The Supreme Court is about to decide how far geofence warrants can go

The Supreme Court will hear oral arguments Monday in a case that could limit the government’s ability to obtain bulk digital data of device users with a single warrant, in a rare instance of the country’s top justices taking on digital rights.

Chatrie v. The United States is the first major Fourth Amendment case the court has taken up since 2018, despite the proliferation of technology that impacts privacy since then. At the center of what the justices will address are so-called geofence warrants, which compel companies to disclose user data from a certain time and location.

“It’s a really interesting question about a law enforcement tool that would have been unimaginable a few decades ago, where you can basically look at potentially every phone, for example, that passed through a particular area in a particular window,” said John Villasenor, a law professor at UCLA and nonresident senior fellow at the Brookings Institution.

Both conservative and liberal civil liberties advocates have lined up in favor of the petitioner, leaving the United States government with fewer friend-of-the-court briefs on its side. Okello Chatrie was convicted for a 2019 bank robbery after police used a geofence warrant to obtain information from Google about users during a one-hour period and 17.5-acre area, then refined the search.

In Congress, Democrats have raised concerns about geofence warrants as they might pertain to abortion rights, while Republicans have raised concerns about their use in tracking suspects linked to the Jan. 6, 2021 insurrection at the Capitol.

Courts have been divided on the legality of the geofence warrant in Chatrie’s case. Google has since stopped storing location data in the cloud and moved records directly to user devices, but those siding with Chatrie say it could have broader implications for financial records, search history records, chat bot records and more.

“We think it’s important that courts get it right and that, among other things, courts recognize that we have a property interest in many of our digital records,” said Brent Skorup, a legal fellow at the Cato Institute, which has filed an amicus brief on behalf of the petitioner. “If the government can get those digital records without a warrant, that renders the Fourth Amendment pretty empty and we’re not secure in our privacy and traditional rights to having control of our private papers and effects.”

The United States noted that Chatrie opted into Google’s storage of his location history, and that the information’s collection is not substantially different from identification of other markers of someone’s presence, like tire tracks or boot prints.

“Individuals generally have no reasonable expectation of privacy in information disclosed to a third party and then conveyed by the third party to the government,” it wrote. A collection of 32 attorneys general have sided with the U.S. government, as well as some law professors.

In the 2018 case, Carpenter v. The United States, the Supreme Court limited the applicability of that “third-party doctrine” — echoed by the U.S. government’s argument in the Chatrie case — to search and seizure of 127 days’ worth of someone’s cell site location information, ruling that it constituted a search under the Fourth Amendment and therefore required a warrant.

The type of warrant is at issue in Chatrie v. The United States. A Virginia court ultimately found that geofence warrant unconstitutional because it was not sufficiently specific and was not supported by probable cause for every user whose data was collected. However, the court ruled the evidence was admissible in court, because law enforcement acted in “good faith” in the belief that it was constitutional.

Villasenor said the court could clear a lot up by addressing the good faith exception, something lower courts have used to sidestep substantial constitutional rulings, according to one study. But both Villasenor and Skorup say it’s possible that the Supreme Court also could fail to arrive at a conclusive ruling on the issues at stake in Chatrie.

While some civil liberties advocates are optimistic about the outcome due to the court’s ruling in Carpenter, three justices in that case have since been replaced by others.

The rarity of such digital privacy cases rising to the level of the Supreme Court might be simply a function of a crowded court agenda, but it’s not the only possibility.

“Part of it might be because the court has not developed a consensus view about how to approach these yet,” Skorup said. “It’s speculation on my part, but they probably have some ambivalence about taking up cases where they know that they’re not going to speak with one voice, or they know they might speak with fractured voices.”

Google itself filed a brief in the case, but sided with neither party, saying it took no position on the warrant in Chatrie’s specific case.

“But it urges the Court to hold that Google Location History and other similar digital documents stored remotely deserve the Fourth Amendment’s protection,” it wrote. “A contrary rule would leave the intimate details of millions of Americans’ daily lives — data that will exist in many forms as technology rapidly develops — exposed to warrantless surveillance.”

