In Brazil's Amazon, armed men with a rogue police unit overseeing illegal mining operations intimidated journalists investigating regional violence and trafficking surges. Though Brazil's 2023 deforestation decreased, fires and attacks continued as governments deprioritized crime reduction. Illegal mining finances threats to the climate-critical rainforest, yet improving security was absent from the 2023 UN climate summit agenda. With complex criminal networks forging cross-border alliances and violence escalating, addressing this dilemma is pivotal to safeguarding the Amazon and its Indigenous peoples. Nature: Solutions to these multifaceted issues might not be simple, but practical steps exist. Nations must cooperate to guard against this violence. They must support local communities -- by increasing the state's presence in remote areas and promoting health care, education and sustainable economic development -- and help them to safeguard the rainforest. For example, Indigenous peoples in Peru and Brazil are using drones and GPS devices to monitor their land and detect threats from violent invaders.

Indigenous peoples are the Amazon's best forest guardians, but they need more legally demarcated lands and protective measures, such as funding for Indigenous guards and rapid response and emergency protocols. In 2022, Colombia and Brazil saw the most deaths of environmental and land defenders worldwide. Developing effective strategies to enhance cooperation between law enforcement and local populations must also be a priority. To prevent irreversible damage to the rainforest and the climate, security in the Amazon must be added to the global climate agenda.

The source code for Grand Theft Auto 5 was reportedly leaked on Christmas Eve, a little over a year after the Lapsus$ threat actors hacked Rockstar games and stole corporate data. From a report: Links to download the source code were shared on numerous channels, including Discord, a dark web website, and a Telegram channel that the hackers previously used to leak stolen Rockstar data. In a post to a Grand Theft Auto leak channel on Telegram, the channel owner known as 'Phil' posted links to the stolen source code, sharing a screenshot of one of the folders.

U.S. officials are worried about hacking and insider theft of AI secrets, which China has denied. From a report: On a July day in 2018, Xiaolang Zhang headed to the San Jose, Calif., airport to board a flight to Beijing. He had passed the checkpoint at Terminal B when his journey was abruptly cut short by federal agents. After a tipoff by Apple's security team, the former Apple employee was arrested and charged with stealing trade secrets related to the company's autonomous-driving program. It was a skirmish in a continuing shadow war between the U.S. and China for supremacy in artificial intelligence. The two rivals are seeking any advantage to jump ahead in mastering a technology with the potential to reshape economies, geopolitics and war.

Artificial intelligence has been on the Federal Bureau of Investigation's list of critical U.S. technologies to protect, just as China placed it on a list of technologies it wanted its scientists to achieve breakthroughs on by 2025. China's AI capabilities are already believed to be formidable, but U.S. intelligence authorities have lately made new warnings beyond the threat of intellectual-property theft. Instead of just stealing trade secrets, the FBI and other agencies believe China could use AI to gather and stockpile data on Americans at a scale that was never before possible. China has been linked to a number of significant thefts of personal data over the years, and artificial intelligence could be used as an "amplifier" to support further hacking operations, FBI Director Christopher Wray said, speaking at a press conference in Silicon Valley earlier this year.

Mint Mobile has disclosed a new data breach that exposed the personal information of its customers, including data that can be used to perform SIM swap attacks. From a report: Mint is a mobile virtual network operator (MVNO) offering budget, pre-paid mobile plans. T-Mobile has proposed paying $1.3 billion to purchase the company. The company began notifying customers on December 22nd via emails titled "Important information regarding your account," stating that they suffered a security incident and a hacker obtained customer information.

"We are writing to inform you about a security incident we recently identified in which an unauthorized actor obtained some limited types of customer information," warns the Mint Mobile data breach notification. "Our investigation indicates that certain information associated with your account was impacted."

