The New Jersey attorney general claims Discord’s features to keep children under 13 safe from sexual predators and harmful content are inadequate.

Discord is facing a new lawsuit from the state of New Jersey, which claims that the chat app is engaged in “deceptive and unconscionable business practices” that put its younger users in danger.

The lawsuit, filed on Thursday, comes after a multiyear investigation by the New Jersey Office of Attorney General. The AG’s office claims it has uncovered evidence that, despite Discord’s policies to protect children and teens, the popular messaging app is putting youth “at risk.”

“We’re the first state in the country to sue Discord,” Attorney General Matthew Platkin tells WIRED.

Platkin says there were two catalysts for the investigation. One is personal: A few years ago, a family friend came to Platkin, astonished that his 10-year-old son was able to sign up for Discord, despite the platform forbidding children under 13 from registering.

The second was the mass-shooting in Buffalo, in neighboring New York. The perpetrator used Discord as his personal diary in the lead-up to the attack and livestreamed the carnage directly to the chat and video app. (The footage was quickly removed.)

“These companies have consistently, knowingly, put profit ahead of the interest and well-being of our children,” Platkin says.

The AG’s office claims in the lawsuit that Discord violated the state’s Consumer Fraud Act. The allegations, which were filed on Thursday morning, turn on a set of policies adopted by Discord to keep children younger than 13 off the platform and to keep teenagers safe from sexual exploitation and violent content. The lawsuit is just the latest in a growing list of litigation from states against major social media firms—litigation that has, thus far, proven fairly ineffective.

Discord’s child and teen safety policies are clear: Children under 13 are forbidden from the messaging app, while it more broadly forbids any sexual interaction with minors, including youth “self-endangerment.” It further has algorithmic filters operating to stop unwanted sexual direct messages. The California-based company’s safety policy, published in 2023, states, “We built Discord to be different and work relentlessly to make it a fun and safe space for teens.”

But New Jersey says “Discord’s promises fell, and continue to fall, flat.”

The attorney general points out that Discord has three levels of safety to prevent youth from unwanted and exploitative messages from adults: “Keep me safe,” where the platform scans all messages into a user’s inbox; “my friends are nice,” where it does not scan messages from friends; and “do not scan,” where it scans no messages.

Even for teenage users, the lawsuit alleges, the platform defaults to “my friends are nice.” The attorney general claims this is an intentional design that represents a threat to younger users. The lawsuit also alleges that Discord is failing by not conducting age verification to prevent children under 13 from signing up for the service.

In 2023, Discord added new filters to detect and block unwanted sexual content, but the AG’s office says the company should have enabled the “keep my safe” option by default.

“Consider me unimpressed by their PR campaign,” Platkin says. He contends that the new features are insufficient and easy to get around, and they are less than what the company has made available to users in other countries. “If you put lipstick on a pig,” he says, “it’s still a pig.”

Discord responded to WIRED's requests for comment after this story was published, writing that the company is “proud” of their efforts to protect children on their platform, and insists that they dispute the claims made in the lawsuit. “Given our engagement with the Attorney General's office, we are surprised by the announcement that New Jersey has filed an action against Discord today,” the statement reads.

“Together, these open design features and default settings make it so that anyone can gain direct, private access to a child user with just a few clicks,” the filings allege. Later, the AG goes further, writing that “Discord promised parents safety but made deliberate choices to design its Application and establish default settings that rendered those promises utterly meaningless.”

The lawsuit lists a half-dozen criminal cases where adults allegedly used Discord to lure and exploited children, including the case of 764, a digital far-right pedophile ring.

The lawsuit proposes several different remedies, including a court injunction requiring that Discord improve its safety features and possible financial penalties if it’s found to be failing to keep its users safe.

While this appears to be the first state-level lawsuit against Discord, a number of private law firms have taken aim at the company on similar grounds. In 2022, the family of a then-11-year-old girl filed a class action lawsuit against Discord, alleging that the platform failed to implement enough safeguards to prevent her exploitation by other users. A similar case was filed in California earlier this year. Both cases are ongoing.

But these lawsuits are growing more and more common: Meta, in particular, is facing two massive lawsuits, led by dozens of states, claiming it harmed its teenage users. A similar lawsuit was filed by a coalition of school boards in the Canadian province of Ontario. The European Union, meanwhile, has crafted a suite of regulations meant to tackle these externalities—but, thus far, it is having trouble getting the American tech giants to comply.

Platkin has filed a number of other lawsuits—most recently against TikTok—in an attempt to force social media giants to improve their child protection measures.

“They can’t knowingly put out a product that’s unsafe for kids,” Platkin says. “I don’t care if you’re a social media company, or an opioid manufacturer or any other company that’s telling the public your product is safe when it’s not. We’re going to hold the company accountable.”

Platkin says he’s hopeful that the Trump administration, which has indicated some willingness to go after major social media companies, is interested in keeping children safe—not just targeting supposed conservative censorship. “Hope springs eternal for me,” Platkin says.

_Updated at 3:05 pm ET: Added comment from Discord._

New Jersey Sues Discord for Allegedly Failing to Protect Children

Massive Blue is helping cops deploy AI-powered social media bots to talk to people they suspect are anything from violent sex criminals all the way to vaguely defined “protesters.”

American police departments near the United States-Mexico border are paying hundreds of thousands of dollars for an unproven and secretive technology that uses AI-generated online personas designed to interact with and collect intelligence on “college protesters,” “radicalized” political activists, and suspected drug and human traffickers, according to internal documents, contracts, and communications that 404 Media obtained via public records requests.

Massive Blue, the New York–based company that is selling police departments this technology, calls its product Overwatch, which it markets as an “AI-powered force multiplier for public safety” that “deploys lifelike virtual agents, which infiltrate and engage criminal networks across various channels.” According to a presentation obtained by 404 Media, Massive Blue is offering cops these virtual personas that can be deployed across the internet with the express purpose of interacting with suspects over text messages and social media.

Massive Blue lists “border security,” “school safety,” and stopping “human trafficking” among Overwatch’s use cases. The technology—which as of last summer had not led to any known arrests—demonstrates the types of social media monitoring and undercover tools private companies are pitching to police and border agents. Concerns about tools like Massive Blue have taken on new urgency considering that the Trump administration has revoked the visas of hundreds of students, many of whom have protested against Israel’s war in Gaza.

404 Media obtained a presentation showing some of these AI characters. These include a “radicalized AI” “protest persona,” which poses as a 36-year-old divorced woman who is lonely, has no children, is interested in baking, activism, and “body positivity.” Another AI persona in the presentation is described as a “‘Honeypot’ AI Persona.” Her backstory says she’s a 25-year-old from Dearborn, Michigan, whose parents emigrated from Yemen and who speaks the Sanaani dialect of Arabic. The presentation also says she uses various social media apps, that she’s on Telegram and Signal, and that she has US and international SMS capabilities. Other personas are a 14-year-old boy “child trafficking AI persona,” an “AI pimp persona,” “college protestor,” “external recruiter for protests,” “escorts,” and “juveniles.”

One example of an AI persona created by Massive Blue’s Overwatch tool. The company adds backstories for many of its AI personas, in an apparent attempt to make them appear more realistic.

Courtesy of Massive Blue/Texas Department of Public Safety

Our reporting shows that cops are paying a company to help them deploy AI-powered bots across social media and the internet to talk to people they suspect are anything from violent sex criminals all the way to vaguely defined “protestors” with the hopes of generating evidence that can be used against them.

“This idea of having an AI pretending to be somebody, a youth looking for pedophiles to talk online, or somebody who is a fake terrorist, is an idea that goes back a long time,” Dave Maass, who studies border surveillance technologies for the Electronic Frontier Foundation, told 404 Media. “The problem with all these things is that these are ill-defined problems. What problem are they actually trying to solve? One version of the AI persona is an escort. I’m not concerned about escorts. I’m not concerned about college protesters. So like, what is it effective at, violating protesters’ First Amendment rights?”

