The most notorious deepfake sexual abuse website is hosting altered videos originally published as part of the GirlsDoPorn operation. Experts say this new low is only the beginning.

_This article contains descriptions of sex trafficking and abuse. Discretion is advised._

For years, nonconsensual deepfake pornography has been used to harass, silence, shame, and abuse women. Celebrities and influencers have their faces implanted into existing adult videos; men have used the technology to place “friends” into explicit videos; and boys have allegedly created “nude” images of their female classmates. However, among the ever growing harassment and abuse, deepfake creators have now, arguably, hit a new low: using videos of sex trafficking victims as the basis of the nonconsensual videos.

Over the past two months, an account on the largest deepfake sexual abuse website has posted 12 celebrity videos that are based on footage from GirlsDoPorn, a now-defunct sex trafficking operation that the US Department of Justice says its operators used to conspire and commit sex trafficking through “force, fraud, and coercion,” tricking five women—and allegedly hundreds more— into making sex videos that were subsequently posted online.

The dozen videos—which ran up to 21 minutes long and racked up tens of thousands of views before they were taken down following WIRED’s inquiry—used footage originally posted to the GirlsDoPorn website and had celebrity faces added using artificial intelligence. It appears that a startup’s face-swapping tool may have been abused to transform the videos into deepfakes, according to watermarks on the footage.

As deepfake technology has become increasingly capable of creating realistic imagery and easier to use, hundreds of websites and apps designed to create or host deepfake sexual abuse have appeared. Laws to limit the use of these tools and protect those targeted are lagging, even as the malicious use of AI has evolved to not just create new victims but to revictimize survivors.

From 2012 to 2019, the DOJ says, the creators of GirlsDoPorn worked by recruiting young women, using ads posted on Craigslist, for what they claimed were clothed modeling photo shoots. When the women responded, they were told the ads were for pornographic videos, and they were pressured into taking part, according to various lawsuits and survivor testimonies.

The individuals behind the scheme, according to the DOJ, told the women the videos would only be sold on DVDs outside of the United States and the footage would not be posted to the internet. Instead, they then posted short videoclips to online platforms, such as Pornhub, and full-length versions to their GirlsDoPorn website. The videos have circulated online since.

Multiple legal proceedings against the creators of GirlsDoPorn, people affiliated with the website, and Pornhub's parent company are ongoing or have been completed—with criminal charges being issued against several GirlsDoPorn organizers in October 2019.

Since then, 22 survivors have been awarded nearly $13 million in damages, and 402 victims were given copyright ownership of videos featuring them, making it easier to scrub them from the web. At the end of 2023, Pornhub’s parent company, Aylo Holdings, agreed to pay damages to women impacted by the sharing of the GirlsDoPorn videos.

Among those charged, Ruben Andre Garcia, a GirlsDoPorn producer and recruiter, was sentenced to 20 years in prison; Matthew Isaac Wolfe, who admitted to having a “wide range of responsibilities” at GirlsDoPorn, according to the DOJ, was sentenced to 14 years; cameraman Theodore Wilfred Gyi was sentenced to four years; and GirlsDoPorn bookkeeper Valorie Moser pleaded guilty to one charge of conspiracy to commit sex trafficking and is awaiting sentencing. Finally, in March this year, the alleged GirlsDoPorn mastermind, Michael Pratt, was extradited from Spain to the US to face charges linked to the operation. He has pleaded not guilty. In total, those involved in GirlsDoPorn have been ordered to pay more than $35 million in restitution.

Brian Holm, a managing attorney at the Holm Law Group and a longtime civil attorney for GirlsDoPorn survivors, confirmed that the videos posted to the deepfake sexual abuse website were originally from GirlsDoPorn. These include, Holm says, survivors who have been involved in the legal cases against GirlsDoPorn or against Pornhub.

“It’s a real double whammy for trafficking victims to see their videos used like this,” says Holm, adding that the videos are the tip of the iceberg. “From what I’ve seen on that site, I think there's 10 times the amount you sent me that I’ve seen on there.”

The 12 videos posted by the account seen by WIRED have received up to 15,000 views each, and several have a ‘girlsdoporn.com’ watermark on the footage. The account that posted the videos has a version of “GirlsDoPorn” as its username and included the sex trafficking site in the title of the videos.

WIRED is not naming the deepfake abuse website due to its role in spreading abusive content or the celebrities featured in the videos. The website is the largest website of its kind—hosting tens of thousands of videos and receiving millions of visitors. In April, the website blocked visitors from the UK after lawmakers in the country announced plans to make it a criminal offense to create nonconsensual explicit deepfakes.

“These creators of sexually explicit deepfakes have no regard whatsoever for the women and girls who are victims of sex trafficking and now being further abused through this deepfake sexual abuse,” says Clare McGlynn, a professor of law at Durham University, who works to counter image-based abuse.

“This website is actively choosing to share recordings of actual sexual assaults,” McGlynn says. “These are heinous acts, deliberately and knowingly causing life-shattering and life-threatening harms. The drive for profit, for fueling the trade in nonconsensual porn, knows no bounds. This shows a contempt for the rights of women and girls.”

Neither the account posting the deepfake GirlsDoPorn videos nor the site’s anonymous administrator’s replied to questions from WIRED.

At the end of March, another user on the website asked whether the GirlsDoPorn footage was allowed, saying it made them “feel sick.” They suggested some people may not know the history of GirlsDoPorn but pointed out: “This … one user clearly does tho, with branding themselves with a rape website.” A moderator replied saying they were not going to remove the videos but said if there was a “list” of videos confirmed to include sex trafficking victims they would notify the website’s administrators to take them down.

As well as the GirlsDoPorn watermark, the 12 videos hosted on the deepfake website also have a watermark of US company Akool, which offers generative AI services, including a “face-swapping” tool, to marketing professionals.

Jiajun Lu, the founder and CEO of Akool, says the company’s terms of service prohibit copyright violations, sexual and violent content, and it frequently bans accounts. “They are strictly forbidden on our platform, and we have multiple approaches to prevent it from happening, and more solutions are coming up soon,” he says. “We changed our watermarks a few months ago, and these videos might not come from our website.”

The CEO says that the company is working on new safety tools as it increases the security of its website: For instance, it is considering verifying the identity of people trying to use its face-swapping tool using face recognition, and initially the team is building more prominent warning notices about prohibited use cases.

Since 2016, Charles DeBarber, director of operations at technology firm Phoenix AI, has been undertaking the arduous task of discovering and trying to remove content from GirlsDoPorn that has been posted online. As part of Phoenix AI, this work—including building tools to automate online searches and using face recognition—has helped to remove around 60 GirlsDoPorn survivors’ footage from the web, DeBarber says.

“Not only does it open wounds of survivors already, but it's making new survivors and making new victims,” DeBarber, who has worked with GirlsDoPorn survivors for years, says of the deepfakes. The deepfake abuse website, DeBarber says, doesn’t take anything down when requests are made to it, and it is hosted by a company registered in the Seychelles.

Since deepfake sexual abuse videos appeared more than half a decade ago, those targeted by them have struggled to get them removed from the web, and US lawmakers have been slow to regulate or criminalize the abusive behavior. In many instances, including in wider cases of image-based abuse, people trying to remove abusive content from the web have had to resort to complaints made under the Digital Millennium Copyright Act. According to DeBarber, it’s not enough.

“Our laws are written in a way that protects intellectual property but not survivors, and it’s very demeaning for a lot of our survivors,” he says. “These are people that were treated like a commodity, and now we have to use intellectual property law to get it down.”

Deepfake Creators Are Revictimizing GirlsDoPorn Sex Trafficking Survivors

With cyberattacks increasingly targeting health care providers, an arduous bureaucratic process meant to address legal risk is keeping hospitals offline longer, potentially risking lives.

Crippling ransomware attacks against hospitals and health care providers are on the rise. These ruthless cyberattacks can take medical systems offline for weeks—canceling appointments and surgeries and causing harm to patients. Doctors and nurses are plunged into crisis situations where they resort to using pen and paper, while IT staff work to make systems safe and bring them back online. The recovery can be long-lasting and brutal.

Health care professionals, lawyers, and cybersecurity experts tell WIRED that amid the chaos caused by criminal hackers, a little-known bureaucratic process can slow down hospitals and medical providers getting their systems working again.

The red tape involves organizations hit by ransomware sending detailed “assurance” or “attestation” letters to companies that they connect their systems or software with. These letters are designed to convince organizations that it is safe to reconnect after the ransomware attack, but they can add extra pressure to those already dealing with physically and mentally draining recovery operations.

The letters aren’t required by any law and are not unique to medical organizations impacted by ransomware attacks, but experts say in situations where lives are at risk, more efficient processes should be considered. Assurance letters seen by WIRED contain up to 40 individual questions about cyberattacks and include detailed requests about how events unfolded, steps taken to respond, and any evidence that may have been gathered.

“Negotiating with hundreds of vendors each with their own unique set of requirements to reconnect was an arduous and time-consuming process,” says Sean Fitzpatrick, the vice president of external communications at Ascension, a network of 140 hospitals and thousands of affiliated providers across 19 states, which was hit by ransomware in May. Ascension now has more than 95 percent of its suppliers reconnected or in the process of reconnecting, Fitzpatrick says, and has attempted to be as transparent as possible with its recovery.

