Don’t be fooled by its fun name and Tamagotchi-like interface—this do-everything gadget is trouble waiting to happen and a whole lot more.

Across the US, countless buildings, from government offices to your next hotel room door, are protected by RFID-controlled locks. On a recent trip to my office, I passed nearly 20 of these keyless entry systems, which are among the most pervasive in the world. But a playful palm-sized gadget with a Tamagotchi-like interface can likely thwart the locks on many of these doors. 

The $200 device is called Flipper Zero, and it’s a portable pen-testing tool designed for hackers of all levels of technical expertise. The tool is smaller than a phone, easily concealable, and is stuffed with a range of radios and sensors that allow you to intercept and replay signals from keyless entry systems, Internet of Things sensors, garage doors, NFC cards, and virtually any other device that communicates wirelessly in short ranges. For example, in just seconds, I used the Flipper Zero to seamlessly clone the signal of an office RFID badge tucked safely inside my wallet.

If you had only heard about Flipper Zero through TikTok, where the tool has gone viral, you might think that it was a toy that could make ATMs spit out money, cars unlock themselves, and gas spill out of pumps for free. I spent the last week testing one to determine whether the world was as vulnerable to Flipper Zero as social media made it out to be. What I found was mixed: Many of the most dramatic videos posted to TikTok are likely staged—most modern wireless devices are not susceptible to simple replay attacks—but the Flipper Zero is still undeniably powerful, giving aspiring hackers and seasoned pen-testers a convenient new tool to probe the security of the world’s most ubiquitous wireless devices. 

In reviews, people liken Flipper Zero to a Swiss Army knife for physical penetration testing. But in my week testing Flipper Zero, it felt more like a blacklight—something I could literally hold up to a device that would reveal information, invisible to the human eye, about how it worked, what data it was emitting, and how often it was doing so. 

Here’s a brief list of some things I’ve learned with the help of Flipper Zero this week: Some animal microchips will tell you the body temperature of your pet. My neighbor’s car tire pressure sensor leaks data to anyone in range of the signal. My iPhone blasts my face with infrared signals every few seconds. My home security system has built-in signal-jamming detection. WIRED’s office bathroom has a soap dispenser that broadcasts whether it needs a refill.

When I told Alex Kulagin, one of Flipper Zero’s co-creators, about my experiences using his tool to make these kinds of mundane observations, he explained that this is exactly what the device is meant for. “We want to help you understand something deeply, explore how it works, and explore the wireless world that’s all around you but difficult to understand,” he says. 

Kulagin and his business partner, Pavel Zhovner, first came up with the idea for Flipper Zero in 2019. Since then, their company has sold 150,000 devices and they’ve grown their team to nearly 50 people. But as they’ve grown, they’ve encountered some resistance. This summer, payments of more than $1.3 million were held up by PayPal, and in September, US Customs and Border Patrol seized a shipment of devices. According to Kulagin, CBP released the shipment after a month but has yet to tell the company why it held the shipment. CBP declined WIRED’s request to comment about the seized Flipper Zeros.

Bob Zahreddine is a lieutenant for the Glendale Police Department and executive officer with the High Tech Crime Cops, an industry group made up of law enforcement officials that, according to its website, “connects cyber cops and investigators.” Zahreddine says that he isn’t necessarily surprised that CBP has taken an interest in Flipper Zero. “Because Flipper Zero is so customizable, the potential is there for it to be used in all sorts of crime,” he says. 

Zahreddine’s organization maintains a listserv where investigators will often solicit advice from their peers and share news or information about developments in the latest law enforcement technology. He told WIRED that while he hasn’t heard any chatter about Flipper Zero being used in any crimes on his listserv, investigators there are aware of the tool and have been following its development since Kulagin and Zhovner began fundraising on Kickstarter. 

Indeed, it’s easy to imagine how someone could break the law or even just get up to some petty mischief with this device. For instance, not only was I able to clone the ID badge of my office with Flipper Zero, I was able to record the signal that my neighbor’s garage door opener makes when he pulls into his driveway. Older cars that don’t use rolling code encryption are likely unlockable with the device, and my Flipper Zero was able to read my credit card number through my wallet and pants.

But Kulagin isn’t particularly concerned about his tool’s potential for criminal mischief. “Obviously, there are old cars that are vulnerable to Flipper. But they aren’t secure by definition—that is not Flipper’s fault,” he says. “There are bad people out there, and they can do bad stuff with any computer. We aren’t intending to break laws.”

To that end, Flipper Zero’s firmware, by default, prevents individuals from transmitting on frequencies that are banned in the country the device is in, and Flipper Zero’s Discord server explicitly forbids discussions about alternative firmware with illegal features. The tool also isn’t able to copy or replay any encrypted signals. For instance, while I was able to read the signal from my credit and debit cards, I was unable to use that signal to actually pay for anything with contactless payment systems. However, because the project is open source, a savvy Flipper user could adjust the firmware to enable additional, perhaps malicious, functionality.

When I asked Kulagin whether he had been contacted by law enforcement about the Flipper, he told me that he hadn’t. “No, not yet at least,” he says.

While it’s possible to get into trouble with a device like a Flipper Zero, the tool undeniably gives any curious person looking to learn about the devices around them a way to access and dissect the signals and protocols that power our lives. Personally, I am more engaged with the technology I encounter while walking around after my week with the Flipper Zero. I’m thinking more like a pen-tester.

What Is Flipper Zero? The Hacker Tool Going Viral on TikTok, Explained

A new US State Department assessment highlights the stark economic toll of Tehran’s recent shutdowns and platform control.

As internet shutdowns, platform blocking, and content filtering become increasingly common levers for authoritarian control around the world, Iran has presented an especially dramatic case study on the economic impact and humanitarian toll of connectivity blackouts. 

In response to mass government opposition and protests, the Iranian regime launched an extensive shutdown in September that drastically limited all digital communication in the country. And Tehran has ongoing campaigns to slow connectivity and access to popular services, including Meta's Instagram. Dragging out the disruptions, though, is beginning to reveal the true economic toll of the brutal technique, according to new assessments by the US Department of State.

Iran is already a heavily sanctioned and isolated nation, yet the government has repeatedly imposed broad digital restrictions and shutdowns, including notable initiatives in 2017 and 2019. The cumulative impact of these crackdowns has affected the rights of more than 80 million people living in Iran and disrupted every aspect of Iranian society, including commerce.

“This is another instance, an important one, in which the officials show how they consistently pick their own self-interest over the public interest,” says Reza Ghazinouri, a strategic adviser for the San Francisco–based human rights and civil liberties group United for Iran. “In the past years, millions of Iranians have fallen below the poverty line, and further limiting access to platforms like Instagram just adds many more to that number. And this disproportionately impacts women. Sixty-four percent of Iranian businesses on Instagram are women-owned.”

From communicating with customers to processing transactions, businesses rely on digital platforms in different ways, but digital disruptions have an impact on businesses of all sizes. Multiple Iranian trade associations have said in recent weeks that their member companies are reporting major losses. And some reports have found that the recent outage affected hundreds of thousands of small businesses. 

“This censorship underscores the degree to which Iran’s leadership fears what is possible when its people can freely communicate with one another and the outside world,” Rob Malley, US special envoy for Iran, told WIRED in written remarks.

