EU

EU Lawyers Say Plan To Scan Private Messages For Child Abuse May Be Unlawful (theguardian.com)

An anonymous reader quotes a report from The Guardian: An EU plan under which all WhatsApp, iMessage and Snapchat accounts could be screened for child abuse content has hit a significant obstacle after internal legal advice said it would probably be annulled by the courts for breaching users' rights. Under the proposed "chat controls" regulation, any encrypted service provider could be forced to survey billions of messages, videos and photos for "identifiers" of certain types of content where it was suspected a service was being used to disseminate harmful material. The providers issued with a so-called "detection order" by national bodies would have to alert police if they found evidence of suspected harmful content being shared or the grooming of children.

Privacy campaigners and the service providers have already warned that the proposed EU regulation and a similar online safety bill in the UK risk end-to-end encryption services such as WhatsApp disappearing from Europe. Now leaked internal EU legal advice, which was presented to diplomats from the bloc's member states on 27 April and has been seen by the Guardian, raises significant doubts about the lawfulness of the regulation unveiled by the European Commission in May last year. The legal service of the council of the EU, the decision-making body led by national ministers, has advised the proposed regulation poses a "particularly serious limitation to the rights to privacy and personal data" and that there is a "serious risk" of it falling foul of a judicial review on multiple grounds.

The EU lawyers write that the draft regulation "would require the general and indiscriminate screening of the data processed by a specific service provider, and apply without distinction to all the persons using that specific service, without those persons being, even indirectly, in a situation liable to give rise to criminal prosecution." The legal service goes on to warn that the European court of justice has previously judged the screening of communications metadata is "proportionate only for the purpose of safeguarding national security" and therefore "it is rather unlikely that similar screening of content of communications for the purpose of combating crime of child sexual abuse would be found proportionate, let alone with regard to the conduct not constituting criminal offenses." The lawyers conclude the proposed regulation is at "serious risk of exceeding the limits of what is appropriate and necessary in order to meet the legitimate objectives pursued, and therefore of failing to comply with the principle of proportionality".
The legal service is also concerned about the introduction of age verification technology and processes to popular encrypted services. "The lawyers write that this would necessarily involve the mass profiling of users, or the biometric analysis of the user's face or voice, or alternatively the use of a digital certification system they note 'would necessarily add another layer of interference with the rights and freedoms of the users,'" reports the Guardian.

"Despite the advice, it is understood that 10 EU member states -- Belgium, Bulgaria, Cyprus, Hungary, Ireland, Italy, Latvia, Lithuania, Romania and Spain -- back continuing with the regulation without amendment."
Security

Promising Jobs At the US Postal Service, 'US Job Services' Leaks Customer Data (krebsonsecurity.com)

An anonymous reader quotes a report from KrebsOnSecurity: A sprawling online company based in Georgia that has made tens of millions of dollars purporting to sell access to jobs at the United States Postal Service (USPS) has exposed its internal IT operations and database of nearly 900,000 customers. The leaked records indicate the network's chief technology officer in Pakistan has been hacked for the past year, and that the entire operation was created by the principals of a Tennessee-based telemarketing firm that has promoted USPS employment websites since 2016. KrebsOnSecurity was recently contacted by a security researcher who said he found a huge tranche of full credit card records exposed online, and that at first glance the domain names involved appeared to be affiliated with the USPS. Further investigation revealed a long-running international operation that has been emailing and text messaging people for years to sign up at a slew of websites that all promise they can help visitors secure employment at the USPS.

Sites like FederalJobsCenter[.]com also show up prominently in Google search results for USPS employment, and steer applicants toward making credit card "registration deposits" to ensure that one's application for employment is reviewed. These sites also sell training, supposedly to help ace an interview with USPS human resources. FederalJobsCenter's website is full of content that makes it appear the site is affiliated with the USPS, although its "terms and conditions" state that it is not. Rather, the terms state that FederalJobsCenter is affiliated with an entity called US Job Services, which says it is based in Lawrenceville, Ga. The site says applicants need to make a credit card deposit to register, and that this amount is refundable if the applicant is not offered a USPS job within 30 days after the interview process. But a review of the public feedback on US Job Services and dozens of similar names connected to this entity over the years shows a pattern of activity: Applicants pay between $39.99 and $100 for USPS job coaching services, and receive little if anything in return. Some reported being charged the same amount monthly.
Michael Martel, spokesperson for the United States Postal Inspection Service, said in a written statement that the USPS has no affiliation with the websites or companies named in this story.

"To learn more about employment with USPS, visit USPS.com/careers," Martel wrote. "If you are the victim of a crime online report it to the FBI's Internet Crime Complaint Center (IC3) at www.ic3.gov. To report fraud committed through or toward the USPS, its employees, or customers, report it to the United States Postal Inspection Service (USPIS) at www.uspis.gov/report."

A list of all the current sites selling this product can be found in Krebs' report.
Crime

NYPD Urges Citizens To Buy AirTags To Fight Surge In Car Thefts (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: The New York Police Department (NYPD) and New York City's self-proclaimed computer geek of a mayor are urging resident car owners to equip their vehicles with an Apple AirTag. During a press conference on Sunday, Mayor Eric Adams announced the distribution of 500 free AirTags to New Yorkers, saying the technology would aid in reducing the city's surging car theft numbers. Adams held the press conference at the 43rd precinct in the Bronx, where he said there had been 200 instances of grand larceny of autos. An NYPD official said that in New York City, 966 Hyundais and Kias have been stolen this year thus far, already surpassing 2022's 819 total. The NYPD's public crime statistics tracker says there have been 4,492 vehicle thefts this year, a 13.3 percent increase compared to the same period last year and the largest increase among NYC's seven major crime categories.

Adams, as the city did when announcing litigation against Kia and Hyundai on April 7, largely blamed the rise in car thefts on Kia and Hyundai, which he said are "leading the way" in stolen car brands. Hyundais and Kias were the subjects of the Kia Challenge TikTok trend that encouraged people to jack said vehicles with a mere USB-A cable. The topic has graduated way beyond a social media fad and into a serious concern. [...] Adams was adamant grand larceny auto numbers were dragging the city's overall crime numbers up and urged New Yorkers to "participate" in the fight against car theft by using an AirTag.
NYPD Chief of Department Jeffrey Maddrey said users who report a stolen vehicle equipped with an AirTag will see the police use "drones, our StarChase technology & good old fashion police work to safely recover your stolen car."

"Help us help you, get an AirTag," he tweeted.
Crime

Former Apple Employee Must Repay $19 Million After Defrauding the Company (theverge.com)

A former Apple employee has been sentenced to three years in prison and must pay back over $19 million in restitution for stealing around $17 million from the tech giant through mail and wire fraud schemes. From a report: Dhirendra Prasad, 55, was originally charged in March 2022 and later pleaded guilty to conspiring to defraud Apple and related tax crimes back in November last year. Prasad was employed at the company between 2008 and 2018, mostly working as a buyer in Apple's global service supply chain, purchasing parts and services from vendors. In his written plea agreement, Prasad admitted he started siphoning money from his employer around 2011 by accepting kickbacks, stealing parts, inflating invoices, and fraudulently charging Apple for goods that were never delivered. He also admitted to evading tax on the proceeds of his schemes and conspiring on these activities with the owners of two vendor companies, who have been charged in separate cases.
Crime

Terra Co-founder Daniel Shin Charged With Fraud in South Korea (theverge.com)

Daniel Shin, the co-founder of Terraform Labs, was indicted in South Korea in connection with the collapsed Terra and Luna cryptocurrencies. From a report: According to reports from Bloomberg and the local Yonhap News Agency, Shin was charged on Tuesday with offenses including fraud, breach of duty, and embezzlement. Prosecutors at Seoul Southern District Court also indicted nine other people with ties to Terra, some of whom had roles in marketing, systems development, and management, as reported by Bloomberg. The outlet also reports that prosecutors have frozen a total of 246.8 billion won (about $184.7 million) in assets from the individuals they charged.
The Almighty Buck

Argentina's 'Generacion Zoe' Promised Financial and Spiritual Development. Was it a Ponzi Scheme? (restofworld.org)

It was a mix of spiritualism and financial education, remembers one patron of Generación Zoe, which "pitched itself as an 'educational and resource-creating community for personal, professional, financial and spiritual development,'" reports Rest of World: Generación Zoe claimed to make money through trading, and promised a 7.5% monthly return on investment for three years for those who put money into its "trust." In Argentina and other countries, other companies with the Zoe name peddled a similar narrative... It included a "university" that offered courses on ontological coaching, a type of philosophical practice popular in some Argentine business circles...

Over 2020 and 2021, more than ten thousand people bought into Zoe, investing hundreds of millions of dollars between them. Zoe grew rapidly, hyping new tech innovations including the "robots" and a cryptocurrency called Zoe Cash. Its interests and visibility expanded: The Zoe name appeared on burger joints, car dealerships, a plane rental company, and pet shops, all emblazoned with its name. It sponsored soccer teams and even created three of its own... Zoe also spread beyond Argentina to other countries in Latin America and further afield, including Mexico, Paraguay, Colombia, Spain, and the U.S.

Towards the end of 2021, however, the shine began to wear off, as authorities began looking into Zoe's activities... Zoe members reported being unable to withdraw the funds they had put into trusts or "robots," and in early 2022, the value of Zoe Cash plummeted. Angry investors banged on the doors of Zoe's branches, and investigations against Zoe and Cositorto piled up across Latin America, Spain, and the U.S.

By March 2022, a handful of high-profile names involved with Zoe in Argentina had been arrested, or were wanted by the authorities...

Prosecutors now accuse Zoe of being nothing more than a simple Ponzi scheme.
Crime

Autonomy Founder Mike Lynch Loses Appeal Against Extradition To US (theguardian.com)

Mike Lynch, the tech entrepreneur once hailed as Britain's answer to Bill Gates, has lost an appeal against extradition to the US to answer criminal fraud charges. The Guardian reports: Lynch, the founding investor of the British cybersecurity firm Darktrace, is facing allegations that he duped the US firm Hewlett-Packard into overpaying when it struck an $11bn deal for his software firm Autonomy in 2011. Two high court judges considered Mike Lynch's challenge at a recent hearing in London and on Friday issued a ruling rejecting his appeal against extradition to face the charges.

Lynch, who could face a maximum prison sentence of 25 years if found guilty, has always denied the allegations and any wrongdoing. Lord Justice Lewis and Justice Julian Knowles ruled on Friday that Lynch, who made 500 million pounds from the sale to HP and was hailed as one of Britain's few global tech champions, should be extradited to the US to stand trial. Sushovan Hussain, Autonomy's former finance director, is already serving time in jail in the US after being found guilty of fraud relating to the same deal.

A spokesperson for Lynch said he was considering appealing to the European court of human rights. "Dr Lynch is very disappointed, but is reviewing the judgment and will continue to explore his options to appeal, including to the European court of human rights (ECHR)," he said. "The United States' legal overreach into the UK is a threat to the rights of all British citizens and the sovereignty of the UK." However, criminal defense law firm Corker Binning said that only 8% of applications to the ECHR in such cases -- seeking a Rule 39 order to stop the UK extradition until it has considered the case -- were successful last year.

Businesses

Amazon Launches Program To Identify and Track Counterfeiters (reuters.com)

Amazon has launched its Anti-Counterfeiting Exchange (ACX), an initiative to help retail stores label and track marketplace counterfeits as part of the e-commerce giant's efforts to crack down on organized crime on its platform, the company announced on Thursday. From a report: Online marketplaces in the United States including Amazon face hurdles in keeping counterfeiters off their platforms and fake merchandise from entering their warehouses. The new program mimics data exchange programs by the credit card industry to find scammers and identify their tactics. Stores and Amazon marketplace sellers can anonymously contribute information and records flagging counterfeiters to a third-party database or use the database to avoid doing business with the bad actors.

"We think it is critical to share information about confirmed counterfeiters to help the entire industry stop these criminals earlier," Dharmesh Mehta, Amazon's vice president of selling partner services, said in a statement. The Seattle-based retail giant piloted the anti-counterfeiting initiative in 2021 with an undisclosed number of apparel, home goods and cosmetics stores, where counterfeiting is most common.

Encryption

Meta Encryption 'Blindfolds' Authorities To Child Abuse, Crime Agencies Claim (ft.com)

The FBI, Interpol and the UK's National Crime Agency have accused Meta of making a "purposeful" decision to increase end-to-end encryption in a way that in effect "blindfolds" them to child sex abuse. From a report: The Virtual Global Taskforce, made up of 15 law enforcement agencies, issued a joint statement saying that plans by Facebook and Instagram-parent Meta to expand the use of end-to-end encryption on its platforms were "a purposeful design choice that degrades safety systems," including with regards to protecting children. The law enforcement agencies also warned technology companies more broadly about the need to balance safeguarding children online with protecting users' privacy. "The VGT calls for all industry partners to fully appreciate the impact of implementing system design decisions that result in blindfolding themselves to CSA [child sexual abuse] occurring on their platforms or reduces their capacity to identify CSA and keep children safe," the statement said.
Crime

Nintendo 'Hacker' Gary Bowser Released From Federal Prison (torrentfreak.com)

An anonymous reader quotes a report from TorrentFreak: Last year, a U.S. federal court handed a 40-month prison sentence to Gary Bowser. The Canadian pleaded guilty to being part of the Nintendo hacking group "Team Xecuter" and has now served his time. In part due to his good behavior, Bowser got an early release from federal prison. [...] In a recent video interview with Nick Moses, Bowser explains that he was released from federal prison on March 28th. He is currently in processing at the Northwest Detention Center in Tacoma, Washington, to prepare for his return to Canada.

What his life will look like in Canada remains uncertain. However, in federal prison, Bowser has shown that he doesn't shy away from putting in work and helping other people in need. Aside from his prison job, he spent several nightly hours on suicide watch. The prison job brought in some meager income, a large part of which went to pay for the outstanding restitution he has to pay, which is $14.5 million in total. Thus far, less than $200 has been paid off. "I've been making payments of $25 per month, which they've been taking from my income because I had a job in federal prison. So far I paid $175," Bowser tells Nick Moses.

If Bowser manages to find a stable source of income in Canada, Nintendo will get a chunk of that as well. As part of a consent judgment, he agreed to pay $10 million to Nintendo, which is the main restitution priority. "The agreement with them is that the maximum they can take is 25 to 30 percent of your gross monthly income. And I have up to six months before I have to start making payments," Bowser notes. At that rate, it is unlikely that Nintendo will ever see the full amount. Or put differently, Bowser will carry the financial consequences of his Team-Xecuter involvement for the rest of his life.

Crime

A Computer Generated Swatting Service Is Causing Havoc Across America

Motherboard has discovered a swatting-as-a-service account on Telegram that uses computer-generated voices to issue bomb and mass shooting threats against high schools and other locations across the country. An anonymous reader shares an excerpt from the report: Known as "Torswats" on the messaging app Telegram, the swatter has been calling in bomb and mass shooting threats against high schools and other locations across the country. Torswats' connection to these wide-ranging swatting incidents has not been previously reported. The further automation of swatting techniques threatens to make an already dangerous harassment technique more prevalent. Swatting is when someone calls in a bogus threat in an attempt to direct law enforcement resources to a particular home, school, or other location. Often, swatting calls result in heavily armed police raiding an innocent victim's home. At least one case has resulted in police killing the unsuspecting occupant.

Torswats carries out these threatening calls as part of a paid service they offer. For $75, Torswats says they will close down a school. For $50, Torswats says customers can buy "extreme swattings," in which authorities will handcuff the victim and search the house. Torswats says they offer discounts to returning customers, and can negotiate prices for "famous people and targets such as Twitch streamers." Torswats says on their Telegram channel that they take payment in cryptocurrency. [...] On their Telegram channel, Torswats has uploaded at least 35 distinct recordings of calls they appear to have made. Torswats may have made many more swatting calls on others' behalf, though: each filename includes a number, with the most recent going up to 170. Torswats also recently shuttered their channel before reappearing on Telegram in February.

In all of those 35 recordings except two, Torswats appears to have used a synthesized voice. The majority of the calls are made with a fake male sounding voice; several include a woman which also appears to be computer generated. Torswats is seemingly able to change what the voice is saying in something close to real-time in order to respond to the operator's questions. These sometimes include "where are you located," "what happened," and "what is your name?" [...] Earlier this month, Torswats allegedly changed their tactics: they claimed to have made a swatting call using their own voice. In the subsequent recording, they start with much the same script as their automated voice. "I've done something really bad and want to kill myself," they tell the operator. They then claim they came out to their parents as a transgender woman, that they have an AR-15, and will shoot any police who respond. "Forgot to cut off my laugh at the end," Torswats wrote on Telegram.
Crime

Tech Executive Arrested In San Francisco Killing of Cash App Creator (missionlocal.org)

"Early Wednesday, San Francisco police made an arrest in the April 4th killing of tech exec Bob Lee," writes Slashdot reader xevioso. "Lee was stabbed in the early hours of April 4th, and later died. His killing prompted a host of claims that this was yet another example of San Francisco's slide into chaos, but the person arrested is reportedly another tech exec." Mission Local reports: The alleged killer also works in tech and is a man Lee purportedly knew. We are told that police today were dispatched to Emeryville with a warrant to arrest a man named Nima Momeni. The name and Emeryville address SFPD officers traveled to correspond with this man, the owner of a company called Expand IT.

Multiple police sources have described the predawn knifing that last week left the 43-year-old Lee dead in a deserted section of downtown San Francisco as neither a robbery attempt nor a random attack. Rather, Lee and Momeni were portrayed by police as being familiar with one another. In the wee hours of April 4, they were purportedly driving together through downtown San Francisco in a car registered to the suspect. Some manner of confrontation allegedly commenced while both men were in the vehicle, and potentially continued after Lee exited the car. Police allege that Momeni stabbed Lee multiple times with a knife that was recovered not far from the spot on the 300 block of Main Street to which officers initially responded.

Privacy

The US Cracked a $3.4 Billion Crypto Heist - and Bitcoin's Anonymity (wsj.com)

Federal authorities are making arrests and seizing funds with the help of new tools to identify criminals through cryptocurrency transactions. From a report: James Zhong appeared to have pulled off the perfect crime. In December 2012, he stumbled upon a software bug while withdrawing money from his account on Silk Road, an online marketplace used to hide criminal dealings behind the seemingly bulletproof anonymity of blockchain transactions and the dark web. Mr. Zhong, a 22-year-old University of Georgia computer-science student at the time, used the site to buy cocaine. "I accidentally double-clicked the withdraw button and was shocked to discover that it resulted in allowing me to withdraw double the amount of bitcoin I had deposited," he later said in federal court. After the first fraudulent withdrawal, Mr. Zhong created new accounts and with a few hours of work stole 50,000 bitcoins worth around $600,000, court papers from federal prosecutors show.
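Withdrawing "double the amount" by double-clicking a button is the textbook symptom of a check-then-act race in a withdrawal handler: two requests both read the balance before either debits it. The report does not say what Silk Road's bug actually was, so the Python below is an added, hypothetical illustration of that bug class (not Silk Road's code, not from the WSJ): a ledger whose balance check and debit are separate steps, beside one that makes them a single atomic step. The `RacyLedger` uses a barrier, standing in for the latency of a database round-trip, so that the race reproduces deterministically.

```python
"""Check-then-act race in a withdrawal handler, and an atomic fix.

Hypothetical illustration of the bug class; the real Silk Road defect is
not described in the report. Amounts are whole units for simplicity.
"""
import threading


class RacyLedger:
    """The balance check and the debit are two steps; nothing spans both."""

    def __init__(self, balance: int, concurrent: int = 2):
        self.balance = balance
        self.paid_out = 0
        self._db_lock = threading.Lock()  # each single "statement" is atomic...
        # ...but this stands in for the latency between check and debit (a DB
        # round-trip, say): every in-flight request passes the check before any debit.
        self._window = threading.Barrier(concurrent)

    def withdraw(self, amount: int) -> bool:
        if self.balance < amount:            # step 1: check (reads a value that may go stale)
            return False
        try:
            self._window.wait(timeout=1)     # other requests run their check here
        except threading.BrokenBarrierError:
            pass
        with self._db_lock:                  # step 2: debit is atomic on its own,
            self.balance -= amount           # yet acts on the stale check above
            self.paid_out += amount
        return True


class AtomicLedger:
    """Check and debit happen under one lock, so balance >= 0 is an invariant."""

    def __init__(self, balance: int):
        self.balance = balance
        self.paid_out = 0
        self._lock = threading.Lock()

    def withdraw(self, amount: int) -> bool:
        with self._lock:                     # the transaction spans check AND debit
            if self.balance < amount:
                return False
            self.balance -= amount
            self.paid_out += amount
            return True


def double_click(ledger, amount: int, clicks: int = 2) -> dict:
    """Fire `clicks` concurrent withdrawals of `amount`, like a double-clicked button."""
    results = []

    def worker():
        results.append(ledger.withdraw(amount))

    threads = [threading.Thread(target=worker) for _ in range(clicks)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return {"succeeded": sum(results), "balance": ledger.balance, "paid_out": ledger.paid_out}


if __name__ == "__main__":
    print("racy:  ", double_click(RacyLedger(100), 100))    # both succeed, balance -100
    print("atomic:", double_click(AtomicLedger(100), 100))  # one succeeds, balance 0
```

Note that the racy version already has an atomic debit; that is not enough. The unit of atomicity has to cover the check as well, which in a real system means a transaction with the row locked (`SELECT ... FOR UPDATE`) or a conditional update such as `UPDATE accounts SET balance = balance - :amt WHERE id = :id AND balance >= :amt` with the affected-row count checked, rather than a read followed by a separate write.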

Federal officials closed Silk Road a year later on criminal grounds and seized computers that held its transaction records. The records didn't reveal Mr. Zhong's caper at first. Authorities hadn't yet mastered how to track people and groups hidden behind blockchain wallet addresses, the series of letters and numbers used to anonymously send and receive cryptocurrency. One elemental feature of the system was the privacy it gave users. Mr. Zhong moved the stolen bitcoins from one account to another for eight years to cover his tracks. By late 2021, the red-hot crypto market had raised the value of his trove to $3.4 billion. In November 2021, federal agents surprised Mr. Zhong with a search warrant and found the digital keys to his crypto fortune hidden in a basement floor safe and a popcorn tin in the bathroom. Mr. Zhong, who pleaded guilty to wire fraud, is scheduled to be sentenced Friday in New York federal court, where prosecutors are seeking a prison sentence of less than two years.

Mr. Zhong's case is one of the highest-profile examples of how federal authorities have pierced the veil of blockchain transactions. Private and government investigators can now identify wallet addresses associated with terrorists, drug traffickers, money launderers and cybercriminals, all of which were supposed to be anonymous. Law-enforcement agencies, working with cryptocurrency exchanges and blockchain-analytics companies, have compiled data gleaned from earlier investigations, including the Silk Road case, to map the flow of cryptocurrency transactions across criminal networks worldwide. In the past two years, the U.S. has seized more than $10 billion worth of digital currency through successful prosecutions, according to the Internal Revenue Service -- in essence, by following the money. Instead of subpoenas to banks or other financial institutions, investigators can look to the blockchain for an instant snapshot of the money trail.

Robotics

The NYPD Is Bringing Back Its Robot Dog (theverge.com)

An anonymous reader quotes a report from The Verge: The New York Police Department is reenlisting Digidog, the four-legged robot that the city faced backlash for deploying a few years back, as reported earlier by The New York Times. NYC Mayor Eric Adams announced the news during a press event on Tuesday, stating that the use of Digidog in the city can "save lives." Digidog -- also known as Spot -- is a remote-controlled robot made by the Hyundai-owned Boston Dynamics. It's designed to work in situations that may pose a threat to humans, helping to do things like perform inspections in dangerous areas and monitor construction sites. However, Boston Dynamics also touts its use as a public safety tool, which the NYPD has tried in the past.

City officials say that the NYPD will acquire two robot dogs for a total of $750,000, according to the NYT, and that they will only be used during life-threatening situations, such as bomb threats. "I believe that technology is here; we cannot be afraid of it," Mayor Adams said during Tuesday's press conference. "A few loud people were opposed to it, and we took a step back — that is not how I operate. I operate on looking at what's best for the city."
The Surveillance Technology Oversight Project (STOP), a group that advocates against the use of local and state-level surveillance, has denounced Mayor Adams' move. "The NYPD is turning bad science fiction into terrible policing," Albert Fox Cahn, STOP's executive director, says in a statement. "New York deserves real safety, not a knockoff robocop. Wasting public dollars to invade New Yorkers' privacy is a dangerous police stunt."
Businesses

Sam Bankman-Fried Declared Alameda 'Unauditable,' New Report Shows (theblock.co)

The new management of FTX, headed by CEO John Ray III, on Sunday released its first interim report on control failures at the collapsed crypto exchange. There is a lot to digest. The Block: The 45-page report -- published Sunday afternoon by FTX Trading Ltd and its affiliated debtors -- describes in painstaking detail FTX's slapdash record-keeping, near non-existent cybersecurity defenses and its sparse expertise in key areas like finance. One of the more eye-catching items concerned Alameda Research, the trading firm that allegedly had access to billions of dollars in customer funds stored with FTX. The report states that Alameda "often had difficulty understanding what its positions were, let alone hedging or accounting for them."

Former CEO Sam Bankman-Fried, now under house arrest and facing a litany of criminal charges, described Alameda in internal communications as "hilariously beyond any threshold of any auditor being able to even get partially through an audit," according to the report. He went on: "Alameda is unauditable. I don't mean this in the sense of 'a major accounting firm will have reservations about auditing it'; I mean this in the sense of 'we are only able to ballpark what its balances are, let alone something like a comprehensive transaction history.' We sometimes find $50m of assets lying around that we lost track of; such is life."

Security

Crooks Are Using CAN Injection Attacks To Steal Cars (theregister.com)

"Thieves have discovered new ways to steal cars by pulling off smart devices (like smart headlights) to get at and attack via the Controller Area Network (CAN) bus," writes longtime Slashdot reader KindMind. The Register reports: A Controller Area Network (CAN) bus is present in nearly all modern cars, and is used by microcontrollers and other devices to talk to each other within the vehicle and carry out the work they are supposed to do. In a CAN injection attack, thieves access the network and introduce bogus messages as if they were from the car's smart key receiver. These messages effectively cause the security system to unlock the vehicle and disable the engine immobilizer, allowing it to be stolen. To gain this network access, the crooks can, for instance, break open a headlamp and use its connection to the bus to send messages. From that point, they can simply manipulate other devices to steal the vehicle.

"In most cars on the road today, these internal messages aren't protected: the receivers simply trust them," [Ken Tindell, CTO of Canis Automotive Labs] detailed in a technical write-up this week. The discovery followed an investigation by Ian Tabor, a cybersecurity researcher and automotive engineering consultant working for EDAG Engineering Group. It was driven by the theft of Tabor's RAV4. Leading up to the crime, Tabor noticed the front bumper and arch rim had been pulled off by someone, and the headlight wiring plug removed. The surrounding area was scuffed with screwdriver markings, which, together with the fact the damage was on the kerbside, seemed to rule out damage caused by a passing vehicle. More vandalism was later done to the car: gashes in the paint work, molding clips removed, and malfunctioning headlamps. A few days later, the Toyota was stolen.
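To make "the receivers simply trust them" concrete, here is an added Python model (not code from The Register, Tindell, or Canis) of a body-control ECU that unlocks on any frame carrying the key receiver's arbitration ID, beside a variant that authenticates each frame with a truncated HMAC and a freshness counter, broadly in the spirit of AUTOSAR SecOC. The arbitration ID 0x2A5, the command byte, the shared key and the frame layout are all hypothetical; real vehicles use different values. A classic CAN frame carries at most 8 data bytes, which is why the MAC is truncated to 4 bytes and the counter to 3.

```python
"""Toy model of CAN injection: an ECU that trusts any frame with the key
receiver's arbitration ID, beside one that authenticates frames with a
truncated HMAC and a freshness counter.

All arbitration IDs, the key and the frame layout here are made up for the
demonstration; they are not the RAV4's real values.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass

KEY_RECEIVER_ID = 0x2A5  # hypothetical ID used by the smart-key receiver
CMD_KEY_VALID = 0x01     # hypothetical "valid key present, unlock" command
SHARED_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # demo key only
MAC_LEN = 4              # MAC bytes that fit next to cmd(1)+counter(3) in 8 bytes


@dataclass(frozen=True)
class Frame:
    arb_id: int
    data: bytes

    def __post_init__(self):
        if not 0 <= self.arb_id <= 0x7FF or len(self.data) > 8:
            raise ValueError("not a classic CAN frame")


# --- Insecure receiver: what Tindell describes, the ID alone is trusted ---

def insecure_unlock_decision(frame: Frame) -> bool:
    """Unlock if the frame carries the key receiver's ID and the unlock command."""
    return frame.arb_id == KEY_RECEIVER_ID and frame.data[:1] == bytes([CMD_KEY_VALID])


# --- Authenticated variant: MAC over id||cmd||counter, counter must be fresh ---

def _mac(arb_id: int, cmd: int, counter: int) -> bytes:
    # Binding the arbitration ID into the MAC stops a frame signed for one ID
    # being re-sent under another.
    msg = struct.pack(">HB", arb_id, cmd) + counter.to_bytes(3, "big")
    return hmac.new(SHARED_KEY, msg, hashlib.sha256).digest()[:MAC_LEN]


def build_authenticated_frame(cmd: int, counter: int, key_id: int = KEY_RECEIVER_ID) -> Frame:
    """What a genuine key receiver sends: cmd(1) | counter(3) | mac(4) = 8 bytes."""
    return Frame(key_id, bytes([cmd]) + counter.to_bytes(3, "big") + _mac(key_id, cmd, counter))


class SecureReceiver:
    def __init__(self):
        self.last_counter = -1  # highest counter accepted so far (must be persisted in a real ECU)

    def unlock_decision(self, frame: Frame) -> bool:
        if frame.arb_id != KEY_RECEIVER_ID or len(frame.data) != 8:
            return False
        cmd = frame.data[0]
        counter = int.from_bytes(frame.data[1:4], "big")
        mac = frame.data[4:8]
        if counter <= self.last_counter:                  # replay of an old frame
            return False
        if not hmac.compare_digest(mac, _mac(frame.arb_id, cmd, counter)):
            return False                                  # forged without the key
        self.last_counter = counter
        return cmd == CMD_KEY_VALID


def demo() -> dict:
    # A thief at the headlamp connector injects a frame with the key receiver's ID.
    spoofed = Frame(KEY_RECEIVER_ID, bytes([CMD_KEY_VALID]) + bytes(7))
    genuine = build_authenticated_frame(CMD_KEY_VALID, counter=1000)
    rx = SecureReceiver()
    return {
        "insecure_accepts_spoof": insecure_unlock_decision(spoofed),
        "secure_rejects_spoof": not rx.unlock_decision(spoofed),
        "secure_accepts_genuine": rx.unlock_decision(genuine),
        "secure_rejects_replay": not rx.unlock_decision(genuine),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the insecure receiver accepting the spoofed frame while the authenticated receiver rejects the spoof (no key), accepts the genuine frame, and rejects a replay of it (stale counter). Two caveats a deployment has to get right: the counter must survive power cycles or be resynchronised at start-up, otherwise a recorded unlock frame replays after a battery disconnect; and keys must be per vehicle, otherwise one key extracted from one headlamp-side ECU forges frames for every car of that model.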

Refusing to take the pilfering lying down, Tabor used his experience to try to figure out how the thieves had done the job. The MyT app from Toyota -- which among other things allows you to inspect the data logs of your vehicle -- helped out. It provided evidence that Electronic Control Units (ECUs) in the RAV4 had detected malfunctions, logged as Diagnostic Trouble Codes (DTCs), before the theft. According to Tindell, "Ian's car dropped a lot of DTCs." Various systems had seemingly failed or suffered faults, including the front cameras and the hybrid engine control system. With some further analysis it became clear the ECUs probably hadn't failed, but communication between them had been lost or disrupted. The common factor was the CAN bus.

Crime

Thieves Tunnel Through Coffee Shop Wall To Steal $500,000 In iPhones From Washington Apple Store (macrumors.com)

An anonymous reader quotes a report from MacRumors: An Apple Store at the Alderwood Mall was burgled last weekend, with thieves infiltrating the location through a nearby coffee shop. According to Seattle's King 5 News, thieves broke into Seattle Coffee Gear, went into the bathroom, and cut a hole in the wall to get to the Apple Store backroom. The burglars were able to bypass the Apple Store's security system by using the adjacent coffee shop, stealing a total of 436 iPhones that were worth around $500,000.

According to Seattle Coffee Gear manager Eric Marks, the coffee shop is not noticeably adjacent to the Apple Store because of the way that the store is laid out. "I would have never suspected we were adjacent to the Apple Store, how it wraps around I mean," Marks told King 5 News. "So, someone really had to think it out and have access to the mall layout." Police were able to obtain surveillance footage of the theft, but as it is part of an active investigation, it has not yet been released. Nothing was stolen from the coffee shop, but it will cost $1,500 to replace locks and repair the bathroom wall.

Crime

US Treasury Warns DeFi Is Used by North Korea, Scammers To Launder Dirty Money (coindesk.com) 36

Decentralized finance (DeFi) services that aren't compliant with anti-money laundering and terrorist financing rules pose "the most significant current illicit finance risk" in that corner of the crypto sector, according to the U.S. Department of the Treasury's first analysis of hazards from the technology. From a report: In an expected risk assessment, published Thursday, the Treasury Department said thieves, scammers, ransomware cyber criminals and actors for the Democratic People's Republic of Korea (DPRK) are using DeFi to launder proceeds from crime. On the basis of its findings, the department recommends an assessment of "possible enhancements" to U.S. anti-money laundering (AML) requirements and the rules for countering the financing of terrorism (CFT) as they should be applied to DeFi services. It also calls for input from the private sector to inform the next steps. "Clearly, we can't do this alone," said Brian Nelson, Treasury's undersecretary for terrorism and financial intelligence, in a Thursday webcast hosted by ACAMS, a global organization focused on preventing financial crime. "We call on the private sector to use the findings of the risk assessment to inform your own risk-mitigation strategies." The 40-page report warns that "DeFi services at present often do not implement AML/CFT controls or other processes to identify customers, allowing layering of proceeds to take place instantaneously and pseudonymously."

Crime

FBI Seizes Bot Shop 'Genesis Market' (krebsonsecurity.com) 8

Several domain names tied to Genesis Market, a bustling cybercrime store that sold access to passwords and other data stolen from millions of computers infected with malicious software, were seized by the Federal Bureau of Investigation (FBI) today. KrebsOnSecurity reports: Sources tell KrebsOnSecurity the domain seizures coincided with "dozens" of arrests in the United States and abroad targeting those who allegedly operated the service, as well as suppliers who continuously fed Genesis Market with freshly-stolen data. Active since 2018, Genesis Market's slogan has long been, "Our store sells bots with logs, cookies, and their real fingerprints." Customers could search for infected systems with a variety of options, including by Internet address or by specific domain names associated with stolen credentials.

But earlier today, multiple domains associated with Genesis had their homepages replaced with a seizure notice from the FBI, which said the domains were seized pursuant to a warrant issued by the U.S. District Court for the Eastern District of Wisconsin. But sources close to the investigation tell KrebsOnSecurity that law enforcement agencies in the United States, Canada and across Europe are currently serving arrest warrants on dozens of individuals thought to support Genesis, either by maintaining the site or selling the service bot logs from infected systems. The seizure notice includes the seals of law enforcement entities from several countries, including Australia, Canada, Denmark, Germany, the Netherlands, Spain, Sweden and the United Kingdom. [...]

One feature of Genesis that sets it apart from other bot shops is that customers can retain access to infected systems in real time, so that if the rightful owner of an infected system creates a new account online, those new credentials will get stolen and displayed in the web-based panel of the Genesis customer who purchased that bot. "While some infostealers are designed to remove themselves after execution, others create persistent access," reads a March 2023 report from cybersecurity firm SpyCloud. "That means bad actors have access to the current data for as long as the device remains infected, even if the user changes passwords." SpyCloud says Genesis even advertises its commitment to keep the stolen data and the compromised systems' fingerprints up to date. "According to our research, Genesis Market had more than 430,000 stolen identities for sale as of early last year -- and there are many other marketplaces like this one," the SpyCloud report concludes.

Privacy

Labor To Consider Age-Verification 'Roadmap' For Restricting Online Pornography Access (theguardian.com) 122

An anonymous reader quotes a report from The Guardian: The federal government is considering a "roadmap" on how to restrict access to online pornography to those who can prove they are 18 or older, but there are warnings that any system could come at the cost of Australians' privacy online. On Friday, the eSafety commissioner provided a long-awaited roadmap to the government for how to verify users' ages online, which was commissioned by the former Morrison government nearly two years ago. The commissioner's office said the roadmap "explores if and how age verification and other measures could be used to prevent and mitigate harm to children from online pornography" but that any action taken will be a decision of government.

A variety of options for verifying people's ages were considered during the consultation for the roadmap, such as the use of third-party companies, individual sites verifying ages using ID documents or credit card checks, and internet service providers or mobile phone operators being used to check users' ages. Digital rights groups have raised concerns about the potential for any verification system to create a honeypot of people's personal information. But the office said any technology-based solution would need to strike the right balance between safety, privacy and security, and must be coupled with education campaigns for children, parents and educators. [...]

It comes as new industry codes aimed at tackling restricted-access content online, developed by groups representing digital platforms and software, gaming and telecommunications companies, were submitted to the eSafety commissioner for approval. The content covered includes child sexual abuse material, terrorism, extreme crime and violence, and drug-related content. The commissioner, Julie Inman Grant, will now decide whether the voluntary codes meet her expectations or whether she needs to enforce mandatory codes. [...] The second phase of the codes will set out how the platforms restrict access to pornography on their sites -- separate from the use of age verification systems.
