Security researchers are publishing 1,000 email addresses they claim are linked to North Korean IT worker scams that infiltrated Western companies—along with photos of men allegedly involved in the schemes.

The young developers are having the time of their lives. They pop open bottles of sparkling wine, eat steak dinners, play soccer together, and lounge around in a luxurious private swimming pool, all of their activity captured in photos that were later exposed online. In one picture, a man poses in front of a life-sized _Minions_ cardboard cutout. But despite their exuberance, these are not successful Silicon Valley entrepreneurs; they’re IT workers from the Hermit Kingdom of North Korea, who infiltrate Western companies and send their wages back home.

Two members of a cluster of North Korean developers, who allegedly operated out of Southeast Asian country Laos before being relocated to Russia by the beginning of 2024, are today being identified by researchers at cybersecurity company DTEX. The men, who DTEX believes have used the personas ‘Naoki Murano’ and ‘Jenson Collins,’ are alleged to have been involved in raising money for the brutalist North Korean regime as part of the widespread IT worker epidemic, with Murano alleged to have previously been linked to a $6 million heist at crypto firm DeltaPrime last year.

For years, Kim Jong-un’s North Korea has posed one of the most sophisticated and dangerous cyber threats to Western countries and businesses, with its hackers stealing the intellectual property needed to develop its own technology, plus looting billions in crypto to evade sanctions and create nuclear weapons. In February, the FBI announced that North Korea pulled off the biggest ever crypto heist, stealing $1.5 billion from crypto exchange Bybit. Alongside its skilled hackers, Pyongyang’s IT workers, who often are based in China or Russia, trick companies into employing them as remote workers and have become an increasing menace.

“What we’re doing isn’t working, and if it is working, it’s not working fast enough,” says Michael ‘Barni’ Barnhart, a leading North Korean cyber researcher and principal investigator at DTEX. As well as identifying Murano and Collins, DTEX, in a detailed report about North Korean cyber activity, is also publishing more than 1,000 email addresses that it alleges to have been identified as linked to North Korean IT worker activity. The move is one of the largest disclosures of North Korean IT worker activity to date.

North Korea’s broad cyber operations can’t be compared with those of other hostile nations, such as Russia and China, Barnhart explains in the DTEX report, as Pyongyang operates like a “state-sanctioned crime syndicate” rather than more traditional military or intelligence operations. Everything is driven by funding the regime, developing weaponry, and gathering information, Barnhart says. “Everything is tied together in some way, shape, or form.”

**The Misfits Move In**

Around 2022 and 2023, DTEX claims both Naoki Murano and Jenson Collins—their real names are not known—were based in Laos and also travelled between Vladivostok, in Russia. The pair appeared among a wider group of possible North Koreans in Laos, and a cache of their photos were first exposed in an open Dropbox folder. The photos were discovered by a collective of North Korean researchers who often collaborate with Barnhart and call themselves a “Misfit” alliance. In recent weeks, they’ve posted numerous images of purported North Korean IT workers online.

North Korea’s IT workers are prolific in their activities, often trying to infiltrate multiple companies simultaneously by using stolen identities or creating false personas to try to appear legitimate. Some use freelance platforms; others try to recruit international facilitators to run laptop farms. While their online personas may be fake, the country—where millions do not have basic human rights or access to the internet—steers talented children into its education pipeline where they can become skilled developers and hackers. That means many of the IT workers and hackers are likely to know each other, potentially since they were children. Despite being technically adept, they often leave a trail of digital breadcrumbs in their wake.

Murano was first linked to North Korean operations publicly by cryptocurrency investigator ZachXBT, who published the names, cryptocurrency wallet details, and email addresses of more than 20 North Korean IT workers last year. Murano was then linked to the DeltaPrime heist in reporting by Coinbase in October.. Members of the Misfits collective have shared photos of Murano looking pleased with himself while eating steak and a picture of an alleged Japanese passport.

Meanwhile, Collins, who DTEX included in its report and who was featured in swimming pool photos included in the Dropbox folder, was most commonly involved in IT work that generated revenue for Pyongyang, says narcass3 a member of the Misfits who asked to be identified by their online handle. “He seems to have mainly just worked on crypto/blockchain projects, including one which seems to be completely DPRK backed or primarily made up of IT workers,” narcass3 says.

Evan Gordenker, a consulting senior manager at the Unit 42 threat intelligence team of cybersecurity company Palo Alto Networks, says he is familiar with the two personas identified by DTEX and other outlets and the cluster of North Korean workers that were based in Laos. The group were putting out a lot of job applications, creating fake personas, and searching for potential accomplices, the researcher says. “It seemed to me like they also enjoyed a level of autonomy that I don't think you tend to see for some of the \[IT worker\] groups,” Gordenker says. “I don't know if that’s because they generated more money and earned more privileges or just because they happened to have a group lead that operated in that way.”

An email address in Murano’s name bounced back when contacted by WIRED. Meanwhile an email address in Collins’ name did not respond to a request for comment.

**Hiding in Plain Sight**

Pyongyang’s IT workers have been operating for the best part of a decade, but attention on their activities has intensified in the last 12 months as Fortune 500 companies realized they have inadvertently hired North Koreans. Teams of hackers and IT workers are set “earnings quotas” by Kim Jong-un’s regime, Barnhart says, with IT workers operating from multiple different North Korean military and intelligence organizations. One IT worker that made $5,000 per month could keep $200 of it, the investigator says.

Malicious IT workers, who may be likely to steal as well as earning money, are a part of the country’s recently revealed AI organization called 227 Research Center, which is part of the the primary intelligence agency the Reconnaissance General Bureau, while others are part of teams at the Ministry of National Defense, according to a cyber organization chart published by Barnhart in the DTEX report. IT workers that solely try to generate revenue from their jobs may be part of the Munitions Industry Department, the research says.

The relatively recent uptick in scrutiny around IT workers has come amid a growing US government crackdown: In May 2023, it sanctioned North Korean company Chinyong Information Technology Cooperation Company for employing IT workers in Laos and Russia, while at the start of this year, two North Korean front companies and their China- and Laos-based bosses were sanctioned by the US Treasury Department. The Treasury said IT worker groups earn “hundreds of millions of dollars” for the regime, and thousands of IT workers are dispatched around the world.

“IT workers play the numbers game and are applying for remote roles in volume,” says Rafe Pilling, director of threat intelligence, at Sophos’ Counter Threat Unit. That means they often make errors. “They seem to operate at such a pace that they can make mistakes like leaving Github repositories of CVs and tools publicly accessible, leaving comments in code and scripts, making mistakes across CV’s that make them easier to spot as fakes, and slip-ups on camera during interviews that can reveal subterfuge.”

Alongside identifying Murano and Collins, DTEX also published more than 1,000 email addresses allegedly linked to North Korean IT worker operations that have been gathered through investigations and collaboration with researchers. Each email address has been provided by multiple sources, Barnhard says. A WIRED analysis of almost two dozen of the emails, using open-source intelligence tools and a database of material leaked online, shows few of them appear to have any signs of authentic online behavior; some email addresses are linked to online developer tools or freelancing websites, with others having very little online presence.

“There’s quite a bit of reuse of personas and some of them last years and years,” Unit 42’s Gordenker says. Others might be used just once, Gordenker says, but the scammers can quickly create new personas if needed. “You’ll see a persona that works, for instance, can sometimes have four or five, six different jobs across the lifespan.”

As more IT workers are identified, they are increasingly adopting their tactics to try to make themselves harder to spot. Multiple cybersecurity researchers have found North Koreans using face-changing software during video interviews or using AI assistants to help answer questions in real-time.

**Changing Faces**

The IT worker stands in the middle of the cramped room and poses for his photo. A clock on the wall reads 11:30. In the background, three other men wearing military uniforms hunch over computers. A rack of laundry appears at the back of the room in the photo, which was first published by DTEX. “There’s a lot to unpack in that one image,” Barnhart says.

