Millions of people are accessing harmful AI “nudify” websites. New analysis says the sites are making millions and rely on tech from US companies.

For years, so-called “nudify” apps and websites have mushroomed online, allowing people to create nonconsensual and abusive images of women and girls, including child sexual abuse material. Despite some lawmakers and tech companies taking steps to limit the harmful services, every month, millions of people are still accessing the websites, and the sites’ creators may be making millions of dollars each year, new research suggests.

An analysis of 85 nudify and “undress” websites—which allow people to upload photos and use AI to generate “nude” pictures of the subjects with just a few clicks—has found that most of the sites rely on tech services from Google, Amazon, and Cloudflare to operate and stay online. The findings, revealed by Indicator, a publication investigating digital deception, say that the websites had a combined average of 18.5 million visitors for each of the past six months and collectively may be making up to $36 million per year.

Alexios Mantzarlis, a cofounder of Indicator and an online safety researcher, says the murky nudifier ecosystem has become a “lucrative business” that “Silicon Valley’s laissez-faire approach to generative AI” has allowed to persist. “They should have ceased providing any and all services to AI nudifiers when it was clear that their only use case was sexual harassment,” Mantzarlis says of tech companies. It is increasingly becoming illegal to create or share explicit deepfakes.

According to the research, Amazon and Cloudflare provide hosting or content delivery services for 62 of the 85 websites, while Google’s sign-on system has been used on 54 of the websites. The nudify websites also use a host of other services, such as payment systems, provided by mainstream companies.

Amazon Web Services spokesperson Ryan Walsh says AWS has clear terms of service that require customers to follow “applicable” laws. “When we receive reports of potential violations of our terms, we act quickly to review and take steps to disable prohibited content,” Walsh says, adding that people can report issues to its safety teams.

“Some of these sites violate our terms, and our teams are taking action to address these violations, as well as working on longer-term solutions,” Google spokesperson Karl Ryan says, pointing out that Google’s sign-in system requires developers to agree to its policies that prohibit illegal content and content that harasses others.

Cloudflare had not responded to WIRED’s request for comment at the time of writing. WIRED is not naming the nudifier websites in this story, as not to provide them with further exposure.

Nudify and undress websites and bots have flourished since 2019, after originally spawning from the tools and processes used to create the first explicit “deepfakes.” Networks of interconnected companies, as Bellingcat has reported, have appeared online offering the technology and making money from the systems.

Broadly, the services use AI to transform photos into nonconsensual explicit imagery; they often make money by selling “credits” or subscriptions that can be used to generate photos. They have been supercharged by the wave of generative AI image generators that have appeared in the past few years. Their output is hugely damaging. Social media photos have been stolen and used to create abusive images; meanwhile, in a new form of cyberbullying and abuse, teenage boys around the world have created images of their classmates. Such intimate image abuse is harrowing for victims, and images can be difficult to scrub from the web.

Using various open source tools and data, including website analysis tool Built With, Indicator staff and investigative researcher Santiago Lakatos looked into the infrastructure and systems powering 85 nudifier websites. Content delivery networks, hosting services, domain name companies, and webmaster services are all provided by a mixture of some of the biggest tech companies, plus some smaller businesses.

Based on calculations combining subscription costs, estimated customer conversion rates, and web traffic the sites sent to payment providers, the researchers estimate that 18 of the websites made between $2.6 million and $18.4 million in the past six months, which could equate to around $36 million a year. (They note this is likely a conservative estimate, as it doesn’t incorporate all the websites and transactions that take place away from the websites, such as those on Telegram.) Recently, whistleblower and leaked data reported on by German media outlet Der Spiegel indicated one prominent website may have a multimillion-dollar budget. Another website has claimed to have made millions.

Of the 10 most-visited sites, the research says, the most visitors came from the United States—India, Brazil, Mexico, and Germany make up the rest of the top five countries where people accessed the sites. While search engines direct people to nudify websites, the sites have increasingly received visitors from other online sources. Nudifiers have become so popular that Russian hackers have created fake malware-laced versions. Over the past year, 404 Media has reported one site making sponsored videos with adult entertainers, and the websites have also increasingly used paid affiliate and referral programs.

“Our analysis of the nudifiers’ behavior strongly indicates their desire to build and entrench themselves in a niche of the adult industry,” Lakatos says. “They will likely continue to try to intermingle their operations into the adult content space, a trend that needs to be countered by mainstream tech companies and the adult industry as well.”

Many of the problems of tech companies allowing nudify platforms to use their systems are well-known. For years, tech journalists have reported on how the deepfake economy has used mainstream payment services, social media advertisements, search engine exposure, and technology from big companies to operate. Yet little comprehensive action has been taken.

“Since 2019, nudification apps have moved from a handful of low-quality side projects to a cottage industry of professionalized illicit businesses with millions of users,” says Henry Ajder, an expert on AI and deepfakes who first uncovered growth in the nudification ecosystem in 2020. “Only when businesses like these who facilitate nudification apps’ ‘perverse customer journey' take targeted action will we start to see meaningful progress in making these apps harder to access and profit from.”

