
Hackers Claim Massive Breach of Location Data Giant, Threaten to Leak Data

7 January 2025 at 08:12

Hackers claim to have compromised Gravy Analytics, the parent company of Venntel, which has sold masses of smartphone location data to the U.S. government. The hackers said they have stolen a massive amount of data, including customer lists, information on the broader industry, and even location data harvested from smartphones which show people’s precise movements, and they are threatening to publish the data publicly.

The news is a crystalizing moment for the location data industry. For years, companies have harvested location information from smartphones, either through ordinary apps or the advertising ecosystem, and then built products based on that data or sold it to others. In many cases, those customers include the U.S. government, with arms of the military, DHS, the IRS, and FBI using it for various purposes. But collecting that data presents an attractive target to hackers.

“A location data broker like Gravy Analytics getting hacked is the nightmare scenario all privacy advocates have feared and warned about. The potential harms for individuals is haunting, and if all the bulk location data of Americans ends up being sold on underground markets, this will create countless deanonymization risks and tracking concerns for high risk individuals and organizations,” Zach Edwards, senior threat analyst at cybersecurity firm Silent Push, and who has followed the location data industry closely, told 404 Media. “This may be the first major breach of a bulk location data provider, but it won't be the last.”


Telegram Hands U.S. Authorities Data on Thousands of Users

6 January 2025 at 12:18

Telegram, the popular social network and messaging application which has also become a hotbed for all sorts of serious criminal activity, provided U.S. authorities with data on more than 2,200 users last year, according to newly released data from Telegram.

The news shows a massive spike in the number of data requests fulfilled by Telegram after French authorities arrested Telegram CEO Pavel Durov in August, in part because of the company’s unwillingness to provide user data in a child abuse investigation. Between January 1 and September 30, 2024, Telegram fulfilled 14 requests “for IP addresses and/or phone numbers” from the United States, which affected a total of 108 users, according to Telegram’s Transparency Reports bot. But for the entire year of 2024, it fulfilled 900 requests from the U.S. affecting a total of 2,253 users, meaning that the number of fulfilled requests skyrocketed between October and December, according to the newly released data.

“Fulfilled requests from the United States of America for IP address and/or phone number: 900,” Telegram’s Transparency Reports bot said when prompted for the latest report by 404 Media. “Affected users: 2253,” it added.

Violent Hackers Are Using U-Haul To Dox Targets

6 January 2025 at 07:18

Members of an underground criminal community that hack massive companies, steal swathes of cryptocurrency, and even commission robberies or shootings against members of the public or one another have an unusual method for digging up personal information on a target: the truck and trailer rental company U-Haul. With access to U-Haul employee accounts, hackers can look up a U-Haul customer’s personal data, and with that try to social engineer their way into the target’s online accounts. Or potentially target them with violence too.

The news shows how members of the community, known as the Com and composed of potentially a thousand people who coalesce on Telegram and Discord, use essentially any information available to them to dox or hack people, no matter how obscure. It also provides context as to why U-Haul may have been targeted repeatedly in recent years, with the company previously disclosing multiple data breaches.

“U-Haul has lots of information, it can be used for all sorts of stuff. One of the primary cases is for doxing targs [targets] since they [seem] to have information not found online and ofc U-Haul has confirmed this info with the person prior,” Pontifex, the administrator of a phishing tool which advertises the ability to harvest U-Haul logins, told 404 Media in an online chat. The tool, called Suite, also advertises phishing pages for Gmail, Coinbase, and the major U.S. carriers T-Mobile, AT&T, and Verizon.

Behind the Blog: Magic Links and Building Shelves

3 January 2025 at 07:24

This is Behind the Blog, where we share our behind-the-scenes thoughts about how a few of our top stories of the week came together. This week, we talk more about magic links and building shelves offline. A light Behind the Blog today but we're back from the holiday on Monday.

JOSEPH: There has been a lot of response to our post We Don’t Want Your Password. Much of it supportive, some of it mad, some of it funny. The TLDR (although I do think it’s worth a read) is that we’re four journalists trying to spend as much time as possible doing actual journalism, rather than spending our very limited amount of time building things that are not necessary and that we’re not equipped to do. We do want to build, like our big project for a fulltext RSS feed for paying subscribers and for the broader independent media ecosystem, but we’re not interested in using up resources (time, mostly) on introducing a username/password login for the site when the current magic link system works mostly fine and is how the CMS we use is designed.

