Despite alerting Meta months ago, feminist groups say tens of thousands of fake accounts continue to bombard them on the platform.

IRANIAN women’s rights groups have for months faced a deluge of bots following their Instagram accounts and disrupting their digital outreach operations. Activists say that while they have repeatedly asked Meta, Instagram’s parent company, to stymie the flood of junk followers, more keep coming, totaling in the millions across dozens of organizations operating in Iran and elsewhere around the world.

The targeted bot campaigns, in which a group receives tens of thousands of new followers in as little as a single day, have gained momentum as the Iranian government works to counter broad dissent focused on an array of pressing social issues, including economic hardship. Women’s rights activists say they have faced a particularly aggressive crackdown from the government in recent months, with some surveilled by law enforcement and arrested. As the National Day of Hijab and Chastity approached last Tuesday, women around the country participated in #No2Hijab actions, in which they pushed back their hijabs, revealing their hair, or removed them altogether. Authorities label participants “bad-hijab women.” 

Through it all, Instagram has served as a crucial communication platform for feminist organizers because it is one of the few international platforms accessible and uncensored in Iran’s tightly controlled digital landscape.

“More and more people are pushing back against hijab right now; it’s unprecedented and I think the government is feeling threatened by the women’s rights movement,” says Firuzeh Mahmoudi, executive director of United for Iran, one of the organizations that has faced bot targeting on its Instagram page. “So whatever is going on with these bots that have been purchased systematically to target Instagram pages is definitely not a coincidence, in my opinion. We’ve seen about 30 women’s rights groups inside Iran and 40 outside targeted in this way.”

The bot campaigns align with the interests of the Iranian regime, but the actors behind them haven’t yet been identified. The attacks are in some ways subtle because they don’t involve a flood of malicious comments or attempts to take down entire pages. Instead, activists say, their Instagram pages—which often have just a few thousand followers—suddenly gain tens of thousands more in the span of a few hours. The new follower accounts seem to be named using long, systematic strings of unintelligible consonants and numbers. In one example, Mahmoudi says that a United for Iran page jumped from consistently averaging around 27,000 followers to 70,000 overnight. Other activists shared similar stories of their accounts gaining tens of thousands of followers in a few hours in recent weeks and then gaining and losing followers a few thousand at a time after that. 

These massive spikes and fluctuations skew administrators’ metrics, making it hard to determine whether they are reaching legitimate followers with their posts and stories. Activists also note that the bot accounts will individually report specific posts to Instagram as abusive to get them wrongly taken down.

“It’s not consistent, but it hasn’t stopped since April,” says Shaghayegh Norouzi, founder of Me\_Too\_Movement\_Iran. “For example, if we are working on a sexual assault report from someone with strong connections to the government, we get a lot of fake followers. In the past 10 days, over 100,000 fake accounts have been added to our public account. They repeatedly report our posts, so Instagram removes our posts. These attacks specifically affect our performance to spread our message and be in contact with women and minorities who need our help.”

Despite having known about the issue for months, Meta tells WIRED that its investigation into the bot attacks is ongoing and not yet complete. “We want everyone to feel safe on Instagram—particularly activists, both in Iran and around the world,” a company spokesperson said in a statement. “We are continuing to investigate the activists’ concerns and will take action on any accounts that break our rules.”

The company says it has been receiving updates about the issues from Iranian women’s rights activists since April and had taken down hundreds of Instagram accounts in connection with the activity prior to this week. Meta describes the bot bombardments as adversarial but says it has not found evidence of automated or scripted activity. When asked what else could explain the patterns the activists have been seeing on their accounts, the company declined to comment on the record.

After WIRED reached out to Meta for comment, the company initially said it “checkpointed” a few hundred more accounts, a protective measure in which potentially suspicious accounts are blocked unless their owner can confirm their identity. Moments prior to publication, a Meta spokesperson said the company was taking down an additional 18,000 accounts that have targeted Iranian women’s rights groups. The company says that, in contrast to the activists’ reports, it does not see evidence that individual posts are being falsely reported and taken down.

Me\_Too\_Movement\_Iran’s Norouzi says her organization has been forced to create a private Instagram page in addition to its public one in an attempt to create a safe space for legitimate users. But multiple page administrators tell WIRED that it is difficult and time-consuming to screen followers and noted that, of course, creating a private page limits who can see posts.

At the end of June, a consortium of activists released a statement with AccessNow about the attacks on Iranian women’s groups, urging Meta to take action against the bots. 

“The fake followers have built a campaign of harassment by using high numbers of comments to intimidate and silence these users,” the groups wrote. “The fake followers have also damaged the credibility of the accounts they have targeted, resulting in a significant loss in engagement, likes, and viewership. This campaign is essentially drowning out the real engagement and outreach these accounts previously had.”

Last month, digital rights and security nonprofit Qurium released an analysis of the campaigns targeting Iranian feminist groups. The researchers found that the bots used in April and May seemed to be purchased from a few specific social media marketing companies based in Pakistan. The firms advertise services through which a customer could spend about $50 to purchase 10,000 bot followers or about $1,500 for up to 1 million fake accounts.

“So far, Meta has been slow to investigate this problem, even though the fake followers violate Meta’s ‘inauthentic behaviour policy,’” the groups wrote at the end of June. “They do not depict typical bot-like behaviour, and are potentially being operated by real humans from paid-for troll farms. Despite these complexities, Meta has enough documentation and evidence … to warrant swift action.”

For weeks, numerous groups have been communicating with Meta about the issue. Tord Lundström, Qurium’s technical director, tells WIRED that he has been trying to provide concrete suggestions to the company on how to investigate and identify the bots Qurium discovered in its analysis. 

“The response from Facebook can be summarized as follows: ‘We are looking into it, it is very difficult to solve, we have lots of people working on it,’ but nothing happens,” Lundström tells WIRED. “The fake followers, likes, and reviews industry has been camping inside Facebook for years. We have identified dozens of portals inside Facebook providing these services. It takes seconds to find them, but it seems that Facebook has difficulties stopping this market. Why?"

Milad Keshtan, program lead at United For Iran, expressed similar frustrations. “We have really clear action items that Meta could take to help us mitigate these campaigns, but we haven’t seen any response from them, even though we have reached out to them directly,” he says.

Meta emphasized that its investigation is ongoing and that multiple teams within the company are analyzing the activity. But the company did not comment on the record about why it hasn’t specifically acted on the researchers’ recommendations.

And it is a particularly urgent moment for comprehensive action to safeguard the accounts of Iranian women’s rights organizers.

“The Me Too movement in Iran started about three years ago and has grown exponentially in the past six months,” Me\_Too\_Movement\_Iran’s Norouzi says. “Of course, government and anti-feminist movements in Iran do not like this growth and awareness. And it’s not only us as feminist activists, but also whoever has collaborated with us who have experienced these attacks on Instagram. We are in shock that Instagram is letting people use their platform to shut down voices of women and minorities.”

