Learn how the North Korean-aligned Famous Chollima is using the a new Python-based RAT, "PylangGhost," to target cryptocurrency and blockchain jobseekers in a campaign affecting users primarily in India.

Wednesday, June 18, 2025 06:00

*   In May 2025, Cisco Talos identified a Python-based remote access trojan (RAT) we call “PylangGhost,” used exclusively by a North Korean-aligned threat actor. PylangGhost is functionally similar to the previously documented GolangGhost RAT, sharing many of the same capabilities. 
*   In recent campaigns, the threat actor Famous Chollima — potentially made up of multiple groups — has been using a Python-based version of their trojan to target Windows systems, while continuing to deploy a Golang-based version for MacOS users. Linux users are not targeted in these latest campaigns. 
*   The attacks are targeting employees with experience in cryptocurrency and blockchain technologies. 
*   Based on open-source intelligence, only a small number of users, predominantly in India, are affected. Cisco product telemetry does not indicate that there are any affected Cisco users. 

Since mid-2024, the threat actor group Famous Chollima (aka Wagemole), a North Korean-aligned threat actor, has been very active through several well-documented campaigns. These campaigns include using variants of Contagious Interview (aka DeceptiveDevelopment) and creating fake job advertisements and skill-testing pages. In the latter, users are instructed to copy and paste (ClickFix) a malicious command line in order to install drivers necessary to conduct the final skill-testing stage.  

Toward the end of the year, researchers documented Famous Chollima’s remote access trojan (RAT) called “GolangGhost” in its source code format, which was frequently used as the final payload in the threat actor’s ClickFix campaigns. 

In May 2025, Cisco Talos discovered threat actors starting to deploy a functionally equivalent Python variant of GolangGhost trojan, which we call “PylangGhost.” 

**Fake job interview sites mislead users to PylangGhost infection **

Famous Chollima seek financial benefit using a two-pronged approach: first, by creating fake employers for the purpose of jobseekers exposing their personal information, and second by deploying fake employees as workers in targeted victim companies.  

This blog focuses on the first method, where real software engineers, marketing employees, designers and other workers are targeted by fake recruiters and instructed to visit skill-testing pages in order to move forward with their application. 

Based on the advertised positions, it is clear that the Famous Chollima is broadly targeting individuals with previous experience in cryptocurrency and blockchain technologies. The skill-testing sites attempt to impersonate real companies such as Coinbase, Archblock, Robinhood, Parallel Studios, Uniswap and others, which helps with the targeting.  

Figure 1. Examples of initial fake job sites.

Each target is sent an invite code to visit a testing website where, depending on the position, they are instructed to enter their details and answer several questions to test their experience and skills. The sites are created using the React framework and have very similar visual designs, no matter the type of position.  

__Figure 2. Example of questions asked for an illegitimate Business Development Manager position at Robinhood.__

Once the user answers all the questions and provides personal details, the site displays an invitation to record a video for the interviewer, recommending that the user request camera access by pressing a button. 

__Figure 3. A camera setup page displayed once questions are answered.__

Finally, when the user requests camera, the site displays the instructions for the user to copy, paste and execute a command to allegedly install the required video drivers, if the OS is supported. When Talos used Windows and MacOS test systems, the instructions were shown as seen in Figure 4 and 5. The Linux test system led to another error message, without any instructions to download and install the payload.  

Figure 4. Windows instructions to copy, paste and execute a malicious command. 

Figure 5. MacOS instructions to copy, paste and execute a malicious command. 

Instructions for downloading the alleged fix are different based on the browser fingerprinting, and also given in appropriate shell language for the OS: PowerShell or Command Shell for Windows, and Bash for MacOS.

__Figure 6. Command Shell, PowerShell or Bash instructions to download a payload.__

**PylangGhost - Python variant of GolangGhost **

As the Golang variant of the RAT is already well-documented, this blog focuses on the Python version and the similarities between the two. The initial stage consists of a command line which the fake webpage tells the unsuspecting user to copy, paste and execute. 

The command line uses either PowerShell Invoke-Webrequest or curl to download a ZIP file containing the PylangGhost modules as well as Visual Basic Script file. This script is responsible for unzipping the Python library stored in the “lib.zip file” and launching the trojan by running a renamed Python interpreter using the file “nvidia.py” as the Python program to run. 

Figure 7. The first stage simply unzips a Python distribution library and launches the RAT. 

 PylangGhost consists of six well-structured Python modules. It is not clear to Talos why the threat actors decided to create two variants using a different programming language, or which was created first. Based on the comments in the code, it is unlikely that the threat actors used a large language model (LLM) to help rewrite the code for Python. One of the strings in the configuration module file (“config.py”) indicates that the Python version is 1.0, while the appropriate configuration variable in the Golang version indicates that the version is 2.0. However, Talos cannot definitively conclude that those two version numbers are comparable. 

 The execution starts with the file “nvidia.py”, which performs several tasks: It creates a registry value to launch the RAT every time user logs onto the system, generates a GUID for the system to be used in communication with command and control (C2) server, connects to the C2 server and enters the command loop for communication with the server.  

__Figure 8. ”nvidia.py” executes the main loop for communication with the C2 server__

 The configuration file “config.py” specifies the commands that can be received from the server, which are identical to the commands previously documented in the Golang version of the RAT. These commands enable remote control the infected system and the theft of cookies and credentials from over 80 browser extensions, including password managers and cryptocurrency wallets, including Metamask, 1Password, NordPass, Phantom, Bitski, Initia, TronLink and MultiverseX. 

The command handling module, “command.py”, defines function handlers and handles the commands received from the C2 server.  

Command 

Functionality 

qwer 

COMMAND\_INFORMATION - collect information about the infected system, username, OS version etc 

asdf 

COMMAND\_FILE\_UPLOAD - file upload 

zxcv 

COMMAND\_FILE\_DOWNLOAD - file download 

vbcx 

COMMAND\_OS\_SHELL - launch an OS shell for remote access and control of the infected system 

ghdj 

COMMAND\_WAIT - sleep for a number of seconds specified by the C2 server 

r4ys 

COMMAND\_AUTO - browser information stealing command 

89io 

AUTO\_CHROME\_GATHER\_COMMAND - subcommand of the browser information stealer command 

gi%# 

AUTO\_CHROME\_COOKIE\_COMMAND - subcommand of the browser information stealer command 

dghh 

COMMAND\_EXIT 

_Table 1. Commands and functionalities._

The module “auto.py” contains the functionality for stealing the stored browser credentials and session cookies, as well as collecting data from various browser extensions.  

