Seriously Risky Business Newsletter
February 13, 2025
Governments Are Losing the Crypto Wars
Written by Tom Uren
Policy & Intelligence
Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by Lawfare with help from the William and Flora Hewlett Foundation. This week's edition is sponsored by Resourcely.
You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.
Apple has refused to obey a UK Government order to provide access to encrypted iCloud data in the latest failure by authorities to mitigate the proliferation of 'warrant proof' encryption.
The Washington Post revealed the existence of the UK Government order, known as a Technical Capability Notice (TCN), last week:
Security officials in the United Kingdom have demanded that Apple create a back door allowing them to retrieve all the content any Apple user worldwide has uploaded to the cloud, people familiar with the matter told The Washington Post.
The British government's undisclosed order, issued last month, requires blanket capability to view fully encrypted material, not merely assistance in cracking a specific account, and has no known precedent in major democracies. Its application would mark a significant defeat for tech companies in their decades-long battle to avoid being wielded as government tools against their users, the people said, speaking under the condition of anonymity to discuss legally and politically sensitive issues.
The TCN is designed to preserve lawful access to cloud data stored with Apple's Advanced Data Protection, which was rolled out as an opt-in service in November 2022. The service effectively locks Apple (and law enforcement) out of a user's iCloud storage by encrypting it with keys that only that user can access.
Under the UK's Investigatory Powers Act, the government can issue a TCN to ensure that service providers build or maintain the capabilities needed to satisfy interception warrants.
We think that there is a place for lawful interception capabilities where they are proportionate and the right checks and balances are in place, but in this case it does not seem reasonable that UK authorities are able to impose changes worldwide.
However, writing on LinkedIn, Alexander Martin, The Record's UK editor, expressed discomfort at The Washington Post's description of the capability as a 'back door'.
But my frustration with the phrase "back door" is how it misrepresents the British government's intention. That intention is explicitly and intentionally to not create some kind of covert Top Secret capability to access encrypted data (e.g. one based on a cryptographic weakness only they know)...
Instead, the point of TCNs is just to ensure that existing access methods remain available… as they were with iCloud up until November 2022.
That seems less outrageous than The Washington Post's interpretation, but Post sources said that rather than complying, Apple would be likely to stop offering encrypted storage in the UK.
Ciaran Martin, the former head of the UK's National Cyber Security Centre, told Seriously Risky Business he believed this incident drove home the fact that 'the crypto wars are over'.
Martin said governments had lost the battle to gain access to encrypted communications.
"When I say the crypto wars are over I don't mean governments (especially the UK's, and to some extent Australia and the EU), have stopped fighting them," he said.
"I just mean it's clear they can't win them. They've lost."
Martin cited various government regulatory attempts over the last several years that have all amounted to nothing. These included efforts to stop Meta's rollout of end-to-end encryption on Messenger, efforts to require client-side scanning on encrypted messaging apps such as Signal, and Apple's resistance to requests to help the FBI obtain access to an iPhone used by a deceased terror suspect in 2015.
Martin thinks there are several factors that support arguments for 'more encryption' rather than 'more lawful access'. These include the absence of any immediately apparent compromise position, public and customer support for encryption, and today's US political climate, which appears to support US Big Tech companies (for now).
On BlueSky, Democratic Senator Ron Wyden, a member of the Senate Intelligence Committee, posted his support of Apple's stance:
Trump and Apple better tell the UK to go to hell with its demand to access Americans’ private, encrypted texts and files. Trump and American tech companies letting foreign governments secretly spy on Americans would be an unmitigated privacy and national security disaster.
Political support is the wild card here.
In its article The Washington Post noted Apple was originally going to offer its Advanced Data Protection "several years earlier, but backed off after objections from the FBI during the first term of President Donald Trump, who pilloried the company for not aiding in the arrest of 'killers, drug dealers and other violent criminal elements'."
Even if President Trump's support and broader political support are fickle, Martin doesn't think it will make much difference. The fundamental problem, he said, was that "there is no solution that will win people round and [expending political capital fighting encryption] is not worth it".
