| TechCrunch techcrunch.com
Lorenzo Franceschi-Bicchierai
7:37 AM PST · December 12, 2025
Hama Film makes photo booths that upload pictures and videos online. But their back-end systems have a simple flaw that allows anyone to download customer pictures.
A company that makes photo booths is exposing pictures and videos of its customers online thanks to a simple flaw in its website where the files are stored, according to a security researcher.
The researcher, who goes by Zeacer, alerted TechCrunch to the security issue in late November after reporting the vulnerability in October to Hama Film, the photo booth maker that has franchise presence in Australia, the United Arab Emirates, and the United States, but did not hear back.
Zeacer shared with TechCrunch a sample of pictures taken from Hama Film’s servers, which showed groups of clearly young people posing in photo booths. Hama Film’s booths not only print out the photos like a typical photo booth, but booths also upload the customers’ photos to the company’s servers.
Vibecast, which owns Hama Film, has yet to respond to his messages alerting the company of the issues. Vibecast also hasn’t responded to several requests for comment from TechCrunch, nor did Vibecast’s co-founder Joel Park respond to a message we sent via LinkedIn.
As of Friday, the researcher said the company has still not fully resolved the security flaw and continues to expose customers’ data. As such, TechCrunch is withholding specific details of the vulnerability from publication.
When Zeacer first found this flaw, he noted that it appeared that photos were deleted from the photo booth maker’s servers every two to three weeks.
Now, he said, the pictures stored on the servers appear to get deleted after 24 hours, which limits the number of pictures exposed at any given time. But a hacker could still exploit the vulnerability he discovered each day and download the contents of every photo and video on the server.
Before this week, Zeacer said at one point he saw more than 1,000 pictures online for the Hama Film booths in Melbourne.
This incident is the latest example of a company that, at least for a time, was not implementing certain basic and widely accepted security practices, such as rate-limiting. Last month, TechCrunch reported that government contractor giant Tyler Technologies was not rate-limiting its websites used for allowing courts to manage their jurors’ personal information. This meant anyone could break into any juror’s profile by running a computer script capable of mass-guessing their date of birth and their easy-to-guess numerical identifier.
techcrunch.com
1:06 PM PST · December 10, 2025
Zack Whittaker
CEO of South Korean retail giant techcrunch.comresigns after massive data breach
Park Dae-jun has resigned as chief executive of South Korean retail giant Coupang after a data breach exposed the personal information of more than half of the country’s population.
In a statement, Park apologized for the breach, citing a “deep sense of responsibility for the outbreak and the subsequent recovery process.”
Coupang has replaced Park with Harold Rogers, the top lawyer at Coupang’s U.S.-based parent company, according to a machine translation of the company statement.
The retail giant, often compared to Amazon for its dominance in South Korean e-commerce and logistics, last month revealed details of a data breach affecting close to 34 million people. The breach allegedly began in June but wasn’t noticed until November, when Coupang initially said over 4,500 customers had their data stolen. The company later revised that figure dramatically upward.
The Coupang hack is the latest in a string of security incidents affecting corporate giants and the central government across the country this year, including a data center fire that led to a massive, irretrievable loss of South Korean government data.
| TechCrunch
Zack Whittaker
10:55 AM PST · December 3, 2025
Marquis said ransomware hackers stole reams of banking customer data, containing personal information and financial records, as well as Social Security numbers, belonging to hundreds of thousands of people. The number of affected people is expected to rise.
Fintech company Marquis is notifying dozens of U.S. banks and credit unions that they had customer data stolen in a cyberattack earlier this year.
Details of the cyberattack emerged this week after Marquis filed data breach notices with several U.S. states confirming its August 14 incident as a ransomware attack.
Texas-based Marquis is a marketing and compliance provider that allows banks and other financial institutions to collect and visualize all of their customer data in one place. The company counts more than 700 banking and credit union customers on its website. As such, Marquis has access to and stores large amounts of data belonging to consumer banking customers across the United States.
At least 400,000 people are so far confirmed affected by the data breach, according to legally required disclosures filed in the states of Iowa, Maine, Texas, Massachusetts, and New Hampshire that TechCrunch has reviewed.
Texas has the largest number of state residents so far who had data stolen in the breach, affecting at least 354,000 people.
Marquis said in its notice with Maine’s attorney general that banking customers with the Maine State Credit Union accounted for the majority of its data breach notifications, or around one-in-nine people who are known to be affected throughout the state.
The number of individuals affected by the breach is expected to rise as more data breach notifications roll in from other states.
Marquis said the hackers stole customer names, dates of birth, postal addresses, and financial information, such as bank account, debit, and credit card numbers. Marquis said the hackers also stole customers’ Social Security numbers.
According to its most recent notices, Marquis blamed the ransomware attack on hackers who exploited a vulnerability in its SonicWall firewall. The vulnerability was considered a zero-day, meaning the flaw was not known to SonicWall or its customers before it was maliciously exploited by hackers.
Marquis did not attribute the ransomware attack to a particular group, but the Akira ransomware gang was reportedly behind the mass-hacks targeting SonicWall customers at the time.
TechCrunch asked Marquis if it is aware of the total number of people affected by the breach, and if Marquis received any communication from the hackers or if the company paid a ransom, but we did not hear back by the time of publication.
| TechCrunch
Zack Whittaker
5:09 AM PST · November 17, 2025
The defacement of Protei's website said "another DPI/SORM provider bites the dust," apparently referring to the company selling its web intercept and surveillance products to phone and internet providers.
A Russian telecom company that develops technology to allow phone and internet companies to conduct web surveillance and censorship was hacked, had its website defaced, and had data stolen from its servers, TechCrunch has learned.
Founded in Russia, Protei makes telecommunications systems for phone and internet providers across dozens of countries, including Bahrain, Italy, Kazakhstan, Mexico, Pakistan and much of central Africa. The company, now headquartered in Jordan, sells video conferencing technology and internet connectivity solutions, as well as surveillance equipment and web-filtering products, such as deep packet inspection systems.
It’s not clear exactly when or how Protei was hacked, but a copy of the company’s website saved on the Internet Archive’s Wayback Machine shows it was defaced on November 8. The website was restored soon after.
During the breach, the hacker obtained the contents of Protei’s web server — around 182 gigabytes of files — including emails dating back years.
A copy of Protei’s data was provided to DDoSecrets, a nonprofit transparency collective that indexes leaked datasets in the public interest, including data from law enforcement, government agencies, and companies involved in the surveillance industry.
Mohammad Jalal, the managing director of Protei’s branch in Jordan, did not respond to a request for comment about the breach.
The identity of the hacker is not known, nor their motivations, but the defaced website read: “another DPI/SORM provider bites the dust.” The message likely references the company’s sales of deep packet inspection systems and other internet filtering technology for the Russian-developed lawful intercept system known as SORM.
