| CNN Politics edition.cnn.com
By Sean Lyngaas
Oct 8, 2025

Suspected Chinese government-backed hackers have breached computer systems of US law firm Williams & Connolly, which has represented some of America’s most powerful politicians, as part of a larger spying campaign against multiple law firms, according to a letter the firm sent clients and a source familiar with the hack.

The cyber intrusions have hit the email accounts of select attorneys at these law firms, as Beijing continues a broader effort to gather intelligence to support its multi-front competition with the US on issues ranging from national security to trade, multiple sources have told CNN.

The hackers in this case used a previously unknown software flaw, coveted by spies because it allows for stealth, to access Williams & Connolly’s computer network, said the letter sent to clients this week and reviewed by CNN. The letter did not name the hackers responsible, but the source familiar with the hack told CNN that Beijing was the prime suspect.

“Given the nature of the threat actor, we have no reason to believe that the data will be disclosed or used publicly,” the letter said, in a hint that the intruder was focused on espionage rather than extortion.

CNN has reached out to the Chinese Embassy in Washington, DC for comment.

Liu Pengyu, a spokesperson for the embassy, told CNN in response to a separate hacking allegation last month: “China firmly opposes and combats all forms of cyber attacks and cybercrime.”

It was not immediately clear which Williams & Connolly attorneys or clients were affected by the hack.

Williams & Connolly is known for its politically influential clientele and a storied bench of courtroom lawyers. The firm has represented Bill and Hillary Clinton; corporate clients, including tech, health care and media companies; and white-collar criminal defendants like Theranos founder Elizabeth Holmes.

A Williams & Connolly spokesperson declined to answer questions on who was responsible for the hack.

The hackers are “believed to be affiliated with a nation-state actor responsible for recent attacks on a number of law firms and companies,” Williams & Connolly said in a statement to CNN. “We have taken steps to block the threat actor, and there is now no evidence of any unauthorized traffic on our network.”

Another prominent US law firm hit by suspected Chinese hackers is Wiley Rein, CNN reported in July. With clients that span the Fortune 500, Wiley Rein is a powerful player in helping US companies and the government navigate the trade war with China.

The suspected Chinese hackers have been rampant in recent weeks, also hitting the cloud-computing firms that numerous American companies rely on to store key data, experts at Google-owned cybersecurity firm Mandiant have told CNN. In a sign of how important China’s hacking army is in the race for tech supremacy, the hackers have also stolen US tech firms’ proprietary software and used it to find new vulnerabilities to burrow deeper into networks, according to Mandiant.

The Chinese government routinely denies allegations that it conducts hacking operations, often pointing to alleged US operations targeting Chinese entities and accusing Washington of a “double standard.”

At any given time, the FBI has multiple investigations open into China’s elite hacking teams, which US officials consider the biggest state-backed cyber threat to American interests.

CNN has requested comment from the FBI.

“Law firms are prime targets for nation-state threat actors because of the complex, high-stakes issues they handle,” said Sean Koessel, co-founder of cybersecurity firm Volexity, which has investigated Chinese digital spying campaigns.

“Intellectual property, emerging technologies, international trade, sanctions, public policy, to name a few,” Koessel told CNN. “In short, they hold a wealth of sensitive, non-public information that can offer significant strategic advantage.”

fortune.com
By Amanda Gerut
News Editor, West Coast
October 4, 2025 at 5:33 AM EDT

Using AI to create fake identities, they get remote jobs, then hide in plain sight—in Slack, on Zooms, and in corporate infrastructure.

But at a cybersecurity conference in Las Vegas this August, an analyst wearing a black hoodie and dark glasses who goes by “SttyK” broke some disappointing news to a packed crowd of researchers, executives, and government employees: That trick no longer works. “Do not [ask why] Kim Jong-un is so fat,” SttyK warned in all-caps on a presentation slide. “They all notice what you guys have noticed and improved their opsec [operation security].”

It might sound far-fetched—like the plot of a Cold War–era spy movie—but the scheme is all too real, according to the FBI and other agencies, as well as the UN, cybersecurity investigators, and nonprofits: Thousands of North Korean men trained in information technology are stealing identities, falsifying their résumés, and deceiving their way into highly paid remote tech jobs in the U.S. and other wealthy countries, using artificial intelligence to fabricate work and veil their faces and identities.

In violation of international sanctions, the scam has pried open a gusher of cash for Kim’s government, which confiscates most of the IT workers’ salaries. The FBI estimates that the program has funneled anywhere from hundreds of millions to $1 billion to the authoritarian regime in the past five years, funding ruler Kim’s ambition of building the Democratic People’s Republic of North Korea (DPRK) into a nuclear-armed force.

The afflicted include hundreds of Fortune 500 businesses, aerospace manufacturers, and U.S. financial institutions ranging from banks to tiny crypto startups, says the FBI. The North Korean workers also take on freelance gigs and subcontracting: They have posed as HVAC specialists, engineers, and architects, spinning up blueprints and municipal approvals with the help of AI.

Companies across Europe, as well as Saudi Arabia and Australia, have also been targeted. Government officials and cybersecurity investigators from the U.S., Japan, and South Korea met in Tokyo in late August to forge stronger collaborative ties to counter the incursions.

The scheme is one of the most spectacular international fraud enterprises in history, and it creates layer upon layer of risks for companies that fall for it. First, there’s the corporate security danger posed by agents of a foreign government being within a company’s internal systems.

Then there’s the legal risk that comes with violating sanctions against North Korea, even if unintentionally. U.S. and international sanctions are intended to isolate and punish the bellicose rogue state, and violations can jeopardize national security for the U.S. and its allies, according to the FBI. “This is a code red,” said U.S. Attorney for D.C. Jeanine Pirro at a press conference in July. “Your tech sectors are being infiltrated by North Korea. And when big companies are lax and they’re not doing their due diligence, they are putting America’s security at risk.”

Companies also must confront the distressing possibility that an employee—perhaps even one making a six-figure salary—could be laboring under conditions that one South Korea–based NGO has called “comparable to modern slavery.”

That’s because the North Korean men (and they are all men) who are perpetrating these deceptions are also, in a sense, victims of the brutal regime: They are separated from their families and trafficked to offshore sites to do the remote IT work, and they face the prospect of beatings, imprisonment, threats to their loved ones, and other human rights violations if they fail to make enough money for the North Korean government.

“The Call is Coming from Inside the House”
This covert weaponization of the techdependent global economy has ensnared every industry and company size. But it has proved incredibly difficult to find and prosecute members of this shadow workforce among the U.S.’s 6 million tech and IT employees. Those tracking the scheme say that agents hide in plain sight in the IT and tech departments of American companies: writing and testing code, discussing bugs, updating deliverables, and even joining video scrums and chatting via Slack. Over the past 12 months, the scheme has proliferated further, with a 220% worldwide increase in intrusions into companies, according to cybersecurity firm CrowdStrike.

Here’s how the international scam often works: North Korean workers, many living in four- or five-man clusters in China or Russia, use AI to create unique personas based on real, verified identities to evade background checks and other standard security measures. Sometimes they buy these identities from Americans, and other times they steal them outright. They craft detailed LinkedIn profiles, topped with a headshot—usually manipulated—with work histories and technical certifications.

“If this happened to these big banks, to these Fortune 500 companies, it can or is happening at your company.”
U.S. Attorney for D.C. Jeanine Pirro

Paid coconspirators in the U.S. and elsewhere physically hold on to the fraudulent workers’ company laptops and turn them on each morning so that the agents can remotely access them from other locations. The FBI has raided dozens of these sites, known as “laptop farms,” across the U.S., said CrowdStrike’s counter adversary VP Adam Meyers. And now they’re popping up overseas. “We’ve seen the operations all over,” said Meyers, “ranging from Western Europe all across to Romania and Poland.”

The broad and decentralized program, with work camps largely based in countries where there is little international cooperation among law enforcement, has so far been a frustrating game of Whac-a-Mole for law enforcement agencies, which have arrested only lower-level accomplices. “Both the Chinese and Russian governments are aware these IT workers are actively defrauding and victimizing Americans,” an FBI spokesman told Fortune. “The Chinese and Russian governments are not enforcing sanctions against these individuals operating in their country.”

Reputational risk from the intrusions has kept targeted companies largely silent so far, although federal agencies including the Department of Justice, FBI, and State Department have jointly issued dozens of public warnings to executives without naming the specific companies that have been impacted. One exception is the sneaker and apparel giant Nike, which identified itself as a victim of the scheme after discovering it had hired a North Korean operative who worked for the company in 2021 and 2022. Nike did not respond to multiple requests for comment.

“There are probably, today, somewhere between 1,000 and 10,000 fake employees working for companies around the world,” said Roger Grimes, an expert in the North Korean IT worker scheme with cybersecurity firm KnowBe4. “Most of the companies don’t talk about it when it happens—but they reach out secretly.” Grimes estimates he has spoken with executives from 50 to 75 companies that have unknowingly hired North Koreans. Even his own company is not immune: KnowBe4 last year disclosed that it unwittingly hired a North Korean worker who doctored a photo with AI and used a stolen identity.

A panel of experts convened by the UN to assess compliance with sanctions against North Korea estimates that the IT worker scheme generates between $250 million and $600 million in revenue annually from workers who transfer their earnings to the regime. The panel reported last year that IT workers in the scheme are expected to earn at least $100,000 annually. The highest earners make between $15,000 and $60,000 a month and are allowed to keep 30% of their salaries. The lowest can only keep 10%.

Businesses that hire these workers—even unintentionally—are violating regulatory and financial sanctions, which creates legal liability if U.S. law enforcement ever opted to charge companies. “The call is coming from inside the house,” said Pirro at the July press conference. “If this happened to these big banks, to these Fortune 500, brand-name, quintessential American companies, it can or is happening at your company. Corporations failing to verify virtual employees pose a security risk for all.”

She continued, speaking directly to American companies: “You are the first line of defense against the North Korean threat.”

The Motivation and the Impact
The growing awareness of the North Korean IT worker scheme has raised alarms in recent years, but its roots go back decades. A DPRK nuclear test in 2006 led to the UN’s Security Council imposing comprehensive sanctions that year, and then expanding those sanctions in 2017 to prohibit trade and ban companies from employing North Korean workers.

President Donald Trump signed into law further U.S. sanctions on North Korea during his first term. The law, “Countering America’s Adversaries Through Sanctions Act,” assumes that any goods made anywhere in the world by North Korean workers should be considered the products of “forced labor” and are forbidden from entering the U.S.

Starved of cash by international sanctions, the regime began sending agents overseas to earn money in various industries, including construction, fishing, and cigarette smuggling. They eventually moved into the lucrative field of tech. Then, when businesses turned to remote work during the pandemic, the IT scheme took off, explained cybersecurity firm DTEX Systems lead investigator Michael “Barni” Barnhart.

The IT operation functions separately from North Korea’s army of malicious hackers, who focus on ransomware and crypto heists, although cybersecurity experts believe the two teams are yoked closely enough to share intelligence and work in tandem.

Grimes is often surprised by the audacity of the IT deceptions, he said. In one instance, he told Fortune, a company thought it had hired three people, but they were actually just a single North Korean man managing three personas. He had successfully used the same photo to apply to multiple jobs but altered it to make each image slightly different—long hair, short hair, and three different names. “Once you see it, it’s so obvious what they’ve done,” said Grimes. “It takes a lot of…I’m trying to think of a better term than ‘balls,’ but it takes a lot of balls to use the same picture.”

