Tigran Gambaryan, a former crypto-focused US federal agent, and a second Binance executive, Nadeem Anjarwalla, have been held in Abuja without passports for two weeks.

In his years as a US federal agent, Tigran Gambaryan helped to lead landmark investigations that took down cryptocurrency thieves and money launderers, dark-web drug dealers, and even crypto-funded child exploitation networks. Now, in his post-government role at the cryptocurrency exchange Binance, he has become the target himself of a very different sort of federal crypto crackdown: For the past two weeks, he and another Binance executive have been detained against their will by Nigerian officials.

Since February 26, Gambaryan, who now leads Binance's criminal investigations team, and Nadeem Anjarwalla, Binance's Kenya-based regional manager for Africa, have been stripped of their passports and held in confinement at a government property in the Nigerian capital of Abuja. Neither has been informed of any criminal charge against them, according to their families. Instead, the two men appear to have been swept up in Nigeria's broad actions to ban cryptocurrency exchanges amid a drastic devaluation of the country's national currency, according to the _Financial Times__,_ which was first to report the two executives' detention without identifying them.

“There’s no definite answer for anything: how’s he’s doing, what’s going to happen to him, when he’s coming back,” says Gambaryan’s wife, Yuki Gambaryan. “And not knowing that is killing me.”

Gambaryan, a US citizen, and Anjarwalla, a dual citizen of the UK and Kenya, arrived in Abuja on February 25, their families say, following the Nigerian government’s invitation to address its ongoing dispute with Binance. They met with Nigerian officials the next day, intending to speak to the government about its order to the country’s telecoms to block access to Binance and other cryptocurrency exchanges, which regulators blamed for devaluing its official currency, the naira, and for enabling “illicit flows” of funds.

Shortly after Gambaryan and Anjarwalla’s first meeting with the Nigerian government, however, Gambaryan and Anjarwalla were taken to their hotels, told to pack their things, and moved into a “guesthouse” run by Nigeria’s National Security Agency, according to their families. Officials seized their passports and have since held the two men at the house against their will for two weeks and counting.

Gambaryan has been visited by a US State Department official and Anjarwalla by a representative of the UK foreign office, their families say, but Nigerian government guards have also remained present in those meetings, preventing them from speaking privately.

When WIRED reached out to Binance, a spokesperson declined to comment on what the men or the company itself has been accused of or what demands the Nigerian government may have made for their release. “While it is inappropriate for us to comment on the substance of the claims at this time, we can say that we are working collaboratively with Nigerian authorities to bring Nadeem and Tigran back home safely to their families,” a Binance spokesperson tells WIRED. “They are professionals with the highest integrity and we will provide them all the support we can. We trust there will be a swift resolution to this matter.”

At one point last week, the two men were transferred to a local hospital after Anjarwalla fell ill. His exact symptoms were unclear but possibly indicated malaria, according to his wife. He has since recovered, however, and the two men were returned to the Nigerian government house, where they've been held since.

For Gambaryan in particular, becoming an apparent pawn in a dispute between Binance and an aggrieved government marks an ironic twist. Gambaryan's high-profile recruitment to lead Binance's investigations team in 2021 was widely regarded as an effort to clean up the exchange's flows of dirty money, better comply with regulations, and more closely cooperate with law enforcement. In late November of last year, Binance agreed to a plea deal with American prosecutors in which it would pay a record $4.3 billion settlement for alleged money laundering and submit to intense ongoing scrutiny from US regulators.

Prior to taking the Binance position, Gambaryan had become well known in the law enforcement world for his record of pioneering high-impact cryptocurrency cases as an agent in the US Internal Revenue Service’s criminal investigations (IRS-CI) division. From 2014 to 2017 alone, for instance, Gambaryan led the investigation into two corrupt federal agents who stole cryptocurrency from the Silk Road dark-web drug market and sold law enforcement intel to its creator, worked to track down 650,000 bitcoins stolen from the Mt. Gox exchange, helped develop a crypto tracing technique to find the server running the massive AlphaBay crime market, and had a hand in the takedown of the Welcome to Video crypto-based child sexual abuse materials network.

In his years at IRS-CI, Gambaryan was a “top-notch agent” of “the highest integrity,” according to Will Frentzen, a former prosecutor who worked closely with Gambaryan. “The cases he was involved in are a who’s who of the biggest crypto cases of that time,” says Frentzen. “He was innovative in investigating things in ways that very few people in the country had figured out, and incredibly selfless in terms of who got credit. I don’t think anyone had a bigger impact on these types of investigations.”

Gambaryan’s wife, Yuki, points to that track record to argue that her husband has earned the support of the US government, which she says now needs to help negotiate his freedom. “He’s done so much good for this country throughout his career,” she says. “I believe it’s his turn to get the same amount of support from his country.” She says she’s not aware of what exactly the State Department or the US embassy in Abuja has done so far to extricate him.

Anjarwalla, an Oxford- and Stanford-educated government affairs specialist for Binance, joined the crypto company a year ago. His wife, Elahe Anjarwalla, writes in a statement that he’s a “middle management employee of Binance with no decision-making authority.” She adds that Anjarwalla, a Muslim, is being held during Ramadan; that their infant son had his first tooth appear in the past two weeks; and that their baby will reach his first birthday next week. “Nadeem is a loving husband and father. He is my best friend,” she says. “All I want is for Nadeem to be allowed to come back home to us.”