Barnhart explains that while much is unknown about the photo, it reveals some details about how the group of IT workers operate. One of the men, in the far right corner of the photograph, appears to have WhatsApp messages open on his computer screen, with multiple chats ongoing. Attached to the wall above him is a surveillance camera.

“The MSS watches them so they don’t become defectors,” Barnhart says, referring to North Korea’s counterintelligence agency and secret police, the Ministry of State Security. As the men are based out of a small work space, they are likely to lower down the pecking order of IT workers and will, like their compatriots, also face digital surveillance when they use their computers, he says. Barnhart says software he has seen monitors what the IT workers type and send on their devices. “They hate it,” he says. “It sends flags out to external servers whenever sexual imagery or sexual content is talked about or if Kim Jong-un is \[mentioned\].” Other researchers have spotted suspected IT workers ending job interviews when asked a variation on the question: “How fat is Kim Jong-un?”

While it’s unclear where the men in the room may be physically located, there are signs that the portrait photograph of the central subject has been used to create a false persona. Subsequent images obtained by Barnhart show the man edited into different clothes and turned into a cartoon-style illustration of his face.

“It shows him messing with the hairline. It shows him altering features, it shows him basically getting his profiles ready,” Barnhart says. One of these photos—of him edited into a leather jacket—appears on the website of “Benjamin Martin,” a self-styled web3 and full-stack developer.

Aside from appearing to be the North Korean from the IT worker photo, two of the companies listed on Martin’s online CV tell WIRED they have not heard of the persona, let alone employed him. One of the firms said it was not fully incorporated during most of the time the Martin persona listed he was working there. Martin did not respond to messages sent to the email listed on the developer webpage while a Telegram account linked to a phone number on Martin’s website responded “yes” in a limited Chinese-language exchange when asked if they were a North Korean IT worker.

Ultimately, Barnhart says, people need to understand how North Korean hackers and IT workers are operating, with fluidity between groups and approaches, before significant disruption of their efforts can take place. “We need to refocus, we need to reshape,” Barnhart says. “North Korea has already moved on to their next point and now they're subcontracting and creating another layer of obfuscation there, too.”

North Korean IT Workers Are Being Exposed on a Massive Scale

A new extra-secure mode for Android 16 will let at-risk users lock their devices down.

With the rise of mercenary spyware and other targeted threats, tech giants like Apple, Google, and Microsoft have spent the last few years trying to figure out how to protect the digital lives of their most at-risk, vulnerable users around the world. On mobile, the launch of Apple's iOS Lockdown Mode in 2022 was one concerted effort to shed nonessential functionality in favor of maximum security—a trade-off most users wouldn't want to make, but that could be very worth it for a public figure, activist, journalist, or dissident living under daily scrutiny and threat of attack. For years, Google has offered a program for a similar demographic called Advanced Protection that focuses on adding additional layers of monitoring and security to vulnerable users' Google accounts, a core piece of many people's digital lives that could be devastating if compromised. Now, Google is extending Advanced Protection with a suite of features for Android 16.

On Tuesday, the company announced an Advanced Protection mode for phones running the newest version of Android. At its core, the mode is designed around imposing strong security settings on all apps and services to silo data as much as possible and reduce interactions with unsecured web services and previously unknown, untrusted individuals. Advanced Protection on Android is meant to be as usable and flexible as possible, though, leaning on Google's rapidly expanding on-device AI scanning capabilities to provide monitoring and alerts without having to completely eliminate features. Still, the mode imposes restrictions that can't be turned off, like blocking phones from connecting to historic 2G data networks and disabling Chrome's Javascript optimizer, which could alter or break some web functionality on some sites.

“There are two classes of things that we use to defend the user. One is you obviously harden the system, so you try to lock things down, you prevent many forms of attacks," says Dave Kleidermacher, vice president of engineering at Android’s security and privacy division. "But two is you can't always prevent every attack entirely. But if you can detect that you've been compromised, you can take some sort of corrective action. In consumer security on mobile this detection has never really been a possibility, so that's one of the big things we've done here."

This monitoring and detection capability, known as Intrusion Logging, uses end-to-end encryption to indelibly store logs from your device in the cloud such that they can't be accessed by Google or any party aside from you, but also in a form that can't be deleted or modified, even if your device and Google account are compromised.

Logging and system monitoring tools are common on laptops and desktops—not to mention in enterprise IT environments—but offering the capabilities for consumers on mobile devices is more unusual. As with any scheme that takes data off a device and puts it in the cloud, the system does introduce some new risks, but Google and Google Cloud Services already run many end-to-end encrypted platforms for users, and Kleidermacher notes that the ability to create indelible logs that can't be manipulated or deleted by a sophisticated attacker is invaluable in addressing targeted attacks.

“The main innovation here is you have an audit log mechanism to detect compromise that is actually resistant to device tampering,” he says. “It's bringing intrusion detection to the consumer. So if you as a consumer suspect a problem and you're not sure, you can pull the logs down from the cloud. You can share them with a security expert, you can share them with an NGO, and they can use tools for analysis.”

Another feature that is on by default and can't be turned off in Advanced Protection is Android's Memory Tagging Extension (MTE). The feature, which debuted for Google's Pixel line and is starting to be adopted in processors on other devices, is a hardware security protection related to how a system manages its memory. If an attacker attempts to exploit a memory vulnerability such as a so-called buffer overflow, MTE will cause the process to fail, stopping the attack in its tracks. Memory corruption bugs are a common tool used by hackers, so neutering the entire class of vulnerabilities makes it much more difficult to attack a device.

Most Advanced Protection features will launch next week with Android 16, but Google says that Intrusion Logging is coming later this year along with features like USB protections that will prevent untrusted peripherals from using your phone's charging port for data transfers. And Google is also offering an API for integrating Advanced Protection directly into third-party apps. When a user turns Advanced Protection on, Android will impose enhanced defenses broadly across the operating system, but third-party integration will enable deeper defenses within non-Google apps.

“You want to prevent as much as you can, and a lot of these features are locking down the phone in ways that will make some attacks just much, much harder for attackers, more expensive, or even impossible,” Kleidermacher says.

Courtesy of Google

Google’s Advanced Protection for Vulnerable Users Comes to Android

Android’s “Scam Detection” protection in Google Messages will now be able to flag even more types of digital fraud.

Digital scammers have never been so successful. Last year Americans lost $16.6 billion to online crimes, with almost 200,000 people reporting scams like phishing and spoofing to the FBI. More than $470 million was stolen in scams that started with a text message last year, according to the Federal Trade Commission. And as the biggest mobile operating system maker in the world, Google has been scrambling to do something, building out tools to warn consumers about potential scams.

Ahead of Google’s Android 16 launch next week, the company said on Tuesday that it is expanding its recently launched AI flagging feature for the Google Messages app, known as Scam Detection, to provide alerts on potentially nefarious messages like possible crypto scams, financial impersonation, gift card and prize scams, technical support scams, and more. Combined with other AI security features for Google Messages—all of which run locally on users’ devices and do not share data or message content with the company—Android is now detecting roughly 2 billion suspicious messages a month.

“The fraud is truly heartbreaking,” says Dave Kleidermacher, vice president of engineering at Android’s security and privacy division. “There’s really a very huge amount—almost epidemic and a scourge to humanity—of financial scams that are all across the world.”

Scammers operate all over the world, but Chinese scam groups particularly are behind millions of fraudulent messages, demanding things like “toll” payments or information for alleged postal service deliveries. When people click the links and enter their details, including payment information, scammers steal their data. In some cases, the scams are designed as a sort of smash-and-grab, where attackers quickly trick users into giving up some crumbs of information, like a pair of login credentials or a credit card number. These scams tend to be more formulaic and are potentially easier to detect. The more complex challenge is in detecting highly involved investment or romance scams—often called pig butchering scams—that build and evolve over months of messaging while scammers build a rapport with their targets before tricking them into handing over their life savings or even going into debt to send more money.