The post The Supreme Court is about to decide how far geofence warrants can go appeared first on CyberScoop.

pcTattleTale stalkerware maker sentence includes fine, supervised release

A federal judge has sentenced the maker of stalkerware pcTattleTale, which went out of business after a data breach, to supervised release and a $5,000 fine.

Bryan Fleming pleaded guilty in January to a charge of intentionally manufacturing, possessing or selling a device with the knowledge that it would be primarily used for surreptitious interception of communications. On Friday, a judge handed down Fleming’s sentence.

It was the first stalkerware conviction since 2014, when the maker of StealthGenie pled guilty and also didn’t serve prison time, instead receiving a $500,000 fine from the court.

According to Fleming’s plea agreement, his incriminating activity began as early as 2017, as the owner of Fleming Technologies LLC.

“Defendant’s software enabled buyers to covertly and remotely monitor a victim’s cellular telephone and computer activities, including, texts, emails, phone calls, geo-location, and web browsing,” the agreement states. “Defendant began directly advertising his spying software to persons wanting to spy on spouses or partners without their knowledge.”

It continued: “Defendant’s spying software covertly created a video every time a victim’s device was used, which captured any and all activity occurring on the device. The person monitoring the device could log into a remote dashboard and monitor the activity on the victim’s device.”

An undercover agent from Homeland Security Investigations, a division of U.S. Immigration and Customs Enforcement, posed as a marketing affiliate and customer to communicate with Fleming, according to a 2022 indictment.

pcTattletale went out of business in 2024 after suffering a data breach. Researchers have found that stalkerware apps often fail to protect personal information collected during their use.

An attorney for Fleming didn’t immediately respond to a request for comment Monday morning.

Federal judge blocks Perplexity’s AI browser from making Amazon purchases

A federal judge has blocked Perplexity, makers of the Comet AI browser, from accessing user Amazon accounts and making purchases on their behalf.

In a March 9 order, Judge Maxine Chesney of the Northern District Court of California said the temporary injunction reflects the likelihood that Amazon “will succeed on the merits” of its claim that Perplexity’s AI agents violate the Computer Fraud and Abuse Act and the Comprehensive Computer Data Access and Fraud Act.

The court held that Amazon “has provided strong evidence that Perplexity, through its Comet browser, accesses with the Amazon user’s permission but without authorization by Amazon, the user’s password-protected account.”

Per the ruling, Perplexity must prohibit Comet from accessing, attempting to access, assisting, instructing or providing the means for others to access Amazon user accounts. Perplexity must also delete all Amazon account and customer data it collected along the way.

Perplexity told the court that the purchases were legitimate and legal because their users had authorized their AI agent to make the purchases on their behalf. But Amazon has explicitly denied them such permission, saying the agents make mistakes, interfere with Amazon’s own algorithm and place their users at an elevated cybersecurity risk.

Additionally, Chesney wrote that Amazon has incurred “significantly more” than $5,000 needed to qualify as computer fraud, including the cost of time spent by Amazon employees to develop new web tools to block Comet’s access to private customer accounts and detect future unauthorized access by the browser.

According to Amazon, they have asked Perplexity officials on five separate occasions to cease covertly accessing Amazon’s store with its agents. In a cease-and-desist letter sent to Perplexity Oct. 31, 2025, attorney Moez Kaba of law firm Hueston Hennigan wrote to Perplexity, alleging the automated purchases degrade the online shopping experience for Amazon customers.

Amazon requires AI agents to digitally identify themselves when using the e-commerce platform. But they alleged Perplexity executives “refused to operate transparently and have instead taken affirmative steps to conceal its agentic activities in the Amazon Store,” including configuring their software to covertly pose as human traffic.

“Such transparency is critical because it protects a service provider’s right to monitor AI agents and restrict conduct that degrades the customer shopping experience, erodes customer trust, and creates security risks for our customers’ private data,” wrote Kaba.

