A ban on weapons of mass destruction in orbit has stood since 1967. Russia apparently has other ideas.

Russia vetoed a United Nations Security Council resolution Wednesday that would have reaffirmed a nearly 50-year-old ban on placing weapons of mass destruction into orbit, two months after reports Russia has plans to do just that.

Russia's vote against the resolution was no surprise. As one of the five permanent members of the Security Council, Russia has veto power over any resolution that comes before the body. China abstained from the vote, and 13 other members of the Security Council voted in favor of the resolution.

If it passed, the resolution would have affirmed a binding obligation in Article IV of the 1967 Outer Space Treaty, which says nations are "not to place in orbit around the Earth any objects carrying nuclear weapons or any other kinds of weapons of mass destruction."

**Going Nuclear**

Russia is one of 115 parties to the Outer Space Treaty. The Security Council vote Wednesday follows reports in February that Russia is developing a nuclear anti-satellite weapon.

"The United States assesses that Russia is developing a new satellite carrying a nuclear device," said Jake Sullivan, President Biden's national security advisor. "We have heard President Putin say publicly that Russia has no intention of deploying nuclear weapons in space. If that were the case, Russia would not have vetoed this resolution."

The United States and Japan proposed the joint resolution, which also called on nations not to develop nuclear weapons or any other weapons of mass destruction designed to be placed into orbit around the Earth. In a statement, US and Japanese diplomats highlighted the danger of a nuclear detonation in space. Such an event would have "grave implications for sustainable development, and other aspects of international peace and security," US officials said in a press release.

With its abstention from the vote, "China has shown that it would rather defend Russia as its junior partner, than safeguard the global nonproliferation regime," said Linda Thomas-Greenfield, the US ambassador to the UN.

US government officials have not offered details about the exact nature of the anti-satellite weapon they say Russia is developing. A nuclear explosion in orbit would destroy numerous satellites—from many countries—and endanger astronauts. Space debris created from a nuclear detonation could clutter orbital traffic lanes needed for future spacecraft.

The Soviet Union launched more than 30 military satellites powered by nuclear reactors. Russia's military space program languished in the first couple of decades after the fall of the Soviet Union, and US intelligence officials say it still lags behind the capabilities possessed by the US Space Force and the Chinese military.

Russia's military funding has largely gone toward the war in Ukraine for the last two years, but Putin and other top Russian officials have raised threats of nuclear force and attacks on space assets against adversaries. Russia's military launched a cyberattack against a commercial satellite communications network when it invaded Ukraine in 2022.

Russia has long had an appetite for anti-satellite (ASAT) weapons. The Soviet Union experimented with "co-orbital" ASATs in the 1960s and 1970s. When deployed, these co-orbital ASATs would have attacked enemy satellites by approaching them and detonating explosives or using a grappling arm to move the target out of orbit.

In 1987, the Soviet Union launched an experimental weapons platform into orbit to test laser technologies that could be used against enemy satellites. Russia shot down one of its own satellites in 2021 in a widely condemned "direct ascent" ASAT test. This Russian direct ascent ASAT test followed demonstrations of similar capability by China, the United States, and India. Russia's military has also demonstrated satellites over the last decade that could grapple onto an adversary's spacecraft in orbit, or fire a projectile to take out an enemy satellite.

These ASAT capabilities could destroy or disable one enemy satellite at a time. The US Space Force is getting around this threat by launching large constellations of small satellites to augment the military's much larger legacy communications, surveillance, and missile warning spacecraft. A nuclear ASAT weapon could threaten an entire constellation or render some of space inaccessible due to space debris.

Russia's ambassador to the UN, Vasily Nebenzya, called this week's UN resolution "an unscrupulous play of the United States" and a "cynical forgery and deception." Russia and China proposed an amendment to the resolution that would have banned all weapons in space. This amendment got the support of about half of the Security Council but did not pass.

Outside the 15-member Security Council, the original resolution proposed by the United States and Japan won the support of more than 60 nations as co-sponsors.

"Regrettably, one permanent member decided to silence the critical message we wanted to send to the present and future people of the world: Outer space must remain a domain of peace, free of weapons of mass destruction, including nuclear weapons," said Kazuyuki Yamazaki, Japan's ambassador to the UN.

_This story originally appeared on_ _Ars Technica._

Russia Vetoed a UN Resolution to Ban Space Nukes

Sources suspect China is behind the targeted exploitation of two zero-day vulnerabilities in Cisco’s security appliances.

Network security appliances like firewalls are meant to keep hackers out. Instead, digital intruders are increasingly targeting them as the weak link that lets them pillage the very systems those devices are meant to protect. In the case of one hacking campaign over recent months, Cisco is now revealing that its firewalls served as beachheads for sophisticated hackers penetrating multiple government networks around the world.

On Wednesday, Cisco warned that its so-called Adaptive Security Appliances—devices that integrate a firewall and VPN with other security features—had been targeted by state-sponsored spies who exploited two zero-day vulnerabilities in the networking giant's gear to compromise government targets globally in a hacking campaign it's calling ArcaneDoor.

The hackers behind the intrusions, which Cisco's security division Talos is calling UAT4356 and which Microsoft researchers who contributed to the investigation have named STORM-1849, couldn't be clearly tied to any previous intrusion incidents the companies had tracked. Based on the group's espionage focus and sophistication, however, Cisco says the hacking appeared to be state-sponsored.

“This actor utilized bespoke tooling that demonstrated a clear focus on espionage and an in-depth knowledge of the devices that they targeted, hallmarks of a sophisticated state-sponsored actor,” a blog post from Cisco's Talos researchers reads.

Cisco declined to say which country it believed to be responsible for the intrusions, but sources familiar with the investigation tell WIRED the campaign appears to be aligned with China's state interests.

Cisco says the hacking campaign began as early as November 2023, with the majority of intrusions taking place between December and early January of this year, when it learned of the first victim. “The investigation that followed identified additional victims, all of which involved government networks globally,” the company's report reads.

In those intrusions, the hackers exploited two newly discovered vulnerabilities in Cisco's ASA products. One, which it's calling Line Dancer, let the hackers run their own malicious code in the memory of the network appliances, allowing them to issue commands to the devices, including the ability to spy on network traffic and steal data. A second vulnerability, which Cisco is calling Line Runner, would allow the hackers' malware to maintain its access to the target devices even when they were rebooted or updated. It's not yet clear if the vulnerabilities served as the initial access points to the victim networks, or how the hackers might have otherwise gained access before exploiting the Cisco appliances.

Cisco has released software updates to patch both vulnerabilities, and advises that customers implement them immediately, along with other recommendations for detecting whether they've been targeted. Despite the hackers' Line Runner persistence mechanism, a separate advisory from the UK's National Cybersecurity Center notes that physically unplugging an ASA device does disrupt the hackers' access. “A hard reboot by pulling the power plug from the Cisco ASA has been confirmed to prevent Line Runner from re-installing itself,” the advisory reads.