The protest movement in Iran has gained momentum since 22-year-old Mahsa Amini died in the custody of Iran's “morality police” while being held for allegedly breaking rules about wearing hijab. Since September, more than 18,000 people have been detained by Iranian law enforcement related to the demonstrations, and nearly 500 people, including nearly 60 children, have been killed at the protests as officials exert increasingly draconian force on demonstrators. 

Analysis of the recent shutdown by a consortium of digital rights groups, published at the end of November and cited by the State Department, showed that the Iranian government has been deploying an increasingly broad set of technical capabilities to make it more difficult for the population to circumvent digital restrictions. For example, the government has broadened its ability to block encrypted connections to defeat users' efforts to conceal their web browsing. Officials have also continued to expand their blocks on the Google Play Store, Apple's App Store, and browser extension stores, making it harder for Iranians to download circumvention tools. The findings also indicate that there is a cumulative impact and increasing effectiveness over time as the government stacks censorship, content filtering, and blocking with intermittent and large-scale outages.

It is difficult to gauge the exact economic impact of the digital blackouts and disentangle it from other factors like international sanctions. Based on the escalating internet shutdown tactics and tolerance for self-inflicted damage, though, the State Department believes that the Iranian regime feels more threatened by the recent protest movement than previous public waves of opposition. 

Earlier this month, in a high-profile concession to protesters, the Iranian government said it had shut down the “morality police” that enforced restrictive laws, particularly a rigid Islamic dress code for women. The laws are still in place, though, and it is unclear how much the move will actually impact enforcement in practice.

A State Department spokesperson told WIRED in a statement that the White House is “committed to helping the Iranian people exercise their universal right to freedom of expression and to freely access information via the internet.”

Iran’s Internet Blackouts Are Sabotaging Its Own Economy

Elon Musk claims plane-tracking data is a risky privacy violation. But the world loses a lot if this information disappears—and that's already happening.

I woke up Friday morning to the message I’d been expecting: “Your account, @Justin\_Ling has been locked for violating the Twitter Rules.”

Below was the offending tweet: a link to one of the few websites that provide real-time private jet flight data that “chief twit” Elon Musk, I wrote, “hasn't bullied into suppressing his flight data.”

Musk has accused these flight trackers of providing “basically assassination coordinates.” He has launched a crusade against these apps and anyone who shares them on his recently acquired social media platform. Accounts like mine were locked, while others were banned entirely—from the @ElonJet bot, which shared the location of Musk’s private plane, to reporters who picked up on his campaign. Twitter rules were rewritten on the fly to forbid publishing anyone’s “physical location.”

The chaotic few days prompted the European Union to warn Musk that silencing journalists would likely result in sanctions from EU regulators. US Representative Adam Schiff demanded that Musk reinstate the suspended accounts and explain to Congress why he decided to retaliate against the press in the first place.

As of Monday, following a poll asking users when he should lift the account suspensions, Musk reinstated some—but not all—of those accounts. 

Lost in the chaos is just how successful Musk has been at suppressing that real-time flight data on the internet. In so doing, he’s taking aim at an incredibly valuable source of information—which has helped researchers, journalists, and experts with everything from tracking Russian oligarchs to investigating the fate of missing aircraft to tracking down international hitmen. Musk isn’t the only one trying to keep this type of information out of the public’s hands. 

Both real-time and historical information on Musk’s main private jet—a 2015 Gulfstream G650ER, tail number N628TS—is conspicuously missing from the two main flight-tracking platforms: FlightAware and FlightRadar24.

FlightAware reports that its real-time data on Musk’s jet is unavailable “due to European government data rules,” while its historical data about the plane’s comings and goings was removed “per request from the owner/operator.” Looking up Musk’s jet on FlightRadar24 returns the message: “we could not find data.”

Even smaller tracking platforms, like AirportInfo—the account that led to my Twitter being locked—have taken Musk’s flight information offline.

“The ongoing hullabaloo about the location of Elon Musk’s airplane has caused us to stop displaying his plane at the moment,” says Christian Rommes, an AirportInfo administrator. “Because Musk is threatening legal action, we don’t want to take any risks.”

While Rommes says his office hasn’t heard from Musk’s legal team, they took the step as a precaution. “Don’t mess with the (former) richest man of the world,” he says.

Aircraft operators are required to report detailed information on their flight path to various national regulators, including the Federal Aviation Administration. That data is generally a matter of public record and is published to various websites popular amongst airline enthusiasts. 

Some companies, like FlightAware, augment government data with their own sources of real-time flight information. Other websites, like planespotters.net and airliners.net, allow users to submit photos taken of aircraft as they come and go around the world.

These services have proved incredibly useful for journalists and independent researchers in recent years.

When Malaysian Airlines flight 370 disappeared in 2014, these trackers provided the public with the same data investigators were puzzling over—a flight path that cut straight across Malaysia before stopping abruptly over the South China Sea. Those websites would become critical tools for independent researchers in the years that followed.

Journalists and the general public again turned to these services after Malaysia Airlines flight 17 and Ukrainian International Airlines flight 752 were shot down in 2014 and 2020, respectively. As early reports suggested disaster had struck, these websites showed clearly that the flights were interrupted in mid-air.

But the utility of real-time flight tracking goes far beyond disasters.

In more lighthearted examples, diehard soccer fans have used FlightRadar24 to figure out where prospective trades are heading ahead of a possible signing. In 2015, tens of thousands of football fanatics correctly identified star manager Jurgen Klopp’s private jet as it made its way to Liverpool, preempting the team’s announcement.

The availability of this data has made it possible to track everything from a shipment of US weapons to Ukraine to Nancy Pelosi’s tense visit to Taiwan, in defiance of Chinese warnings.

Some pilots have leaned into this new visibility. One made headlines after drawing a penis in the sky over Florida.

The websites have also contributed to embarrassment for some private jet owners. Thanks to @CelebJets, a bot account set up by 20-year-old programmer Jack Sweeney, who also created @ElonJet, scrutiny over the pace at which the rich and famous galavant around in their CO2\-intensive private planes reached a fever pitch in 2022. Marketing agency Yard calculated just how much environmental damage was caused by these private jet trips—particularly short-haul flights, where driving or taking public transit would take only marginally longer. That report led to a massive public shaming of celebrities like Taylor Swift, whose private jet addiction put 1,184 times more CO2 into the atmosphere than the average person produces in a whole year. 

A single Elon Musk flight from February burned nearly 4.5 tonnes of CO2.

Sweeney’s jet-tracking bots, which scraped that public flight data and sent it directly to Twitter, also published real-time information on Russian oligarchs. That bot helped open source investigators keep tabs on a cohort of the ultra-rich Russians mainly responsible for keeping Vladimir Putin’s regime running amid a costly war against Ukraine.

Investigative outlet Bellingcat recommends FlightRadar24 for open source investigators, and its researchers have relied on the tool to track likely Russian intelligence operatives, understand political tumult in Kazakhstan, follow the Venezuelan government’s semi-secret private jet, and keep tabs on NATO planes as they conduct operations. Other investigative outlets, like the Organized Crime and Corrupting Reporting Project, have similarly leveraged the data to hunt down shady dealings the world over.

But as Musk’s effort to suppress the information has shown, not everyone wants this data to remain public.

For starters, some planes can turn off their transponders, which relay their coordinates to flight regulators. That option is generally not available for private civilian aircraft.

More useful to someone like Musk is the FAA’s Limiting Aircraft Data Displayed list. Introduced by a 2018 act of Congress, it allows private jet owners to block their data from being disseminated by the FAA. A spokesperson for FlightRadar24 confirmed to WIRED that, as they rely primarily on the FAA’s data, they respect the block list.

