A bipartisan bill would force the FBI to get a warrant to read Americans’ messages and ban the federal purchase of commercial data on US residents ahead of a critical April deadline.
Amid a paralyzing breach of medical tech firm Stryker, the group has come to represent Iran's use of “hacktivism” as cover for chaotic, retaliatory state-sponsored cyberattacks.
A hacktivist group with links to Iran’s intelligence agencies is claiming responsibility for a data-wiping attack against Stryker, a global medical technology company based in Michigan. News reports out of Ireland, Stryker’s largest hub outside of the United States, said the company sent home more than 5,000 workers there today. Meanwhile, a voicemail message at Stryker’s main U.S. headquarters says the company is currently experiencing a building emergency.
Based in Kalamazoo, Michigan, Stryker [NYSE:SYK] is a medical and surgical equipment maker that reported $25 billion in global sales last year. In a lengthy statement posted to Telegram, a hacktivist group known as Handala (a.k.a. Handala Hack Team) claimed that Stryker’s offices in 79 countries have been forced to shut down after the group erased data from more than 200,000 systems, servers and mobile devices.
A manifesto posted by the Iran-backed hacktivist group Handala, claiming a mass data-wiping attack against medical technology maker Stryker.
“All the acquired data is now in the hands of the free people of the world, ready to be used for the true advancement of humanity and the exposure of injustice and corruption,” a portion of the Handala statement reads.
The group said the wiper attack was in retaliation for a Feb. 28 missile strike that hit an Iranian school and killed at least 175 people, most of them children. The New York Timesreports today that an ongoing military investigation has determined the United States is responsible for the deadly Tomahawk missile strike.
Handala was one of several hacker groups recently profiled by Palo Alto Networks, which links it to Iran’s Ministry of Intelligence and Security (MOIS). Palo Alto says Handala surfaced in late 2023 and is assessed as one of several online personas maintained by Void Manticore, a MOIS-affiliated actor.
Stryker’s website says the company has 56,000 employees in 61 countries. A phone call placed Wednesday morning to the media line at Stryker’s Michigan headquarters sent this author to a voicemail message that stated, “We are currently experiencing a building emergency. Please try your call again later.”
A report Wednesday morning from the Irish Examiner said Stryker staff are now communicating via WhatsApp for any updates on when they can return to work. The story quoted an unnamed employee saying anything connected to the network is down, and that “anyone with Microsoft Outlook on their personal phones had their devices wiped.”
“Multiple sources have said that systems in the Cork headquarters have been ‘shut down’ and that Stryker devices held by employees have been wiped out,” the Examiner reported. “The login pages coming up on these devices have been defaced with the Handala logo.”
Wiper attacks usually involve malicious software designed to overwrite any existing data on infected devices. But a trusted source with knowledge of the attack who spoke on condition of anonymity told KrebsOnSecurity the perpetrators in this case appear to have used a Microsoft service called Microsoft Intune to issue a ‘remote wipe’ command against all connected devices.
Intune is a cloud-based solution built for IT teams to enforce security and data compliance policies, and it provides a single, web-based administrative console to monitor and control devices regardless of location. The Intune connection is supported by this Reddit discussion on the Stryker outage, where several users who claimed to be Stryker employees said they were told to uninstall Intune urgently.
Palo Alto says Handala’s hack-and-leak activity is primarily focused on Israel, with occasional targeting outside that scope when it serves a specific agenda. The security firm said Handala also has taken credit for recent attacks against fuel systems in Jordan and an Israeli energy exploration company.
“Recent observed activities are opportunistic and ‘quick and dirty,’ with a noticeable focus on supply-chain footholds (e.g., IT/service providers) to reach downstream victims, followed by ‘proof’ posts to amplify credibility and intimidate targets,” Palo Alto researchers wrote.
The Handala manifesto posted to Telegram referred to Stryker as a “Zionist-rooted corporation,” which may be a reference to the company’s 2019 acquisition of the Israeli company OrthoSpace.
Stryker is a major supplier of medical devices, and the ongoing attack is already affecting healthcare providers. One healthcare professional at a major university medical system in the United States told KrebsOnSecurity they are currently unable to order surgical supplies that they normally source through Stryker.
“This is a real-world supply chain attack,” the expert said, who asked to remain anonymous because they were not authorized to speak to the press. “Pretty much every hospital in the U.S. that performs surgeries uses their supplies.”
John Riggi, national advisor for the American Hospital Association (AHA), said the AHA is not aware of any supply-chain disruptions as of yet.
