Latest news with #Keybase

US government sanctions tech company involved in cyber scams

Yahoo

4 days ago

  • Business

The U.S. government imposed sanctions on Funnull, a company accused of providing infrastructure for cybercriminals running "pig butchering" crypto scams that have led to $200 million in losses for American victims.

On Thursday, the Treasury's Office of Foreign Assets Control announced the sanctions, saying Funnull is "linked to the majority of virtual currency investment scam websites reported to the FBI." The press release said that the $200 million in losses amounts to an average loss of $150,000 per victim, but that the numbers "likely underestimate the total losses, as many victims of scams do not report the crime."

Pig butchering scams involve criminals approaching victims online, often pretending to be interested in a romantic relationship, with the goal of tricking the victims into sending them money to invest in nonexistent crypto projects.

According to the Treasury, Funnull is based in the Philippines and run by Chinese national Liu Lizhi, who was also sanctioned on Thursday. Funnull, according to the Treasury, generated domain names for websites on IP addresses it owns, and provided "web design templates to cybercriminals."

"These services not only make it easier for cybercriminals to impersonate trusted brands when creating scam websites, but also allow them to quickly change to different domain names and IP addresses when legitimate providers attempt to take the websites down," the Treasury said. The FBI released an alert that included more information about these activities.

The Treasury referred to the Polyfill supply chain attack in its press release, saying Funnull "purchased a repository of code used by web developers and maliciously altered the code to redirect visitors of legitimate websites to scam websites and online gambling sites, some of which are linked to Chinese criminal money laundering operations."

Those activities are exactly what researchers from cybersecurity firm Silent Push accused Funnull of carrying out last year. The researchers found that Funnull was responsible for the Polyfill supply chain attack, which was launched to push malware to whoever visited websites that used Polyfill's code. The goal was to redirect users to a malicious network of casino and online gambling sites, the researchers found.

Do you have more information about Funnull, or other companies facilitating scams? From a non-work device and network, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email.

Zach Edwards, a researcher at Silent Push who worked on the Funnull report last year, told TechCrunch that he was "really glad to see the facts aligned with our suspicions."

"It's encouraging that the Treasury has taken actions against the largest pig butchering and money laundering network that exists targeting people in the U.S., but we know that more needs to be done," said Edwards. "This effort from Funnull is the tip of the iceberg for what is actually going on right now out of China with financial schemes targeting Americans."

"Global threat actors that are targeting Americans with financial scams need to be held accountable, and doxing the companies they work with and the individuals who run those companies, is an important first step," he added.

Government hackers are leading the use of attributed zero-days, Google says

Yahoo

01-05-2025

Hackers working for governments were responsible for the majority of attributed zero-day exploits used in real-world cyberattacks last year, per new research from Google.

Google's report said that the number of zero-day exploits — referring to security flaws that were unknown to the software makers at the time hackers abused them — had dropped from 98 exploits in 2023 to 75 exploits in 2024. But the report noted that of the zero-days Google could attribute — meaning it could identify the hackers responsible for exploiting them — at least 23 were linked to government-backed hackers.

Among those 23 exploits, 10 zero-days were attributed to hackers working directly for governments, including five exploits linked to China and another five to North Korea. Another eight exploits were identified as having been developed by spyware makers and surveillance enablers, such as NSO Group, which typically claim to sell only to governments. Among those eight exploits made by spyware companies, Google is also counting bugs that were recently exploited by Serbian authorities using Cellebrite phone-unlocking devices.

Even though there were eight recorded cases of zero-days developed by spyware makers, Clément Lecigne, a security engineer at Google Threat Intelligence Group (GTIG), told TechCrunch that those companies "are investing more resources in operational security to prevent their capabilities being exposed and to not end up in the news."

Google added that surveillance vendors continue to proliferate. "In instances where law enforcement action or public disclosure has pushed vendors out of business, we've seen new vendors arise to provide similar services," James Sadowski, a principal analyst at GTIG, told TechCrunch. "As long as government customers continue to request and pay for these services, the industry will continue to grow."

Do you have more information about government hacking groups, zero-day developers, or spyware makers? From a non-work device and network, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email.

The remaining 11 attributed zero-days were likely exploited by cybercriminals, such as ransomware operators targeting enterprise devices, including VPNs and routers. The report also found that the majority of the 75 zero-days exploited during 2024 targeted consumer platforms and products, like phones and browsers, while the rest exploited devices typically found on corporate networks.

The good news, according to Google's report, is that software makers defending against zero-day attacks are increasingly making it more difficult for exploit makers to find bugs. "We are seeing notable decreases in zero-day exploitation of some historically popular targets such as browsers and mobile operating systems," per the report.

Sadowski specifically pointed to Lockdown Mode, a special feature for iOS and macOS that disables certain functionality with the goal of hardening cell phones and computers, which has a proven track record of stopping government hackers, as well as Memory Tagging Extension (MTE), a security feature of modern Google Pixel chipsets that helps detect certain types of memory-safety bugs and improve device security.

