the online safety industry say is inadequate.

The lack of consistency in policies and processes among tech companies contributes to delays in securing takedowns, according to Emma Pickering, the head of technology facilitated abuse at Refuge, the UK’s largest domestic abuse organization. “They all just respond however they choose to—and the response usually is incredibly poor,” she says. (Google introduced new policies in July 2024 to accelerate removals.)

Pickering claims Microsoft, in particular, has been difficult. “I’ve recently been told if I want to engage with them, we need to provide evidence that we use their platform and we promote them,” she says, adding Refuge is trying to engage with as many tech platforms as possible.

Microsoft’s Gregoire says she will look into these concerns and is open to dialogue. The company hopes to stem the need for takedowns, in part, by scaring off perpetrators. This past December, Microsoft sued a group of 10 unknown individuals who allegedly circumvented safeguards on Azure and used an AI tool to generate offensive images, including some Gregoire described as sexually harmful. “We don't want our services to be abused to cause harm,” she says.

For Liu, the challenges haven’t ended. Videos and images depicting her naked remain available on at least one self-styled “free porn” website, according to links reviewed by WIRED. She also has had to pour her savings into developing Alecto AI because investor support has been lackluster. Some investors allegedly told her not to use her own experience in her pitch. Liu says that when she pitched one male-female pair who were considering investing, they burst into laughter at the idea of building a business around the use of AI to detect online image abuse. Even responding that she had almost killed herself after being victimized did little to sway them, Liu says.

In December 2024, more than four and a half years since her nightmare began, Liu found a glimmer of hope. A proposal she has advocated for in the US Congress to require websites to remove unwanted explicit images within 48 hours nearly ended up on then-President Joe Biden’s desk. It was ultimately shelved, but real progress had never felt so close. Liu and a bipartisan group of over 20 lawmakers haven’t given up; in January, they reintroduced the proposal, which threatens potential penalties of up to $50,000 per violation. Despite objections from rights groups worried about over-censorship, the bill passed the Senate last week. Even Microsoft has gotten behind it.

_If you or someone you know needs help, call 1-800-273-8255_ _for free, 24-hour support from the National Suicide Prevention Lifeline. You can also text HOME to 741-741 for the Crisis Text Line. Outside the US, visit the International Association for Suicide Prevention_ _for crisis centers around the world._

How One AI Startup Founder Cornered Microsoft Into Finally Taking Down Explicit Videos of Her

These sorts of attacks reveal growing adversary interest in secure messaging apps used by high-value targets for communication, Google says.

Source: aily\_creativity via Shutterstock

Multiple Russia-aligned threat groups are actively targeting the Signal Messenger application of individuals likely to exchange sensitive military and government communications related to the country's war with Ukraine.

For now, the activity appears limited to persons of interest to Russia's intelligence services, according to researchers at Google's Threat Intelligence Group (GTIG), who spotted it recently. But the tactics the threat actors are using in the campaign could well serve as a blueprint for other groups to follow in broader attacks on Signal, WhatsApp, Telegram, and other popular messaging apps, GTIG warned in a blog post this week.

**Likely to Become More Prevalent**

"We anticipate the tactics and methods used to target Signal will grow in prevalence in the near-term and proliferate to additional threat actors and regions outside the Ukrainian theater of war," Google threat analyst Dan Black wrote in the post.

Two of the Russian cyber-espionage groups that Google observed targeting Signal are UNC5792 — a threat actor that Ukraine's CERT tracks as UAC-0195 — and UNC4221 (aka UAC-0185). The goal of the attackers in both cases is to trick targeted victims into unknowingly linking their Signal account to an attacker-controlled device so any incoming messages are simultaneously available on the linked device.  

The attacks are taking advantage of "linked devices," a feature of the Signal app that allows users to securely connect and synchronize their account across multiple devices. However, the tactics that each threat group uses to get targets to unwittingly link their accounts have been slightly different.

UNC5782's ploy has been to send invitations asking targeted individuals to join a Signal group by sharing a malicious QR code with them. While the invitations look identical to Signal's group invite, the threat actors have modified them so that anyone social-engineered into scanning the QR code ends up linking their account to a UNC592-controlled device instead.

The other threat group, UNC4221, is using a customized phishing kit that impersonates parts of Kropyva, an application that Ukraine's military uses for artillery guidance, to try and social-engineer Signal Messenger users of interest. The threat actor has established Kropyva-themed phishing sites with the QR code directly embedded on them. It has also set up phishing sites pretending to contain legitimate Signal instructions for device linking to encourage scam victims into scanning their malicious QR code.

