### Impact
Affected versions of yiisoft/yii are vulnerable to Reflected XSS in specific scenarios where the fallback error renderer is used.

### Patches
Upgrade yiisoft/yii to version 1.1.31 or higher.

### References
- [Git commit](https://github.com/yiisoft/yii/commit/d386d737861c9014269b7ed8c36c65eadb387368)

If you have any questions or comments about this advisory, [contact us through security form](https://www.yiiframework.com/security).

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.

Attack complexity: More severe for the least complex attacks.

Privileges required: More severe if no privileges are required.

User interaction: More severe when no user interaction is required.

Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.

Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.

Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.

Availability: More severe when the loss of impacted component availability is highest.

GHSA-7r2v-8wxr-3ch5: Yii does not prevent XSS in scenarios where fallback error renderer is used

Some misconfigured AI chatbots are pushing people’s chats to the open web—revealing sexual prompts and conversations that include descriptions of child sexual abuse.

Several AI chatbots designed for fantasy and sexual role-playing conversations are leaking user prompts to the web in almost real time, new research seen by WIRED shows. Some of the leaked data shows people creating conversations detailing child sexual abuse, according to the research.

Conversations with generative AI chatbots are near instantaneous—you type a prompt and the AI responds. If the systems are configured improperly, however, this can lead to chats being exposed. In March, researchers at the security firm UpGuard discovered around 400 exposed AI systems while scanning the web looking for misconfigurations. Of these, 117 IP addresses are leaking prompts. The vast majority of these appeared to be test setups, while others contained generic prompts relating to educational quizzes or nonsensitive information, says Greg Pollock, director of research and insights at UpGuard. “There were a handful that stood out as very different from the others,” Pollock says.

Three of these were running-role playing scenarios where people can talk to a variety of predefined AI “characters”—for instance, one personality called Neva is described as a 21-year-old woman who lives in a college dorm room with three other women and is “shy and often looks sad.” Two of the role-playing setups were overtly sexual. “It’s basically all being used for some sort of sexually explicit role play,” Pollock says of the exposed prompts. “Some of the scenarios involve sex with children.”

Over a period of 24 hours, UpGuard collected prompts exposed by the AI systems to analyze the data and try to pin down the source of the leak. Pollock says the company collected new data every minute, amassing around 1,000 leaked prompts, including those in English, Russia, French, German, and Spanish.

It was not possible to identify which websites or services are leaking the data, Pollock says, adding it is likely from small instances of AI models being used, possibly by individuals rather than companies. No usernames or personal information of people sending prompts were included in the data, Pollock says.

Across the 952 messages gathered by UpGuard—likely just a glimpse of how the models are being used—there were 108 narratives or role-play scenarios, UpGuard’s research says. Five of these scenarios involved children, Pollock adds, including those as young as 7.

“LLMs are being used to mass-produce and then lower the barrier to entry to interacting with fantasies of child sexual abuse,” Pollock says. “There's clearly absolutely no regulation happening for this, and it seems to be a huge mismatch between the realities of how this technology is being used very actively and what the regulation would be targeted at.”

WIRED last week reported that a South Korea–based image generator was being used to create AI-generated child abuse and exposed thousands of images in an open database. The company behind the website shut the generator down after being approached by WIRED. Child-protection groups around the world say AI-generated child sexual abuse material, which is illegal in many countries, is growing quickly and making it harder to do their jobs. The UK’s anti-child-abuse charity has also called for new laws against generative AI chatbots that “simulate the offence of sexual communication with a child.”

All of the 400 exposed AI systems found by UpGuard have one thing in common: They use the open source AI framework called llama.cpp. This software allows people to relatively easily deploy open source AI models on their own systems or servers. However, if it is not set up properly, it can inadvertently expose prompts that are being sent. As companies and organizations of all sizes deploy AI, properly configuring the systems and infrastructure being used is crucial to prevent leaks.

Rapid improvements to generative AI over the past three years have led to an explosion in AI companions and systems that appear more “human.” For instance, Meta has experimented with AI characters that people can chat with on WhatsApp, Instagram, and Messenger. Generally, companion websites and apps allow people to have free-flowing conversations with AI characters—portraying characters with customizable personalities or as public figures such as celebrities.

People have found friendship and support from their conversations with AI—and not all of them encourage romantic or sexual scenarios. Perhaps unsurprisingly, though, people have fallen in love with their AI characters, and dozens of AI girlfriend and boyfriend services have popped up in recent years.

Claire Boine, a postdoctoral research fellow at the Washington University School of Law and affiliate of the Cordell Institute, says millions of people, including adults and adolescents, are using general AI companion apps. “We do know that many people develop some emotional bond with the chatbots,” says Boine, who has published research on the subject. “People being emotionally bonded with their AI companions, for instance, make them more likely to disclose personal or intimate information.”

However, Boine says, there is often a power imbalance in becoming emotionally attached to an AI created by a corporate entity. “Sometimes people engage with those chats in the first place to develop that type of relationship,” Boine says. “But then I feel like once they've developed it, they can't really opt out that easily.”