SORM is the main lawful intercept system used across Russia as well as several other countries that use Russian technology. Phone and internet providers install SORM equipment on their networks, which allows their country’s governments to obtain the contents of calls, text messages, and web browsing data of the networks’ customers.
Deep-packet inspection devices allow telecom companies to identify and filter web traffic depending on its source, such as a social media website or a specific messaging app, and selectively block access. These systems are used for surveillance and censorship in regions where freedom of speech and expression are limited.
The Citizen Lab reported in 2023 that Iranian telecoms giant Ariantel had consulted with Protei about technology for logging internet traffic and blocking access to certain websites. Documents seen and published by The Citizen Lab show that Protei touted its technology’s ability to restrict or block access to websites for specific people or entire swathes of the population.
| TechCrunch
techcrunch.com
Zack Whittaker
4:47 AM PST · November 12, 2025
Australia's intelligence chief warned that Chinese hackers are trying to break into its networks, sometimes successfully, to "pre-position" for sabotage ahead of an anticipated invasion of Taiwan.
Australia’s intelligence head Mike Burgess has warned that China-backed hackers are “probing” the country’s critical infrastructure, and in some cases have gained access.
Burgess, who heads the country’s main intelligence agency, the Australian Security Intelligence Organisation, said that at least two China government-backed hacking groups are pre-positioning for sabotage and espionage.
The comments, made during a conference speech in Melbourne on Wednesday, echo similar remarks by the U.S. government, which has warned that the ongoing hacking campaigns may pose risks of economic and societal disruption.
According to Burgess, a hacker group known as Volt Typhoon is trying to break into critical infrastructure networks such as power, water, and transportation systems. Burgess warned that successful hacks could affect energy and water supplies, and cause widespread outages.
The U.S. has previously said that the Chinese hackers have spent years planting malware on critical infrastructure systems that are capable of causing disruptive cyberattacks when activated. U.S. officials said that Volt Typhoon’s goals are to hamper the U.S.’ response to China’s anticipated future invasion of Taiwan.
“I do not think we — and I mean all of us — truly appreciate how disruptive, how devastating, this could be,” said Burgess, speaking about the threat. He said that once the hackers have access, what happens next is a “matter of intent, not capability.”
Burgess also warned that another China-backed hacking group dubbed Salt Typhoon, known for hacking into the networks of phone and internet companies to steal call records and other sensitive data, was also targeting the country’s telecoms infrastructure.
Salt Typhoon has hacked more than 200 phone and internet companies, according to the FBI, including AT&T, Verizon and Lumen, along with several other cloud and data center providers. The hacks prompted the FBI to urge Americans to switch to end-to-end encrypted messaging apps to avoid having their calls and text messages accessed by the hackers.
The Canadian government also confirmed earlier this year that its telcos were breached as part of China-linked attacks.
China has long denied the hacking allegations.
| TechCrunch techcrunch.com
Lorenzo Franceschi-Bicchierai
9:35 AM PST · November 6, 2025
WhatsApp notified the consultant, who works for left-wing politicians, that his phone was targeted with spyware made by Paragon.
Francesco Nicodemo, a consultant who works with left-wing politicians in Italy, has gone public as the latest person targeted with Paragon spyware in the country.
On Thursday, Nicodemo said in a Facebook post that for 10 months, he preferred not to publicize his case because he “did not want to be used for political propaganda,” but now “the time has come.”
“It is time to ask a very simple question: Why? Why me? How is it possible that such a sophisticated and complex tool was used to spy on a private citizen, as if he were a drug trafficker or a subversive threat to the country?” Nicodemo wrote. “I have nothing more to say. Others must speak. Others must explain what happened.”
Online news site Fanpage first reported the news that Nicodemo was among the people who received a WhatsApp notification in January.
The revelation that Nicodemo was targeted with Paragon spyware widens the scope — once again — of the ongoing spyware scandal in Italy, which has ensnared several victims from various positions in society: several journalists, immigration activists, prominent business executives, and now a political consultant with a history of working for the center-left Partito Democratico (Democratic Party) and its politicians.
Governments and spyware makers have long claimed that their surveillance products are used against serious criminals and terrorists, but these recent cases show that this isn’t always true.
“The Italian government has given some spyware targets clarity and explained the cases. But others remain troublingly unclear,” said John Scott-Railton, a senior researcher at The Citizen Lab, who has for years investigated spyware companies and their abuses, including some involving the use of Paragon spyware.
“None of this looks good for Paragon, or for Italy. That’s why clarity from the Italian government is so essential. I believe that if they wanted to, Paragon could give everybody a lot more clarity on what’s going on. Until they do, these cases are going to remain a weight around their neck,” said Scott-Railton, who confirmed that Nicodemo received the notification from WhatsApp.
Natale De Gregorio, who works with Nicodemo at their public relations firm Lievito Consulting, told TechCrunch in an email that Nicodemo did not want to comment beyond what he told Fanpage and his public Facebook post.
At this point, it’s unclear who among Paragon customers targeted Nicodemo, but an Italian parliamentary committee confirmed in June that some of the victims in Italy were targeted by Italian intelligence agencies, which are under the purview of right-wing prime minister Giorgia Meloni.
A spokesperson for the Italian prime minister’s office did not respond to a request for comment from TechCrunch.
Jennifer Iras, the vice president of marketing for REDLattice, a cybersecurity company that has merged with Paragon after the Israeli spyware maker was acquired by U.S. private equity giant AE Industrial, also did not respond to a request for comment.
In February, following the revelations of the first wave of victims in Italy, Paragon cut ties with its government customers in Italy, specifically the intelligence agencies AISE and AISI.
Later in June, the Italian Parliamentary Committee for the Security of the Republic, known as COPASIR, concluded that some of the Paragon spyware victims that had been identified publicly, namely the immigration activists, were lawfully hacked by Italian intelligence services.
COPASIR, however, said there was no evidence that Francesco Cancellato, the director of Fanpage.it, an Italian news website that has investigated the youth wing of the far-right ruling party in Italy, led by Meloni, had been targeted by either of Italy’s intelligence agencies, the AISI and AISE.
COPASIR also did not investigate the case of Cancellato’s colleague Ciro Pellegrino.
Paragon, which told TechCrunch that the U.S. government is one of its customers, has an active contract with U.S. Immigration and Customs Enforcement.
| TechCrunch techcrunch.com
Lorenzo Franceschi-Bicchierai
8:36 AM PST · November 7, 2025
The congressional research office confirmed a breach, but did not comment on the cause. A security researcher suggested the hack may have originated because CBO failed to patch a firewall for more than a year.
The U.S. Congressional Budget Office has confirmed it was hacked.
Caitlin Emma, a spokesperson for CBO, told TechCrunch on Friday that the agency is investigating the breach and “has identified the security incident, has taken immediate action to contain it, and has implemented additional monitoring and new security controls to further protect the agency’s systems going forward.”