“We are aware of reports of the cyber attack against Stryker and are actively exchanging information with the hospital field and the federal government to understand the nature of the threat and assess any impact to hospital operations,” Riggi said in an email. “As of this time, we are not aware of any direct impacts or disruptions to U.S. hospitals as a result of this attack. That may change as hospitals evaluate services, technology and supply chain related to Stryker and if the duration of the attack extends.”
According to a March 11 memo from the state of Maryland’s Institute for Emergency Medical Services Systems, Stryker indicated that some of their computer systems have been impacted by a “global network disruption.” The memo indicates that in response to the attack, a number of hospitals have opted to disconnect from Stryker’s various online services, including LifeNet, which allows paramedics to transmit EKGs to emergency physicians so that heart attack patients can expedite their treatment when they arrive at the hospital.
“As a precaution, some hospitals have temporarily suspended their connection to Stryker systems, including LIFENET, while others have maintained the connection,” wrote Timothy Chizmar, the state’s EMS medical director. “The Maryland Medical Protocols for EMS requires ECG transmission for patients with acute coronary syndrome (or STEMI). However, if you are unable to transmit a 12 Lead ECG to a receiving hospital, you should initiate radio consultation and describe the findings on the ECG.”
This is a developing story. Updates will be noted with a timestamp.
Update, 2:54 p.m. ET: Added comment from Riggi and perspectives on this attack’s potential to turn into a supply-chain problem for the healthcare system.
Update, Mar. 12, 7:59 a.m. ET: Added information about the outage affecting Stryker’s online services.
Tax season is a headache for many people, and when a shortcut promises to make filing easier, it’s hard to resist. This year, one of the newest trends is using AI chatbots like ChatGPT to help prepare tax returns.
According to new McAfee research, 30% of people say they plan to use an AI tool, such as ChatGPT, to help with their taxes, with younger adults leading the trend.
At first glance, it makes sense. AI tools can explain confusing tax rules, summarize IRS forms, and answer questions instantly.
But there’s an important line that should never be crossed: Do not enter your personal tax information into AI chatbots.
That includes Social Security numbers, income records, home addresses, bank details, or anything else tied to your identity.
Here’s why:
Typing Your Tax Info Into a Chatbot Is Like Posting It Online
Think about it this way: when you type something into an AI chatbot, you’re sending that information over the internet to a system that processes and stores data.
In practical terms, entering sensitive information into an AI tool is similar to typing it directly into a search engine or submitting it to an online form.
Once it leaves your device, you lose direct control over where it travels and how it may be stored.
Even companies with strong security protections are transparent about this risk.
OpenAI’s privacy documentation explains that they use encryption and strict access controls to protect user data. However, they also note that no internet transmission or digital storage system can be guaranteed completely secure.
This is true across the internet, not just for AI tools.
Even Secure Systems Can Experience Breaches
Security incidents can happen anywhere online, including companies with robust security programs.
For example, in late 2025, OpenAI disclosed a security incident involving a third-party analytics provider called Mixpanel. The breach occurred within the vendor’s systems, not OpenAI’s infrastructure, but some limited user profile data associated with the platform was exposed.
According to OpenAI’s disclosure, the data involved information such as:
Names associated with accounts
Email addresses
Approximate location data
Browser and device information
Importantly, chat content, passwords, payment information, and government IDs were not exposed in that incident.
But the event highlights a broader cybersecurity reality:
Even when a company takes strong security precautions, third-party services, vendors, and other parts of the digital ecosystem can still introduce risk.
That’s why cybersecurity experts recommend limiting what personal information you share online whenever possible.
Why Tax Data Is Especially Dangerous to Share
Tax information is one of the most valuable targets for cybercriminals.
If scammers obtain the details commonly found in tax filings, they may be able to:
Commit tax refund fraud
Open financial accounts in your name
Conduct identity theft
Launch highly personalized phishing attacks
Tax returns typically include multiple pieces of highly sensitive data, including:
Social Security numbers
Home addresses
Employer and income information
Banking details for refunds
Family member information
Entering these details into any tool outside of a secure tax platform significantly increases risk.
Safer Ways to File Your Taxes
Instead of relying on AI chatbots for filing, stick with trusted tax preparation options designed to securely handle sensitive data:
Official tax software platforms
Licensed tax professionals
IRS-approved free filing services
These systems are specifically built with compliance, encryption, and identity verification in mind.
AI tools can be incredibly useful for learning and research. But they are not secure tax filing platforms.
If you wouldn’t feel comfortable posting your Social Security number publicly online, you shouldn’t paste it into a chatbot either. When it comes to taxes, the safest rule is simple: Use AI for advice, not for your personal data.
Department of Homeland Security leaders removed top privacy officers who objected to mislabeling government records to block their public release, WIRED has learned.
