Beware of deceptive Google Ads targeting QuickBooks and always confirm the website URL before logging in, as fake sites can bypass even 2FA.

The pressure of the looming tax filing deadline (April 15th in the US) can make anyone rush online tasks. Cybercriminals are acutely aware of this increased activity and are exploiting trusted platforms like Google to target Intuit QuickBooks users.

By purchasing prominent Google Ads, they are creating highly convincing fake login pages designed to pilfer sensitive information, including usernames, passwords, and even one-time passcodes (OTPs) – the keys to someone’s financial data needed for tax compliance.

Understanding this deceptive tactic is the first step in protecting yourself from falling victim.

**Brand impersonation: from Google ad to phishing page**

Accounting and tax preparation software has traditionally been a common lure for scammers, particularly those related to online support operating out of large call centres in India and surrounding areas.

Late last year, we documented a fraudulent QuickBooks installer that was laced with malware and generated a fake pop up to trick users into calling for assistance.

This time, the attack is even more dangerous as it goes after victims’ login credentials for QuickBooks. It starts from a Google search, showing an ad that impersonates Intuit’s branding for “QuickBooks Online”.

This leads to a fraudulent website that is essentially a lookalike.

Domain Name: QUICCKBOORKS-ACCCOUNTING .COM  
Registrar URL: https://www.hostinger.com  
Creation Date: 2025-04-07T01:44:46Z

Unbeknownst to victims, the sign-in page is actually a phishing portal that will steal account credentials in real-time and leak them to the criminals behind this scheme.

**  
One-time passcode workaround**

Passwords alone offer a limited level of security because they can be easily guessed, stolen through phishing, or compromised in data breaches. It is highly recommended to enhance account protection by enabling a second form of authentication like one-time passcodes sent to your device or utilizing a 2FA app for an extra layer of verification.

Phishing kits have evolved to become increasingly sophisticated, with some now capable of circumventing one-time passcodes and 2FA. These kits often employ “man-in-the-middle” or “adversary-in-the-middle” (AiTM) techniques.

When a victim enters their credentials and the one-time passcode on a fake login page created by the phishing kit, this information is intercepted in real-time and relayed to the attacker. The attacker can then use these stolen credentials and the valid one-time passcode to log in to the victim’s account before the passcode expires.

**Conclusion**

Cybercriminals often intensify their efforts to target accounting software like QuickBooks during or around tax season, hoping to capitalize on the increased volume of financial transactions and the time-sensitive nature of tax preparations.

Deceptive Google ads can be designed to closely resemble legitimate QuickBooks search results, leading unsuspecting users to fake login pages that harvest their credentials, financial data, or even install malware.

OTP and 2FA still significantly increase security against a vast majority of attacks, especially automated attempts and less sophisticated phishing, making them essential layers of protection when used on authentic platforms.

However, even with the added security of one-time passcodes and 2FA, these measures are rendered ineffective if the initial login occurs through a malicious website reached via a deceptive ad.

Therefore, it is critical to access your QuickBooks account and conduct all sensitive activities directly through the official Intuit QuickBooks website or application, carefully verifying the URL.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

**Malicious QuickBooks domains**

quicckboocks-accounting\[.\]com  
quicckbooks-accounting\[.\]com  
quicckrbooks-acccounting\[.\]com  
quicfkbooks-accounting\[.\]com  
quichkbooks-accounting\[.\]com  
quicjkbooks-accounting\[.\]com  
quickboorks-acccounting\[.\]com  
quickboorks-accountings\[.\]com  
quicnkbooks-accounting\[.\]com  
quicrkbookrs-accounting\[.\]com  
quicrkbooks-acccounting\[.\]com  
quicrkbooks-accountting\[.\]com  
quicrkboorks-accounnting\[.\]com  
quicrkboorks-accounting\[.\]com  
quicrkbrooks-online\[.\]com  
quicrkrbooks-accounting\[.\]com  
quictkbooks-accounting\[.\]com  
quicvkbooks-accounting\[.\]com  
quicxkbooks-accounting\[.\]com  
quirckbooks-accounting\[.\]com

 Tax deadline threat: QuickBooks phishing scam exploits Google Ads 

Cwmbran in Wales holds the Guinness World Record for the most roundabouts—at least according to Google AI Overviews. Except that's not actually true...

