WhatsApp has accused professional spyware company Paragon of spying on a select group of users.

WhatsApp has accused the professional spyware company Paragon of spying on a select group of users.

WhatsApp, the Meta-owned, end-to-end encrypted messaging platform, said it has reliable information that nearly 100 journalists and other “members of civil society” were targets of a spyware campaign conducted by the Israeli spyware company.

“Members of civil society” usually refers to individuals and organizations that operate independently from government and business sectors, often those advocating for public interests, influencing policy, or holding governments accountable.

In a statement, a WhatsApp spokesperson said:

> “This is the latest example of why spyware companies must be held accountable for their unlawful actions. WhatsApp will continue to protect people’s ability to communicate privately”

Many such targets use WhatsApp because they rely on the end-to-end encryption (E2EE) that it offers by default to safeguard communications, protect sources, and shield sensitive information from prying eyes.

The targets were spread over two dozen countries, including several in Europe. WhatsApp notified the possibly affected accounts through its own app. The platform has the ability notify users about sensitive matters directly via a WhatsApp chat. In such a case, the chat will include a system message at the top of the chat that verifies that it originates from the official account of WhatsApp Support, and there will be a blue checkmark next to WhatsApp Support at the top of the chat.

A spokesperson stated that WhatsApp was able to identify and block the attack vector which Paragon used in these attacks. Reportedly, the hacking campaign used malicious PDFs sent via WhatsApp groups to compromise targets. The attack apparently required no action from the target, a so-called zero-click attack.

Researchers have often compared Paragon’s Graphite spyware to the Pegasus spyware, a deeply invasive tool developed by a company called NSO that WhatsApp has been fighting in court since 2019. But up until now, Paragon was able to keep a low profile. This is the first time that Paragon has been publicly linked to a hacking campaign that allegedly targeted journalists and members of civil society.

WhatsApp has sent Paragon Solutions a cease-and-desist letter following the series of attempted attacks. Meta also notified Canadian privacy watchdog Citizen Lab. Citizen Lab’s researcher John Scott-Railton says they observed this campaign and have started an investigation.

The attacks reportedly took place in December 2024. If you are a potential target and you received a suspicious PDF you can reach out to Citizen Lab or the non-profit digital security helpline AccessNow.

If you received a WhatsApp notification about the attack, you can contact WhatsApp Support in-app by clicking here.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 WhatsApp says Paragon is spying on specific users 

The ABB Cylon FLXeon BAS controller is vulnerable to authenticated root command execution via the cmds API. An authenticated attacker can execute arbitrary system commands with root privileges.

Title: ABB Cylon FLXeon 9.3.4 (cmds.js) Authenticated Root Remote Code Execution  
Advisory ID: ZSL-2025-5908  
Type: Local/Remote  
Impact: System Access, DoS  
Risk: (5/5)  
Release Date: 02.02.2025

**Summary**

BACnet® Smart Building Controllers. ABB's BACnet portfolio features a series of BACnet® IP and BACnet MS/TP field controllers for ASPECT® and INTEGRA™ building management solutions. ABB BACnet controllers are designed for intelligent control of HVAC equipment such as central plant, boilers, chillers, cooling towers, heat pump systems, air handling units (constant volume, variable air volume, and multi-zone), rooftop units, electrical systems such as lighting control, variable frequency drives and metering.

The FLXeon Controller Series uses BACnet/IP standards to deliver unprecedented connectivity and open integration for your building automation systems. It's scalable, and modular, allowing you to control a diverse range of HVAC functions.

**Description**

The ABB Cylon FLXeon BAS controller is vulnerable to authenticated root command execution via the cmds API. An authenticated attacker can execute arbitrary system commands with root privileges.

**Vendor**

ABB Ltd. - https://www.global.abb

**Affected Version**

FLXeon Series (FBXi Series, FBTi Series, FBVi Series)  
CBX Series (FLX Series)  
CBT Series  
CBV Series  
Firmware: <=9.3.4

**Tested On**

Linux Kernel 5.4.27  
Linux Kernel 4.15.13  
NodeJS/8.4.0  
Express

**Vendor Status**

\[21.04.2024\] Vulnerability discovered.  
\[22.04.2024\] Vendor contacted.  
\[22.04.2024\] Vendor responds.  
\[02.05.2024\] Working with the vendor.  
\[20.01.2025\] Vendor releases version 9.3.5 to address this issue.  
\[02.02.2025\] Coordinated public security advisory released.

