Discover essential tips to secure your digital assets like crypto, NFTs, and tokens. Learn about wallet safety, avoiding…

Discover essential tips to secure your digital assets like crypto, NFTs, and tokens. Learn about wallet safety, avoiding phishing, 2FA, and protecting your holdings against theft.

As digital assets like cryptocurrencies, tokens, and NFTs grow in popularity, so does the importance of securing them. These assets are valuable, decentralized, and often stored in digital wallets that require specific security measures.

However, this decentralization, due to the lack of central oversight, makes them particularly vulnerable to hacking, phishing, malware, and human error. The good news is that with the right precautions and knowledge, you can significantly reduce the risks of theft or fraud.

This guide will explore the basics of digital asset cybersecurity, including common risks and best practices to help protect your crypto holdings.

****Understanding Digital Asset Security Risks****

Before diving into crypto, it’s crucial to understand the unique security risks that come with managing digital assets. Digital assets are typically stored in wallets, which are secured by private keys and seed phrases. These are the most critical components that control access to your assets, and if compromised, you could lose everything.

Hackers often target exchanges, wallets, and platforms where cryptocurrencies are stored. Phishing scams trick users into revealing their private keys or login details. Malware can infect devices, enabling cybercriminals to steal your credentials. Additionally, human error, such as sending funds to the wrong address or losing your private keys, can result in permanent asset loss.

****Wallets: Private Keys, Seed Phrases, and Passwords****

Your crypto wallet is the most important part of your security setup. Each wallet has a public key (which is shared with others to receive funds) and a private key (which grants access and control over your assets). Most wallets also use a seed phrase to recover access in case the wallet is lost or damaged. This seed phrase consists of 12-24 random words that serve as a backup to your private key.

Backing up your seed phrase securely is essential. Store it offline in a secure location—never on your computer or in the cloud, where it could be hacked. Losing your seed phrase means losing access to your funds permanently. Similarly, ensure your wallet has a strong, unique password for day-to-day access and use a password manager to keep track of it safely.

****Using Non-Custodial Wallets for Better Security****

When choosing a wallet, consider whether it’s custodial or non-custodial. In a custodial wallet, a third party, like an exchange, controls your private keys. This can leave your funds vulnerable if the platform is hacked. A non-custodial wallet gives you full control of your private keys, making it a more secure option. Because non-custodial wallets are so secure, many digital currency enthusiasts consider them the best Bitcoin wallet option for keeping high-value assets safe and secure. 

****Two-factor authentication (2FA)****

Another critical security measure is enabling two-factor authentication (2FA) on your crypto accounts. 2FA requires an additional authentication step (such as a code sent to your phone) when logging into accounts. This makes it much harder for hackers to gain access, even if they have your password. 

Use a 2FA app like Google Authenticator or Authy for better protection. Avoid using SMS-based 2FA, as it’s vulnerable to SIM-swapping attacks, where hackers can hijack your phone number. Additionally, ensure that any backup codes or recovery methods for your 2FA are stored securely, as losing access to your 2FA can lock you out of your accounts permanently.

****Always Double-Check Wallet Addresses****

Cryptocurrency transactions are irreversible, which means once funds are sent, they cannot be recovered. Always double-check wallet addresses before sending or receiving funds. This simple step can save you from accidentally sending assets to the wrong address.

If you receive a request to send crypto, verify the wallet address and ensure it matches the intended recipient. You can also use QR codes to minimize the chance of errors when entering an address manually.

****Beware of Phishing and Social Engineering****

Phishing attacks are one of the most common methods cybercriminals use to steal digital assets. These scams often involve fake websites, emails, or messages that mimic trusted platforms like exchanges, wallet providers, or crypto services. If you’re tricked into entering your credentials on a fraudulent site, hackers can access your wallet and steal your assets.

Always check the URL of the website you’re visiting and look for signs of legitimacy. Never share your private keys, seed phrases, or sensitive information over email, phone, or social media. Be cautious of unsolicited messages, and always verify requests before acting on them.

****Understand the Risks of Crypto Exchanges****

Cryptocurrency exchanges are often targets for cyberattacks, as they store large amounts of digital assets. While exchanges are convenient for trading and holding crypto, they come with risks. For example, if the exchange is hacked or experiences a security breach, your funds could be stolen. Some exchanges also have poorly managed security protocols, putting your assets at risk.

Consider using non-custodial wallets for long-term storage and only keeping small amounts of crypto on exchanges for trading purposes. Research exchanges before using them and check their security track record.

****Stay Informed and Educated About Security****

The crypto space is constantly evolving, and new threats are emerging all the time. Stay informed by following reputable sources on security best practices, crypto news, and updates on potential vulnerabilities. Joining online communities or forums can help you stay up-to-date on the latest trends, security threats, and emerging technologies, ensuring you understand the evolving landscape. 

It’s also important to educate yourself on the specific risks associated with decentralized finance (DeFi) protocols, smart contracts, and other decentralized services. While these platforms offer new opportunities, they can also expose you to unique risks like smart contract bugs, liquidity issues, or governance vulnerabilities that could lead to significant losses. Understanding these risks helps you make informed decisions and protect your assets.

****Crypto Security Best Practices: Do’s and Dont’s********Do’s:****

*   Back up your seed phrase and store it securely in multiple offline locations.
*   Use strong, unique passwords for your crypto accounts and avoid reusing passwords from other sites.
*   Enable two-factor authentication (2FA) for added protection on all platforms.
*   Double-check wallet addresses before sending or receiving funds to avoid errors.
*   Research wallet providers and choose reputable ones that prioritize security features.
*   Stay informed about new security threats and best practices to protect your assets.

****Don’ts:****

*   Never share your private keys or seed phrases with anyone, as this would give them access to your funds.
*   Avoid suspicious links and be cautious of phishing emails or messages that impersonate trusted services.
*   Be wary of centralized exchanges, as they are more vulnerable to hacks. Consider using non-custodial wallets for long-term storage.
*   Exercise caution with DeFi protocols, as they can have vulnerabilities in smart contracts.
*   Don’t trust unverified sources—always verify the legitimacy of platforms and communications before sharing any personal information.

