Vue lecture

ICE to Pay Thomson Reuters $125 Million to Find ‘Voter Fraud’

ICE to Pay Thomson Reuters $125 Million to Find ‘Voter Fraud’

The Department of Homeland Security (DHS) plans to pay data broker giant Thomson Reuters $125 million for access to its databases of personal data — which includes peoples’ names, addresses, Social Security numbers, ethnicity, social media posts, and geolocation information — to help Immigration and Customs Enforcement (ICE) investigate what it describes as “voters fraud” and immigration fraud, according to procurement documents reviewed by 404 Media. The document says Thomson Reuters is able to let ICE continuously monitor millions of people and entities of interest.

The news comes after President Trump held a conspiracy-laden and unhinged press conference about election security on Thursday, setting the stage for potentially undermining the legitimacy of the upcoming midterm elections. It also follows ICE fatally shooting 2 people in a week. 

“Due to ICE’s re-prioritized mission, there is need for this data to be readily accessible to support the presidential mandate of the identification of Voters Fraud, Immigration Fraud and National Security,” the procurement document reads. “This data specifically validates and verifies school, benefit, immigration and other eligibility requirements.”

💡
Do you work at Thomson Reuters? Do you know about any other data sales like this? I would love to hear from you. Using a non-work device, you can message me securely on Signal at joseph.404 or send me an email at joseph@404media.co.

Thomson Reuters is most well known for running the Reuters news agency, but the company is also a massive data broker and sells access to that data to companies and governments. Its data product, called CLEAR, promises to “Accelerate investigations confidently through a vast collection of public and proprietary records,” according to Thomson Reuters’ website

Thomson Reuters lists some of the data sources that feed into CLEAR, and 404 Media has obtained an internal list. It includes credit header data, which is the personal information someone provides to a financial institution to open a credit card like their address, which goes to the credit bureaus and then transferred to Thomson Reuters. The procurement document also says it includes social media, property records, geolocation information, license plate data, and more.

The planned sale is specifically with Thomson Reuters Special Services (TRSS), a subsidiary which often handles Thomson Reuters’ government contracts. The document says TRSS offers embedded data scientists to clients who are cleared up to a Top Secret/SCI [Sensitive Compartmented Information] level. The plan is to pay the company $25 million a year over the next five years, totaling $125 million.

Parts of DHS have previously accessed CLEAR data, and 404 Media has reported on internal ICE documents which say it is integrated with Palantir’s tool for finding neighborhoods to raid. But the new document stresses that ICE has such a high need for this data, that it is planning to spend more than a hundred million dollars on another form of access to it.

ICE to Pay Thomson Reuters $125 Million to Find ‘Voter Fraud’
ICE to Pay Thomson Reuters $125 Million to Find ‘Voter Fraud’

Screenshots of the document.

“The importance of TRSS owning the proprietary data makes it essential for quality control to ICE. The access to that data after it is passed through another vendor serving as the prime contractor is included as part of ICE’s current contract, the data support request that ICE has in the past years for CLEAR data is significant, this year it has multiplied based on the urgency to identify Unaccompanied minors and individual involved in any type of fraud of government funds,” it continues. 

“Access to the same volume of data that is owned by TRSS through other companies that offer the services will sustain in [sic] additional cost to ICE because of the transactional fees they will incur in obtaining the data,” it adds.

The document says that TRSS is the only company able to offer access to the data in “batch.” Another section reads, “TRSS is the only contractor able to provide ICE with a continuous monitoring and alert service for millions of individuals and entities of interest, this is essential for national security purposes.”

In a previous statement to 404 Media about ICE’s earlier access to CLEAR data, Thomson Reuters said, “It’s inaccurate to connect CLEAR to ICE and its deportation and enforcement operations.” When 404 Media contacted the company on Thursday and sent the new procurement document which describes ICE wanting the data for voter fraud and immigration fraud enforcement, the company provided a new statement: “We prohibit the use of CLEAR for the purpose of identifying and locating noncriminal immigrants or undocumented individuals with the intention of deportation solely on the basis of the individual’s immigration status. We take this restriction seriously, and we enforce it.”

“We continue to work with our customers to provide technology and services that support investigations into areas of national security and public safety, such as child exploitation, human trafficking, narcotics and weapons trafficking, and fraud/financial crime,” the statement added. The company also said, “Immigration status is not a search field in CLEAR.”