The two men have had access to a television and a balcony, but Gambaryan has described the experience in detention to his wife as “Groundhog Day,” says Yuki Gambaryan. “I can tell he’s trying to stay positive, but it’s getting to him. He’s getting impatient, he’s feeling hopeless.”

For Gambaryan’s wife herself, the anxiety and uncertainty has made the past two weeks the “hardest days of her life,” she says. She has yet to tell their two young children.

“Sometimes it feels like I’ll never see him again,” says Yuki Gambaryan. “I’m just begging them to let him go.”

Binance’s Top Crypto Crime Investigator Is Being Detained in Nigeria

Information newly made available under California law has shed light on data broker practices, including exactly what categories of information they trade in.

Information newly made available under California law has shed light on data broker practices, including exactly what categories of information they trade in.

Any business that meets the definition of data broker must register with the California Privacy Protection Agency (CPPA) annually. The CPPA defines data brokers as businesses that consumers don’t directly interact with, but that buy and sell information about consumers from and to other businesses.

Where there’s money to be made you’ll find companies and individuals that will go to any length to get a piece of the action. At the moment there are around 480 data brokers registered with the CPPA. However, that might be just the tip of the iceberg, because there are a host of smaller players active that try to keep a low profile. There are 70 fewer data brokers listed than last year, but it is questionable whether they went out of business or just couldn’t be bothered with all the regulations tied to being a listed data broker.

The law requires registered data brokers to disclose in which of the following categories they actively trade information in:

*   Minors (24)
*   Precise Geolocation (79)
*   Reproductive healthcare data (25)

Four of these data brokers are active in all three of these categories: LexisNexis Risk Solutions, Harmon Research Group, Experian Marketing Solutions, and BDO USA, P.C., Global Corporate Intelligence group.

What is particularly disturbing is the traffic in the data of minors. Children require special privacy protection since they’re more vulnerable and less aware of the potential risks associated with data processing.

When it comes to children’s data, the CCPA requires businesses to obtain opt-in consent to sell the data of a person under the age of 16. Children between the ages of 13 and 16 can provide their own consent, but for children under the age of 13, businesses must obtain verifiable parental consent before collecting or selling their data.

Data brokers were under no obligation to disclose information about selling data belonging to minors until the Delete Act was signed into law on October 10, 2023. The Delete Act is a Californian privacy law which provides consumers with the right to request the deletion of their personal information held by various data brokers subject to the law through a single request.

The next step forward would be if more states followed California’s example. So far only four states—California, Vermont, Oregon, and Texas—have enacted data broker registration laws.

The Children’s Online Privacy Protection Act (COPPA), which regulates children’s privacy, does not currently prevent companies from selling data about children. An update for the bill (COPPA 2.0), that would enhance the protection of minors, is held up in Congress.

In Texas, data brokers are governed by Chapter 509 of the Business and Commerce Code and this includes the specification that each data broker has a “duty to protect personal data held by that data broker.” This is important because, as we have seen, breaches at these data brokers can be combined with others and result in a veritable treasure trove of personal data in the hands of cybercriminals.

If you want to find out how much of your data has been exposed online, you can try our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using Malwarebytes Identity Theft Protection.

 Data brokers admit they&#8217;re selling information on precise location, kids, and reproductive healthcare 

The Pentagon says it’s not hiding aliens, but it stops notably short of saying what it is hiding. Here are the key questions that remain unanswered—some answers could be weirder than UFOs.

But what, then, were those programs? Herein lies the most intriguing—and potentially ground-breaking—question that the Pentagon study leaves us wondering: What exactly are the secret compartmentalized programs that the whistleblowers and government witnesses _misidentified_ as being related to UAP technology? What, exactly, are the Pentagon, intelligence community, or defense contractors working on that, from a concentric circle or two away inside the shadowy world of SAPs, looks and sounds like reverse-engineering out-of-this-world technology or even studying so-called “non-human biologics”?

There are at least four clear possibilities.

Secret Tech From Foreign Nations

First, what exotic technological possibilities have been recovered from unknown _terrestrial_ sources? For example, if the government is working on reverse-engineering technologies, those technologies are likely from advanced adversary nation-states like China, Russia, and Iran, and perhaps even quasi-allies like Israel that may be more limited in their technology-sharing with the US. What have other countries mastered that we haven’t?

A Question of ‘Peculiar Characteristics’

Second, what technologies has the US mastered that the public doesn’t know about? One of the common threads of UFO sightings across decades have been secret military aircraft and spacecraft in development or not yet publicly acknowledged. For example, the CIA estimated that the U-2 spy plane in the 1950s accounted for as much as half of reported UFO sightings. And the AARO report spends a half-dozen pages documenting how confusion over subsequent generations of secret US government aircraft appear to have also contributed to the great intergalactic game of telephone of UFO programs inside the government, including modern Predator, Reaper, and Global Hawk drones. AARO investigated one claim where a witness reported hearing a former US military service member had touched an extraterrestrial spacecraft, but when they tracked down the service member, he said that the conversation was likely a garbled version of the time he touched an F-117 Nighthawk stealth fighter at a secret facility.