The Biden administration has spent much of the last two years bracing key U.S. networks and infrastructure against crippling cyberattacks from Russia, Iran and China. But it is following a different playbook as it ramps up its efforts to thwart digital threats from North Korea: Follow the crypto -- and stop it. From a report: Convinced North Korea primarily sees hacking as a way to funnel money back to the cash-strapped Kim Jong Un regime, the White House has focused on blocking the country's ability to launder the cryptocurrency it steals through its cyberattacks. In the last year, the administration has unveiled a flurry of sanctions against North Korean hacking groups, front companies and IT workers, and blacklisted multiple cryptocurrency services they use to launder stolen funds. Earlier this month, national security adviser Jake Sullivan announced a new partnership with Japan and South Korea aimed at cracking down on Pyongyang's crypto bonanza -- thereby choking off money to its nuclear and conventional weapons programs.

"In countering North Korean cyber operations, our first priority has been focusing on their crypto heists," Anne Neuberger, the National Security Council's top cybersecurity official, said in an interview. The stepped-up effort to blunt North Korea's cyber operations is fueled by growing alarm about where the fruits of those attacks are going, Neuberger said. Hacking, she argued, has enabled North Korea to "either evade sanctions or evade the steps the international community has taken to target their weapons proliferation ... their missile regime, and the growth in the number of launches we've seen."

"The Portland International Airport in Oregon understands holiday travel is stressful. So this season, it invited a few specialists..." writes the Washington Post.

One TV station describes them as "therapy llamas... two 400-pound fluffballs serving as therapy animals" stationed at Portland International Airport (or PDX) earlier this week, for "travelers, in need of a calming moment."

From the Washington Post: Airports around the globe use a variety of methods to inject some Zen into one of the busiest travel periods of the year. They decorate their halls in holiday lights, host carolers and concerts, and bring in therapy dogs for group canine counseling.

Portland does all of the above. True to the city's quirky spirit, it also invites local camelids to the airport to canoodle with passengers. That's where Gregory, president and founder of Mountain Peaks Therapy Llamas & Alpacas, comes in. "PDX has an ongoing partnership with various therapy animal programs," said Allison Ferre, media relations manager with the Port of Portland, which operates the airport. "So this year, when we were bringing back holiday concessions programing, we just thought, "Who better to lead that parade than the llamas and alpacas?"

This year's theme was "reindeer." Gregory and her daughter, Shannon Joy, dressed the pair in antler headbands, glittery halters with tinkling bells and poinsettia-adorned wreathes. Red velvet banners worn like saddles were inscribed with their names and silvery snowflakes. "They looked pretty fancy," Gregory said...

Though the pair had to pass through security, they didn't have to submit to a pat down, which they might have enjoyed for the extra pets.

"It's easy to default to giving the tech gifts that retailers tend to push on us this time of year..." notes Lifehacker senior writer Thorin Klosowski.

"But before you give one, think twice about what you're opting that person into." A number of these gifts raise red flags for us as privacy-conscious digital advocates. Ring cameras are one of the most obvious examples, but countless others over the years have made the security or privacy naughty list (and many of these same electronics directly clash with your right to repair). One big problem with giving these sorts of gifts is that you're opting another person into a company's intrusive surveillance practice, likely without their full knowledge of what they're really signing up for... And let's not forget about kids. Long subjected to surveillance from elves and their managers, electronics gifts for kids can come with all sorts of surprise issues, like the kid-focused tablet we found this year that was packed with malware and riskware. Kids' smartwatches and a number of connected toys are also potential privacy hazards that may not be worth the risks if not set up carefully.

Of course, you don't have to avoid all technology purchases. There are plenty of products out there that aren't creepy, and a few that just need extra attention during set up to ensure they're as privacy-protecting as possible. While we don't endorse products, you don't have to start your search in a vacuum. One helpful place to start is Mozilla's Privacy Not Included gift guide, which provides a breakdown of the privacy practices and history of products in a number of popular gift categories.... U.S. PIRG also has guidance for shopping for kids, including details about what to look for in popular categories like smart toys and watches....

