Back in 2018, my former colleague at VICE Motherboard Joseph Cox and I started publishing a list of the best cybersecurity stories that were published elsewhere. It wasn’t just a way to tip our hats at our friendly competitors; by pointing to other publications’ stories, we were giving our readers a fuller picture of what had happened in the world of cybersecurity, privacy, and surveillance in the year that was just ending.
Now that both Cox and I have moved on from Motherboard, we at TechCrunch are picking up the cyber jealousy list to once again list the best cybersecurity stories of the year — and the ones we were the most jealous of. — Lorenzo Franceschi-Bicchierai.
If you were on the internet in October 2016 and lived on the U.S. east coast, you probably remember that day when major websites like Twitter, Spotify, Netflix, PayPal, Slack, and hundreds of others stopped working for a couple of hours. As it turned out, that was the work of three enterprising young hackers, who had built one of the most effective distributed denial-of-service tools ever created.
In this lengthy piece, Andy Greenberg profiles the three young hackers and tells the untold story of their lives, from teenage computer nerds, to accomplished cybercriminals — and, in the end, to reformed cybersecurity professionals. Sit on a comfy chair and get engrossed in this must-read.
In September, an unholy alliance of Russian cybercriminals and Western teenagers with exceptional social engineering skills allegedly hacked and took down MGM’s casinos in Las Vegas, causing widespread disruption. This was one of the most talked about cyberattacks of the year and several publications stayed on the story. Jason Koebler, former editor in chief of VICE Motherboard and now one of the co-founders of the workers-owned outlet 404 Media had the smart idea of flying to Las Vegas and seeing the chaos with his own eyes. The result of his trip was a piece that showed just how bad MGM was hit, resulting in a “nightmare” for casino workers, as Koebler put it.
NPR’s cybersecurity correspondent Jenna McLaughlin reported from Kyiv documenting a series of excellent news and audio stories about life in wartime Ukraine from those defending the country after Russia’s invasion. Cyberwarfare has played a significant role in the war, with cyberattacks hitting Ukraine’s energy sector and its military operations. McLaughlin’s dispatches spanned meetings with top cyber defenders to reporting on Ukraine’s defensive (and offensive) operations against its Russian aggressors, spliced with highlights of normal everyday Ukrainian life featuring soccer, of course.
In an astonishing about-face, electronics maker Anker admitted that its supposably always-encrypted cameras weren’t always encrypted. In short, a security researcher found a bug that showed it was possible to access unencrypted streams of customer videos, despite Anker’s claims that its Eufy cameras were end-to-end encrypted. The Verge verified and reproduced the security researcher’s findings and Anker eventually admitted that its cameras were not end-to-end encrypted as it claimed and had in fact produced unencrypted streams. Hats off to The Verge for its impressive and dogged reporting getting to the bottom of Anker’s misrepresentations and botched attempt to cover it up.
In 2020, Russian government hackers sneaked malicious code into the supply chain of software made by SolarWinds, a tech company whose customers range from giant corporations to federal government agencies. The hack was stealthy and incredibly effective, giving the Russians the chance to steal secrets from their rival country. Veteran cybersecurity reporter Kim Zetter spoke with the people who helped investigate the incident and reconstructed the stealthy hack almost blow-by-blow in an incredibly detailed and deep investigation. Zetter also published a handy and thorough timeline of events on her Substack, which is worth subscribing to if you haven’t already.
For years, very few people were aware of the existence of an Indian firm called Appin. But thanks to an investigation based on “interviews with hundreds of people, thousands of documents, and research from several cybersecurity firms,” as Reuters put it, its team of journalists reported and published evidence that shows Appin as a hacking-for-hire operation that helped to obtain information on executives, politicians, military officials, and wealthy people all over the world. This is one of the most detailed and exhaustive looks inside the shadowy world of hacking-for-hire companies, who don’t work for governments like Hacking Team or NSO Group, but instead for wealthy private customers. The story itself made headlines when Reuters was forced to take down the story to comply with a New Delhi court order. Reuters said in an editor’s note it stands by the reporting.
Trickbot is one of the most active and damaging Russian cybercrime syndicates, having hit thousands of companies, hospitals, and governments in the last few years. In this investigation, based on interviews with cybersecurity experts as well as an analysis of a trove of data from the ransomware gang that leaked online, WIRED’s Matt Burgess and Lily Hay Newman unmask one of Trickbot’s “key personas.” The journalists identify him as a Russian man who says he’s “fucking addicted” to Metallica, and likes the classic movie Hackers. A week later after the reporters published, the U.S. and U.K. governments announced sanctions against 11 people for their alleged involvement in Trickbot — including the man identified in the original WIRED story.
“I was floored by how easily someone could steal my phone,” wrote Business Insider’s Avery Hartmans, whose phone number was hijacked by someone who tricked her carrier, Verizon, into thinking they were her. Our phone numbers are connected to our bank accounts, password resets, and more, so SIM swapping can result in frighteningly damaging access to a person’s life. In this case, by exploiting this single point of failure, the hacker was able to rack up thousands of dollars in fraudulent purchases in Hartmans’ name. Hartmans’ breathtakingly detailed first-hand account of tracking down her SIM swapper with unwavering determination — with help along the way — was an incredible way to raise awareness to these kinds of targeted SIM swapping hacks, and not least to show how useless most companies can be to help.
Data containing close to a year’s worth of facial recognition requests obtained by Politico reporter Alfred Ng show that in the year after police in New Orleans began using facial recognition, the practice failed to identify suspects most of the time and was used almost exclusively against Black people. The use of facial recognition by police, law enforcement and government agencies remains a highly controversial practice across the United States. While critics say facial recognition is deeply flawed at a technical level because it is nearly always trained on white faces, Ng’s reporting confirms what civil rights advocates have also argued for years: that facial recognition amplifies the human biases of the authorities that use this technology. Or, in the words of one New Orleans council member who voted against facial recognition, that New Orleans’ use of facial recognition is “wholly ineffective and pretty obviously racist.”
Just as last year came to a close, password manager LastPass confirmed that cybercriminals stole its customers’ encrypted password vaults storing its customers’ passwords and other secrets during an earlier data breach. The full impact of this theft remained unknown until September 2023 when cybersecurity reporter Brian Krebs reported that several researchers had identified a “highly reliable set of clues” that seemingly connected more than 150 victims of crypto thefts linked to stolen LastPass password vaults. According to Kreb’s extensive reporting, over $35 million in crypto had been stolen so far. One of the victims, who had been using LastPass for more than a decade, told Krebs they were robbed of approximately $3.4 million worth of different cryptocurrencies.