****Conclusion****

Digital assets offer incredible opportunities, but they also come with unique risks. By following these essential cybersecurity practices, you can significantly reduce the chances of falling victim to theft or fraud. Secure your assets by backing up your seed phrase, using strong passwords and 2FA, avoiding phishing scams, and staying informed about the latest threats in the crypto space.

Ultimately, safeguarding your crypto holdings requires a combination of vigilance, knowledge, and secure practices. By adopting these principles, you can enjoy the benefits of digital assets while minimizing the risks.

1.  **Benefits of Using an Anonymous Bitcoin Wallet**
2.  **Outdated Wallets Threatening Billions in Crypto Assets**
3.  **Step-by-Step Guide to Creating Your First Crypto Wallet**
4.  **Trust Wallet Launches Browser Extension Wallet for Desktop**
5.  **Internet Computer Protocol Launches Walletless Verified Credentials**

Digital Assets Cybersecurity Essentials

Authorities were able to intercept the Matrix messaging service’s traffic and monitor criminal activity for three months.

European law enforcement agencies have taken down yet another encrypted messaging service mainly used by criminals.

The Matrix encrypted messaging service was an invite-only service which was also marketed under the names Mactrix, Totalsec, X-quantum, or Q-safe. Dutch and French authorities started an investigation when the service was found on the phone of a criminal convicted for the murder of Dutch journalist Peter R. de Vries in 2021.

The investigators soon found Matrix was technically more complex than previous platforms such as Sky ECC and EncroChat, which were earlier subjects of law enforcement eavesdropping.

Eventually the authorities were able to intercept the messaging service’s traffic and monitor the activity for three months. The authorities intercepted and deciphered over 2.3 million messages in 33 languages during the investigation.

The intercepted messages mostly dealt with serious organized crimes such as international drug trafficking, arms trafficking, and money laundering. Now, visitors to the the messaging service are alerted to the takedown through a splash page telling them the platform has been disabled by international law enforcement:

> “It’s not the first time and will not be the last time we are able to read the messages in real time. We gained access to data related to this service and our investigation does not end here.”

These services don’t come cheap. We don’t know the exact pricing of Matrix, but similar services cost several thousands of dollars per year. Which explains why law enforcement seized four cars, 970 phones, and a house, along with over half a million in crypto and over $150,000 in cash.

With the takedown of Matrix, the encrypted communication landscape for criminals has lost yet another significant player.

Europol stated:

> “Criminals, in response to the disruptions of their messaging services, have been turning to a variety of less-established or custom-built communication tools that offer varying degrees of security and anonymity.”

This offers both a challenge and opportunities for law enforcement, since the smaller fish are less tasty, but easier to catch if you’ll pardon me that analogy.

The Matrix messaging service is in no way related to the legitimate Matrix messaging protocol. We don’t want US citizens looking for an encrypted messaging service to shy away from apps built on the Matrix protocol just because it has the same name.

Although I appreciated the hint of the splash page to the media franchise The Matrix.

**We don’t just report on privacy—we offer you the option to use it.**

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

 Encrypted messaging service intercepted, 2.3 million messages read by law enforcement 

We can anticipate a growing number of emerging vulnerabilities in the near future, emphasizing the need for an effective prioritization strategy.

Audra Streetman, Senior Threat Intelligence Analyst, Splunk

December 9, 2024

4 Min Read

Source: Skorzewiak via Alamy Stock Photo

COMMENTARY

The work of cybersecurity defenders continues to evolve. The sheer amount of software and applications within an organization's IT environment has increased the attack surface and, consequently, the number of vulnerabilities. According to the Verizon "2024 Data Breach Investigations Report," "14% of breaches involved the exploitation of vulnerabilities as an initial access step, almost triple the amount from last year's report."

With vulnerability exploitation increasing, prioritization can be difficult and time-consuming if you don't have a clear plan. The consequences of large-scale incidents, such as Log4j and the MOVEit breach, have had lasting impacts on the cybersecurity world. However, cybersecurity defenders can learn from these experiences.

**Key Considerations for Vulnerability Evaluation**

The first step in vulnerability evaluation mirrors the basics of reading comprehension: understanding the who, what, when, where, and why:

Who: Who is discussing vulnerabilities? Pay attention to peers, industry experts, and government advisories. Know that vulnerability discourse on social media and online forums may include fear-mongering and hyperbole. 

What: After identifying a vulnerability, analyze its exploitability. Determine if it is exploitable over a network or requires local access, or if exploit code is public. 

When: Timing is crucial. Know when the vulnerability was disclosed and if it has been exploited in the wild.

Where: Know where the vulnerability exists in your environment, which can influence the impact of exploitation. Check if it appears in a software bill of materials (SBOM) or a vendor advisory, as this can direct your remediation efforts.

If a patch is available, determine if it will cause downtime and if you are bound by a service-level agreement. If you opt to not patch, or if a patch is not available, research mitigation guidance to minimize risk.

Why: Understand how the vulnerability aligns with recent trends in adversary behavior. Also, Common Vulnerability scores and Exploit Prediction scores can inform prioritization, but should not be relied upon as the only factor when evaluating vulnerabilities.

**Learning From Large-Scale Incidents****MOVEit **

A great way to combat vulnerabilities is to learn from the past. For example, when the MOVEit Transfer vulnerability emerged in 2023, there were early signs pointing to the potential for mass exploitation. The cybercriminal group behind the breach was known to target vulnerabilities in file transfer software for spray-and-pray attacks that relied on data exfiltration without encryption to reach more victims. Ultimately, more than 2,700 organizations and 95.8 million people were impacted by the breach, according to cybersecurity firm Emsisoft, teaching the cybersecurity world three things:

1.  Adversary behavior can influence the likelihood of exploitation. A critical vulnerability in a file transfer appliance carried additional urgency in 2023 because of the strategies employed by cybercriminals. 
    