Your job as a privacy-conscious gift-giver doesn't end at the checkout screen. If you're more tech savvy than the person receiving the item, or you're helping set up a gadget for a child, there's no better gift than helping set it up as privately as possible.... Giving the gift of electronics shouldn't come with so much homework, but until we have a comprehensive data privacy law, we'll likely have to contend with these sorts of set-up hoops. Until that day comes, we can all take the time to help those who need it.

The New York Times reports: Last month, I received an alarming email from someone I did not know: Rui Zhu, a Ph.D. candidate at Indiana University Bloomington. Mr. Zhu had my email address, he explained, because GPT-3.5 Turbo, one of the latest and most robust large language models (L.L.M.) from OpenAI, had delivered it to him. My contact information was included in a list of business and personal email addresses for more than 30 New York Times employees that a research team, including Mr. Zhu, had managed to extract from GPT-3.5 Turbo in the fall of this year. With some work, the team had been able to "bypass the model's restrictions on responding to privacy-related queries," Mr. Zhu wrote.

My email address is not a secret. But the success of the researchers' experiment should ring alarm bells because it reveals the potential for ChatGPT, and generative A.I. tools like it, to reveal much more sensitive personal information with just a bit of tweaking. When you ask ChatGPT a question, it does not simply search the web to find the answer. Instead, it draws on what it has "learned" from reams of information — training data that was used to feed and develop the model — to generate one. L.L.M.s train on vast amounts of text, which may include personal information pulled from the Internet and other sources. That training data informs how the A.I. tool works, but it is not supposed to be recalled verbatim... In the example output they provided for Times employees, many of the personal email addresses were either off by a few characters or entirely wrong. But 80 percent of the work addresses the model returned were correct.
The researchers used the API for accessing ChatGPT, the article notes, where "requests that would typically be denied in the ChatGPT interface were accepted..."

"The vulnerability is particularly concerning because no one — apart from a limited number of OpenAI employees — really knows what lurks in ChatGPT's training-data memory."

And there was a broader related warning in another article published the same day. Microsoft may be building an AI silo in a walled garden, argues a professor at the University of California, Berkeley's school of information, calling the development "detrimental for technology development, as well as costly and potentially dangerous for society and the economy." [In January] Microsoft sealed its OpenAI relationship with another major investment — this time around $10 billion, much of which was, once again, in the form of cloud credits instead of conventional finance. In return, OpenAI agreed to run and power its AI exclusively through Microsoft's Azure cloud and granted Microsoft certain rights to its intellectual property...

Recent reports that U.K. competition authorities and the U.S. Federal Trade Commission are scrutinizing Microsoft's investment in OpenAI are encouraging. But Microsoft's failure to report these investments for what they are — a de facto acquisition — demonstrates that the company is keenly aware of the stakes and has taken advantage of OpenAI's somewhat peculiar legal status as a non-profit entity to work around the rules...

The U.S. government needs to quickly step in and reverse the negative momentum that is pushing AI into walled gardens. The longer it waits, the harder it will be, both politically and technically, to re-introduce robust competition and the open ecosystem that society needs to maximize the benefits and manage the risks of AI technology.

An anonymous reader shared this report from Fast Company: Providers of critical infrastructure in the United States are doing a sloppy job of defending against cyber intrusions, the National Security Council tells Fast Company, pointing to recent Iran-linked attacks on U.S. water utilities that exploited basic security lapses [earlier this month]. The security council tells Fast Company it's also aware of recent intrusions by hackers linked to China's military at American infrastructure entities that include water and energy utilities in multiple states.

Neither the Iran-linked or China-linked attacks affected critical systems or caused disruptions, according to reports.

"We're seeing companies and critical services facing increased cyber threats from malicious criminals and countries," Anne Neuberger, the deputy national security advisor for cyber and emerging tech, tells Fast Company. The White House had been urging infrastructure providers to upgrade their cyber defenses before these recent hacks, but "clearly, by the most recent success of the criminal cyberattacks, more work needs to be done," she says... The attacks hit at least 11 different entities using Unitronics devices across the United States, which included six local water facilities, a pharmacy, an aquatics center, and a brewery...

