US prosecutors have charged Michail Chkhikvishvili, also known as “Commander Butcher,” with a litany of crimes, including alleged attempts to poison Jewish children in NYC.

Federal prosecutors in Brooklyn on Tuesday unsealed a sweeping felony indictment against the 20-year-old they say is the head of a violent Eastern European skinhead gang implicated in a number of assaults and attacks abroad, some of them fatal. The gang, known asManiac Murder Cult or MKY, is connected to the com/764 pedophilia network, with at least one killing in Romania directly connected to MKY.

Michail Chkhikvishvili, otherwise known as “Commander Butcher,” “Michael,” and “Mishka,” was arrested on an Interpol warrant on July 6 in Chișinău, Moldova, for allegedly conspiring to solicit attacks on homeless people, Jews, and other racial minorities in New York City, distributing explosives-making instructions, and making violent threats in online conversations with an undercover FBI employee. One plot prosecutors say he concocted with the undercover fed involved poisoning Jewish children by handing out tainted candy while dressed as Santa Claus on New Year’s Eve 2023.

Chkhikvishvili remains in custody in Moldova—which has previously collaborated with the US on the extradition of noncitizens—and has yet to be extradited to the United States and make his first appearance in court. He has not been assigned an attorney. If convicted, he faces a potential sentence of decades in an American prison.

The feds allege that Chkhikvishvili tried to incite the undercover agent into additional attacks with either edged weapons or molotov cocktails and that he claimed that the planned attack would be a “bigger action than Breivik,” referring to Anders Breivik, the Norwegian neo-Nazi who killed 77 people in 2011.

According to the FBI, MKY adheres to a “neo-Nazi accelerationist ideology and promotes violence and violent acts against racial minorities, the Jewish community, and other groups it deems “Undesirables.” Much like other accelerationist militants such as the Atomwaffen Division and The Base, MKY seeks to destabilize society through violence and terrorism. It was founded in the Ukrainian city of Dnipro by Yegor Krasnov and is accused of many homicides and assaults in both Russia and Ukraine. In their Telegram channels, MKY members lionized in-person violence and distributed how-to guides on committing violent assaults and shootings, causing maximum harm to victims, and how perpetrators could cover their tracks. Committing and documenting such an attack is the criteria for admittance to MKY.

Courtesy of Department of Justice

There are extensive ties between MKY and 764. That alliance was developed by Chkhikvishvili himself, particularly through contact with two 764 members who went by the handles of “Xor” and “Kush,” both of whom remain unidentified. “Tobbz,” a troubled young German who killed an elderly woman and stabbed a man in 2022, had also joined MKY, according to reporting by Der Spiegel and Recorder.

The US Attorney’s office for New York’s Eastern District is also prosecuting two related cases: the child abuse and CSAM distribution case against 764 member Angel Almeida, whose Fall 2021 arrest was the feds’ first glimpse into the world of com, 764, and MKY; and the case against Nicholas Welker, the alleged former head of the neo-Nazi group Feuerkrieg Division, who was convicted in April for threatening a Brooklyn-based journalist. According to court records, Welker and Chkhikvishvili were in contact from July 2022 to March 2023, when Welker was arrested and charged.

Chkhikvishvili, a Georgian national, was present in the United States in 2022, according to an affidavit by FBI special agent Erica Dobin of the New York City Joint Terrorism Task Force. US authorities say he visited his girlfriend in California in March and April of that year, information the FBI learned after interviewing the young woman about her virulent neo-Nazi social media posts. Shortly thereafter, Chkhikvishvili traveled to Brooklyn, where he stayed with his grandparents and worked in a rehab facility taking care of an elderly Orthodox Jewish patient. “I’m working in rehab center privately in Jewish family,” he messaged another neo-Nazi in July 2022, according to the criminal complaint. “I get paid to torture dying jew, I think I almost killed him today.” The government says Chkhikvishvili sent multiple images of the patient to his fellow extremist. The patient died later that year, though the government does not allege that Chkhikvishvili caused his death.

It is unclear when Chkhikvishvili left the United States. Federal prosecutors give his place of residence as Tbilisi, Georgia, even though he was arrested in a Balkan country on the opposite side of the Black Sea.

In allegedly urging the undercover fed to commit acts of violence and record them, Chkhikvishvili repeatedly emphasized the lethal level of violence MKY members employed in their attacks, prosecutors say. “We murder they larp,” he allegedly wrote to another extremist while comparing MKY to another neo-Nazi group, referring to “live action role play.” Even while allegedly planning the mass poisoning scheme with the undercover FBI agent, prosecutors say, Chkhikvishvili did not shy away from the potential “heat” the undercover agent warned it would bring on MKY: “That’s what we exactly want,” he wrote in reply.

Alleged ‘Maniac Murder Cult’ Leader Indicted Over Plot to Kill Jews

After the Supreme Court limited the power of federal agencies to craft regulations, it’s likely up to Congress to keep US cybersecurity policy intact.

To protect America’s vital infrastructure from hackers without relying on a moribund Congress, the Biden administration bet big on creative uses of existing laws. But the Supreme Court probably blew up that approach.

President Joe Biden’s strategy relied on agencies interpreting the laws that give them regulatory powers to include cybersecurity, with the expectation that courts would defer to their interpretations of those laws under a decades-old legal doctrine known as Chevron deference.

But in a landmark case decided in late June, _Loper Bright Enterprises v. Raimondo_, the United States Supreme Court’s conservative supermajority eliminated Chevron deference and ordered courts to determine for themselves what ambiguous laws say—without assigning nearly as much weight to agencies’ interpretations.

Now, that controversial ruling could completely upend multiple agencies’ plans to require better cybersecurity from critical infrastructure entities like hospitals, water systems, and power plants. It could even help corporate America overturn existing rules aimed at keeping hackers off cloud platforms, securing pipelines and airports, and improving disclosures of major breaches.

“There’s the possibility of lawsuits to test the waters in a lot of regulations,” says Harley Geiger, counsel with the Center for Cybersecurity Policy and Law. “It definitely becomes much more difficult to regulate on critical infrastructure cybersecurity in areas where there is not sound or clear statutory backing.”

**Landmark Cyber Program Under Threat**

Biden’s marquee cyber regulation may also be his most endangered: a pending requirement for critical infrastructure organizations to report cyberattacks within 72 hours and ransomware payments within 24 hours.

The regulation, authorized by the 2022 Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), is meant to close massive gaps in the government’s awareness of the cyberattacks plaguing US companies every day. But when the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) released the proposed rule in April, the business community slammed it for going further than lawmakers intended. By the time the public comment period closed earlier this month, many companies and trade groups had urged CISA to pare back the rule—with some of them even citing the _Loper Bright_ ruling.

The criticism mostly focused on three aspects of the rule that could represent its biggest vulnerabilities in a future lawsuit: the definition of a “covered entity” subject to the reporting requirements, the definition of a “covered incident” that needs to be disclosed, and the list of information that needs to be reported. Businesses say CISA used much broader language for these three provisions than Congress intended.

“They have gone well beyond the text,” says one cybersecurity-focused attorney, who requested anonymity because they represent clients in disputes with federal agencies. “There's a lot of vulnerable aspects to it.”