Instagram Slow to Tackle Bots Targeting Iranian Women’s Groups

Plus: A wild Indian cricket scam, an elite CIA hacker is found guilty of passing secrets to WikiLeaks, and more of the week's top security news.

The websites you visit can reveal (almost) everything about you. If you are looking up health information, reading about trade unions, or researching details around certain types of crime, then you can potentially give away a huge amount of detail about yourself that a malicious actor could use against you. Researchers this week have detailed a new attack, using the web’s basic functions, that can unmask anonymous users online. The hack uses common web browser features—included in every major browser—and CPU functions to analyze whether you’re logged in to services such as Twitter or Facebook and subsequently identify you.

Elsewhere, we detailed how the Russian “hacktivist” group Killnet is attacking countries that backed Ukraine but aren’t directly involved in the war. Killnet has launched DDoS attacks against official government websites and businesses in Germany, the United States, Italy, Romania, Norway, and Lithuania in recent months. And it’s only one of the pro-Russian hacktivist groups causing chaos.

We’ve also looked at a new privacy scandal in India where donors to nonprofit organizations have had their details and information handed to police without their consent. We also looked at the new “Retbleed” attack that can steal data from Intel and AMD chips. And we took stock of the ongoing January 6 committee hearings—and predicted what’s to come.

But that’s not all. Each week we round up the news that we didn’t break or cover in-depth. Click on the headlines to read the full stories. And stay safe out there!

For years, Amazon-owned security camera firm Ring has been building relationships with law enforcement. By the start of 2021, Amazon had struck more than 2,000 partnerships with police and fire departments across the US, building out a huge surveillance network with officials being able to request videos to help with investigations. In the UK, Ring has partnered with police forces to give cameras away to local residents.

This week, Amazon admitted to handing police footage recorded on Ring cameras without their owners’ permission. As first reported by Politico, Ring has given law enforcement officials footage on at least 11 occasions this year. This is the first time the firm has admitted to passing on data without consent or a warrant. The move will raise further concerns over Ring’s cameras, which have been criticized by campaign groups and lawmakers for eroding people’s privacy and making surveillance technology ubiquitous. In response, Ring says it doesn’t give anyone “unfettered” access to customer data or video but may hand over data without permission in emergency situations where there is imminent danger of death or serious harm to a person.

In 2017, the Vault 7 leaks exposed the CIA’s most secretive and powerful hacking tools. Files published by WikiLeaks showed how the agency could hack Macs, your router, your TV, and a whole host of other devices. Investigators soon pointed the finger at Joshua Schulte, a hacker in the CIA’s Operations Support Branch (OSB), which was responsible for finding exploits that could be used in the CIA’s missions. Schulte has now been found guilty of leaking the Vault 7 files to Wikileaks and is potentially facing decades in prison. Following an earlier mistrial in 2018, Schulte was this week found guilty on all nine charges against him. Weeks ahead of his second trial, _The New Yorker_ published this comprehensive feature exploring Schulte’s dark history and how the CIA’s OSB operates.

Hackers linked to China, Iran, and North Korea have been targeting journalists and media outlets, according to new research from security firm Proofpoint. Alongside efforts to compromise the official accounts of members of the press, Proofpoint says, multiple Iranian hacking groups have posed as journalists and tried to trick people into handing over their online account details. The Iranian-linked group Charming Kitten has sent detailed interview requests to its potential hacking targets, and they have also tried to impersonate multiple Western news outlets. “This social engineering tactic successfully exploits the human desire for recognition and is being leveraged by APT actors wishing to target academics and foreign policy experts worldwide, likely in an effort to gain access to sensitive information,” Proofpoint says.

In any company or organization, items will go missing from time to time. Usually these are misplaced phones, security passes, and files occasionally being left at bus stops by mistake. Losing any of these things may open up security risks if devices are insecure or if sensitive information is made public. Less commonly lost are desktop computers—unless you’re the FBI. According to FBI records obtained by VICE’s _Motherboard_, the agency lost 200 desktop machines between July and December 2021. Also lost, or in some cases stolen, were pieces of body armor and night-vision scopes.

Scams don’t get much more elaborate than this. This week, police in India busted a fake “Indian Premier League” cricket tournament. A group of alleged scammers set up the fake league in the western Indian state of Gujarat and hired young men to play cricket matches, posing as professional teams while they livestreamed the matches for people to bet on. According to police, the group hired a fake commentator, created onscreen graphics showing real-time scores, and played crowd noises downloaded from the internet. To hide the fact that the matches took place on a farm instead of inside a large stadium, the videofeed only showed closeups of the action. Police said they caught the gang as a quarterfinal match was being played. Police believe the gang was potentially running multiple leagues and was planning to expand to a volleyball league, too. The match footage is worth watching.

Amazon Handed Ring Videos to Cops Without Warrants

Researchers have found a way to use the web's basic functions to identify who visits a site—without the user detecting the hack.

Everyone from advertisers and marketers to government-backed hackers and spyware makers wants to identify and track users across the web. And while a staggering amount of infrastructure is already in place to do exactly that, the appetite for data and new tools to collect it has proved insatiable. With that reality in mind, researchers from the New Jersey Institute of Technology are warning this week about a novel technique attackers could use to de-anonymize website visitors and potentially connect the dots on many components of targets’ digital lives.

The findings, which NJIT researchers will present at the Usenix Security Symposium in Boston next month, show how an attacker who tricks someone into loading a malicious website can determine whether that visitor controls a particular public identifier, like an email address or social media account, thus linking the visitor to a piece of potentially personal data. 

When you visit a website, the page can capture your IP address, but this doesn’t necessarily give the site owner enough information to individually identify you. Instead, the hack analyzes subtle features of a potential target’s browser activity to determine whether they are logged into an account for an array of services, from YouTube and Dropbox to Twitter, Facebook, TikTok, and more. Plus the attacks work against every major browser, including the anonymity-focused Tor Browser.

“If you’re an average internet user, you may not think too much about your privacy when you visit a random website,” says Reza Curtmola, one of the study authors and a computer science professor at NJIT. “But there are certain categories of internet users who may be more significantly impacted by this, like people who organize and participate in political protest, journalists, and people who network with fellow members of their minority group. And what makes these types of attacks dangerous is they’re very stealthy. You just visit the website and you have no idea that you’ve been exposed.”

The risk that government-backed hackers and cyber-arms dealers will attempt to de-anonymize web users isn’t just theoretical. Researchers have documented a number of techniques used in the wild and have witnessed situations in which attackers identified individual users, though it wasn’t clear how.

Other theoretical work has looked at an attack similar to the one NJIT researchers developed, but much of this past investigation has focused on grabbing revealing data that’s leaked between websites when one service makes a request to another. As a result of this prior work, browsers and website developers have improved how data is isolated and restricted when content loads, making these potential attack paths less feasible. Knowing that attackers are motivated to seek out techniques for identifying users, though, the researchers wanted to explore additional approaches.

