We’re excited to share that McAfee’s Scam Detector has been named a finalist in the 2026 Webby Awards. 

Recognized in the AI Experiences & Applications – Consumer Application category and named a Webby Honoree for Best Use of AI & Machine Learning, Scam Detector is being acknowledged for its effectiveness as an AI-driven consumer tool. 

This recognition of Scam Detector validates something key in research findings. According to McAfee’s 2026 State of the Scamiverse report, Americans now spend 114 hours a year trying to decide what’s real and what’s fake online. 

Scam Detector was built with this era of uncertainty in mind, designed to help people cut through confusion and identify scams as they appear. The Webby recognition reinforces to us that McAfee’s Scam Detector is doing exactly that. 

What Are the Webby Awards? 

The Webby Awards are presented by the International Academy of Digital Arts & Sciences and recognize excellence across the internet, including apps, software, AI, and digital experiences. 

Each year, thousands of entries are evaluated, with finalists representing the top work in their category globally. 

In addition to judged awards, the Webby Awards include a People’s Voice Award, which is decided by public vote. 

How McAfee’s Scam Detector Uses AI to Stop Scams 

Scam Detector is designed to help people identify scams where they’re most likely to happen, always ready to help you spot what’s real and what’s not when you least expect it. 

It uses AI to analyze and flag suspicious: 

• Text messages and emails  
• Links and websites  
• QR codes  
• Social media messages  
• AI-generated and deepfake content  

Beyond detection, Scam Detector explains why something was flagged as risky. That transparency helps show how decisions are made, so people can quickly understand the risk and feel more confident trusting what’s flagged.

As scams become more personalized and harder to detect, this combination of automatic detection and clear guidance is critical to preventing financial loss and identity theft. 

Vote for McAfee’s Scam Detector 

Scam Detector is eligible for the Webby People’s Voice Award, which is decided by public vote. 

If you would like to support McAfee’s Scam Detector, you can vote here: https://vote.webbyawards.com/PublicVoting#/2026/ai/ai-experiences-applications/consumer-application 

Voting is open through Thursday, April 16 at 11:59 pm PDT. 

Winners will be announced on April 21, 2026. 

And a big thank you to the McAfee teams who brought Scam Detector to life and who continuously improve how Scam Detector identifies new threats and adapts to the evolving world of AI-driven scams. 

The post McAfee’s Scam Detector Named Webby Awards Finalist for AI Innovation appeared first on McAfee Blog.

Political candidates are purchasing more home alarms, bulletproof vests, and other protections amid rising fears of political violence.

In Telegram groups, men are sharing thousands of nonconsensual images of women and girls, buying spyware, and engaging in doxing and sexual abuse.

As Trump threatens Iranian infrastructure, the US government warns that Iran has carried out its own digital attacks against US critical infrastructure.

The AI lab's Project Glasswing will bring together Apple, Google, and more than 45 other organizations. They'll use the new Claude Mythos Preview model to test advancing AI cybersecurity capabilities.

Hackers linked to Russia’s military intelligence units are using known flaws in older Internet routers to mass harvest authentication tokens from Microsoft Office users, security experts warned today. The spying campaign allowed state-backed Russian hackers to quietly siphon authentication tokens from users on more than 18,000 networks without deploying any malicious software or code.

Microsoft said in a blog post today it identified more than 200 organizations and 5,000 consumer devices that were caught up in a stealthy but remarkably simple spying network built by a Russia-backed threat actor known as “Forest Blizzard.”

Also known as APT28 and Fancy Bear, Forest Blizzard is attributed to the military intelligence units within Russia’s General Staff Main Intelligence Directorate (GRU). APT 28 famously compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election.

Researchers at Black Lotus Labs, a security division of the Internet backbone provider Lumen, found that at the peak of its activity in December 2025, Forest Blizzard’s surveillance dragnet ensnared more than 18,000 Internet routers that were mostly unsupported, end-of-life routers, or else far behind on security updates. A new report from Lumen says the hackers primarily targeted government agencies—including ministries of foreign affairs, law enforcement, and third-party email providers.

Black Lotus Security Engineer Ryan English said the GRU hackers did not need to install malware on the targeted routers, which were mainly older Mikrotik and TP-Link devices marketed to the Small Office/Home Office (SOHO) market. Instead, they used known vulnerabilities to modify the Domain Name System (DNS) settings of the routers to include DNS servers controlled by the hackers.

