The newly established Department of Government Efficiency (DOGE) continues to disrupt the operations of the U.S. government by implementing significant reductions to the federal workforce. Many ongoing lawsuits contend that the group’s access to sensitive information breaches the Privacy Act of 1974, which arose in the wake of the Watergate scandal, and demand an immediate cessation of its activities. This week, DOGE further reduced staff at the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and obtained access to CISA’s digital frameworks, following the agency’s decision to freeze its long-standing election security initiatives just last week.
In related news, the National Institute of Standards and Technology (NIST) is reportedly preparing for the termination of around 500 employees, which could significantly affect the agency’s capabilities in cybersecurity standards and the tracking of software vulnerabilities. Cuts enacted last week at the U.S. Digital Service included the cybersecurity head responsible for the central Veterans Affairs portal, VA.gov, potentially exposing VA systems and information to heightened risks due to the absence of this key role.
Various U.S. government departments are now contemplating restrictions on the use of China-manufactured TP-Link routers in light of recent escalated Chinese digital espionage activities, although the company has denied any association with cyberattacks. A WIRED investigation has uncovered that users of Google’s advertising technology can target groups that their policies should ordinarily exclude, such as individuals with chronic illnesses or financial distress. Advertisers can also target “decision makers” in national security and individuals engaged in developing classified defense technologies.
This week, Google researchers alerted the public that Russian-affiliated hackers have been deceiving Ukrainian troops with phony QR codes leading to Signal group invites. This tactic exploits a vulnerability allowing the attackers to surveil the messages of their targets. Signal has since implemented updates to address this loophole. Additionally, a WIRED deep dive explores how challenging it is for even well-connected internet users to remove nonconsensual intimate images and videos of themselves from online platforms.
And there’s more to uncover. Each week, we compile security and privacy news that didn’t receive in-depth coverage from us. Click on the headlines to access the full stories—stay safe out there.
Running a cryptocurrency exchange involves high risks, as demonstrated by the experiences of hacking victims such as Mt. Gox, Bitfinex, and FTX, among many others. Remarkably, before ByBit no platform had lost a ten-figure dollar amount in a single heist. On Friday, the exchange disclosed that its Ethereum-based assets had been compromised, with crooks making off with a staggering $1.4 billion—potentially marking the largest cryptocurrency theft ever recorded.
ByBit’s CEO, Ben Zhou, posted on X that the hackers employed a “musked transaction”—presumably a typographical error for “masked transaction”—to mislead the exchange into cryptographically altering the code of the smart contract governing a wallet containing its Ethereum reserves. “Please rest assured that all other cold wallets are secure,” Zhou reassured, indicating that the exchange remains solvent. “All withdrawals are NORMAL.” He later added on X that the exchange would absorb the loss, suggesting that no user funds would be at risk.
This theft far exceeds previous notorious hacks of crypto exchanges like Mt. Gox and FTX, which lost sums worth hundreds of millions of dollars when the thefts were uncovered. Even the 2016 Bitfinex heist, in which close to $4.5 billion in stolen funds was identified when the culprits were caught and predominantly recovered in 2022, was valued at only $72 million at the time of the theft. ByBit’s loss of $1.4 billion constitutes a significantly greater theft and represents a new staggering benchmark in crypto crime, especially as total cryptocurrency thefts reported in 2024 reached $2.2 billion, according to the analysis firm Chainalysis.
Earlier this month, the British government sparked global privacy concerns by demanding that Apple provide access to users’ end-to-end encrypted iCloud data. This data had been secured using Apple’s Advanced Data Protection feature, which encrypts user information in such a way that not even Apple can decrypt it. In response to pressure from the UK, Apple has agreed to disable this end-to-end encryption feature for iCloud in the region, openly expressing its reluctance with a statement highlighting the growing importance of enhancing cloud storage security through such encryption. “Apple remains committed to offering our users the highest level of security for their personal data and is hopeful that we will be able to do so in the future in the UK,” the company stated. Privacy advocates around the globe warn that this decision—along with the UK’s coercive stance—will undermine the security and privacy of British citizens and could make technology firms susceptible to similar surveillance requests from governments worldwide.
Perhaps even more troubling than the threat posed by stalkerware applications—malware covertly placed on devices by spying partners or other individuals to monitor the victim’s activities—is when such applications are secured so poorly that they expose victims’ data online. Stalkerware applications Cocospy and Spyic, likely developed by individuals in China and sharing a significant common codebase, reportedly left the personal information of millions of victims vulnerable online due to a security flaw in both applications, as revealed by a security researcher who exposed the issue to TechCrunch. The leaked data included messages, call history, and photos. In a twisted turn of events, the flaw also exposed the email addresses of millions of the stalkerware’s registered users, who had installed the applications for the purpose of spying on their victims.