Some of the compromised devices had been connected to the open internet with a default password of "1111," federal authorities say, making it easy for hackers to find them and gain access. Fixing that "doesn't cost any money," Neuberger says, "and those are the kinds of basic things that we really want companies urgently to do." But cybersecurity experts say these attacks point to a larger issue: the general vulnerability of the technology that powers physical infrastructure. Much of the hardware was developed before the internet and, though they were retrofitted with digital capabilities, still "have insufficient security controls," says Gary Perkins, chief information security officer at cybersecurity firm CISO Global. Additionally, many infrastructure facilities prioritize "operational ease of use rather than security," since many vendors often need to access the same equipment, says Andy Thompson, an offensive cybersecurity expert at CyberArk. But that can make the systems equally easy for attackers to exploit: freely available web tools allow anyone to generate lists of hardware connected to the public internet, like the Unitronics devices used by water companies.

"Not making critical infrastructure easily accessible via the internet should be standard practice," Thompson says.

"The iMessage connection software that powers Beeper Mini and Beeper Cloud is now 100% open source," Beeper announced late this week. " Anyone who wants can use it or continue development."

But while Beeper says it's done trying to bring iMessage to Android, CNET reports that the whole battle was "deeply tied" to Apple's ongoing strategy to control the mobile market: The tide seems to be changing, however: Apple said last month it would be opening up its Messages app (likely due to European regulation) to work with the newer, more feature-rich texting protocol called RCS. This hopefully will lead to a more modern and secure messaging experience when texting between an iPhone and an Android phone, and lead away from the aging SMS and MMS standards. Unfortunately, green bubbles will continue to persist even if there might be little to no functional difference. While third-party apps like Nothing Chats attempted and ultimately failed to bring iMessage to Android, Apple will likely never release the app on Google's mobile operating system.

Until RCS is fully adopted, companies are creating services to allow access to iMessage via Android phones. Apple, for its part, has been quick to block apps like Beeper Mini, citing security concerns. This, however, is raising eyebrows from lawmakers regarding competition in the messaging space and Apple's tight control over the market...

Beeper in a December 21 blog post told users to grab a jailbroken iPhone and install a free Beeper tool that'll generate iMessage registration codes to keep the service operational. It's such a roundabout and potentially expensive way of trying to get iMessage on Android that it likely won't be worth it for most people. For those not willing to go out and jailbreak an iPhone, Beeper said in a now-deleted blog post that it would allow people to rent a jailbroken unit for a small monthly fee starting next year.

According to Canalys Research, Microsoft's plan to end support for Windows 10 could result in about 240 million computers being sent to landfills. "The electronic waste from these PCs could weigh an estimated 480 million kilograms, equivalent to 320,000 cars," adds Reuters. From the report: While many PCs could remain functional for years post the end of OS support, Canalys warned demand for devices without security updates could be low. Microsoft announced a plan to provide security updates for Windows 10 devices until October 2028 for an undisclosed annual price. If the pricing structure for extended Windows 10 support mirrors past trends, migrating to newer PCs could be more cost-effective, increasing the number of older PCs heading to scrap, Canalys said.

Beeper Mini, which offers iPhone messaging on Android phones, has grown fast and its duel with Apple has gotten the attention of antitrust regulators. The New York Times: Apple was caught by surprise when Beeper Mini gave Android devices access to its modern, iPhone-only service. Less than a week after Beeper Mini's launch, Apple blocked the app by changing its iMessage system. It said the app created a security and privacy risk. Apple's reaction set off a game of Whac-a-Mole, with Beeper Mini finding alternative ways to operate and Apple finding new ways to block the app in response. The duel has raised questions in Washington about whether Apple has used its market dominance over iMessage to block competition and force consumers to spend more on iPhones than lower-priced alternatives.