There are signs the nudify websites are updating their tactics and approaches to try to avoid any potential crackdowns or evade bans. Last year, WIRED reported on how nudify websites used single sign-on systems from Google, Apple, and Discord to allow people to quickly create accounts. Many of the developer accounts were disabled following the reporting. The Indicator says that on 54 of the 85 websites, however, Google’s simple sign-in system is being used, and the website creators have taken steps to evade detection by Google. They would, the report says, use an “intermediary site” to “pose as a different URL for the registration.”

While tech companies and regulators have taken a glacial approach to tackling abusive deepfakes since they first emerged more than a decade ago, there has been some recent movement. San Francisco’s city attorney has sued 16 nonconsensual-image-generation services, Microsoft has identified developers behind celebrity deepfakes, and Meta has filed a lawsuit against a company allegedly behind a nudify app that, Meta says, repeatedly posted ads on its platform. Meanwhile, the controversial Take It Down Act, which US president Donald Trump signed into law in May, has put requirements on tech companies to remove nonconsensual image abuse quickly, and the UK government is making it illegal to create explicit deepfakes.

The moves may chip away at some nudifier and undress services, but more comprehensive crackdowns are needed to slow the burgeoning harmful industry. Mantzarlis says that if tech companies are more proactive and stricter in enforcing their policies, nudifiers’ ability to flourish will diminish. “Yes, this stuff will migrate to less regulated corners of the internet—but let it,” Mantzarlis says. “If websites are harder to discover, access, and use, their audience and revenue will shrink. Unfortunately, this toxic gift of the generative AI era cannot be returned. But it can certainly be drastically reduced in scope.”

AI 'Nudify' Websites Are Raking in Millions of Dollars

Cybersecurity researchers have discovered new artifacts associated with an Apple macOS malware called ZuRu, which is known to propagate via trojanized versions of legitimate software.
SentinelOne, in a new report shared with The Hacker News, said the malware has been observed masquerading as the cross‑platform SSH client and server‑management tool Termius in late May 2025.
"ZuRu malware

New ZuRu Malware Variant Targeting Developers via Trojanized Termius macOS App

Dr.Web reports Android malware surge in Q2 with adware, banking trojans and crypto theft hidden in fake apps, firmware and spyware targeting users.

A series of malicious apps and stealthy spyware is targeting Android users worldwide, with new data showing how cybercriminals keep finding ways to slip threats onto devices and even official app stores.

According to new findings from Dr.Web Security Space, adware is still the most common threat on mobile devices, but what is noticeable this time is how attackers keep finding new tricks to spread it.

****Adware Still Tops the Charts****

Adware Trojans continued to dominate, led by the Android.HiddenAds family. Although detections dropped by just over 80%, HiddenAds variants are still the most active group, often masquerading as harmless apps and vanishing from home screens once installed. Android.MobiDash adware trojans saw a jump of over 11%, proving that intrusive ads are still a reliable money maker for threat actors, revealed Dr.Web’s **report**.

****Fake Apps Fraud****

Android.FakeApp malware ranked third on the threat list, with activity dropping by a quarter. These malicious apps frequently pose as **finance tools, games or utilities** but instead, redirect users to gambling or phishing sites. Fake finance apps tricked Turkish and French-speaking users, promising easy income control or investment advice while silently pushing them to fraudulent sites.

****Banking Trojans Make a Comeback****

While some banking trojans like Android.BankBot and Android.SpyMax declined, Android.Banker surged by over 70% compared to the previous quarter. This spike highlights how cybercriminals keep targeting financial data with new variants, despite global awareness campaigns urging users to stick to official app stores.

****Crypto Theft Hidden in Firmware****

One of the most alarming revelations is a large-scale crypto theft campaign discovered in April. Attackers slipped a trojan named Android.Clipper.31 into a modified version of WhatsApp and even embedded it in the firmware of low-cost Android phones.

This trojan secretly **swaps legitimate crypto wallet addresses** for the attackers’ own and sends user images to a remote server, hunting for wallet seed phrases hidden in screenshots or photos.

****Spyware Targets Military Personnel****

Another concerning discovery made by Dr.Web and **reported by Hackread.com** in April 2025, was spyware hidden inside a fake version of Alpine Quest, a mapping app. Distributed through a bogus Telegram channel and a local app catalogue, Android.Spy.1292.origin was designed to gather sensitive data from Russian military personnel, including location files, messages and phone book contacts.

****Threats Found on Google Play****

Despite tighter controls, Dr.Web’s researchers continue to find dozens of **malicious or unwanted apps on Google Play** (Apple App Store is **not** a secure place either). Recent finds include adware modules disguised in cryptocurrency news apps and finance-themed fake apps that redirect users to shady sites instead of offering any real service.

This new wave of cybersecurity threats simply goes on to show that Android’s open nature still makes it a favourite target for criminals pushing ads, spyware and banking malware. Even official app stores are not completely safe, therefore, users must keep their devices protected with up-to-date security software and stay cautious with any new app, no matter how harmless it appears.

Malware Surge Hits Android: Adware, Trojans and Crypto Theft Lead Q2 Threats

The platform, which allows users to anonymously share the locations of ICE agents, is currently the third-most-downloaded iPhone app.

As the popularity of ICEBlock, an app where people can share sightings of immigration enforcement officials, has soared in recent days, Trump administration officials have threatened to prosecute its developer and CNN for reporting on the platform. But legal experts tell WIRED that there is nothing illegal about the app and prosecuting its creator would be unconstitutional.