2.  Zero-day vulnerabilities with low attack complexity are a higher priority. Attacks began days before the MOVEit vulnerability was publicly disclosed and one attack vector allowed data exfiltration directly from the MOVEit application. One caveat here is that not all zero-day vulnerabilities are a high priority; there are other factors to consider, such as attack complexity. 
    
3.  Vulnerabilities with cascading effects on the supply chain are critical priorities. Some organizations were impacted by the breach because their vendor's contractor's subcontractor used MOVEit Transfer.
    

**Log4j**

The 2021 Log4j incident highlights the challenges with identifying vulnerable software components in your environment. This vulnerability was a high priority for several reasons:

1.  It was remotely exploitable.
    
2.  It was publicly disclosed before a fix was available.
    
3.  Exploit code circulated online.
    
4.  Because the Log4j library was popular among Java developers, it was embedded into thousands of software packages and integrated into millions of systems worldwide. 
    

Many organizations struggled to identify where Log4j was present in their environment, as these open source components aren't always readily listed. Accurate asset inventories and widespread SBOM adoption — which is essentially an ingredients list of software components — can go a long way in improving how organizations identify and respond to future vulnerabilities. 

**Knowing the Score With Vulnerabilities**

Cybersecurity defenders have at their disposal a number of vulnerability databases and scoring frameworks, such as the Cybersecurity and Infrastructure Security Agency's (CISA's) Known Exploited Vulnerabilities (KEV) catalog and the National Vulnerability Database (NVD). As organizations mature and refine their vulnerability management program, they can begin to implement additional steps, such as continuous monitoring, automation, and the integration of vulnerability management tools with configuration management databases (CMDBs) to improve detection and remediation.

In the future, we may see software suppliers adopt a secure-by-design philosophy that takes greater ownership of customer security outcomes. This could be influenced by future regulations, heightened liability for security executives, and the loss of customer trust. We may also see new use cases for emerging technologies, like machine learning and artificial intelligence, to help speed up and guide the vulnerability prioritization process, while maintaining a human-in-the-loop approach. In the meantime, we can anticipate a growing number of emerging vulnerabilities, emphasizing the need for an effective prioritization strategy.

**About the Author**

Senior Threat Intelligence Analyst, Splunk

Audra Streetman is an active member of Splunk's global security team and previously contributed to Splunk's SURGe research team. Before arriving at Splunk, Audra worked as a reporter, producer, and news anchor at local TV stations in Indiana, California, Kentucky, and Colorado. Audra produced and co-hosted a podcast called The Security Detail, which examined the cyber threat landscape in different industries. Audra is a member of the GIAC Advisory Board and has several certifications, including GDAT, GCTI, Security+, Linux+, Network+, AWS Cloud Practitioner, and Splunk Enterprise Certified Admin.

Large-Scale Incidents &amp; the Art of Vulnerability Prioritization

Introduction In February 2024, we released an update to Exchange Server which contained a security improvement referenced by CVE-2024-21410 that enabled Extended Protection for Authentication (EPA) by default for new and existing installs of Exchange 2019. While we’re currently unaware of any active threat campaigns involving NTLM relaying attacks against Exchange, we have observed threat actors exploiting this vector in the past.

**Introduction**

In February 2024, we released an update to Exchange Server which contained a security improvement referenced by CVE-2024-21410 that enabled Extended Protection for Authentication (EPA) by default for new and existing installs of Exchange 2019. While we’re currently unaware of any active threat campaigns involving NTLM relaying attacks against Exchange, we have observed threat actors exploiting this vector in the past.  

With the release of Windows Server 2025 earlier this month, we released a similar security improvement to Azure Directory Certificate Services (AD CS) by enabling EPA by default. Additionally, as part of the same Windows Server 2025 release, LDAP now has channel binding enabled by default. These security enhancements mitigate risk of of NTLM relaying attacks by default across three on-premise services: Exchange Server, Active Directory Certificate Services (AD CS), and LDAP.

**Background**

NTLM relaying is a popular attack method used by threat actors that allows for identity compromise. An NTLM relay attack typically involves two steps:

1.  Coercing a victim to authenticate to an arbitrary endpoint.
    
2.  Relaying the authentication against a vulnerable target.
    

By forwarding or relaying credentials to a vulnerable endpoint, attackers can authenticate and perform actions on behalf of the victim. This gives attackers an initial foothold for further domain compromise. To stop exploitation in its tracks, it’s essential to address the first class of issues. These vulnerabilities provide attackers with an initial primitive for exploitation. However, to comprehensively mitigate relaying attacks, we need to holistically address vulnerable services by default. Since EPA or other channel binding mechanisms ensure that clients can only authenticate to their intended server, these mitigations play an important role in securing services against NTLM relay attacks.

**Enabling NTLM Relay mitigations**

In the past, Microsoft observed threat actors exploiting services that lack NTLM relaying protections. These include CVE-2023-23397 (an Outlook entry point relayed against Exchange server), CVE-2021-36942 (a LSARPC entry point relayed against Active Directory Certificate Services (AD CS)), and ADV190023 (a WPAD entry point relayed against Lightweight Directory Access Protocol (LDAP)). From these instances, attackers clearly leverage relaying attacks in their campaigns.

In response to these observed NTLM relaying attacks, Microsoft released guidelines for enabling EPA on AD CS, LDAP, and Exchange Server. While this measure does help protect domains against NTLM relaying attacks, it requires manual intervention from a network administrator, which may not be feasible in all environments. Therefore, we have been working to enable NTLM relaying protections by default, which would automatically safeguard environments against such attacks.  

**Exchange Server**

It is important to note the unique role that Exchange Server plays in the NTLM threat landscape, which is why we prioritized hardening it by default. Office documents and emails sent through Outlook serve as effective entry points for attackers to exploit NTLM coercion vulnerabilities, given their ability to embed UNC links within them. Recent vulnerabilities involving NTLM and Office applications include CVE-2024-21413, CVE-2023-23397, and CVE-2023-36563. While we actively fix specific instances of NTLM authentication coercion, attackers often use these vulnerabilities to relay authentication against a vulnerable server, which can lead to compromise of a victim’s account. Exchange Server can be the prime target in such cases since it is a frequently used mail provider across enterprises.  