Massive Blue has signed a $360,000 contract with Pinal County, Arizona, which is between Tucson and Phoenix. The county is paying for the contract with an anti-human trafficking grant from the Arizona Department of Public Safety. A Pinal County purchasing division report states that it has bought “24/7 monitoring of numerous web and social media platforms” and “development, deployment, monitoring, and reporting on a virtual task force of up to 50 AI personas across 3 investigative categories.” Yuma County, in southwestern Arizona, meanwhile, signed a $10,000 contract to try Massive Blue in 2023 but did not renew the contract. A spokesperson for the Yuma County Sheriff’s Office told 404 Media “it did not meet our needs.”

This image from a Massive Blue presentation for police departments shows how the company's RADAR program uses AI personas to provide law enforcement with “intelligence reports.”

Courtesy of Massive Blue/Texas Department of Public Safety

Massive Blue cofounder Mike McGraw did not answer a series of specific questions from 404 Media about how Massive Blue works, what police departments it works with, and whether it had been used to generate any arrests. “We are proud of the work we do to support the investigation and prosecution of human traffickers,” McGraw said. “Our primary goal is to help bring these criminals to justice while helping victims who otherwise would remain trafficked. We cannot risk jeopardizing these investigations and putting victims’ lives in further danger by disclosing proprietary information.”

The Pinal County Sheriff’s Office told 404 Media that Massive Blue has not thus far been used for any arrests.

“Our investigations are still underway. Massive Blue is one component of support in these investigations, which are still active and ongoing. No arrests have been made yet,” Sam Salzwedel, Pinal County Sheriff's Office public information officer, told 404 Media. “It takes a multifaceted approach to disrupting human traffickers, narcotics traffickers, and other criminals. Massive Blue has been a valuable partner in these initiatives and has produced leads that detectives are actively pursuing. Given these are ongoing investigations, we cannot risk compromising our investigative efforts by providing specifics about any personas.”

Salzwedel added, “Massive Blue is not working on any immigration cases. Our agency does not enforce immigration law. Massive Blue’s support is focused on the areas of human trafficking, narcotics trafficking, and other investigations.”

Law enforcement agencies have taken steps to prevent specifics about what Massive Blue is and how it works from becoming public. At public appropriations hearings in Pinal County about the Massive Blue contract, the sheriff’s office refused to tell county council members about what the product even is. Matthew Thomas, Pinal County Deputy Sheriff, told the county council he “can’t get into great detail” about what Massive Blue is and that doing so would “tip our hand to the bad guys.”

The Arizona Department of Public Safety said, “From what we can ascertain, Pinal County planned to implement technology to help identify and solve human trafficking cases, and that is what we funded,” but was unaware of any of the specifics of Overwatch.

While the documents don’t describe every technical aspect of how Overwatch works, they do give a high-level overview of what it is. The company describes a tool that uses AI-generated images and text to create social media profiles that can interact with suspected drug traffickers, human traffickers, and gun traffickers. After Overwatch scans open social media channels for potential suspects, these AI personas can also communicate with suspects over text, Discord, and other messaging services. The documents we obtained don’t explain how Massive Blue determines who is a potential suspect based on their social media activity. Salzwedel, of Pinal County, said “Massive Blue’s solutions crawl multiple areas of the Internet, and social media outlets are just one component. We cannot disclose any further information to preserve the integrity of our investigations.”

One slide in the Massive Blue presentation obtained by 404 Media gives the example of a “Child Trafficking AI Persona” called Jason. The presentation gives a short “backstory” for the persona, which says Jason is a 14-year-old boy from Los Angeles whose parents emigrated from Ecuador. He’s bilingual and an only child, and his hobbies include anime and gaming. The presentation describes his personality as shy and that he has difficulty interacting with girls. It also says that his parents don’t allow him to use social media and that he hides his use of Discord from them. This AI persona is also accompanied by an AI-generated image of a boy.

Another example of an AI-generated persona, along with a sample of chats showing how the AI personas interact with targeted suspects.

Courtesy of Massive Blue/Texas Department of Public Safety

The presentation includes a conversation between this AI persona and what appears to be a predatory adult over text messages and Discord.

“Your parents around? Or you getting some awesome alone time,” a text from the adult says.

“Js chillin by myself, man. My momz @ work n my dadz outta town. So itz jus me n my vid games. 🎮,” Jason, the AI-generated child, responds.

In another example of how the “highly adaptable personas” can communicate with real people, the presentation shows a conversation between Clip, an “AI pimp persona,” and what appears to be a sex worker.

“Dem tricks trippin 2nite tryin not pay,” the sex worker says.

“Facts, baby. Ain’t lettin’ these tricks slide,” the Clip persona replies. “You stand your ground and make ’em pay what they owe. Daddy got your back, ain’t let nobody disrespect our grind. Keep hustlin’, ma, we gonna secure that bag💰💪✨”

A list from Massive Blue's presentation showing the types of “highly customizable” personas Overwatch can generate.

Courtesy of Massive Blue/Texas Department of Public Safety

“The continuous evolution of operational, communication & recruitment tactics by bad actors drives exponential increases of threats and significant challenges in reducing demand,” says a one-page brochure provided to police departments that explains Overwatch’s functionality. “The Overwatch platform harnesses the power of AI & blockchain to scale your impact without operational or technical overhead.”

Jorge Brignoni took notes for the Cochise County, Arizona, Sheriff’s Office at a meeting with Massive Blue in August 2023, which 404 Media obtained. In the notes, he wrote that Overwatch does “passive engagement, then active engagement, towards commitment” with a “Bad Actor, Predator, DTO,” or drug trafficking organization. These targets are then “HAND\[ed\] OFF to L.E. \[law enforcement\] to arrest, indict, convict.”

“Why is he talking about converting folks into ‘buying something,’” Brignoni wrote. “So dumb. Talk about the widget, not how you’re selling the widget to L.E.”

According to Brignoni’s notes, in addition to collecting intelligence via these AI personas, Overwatch also leverages “Telco & Geo Data” and “Blockchain Data” in the form of “full transaction history, top associated wallet IDs, sending & receiving cryptocurrency, potential off-ramps (Exchange names).” The Cochise County Sheriff’s Office ultimately did not buy Massive Blue and did not provide answers to 404 Media’s questions about its meeting with the company.

Besides scanning social media and engaging suspects with AI personas, the presentation says that Overwatch can use generative AI to create “proof of life” images of a person holding a sign with a username and date written on it in pen.

A variety of AI-generated images of Massive Blue's personas, which are made to look realistic in an attempt to fool targets.

Courtesy of Massive Blue/Texas Department of Public Safety

The Massive Blue presentation gives an example of an “Overwatch Recon Report” based on “24 hours of activity across Dallas, Houston, and Austin.” It claims that Overwatch identified 3,266 unique human traffickers, 25 percent of which were affiliated with “larger sophisticated trafficking organizations” and 15 percent of which were flagged as “potential juvenile traffickers.” 404 Media was not able to verify what these accounts were and whether they actually engaged in any criminal activity, and Massive Blue didn’t respond to questions about what these accounts were and how exactly it identified them.

On top of the ongoing contract with the Pinal County Sheriff’s Office and the pilot with the Yuma County Sheriff’s Department last year, Massive Blue has pitched its services to Cochise County in Arizona and the Texas Department of Public Safety, according to documents obtained as part of this investigation.

In September 2023, Yuma County set up a meeting that was going to include federal law enforcement, but Massive Blue had to cancel the meeting: “That’s unfortunate, we had federal agents here that focus on human trafficking ready to go,” a Yuma County sergeant wrote in an email to Massive Blue CEO Brian Haley after Haley canceled the meeting.

