A Hacker May Have Deepfaked Trump's Chief of Staff in a Phishing Campaign

WIRED

30-05-2025

Andy Greenberg Matt Burgess Lily Hay Newman May 30, 2025 2:42 PM Plus: An Iranian man pleads guilty to a Baltimore ransomware attack, Russia's nuclear blueprints get leaked, a Texas sheriff uses license plate readers to track a woman who got an abortion, and more. Photo-Illustration: Wired Staff;For years, a mysterious figure who goes by the handle Stern led the Trickbot ransomware gang and evaded identification—even as other members of the group were outed in leaks and unmasked. This week German authorities revealed, without much fanfare, who they believe that enigmatic hacker kingpin to be: Vi­ta­ly Ni­ko­lae­vich Kovalev, a 36-year-old Russian man who remains at large in his home country.
Closer to home, WIRED revealed that Customs and Border Protection has mouth-swabbed 133,000 migrant children and teenagers to collect their DNA and uploaded their genetic data into a national criminal database used by local, state, and federal law enforcement. As the Trump administration's migrant crackdown continues, often justified through invocations of crime and terrorism, WIRED also uncovered evidence that ties a Swedish far-right mixed-martial-arts tournament to an American neo-Nazi 'fight club' based in California.
For those seeking to evade the US government surveillance, we offered tips about more private alternatives to US-based web browsing, email, and search tools. And we assembled a more general guide to protecting yourself from surveillance and hacking, based on questions our senior writer Matt Burgess received in a Reddit Ask Me Anything.
But that's not all. Each week, we round up the security and privacy news we didn't cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.
The FBI is investigating who impersonated Susie Wiles, the Trump White House's chief of staff and one of the president's closest advisors, in a series of fraudulent messages and calls to high-profile Republican political figures and business executives, the Wall Street Journal reported. Government officials and authorities involved in the probe say the spear phishing messages and calls appear to have targeted individuals on Wiles' contact list, and Wiles has reportedly told colleagues that her personal phone was hacked to gain access to those contacts.
Despite Wiles' reported claim of having her device hacked, it remains unconfirmed whether this was actually how attackers identified Wiles' associates. It would also be possible to assemble such a target list from a combination of publicly available information and data sold by gray market brokers.
'It's an embarrassing level of security awareness. You cannot convince me they actually did their security trainings,' says Jake Williams, a former NSA hacker and vice president of research and development at Hunter Strategy. 'This is the type of garden variety social engineering that everyone can end up dealing with these days and certainly top government officials should be expecting it.'
In some cases, the targets received not just text messages but phone calls that impersonated Wiles' voice, and some government officials believe the calls may have used artificial intelligence tools to fake Wiles' voice. If so, that would make the incident one of the most significant cases yet of so-called 'deepfake' software being used in a phishing attempt.
It's not yet clear how Wiles' phone might have been hacked, but the FBI has ruled out that a foreign nation is involved in the impersonation campaign, the Bureau reportedly told White House officials. In fact, while some of the impersonation attempts appeared to have political goals—a member of Congress, for instance, was asked to assemble a list of people Trump might pardon—in at least one other case the impersonator tried to trick a target into setting up a cash transfer. That attempt at a money grab suggests that the spoofing campaign may be less of an espionage operation than a run-of-the-mill cybercriminal fraud scheme, albeit one with a very high-level target.
'There's an argument here for using something like Signal—yes, the irony—or another messaging platform that offers an independent form of authentication if users want to validate who they're talking to,' Hunter Strategy's Williams says. "The key thing as always is for government officials to be using vetted tools and following all federally mandated protocols rather than just winging it on their own devices." Iranian Man Behind Baltimore Ransomware Attack Pleads Guilty
The 2019 ransomware attack against the city government of Baltimore represents one of the worst municipal cybersecurity disasters on record, paralyzing city services for months and costing taxpayers tens of millions of dollars. Now the Department of Justice has unexpectedly revealed that it arrested one of the hackers behind that attack, 37-year-old Sina Gholinejad, in North Carolina last January, and that he's pleaded guilty in court. Gholinejad has admitted to being involved in the larger Robbinhood ransomware campaign that hit other targets including the cities of Greenville, North Carolina and Yonkers, New York. It's still far from clear how Gholinejad was identified or why he traveled from Iran to the US, given that most ransomware criminals are careful to remain in countries that don't have extradition agreements with the US government and are thus beyond US law enforcement's reach. Indeed, the indictment against him names several unnamed co-conspirators who may be still at large in Iran. Russia's Nuclear Blueprints Exposed in Huge Document Leak
More than two million documents left exposed in a public database have revealed Russia's nuclear weapons facilities in unprecedented levels of detail, according to reporting this week by Danish media outlet Danwatch and Germany's Der Spiegel. Reporters examined the huge trove of documents relating to Russian military procurement—as Russian authorities slowly restricted access—and found blueprints for nuclear facilities across the country. Experts called the leak an unparalleled breach of Russia's nuclear security, with the data potentially being incredibly useful for foreign governments and intelligence services.
The documents show how Russia's nuclear facilities have been rebuilt in recent years, where new facilities have been created, detailed site plans including the locations of barracks and watchtowers, and the locations of underground tunnels connecting buildings together. There are descriptions of IT systems and security systems, including information on surveillance cameras, electric fences being used, and the alarm systems in place. 'It's written explicitly where the control rooms are located, and which buildings are connected to each other via underground tunnels,' Danwatch reports. Cops Used License Plate Recognition Cameras in Search for Woman Who Got an Abortion
License plate recognition cameras are creating huge databases of people's movements across America—capturing where and when cars are traveling. For years there have been concerns that the cameras could be weaponized by law enforcement officials or private investigators and turned against those seeking abortions or providing abortion related care. Officials from Johnson County Sheriff's Office in Texas—where nearly all abortions are illegal—searched 83,000 Flock license plate reader cameras at the start of this month while looking for a woman they claim had a self-administered abortion, 404 Media reported this week.
Sheriff Adam King said that the officials weren't trying to 'block her from leaving the state' and were searching for the woman as her family were concerned about her safety. However, experts say that conducting a search across the entire United States shows the sprawling dragnet of license plate reader cameras and highlights how those seeking abortions can be tracked. 'The idea that the police are actively tracking the location of women they believe have had self administered abortions under the guise of 'safety' does not make me feel any better about this kind of surveillance,' Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation told 404 Media. Investment Scam Company Linked to $200 Million in Losses Sanctioned by US Government
Philippines-based company Funnull Technology Inc and its boss Liu Lizhi have been sanctioned by the Department of the Treasury's Office of Foreign Assets Control (OFAC) for their links to investment and romance scams, which are often referred to as 'pig butchering' scams. 'Funnull has directly facilitated several of these schemes, resulting in over $200 million in U.S. victim-reported losses,' OFAC said in a statement announcing the sanctions. The company purchases IP addresses from major cloud service providers and then sells them to cybercriminals who could use them to host scam websites—OFAC says Fullnull is 'linked to the majority' of investment scam websites reported to the FBI. In January independent cybersecurity journalist Brian Krebs detailed how Fullnull was abusing Amazon and Microsoft's cloud services.