The same chaotic day FTX declared bankruptcy, someone began stealing hundreds of millions of dollars from its coffers. A WIRED investigation reveals the company’s “very crazy night” trying to stop them.

By the evening of November 11 of last year, FTX’s staff had already endured one of the worst days in the company’s short life. What had recently been one of the world's top cryptocurrency exchanges, valued at $32 billion only 10 months earlier, had just declared bankruptcy. Executives had, after an extended struggle, persuaded the company's CEO, Sam Bankman-Fried, to hand over the reins to John Ray III, a new chief executive now tasked with shepherding the company through a nightmarish thicket of debts, many of which it seemed to have no means to pay.

FTX had, it seemed, hit rock bottom. Until someone—a thief or thieves who have yet to be identified—chose that particular moment to make things far worse. That Friday evening, exhausted FTX staffers began to see mysterious outflows of the company's cryptocurrency, publicly captured on the Etherscan website that tracks the Ethereum blockchain, representing hundreds of millions of dollars worth of crypto being stolen in real time.

“Holy shit,” one former FTX staffer, who asked not to be named because they weren't authorized to speak about internal company matters, remembers thinking. “After all this, we’re being hacked?”

According to its own accounting, FTX would ultimately lose between $415 million and $432 million worth of its cryptocurrency holdings to those unidentified thieves, numbers it has publicly confirmed as part of its bankruptcy process. What FTX hasn't previously revealed is how close it may have come to losing vastly more—how its staff and outside consultants raced to move more than $1 billion worth of crypto to more secure storage before it could be stolen by the malevolent presence on its network—even, at one point, scrambling to send close to half a billion dollars to a physical USB drive in one consultant's office in an effort to keep it out of the thieves' hands.

“Invitation: Urgent”

As the trial of FTX's disgraced founder Sam Bankman-Fried enters its second week, many in the cryptocurrency community are closely watching courtroom events for any hint of how the exchange was so catastrophically looted, just hours after it left his control. The question of who carried out that theft—and whether the thieves were FTX insiders or external hackers—looms largest of all. That mystery remains unsolved, and neither Bankman-Fried nor other top FTX executives have been charged with that theft.

But now, WIRED can reveal the events of FTX’s panicky night working to limit the damage from that theft—and to prevent what might otherwise have been a 10-figure heist. The new FTX leadership under Ray, its new CEO, declined to be interviewed about the incident. But WIRED learned the hour-by-hour details of the crisis response from a detailed invoice submitted by the restructuring firm Alvarez & Marsall for its work on FTX's bankruptcy case, interviews with individuals who participated in the immediate response to the theft, and blockchain analysis provided by the cryptocurrency tracing firm Elliptic.

That response started around 10 pm on the evening of November 11, when Zach Dexter, the chief executive of FTX subsidiary LedgerX, sent a Google Meet invite to a group of more than 20 of FTX’s remaining staff, bankruptcy lawyers, advisers, and consultants. The invitation’s one-word subject line: “urgent.”

A handful of staffers quickly joined that Google Meet video call, which would eventually grow to dozens of participants over the next 12 hours. They could all see FTX wallets being drained in real time on Etherscan. But almost no one on the call had any idea where exactly FTX stored its cryptocurrency or how it managed the secret keys that controlled those wallets. That knowledge was held only by a small group of FTX elite—Bankman-Fried and his inner circle. Bankman-Fried never appeared in the meeting, according to sources who were present, but Gary Wang, the FTX cofounder and CTO, did join the call.

By this point Wang was distrusted by many people close to Ray, sources say. In the midst of FTX’s meltdown, Wang had initially sided with Bankman-Fried and had only distanced himself from the former CEO after days of persuasion from others within the company.

Wang didn't win over any of his critics in the emergency meeting when he initially suggested the ongoing theft could be halted by simply changing the secret keys that protected the wallets that were being emptied. That seemed pointless, the former FTX staffer remembers thinking, given that whoever had gained access to the network could simply grab the new keys and continue their heist. “The fox is in the hen house, and you’re going to change the keys to the hen house?” the former staffer remembers thinking. Wang, who has since pleaded guilty to the same criminal charges Bankman-Fried now faces, did not respond to a request for comment sent to his attorney

Just as the Google Meet call started, however, LedgerX’s Dexter had started exploring a different approach to protecting FTX’s funds. The week before the theft, digital asset trust company BitGo had been negotiating with Sullivan & Cromwell, the law firm overseeing FTX’s bankruptcy process, to take custody of the firm’s remaining cryptocurrency holdings. So Dexter now called BitGo to try to circumvent the long legal contract process Sullivan & Cromwell had begun with the company. Instead, Dexter asked BitGo to immediately create “cold storage” wallets—wallets that would be kept securely offline—that FTX could move all its remaining funds into as a safe haven. Dexter did not respond to a request for comment.

BitGo said it could have the wallets ready in around half an hour. FTX staffers worried that this would still be too slow. The thieves could potentially take hundreds of millions of dollars more worth of crypto out of the company’s wallets by then.

Someone on the Google Meet call asked if anyone had a hardware wallet of their own where the money could be stored until BitGo was ready. Kumanan Ramanathan, an adviser to FTX from Alvarez & Marsall, volunteered. He had a Ledger Nano—a USB drive hardware wallet—in his office that he offered to set up as a temporary refuge for the vulnerable money.

Ramanathan set up a new wallet on his Ledger Nano at around 10:30 pm ET on November 11. The former FTX staffer remembers watching him check and double-check the password that he'd created for that wallet. Wang began sending FTX’s funds to it, and soon Ramanathan was holding between $400 and $500 million in the company’s crypto assets on a USB drive.

A Late-Night 911 Call

Minutes later, BitGo told the FTX staffers that its wallets were ready, and they began transferring hundreds of millions more in crypto to BitGo’s cold storage instead of Ramanathan's Ledger device. For the rest of that sleepless night, the staffers hunted for every wallet where FTX’s money was stored and transferred every coin they could find to BitGo. “They were scrubbing various systems trying to find where various private keys were, where assets were held,” says another person involved in the response, granted anonymity because they weren’t authorized to speak about it publicly. “It was just chaos.”

As FTX's staff focused on getting executives to sign off on those transfers of potentially vulnerable funds, Ramanathan was left holding the crypto that Wang had initially transferred to his Ledger wallet. That created the bizarre situation of an individual physically possessing around half a billion dollars worth of FTX's money, which presented its own unique legal and security risks. That night, Ryne Miller, the general counsel for FTX, rushed to Ramanathan's office to help safeguard it. Ryne Miller declined to comment for this story, and Ramanathan didn’t respond to a request for comment.

Ramanathan's record of billable hours shows that he and Miller spent nearly three and half hours in his office, from around 2 am to 5 am, on November 12. At some point, in fact, Ramanathan called the police to report a theft in progress and explain that he was holding a very large amount of the victim's money, requesting that officers come to his office to help protect it. After all, no one knew then—or now—who had stolen the other funds, and if they might try to physically take the stash that Ramanathan held too.

No such physical threat materialized. In fact, the siphoning of funds from FTX had stopped when the money was moved to Ramanathan's Ledger wallet. “He took a huge fucking risk using his personal Ledger,” says the former FTX staffer. “He’s a total boss. It’s my pretty strong feeling that if we hadn’t pulled this Ledger stunt, we would have lost significantly more money.” The money in Ramanathan's office was finally transferred to BitGo by around 5 am on Saturday, November 12. The company would ultimately hold $1.1 billion of the remaining FTX funds.

Later on Saturday, Bankman-Fried and Wang transferred another $400 million plus to accounts under the control of the Bahamas government for safeguarding, as reported by _Forbes_ and recorded in a court filing. At some points, that movement of funds to the Bahamas appears to have been confused with the theft itself. A week after the theft, some media outlets incorrectly reported that the stolen funds had actually been seized by the Bahamian government. As evidence to the contrary, cryptocurrency tracing firms like Elliptic and Chainalysis have observed portions of the actual stolen funds being sent to “mixing” services often used to launder stolen crypto funds such as THORchain and Railgun, behavior typical of thieves who pull off large-scale crypto heists.

Few Safeguards, No Map

In the months since the desperate rescue effort of November 11, FTX’s new regime, which is handling the company’s bankruptcy process, has publicly alleged glaring security failings that made the theft possible.

An April report released as part of FTX’s bankruptcy proceedings listed examples of that alleged neglect: The previous FTX regime had no independent chief information security officer or actual dedicated security team; it kept virtually all its cryptocurrency in hot wallets—wallets on computers connected to the internet—despite employees being instructed to publicly claim that it stored as little as 10 percent in hot wallets; it left keys to those wallets unencrypted or failed to properly set up security systems where multiple keys are needed to unlock funds; and it lacked the logging systems to even know who was moving funds and when, along with many other issues.

The same report describes the impossible situation that the new FTX regime faced on November 11, when, in its first day in charge, it discovered it had inherited a deeply compromised network. “Due to the FTX Group’s deficient controls to secure crypto assets, the Debtors faced the threat that billions of dollars of additional assets could be lost at any moment,” the report reads, using the term “debtors” to describe the new FTX administration led by Ray. “As the Debtors worked to identify and access crypto assets with no ‘map’ to guide them, the Debtors had to engineer technological pathways to transfer many types of assets they identified to cold storage.”

Given that apparently shambolic security and disorganization, it’s perhaps not a surprise that FTX became the target of one of the costliest crypto heists in history. But if not for a few quick decisions in the midst of that chaos, it now appears that it could have been far worse.

“It was a very, very crazy night,” the former FTX staffer says. “We worked on it, we got it done, and we saved a massive amount of customers’ money.”