Delivery apps are glitching and navigation routes are changing abruptly thanks to electronic warfare disrupting the satellite signals that power everything from missiles to your ride home.
We’re back with another roundup of must-know scams and cybersecurity news making headlines this week, including a scam that features the name of the Jim Carrey movie, The Truman Show.
Let’s break it down.
Why Reports Call it the “Truman Show” Scam
So, why the name of this scam?
In the 1998 film The Truman Show, the main character unknowingly lives inside a staged reality TV world where everything around him is carefully controlled. In the “Truman Show” scam, criminals try to place victims into a similarly staged investment environment, complete with fake group chats, fake investors, and fake profits designed to build trust. It doesn’t actually have anything to do with the movie.
What is the “Truman Show” Scam?
The “Truman Show” scam is an AI-powered investment scam where criminals create an entire fake online community to convince victims an investment opportunity is real.
According to reports, scammers invite people into group chats on platforms like Telegram or WhatsApp that appear full of investors sharing tips and celebrating profits. In reality, many of the participants, moderators, and conversations may be run by AI bots designed to simulate a lively trading community.
Security researchers say the moderator and the other “investors” in the group may actually be AI-driven bots, programmed to simulate real conversations and enthusiasm around the investment strategy.
The scam often includes:
A group chat on Telegram or WhatsApp
A downloadable trading app or website
Screenshots showing fake profits
Encouragement from “other members” to invest more
The app itself may appear legitimate. But in reality, it often redirects users to a malicious website where scammers collect personal and financial information.
Once victims deposit money, the criminals can quickly drain accounts or block withdrawals.
McAfee’s State of the Scamiverse research shows just how convincing scams have become. One in three Americans (33%) say they feel less confident spotting scams than they did a year ago, as criminals increasingly use polished branding, realistic conversations, and AI-generated content to make fraudulent opportunities look legitimate.
Why this works: people naturally trust social proof. When it looks like dozens of other investors are making money, people lower their skepticism.
Fake Government Letters Are Targeting Residents Across Towns
Another scam to be aware of this week includes spoofed letters impersonating local government offices.
According to reporting from WGME in Maine, residents in multiple towns recently received official-looking notices requesting payment for supposed municipal fees tied to development applications.
The letters appeared convincing. They used formal language, official seals, and department names.But there was a problem.
One of the notices claimed it came from a “Board of Commissioners,” even though the town in question does not have one.
Officials say the letters instructed recipients to send payments by wire transfer, a method legitimate government offices almost never use for these kinds of transactions.
McAfee’s experts say these scams are effective because they rely on volume. Fraudsters send thousands of letters hoping a small percentage of recipients will respond before verifying the request. And remember, these types of scams occur all the time and across the globe. While today’s reports are in Maine, it’s important to be vigilant wherever you live.
Red flags to watch for:
Requests for wire transfers, gift cards, or crypto payments
Pressure to pay quickly to avoid penalties
Official-looking letters with subtle inconsistencies
Contact information that doesn’t match the official government website
The safest move is simple: verify the request independently. Contact the government office directly using phone numbers listed on its official website, not the ones in the letter.
LexisNexis Confirms Data Breach After Hackers Leak Files
Meanwhile, a well-known data analytics company is dealing with a breach after hackers published stolen files online.
According to BleepingComputer, LexisNexis Legal & Professional confirmed that attackers accessed some of its servers and obtained limited customer and business information. The confirmation came after a hacking group leaked roughly 2GB of stolen data on underground forums.
LexisNexis says the compromised systems contained mostly older or “legacy” data from before 2020, including:
Customer names
User IDs
Business contact information
Product usage details
Support tickets and survey responses
The company says highly sensitive financial information, Social Security numbers, and active passwords were not part of the exposed data.
However, attackers claim they accessed millions of database records and hundreds of thousands of cloud user profiles tied to the company’s systems.
LexisNexis says it has contained the intrusion and is working with cybersecurity experts and law enforcement.
Why breaches like this matter: even when the stolen data appears limited, it can still be used in targeted phishing attacks.
For example, scammers might use real names, email addresses, or business roles to send convincing messages that appear legitimate.
Breaches often trigger waves of follow-up scams weeks or months later. (We know we cover this one a lot, but it’s key to remember!)
McAfee’s Safety Tips This Week
A few simple habits can make these schemes much easier to spot.
Be skeptical of investment groups online. Real trading communities rarely pressure you to deposit money quickly or download unfamiliar apps.
Verify government payment requests independently. If you receive a letter demanding payment, contact the agency directly using information from its official website.
Treat breach-related messages cautiously. After a breach makes headlines, phishing emails often follow pretending to offer “account verification” or “security updates.”