“It takes time for them to get to the scam—it’s not just click on the link,” Kleidermacher says. “By having the AI on-device, you can actually watch and observe these more sophisticated conversations and then detect their scams.”

Courtesy of Google

Courtesy of Google

In a screenshot of the Scam Detection feature provided by Google, an encrypted RSC chat shows a typical scam message saying an EZ Pass toll payment is outstanding. The message adds that the “legal ability” to drive may be revoked if the payment is not made. The message includes a link that directs someone toward a malicious payment website. The Scam Detection overlay at the bottom of the screen says that “suspicious activity” has been detected in the message and offers a way to report and block the sender, alongside an option that allows people to flag that it is not a scam.

Google is far from the only company using AI to try to combat scammers and stop them from reaching people’s inboxes. Some have turned to using AI to directly fight back against scammers. The British telecom company O2, for example, created an “AI Granny” that is set up to keep scammers on the phone and waste their time. And the online scam baiter Kitboga has created a series of bots to make simultaneous calls to call centers that run scams.

Meanwhile, in recent months, Meta, which owns WhatsApp, Messenger, and Instagram, has started to introduce pop-up warnings when people are asked to make payments in chat messages. Elsewhere, cybersecurity company F-Secure has created a beta tool to help people identify if a message and sender are likely scammers and block messages. Putting a layer of friction in place that nudges people away from messaging accounts they don’t know or replying to messages asking for details can reduce the chances that scammers are successful.

Google’s Kleidermacher says that the company is seeing “really positive impact” from using its machine learning systems to detect potential scam messages in real time. As the protections continue to mature, he notes that the underlying system could eventually proliferate beyond just the Google Messages app into third-party communication platforms.

For now, some of that expansion is starting within Google’s own products. The company also said on Tuesday that it is in the early phases of testing ways to incorporate scam detection for phone calls, but the capability has not been widely deployed.

Google Is Using On-Device AI to Spot Scam Texts and Investment Fraud

Before a crackdown by Telegram, Xinbi Guarantee grew into one of the internet’s biggest markets for Chinese-speaking crypto scammers and money laundering. And all registered to a US address.

As the underground industry of crypto investment scams has grown into one of the world's most lucrative forms of cybercrime, the secondary market of money launderers for those scammers has grown to match it. Amid that black market, one such Chinese-language service on the messaging platform Telegram blossomed into an all-purpose underground bazaar: It has offered not only cash-out services to scammers but also money laundering for North Korean hackers, stolen data, targeted harassment-for-hire, and even what appears to be sex trafficking. And somehow, it's all overseen by a company legally registered in the United States.

According to new research released today by crypto-tracing firm Elliptic, a company called Xinbi Guarantee has since 2022 facilitated no less than $8.4 billion in transactions via its Telegram-based marketplace prior to Telegram’s actions in recent days to remove its accounts from the platform. Money stolen from scam victims likely represents the “vast majority” of that sum, according to Elliptic's cofounder Tom Robinson. Yet even as the market serves Chinese-speaking scammers, it also boasts on the top of its website—in Mandarin—that it's registered in Colorado.

“Xinbi Guarantee has served as a giant, purportedly US-incorporated illicit online marketplace for online scams that primarily offers money laundering services,” says Robinson. He adds, though, that Elliptic has also found a remarkable variety of other criminal offerings on the market: child-bearing surrogacy and egg donors, harassment services that offer to threaten or throw feces at any chosen victim, and even sex workers in their teens who are likely trafficking victims.

Xinbi Guarantee is the second such crime-friendly Chinese-language market that Robinson and his team of researchers have uncovered over the past year. Last July, they published a report on Huione Guarantee, a similar Cambodia-based service that Elliptic said in January had facilitated $24 billion in transactions—largely from crypto scammers—making it the biggest illicit online marketplace in history by Elliptic's accounting. That market's parent company, Huione Group, was added to a list of known money laundering operations by the US Treasury's Financial Crimes Enforcement Network earlier this month in an attempt to limit its access to US financial institutions.

After WIRED reached out to Telegram last week about the illicit activity taking place on Xinbi Guarantee’s and Huione Guarantee’s channels on its messaging platform, Telegram appears to have responded Monday by banning many of the central channels and administrator accounts used by both Xinbi Guarantee and Huione Guarantee. “Criminal activities like scamming or money laundering are forbidden by Telegram's terms of service and are always removed whenever discovered,” Telegram spokesperson Remi Vaughn wrote to WIRED in a statement. “Communities previously reported to us by WIRED or included in reports published by Elliptic have all been taken down.”

Telegram had banned several of Huione Guarantee’s channels in February following an earlier Elliptic report on the marketplace, but Huione Guarantee quickly re-created them, and it’s not clear whether the new removals will prevent the two companies from rebuilding their presence on Telegram again, perhaps with new accounts or even new branding. “These are very lucrative businesses, and they’ll attempt to rebuild in some way,” Robinson said of the two marketplaces following Telegram’s latest purge.

Elliptic’s accounting of the total lifetime revenue of the biggest online black markets.Courtesy of Elliptic

Xinbi Guarantee didn't respond to multiple requests for comment on Elliptic's findings that WIRED sent to the market's administrators on Telegram.

Like Huione Guarantee, Xinbi Guarantee has offered a similar “guarantee” model of enabling third-party vendors to offer services by requiring a deposit from them to prevent fraud. Yet it's flown under the radar, even as it grew into one of the biggest hubs for crypto crime on the internet. In terms of scale of transactions prior to Telegram’s crackdown, it was second only to Huione's market, according to Elliptic.

Both services “offer a window into the China-based underground banking network,” Robinson says. “It's another example of these huge Chinese-language ‘guaranteed’ marketplaces that have thrived for years.”

On Xinbi Guarantee, Elliptic found numerous posts from vendors offering to accept funds related to “quick kills,” “slow kills,” and “pig butchering” transactions, all different terms for crypto investment scams and other forms of fraud. In some cases, Robinson explains, these Xinbi Guarantee vendors offer bank accounts in the same country as the victim so that they can receive whatever payment they're tricked into making, then pay the scammer in the cryptocurrency Tether. In other cases, the Xinbi Guarantee merchants offer to receive cryptocurrency payments and cash them out in the scammer's local currency, such as Chinese renminbi.

Aside from Xinbi Guarantee's central use as a cash-out point for crypto scammers, Elliptic also found that the market's vendors offered other wares for scammers such as stolen data that could be used for finding victims, as well as services for registering SIM cards and Starlink internet subscriptions through proxies.

North Korean state-sponsored cybercriminals also appear to have used the platform for money laundering. Elliptic found through blockchain analysis, for instance, that about $220,000 stolen from the Indian cryptocurrency exchange WazirX—the victim of a $235 million theft in July 2024, widely attributed to North Korean hackers—had flowed into Xinbi Guarantee in a series of transactions in November.

Those money-laundering and scam-enabling services, however, are far from the only shady offerings found on Xinbi Guarantee's market. Elliptic also found listings for surrogate mothers and egg donors, with one post showing faceless pictures of the donor's body. Other accounts have offered services that will, for a payment in Tether, place a funeral wreath at a target's door, deface their home with graffiti, post damaging statements around their home, have someone verbally threaten them, throw feces at them, or even, most bizarrely, surround their home with AIDS patients. One posting suggested these AIDS patients would carry “case reports and needles for intimidation."

