Problems with the important security feature may be some of the first signs that Elon Musk’s social network is fraying at the edges.

Following two weeks of extreme chaos at Twitter, users are joining and fleeing the site in droves. More quietly, many are likely scrutinizing their accounts, checking their security settings, and downloading their data. But some users are reporting problems when they attempt to generate two-factor authentication codes over SMS: Either the texts don't come or they're delayed by hours.

The glitchy SMS two-factor codes mean that users could get locked out of their accounts and lose control of them. They could also find themselves unable to make changes to their security settings or download their data using Twitter's access feature. The situation also provides an early hint that troubles within Twitter's infrastructure are bubbling to the surface.

Not all users are having problems receiving SMS authentication codes, and those who rely on an authenticator app or physical authentication token to secure their Twitter account may not have reason to test the mechanism. But users have been self-reporting issues on Twitter since the weekend, and WIRED confirmed that on at least some accounts, authentication texts are hours delayed or not coming at all. The meltdown comes less than two weeks after Twiter laid off about half of its workers, roughly 3,700 people. Since then, engineers, operations specialists, IT staff, and security teams have been stretched thin attempting to adapt Twitter's offerings and build new features per new owner Elon Musk's agenda.

Reports indicate that the company may have laid off too many employees too quickly and that it has been attempting to hire back some workers. Meanwhile, Musk has said publicly that he is directing staff to disable some portions of the platform. “Part of today will be turning off the ‘microservices’ bloatware,” he tweeted this morning. “Less than 20 percent are actually needed for Twitter to work!”

Twitter’s communications department, which reportedly no longer exists, did not return WIRED's request for comment about problems with SMS two-factor authentication codes. Musk did not reply to a tweet requesting comment.

“Temporary outage of multifactor authentication could have the effect of locking people out of their accounts. But the even more concerning worry is that it will encourage users to just disable multifactor authentication altogether, which makes them less safe,” says Kenneth White, codirector of the Open Crypto Audit Project and a longtime security engineer. “It's hard to say exactly what caused the issue that so many people are reporting, but it certainly could result from large-scale changes to the web services that have been announced."

SMS texts are not the most secure way to receive authentication codes, but many people rely on the mechanism, and security researchers agree that it's better than nothing. As a result, even intermittent or sporadic outages are problematic for users and could put them at risk.

Twitter’s SMS authentication code delivery system has repeatedly had stability issues over the years. In August 2020, for example, Twitter Support tweeted, “We’re looking into account verification codes not being delivered via SMS text or phone call. Sorry for the inconvenience, and we’ll keep you updated as we continue our work to fix this.” Three days later, the company added, “We have more work to do with fixing verification code delivery, but we're making progress. We're sorry for the frustration this has caused and appreciate your patience while we keep working on this. We hope to have it sorted soon for those of you who aren't receiving a code.”

That the issue seems to be recurring now indicates, perhaps, that systems Twitter has long struggled to maintain are among the first to destabilize without adequate maintenance and support. Current and former employees have painted a picture of Twitter as having convoluted and brittle technical infrastructure. Meanwhile, Musk's revisions to Twitter's “blue check” account-authentication policies have led to rampant scams on the site and even more extensive content moderation issues than existed under previous leadership.

If you haven’t already, switch to an app for generating your multifactor authentication codes, such as Google Authenticator. On Twitter go to **“Settings and Support,”** tap **“Settings and privacy,”** then **“Security and account access,”** **“Security,”** and then “**Two-factor authentication.”** Disable **“Text message”** if you have it in and instead toggle **“Authentication app”** and follow the instructions for adding Twitter to your authentication app. Or if you prefer to use a physical authentication token, turn on **“Security key.”**

For users who can't receive their SMS two-factor codes, though, questions about whether Twitter is in decline or what could be coming next are moot—the site already feels broken.

“It’s hugely problematic to require 2FA for something and not be able to fulfill it for authentication, whether it’s SMS or anything else,” says Jim Fenton, an independent identity privacy and security consultant. “It’s problematic, because it’s denying service to Twitter users.”

Twitter’s SMS Two-Factor Authentication Is Melting Down

Mysterious crooks took hundreds of millions of dollars from FTX just as it collapsed. Crypto-tracing blockchain analysis may provide an answer.

Cryptocurrency has always offered a strange mix of temptations and challenges for anyone trying to steal it. As digital cash, held in multibillion-dollar sums on hackable, internet-connected networks, it presents a lucrative target. But once it's stolen, the blockchains that almost every cryptocurrency is built on make it possible to follow that money's every movement and, very often, to identify the thieves. So after a massive heist pulled nearly half a billion dollars worth of funds out of the already collapsing FTX cryptocurrency exchange yesterday, the world's crypto tracers are now closely tracking where that loot ends up—and looking for any clues that reveal the thief to be an FTX insider or just an opportunistic hacker.

On Friday, hours after the major cryptocurrency exchange FTX had filed for bankruptcy in the wake of its epic, 10-figure collapse, FTX's remaining funds were drained of more than $663 million worth of cryptocurrency, much of which appears to have been stolen. "FTX has been hacked," wrote an administrator in FTX's Telegram channel. "FTX apps are malware. Delete them." Exactly how FTX might have been breached—and whether its apps are, in fact, compromised—is far from clear, and FTX hasn't officially announced any theft. But the company's US general counsel wrote in a tweet that "unauthorized access to certain assets has occurred." (FTX did not respond to WIRED's request for comment.)

Soon, crypto-tracing and blockchain analysis firm Elliptic revealed that the $663 million outflow seemed to be a combination of FTX's movement of coins into its own storage wallets and a mysterious theft. According to Elliptic, fully $477 million of the funds appear to have been stolen, though another crypto-tracing firm, TRM Labs, puts the number at $338 million. Twenty-four hours after the theft, most of that money had moved into just a handful of cryptocurrency addresses—where the entire cryptocurrency tracing industry, a vast community of amateur crypto sleuths, and no doubt law enforcement agencies around the globe are now all watching it with an unblinking gaze.

That observability, for the FTX funds and for other stashes of stolen crypto, presents a serious challenge for any thief trying to cash out their haul into traditional currency. In this case, where regulators and an army of aggrieved creditors are looking for any sign that FTX's staff or owners may themselves be the culprits, it could ultimately help confirm that insiders were responsible for the theft—or instead show that external hackers took advantage of the chaos at FTX to pull off a burglary.

"We’re definitely watching the movements of these funds," says Chris Janczewski, the head of investigations at TRM Labs and a former special agent at the IRS's criminal investigations division. "This potential thief has hundreds of millions of dollars. But it's like they went into a bank, took as much cash as they could carry, and then the dye packs went off. They've got all this money, but now everyone knows it's connected to this bank robbery. What can you actually do with it?"

According to Elliptic's analysis, at least $220 million of funds stolen in the form of a variety of cryptocurrencies were quickly traded through decentralized exchanges—trading platforms that allow users to swap coins without giving identifying information—to convert them into the cryptocurrencies Ethereum and Dai. But cashing out those coins and the rest of the stolen loot will likely require trading it on a centralized exchange, which almost always requires users to hand over identifying information. The thieves may try to put the money through a "mixing" service that launders the coins by blending them with those of other users. But crypto-tracing blockchain analysts have proven they can often defeat those mixers—particularly when users are feeding very large sums into them. And some mixers, like the Tornado Cash service that was sanctioned by the US Treasury in August, render cryptocurrency untouchable for many exchanges or vulnerable to seizure.