CBO is a nonpartisan agency that provides economic analysis and cost estimates to lawmakers during the federal budget process, including after legislative bills get approved at the committee level in the House and Senate.
On Thursday, The Washington Post, which first revealed the breach, reported that unspecified foreign hackers were behind the intrusion. According to the Post, CBO officials are worried that the hackers accessed internal emails and chat logs, as well as communications between lawmakers’ offices and CBO researchers.
Reuters reported that the Senate Sergeant at Arms office, the Senate’s law enforcement agency, notified congressional offices of a breach, warning them that emails between CBO and the offices could have been compromised and used to craft and send phishing attacks.
It’s unclear how the hackers gained access to the CBO’s network. But soon after news of the breach became public, security researcher Kevin Beaumont wrote on Bluesky that he suspected hackers may have exploited the CBO’s outdated Cisco firewall to break into the agency’s network.
Last month, Beaumont noted that CBO had a Cisco ASA firewall on its network that was last patched in 2024. At the time of his posting, the CBO’s firewall was allegedly vulnerable to a series of newly discovered security bugs, which were being exploited by suspected Chinese government-backed hackers.
Beaumont said the CBO’s firewall had not been patched by the time the federal government shutdown took effect on October 1.
On Thursday, Beaumont said that the firewall is now offline.
The CBO’s spokesperson declined to comment when asked about Beaumont’s findings. Spokespeople for Cisco did not immediately respond to a request for comment.
techcrunch.com
Jagmeet Singh
6:30 PM PDT · October 28, 2025
A security researcher found the Indian automotive giant exposing personal information of its customers, internal company reports, and dealers’ data. Tata confirmed it fixed the issues.
Indian automotive giant Tata Motors has fixed a series of security flaws that exposed sensitive internal data, including personal information of customers, company reports, and data related to its dealers.
Security researcher Eaton Zveare told TechCrunch that he discovered the flaws in Tata Motors’ E-Dukaan unit, an e-commerce portal for buying spare parts for Tata-made commercial vehicles. Headquartered in Mumbai, Tata Motors produces passenger cars, as well as commercial and defense vehicles. The company has a presence in 125 countries worldwide and seven assembly facilities, per its website.
Zveare said he found that the portal’s web source code included the private keys to access and modify data within Tata Motors’ account on Amazon Web Services, the researcher said in a blog post.
The exposed data, Zveare told TechCrunch, included hundreds of thousands of invoices containing customer information, such as their names, mailing addresses, and permanent account number (PAN), a 10-character unique identifier issued by the Indian government.
“Out of respect for not causing some type of alarm bell or massive egress bill at Tata Motors, there were no attempts to exfiltrate large amounts of data or download excessively large files,” the researcher told TechCrunch.
There were also MySQL database backups and Apache Parquet files that included various bits of private customer information and communication, the researcher noted.
The AWS keys also enabled access to over 70 terabytes of data related to Tata Motors’ FleetEdge fleet-tracking software. Zveare also found backdoor admin access to a Tableau account, which included data of over 8,000 users.
“As server admin, you had access to all of it. This primarily includes things like internal financial reports, performance reports, dealer scorecards, and various dashboards,” the researcher said.
The exposed data also included API access to Tata Motors’ fleet management platform, Azuga, which powers the company’s test drive website.
Shortly after discovering the issues, Zveare reported them to Tata Motors through the Indian computer emergency response team, known as CERT-In, in August 2023. Later in October 2023, Tata Motors told Zveare that it was working on fixing the AWS issues after securing the initial loopholes. However, the company did not say when the issues were fixed.
Tata Motors confirmed to TechCrunch that all the reported flaws were fixed in 2023 but would not say if it notified affected customers that their information was exposed.
“We can confirm that the reported flaws and vulnerabilities were thoroughly reviewed following their identification in 2023 and were promptly and fully addressed,” said Tata Motors communications head Sudeep Bhalla, when contacted by TechCrunch.
“Our infrastructure is regularly audited by leading cybersecurity firms, and we maintain comprehensive access logs to monitor for unauthorized activity. We also actively collaborate with industry experts and security researchers to strengthen our security posture and ensure timely mitigation of potential risks,” said Bhalla.
techcrunch.com/
Lorenzo Franceschi-Bicchierai
10:00 PM PDT · October 28, 2025
On Monday, researchers at cybersecurity giant Kaspersky published a report identifying a new spyware called Dante that they say targeted Windows victims in Russia and neighboring Belarus. The researchers said the Dante spyware is made by Memento Labs, a Milan-based surveillance tech maker that was formed in 2019 after a new owner acquired and took over early spyware maker Hacking Team.
Memento chief executive Paolo Lezzi confirmed to TechCrunch that the spyware caught by Kaspersky does indeed belong to Memento.
In a call, Lezzi blamed one of the company’s government customers for exposing Dante, saying the customer used an outdated version of the Windows spyware that will no longer be supported by Memento by the end of this year.
“Clearly they used an agent that was already dead,” Lezzi told TechCrunch, referring to an “agent” as the technical word for the spyware planted on the target’s computer.
“I thought [the government customer] didn’t even use it anymore,” said Lezzi.
Lezzi, who said he was not sure which of the company’s customers were caught, added that Memento had already requested that all of its customers stop using the Windows malware. Lezzi said the company had warned customers that Kaspersky had detected Dante spyware infections since December 2024. He added that Memento plans to send a message to all its customers on Wednesday asking them once again to stop using its Windows spyware.
He said that Memento currently only develops spyware for mobile platforms. The company also develops some zero-days — meaning security flaws in software unknown to the vendor that can be used to deliver spyware — though it mostly sources its exploits from outside developers, according to Lezzi.
When reached by TechCrunch, Kaspersky spokesperson Mai Al Akkad would not say which government Kaspersky believes is behind the espionage campaign, but that it was “someone who has been able to use Dante software.”
“The group stands out for its strong command of Russian and knowledge of local nuances, traits that Kaspersky observed in other campaigns linked to this [government-backed] threat. However, occasional errors suggest that the attackers were not native speakers,” Al Akkad told TechCrunch.
In its new report, Kaspersky said it found a hacking group using the Dante spyware that it refers to as “ForumTroll,” describing the targeting of people with invites to Russian politics and economics forum Primakov Readings. Kaspersky said the hackers targeted a broad range of industries in Russia, including media outlets, universities, and government organizations.
Kaspersky’s discovery of Dante came after the Russian cybersecurity firm said it detected a “wave” of cyberattacks with phishing links that were exploiting a zero-day in the Chrome browser. Lezzi said that the Chrome zero-day was not developed by Memento.
In its report, Kaspersky researchers concluded that Memento “kept improving” the spyware originally developed by Hacking Team until 2022, when the spyware was “replaced by Dante.”
