SUMMARY A sophisticated attack campaign has compromised at least 16 Chrome browser extensions, exposing over 600,000 users to…

****SUMMARY****

*   **Large-Scale Breach**: Over 16 Chrome extensions were compromised, exposing 600,000+ users to data and credential theft.

*   **Phishing Attack**: Developers were tricked into granting access to a malicious OAuth app via fake Chrome Web Store emails.

*   **Cyberhaven Impact**: Attackers used admin credentials to deploy a malicious update stealing sensitive user data.

*   **Widespread Impact**: Many extensions across categories are linked to the same malicious infrastructure.

*   **Response & Recommendations**: Revoke credentials, monitor logs, and secure extensions; investigations continue.

A sophisticated attack campaign has compromised at least 16 Chrome browser extensions, exposing over 600,000 users to data theft and credential theft. The attack targeted extension publishers through phishing emails that mimicked official communications from the Chrome Web Store.

These emails, designed to create a sense of urgency, tricked developers into granting malicious applications access to their accounts. This allowed attackers to inject malicious code into legitimate extensions.

The recipient was directed to accept the policies by clicking a link, which then led them to a page for granting permissions to a malicious OAuth application called “Privacy Policy Extension.

Cyberhaven, a cybersecurity firm specializing in data loss prevention, was among the impacted firms and the first to publicly disclose its compromise. The attack occurred on December 24 and involved phishing a company employee to gain access to their Chrome Web Store admin credentials. 

According to Cyberhaven, the attackers compromised the “single admin account for the Google Chrome Store” and managed to publish a malicious update to their popular Chrome extension. This update, deployed on Christmas Day, was designed to steal sensitive user data, including passwords, session tokens, Facebook account credentials, and cookies.

The malicious extension, version 24.10.4, remained active for over 31 hours before being detected and removed from the Chrome Web Store. “Our security team detected this compromise at 11:54 PM UTC on December 25 and removed the malicious package within 60 minutes,” the company’s disclosure read.

Cyberhaven immediately released a legitimate update (version 24.10.5), hired Mandiant to develop an incident response plan and also notified federal law enforcement agencies for investigation. The company has confirmed that its systems, including CI/CD processes and code signing keys, were not compromised.

In an email sent to its customers, Cyberhaven has advised users to revoke and rotate passwords and text-based credentials, such as API tokens, and review their logs for malicious activity. This is due to the potential for stolen session tokens and cookies to bypass security measures, allowing hackers to access logged-in accounts without a password or two-factor code. However, the company has not disclosed the method of the breach or the corporate security policies that allowed the account compromise. 

Following the Cyberhaven breach, security researchers discovered numerous other compromised extensions exhibiting similar malicious behaviour. These extensions, spanning various categories including AI assistants, VPNs, and productivity tools, were found to be communicating with the same command-and-control servers.

> Regarding the Cyberhaven chrome extension compromise I have reasons to believe there are other extensions affected. Pivoting by the ip address there are more domains created within the same time range resolving to the same ip address as cyberhavenextpro (cont)
> 
> — Jaime Blasco (@jaimeblascob) December 27, 2024

Other extensions found to have been compromised, according to Secure Annex, a browser extension security platform, include the following:

Name

ID

VPNCity

nnpnnpemnckcfdebeekibpiijlicmpom

Parrot Talks

kkodiihpgodmdankclfibbiphjkfdenh

Uvoice

oaikpkmjciadfpddlpjjdapglcihgdle

Internxt VPN

dpggmcodlahmljkhlmpgpdcffdaoccni

Bookmark Favicon Changer

acmfnomgphggonodopogfbmkneepfgnh

Castorus

mnhffkhmpnefgklngfmlndmkimimbphc

Wayin AI

cedgndijpacnfbdggppddacngjfdkaca

Search Copilot AI Assistant for Chrome

bbdnohkpnbkdkmnkddobeafboooinpla

VidHelper – Video Downloader

egmennebgadmncfjafcemlecimkepcle

AI Assistant – ChatGPT and Gemini for Chrome

bibjgkidgpfbblifamdlkdlhgihmfohh

Vidnoz Flex – Video recorder & Video share

cplhlgabfijoiabgkigdafklbhhdkahj

TinaMind – The GPT-4o-powered AI Assistant!

befflofjcniongenjmbkgkoljhgliihe

Bard AI chat

pkgciiiancapdlpcbppfkmeaieppikkk

Reader Mode

llimhhconnjiflfimocjggfjdlmlhblm

Primus (prev. PADO)

oeiomhmbaapihbilkfkhmlajkeegnjhe

Tackker – online keylogger tool

ekpkdmohpdnebfedjjfklhpefgpgaaji

AI Shop Buddy

epikoohpebngmakjinphfiagogjcnddm

Sort by Oldest

miglaibdlgminlepgeifekifakochlka

Rewards Search Automator

eanofdhdfbcalhflpbdipkjjkoimeeod

Earny – Up to 20% Cash Back

ogbhbgkiojdollpjbhbamafmedkeockb

ChatGPT Assistant – Smart Search

bgejafhieobnfpjlpcjjggoboebonfcg

Keyboard History Recorder

igbodamhgjohafcenbcljfegbipdfjpk

Email Hunter

mbindhfolmpijhodmgkloeeppmkhpmhc

Visual Effects for Google Meet

hodiladlefdpcbemnbbcpclbmknkiaem

Cyberhaven security extension V3

pajkjnmeojmbapicmbpliphjmcekeaac

This means that it is a well-thought-after large-scale attack. Security researchers are still searching for more exposed extensions, but the sophistication and scope of the attack have increased the importance for organizations to secure their browser extensions. The identity of the attacker remains unclear.

1.  **Fake ChatGPT Extension Hijacks Facebook Accounts**
2.  **Chrome Extensions Harboring Dormant Colors Malware**
3.  **EmailGPT Flaw Puts User Data at Risk: Remove the Extension NOW**
4.  **Fake Ads Manager Malicious Extensions Target Facebook Accounts**
5.  **Ad-blocker Chrome extension AllBlock injected ads in Google searches**

16 Chrome Extensions Hacked in Large-Scale Credential Theft Scheme

Palo Alto, Calif., USA, 30th December 2024, CyberNewsWire

**Palo Alto, Calif., USA, December 30th, 2024, CyberNewsWire**

SquareX, an industry-first Browser Detection and Response (BDR) solution, leads the way in browser security. About a week ago, SquareX reported large-scale attacks targeting Chrome Extension developers aimed at taking over the Chrome Extension from the Chrome Store.

On December 25th, 2024, a malicious version of Cyberhaven’s browser extension was published on the Chrome Store that allowed the attacker to hijack authenticated sessions and exfiltrate confidential information. The malicious extension was available for download for more than 30 hours before being removed by Cyberhaven. The data loss prevention company declined to comment on the extent of the impact when approached by the press, but the extension had over 400,000 users on the Chrome Store at the time of the attack.

Unfortunately, the attack took place as SquareX’s researchers had identified a similar attack with a video demonstrating the entire attack pathway just a week before the Cyberhaven breach. The attack begins with a phishing email impersonating Chrome Store containing a supposed violation of the platform’s “Developer Agreement”, urging the receiver to accept the policies to prevent their extension from being removed from Chrome Store. Upon clicking on the policy button, the user gets prompted to connect their Google account to a “Privacy Policy Extension”, which grants the attacker access to edit, update and publish extensions on the developer’s account.