That means it will be very difficult for the thieves to abscond with their profits in a spendable form without being identified, says Michelle Lai, a cryptocurrency privacy advocate, investor, and consultant who says she's been tracking the movements of the stolen FTX funds with "morbid fascination." But the real question, Lai says, is whether identifying the thieves will offer any recourse: After all, many of the most prolific cryptocurrency thieves are Russians or North Koreans operating in non-extradition countries, beyond the reach of Western law enforcement. "It's not a question of whether they'll know who did it. It's whether it will be actionable," says Lai. "Whether they're on-shore."

In the meantime, Lai and many other crypto-watchers have been closely eyeing one Ethereum address that is currently holding around $192 million worth of the funds. The account has been sending small sums of Ethereum-based tokens—some of which appear to have little to no value—to a variety of exchange accounts, as well as Ethereum inventor Vitalik Buterin and Ukrainian cryptocurrency fundraiser accounts. But Lai guesses that these transactions are likely meant to simply complicate the picture for law enforcement or other observers before any real attempt to launder or cash out the money.

The pilfering of FTX—whether the theft totals $338 million or $477 million—hardly represents an unprecedented haul in the world of cryptocurrency crime. In the late-March hack of the Ronin bridge, a gaming cryptocurrency exchange, North Korean thieves took $540 million. And earlier this year, cryptocurrency tracing led to the bust of a New York couple accused of laundering $4.5 _billion_ in crypto.

But in the case of the high-profile FTX theft and the exchange's overall collapse, tracing the errant funds might help put to rest—or confirm—swirling suspicions that someone within FTX was responsible for the theft. The company's Bahamas-based CEO, Sam Bankman-Fried, who resigned Friday, lost virtually his entire $16 billion fortune in the collapse. According to an unconfirmed report from CoinTelegraph, he and two other FTX executives are "under supervision" in the Bahamas, preventing them from leaving the country. Reuters also reported late last week that Bankman-Fried possessed a "backdoor" that was built into FTX's compliance system, allowing him to withdraw funds without alerting others at the company.

Despite those suspicions, TRM Labs' Janczewski points out that the chaos of FTX's meltdown might have provided an opportunity for hackers to exploit panicked employees and trick them into, say, clicking on a phishing email. Or, as Michelle Lai notes, bankrupted insider employees might have collaborated with hackers as a means to recover some of their own lost assets.

As the questions mount over whether—or to what degree—FTX's own management might be responsible for the theft, the case has begun to resemble, more than any recent crypto heist, a very old one: the theft of a half billion dollars worth of bitcoins, discovered in 2014, from Mt. Gox, the first cryptocurrency exchange. In that case, blockchain analysis carried out by cryptocurrency tracing firm Chainalysis, along with law enforcement, helped to pin the theft on external hackers rather than Mt. Gox's own staff. Eventually, Alexander Vinnik, a Russian man, was arrested in Greece in 2017 and later convicted of laundering the stolen Mt. Gox funds, exonerating Mt. Gox's embattled executives.

Whether history will repeat itself, and cryptocurrency tracing will prove the innocence of FTX's staff, remains far from clear. But as more eyes than ever scour the cryptocurrency economy's blockchains, it's a surer bet that the whodunit behind the FTX theft will, sooner or later, produce an answer.

The Hunt for the FTX Thieves Has Begun

Plus: US midterms survive disinformation efforts, the government names the alleged Lockbit ransomware attacker, and the Powerball drawing hits a security snag.

The United States took to the polls this week to vote in a high-stakes midterm election. With public trust in election systems at an all-time low, the secret ballot is more important now than ever before. We also took a look at a flawed app built by prominent right-wing provocateurs that has been used to challenge hundreds of thousands of voter registrations.

Meanwhile, the Department of Justice announced that a Georgia man has pleaded guilty to wire fraud nine years after stealing more than 50,000 bitcoins from the Silk Road, the legendary dark-web market. You may have heard that things are chaotic over at Twitter, with a wave of corporate impersonations plaguing the platform hours after the rollout of a service that allows anyone who pays $8 a month to get a blue check mark showing they are “verified.” It’s a gift for scammers and grifters of all shades.

New analysis shows that two large ships, with their trackers off, were detected near the Nord Stream 2 pipeline in the days before the gas leaks were detected. Officials suspect sabotage, and NATO is investigating. Plus, Russian military hackers are pivoting to a new strategy that favors faster attacks with more immediate results.

And there’s more. Each week, we highlight the news we didn’t cover in-depth ourselves. Click on the headlines below to read the full stories.

This week saw even more chaos at Twitter as security executives resigned after clashing with their new boss, Elon Musk, over how the company should meet its obligations to the Federal Trade Commission. After a pair of data breaches in 2009, Twitter agreed to submit regular reports about its privacy practices under the terms of a 2011 settlement with the Federal Trade Commission. The company settled with the FTC earlier this year after it was caught serving ads to user emails and phone numbers, which people supplied as part of their security measures. If Twitter doesn’t comply with its commitments to the agency, the FTC could fine the company billions of dollars.

On Wednesday, a day before the deadline for Twitter to submit a report to the FTC, Twitter’s chief information security officer, chief privacy officer, and chief compliance officer quit. The company’s head of Trust and Safety also left the company the following day.

In a message posted to Twitter’s Slack that was obtained by The Verge, an attorney on the privacy team wrote that engineers could be required to “self-certify” that their projects complied with the settlement, burdening the engineers with “personal, professional, and legal risk.” The employee added that Alex Spiro, Musk’s lawyer, told workers that “Elon puts rockets into space—he’s not afraid of the FTC.”

The resignations came as the company began battling a wave of corporate impersonators who gamed the company’s new paid verification system to shitpost hours after it launched.

About 60 of Maricopa county’s 223 voting locations reported technical issues on Election Day, frustrating voters and fueling conspiracies about election fraud. Technicians were dispatched to polling sites across Arizona’s largest county on Tuesday to fix dozens of malfunctioning vote tabulation machines. Election officials urged frustrated voters to vote at other locations or drop their ballots in a secure box to be counted later. “Everyone is still getting to vote. No one has been disenfranchised,” Bill Gates, chair of the Maricopa County board of supervisors, told reporters on Tuesday morning.

But that didn’t keep right-wing influencers, including former US president Donald Trump, from using the glitch to allege that votes were being suppressed. Researchers at the University of Washington found online chatter about tabulator problems started to trend after Republican activist Charlie Kirk posted about them; later in the day, Trump took to Truth Social to suggest, without evidence, that only “Republican areas” were impacted by the errors. Around 2:30 pm local time, officials in Arizona announced they had fixed the problem by changing the machines’ printer settings.

A Russian Canadian national named Mikhail Vasiliev was arrested in Canada on Wednesday over his alleged participation in the LockBit ransomware campaign, according to the US Justice Department and Europol. LockBit has claimed at least 1,000 victims, according to Deep Instinct’s 2022 Interim Cyber Threat Report, and is responsible for around 44 percent of ransomware campaigns this year. Vasiliev is charged with “conspiracy to intentionally damage protected computers and to transmit ransom demands” and is currently in Canada awaiting extradition to the United States. If convicted, he faces a maximum of five years in prison.