The ArcaneDoor hacking campaign represents just the latest series of intrusions to target network perimeter applications sometimes referred to as “edge” devices like email servers, firewalls, and VPNs—often devices intended to provide security—whose vulnerabilities allowed hackers to obtain a staging point inside a victim's network. Cisco's Talos researchers warn of that broader trend in their report, referring to highly sensitive networks that they've seen targeted via edge devices in recent years. “Gaining a foothold on these devices allows an actor to directly pivot into an organization, reroute or modify traffic and monitor network communications,” they write. “In the past two years, we have seen a dramatic and sustained increase in the targeting of these devices in areas such as telecommunications providers and energy sector organizations—critical infrastructure entities that are likely strategic targets of interest for many foreign governments.”

State-sponsored hackers' shift to compromising edge devices has become prevalent enough over the past year that Google-owned security firm Mandiant also highlighted it in its annual M-Trends report earlier this week, based on the company's threat intelligence and incident response findings. The report points to widely exploited vulnerabilities in network edge devices sold by Barracuda and Ivanti and notes that hackers—and specifically espionage-focused Chinese groups—are building custom malware for edge devices, in part because many networks have little or no way to monitor for compromise of the devices. Detecting the ArcaneDoor hackers' access to Cisco ASA appliances, in particular, is “incredibly difficult,” according to the advisory from the UK's NCSC.

Mandiant notes that it has observed Russian state-sponsored hackers targeting edge devices too: It's observed the unit of Russia's GRU military intelligence agency, known as Sandworm, repeatedly hack edge devices used by Ukrainian organizations to gain and maintain access to those victim networks, often for data-destroying cyberattacks. In some cases, the lack of visibility and monitoring in those edge devices has meant that Sandworm was able to wipe a victim network while holding on to its control of an edge device—then hit the same network again.

“They’re systemically targeting security appliances that sit on the edge for access to the rest of the network,” says John Hultquist, Mandiant's head of threat intelligence. “This is no longer an emerging trend. It's established."

Hultquist notes, however, that China is unmatched in its discovery and use of network appliance zero days, like the ones it has used to run rampant through Cisco firewalls over the past several months. He expects more to come, as China's cyberspies continue to turn devices meant to protect target networks against their owners. “It's unlikely these zero days are being produced haphazardly. We suspect a well-resourced, coordinated effort is underway to find and exploit these vulnerabilities,” Hultquist says. “Unfortunately, we'll almost certainly see several more zero-days in security appliances this year.”

'ArcaneDoor' Cyberspies Hacked Cisco Firewalls to Access Government Networks

Internal emails suggest that the company continued to provide gunshot data to police in cities where its contracts had been canceled.

When Mayor Brandon Johnson announced in February that Chicago would stop using the gunshot-detection system known as ShotSpotter by year’s end, local activists were elated.

Ever since 2021, when the police fatally shot 13-year-old Adam Toledo while responding to a ShotSpotter alert, the Stop ShotSpotter Campaign has been pressuring the city to ditch the technology. Johnson’s decision not to renew the Windy City’s contract with ShotSpotter was seen as the culmination of the campaign’s efforts.

But ending the contract may not be enough to remove the company’s more than 2,500 sensors from neighborhoods on the city’s South and West Sides, where they’re disproportionately located. Internal emails reviewed by _South Side Weekly_ and WIRED suggest that ShotSpotter keeps its sensors online and, in some instances, provides gunshot-detection alerts to police departments in cities where its contracts have expired or been canceled. The emails raise new questions about whether the more than 2,500 sensors in Chicago will be turned off and removed, regardless of Johnson’s decision.

“We continue to focus on serving the City of Chicago with our critical gunshot detection technology service during our contractual term,” a ShotSpotter spokesperson wrote in a statement. “Nothing has changed regarding our singular purpose to close the public safety gap by enabling law enforcement agencies globally to more efficiently and effectively respond to incidents of criminal gunfire … where gunshot wound victims’ lives are in the balance.”

An organizer who’s been active in the push to cancel ShotSpotter’s contract in Chicago wasn’t surprised that the company has continued to work with police behind the scenes in cities where contracts have ended.

“I think it’s exactly what cops and corporations do,” says Nathan Palmer, an organizer with the Stop ShotSpotter Campaign and Black Youth Project 100. “Especially when we’re thinking about Chicago, it would benefit ShotSpotter to keep the mics up and working so that they can also throw lobbying money at whoever’s gonna oppose Mayor Brandon Johnson in the next election.”

ShotSpotter, which rebranded as SoundThinking in 2023, has a customer base of roughly 170 cities, according to its most recent filing with the US Securities and Exchanges Commission. Chicago is not the first to deem the ShotSpotter technology not worth the cost. (By the time the city’s contract extension ends in November, ShotSpotter will have cost Chicago more than $57 million since then-mayor Rahm Emanuel inked a comprehensive deal with the company in 2018.)

San Antonio, San Diego, and Dayton, Ohio, have all joined a growing list of cities that have publicly cut ties with ShotSpotter. Confidential company emails reviewed by the _Weekly_ and WIRED, however, indicate that the company never completely pulled its technology out of some cities.

An October 2023 email sent to John Fountain, a director of field and network operations at SoundThinking who left the company in December, described how the company continued to secretly offer its help to police in cities where contracts had lapsed. The email, which addressed a shortage of sensors in a city with an active contract, apparently referred to Clark Dunson, SoundThinking’s director of systems engineering.

“I would like to imagine we can pull some \[sensors\] from an old coverage area … Maybe San Diego and Indianapolis,” wrote the sender, whose name was redacted. “Last time we looked to remove sensors from an old coverage area I know Clark flipped out since we still work with police using those sensors (which I did not know).”

A spokesperson for SoundThinking declined to answer detailed questions about what services the company has provided to police departments after contracts are up and instead emailed a statement. “SoundThinking believes this confidential information was illegally disclosed by ex-employees and is currently pursuing civil and criminal remedies against the private parties responsible,” the statement read. “Due to this ongoing litigation, we cannot comment specifically on the leaked materials; however, we will continue to object to the use of our stolen data and reinforce the safety and privacy risks of disclosing individual sensor locations.”

ShotSpotter is suing two former employees who the company alleges posted confidential company information on Twitter after one was fired in November.

In February, WIRED reported ShotSpotter sensor locations based on leaked company data showing more than 25,000 microphones arrayed across the globe. Those maps revealed active sensors remained in both San Diego and Indianapolis. The Indianapolis Metropolitan Police recently told the _Indianapolis Star_ that it does not have a contract with the company after piloting technology from three different gunshot-detection companies in 2022.

“The evaluation of whether or not gunshot detection technology system is right for Indianapolis is still ongoing,” a police spokesperson told the _Star_. The statement added that the department believed it was ShotSpotter’s responsibility to remove its sensors.

ShotSpotter doesn’t sell its sensors to cities. Instead, the company uses a software-as-service model, billing cities for the software and applications that allow police to access ShotSpotter alerts. When a contract expires, the company apparently doesn’t always retrieve its sensors.

An email from Fountain dated from December 2022 estimated that there were a “few hundred sensors still installed” in San Diego and that they are “active even if the market isn’t.”

Fountain again noted that removing any sensors from San Diego would require Clark Dunson’s approval. “Clark is really pushy and he likes to tinker around with those coverage area\[s\] but I imagine we can pull a few here and there,” he wrote.

In August 2023, Dunson sent an internal email that said ShotSpotter had been providing “test alerts” to police in San Diego and San Antonio. “As a last resort we can pull sensors away from San Diego or San Antonio if needed but Lee \[Lim, a SoundThinking tech-support engineer\] has been working with the PD in those areas giving test alerts and tracking down detections for them.”