Additionally, such agents could pose a further risk to Amazon through cybersecurity vulnerabilities exploited by cybercriminals to hijack AI browsers like Comet.

The lack of response from Perplexity executives to earlier entreaties from Amazon may have played a role in the court’s injunction, with Chesney noting that Amazon was likely to suffer irreparable harm without court intervention because “Perplexity has made clear that, in the absence of the relief requested, it will continue to engage in the above-referenced challenged conduct.”

The case could have broader implications for the way commercial AI agent tools are designed and how far they can legally act on a person’s behalf. Notably, while Amazon opposes Comet’s AI-directed purchases, Perplexity claims that its users have given them permission to make purchases on their behalf.

Perplexity argued a court order halting their AI’s activities would go against the public interest, depriving them of consumer choice and innovation. Chesney concluded the opposite, endorsing Amazon’s argument that the public has a greater interest in protecting their computers from unauthorized access.

Perplexity did not respond to a request for comment on the ruling at press time.

Federal court dismisses Trump DOJ lawsuit seeking California voter data

A federal court has thrown out a lawsuit brought by the Trump administration attempting to force the state of California to turn over sensitive voter data.

The decision, issued by the U.S. Central District Court of Southern California, is a major setback to the federal government’s massive data collection effort on American voters, and its argument that existing civil rights laws permit it to demand that information from states in the name of election integrity.

The ruling, signed by Judge David Carter, called voting “a fundamental political right” and stated flatly: “the government’s request is unprecedented and illegal.”

Carter noted that the civil rights laws the Department of Justice cited to justify its demand for the records were “to protect hard won civil rights victories allowing access to the ballot box,” not to give the executive branch or president unfettered access to voter data.

The opinion also described the breadth and scope of the government’s request as “unprecedented,” noting it was seeking information such as names, social security numbers, home addresses, voting history and “other sensitive information” for nearly 23 million Californians. While California officials offered the federal government redacted versions of the information, DOJ’s lawsuit asked for the full, unredacted copies of the records.

“The pieces of legislation at issue in this litigation were not passed as an unrestricted means for the Executive to collect highly sensitive information about the American people,” Carter wrote. “It is not for the Executive, or even this Court to authorize the use of civil rights legislation as a tool to forsake the privacy rights of millions of Americans. That power belongs solely to Congress.”

Last September, the federal government sued California Secretary of State Shirley Weber—one of dozens of state officials facing federal lawsuits for refusing to hand over unredacted voter data. The federal government claims the lawsuits are meant to ensure “clean” voter rolls and deter noncitizen voting and voter fraud, but neither it nor Trump have ever been able to prove their claims in court.

Election and legal experts have predicted that the administration’s efforts to compel states to hand voter records over to the federal government would face serious pushback in the courts, as the constitution explicitly empowers states and Congress to manage elections.

The League of Women Voters of California, the American Civil Liberties Union, the ACLU Foundation of Northern California, and the ACLU Foundation of Southern California brought a joint countersuit on behalf of voters to halt the DOJ’s demands. The groups argued state laws and federal privacy protection prohibited the disclosure of highly sensitive voter data.

In a joint statement following the decision, the groups hailed the win and said it “affirms that the federal government is not entitled to unfettered access to private voter data.”

“Voters should never have to choose between their privacy and their fundamental right to vote,” the statement said. “States must retain authority to manage elections in ways that safeguard sensitive information, and federal agencies must respect the limits on their power.”

Carter also issued a stark warning about the impact of adopting the Trump administration’s legal logic on ballot access, saying that “the taking of democracy does not occur in one fell swoop; it is chipped away piece-by-piece until there is nothing left.”

“The case before the Court is one of these cuts that imperils all Americans,” Carter wrote. “The erosion of privacy and rolling back of voting rights is a decision for open and public debate within the Legislative Branch, not the Executive. The Constitution demands such respect, and the Executive may not unilaterally usurp the authority over elections it seeks to do so here.”

The administration’s demand to states like California “goes far beyond what Congress intended” when it passed the underlying civil rights laws cited in the government’s justification, and citizens would rightly fear that the data could be misused by “executive fiat.”

