
Iranian hackers tried to hand over hacked Trump campaign emails to Democrats


The week was dominated by news of thousands of pagers, walkie-talkies and other devices being blown up in Lebanon on Tuesday and Wednesday in an attack targeting the militant group Hezbollah. At least 32 people were killed, including at least four children, and more than 3,200 people were wounded. The covert campaign has been widely attributed to Israel, though none of the country’s government agencies have commented.

In addition to the carnage, the attacks have had — apparently by design — the effect of sowing paranoia and fear, not only among Hezbollah members but also in the Lebanese public at large. Hardware and warfare experts say the incident is unlikely to set a global precedent that the communications and electronic devices people rely on most, such as smartphones, are being rigged with explosives left and right. But it does create the potential to inspire copycats and put advocates on notice that such attacks are possible.

Researchers say China’s 2023 Zhujian Cup, a hacking competition linked to the country’s military, took the unusual step of requiring participants to keep the content of the exercise secret — and may have been targeting a real victim as part of the event. Apple’s new standalone app Passwords, which launched with iOS 18, may help solve your login woes. And a now-deleted post from billionaire Elon Musk questioning why no one has tried to assassinate Joe Biden and Kamala Harris renewed concerns this week that Musk is willing to inspire extremist violence and is a threat to national security in the United States.

And there’s more. Every week, we round up privacy and security news we haven’t covered in depth. Click on the headlines to read the full stories. And stay safe.

Last month, media outlets, Microsoft, and Google warned that an Iranian state-sponsored hacking group known as APT42 had targeted the political campaigns of Joe Biden and Donald Trump, and had managed to steal Trump campaign emails that were then shared with journalists. Now, the FBI has weighed in with the additional revelation that the same hackers also sent those stolen Trump communications to Democrats, though there is no indication for now that the Democrats requested those emails from the Iranians or necessarily received the message from the Iranians.

However, Republicans were quick to compare the news to allegations that the Trump campaign “conspired” with Russian hackers, part of the Kremlin’s GRU military intelligence agency, who breached the Democratic National Committee and the Clinton Campaign in 2016 to carry out a hacking and leak operation. In a statement, the Trump campaign demanded that Democrats “must clarify whether they used the hacked material.” Harris’ campaign told CNN that it has cooperated with law enforcement and was “not aware of any materials being sent directly to the campaign,” believing the emails to be spam or phishing attempts. “We condemn in the strongest terms any efforts by foreign actors to interfere in US elections, including this unwanted and unacceptable malicious activity,” Morgan Finkelstein, national security spokesperson for the Harris campaign, told CNN.

The FBI announced this week that it had dismantled a network of hacked machines secretly controlled by a Chinese state-sponsored hacking group known as Flax Typhoon. The botnet, comprised of 260,000 routers and Internet of Things devices, was allegedly run by a Chinese contractor known as Beijing Integrity Technology Group — a rare case of a well-known, publicly traded company essentially operating a massive collection of hacked devices on behalf of the Chinese state. The botnet, according to the FBI and security firm Black Lotus Labs, had been used to hack American and Taiwanese government agencies, defense contractors, telecommunications, and other targets. At the time of its dismantlement, the botnet still comprised 60,000 machines, making it the largest Chinese state-sponsored botnet in history, according to Black Lotus Labs.

On Wednesday night, two young men were arrested after they allegedly stole hundreds of millions of dollars worth of cryptocurrency and spent the proceeds on luxury cars, watches, jewelry and designer handbags. In an unsealed indictment, the U.S. Justice Department has charged Malone Lam, 20, known online as “Anne Hathaway,” and Jeandiel Serrano, 21, also known as “VersaceGod,” with stealing $243 million in cryptocurrency and laundering the proceeds through mixing services to conceal their origin.

CoinDesk reported that the men allegedly tricked the theft victim, a creditor of the now-defunct trading firm Genesis, using a social engineering scam that led them to reset their Gemini two-factor authentication and transfer 4,100 bitcoins to a compromised wallet. An analysis by blockchain researcher ZachXBT revealed that the $243 million was split between multiple wallets and then distributed to over 15 exchanges.

On Thursday, TechCrunch reported that the latest update to Apple’s desktop operating system, macOS 15 (Sequoia), breaks some features of major security tools created by CrowdStrike, SentinelOne, and Microsoft. It’s not clear what specifically in the update is causing the issues, but social media posts and internal Slack messages reviewed by the tech outlet show that the update has frustrated engineers working on macOS-focused security tools.

A CrowdStrike sales engineer informed colleagues via Slack, as seen by TechCrunch, that the company would not be able to support Sequoia on day one, despite its usual practice of quickly supporting new versions of the operating system. While they hope for a quick patch, they will likely have to scramble to resolve the issue with an update to their own code — assuming there isn’t an immediate fix available from Apple, which has yet to comment on the matter.

Cryptocurrency theft has practically become a common form of cybercrime. But one brutal gang took that form of theft to a new level of cruelty and violence, breaking into the homes of a series of victims to threaten and extort them into handing over their cryptocurrency holdings, sometimes even resorting to kidnapping and torture. This week, that disturbing story came to an end with the sentencing of the group’s leader, a Florida man named Remy St. Felix, to 47 years in prison. St. Felix is one of 12 members of the gang who have been charged, convicted and sentenced. Before the home invasions St. Felix led, another member of the group named Jarod Seemungal allegedly stole millions using more traditional cryptocurrency hacking techniques. But St. Felix’s more violent, offline extortion attempts netted his gang only about $150,000 worth of cryptocurrency before they were caught and sentenced to years in prison. The lesson: crime doesn’t pay, or at least, not physical crime.