As the AI companion industry has grown, some of these services lack content moderation and other controls. Character AI, which is backed by Google, is being sued after a teenager from Florida died by suicide after allegedly becoming obsessed with one of its chatbots. (Character AI has increased its safety tools over time.) Separately, users of the generative AI tool Replika were upended when the company made changes to its personalities.

Aside from individual companions, there are also role-playing and fantasy companion services—each with thousands of personas people can speak with—that place the user as a character in a scenario. Some of these can be highly sexualized and provide NSFW chats. They can use anime characters, some of which appear young, with some sites claiming they allow “uncensored” conversations.

“We stress test these things and continue to be very surprised by what these platforms are allowed to say and do with seemingly no regulation or limitation,” says Adam Dodge, the founder of Endtab (Ending Technology-Enabled Abuse). “This is not even remotely on people’s radar yet.” Dodge says these technologies are opening up a new era of online pornography, which can in turn introduce new societal problems as the technology continues to mature and improve. “Passive users are now active participants with unprecedented control over the digital bodies and likenesses of women and girls,” he says of some sites.

While UpGuard’s Pollock could not directly connect the leaked data from the role-playing chats to a single website, he did see signs that indicated character names or scenarios could have been uploaded to multiple companion websites that allow user input. Data seen by WIRED shows that the scenarios and characters in the leaked prompts are hundreds of words long, detailed, and complex.

“This is a never-ending, text-based role-play conversation between Josh and the described characters,” one of the system prompts says. It adds that all the characters are over 18 and that, in addition to “Josh,” there are two sisters who live next door to the character. The characters’ personalities, bodies, and sexual preferences are described in the prompt. The characters should “react naturally based on their personality, relationships, and the scene” while providing “engaging responses” and “maintain a slow-burn approach during intimate moments,” the prompt says.

“When you go to those sites, there are hundreds of thousands of these characters, most of which involve pretty intense sexual situations,” Pollock says, adding the text based communication mimics online and messaging group chats. “You can write whatever sexual scenarios you want, but this is truly a new thing where you have the appearance of interacting with them in almost exactly the same way you interact with a lot of people.” In other words, they’re designed to be engaging and to encourage more conversation.

That can lead to situations where people may overshare and create risks. “If people are disclosing things they’ve never told anyone to these platforms and it leaks, that is the Everest of privacy violations,” Dodge says. “That’s an order of magnitude we've never seen before and would make really good leverage to sextort someone.”

Sex-Fantasy Chatbots Are Leaking a Constant Stream of Explicit Messages

Cybersecurity researchers have found that threat actors are setting up deceptive websites hosted on newly registered domains to deliver a known Android malware called SpyNote.
These bogus websites masquerade as Google Play Store install pages for apps like the Chrome web browser, indicating an attempt to deceive unsuspecting users into installing the malware instead.
"The threat actor utilized a

SpyNote, BadBazaar, MOONSHINE Malware Target Android and iOS Users via Fake Apps

If you use WhatsApp for Windows, you'll want to make sure you're on the latest version.

In a security advisory, Meta has disclosed a vulnerability that allowed an attacker to run arbitrary code on a user’s system that existed in all WhatsApp versions before 2.2450.6.

WhatsApp offers a desktop application for Windows and macOS, which users can synchronize with their mobile devices. Desktop versions of WhatsApp are generally used as extensions of mobile apps rather than primary platforms. So, while wide usage of these apps exists, their adoption rate lies likely significantly lower when compared to mobile platforms.

WhatsApp has over 3.14 billion monthly active users as of January 2025, with 73% using Android and 22% using iOS. Using WhatsApp on your desktop offers some advantages that users might appreciate. My excuse is that I can type faster on my laptop and I can make better screenshots of my conversations.

If you use WhatsApp for Windows, you should update as soon as you can.

You can find the current version of your WhatsApp for Windows by clicking on the **Settings** (gear symbol) > **Help**.

If your version number is lower than 2.2450.6, install a new version by following these steps:

1.  Click the **Start** menu and search for **Microsoft Store** to open it.
2.  In the Microsoft Store, click on **Library** located at the bottom left corner.
3.  Scroll through the list or use the search bar to find **WhatsApp Desktop**.
4.  Click on **Get Updates** or look for an **Update** button next to WhatsApp Desktop. If an update is available, it will appear here.
5.  Click the **Update** button to download and install the latest version of WhatsApp Desktop.
6.  Once the update is complete, restart the application to ensure all changes are applied.

My WhatsApp was already up to date because I have automatic updates turned on. This is how Microsoft Store on Windows can automatically install app updates.

1.  Select **Start**, then search for and select **Microsoft Store**.
2.  In the Microsoft Store app, select **Profile** (your account picture) > **Settings**.
3.  Make sure **App updates** is turned **On**.

**The vulnerability**

The vulnerability tracked as CVE-2025-30401 is described by Meta as:

> “A spoofing issue in WhatsApp for Windows prior to version 2.2450.6 displayed attachments according to their MIME type but selected the file opening handler based on the attachment’s filename extension. A maliciously crafted mismatch could have caused the recipient to inadvertently execute arbitrary code rather than view the attachment when manually opening the attachment inside WhatsApp.”