Inside FTX’s All-Night Race to Stop a $1 Billion Crypto Heist

Hundreds dead, thousands wounded—Hamas’ surprise attack on Israel shows the limits of even the most advanced and invasive surveillance dragnets as full-scale war erupts.

The Gaza Strip is one of the most densely populated areas on the planet. It’s also one of the most heavily locked down, surveilled, and suppressed. Israel has evolved an entire intelligence apparatus and aggressive digital espionage industry around advancing its geopolitical interests, particularly its interminable conflict in the Gaza Strip and the West Bank. Yet on Saturday, Hamas militants caught Israel unaware with a series of devastating land, air, and sea attacks, killing hundreds of people and leaving thousands wounded. Israel has now declared war.

Hamas’ surprise attack on Saturday is shocking given not only its scale compared to previous attacks, but also the fact that it was planned and carried out without Israel’s knowledge. Hamas’ deadly barrage underscores the limitations of even the most intrusive surveillance dragnets. In fact, experts say the sheer quantity of intelligence that Israel collects on Hamas, as well as the group’s constant activity and organizing, may have played a role in obscuring plans for this particular attack amid the endless barrage of potentially credible threats.

“There's no doubt that the scale and scope of this Hamas attack indicate just a colossal intelligence failure on behalf of the IDF \[Israel Defense Forces\] and in Shin Bet, the internal security agency,” says Raphael Marcus, a visiting research fellow at King’s College London’s Department of War Studies who focuses on the region. “They have such technical prowess and also a legacy of excellent human source capability.”

Israel is known for heavily monitoring Gaza and anyone who could be connected to Hamas using both traditional intelligence-gathering techniques and digital surveillance like facial recognition and spyware. Israel has proved its hacking skills and technical sophistication on the global stage for years, participating in the development of innovative malware for both digital espionage and cyber-physical attacks. The fact that Hamas was able to plan such an unprecedented and complex attack speaks to the limitations and inevitable blind spots of even the most comprehensive surveillance regime.

Jake Williams, a former US National Security Agency hacker and current faculty member at the Institute for Applied Network Security, emphasizes that when you have a firehose of intelligence streaming in from an array of sources, and when the climate is as fraught as that between Israel and Palestine, the challenge is organizing and parsing the information, not gathering it.

“Intelligence in an environment like Israel isn't finding a needle in a haystack—it's finding the needle that will hurt you in a pile of needles,” Williams says. “Given the number of Hamas members involved in the invasion, it's not plausible to me that Israel missed every human intelligence reflection of the planning. But I feel confident that there are always Hamas operatives talking about credible plans to attack the IDF. So Israel can't respond with force to every threat, even every credible one. They'd be at a heightened state of alert or actively engaged all the time, and that's probably actually worse for security.”

Though details of exactly how the attack happened are still emerging, it seems that oversights related to grappling with this signal-and-noise conundrum played a role.

“In retrospect, there was some information, but, like happens in all intelligence failures, it wasn't given sufficient consideration. It was misunderstood,” says Chuck Freilich, a former Israeli deputy national security adviser. “I think in the last days, from my understanding, there were some warning signs. And actually, the intelligence establishment had been warning for the past about half-year that there was going to be a significant conflict with Hamas, that they were bent on escalating the situation. But then they misread the signs.”

Colin Clarke, the director of research at the Soufan Group, an intelligence and security consultancy, says the Hamas attack would have “required months of preparation” and intelligence failures likely happened with both human intelligence and signals intelligence, where electronic and communications data is collected. “I’m still astonished that a breakdown in intelligence occurred at this level,” Clarke says. “I don’t think anybody, including the Israelis, were prepared for an operation this complex and multi-pronged.”

Crucial intelligence oversights could have happened as the result of numerous intersecting failures, says King’s College London’s Marcus. The Israeli intelligence apparatus may have misunderstood Hamas’s intentions, misread the context of crucial leads, been distracted by Israel’s political efforts with Saudi Arabia, or been grappling with domestic challenges. Israeli forces have complained, for example, of a brain drain from the IDF as individuals get pulled toward the private sector.

“I think that this wasn't just a military failure—I think that this was a dramatic failure of national leadership,” says Freilich, who authored _Israel and the Cyber Threat: How the Startup Nation Became a Global Cyber Power_. The ambush calls to mind the outbreak of fighting during Ramadan in October 1973 in which an Arab bloc targeted Israel with a surprise attack on the Jewish holy day Yom Kippur to set off nearly 20 days of fighting.

Palestinians in occupied territories, including the West Bank and Gaza Strip, have faced surveillance and controls for years, with many calling the conditions an apartheid. In September 2021, Israeli forces announced the completion of a 40-mile-long barrier around the Gaza Strip—the sliver of land between Israel, Egypt, and the Mediterranean Sea—that is essentially a “smart wall” equipped with radar, cameras, underground sensors, and an array of other surveillance instruments.

“Palestinians are subjected to multi-layered surveillance,” says Mona Shtaya, a non-resident fellow at the Tahrir Institute for Middle East Policy. “Various surveillance technologies are employed against Palestinians, including drones, mobile bugs (spyware) that have previously been uncovered as being injected into electronic devices prior to entry into the Gaza Strip.”

Shtaya adds that CCTV cameras are placed at entrances to the Gaza Strip, and that there is “continuous” online surveillance of people in the occupied areas. “It would not be an exaggeration to say that Palestinians are under surveillance in nearly every facet of their lives,” she says.

Such persistent surveillance can make people change their behaviors and limits freedom of expression and speech. “We can observe this phenomenon when people communicate with their families over phone calls or when they post content online, as they may alter certain keywords,” Shtaya says.

As Hamas attacked Israel on Saturday, videos emerged of a brute force approach: a bulldozer breaking through portions of the fence as hundreds of militants stormed into Israel using motorbikes, boats, and apparently paragliders. _Haaretz_ reported on Sunday that Hamas was able to gain so much ground because of IDF logistics issues in addition to intelligence failings.

While Israel’s technology industry has helped create many surveillance capabilities and pushed the global industry forward, Hamas, which is sanctioned as a terrorist organization in the US, also uses some digital tools in its operations. The group has leaned heavily on distributing its propaganda through radio and TV to legitimize its rule in Gaza, while it utilizes social media to a lesser extent, according to a review by the Center for Strategic and International Studies earlier this year. Still, Hamas has used fake Facebook accounts to lure Israeli soldiers into downloading data-stealing apps, and has distributed fake dating apps that are really spyware. In 2019, Israeli forces bombed a building they claimed housed a Hamas hacking group.

Multiple sources tell WIRED that they suspect Iran was involved in helping Hamas carry out its assault on Saturday, given the sophistication and intricacy of the attack. Iran has long-standing ties to Hamas, and its officials have praised the recent attacks.

As the conflict ramps up into full-scale war, there is significant concern about the number of civilians impacted, with Amnesty International saying it is “deeply alarmed” by the civilian deaths in Israel, Gaza, and the West Bank. The Hamas assault has killed at least 700 and injured more than 2,000 Israelis on Saturday, according to the latest available figures. Video footage and reports shared online depict Hamas gunmen killing civilians, leaving bloody bodies scattered through the streets, and taking dozens of hostages. In response, Israel is launching large-scale airstrikes against Hamas targets in Gaza, while working to retake militant-controlled areas and preparing for offensive actions, including a possible ground invasion of Gaza. At least 370 Palestinians in Gaza have been killed and more than 2,000 wounded so far.

Israel Defense Forces say women and children have been taken hostage. Israel has also cut power to Gaza and internet monitoring firms say there has been a decrease in connectivity. As the fog of surveillance gives way to the fog of war, the current situation in Israel serves as an important illustration that unrelenting surveillance does not equate to or guarantee security.

_Additional reporting by_ _Morgan Meaker_

Israel's Failure to Stop the Hamas Attack Shows the Danger of Too Much Surveillance

Plus: Sony confirms a breach of its networks, US federal agents get caught illegally using phone location data, and more.

Does the public have a right to see gruesome photos of animal test subjects taken by a public university?

That question underpins an ongoing court battle between UC Davis and the Physicians Committee for Responsible Medicine, an animal welfare group, which is fighting for the release of photos of dead monkeys used in tests of Elon Musk–owned Neuralink’s brain-chip implants. A WIRED investigation this week revealed the extent to which Neuralink and UC Davis have gone to keep images of the tests secret.

Also this week, an investigation by the Markup, copublished with WIRED, analyzed crime predictions by Geolitica (formerly PredPol) in Plainfield, New Jersey, and found that they accurately predicted crime less than 1 percent of the time. As WIRED previously reported, Geolitica is shutting down at the end of this year and being sold for parts to SoundThinking, maker of the gunshot-detection system ShotSpotter.

Earlier this year, the data-extortion gang Clop exploited a vulnerability in the widely used file-transfer service MOVEit, racking up victims around the globe including major corporations and US government agencies. The full number of victim organizations continues to climb into the thousands, with more than 3.4 million people’s data potentially stolen, making it the biggest hack of 2023.

If you own an inexpensive Android TV streaming box, you may want to toss it into the sea—or recycle it responsibly. New research found that at least eight cheap streaming boxes contained a backdoor that connects the devices with servers in China and is used to commit fraud and other cybercrime. Researchers also found dozens of Android, iOS, and TV box apps that were used for fraudulent behavior. While at least some of the apps have been removed from the app stores, more than 120,000 Android devices and 150,000 iOS devices were impacted.

Speaking of phone security, we detailed how to know when your device will stop getting security updates and how to keep Google from using your data in its generative AI tool, Bard. Finally, we profiled the team at a UK-based nonprofit that’s helping women fight back against digital domestic violence.