Fig 1. Phishing email targeting extension developers

Fig 2. Fake Privacy Policy Extension requesting access to “edit, update or publish” the developer’s extension

Extensions have become an increasingly popular way for attackers to gain initial access. This is because most organizations have limited purview on what browser extensions their employees are using. Even the most rigorous security teams typically do not monitor subsequent updates once an extension is whitelisted.

SquareX has conducted extensive research and demonstrated at DEFCON 32, how MV3-compliant extensions can be used to steal video stream feeds, add a silent GitHub collaborator, and steal session cookies, among others. Attackers can create a seemingly harmless extension and later convert it into a malicious one post-installation or, as demonstrated in the attack above, deceive the developers behind a trusted extension to gain access to one that already has hundreds of thousands of users. In Cyberhaven’s case, attackers were able to steal company credentials across multiple websites and web apps through the malicious version of the extension.

Given that developer emails are publicly listed on Chrome Store, it is easy for attackers to target thousands of extension developers at once. These emails are typically used for bug reporting. Thus, even support emails listed for extensions from larger companies are usually routed to developers who may not have the level of security awareness required to find suspicion in such an attack. As per SquareX’s attack disclosure and the Cyberhaven breach that occurred within the span of less than two weeks, the company has strong reason to believe that many other browser extension providers are being attacked in the same way. SquareX urges companies and individuals alike to conduct a careful inspection before installing or updating any browser extensions.

Fig 3. Contact details of extension developers are publicly available on Chrome Store

SquareX team understands that it can be non-trivial to evaluate and monitor every single browser extension in the workforce amidst all the competing security priorities, especially when it comes to zero-day attacks. As demonstrated in the video, the fake privacy policy app involved in Cyberhaven’s breach was not even detected by any popular threat feeds.

SquareX’s Browser Detection and Response (BDR) solution takes this complexity off security teams by:

*   Blocking OAuth interactions to unauthorized websites to prevent employees from accidentally giving attackers unauthorized access to your Chrome Store account
*   Blocking and/or flagging any suspicious extension updates containing new, risky permissions
*   Blocking and/or flagging any suspicious extensions with a surge of negative reviews
*   Blocking and/or flagging installations of sideloaded extensions
*   Streamline all requests for extension installations outside the authorized list for quick approval based on company policy 
*   Full visibility on all extensions installed and used by employees across the organization

> SquareX’s founder Vivek Ramachandran warns: “Identity attacks targeting browser extensions similar to this OAuth attack will only become more prevalent as employees rely on more browser-based tools to be productive at work. Similar variants of these attacks have been used in the past to steal cloud data from apps like Google Drive and One Drive and we will only see attackers get more creative in exploiting browser extensions. Companies need to remain vigilant and minimize their supply chain risk without hampering employee productivity by equipping them with the right browser native tools.”

**About SquareX:**

SquareX helps organizations detect, mitigate, and threat-hunt client-side web attacks happening against their users in real-time.

SquareX’s industry-first Browser Detection and Response (BDR) solution, takes an attack-focused approach to browser security, ensuring enterprise users are protected against advanced threats like malicious QR Codes, Browser-in-the-Browser phishing, macro-based malware, and other web attacks encompassing malicious files, websites, scripts, and compromised networks.

With SquareX, enterprises can provide contractors and remote workers with secure access to internal applications, and enterprise SaaS, and convert the browsers on BYOD / unmanaged devices into trusted browsing sessions.

**Contact**

**Head of PR**  
**Junice Liew**  
**SquareX**  
**\[email protected\]**

SquareX Researchers Expose OAuth Attack on Chrome Extensions Days Before Major Breach

From Elon Musk and Donald Trump to state-sponsored hackers and crypto scammers, this was the year the online agents of chaos gained ground.

For its entire existence as a global medium, the internet's evolution has been caught in a tug of war, pulled by opposing forces: on one side, moderation and control; on the other, disruption and anarchy.

This year, the most prominent actors weighing in on the side of disruption were familiar faces: The reckless oligarchs, cybercriminals, scammers, and state-sponsored hackers who made the internet feel particularly dangerous in 2024 were, to some degree, the same forces destabilizing the online world in 2023. But perhaps more than in any other recent year, those agents of chaos seemed to persist in the face of opposition, to grow in their influence—and to win.

From Elon Musk's completed remake of X in his own tech-bro image to Trump's disinformation-fueled campaign, to Russia's ongoing cyberattacks against Ukraine, to China's relentless onslaught of digital intrusions and crypto scammers' global spread, the online experience of 2024 was messy, hazardous, and Hobbesian. And for the most part, the people who made it that way are poised to exert even more influence over the year to come.

As we do every year, WIRED has assembled a list of the most dangerous people, groups, and organizations on the internet. Here are our picks for 2024.

**Elon Musk**

After years of evolution from entrepreneur to edgelord, Musk seemed to reach his final form this year in the run-up to November's US election. Once a technologist with ambiguous politics who occasionally pursued public arguments against scuba divers, Musk now uses his megaphone of 200-million-plus followers on X, the social media platform he fully controls, to broadcast an unrelenting stream of anti-regulation, anti-immigrant, anti-transgender, anti-press, anti-progressive talking points. He's amplified and repeated disinformation, like claims after the disastrous damage done by Hurricanes Helene and Milton that the Federal Emergency Management Agency (FEMA) was hoarding supplies or had spent its budget on migrants instead of needy Americans. He's repeated debunked theories about voter fraud and immigrants swinging elections. In at least one case, he's even seemed to drop a reference that suggest support for the QAnon movement, which maintains bizarre theories about satanic pedophile rings that only Donald Trump can destroy.

Meanwhile, Musk continues to push his AI startup, xAI, toward one of the most no-holds-barred visions of what that technology can make possible, with little regard for safety or preventing its use for disinformation. The company this year launched new image-generation capabilities in its Grok tool that were immediately used to create images of copyrighted characters, celebrities, and political figures in compromising or sexual positions. Musk himself at one point posted an AI-generated deepfake of Kamala Harris that mocked her with her own voice—with no annotation that it was not authentic—that received 150 million views.

More than any particular political message or technology he's pushed, however, the danger Musk represents is simply that the richest man in the world can buy one of the internet's most vital media platforms, then use it, along with hundreds of millions of dollars in donations, to elect the president of his choosing and shape US policy. After Trump's election, Musk was rewarded with hundreds of billions more in net worth. The system, in other words, is working—for oligarchs like Elon Musk.

**Donald Trump**

For the next four years, Donald Trump will once again be the most powerful single person in the world. This year, he was just a very loud one. On social media platforms like X—where Musk reinstated Trump's account despite a 2021 ban following his incitement of the January 6 storming of the US Capitol—and Trump's own Truth Social, he lit fires with false claims that arguably helped fuel his path to political victory. Like Musk, he made and repeated falsehoods such as FEMA spending its budget on immigrants rather than hurricane victims, or that immigrants were stealing and eating pets. By converting Robert F. Kennedy Jr. from a third-party candidate to an endorsing ally, Trump also reciprocally endorsed RFK Jr.'s long-running stream of anti-vaccine misinformation, rhetoric that has led to childhood vaccine rates now dipping to a lower level than before the Covid-19 pandemic.

Once his second term in office begins, Trump is poised to use digital surveillance to carry out a highly disruptive and even vindictive agenda: He's promised mass deportations of millions of immigrants starting on day one of his administration, and he's vowed to target political opponents and journalists with prosecution. There's little doubt that Trump will top this list in 2025. But in 2024, his words alone represent a clear and present danger.