“Let’s say you have a forum for underground extremists or activists, and a law enforcement agency has covertly taken control of it,” Curtmola says. “They want to identify the users of this forum but can’t do this directly because the users use pseudonyms. But let’s say that the agency was able to also gather a list of Facebook accounts who are suspected to be users of this forum. They would now be able to correlate whoever visits the forum with a specific Facebook identity.”

How this de-anonymization attack works is difficult to explain but relatively easy to grasp once you have the gist. Someone carrying out the attack needs a few things to get started: a website they control, a list of accounts tied to people they want to identify as having visited that site, and content posted to the platforms of the accounts on their target list that either allows the targeted accounts to view that content or blocks them from viewing it—the attack works both ways. 

Next, the attacker embeds the aforementioned content on the malicious website. Then they wait to see who clicks. If anyone on the targeted list visits the site, the attackers will know who they are by analyzing which users can (or cannot) view the embedded content.

The attack takes advantage of a number of factors most people likely take for granted: Many major services—from YouTube to Dropbox—allow users to host media and embed it on a third-party website. Regular users typically have an account with these ubiquitous services and, crucially, they often stay logged into these platforms on their phones or computers. Finally, these services allow users to restrict access to content uploaded to them. For example, you can set your Dropbox account to privately share a video with one or a handful of other users. Or you can upload a video to Facebook publicly but block certain accounts from viewing it. 

These “block” or “allow” relationships are the crux of how the researchers found that they can reveal identities. In the “allow” version of the attack, for instance, hackers might quietly share a photo on Google Drive with a Gmail address of potential interest. Then they embed the photo on their malicious web page and lure the target there. When visitors’ browsers attempt to load the photo via Google Drive, the attackers can accurately infer whether a visitor is allowed to access the content—aka, whether they have control of the email address in question. 

Thanks to the major platforms’ existing privacy protections, the attacker can’t check directly whether the site visitor was able to load the content. But the NJIT researchers realized they could analyze accessible information about the target’s browser and the behavior of their processor as the request is happening to make an inference about whether the content request was allowed or denied. 

The technique is known as a “side channel attack” because the researchers found that they could accurately and reliably make this determination by training machine learning algorithms to parse seemingly unrelated data about how the victim’s browser and device process the request. Once the attacker knows that the one user they allowed to view the content has done so (or that the one user they blocked has been blocked) they have de-anonymized the site visitor.

Complicated as it may sound, the researchers warn that it would be simple to carry out once attackers have done the prep work. It would only take a couple of seconds to potentially unmask each visitor to the malicious site—and it would be virtually impossible for an unsuspecting user to detect the hack. The researchers developed a browser extension that can thwart such attacks, and it is available for Chrome and Firefox. But they note that it may impact performance and isn’t available for all browsers.

Through a major disclosure process to numerous web services, browsers, and web standards bodies, the researchers say they have started a larger discussion about how to comprehensively address the issue. At the moment, Chrome and Firefox have not publicly released responses. And Curtmola says fundamental and likely infeasible changes to the way processors are designed would be needed to address the issue at the chip level. Still, he says that collaborative discussions through the World Wide Web Consortium or other forums could ultimately produce a broad solution.

“Vendors are trying to see if it’s worth the effort to resolve this,” he says. “They need to be convinced that it’s a serious enough issue to invest in fixing it.”

A New Attack Can Unmask Anonymous Users on Any Major Browser

The exploit can leak password information and other sensitive material, but the chipmakers are rolling out mitigations.

Some microprocessors from Intel and AMD are vulnerable to a newly discovered speculative execution attack that can covertly leak password data and other sensitive material, sending both chipmakers scrambling once again to contain what is proving to be a stubbornly persistent vulnerability.

Researchers from ETH Zurich have named their attack Retbleed because it exploits a software defense known as retpoline, which chipmakers introduced in 2018 to mitigate the harmful effects of speculative execution attacks. Speculative execution attacks, also known as Spectre, exploit the fact that when modern CPUs encounter a direct or indirect instruction branch, they predict the address for the next instruction they’re about to receive and automatically execute it before the prediction is confirmed. Spectre works by tricking the CPU into executing an instruction that accesses sensitive data in memory that would normally be off-limits to a low-privileged application. Retbleed then extracts the data after the operation is canceled.

Is It a Trampoline or a Slingshot?

Retpoline works by using a series of return operations to isolate indirect branches from speculative execution attacks, in effect erecting the software equivalent of a trampoline that causes them to safely bounce. Stated differently, a retpoline works by replacing indirect jumps and calls with returns, which many researchers presumed weren’t susceptible. The defense was designed to counter variant 2 of the original speculative execution attacks from January 2018. Abbreviated as BTI, the variant forces an indirect branch to execute so-called gadget code, which in turn creates data to leak through a side channel.

Some researchers have warned for years that retpoline isn’t sufficient to mitigate speculative execution attacks because the returns retpoline used were susceptible to BTI. Linux creator Linus Torvalds famously rejected such warnings, arguing that such exploits weren’t practical.

The ETH Zurich researchers have conclusively shown that retpoline is insufficient for preventing speculative execution attacks. Their Retbleed proof-of-concept works against Intel CPUs with the Kaby Lake and Coffee Lake microarchitectures as well as with AMD Zen 1, Zen 1+, and Zen 2 microarchitectures.

“Retpoline, as a Spectre-BTI mitigation, fails to consider return instructions as an attack vector,” researchers Johannes Wikner and Kaveh Razavi wrote. “While it is possible to defend return instructions by adding a valid entry to the RSB return stack buffer before executing the return instruction, treating every return as potentially exploitable in this way would impose a tremendous overhead. Previous work attempted to conditionally refill the RSB with harmless return targets whenever a perCPU counter that tracks the call stack depth reaches a certain threshold, but it was never approved for upstream. In the light of Retbleed, this mitigation is being re-evaluated by Intel, but AMD CPUs require a different strategy.”

In an email, Razavi explained it this way:

_Spectre variant 2 exploited indirect branches to gain arbitrary speculative execution in the kernel. Indirect branches were converted to returns using the retpoline to mitigate Spectre variant 2._

_Retbleed shows that return instructions unfortunately leak under certain conditions similar to indirect branches. These conditions are unfortunately common on both Intel (Skylake and Skylake-based) and AMD (Zen, Zen+ and Zen2) platforms. This means that retpoline was unfortunately an inadequate mitigation to begin with._

In response to the research, both Intel and AMD advised customers to adopt new mitigations that the researchers said will add as much as 28 percent more overhead to operations.

Retbleed can leak kernel memory from Intel CPUs at about 219 bytes per second and with 98 percent accuracy. The exploit can extract kernel memory from AMD CPUs with a bandwidth of 3.9 kB per second. The researchers said that it’s capable of locating and leaking a Linux computer’s root password hash from physical memory in about 28 minutes when running the Intel CPUs and in about six minutes for AMD CPUs.