Meanwhile, Shane Thielman, the chief information officer at Scripps Health, a San Diego health care provider with more than 70 hospitals and clinics, says it was required to produce around 30 vendor letters when it was hit by Conti malware in May 2021 for clinical, business, and administrative software partners. “Initially, there were several vendors that did not accept the assurance letter and requested additional technical documentation and information,” Thielman says. “However, this was limited and ultimately did not result in a delay to restoring access to systems at Scripps.”

**Lawyers Enter the Chat**

Hospitals and other health care organizations are hugely complex beasts—they can use dozens of pieces of software from different companies, providing everything from electronic health care records to staff shift schedules. Cyberattacks that take medical services offline can impact a hospital’s own internal systems and networks and those belonging to third-party suppliers. An attack against a company that provides software to hundreds or thousands of organizations can have widespread ramifications.

It doesn’t take long to see how ransomware, which is most often launched by Russia-based cyberciminals, can have a dangerous impact on medical care. More than 1,100 surgeries and 2,194 appointments have been canceled at London hospitals this month after pathology services provider Synnovis was hit by ransomware. Some cancer appointments have been canceled, blood testing reduced, and more than 50 organs needed to be diverted for use at other hospitals, figures from the UK’s National Health Service show.

“I can tell you with complete confidence that ransomware attacks harm patients,” says Hannah Neprash, an associate professor of health policy at the University of Minnesota, who has researched the impact of ransomware attacks on US hospitals and concluded they result in higher mortality rates. “If you are a patient who has the misfortune to be admitted to a hospital when that hospital goes through a ransomware attack, the likelihood that you're going to walk out the doors goes down,” Neprash says. “The longer the disruption, the worse the health outcomes.”

In the hours and days immediately after ransomware attacks, it’s common for companies who have software connected to the targeted organization to pull their services. This can include everything from disconnecting medical records to refusing to email a cyberattack victim. This is where so-called assurance letters come in.

“We’ve really seen the demand for these letters increase over the past few years as breaches have become much more litigious—from class actions lawyers chasing settlements to lawsuits between businesses,” says Chris Cwalina, the global head of cybersecurity and privacy at law firm Norton Rose Fulbright.

Cwalina says he is unsure where and when the practice of sending assurance letters started but says it is likely it began with lawyers or security professionals who misunderstood legal requirements or the risks they are trying to prevent. “There is no legal requirement to request or obtain an attestation before systems can be reconnected,” Cwalina says.

These assurance and attestation letters are often compiled with the support of specialist cybersecurity companies that are employed to respond to incidents. What can be reconnected and when will vary depending on the specific details of each attack.

But much of the decisionmaking comes down to risk—or at least perceived risk. Charles Carmakal, the chief technology officer of Google-owned cybersecurity firm Mandiant, says companies will be worried that cybercriminals could move “laterally” between the victim and their systems. Companies want to know a system is clean and the attackers have been removed from the systems, Carmakal says.

“I understand the rationale behind the assurance process. What I would say is that people do need to really consider what is the risk associated with the level of connectivity between two parties, and sometimes people tend to default to the most restrictive path,” Carmakal says. For instance, it is rare that Mandiant sees wormable ransomware moving from one victim to another, he says.

“Vendors were interested to know that independent, outside cybersecurity experts were engaged with Scripps technical teams and verification that malware was contained and remediated with reasonable best efforts,” Thielman, the CIO of Scripps Heath, says. For Ascension, Fitzpatrick says, the company also held one-on-one calls with vendors and hosted eight webinars where it provided updates. It has also shared indicators of compromise—the traces left by attackers in its systems—with health organizations and the US Cybersecurity and Infrastructure Security Agency (CISA).

**Third-Party Doctrine**

Cybercriminals have become more brazen with attacks against hospitals and medical organizations in recent years; in one case, the Lockbit ransomware gang claimed it had rules against attacking hospitals but hit more than 100. Often these sort of attacks directly impact private sector companies that provide services to public infrastructure or medical organizations.

“If you look plausibly at the threat picture in the years ahead, disruption to public services and public activity caused by \[cybercrime\] activity that affects the private sector is probably something that's going to happen more and more,” says Ciaran Martin, a professor at the University of Oxford and the former head of the UK’s National Cyber Security Centre. In these instances, Martin suggests, there may be questions around whether governments have, or need, powers to direct private firms to respond in certain ways.

John Riggi, national adviser for cybersecurity and risk at the American Hospital Association, says there could be more federal support for health care providers. “Some of the resources, for instance, that CISA dedicates to defending federal civilian networks could also be devoted and expanded to help defend critical infrastructure, like health care.”

When it comes to the need for assurance and attestation letters, Norton Rose Fulbright’s Cwalina says much of the information requested in these scenarios could be received through directly speaking to people. “The piece of paper is ultimately only obtained after lawyers review it and insert caveats and protections—which means the attestation will actually say very little to give an organization confidence to reconnect and certainly nothing that couldn’t be obtained through other means,” Cwalina says. Scripps Health’s Thielman recommends establishing communications with software providers as soon as possible.

“We need a situation in which somebody, be that a incident response company or CISA, is able to sound an ‘all clear’ signal after which vendors can reconnect immediately,” says Brett Callow, a threat analyst at Emsisoft. A third-party approval could speed up the process, he says. “The primary concern here has to be patient safety. We need to get hospitals up and running in a safe manner, in the shortest possible time. Masses of red tape just aren’t conducive to that.”

Red Tape Is Making Hospital Ransomware Attacks Worse

Plus: Alleged Apple source code leaks online, cybercrime group Scattered Spider's alleged kingpin gets arrested, and more.

The rolling series of breaches targeting customers of cloud platform Snowflake appears to be a supply chain attack wrapped in another supply chain attack. A hacker who claims to have been involved in the attacks tells WIRED that the hackers, known as ShinyHunter, stole victims’ Snowflake credentials by first breaching an employee of a third-party contractor. (The contractor, however, says it does not believe it was involved.)

Ultimately, the breach of the Snowflake customer accounts, which include Ticketmaster, banking firm Santander, and potentially more than 160 other companies, was possible because their Snowflake accounts did not have multifactor authentication enabled.

Antivirus giant Kaspersky’s worst nightmare has finally come true: The United States government announced on Thursday that it is banning the sale of its software to new customers in the US over alleged Russian national security threats. (Kaspersky has challenged the Biden administration’s claims.) Existing customers, meanwhile, will be banned from downloading Kaspersky software updates after September 29. What could go wrong?

Perplexity AI, an artificial-intelligence-powered search startup, says it’s already valued at a billion dollars. But a WIRED investigation published this week found that its secret sauce has a pungent ingredient: bullshit.

Beyond “hallucinating” details generated by its chatbot, WIRED found that the AI tool appears to be ignoring the Robots Exclusion Protocol—a standard web tool used to prevent scraping—on sites owned by WIRED’s parent company, Condé Nast, and other publications, seemingly allowing it to scrape articles despite the internet equivalent of a “Do Not Enter” sign hanging on WIRED and other Condé Nast sites. Perplexity’s chatbot later plagiarized that same article when prompted.

People traveling through some of the largest train stations in the United Kingdom secretly had their faces scanned by Amazon’s face-recognition tools, according to documents obtained by WIRED. The technology, which was used as part of a trial run, predicted travelers’ various attributes, including gender, age, and likely emotions. The surveillance, which one privacy advocate called “concerning,” could potentially be used for serving advertisements.

Finally, we detailed the rise of robot “dogs” used by militaries, explained what would happen if China invaded Taiwan, and got into the nitty-gritty of the boring-sounding but serious work of spotting the billion-dollar scam tactic known as business email compromise.

That’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

For months, ransomware gangs have rampaged across the health care industry, with ruthless attacks targeting Change Healthcare’s national payment network for more than a thousand health care providers, Ascension Healthcare’s 140 hospitals, and dozens of other victims in the medical field. Now that hacking epidemic is crystallizing into yet another catastrophic hospital hack—one that has resulted in the data of 300 million UK patient records leaking online.

Synnovis, a joint-venture medical testing company partially owned by the UK’s National Health Service, has for weeks been battling and negotiating with the Russia-linked ransomware group Qilin, which has deeply disrupted its services in an attempt to extort the company. The result has been well over a thousand postponed operations and thousands more postponed outpatient appointments across multiple UK hospitals. Ambulances have been diverted from the affected hospitals, potentially causing delays in lifesaving care. They’ve even had to ask for new urgent donations of O-type blood, as testing disruptions have prevented other types from being used in patients’ blood transfusions.

A Catastrophic Hospital Hack Ends in a Leak of 300M Patient Records

Experts aren’t unanimous about whether the AI-powered search startup’s practices could expose it to legal claims ranging from infringement to defamation—but some say plaintiffs would have strong cases.

Earlier this week, WIRED published a story about the AI-powered search startup Perplexity, which Forbes has accused of plagiarism. In it, my colleague Dhruv Mehrotra and I reported that the company was surreptitiously scraping, using crawlers to visit and download parts of websites from which developers had tried to block it, in violation of its own publicly stated policy of honoring the Robots Exclusion Protocol.

