Zach Edwards
LightNews LightNews
banner
thezedwards.bsky.social
Zach Edwards
@thezedwards.bsky.social
1.3K followers 6.5K following 3.7K posts
data supply auditor | privacy & ad tech expert | internet threats

Personal @ victorymedium.com
Sr Threat Analyst @ SilentPush.com
Posts Replies Media Videos
thezedwards.bsky.social
fun to see my mom in this crowd shot from the No Kings rally in Houston featured by the Houston Chronicle @ www.houstonchronicle.com/projects/202...
Large crowd of people at the No Kings rally in Houston, includes signs and flags and a blue and red and white umbrella and several inflatable frogs
October 19, 2025 at 4:40 AM
thezedwards.bsky.social
I’ve got this 100+ year old copy of an old play about Abraham Lincoln’s life which was owned by someone named Alden Nash who had an interesting personal emblem that he screen printed & glued onto the cover page.

The play was shown at the Birmingham Repertory Theatre then the Hammersmith Playhouse.📚
Picture of a light blue book cover with a drawing of Abraham Lincoln and the text “Abraham Lincoln A Play By John Drinkwater” A book page with a large black box glued to it with a white border in the box - the text says “ExLibris Alden Nash” and there is a strange symbol in the middle which appears to be the personal emblem of this Nash individual. The symbol has a double cross on top of a circle with a N in part of the circle. The circle is split by a horizontal line and part of the vertical line of the cross above.
September 9, 2025 at 2:46 AM
thezedwards.bsky.social
Our team @silentpush just dropped a definitive look at SocGholish (operated by TA569) and the initial access broker ecosystem they are facilitating. Big thanks to past researchers who have worked on SocGholish! We've got details about our visibility @ www.silentpush.com/blog/socghol... 🖖🏻
Mind map of SocGholish (Operated by TA56) infection chains. The details are complex but explained in more detail on our blog post.
August 6, 2025 at 7:49 PM
thezedwards.bsky.social
This AI Agent from Cluep[.]com claims to scrape data from: Twitter, Youtube, Linkedin, Pinterest, Reddit, Tumblr and TikTok

They claim that they are scraping these networks then using "APIs" to further scrape "the user’s geographic coordinates, device type and demographic data"

how? WTF?
The agent ingested TikTok videos about fried chicken, LinkedIn posts riffing on halal pizza and Pinterest boards showcasing nights at the movies. Then, it dove deeper into the social platforms, deriving user information from their application programming interfaces (APIs). This data differed from platform to platform but often included the user’s geographic coordinates, device type and demographic data, Walia said.
May 21, 2025 at 4:24 PM
thezedwards.bsky.social
21 year-old money launderer for a $265 million crypto theft ring was helping members exchange crypto for cash and mailing $25k in cash through the mail put inside "Squishmallow" stuffed animals www.cnbc.com/amp/2025/05/... 🫧🐰
Image of a purple "Squishmallow" that is 10 inches called Bubbles the Bunny. It's an oval pillow looking thing that is purple with bunny ears and a white fluffy circle on the bottom that is the feed and a crown of flowers that are purple with pink center, white with purple center, and pink with white center and the eyes are shaped half circle with open smiling mouth
May 17, 2025 at 5:29 AM
thezedwards.bsky.social
It was an honor and a pleasure to speak at Bsides SF - totally love that they had an artist draw my presentation ⬇️
Colorful poster board with the text “a deep dive into triad nexus pig butchering and money laundering network” with additional graphics and details IMAX screen with the text “a deep dive into the triad nexus pig butchering and money laundering network”
April 27, 2025 at 11:58 PM
thezedwards.bsky.social
...and the “solution” is an easy “click fix” copy and paste trick, which leads to malware if the unsuspecting developer completes the process.
Screenshot of a website with blurred out image in the background and a pop-up that says "Access to your computer..." along with other details. A section of code is highlighted which if copy / pasted would execute malware on a computer.
April 24, 2025 at 7:44 PM
thezedwards.bsky.social
cheers ya it's an interesting definition. i played w/ Gemini awhile ago and confirmed it still doesn't give you lists of URls but if you click the "Retry with Google Search" it does..