The app, which launched in April, allows users to anonymously share the locations of ICE agents within a 5-mile radius. Joshua Aaron, the app’s developer, says ICEBlock is quickly growing, with more than 241,000 users. As of this writing, it’s the third-most-downloaded free iPhone app in the United States, after the Love Island app and ChatGPT.

US attorney general Pam Bondi was on Fox News Monday talking about ICEBlock, when she spoke directly about Aaron, the app’s sole developer. “We are looking at him,” she said. “And he better watch out.” Speaking alongside President Donald Trump outside a migrant detention center known as “Alligator Alcatraz” in Florida on Tuesday, Homeland Security secretary Kristi Noem said the government was looking into prosecuting CNN.

“What they’re doing is actively encouraging people to avoid law enforcement activities and operations and we’re going to actually go after them and prosecute them,” she said. “What they’re doing, we believe, is illegal.”

ICEBlock allows users to alert each other when ICE agents are nearby.

Photograph Courtesy of ICEBlock

But legal experts tell WIRED that ICEBlock falls under protected speech. “That is as basic and uncontroversial a First Amendment principle as they come,” says Alex Abdo, the litigation director at the Knight First Amendment Institute at Columbia University. “So, it's pretty shocking to see federal law enforcement officials suggesting that there's anything here to investigate.”

Scott Hechinger, a civil rights attorney, says prosecuting the app’s creator would be illegal.

“Threatening people, in this case companies and projects, with arrest and retaliation for exercising their First Amendment rights is profoundly illegal and unconstitutional,” he says. He points to past media appearances from border czar Tom Homan, where Homan condemned congresswoman Alexandria Ocasio-Cortez for sharing information about the immigrants’ legal rights, as emblematic of the administration’s lack of respect for constitutionality.

A spokesperson using ICE's general press email referred WIRED to a statement issued by acting director Todd M. Lyons on June 30, but did not provide further comment. The White House did not immediately respond to WIRED’s request for comment.

In the statement, Lyons called CNN’s coverage of the app “reckless and irresponsible.” When reached for comment, Emily Kuhn, senior vice president of communications at CNN, pointed WIRED to a statement from the network saying that reporting on the existence of an app is neither illegal nor an endorsement.

The Trump administration’s rebukes of the app have also focused on the idea that it’s placing ICE agents in danger. Responding to a question about a CNN report on ICEBlock Monday, White House press secretary Karoline Leavitt said, “Surely, it sounds like this would be an incitement of further violence against our ICE officers.” She went on to say, “there’s been a 500 percent increase in violence against ICE agents, law enforcement officers across the country who are just simply trying to do their jobs and remove public safety threats from our communities.”

On June 20, the Department of Homeland Security put out a press release citing the purported 500 percent increase, however its link for the statistic directs users to a Breitbart article that just quotes the DHS without providing in-depth details to support the number.

“ICE and the Trump administration are under the misimpression that law enforcement in the United States is entitled to operate in secret,” says Seth Stern, director of advocacy at Freedom of the Press Foundation. Stern points to ICE agents wearing masks while operating in public and accusations by the administration targeted at journalists who report on ICE as examples of this “misimpression.”

Aaron tells WIRED the app is about “informing, not obstructing.” He describes a potential user interaction as someone walking around their neighborhood, then getting an alert on their phone saying that ICE has been spotted a few blocks away—with directions for safely getting home. By tapping the plus button in the ICEBlock app, anyone can report a new sighting.

“We're pushing back against authoritarianism. We're pushing back against fascism,” he says. “They're gonna fire off hate rhetoric at you. They're gonna demonize everything you're doing. They're gonna threaten you.”

The app is part of a larger trend of people using social media and apps to resist the Trump administration’s ramping up of immigration arrests. In early June, as protests began to swell in Los Angeles, multiple grassroots groups shared emergency alerts to local residents as ICE raids were happening across the city.

According to the Apple listing for ICEBlock, the app does not store any data on its users. Since it does not collect user data, Aaron doesn’t know how many people have used the app in Los Angeles, for example, or even where past sightings have been posted. Individual users can only see what’s been reported within a 5-mile radius and the sightings auto-delete after four hours.

The app is currently only available on iPhones. Based on his past interactions with Apple during ICEBlock’s approval process, Aaron feels confident that it will remain available in the app store. “They've already reviewed it,” he says. “That's why they approved it.” Apple did not respond to requests for comment.

Aaron says ICEBlock will never have ads or a button asking for donations. For him, the simplicity of the app’s interface is an intentional choice. “This is literally an early-warning system,” he says. “So, how much do you want going on in that early-warning system? Except to say, ‘Hey, something's coming up within your 5-mile radius. Get the fuck out.’”

Trump Officials Want to Prosecute Over the ICEBlock App. Lawyers Say That’s Unconstitutional

This Fourth of July, Bruce, the 25-foot mechanical shark from Jaws, shares how his saltwater struggles mirror the need for real-world cybersecurity stress testing.

Thursday, July 3, 2025 14:00

Welcome to this week’s edition of the Threat Source newsletter. 

Hi, I’m Bruce, the 25-foot mechanical star of “Jaws.”  

This summer marks 50 years since my 4 minutes of screentime kept people out of the water for decades. Maybe this Fourth of July weekend you’re planning to sea-shanty your way to a special screening? If you do, here’s a little behind-the-scenes story on how my endless malfunctions almost made Spielberg hang up his director hat before you could say “phone home.” 