Avoid clicking unfamiliar links in emails or texts. Tools like McAfee’s free WebAdvisor can help flag risky websites and block known malicious pages before they load.
Pause before sending money or personal information. Many scams rely on urgency. Slowing down gives you time to verify what’s real.
We’ll be back next week with another roundup of the scams and cybersecurity news making headlines and what they mean for your digital safety.
Frustrated by fragmented war news, Anghami’s Elie Habib built World Monitor, a platform that fuses global data, like aircraft signals and satellite detections, to track conflicts as they unfold.
A pair of US lawmakers are calling for an investigation into how easily spies can steal information based on devices’ electromagnetic and acoustic leaks—a spying trick the NSA once codenamed TEMPEST.
A highly sophisticated set of iPhone hijacking techniques has likely infected tens of thousands of phones or more. Clues suggest it was originally built for the US government.
John C. isn’t the person you picture getting scammed.
He’s 36. He’s tech-savvy. He’s a mechanical engineer leading a team at a national energy lab in Denver. And he told us his story for one reason: “Scammers will target anyone.”
It began with a phone call from someone claiming to be the IRS. They said John had underpaid his taxes and needed to resolve it quickly. The caller sounded polished and convincing, so convincing that John didn’t stop to question it.
“I thought maybe they sent back too much money [in my refund], and they needed it back,” he said. “I was just so busy and overwhelmed that I never really stopped to think about the situation.”
A follow-up email arrived with IRS logos, clean formatting, and a big payment button. John was trying to move fast between classes as he finished up his PhD, and he wanted to correct the situation as quickly as possible.
“I was like, let me just hurry up and do this, get it over with.”
He clicked. He paid. But later, when he checked his statement, he saw the charge didn’t look like an IRS payment at all. In fact, it was an international charge. The whole thing was a scam.
John said the scammer on the phone had appealed to his emotions and been incredibly convincing.
“It was absolutely masterful,” John said. “I would give him an Oscar for it.
And new McAfee research shows John isn’t alone, with nearly 1 in 4 (23%) US adults surveyed revealing they’ve lost money to a tax scam.
Example of a tax scam text message
Key findings from McAfee’s 2026 Tax Season Survey
Here’s what our January 2026 survey of 3,008 U.S. adults found:
The big picture: lots of worry, not enough confidence
82% of Americans say they’re concerned about tax fraud this season.
67% say they’re seeing the same or more tax scam messages than last year.
40% say tax scam messages are more sophisticated than last year.
84% are concerned about AI making tax scams more realistic.
Only 29% say they’re very confident they could spot a deepfake tax scam.
How often scams are reaching people
34% say they’ve been contacted by someone claiming to be the IRS or another tax authority (phone, text, or email).
38% say they’ve been asked to click a link or send payment related to a “tax issue.”
Common asks include SSNs (15%), birth dates (11%), addresses (10%), “you owe back taxes” pressure (9%), and banking details (8%).
Who is getting hit hardest
Nearly 1 in 4 Americans (23%) say they’ve fallen for a tax scam.
Young adults report the highest exposure: 42% of 18–24-year-olds say they’ve fallen for at least one tax scam.
11% of Americans report tax-related identity theft, rising to 17% among ages 25–34.
The money is real
Among people who say they’ve fallen for a tax scam, the average loss is $1,020.
Separately, nearly 1 in 5 Americans say they’ve lost money to a tax scam.
Tax filing is increasingly digital (and that changes the risk)
55% say they file taxes online (software or IRS Free File).
75% say they receive refunds or pay taxes electronically (direct deposit, cards, apps, EFTPS, etc.).
30% say they plan to use an AI tool (like ChatGPT) to help prepare taxes, especially younger adults. This is highly dangerous, even with platform security protections. For example, if an AI tool were compromised in a data breach, user messages with personal tax information (like social security numbers, home address, and more) could be made public.
Tax Scams Now Hit Year-Round, McAfee Labs Finds
In addition to our consumer survey findings, McAfee Labs analyzed malicious URLs, apps, texts, and emails in the months leading up to filing season.
The major takeaway: tax scams don’t wait for April.
Scam activity began climbing as early as November and has again continued building steadily into 2026.
Between September 1, 2025, and February 19, 2026, McAfee Labs identified 1,468 malicious or suspicious tax-themed unique domains, an average of 43 new fake tax websites every day.
In early November 2025 alone, the average number of new tax-themed malicious domains nearly doubled in just over a week. After a brief dip in late December, activity resumed climbing into February, a pattern we expect to intensify as the April filing deadline approaches.
