John Scott-Railton
jsrailton.bsky.social
Chasing digital badness. Senior Researcher at Citizen Lab, but words here are mine.
Reposted by John Scott-Railton
Spyware found on Belarusian journalist's phone shortly after interrogation by security services. Reporters w/o Borders: Spyware likely installed while the journalist was detained. The same infection method recently used in Kenya + Serbia. H/t @jsrailton.bsky.social
therecord.media/spyware-bela...
New spyware discovered on Belarusian journalist’s phone after interrogation
Researchers at the nonprofit Reporters Without Borders discovered a previously unknown spyware tool on the phone of a Belarusian journalist who had been detained by security services.
therecord.media
December 17, 2025 at 6:08 PM
Belarusian KGB put spyware on phones of detained journalist.

Growing list of cases where authoritarian regimes use detention to implant spyware on phones:

🦠Belarus
🦠Kenya
🦠Serbia

And likely plenty more.

Important investigation & reminder that dictators don't always need zero-days.
rsf.org RSF @rsf.org · 18d
#Belarus: RSF reveals the existence of a previously unknown spyware tool, used since at least 2021 by the KGB against journalists. Installed after the physical confiscation of phones, #ResidentBat constitutes a grave violation of press freedom. RSF calls for a ban on these surveillance technologies.
Exclusive: RSF uncovers new spyware from Belarus
Reporters Without Borders (RSF)’s Digital Security Lab (DSL), working with the Eastern European organisation RESIDENT.NGO, has uncovered a previously unknown spyware tool used by the State Security Co...
rsf.org
December 17, 2025 at 3:45 PM
Reposted by John Scott-Railton
1/ Yesterday’s Q2-Q3 Adversarial Threat Report by Meta was interesting in many ways. For us @citizenlab.ca, it was a blast from the past.

For the first time, Meta’s investigators attributed what in 2019 we had named Endless Mayfly - a relentless, sophisticated influence op targeting Iran’s enemies.
Burned After Reading: Endless Mayfly’s Ephemeral Disinformation Campaign - The Citizen Lab
Using Endless Mayfly as an illustration, this highlights the challenges of investigating & addressing disinformation from research & policy perspectives.
citizenlab.ca
December 12, 2025 at 4:15 PM
Reposted by John Scott-Railton
In 2019, we @citizenlab.ca published an investigation into a disinfo / influence operation we called "Endless Mayfly", and which we attributed at the time to an "Iran-aligned entity"
citizenlab.ca/2019/05/burn...

Now, Meta's latest adversarial threat report showing we were spot on 👇
December 11, 2025 at 10:38 PM
Hotel toilet privacy is disappearing.

Glass doors.

Or no door.

Or a big window into the room.

Or frosted glass so that the light spills out.

Who is asking for this?
November 25, 2025 at 9:03 AM
Massive global issue with Cloudflare.

App not working? Can't login? Probably why.

SO much of the internet depends on Cloudflare to stay online.

But what happens when Cloudflare itself goes down?

Well, you're watching it.
November 18, 2025 at 2:45 PM
CRUSHING BLOW TO NSO: 🇺🇸Court permanently bans Pegasus spyware-maker from targeting WhatsApp

🚫Must destroy tools exploiting WhatsApp
🚫Stop future development of WA targeting

Foreign gov customers exempt from data deletion but...
🚫NSO is barred from helping them hack WA. 1/
November 13, 2025 at 12:41 AM
Reposted by John Scott-Railton
What used to be bugs and informants is now #spyware. Bringing together victims of #Stasi surveillance and #spyware to discuss: How can we protect #freedom in the digital age?

🗓️ November 12, 18:30
#BerlinFreedomWeek

Register here 👇

www.berlin-freedom-week.com/en/event/sta...
November 11, 2025 at 1:17 PM
Reposted by John Scott-Railton
A firm that sells extraordinarily powerful phone hacking technology that has been demonstrably connected to widespread harms worldwide, including gruesome murder, and was properly sanctioned and held liable because of it

....is now in the hands of these people.

That's Bad News, everyone.
Former Trump official appointed exec chairman of spyware company NSO Group. David Friedman previously served as Trump's ambassador to Israel + before that was a bankruptcy lawyer for the president. NSO was recently acquired by investors led by a Hollywood producer therecord.media/former-trump...
Former Trump official named NSO Group executive chairman
NSO Group announced Friedman’s appointment on Sunday, saying that NSO’s three founders no longer have any stake in the firm.
therecord.media
November 11, 2025 at 4:55 AM
Bringing NSO Group out of the cold would signal to the rest of the spyware industry that even the most notorious mercenary spyware company..

...with a history of harming the US.

...and a mountain of abuses..

Can get a free pass.

It would defang US efforts to curb proliferation & bad behavior.
We asked David Friedman, the former US ambassador to Israel, who has been named exec chairman of the NSO Group holding company, whether he would try to get sanctions on NSO lifted. He said: “I hope that will be accomplished, but we haven’t made that request yet”. www.theguardian.com/technology/2...
Tech giants vow to defend users in US as spyware companies make inroads with Trump administration
Apple and WhatsApp say they’ll keep warning users if their phones are targeted by governments using hacking software against them
www.theguardian.com
November 10, 2025 at 7:18 PM
UPDATE: NSO just hired former Trump ambassador to Israel.