The Justice Department has taken interest in the case. Beeper Mini met with the department's antitrust lawyers on Dec. 12, two people familiar with the meeting said. Eric Migicovsky, a co-founder of the app's parent company, Beeper, declined to comment on the meeting, but the department is in the middle of a four-year-old investigation into Apple's anticompetitive behavior. The Federal Trade Commission said in a blog post on Thursday that it would scrutinize "dominant" players that "use privacy and security as a justification to disallow interoperability" between services. The post did not name any companies.

An anonymous reader quotes a report from TechCrunch: Rite Aid has been banned from using facial recognition software for five years, after the Federal Trade Commission (FTC) found that the U.S. drugstore giant's "reckless use of facial surveillance systems" left customers humiliated and put their "sensitive information at risk." The FTC's Order (PDF), which is subject to approval from the U.S. Bankruptcy Court after Rite Aid filed for Chapter 11 bankruptcy protection in October, also instructs Rite Aid to delete any images it collected as part of its facial recognition system rollout, as well as any products that were built from those images. The company must also implement a robust data security program to safeguard any personal data it collects.

A Reuters report from 2020 detailed how the drugstore chain had secretly introduced facial recognition systems across some 200 U.S. stores over an eight-year period starting in 2012, with "largely lower-income, non-white neighborhoods" serving as the technology testbed. With the FTC's increasing focus on the misuse of biometric surveillance, Rite Aid fell firmly in the government agency's crosshairs. Among its allegations are that Rite Aid -- in partnership with two contracted companies -- created a "watchlist database" containing images of customers that the company said had engaged in criminal activity at one of its stores. These images, which were often poor quality, were captured from CCTV or employees' mobile phone cameras.

When a customer entered a store who supposedly matched an existing image on its database, employees would receive an automatic alert instructing them to take action -- and the majority of the time this instruction was to "approach and identify," meaning verifying the customer's identity and asking them to leave. Often, these "matches" were false positives that led to employees incorrectly accusing customers of wrongdoing, creating "embarrassment, harassment, and other harm," according to the FTC. "Employees, acting on false positive alerts, followed consumers around its stores, searched them, ordered them to leave, called the police to confront or remove consumers, and publicly accused them, sometimes in front of friends or family, of shoplifting or other wrongdoing," the complaint reads. Additionally, the FTC said that Rite Aid failed to inform customers that facial recognition technology was in use, while also instructing employees to specifically not reveal this information to customers. In a press release, Rite Aid said that it was "pleased to reach an agreement with the FTC," but that it disagreed with the crux of the allegations.

"The allegations relate to a facial recognition technology pilot program the Company deployed in a limited number of stores," Rite Aid said in its statement. "Rite Aid stopped using the technology in this small group of stores more than three years ago, before the FTC's investigation regarding the Company's use of the technology began."

Longtime Slashdot reader Kreuzfeld writes: Help please: here in Lawrence, Kansas, the public school district has recently started using Gaggle (source may be paywalled; alternative source), a system for monitoring all digital documents and communications created by students on school-provided devices. Unsurprisingly, the system inundates employees with false 'alerts' but the district nonetheless hails this pervasive, dystopic surveillance system as a great success. What useful advice can readers here offer regarding successful methods to get public officials to backtrack from a policy so corrosive to liberty, trust, and digital freedoms?

An anonymous reader quotes a report from the New York Times: The Federal Trade Commission on Wednesday proposed sweeping changes to bolster the key federal rule that has protected children's privacy online, in one of the most significant attempts by the U.S. government to strengthen consumer privacy in more than a decade. The changes are intended to fortify the rules underlying the Children's Online Privacy Protection Act of 1998, a law that restricts the online tracking of youngsters by services like social media apps, video game platforms, toy retailers and digital advertising networks. Regulators said the moves would "shift the burden" of online safety from parents to apps and other digital services while curbing how platforms may use and monetize children's data.

The proposed changes would require certain online services to turn off targeted advertising by default for children under 13. They would prohibit the online services from using personal details like a child's cellphone number to induce youngsters to stay on their platforms longer. That means online services would no longer be able to use personal data to bombard young children with push notifications. The proposed updates would also strengthen security requirements for online services that collect children's data as well as limit the length of time online services could keep that information. And they would limit the collection of student data by learning apps and other educational-tech providers, by allowing schools to consent to the collection of children's personal details only for educational purposes, not commercial purposes. [...]