For recruiters, inconsistencies—like candidates who claim to hail from Texas, but speak with Korean accents and seem to know nothing about their home state—are sometimes chalked up initially to cultural differences, Grimes said. But once companies are alerted to the conspiracy, it quickly becomes clear who the fraudulent hires are.

The impact of the scheme becoming more publicly known in the past couple of years has led to what the FBI described to Fortune as an escalating desperation among the workers, and a shift in tactics: There have been more attempts to steal intellectual property and data when workers are discovered and fired.

Investigators recently identified a new evolution in the operational structure, which further conceals the North Korean IT workers. They’re subcontracting out more of the actual labor to developers based in India and Pakistan, investigator Evan Gordenker of incident response firm Palo Alto Networks explained. This creates what Gordenker described as a “Matryoshka doll” effect—a proxy between the North Koreans and the company paying them, and another layer of subterfuge that makes it even harder to find the culprits.

“What they’ve found is that it’s actually fairly cheap to find someone of a similar-ish skill set in Pakistan and India,” said Gordenker. It’s an alarming sign of the criminal enterprise’s success, he added: The North Korean fraudsters are so overwhelmed with work that they need to pass some of it off.

The Recruitment of American Accomplices
One ex-North Korean IT worker who communicated via email with Fortune escaped after years inside the scheme. He lives under the alias Kim Ji-min to prevent retaliation against his family still in North Korea.

His method was to use Facebook, LinkedIn, and Upwork to pose as someone looking to hire help for a software project, he explained in an email interview facilitated and translated by PSCORE, a South Korea–based NGO that has worked with thousands of North Korean refugees. When engineers and developers responded to his listings, Kim would steal their identities and use them to apply for tech jobs. He was hired to work on e-commerce websites and in software development for a health care app, he said, though he declined to name the companies he worked for: “They had no idea we were from North Korea.”

IT workers also hang out on Discord and Reddit to create relationships with freelancers and those looking to make extra cash, particularly in the “r/overemployed” subreddit, said Gordenker. The pitch is typically simple but effective, he said: “It’s usually like, ‘I’m a Japanese developer. I’m looking to get established in the United States, and I’m looking for someone to serve as the face of my company in that country. Would you be willing to, for 200 bucks a week?’” From there, the IT workers ask the person to upload photos of their ID. Sometimes it takes only five minutes. “Some people are sort of like, ‘Oh, $200 bucks a week? Yeah. Sign me up, absolutely,’” said Gordenker. “It’s stunningly easy.”

A Maryland man, Minh Phuong Ngoc Vong, pleaded guilty in April to charges that he allowed North Korean workers to use his identity to get 13 different jobs. Court records show that he offered up his driver’s license and personal details after being approached on a video game.

The recruitment tactics can be predatory: The scheme often targets people who are down on their luck, promising them easy money for picking up a laptop or submitting to a urinalysis to pass a drug test. “They will recruit people from recovering gambling addict forums and things like that where people have debt,” Gordenker said. “They need the money badly, and that creates leverage.”

Security investigator Aidan Raney, who posed as a willing American accomplice to the scheme, learned other operational details. The agents who recruited Raney spiced up his résumé with fabricated roles at companies, and turned his headshot into a black-and-white photo so it would look different from his real LinkedIn headshot. Raney corresponded with three or four workers who all called themselves “Ben,” and the Bens submitted his details to recruiters to land him the job interviews.

“They handle essentially all the work,” said Raney, founder and CEO of security firm Farnsworth Intelligence. “What they were trying to do was use my real identity to bypass background checks and things like that, and they wanted it to be extremely close to my real-life identity.”

Sometimes the work of the American accomplice is more involved: An operation in the suburbs of Phoenix facilitated by one woman, Christina Chapman, helped North Koreans fraudulently obtain jobs at 311 companies and earned the workers $17.1 million in salaries and bonuses, according to the Department of Justice’s 2024 indictment of Chapman. The operation was the biggest laptop farm busted so far, by revenue. North Koreans used 68 stolen identities to get work, and Chapman helped them dial in remotely for interviews and calls. Chapman’s cut totaled about $177,000, prosecutors said, but after pleading guilty she has been sentenced to 8.5 years in prison for her role and ordered to forfeit earnings and pay fines worth more than she ever earned in the scheme.

Nike was one of the companies that hired an IT worker in Chapman’s network, according to a victim impact statement the company filed before her sentencing. Nike paid about $75,000 to the unnamed worker over the course of five months, the letter states. “The defendant’s decision to obtain employment through Nike, via identity theft, and subsequently launder earnings to foreign state actors, was not only a violation of law—it was a betrayal of trust,” Chris Gharst, Nike’s director of global investigations, wrote to the judge. “The incident required us to expend valuable time and resources on internal investigations.”

Criminals or victims?
Law enforcement agencies and cybersecurity investigators have tracked participants in the North Korean IT worker scheme, but so far only low-level accomplices have been arrested and charged in the U.S. The workers use artificial intelligence and stolen or purchased IDs to craft fake résumés and LinkedIn pages to apply for remote jobs. Some of their names are believed to be aliases.

AI has breathed even more life into the operation. An August 2025 report from Anthropic revealed that North Korean agents had leveraged its Claude AI assistant to prep for interviews and get jobs in development and programming. “The most striking finding is the actors’ complete dependency on AI to function in technical roles,” the report states. “These operators do not appear to be able to write code, debug programs, or even communicate professionally without Claude’s assistance.”

The scam is alarming for the companies targeted, but the North Korean laborers themselves are much worse off, according to PSCORE secretarygeneral Bada Nam. Failure to meet monthly earnings quotas results in degradation, beatings, or worse—being forced back to North Korea where the workers and their families face prison, labor camps, and abuse. The consistent access to food outside of famine-ravaged North Korea might be more desirable than in-country work assignments, but the intense competition and humiliation workers face if they don’t excel has driven some to suicide, Nam said. “Because of this system, [we] view these workers not simply as perpetrators of fraud or deception, but also as victims of forced labor and human rights violations,” said Nam. “Their situation is comparable to modern slavery. Just as global consumers have become more attentive to supply chains in order to avoid supporting child labor, we believe a similar awareness is needed regarding North Korean IT workers.”

Those pursuing and trying to expose the scale and impact of this grift include the Las Vegas conference speaker SttyK, who is in his twenties and based in Japan. He is part of a secretive network of investigators who track North Korean operatives, producing research that’s used by large cybersecurity firms. The community has learned a lot from files and manuals mistakenly uploaded without password protection to the open cloud-based tech platform GitHub, which explain how to fraudulently get a remote tech job. SttyK and his research partners have also been aided by at least one secret informant involved in the scheme.

The GitHub trove shows that there are some cultural clues to watch for, SttyK told Fortune: The North Koreans prefer British to American English in translations; they use excessive amounts of exclamation marks and heart emojis in emails; and they really love the animated comedy franchise Minions, often using images from the films as their avatars. The IT workers use Slack to communicate among themselves, and SttyK showed a message from a North Korean boss reminding teams to work at least 14 hours a day. They log in six days a week, and on their day off, the workers play volleyball, diligently recording the winners and losers in spreadsheets, the GitHub files revealed.

There are no hard-and-fast rules to the scheme, said Grimes, and the quality of the work varies significantly: Some North Koreans achieve standout job performance, leveraging it so they can recommend friends or even themselves under another identity for new roles. Others only want to get their first few paychecks before they get fired for doing poor work or not showing up. “There isn’t one way of doing things,” said Grimes. “Different teams farm out the work in different ways.”

The Perpetrators as Victims Themselves
Ironically, perhaps, the harshness of the system may actually make the agents attractive hires for U.S. companies: These are tech workers who don’t complain, take personal days, or ask for mental health breaks. Indeed, beneath the sprawling scheme lies an uncomfortable truth: The modern economy prizes efficiency, productivity, and results. And North Korean IT workers are leaning in on those tenets.

In job interviews the North Koreans give the impression they love work and don’t mind 12-hour days, Grimes said. Executives at victimized companies have sometimes said the North Koreans were their best employees. This unflagging work ethic dovetails with preconceptions about Asian immigrants’ industriousness, and often outweighs the red flags that should raise alarms. “People tell themselves all sorts of stories” to rationalize inconsistencies, said Grimes. “It’s interesting human behavior.”

Mick Baccio, president of the cybersecurity nonprofit Thrunt, went a step further, suggesting that the North Koreans infiltrating American organizations may exploit employers’ inability to distinguish between different Asian ethnic groups. “Many companies have a very Western, U.S.-centric view on the problem,” he said. “I’m half Thai and it’s hard for some people to distinguish that…It’s not malicious.”

On the North Korean side, the longtime success of the scheme relies upon complete fidelity to leadership that the regime programs into citizens from a young age, said Hyun-Seung Lee, a defector who escaped North Korea 10 years ago and knew some of the IT workers in an earlier iteration of the scheme. Lee said that asking candidates to insult Kim may actually still work to expose some agents. Even now, after all these years, Lee finds he still has an emotional reaction to hearing such a thing, he said—and IT workers could be similarly affected.

“They believe that it is their fate, their responsibility, to be loyal to the regime,” said Lee. “And they’re trying to survive.”

A hub for fraud in Arizona
Christina Chapman pleaded guilty to charges related to her role in running a “laptop farm” for the North Korean scheme in the suburbs of Phoenix. Here’s what it looked like, according to the Department of Justice indictment.

68Stolen identities

311Companies scammed

$17.1 millionSalaries and bonuses transmitted to North Kora

$177,000Chapman’s earnings for her part in the scheme

This article appears in the October/November 2025 issue of Fortune with the headline “Espionage enters the chat.”

today.ucsd.edu UC San Diego
September 17, 2025
Story by:
Ioana Patringenaru - ipatrin@ucsd.edu

Study involving 19,500 UC San Diego Health employees evaluated the effectiveness of two different types of cybersecurity training

Cybersecurity training programs as implemented today by most large companies do little to reduce the risk that employees will fall for phishing scams–the practice of sending malicious emails posing as legitimate to get victims to share personal information, such as their social security numbers.

That’s the conclusion of a study evaluating the effectiveness of two different types of cybersecurity training during an eight-month, randomized controlled experiment. The experiment involved 10 different phishing email campaigns developed by the research team and sent to more than 19,500 employees at UC San Diego Health.

The team presented their research at the Blackhat conference Aug. 2 to 7 in Las Vegas. The team originally shared their work at the 46th IEEE Symposium on Security and Privacy in May in San Francisco.

Researchers found that there was no significant relationship between whether users had recently completed an annual, mandated cybersecurity training and the likelihood of falling for phishing emails. The team also examined the efficacy of embedded phishing training – the practice of sharing anti-phishing information after a user engages with a phishing email sent by their organization as a test. For this type of training, researchers found that the difference in failure rates between employees who had completed the training and those who did not was extremely low.

“Taken together, our results suggest that anti-phishing training programs, in their current and commonly deployed forms, are unlikely to offer significant practical value in reducing phishing risks,” the researchers write.

Why is it important to combat phishing?

Whether phishing training is effective is an important question. In spite of 20 years of research and development into malicious email filtering techniques, a 2023 IBM study identifies phishing as the single largest source of successful cybersecurity breaches–16% overall, researchers write.

This threat is particularly challenging in the healthcare sector, where targeted data breaches have reached record highs. In 2023 alone, the U.S. Department of Health and Human Services (HHS) reported over 725 large data breach events, covering over 133 million health records, and 460 associated ransomware incidents.