“Api.py” is responsible for implementing the communications protocol with the C2 server, using RC4 encryption to encrypt packets over otherwise unencrypted HTTP used while communicating with the C2 server. The data in a HTTP packet is encrypted with RC4 algorithm, but the encryption key is also sent within the packet structure. The packet begins with 16 bytes of MD5 checksum for the rest of the packet, for verification of data integrity, followed by 128 bytes containing the RC4 encryption key, followed by an encrypted data blob.  

Finally, “util.py” handles the compression and decompression of files. 

**Comparison of Python and Golang modules **

To assess the similarity between the two versions, Talos compares the names of the modules written in different languages as well as their functionality. The structure, the naming conventions and the function names are very similar, which indicates that the developers of the different versions either worked closely together or are the same person.   

Module 

Python name 

Golang name 

Main function module 

nvidia.py 

cloudfixer.go 

Configuration module 

config.py 

config/constans.go 

Main command loop 

nvidia.py 

core/loop.go 

Command handlers 

command.py 

core/loop.go 

Browser Stealer functionality 

auto.py 

auto/\* modules 

File compression 

util.py 

util/compress.go 

Base64 message encoding 

command.py 

command/stackcmd.go 

Duplicate process check 

nvidia.py 

instance/check.go 

Communications protocol 

api.py 

transport/htxp.go 

_Table 2. Comparison of Python and Golang RAT module names._ 

**Coverage  **

Ways our customers can detect and block this threat are listed below.  

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.  

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.  

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.  

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.  

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.  

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles.  Secure Access provides seamless transparent and secure access to the internet, cloud services or private application no matter where your users work.  Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access.  

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.   

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.   

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.  

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.   

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.  

ClamAV detections available for this threat:

Win.Backdoor.PyChollima-10045389-0
Win.Backdoor.PyChollima-10045388-0
Win.Backdoor.PyChollima-10045387-0
Win.Backdoor.PyChollima-10045386-0
Win.Backdoor.PyChollima-10045385-0
Win.Backdoor.PyChollima-10045384-0

**IOCs **

The IOCs can also be found in our GitHub repository here.

**SHA256 **

a206ea9b415a0eafd731b4eec762a5b5e8df8d9007e93046029d83316989790a - auto.py  
c2137cd870de0af6662f56c97d27b86004f47b866ab27190a97bde7518a9ac1b - auto.py  
0d14960395a9d396d413c2160570116e835f8b3200033a0e4e150f5e50b68bec - api.py 
8ead05bb10e6ab0627fcb3dd5baa59cdaab79aa3522a38dad0b7f1bc0dada10a - api.py 
5273d68b3aef1f5ebf420b91d66a064e34c4d3495332fd492fecb7ef4b19624e - nvidia.py 
267009d555f59e9bf5d82be8a046427f04a16d15c63d9c7ecca749b11d8c8fc3 - nvidia.py 
7ac3ffb78ae1d2d9b5d3d336d2a2409bd8f2f15f5fb371a1337dd487bd471e32 - nvidia.py 
b7ab674c5ce421d9233577806343fc95602ba5385aa4624b42ebd3af6e97d3e5 - util.py 
fb5362c4540a3cbff8cb1c678c00cc39801dc38151edc4a953e66ade3e069225 - util.py 
d029be4142fca334af8fe0f5f467a0e0e1c89d3b881833ee53c1e804dc912cfd - command.py 
b8402db19371db55eebea08cf1c1af984c3786d03ff7eae954de98a5c1186cee - command.py 
1f482ce7e736a8541cc16e3e80c7890d13fb1f561ae38215a98a75dce1333cee - config.py 
ed170975e3fd03440360628f447110e016f176a44f951fcf6bc8cdb47fbd8e0e - config.py 
929c69827cd2b03e7b03f9a53c08268ab37c29ac4bd1b23425f66a62ad74a13b - config.py 
127406b838228c39b368faa9d6903e7e712105b5ad8f43a987a99f7b10c29780 - config.py 
0ec9d355f482a292990055a9074fdabdb75d72630b920a61bdf387f2826f5385 - update.vbs 
c2d2320ae43aaa0798cbcec163a0265cba511f8d42d90d45cd49a43fe1c40be6 - update.vbs 
e7c2b524f5cb0761a973accc9a4163294d678f5ce6aca73a94d4e106f4c8fea4 - nvidiaRelease.zip 
28198494f0ed5033085615a57573e3d748af19e4bd6ea215893ebeacf6e576df - vdriverWin.zip 
fc71a1df2bb4ac2a1cc3f306c3bdf0d754b9fab6d1ac78e4eceba5c6e7aee85d - nvidiaRelease.zip 
d3500266325555c9e777a4c585afc05dfd73b4cbe9dba741c5876593b78059fd - nvidiaRelease.zip 

**C2 servers **

hxxp\[://\]31\[.\]57\[.\]243\[.\]29:8080 
hxxp\[://\]154\[.\]58\[.\]204\[.\]15:8080 
hxxp\[://\]212\[.\]81\[.\]47\[.\]217:8080 
hxxp\[://\] 31\[.\]57\[.\]243\[.\]190:8080

**Download host names **

api\[.\]quickcamfix\[.\]online   
api\[.\]auto-fixer\[.\]online   
api\[.\]quickdriverupdate\[.\]online   
api\[.\]camtuneup\[.\]online   
api\[.\]driversofthub\[.\]online   
api\[.\]drive-release\[.\]cloud   
api\[.\]vcamfixer\[.\]online   
api\[.\]nvidia-drive\[.\]cloud   
api\[.\]nvidia-release\[.\]us   
api\[.\]autodriverfix\[.\]online   
api\[.\]camdriversupport\[.\]com   
api\[.\]smartdriverfix\[.\]cloud   
api\[.\]drivercams\[.\]cloud   
api\[.\]camtechdrivers\[.\]com   
api\[.\]web-cam\[.\]cloud   
api\[.\]camera-drive\[.\]org   
api\[.\]nvidia-release\[.\]org 
api\[.\]fixdiskpro\[.\]online 
api\[.\]autocamfixer\[.\]online