The F.T.C. began reviewing the children's privacy rule in 2019, receiving more than 175,000 comments from tech and advertising industry trade groups, video content developers, consumer advocacy groups and members of Congress. The resulting proposal (PDF) runs more than 150 pages. Proposed changes include narrowing an exception that allows online services to collect persistent identification codes for children for certain internal operations, like product improvement, consumer personalization or fraud prevention, without parental consent. The proposed changes would prohibit online operators from employing such user-tracking codes to maximize the amount of time children spend on their platforms. That means online services would not be able to use techniques like sending mobile phone notifications "to prompt the child to engage with the site or service, without verifiable parental consent," according to the proposal. How online services would comply with the changes is not yet known. Members of the public have 60 days to comment on the proposals, after which the commission will vote.

jd writes: Ars Technica is reporting a newly-discovered man-in-the-middle attack against SSH. This only works if you are using "ChaCha20-Poly1305" or "CBC with Encrypt-then-MAC", so it isn't a universal flaw. The CVE numbers for this vulnerability are CVE-2023-48795, CVE-2023-46445, and CVE-2023-46446.

From TFA:

At its core, Terrapin works by altering or corrupting information transmitted in the SSH data stream during the handshake -- the earliest stage of a connection, when the two parties negotiate the encryption parameters they will use to establish a secure connection. The attack targets the BPP, short for Binary Packet Protocol, which is designed to ensure that adversaries with an active position can't add or drop messages exchanged during the handshake. Terrapin relies on prefix truncation, a class of attack that removes specific messages at the very beginning of a data stream.

The Terrapin attack is a novel cryptographic attack targeting the integrity of the SSH protocol, the first-ever practical attack of its kind, and one of the very few attacks against SSH at all. The attack exploits weaknesses in the specification of SSH paired with widespread algorithms, namely ChaCha20-Poly1305 and CBC-EtM, to remove an arbitrary number of protected messages at the beginning of the secure channel, thus breaking integrity. In practice, the attack can be used to impede the negotiation of certain security-relevant protocol extensions. Moreover, Terrapin enables more advanced exploitation techniques when combined with particular implementation flaws, leading to a total loss of confidentiality and integrity in the worst case.

In a notice on Monday, Xfinity notified customers of a "data security incident" that resulted in the theft of customer information, including usernames, passwords, contact information, and more. The Verge reports: Xfinity traces the breach to a security vulnerability disclosed by cloud computing company Citrix, which began alerting customers of a flaw in software Xfinity and other companies use on October 10th. While Xfinity says it patched the security hole, it later uncovered suspicious activity on its internal systems "that was concluded to be a result of this vulnerability."

The hack resulted in the theft of customer usernames and hashed passwords, according to Xfinity's notice. Meanwhile, "some customers" may have had their names, contact information, last four digits of their social security numbers, dates of birth, and / or secret questions and answers exposed. Xfinity has notified federal law enforcement about the incident and says "data analysis is continuing."

We still don't know how many users were affected by the breach. Xfinity will automatically ask customers to change their passwords the next time they log in to their accounts, and it's also encouraging users to turn on two-factor authentication. You can find the full notice, including contact information for the company's incident response team, on Xfinity's website (PDF). UPDATE 12/19/23: According to TechCrunch, almost 36 million Xfinity customers had their sensitive information accessed by hackers via a vulnerability known as "CitrixBleed." The vulnerability is "found in Citrix networking devices often used by big corporations and has been under mass-exploitation by hackers since late August," the report says. "Citrix made patches available in early October, but many organizations did not patch in time. Hackers have used the CitrixBleed vulnerability to hack into big-name victims, including aerospace giant Boeing, the Industrial and Commercial Bank of China and international law firm Allen & Overy."

