Despite Cyber Army of Russia’s claims of swaying US “minds and hearts,” experts say the cyber sabotage group appears to be hyping its hacking for a domestic audience.

When the activities of Russian hacker groups are exposed in a major public report and tied to a government agency—such as the Russian military's Sandworm unit, which has targeted Ukrainian electrical utilities to trigger three blackouts over the past decade, or the Russian foreign intelligence service's APT29, which is believed to have carried out the notorious SolarWinds supply chain attack—they tend to slink into the shadows and lay low until their next operation.

When the cybersecurity firm Mandiant last month highlighted the Cyber Army of Russia, by contrast, noting its haphazard attacks on Western critical infrastructure and the group's loose ties to the Russian military, the hackers took a very different approach. “Comrades, today the collective rotten West recognized us as the most reckless hacker group 🏆, on which I actually congratulate all of us 🎉," the group posted in Russian to its Telegram channel, along with a screenshot of WIRED's article about the hackers, in which we had described them with that “most reckless” superlative. “As long as they are afraid of us, let them hate us as much as they want.”

After that initial, less-than-friendly exchange of ideas, WIRED reached out to Cyber Army of Russia's Telegram account to continue the conversation. So began a strange, two-week-long interview with the group's spokesperson, “Julia," represented by an apparently AI-generated image of a woman standing in front of Red Square's St. Basil's Cathedral. Over days of intermittent Telegram messages, often interspersed with unsolicited Russian nationalist political talking points, Julia answered WIRED's questions—or at least some of them—laid out the group's ethos and motivations, and explained the rationale for the hackers' months-long cyber sabotage rampage, which initially focused on Ukrainian networks but has more recently included an unprecedented string of attacks hitting US and European water and wastewater systems.

An apparently AI-generated profile photo for “Julia,” the spokesperson for the Cyber Army of Russia on Telegram, whom WIRED interviewed.

Courtesy of RUSSIAN CYBER ARMY TEAM via Telegram

“We have united with the goal and mission of protecting our country in the information space against the background of unprecedented pressure from the United States, the European Union and Ukraine,” Julia wrote in a long opening statement in response to WIRED's questions.

“Our movement finds and hits the vulnerabilities of the Internet resources of both Ukraine and the countries that openly support the gang of terrorists and extremists, led by Zelensky, who are entrenched in power in Kiev,” Julia continued, using a typical Russian government description of the Ukrainian regime that has, in fact, led the defense against a brutal and unprovoked Russian invasion since 2022 that has led to close to 500,000 dead or wounded. “The most important battle is going on here and now for the minds and hearts of people, both living in Russia and Ukraine, and outside the warring countries. And the main weapon in this battle is information technology.”

**Sending a Message to … Muleshoe?**

Whether or not it's winning hearts and minds, Cyber Army of Russia—which also at times calls itself the Cyber Army of Russia Reborn or People's Cyber Army of Russia—seems to at least be getting some of the attention it seeks. Last week, a group of government bodies including the US National Security Agency, the FBI, the Cybersecurity and Infrastructure Security Agency, the UK's National Cybersecurity Center, and several others issued a joint report warning of “Russian hacktivists” targeting so-called operational technology targets like control systems for water and wastewater utilities. The report warned that victims had “experienced minor tank overflow events” and other disruptions—although it noted the effects were temporary, and the hacktivists had historically exaggerated their hacking's impact.

Those agencies didn't name Cyber Army of Russia. But their warning followed another report from Mandiant that had highlighted the group by name, as well as its attacks on civilian critical infrastructure targets including multiple US-based water utilities and a Polish wastewater utility. In the case of the small West Texas town of Muleshoe, _The Washington Post_ subsequently reported that the group's manipulation of control systems had gone so far as to cause a leak of tens of thousands of gallons of water. In that case and several others, Cyber Army of Russia even posted to the group's Telegram account a screen-capture video of the hacking. In their attack on the Polish wastewater facility, for instance, they set the video to a _Super Mario Bros_. soundtrack.

So what is the endgame of the group's trollish acts of sabotage? “Our actions on attacks and hacks of websites and computer systems for remote control of mechanisms … is a really powerful and in some cases very effective method of influencing (and not only psychological) the authorities of the countries of Europe and the USA, as well as their regional authorities,” Cyber Army of Russia's representative Julia told WIRED. “With these attacks we are trying to send the following message to the US authorities: If you continue to supply military equipment and make financial injections into the leadership of Ukraine … be prepared for the fact that in any of your settlements, in any industrial system or at a critical infrastructure facility, something may suddenly fail.”

Yet as unprecedented and disturbing as it may be for a Russian hacker group to trigger a significant water leak at a US utility, Cyber Army of Russia still seems at times to comically overestimate the clarity of its threat against Ukraine's allies. In response to a question about the Muleshoe water utility attack specifically, Julia noted that the group's operation is intended to persuade “mainly representatives of the Democratic Party \[because\] their support for Ukraine is the most significant"—a head-scratching statement given that Muleshoe is in a Texas congressional district that hasn't elected a Democratic representative since 1982.

In other hacking operations like its targeting of a Polish wastewater utility, cybersecurity researchers who watched the video of the attack told WIRED that Cyber Army of Russia appeared to be arbitrarily changing values in the utility's control system software, with no actual disruptive effect. In another case, the hackers posted a video to their Telegram channel claiming that, in response to French president Emmanuel Macron's threat of sending French military personnel to Ukraine, it had hacked a French hydroelectric dam and caused it to stop generating power. In fact, French newspaper _Le Monde_ reported, the group had actually hacked a water mill in a small village and caused its water level to drop by 20 centimeters.

When WIRED pointed out this mistake to Julia, she acknowledged the error but wrote that the group was undeterred by the setback. “It would be correct to consider it experimental,” she wrote of the attempted dam-hacking operation. “In other words, as it often happens in life, the real result did not match the expectation at all. However, we are not very saddened by this fact, there are many hydroelectric power plants in France, so we will still have the opportunity to gain more experience to commit more large-scale sabotage.”