That’s not all. Each week we round up the security and privacy news that we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

When WIRED first reported that Apple had sent a letter responding to demands from an anti-child-exploitation group called Heat Initiative, we had one big question: What the hell is Heat Initiative? An investigation by the Intercept now provides some clues.

According to the Intercept, the group is funded by “dark-money donors” linked to billionaire Democrats. Sarah Gardner, who leads the group, refused to comment on Heat Initiative’s funding and said she disagrees with Apple’s “privacy-absolutist” approach. The group, which had virtually no online presence when Apple sent that letter, is now waging a high-profile campaign to force the company to do more to scan for child sexual abuse material (CSAM) on users’ devices and iCloud storage, which would likely mean weakening encryption.

After Apple scrapped plans to scan images on users’ devices for CSAM amid widespread backlash, the company focused instead on tools known as Community Safety features for reporting CSAM. It also rolled out encrypted iCloud options. The company says it cannot meet Heat Initiative demands without compromising user privacy and security.

Sony Interactive Entertainment confirmed this week that it is the latest victim of the aforementioned MOVEit breach. The company says it has informed some 6,800 people, including past and current employees, about the breach, which may have exposed Social Security numbers and personal information. Data-extortion gang Clop has claimed responsibility for the breach, which Sony says it detected on June 2. Sony says it is working with cybersecurity experts and law enforcement as part of its investigation into the intrusion.

Agents working for the US Customs and Border Protection, Immigration and Customs Enforcement, and the US Secret Service broke the law by purchasing commercially available phone location data, according to a new report from the US Department of Homeland Security’s inspector general. Privacy and civil liberty advocates have long argued that the purchase of such data, known in the US government as commercial telemetry data (CTD), circumvents Fourth Amendment protections against unreasonable searches and seizures because agents don’t need to obtain a warrant to buy the information. But the inspector general report says the data was illegally accessed because agents failed to conduct a mandated privacy impact assessment before buying CTD.

The US Department of Justice this week unsealed indictments against eight Chinese firms and 12 of their employees, accusing them of producing and distributing chemicals needed for the production of fentanyl, a deadly opioid, in the United States. The employees and companies were also sanctioned by the US Treasury Department, cutting them off from US financial institutions. According to the DOJ, the companies “tend to use cryptocurrency transactions to conceal their identities and the location and movement of their funds.”

“We have identified and blocked over a dozen virtual currency wallets associated with these actors,” Treasury deputy secretary Wally Adeyemo said during a press conference on October 3. “The blocked wallets, which received millions of USD funds over hundreds of deposits, illustrate the scope and scale of the operation targeted today.”

Apple's Encryption Is Under Attack by a Mysterious Group

A “friendlier” front for racist extremism has spread rapidly across the US in recent months, as active club channels network on Telegram's encrypted messaging app.

On Monday evening, Gabrielle Hanson, a pro-MAGA mayoral candidate in Tennessee, walked through the parking lot of Franklin City Hall, on her way to debate her opponent, incumbent Ken Moore, in what was meant to be little more than a typical campaign stop in the small city of Franklin just south of Nashville.

What made this scene so different was the fact that Hanson was flanked by members of the Tennessee Active Club, an openly neo-Nazi hate group. One of the men escorting Hanson into the building was Sean Kauffmann, the reported leader of the group whom the Southern Poverty Law Center says has been part of the white supremacist movement for years, and was photographed giving a Nazi salute at a Black Lives Matter rally.

The group stood outside the building as the event took place, and they told a local reporter that they were there to provide security for Hanson, claiming that “credible threats” had been made against her. The Franklin Police Department tells WIRED that they have no information about threats against Hanson. Instead, the police department is investigating death threats made against local journalists by Kauffmann’s group in their Telegram channel just hours after the campaign event ended.

The threats, which included anti-Semitic slurs and references to white supremacist literature, featured the image of one reporter’s home after one follower asked: “Who is this person? Where can I find them so I can beat the shit out of them?”

Active clubs are a decentralized network of groups that have recently become the new, so-called friendlier face of the white supremacist movement, by promoting physical fitness and brotherhood while hiding their true nature. The movement has experienced explosive growth in recent months. For researchers who have been tracking the rise of this movement, the use of Telegram to disseminate threats like those in Franklin highlights the crucial role the encrypted messaging app has played in helping these groups recruit, organize, and spread hate speech to a huge following.

“The way that active clubs go about their organizing is resonating with folks on Telegram, where there is a ready-made audience of people who have already written off politics, and they have come to a point in their lives where they think white genocide is real, and they see the active club, in their minds, out there doing something about it,” Jeff Tischauser, senior researcher with the Southern Poverty Law Center, tells WIRED. “I see Telegram as a leading pipeline into the creation of active clubs, because that's just where a lot of the rhetoric and the content and the propaganda of active clubs exist.”

****Got a Tip?****

**Are you a current or former member of an active club? We’d like to hear from you. Using a nonwork phone or computer, contact David Gilbert at** **david.gilbert@wired.com****.**

“You Better Run”

The first threat made by the Tennessee Active Club’s Telegram channel was aimed at Phil Williams, chief investigative reporter for NewsChannel 5 WTVF, who has written extensively about Hanson’s campaign in recent months—including reports on Hanson’s prior arrest for promoting prostitution. (She says she took a plea deal.) Williams has also exposed the hypocrisy of Hanson and her campaign. As an alderman, Hanson attempted to block a permit for a Pride festival in Franklin; Williams reported that she supported her husband’s participation in the 2008 Chicago Pride parade while wearing a pair of Speedos.

After Williams posted pictures of the Tennessee Active Club at the candidate forum on Monday night, the group’s Telegram channel shared a post calling Williams a “lying sack of shit for the international jew media” before warning that the “Day of the Rope is real and it’s approaching quicker than they can prepare for.”

The post concluded: “You better run … run … run.”

“Day of the Rope” is a reference taken from the 1978 white supremacist book, _The Turner Diaries._ The concept in recent years has become shorthand for attacks on journalists, politicians, and others who oppose the white supremacist revolution.

Williams did not respond to WIRED’s request for comment on the threats but did address them on X (formerly Twitter) on Tuesday evening. “This is a story that is important to this community. I will not be deterred from continuing to do my job,” Williams wrote, adding: “Truth will prevail!”

The group also threatened Holly McCall, the editor of the Tennessee Lookout, a nonprofit outlet covering local government, after she posted a comment on X mocking the appearance of some members of the Tennessee Active Club present on Monday night.

The group responded on Telegram writing, “That’s our cyber division Holly.” In a comment under the group’s post, a follower wrote: “Who is this person? Where can I find them so I can beat the shit out of them? So they know I am in fact active and lurking.”

The group then posted a picture of McCall’s house taken from what appears to be her husband’s Facebook account. WIRED confirmed that the picture was McCall’s home.

McCall declined WIRED’s request to comment on the threats. In a post on X on Tuesday evening, she wrote: “I hadn't planned to publicly comment, but yup, I'm the Holly these guys want to beat the shit out of.”

At least some of these threats were flagged to the Franklin Police Department. Milissa Reierson, communications manager for the city of Franklin, told WIRED she cannot comment on specific investigations, but she said they are “monitoring the events from \[Monday\] night,” adding that the city “takes any threat seriously.”

Hanson, an extreme right-wing candidate who spread conspiracy theories about the Covenant School shooting in Nashville in March, did not respond to WIRED’s request for comment. She claimed in a Facebook post that she did not hire or ask the Tennessee Active Club to provide protection for her, adding: “I am not, nor have I ever been associated with any white supremacy or Nazi-affiliated group.”

However, within minutes of posting this statement on Facebook, her Instagram account shared a screenshot taken directly from the Tennessee Active Club Telegram channel. The post makes baseless claims that her opponent was a member of antifa, the loose-knit network of anti-fascist activists, even though he’s a lifelong Republican politician in his 70s. The Telegram posts also said, “You don’t want us showing up” and “remember there is no political solution.”

Hanson is also the listed realtor of the Lewis Country Store, a gas station on the outskirts of Nashville owned by self-described “literal Nazi” Brad Lewis, where the members of the Tennessee Active Club train together with other white supremacist groups.

“A Prepackaged Brand”

Active clubs emerged in late 2020. They’re the brainchild of Robert Rundo, an American white supremacist who is alleged to have cofounded the Rise Above Movement, a combat-ready group with ties to street fighting gangs. Rundo was extradited to the US earlier this year after being arrested in Romania on anti-riot act charges related to violent clashes with anti-fascist protesters in Los Angeles in 2017. (Rundo was charged with the same crime in 2017, but the charges were dismissed before being reinvestigated.)

Rundo was inspired by similar groups he observed while in Europe, and he views the active club movement as part of a “White Supremacy 3.0” strategy, which attempts to move away from the overtly violent and Nazi-infused movements of the past to present a friendlier public face of white supremacy.

Emphasizing physical fitness among active club members, Rundo has stated that his aim is to create a stand-by militia of trained and capable right-wing extremists who can be activated when the need for coordinated violent action on a larger scale arises.

“I definitely do believe that in the future there needs to be a mass movement, a mass organization, but when it comes for that, do you really want a bunch of guys coming strictly from the online world to come join a mass movement without having any experience or skills?” Rundo said in a video posted online just weeks before he was arrested in March. “Active clubs are a great local way to start guys off as they come from the online world into the real world, to learn actual skills.”

While initial takeup of the active club idea was relatively slow, there has been explosive growth in the movement’s numbers this year, research shows. In April 2023, a report from the Accelerationism Research Consortium, a group of researchers, academics, and journalists who track the spread of accelerationism, found that there were 30 active clubs operating in 17 different states. By August, research conducted by Alexander Ritzmann for the Counter Extremism Project (CEP), a nonprofit that tracks extremist groups, found that there were 46 clubs operating in 34 different states—a 50 percent increase in the number of clubs and a 100 percent increase in the geographical spread in the space of just five months.