**Fake job interview host names **

krakenhire\[.\]com  
yuga\[.\]skillquestions\[.\]com  
uniswap\[.\]speakure\[.\]com  
doodles\[.\]skillquestions\[.\]com  
www\[.\]hireviavideo\[.\]com  
kraken\[.\]livehiringpro\[.\]com  
quiz-nest\[.\]com  
www\[.\]smartvideohire\[.\]com  
www\[.\]talent-hiringstep\[.\]com  
provevidskillcheck\[.\]com  
skill\[.\]vidintermaster\[.\]com  
digitaltalent\[.\]review  
robinhood\[.\]ecareerscan\[.\]com  
evalswift\[.\]com  
livetalentpro\[.\]com  
quantumnodespro\[.\]com  
evalassesso\[.\]com  
parallel\[.\]eskillora\[.\]com  
coinbase\[.\]talentmonitoringtool\[.\]com  
uniswap\[.\]testforhire\[.\]com  
coinbase\[.\]talenthiringtool\[.\]com  
crosstheages\[.\]skillence360\[.\]com 
parallel \[.\] eskillprov \[.\] com 
assesstrack \[.\] com 
coinbase \[.\] talentmonitoringtool \[.\] com 
talent-hiringtalk\[.\]com 
uniswap\[.\]prehireiq\[.\]com 
fast-video-recording\[.\]com

Famous Chollima deploying Python version of GolangGhost RAT

These five communication channels are favored by scammers to try and trick victims at least once a week—if not more.

Scammers love your smartphone.

They can text you fraudulent tracking links for packages you never bought. They can profess their empty love to you across your social media apps. They can bombard your email inbox with phishing attempts, impersonate a family member through a phone call, and even trick you into visiting malicious versions of legitimate websites.

But, according to new research from Malwarebytes, while scammers can reach people through just about any modern method of communication, they have at least five favored tracts for finding new victims—emails, phone calls and voicemails, malicious websites, social media platforms, and text messages. It’s here that people are most likely to find phishing attempts, romance scams, sextortion threats, and more, and it’s here that everyday people should stay most cautious when receiving messages from unknown senders or in responding to allegedly urgent requests for money or information.

For this research, Malwarebytes surveyed 1,300 people over the age of 18 in the US, UK, Austria, Germany, and Switzerland, asking about the frequency, type, impact, and consequences of any scams they found on their smartphones. Capturing just how aggravating today’s online world is, a full 78% of people said they encountered or received a scam on their smartphone at least once a week.

Here are the top five places that people actually encountered those weekly scams:

*   65% of people encountered a scam at least once a week through their **email**
*   53% encountered a scam at least once a week through **phone calls and voicemails**
*   50% encountered a scam at least once a week through **text messages (SMS)**
*   49% encountered a scam at least once a week through **malicious websites**
*   47% encountered a scam at least once a week through **social media platforms**

Unfortunately, scam prevention cannot fixate on only these five channels, as scammers change their tactics based on how they’re trying to trick their victims. For instance, though people were least likely to encounter a scam once a week through a buying or selling platform like Facebook Marketplace or Craigslist (36%), such platforms were of course the most likely place for scam _victims_ to have their credit card details and passwords stolen by a scammer masquerading as a legitimate business.

The noise from such daily strife has become deeply confusing, as just 15% of people strongly agreed that they could confidently identify a scam on their phone.

****Daily dilemma****

While 78% of people encountered a scam on their smartphone at least once a week, a shocking 44% of people encountered a scam at least _daily_. Similar to the weekly breakdown, here are the top five ways that people encountered scams once a day:

*   34% of people encountered a scam at least once a day through their **email**
*   25% encountered a scam at least once a day through **malicious websites**
*   24% encountered a scam at least once a day through **phone calls and voicemails**
*   24% encountered a scam at least once a day through **social media platforms**
*   22% encountered a scam at least once a day through **text messages (SMS)**

This list encompasses so much of any person’s daily use of their smartphone. They use it to check emails, browse the internet, make phone calls, scroll through social media, and text family and friends. And yet, it is in these exact places that people have come to expect getting scammed. As if the 44% of people who encounter a daily scam wasn’t depressing enough, there are 28% of people who said they encounter scams “multiple times a day.”

But the frequency of scams can only reveal so much. How, exactly, are scammers trying to trick their targets?

****Social engineering and extortion****

Scams are so difficult to analyze because they vary both in their delivery method and their method of deceit. A message that tries to trick a person into clicking a package tracking link is a simple act of social engineering—relying on false urgency or faked identity to fool a victim. But that message itself can come through a text message or an email, and it can direct a person to a malicious website on the internet. A romance scam, similarly, can start on a social media platform but can move into a messaging service like WhatsApp. And sometimes, a threat to release private information—which can be categorized as “extortion”—can happen through a phone call, a text message, or any combination of other communication channels.

This is why, to understand how people were being harmed by scams, Malwarebytes asked respondents about roughly 20 types of cybercrime that they could encounter and experience.

Broadly, Malwarebytes found that 74% of people had “encountered” or come across a social engineering scam, and that 36% fell victim to such scams. These were the most common social engineering scams that people encountered and that they experienced:

*   **Phishing/smishing/vishing**: 53% encountered and 19% experienced
*   **USPS/FedEx/postal scams**: 42% encountered and 12% experienced
*   **Impersonation scams**: 35% encountered and 10% experienced
*   **Marketplace or business scams**: 33% encountered and 10% experienced
*   **Romance scams**: 33% encountered and 10% experienced

For respondents who experienced any type of scam—making them scam victims—Malwarebytes also asked where they had found or encountered that scam. Here, the results show a far more intimate picture of where scams are most likely to harm the public.

For instance, 26% of charity scam victims were originally tricked on social media platforms. 37% of postal notification scam victims were first reached, predictably, through SMS/text messages. And, interestingly, despite how frequently cryptocurrency scams spread through social media, the most likely place for such a scam victim to be contacted was through email (30% for email vs. 13% for social media).

In its research, Malwarebytes also discovered that 17% of people have fallen victim to extortion scams, which includes ransomware scares, virtual kidnapping schemes, and threats to release sexually explicit photos (sextortion) or deepfake images.

Here, scam victims again shared where these scams arrived. The most popular channels for deepfake scammers to victimize people were social media platforms and emails—both at 17%. For sextortion scam victims, the most popular channel was email, at 35%. And 24% of virtual kidnapping scam victims said they were contacted through text messages, making it the most popular way to deliver such a threat.