There are surely other secret craft still in testing and development now, including the B-21 stealth bomber, which had its first test flight in November and is now in testing at Edwards Air Force Base in California, as well as others we don’t know about. The government can still surprise us with unknown craft—like the until-then-unknown modified stealthy helicopter left behind on the Pakistan raid to kill Osama bin Laden. And some of these still-classified efforts are likely causing UFO confusion too: AARO untangled one witness’s claim of spotting a UAP with “peculiar characteristics” at a specific time and place and were able to determine, “at the time the interviewee said he observed the event, the DOD was conducting tests of a platform protected by a SAP. The seemingly strange characteristics reported by the interviewee match closely with the platform’s characteristics, which was being tested at a military facility in the time frame the interviewee was there.” So what was that craft—and what were its “peculiar characteristics?”

Relatedly, the US military has a classified spaceship, the X-37B, that has regularly orbited around the Earth since its first mission in 2010—it just blasted off on its seventh and most recent mission in December—and its previous, sixth, mission lasted a record-breaking 908 days in orbit. The Pentagon has said remarkably little about what it does up there for years at a time. What secret space-related or aviation-related programs is the government running that outsiders confuse as alien spacecraft?

A Material Matter

The third likely area of tech development that might appear to outsiders to be UFO-related is more speculative basic research and development: What propulsion systems or material-science breakthroughs are defense contractors at work on right now that could transform our collective future? Again, AARO found such confusion taking place: After one witness reported hearing that “aliens” had observed one secret government test, AARO traced the allegation back to find “the conversation likely referenced a test and evaluation unit that had a nickname with ‘alien’ connotations at the specific installation mentioned. The nature of the test described by the interviewee closely matched the description of a specific materials test conveyed to AARO investigators.” So what materials were being tested there?

There are some puzzling materials-science breadcrumbs wrapped throughout the AARO report. It found one instance where “a private sector organization claimed to have in its possession material from an extraterrestrial craft recovered from a crash at an unknown location from the 1940s or 1950s. The organization claimed that the material had the potential to act as a THz frequency waveguide, and therefore, could exhibit ‘anti-gravity’ and ‘mass reduction’ properties under the appropriate conditions.” Ultimately, though, the new report concluded, “AARO and a leading science laboratory concluded that the material is a metallic alloy, terrestrial in nature, and possibly of USAF \[US Air Force\] origin, based on its materials characterization.”

A Knowledge Limit

Fourth and lastly is the category of the truly weird: Scientists at the forefront of physics point out that we should be humble about how little of the universe we truly understand; as Harvard astronomy chair Avi Loeb explains, effectively all that we’ve learned about relativity and quantum physics has unfolded in the span of a single human lifespan, and astounding new discoveries continue to amaze scientists. Just last summer, scientists announced they’d detected for the first time gravitational waves criss-crossing the universe that rippled through space-time, and astrophysicists continue to suspect that the universe is far weirder than we think. (Italian astrophysicist Carlo Rovelli last year posited the existence of “white holes” that would be related to black holes, which, he pointed out, were still a mystery just 25 years ago when he was starting his career.)

Answers here could be almost unfathomably weird—think parallel dimensions or the ability to travel at a fraction of the speed of light. And one of the most intriguing questions left by the UAP “game of telephone” is whether there are truly astounding advances in physics that government scientists, defense contractors, or research laboratories or centers could be feeling around that could also appear from the outside to be UFO-related.

The 4 Big Questions the Pentagon’s New UFO Report Fails to Answer

Borrowing from the playbook of ransomware purveyors, the darknet narcotics bazaar Incognito Market has begun extorting all of its vendors and buyers, threatening to publish cryptocurrency transaction and chat records of users who refuse to pay a fee ranging from $100 to $20,000. The bold mass extortion attempt comes just days after Incognito Market administrators reportedly pulled an "exit scam" that left users unable to withdraw millions of dollars worth of funds from the platform.

Borrowing from the playbook of ransomware purveyors, the darknet narcotics bazaar **Incognito Market** has begun extorting all of its vendors and buyers, threatening to publish cryptocurrency transaction and chat records of users who refuse to pay a fee ranging from $100 to $20,000. The bold mass extortion attempt comes just days after Incognito Market administrators reportedly pulled an “exit scam” that left users unable to withdraw millions of dollars worth of funds from the platform.

An extortion message currently on the Incognito Market homepage.

In the past 24 hours, the homepage for the Incognito Market was updated to include a blackmail message from its owners, saying they will soon release purchase records of vendors who refuse to pay to keep the records confidential.

“We got one final little nasty surprise for y’all,” reads the message to Incognito Market users. “We have accumulated a list of private messages, transaction info and order details over the years. You’ll be surprised at the number of people that relied on our ‘auto-encrypt’ functionality. And by the way, your messages and transaction IDs were never actually deleted after the ‘expiry’….SURPRISE SURPRISE!!! Anyway, if anything were to leak to law enforcement, I guess nobody never slipped up.”

Incognito Market says it plans to publish the entire dump of 557,000 orders and 862,000 cryptocurrency transaction IDs at the end of May.

“Whether or not you and your customers’ info is on that list is totally up to you,” the Incognito administrators advised. “And yes, this is an extortion!!!!”