A security issue delayed a record-breaking $2.04 billion Powerball drawing after an unnamed state failed to submit the appropriate data and complete security protocols. According to the Multi-State Lottery Association, which runs Powerball, one of the regional lottery commissions failed to finish tabulating their sales and ticketing data in time for Monday night’s drawing. The 10-hour delay ended Tuesday with a single winner who had bought the ticket at Joe’s Service Center, a gas station in Altadena, California, state lottery officials said.

Elon Musk Introduces Twitter Mayhem Mode

Satellite monitors discovered two vessels with their trackers turned off in the area of the pipeline prior to the suspected sabotage in September.

The first gas leaks on the Nord Stream 2 pipeline in the Baltic Sea were detected in the early hours of September 26, pouring up to 400,000 tons of methane into the atmosphere. Officials immediately suspected sabotage of the international pipeline. New analysis seen by WIRED shows that two large ships, with their trackers off, appeared around the leak sites in the days immediately before they were detected.

According to the analysis by satellite data monitoring firm SpaceKnow, the two “dark ships,” each measuring around 95 to 130 meters long, passed within several miles of the Nord Stream 2 leak sites. “We have detected some dark ships, meaning vessels that were of a significant size, that were passing through that area of interest,” says Jerry Javornicky, the CEO and cofounder of SpaceKnow. “They had their beacons off, meaning there was no information about their movement, and they were trying to keep their location information and general information hidden from the world,” Javornicky adds.

The discovery, which was made by analyzing images from multiple satellites, is likely to further increase speculation about the cause of the blasts. Multiple countries investigating the incident believe the Nord Stream 1 and 2 pipelines were rocked by a series of explosions, with many suspicions directed at Russia as its full-scale invasion of Ukraine continues. (Russia has denied its involvement.) Once SpaceKnow identified the ships, it reported its findings to officials at NATO, who are investigating the Nord Stream incidents. Javornicky says NATO officials asked the company to provide more information. 

NATO spokesperson Oana Lungescu says it does not comment on the “details of our support or the sources used” but confirmed that NATO believes the incident was a “deliberate and irresponsible act of sabotage” and it has increased its presence in the Baltic and North Seas. However, a NATO official, who did not have permission to speak publicly, confirmed to WIRED that NATO had received SpaceKnow’s data and said satellite imagery can prove useful for its investigations.

To detect the ships, Javornicky says, the company scoured 90 days of archived satellite images for the area. The company analyzes images from multiple satellite systems—including paid and free services—and uses machine learning to detect objects within them. This includes the ability to monitor roads, buildings, and changes in landscapes. "We have 38 specific algorithms that can detect military equipment," Javornicky says, adding that SpaceKnow’s system can detect specific models of aircraft on landing strips.

Once it gathered archive images of the area, SpaceKnow created a series of polygons around the gas leak sites. The smallest of these, around 400 square meters, covered the immediate blast area, and larger areas of interest covered several kilometers. In the weeks leading up to the explosions, SpaceKnow detected 25 ships passing through the region, from “cargo ships to multipurpose larger ships,” Javornicky says. In total, 23 of these vessels had their automatic identification system (AIS) transponders turned on. Two did not have AIS data turned on, and these ships passed the area during the days immediately ahead of the leaks being detected.

By international law, large ships are required to install and use AIS. This vessel tracking system was created to help ships navigate and avoid potential collisions with other vessels. When turned on, AIS will broadcast a ship’s name, location, the direction of travel, speed, and other information.

It is relatively rare for ships to turn off their AIS transponders. Ships that “go dark” are often suspected of being involved in illegal fishing or modern slavery, with officials in Europe previously investigating ships that are believed to have turned off their AIS transponders. “It would not be common practice \[to have AIS turned off\], unless the vessels have a classified military mission or they would have some clandestine objectives, because the Baltic Sea is one of the busiest seas in the world in terms of commercial traffic,” says Otto Tabuns, the director of the Baltic Security Foundation, an NGO that focuses on the region.

Tabuns says the Baltic Sea has multiple main “arteries” where ships travel and it is “responsible” for ships in the area to have their AIS trackers turned on. Collisions at sea can be deadly and environmentally ruinous. “There are many places in the \[Baltic\] sea that are not navigable for bigger ships,” Tabuns says. “There are also some areas that are not recommended or where it is prohibited to ship because of the heritage of World War Two.” Decades-old wartime submarines and munitions litter the Baltic Sea’s floor.

SpaceKnow detected the ships that had AIS turned off using synthetic aperture radar (SAR) images from satellites. Most satellites observing Earth take photos of what’s beneath them; others, however, also use SAR to bounce radio waves off the ground and create images from them. Andrey Kurekin, a coastal ocean color scientist at the Plymouth Marine Laboratory who has analyzed satellite images for detecting objects at sea, says SAR technology can be useful for detecting ships, as it shows reflections from metal objects. “They are shown as bright objects in SAR images,” Kurekin says.

Kurekin says SAR images can be used to identify the longitude and latitude coordinates of a ship, the direction it is heading, and potentially to estimate its speed. “The main advantage of SAR over optical sensors is that the microwaves penetrate through clouds,” Kurekin says. The images are less impacted by the weather and can also provide visibility at night. “It's quite difficult to hide a ship from a SAR sensor,” Kurekin adds.

SAR images of the dark ships shared with WIRED show the vessels as glowing objects, not far from the explosion site around Nord Stream 2. “We assume it was one of those two dark ships that we have detected, but we're not making any decision,” Javornicky says. He says the company is not in the business of determining what may have happened or who is responsible but instead provided the data to authorities.

Kurekin cautions that AIS tracking systems onboard ships can, at times, fail. The signal from AIS could stop communicating with satellites or receivers on land, Kurekin says, adding that the signal can be impacted by the weather too. “If there is a vessel that you can see in SAR image but it's not reported by the AIS system, it does not necessarily mean that there's something wrong with this vessel,” Kurekin says. Signals from AIS transponders can also be manipulated—warships have had their AIS data spoofed, and ships around Russia and the Black Sea have vanished from trackers in recent years.

While there are multiple ongoing investigations into the explosions, determining the full picture of what happened may take some time. Police in Copenhagen said its initial investigations have determined that “powerful explosions” caused “extensive damage” to the pipes. Images taken from around the exploded sections of the pipe appear to show that at least 50 meters of the pipeline were destroyed in the explosions.

In an email, the Swedish security service, Säkerhetspolisen, said that due to “secrecy” around its operations, it could not discuss its investigation or whether it was looking at satellite data. However, agency spokesperson Gabriel Wernstedt says the organization is conducting a “criminal investigation of gross sabotage” around both the Nord Stream 1 and 2 pipes. “Certain seizures were made during the onsite investigations that are being analyzed,” Wernstedt says. In public statements, Säkerhetspolisen has confirmed denotations happened at the pipes and that the Swedish armed forces are involved in the investigations.

However, while the investigations are ongoing, there appear to be difficulties between the countries that are looking into the incident, which could slow the process. While Sweden says it is working with investigators in Germany and Denmark, the official leading its investigation has rejected plans to form a joint investigation.

Tabuns says he hopes that the incident will act as motivation for countries to work on better ways to share intelligence, particularly as Sweden and Finland apply to join NATO. Each country will have its own levels of classification for information and systems where it collects intelligence—these may often not be compatible, Tabuns says. However, he adds that the events should see countries look at increasing the “integration of existing national systems so that there would be real-time information sharing for any response.”