Cwmbran in Wales, a town with a population of just under 50,000, holds the Guinness World Record for the most roundabouts—at least according to Google AI Overviews.

Except that’s not actually true…

Ben Black has been publishing lighthearted fake stories on April Fools’ Day for his community news site Cwmbran Life since 2018. The April Fools include the erection of a Hollywood-style sign on a mountain, and the creation of a nudist cold-water swimming club at a lake.   

In 2020, Black published a fake story saying Cwmbran had been recognized by Guinness World Records for having the highest number of roundabouts per square kilometer.  

He fabricated a random number of roundabouts, added a quote from a fictitious resident, and clearly stated that the “news” was an April Fool’s Day joke several hours later. 

So it came as quite a surprise when Black discovered that Google AI Overviews picked up this story as real news recently.  

The thing about April Fools’ Day is that it is treated very differently to every other day online. Normal news outlets publish deliberately fake news stories and we, as people with knowledge of April Fools Day, can use that to assess if something is true. Google AI obviously didn’t get that memo.

As Black said:

> _“It’s not a dangerous story, but it shows how fake news can easily spread even if it’s from a trusted news source.”_ 

Google AI Overviews has been under scrutiny since testing last year after generating false information, including advising people on the minimum required pebbles to eat in a day or using gasoline to cook spaghetti faster.

Black decided not to publish an April Fools’ prank this year due to his busy schedule and his recent experience with Google, which has made him hesitant about future pranks. 

We feel similar about online pranks coming from us, a cybersecurity company that you can trust, so we opted out of April Fools’ Day this year too.

 Google AI taken for a ride by April Fools’ Day joke 

Google has issued patches for 62 vulnerabilities in Android, including two actively exploited zero-days.

Google has patched 62 vulnerabilities in Android, including two actively exploited zero-days in its April 2025 Android Security Bulletin.

When we say “zero-day” we mean an exploitable software vulnerability for which there was no patch at the time of the vulnerability being exploited or published. The term reflects the amount of time that a vulnerable organization has to protect against the threat by patching—zero days.

The April updates are available for Android 13, 14, and 15. Android vendors are notified of all issues at least a month before publication, however, this doesn’t always mean that the patches are available for all devices immediately.

You can find your device’s Android version number, security update level, and Google Play system level in your Settings app. You’ll get notifications when updates are available for you, but you can also check for them yourself.

For most phones it works like this: Under **About phone** or **About device** you can tap on **Software updates** to check if there are new updates available for your device, although there may be slight differences based on the brand, type, and Android version of your device.

If your Android phone shows patch level 2025-04-05 or later then you can consider the issues as fixed. The difference with patch level 2025-04-01 is that the higher level provides all the fixes from the first batch and security patches for closed-source third-party and kernel subcomponents, which may not necessarily apply to all Android devices.

Keeping your device as up to date as possible protects you from known vulnerabilities and helps you to stay safe.

**Technical details**

The zero-days are both located in the kernel:

CVE-2024-53150: an out-of-bounds flaw in the USB sub-component of the Linux Kernel that could result in information disclosure. Local attackers can exploit this flaw to access sensitive information on vulnerable devices without user interaction.

The out of bounds vulnerability was caused by the USB-audio driver code which failed to check the length of each descriptor before passing it on.  There are currently no details on how CVE-2024-53150 has been exploited in real-world attacks, by whom, and who may have been targeted in those attacks.

CVE-2024-53197: a privilege escalation flaw in the USB audio sub-component of the Linux Kernel. Again, no user interaction is required.

This vulnerability is the missing link to CVE-2024-50302 and CVE-2024-53104 which put together were reportedly exploited in Serbia by law enforcement using Cellebrite forensic tools to unlock a student activist’s device and attempt spyware installation.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Google fixes two actively exploited zero-day vulnerabilities in Android 

Google has shipped patches for 62 vulnerabilities, two of which it said have been exploited in the wild.
The two high-severity vulnerabilities are listed below -

CVE-2024-53150 (CVSS score: 7.8) - An out-of-bounds flaw in the USB sub-component of Kernel that could result in information disclosure
CVE-2024-53197 (CVSS score: 7.8) - A privilege escalation flaw in the USB sub-component of Kernel

Google Releases Android Update to Patch Two Actively Exploited Vulnerabilities

Hazel highlights the key findings within Cisco Talos’ 2024 Year in Review (now available for download) and details our active tracking of an ongoing campaign targeting users in Ukraine with malicious LNK files.