The extortion message includes a “Payment Status” page that lists the darknet market’s top vendors by their handles, saying at the top that “you can see which vendors care about their customers below.” The names in green supposedly correspond to users who have already opted to pay.

The “Payment Status” page set up by the Incognito Market extortionists.

We’ll be publishing the entire dump of 557k orders and 862k crypto transaction IDs at the end of May, whether or not you and your customers’ info is on that list is totally up to you. And yes, this is an extortion!!!!

Incognito Market said it plans to open up a “whitelist portal” for buyers to remove their transaction records “in a few weeks.”

The mass-extortion of Incognito Market users comes just days after a large number of users reported they were no longer able to withdraw funds from their buyer or seller accounts. The cryptocurrency-focused publication **Cointelegraph.com** reported Mar. 6 that Incognito was exit-scamming its users out of their bitcoins and Monero deposits.

CoinTelegraph notes that Incognito Market administrators initially lied about the situation, and blamed users’ difficulties in withdrawing funds on recent changes to Incognito’s withdrawal systems.

Incognito Market deals primarily in narcotics, so it’s likely many users are now worried about being outed as drug dealers. Creating a new account on Incognito Market presents one with an ad for 5 grams of heroin selling for $450.

New Incognito Market users are treated to an ad for $450 worth of heroin.

The double whammy now hitting Incognito Market users is somewhat akin to the double extortion techniques employed by many modern ransomware groups, wherein victim organizations are hacked, relieved of sensitive information and then presented with two separate ransom demands: One in exchange for a digital key needed to unlock infected systems, and another to secure a promise that any stolen data will not be published or sold, and will be destroyed.

Incognito Market has priced its extortion for vendors based on their status or “level” within the marketplace. Level 1 vendors can supposedly have their information removed by paying a $100 fee. However, larger “Level 5” vendors are asked to cough up $20,000 payments.

The past is replete with examples of similar darknet market exit scams, which tend to happen eventually to all darknet markets that aren’t seized and shut down by federal investigators, said **Brett Johnson**, a convicted and reformed cybercriminal who built the organized cybercrime community Shadowcrew many years ago.

“Shadowcrew was the precursor to today’s Darknet Markets and laid the foundation for the way modern cybercrime channels still operate today,” Johnson said. “The Truth of Darknet Markets? ALL of them are Exit Scams. The only question is whether law enforcement can shut down the market and arrest its operators before the exit scam takes place.”

Incognito Darknet Market Mass-Extorts Buyers, Sellers

Backdoor.Win32.Beastdoor.oq malware suffers from a remote command execution vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/6268df4c9c805c90725dde4fe5ef6fea.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.Beastdoor.oqVulnerability: Unauthenticated Remote Command ExecutionDescription: The malware listens on TCP port 1332, makes outbound connections to SMTP port 25 and executes a PE file named svchost.exe dropped in Windows directory. Third party adversaries who can reach an infected host can issue various numeric commands made available by the backdoor.Family: BeastdoorType: PE32MD5: 6268df4c9c805c90725dde4fe5ef6feaVuln ID: MVID-2024-0674Dropped files: svchost.exeDisclosure: 03/09/2024Commands:27 return victims username and computer information5 or 19 will shutdown victims computer6 restart victims computer9 delete all files including program files16 victim computer screen goes black28 returns clipboard information30 terminates the backdoor and deletes it from the systemExploit/PoC:C:\sec>nc64.exe x.x.x.x 13322727VICTIM DESKTOP-2C3IQHO Windows 8.1 Intel(R) Core(TM) i7-7700HQ CPU @ 2.80GHzC:\WINDOWS\C:\WINDOWS\system32\1565 x 8302.01svchost.exe svchost.exe2828I dont like u30Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Beastdoor.oq MVID-2024-0674 Remote Command Execution

By Deeba Ahmed
Midnight Blizzard (aka Cozy Bear and APT29) originally breached Microsoft on January 12, 2024.
This is a post from HackRead.com Read the original post: Russian Midnight Blizzard Hackers Breached Microsoft Source Code

Microsoft confirms that Russian state-sponsored hackers, known as Midnight Blizzard, infiltrated their systems and stole source code. Experts warn of potential zero-day vulnerabilities.

Microsoft has been hit by a significant cybersecurity breach, with the company confirming that Russian hackers infiltrated its infrastructure, compromising valuable source code.

The breach, originally discovered on January 12, 2024, and **reported** on January 19, raised concerns about the potential misuse of proprietary information and the security of millions of users relying on Microsoft’s products and services.

Earlier this year, Microsoft disclosed that Russian state-sponsored hackers referred to as Midnight Blizzard (also known as Nobelium, Cozy Bear, and APT29), have been spying on the email accounts of Microsoft’s team members. The group, known for the **devastating SolarWinds attack**, successfully stole source code in what Microsoft now terms an “ongoing attack.”

Reportedly, the hackers infiltrated a “small percentage of corporate email accounts” and stole internal messages and files in an attack that began in late November 2023. The threat actor compromised a non-production test tenant account using a password spray attack, accessing some Microsoft corporate email accounts, including senior leadership and cybersecurity employees, and exfiltrating emails and documents.

The attackers exploited vulnerabilities in Microsoft’s defences, gaining unauthorized access to a substantial portion of source code, including Windows OS components, Office Suite, and other critical software elements.