Lezzi conceded that it is possible that some “aspects” or “behaviors” of Memento’s Windows spyware were left over from spyware developed by Hacking Team.
A telltale sign that the spyware caught by Kaspersky belonged to Memento was that the developers allegedly left the word “DANTEMARKER” in the spyware’s code, a clear reference to the name Dante, which Memento had previously and publicly disclosed at a surveillance tech conference, per Kaspersky.
Much like Memento’s Dante spyware, some versions of Hacking Team’s spyware, codenamed Remote Control System, were named after historical Italian figures, such as Leonardo da Vinci and Galileo Galilei.
A history of hacks
In 2019, Lezzi purchased Hacking Team and rebranded it to Memento Labs. According to Lezzi, he paid only one euro for the company and the plan was to start over.
“We want to change absolutely everything,” the Memento owner told Motherboard after the acquisition in 2019. “We’re starting from scratch.”
A year later, Hacking Team’s CEO and founder David Vincenzetti announced that Hacking Team was “dead.”
When he acquired Hacking Team, Lezzi told TechCrunch that the company only had three government customers remaining, a far cry from the more than 40 government customers that Hacking Team had in 2015. That same year, a hacktivist called Phineas Fisher broke into the startup’s servers and siphoned off some 400 gigabytes of internal emails, contracts, documents, and the source code for its spyware.
Before the hack, Hacking Team’s customers in Ethiopia, Morocco, and the United Arab Emirates were caught targeting journalists, critics, and dissidents using the company’s spyware. Once Phineas Fisher published the company’s internal data online, journalists revealed that a Mexican regional government used Hacking Team’s spyware to target local politicians and that Hacking Team had sold to countries with human rights abuses, including Bangladesh, Saudi Arabia, and Sudan, among others.
Lezzi declined to tell TechCrunch how many customers Memento currently has but implied it was fewer than 100 customers. He also said that there are only two current Memento employees left from Hacking Team’s former staff.
The discovery of Memento’s spyware shows that this type of surveillance technology keeps proliferating, according to John Scott-Railton, a senior researcher who has investigated spyware abuses for a decade at the University of Toronto’s Citizen Lab.
It also shows that a controversial company can die because of a spectacular hack and several scandals, and yet a new company with brand-new spyware can still come out of its ashes.
“It tells us that we need to keep up the fear of consequences,” Scott-Railton told TechCrunch. “It says a lot that echoes of the most radioactive, embarrassed and hacked brand are still around.”
techcrunch.com
Lorenzo Franceschi-Bicchierai
7:45 AM PDT · October 21, 2025
A developer at Trenchant, a leading Western spyware and zero-day maker, was suspected of leaking company tools and was fired. Weeks later, Apple notified him that his personal iPhone was targeted with spyware.
Earlier this year, a developer was shocked by a message that appeared on his personal phone: “Apple detected a targeted mercenary spyware attack against your iPhone.”
“I was panicking,” Jay Gibson, who asked that we don’t use his real name over fears of retaliation, told TechCrunch.
Gibson, who until recently built surveillance technologies for Western government hacking tools maker Trenchant, may be the first documented case of someone who builds exploits and spyware being themselves targeted with spyware.
“What the hell is going on? I really didn’t know what to think of it,” said Gibson, adding that he turned off his phone and put it away on that day, March 5. “I went immediately to buy a new phone. I called my dad. It was a mess. It was a huge mess.”
At Trenchant, Gibson worked on developing iOS zero-days, meaning finding vulnerabilities and developing tools capable of exploiting them that are not known to the vendor who makes the affected hardware or software, such as Apple.
“I have mixed feelings of how pathetic this is, and then extreme fear because once things hit this level, you never know what’s going to happen,” he told TechCrunch.
But the ex-Trenchant employee may not be the only exploit developer targeted with spyware. According to three sources who have direct knowledge of these cases, there have been other spyware and exploit developers in the last few months who have received notifications from Apple alerting them that they were targeted with spyware.
Apple did not respond to a request for comment from TechCrunch.
The targeting of Gibson’s iPhone shows that the proliferation of zero-days and spyware is starting to ensnare more types of victims.
Spyware and zero-day makers have historically claimed their tools are only deployed by vetted government customers against criminals and terrorists. But for the past decade, researchers at the University of Toronto’s digital rights group Citizen Lab, Amnesty International, and other organizations have found dozens of cases where governments used these tools to target dissidents, journalists, human rights defenders, and political rivals all over the world.
The closest public cases of security researchers being targeted by hackers happened in 2021 and 2023, when North Korean government hackers were caught targeting security researchers working in vulnerability research and development.
Suspect in leak investigation
Two days after receiving the Apple threat notification, Gibson contacted a forensic expert who has extensive experience investigating spyware attacks. After performing an initial analysis of Gibson’s phone, the expert did not find any signs of infection, but still recommended a deeper forensic analysis of the exploit developer’s phone.
A forensic analysis would have entailed sending the expert a complete backup of the device, something Gibson said he was not comfortable with.
“Recent cases are getting tougher forensically, and some we find nothing on. It may also be that the attack was not actually fully sent after the initial stages, we don’t know,” the expert told TechCrunch.
Without a full forensic analysis of Gibson’s phone, ideally one where investigators found traces of the spyware and who made it, it’s impossible to know why he was targeted or who targeted him.
But Gibson told TechCrunch that he believes the threat notification he received from Apple is connected to the circumstances of his departure from Trenchant, where he claims the company designated him as a scapegoat for a damaging leak of internal tools.
Apple sends out threat notifications specifically for when it has evidence that a person was targeted by a mercenary spyware attack. This kind of surveillance technology is often invisibly and remotely planted on someone’s phone without their knowledge by exploiting vulnerabilities in the phone’s software, exploits that can be worth millions of dollars and can take months to develop. Law enforcement and intelligence agencies typically have the legal authority to deploy spyware on targets, not the spyware makers themselves.
Sara Banda, a spokesperson for Trenchant’s parent company L3Harris, declined to comment for this story when reached by TechCrunch before publication.
A month before he received Apple’s threat notification, when Gibson was still working at Trenchant, he said he was invited to go to the company’s London office for a team-building event.
When Gibson arrived on February 3, he was immediately summoned into a meeting room to speak via video call with Peter Williams, Trenchant’s then-general manager who was known inside the company as “Doogie.” (In 2018, defense contractor L3Harris acquired zero-day makers Azimuth and Linchpin Labs, two sister startups that merged to become Trenchant.)
Williams told Gibson the company suspected he was double employed and was thus suspending him. All of Gibson’s work devices would be confiscated and analyzed as part of an internal investigation into the allegations. Williams could not be reached for comment.
“I was in shock. I didn’t really know how to react because I couldn’t really believe what I was hearing,” said Gibson, who explained that a Trenchant IT employee then went to his apartment to pick up his company-issued equipment.
