As strikes continue on Iran’s nuclear facilities, the real danger isn’t the explosion, but what happens if critical safety systems fail—and how that risk could spread across the Gulf.

A conversation between Cisco Talos and Cisco Security leaders on identity, vulnerabilities, and what defenders should focus on in 2025.

We’re proud to share that McAfee’s “Keep It Real” campaign has been named a finalist in the 2026 Shorty Awards Social Good Campaign category. 

This category recognizes work that doesn’t just perform, it matters: campaigns that raise awareness, inspire action, and make a real-world impact. 

That’s exactly what “Keep It Real” set out to do. 

Because behind every scam statistic is a person who thought they were making the right call. And too often, what follows isn’t just financial loss. It’s embarrassment, silence, and stigma. 

We wanted to change that. 

The campaign launched alongside McAfee Scam Detector to address a growing reality: scams powered by AI are becoming harder to recognize and easier to fall for. 

“Keep It Real” paired real survivor stories with AI-driven protection to show how scams actually happen and how people can stop them in the moment. 

The goal was simple: 

• Normalize the experience  
• Remove shame around being scammed 
• Help more people recognize scams faster  

Because when people feel safe talking about scams, they’re more likely to spot them and stop them. 

What Are the Shorty Awards? 

The Shorty Awards honor the best work in social media, digital campaigns, and online storytelling across brands, creators, and organizations. 

Now in their 18th year, the awards recognize campaigns that combine creativity, impact, and real-world relevance. Finalists are selected alongside leading global brands and judged on both industry evaluation and public voting. 

How McAfee’s Scam Detector Fits In 

McAfee’s Scam Detector is designed to help people identify scams across everyday digital moments. 

It uses AI to fight AI by flagging suspicious: 

• Text messages and emails  
• QR codes and links  
• Social media messages  
• AI-generated and deepfake content  

By combining automatic detection with clear guidance, Scam Detector helps people better understand what they’re seeing and decide what to trust. 

Real Stories Behind the Campaign 

A core part of “Keep It Real” was giving space to people who experienced scams to share what happened, in their own words. 

These stories helped show that scams can happen to anyone and played a key role in breaking the stigma around being targeted. 

 

This recognition reflects the work across McAfee teams who built and brought this campaign to life, including product, engineering, research, creative, and communications. 

It also reflects the individuals who chose to share their real scam stories to help others recognize scams, stay safer, and end the shame and stigma around being scammed. 

Support the Campaign 

The Shorty Awards include a public voting component. 

If you’d like to support the campaign, you can vote here:
https://shortyawards.com/18th/keep-it-real-mcafees-ai-scam-media-relations-campaign 

Voting is open through April 8, and you can vote once per day. 

The post McAfee’s “Keep It Real” Campaign Named Shorty Awards Finalist appeared first on McAfee Blog.

A WIRED analysis of DHS records identified dozens of specialized federal agents who used force against US civilians during the largest known deployment of its kind in US history.

Fraudsters often target the accounts of the deceased or their grieving relatives. Here’s how to keep the scammers at bay.

submitted by /u/albinowax
[link] [comments]

As DarkSword spreads, Apple tells WIRED it will enable iOS 18-specific fixes for millions of iPhone owners who remain on that iOS version rather than force them to update to iOS 26.

Tech giants like Apple, Google, and Microsoft are among those on a target list released by Iran’s Islamic Revolutionary Guard Corps.

The GPS Next-Generation Operational Control System was due for completion in 2016. Ten years later, the software for controlling the military’s GPS satellites still doesn’t work.

The past four weeks have seen a slew of new cybersecurity wake-up calls that showed why every organization needs a well-thought-out cyber-resilience plan

Vessels are increasingly being abandoned during the war on Iran, revealing a hidden failure in the global systems that keep goods—and people—moving.

McAfee’s mobile research team has uncovered a large-scale Android malware campaign we’re tracking as Operation NoVoice.

The campaign was distributed through more than 50 apps previously available on Google Play, disguised as everyday tools like cleaners, games, and photo utilities. Together, the apps were downloaded more than 2.3 million times, though it’s unclear how many devices may have been impacted.

If the attack succeeds, the malware can gain deep control of a device, allowing attackers to inject malicious code into apps as they are opened and access sensitive data.

However, the most serious impact depends on the device. 

On older or unpatched Android devices, the malware can install a highly persistent form of infection that may survive a standard factory reset. Newer Android devices with up-to-date security protections are not vulnerable to the root exploit observed in this campaign, though they may still be exposed to other types of malicious activity from these apps.

In other words, on vulnerable devices, the malware can behave like a kind of digital “zombie,” continuing to operate in the background even after a reset.

Want the full technical breakdown? Dive into the McAfee Labs research here. 

We break down what you need to know below: 

How “Operation NoVoice” Works 

Operation NoVoice is what security experts call a rootkit malware attack. 

A rootkit is a type of malware designed to gain deep, privileged control of a device while hiding its presence from the user and the operating system’s normal security tools. 

Breaking the term down: 

• “Root” refers to the highest level of access on a system (administrator-level control). 
• “Kit” refers to a collection of tools used by an attacker to maintain that control. 

Put simply, a rootkit allows attackers to operate underneath the normal apps and security protections on a phone, giving them powerful control while staying difficult to detect.

In the case of Operation NoVoice, the attack unfolds in several steps. 

1) A normal-looking app starts the attack

The campaign began with apps that appeared harmless on the Google Play Store. These apps advertised themselves as tools like phone cleaners, puzzle games, or gallery utilities. 

When a user downloaded and opened one of these apps, it appeared to work normally. There are no obvious signs to the user that anything is wrong. 

2) The malware quietly checks the device

Behind the scenes, the app contacts a remote server controlled by the attackers. 

The server collects information about the device, things like its hardware, operating system version, and security patch level. Based on that information, the attackers send back custom exploit code designed for that specific device.

3) The attack gains deep system access

If the exploit succeeds, the malware gains root-level access to the device.

At that point, the attackers can install additional malicious components and modify parts of the Android operating system itself. 

4) Every app on the phone can be affected

Once the rootkit is installed, it modifies a core Android system library that every app relies on. 

This allows attacker-controlled code to run inside any app the user opens. 

That means the attackers could potentially access data from messaging apps, financial apps, or social media apps without the user noticing. 

5) The malware can remain even after a reset

Operation NoVoice also includes persistence mechanisms designed to keep the malware active. 

In some cases, the infection could survive a standard factory reset, because the malicious components modify parts of the system software that resets typically do not replace.

Fully removing the infection may require reinstalling the device’s firmware, something most users cannot easily do themselves.

*To be clear, these apps have been removed from Google Play and are no longer available for download. 

Why The Name “Operation NoVoice” 

The name Operation NoVoice comes from a hidden component inside the malware itself. 

Researchers discovered a resource labeled “novioce” embedded in one of the attack’s later stages. The file contains a silent audio track that plays at zero volume. 