**PoC**

cmdsapi.py

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

\[1\] https://search.abb.com/library/Download.aspx?DocumentID=9AKK108470A5684&LanguageCode=en&DocumentPartId=PDF&Action=Launch  
\[2\] https://www.cve.org/CVERecord?id=CVE-2024-48841

**Changelog**

\[02.02.2025\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

ABB Cylon FLXeon 9.3.4 (cmds.js) Authenticated Root Remote Code Execution

WhatsApp recently revealed a targeted spyware campaign linked to the Israeli firm Paragon, which affected 90 individuals, including…

WhatsApp recently revealed a targeted spyware campaign linked to the Israeli firm Paragon, which affected 90 individuals, including journalists and civil society members. The platform confirmed that affected users have been directly notified.

Meta-owned messaging app **WhatsApp** confirmed that it was taking action to stop a spyware attack targeting approximately 90 individuals, including journalists and members of civil society organizations. Those affected have been directly notified about the security breach, however, WhatsApp has not disclosed the location of journalists and civil society members, including if any of them were based in the US.

WhatsApp’s investigation points to Paragon Solutions, an Israeli spyware firm acquired by AE Industrial Partners, as the perpetrator of this attack. Reportedly, the attack vector involved the distribution of malicious PDF files through WhatsApp groups. Experts claim the targeting was a “**zero-click**” attack, requiring no malicious links to be infected. WhatsApp has since released a security update to neutralize this vulnerability.  

This campaign was also independently observed and is under investigation by John Scott-Railton, a senior researcher at The Citizen Lab, as he noted in a post on X (formerly Twitter). 

> NEW: @WhatsApp says Israeli mercenary spyware company #Paragon targeted scores of users around world.
> 
> The infection happened with no interaction. No link to click or attachment to open.
> 
> This is called a "zero-click" attack.
> 
> WA says targets included journalists & members of… pic.twitter.com/TekGNMdkoF
> 
> — John Scott-Railton (@jsrailton) February 1, 2025

WhatsApp believes the campaign occurred in December and has issued a cease and desist letter to Paragon. Since its inception in 2019, Paragon has maintained a low profile and has been embroiled in a hacking controversy for the first time, unlike other spyware makers like Intellexa and NSO Group, which have faced U.S. government sanctions and blocklists.

 However, the company has been under scrutiny following Wired Magazine’s October **report** of the company signing a $2m contract with the US Immigration and Customs Enforcement’s homeland security investigations division.

This action follows WhatsApp’s successful legal challenge against NSO Group, another Israeli spyware firm, as **reported** by Hackread.com.  In that case, the NSO Group was found liable for exploiting a WhatsApp vulnerability to deploy its Pegasus spyware on at least 1,400 devices, targeting journalists, activists, and government officials. Hackread.com had **previously reported** that WhatsApp discovered the vulnerability exploited in this attack in May 2019.

The recent Paragon campaign targeted individuals across over two dozen countries, particularly in Europe, with the Italian news outlet fanpage.it confirming it was among those targeted. WhatsApp collaborated with The Citizen Lab, a research group based at the University of Toronto, on its investigation. 

According to Scott-Railton, the targeting of journalists and civil society is a systemic issue within the commercial spyware industry, not an isolated incident.  He also highlighted the potential risk to government personnel from such attacks.  

Paragon and AE Industrial Partners have yet to respond to this news.

WhatsApp’s previous legal victory against NSO Group and its ongoing efforts against Paragon demonstrate its commitment to challenging the spyware industry and protecting user privacy.

“This is the latest example of why spyware companies must be held accountable for their unlawful actions. WhatsApp will continue to protect people’s ability to communicate privately,” WhatsApp’s spokesperson stated.

Israeli Spyware Firm Paragon Linked to WhatsApp Zero-Click Attack

Plus: WhatsApp discloses nearly 100 targets of spyware, hackers used the AT&T breach to hunt for details on US politicians, and more.