Despite this relatively amateurish track record, Mandiant pointed in its report to evidence linking Cyber Army of Russia to the hacker group known as Sandworm, a cyberwarfare unit of Russia's military intelligence agency the GRU tied to many of Russia's most disruptive cyberattacks of the last decade. Cyber Army of Russia's short-lived YouTube channel, for instance, was created from a computer with an IP address that Mandiant—itself a subsidiary of YouTube's owner Google—had previously tied to Sandworm. Over the last year, Cyber Army of Russia also repeatedly dumped data to its Telegram channel that appeared to have been stolen from Ukrainian hacking targets breached by Sandworm not long before.

When WIRED asked about those ties to Sandworm and the GRU, Julia denied them without directly addressing Mandiant's evidence. “Hundreds of people of different ages, different nationalities, different professions (not related to IT), different levels of computer literacy, different levels of financial wealth and political beliefs joined the ranks of the Cyber Army,” Julia wrote. “We emphasize that despite the fact that there are individual representatives of the Russian security forces in our ranks and some of our participants are professionals in the field of information security, we are a completely people's project that has nothing to do with the GRU, or with any other military special forces, or with hacker groups like Sandworm.”

She later added, somewhat confusingly, that “the Sandworm hacker group does have something in common \[with us\] … This is the commander-in-chief of our Cyber Army.” It wasn't clear, however, whether that comment was referring to a shared leader overseeing the two groups—or even a kind of imagined ideological leader such as Russian president Vladimir Putin—or whether Julia meant that Sandworm itself gives the Cyber Army its orders, in contradiction to her previous statements. Julia didn't respond to WIRED's requests for clarification on that question or, in fact, to any questions following that comment.

**A Hacktivist Hype Machine**

Russian information warfare and influence operations experts with whom WIRED shared the full text of the interview noted that, despite Cyber Army of Russia's claims of acting as an independent grassroots organization, it closely adheres to both Russian government talking points as well the Russian military's published information warfare doctrine. The group's rhetoric about changing “minds and hearts” beyond the front lines of a conflict through attacks targeting civilian infrastructure mirrors a well-known paper on “information confrontation” by Russian military general Valery Gerasimov, for instance. Other portions of Julia's comments—an unprompted polemic against “non-traditional sexual relations” and a description of Russia as a conservative cultural “Noah's Ark of the 21st century”—echo similar statements made by Russian leaders and Russian state media.

None of that proves that Cyber Army of Russia has anything more than the thin ties to the GRU that Mandiant uncovered, says Gavin Wilde, a Russia-focused senior fellow at the Carnegie Endowment for International Peace. He argues instead that the group's comments appear to be an attempt to score points with a potential government sponsor, perhaps in the hopes of gaining a more official relationship. “They're really trying to hone their messaging, but not for a Western audience, necessarily, so much as to try to put points on the board domestically and with potential political or financial benefactors in Moscow,” he says.

At one point in the interview with WIRED, in fact, Julia explicitly voiced that request for more official government support. “I really hope that the People's Cyber Army of Russia will have great prospects, that our government agencies will not just pay attention to us, but support our actions, both financially and through the formation of full-fledged cyber troops as part of the Russian Armed Forces,” she wrote.

Outside of the conversation with WIRED, Cyber Army of Russia posts to its Telegram channel in Russian, not English—a strange move for a group that claims to be trying to influence Western politics in its favor. Other Russian influence operations created by the GRU itself, such as the Guccifer 2.0 and DCLeaks fronts created to influence the 2016 presidential election, wrote in English. Even other “hacktivist” groups targeting civilian critical infrastructure, such as Israel-linked Predatory Sparrow, take credit for their attacks in the language of their targets—in Predatory Sparrow's case, posting to Telegram in Persian in an apparent attempt to influence Iranians.

All of that suggests that, despite its claims, Cyber Army of Russia may be currently functioning more as a cheerleading campaign for Russians domestically than a real influence operation targeting the West, says Olga Belogolova, a Russia-focused influence operations researcher at the Johns Hopkins School of Advanced International Studies. If the group is as grassroots and decentralized as it claims to be, it may not even be aware of that disconnect. “These patriotic keyboard warrior types are going to try to curry favor with the government, but they also might be true believers of these talking points,” says Belogolova, adding that the group's Telegram account “feels like a marketing exercise or a tech bro hype machine.”

She points out, though, that the group's exposure by Mandiant and an alert from a half-dozen government agencies suggests that, regardless of the group's intended audience, it's now on Americans' radar, too. As it gains the West's attention, she notes, we shouldn't overblow the threat it represents—and in doing so succumb to its hit-and-miss attempts at instilling fear through its disruptive hacking.

“The more time I spend working on Russia and Russian influence operations,” Belogolova says, "the more I've become a believer that they're very into just hyping themselves up. And then we sometimes fall for the hype, too.”

A (Strange) Interview the Russian-Military-Linked Hackers Targeting US Water Utilities

Law enforcement officials say they’ve identified, sanctioned, and indicted the person behind LockBitSupp, the administrator at the heart of LockBit’s $500 million hacking rampage.

“He did not simply take money for himself, but he reinvested it into developing his operation and making it more desirable to criminals,” DiMaggio says. Throughout the lifecycle of the LockBit group, two major updates and releases of its malware happened, with each more capable and easier to use than the last. Analysis from the law enforcement operation by security company Trend Micro shows it was working on a new version too.

DiMaggio says the person he was speaking to privately using the LockBitSupp moniker was “arrogant” but “all business and very serious”—aside from sending cat stickers as part of chats. Publicly, on Russian language cybercrime forums where hackers trade data and discuss hacking politics and news, LockBitSupp was entirely different, DiMaggio says.

“The persona he amplified on the Russian hacking forums was a mix of a supervillain and Tony Montana from _Scarface_,” DiMaggio says. “He flaunted his success and money, and it rubbed people the wrong way at times.”

In addition to setting a bounty on their own identity, LockBitSupp’s more innovative and erratic side also organized an essay-writing competition on the hacking forums, offered a “bug bounty” if people found flaws in LockBit’s code, and said they would pay $1,000 to anyone who got the LockBit logo as a tattoo. Around 20 people posted pictures and videos of their tattoos.

