International Cyber Digest
Your weekly go-to cybersecurity newsletter, curated and commented on by our senior analysts.
‼️ It amazes me that Signal, with "state-of-the-art E2E encryption" and a promise that "no one else can" read your messages, fails to turn off notification previews by default, while it has been known for over a decade that Apple stores them cleartext in notification storage.

Remember, folks... even your disappearing messages and deleted messages are still stored in your iOS notification storage when notification previews are on... for 1-2 months... just sitting there waiting for whoever has the means to extract them...
🚨 SPGlobal and Guesty have been listed as supply chain attack victims on Vect ransomware's vibe-coded website. Their data will be published in a couple of days.
❗️X lost its 4th court battle today against a European user — a tech lecturer who filed a GDPR data request after getting shadowbanned. He just wanted to see his data.

X intimidated the plaintiff after their first loss by sending two lawyers to one of his lectures at Leiden University. X then asked the court to impose a gag order on him, claiming he was talking about the case during his lecture — which he wasn't.

Elon Musk promised more transparency on X in 2022, including on shadowbans — where an account isn't actually banned, but its posts are quietly suppressed and hidden from search results. X has been doing exactly the opposite ever since the ownership changed.

For example, X is the only tech giant exploiting a loophole against Out-of-Court Dispute Settlement Bodies in the EU — by simply not paying them. These are independent, certified entities designed to resolve disputes between users and platforms over suspensions, shadowbans, etc. Because X doesn't pay, all of these bodies refuse to take on X cases.

X users are the only major platform users in Europe who are effectively forced to sue in court just to get their rights.

Source: https://uitspraken.rechtspraak.nl/details?id=ECLI:NL:GHAMS:2026:961
πŸ‘6❀4
🚨 Element[.]io is experiencing a worldwide outage due to "legal reasons."

Element is a free and open-source instant messaging client based on the Matrix protocol. It provides secure, end-to-end encrypted communication for individuals, teams, and organizations.

They're working on getting it fixed right now.
β—οΈπŸ‡ΊπŸ‡ΈπŸ‡°πŸ‡΅ Two U.S. nationals have been sentenced to 108 and 92 months in prison for running North Korean IT "laptop farms" that helped North Koreans pose as Americans and get hired at over 100 U.S. companies, including Fortune 500s.

The scheme generated $5M+ in revenue for North Korea, and gave them access to confidential data, including US defense contractor files.

https://www.justice.gov/opa/pr/two-us-nationals-sentenced-facilitating-fraudulent-remote-information-technology-worker
😁9πŸ‘3🀬3😒2πŸ€”1
🖥️🔥 Two inmates at an Ohio prison built a secret hacking operation from behind bars, using computers they were supposed to be recycling. They downloaded and sold porn for snacks, built a hacker toolkit with Kali Linux and password crackers, and created fake passes to move freely around the facility.

All from two secret computers they built from recycling scraps and hid in a ceiling.

In 2014, Marion Correctional Institution signed a deal with a nonprofit called RET3 to have inmates disassemble old computers for parts. Inmates Adam Johnston and Scott Spriggs rebuilt two fully functioning PCs from the scraps instead.

Johnston hid them on plywood boards in the ceiling above a closet in a third-floor training room and ran cables directly into the prison's network switch.

To get them there, he loaded the computers onto a hygiene cart alongside soap and shampoo, wheeled it 1,100 feet across the prison, past a guard, through a metal detector, into an elevator, and up three floors.

Once connected, he could remote into the hidden machines from any inmate terminal. He stole a staff member's login by shoulder surfing. That password hadn't been changed in years.

Using those credentials, Johnston accessed DOTS, the state's offender tracking database. He searched for a young inmate serving a long sentence, found Kyle Patrick, and pulled his SSN and date of birth by bypassing a security filter through the browser's view settings.

He applied for five credit cards in Patrick's name, had his mother provide a neighbor's address as the mailing address, and she intercepted the mail. One Visa debit card was approved. She called the prison and read him the card number and activation code. He activated it from inside the prison. Both the application and activation traced back to a state government IP.

He also researched tax refund fraud via a Bloomberg article, planning to file false returns and have refunds loaded onto prepaid cards.

The computers contained Kali Linux, Wireshark, Nmap, Cain, THC Hydra, VPN tools, Tor, proxy software, and articles on making drugs, explosives, and fake credit cards.

The scheme unraveled when new web filtering software flagged the stolen credentials being used for three hours on a Friday, a day the employee didn't work. IT alerted the warden. Everyone suspected an inmate. Nobody called law enforcement.

The prison's IT specialist was emailed the exact network switch port the rogue computer was plugged into. He misread the email and physically checked the wrong port. Three days later he re-read it, followed the correct cable into the ceiling, and found two hidden computers on plywood boards. He then had inmates pull them down, contaminating the crime scene.

The warden admitted he knew illegal activity was occurring but couldn't explain why he never reported it. The state trooper assigned to the prison literally shared an office with the prison's investigator. Neither was informed. It took over a month before anyone reported it, and only because an outside security officer told them they were legally required to.

After the discovery, inmates wiped other prison computers with CCleaner at least 10 times in two days to destroy evidence. Johnston, transferred to another prison and placed in segregation with his phone access blocked, simply used another inmate's PIN to call his mother five more times.

Of 308 computers seized across the prison, 291 had no inventory tags. The investigation found no password enforcement, no IT inventory, no crime scene protection, and years of unsupervised inmate access to computers and network infrastructure.

The warden resigned.
‼️🇪🇺 The EU's new Age Verification app was hacked with little to no effort.

When you set it up, the app asks you to create a PIN. But that PIN isn't actually tied to the identity data it's supposed to protect. An attacker can delete a couple of entries from a file on the phone, restart the app, pick a new PIN, and the app happily hands over the original user's verified identity credentials as if nothing happened.

It gets worse. The app's "too many attempts" lockout is just a counter in a text file. Reset it to 0 and keep guessing. The biometric check (face/fingerprint) is a simple on/off switch in the same file. Flip it to off and the app skips it entirely.

However, important context:
This is not a production EU app that citizens are being asked to install today.

It is the official DEMO / DEV reference implementation (white-label blueprint) published at ageverification.dev and on GitHub. The project docs are explicit:
“This white-label application is a reference implementation … that should be customised before publishing it.”

Pre-built APKs and hosted services are for testing and demonstration purposes only.

It ships relaxed storage (SharedPreferences for PIN/flags, visible PNGs) deliberately so developers in 27 member states can quickly test flows, debug, and reset state on emulators/devices.

That said β€” fair criticism remains:
Even for a reference/demo, the defaults are weaker than they should be (no secure-by-default keystore/Keychain example in the obvious path, no strong tamper detection in the demo build).

The European Commission’s public statements (“technically ready … highest privacy standards in the world”) created the misleading impression that this was a finished, hardened product. That was sloppy messaging.
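As an added illustration (not code from the age verification project or the post's author): a Python sketch of the weak pattern described above, where the PIN lives in a preferences file beside the credential, next to a pattern where the credential is sealed under a PIN-derived key, so that editing the file and picking a new PIN does not yield the original user's identity. The PBKDF2 round count, the function names and the sample credential are constructed for the example.

```python
"""Binding an on-device credential to the user's PIN.

Weak pattern: PIN, attempt counter and biometric flag sit in a preferences
file next to the credential, so deleting the PIN entry resets the check while
the credential stays readable in clear. Hardened pattern: the credential is
encrypted and authenticated under a key derived from the PIN, so without the
original PIN there is nothing usable to hand over. (An attempt counter kept
in the same file has the same weakness; it needs hardware-backed storage.)
"""
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ROUNDS = 200_000  # constructed parameter, not taken from the app


def _stream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a keystream (used with encrypt-then-MAC)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal_credential(pin: str, credential: bytes) -> dict:
    """Encrypt and authenticate the credential under a PIN-derived key."""
    salt, nonce = os.urandom(16), os.urandom(16)
    km = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS, dklen=64)
    enc_key, mac_key = km[:32], km[32:]
    ct = bytes(a ^ b for a, b in zip(credential, _stream(enc_key, nonce, len(credential))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}


def open_credential(pin: str, blob: dict) -> Optional[bytes]:
    """Return the credential only if this PIN reproduces the MAC key."""
    km = hashlib.pbkdf2_hmac("sha256", pin.encode(), blob["salt"], PBKDF2_ROUNDS, dklen=64)
    enc_key, mac_key = km[:32], km[32:]
    expected = hmac.new(mac_key, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None  # wrong PIN or edited file: nothing is handed over
    return bytes(a ^ b for a, b in zip(blob["ct"], _stream(enc_key, blob["nonce"], len(blob["ct"]))))


def weak_open(prefs: dict, pin: str) -> Optional[bytes]:
    """Weak pattern: credential stored in clear, PIN check is a separate entry."""
    if prefs.get("pin") is None:  # entry missing -> app asks for a new PIN
        prefs["pin"] = pin        # and then treats the caller as the owner
    return prefs["credential"] if prefs["pin"] == pin else None
```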
🚨 Bluesky was attacked by Iranian threat actors today and experienced some downtime.

I have no idea why they would target Bluesky — this seems like a friendly fire incident 😂 because it's the one platform that has the same enemies as Iran.
A cybersecurity researcher from Brazil exposed a large scale scam operation by buying a "Ledger" hardware wallet off a Chinese marketplace — suspiciously cheap and the packaging looked original from a distance.

Here's what he found after cracking the thing open:

The "hardware wallet"
Inside the shell was a completely different chip — the kind you'd find in a cheap IoT gadget, not a wallet designed to protect your crypto. The markings had been physically sanded off to hide what it actually was.

The firmware pretended to be a real Ledger version that doesn't even exist (Ledger Nano S+ V2.1). And here's the kicker: every seed phrase and PIN you'd type into it was stored in plain text and sent straight to the attacker's server (kkkhhhnnn[.]com). Instantly...

It was built to drain wallets across ~20 different blockchains.

The fake app
The seller kindly included a "Ledger Live" app to go with it. It was a modified copy — not even signed properly, the attackers didn't bother with the basics — and it silently siphoned off data the moment you used it.

Just when you thought this was it, the same crew is also pushing malware for Windows, macOS, and even iOS — using TestFlight to sneak past Apple's App Store review entirely.

The researcher has sent a full report to Ledger's security team. A deeper technical breakdown is expected once they've finished their analysis.

This was shared on Reddit by u/Past_Computer2901
πŸ‘13❀3πŸ”₯1
🚨 Three Windows zero-days released by Nightmare-Eclipse are being used in the wild by threat actors.

BlueHammer (CVE-2026-33825): LPE, Abuses Windows Defender’s signature-update pipeline and VSS to breach protected registry hives, dump SAM hashes/identities, and escalate privileges.

RedSun: LPE to SYSTEM abusing Defender's own cloud remediation to overwrite System32 binaries.

UnDefend: Unprivileged DoS that starves the AV of updates while spoofing healthy EDR telemetry.
‼️ Microsoft Windows domain controllers are restarting repeatedly after getting stuck in reboot loops because of recent April patches. 😂

Workaround: IT administrators can reach out to Microsoft Support for business to access a mitigation...