_Update 9:30 am, 11-11-22: Added statement from NATO._

‘Dark Ships’ Emerge From the Shadows of the Nord Stream Mystery

Questions about the Kremlin’s relationships with these groups remain. But researchers are finally getting some answers.

Russia-based ransomware gangs are some of the most prolific and aggressive, in part thanks to an apparent safe harbor the Russian government extends to them. The Kremlin doesn't cooperate with international ransomware investigations and typically declines to prosecute cybercriminals operating in the country so long as they don't attack domestic targets. A long-standing question, though, is whether these financially motivated hackers ever receive directives from the Russian government and to what extent the gangs are connected to the Kremlin's offensive hacking. The answer is starting to become clearer.

New research presented at the Cyberwarcon security conference in Arlington, Virginia, today looks at the frequency and targeting of ransomware attacks against organizations based in the United States, Canada, the United Kingdom, Germany, Italy, and France in the lead-up to these countries' national elections. The findings suggest a loose but visible alignment between Russian government priorities and activities and ransomware attacks leading up to elections in the six countries.

The project analyzed a data set of over 4,000 ransomware attacks perpetrated against victims in 102 countries between May 2019 and May 2022. Led by Karen Nershi, a researcher at the Stanford Internet Observatory and the Center for International Security and Cooperation, the analysis showed a statistically significant increase in ransomware attacks from Russia-based gangs against organizations in the six victim countries ahead of their national elections. These nations suffered the most total ransomware attacks per year in the data set, about three-quarters of all the attacks.

“We used the data to compare the timing of attacks for groups we think are based out of Russia and groups based everywhere else,” Nershi told WIRED ahead of her talk. “Our model looked at the number of attacks on any given day, and what we find is this interesting relationship where for these Russia-based groups, we see an increase in the number of attacks starting four months before an election and moving three, two, one month in, up to the event.”

The data set was culled from the dark-web sites that ransomware gangs maintain to name and shame victims and pressure them to pay up. Nershi and fellow researcher Shelby Grossman, a scholar at the Stanford Internet Observatory, focused on popular so-called “double extortion” attacks in which hackers breach a target network and exfiltrate data before planting ransomware to encrypt systems. Then the attackers demand a ransom not only for the decryption key but to keep the stolen data secret instead of selling it. The researchers may not have captured data from every single double-extortion actor out there, and attackers may not post about all of their targets, but Nershi says the data collection was thorough and that the groups typically have an interest in publicizing their attacks.

The findings showed broadly that non-Russian ransomware gangs didn't have a statistically significant increase in attacks in the lead-up to elections. Whereas two months out from a national election, for example, the researchers found that organizations in the six top victim countries were at a 41 percent greater chance of having a ransomware attack from a Russia-based gang on a given day, compared to the baseline. 

The increase wasn't visible in every sector, though. Russia-based ransomware gangs did seem to target government organizations and infrastructure at a slightly elevated rate two months out from a country's national election, but Nershi says the total number of attacks on government entities in the data set was small to begin with. The analysis didn't find a statistically significant increase in the number of attacks against organizations in the communications, finance, energy, and utility sectors leading up to elections. But because of the overall increase in attacks across all types of organizations, the researchers theorize that there may be a spillover effect that the Russian government's general increase of cyber activity in the lead-up to an election in one of the six countries indirectly fuels ransomware attacks.

“We are theorizing that there seems to be some level of loose ties between these ransomware groups based in Russia and the Russian government,” Nershi said, "In that they are criminal organizations, they’re in it for profit, but it seems like occasionally the Russian government will ask them for favors, and they’ll agree to operate on this sort of ad hoc basis."

The research aligns with other recent analyses and information, including details from a massive trove of chat logs leaked earlier this year that showed how the notorious Conti ransomware group operates. The data indicated that Conti members very likely have connections within Russia's FSB intelligence agency and knowledge of Russian military hacking operations, painting a picture of loose and ad hoc cooperation. 

“What the groups get out of it is generally not being prosecuted. And for the Russian government, it can allow them to outsource to some degree certain tasks in a way that gives them plausible deniability,” Nershi says. "As I perceive it, it's a strange, nebulous, ambiguous relationship."

Russia’s Sway Over Criminal Ransomware Gangs Is Coming Into Focus

Anyone can get a blue tick on Twitter without proving who they are. And it’s already causing a ton of problems.

At the end of August, Sean Murphy was trying to book a flight between Nairobi, Kenya, and Entebbe, Uganda, with Kenya Airways. “The information on the booking page was ambiguous,” says Murphy, the cofounder of Web3 company ImpactScope. So he fired off a quick direct message to the verified Kenya Airways account on Twitter, asking it to confirm baggage allowances for the flight. A day later, when the account didn’t reply, he sent the company a public tweet reminding it about the question. Then the replies started.

Within minutes, multiple Twitter accounts claiming to be Kenya Airways tweeted him. All of them offered help, but none of them appeared official. The accounts used Kenya Airways’ logo and slogan, but clicking on their profiles raised red flags. “Most of their messages were well crafted,” Murphy says. “However, the low number of followers coupled with the spelling errors or odd choice of characters in their actual Twitter handles was the main giveaway.” The accounts included “@\_1KenyaAirways” and “@kenyaairways23.”

It’s now easier for Twitter accounts to appear official. In the chaotic days since Elon Musk completed his $44 billion takeover of Twitter and subsequently fired thousands of staff, the social network has revamped how its account verification works. The new Twitter Blue subscription, which has started rolling out to some users, allows anyone to pay $8 per month and get a blue check mark showing they are “verified.” The tick appears almost instantly once someone stumps up the cash, and no questions are asked—people do not have to prove their identity.

The verification symbol is a stark difference from Twitter’s previous approach to verification when only accounts belonging to brands, public figures, and governments were provided with blue ticks next to their name. In all those instances, verification was approved by Twitter staff. The new verification process—or lack of it—is likely to make it easier for scammers, cybercriminals, and peddlers of disinformation to hone their craft and appear legitimate.

“Cybercriminals very easily use social media as the perfect vehicle to target unbeknown victims, but when there is no clear and genuine way to check identities, you open up a path to impersonated accounts, which will no doubt be abused by threat actors in the search of a con,” says Jake Moore, global cybersecurity advisor at security firm ESET.

Things are already messy. Straight after Twitter Blue’s verification started rolling out, accounts impersonating people and brands appeared. Some people appeared to be testing the system; others were causing trouble. In some cases, new accounts were used, and in others, years-old Twitter accounts had been converted to blue-tick status. One account called Nintendo of America (handle: @nIntendoofus) tweeted a picture of Mario giving people the finger. Apple TV+ was impersonated along with gaming firm Valve, Donald Trump, and basketball star LeBron James. A post from an account pretending to be an ESPN analyst gained more than 10,000 engagements before it was deleted, fact-checking organization Snopes reported. The account had “NOT” in its handle, and its bio described it as a parody. As of yesterday, amid a surge of impersonation accounts, Twitter had paused allowing new accounts to purchase verification.

Twitter’s new approach to verified accounts is focused on the Twitter Blue subscription. Once a user pays, the blue tick appears next to an account’s name. If someone clicks on the tick, a message explains it is there because it has been purchased. In Twitter’s timeline, a user’s blue tick is shown prominently next to the name they give their account (which can easily be changed), rather than their username handle.