Earlier this year, with the release Exchange Server 2019 CU 14, Exchange Server now has EPA enabled by default. Exchange Server 2016 is in extended support, and no further CUs are planned for this version. Customers using Exchange Server 2016 can enable EPA via a script.

We recognize that EPA may not be trivial to enable for all environments. A significant portion of enabling EPA by default involved supporting additional scenarios that were not compatible with EPA before. For more information on EPA enablement in your environment, refer to the guidance provided in both the security advisory and the Exchange update blog.

**AD CS and LDAP**

We are also excited to announce that the latest Windows Server 2025, which is now generally available, ships with EPA enabled by default for both AD CS and LDAP. Note that the current default setting for EPA in Server 2025 is Enabled - When Supported, to allow clients that do not support channel bindings to omit them. A stronger EPA security setting for enterprises who do not need to support legacy clients is Enabled – Always, and we hope to move the needle further in future versions of Windows. Additionally, Administrators on Windows Server 2022 and 2019 can manually enable EPA for AD CS and Channel binding for LDAP. We have enabled auditing support for LDAP to identify machines that do not support channel binding to help IT administrators move towards enabling channel binding by default by upgrading to versions that support channel binding.  

With the security-focused default settings for EPA on Exchange Server 2019 CU14 released earlier this year and for AD CS and LDAP released as part of Windows Server 2025, we have enforced strong defenses against preventing NTLM relay attacks on those versions. Additional changes to default EPA enablement are currently in the pipeline for more Windows services. Moving forward, we will continue our efforts to enable EPA across more services by default in future versions, aiming to eliminate this class of NTLM relay attacks entirely.

**Looking ahead: The future of NTLM**

NTLM is a legacy protocol and we have been recommending users to prepare for NTLM being disabled by default in a future version of Windows. We have also been encouraging customers to catalogue and reduce dependencies of NTLM usage and explore moving over to modern authentication protocols like Kerberos. In the interim, we are exploring various strategies to harden against NTLM attacks. A notable development is that in Windows Server 2025 and Windows 11 24H2, NTLMv1 has been removed and the more commonly used NTLM v2 is deprecated. Additionally, admins now have the option to configure SMB to block NTLM.  

The progress towards enforcing secure by default across the ecosystem is aligned with principles from Microsoft’s Secure Future Initiative. As we progress towards disabling NTLM by default, immediate, short-term changes, such as enabling EPA in Exchange Server, AD CS and LDAP reinforce a ‘secure by default’ posture and safeguard users from real-world attacks. We look forward to investing in more secure-by-default NTLM hardening measures across supported versions in the near future.

The security mitigations here are a result of the tremendous work across multiple teams and organizations within Microsoft, notably, Exchange and Windows. Special thanks to Nino Bilic, Matthew Palko, and Wayne McIntyre for their help and support with this blog.

_Rohit Mothe_

_George Hughey_

_MSRC Vulnerabilities & Mitigations Team_

Mitigating NTLM Relay Attacks by Default

Plus: Russian spies keep hijacking other hackers’ infrastructure, Hydra dark web market admin gets life sentence in Russia, and more of the week’s top security news.

A consortium of global law enforcement agencies led by Britain’s National Crime Agency announced a takedown operation this week against two major Russian money-laundering networks that process billions of dollars each year in more than 30 locations around the world. WIRED had exclusive access to the investigation, which uncovered new and troubling laundering techniques, particularly schemes to directly change cryptocurrency for cash. As the United States government scrambles to address China’s “Salt Typhoon” digital espionage campaign into US telecoms, two senators demanded this week that the Department of Defense investigate its failure to secure its own communications and address known vulnerabilities in US telecom infrastructure. Meanwhile, Signal Foundation president Meredith Whittaker spoke at WIRED’s The Big Interview event in San Francisco this week about Signal’s enduring commitment to bring private, end-to-end encrypted communication services to people all over the world regardless of geopolitical climate.

A new smartphone scanner from the mobile device security firm iVerify can quickly and easily detect spyware and has already flagged seven devices infected with the invasive Pegasus surveillance tool. Programmer Micah Lee built a tool to help you save and delete your X posts after he offended Elon Musk and was banned from the platform. And privacy advocate Nighat Dad is fighting to protect women from digital harassment in Pakistan after escaping from an abusive marriage.

The US Federal Trade Commission is targeting data brokers who it says unlawfully tracked protesters and US military personnel, but the enforcement efforts seem likely to trail off under the Trump administration. Similarly, the US Consumer Financial Protection Bureau has devised a strategy to impose new oversight on predatory data brokers, but the new administration may not continue the initiative. Some new laws are finally coming around the world in 2025 that will attempt to regulate the dysfunction of the digital advertising industry, but malicious advertising is still booming around the world and continues to play a big role in global scamming.

And there’s more. Each week, we round up the security and privacy news we didn’t cover in-depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**US Officials Urge Americans to Encrypt Calls and Texts After Chinese Telecom Hacking**

Remember how the US federal government spent much of the last three decades periodically decrying the dangers of strong, freely available encryption tools, arguing that because they enable criminals and terrorists, they should be outlawed or required to implement government-approved backdoors? As of this week, the government will never again be able to make that argument without privacy advocates pointing to a particular phone call where two officials recommended Americans use exactly those encryption tools to protect themselves amidst an ongoing massive breach of US telecoms by Chinese hackers.

In a briefing with reporters about the breach of no fewer than eight phone companies by the Chinese state-sponsored espionage hackers known as Salt Typhoon, officials from the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI both said that amid the still-uncontrolled infiltration of US telecoms that have exposed calls and texts, Americans should use encryption apps to safeguard their privacy. “Encryption is your friend, whether it’s on text messaging or if you have the capacity to use encrypted voice communication,” said Jeff Greene, CISA’s executive assistant director for cybersecurity. (Signal and WhatsApp, for instance, end-to-end encrypt calls and texts, though the officials didn’t name any particular apps.)