Podcast: The 404 Media Year in Review

31 December 2024 at 06:00

Here's a special year in review episode of the 404 Media Podcast! We riff on the last year in AI, media, journalism, and more. We'll be back with a normal news show in the new year!

Listen to the weekly podcast on Apple Podcasts, Spotify, or YouTube. Become a paid subscriber for access to this episode's bonus content and to power our journalism. If you become a paid subscriber, check your inbox for an email from our podcast host Transistor for a link to the subscribers-only version! You can also add that subscribers feed to your podcast app of choice and never miss an episode that way. The email should also contain the subscribers-only unlisted YouTube link for the extended video version too. It will also be in the show notes in your podcast player.

Secret Service Admits It Didn’t Check if People Really Consented to Being Tracked

30 December 2024 at 06:00

The Secret Service never actually checked whether people gave proper consent to be tracked by a mobile phone location monitoring tool, despite claiming the data was collected with people’s permission, the agency admitted in an email obtained by 404 Media.

The email undermines the Secret Service’s and other U.S. federal agencies' justification that monitoring the movements of phones with commercially available location data without a warrant is possible because people allegedly agreed to the terms of services of ordinary apps that may collect it. The news also comes after the Federal Trade Commission (FTC) banned Venntel, the company that provided the underlying dataset for the surveillance tool used by the Secret Service, from selling sensitive location data, and alleged that it did not obtain that consent in multiple cases. The tool used by the Secret Service is called Locate X, which is made by a company called Babel Street.

In the 2022 email, the office of Senator Ron Wyden asked the Secret Service what steps it had taken to verify that the location data it purchased from Babel Street was obtained from consumers who consented to “the onwards sale and sharing of the data.” Venntel collates location data from a variety of sources, including apps installed on people’s phones such as weather or navigation tools. The Secret Service’s one-word response to that question read “None,” according to a copy of the email Wyden’s office shared with 404 Media.

Podcast: Why We Cover AI the Way We Do

25 December 2024 at 06:00

Hello! Here's a holiday gift: an episode of the 404 Media Podcast that was previously only for paying subscribers! It gives a lot more context on how and why we cover AI the way we do. Here's the original description of the episode:

We got a lot of, let's say, feedback, with some of our recent stories on artificial intelligence. One was about people using Bing's AI to create images of cartoon characters flying a plane into a pair of skyscrapers. Another was about 4chan using the same tech to quickly generate racist images. Here, we use that dialogue as a springboard to chat about why we cover AI the way we do, the purpose of journalism, and how that relates to AI and tech overall. This was fun, and let us know what you think. Definitely happy to do more of these sorts of discussions for our subscribers in the future.


Government to Name ‘Key Witness’ Who Provided FBI With Backdoored Encrypted Chat App Anom

23 December 2024 at 05:55

A lawyer defending an alleged distributor of Anom, the encrypted phone company for criminals that the FBI secretly ran and backdoored to intercept tens of millions of messages, is pushing to learn the identity of the confidential human source (CHS) who first created Anom and provided it to the FBI, starting the largest sting operation in history, according to recently filed court records. The government says it will provide that identity under discovery, but the CHS may also be revealed in open court if they testify.

The move is significant in that the CHS, who used the pseudonym Afgoo while running Anom, is a likely target for retaliation from violent criminals caught in Anom’s net. The Anom case, called Operation Trojan Shield, implicated hundreds of criminal syndicates in more than 100 countries. That includes South American cocaine traffickers, Australian biker gangs, and kingpins hiding in Dubai. Anom also snagged specific significant drug traffickers like Hakan Ayik, who authorities say heads the Aussie Cartel which brought in more than a billion Australian dollars in profit annually.

Court records say, however, that if this defendant’s case goes to trial, the lawyer believes Afgoo will be the “government’s key witness.”

Podcast: The New Jersey Drone Panic

18 December 2024 at 06:00

This week Jason, as both a drones and aliens reporter, tells us what is most likely happening with the mysterious drones flying over New Jersey. After the break, Joseph explains how cops in Serbia are using Cellebrite phone unlocking tech as a doorway to installing malware on activists' and journalists' phones. In the subscribers-only section, Sam tells us all about an amazing art project using traffic cameras in New York City.