Around two weeks later, Gibson said Williams called and told him that following the investigation, the company was firing him and offering him a settlement agreement and payment. Gibson said Williams declined to explain what the forensic analysis of his devices had found, and essentially told him he had no choice but to sign the agreement and depart the company.
Feeling like he had no alternative, Gibson said he went along with the offer and signed.
Gibson told TechCrunch he later heard from former colleagues that Trenchant suspected he had leaked some unknown vulnerabilities in Google’s Chrome browser, tools that Trenchant had developed. Gibson, and three former colleagues of his, however, told TechCrunch he did not have access to Trenchant’s Chrome zero-days, given that he was part of the team exclusively developing iOS zero-days and spyware. Trenchant teams only have strictly compartmentalized access to tools related to the platforms they are working on, the people said.
“I know I was a scapegoat. I wasn’t guilty. It’s very simple,” said Gibson. “I didn’t do absolutely anything other than working my ass off for them.”
The story of the accusations against Gibson and his subsequent suspension and firing was independently corroborated by three former Trenchant employees with knowledge.
Two of the other former Trenchant employees said they knew details of Gibson’s London trip and were aware of suspected leaks of sensitive company tools.
All of them asked not to be named but believe Trenchant got it wrong.
techcrunch.com - Lorenzo Franceschi-Bicchierai
Zack Whittaker
6:17 AM PDT · October 3, 2025
The hacking group claims to have stolen about a billion records from companies, including FedEx, Qantas, and TransUnion, who store their customer and company data in Salesforce.
A notorious predominantly English-speaking hacking group has launched a website to extort its victims, threatening to release about a billion records stolen from companies who store their customers’ data in cloud databases hosted by Salesforce.
The loosely organized group, which has been known as Lapsus$, Scattered Spider, and ShinyHunters, has published a dedicated data leak site on the dark web, called Scattered LAPSUS$ Hunters.
The website, first spotted by threat intelligence researchers on Friday and seen by TechCrunch, aims to pressure victims into paying the hackers to avoid having their stolen data published online.
“Contact us to regain control on data governance and prevent public disclosure of your data,” reads the site. “Do not be the next headline. All communications demand strict verification and will be handled with discretion.”
Over the last few weeks, the ShinyHunters gang allegedly hacked dozens of high-profile companies by breaking into their cloud-based databases hosted by Salesforce.
Insurance giant Allianz Life, Google, fashion conglomerate Kering, the airline Qantas, carmaking giant Stellantis, credit bureau TransUnion, and the employee management platform Workday, among several others, have confirmed their data was stolen in these mass hacks.
The hackers’ leak site lists several alleged victims, including FedEx, Hulu (owned by Disney), and Toyota Motors, none of which responded to a request for comment on Friday.
It’s not clear if the companies known to have been hacked but not listed on the hacking group’s leak site have paid a ransom to the hackers to prevent their data from being published. When reached by TechCrunch, a representative from ShinyHunters said, “there are numerous other companies that have not been listed,” but declined to say why.
At the top of the site, the hackers mention Salesforce and demand that the company negotiate a ransom, threatening that otherwise “all your customers [sic] data will be leaked.” The tone of the message suggests that Salesforce has not yet engaged with the hackers.
Salesforce spokesperson Nicole Aranda provided a link to the company’s statement, which notes that the company is “aware of recent extortion attempts by threat actors.”
“Our findings indicate these attempts relate to past or unsubstantiated incidents, and we remain engaged with affected customers to provide support,” the statement reads. “At this time, there is no indication that the Salesforce platform has been compromised, nor is this activity related to any known vulnerability in our technology.”
Aranda declined to comment further.
For weeks, security researchers have speculated that the group, which has historically eschewed a public presence online, was planning to publish a data leak website to extort its victims.
Historically, such websites have been associated with foreign, often Russian-speaking, ransomware gangs. In the last few years, these organized cybercrime groups have evolved from stealing, encrypting their victim’s data, and then privately asking for a ransom, to simply threatening to publish the stolen data online unless they get paid.
| TechCrunch techcrunch.com
Zack Whittaker
Sarah Perez
2:10 PM PDT · September 25, 2025
Call recording app Neon was one of the top-ranked iPhone apps, but was pulled offline after a security bug allowed any logged-in user to access the call recordings and transcripts of any other user.
A viral app called Neon, which offers to record your phone calls and pay you for the audio so it can sell that data to AI companies, has rapidly risen to the ranks of the top-five free iPhone apps since its launch last week.
The app already has thousands of users and was downloaded 75,000 times yesterday alone, according to app intelligence provider Appfigures. Neon pitches itself as a way for users to make money by providing call recordings that help train, improve, and test AI models.
But Neon has gone offline, at least for now, after a security flaw allowed anyone to access the phone numbers, call recordings, and transcripts of any other user, TechCrunch can now report.
TechCrunch discovered the security flaw during a short test of the app on Thursday. We alerted the app’s founder, Alex Kiam (who previously did not respond to a request for comment about the app), to the flaw soon after our discovery.
Kiam told TechCrunch later Thursday that he took down the app’s servers and began notifying users about pausing the app, but fell short of informing his users about the security lapse.
The Neon app stopped functioning soon after we contacted Kiam.
Call recordings and transcripts exposed
At fault was the fact that the Neon app’s servers were not preventing any logged-in user from accessing someone else’s data.
TechCrunch created a new user account on a dedicated iPhone and verified a phone number as part of the sign-up process. We used a network traffic analysis tool called Burp Suite to inspect the network data flowing in and out of the Neon app, allowing us to understand how the app works at a technical level, such as how the app communicates with its back-end servers.
After making some test phone calls, the app showed us a list of our most recent calls and how much money each call earned. But our network analysis tool revealed details that were not visible to regular users in the Neon app. These details included the text-based transcript of the call and a web address to the audio files, which anyone could publicly access as long as they had the link.
For example, here you can see the transcript from our test call between two TechCrunch reporters confirming that the recording worked properly.
a JSON response from Neon Mobile's server, which reads as transcript text from a call between two TC reporters, which says: "Uh, it worked. Hooray. Okay. Thanks, mate."
Image Credits:TechCrunch
But the back-end servers were also capable of spitting out reams of other people’s call recordings and their transcripts.
In one case, TechCrunch found that the Neon servers could produce data about the most recent calls made by the app’s users, as well as providing public web links to their raw audio files and the transcript text of what was said on the call. (The audio files contain recordings of just those who installed Neon, not those they contacted.)
Similarly, the Neon servers could be manipulated to reveal the most recent call records (also known as metadata) from any of its users. This metadata contained the user’s phone number and the phone number of the person they’re calling, when the call was made, its duration, and how much money each call earned.
A review of a handful of transcripts and audio files suggests some users may be using the app to make lengthy calls that covertly record real-world conversations with other people in order to generate money through the app.