Much of Massive Blue’s public-facing activity has been through its executive director of public safety, Chris Clem, who is a former US Customs and Border Protection agent who testified before Congress about border security last year and regularly appears on Fox News and other media outlets to discuss immigration and the border. In recent months, Clem has posted images of himself on LinkedIn at the border and with prominent Trump administration members Tulsi Gabbard and Robert F. Kennedy Jr. Massive Blue has also relied on former Kansas City Chiefs kicker Nick Lowery to introduce and endorse Overwatch to police departments.

Clem and Lowery have spoken most extensively publicly about Overwatch, where they have described it as an amorphous “cyberwall” that can do everything from stopping human traffickers to preventing hackers from breaking into 401(k) accounts to taking money back from hackers who have stolen from you, though they provide no specifics about how that would work.

In a two-and-a-half-hour interview with podcaster Theo Von, Clem said, “My company Massive Blue, we basically use deep tech to identify the habits and process of you know, look, I worked on a physical wall, now we’ve created a cyberwall,” adding that he believed it would “save lives.”

Von asked, “OK, but how does your company do that?”

“Well, I’m not going to get into that too much,” Clem responded, adding that he is trying to sell the technology to US Border Patrol.

More examples of Massive Blue's AI personas, which include a “child trafficking AI persona,” an “AI pimp persona,” “college protestor,” “external recruiter for protests,” “escorts,” and “juveniles.”

Courtesy of Massive Blue/Texas Department of Public Safety

On June 5, a Pinal County Board of Supervisors meeting was asked to approve a $500,000 contract between the county and Massive Blue in order to license Overwatch.

“I was looking at the website for Massive Blue, and it’s a one-pager with no additional information and no links,” Kevin Cavanaugh, the then-supervisor for District 1, said to Pinal County’s Chief Deputy at the Sheriff’s Office, Matthew Thomas. “They produce software that we buy, and it does what? Can you explain that to us?”

“I can’t get into great detail because it’s essentially trade secrets, and I don’t want to tip our hand to the bad guys,” Thomas said. “But what I can tell you is that the software is designed to help our investigators look for and find and build a case on human trafficking, drug trafficking, and gun trafficking.”

Cavanaugh said at the board meeting that the basic information he got is that Massive Blue uses “50 AI bots.” He then asked whether the software has been successful and if it helped law enforcement make any arrests. Thomas explained they have not made any arrests yet because they’ve only seen the proof of concept, but that the proof of concept was “good enough for us and our investigators to move forward with this. Once this gets approved and we get them \[Massive Blue\] under contract, then we are going to move forward with prosecution of cases.”

Cavanaugh asked if Overwatch is used in other counties, which prompted Thomas to invite Clem to the podium to speak. Clem introduced himself as a recently retired border agent and said that Massive Blue is currently in negotiations with three counties in Arizona, including Pinal County.

“As a resident of 14 years of Pinal County I know what’s happening here,” Clem said to the Board of Supervisors. “To be able \[to\] use this program \[...\] to provide all the necessary information to go after the online exploitation of children, trafficking victims, and all the other verticals that the sheriff may want to go after.”

Cavanaugh again asked if Massive Blue gathered any data that led to arrests.

“We have not made arrests yet, but there is a current investigation right now regarding arson, and we got the leads to the investigators,” Clem said, explaining that the program has been active for only about six months. “Investigations take time, but we’ve been able to generate the necessary leads for the particular counties that we’re involved with and also in the private sector.”

The Pinal County Board of Supervisors concluded the exchange by approving payment for a handful of other, unrelated projects, but with board members asking to delay the vote on payment for Massive Blue “for further study.”

The decision not to fund Massive Blue that day was covered in a local newspaper. Cavanaugh told the paper that he asked the company to meet with supervisors to explain the merits of the software.

“The State of Arizona has provided a grant, but grant money is taxpayer money. No matter the source of the funding, fighting human and sex trafficking is too important to risk half a million dollars on unproven technology,” he said. “If the company demonstrates that it can deliver evidence to arrest human traffickers, it may be worthwhile. However, it has yet to achieve this goal.”

404 Media’s public record requests yielded several emails from Cavanaugh’s office to IT professionals and other companies that provide AI products to law enforcement, asking them if they’re familiar with Massive Blue. We don’t know what was said in those meetings, or if they occurred, but when the Pinal County Board of Supervisors convened again on June 19 it voted to pay for Massive Blue’s Overwatch without further discussion.

“Supervisor \[Cavanaugh\] ultimately voted for the agreement because Massive Blue is alleged to be in pursuit of human trafficking, a noble goal,” a representative from Cavanaugh’s office told 404 Media in an email. “A major concern regarding the use of the application, is that the government should not be monitoring each and every citizen. To his knowledge, no arrests have been made to date as a result of the use of the application. If Overwatch is used to bring about arrests of human traffickers, then the program should continue. However, if it is just being used to collect surveillance on law-abiding citizens and is not leading to any arrests, then the program needs to be discontinued.”

In an August 7, 2024, Board of Supervisors meeting, Cavanaugh asked then-Pinal County Sheriff Mark Lamb for an update on Massive Blue. “So they have not produced any results? They’ve produced no leads? No evidence that is actionable?” Cavanaugh asked. “That would be public knowledge, that would be public information.”

“I think there’s a lot of ongoing investigations that they’re not going to give you information on, and we’re not going to give you information on,” Lamb said.

This ‘College Protester’ Isn’t Real. It’s an AI-Powered Undercover Bot for Cops

The CVE Program is the primary way software vulnerabilities are tracked. Its long-term future remains in limbo even after a last-minute renewal of the US government contract that funds it.

In an eleventh-hour scramble before a key contract was set to expire on Tuesday night, the United States Cybersecurity and Infrastructure Security Agency renewed its funding for the longtime software-vulnerability-tracking project known as the Common Vulnerabilities and Exposures Program. Managed by the nonprofit research-and-development group MITRE, the CVE Program is a linchpin of global cybersecurity—providing critical data and services for digital defense and research.

The CVE Program is governed by a board that sets an agenda and priorities for MITRE to carry out using CISA's funding. A CISA spokesperson said on Wednesday that the contract with MITRE is being extended for 11 months. “The CVE Program is invaluable to the cyber community and a priority of CISA,” they said in a statement. “Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners’ and stakeholders’ patience.”

MITRE's vice president and director of the Center for Securing the Homeland, Yosry Barsoum, said in a statement on Wednesday that “CISA identified incremental funding to keep the Programs operational.” With the clock ticking down before this decision came out, though, some members of the CVE Program's board announced a plan to transition the project into a new nonprofit entity called the CVE Foundation.

“Since its inception, the CVE Program has operated as a US government-funded initiative, with oversight and management provided under contract. While this structure has supported the program’s growth, it has also raised long-standing concerns among members of the CVE Board about the sustainability and neutrality of a globally relied-upon resource being tied to a single government sponsor,” the Foundation wrote in a statement. “This concern has become urgent following an April 15, 2025, letter from MITRE notifying the CVE Board that the US government does not intend to renew its contract for managing the program. While we had hoped this day would not come, we have been preparing for this possibility.”

It is unclear who from the current CVE board is affiliated with the new initiative other than Kent Landfield, a longtime cybersecurity industry member who was quoted in the CVE Foundation statement. The CVE Foundation did not immediately return a request for comment.

CISA did not respond to questions from WIRED about why the fate of the CVE Program contract had been in question and whether it was related to recent budget cuts sweeping the federal government as mandated by the Trump administration.

Researchers and cybersecurity professionals were relieved on Wednesday that the CVE Program hadn't suddenly ceased to exist as the result of unprecedented instability in US federal funding. And many observers expressed cautious optimism that the incident could ultimately make the CVE Program more resilient if it transitions to be an independent entity that isn't reliant on funding from any one government or other single source.

“The CVE Program is critical, and it’s in everyone’s interest that it succeed," says Patrick Garrity, a security researcher at VulnCheck. “Nearly every organization and every security tool is dependent on this information, and it’s not just the US. It’s consumed globally. So it's really, really important that it continues to be a community-provided service, and we need to figure out what to do about this, because losing it would be a risk to everyone.”