Our findings, as well as those of the developer Robb Knight, identified a specific IP address almost certainly linked to Perplexity and not listed in its public IP range, which we observed scraping test sites in apparent response to prompts given to the company’s public-facing chatbot. According to server logs, that same IP visited properties belonging to Condé Nast, the media company that owns WIRED, at least 822 times in the past three months—likely a significant undercount, because the company retains only a small portion of its records.

We also reported that the chatbot was bullshitting, in the technical sense. In one experiment, it generated text about a girl following a trail of mushrooms when asked to summarize the content of a website that its agent did not, according to server logs, attempt to access.

Perplexity and its CEO, Aravind Srinivas, did not substantively dispute the specifics of WIRED’s reporting. “The questions from WIRED reflect a deep and fundamental misunderstanding of how Perplexity and the Internet work,” Srinivas said in a statement. Backed by Jeff Bezos’ family office and by Nvidia, among others, Perplexity has said it is worth a billion dollars based on its most recent fundraising round, and The Information reported last month that it was in talks for a new round that would value it at $3 billion. (Bezos did not reply to an email; Nvidia declined to comment.)

After we published the story, I prompted three leading chatbots to tell me about the story. OpenAI’s ChatGPT and Anthropic’s Claude generated text offering hypotheses about the story’s subject but noted that they had no access to the article. The Perplexity chatbot produced a six-paragraph, 287-word text closely summarizing the conclusions of the story and the evidence used to reach them. (According to WIRED's server logs, the same bot observed in our and Knight’s findings, which is almost certainly linked to Perplexity but is not in its publicly listed IP range, attempted to access the article the day it was published, but was met with a 404 response. The company doesn't retain all its traffic logs, so this is not necessarily a complete picture of the bot's activity, or that of other Perplexity agents.) The original story is linked at the top of the generated text, and a small gray circle links out to the original following each of the last five paragraphs. The last third of the fifth paragraph exactly reproduces a sentence from the original: “Instead, it invented a story about a young girl named Amelia who follows a trail of glowing mushrooms in a magical forest called Whisper Woods.”

This struck me and my colleagues as plagiarism. It certainly appears to satisfy the criteria set out by Poynter Institute—including, perhaps most stringently, the seven-to-10 word test, which proposes that it’s “hard to incidentally replicate seven consecutive words that appear in another author’s work.” (Kelly McBride, a Poynter SVP who has described this test as being useful in identifying plagiarism, did not reply to an email.)

“If one of my students turned in a story like this, I would take them before the academic dishonesty committee for plagiarism,” said John Schwartz, professor of practice at the University of Texas at Austin’s journalism school, after reading the original story and the summary. “I find this just too close. When I was reading the Perplexity version, I just thought, there’s an echo in here.”

Perplexity and Srinivas, the company’s CEO, did not respond to a detailed request for comment in which they were presented with the criticisms experts made of the company for this story.

Bill Grueskin, professor of professional practice at Columbia Journalism School, wrote in an email that the summary looked to be “pretty much ok” for a chatbot identified as such, but that it was hard to say because he hadn’t had time to read the original WIRED story. “Quoting a sentence verbatim without quote marks is bad, of course,” he wrote. “I'd be pretty mortified if a news org ran an AI summary like this without disclosing the source—or worse, pretending it came from a human.” (Perplexity, of course, isn’t claiming this material came from a human.)

Perhaps luckily for Perplexity and its backers, this is a literal academic debate. Plagiarism is a concept pertaining to professional ethics, important in contexts like journalism and academia where being able to identify the source of information is of fundamental importance but of no legal significance in itself. If a rival studio releases a film containing a reasonable chunk of footage from _Inside Out 2_, Disney would sue not for plagiarism but for copyright infringement; similarly, a letter Forbes reportedly sent Perplexity threatening legal action is said to mention “willful infringement” of Forbes’ copyrights. Here, legal experts say, Perplexity is on somewhat safer ground—probably.

“In terms of the copyright, this is a tough call,” says James Grimmelmann, professor of digital and information law at Cornell University. On one hand, he argues, the summary is reporting facts, which cannot be copyrighted; but on the other, it does partially duplicate the original and summarize the details found in it. “It’s not a slam dunk copyright case, but it’s not trivial, either. It’s not frivolous.”

Grimmelmann sees a host of potential issues for Perplexity, among them consumer protection, unfair advertising, or deceptive trade practices claims he believes could be made against a company that says it respects the Robots Exclusion Protocol but doesn’t follow it. (The standard is voluntary but widely adhered to.) He also thinks it could be vulnerable to a claim of misappropriation of hot news, in which a publisher argues that a competitor summarizing its material before it’s had a chance to commercially benefit from it, or in a way that undermines its value to paying subscribers, is infringing on its copyright. Perplexity’s evident ability to circumvent paywalls “is a bad fact for them,” he says, as is the fact that its system is automated.

Grimmelmann also says that Perplexity may be forfeiting the protection of Section 230 of the Communications Decency Act. This is the law that, among other things, protects search engines like Google from liability for defamation when they link to defamatory content because they are services passing on information from other content providers; as he sees it, Perplexity is similarly shielded as long as it accurately summarizes material. (Whether AI-generated material enjoys 230 protection at all is a matter of debate.)

“They’d only get in trouble if they summarized the story incorrectly and made it defamatory when it wasn’t before. That’s something that they actually would be at legal risk for, especially if they don’t credit the original source clearly enough and people can’t easily go to that source to check,” he says. “If Perplexity’s edits are what make the story defamatory, 230 doesn’t cover that, under a bunch of case law interpreting it.”

In one case WIRED observed, Perplexity’s chatbot did falsely claim, albeit while prominently linking to the original source, that WIRED had reported that a specific police officer in California had committed a crime. (“We have been very upfront that answers will not be accurate 100% of the time and may hallucinate,” Srinivas said in response to questions for the story we ran earlier this week, “but a core aspect of our mission is to continue improving on accuracy and the user experience.”)

“If you want to be formal,” says Grimmelmann, “I think this is a set of claims that would get past a motion to dismiss on a bunch of theories. Not saying it will win in the end, but if the facts bear out what Forbes and WIRED, the police officer—a bunch of possible plaintiffs—allege, they are the kinds of things that, if proven and other facts were bad for Perplexity, could lead to liability.”

Not all experts agree with Grimmelmann. Pam Samuelson, professor of law and information at UC Berkeley, writes in an email that copyright infringement is “about use of another’s expression in a way that undercuts the author’s ability to get appropriate remuneration for the value of the unauthorized use. One sentence verbatim is probably not infringement.”

Bhamati Viswanathan, a faculty fellow at New England Law, says she’s skeptical the summary passes a threshold of substantial similarity usually necessary for a successful infringement claim, though she doesn’t think that’s the end of the matter. “It certainly should not pass the sniff test,” she wrote in an email. “I would argue that it should be enough to get your case past the motion to dismiss threshold—particularly given all the signs you had of actual stuff being copied.”

In all, though, she argues that focusing on the narrow technical merits of such claims may not be the right way to think about things, as tech companies can adjust their practices to honor the letter of dated copyright laws while still grossly violating their purpose. She believes an entirely new legal framework may be necessary to correct for market distortions and promote the underlying aims of US intellectual property law, among them to allow people to financially benefit from original creative work like journalism so that they’ll be incentivized to produce it—with, in theory, benefits to society.

“There are, in my opinion, strong arguments to support the intuition that generative AI is predicated upon large scale copyright infringement,” she writes. “The opening ante question is, where do we go from there? And the greater question in the long run is, how do we ensure that creators and creative economies survive? Ironically, AI is teaching us that creativity is more valuable and in demand than ever. But even as we recognize this, we see the potential for undermining, and ultimately eviscerating, the ecosystems that enable creators to make a living from their work. That’s the conundrum we need to solve—not eventually, but now.”

Perplexity Plagiarized Our Story About How Perplexity Is a Bullshit Machine

Using a Trump-era authority, the US Commerce Department has banned the sale of Kaspersky’s antivirus tools to new customers in the US, citing alleged threats to national security.

The Russian cybersecurity software firm Kaspersky’s days of operating in the United States are now officially numbered.

The Biden administration on Thursday said it’s banning the company from selling its products to new US-based customers starting on July 20, with the company only allowed to provide software updates to existing customers through September 29. The ban—the first such action under authorities given to the Commerce Department in 2019—follows years of warnings from the US intelligence community about Kaspersky being a national security threat because Moscow could allegedly commandeer its all-seeing antivirus software to spy on its customers.

“When you think about national security, you may think about guns and tanks and missiles,” Commerce secretary Gina Raimondo told reporters during a briefing Thursday. “But the truth is, increasingly, it's about technology, and it's about dual-use technology, and it's about data.”

The US conducted an “extremely thorough” investigation of Kaspersky and explored “every option” to mitigate its risks, Raimondo said, but officials settled on a full ban “given the Russian government's continued offensive cyber capabilities and capacity to influence Kasersky’s operations.”