In other words, it was possible for a sender to disguise the true nature of their attachment by changing the file extension to something harmless, like a jpeg, when in reality it was a malicious file that would be opened with the program the receiver had set as default for such a file.

In the past we’ve seen this used against users that have Python installed on their systems. People were sent a python or php script as an attachment which would get executed without any warning if the receiver opened them.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 WhatsApp for Windows vulnerable to attacks. Update now! 

Microsoft today released updates to plug at least 121 security holes in its Windows operating systems and software, including one vulnerability that is already being exploited in the wild. Eleven of those flaws earned Microsoft's most-dire "critical" rating, meaning malware or malcontents could exploit them with little to no interaction from Windows users.

**Microsoft** today released updates to plug at least 121 security holes in its **Windows** operating systems and software, including one vulnerability that is already being exploited in the wild. Eleven of those flaws earned Microsoft’s most-dire “critical” rating, meaning malware or malcontents could exploit them with little to no interaction from Windows users.

The zero-day flaw already seeing exploitation is CVE-2025-29824, a local elevation of privilege bug in the Windows **Common Log File System** (CLFS) driver.  Microsoft rates it as “important,” but as **Chris Goettl** from **Ivanti** points out, risk-based prioritization warrants treating it as critical.

This CLFS component of Windows is no stranger to Patch Tuesday: According to Tenable’s **Satnam Narang**, since 2022 Microsoft has patched 32 CLFS vulnerabilities — averaging 10 per year — with six of them exploited in the wild. The last CLFS zero-day was patched in December 2024.

Narang notes that while flaws allowing attackers to install arbitrary code are consistently top overall Patch Tuesday features, the data is reversed for zero-day exploitation.

“For the past two years, elevation of privilege flaws have led the pack and, so far in 2025, account for over half of all zero-days exploited,” Narang wrote.

Rapid7’s **Adam Barnett** warns that any Windows defenders responsible for an LDAP server — which means almost any organization with a non-trivial Microsoft footprint — should add patching for the critical flaw CVE-2025-26663 to their to-do list.

“With no privileges required, no need for user interaction, and code execution presumably in the context of the LDAP server itself, successful exploitation would be an attractive shortcut to any attacker,” Barnett said. “Anyone wondering if today is a re-run of December 2024 Patch Tuesday can take some small solace in the fact that the worst of the trio of LDAP critical RCEs published at the end of last year was likely easier to exploit than today’s example, since today’s CVE-2025-26663 requires that an attacker win a race condition. Despite that, Microsoft still expects that exploitation is more likely.”

Among the critical updates Microsoft patched this month are remote code execution flaws in **Windows Remote Desktop** services (RDP), including CVE-2025-26671, CVE-2025-27480 and CVE-2025-27482; only the latter two are rated “critical,” and Microsoft marked both of them as “Exploitation More Likely.”

Perhaps the most widespread vulnerabilities fixed this month were in web browsers. **Google Chrome** updated to fix 13 flaws this week, and **Mozilla Firefox** fixed eight bugs, with possibly more updates coming later this week for **Microsoft** **Edge**.

As it tends to do on Patch Tuesdays, **Adobe** has released 12 updates resolving 54 security holes across a range of products, including **ColdFusion**, **Adobe Commerce**, **Experience Manager Forms**, **After Effects**, **Media Encoder**, **Bridge**, **Premiere Pro**, **Photoshop**, **Animate**, **AEM Screens**, and **FrameMaker**.

**Apple** users may need to patch as well. On March 31, Apple released a huge security update (more than three gigabytes in size) to fix issues in a range of their products, including at least one zero-day flaw.

And in case you missed it, on March 31, 2025 **Apple** released a rather large batch of security updates for a wide range of their products, from **macOS** to the **iOS** operating systems on **iPhones** and **iPads**.

Earlier today, Microsoft included a note saying **Windows 10** security updates weren’t available but would be released as soon as possible. It appears from browsing askwoody.com that this snafu has since been rectified. Either way, if you run into complications applying any of these updates please leave a note about it in the comments below, because the chances are good that someone else had the same problem.

As ever, please consider backing up your data and or devices prior to updating, which makes it far less complicated to undo a software update gone awry. For more granular details on today’s Patch Tuesday, check out the SANS Internet Storm Center’s roundup. Microsoft’s update guide for April 2025 is here.

For more details on Patch Tuesday, check out the write-ups from Action1 and Automox.

Patch Tuesday, April 2025 Edition

Google has issued patches for 62 vulnerabilities in Android, including two actively exploited zero-days.

Google has patched 62 vulnerabilities in Android, including two actively exploited zero-days in its April 2025 Android Security Bulletin.

When we say “zero-day” we mean an exploitable software vulnerability for which there was no patch at the time of the vulnerability being exploited or published. The term reflects the amount of time that a vulnerable organization has to protect against the threat by patching—zero days.