Cybercriminals have, of course, tried to scam people or impersonate them on social media for years, and they are always trying to stay one step ahead of the people hunting them down. Many scams involve convincing people that an account is authentic and then manipulating them via social engineering to hand over credit card details or personal information. These kinds of scams persist as criminals get results from them.

Support account scams—where a bad actor impersonates a company’s customer service team, as with Sean Murphy’s experience with Kenya Airways—are common. Kenya Airways’ official Twitter account has previously warned about accounts that impersonate it (one of these is not verified). Rachel Tobac, the cofounder of SocialProof security, which focuses on social engineering, says these support account scams will be easier to conduct on Twitter as there are fewer steps scammers need to take before they start impersonating official accounts.

“Previously, cybercriminals needed to procure a verified Twitter page by phishing the verified user to steal their credentials, buy stolen credentials online, or find the reused credentials in a password repository post data breach,” Tobac says. “Now the scammers can just use a stolen credit card to purchase a verified account and begin their scamming.” Millions of people’s credit card details can be purchased online and a single stolen card can cost just $1.

Musk has claimed that the $8 Twitter subscription fee will discourage bad actors from creating accounts, particularly at scale. The CEO has also said that accounts subscribing to Twitter Blue will have their tweets shown above non-verified accounts in search results. In a Twitter Space aimed at advertisers this week, Musk said he wanted to stop fake accounts and that bad actors “don’t have a million credit cards and phones.” (In one incident in February, Ukrainian officials shut down an alleged Russian-linked bot operation that used 3,000 SIM cards and had created more than 18,000 online accounts.)

Twitter also briefly launched and removed an “official” label that was placed on some public accounts. “Please note that Twitter will do lots of dumb things in coming months,” Musk tweeted this week. “We will keep what works & change what doesn’t.” (Twitter did not immediately respond to a request for comment, although it is believed many of its press office team were let go in the recent Twitter layoffs.)

Beyond allowing scammers to appear genuine, multiple experts believe that the verification changes could erode what it means for legitimate accounts to be verified on social media. “The shift to purchasing verified accounts will likely greatly reduce the trust that users, emergency services, public utilities, journalists, and brands have in Twitter verified accounts, as it’s unlikely that Twitter will quickly catch and shut down every new Twitter Blue verified account that is impersonating others,” Tobac says.

In addition to scams, the ability to quickly create genuine-looking verified accounts is also likely to aid disinformation campaigns. For years, Russian, Chinese, and Iranian state-supported actors have tried to manipulate many conversations online. They can create thousands of fake accounts in attempts to amplify disinformation. “We know that disinformation actors, particularly those that are linked to governments, have budgets,” says Elise Thomas, a senior OSINT analyst at the Institute for Strategic Dialogue who has focused on misinformation and disinformation. “We’ve already seen many disinformation campaigns buy web domains, spend thousands or tens of thousands on advertising, purchase bot accounts in bulk, and employ trolls.”

As noted by Eliot Higgins, the founder of the investigative unit Bellingcat, which among other things has uncovered Russian disinformation and exposed its network of international spies, it would be trivial for a government to pay for verified accounts. In 2018, Russia’s Internet Research Agency, which has consistently pumped out disinformation, had a budget of around $10 million. “Beyond impersonation of real people and organizations, it could also allow disinformation operations to create new personas—for example, journalists or government agencies that don’t exist—and make that fake persona seem more credible with a check mark,” Thomas says.

And state-backed actors haven’t needed verified marks to sow information chaos in the past. “Many state-backed disinformation campaigns use fake accounts to amplify user-generated content that is divisive and polarizing in order to get topics to trend, and to make voices at the fringe appear louder than they are,” says Samantha Bradshaw, an assistant professor in new technology and security at American University. “It is therefore unclear whether this policy will raise the cost of influence operations in a meaningful way.” Russian state-backed Twitter accounts have previously managed to be quoted in the press hundreds of times, without any verification at all.

As the rollout of Twitter Blue continues, staff at the newly cut Twitter may face an uphill battle in determining whether accounts are part of coordinated efforts to influence discourse online or are indeed authentic. Twitter’s own staff have hinted that verification without identity checks may have to change in the future. Yoel Roth, Twitter’s head of trust and safety, said that in the short term the company will “ramp up” proactive reviews of accounts that appear to be impersonating other people. “I think we need to invest more in identity verification as a complement to proof-of-humanness,” Roth tweeted. “Paid Verification is a strong (not perfect) signal of humanness, which helps fight bots and spam. But that’s not the same thing as identity verification.”

Elon Musk's Twitter Blue Verification Is a Gift to Scammers

Security researchers see updated tactics and tools—and a tempo change—in the cyberattacks Russia’s GRU military intelligence agency is inflicting on Ukraine.

Since Russia launched its catastrophic full-scale invasion of Ukraine in February, the cyberwar that it has long waged against its neighbor has entered a new era too—one in which Russia has at times seemed to be trying to determine the role of its hacking operations in the midst of a brutal, physical ground war. Now, according to the findings of a team of cybersecurity analysts and first responders, at least one Russian intelligence agency seems to have settled into a new set of cyberwarfare tactics: ones that allow for quicker intrusions, often breaching the same target multiple times within just months, and sometimes even maintaining stealthy access to Ukrainian networks while destroying as many as possible of the computers within them.

At the CyberwarCon security conference in Arlington, Virginia, today, analysts from the security firm Mandiant laid out a new set of tools and techniques that they say Russia’s GRU military intelligence agency is using against targets in Ukraine, where the GRU’s hackers have for years carried out many of the most aggressive and destructive cyberattacks in history. According to Mandiant analysts Gabby Roncone and John Wolfram, who say their findings are based on months of Mandiant’s Ukrainian incident response cases, the GRU has shifted in particular to what they call “living on the edge.” Instead of the phishing attacks that GRU hackers typically used in the past to steal victims’ credentials or plant backdoors on unwitting users’ computers inside target organizations, they're now targeting “edge” devices like firewalls, routers, and email servers, often exploiting vulnerabilities in those machines that give them more immediate access.

That shift, according to Roncone and Wolfram, has offered multiple advantages to the GRU. It's allowed the Russian military hackers to have far faster, more immediate effects, sometimes penetrating a target network, spreading their access to other machines on the network, and deploying data-destroying wiper malware just weeks later, compared to months in earlier operations. In some cases, it's enabled the hackers to penetrate the same small group of Ukrainian targets multiple times in quick succession for both wiper attacks and cyberespionage. And because the edge devices that give the GRU their footholds inside these networks aren't necessarily wiped in the agency's cyberattacks, hacking them has sometimes allowed the GRU to keep their access to a victim network even after carrying out a data-destroying operation.

"Strategically, the GRU needs to balance disruptive events and espionage," Roncone told WIRED ahead of her and Wolfram's CyberwarCon talk. "They want to continue imposing pain in every single domain, but they are also a military intelligence apparatus and have to keep collecting more real-time intelligence. So they've started 'living on the edge' of target networks to have this constant ready-made access and enable these fast-paced operations, both for disruption and spying."