**Volt Typhoon**

In the cybersecurity world, the last months of 2024 have been dominated by warnings from public officials about a Chinese state-sponsored hacking group known as Salt Typhoon, which has penetrated at least eight telecoms, in some cases accessing the real-time calls and texts of Americans. But in the midst of that cyberespionage scandal, a different, far more dangerous digital threat from China still quietly looms: A Chinese state-sponsored group called Volt Typhoon spent much of 2024 continuing its stealthy campaign to breach US critical infrastructure facilities—not to spy on communications, but to prepare for a potential cyberattack. While headlines about Volt Typhoon have largely dissipated since it was first called out and named by Microsoft in May of 2023, officials warn that the group continues to “pre-position” itself inside of networks that appear to be chosen for maximum disruption, perhaps timed to a Chinese invasion of Taiwan. Given that Chinese head of state Xi Jinping has told his country's military to be prepared for that invasion by 2027, now is the time to head off the digital salient of what could be a world-shaking future war.

**Sandworm**

While Volt Typhoon prepares, Sandworm attacks. The Russian hacking group, a unit of the country's GRU military intelligence agency, has in fact carried out many of the most disruptive cyberattacks of the past decade. Those attacks—mostly in Ukraine—include at least three blackouts triggered by its hacking, the destructive NotPetya malware that spread around the globe and inflicted $10 billion in damage, and countless data-destroying breaches that the group has carried out since the beginning of Russia's full-scale invasion of Ukraine in 2022. In 2024, as Russia fought Ukraine to a stalemate or regained territory in the east of the country, Sandworm continued to project its power beyond that front: Security firm StrikeReady discovered Sandworm targeting Ukraine's energy sector again this fall, perhaps in preparation for another round of electrical utility hacking, either to carry out its own attacks or as reconnaissance for the Russian military's now-annual physical bombing of Ukraine's grid.

**Israeli Military and Intelligence**

Last year, WIRED named both the IDF and Hamas on this list, a nod to each side's use of the internet in its propaganda efforts in the war in Gaza following Hamas' October 7 attack. This year, with Israel's adversaries in that conflict like Hamas and Hezbollah significantly weakened and in retreat, it's the Israeli forces that remain on the offensive. Israel's military continues to use AI tooling to identify targets for bombs as its strikes have killed tens of thousands of Gazan civilians and leveled entire cities in the territory. Israeli missiles continue to intermittently knock out Gaza's communications infrastructure, destroying 80 percent of the country's top telecom's cell towers and leading to information blackouts amid the destruction and starvation of that now year-plus siege. Add to all of that a still-mysterious Israeli supply chain attack that hid lethal explosives in pagers and walkie-talkies in an effort to target Hezbollah operatives, which led to immediate distrust of all communications devices in the country, and Israel's government forces remain an internet apex predator by any definition.

**Black Cat/AlphV/RansomHub**

Ransomware in 2024 was, again, one of the most abhorrent forms of cybercrime to blight the internet. But few ransomware attacks in history have been quite as dangerous and damaging as the one that targeted UnitedHealthcare subsidiary Change Healthcare early this year, carried out by a ransomware group known as Black Cat or AlphV. Even after extracting a $22 million ransom from the company—a payment processor that handles around 40 percent of all health care insurance claims across the US—the hackers' disruption of Change's network continued to prevent the company from completing payments to pharmacies, clinics, health care practices, and hospitals across the country for weeks, causing some to even go out of business. Then, as if it hadn't inflicted enough chaos, AlphV ran off with Change's ransom money instead of sharing it with a group of hackers with whom it had partnered to infiltrate the company. That led the jilted hackers to share the data stolen from Change Healthcare with another, newer ransomware crew called RansomHub, which extorted the company a second time—an unprecedented health care cybersecurity debacle.

**The Com**

Even in an age of state-sponsored Chinese cyberspies, Russian hacker saboteurs, and ransomware gangs, nihilistic young hackers remain a constant in the darker corners of the internet. And few of those corners are as dark as the ones frequented by the Com. The loose movement of online trolls and criminals who operate under the Com banner in channels on Telegram and Discord, many just in their teens, engage in some of the most despicable digital crimes possible, from petty crypto theft and ransomware to sextortion, harassment, and the creation and trade of child sexual abuse material. This year, several members of a Com subgroup of ransomware hackers known as Scattered Spider were arrested, following their alleged high-profile 2023 attacks on companies including Caesar's Entertainment and MGM Resorts. But other members of the group are allegedly responsible for the serial breaches of well over a hundred customers of the cloud provider Snowflake. It's a safe bet that the Com will continue to serve as a haven for plenty more criminal acts to come.

**Data Brokers**

Once, privacy fears centered on government agencies like the FBI and NSA and their ability to carry out mass surveillance worldwide. Now, increasingly, we give away that same surveillance data en masse to companies you've never heard of. This year, it came to light that several data brokers collect and then sell access to Americans' highly granular location data pulled from their phones. Surveillance services like Babel Street's LocateX allegedly can—and do—track visitors to sensitive locations abortion clinic or mosques. A data broker called Near Intelligence left a vast cache of location data exposed online, revealing the movements of hundreds of visitors to sex trafficker Jeffrey Epstein's island in the Caribbean. Reporting on both companies has demonstrated how much private location data our devices leave behind as revelatory digital detritus, and how the possession of that data now extends far beyond government agencies to little-known firms with highly questionable privacy and security practices.

**Character.AI**

If 2023 was the year that AI tools future-shocked the internet with their seemingly abrupt rise to prominence, 2024 was the year that those tools became normalized, quietly settling into common use in spite of all their alleged flaws and ethical problems. Yet those issues are still there, and perhaps no startup better exemplifies them than Character.AI, an AI firm backed by $2.7 billion in investment from Google. According to lawsuits filed in Texas and Florida against the company, its chatbots have encouraged children to engage in self-harm and violence against their parents, and allegedly contributed to 14-year-old dying by suicide. Other chatbots hosted by the company have allegedly coached kids into developing eating disorders, role-playing as school shooters, and even seemed to be sexually grooming them. Despite repeatedly vowing to implement age restrictions, no meaningful age safeguards appear to have been added even now, according to news outlet Futurism. If this is the future of artificial intelligence, the AI era is going to be a dark age indeed.

**Crypto Scammers**

The crypto-based investment scams known as “pig butchering”—a term experts now say should be retired because it can further harm victims—pulled in a staggering $37 billion in 2023, and likely more in 2024. The victims of that explosively growing form of crimes aren't just those who fall for its scams and lose their life savings, but also many of the perpetrators of the scams themselves: As many as 200,000 people have been enslaved in compounds across Southeast Asia and forced to carry out the fraud schemes. In some cases, they've been kept in electrified shackles and faced threats of cattle prods and beatings from the gangs overseeing their work. This year, the dystopia those scammers have ushered in has begun to spread worldwide, with operations cropping up in the Middle East, Eastern Europe, Latin America, and West Africa. The targets of their fraud, of course, are even more global. Crypto scams have already become a top-tier form of cybercrime, and there's no end in sight to the expansion of this predatory underworld industry.

The Most Dangerous People on the Internet in 2024

Organizations in the region should expect to see threat actors accelerate their use of AI tools and mount ongoing "harvest now, decrypt later" attacks for various malicious use cases.