These numbers may look depressing, but they should instead educate. No, there is no such thing as a perfectly safe communication channel today. But that doesn’t mean there isn’t help.

**Check if something is a scam**

Malwarebytes Scam Guard is a free, AI-powered digital safety companion that reviews any concerning text, email, phone number, link, image, or online message and provides on the spot guidance to help users avert and report scams. Just share a screenshot of any questionable message—like that strange email demanding a password reset or that alarming text flagging a traffic penalty—and Scam Guard will guide you to safety.

 5 riskiest places to get scammed online 

Scammers are abusing sponsored search results, displaying their scammy phone number on legitimate brand websites.

_The examples in this post are actual fraud attempts found by Malwarebytes Senior Director of Research, Jérôme Segura._

Cybercriminals frequently use fake search engine listings to take advantage of our trust in popular brands, and then scam us. It often starts, as with so many attacks, with a sponsored search result on Google.

In the latest example of this type of scam, we found tech support scammers hijacking the results of people looking for 24/7 support for Apple, Bank of America, Facebook, HP, Microsoft, Netflix, and PayPal.

Here’s how it works: Cybercriminals pay for a sponsored ad on Google pretending to be a major brand. Often, this ad leads people to a fake website. However, in the cases we recently found, the visitor is taken to the legitimate site with a small difference.

Visitors are taken to the help/support section of the brand’s website, but instead of the genuine phone number, the hijackers display their scammy number instead.

The browser address bar will show that of the legitimate site and so there’s no reason for suspicion. However, the information the visitor sees will be misleading, because the search results have been poisoned to display the scammer’s number prominently in what looks like an official search result.

Once the number is called, the scammers will pose as the brand with the aim of getting their victim to hand over personal data or card details, or even allow remote access to their computer. In the case of Bank of America or PayPal, the scammers want access to their victim’s financial account so they can empty it of money.

A technically more correct name for this type of attack would be a search parameter injection attack, because the scammer has crafted a malicious URL that embeds their own fake phone number into the genuine site’s legitimate search functionality.

See the below example on Netflix:

These tactics are very effective because:

*   Users see the legitimate Netflix URL in their address bar
*   The page layout looks authentic (again, because it is the real Netflix site)
*   The fake number appears in what looks like a search result, making it seem official.

This is able to happen because Netflix’s search functionality blindly reflects whatever users put in the search query parameter without proper sanitization or validation. This creates a reflected input vulnerability that scammers can exploit.

Fortunately, Malwarebytes Browser Guard caught this and shows a warning about “Search Hijacking Detected,” and explains that unauthorized changes were made to search results with an overlaid phone number.

But Netflix is just one example. As we mentioned earlier, we found that other brands, such as PayPal, Apple, Microsoft, Facebook, Bank of America, and HP being abused in the same way by scammers.

The HP example is a bit clearer to identify as suspicious, as it says “4 Results for” which is shown in front of the scammers text. But even then if you’re on a genuine website you expect to see a genuine number, right?

Interestingly, Apple is the one where we found the scammer’s number was the hardest to identify as false.

This looks as if the web page tells the visitor they have no matches for their search, so they’d better call the number on display. That would drive them straight in the arms of scammers.

**How to stay safe from tech support scams**

As demonstrated in these cases, Malwarebytes Browser Guard is a great defense mechanism against this kind of scam, and it is free to use.

There are also some other red flags to keep an eye out for:

*   A phone number in the URL
*   Suspicious search terms like “Call Now” or “Emergency Support” in the address bar of the browser
*   Lots of encoded characters like the %20 (space) and %2B (+ sign) along with phone numbers
*   The website showing a search result before you entered one
*   The urgent language (Call Now, Account suspended, Emergency support) displayed on the website
*   An in-browser warning for known scams (don’t ignore this).

And before you call any brand’s support number, look up the official number in previous communications you’ve had with the company (such as an email, or on social media) and compare it to the one you found in the search results. If they are different, investigate until you’re sure which one is the legitimate one.

If during the call, you are asked for personal information or banking details that have nothing to do with the matter you’re calling about, hang up.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Scammers hijack websites of Bank of America, Netflix, Microsoft, and more to insert fake phone number 

Cybersecurity researchers at Netcraft have discovered a series of new SEO poisoning related attacks exploiting Google’s search results…

Cybersecurity researchers at Netcraft have discovered a series of new SEO poisoning related attacks exploiting Google’s search results to spread malicious content and other scams. According to researchers, an “organized” network of attackers is using compromised websites to boost the visibility of malicious content in search rankings.

Behind this operation is Hacklink, a black market platform that allows scammers to inject links to phishing pages and fraudulent services into unsuspecting websites, with search engines doing the rest.

****Hijacked Sites, Invisible Links, Manipulated Results****

Instead of defacing websites or stealing data, attackers using Hacklink insert invisible code into the source of compromised sites. These links are designed to match keywords searched by users, especially in the gambling, pharmaceutical, and adult content sectors. When someone searches for a related term, the attacker’s sites show up high in the results, often outranking legitimate businesses.

The content is prepared to be hidden from everyday users but fully visible to search engine crawlers. By doing this, the attacker piggybacks on the reputation of the compromised site, especially those ending in .gov, .edu, or popular country code domains. This tactic tricks search algorithms into treating scam sites as credible, giving them an increase in visibility.

****Hacklink: SEO Fraud as a Service****

Hacklink is an online shop for scammers. Attackers can browse a list of already-compromised domains, select keywords and target URLs, and pay to have their content injected.

According to Netcraft’s report shared with Hackread.com ahead of publishing on Tuesday, prices vary, but listings often start around $1, with premium domains costing more. All of this is done through a web-based control panel, making large-scale manipulation of search rankings accessible to anyone with money and malicious intentions.

In many cases, the website owner remains unaware. Their site looks and functions normally, even as it silently boosts fraudulent sites selling fake products, redirecting to phishing pages, or spreading malware.

Hacklink Market’s website (Screenshot: Hackread.com)

****Targeting Online Gambling in Turkey****

Netcraft’s report also notes an increase in attacks targeting the online gambling sector in Turkey. Groups like “Neon SEO Academy” and “SEOLink” are offering services to manipulate search rankings for gambling-related keywords. These operators claim access to over 15,000 compromised websites and actively market their offerings through platforms like Telegram and WhatsApp.