In a timeline included in their presentation, Roncone and Wolfram point to no fewer than 19 destructive cyberattacks Russia has carried out in Ukraine since the beginning of this year, with targets across the country's energy, media, telecom, and finance industries, as well as government agencies. But within that sustained cyberwarfare barrage, the Mandiant analysts point to four distinct examples of intrusions where they say the GRU's focus on hacking edge devices enabled its new tempo and tactics.

In one instance, they say, GRU hackers exploited the vulnerability in Microsoft Exchange servers known as ProxyShell to get a foothold on a target network in January, then hit that organization with a wiper just the next month, at the start of the war. In another case, the GRU intruders gained access by compromising an organization's firewall in April of 2021. When the war began in February, the hackers used that access to launch a wiper attack on the victim network's machines—and then maintained access through the firewall that allowed them to launch _another_ wiper attack on the organization just a month later. In June 2021, Mandiant observed the GRU return to an organization it had already hit with a wiper attack in February, exploiting stolen credentials to log into its Zimbra mail server and regain access, apparently for espionage. And in a fourth case, last spring, the hackers targeted an organization's routers through a technique known as GRE tunneling that allowed them to create a stealthy backdoor into its network—just months after hitting that network with wiper malware at the start of the war.

Separately, Microsoft’s Threat Intelligence Center, known as MSTIC, revealed today yet another example of the GRU launching repeated cyberattacks on the same Ukrainian targets. According to MSTIC, the hacker group it calls Iridium, more widely known as the GRU hacking unit Sandworm, was responsible for Prestige ransomware attacks that hit transportation and logistics targets in Ukraine and Poland from March to October of this year. MSTIC notes that many of the victims of that ransomware had earlier been hit with the wiper tool HermeticWiper just before Russia’s February invasion—another piece of data-destroying malware linked to the GRU.

The GRU, Roncone and Wolfram point out, have certainly targeted "edge" devices before this new phase of the agency cyberwar in Ukraine. In 2018, the agency's hackers infected more than half a million routers worldwide with malware known as VPNFilter, and they similarly attempted to create a botnet of hacked firewall devices that was discovered just ahead of Russia's Ukraine invasion in February.

But the Mandiant analysts argue that only now are they seeing that hacking of edge devices used to accelerate the agency's pace of operations and to achieve persistence inside networks that lets the GRU pull off repeated intrusions against the same victims. That's meant that instead of having to choose between stealthy cyberespionage and disruptive cyberattacks that destroy the very systems they're spying on, the agency has been able to "have their cake and eat it too," as Roncone puts it.

Ukraine's own cybersecurity agency, known as the State Services for Special Communications and Information Protection, or SSSCIP, agrees with Mandiant's conclusion that Russia has quickened its pace of cyber-operations since the start of the war in February, according to Viktor Zhora, a senior SSSCIP official. He confirms that the GRU, in particular, has come to favor targeting edge devices while other Russian intelligence agencies, such as the FSB, continue to use phishing emails as a common tactic. But he argues that the examples of repeated wiping of the same organization in quick succession, or a wiping attack followed by an espionage operation against the same target, remain relatively rare.

Instead, Zhora contends that the GRU's switch to a faster operating rhythm shows how the agency's hackers are racing—struggling, even—to keep up with the speed of physical war.

“Operating in a covert mode over the last eight years, having unlimited financial resources, widely available human resources, gave them a lot of opportunities. They used that time to test, to probe and develop new technologies. Now, they’ve needed to increase the density of their attacks, and they require much more resources," says Zhora. "They still try to carry out their expected role, to be Russia's most active and destructive agency. But with sanctions, with the intellectual flow out of Russia, with difficulties in human resources and infrastructure, their operational limits are significantly greater. But we can see in the tactics they use that they're still seeking new opportunities for intelligence and wiping options."

At times, Roncone and Wolfram say, GRU hackers do seem to be struggling to keep up with the new pace they've set. In one case, they saw the hackers backdoor an email server but set up their command-and-control server incorrectly, so that they failed to control it. In another case, they sent the wrong commands to a wiper tool, so that it failed to wipe the systems it had infected. "It's just the tempo and probably a bit of human error and burnout that leads to these sort of 'oopsies,'" says Roncone.

Another shift in the GRU's hacking to "quick and dirty" methods can be seen in the specific wiper malware that it uses, according to Roncone and Wolfram. Since May, Mandiant has observed GRU hackers deploying the relatively simple, targeted wiper malware known as CaddyWiper in nine different operations targeting Ukrainian organizations—five attacks in May and June, then another four last month.

The decision to make that small, straightforward wiper code its sabotage payload of choice represents a stark contrast with years past. In 2017 and 2018, the GRU group Sandworm unleashed complex destructive worms inside of target networks that took months to hone and deploy: automated, self-replicating, multi-featured code such as the Olympic Destroyer malware designed to cripple the Pyeongchang Winter Olympics and the NotPetya malware that hit Ukrainian networks and spread worldwide, causing an unprecedented $10 billion in damage.

In the early days of Russia's invasion, for reasons that aren't quite clear, Kremlin hackers targeting Ukraine appear to have used a grab bag of at least half a dozen wiping tools of varying quality inside of victim networks, such as HermeticWiper, WhisperGate, and AcidRain. But in more recent months, the GRU appears to have deployed mainly CaddyWiper, again and again, Mandiant found, though in modified forms, changed just enough to evade detection. (Ukraine's SSSCIP, for its part, declined to confirm whether it has seen the same nine CaddyWiper attacks Mandiant had tracked.

"It's like they've said, ‘We're not gonna build out a fancy multifaceted wiper like NotPetya that can worm on its own. What we need is just something that's really lightweight and easily modifiable and easily deployable,'" says Roncone. "So they're using this not-that-great, does-the-job wiper, which seems like part of shifting their entire tactical strategy to accommodate these fast-paced operations." And while those quick-and-dirty methods may not be as flashy or as innovative as the GRU cyberattacks of the past, they can nonetheless inflict serious digital chaos in a country that needs every resource it has to fend off Russia's invaders.

_Update 12:10 pm EST 11-10-22: Added MSTIC's attribution of the Prestige ransomware attacks on Ukraine and Poland to the GRU's Sandworm group._

Russia’s New Cyberwarfare in Ukraine Is Fast, Dirty, and Relentless

Cash is safe—for now. Contactless payment methods, like Apple Pay or Google Wallet, are more of a threat to the existence of physical cards.

The proliferation of contactless payment options shifts how businesses interact with customers at the moment of purchase, from international retailers to local pop-up shops. But there’s no need to fret just yet if you enjoy buying stuff with cold, hard cash. Plastic cards are first on the chopping block.

“I’d suggest that the time is ripe to plan for plastic (and metal) cards to be sent to Shady Pines Retirement Home for the Tragically Overstayed Welcome,” wrote Nick Holland, global head of insights and networks at Money 20/20. During the group’s 2022 conference in October in Las Vegas, financial technology companies touting efficiency and seamless experiences were front and center, as plastic cards faded into the background.

Anyone who is on the fence about using their smartphone for contactless payments should check out Whitson Gordon’s case for adopting the technology. Convinced and need guidance setting up Apple Pay or Google Wallet? Apple and Google offer step-by-step instructions to guide you through that initial setup. After you link your cards to the mobile device and practice the necessary steps to complete purchases, here are a few tips to help you get the most out of smartphone wallets.