Retbleed works by using code that essentially poisons the branch prediction unit that CPUs rely on to make their guesses. Once the poisoning is complete, this BPU will make mispredictions that the attacker can control.

“We found that we can inject branch targets that reside inside the kernel address-space, even as an unprivileged user,” the researchers wrote in a blog post. “Even though we cannot access branch targets inside the kernel address-space—branching to such a target results in a page fault—the Branch Prediction Unit will update itself upon observing a branch and assume that it was legally executed, even if it's to a kernel address.”

Intel and AMD Respond

Both Intel and AMD have responded with advisories. Intel has confirmed that the vulnerability exists on Skylake-generation processors that don’t have a protection known as enhanced Indirect Branch Restricted Speculation (eIBRS) in place.

“Intel has worked with the Linux community and VMM vendors to provide customers with software mitigation guidance which should be available on or around today's public disclosure date,” Intel wrote in a blog post. “Note that Windows systems are not affected given that these systems use Indirect Branch Restricted Speculation (IBRS) by default which is also the mitigation being made available to Linux users. Intel is not aware of this issue being exploited outside of a controlled lab environment.”

AMD, meanwhile, has also published guidance. “As part of its ongoing work to identify and respond to new potential security vulnerabilities, AMD is recommending software suppliers consider taking additional steps to help guard against Spectre-like attacks,” a spokesman wrote in an email. The company has also published a white paper.

Both the researchers’ research paper and blog post explain the microarchitectural conditions necessary to exploit Retbleed:

_**Intel**. On Intel, returns start behaving like indirect jumps when the Return Stack Buffer, which holds return target predictions, is underflowed. This happens upon executing deep call stacks. In our evaluation we found over a thousand of such conditions that can be triggered by a system call. The indirect branch target predictor for Intel CPUs has been studied in_ _previous work__._

_**AMD**. On AMD, returns will behave like an indirect branch regardless of the state of their Return Address Stack. In fact, by poisoning the return instruction using an indirect jump, the AMD branch predictor will assume that it will encounter an indirect jump instead of a return and consequentially predict an indirect branch target. This means that any return that we can reach through a system call can be exploited—and there are tons of them._

In an email, Razavi added: “Retbleed is more than just a retpoline bypass on Intel, specially on AMD machines. AMD is in fact going to release a white paper introducing Branch Type Confusion based on Retbleed. Essentially, Retbleed is making AMD CPUs confuse return instructions with indirect branches. This makes exploitation of returns very trivial on AMD CPUs.”

The mitigations will come at a cost that the researchers measured to be between 12 percent and 28 percent more computational overhead. Organizations that rely on affected CPUs should carefully read the publications from the researchers, Intel, and AMD, and be sure to follow the mitigation guidance.

_This story originally appeared on_ _Ars Technica__._

New ‘Retbleed’ Attack Can Swipe Key Data From Intel and AMD CPUs

Nonprofit donors had their information given to law enforcement without consent, highlighting limited data protections in the world’s largest democracy.

Prasanto K. Roy, a public policy consultant from New Delhi, is worried. In 2017 he began sending regular donations to the Indian fact-checking organization Alt News to support its work countering online misinformation. But on July 5 the nonprofit said that Indian payments gateway Razorpay, which it used to receive donations, had shared its donors’ data with New Delhi police following the arrest of Alt News cofounder Mohammed Zubair last month.

Roy is now hesitant to use Razorpay, saying he is concerned about tech companies handing over data—including his own—to law enforcement without consent. “When a payment gateway gives out donor databases on a police demand that is excessive, that information can be misused by the police or others it could reach,” he said. “India doesn’t even have privacy laws in place yet.”

The full extent of the data that Razorpay shared with police remains unclear, but Alt News said that the data it collects from donors includes phone numbers, email addresses, and tax IDs. A police official told the _Hindustan Times_ that the force is gathering data from banks to cross-reference with the Alt News data.

The investigation appears to be part of an ongoing probe to check whether Alt News received donations from outside of India, after police claimed that the organization’s parent received funds from several other countries, including Pakistan and Syria. Zubair, the cofounder of Alt News, was arrested on June 27 for a 2018 tweet that allegedly hurt religious sentiments, but is also being investigated for other charges, including receiving foreign funds under India’s Foreign Contribution (Regulation) Act, which restricts foreign donations to nonprofits.

While the arrest has spurred many Indians to fear that police are quashing internet freedom, it has also highlighted the limited legal protections on privacy in the world’s largest democracy, which lacks a comprehensive data protection law. The stakes are growing higher as more people in India use the internet for leisure, communications, and commerce. The country’s digital payments market—already at $3 trillion in value—is expected to skyrocket to $10 trillion by 2026, according to Boston Consulting Group.

Razorpay has faced social media backlash and threats of a boycott for sharing donor data without first informing Alt News. “Many donors and fundraisers said they wouldn’t use Razorpay again, and that was my initial reaction too,” said Roy, while adding that perhaps other companies would also have caved under the same pressure from police.

In a public statement on Twitter, Razorpay did not mention Alt News and said that the data shared was “restricted to what was within the scope of investigation.” Razorpay CEO Harshil Mathur tweeted that police were attempting to “determine whether there were any foreign donations or not” and claimed that donors’ tax IDs and addresses were not shared. Razorpay did not respond to a request for comment; Alt News cofounder Pratik Sinha declined to comment.

Indian police obtained the data from Razorpay under section 91 of the Criminal Procedure Code, which allows officials to seek documents or data connected to an ongoing investigation. But criminal lawyers told WIRED that the law gives police considerable flexibility, leaving room for overreach or misuse.

“Section 91 allows the police to make any request for information to any person during an inquiry, and it’s a standard investigative tool,” said Abhinav Sekhri, a criminal lawyer based in New Delhi. “Companies routinely receive such requests, at severe cost, because there are consequences for noncompliance, leaving them with no choice at times.” One such consequence could be an executive facing criminal action and potentially imprisonment, Sekhri says.

Meanwhile, financial technology experts say that even if Razorpay hadn’t complied with the demand to hand over Alt News data, the police could likely have retrieved it from other players in the payments ecosystem. “The source and destination information is stored across the entire chain,” said Srikanth Lakshmanan, a researcher who runs Cashless Consumer, a collective that works on consumer awareness of digital payments in India. “It’s not just Razorpay that will store this information, but also the card issuer and acquiring bank and payment network.”

This broad collection and sharing of data can make privacy in digital payments in India seem nigh on impossible. “The state of privacy in digital payments in India is nonexistent,” Lakshmanan says. The ease with which digital data can be shared and leaked makes privacy challenging around the world, but India’s centralized biometric identity system, Aadhaar, can add extra vulnerabilities, he says. “It's easy to look for more information in India where a whole range of data sets are cross-linked, giving a much richer profile.”

A Privacy Panic Flares Up in India After Police Pull Payment Data

The US House committee has already uncovered a more organized and sinister plot than many imagined. But history suggests the worst may be yet to come.