Thursday, April 3, 2025 14:03

Welcome to this week’s edition of the Threat Source newsletter. 

They say art is subjective, but have you ever seen a well-formatted bar chart? Van Gogh had _Starry Night_, but Talos’ 2024 Year in Review (available now!) has color-coded data with perfect labels. True beauty. 

If you haven’t yet had a chance to fully digest this gorgeous report (massive shout-out to our creative team), here are some links. Clicking on them may not change your life, but what if it does? Only one way to find out: 

Our Year in Review landing page houses all our Year in Review content, from videos to podcasts and topic summaries. There's more content coming out every week this month. Oh, you can also download the report itself here, which is useful. 

Here’s a two-minute animated overview. Watch those bad boy bar charts come to life. 

The TTP: Year in Review Special (Part 1) is inspired by The Last of Us in more ways than you might think. We have a two-part video interview with the report’s authors, featuring me calling cybercriminals “cheeky f\*\*\*\*\*s." Part 2 is coming out tomorrow, April 4th. 

This Beers with Talos B team episode genuinely caused someone to direct message me, citing their spouse’s concerns about their laughter levels when listening (“Are you okay?”). 

A couple of the report’s top findings: 

*   Ransomware actors overwhelmingly leveraged valid accounts for initial access in 2024, with this tactic appearing in almost 70 percent of Cisco Talos Incident Response cases. 
*   Operators endeavored to disable targets’ security solutions in most of the Talos IR cases we observed, almost always succeeding. 
*   Some of the top-targeted network vulnerabilities affect end-of-life (EOL) devices and therefore have no available patches, despite still being actively targeted by threat actors.

**The one big thing **

Cisco Talos is actively tracking an ongoing campaign targeting users in Ukraine with malicious LNK files, which run a PowerShell downloader. The file names use Russian words related to the movement of troops in Ukraine as a lure. Talos assesses with medium confidence that this activity is associated with the Gamaredon threat actor group. 

**Why do I care? **

The invasion of Ukraine is a common theme used by the Gamaredon group in their phishing campaigns and this campaign continues the use of this technique. The actor distributes LNK files compressed inside ZIP archives, usually disguising the file as an Office document and using names that are related to the invasion. 

**So now what? **

Ways our customers can detect and block this threat are listed in this dedicated blog post.

**Top security headlines of the week**

**Gootloader Malware Resurfaces in Google Ads for Legal Docs**: Attackers target law professionals by hiding the infostealer in ads delivered via Google-based malvertising. (Dark Reading) 

**UK threatens £100K-a-day fines under new cyber bill:** The tech secretary revealed the landmark legislation's full details for first time. (The Register) 

**Hacker linked to Oracle Cloud intrusion threatens to sell stolen data**: The alleged breach was linked to a critical vulnerability (Cybersecurity Dive) 

**WordPress attackers hide malware in overlooked plugins directory**: The Must-Use plugins (mu-plugins) directory is used to store essential plugins that are necessary for a site to run properly. (SC Magazine)

**Can’t get enough Talos? **

I mean, bless you if that’s the case, because the Year in Review links in the opening section are probably enough to keep you going. But if you’re still thirsty for more, here’s what the press have been making of the Year in Review findings: 

*   **CNET:** Phishing Emails Aren't as Obvious Anymore. Here's How to Spot Them
*   **The Register**: Ransomware crews add 'EDR killers' to their arsenal - and some aren't even malware
*   **SiliconANGLE**: Cisco Talos report finds identity-based attacks drove majority of cyber incidents in 2024
*   **CyberScoop:** Identity lapses ensnared organizations at scale in 2024