DHS Says China, Russia, Iran, and Israel Are Spying on People in US with SS7

17 December 2024 at 06:42

The Department of Homeland Security (DHS) believes that China, Russia, Iran, and Israel are the “primary” countries exploiting security holes in telecommunications networks to spy on people inside the United States, which can include tracking their physical movements and intercepting calls and texts, according to information released by Senator Ron Wyden.

The news provides more context around use of SS7, the exploited network and protocol, against phones in the country. In May, 404 Media reported that an official inside DHS’s Cybersecurity Infrastructure and Security Agency (CISA) broke with his department’s official narrative and publicly warned about multiple SS7 attacks on U.S. persons in recent years. Now, the newly disclosed information provides more specifics on where at least some SS7 attacks are originating from.

The information is included in a letter the Department of Defense (DoD) wrote in response to queries from the office of Senator Wyden. The letter says that in September 2017 DHS personnel gave a presentation on SS7 security threats at an event open to U.S. government officials. The letter says that Wyden staff attended the event and saw the presentation. One slide identified the “primary countries reportedly using telecom assets of other nations to exploit U.S. subscribers,” it continues.

Cellebrite Unlocked This Journalist’s Phone. Cops Then Infected it With Malware

15 December 2024 at 22:00

Authorities in Serbia have repeatedly used Cellebrite tools to unlock mobile phones so they could then infect them with potent malware, including the phones of activists and a journalist, according to a new report from human rights organization Amnesty International.

The report is significant because it shows that although Cellebrite devices are typically designed to unlock or extract data from phones that authorities have physical access to, they can also be used to open the door for installing active surveillance technology. In these cases, the devices were infected with malware and then returned to the targets. Amnesty also says it, along with researchers at Google, discovered a vulnerability in a wide spread of Android phones which Cellebrite was exploiting. Qualcomm, the impacted chip manufacturer, has since fixed that vulnerability. And Amnesty says Google has remotely wiped the spyware from other infected devices.

“I am concerned by the way police behave during the incident, especially the way how they took/extracted the data from my mobile phone without using legal procedures. The fact that they extracted 1.6 GB data from my mobile phone, including personal, family and business information as well as information about our associates and people serving as a ‘source of information’ for journalist research, is unacceptable,” Slaviša Milanov, deputy editor and journalist of Serbian outlet FAR and whose phone was targeted in such a way, told 404 Media. Milanov covers, among other things, corruption.

Podcast: 3D Printed Guns and UnitedHealthcare

11 December 2024 at 06:00

This week we start with Joseph's story about how the weapon found on the alleged UnitedHealthcare CEO murderer was a particular 3D printed design. Then Jason tells us what he found about the alleged killer Luigi Mangione through his online accounts, and why, ultimately, this kind of journalism might not matter. After the break, Sam talks about how various healthcare companies removed pages about their leadership after the murder, and what we're seeing when it comes to social content moderation around it. In the subscribers-only section, we talk about Congress getting big mad at Apple and Google after 404 Media's reporting on deepfake apps.


Location Data Firm Offers to Help Cops Track Targets via Doctor Visits

10 December 2024 at 06:00

This article was produced with support from the Capitol Forum.

A location data company is asking police for the address of specific people’s doctors in case that can be useful in finding their mobile phone in a massive set of people’s location data, according to a document provided to U.S. law enforcement and obtained by 404 Media.

The document is a “Project Intake Form” that asks police for information about the person of interest they would like to track, such as biographical information and known locations, including family and friends' addresses and doctors' offices they may visit. It shows that, in a time when surveillance of abortion and reproductive health clinics could rise in a post-Roe America, companies providing monitoring tools to the government are prepared to use healthcare information to track down targets. The company is called Fog Data Science, and its product uses location data harvested from smartphones either through ordinary apps or the advertising ecosystem. In 2022 the Electronic Frontier Foundation (EFF) revealed Fog had sold its phone tracking technology to multiple U.S. agencies, including local police. The document is included in a set of emails from March this year that 404 Media obtained through a public records request, showing the company is still pitching its technology to local law enforcement.

“Your objectives help us target what you want most. Details about the POI [person of interest] help us eliminate devices more efficiently,” the document reads. It then asks for details on the target, such as their name or known aliases, their link to criminal activity, their “distinguishing characteristics” such as their “gender, ethnicity, religion.”