As a result, it has become standard in many sectors to mandate both formal security training annually and to engage in unscheduled phishing exercises, in which employees are sent simulated phishing emails and then provided “embedded” training if they mistakenly click on the email’s links.

Researchers were trying to understand which of these types of training are most effective. It turns out, as currently administered, that none of them are.

Why are cybersecurity trainings not effective?
One reason the trainings are not effective is that the majority of people do not engage with the embedded training materials, said Grant Ho, study co-author and a faculty member at the University of Chicago, who did some of this work as a postdoctoral researcher at UC San Diego. Overall, 75% of users engaged with the embedded training materials for a minute or less. One-third immediately closed the embedded training page without engaging with the material at all.

“This does lend some suggestion that these trainings, in their current form, are not effective,” said Ariana Mirian, another paper co-author, who did the work as a Ph.D. student in the research group of UC San Diego computer science professors Stefan Savage and Geoff Voelker.

study of 19,500 employees over eight months
To date, this is the largest study of the effectiveness of anti-phishing training, covering 19,500 employees at UC San Diego Health. In addition, it’s one of only two studies that used a randomized control trial method to determine whether employees would receive training, and what kind of phishing emails–or lures–they would receive.

After sending 10 different types of phishing emails over the course of eight months, the researchers found that embedded phishing training only reduced the likelihood of clicking on a phishing link by 2%. This is particularly striking given the expense in time and effort that these trainings require, the researchers note.

Researchers also found that more employees fell for the phishing emails as time went on. In the first month of the study, only 10% of employees clicked on a phishing link. By the eighth month, more than half had clicked on at least one phishing link.

In addition, researchers found that some phishing emails were considerably more effective than others. For example, only 1.82% of recipients clicked on a phishing link to update their Outlook password. But 30.8% clicked on a link that purported to be an update to UC San Diego Health’s vacation policy.

Given the results of the study, researchers recommend that organizations refocus their efforts to combat phishing on technical countermeasures. Specifically, two measures would have better return on investment: two-factor authentication for hardware and applications, as well as password managers that only work on correct domains, the researchers write.

This work was supported in part by funding from the University of California Office of the President “Be Smart About Safety” program–an effort focused on identifying best practices for reducing the frequency and severity of systemwide insurance losses. It was also supported in part by U.S. National Science Foundation grant CNS-2152644, the UCSD CSE Postdoctoral Fellows program, the Irwin Mark and Joan Klein Jacobs Chair in Information and Computer Science, the CSE Professorship in Internet Privacy and/or Internet Data Security, a generous gift from Google, and operational support from the UCSD Center for Networked Systems.

nytimes.com
By Chris Buckley and Adam Goldman
Sept. 28, 2025

Fears of U.S. surveillance drove Xi Jinping, China’s leader, to elevate the agency and put it at the center of his cyber ambitions.

American officials were alarmed in 2023 when they discovered that Chinese state-controlled hackers had infiltrated critical U.S. infrastructure with malicious code that could wreck power grids, communications systems and water supplies. The threat was serious enough that William J. Burns, the director of the C.I.A., made a secret trip to Beijing to confront his Chinese counterpart.

He warned China’s minister of state security that there would be “serious consequences” for Beijing if it unleashed the malware. The tone of the meeting, details of which have not been previously reported, was professional and it appeared the message was delivered.

But since that meeting, which was described by two former U.S. officials, China’s intrusions have only escalated. (The former officials spoke on the condition of anonymity because they were not authorized to speak publicly about the sensitive meeting.)

American and European officials say China’s Ministry of State Security, the civilian spy agency often called the M.S.S., in particular, has emerged as the driving force behind China’s most sophisticated cyber operations.

In recent disclosures, officials revealed another immense, yearslong intrusion by hackers who have been collectively called Salt Typhoon, one that may have stolen information about nearly every American and targeted dozens of other countries. Some countries hit by Salt Typhoon warned in an unusual statement that the data stolen could provide Chinese intelligence services with the capability to “identify and track their targets’ communications and movements around the world.”

The attack underscored how the Ministry of State Security has evolved into a formidable cyberespionage agency capable of audacious operations that can evade detection for years, experts said.

For decades, China has used for-hire hackers to break into computer networks and systems. These operatives sometimes mixed espionage with commercial data theft or were sloppy, exposing their presence. In the recent operation by Salt Typhoon, however, intruders linked to the M.S.S. found weaknesses in systems, burrowed into networks, spirited out data, hopped between compromised systems and erased traces of their presence.
“Salt Typhoon shows a highly skilled and strategic side to M.S.S. cyber operations that has been missed with the attention on lower-quality contract hackers,” said Alex Joske, the author of a book on the ministry.

For Washington, the implication of China’s growing capability is clear: In a future conflict, China could put U.S. communications, power and infrastructure at risk.

China’s biggest hacking campaigns have been “strategic operations” intended to intimidate and deter rivals, said Nigel Inkster, a senior adviser for cybersecurity and China at the International Institute for Strategic Studies in London.

“If they succeed in remaining on these networks undiscovered, that potentially gives them a significant advantage in the event of a crisis,” said Mr. Inkster, formerly director of operations and intelligence in the British Secret Intelligence Service, MI6. “If their presence is — as it has been — discovered, it still exercises a very significant deterrent effect; as in, ‘Look what we could do to you if we wanted.’”

The Rise of the M.S.S.
China’s cyber advances reflect decades of investment to try to match, and eventually rival, the U.S. National Security Agency and Britain’s Government Communications Headquarters, or GCHQ.

China’s leaders founded the Ministry of State Security in 1983 mainly to track dissidents and perceived foes of Communist Party rule. The ministry engaged in online espionage but was long overshadowed by the Chinese military, which ran extensive cyberspying operations.

After taking power as China’s top leader in 2012, Xi Jinping moved quickly to reshape the M.S.S. He seemed unsettled by the threat of U.S. surveillance to China’s security, and in a 2013 speech pointed to the revelations of Edward J. Snowden, the former U.S. intelligence contractor.

Mr. Xi purged the ministry of senior officials accused of corruption and disloyalty. He reined in the hacking role of the Chinese military, elevating the ministry as the country’s primary cyberespionage agency. He put national security at the core of his agenda with new laws and by establishing a new commission.

“At this same time, the intelligence requirements imposed on the security apparatus start to multiply, because Xi wanted to do more things abroad and at home,” said Matthew Brazil, a senior analyst at BluePath Labs who has co-written a history of China’s espionage services.

Since around 2015, the M.S.S. has moved to bring its far-flung provincial offices under tighter central control, said experts. Chen Yixin, the current minister, has demanded that local state security offices follow Beijing’s orders without delay. Security officials, he said on a recent inspection of the northeast, must be both “red and expert” — absolutely loyal to the party while also adept in technology.

“It all essentially means that the Ministry of State Security now sits atop a system in which it can move its pieces all around the chessboard,” said Edward Schwarck, a researcher at the University of Oxford who is writing a dissertation on China’s state security.

Mr. Chen was the official who met with Mr. Burns in May 2023. He gave nothing away when confronted with the details of the cyber campaign, telling Mr. Burns he would let his superiors know about the U.S. concerns, the former officials said.

The Architect of China’s Cyber Power
The Ministry of State Security operates largely in the shadows, its officials rarely seen or named in public. There was one exception: Wu Shizhong, who was a senior official in Bureau 13, the “technical reconnaissance” arm of the ministry.

Mr. Wu was unusually visible, turning up at meetings and conferences in his other role as director of the China Information Technology Security Evaluation Center. Officially, the center vets digital software and hardware for security vulnerabilities before it can be used in China. Unofficially, foreign officials and experts say, the center comes under the control of the M.S.S. and provided a direct pipeline of information about vulnerabilities and hacking talent.

Mr. Wu has not publicly said he served in the security ministry, but a Chinese university website in 2005 described him as a state security bureau head in a notice about a meeting, and investigations by Crowd Strike and other cybersecurity firms have also described his state security role.

“Wu Shizhong is widely recognized as a leading figure in the creation of M.S.S. cyber capabilities,” said Mr. Joske.

In 2013, Mr. Wu pointed to two lessons for China: Mr. Snowden’s disclosures about American surveillance and the use by the United States of a virus to sabotage Iran’s nuclear facilities. “The core of cyber offense and defense capabilities is technical prowess,” he said, stressing the need to control technologies and exploit their weaknesses. China, he added, should create “a national cyber offense and defense apparatus.”

China’s commercial tech sector boomed in the years that followed, and state security officials learned how to put domestic companies and contractors to work, spotting and exploiting flaws and weak spots in computer systems, several cybersecurity experts said. The U.S. National Security Agency has also hoarded knowledge of software flaws for its own use. But China has an added advantage: It can tap its own tech companies to feed information to the state.
“M.S.S. was successful at improving the talent pipeline and the volume of good offensive hackers they could contract to,” said Dakota Cary, a researcher who focuses on China’s efforts to develop its hacking capabilities at SentinelOne. “This gives them a significant pipeline for offensive tools.”

The Chinese government also imposed rules requiring that any newly found software vulnerabilities be reported first to a database that analysts say is operated by the M.S.S., giving security officials early access. Other policies reward tech firms with payments if they meet monthly quotas of finding flaws in computer systems and submitting them to the state security-controlled database.

“It’s a prestige thing and it’s good for a company’s reputation,” Mei Danowski, the co-founder of Natto Thoughts, a company that advises clients on cyber threats, said of the arrangement. “These business people don’t feel like they are doing something wrong. They feel like they are doing something for their country.”

oag.dc.gov September 8, 2025
Lawsuit Alleges That 93% of Deposits to Athena Bitcoin, Inc. Are From Scams That Target Vulnerable Residents & Seniors & That Athena Profits from Illegal, Hidden Fees

Attorney General Brian L. Schwalb today sued Athena Bitcoin, Inc. (Athena), one of the country’s largest operators of Bitcoin Automated Teller Machines (BTMs), for charging undisclosed fees on deposits that it knows are often the result of scams, and for failing to implement adequate anti-fraud measures. When users discover they have been scammed and seek refunds, Athena imposes a strict “no refunds” policy on their entire transactions—even failing to return the significant undisclosed fees it collects from scam victims.

An investigation by the Office of the Attorney General (OAG) showed that Athena BTMs appeal to criminals because Athena fails to provide effective oversight, creating an unchecked opportunity for illicit international fraud. Athena BTMs are most frequently used by scammers targeting elderly users who are less familiar with cryptocurrency and less likely to report fraud. According to the company’s own data from its first five months of operations in the District:

93% of all Athena BTM deposits were the direct result of scams;

Nearly half of all deposits were flagged to Athena as the product of fraud;

Victims’ median age was 71; and

The median amount lost per scam transaction was $8,000, with one victim losing a total of $98,000 in nineteen transactions over a period of several days.
“Athena’s bitcoin machines have become a tool for criminals intent on exploiting elderly and vulnerable District residents,” said Attorney General Schwalb. “Athena knows that its machines are being used primarily by scammers yet chooses to look the other way so that it can continue to pocket sizable hidden transaction fees. Today we’re suing to get District residents their hard-earned money back and put a stop to this illegal, predatory conduct before it harms anyone else.”

Athena is one of the country’s largest BTM operators and has maintained seven BTMs in the District. BTMs allow users to purchase cryptocurrencies such as Bitcoin with cash and then deposit the cryptocurrency into a digital “wallet.” The wallet should be owned by the consumer purchasing the cryptocurrency, but in the scams conducted with Athena’s machines, exploited users send large sums of money directly to swindlers.

