Seriously Risky Business Newsletter
October 16, 2025
Small Beer Surveillance Firms Escape Crackdown, For Now
Policy & Intelligence
Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by Lawfare with help from the William and Flora Hewlett Foundation. This week's edition is sponsored by Nebulock.
You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

A recent investigation into a Jakarta-based company shows there are still companies willing to offer unethical surveillance-as-a-service, even as crackdowns on high-profile spyware have really hurt big players.
A collaborative media investigation kicked off by Lighthouse Reports looked at First Wap, a company that began as a mobile phone messaging service in 1999. The company soon pivoted to phone tracking after being asked by an unnamed law enforcement agency to support its counterterrorism efforts.
First Wap's surveillance product Altamides, short for Advanced Location Tracking and Deception System, exploits vulnerabilities in Signalling System 7 (SS7) to locate phones and even redirect text messages or phone calls. Because it exploits vulnerabilities in phone network protocols, Altamides does not require the deployment of malware to target devices.
A Lighthouse reporter managed to uncover a leaked dataset of historical Altamides queries, primarily from 2007 to 2014. This archive contained 1.5 million records spanning 160 countries and 14,000 phone numbers. Analysing it provided granular insight into how Altamides was being used, which included for the targeting of individuals in the US, the UK and, to some extent, Australia.
Spyware vendors typically take steps to avoid targeting the US, but Mother Jones identified a number of American targets including:
- Blackwater founder Erik Prince
- Anne Wojcicki, founder of DNA testing company 23andMe and the wife of Google's Sergey Brin
- Journalist Adam Ciralsky, while he was investigating the arms industry
- Raytheon executives and employees of telecom and cyber security firms
According to Mother Jones, First Wap customers included Belarus, Indonesia, Malaysia, Nigeria, Saudi Arabia, Singapore, the UAE, and Uzbekistan. It also found evidence that Altamides was used in corporate investigations.
Although the targeting described above is historical, First Wap continues to operate and has expanded its range of services beyond phone location and tracking. First Wap's sales director Guenter Rudolph told undercover Lighthouse reporters posing as potential buyers that Altamides can intercept calls and text messages, which facilitates access to accounts that rely on authentication codes sent via text. The executive claimed it could "easily" provide access to a target's WhatsApp account, for example.
The overall vibe we're getting is that First Wap doesn't really care who Altamides is sold to, or who it was used against.
When it comes to the overall surveillance market though, it's not all bad news. Rudolph told the undercover reporters that the media attention given to high-profile spyware vendors led to those companies adopting "ethical principles". Per Mother Jones:
Rudolph mentioned an Israeli hacking firm, sanctioned by the US on the basis that it had supplied spyware used to target journalists, businesspeople, and activists. Rudolph said he had introduced two new clients to the firm, only to have them rejected—representing a loss to the Israeli firm of tens of millions of dollars of potential business.
This is good news! A combination of media coverage and government action including financial sanctions appears to have actually changed market dynamics. Only time will tell if governments can be bothered dealing with smaller and less sophisticated outfits like First Wap.
NSO Group: From Cyber Unicorn to Cautionary Tale
Speaking of high-end spyware, NSO Group is set to be sold to US investors in a deal worth "tens of millions of dollars", according to a company spokesperson.
The deal is still pending Israeli and US regulatory approval, but it underlines that the company has become a cautionary tale for spyware vendors who might consider selling to sketchy customers.
Back in 2019, the firm was reportedly valued at close to USD$1 billion in a management buyout. In that deal, two of its founders invested $100 million to regain control of the company after it had been sold to private investors in 2014.
Since then, the investors have been treated to a masterclass in wealth destruction. For those keeping count, assuming the reported figures are accurate, that's at least $900 million that has disappeared in a sea of human rights abuses.
Last month we wrote that US investment in spyware vendors was good news because it would encourage them to behave more responsibly. With this deal, NSO Group has become the poster child for how abusive use of spyware can destroy investor value. Will we soon be highlighting it as an example of US investment leading to responsible spyware? Watch this space.
The CCP Absorbs Hacking Contests
China's hacking competition scene has been completely co-opted by the state.
Back in 2021, we wrote that China's Tianfu Cup hacking contest demonstrated that the country's "exploit development workforce was amongst the best in the world" and that "the time to worry is when the Tianfu Cup gets boring".
The Tianfu Cup hasn't become boring so much as disappeared, as described this week by Eugenio Benincasa and the Natto Thoughts team in a retrospective of China's vulnerability research ecosystem.
And its apparent replacement, the Matrix Cup, seems to have been set up to directly benefit the Chinese state.
In his opening address at the 2024 Matrix Cup, Zhou Hongyi, the organising chairman and founder of Qihoo 360, said the event would allow "the results to stay in China and be used by the state to defend cyber security".
Hongyi went on to say that Western hacking competitions are organised by intelligence agencies who harvest the vulnerabilities and techniques for their own benefit. In his view, Chinese researchers were being shortchanged because the prize money on offer in Western competitions did not match the value of the vulnerabilities and techniques that Chinese researchers were handing over.
"I think the Americans were getting our services for free", he said.
The Matrix Cup is more secretive than other competitions. In a write-up of last year's Matrix Cup, 360 Digital Security, which hosted the competition, didn't even name affected products. The Best Vulnerability Award, for example, went to "a vulnerability in a leading global virtualisation management platform". Plans for the 2025 Matrix Cup have not been publicly announced, although we wouldn't be surprised if it had already taken place, just very quietly.
As for the money, the 2024 Matrix Cup boasted a USD$2.75 million prize pool, more than double the $1.1 million distributed at the 2024 Pwn2Own contest.
Chinese researchers are making bank, and the CCP is doing nicely out of this too.
Three Reasons to Be Cheerful This Week:
- Salesforce extortion site seized: The FBI announced that, together with partners, it had taken down the BreachForums site. At the time of the seizure, a group calling itself ScatteredLapsus$Hunters was threatening to publish data stolen from 39 Salesforce customers to BreachForums if the company did not pay up.
- Signal improves its post-quantum protection: Signal has rolled out changes that make its protocol more resistant to quantum computing attacks. The good news here is not any practical improvement in security today, but rather that Signal is doing work that will probably flow through to many of today's end-to-end encrypted messengers. Ars Technica has further coverage.
- $15 billion seized from Cambodian scammers: The US and UK have taken sweeping action against the Prince Group, a Cambodian conglomerate that the US Treasury says operates "a transnational criminal empire". The US Department of Justice also announced it had seized USD$15 billion of cryptocurrency from Chen Zhi, the Prince Group's founder and chairman.
Sponsor Section
In this Risky Business sponsored interview, Tom Uren talks to Damien Lewke, CEO and founder of Nebulock about countering adversary use of AI… with AI. They talk about how threat actors are rapidly adopting AI and what defenders should be doing in response.
Shorts
Ukraine's Steps Toward a Cyber Force
Last week, Ukraine's parliament took its first step toward approving the creation of a dedicated cyber force within the country's military.
Although Ukraine has been involved in a real war for years, there still isn't universal agreement about the need for a Cyber Force.
In our view, one of the stronger arguments for a Ukrainian Cyber Force is that it could allow civilian hacktivists to become cyber reservists. This could formalise the relationship of Ukraine's IT Army with its military, make it easier to collaborate effectively and also provide hacktivists with the protections granted to military personnel.
Risky Biz Talks
You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).
In our last "Between Two Nerds" discussion Tom Uren and The Grugq talk about how different cybercriminal groups are looking for insiders to provide network access.
Or watch it on YouTube!
From Risky Bulletin:
Windows 10 reaches End-of-Life: The Windows 10 operating system reached End-of-Life (EOL) on Tuesday, October 14, after more than 10 years since its official release back in July 2015.
The OS won't receive any new security updates unless users or companies enroll in the Extended Security Updates (ESU) program.
Because Windows 10 is still installed on around 40% of all Windows systems, Microsoft has made this ESU the first one available to home consumers—ESUs were initially introduced to provide extended paid support for larger enterprises.
[more on Risky Bulletin]
Microsoft revamps Edge's "IE Mode" after zero-day attacks: A mysterious threat actor is abusing the legacy Internet Explorer mode in Microsoft Edge to run malicious code in a user's browser and take over their device.
The attacks have been going on since at least August, according to the Microsoft Edge security team.
The Internet Explorer legacy mode, or IE Mode, is a separate website execution environment in Edge. It works by reloading a web page but running its code inside the old Internet Explorer engines.
[more on Risky Bulletin]
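A defender-side check to go with the item above, added here as an example and not code from Risky Bulletin or Microsoft: it reads the Edge IE Mode policies that Group Policy writes to the registry (the policy names InternetExplorerIntegrationLevel and InternetExplorerIntegrationSiteList are Microsoft's documented Edge policies; the value meanings in the comments are from that documentation) and reports whether the legacy engine is enabled on the host and which site list it loads. Policies delivered by other means (MDM, Intune) show up in edge://policy rather than these keys, which the script assumes you will check separately.

```powershell
# Added example, not code from Risky Bulletin or Microsoft.
# Audits whether Microsoft Edge's IE Mode is enabled by policy on this host and which
# site list it loads, so a defender can gauge how much legacy-engine exposure exists.

$edgePolicyPaths = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge',   # machine-wide policy
    'HKCU:\SOFTWARE\Policies\Microsoft\Edge'    # per-user policy
)

function Get-EdgeIEModePolicy {
    foreach ($path in $edgePolicyPaths) {
        if (-not (Test-Path $path)) { continue }
        $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        $level = $props.InternetExplorerIntegrationLevel
        if ($null -eq $level) { continue }
        # Documented meanings: 0 = None (IE Mode off), 1 = IEMode, 2 = NeedIE (deprecated)
        $meaning = switch ($level) {
            0       { 'None (IE Mode disabled)' }
            1       { 'IEMode (enabled for listed sites)' }
            2       { 'NeedIE (deprecated)' }
            default { "Unknown ($level)" }
        }
        [pscustomobject]@{
            Scope    = $path
            Level    = $level
            Meaning  = $meaning
            SiteList = $props.InternetExplorerIntegrationSiteList
        }
    }
}

$findings = @(Get-EdgeIEModePolicy)
if ($findings.Count -eq 0) {
    Write-Output 'No IE Mode policy in the registry; check edge://policy for policies delivered another way.'
} else {
    $findings | Format-Table -AutoSize
    $enabled = $findings | Where-Object { $_.Level -ne 0 }
    if ($enabled) {
        Write-Output 'IE Mode is enabled by policy: review the site list and keep it limited to the internal apps that still need the legacy engine.'
    }
}
```

Run it in an elevated PowerShell session so the HKLM key is readable; on a fleet, the same function can be pushed through your endpoint management tooling and the Level and SiteList fields collected centrally.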
EU scraps Chat Control vote: The European Union has scrapped next week's vote on Chat Control, proposed legislation that would have mandated tech companies to break their encryption to scan content for child abuse materials.
The project was supposed to be put to a vote on Tuesday, October 14, during a meeting of interior ministers of EU member states.
Denmark, which currently holds the EU presidency and was backing the legislation, scrapped the vote, according to reports on Austrian and German media.
[more on Risky Bulletin]