Soon after law enforcement claimed to have revealed LockBitSupp’s identity, DiMaggio published new research about Khoroshev. Using a tip he received, plus open source intelligence and leaked information on the dark web, DiMaggio found social media profiles and extra personal information believed to be linked to the Russian national.

“He owns several legitimate businesses, also based out of Voronezh, drives a Mercedes, and previously owned a Mazda 6, not a lambo as he often boasts,” DiMaggio writes in the research. One of the email addresses included in the sanctions has links to a Russia-based e-commerce business registered in the name of Khoroshev, he writes. Several other emails and phone numbers were connected to these details, DiMaggio's research says.

LockBitSupp was banned from two prominent Russian-language cybercrime forums in January after a complaint was made about their behavior. “They’ve made partners, supporters, haters, and fans over the years,” says Victoria Kivilevich, director of threat research at security firm KELA.

Analysis of cybercrime forums by Kivilevich shows the Russian-language ecosystems had mixed responses, including surprise when LockBit was first compromised by law enforcement. “Users gloating that LockBit finally failed and got what he deserved, making references to his statements where he bragged how \[about how\] LockBit ‘RaaS’ is secure and better than any other operations,” Kivilevich says.

Other forum users questioned the technical decisions of LockBitSupp and whether they had collaborated with law enforcement, the researcher says. There were forum users who reacted neutrally, “mostly saying the operation won’t affect LockBit much and the operation will continue to exist,” Kivilevich says.

**Downfall**

After Operation Cronos took LockBit offline in February, it took LockBitSupp only five days to create replica versions of the group’s leak site. The website then started to be filled with apparent victims; it seemed like the LockBit group hadn’t been impacted by having all of its internal secrets accessed by police around the world.

These recently posted victims aren’t what they seem, though, multiple experts say. “The actual law enforcement intervention has been significant,” says Matt Hull, the global head of threat intelligence at cybersecurity firm NCC Group. The NCA says the number of LockBit affiliates has dropped to 69 since its February takedown, while the DOJ indictment says LockBit’s victim count has “greatly diminished” since then.

The Alleged LockBit Ransomware Mastermind Has Been Identified

The iPhone maker has detected spyware attacks against people in more than 150 countries. Knowing if your device is infected can be tricky—but there are a few steps you can take to protect yourself.

All that needs to happen is, the victim receives an iMessage with an attachment containing a zero-click exploit. “Without any further interaction, the message triggers a vulnerability, leading to code execution for privilege escalation and providing full control over the infected device,” says Boris Larin, principal security researcher at Kaspersky's Global Research & Analysis Team.

Once the attacker establishes their presence on the device, he says, the message is automatically deleted.

**Rise of Pegasus**

The most prominent and well-known spyware is Pegasus, made by Israeli firm NSO Group to target vulnerabilities in iOS and Android software.

Spyware only exists because of vendors such as NSO Group, which claims it sells exploits to governments only to hunt criminals and terrorists. “Any customers, including governments in Europe and North America, agree not to disclose those vulnerabilities,” says Richard Werner, cybersecurity advisor at Trend Micro.

Despite NSO Group’s claims, spyware has continued to target journalists, dissidents, and protesters. Saudi journalist and dissident Jamal Khashoggi’s wife, Hanan Elatr, was allegedly targeted with Pegasus before his death. In 2021, _New York Times_ reporter Ben Hubbard learned his phone had been targeted twice with Pegasus.

Pegasus was silently implanted onto the iPhone of Claude Magnin, the wife of the political activist Naama Asfari, who was jailed and allegedly tortured in Morocco. Pegasus has also been used to target pro-democracy protesters in Thailand, Russian journalist Galina Timchenko, and UK government officials.

In 2021, Apple filed a lawsuit against NSO Group and its parent company to hold it accountable for “the surveillance and targeting of Apple users.”

The case is still ongoing, with NSO Group attempting to dismiss the lawsuit, but experts say the problem is not going to go away as long as spyware vendors are able to operate.

David Ruiz, senior privacy advocate at security firm Malwarebytes, blames “the obsessive and oppressive operators behind spyware, who compound its danger to society.”

**The Spyware Drain**

If you think you may be targeted by spyware, there are only a few useful things you can do. First, enable Apple's Lockdown Mode, which disables certain features but is surprisingly usable and can protect your iPhone from getting infected in the first place. Second, if you suspect your device is already infected, helplines are available to aid you in removing spyware, such as Access Now’s Digital Security Helpline and Amnesty International’s Security Lab.

Detecting spyware can be extremely challenging—and for sophisticated spyware like Pegasus, discovering an infection on your own is all but impossible. There are less-sophisticated types of spyware that can cause unusual behavior, such as your battery draining quickly, unexpected shutdowns, or high data usage could be indicative of some types of infections, says Javvad Malik, lead security awareness advocate at security training organization KnowBe4. While specific apps claim to spot spyware, their effectiveness can vary, and professional assistance is often necessary for reliable detection, he says.

Apple’s iPhone Spyware Problem Is Getting Worse. Here’s What You Should Know

Plus: An assassination plot, an AI security bill, a Project Nimbus revelation, and more of the week’s top security news.

This week, WIRED reported that a group of prolific scammers known as the Yahoo Boys are openly operating on major platforms like Facebook, WhatsApp, TikTok, and Telegram. Evading content moderation systems, the group organizes and engages in criminal activities that range from scams to sextortion schemes.

On Wednesday, researchers published a paper detailing a new AI-based methodology to detect the “shape” of suspected money laundering activity on a blockchain. The researchers—composed of scientists from the cryptocurrency tracing firm Elliptic, MIT, and IBM—collected patterns of bitcoin transactions from known scammers to an exchange where dirty crypto could get turned into cash. They used this data to train an AI model to detect similar patterns.

Governments and industry experts are sounding the alarm about the potential for major airline disasters due to increasing attacks against GPS systems in the Baltic region since the start of the war in Ukraine. The attacks can jam or spoof GPS signals, and can result in serious navigation issues. Officials in Estonia, Latvia, and Lithuania blame Russia for the GPS issues in the Baltics. Meanwhile, WIRED went inside Ukraine’s scrappy and burgeoning drone industry, where about 200 companies are racing to build deadlier and more efficient autonomous weapons.