any ruling broadly covering this search concept could impact Gemini - would also impact Programmable Search Engine
Screenshot of a conversation with Google Gemini where first person writes "Got any good URLs for sports?" Gemini responds "Sorry, I can't help search the web for URLs yet, but I'm still learning." Then the button "Retry with Google Search" is clicked and Google Gemini responds: Sure, here are some good URLs for sports: ESPN: https://www.espn.com/ - The World Wide Leader in Sports Sports Illustrated: https://www.si.com/ - The Sports Illustrated website Bleacher Report: https://bleacherreport.com/ - Sports news and highlights CBS Sports: https://www.cbssports.com/cbssports - Sports news, scores, and highlights Fox Sports: https://www.foxsports.com/ - Sports news, scores, and highlights NBC Sports: https://www.nbcsports.com/watch - Sports news, scores, and highlights The Athletic: https://www.nytimes.com/athletic/ - In-depth sports journalism The Ringer: https://www.theringer.com/ - Sports and pop culture commentary SB Nation: https://www.sbnation.com/ - A network of sports blogs Deadspin: https://deadspin.com/ - Sports and pop culture commentary
March 11, 2025 at 9:11 PM
thezedwards.bsky.social
The singular organization who has prevented WWIII for decades is being attacked by this administration. We're losing allies, losing trade deals and becoming less safe due to how these folks see Russia as allies and all our traditional allies as enemies. This is completely backwards global diplomacy.
Screenshot of Elon Musk saying "I agree" to a tweet from someone named Gunther Eagleman who wrote, "It's time to leave NATO and the U.N."
March 2, 2025 at 4:38 PM
thezedwards.bsky.social
I had to triple check this was accurate, that the President of the United States is endorsing three garbage crypto tokens tied to countless scandals, and likely untold numbers of investors got a heads up and made bank off the announcement. In the end, this will lose people money & hurt our country.
Post from President Donald J Trump on Truth Social which reads, "A U.S. Crypto Reserve will elevate this critical industry after years of corrupt attacks by the Biden Administration, which is why my Executive Order on Digital Assets directed the Presidential Working Gruop to move forward on a Crypto Strategic Reserve that includes XRP, SOL, and ADA. I will make sure the U>S. is the Crypto Capital of the World. We are MAKING AMERICA GREAT AGAIN!"
March 2, 2025 at 4:30 PM
thezedwards.bsky.social
X specifically setup bot defenses so that viewing tweets requires having an account. You can see in this video if you open a tweet in an incognito / non-logged-in state, then click "replies" you immediately are prompted w/ a login, then blocked from reading more.
February 1, 2025 at 7:29 PM
thezedwards.bsky.social
The top downloaded / viewed PDF across the .gov ecosystem yesterday was for the OPM forking memo @ www.opm.gov/media/cbklse... according to analytics.usa.gov
Screenshot of a table from the Federal Government's public Analytics account showing "Top Downloads" with the text "Top downloads played yesterday on U.S. Federal Government hostnames." with a link to "Download the data" and a dropdown that says "Yesterday" The first result under this is titled "Latest Memos from www.opm.gov with a download file link. It had 29,988 downloads. The second is "About Form W-9, Request for Taxpayer identification Number and Certification.." from irs.gov which has 26k downloads. The next is a UCIS Employment eligibility form with 23k downloads and then just ucis or IRS downloads going from 17k to 13k to 13k to 12k to 11k to 11k to 11k
January 31, 2025 at 2:22 AM
thezedwards.bsky.social
... to connect up their criminal client websites through a series of CNAME records they control, which are then mapped to hundreds of IP addresses that are hosted at a variety of providers.

You can see this DNS data flow via the chart attached:
Screenshot of a mind map. On the left is the detail "FUNNULL customer hostname" connected by "CNAME" to 6 domains that look like fn01[.]vip and funnull[.]vip with slight variations on numbers on the other 4. This chain is connected by another "CNAME" line into 3 additional CNAME records, for fn301[.]vip + fnvip100[.]com + funnull10[.]com and then those records are connected with a line that says "A" for "DNS A records" and then that is connected to a line that says "FUNNULL's POP IP addresses" This is a flow how how websites stay online in FUNNULL CDN Infrastructure
January 30, 2025 at 7:52 PM
thezedwards.bsky.social
You can see this exact same behavior on their app-ads.txt file @ www.nytimes.com/app-ads.txt -- all DIRECT accountIDs, all owned by NYtimes directly.