Senate Homeland Security Committee chair Gary Peters, whose panel led the drafting of CIRCIA, added to the regulation’s legal peril when he filed a public comment saying that “the proposed rule is overbroad and needs additional clarity,” including on the definitions of covered incidents and covered entities. Peters’ objections are significant, because courts analyzing unclear laws will likely lean heavily on congressional intent.

It’s unclear if CISA will back down in the face of these headwinds. A spokesperson says the agency is “still assessing” the _Loper Bright_ ruling “and any potential impacts that this may have on the agency’s rulemaking actions.” The spokesperson says the final regulation will be “consistent with authorities given to us by Congress.”

CISA officials “seem quite committed to the scope that they're aiming for, because they really seem to view it as important to their mission,” says Stephen Lilley, a partner at the law firm Mayer Brown who focuses on cyber matters. Even so, he added, “CISA now has to be thinking, have we pushed too far in light of these recent decisions, and do we need to be a bit more modest in our ambitions?”

The consequences of a government retreat are hard to predict but potentially serious. Scaled-back CIRCIA requirements could exempt more companies from reporting or reduce the amount of information they have to report, easing the burden on those organizations but weakening the government’s understanding of digital threats.

Most experts predict only modest changes. “I would expect them to try to make as limited a reaction as their lawyers say they need to make,” Lilley says.

Still, it’s clear that the officials behind the government’s biggest-ever cyber regulation—due to be finalized by October 2025—are on notice.

“There's no way that CISA takes the next \[14\] months to develop this rule without considering the effect of _Loper Bright_ and the loss of Chevron deference,” Geiger says.

**Planes, Trains, and Cloud Services**

While CISA’s incident reporting mandate has attracted the lion’s share of post–_Loper Bright_ attention, the ruling threatens a host of other existing and pending cyber regulations.

The Department of Health and Human Services is working on a rule that would condition hospitals’ receipt of federal Medicare and Medicaid funding on their compliance with cyber requirements. The closely watched HHS rule represents the Biden administration’s attempt to stem a massive tide of ransomware attacks on hospitals and the rest of the health care sector. But the powerful hospital industry has objected to new mandates, saying they will overly burden already struggling facilities. Few details are known about the rule—including its exact legal basis—so it’s unclear whether HHS has been rewriting it to address _Loper Bright_.

Corporate America’s most-loathed cyber regulation is the Securities and Exchange Commission’s 2023 rule requiring publicly traded companies to announce cyber incidents with a “material” impact within four business days. That rule may be safe from new lawsuits, given the SEC’s clear legal authority to require the disclosure of information that materially affects stock prices. But Geiger says companies might instead challenge the SEC’s authority to penalize companies for hacks, since the underlying law and regulation don’t mention cybersecurity. (The SEC declined to comment for this story.)

Lawsuits could also hit the Transportation Security Administration over its cyber requirements for pipeline, rail, and aviation operators. The TSA significantly modified its emergency directives to address industry criticism, but as the agency codifies those directives in more formal rules, disgruntled companies could seize the chance to sue. “There’s not a history of that agency doing cyber, and there’s not a great statutory hook to point to,” says the cyber attorney, who cited “a lot of frustration” with the TSA’s “perpetual invocation of an ongoing but undescribed emergency” to justify the requirements. (The TSA declined to comment.)

The Commerce Department could hit a legal snag with its proposal to require cloud companies to verify their customers’ identities and report on their activities. The pending rule, part of an effort to clamp down on hackers’ misuse of cloud services, has drawn industry criticism for alleged overreach. A major tech trade group warned Commerce that its “proposed regulations risk exceeding the rulemaking authority granted by Congress.” (Commerce declined to comment.)

Lawsuits could also target other regulations—including data breach reporting requirements from the Federal Trade Commission, the Federal Communications Commission, and financial regulators—that rely on laws written long before policymakers were thinking about cybersecurity.

“A lot of the challenges where the agencies are going to be most nervous \[are\] when they’ve been interpreting something for 20 years or they newly have interpreted something that’s 30 years old,” says the cyber attorney.

The White House has already faced one major setback. Last October, the Environmental Protection Agency withdrew cyber requirements for water systems that industry groups and Republican-led states had challenged in court. Opponents said the EPA had exceeded its authority in interpreting a 1974 law to require states to add cybersecurity to their water-facility inspections, a strategy that a top White House cyber official had previously praised as “a creative approach.”

**All Eyes on Congress**

The government’s cyber regulation push is likely to run headlong into a judicial morass.

Federal judges could reach different conclusions about the same regulations, setting up appeals to regional circuit courts that have very different track records. “The judiciary itself is not a monolith,” says Geiger, of the Center for Cybersecurity Policy and Law. In addition, agencies understand cutting-edge tech issues much better than judges, who may struggle to parse the intricacies of cyber regulations.

There is only one real solution to this problem, according to experts: If Congress wants agencies to be able to mandate cyber improvements, it will have to pass new laws empowering them to do so.

“There is greater onus now on Congress to act decisively to help ensure protection of the critical services on which society relies,” Geiger says.

Clarity will be key, says Jamil Jaffer, the executive director of George Mason University’s National Security Institute and a former clerk to Supreme Court Justice Neil Gorsuch. “The more specific Congress gets, the more likely I think a court is to see it the same way an agency does.”

Congress rarely passes major legislation, especially with new regulatory powers, but cybersecurity has consistently been an exception.

“Congress moves very, very slowly, but it’s not completely passive \[on\] this front,” Lilley says. “There's a possibility that you will see meaningful cyber legislation in particular sectors if regulators are not able to move forward.”

One major question is whether this progress will continue if Republicans seize unified control of the government in November’s elections. Lilley is optimistic, pointing to the GOP platform’s invocation of securing critical infrastructure with heightened standards as “a national priority.”

“There's a sense across both sides of the aisle at this point that, certainly in some of the sectors, there has been some measure of market failure,” Lilley says, “and that some measure of government action will be appropriate.”

Regardless of who controls Capitol Hill next January, the Supreme Court just handed lawmakers a massive amount of responsibility in the fight against hackers.

“It's not going to be easy,” Geiger says, “but it's time for Congress to act.”

The US Supreme Court Kneecapped US Cyber Strategy

A hacker group called “NullBulge” says it stole more than a terabyte of Disney’s internal Slack messages and files from nearly 10,000 channels in an apparent protest over AI-generated art.

A group calling itself “NullBulge” published a 1.1-TB trove of data late last week that it claims is a dump of Disney's internal Slack archive. The data allegedly includes every message and file from nearly 10,000 channels, including unreleased projects, code, images, login credentials, and links to internal websites and APIs.

The hackers claim they got access to the data from a Disney insider and named the alleged collaborator. A person with that name who lists Disney as their current employer did not return WIRED's request for comment. Whether the hackers actually had inside help remains unconfirmed; they could also have plausibly used info-stealing malware to compromise an employee's account. Disney did not confirm the breach or return multiple requests for comment about the legitimacy of the stolen data. A Disney spokesperson told the Wall Street Journal that the company “is investigating this matter.”

The data, which appears to have been first published on Thursday, was posted on BreachForums and later taken down, but it is still live on mirror sites.

Roei Sherman, field CTO at Mitiga Security, says he isn't surprised that a giant like Disney could have a breach of this scale and significance. “Companies are getting breached all the time, especially data theft from the cloud and software-as-a-service platforms,” he says. “It is just easier for attackers and holds bigger rewards."