Thomson Reuters previously fired a longstanding employee after they spoke out about the company selling data products to ICE. 404 Media previously reported ICE invited staff to demos of a license plate reader app from Motorola that can be enhanced by CLEAR data.

Emma Pullman, head of shareholder engagement and responsible investment for the B.C. General Employees’ Union (BCGEU), which is a minority shareholder in Thomson Reuters, said, “Thomson Reuters has given shareholders, employees, and the media inconsistent and shifting accounts of the nature of its ICE contracts. TRSS latest ICE contract is the first to include voter fraud that we are aware of, and we intend to press the company, alongside other investors, for clarity on this contract.”

Update: This piece has been updated to include comment from Emma Pullman.

  •  

How Cops Use Flock to Track People, Not Cars

How Cops Use Flock to Track People, Not Cars

Police departments around the country have used Flock cameras at least hundreds of times to search for specific people, not cars, using searches such as “heavy-set male with a black and white hat,” “person on skateboard,” and “person wearing orange vest and construction hat,” according to data reviewed by 404 Media. Sometimes searches reference a target’s race or signs of their political affiliation.

The searches highlight that while most people associate Flock cameras with scanning license plates and tracking vehicles, some of the cameras are also capable of following the movements of particular people or groups of people. Flock’s nationwide network of cameras lets police officers in one state search for a vehicle across many other states at once; the people searches do a similar thing, typically on a smaller scale, sometimes querying many hundreds of cameras at once. These are called “FreeForm” searches, and allow cops to use Flock’s system as though they would use a search engine, with Flock’s AI and image recognition interpreting what footage and which people are relevant to a police officer’s search.

  •  

Podcast: We Are Living in a ‘ChatGPT Flyer Pandemic’

Podcast: We Are Living in a ‘ChatGPT Flyer Pandemic’

We start this week with Jason’s story about the ChatGPT flyer pandemic. They’re everywhere! Thank you to the readers and listeners who sent in their own examples. After the break, Sam tells us how Waymo snitched on kids and drove them to a group of waiting cops. In the subscribers-only section, Joseph explains why he bought a $3,000 suit that electrocutes your muscles. Yep.

Listen to the weekly podcast on Apple Podcasts, Spotify, or YouTube. Become a paid subscriber for access to this episode's bonus content and to power our journalism. If you become a paid subscriber, check your inbox for an email from our podcast host Transistor for a link to the subscribers-only version! You can also add that subscribers feed to your podcast app of choice and never miss an episode that way. The email should also contain the subscribers-only unlisted YouTube link for the extended video version too. It will also be in the show notes in your podcast player.

  •  

I Bought the $3,000 Fitness Suit That Electrocutes You. I’m Sending It Back

I Bought the $3,000 Fitness Suit That Electrocutes You. I’m Sending It Back

Putting on the $3,000 Katalyst suit is like sliding around with an electric eel. First you lay out the vest, shorts, and arm straps (on a towel if you don’t want to make a mess) and spray their electrode pads with a lot of water. “More water is better,” Katalyst’s CEO Brendan Kennedy told me. You then clip the vest and shorts together, creating a single, dripping suit. After wrapping those around your body and zipping up, you put on the arm straps and connect them to the main suit with a pair of delicate cables. You slip a battery pack into a pocket near your thigh, snap its magnetic plugs to the vests and shorts, and you’re ready to work out, soaking wet and maybe cold if you took too long to assemble the contraption.

🖥️
404 Media is an independent website whose work is written, reported, and owned by human journalists and whose intended audience is real people, not AI scrapers, bots, or a search algorithm. Sign up to support our work and for free access to this article. Learn why we require this here.

The pitch is that Katalyst will essentially supercharge your workouts. The suit electrocutes your muscles while you do basic movements alongside a virtual instructor in the accompanying app. Think lunges, squats, and the movement of a deadlift. You can get the equivalent of a 2 hour strength session in just 20 minutes, Katalyst says. George Clooney has praised the suit, telling Esquire “my arms are twice the size they’ve ever been. It’s crazy.” Bloomberg Businessweek has covered the suit too, writing, “here’s the thing: The Katalyst suit worked.”

I already own a bunch of exercise and wellness tech, from smart swimming goggles to the Oura ring. I often plan my workout time as efficiently as I can. That’s one reason why my main form of exercise is rowing, which uses a lot of muscles at once, and why I sometimes wear resistance gloves during swimming to squeeze out as much benefit as possible. So, as a tool that promised super-efficient sessions even if the price tag is obviously insane, I really wanted to like Katalyst. I thought it might be the secret to finally branching out from rowing and swimming to more strength-focused routines.