App shuts down, for now
Soon after we alerted Neon to the flaw on Thursday, the company’s founder, Kiam, sent out an email to customers alerting them to the app’s shutdown.
“Your data privacy is our number one priority, and we want to make sure it is fully secure even during this period of rapid growth. Because of this, we are temporarily taking the app down to add extra layers of security,” the email, shared with TechCrunch, reads.
Notably, the email makes no mention of a security lapse or that it exposed users’ phone numbers, call recordings, and call transcripts to any other user who knew where to look.
It’s unclear when Neon will come back online or whether this security lapse will gain the attention of the app stores.
Apple and Google have not yet commented following TechCrunch’s outreach about whether or not Neon was compliant with their respective developer guidelines.
However, this would not be the first time that an app with serious security issues has made it onto these app marketplaces. Recently, a popular mobile dating companion app, Tea, experienced a data breach, which exposed its users’ personal information and government-issued identity documents. Popular apps like Bumble and Hinge were caught in 2024 exposing their users’ locations. Both stores also have to regularly purge malicious apps that slip past their app review processes.
When asked, Kiam did not immediately say if the app had undergone any security review ahead of its launch, and if so, who performed the review. Kiam also did not say, when asked, if the company has the technical means, such as logs, to determine if anyone else found the flaw before us or if any user data was stolen.
TechCrunch additionally reached out to Upfront Ventures and Xfund, which Kiam claims in a LinkedIn post have invested in his app. Neither firm has responded to our requests for comment as of publication.
techcrunch.com
Lorenzo Franceschi-Bicchierai
9:11 AM PDT · September 2, 2025
The Israeli spyware maker now faces the dilemma of whether to continue its relationship with U.S. Immigration and Customs Enforcement and help fuel its mass deportations program.
U.S. Immigration and Customs Enforcement (ICE) signed a contract last year with Israeli spyware maker Paragon worth $2 million.
Shortly after, the Biden administration put the contract under review, issuing a “stop work order,” to determine whether the contract complied with an executive order on commercial spyware, which restricts U.S. government agencies from using spyware that could violate human rights or target Americans abroad.
Almost a year later, when it looked like the contract would just run out and never become active, ICE lifted the stop work order, according to public records.
“This contract is for a fully configured proprietary solution including license, hardware, warranty, maintenance, and training. This modification is to lift the stop work order,” read an update dated August 30 on the U.S. government’s Federal Procurement Data System, a database of government contracts.
Independent journalist Jack Poulson was the first to report the news in his newsletter.
Paragon has for years cultivated the image of being an “ethical” and responsible spyware maker, in contrast with controversial spyware purveyors such as Hacking Team, Intellexa, and NSO Group. On its official website, Paragon claims to provide its customers with “ethically based tools, teams, and insights.”
The spyware maker faces an ethical dilemma. Now that the contract with ICE’s Information Technology Division is active, it’s up to Paragon to decide whether it wants to continue its relationship with ICE, an agency that has dramatically ramped up mass deportations and expanded its surveillance powers since Donald Trump took over the White House.
Emily Horne, a spokesperson for Paragon, as well as executive chairman John Fleming, did not respond to a request for comment.
In an attempt to show its good faith, in February of this year, Fleming told TechCrunch that the company only sells to the U.S. government and other unspecified allied countries.
Paragon has already had to face a thorny ethical dilemma. In January, WhatsApp revealed that around 90 of its users, including journalists and human rights workers, had been targeted with Paragon’s spyware, called Graphite. In the following days and weeks, Italian journalist Francesco Cancellato and several local pro-immigration activists came forward saying they were among the victims.
In response to this scandal, Paragon cut ties with the Italian government, which had in the meantime launched an inquiry to determine what happened. Then, in June, digital rights research group Citizen Lab confirmed that two other journalists, an unnamed European and a colleague of Cancellato, had been hacked with Paragon’s spyware.
An Italian parliament committee concluded that the spying of the pro-immigration activists was legal, but it also claimed that there was no evidence that Italy’s intelligence agencies, former Paragon customers, had targeted Cancellato.
John Scott-Railton, a senior researcher at Citizen Lab, who has investigated cases of spyware abuse for more than a decade, told TechCrunch that “these tools were designed for dictatorships, not democracies built on liberty and protection of individual rights.”
The researcher said that even spyware is “corrupting,” which is why “there’s a growing pile of spyware scandals in democracies, including with Paragon’s Graphite. Worse, Paragon is still shielding spyware abusers. Just look at the still-unexplained hacks of Italian journalists.”
techcrunch.com Zack Whittaker
11:15 AM PDT · August 29, 2025
A spyware vendor was behind a recent campaign that abused a vulnerability in WhatsApp to deliver an exploit capable of hacking into iPhones and Macs.
WhatsApp said on Friday that it fixed a security bug in its iOS and Mac apps that was being used to stealthily hack into the Apple devices of “specific targeted users.”
The Meta-owned messaging app giant said in its security advisory that it fixed the vulnerability, known officially as CVE-2025-55177, which was used alongside a separate flaw found in iOS and Macs, which Apple fixed last week and tracks as CVE-2025-43300.
Apple said at the time that the flaw was used in an “extremely sophisticated attack against specific targeted individuals.” Now we know that dozens of WhatsApp users were targeted with this pair of flaws.
Donncha Ó Cearbhaill, who heads Amnesty International’s Security Lab, described the attack in a post on X as an “advanced spyware campaign” that targeted users over the past 90 days, or since the end of May. Ó Cearbhaill described the pair of bugs as a “zero-click” attack, meaning it does not require any interaction from the victim, such as clicking a link, to compromise their device.
The two bugs chained together allow an attacker to deliver a malicious exploit through WhatsApp that’s capable of stealing data from the user’s Apple device.
Per Ó Cearbhaill, who posted a copy of the threat notification that WhatsApp sent to affected users, the attack was able to “compromise your device and the data it contains, including messages.”
It’s not immediately clear who, or which spyware vendor, is behind the attacks.
When reached by TechCrunch, Meta spokesperson Margarita Franklin confirmed the company detected and patched the flaw “a few weeks ago” and that the company sent “less than 200” notifications to affected WhatsApp users.
The spokesperson did not say, when asked, if WhatsApp has evidence to attribute the hacks to a specific attacker or surveillance vendor.
This is not the first time that WhatsApp users have been targeted by government spyware, a kind of malware capable of breaking into fully patched devices with vulnerabilities not known to the vendor, known as zero-day flaws.
In May, a U.S. court ordered spyware maker NSO Group to pay WhatsApp $167 million in damages for a 2019 hacking campaign that broke into the devices of more than 1,400 WhatsApp users with an exploit capable of planting NSO’s Pegasus spyware. WhatsApp brought the legal case against NSO, citing a breach of federal and state hacking laws, as well as its own terms of service.