The rapid rise of DeepSeek, a Chinese generative AI platform, heightened concerns this week over the United States’ AI dominance as Americans increasingly adopt Chinese-owned digital services. With ongoing criticism over alleged security issues posed by TikTok’s relationship to China, DeepSeek’s own privacy policy confirms that it stores user data on servers in the country.

Meanwhile, security researchers at Wiz discovered that DeepSeek left a critical database exposed online, leaking over 1 million records, including user prompts, system logs, and API authentication tokens. As the platform promotes its cheaper R1 reasoning model, security researchers tested 50 well-known jailbreaks against DeepSeek’s chatbot and found lagging safety protections as compared to Western competitors.

Brandon Russell, the 29-year-old cofounder of the Atomwaffen Division, a neo-Nazi guerrilla organization, is on trial this week over an alleged plot to knock out Baltimore’s power grid and trigger a race war. The trial provides a look into federal law enforcement’s investigation into a disturbing propaganda network aiming to inspire mass casualty events in the US and beyond.

An informal group of West African fraudsters calling themselves the Yahoo Boys are using AI-generated news anchors to extort victims, producing fabricated news reports falsely accusing them of crimes. A WIRED review of Telegram posts reveals that these scammers create highly convincing fake news broadcasts to pressure victims into paying ransoms by threatening public humiliation.

That’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click on the headlines to read the full stories. And stay safe out there.

According to a report by The Wall Street Journal, hacking groups with known ties to China, Iran, Russia, and North Korea are leveraging AI chatbots like Google Gemini to assist with tasks such as writing malicious code and researching potential attack targets.

While Western officials and security experts have long warned about AI's potential for malicious use, the Journal, citing a Wednesday report from Google, noted that the dozens of hacking groups across more than 20 countries are primarily using the platform as a research and productivity tool—focusing on efficiency rather than developing sophisticated and novel hacking techniques.

Iranian groups, for instance, used the chatbot to generate phishing content in English, Hebrew, and Farsi. China-linked groups used Gemini for tactical research into technical concepts like data exfiltration and privilege escalation. In North Korea, hackers used it to draft cover letters for remote technology jobs, reportedly in support of the regime’s effort to place spies in tech roles to fund its nuclear program.

This is not the first time foreign hacking groups have been found using chatbots. Last year, OpenAI disclosed that five such groups had used ChatGPT in similar ways.

**WhatsApp Reveals Targets of Paragon Spyware**

On Friday, WhatsApp disclosed that nearly 100 journalists and civil society members were targeted by spyware developed by the Israeli firm Paragon Solutions. The Meta-owned company alerted affected individuals, stating with “high confidence” that at least 90 users had been targeted and “possibly compromised,” according to a statement to The Guardian. WhatsApp did not reveal where the victims were located, including whether any were in the United States.

The attack appears to have used a “zero-click” exploit, meaning victims were infected without needing to open a malicious link or attachment. Once a phone is compromised, the spyware—known as Graphite—grants the operator full access, including the ability to read end-to-end encrypted messages sent via apps like WhatsApp and Signal.

While it remains unclear who orchestrated the attack, Paragon’s spyware is marketed to government clients, and is similar to that of NSO Group, the controversial Israeli firm behind the Pegasus spyware.

In October, WIRED reported that US Immigration and Customs Enforcement had signed a $2 million contract with the Israeli firm. After our reporting, ICE later issued a stop-work order to review whether the deal complied with a Biden administration executive order restricting the use of spyware to limited circumstances. That 2023 executive order remains in effect, despite the Trump administration rescinding dozens of Biden-era policies in Trump’s first two weeks in office.

**Hackers Used AT&T Breach Data to Hunt for Info on US Politicians**

Hackers behind last year’s massive AT&T data breach sifted through stolen records in search of information linked to high-profile figures, including members of the Trump family, Vice President Kamala Harris, and Jeanette Rubio, the wife of Senator Marco Rubio, according to 404 Media.

In April 2024, hackers breached AT&T’s instance of Snowflake, a widely used data warehousing tool, gaining access to 50 billion records of calls and text messages. According to 404Media, the hackers then enriched the dataset using publicly available tools, appending names to phone numbers to make the records more identifiable as part of a plant to launch a lookup tool that would allow anyone to search the stolen records—for a fee.