But it wasn’t. It gave me pins and needles in my feet for days at a time and made my limbs numb and cold, derailed my other workouts, and it simply wasn’t fun in the way good and long-lasting exercise habits ideally should be. Instead, slipping into the $3,000 cyber suit for around a month made me reassess my obsession with fitness, optimization, and efficiency. It made me consider which of those concepts were actually helping me, and which were ultimately holding me back. What the fuck am I even doing? I eventually thought to myself, dripping water all over my apartment floor.

I wasn’t the only one. “Legit you are the craziest person I know,” 404 Media’s Emanuel Maiberg said after I sent a photo of the soaking wet suit to our group chat. They compared me to an Infinite Jest character, with Sam Cole saying “we’re laughing IRL over here.” Jason Koebler added: “As your friends and colleagues and cofounders. This is not normal. The bit has gone too far.” 

I Bought the $3,000 Fitness Suit That Electrocutes You. I’m Sending It Back
I Bought the $3,000 Fitness Suit That Electrocutes You. I’m Sending It Back

Images: 404 Media.

Katalyst is an electro muscle stimulation, or EMS, suit. The pads send electrical pulses that make your muscles contract. At first, as the suit and app ramp you into a workout, the pulses feel like a light tingling sensation. Then, a solid block of electricity across your arms, legs, and abs. You wet the pads, and sometimes the base layer of shorts and a long-sleeve t-shirt, because the water helps conductivity between the electrode and your skin, Katalyst says.

“That was absolutely insane,” I texted the rest of 404 Media after my first workout.

At some points, your limbs may lock in place due to the intensity of the blast. I tweaked my settings so I could complete the movements fully and with a good amount of difficulty and resistance, while not completing locking my legs or arms out. The app encourages and makes this easy to do: during a workout there are buttons in the app you can quickly press to increase or turn down the intensity of the pulses. The instructor in the pre-recorded video will often bring up the power during the workout to reach an electrocuting crescendo. It can take a few of the recommended three or so workouts a week to find your ideal baseline.

Katalyst’s instructors recommend you breathe out while the suit pulses. You perform a squat, or a lunge, or another movement for four seconds while the suit shocks you. Then you rest for four seconds. You keep doing that through different motions and intensities. In 20 minutes, the workout is over. 

This timesave is obviously the big attraction of the Katalyst; the idea that you can somehow squeeze hours of work into mere minutes without even leaving your home. “I'd been trying to go back to the gym a dozen times over the preceding 2-3 years with no luck. The time savings/mental ease of EMS training really is a blessing,” AustinAfter40, a YouTuber who makes EMS-related videos, told me in an email. Within the first few months of getting an EMS suit in 2023, Austin says he gained 10 pounds of muscle. In the years since that’s gone up to 20 pounds, without, Austin says, really touching anything heavier than a 15lb dumbbell. “My bone density has increased significantly, body fat has lowered, and back pain I've dealt with much of my life is now a distant memory,” he says.

I Bought the $3,000 Fitness Suit That Electrocutes You. I’m Sending It Back
I Bought the $3,000 Fitness Suit That Electrocutes You. I’m Sending It Back
I Bought the $3,000 Fitness Suit That Electrocutes You. I’m Sending It Back

Images: 404 Media.

If you scroll the Katalyst subreddit, you find many people saying much the same thing. But navigating the world of EMS can feel like the Wild West. Austin makes money from his EMS-related videos with affiliate links, so viewers need to keep that in mind when watching whatever suit he is currently making videos about even if the information is sincere and helpful (he has since moved onto TitanBody, a Katalyst competitor). The intensity and metrics of EMS suits are not standardized, so you don’t really know what you’re getting. An intensity rating of, say, 200 on a Katalyst is probably not going to be the same on a TitanBody suit. Or a VisionBody suit. Or any of the other EMS suit companies that have clearly bought Google Search ad space when you look for anything EMS-related. 

Katalyst is FDA-cleared. That is not the same as FDA-approved. The Katalyst suit falls into Class II of the FDA’s different groups for devices, putting it in the moderate risk category. Being cleared means Katalyst can sell the suit, but the FDA is not saying everyone should slip it on.  