The San Diego Police Department denied that sensors in that city are active or collecting any data. SDPD also claimed to have never asked the company for help with gunshot detections in any incidents involving homicides or shootings.

“At this time, there is no contract and there is no plan to move forward with the company,” a spokesperson for the department wrote in an email. San Diego and ShotSpotter entered into an agreement that allows the company to leave its sensors on city property. “However, as of September 2021, the equipment is deactivated, cannot collect any data, and is inoperable.”

But emails the _Weekly_ and WIRED obtained via a California Public Records Act request show that ShotSpotter stayed in touch with SDPD for more than 15 months after the city’s contract expired in September 2021. In those emails, ShotSpotter support staff routinely address SDPD as a “ShotSpotter Customer.”

These weren’t just mass marketing emails that all customers past and present are frequently subjected to. The emails we obtained show that in October 2021, after the contract had lapsed, ShotSpotter also provided an SDPD officer with an “investigative lead summary” about a shooting in San Diego, including the precise location and the number of rounds detected, upon SDPD’s request.

ShotSpotter also sent SDPD emails updating the department about routine scheduled maintenance in October 2022 and how the company planned to address the “extremely high volume of fireworks activities” around New Year’s Day in 2023.

“Despite our efforts, we may occasionally miss a gunshot in error,” wrote Dinh Nguyen, a technical support engineer at ShotSpotter, in a December 2022 email to SDPD. “You may also experience some delays in the publication of incidents.”

ShotSpotter is not on a list of surveillance technologies the SDPD is required to frequently publish as a part of a sweeping surveillance ordinance passed by the San Diego City Council in August 2022 and amended in January of this year.

A San Diego councilmember whose district includes several of the neighborhoods where ShotSpotter sensors were installed in 2016 said that their “office is aware of the ShotSpotter situation” via a spokesperson. In July 2021, the then-District Four councilmember requested the city remove sensors from his district, which helped scuttle the contract renewal.

“A request to remove such \[sensors\] has been forwarded to the San Diego Police Department and the mayor’s office,” a spokesperson for current District Four councilmember Henry L. Foster III (who was sworn in in April) wrote in an email to the _Weekly_ and WIRED. “Devices that have not been approved in accordance with the Surveillance Ordinance should not be installed and or operational by the City of San Diego or third party.”

San Diego mayor Todd Gloria’s office did not respond to requests for comment.

In 2021, San Diego’s city council pulled a scheduled vote on a four-year extension to ShotSpotter from its agenda, effectively sunsetting the city’s agreement with the company. Although Gloria’s office said in statements at the time that it would bring the extension back up in the city council, there is no indication that it did.

Based on a map of the secret locations of every ShotSpotter sensor in the country published by WIRED, there are still about 30 active sensors in San Diego, most of which are clustered near UC San Diego’s La Jolla campus and the Scripps Institution of Oceanography.

When asked to comment on whether SDPD receives and responds to ShotSpotter alerts from these active sensors, a spokesperson for the department directed questions to the UCSD police. UCSD did not respond to requests for comment.

The _Weekly_ and WIRED requested emails sent between San Antonio Police Department and ShotSpotter dated after the city’s contract with ShotSpotter expired in the fall of 2017. In March, the SAPD filed an appeal with the Texas attorney general, seeking to have the responsive records withheld under a laundry list of exemptions provided for by the state’s public records act. The police provided sealed records to the Texas AG to review. The AG is expected to decide whether to release the records by May.

SAPD said that after the contract lapsed, the department never asked ShotSpotter for assistance, and no arrests were made based on detections provided by the company.

Records produced in response to a separate public records request show that ShotSpotter sent four-term San Antonio mayor Ron Nirenbergt at least two marketing emails months after the city council voted not to include ShotSpotter in its budget for the upcoming fiscal year. The company does not appear to have communicated with his office after November 2018, however. Nirenberg’s office did not respond to requests for comment.

“To me it sounds like, on their part, another strategic business decision, and that’s what they’re doing in every city,” says Palmer, the Stop ShotSpotter organizer. “It sounds like a business decision, because they don’t actually care about public safety.”

_This story was copublished in collaboration between_ Southside Weekly _and_ WIRED.

ShotSpotter Keeps Listening for Gunfire After Contracts Expire

The company belatedly conceded both that it had paid the cybercriminals extorting it and that patient data nonetheless ended up on the dark web.

More than two months after the start of a ransomware debacle whose impact ranks among the worst in the history of cybersecurity, the medical firm Change Healthcare finally confirmed what cybercriminals, security researchers, and Bitcoin's blockchain had already made all too clear: that it did indeed pay a ransom to the hackers who targeted the company in February. And yet, it still faces the risk of losing vast amounts of customers' sensitive medical data.

In a statement sent to WIRED and other news outlets on Monday evening, Change Healthcare wrote that it paid a ransom to a cybercriminal group extorting the company, a hacker gang known as AlphV or BlackCat. “A ransom was paid as part of the company’s commitment to do all it could to protect patient data from disclosure,” the statement reads. The company's belated admission of that payment accompanied a new post on its website where it warns that the hackers may have stolen health-related data that would “cover a substantial proportion of people in America.”

Cybersecurity and cryptocurrency researchers told WIRED last month that Change Healthcare appeared to have paid that ransom on March 1, pointing to a transaction of 350 bitcoins or roughly $22 million sent into a crypto wallet associated with the AlphV hackers. That transaction was first highlighted in a message on a Russian cybercriminal forum known as RAMP, where one of AlphV's allegedly jilted partners complained that they hadn't received their cut of Change Healthcare's payment. However, for weeks following that transaction, which was publicly visible on Bitcoin's blockchain and which both security firm Recorded Future and blockchain analysis firm TRM Labs told WIRED had been received by AlphV, Change Healthcare repeatedly declined to confirm that it had paid the ransom.

Change Healthcare's confirmation of that extortion payment puts new weight behind the cybersecurity industry's fears that the attack—and the profit AlphV extracted from it—will lead ransomware gangs to further target health care companies. “It 100 percent encourages other actors to target health care organizations,” Jon DiMaggio, a researcher with cybersecurity firm Analyst1 who focuses on ransomware, told WIRED at the time the transaction was first spotted in March. “And it’s one of the industries we _don’t_ want ransomware actors to target—especially when it affects hospitals.”

Compounding the situation, a conflict between hackers in the ransomware ecosystem has led to a _second_ ransomware group claiming to possess Change Healthcare's stolen data and threatening to sell it to the highest bidder on the dark web. Earlier this month that second group, known as RansomHub, sent WIRED alleged samples of the stolen data that appeared to come from Change Healthcare's network, including patient records and a contract with another health care company.

As of Monday, strangely, the listing for that data on RansomHub's dark-web site had been taken down. Change Healthcare's post to its website, however, warns that 22 screenshots of its data had been posted to the dark web by an unnamed hacker group, and that they included “protected health information (PHI) or personally identifiable information (PII),” though it said it hadn't seen any sign that medical records like doctor's charts or full medical histories for any patients were among the stolen data.