An Australian firm that provided facial recognition kiosks for bars and clubs appears to have exposed the data of more than 1 million records of patrons. The episode highlights the dangers of giving companies your biometric data. In the United States, the Biden administration is asking tech companies to sign a voluntary pledge to make “good-faith” efforts to implement critical cybersecurity improvements. This week we also reported that the administration is updating its plan for protecting the country’s critical infrastructure from hackers, terrorists, and natural disasters.

And there’s more. Each week, we highlight the news we didn’t cover in depth ourselves. Click on the headlines below to read the full stories. And stay safe out there.

**How Israeli Weapons Firms Use Amazon and Google**

A government procurement document unearthed by The Intercept reveals that two major Israeli weapons manufacturers are required to use Google and Amazon if they need any cloud-based services. The reporting calls into question repeated claims from Google that the technology it sells to Israel is not used for military purposes—including the ongoing bombardment of Gaza that has killed more than 34,000 Palestinians. The document contains a list of Israeli companies and government offices “required to purchase” any cloud services from Amazon and Google. The list includes Israel Aerospace Industries and Rafael Advanced Defense Systems, the latter being the manufacturer of the infamous “Spike” missile, reportedly used in the April drone strike that killed seven World Central Kitchen aid workers.

In 2021, Amazon and Google entered into a contract with the Israeli government in a joint venture known as Project Nimbus. Under the arrangement, the tech giants provide the Israeli government, including its Israel Defense Forces, with cloud services. In April, Google employees protested Project Nimbus by staging sit-ins at offices in Silicon Valley, New York City, and Seattle. The company fired nearly 30 employees in response.

A mass surveillance tool that eavesdrops on wireless signals emitted from smartwatches, earbuds, and cars is currently being deployed at the border to track people’s location in real time, a report from Notus revealed on Monday. According to its manufacturer, the tool, TraffiCatch, associates wireless signals broadcast by commonly used devices with vehicles identified by license plate readers in the area. A captain from the sheriff’s office in Webb County, Texas—whose jurisdiction includes the border city of Laredo—told the publication that the agency uses TraffiCatch to detect devices in areas where they shouldn’t be, for instance, to find trespassers.

Several states require law enforcement agencies to obtain warrants before deploying devices that mimic cell towers to obtain data from the devices tricked into connecting to it. But in the case of TraffiCatch, a technology that passively siphons ambient wireless signals out of the air, the courts haven’t yet weighed in. The report highlights how signals intelligence technology, once exclusive to the military, is now available for purchase by both local governments and the general public.

**An Indian Assassination Plot in America**

_The Washington Post_ reports that an officer in India's intelligence service, the Research and Analysis Wing, was allegedly involved in a botched plan to assassinate one of Indian prime minister Narendra Modi's top critics in the United States. The White House said Monday that it was taking the matter "very, very seriously," while India's foreign ministry blasted the _Post_ report as "unwarranted" and "not helpful." The alleged plot to murder the Sikh separatist, Gurpatwant Singh Pannun, a dual citizen of the United States and Canada, was first disclosed by US authorities in November.

Canadian authorities previously announced having obtained "credible" intel allegedly linking the Indian government to the death of another separatist leader, Hardeep Singh Nijjar, who was shot to death outside a Sikh temple in a Vancouver suburb last summer.

**An AI Security Bill Emerges**

US lawmakers have introduced a bill aimed at establishing a new wing of the National Security Agency dedicated to investigating threats aimed at AI systems—or "counter-AI." The bipartisan bill, introduced by Mark Warner and Thom Tillis, a Senate Democrat and Republican, respectively, would further require agencies including the National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA) to track breaches of AI systems, whether successful or not. (The NIST currently maintains the National Vulnerability Database, a repository for vulnerability data, while the CISA oversees the Common Vulnerabilities and Exposures Program, which similarly identifies and catalogues publicly disclosed malware and other threats.)

The Senate bill, known as the Secure Artificial Intelligence Act, aims to expand the government's threat monitoring to include "adversarial machine learning"—a term that is essentially synonymous with "counter-AI"—which serves to subvert AI systems and “poison” their data using techniques vastly dissimilar to traditional modes of cyberwarfare.

A New Surveillance Tool Invades Border Towns

“Yahoo Boy” cybercriminals are openly running dozens of scams across Facebook, WhatsApp, Telegram, TikTok, YouTube, and more.

Most scammers and cybercriminals operate in the digital shadows and don’t want you to know how they make money. But that’s not the case for the Yahoo Boys, a loose collective of young men in West Africa who are some of the web’s most prolific—and increasingly dangerous—scammers.

Thousands of people are members of dozens of Yahoo Boy groups operating across Facebook, WhatsApp, and Telegram, a WIRED analysis has found. The scammers, who deal in types of fraud that total hundreds of millions of dollars each year, also have dozens of accounts on TikTok, YouTube, and the document-sharing service Scribd that are getting thousands of views.

Inside the groups, there’s a hive of fraudulent activity with the cybercriminals often showing their faces and sharing ways to scam people with other members. They openly distribute scripts detailing how to blackmail people and how to run sextortion scams—that have driven people to take their own lives—sell albums with hundreds of photographs, and advertise fake social media accounts. Among the scams, they’re also using AI to create fake “nude” images of people and real-time deepfake video calls.

The Yahoo Boys don’t disguise their activity. Many groups use “Yahoo Boys” in their name as well as other related terms. WIRED’s analysis found 16 Yahoo Boys Facebook groups with almost 200,000 total members, a dozen WhatsApp channels, around 10 Telegram channels, 20 TikTok accounts, a dozen YouTube accounts, and more than 80 scripts on Scribd. And that’s just the tip of the iceberg.

Broadly, the companies do not allow content on their platforms that encourages or promotes criminal behavior. The majority of the Yahoo Boys accounts and groups WIRED identified were removed after we contacted the companies about the groups’ overt existence. Despite these removals, dozens more Yahoo Boys groups and accounts remain online.