Not everyone relies on the FAA, however. Planes regularly transmit basic information mid-flight, through Automatic Dependent Surveillance-Broadcast technology (ADS-B). 

ADS-Bexchange, which describes itself as the “world’s largest source of unfiltered flight data,” has continued reporting real-time information on Musk’s Gulfstream using that technology. Sweeney relies on that website for his bots—which have since moved over to Instagram and Mastodon.

“The position data shown by ADSBexchange is available to anyone who can spend $50 on Amazon and put the parts together,” reads a Q&A on its website. “It’s not secret.”

Users on the site’s Discord channel have spent recent days mocking Musk’s attempt to go after this information and have been clear that they do not intend to remove his jet from the platform. “ADSBx does no blocking or hiding for any reason,” one moderator wrote.

Anyone keeping tabs on Musk’s jet would have known that the Twitter CEO was heading to Qatar for the World Cup finale on Sunday. Doha was a key player in Musk’s Twitter takeover. While there, Musk snapped a selfie with a Russian state broadcaster. (Musk has also relied on a Dubai-based financier with ties to Russian oligarchs to finance his $44 billion purchase of the social network.)

Given how much scrutiny this type of flight data has brought on him and his business dealings, perhaps it’s no surprise that Musk has taken some desperate measures to hide this information. He reportedly offered Sweeney $5,000 to take the @ElonJet bot down. Sweeney countered, asking for $50,000—but the pair do not appear to have ever made a deal. Despite vowing to respect Sweeney’s right to publish the information, Musk banned all of his bots and his personal Twitter account earlier this month, while ADS-B’s Twitter account was similarly removed.

Steffan Watkins is a Canadian Osint researcher who has spent years tracking planes and ships using this kind of publicly available data. Last year, he worked with a United Nations panel of experts to identify planes smuggling weapons into Libya.

“Simply put, because flight data is publicly available through many different flight trackers, the public is empowered to fact-check any statement from any source, government or private,” he says. “Unsurprisingly, there are powerful people who don’t want the transparency that provides.”

Knowing more about where government planes and private jets are going to and coming from can yield surprising results. Watkins points out that the CIA’s extraordinary rendition program, which enabled the arbitrary detention and torture of suspected terrorists—many of whom were innocent—was exposed with the help of open source flight data.

“As the CIA kidnapped and flew citizens of other countries to black sites around the world for integration and torture on government-chartered bizjets, they left a trail of data in their wake that was used to unravel the routes used to ship their abductees,” Watkins told WIRED.

More recently, in 2018 researchers used ADS-B data to trace the route that a Saudi kill squad took on its way to murder _Washington Post_ journalist Jamal Khashoggi.

Earlier this year, the Saudi government submitted a proposal to the International Civil Aviation Organization to encrypt and restrict access to this data. “The uncontrolled access to detailed/accurate ADS-B data on the internet raised concerns by aircraft operators and owners on safety, security, and privacy of flights,” the Saudis wrote to the Montreal-headquartered UN body.

“Oh, the country that flies assassins around the world wants to hide aviation info from the public because of ‘security’?” Watkins says. “How quaint.”

A Saudi prince, Alwaleed bin Talal bin Abdulaziz, is the second-largest shareholder in Twitter. The site’s largest owner, Musk, is similarly relying on security concerns as he moves to ban this flight data from his platform.

In announcing the ban on real-time flight data last week, he alleged that a “crazy stalker” followed a car carrying one of his children. “Legal action is being taken against Sweeney & organizations who supported harm to my family,” he tweeted.

The Los Angeles Police Department sees no link between his private jet’s coordinates and the alleged stalking, according to _Washington Post_ reporters Drew Harwell and Taylor Lorenz—two journalists Musk banned on Twitter. A Bellingcat contributor geolocated the incident, which Musk recorded and published to Twitter (possibly in violation of his own rules), to a gas station miles away from the airport and nearly a full day after Musk’s jet had last been in the air.

Seeing how few—if any—of Musk’s critics and online tormentors have air-to-air intercept capabilities, and given that airports continue to be some of the most secure places in modern society, the Tesla owner’s security concerns appear overblown.

“Safety, security, and privacy sound like noble goals, but there isn’t a rash of violent attacks on private planes—or any planes—and no indication there will be,” Watkins says. “Musk’s gripes are almost Musk-specific; few people have a jet they themselves can call on and fly anywhere with on a whim.”

Elon Musk and the Dangers of Censoring Real-Time Flight Trackers

Plus: An FBI platform got hacked, an ex-Twitter employee is sentenced for espionage, malicious Windows 10 installers circulate in Ukraine, and more.

As Russia's invasion of Ukraine drags on, navigation system monitors reported this week that they've detected a rise in GPS disruptions in Russian cities, ever since Ukraine began mounting long-range drone attacks. Elsewhere, a lawsuit against Meta alleges that a lack of adequate hate-speech moderation on Facebook led to violence that exacerbated Ethiopia's civil war. 

New evidence suggests that attackers planted data to frame an Indian priest who died in police custody—and that the hackers may have collaborated with law enforcement as he was investigated. The Russia-based ransomware gang Cuba abused legitimate Microsoft certificates to sign some of their malware, a method of falsely legitimatizing hacking tools that cybercriminals have particularly been relying on lately. And with the one-year anniversary of the Log4Shell vulnerability, researchers and security professionals reflected on the current state of open source supply-chain security, and what must be done to improve patch adoption.

We also explored the confluence of factors and circumstances leading to radicalization and extremism in the United States. And Meta gave WIRED some insight into the difficulty of enabling users to recover their accounts when they get locked out—without allowing attackers to exploit those same mechanisms for account takeovers.

But wait, there’s more! Each week, we highlight the security news we didn’t cover in depth ourselves. Click on the headlines below to read the full stories.

Alexey Brayman, 35, was one of seven people named in a 16-count federal indictment this week in which they were accused of operating an international smuggling ring over the past five years, illegally exported restricted technology to Russia. Brayman was taken into custody on Tuesday and later released on a $150,000 bond, after being ordered to forfeit his passport and abide by a curfew. He is an Israeli citizen who was born in Ukraine. Brayman and his wife, Daria, live in Merrimack, New Hampshire, a small town where the two ran an online craft business out of their home. “They are the nicest family,” a delivery driver who regularly drops off packages at their home told _The Boston Globe_. “They’ll leave gift cards out around the holidays. And snacks.” The indictment alleges, though, that their house was a staging site for “millions of dollars in military and sensitive dual-use technologies from US manufacturers and vendors.” Two other suspects connected to the case have also been arrested in New Jersey and Estonia.

A hacker breached the FBI information-sharing database InfraGard this week, compromising data from more than 80,000 members who share details and updates through the platform related to critical infrastructure in the United States. Some of the data is sensitive and pertains to national and digital security threats. Last weekend, the hacker posted samples of data stolen from the platform on a relatively new cybercriminal forum called Breached. They priced the database at $50,000 for the full contents. The hacker claims to have gained access to InfraGard by posing as the CEO of a finance company. The FBI said it was “aware of a potential false account associated with the InfraGard Portal and that it is actively looking into the matter.”