Sherman, who reviewed the data in the leak, added that “all of it looks legit—a lot of URLs, conversations of employees, some credentials, and other content.”

The NullBulge site says that it is a “hacktivist group protecting artists’ rights and ensuring fair compensation for their work.” The group claims it hacks only targets that violate one of three “sins.” First: “We do not condone any form of promoting crypto currencies or crypto related products/services.” Second: “We believe AI-generated artwork harms the creative industry and should be discouraged.” And third: “Any theft from Patreons, other supportive artist platforms, or artists in general.”

The group's “wall of knowledge,” where it lists its data dumps, summarizes the philosophy: “What better way to punish someone than getting them in trouble eh?” Previously, the group targeted the Indian content creator Chief Shifter with a “first shaming.” Then in May, NullBulge posted a “second punch” and teased the Disney breach. “Here is one I never thought I would get this quickly … Disney. Yes, that Disney,” NullBuldge wrote, suggesting that the group may be a single person. “The attack has only just started, but we have some good shit. To show we are serious, here is 2 files from inside.”

In addition to the alleged Slack data, NullBulge posted what appears to be detailed information about the individual whom they claim provided the insider access and data. The leak includes medical records and other personally identifying information, plus the alleged contents of the alleged Disney employee's 1Password password manager. NullBulge claims to have doxxed the individual in retaliation for cutting off communication and access, although whether the employee actually collaborated with the group in the first place remains unconfirmed.

Security researchers have long warned about corporate Slack accounts as a treasure trove for attackers if compromised. The popular team communication platform is owned by Salesforce and is used by an array of prominent organizations, including IBM, Capital One, Uber, and Disney rival Paramount.

“Disney will probably be targeted a lot more now by opportunistic threat actors,” Sherman warns.

Hackers Claim to Have Leaked 1.1 TB of Disney Slack Messages

Senator Mark Warner is trying to pass new limits on when the government can wiretap Americans. At least two senators are quietly trying to stop him.

Members of the United States Senate have been working for more than a month to shore up safeguards against further misuse of the US government’s most consequential surveillance program. Those efforts have hit a snag, however, with at least two Republican senators now privately objecting to the changes—provisions that seek to impose new limits on the US government’s power to wiretap communications between Americans and foreigners overseas.

In a bipartisan move, Senate Intelligence Committee members approved two provisions last month aimed at addressing what legal experts describe as troubling inadequacies in the Foreign Intelligence Surveillance Act (FISA), the key authority by which the US intelligence community can direct certain companies to secretly intercept calls, texts, and emails on the government’s behalf. The provisions were introduced last week as part of a must-pass piece of legislation authorizing various intelligence activities for the coming fiscal year.

One of the provisions seeks to clarify what types of businesses can be subjected to the wiretap orders—companies the government commonly refers to as “electronic communication service providers,” or ECSPs. The intelligence community has sought for years to expand the definition of the term in order to enlist the aid of new companies, and succeeded in doing so after a heated congressional fight this spring over the FISA wiretap program known as Section 702.

Privacy experts argue that the government drastically overshot its mark, creating ambiguity in FISA that threatens to ensnare limitless categories of new companies and individuals—anyone, virtually, deemed a “custodian” of equipment capable of storing and carrying the data it seeks.

Legal experts such as Marc Zwillinger, one of the few private attorneys to ever appear before the nation’s secret surveillance court, noted in April that the changes were likely to vastly increase the number of Americans whose communications are being wiretapped—communications that the government claims not to “target” but to merely intercept “incidentally.”

WIRED has learned from multiple sources that a Republican senator filed an objection to the provision addressing this issue, a “fix” that would limit the range of businesses subject to wiretap orders to those referenced in a 2022 FISA court opinion. As secret law, the exact nature of these businesses remains classified; however, it is widely believed that the government was seeking the power to compel the cooperation of US-based data centers in addition to service providers like AT&T and Google, which are among the more traditional targets of FISA directives.

WIRED could not immediately confirm the identity of the Republican senator objecting to the proposal, but understands they serve on a committee of jurisdiction. The judiciary holds jurisdiction over FISA, while the intelligence committee owns the amendment carrying the provision, the Intelligence Authorization Act (IAA). The IAA is passed annually, normally as a standalone bill, but is slated to be attached this year as an amendment to another piece of must-pass legislation, the National Defense Authorization Act, which Congress is aiming to vote on by fall.

The Senate’s practices for the approving of amendments prior to a floor vote are somewhat obscure and often informal, differing depending on the committee. In this case, a single objection by a member of the intelligence committee is likely enough to see it struck. Objections filed with committee leaders are typically kept private.

A Senate source with knowledge of the ongoing negotiations, granted anonymity because they are not authorized to speak on the record, tells WIRED that Senate practices for passing controversial amendments have grown increasingly nebulous in recent years, blaming the desire of many lawmakers to avoid scrutiny for their positions on contentious issues. Senate leaders may, for example, use substitute amendments to strike down or add language to a bill in place of a process that previously required a public vote.

In an effort to salvage the Section 702 program, Senate Intelligence Committee chair Mark Warner urged lawmakers in May to temporarily set aside concerns about the ECSP language, one impetus behind this year’s drawn-out congressional fight that delayed renewal of the 702 program for half a year, threatening to sunset the authority after a temporary extension last winter. In remarks to the press and to colleagues on the Senate floor, Warner, a Democrat of Virginia, promised to address the concerns this summer, vowing to reporters that he was “absolutely committed” to refining the text that experts like Zwillinger warned would expand the intelligence community’s authority beyond reason.

Successfully attaching the new language to the IAA in June, Warner appeared to follow through with his promise.

“As Senator Warner expressed during the 702 debate, and as evidenced by his efforts to include these provisions in the committee-passed IAA, he supports these measures and remains committed to working through any challenges that may arise ahead of the full vote in the Senate,” said Warner’s press secretary, Valeria Rivadeneira.

Zwillinger tells WIRED that any backtracking by the Senate over the ECSP concerns is likely to impact the public’s trust in the intelligence community’s word during future FISA debates. “The overbroad ECSP definition added during the reauthorization of Section 702 should be narrowed,” he says, noting that “even its sponsors had agreed to narrow it to the specific circumstances that generated the amendment.”

**Friends of the Secret Court**

A second provision approved by Senate intel members in June—and now similarly under threat—aims to ensure the FISA court more reliably calls upon attorneys like Zwillinger to provide advice about the impact of FISA surveillance on Americans’ civil liberties. These experts, known as amici curiae (literally “friends of the court”), are a common feature in US courts, used by judges to gain insight into key issues surrounding difficult cases, often when civil rights are involved. Unlike typical amici, experts called to submit briefs before the FISA court are few and far between, with the law demanding that they be eligible for access to classified information.

The law currently directs the FISA court to appoint an amicus when presented with a “novel or significant” concern, unless it finds that doing so is “not appropriate.” The new provision, however, would create a presumption that the court more reliably appoints amici when a government request for surveillance presents “exceptional” constitutional concerns, or when the government intends to directly target an American.

