extortion

Popular AI “nudify” sites sued amid shocking rise in victims globally

ai sex images, California, child sexual abuse materials, csam, Deepfakes, deepnudes, extortion, non-consensual intimate imagery, nudify site, Policy, undress sites / Paul Patrick / August 16, 2024

San Francisco’s city attorney David Chiu is suing to shut down 16 of the most popular websites and apps allowing users to “nudify” or “undress” photos of mostly women and girls who have been increasingly harassed and exploited by bad actors online.

These sites, Chiu’s suit claimed, are “intentionally” designed to “create fake, nude images of women and girls without their consent,” boasting that any users can upload any photo to “see anyone naked” by using tech that realistically swaps the faces of real victims onto AI-generated explicit images.

“In California and across the country, there has been a stark increase in the number of women and girls harassed and victimized by AI-generated” non-consensual intimate imagery (NCII) and “this distressing trend shows no sign of abating,” Chiu’s suit said.

“Given the widespread availability and popularity” of nudify websites, “San Franciscans and Californians face the threat that they or their loved ones may be victimized in this manner,” Chiu’s suit warned.

In a press conference, Chiu said that this “first-of-its-kind lawsuit” has been raised to defend not just Californians, but “a shocking number of women and girls across the globe”—from celebrities like Taylor Swift to middle and high school girls. Should the city official win, each nudify site risks fines of $2,500 for each violation of California consumer protection law found.

On top of media reports sounding alarms about the AI-generated harm, law enforcement has joined the call to ban so-called deepfakes.

Chiu said the harmful deepfakes are often created “by exploiting open-source AI image generation models,” such as earlier versions of Stable Diffusion, that can be honed or “fine-tuned” to easily “undress” photos of women and girls that are frequently yanked from social media. While later versions of Stable Diffusion make such “disturbing” forms of misuse much harder, San Francisco city officials noted at the press conference that fine-tunable earlier versions of Stable Diffusion are still widely available to be abused by bad actors.

In the US alone, cops are currently so bogged down by reports of fake AI child sex images that it’s making it hard to investigate child abuse cases offline, and these AI cases are expected to continue spiking “exponentially.” The AI abuse has spread so widely that “the FBI has warned of an uptick in extortion schemes using AI generated non-consensual pornography,” Chiu said at the press conference. “And the impact on victims has been devastating,” harming “their reputations and their mental health,” causing “loss of autonomy,” and “in some instances causing individuals to become suicidal.”

Suing on behalf of the people of the state of California, Chiu is seeking an injunction requiring nudify site owners to cease operation of “all websites they own or operate that are capable of creating AI-generated” non-consensual intimate imagery of identifiable individuals. It’s the only way, Chiu said, to hold these sites “accountable for creating and distributing AI-generated NCII of women and girls and for aiding and abetting others in perpetrating this conduct.”

He also wants an order requiring “any domain-name registrars, domain-name registries, webhosts, payment processors, or companies providing user authentication and authorization services or interfaces” to “restrain” nudify site operators from launching new sites to prevent any further misconduct.

Chiu’s suit redacts the names of the most harmful sites his investigation uncovered but claims that in the first six months of 2024, the sites “have been visited over 200 million times.”

While victims typically have little legal recourse, Chiu believes that state and federal laws prohibiting deepfake pornography, revenge pornography, and child pornography, as well as California’s unfair competition law, can be wielded to take down all 16 sites. Chiu expects that a win will serve as a warning to other nudify site operators that more takedowns are likely coming.

“We are bringing this lawsuit to get these websites shut down, but we also want to sound the alarm,” Chiu said at the press conference. “Generative AI has enormous promise, but as with all new technologies, there are unanticipated consequences and criminals seeking to exploit them. We must be clear that this is not innovation. This is sexual abuse.”

Inside a violent gang’s ruthless crypto-stealing home invasion spree

Biz & IT, Cryptocurrency, extortion, Security, syndication / Kris Guyer / June 29, 2024

brutal extortion —

More than a dozen men threatened, assaulted, tortured, or kidnapped 11 victims.

Andy Greenberg and Matt Giles, WIRED.com – Jun 29, 2024 10: 55 am UTC

photo illustration of Cyber thieves stealing Bitcoin on laptop screen

Cryptocurrency has always made a ripe target for theft—and not just hacking, but the old-fashioned, up-close-and-personal kind, too. Given that it can be irreversibly transferred in seconds with little more than a password, it’s perhaps no surprise that thieves have occasionally sought to steal crypto in home-invasion burglaries and even kidnappings. But rarely do those thieves leave a trail of violence in their wake as disturbing as that of one recent, ruthless, and particularly prolific gang of crypto extortionists.

The United States Justice Department earlier this week announced the conviction of Remy Ra St. Felix, a 24-year-old Florida man who led a group of men behind a violent crime spree designed to compel victims to hand over access to their cryptocurrency savings. That announcement and the criminal complaint laying out charges against St. Felix focused largely on a single theft of cryptocurrency from an elderly North Carolina couple, whose home St. Felix and one of his accomplices broke into before physically assaulting the two victims—both in their seventies—and forcing them to transfer more than $150,000 in bitcoin and ether to the thieves’ crypto wallets.