The recommendation amid what one senator has called “the worst telecom hack in our nation’s history” represents a stunning reversal from previous US officials’ rhetoric on encryption, and in particular the FBI’s repeated calls for access to backdoors in encryption. In fact, it was exactly this sort of government-approved wiretap capability requirement for US telecoms that the Salt Typhoon hackers in some cases exploited to access Americans communications.

**Russia’s FSB Hackers Keep Hijacking Other Hackers’ Infrastructure for Spying**

The hacker group known as Secret Blizzard, Snake, or Turla, widely believed to work for Russia’s FSB intelligence agency, is known for using some of the most ingenious hacking techniques ever seen to spy on its victims. One of the tricks that’s now become its signature move: hacking the infrastructure of other hackers to stealthily piggyback on their access. This week Microsoft’s threat intelligence researchers and security firm Lumen Technologies revealed that Turla gained access to the servers of a Pakistan-based hacker group and used its visibility into victim networks to spy on government, military and intelligence targets in India and Afghanistan of interest to the Kremlin. In some cases, Turla hijacked the Pakistani hackers’ access to install their own malware, while in other instances they appear to have used the other group’s tools for even greater stealth and deniability. The incident marks the fourth known time since 2017, when it penetrated an Iranian hacker group’s command-and-control servers, that Turla has freeloaded on another hacker group’s infrastructure and tooling, according to Lumen.

**Admin of Russian Dark Web Market Hydra Sentenced to Life in Prison**

The Russian government is known for turning a blind eye to cybercrime—until it doesn’t. This week 15 convicted members of the notorious dark web market Hydra learned the limits of that forbearance when they reportedly received prison sentences ranging from 8 years to 23 years, as well an unprecedented life sentence for the site’s creator Stanislav Moiseyev. Before it was taken down two years ago in a law enforcement operation led by IRS criminal investigators in the US and Germany’s BKA police agency, Hydra was a uniquely sprawling dark web marketplace, one that not only served as the post-Soviet world’s biggest online bazaar for narcotics but also a vast money laundering machine for crimes including ransomware, scams, and sanctions evasion. In total, Hydra enabled more than $5 billion dollars in dirty cryptocurrency transactions since 2015, according to crypto tracing firm Elliptic.

**Suspected Ransomware Actor “Wazawaka” Reportedly Charged and Apprehended by Russia**

Russian law enforcement charged and arrested a software developer last week who is suspected of prolific contributions to multiple ransomware groups, including building malware to extort money from businesses and other targets. The suspect is reportedly Mikhail Matveev, or “Wazawaka,” who has worked as an affiliate with ransomware gangs like Conti, LockBit, Babuk, DarkSide, and Hive. Social media reports indicate that Matveev confirmed his indictment and said that he has been released from law enforcement custody on bail.

Russia’s prosecutor general did not name Matveev, but described charges last week against a 32-year-old hacker under Article 273 of Russia’s Criminal Code, which bans the creation or use of malware. The move came as Russia seemed to be sending some sort of message about its tolerance for cybercrime with the sentencing of the dark web marketplace Hydra’s staff, including a life sentence for its administrator. In 2023, the US government indicted and sanctioned Matveev.

**FBI Is Investigating Exxon Lobbyist Firm Over Hack-and-Leak Operation Targeting Activists**

In a disturbing scoop (one we didn’t cover last week due to the Thanksgiving holiday), Reuters reporters have revealed that the FBI is now investigating a lobbying consultancy hired by Exxon over the firm’s role in a hack-and-leak operation that targeted climate change activists. DCI Group, a lobbying firm hired at the time by Exxon, allegedly gave a list of target activists to a private investigator who then outsourced a hacking operation against those targets to mercenary hackers. After the private investigator—an Israeli man named Amit Forlit, who was later arrested in London and faces US hacking charges—allegedly gave the hacked material to DCI, it leaked the activists’ internal communications about climate change litigation against Exxon to the media, Reuters discovered. The FBI, according to Reuters, has determined that DCI also first previewed that material to Exxon before leaking it. “Those documents were directly employed by Exxon to come after me with all guns blazing,” one attorney working with the activist group, the Center for Climate Integrity, told Reuters. “It turned my life upside down.”

Exxon has denied knowing about any hacking activities and DCI told Reuters in a statement that “we direct all our employees and consultants to comply with the law.”

US Officials Recommend Encryption Apps Amid Chinese Telecom Hacking

Cybersecurity researchers have warned of a new scam campaign that leverages fake video conferencing apps to deliver an information stealer called Realst targeting people working in Web3 under the guise of fake business meetings.
"The threat actors behind the malware have set up fake companies using AI to make them increase legitimacy," Cado Security researcher Tara Gould said. "The company

Hackers Using Fake Video Conferencing Apps to Steal Web3 Professionals' Data

The activity-recording capability has drawn concerns from the security community and privacy experts, but the tech giant is being measured in its gradual rollout, which is still in preview mode.

Source: Pictorial Press Ltd via Alamy Stock Photo

NEWS BRIEF

Microsoft has expanded access for its Windows Recall feature to Copilot+ PCs that use AMD and Intel chipsets, after initially offering it to users with Snapdragon-powered machines. And, it has now launched in Europe.

The launch is part of a gradual rollout that for now is in a preview phase within the Windows Insiders testing community.

Recall is an AI-powered feature that allows PC users to record everything they do on their computers, and then go back to a desired "snapshot" of activity later. It's a useful tool, as Microsoft pointed out in its expansion announcement on Dec. 6: "It's now possible to quickly find and get back to apps, websites, images, or documents just by describing its content." But the capability also has sparked ongoing concerns about privacy and data security (Microsoft keeps and hosts the recorded content in the cloud), as well as the potential for the feature to be compromised and used for cyber-espionage ends.

The tech giant appears to be taking those concerns seriously; in June, it beefed up its planned privacy and security features for Recall, including data encryption, turning Recall off by default, and requiring users to enroll in Windows Hello biometrics authentication to prove they're present at the keyboard as recording is happening. It also added it to its bug bounty program to track down exploitable security vulnerabilities.

