These are the cybersecurity stories we were jealous of in 2025


It’s the end of the year. That means it’s time for us to celebrate the best cybersecurity stories we didn’t publish. Since 2023, TechCrunch has reviewed the best cybersecurity stories of the year.

If you’re not familiar, the idea is simple. There are now dozens of journalists covering cybersecurity in the English language. Many articles on cybersecurity, privacy and surveillance are published every week. And a lot of them are awesome and you should read them. We’re here to recommend which ones we liked the most, so keep in mind that this is a very subjective and, ultimately, incomplete list.

Anyway, let’s go. —Lorenzo Franceschi-Bicchierai

Shane Harris has described how he cultivated an Iranian hacker as a source, who was later killed.

Every once in a while there’s a hacker story that, as soon as you start reading, you think might be a movie or TV show. This is the case of Shane Harris’ highly personal account of his months-long correspondence with a leading Iranian hacker.

In 2016, The Atlantic reporter made contact with a person claiming to work as a hacker for Iranian intelligence, where he claimed to have worked on major operations, such as the downing of a US drone and the now-infamous hack against oil giant Saudi Aramco, where Iranian hackers wiped the company’s computers. Harris was rightly skeptical, but as he continued to talk to the hacker, who eventually revealed his real name, Harris began to believe him. When the hacker died, Harris was able to piece together the real story, which somehow turned out to be more incredible than the hacker had led Harris to believe.

This gripping story is also a great behind-the-scenes look at the challenges cybersecurity journalists face when dealing with sources claiming to have great stories to share.

The Washington Post has revealed a secret order requiring Apple to let British authorities spy on users’ encrypted data.

In January, the British government secretly issued Apple with a court order requiring the company to build a backdoor so police can access the iCloud data of any customer in the world. Due to a global gag order, it was only because The Washington Post reported it that we learned the order existed in the first place. The request was the first of its kind and, if successful, would be a major defeat for tech giants who have spent the past decade denying themselves access to their users’ data so as not to be forced to provide it to governments.

Apple subsequently stopped offering its end-to-end encrypted cloud storage as an option to its customers in the United Kingdom in response to the request. But breaking the news made the secret order public and allowed Apple and its critics to examine the UK’s surveillance powers in a way that had never been tested in public before. The story sparked a months-long diplomatic row between the UK and US, prompting Downing Street to drop its demand, only to try again several months later.

The Atlantic’s “The Trump Administration Accidentally Texted Me Its War Plans” Is This Year’s Best Headline

This story was the kind of instant access some journalists dream of, and The Atlantic’s editor-in-chief was able to watch it play out in real time after being unintentionally added by a senior U.S. government official to a Signal group made up of senior U.S. government officials discussing war plans on their cell phones.

A screenshot of the leaked Signal chat, which reads (from Pete Hegseth): "MORE TO FOLLOW (by timeline) We are currently clean on OPSEC. Good luck to our warriors." Next, JD Vance follows: "I will say a prayer for victory."
“We are currently clean on OPSEC,” Defense Secretary Pete Hegseth said. They weren’t. Image credits: The Atlantic (screenshot)

Reading the discussion about where U.S. military forces should drop bombs, and then seeing news reports of missiles hitting the ground halfway around the world, was the confirmation Jeffrey Goldberg needed to know that he was, as he suspected, in a real conversation with real Trump administration officials, and all of it was being recorded and reportable.

And so he did, setting the stage for a months-long investigation (and critique) of the government’s operational security practices, in what has been called the largest government operational security error in history. The outcome of the situation ultimately revealed security vulnerabilities involving the use of a counterfeit Signal clone that further compromised the government’s seemingly secure communications.

Brian Krebs tracked down the administrator of a prolific hacking group, a Jordanian teenager

Brian Krebs is one of the most experienced cybersecurity journalists, and for years he has specialized in tracking online breadcrumbs that have led him to reveal the identities of notorious cybercriminals. In this case, Krebs managed to find the true identity behind a hacker’s online alias, Rey, who is part of the famous “advanced persistent adolescents” cybercrime group called Scattered LAPSUS$ Hunters.