The April updates are available for Android 13, 14, and 15. Android vendors are notified of all issues at least a month before publication, however, this doesn’t always mean that the patches are available for all devices immediately.

You can find your device’s Android version number, security update level, and Google Play system level in your Settings app. You’ll get notifications when updates are available for you, but you can also check for them yourself.

For most phones it works like this: Under **About phone** or **About device** you can tap on **Software updates** to check if there are new updates available for your device, although there may be slight differences based on the brand, type, and Android version of your device.

If your Android phone shows patch level 2025-04-05 or later then you can consider the issues as fixed. The difference with patch level 2025-04-01 is that the higher level provides all the fixes from the first batch and security patches for closed-source third-party and kernel subcomponents, which may not necessarily apply to all Android devices.

Keeping your device as up to date as possible protects you from known vulnerabilities and helps you to stay safe.

**Technical details**

The zero-days are both located in the kernel:

CVE-2024-53150: an out-of-bounds flaw in the USB sub-component of the Linux Kernel that could result in information disclosure. Local attackers can exploit this flaw to access sensitive information on vulnerable devices without user interaction.

The out of bounds vulnerability was caused by the USB-audio driver code which failed to check the length of each descriptor before passing it on.  There are currently no details on how CVE-2024-53150 has been exploited in real-world attacks, by whom, and who may have been targeted in those attacks.

CVE-2024-53197: a privilege escalation flaw in the USB audio sub-component of the Linux Kernel. Again, no user interaction is required.

This vulnerability is the missing link to CVE-2024-50302 and CVE-2024-53104 which put together were reportedly exploited in Serbia by law enforcement using Cellebrite forensic tools to unlock a student activist’s device and attempt spyware installation.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Google fixes two actively exploited zero-day vulnerabilities in Android 

Austin, TX, USA, 7th April 2025, CyberNewsWire

**Austin, TX, USA, April 7th, 2025, CyberNewsWire**

Deep visibility into malware-siphoned data can help close gaps in traditional defenses before they evolve into major cyber threats like ransomware and account takeover

SpyCloud, the leading identity threat protection company, today released new analysis of its recaptured darknet data repository that shows threat actors are increasingly bypassing endpoint protection solutions: 66% of malware infections occur on devices with endpoint security solutions installed. SpyCloud offers integrations with leading endpoint detection and response (EDR) products, such as Crowdstrike Falcon and Microsoft Defender, that close this detection gap.

EDRs play a vital role in detecting, protecting against, and responding to threats on enterprise devices. Despite advanced AI detection and telemetry analysis offered in today’s EDR solutions, modern infostealer malware is designed to evade even the most sophisticated defenses, using tactics like polymorphic malware, memory-only execution, and exploitation of zero-day vulnerabilities or outdated software. The data speaks for itself: nearly one in two corporate users were already the victim of a malware infection in 2024, and in the year prior, malware was the cause of 61% of all breaches. 

SpyCloud’s findings underscore that while EDR and antivirus (AV) tools are essential and block a wide range of security threats, no security solution can block 100% of attacks. Organizations need to take a layered approach to close the gaps before attacks progress deeper into their environments, resulting in events like ransomware and account takeover.  

> “When a malware infection goes undetected, the consequences can be catastrophic,” said Damon Fleury, Chief Product Officer at SpyCloud. “We are in an arms race at the endpoint, where attackers are constantly evolving their tactics to skirt detection. SpyCloud provides a critical line of defense – uncovering infostealer infections that evade EDRs and AVs, detecting when stolen data begins circulating in the criminal underground, and automatically feeding that intelligence back to the EDR to quarantine the device and begin the post-infection remediation process.”

By closing this visibility gap, SpyCloud EDR integrations provide a new and powerful protection mechanism. Once malware exfiltrates credentials, personally identifiable information (PII), or session cookies, that stolen data becomes a launchpad for further entrenchment and compromise. SpyCloud helps stop cybercrime before it happens by identifying these identity risks early, mapping them back to impacted users, devices, and applications, and sending actionable intelligence to an organization’s EDR for response and remediation.  

> “As identity becomes the security perimeter, organizations need more than device-level protection; they need insight into what their endpoint solutions are missing,” added Fleury. “SpyCloud’s expertise in accessing malware logs before they’re broadly circulated among criminals enables faster, more targeted responses needed to address infections, prevent lateral movement, and block disruptive follow-on activities like admin lockout and ransomware deployment.”

To learn more about how SpyCloud can augment endpoint security strategy and remediate malware infections that EDRs and AVs may miss, users can **register to join SpyCloud’s upcoming virtual event on April 10**, where experts will walk through the data, explain the attack chain in detail, and demo how SpyCloud’s EDR integrations work in real-world scenarios. 

**About SpyCloud**

SpyCloud transforms recaptured darknet data to disrupt cybercrime. Its automated holistic identity threat protection solutions leverage advanced analytics to proactively prevent ransomware and account takeover, safeguard employee and consumer accounts, and accelerate cybercrime investigations. SpyCloud’s data from breaches, malware-infected devices, and successful phishes also powers many popular dark web monitoring and identity theft protection offerings. Customers include seven of the Fortune 10, along with hundreds of global enterprises, mid-sized companies, and government agencies worldwide. Headquartered in Austin, TX, SpyCloud is home to more than 200 cybersecurity experts whose mission is to protect businesses and consumers from the stolen identity data criminals are using to target them now.