A chart showing the unique, malicious domains detected by McAfee’s Web Advisor
Fake IRS Websites Are A Major Threat
Scammers are rapidly creating lookalike IRS domains that mimic official government URLs.
They use small changes, extra letters, added words, subtle misspellings, to trick taxpayers into believing they’re on a legitimate IRS site.
Examples include domains that insert additional text around “irs.gov” or add misleading subdomains designed to pass a quick glance.
These fake portals are used to:
Steal login credentials
Harvest Social Security numbers and tax IDs
Capture payment details
Charge bogus “processing fees”
In some cases, these sites don’t just steal, they overcharge.
McAfee Labs observed scam services offering to file for an EIN (Employer Identification Number), something the IRS provides for free, and charging as much as $319 for it.
Example of a scam website we found charging for an EIN.
The official IRS website explicitly warns: you never have to pay a fee to obtain an EIN.
Other scam sites misuse legitimate policy terms, like the “Fresh Start Initiative,” to harvest personal data and enroll victims in aggressive robocall and marketing campaigns.
Tax scams don’t always steal outright. Sometimes they monetize confusion.
Here it shows them charging $319 for an EIN, and collecting their personal information.
How a Typical Tax Scam Unfolds
Most tax scams aren’t one single message. They’re a sequence, designed to make you panic, click, and comply.
Below is the common playbook, plus the red flags that show up repeatedly.
*Note: Scammers may swap the details like AI voice, fake IRS videos, cloned websites, or impersonating tax software, but the pattern stays familiar.
Step
What happens
Red flags you’ll see at this step
Red flags that are true every time
What to do instead
1) The hook
You get a call, text, or email claiming there’s a tax issue (refund problem, underpayment, verification needed).
Message arrives out of nowhere, often during busy hours; “final notice” language; spoofed caller ID.
Unexpected contact + urgency.
Don’t engage. Pause. Go directly to IRS.gov or your tax provider’s official site (type it in).
2) The authority move
They lean hard on being “the IRS” or “state tax authority,” sometimes with personal details.
They sound polished; may use AI voice cloning; may cite a “case number.” Fake or meaningless case numbers are very common.
They want you to trust the title, not verify the source.
Ask for written notice and time. Real tax issues can be verified through official channels.
3) The link
They send a link to a “secure portal” or “refund page.”
Never click the link. Navigate to the real site yourself. If unsure, delete it.
4) The data grab
The site (or “agent”) asks for SSN, banking info, login credentials, or details from a prior return.
Requests that are broader than needed; “verify identity” prompts; form fields that feel too invasive.
They want sensitive info fast.
Stop. Don’t type anything. If you already did, assume it’s compromised and act quickly (see next section).
5) The payment push
They demand payment to “avoid penalties,” “release your refund,” or “resolve a mistake.”
Gift cards, crypto, wire transfers, payment apps; pressure to pay today; threats.
Urgency + unusual payment method.
The IRS does not demand immediate payment via text/social, and doesn’t require gift cards or crypto. Verify independently.
6) The escalation
If you hesitate, they intensify: threats, “law enforcement,” or AI video/audio that “proves” it’s real.
Deepfake IRS video, intimidating language, “you’ll be arrested,” “your license will be revoked.”
Fear is the product.
Hang up. Save evidence. Talk to a trusted person. Contact official support through verified numbers.
7) The aftermath
You realize it was a scam—often after noticing a strange charge or login activity.
Charges from odd merchants; new accounts; IRS account alerts; failed tax filing due to “duplicate return.”
Shame keeps people quiet—scammers count on that.
Report it and protect your identity right away. You’re not alone, and it’s not your fault.
Key point: A message can look “official” and still be fake. AI is making scam language smoother and scams more believable. The safest habit is simple: slow down, and verify using official sources you navigate to yourself.
What to do if you’ve been involved in a tax scam
First: take a breath. Scams are designed to trick you, especially when you’re overwhelmed, rushed, or just trying to fix a problem quickly.
John said it plainly: “Don’t be embarrassed. It does happen. It’s common… they will target anyone.”
And he’s right. The most important thing is what you do next.
1) Stop the bleeding: cut off contact
Stop replying
Don’t click anything else
Don’t send more information or money
2) Capture proof (before it disappears)
Take screenshots and save:
Phone numbers, email addresses, usernames
The message content
Links (don’t click them, just copy)
Payment receipts and transaction IDs
3) Lock down your accounts (especially email)
If a scammer gets into your email, they can reset passwords for everything else.
Do this today:
Change your email password first, then banking/tax accounts
Turn on two-factor authentication (2FA)
If you reused passwords anywhere, change those too
Important: If you clicked a suspicious link, downloaded a file, or gave someone remote access to your computer, make sure you use a different, trusted device (like your phone or another computer) to change passwords. Why? If a scammer installed malware or has access to your computer, they may be able to see all of your brand-new passwords as you’re making them.