“They’re not hiding under different names,” says Kathy Waters, the cofounder and executive director of the nonprofit Advocating Against Romance Scammers, which has tracked the Yahoo Boys for years. Waters says the social media companies are essentially providing the Yahoo Boys with “free office space” to organize and conduct their activities. “They’re selling scripts, selling photos, identifications of people, all online, all on the social media platforms,” she says. “Why these accounts still remain is beyond me.”

The Yahoo Boys aren’t a single, organized group. Instead, they’re a collection of thousands of scammers who work individually or in clusters. Often based in Nigeria, their name comes from formerly targeting users of Yahoo services, with links back to the Nigerian Prince email scams of old. Groups in West Africa can be often organized in various confraternities, which are cultish gangs.

“Yahoo is a set of knowledge that allows you to conduct scams,” says Gary Warner, the director of intelligence at DarkTower and director of the University of Alabama at Birmingham’s Computer Forensics Research Laboratory. While there are different levels of sophistication of Yahoo Boys, Warner says, many simply operate from their phones. “Most of these threat actors are only using one device,” he says.

The Yahoo Boys run dozens of scams—from romance fraud to business email compromise. When making contact with potential victims, they’ll often “bomb” people by sending hundreds of messages to dating app accounts or Facebook profiles. “They will say anything they can in order to get the next dime in their pocket,” Waters says.

Searching for the Yahoo Boys on Facebook brings up two warnings: Both say the results may be linked to fraudulent activity, which isn’t allowed on the website. Clicking through the warnings reveals Yahoo Boy groups with thousands of members—one had more than 70,000.

Within the groups—alongside posts selling SIM cards and albums with hundreds of pictures—many of the scammers push people toward other messaging platforms such as Meta’s WhatsApp or Telegram. Here, the Yahoo Boys are at their most bold. Some groups and channels on the two platforms receive hundreds of posts per day and are part of their wider web of operations.

After WIRED asked Facebook about the 16 groups we identified, the company removed them, and some WhatsApp groups were deactivated. “Scammers use every platform available to them to defraud people and constantly adapt to avoid getting caught,” says Al Tolan, a Meta spokesperson. They did not directly address the accounts that were removed or that they were easy to find. “Purposefully exploiting others for money is against our policies, and we take action when we become aware of it,” Tolan says. “We continue to invest in technology and cooperate with law enforcement so they can prosecute scammers. We also actively share tips on how people can protect themselves, their accounts, and avoid scams.”

Groups on Telegram were removed after WIRED messaged the company’s press office; however, the platform did not respond about why it had removed them.

Across all types of social media, Yahoo Boys scammers share “scripts” that they use to socially manipulate people—these can run to thousands of words long and can be copied and pasted to different victims. Many have been online for years. “I’ve seen some scripts that are 30 and 60 layers deep, before the scammer actually would have to go and think of something else to say,” says Ronnie Tokazowski, the chief fraud fighter at Intelligence for Good, which works with cybercrime victims. “It’s 100 percent how they'll manipulate the people,” Tokazowski says.

Among the many scams, they pretend to be military officers, people offering “hookups,” the FBI, doctors, and people looking for love. One “good morning” script includes around a dozen messages the scammers can send to their targets. “In a world full of deceit and lies, I feel lucky when see the love in your eyes. Good morning,” one says. But things get much darker.

The Yahoo Boys have been behind a recent wave of sextortion across the United States and elsewhere, says Paul Raffile, an intelligence analyst at the Network Contagion Research Institute who is closely tracking the criminals. Broadly speaking, during sextortion, a scammer will use intimate or explicit images to try to get someone to pay them money. “The Yahoo Boys are the principal threat actor behind the surge of sextortion that we’re seeing over the past 18 months,” Raffile says. “They are responsible for forcing dozens of teens to suicide.”

In a series of posts in one Telegram channel, highlighted by Warner, who is also involved in Intelligence for Good, one cybercriminal can be seen walking others through how to run a sextortion scam. They say they tricked people into sharing nude images—posting screenshots of the conversation—and explained ways other people can replicate it. “Hey I am posting your naked pictures on social media and Facebook,” says a sample message cybercriminals could use. “Am not just posting it am sending copies of it to your area,” the message says, before demanding $700.

While the scripts like these are shared on all social media channels, WIRED found at least 80 on the document-sharing service Scribd. The company removed them after WIRED got in touch, with a spokesperson saying there are limits on what people can upload and that the company has automated and manual reviews to remove content. “We’re actively building out new capabilities to broaden the scope of content moderation coverage to include a wider range of concerning text and image violations,” the spokesperson says. Some of the scripts had been online since 2020, and on pages where they were removed a “reading suggestions” section recommended other scam scripts.

Raffile says the Yahoo Boys have been able to “thrive” online “due to lack of moderation around all the illicit material” that they’re sharing. “They’re acting with impunity because they feel they will never get caught,” Raffile says.

Beyond the messaging platforms, the Yahoo Boys have a presence on TikTok and YouTube. “We design our app to be inhospitable to those who seek to exploit our community and we’ve removed this content for violating our policies,” a TikTok spokesperson says.

“Our policies prohibit spam, scams, or other deceptive practices that take advantage of the YouTube community,” a YouTube spokesperson says. “We also prohibit videos that encourage illegal or dangerous activities. As such, we have terminated the flagged channels for violating our policies and our terms of service.” They add that the company removed accounts for breaching policies about harmful content, spam, and generally violating its terms of service.

The accounts posted tutorials about how to scam people, link to groups on messaging apps, and promote technology for fake video calls. On TikTok, multiple accounts include carousels of images that the scammers can use in their efforts to create believable personas. Some of these include posts of elderly women for scammers who are in “need of grandma pictures for proof” of their fake identities and others for scammers who “need kids pics” for their victims.

As well as being a threat to thousands of people around the world, the Yahoo Boys can be quick to adopt new technologies. David Maimon, a professor at Georgia State University and the head of fraud insights at the identity-verification firm SentiLink, has monitored Yahoo Boys for years and says their techniques have evolved alongside new technologies.