This may seem strange, but it serves a purpose. 

By continuously playing silent audio in the background, the malware can keep a foreground service running without drawing attention. This allows the malicious code to remain active while appearing harmless to the operating system. 

The researchers believe the name “novioce” is likely a misspelling of “no voice,” referring to the silent audio trick used to keep the malware running. 

How To Stay Safe from Malware Disguised as Apps 

Operation NoVoice highlights an important reality: even apps that appear legitimate can sometimes hide malicious behavior. 

Fortunately, there are several steps users can take to reduce their risk. 

Be cautious with unfamiliar apps 

Even if an app appears on the Google Play Store, it’s still important to review: 

• the developer’s name 
• the number of downloads 
• recent user reviews (check for negative reviews) 

Apps with very few reviews, vague descriptions, or suspicious developer accounts can sometimes be part of malware campaigns. And exercise even greater caution with apps promoted through advertisements or that create a a sense of urgency.  

Keep your phone updated 

Many attacks rely on exploiting known vulnerabilities in older versions of Android. 

Installing system updates and security patches helps reduce the chance that these exploits will work.

Remove apps you don’t recognize 

If you notice apps on your device that you don’t remember installing, review them carefully and remove anything suspicious. 

Keeping your phone’s app list clean reduces the potential attack surface. 

Use mobile security protection 

Mobile security software can help detect suspicious behavior and block known malware. 

For example, McAfee Mobile Security detects this threat as Android/NoVoice and can warn users if a malicious app is identified.  

McAfee offers more than traditional antivirus, combining multiple layers of digital protection in one app  

• Scam Detector to help flag suspicious messages and links  
• Safe Browsing tools to help block risky websites  
• VPN to keep your connection private on public Wi-Fi  
• Identity Monitoring and Alerts to notify you if your personal information appears where it shouldn’t  
• Personal Data Cleanup to help remove your information from high-risk data broker sites  
• Device and Account Security to help protect the things you use most 

What Operation NoVoice Tells Us About the Future of Mobile Threats 

Operation NoVoice highlights how mobile malware is evolving. Instead of obvious malicious apps, attackers are increasingly hiding their operations inside ordinary-looking tools distributed through legitimate app stores.

What makes this campaign particularly concerning isn’t just the number of downloads or the technical complexity. It’s the way the malware combines several advanced techniques, device-specific exploits, modular plugins, and deep system persistence, into a single attack chain.

That approach allows attackers to quietly turn an everyday app download into long-term control of a device.

That’s why keeping devices updated, reviewing apps carefully, and using mobile security protection are becoming increasingly important. As Operation NoVoice shows, today’s malware isn’t just trying to get onto devices; it’s trying to stay there. 

The post Operation NoVoice: Android Malware Found in 50+ Apps Can Hijack Devices appeared first on McAfee Blog.

Authored By: Ahmad Zubair Zahid 

McAfee’s mobile research team identified and investigated an Android rootkit campaign tracked as Operation Novoice. The malware described in this blog relies on vulnerabilities Android made patches available for in 2016 – 2021. All Android devices with a security patch level of 2021-05-01 or higher are not susceptible to the exploits that we were able to obtain from the command-and-control server. However patched devices that downloaded these apps could have been exposed to unknown potential payloads outside of what we discovered. The attack begins with apps that were previously available on Google Play that appear to be simple tools such as cleaners, games, or gallery utilities. When a user downloaded and opened one of these apps, it appeared to behave as advertised, giving no obvious signs of malicious activity.  

In the background, however, the app contacts a remote server, profiles the device, and downloads root exploits tailored to that device’s specific hardware and software. If the exploits succeed, the malware gains full control of the device. From that moment onward, every app that the user opens are injected with attacker‑controlled code.  

This allows the operators to access any app data and exfiltrate it to their servers. One of the targeted apps is WhatsApp. We recovered a payload designed to execute when WhatsApp launches, gather all necessary data to clone the session, and send it to the attacker’s infrastructure.   

On older, unsupported devices (Android 7 and lower) that no longer receive Android security updates as of September 2021, this rootkit is highly persistent; a standard factory reset will not remove it, and only reflashing the device with a clean firmware will fully restore the device.   

In total, we identified more than 50 of these malicious apps on Google Play, with at least 2.3 million downloads.  

McAfee identified the malicious apps, conducted the technical analysis, and reported its findings to Google through responsible disclosure channels. Following McAfee’s report, Google removed the identified apps from Google Play and banned the associated developer accounts. McAfee is a member of the App Defense Alliance, which supports collaboration across the mobile ecosystem to improve user protection. McAfee Mobile Security detects this malware as a High-Risk Threat. For more information, and to get fully protected, visit McAfee Mobile Security.  

Background And Key Findings

Android malware has been moving toward modular frameworks that update themselves remotely and adapt to each device. Campaigns like Triada and Keenadu have shown that replacing system libraries gives attackers persistence to survive factory resets. BADBOX has shown that backdoors pre-installed through the supply chain can reach millions of devices. Recent research has confirmed links between several of these families, suggesting shared tooling rather than isolated efforts. 

NoVoice fits both trends but does not rely on supply chain access. It reaches devices through Google Play and achieves the same level of persistence through exploitation. McAfee’s investigation revealed the following key findings: 

• All carrier apps were distributed through Google Play. No sideloading required, no user interaction beyond opening the app. 
• C2 infrastructure remains active at the time of publication. 
• The C2 server profiles each device and delivers root exploits matched to its hardware and software version. 
• The rootkit overwrites a core system library, causing every app on the device to run attacker code at launch. 
• The infection survives factory reset and can only be removed by reflashing the firmware. 
• The chain is fully plugin-based. Operators can push any payload to any app on the device at runtime. 
• The only task we recovered clones WhatsApp sessions, but the framework is designed to accept any objective.

Naming  

The name comes from R.raw.novioce, a silent audio resource embedded in one of the later-stage payloads. It plays at zero volume to keep a foreground service alive, abusing Android’s media playback exemption. We believe it is a deliberate misspelling of “no voice.” 

Distribution Method 

All carrier apps were distributed through Google Play and request no unusual permissions. Their manifests include the same SDKs any legitimate app would (Firebase, Google Analytics, Facebook SDK, AndroidX). The malicious components are registered under tampered com.facebook.utils, blending in with the real Facebook SDK classes the apps already include.  

The initial payload is embedded in the app’s asset directory as a polyglot image. This means the file displays and renders a normal image, but a deeper inspection reveals that the encrypted malicious payload is appended after the PNG IEND marker. Since that marker signals to image viewers that the image data ends there, the appended payload remains hidden during normal viewing.

Geographical Prevalence 

The geographical prevalence map shows the highest infection rates in Nigeria, Ethiopia, Algeria, India, and Kenya, regions where budget devices and older Android versions that no longer receive security updates are common. 