These groups offer much more than link injection. Some provide access to admin panels of vulnerable sites, allowing more extensive and long-term control. Others use private blog networks to further boost the legitimacy of malicious links, an approach that mixes pushy SEO tactics with questionable ethics.

****Real-Time Ranking Manipulation****

Researchers also noted that attackers are able to dynamically change the text that appears in search results by adjusting anchor text across their link network. This means they can remotely influence how a compromised site appears in Google’s results, even without full control of that site.

In more advanced setups, this method can even take search users to phishing pages or cloned versions of real websites. Users who think they’re visiting a trusted service may be entering passwords or payment information into a trap.

Screenshot shows the compromised website of the LifeBridge Christian Church – Colorado, United States

While online gambling is the most visible victim today, this method could be applied to almost any industry that relies on search engine visibility, including banking, healthcare, crypto trading, and charitable fundraising. The tactic targets both user trust and brand integrity, making it difficult for victims to even detect the problem.

****What To Do?****

Organizations should security admin panels, apply patches, and monitor file changes regularly. But awareness is just as important. SEO poisoning isn’t just a search engine problem, it’s a growing part of the cybercrime economy.

Site owners should review how their domains appear in search results, audit for unauthorized outbound links, and monitor their domain’s reputation. If suspicious links are detected, use disavow tools and report abuse to search engines promptly.

For users, verify URLs carefully, especially when dealing with financial transactions or personal information. And when in doubt, go directly to a known domain rather than trusting search engine links alone.

And most importantly, follow Hackread.com for more cybersecurity-related news and security tips!

Hacklink Market Linked to SEO Poisoning Attacks in Google Results

The unsound function `dump_code_load_record` uses `from_raw_parts` to directly convert the pointer `addr` and `len` into a slice without any validation and that memory block would be dumped.

Thus, the 'safe' function dump_code_load_record is actually 'unsafe' since it requires the caller to guarantee that the addr is valid and len must not overflow. Otherwise, the function could dump the memory into file illegally, causing memory leak.

> **Note**: this is an internal-only crate in the Wasmtime project not intended for external use and is more strongly signaled nowadays as of [bytecodealliance/wasmtime#10963](https://github.com/bytecodealliance/wasmtime/pull/10963). Please open an issue in Wasmtime if you're using this crate directly.

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  GHSA-9ghp-w2hm-vfpf

**wasmtime\_jit\_debug Dumps Undefined Memory by \`JitDumpFile\`**

Moderate severity GitHub Reviewed Published Jun 17, 2025 to the GitHub Advisory Database • Updated Jun 17, 2025

**Package**

cargo wasmtime-jit-debug (Rust)

**Affected versions**

< 24.0.0

The unsound function dump_code_load_record uses from_raw_parts to directly convert the pointer addr and len into a slice without any validation and that memory block would be dumped.

Thus, the 'safe' function dump\_code\_load\_record is actually 'unsafe' since it requires the caller to guarantee that the addr is valid and len must not overflow. Otherwise, the function could dump the memory into file illegally, causing memory leak.

> **Note**: this is an internal-only crate in the Wasmtime project not intended for external use and is more strongly signaled nowadays as of bytecodealliance/wasmtime#10963. Please open an issue in Wasmtime if you're using this crate directly.

**References**

*   bytecodealliance/wasmtime#8905
*   bytecodealliance/wasmtime@b5e31a5
*   https://rustsec.org/advisories/RUSTSEC-2024-0442.html

Published to the GitHub Advisory Database

Jun 17, 2025

Last updated

Jun 17, 2025

GHSA-9ghp-w2hm-vfpf: wasmtime_jit_debug Dumps Undefined Memory by `JitDumpFile`

Consider this: Berkshire Hathaway, Warren Buffett’s $700 billion conglomerate, operates one of the most influential investor websites on…

Consider this: Berkshire Hathaway, Warren Buffett’s $700 billion conglomerate, operates one of the most influential investor websites on the planet, utilizing HTML that predates YouTube, employing table-based layouts and single-color backgrounds that Buffett personally insists on keeping “simple.”

Craigslist processes over 2 billion page views monthly through an interface that hasn’t changed since 2000, deliberately rejecting modern design because founder Craig Newmark believes complexity reduces functionality. Meanwhile, IRS.gov receives 1.4 billion visits annually during tax season through a navigation system so convoluted that TurboTax built a $3 billion business simply by making tax filing less painful.

Healthcare.gov’s initial launch disaster in 2013, where a $400 million website could handle only six users simultaneously, still echoes in government procurement today. The UK’s Gov.uk, conversely, became a global model by ruthlessly prioritizing user needs over departmental politics, saving an estimated £4.1 billion annually through better digital design.

These contrasts reveal a fundamental truth: interface design isn’t cosmetic, it’s economic infrastructure that can make or break trillion-dollar markets.

The Rapid Rebuild Hackathon 2025, organized by Hackathon Raptors, challenged developers to tackle exactly these kinds of functional but frustrating digital experiences. Over 72 hours, twelve teams transformed everything from Berkshire Hathaway’s deliberately minimalist investor portal to revolutionary reimaginings of system-level BIOS interfaces, proving that sometimes the most impactful innovation comes not from building something new, but from fixing what already works, just barely.

****The Art of Digital Resurrection****

“The most impactful solutions don’t always come from building something entirely new,” explains the hackathon’s core philosophy. “Sometimes breakthrough innovation emerges from reimagining what already exists, using modern tools to transform crucial but neglected digital spaces.”

This approach proved prescient when examining the winning submissions. BIOSage, the grand prize winner, didn’t just modernize a website, it completely reimagined how users interact with system-level interfaces. The project integrated a locally hosted LLaMA 3.2 language model to provide offline diagnostics, transforming the traditionally static BIOS experience into an intelligent, multilingual system assistant.

“What sets BIOSage apart is its recognition that even the most fundamental computing interfaces can benefit from modern AI integration,” notes Anand Singh, Technical Lead at Meta and hackathon judge.

Singh’s extensive background in embedded systems and wireless communications, including work on OpenRAN and high-altitude platform systems, provided a unique perspective on the technical challenges of bringing AI to firmware-level interfaces.

Singh’s experience with low-power IoT networks and embedded optimization proved particularly relevant when evaluating BIOSage’s achievement in running complex language models locally without compromising system performance.