**Upcoming events where you can find Talos**

*   RSA (April 28 – May 1) San Francisco, CA  
*   PIVOTcon (May 7 – 9) Malaga, Spain  
*   CTA TIPS 2025 (May 14 – 15) Arlington, VA  
*   Cisco Live U.S. (June 8 – 12) San Diego, CA

**Most prevalent malware files from Talos telemetry over the past week  **

**SHA 256:** **9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**   
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507   
Typical Filename: VID001.exe  
Detection Name: Simple\_Custom\_Detection  

**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**   
MD5: 7bdbd180c081fa63ca94f9c22c457376  Typical Filename: c0dwjdi6a.dll   VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
Claimed Product: N/A  
Detection Name: Trojan.GenericKD.33515991

**SHA 256:** **5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1**   
MD5: 3e10a74a7613d1cae4b9749d7ec93515    
VirusTotal: https://www.virustotal.com/gui/file/5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1   
Typical Filename: IMG001.exe    
Claimed Product: N/A    
Detection Name: Win.Dropper.Coinminer::1201 

**SHA256:** **47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca**  
MD5: 71fea034b422e4a17ebb06022532fdde     
VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca/details  
Typical Filename: VID001.exe     
Claimed Product: N/A     
Detection Name: Coinminer:MBT.26mw.in14.Talos

One mighty fine-looking report

Phishers are putting QR codes as images in attachments because it helps them bypass email filters.

Recently we’ve been seeing quite a few phishing campaigns using QR codes in email attachments.

The lure and the targets are varied, but the use of a QR code to get someone to visit the phishing site is fast becoming a preferred method for cybercriminals.

There are several reasons why cybercriminals might want to use QR codes:

*   The QR code is likely to be scanned with a phone, which are often less well protected against malicious websites or even completely unprotected.
*   Phones are also likely personal devices which provide attackers with a direct path to sensitive personal accounts. For example, banking apps will be often be installed on the same device.
*   QR codes are impossible for humans to identify as malicious at first glance.
*   Links in emails are usually analyzed by email filters, whereas QR codes can be embedded as an image which many email filters will ignore.
*   The use of QR codes in other applications like banking apps, may invoke a certain level of trust.

Combined with other known phishing techniques, QR codes provide criminals with a potent tool for collecting usernames and passwords, distributing malware, and other malicious activities.

Since any QR code scanner should show you the URL before following the link, the phishers often combine the use of QR codes with that of URL shorteners to further hide the real destination.

The attackers can even embed the QR codes in professionally designed documents mimicking HR portals, payroll updates, tax reviews, or e-signature services (e.g. DocuSign, Adobe), which increases the perceived legitimacy of the phish. Here’s one example we’ve seen:

> “To conveniently access and navigate the contents of the updated Employee Handbook, please scan the QR code provided below. This will direct you to the digital version of the handbook for easy reference and exploration.
> 
> {QR code}
> 
> Should you have any questions, Please do not hesitate to contact the HR department.”

The employee handbook example above comes from a four-page document showing a handbook which has been allegedly changed, and ends with specific instructions to open the QR code with the camera app of the smartphone:

> “Step-by-step guide
> 
> 1\. Open your camera app:
> 
> Launch the camera app on your smartphone
> 
> 2\. Point at the QR code:
> 
> Align your camera lens with the QR code, ensuring it is fully visible within the frame.
> 
> 3\. Wait for recognition:
> 
> Your phone will automatically detect the QR code and display a notification or link on the screen.
> 
> 4\. Access the content:
> 
> Tap on the notification or link to open the information associated with the QR code.”

The QR code in this example took anyone that followed the link to a website that redirected based on the email address. Personal email addresses would see generic advertising, but corporate email addresses would be prompted to log in with their Microsoft account.

So, this one was clearly looking to compromise a corporate account, but you can easily imagine how a phisher with another goal in mind could use a list of email addresses obtained in a breach, and with such a list run a targeted campaign.

Malwarebytes customers were protected against this phishing site.

Android warning (in Dutch)

**What can you do to avoid QR code phishing?******Keep your device up to date****

Many users have no idea whether their devices are still receiving updates. You can find your device’s Android version number, security update level, and Google Play system level in your Settings app.