Reports like Google's are valuable because they give the industry, and observers, data points that contribute to our understanding of how government hackers operate — even if an inherent challenge with counting zero-days is that, by nature, some of them go undetected, and of those that are detected, some still go without attribution.

NSO lawyer names Mexico, Saudi Arabia, and Uzbekistan as spyware customers behind 2019 WhatsApp hacks

Yahoo

16-04-2025

  • Politics

The governments of Mexico, Saudi Arabia, and Uzbekistan, among others, were behind the 2019 hacking campaign that targeted more than 1,200 WhatsApp users with NSO Group's Pegasus spyware, according to a lawyer working for the Israeli spyware maker.

During a hearing in the lawsuit between WhatsApp and NSO Group last Thursday, NSO Group's lawyer Joe Akrotirianakis specifically named the three governments as the spyware-using customers, according to a transcript of the hearing obtained by TechCrunch this week.

This is the first time that representatives for NSO Group have publicly confirmed who the spyware maker's customers are (or were), after years of refusing to acknowledge or discuss its clientele; an NSO Group spokesperson told TechCrunch in 2023, for example, that the company was "unable" to do so.

The revelation comes as part of a lawsuit brought by Meta-owned WhatsApp in 2019, which accused NSO Group of hacking around 1,400 WhatsApp users by exploiting a vulnerability in the messaging app's systems between around April and May that same year.

Do you have more information about NSO Group, or other spyware companies? From a non-work device and network, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email.

The content of last week's hearing was first reported by Courthouse News Service.

In the lawsuit's complaint, WhatsApp claimed that there were more than 100 targeted victims who work as human rights activists, journalists, and "other members of civil society." Citizen Lab, a digital rights group that has investigated government spyware abuses for more than a decade, said in a report at the time that it helped WhatsApp identify those victims.

Last week, NSO Group's lawyer Akrotirianakis told the judge that "there's at least eight customers whose names are part of the discovery in this case," but only named three during the hearing.

At the same time, the lawyer also hinted that a list of countries included in a court document unsealed last week, which shows in what countries 1,223 victims of the 2019 spyware campaign were located, is also a list containing NSO Group customers. "Pegasus was licensed for territories and it can only be used in those territories," said Akrotirianakis, referring to NSO Group's marquee spyware.

Apart from Mexico and Uzbekistan, the list of 51 countries includes Bahrain, India, Morocco, Spain, the United Kingdom, and the United States. Saudi Arabia, which was mentioned by NSO Group's lawyer in the hearing, however, does not appear in the list. This could be explained by the fact that some of NSO Group's customers can target individuals outside of their own territory. For example, in 2017, Citizen Lab reported that there was "circumstantial evidence" to suggest that one or more of NSO Group's government customers in Mexico targeted several individuals, including the child of a well-known Mexican journalist, who was inside the United States at the time he was targeted.

Reached by TechCrunch, NSO Group spokesperson Gil Lainer declined to comment. When asked, Lainer did not dispute that Mexico, Saudi Arabia, and Uzbekistan were three company customers at the time of the WhatsApp spyware campaign.

WhatsApp's spokesperson Zade Alsaway told TechCrunch that the company is looking forward "to the upcoming trial to determine damages, and securing an injunction against NSO to protect WhatsApp and people's private communication."

On Tuesday, in a pre-trial order, the judge presiding over the lawsuit said that while NSO Group said that documents provided as part of the lawsuit identify "at least four countries as NSO customers," the company has not confirmed that those countries are its customers.

"The evidentiary record is opaque as to which of [NSO's] clients were responsible for the attacks at issue, and thus [WhatsApp] were unable to discover evidence about whether screening procedures were followed with respect to those clients," wrote the judge. "Moreover, to the extent that the parties discuss facts regarding clients who were found to have misused Pegasus, those facts appear to have come from media reports, rather than from defendants."

For years, organizations like Citizen Lab and Amnesty International have documented cases where Pegasus was used to target or hack journalists, dissidents, and human rights defenders in some of the countries mentioned in the victim list, such as Mexico, Hungary, Spain, and the United Arab Emirates, among several others.

TechCrunch reached out for comment to the embassies of Mexico, Saudi Arabia, and Uzbekistan in the U.S. and will update the story if we receive a response.

Google fixes two Android zero-day bugs actively exploited by hackers

Yahoo

08-04-2025

On Monday, Google released an update for Android that fixes two zero-day flaws that "may be under limited, targeted exploitation," as the company put it. That means Google is aware that hackers have been and may still be using the bugs to compromise Android devices in real-world scenarios.

One of the two now-fixed zero-days, tracked as CVE-2024-53197, was identified by Amnesty International in collaboration with Benoît Sevens of Google's Threat Analysis Group, the tech giant's security team that tracks government-backed cyberattacks. In February, Amnesty said it had found that Cellebrite, a company that sells devices to law enforcement for unlocking and forensically analyzing phones, was taking advantage of a chain of three zero-day vulnerabilities to hack into Android phones.

