Plus: Apple turns off end-to-end encrypted iCloud backups in the UK after pressure to install a backdoor, and two spyware apps expose victim data—and the identities of people who installed the apps.
The cybersecurity lead for VA.gov was fired last week. He tells WIRED that the Veterans Affairs digital hub will be more vulnerable without someone in his role.
Crypto exchange Bybit announced on Friday that “a sophisticated attack” led to the theft of Ethereum (ETH) from one of the company’s offline wallets.
Bybit’s chief executive and co-founder Ben Zhou said in a livestream that the hackers stole around 401,346 ETH, which at the time of the theft amounted to about $1.4 billion.
According to both crypto security firm Elliptic and crypto security researcher ZachXBT, the total amount of ETH stolen is worth around $1.4 billion, making this the largest known theft of crypto in history. The previous largest crypto breaches were the hacks against the Ronin Network and Poly Network, which resulted in the loss of $624 million and $611 million, respectively, according to data collected by Rekt, a site that tracks web3 and crypto breaches.
“In fact, it may even be the largest single theft of all time,” Tom Robinson, Elliptic’s co-founder and chief scientist told TechCrunch, referring to any kind of theft, not just data breaches.
Prior to Bybit’s breach, the withdrawal of around $1 billion from the Central Bank of Iraq is said to be the largest bank robbery of all time, according to the financial news site World Finance.
Zhou wrote on X that the hacker “took control” of one of the company’s cold wallets, referring to a digital wallet that stores cryptocurrency but in theory isn’t connected to the internet, and transferred funds to a “warm” wallet, which is online.
When reached for comment, Bybit spokesperson Tony Au referred to Zhou’s public posts. In one post, Zhou wrote that the company is “solvent” and “can cover the loss” even if it can’t recover the stolen funds.
Bybit, which is based in Dubai, United Arab Emirates, had estimated total assets of $16 billion as of last week, according to CoinMarketCap.
To put things in perspective, in all of 2024, the total amount of crypto stolen by hackers was around $2.2 billion, according to blockchain tracking firm Chainalysis. And, in 2023, it was around $2 billion, according to multiple estimates.
Keep reading the article on Tech Crunch
A backdoor into iCloud end-to-end encryption would defeat the purpose of the feature, so Apple is pulling it from the UK altogether.
Apple confirmed Friday that it “can no longer” offer a security feature that allows users in the United Kingdom to encrypt their iCloud data.
In a statement provided to TechCrunch, Apple spokesperson Fred Sainz said the company’s Advanced Data Protection feature will no longer be available to new users and current U.K. users “will eventually need to disable this security feature.”
“We are gravely disappointed that the protections provided by ADP will not be available to our customers in the U.K. given the continuing rise of data breaches and other threats to customer privacy,” the company said.
“Enhancing the security of cloud storage with end-to-end encryption is more urgent than ever before,” the statement said.
The announcement comes after the U.K. government reportedly ordered Apple earlier this year to build a backdoor that would allow British authorities “blanket” access to users’ data stored on Apple’s cloud servers, even if it is end-to-end encrypted. This request, seen as unprecedented in a modern democracy, alarmed privacy and security experts, who argued that if the British government prevailed, the demand would set a precedent for authoritarian countries to follow.
Apple offers users the option to turn on end-to-end encrypted iCloud backups through Advanced Data Protection. This feature effectively makes it impossible for anyone, including Apple and government authorities, to view data stored in iCloud by users who have opted in.
A spokesperson for the U.K. Home Office did not immediately respond to TechCrunch’s request for comment.
Apple did not immediately say how the process of disabling ADP will work for users who had already turned it on before Friday.
Apple said that some types of data, including health data, messages stored in iCloud, and payment information, which are end-to-end encrypted by default for all users, will not be affected by this change, and will remain encrypted for everyone. But U.K. users will not be able to opt-in to use end-to-end encryption for the other types of data, such as photos, notes, backups, and other data, which were encrypted under ADP.
For those who already have ADP enabled, Apple said it will give customers more guidance soon, as well as a period of time to disable the feature to keep using iCloud.
ADP is unaffected for users outside of the United Kingdom, Apple said, and end-to-end encrypted communication services like FaceTime and iMessage are not affected, either.
“As we have said many times before, we have never built a backdoor or master key to any of our products or services and we never will,” Apple said, linking to its prior statements.
BBC News reported that ADP stopped being an option for new users starting at 3 p.m. U.K. time on Friday. TechCrunch has also confirmed that ADP is no longer an option for new users in the United Kingdom.