Former Twitter employee Ahmad Abouammo was convicted in August of being paid to send user data to the Saudi Arabian government while working at the tech company. He was also found guilty of money laundering, wire fraud, and falsification of records. He has now been sentenced to 42 months in prison. Abouammo worked at Twitter from 2013 to 2015. “This case revealed that foreign governments will bribe insiders to obtain the user information that is collected and stored by our Silicon Valley social-media companies,” US attorney Stephanie Hinds said in a statement. “This sentence sends a message to insiders with access to user information to safeguard it, particularly from repressive regimes, or risk significant time in prison.” Earlier this year, whistleblower and former Twitter security chief Peiter Zatko alleged that Twitter has long had problems with foreign agents infiltrating the company. The situation has been of particular concern as new CEO Elon Musk massively overhauls the company and its workforce.

In an effort to compromise Ukrainian government networks,  hackers have been posting malicious Windows 10 installers on torrent sites used in Ukraine and Russia, according to researchers from the security firm Mandiant. The installers were set up with the Ukrainian language pack and were free to download. They deployed malware for reconnaissance, data gathering, and exfiltration. Mandiant said it could not definitively attribute the campaign to specific hackers, but that the targets overlap with those that have been attacked in past hacks by the Russian military intelligence agency GRU.

Years after it was proved vulnerable and insecure, the US National Institute of Standards and Technology said on Thursday that the SHA-1 cryptographic algorithm should be removed from all software platforms by December 31, 2030. Developers should turn instead to algorithms with more robust security, namely SHA-2 and SHA-3. The “security hash algorithm,” or SHA, was developed by the National Security Agency and debuted in 1993. SHA-1 is a slightly modified replacement used since 1995. By 2005 it was clear that SHA-1 was “cryptographically broken,” but it remained in widespread use for years. NIST said this week, though, that attacks on SHA-1 “have become increasingly severe.” Developers have eight years to migrate away for any remaining uses of the algorithm. "Modules that still use SHA-1 after 2030 will not be permitted for purchase by the federal government,” NIST computer scientist Chris Celi said in a statement.

An Alleged Russian Smuggling Ring Was Uncovered in New Hampshire

How do you keep Facebook easy to use without being trivial to exploit? The company is trying to chart a middle ground.

the threat of Facebook account takeovers always looms, whether they’re caused by attacks that steal users’ login credentials or hacks that, say, compromise users’ email accounts and exploit the access to launch rogue account recoveries. At the same time, though, Facebook users need to be able to regain access to their accounts if they forget their password or otherwise get locked out. Account recovery creates a classic tension for any digital service, but when you have close to 3 billion users, the stakes are at their highest. Now, Facebook parent company, Meta, is sharing new insight into its balancing act over the last year as it attempts to improve the account recovery process and detect more potentially malicious activity on its platforms without creating disruptions for users or compromising their account security.

Meta has focused its efforts on examining and expanding users’ options for setting “contact points,” or third-party services like email addresses and phone numbers where Facebook can communicate with a user about account recovery. Meta told WIRED that a quarter of all Facebook account compromises begin with abuse of a contact point. At the same time, though, Meta says people are twice as likely to successfully recover their account when their contact points are up to date, highlighting the fine line between keeping people out of their own accounts versus blocking bad actors. 

“There’s a fundamental feedback loop, and the account compromise work is an area where it’s especially relevant because it’s such an adversarial space,” says Nathaniel Gleicher, Meta’s head of security policy. “Whenever my team gets involved in something, it means there’s an adversary on the other side. But we have to be really careful about how to stop bad actors without also stopping good actors."

Meta didn’t provide specific statistics on how many accounts are compromised per month or how many people recover access to their accounts after a compromise.

The company says it employs a range of assessments and “verification challenges” in an attempt to separate the activity of real Facebook users trying to regain access to their accounts from malicious access attempts. Depending on the situation, Facebook may send a code to a device that was formerly logged in to the account or request that a user provide identification to authenticate them. Instagram is also exploring a recovery feature in which a randomly selected group of accounts a user interacts with most can be asked to testify to their identity and the validity of their login attempts.

Most account recovery features on Facebook are automated to handle the sheer scale of the social network's user base. But in 2021, the company said it would begin expanding its offerings for users to live-chat with a person about account recovery issues. In October, Facebook's systems offered 1.3 million users in nine countries the option to work with live agents as part of the account recovery flow, according to Meta. The company plans to expand the live chat to 30 countries. The rollout has been very gradual, Gleicher says, so Meta can fine-tune the system and reduce the chance that attackers can exploit it to social engineer, or trick, agents into granting improper access to accounts.

Meta says it applies the concepts of “adversarial design” to build systems with the assumption that attackers will try to exploit them, rather than ignoring the reality of these risks and being caught off guard. 

“You’re living in an adversarial space and you expect the bad guys to keep exploiting, and one way to tackle this is whenever you build a system, you roll it out slowly and you watch carefully for how it gets exploited, and then you rapidly build systems to protect it,” Gleicher says. “But all of that is reactive, and you want to be careful about being purely reactive. ‘Threat ideation’ is a system we’ve built that relies on a combination of strategic foresight, tabletop exercises, red teaming, blue teaming, purple teaming techniques to take a new product that we’re considering, an event that’s coming up, a policy, and put people both inside the company and outside in the shoes of the bad guys and the shoes of the good guys to see what they're going to do.”

Using some of the same signal analysis methodology, Meta plans to roll out more nuanced warnings to users for Facebook Messenger and Instagram to automatically redirect suspicious links to spam when they may lead to targeted phishing attacks or malware and expand alerts when a user communicates with a new account that may be an imposter posing as someone the target user knows and trusts.

It's difficult to bring all of these components together without accidentally blocking legitimate content or locking people out, but Meta says it remains motivated to find the balance. And hey, at the end of the day, helping more users get back into their accounts is good for user retention and, therefore, good for business.

“When bad actors compromise email, those are things that are outside of our direct control, and it's not necessarily a compromise targeted at Meta assets,” Gleicher says. “But we have a lot of users, which means we have a really important, wide-ranging responsibility.”

As always, the best protections for all of your online accounts are strong unique passwords, using a password manager to keep track of them all, and enabling two-factor authentication on every account that offers it.

Meta’s Tricky Quest to Protect Your Account

Navigation system monitors have seen a recent uptick in interruptions since Ukraine began launching long-range drone attacks.

Every day, billions of people use the GPS satellite system to find their way around the world—but GPS signals are vulnerable. Jamming and spoofing attacks can cripple GPS connections entirely or make something appear in the wrong location, causing disruption and safety issues. Just ask Russia.

New data analysis reveals that multiple major Russian cities appear to have faced widespread GPS disruption during the past week. The signal interference follows Ukraine launching long-range drone attacks deep into Russian territory, and it may act as a way to potentially stop drones that rely upon GPS for navigation, experts say. 

The GPS interference has “expanded on a scale that hasn't been seen before,” says Erik Kannike, a program manager at Estonian defense intelligence firm SensusQ who has been monitoring the situation. “What we're seeing now, since about a week ago, is GPS jamming bubbles covering hundreds if not thousands of kilometers around tactical cities.”

The GPS issues were first spotted by the monitoring system GPSJam, which uses data from planes to track problems with the satellite navigation system. The website has logged an increasing number of GPS disturbances in the Russian cities of Saratov, Volgograd, and Penza since the start of December. All of the cities are in Eastern Russia and within hundreds of kilometers of the border with Ukraine. 