For Change Healthcare and the beleaguered medical practices, hospitals, and patients that depend on it, the confirmation of its extortion payment to the hackers adds a bitter coda to an already dystopian story. AlphV's digital paralysis of Change Healthcare, a subsidiary of UnitedHealth Group, snarled the insurance approval of prescriptions and medical procedures for hundreds of medical practices and hospitals across the country, making it by some measures the most widespread medical ransomware disruption ever. A survey of American Medical Association members conducted between March 26 and April 3 found that four out of five clinicians had lost revenue as a result of the crisis. Many said they were using their own personal finances to cover a practice’s expenses. Change Healthcare, meanwhile, says it has lost $872 million to the incident and projects that number to rise well over a billion in the longer term.

Change Healthcare's confirmation of its ransom payment now appears to show that much of that catastrophic fallout for the US health care system unfolded _after_ it had already paid the hackers an exorbitant sum—a payment in exchange for a decryption key for the systems the hackers had encrypted and a promise not to leak the company's stolen data. As is often the case in ransomware attacks, AlphV's disruption of its systems appears to have been so widespread that Change Healthcare's recovery process has extended long after it obtained the decryption key designed to unlock its systems.

As ransomware payments go, $22 million wouldn't be the most that a victim has forked over. But it's close, says Brett Callow, a ransomware-focused security researcher who spoke to WIRED about the suspected payment in March. Only a few rare payments, such as the $40 million paid to hackers by CNA Financial in 2021, top that number. “It’s not without precedent, but it’s certainly very unusual,” Callow said of the $22 million figure.

That $22 million injection of funds into the ransomware ecosystem further fuels a vicious cycle that has reached epidemic proportions. Cryptocurrency tracing firm Chainalysis found that in 2023, ransomware victims paid the hackers targeting them fully $1.1 billion, a new record. Change Healthcare's payment may represent only a small drop in that bucket, but it both rewards AlphV for its highly damaging attacks and may suggest to other ransomware groups that health care companies are particularly profitable targets, given those companies are especially sensitive to both the high cost of those cyberattacks financially and the risks they pose to patients' health.

Compounding Change Healthcare's mess is an apparent double-cross within the ransomware underground: AlphV, by all appearances, faked its own law enforcement takedown after receiving Change Healthcare's payment in an attempt to avoid sharing it with its so-called affiliates, the hackers who partner with the group to penetrate victims on its behalf. The second ransomware group threatening Change Healthcare, RansomHub, now claims to WIRED that they obtained the stolen data from those affiliates, who still want to be paid for their work.

That has created a situation where Change Healthcare's payment provides little assurance that its compromised data won't still be exploited by disgruntled hackers. “These affiliates work for multiple groups. They’re concerned with getting paid themselves, and there’s no trust among thieves,” Analyst1's DiMaggio told WIRED in March. “If someone screws someone else, you don’t know what they’re going to do with the data.”

All of that means Change Healthcare still has little assurance that it has avoided an even worse scenario than it has yet faced: paying what may be one of the biggest ransoms in history and still seeing its data spilled onto the dark web. “If it gets leaked after they paid $22 million, it’s pretty much like setting that money on fire,” DiMaggio warned in March. “They’d have burned that money for nothing.”

Change Healthcare Finally Admits It Paid Ransomware Hackers—and Still Faces a Patient Data Leak

Over the weekend, President Joe Biden signed legislation not only reauthorizing a major FISA spy program but expanding it in ways that could have major implications for privacy rights in the US.

The ability of the United States to intercept and store Americans’ text messages, calls, and emails in pursuit of foreign intelligence was not only extended but enhanced over the weekend in ways likely to remain enigmatic to the public for years to come.

On Saturday, US president Joe Biden signed a controversial bill extending the life of a warrantless US surveillance program for two years, bringing an end to a months-long fight in Congress over an authority that US intelligence agencies acknowledge has been widely abused in the past.

At the urging of the agencies and with the help of powerful bipartisan allies on Capitol Hill, the program has also been extended to cover a wide range of new businesses, including US data centers, according to recent analysis by legal experts and civil liberties organizations that were vocally opposed to its passage.

Section 702 of the Foreign Intelligence Surveillance Act, or FISA, allows the US National Security Agency (NSA) and Federal Bureau of Investigation (FBI), among other agencies, to eavesdrop on calls, texts, and emails traveling through US networks, so long as one side of the communication is foreign.

Americans caught up in the program face diminished privacy rights.

While the government requires a foreign target to commence a wiretap, Americans are often party to those intercepted conversations. And although US attorney general Merrick Garland insisted in a statement on Saturday that the updates to the 702 program “ensure the protection of Americans' privacy and civil liberties,” and that the government never intentionally targets Americans, the government nevertheless reserves the right to store their communications and access them later without probable cause.

“Section 702 is supposed to be used only for spying on foreigners abroad,” says Dick Durbin, chair of the Senate Judiciary Committee. “Instead, sadly, it has enabled warrantless access to vast databases of Americans’ private phone calls, text messages, and emails.”

Under the law, the government can retain communications captured by the 702 program for half a decade or more—indefinitely, so long as the government makes no effort to decrypt them.

A trade organization representing some of the world’s largest tech companies came out against plans to expand Section 702 in the final hours of the debate, claiming that a new provision authored by House Intelligence Committee members would damage the competitiveness of US technologies, “arguably imperiling the continued global free flow of data between the US and its allies.”

US intelligence obtains its vast surveillance power through yearly certifications doled out by a secret court. The certifications permit the NSA in particular to force businesses in the US—categorized as “electronic communications service providers,” or ECSPs—to cooperate with the program, collecting data and installing wiretaps on the agency’s behalf.

Years ago, the government sought to unilaterally expand the definition of ECSP under the law, seeking to compel the cooperation of whole new categories of businesses. That effort was beaten back by the FISA court in 2022, in a ruling that stated only Congress has the “competence and constitutional authority” to rewrite the law.

On the spy community’s behalf, the House Intelligence Committee introduced an amendment last year to codify the sought-after expansion of the 702 program, broadening the definition of what it means to be an ECSP.

With the backing of party leaders, the House and Senate intel committees maintained an outsize influence over the bill’s trajectory through Congress, lobbying lawmakers hand-in-hand with the intelligence community to defeat a slate of popular reforms, including a House amendment that would have required the FBI to obtain search warrants before accessing the communications of Americans collected under Section 702.

The House and Senate judiciary committees, which oversee the work of the US Justice Department, have traditionally held jurisdiction over FISA. However, much of their authority was sapped after the House speaker, Mike Johnson, adopted the pro-surveillance views of the intel committee members, which align with those of the White House.

Legal experts—including a rare few attorneys who’ve argued cases before the FISA court in the past—say the new ECSP text ensnares owners of facilities housing equipment used to store and carry data, as well as commercial landlords and virtually anyone with access to communications equipment in those spaces. The text, they argue, may be interpreted by the government as granting it authority to compel the assistance of “delivery personnel, cleaning contractors, and utility providers,” among others.

Criticism of the 702 program largely stems from revelations of abuse in a declassified court filing from 2022, which describes rampant misuse of the 702 database by the FBI. Investigators at the bureau have been caught unlawfully scouring 702 data for information on American protesters, journalists, and political donors. On at least one occasion, an FBI analyst worked to access the communications of a sitting member of Congress.