I was built for a studio tank — a predictable and safe environment. But Spielberg, in pursuit of realism, had other plans. He threw me into the Atlantic, where the salt water, rolling waves and unruly weather conditions caused more chaos than anybody had bargained for. 

Each day, my hydraulics jammed, my pneumatics corroded and my paint peeled like a sunburned tourist on Amity Beach.

There were days when the crew could only capture one or two shots before either I broke, the weather broke, or one of the actors’ egos broke. Every night they’d patch me up and whisper an assortment of four-letter words into my rusty gills.

My saving grace became Verna Fields, aka “Mother Cutter.” Spielberg’s editor was the one to suggest they only use fleeting moments of footage starring yours truly. While I bobbed around like a skydancer on a windless day, Verna worked her magic: stitching reactions, cutting away at just the right moment and building tension with empty water. She turned me from a potential failure to a legend. 

And thus, I became a lesson in what happens when you build for a predictable environment but deploy in the wild. Sound familiar? 

I’ve been told that readers of Talos’ Threat Source Newsletter are security folks, and I’ve been asked to write something just for you. Here it goes… 

*   _“You’re gonna need a bigger boat.”_ Overprepare. Expect things to go wrong.  
*   _“It’s only an island if you look at it from the water.”_ Perspective matters. Make sure your alerts are honed to spot the things that really matter. 
*   _“Smile, you son of a…”_ Sometimes, your last line of defense is your defining moment. Should everything else fail, make sure you have something left in the tank. 

In cybersecurity, your green ticked audit checklists mean nothing if you haven’t pressure-tested your environment against real red teamers. Incident response plans need ocean trials, not just bullet points. 

If I have a legacy beyond people sticking their noggin in my teeth for “the gram,” it’s this: Build your defenses for salt water, not studio tanks. And remember, the mayor always wants to keep the network open... 

_Editor’s note: I’d like to thank Bruce for his time and perspective, and I hope he found our studio a relaxing place to write. I’m also sorry that I only had two barrels and not the requested three for him to play with._ 

_Bruce’s story is why_ _Cisco Talos Incident Response_ _exists: to help you prepare for the effects of salt water before they wreak havoc on your system. With Talos IR, you can stress test your defenses using real world scenarios and incident responders who’ve experienced just about everything there is to see._ 

_Enjoy the Fourth of July weekend, and remember to listen out for the_ duh dun.

**The one big thing **

Cisco Talos has enhanced its email threat detection engine to address brand impersonation tactics using PDF payloads in phishing attacks. These attacks often exploit popular brands to steal sensitive information, employing methods like QR code phishing and telephone-oriented attack delivery (TOAD), where victims are tricked into calling adversary-controlled phone numbers. Adobe’s e-signature service and PDF annotations have also been abused to bypass detection systems. 

**Why do I care? **

Phishing attacks are getting sneakier, using PDFs and trusted brands to trick people into giving up personal info or downloading malicious software. If you're not careful, you could fall for one of these scams, especially since attackers are using clever tactics like fake phone numbers or QR codes to seem legitimate. 

**So now what? **

Be extra cautious with emails containing PDFs, even if they look legit. Avoid scanning QR codes or calling phone numbers from unsolicited emails. Cisco’s detection tools are updated often, but staying vigilant and double-checking anything suspicious is your best defense.

**Top security headlines of the week **

**Europol Dismantles $540 Million Cryptocurrency Fraud Network, Arrests Five Suspects**   
The international effort, codenamed Operation Borrelli was carried out by the Spanish Guardia Civil, along with support from law enforcement authorities from Estonia, France, and the United States. (The Hacker News) 

**International Criminal Court hit by new 'sophisticated' cyberattack**   
In a statement yesterday, the ICC revealed that it had contained a "sophisticated and targeted" cybersecurity incident, which was discovered by systems in place to detect cyberattacks targeting its systems. (Bleeping Computer) 

**Windows’ Infamous ‘Blue Screen of Death’ Will Soon Turn Black**   
After more than 40 years of being set against a very recognizable blue, the updated error message will soon be displayed across a black background. (SecurityWeek) 

**Ahold Delhaize Data Breach Impacts 2.2 Million People**   
The incident impacted Giant Food pharmacies, Food Lion and Stop & Shop, among others. Stolen information may include names, contact info, date of birth, SSN, passport number, financial account information and more. (SecurityWeek) 

**Germany asks Google, Apple remove DeepSeek AI from app stores**   
The Berlin Commissioner for Data Protection has formally requested Google and Apple to remove the DeepSeek AI application from the application stores due to GDPR violations. (Bleeping Computer)

**Can’t get enough Talos? **

**Decrement by one to rule them all: AsIO3.sys driver exploitation**   
Learn how our researcher, Marcin Noga, found two critical vulnerabilities in ASUS’ Armory Crate and AI Suite drivers.

**Talos Takes: Teaching LLMs to spot malicious PowerShell scripts**   
Hazel chats with Ryan Fetterman from the SURGe team to explore his new research on how LLMs can assist security operations centers in identifying malicious PowerShell scripts.

**Beers with Talos: Terms and conceptions may apply**  
In this episode, the crew reassembles after a totally intentional and not-at-all accidental hiatus. They cover AI-assisted IVF, a possible underground war against dairy, and the real heroes: conference dogs.