**Broad Threat Actor Interest**

Google identified UNC4221 and UNC5782 as two of several Russian and Belarusian groups that are targeting Signal Messenger to spy on persons of interest. Not all attacks by UNC4221 and UNC578 have involved device linking. Russia's infamous Sandworm cyber-sabotage group (which Google tracks as APT44) has been stealing Signal messages from a target's Signal database or local storage files, using a combination of malware tools. Similarly, Turla, a threat actor that the US government has tied to Russia's Federal Security Service (FSB), is doing the same using a lightweight PowerShell script that it deploys after gaining access to a target environment. Another threat actor from the region targeting Signal Messenger, according to Google, is Belarus-linked UNC1151, which uses the Robocopy Windows file-copying tool to copy and store Signal messages and attachments for future theft.

The flurry of activity targeting Signal is a sign of broader attacker interest in secure messaging apps used by those in espionage and intelligence gathering, including politicians, military personnel, activists, privacy advocates, and journalists. The apps' security features, which include end-to-end encryption of text, voice, and video with minimal data collection practices, have made it a popular tool for at-risk individuals and communities. It has also made the app "a high-value target for adversaries seeking to intercept sensitive information that could fulfill a range of different intelligence requirements," Google's Black wrote.

Signal is not the only target. Russian groups have also targeted Telegram and WhatsApp users in the same way, Black said. He pointed to a recent Microsoft report on attacks by Russian group Star Blizzard (aka Coldriver, Blue Charlie, Callisto, and UNC4057) that targeted WhatsApp accounts belonging to current and former government officials and diplomats.

Significantly, attacks targeting WhatsApp can affect businesses as well. Although WhatsApp — like Signal, Telegram and other messenger apps — is primarily consumer-focused, numerous businesses worldwide use the app. WhatsApp even has a business version that it has positioned as a tool that businesses can use to engage with customers, accelerate sales, and deliver customer support.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Russian Groups Target Signal Messenger in Spy Campaign

Is your Signal, WhatsApp, or Telegram account safe? Google warns of increasing attacks by Russian state-backed groups. Learn…

Is your Signal, WhatsApp, or Telegram account safe? Google warns of increasing attacks by Russian state-backed groups. Learn how they’re stealing messages and what you can do to defend yourself.

Russian state-backed actors are increasingly targeting secure messaging applications like Signal to intercept sensitive communications, reveals a recent report by Google’s Threat Intelligence Group. These groups, often aligned with Russian intelligence services, are focusing on compromising accounts used by individuals of interest, including military personnel, politicians, journalists, and activists. While the initial focus appears to be related to the conflict in Ukraine, researchers believe that these tactics will spread to other regions and threat actors.  

A primary method employed by these actors in this campaign involves exploiting the “linked devices” feature of Signal. By using phishing techniques, they trick users into scanning malicious QR codes, which then secretly link the victim’s account to a device controlled by the attacker. This allows the attacker to receive all messages in real-time, effectively eavesdropping on conversations without needing to compromise the entire device.

These malicious QR codes are often disguised as legitimate Signal resources, such as group invites, security alerts, or even device pairing instructions. In some cases, they are incorporated into phishing pages designed to mimic specialized applications, such as those used by the Ukrainian military.

The screenshot shows a Signal app phishing site and one of the malicious QR codes used in the attack (via Google).

In some cases, malicious QR codes are used in close-access scenarios, such as when Russian military forces capture devices on the battlefield.  This method lacks centralized monitoring and can go unnoticed for extended periods, which makes it hard to detect.

One group, identified as UNC5792 (also known as UAC-0195), has been observed modifying legitimate Signal group invite links. These altered links redirect victims to fake pages that initiate the unauthorized linking of their devices to the attacker’s control. The phishing pages are designed to closely resemble official Signal invites, making detection challenging. 

Another group, UNC4221 (UAC-0185), has targeted Ukrainian military personnel by embedding malicious QR codes within phishing sites that mimic artillery guidance applications. They have also used fake Signal security alerts to deceive victims. 

Beyond phishing, APT44 (Sandworm) utilizes malware and scripts to extract Signal messages from compromised Windows and Android devices. Their WAVESIGN script retrieves recent messages, while Infamous Chisel malware searches for Signal database files on Android devices.  

Other groups, like Turla and UNC1151, target the desktop application, using scripts and tools to copy and exfiltrate stored messages. UNC4221 has also used a JavaScript payload called PINPOINT to gather user information and geolocation data.

The popularity of secure messaging apps makes them prime targets for adversaries and other platforms, such as WhatsApp and Telegram, are also facing similar threats.