If you are a publisher, this is the best way to prevent 3rd parties from selling your user data. But it's also complex and requires a big team.
Screenshot of the NYTimes app-ads.txt file. Text includes: OWNERDOMAIN=nytimes.com # Index Exchange # Updated 10/26/2023 by JT indexexchange.com, 184733, DIRECT #OB # Magnite # Updated 10/26/2023 by JT rubiconproject.com, 17470, DIRECT #OB # PubMatic # Updated 10/26/2023 by JT pubmatic.com, 158573, DIRECT, 5d62403b186f2ace #OB # Google google.com, pub-4177862836555934, DIRECT, f08c47fec0942fa0 # Media.net # Updated 2/21/2024 by JT Media.net, 8CU4XCJ1B, DIRECT #OB # OpenX # Updated 2/21/2024 by JT openx.com, 539052954, DIRECT, 6a698e2ec38604c6 #OB # TripleLift # Updated 2/21/2024 by JT triplelift.com, 746-EB, DIRECT, 6c33edb13117fd86 #OB triplelift.com, 746, DIRECT, 6c33edb13117fd86 #OB # Adswizz adswizz.com, 463, DIRECT
January 10, 2025 at 1:57 AM
thezedwards.bsky.social
All websites and apps need to appreciate that all vendors they list within their ads.txt + app-ads.txt are being given enough data about your users to sell it. That's why really serious orgs who really know what the fuck is going on with the bid stream like the NYTimes, have ZERO 3rd party vendors:
Screenshot of the Nytimes.com ads.txt file located at https://www.nytimes.com/ads.txt - the screenshot contains ad tech domains separated by an accountID after a comma, and then another reference for "DIRECT" which is highlighted throughout the page. There are 29 lines that mention "DIRECT" and a similar number of ad tech domains listed.
January 10, 2025 at 1:57 AM
thezedwards.bsky.social
What annoys me the most about this beyond the macro privacy concerns of RTB? It's 2025 & app companies who have faced some of the biggest data privacy scandals in the world are still responding to reporters and sharing their "list of data partners" without including a link to their app-ads.txt file.
Text from the Wired / 404 report with the text "A Grindr spokesperson told 404 Media in an email that “Grindr has never worked with or provided data to Gravy Analytics. We do not share data with data aggregators or brokers and have not shared geolocation with ad partners for many years. Transparency is at the core of our privacy program, therefore the third parties and service providers we work with are listed here on our website.” Grindr was previously found to have allowed data brokers to obtain its users’ location data."
January 10, 2025 at 1:57 AM
thezedwards.bsky.social
imo it's really important to not muddle that Apple settled this case because Siri can unintentionally record conversations *but* Apple also said numerous times that the lawsuit's argument of "and the audio data was sold + used for ads" was basically laughable... Apple doesn't admit to this! ⤵️
Apple repeatedly moved to dismiss the suit, arguing that "there are no facts, much less plausible facts, that tie Plaintiffs’ receipt of targeted ads to their speculation that Siri must have been listening to their conversations, and Apple must have used Siri to facilitate targeted ads by third parties." Through the settlement agreement, Apple ultimately agreed that Siri unintentionally recorded private conversations and is likely hoping the settlement will finally end the controversy for good.
January 2, 2025 at 8:24 PM
thezedwards.bsky.social
Our team believes that threat actors abusing cracked versions of Acunetix is a new threat vector for numerous enterprise organizations. Keep your eyes peeled for that scanner hitting your endpoints!
Screenshot of computer terminal with numerous "GET and POST" requests to a variety of API / endpoints with "404" after some and "200" after others
December 19, 2024 at 6:02 PM
thezedwards.bsky.social
Our team was able to acquire additional details about how Araneida works, and can report that the threat actors behind this are openly bragging in a Telegram channel about how many successful attacks the software has facilitated.