**Upcoming events where you can find Talos **

*   NIRMA (July 28 – 30) St. Augustine, FL 
*   Black Hat USA (Aug. 2 – 7) Las Vegas, NV 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**   
MD5: 2915b3f8b703eb744fc54c81f4a9c67f   
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507   
Typical Filename: VID001.exe   
Claimed Product: N/A   
Detection Name: Win.Worm.Coinminer::1201 

**SHA 256: cd697cc93851d0b1939a7557b9ee9b3c0f56aab4336dd00ff6531f94f7e0e836**   
MD5: c94c094513f02d63be5ae3415bba8031   
VirusTotal: https://www.virustotal.com/gui/file/cd697cc93851d0b1939a7557b9ee9b3c0f56aab4336dd00ff6531f94f7e0e836/details  
Typical Filename: setup   
Claimed Product: N/A   
Detection Name: W32.Variant:Gen.28iv.1201 

**SHA 256: 57a6d1bdbdac7614f588ec9c7e4e99c4544df8638af77781147a3d6daa5af536**   
MD5: 79b075dc4fce7321f3be049719f3ce27   
VirusTotal: https://www.virustotal.com/gui/file/57a6d1bdbdac7614f588ec9c7e4e99c4544df8638af77781147a3d6daa5af536/details   
Typical Filename: RemCom.exe   
Claimed Product: N/A   
Detection Name: W32.57A6D1BDBD-100.SBX.VIOC 

**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**     
MD5: 7bdbd180c081fa63ca94f9c22c457376     
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details  
Typical Filename: IMG001.exe    
Claimed Product: N/A   
Detection Name: Simple\_Custom\_Detection   

**SHA 256: 061e13a4fc9f1d4da0671082d5e4666f316bb251f13eded93f9cdb4a584d0bc0**   
MD5: 8d74e04c022cadad5b05888d1cafedd0  
VirusTotal: https://www.virustotal.com/gui/file/061e13a4fc9f1d4da0671082d5e4666f316bb251f13eded93f9cdb4a584d0bc0/details  
Typical Filename: smhost.exe   
Claimed Product: N/A   
Detection Name: Artemis:Lazy.27fx.in14.Talos

**SHA 256: 2eb95ef4c4c24f1e38a5c8b556d78b71c8a8fb2589ed8c5b95e9d18659bde293**  
MD5: N/A  
VirusTotal: N/A, use https://talosintelligence.com/sha\_searches  
Typical Filename: N/A  
Claimed Product: N/A  
Detection Name: W32.2EB95EF4C4-100.SBX.TG

A message from Bruce the mechanical shark

Silent Push exposes thousands of fake e-commerce websites spoofing major brands like Apple and Michael Kors. Learn how this Chinese phishing scam targets shoppers and steals financial data, impacting global consumers.

Cybersecurity firm Silent Push has exposed a massive phishing scam originating from China, which has created thousands of fake e-commerce websites designed to trick online shoppers. These fraudulent sites mimic well-known brands and aim to steal sensitive financial information, impacting both English and Spanish-speaking consumers worldwide.

According to Silent Push’s research, shared with Hackread.com ahead of its publishing on July 2nd, 2025, the investigation began after a crucial tip from Mexican journalist Ignacio Gómez Villaseñor.

Villaseñor’s May 26, 2025, X/Twitter post highlighted a threat actor specifically targeting Hot Sale 2025, a major annual sales event in Mexico, similar to Black Friday in the United States. It ran from May 26 to June 3, 2025, and is sponsored by the Asociación Mexicana de Ventas Online (AMVO).

****How the Scam Works****

The scammers create convincing fake versions of popular retail websites, including those of Apple, Harbor Freight Tools, Michael Kors, REI, Wayfair, and Wrangler Jeans. While these sites appear to offer products, they do not process actual purchases. Instead, they are designed to capture credit card details entered by unsuspecting users.

The “harborfrieghtshop” fake website (Source: Silent Push)

A key finding from tests carried out by Publimetro México, as reported by Gómez Villaseñor, was that “by entering false bank card data into these portals, the system reacts as if you were actually processing a payment.”

This includes displaying “reserved cart” timers and logos of legitimate payment services like Visa, MasterCard, PayPal, Oxxo, and SPEI. This elaborate simulation is intended to build trust and allow the criminals to steal information without immediate suspicion.

****Credit Card Theft and More****

Silent Push also found that some of these fake websites, such as rizzingupcartcom, integrated real Google Pay purchase widgets. While Google Pay typically offers enhanced security by using virtual card numbers, the threat actors still exploit this by simply not delivering the “purchased” goods after payment, researchers noted. This means even payments made through Google Pay are at risk of leading to financial loss, even if the direct credit card details are not compromised.

Silent Push has high confidence in the Chinese origin of this network, based on a private technical fingerprint found within the scam’s infrastructure, which includes Chinese words and characters. The sheer scale of the operation is significant, with thousands of fraudulent domains identified.

Many of these sites show sloppy errors, like harborfrieghtshop (a misspelling of Harbor Freight) which strangely displayed a cloned version of the Wrangler Jeans site. Other examples include guitarcentersalecom, which offered children’s accessories instead of musical instruments, and nordstromltemscom (note the “l” instead of an “i” in “items”) which was a direct copy of the fake Guitar Center site.