Other listings have offered sex workers as young as 18 years old, noting the specific sex acts that are allowed and forbidden. Elliptic says that one of its researchers was even offered a 14-year-old by a Xinbi Guarantee merchant. (The account holder noted, however, that no transaction for sex with someone below the age of 18 would be guaranteed by Xinbi. The legal age of consent in China is 14.)

Exactly why Xinbi Guarantee is legally registered in the US remains a mystery. Its incorporation record on the Colorado Secretary of State's website shows an address at an office park in the city of Aurora that has no external Xinbi branding. The company appears to have been registered there in August of 2022 by someone named “Mohd Shahrulnizam Bin Abd Manap.” (WIRED connected that name with several people in Malaysia but couldn't determine which one might be Xinbi Guarantee's registrant.) The listing is currently marked as “delinquent,” perhaps due to failure to file more recent paperwork to renew it.

For fledgling Chinese companies—legitimate and illegitimate—incorporating in the US is an increasingly common tactic for “projecting legitimacy,” says Jacob Sims, a visiting fellow at Harvard's Asia Center who focuses on transnational Chinese crime. “If you have a US presence, you can also open US bank accounts,” Sims says. “You could potentially hire staff in the US. You could in theory have more formalized connections to US entities.” But he notes that the registration's delinquent status may mean Xinbi Guarantee tried to make some sort of inroads in the US in the past but gave up.

While Telegram has served as the chief means of communication for the two markets, the stablecoin cryptocurrency Tether has served as their primary means of payment, Elliptic found. And despite Telegram’s new round of removals of their channels and accounts, Xinbi Guarantee and Huione Guarantee are far from the only companies to use Tether and Telegram to create essentially a new, largely Chinese-language darknet: Elliptic is tracking close to 30 similar marketplaces, Robinson says, though he declined to name others in the midst of the company's investigations.

Just as Telegram shows new signs of cracking down on that sprawling black market, Tether, too, has the ability to disrupt criminal use of its services. Unlike other more decentralized cryptocurrencies such as Bitcoin, Tether can freeze payments when it identifies bad actors. Yet it’s not clear to what degree Tether has taken measures to stop Chinese-language crypto scammers and others on Xinbi Guarantee and Huione Guarantee from using its currency.

When WIRED wrote to Tether to ask about its role in those black markets, the company responded in a statement that it encourages “firms like Elliptic and other blockchain intelligence providers to share critical data with law enforcement so we can act swiftly and in coordination.”

“We are not passive observers—we are active players in the global fight against financial crime,” the Tether statement continued. “If you’re considering using Tether for illicit purposes, think again: it is the most traceable asset in existence. We will identify you, and we will work to ensure you are brought to justice.”

Despite that promise—and Telegram’s new effort to remove Huione Guarantee and Xinbi Guarantee from its platform—both tools have already been used to facilitate tens of billions of dollars in theft and other black market deals, much of it occurring in plain sight. The two largely illegal and very public markets have been “remarkable for both the scale at which they're operating and also the brazenness,” says Harvard’s Jacob Sims.

Given that brazenness and the massive criminal fortunes at stake, expect both markets to attempt a revival in some form—and plenty of competitors to try to take their place atop the Chinese-language crypto crime economy.

An $8.4 Billion Chinese Hub for Crypto Crime Is Incorporated in Colorado

As AI-driven fraud becomes increasingly common, more people feel the need to verify every interaction they have online.

These days, when Nicole Yelland receives a meeting request from someone she doesn’t already know, she conducts a multistep background check before deciding whether to accept. Yelland, who works in public relations for a Detroit-based nonprofit, says she’ll run the person’s information through Spokeo, a personal data aggregator that she pays a monthly subscription fee to use. If the contact claims to speak Spanish, Yelland says, she will casually test their ability to understand and translate trickier phrases. If something doesn’t quite seem right, she’ll ask the person to join a Microsoft Teams call—with their camera on.

If Yelland sounds paranoid, that’s because she is. In January, before she started her current nonprofit role, Yelland says, she got roped into an elaborate scam targeting job seekers. “Now, I do the whole verification rigamarole any time someone reaches out to me,” she tells WIRED.

Digital imposter scams aren’t new; messaging platforms, social media sites, and dating apps have long been rife with fakery. In a time when remote work and distributed teams have become commonplace, professional communications channels are no longer safe, either. The same artificial intelligence tools that tech companies promise will boost worker productivity are also making it easier for criminals and fraudsters to construct fake personas in seconds.

On LinkedIn, it can be hard to distinguish a slightly touched-up headshot of a real person from a too-polished, AI-generated facsimile. Deepfake videos are getting so good that longtime email scammers are pivoting to impersonating people on live video calls. According to the US Federal Trade Commission, reports of job and employment related scams nearly tripled from 2020 to 2024, and actual losses from those scams have increased from $90 million to $500 million.

Yelland says the scammers that approached her back in January were impersonating a real company, one with a legitimate product. The “hiring manager” she corresponded with over email also seemed legit, even sharing a slide deck outlining the responsibilities of the role they were advertising. But during the first video interview, Yelland says, the scammers refused to turn their cameras on during a Microsoft Teams meeting and made unusual requests for detailed personal information, including her driver’s license number. Realizing she’d been duped, Yelland slammed her laptop shut.

These kinds of schemes have become so widespread that AI startups have emerged promising to detect other AI-enabled deepfakes, including GetReal Labs and Reality Defender. OpenAI CEO Sam Altman also runs an identity-verification startup called Tools for Humanity, which makes eye-scanning devices that capture a person’s biometric data, create a unique identifier for their identity, and store that information on the blockchain. The whole idea behind it is proving “personhood,” or that someone is a real human. (Lots of people working on blockchain technology say that blockchain is the solution for identity verification.)

But some corporate professionals are turning instead to old-fashioned social engineering techniques to verify every fishy-seeming interaction they have. Welcome to the Age of Paranoia, when someone might ask you to send them an email while you’re mid-conversation on the phone, slide into your Instagram DMs to ensure the LinkedIn message you sent was really from you, or request you text a selfie with a time stamp, proving you are who you claim to be. Some colleagues say they even share code words with each other, so they have a way to ensure they’re not being misled if an encounter feels off.

“What’s funny is, the lo-fi approach works,” says Daniel Goldman, a blockchain software engineer and former startup founder. Goldman says he began changing his own behavior after he heard a prominent figure in the crypto world had been convincingly deepfaked on a video call. “It put the fear of god in me,” he says. Afterward, he warned his family and friends that even if they hear what they believe is his voice or see him on a video call asking for something concrete—like money or an internet password—they should hang up and email him first before doing anything.

Ken Schumacher, founder of the recruitment verification service Ropes, says he’s worked with hiring managers who ask job candidates rapid-fire questions about the city where they claim to live on their résumé, such as their favorite coffee shops and places to hang out. If the applicant is actually based in that geographic region, Schumacher says, they should be able to respond quickly with accurate details.

Another verification tactic some people use, Schumacher says, is what he calls the “phone camera trick.” If someone suspects the person they’re talking to over video chat is being deceitful, they can ask them to hold up their phone camera to show their laptop. The idea is to verify whether the individual may be running deepfake technology on their computer, obscuring their true identity or surroundings. But it’s safe to say this approach can also be off-putting: Honest job candidates may be hesitant to show off the inside of their homes or offices, or worry a hiring manager is trying to learn details about their personal lives.

“Everyone is on edge and wary of each other now,” Schumacher says.

While turning yourself into a human captcha may be a fairly effective approach to operational security, even the most paranoid admit these checks create an atmosphere of distrust before two parties have even had the chance to really connect. They can also be a huge time suck. “I feel like something’s gotta give,” Yelland says. “I’m wasting so much time at work just trying to figure out if people are real.”