As the U.K.’s National Cyber Security Centre (NCSC) notes in a new advisory detailing how Russian cyber actors have been compromising routers, DNS is what allows individuals to reach websites by typing familiar addresses, instead of associated IP addresses. In a DNS hijacking attack, bad actors interfere with this process to covertly send users to malicious websites designed to steal login details or other sensitive information.

English said the routers attacked by Forest Blizzard were reconfigured to use DNS servers that pointed to a handful of virtual private servers controlled by the attackers. Importantly, the attackers could then propagate their malicious DNS settings to all users on the local network, and from that point forward intercept any OAuth authentication tokens transmitted by those users.

Because those tokens are typically transmitted only after the user has successfully logged in and gone through multi-factor authentication, the attackers could gain direct access to victim accounts without ever having to phish each user’s credentials and/or one-time codes.

“Everyone is looking for some sophisticated malware to drop something on your mobile devices or something,” English said. “These guys didn’t use malware. They did this in an old-school, graybeard way that isn’t really sexy but it gets the job done.”

Microsoft refers to the Forest Blizzard activity as using DNS hijacking “to support post-compromise adversary-in-the-middle (AiTM) attacks on Transport Layer Security (TLS) connections against Microsoft Outlook on the web domains.” The software giant said while targeting SOHO devices isn’t a new tactic, this is the first time Microsoft has seen Forest Blizzard using “DNS hijacking at scale to support AiTM of TLS connections after exploiting edge devices.”

Black Lotus Labs engineer Danny Adamitis said it will be interesting to see how Forest Blizzard reacts to today’s flurry of attention to their espionage operation, noting that the group immediately switched up its tactics in response to a similar NCSC report (PDF) in August 2025. At the time, Forest Blizzard was using malware to control a far more targeted and smaller group of compromised routers. But Adamitis said the day after the NCSC report, the group quickly ditched the malware approach in favor of mass-altering the DNS settings on thousands of vulnerable routers.

“Before the last NCSC report came out they used this capability in very limited instances,” Adamitis told KrebsOnSecurity. “After the report was released they implemented the capability in a more systemic fashion and used it to target everything that was vulnerable.”

TP-Link was among the router makers facing a complete ban in the United States. But on March 23, the U.S. Federal Communications Commission (FCC) took a much broader approach, announcing it would no longer certify consumer-grade Internet routers that are produced outside of the United States.

The FCC warned that foreign-made routers had become an untenable national security threat, and that poorly-secured routers present “a severe cybersecurity risk that could be leveraged to immediately and severely disrupt U.S. critical infrastructure and directly harm U.S. persons.”

Experts have countered that few new consumer-grade routers would be available for purchase under this new FCC policy (besides maybe Musk’s Starlink satellite Internet routers, which are produced in Texas). The FCC says router makers can apply for a special “conditional approval” from the Department of War or Department of Homeland Security, and that the new policy does not affect any previously-purchased consumer-grade routers.

Nonprofits run out of US Border Patrol stations are also selling other “operation”-themed coins that include a phrase popularized by the Proud Boys, potentially in violation of government rules.

An elusive hacker who went by the handle “UNKN” and ran the early Russian ransomware groups GandCrab and REvil now has a name and a face. Authorities in Germany say 31-year-old Russian Daniil Maksimovich Shchukin headed both cybercrime gangs and helped carry out at least 130 acts of computer sabotage and extortion against victims across the country between 2019 and 2021.

Shchukin was named as UNKN (a.k.a. UNKNOWN) in an advisory published by the German Federal Criminal Police (the “Bundeskriminalamt” or BKA for short). The BKA said Shchukin and another Russian — 43-year-old Anatoly Sergeevitsch Kravchuk — extorted nearly $2 million euros across two dozen cyberattacks that caused more than 35 million euros in total economic damage.

Germany’s BKA said Shchukin acted as the head of one of the largest worldwide operating ransomware groups GandCrab and REvil, which pioneered the practice of double extortion — charging victims once for a key needed to unlock hacked systems, and a separate payment in exchange for a promise not to publish stolen data.

Shchukin’s name appeared in a Feb. 2023 filing (PDF) from the U.S. Justice Department seeking the seizure of various cryptocurrency accounts associated with proceeds from the REvil ransomware gang’s activities. The government said the digital wallet tied to Shchukin contained more than $317,000 in ill-gotten cryptocurrency.