Source: Tero Vesalainen via Shutterstock

If incidents this year are any indication, deepfakes and “harvest now, decrypt later” attacks spurred by the growing adoption of quantum computing projects are among the many concerns that organizations in the Asia-Pacific (APAC) region will need to deal with in 2025.

Over the past year, cybercriminals operating in the APAC region have increasingly leveraged AI to launch sophisticated campaigns — such as AI-generated phishing emails, adaptive malware, and deepfakes. The attacks have undermined trust in critical communications and exacerbated social tensions, says Clement Lee, security architect and evangelist at Check Point Software Technologies, Asia Pacific.

**An Increase in Deepfakes & Quantum Computing-Related Cyberattacks**

"This was starkly demonstrated during recent elections seen across APAC: in India where deepfakes fueled widespread disinformation; in Indonesia, where a doctored deepfake video aimed to stir anti-China sentiment; and in Hong Kong, a finance worker who was duped into sending $25 million by a deepfake impersonation of company executives," Lee says. As these tactics start extending from political spheres into the corporate realm, businesses must adopt AI-driven security defenses to counter them, Lee notes.

Simon Green, president of Asia, Pacific, and Japan at Palo Alto Networks, described the APAC region as being on the cusp of a "perfect storm of AI-driven cyber threats" heading into 2025. Attacks featuring deepfake audio and video will likely be the most visible manifestations of the trend, he noted.

Related:Middle East Cyberwar Rages On, With No End in Sight

"We can expect deepfakes to be used alone or as part of a larger attack much more often in 2025," Green said. The use of audio deepfakes in particular is likely to increase over the next 12 month, as technology for highly credible voice cloning becomes more easily accessible.

**AI-Focused Cybersecurity Preparations**

Expect also to see more organizations in the APAC region looking for ways to better protect their data as they implement AI-enabled projects.

"Our customers are asking how they can get more value out of their data, while maintaining robust security, especially as they look to benefit from GenAI products like Microsoft Copilot," adds Max McNamara, vice president and managing director Australia and New Zealand at AvePoint.

"This starts with having secure, accessible data, ensuring you can scale with solutions that don't compromise your security posture, and rigorously adhering to increasingly complex regulatory standards," he says. APAC organizations will increasingly be looking to ensure their data is not just accessible, but also fundamentally secure within their borders, he notes.

Related:'Dubai Police' Lures Anchor Wave of UAE Mobile Attacks

"Our customers are asking how they can get more value out of their data, while maintaining robust security, especially as they look to benefit from GenAI products like Microsoft Copilot," McNamara says, adding that this starts with having secure, accessible data, ensuring you can scale with solutions that don't compromise your security posture, and rigorously adhering to increasingly complex regulatory standards.

**Quantum Projects Will Drive Increase in Harvest Now, Decrypt Later Attacks**

The growing number of quantum computing projects in the APAC region is likely going to fuel an increase in "harvest now, decrypt later" attacks as well. Such attacks involve adversaries collecting and storing currently encrypted data with the intention of decrypting it in the future, when quantum computers become powerful enough to break today's encryption standards. The attacks pose a significant threat to sensitive information that needs to remain secure for extended periods of time.

According to Fortune Business Insights, Asia Pacific is the fastest growing quantum computing market in the world, with multiple companies including IBM, Microsoft, Google, Alibaba, Baidu, JSR, and D-Wave systems currently involved in large regional quantum software and hardware projects. One example is a new quantum computing cloud platform that Alibaba has deployed in collaboration with the Chinese Academy of Sciences. Some quantum projects in the APAC region are happening at a national level, such as India's US-funded National Mission on Quantum Technologies & Applications, and Singapore's Quantum Engineering Programs.

Related:Governments, Telcos Ward Off China's Hacking Typhoons

"The advent of quantum computing threatens to render current encryption standards obsolete, risking exposure of sensitive data and compromising critical infrastructure," Lee says. "Quantum-resistant cryptography will gain traction as organizations prepare for future decryption threats."

Organizations in the APAC region should expect increased interest in harvest now, decrypt later attacks from a wide range of adversaries, including nation-state-backed threat actors, according to Palo Alto Networks' Green. The attacks will pose a threat to governments and businesses, civilian and military communications, critical infrastructure, and organizations developing quantum projects, Green said. Organizations concerned about the trend should develop a quantum resistant road map that includes deployment of quantum resistant tunnelling, stronger crypto libraries and quantum key distribution, according to Palo Alto Networks.

Richard Sorosina, chief technology security officer and vice president of solution architecture at Qualys' EMEA & APAC operations, believes that the fast-evolving and increasingly sophisticated nature of the APAC threat landscape will likely accelerate ongoing consolidation of security capabilities at many organizations in the region. He expects organizations will increasingly move toward a unified security platform approach that will provide both a centralized view of risk across the organization and mechanisms to remediate that risk when found. Many of these efforts will be "driven by a need to reduce complexity, increase operational efficiency, enhance detection and response capabilities, and reduce overall cost," Sorosina says.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Deepfakes, Quantum Attacks Loom Over APAC in 2025

KrebsOnSecurity.com turns 15 years old today! Maybe it's indelicate to celebrate the birthday of a cybercrime blog that mostly publishes bad news, but happily many of 2024's most engrossing security stories were about bad things happening to bad guys. It's also an occasion to note that despite my publishing fewer stories than ever this past year, we somehow managed to attract near record levels of readership (thank you!).

Image: Shutterstock, Dreamansions.

KrebsOnSecurity.com turns 15 years old today! Maybe it’s indelicate to celebrate the birthday of a cybercrime blog that mostly publishes bad news, but happily many of 2024’s most engrossing security stories were about bad things happening to bad guys. It’s also an occasion to note that despite my publishing fewer stories than ever this past year, we somehow managed to attract near record levels of readership (thank you!).

In case you missed any of them, here’s a recap of 2024’s most-read stories. In January, KrebsOnSecurity told the story of a Canadian man who was falsely charged with larceny and lost his job after becoming the victim of a complex e-commerce scam known as triangulation fraud. This can occur when you buy something online — from a seller on **Amazon** or **eBay**, for example — but the seller doesn’t actually own the item for sale. Instead, they purchase the item using stolen payment card data and your shipping address. In this scam, you receive what you ordered, and the only party left to dispute the transaction is the owner of the stolen payment card.

Triangulation fraud. Image: eBay Enterprise.

March featured several investigations into the history of various people-search data broker services. One story exposed how the Belarusian CEO of the privacy and data removal service **OneRep** had actually founded dozens of people-search services, including many that OneRep was offering to remove people from for a fee. That story quickly prompted Mozilla to terminate its partnership with OneRep, which Mozilla had bundled as a privacy option for Firefox users.

A story digging into the consumer data broker **Radaris** found its CEO was a fabricated identity, and that the company’s founders were Russian brothers in Massachusetts who operated multiple Russian language dating services and affiliate programs, in addition to a dizzying array of people-search websites.

Radaris repeatedly threatened to sue KrebsOnSecurity unless that publication was retracted in full, alleging that it was replete with errors both factual and malicious. Instead, we doubled down and published all of the supporting evidence that wasn’t included in the original story, leaving little room for doubt about its conclusions. Fittingly, Radaris now pimps OneRep as a service when consumers request that their personal information be removed from the data broker’s website.

Easily the longest story this year was an investigation into Stark Industries Solutions, a large, mysterious new Internet hosting firm that materialized when Russia invaded Ukraine. That piece revealed how Stark was being used as a global proxy network to conceal the true source of cyberattacks and disinformation campaigns against enemies of Russia.