Last week, WIRED confirmed that Senator John Cornyn, whose committee assignments include both judiciary and intelligence, was the source of an objection to the new amicus language, threatening to scuttle the changes. Another Senate source with knowledge of the objection says that Cornyn is specifically concerned about delays that he believes will result from the court’s increased reliance on the amici, viewing the process as potentially tying up cases in discovery battles as experts vie with the government for access to classified files.

The source adds that Cornyn claims the new rules threaten to grant foreign nationals greater rights than those of criminal defendants, something that foreign adversaries could exploit. It is unclear, however, by what method Cornyn believes a foreign adversary might gain insight into the court’s proceedings. Information presented in the hearings are among the nation’s most closely guarded secrets.

Noah Chauvin, a former intelligence counsel for the US Department of Homeland Security, dismissed Cornyn’s concerns as overblown and, in some cases, invalid. “In almost every instance, the presumption that amici will be appointed applies to a circumstance where the surveillance targets a US person,” he says. The only exception is when the surveillance presents a “novel or significant interpretation of the law.”

Even when amici avail themselves of new appellate rights laid out in the provision, however—after objecting, for instance, to a new method of surveillance certified by the court—the process would not inhibit the government from continuing to intercept communications under FISA. Instead, the surveillance would continue under the last certification issued by the court, even if it has already expired.

Amici's right to access information is relatively narrow, says Chauvin, now an assistant professor at the Widener University Commonwealth Law School in Pennsylvania. He notes that the government has the ability to prevent delays at any time by simply providing experts with the information they need in advance, rather than forcing the court to debate what it’s required to disclose. While relying on constitutional experts more frequently may slow down the process in certain instances, he says, that is also largely the point. “To the extent \[amici\] create friction, making it more difficult for the government to access Americans’ private information without demonstrating to a court that such access is necessary—that’s a feature, not a bug.”

Notably, FISA proceedings are, for obvious reasons, conducted ex parte, meaning the target of a surveillance order has no presence or representation in court. This arguably heightens the need for the court to rely on advice from subject matter experts when it’s confronted with unprecedented uses of communications technologies, which are constantly evolving.

WIRED reached out to the White House, National Security Council, and Office of the Director of National Intelligence for comment on the possible fate of provisions, but has not received a response.

With regards to other concerns raised by Cornyn, such as the fact that the amici are not required to have specific intelligence-collection experience, Senate sources defending the new text noted that’s nothing new. While some experts called up by the FISA court have that experience, others are tapped for their knowledge of privacy and civil liberties or their expertise in communications technology. Ultimately, it’s the court’s prerogative to determine what “legal or technical expertise” is necessary depending on the matter at hand, so long as that person is “eligible for access to classified information.”

Experts and multiple Senate sources noted that the amicus provision approved by the Senate Intelligence Committee last month was effectively a watered-down version of an amendment introduced by senators Mike Lee and Patrick Leahy four years ago. For instance, that amendment would have directed the FISA court to appoint an amicus in cases where the government sought to surveil a congressional staffer—no longer the case. Such “sensitive investigative matters” now extend purely to elected officials and political candidates, in addition to members of political, news, and religious organizations.

Notably, the much stronger Lee–Leahy amendment passed the Senate in 2020 by a wide margin: 77–19. “That's how uncontroversial this provision is,” says Liza Goitein, a FISA expert and senior director at the Brennan Center of Justice at New York University School of Law. “This is a commonsense, good-government measure that is overwhelmingly supported by lawmakers on both sides of the aisle.”

Goitein says the concerns about delays resulting from the amici challenging FISA decisions are also exaggerated. “There's no appeal right,” she says. “They can _petition_ the FISA court to certify the case for review. The FISA court can say no, so the FISA court can police this and determine whether it's going to cause undue delay or not.”

Senate sources say discussions over the provisions will continue throughout the week as staffers attempt to hammer out a resolution. The timeline for a vote on the full package of amendments to the NDAA remains unclear, though Senate staffers cited rumors that leadership would attempt to force a vote by the end of July. That said, lawmakers just received the notoriously voluminous text last week, raising serious doubts about the chamber’s ability to move the bill before its August recess. That it’s a mystery as to which party will control the Senate following the November election only serves to add friction to the process.

Sean Vitka, policy director at the nonprofit Demand Progress, notes that the 702 surveillance program was reapproved by Congress only after Warner vowed to address both the ECSP and amicus concerns this year. “Concerns that these modest-but-critical fixes are somehow too privacy-protective, when in fact they explicitly give spy agencies exactly what they asked for, are so ill-informed they blow past bad faith and border on incoherence,” he says.

If the objections hold, Vitka says, the next US president will retain “one of the most dangerous spying powers to ever exist.” The consequences of failing to implement these provisions, he warns, “could be catastrophic.”

US Senators Secretly Work to Block Safeguards Against Surveillance Abuse

A security researcher who assisted with the deal says he believes the only copy of the complete dataset of call and text records of “nearly all” AT&T customers has been wiped—but some risks may remain.

US telecom giant AT&T, which disclosed Friday that hackers had stolen the call records for tens of millions of its customers, paid a member of the hacking team more than $300,000 to delete the data and provide a video demonstrating proof of deletion.

The hacker, who is part of the notorious ShinyHunters hacking group that has stolen data from a number of victims through unsecured Snowflake cloud storage accounts, tells WIRED that AT&T paid the ransom in May. He provided the address for the cryptocurrency wallet that sent the currency to him, as well as the address that received it. WIRED confirmed, through an online blockchain tracking tool, that a payment transaction occurred on May 17 in the amount of 5.7 bitcoin. Chris Janczewski, head of global investigations for crypto-tracing firm TRM Labs, also confirmed using the company's own tracking tool that a transaction occurred in the amount of about 5.72 bitcon (the equivalent of $373,646 at the time of the transaction), and that the money was then laundered through several cryptocurrency exchanges and wallets, but said there was no indication of who controlled the wallets.

A security researcher who asked to be identified only by his online handle, Reddington, also confirmed that a payment occurred. The hacker enlisted him to serve as the go-between for their negotiation with AT&T, and Reddington received a fee from AT&T for serving in that capacity. Reddington provided WIRED with proof of the fee payment. The hacker initially demanded $1 million from AT&T but ultimately agreed to a third of that.

WIRED viewed the video that the hacker says he provided to AT&T as proof to the telecom that he had deleted its stolen data from his computer. Reddington says he believes it was the entire AT&T dataset that Binns allegedly stole because the hacker and Binns stored the data in a cloud server that they both could access, and he says the hacker deleted it from that server.

AT&T did not respond to WIRED’s request for comment.

It was indirectly through Reddington that AT&T learned about the data theft three months ago.

Reddington tells WIRED that in mid-April, an American hacker living in Turkey and believed to be John Erin Binns—not the hacker who received payment—contacted him to say that he had obtained Reddington's AT&T call logs. After Reddington verified that the call logs were real, Binns allegedly told Reddington that he had also obtained call and texting logs of millions of other AT&T customers through a poorly secured cloud storage account hosted by Snowflake. Reddington notified the security firm Mandiant about the breach, and Mandiant then notified AT&T. In a regulatory filing it made to the Securities and Exchange Commission on Friday, AT&T said that it first learned of the breach in April.