In fact, that six-figure sum appears to have been the gang’s only confirmed haul from its physical crypto thefts—although the burglars and their associates made millions in total, mostly through more traditional crypto hacking as well as stealing other assets. A deeper look into court documents from the St. Felix case, however, reveals that the relatively small profit St. Felix’s gang made from its burglaries doesn’t capture the full scope of the harm they inflicted: In total, those court filings and DOJ officials describe how more than a dozen convicted and alleged members of the crypto-focused gang broke into the homes of 11 victims, carrying out a brutal spree of armed robberies, death threats, beatings, torture sessions, and even one kidnapping in a campaign that spanned four US states.

In court documents, prosecutors say the men—working in pairs or small teams—threatened to cut toes or genitalia off of one victim, kidnapped and discussed killing another, and planned to threaten another victim’s child as leverage. Prosecutors also describe disturbing torture tactics: how the men inserted sharp objects under one victim’s fingernails and burned another with a hot iron, all in an effort to coerce their targets to hand over the devices and passwords necessary to transfer their crypto holdings.

“The victims in this case suffered a horrible, painful experience that no citizen should have to endure,” Sandra Hairston, a US attorney for the Middle District of North Carolina who prosecuted St. Felix’s case, wrote in the Justice Department’s announcement of St. Felix’s conviction. “The defendant and his coconspirators acted purely out of greed and callously terrorized those they targeted.”

The serial extortion spree is almost certainly the worst of its kind ever to be prosecuted in the US, says Jameson Lopp, the cofounder and chief security officer of Casa, a cryptocurrency-focused physical security firm, who has tracked physical attacks designed to steal cryptocurrency going back as far as 2014. “As far as I’m aware, this is the first case where it was confirmed that the same group of people went around and basically carried out home invasions on a variety of different victims,” Lopp says.

Lopp notes, nonetheless, that this kind of crime spree is more than a one-off. He has learned of other similar attempts at physical theft of cryptocurrency in just the past month that have escaped public reporting—he says the victims in those cases asked him not to share details—and suggests that in-person crypto extortion may be on the rise as thieves realize the attraction of crypto as a highly valuable and instantly transportable target for theft. “Crypto, as this highly liquid bearer asset, completely changes the incentives of doing something like a home invasion,” Lopp says, “or even kidnapping and extortion and ransom.”

Inside a violent gang’s ruthless crypto-stealing home invasion spree Read More »

Men plead guilty to aggravated ID theft after pilfering police database

Biz & IT, doxxing, extortion, Identity theft, Security / Kris Guyer / June 19, 2024

GUILTY AS CHARGED —

Members of group called ViLE face a minimum of two years in prison.

Dan Goodin – Jun 18, 2024 8: 30 pm UTC

Two men have pleaded guilty to charges of computer intrusion and aggravated identity theft tied to their theft of records from a law enforcement database for use in doxxing and extorting multiple individuals.

Sagar Steven Singh, 20, and Nicholas Ceraolo, 26, admitted to being members of ViLE, a group that specializes in obtaining personal information of individuals and using it to extort or harass them. Members use various methods to collect social security numbers, cell phone numbers, and other personal data and post it, or threaten to post it, to a website administered by the group. Victims had to pay to have their information removed or kept off the website. Singh pled guilty on Monday, June 17, and Ceraolo pled guilty on May 30.

Impersonating a police officer

The men gained access to the law enforcement portal by stealing the password of an officer’s account and using it to log in. The portal, maintained by an unnamed US federal law enforcement agency, was restricted to members of various law enforcement agencies to share intelligence from government databases with state and local officials. The site provided access to detailed nonpublic records involving narcotics and currency seizures and to law enforcement intelligence reports.

Investigators tied Singh to the unlawful access after he logged in with the same IP address he had recently used to connect to a social media site account registered to him, prosecutors said in charging papers filed in March 2023. Prosecutors said Singh also threatened to harm one victim’s family unless the victim, referred to as Victim-1 in court papers, turned over credentials for an Instagram account.

“In order to drive home the threat, Singh appended Victim-1’s social security number, driver’s license number, home address, and other personal details,” prosecutors wrote. “Singh told Victim-1 that he had ‘access to [] databases, which are federal, through [the] portal, I can request information on anyone in the US doesn’t matter who, nobody is safe.’” The defendant ultimately directed Victim-1 to sell Victim-1’s accounts and give the proceeds to Singh.

The criminal complaint went on to allege that Ceraolo used a compromised email account belonging to a Bangladeshi police official to email account to pose as a Bangladeshi police official to contact US-based social media companies and ask them for personal information belonging to certain users under the false pretense that the users were committing crimes or were in life-threatening danger. In one case, one of the social media companies complied. The pair then used the data belonging to victims to extort them in exchange for not publishing it.

On a different occasion, the pair used the compromised email account to request user information from a different social media company after claiming that the user had sent bomb threats, distributed child abuse images, and threatened officials of a foreign government. The social media company ultimately refused and later posted on X (formerly Twitter) that it had identified the fraudulent request.

Both defendants face a minimum sentence of two years in prison and a maximum of seven years. The date of sentencing isn’t immediately known.

Men plead guilty to aggravated ID theft after pilfering police database Read More »