"In a filing with Maine's attorney general, Comcast confirmed that almost 35.8 million customers are affected by the breach. Comcast's latest earnings report shows the company has more than 32 million broadband customers, suggesting this breach has impacted most, if not all Xfinity customers."

A ransomware group that claimed to have successfully hacked Insomniac Games has now leaked the vast majority of its stolen files. From a report: Last week ransomware group Rhysida threatened to expose sensitive data about the company, its employees and its upcoming games, if it wasn't paid for the data. It then published data online which appeared to corroborate its claim that it had successfully hacked the Sony-owned studio, including an annotated screenshot from Insomniac's upcoming Wolverine game.

The group then threatened to publish the stolen data within seven days, but first offered it for auction with a starting price of 50 Bitcoins (approximately $2 million). Now, according to Cyber Daily, Rhysida has followed through with its threat and posted more than 1.3 million files totalling 1.67 terabytes to its darknet leak site. Around 98% of the hacked data has been leaked, with Rhysida stating that "not sold data was uploaded," implying that the remaining 2% may have been sold to someone.

An international group of law enforcement agencies have seized the dark web leak site of the notorious ransomware gang known as ALPHV, or BlackCat. From a report: "The Federal Bureau of Investigation seized this site as part of a coordinated law enforcement action taken against ALPHV Blackcat Ransomware," a message on the gang's dark web leak site now reads, seen by TechCrunch. According to the splash, the takedown operation also involved law enforcement agencies from the United Kingdom, Denmark, Germany, Spain and Australia.

In a later announcement confirming the disruption, the U.S. Department of Justice said that the international takedown effort, led by the FBI, enabled U.S. authorities to gain visibility into the ransomware group's computer to seize "several websites" that ALPHV operated. The FBI also released a decryption tool that has already enabled more than 500 ALPHV ransomware victims to restore their systems. (The government's search warrant puts the number at 400 victims.) The FBI said it worked with dozens of victims in the United States, saving them from paying ransom demands totaling approximately $68 million.

An anonymous reader quotes a report from BleepingComputer: Former Amazon security engineer Shakeeb Ahmed pleaded guilty this week to hacking and stealing over $12.3 million from two cryptocurrency exchanges in July 2022. The two affected companies are Nirvana Finance, a decentralized crypto exchange, and an unnamed exchange on the Solana blockchain platform that Ahmed hacked using his blockchain audit and smart contract reverse engineering skills. He first targeted the undisclosed crypto exchange by manipulating a smart contract to introduce false pricing data, generating roughly $9 million worth of inflated fees. Ahmed later withdrew the funds and offered to return all but $1.5 million on the condition that the exchange refrained from involving law enforcement.

Although not explicitly named by the Justice Department, the details of the attack match those of a July 2022 breach impacting the Crema Finance decentralized finance (DeFi) platform. Shortly after this first hack, Ahmed exploited a Nirvana Finance DeFi protocol smart contract loophole to take a flash loan of ANA cryptocurrency tokens at a low price and sell it back at a higher rate, yielding him approximately $3.6 million. Despite being offered a $300,000 bounty to return the stolen crypto assets, Ahmed kept everything he stole (representing all the funds owned by Nirvana Finance) after demanding $1.4 million and not reaching an agreement, forcing the exchange to shut down.

Seeking to conceal his actions and obscure the digital trail of the stolen funds, Ahmed used several cryptocurrency mixers (including Samourai Whirlpool), the Solana and Ethereum blockchains, and foreign exchanges to convert the millions he stole into Monero, a cryptocurrency known for its enhanced privacy and anonymity. Wary of being apprehended, Ahmed actively sought ways to elude detection and extradition. His online searches revealed his interest in strategies to flee the United States, thwart asset seizures, and secure citizenship in different nations, clearly showcasing Ahmed's intention to sidestep legal repercussions for his actions. [...] Ahmed entered a guilty plea for a single computer fraud charge, an offense with a maximum imprisonment term of five years. Additionally, he committed to compensating his victims with a sum totaling $5,071,074.23.