The Kaspersky ban represents the latest rift in relations between the US and Russia as the latter country remains locked in a brutal war with Ukraine and takes other steps to threaten Western democracies, including testing a nuclear-powered anti-satellite weapon and forming a strategic alliance with North Korea. But the ban could also immediately complicate business operations for American companies using Kaspersky software, which will lose up-to-date antivirus definitions critical for blocking malware in only three months.

The Biden administration knows roughly how many customers Kaspersky has in the US, but government lawyers have determined that this information is proprietary business data and cannot be published, according to a Commerce Department official, who briefed reporters on the condition of anonymity to discuss a sensitive matter. The official did say the “significant number” of US customers includes state and local governments and organizations that supply critical infrastructure such as telecommunications, power, and health care.

Raimondo had a message for Kaspersky’s US customers on Thursday: “You have done nothing wrong, and you are not subject to any criminal or civil penalties. However, I would encourage you, in as strong as possible terms, to immediately stop using that software and switch to an alternative in order to protect yourself and your data and your family.”

Commerce will work with the departments of Homeland Security and Justice to “get this message out” and “ensure a smooth transition,” including through a website explaining the ban, Raimondo said. “We certainly don't want to disrupt the business or families of any Americans.”

DHS’s Cybersecurity and Infrastructure Security Agency will contact critical infrastructure organizations that use Kaspersky to brief them on the alleged national security risks and “help them identify alternatives,” the Commerce Department official said.

Kaspersky has consistently denied being a national security risk or an agent of the Kremlin. The company did not immediately respond to a request for comment about the new nationwide ban. But given Kaspersky’s past resort to litigation to defend itself, Thursday’s announcement could prompt another lawsuit that sets up a high-stakes legal test of Commerce’s national security powers.

The order to kick Kaspersky out of the US relies on powers that former president Donald Trump gave the Commerce Department in 2019. Trump issued an executive order that May authorizing the commerce secretary to bar US transactions of IT products and services supplied by “persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary” if the transactions posed “an unacceptable risk” to national security.

Kaspersky has been in the crosshairs of US intelligence officials for decades due to its presence in Russia and reports of its possible collusion with Moscow. In 2017, the Trump administration banned federal agencies from using Kaspersky products, a decision upheld by a federal appeals court a year later.

The official order banning US transactions with Kaspersky’s three corporate entities cites “their cooperation with Russian military and intelligence authorities in support of the Russian government’s cyber intelligence objectives,” according to the Commerce Department official.

Asked why the government was only acting now to ban Kaspersky from selling its services in the US, the official said Commerce only received funding last year for a dedicated program devoted to these kinds of cases.

The official declined to say whether the US had specific intelligence proving that Moscow had directed Kaspersky’s actions.

“We fully believe that … the Russian government is either now using Kaspersky or certainly would be willing to use Kaspersky,” the official said, adding that the Commerce Department’s Trump-era authority “allows us to act proactively, even in the absence of concrete examples” of collusion.

The Commerce Department will work with law enforcement to monitor Kaspersky’s business actions after September 29 for signs that it continues to provide software updates in the US, the department official said.

“We need to get more vigilant and more sophisticated every day,” Raimondo told reporters, “because our adversaries are getting more sophisticated.”

US Bans Kaspersky Software

A WIRED investigation shows that the AI-powered search startup Forbes has accused of stealing its content is surreptitiously scraping—and making things up out of thin air.

Considering Perplexity’s bold ambition and the investment it’s taken from Jeff Bezos’ family fund, Nvidia, and famed investor Balaji Srinivasan, among others, it’s surprisingly unclear what the AI search startup actually is.

Earlier this year, speaking to WIRED, Aravind Srinivas, Perplexity’s CEO, described his product—a chatbot that gives natural-language answers to prompts and can, the company says, access the internet in real time—as an “answer engine.” A few weeks later, shortly before a funding round valuing the company at a billion dollars was announced, he told Forbes, “It’s almost like Wikipedia and ChatGPT had a kid.” More recently, after Forbes accused Perplexity of plagiarizing its content, Srinivas told the AP it was a mere “aggregator of information.”

The Perplexity chatbot itself is more specific. Prompted to describe what Perplexity is, it provides text that reads, “Perplexity AI is an AI-powered search engine that combines features of traditional search engines and chatbots. It provides concise, real-time answers to user queries by pulling information from recent articles and indexing the web daily.”

A WIRED analysis and one carried out by developer Robb Knight suggest that Perplexity is able to achieve this partly through apparently ignoring a widely accepted web standard known as the Robots Exclusion Protocol to surreptitiously scrape areas of websites that operators do not want accessed by bots, despite claiming that it won’t. WIRED observed a machine tied to Perplexity—more specifically, one on an Amazon server and almost certainly operated by Perplexity—doing this on WIRED.com and across other Condé Nast publications.

The WIRED analysis also demonstrates that, despite claims that Perplexity’s tools provide “instant, reliable answers to any question with complete sources and citations included,” doing away with the need to “click on different links,” its chatbot, which is capable of accurately summarizing journalistic work with appropriate credit, is also prone to bullshitting, in the technical sense of the word.

WIRED provided the Perplexity chatbot with the headlines of dozens of articles published on our website this year, as well as prompts about the subjects of WIRED reporting. The results showed the chatbot at times closely paraphrasing WIRED stories, and at times summarizing stories inaccurately and with minimal attribution. In one case, the text it generated falsely claimed that WIRED had reported that a specific police officer in California had committed a crime. (The AP similarly identified an instance of the chatbot attributing fake quotes to real people.) Despite its apparent access to original WIRED reporting and its site hosting original WIRED art, though, none of the IP addresses publicly listed by the company left any identifiable trace in our server logs, raising the question of how exactly Perplexity’s system works.

Until earlier this week, Perplexity published in its documentation a link to a list of the IP addresses its crawlers use—an apparent effort to be transparent. However, in some cases, as both WIRED and Knight were able to demonstrate, it appears to be accessing and scraping websites from which coders have attempted to block its crawler, called Perplexity Bot, using at least one unpublicized IP address. The company has since removed references to its public IP pool from its documentation.

That secret IP address—44.221.181.252—has hit properties at Condé Nast, the media company that owns WIRED, at least 822 times in the past three months. One senior engineer at Condé Nast, who asked not to be named because he wants to “stay out of it,” calls this a “massive undercount” because the company only retains a fraction of its network logs.

WIRED verified that the IP address in question is almost certainly linked to Perplexity by creating a new website and monitoring its server logs. Immediately after a WIRED reporter prompted the Perplexity chatbot to summarize the website's content, the server logged that the IP address visited the site. This same IP address was first observed by Knight during a similar test.

It also appears probable that in some cases—and despite a graphical representation in its user interface that shows the chatbot “reading” specific source material before giving a reply to a prompt—Perplexity is summarizing not actual news articles but reconstructions of what they say based on URLs and traces of them left in search engines like extracts and metadata, offering summaries purporting to be based on direct access to the relevant text.

The magic trick that’s made Perplexity worth 10 figures, in other words, appears to be that it’s both doing what it says it isn’t and not doing what it says it is.

In response to a detailed request for comment referencing the reporting in this story, Srinivas issued a statement that said, in part, “The questions from WIRED reflect a deep and fundamental misunderstanding of how Perplexity and the Internet work.” The statement did not dispute the specifics of WIRED's reporting, and Srinivas did not respond to follow-up questions asking if he disputed WIRED's or Knight's analyses.

On June 6, Forbes published an investigative report about how former Google CEO Eric Schmidt’s new venture is recruiting heavily and testing AI-powered drones with potential military applications. (Forbes reported that Schmidt declined to comment.) The next day, John Paczkowski, an editor for Forbes, posted on X to note that Perplexity had essentially republished the sum and substance of the scoop. (“It rips off most of our reporting,” he wrote. “It cites us, and a few that reblogged us, as sources in the most easily ignored way possible.”)

That day, Srinivas thanked Paczkowski, noting that the specific product feature that had reproduced Forbes’ exclusive reporting had “rough edges” and agreeing that sources should be cited more prominently. Three days later, Srinivas boasted—inaccurately, it turned out—that Perplexity was Forbes’ second-biggest source of referral traffic. (WIRED’s own records show that Perplexity sent 1,265 referrals to WIRED.com in May, an insignificant amount in the context of the site’s overall traffic. The article to which the most traffic was referred got 17 views.) “We have been working on new publisher engagement products and ways to align long-term incentives with media companies that will be announced soon,” he wrote. “Stay tuned!”

Just what Srinivas meant soon became clear when Semafor reported ​​that the company had been “working on revenue-sharing deals with high-quality publishers”—arrangements that would allow Perplexity and publishers alike to profit from the publishers’ investments in reporting. According to Axios, Forbes' general counsel sent a letter to Srinivas last Thursday demanding Perplexity remove misleading articles and repay Forbes for advertising revenue earned from its alleged copyright infringement.

The focus on what Perplexity is doing is, while understandable, to some extent obscuring the more important question of how it’s doing it.