Of course, circumstances can change, and a large enough intelligence failure, particularly one that leads to a major terrorist incident, could motivate politicians to tackle this as a priority. We hope that doesn't happen.
Cutting Heads Off the Ransomware Hydra
Aggressive government action over the last few years is curbing, but not eliminating, damaging ransomware attacks. This may be as good as it gets, with governments needing to continuously cut heads off the regenerating ransomware hydra.
Evidence of change in the ransomware ecosystem comes from incident response firm Coveware and blockchain analysis company Chainalysis' tracking of cryptocurrency flows.
Coveware's latest quarterly report found fewer companies were paying ransoms when attacked (an all-time low at just a quarter of victims), and median payments were down.
Chainalysis found the total volume of ransomware payments was down 35% from USD$1.25 billion in 2023, to USD$813 million last year.
This sharp decrease in payments occurred entirely in the second half of 2024, which Coveware and Chainalysis attribute to separate incidents affecting two of the most prominent ransomware groups. LockBit was disrupted by law enforcement action, while ALPHV/BlackCat disappeared in an exit scam.
The pace of law enforcement actions affecting cybercriminals ramped up over 2024 and Coveware observed a splintering of the ransomware ecosystem away from Ransomware-as-a-Service groups towards 'lone wolves' and high-volume commodity ransomware.
Broadly, Ransomware-as-a-Service (RaaS) groups have declined as a force, with LockBit and ALPHV/BlackCat effectively eliminated (although a new RaaS group known as RansomHub is causing its fair share of disruption).
The two most common ransomware strains are Akira and Fog, both high-volume operations that target small and medium enterprises with standardised attacks. Coveware notes that Akira's "general avoidance of the healthcare sector and critical infrastructure has kept them out of the headlines that have thrust other big game hunters into the media spotlight". From a public policy perspective, groups that avoid critical infrastructure represent 'wins' and consequently should be moved down the disruption priority list.
Interestingly, what Coveware calls 'lone wolves' are the fourth largest category of ransomware actors, contributing about 8% of ransomware attacks. These actors do not claim an affiliation with a group or brand name and do not use an encryptor derived from existing code.
These adaptations in the ransomware ecosystem have been driven by international law enforcement and cyber operations that have disrupted gangs and their infrastructure. These operations involved the arrest of gang members and have driven down profitability. Moreover, Coveware said, "dismantling ransomware-as-a-service platforms and ransomware gangs makes it harder for new actors to enter the cybercrime ecosystem, raising the financial and operational barriers to entry".
That's all good stuff, and it doesn't end there.
Chainalysis found that criminals were changing their cryptocurrency laundering methods as well. It observed a substantial decline in the use of mixers, services that attempt to launder illicit funds by blending them with legitimate currency flows. It describes this decline as "a testament to the disruptive impact of sanctions and law enforcement actions, such as those against Chipmixer, Tornado Cash, and Sinbad".
Chainalysis also said that "curiously, ransomware operators, a primarily financially motivated group, are abstaining from cashing out more than ever". It thinks this is due to 'decisive and unpredictable' law enforcement action creating uncertainty about where criminals can safely park their funds.
Although this is all good news, ransomware is not 'solved'. It is more a Red Queen kind of thing, where governments will have to keep working very hard just to keep a lid on it.
Watch Patrick Gray and Tom Uren discuss this edition of the newsletter:
Three Reasons to Be Cheerful This Week:
- German takedowns and Thai arrests: Four European ransomware suspects were arrested in Phuket, Thailand, on 10 February and '8Base', the group's leak site, was taken down by European authorities on the same day. The US Department of Justice unsealed charges against two of the arrested individuals and alleged the Russian pair had used Phobos ransomware on over 1,000 victims to collect USD$16m in ransom payments. It is good to see this kind of international cooperation against a significant but relatively new group.