The FBI instituted scores of new procedures in an attempt to clamp down on the abuse internally, practices that are now codified under the law. House and Senate intelligence members say codifying the policies will serve as a sufficient bulwark against further abuse. Civil libertarians who have pursued new warrant requirements under FISA—an amendment that was dropped after a tie vote in the House of Representatives last week—argue, conversely, that the FBI should not be trusted to oversee itself in the wake of recent scandal.

Liza Goitein, a FISA expert and senior director at the Brennan Center of Justice at New York University School of Law, says the bill signed by Biden on Saturday represents “a gift to any president who may wish to spy on political enemies.”

“Although some senators fought valiantly to protect Americans’ civil liberties, they could not overcome the barrage of false and misleading statements from the administration and surveillance hawks on the congressional intelligence committees,” says Goitein. “This is a truly shameful episode in the history of the US Congress, and sooner or later, the American people will pay the price.”

The Next US President Will Have Troubling New Surveillance Powers

Thousands of exposed files on a misconfigured North Korean server hint at one way the reclusive country may evade international sanctions.

For almost a decade, Nick Roy has been scanning North Korea’s tiny internet presence, spotting new websites coming online and providing a glimpse of the Hermit Kingdoms’ digital life. However, at the end of last year, the cybersecurity researcher and DPRK blogger stumbled across something new: signs North Koreans are working on major international TV shows.

In December, Roy discovered a misconfigured cloud server on a North Korean IP address containing thousands of animation files. Included in the cache were animation cells, videos, and notes discussing the work, plus changes that needed to be made to ongoing projects. Some images appeared to be from an Amazon Prime Video superhero show and an upcoming Max (aka HBO Max) children’s anime.

The findings and security lapse—detailed in a report by the Stimson Center think tank's North Korea–focused 38 North Project, which helped analyze the findings along with Google-owned security firm Mandiant—provide a glimpse at how North Korea can use skilled IT and tech workers to raise funds for its heavily sanctioned regime. It also comes as US officials increasingly warn about North Korean IT workers infiltrating companies and their outsourcing.

North Korea’s internet is a small—and fragile—space. The repressive nation only has 1,024 IP addresses and around 30 websites that connect to the global internet. While there is a limited internal intranet, only a few thousand of the country’s 26 million people can get on the internet. When they do, it’s highly controlled: These select few North Koreans can use the internet for an hour at a time and have a person sitting next to them approving their use every five minutes.

When Roy discovered the exposed cloud server, it was being updated on a daily basis. Martyn Williams, a senior fellow on the 38 North Project who helped analyze the contents of the server, says the server likely allowed work to be sent to and from North Korean animators. The server itself is still live, but it mysteriously stopped being used at the end of February. While there is a login page, its contents can be accessed without a username and password. “I found the login page after I found all the exposed files,” Roy says.

Inside, the files contained editing comments and instructions in Chinese which were translated to Korean, the researchers write in their report. “For a lot of the animation files, we would find things like spreadsheets with details of the workflow,” Williams says. A sample of the files shared with WIRED show detailed anime images and video clips, with notes for the authors and date stamps on various files. In one instance, the report says, an animator was “asked to improve the shape of the character’s head.”

Based on the documents and drawings, the researchers were able to identify some of the shows and projects the North Koreans were working on. Some of the projects included work from season 3 of the Amazon show _Invincible_, which is produced by California-based Skybound Entertainment. There were also documents linked to Max and Cartoon Network show _Iyanu: Child of Wonder_, produced by YouNeek Studios, as well as files from a Japanese anime series and an animation studio in Japan.

Some file names gave away clues about the series and episode numbers. There were also files and projects the researchers could not identify—including a “bunch of files” with videos of horses and a Russian book on horses, Williams says.

Sanctions placed upon the North Korean regime, for its ongoing human rights abuses and nuclear warfare programs, prohibit US companies from working with DPRK companies or individuals. However, the researchers say it is highly unlikely that any companies involved would have a clue about North Korean animators working on the shows, and there is nothing suggesting the companies violated any sanctions or other laws. “It is likely that the contracting arrangement was several steps downstream from the major producers,” the report says.

Spokespeople for Amazon and Max spokesperson declined to comment for this story. YouNeek Studios did not respond to a request for comment.

“We do not work with North Korean companies, or Chinese companies on _Invincible_, or any affiliated entities, and have no knowledge of any North Korean or Chinese companies working on _Invincible_,” a spokesperson for Skybound Entertainment says. “We take any claims very seriously and have commenced an investigation into this.” In a post on X, the company characterized the findings as “unconfirmed” and said it is working with authorities to investigate.

Williams says it is possible that a front company in China is used to help disguise the activity and involvement of North Koreans. The researchers were able to analyze connections to the exposed server and, despite most having their location masked by a VPN, spotted access from Spain and three Chinese cities. “All three cities are known to have many North Korean–operated businesses and are main centers for North Korea’s IT workers who live overseas,” the report says.

While Williams says the researchers did not find any identifiable names of North Korean organizations buried in the files, the country has a well-established animation company called April 26 Animation Studio, which is also known as SEK Studio. Originally set up in the 1950s, the studio has worked on hundreds of international TV shows and movies.

However, in recent years, the US Treasury Department has sanctioned SEK Studios, individuals linked to it, and various “front companies” that it says are used to “work for foreign customers.” Many of these have links to China, according to the sanctions. “SEK Studio has utilized an assortment of front companies to evade sanctions targeting the government of the DPRK and to deceive international financial institutions,” a statement issued as part of the sanctions in 2021 says.

The main aim of these efforts, says Michael Barnhart, a North Korea researcher at Mandiant, is to raise money for the North Korean regime. The country’s hackers and scammers have stolen and extorted billions of dollars to help fund its military ambitions in recent years, including from huge cryptocurrency heists. In early 2022, the FBI issued a 16-page alert warning companies that remote North Korean freelance IT workers were infiltrating businesses to earn money they could funnel back home.

“The volume is much higher than we were expecting,” Barnhart says of North Korea’s IT workers. They are constantly changing their tactics to avoid being caught, he says. “We had one not too long ago, where during the interview, the person’s mouth was just off-frame. You could tell that someone in the background was speaking on their behalf.” Technically, Barnhart says, companies should verify their remote workers’ devices and make sure that there is no remote software connecting to a company laptop or network. Businesses should also put extra efforts at the hiring stage by training HR staff to detect possible IT workers.

However, he says, increasingly there is a greater crossover between North Korean IT workers and individuals who are members of known hacking groups or classified as advanced persistent threats (APTs). “The more we focus on IT workers, the more we’re starting to see APT operators and efforts blending in with those,” he says. “This might be the most quick learning-on-your-feet, nimble nation-state that I've ever seen.”

North Koreans Secretly Animated Amazon and Max Shows, Researchers Say

Plus: New York’s legislature suffers a cyberattack, police disrupt a global phishing operation, and Apple removes encrypted messaging apps in China.

Looking for love? Be careful what you wish for.

A loose-knit community of con artists known as Yahoo Boys has begun using real-time face-swap technology to woo victims with romance scams. Using a variety of tools and techniques, the scammers use AI-powered apps to make themselves look like entirely different people on video calls. Just remember: If someone you’ve never met IRL is asking you for money, just say no.