“The ability to provide intelligent diagnostics without internet connectivity addresses a critical gap in system administration,” he observed. “This isn’t just a UI improvement, it’s a fundamental advancement in how we approach system-level troubleshooting.”

****Quality Assurance in Rapid Development****

The compressed 72-hour timeline presented unique challenges for maintaining code quality while pushing innovation boundaries. This tension between speed and reliability became a crucial evaluation criterion, drawing heavily on the expertise of Yulia Drogunova, Senior QA Engineer at Raiffeisen Bank.

With over eight years of experience building effective testing processes for major financial institutions, including Raiffeisen Bank and VTB Bank, and her work with international companies such as Luxoft and Lineate, Drogunova brought a critical perspective to evaluating how teams managed quality under extreme time pressure.

“The most impressive projects weren’t just those with flashy features,” Drogunova explained during the evaluation process. “They were the ones that implemented proper testing methodologies even within hackathon constraints.”

Her experience implementing automated tests into CI/CD processes, which has increased development speed and reduced defects in production banking applications, informed her assessment of how teams structured their rapid development cycles.

Drogunova particularly highlighted the Smart Builders team’s approach to their Hacker News reimagining. “They demonstrated an understanding that accessibility testing isn’t an afterthought, it’s integral to the development process,” she noted, referencing their implementation of voice reader capabilities and keyboard navigation. This aligned with her experience in ensuring mobile banking applications meet accessibility standards across diverse user needs.

The winning projects consistently showed evidence of systematic testing approaches. Refreshify, the second-place winner, implemented comprehensive error handling for its AI-powered website transformation engine.

“Sanjay Sah’s team understood that when you’re processing arbitrary URLs and generating real-time previews, robust error handling isn’t optional,” Drogunova observed. Her background in both manual and automated testing for web-based applications informed her appreciation for the defensive programming techniques employed.

****Frontend Architecture Under Pressure****

The hackathon’s focus on user experience transformation highlighted the critical role of frontend architecture in delivering compelling user interfaces rapidly. Vladislav Krushenitskii, a senior front-end developer with over a decade of experience spanning complex management systems and international client projects, evaluated how teams leveraged modern frameworks to achieve maximum impact in the shortest time possible.

Krushenitskii’s background with the Russian Hack Team, a network of 30 elite developers known for exceptional hackathon performance, provided valuable context for assessing rapid development strategies. His experience implementing micro-frontend architectures at EPAM Systems and reducing page load times by 30% through optimized React and Redux implementations informed his evaluation criteria.

“The most successful teams understood that hackathon development isn’t about shortcuts, it’s about intelligent architectural decisions,” Krushenitskii explained. His assessment focused particularly on how teams balanced feature richness with maintainable code structure.

The Delbyte team’s BetterShire Hathaway project caught his attention for its thoughtful component architecture. “They implemented a modular design system that could scale beyond the hackathon scope,” he noted, drawing parallels to his work developing sophisticated management systems with complex components like dynamic trees and filters. “The subsidiary showcase section demonstrated an advanced understanding of data presentation patterns that I’ve seen take weeks to perfect in commercial projects.”

Krushenitskii’s experience with React Native and cross-platform development proved relevant when evaluating mobile-first approaches. Several teams, including the WhaleMatch redesign, implemented responsive design patterns that he recognized from his work on cinema and startup interfaces for clients in the USA and Norway.

“The teams that truly understood modern web development didn’t just make things look better, they fundamentally improved how information flows through the interface,” he observed.

****The Innovation Spectrum: From Extensions to Complete Rebuilds****

The diversity of technical approaches reflected different philosophies about innovation and user experience improvement. Projects ranged from browser extensions enhancing existing platforms to complete ground-up rebuilds, each presenting unique technical challenges and user experience opportunities.

The ReStyle Chrome extension demonstrated how targeted interventions could transform user experiences without requiring comprehensive platform rebuilds. BuildWithKT.dev’s approach to enhancing Stack Overflow’s interface through real-time theme customization showed a sophisticated understanding of browser extension architecture while addressing genuine usability concerns.

At the opposite end of the spectrum, Level One’s Battle City Remastered represented a complete reconstruction of a classic gaming experience using pure Python and Pygame. The technical achievement of recreating complex game mechanics in just 72 hours showcased the team’s deep understanding of game development principles and efficient coding practices.

****Lessons in Scalable Innovation****

The hackathon results revealed consistent patterns among successful projects that extend beyond hackathon contexts into broader software development practices. Teams that achieved top rankings demonstrated several key characteristics that align with industry best practices for rapid innovation.

**Constraint-Driven Creativity**: The most innovative solutions emerged from teams that embraced technical limitations as creative catalysts rather than obstacles. BIOSage’s offline AI diagnostics capability, for instance, turned the constraint of no internet connectivity into a competitive advantage for system administration scenarios.

**User-Centered Problem Solving**: Winning teams consistently prioritized genuine user pain points over technical showcasing. The multiple Hacker News reimaginings each addressed specific usability issues, such as navigation complexity, information density, and accessibility barriers, rather than simply applying modern styling to existing interfaces.

**Architectural Thinking**: Even within hackathon timelines, successful teams implemented architectural patterns that could support future development. This forward-thinking approach distinguished projects with genuine commercial potential from purely demonstrative implementations.

****The Future of Digital Modernization****

The Rapid Rebuild concept addresses a pressing industry need as organizations struggle with legacy systems that serve critical functions, despite their outdated interfaces. The hackathon’s results suggest several emerging trends in how developers approach modernization challenges.

AI integration emerged as a transformative factor, with multiple projects incorporating intelligent features to enhance user experiences. Beyond BIOSage’s diagnostic capabilities, projects like HackerNews-Revamped integrated AI chatbots could discuss articles from the content’s perspective, demonstrating how artificial intelligence can add contextual value to information consumption.

Accessibility considerations became central rather than peripheral to design decisions. Teams consistently implemented features like voice navigation, customizable themes, and keyboard shortcuts as core functionality rather than afterthoughts. This shift reflects growing industry recognition that inclusive design benefits all users while expanding market reach.

The hybrid approach of extension-based enhancements alongside complete rebuilds suggests a pragmatic evolution in how organizations might approach legacy system modernization. Rather than requiring wholesale replacement, targeted improvements through browser extensions or API layers can provide immediate benefits to the user experience while maintaining the underlying system’s stability.