The homepage of Stark Industries Solutions.

Much of my summer was spent reporting a story about how advertising and marketing firms have created a global free-for-all where anyone can track the daily movements and associations of hundreds of millions of mobile devices, thanks to the ubiquity of mobile location data that is broadly and cheaply available.

Research published in September explored the dark nexus between harm groups and cybercrime communities consumed with perpetrating financial fraud. That analysis found an increasing number of young, Western cybercriminals are also members of fast-growing online groups that exist solely to bully, stalk, harass and extort vulnerable teens into physically harming themselves and others.

One focus of that story was a Canadian cybercriminal who used the nickname **Judische.** Identified by the Mandiant as one of the most consequential threat actors of 2024, Judische was responsible for a hacking rampage that exposed private information on hundreds of millions of Americans.  That story withheld Judische’s real name, but the reporting came in handy in late October when a 25-year-old Canadian man named Connor Riley Moucka was arrested and charged with 20 criminal counts connected to the Snowflake data extortions.

A surveillance photo of Connor Riley Moucka, a.k.a. “Judische” and “Waifu,” dated Oct 21, 2024, 9 days before Moucka’s arrest. This image was included in an affidavit filed by an investigator with the Royal Canadian Mounted Police (RCMP).

In November, KrebsOnSecurity published a profile of Judische’s accomplice — a hacker known as **Kiberphant0m** — detailing how Kiberphant0m had left a trail of clues strongly suggesting that they are or recently were a U.S. Army soldier stationed in South Korea.

My reporting in December was mainly split between two investigations. The first profiled **Cryptomus**, a dodgy cryptocurrency exchange allegedly based in Canada that has become a major payment processor and sanctions evasion platform for dozens of Russian exchanges and cybercrime services online.

How to Lose a Fortune with Just One Bad Click told the sad tales of two cryptocurrency heist victims who were scammed out of six and seven figures after falling for complex social engineering schemes over the phone. In these attacks, the phishers abused at least four different Google services to trick targets into believing they were speaking with a Google representative, and into giving thieves control over their account with a single click. Look for a story here in early 2025 that will explore the internal operations of these ruthless and ephemeral voice phishing gangs.

Before signing off for 2024, allow me to remind readers that the reporting we’re able to provide here is made possible primarily by the ads you may see at the top of this website. If you currently don’t see any ads when you load this website, please consider enabling an exception in your ad blocker for KrebsOnSecurity.com. There is zero third-party content on this website, apart from the occasional Youtube video embedded as part of a story. More importantly, all of our ads are static images or GIFs that are vetted by me and served in-house directly.

Fundamentally, my work is supported and improved by _your_ _readership_, tips, encouragement and, yes, criticism. So thank you for that, and keep it coming, please.

Here’s to a happy, healthy, wealthy and wary 2025. Hope to see you all again in the New Year!

Happy 15th Anniversary, KrebsOnSecurity!

IN THIS ARTICLE, YOU WILL LEARN: NFT-focused news website NFTEvening and the NFT market’s data and analytics-based platform…

**IN THIS ARTICLE, YOU WILL LEARN:**

*   **Study Overview**: NFTEvening and Storible collaborated on a study to test whether AI, specifically Long Short-Term Memory (LSTM) networks, can recover missing cryptocurrency seed phrases by analyzing 85.7 million combinations using the BIP39 word list.

*   **AI’s Capabilities**: The neural network, trained for 30 days, achieved a prediction rate of 994,051 guesses per second. It could recover one missing word in 0.02 seconds, two words in 29 seconds, and three words in 2.28 hours. Recovery of up to four words required 178 hours, with recovery times increasing exponentially for more missing words.

*   **LSTM Functionality**: LSTMs are a type of RNN that excels in sequential data processing, using memory cells and gates to predict and complete patterns in text-like data, making them suitable for seed phrase prediction.

*   **Security of Crypto Seed Phrases**: Despite AI’s advancements, the massive number of possible seed phrase combinations makes it practically impossible for AI to recover enough words to breach cryptocurrency wallets. For example, cracking eight missing words would take 174 times the universe’s age.

*   **Conclusion and Disclaimer**: The study shows that AI is not a current threat to cryptocurrency seed phrase security if the phrase remains secret. However, these findings are based on current AI capabilities and computational limits.

NFT-focused news website NFTEvening and the NFT market’s data and analytics-based platform Storible collaborated to conduct a study to investigate whether powerful AI, specifically a type called Long Short-Term Memory (LSTM), can crack cryptocurrency seed phrases. 

For this research, they analysed 85,714,285 seed phrase combinations using 2048 words from the BIP39 word list to determine the time it takes for AI to recover missing crypto seed phrases and the feasibility of LSTM networks in recovering lost or incomplete cryptocurrency phrases.

For this, a neural network was trained on a cloud-based server for 30 days to predict seed phrases and estimate recovery time. The model used LSTM architecture, achieving an average prediction rate of 994,051 guesses per second. The recovery time was analyzed using scenarios from one to twelve missing words.

The results showed that AI could retrieve one missing word in 0.02 seconds, two words in 29 seconds, three words in 2.28 hours, and up to four words in a max recovery time of 178. Moreover, AI can discover the correct seed phrase sequence of 12 words in just 8 minutes, whereas the time needed to recover 8 missing words from a seed phrase is 174 times longer than the universe’s current age.

****What is LSTM?****

For your information, a seed phrase is like a secret password for your cryptocurrency. It is a list of 12-24 words that gives you access to your digital wallet.

LSTM networks are Recurrent Neural Networks (RNN) that excel in remembering information over extended sequences. They incorporate memory cells and gates to control information flow, allowing them to effectively learn and predict patterns in sequential data like text and time series.

****How LSTMs Work in Seed Phrase Recovery****

LSTMs can predict the next likely word in a sequence or complete missing words by observing patterns in known seed phrases. Memory cells store crucial information, with three gates – forget, input, and output – regulating the flow of information. The forget gate discards irrelevant information, the input gate determines new information, and the output gate controls the next word prediction.

The researchers tried to use this AI to guess missing words in seed phrases. They tested it on millions of possible combinations. They found that even with this powerful AI, it would take an incredibly long time, longer than the universe’s age, to guess enough words to steal someone’s cryptocurrency.

The research indicates that AI is not a threat to your cryptocurrency if you keep your seed phrase secret. While AI may eventually crack seed phrases, it is currently highly secure. Though LSTMs offer powerful capabilities for sequence learning, the sheer number of possible combinations and the inherent complexity of seed phrase structures make successful recovery highly improbable.

_**Disclaimer:** This analysis provides an estimate based on current AI capabilities and computational power._

1.  AI-based Model to Predict Extreme Wildfire Danger
2.  Are We on the Brink of Saying Goodbye to Passwords?
3.  Google’s Gemini AI Chatbot Keeps Telling Users to Die
4.  Guessing passcode “just from the way we tilt our phone”
5.  unCAPTCHA algorithm Crack Google’s AI System reCAPTCHA

Study Finds AI Can Guess Crypto Seed Phrases in 0.02 Seconds

Secure Gaming during holidays is essential as cyberattacks rise by 50%. Protect accounts with 2FA, avoid fake promotions,…

Secure Gaming during holidays is essential as cyberattacks rise by 50%. Protect accounts with 2FA, avoid fake promotions, use secure downloads, and trust verified tools to enjoy safe, uninterrupted gameplay.