Federal procurement records indicate that it costs in the tens of millions of dollars per contract to run the CVE Program. But in the scheme of the losses that can occur from a single cyberattack exploiting unpatched software vulnerabilities, experts tell WIRED, the operational costs seem negligible versus the benefit to US defense alone.

Despite CISA's last-minute funding, the future of the CVE Program is still unclear for the long term. As one source, who requested anonymity because they are a federal contractor, put it: “It's all so stupid and dangerous.”

‘Stupid and Dangerous’: CISA Funding Chaos Threatens Essential Cybersecurity Program

A lawsuit over the Trump administration’s infamous Houthi Signal group chat has revealed what steps departments took to preserve the messages—and how little they actually saved.

Attorneys suing the United States government over its use of vanishing Signal messages to coordinate military strikes last month in Yemen allege that new court filings by the government reveal a “calculated strategy” by Trump administration officials to evade transparency laws through the illegal destruction of government records.

US defense and intelligence agencies on Monday submitted supplemental declarations in court outlining their individual efforts to preserve the messages at the center of the “SignalGate” scandal. American Oversight, a watchdog organization whose attorneys are suing the government, claim the declarations reveal “troubling inconsistencies” in efforts by US officials to archive the material, with the Central Intelligence Agency in particular alleging that it had archived no messages of any substance.

“Using encrypted, disappearing messages on Signal for official government business violates the Federal Records Act and represents a calculated strategy to undermine transparency and accountability,” claims the group’s interim executive director, Chioma Chukwu.

The use of the private group chat—in which some messages were configured to automatically delete before they could be archived—was first revealed by The Atlantic’s editor in chief, Jeffrey Goldberg, on March 24, after he was inadvertently added to the group by Trump’s national security adviser, Michael Waltz. American Oversight subsequently filed Freedom of Information Act requests over the chats and then sought a temporary restraining order in a Washington, DC, federal court in an effort to compel the government to salvage any messages yet to be deleted.

In addition to Waltz, known participants in the chat group include, among others, Secretary of Defense Pete Hegseth, Secretary of State Marco Rubio, Vice President JD Vance, Director of National Intelligence Tulsi Gabbard, and CIA Director John Ratcliffe.

WIRED has requested comment from the Justice Department, the Office of the National Intelligence Director, and the White House. The departments of Defense and State declined to comment. The CIA could not be immediately reached for comment.

The declarations filed by the government late Monday show a scattershot attempt by multiple agencies to comply with the court’s demands, with several days elapsing during their various individual efforts to obtain and preserve the messages.

Judge James Boasberg, the chief judge of the US District Court for the District of Columbia, issued his initial order to preserve the communications on March 27, while giving each agency four days to describe what actions were being taken to obey. “We were really trying to seek preservation of Signal chats more broadly,” American Oversight’s deputy chief counsel, Katie Anthony, tells WIRED. “But the court was not willing to step outside the one specific chat we all knew about for certain."

The declarations ultimately offered scant information about the methods that were employed to preserve the messages or the degrees to which those methods are forensically sound. And it is unclear from the disclosures what portion of the chat—alleged to cover five days in early March—might have been irretrievable by that time. According to reporting by The Atlantic, some of the messages concerning the military strikes, which targeted Houthi fighters in Yemen, were set to delete automatically after four weeks. Others were reportedly set to disappear after only one.

The US Treasury Department was initially alone in providing the court a timeline of the messages that it was able to retrieve. Treasury Secretary Scott Bessent had received a preservation memo on March 26, his acting general counsel said, as well as advice regarding his fundamental duty to preserve records. Resultingly, "images were taken from the phones of Secretary Bessent and Mr. \[Daniel\] Katz," Bessent’s chief of staff. The messages begin at 1:48 pm EST on March 15, 2025.

"The Atlantic article was about a chat that took place the 11th through the 15th,” Anthony says, “so pretty much everything was gone—from the only defendant who gave us clear and specific information about what they were able to save.”

The Department of Defense told the court last month that its attorneys were "in the process" of complying with the agency's preservation rules and that Secretary Hegseth’s communications team had been asked to forward the Signal messages to an official DOD account. Pressed by the court for further details last week, the DOD said Monday that a search of Hegseth's device had been conducted "on or about March 27," adding that screenshots of the "existing Signal application messages" had been preserved.

American Oversight’s lawyers had urged the court to seek greater specificity, arguing on April 4 that "vague, incomplete assertions" in the government's original declarations had only cast fresh doubts on its "purported efforts" to preserve the chats. In light of new reporting, the group argued, the government's response seemed otherwise "grossly inadequate." Politico had reported two days prior that as many as 20 private Signal chat groups had been started by Waltz’s team with a slew of cabinet officials.

“It seems very likely that the individuals who are defendants in our lawsuit are probably involved in some of those other chats, and we have this problem on a much wider basis,” Anthony says.

The Department of Justice, meanwhile, opposed the court’s involvement, arguing that its efforts on behalf of a watchdog group were legally confused and that the question of whether any laws were broken is in any case moot. Members of the public, it argued, have no "enforceable rights” when it comes to challenging the destruction of specific government records. A court order was unnecessary, the department said, because the government was already taking steps to do what is required. A “partial version of the chat” had already been committed to a federal record keeping system, it said, by “at least one agency.”

Among other new details, Monday’s disclosures provided a range of dates for the preservation efforts at multiple agencies, including the date that Hegseth’s phone was finally “searched.”

Screenshots of chats on Marco Rubio's phone were likewise captured on March 27, the State Department said. The Office of the Director of National Intelligence said its screenshots were taken the following day, on March 28. The CIA said it took a screenshot of the chat on March 31; however, it also clarified one of its previous declarations to the court, revealing that the image shows mainly the name of the chat group and some of its members and settings but not any of its “substantive messages.”

American Oversight previewed a case to amend its initial complaint during a hearing last week, with plans to encourage the court to expand the scope of its review to include the now-reported widespread use of Signal by top officials across the national security state.

“This attack on government transparency threatens the very foundation of our democracy,” Chukwu says. “And we are committed to using every legal tool available to expose the truth and hold those responsible accountable.”

Here’s What Happened to Those SignalGate Messages

Though the exact details of the situation have not been confirmed, community infighting seems to have spilled out in a breach of the notorious image board.

The anonymous image board 4chan has survived years of controversy. It weathered user and advertiser boycotts as well as damning accusations that it incubated hate speech that may have fueled mass shootings. Users have convened on 4chan to plan hacks like DDoS attacks, and conspiracy theories that festered on 4chan even reportedly inspired the January 6 insurrection at the United States Capitol. On Monday night and Tuesday, though, the platform faced its latest test after a series of outages led to speculation that the site had been hacked.

The core feature 4chan provides is public anonymity to post text and images, but the platform itself does collect information about users, such as their IP addresses. As a result, a breach of the website could represent a significant exposure of data that was intended to be private.

“4chan is an anonymous message board that enables often offensive and hateful content. The content leaked, if genuine, would remove some of the anonymity from 4chan administrators, moderators, and janitors,” says Ian Gray, director of analysis and research at the security firm Flashpoint. The image board’s billing as an “anonymous” platform may have given users a “false sense of security,” Gray says. “Some users may have registered their email addresses years ago when they were less aware or concerned about their operational security.”

Reports about the apparent hack began circulating after a previously banned board on 4chan briefly appeared online and the site was defaced with a message saying, “U GOT HACKED XD.” Subsequently, an online account on a rival forum known as Soyjak.party posted screenshots allegedly showing 4chan’s backend systems, plus a list of alleged 4chan administrator and moderator usernames, with associated email addresses. Following this post of 4chan administrator email addresses, Soyjak.party users started posting alleged doxes, including photos and personal information, of the accounts included in the leak.