Malware Analysis

The following breakdown walks through each stage of the chain in order, from the moment a user opens the app to the moment stolen data leaves the device. No single file contains the full chain. Each stage decrypts and loads the next, most are delivered from the server at runtime. 

Stage 1: The Delivery

The moment the app opens, code injected into the legitimate Facebook SDK initialization path runs automatically. No user interaction is needed. It first checks whether the device has already been processed and, in most samples, whether it is running Android 12L or below. A subset of the carrier apps skips the version check entirely. If either check fails, it stops and logs a message disguised as a Facebook SDK error: “FacebookSdk: Failed in initStore.” 

If the device was already processed, the code cleans up files assumed to be left behind by previous runs, including paths that do not belong to any standard Android component. None of these are visible to the user. 

If the checks pass, the app reads a polyglot image from its own assets’ directory, extracts the encrypted payload (enc.apk) hidden after the image data, decrypts it to produce h.apk, and loads it into memory. It then deletes all intermediate files, temporary directories. 

Stage 2: The Gatekeeper 

The decrypted payload (h.apk) loads a native library (libkwc.so) that controls the rest of this stage. It first verifies it is running inside the intended carrier app by checking the package name and signing certificate against hardcoded values. It also checks whether the app is running in a debug environment. 

libkwc.so contains two encrypted embedded payloads. The first (sec.jar) is a gate designed to detect analysis environments. It runs 15 checks, including emulator detection, root indicators, debuggers, VPN and proxy connections, Xposed hooks, and GPS geofencing. If any check fails, the chain stops silently. The geofence compares the device’s location against bounding boxes for Beijing and Shenzhen hardcoded in the native library and excludes devices confirmed to be inside them. If the app does not have location permission, it cannot determine the device’s position and defaults to letting the chain continue. Two brands get special treatment: on Gionee devices, all checks except the geofence are skipped; on Meizu devices, the chain follows a separate code path entirely. Gionee devices have a documented history of shipping with pre-installed malware through supply chain compromise. 

Only if all checks in sec.jar pass does libkwc.so decrypt and load the second payload (hex.jar), which begins contacting the C2 server. If the gate fails, it deletes the working directory and stops. 

Stage 3: The Plugin 

Once the gate passes, hex.jar sets up a plugin framework built on an internal codebase the authors refer to as “kuwo” in their package names. It checks in with a C2 server every 60 seconds. Updates are delivered the same way as the initial payload: as image files with encrypted data hidden after the image content. The server returns download URLs in a response field named warningIcon, disguising plugin downloads as icon fetches. A log-deletion routine runs alongside the framework to remove forensic traces from the device. 

The first plugin delivered (rt) acts as an orchestrator. It manages sub-plugins and handles C2 communication. It checks in with the server, sending over 30 device identifiers including hardware model, kernel version, installed packages, and whether the device has already been rooted. The campaign’s name comes from this plugin: it embeds a silent audio resource named R.raw. novioce. 

The checkin tells the server two things: who this device is and whether it has already been rooted. If it has not, rt_plugin downloads security.jar, moving the chain into root exploitation. 

Stage 4: The Exploit 

security.jar first checks whether the device is already rooted. If it has been, it stops. For unrooted devices, it sends the device’s chipset, kernel version, security patch date, and other identifiers to the C2. The server responds with a list of exploit binaries matched to that specific device. 

Before running any exploit, the rootkit installer (CsKaitno.d) is decrypted from an embedded resource and written to disk. The rootkit is already in place before any exploit runs. 

The exploits are downloaded one at a time from the C2’s CDN, each encrypted and verified before execution. We recovered 22 exploits in total. Our deep analysis of one revealed a three-stage kernel attack: an IPv6 use-after-free for kernel read, a Mali GPU driver vulnerability for kernel read/write, and finally credential patching and SELinux disablement. 

The expected end result is the same across all exploits: a root shell with SELinux disabled. From that shell, the exploit loads CsKaitno.d. This is where exploitation ends and persistence begins. 

Stage 5: The Rootkit 

CsKaitno.d carries four encrypted payloads: library hooks for ARM32 and ARM64 (asbymol and bdlomsd), a bytecode patcher (jkpatch), and a persistence daemon (watch_dog). It first removes files associated with possible competing rootkits, then decrypts and writes its own payloads to disk. 

The installer backs up the original libandroid_runtime.so and replaces it with a hook binary matched to the device’s architecture. It also replaces libmedia_jni.so. The replacements are not copies of the original libraries. They are wrappers that intercept the system’s own functions. When any hooked function runs, it redirects to attacker code. 

After replacing the libraries, jkpatch modifies pre-compiled framework bytecode on disk. This is a second layer of persistence: even if someone restores the original library, the framework’s own compiled code still contains the injected redirections

Stage 6: The Watchdog 

To survive reboots, the installer replaces the system crash handler with a rootkit launcher, installs recovery scripts, and stores a fallback copy of the exploitation stage on the system partition. If any component is removed, the rootkit can reinstall itself. 

It then deploys a watchdog daemon (watch_dog) that checks the installation every 60 seconds. If anything is missing, it reinstalls it. If that fails repeatedly, it forces a reboot, bringing the device back up with the rootkit intact. 

After cleaning up all staging files, the installer marks the device as compromised. On the next boot, the system’s process launcher (zygote) loads the replaced library, and every app it starts inherits the attacker’s code. 

Stage 7: The Injection 

On the next boot, every app on the device loads the replaced system library. The injected code decides what to do based on which app it is running inside. Two payloads activate depending on the app. The malware authors named them BufferA and BufferB in their own code. Both are embedded as fragments inside the replaced libandroid_runtime.so from Stage 5, assembled in memory at runtime, and deleted from disk immediately after loading, leaving no files behind. BufferA runs inside the system’s package installer and can silently install or uninstall apps. BufferB runs inside any app with internet access. 

BufferB is the campaign’s primary post-exploitation tool. It operates two independent C2 channels with separate encryption keys and beacon intervals. Both channels send device fingerprints to the C2 and receive task instructions in return. 

If all primary domains fail and three or more days pass without contact, a fallback routine activates between 1 and 4 AM, reaching out to api[.]googlserves[.]com for a fresh domain list. Because BufferB runs inside any app with internet access, it can be active in dozens of apps simultaneously on a single device. 

Stage 8: The Theft 

The only task payload we recovered is PtfLibc, delivered to BufferB from Alibaba Cloud OSS. Its target is WhatsApp. 

PtfLibc copies WhatsApp’s encryption database, extracts the device’s Signal protocol identity keys and registration ID, and pulls the most recent signed prekey. It also reads 12 keys from WhatsApp’s local storage, including the phone number, push name, country code, and Google Drive backup account. For the client keypair, it tries multiple decryption methods depending on how the device stores the key. 

It sends the stolen data to api[.]googlserves[.]com through multiple layers of encryption and deletes the temporary database copy when done. 

With these keys and session data, an attacker can clone the victim’s WhatsApp session onto another device. 