“To build rapport with victims, the fraudsters first used text messages, then started sending recorded audio messages, to now using deepfake tools to communicate with victims live,” Maimon says. “On some of the markets we now also see the use of cloned voices. It is now accompanied with sending physical items to victims such as presents, food deliveries, and flowers.” Within some groups, they use “nudification” tools to turn photos of people clothed into nude photos, and deepfake video calls.

While the Yahoo Boys have been active for years, all the experts spoken to for this piece say they should be treated more seriously by social media companies and law enforcement. “It’s time that we start looking at Yahoo Boys as a dangerous organization, transnational organized crime, and start giving it some of those labels,” Raffile says.

These Dangerous Scammers Don’t Even Bother to Hide Their Crimes

Outabox, an Australian firm that scanned faces for bars and clubs, suffered a breach that shows the problems with giving companies your biometric data.

Police and federal agencies are responding to a massive breach of personal data linked to a facial recognition scheme that was implemented in bars and clubs across Australia. The incident highlights emerging privacy concerns as AI-powered facial recognition becomes more widely used everywhere from shopping malls to sporting events.

The affected company is Australia-based Outabox, which also has offices in the United States and the Philippines. In response to the Covid-19 pandemic, Outabox debuted a facial recognition kiosk that scans visitors and checks their temperature. The kiosks can also be used to identify problem gamblers who enrolled in a self-exclusion initiative. This week, a website called “Have I Been Outaboxed” emerged, claiming to be set up by former Outabox developers in the Philippines. The website asks visitors to enter their name to check whether their information had been included in a database of Outabox data, which the site alleges had lax internal controls and was shared in an unsecured spreadsheet. It claims to have more than 1 million records.

The incident has rankled privacy experts who have long set off alarm bells over the creep of facial recognition systems in public spaces such as clubs and casinos.

“Sadly, this is a horrible example of what can happen as a result of implementing privacy-invasive facial recognition systems,” Samantha Floreani, head of policy for Australia-based privacy and security nonprofit Digital Rights Watch, tells WIRED. “When privacy advocates warn of the risks associated with surveillance-based systems like this, data breaches are one of them.”

According to the Have I Been Outaboxed website, the data includes “facial recognition biometric, driver licence \[sic\] scan, signature, club membership data, address, birthday, phone number, club visit timestamps, slot machine usage.” It claims Outabox exported the “entire membership data” of IGT, a supplier of gambling machines. IGT vice president of global communications Phil O’Shaughnessy tells WIRED that “the data affected by this incident has not been obtained from IGT,” and that the firm would work with Outabox and law enforcement.

The website’s owners posted a photo, signature, and redacted driver license belonging to one of Outabox’s founders, as well as a redacted screenshot of the alleged internal spreadsheet. WIRED was unable to independently verify the identity of the website’s owners or the authenticity of the data they claimed to have. An email sent to an address on the website was not returned.

"Outabox is aware and responding to a cyber incident potentially involving some personal information,” an Outabox spokesperson tells WIRED. “We have been in communication with a group of our clients to inform them and outline our strategy to respond. Due to the ongoing Australian police investigation, we are not able to provide further information at this time.”

The New South Wales police force confirmed to WIRED that it was investigating a data breach on Wednesday, but a spokesperson declined to share further details. On Thursday, the force announced that it, working alongside federal and state agencies, had arrested an unnamed 46-year-old man in a Sydney suburb. He is expected to be charged with blackmail.

Clubs that used Outabox’s technology posted announcements about the incident and notified clients this week. One person who posted a breach notification from a club they visited recounted their experience with the facial recognition system. “My fondest memory of this system is visiting a club and having it confidently match my face to a member that was clearly 20+ years older than me, and looked nothing like me,” they wrote in a post on X. The club did not respond to a request for comment.

The Have I Been Outaboxed website, which is still online at the time of writing, alleges that Outabox stopped paying its developers in the Philippines. AI companies frequently employ low-cost overseas labor, including in the Philippines, to power their systems. The website encourages anybody whose data is included in the breach to contact venues and ask that they remove Outabox’s system. The site, which was set up last week according to online records, lists 19 venues. WIRED searched the database for prominent Australians including politicians, and it returned redacted results listing their name and the venues they allegedly attended.

“We are aware of a malicious website carrying a number of false statements designed to harm our business and defame our senior staff,” the Outabox spokesperson says. “We believe this is linked and urge people not to repeat false and reputationally damaging misinformation.” Outabox declined to specify which statements are false, citing the police investigation.

It’s unclear how much of the story told on the website is true, or whether the perpetrators even have the claimed biometric data. Australian cybersecurity expert Troy Hunt, founder of the breach notification website Have I Been Pwned, tells WIRED that there is little reason to doubt it at this time.

“I haven’t seen any reason not to take this at face value, which means they have exactly what they say they have,” he says. In posts on X, Hunt speculated that the website’s posting may have been preceded by demands that were not met, and that the perpetrators’ actions now “clearly land” in the realm of criminality.

“Offshoring is a messy discussion between the legalities of data sovereignty, perceived shortcomings of foreign labor, and frankly, a big dose of xenophobia,” Hunt says. “It’s not like Aussie developers doing exactly the same thing would have made this OK.”

Floreani of Digital Rights Watch says that the incident illustrates the “significant negative consequences” that can arise from collecting sensitive biometric data. “We need bold privacy reform and strict limitations on facial recognition technology,” she says. “As always, surveillance isn’t safety.”

The Breach of a Face Recognition Firm Reveals a Hidden Danger of Biometrics

Ukraine needs small drones to combat Russian forces—and is bootstrapping its own industry at home.

Inside Ukraine’s Killer-Drone Startup Industry

The Biden administration is asking tech companies to sign a pledge, obtained by WIRED, to improve their digital security, including reduced default password use and improved vulnerability disclosures.

The pledge offers examples of how companies can meet the goals, although it notes that companies “have the discretion to decide how best” to do so. The document also emphasizes the importance of companies publicly demonstrating “measurable progress” on their goals, as well as documenting their techniques “​​so that others can learn.”