Because the network is decentralized, with each local group operating relatively independently, it allows anyone who wants to start an active club to do so very quickly. And Telegram is playing a central role in that explosive growth.

"A couple of guys who are motivated by racial animus or anti-Semitic hatred, they can go on Telegram, message a leader or an administrator of an active club channel, and the administrator will help this new group create the branding,” Tischauser says. “It’s basically a template that anybody can access if they have that political ideology. It's like a prepackaged brand that anybody could access.”

Spreading Hate

The number of members who partake in real-world activities with active clubs—everything from mixed martial arts training to handing out flyers and harassing LGBTQ events— is small, with each cell having on average between five and 25 members. But the number of people following these groups on Telegram is many times larger. Some of the groups have thousands of followers, and almost all typically have hundreds of followers.

A number of those followers will be researchers, law enforcement officers, and journalists. But there are also a huge number of people who are monitoring these groups because they already have an interest in the ideas being discussed.

“Telegram is the place where the active clubs are the most active. It is an essential component for the circulation not just of their ideology, but of their marketing,” Tischauser says. He points out that all the groups expect members to purchase branded gear from the Will2Rise website, an activewear brand established by Rundo that _Rolling Stone_ described as “the Lululemon for fascists.”

Telegram is also a hugely powerful recruiting tool, giving this movement a platform free of censorship or restrictions to spread its message to a much larger audience than it would have on other mainstream platforms.

“Alt-tech platforms—and Telegram is really one of the biggest examples of this—provide these hate groups with a ready-made audience of people that already subscribe to this very hateful ideology,” Tischauser says.

The vast majority of the Telegram channels identified as belonging to the clubs listed in the CEP report are public, available for everyone to see. The transparency is part of Rundo’s White Supremacy 3.0 strategy where he urges groups to only post positive content about training of the sense of brotherhood that the clubs claim to inspire, while avoiding violent threats and Nazi symbolism. But some groups do not appear to be subscribing to Rundo’s ideals—chief among them, the Tennessee Active Club.

“I don't think they got that memo,” Tischauser says. “They've always been posting Nazi stuff and glorifying Hitler, being very rabidly anti-Semitic. They showed up to at least two cities in Tennessee and they were flying the swastika, while Sean Kauffman, the leader, is seen giving the Heil Hitler hand gesture.”

Telegram tells WIRED that it is investigating the threats made in the Tennessee Active Club channel. “Telegram is a platform that supports the right to peaceful free speech, but calls to violence are explicitly forbidden on our platform,” Remi Vaughn, a spokesperson for the messaging app, wrote in a statement. “Our moderators proactively monitor public parts of the platform and accept user reports in order to remove content that breaches our terms of service.”

For everything we know about the growth and spread of active clubs on Telegram, there is an entire world that is off-limits to journalists and researchers, where members of these clubs coordinate and network in secret. A local anti-fascist activist in Tennessee, who is closely monitoring some of these nonpublic channels and requested anonymity due to threats to their safety from the groups they are tracking, confirmed to WIRED the existence of the secret chats, which they say are used to coordinate actions both locally and nationally.

While active clubs effectively operate independently—a deliberate decision, taken so that the movement can continue even if one group is deactivated—there still appears to be a level of national coordination happening, even while Rundo is in custody awaiting trial. This coordination was seen in August 2023 when a white nationalist fight club event took place in Southern California featuring members from multiple active clubs across the United States, including the Tennessee club, as well as members of other hate groups like Blood Tribe and Patriot Front.

“There's some national leadership within the active clubs who are talking with each other, maybe it's at the chapter leader level, where they're talking and they're organizing these events and then mobilizing folks to come out, which takes a lot of resources and logistics,” Tischauser says. “So there has to be some kind of structure there.”

Tischauser says he sees little preventing the active club movement from continuing to grow rapidly. He says he has already seen a number of new clubs emerge since the CEP report was published last month—and that’s a real concern because, as Ritzmann bluntly states in his report: “If Active Clubs are allowed to continue to operate and multiply, the likelihood for targeted political violence and terrorism by their members against supposed enemies of the ‘white race’ (e.g., Jews, people of color, Muslims, and LGTBQI+ people) will increase.”

White Supremacist Active Clubs Are Breeding on Telegram

At least a million data points from 23andMe accounts appear to have been exposed on BreachForums. While the scale of the campaign is unknown, 23andMe says it's working to verify the data.

The genetic testing company 23andMe confirmed on Friday that data from a subset of its users has been compromised. The company said its systems were not breached and that attackers gathered the data by guessing the login credentials of a group of users and then scraping more people’s information from a feature known as DNA Relatives. Users opt into sharing their information through DNA Relatives for others to see. 

Hackers posted an initial data sample on the platform BreachForums earlier this week, claiming that it contained 1 million data points exclusively about Ashkenazi Jews. There also seem to be hundreds of thousands of users of Chinese descent impacted by the leak. On Wednesday, the actor began selling what it claims are 23andMe profiles for between $1 and $10 per account, depending on the scale of the purchase. The data includes things like a display name, sex, birth year, and some details about genetic ancestry results, like that someone is, say, of “broadly European” or “broadly Arabian” descent. It may also include some more specific geographic ancestry information. The information does not appear to include actual, raw genetic data.

The company emphasized in a statement that it does not see evidence that its systems have been breached. It also encouraged users to use strong, unique passwords and enable two-factor authentication to keep attackers from compromising their individual accounts using login credentials exposed in other data breaches.

“We were made aware that certain 23andMe customer profile information was compiled through access to individual 23andMe.com accounts,” the company said in a statement. “We believe that the threat actor may have then, in violation of our terms of service, accessed 23andme.com accounts without authorization and obtained information from those accounts.” 

The company has not been clear on whether it has validated the data the threat actor leaked, noting that its investigation is ongoing and that it currently has “preliminary results.” A spokesperson for the company told WIRED that the leaked information is consistent with a situation in which some user accounts were exposed and then leveraged to scrape data visible in DNA Relatives. But when pressed on the details of whether the data has been validated, the spokesperson said that verifying the data is pending and that the company cannot currently confirm whether the leaked information is real.

This point is significant both for everyone whose information may have been compromised and because the data posted by the actor claims to include “celebrities.” Entries for technologists Mark Zuckerberg, Elon Musk, and Sergey Brin are all visible in the sample data, including “Profile ID,” “Account ID,” name, sex, birth year, current location, and fields known as “ydna” and “ndna.” It is unclear if the data for these entries is legitimate or was inserted. For example, Musk and Brin appear to have the same profile and account IDs in the leak.

The technique of using credentials exposed in other data breaches to infiltrate accounts where those logins have been reused is known as “credential stuffing” and is a widely used account compromise technique.

“Credential stuffing never really went away and a lot of it just comes down to the fact that humans reuse their passwords—that's what makes it possible,” says Ronnie Tokazowski, a longtime digital scams researcher. “And the fact that it's claiming to target a Jewish population or celebrities—it’s not shocking. It reflects the underbelly of the internet.”

The full picture of why the data was stolen, how much more the attackers have, and whether it is actually focused entirely on Ashkenazim is still unclear.

“When data is shared relating to ethic, national, political or other groups, sometimes it's because those groups have been specifically targeted, but sometimes it's because the person sharing the data thinks it'll make reputation-boosting headlines,” says Brett Callow, a threat analyst at security firm Emsisoft. 

Callow notes that the situation raises broader questions about keeping sensitive genetic information safe and the risks of making it available in services that are designed like social networks to facilitate sharing. With such platforms come all of the data privacy and security issues that have plagued traditional social networks, including issues related to data centralization and scraping.

“This incident really highlights the risks associated with DNA databases,” Callow says. “The fact that accounts had reportedly opted into the ‘DNA Relatives’ feature is particularly concerning as it could potentially result in extremely sensitive information becoming public.”

_Update 7:00 pm ET, October 6 to note that data from hundreds of thousands of 23andMe users of Chinese descent seems to have also been exposed in the incident._

23andMe User Data Stolen in Targeted Attack on Ashkenazi Jews

Location-enabled tech designed to make our lives easier is often exploited by domestic abusers. Refuge, a UK nonprofit, helps women to leave abusive relationships, secure their devices, and stay safe.

Pick up any piece of tech and Emma Pickering knows how it can be used to abuse, harass, and stalk women. Amazon’s Ring home doorbell cameras can monitor when someone leaves the house and who is visiting them. Until recently, Netflix showed the IP addresses where users were logged in, allowing their location to be tracked. Workout apps and websites such as Strava show where and when people are exercising. And abusers often slip small GPS trackers or audio recorders into women’s belongings or attach them to their cars.

“Perpetrators buy them in bulk, and they’ll buy probably 60 very cheaply; they’re very small and discrete,” says Pickering, who works at Refuge, the UK’s largest domestic abuse organization, where she heads a team that helps women secure their devices. Pickering says that in one case “over 200” recording devices were found in a woman’s home.

Refuge launched its Technology-Facilitated Abuse and Economic Empowerment Team in 2017, amid a surge of abusers weaponizing apps, devices, and online services to harm women. The charity helps women and their children leave abusive relationships, providing emergency accommodation, legal help, financial aid, and more. Almost every case now involves technology in some form, Pickering says, and the issue is so serious that every person the organization places into a refuge goes through a tech assessment to secure their accounts. The tech abuse team, which is made up of 11 people, is the only one of its kind in the UK and just one of a handful of similar organizations around the world.