Despite some of these sites being taken down, thousands were still active as of June 2025, highlighting the persistent nature of this threat. Silent Push continues to track this widespread phishing campaign and urges consumers to be cautious when shopping online.

New Fake Marketplace From China Mimics Top Retail Brands for Fraud

SentinelLabs uncovers NimDoor, new North Korea-aligned macOS malware targeting Web3 and crypto firms. Exploits Nim, AppleScript, and steals Keychain, browser, shell, and Telegram data.

A new report from SentinelLabs, released on July 2, 2025, reveals a sophisticated cyberattack campaign targeting Web3 and cryptocurrency companies. Threat actors aligned with North Korea are aggressively exploiting macOS systems with a newly discovered malware called NimDoor, utilizing complex, multi-stage attacks and encrypted communications to remain undetected.

The research, authored by Phil Stokes and Raffaele Sabato and shared with Hackread.com, highlights the attackers’ shift towards less common, cross-platform programming languages like Nim. This change complicates efforts to detect and analyse their malicious activities.

The group also uses AppleScript in clever ways, not just for the initial breach but also as simple, hard-to-spot backdoors. Their methods show a clear improvement in staying hidden and persistent, including using encrypted WebSocket (wss) communication and unusual ways to maintain access even after malware is supposedly shut down.

****How the Attacks Works****

The attacks begin with a familiar social engineering trick: hackers pretend to be trusted contacts on platforms like Telegram, inviting targets to fake Zoom meetings. They send emails with a malicious Zoom SDK update script designed to look legitimate but is actually heavily disguised with thousands of lines of hidden code. This script then downloads more harmful programs from attacker-controlled websites, which often use names similar to real Zoom domains to fool users.

The fake Zoom update notification (Credit: SentinelLabs)

Once inside, the infection process becomes multi-layered. The hackers deploy several tools, including a C++ program that injects malicious code into legitimate processes, a rare technique for macOS malware. This allows them to steal sensitive data like browser information, Keychain passwords, shell history, and Telegram chat histories.

According to SentinelLabs’ blog post, they also install the Nim-compiled ‘NimDoor’ malware, which sets up long-term access. This includes a component named “GoogIe LLC” (note the deceptive capital ‘i’ instead of a lowercase ‘L’), which helps the malware blend in. Interestingly, the malware includes a unique feature that triggers its main components and ensures continued access if a user tries to close it or the system reboots.

****Another Day, Another North Korean Campaign****

SentinelLabs’ analysis shows that these North Korean-aligned actors are constantly developing new ways to bypass security. Their use of Nim, a language that allows them to embed complex behaviours within compiled programs, makes it harder for security experts to understand how the malware works. Additionally, using AppleScript for simple tasks like regularly checking in with their servers helps them avoid using more traditional, easily detectable hacking tools.

The report goes on to show how important it is for companies to strengthen their defences as these threats keep changing. As hackers try out new programming languages and more advanced tactics, cybersecurity researchers need to update how they detect and stop these attacks. SentinelLabs sums it up by calling them “inevitable attacks” that everyone should be ready for.

N Korean Hackers Drop NimDoor macOS Malware Via Fake Zoom Updates

Facebook's pursuit of your personal data continues, and now it has a new target: photos on your phone that you haven't shared with it yet.

Facebook’s pursuit of your personal data continues apace, and now it has a new target: photos on your phone that you haven’t shared with it yet.

Techcrunch reports that the social media giant is now asking its users to peek at the photos on their phones’ camera rolls. In return it will give them new ideas to view their photos.

In a pop-up message seen by some of the site’s users, Facebook asks users to “allow cloud processing” of the photos in their camera roll. “To create ideas for you, we’ll select media from your camera roll and upload it to our cloud on an ongoing basis, based on info like time, location or theme,” the message says.

Image courtesy of Techcrunch

The site will then offer things like collages, recaps, AI restyling or themes like birthdays or graduations, it continues, adding that Facebook won’t use the photos to target you for ads.

But what else might Meta do with those photos? Its AI terms of service allow it to analyze the images you load using AI, “including facial features”.

Incidentally, you can’t share any images with Meta that contain images of people in Illinois or Texas unless you’re legally authorized to consent on their behalf, it warns. That’s likely because both those states have strict laws around the use of biometric data, including facial recognition, in photos. We’re not sure how that works, then, if you grant the company unfettered access to your camera roll which includes photos of your trip to Chicago or Austin to visit friends and family.

Another question is over whether the company will scan children’s images. If you have an aversion to sharing your kids’ photos on Facebook, this could be a real issue.

We can extend this into even more worrying areas. What if you have photos of your kids in the bath that you don’t want an AI to train on? Or if you have intimate photos of yourself or a partner on your phone?

Facebook reserves the right to subject any content to “automated or manual (i.e. human) review and through third-party vendors in some instances”. There’s nothing in Meta’s messaging that seems to stop it from subjecting your camera roll photos to this.

Facebook has made camera roll cloud processing an opt-in service, meaning that you must deliberately select it for the app to start scanning your camera roll. However, this wasn’t enough for at least one Reddit commenter, who warned that you can’t control your photos once you share them with others.

“So although I always uninstall Facebook and Instagram, if I share a photo of me with my family, Meta will still get to analyze it, because at least one of them will still have those apps installed,” they said. In general, reactions to the story seem negative.