The holiday season is a time of joy for gamers, with more free time to play, exciting events, and in-game promotions. However, this festive period comes with higher risks of cyberattacks than any other period of the year.

Studies by Wowvendor, a company dealing in WoW services, indicate that hackers increase their activity by 50% during the holidays and especially prey on gamers via malware and phishing. This article will detail these risks and give some useful advice on how to enjoy gaming without compromising your account security.

****The Rise of Cyber Threats During Holidays****

The gaming community gets busy during the holidays. Unfortunately, cybercriminals find this an attractive target. The key reasons for increased risks are as follows:

*   **Increased player traffic** – A large consumer base of online gaming creates, in turn, more opportunities for hackers to exploit vulnerabilities.
*   **Attractive holiday promotions** – Many players get tricked into fake giveaways and deals, without knowing it compromises their data security.
*   **Malware in pirated games** – Most of the time, hackers put harmful software inside cracked versions of popular titles.

For instance, cybersecurity companies have informed that the number of phishing emails with “in-game rewards notifications” and “discount offers” have spiked around the times of past holiday seasons. These examples of threats put the importance of vigilance during peak gaming hours deeper into focus.

****Common Cyber Threats to Gamers****

Cyber threats range from gaming cyber attacks and data security incidents to DDoS attacks. This will likely impact some players more and possibly their performance during peak gaming periods. Understanding these dangers can help players stay protected:

****Fake add-ons, mods and Phishing schemes** **

Hacks through counterfeit mods are common in games such as World of Warcraft. Hackers distribute these infected mods using counterfeit mods and give the malware the chance to steal login credentials or infect the device they’re playing on. Additionally, fraudulent links and websites trick people into providing personal information or downloading malicious software.

****DDoS attacks** **

The gaming industry is seeing a lot of DDoS attacks (distributed denial of service attacks), wherein hacker group gets a network of infected devices (botnet) that perform a network DDoS attack to inundate a game server or a group of players with a massive amount of traffic. This overload disrupts the server or network connection and has broken the game so that normal users can’t even get in.

These attacks send many requests and place a heavy load onto the server. Hackers aim at certain players’ IP addresses and try to degrade their connection, or that of the player behind it, to give themselves an in-game advantage. This type of targeted interference disrupts competitive gameplay and can negatively impact a game’s experience for the player.

Additionally, the number of ransomware attacks against gaming accounts has risen as well. They involve locking players out of their accounts and asking for payment to access them. When you are faced with unfamiliar software or links, it’s best to stay awake and alert to risks.

****Best Practices for Secure Gaming****

A large number of cyber attacks on gamers can stem from unauthorized downloads, according to leading cyber security firm Kaspersky. To enjoy your games safely during the holidays, follow these cybersecurity tips:

*   **Download software from official sources** — Do not download games or updates from untrusted websites — they can hide malware.
*   **Use two-factor authentication (2FA)** — It simply gives you extra protection for your gaming accounts.
*   **Verify promotional offers** — Don’t accept offers that are simply too good even to be true. There are always official channels for you to confirm their legitimacy.
*   **Avoid cracked games** — First and foremost pirated games are illegal, and they’re dangerous for security reasons too.

Working with your use of strong, unique passwords across all your accounts, these measures can go a long way toward mitigating your risk of being victimized in this way.

****The Role of Gaming Companies****

Leading gaming companies have stepped up their efforts to combat cyber threats. Their initiatives include:

*   **Enhanced security systems** – AI detecting and blocking unusual activity on gaming networks.
*   **Regular updates and patches** – Time and time again, developers release updates to patch vulnerabilities, and protect players with updates.
*   **Player education** – Many platforms offer users a way of recognizing and preventing scammers.

For instance, World of Warcraft’s creators, Blizzard Entertainment, is constantly monitoring its ecosystem for threats and expelling them while at the same time urging players to use solutions, for example, 2FA. Machine learning has been introduced into other companies, such as Valve and Riot Games, in an attempt to detect possible hacking through in-game behaviours.

****Advanced Cybersecurity Tools for Gamers****

Gamers now have access to cutting-edge cybersecurity solutions tailored to safeguard their online experience:

*   **Gaming-optimized VPNs** – VPN services will make sure that you have safe, encrypted connections while reducing latency and optimizing the routing of the server. It shields against DDoS attacks and keeps the gameplay smooth.
*   **Anti-phishing extensions** – Google Safe Browsing and Microsoft Defender SmartScreen are tools that actively block malicious sites and alert players that a phishing page is attempting to lure them into a trick.
*   **Behavioural analytics and anti-cheat systems** – Dedicated platforms use machine learning to analyze login patterns and in-game behaviour, detecting anomalies like hacking or unauthorized access.
*   **DDoS mitigation services** – Distribution denial-of-service attacks that cause gaming servers to stop working are identified and neutralized by Cloudflare, Akamai Prolexic, and other companies that protect gaming servers so that gamers can continue enjoying online sessions uninterrupted.

With these state-of-the-art tools, gamers will be protected from changing threats, which will protect gaming for the holidays and beyond.

****Stay on the Safe Side****

The holiday season is a wonderful opportunity to connect with your favourite games and communities. While cyber threats do increase during this period, staying informed and adopting secure practices can protect your gaming experience. From using official platforms to enabling two-factor authentication, every step you take helps reduce risks.

Gaming companies are also playing their part by providing services and insights that enhance player safety. By working together and staying alert, gamers can fully embrace the holiday spirit, free from cybersecurity concerns.

1.  What is Blockchain Gaming and its Play-to-Earn Model?
2.  Exploring Data Privacy and Security in B2B Gaming Data
3.  The Rise of Blockchain Gaming and Secure Marketplaces
4.  Winos4.0 Malware Targeting Windows via Fake Gaming Apps
5.  Gcore Thwarts 500 Million PPS DDoS Attack on Gaming Company

Secure Gaming During the Holidays

The US water sector suffered a stream of cyberattacks over the past year and half, from a mix of cybercriminals, hacktivists, and nation-state hacking teams. Here's how the industry and ICS/OT security experts are working to better secure vulnerable drinking and wastewater utilities.

Source: Vyacheslav Lopatin via Alamy Stock Photo

The unprecedented wave of high-profile cyberattacks on US water utilities over the past year has just kept flowing.

In one incident, pro-Iranian hackers penetrated a Pittsburgh-area water utility's PLC and defaced the touchscreen with an anti-Israel message, forcing the utility to revert to manual control of its water pressure-regulation system. A water and wastewater operator for 500 North American communities temporarily severed connections between its IT and OT networks after ransomware infiltrated some back-end systems and exposed its customers' personal data. Customer-facing websites and the telecommunications network at the US's largest regulated water utility went dark after an October cyberattack.

Those were just some of the more chilling stories that have recently sparked fear over the security and physical safety of drinking water and wastewater systems. The cyberattacks have spurred warnings and security guidelines from the Cybersecurity and Infrastructure Security Agency (CISA), the White House, the FBI and the Office of the Director of National Intelligence (ODNI), the Environmental Protection Agency (EPA), and the Water ISAC (Information Sharing and Analysis Center).

Most of the attacks landed on the softest of targets, small water utilities without security expertise and resources, in mainly opportunistic attacks. Meanwhile, cyberattacks on large utilities like Veolia and American Water hit IT, not OT, systems — none of which actually disrupted water services. Overall, the cyberattacks on water appeared to be mainly about "poking around and eroding confidence," says Gus Serino, president of I&C Secure and a former process control engineer for the Massachusetts Water Resources Authority.

