Chinese Peptide Laboratories Funded by Cryptocurrency Are Thriving

This week, WIRED reported that Meta has been discreetly storing dormant facial recognition code on over 50 million smartphones, embedded in the companion app for its Ray-Ban and Oakley smart glasses. If activated, this feature—referred to internally as NameTag—would enable users to identify individuals in their vicinity by comparing captured faces against a biometric database on their device. This technology mirrors what Meta claimed to have abandoned in 2021 after settling biometric privacy lawsuits in Texas and Illinois for billions.

In another development, xAI is urging a federal judge to compel four individuals suing the firm over deepfake images generated by Grok to abandon their pseudonyms and litigate using their real names. One plaintiff asserts that the chatbot was used to create sexual images of her as a child. The plaintiffs have expressed a preference to withdraw their case rather than face harassment and doxing from supporters of Musk. Conversely, xAI’s legal team contends that, since the deepfakes will remain sealed, revealing the individuals’ identities holds “nothing inherently stigmatizing.”

This week, Google introduced a new feature for Android designed to combat AI-driven impersonation scams, which allow fraudsters to spoof familiar numbers and replicate voices. Integrated within Google Dialer and available for devices running Android 12 or newer, this feature notifies the recipient’s device with a silent cryptographic handshake. If the call is deemed fraudulent, Android will flag it and remove the contact photo from the screen, although this protection only works when both parties use Google Dialer, leaving iPhone users without this safeguard.

Additionally, WIRED reported that the Manhattan Institute—a right-wing think tank responsible for the 1990s broken-windows policing and the Trump administration’s anti-DEI initiatives—is now promoting model legislation aimed at categorizing minor protest-related offenses as felonies under a novel classification they term “civil terrorism.”

Researchers have revealed a new browser side-channel attack dubbed FROST that can fingerprint other tabs—and at times, applications on your device—by timing accesses to a sandboxed file on your SSD. This attack operates completely in JavaScript and utilizes timing data analyzed by a neural network trained on the I/O signatures of commonly used software. Currently, there is no evidence that it has been employed in real-world scenarios.

Furthermore, each week we compile security and privacy news that has not been covered extensively. Click on the headlines for full articles, and remember to stay safe.

Peptides—chains of amino acids marketed for benefits like weight loss and skin rejuvenation—have developed into a largely unregulated subindustry of pharmaceuticals. Their growth is increasingly supported by cryptocurrency, often directly sent to Chinese labs producing these enigmatic substances.

This week, crypto-tracing firm Chainalysis released a report analyzing crypto transactions related to peptide sellers, a gray market now estimated at over $100 million annually and on the rise. Chainalysis discovered that some Chinese labs transitioning from selling fentanyl precursors have started producing and selling peptides instead. This shift appears aimed at capitalizing on the “looksmaxing” trend trending on social media while avoiding potential crackdowns on opioid production.

AI can perform a wide array of tasks if prompted: from coding applications to enhancing photos and even hacking Instagram accounts belonging to public figures like President Barack Obama. Since Meta revealed in March that its account management would increasingly rely on AI, various hacks have exploited this to reset the passwords and seize control of accounts belonging to prominent users such as Obama, the chief master sergeant of the US Space Force, and the makeup retailer Sephora. Meta claims the issue has been resolved and affected accounts secured. However, the wave of account takeovers highlights the inherent risks associated with delegating security functions to AI, especially for a company like Meta that has publicly embraced AI integration.

When AI company Anthropic introduced its advanced Mythos tool for testing with a limited number of organizations, eyebrows were raised as the US National Security Agency was included in this initial access group. Mythos, known for uncovering hidden vulnerabilities in software rapidly, has sparked concerns about its potential use in automated mass surveillance and cyberattacks. However, initial reports suggested that the NSA could be leveraging Anthropic’s tool to identify bugs in widely-used software—like Microsoft products—with intentions to enhance security. Recently, the Financial Times reported that Anthropic is further aiding the NSA by deploying its engineers to assist in utilizing Mythos, possibly even in offensive hacking. While it couldn’t be confirmed whether Mythos is actively being used in hacking operations, the increasing use of AI for governmental hacking raises questions about the US’s involvement in contemporary automated cyber intrusions.

Former President Donald Trump has appointed Bill Pulte as the acting director of national intelligence. Pulte replaces Tulsi Gabbard, who left the role due to her husband’s health issues. Trump mentioned he is considering other candidates for the permanent position, yet the confirmation process may take several months.

As the acting director, Pulte is tasked with overseeing the entire US intelligence community, coordinating among 18 different agencies, including the Central Intelligence Agency and NSA.