Jessica Eise, an assistant professor studying climate change and social behavior at Indiana University Bloomington, says her research team has been forced to essentially become digital forensics experts due to the amount of fraudsters who respond to ads for paid virtual surveys. (Scammers aren’t as interested in the unpaid surveys, unsurprisingly.) For one of her research projects, which is federally funded, all of the online participants have to be over the age of 18 and living in the US.

“My team would check time stamps for when participants answered emails, and if the timing was suspicious, we could guess they might be in a different time zone,” Eise says. “Then we’d look for other clues we came to recognize, like certain formats of email address or incoherent demographic data.”

Eise says the amount of time her team spent screening people was “exorbitant” and that they’ve now shrunk the size of the cohort for each study and have turned to “snowball sampling,” or recruiting people they know personally to join their studies. The researchers are also handing out more physical flyers to solicit participants in person. “We care a lot about making sure that our data has integrity, that we’re studying who we say we’re trying to study,” she says. “I don’t think there’s an easy solution to this.”

Barring any widespread technical solution, a little common sense can go a long way in spotting bad actors. Yelland shared with me the slide deck that she received as part of the fake job pitch. At first glance, it seemed legit, but when she looked at it again, a few details stood out. The job promised to pay substantially more than the average salary for a similar role in her location and offered unlimited vacation time, generous paid parental leave, and fully covered health care benefits. In today’s job environment, that might have been the biggest tipoff of all that it was a scam.

_Update 5/12/2025, 6:34 PM ET: This article was updated to clarify the nature of a federally funded research project._

Deepfakes, Scams, and the Age of Paranoia

Plus: A DOGE operative’s laptop reportedly gets infected with malware, Grok AI is used to “undress” women on X, a school software company’s ransomware nightmare returns, and more.

A United States Customs and Border Protection request for information this week revealed the agency’s plans to find vendors that can supply face recognition technology for capturing data on everyone entering the US in a vehicle like a car or van, not just the people sitting in the front seat. And a CBP spokesperson later told WIRED that the agency also has plans to expand its real-time face recognition capabilities at the border to detect people exiting the US as well—a focus that may be tied to the Trump administration’s push to get undocumented people to “self-deport” and leave the US.

WIRED also shed light this week on a recent CBP memo that rescinded a number of internal policies designed to protect vulnerable people—including pregnant women, infants, the elderly, and people with serious medical conditions—while in the agency’s custody. Signed by acting commissioner Pete Flores, the order eliminates four Biden-era policies.

Meanwhile, as the ripple effects of “SignalGate” continue, the communication app TeleMessage suspended “all services” pending an investigation after former US national security adviser Mike Waltz inadvertently called attention to the app, which subsequently suffered data breaches in recent days. Analysis of TeleMessage Signal’s source code this week appeared to show that the app sends users’ message logs in plaintext, undermining the security and privacy guarantees the service promised. After data stolen in one of the TeleMessage hacks indicated that CBP agents might be users of the app, CBP confirmed its use to WIRED, saying that the agency has “disabled TeleMessage as a precautionary measure.”

A WIRED investigation found that US director of national intelligence Tulsi Gabbard reused a weak password for years on multiple accounts. And researchers warn that an open source tool known as “easyjson” could be an exposure for the US government and US companies, because it has ties to the Russian social network VK, whose CEO has been sanctioned.

And there's more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**ICE’s Deportation Airline Hack Reveals Man “Disappeared” to El Salvador**

Hackers this week revealed they had breached GlobalX, one of the airlines that has come to be known as “ICE Air” thanks to its use by the Trump administration to deport hundreds of migrants. The data they leaked from the airline includes detailed flight manifests for those deportation flights—including, in at least one case, the travel records of a man whose own family had considered him “disappeared” by immigration authorities and whose whereabouts the US government had refused to divulge.

On Monday, reporters at 404 Media said that hackers had provided them with a trove of data taken from GlobalX after breaching the company’s network and defacing its website. “Anonymous has decided to enforce the Judge's order since you and your sycophant staff ignore lawful orders that go against your fascist plans,” a message the hackers posted to the site read. That stolen data, it turns out, included detailed passenger lists for GlobalX’s deportation flights—including the flight to El Salvador of Ricardo Prada Vásquez, a Venezuelan man whose whereabouts had become a mystery to even his own family as they sought answers from the US government. US authorities had previously declined to tell his family or reporters where he had been sent—only that he had been deported—and his name was even excluded from a list of deportees leaked to CBS News. (The Department of Homeland Security later stated in a post to X that Prada was in El Salvador—but only after a New York Times story about his disappearance.)

The fact that his name was, in fact, included all along on a GlobalX flight manifest highlights just how opaque the Trump administration’s deportation process remains. According to immigrant advocates who spoke with 404 Media, it even raises questions about whether the government itself had deportation records as comprehensive as the airline whose planes it chartered. “There are so many levels at which this concerns me. One is they clearly did not take enough care in this to even make sure they had the right lists of who they were removing, and who they were not sending to a prison that is a black hole in El Salvador,” Michelle Brané, executive director of immigrant rights group Together and Free, told 404 Media. “They weren't even keeping accurate records of who they were sending there.”

**The Computer of a DOGE Staffer With Sensitive Access Reportedly Infected With Malware**

Elon Musk’s so-called Department of Governmental Efficiency has raised alarms not just due to its often reckless cuts to federal programs, but also the agency’s habit of giving young, inexperienced staffers with questionable vetting access to highly sensitive systems. Now security researcher Micah Lee has found that Kyle Schutt, a DOGE staffer who reportedly accessed the financial system of the Federal Emergency Management Agency, appears to have had infostealer malware on one of his computers. Lee discovered that four dumps of user data stolen by that kind of password-stealing malware included Schutt’s passwords and usernames. It’s far from clear when Schutt’s credentials were stolen, for what machine, or whether the malware would have posed any threat to any government agency’s systems, but the incident nonetheless highlights the potential risks posed by DOGE staffers’ unprecedented access.

**Grok AI Will “Undress” Women in Public on X**

Elon Musk has long marketed his AI tool Grok as a more freewheeling, less restricted alternative to other large language models and AI image generators. Now X users are testing the limits of Grok’s few safeguards by replying to images of women on the platform and asking Grok to “undress” them. While the tool doesn’t allow the generation of nude images, 404 Media and Bellingcat have found that it repeatedly responded to users’ “undress” prompts with pictures of women in lingerie or bikinis, posted publicly to the site. In one case, Grok apologized to a woman who complained about the practice, but the feature has yet to be disabled.

**A Hacked School Software Company Paid a Ransom—but Schools Are Still Being Extorted**

This week in don’t-trust-ransomware-gangs news: Schools in North Carolina and Canada warned that they’ve received extortion threats from hackers who had obtained students’ personal information. The likely source of that sensitive data? A ransomware breach last December of PowerSchool, one of the world’s biggest education software firms, according to NBC News. PowerSchool paid a ransom at the time, but the data stolen from the company nonetheless appears to be the same info now being used in the current extortion attempts. “We sincerely regret these developments—it pains us that our customers are being threatened and re-victimized by bad actors,” PowerSchool told NBC News in a statement. “As is always the case with these situations, there was a risk that the bad actors would not delete the data they stole, despite assurances and evidence that were provided to us.”

**A Notorious Deepfake Porn Site Shuts Down After Its Creator Is Outed**

Since its creation in 2018, MrDeepFakes.com grew into perhaps the world’s most infamous repository of nonconsensual pornography created with AI mimicry tools. Now it’s offline after the site’s creator was identified as a Canadian pharmacist in an investigation by CBC, Bellingcat, and the Danish news outlets Politiken and Tjekdet. The site’s pseudonymous administrator, who went by DPFKS on its forums and created at least 150 of its porn videos himself, left a trail of clues in email addresses and passwords found on breached sites that eventually led to the Yelp and Airbnb accounts of Ontario pharmacist David Do. After reporters approached Do with evidence that he was DPFKS, MrDeepFakes.com went offline. “A critical service provider has terminated service permanently. Data loss has made it impossible to continue operation,” reads a message on its homepage. “We will not be relaunching.”