The House committee investigating the January 6 attack never promised a quiet summer, but when hearings started a month ago it certainly seemed like it might be a _quieter_ summer. Many of what were anticipated to be the biggest revelations appeared to have leaked before the hearings began, and the six to eight scheduled public sessions, expected to last only about two hours each, seemed to telegraph modest ambitions—especially in comparison to the 1973 Watergate hearings that stretched for 237 hours, or even the far less consequential 2015 Republican-led Benghazi hearings, where Hillary Clinton alone testified publicly for 11 hours.

But then the hearings began, and with them an emotional and tense multimedia roller coaster, exquisitely produced by former ABC News executive James Goldston to mimic a prestige TV series, in which each “episode” reveals deeper twists and turns and ever more corruption and outrage. Representative Liz Cheney and surprise witness Cassidy Hutchinson, an aide to former chief of staff Mark Meadows, emerged as the summer’s biggest breakout TV stars. 

The testimony so far has proven far more compelling, damning, and reputationally damaging to former president Trump than almost anyone imagined. The committee evidently has the goods and understands how to package them for maximum effect. They are now preparing to return from a brief summer break with two more hearings this week, one on Tuesday and a second prime-time hearing on Thursday.

For 18 months, the tick-tock of the Trump administration’s chaotic build to January 6 has trickled out in news reports, documentaries, and government documents, giving the public a sense of the scope of misdeeds and damage to American democracy. But the events had seemed akin to what the country (and the world) lived through during Trump’s four years as president—a disordered and noisy series of imprudent and haphazard pronouncements, ill-considered tweets, hasty policy choices, and reckless bluster.

Now the country can see otherwise: There was a method to Trump’s madness. The events across the 10 weeks from early November to January 6 were far more organized and sinister than previously known.

Most importantly, the evidence of crimes and criminality has proved inescapable.

In fact, it seems there was a lot of crime in the days and weeks leading up to the riot at the Capitol on January 6—and Trump’s aides seemed to clearly understand that they were headed toward a criminal reckoning. As Hutchinson recounted White House counsel Pat Cipollone telling her, “We’re going to get charged with every crime imaginable if we \[let the President go to the Capitol on January 6.\]”

Altogether, the committee has painted a far more organized and coherent picture of the administration’s efforts than most imagined existed. The hearings have revealed a seven-part coordinated effort by the Trump White House—and the president personally—to weaponize every public, political, and governmental tool at his disposal to hold on to power in the face of a clear and convincing electoral loss. He and a small cadre of loyal aides tried to undermine the legitimacy of Joe Biden’s victory, encouraged states to overturn valid election results, attempted to install election-doubting loyalists at the Justice Department, and applied consistent pressure to Vice President Mike Pence to step outside his constitutional role and reject the electoral college certification. And then—when literally all else failed—Trump encouraged his supporters to flock to the Capitol and stood by—without taking any action to stop them—while they rampaged through the building and came close to harming Pence and lawmakers.

Trump knew what he was doing, was told by aides repeatedly and broadly that it was wrong, and continued his pressure campaign anyway. January 6 wasn’t a spontaneous riot; it was the final attempt at a coup that had failed at every step until then. And the fact that so many of the participants, from members of Congress to, according to Hutchinson, White House chief Mark Meadows himself, apparently sought presidential pardons for their actions in the Trump administration’s final days makes it clear there was what prosecutors call “mens rea,” a guilty mind. In the 18 months since the events at the Capitol, the Justice Department has brought charges against more than 800 people involved in the riots, including eye-opening charges of “seditious conspiracy” against some of the white nationalist militia members, like the Oath Keepers and the Proud Boys, who should figure prominently at this week’s congressional hearings. Precisely none of those yet charged have been within Trump’s inner circle.

That may soon change—and American democracy might very well hinge on whether it does.

While the chair, Representative Bennie Thompson, and vice chair Cheney maintain that their purpose is only to deliver a comprehensive accounting of the events around January 6, the outlines of a whole series of criminal actions are now evident. The technical crimes may feel somewhat obscure—wire fraud, theft of honest services, defrauding the United States, obstruction of justice, obstruction of an official proceeding of Congress—but the fact pattern seems to grow ever more clear. Moreover, the hearing that focused on the White House pressuring elected officials in the state of Georgia brought renewed attention to the possibility that even if the US Justice Department fails to act, state prosecutors might very well decide Donald Trump committed electoral crimes there.

The biggest shift in the national landscape from the January 6 committee, though, seems likely to be ahead of us.

It’s worth remembering too how much the political and factual landscape can change during hearings like this: The biggest revelation of the Watergate hearings—that Nixon had installed a taping system in the White House that would have captured all the key conversations of the conspiracy and cover-up—didn’t emerge until mid-July 1973, weeks into the hearings by Senator Sam Ervin’s Watergate select committee.

Perhaps similarly, there’s a growing sense that the blockbuster nature of the January 6 hearings—and the damaging testimony elicited thus far—is itself compelling further cooperation and testimony. For example, Hutchinson, who had long been represented by a Trump-paid attorney, changed counsel midstream and began cooperating. Friday, Cipollone—who had also resisted testifying—met with committee investigators for nearly eight hours. And the Justice Department announced in a court filing Monday that one of Trump’s attorneys had interviewed with the FBI, as part of Steve Bannon’s related criminal contempt process, testimony that could have wide-ranging implications and itself spur further targets to cooperate. (As part of that filing, the Justice Department rejected Bannon’s weekend public proclamation that he was willing to cooperate with the committee as insincere, saying, “The only thing that has really changed since he refused to comply with the subpoena in October 2021 is that he is finally about to face the consequences of his decision to default.”)

Prosecutors understand this phenomenon well: As evidence of crimes mount, cooperation among the conspirators often spreads. Conspiracies crumble as testimony builds and personal legal and criminal jeopardy rises with it. John Dean, the former White House counsel who originally helped architect the Watergate cover-up before turning states’ witness, became a star witness only after he realized how much—and how clearly—he’d participated in the obstruction of justice.

Other Trump aides seem to be listening to the January 6 hearings and making their own calculations as the committee reconvenes this week. Surely many of them will be uncomfortable with what they hear in the hours and days ahead.

The January 6 Insurrection Hearings Are Just Heating Up

The pro-Russian group Killnet is targeting countries supporting Ukraine. It has declared "war" against 10 nations.

The attacks against Lithuania started on June 20. For the next 10 days, websites belonging to the government and businesses were bombarded by DDoS attacks, overloading them with traffic and forcing them offline. “Usually the DDoS attacks are concentrated on one or two targets and generate huge traffic,” says Jonas Sakrdinskas, acting director of Lithuania’s national cybersecurity center. But this was different.