Infrastructure 

The campaign spreads its C2 communication across multiple domains, each serving a different function. 

fcm[.]androidlogs[.]com handles initial device enrollment. Once the plugin framework activates, stat[.]upload-logs[.]com takes over as the primary C2 for plugin delivery, device checkin, exploit distribution, and result reporting. config[.]updatesdk[.]com serves as its fallback. Exploit binaries are hosted separately on download[.]androidlogs[.]com, with an S3-accelerated endpoint (logserves[.]s3-accelerate[.]amazonaws[.]com) as the primary CDN. This endpoint returned 403 errors during our analysis. 

Task payloads for BufferB are hosted on Alibaba Cloud OSS (prod-log-oss-01[.]oss-ap-southeast-1[.]aliyuncs[.]com). PtfLibc beacons to api[.]googlserves[.]com, a domain designed to look like Google service traffic at a glance. 

The domain separation is deliberate. Taking down one domain does not affect the others. The C2 can update BufferB’s domain lists at runtime, and a fallback routine fetches fresh domains from hardcoded backup endpoints if all configured domains go silent for three or more days. 

Recommendations 

Because the rootkit writes to the system partition, a factory reset does not remove it. A reset wipes user data but leaves system files intact. Compromised devices require a full firmware reflash to return to a clean state. Blocking the C2 domains and beacon patterns listed in this report at the network level can disrupt the chain at multiple stages. 

Attribution  

Several indicators link NoVoice to the Android.Triada family. The property (os.config.ppgl.status) NoVoice sets to mark a device as compromised is a known indicator of compromise for Android.Triada.231, a variant that uses the same property to track installation state. Both NoVoice and Triada.231 persist by replacing libandroid_runtime.so and hooking system functions so that every app runs attacker code at launch. Whether NoVoice is a direct evolution of Triada.231, a fork of its codebase, or a separate group reusing proven techniques, the shared approach suggests access to a common toolchain. 

Conclusion 

What makes NoVoice dangerous is not any single technique. It is the engineering effort behind the full chain: a self-healing pipeline that goes from a Play Store install to code execution inside every app on the device, survives factory reset, and monitors its own installation. The operators built a delivery system, an infrastructure. 

We recovered one task. The framework is designed to accept any number of them, for any app, at any time. The C2 infrastructure remains active. We do not know what other objectives have been deployed before, during, or after our analysis. The WhatsApp session theft we observed may be the least of it. 

The rootkit’s persistence model, overwriting a system library inherited by every process, patching pre-compiled framework bytecode, and monitoring its own installation with a watchdog, makes remediation difficult. 

This research underscores McAfee’s ongoing role in identifying advanced mobile threats and working with platform partners to protect users before large‑scale harm occurs. 

References 

https://www.kaspersky.com/blog/triada-trojan/11481/ 

https://www.kaspersky.com/about/press-releases/kaspersky-discovers-keenadu-a-multifaceted-android-malware-that-can-come-preinstalled-on-new-devices 

https://www.humansecurity.com/learn/blog/badbox-peachpit-and-the-fraudulent-device-in-your-delivery-box/ 

Indicators of Compromise 

Command and Control Servers 

api.googlserves[.]com 

api.uplogconfig[.]com 

avatar.ttaeae[.]com 

awslog.oss-accelerate.aliyuncs[.]com 

check.updateconfig[.]com 

config.googleslb[.]com 

config.updatesdk[.]com 

dnskn.googlesapi[.]com 

download.androidlogs[.]com 

fcm.androidlogs[.]com 

log.logupload[.]com 

logserves.s3-accelerate.amazonaws[.]com 

prod-log-oss-01.oss-ap-southeast-1.aliyuncs[.]com 

sao.ttbebe[.]com 

stat.upload-logs[.]com 

upload.crash-report[.]com 

nzxsxn.98kk89[.]com 

98kk89[.]com 

Carrier App Samples 

03e62ac5080496c67676c0ef5f0bc50fc42fc31cf953538eda7d6ec6951979d8,com.filnishww.fluttbuber.storagecleaner, 

066a096a3716e02a6a40f0d7e6c1063baecbebc9cbcc91e7f55b2f82c0dad413,com.wififinder.wificonnect, 

0751decd391fa76d02329b0726c308206e58fc867f50283aa688d9fe0c70e835,com.wuniversal.lassistant, 

07a9d41c1c775def78a017cf1f6e65266382e76de0f05400b3296e2230979664,com.dynamicpuzzle.cvbfhf, 

0f28c49b24070a36dec09dd9d4b768e1ef6583b4891eca2e935a304ce704fcce,com.wgoddessg.sgallery, 

106edd06b6961c3d38edfefd2869ee05285f11b68befe145b124794d0e79e766,com.crazycodes.blendphoto, 

183e9174e51786be77d1341bcf7f05514f581823532028119c5844a8a5111848,com.colorbrickelim.inationl, 

1e0376330ff9e97f798870da8433c81e39f3591c82497ca1f6b5f00878d0221a,com.crazycodes.photomotion, 

1e7fe0ae7546162f23ff4f6e570f51b38562bf4f0ffd9305533b43d19574be38,com.swiftc.tcleans, 

1e8b048c8d32662f340787893d9ca824b039c14fb91bcc16e185a8bb872e0b80,com.mybatice.googcomlayou.phonecleaner, 

224e2395d3df96cf19e0b7be9731452da5b568026d81bd0981e48893f6a66859,com.glamorousg.sgoddesslys, 

2c2c965f3d091693bc6906fc2ed8d03ffccb84e0665841f2d073c2f0a09261bc,com.myapps.gooble.mobile1.maxclean, 

30504104f232a990f8226ff746b1718aafb727ce111d5a538962cc5e06c4259a,com.mybatice.smartersleep.junkfiles, 

3937b0bec287662fd82fca4693c8b3619b8c61eca7fe6efa7540c1ae291f8759,com.crazycodes.beautycam, 

4830a985f064974e6b5d19ae95d645d01fb57edd975a4fce5a1453c2ada70d4e,com.khanbro.gamestation, 

4f7825647bab001298f768302d0eeb6e0d639d401dc8b5bf60a4b9841a93c980,com.wBoothCash_18748294, 

4fbf1906fe02745cbf0350563440e9a05d19cd4a27c4fb6b67436392a18a0cd4,com.steppay.yrewards, 

54224288aa9fa3d4281fb91ad7b202fbc3e5708b173e319b6b450ad15bcdab43,com.scleanm.nmastery, 

594521e642fee75d474d8d0be839ebe9341f30196b19555882499145bf00746b,com.qwalkingr.grewards, 

721d92d30fbb90fe643507055baa4cce937c8659f1520be1bbce7f9669af6f84,com.modes2048.gamepro, 

7d90ee0be5eb63fbaa6839efdd6217b482576b1bab553731cac0b55f2fa1e6fa,com.jkesogeop.classicsudo, 

