Chinese peptide labs funded with cryptocurrencies are thriving

Meta has quietly stored its passive facial recognition code on more than 50 million phones, WIRED reported this week, inside a companion app that pairs with its Ray-Ban and Oakley smart glasses. If activated, the feature – known internally as NameTag – will allow the wearer to recognize people in front of them by matching captured faces to a gallery of biometrics on the user’s device. It’s the same type of technology that Meta said it was moving away from in 2021, after paying billions of dollars to settle biometric privacy lawsuits in Texas and Illinois.

Meanwhile, xAI is asking a federal judge to force four people suing the company over fake nude photos created by Grok to drop their pseudonyms and litigate under their real names — including one plaintiff who alleges the chatbot was used to fabricate sexual images of her when she was a child. Plaintiffs say they would drop the lawsuit sooner rather than submit to online harassment and defamation from Musk’s supporters. However, xAI’s lawyers claim that since the deepfake will remain under seal, there is “nothing inherently stigmatizing” about naming the people in it.

Google rolled out a new feature for Android this week aimed at combating the wave of AI-powered impersonation scams that help scammers impersonate a familiar number and clone a person’s voice. It is packaged with Google Dialer and ships to phones running Android 12 or later, and pings the caller’s device for a silent encrypted handshake. If the call is fake, Android will flag it and remove the contact’s image from the screen, but only if both parties are on Google Dialer, leaving iPhones out of the picture.

WIRED also reported this week that the Manhattan Institute — the same right-wing think tank that designed the broken windows policy in the 1990s and pushed the Trump administration to combat DEI — is now purchasing model legislation to turn minor protest-related crimes into felonies under a new theory it calls “civil terrorism.”

Researchers have detailed a new clever browser side-channel attack called FROST that fingerprints other tabs — and sometimes apps on your device — by measuring how long it takes to read from a sandboxed file on your SSD. The attack is powered entirely using JavaScript and feeds timing traces through a neural network trained on the I/O signatures of common programs. There is no evidence yet of anyone using it in the wild.

And that’s not all. Every week we round up security and privacy news that we don’t cover in detail ourselves. Click on the headlines to read the full stories, and stay safe out there.

Dietary supplements known as peptides — chains of amino acids that promise to help those who smear, ingest or inject them achieve everything from weight loss to skin rejuvenation — have become a largely unregulated pharmaceutical sub-industry. So, its growth is clearly supported by cryptocurrencies, which are often sent directly to Chinese laboratories that sell these mysterious drugs.

Cryptocurrency tracking firm Chainalysis this week published an analysis of cryptocurrency flows to peptide sellers, a gray market the company now measures at more than $100 million annually and growing. Specifically, Chainalysis found that some of the same Chinese laboratories that previously sold fentanyl precursors have now shifted to manufacturing and selling peptides. Chainalysis believes the shift is designed to capitalize on the wave of social media “phenomenological” hype that has driven peptide sales — and to avoid the risk of crackdowns by law enforcement on opioid manufacturers.

AI can do all sorts of things if you just ask it: program an app, enhance your photos, or even hack President Barack Obama’s Instagram account. Since Meta announced in March that its account support would be increasingly automated using artificial intelligence, including functions like updating your password, hackers have discovered they can exploit the tool to reset passwords and take over the accounts of even high-profile users and celebrities. Among the victims, as reported by 404 Media, are Obama, the first sergeant in the US Space Force, and the cosmetics chain Sephora. Meta says the issue has now been fixed and affected accounts have been secured. But the wave of acquisitions illustrates the risks of hollowing out AI security functions — especially at companies like Meta, which has publicly touted its holistic approach to adopting AI across the company.

When AI company Anthropic rolled out its powerful Mythos tool to a select group of organizations to test, it raised eyebrows by including the US National Security Agency on that initial access list. After all, Mythos is said to be able to find previously hidden, hackable vulnerabilities in software with alarming speed, raising concerns that it could be used for automated mass surveillance and cyberattacks. But the NSA also has a defense mission, and initial reports suggest the agency may be using Anthropic to find bugs in popular software used by Americans — like Microsoft — with the goal of better securing them. However, the Financial Times now reports that Anthropic is helping the NSA move forward with its use of Mythos, deploying Anthropic engineers to the agency to help it learn to use the AI ​​tool, including offensive hacking. FT was unable to confirm that Mythos was used in active hacking operations. But given the increasing use of artificial intelligence in state-sponsored hacking, it would be surprising if the United States did not join the field of automated cyber intrusions in the modern era.

US President Donald Trump has chosen Bill Bolt to serve as interim Director of National Intelligence. Bolte replaces Tulsi Gabbard, who recently resigned from the role due to her husband’s health issues. Trump said he is considering appointing other people to the permanent job, but that confirmation process could take months.

As acting director, Bolte will be responsible for the entire US intelligence community, coordinating 18 different agencies including the CIA and the National Security Agency.