They're trying to push Pegasus spyware to 🇺🇸America.

Your rights and freedoms are in danger.

NSO Group is no friend to the US & has spent years undermining our security & values 1/
November 9, 2025 at 10:05 PM
YIKES: NSO floats Pegasus spyware used in hypothetical "time of domestic crisis" in 🇺🇸America.

I believe they won't stop lobbying until they get Pegasus into USA.

To hack Americans. 1/
November 7, 2025 at 8:36 PM
NEW: Paragon spyware hit a key Italian campaign manager / political strategist.

Super concerning case & a reminder that Italy has a growing pile of unexplained infections with Paragon's Graphite spyware.
NEW: The Paragon spyware scandal in Italy widens again.

A political consultant who works with left-wing politicians, who are part of the opposition party Partito Democratico, has now come out as the latest target.

"It is time to ask a very simple question: Why? Why me?" Francesco Nicodemos said.
Italian political consultant says he was targeted with Paragon spyware | TechCrunch
WhatsApp notified the consultant, who works for left-wing politicians, that his phone was targeted with spyware made by Paragon.
techcrunch.com
November 6, 2025 at 9:03 PM
Outages are impromptu seminars on where the internet actually lives.

On the syllabus: your favorite app's resilience & trust model.

Good thread from @signal.org's CEO.
📣THREAD: It’s surprising to me that so many people were surprised to learn that Signal runs partly on AWS (something we can do because we use encryption to make sure no one but you–not AWS, not Signal, not anyone–can access your comms).

It’s also concerning. 1/
PSA: we're aware that Signal is down for some people. This appears to be related to a major AWS outage. Stand by.
October 27, 2025 at 9:00 PM
I'm getting a lot of LLM-generated inbound.

Someone pushed a button forcing me to spend more time reading the message than they spent creating it.

Please, give me your authenticity, typos & bad grammar.
October 27, 2025 at 9:46 AM
POV: you can't sleep because Amazon is down.

Design thinking that inserts brittle dependence into our lives.

While extracting fees for life.

Don't be these guys.
October 21, 2025 at 9:57 AM
Today's Amazon outage should be a wakeup call.

We've put too many internet eggs into a single basket.
Your favorite thing is down because DynamoDB at Amazon's AWS US-EAST-1 Region woke up with Main Character Syndrome.

This is the default /legacy backbone for a ton of things.

Including Amazon's own stuff.

Massive outages.

Here's what's going on & what we know 1/
October 20, 2025 at 10:12 AM
Your favorite thing is down because DynamoDB at Amazon's AWS US-EAST-1 Region woke up with Main Character Syndrome.

This is the default /legacy backbone for a ton of things.

Including Amazon's own stuff.

Massive outages.

Here's what's going on & what we know 1/
October 20, 2025 at 9:24 AM
NEW: 🇰🇵DPRK has begun hiding malware on blockchain.

Result, decentralized, immutable malware.

Nearly impossible to remove.

Report cloud.google.com/blog/topics/...
October 18, 2025 at 5:48 PM
EW: 🇰🇵DPRK has begun hiding malware on blockchain.

Result, decentralized, immutable malware.

Nearly impossible to remove.

cloud.google.com/blog/topics/...
October 18, 2025 at 5:47 PM
NOW: US court permanently bans Pegasus spyware maker from hacking WhatsApp.

NSO Group can't help their customers hack WhatsApp etc. either. Must delete exploits & R&D.

Bad news for NSO. Huge competitive disadvantage for the notorious company.

Big additional win for WhatsApp 1 /
October 17, 2025 at 11:37 PM
Now we're seeing confirmation of the NSO acquisition.

Mark my words, this is the path through which Pegasus gets put on Americans' iPhones & Androids.

This dictatorship-in-a-box belongs nowhere near our constitutional rights.
SCOOP: Spyware maker NSO Group confirmed to us that the company has been acquired by a U.S. investment group.

NSO's spokesperson said the group "has invested tens of millions of dollars in the company and has acquired controlling ownership," but declined to say who is behind the investment.
Spyware maker NSO Group confirms acquisition by US investors | TechCrunch
NSO Group confirmed to TechCrunch that an unnamed group of American investors has taken “controlling ownership” of the surveillance tech maker.
techcrunch.com
October 10, 2025 at 3:58 PM
NEW: fresh trouble for mercenary spyware companies like NSO.

#Apple is launching fat bounties on the zero-click exploits that feed the supply chain behind products like Pegasus & Paragon's Graphite.

With bonuses, exploit developers can land $5 million payouts.

security.apple.com/blog/apple-s...
October 10, 2025 at 3:33 PM
NEW: Pegasus spyware coming to America?

An ex-Adam Sandler producer with ties to China is trying to acquire NSO Group.

Again.

Simonds fronted this before in 2023 & failed. But the backers haven't given up. Why?

Where is the money coming from? 1/

www.globes.co.il/news/article...
October 10, 2025 at 11:35 AM
NEW: cost to 'poison' an LLM and insert backdoors is relatively constant. Even as models grow.

Implication: security doesn't scale with LLMs.

Super interesting: Prior work had suggested that as model sizes grew, it would make them cost-prohibitive to poison. 1/
arxiv.org/pdf/2510.07192
October 9, 2025 at 4:56 PM