Facebook isn’t the only company that allows you to automatically upload your photos to the cloud. Apple offers this as part of its tightly integrated photos service, and has been producing montages and other assets from its users’ photos for a long time.

Apple says that it only uses AI to analyze your photos on your local device, and while it stores them in the cloud it doesn’t access them there. However it also says that it has “a worldwide, royalty-free, perpetual, nonexclusive license to use the materials you submit within the Services and related marketing as well as to use the materials you submit for Apple internal purposes.” Those services include iCloud+. iCloud is the cloud service that stores your photos.

Google, which also allows you to automatically upload photos to its service, says that you own your photos but retains the right to modify and create derivative works on your content, and to share it with contractors.

Google’s past relationship with photo users has been problematic. It once deleted a dad’s account after he took an image of his son’s groin to send to a doctor and it was automatically uploaded to the cloud, where Google identified it as child sexual abuse material. Law enforcement considered him innocent. Google refused to reinstate his services.

Our advice? If you’re going to allow a service to automatically analyze the photos you take, be sure that you completely trust that service. Check to see if it has been accused of mishandling users’ data in the past, such as Meta was here, here, and of course here.

That’s not enough, though. Be careful who else you share your photos with, and under what circumstances. If you do share them, do so only with those you trust. Include a caveat to ensure that they know how you’re comfortable with them using those photos, and what you’re not OK with them doing.

**We don’t just report on threats – we help protect your social media**

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Malwarebytes Identity Theft Protection.

 Facebook wants to look at your entire camera roll for &#8220;AI restyling&#8221; suggestions, and more 

Agents with the Federal Bureau of Investigation (FBI) briefed Capitol Hill staff recently on hardening the security of their mobile devices, after a contacts list stolen from the personal phone of the White House Chief of Staff Susie Wiles was reportedly used to fuel a series of text messages and phone calls impersonating her to U.S. lawmakers. But in a letter this week to the FBI, one of the Senate's most tech-savvy lawmakers says the feds aren't doing enough to recommend more appropriate security protections that are already built into most consumer mobile devices.

Agents with the **Federal Bureau of Investigation** (FBI) briefed Capitol Hill staff recently on hardening the security of their mobile devices, after a contacts list stolen from the personal phone of the White House Chief of Staff **Susie Wiles** was reportedly used to fuel a series of text messages and phone calls impersonating her to U.S. lawmakers. But in a letter this week to the FBI, one of the Senate’s most tech-savvy lawmakers says the feds aren’t doing enough to recommend more appropriate security protections that are already built into most consumer mobile devices.

A screenshot of the first page from Sen. Wyden’s letter to FBI Director Kash Patel.

On May 29, **The Wall Street Journal** reported that federal authorities were investigating a clandestine effort to impersonate Ms. Wiles via text messages and in phone calls that may have used AI to spoof her voice. According to The Journal, Wiles told associates her cellphone contacts were hacked, giving the impersonator access to the private phone numbers of some of the country’s most influential people.

The execution of this phishing and impersonation campaign — whatever its goals may have been — suggested the attackers were financially motivated, and not particularly sophisticated.

“It became clear to some of the lawmakers that the requests were suspicious when the impersonator began asking questions about Trump that Wiles should have known the answers to—and in one case, when the impersonator asked for a cash transfer, some of the people said,” the Journal wrote. “In many cases, the impersonator’s grammar was broken and the messages were more formal than the way Wiles typically communicates, people who have received the messages said. The calls and text messages also didn’t come from Wiles’s phone number.”

Sophisticated or not, the impersonation campaign was soon punctuated by the murder of Minnesota House of Representatives Speaker **Emerita Melissa Hortman** and her husband, and the shooting of Minnesota State Senator **John Hoffman** and his wife. So when FBI agents offered in mid-June to brief U.S. Senate staff on mobile threats, more than 140 staffers took them up on that invitation (a remarkably high number considering that no food was offered at the event).

But according to **Sen. Ron Wyden** (D-Ore.), the advice the FBI provided to Senate staffers was largely limited to remedial tips, such as not clicking on suspicious links or attachments, not using public wifi networks, turning off bluetooth, keeping phone software up to date, and rebooting regularly.

“This is insufficient to protect Senate employees and other high-value targets against foreign spies using advanced cyber tools,” Wyden wrote in a letter sent today to **FBI Director Kash Patel**. “Well-funded foreign intelligence agencies do not have to rely on phishing messages and malicious attachments to infect unsuspecting victims with spyware. Cyber mercenary companies sell their government customers advanced ‘zero-click’ capabilities to deliver spyware that do not require any action by the victim.”

Wyden stressed that to help counter sophisticated attacks, the FBI should be encouraging lawmakers and their staff to enable anti-spyware defenses that are built into Apple’s iOS and Google’s Android phone software.

These include Apple’s Lockdown Mode, which is designed for users who are worried they may be subject to targeted attacks. Lockdown Mode restricts non-essential iOS features to reduce the device’s overall attack surface. Google Android devices carry a similar feature called Advanced Protection Mode.

Wyden also urged the FBI to update its training to recommend a number of other steps that people can take to make their mobile devices less trackable, including the use of ad blockers to guard against malicious advertisements, disabling ad tracking IDs in mobile devices, and opting out of commercial data brokers (the suspect charged in the Minnesota shootings reportedly used multiple people-search services to find the home addresses of his targets).