The GandCrab ransomware affiliate program first surfaced in January 2018, and paid enterprising hackers huge shares of the profits just for hacking into user accounts at major corporations. The GandCrab team would then try to expand that access, often siphoning vast amounts of sensitive and internal documents in the process. The malware’s curators shipped five major revisions to the GandCrab code, each corresponding with sneaky new features and bug fixes aimed at thwarting the efforts of computer security firms to stymie the spread of the malware.

On May 31, 2019, the GandCrab team announced the group was shutting down after extorting more than $2 billion from victims. “We are a living proof that you can do evil and get off scot-free,” GandCrab’s farewell address famously quipped. “We have proved that one can make a lifetime of money in one year. We have proved that you can become number one by general admission, not in your own conceit.”

The REvil ransomware affiliate program materialized around the same as GandCrab’s demise, fronted by a user named UNKNOWN who announced on a Russian cybercrime forum that he’d deposited $1 million in the forum’s escrow to show he meant business. By this time, many cybersecurity experts had concluded REvil was little more than a reorganization of GandCrab.

UNKNOWN also gave an interview to Dmitry Smilyanets, a former malicious hacker hired by Recorded Future, wherein UNKNOWN described a rags-to-riches tale unencumbered by ethics and morals.

“As a child, I scrounged through the trash heaps and smoked cigarette butts,” UNKNOWN told Recorded Future. “I walked 10 km one way to the school. I wore the same clothes for six months. In my youth, in a communal apartment, I didn’t eat for two or even three days. Now I am a millionaire.”

As described in The Ransomware Hunting Team by Renee Dudley and Daniel Golden, UNKNOWN and REvil reinvested significant earnings into improving their success and mirroring practices of legitimate businesses. The authors wrote:

“Just as a real-world manufacturer might hire other companies to handle logistics or web design, ransomware developers increasingly outsourced tasks beyond their purview, focusing instead on improving the quality of their ransomware. The higher quality ransomware—which, in many cases, the Hunting Team could not break—resulted in more and higher pay-outs from victims. The monumental payments enabled gangs to reinvest in their enterprises. They hired more specialists, and their success accelerated.”

“Criminals raced to join the booming ransomware economy. Underworld ancillary service providers sprouted or pivoted from other criminal work to meet developers’ demand for customized support. Partnering with gangs like GandCrab, ‘cryptor’ providers ensured ransomware could not be detected by standard anti-malware scanners. ‘Initial access brokerages’ specialized in stealing credentials and finding vulnerabilities in target networks, selling that access to ransomware operators and affiliates. Bitcoin “tumblers” offered discounts to gangs that used them as a preferred vendor for laundering ransom payments. Some contractors were open to working with any gang, while others entered exclusive partnerships.”

REvil would evolve into a feared “big-game-hunting” machine capable of extracting hefty extortion payments from victims, largely going after organizations with more than $100 million in annual revenues and fat new cyber insurance policies that were known to pay out.

Over the July 4, 2021 weekend in the United States, REvil hacked into and extorted Kaseya, a company that handled IT operations for more than 1,500 businesses, nonprofits and government agencies. The FBI would later announce they’d infiltrated the ransomware group’s servers prior to the Kaseya hack but couldn’t tip their hand at the time. REvil never recovered from that core compromise, or from the FBI’s release of a free decryption key for REvil victims who couldn’t or didn’t pay.

Shchukin is from Krasnodar, Russia and is thought to reside there, the BKA said.

“Based on the investigations so far, it is assumed that the wanted person is abroad, presumably in Russia,” the BKA advised. “Travel behaviour cannot be ruled out.”

There is little that connects Shchukin to UNKNOWN’s various accounts on the Russian crime forums. But a review of the Russian crime forums indexed by the cyber intelligence firm Intel 471 shows there is plenty connecting Shchukin to a hacker identity called “Ger0in” who operated large botnets and sold “installs” — allowing other cybercriminals to rapidly deploy malware of their choice to thousands of PCs in one go. However, Ger0in was only active between 2010 and 2011, well before UNKNOWN’s appearance as the REvil front man.

A review of the mugshots released by the BKA at the image comparison site Pimeyes found a match on this birthday celebration from 2023, which features a young man named Daniel wearing the same fancy watch as in the BKA photos.

Update, April 6, 12:06 p.m. ET: A reader forwarded this English-dubbed audio recording from a ccc.de (37C3) conference talk in Germany from 2023 that previously outed Shchukin as the REvil leader (Shchuckin is mentioned at around 24:25).

When Syrian government accounts were hijacked in March, the breach looked chaotic. But it revealed something more troubling: a state struggling with the most basic layer of cybersecurity.

