The U.S. Departments of Justice and Homeland Security seized multiple internet domains this week, accusing them of being used to publishing thousands of AI or digitally-altered images and videos of nude women.

The domains, CFAKE.com and SOCFAKE.com, specialized in digital forgeries that “were made to appear to be sexual images of famous women, including politicians, first ladies of multiple countries, royalty, journalists, television presenters, athletes, entertainers, and others” either nude or engaged in sexual activity,” according to a Department of Justice release.

In addition to creating sexual images and videos of women without their consent, the service allowed people to browse by topics, including “rape,” “forced,” and “degradation.”

That description comes from a Department of Justice release describing the contents of its probable cause affidavit and search warrants. CyberScoop has not viewed the court documents.  

The sites were seized under the TAKE IT DOWN Act, a law passed last year giving federal authorities the ability to criminally prosecute those who create and distribute deepfake porn. The law was a rare moment of bipartisan agreement in Washington D.C., gaining support from both Democrats and Republicans who said their constituents were demanding tougher laws to curb the use of AI to create nonconsensual deepfake porn.

The operation marks one of the largest seizures since the law went into effect. The details of the operation disclosed by the government show how creators of deepfake porn rely on a web of international assets and infrastructure to evade law enforcement.

Robert Fraiser, U.S. Attorney for the District of New Jersey, said U.S. authorities worked in coordination with law enforcement agencies in France and Italy. According to U.S. officials, they were first notified about the website by Italian Polizia de Stato, while a parallel investigation run by the Paris Public Prosecutor’s Office in France resulted in the arrest of a suspect connected with the site, along with seized cryptocurrency funds.

“These seizures stopped a website that trafficked in humiliation, exploitation, and the violation of personal privacy on a massive scale,” said Frazer in a statement. “For the victims whose images were distributed without their consent, the harm is not virtual — it is deeply personal and often enduring.”

According to the Paris Prosecutor’s Office, Cyrille B., a 47-year-old French national was arrested and accused of being an administrator for CFAKE. A search of his home in Nice found computer equipment related to the site and a little more than $48,000 in Ethereum cryptocurrency that they said came from the site’s advertising.

The French investigation identified 300,000 images, 7,000 videos depicting 14,000 individuals from different countries. The site had approximately 200,000 user accounts, 4 million views per month and uploaded 50 pieces of new content every day.

The suspect had no prior criminal record, and will go to trial on July 7. The charges carry potential penalties of up to seven years in prison and €500,000.

U.S. Immigration and Customs Enforcement’s Homeland Security Investigation division is leading the federal investigation, in conjunction with the U.S. Attorney’s office for New Jersey.

The post US, France, and Italian authorities shut down massive deepfake porn site appeared first on CyberScoop.

Campaigns employing commercial surveillance vendors tracked targets by exploiting mobile phone network vulnerabilities in what researchers said Thursday was the first-ever linking of “real-world attack traffic to mobile operator signalling infrastructure.”

The two unknown parties behind the campaigns mimicked the identities of mobile phone operators with customized surveillance tools, and manipulated signaling protocols and steered traffic through network pathways to hide, according to research from the University of Toronto’s Citizen Lab.

“Our findings highlight a systemic issue at the core of global telecommunications: operator infrastructure designed to enable seamless international connectivity is being leveraged to support covert surveillance operations that are difficult to monitor, attribute, and regulate,” a report published Thursday reads.

“Despite repeated public reporting, this activity continues unabated and without consequence,” Gary Miller and Swantje Lange wrote for Citizen Lab. “The continued use of mobile networks, built on a close inter-operator trust model and relied upon by users worldwide, raises broader questions for national regulators, policymakers, and the telecom industry about accountability, oversight, and global security.”

The attackers relied on identifiers and infrastructure associated with operators around the world, including networks based in Cambodia, China, the self-governing Island of Jersey, Israel, Italy, Lesotho, Liechtenstein, Morocco, Mozambique, Namibia, Poland, Rwanda, Sweden, Switzerland, Thailand, Uganda and the United Kingdom.

They shifted between SS7 and Diameter protocols, the signalling protocols known for 3G and 4G/most of 5G, respectively, according to the report. While Diameter was meant to be more secure than SS7, the Federal Communications Commission in 2024 opened a probe into both its vulnerabilities and SS7’s, and Sen. Ron Wyden, D-Ore., has asked for a Cybersecurity and Information Security Agency report about telecommunications vulnerabilities rooted in both protocols.

But identifying the vendors used in the two surveillance campaigns, or who was behind them, was beyond the researchers’ reach.

“The reality is that there are a number of known surveillance vendors and bad actors in this space, but given the opaque nature of telecommunications signalling protocols, those vendors are able to operate without revealing exactly who they really are,” Ron Deibert, director of Citizen Lab, wrote in his newsletter. “Much of the malicious things they are doing blend into the otherwise voluminous flow of billions of normal messages and roaming signals. They are ‘ghost operators’ within the global telecom ecosystem.”

One of the operators mentioned in Citizen Lab’s report, Israel-based 019 Mobile, wrote back that it didn’t recognize the hostnames referenced in the report as 019 Mobile’s network nodes, and couldn’t attribute the signaling activity it represents to 019 Mobile-operated infrastructure.

Another operator, Sure, said it has taken preventative measures to defend against misuse.

“Sure acknowledges that digital services can be misused, which is why we take a number of
steps to mitigate this risk,” CEO Alistair Beak said in a statement to CyberScoop. “Sure has implemented several protective measures to prevent the misuse of signalling services, including monitoring and blocking inappropriate signalling. Any evidence or valid complaint relating to the misuse of Sure’s network results in the service being immediately suspended and, where malicious or inappropriate activity is confirmed following investigation, permanently terminated.”

019 Mobile and a third operator, Tango Networks UK, didn’t respond to requests for comment from CyberScoop. The Citizen Lab report afforded some grace to the operators.

“It is important to note that the operator signalling addresses observed in the attacks do not necessarily imply direct operator involvement,” it states. “In some cases, access to the signalling ecosystem can be obtained through third-party providers, commercial leasing arrangements, or other intermediary services that allow actors to send messages using operator identifiers from legitimate networks.”

Updated 4/24/26: to include quote from Alistair Beak.

The post Surveillance campaigns use commercial surveillance tools to exploit long-known telecom vulnerabilities appeared first on CyberScoop.