Elsewhere in the world of harmful deepfakes, two major websites used for creating fake nude images of people are now blocked in the United Kingdom. The censorship, which appears to be self-imposed, comes just days after the UK proposed legislation that would ban nonconsensual, sexualized AI-generated images.

A Russian cybercriminal gang called Cyber Army of Russia Reborn appears to have been created with the help of Sandworm, the notorious Russian military hacking unit that has carried out devastating cyberattacks against Ukraine for years. The difference? Cyber Army of Russia Reborn is even more brazen, taking credit for attacks against critical infrastructure in Europe and the United States.

Change Healthcare’s ransomware saga entered a new chapter this week. A cybercriminal group called RansomHub claims to be selling highly sensitive patient information stolen from the company. The sale follows RansomHub’s claims that it possesses terabytes of data stolen in a February attack by another ransomware gang known as AlphV or Black Cat, which received a $22 million payment in March. Change Healthcare says it has spent $872 million response to the ransomware attack as of March 31.

The biggest global surveillance program carried out by the US may be about to get bigger. A two-year renewal of Section 702 of the Foreign Intelligence Surveillance Act, which technically expired on Friday, will soon go up for a vote by the US Senate after passing the House last week. Included in the legislation is a provision that would greatly expand the number of businesses that could be conscripted to spy on behalf of the US government, which critics have called the “Stasi provision.” One of the largest lobbying firms for Big Tech companies has opposed the provision over fears that tech industry workers could be forced to become informants.

That’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

There’s a kernel of truth in every good fiction, which is why the very real Defense Advanced Research Projects Agency, or Darpa, is a constant go-to for shows like the _X-Files_ and games like _Metal Gear Solid_. It tends to pop up whenever a shadowy government agency is needed to reverse engineer a stolen alien artifact or construct a giant killer robot. A Darpa announcement this Thursday, however, sounds almost too much like the opening sequence of a Hideo Kojima game: With the help of the US Air Force Test Pilot School, the agency says an experimental aircraft known as the X-62 was successfully flown by artificial intelligence during a simulated dogfight against a human pilot in an F-16. “The potential for autonomous air-to-air combat has been imaginable for decades,” US Air Force secretary Frank Kendall says, “but the reality has remained a distant dream up until now.”

**New York State Legislature Hit by Cyberattack**

Details are scant as to the impact, but for at least several hours this week, hackers felled computer systems supporting the work of New York’s state legislature. While an attack on something called the Legislative Bill Drafting Commission isn’t quite as jaw-dropping as one against a power plant or a naval base, the LBDC is one of a dozen required stops that legislation in New York must make en route to becoming law. Bills can’t be introduced, amended, or reviewed by committee without it, much less get a vote. Luckily, the agency reports it was able to get back on its feet within a few hours using a “backup system.” An investigation of the attack is ongoing.

**Police Disrupt Global Phishing Operation**

An armada of law enforcement agencies arrested 37 suspects around the world last weekend in an operation targeting LabHost, reportedly one of the world’s largest phishing-as-a-service platforms. The investigation was spearheaded by the London Metropolitan Police in cooperation with Europol. Investigators uncovered a whopping 40,000 phishing domains being operated by as many as 10,000 users worldwide, Europol says. LabHost charged a monthly fee of $249. That cybercriminals have discovered the psychological benefits of just-below pricing is yet another sign of the growing popularity and sophistication of these markets.

**Apple Removes Encrypted Messaging Apps in China**

Encrypted messaging apps WhatsApp, Signal, and Telegram have gone the way of Winnie the Pooh. Citing “national security concerns,” China ordered Apple to delete “certain apps” from its Chinese App Store this week, the tech behemoth announced (while neglecting to specify which ones). Apple reportedly met with Chinese authorities to express concern over how banning the apps would impact its users but relented after being met with a stone wall. “We are obligated to follow the laws in the countries where we operate,” the company said, “even when we disagree.” Apple is heavily dependent on China’s workforce to manufacture its products, and sales in the region have topped $70 billion in recent years. That Apple has become beholden to the Chinese government because of this is no longer much of a secret.

AI-Controlled Fighter Jets Are Dogfighting With Human Pilots Now

The world's most-visited deepfake website and another large competing site are stopping people in the UK from accessing them, days after the UK government announced a crackdown.

Two of the biggest deepfake pornography websites have now started blocking people trying to access them from the United Kingdom. The move comes days after the UK government announced plans for a new law that will make creating nonconsensual deepfakes a criminal offense.

Nonconsensual deepfake pornography websites and apps that “strip” clothes off of photos have been growing at an alarming rate—causing untold harm to the thousands of women they are used to target.

Clare McGlynn, a professor of law at Durham University, says the move is a “hugely significant moment” in the fight against deepfake abuse. “This ends the easy access and the normalization of deepfake sexual abuse material,” McGlynn tells WIRED.

Since deepfake technology first emerged in December 2017, it has consistently been used to create nonconsensual sexual images of women—swapping their faces into pornographic videos or allowing new “nude” images to be generated. As the technology has improved and become easier to access, hundreds of websites and apps have been created. Most recently, schoolchildren have been caught creating nudes of classmates.

The blocks on the deepfake websites in the UK were first spotted today, with two of the most prominent services displaying notices on their landing pages that they are no longer accessible to people visiting from the country. WIRED is not naming the two websites due to their enabling of abuse.

One of the websites with the restriction in place is the biggest deepfake pornography website existing today. Its homepage, when visiting from the UK, displays a message saying access is denied. “Due to laws or (upcoming) legislation in your country or state, we are unfortunately obligated to deny you access to this website,” the message says. It also shows the visitor’s IP address and country.

The other website, which also has an app, displays a similar message. “Access to the service in your country is blocked,” it says, before hinting there may be ways to get around the geographic restriction. The websites do not appear to have any restrictions in place when visiting from the United States, although may also be restricted in other countries.

It is not immediately clear why the sites have introduced the location blocks or whether they have done so in response to any legal orders or notices. Nor is it clear whether the blocks are temporary. Messages sent to the websites through email addresses and contact forms went unanswered. The creators of the websites have not posted any public messages on the websites or their social media channels about the blocks.

Ofcom, the UK’s communications regulator, has the power to persue action against harmful websites under the UK’s controversial sweeping online safety laws that came into force last year. However, these powers are not yet fully operational, and Ofcom is still consulting on them.

It’s likely the restrictions may significantly limit the amount of people in the UK seeking out or trying to create deepfake sexual abuse content. Data from Similarweb, a digital intelligence company, shows the biggest of the two websites had 12 million global visitors last month, while the other website had 4 million visitors. In the UK, they had around 500,000 and 50,000 visitors, respectively.

This week, politicians in the UK announced plans for a law that criminalizes the creation of nonconsensual deepfakes. Under the law, which is yet to be passed, people could face an unlimited fine if they create deepfakes to “cause alarm, humiliation, or distress to the victim.” This builds on previous provisions that make it illegal for people in the UK to share sexualized deepfakes.

“While it’s unclear if these platforms have been ordered to block UK access or have done so proactively due to the recent criminalization, it shows legislation can make a meaningful difference in removing the legal ambiguity that many deepfake pornography platforms use as cover for the clear ethical harms they cause,” Henry Ajder, an AI and deepfake expert, tells WIRED. Ajder adds that search engines and hosting providers around the world should be doing more to limit the spread and creation of harmful deepfakes.