You’ll get notifications when updates are available for you, but you can also check for them yourself. For most phones it works like this: Under **About phone** or **About device** you can tap on **Software updates** to check if there are new updates available for your device, although there may be slight differences based on the brand, type, and Android version of your device.

**Scan a QR code with the same security mindset as clicking a link**

If you scan a QR code, make sure to use an app that shows you the full URL and asks you first before it visits the URL encoded in the QR code. If you do not trust the URL, don’t allow your device to open the link, and look for another way to get the information or download you want.

Modern Android devices (version 8 and above) have a native QR code scanning capability built into the camera app. Some QR code scanner apps may have a feature that automatically executes actions like opening a website or downloading a file. Disable features like these.

**Use anti-malware protection on your devices**

Your mobile devices are in need of protection just as much as your computer. Malwarebytes protects devices with Malwarebytes for Android and Malwarebytes for iOS.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 QR codes sent in attachments are the new favorite for phishers 

The first-of-its-kind solution integrates with company codebases, enabling AI agents to work in-context and generate production-grade, front-end code in minutes.

AutonomyAI, a company focused on enhancing front-end software development for businesses, has announced its launch from stealth with $4 million in pre-seed funding, with participation from Inbound Capital, Gilad Shany of IoN Partners and Vikram Makhiija, Senior Director at Google Cloud Security, among others.

Research firm IDC predicts that by 2028, the market for AI-supporting technology investments will reach $749 billion, with 67% of the $227 billion projected spend for 2025 going towards business integrations such as AI agents. This figure surpasses cloud and digital service provider investments for the first time. Speaking at Davos 2025, Salesforce CEO Marc Benioff proclaimed that the deployment of an Agentic AI suite has allowed him to better redistribute resources in the company. His remarks echo the growing sentiment regarding the use of AI to increase efficiency at organizational levels. 

AutonomyAI’s proprietary Agentic Context Engine (ACE) comprehends organizational frameworks, powering a suite of autonomous AI agents for companies to integrate into their front-end development workflows to yield consistent, production-ready results. The ACE-powered agents understand the nuances of a company’s codebase and organizational standard, enabling them to execute tasks with the precision and stability expected from a senior developer in minutes, such as fetching key external information like UI designs, and utilizing components from the codebase without needing a developer to specify, supervise, refactor, or test the code. 

“Until now, AI solutions for code development operated in silos, lacking context about the organization and its goals, helping individual developers complete their tasks rather than perform the tasks for them in accordance with the company’s sprint cycles,” said Adir Ben-Yehuda, CEO. “We inform our agents of the business’s needs, enabling them to simply ‘run with it’. This is pragmatic AI – the future of AI-driven development.”

AutonomyAI believes that plugging in AI agents to organizational contexts is the key to unlocking the true efficiency of AI, significantly accelerating innovation without any sacrifice to quality.

“Autonomy AI is the first AI coding solution that truly comprehends and adapts to the unique context of a business, empowering engineers to dramatically increase their efficiency while allowing organizations to put more resources into business logic and high-impact projects,” said Arik Faingold, Chairman and co-founder of AutonomyAI. Gilad Shany, investor and Managing Partner at ION Crossover, added, “AutonomyAI’s leadership team’s vision represents a fundamental shift in how organizations use AI, which will soon become the new standard.” 

AutonomyAI developed its solution on the backs of co-founder and CTO Tammuz Dubnov and an engineering team that includes four former CTOs, who saw the potential impact of AI agents on the velocity of R&D. The company’s funded emergence from stealth, its engineering team’s deep expertise, and its innovative ACE-powered AI agents position AutonomyAI to lead the emerging market for AI-powered development.

****About AutonomyAI****

Co-founded by Arik Faingold (Co-founder of Pentera and Comm-IT) and Tammuz Dubnov (CTO), and led by Adir Ben-Yehuda (CEO), AutonomyAI’s mission is to transform the way software companies develop front-end code with its Agentic Context Engine (ACE) and suite of AI agents that plug into organizational frameworks and generate ‘production-grade’ code in minutes, enabling organizations to redistribute their resources more efficiency towards more strategic and innovative projects.