****Update from Microsoft****

Previously, Microsoft stated that there was no evidence that the “threat actor had any access to customer environments, production systems, source code, or AI systems.” However, as per Microsoft’s update **published** on March 8, 2024, Midnight Blizzard is using information from corporate email systems to gain unauthorized access, including access to source code repositories and internal systems. Still, the company asserts that there’s no evidence that attackers compromised Microsoft-hosted customer-facing systems.

**Midnight Blizzard** is using various tactics to attack Microsoft, some of which were shared between Microsoft and its customers via emails. Moreover, the company claims hackers increased the attack volume, such as password sprays, by up to 10 times in February compared to January.

Microsoft has increased security investments and coordinated cross-enterprise efforts to counter Midnight Blizzard’s persistent threat. The company is enhancing its security controls, detections, and monitoring, as well as conducting ongoing investigations into the group’s activities.

Hackread will continue to share findings and information as they evolve. Users are advised to implement security updates, report suspicious activity, and adhere to security best practices.

**Ariel Parnes**, former Head of the Israeli Intelligence Service Cyber Department, winner of the Israel Defense Prize for tech innovations in the cyber field, and COO and Co-Founder at SaaS incident response leader, Mitiga, shared the following insights with Hackread.com:

“For advanced nation-state cyber groups, access to a company’s source code is akin to finding the master key to its digital kingdom, opening up avenues for finding new zero-day vulnerabilities: undiscovered security flaws that can be exploited before they’re known to the software creators or the public.”

Ariel warned that “Zero-day vulnerabilities represent a critical threat because there’s no straightforward way to detect them until after they’ve been discovered and disclosed by the software creators. Given this challenging landscape, organizations need to double down on cybersecurity measures focused on proactive defence.”

1.  Microsoft Disables App Installer After It’s Abused for Malware
2.  Fake Ledger App on Microsoft Store to Steal $800k in Crypto
3.  Microsoft Azure Exploited to Create Undetectable Cryptominer
4.  Microsoft Teams External Access Abuses for DarkGate Malware
5.  Microsoft Outlook Flaw Exploited by Russian Forest Blizzard Group

Russian Midnight Blizzard Hackers Breached Microsoft Source Code

A list of topics we covered in the week of March 4 to March 10 of 2024

March 8, 2024 - The flaws could allow an attacker with privileged access to a guest VM to access the hypervisor on the host.

March 8, 2024 - Users of JetBrains TeamCity on-prmises server need to deal with two serious vulnerabilities.

March 7, 2024 - Pet retail company PetSmart has emailed customers to alert them to a recent attack that used reused passwords.

March 7, 2024 - The US Treasury Department has sanctioned Predator spyware vendor Intellexa Consortium, and banned the company from doing business in the US.

March 6, 2024 - The ALPHV gang's attempt to cover up an exit scam isn't going well.

 A week in security (March 4 &#8211; March 10) 

Content creators are using copyright laws to get nonconsensual deepfakes removed from the web. With the complaints covering nearly 30,000 URLs, experts say Google should do more to help.

The number of nonconsensual deepfake porn videos online has exploded since 2017. As the harmful videos have spread, thousands of women—including Twitch streamers, gamers, and other content creators—have complained to Google about websites hosting the videos and tried to get the tech giant to remove them from its search results.

A WIRED analysis of copyright claims regarding websites that host deepfake porn videos reveals that thousands of takedown requests have been made, with the frequency of complaints increasing. More than 13,000 copyright complaints—encompassing almost 30,000 URLs—have been made to Google concerning content on a dozen of the most popular deepfake websites.

The complaints, which have been made under the Digital Media Copyright Act (DMCA), have resulted in thousands of nonconsensual videos being removed from the web. Two of the most prominent deepfake video websites have been the subject of more than 6,000 and 4,000 complaints each, data published by Google and Harvard University’s Lumen database shows. Across all the deepfake platforms analyzed, around 82 percent of complaints resulted in URLs being removed from Google, the company’s copyright transparency data shows.

Millions of people find and access deepfake video websites by searching for deepfakes, often alongside the names of celebrities or content creators. WIRED is not naming the specific websites to limit the exposure they receive. However, lawyers and companies combating deepfakes online, including by systematically making DMCA complaints, say the number of copyright complaints and high percentage of removals are a sign that Google should take more action against the specific websites. This should include removing them from search results entirely, they say.

“If the sole purpose of these websites is to abuse and manipulate a person’s personal brand, or take their autonomy away from them, or host simple revenge porn, they shouldn’t be there,” says Dan Purcell, the founder and CEO of Ceartas, a firm that helps creators remove their content when it is being used without permission.

For the biggest deepfake video website alone, Google has received takedown requests for 12,600 URLs, 88 percent of which have been taken offline. Purcell says that given the large volume of offending content, the tech company should be examining why the site is still in search results. “If you remove 12,000 links for infringement, why are they not just completely removed?” He adds: “They should not be crawled. They’re of no public interest.”