Don’t Forget About Phone-to-Phone Payments

You may be comfortable tapping your phone against a checkout terminal, but it might feel like a surprise the first time a business asks you to tap your phone to their phone. Smaller merchants, delivery companies, and take-out restaurants may continue to forgo traditional card terminals altogether as companies like Mastercard and Visa introduce features that use near-field communication chip technology to enable phone-to-phone payments. Similar to the lightning port on the iPhone, the era of credit card readers plugged into smartphones is likely to come to an end.

Make Use of Virtual Card Numbers

Always look to see what your options are when it comes to virtual card numbers. For example, if you choose to get an Apple Card on your iPhone and the number leaks, it can be changed with just a couple of taps. Open your **Wallet** and tap on the **Apple Card**. In the top-right corner, select the **card icon** and choose the button that reads **Request New Card Number**. Virtual card numbers are not only useful for smartphone payments. Google added the option to use the security feature easily in your web browser.

Add More Than Just Payment Methods

Your debit card and credit card are likely the very first items you connect to your digital wallet. It doesn’t need to stop there! From boarding passes to proof-of-vaccine cards, digital wallets can hold so much more than just payments. It’s even possible to connect your health insurance card for easy access. (The main aspect of a physical wallet that a digital one can never replicate is providing me with a secret receptacle to hoard ancient receipts and scraps of paper.)

Keep a Little Cash on Hand

Even if you choose to use your mobile device instead of a plastic card for most in-person transactions, it still makes sense to keep a few dollar bills in your wallet. Just in case. Your smartphone might get wet and stop functioning. Also, not every store is set up to accept Apple Pay or Google Wallet. Some retailers even offer a small discount to customers who pay with cash.

How to Use Apple Pay or Google Wallet Instead of Plastic Cards

True the Vote’s IV3 app is meant to catch election cheaters. But it has a fundamental flaw.

Ten days before Georgia’s Senate runoff election in 2021, Gamaliel Warren Turner Sr., a 69-year-old veteran, found out that someone in his county had challenged his eligibility to vote. Turner, a retired major in the US Army, had requested an absentee ballot, and when it didn’t arrive in the mail, he got nervous and called the Muscogee County registrar’s office to figure out where it was. According to court records, a clerk informed Turner that his name was on a list of thousands of voters in the county whose registrations were under investigation.

“I was beyond irate. I was hollering,” Turner says. “I didn’t know what the hell a voter challenge was. I just wanted to know, am I going to be able to vote or not?”

Turner has lived in Georgia for his entire life and voted there in nearly every election for the past 50 years. He owns a home there and the utility bills are under his name. He has a Georgia driver’s license that he uses to drive his two cars, both registered in Muscogee County. But in 2019, his job required that he temporarily relocate to Camarillo, California. In order to avoid missing packages while away on his temporary work assignment, he did what millions of Americans do every year and notified the United States Postal Service (USPS) that he wanted his mail forwarded to a new address.

What Turner didn’t know at the time was that this simple notification to the USPS would enmesh him in a scheme dreamed up by a right-wing activist group called True the Vote that ended up challenging the voter registrations of 364,000 Georgians.

Best known for its work on the widely debunked film _2,000 Mules_, True the Vote had developed an algorithm that matched names in voter rolls with data kept by the USPS about individuals who changed addresses. The group’s goal was to aggressively cull voter rolls, under the suspicion that inaccurate registrations lead to voter fraud, which is extremely rare in the US.

Along with Turner’s, True the Vote sent the names of approximately 4,000 supposedly ineligible voters to the leader of the Republican Party in Muscogee County, Alton Russell, a toilet paper salesman, who in turn submitted them to the county Board of Elections to challenge their voter registrations. But the scheme didn’t work: Most of the counties in Georgia rejected True the Vote’s challenges, and Turner successfully sued the Muscogee County Board of Elections to ensure his ballot would be counted in the 2021 runoff election.

Undeterred, True the Vote has quietly rolled out a web app called IV3 to replicate this process around the country. The browser-based application has led to the challenges of hundreds of thousands of voter registrations, the group claims. Yet little is known about IV3. The app is not active in most states, and to get access, you need to provide True the Vote with a valid form of identification. But by analyzing the code IV3 uses for its frontend, WIRED has been able to piece together how the tool likely functions. Our review found that the app ultimately uses an ineffective and unreliable methodology to determine who should remain on the rolls. Experts say that the app weaponizes public data and is more likely to remove eligible voters from the rolls than it is to catch rampant fraud that doesn’t exist in this country.

True the Vote is a Texas–based nonprofit whose founder, Catherine Engelbrecht, has played a crucial role in mainstreaming the voter fraud movement. The organization has set itself apart by using technology to legitimize their dubious claims of massive voter fraud, but it has consistently refused to provide any empirical evidence. IV3 is part of a growing strategy by right-wing activists to leverage state laws that allow a private citizen to dispute a voter's eligibility to toss out tens of thousands of voter registrations and ballots in battleground states. According to _The New York Times_, activists in Michigan tried to challenge 22,000 voter registrations for the state’s August primary. In Texas, residents challenged the eligibility of more than 6,000 voters in Harris County.

While it’s unclear how many voter challenges were facilitated using True the Vote’s app, Facebook posts from groups organizing some of the country’s largest voter challenges suggest that people are actively using IV3. For instance, in September, a group called VoterGA challenged the registrations of 37,500 voters in Georgia. On its Facebook page, one member encouraged her colleagues to use IV3, claiming that she had used the app to challenge nearly 6,000 people in Georgia’s Fayette County.

According to the True the Votes tax filings obtained by _Reveal_ from the Center for Investigative Reporting, True the Vote spent more than $500,000 on app development in 2020, using some of those funds to build a “proprietary organizing web app” that leverages its “national voter roll database” to “notify counties of voter role inaccuracies”. The app, which is not named but whose description mirrors IV3, was likely built by OPSEC Group LLC, whose founder, Gregg Phillips, was a former board member of True the Vote who has worked closely with Engelbrecht for years. OPSEC also performed the debunked data analysis behind _2,000 Mules_.

Court marshals arrested Engelbrecht and Phillips last week after they refused a court order to turn over alleged evidence of voter fraud that’s central to a defamation case brought by software company Konnech against True the Vote. Representatives for True the Vote did not respond to WIRED’s request for comment.

Access to IV3 is limited only to verified individuals who reside in one of the seven states where the app is active. However, WIRED was able to analyze the app’s public-facing code to get a better understanding of how it works. This was possible because upon loading the app’s login page, the browser automatically requests all the code needed to render the frontend components of the entire tool, even if a user is unauthenticated. By saving these HTML, JavaScript, and CSS files and running a web mock server, WIRED was able to explore some of the core features of the app, albeit without live data sent from True the Vote’s servers.

In a help page WIRED found bundled in the app’s code, True the Vote claims that IV3 cross-references state databases of voter registrations with the USPS NCOALink database, a dataset of approximately 160 million permanent change-of-address records that can be licensed for a fee. If True the Vote’s algorithm finds a “substantive discrepancy” between the two records, it will flag the registration for manual review by individuals who sign up to use the app. These records then show up in a page on the app called “IV3 Identified Records for Review.” After a volunteer submits a challenge, True the Vote claims to “prepare that challenge for filing based on your state’s specific requirements.” Network requests made by the app suggest that individuals who sign up for IV3 are only able to see and vet registered voters in their own county, as many state laws only allow other voters within the county to submit challenges.