While the two websites can still be accessed in the UK using a VPN, the restrictions are a sign that constant pressure—from lawmakers, tech companies, and campaigners—can make deepfake porn harder to access and create. “Of course, people will be able to use VPN to access these websites and apps, but that introduces friction,” Durham University’s McGlynn says. “It introduces a message that there’s something wrong and harmful about this material such that you have to use a VPN to access it.”

“Hopefully,” McGlynn adds, “this can show other governments around the world that if we take steps, we could actually reduce the prevalence \[of\] and easy access to deepfake sexual abuse material.”

The Biggest Deepfake Porn Website Is Now Blocked in the UK

One juror in former US president Donald Trump’s criminal case in New York has been excused over fears she could be identified. It could get even messier.

You’ve been asked to serve on the jury in the first-ever criminal prosecution of a United States president. What could possibly go wrong? The answer, of course, is everything.

A juror in former president Donald Trump’s ongoing criminal trial in New York was excused on Thursday after voicing fears that she could be identified based on biographical details that she had given in court. The dismissal of Juror 2 highlights the potential dangers of participating in one of the most politicized trials in US history, especially in an age of social media frenzies, a highly partisan electorate, and a glut of readily available personal information online.

Unlike jurors in federal cases, whose identities can be kept completely anonymous, New York law allows—and can require—the personal information of jurors and potential jurors to be divulged in court. Juan Merchan, the judge overseeing Trump’s prosecution in Manhattan, last month ordered that jurors’ names and addresses would be withheld. But he could not prevent potential jurors from providing biographical details about themselves during the jury selection process, and many did. Those details were then widely reported in the press, potentially subjecting jurors and potential jurors to harassment, intimidation, and threats—possibly by Trump himself. Merchan has since blocked reporters from publishing potential jurors’ employment details.

The doxing dangers that potential jurors face became apparent on Monday, day one of the proceedings. An update in a _Washington Post_ liveblog about Trump’s trial revealed the Manhattan neighborhood where one potential juror lived, how long he’d lived there, how many children he has, and the name of his employer. Screenshots of the liveblog update quickly circulated on social media, as people warned that the man could be doxed, or have his identity revealed publicly against his will with the intent to cause harm, based solely on that information.

“It's quite alarming how much information someone skilled in OSINT could potentially gather based on just a few publicly available details about jurors or potential jurors,” says Bob Diachenko, cyber intelligence director at data-breach research organization Security Discovery and an expert in open source intelligence research.

Armed with basic personal details about jurors and certain tools and databases, “an OSINT researcher could potentially uncover a significant amount of personal information by cross-referencing all this together,” Diachenko says. “That's why it's crucial to consider the implications of publicly revealing jurors' personal information and take steps to protect their privacy during criminal trials.”

Even without special OSINT training, it can be trivial to uncover details about a juror’s life. To test the sensitivity of the information the _Post_ published, WIRED used a common reporting tool to look up the man’s employer. From there, we were able to identify his name, home address, phone number, email address, his children’s and spouse’s identities, voter registration information, and more. The entire process took roughly two minutes. The _Post_ added a clarification to its liveblog explaining that it now excludes the man’s personal details.

The ready availability of those details illustrates the challenges in informing the public about a highly newsworthy criminal case without interfering in the justice process, says Kathleen Bartzen Culver, the James E. Burgess Chair in Journalism Ethics and director of the School of Journalism & Mass Communication at the University of Wisconsin-Madison.

“Simply because a notable figure is on trial does not mean that a juror automatically surrenders any claim to privacy,” Bartzen Culver says. “People who have been drawn into a case that is exceptionally newsworthy are not aware that a simple statement that they make about where they work might identify them and open them up to scrutiny and possibly risk.”

The dangers to jurors or potential jurors has only increased since the first day of jury selection, which remains ongoing, in part due to the challenges of prosecuting a former US president and the presumptive Republican nominee in the 2024 US presidential election. Trump is charged with 34 counts of falsifying business records, a class E felony in New York state, for payments made ahead of the 2016 presidential election related to alleged affairs with two women, adult performer Stormy Daniels and Playboy model Karen McDougal. Trump has claimed his prosecution is a “communist show trial” and a “witch hunt” and has pleaded not guilty.

On Fox News, coverage of Trump’s trial has repeatedly focused on the potential political motivations of the jurors, bolstering the former president’s claims. Trump, in turn, has repeated the claims by the conservative news network’s hosts. In a post on Truth Social on Wednesday, Trump quoted Fox News commentator Jesse Watters claiming on air that potential jurors in Trump’s trial are “undercover liberal activists lying to the judge in order to get on the Trump jury.” This, despite a gag order that forbids Trump from “making or directing others to make public statements about any prospective juror or any juror in this criminal proceeding.”

Broader media coverage of the Trump trial jurors appears to often be the work of political reporters who are unfamiliar with the journalism ethics specific to covering a criminal trial, says UW-Madison’s Bartzen Culver. “It's like when political reporters covered Covid and science journalists lost their minds.” She adds that it’s important for any journalist covering a criminal case—Trump’s or otherwise—to “consider our role within the justice system.”

“Unethical behavior by journalists can delay trials. It can result in overturned convictions and the people having to go back and do a retrial,” Bartzen Culver says. “That all works against our system of justice.”

The New York case is one of four ongoing criminal proceedings against Trump. In Georgia, where he faces multiple felony charges for alleged attempts to interfere with the state’s electoral process in 2020, Trump supporters leaked the addresses of members of the grand jury, after their names were listed in the 98-page indictment against the former president, as required by state law. Georgia’s Fulton County Sheriff’s Office said last August that it was investigating threats against the jury members. The incident highlights the persistent dangers people can face from Trump’s supporters, both in the near term and for the rest of their lives, if they’re viewed as having acted against him.

The leaks were discovered by Advance Democracy Inc. (ADI), a nonpartisan, nonprofit research and investigations organization founded by Daniel J. Jones, a former investigator for the FBI and the US Senate Intelligence Committee. So far, Jones tells WIRED, ADI has not uncovered attempts to dox jurors in Trump’s New York trial. But it’s still early days.

“We have not yet found identifying information on the extremist forums we monitor,” Jones says. “Having said that, I share your concern that it is only a matter of time before this happens.”

The Trump Jury Has a Doxing Problem

Watch how smooth-talking scammers known as “Yahoo Boys” use widely available face-swapping tech to carry out elaborate romance scams.

The compliments start flowing as soon as she answers the video call. “Wow, you so pretty, honey,” says the man on the other side of the screen. His video feed shows he’s white, with short hair, likely a few years younger than her, and is sitting in front of his camera wearing a plaid shirt.

“You’re looking different with that beard and stuff gone,” the woman says in an American accent as the conversation gets going. The man doesn’t miss a beat. “I told you I was going to shave my beard so I will look good.”

Except, he isn’t who he claims to be. His videofeed is a lie. And—beard or not—the face the woman can see over the video call is not his: It’s a deepfake.

In reality, the man is a scammer using face-swapping technology to totally change his appearance in real time. In a video of the call—filmed by the scammer’s accomplice likely thousands of miles away from the woman—his real face can be seen on this laptop alongside the fake persona as he speaks to his victim.