AT&T is one of more than 150 companies that are believed to have had data stolen from poorly secured Snowflake accounts during a hacking spree that unfolded throughout April and May. It's been previously reported that the accounts were not secured with multi-factor authentication, so after the hackers obtained usernames and passwords for the accounts, and in some cases authorization tokens, they were able to access the storage accounts of companies and siphon their data. Ticketmaster, the banking firm Santander, LendingTree, and Advance Auto Parts were all among the victims publicly identified to date.

Reddington has facilitated a number of negotiations between the hackers and victims of the Snowflake account breaches. He says Binns asked him to contact AT&T “to facilitate a buyback of the data,” and that “given the importance of the data” and the potential for harm, “I felt an obligation to ensure he did not sell the data to anyone else.”

He notes that the sequence of events indicates that Ticketmaster’s Snowflake account was likely the first one breached in the campaign, after which the hackers targeted AT&T and others.

“Analysis of the data samples \[the hackers\] provided from other victims indicated that the hack of Ticketmaster occurred first,” he tells WIRED. “From there, it seems the actors figured out they could target ‘snowflakecomputing.com’ domains by looking for stolen credentials. It did not take them long to compile a list and write a script to hit all of the Snowflake victims simultaneously.”

The stolen AT&T data included call and text messaging metadata, but not the content of calls or messages or the names of the phone owners, according to AT&T’s SEC filing. Reddington alleges that Binns demonstrated how easily he could identify the owners of the numbers using a reverse-lookup program that identified by name the family members, colleagues, and others attached to the phone numbers who communicated with them.

The stolen data included telephone numbers of “nearly all” of AT&T's cellular customers and the numbers of customers of other wireless carriers who exchanged calls or messages with those AT&T customers between May 1, 2022, and October 31, 2022, as well as on January 2, 2023, according to the company. It also included the landline phone numbers that communicated with the affected AT&T customers during this period. The data included dates for the communication and the duration of calls. “For a subset of the records, one or more cell site ID numbers associated with the interactions are also included,” the company said in a blog post. Cell site IDs reveal which cell towers a phone pings and can potentially be used to identify a phone user’s general location and movements.

News of the breach became public on Friday only when AT&T disclosed it in its blog post and SEC filing. Although public companies are required to report breaches to the SEC after learning about them, AT&T wrote that the Department of Justice had granted it exemptions in May and June to delay notification due to a potential national security or public safety harm if the breach were revealed. The FBI told CNN that AT&T had contacted the bureau shortly after learning about the hack, but the bureau wanted to review the data to determine what had been taken and assess any potential harm before AT&T disclosed it publicly and to the SEC.

The hacker who received the payment from AT&T alleges that Binns was responsible for the breach and shared samples of the data with him and others after downloading it. He says he believes Binns allegedly stole "several billions" of records from AT&T, though WIRED was unable to confirm this. Reddington understands that the data that was deleted was the only complete dataset taken by the hackers. Reddington says he does not believe the hackers posted the data publicly, though he's not sure how many people received excerpts of the data Binns allegedly provided or what they did with it.

Despite the payment and deletion, some AT&T customers and those who communicated with them may still be at risk, given that others may have samples of the data that were not deleted.

The hacker who spoke with WIRED obtained payment from AT&T instead of Binns because, he says, in an odd twist to the case, Binns was arrested in Turkey in May for an unrelated breach dating back to 2021. That one involved a massive theft of data from T-Mobile. AT&T said in its SEC filing that it believed “at least one person” associated with the breach had already been apprehended, but didn't identify him. 404 Media was first to report on Friday that Binns is allegedly that person.

Binns was indicted in 2022 on 12 counts related to the 2021 hack of T-Mobile "and theft and sale of sensitive files and information" that involved data on more than 40 million people. Binns, however, had moved from the US to Turkey in 2018 with his Turkish mother, according to an interview he gave three years ago to The Wall Street Journal. The indictment remained sealed until this year. Last September, the US learned he could possibly be arrested in Turkey and extradited to the US because he didn’t have Turkish citizenship. Prosecutors in Seattle, near where T-Mobile is based, asked a US court in December to unseal parts of the indictment so they could give it and an arrest warrant to Turkish authorities who were making the final decision on whether Binns could be extradited legally under Turkish law. The court granted the request to unseal in January.

The hacker who received payment from AT&T tells WIRED he believes Binns was arrested in Turkey around May 5, since Binns hasn't responded to any attempts by him and others to contact him. WIRED contacted the Seattle public defender representing Binns in the T-Mobile case but did not receive a reply.

Binns has had contact with US authorities on a number of occasions and has accused the CIA and other agencies of wild conspiracies to harm and entrap him. As part of a 2020 FOIA lawsuit against the FBI, CIA, and US Special Operations Command to obtain records he claimed they held about him, Binns claimed that CIA contractors spied on him, experimented on him, harassed him, and that one of them pointed a “psychotronic weapon” at his head and used a microwave oven to shock him, among other allegations. He later filed a motion to dismiss his FOIA case, claiming he had filed some documents while “experiencing a psychological episode brought on by intoxication.”

Last October, in the T-Mobile case, Binns wrote to the US District Court in Seattle and said he believed his actions were affected by a chip that had been implanted in his brain when he was an infant. In a certified letter sent to the court and viewed by WIRED, Binns told the judge that he believed a “wireless brain (basal gangliea) stimulation implant or device implanted” shortly after he was born was responsible for “erratic behavior to include irresistible impulses, artificial neurological problems, and the possible commission of crimes.”

The timeline suggests that if Binns is responsible for the AT&T breach, he allegedly did it when he was likely already aware that he was under indictment for the T-Mobile hack and could face arrest for it.

AT&T Paid a Hacker $370,000 to Delete Stolen Phone Records

Plus: The Heritage Foundation gets hacked over Project 2025, a car dealership software provider seems to have paid $25 million to a ransomware gang, and authorities disrupt a Russian bot farm.

But that’s not all. Each week, we round up the security news we didn’t cover in depth ourselves. Click on the headlines to read the full stories. And stay safe out there.

For the third time since 2010, spyware vendor mSpy has suffered a substantial data breach, this time exposing millions of customers and prospective users around the globe, many of whom appear to have used the software to snoop on others. The leaked trove, published by transparency group Distributed Denial of Secrets, contains potentially terabytes of data apparently stolen from mSpy’s customer support system, Zendesk. It reveals names, email addresses, customer support tickets and documentation, and more.

Unlike military-grade spyware, like NSO Group’s infamous Pegasus, mSpy is a consumer product that’s often marketed as a way for parents to keep tabs on their children’s phone usage. But its customer base isn’t necessarily limited to nosey parents. Among the data is evidence that US government entities at least inquired about using the software, including the Social Security Administration, Immigration and Customs Enforcement personnel, and a US federal judge. Given the amount of data exposed by the leak, expect more revelations to trickle out.

**“Gay Furry Hackers” Annoy the Heritage Foundation**

The Heritage Foundation—a right-wing think tank whose “Project 2025” plan for molding the US into what critics describe as an autocratic Christian nationalist state ruled by an Über President Donald Trump—suffered a minor cyberattack this week at the gloved hands of self-described “gay furry hackers.” The breach itself appears to have been fairly minor—2 gigabytes of data taken from a blog called the Daily Signal. Much of it was “useless,” according to “vio,” one of the hackers with the group SeigSec, which said it targeted the Heritage Foundation because “Project 2025 threatens the rights of abortion health care and LGBTQ+ communities in particular.” Still, the intrusion apparently irked Heritage columnist Mike Howell, whose alleged chat with “vio” was leaked and later shared by Howell. SeigSec, which previously targeted a US nuclear lab and NATO, now says it is disbanding.