Tip: A password manager like McAfee’s can help you create strong, unique passwords quickly, without having to memorize them all.
4) Check for identity theft signals
Tax scams often turn into identity theft. Watch for:
IRS notices about a return you didn’t file
Trouble e-filing because a return was already submitted
Alerts about a new IRS online account you didn’t create
If you suspect tax-related identity theft:
Consider filing an IRS identity theft report (commonly done with IRS Form 14039, Identity Theft Affidavit).
Create or log into your IRS account periodically to review account activity (John now does this every few months).
IRS phishing email: If you received a scam email posing as the IRS, you can forward it to phishing@irs.gov.
Your bank or card provider: If you paid, contact them immediately. Even if recovery isn’t guaranteed, speed matters.
6) Clean up your digital footprint
Scammers don’t just use what you give them. They also use what they can look up.
Removing your personal details from risky data broker sites can reduce how easily scammers can target you again. Tools like Personal Data Cleanup can help you identify where your information is exposed and guide removal.
7) Add protection for the next attempt
Tax season scams often come in waves, especially if scammers think your info is “good.”
Helpful layers include:
Web protection to warn you about risky links and lookalike sites before you enter info – get our free WebAdvisor download here
Scam detection that can flag suspicious messages
Identity monitoring to alert you if key personal info shows up in risky places
Run a free antivirus scan to check your device for malware or unwanted programs (especially if you clicked a link or downloaded anything)
The key takeaway
Tax season creates the perfect storm: time pressure, sensitive data, and a lot of official-looking communication.
Our research shows most people are worried, and for good reason. Scammers are getting more convincing, and AI is raising the bar on what “real” looks and sounds like.
“Tell your friends, tell your family,” John said. “Everyone I know at some point has heard this story, and it might just prevent someone from losing… thousands of dollars.”
If you remember just three things this season, make them these:
Pause before you click.
Verify through official channels you navigate to yourself.
If something happens, act quickly, and don’t blame yourself.
After strikes killed senior Iranian officials, Iran cut off internet access. Journalists are relying on satellite links, encrypted apps, and smuggled footage to report from inside the country.
New analysis shows that attacks on satellite navigation systems have impacted some 1,100 ships in the Middle East since the US and Israel attacked Iran on February 28.
In early January 2026, KrebsOnSecurity revealed how a security researcher disclosed a vulnerability that was used to build Kimwolf, the world’s largest and most disruptive botnet. Since then, the person in control of Kimwolf — who goes by the handle “Dort” — has coordinated a barrage of distributed denial-of-service (DDoS), doxing and email flooding attacks against the researcher and this author, and more recently caused a SWAT team to be sent to the researcher’s home. This post examines what is knowable about Dort based on public information.
A public “dox” created in 2020 asserted Dort was a teenager from Canada (DOB August 2003) who used the aliases “CPacket” and “M1ce.” A search on the username CPacket at the open source intelligence platform OSINT Industries finds a GitHub account under the names Dort and CPacket that was created in 2017 using the email address jay.miner232@gmail.com.
Image: osint.industries.
The cyber intelligence firm Intel 471 says jay.miner232@gmail.com was used between 2015 and 2019 to create accounts at multiple cybercrime forums, including Nulled (username “Uubuntuu”) and Cracked (user “Dorted”); Intel 471 reports that both of these accounts were created from the same Internet address at Rogers Canada (99.241.112.24).
Dort was an extremely active player in the Microsoft game Minecraft who gained notoriety for their “Dortware” software that helped players cheat. But somewhere along the way, Dort graduated from hacking Minecraft games to enabling far more serious crimes.
Dort also used the nickname DortDev, an identity that was active in March 2022 on the chat server for the prolific cybercrime group known as LAPSUS$. Dort peddled a service for registering temporary email addresses, as well as “Dortsolver,” code that could bypass various CAPTCHA services designed to prevent automated account abuse. Both of these offerings were advertised in 2022 on SIM Land, a Telegram channel dedicated to SIM-swapping and account takeover activity.
The cyber intelligence firm Flashpoint indexed 2022 posts on SIM Land by Dort that show this person developed the disposable email and CAPTCHA bypass services with the help of another hacker who went by the handle “Qoft.”
“I legit just work with Jacob,” Qoft said in 2022 in reply to another user, referring to their exclusive business partner Dort. In the same conversation, Qoft bragged that the two had stolen more than $250,000 worth of Microsoft Xbox Game Pass accounts by developing a program that mass-created Game Pass identities using stolen payment card data.
