As the so-called Department of Government Efficiency continues to rampage through the United States government by making sweeping cuts to the federal workforce, numerous ongoing lawsuits allege that the group’s access to sensitive data violates the Watergate-inspired Privacy Act of 1974 and that it needs to halt its activity. Meanwhile, DOGE cut staff this week at the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and gained access to CISA’s digital systems after the agency had already frozen its eight-year-old election security initiatives late last week.
The National Institute of Standards and Technology was also bracing this week for roughly 500 staffers to be fired, which could have serious impacts on NIST’s cybersecurity standards and software vulnerability tracking work. And cuts last week at the US Digital Service included the cybersecurity lead for the central Veterans Affairs portal, VA.gov, potentially leaving VA systems and data more vulnerable without someone in his role.
Multiple US government departments are now considering bans on China-made TP-Link routers following recent aggressive Chinese digital espionage campaigns. (The company denies any connection to cyberattacks.) A WIRED investigation found that users of Google’s ad tech can target categories that shouldn’t be available under the company’s policies, including people with chronic diseases or those in debt. Advertisers could also target national security “decision makers” and people involved in the development of classified defense technology.
Google researchers warned this week that hackers tied to Russia have been tricking Ukrainian soldiers with fake QR codes for Signal group invites that exploited a flaw to allow the attackers to spy on target messages. Signal has rolled out updates to stop exploitation. And a WIRED deep dive examines how difficult it can be for even the most connected web users to have nonconsensual intimate images and videos of themselves removed from the web.
And there’s more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.
Running a cryptocurrency exchange is a risky business, as hacking victims like Mt. Gox, Bitfinex, FTX, and plenty of others can attest. But never before has a platform for buying and selling crypto lost a 10-figure dollar sum in a single heist. That new record belongs to ByBit, which on Friday revealed that thieves hacked its Ethereum-based holdings. The hackers made off with a sum that totals to $1.4 billion, according to an estimate by cryptocurrency tracing firm Elliptic—the largest crypto theft of all time by some measures.
ByBit CEO Ben Zhou wrote on X that the hackers had used a “musked transaction”—likely a misspelling of “masked transaction”—to trick the exchange into cryptographically signing a change in the code of the smart contract controlling a wallet holding its stockpile of Ethereum. “Please rest assured that all other cold wallets are secure,” Zhou wrote, suggesting that the exchange remained solvent. “All withdraws are NORMAL.” Zhou later added in another note on X that the exchange would be able to cover the loss, which if true suggests that no users will lose their funds.
The theft dwarfs other historic hacks of crypto exchanges like Mt. Gox and FTX, each of which lost sums of cryptocurrency that were worth hundreds of millions of dollars at the time the thefts were discovered. Even the stolen loot from the 2016 Bitfinex heist, which was worth close to $4.5 billion at the time the thieves were identified and the majority of the funds recovered in 2022, was only worth $72 million at the time of the theft. ByBit’s $1.4 billion is by that measure a far bigger loss and, considering that all crypto thefts in 2024 totaled to $2.2 billion, according to blockchain analysis firm Chainalysis, a stunning new benchmark in crypto crime.
The British government earlier this month raised privacy alarms worldwide when it demanded that Apple give it access to users’ end-to-end encrypted iCloud data. That data had been protected with Apple’s Advanced Data Protection feature, which encrypts stored user information such that no one other than the user can decrypt it—not even Apple. Now Apple has caved to the UK’s pressure, disabling that end-to-end encryption feature for iCloud across the country. Even as it turned off that protection, Apple expressed its reluctance in a statement: “Enhancing the security of cloud storage with end-to-end-encryption is more urgent than ever before,” the company said. “Apple remains committed to offering our users the highest level of security for their personal data and are hopeful that we will be able to do so in future in the UK.” Privacy advocates worldwide have argued that the move—and the UK’s push for it—will weaken the security and privacy of British citizens and leave tech companies vulnerable to similar surveillance demands from other governments around the world.
The only thing worse than the scourge of stalkerware apps—malware installed on phones by snooping spouses or other hands-on spies to surveil virtually all of the victim’s movements and communications—is when those apps are so badly secured that they also leak victims’ information onto the internet. Stalkerware apps Cocospy and Spyic, which appear to have been developed by someone in China and largely share the same source code, left data stolen from millions of victims exposed, thanks to a security vulnerability in both apps, according to a security researcher who discovered the flaw and shared information about it with TechCrunch. The exposed data included messages, call logs, and photos, TechCrunch found. In a karmic twist, it also included millions of email addresses of the stalkerware’s registered users, who had themselves installed the apps to spy on victims.