Two individuals have been identified as allegedly responsible for the breach: Connor Riley Moucka, a Canadian national who was arrested in November; and John Binns, an American hacker residing in Turkey who was previously arrested for a 2021 breach of T-Mobile. They are linked to a loosely connected online network of criminals called the Com.

**Mystery Drones Over New Jersey Were ‘Authorized,’ White House Says**

At the first press briefing of Donald Trump’s second administration, White House press secretary Karoline Leavitt addressed the surge of unexplained drones spotted over New Jersey and other parts of the East Coast late last year. Leavitt said President Trump personally briefed her on the issue in the Oval Office, stating, “After research and study, the drones that were flying over New Jersey in large numbers were authorized to be flown by the FAA for research and various other reasons.”

Leavitt downplayed concerns about a foreign threat, adding, “In time, it got worse due to curiosity. This was not the enemy.”

The wave of sightings began just before Thanksgiving, with witnesses reporting unidentified drones flying in formation night after night. Some were spotted hovering over military installations and water reservoirs. Within weeks, the FBI received more than 5,000 reports of drone activity—only about 100 cases warranted further investigation.

Despite mounting public pressure, officials offered few definitive answers. By mid-December, a coalition of federal agencies—including the Department of Homeland Security, the FBI, and the Department of Defense—issued a joint statement concluding that the reported aerial objects were a mix of lawful drones, airplanes, helicopters, and stars.

Foreign Hackers Are Using Google’s Gemini in Attacks on the US

Meta-owned WhatsApp on Friday said it disrupted a campaign that involved the use of spyware to target journalists and civil society members.
The campaign, which targeted around 90 members, involved the use of spyware from an Israeli company known as Paragon Solutions. The attackers were neutralized in December 2024.
In a statement to The Guardian, the encrypted messaging app said it has reached

Meta Confirms Zero-Click WhatsApp Spyware Attack Targeting 90 Journalists, Activists

The sudden rise of DeepSeek has raised questions of data origin, data destination, and the security of the new AI model.

The sudden rise of DeepSeek has raised concerns and questions, especially about the origin and destination of the training data, as well as the security of the data.

For those returning from a short holiday away from the news, DeepSeek is a new player on the Artificial Intelligence (AI) field. The Chinese startup has certainly taken the app stores by storm: In just a week after the launch it topped the charts as the most downloaded free app in the US. This caused an upset on the stock markets that cost nVidia and Oracle shareholders a lot of money.

DeepSeek has been called an open-source project, however this technically is not true because only the model’s outputs and certain aspects are publicly accessible. This makes it qualify as an open-weight model. Anyway, the important difference is that the underlying training data and code necessary for full reproduction of the models are not fully disclosed.

And it’s the data that pose a concern to many. OpenAI has accused DeepSeek of using its ChatGPT model to train DeepSeek’s AI chatbot, which triggered quite some memes. If only because OpenAI previously suffered accusations of using data that was not its own in order to train ChatGPT.

Authorities have started to ask questions as well. The Italian privacy regulator GPDP has asked DeepSeek to provide information about the data it processes in the chatbot, and its training data.  Because it sees a risk to the privacy of millions of Italian citizens, GDPD has demanded DeepSeek answers within 20 days questions about:

*   Which personal data is collected
*   The origin of the data
*   Purpose for the collection
*   Whether the data is stored on servers in China

According to the Italian press agency ANSA, DeepSeek disappeared on January 29, 2025 from Google and Apple’s app stores in Italy.

And if all that isn’t scary enough, researchers at Wiz have found a publicly accessible database belonging to DeepSeek.

> “This database contained a significant volume of chat history, backend data and sensitive information, including log streams, API Secrets, and operational details. “

The database was not just accessible and readable, it was also open to control and privilege escalation within the DeepSeek environment. No authentication was required, so anybody that stumbled over the database was able to run queries to retrieve sensitive logs and actual plaintext chat messages, and even to steal plaintext passwords and local files.

Needless to say, this oversight put DeepSeek and its users at risk.