****Implications for Industry Practice****

The 72-hour timeframe compressed typical development cycles while maintaining quality standards, offering insights into rapid innovation methodologies. The most successful teams implemented practices that mirror emerging industry trends toward accelerated development cycles and continuous improvement.

Cross-disciplinary collaboration proved essential, with winning teams effectively combining frontend development, backend architecture, user experience design, and domain expertise. This integration reflects the industry movement toward full-stack competency and collaborative development practices.

The emphasis on immediate usability over feature completeness aligns with lean development principles and minimum viable product approaches. Teams that focused on solving specific user problems comprehensively outperformed those attempting to recreate entire feature sets superficially.

****Looking Forward****

The Rapid Rebuild Hackathon 2025 demonstrated that innovation often emerges not from creating entirely new solutions but from applying fresh perspectives and modern tools to existing challenges. As the digital landscape continues evolving, the ability to thoughtfully modernize legacy systems while preserving their essential value becomes increasingly critical.

The projects showcased techniques and approaches that extend far beyond hackathon contexts, offering roadmaps for organizations seeking to modernize user experiences without abandoning functional infrastructure. From AI-enhanced system interfaces to accessibility-first redesigns, the innovations demonstrated paths forward for digital transformation that prioritize user needs while respecting technical constraints.

The success of diverse approaches, from targeted browser extensions to complete system rebuilds, suggests that digital modernization isn’t a one-size-fits-all challenge. Instead, it requires careful assessment of user needs, technical constraints, and organizational capabilities to determine the most effective intervention strategy.

Most importantly, the hackathon reinforced that exceptional user experiences don’t require revolutionary technology, they require thoughtful application of existing tools, a deep understanding of user needs, and the courage to reimagine how digital interfaces can better serve their intended purposes. In an era of rapid technological change, the ability to bridge legacy functionality with modern expectations may prove more valuable than any individual technical skill.

Rapid Rebuild Hackathon 2025: When Legacy Meets Innovation

In a confirmation that we've gone full Black Mirror, air fryer and other IoT manufacturers are being told to stop playing with our data.

In a confirmation that we’ve gone full Black Mirror, the UK’s privacy czar has wagged a finger at air fryer manufacturers and told them to stop playing with our data.

New draft guidance from the Information Commissioner’s Office (ICO) targets not just air fryer vendors but manufacturers of any smart home products, ranging from smart lighting systems through to internet-connected refrigerators and connected toys.

Collectively known as IoT (Internet of Things) devices, these connected objects have a nasty habit of collecting our data without us really understanding what they’re doing. It’s a problem with many of them, although late last year Which? magazine added air fryers to the list of offenders.

The guidance highlights data that IoT vendors might collect. This includes registration data such as an owner’s name, address, and email. It also means information gathered directly from the product that reveals how the user interacts with it. A device might simply tell its manufacturer when you used the product and how long for, but sensors embedded in it might monitor anything from temperature to motion.

The ICO is interested in enforcing privacy laws such as the UK’s version of the General Data Protection Regulation (UK GDPR). That allows products to process user information if it’s purely for domestic use, like asking a smart speaker to play Lady Gaga’s all-time greatest hits, say.

But if the IoT vendor uses audio recordings of the person’s interactions with the speaker to improve its own service or even to make inferences about that person from their musical choices, then that isn’t domestic use. That’s processing for the company’s own purposes, and it falls on the wrong side of the law.

**Consent is key**

The guidance tells vendors to ask for consent when processing this kind of data. That means ensuring that users can easily tell what they’re consenting to, and be able to make a clear choice not to do so.

Users should be able to find out how the manufacturer is using their information after they sign up for the service, says the ICO. They must also be able to withdraw consent at any time. In practice, that helps people who might click a consent button early on but then think twice about it later and decide to change their permissions.

When vendors do collect information about users they must tell them what they’re collecting, and why they’re using it. They should tell people what decisions they’re making with it, and how it affects their service. People should also be informed about how long the vendor will keep that data.

The company should also process user data fairly. That means only doing what people expect them to do with it, and not in ways that harm the user.

This is all good advice, and in keeping with existing privacy laws, but it means vendors will have a fine line to walk. Some of the requirements are nuanced. For example, the guidance asks companies to consider ways of making their privacy information easy to follow. That means giving them all the information they need without overloading them. It might require careful user interface design, along with collaboration between designers and privacy or compliance professionals.

Where appropriate, design choices like navigation panels, collapsible lists, large text, and diagrams will go a long way towards satisfying these requirements, the ICO says.

**There’s an existing UK law for IoT security**

There’s also a section outlining security for IoT devices and the data they collect. This points to an existing UK law called the Product and Telecommunications Infrastructure Regulations 2024 (PSTI Regulations), which came into effect last year. This calls for specific protections such as the use of unique passwords for devices, encryption of user data, and regular security updates.

The security aspect of IoT is perhaps one of the most important of all. Even companies with the best of intentions can make mistakes and leak customer data gathered by everything from connected chastity devices through to kids’ toys.

This guidance applies not just to smart connected objects but to the apps that vendors often provide with them. Those apps, which give you data about what your smart object is doing and allow you to control it, are great ways for vendors to harvest information about you.

**You’re your own best protection**

The document is still in draft form and open to consultation. Because it’s UK guidance it likely won’t protect people not in the UK. As always, the first line of defense is you.

So, when buying a smart home device, consider whether an app for it is necessary. Your smart fryer might have no way of phoning home without an app, but you might be able to just check whether your food is done without needing your phone to tell you.

In some cases, you might want to consider whether you really need a product to be connected at all. Connected devices are a great way for companies to nickel and dime you unexpectedly through subscription programs, or brick your product remotely when they decide it isn’t profitable for them any more.

Sometimes, all you want to do is cook up some hot fries without things getting too complicated, you know?

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Smart air fryers ordered to stop invading our digital privacy 

Reddit has announced more AI-powered tools to help advertisers. But do users care for it?

Reddit has introduced two Artificial Intelligence (AI) tools which will use Reddit comments, posts, and conversations to help sellers make the most of the community.

Reddit is a social media platform and online forum where users can share and discuss content across a wide range of topics. The platform’s structure divides it into communities known as “subreddits,” each focused on a specific subject or interest (from cars to movies to sports to knitting).