AutonomyAI Emerges from Stealth with $4M Pre-Seed Funding to Transform Front-End Development with Autonomous AI Agents

Cybersecurity researchers have disclosed details of a new vulnerability impacting Google's Quick Share data transfer utility for Windows that could be exploited to achieve a denial-of-service (DoS) or send arbitrary files to a target's device without their approval.
The flaw, tracked as CVE-2024-10668 (CVSS score: 5.9), is a bypass for two of the 10 shortcomings that were originally disclosed by

Google Patches Quick Share Vulnerability Enabling Silent File Transfers Without Consent

A lawyer for Xiaofeng Wang and his wife says they are “safe” after FBI searches of their homes and Wang’s sudden dismissal from Indiana University, where he taught for over 20 years.

Before the official faculty profiles of renowned Indiana University, Bloomington (IU) data privacy professor Xiaofeng Wang and his wife disappeared and the FBI raided two of the couple’s homes last week, the school is said to have been reviewing for months whether the professor received unreported research funding from China, WIRED has learned.

Indiana University contacted Wang in December to ask about a 2017-2018 grant in China that listed Wang as a researcher, according to an unsigned statement that appears to be written by a Purdue University professor and long-time collaborator of Wang seen by WIRED. The statement says that the author believed IU was concerned that Wang allegedly failed to properly disclose the funding to the university and in applications for US federal research grants.

The statement has been circulating among cybersecurity and privacy scholars at universities around the world in recent days and was sent to WIRED by three separate sources. It claims that Wang had explained the funding situation to IU, then was told in February that the school would continue looking into the matter.

Alex Tanford, a professor emeritus at Indiana University and the IU Bloomington Chapter president of the American Association of University Professors, says Wang reached out to him and said that he had been accused of alleged research misconduct. Tanford says he provided Wang guidance as a member of the faculty board of review. IU did not answer WIRED’s questions regarding any probes into Wang.

“The charge seemed trivial—that he had failed to properly disclose who was principal investigator on a grant application and had not fully listed all his coauthors on an article,” Tanford tells WIRED of the allegations. He says Wang wanted to know if the university had the right to lock him out of his office and computer, as he was in the middle of ongoing research.

Research papers Wang published between 2017 and 2018 list funding from places like the National Science Foundation, National Institutes of Health, the US Defense Advanced Research Projects Agency, the US Army Research Office, Google, and Samsung, according to a WIRED review of his publications from the time period.

Wang regularly collaborated with researchers at the Institute of Information Engineering (IIE) at the Chinese Academy of Sciences, a government-funded cybersecurity research lab. In papers, Wang and his coauthors disclosed that the IIE scholars received funding from sources such as the National Natural Science Foundation of China, but that Wang was being supported by US grants. It’s not uncommon for professors at US institutions to collaborate with researchers in China, and there's no public evidence to suggest that the arrangements were improper.

According to the unsigned statement’s title and metadata, it appears to have been authored by Ninghui Li, a computer science professor at Purdue who has collaborated on research with Wang since at least 2006. The pair also serve together on the board of the ACM Special Interest Group on Security, Audit, and Control (SIGSAC), which aims “to develop the information security profession by sponsoring high quality research conferences and workshops,” according to the Association for Computer Machinery’s website. Li did not respond to emailed requests for comment nor a voicemail left on his office phone.

Jason Covert, one of attorneys representing Xiaofeng Wang and his wife, Nianli Ma, a library systems analyst whose employee profile was also removed by Indiana University, tells WIRED that Wang and Ma are both “safe” and that neither of them have been arrested. Their legal team is not currently aware of any pending criminal charges against them, and while the couple’s attorneys have viewed a search warrant from the Department of Justice, Covert says they have not received a copy of the affidavit establishing probable cause.

Wang is considered among the top researchers in the field of privacy, data security, and biometric privacy, and his sudden disappearance came as a shock to many of his academic peers. Wang joined IU in 2004 and is the lead principal investigator of the multidisciplinary Center for Distributed Confidential Computing, which he established in 2022 with an almost $3 million grant from the National Science Foundation (NSF), according to a since-deleted bio on IU’s website. As part of his application for the NSF funding and other US federal research grants, Wang would have been required to disclose other grants he already received or were currently pending review.