ICE’s Deportation Airline Hack Reveals Man ‘Disappeared’ to El Salvador

A CBP spokesperson tells WIRED that the agency plans to expand its program for real-time face recognition at the border, potentially aiding Trump administration efforts to track people who self-deport.

United States Customs and Border Protection plans to log every person leaving the country by vehicle by taking photos at border crossings of every passenger and matching their faces to their passports, visas, or travel documents, WIRED has learned.

The escalated documentation of travelers could be used to track how many people are self-deporting, or leave the US voluntarily, which the Trump administration is fervently encouraging to people in the country illegally.

CBP exclusively tells WIRED, in response to an inquiry to the agency, that it plans to mirror the current program it’s developing—photographing every person entering the US and match their faces with their travel documents—to the outbound lanes going to Canada and Mexico. The agency currently does not have a system that monitors people leaving the country by vehicle.

“Although we are still working on how we would handle outbound vehicle lanes, we will ultimately expand to this area,” CBP spokesperson Jessica Turner tells WIRED.

Turner could not provide a timeline on when CBP would begin monitoring people leaving the country by vehicle.

She tells WIRED that CBP currently matches photos of people coming into the country with “all documented photos, i.e., passports, visas, green cards, etc,” and adds that all “alien/non-US citizens encounter photos taken at border crossing” are stored by CBP. “The encounter photos can be used for subsequent crossings to verify identity,” Turner says. She did not specify whether CBP may integrate additional photos or data sources in the future.

When asked, Turner says it’s not currently evident that a purpose of the outbound face-matching system would be tracking self-deporations. “Not to say it won't happen in the future, though, with the way self-deportation is going,” Turner says. She later adds that the goal of an outbound system would be to “biometrically confirm departure from the US.” This differs from the purpose of tracking people coming into the US, she says, which also considers the “purpose and intent” of entering the country.

WIRED reported this week that CBP recently asked tech companies to send pitches on how they would ensure every single person entering the country by vehicle, including people two or three rows back, would be instantly photographed and matched with their travel documents. CBP has struggled to do this on its own. The results of a 152-day test of this system, which took place at the Anzalduas border crossing between Mexico and Texas, showed that the cameras captured photos of everyone in the car that met “validation requirements” for face-matching just 61 percent of the time.

Currently, neither CBP nor Immigration and Customs Enforcement have any publicly known tools for tracking self-deportations, aside from an ICE app that allows people to tell the agency when they leave the country.

Last month, ICE announced that it is paying the software company Palantir $30 million to build a tool called ImmigrationOS that would give the agency “near real-time visibility” on people self-deporting from the US, with the goal of having accurate numbers on how many people are doing so, according to a contract justification published a few days later.

When asked, CBP would not confirm or deny whether its monitoring of outbound vehicles would or could be integrated with ImmigrationOS. “CBP does not use Palantir Technologies,” Turner says. (CBP has paid for Palantir services three times, with the last payment in 2013.)

ICE has not specified where Palantir would get the data to power the ImmigrationOS. However, the agency notes that Palantir could create ImmigrationOS by configuring the case management system that the company has provided to ICE since 2014.

This case management system integrates all of the information ICE may have about a person from investigative records or government databases, according to a government privacy assessment published in 2016. At the time of the assessment, it stored information about people’s physical attributes—like hair and eye color, height and weight, and any scars or tattoos—as well as any "location-related data” from “covert tracking devices” and any data from license plate readers, which can provide a detailed travel history.

DHS noted in a 2024 report that CBP has struggled to get biometric data from people leaving the country over land—meaning, people traveling via "cars, trains, buses, bicycles, trucks, and on foot.” The report says that CBP wants to create a “biometric-based departure program” to monitor when people considered aliens leave the country, which DHS notes is required under US law.

The Trump administration is strongly encouraging self-deportation. In March, the Department of Homeland Security revoked the legal status of more than half a million people from Cuba, Haiti, Nicaragua, and Venezuela who were given temporary parole to stay in the US due to instability in their home countries. A judge temporarily blocked the move, but the government is challenging this in court.

In April, the Social Security Administration listed more than 6,000 of these people who had temporary parole as dead, as a way of effectively ending their financial lives in the US. DHS also sent emails to an unknown number of people claiming that their legal parole had been revoked and demanding them to self-deport. Then, this week, the Trump administration offered to pay people in the country illegally $1,000 for a plane ticket to self-deport.

_Updated 2:25 pm ET, May 9, 2025: Added additional details provided by CBP._

US Customs and Border Protection Plans to Photograph Everyone Exiting the US by Car

CBP’s acting commissioner has rescinded four Biden-era policies that aimed to protect vulnerable people in the agency’s custody, including mothers, infants, and the elderly.

US Customs and Border Protection (CBP) has quietly rescinded several internal policies that were designed to protect some of the most vulnerable people in its custody—including pregnant women, infants, the elderly, and people with serious medical conditions.

The decision, outlined in a memo dated May 5 and signed by acting commissioner Pete Flores, eliminates four Biden-era policies enacted over the last three years. These policies were intended to address CBP’s long-standing failures to provide adequate care for detainees who are most at risk—failures that have, in some cases, proved fatal.

The May 5 memo was distributed internally to top agency leadership but was not announced publicly.

CBP justified the rollback by stating in the memo–titled Rescission of Legacy Policies Related to Care and Custody–that the policies were “obsolete” and “misaligned” with the agency’s current enforcement priorities.

Together, the now rescinded policies laid out standards for detainees with heightened medical needs—requiring, for instance, access to water and food for pregnant people, ensuring privacy for breastfeeding mothers, and mandating diapers and unexpired formula be stocked in holding facilities. They also instructed agents to process at-risk individuals as quickly as possible to limit time in custody.

“It's appalling and it's just an extension of the culture of cruelty that the administration is trying to perpetrate,” says Sarah Mehta, deputy director of government affairs for the ACLU’s Equality Division. Rescinding the policies, she says, “is a damning statement about the way that this administration thinks and cares about people with young children.”

CBP did not immediately respond to WIRED’s request for comment.

One of the world’s largest law enforcement agencies, CBP is primarily responsible for apprehending and detaining individuals who cross the US border without authorization. While Immigration and Customs Enforcement (ICE) oversees longer-term detention and deportation proceedings, CBP handles the earliest stages of custody, when migrants are held and processed in short-term facilities that have repeatedly drawn criticism for poor medical care and overcrowding

In January the Senate Judiciary Committee issued a damning report revealing dysfunction in CBP's medical operations. The investigation revealed chronic understaffing, improper use of medical record systems, and vague or nonexistent guidance for treating children, pregnant individuals, and others with complex medical needs.

The report was prompted by the death of 8-year-old Anadith Danay Reyes Álvarez, who died in May 2023 at a CBP facility in Harlingen, Texas. The Panamanian girl, who had a known history of heart problems and sickle cell anemia, reportedly pleaded for help along with her mother. Both were ignored. She died in custody, her final hours spent in a facility whose staff were unequipped—and seemingly unwilling—to provide critical care.

“Just last week in letters to the Trump administration, I raised serious concerns about transparency, accountability, and the humane treatment of detained individuals, particularly in light of repeated reports of detainee mistreatment and inadequate medical care,” US senator Dick Durbin, chairman of the Senate Judiciary Committee, tells WIRED. “Instead of taking actions to course-correct, the Trump administration rescinded several internal policies aimed at protecting some of the most vulnerable individuals in CBP custody—including pregnant women, children, the elderly, and those with serious medical conditions. This is unacceptable. We are a nation of values, and these values should be represented in the care of vulnerable people in our government’s custody.”