**Car Dealership Software Firm Appears to Have Paid $25M to Ransomware Gang**

Victims of ransomware attacks only have two choices, and both of them are bad: Refuse to pay the attackers and try to claw your way back without access to your systems and data, or pay up and hope they give you the decryption keys—and don’t leak your data anyway. CDK Global, which provides software to US car dealerships, seems to have picked the latter option. According to researchers at crypto tracing firm TRM Labs, CDK sent 387 bitcoin, worth around $25 million, to an account believed to be controlled by the BlackSuite ransomware gang. CDK has not confirmed the payment, but if accurate it would be at least the second major payment to ransomware gangs this year. In March, Change Healthcare paid a $22 million ransom to help end the disruption to medical facilities across the US. The problem with paying—besides costing a literal fortune—is that it can encourage more ransomware attacks. In fact, following Change Healthcare’s payment, researchers at security firm Recorded Future saw the largest spike in ransomware attacks targeting the health care industry in the four years that it has tracked the criminal activity. The catch, of course, is that paying can work: CDK indicated last week that nearly all of the 15,000 dealerships it works with are back online.

**DOJ Disrupts “AI-Enhanced” RT Bot Farm**

The US Department of Justice announced on Tuesday that US, Canadian, and Dutch authorities seized two domains used to operate a “bot farm” allegedly created by RT, the Russian state media organization, and operated by Russia’s Federal Security Service (FSB). The DOJ says it identified 968 social media accounts linked to the bot farm that were used to amplify RT content online. The RT bot farm was created in 2022, according to the DOJ, and commandeered by an FSB agent in 2023. It is unclear what impact the bot farm had, and the DOJ says its investigation is ongoing.

Spyware Users Exposed in Major Data Breach

Telecom giant AT&T says a major data breach has exposed the call and text records of “nearly all” of its customers, epitomizing the dire state of data security.

From targeted wiretaps to bulk surveillance dragnets, phone companies have been at the center of privacy concerns for decades—and their time in the limelight isn't over yet. On Friday, telecom giant AT&T announced that it recently suffered a data breach impacting call and text messaging records of “nearly all” its customers. The company is in the process of notifying about 110 million people that they were affected.

AT&T said in a US Securities and Exchange Commission filing that it learned about the data breach on April 19. Attackers exfiltrated data between April 14 and April 25. The company said in its SEC submission that the US Justice Department authorized delayed disclosure of the breach on May 9 and again on June 5, pending investigation. AT&T added that it is “working with law enforcement in its efforts to arrest those involved in the incident.” So far, “at least one person has been apprehended.”

“Yeah, this is really bad,” says Jake Williams, vice president of research and development at the cybersecurity consultancy Hunter Strategy. “What the threat actors stole here are essentially call data records. These are a gold mine in intelligence analysis because they allow someone to understand networks—who is talking to whom and when. And threat actors have data from previous compromises to map phone numbers to identities. But even without identifying data for a phone number, closed networks—where numbers _only_ communicate with others in the same network—are almost always interesting.”

The incident is significant not only because of its sheer scale and reach but because AT&T says it is the latest in a staggering spate of data thefts that resulted from attackers compromising organizations’ Snowflake cloud accounts. Snowflake is a data warehousing platform, and attackers collected its customers’ account credentials in recent months to steal hundreds of millions of records from about 165 Snowflake clients, including Ticketmaster, Santander bank, and LendingTree’s QuoteWizard.

The AT&T data is from both landline and cellular accounts and spans May 1, 2022, to October 31, 2022. A smaller, undisclosed number of people also had records from January 2, 2023, stolen in the breach. The company said on Friday that the data trove “does not contain the content of calls or texts” and does not include the date and time of communications. But attackers did make off with phone numbers and a massive amount of so-called “metadata” about calls and texts, including who contacted whom, call durations, and tallies of a customer’s total calls and texts. The trove also includes some cell site identification numbers—essentially cell tower data that can be used to approximate a cellphone's location when it made or received a call or text.

The data includes some records of people who are customers of phone carriers—known as “mobile virtual network operators”—that contract with AT&T to use the larger company's networks and infrastructure for their service. And, crucially, the stolen trove exposes people who have no relationship with AT&T when they communicated with an AT&T customer during the relevant time spans.

Though the breach is not a worst-case scenario in every possible way—the data does not, for example, include identifying customer information like Social Security numbers—it could be a gold mine for attackers looking to construct compelling phishing attacks and other scams to target individuals or specific communities of people. And the breach underscores that even without the contents of communications, leaked metadata still has major implications for people's privacy and security. This is why privacy advocates have long made a distinction between communication platforms—namely, the secure messaging app Signal—that are designed to generate the absolute bare minimum of metadata, versus other communication platforms that don't curtail metadata use to the same degree. This even includes other end-to-end encrypted services like WhatsApp.

The Google-owned cybersecurity firm Mandiant investigated the string of Snowflake account intrusions and said in June that financially motivated criminal hackers, tracked under the name UNC5537, are behind the attacks. The group used info-stealing malware to grab credentials for companies’ Snowflake accounts and then easily logged into any accounts that didn't have two-factor authentication enabled. The security feature was turned off by default on Snowflake accounts. Snowflake has since put new multifactor authentication policies in place.

AT&T emphasizes that it “does not believe” the data stolen in the breach is publicly available. But that doesn't mean that it poses no threat from the actor that stole it. On Friday, the US Cybersecurity and Infrastructure Security Agency released an alert about the situation. And, though only a handful of victims of the Snowflake rampage have come forward, hackers have already been advertising, trying to sell, and demanding ransoms from impacted companies over data stolen from their Snowflake accounts. Actors including ShinyHunters and another account going by the handle Sp1d3rHunters have been advertising the data on the cybercrime marketplace BreachForums, which was recently resurrected after being taken down by law enforcement, and demanding companies pay millions for the data to be removed.

_Additional reporting by Matt Burgess._

The Sweeping Danger of the AT&T Phone Records Breach

A new resolution echoes what 16 members of Congress have already said to the White House: It must do more to free one of the most storied crypto-focused federal agents in history.

When Tigran Gambaryan was first invited in February to meet with the Nigerian government in order to settle a dispute with his employer, the cryptocurrency exchange Binance, Nigerian officials detained him against his will, stripped him of his passport, and told him he was a “guest” of the state. He's since been charged with financial crimes and jailed for months as a criminal suspect.

Pressure is now mounting within the US Congress for the Biden administration to treat him as what his supporters argue he has been all along: a hostage, held illegally by an unaccountable foreign country.

On Wednesday, US congressman Rich McCormick, who represents Gambaryan's district in his home state of Georgia, submitted a resolution to the House Committee on Foreign Affairs that both urges the Nigerian government to release Gambaryan and calls on the US government to recognize that Gambaryan is being illegally detained as a hostage in an effort to extort his employer, Binance. That resolution represents the latest in a series of growing calls from Congress for the White House to step up its pressure on Nigeria to release Gambaryan, a former federal agent who led many of the most significant cryptocurrency-related criminal cases of the last decade during his time as an IRS criminal investigator.