CISA developed the pledge in consultation with tech companies, seeking to understand what would be feasible for them while also meeting the agency’s goals, according to Goldstein. That meant making sure the commitments were feasible for companies of all sizes, not just Silicon Valley giants.

The agency originally tried using its Joint Cyber Defense Collaborative to prod companies into signing the pledge, according to the tech industry official, but that backfired when companies questioned the use of an operational cyberdefense collaboration group for “a policy and legal issue,” the industry official says.

“Industry expressed frustration about trying to use the JCDC to obtain pledges,” the official says, and CISA “wisely pulled back on that effort.”

CISA then held discussions with companies through the Information Technology Sector Coordinating Council and tweaked the pledge based on their feedback. Originally, the pledge contained more than seven goals, and CISA wanted signatories to commit to “firm metrics” for showing progress, according to the industry official. In the end, this person says, CISA removed several goals and “broadened the language” about measuring progress.

John Miller, senior vice president of policy, trust, data, and technology at the Information Technology Industry Council, a major industry trade group, says that change was smart, because concrete progress metrics—like the number of users using multi-factor authentication—could be “easily misconstrued.”

Goldstein says the number of pledge signatories is “exceeding my expectations about where we’d be” at this point. The industry official says they’re not aware of any company that has definitively refused to sign the pledge, in part because vendors want to “keep open the option of signing on” after CISA’s launch event at RSA. “Everyone’s in a kind of wait-and-see mode.”

Legal liability is a top concern for potential signatory companies. “If there ends up being, inevitably, some type of security incident,” Miller says, “anything \[a\] company has said publicly could be used in lawsuits.”

That said, Miller predicts that some global companies facing strict new European security requirements will sign the US pledge to “get that credit” for something they already have to do.

CISA’s Secure by Design campaign is the centerpiece of the Biden administration’s ambitious plan to shift the burden of cybersecurity from users to vendors, a core theme of the administration’s National Cybersecurity Strategy. The push for corporate cyber responsibility follows years of disruptive supply-chain attacks on critical software makers like Microsoft, SolarWinds, Kaseya, and Change Healthcare, as well as a mounting list of widespread software vulnerabilities that have powered ransomware attacks on schools, hospitals, and other essential services. White House officials say the pattern of costly and often preventable breaches demonstrates the need for increased corporate accountability.

The US Government Is Asking Big Tech to Promise Better Cybersecurity

Blockchain analysis firm Elliptic, MIT, and IBM have released a new AI model—and the 200-million-transaction dataset it's trained on—that aims to spot the “shape” of bitcoin money laundering.

One task where AI tools have proven to be particularly superhuman is analyzing vast troves of data to find patterns that humans can't see, or automating and accelerating the discovery of those we can. That makes Bitcoin's blockchain, a public record of nearly a billion transactions between pseudonymous addresses, the perfect sort of puzzle for AI to solve. Now, a new study—along with a vast, newly released trove of crypto crime training data—may be about to trigger a leap forward in automated tools' ability to suss out illicit money flows across the Bitcoin economy.

On Wednesday, researchers from cryptocurrency tracing firm Elliptic, MIT, and IBM published a paper that lays out a new approach to finding money laundering on Bitcoin's blockchain. Rather than try to identify cryptocurrency wallets or clusters of addresses associated with criminal entities such as dark-web black markets, thieves, or scammers, the researchers collected patterns of bitcoin transactions that led from one of those known bad actors to a cryptocurrency exchange where dirty crypto might be cashed out. They then used those example patterns to train an AI model capable of spotting similar money movements—what they describe as a kind of detector capable of spotting the “shape” of suspected money laundering behavior on the blockchain.

Now, they're not only releasing an experimental version of that AI model for detecting bitcoin money laundering but also publishing the training data set behind it: a 200-million transaction trove of Elliptic's tagged and classified blockchain data, which the researchers describe as the biggest of its kind ever to be made public by a thousandfold. “We're providing about a thousand times more data, and instead of labeling illicit wallets, we're labeling examples of money laundering which might be made up of chains of transactions,” says Tom Robinson, Elliptic's chief scientist and cofounder. “It's a paradigm shift in the way that blockchain analytics is used.”

Blockchain analysts have used machine learning tools for years to automate and sharpen their tools for tracing crypto funds and identifying criminal actors. In 2019, in fact, Elliptic already partnered with MIT and IBM to create a AI model for detecting suspicious money movements and released a much smaller data set of around 200,000 transactions that they had used to train it.

For this new research, by contrast, the same team of researchers took a much more ambitious approach. Rather than try to classify single transactions as legitimate or illicit, Elliptic analyzed collections of up to six transactions between Bitcoin address clusters it had already identified as illicit actors and the exchanges where those previously identified shady entities sold their crypto, positing that the patterns of transactions between criminals and their cashout points could serve as examples of money laundering behavior.

Working from that hypothesis, Elliptic assembled 122,000 of these so-called subgraphs, or patterns of known money laundering within a total data set of 200 million transactions. The research team then used that training data to create an AI model designed to recognize money laundering patterns across Bitcoin's entire blockchain.

As a test of their resulting AI tool, the researchers checked its outputs with one cryptocurrency exchange—which the paper doesn't name—identifying 52 suspicious chains of transactions that had all ultimately flowed into that exchange. The exchange, it turned out, had already flagged 14 of the accounts that had received those funds for suspected illicit activity, including eight it had marked as associated with money laundering or fraud, based in part on know-your-customer information it had requested from the account owners. Despite having no access to that know-your-customer data or any information about the origin of the funds, the researchers' AI model had matched the conclusions of the exchange's own investigators.

Correctly identifying 14 out of 52 of those customer accounts as suspicious may not sound like a high success rate, but the researchers point out that only 0.1 percent of the exchange's accounts are flagged as potential money laundering overall. Their automated tool, they argue, had essentially reduced the hunt for suspicious accounts to more than one in four. “Going from ‘one in a thousand things we look at are going to be illicit’ to 14 out of 52 is a crazy change,” says Mark Weber, one of the paper's coauthors and a fellow at MIT's Media Lab. “And now the investigators are actually going to look into the remainder of those to see, wait, did we miss something?”