Related:IoT Cloud Cracked by 'Open Sesame' Over-the-Air Attack

The race is now on to secure the water sector — especially the smaller more vulnerable utilities — from further cyberattacks. Many larger water utilities already have been "stepping up their game" in securing their OT networks, and others started building out their security infrastructures years ago, notes Dale Peterson, president of ICS/OT security consultancy Digital Bond. "My first client in 2000 was a water utility," he recalls. "Some \[large utilities\] have been working on this for a very long time."

The challenge lies in securing smaller utilities, without overprescribing them with unnecessary and high-overhead security infrastructure. Tools that require expertise and overhead are a nonstarter at sites where there isn't even dedicated IT support, much less cyber know-how. Peterson argues that government recommendations for sophisticated security monitoring systems are just plain overkill for most small utilities. These tiny outfits have bigger and more tangible priorities, he says, like replacing aging or damaged pipes in their physical infrastructure.

Related:Frenos Takes Home the Prize at 2024 DataTribe Challenge

**ICS/OT Cyber-Risk: Something in the Water?**

Like other ICS/OT industries, water utilities of all sizes have been outfitting once-isolated programmable logic controller (PLC) systems and OT equipment with remote access, so operators can more efficiently monitor and manage plants from afar — to control water pumps or check alarms, for instance. That has put traditionally isolated equipment at risk.

"They are starting and stopping pumps, setting changes, responding to alarms or failures \[in\] a system. They remote in to look at SCADA/HMI screens to see what's wrong or to take corrective action," explains I&C Secure's Serino, who works closely with water utilities. He says it's rare for those systems to be properly segmented, and VPNs are "not always" used for secure remote access.

PLC vendors such as Siemens are increasingly building security features into their devices, but water plants don't typically run this next-generation gear.

"I have yet to see any secure PLCs deployed" in smaller water sites, Serino says. "Even if there are new PLCs, their security features are not 'on.' So if you \[an attacker\] can get in and get access to the device on that network, you can do whatever you are capable of doing to a PLC."

Related:20% of Industrial Manufacturers Are Using Network Security as a First Line of Defense

Because many ICS/OT systems integrators that install OT systems traditionally do not also set up security for the equipment and software they install in water utility networks, these networks often are left exposed, with open ports or default credentials. "We need to help integrators making \[and installing\] SCADA equipment for these utilities make sure they are secured" for utilities, says Chris Sistrunk, technical leader of Google Cloud Mandiant's ICS/OT consulting practice and a former senior engineer at Entergy. 

Default credentials are one of the most common security weaknesses found in OT networks, as well as industrial devices sitting exposed on the public Internet. The Iranian-based Cyber Av3ngers hacking group easily broke into the Israeli-made Unitronics Vision Series PLCs at the Aliquippa Municipal Water Authority plant (as well as other water utilities and organizations), merely by logging in with the PLCs' easily discoverable factory-setting credentials.

The good news is that some major systems integrators such as Black & Veatch are working with large water utilities on building security into their new OT installations. Ian Bramson, vice president of global industrial cybersecurity at Black & Veatch, says his team works with utilities that consider security a physical safety issue. "They are looking to build \[security\] in and not bolt it in," he explains, to prevent any physical safety consequences from poor cybersecurity security controls.

**Cybersecurity Cleanup for Water**

Meanwhile, there are plenty of free cybersecurity resources for resource-strapped water utilities, including the Water-ISAC's top 12 Security Fundamentals and the American Waterworks Association (AWWA)'s free security assessment tool for water utilities that helps them map their environments to the NIST Cybersecurity Framework. Kevin Morley, manager of federal relations for the AWWA and a utility cybersecurity expert, says the tool includes a survey of the utility's technology and then provides a priority list of the security controls the utility should adopt and address, focusing on risk and resilience.

"It creates a heat map" of where the utility's security weaknesses and risks lie, he says. That helps arm a utility with a cybersecurity business case in the budget process. "They can go to leadership and say 'we did this analysis and this is what we found,'" he explains.

There's also a new cyber volunteer program that assists rural water utilities. The National Rural Water Association recently teamed up with DEF CON to match volunteer cybersecurity experts to utilities in need of cyber help. Six utilities in Utah, Vermont, Indiana, and Oregon encompass the initial cohort for the bespoke DEF CON Franklin project, where volunteer ICS/OT security experts will assess their security posture and help them secure and protect their OT systems from cyber threats.

Mandiant's Sistrunk, who serves as a volunteer cyber expert for some small utilities, points to three main and basic security steps small (and large) utilities should take to improve their defenses: enact multifactor authentication, especially for remote access to OT systems; store backups offline or with a trusted third party; and have a written response plan for who to call when a cyberattack hits.

Serino recommends a firewall as well. "Get a firewall if you don't have one, and have it configured and locked down to control data flows in and out," he says. It's common for firewalls at a water utility to be misconfigured and left wide open to outgoing traffic, he notes: "If an adversary can get in, they could establish their own persistence and command and control, so hardening up the perimeter" for both outgoing and ingoing traffic is important.

He also recommends centralized logging of OT systems, especially for larger water utilities with the resources to support logging and detection operations: "Have the ability to detect a problem so you can stop it before it reaches the end goal of causing an impact."

**About the Author**

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Hackers Are Hot for Water Utilities

The work on quantum computing hit some major milestones in 2024, making the path to a workable quantum computer seem closer than ever. Google, Microsoft, and other research efforts hit significant milestones this year, but is the cybersecurity world ready?

Source: Marko Aliaksandr via Shutterstock

The quest to create a useful quantum computer reached a significant milestone at the end of 2024 with Google's announcement of its Willow chip. The chip promises reduced noise and fewer errors as the number of qubits grows — a necessary step to advance toward advanced quantum computing. Despite some debate on when these systems will actually become available, experts still advise making plans and migrating to post-quantum technologies.

The shift from today's technology, where adding more qubits adds more noise, to a future where increasing the number of qubits exponentially reduces the amount of noise — an achievement known as "threshold scalability" — conquers a major impediment to quantum computers. Creating a 1,000-qubit quantum computer requires foundational advancements beyond today's noisy intermediate-scale quantum (NISQ) computers to create reliable logical qubits that can be used in easily scaled architectures.

The Google announcement marks "a significant leap forward," says Karl Holmqvist, founder and CEO at Lastwall, an identity services provider focused on quantum resilience.

"Companies should be starting to get concerned about a usable quantum computer now," Holmqvist says. "This is not because there is proof of a cryptographically relevant quantum computer yet. It is because there are active campaigns that are currently taking place to capture encrypted data and store it until there is a system that can break our asymmetric encryption."

Related:Dark Reading Confidential: Quantum Has Landed, So Now What?

The threat posed by quantum computers seems to be becoming more real every day. In addition to Google's Willow chip announcement, Microsoft announced in November that it had reached a 24-qubit milestone with Atom Computing using lasers, while Japanese researchers from the Riken Quantum Computer Research Center announced a "general-purpose" optical quantum computer.

The future implications could be dire. The Hudson Institute, a free-market think tank, warns that quantum computers pose a systemic cyber-risk to financial systems; it published two papers describing risks of disruption to the US financial system and cryptocurrencies.

**Less Than a Decade Away?**

Quantum computing is one of those technologies that many have perennially predicted is only a decade away. Currently, the median estimate among experts is that within 15 years, a quantum computer will be able to break RSA-2048 in 24 hours, according to the "Quantum Threat Timeline Report 2024."

