The Era of Wild AI Is About to End, at Least in China. Beijing Launches a Shock Campaign
To counter the growing abuse of artificial intelligence technologies and restore order in the digital sector, the Cyberspace Administration of China has launched a large-scale national campaign called “Clear and Bright: rectifying the abuse of artificial intelligence technology”.
This initiative, lasting three months, aims to standardize the use of AI applications, promote ethical development of the sector and protect the legitimate rights of Chinese citizens. The operation is divided into two phases: the first aims to control technology sources and rectify illegal AI tools, improving platforms' ability to identify and block dangerous synthetic content; the second will instead focus on removing fake and pornographic content, digital impersonations and manipulative online activity, punishing the accounts and organizations involved.
In the first phase, six main problems are in the authorities' sights: from the spread of illegal software such as “one-click undressing” tools and unauthorized voice synthesizers, to the lack of management of the datasets used to train AI models, often drawn from unverified or illegal sources.
Added to these are serious shortcomings in platforms' security systems, the absence of clear labelling of generated content, and the risks in sensitive sectors such as medicine, finance and education, where AI is used without adequate controls, producing “AI prescriptions” or “fictitious investments” with potentially disastrous effects.
The second phase deals instead with cleaning the web of seven categories of dangerous content: among these, the generation and spread of false rumours about politics and current affairs, the manipulation of news through deepfakes, the publication of pseudoscientific and superstitious content, and the production of pornographic and violent material through AI.
Other practices under observation are the use of artificial intelligence to impersonate famous or deceased people for fraudulent purposes, the control of online conversations through bots and automated content farms, and the use of AI to create counterfeit platforms or seductive services aimed at minors, with the consequent risk of addiction and psychological harm.
The Chinese authority's intervention is not limited to removal: all platforms are required to implement tools for detecting AI content, carry out regular reviews and strengthen controls on APIs and chatbots. Local cyberspace administrators have been ordered to monitor and intervene actively, while also promoting science communication and the population's technological literacy.
With this campaign, China aims to consolidate a model of artificial intelligence governance that not only curbs abuses but also educates users, holds developers accountable and imposes clear limits on a technology that, if left unchecked, can turn from a resource into a threat.
The message is clear: the era of wild AI is ending, at least in China.
The article The Era of Wild AI Is About to End, at Least in China. Beijing Launches a Shock Campaign comes from il blog della sicurezza informatica.
AI Revolution in China! 17 New Academic Research Centers Born in a Single Day
On May 6, Sun Yat-sen University hosted a conference dedicated to the development of artificial intelligence, during which the Artificial Intelligence Research Institute was officially inaugurated and the creation of 17 new research centers was announced. Qian Depei, academician of the Chinese Academy of Sciences and first dean of the university's Faculty of Computer Science, will chair the Institute's Academic Committee.
Chen Hongbo, executive vice president of the Institute, explained that the initiative integrates the scientific expertise present in the university's various departments and is structured on three levels: “matter”, “foundation” and “application” of artificial intelligence.
The goal is to address national strategic challenges, leverage the industrial advantages of the Greater Bay Area and promote key technology areas such as large multimodal models, low-power neuromorphic chips, autonomous systems, the low-altitude economy and other emerging sectors. The ultimate aim is to create a large-scale ecosystem that brings together industry, research, academia and application.
China now seems to have drawn level with the United States, so much so that the NYT reported these milestones, reached by China in just 19 months, in an article that states: “The stakes of this competition are high. The leading US companies have largely developed proprietary artificial intelligence models and charged royalties for their use, in part because training their models costs hundreds of millions of dollars. Chinese artificial intelligence companies are expanding their influence by making their models freely available to the public, who can use, download and modify them, thus making them more accessible to researchers and developers around the world.”
The 17 research centers will cover a wide range of interdisciplinary fields across the arts, sciences, medicine and engineering. Areas of interest include: high-performance scientific computing, mathematical foundations of AI, intelligent chips and systems, sensing devices inspired by the human brain, intelligent software, multi-agent models and embodied intelligence, AI applied to medical big data, and collective intelligence.
Gao Song, president of the University and also an academician of the Chinese Academy of Sciences, emphasized the university's two-pronged approach: on the one hand, strengthening theoretical research and the development of key technologies such as advanced chips and foundational software; on the other, using artificial intelligence to drive a paradigm shift in scientific research, promoting revolutionary technological innovations across multiple sectors.
During the event, the Work Plan for the Promotion of Artificial Intelligence was also presented; it comprises 15 initiatives divided into three areas: talent training, scientific and technological innovation, and governance. The university plans to consolidate computing resources, improve support mechanisms and create a favourable environment for the development of AI and the nurturing of talent.
Zhu Kongjun, secretary of the university's party committee, stated that, as a leading institution of the Guangdong-Hong Kong-Macao Greater Bay Area, Sun Yat-sen University takes on the responsibility of leading the strategic development of AI, with a focus on technological self-sufficiency, basic innovation and concrete application in service of national goals.
Founded in June 2020, the Artificial Intelligence Research Institute further expanded its activities in December 2024, becoming fully operational with a site of over 40,000 square metres and numerous world-class experimental platforms.
The article AI Revolution in China! 17 New Academic Research Centers Born in a Single Day comes from il blog della sicurezza informatica.
Press note on the matter of VIPs' phones and data
During the day, some radio and television outlets reported that the Agenzia per la cybersicurezza nazionale (National Cybersecurity Agency) had learned, from an informal notification made on the well-known social network LinkedIn, of the exposure on the web of the personal numbers of senior State officials, and that this notification was not given the necessary follow-up, given the importance of the institutional figures concerned.
This news is entirely without foundation. The notification of 18 March referred exclusively to the discovery on the web of personal numbers and contacts of the Agency's senior managers.
Subsequent checks, carried out within a few hours, established that the notification did not concern an exfiltration resulting from a compromise of the Agency's IT system and that, moreover, some of the information and data were no longer current, as they related to previous work experience and had also been exposed for professional reasons.
The exposure of this information on the web appears instead to be linked to the activity of aggregators run by non-European companies, which collect such information, sometimes provided with the informed consent of the person concerned, and trade it, mainly for commercial or customer-profiling purposes. This can also create the risk of it being findable on the web.
As for the exposure on the web of data relating to senior State figures, which appears attributable to the same phenomenon described above, the Agency, within its remit, will report to Copasir.
securityaffairs.com/177619/cyb…
#securityaffairs #hacking
The LockBit ransomware site was breached, database dump was leaked online
Lockbit ransomware group has been compromised, attackers stole and leaked data contained in the backend panel of their dark web site. Pierluigi Paganini (Security Affairs)
⚡ Ethical Hacker Extreme Edition is not just theory: it is a real digital training ground
📚 34 weeks of advanced content
🧪 Continuous exercises on HackMeUp, the platform where you immediately put into practice what you learn
🎓 CPEH certification issued under the ISO 17024 standard
⏳ The course starts in June, but the promo ends very soon
You won't be alone: by joining the course you will contribute to the growth of the RHC community, a point of reference for cyber outreach in Italy. 🔥
⏳ Promo active while places last, until 10 May!
🔗cybersecurityup.it/ethical-hac…
For information contact us at 3755931011 or e.picconi@fatainformatica.it
#redhotcyber #EthicalHackerExtremeEdition #cybersecurity #hackmeup #formazioneprofessionale #ethicalhacker #infosec #capturetheflag
Corporate cyber resilience: the strategic guide from the World Economic Forum
@Informatica (Italy e non Italy 😁)
Traditional cybersecurity, based exclusively on preventing attacks, is proving insufficient in the current landscape: a new approach to cyber security needs to be devised. Here is how the WEF study serves as a strategic guide
Darcula: here is how they stole 884,000 credit cards via SMS
@Informatica (Italy e non Italy 😁)
The types of scams and the methods used by cyber criminals are constantly evolving to adapt attack techniques and continue their activities. Darcula, a phishing-as-a-service (PhaaS) platform, is the latest example of exploitation
Ransomware, a law to ban ransom payments: useful, but not enough
@Informatica (Italy e non Italy 😁)
Ransomware awareness campaigns, accredited training, measured risk scores and minimum certifications could become compliance tools that strengthen the entire preventive defence architecture, reducing in the
Nitrogen Ransomware: a threat to the financial sector
@Informatica (Italy e non Italy 😁)
In recent years, the financial sector has become one of cybercriminals' main targets, and 2024 was no exception. Among the new emerging threats, the Nitrogen ransomware has stood out for its danger and its ability to hit financial institutions with attacks
securityaffairs.com/177609/sec…
#securityaffairs #hacking
Cisco fixed a critical flaw in its IOS XE Wireless Controller
Cisco addressed a flaw in its IOS XE Wireless Controller that could enable an unauthenticated, remote attacker to upload arbitrary files. Pierluigi Paganini (Security Affairs)
The AWS team published a key-committing variant (eprint.iacr.org/2025/758.pdf) of XAES (words.filippo.io/xaes-256-gcm/)!
Still FIPS-compliant, and with a proof.
Key commitment ensures the ciphertext can only be decrypted with one key, to avoid issues in higher-level protocols.
XAES-256-GCM
XAES-256-GCM is a new AEAD extended-nonce algorithm designed for high-level APIs and FIPS 140 compliance. Filippo Valsorda
I've tagged filippo.io/bigmod v0.1.0, bringing it up to date with crypto/internal/fips140/bigmod in Go 1.24.
This is the constant time big integer library that backs all of crypto/rsa now, including key generation.
Still less than 700 SLoC + 70 of Avo!
pkg.go.dev/filippo.io/bigmod@v…
bigmod package - filippo.io/bigmod - Go Packages
Package bigmod implements constant-time big integer arithmetic modulo large moduli. pkg.go.dev
Burner phones for those travelling to the US, the EU tackles the issue of espionage
@Informatica (Italy e non Italy 😁)
According to the Financial Times, the EU would like its envoys travelling to the US to use burner phones. Brussels' partial denial does not dispel the real fears of espionage and confirms that precautions are a must
The article Burner phones for those travelling to the US,
Data centers, how to support growth with appropriate long-term strategies
@Informatica (Italy e non Italy 😁)
The challenges facing data centers consist of addressing bottlenecks in electrical infrastructure and in the supply chain, computing power constraints and environmental impact, but also difficulties in resources
securityaffairs.com/177599/sec…
#securityaffairs #hacking
U.S. CISA adds GoVision device flaws to its Known Exploited Vulnerabilities catalog
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds GoVision device flaws to its Known Exploited Vulnerabilities catalog. Pierluigi Paganini (Security Affairs)
securityaffairs.com/177590/cyb…
#securityaffairs #hacking
Polish authorities arrested 4 people behind DDoS-for-hire platforms
Polish police arrested 4 people behind DDoS-for-hire platforms used in global attacks, offering takedowns for as little as €10. Pierluigi Paganini (Security Affairs)
Play Ransomware exploits a Windows 0-Day: a silent attack before the April 2025 patch
📌 Link to the article: redhotcyber.com/post/play-rans…
The Play ransomware group exploited a 0-Day vulnerability in Windows before Microsoft fixed it. Here are the details and the victims affected. Redazione RHC (Red Hot Cyber)
The Era of Wild AI Is About to End, at Least in China. Beijing Launches a Shock Campaign
📌 Link to the article: redhotcyber.com/post/lera-dell…
The Cyberspace Administration of China launches a national campaign against the abuse of artificial intelligence technologies. Two phases, six categories of violations and one goal: stopping deepfakes, fake news and dangerous content. Redazione RHC (Red Hot Cyber)
Can we fix the digital transatlantic relationship?
WELCOME BACK TO DIGITAL BRIDGE. I'm Mark Scott, and this weekend marked May 4th — also known as Star Wars Day, for those who follow such things. This video plays in my head every time I have to explain the Star Wars basics to a non-fan.
For anyone in Brussels on May 15, I'll be co-hosting a tech policy gathering in the EU Quarter. We're running a waiting list, so add your name here and we'll try to open up some more slots.
— The transatlantic relationship on tech is in the worst shape in decades. Here are some ways to improve it — even if wider political tensions remain.
— A far-right candidate won the first round of Romania's presidential election. Europe has not responded well to the digital fall-out.
— Media freedom has been significantly curtailed over the last decade amid people's shift toward social media for their understanding of the world.
Let's get started:
LET'S BE CLEAR: THE TRANSATLANTIC RELATIONSHIP on tech is the worst I've seen in 20 years. The White House has already made clear it views European Union digital regulation as akin to protectionist tariffs, as well as an unfair check on free speech. The Berlaymont Building — home to the European Commission — has struggled to secure high-level meetings for its digital officials whenever they've made it to Washington. It also has doubled down on internal efforts to promote European economic interests over those from outside the bloc via public funds dedicated to the next generation of emerging technology.
In short, Brussels and Washington are talking past each other. Even when United States and EU officials disagreed — as they often did — in the past, there was always an informal line of communication between policymakers to ease tensions. That came from individuals, on both sides, who had invested a significant amount of personal capital in building ties with each other. People met at conferences. They swapped cellphone numbers. They built professional, and sometimes personal, relationships with their counterparts in each respective city.
I wouldn't say those networks are completely gone. But they are certainly on life support. It has left the world's two most important democratic powers at a crossroads. And on digital policymaking, I'm seeing more and more signs that the EU and other parts of the democratic world (with the significant exceptions of the United Kingdom and Japan) are now willing to distance themselves from their one-time trusted ally.
But after I outlined that theory a couple of weeks ago in Digital Politics, many of you got in touch with a fair criticism. We get things are bad, went the emails. But where are the areas of common ground that can keep the (digital) embers alive — even if the transatlantic fire looks like it's going out?
Fair point. It's easy to criticize. It's harder to offer solutions. So here goes.
First, one chess piece worth taking off the board. In many European capitals, there's a growing interest in working directly with US state leaders, most notably governors who have taken on an increasing leadership position on tech just as Washington has given up that role. I wouldn't put my eggs in that basket — even if that could include working directly with California on areas like artificial intelligence standards and international data flow rules.
Here's what paid subscribers read in April:
— Why digital services won't be on the front line of the unfolding global trade war; Donald Trump's extension of the TikTok sale/ban doesn't solve any of the underlying problems; How different generations consume online media. More here.
— The idea that any tech giant has a monopoly on social media misunderstands how we all use these platforms; What's behind Brussels' renewed attempt to "streamline" its digital rulebook; Annual corporate investment in AI has grown 13-fold over the last decade. More here.
— Non-US policymakers are seriously considering how to pull back from the US on tech; The transatlantic consensus that Google is a monopoly will have long-term consequences, but it will take time to play out; Digital-focused civil society groups worldwide have been hurt by cuts in US government support. More here.
— Canada's recent election shows the limits on how the online world can shape offline politics; How to understand the European Commission's collective $790 million antitrust fine against Meta and Apple; Brussels will spend $66 million this year to enforce its online safety regime. More here.
As much as many would like to bypass the current situation in Washington (and I mean the wider morass of nothingness on tech, excluding the recent Take it Down Act that will likely be signed by Donald Trump), few, if any, foreign governments are willing to publicly push ahead with such US state-based digital diplomacy out of fear of negating decades-old international norms that national governments speak to other national governments on such foreign policy issues. Basically, working directly with US states is a non-starter for most non-US government officials.
OK, so where can we find common ground? Weirdly, antitrust policy feels like the most secure US-EU digital issue where both sides are forging ahead with a new collective consensus. Yes, the White House may not like the EU's Digital Markets Act (though it has remained mostly quiet about the recent fines against Meta and Apple, respectively.) And yes, many EU competition officials look at the decades of Washington's stalled antitrust investigations into Big Tech as a sign the US is too slow and/or too unwilling to act.
But in the last five years, there's been a growing consensus across the Atlantic that 1) parts of Silicon Valley have abused their market dominance; 2) consumers and smaller rivals have been unfairly affected by those actions; and 3) aggressive antitrust enforcement — including the potential break-up of some of these tech companies — is the only way to re-level the market.
If that doesn't sound like a first step toward a rekindled transatlantic relationship on tech, then I don't know what does.
Next, to the thorniest of topics: platform governance. Trump's aversion to European-style online safety rules is well-known. It was mostly shared by his Republican and Democratic predecessors in the White House. Brussels, too, hates the fact its internal media landscape is dominated by the likes of Instagram and YouTube.
But where both sides equally agree is that more needs to be done to protect minors from online predatory behavior, scams and potentially abusive content algorithms that have led to a series of EU and US efforts aimed at boosting digital child safety. Yes, this is not a like-for-like comparison. Some in the US have given parents too much control over what their kids can see on social media. Some in the EU want to impose age verification standards — in the name of child safety — that would fundamentally undermine how the current internet works.
But the basic premise — that children must be better protected as they navigate the online world — is an issue that both sides of the current transatlantic divide can agree on. What better way to maintain some form of ongoing EU-US relationship on tech?
The third area goes out to all the uber-wonks among us. Washington and Brussels should double down on the geekiest of digital technocratic standards as a means of bridging the political divide. That includes technical discussions that have thrived, for decades, in international and multi-stakeholder organizations like the 3rd Generation Partnership Project, or 3GPP, which sets global standards for telecommunications networks. Yes, I told you this stuff was geeky.
That would allow European and US officials — and, by extension companies — to continue talking, even if their political masters ratchet up the transatlantic trade dispute. It would also provide a greater level of certainty for American and EU businesses to invest in the digital world which is, according to both Brussels and Washington, an ongoing political objective.
So there you have it: competition, child safety and tech standards. Three areas that could be a foundation for ongoing talks and cooperation amid an increasingly geopolitical period. Runners-up tech topics also include: cybersecurity, defense and data flows. If you're interested in me unpacking those, let me know here.
The $64 million question is whether Washington and Brussels are willing and/or able to see beyond their short-term political fight to allow apolitical officials to continue the digital work they've been doing for years.
In normal circumstances, I would certainly hope so. But as anyone who has spent time in either Brussels or Washington this year will attest to, we're not living in normal circumstances. And even the hope of finding non-partisan digital topics upon which the transatlantic relationship can be rekindled feels more like a hope, currently, than a legitimate policymaking objective.
For some bonus content, here are my latest pieces for Tech Policy Press on how the US is pulling back from its global leadership on digital policy and how the EU is embracing its inner Trump, on tech, to Make Europe Great Again.
Chart of the Week
REPORTERS WITHOUT BORDERS, a nonprofit organization, compiles a yearly index that tracks five indicators — security, social, legislative, political and economic — on the health of countries' domestic media ecosystems.
The last decade has not been good. The chart on the left, from 2013, highlights that while the likes of China and Saudi Arabia scored poorly across the board, democratic states — including the majority of Europe and North America — were still viewed as "satisfactory" (the light orange color.)
Fast forward to 2025, and many of those democratic countries, including the US, have fallen (see chart on the right) into the "problematic" category (the dark orange color). That includes many parts of Central and Eastern Europe, too.
Source: World Press Freedom Index
What happened in Romania? Take Two
AS DIGITAL POLITICS WENT TO PRESS on May 4, George Simion, a far-right ultra-nationalist politician, had won the first round of Romania's presidential election. The leader of the anti-vaccine Alliance for the Union of Romanians secured 41 percent of the vote — less than the majority Simion would need to win outright. He will now face a run-off, on May 18, with Nicușor Dan, the mayor of Bucharest, who garnered 21 percent of the first round vote.
For the latest on Romania's presidential election, see here, here and here.
The reason Romania is holding a do-over on its presidential election is because of claims, during the previous vote in November, that pro-Russian politician Calin Georgescu unfairly used TikTok to woo voters in his unlikely first-round victory. The ultra-nationalist politician came out of the blue to top the first-round poll, and national regulators accused the China-linked platform of failing to uphold the country's electoral rules.
In an unprecedented step, Romania's intelligence services then released redacted documents (overview here) accusing foreign actors (they didn't mention Russia, but that was the inference) of conducting 85,000 cyberattacks on the country's election infrastructure. They also suggested there was a cross-platform influence operation involving pro-Georgescu Telegram channels that coordinated messages which people could then post to TikTok and Facebook. The spooks said similar tactics had been used in Ukraine — but, again, Moscow was never specifically mentioned in the redacted documents.
Not surprisingly, TikTok pushed back hard against accusations it had any role in Romania's last presidential election. It released a series of cherry-picked reports (see here and here) about how the platform had removed spam accounts, promoted authoritative information to voters and took down waves of false likes and follow requests.
In December, a senior Romanian court annulled Georgescu's presidential first-round win, in part because of the declassified intelligence documents. That same month, the European Commission opened an investigation into TikTok's role in the Romanian vote, focusing on how the tech giant may have failed to mitigate election-related risks. In February, Georgescu was placed under investigation for mostly potential campaign financing irregularities. And in March, he was barred from standing in this week's presidential re-run.
I get it. That's a lot to take in — especially for most of us who are not Romanian politics experts.
But what is central to the wider digital debate is that a presidential election of a democratic European country was annulled based on unsubstantiated claims that one of the candidates had unfairly benefited from a social media campaign that, potentially, had ties to Russia. That then led to both domestic and EU investigations into campaign financing irregularities and the role of a foreign-owned social media platform in a European country's nationwide vote.
To date, no one has been convicted of a crime. Brussels has yet to publish any evidence of TikTok's role in allowing a coordinated influence campaign to flourish on its platform ahead of the November election.
If true, both sets of accusations — related to Georgescu's alleged campaign financing issues and TikTok's role in the November presidential election — would be grounds for potentially annulling the first-round presidential election. And there is an argument that given the speed of events, local judges and the European Commission had no choice but to step in, even if no actual evidence had yet been shown to a court to prove any of the accusations.
But my fear is that in annulling the first round election in November, and then barring Georgescu from standing in this weekend's vote, Romania's court has given ultranationalists and pro-Russian politicians an easy victory in the battle for hearts-and-minds.
Simion, another far-right ultra-nationalist politician, came first in the latest first-round presidential vote — and was closer to the 50 percent mark to secure an outright victory than many had expected. It's hard to argue there isn't a public groundswell of support for such opinions, now that similar pro-Russian presidential candidates have topped the polls in consecutive votes. And yes, TikTok was used again to communicate with voters. But its role in this weekend's election, based on what has been made public, was not significant compared to other means of reaching would-be supporters.
In jumping headlong into Romania's domestic politics, the European Commission also has over-stepped its role within the bloc's online safety regime, known as the Digital Services Act. Those rules do have a remit when it comes to election-related matters.
But by pulling the emergency cord in response to November's now-annulled election — via its ongoing investigation into TikTok's role in that vote — Brussels has made it easier for critics to claim the EU is willing to use its digital regulation to change voting decisions that officials in Brussels do not agree with.
I get it. That's not what is happening with the ongoing TikTok probe. But the perception for many on the outside is that the European Commission is weaponizing the Digital Services Act as part of efforts to nudge Romanians to vote against pro-Russian, far-right politicians.
That's just not a good look for the 27-country bloc as both domestic and non-EU influencers ramp up claims that Europe's online safety rules are an anti-democratic effort to censor online voices with whom it disagrees.
What I'm reading
— The Future of Privacy Forum breaks down all you need to know about South Korea's new AI regulatory framework. More here.
— Ireland's Data Protection Commission fined TikTok $600 million for failing to protect Europe's data via data transfer to China. TikTok's response here.
— International Association of Privacy Professionals explains why Colorado is reconsidering its approach to regulating artificial intelligence. More here.
— Researchers from the University of Zurich used AI-generated content in online discussions on Reddit to see if such content could change people's minds. The study received significant pushback for failing to gain consent of the people targeted by the AI-generated content. More here and here.
— The DSA40 Data Access Collaboratory published an in-depth FAQ on how Europe's online safety rules allow independent researchers to access platform data. More here.
State of ransomware in 2025
Global ransomware trends and numbers
With the International Anti-Ransomware Day just around the corner on May 12, Kaspersky explores the ever-changing ransomware threat landscape and its implications for cybersecurity. According to Kaspersky Security Network data, the number of ransomware detections decreased by 18% from 2023 to 2024 – from 5,715,892 to 4,668,229. At the same time, the share of users affected by ransomware attacks increased by 0.02 p.p. to 0.44%. This smaller percentage compared to other cyberthreats is explained by the fact that attackers often don’t distribute this type of malware on a mass scale, but prioritize high-value targets, which reduces the overall number of incidents.
That said, if we look at incidents at organizations requiring immediate incident response services that were mitigated by Kaspersky’s Global Emergency Response Team (GERT), we’ll see that 41.6% of them were related to ransomware in 2024, compared to 33.3% in 2023. Targeted ransomware is likely to remain the primary threat to organizations around the world for the foreseeable future.
Below are some of the global trends that Kaspersky observed with ransomware in 2024.
Ransomware-as-a-Service (RaaS) dominance
The RaaS model remains the predominant framework for ransomware attacks, fueling their proliferation by lowering the technical barrier for cybercriminals. In 2024, RaaS platforms like RansomHub thrived by offering malware, technical support and affiliate programs that split the ransom (e.g., 90/10 for affiliates/core group). This model enables less-skilled actors to execute sophisticated attacks, contributing to the emergence of multiple new ransomware groups in 2024 alone. While traditional ransomware still exists, the scalability and profitability of RaaS make it the primary engine, with platforms evolving to include services such as initial access brokering and data exfiltration, ensuring its dominance into 2025.
Some groups continue to go cross-platform, while Windows remains the primary target
Many ransomware attacks still target Windows-based systems, reflecting the operating system’s widespread use in enterprise environments. The architecture of Windows, combined with vulnerabilities in software such as Remote Desktop Protocol (RDP) and unpatched systems, makes it a prime target for ransomware executables. In recent years, however, some attackers have diversified, with groups like RansomHub and Akira developing variants for Linux and VMware systems, particularly in cloud and virtualized environments. While Windows remains the epicenter, the growing focus on cross-platform ransomware signals a shift toward exploiting diverse infrastructures, especially as organizations adopt hybrid and cloud setups. This is not a new trend, and we expect it to persist in the coming years.
Overall ransomware payments down, average ransom payment up
According to Chainalysis, ransomware payments dropped significantly in 2024 to approximately $813.55 million, down 35% from a record $1.25 billion in 2023. On the other hand, Sophos reports that the average ransom payment surged from $1,542,333 in 2023 to $3,960,917 in 2024, reflecting a trend of targeting larger organizations with higher demands. This report also highlights that more organizations paid ransoms to get their data back, although other reports indicate that fewer organizations paid ransoms than in 2023. For example, according to Coveware, a company that specializes in fighting ransomware, the payment rate hit a record low of 25% in Q4 2024, down from 29% in Q4 2023, driven by law enforcement crackdowns, improved cybersecurity and regulatory pressures discouraging payments.
While encryption remains a core component of many ransomware attacks, the primary goal for some groups has shifted or expanded beyond locking data
In 2024, cybercriminals increasingly prioritized data exfiltration alongside, or sometimes instead of, encryption, focusing on stealing sensitive information to maximize leverage and profits or even extending threats to third parties such as customers, partners, suppliers, etc. Encryption is still widely used, but the rise of double and triple extortion tactics shows a strategic pivot. RansomHub and most modern ransomware groups often combine encryption with data theft, threatening to leak or sell stolen data if a ransom is not paid, making exfiltration a critical tactic.
Dismantled or disrupted ransomware actors in 2024
Several major ransomware groups faced significant disruptions in 2024, though the ecosystem’s resilience limited the long-term impact. LockBit, responsible for 27.78% of attacks in 2023, was hit hard by Operation Cronos in February 2024, with law enforcement seizing its infrastructure, arresting members and unmasking its leader, Dmitry Khoroshev. However, despite these efforts, LockBit relaunched its operations and remained active throughout 2024.
ALPHV/BlackCat, another prolific group, was dismantled after an FBI operation in December 2023, though affiliates migrated to other groups such as RansomHub. The Radar/Dispossessor operation was disrupted by the FBI in August 2024, and German authorities seized 47 cryptocurrency exchanges linked to ransomware laundering. Despite these takedowns, groups like RansomHub and Play quickly filled the void, underscoring the challenge of eradicating ransomware networks. However, according to the latest research, the RansomHub group presumably paused their operations as of April 1, 2025.
Some groups disappear, others pick up their work
When ransomware groups disband or disappear, their tools, tactics and infrastructure often remain accessible in the cybercriminal ecosystem, allowing other groups to adopt and enhance them. For example, groups like BlackMatter or REvil, after facing pressure from law enforcement, saw their code and methods reused by successors like BlackCat, which in turn was followed by Cicada3301. Disappearing groups may also sell their source code, exploit kits or affiliate models on dark web forums, enabling emerging or existing gangs to repurpose these resources. In addition, malicious tools are sometimes leaked to the internet, as was the case with LockBit 3.0. As a result, many smaller groups or individuals unrelated to the ransomware developers, including hacktivists and low-skilled cybercriminals, get hold of these tools and use them for their own purposes. This cycle of knowledge transfer accelerates the evolution of ransomware as new actors build on proven strategies, adapt to countermeasures, and exploit vulnerabilities faster than defenders can respond. In telemetry, these new groups using old toolkits can be identified as old groups (e.g., LockBit).
Ransomware groups increasingly developing their own custom toolkits
This is done to increase the effectiveness of their attacks and avoid detection. These toolkits often include exploitation tools, lateral movement tools, password attack tools, etc. that are tailored to specific targets or industries. By creating proprietary tools, these groups reduce their reliance on widely available, detectable exploits and maintain control over their operations. This in-house development also facilitates frequent updates to counter defenses and exploit new vulnerabilities, making their attacks more resilient and harder for cybersecurity measures to mitigate.
General vs. targeted ransomware share
Targeted ransomware attacks, aimed at specific organizations for maximum disruption and payout, focus on high-value targets such as hospitals, financial institutions and government agencies, leveraging reconnaissance and zero-day exploits for precision. General ransomware, which spreads indiscriminately via phishing or external devices, often affects smaller businesses or individuals with weaker defenses. The focus on targeted attacks reflects cybercriminals’ preference for larger ransoms, though general ransomware persists due to its low-effort, high-volume potential.
According to Kaspersky research, RansomHub was the most active group executing targeted attacks in 2024, followed by Play.
Each group’s share of victims according to its data leak site (DLS) as a percentage of all reported victims of all groups during the period under review
AI tools used in ransomware development (FunkSec)
FunkSec emerged as a ransomware group in late 2024 and quickly gained notoriety, claiming multiple victims in December alone and outpacing established groups like Cl0p and RansomHub. Operating on a Ransomware-as-a-Service (RaaS) model, FunkSec employs a double extortion tactic that combines data encryption with exfiltration. The group targets sectors such as government, technology, finance and education in countries including India, Spain and Mongolia.
FunkSec is notable for its heavy reliance on AI-assisted tools, particularly in malware development. Its ransomware features AI-generated code with comments that are perfect from a language perspective, suggesting the use of large language models (LLMs) to streamline development and evade detection. Unlike typical ransomware groups that demand millions, FunkSec’s ransoms are unusually low, adopting a high-volume, low-cost approach.
Bring Your Own Vulnerable Driver attacks continue
Bring Your Own Vulnerable Driver (BYOVD) is an increasingly prevalent technique used in ransomware attacks to bypass security defenses and gain kernel-level access on Windows systems.
With BYOVD, attackers deploy a legitimate but vulnerable driver – often digitally signed by a trusted vendor or Microsoft – on a target system. These drivers, which operate at the kernel level (ring 0) with high privileges, contain exploitable flaws that allow attackers to disable security tools, escalate privileges or execute malicious code undetected. By leveraging signed drivers, attackers can evade Windows’ default security checks.
Although BYOVD is an advanced technique, there is a range of open-source tools like EDRSandblast and Backstab that lower the technical barriers and simplify such attacks. According to the Living Off The Land Drivers (LOLDrivers) project, hundreds of exploitable drivers are known, highlighting the scale of the problem. Attackers continue to find new vulnerable drivers, and tools like KDMapper allow mapping of unsigned drivers into memory via BYOVD, complicating defenses.
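An added example (not from the Kaspersky report): one way a defender can triage driver-load telemetry for the BYOVD pattern described above, where a validly signed driver is loaded and security tooling then stops. The events are constructed records using Sysmon's DriverLoad (Event ID 6) and ProcessTerminate (Event ID 5) field names; the hashes, driver names and security-agent process names are placeholders, and the path heuristic and 120-second window are assumptions.

```python
"""Triage Sysmon driver-load telemetry for BYOVD indicators (added example)."""
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed placeholder hashes, NOT real indicators. In practice this set is
# built from a vulnerable-driver list such as the LOLDrivers project's data.
KNOWN_VULNERABLE_SHA256 = {"aa" * 32, "bb" * 32}

# Assumption: drivers normally load from these directories only.
EXPECTED_DRIVER_DIRS = (
    PureWindowsPath(r"C:\Windows\System32\drivers"),
    PureWindowsPath(r"C:\Windows\System32\DriverStore"),
)

# Hypothetical security-agent process names; replace with your own products.
SECURITY_PROCESSES = {"edr_agent.exe", "av_service.exe"}

# Assumption: an agent exit this soon after a flagged load is worth correlating.
CORRELATION_WINDOW = timedelta(seconds=120)


def parse_time(value):
    """Parse Sysmon's UtcTime format, e.g. '2024-05-01 10:05:00.000'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f")


def parse_hashes(field):
    """Turn Sysmon's 'MD5=..,SHA256=..' Hashes field into a lowercase dict."""
    hashes = {}
    for part in field.split(","):
        algo, _, value = part.partition("=")
        if value:
            hashes[algo.strip().upper()] = value.strip().lower()
    return hashes


def check_driver_load(event):
    """Return the reasons a DriverLoad (Event ID 6) event looks like BYOVD."""
    path = PureWindowsPath(event["ImageLoaded"])
    reasons = []
    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256")
    if sha256 in KNOWN_VULNERABLE_SHA256:
        reasons.append("known-vulnerable-hash")
    if not any(d in path.parents for d in EXPECTED_DRIVER_DIRS):
        reasons.append("unusual-load-path")
    return reasons


def triage(events):
    """Return findings for flagged driver loads and correlated agent exits."""
    findings, flagged_loads = [], []
    for ev in sorted(events, key=lambda e: parse_time(e["UtcTime"])):
        when = parse_time(ev["UtcTime"])
        if ev["EventID"] == 6:
            reasons = check_driver_load(ev)
            if not reasons:
                continue
            # The signature is recorded but never clears a finding: BYOVD
            # drivers are legitimately signed, so "Signed: true" proves nothing.
            findings.append({
                "time": ev["UtcTime"],
                "driver": ev["ImageLoaded"],
                "signed": ev.get("Signed") == "true",
                "reasons": reasons,
                "severity": "high" if "known-vulnerable-hash" in reasons else "medium",
            })
            flagged_loads.append((when, ev["ImageLoaded"]))
        elif ev["EventID"] == 5:
            name = PureWindowsPath(ev["Image"]).name.lower()
            if name not in SECURITY_PROCESSES:
                continue
            for loaded_at, driver in flagged_loads:
                if timedelta(0) <= when - loaded_at <= CORRELATION_WINDOW:
                    findings.append({
                        "time": ev["UtcTime"],
                        "process": name,
                        "driver": driver,
                        "reasons": ["security-process-exit-after-driver-load"],
                        "severity": "critical",
                    })
                    break
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 6, "UtcTime": "2024-05-01 10:00:00.000", "Signed": "true",
     "ImageLoaded": r"C:\Windows\System32\drivers\disk.sys",
     "Hashes": "MD5=" + "11" * 16 + ",SHA256=" + "cc" * 32},
    {"EventID": 6, "UtcTime": "2024-05-01 10:05:00.000", "Signed": "true",
     "ImageLoaded": r"C:\Users\Public\vulndrv.sys",
     "Hashes": "MD5=" + "22" * 16 + ",SHA256=" + "AA" * 32},
    {"EventID": 5, "UtcTime": "2024-05-01 10:05:30.000",
     "Image": r"C:\Program Files\ExampleEDR\edr_agent.exe"},
    {"EventID": 5, "UtcTime": "2024-05-01 11:00:00.000",
     "Image": r"C:\Program Files\ExampleAV\av_service.exe"},
    {"EventID": 6, "UtcTime": "2024-05-01 12:00:00.000", "Signed": "false",
     "ImageLoaded": r"C:\ProgramData\tool\helper.sys",
     "Hashes": "SHA256=" + "dd" * 32},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding["severity"], finding["time"], finding["reasons"])
```
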
Regional ransomware trends and numbers
Share of users whose computers were attacked by crypto-ransomware, by region. Data from Kaspersky Security Network
In the Middle East and Asia-Pacific regions, ransomware affected a higher share of users due to rapid digital transformation, expanding attack surfaces and varying levels of cybersecurity maturity. Enterprises in APAC were heavily targeted, driven by attacks on infrastructure and operational technology, especially in countries with growing economies and new data privacy laws.
Ransomware is less prevalent in Africa due to lower levels of digitization and economic constraints, which reduce the number of high-value targets. However, as countries like South Africa and Nigeria expand their digital economies, ransomware attacks are on the rise, particularly in the manufacturing, financial and government sectors. Limited cybersecurity awareness and resources leave many organizations vulnerable, though the smaller attack surface means the region remains behind global hotspots.
Latin America also experiences ransomware attacks, particularly in countries like Brazil, Argentina, Chile and Mexico. Manufacturing, agriculture, and retail, as well as critical sectors such as government and energy are targeted, but economic constraints and smaller ransoms deter some attackers. The region’s growing digital adoption is increasing exposure. For example, NightSpire ransomware compromised Chilean company EmoTrans, a logistics company serving key industries in Chile such as mining, agriculture and international trade. The group first appeared in March 2025, and attacked government institutions, manufacturers and other companies in various parts of the world. Like many other groups, NightSpire uses the double extortion strategy and has its own data leak site (DLS).
The Commonwealth of Independent States (CIS) sees a smaller share of users encountering ransomware attacks. However, hacktivist groups like Head Mare, Twelve and others active in the region often use ransomware such as LockBit 3.0 to inflict damage on target organizations. Manufacturing, government, and retail are the most targeted sectors, with varying levels of cybersecurity maturity across the region affecting security.
Europe is confronted with ransomware, but benefits from robust cybersecurity frameworks and regulations that deter some attackers. Sectors such as manufacturing, agriculture, and education are targeted, but mature incident response and awareness limit the scale of attacks. The region’s diversified economies and strong defenses make it less of a focal point for ransomware groups than regions with rapid, less secure digital growth.
For example, RansomHub claimed responsibility for a 2024 attack on Kawasaki’s European offices, disrupting operations across multiple countries. The breach compromised customer and operational data, affecting supply chains for Kawasaki’s motorcycle and industrial products in Europe. The regional impact was significant in countries such as Germany and the Netherlands, where Kawasaki has a strong market presence, highlighting vulnerabilities in Europe’s manufacturing sector.
Change in the share of users whose computers were attacked by crypto-ransomware, by region, 2024 compared to 2023. Data from Kaspersky Security Network
Emerging threats and future outlook
Looking ahead to 2025, ransomware is expected to evolve by exploiting unconventional vulnerabilities, as demonstrated by the Akira gang’s use of a webcam to bypass endpoint detection and response systems and infiltrate internal networks. Attackers are likely to increasingly target overlooked entry points like IoT devices, smart appliances or misconfigured hardware in the workplace, capitalizing on the expanding attack surface created by interconnected systems. As organizations strengthen traditional defenses, cybercriminals will refine their tactics, focusing on stealthy reconnaissance and lateral movement within networks to deploy ransomware with greater precision, making it harder for defenders to detect and respond in time.
Ransomware groups are also likely to escalate their extortion strategies, moving beyond double extortion to more aggressive approaches such as threatening to leak sensitive data to regulators, competitors or the public. The Ransomware-as-a-Service model will continue to thrive, allowing less-skilled actors to launch sophisticated attacks by purchasing access to pre-built tools and exploit kits. Geopolitical tensions may further drive hacktivism and state-sponsored ransomware campaigns targeting critical assets, such as energy grids or healthcare systems, as part of hybrid warfare. Smaller organizations with limited cybersecurity budgets will face heightened risks as attackers exploit their weaker defenses. To adapt, businesses must adopt zero-trust security models, secure IoT ecosystems and prioritize employee training to mitigate phishing and social engineering threats.
The proliferation of large language models (LLMs) tailored for cybercrime will further amplify ransomware’s reach and impact. LLMs marketed on the dark web lower the technical barrier to creating malicious code, phishing campaigns and social engineering attacks, allowing even less-skilled actors to craft highly convincing lures or automate ransomware deployment. As more innovative concepts such as RPA (Robotic Process Automation) and LowCode, which provide an intuitive, visual, AI-assisted drag-and-drop interface for rapid software development, are quickly adopted by software developers, we can expect ransomware developers to use them to automate their attacks as well as new code development, making the ransomware threat even more prevalent.
Recommendations
To effectively counter ransomware in 2025, organizations and individuals must adopt a multi-layered defense strategy that addresses the evolving tactics of groups like FunkSec, RansomHub and others that leverage AI, Bring Your Own Vulnerable Driver (BYOVD) and double extortion.
Prioritize proactive prevention through patching and vulnerability management. Many ransomware attacks exploit unpatched systems, so organizations should implement automated patch management tools to ensure timely updates for operating systems, software and drivers. For Windows environments, enabling Microsoft’s Vulnerable Driver Blocklist is critical to thwarting BYOVD attacks. Regularly scan for vulnerabilities and prioritize high-severity flaws, especially in widely used software like Microsoft Exchange or VMware ESXi, which were increasingly targeted by ransomware in 2024.
Strengthen endpoint and network security with advanced detection and segmentation. Deploy robust endpoint detection and response solutions such as Kaspersky NEXT EDR to monitor for suspicious activity like driver loading or process termination. Network segmentation is equally important – limit lateral movement by isolating critical systems and using firewalls to restrict traffic. Implement a zero-trust architecture that requires continuous authentication for access.
Invest in backups, training and incident response planning. Maintain offline or immutable backups that are tested regularly to ensure rapid recovery without paying a ransom. Backups should cover critical data and systems and be stored in air-gapped environments to resist encryption or deletion. User education is essential to combat phishing, which remains one of the top attack vectors. Conduct simulated phishing exercises and train employees to recognize AI-crafted emails used by FunkSec and others for stealth. Kaspersky GERT can help develop and test an incident response plan to minimize potential downtime and costs.
The recommendation to not pay a ransom remains robust, especially given the risk of unavailable keys due to dismantled infrastructure, affiliate chaos or malicious intent, as seen in the 2024 disruptions. By investing in backups, incident response and preventive measures like patching and training, organizations can avoid funding criminals and mitigate the impact. Kaspersky also offers free decryptors for certain ransomware families. If you get hit by ransomware, check to see if there is a decryptor available for the ransomware family used in your case. Note that even if one isn’t available right now, it may be added later.
Big Chemistry: Cement and Concrete
Not too long ago, I was searching for ideas for the next installment of the “Big Chemistry” series when I found an article that discussed the world’s most-produced chemicals. It was an interesting article, right up my alley, and helpfully contained a top-ten list that I could use as a crib sheet for future articles, at least for the ones I hadn’t covered already, like the Haber-Bosch process for ammonia.
Number one on the list surprised me, though: sulfuric acid. The article stated that it was far and away the most produced chemical in the world, with 36 million tons produced every year in the United States alone, out of something like 265 million tons a year globally. It’s used in a vast number of industrial processes, and pretty much everywhere you need something cleaned or dissolved or oxidized, you’ll find sulfuric acid.
Staggering numbers, to be sure, but is it really the most produced chemical on Earth? I’d argue not by a long shot, when there’s a chemical that we make 4.4 billion tons of every year: Portland cement. It might not seem like a chemical in the traditional sense of the word, but once you get a look at what it takes to make the stuff, how finely tuned it can be for specific uses, and how when mixed with sand, gravel, and water it becomes the stuff that holds our world together, you might agree that cement and concrete fit the bill of “Big Chemistry.”
Rock Glue
To kick things off, it might be helpful to define some basic terms. Despite the tendency to use them as synonyms among laypeople, “cement” and “concrete” are entirely different things. Concrete is the finished building material of which cement is only one part, albeit a critical part. Cement is, for lack of a better term, the glue that binds gravel and sand together into a coherent mass, allowing it to be used as a building material.
What did the Romans ever do for us? The concrete dome of the Pantheon is still standing after 2,000 years. Source: Image by Sean O’Neill from Flickr via Monolithic Dome Institute (CC BY-ND 2.0)
It’s not entirely clear who first discovered that calcium oxide, or lime, mixed with certain silicate materials would form a binder strong enough to stick rocks together, but it certainly goes back into antiquity. The Romans get an outsized but well-deserved portion of the credit thanks to their use of pozzolana, a silicate-rich volcanic ash, to make the concrete that held the aqueducts together and built such amazing structures as the dome of the Pantheon. But the use of cement in one form or another can be traced back at least to ancient Egypt, and probably beyond.
Although there are many kinds of cement, we’ll limit our discussion to Portland cement, mainly because it’s what is almost exclusively manufactured today. (The “Portland” name was a bit of branding by its inventor, Joseph Aspdin, who thought the cured product resembled the famous limestone from the Isle of Portland off the coast of Dorset in the English Channel.)
Portland cement manufacturing begins with harvesting its primary raw material, limestone. Limestone is a sedimentary rock rich in carbonates, especially calcium carbonate (CaCO3), which tends to be found in areas once covered by warm, shallow inland seas. Along with the fact that limestone forms between 20% and 25% of all sedimentary rocks on Earth, that makes limestone deposits pretty easy to find and exploit.
Cement production begins with quarrying and crushing vast amounts of limestone. Cement plants are usually built alongside the quarries that produce the limestone or even right within them, to reduce transportation costs. Crushed limestone can be moved around the plant on conveyor belts or using powerful fans to blow the crushed rock through large pipes. Smaller plants might simply move raw materials around using haul trucks and front-end loaders. Along with the other primary ingredient, clay, limestone is stored in large silos located close to the star of the show: the rotary kiln.
Turning and Burning
A rotary kiln is an enormous tube, up to seven meters in diameter and perhaps 80 m long, set on a slight angle from the horizontal by a series of supports along its length. The supports have bearings built into them that allow the whole assembly to turn slowly, hence the name. The kiln is lined with refractory materials to resist the flames of a burner set in the lower end of the tube. Exhaust gases exit the kiln from the upper end through a riser pipe, which directs the hot gas through a series of preheaters that slowly raise the temperature of the entering raw materials, known as rawmix.
The rotary kiln is the centerpiece of Portland cement production. While hard to see in this photo, the body of the kiln tilts slightly down toward the structure on the left, where the burner enters and finished clinker exits. Source: by nordroden, via Adobe Stock (licensed).
Preheating the rawmix drives off any remaining water before it enters the kiln, and begins the decomposition of limestone into lime, or calcium oxide:
The rotation of the kiln along with its slight slope results in a slow migration of rawmix down the length of the kiln and into increasingly hotter regions. Different reactions occur as the temperature increases. At the top of the kiln, the 500 °C heat decomposes the clay into silicate and aluminum oxide. Further down, as the heat reaches the 800 °C range, calcium oxide reacts with silicate to form the calcium silicate mineral known as belite:
Finally, near the bottom of the kiln, belite and calcium oxide react to form another calcium silicate, alite:
It’s worth noting that cement chemists have a specialized nomenclature for alite, belite, and all the other intermediary phases of Portland cement production. It’s a shorthand that looks similar to standard chemical nomenclature, and while we’re sure it makes things easier for them, it’s somewhat infuriating to outsiders. We’ll stick to standard notation here to make things simpler. It’s also important to note that the aluminates that decomposed from the clay are still present in the rawmix. Even though they’re not shown in these reactions, they’re still critical to the proper curing of the cement.
Portland cement clinker. Each ball is just a couple of centimeters in diameter. Source: مرتضا, Public domain
The final section of the kiln is the hottest, at 1,500 °C. The extreme heat causes the material to sinter, a physical change that partially melts the particles and adheres them together into small, gray lumps called clinker. When the clinker pellets drop from the bottom of the kiln, they are still incandescently hot. Blasts of air rapidly bring the clinker down to around 100 °C. The exhaust from the clinker cooler joins the kiln exhaust and helps preheat the incoming rawmix charge, while the cooled clinker is mixed with a small amount of gypsum and ground in a ball mill. The fine gray powder is either bagged or piped into bulk containers for shipment by road, rail, or bulk cargo ship.
The Cure
Most cement is shipped to concrete plants, which tend to be much more widely distributed than cement plants due to the perishable nature of the product they produce. True, both plants rely on nearby deposits of easily accessible rock, but where cement requires limestone, the gravel and sand that go into concrete can come from a wide variety of rock types.
Concrete plants quarry massive amounts of rock, crush it to specifications, and stockpile the material until needed. Orders for concrete are fulfilled by mixing gravel and sand in the proper proportions in a mixer housed in a batch house, which is elevated above the ground to allow space for mixer trucks to drive underneath. The batch house operators mix aggregate, sand, and any other admixtures the customer might require, such as plasticizers, retarders, accelerants, or reinforcers like chopped fiberglass, before adding the prescribed amount of cement from storage silos. Water may or may not be added to the mix at this point. If the distance from the concrete plant to the job site is far enough, it may make sense to load the dry mix into the mixer truck and add the water later. But once the water goes into the mix, the clock starts ticking, because the cement begins to cure.
Cement curing is a complex process involving the calcium silicates (alite and belite) in the cement, as well as the aluminate phases. Overall, the calcium silicates are hydrated by the water into a gel-like substance of calcium oxide and silicate. For alite, the reaction is:
Scanning electron micrograph of cured Portland cement, showing needle-like ettringite and plate-like calcium oxide. Source: US Department of Transportation, Public domain
At the same time, the aluminate phases in the cement are being hydrated and interacting with the gypsum, which prevents early setting by forming a mineral known as ettringite. Without the needle-like ettringite crystals, aluminate ions would adsorb onto alite and block it from hydrating, which would quickly reduce the plasticity of the mix. Ideally, the ettringite crystals interlock with the calcium silicate gel, which binds to the surface of the sand and gravel and locks it into a solid.
Depending on which adjuvants were added to the mix, most concretes begin to lose workability within a few hours of rehydration. Initial curing is generally complete within about 24 hours, but the curing process continues long after the material has solidified. Concrete in this state is referred to as “green,” and continues to gain strength over a period of weeks or even months.
Magic On Your Desk via MagLev Toy
Magnets aren’t magic, but sometimes you can do things with them to fool the uninitiated — like levitating. [Jonathan Lock] does that with his new maglev desk toy, that looks like at least a level 2 enchantment.
This levitator is USB-powered, and typically draws 1 W to 3 W to levitate masses between 10 g and 500 g. The base can provide 3 V to 5 V inductive power to the levitator to the tune of 10 mA to 50 mA, which is enough for some interesting possibilities, starting with the lights and motors [Jonathan] has tried.
In construction it is much like the commercial units you’ve seen: four permanent magnets that repel another magnet in the levitator. Since such an arrangement is about as stable as balancing a basketball on a piece of spaghetti, the permanent magnets are wrapped in control coils that pull the levitator back to the center on a 1 kHz loop. This is accomplished by way of a hall sensor and an STM32 microcontroller running a PID loop. The custom PCB also has an onboard ESP32, but it’s used as a very overpowered USB/UART converter to talk to the STM32 for tuning in the current firmware.
If you think one of these would be nice to have on your desk, check it out on [Jonathan]’s GitLab. It’s all there, from a detailed build guide (with easy-to-follow animated GIF instructions) to CAD files and firmware. Kudos to [Jonathan] for the quality write-up; sometimes documenting is the hardest part of a project, and it’s worth acknowledging that as well as the technical aspects.
We’ve written about magnetic levitation before, but it doesn’t always go as well as this project. Other times, it very much does. There are also other ways to accomplish the same feat, some of which can lift quite a bit more.
AI: Progress or Threat? The UN Warns: 40% of Jobs Are at Risk of Elimination
A new report from the United Nations Conference on Trade and Development (UNCTAD) says that artificial intelligence and AI-based automation could soon affect 40% of the global workforce. The report indicates that by 2033 artificial intelligence could become a market worth trillions of dollars.
However, the economic growth could be too concentrated, leading to greater inequality. The report also notes that AI-based automation could weaken the low-labor-cost advantage of developing countries. To address this problem, the report recommends that governments implement proactive labor policies.
In its Technology and Innovation Report 2025, UNCTAD stresses that although artificial intelligence is an important tool for progress, it is not necessarily universal in nature. The report projects that the value of the AI market will reach 4.8 trillion dollars (about 404 trillion rupees) by 2033, thanks to its growing popularity and its potential for digital transformation. However, access to AI infrastructure and skills is considered to be concentrated in only a few economies.
The report indicates that just 100 companies, mostly in the United States and China, account for 40% of global spending on AI research and development. The most prominent names on the list include Apple, Nvidia, Microsoft and Baidu. The UN report indicates that if this trend toward centralized access to AI development continues, it could widen the technology gap and deprive many developing countries of its benefits.
The report confirms that one of the biggest downsides of the rise of AI could concern the workforce, since 40% of jobs globally could be eliminated because of AI-driven automation.
The report also highlights that 118 countries, mostly in the Global South, are not included in the key discussions on AI governance, and their absence from the table could mean that their interests are not represented when global AI policies are developed and agreed. UNCTAD recommends that countries experiencing the rise of AI strengthen international cooperation to establish a comprehensive global framework for AI.
UNCTAD also suggests that developing countries proactively improve labor policies to protect their workforce from negative impacts. It also emphasizes investment in reskilling, upskilling and workforce adaptation to ensure that AI creates new job opportunities rather than eliminating existing ones.
The report also provides a roadmap for inclusive growth with AI, including measures to develop an “AI-equivalent public dialogue mechanism” to improve accountability; to create globally shared facilities that guarantee infrastructure access for developing economies; to focus on open-source models and datasets to democratize knowledge and resources; and capacity-building strategies in developing countries to overcome the lack of opportunities.
UNCTAD Secretary-General Rebeca Grynspan called for greater international cooperation to “shift the focus from technology to people” and to enable countries to take part in shaping a global framework for AI.
The article “AI: Progress or Threat? The UN Warns: 40% of Jobs Are at Risk of Elimination” comes from il blog della sicurezza informatica.
When AI Gets Too Social: The Grok Case and the Manipulation of Women’s Images
The X platform has once again found itself at the center of an ethical scandal, this time because of the behavior of the Grok chatbot, created by Elon Musk’s company. Social network users have begun using the AI en masse to “undress” women in public. All it takes is leaving a comment with an image and the phrase “take her clothes off” under someone’s photo, and Grok will create an edited image of the woman in underwear or a swimsuit. In some cases, instead of an image, the bot provides a link to a separate chat where the generation takes place.
The accessibility of the feature, and the fact that it can be triggered directly in the comments under public posts, make the situation particularly toxic. This is not about specialized sites with paid access to deepfakes, but about an ordinary social network, where the image immediately becomes a reply to the victim’s original post. Even though Grok does not create fully nude images as other bots do, the consequences of these “semi-nude” images are no less traumatic.
The first reports of a new wave of abuse come from Kenya. Apparently it was there that the “undress” function via Grok became particularly popular in early May. Local media reported that a large number of users complained about such actions. A search on Platform X reveals dozens of similar attempts aimed at women who had posted their photos. Protection is not an option. It is a necessity.
Human rights researchers published a screenshot of Grok in action and asked X’s AI directly whether it had adopted systemic safety measures, such as filters, decoding errors or reinforcement learning, to avoid generating unethical content. Grok replied publicly, acknowledging the error and stating that the incident was due to insufficient protection against harmful requests. The reply emphasizes that the team is reviewing its safety policies to improve transparency and privacy protection.
However, despite the apology, the bot continued to fulfill such requests. Attempts to ask Grok to “make a person completely naked” are indeed refused, but the intermediate stages, namely the image of a woman in lingerie, remain available for now. The AI even accompanies some refused requests with explanations about the inadmissibility of creating images that entirely violate privacy, although it immediately adds that the underwear image has already been generated.
This imbalance in the system’s responses highlights the imperfection of the existing filters and the lack of real limitations at the user-interface level. However, X’s administration has not yet commented on the situation.
Many users are already openly expressing their outrage. In their view, using AI to manipulate images of women without consent is not technological entertainment but a form of digital violence. Some compare what is happening to a mass violation of boundaries, disguised by the interface of a trendy chatbot.
The article “When AI Gets Too Social: The Grok Case and the Manipulation of Women’s Images” comes from il blog della sicurezza informatica.
Not a Single Line of Code! Darcula Floods the World with Phishing, Stealing 884,000 Credit Cards
In the world of organized cybercrime, Darcula represents a paradigm shift. This is not a simple phishing kit or a poorly managed botnet. Darcula is a full-fledged platform, a service sold “as-a-Service” that has allowed hundreds of criminal operators to orchestrate attacks on a global scale, with more than 884,000 credit cards stolen, according to a recent investigation coordinated by Mnemonic, a Norwegian company specializing in threat intelligence.
December 2023. A seemingly trivial SMS reaches a Mnemonic employee: a fraudulent notification imitating the Norwegian postal service. The team of analysts decides to dig in and discovers that the link in the message points to a realistic page, geolocated and optimized for opening on mobile. Nothing new, apparently. Behind that message, however, is a network of more than 20,000 domains, designed to hit users in more than 100 countries. A solid, resilient and, above all, scalable infrastructure.
The heart of the platform is a toolkit called Magic Cat, presumably created by a 24-year-old Chinese developer from Henan. Magic Cat automatically generates extremely realistic phishing pages by cloning the frontend of any banking, logistics or institutional service. The pages are automatically localized and adapted to the local layouts of more than 130 countries.
Those who use Darcula do not need to write code: they select a brand, generate a campaign, launch a domain. Phishing becomes “plug-and-play”.
Mnemonic’s technical analysis highlighted some advanced countermeasures that Darcula uses to evade detection:
- Conditional access: the malicious links respond only when requested by mobile devices on a cellular network, which renders many sandboxes and crawlers ineffective.
- Client-side encryption: the data is encrypted directly in the victim’s browser before being transmitted to the command server, hindering interception.
- Dynamic branding: the HTML of the pages is updated automatically to follow real changes in the cloned sites, avoiding the risk of “old” layouts that arouse suspicion.
These elements show a professional design, closer to that of a legitimate SaaS than to a kit sold on the dark web.
A PhaaS with dashboards, licenses and support
Darcula is a commercial platform in every respect. Its operators buy usage licenses, receive continuous updates, and access centralized dashboards to track campaign performance and download the exfiltrated data. In some cases there is even a technical support system via Telegram.
According to Mnemonic, more than 600 criminal actors are currently active on the platform. Some focus on single countries; others run hundreds of large-scale campaigns. The victims number in the millions and include Italian, German, Australian, French and American citizens.
The victims include users of postal, banking and government services, including:
- Poste Italiane
- Nexi
- Royal Mail
- La Poste
- Australia Post
Italy is among the countries hit, with localized campaigns in Italian.
Darcula stands out from other PhaaS platforms for some key technical characteristics:
- Automatic generation of phishing kits: using headless-browser and scraping tools, operators can generate clone pages of any legitimate site, including the brand, the layout and up-to-date text.
- Dynamic infrastructure: the kits are hosted on more than 20,000 active domains in rotation, many of which use CDNs and multiple redirects to avoid blacklists and automated scans.
- Support for “trusted” communications: the use of iMessage (Apple) and RCS (Android) makes it possible to bypass traditional anti-spam filters, making the messages appear more legitimate and trustworthy.
The Darcula suite does not stop at generating phishing campaigns; it also offers a module for reusing the credit cards stolen from victims. The suite has a “Platform card generation” section that generates a valid image of the stolen credit card, ready to be used in digital wallets.
Darcula shows how urgent a strategic approach to defending against modern phishing is:
- Domain- and URL-based intelligence is no longer enough: behavioral analysis and detection on endpoints and mobile are needed.
- Phishing simulations must be realistic, geolocated and run from real smartphones, not only from desktops.
- Threat sharing and cooperation among CERTs, ISPs and vendors must evolve to intercept PhaaS infrastructure at the moment it is created, not only after the damage is done.
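A defender-side illustration of the conditional-access point above, as an added example that is not from Mnemonic or the original article: it compares what the same URL returned to a desktop/datacenter probe and to a mobile/cellular probe, and flags pages that show a payment-card form only to the latter. The probe records, the profile labels and the `.example` hosts are constructed assumptions; how the probes are collected is outside the example.

```python
from dataclasses import dataclass
from html.parser import HTMLParser
import re

# Hints that an <input> collects payment-card data.
CARD_AUTOCOMPLETE = {"cc-number", "cc-exp", "cc-csc", "cc-name"}
CARD_LABEL_RE = re.compile(r"card.?(number|no)|cvv|cvc|expir", re.I)


class CardFieldCounter(HTMLParser):
    """Counts <input> elements that look like payment-card fields."""

    def __init__(self):
        super().__init__()
        self.card_fields = 0

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        tokens = set(a.get("autocomplete", "").lower().split())
        label = " ".join(a.get(k, "") for k in ("name", "id", "placeholder"))
        if tokens & CARD_AUTOCOMPLETE or CARD_LABEL_RE.search(label):
            self.card_fields += 1


@dataclass
class Probe:
    url: str
    profile: str  # hypothetical labels: "desktop-datacenter", "mobile-cellular"
    status: int
    body: str


def asks_for_card(probe):
    """True when the response is a 200 page with at least two card fields."""
    if probe.status != 200:
        return False
    counter = CardFieldCounter()
    counter.feed(probe.body)
    return counter.card_fields >= 2


def triage(probes):
    """Map each URL to a verdict based on how its answers differ by profile."""
    seen = {}
    for p in probes:
        seen.setdefault(p.url, {})[p.profile] = asks_for_card(p)
    verdicts = {}
    for url, result in seen.items():
        mobile = result.get("mobile-cellular")
        desktop = result.get("desktop-datacenter")
        if mobile is None:
            verdicts[url] = "incomplete"         # desktop-only scan proves nothing
        elif not mobile:
            verdicts[url] = "no-card-form"
        elif desktop is False:
            verdicts[url] = "cloaked-card-form"  # served to mobile only: escalate
        else:
            verdicts[url] = "card-form"          # shown to all: judge by brand/host
    return verdicts


# Constructed sample data (not from the Mnemonic investigation).
CARD_FORM = ('<form><input name="cardnumber" autocomplete="cc-number">'
             '<input name="exp" autocomplete="cc-exp"><input name="cvv"></form>')
SAMPLE_PROBES = [
    Probe("https://parcel-track.example/p", "desktop-datacenter", 404, "Not Found"),
    Probe("https://parcel-track.example/p", "mobile-cellular", 200, CARD_FORM),
    Probe("https://shop.example/checkout", "desktop-datacenter", 200, CARD_FORM),
    Probe("https://shop.example/checkout", "mobile-cellular", 200, CARD_FORM),
    Probe("https://news.example/", "desktop-datacenter", 200, "<p>hello</p>"),
]

if __name__ == "__main__":
    for url, verdict in triage(SAMPLE_PROBES).items():
        print(f"{verdict:18} {url}")
```

The "incomplete" verdict is the point for scan pipelines: a clean result from a desktop or datacenter probe alone is not evidence that a link delivered by SMS is benign.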
Darcula is not an exploit. It is not a single attack. It is a commercial framework for global criminal campaigns. It is proof of how phishing has moved from an artisanal scam to a franchised digital crime industry.
And while malware is increasingly countered by EDR and XDR, the real vulnerability remains the user. That is why awareness and threat hunting must go hand in hand. Always.
External sources used
- BleepingComputer – Darcula PhaaS steals 884,000 credit cards via phishing texts
- Mnemonic – Exposing Darcula: A rare look behind the scenes of a global Phishing-as-a-Service operation
- Netcraft – Darcula v3: Phishing kits targeting any brand
- Heise.de – Phishing network around Darcula exposed
The article “Not a Single Line of Code! Darcula Floods the World with Phishing, Stealing 884,000 Credit Cards” comes from il blog della sicurezza informatica.
securityaffairs.com/177573/cyb…
#securityaffairs #hacking
Play ransomware affiliate leveraged zero-day to deploy malware
The Play ransomware gang exploited a high-severity Windows Common Log File System flaw in zero-day attacks to deploy malware.
Pierluigi Paganini (Security Affairs)
SPID-themed phishing, beware of the fake AgID e-mail: this is how digital identities are stolen
@Informatica (Italy e non Italy 😁)
A phishing campaign is under way that uses fake AgID communications to target SPID users and steal their confidential data and their digital-identity access data. Here are all the details to recognize the
In which I survey CSRF countermeasures and existing Go libraries and propose we add CrossOriginForgeryHandler to net/http to solve this once and for all.
Turns out there is no need for tokens or keys in 2025! Browsers just send a This-Is-CSRF header now. (Sort of.)
github.com/golang/go/issues/73…
proposal: net/http: add CrossOriginForgeryHandler · Issue #73626 · golang/go
Background: Cross Site Request Forgery (CSRF) is a confused deputy attack where the attacker causes the browser to send a request to a target using the ambient authority of the user’s cookies. For e...
GitHub
AgID alert: SPID scams using highly convincing sites put citizens at risk
📌 Link to the article: redhotcyber.com/post/allarme-a…
Beware of SPID phishing: fake sites created with AI are deceiving thousands of users. Find out how to recognize them and defend yourself against the new digital scams.
Redazione RHC (Red Hot Cyber)
AI Revolution in China! 17 new academic research centers born in a single day
📌 Link to the article: redhotcyber.com/post/in-cina-e…
Sun Yat-sen University launches an AI Institute with 17 research centers on neuromorphic chips, multimodal models and intelligent medicine.
Redazione RHC (Red Hot Cyber)
The new cyber DPCM is here: the rules that revolutionize the public administration’s strategic IT procurement
@Informatica (Italy e non Italy 😁)
The DPCM of 30 April 2025, published in the Gazzetta Ufficiale on 5 May 2025, focuses on new provisions for the procurement of IT goods and services used for the protection of strategic national interests and of security
NEW: CrowdStrike announced that it will lay off around 500 workers as part of "a strategic plan" to "evolve its operations to yield greater efficiencies."
The cuts represent 5% of its global workforce.
techcrunch.com/2025/05/07/crow…
CrowdStrike says it will lay off 500 workers | TechCrunch
The cybersecurity company said it will lay off 5% of its global workforce.
Lorenzo Franceschi-Bicchierai (TechCrunch)
For context: just three days ago CrowdStrike said it delivered "record full year operating cash flow of $1.38 billion and record full year free cash flow of $1.07 billion."
And CEO George Kurtz made $46 million last year.
he also spent tens of millions of dollars so he could take a few weeks off to be a 'Gentleman Racer' in IMSA. Pretending to step back after The Incident(TM) only to return for a full season this year.
He qualified at the back of LMP2 for Daytona, and finished dead last in class (excluding DNFs.) Not even Colton Herta could salvage that race for the team.
Truly getting their money's worth.
Right, and I'm not trying to defend CrowdStrike nor their obscene CEO pay, but:
Income/Loss from Operations: 2025 GAAP loss from operations was $120.4 million, compared to $2.0 million in fiscal 2024.
Cash flow and profit/loss are a bit different.
securityaffairs.com/177565/sec…
#securityaffairs #hacking
Canary Exploit tool allows to find servers affected by Apache Parquet flaw
F5 Labs researchers released a PoC tool to find servers vulnerable to the Apache Parquet vulnerability CVE-2025-30065.
Pierluigi Paganini (Security Affairs)
AI: Progress or Threat? The UN Warns: 40% of Jobs Are at Risk of Elimination
📌 Link to the article: redhotcyber.com/post/ia-progre…
In its 2025 Report, UNCTAD warns: artificial intelligence could widen global inequalities, destroy millions of jobs and concentrate power in a few tech companies. Urgent action is needed.
Redazione RHC (Red Hot Cyber)
When AI Gets Too Social: The Grok Case and the Manipulation of Women’s Images
📌 Link to the article: redhotcyber.com/post/quando-la…
Elon Musk’s Grok chatbot is at the center of an ethical scandal on Platform X, where users use the AI to manipulate images of women without consent. Discover the story and the implications of this digital violence.
Redazione RHC (Red Hot Cyber)
Pegasus, here is how much NSO Group will have to pay out to compensate WhatsApp
@Informatica (Italy e non Italy 😁)
The Israeli spyware giant NSO Group has been ordered to pay almost 170 million dollars to the social media group Meta Platforms for having enabled the hacking of the devices of about 1,400 WhatsApp users. The Israeli company is ready to appeal
securityaffairs.com/177551/sec…
#securityaffairs #hacking
Unsophisticated cyber actors are targeting the U.S. Energy sector
CISA, FBI, EPA, and DoE warn of attacks on the U.S. Energy sector carried out by unsophisticated cyber actors targeting ICS/SCADA systems.
Pierluigi Paganini (Security Affairs)
Daily inspiration: the quote of the day 🧠🔥💡
The near future of data centers: Uptime Institute’s predictions
@Informatica (Italy e non Italy 😁)
Data centers are experiencing exponential growth, fueled by rising demand for IT services and the expansion of AI. But what will be the key trends and challenges that shape the future of the sector by 2025? The answers are in
securityaffairs.com/177543/law…
#securityaffairs #hacking
NSO Group must pay WhatsApp over $167M in damages for attacks on its users
NSO Group must pay WhatsApp over $167M in damages for a 2019 hack targeting 1,400+ users, per U.S. jury ruling after a five-year legal battle.
Pierluigi Paganini (Security Affairs)
Tris
in reply to Filippo Valsorda
Filippo Valsorda
in reply to Filippo Valsorda
One more paper by the AWS team, showing it's safe to use non-repeating keys derived from a PRP beyond the birthday bound (even if they have unnaturally no collisions).
The implication is that it's safe to encrypt more than 2^64 messages with XAES-256-GCM. Great work!
eprint.iacr.org/2025/878
Blockcipher-Based Key Derivation without PRP/PRF Switching
IACR Cryptology ePrint Archive
Risotto Bias
in reply to Filippo Valsorda
oooo! oooh!
I remembered a thing at some point where it said how many bytes before you could figure out the key (for various different encryption types)
but I can't find it again 🙁