We have said this before and we’ll probably have to repeat it numerous times, but the need for fast developments in this field is creating privacy risks that we have never seen before, simply because security is an afterthought for the developers. So, no matter which AI chatbot you prefer, always be mindful of the information you feed it: It may find its way to unexpected and undesirable places.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 The DeepSeek controversy: Authorities ask where does the data come from and how safe is it? 

Data analysis has shown which 4-digit pin codes offer the best chances for an attacker. Are you using one of them?

Australian news outlet ABC NEWS analyzed a data set of 29 million 4-digit PIN numbers that people actually used to secure their devices, ATM withdrawals, building access, and more.

What the outlet discovered is both expected and disappointing: Too many people use insecure PIN codes to protect important parts of their lives.

Now, I feel compelled to add that I’ve always considered any four-digit string of numbers as simply too few numbers to secure anything important. It takes only 10,000 tries in a worst-case scenario for the attacker, which is not an awful lot for a determined—and sometimes machine-assisted—attacker.

My (Dutch) bank uses a five-digit number to access the app, although it still uses four digits for payments or to make withdrawals from an ATM. But that might be because that’s how the machines are programmed to work. Also, in those cases, entering the PIN itself could be considered a second factor in a multi-factor authentication (MFA) procedure since you already need to have possession of the card.

That said, ABC’s research shows that many of us are predictable when it comes to picking out our PINs. For example, it should come as no surprise that 0000 is popular since it is the default PIN code for many devices—and apparently many people don’t see the importance of changing it.

Whether this reflects our doubt in our own memory or it reflects a certain degree of laziness would require a deeper psychological analysis, but as with passwords, people tend to pick easy-to-remember options that are, for instance, the same digit repeated four times over, or a predictable sequence of four digits, such as 1234. They also prefer numbers that are easy to type, like the figure “2580” which goes straight down the numberpad.

2580 is ranked 28

Other predictable numbers stem from the fact that we use birthdays and birth-years so we can easily remember the PIN code. This is why we see a lot of pin numbers that start with 19 for a year or where the first digit of a month is either a 0 or a 1 which comes in the first or third place of the code, depending on the way you format your dates.

The worrying part is that by trying the first the options in the list ranked by popularity, an attacker can raise his chances of a breach to 11.7 %.

In some cases the attacker may only have five chances, so guess which ones they will be trying.

I have copied the top 10 PIN codes, so you can get an idea of which codes to avoid or change to improve the security level of them.

**Ranking**

**Code**

**Popularity**

1

**1234**

9.0%

2

**1111**

1.6%

3

**0000**

1.1%

4

**1342**

0.6%

5

**1212**

0.4%

6

**2222**

0.3%

7

**4444**

0.3%

8

**1122**

0.3%

9

**1986**

0.3%

10

**2020**

0.3%

As in many situations, it’s prudent to remember that the option that is easiest to use is almost never the most secure.

 These are the 10 worst PIN codes 

UnitedHealth now estimates that 190 million people were affected by the massive Change Healthcare data breach nearly a year ago.

UnitedHealth says it now estimates that the data breach on its subsidiary Change Healthcare affected 190 million people, nearly doubling its previous estimate from October.

In May, UnitedHealth CEO Andrew Witty estimated that the ransomware attack compromised the data of a third of US individuals when he testified before the Senate Finance Committee on Capitol Hill. In October, this was largely confirmed when Change Healthcare reported a number of 100,000,000 affected individuals.

Besides the enormous number of victims, the story behind this ransomware attack is also very complex, because of the cybercriminals involved and how the first group that received the ransom payment disappeared without paying their affiliates.

The ALPHV/BlackCat ransomware group claimed the initial attack. The UnitedHealth Group reportedly paid $22 million to receive a decryptor and to prevent the attackers from publicly releasing the stolen data.

But shortly after the payment, ALPHV disappeared in an unconvincing exit scam designed to make it look as if the group’s website had been seized by the FBI, forgetting to pay its affiliates in the process. A month later, newcomer ransomware group RansomHub listed Change Healthcare as a victim on its own website, claiming to have the data that ALPHV stole.

According to BleepingComputer, the original attackers joined forces with RansomHub and never deleted the data. A few days later, the listing on the RansomHub leaks site disappeared, which usually means someone paid the ransom.