Since the rise of encryption in the mid-1990s, governments worldwide have argued that this data-scrambling technology would allow criminals and terrorists to break the law while evading law enforcement. Over the years, authorities have always found a way, from accessing unencrypted backups to using spyware, to access data directly on people’s devices.
“If you are not in the U.K., you should turn on ADP now,” Matthew Green, a cryptography expert who teaches at Johns Hopkins University, wrote on X in response to the news.
“The more people who use it, the harder it will be to shut off this way,” said Green.
Clarified the forms of data protected under Advanced Data Protection in the ninth paragraph.
Keep reading the article on Tech Crunch
A trove of chat logs allegedly belonging to the Black Basta ransomware group has leaked online, exposing key members of the prolific Russia-linked gang.
The chat logs, which include over 200,000 messages spanning from September 18, 2023, to September 28, 2024, were shared with threat intelligence company Prodaft by a leaker. The cybersecurity firm says the leak comes amid “internal conflict” within the Black Basta group after some members allegedly failed to provide the group’s victims with functional decryption tools despite the victims paying a ransom demand.
It’s not yet known if the leaker, who uses the alias “ExploitWhispers” on Telegram, was a member of the Black Basta gang.
Black Basta is a prolific Russian-language ransomware gang, which the U.S. government has linked to hundreds of attacks on critical infrastructure and global businesses, whose publicly known victims include U.S. healthcare organization Ascension, U.K. utility company Southern Water, and British outsourcing giant Capita. The leaked chat logs give a never-before-seen look inside the ransomware gang, including some of its unreported targets.
According to a post on X by Prodaft, the leaker said that the hackers “crossed the line” by targeting Russian domestic banks.
“So we are dedicated to uncovering the truth and investigating Black Basta’s next steps,” the leaker wrote.
TechCrunch obtained a copy of the hackers’ chat logs from Prodaft, which contain details about key members of the ransomware gang.
These members include “YY” (Black Basta’s main administrator); “Lapa” (another of Black Basta’s key leaders); “Cortes” (a hacker linked to the Qakbot botnet); and “Trump” (also known as “AA” and “GG”).
The hacker “Trump” is believed to be an alias used by Oleg Nefedovaka, who Prodaft researchers describe as “the group’s main boss.” The researchers linked Nefedovaka to the now-defunct Conti ransomware group, which shut down soon after its internal chat logs leaked following the gang’s declaration of support for Russia’s full-scale invasion of Ukraine in 2022.
The leaked Black Basta chat logs also quote one member as saying they are 17 years old, TechCrunch has seen.
By our count, the leaked chats contain 380 unique links related to company information hosted on Zoominfo, a data broker that collects and sells access to businesses and their employees, which the chat logs show the hackers used to research the companies they targeted. The links also give some indication of the number of organizations targeted by the gang during the 12-month period.
The chat logs also reveal unprecedented insights into the group’s operations. The messages include details on Black Basta’s victims, copies of phishing templates used in their cyberattacks, some of the exploits used by the gang, cryptocurrency addresses associated with ransom payments, and details about ransom demands and the gang’s negotiations with hacked organizations.
We also found chat logs of the hackers discussing a TechCrunch article about ongoing Qakbot activity, despite an earlier FBI takedown operation aimed at knocking the notorious botnet offline.
TechCrunch also found chat logs that named several previously unknown targeted organizations. This includes the failed U.S. automotive giant Fisker; healthtech provider Cerner Corp, which is now owned by Oracle; and U.K.-based travel firm Hotelplan. It is not yet known if the companies were breached, and none of the companies responded to TechCrunch’s inquiries.
The chat logs appear to show the gang’s efforts in exploiting security bugs in enterprise network devices, such as routers and firewalls that sit on the perimeter of a company’s network and act as digital gatekeepers.
The hackers boasted of their ability to exploit vulnerabilities in Citrix remote access products to break into at least two company networks. The gang also talked about exploiting vulnerabilities in Ivanti, Palo Alto Networks and Fortinet software to carry out cyberattacks.
A conversation between Black Basta members also suggests that some of the group’s members were worried about being investigated by Russian authorities in response to geopolitical pressures. While Russia has long been a safe haven for ransomware gangs, Black Basta was also concerned about actions brought by the U.S. government.
Messages sent after the group’s breach of Ascension’s systems warned that the FBI and CISA are “100% obliged” to get involved and could lead to the agencies “taking a tough stance on Black Basta.”
Black Basta’s dark web leak site, which it uses to publicly extort victims into paying the gang a ransom demand, was offline at the time of publication.
Keep reading the article on Tech Crunch