“The centralization of this information by the federal government would have a chilling effect on voter registration which would inevitably lead to decreasing voter turnout as voters fear that their information is being used for some inappropriate or unlawful purpose,” Carter wrote in his conclusion.

Convicted Bitfinex bitcoin launderer freed from prison, thanks Trump law

A hacker who pleaded guilty to conspiring to launder billions of dollars worth of bitcoin stolen in the 2016 Bitfinex hack has been released from prison, a little more than one year after being sentenced to a five-year stint.

Ilya Lichtenstein posted on X that his early release came as a result of a bipartisan 2018 law that President Donald Trump signed in his first term that was meant to reduce the federal inmate population.

“Thanks to President Trump’s First Step Act, I have been released from prison early,” he wrote last week. “I remain committed to making a positive impact in cybersecurity as soon as I can.”

The Bitfinex hack eventually led to what the Justice Department said was, at the time of the arrest of Lichtenstein in 2022, the then-biggest federal recovery and seizure of stolen bitcoin, worth $3.6 billion. Authorities accused Lichtenstein and his wife, Heather Morgan — a rapper on the side who went by the name Razzlekhan — of laundering $4.5 billion from the Bitfinex hack.

It’s a quick reversal from Lichtenstein’s sentence issued in November 2024. At the time of the arrest of the Manhattan couple, law enforcement touted its pursuit of crypto criminals.  

“Today’s arrests, and the department’s largest financial seizure ever, show that cryptocurrency is not a safe haven for criminals,” said then-Deputy Attorney General Lisa Monaco. “In a futile effort to maintain digital anonymity, the defendants laundered stolen funds through a labyrinth of cryptocurrency transactions.”

Lichtenstein on X hailed himself as a “hacker on the road to redemption,” adding, “To the supporters, thank you for everything. To the haters, I look forward to proving you wrong.”

Morgan hailed his release, too.

In response to a request for comment, a Bureau of Prisons spokesperson indicated that while Lichtenstein is out of prison, he remains in a form of confinement.

“Ilya Lichtenstein is currently in the custody of the Bureau of Prisons (BOP),” said the spokesperson, Randilee Giamusso. “Mr. Lichtenstein transferred from the Federal Correctional Institution (FCI) Allenwood Low on December 30, 2025, to community confinement overseen by the BOP’s Sacramento Residential Reentry Management (RRM) Office.

“Community confinement means the individual is in either home confinement or a Residential Reentry Center (RRC, or halfway house). He has a projected release date of January 25, 2026,” Giamusso said.

The Justice Department did not respond to a request for comment. The FBI declined to comment. A U.S. official told CNBC that Lichtenstein “has served significant time on his sentence and is currently on home confinement consistent with statute and Bureau of Prisons policies.”

Updated 1/5/26: to include comment from the Bureau of Prisons.

U.S. Sentencing Commission seeks input on criminal penalties for deepfakes

The U.S. Sentencing Commission is issuing preliminary sentencing guidelines for criminal offenses under the Take It Down Act, a law passed earlier this year to curb the spread of nonconsensual deepfake pornography.

The Take It Down Act marks one of the first major pieces of legislation passed by Congress to address AI-generated deepfakes, attracting broad bipartisan support. The legislation sailed through Congress, passing 402-2 in the House and comfortably in the Senate, despite opposition from some digital rights groups, and had the vocal support of First Lady Melania Trump.

The law’s language makes it a federal crime to publicize nonconsensual intimate or pornographic imagery of others, both real and AI-generated, and requires companies to remove any images hosted or shared on their platforms within 48 hours of receiving notice. It also empowers the Federal Trade Commission to investigate and enforce compliance. 

The legislation provides broad guidance on prison sentences and financial penalties for offenses, with digital forgers subject to fines and up to two years of imprisonment for deepfaking an adult and up to three years for a minor.

The commission proposes more specific penalties for different types of offenses, while also seeking public input on the most appropriate way to define the offense in U.S. law.