7f00991e63154a79ea220b713fcfb2ef8b8db923a75366a61e9bc30d9c355274,com.glamorousg.sgoddesslys, 

8cd77df7cf2242105b12297071ad1d11e91264f9de311d1b082666da19134476,com.wtoolboxp.xpro, 

974a5d005d3cfe4c63bd7a46ca72c6716c6c6de397d2e3e19b1730def31f7825,com.systmapp.mobile1.cleanmanager, 

98819230a6c3f5092517ada9652e9156e338acc27d29e4647b3cb69cddb668cb,com.crazycodes.airvpn, 

98db4904c3299b8ac383dd177c3cde87af25c088df1988f484427aab3b5c4e0d,com.wlifetoolp.lpro, 

9b9f55c4a68385e4a739c7d11159c9b4ab006660142331e8bdc477b5eba62aad,com.ulifea.eassistants, 

a02694b5de7a8a6ef3024d53e54a54a676f992bfa1e070f07827ab9b5dd1365c,com.priceper.km, 

a1e77c148f190b6bfdd40ce657722e902a31cedecab669dd6f78f38b6b18ddf7,crazycodes.notes.app, 

a430123efe9611f322fbc3c459fc5ec13abbb0def88ba3ec56a05a361a51a9ac,com.gbversion.gbplus.gblatestversion, 

ab6365bf7e6c7fba6867b44a80e8bf653c7b66ff91204ee3e2981b6532fea7ee,com.snowfindthesame.samethesnowswe, 

b4438ac1694e3a08a994750a7ac76399c48d5d3446e90ebebbea1f8694bf3dd5,com.guidely.earningapp, 

b8087e3535d395210b80637be35da6ae8e10450b6fb87de62a284d5d7397cd17,com.shcoob.groobe.timebuke, 

bf47dc1577c8b862c4e849a7ce52e143239f2f7274421befa902baf4bd1c4a19,com.wlifet.etoolbox, 

c332166f720e4d2f6f9b59993559df05281e7d2fbd56f90a7f2399a0ac620295,com.ebitans.tenstarbd, 

c509a98d0823add0c1440a7b043586eb5a8069fbb776ca36252f5b7653c92cb7,com.whabitn.tnotes, 

c517b26dfc8ffd5de7f49966ff3391475f80299ebc6ad9988bf166029cf76c91,com.filnishww.fluttbuber.storagecleaner, 

cf945c433aa80120be10566b9f1ae88e043f96872996f599b75bb57c74248e56,com.mfunt.ttetris, 

d72d96c6f299fe961dd98655e0468e45ed3ac03df0cfa499e27d4c399e304500,com.wififinder.wificonnect, 

db1168f2cb3b25ef65e06eb4e788ddda237a428fbce0725de1e9d70b36e96833,com.whomea.eassistan, 

ddc4da4c63c8bc7df53c3c7fe350b56ad31f313c7d95b472dc45a9fcf85273f0,com.mi2048nig.game, 

df00753933359d7369668eddeb0dc2565f075c78e4b46f3cabd2e8ff31eda42e,com.sportscash.xyz, 

e32c8a869585c107ccd1586b5edebc1d8eaa18017c2dd39b6267eec4db7f7410,com.biopops.mathly, 

e5b8d25ef612f0240ce28fbffd550fd4e0b9abdbf325e3ff85718e8312b70c2b,com.wdailyn.anova, 

e5f3aa5ef6b5b5fa94a921b55f52aa2c1011486b7370f1585deb6d571325ebcb,com.khan.pregnancyexercise, 

ec79443aa53864e4d322b8fa8fd4aad0ef878221f01e7d32512694ba24992aee,com.merge2048joy.joy, 

f654c5f926ebfcded4c0d07590972536280454e2501dc8a525390402fa945ff1,com.kgoddessv.svibe, 

f7c664ea66c43a82801ed7da23369af1e285857c1a4bf200147b716715f09d3f,com.chall2048enge.game, 

fc3b06c36feb38ed62f3034e428e814d6e1ac06ec1569ea22428374b8d15d848,com.jekunotesimple.notesimple, 

fd62c2bfa2277eff8787926f9976aa4a11235a18a9a543ced71a509c6ebf2bf2,com.game.ludoplay, 

The post Operation NoVoice: Rootkit Tells No Tales appeared first on McAfee Blog.

Day by day, I find we're eeking more goodness out of OpenClaw and finding the sweet spot between what the humans do well and the agent can run off and do on its own. Significantly, we're shifting more and more of the workload to the latter as all 3 of us at HIBP HQ get better at assigning workloads to machines. In addition to my use of my "PwnedClaw" bot to help catalogue and process data breaches, Stefan and I are both using GitHub Copilot in Visual Studio extensively, and Charlotte is using her own Telegram bot, "Pwny," plugged into OpenClaw to crawl all our content and look for inconsistencies while designing revised user interfaces. Over the last couple of weeks, I've spent US$854 on Claude tokens, which feels like a lot until you look at it like an employee doing work for you. But we've barely scratched the surface, and I can't wait to see the things we do with this in the weeks and months to come 😊

For a hobby project built in my spare time to provide a simple community service, Have I Been Pwned sure has, well, "escalated". Today, we support hundreds of thousands of website visitors each day, tens of millions of API queries, and hundreds of millions of password searches. We're processing billions of compromised records each year provided by breached companies, white hat researchers, hackers and law enforcement agencies. And it's used by every conceivable demographic: infosec pros, "mums and dads", customer support services, and, according to the data, more than half the Fortune 500 who are actively monitoring the exposure of their domains. So yeah, "escalated" seems fair!

Amidst all the time spent processing data, we've been trying to figure out where to invest energy in building new stuff. In essence, data breaches are pretty simple: you've got a bunch of exposed email addresses attributed to a source, sitting next to a whole bunch of fields we describe with metadata. Our goal has always been to help people use this data to do good after bad things happen, and today we're launching a bunch of new features to do just that. So, here goes:

New Features, New Plans

In the beginning (ok, in "recent years"), there was one plan we referred to as "Pwned", and within that, there were various levels. For example, the entry-level plan has been "Pwned 1," and to this day, more than half our subscriptions are on it. That's "a coffee a month" for a simple service that, by the raw numbers, does precisely what most of our subscribers are looking for. These are typically small businesses that make a handful of API queries or monitor a domain or two with a few email addresses. It's simple, effective and... insufficient for larger organisations. So, we added Pwned 2, 3 and 4, and they all added more RPMs for email searches and more capacity for searching larger domains. Then we added Pwned 5, which added stealer log support, and somewhere along the way also added Pwned Ultra tiers for making large numbers of API requests. As a result, that one "plan" added more and more stuff at different levels and ultimately became a bit kludgy.