On December 5, GPSJam logged a limited amount of GPS interference in Russia—the majority of registered interference took place around Moscow, where the Kremlin for years has tampered with GPS connections. However, since December 11, multiple areas of the country have faced GPS disruption, data gathered by GPSJam shows. In addition, wireless data analytics firm Aurora Insight measured an increase in GPS signal levels in the area at the start of December—a sign that potential GPS interference could have happened.

At the start of Russia’s full-scale invasion of Ukraine in February, there was no GPS interference detected by the website in these areas—aside from around Moscow. In recent months, the website has tracked little signal interference around Russia, although there has been some near Belarus. Some GPS disturbances have also been logged near Russia's border with Finland.

Disruption to Global Navigation Satellite Systems—a broad term that includes all satellite-based navigation systems, including Russia’ GLONASS, China's Beidou, and Europe's Galileo—can be caused in multiple ways. Most commonly, attackers use jamming or spoofing. Jamming can involve overriding radio signals so they don’t operate as intended, while spoofing can create false signals. Jamming can stop drones flying in certain areas and make map apps unreliable. And hundreds of warships appear to have had their locations spoofed since 2020.

As the most widely used GNSS system, GPS has become an “international utility” in recent decades. This also means it has become “more susceptible and more likely to be interrupted,” says Dana Goward, the president of the Resilient Navigation and Timing Foundation, a nonprofit that helps to protect critical infrastructure. “Doing so causes greater and greater havoc in any number of systems,” Goward adds.

There are relatively few large-scale monitoring efforts tracking GPS disruptions. John Wiseman, the technologist and open source enthusiast who created GPSJam, says the system works by looking at ADS-B signals that are sent by planes flying around the world—the signals are used by planes to let people know their location and to allow them to be tracked. As part of ADS-B data, a plane’s GNSS signal strength can be recorded.

Wiseman says GPSJam, which launched in July after he began collecting data in mid-February, uses ADS-B data from ADS-B Exchange, a network of aviation followers who track planes. This is generally GPS data, but it can also be other GNSS data if a plane uses a different system. Wiseman then aggregates this data each day to show areas where there appears to be GPS interference. 

The GPSJam map shows potential interference in red hexes across a world map, while areas where there may be some smaller interference are shown in yellow, and green hexes represent no interference. The system is able to classify areas only where planes have flown over and where ADS-B data is collected. Since the start of the war in Ukraine, planes have not been flying over the country’s airspace.

“Most of the red zones that are regularly there correlate with places where people have previously documented GPS interference,” Wiseman says. (He has previously built multiple open source flight tracking tools.) “It's really just measuring aircraft. There are stories where people on the ground and some of those regions aren't noticing anything.” In the cities recently impacted, there have been some Russian-language social media posts discussing outages, although it is unclear how widely GPS has been disrupted on the ground.

Todd Walter, the director of the GNSS laboratory at Stanford University, says GPSJam is a “valuable resource” for those tracking GPS interference. “It is a good method to quickly see where jamming is prevalent,” Walter says. Along with fellow researchers at Stanford, Walter has previously documented how ADS-B data can be used for tracking GNSS disruptions. Despite the technique working, Walter says, there are limitations to using ADS-B data to track GPS outages. 

“It is not very good at detecting weak jammers or jammers on other frequencies,” Walter explains, adding that an aircraft’s body can shield potential sources of blocking, making it harder to detect smaller, local sources of GPS blocking. “Areas that are green on GPSJam are not necessarily free of any GPS jamming,” he adds.

GPS disruptions can also be monitored from space. Data provided to WIRED from Aurora Insight, which uses satellites to sense GNSS disruptions, shows an increase in signal strength in eastern Russia in recent weeks, compared with measurements taken in August. “Increases in GPS signal levels have the potential to interfere with some types of GPS receivers,” the company says, pointing out that this does not explicitly mean interference or jamming has taken place. 

Throughout Russia's full-scale war in Ukraine, its forces have attempted to control the information space and communications. Its hack against the ViaSat satellite system disrupted satellite connections across Europe. Cities have had telephone equipment destroyed by missiles, and in some occupied areas Russia has tried to take control of Ukraine’s internet, subjecting people to censorship and surveillance. (At the same time, Russia has been hacked at an unprecedented scale.) 

Electronic warfare—including the jamming and blocking of GPS signals—has also been a part of the war. Russia has a well-documented history of disrupting GNSS signals, including testing electronic warfare systems in Syria. In 2018, taxis around the Kremlin appeared thousands of miles away on maps. Tankers off the Russian coast have also vanished from tracking systems. One 2019 report from the nonprofit C4ADS documented 9,883 cases of GNSS spoofing linked to Russia, saying it often happens when president Vladimir Putin visits an area. (Russia is not the only country with these capabilities: In the past eight years, commercial airlines in the US have reported at least 90 incidents of GPS interference, many of which were reportedly linked to nearby military tests.)

Since Russia invaded Ukraine in February, GNSS signal disruption has been spotted multiple times. In March, the European Union Aviation Safety Agency issued an alert warning about satellite navigation systems being jammed or spoofed around Ukraine and in nearby regions. The United States has accused Russia of attempting to jam GPS, and reports say Russian jamming technologies have made Ukrainian drones inoperable during battles taking place on the ground.

The recently reported GPS interference in Russian cities may be linked to Ukraine’s attacks against Russian territories, Kannike says, although this remains unconfirmed. “The logical conclusion here is that this is a response to the Ukrainian strikes deep behind Russian lines,” Kannike says. 

At the start of December, Ukraine launched drone attacks against military bases inside Russia. This was followed by reports that the Pentagon supported the long-range strikes. Russia’s media and telecommunications agency Roskomnadzor did not respond to WIRED’s request for comment.

GPS jamming could stop drones from operating in the areas. Analysis of Russia’s electronic warfare capabilities says the country has multiple types of military equipment that can be used to interfere with GPS. This includes trucks and vehicles, equipped with scores of antennas, that can move to areas where officials may want to block signals. “This suggests that Russia is, at least for the winter, adopting a much more defensive posture where they're actually focused on preventing incidents in their homeland,” Kannike adds. “The days where Russians underestimate Ukrainian long-range strike capabilities is certainly over.”

GPS Signals Are Being Disrupted in Russian Cities

The suit claims the company lacks adequate moderation to prevent widespread hate speech that has led to violence and death.

On November 3, 2021, Meareg Amare, a professor of chemistry at Bahir Dar University in Ethiopia, was gunned down outside his home. Amare, who was ethnically Tigrayan, had been targeted in a series of Facebook posts the month before, alleging that he had stolen equipment from the university, sold it, and used the proceeds to buy property. In the comments, people called for his death. Amare’s son, researcher Abrham Amare, appealed to Facebook to have the posts removed but heard nothing back for weeks. Eight days after his father’s murder, Abrham received a response from Facebook: One of the posts targeting his father, shared by a page with more than 50,000 followers, had been removed.

"I hold Facebook personally responsible for my father's murder," he says.

Today, Abrham, as well as fellow researchers and Amnesty International legal adviser Fisseha Tekle, filed a lawsuit against Meta in Kenya, alleging that the company has allowed hate speech to run rampant on the platform, causing widespread violence. The suit calls for the company to deprioritize hateful content in the platform’s algorithm and to add to its content moderation staff.