Days before the attacks started, Lithuania blocked coal and metal from being moved through its country to the Russian territory of Kaliningrad, further bolstering its support for Ukraine in its conflict with Russia. Pro-Russian hacker group Killnet posted “Lithuania are you crazy? 🤔” on its Telegram channel to 88,000 followers. The group then called on hacktivists—naming a number of other pro-Russian hacking groups—to attack Lithuanian websites. A list of targets was shared.

The attacks, Sakrdinskas explains, were continuous and spread across all areas of daily life in Lithuania. In total more than 130 websites in both the public and private sectors were “hindered” or made inaccessible, according to Lithuania’s government. Sakrdinskas says the attacks, which were linked to Killnet, have mostly dropped off since the start of July, and the government has opened a criminal investigation.

The attacks are just the latest wave of pro-Russian “hacktivist” activity since the start of Vladimir Putin’s war in February. In recent months Killnet has targeted a growing list of countries that have supported Ukraine but are not directly involved in the war. Attacks against websites in Germany, Italy, Romania, Norway, Lithuania, and the United States have all been linked to Killnet. The group has declared “war” on 10 nations. The targeting often happens after a country offers support for Ukraine. Meanwhile XakNet, another pro-Russian hacktivist group, has claimed to have targeted Ukraine’s biggest private energy company and the Ukrainian government.

While security experts have frequently warned that attacks from Russia could target Western countries, the efforts of volunteer hacktivist groups can have an impact without being officially backed or conducted by the state. “They definitely have malicious intent when they conduct these attacks,” says Ivan Righi, a senior cyberthreat intelligence analyst at security firm Digital Shadows who has studied Killnet. “They're not working together with Russia but in support of Russia.”

Killnet started as a DDoS tool and was first spotted in January this year, Righi says. “They were advertising this app or this website, where you could hire a botnet and then use it to launch DDoS attacks.” But when Russia invaded Ukraine at the end of February, the group pivoted. The vast majority of Killnet’s efforts and those of its “legion” group—members of the public who are asked to join and launch attacks—have been DDoS attacks, Righi says, but he has also seen the group linked to some website defacements, and the group itself has made unverified claims that it has stolen data.

Its Telegram channel, where it makes political statements and talks about targets, was created at the end of February and has grown in popularity, with the number of members doubling since May. “They began to gain a lot of popularity from the public in Russia,” Righi says. Righi says it produces slick promotional videos and sells its own merchandise.

While DDoS attacks aren’t sophisticated, they “will still be able to create uncertainty in the population and give the impression that we are a piece in the current political situation in Europe,” said Sofie Nystrøm, the head of Norway’s NSM cybersecurity agency, in a statement after businesses in the country were targeted by DDoS attacks at the end of June.

Russia has long been home to cybercriminals such as ransomware groups, which the country has largely ignored as long as they don’t target companies in Russia. Simultaneously, Russian military hackers have stirred global chaos for years—causing electricity blackouts in Ukraine, hacking the Olympics, and conducting the worst cyberattack in history. Evidence against state-backed Russian hackers has been piling up since the start of the war, though Russia has consistently denied launching cyberattacks around the world. The Russian embassy in the United States did not immediately respond to a request for comment.

In April, cybersecurity officials in the US, Australia, Canada, New Zealand, and the UK warned against the potential damage that pro-Russian groups, including XakNet and Killnet, could cause. While it is not clear who is behind Killnet or whether the group is backed by the Russian state, one other notorious Russian hacktivist group has been linked to the Kremlin. At the end of June, US cybersecurity company Mandiant, as first reported by Bloomberg, said Russian intelligence operatives had passed stolen information to XakNet. Ukrainian officials have also pinned attacks on DTEK, the country’s largest private energy firm, on XakNet. (The group has posted about DTEK multiple times in its 36,000-subscriber Telegram channel.)

“We've seen a number of groups emerge in the context of the Russian invasion of Ukraine,” says Alden Wahlstrom, a senior analyst at Mandiant. “XakNet and Killnet both have questionable provenance.” Wahlstrom says any claims of hacktivism should be approached with “a healthy dose of skepticism” and that Russian intelligence agencies have an “established history of using cutout groups” for cyberactivities. Last week the Trickbot cybercriminal group—which is made up of multiple smaller groups like the Conti ransomware group, and has links to the Russian state—was spotted by IBM targeting Ukraine for the first time. IBM describes the move as a “huge shift” in the group’s behavior.

XakNet has claimed it is not being directed by the Russian government. In one Telegram post responding to Mandiant’s findings, it said it “fully” supports the Kremlin’s position and acknowledges its activities aren’t legal. It said it does not cooperate with Russia’s FSB security service “at the moment” but is “happy to provide data to those who ask.”

It is possible there are some connections among Russian hacker groups themselves. In multiple instances, Wahlstrom says, they have cross-posted about other groups’ work on their Telegram channels. For instance, when Killnet called for Lithuania to be targeted it posted a message asking for help from XakNet, Russian ransomware groups, and other pro-Russian hacking groups.

“XakNet and Killnet have given a decent amount of media interviews in the Russian media space, which is a reason to at least consider that there is a potential dual component to some of this activity,” Wahlstrom says. “They are helping to advance Russian interests abroad, either in Ukraine or further afield, but on the flip side they're being heavily promoted in the Russian media as groups that are displays of these patriotic volunteers that embody support for Russian government decisions.”

Killnet responded to a request for comment by saying it was “no longer friends” with XakNet. “Our enemy is your government bro,” the group says. “But we are not dangerous to ordinary people.”

DDoS attacks have been prominent in Ukraine, too. Officials there created a volunteer IT army, where people from around the world can help launch attacks against Russian targets. The IT army has claimed to take down, at least temporarily, the websites of Russian government departments, food delivery services, and banks—one of Putin’s speeches last month was delayed by an hour after the IT army attacks. Attacks against Russia have also come from hacktivist groups outside of Ukraine, such as Anonymous.

Ultimately, as Russia’s war against Ukraine continues, the activity of pro-Russian cyber groups continues to be in line with Russian aims. “Moscow has kept its relationship with Russia-based hacktivist groups deliberately ambiguous,” says Emily Harding, deputy director of the international security program at the Center for Strategic and International Studies, a US-based think tank. “Moscow’s security services know who these operators are and will use some form of leverage to force them to cooperate when needed.”

Harding says analysts have continuously predicted that Russia would use “deniable tools” and groups to react against countries that support Ukraine. While DDoS attacks may not be sophisticated, they contribute to this effort. And if attacks by so-called hacktivist groups become more advanced, there’s a greater chance they could cause more damage or risk escalation of the conflict. “The risk of miscalculation is real,” Harding says. “No one has yet really tested the limits of cyber operations without causing escalation.”

Russian ‘Hacktivists’ Are Causing Trouble Far Beyond Ukraine

Plus: A duplicitous bug bounty scheme, the iPhone's new “lockdown mode,” and more of the week's top security news.