Who is the Jacob that Qoft referred to as their business partner? The breach tracking service Constella Intelligence finds the password used by jay.miner232@gmail.com was reused by just one other email address: jacobbutler803@gmail.com. Recall that the 2020 dox of Dort said their date of birth was August 2003 (8/03).
Searching this email address at DomainTools.com reveals it was used in 2015 to register several Minecraft-themed domains, all assigned to a Jacob Butler in Ottawa, Canada and to the Ottawa phone number 613-909-9727.
Constella Intelligence finds jacobbutler803@gmail.com was used to register an account on the hacker forum Nulled in 2016, as well as the account name “M1CE” on Minecraft. Pivoting off the password used by their Nulled account shows it was shared by the email addresses j.a.y.m.iner232@gmail.com and jbutl3@ocdsb.ca, the latter being an address at a domain for the Ottawa-Carelton District School Board.
Data indexed by the breach tracking service Spycloud suggests that at one point Jacob Butler shared a computer with his mother and a sibling, which might explain why their email accounts were connected to the password “jacobsplugs.” Neither Jacob nor any of the other Butler household members responded to requests for comment.
The open source intelligence service Epieos finds jacobbutler803@gmail.com created the GitHub account “MemeClient.” Meanwhile, Flashpoint indexed a deleted anonymous Pastebin.com post from 2017 declaring that MemeClient was the creation of a user named CPacket — one of Dort’s early monikers.
Why is Dort so mad? On January 2, KrebsOnSecurity published The Kimwolf Botnet is Stalking Your Local Network, which explored research into the botnet by Benjamin Brundage, founder of the proxy tracking service Synthient. Brundage figured out that the Kimwolf botmasters were exploiting a little-known weakness in residential proxy services to infect poorly-defended devices — like TV boxes and digital photo frames — plugged into the internal, private networks of proxy endpoints.
By the time that story went live, most of the vulnerable proxy providers had been notified by Brundage and had fixed the weaknesses in their systems. That vulnerability remediation process massively slowed Kimwolf’s ability to spread, and within hours of the story’s publication Dort created a Discord server in my name that began publishing personal information about and violent threats against Brundage, Yours Truly, and others.
Dort and friends incriminating themselves by planning swatting attacks in a public Discord server.
Last week, Dort and friends used that same Discord server (then named “Krebs’s Koinbase Kallers”) to threaten a swatting attack against Brundage, again posting his home address and personal information. Brundage told KrebsOnSecurity that local police officers subsequently visited his home in response to a swatting hoax which occurred around the same time that another member of the server posted a door emoji and taunted Brundage further.
Dort, using the alias “Meow,” taunts Synthient founder Ben Brundage with a picture of a door.
Someone on the server then linked to a cringeworthy (and NSFW) new Soundcloud diss track recorded by the user DortDev that included a stickied message from Dort saying, “Ur dead nigga. u better watch ur fucking back. sleep with one eye open. bitch.”
“It’s a pretty hefty penny for a new front door,” the diss track intoned. “If his head doesn’t get blown off by SWAT officers. What’s it like not having a front door?”
With any luck, Dort will soon be able to tell us all exactly what it’s like.
Update, 10:29 a.m.: Jacob Butler responded to requests for comment, speaking with KrebsOnSecurity briefly via telephone. Butler said he didn’t notice earlier requests for comment because he hasn’t really been online since 2021, after his home was swatted multiple times. He acknowledged making and distributing a Minecraft cheat long ago, but said he hasn’t played the game in years and was not involved in Dortsolver or any other activity attributed to the Dort nickname after 2021.
“It was a really old cheat and I don’t remember the name of it,” Butler said of his Minecraft modification. “I’m very stressed, man. I don’t know if people are going to swat me again or what. After that, I pretty much walked away from everything, logged off and said fuck that. I don’t go online anymore. I don’t know why people would still be going after me, to be completely honest.”
When asked what he does for a living, Butler said he mostly stays home and helps his mom around the house because he struggles with autism and social interaction. He maintains that someone must have compromised one or more of his old accounts and is impersonating him online as Dort.
“Someone is actually probably impersonating me, and now I’m really worried,” Butler said. “This is making me relive everything.”
But there are issues with Butler’s timeline. For example, Jacob’s voice in our phone conversation was remarkably similar to the Jacob/Dort whose voice can be heard in this Sept. 2022 Clash of Code competition between Dort and another coder (Dort lost). At around 6 minutes and 10 seconds into the recording, Dort launches into a cursing tirade that mirrors the stream of profanity in the diss rap that Dortdev posted threatening Brundage. Dort can be heard again at around 16 minutes; at around 26:00, Dort threatens to swat his opponent.