Technology-facilitated abuse can range from harassment via phone call or text message to logging into someone’s social media and email accounts without their permission, which allows abusers to read, delete or send messages. In more extreme cases, they might install “stalkerware” on victims’ phones to monitor every tap and scroll. Nonconsensual image-sharing, commonly known as “revenge porn,” and economic abuse, where money and banking apps may be controlled by an abuser, are also frequent. In August, a report from MPs in the UK concluded that tech abuse is becoming “increasingly common.”

Pickering says her team primarily focuses on helping people in the more severe cases. “Firstly, we need to establish if it’s safe to speak to them on their device,” she says. If it isn’t, Refuge will send women a burner phone and then set them up with a new email address, using the encrypted email service Proton Mail, before sending them extra information. It’s the start of a meticulous process—known as an “attack assessment” by the team—to secure accounts and devices.

“We go through everything,” Pickering says. Refuge will ask the person they are helping to list every device and online account they and any children have. These can easily number into the hundreds. “Within the home, if they’ve fled the relationship, we also need to check anything they’ve left behind to unsync from any devices or accounts that they could still be using back home.” This will include products like Google Home Hubs, and Amazon’s Ring doorbells and Alexa, and it requires checking who set up the devices and is the administrator of the accounts, as well as which names phone contracts are in. From there, a safety plan is created, Pickering says. This can include going through the accounts and checking settings for who has access to them, removing devices connected to accounts, using secure passwords, and setting up measures such as two-factor authentication. On average, Pickering says, it can take three weeks to get through the entire process, although more complex cases take much longer.

“I don’t think people realize how serious it is, the consequences for perpetrators to have access to this information, to see that there’s evidence in someone’s phone that they’re planning to leave a relationship, read emails about financial settlements, child contact orders—it puts someone at really significant risk,” Pickering says. Even for those in nonabusive relationships, the charity has created a digital breakup tool with cybersecurity firm Avast to detail the process of separating everything from delivery apps to gaming accounts from former partners.

While the technology itself isn’t usually the problem—it’s how abusers use it to harass their victims that creates the issues—Pickering says tech companies don’t put enough thought into how their services can be used maliciously. They also don’t put enough effort into preventing such abuses. They’re not “considering having features built in that can mitigate these risks,” she says.

For instance, Apple launched its small AirTag GPS tracker without many safety features, and dozens of people have subsequently reported being tracked by the devices. (The company has made some improvements and is now working with other tracker manufacturers to make it easier to identify trackers someone has placed on your belongings). One of the biggest issues currently, Pickering says, is satellite navigation systems within cars. “My car, for instance, if I drive it somewhere, it’s connected to an app, and I don’t know how many people are on my app, it doesn’t give me notifications,” she says. There are also boundary settings that can alert a vehicle’s owner if it travels beyond a specific set of locations.

Aside from designing products better, tech companies need to make it easier for people to understand the settings on their phone and digital accounts. “Many people come to us and their confidence around tech is very limited,” Pickering says. “We have to do a lot of work with them initially to make them feel comfortable.”

While tech abuse is rising, Pickering aims to increase understanding around the problem and tackle some of the issues at its roots. “We’ve got a really big ambition to train the police,” she says, adding that officers often don’t know what to look for in cases of tech abuse and may not take issues seriously. The Refuge team has already worked with one tech company, which she says she cannot name due to an NDA, to advise on safety. “Amazon and Google could work with us,” Pickering says. “And we could help make sure that their products are developed with safety in mind.”

_This article first appeared in the November/December 2023 issue of WIRED UK._

The Team Helping Women Fight Digital Domestic Abuse

New research has found that some streaming devices and dozens of Android and iOS apps are secretly being used for fraud and other cybercrime.

When you buy a TV streaming box, there are certain things you wouldn’t expect it to do. It shouldn’t secretly be laced with malware or start communicating with servers in China when it’s powered up. It definitely should not be acting as a node in an organized crime scheme making millions of dollars through fraud. However, that’s been the reality for thousands of unknowing people who own cheap Android TV devices.

In January, security researcher Daniel Milisic discovered that a cheap Android TV streaming box called the T95 was infected with malware right out of the box, with multiple other researchers confirming the findings. But it was just the tip of the iceberg. Today, cybersecurity firm Human Security is revealing new details about the scope of the infected devices and the hidden, interconnected web of fraud schemes linked to the streaming boxes.

Human Security researchers found seven Android TV boxes and one tablet with the backdoors installed, and they’ve seen signs of 200 different models of Android devices that may be impacted, according to a report shared exclusively with WIRED. The devices are in homes, businesses, and schools across the US. Meanwhile, Human Security says it has also taken down advertising fraud linked to the scheme, which likely helped pay for the operation.

“They’re like a Swiss Army knife of doing bad things on the internet,” says Gavin Reid, the CISO at Human Security who leads the company’s Satori Threat Intelligence and Research team. “This is a truly distributed way of doing fraud.” Reid says the company has shared details of facilities where the devices may have been manufactured with law enforcement agencies.

Human Security’s research is divided into two areas: Badbox, which involves the compromised Android devices and the ways they are involved in fraud and cybercrime. And the second, dubbed Peachpit, is a related ad fraud operation involving at least 39 Android and iOS apps. Google says it has removed the apps following Human Security’s research, while Apple says it has found issues in several of the apps reported to it.

First, Badbox. Cheap Android streaming boxes, usually costing less than $50, are sold online and in brick-and-mortar shops. These set-top boxes often are unbranded or sold under different names, partly obscuring their source. In the second half of 2022, Human Security says in its report, its researchers spotted an Android app that appeared to be linked to inauthentic traffic and connected to the domain flyermobi.com. When Milisic posted his initial findings about the T95 Android box in January, the research also pointed to the flyermobi domain. The team at Human purchased the box and multiple others, and started diving in.

In total the researchers confirmed eight devices with backdoors installed—seven TV boxes, the T95, T95Z, T95MAX, X88, Q9, X12PLUS, and MXQ Pro 5G, and a tablet J5-W. (Some of these have also been identified by other security researchers looking into the issue in recent months). The company’s report, which has data scientist Marion Habiby as its lead author, says Human Security spotted at least 74,000 Android devices showing signs of a Badbox infection around the world—including some in schools across the US.

The TV devices are built in China. Somewhere before they reach the hands of resellers—researchers don’t exactly know where—a firmware backdoor is added to them. This backdoor, which is based on the Triada malware first spotted by security firm Kaspersky in 2016, modifies one element of the Android operating system, allowing itself to access apps installed on the devices. Then it phones home. “Unbeknownst to the user, when you plug this thing in, it goes to a command and control (C2) in China and downloads an instruction set and starts doing a bunch of bad stuff,” Reid says.

Human Security tracked multiple types of fraud linked to the compromised devices. This includes advertising fraud; residential proxy services, where the group behind the scheme sell access to your home network; the creation of fake Gmail and WhatsApp accounts using the connections; and remote code installation. Those behind the scheme were selling access to residential networks commercially, the company’s report says, claiming to have access to more than 10 million home IP addresses and 7 million mobile IP addresses.

The findings tally with those of other researchers and ongoing investigations. Fyodor Yarochkin, a senior threat researcher at security firm Trend Micro, says the company has seen two Chinese threat groups that have used backdoored Android devices—one it has researched deeply, the other is the one Human Security looked at. “The infection of devices is quite similar,” Yarochkin says.

Trend Micro has found a “front end company” for the group it investigated in China, Yarochkin says. “They were claiming that they have over 20 million devices infected worldwide, with up to 2 million devices being online at any point of time,” he says. Based on Trend Micro’s network data, Yarochkin believes these figures to be credible. “There was a tablet in one of the museums somewhere in Europe,” Yarochkin says, adding he believes it is possible that swaths of Android systems may have been impacted, including in cars. “It’s easy for them to infiltrate the supply chain,” he says. “And for manufacturers, it's really difficult to detect.”

Then there’s what Human Security calls Peachpit. This is an app-based fraud element, which has been present on both the TV boxes as well as Android phones and iPhones, Reid says. The company identified 39 Android, iOS, and TV box apps that were involved. “These are template-based applications—not very high quality,” says Joao Santos, a security researcher at the company. Apps about developing six-pack abs and logging the amount of water a person drinks were included.

The apps performed a range of fraudulent behavior, including hidden advertisements, spoofed web traffic, and malvertising. The research says that while those behind Peachpit appear different from those behind Badbox, it is likely they are working together in some way. “They have this SDK that did the ad fraud part, and we found a version of this SDK that matches the name of the module that was being dropped on the Badbox,” Santos says, referring to a software development kit. “That was another level of connection that we found.”

Human Security’s research says the ads involved were making 4 billion ad requests per day, with 121,000 Android devices impacted and 159,000 iOS devices impacted. There had been 15 million downloads in total for the Android apps, the researchers calculate. (The Badbox backdoor was found only on Android, not on any iOS devices.) Reid says that based on the data the company has, which isn’t a complete picture due to the complexity of the ad industry, those behind the scheme could have easily earned $2 million in one month alone.

Google spokesperson Ed Fernandez confirms the 20 Android apps reported by Human Security have been removed from the Play Store. “The off-brand devices discovered to be Badbox-infected were not Play Protect–certified Android devices,” Fernandez says, referring to Google’s security testing system for Android devices. “If a device isn't Play Protect certified, Google doesn’t have a record of security and compatibility test results.” The company has a list of certified Android TV partners. Apple spokesperson Archelle Thelemaque says that it found five of the apps Human reported breaching its guidelines, and the developers were given 14 days to make them follow the rules. Four of them have done so, as of publication.