To learn more and see insights, users can visit spycloud.com.

**Contact**

**Emily Brown**  
**REQ on behalf of SpyCloud**  
**\[email protected\]**

SpyCloud Research Shows that Endpoint Detection and Antivirus Solutions Miss Two-Thirds (66%) of Malware Infections

Heavy incoming traffic: A new wave of toll fee scams are sweeping America.

Back in August 2024, we warned about a relatively new type of SMS phishing (or smishing) scam that was doing the rounds.

Now a new wave of toll fee scams are working their way round the US. These attempts come as an unexpected text message linking to a website pretending to belong to one of the US toll authorities, like E-ZPass, The Toll Roads, SunPass, or TxTag.

The texts usually create a sense of urgency—a common tactic of scammers, by telling you there is only a limited time left to act or there will be dire consequences.

The phishing sites are typically out to steal personal information and/or payment details. Reportedly, some users get up to 7 such messages in a day.

Many state departments are issuing warnings. For example, the Wisconsin Department of Transportation (WisDOT) Division of Motor Vehicles (DMV) recently warned consumers of reported phishing attempts via text, and the Arizona Department of Transportation even published a reminder that the state highway system doesn’t have toll roads, because of these scams.

A typical text message might look like this:

> “Your toll payment for E-ZPass Lane must be settled by {a date in the very near future}. To avoid fines and the suspension of your driving privileges, kindly pay by the due date.
> 
> Pay here: {malicious link}
> 
> (Please reply with “Y”, then exit the text message. Open it again, click the link, or copy it into your browser and open it.)”

 The malicious links are often fabricated to look legitimate by including an existing domain name before the actual domain name. E.g. e-zpass.com- roadioe\[.\]cc.

**How to avoid falling for toll fee scams**

*   Check the phone number that the text message comes from. Some of the scams we saw were easy to dismiss because they came from telephone numbers outside the US.
*   Look for the actual site that handles the alleged toll fees and compare the domain name. Sometimes there is only a small difference, so inspect it carefully.
*   If you decided to pay, make sure you receive confirmation of payment. Official toll agencies will send confirmation after collecting payments. If you don’t receive that, call the toll service to check.
*   Never interact with the scammer in any way. Every reaction provides them with information, even if it’s only that the phone number is in use.
*   If you think the toll fee is feasible because you have indeed travelled in that area, check on the official toll service’s website or call their customer service number.
*   The FBI asks that if you receive a suspicious message, contact the FBI Internet Crime Complaint Center at ic3.gov. Be sure to include the phone number from where the text originated, and the website listed within the text.

**Indicators of Compromise (IoCs)**

Domains involved in toll fee scams:

com-roadioe\[.\]cc

uoshxkdhkz\[.\]top

com-zgoupbb\[.\]top

forfeitzm\[.\]top

sunpass-verification\[.\]top

com-tollbilljhy\[.\]top

com-etc-bbzj\[.\]vip

com-tollbilltid\[.\]vip

com-tollbilltwd\[.\]vip

paytollrbzx\[.\]vip

com-ticketvb\[.\]xin

com-emzwepr\[.\]xin

com-ustolls\[.\]xin

com-tollbilaz\[.\]xin

etc-tollad\[.\]xin

roadetctre\[.\]xin

Did you know that Malwarebytes for mobile scans your texts for scams and blocks known malicious sites?

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Toll fee scams are back and heading your way 

Crypto software wallets are invincible in the micro range. If you own multiple crypto assets, you need safe and reliable wallets, too.

Crypto wallets offer an extra layer of security against **malicious attacks** targeting everyday users. It’s not always easy to open your online crypto account every time you want to make a payment, and many merchants still don’t support direct crypto transactions. That’s where digital wallets step in. They make payments easier, but in 2025, the biggest concern around crypto wallets is safety.

That’s why it makes sense to focus on wallets that are both cost-effective and secure. Before choosing one, it’s important to understand how its security system works. At the same time, the wallet should be flexible enough to let you buy, sell, or stake crypto without hassle.

There are over a hundred crypto wallets available this year, but we’re going to focus on 10 that stand out as some of the safest options.

****1: Zengo****

The wallet has more than 380 coins. As you can do frequent transactions, we would categorize it as a hot wallet. Meanwhile, it is not a hardware-compatible wallet. The cost of maintaining the wallet is 19.99 every month. However, the annual subscription is only $129. 

They claim that they have been providing services to over 1.5 million customers and “0 wallets” have been hacked.

****Special features** **

It is the best wallet for security-conscious users. The strong and integrated security design can stop any kind of phishing crimes or bad entry gates. 

The company says that there are 1.5 billion customers who have had zero wallet attacks to date. 

****Benefits** **

Firstly, you get a secure infrastructure with this wallet. Moreover, you will get weekly software updates. You can easily buy or sell Crypto from the wallet. Therefore, it is a good option to keep your fiat currency in it. 