OAG’s lawsuit alleges Athena violates the District’s Consumer Protection Procedures Act and Abuse, Neglect, and Financial Exploitation of Vulnerable Adults and the Elderly Act by:

Facilitating financial scams. Athena is well aware that the safeguards it has implemented are insufficient to protect customers from fraud. Athena’s own logs show that during its first five months of operation in the District, 48% of all funds deposited in the company’s BTMs resulted in consumers reporting directly to Athena that they had been the victim of a scam.

Illegally profiting from hidden fees. Athena BTMs charge District consumers fees of up to 26% per transaction without clearly disclosing them at any point in the process. Bitcoin purchased through other apps and exchanges typically have fees of 0.24% to 3%. In June 2024, Athena added a confusing and misleading reference to a “Transaction Service Margin” in its lengthy Terms of Service, but the magnitude of the margin is never disclosed, nor is the word “fee” ever mentioned.

Refusing to refund victims of fraud. Athena further deceives users through a refund policy that either outright denies scam victims refunds or arbitrarily caps them, even though Athena could easily return the hidden transaction fees it pockets. Athena also requires fraud victims to sign a release that frees the company of all future liability and blames victims for not sufficiently heeding onscreen BTM warnings.
With this lawsuit, OAG seeks to force Athena to bring Athena’s operations into compliance with District law, secure restitution for victims, and penalties for the District.

A copy of the lawsuit is available here.

This case is being handled by Assistant Attorneys General Anabel Butler and Jason Jones, Investigator Lu Lagravinese, and Civil Rights and Elder Justice Section Chief Alicia M. Lendon.

Resources for District Residents

Elder financial abuse is all too common and largely underreported. It happens to people across all socioeconomic backgrounds and can be perpetrated by anyone having a connection to the senior resident, whether through a family, personal, or business relationship. Elders or vulnerable adults may be hesitant to report abuse because of fear of retaliation or lack of physical or cognitive ability to report the abuse, or because they do not want to get the alleged abuser in trouble.

Resources to help residents learn how to detect, prevent, and report abuse of the elderly or vulnerable adults are available here.

| CyberScoop By
Tim Starks
September 10, 202

Major cyber intrusions by the Chinese hacking groups known as Salt Typhoon and Volt Typhoon have forced the FBI to change its methods of hunting sophisticated threats, a top FBI cyber official said Wednesday.

U.S. officials, allied governments and threat researchers have identified Salt Typhoon as the group behind the massive telecommunications hack revealed last fall but that could have been ongoing for years. Investigators have pointed at Volt Typhoon as a group that has infiltrated critical infrastructure to cause disruptions in the United States if China invades Taiwan and Americans intervene.

Those hacks were stealthier than in the past, and more patient, said Jason Bilnoski, deputy assistant director of the FBI’s cyber division. The Typhoons have focused on persistent access and gotten better at hiding their infiltration by using “living off the land” techniques that involve using legitimate tools within systems to camouflage their efforts, he said. That in turn has complicated FBI efforts to share indicators of compromise (IOCs).

“We’re having to now hunt as if they’re already on the network, and we’re hunting in ways we hadn’t before,” he said at the Billington Cybersecurity Summit. “They’re not dropping tools and malware that we used to see, and perhaps there’s not a lot of IOCs that we’d be able to share in certain situations.”

The hackers used to be “noisy,” with an emphasis on hitting a target quickly, stealing data and then escaping, Bilnoski said. But now for nation-backed attackers, “we’re watching exponential leaps” in tactics, techniques and procedures, he said.

Jermaine Roebuck, associate director for threat hunting at the Cybersecurity and Infrastructure Security Agency, said his agency is also seeing those kinds of changes in the level of stealth from sophisticated hackers, in addition to “a significant change” in their intentions and targeting.

“We saw a lot of espionage over the last several years, but here lately, there’s been a decided shift into computer network attack, prepositioning or disruption in terms of capabilities,” he said at the same conference.

The targeting has changed as organizations, including government agencies, have shifted to the cloud. “Well, guess what?” he asked. “The actors are going toward the cloud” in response.

They’ve also focused on “edge devices,” like devices that supply virtual private network connections or other services provided by managed service providers, Roebuck said. Organizations have less insight into the attacks those devices and providers are facing than more direct intrusions, he said.

therecord.media The Record from Recorded Future News, Jonathan Greig
September 9th, 2025

New York Blood Center submitted documents to regulators in Maine, Texas, New Hampshire and California that confirmed the cyberattack, which they said was first discovered on January 26.

One of the largest independent blood centers serving over 75 million people across the U.S. began sending data breach notification letters to victims this week after suffering a ransomware attack in January.

New York Blood Center submitted documents to regulators in Maine, Texas, New Hampshire and California that confirmed the cyberattack, which they said was first discovered on January 26.

The organization left blank sections of the form in Maine that says how many total victims were affected by the attack but told regulators in Texas that 10,557 people from the state were impacted. In a letter on its website, New York Blood Center said the information stolen included some patient data as well as employee information.

The information stolen during the cyberattack includes names, health information and test results. For some current and former employees, Social Security numbers, driver’s licenses or government ID cards and financial account information were also leaked.

An investigation into the attack found that hackers accessed New York Blood Center’s network between January 20 and 26, making copies of some files before launching the ransomware.

Founded in 1964, New York Blood Center controls multiple blood-related entities that collect about 4,000 units of blood products each day and serve more than 400 hospitals across dozens of states.

The organization also provides clinical services, apheresis, cell therapy, and diagnostic blood testing — much of which requires receiving clinical information from healthcare providers. The organization said some of this information was accessed by the hackers during the cyber incident.

The investigation into the ransomware attack was completed on June 30 and a final list of victims that needed to be notified was compiled by August 12.

New York Blood Center began mailing notification letters on September 5 but also posted a notice on its website and created a call center for those with questions.

Multiple blood donation and testing companies were attacked by ransomware gangs over the last year including OneBlood, Synnovis and South Africa’s national lab service.

techcrunch.com
Lorenzo Franceschi-Bicchierai
9:11 AM PDT · September 2, 2025

The Israeli spyware maker now faces the dilemma of whether to continue its relationship with U.S. Immigration and Customs Enforcement and help fuel its mass deportations program.

U.S. Immigration and Customs Enforcement (ICE) signed a contract last year with Israeli spyware maker Paragon worth $2 million.

Shortly after, the Biden administration put the contract under review, issuing a “stop work order,” to determine whether the contract complied with an executive order on commercial spyware, which restricts U.S. government agencies from using spyware that could violate human rights or target Americans abroad.

Almost a year later, when it looked like the contract would just run out and never become active, ICE lifted the stop work order, according to public records.

“This contract is for a fully configured proprietary solution including license, hardware, warranty, maintenance, and training. This modification is to lift the stop work order,” read an update dated August 30 on the U.S. government’s Federal Procurement Data System, a database of government contracts.

Independent journalist Jack Poulson was the first to report the news in his newsletter.

Paragon has for years cultivated the image of being an “ethical” and responsible spyware maker, in contrast with controversial spyware purveyors such as Hacking Team, Intellexa, and NSO Group. On its official website, Paragon claims to provide its customers with “ethically based tools, teams, and insights.”

The spyware maker faces an ethical dilemma. Now that the contract with ICE’s Information Technology Division is active, it’s up to Paragon to decide whether it wants to continue its relationship with ICE, an agency that has dramatically ramped up mass deportations and expanded its surveillance powers since Donald Trump took over the White House.
Emily Horne, a spokesperson for Paragon, as well as executive chairman John Fleming, did not respond to a request for comment.

In an attempt to show its good faith, in February of this year, Fleming told TechCrunch that the company only sells to the U.S. government and other unspecified allied countries.

Paragon has already had to face a thorny ethical dilemma. In January, WhatsApp revealed that around 90 of its users, including journalists and human rights workers, had been targeted with Paragon’s spyware, called Graphite. In the following days and weeks, Italian journalist Francesco Cancellato and several local pro-immigration activists came forward saying they were among the victims.

In response to this scandal, Paragon cut ties with the Italian government, which had in the meantime launched an inquiry to determine what happened. Then, in June, digital rights research group Citizen Lab confirmed that two other journalists, an unnamed European and a colleague of Cancellato, had been hacked with Paragon’s spyware.

An Italian parliament committee concluded that the spying of the pro-immigration activists was legal, but it also claimed that there was no evidence that Italy’s intelligence agencies, former Paragon customers, had targeted Cancellato.

John Scott-Railton, a senior researcher at Citizen Lab, who has investigated cases of spyware abuse for more than a decade, told TechCrunch that “these tools were designed for dictatorships, not democracies built on liberty and protection of individual rights.”

The researcher said that even spyware is “corrupting,” which is why “there’s a growing pile of spyware scandals in democracies, including with Paragon’s Graphite. Worse, Paragon is still shielding spyware abusers. Just look at the still-unexplained hacks of Italian journalists.”

Huawei has already ‘built an ecosystem entirely independent of the United States’, according to a senior executive.

South China Morning Post scmp.com Coco Fengin Guangdong
Published: 9:00pm, 29 Aug 2025

China has virtually overcome crippling US tech restrictions, according to a senior executive at Huawei Technologies, as mainland-developed computing infrastructure, AI systems and other software now rival those from the world’s largest economy.
Shenzhen-based Huawei, which was added to Washington’s trade blacklist in May 2019, has already “built an ecosystem entirely independent of the United States”, said Tao Jingwen, president of the firm’s quality, business process and information technology management department, at an event on Wednesday in Guiyang, capital of southwestern Guizhou province.
Tao highlighted the privately held company’s resilience at the event, as he discussed some of the latest milestones in its journey towards tech self-sufficiency.

That industry-wide commitment to tech self-reliance would enable China to “surpass the US in terms of artificial intelligence applications” on the back of the country’s “extensive economy and business scenarios”, he said.
His remarks reflected Huawei’s efforts to surmount tightened US control measures and heightened geopolitical tensions, as the company pushes the boundaries in semiconductors, computing power, cloud services, AI and operating systems.
Tao’s presentation was made on the same day that Huawei said users of token services on its cloud platform had access to its CloudMatrix 384 system, which is a cluster of 384 Ascend AI processors – spread across 12 computing cabinets and four bus cabinets – that delivers 300 petaflops of computing power and 48 terabytes of high-bandwidth memory. A petaflop is 1,000 trillion calculations per second.

justice.gov District of New Mexico | U.S. Government Seizes Online Marketplaces Selling Fraudulent Identity Documents Used in Cybercrime Schemes | United States Department of Justice
Thursday, August 28, 2025

The operators of VerifTools produced and sold counterfeit driver’s licenses, passports, and other identification documents that could be used to bypass identity verification systems and gain unauthorized access to online accounts.

ALBUQUERQUE – The U.S. Attorney’s Office for the District of New Mexico announced today the seizure of two marketplace domains and one blog used to sell fraudulent identity documents to cybercriminals worldwide. The operators of VerifTools produced and sold counterfeit driver’s licenses, passports, and other identification documents that could be used to bypass identity verification systems and gain unauthorized access to online accounts.

The Federal Bureau of Investigation (FBI) began investigating in August 2022 after discovering a conspiracy to use stolen identity information to access cryptocurrency accounts. The investigation revealed that VerifTools offered counterfeit identification documents for all 50 U.S. states and multiple foreign countries for as little as nine dollars, payable in cryptocurrency.