Toward the end of 2022 and in the first part of this year, Reid says, Human Security took action against the advertising fraud elements of Badbox and Peachpit. According to data shared by the company, the amount of fraudulent ad requests from the schemes taking place now has completely dropped off. But the attackers adapted to the disruption in real time. Santos says when the countermeasures were first deployed, those behind the schemes started by sending out an update to obfuscate what they were doing. Then, he says, those behind Badbox took down the C2 servers powering the firmware backdoor.

While the attackers have been slowed, the boxes are still in people’s homes and on their networks. And unless someone has technical skills, the malware is very hard to remove. “You can think of these Badboxes as kind of like sleeper cells. They're just sitting there waiting for instruction sets,” Reid says. Ultimately, for people buying TV streaming boxes, the advice is to buy branded devices, where the manufacturer is clear and trusted. As Reid says, “Friends don't let friends plug in weird IoT devices into their home networks.”

Your Cheap Android TV Streaming Box May Have a Dangerous Backdoor

Elon Musk’s brain-chip startup conducted years of tests at UC Davis, a public university. A WIRED investigation reveals how Neuralink and the university keep the grisly images of test subjects hidden.

The tan macaque with the hairless pink face could do little more than sit and shiver as her brain began to swell. The California National Primate Center staff observing her via livestream knew the signs. Whatever had been done had left her with a “severe neurological defect,” and it was time to put the monkey to sleep. But the client protested; the Neuralink scientist whose experiment left the 7-year-old monkey’s brain mutilated wanted to wait another day. And so they did.

As the attending staff sat back and observed, the monkey seized and vomited. Her pupils reacted less and less to the light. Her right leg went limp, and she could no longer support the weight of her 15-pound body without gripping the bars of her cage. One attendant moved a heat lamp beside her to try to stop her shaking. Sometimes she would wake and scratch at her throat, retching and gasping for air, before collapsing again, exhausted.

An autopsy would later reveal that the mounting pressure inside her skull had deformed and ruptured her brain. A toxic adhesive around the Neuralink implant bolted to her skull had leaked internally. The resulting inflammation had caused painful pressure on a part of the brain producing cerebrospinal fluid, the slick, translucent substance in which the brain sits normally buoyant. The hind quarter of her brain visibly poked out of the base of her skull.

Elon Musk says no primates died as a result of Neuralink’s implants. A WIRED investigation now reveals the grisly specifics of their deaths as US authorities have been asked to investigate Musk’s claims.

On September 13, 2018, she was euthanized, records obtained by WIRED show. This episode, regulators later acknowledged, was a violation of the US Animal Welfare Act; a federal law meant to set minimally acceptable standards for the handling, housing, and feeding of research animals. There would be no consequences, however. Between 2016 and 2021, the United States Department of Agriculture (USDA) enforced the humane treatment of animals through what it called “teachable moments.” Because the center—home to a colony of nearly 5,000 primates run by the University of California–Davis—had proactively reported the violation, it could not be legally cited.

And neither could Neuralink. “If you want to split hairs,” a former employee tells WIRED, “the implant itself did not cause death. We sacrificed her to end her suffering.” The employee, who signed a confidentiality agreement, asked not to be identified.

****Got a Tip?****

Missing from the veterinary records released by the university are hundreds of photographs taken by the primate center’s staff between 2018 and 2020 of Neuralink’s test subjects. Though publicly funded, thus bound by California’s open records law, UC Davis has fought disclosure of the photographs for more than a year. Releasing them, it says, would not serve the public’s interest.

Meanwhile, videos of the experiments have seemingly vanished. Documents obtained by WIRED show that the primate center’s staff wrote about reviewing a “tape” of the aforesaid monkey hours before they stopped her heart. The school has not acknowledged that such a tape exists, and Neuralink, whose partnership with the school ended three years ago, was permitted to store its own footage and remove it from the property when it wished.

“They provided their own computing infrastructure, and they had their own network connection, and they have removed their computing infrastructure from the premises,” the school said in a September 2021 email to the Physicians Committee for Responsible Medicine, which is suing UC Davis for the release of images and videos of Neuralink’s experiments there. “The IT staff at the California National Primate Research Center were in no way involved with any aspects of the creation or storage of Neuralink’s video content,” the school added.

Records show that the school ordered Neuralink to request permission before recording any of the animals. And the school reserved the right to view the footage.

Internal emails reviewed by WIRED show that Neuralink, founded and owned by Elon Musk, had tight control over what UC Davis was allowed to divulge about the experiments. Interviews with sources familiar with the tests shed light on the tensions between the school and outside groups over the public’s right to know about research it’s subsidizing.

The sources say secrecy is given top priority, not merely because of the proprietary research being conducted at the center, but also out of fear that the public will respond poorly—perhaps violently—to images of the macaques being experimented on. Though the school’s protocols work effectively to prevent images of the experiments from getting out, it could not legally keep hidden all the written records of Neuralink’s procedures.

Macaques procured for Neuralink from UC Davis’ colony were trained months and even years before going under the knife, a former Neuralink employee recently told WIRED. But the prospect for survival was abysmal for some, they say, due in part to “poor planning and poor procedure.” Early on, the Neuralink researcher says, the company lacked personnel crucial to the operation. “We didn’t have any surgical techs. We didn’t even have a veterinary pathologist on staff at the time.”

After an animal was “sacrificed,” few if any records were created. The former employee claims Neuralink worked purposely to keep records of its work out of UC Davis’ hands—specifically to shield them from public records requests. The products under development at the center are proprietary and created for profit, the researcher says, not to “further the knowledge of mankind.”

Emails obtained by WIRED through a public records request show Davis’s staff scrambling in February 2018—the earliest days of the partnership—to get Neuralink’s equipment up and running. The university had agreed to provide the firm with a dedicated on-site network with a secure uplink to a remote facility. In one email, a faculty member noted that Neuralink had been warned against “live streaming” or producing any “recording of actual monkeys.” Asked if the same rules would apply after Neuralink’s equipment was set up, another Davis official said once installed “they can do whatever they want.”

Neuralink did not respond to WIRED’s request to comment. UC Davis spokesperson Andy Fell maintains that the university has complied with the California Public Records Act, having supplied the “vast majority of records” requested by the Physicians Committee. “Some requested items were not provided because they are exempt from disclosure under the law for various reasons set out in court filings,” he says. “All animal research at UC Davis, including contract research like that performed by Neuralink, is conducted under the same rules and regulations and overseen by the UC Davis Institutional Animal Care and Use Committee (IACUC),” Fell adds.

UC Davis’ Institutional Animal Care and Use Committee did not respond to a request for comment.

Davis has released hundreds of pages of emails, contractual documents, memos, and other veterinary records detailing the public university’s work for Neuralink between 2018 and 2020. The descriptions of botched surgeries and the suffering of the subjects was enough to provoke media investigations and coax comments of concern from a handful of lawmakers.

Hundreds of files remain under lock and key—including photographs of the neurological damage that resulted from Neuralink’s work with the macaques. The experiments involved drilling a hole roughly the size of a US dime into the monkey’s skulls, placing electrodes inside their brains, and screwing titanium plates to their skulls. UC Davis says the value of the photos of these operations now lies exclusively in “informing future research and clinical practices,” or what it calls “the refinement of surgical techniques.”

In October 2022, the Physicians Committee sued UC Davis—a public institution, funded in part by US taxpayers—in an attempt to gain access to records of Neuralink’s work. The Physicians Committee, which aims to promote alternatives to animal testing, has many detractors in the scientific community. The American Medical Association, which supports the use of animals in biomedical research, is one of the largest.

The Physicians Committee has argued in California state court that the public has the right to know about any suffering resulting from taxpayer-funded animal tests. “Disclosure of the footage is particularly important because Neuralink actively misleads the public about, and downplays the gruesome nature of, the experiments,” Corey Page, an attorney with Evans and Page who is representing the Physicians Committee in the lawsuit, tells WIRED.

The Physicians Committee’s suit against UC Davis, filed in California state court in Yolo County, is ongoing.

As it is a public records law that UC Davis is fighting, its arguments against greater transparency are centered around what’s best for the public. According to the school's attorneys, that means the public should not see images of Neuralink’s work.

One researcher familiar with the photos conceded they are particularly gruesome. “A macaque skull with the flesh torn out of it is not a pretty image,” they say. The school routinely deals with protesters, the source says. As a result, any visual evidence of experiments or animal subjects are tightly controlled. Filming the monkeys without the permission of the facility’s director is forbidden. Davis exercises the right to “pre-review” any media it allows to be captured.

A typical request for a recording at the colony, approved in August 2019, aimed to capture how a monkey’s breathing caused “vibration and movement” in a brain implant. Neuralink’s researchers emphasized in paperwork obtained by WIRED that the subject would “NOT be in focus” herself.

Court records show Davis’s attorneys have argued that the most likely outcome of releasing the photos is that its own pathologists will simply stop taking them. While losing a “useful note‐taking and memory‐jogging” tool, they say, refusing to take photos at the necropsy stage of the experiments may also run afoul of federal regulatory guidelines, enforced by the USDA and the campus’s own “animal use” committee. Compliance with this committee, incidentally, is a prerequisite of the center’s federal funding.

A document known as a Vaughn index relays the school’s specific rationale for withholding more than 370 photos, which may be subject to release under the 1968 California Public Records Act. The index lays out the theory that viewing the images would have such a visceral impact on the public that fears of reprisal among Davis’ researchers would be detrimental to their work ethic.

It centers on the belief that the public is too naive at large to distinguish between scientific inquiry and senseless butchery. In its own words, there is a high risk of “non‐contextual misinterpretation of the photos by persons who are not privy to the contextual facts.”

“The interest in protecting the safety of public employees and ensuring research that benefits the public can proceed without risk of violence clearly outweighs the public's interest in viewing said photographs,” the document says.