“The continued detention of Tigran Gambaryan in Nigeria is a clear violation of his rights, and he is simply being used as a means of extortion by the Nigerian government,” McCormick wrote in a statement. “We urge Nigeria to immediately release Tigran and provide him with the necessary medical care and due process. The United States Government must do everything in its power to secure the release of Tigran Gambaryan, and all of our citizens wrongfully detained abroad.”

McCormick's resolution to push for Gambaryan's release follows an earlier open letter from 16 members of Congress calling on the White House to transfer Gambaryan's case to the Office of the Special Presidential Envoy for Hostage affairs. That letter noted that Gambaryan has suffered from malaria and pneumonia, collapsing in court during one day of his trial, yet has been denied proper care in a hospital. “Gambaryan's health and wellbeing are in danger, and we fear for his life,” the letter read. “Immediate action is essential to ensure his safety and preserve his life. We must act swiftly before it is too late.” Two House members, French Hill and Chrissy Houlahan, visited Gambaryan in jail last month and have also called for his release.

Gambaryan and another Binance staffer, Nadeem Anjarwalla, flew to Abuja in late February at the invitation of the Nigerian government after the country's officials accused Binance, where Gambaryan works as head of its investigations and financial crime compliance, of money laundering and contributing to the devaluation of the country's national currency, the naira. But just days into that negotiation, the two men were detained in a government-run “guest house” against their will.

The situation escalated further when Anjarwalla, who is based in Kenya, escaped during a visit to a mosque for Ramadan prayers. Gambaryan was then criminally charged with tax evasion and money laundering—all signs suggest those charges relate to the behavior of Binance, not Gambaryan personally—and moved to Kuje prison, where he has since been held.

Tigran Gambaryan

Photograph: Binance

The charges against Gambaryan are particularly ironic given his track record as a federal agent. Prior to being hired by Binance, which was widely seen as part of the exchange's efforts to clean up its operations' lax compliance and years of alleged money laundering documented in a $4.3 billion settlement with the US government last year, Gambaryan spent a decade leading many of the most significant crypto crime investigations in history. From 2014 to 2017 alone, for instance, Gambaryan identified two corrupt federal agents who had enriched themselves with cryptocurrency from the Silk Road dark-web drug market, helped to track down half a billion dollars worth of bitcoins stolen from early crypto exchange Mt. Gox, helped develop a secret crypto tracing method that located the server hosting the massive AlphaBay dark web crime market, and helped to achieve the takedown of the Welcome to Video crypto-funded child sexual abuse video network.

Gambaryan's supporters point out that his work for the IRS led to the seizure of more than $4 billion dollars, including several of the largest monetary seizures in the history of US criminal justice. “He’s done so much good for this country throughout his career,” Gambaryan's wife Yuki told WIRED in March. “I believe it’s his turn to get the same amount of support from his country.”

When WIRED reached out to Binance about the new resolution seeking Gambaryan's freedom, a company spokesperson responded in a statement: “Tigran is a hero and we are pleased to see that’s recognised by so many people around the world. We are hopeful he’ll be sent home to his family soon.”

Yet the Biden administration has been criticized for reacting slowly and ineffectually to free Gambaryan. In a House Foreign Affairs Committee hearing last month, McCormick laid into Roger Carstens, the White House's special presidential envoy for hostage affairs, and Rena Bitter, the State Department's assistant secretary for consular affairs, asking why Gambaryan's case had not been elevated to that of an urgent hostage situation. “If he was your parent or your son, I would make the case this would already have been elevated. If it was someone of interest to the president or the secretary, this would have already been elevated. He is a US citizen,” McCormick told the hearing. “This guy deserves better.”

Bitter noted in response to McCormick's questioning that her colleagues had visited Gambaryan nine times but remained noncommittal about elevating his case to that of an urgent hostage situation. “We are watching this case closely, and we talk about this case quite frequently,” she told McCormick, adding that the State Department had “asked for humanitarian release” due to Gambaryan's medical issues.

On Thursday, neither the US nor Nigerian Departments of State immediately responded to WIRED's request for further comment on Gambaryan's case.

In his resolution and statements in last month's hearing, McCormick has argued that every aspect of Gambaryan's situation, from the illegality of his detention to Nigeria's record of human rights abuses, qualifies him for treatment as a hostage of a foreign government. One of the two Nigerian government bodies making allegations against Gambaryan dropped all charges against him last month. Yet he remains in Kuje jail, a facility that also houses convicted members of terrorist groups including Boko Haram. Even when he collapsed in court due to symptoms of malaria and pneumonia, the resolution notes, he was only admitted to a hospital for five hours before being returned to jail.

In a statement sent to WIRED Thursday, Gambaryan's wife, Yuki, expressed her concern again for her husband's health, thanked McCormick for his resolution, and emphasized her husband's lack of influence over Binance's actions.

“I hope the US government’s involvement will expedite the process of getting him released. My husband is innocent, he is not a decision maker at Binance and I hope the Nigerian authorities release him,” Gambaryan wrote. “He needs to be freed right now."

Pressure Grows in Congress to Treat Crypto Investigator Tigran Gambaryan, Jailed in Nigeria, as a Hostage

The cybercrime boss, who helped lead the prolific Zeus malware gang and was on the FBI’s “most wanted” list for years, has been sentenced to 18 years and ordered to pay more than $73 million.

For more than a decade, Vyacheslav Igorevich Penchukov—a Ukrainian who used the online hacker name “Tank”—managed to evade cops. When FBI and Ukrainian officials raided his Donetsk apartment in 2010, the place was deserted and Penchukov had vanished. But the criminal spree came to a juddering halt at the end of 2022, when he traveled to Switzerland, was arrested, then was extradited to the United States.

Today, at a US federal court in Lincoln, Nebraska, a judge sentenced Penchukov to two concurrent nine-year sentences, after he pleaded guilty to two charges of conspiracy to participate in racketeering and a conspiracy to commit wire fraud. United States District Judge John M. Gerrard also ordered Penchukov to pay more than $73 million, according to court records. The court also ordered three years of supervised release for each count and said they should run concurrently.

Both charges carried a maximum sentence of up to 20 years each. According to court documents, however, the US government and Penchukov’s lawyers both requested a less severe sentence following him signing a plea agreement in February. It is unclear what the terms of the plea deal include. At the time, documents show, Penchukov could also face having to repay up to $70 million—less than the combined amount he's ordered to pay in restitution and forfeited funds. “I understand this, but I don’t have such amounts of money,” he said in court earlier this year.

The US prosecution of Penchukov—who has been on the FBI's “most wanted” cyber list for more than a decade—is a rare blow against one of the most well-connected leaders of a prolific 2010s cybercrime gang. It also highlights the ongoing challenges Western law enforcement officials face when taking action against Eastern European cybercriminals—particularly those based in Russia or Ukraine, which do not have extradition agreements with the US.

Ahead of the sentencing, the Department of Justice refused to comment on the case, and the FBI and Penchukov’s lawyers did not respond to WIRED’s requests for comment.

When the Ukrainian pleaded guilty in February—a number of charges were dropped following him signing the plea agreement—he admitted to being one of the leaders of the Jabber Zeus hacking group, starting in 2009, that used the Zeus malware to infect computers and steal people’s bank account information. The group used the details to log in to accounts, withdraw money, and then send it to various money mules—stealing tens of millions from small US and European businesses.