On the Katalyst subreddit, people have historically complained about the company’s customer service or suit delivery times (the customer service was very good for me, with a dedicated Zoom call to talk through the issues I was facing). Kennedy, through his company Mont y Mer, acquired Katalyst in 2025. He said the previous CEO and Katalyst’s founder, Bjoern Woltermann, had “essentially bankrupted the company twice in six years,” and had taken orders and payment from more than 1,000 customers but hadn’t created any suits. Kennedy said he then went around the world meeting with different suppliers to produce those original 1,000 suits. For me, it took around five months for my suit to arrive when I ordered it in 2025. Kennedy said Katalyst has inventory now and has “sort of solved that problem.” Woltermann acknowledged a request for comment but did not provide a response in time for publication.

Beyond the anecdotal, the science suggests EMS suits can work. Professor Yong-Seok Jee at Hanseo University, who has researched EMS, told me in an email that while athletes often use EMS to target specific muscle groups, he says the suits can also help normal people. Like me, presumably. “For non-athletes or the general population, EMS can be particularly useful as a time-efficient and low-impact training option, especially for beginners, older adults, or individuals with limited mobility,” he continued. 

But EMS is not some magic tool you can use instead of actually working out and exercising normally. “That said, EMS is not a shortcut or replacement for exercise. Its effectiveness depends heavily on appropriate intensity, supervision, and program design, and there are safety considerations (e.g., avoiding excessive stimulation),” Jee said.

Casey Johnston, who runs the lifting-focused newsletter She’s a Beast and author of A Physical Education, told me in an email Katalyst is “definitely in no way a replacement or even effective complement to strength training.” 

“If anything, similar to the drag suit argument, wearing a thing like the Katalyst would probably hamper your ability to effectively learn strength training movements and form, which is a huge cornerstone of translating strength to real life, before it would be additive in any meaningful way with, I can't put enough quotes, ‘muscle stimulation,’ or whatever term they use,” she added.     

“This suit looks like the biggest scam I’ve ever seen,” Johnston wrote. She pointed to the Relaxacisor, a device from 1949 that blasted your abs with electrical pulses. “This thing is no different, and equally scammy,” Johnston said.

I Bought the $3,000 Fitness Suit That Electrocutes You. I’m Sending It Back
I Bought the $3,000 Fitness Suit That Electrocutes You. I’m Sending It Back

Screenshots of the app.

I didn’t want to replace my current exercise regime of rowing and swimming five or six times a week with the Katalyst. I wanted to slot it in. I’ve repeatedly injured myself with various strength routines, to the point where I’ve had to do physical therapy and had medical procedures done, so I wanted Katalyst to supplement my existing exercise and get more strength in there. That didn’t work.

First, obviously, you ache after blasting yourself with electricity. So much so that you (wisely) need to rest, but also so much so that you can’t then row or swim, even at a lower level. So I found myself not doing the two forms of exercise I love and get great joy from and which have drastically improved my health over the years. 

Next, I started to essentially injure myself with the suit. I often got pins and needles in my hands and feet. One of the instructors in the app said pins and needles in your hands can happen and should go away quickly. But mine would last for hours, and my feet multiple days. Then my limbs would feel numb and I would be incredibly cold, so much I would start sneezing. Kennedy told me getting pins and needles for this long was “extremely abnormal.” I took his advice of wetting the pads even more, and even the base layer you put on. I also did some workouts without the arms turned on at all. That stopped the issue with my hands at least.

But it still wasn’t working for me, mentally. It made me think what was I even doing this for. To be efficient for efficiency’s sake? 

There is something lost when you favor efficiency above all else. You lose the joy of just moving in a way that feels good. You lose embracing the process of exercise itself when trying to make the time spent as short as possible. You lose sight of your actual goal with exercise, which for me is to keep active and healthy, not get insanely jacked. You lose that state of everything fading away, your mind clearing, endorphins flowing, and nothing else existing but your body moving without you even thinking about it. What runners call the runners’ high, or what I get in rowing when I’m on a longer workout. Maybe some people do get that or feel good with EMS suits. The in-app instructors said you might. I know I didn’t get it with Katalyst.

  •  

Companies Are Throttling Employees’ AI Use Because It’s Too Expensive

Companies Are Throttling Employees’ AI Use Because It’s Too Expensive

Companies across tech, entertainment, banking, and many other industries are throttling their employees’ use of AI and pleading with workers to use less powerful models to stop AI costs from spiraling out of control, according to leaked Slack chats, screenshots of internal dashboards, emails, and more material obtained by 404 Media from half a dozen companies including Atlassian, Adobe, and Amazon. In at least one case, AI spending has tripled to more than $15 million a month.

