DOGE is expected to slash 40% of CISA's workforce
DOGE to host a hackathon to better access US citizens' most sensitive data, Apple appeals UK back door order, Taiwan identifies Crazyhunter hacker, TikTok to live for 75 more days in US, Five UK romance scammers convicted, Leak site of Everest gang defaced, OpenAI tests watermark, much more


Don't miss my latest CSO piece examining how Trump's tariffs are shaking up cybersecurity.
Sources say as many as 1,300 agency employees, nearly 40% of the agency's estimated 3,400 workers, could be pushed out or incentivized to leave the Cybersecurity and Infrastructure Security Agency (CISA) under the direction of Elon Musk's so-called Department of Government Efficiency (DOGE).
The timing of the cuts is unclear. One source familiar with the plans said the workforce reduction will likely come in weeks, not months, but workers will likely see a second "fork in the road" email first.
Earlier this year, the Trump administration fired probationary CISA employees, but a judge ordered more than 130 of them reinstated.
Sources say Elon Musk's DOGE effort is expected to make other significant cuts at CISA's fellow DHS agencies, including massive layoffs at the Federal Emergency Management Agency (FEMA) and potential cuts at Customs and Border Protection and Immigration and Customs Enforcement. (Margaret Brennan, Nicole Sganga, Andres Triay / CBS News and Betsy Klein, Jamie Gangel and Josh Campbell / CNN)
Related: Axios, NextGov/FCW
Elon Musk’s so-called Department of Government Efficiency (DOGE) plans to stage a “hackathon” this week in Washington, DC, to create a single “mega API” to give Musk and his workers greater access to individual Americans' most sensitive data hosted at the IRS.
The IRS is expected to partner with a third-party vendor to manage certain aspects of the data project. Sources say Palantir, a software company cofounded by billionaire and Musk associate Peter Thiel, has been brought up consistently by DOGE representatives as a possible candidate.
Sources say two top DOGE operatives at the IRS, Sam Corcos and Gavin Kliger, are helping to orchestrate the hackathon. Corcos is a health-tech CEO with ties to Musk’s SpaceX. Kliger attended UC Berkeley until 2020 and worked at the AI company Databricks before joining DOGE as a special adviser to the director at the Office of Personnel Management (OPM). Corcos is also a special adviser to Treasury Secretary Scott Bessent. (Makena Kelly / Wired)
Related: The Verge, PYMNTS, Tech Times, TechCrunch, TechRadar
The Investigatory Powers Tribunal (IPT) confirmed that Apple is appealing against a British government order to create a "back door" to its encrypted cloud storage systems.
In a written ruling, the IPT said it had refused the British government's application to keep "the bare details of the case," including that Apple brought it, private.
In February, Britain issued a "technical capability notice" to Apple to enable access to encrypted messages and photos, even for users outside the country.
Apple has long said that it would never build a so-called backdoor into its encrypted services or devices because once one exists, hackers as well as governments can exploit it, a position echoed by security experts. In response to Britain's sweeping demand, the iPhone maker withdrew Advanced Data Protection, the optional end-to-end encryption for most iCloud data, for new users in Britain.
The IPT's ruling said neither Apple nor Britain had confirmed or denied the accuracy of media reports, adding: "This judgment should not be taken as an indication that the media reporting is or is not accurate."
The Home Office had argued that publicizing the existence of the appeal, or that Apple brought it, could damage national security.
But Judges Rabinder Singh and Jeremy Johnson said: "We do not accept that the revelation of the bare details of the case would be damaging to the public interest or prejudicial to national security." (Sam Tobin / Reuters)
Related: The Standard, AppleInsider, MacRumors, Financial Times, BBC, Open Rights Group, UK Courts and Tribunals Judiciary
Some vaguely sourced UK press reports say that united by a shared opposition to liberal Western values, a "Holy League" coalition of about 90 so-called hacktivist groups came together with the stated intention of waging cyberwarfare against Ukraine, Israel, and their allies.
The coalition includes groups believed to be working alongside Russia’s military intelligence branch, the GRU, as well as hackers said to have been trained by the Iranian Revolutionary Guard Corps (IRGC).
Among the league’s members is the Cyber Army of Russia Reborn (CARR), a group suspected of working on behalf of APT44 (Mandiant's name for Sandworm), the GRU’s cyberwarfare unit, which for more than a decade has worked to infiltrate and infect Ukrainian and Western systems through sophisticated hacking operations. (Tom Ball / The Times)
Related: The Standard, Daily Mail
Taiwan’s Criminal Investigation Bureau (CIB) uncovered the identity of “Crazyhunter,” who attacked Mackay Memorial Hospital and several medical institutions, schools, and companies in February and March.
The CIB said it confirmed the identity of "Crazyhunter” as a man surnamed Luo (羅) from Zhejiang Province, China. The CIB’s Technological Crime Investigation Unit analyzed information, including IP addresses, techniques, and malicious code, to identify the hacker.
Authorities suspect Luo of violating laws on obstruction of computer use, personal data protection, and extortion, and said that targeting hospitals, schools, and listed companies endangered national public security.
Luo is also accused of disrupting social order. Authorities noted the suspect set up a website on the dark web to publicize victims and demand ransom, causing psychological panic and instability. (Lily LaMattina / Taiwan News)
Related: Taiwan News, Databreaches.net, Northeast Herald
Following assurances from the Trump administration, Apple will keep TikTok and other apps from ByteDance on its US App Store for at least another 75 days.
Sources say the company received a letter from Attorney General Pam Bondi saying it should follow President Donald Trump’s executive order extending the pause on a TikTok ban in the US.
“The Deal requires more work to ensure all necessary approvals are signed, which is why I am signing an Executive Order to keep TikTok up and running for an additional 75 days,” Trump said in a post on his Truth Social platform. (Mark Gurman / Bloomberg)
Related: AppleInsider, Neowin, PYMNTS.com, CNBC, Cryptopolitan, Tech in Asia, Universul.net, The Mac Observer, PhoneArena, Associated Press
UK prosecutors convicted five romance scammers-turned-money launderers after police shuttered a multimillion-pound fraud operation.
Prosecutors said 40 individuals were confirmed as victims, although the actual number is thought to be more than double that – 99 in total.
Fawaz Ali, 27, Ebenezer Tackie, 42, and Michael Quartey, 28, were all found guilty of money laundering offenses at a Guildford Crown Court trial on Friday. The laundered proceeds from the romance scams are estimated to be £3.25 million ($4.22 million).
Two others, Kwabena Edusei, 36, and George Melseaux, 40, earlier pleaded guilty to the charges related to their roles in the operation and therefore did not face trial.
Edusei pleaded guilty to fraud and money laundering charges, while Melseaux also pleaded guilty to money laundering and possessing ID documents with intent to misuse for fraudulent purposes. (Connor Jones / The Register)
Related: Crown Prosecution Service, WiredGov
This weekend, a leak site used by the Everest ransomware gang was hacked and defaced.
The ransomware gang used the leak site to publish stolen files and extort its victims into paying a ransom demand. The site's content was replaced with a brief text note: “Don’t do crime—CRIME IS BAD xoxo from Prague.”
At the time of writing, the site was still defaced. It’s unclear if the gang also experienced a data breach due to the hack. (Zack Whittaker / TechCrunch)
Related: Techzine
The ongoing phishing campaign impersonating E-ZPass and other toll agencies has surged recently, with recipients receiving multiple iMessage and SMS texts designed to steal personal and credit card information.
The messages embed links that, if clicked, take the victim to a phishing site impersonating E-ZPass, The Toll Roads, FasTrak, Florida Turnpike, or another toll authority that attempts to steal their personal information, including names, email addresses, physical addresses, and credit card information.
This scam is not new, with the FBI warning about it in April 2024, but multiple reports of a recent surge in this mobile phishing campaign have emerged.
The text messages bypass anti-spam measures and arrive from seemingly random email addresses (an iMessage sender can be an Apple ID registered to any email address), which, combined with the scale of the campaign, indicates an automated operation. (Bill Toulas / Bleeping Computer)
Related: r/scams, r/kansascity, Delaware News Journal

OpenAI is reportedly testing a new "watermark" for the Image Generation model, which is a part of the ChatGPT 4o model, likely because more and more users are generating Studio Ghibli artwork using the ImageGen model.
ChatGPT's Image Generation model allows users to create realistic visuals, including images in the style of Studio Ghibli, the well-known Japanese animation studio.
ChatGPT's ImageGen model was previously limited to paid users (ChatGPT Plus customers), but it has now rolled out to everyone, including those with a free subscription.
As spotted by AI researcher Tibor Blaho, it looks like OpenAI is working on a new "ImageGen" watermark for free users. (Mayank Parmar / Bleeping Computer)
Related: Digital Trends, NewsBytes, India Today
Researchers at Socket report that a newly discovered malicious PyPI package named 'disgrasya', which abuses legitimate WooCommerce stores to validate stolen credit cards, has been downloaded over 34,000 times from the open-source package platform.
The script specifically targeted WooCommerce stores using the CyberSource payment gateway to validate cards. Card validation is a key step for carding actors, who need to test thousands of stolen cards from dark web dumps and leaked databases to determine which ones still work and what they are worth.
Socket says the malware's end-to-end checkout emulation is particularly hard for the targeted sites' fraud detection systems to distinguish from legitimate checkouts.
Still, Socket says there are methods to mitigate the problem, like blocking very low-value orders under $5, which are typically used in carding attacks, monitoring for multiple small orders with unusually high failure rates, or high checkout volumes linked to a single IP address or region.
Socket also suggests adding CAPTCHA steps on the checkout flow that may interrupt the operation of carding scripts and apply rate limiting on checkout and payment endpoints. (Bill Toulas / Bleeping Computer)
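The mitigations Socket lists above (refuse tiny orders, watch per-IP decline rates and checkout volume, rate-limit the checkout endpoint) expressed as detection logic, as an added example that is not Socket's, WooCommerce's or the package's code. The log format, the sample lines and the thresholds are constructed for this illustration; a real store would feed its gateway and web-server logs into the same shape.

```python
"""Carding-pattern detection over WooCommerce-style checkout logs.

Added example, not Socket's, WooCommerce's or the package's code. The log
format below is constructed for this illustration: one checkout attempt per
line as "<ISO timestamp> <client IP> <order total USD> <gateway result>".
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: one IP hammering the checkout with sub-$5 orders that
# mostly decline (card testing), two IPs behaving like ordinary shoppers.
SAMPLE_LOG = """\
2025-04-05T10:00:01Z 203.0.113.7 2.99 declined
2025-04-05T10:00:02Z 203.0.113.7 1.49 declined
2025-04-05T10:00:03Z 203.0.113.7 3.10 approved
2025-04-05T10:00:04Z 203.0.113.7 0.99 declined
2025-04-05T10:00:05Z 203.0.113.7 2.00 declined
2025-04-05T10:00:06Z 203.0.113.7 4.50 declined
2025-04-05T10:05:00Z 198.51.100.20 59.99 approved
2025-04-05T10:06:00Z 198.51.100.20 120.00 approved
2025-04-05T10:07:00Z 192.0.2.44 3.25 declined
"""

# Thresholds are assumptions for the example; tune them to the store's traffic.
LOW_VALUE_USD = 5.00        # Socket's suggested floor for blocking tiny orders
MIN_ATTEMPTS = 5            # do not judge an IP on one or two checkouts
MAX_FAILURE_RATE = 0.5      # more than half of attempts declined is suspicious


@dataclass
class IpStats:
    attempts: int = 0
    low_value: int = 0
    declined: int = 0


def parse_log(text):
    """Parse the constructed log format into (timestamp, ip, amount, result) rows."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        ts, ip, amount, result = parts
        rows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, float(amount), result))
    return rows


def should_block_order(amount_usd):
    """Hard rule: refuse checkouts below the low-value floor outright."""
    return amount_usd < LOW_VALUE_USD


def aggregate(rows):
    """Per-IP counts of attempts, low-value orders and declines."""
    stats = defaultdict(IpStats)
    for _, ip, amount, result in rows:
        s = stats[ip]
        s.attempts += 1
        if amount < LOW_VALUE_USD:
            s.low_value += 1
        if result != "approved":
            s.declined += 1
    return stats


def flag_carding(stats):
    """Return {ip: [reasons]} for IPs whose checkout pattern looks like card testing."""
    flagged = {}
    for ip, s in stats.items():
        if s.attempts < MIN_ATTEMPTS:
            continue
        reasons = []
        if s.declined / s.attempts > MAX_FAILURE_RATE:
            reasons.append("high decline rate across many checkouts")
        if s.low_value == s.attempts:
            reasons.append("every order below the low-value floor")
        if reasons:
            flagged[ip] = reasons
    return flagged


class CheckoutRateLimiter:
    """Sliding-window limit on checkout attempts per IP. In-memory here; a real
    deployment keeps the window in a shared store so every web node sees it."""

    def __init__(self, max_requests, window_seconds):
        self.max_requests = max_requests
        self.window_seconds = window_seconds
        self._hits = defaultdict(deque)

    def allow(self, ip, ts):
        hits = self._hits[ip]
        while hits and (ts - hits[0]).total_seconds() >= self.window_seconds:
            hits.popleft()  # drop hits that fell out of the window
        if len(hits) >= self.max_requests:
            return False
        hits.append(ts)
        return True


def rate_limit_decisions(rows, max_requests=3, window_seconds=60):
    """Replay the log through the limiter; returns {ip: [allowed, ...]} in log order."""
    limiter = CheckoutRateLimiter(max_requests, window_seconds)
    decisions = defaultdict(list)
    for ts, ip, _, _ in rows:
        decisions[ip].append(limiter.allow(ip, ts))
    return dict(decisions)


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for ip, reasons in flag_carding(aggregate(rows)).items():
        print(ip, "->", "; ".join(reasons))
    print(rate_limit_decisions(rows))
```

On the constructed log only 203.0.113.7 is flagged (six attempts, five declines, all under $5); the shopper IP with two approved orders and the single $3.25 decline are left alone because they never reach MIN_ATTEMPTS. The rate limiter lets the first three checkouts from an IP through in any 60-second window and refuses the rest, which is the kind of friction that breaks a script validating cards one checkout at a time.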
Related: Socket
Noah Urban, a Florida man linked to the sprawling Scattered Spider cybercriminal gang, pleaded guilty in a Jacksonville federal courtroom to charges including conspiracy and wire fraud.
Urban faced charges in two separate federal cases: in Florida, unsealed in January 2024, and in southern California, announced in November of last year. In the Florida case, Urban pleaded guilty to conspiracy to commit wire fraud and one count each of wire fraud and aggravated identity theft. In the California case, he pleaded guilty to one count of conspiracy to commit wire fraud.
In the Florida case, Urban was accused of stealing at least $800,000 in cryptocurrency from five different victims between August 2022 and March 2023. Prosecutors said Urban and others would steal victims’ personal information and arrange for the victims’ cell phone numbers to be swapped to phones that Urban and the other conspirators controlled (SIM swapping), letting them intercept the codes protecting the victims' accounts.
As part of his plea agreement, Urban agreed to make restitution to all victims. The agreement listed amounts, victim by victim, for both the Florida and California cases. Urban’s plea agreement also includes a list of items he agrees to forfeit, including cash, cryptocurrency, and physical items.
Urban will forfeit holdings in Dai, Ethereum, Monero, Bitcoin, and Ripple, held in various cryptocurrency wallets. While cryptocurrency prices fluctuate, the Dai is currently worth approximately $1.3 million, and the largest Ethereum holding is currently worth roughly $1.3 million.
Urban will also forfeit $27,702 in currency seized from a Palm Coast home, plus miscellaneous jewelry and six watches. (Eric Wallace / News4Jax)
Related: Databreaches.net
A hacker breached the GitLab repositories of multinational car-rental company Europcar Mobility Group and stole source code for Android and iOS applications and some personal information belonging to up to 200,000 customers.
The actor tried to extort the company by threatening to publish 37GB of data, including backups and details about the company’s cloud infrastructure and internal applications.
In late March, a threat actor using the company’s name as an alias announced that they “successfully breached Europcar's systems and obtained all their GitLab repositories.”
They claimed to have copied from the repositories more than 9,000 SQL files containing backups with personal data and at least 269 ENV files, the plain-text files used to store application configuration settings, environment variables, and secrets such as database credentials and API keys.
To prove the breach was real, the threat actor, posting under the alias "Europcar", published screenshots of credentials found in the stolen source code.
While the full extent of the damage is still being evaluated, the stolen data is said to include only the names and email addresses of Goldcar and Ubeeqo users. Based on online statistics, the number of affected customers may be between 50,000 and 200,000, with some records dating from 2017 and 2020. (Ionut Ilascu / Bleeping Computer)
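The ENV files and in-code credentials above are exactly what turns a repository theft into an infrastructure compromise, so the check a practitioner wants is one that catches them before they are committed. The following is an added example (not Europcar's code, and not a substitute for a full scanner such as gitleaks or trufflehog): a small .env secret scanner of the kind run as a pre-commit hook. The sample .env content is constructed, the AWS access key ID is the placeholder from AWS's own documentation, and the secret-like key names, placeholder list and entropy threshold are assumptions to tune per code base.

```python
"""Scan .env-style files for committed credentials.

Added example, not Europcar's code. Sample content is constructed; the AWS
access key ID is the placeholder from AWS's own documentation. The list of
secret-like key names, the placeholder set and the entropy threshold are
assumptions to tune per code base.
"""
import math
import re
from collections import Counter

# Constructed sample of the kind of file that leaks when a repo is copied.
SAMPLE_DOTENV = """\
# constructed sample, not real credentials
APP_ENV=production
DB_HOST=db.internal.example
export DB_PASSWORD="Tr0ub4dor&3xample"
API_KEY=changeme
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
DATABASE_URL='postgres://app:s3cr3t@db.internal.example:5432/app'
LOG_LEVEL=info
"""

# Key names that usually hold credentials (assumption; extend per code base).
SECRET_KEY_NAME = re.compile(
    r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|ACCESS_KEY|PRIVATE_KEY)", re.I)
# Values that are obviously placeholders and not worth a finding.
PLACEHOLDERS = {"", "changeme", "xxx", "<redacted>", "your_key_here", "null", "none", "example"}
# Well-known credential shapes that are findings regardless of the key name.
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "url_with_embedded_credentials": re.compile(r"\b[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@"),
    "pem_private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
ENTROPY_BITS_PER_CHAR = 4.0   # assumption: random-looking strings score higher
ENTROPY_MIN_LEN = 20          # short values give noisy entropy estimates


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for a single repeated symbol)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_dotenv(text):
    """Minimal KEY=VALUE parser: skips comments and blank lines, strips a
    leading 'export ', and removes one layer of matching quotes. Inline
    comments after a value are not handled."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, value = line.split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = value
    return env


def scan_dotenv(text):
    """Return [(key, [reasons])] for entries that look like live credentials."""
    findings = []
    for key, value in parse_dotenv(text).items():
        if value.lower() in PLACEHOLDERS:
            continue  # a placeholder is not a leak
        reasons = []
        if SECRET_KEY_NAME.search(key):
            reasons.append("secret-like key name")
        for name, pattern in KNOWN_PATTERNS.items():
            if pattern.search(value):
                reasons.append(f"matches {name}")
        if len(value) >= ENTROPY_MIN_LEN and shannon_entropy(value) >= ENTROPY_BITS_PER_CHAR:
            reasons.append("high-entropy value")
        if reasons:
            findings.append((key, reasons))
    return findings


if __name__ == "__main__":
    for key, reasons in scan_dotenv(SAMPLE_DOTENV):
        print(f"{key}: {', '.join(reasons)}")
```

On the constructed file the scanner reports DB_PASSWORD (by key name), AWS_ACCESS_KEY_ID (by key name and by the AKIA pattern) and DATABASE_URL (credentials embedded in a connection URL), and stays quiet about API_KEY=changeme. The value-shape patterns matter because a credential hiding behind a bland key name such as DATABASE_URL is exactly what a name-only check misses; run the scan over every staged file, not only ones named .env.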
Related: Cyber Daily, Techzine

Google announced Sec-Gemini v1, an experimental new AI model designed to help security professionals combat cyber threats using real-time data and advanced reasoning.
Google tailored the new model, pulling in fresh data from sources like Google Threat Intelligence, the OSV vulnerability database, and Mandiant’s threat reports. This allows it to help with root cause analysis, threat identification, and vulnerability triage.
Google says the model outperforms other models on two well-known benchmarks. On CTI-MCQ, which measures how well models understand threat intelligence, it scores at least 11 percent higher than competitors. On CTI-Root Cause Mapping, it edges out rivals by at least 10.5 percent. (Brian Fagioli / BetaNews)
Related: Google, Hacker News (ycombinator), Slashdot, Evan Kotsovinos

Best Thing of the Day: Peeling Back the BS on Facebook
Careless People, a book by former Facebook employee Sarah Wynn-Williams, is a first-person account of what it was like working at the social media giant as it abandoned values to make money, crush competition, and jettison regulation.
Worst Thing of the Day: It's OK, We Can Go Blind, Thank you
Substantial cracks have appeared in the intelligence-sharing relationship between the US and the UK, along with rifts that threaten America's position with other Five Eyes alliance members.
Closing Thought