As states grapple with the far-reaching implications of the United States Supreme Court's June decision to reverse the constitutional right to abortion, WIRED examined the privacy risks posed by widely deployed automated license plate readers as the risks of being prosecuted for seeking an abortion ramp up around the country. And researchers underscored the digital self-defense value of end-to-end encryption anywhere in the world, as civil rights protections and law enforcement powers evolve.

Apple announced a new protection this week known as “Lockdown Mode” for iOS 16 that will let users elect to run their phone in a more limited, but more secure mode if they are at risk of being targeted with invasive spyware. And researchers say that new encryption algorithms announced by the National Institute of Standards and Technology that are designed to be resistant to quantum computers will be difficult to test in any practical sense for years to come. 

We examined how users can protect themselves against the worst Instagram scams and took a look back at the worst hacks and data breaches of 2022 so far, with many more inevitably still to come.

But that's not all. Each week we round up the news that we didn’t break or cover in-depth. Click on the headlines to read the full stories. And stay safe out there!

In one of the most expansive and impactful breaches of personal data of all time, attackers grabbed data of almost 1 billion Chinese citizens from a Shanghai police database and attempted to extort the department for about $200,000. The trove of data contains names, phone numbers, government ID numbers, and police reports. Researchers found that the database itself was secure, but that a management dashboard was publicly accessible from the open internet, allowing anyone with basic technical skills to grab the information without needing a password. The scale of the breach is immense and it is the first of this size to hit the Chinese government, which is notorious for hoarding massive amounts of data, not only about its own citizens, but about people all over the world. China was memorably responsible for the United States Office of Personnel Management breach and Equifax credit bureau breach, among many others worldwide.

FBI director Christopher Wray and the chief of the UK's security agency MI5, Ken McCallum, issued a joint warning this week that China is, as Wray put it, the "biggest long-term threat to our economic and national security." The pair noted that China has conducted extensive espionage around the world and interfered in elections and other political proceedings. Wray noted that if China moves to seize Taiwan it would "represent one of the most horrific business disruptions the world has ever seen." McCallum said that since 2019, MI5 has more than doubled its focus on China and now conducts seven times as many Chinese Community Party-related investigations as it did in 2018. China Foreign Ministry spokesman Zhao Lijian described British officials as attempting to "hype up the China threat theory." He added that MI5 should "cast away imagined demons."

The bug bounty program HackerOne, which manages vulnerability submission and reward programs for companies, fired an employee this week for stealing vulnerability disclosures submitted through the platform and submitting them to affected companies to recover the reward for personal gain. HackerOne uncovered the scheme when one customer company flagged a vulnerability disclosure that was suspiciously similar to one it had received in June from a different researcher. The rogue employee, who was new to the company, had access to HackerOne's platform from April 4 until June 23 and made seven vulnerability disclosures using stolen research. “This is a clear violation of our values, our culture, our policies, and our employment contracts,” HackerOne wrote in an incident report. “We have since terminated the employee, and further bolstered our defenses to avoid similar situations in the future.”

The United States Cybersecurity and Infrastructure Security Agency, Federal Bureau of Investigation, and Treasury Department said in a joint alert this week that North Korean hackers have been targeting the healthcare and public health sectors with the little known Maui ransomware strain. They warned that paying such ransoms could violate US sanctions. “North Korean state-sponsored cyber actors used Maui ransomware in these incidents to encrypt servers responsible for healthcare services—including electronic health records services, diagnostics services, imaging services, and intranet services,” the alert warns. “In some cases, these incidents disrupted the services provided by the targeted HPH Sector organizations for prolonged periods.”

Chinese Police Exposed 1B People's Data in Unprecedented Leak

Quantum-proof encryption is here—decades before it can be put to the test.

In 1994, a Bell Labs mathematician named Peter Shor cooked up an algorithm with frightening potential. By vastly reducing the computing resources required to factor large numbers—to break them down into their multiples, like reducing 15 to 5 and 3—Shor’s algorithm threatened to upend many of our most popular methods of encryption.

Fortunately for the thousands of email providers, websites, and other secure services using factor-based encryption methods such as RSA or elliptic curve cryptography, the computer needed to run Shor’s algorithm didn’t exist yet. 

Shor wrote it to run on quantum computers which, back in the mid-1990s, were largely theoretical devices that scientists hoped might one day outperform classical computers on a subset of complex problems.

In the decades since, huge strides have been made toward building practical quantum computers, and government and private researchers have been racing to develop new quantum-proof algorithms that will be resistant to the power of these new machines. For the last six years, the National Institute of Standards and Technology (NIST)—a division of the US Department of Commerce—has been running a competition to find the algorithms that it hopes will secure our data against quantum computers. This week, it published the results.

NIST has whittled hundreds of entries from all over the world to an initial list of just four: CRYSTALS-Kyber for general encryption, and CRYSTALS-Dilithium, FALCON, and SPHINCS+ for use in digital signatures during identity verification or when signing digital documents. “People have to understand the threat that quantum computers can pose to cryptography,” says Dustin Moody, who leads the post-quantum cryptography project at NIST. “We need to have new algorithms to replace the ones that are vulnerable, and the first step is to standardize them.”

Just as RSA encryption relies on the difficulty of factoring extremely large numbers, three of the four algorithms unveiled this week use a complicated mathematical problem that’s expected to be difficult for even quantum computers to wrestle with. Structured lattices are abstract multi-dimensional grids that are extremely challenging to navigate unless you know the shortcuts. In structured lattice cryptography, as with RSA, the sender of a message will encrypt the contents using the recipient’s public key, but only the receiver will have the keys to decrypt it. With RSA the keys are factors—two large prime numbers that are easy to multiply together but difficult to ascertain if you have to work backwards. In these post-quantum cryptography algorithms the keys are vectors, directions through the maze of a structured lattice.

Although it will be a few years before these standards are published in their final form, it’s a pretty big moment. “For the first time, we have something to use against a quantum threat,” says Ali El Kaafarani, the CEO of PQShield, which worked on the FALCON algorithm.

Those quantum threats might still be decades away, but security experts warn of “harvest now, decrypt later” attacks—bad actors hovering up caches of encrypted data with the expectation that they’ll eventually have a quantum computer that can access them. The longer it takes to implement quantum-proof cryptography, the more data will be vulnerable. (Although, Lancaster University quantum researcher Rob Young points out that a lot of sensitive data that could be harvested now is also time sensitive: Your credit card number today will be irrelevant in 15 years.)

“The first thing organizations need to do is understand where they are using crypto, how, and why,” says El Kaafarani. “Start assessing which parts of your system need to switch, and build a transition to post-quantum cryptography from the most vulnerable pieces.”

There is still a great degree of uncertainty around quantum computers. No one knows what they’ll be capable of or if it’ll even be possible to build them at scale. Quantum computers being built by the likes of Google and IBM are starting to outperform classical devices at specially designed tasks, but scaling them up is a difficult technological challenge and it will be many years before a quantum computer exists that can run Shor’s algorithm in any meaningful way. “The biggest problem is that we have to make an educated guess about the future capabilities of both classical and quantum computers,” says Young. “There's no guarantee of security here.”