In the five years since nonconsensual deepfake porn videos first emerged, tech companies and lawmakers have been slow to act. At the same time, machine learning improvements have made it easier to create deepfakes. Today, there are a few kinds of explicit deepfake content: videos where a person’s face is put onto existing consensual pornography, apps that can “undress” a person or swap their face onto a nude image, and some generative AI that allows entirely new deepfake images to be created, such as the images of Taylor Swift which spread online in January.

Each method is weaponized—almost always against women—to degrade, harass, or cause shame, among other harms. Julie Inman Grant, Australia’s e-safety commissioner, says her office is starting to see more deepfakes reported to its image-based abuse complaints scheme, alongside other AI-generated content, such as “synthetic” child sexual abuse and children using apps to create sexualized videos of their classmates. “We know it’s a really underreported form of abuse,” Grant says.

As the number of videos on deepfake websites has grown, content creators—such as streamers and adult models—have used DMCA requests. The DMCA allows people who own the intellectual property of certain content to request it be removed from the websites directly or from search results. More than 8 billion takedown requests, covering everything from gaming to music, have been made to Google.

“The DMCA historically has been an important way for victims of image-based sexual abuse to get their content removed from the internet,” says Carrie Goldberg, a victims’ rights attorney. Goldberg says newer criminal laws and civil law procedures make it easier to get some image-based sexual abuse removed, but deepfakes complicate the situation. “While platforms tend to have no empathy for victims of privacy violations, they do respect copyright laws,” Goldberg says.

WIRED’s analysis of deepfake websites, which covered 14 sites, shows that Google has received DMCA takedown requests about all of them in the past few years. Many of the websites host only deepfake content and often focus on celebrities. The websites themselves include DMCA contact forms where people can directly request to have content removed, although they do not publish any statistics, and it is unclear how effective they are at responding to complaints. One website says it contains videos of “actresses, YouTubers, streamers, TV personas, and other types of public figures and celebrities.” It hosts hundreds of videos with “Taylor Swift” in the video title.

The vast majority of DMCA takedown requests linked to deepfake websites listed in Google’s data relate to two of the biggest sites. Neither responded to written questions sent by WIRED. The majority of the 14 websites had over 80 percent of the complaints leading to content being removed by Google. Some copyright takedown requests sent by individuals indicate the distress the videos can have. “It is done to demean and bully me,” one request says. “I take this very seriously and I will do anything and everything to get it taken down,” another says.

“It has such a huge impact on someone’s life,” says Yvette van Bekkum, the CEO of Orange Warriors, a firm that helps people remove leaked, stolen, or nonconsensually shared images online, including through DMCA requests. Van Bekkum says the organization is seeing an increase in deepfake content online, and victims face hurdles to come forward and ask that their content is removed. “Imagine going through a hiring process and people Google your name, and they find that kind of explicit content,” van Bekkum says.

Google spokesperson Ned Adriance says its DMCA process allows “rights holders” to protect their work online and the company has separate tools for dealing with deepfakes—including a separate form and removal process. “We have policies for nonconsensual deepfake pornography, so people can have this type of content that includes their likeness removed from search results,” Adriance says. “And we’re actively developing additional safeguards to help people who are affected.” Google says when it receives a high volume of valid copyright removals about a website, it uses those as a signal the site may not be providing high-quality content. The company also says it has created a system to remove duplicates of nonconsensual deepfake porn once it has removed one copy of it, and that it has recently updated its search results to limit the visibility for deepfakes when people aren't searching for them.

The DMCA is an imperfect tool, particularly when it comes to deepfakes. Goldberg says it needs someone to “affirm under penalty of perjury” that they’re the copyright holder of the video or images. “But the process of creating a deepfake can transform the image so much that the resulting image is not the same intellectual property as the images it was sourced from,” Goldberg says. Ultimately, this could mean the person creating the deepfake video may be the copyright holder of the abusive content. “Our firm has long advocated that the copyrighting of illegal works should revert to the victims so they can exercise control over them,” Goldberg says. “But the law has not yet caught up.”

Purcell, from Ceartas, says that the law is “not fit for purpose” and can be very “easily weaponized” by deepfake websites filing counternotices against DMCA requests. “At that point, the only option is to sue them,” Purcell says, which raises its own problems. The websites often don’t include contact details or information about who created them, and they can be based in countries with difficult legal regimes. “They will do anything to stay anonymous. They will hide themselves,” van Bekkum says. “They are using, on purpose, hosting companies offshore.”

Grant, the Australian regulator, says her office works with technology platforms and can also issue orders for content to be removed. The office has also targeted individuals who upload videos to deepfake websites. Last year, Grant’s office pursued a man who uploaded images of Australian public figures to one of the largest deepfake websites. He was ordered to remove the material and delete it from his devices.

“I am not a resident of Australia. The removal notice means nothing to me. Get an arrest warrant if you think you are right,” he emailed back after receiving the legal order, according to court documents. Months later, border officials told Grant that the man had entered Australia, and he was ultimately charged with contempt of court.

The incident was a rare example of a regulator or law enforcement body taking successful action against someone creating deepfakes. Adam Dodge, a lawyer and founder of Endtab (Ending Technology-Enabled Abuse), says technology companies should be funding greater education efforts in schools and communities about the harms of creating and sharing deepfakes, while legislators should put in place laws that don’t push the burden of getting content removed on the victims. “It needs to be considered as harmful, as devastating, and as important to internet safety as other forms of banned or criminal or regulated material that people find to be abhorrent and unacceptable,” Dodge says.