“The defendant played a crucial role, a leadership role, in this scheme by directing and coordinating the exchange of stolen banking credentials and money mules,” prosecutors said in court earlier this year. They would steal thousands from victim companies, often draining their accounts.

Penchukov, who was also a well-known DJ in Ukraine, also admitted to a key role organizing the IcedID (also known Bokbot) malware, which collected the victim’s financial details and allowed ransomware to be deployed on systems. He was involved from November 2018 to at least February 2021, officials say. Investigators found he kept a spreadsheet detailing the $19.9 million income IcedID made in 2021.

“I never thought that we would ever see any of Jabber Zeus crew” face justice in the US, says Jim Craig, a senior director at cybersecurity firm Intel 471, who was previously a special agent in the FBI and helped lead the investigation into the Zeus cybercriminals and Penchukov, who is in his late thirties, starting in July 2009. Craig, who attended the sentencing, said he was happy with the result. Penchukov has aged since US investigators originally published photos of him, Craig says, and the criminal boss spoke during the sentencing hearing to apologize for his actions.

The Zeus malware, linked to FBI-wanted Russian Evgeniy Bogachev, first appeared online around the end of 2006 and in part used keyloggers to steal people’s banking information when they entered it online. The cybercriminals would log into accounts and send money to people acting as mules, who would cash out the funds. “It was just a really big jump in capabilities,” Keith Jarvis, a senior researcher at cybersecurity company Secureworks, says of the Zeus malware. “The volume of it was so out of control, and the banks didn't have a really good handle on it.”

By 2009, when the FBI’s investigations were starting, the Zeus gang had developed Jabber Zeus, adding the Jabber instant messenger into the setup. “When there was a compromise, they would get notified, and they could immediately have an operator jump on and start conducting the fraud automatically,” Jarvis says. They later developed Gameover Zeus and the group’s members—including Bogachev and, according to US prosecutors, an FBI-wanted Maksim Yakubets—eventually morphed into building some of the most disruptive ransomware of the past decade. (Bogachev and Yakubets, respectively, have $3 million and $5 million rewards on their heads from the US government).

In 2010, as detailed by WIRED’s 2017 cover story chronicling the hunt for the Zeus creators, the FBI and other law enforcement agencies had identified Penchukov and other members by analyzing their Jabber chat messages seized from a US-based server. “Ultimately we ran across a message where Tank had talked about his daughter,” Craig says. Penchukov disclosed her date of birth, name, and birth weight, which were used in cooperation with Ukraine’s security service to determine there was only one girl born that day with those details, and Penchukov was her father. The FBI investigators traveled to Donetsk, Ukraine, to arrest members of the gang.

Operation Trident Breach collared more than 50 people around the world in September 2010—with some members later being sentenced—but Penchukov wasn’t one of them. “It was quite obvious that Tank was tipped off,” Craig says. “There was no sign of him, and it was quite clean. You could definitely tell no one had been there a few days,” Craig recounts of the raid on Penchukov’s apartment. As detailed by MIT Technology Review, officials suspected corruption and family connections to high-level Ukrainian officials. Plus Russian investigators involved in the case “ghosted” other officials on the day the arrest was due to take place.

Penchukov was first publicly named in a February 2012 indictment, detailing his and other Zeus members’ alleged crimes. In 2015 he changed his name to Vyacheslav Igoravich Andreev. Jarvis, from Secureworks, says Penchukov can be considered one of the “elder statesmen” of this era of cybercrime, and everything has always indicated he was in charge of “running” the money mules the groups used and organizing the finances.

In November 2022 it was reported that Penchukov had been arrested in Geneva when he was “traveling to meet up with his wife.” The circumstances of his arrest are unclear, and Swiss authorities declined to comment on the case.

Since the Zeus gang were at their height, their particular brand of bank fraud—directly accessing victims accounts and moving money from them—has declined in prominence. Ransomware and data extortion, using cryptocurrency to launder money, has become the primary tactic of Russia-linked cybercriminals, earning them more than $1.1 billion in 2023.

Craig, the former FBI investigator, says one outstanding question will be how much Penchukov cooperated with officials and if he revealed anything about other criminals. “The significance of him being caught is important to show that law enforcement is not going to stop—wherever they go, there's going to be a chance and opportunity for them to get caught,” Craig says.

_Update 7/11/2024, 12:40 pm ET: Updated to clarify the amount of money Penchukov will be forced to turn over to authorities._

Notorious Hacker Kingpin ‘Tank’ Is Finally Going to Prison

Google is bringing the password-killing “passkey” tech to its Advanced Protection Program users more than a year after rolling them out broadly.

The password killers known as “passkeys” are now available to users of Google's Advanced Protection Program, which works to add an additional layer of account protection for people who fear that they could face targeted digital attacks. The company is more than a year into supporting passkeys for all regular individual accounts and made them the default login option in October. But Google waited to offer passkeys to APP users until it was sure the community was ready to take the step.

APP users typically have a public-facing position or do controversial work. Anyone can enroll for free, but enabling Advanced Protection involves strict requirements for adding multi-factor authentication to an account, which previously involved hardware tokens. With the addition of passkeys, though, APP project manager Shuvo Chatterjee points out that APP's defensive benefits will now be more usable and accessible to people around the world.

“Security keys are super-duper strong. They are an un-phishable factor,” Chatterjee told WIRED ahead of today's announcement. “And yet it is still a thing that people have to carry around. They lose it, they cost a lot. So a request that we keep getting from the field is, are there other ways by which we can get the same level of security, but from something that’s more convenient and something we already have? Passkeys are something \[that\] works with the threat profile that our high-risk users deal with.”

With digital crime and online fraud exploding around the web, tech giants have stepped up their push in recent years to secure accounts and promote passkeys, a cryptographic authentication system, as a more-secure replacement for the scourge of passwords. Passkeys are stored locally on your devices (or can be stored on hardware tokens that support the protocol known as FIDO2) and are guarded by a fingerprint, face scan, or pin. Advanced Protection will also still offer users the option of enabling the service with traditional two-factor authentication where the hardware token is the second factor.

Courtesy of Google

If you wish to join, use the Advanced Protection Program enrollment page, click “Get started,” and walk through the process to enroll with a passkey or a physical security key. While APP is meant to keep everyone out of your account, Chatterjee also emphasizes that the program offers recovery options that users should set up so they can regain access if they are ever locked out of their own account.

The passkey rollout hasn't always been straightforward, but they are gradually proliferating around the world. Google said in April that passkeys were used for authentication more than a billion times across more than 400 million Google accounts in their first year of deployment. And the company says that each day, users authenticate with passkeys more often than SMS one-time codes or one-time codes generated on apps like Google Authenticator.

For Advanced Protection Program users who want the highest level of protection, though, the option to start using passkeys will mean less overhead and more possibilities.

“We’ve encountered many people who just don’t have access to security keys,” Chatterjee says. “They can’t get them in their country, they’re a journalist traveling in a war zone, they’re a campaign worker hopping from town to town. They don’t have security keys with them, but they have their phone with them. There are many situations where having the flexibility and security of passkeys is really important to this population.”

Source

Wired