“The operational emphasis on Signal from multiple threat actors in recent months serves as an important warning for the growing threat to secure messaging applications that is certain to intensify in the near-term,” researchers warned.

Therefore, users are advised to stay cautious. It is important to use strong screen locks with complex passwords, keep operating systems and apps updated, and ensure Google Play Protect is enabled. Regularly auditing linked devices, exercising caution with QR codes and links, and enabling two-factor authentication are also recommended. iPhone users at high risk should consider enabling Lockdown Mode.

Hackers Tricking Users Into Linking Devices to Steal Signal Messages

The authentication bypass vulnerability in the OS for the company's firewall devices is under increasing attack and being chained with other bugs, making it imperative for organizations to mitigate the issue ASAP.

Source: Chiew via Shutterstock

Attackers are actively exploiting an authentication bypass flaw found in the Palo Alto Networks PAN-OS software that lets an unauthenticated attacker bypass authentication of that interface and invoke certain PHP scripts.

Both the Cybersecurity Infrastructure and Security Agency (CISA) and security researchers are warning of increasing attacker activity to exploit the flaw, tracked as CVE-2025-0108 and first revealed in a blog post on Feb. 12 as a zero-day flaw by researchers at Searchlight Cyber AssetNote. PAN-OS is the operating system for Palo Alto's firewall devices; the flaw affects certain versions of PAN-OS v11.2, v11.1 , v10.2, and v10.1 and has been patched for all affected versions.

Patch info is available in Palo Alto's security advisory on CVE-2025-0108, which is rated as 8.8 and therefore of high severity on the CVSS. The company warned that while the PHP scripts that can be invoked do not themselves enable remote code execution, exploiting the flaw "can negatively impact integrity and confidentiality of PAN-OS," potentially giving attackers access to vulnerable systems, where other bugs could be used to achieve further aims.

Indeed, researchers observed attackers making exploit attempts by chaining CVE-2025-0108 with two other PAN-OS Web management interface flaws — CVE-2024-9474, a privilege escalation flaw, and CVE-2025-0111, an authenticated file read vulnerability — on unpatched and unsecured PAN-OS instances.

**Active Exploitation of Palo Alto Firewalls**

Threat actors apparently got the memo on the potential for exploit, as attacks on affected devices are on the rise. As of Feb. 18, 25 malicious IPs are actively exploiting CVE-2025-0108, up from merely two the day after its discovery was made public, according to researchers at GreyNoise. The top three countries for these attacks are the US, Germany, and the Netherlands, according to a blog post on the exploitation.

"Organizations relying on PAN-OS firewalls should assume that unpatched devices are being targeted and take immediate steps to secure them," Noah Stone, head of content at GreyNoise Intelligence, wrote in the post.

The increased activity to exploit the flaw compelled the CISA to add it to the Known Exploited Vulnerabilities Catalog this week and urge those affected to apply Palo Alto's patches for affected device versions.

**Why CVE-2025-0108 in PAN-OS Exists**

The flaw exists because of a common architecture present in PAN-OS, "where authentication is enforced at a proxy layer, but then the request is passed through a second layer with different behavior," security researcher Adam Kues wrote in Searchlight Cyber Assenote's post.

"Fundamentally, these architectures lead to header smuggling and path confusion, which can result in many impactful bugs," he explained.

Specifically, a Web request to the PAN-OS management interface is handled by three separate components: Nginx, Apache, and the PHP application itself. The researchers found that when the authentication by the requester is set at the Nginx level and based on HTTP headers, the request is then reprocessed again in Apache, which may process the path or headers differently to Nginx before finally handing off the request to PHP.

"If there is a difference between what Nginx thinks our request looks like and what Apache thinks our request looks like, we could achieve an authentication bypass," Kues explained.

The risk of exploitation is greatest if a network configuration enables access to the management interface from the Internet (or any untrusted network) either directly or through a dataplane interface that includes a management interface profile, Palo Alto noted in its advisory.

**Eliminate Risk by Patching Auth Bypass Now**

Palo Alto's network devices are widely used and flaws within them are often quickly set upon by attackers, making it imperative that mitigation for CVE-2025-0108 happens sooner rather than later. The best way to eliminate the risk of exploitation completely is to apply Palo Alto's updates to affected devices, according to the CISA and researchers.

Affected organizations also can reduce this risk if network administrators ensure that only trusted internal IP addresses can access the management interface, according to Palo Alto. Defenders can discover any assets that require remediation action by visiting the Assets section of the Customer Support Portal, the company said.

Palo Alto also recommends that organizations whitelist IPs in the management interface to prevent this or similar vulnerabilities from being exploited over the Internet.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Tag

#sap