You can see the interface here in this video.
December 19, 2024 at 6:02 PM
thezedwards.bsky.social
The most prominent effort to abuse a cracked copy of Acunetix is a tool called “Araneida scanner” – this was first mentioned publicly last year as having the SSL certificate from Acunetix from Chris Duggan at TLP R3D Intelligence Ltd.
Screenshot of the tweet from @ x[.]com/TLP_R3D/status/1665777020767293447 with the text 1/2 🕵️‍♂️💻 Stellar insight from @FalconFeedsio on Araneida - the scanner & dumper tool. The intriguing "Araneida Customer Panel" spotted on Shodan has got us digging deeper! 🌐🔍 We've got a lineup of 10 IPs featuring a sleek login panel: 🔹181.214.147.41 🔹181.214.147.110 🔹181.214.147.28 🔹181.214.147.111 🔹181.214.147.91 🔹181.214.147.115 🔹181.214.147.123 🔹181.214.147.132 🔹91.244.197.169 🔹181.214.147.40 A curious find: A self-signed cert dubbed "Acunetix Web Vulnerability Scanner" - an enigma.🔐🤔 Furthermore, the login panel leads to a ghost domain araneida[.]io, which remains unhosted. The plot thickens... #Pentesting #Araneida
December 19, 2024 at 6:02 PM
thezedwards.bsky.social
100% of the domains launched from this campaign are hosted across 2 IP addresses -- and there are dozens of similarly named domains mapped to these IP addresses.
Screenshot of the Silent Push interface for the IP range 185.147.124[.]110 -- the screenshot includes rows and columns in dark black and grey with a list of domains in the left column that look similar.
December 13, 2024 at 9:43 PM
thezedwards.bsky.social
Across this network, we found targeted brands include:
Etsy
Allegro
AliExpress
Amazon
ASOS[.]com
Best Buy
Binance
Costco Wholesale
eBay
Flipkart
Kraken Digital Asset Exchange
Rakuten
Shopee
Temu
TikTok
Wayfair
Wish
Screenshot of a malicious phishing website with the "eBay" logo in the top left. A list of "Sports & outdoor" products are visible. Screenshot of a malicious phishing website with the "Best Buy" logo in the top left. The rest of the content includes pictures of electronics products and a menu for navigation.
December 11, 2024 at 6:02 PM
thezedwards.bsky.social
fwiw Twitter has non-disclosed advertising logic associated w/ popular tweets -- on accounts with larger threads &/or maybe some view threshold, that's when the ad auction triggers under it - and it's a keyword auction which can be problematic in times like these. If X changes reverses this ban 💸➡️🗑️
Screenshot of a Twitter thread with the original tweet from "Derek Guy" the menswear blogger who has a profile photo that is a black and white picture of his headshot. The text says "has this guy ever worn the same jacket twice?" and there are four pictures of the person accused of killing the United Healthcare CEO. The thread has a red box around the text from Derek and also a red box around an advertisement below one additional reply in the Twitter thread. The advertisement is from a company that makes varsity letter jackets, and the text of the ad is "Build your own custom varsity letterman jacket!"
December 10, 2024 at 1:28 AM
thezedwards.bsky.social
Very sad stuff. These librarians helped me research my grandpa about 7 years ago & helped me find this picture in their archives. My grandpa "Dexter Haven" worked at NASA in the 60's and 70's and was the Chairman of the Manned Space Center Bond Campaign raising money for the Apollo mission. 🚀🌕
Black and white photo of four men, one in a military uniform. The text reads, "Bond kickoff - Congressional Medal of Honor winner Ssft Charles B. Morris, right, was featured speaker at the May 3 MSC Savings Bond Campaign kickoff meeting of division canvassers. Morris earned the CMH during a search-and-destroy mission in Vietnam in which he was wounded four times while assisting other wounded men in his squad and defending the group's position. Others at the kickoff table are, left to right, MSC Bong campaign chairman Dexter Haven, US Treasury Savings Bong area manager Harry Dedeaux, MSC Director of Administration Philip H. Whitbeck and Morris."
December 4, 2024 at 1:06 AM
thezedwards.bsky.social
I'm a big fan of the recent FTC actions against data brokers -- but just a reminder: to my knowledge neither Gravy Analytics, Venntel OR Mobilewalla have approved access to the advertising bid stream, yet they somehow acquire billions of mobile advertising data points for sale. Who is their source?
Screenshot with the text: Data powering the surveillance state Venntel’s data is reportedly used by the powerful and controversial surveillance company Babel Street to power its product Locate X, which sells data locations so precise that it makes it possible for anyone to track individuals' visits to highly sensitive locations such as abortion clinics. Gravy Analytics and Venntel say they gather more than 17 billion signals from about a billion smartphones every day, in part by obtaining the information from other data suppliers, the FTC said. The location data the companies sell is not anonymized and can easily be used to identify individuals, according to the FTC’s complaint.
December 3, 2024 at 11:28 PM