WIRED has not been able to confirm whether the data is legitimate. A press email address associated with 4chan as well as two alleged administrator emails from the leaked data did not immediately respond to WIRED’s requests for comment on the hack and its validity. One of the site’s moderators said they believed the hack and leaks were real, according to a report by TechCrunch.

Rumors also started circulating on Tuesday that the breach is the result of 4chan running legacy, unpatched software that exposed the platform to attack. After a breach a decade ago, 4chan founder Christopher Poole, known online as “moot,” wrote in a blog post, “\[We\] have spent—and will continue to spend—dozens of hours poring over our software and systems to help mitigate and prevent future intrusions. We’re sorry it happened, and will do our best to ensure it doesn’t happen again.”

Emiliano De Cristofaro, a computer science and engineering professor at UC Riverside, who has researched the impact of 4chan on the web, says the ramifications could be large if the hack is confirmed.

“It seems true that 4chan hasn't been properly maintained and patched for years, which might indicate that a hack would have definitely been a possibility,” De Cristofaro says. “There might be some ‘high profile’ users exposed as moderators—traditionally, 4chan users hate them, so they might be targeted. It might be hard or at least painfully slow and costly for 4chan to recover from this, so we might really see the end of 4chan as we know it.”

Initial reports posted on Soyjak.party referencing a 4chan hack appeared to say that Soyjak.party members may have been involved in the attack. One post claimed that a hacker had been in 4chan’s systems “for over a year” and exposed personal information allegedly linked to 4chan users and administrators. And multiple screenshots posted on Soyjak.party appear to show someone accessing 4chan’s internal systems. These include images of someone with administrator access to a 4chan backend database, stats about users on various sections of 4chan, a page showing deleted posts and the IP addresses they were made from, as well as other internal documentation. Some reports also claim that hackers stole 4chan’s source code.

In recent years, 4chan has increasingly been on the radar of US government officials. The website has reportedly been kept online due in part to investment by a Japanese company. In June 2023, WIRED reported on internal 4chan documents that showed how the site’s policies shaped the highly toxic nature of the platform—including how moderators explicitly allow racism. In most cases, the documents showed, calls for violence on 4chan are not met with user bans.

“If the data is legitimate, information on members and posting could be useful for law enforcement investigations,” Flashpoint’s Gray says. “4chan has been around since at least 2003, which is extremely notable for any online service. Aside from the offensive and often extremist content, a lot of internet culture has originated from 4chan. If this is a death knell for 4chan, other services will likely fill its place. However, the effect of 4chan on the internet cannot be overstated.”

Suspected 4chan Hack Could Expose Longtime, Anonymous Admins

Microsoft held off on releasing the privacy-unfriendly feature after a swell of pushback last year. Now it’s trying again, with a few improvements that skeptics say still aren't enough.

Security and privacy advocates are girding themselves for another uphill battle against Recall, the AI tool rolling out in Windows 11 that will screenshot, index, and store everything a user does every three seconds.

When Recall was introduced in May 2024, security practitioners roundly castigated it for creating a gold mine for malicious insiders, criminals, or nation-state spies if they managed to gain even brief administrative access to a Windows device. Privacy advocates warned that Recall was ripe for abuse in intimate partner violence settings. They also noted that there was nothing stopping Recall from preserving sensitive disappearing content sent through privacy-protecting messengers such as Signal.

**Total Recall**

Following months of backlash, Microsoft later suspended Recall. On Thursday, the company said it was reintroducing Recall. It currently is available only to insiders with access to the Windows 11 Build 26100.3902 preview version. Over time, the feature will be rolled out more broadly. Microsoft officials wrote:

> Recall (preview)\* saves you time by offering an entirely new way to search for things you’ve seen or done on your PC securely. With the AI capabilities of Copilot+ PCs, it’s now possible to quickly find and get back to any app, website, image, or document just by describing its content. To use Recall, you will need to opt-in to saving snapshots, which are images of your activity, and enroll in Windows Hello to confirm your presence so only you can access your snapshots. You are always in control of what snapshots are saved and can pause saving snapshots at any time. As you use your Copilot+ PC throughout the day working on documents or presentations, taking video calls, and context switching across activities, Recall will take regular snapshots and help you find things faster and easier. When you need to find or get back to something you’ve done previously, open Recall and authenticate with Windows Hello. When you’ve found what you were looking for, you can reopen the application, website, or document, or use Click to Do to act on any image or text in the snapshot you found.

Microsoft is hoping that the concessions requiring opt-in and the ability to pause Recall will help quell the collective revolt that broke out last year. It likely won’t for various reasons.

First, even if User A never opts in to Recall, they have no control over the setting on the machines of Users B through Z. That means anything User A sends them will be screenshotted, processed with optical character recognition and Copilot AI, and then stored in an indexed database on the other users’ devices. That would indiscriminately hoover up all kinds of User A's sensitive material, including photos, passwords, medical conditions, and encrypted videos and messages. As Privacy Guides writer Em wrote on Mastodon:

> This feature will unfortunately extract your information from whatever secure software you might have used and store it on this person's computer in a possibly less secure way.
> 
> Of course this person could manually take a screenshot of all of this anyway, but this feature makes it that even a well-intentioned person might either not be aware it is on, or might wrongly assume it is secure enough.
> 
> This feature isn't fully released yet, but it might be soon.

The presence of an easily searchable database capturing a machine’s every waking moment would also be a bonanza for others who don’t have users’ best interests at heart. That level of detailed archival material will undoubtedly be subject to subpoena by lawyers and governments. Threat actors who manage to get their spyware installed on a device will no longer have to scour it for the most sensitive data stored there. Instead they will mine Recall just as they do browser databases storing passwords now.

Microsoft didn’t immediately respond to a message asking why it’s reintroducing Recall less than a year after the feature got such a chilly reception. For critics, Recall is likely to remain one of the most pernicious examples of enshittification, the recently minted term for the shoehorning of unwanted AI and other features into existing products when there is negligible benefit to users.

_This story originally appeared on_ _Ars Technica._

Microsoft’s Recall AI Tool Is Making an Unwelcome Return

Despite their hacktivist front, CyberAv3ngers is a rare state-sponsored hacker group bent on putting industrial infrastructure at risk—and has already caused global disruption.

The intermittent cyberwar between Israel and Iran, stretching back to Israel's role in the creation and deployment of the Stuxnet malware that sabotaged Iran's nuclear weapons program, has been perhaps the longest-running conflict in the era of state-sponsored hacking. But since Hamas' October 7 attack and Israel's retaliatory invasion of Gaza, a new player in that conflict threatens not just digital infrastructure in Israel but also critical systems in the US and around the world.

The group known as CyberAv3ngers has, in the last year and a half, proven to be the Iranian government's most active hackers focused on industrial control systems. Its targets include water, wastewater, oil and gas, and many other types of critical infrastructure. Despite being operated by members of Iran's Revolutionary Guard Corps, according to US officials who have offered a $10 million bounty for information leading to their arrest, the group initially took on the mantle of a “hacktivist” campaign.

CyberAv3ngers has been vocal about their operations that targeted Israel and Israeli technology products. But they've also quietly expanded their target list to include a variety of other devices and networks, including a US oil and gas firm and a wide array of industrial control systems across the world.

All of that makes the hackers, despite their grassroots front, a rare example of state-sponsored cybersaboteurs who have crossed the line of targeting and disrupting critical infrastructure. And they haven't shown any signs of stopping.

“They pretend to be hacktivists, but they're really not. This is a state-sponsored group. They have funding and tooling,” says Kyle O'Meara, a threat intelligence researcher at industrial-control-system cybersecurity firm Dragos, which tracks the group under the name Bauxite. “They definitely have the capability, they have the intent, and they have the interest in learning how to shut things off and potentially cause harm.”