Plus: The FBI says a recent hack of its wiretap tools poses a national security risk, attackers stole Cisco source code as part of an ongoing supply chain hacking spree, and more.

Major AI labs are investigating a security incident that impacted Mercor, a leading data vendor. The incident could have exposed key data about how they train AI models.

A tax system breach in Oklahoma is putting highly sensitive personal information at risk. And unfortunately, this is exactly the kind of situation scammers love to exploit. 

Hackers reportedly accessed W-2 and 1099 files through Oklahoma’s online tax portal, according to state officials, exposing the kind of information that can open the door to tax fraud, identity theft, and highly targeted phishing attempts. 

Before the follow-up scams start rolling in, this is the kind of moment where layered protection matters. McAfee+ Advanced includes identity monitoring and data cleansup that can help alert you if your personal information starts circulating where it shouldn’t, and Scam Detector can flag suspicious messages if scammers try to use this breach as a hook. 

What Happened in Oklahoma 

According to a statement by the Oklahoma Tax Commission and reported by KOCO News 5, a local ABC affiliate, suspicious activity inside the state’s Oklahoma Taxpayer Access Point system was identified in December 2025. The agency says impacted individuals have been notified directly by mail, and complimentary credit monitoring and fraud assistance are being offered. 

When W-2s, 1099s, Social Security numbers, and tax-related records are exposed, scammers can use that information to: 

• File fraudulent tax returns  
• Try to open new accounts  
• Build phishing emails or texts that feel unusually real  

Either way, the goal is the same: use real information to make the next scam more believable. 

Red Flags of a Scam After a Breach Like This 

The breach itself is real. But what often follows is a second wave of scams pretending to help. 

Watch For: 

• Emails or texts about your “tax account” that create urgency  
• Messages asking you to verify personal information  
• Fake alerts about refunds, filings, or suspicious activity  
• Links telling you to log in and “secure” your account  

That’s where people can get hit twice: once by the breach, and again by the scam that follows it. 

What To Do If You’re Impacted 

First, don’t panic. Then: 

• Take advantage of any free credit monitoring or fraud assistance being offered  
• Monitor your bank accounts, tax records, and credit reports closely  
• Consider placing a fraud alert or credit freeze if needed  
• Be extra careful with any message referencing taxes, refunds, or account access 
• Go directly to official sites instead of clicking links in emails or texts  

And that, my friends, is scam number one in this week’s This Week in Scams. 

Let’s get into what else is on our radar. 

The FBI Impersonation Scam Showing Up Across the U.S. 

Scammers pretending to be federal agents are making the rounds across the country, and this one is built to make people panic fast. 

Field offices, including Chicago and Houston, are warning the public about fraudsters posing as FBI agents in calls, texts, and emails. In some cases, the scammers claim you’re connected to an investigation. In others, they say you’re a victim of fraud and need to act immediately to protect yourself. 

Sometimes they do not stop there. They may also pretend to be bank employees working alongside the FBI, all to make the story feel more convincing and get access to your money or personal information. 

Why This Scam Works

This scam plays on the same pressure tactics we’ve seen over and over again: authority, urgency, and confusion. 

If someone claims to be a federal agent, many people freeze up and assume they need to cooperate immediately. That’s exactly what scammers are counting on. 

The FBI has been clear about this: federal law enforcement will not ask you for money or sensitive personal information over the phone, by text, or by email. 

The Red Flags in This Message

• Unsolicited outreach from someone claiming to be federal law enforcement  
• Pressure to act immediately  
• Requests for money, gift cards, prepaid cards, or personal information  
• Instructions to keep the conversation secret  
• Stories involving a bank “working with” the FBI  

If it feels dramatic, high-pressure, and just a little off, trust that instinct. 

What To Do if You Get One Of These Messages

• Do not respond  
• Do not send money or share personal information  
• Contact the agency directly using publicly listed contact information  
• Save the message for your records  
• Report it to the FBI: 1-800-CALL-FBI (225-5324), or online at tips.fbi.gov.

This is also exactly the kind of message McAfee’s Scam Detector is built to flag before you get pulled in. 

How McAfee Helps You Stay Ahead of Scams and Breaches 

McAfee+ Advanced gives you multiple layers working together so you are not left figuring it out after the damage is done: 

• Identity Monitoring alerts you if your personal info shows up where it should not, so you can act fast
• Personal Data Cleanup helps remove your information from data broker sites, making you harder to target in the first place
• Scam Detector flags suspicious texts, emails, links, and even deepfake videos before you engage
• Safe Browsing helps block risky sites if you do click
• Device Security helps detect malicious apps or downloads
• Secure VPN keeps your data private, especially on public Wi-Fi  

This kind of layered protection is critical in cases like ghost student scams, where the first sign of fraud often comes after financial damage has already happened. 