Today, we're launching a bunch of new features to better support the volume and privacy needs of our subscribers, and we're shuffling our existing plans to help do this. Here's what they now look like:

1. Core: The fundamentals, largely being what we already had and designed for entry-level use cases
2. Pro: Contains a bunch of the new features designed for larger orgs and those searching domains on behalf of customers
3. High RPM: The old "Ultra" plan levels, designed solely for making large volumes of requests to the email search API
4. Enterprise: We've had this for many years now, and it's a more tailored offering

So, that's the high-level overview. Let's now look at all the new stuff and everything that changes:

Supporting MSPs Monitoring on Behalf of Third Parties

For most people, this won't sound particularly exciting, but I'm putting it up front because I'll refer to it when describing the more important stuff shortly. In the past, we've had the following carve-out in our terms of use, namely, what you're not permitted to use the service for:

the benefit of a third party (including for use by a related entity or for the purpose of reselling or otherwise making the Services available to any third party for commercial benefit)

This excluded managed service providers from, for example, monitoring their customers' domains as part of their services. That clause has now been revised with the preceding text:

unless you have purchased a Paid Service which expressly allows you to do so

Which means we can now welcome MSPs to the Pro and High RPM tiers. They can't just take HIBP and use it to create a competing product (for obvious reasons, that's a pretty standard clause within many online services), but they can absolutely add it to the offerings they provide to their own customers. And we're adding new features to make it easier to do just that, for example:

Automating Domain Verification

Preserving privacy whilst still providing a practical, effective service has always been a balancing act, one I think we've gotten pretty spot on. But the hoops people have had to jump through for domain verification, in particular, have been cumbersome. An organisation wanting to add a bunch of its domains has had to go through the process one by one via the web interface, then verify control over them one by one. They'd spend a lot of time doing kludgy, repetitive work. Today, we're launching two new ways of adding domains in a much more automated fashion, and the first is the verifying via DNS API:

Successfully adding a pre-defined TXT record to DNS is solid proof that whoever is attempting to search that domain genuinely controls it. As well as the old kludgy way of doing it in the browser, waiting for DNS to propagate, then coming back to the browser to complete the verification, we can now fully automate the process via API. Here's how it works:

1. Call the HIBP API to generate the TXT record token
2. Call the API on your DNS provider to add the token to the TXT record
3. Call another HIBP API to validate that the token exists

This is easily scripted in your language of choice, and you can enumerate it over as many domains as you like. You can also keep retrying step 3 above as often as needed when DNS takes a little while to do its thing. It's all now fully documented in the latest version of the API, and ready to roll. But what if you don't control the DNS? Perhaps it's a cumbersome process in your org, or you're an MSP monitoring your customers' domains, but you don't have control of DNS. That's where the verifying by email API comes in:

We've long had a verification process that involves choosing one of several standard aliases on a domain to email a verification token to. You do this via the dashboard, grab the token sent to the email, paste it back into the dashboard and the domain is now verified. The new API makes that much easier, especially when multiple domains are being verified. Here's how it works:

1. Call the HIBP API and specify one of the pre-defined aliases to send a verification email to
2. Click the link in the email and approve the domain to be added to the requester's account

And that's it. We see this being particularly useful for MSPs who can now send a heap of emails on their customers' domains, and so long as someone receives it and clicks the link, that's the verification process done. That API is also now fully documented and ready to roll and is accessible to all Pro plan subscribers.

Auto-verifying Subdomains

This one was just unnecessarily frustrating for larger customers who spread email addresses over multiple subdomains. Let's say a company owns example.com and they successfully verify control of it, but then they distribute their email addresses by region. They end up with addresses @apac.example.com and @emea.example.com and so on, and in the past, needed to verify each subdomain separately.

Turns out we have 154 votes for this feature in User Voice, which is substantially more than I expected. So, in keeping with the theme of the Pro plan making it easier on larger orgs, anyone on that level can now add their apex domain, verify it accordingly, then go to town adding all the subdomains they want without the need for verifying each one.

Bringing K-Anonymity Searches to the Masses

Until today, every time you took out a subscription via the public website and started searching email addresses, it looked like this:

GET https://haveibeenpwned.com/api/v3/breachedaccount/test@example.com

Clearly, this involved sending the email address to HIBP's service. Whilst we don't store those addresses, if you're sending data to a service in this fashion, there's always the technical capability for us to see that piece of PII and associate it back to the requester via their API key. This approach is what we'll refer to as "direct email search". Let's now look at k-anonymity searches, and I'll break it down into a few simple steps:

1. Start by creating a SHA-1 hash of the address to be searched, so for test@example.com, that's:

   567159D622FFBB50B11B0EFD307BE358624A26EE

2. Take the first 6 characters of the hash and pass them to the new API:

   GET https://haveibeenpwned.com/api/v3/breachedaccount/range/567159

   What's really important here is that those 6 characters are the only identifier sent to HIBP and they're completely useless in identifying which address was actually searched for (that link also explains why SHA-1 is perfectly reasonable for this)
3. HIBP then responds with the suffixes of every hash we have that matches that prefix and for each one, the breaches it's appeared against:

   {
     "hashSuffix": "D622FFBB50B11B0EFD307BE358624A26EE",
     "websites": [
         "Adobe",
         "Stratfor",
         "Yahoo",
         ...
     ]
   },
   ...

   The prefix presently contains 393 suffixes, and if one of them matches the remaining characters of the hash of the full email address, you know that's the address you're looking for.

This is the same methodology we've been using for years with the Pwned Passwords search, and we're currently serving about 18 billion requests a month, so it seems that lots of people have easily gotten to grips with it. It's a pretty simple technical concept with great privacy attributes, and it's fully documented on the API page.

K-anonymity searches are now available to all Pro and High RPM subscribers at the same rate limit as the direct searches. That rate limit is shared, so you can either make 100% of them to k-anon or 100% to the direct search or go 50/50. We're really happy with the privacy aspects of this API and we know it ticks a box a lot of orgs have been asking for.

Unsmoothing the API Rate Limit

Previously, when you took out a 10-request-per-minute API key, we implemented a rate limit of 1 request every 6 seconds. The same logic applied to all the higher-tier products, too, and the reason was simply to distribute the load across each minute more evenly or in other words, "smoothing" the rate at which requests were made. That was important earlier on as the underlying Azure infrastructure had to support that traffic, and sudden bursts could be problematic.

But the other thing that was problematic is that people (quite reasonably) assumed that they could make 10 fast requests, wait a minute, then go again. This led to support overhead for us and customer frustration, and neither is good.

With these latest updates, 10RPM (and all the other RPMs) is now implemented exactly as it sounds - 10 requests in any one-minute block. Here's our Azure API Management policy:

In other words, we've "unsmoothed" it. You can hammer the service 10 times in quick succession, then wait a minute, and you won't see a single HTTP 429 "Too many requests" response. Equally, if you're on a 12,000 RPM plan (and you can actually send that many requests quickly!), you won't see an unexpected 429. We can do this now because of the way we serve a huge amount of content from Cloudflare's edge, unburdening the underlying infrastructure from sudden spikes.