The complexity of these new algorithms makes it difficult to assess how well they’ll actually work in practice. “Assessing security is usually a cat-and-mouse game,” says Artur Ekert, a quantum physics professor at the University of Oxford and one of the pioneers of quantum computing. “Lattice based cryptography is very elegant from a mathematical perspective, but assessing its security is really hard.”

The researchers who developed these NIST-backed algorithms say they can effectively simulate how long it will take a quantum computer to solve a problem. “You don't need a quantum computer to write a quantum program and know what its running time will be,” argues Vadim Lyubashevsky, an IBM researcher who contributed to the the CRYSTALS-Dilithium algorithm. But no one knows what new quantum algorithms might be cooked up by researchers in the future.

Indeed, one of the shortlisted NIST finalists—a structured lattice algorithm called Rainbow—was knocked out of the running when IBM researcher Ward Beullens published a paper entitled “Breaking Rainbow Takes a Weekend on a Laptop.” NIST’s announcements will focus the attention of code breakers on structured lattices, which could undermine the whole project, Young argues. 

There is also, Ekert says, a careful balance between security and efficiency: In basic terms, if you make your encryption key longer, it will be more difficult to break, but it will also require more computing power. If post-quantum cryptography is rolled out as widely as RSA, that could mean a significant environmental impact.

Young accuses NIST of slightly “naive” thinking, while Ekert believes “a more detailed security analysis is needed”. There are only a handful of people in the world with the combined quantum and cryptography expertise required to conduct that analysis.

Over the next two years, NIST will publish draft standards, invite comments, and finalize the new forms of quantum-proof encryption, which it hopes will be adopted across the world. After that, based on previous implementations, Moody thinks it could be 10 to 15 years before companies implement them widely, but their data may be vulnerable now. “We have to start now,” says El Kaafarani. “That’s the only option we have if we want to protect our medical records, our intellectual property, or our personal information.”

Will These Algorithms Save You From Quantum Threats?

The US Federal Communications Commission says a man posing as a fake broadband service promised victims discounts on internet services and devices.

Traxler's scam lasted from May to August 2021, during which he "repeatedly engaged in conduct that violated the federal wire fraud statute and the Commission's rules," the FCC said. The proposed $220,210 forfeiture penalty is "the statutory maximum we can impose, and reflects the scope, duration, seriousness, and egregiousness of Cleo's apparent violations," according to the commission.

When Cleo applied to be in the EBB program, the FCC initially told the entity that its application would be "denied as it lacks sufficient information for approval." But Cleo subsequently gained FCC approval by offering documents including copies of two invoices "with customer-identifying information removed, which Cleo claimed was 'due to CPNI and privacy.'" Cleo also claimed to the FCC that it "had been providing high-speed wireless Internet" to 500 customers.

Dozens of Nearly Identical Complaints

The FCC said it reviewed 41 complaints about Cleo, all of which "focused on the same types of allegations. According to the complaints, consumers searched the list of participating EBB Program providers through individual states' Universal Service or EBB Program websites, the FCC website, or USAC's \[Universal Service Administrative Company\] website and followed links to Cleo's website. The complaints alleged that Cleo accepted payment for EBB Program discounted broadband services or connected devices from these consumers electronically, failed to send the ordered product or provide the requested services, and then failed to provide refunds."

The FCC interviewed eight of the consumers who filed complaints, who live in Alabama, Arizona, Colorado, Illinois, Massachusetts, New York, Washington state, and Wisconsin.

An Illinois woman ordered a laptop from Cleo for $50 using the Venmo payment service. The woman got no response when she contacted Cleo to report that she never received the laptop, the FCC said. She then "attempted to reach out to Cleo via social media (Facebook) and by telephone, but Cleo did not respond and blocked her both on Facebook and telephone," the FCC said.

A New York woman "ordered an EBB Program-discounted tablet, laptop, 'Wi-Fi box,' and hotspot service from Cleo's website on July 13, 2021, and arranged payment of $108.94 on the website through PayPal," the FCC said. This consumer "told Bureau staff that she e-mailed Cleo when she did not receive the devices she ordered and that Cleo staff were 'rude to her and told her they didn't have to provide service to her.' She said someone at Cleo told her to 'read the fine print.' She exchanged a few e-mails with Cleo until it ultimately stopped responding."

Other complainants similarly said that Cleo stopped responding to messages seeking information on the devices they never received. Some of the consumers were able to cancel payments made via credit card or PayPal.

"The eight consumers interviewed by the Bureau and other consumers who filed complaints with the FCC's Consumer Complaint Center all stated that Cleo did not deliver the EBB Program-supported services or devices they ordered, and the company refused to issue refunds. Some consumers stated in their complaints that Cleo claimed it would sue them when they asked for a refund," the FCC said.

Shady Terms of Service Forbade Refunds

The terms of service that Cleo cited when denying refunds said the company "does NOT nor will ever imply or agree upon a refund, credits nor any other refunds of service and monies to be returned to you."

"Cleo Communications operates a PREPAID Service. All services are sold as in \[sic\] and without warranty. Under NO circumstances does Cleo Communications represent any warranty nor provide a refund of any kind for services that are offered," the terms state, according to the FCC. The Cleo terms additionally said that "charge backs to us via any customer bank is breach of contract at any time and is subject to further legal action up to but not limited to small claims court actions for breach of contract in the amount of what is disputed, any and all legal fees, court fees, attorney fees, filing fees, interest at 9.9%, and a contract breach fee in the amount of $300.00."

Rude Responses: “You Will Be Taken to Court”

The FCC document detailed incidents in which Cleo responded to customers seeking refunds by threatening to sue or seek charges for harassment:

_As examples, on August 2, 2021, when a customer e-mailed requesting a refund, Cleo responded, "\[y\]our wish to hide behind PayPal instead of contacting us. We will not be issuing you a refund. We will not be allowing you to use your benefits as we have claimed them. And you will be taken to Court. Cleo Care."_

_On August 10, 2021, when another customer requested a refund, Cleo responded, "Refund denied. Please see the terms of service that outline your rights and our obligations and rights that will be imposed. Also your EBB has been claimed. You will not use our credit anywhere else and you will be issued an invoice and to collections. Cleo Collections." Cleo continued in a later e-mail with that customer by saying, "\[n\]ext time read before you order. As we will now no longer communicate. Any further e-mails will result in harassment charges in Ohio. Cleo Legal."_

_On August 12, 2021, Cleo stated to another customer, "\[w\]e are not ignoring you, nor are we charging you. You have requested a refund and refunds are not given and was informed of this and someone would decide of \[sic\] one would be issued or not. Please see- kyty.xyz/terms.html. Is what was sent to the FCC. With documents that you are and have not been ignored that your claims state \[sic\]. Cleo Legal Affairs._

_This story originally appeared on_ _Ars Technica__._

Source

Wired