When we rendered the frontend components in IV3, we found that the tool also gives vetted users the ability to look up the registrations of any voter in their county in order to determine whether or not the registration looks suspicious enough to challenge. While this voter registration data is technically public, its distribution by a partisan group can feel intimidating. “I feared that I could—or my family could—become the next target of harassment from True the Vote and their supporters for having voted, especially because my name and address had been published online and I had been publicly identified as a challenged voter,” a woman who had their registration challenged by True the Vote said in court records.

While WIRED was unable to use the app with live data, court records suggest that the way True the Vote matches individuals from voter rolls to those in the USPS database appears broken. Ken Mayer, a political scientist who analyzed a file of challenged voters for a lawsuit that Fair Fight filed against True the Vote, said in an expert report that True the Vote’s file of challenged voters was “riddled with errors” and “almost certainly mismatches voters with NCOA records.” He added, “The results do not come anywhere close to what would be required for valid practices in academic studies of election administration.” True the Vote did not respond to questions about Mayer’s assessment.

Moreover, experts say that the entire premise of using USPS data alone to invalidate voter registrations is flawed. Andrew Garber, a counsel within the Brennan Center’s Voting Rights and Elections Program, says that there are dozens of reasons why people might want their mail forwarded and all are insufficient alone to cancel a voter’s registration. “The use of this app is really concerning because it seems to be an effort to automate and take onto a mass scale a process that’s supposed to be local and individualized,” Garber says.

USPS did not immediately respond to WIRED’s request to comment on True the Vote’s use of its address-change data.

The voter challenges facilitated by IV3 have already run into problems. In an email IV3 sent to its users in August that WIRED obtained, True the Vote has run into hurdles in Georgia, Ohio, and Pennsylvania. The email states that in Pennsylvania, election officials told True the Vote each challenge requires a notarized and signed affidavit, at a cost of $5 to $7 each. “Think about that for those of you who completed 20, or 50, or 100, or several hundred challenges,” the August email reads. “It was never our intent for this process to cost our volunteers any money, much less hundreds to thousands of dollars just to ask your county to check and verify the rolls. We will be talking to election attorneys and Pennsylvania officials about this statute. It needs to be changed.”

While IV3 makes it possible to file a large number of challenges, it’s highly unlikely that any of them would be sufficient to remove anyone from voter rolls. Nevertheless, the challenges are likely to burden election officials as they may have to research and adjudicate each challenge brought. According to Garber, “even if the challenges don’t result in people being removed from the roles, they are gumming up the works and slowing down other vital election processes.”

Turner says he already voted by absentee ballot for the 2022 US midterms, which conclude today. But that doesn’t mean he’s not concerned with what True the Vote has been up to around the country. “It’s dangerous,” he says. “They are just throwing everything up against the wall and seeing what sticks. All of their strategies to disenfranchise voters are just sowing distrust about elections and it’s frustrating. I just don’t know where all of this is heading.”

Inside the ‘Election Integrity App’ Built to Purge US Voter Rolls

Voter intimidation has cropped up in places across the nation, but the voting booth remains the one place where nobody can get to you.

Though foreign Disinformation campaigns have targeted the 2022 United States midterm elections to a degree, most of the pressure on US voting infrastructure has come from inside the house. Violent domestic threats against election officials have soared around the country in the past couple of years, endangering workers and, increasingly, driving them from the profession altogether. And as early voting began around the US in recent days, scattered incidents at ballot drop boxes and polling places have put voters on edge. Last week, a federal judge in Arizona notably ordered armed members of a group called Clean Elections USA to stop visibly carrying guns and wearing body armor within 250 feet of ballot drop boxes.

Officials and researchers say that casting a ballot will be safe and uneventful for the vast majority of US voters. They also emphasize, as was the case in 2020, that US elections are in fact the most secure and rigorous they've ever been thanks to a number of initiatives, including efforts to phase out voting machines that do not produce a paper backup and the expanded use of postelection audits, including gold standard “risk-limiting" audits. Yet erosion of public trust in any election system is as big a threat to the democracy it underpins as real-world meddling. With so much at stake, the 2022 US midterms are highlighting the criticality of one core US voting protection: the secret ballot.

“The secret ballot is really profound—it’s critical to capturing the true will of the people,” says Ben Adida, the executive director of VotingWorks, a nonprofit maker of open source voting equipment. “People who would break your kneecaps or physically threaten you at the polls represent one extreme, but there are also much more subtle ways that undue influence could affect the outcome of an election. Think about people who support a candidate but don’t feel that strongly about it. They might think, ‘Well, do I really want to fight with my spouse or my employer? It's just one vote.’”

Until the 1890s, US voting was a local, public event, conducted either orally or using paper tickets. And efforts to institute private voting using the now-familiar “Australian ballot” method were controversial at first because the spectacle and transparency of public voting were embedded in US democratic culture. 

Being able to cast your vote secretly, though, provides two core democratic protections. The first and perhaps more intuitive benefit relates to individual privacy. Whether using a voting machine or filling out a scannable form, US voters cast their ballots at the polls in privacy booths. And while they must be registered to vote in databases that are often public, the votes they actually cast are totally disconnected from their identities. This means that even if a family member, acquaintance, or political operative is voting with you at the same time, they shouldn't be able to actually know for sure how you voted, leaving you the opportunity to vote however you choose.

“There’s a challenge when you can’t connect the vote to the person, but we've largely solved that problem with audits after elections and checking that we’re recording votes accurately,” says Lawrence Norden, senior director of the elections and government program at the Brennan Center at New York University School of Law. “For a majority of American history, elections were held in public, and there was a reason we moved to the secret ballot. Part of it was that people were subject to violence and intimidation, and actually polling places could become violent.”

In recent weeks, some voters have been alarmed to realize that volunteers who work at local polling places for early voting and on Election Day rarely undergo extensive vetting or screening. This is because the role is considered a community contribution and is typically only modestly compensated. But in Miami-Dade County, Florida, for example, three people who claim to be former members of the Proud Boys domestic terrorist group planned to work at polling sites on Election Day. One was put on a standby list after information surfaced that he participated in the January 6, 2021, attack on the US Capitol. For people who might feel uncomfortable voting in increasingly politicized and charged environments, the privacy booth is a last-line defense.

The second societal benefit of secret voting, though, is not about the right to individual privacy, but instead about undercutting the ability of any entity, foreign or domestic, to buy votes. If you can't be sure that someone voted a certain way, there's no clear benefit to paying, blackmailing, or otherwise pressuring someone over how they vote. This relates in part to ongoing discussions over whether people should be allowed to take selfies in voting booths or otherwise document their trips to the polls. The US voting system is designed, though, so that even a photo captured in the privacy booth doesn't definitively prove how someone voted.

“You should be able to lie convincingly about how you voted, but not just because you choose not to tell someone," VotingWorks' Adida says. “In fact, you shouldn’t be able to show evidence. There is a stronger secrecy property these systems strive for known as ‘receipt-free.’ We as a society don’t want you to be able to sell your vote, even if you want to. It is actually not your right to sell your vote. There’s a greater democracy goal at stake here."

With career election workers leaving their positions in droves, and fears about voter intimidation on the rise, US election infrastructure is at a fraught inflection point. As more and more challenges encroach, the privacy booth is a refuge—and increasingly, perhaps, a bunker.

Source

Wired