Google Is Getting Thousands of Deepfake Porn Complaints

By Waqas
The teasure trove of highly sentisive data is being sold for just $3,000 in Monero (XMR) cryptocurrency on Breach Forums.
This is a post from HackRead.com Read the original post: Hacker Claims Breaching US Federal Contractor Acuity, Selling ICE, USCIS Data

The IntelBroker hacker claims to have breached Acuity, a US federal contractor and is now selling data belonging to ICE and USCIS – This incident could potentially expose sensitive information of immigrants and could have national security implications.

The notorious hacker known as IntelBroker has claimed responsibility for a recent data breach allegedly targeting Acuity Inc., a Federal contractor based in Reston, Virginia. The breach has resulted in the theft of sensitive data and documents from two prominent U.S. government entities: U.S. Immigration and Customs Enforcement (ICE) and U.S. Citizenship and Immigration Services (USCIS).

For your information, Acuity Inc. is a federal technology consulting firm headquartered in Reston, Virginia. They offer their deep industry expertise to federal agencies, particularly those focused on National Security and Public Safety. According to the company, their core mission is to help these agencies plan for the future, improve their ability to serve citizens and deliver measurable results through innovative technology solutions and proven management techniques.

These alarming claims surfaced in a recent post on Breach Forums, a notorious cybercrime and hacker forum. Hackread.com has exclusively confirmed that the stolen data is currently being offered for sale on the forum for a mere $3,000 in Monero (XMR) cryptocurrency.

Screenshot: Hackread.com

Following the breach announcement on Breach Forums, IntelBroker proceeded to showcase a sample of the alleged stolen data, purportedly containing personal and Personally Identifiable Information (PII) of over 100,000 victims. The showcased records include:

*   Full names
*   Passport
*   Date of Birth
*   Phone numbers
*   Email addresses
*   Physical addresses
*   Physical attributes.

According to the hacker, “everything belongs to the US citizens,” implying that the compromised data contains information about civilians as well as government agents.

****The Sensitive Nature of Data****

In addition to the information available on the forum, Hackread.com gained insight into further sensitive data, including source code, user manual, confidential conversations and feedback exchanged between ICE agents and contractors. This extended to discussions on investigative techniques such as those utilized by the Five Eyes alliance, the Ukraine, and Russia conflict, information on terrorism-related seminars globally, etc.

Moreover, the alleged compromised data includes .GOV-hosted emails containing plain-text passwords for some. It’s worth noting, however, that these accounts are protected by Two-factor Authentication (2FA), and any unauthorized attempts to access them are promptly blocked until a valid code is provided.

Leaked email addresses (left) and what happened when the hacker attempted to sign in (right) Screenshot: Hackread.com

Given the highly sensitive nature of this information, Hackread.com has refrained from sharing some screenshots and has redacted sample data accordingly. It’s essential to emphasise that, at no point, did Hackread.com attempt to access these accounts.

****How did the alleged hack take place?****

In an exclusive conversation with the hacker, Hackread.com learned that they had exploited a critical 0-day vulnerability in GitHub. Despite not disclosing technical details of the Proof of Concept (PoC) regarding the alleged vulnerability, the hacker claimed that this flaw enables attackers to steal GitHub tokens and advance their malicious activities.

In response to these developments, Hackread.com has initiated contact with GitHub, ICE, USCIS, and Acuity Inc. to request their comments on the matter.

****Who is IntelBroker?****

IntelBroker is known for targeting high-profile targets in the United States. Some of their previous data breaches include Las Angeles Intl. Airport, US DoD Documents, Staffing Giant Robert Half, Facebook Marketplace Database, DARPA-related accesses in General Electric breach, Weee! Grocery and several others.

In fact, according to the United States government, IntelBroker is also the hacker behind one of the T-Mobile data breaches.

****Aftermath of Acuity Inc.’s Alleged Breach****

The aftermath of Acuity Inc.’s alleged breach carries potentially severe and long-lasting repercussions. The compromised data, if obtained by nations deemed adversarial by the United States, could pose significant risks to national security. The exploitation of such intelligence-related information may jeopardize the safety of agents and officials, as well as compromise ongoing operations.

Moreover, recent events highlight the vulnerability posed by third-party contractors. Just recently, on March 4th, 2024, American Express disclosed that its cardholders had been affected by a significant data breach originating from a third-party vendor.

In August 2023, an IT contractor employed by the Metropolitan Police Force experienced a cyberattack that impacted over 50,000 MET police personnel.

In September 2023, a third-party contractor experienced a data breach that affected over 8,000 Greater Manchester Police Officers. In October 2023, another contractor inadvertently exposed their database, resulting in the leakage of sensitive details about 500,000 Irish Police vehicle seizure records.

1.  US Govt’s secret terrorist watchlist with 2M records exposed online
2.  Chinese Group Storm-0558 Hacked European Govt Emails, Microsoft
3.  Adobe ColdFusion Flaw Used by Hackers to Access US Govt Servers
4.  Traffic sign near ICE headquarters hacked with “Abolish ICE” message
5.  Norweigian researcher exposes how a US firm collected his location data

Hacker Claims Breaching US Federal Contractor Acuity, Selling ICE, USCIS Data

Plus: An ex-Google engineer gets arrested for allegedly stealing trade secrets, hackers breach the top US cybersecurity agency, and X’s new feature exposes sensitive user data.