For example, the law included specific language adding new criminal offenses for deepfakes to sections of U.S. law prohibiting obscene or harassing phone calls, a nod to how much nonconsensual pornography is shared through smartphones.

That section has been updated to further define the offense as anyone using “an interactive computer service” to knowingly publish an “intimate visual depiction” of a minor and (in certain cases) adults with the intent to “abuse, humiliate, harass, or degrade” or “arouse or gratify the sexual desire of any person.”

Individuals found guilty of threatening to publish nonconsensual deepfakes of an adult would be subject to a maximum of years in prison if the threat involves “an intimate visual depiction” of them and 18 months if the deepfake is used for digital forgery. Deepfaking a minor for the purpose of digital forgery carries a maximum sentence of 30 months.

While experts have warned about the damaging potential of deepfakes for years, large language models have gotten increasingly better at developing lifelike media. As more AI deepfake tools come online, public interest groups have called for companies like OpenAI to take tools like Sora 2 offline after they were used to create scores of false cell-phone style videos depicting food stamp recipients that were later picked up by real news outlets like Fox News.

This month, the American Bar Association released a report around the use of AI in the legal sector that found courts were generally unprepared for deepfake media and the many ways it could impact the integrity of evidence presented to the court.

The deepfake changes are part of a broader package of proposed regulatory changes the U.S. Sentencing Commission is proposing, with any comments from the public accepted until Feb. 16, 2026.

NSO Group argues WhatsApp injunction threatens existence, future U.S. government work

NSO Group argued in a court filing this week that the court should pause the permanent injunction preventing it from targeting WhatsApp with its spyware while the company appeals the decision. According to the company, enforcing the injunction would cause irreparable harm to its business and prevent the U.S. government from using its products.

Those were just two of the arguments NSO Group employed in its motion to stay on Wednesday. The second argument coincides with the vendor’s recent decision to tap an ex-U.S. envoy to Israel from the first Trump administration as its executive chairman, and its confirmation of U.S. investors purchasing the company.

NSO Group repeated its claim that the Northern District Court of California’s decisions could effectively shut down the company, which makes Pegasus spyware. “NSO will suffer irreparable, potentially existential injuries if the injunction is not stayed,” it says.

But the company dived further into its reasoning. The injunction, it argues, requires the defendants to destroy code that accesses or uses the WhatsApp platform.

“The deletion and destruction of computer code and technologies cannot be undone or remedied by money damages — once these are gone, they are gone,” the NSO Group motion contends. “And the injunction prohibits NSO from engaging in entirely lawful conduct to develop, license, and sell products used in authorized government investigations — a prohibition that would devastate NSO’s business and could well force it out of business entirely.”

In the meantime, NSO Group’s competitors would have no such restrictions, the motion states. And, it says, the injunction “apparently bans NSO from selling or maintaining any technology to collect information from user devices if the target information comes from WhatsApp — even if the collection method never touches WhatsApp servers.” The effect would be to halt any NSO Group business during its appeal, the company argues.

NSO Group also maintains that the injunction goes against one of the pertinent laws in the case, the main federal anti-hacking statute: The Computer Fraud and Abuse Act.

The law “expressly excepts from the CFAA’s prohibitions ‘any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States . . . or of an intelligence agency of the United States,’” the motion states. 

A stay is in the public interest because of Pegasus’ use in combating crime and terrorism, the company added.

“Because the Court refused to carve U.S. law-enforcement operations out of the permanent injunction, that injunction would prevent the FBI (or any other U.S. or state law enforcement or intelligence agency) from entering into another such license for any existing version of Pegasus,” the motion reads. “Regardless of whether the FBI or any other U.S. government agency has made direct, operational use of the system in the past, allowing the injunction to go into effect would thus deprive U.S. law enforcement of the ability to use the system in the future.”

The FBI once purchased a license for Pegasus and reportedly flirted with deeper involvement with NSO Group.

The second Trump administration earlier rebuffed an attempt by NSO Group to get the company removed from a Commerce Department trade blacklist. That decision came before the company’s recent U.S.-flavored moves, however.