Krebs’ quest was so successful that he was able to speak to someone very close to the hacker – we won’t spoil the whole article here – and then to the hacker himself, who confessed to his crimes and claimed he was trying to escape the life of a cybercriminal.

Independent news outlet 404 Media has produced more impactful journalism this year than most mainstream media outlets with far more resources. One of its greatest victories was effectively exposing and shutting down a massive air transportation surveillance system operated by federal agencies and operating in plain sight.

404 Media reported that a little-known data broker created by the airline industry, called Airlines Reporting Corporation, was selling access to 5 billion airline tickets and travel itineraries, including the names and financial information of ordinary Americans, allowing government agencies like ICE, the State Department and the IRS to track people without a warrant.

ARC, owned by United, American, Delta, Southwest, JetBlue and other airlines, announced it would end the warrantless data program after several months of reporting from 404 Media and intense pressure from lawmakers.

Wired made the 3D printed gun Luigi Mangione allegedly used to kill a healthcare executive to test the legality of ‘ghost guns’

The murder of UnitedHealthcare CEO Brian Thompson in December 2024 was one of the biggest stories of the year. Luigi Mangione, the prime suspect in the murder, was soon after arrested and charged with using a “ghost gun,” a 3D-printed firearm that had no serial number and was privately manufactured without a background check — effectively a weapon the government had no idea existed.

Wired, using its previous reporting experience on 3D printed weapons, sought to test how easy it would be to build a 3D printed weapon, while navigating the disparate legal (and ethical) landscape. The reporting process was superbly explained, and the video that accompanies the story is both excellent and frightening.

NPR detailed a federal whistleblower’s account of how DOGE took sensitive government data and the threats it faced.

DOGE, or Department of Government Efficiency, has been one of the biggest ongoing stories of the year, as Elon Musk’s gang of lackeys ripped apart the federal government, eliminating security protocols and red tape, as part of a mass grab of citizen data. NPR has done some of the best investigative reporting uncovering the resistance movement of federal workers trying to prevent the government’s most sensitive data from being stolen.

In a post detailing an official whistleblower disclosure shared with members of Congress, a senior IT employee at the National Labor Relations Board told lawmakers that while seeking help investigating DOGE activity, he “found a letter printed in an envelope taped to his door, which included threatening language, sensitive personal information, and aerial photos of him walking his dog, according to the cover letter attached to his official disclosure.”

Mother Jones found an exposed data set on surveillance victims, including world leaders, an enemy of the Vatican and maybe you.

When a story begins with a journalist saying they found something that made them “feel like shit my pants”, you know it’s going to be a fun read. Gabriel Geiger found a dataset from a mysterious surveillance company called First Wap, which contained records of thousands of people from all over the world whose phone locations had been tracked.

The dataset, spanning 2007 to 2015, allowed Geiger to identify dozens of high-profile people whose phones were tracked, including a former Syrian first lady, the head of a private military company, a Hollywood actor and an enemy of the Vatican. This story explored the dark world of phone surveillance that exploits Signaling System No. 7, or SS7, an obscurely named protocol long known to enable malicious tracking.

Wired reported on the investigation behind a series of “swatting” attacks on hundreds of schools across the country.

Swatting has been a problem for years. What started as a bad joke became a real threat, resulting in at least one death. Swatting is a type of hoax in which someone – often a hacker – calls emergency services and tricks authorities into sending an armed SWAT team to the hoax target’s home, often pretending to be the target themselves and claiming that they are about to commit a violent crime.

In this feature, Wired’s Andy Greenberg put a face to the many characters in these stories, like call operators who have to deal with this problem. And it also profiled a prolific swatter, known as Torswats, who for months tormented operators and schools across the country with false – but extremely credible – threats of violence, as well as a hacker who took it upon himself to track down Torswats.