**Stolen information**

The data breach at Change Healthcare is the largest healthcare data breach in US history. Although Change Healthcare provided details about the types of medical and patient data that was stolen, it can’t provide exact details for every individual. However, the exposed information may include:

*   Contact information: Names, addresses, dates of birth, phone numbers, and email addresses.
*   Health insurance information: Details about primary, secondary, or other health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers.
*   Health information: Medical record numbers, providers, diagnoses, medicines, test results, images, and details of care and treatment.
*   Billing, claims, and payment information: Claim numbers, account numbers, billing codes, payment card details, financial and banking information, payments made, and balances due.
*   Other personal information: Social Security numbers, driver’s license or state ID numbers, and passport numbers.

Change Healthcare added:

> “The information that may have been involved will not be the same for every impacted individual. To date, we have not yet seen full medical histories appear in the data review.”

**Protecting yourself after a data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Malwarebytes has a free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

 UnitedHealth almost doubles victim numbers from massive Change Healthcare data breach 

“Yahoo Boy” scammers are impersonating CNN and other news organizations to create videos that pressure victims into making blackmail payments.

When online romance and sextortion scammers sense they’ve found a victim who may send them money, they’ll use all kinds of villainous methods to get paid. They’ll frequently stoop to blackmail—and are constantly creating more devious approaches to incorporate it into their grifts. In recent months, cybercriminals have taken their blackmailing efforts up a notch, creating realistic-looking “news” videos that claim their victims are wanted for crimes.

Scammers based in West Africa, likely in Nigeria, and going under the broad umbrella of the Yahoo Boys, have increasingly been seen sending blackmail victims videos likely using AI-generated news anchors in a bid to pressure victims into paying up. A WIRED review of posts on Telegram by self-styled Yahoo Boys shows the cybercriminals are impersonating television stations based in the US and sharing tutorials about how to create the blackmailing videos.

The videos follow a sinister pattern. One video—which can be seen in the image below—uses CNN’s logo and branding to impersonate the news organization, with text at the bottom of the screen describing the “breaking news.” On the screen, a likely AI-generated newsreader starts talking.

“Good day. My name is Kristina Lawson, reporting from New Jersey,” the anchor says in the nearly minute-long clip. “Just in: We have received a credible report regarding a disturbing incident.” The fake presenter says that a “young lady” has come forward to allege that they were sexually assaulted by an older man. In the video, the man, who is the target of the scam, is named, and a photograph of him appears onscreen.

Other videos seen by WIRED feature different news readers and names of news channels, but they also show more graphic photos of the potential blackmail targets, including nude and explicit images. In one “news” clip, the screen is split in two, with a photo of a man’s face on one side and the other side is a short video clip of him allegedly masturbating.

David Maimon, the head of fraud insights at SentiLink and a professor at Georgia State University who first spotted the CNN video in December, says the fraudsters have made a number of “disturbing” changes to their blackmailing tactics in recent months, including trying to humiliate people and potentially targeting those outside of English-speaking countries.

Photograph Courtesy of Telegram

Typically, Yahoo Boy scammers message hundreds of people online while posing as members of the opposite sex using pictures stolen from social media profiles. They run all types of scams, but for those that involve blackmail, they often attempt to build up a relationship with their potential victim and obtain compromising information—most commonly, nude images. Then they shift gears.

“At some point, they reveal their identity after they get everything that they need, and then they start blackmailing,” Maimon says. They demand money and threaten to release images online or send them to family and friends if they’re not paid. “One of the approaches they use in order to make sure that the blackmail is realistic is actually producing those news clips that they send to the victims and in a way push them, nudge them, to pay the blackmail,” he says. “They try to push you to make decisions under conditions of stress, under conditions of urgency.”

Yahoo Boy fraudsters widely use social media platform Telegram as a way of organizing, chatting with each other, and as a marketplace where they sell knowledge and tutorials about how to operate different types of scams. The “news” videos seen by WIRED appear to include the details and images of real-world victims, although it was not possible to immediately verify the cases.