The news shows the looming fallout from companies adopting AI as quickly as possible, and AI providers’ moves to charge enterprises based on how much they use AI rather than a flat fee. Emails obtained by 404 Media even show some companies cutting off access to some AI models altogether in an attempt to stop burning through their AI tokens, and big tech companies like Adobe are ending unlimited access to Claude.

  •  

Podcast: The AI Tokenpocalypse Is Here

Podcast: The AI Tokenpocalypse Is Here

We start this week with Joseph’s story about the Tokenpocalypse, which is companies scrambling to stop spending so much on AI after providers started charging per AI token. After the break, Joseph and Emanuel tell us about the ways companies are trying to do this, including using a tool to make their LLMs talk like cavemen. In the subscribers-only section, Emanuel explains how entirely fake AI-generated flowers are all over eBay, Etsy, and Amazon.

Listen to the weekly podcast on Apple Podcasts, Spotify, or YouTube. Become a paid subscriber for access to this episode's bonus content and to power our journalism. If you become a paid subscriber, check your inbox for an email from our podcast host Transistor for a link to the subscribers-only version! You can also add that subscribers feed to your podcast app of choice and never miss an episode that way. The email should also contain the subscribers-only unlisted YouTube link for the extended video version too. It will also be in the show notes in your podcast player.

  •  

Apple ‘Hide My Email’ Vulnerability Reveals Peoples’ Real Email Addresses

Apple ‘Hide My Email’ Vulnerability Reveals Peoples’ Real Email Addresses

A vulnerability in Apple’s “Hide My Email” tool lets almost anyone discover a person’s real email address that is supposed to be hidden by the feature, and Apple has failed to fix it for more than a year, according to a security researcher and 404 Media’s own tests.

404 Media is not revealing the exact details of the vulnerability because it can still be exploited as of Monday, when 404 Media verified the issue with one of our own hidden email addresses.

  •  

Companies Are Making Claude and Codex Talk Like Cavemen to Stop AI’s Soaring Costs

Companies Are Making Claude and Codex Talk Like Cavemen to Stop AI’s Soaring Costs

Companies are deliberately making their AI tools speak like cavemen in an attempt to stop burning through AI tokens and curb their massive expenditure on AI, 404 Media has found. The tool turns the usually verbose outpost of LLMs like Claude Code, Codex, or Gemini into a much more to the point answer. Think less “you’re right to push back, I was wrong,” and more “Hulk smash.”

Use of the caveman plugin is in direct response to the skyrocketing and unpredictable cost of AI. As 404 Media previously reported, companies are scrambling to stop spending so much on AI, with consulting giant Accenture finding much of the “soaring token spend” is thanks to people using AI to convert PDFs to presentations. People using caveman include developers at OpenAI, Nvidia, and GitHub, according to the tool’s creator. A senior OpenAI employee has even contributed code to the project, adding support for OpenAI’s Codex tool.

💡
Do you know anything else about token spend inside companies? I would love to hear from you. Using a non-work device, you can message me securely on Signal at joseph.404 or send me an email at joseph@404media.co.
  •  

Podcast: If AI Is Sentient Then So Is 'Age of Empires II'

Podcast: If AI Is Sentient Then So Is 'Age of Empires II'

We start this week with Matthew’s story about a fascinating paper that argues if LLMs are sentient, then by those metrics so is the classic game Age of Empires II. After the break, Matthew tells us about a wild story out of Texas with a data center being built on land that was donated to be a park. In the subscribers-only section, we talk hacking and basketball.

Listen to the weekly podcast on Apple Podcasts, Spotify, or YouTube. Become a paid subscriber for access to this episode's bonus content and to power our journalism. If you become a paid subscriber, check your inbox for an email from our podcast host Transistor for a link to the subscribers-only version! You can also add that subscribers feed to your podcast app of choice and never miss an episode that way. The email should also contain the subscribers-only unlisted YouTube link for the extended video version too. It will also be in the show notes in your podcast player.

  •  

How Hackers Broke into Madison Square Garden

How Hackers Broke into Madison Square Garden

The hackers that stole a large cache of data from Madison Square Garden called a low level employee and tricked them into letting the hackers into MSG’s systems, according to the hackers and 404 Media’s review of the stolen data.