****Limitations** **

The price of the wallet is slightly on the higher side. Moreover, no hardware devices are compatible with it. Lastly, it allows only third-party access for withdrawals. 

Understandably, this measure is important from a security point of view. But it is stunted from the utility point of view. 

****2: Coinbase** **

This wallet can support more than 5500 cryptocurrencies. It is a hot wallet for sure. Like the previous one, it has no hardware wallet compatibility. But the best part is that it is a free wallet. This is the reason why it is more popular among users. Moreover, Coinbase has over **90 govt crypto assets** too. 

****Why should beginners use it?****

Beginners can use it for practice. It has easy navigation. You can use it on the website as well. Meanwhile, you can easily download it from various platforms and start using it without any concern. But it is the best option for the low-cost beginners. 

The company charges 0 network fees either. Plus, you can customize and minimize the wallet anytime. If you check the **BTC heatmap, you’ll see that Bitcoin has most of the investors’ shares**. Hence, you need a free wallet source for Bitcoin investors. 

****Benefits** **

It is the best option for beginners. Moreover, it is a low-cost platform with various amenities. You can trade more than 5500 coins over it. 

****Limitations** **

The wallet code is not an open-source code. You cannot generateay new address for every single transaction. It is not comfortable with the hardware assets. However, you can connect your ledger wallet to transfer assets. 

****3: Exodus****

The coin supports more than 281 currencies. It is a hot wallet for sure. However, the best part is that it is hardware-compatible. It is free of cost, too. 

****Why choose it?****

You can choose it as it makes slots to manage individual digital currencies on your mobile platform itself. The fiat payment methods are also separate. You can find them easily in your wallet. 

Lastly, you can use it to purchase or sell your coins. At the same time, you can swap or stake the coins easily. But the best part is that you can do all of these directly from your mobile phone. 

****Benefits** **

The platform offers intuitive integration across mobile and desktop. It also offers the same to and from any browser platform. The software wallet is compatible with hardware wallets like Trezor.

So, it is an exceptional quality which premium wallets also don’t offer often. 

****Limitations** **

Customer support is very limited. It is available through email only. There is no in-house exchange policy with this wallet. Lastly, it is not an open-source option.

****4: Electrum****

It is a bitcoin-only wallet. On that note, it is one of the major downsides of this wallet. However, you can treat it as a hot as well as a cold wallet. Moreover, it is hardware-compatible. But the best part is that it is free of cost.

****Why Should You Choose It?****

You should choose a wallet that’s tailored to secure your Bitcoin. And that’s Electrum for you. Moreover, the Electrum app is available over a range of platforms. 

****Benefits****

Firstly, it is a free and downloadable wallet option. At the same time, it is well compatible with all the hardware wallets. Lastly, its source code is auditable. You may also peer review the codes and send suggestions. 

****Limitations** **

The biggest drawback of the platform is that it does not have the best trading features. So, buying, selling, and staking are not options you can pursue on this platform. You may simply keep your Bitcoin safe here. 

Moreover, there are no customer support options here. You will get community support at best. Lastly, you need genuine technical expertise to develop your wallet. 

This wallet is widely used for managing Ethereum and ERC-20 tokens. It is a hot wallet and works as a browser extension or mobile app. While it doesn’t support hardware wallet integration by default, it can be connected to devices like Ledger. One major reason for its popularity is its simple interface and easy access to decentralized apps.

****Why Should You Choose It?****

If you’re working mostly with Ethereum and related tokens, MetaMask is a smart choice. It’s user-friendly, supports quick access to decentralized apps, and works smoothly across both mobile and browser platforms.

****Benefits****

MetaMask is free to use and easy to install on both desktop and mobile devices. It offers seamless access to Ethereum-based dApps, supports custom tokens, and can be connected to hardware wallets like Ledger for added security. It’s also open-source, so developers can review and contribute to its code.

****Limitations****

MetaMask is limited to Ethereum and ERC-20 tokens, so it’s not ideal if you deal with a wide range of cryptocurrencies. It doesn’t offer built-in options for staking or advanced trading. Customer support is minimal, and new users might find the interface a bit technical at first.

****6: Trust Wallet****

The wallet supports more than 10,000 cryptocurrencies, including all major tokens and coins. It is a hot wallet designed for frequent on-the-go transactions. Trust Wallet is not tied to any specific hardware wallet by default, but it does support hardware integration through third-party connections. The wallet is free to download and use, with no monthly subscription costs.

It’s owned by Binance, which adds a layer of credibility. The wallet has been downloaded over 60 million times and has maintained a strong track record with no major security breaches reported.

****Special features****

Trust Wallet is known for its built-in Web3 browser that lets users interact with decentralized apps (dApps) directly from within the wallet. It also supports staking of various coins and offers a secure backup feature using a single recovery phrase.

The wallet runs with a strong emphasis on user privacy. No personal data or KYC is needed to set up or use it.