The FBI used the VerifTools marketplace to generate and purchase counterfeit New Mexico driver’s licenses, which were paid for with cryptocurrency. The FBI has identified the equivalent of approximately $6.4 million of illicit proceeds linked to the VerifTools marketplace. The following counterfeit documents are an example of New Mexico driver’s licenses obtained from VerifTools.

“The internet is not a refuge for criminals. If you build or sell tools that let offenders impersonate victims, you are part of the crime,” said Acting U.S. Attorney Ryan Ellison. “We will use every lawful tool to disrupt your business, take the profit out of it, and bring you to justice. No one operation is bigger than us together. With our partners at every level of law enforcement we will protect New Mexicans and defend those who stand up for our community.”

"The removal of this marketplace is a major step in protecting the public from fraud and identity theft crime," said Philip Russell, Acting Special Agent in Charge of the FBI Albuquerque Division. "Together with our partners, we will continue to target and dismantle the platforms that criminals depend on, no matter where they operate."

Acting U.S. Attorney Ryan Ellison and Acting Special Agent in Charge Philip Russell of the FBI’s Albuquerque Field Office made the announcement today.

The FBI’s Albuquerque Field Office investigated this case. The Justice Department’s Office of International Affairs provided valuable assistance.

The Justice Department collaborated closely with investigators and prosecutors from multiple jurisdictions in this investigation, including the District of New Mexico, Eastern District of Virginia, the Dutch National Police and the Netherlands Public Prosecution Service.

nytimes.com By Farnaz FassihiRonen Bergman and Mark Mazzetti 2025/08/30

Israel was able to track the movements of key Iranian figures and assassinate them during the 12-day war this spring by following the cellphones carried by members of their security forces.

The meeting was so secret that only the attendees, a handful of top Iranian government officials and military commanders, knew the time and location.

It was June 16, the fourth day of Iran’s war with Israel, and Iran’s Supreme National Security Council gathered for an emergency meeting in a bunker 100 feet below a mountain slope in the western part of Tehran. For days, a relentless Israeli bombing campaign had destroyed military, government and nuclear sites around Iran, and had decimated the top echelon of Iran’s military commanders and nuclear scientists.

The officials, who included President Masoud Pezeshkian, the heads of the judiciary and the intelligence ministry and senior military commanders, arrived in separate cars. None of them carried mobile phones, knowing that Israeli intelligence could track them.

Despite all the precautions, Israeli jets dropped six bombs on top of the bunker soon after the meeting began, targeting the two entrance and exit doors. Remarkably, nobody in the bunker was killed. When the leaders later made their way out of the bunker, they found the bodies of a few guards, killed by the blasts.

The attack threw Iran’s intelligence apparatus into a tailspin, and soon enough Iranian officials discovered a devastating security lapse: The Israelis had been led to the meeting by hacking the phones of bodyguards who had accompanied the Iranian leaders to the site and waited outside.

Israel’s tracking of the guards has not been previously reported. It was one part of a larger effort to penetrate the most tightly guarded circles of Iran’s security and intelligence apparatus that has had officials in Tehran chasing shadows for two months.
According to Iranian and Israeli officials, Iranian security guards’ careless use of mobile phones over several years — including posting on social media — played a central role in allowing Israeli military intelligence to hunt Iranian nuclear scientists and military commanders and the Israeli Air Force to swoop in and kill them with missiles and bombs during the first week of the June war.

“We know senior officials and commanders did not carry phones, but their interlocutors, security guards and drivers had phones; they did not take precautions seriously, and this is how most of them were traced,” said Sasan Karimi, who previously served as the deputy vice president for strategy in Iran’s current government and is now a political analyst and lecturer at Tehran University.

The account of Israel’s strike on the meeting, and the details of how it tracked and targeted Iranian officials and commanders, is based on interviews with five senior Iranian officials, two members of the Islamic Revolutionary Guards Corps and nine Israeli military and intelligence officials.

The security breakdowns with the bodyguards are just one component of what Iranian officials acknowledge has been a long-running and often successful effort by Israel to use spies and operatives placed around the country as well as technology against Iran, sometimes with devastating effect.

Want to stay updated on what’s happening in Iran and Israel? , and we’ll send our latest coverage to your inbox.

Following the most recent conflict, Iran remains focused on hunting down operatives that it fears remain present in the country and the government.

“Infiltration has reached the highest echelons of our decision making,” Mostafa Hashemi Taba, a former vice president and minister, said in an interview with Iranian media in late June.

This month Iran executed a nuclear scientist, Roozbeh Vadi, on allegations of spying for Israel and facilitating the assassination of another scientist. Three senior Iranian officials and a member of the Revolutionary Guards said Iran had quietly arrested or placed under house arrest dozens of people from the military, intelligence and government branches who were suspected of spying for Israel, some of them high-ranking. Israel has neither confirmed nor denied a connection to those so accused.

Spy games between Iran and Israel have been a constant feature of a decades-long shadow war between the two countries, and Israel’s success in June in killing so many important Iranian security figures shows just how much Israel has gained the upper hand.

President Masoud Pezeshkian of Iran attending a protest in Tehran on June 22, following the U.S. attacks on nuclear sites in Iran. Mr. Pezeshkian himself escaped an attack on a bunker on June 16.
Credit...
Arash Khamooshi for The New York Times
Israel had been tracking senior Iranian nuclear scientists since the end of 2022 and had weighed killing them as early as last October but held off to avoid a clash with the Biden administration, Israeli officials said.

From the end of last year until June, what the Israelis called a “decapitation team” reviewed the files of all the scientists in the Iranian nuclear project known to Israel, to decide which they would recommend to kill. The first list contained 400 names. That was reduced to 100, mainly based on material from an Iranian nuclear archive that the Mossad, the Israeli intelligence agency, had stolen from Iran in 2018. In the end, Iran said the Israelis focused on and killed 13 scientists.

At the same time, Israel was building its capacity to target and kill senior Iranian military officials under a program called “Operation Red Wedding,” a play on a bloody “Game of Thrones” episode. Brig. Gen. Amir Ali Hajizadeh, the commander of the Revolutionary Guards’ Aerospace Force, was the first target, one Israeli official said.

Ultimately, Israeli officials said, the basic idea in both operations was to locate 20 to 25 human targets in Iran and hit all of them in the opening strike of the campaign, on the assumption that they would be more careful afterward, making them much harder to hit.

In a video interview with an Iranian journalist, the newly appointed head of the Revolutionary Guards Corps, Brig. Gen. Ahmad Vahidi, said that although Israel had human operatives and spies in the country, it had tracked senior officials and scientists and discovered the location of sensitive meetings mostly through advanced technology.

“The enemy gets the majority of its intelligence through technology, satellites and electronic data,” General Vahidi said. “They can find people, get information, their voices, images and zoom in with precise satellites and find the locations.”

From the Israeli side, Iran’s growing awareness of the threat to senior figures came to be seen as an opportunity. Fearing more assassinations on the ground of the sort that Israel had pulled off successfully in the past, the supreme Iranian leader, Ayatollah Ali Khamenei, ordered extensive security measures including large contingents of bodyguards and warned against the use of mobile phones and messaging apps like WhatsApp, which is commonly used in Iran.

Those bodyguards, Israel discovered, were not only carrying cellphones but even posting from them on social media.

“Using so many bodyguards is a weakness that we imposed on them, and we were able to take advantage of that,” one Israeli defense official said.

Iranian officials had long suspected that Israel was tracking the movements of senior military commanders and nuclear scientists through their mobile phones. Last year, after Israel detonated bombs hidden inside thousands of pagers carried by Hezbollah operatives in Lebanon, Iran banned many of its officials in particularly sensitive jobs from using smartphones, social media and messaging apps.

Smartphones are now completely off limits for senior military commanders, nuclear scientists and government officials.

The protection of senior officials, military commanders and nuclear scientists is the responsibility of an elite brigade within the Revolutionary Guards called Ansar al-Mehdi. The commander in chief of Ansar, appointed last August after the new government came into office, is Gen. Mohamad Javad Assadi, one of the youngest senior commanders in the Guards.

General Assadi had personally warned several senior commanders and a top nuclear scientist, Mohammad Mehdi Tehranchi, that Israel was planning to assassinate them at least a month before they were killed on the first day of the war, according to two senior Iranian officials with knowledge of the conversation. He had also called a meeting with the team leaders of security details asking them to take extra precautions, the officials said.

The cellphone ban initially did not extend to the security guards protecting the officials, scientists and commanders. That changed after Israel’s wave of assassinations on the first day of the war. Guards are now supposed to carry only walkie-talkies. Only team leaders who do not travel with the officials can carry cellphones.

But despite the new rules, according to officials who have held meetings with General Assadi about security, someone violated them and carried a phone to the National Security Council meeting, allowing the Israelis to carry out the pinpoint strike.

Hamzeh Safavi, a political and military analyst whose father is the top military adviser to Ayatollah Khamenei, said that Israel’s technological superiority over Iran was an existential threat. He said Iran had no choice but to conduct a security shakedown, overhaul its protocols and make difficult decisions — including arrests and prosecution of high-level spies.

“We must do whatever it takes to identify and address this threat; we have a major security and intelligence bug and nothing is more urgent than repairing this hole,” Mr. Safavi said in a telephone interview.

Iran’s minister of intelligence said in a statement this month that it had foiled an Israeli assassination attempt on 23 senior officials but did not provide their names or details of their positions and ranks. It said in the months leading up to the war, Iran had discovered and foiled 13 plots by Israel that aimed to kill 35 senior military and government officials. (An Israeli intelligence official disputed the Iranian account, saying that Israel had not been carrying out operations ahead of the surprise attack in June that could have led to heightened alertness on the part of Iran.)

The statement also said that security forces had identified and arrested 21 people on charges of spying for the Mossad and working as field and support operators in at least 11 provinces around Iran.

Iran has also accelerated efforts to recruit its own spies in Israel since the attacks of Oct. 7, 2023, which ignited the war in the Gaza Strip and triggered aggressive Israeli military operations in Iran and Lebanon.

Over the past year, Shin Bet, Israel’s domestic intelligence service, has arrested dozens of Israelis and charged them with being paid agents of Iran, accused of helping collect intelligence about potential targets for Iranian strikes on Israel.

Israel has made killing Iran’s top nuclear scientists an urgent priority as a way to set back the nation’s nuclear program, even poisoning two young upcoming scientists.

As Iran made steady progress over the years toward enriching its uranium stockpile into near-weapons grade material, Israeli military and intelligence officials concluded that the campaign of sabotage and explosions in the enrichment apparatus, which the Mossad had been engaged in for many years, had only a marginal impact.

In 2021, according to three Israeli security officials, the focus turned to what Israeli officials called “the weapon group” — a cadre of Iranian scientists who the Israelis believed met regularly to work on building a device to trigger the enriched uranium and cause a nuclear explosion. This is one of the most technologically difficult parts of a nuclear project. (Iran has said its nuclear program is for peaceful purposes, and the U.N.’s atomic watchdog and American intelligence agencies have long assessed that Iran has not weaponized its nuclear project.)

It was this group of scientists that became the focus of what Israel called Operation Narnia, the military plan to kill off scientists during the war’s early days this spring.

By the time of the June 16 national security meeting of top Iranian officials, Israel had already killed a number of high-profile figures associated with the nuclear program, including Mr. Tehranchi and Fereydoun Abbasi, another nuclear scientist, both killed just days earlier. The cellphones of their bodyguards helped Israel target all of them.