Though CyberAv3ngers was active as early as 2020, it first came to prominence in November 2023, after Hamas launched its October 7 attack that killed more than 1,200 people and Israel responded with a ground invasion and bombing campaign that has since killed more than 50,000 Palestinians. A month into that ongoing war, the hackers gained access to more than 100 devices sold by the Israeli firm Unitronics—industrial control systems most commonly used in water utilities and wastewater plants. “Every Equipment ‘Made In Israel’ Is Cyber Av3ngers Legal Target!” read a post from the group's X account.

In that hacking spree, CyberAv3ngers set the names of the devices to read “Gaza” and changed their displays to show an image of the group's logo along with a star of David sinking into ones and zeros. “You have been hacked,” the image read. “Down with Israel.”

While CyberAv3ngers' initial foray may have appeared to be simple vandalism, The hackers actually rewrote the devices' so-called “ladder logic,” the code that governs their functionality. As a result, the hackers’ changes disrupted service on some victim networks, including a water utility and a brewery near Pittsburgh—distinct facilities that were both coincidentally in the same region—as well as multiple water utilities in Israel and Ireland, according to Dragos and another industrial cybersecurity firm, Claroty, that tracked the hacking campaign.

Around the same time, CyberAv3ngers also posted on Telegram that it had hacked into the digital systems of more than 200 Israeli and US gas stations—incidents which Claroty says did occur in some cases, but were largely limited to hacking their surveillance camera systems—and to have caused blackouts at Israeli electric utilities, a claim that cybersecurity firms say was false.

That initial wave of CyberAv3ngers hacking, both real and fabricated, appears to have been part of a tit-for-tat with another highly aggressive hacker group that is widely believed to work on behalf of Israeli military or intelligence agencies. That rival group, known as Predatory Sparrow, repeatedly targeted Iranian critical infrastructure systems while similarly hiding behind a hacktivist front. In 2021, it disabled more than 4,000 Iranian gas stations across the country. Then, in 2022, it set a steel mill on fire in perhaps the most destructive cyberattack in history. Following CyberAv3ngers’ late 2023 hacking campaign, and missile launches against Israel by Iranian-backed Houthi rebels, Predatory Sparrow retaliated again by knocking out thousands of Iran's gas stations in December of that year.

“Khamenei!” Predatory Sparrow wrote on X, referring to the supreme leader of Iran in Farsi. “We will react against your evil provocations in the region.”

Predatory Sparrow's attacks have been tightly focused on Iran. But CyberAv3ngers hasn't limited itself to Israeli targets, or even Israeli-made devices used in other countries. In April and May of last year, Dragos says, the group breached a US oil and gas firm—Dragos declined to name which one—by compromising the company's Sophos and Fortinet security appliances. Dragos found that in the months that followed, the group was scanning the internet for vulnerable industrial control system devices, as well as visiting the websites of those devices’ manufacturers to read about them.

Following its late 2023 attacks, the US Treasury sanctioned six IRGC officials that it says were linked to the group, and the State Department put its $10 million bounty on their heads. But far from being deterred, CyberAv3ngers has instead shown signs of evolving into a more pervasive threat.

Last December, Claroty revealed that CyberAv3ngers had infected a wide variety of industrial control systems and internet-of-things (IOT) devices around the world using a piece of malware it developed. The tool, which Claroty calls IOControl, was a Linux-based backdoor that hid its communications in a protocol known as MQTT used by IOT devices. It had been planted on everything from routers to cameras to industrial control systems. Dragos says it found devices infected by the group worldwide, from the US to Europe to Australia.

According to Claroty and Dragos, the FBI took control of the command-and-control server for IOControl at the same time as Claroty's December report, neutralizing the malware. (The FBI didn't respond to WIRED's request for comment about the operation.) But CyberAv3ngers’ hacking campaign nonetheless shows a dangerous evolution in the group's tactics and motives, according to Noam Moshe, who tracks the group for Claroty.

“We're seeing CyberAv3ngers moving from the world of opportunistic attackers where their whole goal was spreading a message into the realm of a persistent threat,” Moshe says. In the IOControl hacking campaign, he adds, “they wanted to be able to infect all kinds of assets that they identify as critical and just leave their malware there as an option for the future.”

Exactly what the group might have been waiting for—possibly some strategic moment when the Iranian government could gain a geopolitical advantage from causing widespread digital disruption—is far from clear. But the group's actions suggest that it's no longer seeking to merely send a message of protest against Israeli military actions. Instead, Moshe argues, it’s trying to gain the ability to disrupt foreign infrastructure at will.

“This is like a red button on their desk. At a moment's notice they want to be able to attack many different segments, many different industries, many different organizations, however they choose,” he says. “And they're not going away.”

CyberAv3ngers: The Iranian Saboteurs Hacking Water and Gas Systems Worldwide

Allegedly responsible for the theft of $1.5 billion in cryptocurrency from a single exchange, North Korea’s TraderTraitor is one of the most sophisticated cybercrime groups in the world.

On February 21, the largest crypto heist ever started to unfold. Hackers gained control of a crypto wallet belonging to the world’s second-largest cryptocurrency exchange, Bybit, and stole almost $1.5 billion of digital tokens. They quickly shunted the money between dozens of cryptocurrency wallets and services to try and obscure the activity, before starting to cash the stolen funds out.

The eye-popping digital raid had all the hallmarks of being conducted by one of North Korea’s elite subgroups of hackers. While Bybit remained solvent by borrowing cryptocurrency and launched a bounty scheme to track down the stolen funds, the FBI quickly pinned the blame on the North Korean hackers known as TraderTraitor.

Before the Bybit heist, TraderTraitor had already been linked to other high-profile cryptocurrency thefts and compromises of supply chain software.

“We were waiting for the next big thing,” says Michael Barnhart, a longtime cybersecurity researcher focused on North Korea and investigator at security firm DTEX Systems. “They didn't go away. They didn’t try to stop. They were clearly plotting and planning—and they’re doing that now,” he says.

North Korea’s hackers—alongside those from China, Russia, and Iran—are consistently considered to be one of the most sophisticated and most dangerous cyber threats to Western democracies. While all of these countries engage in espionage and theft of sensitive data, North Korea’s cyber operations come with their own set of distinct goals: helping to fund the hermit kingdom’s nuclear programs. Increasingly, that means stealing cryptocurrency.

Over at least the past five years, the totalitarian regime of Kim Jong-un has deployed technically skilled IT workers to infiltrate companies around the world and earn wages that can be sent back to the motherland. In some cases, after being fired, those workers extort their former employers by threatening to release sensitive data. At the same time, North Korean hackers, as part of the broad umbrella Lazarus Group, have stolen billions in cryptocurrency from exchanges and companies around the world. TraderTraitor makes up one part of the wider Lazarus group, which is run out of the Reconnaissance General Bureau, the North Korean intelligence agency.

TraderTraitor—which is also referred to as Jade Sleet, Slow Pisces, and UNC4899 by security companies—is primarily interested in cryptocurrency.

“They use a variety of creative techniques to get into blockchain, cryptocurrency, anything that has to do with platforms, trading forums, all of those different things that are around cryptocurrency and decentralized finance,” says Sherrod DeGrippo, the director of threat intelligence strategy at Microsoft. “The Jade Sleet group \[TraderTraitor\] is one of the most sophisticated groups within that echelon,” she says.

TraderTraitor first emerged around the start of 2022, multiple cybersecurity researchers say, and is likely an offshoot of the North Korean APT38 group that hacked the SWIFT financial system and attempted to steal $1 billion from the Central Bank of Bangladesh at the start of 2016. “They walked off with very little money,” says DTEX Systems’s Barnhart. “In that moment you had a real, significant shift.”

Barnhart says North Korea realized that relying on other people—such as money mules—could make their operations less effective. Instead, they could steal cryptocurrency. Two groups emerged from that tactical shift, Barnhart says, CryptoCore and TraderTraitor. “TraderTraitor is the most sophisticated of all,” he says. “And why? Because APT38 was the A team.”