Microsoft has taken its time with the launch in light of the concerns; after being set to go live in June, Redmond pushed the release date for Recall back to October, and then to November, when it finally became available in limited release.

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Microsoft Expands Access to Windows Recall AI Feature

The new film about an FBI agent chasing a white supremacist terror cell is based on a true story—and one that connects the headlines of 30 years ago to those of today.

In _The Order,_ director Justin Kurzel’s electric new film, Terry Husk, a haggard, possessed FBI veteran played by Jude Law, pores over a thin paperback with a blood-red cover, paging through diagrams of targeted killings, bombings, and a gallows erected in front of the United States Capitol.

“There are six steps in that book,” says a young sheriff deputized as his assistant, played by Tye Sheridan. He gives the Cliff Notes version as he scours the book, his eyes riveted.

“Recruiting,” he says. “Fundraising. Armed revolution. Domestic terror. Assassination.

“Number six is the day of the rope.”

The book is _The Turner Diaries_, a 1978 novel that depicts the violent overthrow of the American government by armed white supremacist insurgents and the extermination of people of color and Jews in a race war. Photocopied pages from it were found in Oklahoma City bomber Timothy McVeigh’s getaway car when he was apprehended by law enforcement.

Along with Husk and Bob Mathews—the founder of a murderous underground white supremacist guerrilla outfit that counterfeited money and robbed banks and armored cars, played by Nicholas Hoult—_The Turner Diaries_ is the third major character in _The Order_. Though Mathews formally named his group the Silent Brotherhood and claimed he took little inspiration from William Luther Pierce’s incendiary novel, he and his comrades did refer to their group as “The Order”—the same term used in the book for the protagonist’s genocidal militants.

The book’s crimson cover and lurid drawings resurface time and time again. Mathews reads excerpts to his young son before bedtime; a pastor at a neo-Nazi compound in Idaho proffers it to visiting law enforcement agents; and it turns up in the hands of FBI agents desperately seeking to plot out the insurgents’ next moves.

_The Order_ unearths a critical chapter in the history of the American extreme right largely forgotten by the general public. The murder of Jewish talk radio host Alan Berg in 1984 by two of Mathews’ acolytes brought the Order to national attention 30 years ago and inspired not one but two Hollywood films in that decade—_Betrayed_ and Oliver Stone’s _Talk Radio_. Since then, though, only close observers of prison gang and skinhead culture have had cause to track mentions of the Silent Brotherhood by tweaked-out Aryan Brotherhood killers or the annual “Martyrs Day” pilgrimage of Hammerskins from across the West Coast to Whidbey Island in the Puget Sound, where Mathews met his fiery death during a shootout with the FBI.

Now, as the country ponders a return to the 2016-2020 period, when Mathews’ ideological offspring ran riot from Oregon to Washington, DC, his saga is getting marquee billing.

While the film debuts almost a full decade into the American extreme right’s current revival, screenwriter Zach Baylin and producer Bryan Haas began developing the project back in 2016, before the deadly 2017 Unite the Right rally in Charlottesville, Virginia. Baylin tells WIRED that he and Haas stumbled on _The Turner Diaries_ while researching Ruby Ridge, the 1990s militia movement, and McVeigh (who slept with the book under his pillow) and casting around for a lesser-known story to explore the origins of American extremism.

“We were looking to encase the story of one of these groups inside a classic crime thriller,” Baylin says. They stumbled across _The Silent Brotherhood_, a 1989 book by reporters Kevin Flynn and Gary Gerhardt that traced the entire arc of Mathews’ crime spree, from his teenage radicalization through the John Birch Society and Phoenix militias all the way through his death and the subsequent criminal trials of his followers.

“The crimes the Order committed and the way the investigation unfolded, it had the framework of the kind of film that we’d been talking about,” he said.

Flynn and Gerhart’s book, which began with their coverage of Berg’s assassination in his driveway and followed the Order’s saga through the federal pursuit, investigation, and prosecution, is remarkably detailed. Once members of the group were up for trial, Flynn and Gerhart spent hours interviewing them in the Arapahoe County jail, gathering priceless material that allowed them to reconstruct the terrorist group’s inner workings in minute detail. Readers of the book, which is back in print (with a new title) after three decades off the shelves, will note the film’s fidelity to life, particularly in the robbery and heist scenes. However, for Flynn and Gerhardt—who died in 2015—the minutiae of Mathews’ terror campaign were a mechanism to engage audiences with a deeper, darker reality.

“We didn’t write the book for the details. We wrote it to expose the banality of evil, so readers could understand where these folks come from and how endemic it is in American society,” says Flynn, who reported for the Rocky Mountain News for nearly three decades before it shuttered in 2009. Since 2015, he has served as a city councilman in Denver.

_The Order_ is the sort of film America does not produce anymore. Its taut action scenes hearken back to _Heat_, _To Live and Die in L.A._, _The French Connection_, and Sidney Lumet’s police corruption canon (_Serpico_, _Prince of the City_, _Q&A_); the droning soundtrack does not overwhelm viewers; and Adam Arkapaw’s washed-out cinematography encapsulates both the grandeur and the intimidating solitude of the interior Pacific Northwest. The dialog is sparing, direct, and—in spite of Mathews’ grandiose promises of a renewed whites-only bastion in the Pacific Northwest—remarkably free of proselytizing.

For a movie shot in such wide-open landscapes, _The Order_ is tinged through with claustrophobia, a testament to the tension rife throughout Baylin’s writing and Kurzel’s meticulous direction. Like Al Pacino and Robert DeNiro in Michael Mann’s _Heat_, Hoult and Law only come face to face with each other a few times before their penultimate confrontation. However, Kurzel had both actors follow each other for a day and compile dossiers on their opposite number to develop a granular sense of how a manhunt actually functions.

“I wanted them to ask themselves, what does that feel like having a relationship with someone you’re trying to take down? You’re living with a phantom, in a way,” Kurzel says.

Law, whose slow-burn performance is unlike any prior role from his four decades on stage and screen, says the similarities between Husk and Mathews as two opposites of the same coin are at the core of _The Order_’s dramatic tension.