Safety tips to carry into next week 

• Be extra cautious after any real breach makes headlines  
• Do not trust unsolicited messages just because they reference real institutions  
• Never send money to someone claiming to be law enforcement  
• Go directly to official websites instead of clicking links  
• Use tools that flag suspicious messages in real time so you do not have to guess 

The reality is, scams are getting better at looking official. 

You should not have to be an expert to spot them. That’s why McAfee is here to help. We’re Safer Together.

We’ll be back next week with more scams making headlines. 

The post Oklahoma Tax Breach and FBI Impersonation Scam: This Week in Scams appeared first on McAfee Blog.

In this episode, we discuss Iran’s threats to target US tech firms, gear up for the midterm elections, and get a scene report from the Polymarket pop-up bar in DC.

As strikes continue on Iran’s nuclear facilities, the real danger isn’t the explosion, but what happens if critical safety systems fail—and how that risk could spread across the Gulf.

We’re proud to share that McAfee’s “Keep It Real” campaign has been named a finalist in the 2026 Shorty Awards Social Good Campaign category. 

This category recognizes work that doesn’t just perform, it matters: campaigns that raise awareness, inspire action, and make a real-world impact. 

That’s exactly what “Keep It Real” set out to do. 

Because behind every scam statistic is a person who thought they were making the right call. And too often, what follows isn’t just financial loss. It’s embarrassment, silence, and stigma. 

We wanted to change that. 

The campaign launched alongside McAfee Scam Detector to address a growing reality: scams powered by AI are becoming harder to recognize and easier to fall for. 

“Keep It Real” paired real survivor stories with AI-driven protection to show how scams actually happen and how people can stop them in the moment. 

The goal was simple: 

• Normalize the experience  
• Remove shame around being scammed 
• Help more people recognize scams faster  

Because when people feel safe talking about scams, they’re more likely to spot them and stop them. 

What Are the Shorty Awards? 

The Shorty Awards honor the best work in social media, digital campaigns, and online storytelling across brands, creators, and organizations. 

Now in their 18th year, the awards recognize campaigns that combine creativity, impact, and real-world relevance. Finalists are selected alongside leading global brands and judged on both industry evaluation and public voting. 

How McAfee’s Scam Detector Fits In 

McAfee’s Scam Detector is designed to help people identify scams across everyday digital moments. 

It uses AI to fight AI by flagging suspicious: 

• Text messages and emails  
• QR codes and links  
• Social media messages  
• AI-generated and deepfake content  

By combining automatic detection with clear guidance, Scam Detector helps people better understand what they’re seeing and decide what to trust. 

Real Stories Behind the Campaign 

A core part of “Keep It Real” was giving space to people who experienced scams to share what happened, in their own words. 

These stories helped show that scams can happen to anyone and played a key role in breaking the stigma around being targeted. 

 

This recognition reflects the work across McAfee teams who built and brought this campaign to life, including product, engineering, research, creative, and communications. 

It also reflects the individuals who chose to share their real scam stories to help others recognize scams, stay safer, and end the shame and stigma around being scammed. 

Support the Campaign 

The Shorty Awards include a public voting component. 

If you’d like to support the campaign, you can vote here:
https://shortyawards.com/18th/keep-it-real-mcafees-ai-scam-media-relations-campaign 

Voting is open through April 8, and you can vote once per day. 

The post McAfee’s “Keep It Real” Campaign Named Shorty Awards Finalist appeared first on McAfee Blog.

A WIRED analysis of DHS records identified dozens of specialized federal agents who used force against US civilians during the largest known deployment of its kind in US history.

As DarkSword spreads, Apple tells WIRED it will enable iOS 18-specific fixes for millions of iPhone owners who remain on that iOS version rather than force them to update to iOS 26.

Tech giants like Apple, Google, and Microsoft are among those on a target list released by Iran’s Islamic Revolutionary Guard Corps.

The GPS Next-Generation Operational Control System was due for completion in 2016. Ten years later, the software for controlling the military’s GPS satellites still doesn’t work.

Vessels are increasingly being abandoned during the war on Iran, revealing a hidden failure in the global systems that keep goods—and people—moving.