- Bulletproof hosting sanctions: The US, UK and Australian governments have jointly sanctioned the Zserver bulletproof hosting service for its role in supporting LockBit ransomware attacks. The governments' measures also targeted key personnel at the Russia-headquartered service.
- More transparent surveillance: The Foreign Intelligence Surveillance Court (FISC), the US court that oversees foreign intelligence, will begin allowing certain members of Congress to observe its proceedings, reports The Record. We're not entirely sure this is 'cheerful' news — there are both pros and cons that are covered well in the article — but we support the idea of increased transparency.
Sponsor Section
In this Risky Bulletin sponsor interview, Travis McPeak, the CEO and founder of Resourcely, explains that companies now realize they have a ton of cloud-related technical debt because of the success of cloud posture management products. Travis talks about different approaches he has seen to tackle rampant cloud misconfigurations.
Resourcely is releasing Campaigns, a tool for identifying and remediating vulnerabilities in your existing infrastructure. Want to burn down your CSPM findings? Try out Campaigns today.
Shorts
Paragon Cuts Ties With Italy
Paragon Solutions, an Israeli mobile spyware company, has reportedly cut ties with the Italian government.
The Guardian writes:
Paragon’s decision to end the Italy contract followed revelations that an Italian investigative journalist and two activists who were critical of Italy’s dealings with Libya were among the people who had allegedly been targeted with the spyware. The work of all three individuals has been critical of the rightwing government of Italy’s prime minister, Giorgia Meloni.
The Italian government denies it is involved and said that although WhatsApp had found seven Italian accounts had been targeted, accounts from 13 other European countries were also affected.
By staying on the right side of the US government, Paragon Solutions has been able to sell its products to US agencies. The carrot of potential US sales could be an incentive for the company to enforce its terms of service, although it is not yet clear what the Trump administration's attitude to abusive spyware will be.
Foreign Influence Task Force Disbanded
The US Department of Justice's new Attorney General, Pam Bondi, has disbanded the FBI's Foreign Influence Task Force to reallocate resources to "more pressing priorities and [to] end risks of further weaponization and abuses of prosecutorial discretion".
Although Bondi is clearly concerned about its politicisation, foreign influence operations are standard operating procedure for some adversaries. Catalin Cimpanu at Risky Business News noted:
The unit was set up in 2017 to counter foreign influence operations targeting US elections. The unit's work contributed to charges and sanctions against many Russian government and private organizations involved in info-ops and bot farms targeting elections in the US and around the globe.
The memo announcing the move spelt out higher priorities including immigration, human trafficking, smuggling, transitional [sic] organised crime and cartels. It made no mention of cybercrime.
Risky Biz Talks
You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).
In our last "Between Two Nerds" discussion Tom Uren and The Grugq talk about Israeli spyware vendor Paragon, how and why it positions itself to sell to the US market, and how its capabilities might work.
Or watch it on YouTube!
From Risky Biz News:
Supply chain attack at AdsPower browser platform: A threat actor has compromised the AdsPower browser platform and injected malicious code that modified third-party crypto wallet extensions and stole user funds.
The breach took place on January 21 and went undetected for three days before the company removed the code and forcibly uninstalled all the targeted extensions from users' browsers.
According to SlowMist founder Yu Xian, the code worked as a backdoor that extracted mnemonic recovery phrases and private keys from the wallet extension and sent them to an attacker's server.
AdsPower, which develops a multi-profile privacy-centric browser, says that users who downloaded and installed cryptocurrency wallet extensions between January 21, 10:00 AM, and January 24, 10:00 AM (UTC+0) were likely affected.
[more on Risky Business News]
Taliban leak: Hackers have breached and leaked documents from 21 Taliban ministries and government agencies. The hackers have leaked over 50GB of data on a website named TalibLeaks. The documents allegedly include the names of political prisoners and the details of travel bans for certain government employees. The Taliban government has confirmed the authenticity of the files but denied suffering a security breach. [Additional coverage in Amu] [h/t DataBreaches.net]