The breach highlights the risk of social engineering over voice calls, sometimes called ‘vishing’. Whereas phishing, where hackers social engineer someone over email or send them a fake login page, has been common for decades, vishing has only become prevalent more recently, especially as young and native English speaking hackers have become a serious cybersecurity threat.

💡
Do you know anything else about this hack or others? I would love to hear from you. Using a non-work device, you can message me securely on Signal at joseph.404 or send me an email at joseph@404media.co.
  •  

The Tokenpocalypse Is Here: Companies Are Scrambling To Stop Spending So Much on AI

The Tokenpocalypse Is Here: Companies Are Scrambling To Stop Spending So Much on AI

Consulting giant Accenture is trying to figure out how to stop non-technical workers from blowing through companies’ AI token budget on trivial tasks like converting PDFs to presentation slides, according to leaked audio obtained by 404 Media. Across the industry Accenture is seeing “soaring token spend,” according to the audio.

The news highlights a major shift in the tech industry and other companies that use AI: the wave of uninhibited AI growth is over. Some AI providers like GitHub are now charging customers per token rather than a flat subscription fee, leading some companies to burn through their tokens. Uber recently capped employees’ use of AI tools like Claude Code and Cursor; that came after Uber told employees to use AI as much as possible and Uber’s CTO said the company had blown its entire AI budget in four months. And Accenture itself reportedly started requiring senior staff to start using AI or risk losing out on promotions. 

It also undercuts the narrative that superpowered engineers generating mountains of code are behind the AI boom. In many cases it is non-technical staff burning through tokens for non-specialized tasks.

💡
Do you know anything else about token spend inside tech companies? I would love to hear from you. Using a non-work device, you can message me securely on Signal at joseph.404 or send me an email at joseph@404media.co.

“We’re seeing from some of the data internally at least that it’s actually not our engineers that are driving the token consumption. It’s a lot of the non-engineers that are doing some of those behaviors [...] you were talking about,” Justice Kwak, Accenture’s agentic AI strategy lead, said in a recent internal meeting, according to the audio obtained by 404 Media.

  •  

Madison Square Garden Made Dossier on Activists Who Opposed Facial Recognition

Madison Square Garden Made Dossier on Activists Who Opposed Facial Recognition

Madison Square Garden compiled a list of activists who have publicly criticized the venue’s use of facial recognition technology, putting their tweets and comments into a document that was then accessible to other people inside the company, 404 Media has found.

The news shows that MSG, operated by Jim Dolan who has garnered a reputation for being pernicious against his perceived enemies, is not only deploying controversial facial recognition technology but keeping track of specific people who take issue with it. The document was included in a 45GB cache of data hackers stole from MSG and posted online this month, which 404 Media then downloaded and reviewed.

“The wake of a data breach would be a good time for Madison Square Garden to stop subjecting its patrons to biometric surveillance,” Adam Schwartz, privacy litigation director at the Electronic Frontier Foundation (EFF), and one of the people included in the document, told 404 Media.

  •  

Stopping Tech Company Censorship (with Jake Hanrahan)

Stopping Tech Company Censorship (with Jake Hanrahan)

This week Joseph speaks to Jake Hanrahan, creator of the independent conflict-focused media company Popular Front. They talk all about conflict journalism and how to get your journalism out there when platforms like YouTube make it all that much harder, sometimes.

Listen to the weekly podcast on Apple Podcasts, Spotify, or YouTube. Become a paid subscriber for early access to these interview episodes and to power our journalism.If you become a paid subscriber, check your inbox for an email from our podcast host Transistor for a link to the subscribers-only version! You can also add that subscribers feed to your podcast app of choice and never miss an episode that way. The email should also contain the subscribers-only unlisted YouTube link for the extended video version too. It will also be in the show notes in your podcast player.

  •  

ICE Appears to Be Buying Immigrants’ Tax Identifiers from a Data Broker

ICE Appears to Be Buying Immigrants’ Tax Identifiers from a Data Broker

Immigration and Customs Enforcement (ICE) appears to be purchasing records related to immigrants’ tax identifiers from a data broker, potentially skirting a court order that banned ICE from sourcing such information, according to Senator Ron Wyden and government procurement records reviewed by 404 Media.

The contract, worth nearly $10 million, is related to ITINs, or Individual Taxpayer Identification Numbers, which is the identifier many undocumented people use to file their taxes rather than a Social Security number (SSN).