There are also promoted posts, which look like regular Reddit posts but are marked as sponsored. They can include text, images, videos, or carousels and often appear in users’ feeds or within specific subreddits. Due to its size, Reddit has evolved into a major digital platform for both advertising and AI-powered data analysis.

Reddit introduced its “Reddit Community Intelligence” at the Cannes Lions International Festival of Creativity 2025. It described this new addition as the collective knowledge of billions of conversations to help businesses and organizations make “smarter marketing decisions.”

Last year, Reddit launched AI-powered advertising such as an ads inspiration library, AI copywriter, and image auto-cropper to help small businesses create more effective, platform-specific ads.

The new tools, dubbed “Reddit Insights” and “Conversation Summary Add-ons” use AI to analyze conversations, summarize sentiment, and surface relevant user-generated content for advertisers.

Last year, the FTC advised Reddit that it would conduct a non-public inquiry focused on Reddit’s sale, licensing, or sharing of user-generated content with third parties to train AI models. This was before Reddit announced a partnership with OpenAI to bring Reddit content to ChatGPT.

When the FTC launched a Request for Information (RFI) to better understand how technology platforms deny or degrade users’ access to services based on the content of their speech or affiliations, and how this conduct may have violated the law, without specifically mentioning Reddit, the company saw a 9% drop in stock price.

The new tools will undoubtedly fuel the ongoing debates about the ethics of AI-driven analysis on Reddit, especially regarding user consent and the potential for privacy breaches.

In April, users of the r/ChangeMyView subreddit expressed outrage at the revelation that researchers at the University of Zurich were secretly using the site for an AI-powered experiment in persuasion, prompting the moderation team to explain that the experiment was conducted without authorization.

Given the open nature of Reddit it’s important to keep in mind that anything you post can be found by anyone and everything, including AI. So, it’s important to hold yourself to the same standards you may use when posting on social media.

On June 28, 2025 a new Privacy Policy will go into effect. It stands to reason that you should be aware of the current policy and keep up with any changes.

A few general rules to help improve your privacy on the platform:

*   Anonymity: there is no reason to use your real name or any identifying information in your username or profile. Don’t share personal details like your location, workplace, or other identifiers in posts or comments unless they are relevant to the post.
*   Don’t link to other social media profiles in your profile or posts. Also don’t link your account to your Google or Apple account.
*   If you’re active in several Reddit communities, consider creating separate accounts for different interests or sensitive topics.
*   In your Reddit account settings, under Privacy you can turn off “Show up in search results” to prevent your posts and comments from being indexed by search engines or easily browsed by others.
*   You can also disable “Personalize ads on Reddit based on information and activity from our partners.”
*   Protect your account using a unique, complex password and enable two-factor authentication (2FA) for your Reddit account.
*   Regularly check your account activity for unauthorized access and report anything suspicious.

**We don’t just report on threats – we help protect your social media**

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Malwarebytes Identity Theft Protection.

 Reddit&#8217;s new AI-powered tools scan your posts to serve you better ads 

Cybersecurity researchers have disclosed three security flaws in the popular Sitecore Experience Platform (XP) that could be chained to achieve pre-authenticated remote code execution.
Sitecore Experience Platform is an enterprise-oriented software that provides users with tools for content management, digital marketing, and analytics and reports.
The list of vulnerabilities, which are yet to be

Hard-Coded 'b' Password in Sitecore XP Sparks Major RCE Risk in Enterprise Deployments

The shooter allegedly researched several “people search” sites in an attempt to target his victims, highlighting the potential dangers of widely available personal data.

The man who allegedly assassinated a Democratic Minnesota state representative, murdered her husband, and shot a state senator and his wife at their homes in a violent spree early Saturday morning may have gotten their addresses or other personal details from online data broker services, according to court documents.

Suspect Vance Boelter, 57, is accused of shooting Minnesota representative Melissa Hortman and her husband, Mark Hortman, in their home on Saturday. The couple died from their injuries. Authorities claim the suspect also shot state senator John Hoffman and his wife Yvette Hoffman in their home earlier that night. The pair are currently recovering and are “incredibly lucky to be alive,” according to a statement from their family.

According to an FBI affidavit, police searched the SUV believed to be the suspect's and found notebooks that included handwritten lists of “more than 45 Minnesota state and federal public officials, including Representative Hortman’s, whose home address was written next to her name.” According to the same affidavit, one notebook also listed 11 mainstream search platforms for finding people's home addresses and other personal information, like phone numbers and relatives.

The addresses for both lawmakers targeted on Saturday were readily available. Representative Hortman's campaign website listed her home address, while Senator Hoffman's appeared on his legislative webpage, The New York Times reports.

“Boelter stalked his victims like prey,” acting US attorney Joseph Thompson alleged at a press conference on Monday. “He researched his victims and their families. He used the internet and other tools to find their addresses and names, the names of their family members.” Thompson also alleged that the suspect surveilled victims' homes.

The suspect faces several charges of second-degree murder.

Privacy and public safety advocates have long argued that the US should regulate data brokers to guarantee that people have better control over the sensitive information available about them. The US has no comprehensive data privacy legislation, and efforts to regulate data brokers from within federal agencies have largely been quashed.

“The accused Minneapolis assassin allegedly used data brokers as a key part of his plot to track down and murder Democratic lawmakers,” Ron Wyden, the US senator from Oregon, tells WIRED. “Congress doesn't need any more proof that people are being killed based on data for sale to anyone with a credit card. Every single American's safety is at risk until Congress cracks down on this sleazy industry.”

In many cases, basic information like home addresses can be found through public records, including voter registration data (which is public in some states) and political donations data, says Gary Warner, a longtime digital scams researcher and director of intelligence at the cybersecurity firm DarkTower. Anything that isn't readily available through public records is almost always easy to find using popular “people search” services.

“Finding a home address, especially if someone has lived in the same place for many years is trivial,” Warner says. He adds that for “younger people, non-homeowners, and less political people, there are other favorite sites” for finding personal information.

For many in the general public as well as in politics, Saturday's violent crime spree brings new urgency to the long-standing question of how to protect sensitive personal data online.

“These are not the first murders that have been abetted by the data broker industry. But most of the previous targets were relatively unknown victims of stalking and abuse,” alleges Evan Greer, deputy director of the digital rights group Fight for the Future. “Lawmakers need to act before they have more blood on their hands.”

Tag

#git