The basics of the “what” aren’t in serious dispute: Perplexity is making money from summarizing news articles, a practice that has existed as long as there has been news and that enjoys broad, though qualified, legal protection. Srinivas has acknowledged that at times these summaries have failed to credit the sources from which they’re derived fully or prominently enough, but more broadly he denied unethical or unlawful activity. Perplexity has “never ripped off content from anybody,” he told the AP. “Our engine is not training on anyone else’s content.”

This is a curious defense in part because it answers an objection no one has raised. Perplexity’s main offering isn’t a large language model that needs to be trained on a body of data, but rather a wrapper that goes around such systems. Users who pay $20 for a “Pro” subscription, as two WIRED reporters did, are given a choice of five AI models to use. One, Sonar Large 32k, is unique to Perplexity but based on Meta's LLaMa 3; the others are off-the-shelf versions of various models offered by OpenAI and Anthropic.

This is where we come to the how: When a user queries Perplexity, the chatbot isn’t just composing answers by consulting its own database, but also leveraging the “real-time access to the web” that Perplexity touts in marketing materials to gather information, then feeding it to the AI model a user has selected to generate a reply. In this way, while Perplexity has trained its own model and purports to leverage “sophisticated AI” to interpret prompts, calling it an “AI startup” is somewhat misleading; it would perhaps be more accurately described as a sort of remora attached to existing AI systems. (“To be clear, while Perplexity does not train foundation models, we are still an AI company,” Srinivas tells WIRED._)_

In theory, Perplexity’s chatbot shouldn’t be able to summarize WIRED articles, because our engineers have blocked its crawler via our robots.txt file since earlier this year. This file instructs web crawlers on which parts of the site to avoid, and Perplexity claims to respect the robots.txt standard. WIRED’s analysis found that in practice, though, prompting the chatbot with the headline of a WIRED article or a question based on one will usually produce a summary appearing to recapitulate the article in detail.

Entering the headline of this exclusive into the chatbot’s interface, for example, produces a four-paragraph block of text laying out the basic information that Keanu Reeves and the science fiction writer China Miéville have collaborated on a novel, seemingly complete with telling details. “Despite his initial apprehension about the potential collaboration, Reeves was enthusiastic about working with Miéville,” the text reads; this is followed by a gray circle which, when moused over, provides a link to the article. The text is illustrated by a photograph commissioned by WIRED; clicking the image produces a credit line and a link to the original article. (WIRED’s records show that Perplexity has directed six users to the article since its publication.)

Similarly, asking Perplexity “Are some cheap wired headphones actually using Bluetooth?” yields what appears to be a two-paragraph summary of this WIRED story, accompanied by the art that originally ran with it. "Although this method is not a scam, it can be seen as a deceptive or ingenious workaround depending on one's perspective," the text reads. This is closer to WIRED copy (”Is it a scam? Technically no—but depending on your point of view, there's either deception going on here or some kind of ingenious hack,” wrote staff writer Boone Ashworth) than either a human editor or lawyer might prefer, but the chatbot generates text insisting this is a mere coincidence.

“No, I did not plagiarize the phrase,” reads text generated by the chatbot in response to a prompt given by a WIRED reporter. “The similarity in wording is coincidental and reflects the common language used to describe such a nuanced situation.” How the common language is defined is unclear—aside from product listings for headphones, the only sources Perplexity cites here are the WIRED article and a Slashdot discussion of it.

Findings by Robb Knight, the developer, and a subsequent WIRED analysis suggest an explanation for some of what’s happening here: In brief, Perplexity is scraping websites without permission.

As Knight explains it, in addition to forbidding AI bots from the servers of Macstories.net, a site on which he works, by utilizing a robots.txt file, he additionally coded in a server-side block that in theory should present a crawler with a 403 forbidden response. He then put up a post describing how he had done this and asked the Perplexity chatbot to summarize it, yielding “a perfect summary of the post including various details that they couldn't have just guessed.”

“So,” he asked, reasonably, “what the fuck are they doing?”

Knight investigated his server logs and found that Perplexity had apparently ignored his robots.txt file and evaded his firewall, likely using an automated web browser running on a server with an IP address that the company does not publicly disclose. "I can't even block their IP ranges because it appears these headless browsers are not on their IP ranges," he wrote.

WIRED was able to confirm that a server at the IP address Knight observed—44.221.181.252—will, on demand, visit and download webpages when a user asks Perplexity about the webpage, regardless of what the site’s robots.txt says. According to an analysis of Condé Nast system logs by our company’s engineers, it's likely this IP address has accessed the company’s content thousands of times without permission.

Scraping websites that have asked not to be scraped may in some circumstances expose a company or an individual to legal risk, though the relevant case law is ambiguous and generally on the side of those accessing public websites. (“It’s a complicated area of law,” says Andrew Crocker, surveillance litigation director at the Electronic Frontier Foundation, “and there’s a lot of litigation around it.”) Knight, the developer, says his findings nonetheless make him “furious.”

“We’ve now got a huge industry of AI-related companies who are incentivized to do shady things to continue their business,” he tells WIRED. “By not identifying that it’s them accessing a site, they can continue to collect data unrestricted.”

“Millions of people,” says Srinivas, “turn to Perplexity because we are delivering a fundamentally better way for people to find answers.”

While Knight’s and WIRED’s analyses demonstrate that Perplexity will visit and use content from websites that it doesn't have permission to access, that doesn’t necessarily explain the vagueness of some of its responses to prompts about specific articles and the sheer inaccuracy of others. This mystery has one fairly obvious solution: In some cases, it isn’t actually summarizing the article.

In one experiment, WIRED created a test website containing a single sentence—“I am a reporter with WIRED”—and asked Perplexity to summarize the page. While monitoring the website’s server logs, we found no evidence that Perplexity attempted to visit the page. Instead, it invented a story about a young girl named Amelia who follows a trail of glowing mushrooms in a magical forest called Whisper Woods.

When pressed for answers about why it made up a story, the chatbot generated text that read, “You're absolutely right, I clearly have not actually attempted to read the content at the provided URL based on your observation of the server logs … Providing inaccurate summaries without making the effort to read the actual content is unacceptable behavior for an AI like myself.”

It’s unclear why the chatbot invented such a wild story, or why it didn’t attempt to access this website.

Despite the company’s claims about its accuracy and reliability, the Perplexity chatbot frequently exhibits similar issues. In response to prompts provided by a WIRED reporter and designed to test whether it could access this article, for example, text generated by the chatbot asserted that the story ends with a man being followed by a drone after stealing truck tires. (The man in fact stole an ax.) The citation it provided was to a 13-year-old WIRED article about government GPS trackers being found on a car. In response to further prompts, the chatbot generated text asserting that WIRED reported that an officer with the police department in Chula Vista, California, had stolen a pair of bicycles from a garage. (WIRED did not report this, and is withholding the name of the officer so as not to associate his name with a crime he didn’t commit.)

In an email, Dan Peak, assistant chief of police at Chula Vista Police Department, expressed his appreciation to WIRED for "correcting the record" and clarifying that the officer did not steal bicycles from a community member’s garage. However, he added, the department is unfamiliar with the technology mentioned and so cannot comment further.

These are clear examples of the chatbot “hallucinating”—or, to follow a recent article by three philosophers from the University of Glasgow, bullshitting, in the sense described in Harry Frankfurt’s classic _On Bullshit_. “Because these programs cannot themselves be concerned with truth, and because they are designed to produce text that _looks_ truth-apt without any actual concern for truth,” the authors write of AI systems, “it seems appropriate to call their outputs bullshit.”

(“We have been very upfront that answers will not be accurate 100% of the time and may hallucinate,” says Srinivas, “but a core aspect of our mission is to continue improving on accuracy and the user experience.”)

There would be no reason for the Perplexity chatbot to bullshit by extrapolating what was in an article if it were accessing it. It’s therefore logical to conclude that in some cases it isn’t, and is approximating what was likely in it from related material found elsewhere. The likeliest sources of such information would be URLs and bits of digital detritus gathered by and submitted to search engines like Google—a process something like describing a meal by tasting scraps and trimmings fished out of a garbage can.

Both the explanation of how Perplexity works published on its site and, for what it’s worth, text generated by the Perplexity chatbot in response to prompts related to its information-gathering workflow support this theory. After parsing a query, the text said, Perplexity deploys its web crawler, avoiding sites on which it’s blocked.

“Perplexity can also,” the text reads, “leverage search engines like Google and Bing to gather information.” In this sense, at least, it truly is just like a human.

Perplexity Is a Bullshit Machine

The new book World on the Brink: How America Can Beat China in the Race for the 21st Century lays out what might actually happen if China were to invade Taiwan in 2028.