On March 28, the FBI searched two home addresses associated with Wang. The same day, IU also reportedly terminated Wang’s job via an email sent by provost Rahul Shrivastav, which WIRED obtained and was first reported by The Indiana Daily Student. The email also said it was understood that Wang had recently accepted a position with a university in Singapore, a detail also repeated in the statement attributed to Li.

The statement says Wang planned to start at the unnamed Singaporean university on June 1, 2025, and requested a leave of absence from Indiana University in early March. But IU responded by “putting him on administrative leave, removing his IU homepage, and disabling his IU email address,” it claims.

Wang’s new job offer “would be irrelevant in any event because it is for \[the\] next academic year and would not justify firing him,” Tanford says. Terminating his employment via an email was a violation of university policy, Tanford claims, which prohibits firing a tenured professor without cause, and requires a 10-day notice and a hearing before a faculty board of review, if requested by the staff member. “The faculty is deeply concerned. If the administration can fire a tenured professor without due process and in violation of a policy approved by our trustees, none of us is safe,” he says.

Reached for comment, an IU spokesperson declined to answer detailed questions from WIRED about prior communications between the university and Wang and the school’s decision to fire him.

“Indiana University was recently made aware of a federal investigation of an Indiana University faculty member,” university spokesperson Mark Bode tells WIRED in an emailed statement. “At the direction of the FBI, Indiana University will not make any public comments regarding this investigation. In accordance with Indiana University practices, Indiana University will also not make any public comments regarding the status of this individual.”

The FBI has so far not commented on the reason for its activities surrounding Wang’s properties. In a statement sent to WIRED, Indianapolis-based spokesperson Chris Bavender says, “The FBI conducted court authorized law enforcement activity at homes in Carmel and Bloomington, Indiana last Friday. We have no further comment at this time.”

WIRED could not immediately reach Wang or Ma for comment directly, but Covert, their attorney, provided a statement on their behalf.

“Prof. Wang and Ms. Ma are thankful for the outpouring of support they have received from colleagues at Indiana University and their peers across the academic community,” the statement reads. “They look forward to clearing their names and resuming their successful careers at the conclusion of this investigation.”

To many in the academic research community, the events surrounding Wang and another Chinese-born scholar in Florida who was fired recently are reminiscent of the China Initiative, a US Department of Justice campaign launched under the first Trump administration to combat cybercrime and economic espionage. Critics accused the program of unfairly targeting Chinese-born researchers and broader Asian-immigrant and Asian-American academic communities.

The DOJ abandoned the program under the Biden administration in 2022 after it lost or withdrew charges in a number of associated cases. At the time, a top DOJ official said it had “helped give rise to a harmful perception” that there are lower standards for prosecuting conduct related to China, and people with ties to the country are treated differently. But several congressional efforts have since sought to resurrect the program or start similar law enforcement campaigns, including a 2023 bill that passed the House but not the Senate last year.

“We, like many other organizations and individuals, have broad concerns that the end of the \[China Initiative\] is just in name but does not reflect a change in fact and substance,” Jeremy Wu, the coorganizer of APA Justice, a nonprofit organization that advocates against racial profiling, said in a March webinar at the Michigan State University. Wu declined WIRED’s request to comment on the events surrounding Wang.

Matthew Green, a professor at Johns Hopkins University who specializes in cryptography and cryptographic engineering says that, while he doesn’t know Wang personally, he is troubled by how secretive Indiana University has been about the circumstances that led to his alleged firing. “This is not normal behavior by a university,” Green tells WIRED.

Green says he worries that cases like Wang’s could make young engineers from China think twice about studying at American universities, and even motivate talented researchers who have lived in the US for decades to instead consider working abroad. “We may lose a huge amount of expertise,” Green says.

Cybersecurity Professor Faced China-Funding Inquiry Before Disappearing, Sources Say

Cybersecurity researchers have disclosed details of a now-patched privilege escalation vulnerability in Google Cloud Platform (GCP) Cloud Run that could have allowed a malicious actor to access container images and even inject malicious code.
"The vulnerability could have allowed such an identity to abuse its Google Cloud Run revision edit permissions in order to pull private Google Artifact

Tag

#google