Google, researchers see signs that Lighthouse text scammers disrupted after lawsuit

The phishing kit Lighthouse, which has aided text scams like those soliciting victims to pay unpaid road tolls, appears to have been hampered shortly after Google filed a lawsuit aimed at its creators.

Google said on Thursday that Lighthouse had been shut down. Two other organizations that have tracked the suspected Chinese operators of Lighthouse said they saw signs it had at least been disrupted.

“This shut down of Lighthouse’s operations is a win for everyone,” said Halimah DeLaine Prado, general counsel at Google. “We will continue to hold malicious scammers accountable and protect consumers.”

Members of the syndicate, known to some by the name Smishing Triad, had been corresponding on Telegram channels.

“We can confirm that all Lighthouse Telegram channels previously tracked have been deleted or taken down due to Telegram TOS violations,” Kasey Best, the director of threat intelligence at Silent Push, told CyberScoop. “We are tracking many websites still active and using Lighthouse kit code, as well as phishing kits used by other Smishing Triad threat actors, but there could be backend changes with Lighthouse or other disruptions in this criminal ecosystem which are just starting to be seen.

“Either way, this is a positive sign for Google’s lawsuit, and we look forward to increased pressure against smishing threat actors based mostly in China,” Best continued.

Ford Merrill, lead researcher at SecAlliance, told CyberScoop that it “can confirm that several domains historically associated with Lighthouse infrastructure appear to no longer be resolving to DNS requests at present.”

Google filed its lawsuit in the U.S. District Court for the Southern District of New York. They allege that 25 unnamed individuals behind Lighthouse have violated racketeering, trademark and anti-hacking laws with their prolific SMS phishing, or “smishing,” platform.

While White House demands deterrence, Trump shrugs

The Trump administration’s top cyber officials have emphasized the urgent need to take aggressive action to deter increasingly brazen foreign cyberattacks. Trump himself, however, has repeatedly brushed aside the notion that foreign cyber activity is anything even really noteworthy.

When Trump’s team talks about foreign hacking, be it China’s alleged massive cyberespionage campaign against telecommunications companies or its efforts to take root in U.S. critical infrastructure, they insist the actions can’t be tolerated and must be deterred.

“We need to find some way to communicate that this is not acceptable,” Alexei Bulazel, senior director for cybersecurity at the National Security Council, said in May when asked about the groups thought to be behind those campaigns, Salt Typhoon and Volt Typhoon.

More recently, last month, National Cyber Director Sean Cairncross cast a wider net about foreign adversaries who want to “do us harm,” saying, “To date I don’t think the United States has done a tremendous job of sending the signal, in particular to China, that their behavior in this space is unacceptable.”

Trump, by contrast, has framed all that differently, to the point of dismissiveness.

Asked in June about Chinese hacking of U.S. telecoms, theft of intellectual property and more, Trump answered, “You don’t think we do that to them? We do. We do a lot of things. … That’s the way the world works. It’s a nasty world.”

Asked in August about whether he would discuss alleged Russian hacking of U.S. courts with Vladimir Putin, Trump replied, “I guess I could, are you surprised? … They hack in, that’s what they do. They’re good at it, we’re good at it, we’re actually better at it.”

The gulf between what Trump says about cyber compared to what his top deputies say provokes a variety of reactions from cyber experts and former officials. It sends mixed signals to adversaries, some say, while others say it might just reflect facts of life about today’s cyber environment or a president who doesn’t behave or think conventionally.

At the same time, Trump’s casual messaging about cyber may reflect a broader trend of nations increasingly treating cyber operations as a routine instrument of power.

A need for consistency?

A lack of consistency between the president and his personnel muddles a clear message to adversaries, and downplaying cyberattacks is unwise, said Christopher Painter, who served as the top State Department cyber official under President Obama.