For years, Registered Agents Inc.—a secretive company whose business is setting up other businesses—has registered thousands of companies to people who appear to not exist. Multiple former employees tell WIRED that the company routinely incorporates businesses on behalf of its customers using what they claim are fake personas. An investigation found that incorporation paperwork for thousands of companies that listed these allegedly fake personas had links to Registered Agents.

State attorneys general from around the US sent a letter to Meta on Wednesday demanding the company take “immediate action” amid a record-breaking spike in complaints over hacked Facebook and Instagram accounts. Figures provided by the office of New York attorney general Letitia James, who spearheaded the effort, show that in 2023 her office received more than 780 complaints—10 times as many as in 2019. Many complaints cited in the letter say Meta did nothing to help them recover their stolen accounts. “We refuse to operate as the customer service representatives of your company,” the officials wrote in the letter. “Proper investment in response and mitigation is mandatory.”

Meanwhile, Meta suffered a major outage this week that took most of its platforms offline. When it came back, users were often forced to log back in to their accounts. Last year, however, the company changed how two-factor authentication works for Facebook and Instagram. Now, any devices you’ve frequently used with Meta services in recent years will be trusted by default. The move has made experts uneasy; this means that your devices may not need a two-factor authentication code to log in anymore. We updated our guide for how to turn off this setting.

A ransomware attack targeting medical firm Change Healthcare has caused chaos at pharmacies around the US, delaying delivery of prescription drugs nationwide. Last week, a Bitcoin address connected to AlphV, the group behind the attack, received $22 million in cryptocurrency—suggesting Change Healthcare has likely paid the ransom. A spokesperson for the firm declined to answer whether it was behind the payment.

And there’s more. Each week, we highlight the news we didn’t cover in depth ourselves. Click on the headlines below to read the full stories. And stay safe out there.

In January, Microsoft revealed that a notorious group of Russian state-sponsored hackers known as Nobelium infiltrated the email accounts of the company's senior leadership team. Today, the company revealed that the attack is ongoing. In a blog post, the company explains that in recent weeks, it has seen evidence that hackers are leveraging information exfiltrated from its email systems to gain access to source code and other “internal systems.”

It is unclear exactly what internal systems were accessed by Nobelium, which Microsoft calls Midnight Blizzard, but according to the company, it is not over. The blog post states that the hackers are now using “secrets of different types” to breach further into its systems. “Some of these secrets were shared between customers and Microsoft in email, and as we discover them in our exfiltrated email, we have been and are reaching out to these customers to assist them in taking mitigating measures.”

Nobelium is responsible for the SolarWinds attack, a sophisticated 2020 supply-chain attack that compromised thousands of organizations including the major US government agencies like the Departments of Homeland Security, Defense, Justice, and Treasury.

According to Microsoft, it has found no evidence that its customer-facing systems were breached.

On Wednesday, ​the US Department of Justice announced that it was charging a former Google engineer with stealing trade secrets about artificial intelligence on behalf of two Chinese companies. Linwei Ding was arrested in Newark, California, on four counts of federal trade secret theft. If convicted he could face a decade in prison.

“Today’s charges are the latest illustration of the lengths affiliates of companies based in the People’s Republic of China are willing to go to steal American innovation,” FBI director Christopher Wray said in a statement to the Associated Press.

The indictment, unsealed Wednesday, alleges that the theft began two years ago, when Ding, a Chinese national, began uploading hundreds of company files about its data centers into a personal Google Cloud account. Soon after and unbeknownst to Google, Ding allegedly founded his own startup specializing in training large AI models while also joining a separate Chinese AI company as its CTO. He resigned from Google in December, according to the indictment.

The US Cybersecurity and Infrastructure Security Agency confirmed this week that hackers breached the agency’s systems in February, according to Recorded Future. CISA, which works to protect US critical infrastructure from cyberattacks and other threats, says it took two of its systems offline after the breach, which was carried out through vulnerabilities in Ivanti IT management software. CISA declined to comment on which systems it took offline, but Recorded Future reports that, according to unnamed sources, one “houses critical information about the interdependency of US infrastructure,” while the other “houses private sector chemical security plans.” It is unclear who the hackers are or whether they accessed or stole data from CISA systems. The agency released an advisory on February 29 warning entities that use Ivanti Connect Secure and Ivanti Policy Secure tech to patch vulnerabilities in the products.

As if getting a phone call through a social network isn’t bad enough, X’s newly released audio and video calling feature can reveal the IP address of anyone you call. Even worse: The feature is turned on by default. While IP addresses can reveal the general location of the user, they’re not precise enough to expose exact locations. Still, civil liberties organizations warn that exposing IP addresses is highly concerning for activists living under authoritarian regimes or other high-risk users. To disable X’s calling feature, go to **Settings and privacy > Privacy and safety > Direct messages** in the X app, and toggle the **Enable audio and video calling** option to off. If you want to keep the feature on but not expose your IP address, toggle on the Enhanced call privacy option, which X says will mask your IP address. Why _this_ feature is not enabled by default remains unclear.

Tag

#intel