It's a little thing, but it'll solve a lot of unnecessary frustration for a bunch of people, including us. That's implemented across every single plan, too, so everyone benefits.

We Just Wanna Go (Even) Fast(er)

Here's our challenge today: how do we enable millions of people a day to search through billions of records with near instantaneous results... and do it affordably? They're somewhat competing objectives, but every now and then, we find this one neat trick that dramatically improves things. About 18 months ago, I wrote about how we were Hyperscaling HIBP with Cloudflare Workers and Caching. The basic premise is that, as people search the service, we build a cache in Cloudflare's 300+ edge nodes that includes the entire hash range just searched for (see the k-anon section above). We flush that out on every new breach load and as it builds back up to the full 16^6 possible cachable hash ranges, our origin load approaches zero and everything gets served from the edge. Almost, because we have the following problem I described in the post:

However, the second two models (the public and enterprise APIs) have the added burden of validating the API key against Azure API Management (APIM), and the only place that exists is in the West US origin service. What this means for those endpoints is that before we can return search results from a location that may be just a short jet ski ride away, we need to go all the way to the other side of the world to validate the key and ensure the request is within the rate limit.

Or at least we had that problem, which we've just solved with a simple fix. The quoted problem stemmed from the fact that, to ensure everyone adhered to the rate limit, we performed the APIM check before returning any data. That meant always waiting for packets to make a round trip to America, even when the data was cached nearby. But what we realised is that adhering to the rate limit can be eventually enforced; it really doesn't matter too much if a request or two in excess of the rate limit slips through, then we enforce it. The reason why that epiphany is important is that with that in mind, we can start returning data to the client immediately whilst doing the APIM check asynchronously. If the request exceeds the rate limit, Cloudflare will block subsequent requests until the client starts making requests within their limit. So, the rate limit check is no longer a blocking call; it's a background process that doesn't delay us returning results.

What that means is a dramatic reduction in the time til first byte:

That's almost a 40% reduction in wait time! It's an awesome example of how continuous investment in the way we run this thing yields tangible results that make a meaningful difference to the value people get from the service.

Passkeys!

Just one more thing...

This is all new, all free and all available to everyone, whether they have a paid subscription or not. Remember when I got phished last year? I sure do, and I vowed to use that experience to maximise the adoption of passkeys wherever possible. So, putting my money (and time) where my mouth is, we've now launched passkeys as an alternate means of signing into your dashboard:

This saves you needing a "magic" link via email on every sign-in, and whilst it doesn't constitute 2FA (the passkey becomes a single factor used to sign in), it massively streamlines how you access the dashboard. And because we never used passwords for access in the first place, the only account-takeover risk our customers face is someone gaining access to either their email account or to where they store their passkeys (in either case, they have much bigger problems!).

Here's how it works: start by signing into your dashboard, then heading over to the "Passkeys" section on the left of the screen and adding a new one:

The name is so you can keep track of which passkey you save where. I save most of mine in 1Password, but you can also save them on a physical U2F key or in your browser, for example. Clicking "Continue" will cause your browser to prompt you for the location where you'd like to store it and again, that's 1Password for me:

And that's it - we're done!

So, how does it work? Check this out, and don't blink or you'll miss it:

Compared to typing in your email address, hitting the "Sign In" button, flicking over to the mailbox, waiting for the mail to arrive, then clicking the link, we're down from let's call it 30 seconds to about 3 seconds. Nice 😎

Even though there isn't much security benefit to doing this on HIBP (you can still sign in via email, too), we wanted to build this as an example of just how easy it is. It took Stefán about an hour to build a first cut of this (with support from Copilot), and, aside from the dev time, building passkey support into your website is totally free. There are no external services you need to pay for, no hardware to buy or special crypto concepts to grasp. Passkeys are dead simple, and web developers with even a passing interest in security and usability should be adding support for them right now. We also wanted to make sure they were freely available to anyone, regardless of whether you have a paid subscription, because security like this should be the baseline, not a paid extra. So, go and give them a go in HIBP now.

And just in case you want to really geek out on how passkeys work, Stefán presented this at NDC Security in Oslo earlier this month:

All the Plans and Future Changes for Existing Subscribers

It's easiest just to see the whole overview all in one image (or jump over to the pricing page on the website), and it largely reflects everything described above:

One immediate difference to how we've previously represented the plans is that the annual price is now shown as a monthly figure. It turns out that the vast majority of our subscribers choose annual billing, so leading with the per-month pricing puts the least relevant figures front and centre. As we looked around at other services, that was a pretty consistent trend, especially when one annual subscription is more cost-effective than renewing a monthly one 12 times (annual is roughly 10x a year's worth of month-by-month payments).

Another change is that we're going to cap the number of larger domains (those with over 10 breached addresses) that can be searched on each subscription. Let me explain why: Every time we load a data breach, each record in the breach is checked against each domain being monitored. In 2025, we added 2.9 billion breached records, and we have 400k monitored domains. Multiply those out, and we're looking at 1.16 quadrillion checks for our subscribers each year. This is all handled by SQL queries, so it's not like we're getting hit with human overhead at scale, but we're getting hit hard with SQL costs. Across everything we pay to run this service (storage, app hosting, functions, API management, App Insights, bandwidth, etc.), the SQL bill is more than the total for all other services combined. In addition to how we currently calculate plan size based on breached email count, we're adding a cap on the number of domains per plan.

Only domains with more than 10 breached addresses are included in the cap.

The “10” threshold aligns with the existing requirement for a domain to need a subscription at all, and means this change impacts only a single-digit percentage of subscribers. It also helps filter out noise so the cap reflects domains that actually matter. For those larger domains beyond the cap, all current alerts will continue to work just fine until they run a search. At that time, they'll have the option to upgrade the plan or reduce the number of domains. But none of that affects existing subscribers now:

There will be no changes to existing plans until at least August 2 this year.

We do an annual price revision each August, and that's already factored into the table above. That applies to any new subscriptions immediately, but it won't touch existing ones until August 2 at the earliest. The revised pricing only kicks in on the next subscription renewal after that date, so it could be as late as August 2027 if you're an existing subscriber. The same goes for the cap on the number of domains being monitored - there's no impact on existing subscribers until at least August. That leaves plenty of time to cancel, downgrade, upgrade, or just do nothing, and the plan will automatically roll over to the new one. We'll be emailing everyone in the coming days with details of precisely what will change.

Note: if you had an old Pwned 5 subscription for the sake of stealer log access, we'll be rolling all those folks over to Pro 1 and applying a permanent discount code to ensure there's no change in price by moving to the higher plan (it'll actually drop slightly). That'll be explained in the upcoming email, it just made more sense to keep stealer logs in Pro and move people over, and this'll just give them free access to all the new stuff too.