“Either cyber and cyberattacks are a priority or they’re not, and it’s [a] problem if you communicate they’re not serious by saying, ‘Oh, we don’t care now,’” said Painter, now a nonresident senior adviser at the Center for Strategic and International Studies. Cyberattacks are serious, he said, and “We need to say it, and we need to be consistent about it, and we need to make sure we take it seriously. So I am concerned that it undermines the narrative that I think we need.”

Trump downplayed foreign cyber activity during his first term, too, both publicly and privately, in the latter case shunting away an adviser while the president tried to watch a golf tournament by saying “You and your cyber … are going to get me in a war — with all your cyber s—t.” According to Painter, Trump often links the issue to Russian interference in the 2016 presidential election, a subject he resents because he believes it undermines the legitimacy of his presidency.

But Painter also noted Trump wasn’t the first to downplay any kind of foreign cyber activity, with former Director of National Intelligence James Clapper remarking about the 2015 Office of Personnel Management hack, “You have to kind of salute the Chinese for what they did. If we had the opportunity to do that, I don’t think we’d hesitate for a minute.”

Clapper also drew a line between the OPM breach, which he said was “passive intelligence collection activity” and a full-fledged cyberattack. There’s a long-lasting debate over whether cyberespionage constitutes a cyberattack.

Trump officials, too, have emphasized they’re more worried about the activity of Volt Typhoon, with its potential for disruption, than that of Salt Typhoon, which is more espionage-focused.

Some analysts acknowledge that Trump has a point when he dismisses cyberespionage as a fact of modern life rather than something that requires retaliation. “My own experience says that it’s extremely difficult, if not impossible, to deter espionage,” said Michael Daniel, who held the White House’s top cyber position under Obama and is now president of the Cyber Threat Alliance.

Any threat in an attempt to deter cyberespionage has to be credible to be effective, said Erica Lonergan, an assistant professor at Columbia University’s School of International and Public Affairs. And there are a few things working against the United States making credible threats.

“We do it, because we all do it, and everyone knows we do it,” she said. Next, the potential consequence has to be more harmful than the value of cyberespionage, which is extremely useful to have. “We’re not going to go to war over cyberespionage. No matter how many times a member of Congress calls it an act of war or not, we didn’t go to war over the spy balloon.”

Yet other analysts read Trump’s comments on foreign cyber activity differently. He might have an aggressive reaction to a more clearly damaging attack than the incidents he’s downplayed, said James Siebens, a fellow with Stimson Center’s Strategic Foresight Hub.

“If we were talking about a genuinely destructive cyberattack that cost people’s lives, I would imagine that there would be a fairly forceful response,” said Siebens, who recently co-authored a study on cyber deterrence. “My view is that President Trump was doing something that he often does, which is to state plainly things that make people uncomfortable, but are nonetheless observable and rooted in an important truth.”

Richard Harknett, director of the Center for Cyber Strategy and Policy at the University of Cincinnati, took Trump’s recent remarks as a comment more on the potency of U.S. capabilities compared to its adversaries.

“It wasn’t sort of a complacency, it was more confidence,” said Harknett, who served as the first scholar-in-residence at United States Cyber Command and National Security Agency beginning in 2016. Of course, he said, “The president tends to speak in confident terms regardless.”

Daniel said that some contradictions between Trump and his cyber team are to be expected. Different officials are bound to have differences of opinion, including in the Trump administration, which has hardly been a “paragon of consistency” in its messaging to the world, he said. Daniel added that deterrence is a challenge for every administration; throughout history, the United States has often threatened not to tolerate certain actions, but then failed to respond when those actions occurred.

Several experts said they were willing to give the administration time to iron out any potential contradictions. Harknett said it’s hard to read too much into public comments alone right now. More important, Harknett and others said, will be what the administration says in a forthcoming cyber strategy.

A global trend?

Trump is not the only world leader in recent months to speak about his nation’s cyber activity in a more casual manner. At the beginning of this month, Chinese President Xi Jinping and South Korean President Lee Jae Myung joked about the security of a cell phone gift that Xi gave his counterpart, which ended in Xi quipping, “You can check if there’s a backdoor.”