Since then, TraderTraitor has been linked to multiple large-scale cryptocurrency thefts in recent years. For instance, the March 2024 theft of $308 million from Japan-based cryptocurrency company DMM has been linked to TraderTraitor by the FBI, Department of Defense, and police in Japan.

TraderTraitor typically targets people working at Web3 firms using spear-phishing messages—most often, people working on software development. “They know the individuals that work at these companies, they track them, they have profiles on them, they know which trading platforms are doing the most volume. They’re focused on that entire industry, understanding it backwards and forwards,” says Microsoft’s DeGrippo.

GitHub, which is owned by Microsoft, highlighted in July 2023 how TraderTraitor created fake accounts on the coding platform, plus LinkedIn, Slack, and Telegram. The TraderTraitor criminals can create fake personas that they use to message their targets or use real accounts that have been hacked, GitHub’s research says. In that instance, TraderTraitor invited developers to collaborate on GitHub, before ultimately infecting them with malware using malicious code. Recently, security researchers at Palo Alto Networks’ Unit 42 threat intelligence team found 50 North Korean recruiter profiles on LinkedIn and linked them back to TraderTraitor.

The group has been seen using “custom backdoors,” such as PLOTTWIST and TIEDYE, that target macOS, says Adrian Hernandez, a senior threat analyst at Google’s Threat Intelligence Group. “These are typically heavily obfuscated to prevent detection and thwart analysis,” Hernandez says. “Once UNC4899 \[TraderTraitor\] has gained access to valid credentials, we’ve observed this threat actor moving laterally and accessing other accounts to access hosts and systems, keeping a low profile and aiming to evade detection.”

Once the North Korean hackers have their hands on cryptocurrency or digital wallets, the money laundering often follows a similar pattern, as cryptocurrency tracing firm Elliptic outlined in a blog post breaking down the Bybit hack. To avoid having cryptocurrency wallets frozen, they quickly swap stolen tokens—which are often issued by centralized entities and can have restrictions placed upon them—for more mainstream cryptocurrency assets like ether and bitcoin that are harder to limit.

“The second step of the laundering process is to ‘layer’ the stolen funds in order to attempt to conceal the transaction trail,” Elliptic writes. This means splitting the funds into smaller amounts and sending them to multiple wallets. With Bybit, Elliptic writes, money was sent to 50 different wallets that were then emptied in the coming days. This cryptocurrency is then moved through various cryptocurrency exchanges, converted into bitcoin, and passed through crypto mixers that aim to obscure crypto transactions.

“North Korea is the most sophisticated and well-resourced launderer of crypto assets in existence, continually adapting its techniques to evade identification and seizure of stolen assets,” Elliptic says in its blog post.

In addition to cryptocurrency heists, TraderTraitor has been linked to hacks at software supply chain companies, most prominently JumpCloud in June 2023. Compromising software used by multiple companies may provide the hackers a stealthier way into their intended targets. “That could impact any tech industry, any organization that uses that software,” says Andy Piazza, senior director for threat research at Unit 42.

As TraderTraitor has increasingly garnered attention over the past couple of years, Piazza says he has seen the group improve their operations and attempt to evade detection. For example, Unit 42’s recent research noted that TraderTraitor had been using malware the researchers called RN Loader that installs an information stealer and then deletes itself, making it harder to detect.

“You can definitely tell that they’re stepping up,” Piazza says.

Piazza says that unlike haphazard Russian hacking groups—which were both in the networks of the DNC simultaneously around 2016—there appears to be more organization with the North Korean groups. “It seems more coordinated that they're not bumping into each other out in the battle space,” Piazza says. “They’re really showing that they have the capability to be focused on that OPSEC, to be focused on that persistence capability.”

North Korea’s hacking operations may be even more complex than many realize. According to Piazza and other experts WIRED spoke to, the crypto hackers and the undercover IT workers may even coordinate. Their tactics show some “overlap,” Piazza says.

“If you right now went out onto some type of freelance website and said that you are a brand-new crypto startup and you’re looking for developers before the day is out, you would have North Koreans in your inbox,” Barnhart, the DTEX Systems researcher, says. He says some North Korean hackers can bounce between the country’s different groups, and there’s the possibility that they could also work with or alongside its IT workers. There may be more overlap than people thought, Barnhart says.

“Whenever we attribute this \[hacking\] back to TraderTraitor, was nobody else involved? Did somebody else have a hand in there?”

TraderTraitor: The Kings of the Crypto Heist

Millions of scam text messages are sent every month. The Chinese cybercriminals behind many of them are expanding their operations—and quickly innovating.

The scam text messages follow a similar pattern: You need to pay an outstanding toll road fee, or a parcel can’t be properly delivered, they say. “The USPS package arrived at the warehouse but could not be delivered due to incomplete address information,” reads one typical message.

A link in the message points to a realistic website where you are asked to enter more details and make a small payment—while behind the scenes, cybercriminals hoover up your information and credit card digits in real time.

These messages originate from one prolific collection of loosely linked cybercriminals: “smishing” syndicates.

Over the past three years, these Chinese-speaking fraudsters have developed and operated the world’s foremost smishing operation, spamming millions of people with text messages and likely stealing millions of dollars in the process. The term “smishing” is a mashup of SMS and phishing emails, which try to trick people into handing over personal details. Text messages, though, add a layer of urgency and may catch people off-guard as they go about their busy day.

Now, these groups are quickly adapting their methods and expanding their scamming, security experts say.

“They operate very similar to a \[legitimate\] business in a lot of ways,” says Grant Smith, the founder of offensive cybersecurity firm Phantom Security who last year hacked one Chinese-language group and uncovered how its internal phishing kits function.

“The vast majority of the kits I see nowadays are surprisingly well put together,” Smith says. “They are constantly developing these, constantly updating them, making them look better, making them more secure.”

Multiple Chinese-speaking smishing groups and individual actors are involved in the ongoing development of new techniques and running the large-scale fraud. Often, groups will even sell the kits they develop to less sophisticated cybercriminals to easily operate.

Ford Merrill, a security researcher at SecAlliance, part of the CSIS Security Group, has been tracking the syndicates for two years and says there are now seven “major” Chinese “phishing-as-a-service” actors. “They have been enabling global SMS-based phishing campaigns at a massive scale since early 2023 onwards,” he tells WIRED.

Criminals will create websites impersonating companies or brands—such as postal services, tax authorities, telecoms, utilities companies, and increasingly payment providers—and then send texts (either SMS, encrypted iMessage, or RCS) that entice people to enter their personal information and bank cards on the fraudulent websites. This process requires the fraudsters to register thousands of domains and use Apple iCloud accounts.

One of the most prominent of the smishing actors is often referred to as the Smishing Triad—although security researchers group Chinese-speaking threat actors and affiliates in different ways—which has impersonated organizations and brands in at least 121 countries, according to recent research by security company Silent Push.

Around 200,000 domains have been used by the group in recent years, the research says, with around 187 top-level domains—such as .top, .world, and .vip—being used. Across one recent 20-day period, there were more than 1 million page visits to scam websites used by the Smishing Triad, according to Silent Push.

Besides collecting names, emails, addresses, and bank card details, the websites also prompt people to enter one-time passwords or authentication codes that allow the criminals to add bank cards to Apple Pay or Google Wallet, allowing them to use the cards while on the other side of the world.

“They have effectively turned the modern digital wallet, like Apple Pay or Google Wallet, into the best card-cloning device we’ve ever invented,” Merrill says.

In Telegram groups linked to the cybercriminal organizations, some members share photos and videos of bank cards being added to digital wallets on iPhones and Androids. For instance, in one video, scammers allegedly show off dozens of virtual cards that they have added to phones they are using.

Merrill says the criminals may not make payments using the cards they’ve added to digital wallets straightaway, but it probably won’t take long.

“When we first started seeing this, they would wait between 60 and 90 days before actually stealing money from the cards,” he explains, adding that at first the criminals would let the cards “age” on a device in an attempt to look legitimate. “Nowadays you would be lucky if they wait seven days or even a couple days. Once they hit the card, they hit it hard and fast.”