The senator’s letter notes that while the FBI has recommended all of the above precautions in various advisories issued over the years, the advice the agency is giving now to the nation’s leaders needs to be more comprehensive, actionable and urgent.

“In spite of the seriousness of the threat, the FBI has yet to provide effective defensive guidance,” Wyden said.

**Nicholas Weaver** is a researcher with the **International Computer Science Institute**, a nonprofit in Berkeley, Calif. Weaver said Lockdown Mode or Advanced Protection will mitigate many vulnerabilities, and should be the default setting for all members of Congress and their staff.

“Lawmakers are at exceptional risk and need to be exceptionally protected,” Weaver said. “Their computers should be locked down and well administered, etc. And the same applies to staffers.”

Weaver noted that Apple’s Lockdown Mode has a track record of blocking zero-day attacks on iOS applications; in September 2023, **Citizen Lab** documented how Lockdown Mode foiled a zero-click flaw capable of installing spyware on iOS devices without any interaction from the victim.

Earlier this month, Citizen Lab researchers documented a zero-click attack used to infect the iOS devices of two journalists with Paragon’s Graphite spyware. The vulnerability could be exploited merely by sending the target a booby-trapped media file delivered via iMessage. Apple also recently updated its advisory for the zero-click flaw (CVE-2025-43200), noting that it was mitigated as of iOS 18.3.1, which was released in February 2025.

Apple has not commented on whether CVE-2025-43200 could be exploited on devices with Lockdown Mode turned on. But HelpNetSecurity observed that at the same time Apple addressed CVE-2025-43200 back in February, the company fixed another vulnerability flagged by Citizen Lab researcher **Bill Marczak**: CVE-2025-24200, which Apple said was used in an extremely sophisticated _physical_ attack against specific targeted individuals that allowed attackers to disable USB Restricted Mode on a locked device.

In other words, the flaw could apparently be exploited only if the attacker had physical access to the targeted vulnerable device. And as the old infosec industry adage goes, if an adversary has physical access to your device, it’s most likely not your device anymore.

I can’t speak to Google’s Advanced Protection Mode personally, because I don’t use Google or Android devices. But I have had Apple’s Lockdown Mode enabled on all of my Apple devices since it was first made available in September 2022. I can only think of a single occasion when one of my apps failed to work properly with Lockdown Mode turned on, and in that case I was able to add a temporary exception for that app in Lockdown Mode’s settings.

My main gripe with Lockdown Mode was captured in a March 2025 column by TechCrunch’s **Lorenzo Francheschi-Bicchierai**, who wrote about its penchant for periodically sending mystifying notifications that someone has been blocked from contacting you, even though nothing then prevents you from contacting that person directly. This has happened to me at least twice, and in both cases the person in question was already an approved contact, and said they had not attempted to reach out.

Although it would be nice if Apple’s Lockdown Mode sent fewer, less alarming and more informative alerts, the occasional baffling warning message is hardly enough to make me turn it off.

Senator Chides FBI for Weak Advice on Mobile Security

This week on the Lock and Code podcast, we speak with Becky Holmes about how she tricks, angers, and jabs at romance scammers online.

_This week on the Lock and Code podcast…_

There’s a unique counter response to romance scammers.

Her name is Becky Holmes.

Holmes, an expert and author on romance scams, has spent years responding to nearly every romance scammer who lands a message in her inbox. She told one scammer pretending to be Brad Pitt that she needed immediate help hiding the body of one of her murder victims. She made one romance scammer laugh at her immediate willingness to take an international flight to see him. She has told scammers she lives at addresses with lewd street names, she has sent pictures of apples—the produce—to scammers requesting Apple gift cards, and she’s even tricked a scammer impersonating Mark Wahlberg that she might be experimenting with cannibalism.

Though Holmes routinely gets a laugh online, she’s also coordinated with law enforcement to get several romance scammers shut down. And every effort counts, as romance scams are still a dangerous threat to everyday people.

Rather than tricking a person into donating to a bogus charity, or fooling someone into entering their username and password on a fake website, romance scammers ensnare their targets through prolonged campaigns of affection.

They reach out on social media platforms like Facebook, LinkedIn, X, or Instagram and they bear a simple message: They love you. They know you’re a stranger, but they sense a connection, and after all, they just want to talk.

A romance scammer’s advances can be appealing for two reasons. One, some romance scammers target divorcees and widows, making their romantic gestures welcome and comforting. Two, some romance scammers dress up their messages with the allure of celebrity by impersonating famous actors and musicians like Tom Cruise, Brad Pitt, and Keanu Reeves.

These scams are effective, too, to sometimes devastating consequences. According to recent research from Malwarebytes, 10% of the public have been the victims of romance scams, and a small portion of romance scam victims have lost $10,000 or more.

Today, on the Lock and Code podcast with host David Ruiz, we speak with Holmes about her experiences online with romance scammers, whether AI is changing online fraud, and why the rules for protection and scam identification have changed in an increasingly advanced, technological world.

>  ”I’ve seen videos of scammers actually making these real life video manipulation calls where you’ve got some guy sitting one side of the world pretending to be somewhere else completely, and he’s talking into his phone and it’s coming out on the other person’s phone as a different image with a different voice.”

Tune in today to listen to the full conversation.

**Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.**

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

Tag

#apple