But Israel was also targeting a wide variety of Iranian leaders, including the heads of government branches at the national security meeting, and killed at least 30 senior military commanders through strikes during the war.

General Hajizadeh, the head of the Revolutionary Guards’ air force, assembled his leadership team, accompanied by their security units, at the very start of the war to monitor intelligence about possible Israeli strikes. Israeli warplanes swooped in and carried out a pinpoint strike on the bunker where General Hajizadeh had taken refuge, killing him and other top commanders.

Mr. Hajizadeh’s son Alireza has said that his father took extra caution with phones. On a video published on Iranian media, he said that “when my father wanted to discuss something important he would tell us to take the phones and smart devices out of the room and place it far away.”

The ability to track the bodyguards also helped lead the Israelis to the June 16 meeting. The attendees, in addition to Mr. Pezeshkian, the Iranian president, included the speaker of Parliament, Gen. Mohammad Baqer Ghalibaf, and the head of the judiciary, Gholam-Hossein Mohseni-Ejei. Also on hand were the ministers of the interior, defense and intelligence and military commanders, some brand-new to their jobs after their bosses had been killed in previous strikes.

The attack destroyed the room, which soon filled with debris, smoke and dust, and the power was cut, according to accounts that emerged afterward. Mr. Pezeshkian found a narrow opening through the debris, where a sliver of light and oxygen was coming through, he has said publicly.

Three senior officials said the president dug through the debris with his bare hands, eventually making enough of a space for everyone to crawl out one by one. Mr. Pezeshkian had a minor leg injury from a shrapnel wound and the minister of interior was taken to the hospital for respiratory distress, officials said.

“There was only one hole, and we saw there was air coming and we said, we won’t suffocate. Life hinges on one second,” Mr. Pezeshkian said recently, recounting the attack in a meeting with senior clerics, according to a video published in Iranian media. He said if Israel had succeeded in killing the country’s top officials it would have created chaos in the country.

“People,” he said, “would have lost hope.”

cyberscoop.com
article By
Tim Starks
August 27, 2025
Google says it is starting a cyber “disruption unit,” a development that arrives in a potentially shifting U.S. landscape toward more offensive-oriented approaches in cyberspace.

But the contours of that larger shift are still unclear, and whether or to what extent it’s even possible. While there’s some momentum in policymaking and industry circles to put a greater emphasis on more aggressive strategies and tactics to respond to cyberattacks, there are also major barriers.

Sandra Joyce, vice president of Google Threat Intelligence Group, said at a conference Tuesday that more details of the disruption unit would be forthcoming in future months, but the company was looking for “legal and ethical disruption” options as part of the unit’s work.

“What we’re doing in the Google Threat Intelligence Group is intelligence-led proactive identification of opportunities where we can actually take down some type of campaign or operation,” she said at the Center for Cybersecurity Policy and Law event, where she called for partners in the project. “We have to get from a reactive position to a proactive one … if we’re going to make a difference right now.”

The boundaries in the cyber domain between actions considered “cyber offense” and those meant to deter cyberattacks are often unclear. The tradeoff between “active defense” vs. “hacking back” is a common dividing line. On the less aggressive end, “active defense” can include tactics like setting up honeypots designed to lure and trick attackers. At the more extreme end, “hacking back” would typically involve actions that attempt to deliberately destroy an attacker’s systems or networks. Disruption operations might fall between the two, like Microsoft taking down botnet infrastructure in court or the Justice Department seizing stolen cryptocurrency from hackers.

Trump administration officials and some in Congress have been advocating for the U.S. government to go on offense in cyberspace, saying that foreign hackers and criminals aren’t suffering sufficient consequences. Much-criticized legislation to authorize private sector “hacking back” has long stalled in Congress, but some have recently pushed a version of the idea where the president would give “letters of marque” like those for early-U.S. sea privateers to companies authorizing them to legally conduct offensive cyber operations currently forbidden under U.S. law.

The private sector has some catching up to do if there’s to be a worthy field of firms able to focus on offense, experts say.

John Keefe, a former National Security Council official from 2022 to 2024 and National Security Agency official before that, said there had been government talks about a “narrow” letters of marque approach “with the private sector companies that we thought had the capabilities.” The concept was centered on ransomware, Russia and rules of the road for those companies to operate. “It wasn’t going to be the Wild West,” said Keefe, now founder of Ex Astris Scientia, speaking like others in this story at Tuesday’s conference.

The companies with an emphasis on offense largely have only one customer — and that’s governments, said Joe McCaffrey, chief information security officer at defense tech company Anduril Industries. “It’s a really tough business to be in,” he said. “If you develop an exploit, you get to sell to one person legally, and then it gets burned, and you’re back again.”

By their nature, offensive cyber operations in the federal government are already very time- and manpower-intensive, said Brandon Wales, a former top official at the Cybersecurity and Infrastructure Security Agency and now vice president of cybersecurity at SentinelOne. Private sector companies could make their mark by innovating ways to speed up and expand the number of those operations, he said.

Overall, among the options of companies that could do more offensive work, the “industry doesn’t exist yet, but I think it’s coming,” said Andrew McClure, managing director at Forgepoint Capital.

Certainly Congress would have to clarify what companies are able to do legally as well, Wales said.

But that’s just the industry side. There’s plenty more to weigh when stepping up offense.

“However we start, we need to make sure that we are having the ability to measure impact,” said Megan Stifel, chief strategy officer for the Institute for Security and Technology. “Is this working? How do we know?”
If there was a consensus at the conference it’s that the United States — be it the government or private sector — needs to do more to deter adversaries in cyberspace by going after them more in cyberspace.

One knock on that idea has been that the United States can least afford to get into a cyber shooting match, since it’s more reliant on tech than other nations and an escalation would hurt the U.S. the most by presenting more vulnerable targets for enemies. But Dmitri Alperovitch, chairman of the Silverado Policy Accelerator, said that idea was wrong for a couple reasons, among them that other nations have become just as reliant on tech, too.

And “the very idea that in this current bleak state of affairs, engaging in cyber offense is escalatory, I propose to you, is laughable,” he said. “After all, what are our adversaries going to escalate to in response? Ransom more of our hospitals, penetrate more of our water and electric utilities, steal even more of our IP and financial assets?”

Alperovitch continued: “Not only is engaging in thoughtful and careful cyber offense not escalatory, but not doing so is.”

bloomberg.com 2025-08-26 - Twenty activists urging company to sever ties with Israeli military were arrested last week. Executive Brad Smith said he welcomed discussion but not disruption.

For the better part of a year, Microsoft Corp. has failed to quell a small but persistent revolt by employees bent on forcing the company to sever business ties with Israel over its war in Gaza.

The world’s largest software maker has requested help from the Federal Bureau of Investigation in tracking protests, worked with local authorities to try and prevent them, flagged internal emails containing words like “Gaza” and deleted some internal posts about the protests, according to employees and documents reviewed by Bloomberg. Microsoft has also suspended and fired protesters for disrupting company events.

Despite those efforts, a steady trickle of employees, sometimes joined by outside supporters, continue to speak out in an escalating guerilla campaign of mass emails and noisy public demonstrations. While still relatively small, the employee activism is notable given the weakening job market and the Trump administration’s crackdown on pro-Palestinian protests.

Last week, 20 people were arrested on a plaza at Microsoft’s Redmond, Washington, headquarters after disregarding orders by police to disperse. Instead, they chanted and called out Microsoft executives by name, linking arms as police dismantled their makeshift barricades and, one by one, zip-tied them and led them away.

On Tuesday, protesters occupied the office of Microsoft President Brad Smith, sharing video on the Twitch livestreaming platform that showed them chanting, hanging banners and briefly attempting to barricade a door with furniture. Smith didn’t appear to be there. Police detained at least two people who entered a building that houses the offices of senior executives, said Jill Green, a spokesperson for the Redmond Police Department. Others were protesting outside, she said.

An employee group called No Azure for Apartheid says that by selling software and artificial intelligence tools to Israel’s military, the company’s Azure cloud service is profiting from the deaths of civilians. Microsoft denies that, but the protests threaten to dent its reputation as a thoughtful employer and reasonable actor on the world stage. In recent years, Microsoft has generally stayed above the fray while its industry peers battled antitrust investigations, privacy scandals or controversial treatment of employees.

Now Microsoft is being forced to grapple with perhaps the most politically charged issue of the day: Israel’s treatment of Palestinians. Earlier this month, the company announced an investigation into reports by the Guardian newspaper and other news outlets that Israel’s military surveillance agency intercepted millions of Palestinian mobile phone calls, stored them on Microsoft servers then used the data to select bombing targets in Gaza. An earlier investigation commissioned by Microsoft found no evidence its software was used to harm people.

Microsoft says it expects customers to adhere to international law governing human rights and armed conflict, and that the company’s terms of service prohibit the use of Microsoft products to violate people’s rights. “If we determine that a customer — any customer — is using our technology in ways that violate our terms of service, we will take steps to address that,” Smith said in an interview last week, adding that the investigation should be completed within several weeks. Smith said employees were welcome to discuss the issue internally but that the company will not tolerate activities that disrupt its operation or staffers.

After Hamas’s deadly Oct. 7, 2023 attack on Israel, Microsoft executives were quick to offer condolences and support to employees. “Let us stand together in our shared humanity,” then-human resources chief Kathleen Hogan said in a note a few days after the attacks, which killed some 1,200 people, including civilians and soldiers.
Unity was short-lived: Jewish employees lamented what they said was a troubling rise in antisemitism. Palestinian staffers and their allies accused executives of ignoring concerns about their welfare and the war in Gaza, which has killed tens of thousands. The debate continued in internal chatrooms, meetings with human resources leaders and in question-and-answer sessions with executives. But the chatter was mostly limited to Microsoft’s halls.

That changed in early April at a bash Microsoft hosted to mark the 50th anniversary of the company’s founding. Early that morning, Vaniya Agrawal picked up Ibtihal Aboussad and drove to Microsoft’s campus. The two early-career company engineers — who respectively hail from the Chicago area and Morocco — had both decided to leave Microsoft over its ties to Israel, which had been documented in a series of articles, including by the Associated Press, and reached out to No Azure for Apartheid. “This isn’t just Microsoft Word with a little Clippy in the corner,” said Agrawal, who was arrested on Wednesday. “These are technological weapons. Cloud and AI are just as deadly as bombs and bullets.”

Intel Corporation (INTC) www.intc.com Aug 22, 2025 • 4:53 PM EDT

U.S. Government to make $8.9 billion investment in Intel common stock as company builds upon its more than $100 billion expansion of resilient semiconductor supply chain

SANTA CLARA, Calif.--(BUSINESS WIRE)-- Intel Corporation today announced an agreement with the Trump Administration to support the continued expansion of American technology and manufacturing leadership. Under terms of the agreement, the United States government will make an $8.9 billion investment in Intel common stock, reflecting the confidence the Administration has in Intel to advance key national priorities and the critically important role the company plays in expanding the domestic semiconductor industry.

The government’s equity stake will be funded by the remaining $5.7 billion in grants previously awarded, but not yet paid, to Intel under the U.S. CHIPS and Science Act and $3.2 billion awarded to the company as part of the Secure Enclave program. Intel will continue to deliver on its Secure Enclave obligations and reaffirmed its commitment to delivering trusted and secure semiconductors to the U.S. Department of Defense. The $8.9 billion investment is in addition to the $2.2 billion in CHIPS grants Intel has received to date, making for a total investment of $11.1 billion.