The risk of public officials being harassed is a factor addressed by most, if not all, open records laws in the United States, which are traditionally built on a presumption that favors disclosure. In most cases, being a mid- to low-level employee is enough to warrant redaction by default–a rule that is generally observed, as well, by professional news organizations. In veterinary records reviewed by WIRED, Davis has consistently censored the names of all of its staff, including those at director level. The university has even redacted identifying information about the animals, including their names and other identifiable information.

In part, Davis argues that the photos represent what’s called a “deliberative” work product. Public officials are often protected from disclosing information that reflects meditations on policies that have yet to become rule or law. The object is to encourage debate and consideration of all ideas—not just the ones assumed to be good from the start. This privilege, however, does not extend to documents related to policies actually enacted. And the school states clearly that the photos it’s choosing to withhold have been kept only to inform future policy.

History shows there are other consequences to the release of photographs specifically with regards to animal treatment. The creation of the US Animal Welfare Act can be tied to the public’s reaction to evidence of animal abuse published more than 60 years ago in _Life_ magazine. Without being able to see what _Life_ audaciously called “concentration camps for dogs,” it’s difficult to predict just how long it would have been before the United States finally adopted a law to protect animals that are bought, sold, and experimented upon.

Neuralink ended its partnership with UC Davis in September 2020, but the Physicians Committee claims that it continues to employ the same neurosurgeon and many of the staff responsible for the experiments that poisoned, maimed, and ultimately killed at least 12 macaque monkeys.

Last month, the company announced that it is preparing to start human trials after receiving a green light from the US Food and Drug Administration. Since ending its partnership with Davis, Neuralink has brought its testing in-house—far from the prying eyes of journalists, animal welfare groups, and the jurisdiction whose records laws first shed light on its practices.

How Neuralink Keeps Dead Monkey Photos Secret

Victims of the MOVEit breach continue to come forward. But the full scale of the attack is still unknown.

In a field of shocking, opportunistic espionage campaigns and high-profile digital attacks on popular businesses, the biggest hack of 2023 isn’t a single incident, but a juggernaut of related attacks that keeps adding victims to its score. In the coming months, more people, as many as tens of millions, could find out that their sensitive information has been compromised. But more still will likely never learn of the situation or its impact on them.

Since May, mass exploitation of a vulnerability in the widely-used file transfer software MOVEit has allowed cybercriminals to steal data from a dizzying array of businesses and governments, including Shell, British Airways, and the United States Department of Energy. Progress Software, which owns MOVEit, patched the flaw at the end of May, and broad adoption of the fix ultimately halted the rampage. But the “Clop” data extortion gang had already orchestrated a far-reaching smash and grab. And months later, the full extent of the damage is still coming into view.

Last week, Ontario’s government birth registry, BORN Ontario, said that it suffered a MOVEit-related attack earlier this year in which hackers stole sensitive personal data from 3.4 million people, including 2 million babies as well as expectant parents and those seeking fertility care. The compromised health data dates from January 2010 to May 2023. While organizations like BORN continue to disclose a slow trickle of MOVEit incidents, researchers say that the number of suspected attacks—and the total number of people whose data has already been stolen in these incidents—far exceeds what has come to light.

“I don’t think we’re done hearing about this by any means. We’re going to keep seeing that rolling disclosure over probably the next few months,” says Emily Austin, security research manager and senior researcher at the threat intelligence firm Censys. “These companies are completing their investigations—they’re starting to notify customers who might have been affected.”

Austin points out that one of the nuances of the MOVEit situation is that it is a true software supply chain security issue. The vulnerabilities existed in two versions of the MOVEit service: the cloud service known as MOVEit Cloud, and the local version that institutions run themselves on their premises, known as MOVEit Transfer. The latter is where most of the exploitation occurred. But many organizations that had data stolen in MOVEit exploitation attacks weren’t directly using it. Instead, they’d collaborated with a third party or contracted with a vendor that does. Attackers were able to steal whatever data they could grab from vulnerable MOVEit systems, whether the information was from one institution or many.

“An advanced and persistent threat actor used a sophisticated, multi-stage attack to exploit this zero-day vulnerability, and we are committed to playing a collaborative role in the industry-wide effort to combat cybercriminals intent on maliciously exploiting vulnerabilities in widely used software products,” Progress Software said in a statement.

Centralized data repositories like MOVEit have been particularly appealing targets to Clop, which is known for strategically exploiting systems embedded in the software supply chain, including multiple file transfer tools. Earlier this year, Clop claimed it breached more than 100 organizations by abusing the GoAnywhere file transfer tool. The gang also mounted a massive data extortion campaign at the end of 2020 by exploiting flaws in Accellion networking equipment.

The MOVEit incident eclipses them, though, both in the number of victim organizations and individuals whose data was compromised. Antivirus company Emsisoft has been tracking the number of MOVEit victim organizations that have publicly declared they were impacted since May. The researchers have combed individual US state breach notifications, filings with the US Securities and Exchange Commission, public disclosures, and Clop's own disclosure website to tabulate and reconcile the true toll of the attacks.

To date, Emsisoft has concluded that 2,167 organizations have been impacted by the sprawling campaign. The number had been hovering around 1,000 in recent months, but it jumped significantly when the National Student Clearinghouse revealed 890 colleges and universities across the US—including Harvard University and Stanford University—had been impacted by MOVEit breaches. Organizations in the US account for 88.8 percent of known victims, according to Emsisoft, while a smattering of other organizations in Germany, Canada, and the UK have also been exposed by Clop and come forward.

According to Emsisoft’s analysis, around 1,841 organizations have disclosed breaches, but only 189 of them have specified how many individuals were impacted by the incident. From these detailed disclosures, Emsisoft has found that more than 62 million individuals had their data breached as part of Clop’s MOVEit spree. But since there are estimated to be nearly 2,000 organizations that have not revealed how many individuals had personal data affected in their breaches—and since researchers have concluded that there are other impacted organizations that haven’t come forward at all—the true total of people whose data was compromised is likely even larger, possibly on the scale of hundreds of millions of individuals, according to Emsisoft.

“It’s inevitable that there are corporate victims that don’t yet know they’re victims and there are individuals out there who don’t yet know they’ve been impacted,” says Brett Callow, a threat analyst at Emsisoft. “MOVEit is especially significant simply because of the number of victims, who those victims are, the sensitivity of the data that was obtained, and the multitude of ways that data can be used.”

Censys’ Austin says file transfer tools are by their nature a “fantastic target” for cybercriminals. The whole purpose of the tools is to manage and share data, so these services are often trusted with large volumes of sensitive information. BORN Ontario said in a statement last week that the data taken in the breach was from those “seeking pregnancy care and newborns.” This included lab test results, pregnancy risk factors, and procedures. Names, dates of birth, government ID numbers like Social Security numbers, addresses, and more have all been compromised in other MOVEit incidents.

While cybercriminal groups often make headlines for attention-grabbing ransomware or extortion attacks, such as those against casinos, persistent and unrelenting theft, publication, extortion, and trade of people’s sensitive data from sprees like the MOVEit rampage can ruin lives—a cumulative reality that is often overshadowed by individual incidents where profits are on the line. Hacks on schools have revealed details of sexual assaults, child abuse allegations, and suicide attempts, with the Associated Press reporting individuals often don’t know the details have been published. Meanwhile, breaches of mental health service providers have exposed patients’ records.

Callows says that he suspects the slow drip of MOVEit-related disclosures “will rumble on for years.” More broadly, he and Austin emphasize that defenders should prepare for cybercriminals to continue targeting widely-used data management software. As Callow puts it, “MOVEIt isn’t the first file transfer application to be exploited and it likely will not be the last.”

Just last week, MOVEit developer Progress Software disclosed a new set of vulnerabilities in one of its file transfer tools for servers, known as WS\_FTP Server, along with patches for the flaws. The company says that it has not “currently” seen evidence that the bugs are being actively exploited.

The Biggest Hack of 2023 Keeps Getting Bigger

A software company sold a New Jersey police department an algorithm that was right less than 1 percent of the time.

_This article was_ _copublished_ _with_ _The Markup__, a nonprofit, investigative newsroom that challenges technology to serve the public good. Sign up for its newsletters_ _here_.

Crime predictions generated for the police department in Plainfield, New Jersey, rarely lined up with reported crimes, an analysis by The Markup has found, adding new context to the debate over the efficacy of crime prediction software.

Geolitica, known as PredPol until a 2021 rebrand, produces software that ingests data from crime incident reports and produces daily predictions on where and when crimes are most likely to occur.

We examined 23,631 predictions generated by Geolitica between February 25 and December 18, 2018, for the Plainfield Police Department (PD). Each prediction we analyzed from the company’s algorithm indicated that one type of crime was likely to occur in a location not patrolled by Plainfield PD. In the end, the success rate was less than half a percent. Fewer than 100 of the predictions lined up with a crime in the predicted category, that was also later reported to police.

Diving deeper, we looked at predictions specifically for robberies or aggravated assaults that were likely to occur in Plainfield and found a similarly low success rate: 0.6 percent. The pattern was even worse when we looked at burglary predictions, which had a success rate of 0.1 percent.

“Why did we get PredPol? I guess we wanted to be more effective when it came to reducing crime. And having a prediction where we should be would help us to do that. I don't know that it did that,” says captain David Guarino of the Plainfield PD. “I don't believe we really used it that often, if at all. That's why we ended up getting rid of it.”

Guarino noted that concerns about accuracy and the department’s general disinterest in using the software suggested that the money paid for Geolitica’s software could have been better spent elsewhere.

The Reading Police Department in Reading, Iowa, introduced Predpol, now rebranded as Geolitica, in 2013.