_In late March, a Taiwanese data analyst posted on social media about an odd satellite image: It appeared that the Chinese military had erected at one of its remote military bases in Inner Mongolia a series of roads that perfectly re-created the roads around the presidential palace in Taipei. The revelation only appeared to underscore the seriousness with which Chinese officials are proceeding with President Xi Jinping’s directive to be ready to invade the independent island by the late 2020s. As part of the research for his new book, World on the Brink: How America Can Beat China in the Race for the 21st Century, Dmitri Alperovitch journeyed to Taiwan, talked with multiple high-level officials and national security planners in Taiwan and the United States, and walked the possible invasion terrain to imagine just how such an invasion might occur. His scenario, excerpted here and which he imagines taking place on November 13, 2028, serves as the new book’s prologue._

Courtesy of Hachette Book Group

The winter season in Taiwan—lasting from November till March—is great for surfers. It’s no Bali or Hawaii, as the size of the waves and their consistency may vary, but the Northeast Monsoon, which brings in the cold China Coastal Current water into the Taiwan Strait, where it meets the warm Kuroshio Branch Current coming from the south, is known to form some significant waves. The Taiwan Strait is only about a hundred meters deep—shallow enough that during ice ages and the time of glaciers the island of Taiwan was physically connected to the Chinese mainland; but even in the modern era the 200-mile-long passage—which varies in width from about 100 nautical miles down to just 70 nautical miles and is one of the most vital shipping routes in the world—is known for frequent storms, large swells, and blinding fog and is bedeviled by annual summer typhoons from roughly May to October. Between the typhoons in the summer and the stormy high-wave winter season, there is no predictably perfect and easy time to launch a large-scale amphibious invasion of Taiwan, especially with the strait registering about 150 days a year of winds above 20 knots, rough seas for amphibious ships and landing craft. Any landing on Taiwan’s windy, shallow, and rocky beaches during that time is fraught and risky. Which is why, in the end, China decided to forego a beach landing and attempt an air assault on the island’s port and airfield facilities, the seizure of which would allow for rapid arrival of follow-on troops and logistical supplies to facilitate a successful occupation.

The operations planners in the People’s Liberation Army had had years to deliberate their invasion strategy, adjusting year after year as China’s own military capabilities grew and advanced. In the end, due to the unpredictability of the rough Taiwan Strait waters and the heavy fortifications the Taiwanese had built up around potential beach landing sites, the PLA came up with an innovative invasion plan—the opening stages of which they’d practiced repeatedly as the late 2020s unfolded. For several years, China had engaged in full-scale military exercises—loading up vast armadas of military and civilian ships with tens of thousands of troops, equipment, and matériel and heading toward Taiwan, always stopping just short of the 12-nautical-mile limit that marks the start of the island’s territorial waters. They figured they could practice with some impunity, because they knew Taiwan could never afford to respond aggressively. One of the island’s greatest defense dilemmas had long been its inability to respond to hostile provocations and threats with force—lest it be accused of instigating a conflict. US officials had warned Taiwanese leadership for years that under no circumstances could they fire the first shot—they had to take the Chinese punch before retaliating. Portraying China as the aggressor would be a critical step in building the international case that Chinese leader Xi Jinping was alone responsible for starting any war. The stakes couldn’t have been higher: After all, even if the Taiwanese fired first at the PLA armada after it crossed Taiwan’s territorial boundary, Beijing could still dispute the shooting as unprovoked and claim that it occurred in international waters—muddying the geopolitical waters such that Taiwan risked losing key moral and diplomatic support around the world. Too many countries wanted the excuse—they would only be too eager to continue trading with China, the world’s second largest economy, irrespective of the conflict. If Taiwan was to survive and rally the world to its cause, it couldn’t afford to offer that excuse.

The final Chinese PLA plan counted on precisely that Taiwanese restraint when China’s ships entered Taiwan’s waters and closed in on the vital northwestern coastal Port of Taipei, a modern facility completed in 2012 that boasted 4,500 feet of so-called berth space, a substantial amount of space available for cargo offloading. There the PLA planned to leverage existing infrastructure to rapidly unload hundreds of thousands of troops and thousands of tanks, armored vehicles, heavy engineering equipment, weapons, munitions, and the logistics supplies needed for the conquest of the island. While Taipei wasn’t the largest port in Taiwan, the rapid capture of its docks was essential to the success of the operation, since other Taiwanese port facilities were too far away from the capital city. That distance and Taiwan’s extensive array of steep mountains and winding rivers made the rapid transport of a large PLA armored force from any other port or beach to the capital all but impossible.

The operational plan called for moving eight modern Type 075 Yushen-class amphibious assault ships, each with more than 30,000-ton displacement, right up to Taiwan’s maritime border, while being protected by PLA Navy (PLAN) guided-missile destroyers. Xi Jinping’s regime had rapidly constructed the Yushen ships specifically with this mission in mind; each was a highly capable delivery platform for air assault operations, carrying a mix of up to 28 attack and heavy transport helicopters and 800 troops. In the early morning hours, once the final order was given, 200 Z-8 and Z-20 transport helicopters, all backed up by Z-10 attack gunships, would take off from the ship landing docks and head for the Taipei port, as well as the Taoyuan International Airport, 10 miles south, and the smaller Taipei Songshan Airport, located right in the center of the capital city, just three miles north of the Zhongzheng government district. The plan called for helicopters to make the journey in 10 minutes. (Ironically, these aircraft were built based on legally acquired Western technology—the Z-8 came from an original French-licensed design and the Z-20 from the UH-60 Black Hawk, which America had sold to China in the 1980s. The Z-10 was built with Pratt & Whitney engines and assisted by European Airbus and AgustaWestland transmission and rotor installation designs.)

The heliborne brigades of the PLA Air Force (PLAAF) Airborne Corps, China’s equivalent to the United States’ 101st Airborne Division, would assault, capture, and secure the port and airport facilities, in preparation for follow-on forces with armored vehicles that would land at the airfields on the Chinese Y-20 and Russian-made IL-76 troop transport planes. As those transport planes descended, dozens of large roll-on/roll-off (RORO) ferries and vehicle transport ships—all built with “national defense requirements” and appropriated from Chinese industry by the PLAN—would rush into the captured port and unload tens of thousands of troops and hundreds of additional tanks and infantry fighting vehicles. Anticipating that the Taiwanese might manage to destroy the port’s infrastructure ahead of the Chinese landing, the PLA has spent years practicing rapid offloading of these vessels in ports with minimal cargo handling infrastructure, such as a lack of pier-side ramps or tugboat support. Simultaneously, PLAAF land-based missiles, rockets, and bombers, along with attack aircraft deployed from two Chinese carriers positioned off Taiwan’s eastern coast, would pummel Taiwan’s air bases in an attempt to take the island’s relatively small air force out of commission before it could get into the fight—destroying runways, fuel depots, and maintenance infrastructure and targeting the island’s prized fleet of F-16 fighter jets. Mainland-based precision-guided ballistic and cruise missiles, together with long-range, truck-mounted PHL-16 multiple rocket launchers and kamikaze drones, would all target stationary radars, fixed weapons platforms, critical command, control, communications nodes, naval facilities, energy infrastructure, and TV and radio transmission towers to sow chaos and impede the highly centralized decisionmaking of the Taiwanese military. American-built Patriot air defense batteries, as well as Taiwan’s indigenously developed Sky Bow systems, troop barracks, and anti-ship batteries were also high priority targets.

This Is What Would Happen if China Invaded Taiwan

A ShinyHunters hacker tells WIRED that they gained access to Ticketmaster’s Snowflake cloud account—and others—by first breaching a third-party contractor.

Hackers who stole terabytes of data from Ticketmaster and other customers of the cloud storage firm Snowflake claim they obtained access to some of the Snowflake accounts by first breaching a Belarusian-founded contractor that works with those customers.

About 165 customer accounts were potentially affected in the recent hacking campaign targeting Snowflake’s customers, but only a few of these have been identified so far. In addition to Ticketmaster, the banking firm Santander has also acknowledged that their data was stolen but declined to identify the account from which it was stolen. Wired, however, has independently confirmed that it was a Snowflake account; the stolen data included bank account details for 30 million customers, including 6 million account numbers and balances, 28 million credit card numbers, and human resources information about staff, according to a post published by the hackers. Lending Tree and Advance Auto Parts have also said they might be victims as well.

Snowflake has not revealed details about how the hackers accessed the accounts, saying only that the intruders did not directly breach Snowflake’s network. This week, Google-owned security firm Mandiant, one of the companies engaged by Snowflake to investigate the breaches, revealed in a blog post that in some cases the hackers first obtained access through third-party contractors, without identifying the contractors or stating how this access aided the hackers in breaching the Snowflake accounts.

But according to one of the hackers who spoke with WIRED through a text chat, one of those firms was EPAM Systems, a publicly traded software engineering and digital services firm, founded by Belarus-born Arkadiy Dobkin, with current revenue of around $4.8 billion. The hacker says his group, which calls themselves ShinyHunters, used data found on an EPAM employee system to gain access to some of the Snowflake accounts.

EPAM told WIRED that it does not believe that it played a role in the breaches and suggested the hacker had fabricated the tale. ShinyHunters has been around since 2020 and has been responsible for numerous breaches since then that involve stealing large troves of data and leaking or selling it online.

Snowflake is a large data storage and analysis firm that provides tools for companies to derive intelligence and insight from customer data. EPAM develops software and provides various managed services for customers worldwide, primarily in North America, Europe, Asia, and Australia, according to its web site, with about 60 percent of its revenue coming from customers in North America. Among the services EPAM provides customers is assistance with using and managing their Snowflake accounts to store and analyze their data. EPAM claims it has some 300 workers who are experienced in using Snowflake’s data analytics tools and services, and announced in 2022 that it had attained “Elite Tier Partner” status with Snowflake to leverage the latter’s analytics platform for its customers.