Butler said the voice of Dort is not his, exactly, but rather that of an impersonator who had likely cloned his voice.
“I would like to clarify that was absolutely not me,” Butler said. “There must be someone using a voice changer. Or something of the sorts. Because people were cloning my voice before and sending audio clips of ‘me’ saying outrageous stuff.”
This week in scams, we’re looking at three very different stories with the same underlying theme: trust is being exploited at scale.
A massive government contractor data breach has quietly grown to affect more than 25 million people. Meanwhile, a viral AI-generated image of Mary-Kate and Ashley Olsen posing in a fake luxury campaign is spreading across social media, fooling some users and alarming others.
And in a new threat report, OpenAI detailed how its own tools are being misused for dating scams, impersonation, and influence operations.
Let’s break it down.
The Conduent Data Breach Now Impacts 25+ Million People
The fallout from a ransomware attack on Conduent, one of the largest government contractors in the U.S., continues to expand.
According to reporting from TechCrunch, updated state-level breach notifications now indicate that more than 25 million people across the U.S. have had personal data exposed.
Conduent provides services tied to state benefit programs, including food assistance, unemployment systems, and other government payment processing operations. The company has said its services reach over 100 million people.
Data reportedly exposed in the breach includes:
Names
Dates of birth
Addresses
Social Security numbers
Health insurance and medical information
TechCrunch noted that the majority of affected individuals appear to be in Oregon and Texas, based on state breach disclosures. Other states have also reported an impact.
The attack has been described as one of the largest government-contractor-related data breaches in recent memory.
Why this matters: When companies that process government benefits are hit, the exposed data often includes highly sensitive identity information. Social Security numbers combined with medical or insurance details can significantly increase the risk of identity theft and fraud.
How to Protect Yourself After a Major Data Breach
If you believe your data may have been exposed:
Monitor your credit reports for unfamiliar activity
Consider placing a free credit freeze
Be wary of phishing emails or texts referencing benefits or account verification
Never share personal information in response to unexpected outreach
Breaches like this often lead to secondary scams months later. The breach itself is only phase one. Phishing campaigns usually follow.
That Viral Olsen Twins “Louis Vuitton” Image? It’s AI.
A supposed luxury campaign featuring Mary-Kate and Ashley Olsen began circulating widely on X and Facebook this week, racking up millions of views.
The images show the twins styled in what appears to be a high-end fashion shoot, drawing numerous comments over their styling. But social media users quickly pointed out visual irregularities and inconsistencies commonly associated with AI-generated imagery.
A screenshot of one of the AI images making thr rounds across social media.
While this doesn’t fall into our typical “scam” roundup, the normalization of AI-generated visuals that look close enough to real to confuse people are a growing issue that can lead to real confusion and distrust.
We have entered a phase where:
Fake ads look legitimate
Public figures appear in campaigns they never participated in
Synthetic images spread faster than corrections
Today it’s a fashion ad. Tomorrow it could be a fake political endorsement, financial announcement, or emergency alert.
The takeaway: If you see a surprising campaign or announcement, verify it through official brand websites or verified accounts before assuming it’s real.
OpenAI Details How ChatGPT Is Being Misused
In a newly released threat report, OpenAI outlined several ways its tools have been abused by bad actors.
A cluster of accounts used ChatGPT to run a dating scam targeting Indonesian men, allegedly defrauding hundreds of victims per month.
Some accounts used the tool to generate promotional copy and ads for a fake dating platform that pressured users into completing costly “tasks.”
Other accounts posed as law firms, impersonating real attorneys and U.S. law enforcement to target fraud victims.
OpenAI also banned accounts linked to activity believed to be part of influence operations, including efforts targeting Japanese political figures.
OpenAI stated that the activity was detected and accounts were removed.
Why this matters: AI tools themselves are not inherently scams. But they dramatically lower the cost and increase the scale of fraud operations. Writing persuasive emails, generating fake legal letters, building scam ads… these now require fewer technical skills than ever before.
The technology doesn’t create the criminal intent. It just accelerates it.
McAfee’s Safety Tips This Week
Assume viral images could be AI-generated until verified
Verify unexpected announcements through official websites
Treat post-breach emails as suspicious by default
Be skeptical of online “consultation” invites that promise payment
Never send money to someone you’ve only met online
We’ll Be Back Next Week
From ransomware breaches to AI-generated impersonations, the pattern is clear: scammers are scaling trust manipulation with technology.
Stay skeptical. Verify before you click. And we’ll be back next week with another breakdown of what’s making headlines, and what it actually means for your security.
Login
.jpg)