Photograph: Susan L. Angstadt/Getty Images

“We do have a mentoring program,” Guarino says. “We could probably put \[the money\] toward that, for the summertime. We used to have about 80 kids.” A contract between the department and Geolitica listed a $20,500 subscription fee for its first annual term, and then $15,500 for a yearlong extension.

We sent our findings and methodology to Geolitica prior to publication. Representatives did not respond to multiple requests for comment.

A report from WIRED last week revealed that Geolitica is ceasing operations at the end of this year. SoundThinking, a law enforcement technology company previously known as ShotSpotter, has hired Geolitica’s engineering team, but not its senior leadership, and is in the process of acquiring some of its intellectual property. Geolitica’s current customers are being transitioned into SoundThinking’s patrol platform.

“We believe that offering our law enforcement partners the ability to deploy their limited staffing resources has tremendous merit and that when fully integrated into Resource Router, these highly complementary assets will create a best-in-class deployment system for agencies of all sizes,” SoundThinking senior vice president Sam Klepper wrote in a statement to The Markup.

Information about the shutdown and customer transition to SoundThinking was not posted on Geolitica’s website or social media accounts. SoundThinking also purchased HunchLab, another predictive policing company, from Azavea in 2018.

Klepper explains that SoundThinking plans on incorporating some of Geolitica’s algorithms into its own existing systems, but “the algorithms mentioned do not include any crime prediction modeling source code at all. SoundThinking did not purchase any of Geolitica's crime prediction technology or source code.”

In 2021, The Markup published an investigation in partnership with Gizmodo showing that Geolitica’s software tended to disproportionately target low-income, Black, and Latino neighborhoods in 38 cities across the country. Our investigation was based on data downloaded in January 2021 from an unprotected cloud storage server linked from a page on the Los Angeles Police Department’s website. That server stored predictions Geolitica had provided to police departments in dozens of cities across the country over nearly three years. Access to that server was later restricted.

Our \[The Markup’s\] investigation stopped short of analyzing precisely how effective Geolitica’s software was at predicting crimes because only two out of 38 police departments provided data on when officers patrolled the predicted areas. Geolitica claims that sending officers to a prediction location would dissuade crimes through police presence alone. It would be impossible to accurately determine how effective the program is without knowing which predictions officers responded to and which ones they did not respond to.

After we requested this information from the 38 departments in our original investigation, only Plainfield provided us with more than one day’s worth of data on officer patrol locations.

We tested Geolitica’s accuracy by comparing the system’s predictions to crime reports, which only capture crimes reported to police, not instances when someone was victimized but elected not to inform law enforcement. The Bureau of Justice Statistics reported that less than half of violent and property crimes were reported to police in 2022. Reporting rates are also inconsistent across demographic groups. The agency found in a 2012 report that Black, Latino, and lower-income crime victims were more likely to report the crime than White people and people from higher-income households.

Plainfield police officers reported visiting 129 of the 23,760 prediction locations provided by Geolitica, according to the data. To conduct our analysis, we filtered out those predictions to sidestep the issue of police presence deterring potential crimes, and compared the rest against a list of crime incident reports obtained through public records requests. Each prediction was assigned to one of the department’s four daily patrol shifts, and each shift lasted 11 hours and 15 minutes. If a crime occurred in that location during the shift period, we counted it as a correct prediction.

The lengths of these prediction windows was a major problem, American University law professor Andrew Ferguson, who authored the book _The Rise of Big Data Policing,_ tells The Markup after being informed of our findings. "The timing piece is a flawed system,” he says. “The precision of it was supposed to be having the officers at the right time at the right place, not ‘during an entire day’s shift, there will be crime.’”

Plainfield officials say they never used the system to direct patrols. Instead, officials say all of the instances when the automated monitoring system tagged police vehicles as having visited a prediction location were coincidental overlaps that naturally occurred as officers regularly traveled across the geographically small, largely suburban community. To account for all possibilities, The Markup ran its analysis with the patrolled prediction locations both included and filtered out, and did not see a significant difference in the results.

Records showed that none of the five arrests that occurred in prediction locations during the time period of our analysis could have conceivably been due to officers responding to a Geolitica prediction, which Guarino also confirmed. Similarly, we asked the other 37 departments in our previous investigation if they could point to any arrests that came as a direct result of a Geolitica prediction, but none could. Representatives from neither the National Association of Criminal Defense Lawyers nor the National District Attorneys Association could recall a case going to trial where the arrest came as a direct result of an algorithmic crime prediction.

Despite Plainfield officials’ assertions that the software wasn’t used to inform where officers went, there is a quote on Geolitica’s website from former Plainfield police officer sergeant Larry Brown hailing the program. “Robbery at a restaurant ... PredPol prediction and robbery was 10 ft. away,” wrote Brown. “I train our 100+ officers on how to patrol PredPol boxes and I love our successes.”

In an email to The Markup, Guarino wrote that he wasn’t familiar with the incident Brown, who retired in 2018, mentioned and didn’t “know how Sgt. Brown came to that conclusion.” Multiple attempts to contact Brown were unsuccessful.

A major problem with Geolitica’s system, as it was used in Plainfield, is that there were a massive number of predictions compared to a relatively small number of crimes. In a 2021 email to The Markup regarding our previous investigation into the company’s algorithm, Geolitica CEO Brian MacDonald wrote that the number of predictions generated in each area was set by the law enforcement agency using the software. The data we received for Plainfield, which has a population of around 54,000, had 80 predictions per day for just a handful of crime types, while the maximum number of crimes of any type reported in a single day was 22 during the analysis period. This volume of predictions sits below the median of 107 daily predictions for the 37 other jurisdictions we analyzed in our original investigation. Some larger cities had far more predictions, like Los Angeles, which averaged just over a thousand daily. But there were cities smaller than Plainfield, like Niles, Illinois, which has around half Plainfield’s population, with a large volume of daily predictions—231, on average.

In her 2019 master’s thesis for the Naval Postgraduate School, Ana Lalley, police chief of Elgin, Illinois, wrote critically about her department’s experience with the software, which left officers unimpressed. “Officers routinely question the prediction method,” she wrote. “Many believe that the awareness of crime trends and patterns they have gained through training and experience help them make predictions on their own that are similar to the software’s predictions.”

Lalley added that when the department brought those concerns to Geolitica, the company warned that the software “may not be particularly effective in communities that have little crime.” Elgin, a Chicago suburb, has about double Plainfield’s population.

“I think that what this shows is just how unreliable so many of the tools sold to police departments are,” says Dillon Reisman, founder of the American Civil Liberties Union of New Jersey’s Automated Injustice Project. “We see that all over New Jersey. There are lots of companies that sell unproven, untested tools that promise to solve all of law enforcement’s needs, and, in the end, all they do is worsen the inequalities of policing and for no benefit to public safety.”

David Weisburd, a criminologist who served as a reviewer on a 2011 academic paper coauthored by two of Geolitica’s founders, recalls approving their ideas around crime modeling at the time, but warns that inaccurate predictions can have their own negative externalities outside of wasting officers’ time.

“Predicting crimes in places where they don’t occur is a destructive issue,” Weisburd says. “The police are a service, but they are a service with potential negative consequences. If you send the police somewhere, bad things could happen there.”

One study found that adolescent Black and Latino boys stopped by police subsequently experienced heightened levels of emotional distress, leading to increased delinquent behavior in the future. Another study found higher rates of use of force in New York City neighborhoods led to a decline in the number of calls to the city’s 311 tip line, which can be used for everything from repairing potholes to getting help understanding a property tax bill.

“To me, the entire benefit of this type of analysis is using it as a starting point to engage police commanders and, when possible, community members in larger dialog to help understand exactly what it is about these causal factors that are leading to hot spots forming,” says Northeastern University professor Eric Piza, who has been a critic of predictive policing technology.

For example, the city of Newark, New Jersey, used risk terrain modeling (RTM) to identify locations with the highest likelihood of aggravated assaults. Developed by Rutgers University researchers, RTM matches crime data with information about land use to identify trends that could be triggering crimes. For example, the analysis in Newark showed that many aggravated assaults were occurring in vacant lots.

The RTM then points to potential environmental solutions that come from across local governments, not just police departments. A local housing organization used that New Jersey data to prioritize lots to develop for new affordable housing that could not only increase housing stock but also reduce crime. Other community groups used the crime-risk information to convert city-owned lots to well-lighted, higher-trafficked green spaces less likely to attract crime.

Newark police are seen at the scene after a fatal shooting on August 17, 2023.

Photograph: Kyle Mazza/Getty Images

Even Geolitica seems to be moving away from its original core functionality of crime predictions and toward pitching itself as a broader platform for managing police department data. Both Geolitica’s patrol management platform, and the one operated by SoundThinking, advertise that they can incorporate elements of risk terrain modeling into their systems.

A pitch presentation, prepared for the police department in San Ramon, California, last year and obtained through a public records request, offered three tiers of service the department could purchase, with only the highest-cost option providing “automated daily patrol guidance.” The lower levels offered services designed to help departments better understand their operations, like creating heat maps showing the frequency of officer patrols in each part of a jurisdiction and allowing the department to independently set their own locations for officers to patrol. San Ramon Police Department records manager Jessica Simonds tells The Markup that the department subscribed to the lowest level, without the automated predictions.

A Geolitica patrol heat map showing the frequency of officer patrols in parts of Elgin, Illinois.

Courtesy of San Ramon Police Department

“The problem with predictive policing is the policing part,” says Ferguson. “The data about where crime occurs and where victimization occurs, that's something that should be studied. But that doesn't mean that the solution is policing. It might mean the solution is figuring out why people are victimized and funding the solution to that.”

Source

Wired