“Facebook can no longer be allowed to prioritize profit at the expense of our communities. Like the radio in Rwanda, Facebook has fanned the flames of war in Ethiopia,” says Rosa Curling, director of Foxglove, a UK-based nonprofit that tackles human rights abuses by global technology giants. The organization is supporting the petition. “The company has clear tools available—adjust their algorithms to demote viral hate, hire more local staff and ensure they are well-paid, and that their work is safe and fair—to prevent that from continuing.”

Since 2020, Ethiopia has been embroiled in civil war. Prime Minister Abiy Ahmed responded to attacks on federal military bases by sending troops into Tigray, a region in the country’s north that borders neighboring Eritrea. An April report released by Amnesty International and Human Rights Watch found substantial evidence of crimes against humanity and a campaign of ethnic cleansing against ethnic Tigrayans by Ethiopian government forces. 

Fisseha Tekle, Amnesty International's lead Ethiopia researcher, has further implicated Facebook in propagating abusive content, which, according to the petition, endangered the lives of his family. Since 2021, Amnesty and Tekle have drawn widespread rebuke from supporters of Ethiopia’s Tigray campaign—seemingly for not placing the blame for wartime atrocities squarely at the feet of Tigrayan separatists. In fact, Tekle’s research into the countless crimes against humanity amid the conflict fingered belligerents on all sides, finding the separatists and federal Ethiopian government mutually culpable for systematic murders and rapes of civilians. Tekle told reporters during an October press conference: “There’s no innocent party which has not committed human rights violations in this conflict.”

In a statement Foxglove shared with WIRED, Tekle spoke of witnessing “firsthand” Facebook’s alleged role in tarnishing research aimed at shining a light on government-sponsored massacres, describing social media platforms perpetuating hate and disinformation as corrosive to the work of human rights defenders.

Facebook, which is used by more than 6 million people in Ethiopia, has been a key avenue through which narratives targeting and dehumanizing Tigrayans have spread. In a July 2021 Facebook post that remains on the platform, Prime Minister Ahmed referred to Tigrayan rebels as “weeds” that must be pulled. However, the Facebook Papers revealed that the company lacked the capacity to properly moderate content in most of the country’s more than 45 languages. 

Leaked documents shared by Facebook whistleblower Frances Haugen show that parent company Meta's leadership remained well-informed of the platform's potential for exacerbating political and ethnic violence throughout the Tigray war, earning Ethiopia special attention at times from the company's premiere risk and response team. By at least 2021, the documents show, conflict in the country had raised enough alarms to warrant the formation of a war-room-like operation known as an IPOC, a process Facebook created in 2018 to respond rapidly to political "crisis moments." 

Relative to its usual content moderation processes, IPOC is viewed internally as a scalpel, deployed not only to anticipate emerging threats but triage cases of "overwhelming abuse" spurred on by political flash points. This includes the use of so-called "break the glass" measures: dozens of "levers" IPOC teams can deploy during exceptionally inciteful events to quell spikes in hate speech on the platform. In the US, for instance, this included the November 2020 election and subsequent attack on the US Capitol. 

In testimony before the US Senate last fall, Haugen likened the violence in Ethiopia to the genocide of more than 25,000 Rohingya Muslims in Myanmar, war crimes for which Facebook has been internationally condemned for its role in instigating, by the United Nation's Human Rights Council, among others. "What we saw in Myanmar and are now seeing in Ethiopia are only the beginning chapters of a story so terrifying no one wants to read the end of it," Haugen, a former Facebook product manager, told lawmakers. 

As late as December 2020, Meta lacked hate speech classifiers for Oromo and Amharic, two of the major languages spoken in Ethiopia. To compensate for its inadequate staff and in the absence of classifiers, Meta’s team searched for other proxies that would allow them to identify dangerous content, a method known as network-based moderation. But the team struggled because they found, for reasons not immediately clear, that Ethiopian users were far less likely to perform actions that Facebook had long used to help detect hate speech, which included the appearance of too many "angry" face reactions. One internal proposal suggested ditching this model entirely, replacing it instead with one that lends greater weight to other "negative" actions, such as users un-liking pages or hiding posts. It's not clear from the documents whether the proposal was accepted.

In its 2021 roadmap, Meta designated Ethiopia as a country in “dire” risk of violence, and in an assessment of the company’s response to violent and inciting content, it ranked its own capacity in Ethiopia as a 0 out of 3. Yet, in another document, a Meta staff member acknowledged that the company lacked “human review capacity” for Ethiopia in the run-up to the country’s elections. 

The petitioners have asked the high court to issue a declaration naming Meta responsible for violating a slate of basic rights guaranteed under Kenya’s Constitution of 2010: the right to freedom of expression and association; the right not to be subjected to violence or have information about one’s family or private affairs unnecessarily publicized; and the right to equal protection under the law, among others. Moreover, the petitioners have asked the court to order the establishment of a victims' fund of over $2 billion, with the court itself dispersing the funds on a case-by-case basis. Lastly, they’ve asked the court to compel Facebook to declare that its algorithms will no longer promote inciteful, hateful, and dangerous content and demote it wherever found, in addition to rolling out new crisis mitigation protocol “qualitatively equivalent to those deployed in the US,” for Kenya and all other countries whose content Meta moderates from Nairobi. 

“Kenya is the content moderation hub for posts in Oromo, Tigrinya, and Amharic. These are the only three Ethiopian languages, out of the 85 spoken in the country, that Facebook’s current content moderators can even attempt to cover,” says Curling. “There are currently 25 Facebook content moderators working on Ethiopian-related content for a country of 117 million people. Decisions by these individuals, forced to work in awful and unfair conditions, about what posts are taken down and what remains online are taken in Kenya, and it is the Kenyan courts, therefore, that need to determine both men’s legal challenge.”

Meta spokesperson Sally Aldous told WIRED that hate speech and incitement to violence are against the company’s policies. “Our safety and integrity work in Ethiopia is guided by feedback from local civil society organizations and international institutions,” she says. “We employ staff with local knowledge and expertise, and continue to develop our capabilities to catch violating content in the most widely spoken languages in the country, including Amharic, Oromo, Somali, and Tigrinya.” 

Aldous did not address whether the company has more than 25 moderators focused on the country and whether the company has an IPOC team focused on the conflict in Tigray, beyond the country’s election cycles.

Meanwhile, in the wake of his father’s death, Amare and his family were forced to flee their home. He is currently awaiting the outcome of his asylum claim in the United States.

“Every dream we had collapsed,” he says.

A New Lawsuit Accuses Meta of Inflaming Civil War in Ethiopia

The company has taken measures to mitigate the risks, but security researchers warn of a broader threat.

Less than two weeks ago, the United States Cybersecurity & Infrastructure Security Agency and FBI released a joint advisory about the threat of ransomware attacks from a gang that calls itself “Cuba.” The group, which researchers believe is, in fact, based in Russia, has been on a rampage over the past year targeting an increasing number of businesses and other institutions in the US and abroad. New research released today indicates that Cuba has been using pieces of malware in its attacks that were certified, or given a seal of approval, by Microsoft.

Cuba used these cryptographically signed “drivers” after compromising a target's systems as part of efforts to disable security scanning tools and change settings. The activity was meant to fly under the radar, but it was flagged by monitoring tools from the security firm Sophos. Researchers from Palo Alto Networks Unit 42 previously observed Cuba signing a privileged piece of software known as a “kernel driver” with an NVIDIA certificate that was leaked earlier this year by the Lapsus$ hacking group. And Sophos says it has also seen the group use the strategy with compromised certificates from at least one other Chinese tech company, which security firm Mandiant identified as Zhuhai Liancheng Technology Co. 