Speaking of which, the thing that (almost) nobody reads but everyone is subject to has been revised to reflect the changes described above - the Terms of Use. For the first time, we've also summarised all the changes and linked through to an archive of the old ones, so if you really love digging through a long document prepared by lawyers, this should make you happy 😊

We're Still Doing Credit Cards via Stripe

While I'm here, just a quick comment on our ongoing Stripe dependency and, as a result, the necessity to pay for public services via credit card. I've written before about some of the challenges we've faced with customers' requests to pay by other means and how, push comes to shove, they (almost) always find a way around internal barriers. Let me share a recent empirical anecdote about this:

Just the other day, I had a call with a Fortune 500 company that was initially interested in our enterprise services. As the discussion unfolded, it became evident that the public services would more than suffice and that the enterprise route was too burdensome for their particular use case. Be that as it may, the procurement lady on the call was adamant that payment by credit card was impossible, even going to the extent of making a pretty bold statement:

No Fortune 500 company is going to pay for services like this via credit card!

O RLY? If only I had the data to check that claim... 😊 Based on a list of their domains, 132 unique Fortune 500 companies have paid for our services by credit card. The real number will be higher because many more of their domains are not on that list, or purchases have been made via an email address not on the corporate domain. Let's call it somewhere between a quarter and a third of the Fortune 500 who've puschased direct via the world's most common payment method. In other words, a significantly different number from the "zero" claim.

I've dropped the hard facts here out of both frustration from our dealings with unnecessarily artificial barriers and in support of the folks out there who, just like me in my corporate days, had to deal with "Neville" in procurement. Per that linked blog post, push back against "corporate policy" prohibiting payment by card, and statistically, you'll likely find you're not the 1 in 160 who can't make a simple payment.

Summary

We're continuing to massively invest in expanding HIBP in every way we can find. Nearly 3 billion additional breached records last year, hundreds of billions of free Pwned Passwords queries during that time, a bunch of new tweaks and features everyone gets access to and, of course, all the new stuff we've rolled into the higher plans. These new features are the culmination of a huge volume of work dating back to November, when I took this pic of our little team during our planning meeting together in Oslo.

We all hope it helps people use our Have I Been Pwned services to do more good after bad things happen.

Plus: Apple makes big claims about the effectiveness of its Lockdown Mode anti-spyware feature, Russia moves to implement homegrown encryption for 5G, and more.

This year, AI agents took the center stage – as a defensive capability, but more pressingly as a risk many organizations haven't caught up with

Silver Fox is back in Japan, spoofing tax and HR emails timed to the one season when no one thinks twice about opening them

A text that looks like it came straight from a courthouse is making the rounds across the U.S. And yes, I got it too. 

First things first, that’s a scam. And to be clear: DON’T SCAN THAT QR CODE. 

It’s the same playbook as last year’s toll road scams, just dressed up with a little more authority and a lot more pressure. 

Before doing anything, our team ran it through McAfee’s Scam Detector. It immediately flagged the message as suspicious, and that’s exactly the kind of moment this tool is built for. When something feels just real enough to second guess, it gives you a clear signal before you click, scan, or spiral. 

How the scam works 

The text claims you’ve missed a payment, violated a law, or have some kind of outstanding “case.” It then pushes you to scan a QR code or click a link to resolve it quickly. 

From there, one of two things usually happens: 

1. You’re taken to a fake payment page designed to steal your money, or 
2. You’re prompted to download something that gives scammers access to your device or data  

Either way, the goal is the same: get you to act fast before you have time to question it. 

The red flags in this message 

• Urgent, threatening language about fines, penalties, or legal action  
• Vague accusations with no real details about what you supposedly did  
• Official-looking formatting like case numbers, clerk signatures, and judge names  
• Copy-paste consistency across states: McAfee employees in New York and California received nearly identical messages with the same names  

There are reports of this scam popping up nationwide, but the rule is simple: law enforcement does not text you to demand payment or resolve legal issues. 

What to do if you scanned the QR code 

First, don’t panic. Then: 

• Do not pay anything or enter personal information  
• Do not delete apps you were told to install (this can make it harder to detect what happened)  
• Run a device scan using a trusted security tool like McAfee’s free antivirus  
• Keep an eye on your financial accounts and logins for unusual activity  

And that, my friends, is scam number one in this week’s This Week in Scams (new format, we’re experimenting a little).  

Let’s get into what else is on our radar. 

What to Know About an Alleged Crunchyroll Breach 

Anime streaming platform Crunchyroll is investigating claims of a data breach involving customer support ticket data, potentially impacting millions of users. 

According to TechCrunch, access appears to involve a third-party vendor system, a reminder that even strong security setups still rely on people and partners, which can introduce risk in everyday moments. 

Even if you’ve never entered your credit card into a support form, these tickets can still include: 

• Email addresses  
• Usernames  
• Screenshots or account details  
• Conversations that reveal habits, subscriptions, or personal context  

That’s more than enough for scammers to build highly believable follow-ups. 

Why this matters right now 

When breaches like this surface, scammers don’t wait. They use the moment to send emails and messages that feel timely, relevant, and legitimate. 

For example, scammers might send messages pretending to be Crunchyroll and suggesting you “click this link to secure your account” after the breach. In reality, that “security check” exposes your information.

This is where tools like Scam Detector come back into play, flagging suspicious links and messages even when they reference real companies or real events. 

What to do if you have a Crunchyroll account 

• Change your password, especially if you’ve reused it elsewhere  
• Turn on two-factor authentication  
• Be cautious of emails referencing the breach or asking you to “secure your account”  
• Avoid clicking links and go directly to the official site instead  

How McAfee Helps You Stay Ahead of Scams and Breaches

McAfee+ Advanced gives you multiple layers working together so you’re not left figuring it out in the moment: 

• Scam Detector flags suspicious texts, emails, links, and even deepfake videos before you engage  
• Safe Browsing helps block risky sites if you do click or scan  
• Device Security helps detect and remove malicious apps or downloads  
• Identity Monitoring alerts you if your personal info shows up where it shouldn’t, so you can act fast  
• Personal Data Cleanup helps remove your information from data broker sites, making you a harder target in the first place  
• Secure VPN keeps your data private, especially on public Wi-Fi  

Plus our instant QR code scam checks will flag suspicious QR codes before you scan them.

Safety tips to carry into next week 

• Slow down when a message creates urgency. That’s the hook  
• Don’t scan QR codes or click links from unexpected texts  
• Go directly to official websites instead of using links sent to you  
• Use tools that flag scams in real time so you don’t have to guess  

The reality is, these scams are designed to look normal. You shouldn’t have to be an expert to spot them. That’s why McAfee’s here to help. 

We’ll be back next week with more scams making headlines. 

The post Got a “Court Notice” Text? Ignore It. Plus, the Crunchyroll Breach: This Week in Scams appeared first on McAfee Blog.

Experts say that an American ground operation targeting nuclear sites in Iran would be incredibly complicated, put troops’ lives at great risk—and might still fail.