This self-shot video is one of scores posted online by scammers known as Yahoo Boys, a loose collective of con artists, often based in Nigeria. The video reveals how they are using deepfakes and face-swapping to ensnare victims in romance scams, building trust with victims using fake identities, before tricking them into parting with thousands of dollars. More than $650 million was lost to romance fraud last year, the FBI says.

A Yahoo Boy scammer uses multiple phones and face-swapping software against a victim. It’s one of two techniques the group uses for real-time calls.

The Yahoo Boys have been experimenting with deepfake video clips for around two years and shifted to more real-time deepfake video calls over the last year, says David Maimon, a professor at Georgia State University and the head of fraud insights at identity verification firm SentiLink. Maimon has monitored the Yahoo Boys on Telegram for more than four years and shared dozens of videos with WIRED revealing how the scammers are using deepfakes.

A WIRED review of the videos and three associated Yahoo Boy Telegram channels shows how the con artists’ techniques have evolved as deepfake applications and artificial intelligence have improved. It is one of the first times the specific tactics and outlandish techniques of scammers using deepfake video calls has been documented in this detail.

The videos show Yahoo Boys using the technology on setups involving both laptops and phones. In multiple videos, the scammers often brazenly show their own faces, as well as those of the victims they are scamming. “I don't think they're doing this because they’re stupid,” Maimon says. “I think that they simply don’t care, and they’re not afraid of the repercussions.”

The Yahoo Boys are experienced scammers—and they openly brag about it. Photos and videos of their conning and recruitment can be found all across social media, from Facebook to TikTok. However, the cybercriminals, who have links back to Nigerian prince email scams, are arguably their most open on Telegram.

In groups containing thousands of members, Yahoo Boys organize and advertise their individual skills for a smorgasbord of scams. They’re skilled social manipulators, who can have long-lasting impacts on their victims. Business email compromise, crypto scams, and impersonation scams are all touted in hundreds of posts per day. Members claim to be selling photo and video editing skills and entire albums of explicit photographs that can be used to build a convincing persona. Fake IDs and legitimate-looking social media profiles are for sale. Scam “scripts” are free to download.

“The Yahoo Boys have elements of organized crime and disorganized crime,” says Paul Raffile, an intelligence analyst at the Network Contagion Research Institute, who has investigated Yahoo Boys sextorting teenagers and driving them towards suicide. “They don't have a leader, they don’t have a governance structure.” Rather, Raffile says, they organize in clusters and share advice and tips online. Telegram did not respond to WIRED’s request for comment about Yahoo Boys’ channels, but the three channels no longer appear to be accessible.

The digital con artists started using deepfakes as part of their romance scams around May 2022, says Maimon. “What folks were doing was just posting videos of themselves, changing their appearance, and then sending them to the victim—trying to lure them to talk to them,” he says. Since then, they’ve moved on.

To create their videos, the Yahoo Boys are using a handful of different software and apps. WIRED is not naming the specific software, to limit people’s ability to copy the attacks. However, the tools they are using are often advertised for entertainment purposes, such as allowing people to swap their faces with celebrities or influencers.

The Yahoo Boys’ live deepfake calls run in two different ways. In the first, shown above, the scammers use a setup of two phones and a face-swapping app. The scammer holds the phone they are calling their victim with—they’re mostly seen using Zoom, Maimon says, but it can work on any platform—and uses its rear camera to record the screen of a second phone. This second phone has its camera pointing at the scammer’s face and is running a face-swapping app. They often place the two phones on stands to ensure they don’t move and use ring lights to improve conditions for a real-time face-swap, the videos show.

The second common tactic—shown below—uses a laptop instead of a phone. (WIRED has blurred real faces in both videos.) Here, the scammer uses a webcam to capture their face and software running on the laptop changes their appearance. Videos of the setup show scammers are able to see their own face alongside the altered deepfake, with just the manipulated image being displayed over the live video call.

Maimon says he and his teams have tracked down some of the victims, both in deepfake videos and photo albums being sold by Yahoo Boys, and have tried to contact them. WIRED was not able to determine the real identities of victims or scammers, and it is not clear how many times deepfakes have been used. Still, the videos appearing to feature victims reveal how the scammers build rapport with their targets.

Videos show scammers telling people they “love” them and frequently complimenting their appearance. In one video, a scammer says they want to travel to Canada to meet their target, and when they do, they will pay them “instantly,” suggesting the target has sent them money that the scammer has falsely promised to pay back. Other videos contain deeply personal information, showing the levels of trust that scammers can create with the people they target. “Some victims, they talk about their eating disorders, they talk about their depression,” Maimon says.

The videos are likely only a snapshot of the Yahoo Boys’ romance-scamming activity, and many of the videos they self-publish are partly intended to show off their capabilities to allow others to “buy” the approach. Raffile says that, as he investigated the groups for sextortion, he noticed most face-swapping was being used for romance scams. However, there were also instances where Yahoo Boys claimed to use deepfake “nude” generators on photographs.

The scammers can run face-swapping software on laptops. It mimics their facial expressions and mouth movements.

Artificial intelligence will supercharge scams. While deepfake videos have been around for more than half a decade—mostly used for nonconsensual pornography—they’re often glitchy and easy to spot. Lips don’t sync up as people talk, and errors are relatively trivial to detect. However, the technology is quickly improving and becoming easier for anyone to use.

Some of the Yahoo Boy videos are unbelievable, obvious fakes, while others appear plausible. When they’re viewed live, on a mobile phone, with unstable connections, any obvious flaws may be masked—especially if a scammer has spent months social-engineering their victim.

Rachel Tobac, the cofounder and CEO of SocialProof security, who along with company CTO Evan Tobac reviewed a selection of Yahoo Boy videos for WIRED, says she has generally seen some face swapping being used in romance scams over the past 12 months. “They were not super convincing last year, when I checked them out. This year, a lot has changed,” Rachel Tobac says. “Especially the ones where they’re able to change the pitch of their voice and the look of their face—sometimes changing skin tone, hair, eye color, everything’s matched. It’s pretty wild.”

The Yahoo Boys appear to often use existing personas and faces built into the apps. The scammers largely talk using their own voices, although in a couple of videos this may have also been altered. In many of the videos seen by WIRED, the onscreen characters can turn their heads but not move their entire bodies. Their lips and facial expressions move with those made by the face of the scammer. The capabilities of these tools will only improve over time.

Andrew Newell, the chief scientific officer at identity verification company iProov, says he has seen a “massive change” in the number of face-swapping systems being used in the last year, tracking more than 100 different tools. Only a fraction of these tools allow for real-time face-swapping, he says. “We have seen quite big advances in terms of how good these live tools are.”

While the Yahoo Boys may not develop their own software or be technically sophisticated, Maimon says, they are versatile. They’ll run multiple scams at once, speak with dozens of victims at a time, and different individuals will have the skills needed to complete an entire scam. “There's a constant evolution,” Maimon says.

Ronnie Tokazowski, the chief fraud fighter at Intelligence for Good, which works with cybercrime victims, says because the Yahoo Boys have used deepfakes for romance scams, they’ll pivot to using the technology for their other scams. “This is kind of an early warning where it's like: ‘OK, they’re really good at doing these things. Now, what’s the next thing they're going to do?’”

Source

Wired