“Microsoft was recently informed that drivers certified by Microsoft’s Windows Hardware Developer Program were being used maliciously in post-exploitation activity,” the company said in a security advisory today. “Several developer accounts for the Microsoft Partner Center were engaged in submitting malicious drivers to obtain a Microsoft signature … The signed malicious drivers were likely used to facilitate post-exploitation intrusion activity such as the deployment of ransomware.”

Sophos notified Microsoft about the activity on October 19 along with Mandiant and security firm SentinelOne. Microsoft says it has suspended the Partner Center accounts that were being abused, revoked the rogue certificates, and released security updates for Windows related to the situation. The company adds that it hasn't identified any compromise of its systems beyond the partner account abuse.

Microsoft declined WIRED's request to comment beyond the advisory.

“These attackers, most likely affiliates of the Cuba ransomware group, know what they’re doing—and they’re persistent," says Christopher Budd, director of threat research at Sophos. “We’ve found a total of 10 malicious drivers, all variants of the initial discovery. These drivers show a concerted effort to move up the trust chain, starting at least this past July. Creating a malicious driver from scratch and getting it signed by a legitimate authority is difficult. However, it’s incredibly effective, because the driver can essentially carry out any processes without question."

Cryptographic software signing is an important validation mechanism meant to ensure that software has been vetted and anointed by a trusted party or “certificate authority.” Attackers are always looking for weaknesses in this infrastructure, though, where they can compromise certificates or otherwise undermine and abuse the signing process to legitimize their malware. 

“Mandiant has previously observed scenarios when it is suspected that groups leverage a common criminal service for code signing,” the company wrote in a report published today. “The use of stolen or fraudulently obtained code signing certificates by threat actors has been a common tactic, and providing these certificates or signing services has proven a lucrative niche in the underground economy.”

Earlier this month, Google published findings that a number of compromised “platform certificates” managed by Android device makers including Samsung and LG had been used to sign malicious Android apps distributed through third-party channels. It appears that at least some of the compromised certificates were used to sign components of the Manuscrypt remote access tool. The FBI and CISA have previously attributed activity associated with the Manuscrypt malware family to North Korean state-backed hackers targeting cryptocurrency platforms and exchanges.

“In 2022, we’ve seen ransomware attackers increasingly attempting to bypass endpoint detection and response products of many, if not most, major vendors,” Sophos' Budd says. “The security community needs to be aware of this threat so that they can implement additional security measures. What’s more, we may see other attackers attempt to emulate this type of attack.”

With so many compromised certificates flying around, it seems that many attackers have already gotten the memo about shifting toward this strategy.

Cuba Ransomware Gang Abused Microsoft Certificates to Sign Malware

And new evidence suggests those hackers may have collaborated with the police who investigated him.

The case of the Bhima Koregaon 16, in which hackers planted fake evidence on the computers of two Indian human rights activists that led to their arrest along with more than a dozen colleagues, has already become notorious worldwide. Now the tragedy and injustice of that case is coming further into focus: A forensics firm has found signs that the same hackers also planted evidence on the hard drive of _another_ high-profile defendant in the case who later died in jail—as well as fresh clues that the hackers who fabricated that evidence were collaborating with the Pune City Police investigating him.

On Tuesday, Boston-based forensics firm Arsenal Consulting, which has been working on behalf of the defendants in the Bhima Koregaon case, released a new report revealing their analysis of the hard drive of Stan Swamy, perhaps the most famous of the 16 activists arrested in the case, all of whom have advocated for rights for Dalits—the Indian group once known as “untouchables"—as well as for Indian Muslims and indigenous people. Swamy, an 84-year-old Jesuit priest who suffered from Parkinson's disease, died in a hospital last year after being arrested in 2019 and contracting Covid-19 in jail. Arsenal has now found that evidence found on Swamy's computer was fabricated by the same hackers whom Arsenal found planting evidence on two other defendants in the case, Surendra Gadling and Rona Wilson.

Just as significant, Arsenal found new signs of the hackers' attempt to clean up their tampering and cover their tracks just a day before Swamy's computer was seized in 2019—a suggestion that the digital intruders likely knew the raid and seizure was coming and were cooperating with the Pune police who carried it out.

"It should be noted that this is one of the most serious cases involving evidence tampering that Arsenal has ever encountered," Arsenal's report, authored by its president, Mark Spencer, reads. "The attacker responsible for compromising Swamy’s computer had extensive resources (including time), and it is obvious that their primary goals were surveillance and incriminating document delivery."

Mihir Desai, an attorney who represented Swamy and still represents two other Bhima Koregaon 16 defendants, described the new report as a significant win for their cause. “It reconfirms and reiterates the bogus nature of the evidence and casts a doubt on all arrests,” Desai says. He adds that the specific finding in the report that the hackers tried to erase their trail just before the seizure of Swamy's computer as evidence indicates that "someone from the investigating agency was fully aware as to what was happening.”

In its report, Arsenal points to a series of clues the hackers left on Swamy's computer, which the firm has been analyzing on behalf of the late priest's legal defense team since August of this year. The hackers, according to Arsenal's report, compromised Swamy's machine at least three times between 2014 and 2019, installing several different versions of a piece of malware known as NetWire. Based on artifacts in the computer's memory and disk storage, Arsenal found that the NetWire malware installed a series of files in a hidden folder on Swamy's computer, including one that listed weapons possessed by various units of a militant rebel group and another that seemed to suggest kidnapping members of India's ruling party, the BJP.

According to Arsenal, Swamy never touched the files himself. After his devices were seized by Pune City Police, those files were among the digital evidence used to charge him and the other Bhima Koregaon 16 defendants with terrorism as well as inciting a riot in 2018 that led to two deaths.

All of Arsenal's findings, the firm notes, match the earlier cases of evidence fabrication, seemingly carried out by the same hackers, that targeted the two defendants' machines that Arsenal examined earlier. "Arsenal has effectively caught the attacker red-handed (yet again)," the report adds.

On Swamy's computer, however, Arsenal also found something new: The hackers seem to have begun what Arsenal calls "antiforensics"—a clean-up operation–on June 11, 2019, deleting files that revealed its access to Swamy's machine in an apparent attempt to cover their tracks, just a day before Pune Police seized Swamy's computer on June 12 of that year. Arsenal describes that attempt at anti-forensics as "both unique and extremely suspicious given the computer's imminent seizure."

In other words, the hackers wanted to plant fake evidence that could be revealed to incriminate Swamy while also deleting _actual_ evidence of their fabrications that might be discovered in legal proceedings, says Tom Hegel, a researcher for security firm Sentinel One. (Hegel and his colleague Juan Andres Guerrero‑Saade published their own findings on the Bhima Koregaon hacking cases this year.) Hegel argues the timing of that deletion, which he says displays a sloppy urgency, suggests the hackers somehow knew the seizure of Swamy's devices was coming, and after five years of stealthy access to his computer, scrambled to erase their fingerprints. "The timing and the rushed cleanup effort is, in my opinion, clear evidence of collusion between the police unit and the attackers at that point," Hegel says.