****Benefits****

Trust Wallet is a beginner-friendly wallet that supports a huge range of assets. It includes built-in staking, token swapping, and direct access to dApps. It’s available on both Android and iOS platforms, and it also supports NFTs across multiple blockchains.

Since it’s backed by Binance, there’s strong ongoing development, regular security updates, and integration with popular tools.

****Limitations****

The wallet doesn’t come with its own in-house customer support; users rely on community forums or Binance channels for help. Although it can connect with Ledger, it’s not fully optimized for hardware wallet security. Also, as a mobile-only wallet, it may not suit users looking for a full desktop experience.

Lastly, being owned by Binance may raise concerns for users looking for more decentralized control.

The Crypto.com DeFi Wallet supports over 1000 cryptocurrencies and is designed as a hot wallet, allowing users to make frequent transactions with ease. It’s non-custodial, meaning users have full control over their private keys. While it isn’t tied directly to a hardware wallet, it can integrate with Ledger devices for added security. The wallet is completely free to use with no subscription or maintenance costs.

The wallet is part of the broader Crypto.com ecosystem, which has tens of millions of users globally. It is separate from the centralized Crypto.com app, giving users the option to keep their assets fully decentralized.

****Special features****

One of the standout features is the ability to stake and earn rewards on various assets directly from the wallet. It also includes token swapping, DeFi access, and NFT storage. Users get full control over their keys, with backup options via a recovery phrase.

The wallet is also open-source, which means its code is publicly auditable, a major plus for transparency and community trust.

****Benefits****

The wallet provides access to decentralized finance without sacrificing usability. You can connect it easily with the Crypto.com exchange or app for seamless transfers. There’s a built-in swap function that supports multiple chains, and the app is available on both iOS and Android.

Another benefit is the ability to stake coins directly from the wallet and earn passive income. The user interface is clean and intuitive, especially for users already familiar with Crypto.com’s services.

****Limitations****

Although the wallet offers Ledger integration, it’s not natively built for hardware security, so users must go through extra steps to sync. There’s no desktop version of the wallet; it’s mobile only, which might not suit all users.

Also, as with most DeFi wallets, there’s no way to recover your funds if you lose your recovery phrase. And while support exists, it may not be as responsive as that of fully centralized platforms.

****8: BitBox02****

BitBox02 is a hardware wallet that supports major cryptocurrencies like Bitcoin, Ethereum, and Litecoin, along with ERC-20 tokens. It’s a cold wallet, which means it stores your assets offline for maximum protection. Unlike hot wallets, it’s not meant for frequent daily transactions. It is a paid device, with a one-time cost of around $129, depending on where you buy it.

Developed by Shift Crypto, a Swiss company, BitBox02 is known for its strong focus on privacy, security, and open-source principles. It’s available in two versions: Bitcoin-only and multi-coin, giving users the option to choose based on their needs.

****Special features****

BitBox02 comes with a built-in screen and touch sensors for transaction confirmation, and it uses a microSD card for backup instead of the traditional 12 or 24-word recovery phrase. This makes backup and restoration more straightforward and secure for some users.

The wallet’s firmware and companion app are open-source, which allows for public audits and community contributions, a solid trust factor for security-focused users.

****Benefits****

As a cold wallet, BitBox02 offers high-end security. Your private keys never touch an internet-connected device. The use of a microSD card for encrypted backups is a unique feature that enhances safety and user convenience.

The device is lightweight, portable, and works with Windows, macOS, and Linux. It also supports Tor for added privacy, and users can verify all addresses on the device screen before sending transactions.

****Limitations****

BitBox02 isn’t ideal for those looking for a wallet for everyday use; it’s designed for long-term holding and security, not frequent trading. The supported coins list is more limited compared to some multi-coin software wallets.

It also doesn’t support mobile use; it must be connected to a computer. Finally, while the microSD backup system is secure, it’s a less familiar method that could confuse users accustomed to seed phrases.

****9: SafePal S1****

The SafePal S1 is a hardware wallet supporting over 10,000 cryptocurrencies, including Bitcoin (BTC), Ethereum (ETH), Binance Coin (BNB), and various ERC-20 tokens. As a cold storage device, it keeps assets offline, enhancing security. The wallet operates independently without direct integration with other hardware wallets. Priced at $49.99, it offers a cost-effective solution for secure crypto storage.

****Special Features****

The SafePal S1 employs a 100% air-gapped signing mechanism, ensuring complete offline operation without Bluetooth, Wi-Fi, NFC, or USB connections. It features an EAL 5+ independent secure element, a true random number generator, multiple layers of security sensors, and an anti-tampering self-destruct mechanism. Additionally, its compact design, comparable to a credit card, enhances portability.

****Benefits****

Users benefit from managing unlimited tokens within a single device, with support for over 100 blockchains and continuous additions. The wallet integrates seamlessly with the SafePal App, providing access to decentralized applications (DApps) and facilitating cross-chain swaps and trades. Its user-friendly interface supports 15 languages, catering to a global audience.