Elliptic says it's already been privately using the AI model in its own work. As more evidence that the AI model is producing useful results, the researchers write that analyzing the source of funds for some suspicious transaction chains identified by the model helped them discover Bitcoin addresses controlled by a Russian dark-web market, a cryptocurrency “mixer” designed to obfuscate the trail of bitcoins on the blockchain, and a Panama-based Ponzi scheme. (Elliptic declined to identify any of those alleged criminals or services by name, telling WIRED it doesn't identify the targets of ongoing investigations.)

Perhaps more important than the practical use of the researchers' own AI model, however, is the potential of Elliptic's training data, which the researchers have published on the Google-owned machine learning and data science community site Kaggle. “Elliptic could have kept this for themselves,” says MIT's Weber. “Instead there was very much an open source ethos here of contributing something to the community that will allow everyone, even their competitors, to be better at anti-money-laundering.” Elliptic notes that the data it released is anonymized and doesn't contain any identifiers for the owners of Bitcoin addresses or even the addresses themselves, only the structural data of the “subgraphs” of transactions it tagged with its ratings of suspicion of money laundering.

That enormous data trove will no doubt inspire and enable much more AI-focused research into bitcoin money laundering, says Stefan Savage, a computer science professor at the University of California San Diego who served as adviser to the lead author of a seminal bitcoin-tracing paper published in 2013. He argues, though, that the current tool doesn't seem likely to revolutionize anti-money-laundering efforts in crypto in its current form, so much as serve as a proof of concept. “An analyst, I think, is going to have a hard time with a tool that's _kind_ of right sometimes,” Savage says. “I view this as an advance that says, ‘Hey, there's a thing here. More people should work on this.’”

Savage warns, though, that AI-based money-laundering investigation tools will likely raise new ethical and legal questions if they end up being used as actual criminal evidence—in part because AI tools often serve as a “black box” that provides a result without any explanation of how it was produced. “This is on the edge where people get uncomfortable in the same way they get uncomfortable about face recognition,” he says. “You can't quite explain how it works, and now you're depending on it for decisions that may have an impact on people's liberty.”

MIT's Weber counters that money laundering investigators have always used algorithms to flag potentially suspicious behavior. AI-based tools, he argues, just mean those algorithms will be more efficient and have fewer false positives that waste investigators' time and incriminate the wrong suspects. “This isn't about automation,” Weber says. “This is a needle-in-a-haystack problem, and we're saying let's use metal detectors instead of chopsticks.”

As for the research impact that Savage expects, he argues that even beyond blockchain analysis, Elliptic's training data is so voluminous and detailed that it may even help with other kinds of AI research into analogous problems like health care and recommendation systems. But he says the researchers do also intend their work to have a practical effect, enabling a new and very real way to hunt for patterns that reveal financial crime.

“We're hopeful that this is much more than an academic exercise,” Weber says, “that people in this domain can actually take this and run with it.”

A Vast New Data Set Could Supercharge the AI Hunt for Crypto Money Laundering

China's brain-computer interface technology is catching up to the US. But it envisions a very different use case: cognitive enhancement.

At a tech forum in Beijing last week, a Chinese company unveiled a “homegrown” brain-computer interface that allowed a monkey to seemingly control a robotic arm just by thinking about it.

In a video shown at the event, a monkey with its hands restrained uses the interface to move a robotic arm and grasp a strawberry. The system, developed by NeuCyber NeuroTech and the Chinese Institute for Brain Research, involves soft electrode filaments implanted in the brain, according to state-run news media outlet Xinhua.

Researchers in the US have tested similar systems in paralyzed people to allow them to control robotic arms, but the demonstration underscores China’s progress in developing its own brain-computer interface technology and vying with the West.

Brain-computer interfaces, or BCIs, collect and analyze brain signals, often to allow direct control of an external device, such as a robotic arm, keyboard, or smartphone. In the US, a cadre of startups, including Elon Musk’s Neuralink, are aiming to commercialize the technology.

William Hannas, lead analyst at Georgetown University’s Center for Security and Emerging Technology (CSET), says China is quickly catching up with the US in terms of its BCI technology. “They’re strongly motivated,” he says of the Asian superpower. “They're doing state-of-the-art work, or at least as advanced as anybody else in the world.”

He says China has typically lagged behind the US in invasive BCIs—that is, those that are implanted in the brain or on its surface—choosing instead to focus on noninvasive technology that’s worn on the head. But it’s quickly catching up on implantable interfaces, which are being explored for medical applications.

More concerning, though, is China’s interest in noninvasive BCIs for the general population. Hannas coauthored a report released in March that examines Chinese research on BCIs for nonmedical purposes.

“China is not the least bit shy about this,” he says, referring to ethical guidelines released by the Communist Party in February 2024 that include cognitive enhancement of healthy people as a goal of Chinese BCI research. A translation of the guidelines by CSET says, “Nonmedical purposes such as attention modulation, sleep regulation, memory regulation, and exoskeletons for augmentative BCI technologies should be explored and developed to a certain extent, provided there is strict regulation and clear benefit.”

The translated Chinese guidelines go on to say that BCI technology should avoid replacing or weakening human decisionmaking capabilities “before it is proven to surpass human levels and gains societal consensus, and avoid research that significantly interferes with or blurs human autonomy and self-awareness.”

These nonmedical applications refer to wearable BCIs that rely on electrodes placed on the scalp, also known as electroencephalography or EEG devices. Electrical signals from the scalp are much harder to interpret than those inside the brain, however, and there’s a huge effort in China to use machine learning techniques to improve analysis of brain signals, according to the CSET report.

A handful of US companies are also developing wearable BCIs that arguably fall under the category of cognitive enhancement. For instance, Emotiv of San Francisco and Neurable in Boston are starting to sell EEG headsets intended to improve attention and focus. The US Department of Defense has also funded research on wearable interfaces that could ultimately enable control of cyber-defense systems or drones by military personnel.

Source

Wired