That cleanup is one of several signs that the hackers who targeted members of the Bhima Koregaon 16 may well have been working in league with the Pune City Police who arrested many of the defendants. Last June, Hegel and Guerrero‑Saade revealed to WIRED that an official in the Pune City Police appears to have added his own email address and phone number to several of the defendants' hacked email accounts, in some cases months before they were arrested, seemingly as a crude backup mechanism to try to maintain access to their accounts. “There’s a provable connection between the individuals who arrested these folks and the individuals who planted the evidence,” Guerrero‑Saade told WIRED at the time.

Pune City Police officials declined to respond to WIRED's request for comment, both in June and in response to the new findings from Arsenal.

Of the 16 Bhima Koregaon defendants, 11 remain in jail. Three have been released on bail, and one has been confined to house arrest. But the case of Stan Swamy, the oldest of the defendants and the only one to die in detention, has taken perhaps the biggest spotlight: Human rights organizations and the US State Department have spoken out against Swamy's imprisonment, and he was posthumously awarded the Martin Ennals Award, sometimes described as the Nobel Prize for human rights defenders.

But Swamy was far from unique in being targeted by the hackers who sought to frame him. Based on the details of the malware and hacking infrastructure described in Arsenal's report, Hegel says that the hackers who broke into Swamy's computer, as well as those of the two other Bhima Koregaon defendants, are part of the group Sentinel One calls "Modified Elephant." Hegel and Guerrero‑Saade analyzed the group's code and command-and-control servers in a report they published in February that tied Modified Elephant to the targeting of hundreds of activists, journalists, and academics since as early as 2012.

"The links back to Modified Elephant are extremely obvious and verifiable," says Hegel. "It’s another confirmation, at least from the evidence we have so far, that the defendants in the Bhima Koregaon case have been framed." And it's becoming harder than ever to deny that the hackers who did that framing were in league with the very authorities who condemned Stan Swamy to spend the last months of his life in a jail cell.

Hackers Planted Files to Frame Indian Priest Who Died in Custody

A confluence of factors is leading people in the nation to gravitate toward extremist views.

All across the country, there are signs of a more radicalized American populace. It’s become impossible to ignore over the past few years. The US has witnessed an insurrection, the rise of QAnon, increasing anti-Semitism, attacks on the LGBTQ community, and more. While radicalism has risen to some degree in many other Western nations, this trend has been exceptionally more pronounced in the United States. It is, therefore, necessary to determine the root causes of it and what makes America, well, exceptional. 

To better understand extremism in the US, it’s necessary to understand who is being radicalized. It’s primarily right-wing extremism, but right-wing extremism covers many different groups and types of people who engage with it. It’s not just the people who join militias like the Proud Boys or the Oath Keepers, it’s the seemingly ordinary people who latch onto QAnon or other conspiracy theories. 

The January 6, 2021, attack in Washington is a good case study on what kind of people have become radicalized in the US. There were members of militia groups there, but research has shown roughly 90 percent of the people who stormed the Capitol were not affiliated with militias or other far-right groups. Many were business owners or regular working people who became convinced over time that the 2020 election had been stolen from Donald Trump.

Conspiracy theories like those under the QAnon umbrella have infiltrated many groups of people one might not expect. They’ve found their way into yoga and parenting groups. A neighbor you regularly encounter at the grocery store and don’t think twice about could be in the process of being radicalized. People from all walks of life can be influenced by these conspiracy theories. 

All of that said, there are some notable psychological and social factors that could be causing Americans to become more prone to embrace extreme ideologies. One of the key factors appears to be a strong sense of uncertainty. The human brain doesn’t like uncertainty, and it can cause people to seek out a path to feeling more certain and assured by any means possible.

J. M. Berger, an author and researcher who focuses on extremism, says there have been many reasons for people to feel uncertain over the past decade or so. Rapid changes in technology, major shifts in the labor market and the economy, the Covid-19 pandemic, and more have caused many Americans to feel unanchored. This creates a situation where extremism can flourish.

“What you find is people are most vulnerable to authoritarianism and extremist impulses when they don’t know what they’re supposed to do,” Berger says. “They don’t know where they fit in the world.”

Arie Kruglanski, a professor of psychology at the University of Maryland, says that something that motivates people in uncertain times is a need to feel significant. 

“These things increase the motivation to reassert your significance. Once you have that, you’re vulnerable to narratives that promise you a restoration of your significance,” Kruglanski says. “Many of these conspiracy theories—most of them, I would think—do that.”

Extremist movements can make people feel significant, give them a sense of purpose, and provide them a narrative that explains why everything seems so screwed up. They also give them a sense of community and support. Kruglanski says the more you feel embraced by a network of people, the more you feel motivated to embrace their narrative, even if it’s extreme. Oftentimes, he says, people don’t realize how extreme the group they’re joining actually is until they’ve become invested in it.

Berger says social media has ramped up feelings of uncertainty. He says that’s partly due to the fact that ideas can now almost instantly be spread far and wide with little effort, which can be destabilizing.

“In the past, when transmission of ideas was slower, the ideas had a chance to evolve as they were being transmitted. This would sometimes create a sort of moderating influence,” Berger says. “With social media, ideas move so fast that there’s really no prospect for moderation. Even the most extreme ideas can spread incredibly quickly.”

Social media has also made it easier for people to become radicalized because they can easily find people who share any extreme views they may have and who will happily invite them into a movement. Someone who wouldn’t have met people who share their views in the small town they lived in years ago can easily find a community online and become further radicalized.

“Social media has radically changed how people communicate,” Berger says. “It’s radically changed the kinds of ideas people are exposed to.” 

Research has shown social media exacerbates political polarization, often pushes users to view more extreme content, and helps extremists organize and coordinate their efforts. Social media also has positive impacts in terms of helping organize activists and connecting people in beneficial ways, but its negative effects and uses are significant.

“The network support, the clandestine conspiracy narratives combined with the sense of uncertainty, sense of lost significance—these elements create a combustible mixture that can be lit and lead to radicalization and radical action,” Kruglanski says.

So, many people feel uncertain and insignificant, and social media is flooded with disinformation and groups of extremists who will invite them into a movement. That’s some of it. The more obvious aspect of this, but one that is important, is the role of political leaders in America and a Republican Party that has become more extreme itself. 

“We have people who are the top leaders of a right-wing party who are really just willing to come out and express and endorse positions that are much more radical than what used to be the norm in American politics,” Berger says. “They’re creating a permission structure for people to talk about racism and violence in ways that previously would have been outside of the realm of civil discourse.”

Thomas Zeitzoff, an associate professor in the School of Public Affairs at American University, says the Republican Party has embraced—and is now largely controlled by—extreme figures who would have been sidelined in the past.

“The people who used to gatekeep and keep out people like Pat Buchanan or kick out the John Birchers are not running the party,” Zeitzoff says. “I’m a big believer that parties have to be strong gatekeepers. You have to push people like Marjorie Taylor Greene and Lauren Boebert out. They have no business being in a mainstream party.”

Bringing the US back to a more stable place and countering extremism isn’t an easy thing to do when extremism has become this rampant, but there may be some solutions. Kruglanski says those who oppose this extremism need to find positive ways to offer people significance, dignity, and a sense of certainty. Berger proposed a similar remedy.

“If there is a solution, I think it’s to pursue policies that give people some sense of security and understanding of where they are and how they’re supposed to interact with the world,” Berger says.

There will always be conspiracy theorists. Social media isn’t going anywhere. And political leaders will forever use fear and lies to influence people. But America will have to deal with these conditions that are making extremism more likely if it’s going to continue to function politically. A house built on dynamite is a dangerous place to live.

Source

Wired