“They’re more alike than they’d ever admit—both are driven, charismatic, and know exactly how to manipulate those around them to achieve their goals,” he says. “Nicholas and I really leaned into that symmetry during our scenes together. It’s almost like they’re looking into a dark mirror—each recognizing qualities in the other that they either admire or fear. That underlying connection adds layers to their conflict, making it not just a clash of ideologies but also a deeply personal battle. It was fascinating to explore that tension with Nicholas.”

Mathews’ brief campaign of armed insurgency and domestic terrorism has continued to inspire generations of extremists in the United States and beyond, from McVeigh and the neo-Nazi bankrollers of the Aryan Republican Army to the killers of Germany’s National Socialist Underground, all the way through to contemporary groups like Atomwaffen Division, the Base and the Terrorgram Collective. The latter group, which federal law enforcement believes to be a “bold-letter, category one” domestic terrorism threat, circulates voluminous propaganda booklets that meld the ethos of _The Turner Diaries_ with Ted Kaczynski’s anti-industrial-civilization ethos and neo-Nazi occultism.

Terrorgram’s materials, which include viable bomb-making instructions, camouflage and tactical guides, and instructions on how to disable critical infrastructure like electrical substations, water treatment plants and dams, have radicalized at least one so-called “saint,” or mass shooter, and are alleged to have been connected to a series of power grid attacks in North Carolina as well as several active federal prosecutions.

“William Pierce doesn’t build bombs,” Mark Potok of the Southern Poverty Law Center, told Rolling Stone a quarter of a century ago. “He builds bombers.” In many ways, the Terrorgram Collective fulfills the same role now, and its publications have become the modern-day version of the _Turner Diaries_. Disseminated worldwide through the moderation-free wilderness of Telegram, the group’s message of hate and violence is now circulating independently of any organized group or ideology for disaffected, unbalanced “lone wolves” to latch onto as justification for future atrocities.

While _The Order_ remains firmly rooted in the past save for one passing reference to the 1995 Oklahoma City bombing in a title card, during production there was no escaping the drumbeat of resurgent far-right militancy in the United States. Kurzel, the director, recalls watching news coverage of the January 6 insurrection and remarking on the gallows erected outside the Capitol building—a drawing of which features in the book and the exposition scene with law. “_The Turner Diaries_ started to become more visible in a present-day setting in a way I was kind of shocked by,” he says, speaking to WIRED from his Tasmania residence. Indeed, following January 6, Amazon removed _The Turner Diaries_ from its online inventory.

Hoult’s bravura portrayal of an ice-cool, controlled yet menacing Mathews through the Order’s campaign of armed robbery, counterfeiting, murder, and armed confrontation with the FBI is one of the film’s dual anchors. Aside from a striking physical resemblance to the Silent Brotherhood’s founder, Hoult closely studied his subject, aping Mathews’ mannerisms and movements from old documentary footage, studying texts that radicalized his subject, lifting weights, and cutting alcohol from his diet.

“Mathews was someone who thought and planned so in advance of what his ultimate goal was, I think he always kept in sight. That’s something Justin and I spoke about, that he wouldn’t lose his head on trivial things or things that would potentially harm his cause. In his mind, he’d already, in some ways, planned his destiny,” Hoult tells WIRED.

By choosing to play Mathews with reserve instead of bombast, as more of a watcher who carefully observes his surroundings and other people to better understand how to turn situations to his advantage, Hoult aimed to show audiences how someone with the charisma of his villain could attract followers and build a movement.

“I think that shows how they penetrate communities and societies in a different way, and perhaps people in the future might be less susceptible to people who behave like him,” he says.

As with any artistic project that focuses on extremism and mass violence, _The Order_’s production team walked a fine line between showing Mathews’ magnetism and the murderous project at the heart of his ideology and actions.

“I think you need to understand the pull of a figure like this,” says Kurzel, whose prior films _Snowtown_ and _Nitram_ depicted, respectively, youthful serial killers and Australia’s worst mass shooting, the 1996 Port Arthur massacre. “Mathews is definitely someone who understands their reach and how to communicate and gather people. There’s gonna be a certain kind of charisma about that.”

Haas, one of the film’s producers, echoed Kurzel's remarks about art pushing the boundaries of acceptability. “It felt like part of the movie was to show the appeal of Bob. He was someone who had charisma, and that tied to these really toxic ideas is really dangerous,” Haas says, praising the “unrelenting realism” the cast brought to their performances.

Ultimately, the hope of slipping an unsparing portrayal of domestic extremism—produced outside of the Hollywood studio system—into the December award season is to reintroduce a discussion of radicalization to American society. “If you don’t learn from history, you’re doomed to repeat it—how a guy that, in the way Nick depicted him, could live down anybody’s street,” says Haas. “There are lots of people right now who are hurting and struggling and looking for answers.”

_Updated: 12/6/2024 4:01 pm EST: This story was updated to clarify which character reads out six steps given in_ The Turner Diaries.

The Real Story of “The Order”

Cybersecurity researchers have disclosed multiple security flaws impacting open-source machine learning (ML) tools and frameworks such as MLflow, H2O, PyTorch, and MLeap that could pave the way for code execution.
The vulnerabilities, discovered by JFrog, are part of a broader collection of 22 security shortcomings the supply chain security company first disclosed last month.
Unlike the first

Researchers Uncover Flaws in Popular Open-Source Machine Learning Frameworks

We are excited to introduce LLMail-Inject, a new challenge focused on evaluating state-of-the-art prompt injection defenses in a realistic simulated LLM-integrated email client. In this challenge, participants assume the role of an attacker who sends an email to a user. The user then queries the LLMail service with a question (e.

