Data Brokers are a Killer's Best Friend

Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by Lawfare with help from the William and Flora Hewlett Foundation. This week's edition is sponsored by enterprise browser maker Island.

You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

Paper flowers

A Minnesota man has allegedly used people-search services to locate, stalk and eventually murder political targets.

The alleged shooter, Vance Boelter, is accused of killing Democratic state representative Melissa Hortman and her husband Mark on Saturday night. He is also facing charges for shooting Democratic state senator John Hoffman and his wife Yvette earlier that night. Both Hoffman and his wife survived with multiple gunshot wounds. 

According to an FBI affidavit, notebooks containing the names of more than 45 Minnesota state and federal public officials were found in Boelter's abandoned car. One notebook listed 11 different people search services that sell personal information of individuals online, including physical addresses, emails, and phone numbers.

The affidavit says:

Evidence uncovered in this investigation indicates that Boelter extensively planned his stalking, murders and attempted murders … Boelter's preparation efforts included identifying several websites that allow users to search for the personal information of others like home addresses and family member names. Boelter also made lists containing the names and home addresses of many Minnesota public officials, mostly or all Democrats.

It alleges that Boelter visited the homes of two other officials that same night. At one address he repeatedly rang the doorbell, but the official was not home. At the other, Boelter was interrupted by a police officer conducting a safety check and drove away.

This isn't the first time that personal information found online has been used in a murder.  

In 2020 federal judge Esther Salas was targeted by a disgruntled litigant in a violent attack that left her only child dead and her husband critically wounded. The assailant, a lawyer named Roy Den Hollander, had created an extensive dossier on Salas. She later wrote that, at that time, judges' addresses could "be purchased online for just a few dollars, including photos of our homes and the license plates on our vehicles".

In the weeks prior to the attack on the judge, Den Hollander compiled a list of potential targets and murdered a professional rival, another lawyer. This incident led to the passage of legislation protecting judges' personal information from resale by data brokers.

A proposal for similar legislation to protect federal lawmakers' personal information was introduced by Republican Senator Ted Cruz and Democratic Senator Amy Klobuchar in 2023. The bill did not pass. Klobuchar, from Minnesota, now says she was one of the many lawmakers targeted by Boelter.

It’s not only judges or politicians that are at risk. This Lawfare article examines how information sourced through people search data brokers has been used maliciously: 

For decades, individuals engaged in various forms of abuse have purchased this information from people search websites and used it to hunt down and stalk, harass, intimidate, assault, and even murder other people. In October 1999, an individual stalking a 20-year-old woman, Amy Boyer, pulled up next to her car while she was at work and shot and killed her; he then shot himself. This man had purchased her date of birth from people search broker Docusearch for $20. (After the broker gave multiple dates of birth that were not for the right person, he provided them with her home address to get the right date of birth.) The man then spent $45 to acquire her Social Security number; $109 to get her employment information, which was refunded after the company could not deliver; $30 to search her by Social Security number, which yielded her home address (which he reportedly already had); and then another $109 to get a second employment information search. For this last request, a Docusearch employee called Boyer, lied about their identity and motives to get her to tell them her employment address, and then supplied that information to the stalker. The following month, the individual went to her workplace and murdered her.

Of course, data broker services are not the only method of locating someone's home address. The New York Times reports that murder victim Melissa Hortman's home address was published on her campaign website and that shooting victim John Hoffman's home address was on his official legislative web page. Some lawmakers The Times spoke to chose to make their home addresses public to appear authentic and to reassure voters that they were part of the community. And it is always possible to follow public figures in real life to figure out where they live.

The important factor in the above examples is choice. Individuals should have the right to decide whether their personal details should be easily accessible. And we suspect most people would find the dossiers compiled about them by people search companies scary. Verging on terrifying. Per Lawfare:

Typically, these companies get their information from government records. These include voting registries, property filings, marriage certificates, motor vehicle records, criminal records, court documents, death records, professional licenses (such as for lawyers), bankruptcy filings, and much more. These dossiers contain everything from individuals’ names, addresses, and family information to data about finances, criminal justice system history, and home and vehicle purchases. 

Thanks to the legislation we mentioned earlier, federal judges can opt out of the data broker ecosystem. In some US states, law enforcement officers can also opt out of having their information available. Everyday Americans are not afforded this luxury.

We can't see any real benefit to making personal information on millions of people so easily accessible. The risks to their safety are very real, especially as the political climate in the United States heats up. 

Israel Deletes a Bank, Burns Iranian Cryptocurrency

Predatory Sparrow, a purported pro-Israeli hacktivist group, has claimed responsibility for two separate attacks on Iranian financial services in the midst of military conflict between the two countries.

On Tuesday the group, also known as Gonjeshke Darande in Persian, posted that it had "conducted cyberattacks which destroyed the data of the Islamic Revolutionary Guard Corps' 'Bank Sepah'." 

UK-based Iran International reported "major disruptions" to banking services:

Messages and videos sent to Iran International reveal a nationwide breakdown in financial services. "You can't even buy internet from Irancell," one audience [member] wrote.
"We have no way to pay," another said, with bank systems crashing and cash machines out of service.
Sepah Bank has been entirely knocked offline, according to dozens of reports.

Shortly after claiming responsibility for the Bank Sepah attack, Predatory Sparrow issued a warning.

"Associating with the regime's instruments for evading sanctions and financing its ballistic missiles and nuclear program is bad for your long-term financial health," the group posted on X on Tuesday.

"Who's next?"

The following day, the group claimed responsibility for an attack on the Iranian crypto exchange Nobitex. It later said that it had "burned" US$90 million worth of assets by sending them to various cryptocurrency addresses.

The addresses weren't exactly random:

  • Bitcoin - 1F*ckiRGCTerroristsNoBiTEXXXaAovLX
  • Tron - TKF*ckiRGCTerroristsNoBiTEXy2r7mNX
  • Dogecoin - DF*ckiRGCTerroristsNoBiTEXXXWLW65t
  • Ethereum - 0xffffffffffffffffffffffffffffffffffffdead
  • Ton - UQABF*ckIRGCTerroristsNOBITEX1111111111111111_jT
  • Solana - F*ckiRGCTerroristsNoBiTEXXXXXXXXXXXXXXXXXXX
  • Harmony - one19f*ckterr0rf*ckterr0rf*ckterr0rxn7kj7u
  • Ripple - rF*ckiRGCTerroristsNoBiTEXypBrmUM

It described these as "burn addresses". And we don't have to rely on Predatory Sparrow's word here. The odds of Predatory Sparrow actually being able to randomly generate cryptocurrency addresses containing these phrases are impossibly small. The likely scenario is that these addresses don't correspond to actual wallets and that the cryptocurrency is now stranded forever. They sent $90 million to nobody simply to make a point.
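To put numbers on "impossibly small", here is an added worked example (ours, not the newsletter's and not Predatory Sparrow's). It decodes a Bitcoin Base58Check address to show that the checksum is computed purely from the address payload, so a wallet will happily send funds to an address nobody holds a key for, and it estimates the brute-force work needed to hit a vanity string. The figure of roughly 27 freely chosen characters is an assumption derived from the length of the 34-character Bitcoin address listed above (one version character at the front, a checksum-determined tail at the end); the payload used for the demonstration address and the 10^12 keys-per-second search rate are constructed values.

```python
import hashlib
import math

# Bitcoin's base58 alphabet (no 0, O, I or l, to avoid look-alike characters).
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def sha256d(data: bytes) -> bytes:
    """Double SHA-256, the hash behind the 4-byte Base58Check checksum."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def b58encode(raw: bytes) -> str:
    """Base58 encoding; each leading zero byte becomes a leading '1'."""
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * pad + out


def b58decode(s: str) -> bytes:
    """Inverse of b58encode; raises ValueError on characters outside the alphabet."""
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)
    pad = len(s) - len(s.lstrip("1"))
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * pad + body


def b58check_encode(payload: bytes) -> str:
    """Append the checksum and encode. Note that no private key is involved:
    any 21-byte payload (version byte + 20-byte hash) yields a valid-looking address."""
    return b58encode(payload + sha256d(payload)[:4])


def checksum_ok(addr: str) -> bool:
    """True if the trailing 4 bytes match the double-SHA-256 of the rest.
    This is what a wallet checks before sending; it says nothing about key ownership."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) < 5:
        return False
    return sha256d(raw[:-4])[:4] == raw[-4:]


def vanity_trials(chosen_chars: int) -> int:
    """Expected number of random keypairs needed before an address shows a fixed
    string of chosen_chars base58 characters (each matches with probability 1/58)."""
    return 58 ** chosen_chars


def vanity_years(chosen_chars: int, keys_per_second: float) -> float:
    """Wall-clock years for a search at keys_per_second (a constructed budget)."""
    return vanity_trials(chosen_chars) / keys_per_second / (365.25 * 86400)


if __name__ == "__main__":
    # Constructed payload: mainnet P2PKH version 0x00 plus 20 bytes chosen by hand.
    # Nobody holds a key hashing to these bytes, yet the checksum validates.
    demo = b58check_encode(b"\x00" + bytes(range(20)))
    print(demo, checksum_ok(demo))
    print(f"{math.log2(vanity_trials(27)):.1f} bits of work for 27 chosen characters")
    print(f"{vanity_years(27, 1e12):.2e} years at 1e12 keys/s")
```

The last two lines are the point: 27 fixed base58 characters correspond to about 158 bits of search, close to the entire 160-bit hash space, so no amount of hardware finds a matching key. The only way to produce such an address is to pick the payload bytes directly, which is exactly why the funds are unspendable.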

Predatory Sparrow is all about sending messages.  

When it claimed responsibility for the Bank Sepah hack, it said the bank was:

…an institution that circumvented international sanctions and used the people of Iran's money to finance the regime's terrorist proxies, its ballistic missile program and its military nuclear program.
This is what happens to institutions dedicated to maintaining the dictator's terrorist fantasies.

It also posted documents that underlined the bank's relationship with Iran's armed forces and intelligence services. 

When announcing its Nobitex hack it said:

…the exchange is at the heart of the regime's efforts to finance terror worldwide, as well as being the regime's favourite sanctions violations tool… 
Nobitex doesn't even pretend to abide by sanctions. In fact, it publicly instructs users on how to use its infrastructure to bypass sanctions.
The regime's dependence on Nobitex is evident from the fact that working at Nobitex is considered valid military service, as it is considered vital to the regime's efforts.
These cyberattacks are the result of Nobitex being a key regime tool for financing terrorism and violating sanctions. Associating with regime terror financing and sanction violation infrastructure puts your assets at risk.

We first wrote about Predatory Sparrow in 2022, in the wake of its spectacular attacks on three Iranian steel companies. The notable thing about those and earlier attacks was the efforts the group had taken to illustrate that it was conducting its destructive operations responsibly by minimising unnecessary collateral damage. 

In an attack that disrupted Iran's fuel subsidy system, for example, the group warned emergency services commanders to fill up beforehand. And it only disrupted the system temporarily, despite having the capacity to cause more serious, longer-lasting damage. 

This is just one of many behaviours that make Predatory Sparrow's hacktivist cover look pretty thin. At the time we said:

This obviously doesn't feel like the work of hacktivists — why go to such lengths to show that you are operating responsibly? That behaviour seems more in keeping with a state trying to mitigate escalation risk and build norms of responsible behaviour.

However, this week's attack on Bank Sepah is causing an entirely different magnitude of disruption. It's not clear yet how bad this will be longer-term, but successfully deleting an entire bank would cause a lot of collateral damage and be very bad for Iran's economy.

Predatory Sparrow has always tried to portray itself as a responsible actor, in this case by pointing out it is targeting specific organisations that violate sanctions and support Iran's terrorist activities. 

That's all well and good, but if the group has managed to permanently delete a major financial institution, the collateral damage to Iran's banking sector will be immense, and won't just affect sanctions-violating activities. Is that still responsible behaviour? That'll be in the eye of the beholder, we suspect.

Sepah Bank may be able to recover, but if it can't, this is a hack for the history books.

Three Reasons to Be Cheerful This Week:

  1. Passkeys get more usable: Apple has announced that the next major release of its operating systems, such as iOS and macOS, will include the ability to import and export passkeys. This will make it possible to transfer them from macOS to Windows devices, for example, and is one step towards making passkeys cross-platform. Ars Technica has further coverage.
  2. Archetyp market takedown: Europol has announced that a "large-scale" European law enforcement operation involving six countries has dismantled "the most enduring dark web marketplace". The operation involved 300 officers and targeted "the platform’s administrator, moderators, key vendors, and technical infrastructure". Archetyp was one of the few darknet markets that allowed the sale of synthetic opioids such as fentanyl.  
  3. Infostealer crackdown: Last week Interpol announced that authorities from 26 countries had seized infrastructure linked to infostealer malware. The operation resulted in the seizure of 41 servers and over 100GB of data, as well as the arrest of 32 suspects.  

In this Risky Bulletin sponsor interview Michael Leland, Field CTO of Island, talks about how Island manages risks from extensions, phishing and infostealers. Even when credentials are stolen, it is still not game over and there are still ways to prevent data loss and breaches.

Shorts

Posing as a Journalist for Fun and Profit

The Record has an interesting account of how a cryptocurrency company CEO was tricked into authorising remote control of his computer during a purported interview for a YouTube show about investments. This attack used a compromised YouTube account to lend credibility to the approach. 

Security firm Trail of Bits wrote about its CEO's encounter with the same threat actor back in April. The lure in this case was a media opportunity, an invitation to participate in a Bloomberg Crypto series. But the attackers approached the CEO over X, wouldn't use email and tried to arrange meetings with Calendly pages "that clearly weren't official Bloomberg properties". These red flags tipped the CEO off. 

(Disclaimer: Trail of Bits is a Risky Business sponsor.)

Risky Biz Talks

You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).  

In our last "Between Two Nerds" discussion Tom Uren and The Grugq take a look at a new AI-powered covert influence campaign and compare it to World War 2 efforts.

Or watch it on YouTube!

From Risky Bulletin:

Chrome gets a new prompt to prevent sneaky local network attacks: Google Chrome is adding a new prompt that will ask for permissions when websites or mobile apps want to connect to a user's localhost or access devices hosted on their internal local network (LAN).

The new prompt is designed to block a rising trend on the internet, where threat actors lure users to malicious sites that access and relay malicious code through their browsers.

This code can contain CSRF (cross-site request forgery) exploits that hack local routers and IoT devices sitting on the same network and abuse them for ad fraud or other types of botnets.
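Chrome's prompt is a browser-side control; a router or IoT device should not depend on it. As an added example (ours, not Google's and not from Risky Bulletin), the function below shows the device-side counterpart: a request filter for a LAN device's HTTP management interface that uses the browser-set Fetch Metadata headers (Sec-Fetch-Site, Sec-Fetch-Mode, Sec-Fetch-Dest) and the Origin header to reject the cross-site requests a malicious web page would make. The trusted origins and the sample requests are constructed values; the Access-Control-Request-Private-Network preflight header is the one Chrome's Private Network Access feature sends.

```python
SAFE_METHODS = {"GET", "HEAD"}

# Origins the device serves its own UI from (constructed values; a real device
# would derive these from its configured hostname and addresses).
TRUSTED_ORIGINS = {"http://192.168.1.1", "http://router.local"}


def classify_request(method: str, headers: dict) -> str:
    """Return 'allow' or 'deny' for a request hitting a LAN device's web interface.

    Policy (Fetch Metadata resource isolation, adapted for a device that has no
    legitimate cross-site callers):
      * same-origin requests and direct user navigations ('none') are allowed;
      * cross-site or same-site requests are denied, except a plain top-level
        navigation (GET + navigate + document), which the user can see;
      * a Private Network Access preflight is denied, so the browser never
        receives Access-Control-Allow-Private-Network and blocks the fetch;
      * without Fetch Metadata (old browser, non-browser client), state-changing
        methods must carry a trusted Origin; fail closed otherwise.
    """
    h = {k.lower(): v for k, v in headers.items()}
    method = method.upper()

    if method == "OPTIONS" and h.get("access-control-request-private-network") == "true":
        return "deny"

    site = h.get("sec-fetch-site")
    if site in ("same-origin", "none"):
        return "allow"
    if site in ("cross-site", "same-site"):
        top_level_nav = (
            method in SAFE_METHODS
            and h.get("sec-fetch-mode") == "navigate"
            and h.get("sec-fetch-dest") == "document"
        )
        return "allow" if top_level_nav else "deny"

    # No Fetch Metadata at all: fall back to the Origin header.
    if method in SAFE_METHODS:
        return "allow"
    return "allow" if h.get("origin") in TRUSTED_ORIGINS else "deny"


# Constructed sample requests, as a browser would send them.
SAMPLES = {
    # The CSRF case: a malicious page POSTing a config change to the router.
    "csrf_post": ("POST", {"Origin": "https://attacker.example",
                           "Sec-Fetch-Site": "cross-site",
                           "Sec-Fetch-Mode": "cors",
                           "Sec-Fetch-Dest": "empty"}),
    # A page pulling the device's status page into a <script> tag.
    "cross_site_script": ("GET", {"Sec-Fetch-Site": "cross-site",
                                  "Sec-Fetch-Mode": "no-cors",
                                  "Sec-Fetch-Dest": "script"}),
    # The user clicks a link to their router from another site: visible, allowed.
    "link_to_router": ("GET", {"Sec-Fetch-Site": "cross-site",
                               "Sec-Fetch-Mode": "navigate",
                               "Sec-Fetch-Dest": "document"}),
    # The device's own UI saving settings.
    "own_ui_post": ("POST", {"Origin": "http://192.168.1.1",
                             "Sec-Fetch-Site": "same-origin",
                             "Sec-Fetch-Mode": "same-origin",
                             "Sec-Fetch-Dest": "empty"}),
    # Chrome's Private Network Access preflight before a public->private fetch.
    "pna_preflight": ("OPTIONS", {"Origin": "https://attacker.example",
                                  "Access-Control-Request-Private-Network": "true"}),
    # Old client with no headers at all trying to change state.
    "bare_post": ("POST", {}),
}


def classify_samples() -> dict:
    return {name: classify_request(m, hdrs) for name, (m, hdrs) in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:20s} {verdict}")
```

The filter is cheap to add to any embedded web server and does not break the device's own UI, because a same-origin page always carries Sec-Fetch-Site: same-origin. It also does not replace per-request CSRF tokens and authentication; it removes the class of requests the page above describes before they reach the handler that would act on them.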

[more on Risky Bulletin]

Cock[.]li gets hacked: A threat actor named Satoshi has allegedly hacked controversial email provider Cock[.]li and is now selling its data on an underground hacking forum.

They are selling this data on a Russian language underground hacking forum named XSS for 1 Bitcoin, or approximately $105,000.

The hacker allegedly used a recently disclosed zero-day in the Roundcube webmail software (CVE-2025-49113) to dump Cock[.]li's database and steal the details of over one million registered users.

[more on Risky Bulletin, including cock[.]li's use by the internet's worst figures.]

Predator spyware alive despite US sanctions: Despite being sanctioned twice by the US Treasury Department last year, surveillance and spyware maker Intellexa has continued to operate and has even set up new server infrastructure for its customers.

In a report published on Thursday, security firm Recorded Future says it identified new customer- and victim-facing infrastructure, along with new systems to avoid detection.

The new infrastructure includes servers and domains for hosting and delivering the Predator mobile spyware, as well as VPS servers for anonymizing traffic and hosting management panels for Intellexa customers.

[more on Risky Bulletin]