Earlier this year, WhatsApp disrupted a spyware campaign that targeted around 90 users, including journalists and members of civil society across Italy. The Italian government denied its involvement in the spying campaign. Paragon, whose spyware was used in the campaign, later cut off Italy from its hacking tools for failing to investigate the abuse.
techcrunch.com 2025/08/21 - The two self-described hacktivists said they had access to the North Korean spy’s computer for around four months before deciding what they had found should be made public.
Earlier this year, two hackers broke into a computer and soon realized the significance of what this machine was. As it turned out, they had landed on the computer of a hacker who allegedly works for the North Korean government.
The two hackers decided to keep digging and found evidence that they say linked the hacker to cyberespionage operations carried out by North Korea, exploits and hacking tools, and infrastructure used in those operations.
Saber, one of the hackers involved, told TechCrunch that they had access to the North Korean government worker’s computer for around four months, but as soon as they understood what data they got access to, they realized they eventually had to leak it and expose what they had discovered.
“These nation-state hackers are hacking for all the wrong reasons. I hope more of them will get exposed; they deserve to be,” said Saber, who spoke to TechCrunch after he and cyb0rg published an article in the legendary hacking e-zine Phrack, disclosing details of their findings.
There are countless cybersecurity companies and researchers who closely track anything the North Korean government and its many hacking groups are up to, which includes espionage operations, as well as increasingly large crypto heists and wide-ranging operations where North Koreans pose as remote IT workers to fund the regime’s nuclear weapons program.
In this case, Saber and cyb0rg went one step further and actually hacked the hackers, an operation that can give more, or at least different, insights into how these government-backed groups work, as well as “what they are doing on a daily basis and so on,” as Saber put it.
The hackers want to be known only by their handles, Saber and cyb0rg, because they may face retaliation from the North Korean government, and possibly others. Saber said that they consider themselves hacktivists, and he name-dropped legendary hacktivist Phineas Fisher, responsible for hacking spyware makers FinFisher and Hacking Team, as an inspiration.
At the same time, the hackers also understand that what they did is illegal, but they thought it was nonetheless important to publicize it.
“Keeping it for us wouldn’t have been really helpful,” said Saber. “By leaking it all to the public, hopefully we can give researchers some more ways to detect them.”
“Hopefully this will also lead to many of their current victims being discovered and so to [the North Korean hackers] losing access,” he said.
“Illegal or not, this action has brought concrete artifacts to the community; this is more important,” said cyb0rg in a message sent through Saber.
Saber said they are convinced that while the hacker — who they call “Kim” — works for North Korea’s regime, they may actually be Chinese and work for both governments, based on their findings that Kim did not work during holidays in China, suggesting that the hacker may be based there.
Also, according to Saber, at times Kim translated some Korean documents into simplified Chinese using Google Translate.
Saber said that he never tried to contact Kim. “I don’t think he would even listen; all he does is empower his leaders, the same leaders who enslave his own people,” he said. “I’d probably tell him to use his knowledge in a way that helps people, not hurt them. But he lives in constant propaganda and likely since birth so this is all meaningless to him.” He’s referring to the strict information vacuum that North Koreans live in, as they are largely cut off from the outside world.
Saber declined to disclose how he and cyb0rg got access to Kim’s computer, given that the two believe they can use the same techniques to “obtain more access to some other of their systems the same way.”
During their operation, Saber and cyb0rg found evidence of active hacks carried out by Kim, against South Korean and Taiwanese companies, which they say they contacted and alerted.
North Korean hackers have a history of targeting people who work in the cybersecurity industry as well. That’s why Saber said he is aware of that risk, but “not really worried.”
“Not much can be done about this, definitely being more careful though :),” said Saber.
techcrunch.com - Security researcher Eaton Zveare told TechCrunch that the flaws he discovered in the carmaker's centralized dealer portal exposed vast access to customer and vehicle data. With this access, Zveare said he could remotely take over a customer's account and unlock their cars, and more.
A security researcher said flaws in a carmaker’s online dealership portal exposed the private information and vehicle data of its customers, and could have allowed hackers to remotely break into any of its customers’ vehicles.
Eaton Zveare, who works as a security researcher at software delivery company Harness, told TechCrunch the flaw he discovered allowed the creation of an admin account that granted “unfettered access” to the unnamed carmaker’s centralized web portal.
With this access, a malicious hacker could have viewed the personal and financial data of the carmaker’s customers, tracked vehicles, and enrolled customers in features that allow owners — or the hackers — to control some of their cars’ functions from anywhere.
Zveare said he doesn’t plan on naming the vendor, but said it was a widely known automaker with several popular sub-brands.
In an interview with TechCrunch ahead of his talk at the Def Con security conference in Las Vegas on Sunday, Zveare said the bugs put a spotlight on the security of these dealership systems, which grant their employees and associates broad access to customer and vehicle information.
Zveare, who has found bugs in carmakers’ customer systems and vehicle management systems before, found the flaw earlier this year as part of a weekend project, he told TechCrunch.
He said while the security flaws in the portal’s login system was a challenge to find, once he found it, the bugs let him bypass the login mechanism altogether by permitting him to create a new “national admin” account.
The flaws were problematic because the buggy code loaded in the user’s browser when opening the portal’s login page, allowing the user — in this case, Zveare — to modify the code to bypass the login security checks. Zveare told TechCrunch that the carmaker found no evidence of past exploitation, suggesting he was the first to find it and report it to the carmaker.
When logged in, the account granted access to more than 1,000 of the carmakers’ dealers across the United States, he told TechCrunch.
“No one even knows that you’re just silently looking at all of these dealers’ data, all their financials, all their private stuff, all their leads,” said Zveare, in describing the access.
Zveare said one of the things he found inside the dealership portal was a national consumer lookup tool that allowed logged-in portal users to look up the vehicle and driver data of that carmaker.
In one real-world example, Zveare took a vehicle’s unique identification number from the windshield of a car in a public parking lot and used the number to identify the car’s owner. Zveare said the tool could be used to look up someone using only a customer’s first and last name.
With access to the portal, Zveare said it was also possible to pair any vehicle with a mobile account, which allows customers to remotely control some of their cars’ functions from an app, such as unlocking their cars.
Zveare said he tried this out in a real-world example using a friend’s account and with their consent. In transferring ownership to an account controlled by Zveare, he said the portal requires only an attestation — effectively a pinky promise — that the user performing the account transfer is legitimate.
“For my purposes, I just got a friend who consented to me taking over their car, and I ran with that,” Zveare told TechCrunch. “But [the portal] could basically do that to anyone just by knowing their name — which kind of freaks me out a bit — or I could just look up a car in the parking lots.”
Zveare said he did not test whether he could drive away, but said the exploit could be abused by thieves to break into and steal items from vehicles, for example.