“As the only semiconductor company that does leading-edge logic R&D and manufacturing in the U.S., Intel is deeply committed to ensuring the world’s most advanced technologies are American made,” said Lip-Bu Tan, CEO of Intel. “President Trump’s focus on U.S. chip manufacturing is driving historic investments in a vital industry that is integral to the country’s economic and national security. We are grateful for the confidence the President and the Administration have placed in Intel, and we look forward to working to advance U.S. technology and manufacturing leadership.”

“Intel is excited to welcome the United States of America as a shareholder, helping to create the most advanced chips in the world,” said Howard Lutnick, United States Secretary of Commerce. “As more companies look to invest in America, this administration remains committed to reinforcing our country’s dominance in artificial intelligence while strengthening our national security.”

Under the terms of today’s announcement, the government agrees to purchase 433.3 million primary shares of Intel common stock at a price of $20.47 per share, equivalent to a 9.9 percent stake in the company. This investment provides American taxpayers with a discount to the current market price while enabling the U.S. and existing shareholders to benefit from Intel’s long-term business success.

The government’s investment in Intel will be a passive ownership, with no Board representation or other governance or information rights. The government also agrees to vote with the Company’s Board of Directors on matters requiring shareholder approval, with limited exceptions.

The government will receive a five-year warrant, at $20 per share for an additional five percent of Intel common shares, exercisable only if Intel ceases to own at least 51% of the foundry business.

The existing claw-back and profit-sharing provisions associated with the government’s previously dispersed $2.2 billion grant to Intel under the CHIPS Act will be eliminated to create permanency of capital as the company advances its U.S. investment plans.

Investing in America’s Future

Intel has continued to strategically invest in research, development and manufacturing in the United States since the company’s founding in 1968. Over the last five years, Intel has invested $108 billion in capital and $79 billion in R&D, the majority of which were dedicated to expanding U.S.-based manufacturing capacity and process technology.

Intel is currently undertaking a significant expansion of its domestic chipmaking capacity, investing more than $100 billion to expand its U.S. sites. The company’s newest chip fabrication site in Arizona is expected to begin high-volume production later this year, featuring the most advanced semiconductor manufacturing process technology on U.S. soil.

Since joining the company as CEO in March, Tan has taken swift actions to strengthen Intel’s financial position, drive disciplined execution and revitalize an engineering-first culture. Today’s agreement supports the company’s broader strategy to position Intel for the future.

Strengthening the U.S. Technology Ecosystem

Intel’s U.S. investments come as many leading technology companies support President Trump’s agenda to achieve U.S. technology and manufacturing leadership.

Intel is deeply engaged with current and potential customers and partners who share its commitment to building a strong and resilient U.S. semiconductor supply chain.

Satya Nadella, Chairman and Chief Executive Officer, Microsoft: “The decades-long partnership between Microsoft and Intel has pioneered new frontiers of technology and showcased the very best of American ingenuity and innovation. Intel’s continued investment in strengthening the U.S. semiconductor supply chain, supported by President Trump’s bold strategy to rebuild this critical industry on American soil, will benefit the country and broader technology ecosystem for years to come.”

Michael Dell, Chairman and Chief Executive Officer, Dell Technologies: “The industry needs a strong and resilient U.S. semiconductor industry, and no company is more important to this mission than Intel. It’s great to see Intel and the Trump Administration working together to advance U.S. technology and manufacturing leadership. Dell fully supports these shared priorities, and we look forward to bringing a new generation of products to market powered by American-designed and manufactured Intel chips.”

Enrique Lores, President and CEO, HP: “We share Intel’s and the Trump Administration’s deep commitment to building a strong, resilient and secure U.S. semiconductor industry. Intel’s continued investment in domestic R&D and manufacturing is integral to future innovation and will strengthen the partnership between HP and Intel for years come. This is a defining moment for great American companies to lead the world in cutting-edge technologies that will shape the future.”

Matt Garman, AWS CEO: “Leading-edge semiconductors are the bedrock of every AI technology and cloud platform, making U.S. investment in this critical industry one of the most important technological, economic and national security imperatives of our time. Intel plays a vital role as one of the country’s leading chip manufacturers, and we applaud the Trump administration’s efforts to usher in a new era of American innovation in partnership with American companies.”

PJT Partners acted as Intel’s exclusive financial advisor in connection with this investment agreement.

About Intel

Intel (Nasdaq: INTC) is an industry leader, creating world-changing technology that enables global progress and enriches lives. Inspired by Moore’s Law, we continuously work to advance the design and manufacturing of semiconductors to help address our customers’ greatest challenges. By embedding intelligence in the cloud, network, edge and every kind of computing device, we unleash the potential of data to transform business and society for the better. To learn more about Intel’s innovations, go to newsroom.intel.com and intel.com.

Forward-Looking Statements

This release contains forward-looking statements, including with respect to: the agreement with the U.S. government and its expected benefits, including the anticipated timing of closing and impacts to Intel’s existing agreements with the U.S. government under the CHIPS Act; Intel’s investment plans, including in manufacturing expansion projects and R&D; and the anticipated production using Intel’s latest semiconductor process technology in Arizona later this year. Such statements involve many risks and uncertainties that could cause our actual results to differ materially from those expressed or implied, including those associated with: uncertainties as to the timing of the consummation of the transaction and the receipt of funding; Intel’s ability to effectively use the proceeds and realize and utilize the other anticipated benefits of the transaction as contemplated thereby; the availability of appropriations from the legislative branch of the U.S. government and the ability of the executive branch of the U.S. government to obtain funding and support contemplated by the transaction; the determination by the legislative, judicial or executive branches of the U.S. government that any aspect of the transaction was unauthorized, void or voidable; Intel’s ability to obtain additional or replacement financing, as needed; Intel’s ability to effectively assess, determine and monitor the financial, tax and accounting treatment of the transaction, together with Intel’s and the U.S. government’s obligations thereunder; litigation related to the transaction or otherwise; potential adverse reactions or changes to business relationships resulting from the announcement or completion of the transaction; the timing and achievement of expected business milestones; Intel’s ability to effectively comply with the broader legal and regulatory requirements and heightened scrutiny associated with government partnerships and contracts; the high level of competition and rapid technological change in the semiconductor industry; the significant long-term and inherently risky investments Intel is making in R&D and manufacturing facilities that may not realize a favorable return; the complexities and uncertainties in developing and implementing new semiconductor products and manufacturing process technologies; Intel’s ability to time and scale its capital investments appropriately; changes in demand for Intel’s products; macroeconomic conditions and geopolitical tensions and conflicts, including geopolitical and trade tensions between the U.S. and China, the impacts of Russia's war on Ukraine, tensions and conflict affecting Israel and the Middle East, and rising tensions between mainland China and Taiwan; the evolving market for products with AI capabilities; Intel’s complex global supply chain supporting its manufacturing facilities and incorporating external foundries, including from disruptions, delays, trade tensions and conflicts, or shortages; recently elevated geopolitical tensions, volatility and uncertainty with respect to international trade policies, including tariffs and export controls, impacting Intel’s business, the markets in which it competes and the world economy; product defects, errata and other product issues, particularly as Intel develops next-generation products and implements next-generation manufacturing process technologies; potential security vulnerabilities in Intel’s products; increasing and evolving cybersecurity threats and privacy risks; IP risks including related litigation and regulatory proceedings; the need to attract, retain, and motivate key talent; Intel’s debt obligations and its ability to access sources of capital; complex and evolving laws and regulations across many jurisdictions; fluctuations in currency exchange rates; changes in Intel’s effective tax rate; catastrophic events; environmental, health, safety, and product regulations; and other risks and uncertainties described in this release and Intel’s 2024 Form 10-K, Q1 2025 Form 10-Q, Q2 2025 Form 10-Q, and other filings with the SEC. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of the date they were first made. Intel does not undertake, and expressly disclaims any duty, to update such statements, whether as a result of new information, new developments, or otherwise, except to the extent that disclosure may be required by law.

san.com Aug 23, 2025 at 12:34 AM GMT+2
A hacker breached an airline and stole information on hundreds of thousands of people, including U.S. government employees.

Summary

• Exposed IDs
  Straight Arrow News examined 2,626 photos of identifying documents such as passports, IDs and birth certificates that were stolen by a hacker.

• U.S. government data
  The data includes the names, emails and phone numbers of employees from the State Deptartment, ICE, TSA, CBP and more.

• Airline denial
  Uzbekistan Airways denied that any intrusion took place and even suggested that leaked data may have been generated with artificial intelligence.

Full story
A hacker claims to have stolen information on hundreds of thousands of people — including U.S. government employees — after breaching an international airline. Straight Arrow News obtained a sample of the data, allegedly taken from Uzbekistan Airways, and confirmed the presence of sensitive documents such as scans of thousands of passports.

The data was advertised on Thursday by the hacker, who is known online as ByteToBreach and purports to be a native of the Swiss Alps, on a dark web forum known for hosting leaks, malware and hacking tools. The purportedly 300-gigabyte data cache contains, among other things, the email addresses of 500,000 passengers and 400 airline employees.

The post included a sample of the data, such as alleged credentials for multiple servers and software programs run by the airline. It also showed partial credit card data, as well as scans of 75 passports from the U.S., Russia, Israel, the U.K., South Korea and other nations. The hacker claims to have obtained identifying documents from more than 40 different countries.

The hacker provided Straight Arrow News with a larger data sample than the one posted online, containing 2,626 photos of identifying documents such as passports, IDs, marriage licenses and birth certificates. Numerous passports belonged to babies and young children.

Passports and other identifying data are valuable on underground markets given their potential use for a range of criminal activities, such as fraud and identity theft. Hackers could also leverage the prevalence of data on government employees for phishing attacks.
U.S. government employees’ data compromised
Another document from the sample the hacker provided to SAN contained 285 email addresses belonging to airline employees. A list of email addresses for passengers held 503,410 entries.

A spreadsheet with personal information of 379,603 members of Uzbekistan Airways’ loyalty program exposes names, genders, birthdates, nationalities, email addresses, phone numbers, member IDs and more.

The email addresses indicate that those members include employees of several U.S. government agencies, including the State Department, the Department of Energy, Immigration and Customs Enforcement, Customs and Border Protection and the Transportation Security Administration.

Employees of foreign government agencies from countries like Russia, Uzbekistan and the United Arab Emirates were also in the data.

SAN reached out to several phone numbers of government employees. An apparent TSA employee answered the phone by introducing themselves with the first name listed in the hacked data, as well as their government position. After SAN explained that their data had been exposed, the employee declined to comment and referred a reporter to the Department of Homeland Security’s public affairs office.

The public affairs office did not respond to an email from SAN. An email to the State Department’s office of press operations went unanswered as well.

Four files containing raw reservation and ticketing data mention airlines, airports, flight numbers and other information. The hacker also claimed that the raw data contained partial credit card information, although SAN was unable to independently verify the presence of financial data.
...

edition.cnn.com | CNN Business - Millions of AT&T customers can file claims worth up to $7,500 in cash payments as part of a $177 million settlement related to data breaches in 2024.

The telecommunications company had faced a pair of data breaches, announced in March and July 2024, that were met with lawsuits.

Here’s a breakdown.

What happened?
On March 30, 2024, AT&T announced it was investigating a data leak that had occurred roughly two weeks prior. The breach had affected data until 2019, including Social Security numbers, and the information of 73 million former and current customers was found in a dataset on the dark web.
Four months later, the company blamed an “illegal download” on a third-party cloud platform that it learned about in April for a separate breach. This leak included telephone numbers of “nearly all” of AT&T cellular customers and customers of providers that used the AT&T network between May 1 and October 31, 2022, the company said.

