Crypto-Funded Chinese Peptide Labs Are Booming

WIRED


Meta has been quietly stashing dormant face recognition code on more than 50 million phones, WIRED reported this week, tucked inside the companion app that pairs with its Ray-Ban and Oakley smart glasses. If activated, the feature—known internally as NameTag—would let wearers identify people in front of them by matching captured faces against a biometric gallery sitting on the user’s device. It’s the same kind of technology Meta said it walked away from in 2021, after paying out billions of dollars to settle biometric privacy lawsuits in Texas and Illinois.

Meanwhile, xAI is asking a federal judge to force four people suing the company over Grok-generated deepfake nudes to drop their pseudonyms and litigate under their real names—including one plaintiff who alleges the chatbot was used to fabricate sexual images of her as a child. The plaintiffs say they’d sooner drop the suit than submit to harassment and doxing from Musk’s online supporters. xAI’s lawyers, however, claim that since the deepfakes will remain under seal, there’s “nothing inherently stigmatizing” about naming the people in them.

Google rolled out a new Android feature this week aimed at the wave of AI-powered impersonation scams that help fraudsters spoof a familiar number and clone a person’s voice. Packaged with Google Dialer and shipping to phones running Android 12 or later, it pings the caller’s device for a silent cryptographic handshake. If the call is fake, Android will flag it and strip the contact photo from the screen, but only if both ends are on Google Dialer, which leaves iPhones out of the picture.

WIRED also reported this week that the Manhattan Institute—the same right-wing think tank that engineered the 1990s broken-windows policing and the Trump administration’s anti-DEI push—is now shopping model legislation to turn minor protest-related offenses into felonies under a novel theory it calls “civil terrorism.”

Researchers have detailed a clever new browser side-channel attack called FROST that fingerprints other tabs—and sometimes the apps on your device—by measuring how long it takes to read from a sandboxed file on your SSD. The attack runs entirely in JavaScript and feeds the timing traces through a neural network trained on the I/O signatures of common software. No evidence so far anyone is using it in the wild.

And that’s not all. Each week, we round up the security and privacy news we didn’t cover in-depth ourselves. Click the headlines to read the full stories, and stay safe out there.

Chinese Crypto-Funded Fentanyl Labs Are Switching to Selling Peptides

The supplements known as peptides—chains of amino acids that promise to help those who smear, ingest, or inject them achieve everything from weight loss to skin rejuvenation—have become their own largely unregulated pharmaceutical subindustry. So it figures that their growth is being fueled by cryptocurrency, often sent directly to the Chinese labs that sell these mysterious panaceas.

Crypto-tracing firm Chainalysis this week published an analysis of crypto flows to peptide sellers, a gray market that the company now measures at more than $100 million a year and growing. Chainalysis specifically found that some of the same Chinese labs that were previously selling fentanyl precursors have now switched to manufacturing and selling peptides. The transition, Chainalysis believes, is designed to cash in on the wave of “looksmaxing” hype across social media that has pushed peptide sales—and to avoid the risk of a law enforcement crackdown on opioid manufacturers.

Meta’s AI Support Hacked Its Own Users’ Accounts

AI can do all kinds of things if you just ask it: Code an app, touch up your photos, or even hack President Barack Obama’s Instagram account. Since Meta announced in March that its account support will be increasingly automated with AI, including for functions like updating your password, hackers found that they could exploit the tool to reset the password and take over accounts of even high-profile users and celebrities. Among the victims, as reported by 404 Media, are Obama, the chief master sergeant of the US Space Force, and makeup chain Sephora. Meta says the issue is now fixed and affected accounts have been secured. But the wave of takeovers illustrates the risks of off-loading security functions to AI—particularly at companies like Meta, which has very publicly touted its all-in approach to adopting AI across the company.

Anthropic Is Now Helping the NSA With Offensive Hacking

When AI firm Anthropic rolled out its powerful Mythos tool to a select group of organizations for testing, it raised eyebrows by including the US National Security Agency on that initial access list. Mythos, after all, is reportedly capable of finding previously hidden, hackable vulnerabilities in software with alarming speed, raising fears that it could be used for automated mass surveillance and cyberattacks. But the NSA also has a defensive mission, and initial reporting suggested the agency might just be using Anthropic’s tool to find bugs in popular software used by Americans—such as Microsoft’s—with the goal of better securing it. Yet the Financial Times now reports that Anthropic is helping the NSA take its use of Mythos a step further, deploying Anthropic’s own engineers to the agency to help it learn to use the AI tool—including for offensive hacking. The FT couldn’t confirm that Mythos is being used in active hacking operations. But given the growing use of AI for state-sponsored hacking, it would be a surprise if the US is not joining the field of modern-day automated cyberintrusions.

Bill Pulte Tapped as Acting Director of National Intelligence

US president Donald Trump has picked Bill Pulte to temporarily act as director of national intelligence. Pulte replaces Tulsi Gabbard, who recently stepped down from the role citing her husband's health issues. Trump has said he is considering other people for the permanent job, but that confirmation process can take months.

As acting director, Pulte would be responsible for the entire US intelligence community, coordinating 18 different agencies including the Central Intelligence Agency and NSA.

Pulte would simultaneously remain in his position as director of the Federal Housing Finance Agency, where he's been busy. Typically, the agency's work involves regulating Fannie Mae and Freddie Mac, but Pulte has spent his time issuing multiple criminal referrals to the Justice Department accusing Trump's political enemies of mortgage fraud, including New York attorney general Letitia James, Federal Reserve governor Lisa Cook, and US senator Adam Schiff.

Both Republican and Democratic senators have expressed concerns about the selection of Pulte, which was made as Congress is still debating whether to renew a sweeping surveillance program known as Section 702.

Weird GPS Data Mystery Linked to US Military

For years, GPS satellites have been broadcasting mysterious data in a little-used portion of their public signal. The messages appear random. No one seemed to know exactly what they were for—until now. This week, University College London professor Steven Murdoch published evidence that may solve the mystery. After analyzing millions of archived GPS transmissions spanning nearly two decades, Murdoch concluded that the messages are likely part of the system the US military uses to distribute cryptographic keys to military GPS receivers around the world.

Murdoch borrowed techniques from the world of signals intelligence. He studied how often the messages changed, when satellites synchronized their behavior, and how those patterns evolved over time. One event stood out: In May 2011, nearly every operational GPS satellite abruptly switched to broadcasting the same placeholder message before transitioning to a new pattern. The change coincided with the rollout of a military system known as Over-the-Air Distribution, or OTAD, which allows military GPS receivers to receive updated cryptographic keys remotely rather than requiring them to be physically reprogrammed.

In an interview with WIRED, Murdoch stressed that he didn't crack any military encryption and cannot read the contents of the messages. Instead, his work shows how much can be learned by studying the behavior of a system rather than its secrets. The signals themselves are publicly broadcast and can be received by anyone with the right equipment. By examining years of those transmissions, Murdoch argues, he has uncovered a previously undocumented piece of GPS infrastructure that has been hiding in plain sight.