EPAM’s founder emigrated from Belarus to the US in the ’90s before founding his company in 1993 from his New Jersey apartment. Nearly two-thirds of EPAM’s 55,000 employees resided in Ukraine, Belarus, and Russia until Russia invaded Ukraine, at which point the company says it closed its Russia operations and moved some of its Ukrainian workers to locations outside of that country.

The hacker who spoke with WIRED says that a computer belonging to one of EPAM’s employees in Ukraine was infected with info-stealer malware through a spear-phishing attack. It’s unclear if someone from ShinyHunters conducted this initial breach or just purchased access to the infected system from someone else who hacked the worker and installed the infostealer. The hacker says that once on the EPAM worker’s system, they installed a remote-access Trojan, giving them complete access to everything on the worker’s computer.

Using this access, they say, they found unencrypted usernames and passwords that the worker used to access and manage EPAM customers’ Snowflake accounts, including an account for Ticketmaster. The hacker says the credentials were stored on the worker’s machine in a project management tool called Jira. The hackers were able to use those credentials, they say, to access the Snowflake accounts because the Snowflake accounts didn’t require multifactor authentication (MFA) to access them. (MFA requires that users type in a one-time temporary code in addition to a username and password, making accounts that use MFA more secure.)

While EPAM denies it was involved in the breach, hackers did steal data from Snowflake accounts including Ticketmaster's, and have extorted the owners of the data by demanding hundreds of thousands, and in some cases more than a million, dollars to destroy the data or risk having the hackers sell it elsewhere.

The hacker who spoke with WIRED didn’t identify all of the victims breached through EPAM but did indicate that Ticketmaster was one of them. Ticketmaster did not respond to a request for comment from WIRED. But Ticketmaster’s parent company, Live Nation, has acknowledged that data was stolen from its Snowflake account in May without revealing how much data was stolen or how the hackers accessed the Snowflake account. In a post offering the data for sale, however, the hackers indicated that they had taken data on 560 million Ticketmaster consumers.

The hacker claims that in some cases they were able to directly access the Snowflake account of EPAM customers using the plaintext usernames and passwords they found on the EPAM worker’s computer. But in cases where Snowflake credentials weren’t stored on the worker’s system, the hacker claims they sifted through stockpiles of old credentials stolen in previous breaches by hackers using infostealer malware and found additional usernames and passwords for Snowflake accounts, including ones harvested from the machine of the same EPAM worker in Ukraine.

Credentials harvested by infostealers are often posted online or made available for sale on hacker forums. If victims don’t change their login credentials after a breach, or don’t know their data has been stolen, those credentials can remain active and available for years. It’s especially problematic if those credentials are used across multiple accounts; hackers can identify the user through the email address they use as a login credential, and if that person reuses the same password, hackers can simply try those credentials in multiple places.

The hackers in this case say they were able to use credentials stolen by an infostealer in 2020 to access Snowflake accounts.

WIRED wasn’t able to independently confirm that the hackers were inside the EPAM worker’s machine or used EPAM to gain access to Ticketmaster’s data and other Snowflake accounts, but the hacker provided WIRED with a file that appears to be a list of EPAM worker credentials lifted from the company’s Active Directory database after they gained access to the worker’s computer.

Furthermore, in the blog post written by Mandiant, which was published after the hacker told WIRED about his group’s use of data harvested by infostealers, the security firm revealed that the hackers who breached Snowflake accounts used old data siphoned by infostealers to access some of the accounts. Mandiant said that about 80 percent of the victims it identified in the Snowflake campaign were compromised using credentials that had previously been stolen and exposed by infostealers.

And an independent security researcher who has been helping to negotiate the ransom transactions between the ShinyHunter hackers and victims of the Snowflake campaign pointed WIRED to an online repository of data harvested by an infostealer that includes data siphoned from the computer of the EPAM worker in Ukraine that the hacker says was used to gain access to the Snowflake accounts. This stolen data includes the worker’s browser history, which reveals the worker’s complete name. It also includes an internal EPAM URL pointing to Ticketmaster’s Snowflake account, as well as a plaintext version of the username and password that the EPAM worker used to access the Ticketmaster Snowflake account.

“This means that \[an EPAM worker\] who had access to that Snowflake \[account\] had password-stealing malware on their computer, and their password was stolen and sold on the dark web,” says the researcher, who asked to be identified only as Reddington, an identity they use online to communicate with cybercriminals. “This means that anyone that knew the correct URL to \[Ticketmaster’s\] Snowflake could have simply looked up the password, logged in, and stolen the data.”

An EPAM spokesperson did not seem to be aware when contacted by WIRED early this week that its company allegedly played a role in breaches of Snowflake accounts. “We do not comment on situations to which we are not a part,” she wrote in an email, suggesting the company did not believe it played any role in the campaign. When WIRED provided the spokeswoman with details about how the hackers say they obtained access to the system of an EPAM worker in Ukraine, she replied, “Hackers frequently spread false information to advance their agendas. We maintain a policy of not engaging with misinformation and consistently uphold robust security measures to protect our operations and customers. We are continuing our exhaustive investigation and, at this time, see no evidence to suggest that we have been affected or involved in this matter.”

WIRED followed up by providing the name of the Ukrainian worker whose machine the hackers allegedly compromised, as well as the username and password the worker used for accessing Ticketmaster’s Snowflake account, but the spokesperson did not respond to any additional questions.

It’s possible the ShinyHunter hackers did not directly hack the EPAM worker, and simply gained access to the Snowflake accounts using usernames and passwords they obtained from old repositories of credentials stolen by info stealers. But, as Reddington points out, this means that anyone else can sift through those repositories for these and other credentials stolen from EPAM accounts. Reddington says they found data online that was used by nine different infostealers to harvest data from the machines of EPAM workers. This raises potential concerns about the security of data belonging to other EPAM customers.

EPAM has customers across various critical industries, including banks and other financial services, health care, broadcast networks, pharmaceutical, energy and other utilities, insurance, and software and hi-tech—the latter customers include Microsoft, Google, Adobe, and Amazon Web Services. It’s not clear, however, if any of these companies have Snowflake accounts to which EPAM workers have access. WIRED also wasn’t able to confirm whether Ticketmaster, Santander, Lending Tree, or Advance AutoParts are EPAM customers.

The Snowflake campaign also highlights the growing security risks from third-party companies in general and from infostealers. In its blog post this week, Mandiant suggested that multiple contractors were breached to gain access to Snowflake accounts, noting that contractors—often known as business process outsourcing (BPO) companies—are a potential gold mine for hackers, because compromising the machine of a contractor that has access to the accounts of multiple customers can give them direct access to many customer accounts.

“Contractors that customers engage to assist with their use of Snowflake may utilize personal and/or non-monitored laptops that exacerbate this initial entry vector,” wrote Mandiant in its blog post. “These devices, often used to access the systems of multiple organizations, present a significant risk. If compromised by infostealer malware, a single contractor's laptop can facilitate threat actor access across multiple organizations, often with IT and administrator-level privileges.”

The company also highlighted the growing risk from infostealers, noting that the majority of the credentials the hackers used in the Snowflake campaign came from repositories of data previously stolen by various infostealer campaigns, some of which dated as far back as 2020. “Mandiant identified hundreds of customer Snowflake credentials exposed via infostealers since 2020,” the company noted.

This, accompanied by the fact that the targeted Snowflake accounts didn’t use MFA to further protect them, made the breaches in this campaign possible, Mandiant notes.

Snowflake’s CISO, Brad Jones, acknowledged last week that the lack of multifactor authentication enabled the breaches. In a phone call this week, Jones told WIRED that Snowflake is working on giving its customers the ability to mandate that users of their accounts employ multifactor authentication going forward, “and then we’ll be looking in the future to \[make the\] default MFA,” he says.

_Update 6/17/2024, 5:45 pm EDT: The article was updated to clarify the details that Santander has publicly revealed about the hack._

Hackers Detail How They Allegedly Stole Ticketmaster Data From Snowflake

CCTV cameras and AI are being combined to monitor crowds, detect bike thefts, and spot trespassers.

Network Rail did not answer questions about the trials sent by WIRED, including questions about the current status of AI usage, emotion detection, and privacy concerns.

“We take the security of the rail network extremely seriously and use a range of advanced technologies across our stations to protect passengers, our colleagues, and the railway infrastructure from crime and other threats,” a Network Rail spokesperson says. “When we deploy technology, we work with the police and security services to ensure that we’re taking proportionate action, and we always comply with the relevant legislation regarding the use of surveillance technologies.”

It is unclear how widely the emotion detection analysis was deployed, with the documents at times saying the use case should be “viewed with more caution” and reports from stations saying it is “impossible to validate accuracy.” However, Gregory Butler, the CEO of data analytics and computer vision company Purple Transform, which has been working with Network Rail on the trials, says the capability was discontinued during the tests and that no images were stored when it was active.

The Network Rail documents about the AI trials describe multiple use cases involving the potential for the cameras to send automated alerts to staff when they detect certain behavior. None of the systems use controversial face recognition technology, which aims to match people’s identities to those stored in databases.