Do you have more information about Android zero-days? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email. You also can contact TechCrunch via SecureDrop.

In this case, Amnesty found the vulnerabilities, including the one patched on Monday, being used against a Serbian student activist by local authorities armed with Cellebrite.

There isn't a lot of information, however, on the second vulnerability, CVE-2024-53150, patched on Monday, other than the fact that its discovery was also credited to Google's Sevens and that the flaw was found in the kernel, the core of an operating system.

Google did not immediately respond to a request for comment. Amnesty spokesperson Hajira Maryam said the non-profit did not have anything to share at this point.

The tech giant said in its advisory that "the most severe of these issues is a critical security vulnerability in the System component that could lead to remote escalation of privilege with no additional execution privileges needed," and that "user interaction is not needed for exploitation."

Google said that it would push source code patches for the two fixed zero-days within 48 hours of the advisory, while also noting that Android partners are "notified of all issues at least a month before publication." Because Android is open source and shipped by many vendors, each phone manufacturer now has to build and push the patches out to its own users, so the time between Google's advisory and a fix reaching a given device varies by manufacturer.

This story was updated to include Amnesty's response.

Hackers launder most of Bybit's stolen crypto worth $1.4B

Yahoo

05-03-2025

  • Business

The hackers who stole around $1.4 billion in cryptocurrency from crypto exchange Bybit have moved nearly all of the stolen proceeds and converted them into Bitcoin, in what experts call the first phase of the money-laundering operation.

On February 21, Bybit said that a "sophisticated attack" on one of the company's wallets resulted in the theft of 401,346 Ethereum, worth around $1.4 billion at the time, in what is the largest crypto theft in history and possibly the largest heist of any kind ever. Blockchain monitoring firms and researchers, as well as the FBI, have accused the North Korean government of being behind the hack.

Since the digital robbery, the hackers have moved all the Ethereum they stole out of the dozens of crypto wallets they originally split the proceeds between and have converted most of the funds to Bitcoin, according to Tom Robinson, the co-founder and chief scientist of crypto monitoring firm Elliptic, and Ari Redbord, a former federal prosecutor and senior Treasury official who is now global head of policy at TRM Labs, also a blockchain monitoring firm.

Andrew Fierman, the head of national security intelligence at blockchain monitoring firm Chainalysis, told TechCrunch that the company is tracking around 90% of the stolen Bybit funds, "the majority of which have been converted to [Bitcoin] and are being held in ~4,400 addresses." "The remaining ~10% of stolen funds have been lost to fees/freezes/off-ramped," the company said. Off-ramps are services that turn crypto into cash.

During this first phase, between February 24 and March 2, the North Korean hackers took steps to obscure the origins of the stolen cryptocurrency. According to Redbord, the hackers did this by mostly relying on THORSwap, a decentralized protocol that enables users to swap assets across different blockchains "without the need for an intermediary." These laundering steps, Redbord said, showed an "unprecedented level of operational efficiency" from the hackers.

"This rapid laundering suggests that North Korea has either expanded its money-laundering infrastructure or that underground financial networks, particularly in China, have enhanced their capacity to absorb and process illicit funds," said Redbord. "The scale and velocity of this operation present new challenges for investigators, as traditional anti-money laundering (AML) mechanisms struggle to keep pace with the high volume of illicit transactions."

At the same time, both Redbord and Robinson said that this is only the beginning for the hackers. "They still have a way to go to benefit from these funds," Robinson told TechCrunch.

Do you have more information about the Bybit hack, or other crypto heists? From a non-work device and network, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email. You also can contact TechCrunch via SecureDrop.

Redbord explained that, for now, the second phase has entailed depositing "an initial tranche" of the stolen funds, now Bitcoin, into mixers, which is designed to "create doubt in the tracing process" for investigators. Crypto mixers (or tumblers) are services designed to obscure the origin and destination of someone's cryptocurrency by mixing it with other users' funds.

"Up to this point essentially anyone with the patience and willingness could follow the flow of the Bybit funds. Mixers, though, are major hurdles for most investigators," said Robinson.

Redbord noted, however, that mixers usually receive a volume of a few million to $10 million a day, so "whether these mixers can continue to absorb the amount of money at play is an open question." In other words, while the hackers got a major, record-breaking amount of loot from Bybit, it's still unclear how much of it the hackers will be able to convert to cash.

But there's still hope for Bybit to recover some of it, according to Robinson. "It's likely that at least some of these funds will pass through exchanges, where they could potentially be frozen," Redbord said. "It's just a question of whether those exchanges are aware quickly enough that they are handling stolen assets."

After the hack, Bybit offered a total bounty of $140 million to anyone who could help trace the funds and freeze them, a process that prevents anyone else from accessing the funds. The company said it would pay 5% of the recovered funds to "the entity that successfully froze the funds," and 5% to whoever first reported the funds and led to them being frozen. As of this writing, Bybit has awarded only $4.3 million to 19 bounty hunters, according to the official page of the bounty.

Bybit did not respond to a request for comment.