Policy reversals have come to define the Trump administration's immigration tactics, from attempts to revoke the status of 500,000 immigrants from Cuba, Haiti, Nicaragua, and Venezuela living legally in the US to purging student visas. In January, a day after President Donald Trump's inauguration, the Department of Homeland security reversed a Biden-era policy that forbade ICE and CBP officers from arresting people in "protected areas," including schools, places of worship, and hospitals.

As the number of people held in ICE detention has climbed–reaching roughly 47,928 in April, according to the Transactional Records Access Clearinghouse–apprehensions at the southern US border have fallen sharply, dropping to levels not seen in decades.

CBP says that its personnel will continue to follow broader standards under the National Standards on Transport, Escort, Detention, and Search (TEDS), and remain bound by the Flores agreement, which requires that children be given safe and sanitary quarters. The Trump administration has previously argued that the original settlement does not require that children be allowed to sleep or wash themselves with soap.

US Customs and Border Protection Quietly Revokes Protections for Pregnant Women and Infants

CBP says it has “disabled” its use of TeleMessage following reports that the app, which has not cleared the US government’s risk assessment program, was hacked.

The United States Customs and Border Protection agency confirmed on Wednesday that it uses at least one communication app made by the service TeleMessage, which creates clones of popular apps like Signal and WhatsApp with the addition of an archiving mechanism for compliance with records-retention rules.

“Following the detection of a cyber incident, CBP immediately disabled TeleMessage as a precautionary measure,” CBP spokesperson Rhonda Lawson tells WIRED. “The investigation into the scope of the breach is ongoing.”

President Donald Trump's now former national security adviser Mike Waltz was photographed last week using TeleMessage Signal during a cabinet meeting, and the photo seemed to show that he was communicating with other high-ranking officials, including Vice President JD Vance, US director of national intelligence Tulsi Gabbard, and what appears to be US secretary of state Marco Rubio.

In the days since the photo was published, TeleMessage has reportedly suffered a series of breaches that illustrate concerning security flaws. Analysis of the app's Android source code also appears to indicate fundamental flaws in the service's security scheme. As these findings emerged, TeleMessage—an Israeli company that completed an acquisition last year by the US-based company Smarsh—imposed a service pause on its products pending investigation.

“TeleMessage is investigating a potential security incident. Upon detection, we acted quickly to contain it and engaged an external cybersecurity firm to support our investigation,” a Smarsh spokesperson told WIRED in a statement on Monday. “Out of an abundance of caution, all TeleMessage services have been temporarily suspended. All other Smarsh products and services remain fully operational.”

WIRED contacted CBP about its potential use of the software after some data stolen from TeleMessage in one of the recent breaches indicated that CBP was potentially a customer.

US senator Ron Wyden called for the Department of Justice to investigate TeleMessage in a letter on Tuesday, alleging that the service is “a serious threat to US national security.” TeleMessage is a federal contractor, but the consumer apps it offers are not approved for use under the US government's Federal Risk and Authorization Management Program, or FedRAMP. In his letter, Wyden referenced that “several federal agencies” use TeleMessage, asserting that the company “sold dangerously insecure communications software to the White House and other federal agencies.”

There is still no complete public accounting of US government officials and agencies that have used the software.

Customs and Border Protection Confirms Its Use of Hacked Signal Clone TeleMessage

In the wake of SignalGate, a knockoff version of Signal used by a high-ranking member of the Trump administration was hacked. Today on Uncanny Valley, we discuss the platforms used for government communications.

All products featured on WIRED are independently selected by our editors. However, we may receive compensation from retailers and/or from purchases of products through these links.

When former national security adviser Mike Waltz had a picture taken of him last week, he didn’t expect for the whole world to see that he was using TeleMessage, a messaging app similar to Signal. Now the app has been hacked, with portions of data linked to government entities like Customs and Border Protection (CBP) and companies like Coinbase. Today on the show, we’re joined by WIRED senior writer Lily Hay Newman to discuss what this incident tells us about the growing vulnerabilities in government communications.

Articles mentioned in this episode:  
**Mike Waltz Has Somehow Gotten Even Worse at Using Signal**, by Lily Hay Newman  
**The Signal Clone the Trump Admin Uses Was Hacked** , by Joseph Cox and Micah Lee  
**The Signal Clone Mike Waltz Was Caught Using Has Direct Access to User Chats**, by Lily Hay Newman

You can follow Zoë Schiffer on Bluesky at @zoeschiffer and Lily Hay Newman on Bluesky at @lhn. Write to us at uncannyvalley@wired.com.

**How to Listen**

You can always listen to this week's podcast through the audio player on this page, but if you want to subscribe for free to get every episode, here’s how:

If you're on an iPhone or iPad, open the app called Podcasts, or just tap this link. You can also download an app like Overcast or Pocket Casts and search for “Uncanny Valley.” We’re on Spotify too.

**Transcript**

_Note: This is an automated transcript, which may contain errors._

**Zoë Schiffer:** Hi, this is Zoë. Before we start, I want to take the chance to remind you that we want to hear from you. If you have tech-related questions that have been on your mind or a topic that you wish we'd cover, write to us at uncannyvalley@WIRED.com. And if you listen to and enjoy the show, please rate it and leave a review on your podcast app of choice. It really honestly makes a difference. Welcome to WIRED's _Uncanny Valley_. I'm WIRED's director of business and industry, Zoë Schiffer. Today on the show, the hacking scandal surrounding TeleMessage, the knockoff version of Signal, which is used by at least one high-ranking member of the Trump administration. The app has temporarily suspended its services while it investigates the incident. We're going to talk about how former national security adviser Mike Waltz was seen last week using the app in a cabinet meeting and what this latest incident tells us about the growing vulnerabilities in government communication. I'm joined by Lily Hay Newman, senior writer at WIRED. Lily, welcome to the show.

**Lily Hay Newman:** It's a pleasure to be here.

**Zoë Schiffer:** What exactly is TeleMessage?

**Lily Hay Newman:** Yeah. So TeleMessage is a company that's been around since the late ’90s. It was founded in Israel, and it creates apps that are sort of mirror images or clones of existing communication apps, and then adds in an archiving feature. So this is especially perhaps wanted for apps that are securing communications, such that it's difficult to retain copies of the messages. So if you need copies for compliance or you need a record, the idea is that these services are giving the same functionality as apps you know, like WhatsApp or Telegram or Signal, but with the addition of these archiving features.

**Zoë Schiffer:** And that's important, obviously, for people who work in government because, technically, members of the press and other people are supposed to be allowed to access a lot of the communications that aren't classified by submitting Freedom of Information Act requests. And you can't do that if the messages are disappearing.

**Lily Hay Newman:** Correct. There are record retention laws in the US and other countries for transparency and information requests, as you said. But historically, the way governments and other institutions have complied with that is by using communication platforms that are built for the purpose of government communications, tailor-built to be in compliance in a number of ways. So all of this is coming up because now the Trump administration in recent months has been sort of departing from the standard ways that officials in the US have communicated to use consumer platforms, particularly the secure messaging platform Signal, to talk to each other, but doing so in a very ad hoc consumer way like in the same way that you and I would set up a Signal conversation. That's what they've been doing, and that's where you get into this whole question of how do you comply with records requirements. How do you comply with safety requirements when you're just kind of using off-the-shelf tech in a regular way? And so that's where TeleMessage comes in.

**Zoë Schiffer:** Well, it seems like one of the people, as we mentioned earlier, who was using TeleMessage was Mike Waltz, the now former national security adviser, who at this point is best known for starting that infamous Signal group chat a few weeks back that accidentally added a senior member of The Atlantic Newsroom. How did we find out that he was using TeleMessage in the first place?