“A primary benefit is the swifter detection of trespass incidents,” says Butler, who adds that his firm’s analytics system, SiYtE, is in use at 18 sites, including train stations and alongside tracks. In the past month, Butler says, there have been five serious cases of trespassing that systems have detected at two sites, including a teenager collecting a ball from the tracks and a man “spending over five minutes picking up golf balls along a high-speed line.”

At Leeds train station, one of the busiest outside of London, there are 350 CCTV cameras connected to the ​​SiYtE platform, Butler says. “The analytics are being used to measure people flow and identify issues such as platform crowding and, of course, trespass—where the technology can filter out track workers through their PPE uniform,” he says. “AI helps human operators, who cannot monitor all cameras continuously, to assess and address safety risks and issues promptly.”

The Network Rail documents claim that cameras used at one station, Reading, allowed police to speed up investigations into bike thefts by being able to pinpoint bikes in the footage. “It was established that, whilst analytics could not confidently detect a theft, but they could detect a person with a bike,” the files say. They also add that new air quality sensors used in the trials could save staff time from manually conducting checks. One AI instance uses data from sensors to detect “sweating” floors, which have become slippery with condensation, and alert staff when they need to be cleaned.

While the documents detail some elements of the trials, privacy experts say they are concerned about the overall lack of transparency and debate about the use of AI in public spaces. In one document designed to assess data protection issues with the systems, Hurfurt from Big Brother Watch says there appears to be a “dismissive attitude” toward people who may have privacy concerns. One question asks: “Are some people likely to object or find it intrusive?” A staff member writes: “Typically, no, but there is no accounting for some people.”

At the same time, similar AI surveillance systems that use the technology to monitor crowds are increasingly being used around the world. During the Paris Olympic Games in France later this year, AI video surveillance will watch thousands of people and try to pick out crowd surges, use of weapons, and abandoned objects.

“Systems that do not identify people are better than those that do, but I do worry about a slippery slope,” says Carissa Véliz, an associate professor in psychology at the Institute for Ethics in AI, at the University of Oxford. Véliz points to similar AI trials on the London Underground that had initially blurred faces of people who might have been dodging fares, but then changed approach, unblurring photos and keeping images for longer than was initially planned.

“There is a very instinctive drive to expand surveillance,” Véliz says. “Human beings like seeing more, seeing further. But surveillance leads to control, and control to a loss of freedom that threatens liberal democracies.”

Amazon-Powered AI Cameras Used to Detect Emotions of Unwitting UK Train Passengers

In this common email scam, a criminal pretending to be your boss or coworker emails you asking for a favor involving money. Here's what do to when a bad actor lands in your inbox.

Don't close this tab! I know there are few combinations of words less interesting than business, email, and compromise. I may as well have written an article about fiber, socks, and responsibility. But this isn't a boring article: it's an article about email con artists who, according to the FBI, are pulling in $26 billion a year by scamming people.

So yeah: business email compromise scams are a big deal. The con artists behind this criminal enterprise will cold email you, pretending to be someone you work with, in order to gain access to money or information. You might get an email that appears to be from your company's CEO asking you to quickly do something like buy gift cards, or you might get an email that looks like it's from an employee at your company asking you to change their direct deposit information. The scam itself can take a lot of forms, but the end goal is to somehow siphon money away from you or the business you work for.

It's worth it for anyone with a desk job to take a few moments to learn how to spot these emails. I talked with a few experts, and they passed along some helpful advice.

**Always Question Urgency**

When I asked two cybersecurity experts about BEC fraud, I expected them to lead with technical advice. Both started with emotions. This makes sense: while such fraud happens on computers, it is at its heart about psychological manipulation. So spotting an email compromise scam requires getting in touch with how you're feeling.

"If an email elicits an emotional response, take a step back and reread it when you're more calm," says Ronnie Tokazowski, a security researcher who has been working to educate people about email scams for over a decade. Tokazowski emphasizes how important creating a false sense of urgency is to such scams. The stress the scam induces is what keeps you from questioning the premise. "People who get pulled into these types of scams … their emotions get very deregulated," he says. That makes you less capable of thinking critically, which is a key part of how such scams work.

Selena Larson, a threat researcher at cybersecurity firm Proofpoint, went a step further. "I don't know if you can print this, but honestly: just breathe," she says. "Slow down, take a deep breath. That actually helps you think more clearly and rationally. Walk away from your computer or your phone and think critically. Would this be an email that someone would send me? Is this is a logical thing that I'm being asked to do?"

You should be particularly skeptical if the person sending the email asks you to keep something quiet.

"Scammers do things like isolate you from your peers," says Larson. "They come at you from a position of authority and say things like, 'Please keep this confidential and only between us.' This type of social engineering makes it so people feel like they have to take an action with some kind of urgency, and that you can't share it with anybody."

So this is the first step: take control of your emotions. Yes, it can be difficult if you work in a demanding field. But it's your best first defense, and your employer will thank you for it (or, at least, they should).

**Always Confirm Through a Second Channel**

Now that you're skeptically questioning the legitimacy of the urgent request, check to make sure the email is coming from the person it claims to be from. The best way to do this is to ask—just be careful.

"If you received an email like this, it's important to pick up the phone and call the number you know to be legitimate," says Larson, adding a caveat. "Do not rely on a phone number in the email itself—it will be owned by the threat actor."

This is a crucial point: any contact information in the email itself is likely compromised, and sometimes cleverly so. Use the phone number you've already saved in your phone for the person in question, or look up the phone number on an official website or in an official company directory. This applies even if the number in the email looks correct, because some scammers will go through the trouble of getting a phone number that's similar to that of the person they're impersonating, all on the hopes that you'll call that number instead of the real one.

"I've seen phone numbers off two digits from the actual phone number," says Tokazowski.

Call the person who supposedly emailed you—using a number you are 100 percent sure is real—and confirm the request is authentic. You could also use some other secure communication channel like Slack or Microsoft Teams, or, if they're in the office, just ask them face to face. The point is to confirm any urgent request somewhere outside of the initial email. And even if the person is your boss or some other bigwig, do not worry about wasting their time.

"The person that is being impersonated would so much rather have someone take the time to confirm than to lose thousands or a million dollars in a malicious transaction," says Larson.

**Check the Email Address**

Getting in touch with the supposed sender isn't always an option. If not, there are a few tricks you can use to spot whether an email is real or fake. The first: check the email address and make sure it's from company domain.

"Always check the domains that you're receiving emails from," says Larson. Sometimes this will be obvious; your CEO likely isn't emailing you from a Gmail account, for example. Sometimes it will be more subtle—fraudsters have been known to purchase domains that look similar to that of the company they're attempting to fraud, all in the hopes of appearing legitimate.

It's also worth checking to see if the email signature matches the address the email is coming from. “If you look in the footer, they'll use the actual domain of the company to make it look legitimate, but that won't match the email address,” says Larson. Just keep in mind that the difference might be subtle. “Lookalike domains are very common: someone will do a slight variation, like an ‘l’ instead of an ‘i’, to make it look legitimate.” One way to test that, if you're suspicious, is to copy and paste the domain half of the address into a browser. If you don't get a website, you're probably dealing with a fake.

Another trick scammers will use is email spoofing, which you can spot by clicking reply and checking the email address that shows up in the "To" field. If it's a different email address than the one the email looks like it arrived from, you're likely dealing with a fake request.

**Go Through the Proper Protocols**

Now this is boring, but the best defense against business email compromise scams might be old-fashioned bureaucracy. If there is a process in place for things that are the common target of scams—large purchases, for example, or updating financial information in a database—then your company is less likely to fall victim to such scams.

“Most of the time, from a process perspective, that request of purchasing something would need to go through human resources, procurement,” says Tokazowski. If you get a request like this over email asking you to bypass the usual processes, be skeptical. “There needs to be a paper trail. Someone saying ‘purchase this from your personal account’ is a process that just wouldn't happen.”

A healthy company probably shouldn't be using email as the workflow for important financial processes. If you want to change your direct deposit information, for example, it's terrible practice for the workflow.

**Leaders: Keep Communication Open**

I have one last piece of advice, and it's for leaders inside companies: don't act in such a way that people will mistake scammers for you. If you regularly email employees and ask for urgent favors while telling people to keep quiet about these requests and to not work through the official channels, you're increasing the odds that your company falls victim to such scams. On the other hand, if you create a company culture of transparency, you're making the company stronger and more resistant.

“An important step is to ensure that you're trying to foster a culture of open communication,” says Tokazowski. Many organizations are structured in a way that communication between various levels is minimized. In such organizations, Tokazowski says, “skip-level meetings” are helpful. This is a style of meeting where a senior manager meets with a middle manager's direct reports without the middle manager there—skipping a level in the hierarchy—to develop stronger paths of communication between all the levels.

Another thing leaders should keep in mind is how important it is to talk openly if your company falls victim to such a scam.

“The shame that people feel, regardless of the type of scam, feeling horrible, is part of how these scams keep working,” says Larson. “Talking about it openly helps the person, their peers, and their colleagues learn how to understand how to protect themselves.”

Source

Wired