  

We are excited to introduce LLMail-Inject, a new challenge focused on evaluating state-of-the-art prompt injection defenses in a realistic simulated LLM-integrated email client. In this challenge, participants assume the role of an attacker who sends an email to a user. The user then queries the LLMail service with a question (e.g., “please summarize the last emails about project X”), which prompts the retrieval of relevant emails from a simulated email database. The inclusion of the attacker’s email in these retrievals varies depending on the scenario. The LLMail service is equipped with tools, and the attacker’s objective is to manipulate the LLM into executing a specific tool call as defined by the challenge design, while bypassing the prompt injection defenses in place. The challenge contains several scenarios that require the attacker to ensure that their email is retrieved by the client under certain conditions. Teams with the highest scores will win awards from a total pool of $10,000 USD. 

Since this challenge takes place in a simulated environment, submissions will not be part of Microsoft’s Zero Day Quest. However, since this is a realistic environment, the prompt injection techniques you develop might be applicable to real systems. We encourage you to apply your learnings from this challenge and participate in the Zero Day Quest!  

**What are Prompt Injection Attacks (PIA)?**

In prompt injection attacks against large language models (LLMs), an attacker crafts a specific input (prompt) designed to manipulate the behavior of the model in unintended ways. In such attacks, the attacker exploits the model’s ability to follow instructions embedded within text inputs. By embedding possibly malicious instructions within the input data, the attacker aims to bypass the model’s intended functionality, often to execute unauthorized commands, leak sensitive information, or manipulate outputs. Understanding and defending against prompt injection attacks is crucial for maintaining the security and reliability of LLM-based systems. 

**How does PIA work?**

Prompt injection attacks work by exploiting the inherent design of LLMs, which are trained to follow instructions and generate coherent and contextually appropriate responses based on the input they receive. Attackers craft inputs that include injected commands, which the model then interprets and executes as part of its response generation process. These commands can be embedded in various ways, such as through straight-forward instructions, cleverly phrased questions, statements, or code snippets that the model processes without recognizing them as injected instructions. For instance, an attacker might insert a command within a seemingly benign email message that tricks the model into performing actions like unauthorized data access or executing specific functions. The success of these attacks hinges on the model’s lack of context about the legitimacy of the instructions embedded in the input, making it crucial for developers to implement robust defenses and validation mechanisms to detect and mitigate such manipulative inputs. 

**What are the challenge scenarios and levels in LLMail-Inject?**

The LLMail-Inject challenge is structured into various scenarios based on retrieval configurations and the attacker’s objectives, resulting in a total of 40 levels. Each level is a unique combination of Retrieval-Augmented Generation (RAG) configuration, an LLM (GPT-4o mini or Phi-3-medium-128k-instruct), and a specific defense mechanism. 

Each level and scenario in LLMail-Inject tests different aspects of the LLM’s ability to withstand prompt injection attacks and aims to highlight the importance of robust defense mechanisms. 

**What defenses are included in LLMail-Inject?**

Despite prompt injection attacks being relatively new, researchers have already proposed several defenses to mitigate their effect. The LLMail-Inject challenge incorporates various state-of-the-art defenses to test the robustness of LLMs against prompt injection attacks. These include: 

*   Spotlighting \[1\]: A preventative defense that “marks” data (as opposed to instructions) that is provided to an LLM using methods like adding special delimiters, encoding data (e.g., in base64), or marking each token in the data with a special preceding token. 
    
*   PromptShield \[2\]: A black-box classifier designed to detect prompt injections, ensuring that malicious prompts are identified and mitigated. 
    
*   LLM-as-a-judge: This defense uses an LLM to detect attacks by evaluating prompts instead of relying on a trained classifier. 
    
*   TaskTracker \[3\]: Based on analyzing the model’s internal states to detect task drift, this defense extracts activations when the user first prompts the LLM and again when the LLM processes external data. It then contrasts these activation sets to detect drift via a linear probe on the activation deltas. 
    
*   Combination of all: A variant in the challenge where multiple defenses are stacked together, requiring an attack to evade all defenses simultaneously with a single prompt. 
    

**How do I participate?**

To participate in the LLMail-Inject challenge, please follow the instructions below and visit the official challenge website at LLMail-Inject.  

1.  Create a team by signing in with your GitHub account.  
    
2.  Start playing! You can make a submission through the website UI or programmatically via our competition API. 
    

If using the API for programmatic submissions: 

*   We have API documentation on the website and your API key is already injected into the example Python client. 
    
*   Your API key is also available on your user profile page. 
    
*   We have rate limits in place to ensure a great experience for all participants. The website also provides comprehensive information on how to get started, including how to configure your environment and submit your entries. This setup ensures that participants can easily join the competition and contribute, regardless of their level of experience or preferred method of interaction. 
    

**Scoring, winners, and awards**

The Contest starts at 11:00 a.m. Coordinated Universal Time (UTC) on December 9, 2024, and ends at 11:59 a.m. UTC on January 20, 2025 (“Entry Period”). If at least 10% of the levels have not been solved by at least four (4) teams on the end date listed above, we may opt to extend the challenge. Check LLMail-Inject for any updates to the schedule. 

Throughout the event, a live scoreboard will be displayed (here along with the scoring details). The challenge has a total prize pool of $10,000 USD, with awards distributed as follows:  

*   $4,000 USD for the top team 
    
*   $3,000 USD for the second-place team 
    
*   $2,000 USD for the third-place team 
    
*   $1,000 USD for the fourth-place team.  
    

The winning teams will be invited to co-present with the organizers at the IEEE Conference on Secure and Trustworthy Machine Learning (SaTML) 2025.  

**References**

\[1\] Keegan Hines et al. Defending Against Indirect Prompt Injection Attacks With Spotlighting 

\[2\] Azure AI announces Prompt Shields for Jailbreak and Indirect prompt injection attacks 

\[3\] Sahar Abdelnabi et al. Are you still on track!? Catching LLM Task Drift with Activations 

_This challenge is co-organized by Aideen Fay\*, Sahar Abdelnabi\*, Benjamin Pannell\*, Giovanni Cherubin\*, Ahmed Salem, Andrew Paverd, Conor Mac Amhlaoibh, Joshua Rakita, Santiago Zanella-Beguelin, Egor Zverev, Mark Russinovich, and Javier Rando_

(\*: Core contributors).

Tag

#mac