Another key problem with access to this carmaker’s portal was that it was possible to access other dealer’s systems linked to the same portal through single sign-on, a feature that allows users to log in to multiple systems or applications with just one set of login credentials. Zveare said the carmaker’s systems for dealers are all interconnected so it’s easy to jump from one system to another.
With this, he said, the portal also had a feature that allowed admins, such as the user account he created, to “impersonate” other users, effectively allowing access to other dealer systems as if they were that user without needing their logins. Zveare said this was similar to a feature found in a Toyota dealer portal discovered in 2023.
techcrunch.com - Google’s AI-powered bug hunter has just reported its first batch of security vulnerabilities.
Heather Adkins, Google’s vice president of security, announced Monday that its LLM-based vulnerability researcher Big Sleep found and reported 20 flaws in various popular open source software.
Adkins said that Big Sleep, which is developed by the company’s AI department DeepMind as well as its elite team of hackers Project Zero, reported its first-ever vulnerabilities, mostly in open source software such as audio and video library FFmpeg and image-editing suite ImageMagick.
Given that the vulnerabilities are not fixed yet, we don’t have details of their impact or severity, as Google does not yet want to provide details, which is a standard policy when waiting for bugs to be fixed. But the simple fact that Big Sleep found these vulnerabilities is significant, as it shows these tools are starting to get real results, even if there was a human involved in this case.
“To ensure high quality and actionable reports, we have a human expert in the loop before reporting, but each vulnerability was found and reproduced by the AI agent without human intervention,” Google’s spokesperson Kimberly Samra told TechCrunch.
Royal Hansen, Google’s vice president of engineering, wrote on X that the findings demonstrate “a new frontier in automated vulnerability discovery.”
LLM-powered tools that can look for and find vulnerabilities are already a reality. Other than Big Sleep, there’s RunSybil and XBOW, among others.
techcrunch.com 24.07 - "We're getting a lot of stuff that looks like gold, but it's actually just crap,” said the founder of one security testing firm. AI-generated security vulnerability reports are already having an effect on bug hunting, for better and worse.
So-called AI slop, meaning LLM-generated low-quality images, videos, and text, has taken over the internet in the last couple of years, polluting websites, social media platforms, at least one newspaper, and even real-world events.
The world of cybersecurity is not immune to this problem, either. In the last year, people across the cybersecurity industry have raised concerns about AI slop bug bounty reports, meaning reports that claim to have found vulnerabilities that do not actually exist, because they were created with a large language model that simply made up the vulnerability, and then packaged it into a professional-looking writeup.
“People are receiving reports that sound reasonable, they look technically correct. And then you end up digging into them, trying to figure out, ‘oh no, where is this vulnerability?’,” Vlad Ionescu, the co-founder and CTO of RunSybil, a startup that develops AI-powered bug hunters, told TechCrunch.
“It turns out it was just a hallucination all along. The technical details were just made up by the LLM,” said Ionescu.
Ionescu, who used to work at Meta’s red team tasked with hacking the company from the inside, explained that one of the issues is that LLMs are designed to be helpful and give positive responses. “If you ask it for a report, it’s going to give you a report. And then people will copy and paste these into the bug bounty platforms and overwhelm the platforms themselves, overwhelm the customers, and you get into this frustrating situation,” said Ionescu.
“That’s the problem people are running into, is we’re getting a lot of stuff that looks like gold, but it’s actually just crap,” said Ionescu.
Just in the last year, there have been real-world examples of this. Harry Sintonen, a security researcher, revealed that the open source security project Curl received a fake report. “The attacker miscalculated badly,” Sintonen wrote in a post on Mastodon. “Curl can smell AI slop from miles away.”
In response to Sintonen’s post, Benjamin Piouffle of Open Collective, a tech platform for nonprofits, said that they have the same problem: that their inbox is “flooded with AI garbage.”
One open source developer, who maintains the CycloneDX project on GitHub, pulled their bug bounty down entirely earlier this year after receiving “almost entirely AI slop reports.”
The leading bug bounty platforms, which essentially work as intermediaries between bug bounty hackers and companies who are willing to pay and reward them for finding flaws in their products and software, are also seeing a spike in AI-generated reports, TechCrunch has learned.
techcrunch.com - Google has suspended the account of phone surveillance operator Catwatchful, which was using the tech giant’s servers to host and operate the monitoring software.
Google’s move to shut down the spyware operation comes a month after TechCrunch alerted the technology giant the operator was hosting the operation on Firebase, one of Google’s developer platforms. Catwatchful relied on Firebase to host and store vast amounts of data stolen from thousands of phones compromised by its spyware.
“We’ve investigated these reported Firebase operations and suspended them for violating our terms of service,” Google spokesperson Ed Fernandez told TechCrunch in an email this week.
When asked by TechCrunch, Google would not say why it took a month to investigate and suspend the operation’s Firebase account. The company’s own terms of use broadly prohibit its customers from hosting malicious software or spyware operations on its platforms. As a for-profit company, Google has a commercial interest in retaining customers who pay for its services.
As of Friday, Catwatchful is no longer functioning nor does it appear to transmit or receive data, according to a network traffic analysis of the spyware carried out by TechCrunch.
Catwatchful was an Android-specific spyware that presented itself as a child-monitoring app “undetectable” to the user. Much like other phone spyware apps, Catwatchful required its customers to physically install it on a person’s phone, which usually requires prior knowledge of their passcode. These monitoring apps are often called “stalkerware” (or spouseware) for their propensity to be used for non-consensual surveillance of spouses and romantic partners, which is illegal.
Once installed, the app was designed to stay hidden from the victim’s home screen, and upload the victim’s private messages, photos, location data, and more to a web dashboard viewable by the person who planted the app.
TechCrunch first learned of Catwatchful in mid-June after security researcher Eric Daigle identified a security bug that was exposing the spyware operation’s back-end database.
The bug allowed unauthenticated access to the database, meaning no passwords or credentials were needed to see the data inside. The database contained more than 62,000 Catwatchful customer email addresses and plaintext passwords, as well as records on 26,000 victim devices compromised by the spyware.
The data also exposed the administrator behind the operation, a Uruguay-based developer called Omar Soca Charcov. TechCrunch contacted Charcov to ask if he was aware of the security lapse, or if he planned to notify affected individuals about the breach. Charcov did not respond.
With no clear indication that Charcov would disclose the breach, TechCrunch provided a copy of the Catwatchful database to data breach notification service Have I Been Pwned.
Catwatchful is the latest in a long list of surveillance operations that have experienced a data breach in recent years, in large part due to shoddy coding and poor cybersecurity practices. Catwatchful is by TechCrunch’s count the fifth spyware operation this year to have spilled users’ data, and the most recent entry in a list of more than two-dozen known spyware operations since 2017 that have exposed their banks of data.
As we noted in our previous story: Android users can identify if the Catwatchful spyware is installed, even if the app is hidden, by dialing 543210 into your Android phone app’s keypad and pressing the call button.