It was “weird for Xi, especially because the Chinese are loath to ever admit they do anything,” Painter said, even if he was joking.

The openness about cyber doesn’t end there, extending to a number of cases where nations that historically haven’t pointed the finger at other countries over alleged cyberattacks are more willing to do so by releasing technical analyses.

“We’re starting to see more non-Western countries, and notably China, making attributions back now,” said Allison Pytlak, director of the Cyber Program at the Stimson Center think tank and the co-author of the deterrence report with Siebens. Singapore recently made its first cyber attribution as well.

Trump officials have been touting offensive operations, which used to be a topic of very little public discussion. And other nations have been growing more open about cyber operations, from Japan’s recent active cyber defense legislation to Australia establishing its own Cyber Command last year.

“There is more openness about cyber in general, the strategic level, in terms of leaders being willing to talk about cyberespionage, cyber offense,” Lonergan said. “No one talked about cyber offense in the U.S. government for years.”

That openness could turn out to be a good thing, Pytlak said. It could “spark debate” in the public about the very nature of cyber, about the differences between the harm espionage causes and the kind of national security threat other kinds of activity pose.

The post While White House demands deterrence, Trump shrugs appeared first on CyberScoop.

Google files lawsuit against Lighthouse ‘phishing for dummies’ text scammers

Google on Wednesday filed a lawsuit against pesky text message scammers — like those who flood targets with notices that they have unpaid road tolls, or have a package waiting — in an attempt to disrupt a “phishing for dummies” operation the company accuses of victimizing more than 1 million people.

The lawsuit against 25 unnamed individuals believed to reside in China takes aim at those behind the phishing-as-a-service kit known as Lighthouse and its “staggering” scale.

“Defendants are a group of foreign cybercriminals who have engaged in relentless phishing attacks against millions of innocent victims, including Google customers, to steal personal and financial information,” the lawsuit filed in the U.S. District Court for the Southern District of New York reads. “These attacks have collectively swindled innocent victims out of millions of dollars and harmed Google through the unauthorized use of its trademarks and services.”

Google alleges that the defendants violated multiple laws in their SMS phishing, or “smishing,” operation: the Racketeer Influenced and Corrupt Organizations Act, the Lanham Act that governs trademark law and the main federal anti-hacking statute, the Computer Fraud and Abuse Act. Some of the smishing messages make use of Google product logos, and target Google customers.

The civil suit seeks a temporary restraining order and damages against the unnamed individuals. Google is asking the court to compel hosting providers to block Lighthouse-connected IP addresses and fraudulent domains from using those services. The company also hopes that it can help raise user awareness by filing the suit.

Other organizations have tracked the scope of Lighthouse and its ilk. One firm found that in a 20-day period, 200,000 Lighthouse-created websites attracted more than 1 million victims in 121 countries.

Another said that between July 2023 and October 2024, Chinese smishing syndicates compromised between 12.7 million and 115 million payment cards in the United States alone. Over that same timeframe, Google’s suit states, Lighthouse users also launched 32,094 distinct U.S. Postal Service phishing sites.

“The scam is simple: criminals send a text message, prompting recipients to click a link and share information such as email credentials, banking information and more,” Google explained in a blog post announcing the suit. “They exploit the reputations of Google and other brands by illegally displaying our trademarks and services on fraudulent websites.”

In addition to the lawsuit, Google on Wednesday endorsed three bills from House and Senate members to combat fraud. Those bills are the Guarding Unprotected Aging Retirees from Deception (GUARD) Act, which would permit state and local law enforcement to use federal grants to investigate financial scams aimed at retirees; the Foreign Robocall Elimination Act, which would create a task force to fight foreign-originated robocalls; and the Scam Compound Accountability and Mobilization (SCAM) Act, which would direct an executive branch national strategy to counter scam compounds.

“Legal action can address a single operation; robust public policy can address the broader threat of scams,” Halimah DeLaine Prado, general counsel for Google, wrote in the blog post.

The post Google files lawsuit against Lighthouse ‘phishing for dummies’ text scammers appeared first on CyberScoop.