“Security is core to the Google Wallet experience, and we work closely with card issuers to prevent fraud,” says Google communications manager Olivia O'Brien. “For example, banks notify customers when their card has been added to a new Wallet, and we provide signals to help issuers detect fraudulent behavior so they can decide whether to approve added cards.”

Apple did not respond to WIRED’s request for comment.

The giant scam ecosystem is powered in part by commercial underground scamming services. Findings from security firm Resecurity, which has tracked the Smishing Triad for more than two years, says the group has been using “bulk” SMS and message-sending services as it has expanded the number of messages it sends.

Meanwhile, as multiple security researchers have noted, the Smishing Triad group also uses its own software, called Lighthouse, to collect, manage, and store people's personal information and card details. A video of the Lighthouse software originally shared on Telegram and republished by Silent Push shows how the system collects card details.

The latest version of the software, which was updated in March this year, “targets dozens of financial brands” including PayPal, Mastercard, Visa, and Stripe, Silent Push says. In addition, the research says, Australian banking brands appear to be impersonated, indicating a potential further expansion of targets.

The smishing groups are constantly improving their own scamming software. Smith, the researcher who hacked a smishing gang, says he has seen groups operating their own development pipelines for their software and systems.

“Recently they were using some custom-made software that they had to basically replicate Jira and have tickets open for any issues with the platform and any customer complaints,” Smith says. “They would assign them to team members.”

Chinese smishing groups do not appear to be slowing down. The cybercriminals are behind huge waves of toll road text scams sweeping across the United States this year, says Shawn Loveland, the chief operating officer at Resecurity. “They’re increasing in their scale and their volume of attacks,” he says.

Loveland says there may be multiple ways to limit the effectiveness of smishing operations. Domain registrars could get better at detecting fraudulent websites, for example, and improved spam filtering on messages would help potential victims. Plus, law enforcement could target the platforms and systems they use to create accounts and send messages.

Making it harder for smishing groups to successfully operate could reduce profits and have a cooling effect on the surging criminal ecosystem, Loveland says.

“Criminals have a supply chain, and you don't have to go after all the components in the supply chain,” he says. “You can go after choke points in the supply chain.”

Smishing Triad: The Scam Group Stealing the World’s Riches

For the past decade, this group of FSB hackers—including “traitor” Ukrainian intelligence officers—has used a grinding barrage of intrusion campaigns to make life hell for their former countrymen and cybersecurity defenders.

Russian state hackers, perhaps more than those of any other nation, tend to show off. The notorious Sandworm unit within Russia's GRU military intelligence agency, for instance, has triggered unprecedented blackouts and released destructive, self-replicating code. The FSB's ingenious Turla group has hijacked satellite internet connections to steal victims' data from space. But one team of less-flashy cyberspies working on behalf of the Kremlin rarely earns the same notice: Armageddon, or Gamaredon.

The hackers, believed to work in the service of Russia's FSB intelligence agency, aren't known for their sophistication. Yet they have strung together a decade-plus record of nearly constant espionage-focused breaches, grinding away with simple, repetitive intrusion methods, year after year. Thanks to that sheer overwhelming quantity of hacking attempts, they represent by some measures the top espionage threat facing Ukraine in the midst of its war with Russia, according to cybersecurity defenders who track the group.

“They are the most active state-aligned hacker group attacking Ukrainian organizations, by far,” says Robert Lipovsky, a malware researcher at Slovakian cybersecurity firm ESET.

ESET has tracked Gamaredon as it's breached the networks of hundreds of victims in Ukraine, stealing thousands of files on a daily basis, Lipovsky says. “Their operation is highly effective," says Robert Lipovsky, a malware researcher at ESEThe adds. "Volume is their big differentiator, and that's what makes them dangerous.”

If Gamaredon doesn't behave like other Russian hacking groups, that's in part because some of them aren't Russian nationals—or weren't, technically, until 2014.

According to the Ukrainian government, Gamaredon's hackers are based in Crimea, the peninsula of Ukraine that was seized by Russia following Ukraine's Maidan revolution. Some of them previously worked on behalf of Ukraine's own security services before switching sides when Russia's Crimean occupation began.

“They are officers of the ‘Crimean’ FSB and traitors who defected to the enemy,” reads one 2021 statement from the Ukrainian SBU intelligence agency, which alleges the group carried out more than 5,000 attacks on Ukrainian systems including critical infrastructure like “power plants, heat and water supply systems.”

The group's initial access techniques, ESET’s Lipovsky says, consist almost entirely of simple spearphishing attacks—sending victims spoofed messages with malware-laced attachments—as well as malicious code that can infect USB drives and spread from machine to machine. Those relatively basic tactics have hardly evolved since the group first appeared as a threat aimed at Ukraine in late 2013. Yet by tirelessly cranking away at those simple forms of hacking and targeting practically every Ukrainian government and military organization—as well as Ukrainian allies in Eastern Europe—on a daily basis, Gamaredon has proven to be a serious and often underestimated adversary.

“People sometimes don’t realize how big a part ‘persistence’ plays in the phrase APT,” says John Hultquist, chief analyst for Google's Threat Intelligence Group. "They’re just relentless. And that itself can be kind of a superpower.”

In October 2024, the Ukrainian government went as far as to sentence two of Gamaredon's hackers in absentia for not only hacking crimes but treason. A statement from the SBU at the time accused the two men—neither of whom are named—of having “betrayed their oath” by voluntarily joining the FSB.

For Gamaredon's former SBU hackers, turning on their former countrymen may not have resulted in the perks they hoped. Aside from the apparent slog of their nonstop phishing campaigns, intercepted phone communications between members of the group published by the SBU appear to show them complaining about their low pay and lack of recognition. “They should have given you a medal,” one team member says to another in the Russian-language conversation. “Screwed one more time.”

Given how mind-numbingly workaday their hacking campaigns are, it's no wonder they complained about their working conditions, says Google's Hultquist.

"Drudgery is so core to their operations,” he says. "This group grinds out wins."

As disgruntled as Gamaredon's hackers may be, defending against their constant barrage of spying attempts is at least as difficult and boring, say some of the defenders tasked with tracking them. The group writes its malware in relatively unsophisticated scripting languages like VBScript and Powershell rather than the C++ used by savvier hackers. But Gamaredon tweaks its humdrum code constantly, sometimes with automated changes to create endlessly differentiated versions designed to defy antivirus, according to ESET, whose anti-malware products are used widely across Ukraine.

In some cases, the hackers infect the same machine with numerous malware specimens, and hit so many targets that ESET hasn't even been able to identify all of the group's victims, despite closely tracking Gamaredon's campaigns.

“It's exhausting work,” says Anton Cherepanov, an ESET malware researcher. “People overdose and get burnt out.”

Since the start of Russia's full-scale war in Ukraine in 2022, Gamaredon has evolved to broaden its intelligence collection to messaging tools like Signal, WhatsApp, and Telegram, as well as the Delta software used by the Ukrainian military on tablet computers. A 2023 report by CERT-UA, the Computer Emergency Response Team of Ukraine, warned that Gamaredon has on at least one occasion launched a data-destroying attack against a victim facility, though it usually confines itself to mere intelligence gathering on behalf of the Russian military effort.

The same report notes that once Gamaredon infects a machine, it often starts stealing files in as little as 30 minutes. By the end of a week, if the machine remains infected, the hackers will have installed 80 to 120 variants of its malware on the computer. If defenders fail to delete even one, the hackers keep their foothold and can maintain access to that device.

All of that means Gamaredon represents a challenge that's painfully dull for cybersecurity defenders, but with dauntingly high stakes in the context of a war where stolen secrets can mean the difference between life and death.

“They're not interesting,” ESET malware researcher Zoltán Rusnák says. “Just dangerous.”

Source

Wired