****Limitations****

While the SafePal S1 offers robust security features, it lacks direct USB connectivity, relying solely on QR code scanning for transactions, which may be less convenient for some users. Additionally, as a hardware wallet, it requires physical possession for access, which might not suit users who prefer software-based solutions. Furthermore, being a relatively newer entrant in the hardware wallet market, it may not have the same extensive track record as some established competitors.

****10: Ledger Nano X****

The Ledger Nano X is a hardware wallet that supports over 5,500 cryptocurrencies, including major assets like Bitcoin (BTC), Ethereum (ETH), and Binance Coin (BNB). As a cold storage device, it keeps your private keys offline, providing enhanced security. The Nano X is compatible with both desktop and mobile devices via Bluetooth connectivity. Priced at $149, it offers a comprehensive solution for managing a diverse crypto portfolio.

****Special Features****

The Nano X features Bluetooth Low Energy (BLE) connectivity, allowing users to manage their crypto assets on the go through the Ledger Live app on smartphones. It incorporates a Secure Element (SE) chip, ensuring that private keys remain isolated and protected from potential threats. The device can install up to 100 apps simultaneously, accommodating a wide range of cryptocurrencies.

****Benefits****

The Ledger Nano X offers extensive support for a vast array of cryptocurrencies, making it suitable for users with diverse portfolios. Its Bluetooth functionality enhances user experience by enabling wireless management of assets via mobile devices. The integration with the Ledger Live app provides a unified platform for buying, selling, swapping, and staking various cryptocurrencies. Additionally, the device’s robust security features, including the Secure Element chip and custom operating system, offer peace of mind to users.

****Limitations****

While Bluetooth connectivity adds convenience, some users may have concerns about potential security risks associated with wireless connections. However, Ledger emphasizes that only non-sensitive data is transmitted via Bluetooth, and private keys never leave the device. The device’s price point of $149 may be considered high compared to other hardware wallets. Additionally, the battery is not replaceable, which could affect the device’s longevity.

Top Crypto Wallets of 2025: Balancing Security and Convenience

A security researcher found a flaw in Verizon call record requests that may have put millions of Americans at risk

Security researcher Evan Connelly discovered an enormous flaw affecting one of the largest telecommunications companies in the world that could allow any single person to view the recent incoming call log for potentially any Verizon phone number.

“In short, anyone could lookup data for anyone,” Connelly said.

A vulnerability in the Verizon Call Filter iOS app allowed anyone to request the call logs of millions of US Verizon customers. The Verizon Call Filter app for iOS allows customers to view a log of their recent calls. This log will show them the phone numbers and an associated timestamp.

To request such a log the app sends a request to a server to fetch the data belonging to the phone number in question.  The network request to the server contains various details such as your phone number and the requested time period for call records. The server then responds with a list of calls and timestamps.

But, as it turns out, there were no checks to make sure that the number the information was requested about and the number that sent the request matched.

So, the researcher was able to craft requests for any given phone number and get the call logs for that number, without the ownership of that number. The consequence: anyone could look up data for any Verizon Wireless customer.

The researcher did not check whether every Verizon Wireless customer was affected by this flaw.

> “The issue I discovered impacted at least those who have the Verizon Call Filter service enabled (I did not test a number which had it disabled; I can’t rule out whether or not all Verizon numbers could have been impacted).”

But it looks as if the Verizon Call Filter is enabled by default, so at least a great many Verizon Wireless customers would be impacted.

This is not just a privacy concern. For some people this could be a security hazard. For people in a domestic abuse situation, public figures, or those of interest to resourceful cyberattackers, a history of calls and frequent callers falling in the wrong hands can put people at physical risk or even compromise national security.

An attacker with access to someone’s call history could figure out their daily habits, see who they talk to most often, and guess their personal relationships. There is no available information whether this flaw was ever actively abused.

Thankfully, Verizon took the issue seriously and fixed it promptly.

Timeline:

*   2/22/2025 – Issue discovered and reported to Verizon
*   2/24/2025 – Acknowledgment from Verizon of the report
*   3/23/2025 – Researcher requested an update as the issue appeared fixed
*   3/25/2025 – Confirmation from Verizon that the issue is resolved

**Verizon call filter**

The Verizon Call Filter is a useful tool against robocalls, since it’s a screening and filtering tool that helps you manage nuisance calls. Verizon uses a Know Your Customer (KYC) scoring system to identify spam call networks and block their calls before they reach your phone. Based on your settings, blocked calls will either go to voicemail or stopped altogether.

If you no longer want to use Call Filter, it’s easy to turn it off. Here’s how:

**On iPhone:**

1.  Open the Call Filter app.
2.  Go to Settings.
3.  Tap Manage Plan and select Turn Off Call Filter.

Alternatively, you can disable it from your iPhone’s settings by going to Settings > Phone > Call Blocking & Identification and toggling off the Call Filter option.

**On Android:**

1.  Open the Call Filter app (it might already be installed on your device).
2.  Tap Account, then Manage Plan.
3.  Follow the steps to disable Call Filter.

As an alternative you can use Malwarebytes Mobile Security for iOS or Malwarebytes Mobile Security for Android to block scam calls.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

Tag

#ios