Brian Mason, a constable with the Edmonton Police Service in Canada who investigates fraud and works with the victims of scams, says he has seen cases where videos or screenshots of fake CNN broadcasts have been sent to victims. “It looks like your typical CNN broadcast,” Mason says. “It's very, very convincing.” Mason says the approach has been utilized in sextortion scams, which commonly target teenagers and have been linked to a series of suicides.

Mason says he has seen incidents where the news clips falsely accuse scam victims of talking with underage females and that police are searching for them or have issued warrants for their arrest. “It makes the victim panic, because now they’re seeing themselves on this broadcast, and it’s a screen capture from when they were actually talking with the scammer from their own webcam,” Mason adds. The effect can potentially push the person into sending money or following demands from the scammers.

Telegram spokesperson Remi Vaughn tells WIRED that activities observed in the scammer channels are a violation of the app's rules and suggested the company would take action against such channels.

“Content encouraging scamming is explicitly forbidden by Telegram's terms of service,” Vaughn says. “Moderators empowered with custom AI and machine learning tools proactively monitor public parts of the platform and accept reports from users and organizations in order to remove millions of pieces of harmful content each day.”

Last year, Telegram removed more than a dozen Yahoo Boy channels after WIRED reported on their public activity; however, the scammers still have a presence on the platform and other social media platforms, including Facebook, WhatsApp, and YouTube.

Messages shared within Telegram channels show how the fraudsters are quick to evolve their cons, use new technologies, and widely share or sell advice with each other. For instance, when people moved to Chinese alternative Rednote ahead of the proposed TikTok ban in the US earlier this month, Yahoo Boys recommended targeting people who had joined the app.

Within one Telegram channel, which has 10,000 subscribers, a scammer explained the steps needed to create false news videos and mocked-up front pages of newspapers over a series of messages. “In blackmailing (BM) work we get two different types which are: TV news \[and\] newspapers,” the first message says.

In subsequent messages, they gave examples of text that can be inserted into the script for the news bulletin, which says the alleged victim has been “accused of distributing nude images and videos without consent.” All a scammer following the tutorial needs to do is substitute the name and town of their victim and add any pictures they have.

The tutorial suggests headlines for news articles, such as “Local Man Accused of Online Blackmail and Harassment.” It also lists the names of US TV news networks, cable news, and “specialized news”—it listed 17 news outlets ranging from ABC News and Fox News to C-Span and Al Jazeera America. One other cybercriminal shared a video of a folder of blackmail scripts and tutorials needed to create fake news items.

In some fabricated news videos, the news anchor appears to be an AI-generated avatar, although it was not possible to determine which software was being used to create the clips. Tutorials shared on Telegram, however, also show that the grifters are not always using sophisticated technology. Some apps they point to are simple “meme generators.”

Last year, WIRED reported on how Yahoo Boys are adopting deepfake face-swapping technology to make video calls with their targets and try to “prove” their false identities are real. However, Maimon also points to one troubling video shared by Yahoo Boy scammers that appears to show a potential victim making a video to apologize for questioning the scammer’s fake identity.

Within the video, the woman says, “I am truly sorry that I called you a fake” and asks the scammer to accept their apology. The individual says they hope they get to meet the person they believe they are in love with in the future, before they start removing their clothes to “make up” for the earlier accusation. “I think that what followed that video was them blackmailing her,” Maimon explains, “and of course posting it on the markets they’re on.”

_Updated 10:45 am EST, January 28, 2025: Added comment from a Telegram spokesperson._

Scammers Are Creating Fake News Videos to Blackmail Victims

Last week on Malwarebytes Labs: Last week on ThreatDown: Stay safe!

January 27, 2025 - UnitedHealth now estimates that 190 million people were affected by the massive Change Healthcare data breach nearly a year ago.

January 24, 2025 - The Texas Attorney General has requested information of four more car manufacturers about their data handling.

January 23, 2025 - iPhones are being offered for sale with TikTok installed after the US ban caused the app to disappear from the app stores.

January 22, 2025 - A vulnerability in 7-Zip that could allow attackers to bypass the MotW security feature in Windows has been patched.

January 21, 2025 - Forget OSINT, AI-supported tool GeoSpy can determine a person's location based on their surroundings in a picture.

Tag

#sap