**Lily Hay Newman:** So his screen, the screen of his phone, was sort of inadvertently captured in a photo of a cabinet meeting, a Reuters photo, that Mike Waltz was participating in, was sitting at the table with Trump and a number of officials. The photo is a bit funny because it seems like he thinks no one can see him using his phone, or he is kind of checking his phone. I mean, we've all been there, looking under the conference table at our phone. But additionally, his screen shows what appears to be Signal. So we're really going, zooming in deep into this photo, right. We're looking over his shoulder at his phone. Now we're seeing this notification. And then in the notification, instead of the normal words that would be there, people noticed that the Signal … where it would normally say Signal, was being referred to as TM Signal. And that's how people realized that, actually, he was using this other app called TeleMessage.

**Zoë Schiffer:** Got it. Yeah. Nothing makes me love reporters more than the absolute psychotic behavior of zooming in on a tiny little phone screen to be like, “What exactly is going on here?” But kudos to 404 Media, because I think they were the first ones to point that out. You wrote in a recent WIRED article that Mike Waltz has inexplicably gotten even worse at using Signal. So, I guess what did you mean by that? How is he getting worse at using this end-to-end encrypted app?

**Lily Hay Newman:** This whole revelation about his use of TM Signal is building on this previous situation called Signal Gate. Mike Waltz was the person who inadvertently added Jeffrey Goldberg, the top editor of The Atlantic, to the chat. And so already Mike Waltz was not having a great track record, and then disappearing messages were on the whole time. And so, one of the many criticisms was that this was not in compliance with government record-retention laws. So we don't know this, but presumably then he started using TM Signal as a solution to that aspect of the issues raised. But I just want to be clear. We don't know. It could be that they were already using it, or he was already using TM Signal at the time. I'm not sure. But one might suspect that hearing some of this criticism, he was like, “OK, let me find a solution that does retain records and does have an archiving feature.” And that's where TeleMessage would come in.

**Zoë Schiffer:** So the national security advisoer sets up this group chat, presumably not in compliance, then switches to one that looks like it might be in compliance, and then that version is promptly hacked. Do we know at this point who is behind the hacking?

**Lily Hay Newman:** More and more is coming out about potential hacks of TeleMessage or sort of ability to intercept messages and see messages in memory. First, 404 Media and Micah Lee published a piece with an unnamed hacker providing evidence that they could breach TeleMessage. And then, on Monday, NBC News published an additional report with an additional unnamed hacker. So clearly there's a lot of insecurity here. And the criticism of TM Signal from this company, TeleMessage, is that it claims to have all the same security features as real Signal and to sort of preserve that, and just add on this archiving feature. But, definitionally, adding in the archiving feature breaks Signal security. The way signal is designed and other end-to-end encrypted apps like WhatsApp, when you add in this other party, it's virtually impossible that the security guarantees could be preserved. And then, on top of that, it seems like from source code review that's starting to come out, and research that's starting to happen, and analysis into TM Signal, that actually it's just not constructed in a very secure way at all. So, just a lot of layers to get to the point, which is that this was a wildly insecure app for Mike Waltz to be using, sitting at a table with the top cabinet members and the president of the United States. It's wild.

**Zoë Schiffer:** We're going to get into what exactly was accessed in this hack. But before we do that, we're going to take a short break.

\[_break_\]

**Zoë Schiffer:** We are back. So let's get into what exactly was accessed when it looks like multiple hackers were able to break into TM Signal, which was being used by at least one member of the Trump administration.

**Lily Hay Newman:** So far, these researchers, what they've shown is that some messages, sometimes at least, are being sent to the archiving server in plain text, meaning they are readable. That's precisely what a platform like genuine Signal is trying to avoid. And so that's what's happening. So these were sort of fragments or pieces or whole messages, but not whole conversations, things like that, so far. One thing that 404 Media reported on from these leaks was evidence that US Customs and Border Patrol agents have been using TM Signal. It's not totally clear what's going on with this. WIRED reached out to CBP. We've been trying to get clarification on what this leaked data means. There seem to be confirmed CBP phone numbers associated with these accounts that came out of this breach. CBP has told WIRED just that they're looking into it. But that's an example that is really concerning, it would potentially show that this app is in wider use across other agencies in the US government.

**Zoë Schiffer:** Is there a national security concern with the fact that this app was developed in Israel, regardless of the fact that it was acquired by a US company recently?

**Lily Hay Newman:** The thing is, even without getting into any specific geopolitics, the point of the protocols that exist for the US government to use its own purpose-built communication platforms is that any and all foreign governments conduct espionage. The US does it. Everyone does it. So, for your most sacred and sensitive national communication, you want to do that on a platform that you completely control, that you have built and vetted yourself, and just all parameters are controlled by you. You don't want to involve any other parties. So Israeli espionage groups are known for being very aggressive, very innovative, very cunning. So, for that reason, particularly, perhaps it's a concern that TeleMessage was founded in the country and has those ties. But just in general, regardless of what country it is, I think it's important conceptually to understand that it doesn't make sense to use the app in this way.

**Zoë Schiffer:** After this reporting came out, TeleMessage has paused or stopped its services. What's the status of the company right now?

**Lily Hay Newman:** Right. So clearly, they have concerns, and their parent company, Smarsh, has concerns about these findings as well. They say that they are investigating a potential breach and have employed a third-party firm to help them with that. And they've taken down all the content from the TeleMessage website and paused TeleMessage operations, essentially. So they say it's a pause and pending the investigation, but a pretty big reaction here to these findings.

**Zoë Schiffer:** That's a good place to end it. When we come back, we'll share our recommendations for what to check out on WIRED.com this week. Welcome back to _Uncanny Valley_. I'm Zoë Schiffer, WIRED's director of business and industry. I'm joined today by WIRED senior writer Lily Hay Newman. Before we take off, Lily, tell our listeners what they absolutely have to read on WIRED this week.

**Lily Hay Newman:** I'm just fascinated by this story by our colleague Caroline Haskins. US border agents are asking for help taking photos of everyone entering the country by car. And this is, we're just continuing our CBP discussions for today. CBP has apparently released a request for information seeking pitches, essentially for companies to help them do vehicle surveillance at the border and face recognition technology to see specifically who is in cars, not just the front seat. And I think it's really important for all of us to be aware of the extensive and expansive surveillance dragnet at the US border and all different types of US border crossings. The southern border of the US has long been known as sort of like a forefront of surveillance technology. And so it's dark, but interesting to hear that CBP feels like they don't yet have what they need to do this type of analysis and face recognition in cars, but that they want it, and they're trying to expand the analysis they can do on who is in every car.

**Zoë Schiffer:** Right. And it'll be interesting to see which company gets this contract. OK. Well, I wanted to flag a piece that we published yesterday by Paresh Dave and Kylie Robison. It's about OpenAI announcing that it is not, in fact, going to restructure its company to make the nonprofit arm not in control. In other words, the nonprofit arm is going to remain in control of the company. And this is a reversal of a prior announcement where it said it was going to become a public benefit corporation, likely to make fundraising easier. But after the plan was announced, the company got a ton of pushback from a variety of civic organizations and also Elon Musk, who was involved in the founding of the company before an acrimonious split in 2018. These groups don't usually agree on a lot, but they agreed on this, that becoming a for-profit company was in violation of OpenAI's founding mission. So we have a lot of good reporting on how people are taking this news and what it means for the future of the company. That's our show for today. We'll link to all the stories we spoke about in the show notes. Make sure to check out Thursday's episode of _Uncanny Valley_, which is about Trump's meme coin saga and the conflict of interest that come with it. Adriana Tapia produced this episode. Amar Lal at Macro Sound mixed this episode. Jordan Bell is our executive producer. Condé Nast's head of global audio is Chris Bannon. And Katie Drummond is WIRED's global editorial director.

Source

Wired