The middle-of-the-road estimate of when quantum computers will pose an encryption threat is less than 15 years. Source: Global Risk Institute

While many experts see the possibility of a useful quantum computer in less than a decade — based on three key areas: hardware progression, error correction, and algorithm development — useful quantum computers still have a long way to go before they become possible. For example, while Google's work on Willow is a major step toward making error correction — mainly a theoretical field before this decade — more achievable in larger quantum computing chips, achieving this step is just the second milestone out of six listed on its quantum computer road map.

Related:Quantum Leap: Advanced Computing Is a Vulnerable Cyber Target

In addition, gauging the risk is difficult, with terms such as "threshold scalability" and "quantum supercomputers" muddying the waters, says Rebecca Krauthamer, co-founder and CEO of QuSecure.

"There's so much complicated vocabulary when it comes to quantum, the thing that people need to look out for is when they start seeing quantum computers beginning to solve problems that they recognize," Krauthamer says. "So whether it's improved battery technology, or route optimization for self-driving cars, or optimized portfolio management, or breaking encryption — that's the time everybody should have already migrated to post-quantum technologies, and not just post-quantum but crypto-agile management of cryptography."

Yet the lack of significant benefits for the private sector could put a damper on development. The Boston Consulting Group, for example, points out that quantum computing programs have had difficulty converting effort into value.

"Quantum computing today provides no tangible advantage over classical computing in either commercial or scientific applications," BCG stated in a July analysis. "Though experts agree that there are clear scientific and commercial problems for which quantum solutions will one day far surpass the classical alternative, the newer technology has yet to demonstrate this advantage at scale."

**Experts Still Urge Preparation**

In addition, the point at which nation-states could use quantum computers to break encryption could be sooner, increasing the risk for some industries. Quantinuum, for example, accelerated its road map for fully fault-tolerant quantum computing to 2030 and warns that quantum secure solutions will likely be necessary before 2035.

"Given where we stand today, the need to complete migration to PQC \[post-quantum computing\] to effectively protect sensitive data needs to be prioritized," says Duncan Jones, head of cybersecurity for Quantinuum.

Quantinuum expects incremental advances in the next few years. That includes improvements in error correction and qubit scaling, continued research into applications such as quantum decryption, and, as a result, greater adoption of PQC technologies, such as post-quantum encryption, quantum key distribution, and quantum random number generation (QRNG), says the company's Jones.

"Organizations implementing quantum-safe strategies today should focus on PQC migration while ensuring their cryptographic foundations are as strong as possible through the use of QRNGs," he says. "This approach provides immediate security benefits while preparing for future quantum-safe technologies."

Google acknowledges that while its error correction breakthrough is significant, there is a difference between theory and practice.

"We still have a long way to go before we reach our goal of building a large-scale, fault-tolerant quantum computer," two members of the Google Quantum AI team stated in a blog post. "The engineering challenge ahead of us is immense."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Quantum Computing Advances in 2024 Put Security In Spotlight

iProov uncovers a major Dark Web operation selling stolen identities with matching biometrics, posing a serious threat to KYC verification systems

****SUMMARY****

*   **Dark Web Identity Fraud Operation:** iProov uncovered a sophisticated dark web network collecting genuine identity documents and facial images to bypass KYC verification.

*   **Voluntary Identity Compromise:** Individuals in regions like LATAM and Eastern Europe are willingly selling their personal and biometric data for short-term financial gain.

*   **Evolving Fraud Techniques:** Attackers use methods ranging from basic static images to advanced tools like deepfake software and custom AI models to defeat liveness checks.

*   **Global Biometric Data Risks:** High-profile breaches (e.g., ZKTeco and ChiceDNA) reveal vulnerabilities in biometric access systems and facial recognition technologies.

*   **Multi-Layered Defense Needed:** Experts recommend advanced real-time verification, challenge-response mechanisms, and continuous monitoring to counter these sophisticated threats.

iProov, a provider of science-based biometric identity verification solutions, has uncovered a large-scale Dark Web operation dedicated to bypassing Know Your Customer (KYC) verification checks. This operation involves systematically collecting genuine identity documents and corresponding facial images.

The iProov Security Operations Center (iSOC) and the company’s Biometric Threat Intelligence service discovered this threat through extensive threat-hunting activities and red team testing. The dark web group has amassed a substantial collection of these identities, potentially obtained through compensated participation where individuals willingly provide their personal information in exchange for payment. This alarming trend extends beyond traditional data theft, as individuals knowingly compromise their identities for short-term financial gain.

“What’s particularly alarming about this discovery is not just the sophisticated nature of the operation, but the fact that individuals are willingly compromising their identities for short-term financial gain,” said Andrew Newell, Chief Scientific Officer at iProov in a press release. Selling identity documents and biometric data not only risks financial security but also provides criminals with genuine identity packages for sophisticated impersonation fraud, Newell added.

This operation, primarily observed in the LATAM and Eastern Europe regions, presents a significant challenge to organizations relying on biometric verification. Genuine credentials paired with matching facial images can easily bypass traditional document verification and basic facial matching systems.

Furthermore, the sophistication of these attacks continues to evolve. While basic attacks utilize simple methods like printed photos or static images, mid-tier attackers employ more advanced techniques such as real-time face-swapping and Deepfake software.

The most sophisticated attackers leverage custom AI models and specialized software to create synthetic faces that can respond to liveness challenges, making it increasingly difficult to distinguish between genuine and fabricated interactions.

This indicates that verification systems face a multi-layered challenge in detecting fake documents and genuine credentials misused by unauthorized individuals. Biometric data, like fingerprints and facial recognition, is increasingly used for identification and security purposes. However, recent incidents involving major vendors and service providers highlight a growing threat to this sensitive information. 

> 📢 EXPOSED: Criminal networks aren't stealing identities anymore.
> 
> They're buying them. Legally. With cash.
> 
> And because these are REAL documents freely given, traditional fraud checks are useless.
> 
> Watch how this works 📷 or Read more: https://t.co/0mX1VSf9my pic.twitter.com/X2KR4tJ61t
> 
> — iProov (@iProov) December 23, 2024

In June 2024, Hackread reported Kaspersky Lab discovered 24 vulnerabilities in ZKTeco’s biometric access systems, which are used for facial recognition and entry control.  The vulnerabilities ranged from SQL injection vulnerabilities to buffer overflow flaws, allowing attackers to inject malicious code.

In September 2024, a separate incident exposed the sensitive data of thousands of customers who used ChiceDNA, an Indiana-based genetic testing and facial matching service. An unsecured WordPress folder left publicly accessible contained biometric images, personal details, and even facial DNA data.

Therefore, organizations should adopt a multi-layered verification approach to combat such threats. This includes verifying the presented identity against official documents and detecting real persons using embedded imagery and metadata analysis.

Real-time verification using unique challenge-response mechanisms, along with managed detection and response through advanced technologies and continuous monitoring, is also essential. Improving protection against sophisticated attacks would make it harder for attackers to spoof verification systems.

1.  **Thousands of UEFA Customer Credentials Sold on Dark Web**
2.  **Stolen Singaporean Identities Sold on Dark Web Starting at $8**
3.  **Dark Web Sales Fuel 32% Increase in Healthcare Cyberattacks**
4.  **Hackers Sell Fake Pegasus Spyware on Clearnet and Dark Web**
5.  **Dark Web Anti-Bot Services Help Phishers Bypass Google Alerts**

Tag

#google