UnitedHealthcare Shooting Person of Interest Had 3D Printed Glock

9 December 2024 at 17:14

The weapon found on the arrested person of interest in the murder of UnitedHealthcare CEO Brian Thompson is a specific 3D printed Glock frame called the Chairmanwon V1, two people in the 3D printed weapons community told 404 Media after viewing an image of the weapon provided to media outlets by police. 

The news is significant in that it could be the first assassination in the United States using a 3D printed weapon, and could usher in fresh calls to further regulate the printing of firearms by ordinary citizens. The finding comes after police arrested a person of interest, Luigi Mangione, on Monday in Pennsylvania. Mangione has now been charged with a handful of crimes, including carrying a gun without a license, but he has not been charged with the murder itself.

“I can confirm that it is a 3D printed Glock. It’s a V1 chairmanwon design,” Print Shoot Repeat, a pseudonymous and high-profile member of the 3D printing firearms community, told 404 Media in an online chat. “It appears to be the first high profile case involving a 3D printed gun and it’s my guess that this will have a huge impact on DIY firearms regulations going forward.”

Podcast: Your Bluesky Posts Are Probably Training AI

4 December 2024 at 06:00

We start this week with Sam's stories about multiple people building big datasets of Bluesky users' posts. People are not happy! After the break, Jason talks all about reverse-engineering Redbox machines, and a trip he took to see one being ripped up. In the subscribers-only section, Joseph explains two big moves the U.S. government is making against data brokers.


FTC Bans Location Data Company That Powers the Surveillance Ecosystem

3 December 2024 at 06:46

The Federal Trade Commission (FTC) announced sweeping action on Tuesday against some of the most important companies in the location data industry, including those that power surveillance tools used by a wide spread of U.S. law enforcement agencies, and is demanding they delete data related to certain sensitive areas like health clinics and places of worship.

Venntel, through its parent company Gravy Analytics, takes location data from smartphones, either through ordinary apps installed on them or through the advertising ecosystem, and then provides that data feed to other companies who sell location tracking technology to the government or sells the data directly itself. Venntel is the company that provides the underlying data for a variety of other government contractors and surveillance tools, including Locate X. 404 Media and a group of other journalists recently revealed Locate X could be used to pinpoint phones that visited abortion clinics. 

The FTC says in a proposed order that Gravy and Venntel will be banned from selling, disclosing, or using sensitive location data, except in “limited circumstances” involving national security or law enforcement. Sensitive locations include medical facilities, religious organizations, correctional facilities, labor union offices, schools and childcare facilities, domestic abuse and homeless support centers, shelters for refugee or immigrant populations, and military installations. The FTC also demands that the companies delete all historic location data. 

U.S. Government Tries to Stop Data Brokers That Help Dox People Through Credit Data

3 December 2024 at 02:00

On Tuesday the Consumer Financial Protection Bureau (CFPB) published a long-anticipated proposed rule change around how data brokers handle people’s sensitive information, including their name and address, which would introduce increased limits on when brokers can distribute such data. Researchers have shown how foreign adversaries are able to easily purchase such information, and 404 Media previously revealed that this particular data supply chain is linked to multiple acts of violence inside the cybercriminal underground that have spilled over to victims in the general public too.

The proposed rule in part aims to tackle the distribution of credit header data. This is the personal information at the top of a credit report which doesn’t discuss the person’s actual lines of credit. But currently credit header data is distributed so widely, to so many different companies, that it ends up in the hands of people who use it maliciously.

The impact of the proposed rule change, if it were to go into force, won’t be clear until it actually happens, which potentially would not be until at least next year. And that might be up in the air: Elon Musk, who is playing a key role in the transition to the forthcoming Trump administration, and venture capitalist Marc Andreessen have both criticized the agency. But the proposed rule change still shows a significant effort by a U.S. government agency to wrangle the data broker industry.

Podcast: Pokémon Go to The Military Industrial Complex

27 November 2024 at 06:00

This week we start with Emanuel's couple of stories about Niantic, the company that makes Pokémon Go, and its plan to build an AI model based on data collected by its users. After the break, Jason and Emanuel talk about their big investigation into the rise of "AI pimping." In the subscribers-only section, Joseph explains why he doesn't use a mobile phone and how he uses an iPad Mini instead.