“It looks for all the world like Trump is trying to skirt the law and a court order to fuel his mass-deportation campaign,” Senator Wyden told 404 Media in an emailed statement after reviewing the procurement records. “A court has already struck down an agreement between the IRS and Homeland Security to illegally share ITINs and other personal information. A contract to buy that same information from private data brokers is a clear end-around both taxpayer privacy laws and a court order.”

💡
Do you know anything else about this contract? Do you work at a company handling ITINs? I would love to hear from you. Using a non-work device, you can message me securely on Signal at joseph.404 or send me an email at joseph@404media.co.
  •  

Podcast: The Government Wants to End Anonymity on Phones

Podcast: The Government Wants to End Anonymity on Phones

We start this week with Joseph’s story about the FCC’s wild proposal to require peoples’ government ID numbers to even get a phone plan. The FCC is doing it to curb robocalls, but also said it would be useful for a bunch of other stuff. After the break, Jason tells us all about cops abusing Flock to stalk girlfriends and other people. In the subscribers’ only section, Emanuel explains how a software update is impacting Amazon drivers.

Listen to the weekly podcast on Apple Podcasts, Spotify, or YouTube. Become a paid subscriber for access to this episode's bonus content and to power our journalism. If you become a paid subscriber, check your inbox for an email from our podcast host Transistor for a link to the subscribers-only version! You can also add that subscribers feed to your podcast app of choice and never miss an episode that way. The email should also contain the subscribers-only unlisted YouTube link for the extended video version too. It will also be in the show notes in your podcast player.

  •  

Hackers Publish Knicks and Madison Square Garden Data Online

Hackers Publish Knicks and Madison Square Garden Data Online

Hackers have published data stolen from Madison Square Garden online for anyone to download, including what they say is customers’ personal information. A sample reviewed by 404 Media includes files mentioning specific sports teams, and specifically Knicks-related personalities, with fields such as “address,” “claim to fame,” “cost of talent,” and sometimes contact information for them or their representatives.

“It’s very simple. When you pay us, your data is deleted, and you move on with your life. When you don’t pay us, you get posted here, among other things,” a popup on the hackers’ website reads. The group publishing the data is ShinyHunters, which has been responsible for an array of breaches over the years.

The data dump comes just days after the Knicks won the NBA Finals in five games against the Spurs. Although the breach likely happened before that—a spokesperson for the hacking group said the hack was on June 5—the Knicks’ victory has put a huge amount of attention on them and MSG.

💡
Do you know anything else about this breach? I would love to hear from you. Using a non-work device, you can message me securely on Signal at joseph.404 or send me an email at joseph@404media.co.
  •  

Hackers Are Hijacking Entire Roblox Games Now

Hackers Are Hijacking Entire Roblox Games Now

Hackers have long targeted Roblox accounts to steal a player’s valuable items, which can sometimes be worth many tens of thousands of very real dollars. But that wasn’t enough for some. Now, hackers are taking over Roblox developer accounts and stealing ownership of entire video games and digital worlds.

Multiple Roblox developers—that is, people who make games for others to play on the Roblox platform, and sometimes make their livelihood doing so—told 404 Media about this happening to them. In multiple cases, the developers said Roblox support did not help them get their games back until 404 Media contacted Roblox for comment.

Ioannis Matziaris said his two 20-year-old sons spent five years building a game called “The Shadow Network” with more than 12,000 members. In April, someone approached Christos, one of the sons, with a job offer and convinced him to run a particular file. It was actually malware.

“Within hours, they had taken ownership of our entire Roblox group, transferred our main game to a new group they created, and stolen our Robux,” Matziaris said. He said the family contacted Roblox support and filed a DMCA takedown request with Roblox and got no response. 

💡
Do you know anything else about hacking on Roblox? I would love to hear from you. Using a non-work device, you can message me securely on Signal at joseph.404 or send me an email at joseph@404media.co.

“This isn't just beaming,” Matziaris said, referring to when hackers “beam” or hack a victim to steal their items. “This is an organized group that steals games, republishes them, and recruits unsuspecting developers to build on stolen work.”

Roblox is much more than a game to many people; it is a business. While Roblox the company maintains the Roblox platform itself, essentially anyone can make a game built on top of it. Some of these games go massively viral, like Grow a Garden, which isn’t just a massively popular Roblox game but a huge video game in its own right. In turn, developers of these games monetize their creations with in-game transactions. Some Roblox developers make millions of dollars and open dedicated studios. 

