Cyberveille, curated by Decio
30 results tagged techcrunch.com
Anthropic debuts preview of powerful new AI model Mythos in new cybersecurity initiative https://techcrunch.com/2026/04/07/anthropic-mythos-ai-model-preview-security/
08/04/2026 06:43:35

TechCrunch
Lucas Ropek
11:00 AM PDT · April 7, 2026

The new model will be used by a small number of high-profile companies to engage in defensive cybersecurity work.

Anthropic on Tuesday released a preview of its new frontier model, Mythos, which it says will be used by a small coterie of partner organizations for cybersecurity work. In a previously leaked memo, the AI startup called the model one of its “most powerful” yet.

The model’s limited debut is part of a new security initiative, dubbed Project Glasswing, in which 12 partner organizations will deploy the model for the purposes of “defensive security work” and to secure critical software, Anthropic said. While it was not specifically trained for cybersecurity work, the model will be used to scan both first-party and open source software systems for code vulnerabilities, the company said.

Anthropic claims that, over the past few weeks, Mythos identified “thousands of zero-day vulnerabilities, many of them critical.” Many of the vulnerabilities are one to two decades old, the company added.

Mythos is a general-purpose model for Anthropic’s Claude AI systems that the company claims has strong agentic coding and reasoning skills. Anthropic’s frontier models are considered its most sophisticated and high-performance models, designed for more complex tasks, including agent-building and coding.

The partner organizations previewing Mythos as part of Project Glasswing include Amazon, Apple, Broadcom, Cisco, CrowdStrike, the Linux Foundation, Microsoft, and Palo Alto Networks. As part of the initiative, these partners will ultimately share what they’ve learned from using the model so that the rest of the tech industry can benefit from it. The preview is not going to be made generally available, Anthropic said, though 40 organizations will gain access to the Mythos preview aside from the partnership.

Anthropic also claims that it has engaged in “ongoing discussions” with federal officials about the use of Mythos, although one would have to imagine that those discussions are complicated by the fact that Anthropic and the Trump administration are currently locked in a legal battle after the Pentagon labeled the AI lab a supply-chain risk over Anthropic’s refusal to allow autonomous targeting or surveillance of U.S. citizens.

News of Mythos was originally leaked in a data security incident reported last month by Fortune. A draft blog about the model (then called “Capybara”) was left in an unsecured cache of documents available on a publicly inspectable data lake. The leak, which Anthropic subsequently attributed to “human error,” was originally spotted by security researchers. “‘Capybara’ is a new name for a new tier of model: larger and more intelligent than our Opus models — which were, until now, our most powerful,” the leaked document said, adding later that it was “by far the most powerful AI model we’ve ever developed,” according to the report.

In the leak, Anthropic claimed that its new model far exceeded the performance of its currently public models in areas like “software coding, academic reasoning, and cybersecurity,” and that it could potentially pose a cybersecurity threat if weaponized by bad actors to find bugs and exploit them (rather than fix them, which is how Mythos will be deployed).

Last month, the company accidentally exposed nearly 2,000 source code files and over half a million lines of code via a mistake it made in the launch of version 2.1.88 of its Claude Code software package. The company then accidentally caused thousands of code repositories on GitHub to be taken down as it attempted to clean up the mess.

Correction April 7, 2026: An earlier version of this article erroneously stated how many partners are working with Anthropic on Project Glasswing. There are 12 partner organizations, though 40 organizations total will have access to the Mythos preview.

techcrunch.com EN 2026 AI Anthropic Mythos
Someone has publicly leaked an exploit kit that can hack millions of iPhones https://techcrunch.com/2026/03/23/someone-has-publicly-leaked-an-exploit-kit-that-can-hack-millions-of-iphones/
24/03/2026 06:39:22

TechCrunch
Lorenzo Franceschi-Bicchierai
Zack Whittaker
1:42 PM PDT · March 23, 2026

Leaked "DarkSword" exploits published to GitHub allow hackers and cybercriminals to target iPhone users running old versions of iOS with spyware, according to cybersecurity researchers.

Last week, cybersecurity researchers uncovered a hacking campaign targeting iPhone users that used an advanced hacking tool called DarkSword. Now someone has leaked a newer version of DarkSword and published it on the code-sharing site GitHub.

Researchers are warning that this will allow any hacker to easily use the tools to target iPhone users running older versions of Apple’s operating systems who have not yet updated to its latest iOS 26 software. This likely affects hundreds of millions of actively used iPhones and iPads, according to Apple’s own data on out-of-date devices.

“This is bad. They are way too easy to repurpose,” Matthias Frielingsdorf, the co-founder of mobile security startup iVerify, told TechCrunch on Monday. “I don’t think that can be contained anymore. So we need to expect criminals and others to start deploying this.”

Frielingsdorf said that these new versions of DarkSword spyware share the same infrastructure with the ones he and his iVerify colleagues analyzed previously, although the files are slightly different. The files uploaded to GitHub are uncomplicated, just HTML and JavaScript, he said, meaning anyone can copy and paste them and host them on a server “in a couple minutes to hours.”

“The exploits will work out of the box,” Frielingsdorf said. “There is no iOS expertise required.”

Kimberly Samra, a spokesperson for Google, which previously analyzed the DarkSword exploit, said the company’s researchers agree with Frielingsdorf’s assessment.

A security hobbyist who goes by the handle matteyeux also told TechCrunch that it is indeed trivial to use the leaked DarkSword samples. Matteyeux wrote in a post on X Monday that he was able to hack an iPad mini tablet running iOS 18, the previous generation of the operating system that is vulnerable to DarkSword, using the “in the wild” DarkSword sample that is circulating online.

Apple spokesperson Sarah O’Rourke told TechCrunch that the company was aware of the exploit targeting devices running older and out-of-date operating systems and issued an emergency update on March 11 for devices unable to run recent versions of iOS.

“Keeping your software up to date is the single most important thing you can do to maintain the security of your Apple products,” O’Rourke said, adding that devices with updated software were not at risk from these reported attacks and that Lockdown Mode would also block these specific attacks.

A spokesperson for Microsoft, which owns GitHub, did not immediately respond to a request for comment.

The code, which TechCrunch is not linking to, as it can be used in active attacks, contains several comments that describe how the exploits work and how to implement them.

One comment, likely written by one of the developers who worked on DarkSword, says that the exploit “reads and exfiltrates forensically-relevant files from iOS devices via HTTP,” referring to stealing information from a person’s iPhone or iPad and sending the data over the internet to an attacker-controlled server.

“This payload should be injected into a process with filesystem access class,” the comment reads.

In one case, the code references “post-exploitation activity” and describes the process after the malware has gained access to the person’s phone: it grabs the device’s contents, including their contacts, messages, call history, and iOS keychain, which stores Wi-Fi passwords and other secrets, and dumps them to a remote server.

Another file contains references to uploading data to a popular Ukrainian apparel website, though TechCrunch could not immediately determine why. DarkSword was allegedly used by Russian government hackers against Ukrainian targets.

This particular spyware works specifically against iPhones and iPads running iOS 18, according to iVerify, Google, and Lookout, which also previously analyzed the DarkSword malware.

According to Apple’s own numbers, about one-quarter of all iPhone and iPad users are still running iOS 18 or earlier on their device. With more than 2.5 billion active devices, that likely equates to hundreds of millions of people whose devices are vulnerable to DarkSword attacks.

That’s why Frielingsdorf recommends everyone upgrade their iPhone’s operating system.

The discovery of DarkSword came only a few weeks after researchers discovered another advanced iPhone hacking toolkit known as Coruna. As TechCrunch reported, Coruna was originally developed by the defense contractor L3Harris, whose Trenchant division makes hacking tools for the U.S. government and its allies.

techcrunch.com EN 2026 DarkSword iphones ios apple spyware 0-day Vulnerability
Cyberattack on vehicle breathalyzer company leaves drivers stranded across the US https://techcrunch.com/2026/03/20/cyberattack-on-vehicle-breathalyzer-company-leaves-drivers-stranded-across-the-us
21/03/2026 14:15:33

TechCrunch
Zack Whittaker
8:01 AM PDT · March 20, 2026

A cyberattack on a U.S. car breathalyzer company has left drivers across the United States reportedly stranded and unable to start their vehicles.

The company, Intoxalock, says on its website that it is “currently experiencing downtime” after a cyberattack on March 14. Intoxalock sells breathalyzer devices that fit into vehicle ignition switches and are used by people who are required to provide a negative alcohol breath sample to start their car.

Intoxalock spokesperson Rachael Larson confirmed to TechCrunch that the company had been hit by a cyberattack. Larson said the company took steps to “temporarily pause some of our systems as a precautionary measure.”

These breathalyzer devices need to be calibrated every few months or so, but the cyberattack has left Intoxalock unable to perform these calibrations. The company said customers whose devices require calibration may experience delays starting their vehicles.

Drivers posting on Reddit say that cars are unable to start if they miss a calibration, effectively locking drivers out of their vehicles.

According to local news reports across Maine, drivers are experiencing lockouts and some have been unable to start their vehicles. One auto shop in Middleboro told WCVB 5 in Boston that it has had cars parked in its lot all week due to the cyberattack.

News reports from across the United States show drivers are affected from New York to Minnesota, and drivers have been unable to drive because their vehicle-based breathalyzers cannot be immediately calibrated.

Intoxalock would not say what kind of cyberattack it was experiencing, such as ransomware or if there was a data breach, or whether it had received any communications from the hackers, including any ransom demands. The company’s technology is used in 46 states, its website says, and it claims to provide services to 150,000 drivers every year.

Intoxalock did not provide an estimated timeline for its recovery.

techcrunch.com EN 2026 alcohol cybersecurity data breach Security Transportation
Salt Typhoon is hacking the world's phone and internet giants — here's everywhere that's been hit https://techcrunch.com/2026/03/09/salt-typhoon-china-who-has-been-hacked-global-telecom-giants/
15/03/2026 13:06:28

TechCrunch
Zack Whittaker
8:50 AM PDT · March 9, 2026

Salt Typhoon is by far one of the most prolific hacking groups in recent years, breaching some of the top American phone companies. Here are all the countries that have been targeted.

Salt Typhoon is behind one of the broadest hacking campaigns in recent years, targeting some of the world’s largest phone and internet companies and stealing tens of millions of phone records about senior government officials.

The hacking group, attributed to China, is part of a wider cluster of hackers with the collective aim of helping China prepare for an eventual war with Taiwan, according to researchers. U.S. officials have called China’s potential invasion of Taiwan an “epoch-defining threat.” Much of the group’s efforts have focused on hacking Cisco routers at the edge of a company’s network to break in, and on taking control of the surveillance devices that U.S. telecom companies are legally required to install so that law enforcement can monitor calls and messages.

While Salt Typhoon is focused on hacking telecom infrastructure, other China-backed groups like Volt Typhoon are prepositioning for destructive cyberattacks capable of causing widespread disruption, and Flax Typhoon runs a botnet of hijacked internet-connected devices for hiding the hackers’ malicious internet traffic.

But Salt Typhoon is by far one of the most prolific hacking groups in recent years, including targeting some of the top American phone companies.

The hacks allowed China to obtain call records, text messages, and captured phone audio from senior U.S. officials, many of whom were considered government targets of interest. This prompted the FBI to urge Americans to switch to end-to-end encrypted messaging apps, fearing that a foreign adversary could eavesdrop on their communications.

Salt Typhoon went even further, hacking at least 200 companies around the world, according to FBI officials. The list of affected countries keeps growing.

Here are the countries that have attributed hacks to Salt Typhoon.

United States
Some of the top U.S. phone companies, including AT&T and Verizon, were confirmed hacked by Salt Typhoon, as was internet provider CenturyLink (now Lumen). T-Mobile said it was targeted but that the hackers had no access to its customers’ calls, text messages, or voicemails.

Satellite communications giant Viasat was also compromised, allowing hackers to gain access to tools used by law enforcement to access the communications of others.

Internet and data providers Charter Communications (Spectrum) and Windstream were also named as Salt Typhoon victims. Fiber network giant Consolidated Communications was reportedly hacked as part of the campaign.

The hackers didn’t just target phone and internet providers. Per several reports, Salt Typhoon compromised the networks of a U.S. state’s National Guard, allowing them to steal data and gain access to other networks in every other U.S. state and several territories.

North and South America
According to security firm Recorded Future, its researchers have seen Salt Typhoon target Cisco devices associated with universities in Argentina and Mexico and elsewhere.

Meanwhile, the Canadian government confirmed that its top telecommunications firms were hacked by China as part of Salt Typhoon’s extended espionage campaign. Canada also confirmed several Cisco routers at one telecom giant were hacked to steal data from the company.

The government in Ottawa warned it saw targeting of companies that were “broader than just the telecommunications sector.”

Trend Micro said it saw Salt Typhoon activity in Brazil, the most populous country in South America.

Asia, Africa, and Oceania
Recorded Future said it’s seen Salt Typhoon targeting at least one Myanmar-based telecoms provider, Mytel, by way of hacked Cisco routers, as well as a South African telecommunications provider. It’s also seen attacks targeting routers of universities across Bangladesh, Indonesia, Malaysia, and Thailand.

Japan has also warned of the threat of Salt Typhoon to its networks.

Both the governments of Australia and New Zealand say they’ve seen Salt Typhoon activity in their telecom and critical infrastructure sectors. New Zealand said it also saw Salt Typhoon hackers across the government sector, as well as transportation, lodging, and military infrastructure networks.

Trend Micro also said it found at least 20 compromised organizations across the telecoms, consulting, chemical, and transportation industries, as well as government agencies and nonprofits in various countries, including Afghanistan, Eswatini, India, Taiwan, and the Philippines.

Europe
The British government has confirmed that a “cluster of activity” from Salt Typhoon was seen across the United Kingdom. While the activity wasn’t specified, news reporting suggests that senior U.K. government staff may have had their phone records tapped and text messages read.

Norway has also confirmed Salt Typhoon hacked several organizations in the country.

Dutch authorities in the Netherlands say that several smaller internet providers and web hosts were targeted and that the hackers had access to their routers, but their internal networks were not compromised.

An Italian internet provider was hacked, per Recorded Future.

And, according to Czech cybersecurity officials, incidents related to Salt Typhoon hacks have been witnessed in Finland and Poland.

techcrunch.com EN 2026 Salt-Typhoon telecoms
Hacktivists claim to have hacked Homeland Security to release ICE contract data https://techcrunch.com/2026/03/02/hacktivists-claim-to-have-hacked-homeland-security-to-release-ice-contract-data/
08/03/2026 11:52:34

TechCrunch
Lorenzo Franceschi-Bicchierai
8:11 AM PST · March 2, 2026

A group of hacktivists calling themselves “Department of Peace” claimed to have hacked the Department of Homeland Security (DHS), leaking allegedly stolen documents online.

On Sunday, the nonprofit transparency collective DDoSecrets published data relating to contracts between DHS, Immigration and Customs Enforcement (ICE), and more than 6,000 companies, including defense contractors Anduril, L3Harris, Raytheon, and surveillance enabler Palantir, as well as tech giants Microsoft and Oracle.

The hacktivist said the data comes from the Office of Industry Partnership, a unit within DHS that procures technology from the private sector.

DHS and ICE did not immediately respond to a request for comment.

Department of Peace explained their motives in a document alongside the hack, citing the recent killings of two peaceful protesters, U.S. citizens Alex Pretti and Renée Good, earlier this year in Minneapolis by federal agents.

“Why hack the DHS? I can think of a couple Pretti Good reasons! I’m releasing this because the DHS is killing us and people deserve to know which companies support them and what they’re working on,” the hackers wrote.

Since the beginning of the Trump administration, DHS and federal immigration agents with ICE have undertaken a campaign of mass deportations, arresting people with largely no criminal records, and detaining them in overcrowded facilities where critics say they are held in inhumane conditions. The mass deportation campaign has been aided by several tech companies, with Palantir at the forefront.

Security researcher Micah Lee organized the leaked data on a dedicated website, making the information easily searchable.

The site shows the name of the contractors, the amount of money they were awarded, as well as contact information, such as full names, email addresses, and phone numbers.

The largest contracts by total money awarded included $70 million for Cyber Apex Solutions, a company that claims on its barebones website to be “focused on filling the security gaps of critical infrastructure” in the U.S.; and $59 million for Science Applications International Corporation (SAIC), which provides AI services for government agencies. Underwriters Laboratories was awarded $29 million to provide testing, certification, and market intelligence to customers.

Cyber Apex Solutions, SAIC, and Underwriters Laboratories did not immediately respond to a request for comment.

This story was updated to clarify that Palantir enables, not provides, surveillance for the government.

techcrunch.com EN 2026 hacked Hacktivists US ICE Department-of-Peace Homeland-Security
TriZetto confirms 3.4M people's health and personal data was stolen during breach https://techcrunch.com/2026/03/06/trizetto-confirms-3-4m-peoples-health-and-personal-data-was-stolen-during-breach
08/03/2026 11:38:40

TechCrunch
Zack Whittaker
6:28 AM PST · March 6, 2026

Health tech giant TriZetto has confirmed that more than 3.4 million people had personal and health information stolen in a 2024 cyberattack, which the company failed to detect for almost a year.

The tech company, owned by multinational conglomerate Cognizant, serves around 200 million people across 875,000 healthcare providers throughout the U.S., according to its website. Doctors’ offices and healthcare providers use TriZetto to assess patients’ insurance for medical treatments.

TriZetto said in a filing with Maine’s attorney general on Friday that hackers stole patients’ insurance eligibility transaction reports from the company’s servers.

The data includes personal information like patients’ names, dates of birth, home addresses, and Social Security numbers, as well as information about their healthcare, such as their provider’s name, demographic data, and health and insurance details.

TriZetto said it identified the breach on October 2, 2025, but later discovered that the hackers had access as far back as November 2024.

Cognizant spokesperson William Abelson said the company “eliminated the threat” to its environment, but would not say why it took the company a year to detect the breach.

Several organizations have confirmed that their patients’ information was compromised in the cyberattack. One of these is OCHIN, a nonprofit consultancy firm that provides healthcare technology to some 300 rural and community care providers across the United States. Other healthcare providers across California have also confirmed that their patients’ information was compromised.

According to TriZetto, not every customer was affected by the breach.

TriZetto is the latest major health tech company to confirm a hack in recent years.

In 2024, a ransomware attack at Change Healthcare, another health tech giant that processes some 15 billion healthcare transactions, allowed hackers to make off with more than 192 million patient files. The cyberattack sparked outages across the U.S., leaving many without access to medical treatments or medications.

Updated with comment from Cognizant.

techcrunch.com EN 2026 US TriZetto cyberattack
Hacktivist scrapes over 500,000 stalkerware customers' payment records | TechCrunch https://techcrunch.com/2026/02/09/hacktivist-scrapes-over-500000-stalkerware-customers-payment-records/
11/02/2026 15:13:21

TechCrunch
Zack Whittaker
Lorenzo Franceschi-Bicchierai
8:20 AM PST · February 9, 2026

More than half-a-million people who bought access to phone surveillance and social media snooping apps had their email address and partial payment card numbers published online.

A hacktivist has scraped more than half-a-million payment records from a provider of consumer-grade “stalkerware” phone surveillance apps, exposing the email addresses and partial payment information of customers who paid to spy on others.

The transactions contain records of payments for phone-tracking services like Geofinder and uMobix, as well as services like Peekviewer (formerly Glassagram), which purport to allow access to private Instagram accounts, among several other monitoring and tracking apps provided by the same vendor, a Ukrainian company called Struktura.

The customer data also includes transaction records from Xnspy, a known phone surveillance app, which in 2022 spilled the private data from tens of thousands of unsuspecting people’s Android devices and iPhones.

This is the latest example of a surveillance vendor exposing the information of its customers due to security flaws. Over the past few years, dozens of stalkerware apps have been hacked, or have managed to lose, spill, or expose people’s private data — often the victims themselves — thanks to shoddy cybersecurity by the stalkerware operators.

Stalkerware apps like uMobix and Xnspy, once planted on someone’s phone, upload the victim’s private data, including their call records, text messages, photos, browsing history, and precise location data, which is then shared with the person who planted the app.

Apps like uMobix and Xnspy have explicitly marketed their services for people to spy on their spouses and domestic partners, which is illegal.

The data, seen by TechCrunch, included about 536,000 lines of customer email addresses, which app or brand the customer paid for, how much they paid, the payment card type (such as Visa or Mastercard), and the last four digits on the card. The customer records did not include dates of payments.

TechCrunch verified the data was authentic by taking several transaction records containing disposable email addresses with public inboxes, such as Mailinator, and running them through the various password reset portals provided by the various surveillance apps. By resetting the passwords on accounts associated with public email addresses, we determined that these were real accounts.

We also verified the data by matching each transaction’s unique invoice number from the leaked dataset with the surveillance vendor’s checkout pages. We could do this because the checkout page allowed us to retrieve the same customer and transaction data from the server without needing a password.

The hacktivist, who goes by the moniker “wikkid,” told TechCrunch they scraped the data from the stalkerware vendor thanks to a “trivial” bug in its website. The hacktivist said they “have fun targeting apps that are used to spy on people,” and subsequently published the scraped data on a known hacking forum.

The hacking forum listing names the surveillance vendor as Ersten Group, which presents itself as a U.K.-based software development startup.

TechCrunch found that several email addresses in the dataset, used for testing and customer support, instead reference Struktura, a Ukrainian company that has an identical website to Ersten Group. The earliest record in the dataset contained the email address of Struktura’s chief executive, Viktoriia Zosim, for a transaction of $1.

Representatives for Ersten Group did not respond to our requests for comment. Struktura’s Zosim did not return a request for comment.

techcrunch.com EN 2026 Xnspy Hacktivist stalkerware Peekviewer
Data breach at govtech giant Conduent balloons, affecting millions more Americans | TechCrunch https://techcrunch.com/2026/02/05/data-breach-at-govtech-giant-conduent-balloons-affecting-millions-more-americans/
06/02/2026 10:17:10

TechCrunch
Zack Whittaker
7:25 AM PST · February 5, 2026

The ransomware attack at Conduent allowed hackers to steal a "significant number of individuals’ personal information" from the govtech giant's systems. Conduent handles personal and health data of more than 100 million people across America.

A data breach at government technology giant Conduent appears to affect far more people than first disclosed, with the number of victims potentially stretching to dozens of millions of people across the United States.

The January 2025 ransomware attack, which knocked out Conduent’s operations for several days, is now known to affect at least 15.4 million people in Texas alone, accounting for about half of the state’s population. Conduent said in October that 4 million people across the state were affected.

Another 10.5 million people are affected across Oregon, per the state’s attorney general.

Conduent has also notified hundreds of thousands of people across Delaware, Massachusetts, New Hampshire, and other states, according to data breach notifications seen by TechCrunch.

The stolen data includes individuals’ names, Social Security numbers, medical data, and health insurance information.

One of the largest government contractors today, Conduent handles and processes large amounts of personal and sensitive information on behalf of large corporations, government departments, and several U.S. states. The company says its technology and operational support services reach more than 100 million people in the United States across various government healthcare programs.

When contacted with several questions about the data breach, Conduent spokesperson Sean Collins provided a boilerplate statement that did not address the questions, nor did they answer if Conduent knows how many individuals are affected by the cyberattack. The spokesperson would not say if the breach affects more than 100 million people.

Collins said that the company has been working to “conduct a detailed analysis of the affected files to identify the personal information” taken in the breach but would not say how many data breach notifications the company has sent out to date.

Little else is known about the breach, and the company has disclosed few details. Conduent disclosed the cyberattack in April, months after hackers knocked out the company’s systems, which resulted in outages to government services across the United States.

The Safeway ransomware gang took credit for the breach, claiming to have stolen over 8 terabytes of data.

In a later SEC filing, the company said that the stolen datasets “contained a significant number of individuals’ personal information associated with our clients’ end-users,” referring to its corporate and government customers.

Conduent also said it is continuing to notify individuals whose data was stolen in the breach, and plans to conclude alerting individuals by early 2026. The company did not give a more specific timeline.

techcrunch.com EN 2026 Conduent ransomware
Critics pan spyware maker NSO's transparency claims amid its push to enter US market | TechCrunch https://techcrunch.com/2026/01/08/critics-pan-spyware-maker-nsos-transparency-claims-amid-its-push-to-enter-us-market
19/01/2026 18:33:08

TechCrunch
Lorenzo Franceschi-Bicchierai
11:15 AM PST · January 8, 2026

The infamous spyware maker released a new transparency report claiming to be a responsible spyware maker, without providing insight into how the company dealt with problematic customers in the past.

NSO Group, one of the most well-known and controversial makers of government spyware, released a new transparency report on Wednesday, as the company enters what it described as “a new phase of accountability.”

But the report, unlike NSO’s previous annual disclosures, lacks details about how many customers the company rejected, investigated, suspended, or terminated due to human rights abuses involving its surveillance tools. While the report contains promises to respect human rights and have controls to demand its customers do the same, the report provides no concrete evidence supporting either.

Experts and critics who have followed NSO and the spyware market for years believe the report is part of a campaign by the company to get the U.S. government to remove it from a blocklist, technically called the Entity List, as it hopes to enter the U.S. market with new financial backers and executives at the helm.

Last year, a group of U.S. investors acquired the company, and since then, NSO has been undergoing a transition that included high-profile personnel changes: former Trump official David Friedman was appointed the new executive chairman; CEO Yaron Shohat stepped down; and Omri Lavie, the last remaining founder who was still involved in the company, also left, as Israeli newspaper Haaretz reported.

“When NSO’s products are in the right hands within the right countries, the world is a far safer place. That will always be our overriding mission,” Friedman wrote in the report, which does not mention any country where NSO operates.

Natalia Krapiva, the senior tech-legal counsel at Access Now, a digital rights organization that investigates spyware abuses, told TechCrunch: “NSO is clearly on a campaign to get removed from the U.S. Entity List and one of the key things they need to show is that they have dramatically changed as a company since they were listed.”

“Changing the leadership is one part and this transparency report is another,” said Krapiva.

“However, we have seen this before with NSO and other spyware companies over the years where they change names and leadership and publish empty transparency or ethics reports but the abuses continue.”

“This is nothing but another attempt at window dressing and the U.S. government should not be taken for a fool,” said Krapiva.

Ever since the Biden administration added NSO to the Entity List, the company has lobbied to have its restrictions lifted. After President Donald Trump took office again last year, NSO intensified these efforts. But, as of May last year, NSO had failed to sway the new administration.

In late December, the Trump administration lifted sanctions against three executives tied to the Intellexa spyware consortium, in what some saw as a sign of a shift in the administration’s attitude toward spyware makers.

A lack of details
This year’s transparency report, which covers 2025, has fewer details than reports from previous years.

In an earlier transparency report covering 2024, for example, NSO said it opened three investigations of potential misuse. Without naming the customers, the company said it cut ties with one, and imposed on another customer “alternative remediation measures,” including mandating human rights training, monitoring the customer activities, and requesting more information about how the customer uses the system. NSO did not provide any information about the third investigation.

NSO also said that during 2024, the company rejected more than $20 million “in new business opportunities due to human rights concerns.”

In the transparency report published the prior year, covering 2022 and 2023, NSO said it suspended or terminated six government customers, without naming them, claiming these actions resulted in a revenue loss of $57 million.

In 2021, NSO said it had “disconnected” the systems of five customers since 2016 following an investigation of misuse, resulting in more than $100 million in “estimated loss of revenue,” and it also said that it “discontinued engagements” with five customers due to “concerns regarding human rights.”

NSO’s newest transparency report does not include the total number of customers NSO has, statistics that have been consistently present in previous reports.

TechCrunch asked NSO spokesperson Gil Lanier to provide similar statistics and figures, but did not receive answers by press time.

John Scott-Railton, a senior researcher at The Citizen Lab, a human rights organization that has investigated spyware abuses for more than a decade, criticized NSO.

“I was expecting information, numbers,” Scott-Railton told TechCrunch. “Nothing in this document allows outsiders to verify NSO’s claims, which is business as usual from a company that has a decade-long history of making claims that later turned out to be misrepresentation.”

techcrunch.com EN 2026 spyware NSO US
Supreme Court hacker posted stolen government data on Instagram https://techcrunch.com/2026/01/16/supreme-court-hacker-posted-stolen-government-data-on-instagram/
17/01/2026 17:22:38

Lorenzo Franceschi-Bicchierai
12:01 PM PST · January 16, 2026

Nicholas Moore pleaded guilty to stealing victims’ information from the Supreme Court and other federal government agencies, and then posting it on his Instagram @ihackthegovernment.

A hacker posted the personal data of several of his hacking victims on his Instagram account, @ihackthegovernment, according to a court document.

Last week, Nicholas Moore, 24, a resident of Springfield, Tennessee, pleaded guilty to repeatedly hacking into the U.S. Supreme Court’s electronic document filing system. At the time, there were no details about the specifics of the hacking crimes Moore was admitting to.

On Friday, a newly filed document — first spotted by Court Watch’s Seamus Hughes — revealed more details about Moore’s hacks. Per the filing, Moore hacked not only into the Supreme Court systems, but also the network of AmeriCorps, a government agency that runs stipend volunteer programs, and the systems of the Department of Veterans Affairs, which provides healthcare and welfare to military veterans.

Moore accessed those systems using stolen credentials of users who were authorized to access them. Once he gained access to those victims’ accounts, Moore accessed and stole their personal data and posted some online to his Instagram account: @ihackthegovernment.

In the case of the Supreme Court victim, identified as GS, Moore posted their name and “current and past electronic filing records.”

In the case of the AmeriCorps victim, identified as SM, Moore boasted that he had access to the organization’s servers and published the victim’s “name, date of birth, email address, home address, phone number, citizenship status, veteran status, service history, and the last four digits of his social security number.”

And, in the case of the victim at the Department of Veterans Affairs, identified as HW, Moore posted the victim’s identifiable health information “when he sent an associate a screenshot from HW’s MyHealtheVet account that identified HW and showed the medications he had been prescribed.”

According to the court document, Moore faces a maximum sentence of one year in prison and a maximum fine of $100,000.

techcrunch.com EN 2026 Moore @ihackthegovernment MyHealtheVet AmeriCorps US data-leak
Hundreds of Cisco customers are vulnerable to new Chinese hacking campaign, researchers say | TechCrunch https://techcrunch.com/2025/12/19/hundreds-of-cisco-customers-are-vulnerable-to-new-chinese-hacking-campaign-researchers-say/
20/12/2025 10:14:16

Lorenzo Franceschi-Bicchierai
12:15 PM PST · December 19, 2025

On Wednesday, Cisco revealed that a group of Chinese government-backed hackers is exploiting a vulnerability to target its enterprise customers who use some of the company’s most popular products.

Cisco has not said how many of its customers have already been hacked, or may be running vulnerable systems. Now, security researchers say there are hundreds of Cisco customers who could potentially be hacked.

Piotr Kijewski, the chief executive of the nonprofit Shadowserver Foundation that scans and monitors the internet for hacking campaigns, told TechCrunch that the scale of exposure “seems more in the hundreds rather than thousands or tens of thousands.”

Kijewski said the foundation was not seeing widespread activity, presumably because “current attacks are targeted.”

Shadowserver has a page where it’s tracking the number of systems that are exposed and vulnerable to the flaw disclosed by Cisco, officially designated CVE-2025-20393. The vulnerability is known as a zero-day because it was already being exploited before Cisco had a patch available. As of press time, India, Thailand, and the United States collectively have dozens of affected systems within their borders.

Censys, a cybersecurity firm that monitors hacking activities across the internet, is also seeing a limited number of affected Cisco customers. According to a blog post, Censys has observed 220 internet-exposed Cisco email gateways, one of the products known to be vulnerable.

In its security advisory published earlier this week, Cisco said that the vulnerability is present in software found in several products, including its Secure Email Gateway and its Secure Email and Web Manager.

Cisco said these systems are only vulnerable if they are reachable from the internet and have its “spam quarantine” feature enabled. Neither of those two conditions is enabled by default, per Cisco, which would explain why there appear to be, relatively speaking, not that many vulnerable systems on the internet.

Cisco did not respond to a request for comment, asking if the company could corroborate the numbers seen by Shadowserver and Censys.

The bigger problem with this hacking campaign is that there are no patches available. Cisco recommends that customers wipe and “restore an affected appliance to a secure state,” as a way to remediate any breach.

“​​In case of confirmed compromise, rebuilding the appliances is, currently, the only viable option to eradicate the threat actors persistence mechanism from the appliance,” the company wrote in its advisory.

According to Cisco’s threat intelligence arm Talos, the hacking campaign has been ongoing since “at least late November 2025.”

techcrunch.com EN 2025 Cisco CVE-2025-20393 zero-day
Flaw in photo booth maker’s website exposes customers’ pictures https://techcrunch.com/2025/12/12/flaw-in-photo-booth-makers-website-exposes-customers-pictures/
16/12/2025 21:29:46

Lorenzo Franceschi-Bicchierai
7:37 AM PST · December 12, 2025

Hama Film makes photo booths that upload pictures and videos online. But their back-end systems have a simple flaw that allows anyone to download customer pictures.

A company that makes photo booths is exposing pictures and videos of its customers online thanks to a simple flaw in its website where the files are stored, according to a security researcher.

The researcher, who goes by Zeacer, alerted TechCrunch to the security issue in late November after reporting the vulnerability in October to Hama Film, the photo booth maker that has franchise presence in Australia, the United Arab Emirates, and the United States, but did not hear back.

Zeacer shared with TechCrunch a sample of pictures taken from Hama Film’s servers, which showed groups of clearly young people posing in photo booths. Hama Film’s booths not only print out the photos like a typical photo booth, but booths also upload the customers’ photos to the company’s servers.

Vibecast, which owns Hama Film, has yet to respond to Zeacer’s messages alerting the company to the issues. Vibecast also hasn’t responded to several requests for comment from TechCrunch, nor did Vibecast’s co-founder Joel Park respond to a message we sent via LinkedIn.

As of Friday, the researcher said the company has still not fully resolved the security flaw and continues to expose customers’ data. As such, TechCrunch is withholding specific details of the vulnerability from publication.

When Zeacer first found this flaw, he noted that it appeared that photos were deleted from the photo booth maker’s servers every two to three weeks.

Now, he said, the pictures stored on the servers appear to get deleted after 24 hours, which limits the number of pictures exposed at any given time. But a hacker could still exploit the vulnerability he discovered each day and download the contents of every photo and video on the server.

Before this week, Zeacer said at one point he saw more than 1,000 pictures online for the Hama Film booths in Melbourne.

This incident is the latest example of a company that, at least for a time, was not implementing certain basic and widely accepted security practices, such as rate-limiting. Last month, TechCrunch reported that government contractor giant Tyler Technologies was not rate-limiting its websites used for allowing courts to manage their jurors’ personal information. This meant anyone could break into any juror’s profile by running a computer script capable of mass-guessing their date of birth and their easy-to-guess numerical identifier.
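The Tyler Technologies pattern above (a guessable sequential identifier plus a date of birth as the only secret, and no throttling) is worth seeing as code. What follows is an added example, not code from TechCrunch, Tyler Technologies or Hama Film: a constructed juror lookup with two fake records, an attacker loop that enumerates dates of birth oldest-first, and the same lookup behind a per-identifier failure limit. The record contents, the id scheme and the limit of 5 failures per 15-minute window are assumptions chosen for illustration.

```python
"""Brute-forcing a date-of-birth check, unthrottled and then rate limited.

Added example: the records, identifiers and limits below are constructed.
"""
from collections import defaultdict, deque
from datetime import date, timedelta

# Constructed sample records: a sequential (guessable) id and a date of birth.
JURORS = {
    1001: {"name": "A. Example", "dob": date(1984, 3, 9)},
    1002: {"name": "B. Example", "dob": date(1971, 11, 23)},
}

START_YEAR = 1930  # oldest birth year the attacker bothers to try


def candidate_dobs(start_year=START_YEAR, end_year=2007):
    """Yield every calendar day in the range, oldest first."""
    d, end = date(start_year, 1, 1), date(end_year, 12, 31)
    while d <= end:
        yield d
        d += timedelta(days=1)


def guesses_needed(dob, start_year=START_YEAR):
    """1-based position of `dob` in the enumeration above."""
    return (dob - date(start_year, 1, 1)).days + 1


class UnprotectedPortal:
    """Lookup that only checks id + date of birth, with no throttling."""

    def lookup(self, juror_id, dob, now=0.0):
        rec = JURORS.get(juror_id)
        return rec if rec and rec["dob"] == dob else None


class RateLimitedPortal:
    """Same lookup, but at most `max_attempts` failures per id per window."""

    def __init__(self, max_attempts=5, window_seconds=900):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.failures = defaultdict(deque)  # juror_id -> timestamps of failed tries

    def lookup(self, juror_id, dob, now):
        q = self.failures[juror_id]
        while q and now - q[0] > self.window:  # drop failures outside the window
            q.popleft()
        if len(q) >= self.max_attempts:
            raise PermissionError("too many attempts for this identifier")
        rec = JURORS.get(juror_id)
        if rec and rec["dob"] == dob:
            return rec
        q.append(now)
        return None


def brute_force(portal, juror_id, seconds_per_request=0.05):
    """Enumerate dates of birth against `portal`.

    Returns (record_or_None, attempts_made). Stops at the first hit or
    as soon as the portal locks the identifier.
    """
    attempts, now = 0, 0.0
    for dob in candidate_dobs():
        try:
            rec = portal.lookup(juror_id, dob, now)
        except PermissionError:
            break
        attempts += 1
        now += seconds_per_request
        if rec is not None:
            return rec, attempts
    return None, attempts


def time_to_exhaust(portal, search_space):
    """Seconds needed to push `search_space` guesses through the limiter."""
    windows = -(-search_space // portal.max_attempts)  # ceiling division
    return windows * portal.window


if __name__ == "__main__":
    rec, n = brute_force(UnprotectedPortal(), 1001)
    print(f"unprotected: {rec['name']} recovered after {n} guesses")
    rec, n = brute_force(RateLimitedPortal(), 1001)
    print(f"rate limited: locked out after {n} guesses, record={rec}")
    space = sum(1 for _ in candidate_dobs())
    days = time_to_exhaust(RateLimitedPortal(), space) / 86400
    print(f"full DOB space is {space} guesses; about {days:.0f} days at 5 per 15 min")
```

The per-identifier counter is the minimum; a real deployment also limits per source address and globally, since an attacker who can rotate identifiers (they are sequential here) gets a fresh budget for each one. Replacing the sequential id with a long random token removes the enumeration path altogether and is the fix that does not depend on the limiter being tuned right.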

techcrunch.com EN 2025 HamaFilm PhotoBooths data-leak
CEO of South Korean retail giant Coupang resigns after massive data breach https://techcrunch.com/2025/12/10/ceo-of-south-korean-retail-giant-coupang-resigns-after-massive-data-breach/
12/12/2025 12:17:12

1:06 PM PST · December 10, 2025
Zack Whittaker

Park Dae-jun has resigned as chief executive of South Korean retail giant Coupang after a data breach exposed the personal information of more than half of the country’s population.

In a statement, Park apologized for the breach, citing a “deep sense of responsibility for the outbreak and the subsequent recovery process.”

Coupang has replaced Park with Harold Rogers, the top lawyer at Coupang’s U.S.-based parent company, according to a machine translation of the company statement.

The retail giant, often compared to Amazon for its dominance in South Korean e-commerce and logistics, last month revealed details of a data breach affecting close to 34 million people. The breach allegedly began in June but wasn’t noticed until November, when Coupang initially said over 4,500 customers had their data stolen. The company later revised that figure dramatically upward.

The Coupang hack is the latest in a string of security incidents affecting corporate giants and the central government across the country this year, including a data center fire that led to a massive, irretrievable loss of South Korean government data.

techcrunch.com EN 2025 Coupang data-breach
Fintech firm Marquis alerts dozens of US banks and credit unions of a data breach after ransomware attack https://techcrunch.com/2025/12/03/fintech-firm-marquis-alerts-dozens-of-us-banks-and-credit-unions-of-a-data-breach-after-ransomware-attack/
03/12/2025 20:22:50

Zack Whittaker
10:55 AM PST · December 3, 2025

Marquis said ransomware hackers stole reams of banking customer data, containing personal information and financial records, as well as Social Security numbers, belonging to hundreds of thousands of people. The number of affected people is expected to rise.

Fintech company Marquis is notifying dozens of U.S. banks and credit unions that they had customer data stolen in a cyberattack earlier this year.

Details of the cyberattack emerged this week after Marquis filed data breach notices with several U.S. states confirming its August 14 incident as a ransomware attack.

Texas-based Marquis is a marketing and compliance provider that allows banks and other financial institutions to collect and visualize all of their customer data in one place. The company counts more than 700 banking and credit union customers on its website. As such, Marquis has access to and stores large amounts of data belonging to consumer banking customers across the United States.

At least 400,000 people are so far confirmed affected by the data breach, according to legally required disclosures filed in the states of Iowa, Maine, Texas, Massachusetts, and New Hampshire that TechCrunch has reviewed.

Texas has the largest number of state residents so far who had data stolen in the breach, affecting at least 354,000 people.

Marquis said in its notice with Maine’s attorney general that banking customers with the Maine State Credit Union accounted for the majority of its data breach notifications, or around one-in-nine people who are known to be affected throughout the state.

The number of individuals affected by the breach is expected to rise as more data breach notifications roll in from other states.

Marquis said the hackers stole customer names, dates of birth, postal addresses, and financial information, such as bank account, debit, and credit card numbers. Marquis said the hackers also stole customers’ Social Security numbers.

According to its most recent notices, Marquis blamed the ransomware attack on hackers who exploited a vulnerability in its SonicWall firewall. The vulnerability was considered a zero-day, meaning the flaw was not known to SonicWall or its customers before it was maliciously exploited by hackers.

Marquis did not attribute the ransomware attack to a particular group, but the Akira ransomware gang was reportedly behind the mass-hacks targeting SonicWall customers at the time.

TechCrunch asked Marquis if it is aware of the total number of people affected by the breach, and if Marquis received any communication from the hackers or if the company paid a ransom, but we did not hear back by the time of publication.

techcrunch.com EN 2025 Marquis Data-Breach US
Surveillance tech provider Protei was hacked, its data stolen, and its website defaced https://techcrunch.com/2025/11/17/surveillance-tech-provider-protei-was-hacked-its-data-stolen-and-its-website-defaced/
19/11/2025 14:18:35

Zack Whittaker
5:09 AM PST · November 17, 2025

The defacement of Protei's website said "another DPI/SORM provider bites the dust," apparently referring to the company selling its web intercept and surveillance products to phone and internet providers.

A Russian telecom company that develops technology to allow phone and internet companies to conduct web surveillance and censorship was hacked, had its website defaced, and had data stolen from its servers, TechCrunch has learned.

Founded in Russia, Protei makes telecommunications systems for phone and internet providers across dozens of countries, including Bahrain, Italy, Kazakhstan, Mexico, Pakistan and much of central Africa. The company, now headquartered in Jordan, sells video conferencing technology and internet connectivity solutions, as well as surveillance equipment and web-filtering products, such as deep packet inspection systems.

It’s not clear exactly when or how Protei was hacked, but a copy of the company’s website saved on the Internet Archive’s Wayback Machine shows it was defaced on November 8. The website was restored soon after.

During the breach, the hacker obtained the contents of Protei’s web server — around 182 gigabytes of files — including emails dating back years.

A copy of Protei’s data was provided to DDoSecrets, a nonprofit transparency collective that indexes leaked datasets in the public interest, including data from law enforcement, government agencies, and companies involved in the surveillance industry.

Mohammad Jalal, the managing director of Protei’s branch in Jordan, did not respond to a request for comment about the breach.

The identity of the hacker is not known, nor their motivations, but the defaced website read: “another DPI/SORM provider bites the dust.” The message likely references the company’s sales of deep packet inspection systems and other internet filtering technology for the Russian-developed lawful intercept system known as SORM.

SORM is the main lawful intercept system used across Russia as well as several other countries that use Russian technology. Phone and internet providers install SORM equipment on their networks, which allows their country’s governments to obtain the contents of calls, text messages, and web browsing data of the networks’ customers.

Deep-packet inspection devices allow telecom companies to identify and filter web traffic depending on its source, such as a social media website or a specific messaging app, and selectively block access. These systems are used for surveillance and censorship in regions where freedom of speech and expression are limited.
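To make concrete what “identify and filter web traffic depending on its source” means once the traffic is encrypted, here is an added example that is not Protei’s code or anything from the article: a small Python parser that pulls the server name (SNI) out of a TLS ClientHello, the one plaintext field a DPI box can still key on when the rest of the session is encrypted, and a blocklist verdict built on it. The ClientHello builder, the hostnames and the blocklist are constructed for the test; the parser itself follows the TLS record and ClientHello layout, so it works on real hellos as well.

```python
"""SNI extraction from a TLS ClientHello, the hook a DPI filter keys on.

Added example with constructed inputs; not Protei's or any vendor's code.
"""
import struct

# Constructed blocklist of domain suffixes (hypothetical names).
BLOCKED_SUFFIXES = ("example-messenger.test", "social.example")


def build_client_hello(server_name):
    """Build a minimal TLS record holding a ClientHello with one SNI entry.

    Only used to construct test input; a real ClientHello carries more
    cipher suites and extensions, which the parser below skips over anyway.
    """
    host = server_name.encode("idna")
    entry = b"\x00" + struct.pack("!H", len(host)) + host      # host_name, type 0
    sni = struct.pack("!H", len(entry)) + entry                 # ServerNameList
    ext = struct.pack("!HH", 0x0000, len(sni)) + sni            # extension type 0
    body = (
        b"\x03\x03" + bytes(32)                 # client_version, random (zeros here)
        + b"\x00"                               # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"    # one cipher suite
        + b"\x01\x00"                           # one compression method: null
        + struct.pack("!H", len(ext)) + ext     # extensions block
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the SNI host_name from a ClientHello record, or None.

    None means: not a handshake record, not a ClientHello, truncated, or no
    server_name extension (which is what an ECH-protected hello looks like).
    """
    try:
        if record[0] != 0x16:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < rec_len or hs[0] != 0x01:
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) < hs_len:
            return None
        pos = 2 + 32                                            # version + random
        pos += 1 + body[pos]                                    # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher_suites
        pos += 1 + body[pos]                                    # compression_methods
        if pos + 2 > len(body):
            return None                                         # no extensions block
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype != 0x0000:
                continue
            list_len = struct.unpack("!H", data[:2])[0]
            p, list_end = 2, 2 + list_len
            while p + 3 <= list_end:
                ntype = data[p]
                nlen = struct.unpack("!H", data[p + 1:p + 3])[0]
                name = data[p + 3:p + 3 + nlen]
                p += 3 + nlen
                if ntype == 0 and len(name) == nlen:
                    return name.decode("idna")
        return None
    except (IndexError, struct.error, UnicodeError):
        return None


def dpi_verdict(record):
    """'block' if the SNI matches the blocklist, otherwise 'pass'.

    A hello with no readable SNI passes: the filter is blind to it, which is
    why encrypted SNI / ECH matters against this kind of middlebox.
    """
    name = extract_sni(record)
    if name is None:
        return "pass"
    host = name.lower().rstrip(".")
    for suffix in BLOCKED_SUFFIXES:
        if host == suffix or host.endswith("." + suffix):
            return "block"
    return "pass"


if __name__ == "__main__":
    for h in ("chat.example-messenger.test", "news.example", "social.example"):
        print(h, "->", dpi_verdict(build_client_hello(h)))
```

A production DPI engine sees packets rather than whole records and has to reassemble the first TCP segments (or the first QUIC datagram, where SNI lives inside the Initial packet’s protected payload) before this logic applies; the classification step itself is no more than what is shown here, which is why SNI is also what circumvention and ECH deployments target.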

The Citizen Lab reported in 2023 that Iranian telecoms giant Ariantel had consulted with Protei about technology for logging internet traffic and blocking access to certain websites. Documents seen and published by The Citizen Lab show that Protei touted its technology’s ability to restrict or block access to websites for specific people or entire swathes of the population.

techcrunch.com EN 2025 Russia Protei hacked data-breach
Australian spy chief warns Chinese hackers are 'probing' critical networks for espionage and sabotage https://techcrunch.com/2025/11/12/australian-spy-chief-warns-chinese-hackers-are-probing-critical-networks-for-espionage-and-sabotage/
12/11/2025 14:11:34

Zack Whittaker
4:47 AM PST · November 12, 2025

Australia's intelligence chief warned that Chinese hackers are trying to break into its networks, sometimes successfully, to "pre-position" for sabotage ahead of an anticipated invasion of Taiwan.

Australia’s intelligence head Mike Burgess has warned that China-backed hackers are “probing” the country’s critical infrastructure, and in some cases have gained access.

Burgess, who heads the country’s main intelligence agency, the Australian Security Intelligence Organisation, said that at least two China government-backed hacking groups are pre-positioning for sabotage and espionage.

The comments, made during a conference speech in Melbourne on Wednesday, echo similar remarks by the U.S. government, which has warned that the ongoing hacking campaigns may pose risks of economic and societal disruption.

According to Burgess, a hacker group known as Volt Typhoon is trying to break into critical infrastructure networks such as power, water, and transportation systems. Burgess warned that successful hacks could affect energy and water supplies, and cause widespread outages.

The U.S. has previously said that the Chinese hackers have spent years planting malware on critical infrastructure systems that are capable of causing disruptive cyberattacks when activated. U.S. officials said that Volt Typhoon’s goals are to hamper the U.S.’ response to China’s anticipated future invasion of Taiwan.

“I do not think we — and I mean all of us — truly appreciate how disruptive, how devastating, this could be,” said Burgess, speaking about the threat. He said that once the hackers have access, what happens next is a “matter of intent, not capability.”

Burgess also warned that another China-backed hacking group dubbed Salt Typhoon, known for hacking into the networks of phone and internet companies to steal call records and other sensitive data, was also targeting the country’s telecoms infrastructure.

Salt Typhoon has hacked more than 200 phone and internet companies, according to the FBI, including AT&T, Verizon and Lumen, along with several other cloud and data center providers. The hacks prompted the FBI to urge Americans to switch to end-to-end encrypted messaging apps to avoid having their calls and text messages accessed by the hackers.

The Canadian government also confirmed earlier this year that its telcos were breached as part of China-linked attacks.

China has long denied the hacking allegations.

techcrunch.com EN 2025 Australia China VoltTyphoon SaltTyphoon sabotage Taiwan
Italian political consultant says he was targeted with Paragon spyware https://techcrunch.com/2025/11/06/italian-political-consultant-says-he-was-targeted-with-paragon-spyware/
08/11/2025 15:12:09

Lorenzo Franceschi-Bicchierai
9:35 AM PST · November 6, 2025

WhatsApp notified the consultant, who works for left-wing politicians, that his phone was targeted with spyware made by Paragon.

Francesco Nicodemo, a consultant who works with left-wing politicians in Italy, has gone public as the latest person targeted with Paragon spyware in the country.

On Thursday, Nicodemo said in a Facebook post that for 10 months, he preferred not to publicize his case because he “did not want to be used for political propaganda,” but now “the time has come.”

“It is time to ask a very simple question: Why? Why me? How is it possible that such a sophisticated and complex tool was used to spy on a private citizen, as if he were a drug trafficker or a subversive threat to the country?” Nicodemo wrote. “I have nothing more to say. Others must speak. Others must explain what happened.”

Online news site Fanpage first reported the news that Nicodemo was among the people who received a WhatsApp notification in January.

The revelation that Nicodemo was targeted with Paragon spyware widens the scope — once again — of the ongoing spyware scandal in Italy, which has ensnared several victims from various positions in society: several journalists, immigration activists, prominent business executives, and now a political consultant with a history of working for the center-left Partito Democratico (Democratic Party) and its politicians.

Governments and spyware makers have long claimed that their surveillance products are used against serious criminals and terrorists, but these recent cases show that this isn’t always true.

“The Italian government has given some spyware targets clarity and explained the cases. But others remain troublingly unclear,” said John Scott-Railton, a senior researcher at The Citizen Lab, who has for years investigated spyware companies and their abuses, including some involving the use of Paragon spyware.

“None of this looks good for Paragon, or for Italy. That’s why clarity from the Italian government is so essential. I believe that if they wanted to, Paragon could give everybody a lot more clarity on what’s going on. Until they do, these cases are going to remain a weight around their neck,” said Scott-Railton, who confirmed that Nicodemo received the notification from WhatsApp.

Natale De Gregorio, who works with Nicodemo at their public relations firm Lievito Consulting, told TechCrunch in an email that Nicodemo did not want to comment beyond what he told Fanpage and his public Facebook post.

At this point, it’s unclear which of Paragon’s customers targeted Nicodemo, but an Italian parliamentary committee confirmed in June that some of the victims in Italy were targeted by Italian intelligence agencies, which are under the purview of right-wing prime minister Giorgia Meloni.

A spokesperson for the Italian prime minister’s office did not respond to a request for comment from TechCrunch.

Jennifer Iras, the vice president of marketing for REDLattice, a cybersecurity company that has merged with Paragon after the Israeli spyware maker was acquired by U.S. private equity giant AE Industrial, also did not respond to a request for comment.

In February, following the revelations of the first wave of victims in Italy, Paragon cut ties with its government customers in Italy, specifically the intelligence agencies AISE and AISI.

Later in June, the Italian Parliamentary Committee for the Security of the Republic, known as COPASIR, concluded that some of the Paragon spyware victims that had been identified publicly, namely the immigration activists, were lawfully hacked by Italian intelligence services.

COPASIR, however, said there was no evidence that Francesco Cancellato, the director of Fanpage.it, an Italian news website that has investigated the youth wing of the far-right ruling party in Italy, led by Meloni, had been targeted by either of Italy’s intelligence agencies, the AISI and AISE.

COPASIR also did not investigate the case of Cancellato’s colleague Ciro Pellegrino.

Paragon, which told TechCrunch that the U.S. government is one of its customers, has an active contract with U.S. Immigration and Customs Enforcement.

techcrunch.com EN 2025 Italy Nicodemo spyware Paragon
Congressional Budget Office confirms it was hacked https://techcrunch.com/2025/11/07/congressional-budget-office-confirms-it-was-hacked/
08/11/2025 14:25:24

Lorenzo Franceschi-Bicchierai
8:36 AM PST · November 7, 2025

The congressional research office confirmed a breach, but did not comment on the cause. A security researcher suggested the hack may have originated because CBO failed to patch a firewall for more than a year.

The U.S. Congressional Budget Office has confirmed it was hacked.

Caitlin Emma, a spokesperson for CBO, told TechCrunch on Friday that the agency is investigating the breach and “has identified the security incident, has taken immediate action to contain it, and has implemented additional monitoring and new security controls to further protect the agency’s systems going forward.”

CBO is a nonpartisan agency that provides economic analysis and cost estimates to lawmakers during the federal budget process, including after legislative bills get approved at the committee level in the House and Senate.

On Thursday, The Washington Post, which first revealed the breach, reported that unspecified foreign hackers were behind the intrusion. According to the Post, CBO officials are worried that the hackers accessed internal emails and chat logs, as well as communications between lawmakers’ offices and CBO researchers.

Reuters reported that the Senate Sergeant at Arms office, the Senate’s law enforcement agency, notified congressional offices of a breach, warning them that emails between CBO and the offices could have been compromised and used to craft and send phishing attacks.

It’s unclear how the hackers gained access to the CBO’s network. But soon after news of the breach became public, security researcher Kevin Beaumont wrote on Bluesky that he suspected hackers may have exploited the CBO’s outdated Cisco firewall to break into the agency’s network.

Last month, Beaumont noted that CBO had a Cisco ASA firewall on its network that was last patched in 2024. At the time of his posting, the CBO’s firewall was allegedly vulnerable to a series of newly discovered security bugs, which were being exploited by suspected Chinese government-backed hackers.

Beaumont said the CBO’s firewall had not been patched by the time the federal government shutdown took effect on October 1.

On Thursday, Beaumont said that the firewall is now offline.

The CBO’s spokesperson declined to comment when asked about Beaumont’s findings. Spokespeople for Cisco did not immediately respond to a request for comment.

techcrunch.com EN 2025 US hacked Congressional-Budget-Office 
Tata Motors confirms it fixed security flaws, which exposed company and customer data | TechCrunch https://techcrunch.com/2025/10/28/tata-motors-confirms-it-fixed-security-flaws-that-exposed-company-and-customer-data
02/11/2025 11:25:04

Jagmeet Singh
6:30 PM PDT · October 28, 2025

A security researcher found the Indian automotive giant exposing personal information of its customers, internal company reports, and dealers’ data. Tata confirmed it fixed the issues.

Indian automotive giant Tata Motors has fixed a series of security flaws that exposed sensitive internal data, including personal information of customers, company reports, and data related to its dealers.

Security researcher Eaton Zveare told TechCrunch that he discovered the flaws in Tata Motors’ E-Dukaan unit, an e-commerce portal for buying spare parts for Tata-made commercial vehicles. Headquartered in Mumbai, Tata Motors produces passenger cars, as well as commercial and defense vehicles. The company has a presence in 125 countries worldwide and seven assembly facilities, per its website.

Zveare wrote in a blog post that the portal’s web source code included the AWS keys needed to access and modify data within Tata Motors’ account on Amazon Web Services.
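A check that catches the class of mistake described here, as an added example rather than anything from Zveare’s write-up or Tata Motors’ code: a scanner that walks JavaScript (or any text) served to browsers and flags AWS access key IDs and, next to a secret-key-style name, 40-character secret access keys. The sample source is constructed and uses the placeholder credentials AWS publishes in its own documentation. The key ID pattern (AKIA or ASIA prefix plus 16 upper-case alphanumerics) and the secret pattern (40 base64-alphabet characters) are the conventional ones; the secret pattern alone matches other 40-character strings, which is why the rule requires a key-like name on the same line.

```python
"""Flag AWS credentials embedded in source served to browsers.

Added example with a constructed sample; not Zveare's or Tata Motors' code.
"""
import re

# Long-term access key IDs start with AKIA, temporary (STS) ones with ASIA,
# followed by 16 upper-case alphanumerics.
ACCESS_KEY_ID = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")

# Secret access keys are 40 base64-alphabet characters. On its own that is too
# loose (a 40-hex commit hash matches), so require a "secret...key" style name
# within 40 characters before the quoted value.
SECRET_ACCESS_KEY = re.compile(
    r"(?i)secret[_a-z]*key[^\n]{0,40}?['\"]([A-Za-z0-9/+=]{40})['\"]"
)

# Constructed sample of a bundled front-end config; the credentials are the
# documented AWS placeholder values, not real keys.
SAMPLE_JS = """\
// constructed sample of a bundled front-end config (not Tata Motors' code)
const s3 = new AWS.S3({
  accessKeyId: "AKIAIOSFODNN7EXAMPLE",
  secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
  region: "ap-south-1",
});
const buildHash = "da39a3ee5e6b4b0d3255bfef95601890afd80709";
"""


def mask(value):
    """Keep just enough of a hit to recognise it in a report."""
    return value[:4] + "..." + value[-4:]


def scan_source(text):
    """Return findings as dicts with 1-based line number, kind and masked value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID.finditer(line):
            findings.append(
                {"line": lineno, "kind": "access_key_id", "masked": mask(m.group(1))}
            )
        for m in SECRET_ACCESS_KEY.finditer(line):
            findings.append(
                {"line": lineno, "kind": "secret_access_key", "masked": mask(m.group(1))}
            )
    return findings


def has_usable_pair(findings, max_distance=5):
    """True when a key ID and a secret sit within a few lines of each other,
    i.e. a complete credential rather than a stray identifier."""
    ids = [f["line"] for f in findings if f["kind"] == "access_key_id"]
    secrets = [f["line"] for f in findings if f["kind"] == "secret_access_key"]
    return any(abs(i - s) <= max_distance for i in ids for s in secrets)


if __name__ == "__main__":
    hits = scan_source(SAMPLE_JS)
    for h in hits:
        print(f"line {h['line']}: {h['kind']} {h['masked']}")
    print("complete credential present:", has_usable_pair(hits))
```

Run it over built bundles (the files a browser actually downloads), not just the repository, since bundlers inline environment variables at build time. Any hit is a rotate-now event regardless of what the key can reach; the design fix is that the browser never holds AWS keys at all and instead gets short-lived, narrowly scoped access (pre-signed URLs or a backend that calls AWS on the client’s behalf).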

The exposed data, Zveare told TechCrunch, included hundreds of thousands of invoices containing customer information, such as their names, mailing addresses, and permanent account number (PAN), a 10-character unique identifier issued by the Indian government.

“Out of respect for not causing some type of alarm bell or massive egress bill at Tata Motors, there were no attempts to exfiltrate large amounts of data or download excessively large files,” the researcher told TechCrunch.

There were also MySQL database backups and Apache Parquet files that included various bits of private customer information and communication, the researcher noted.

The AWS keys also enabled access to over 70 terabytes of data related to Tata Motors’ FleetEdge fleet-tracking software. Zveare also found backdoor admin access to a Tableau account, which included data of over 8,000 users.

“As server admin, you had access to all of it. This primarily includes things like internal financial reports, performance reports, dealer scorecards, and various dashboards,” the researcher said.

The exposed data also included API access to Tata Motors’ fleet management platform, Azuga, which powers the company’s test drive website.

Shortly after discovering the issues, Zveare reported them to Tata Motors through the Indian computer emergency response team, known as CERT-In, in August 2023. Later in October 2023, Tata Motors told Zveare that it was working on fixing the AWS issues after securing the initial loopholes. However, the company did not say when the issues were fixed.

Tata Motors confirmed to TechCrunch that all the reported flaws were fixed in 2023 but would not say if it notified affected customers that their information was exposed.

“We can confirm that the reported flaws and vulnerabilities were thoroughly reviewed following their identification in 2023 and were promptly and fully addressed,” said Tata Motors communications head Sudeep Bhalla, when contacted by TechCrunch.

“Our infrastructure is regularly audited by leading cybersecurity firms, and we maintain comprehensive access logs to monitor for unauthorized activity. We also actively collaborate with industry experts and security researchers to strengthen our security posture and ensure timely mitigation of potential risks,” said Bhalla.

techcrunch.com EN 2025 India Tata automotive flaws data-breach
CEO of spyware maker Memento Labs confirms one of its government customers was caught using its malware | TechCrunch https://techcrunch.com/2025/10/28/ceo-of-spyware-maker-memento-labs-confirms-one-of-its-government-customers-was-caught-using-its-malware/
29/10/2025 18:59:06

techcrunch.com
Lorenzo Franceschi-Bicchierai
10:00 PM PDT · October 28, 2025

On Monday, researchers at cybersecurity giant Kaspersky published a report identifying a new spyware called Dante that they say targeted Windows victims in Russia and neighboring Belarus. The researchers said the Dante spyware is made by Memento Labs, a Milan-based surveillance tech maker that was formed in 2019 after a new owner acquired and took over early spyware maker Hacking Team.

Memento chief executive Paolo Lezzi confirmed to TechCrunch that the spyware caught by Kaspersky does indeed belong to Memento.

In a call, Lezzi blamed one of the company’s government customers for exposing Dante, saying the customer used an outdated version of the Windows spyware that will no longer be supported by Memento by the end of this year.

“Clearly they used an agent that was already dead,” Lezzi told TechCrunch, referring to an “agent” as the technical word for the spyware planted on the target’s computer.

“I thought [the government customer] didn’t even use it anymore,” said Lezzi.

Lezzi, who said he was not sure which of the company’s customers were caught, added that Memento had already requested that all of its customers stop using the Windows malware. Lezzi said the company had warned customers that Kaspersky had detected Dante spyware infections since December 2024. He added that Memento plans to send a message to all its customers on Wednesday asking them once again to stop using its Windows spyware.

He said that Memento currently only develops spyware for mobile platforms. The company also develops some zero-days — meaning security flaws in software unknown to the vendor that can be used to deliver spyware — though it mostly sources its exploits from outside developers, according to Lezzi.

When reached by TechCrunch, Kaspersky spokesperson Mai Al Akkad would not say which government Kaspersky believes is behind the espionage campaign, but that it was “someone who has been able to use Dante software.”

“The group stands out for its strong command of Russian and knowledge of local nuances, traits that Kaspersky observed in other campaigns linked to this [government-backed] threat. However, occasional errors suggest that the attackers were not native speakers,” Al Akkad told TechCrunch.

In its new report, Kaspersky said it found a hacking group using the Dante spyware, which it refers to as “ForumTroll,” and described how the group targeted people with invitations to the Russian politics and economics forum Primakov Readings. Kaspersky said the hackers targeted a broad range of industries in Russia, including media outlets, universities, and government organizations.

Kaspersky’s discovery of Dante came after the Russian cybersecurity firm said it detected a “wave” of cyberattacks with phishing links that were exploiting a zero-day in the Chrome browser. Lezzi said that the Chrome zero-day was not developed by Memento.

In the report, Kaspersky researchers concluded that Memento “kept improving” the spyware originally developed by Hacking Team until 2022, when the spyware was “replaced by Dante.”

Lezzi conceded that it is possible that some “aspects” or “behaviors” of Memento’s Windows spyware were left over from spyware developed by Hacking Team.

A telltale sign that the spyware caught by Kaspersky belonged to Memento was that the developers allegedly left the word “DANTEMARKER” in the spyware’s code, a clear reference to the name Dante, which Memento had previously and publicly disclosed at a surveillance tech conference, per Kaspersky.

Much like Memento’s Dante spyware, some versions of Hacking Team’s spyware, codenamed Remote Control System, were named after historical Italian figures, such as Leonardo da Vinci and Galileo Galilei.

A history of hacks
In 2019, Lezzi purchased Hacking Team and rebranded it to Memento Labs. According to Lezzi, he paid only one euro for the company and the plan was to start over.

“We want to change absolutely everything,” the Memento owner told Motherboard after the acquisition in 2019. “We’re starting from scratch.”

A year later, Hacking Team’s CEO and founder David Vincenzetti announced that Hacking Team was “dead.”

Lezzi told TechCrunch that when he acquired Hacking Team, the company had only three government customers remaining, a far cry from the more than 40 government customers that Hacking Team had in 2015. That same year, a hacktivist called Phineas Fisher broke into the startup’s servers and siphoned off some 400 gigabytes of internal emails, contracts, documents, and the source code for its spyware.

Before the hack, Hacking Team’s customers in Ethiopia, Morocco, and the United Arab Emirates were caught targeting journalists, critics, and dissidents using the company’s spyware. Once Phineas Fisher published the company’s internal data online, journalists revealed that a Mexican regional government had used Hacking Team’s spyware to target local politicians and that Hacking Team had sold to countries with records of human rights abuses, including Bangladesh, Saudi Arabia, and Sudan, among others.

Lezzi declined to tell TechCrunch how many customers Memento currently has but implied it was fewer than 100 customers. He also said that there are only two current Memento employees left from Hacking Team’s former staff.

The discovery of Memento’s spyware shows that this type of surveillance technology keeps proliferating, according to John Scott-Railton, a senior researcher who has investigated spyware abuses for a decade at the University of Toronto’s Citizen Lab.

It also shows that a controversial company can die because of a spectacular hack and several scandals, and yet a new company with brand-new spyware can still come out of its ashes.

“It tells us that we need to keep up the fear of consequences,” Scott-Railton told TechCrunch. “It says a lot that echoes of the most radioactive, embarrassed and hacked brand are still around.”

techcrunch.com EN 2025 Dante spyware HackingTeam Memento