Two inmates at an Ohio prison built a secret hacking operation from behind bars, using computers they were supposed to be recycling. They downloaded and sold porn for snacks, built a hacker toolkit with Kali Linux and password crackers, and created fake passes to move freely around the facility.
All from two secret computers they built from recycling scraps and hid in a ceiling.
In 2014, Marion Correctional Institution signed a deal with a nonprofit called RET3 to have inmates disassemble old computers for parts. Inmates Adam Johnston and Scott Spriggs rebuilt two fully functioning PCs from the scraps instead.
Johnston hid them on plywood boards in the ceiling above a closet in a third-floor training room and ran cables directly into the prison's network switch.
To get them there, he loaded the computers onto a hygiene cart alongside soap and shampoo, wheeled it 1,100 feet across the prison, past a guard, through a metal detector, into an elevator, and up three floors.
Once connected, he could remote into the hidden machines from any inmate terminal. He stole a staff member's login by shoulder surfing. That password hadn't been changed in years.
Using those credentials, Johnston accessed DOTS, the state's offender tracking database. He searched for a young inmate serving a long sentence, found Kyle Patrick, and pulled his SSN and date of birth by bypassing a security filter through the browser's view settings.
He applied for five credit cards in Patrick's name, had his mother provide a neighbor's address as the mailing address, and she intercepted the mail. One Visa debit card was approved. She called the prison and read him the card number and activation code. He activated it from inside the prison. Both the application and activation traced back to a state government IP.
He also researched tax refund fraud via a Bloomberg article, planning to file false returns and have refunds loaded onto prepaid cards.
The computers contained Kali Linux, Wireshark, Nmap, Cain, THC Hydra, VPN tools, Tor, proxy software, and articles on making drugs, explosives, and fake credit cards.
The scheme unraveled when new web filtering software flagged the stolen credentials being used for three hours on a Friday, a day the employee didn't work. IT alerted the warden. Everyone suspected an inmate. Nobody called law enforcement.
The prison's IT specialist was emailed the exact network switch port the rogue computer was plugged into. He misread the email and physically checked the wrong port. Three days later he re-read it, followed the correct cable into the ceiling, and found two hidden computers on plywood boards. He then had inmates pull them down, contaminating the crime scene.
The warden admitted he knew illegal activity was occurring but couldn't explain why he never reported it. The state trooper assigned to the prison literally shared an office with the prison's investigator. Neither was informed. It took over a month before anyone reported it, and only because an outside security officer told them they were legally required to.
After the discovery, inmates wiped other prison computers with CCleaner at least 10 times in two days to destroy evidence. Johnston, transferred to another prison and placed in segregation with his phone access blocked, simply used another inmate's PIN to call his mother five more times.
Of 308 computers seized across the prison, 291 had no inventory tags. The investigation found no password enforcement, no IT inventory, no crime scene protection, and years of unsupervised inmate access to computers and network infrastructure.
The warden resigned.
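The signal that finally caught this, a staff login active on a day its owner does not work, as an added Python example (not part of the original post or the investigation). The log format, account names, addresses and schedule are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed proxy-log sample: timestamp, account, source IP, destination host
SAMPLE_LOG = """\
2024-03-07T08:05:11 staff_a 192.0.2.10 intranet.example
2024-03-07T15:40:02 staff_a 192.0.2.10 mail.example
2024-03-08T09:12:45 staff_b 192.0.2.11 intranet.example
2024-03-08T13:02:00 staff_a 192.0.2.77 files.example
2024-03-08T14:30:19 staff_a 192.0.2.77 apply.example
2024-03-08T16:04:00 staff_a 192.0.2.77 files.example
"""

# Constructed HR schedule: weekdays each account holder works (Monday=0)
SCHEDULE = {"staff_a": {0, 1, 2, 3}, "staff_b": {0, 1, 2, 3, 4}}

def off_schedule_sessions(log_text, schedule):
    """Return one finding per (account, day) with activity on a non-working day."""
    days = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the detector
        stamp, account, src, _host = parts
        when = datetime.fromisoformat(stamp)
        days[(account, when.date())].append((when, src))

    findings = []
    for (account, day), events in sorted(days.items()):
        # An account with no schedule on file is treated as never expected
        if day.weekday() in schedule.get(account, set()):
            continue
        times = [t for t, _ in events]
        findings.append({
            "account": account,
            "date": day.isoformat(),
            "weekday": day.strftime("%A"),
            "minutes_active": int((max(times) - min(times)).total_seconds() // 60),
            "sources": sorted({s for _, s in events}),
        })
    return findings

if __name__ == "__main__":
    for finding in off_schedule_sessions(SAMPLE_LOG, SCHEDULE):
        print(finding)
```

The source address in each finding is what ties the session to a switch port, so it belongs in the alert itself rather than in a follow-up email.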
The EU's new Age Verification app was hacked with little to no effort.
When you set it up, the app asks you to create a PIN. But that PIN isn't actually tied to the identity data it's supposed to protect. An attacker can delete a couple of entries from a file on the phone, restart the app, pick a new PIN, and the app happily hands over the original user's verified identity credentials as if nothing happened.
It gets worse. The app's "too many attempts" lockout is just a counter in a text file. Reset it to 0 and keep guessing. The biometric check (face/fingerprint) is a simple on/off switch in the same file. Flip it to off and the app skips it entirely.
However, important context:
This is not a production EU app that citizens are being asked to install today.
It is the official DEMO / DEV reference implementation (white-label blueprint) published at ageverification.dev and on GitHub. The project docs are explicit:
"This white-label application is a reference implementation ... that should be customised before publishing it."
Pre-built APKs and hosted services are for testing and demonstration purposes only.
It ships relaxed storage (SharedPreferences for PIN/flags, visible PNGs) deliberately so developers in 27 member states can quickly test flows, debug, and reset state on emulators/devices.
That said, fair criticism remains:
Even for a reference/demo, the defaults are weaker than they should be (no secure-by-default keystore/Keychain example in the obvious path, no strong tamper detection in the demo build).
The European Commission's public statements ("technically ready ... highest privacy standards in the world") created the misleading impression that this was a finished, hardened product. That was sloppy messaging.
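Why tying the PIN to the data closes this, as an added Python model (not the project's code and not Android code): the weak half mirrors the behaviour described above with a dict standing in for the preferences file, the hardened half stores the credential only encrypted under a PIN-derived key. Function names, field names and sample values are constructed, and the HMAC keystream is a standard-library stand-in for AES-GCM.

```python
import hashlib
import hmac
import os

# Weak design, as the post describes it: the PIN is just a value in a prefs file.
def weak_unlock(prefs, pin):
    if "pin" not in prefs:               # entry deleted -> app runs PIN setup again
        prefs["pin"], prefs["attempts"] = pin, 0
    if prefs["pin"] != pin:
        prefs["attempts"] += 1           # counter sits in the same editable file
        return None
    return prefs["credential"]           # stored in the clear, PIN never protected it

# Hardened design: the credential only exists encrypted under a PIN-derived key.
def derive_keys(pin, salt):
    k = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000, dklen=64)
    return k[:32], k[32:]                # (encryption key, MAC key)

def keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode, a stdlib stand-in for AES-GCM (assumption)
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(pin, credential):
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(pin, salt)
    ks = keystream(enc_key, nonce, len(credential))
    ct = bytes(a ^ b for a, b in zip(credential, ks))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}

def open_vault(vault, pin):
    if not vault.keys() >= {"salt", "nonce", "ct", "tag"}:
        return None                      # entries deleted: key cannot be re-derived
    enc_key, mac_key = derive_keys(pin, vault["salt"])
    expected = hmac.new(mac_key, vault["nonce"] + vault["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, vault["tag"]):
        return None                      # wrong PIN or edited file
    ks = keystream(enc_key, vault["nonce"], len(vault["ct"]))
    return bytes(a ^ b for a, b in zip(vault["ct"], ks))

def demo():
    cred = b"constructed-age-attestation"      # constructed sample value
    prefs = {"pin": "4821", "attempts": 0, "credential": cred}
    del prefs["pin"]                           # the file edit from the post
    weak = weak_unlock(prefs, "0000")          # new PIN, original credential
    vault = seal("4821", cred)
    stripped = {k: v for k, v in vault.items() if k != "salt"}
    return (weak, open_vault(vault, "0000"),
            open_vault(stripped, "0000"), open_vault(vault, "4821"))

if __name__ == "__main__":
    print(demo())
```

A short PIN can still be guessed offline from a copied file, so on a device the derived key would additionally be wrapped by a hardware-backed key (Android Keystore, iOS Keychain), which is also the only place a retry limit can be enforced.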
Bluesky was attacked by Iranian threat actors today and experienced some downtime.
I have no idea why they would target Bluesky; this seems like a friendly fire incident, because it's the one platform that has the same enemies as Iran.
A cybersecurity researcher from Brazil exposed a large scale scam operation by buying a "Ledger" hardware wallet off a Chinese marketplace. It was suspiciously cheap and the packaging looked original from a distance.
Here's what he found after cracking the thing open:
The "hardware wallet"
Inside the shell was a completely different chip, the kind you'd find in a cheap IoT gadget, not a wallet designed to protect your crypto. The markings had been physically sanded off to hide what it actually was.
The firmware pretended to be a real Ledger version that doesn't even exist (Ledger Nano S+ V2.1). And here's the kicker: every seed phrase and PIN you'd type into it was stored in plain text and sent straight to the attacker's server (kkkhhhnnn[.]com). Instantly...
It was built to drain wallets across ~20 different blockchains.
The fake app
The seller kindly included a "Ledger Live" app to go with it. It was a modified copy (not even signed properly, the attackers didn't bother with the basics) and it silently siphoned off data the moment you used it.
Just when you thought this was it, the same crew is also pushing malware for Windows, macOS, and even iOS, using TestFlight to sneak past Apple's App Store review entirely.
The researcher has sent a full report to Ledger's security team. A deeper technical breakdown is expected once they've finished their analysis.
This was shared on Reddit by u/Past_Computer2901
Three Windows zero-days released by Nightmare-Eclipse are being used in the wild by threat actors.
BlueHammer (CVE-2026-33825): LPE. Abuses Windows Defender's signature-update pipeline and VSS to breach protected registry hives, dump SAM hashes/identities, and escalate privileges.
RedSun: LPE to SYSTEM abusing Defender's own cloud remediation to overwrite System32 binaries.
UnDefend: Unprivileged DoS that starves the AV of updates while spoofing healthy EDR telemetry.
Microsoft Windows domain controller servers are restarting repeatedly after getting stuck in reboot loops because of recent April patches.
Workaround: IT administrators can reach out to Microsoft Support for business to access a mitigation...
The FSB released footage of Sochi Deputy Mayor Evgeny Gorobets and two officials caught in a multimillion-ruble bribery sting.
Fluorescent marking spray on the cash glowed under UV light, leaving forensic evidence on the money and their hands.
Versions 3.24.0 through 6.19.0 are vulnerable. This issue has been fixed in version 6.19.1.
Ghost is also used by many cybersecurity platforms and media outlets like 404media.
The vulnerability is being tracked here: https://nvd.nist.gov/vuln/detail/CVE-2026-26980
Dubai Police are confirmed to be "conducting electronic surveillance operations capable of detecting private WhatsApp messages."
It started with a message in a private group chat of airline workers.
Just colleagues talking, the kind of exchange that happens in thousands of workplace WhatsApp threads every single day.
An airline worker in Dubai shared images of a building damaged during the Iranian attacks...
He sent them to people he knew, in a closed conversation he believed was private.
He was wrong.
Dubai Police were watching.
They downloaded the evidence.
They built their case.
Then they lured the man to a meeting.
He showed up.
They arrested him on the spot.
He now sits in custody, facing charges that include publishing information deemed harmful to state interests, which could mean up to two years behind bars.
And then came the detail that should stop everyone reading this cold.
In their own police report, authorities stated plainly that the clip had been detected "through electronic monitoring operations."
Electronic monitoring of a private WhatsApp conversation between coworkers...
Radha Stirling (a human rights activist) put it bluntly: individuals are being tracked, identified, and arrested not for public statements, but for private exchanges between colleagues.
And the questions this raises don't stop at Dubai's borders.
They land squarely at the feet of WhatsApp and every company that promises its users end-to-end encryption capabilities.
Because if a closed chat between colleagues can be intercepted, decoded, and used as the basis for an arrest by an overreaching state, then billions of users worldwide are owed an answer to one very simple question.
How private are private WhatsApp groups and messages really?
Tesla has remotely altered tens of thousands of customer cars without consent, confirming you don't actually OWN your Tesla when you buy one.
They've demonstrated there's one single point of failure: the mothership. Whoever owns that, owns every Tesla on the road.
This past week they pushed config changes that got customers banned from using FSD. Experts confirm the mechanism is simple: an SMS wakes the car up, then software is pushed and installed from the mothership straight to the car's media control unit without user interaction.
This raises the question of how many privacy and data protection laws they broke, and how much data they collect on users, since they had enough to single out owners of third-party devices.
A week ago, the FBI Director couldn't log into his FBI account, so he panicked and called White House aides convinced he'd been fired. It was a technical glitch.
That's just one scene from The Atlantic's new report on Kash Patel, drawn from 24+ sources, describing heavy drinking, unexplained absences, and colleagues who now view him as a national-security vulnerability.
Trump personally called Patel to express his unhappiness after a video surfaced of him chugging beer with the U.S. Olympic hockey team in Italy.
Officials question whether alcohol played a role in Patel publicly pushing bad info on active cases, including the Charlie Kirk murder investigation.
He still has the job. But senior Trump officials are already discussing replacements, and a former official calls him "rightly paranoid."
https://www.theatlantic.com/politics/2026/04/kash-patel-fbi-director-drinking-absences/686839/