It’s not entirely clear what the hackers planned to do with the games, be that just steal the Robux or try to monetize their popularity. But you can see why a hacker might want to commandeer a game for themselves. Matziaris said that after the hack, Roblox denied the family’s claim over the game because “there is no indication that group ownership was transferred due to your account being compromised.” 

When 404 Media contacted Roblox for comment, the company changed its stance. “We were troubled to hear of this specific incident and have restored the game to its owner,” the company said in a statement. Roblox added it has “several safety mechanisms in place, including Enhanced Protection, the most secure version of 2-step verification, which is designed to eliminate ‘point-of-authentication’ attacks like phishing and credential stuffing. Account Session Protection is also enabled by default for all users and helps secure web sessions by binding them to a specific device. Unfortunately none of these methods can completely eliminate the risk of account theft, particularly when bad actors convince users to run malicious software on their own devices or execute untrusted code. We continue to work on new ways to prevent these occurrences and actively encourage users to follow security best practices, including not clicking on links or downloading anything from unknown senders.”

Matziaris’s family is not the only person impacted. Mohamed Kaparoza, another developer, told 404 Media he was hacked “after I was contacted through Discord by individuals claiming they wanted to hire me as a project manager for their game. During the conversation, they asked me to install a Python package called ‘robase,’ which they described as part of their database/project tools.”

“Shortly after installing it, I was logged out of my Roblox account on both my PC and Phone. I also noticed my Discord account was compromised around the same time. Afterwards, my 2-step verification and passkey were changed without my permission, and my game/group were transferred to another user. I never received any notification about a login from a new location or device before this happened,” he added. Kaparoza said Roblox has not returned his game.

Jovan Rai, another developer, said they were also offered a project manager role and asked to run a file. Ironically, this time the attackers presented themselves as Cheesy Studios and working on the game The Shadow Network, which belongs to the Matziaris brothers. The hackers stole ownership of Rai’s group, called Overcoding Overseers. 

“The game was generating ~10,000 Robux daily, had reached 1,100 concurrent users, and was my primary, only source of income. I am a minor, a 15-year-old Canadian who made this game independently,” Rai said.

Rai told 404 Media he had been “fighting” Roblox support for more than 30 days. Roblox only restored his game after 404 Media contacted Roblox for comment.

When 404 Media relayed details of Kaparoza and Rai’s cases, Roblox said in a statement “The Roblox support team investigates all claims and restores ownership if they can validate it.”

  •  

Flock Leaked Cops’ License Plate Searches via DuckDuckGo, Bing

Flock Leaked Cops’ License Plate Searches via DuckDuckGo, Bing

Automatic license plate reader (ALPR) company Flock exposed the reasons cops conducted searches, and sometimes the specific searched license plates, in common search engines like DuckDuckGo and Bing, according to tests by privacy advocates and 404 Media and a statement from the company.

The news marks an unusual data breach, and shows that sometimes surveillance technology can leak data in unexpected ways. 404 Media previously reported that Flock exposed the live feeds of some of its cameras. 

In May the NoCo Privacy Coalition, an activist organization focused on Northern Colorado, shared with 404 Media multiple search engine results that appeared to expose some data related to Flock searches.

💡
Do you know anything else about Flock? I would love to hear from you. Using a non-work device, you can message me securely on Signal at joseph.404 or send me an email at joseph@404media.co.
  •  

Podcast: Google Employees Meme About How Bad Their AI Is

Podcast: Google Employees Meme About How Bad Their AI Is

We start this week with Emanuel’s story about the internal memes Google employees are making all about AI. Definitely check out some of the examples in the article or on YouTube. After the break, Jason tells us how Microsoft explicitly wants to “make people addicted” to its new AI assistant, according to an internal document. In the subscribers-only section, Jason explains how companies are using Reddit to manipulate AI search results and big LEGO drama.

Listen to the weekly podcast on Apple Podcasts, Spotify, or YouTube. Become a paid subscriber for access to this episode's bonus content and to power our journalism. If you become a paid subscriber, check your inbox for an email from our podcast host Transistor for a link to the subscribers-only version! You can also add that subscribers feed to your podcast app of choice and never miss an episode that way. The email should also contain the subscribers-only unlisted YouTube link for the extended video version too. It will also be in the show notes in your podcast player.

  •  
❌