The class-action settlement includes a $149 million cash fund for the first breach and a $28 million payout for the second breach.

Am I eligible for a claim?
AT&T customers whose data was involved in either breach, or both, will be eligible. Customers eligible to file a claim will receive an email notice, according to the settlement website.
AT&T said Kroll Settlement Administration is notifying current and former customers.

How do I file a claim?
The deadline to submit a claim is November 18. The final approval hearing for the settlement is December 3, according to the settlement website, and there could be appeals following an approval “and resolving them can take time.”

“Settlement Class Member Benefits will begin after the Settlement has obtained Court approval and the time for all appeals has expired,” the website states.

How much can I claim?
Customers impacted by the March incident are eligible for a cash payment of up to $5,000. Claims must include documentation of losses that happened in 2019 or later, and that are “fairly traceable” to the AT&T breach.

reuters.com - Aug 13 (Reuters) - U.S. authorities have secretly placed location tracking devices in targeted shipments of advanced chips they see as being at high risk of illegal diversion to China, according to two people with direct knowledge of the previously unreported law enforcement tactic.
The measures aim to detect AI chips being diverted to destinations which are under U.S. export restrictions, and apply only to select shipments under investigation, the people said.

They show the lengths to which the U.S. has gone to enforce its chip export restrictions on China, even as the Trump administration has sought to relax some curbs on Chinese access to advanced American semiconductors.
The trackers can help build cases against people and companies who profit from violating U.S. export controls, said the people, who declined to be named because of the sensitivity of the issue.
Location trackers are a decades-old investigative tool used by U.S. law enforcement agencies to track products subject to export restrictions, such as airplane parts. They have been used to combat the illegal diversion of semiconductors in recent years, one source said.

Five other people actively involved in the AI server supply chain say they are aware of the use of the trackers in shipments of servers from manufacturers such as Dell (DELL.N), opens new tab and Super Micro (SMCI.O), opens new tab, which include chips from Nvidia (NVDA.O), opens new tab and AMD (AMD.O), opens new tab.
Those people said the trackers are typically hidden in the packaging of the server shipments. They did not know which parties were involved in installing them and where along the shipping route they were inserted.
Reuters was not able to determine how often the trackers have been used in chip-related investigations or when U.S. authorities started using them to investigate chip smuggling. The U.S. started restricting the sale of advanced chips by Nvidia, AMD and other manufacturers to China in 2022.
In one 2024 case described by two of the people involved in the server supply chain, a shipment of Dell servers with Nvidia chips included both large trackers on the shipping boxes and smaller, more discreet devices hidden inside the packaging — and even within the servers themselves.
A third person said they had seen images and videos of trackers being removed by other chip resellers from Dell and Super Micro servers. The person said some of the larger trackers were roughly the size of a smartphone.
The U.S. Department of Commerce's Bureau of Industry and Security, which oversees export controls and enforcement, is typically involved, and Homeland Security Investigations and the Federal Bureau of Investigation may take part too, said the sources.
The HSI and FBI both declined to comment. The Commerce Department did not respond to requests for comment.
The Chinese foreign ministry said it was not aware of the matter.
Super Micro said in a statement that it does not disclose its “security practices and policies in place to protect our worldwide operations, partners, and customers.” It declined to comment on any tracking actions by U.S. authorities.

nytimes.com - Documents examined by researchers show how one company in China has collected data on members of Congress and other influential Americans.

The Chinese government is using companies with expertise in artificial intelligence to monitor and manipulate public opinion, giving it a new weapon in information warfare, according to current and former U.S. officials and documents unearthed by researchers.

One company’s internal documents show how it has undertaken influence campaigns in Hong Kong and Taiwan, and collected data on members of Congress and other influential Americans.

While the firm has not mounted a campaign in the United States, American spy agencies have monitored its activity for signs that it might try to influence American elections or political debates, former U.S. officials said.

Artificial intelligence is increasingly the new frontier of espionage and malign influence operations, allowing intelligence services to conduct campaigns far faster, more efficiently and on a larger scale than ever before.

The Chinese government has long struggled to mount information operations targeting other countries, lacking the aggressiveness or effectiveness of Russian intelligence agencies. But U.S. officials and experts say that advances in A.I. could help China overcome its weaknesses.

A new technology can track public debates of interest to the Chinese government, offering the ability to monitor individuals and their arguments as well as broader public sentiment. The technology also has the promise of mass-producing propaganda that can counter shifts in public opinion at home and overseas.

China’s emerging capabilities come as the U.S. government pulls back efforts to counter foreign malign influence campaigns.

U.S. spy agencies still collect information about foreign manipulation, but the Trump administration has dismantled the teams at the State Department, the F.B.I. and the Cybersecurity and Infrastructure Security Agency that warned the public about potential threats. In the last presidential election, the campaigns included Russian videos denigrating Vice President Kamala Harris and falsely claiming that ballots had been destroyed.

The new technology allows the Chinese company GoLaxy to go beyond the election influence campaigns undertaken by Russia in recent years, according to the documents.

In a statement, GoLaxy denied that it was creating any sort of “bot network or psychological profiling tour” or that it had done any work related to Hong Kong or other elections. It called the information presented by The New York Times about the company “misinformation.”

“GoLaxy’s products are mainly based on open-source data, without specially collecting data targeting U.S. officials,” the firm said.

After being contacted by The Times, GoLaxy began altering its website, removing references to its national security work on behalf of the Chinese government.

The documents examined by researchers appear to have been leaked by a disgruntled employee upset about wages and working conditions at the company. While most of the documents are not dated, the majority of those that include dates are from 2020, 2022 and 2023. They were obtained by Vanderbilt University’s Institute of National Security, a nonpartisan research and educational center that studies cybersecurity, intelligence and other critical challenges.

Publicly, GoLaxy advertises itself as a firm that gathers data and analyzes public sentiment for Chinese companies and the government. But in the documents, which were reviewed by The Times, the company privately claims that it can use a new technology to reshape and influence public opinion on behalf of the Chinese government.

politico.com - The identities of confidential court informants are feared compromised in a series of breaches across multiple U.S. states.

The electronic case filing system used by the federal judiciary has been breached in a sweeping cyber intrusion that is believed to have exposed sensitive court data across multiple U.S. states, according to two people with knowledge of the incident.

The hack, which has not been previously reported, is feared to have compromised the identities of confidential informants involved in criminal cases at multiple federal district courts, said the two people, both of whom were granted anonymity because they were not authorized to speak publicly about the hack.

The Administrative Office of the U.S. Courts — which manages the federal court filing system — first determined how serious the issue was around July 4, said the first person. But the office, along with the Justice Department and individual district courts around the country, is still trying to determine the full extent of the incident.

It is not immediately clear who is behind the hack, though nation-state-affiliated actors are widely suspected, the people said. Criminal organizations may also have been involved, they added.

The Administrative Office of the U.S. Courts declined to comment. Asked whether it is investigating the incident, the FBI referred POLITICO to the Justice Department. The Justice Department did not immediately reply to a request for comment.

It is not immediately clear how the hackers got in, but the incident is known to affect the judiciary’s federal core case management system, which includes two overlapping components: Case Management/Electronic Case Files, or CM/ECF, which legal professionals use to upload and manage case documents; and PACER, a system that gives the public limited access to the same data.

In addition to records on witnesses and defendants cooperating with law enforcement, the filing system includes other sensitive information potentially of interest to foreign hackers or criminals, such as sealed indictments detailing non-public information about alleged crimes, and arrests and search warrants that criminal suspects could use to evade capture.

Chief judges of the federal courts in the 8th Circuit — which includes Arkansas, Iowa, Minnesota, Missouri, Nebraska, North Dakota, and South Dakota — were briefed on the hack at a judicial conference last week in Kansas City, said the two people. It is unclear who delivered the brief, though the Director of the Administrative Office of the U.S. Courts, Judge Robert J. Conrad, Jr., was in attendance, per the first person. Supreme Court Justice Brett Kavanaugh was also in attendance but didn’t address the breach in his remarks.

Staff for Conrad, a district judge in the Western District of North Carolina, declined to comment.

The hack is the latest sign that the federal court filing system is struggling to keep pace with a rising wave of cybersecurity threats.

propublica.org - Microsoft announced that Chinese state-sponsored hackers had exploited vulnerabilities in its popular SharePoint software but didn’t mention that it has long used China-based engineers to maintain the product.
ast month, Microsoft announced that Chinese state-sponsored hackers had exploited vulnerabilities in SharePoint, the company’s widely used collaboration software, to access the computer systems of hundreds of companies and government agencies, including the National Nuclear Security Administration and the Department of Homeland Security.

The company did not include in its announcement, however, that support for SharePoint is handled by a China-based engineering team that has been responsible for maintaining the software for years.

ProPublica viewed screenshots of Microsoft’s internal work-tracking system that showed China-based employees recently fixing bugs for SharePoint “OnPrem,” the version of the software involved in last month’s attacks. The term, short for “on premises,” refers to software installed and run on customers’ own computers and servers.

Microsoft said the China-based team “is supervised by a US-based engineer and subject to all security requirements and manager code review. Work is already underway to shift this work to another location.”

It’s unclear if Microsoft’s China-based staff had any role in the SharePoint hack. But experts have said allowing China-based personnel to perform technical support and maintenance on U.S. government systems can pose major security risks. Laws in China grant the country’s officials broad authority to collect data, and experts say it is difficult for any Chinese citizen or company to meaningfully resist a direct request from security forces or law enforcement. The Office of the Director of National Intelligence has deemed China the “most active and persistent cyber threat to U.S. Government, private-sector, and critical infrastructure networks.”

ProPublica revealed in a story published last month that Microsoft has for a decade relied on foreign workers — including those based in China — to maintain the Defense Department’s cloud systems, with oversight coming from U.S.-based personnel known as digital escorts. But those escorts often don’t have the advanced technical expertise to police foreign counterparts with far more advanced skills, leaving highly sensitive information vulnerable, the investigation showed.

ProPublica found that Microsoft developed the escort arrangement to satisfy Defense Department officials who were concerned about the company’s foreign employees, and to meet the department’s requirement that people handling sensitive data be U.S. citizens or permanent residents. Microsoft went on to win federal cloud computing business and has said in earnings reports that it receives “substantial revenue from government contracts.” ProPublica also found that Microsoft uses its China-based engineers to maintain the cloud systems of other federal departments, including parts of Justice, Treasury and Commerce.

In response to the reporting, Microsoft said that it had halted its use of China-based engineers to support Defense Department cloud computing systems, and that it was considering the same change for other government cloud customers. Additionally, Defense Secretary Pete Hegseth launched a review of tech companies’ reliance on foreign-based engineers to support the department. Sens. Tom Cotton, an Arkansas Republican, and Jeanne Shaheen, a New Hampshire Democrat, have written letters to Hegseth, citing ProPublica’s investigation, to demand more information about Microsoft’s China-based support.

Microsoft said its analysis showed that Chinese hackers were exploiting SharePoint weaknesses as early as July 7. The company released a patch on July 8, but hackers were able to bypass it. Microsoft subsequently issued a new patch with “more robust protections.”

The U.S. Cybersecurity and Infrastructure Security Agency said that the vulnerabilities enable hackers “to fully access SharePoint content, including file systems and internal configurations, and execute code over the network.” Hackers have also leveraged their access to spread ransomware, which encrypts victims’ files and demands a payment for their release, CISA said.