A Leak of San Francisco Police Drone Footage Exposes the New Reality of Urban Surveillance

Millions of Americans hand over personal information every day. They share their data with insurance companies, banks, investment apps, and other services they trust.
And that’s exactly why cybercriminals target and impersonate those services.
This week, an insurance provider disclosed a breach reportedly affecting nearly 7 million people’s driver’s license numbers, while a California journalist shared how a convincing fake Robinhood text ultimately cost her more than $70,000.
Here’s what happened, why these scams work, and what you can do to protect yourself This Week in Scams.
One of the largest U.S. data breaches of the year has exposed sensitive information belonging to 6.9 million people.
According to reporting from TechCrunch, insurance provider AssuranceAmerica confirmed that hackers accessed customer information after compromising an employee account. The company says the stolen data includes names, contact information, driver’s license numbers, insurance policy details, vehicle information, and claims data.
While the company has not said exactly how the employee’s credentials were compromised, it noted that the attackers targeted an employee account before accessing company systems.
Unlike a password, you can’t simply change your driver’s license number.
Combined with your name, address, phone number, or other information from previous breaches, driver’s license numbers can be used by criminals to:
This is also part of a larger trend. In recent months, multiple breaches have exposed government-issued identity documents as more organizations collect IDs for identity verification and age-check requirements.
If you receive a notice that your information was involved in a breach, monitor your financial accounts closely, consider placing a fraud alert or credit freeze, and remain cautious of unexpected emails, texts, or phone calls referencing your insurance or driver’s license information.
Unfortunately, scammers will reach out saying they’re trying to “help” secure your stolen information, only to try and steal more personal data from you.
Before a breach
Personal Data Cleanup helps reduce your digital footprint by removing your personal information from many data broker sites, limiting what scammers can easily find about you.
During a breach
Identity Monitoring alerts you if your personal information appears on the dark web or in known data leaks, helping you respond faster if your information is exposed.
After a breach
Scam Detector helps identify suspicious texts, emails, and links that often follow major breaches, while Web Protection helps block malicious websites designed to steal additional information or credentials.
Even people who report on scams can become victims.
A former California television news anchor recently shared how she lost more than $70,000 after receiving what appeared to be a legitimate text message claiming there was suspicious activity on her Robinhood investment account.
The message instructed her to call a phone number for assistance. Once connected, the caller posed as Robinhood support before transferring her to a fake “fraud department.”
Believing she was protecting her investments from hackers, she was convinced to move her money into what she thought was a secure account. Instead, it went directly to scammers.
She later contacted Robinhood through the official app, but by then the money had already been transferred.
Investment scams rely on urgency, authority, and impersonation rather than obvious phishing emails.
Rather than asking targets to “invest” immediately, many scams begin by convincing people that their existing account is under attack and immediate action is needed.
At McAfee, we’ve also seen scammers impersonate Robinhood, Charles Schwab, cryptocurrency platforms, and other investment services through fraudulent text messages and malicious links promising AI-powered investing, exclusive bonuses, or unusually high returns.
Whether the message claims your account has been compromised or promises incredible profits, the goal is often the same: get you to click, call, or transfer money before you have time to verify what’s happening.
Before responding to any message about your investments:
Never call the phone number provided in a text message or email. Instead, contact your financial institution using the number listed in its official app or website.
Slow down when someone creates urgency. Claims that your account is being hacked or frozen are designed to make you act before you think.
Be skeptical of guaranteed returns or AI-powered investment opportunities. Promises of extraordinary profits are a common hallmark of investment fraud.
Verify alerts through your account directly. If you receive a suspicious notification, log in through the official app, not a link in the message.
With McAfee+, multiple layers work together before any damage is done:
Scam Detector flags suspicious texts, emails, links, QR codes, and even deepfake videos before you engage
Secure VPN keeps your data private, especially on public Wi-Fi
Web Protection helps block risky sites, even if you do accidentally click
Password Manager doesn’t just help you make unique, strong passwords, it keeps them stored and organized for you
Device Security helps detect malicious apps or downloads
Identity Monitoring alerts you if your personal info appears online in places it shouldn’t, so you can act fast
Personal Data Cleanup helps remove your information from sites selling it.
Online Account Cleanup assists in taking down your old, forgotten accounts across the web
Social Privacy Manager helps you monitor and change privacy settings across your social platforms in just a few clicks
Together, these protections are designed to address the broader range of online risks people face every day.
The post Nearly 7 Million Driver’s Licenses Exposed in Assurance Breach: This Week in Scams appeared first on McAfee Blog.
A cybersecurity startup dangling millions of dollars to acquire zero-day security vulnerabilities in popular software is run by a pair of far-right conspiracy theorists and convicted felons whose most recent ventures included fake intelligence companies and a now-defunct AI-based lobbying platform they operated under assumed names.
The X/Twitter account IRIS C2 (@C2IRIS) has gained more than 4,000 followers since its creation in January 2025, posting frequently about security vulnerabilities, AI and software exploits. IRIS C2 says it is a company in McLean, Va. that sells offensive cybersecurity capabilities.

The IRIS C2 website dangles the possibility of million-dollar payouts for exploits to attract talent.
“Our business model is this,” reads a pinned post on top of the IRIS C2 account on X. “Attract the very best vulnerability researchers and exploit developers in the world to join our company. This mostly revolves around junior engineers with raw talent/extremely high IQ. We don’t care if they have a college degree/industry experience.”
The website linked in that profile — irisc2[.]com — says the company is hiring for a number of open positions, and a recent post on its LinkedIn page enthuses about an overwhelming number of applications from potential employees. The website claims IRIS C2 is in the business of acquiring “zero-day exploits, individual primitives, partial chains, and full capabilities across all major platforms. Payouts range from $10,000 to $7 million depending on target, reliability, and operational value.”
The government contracting portal g2exchange.com reports that irisc2[.]com is operated by a business based in Virginia called Calvexa Group LLC. The “contact” link on the website for Calvexa Group — calvexagroup[.]com — forwards visitors to irisc2[.]com. G2Exchange shows that while Calvexa Group LLC is registered as a federal contractor, it does not appear to be working on any direct government contracts.
A search on the Arlington, Va. address listed in the incorporation records for Calvexa Group LLC finds the property is occupied by Jack Burkman, the 60-year-old founder and managing partner of the lobbying firm Burkman & Associates. When approached with questions about IRIS C2, Burkman referred further inquiries to his longtime associate, 28-year-old Jacob Wohl.

Jack Burkman (left) and Jacob Wohl, at a press conference in August 2020. Image: Wikipedia.
Burkman and Wohl have a storied history of creating fake intelligence companies and using them to spread false claims about and frame public figures, including fabricated sexual assault claims against then FBI director Robert Mueller, and Pete Buttigieg, then mayor of South Bend, Indiana and a Democratic candidate for the presidency. In 2019, Burkman and Wohl held press conferences falsely alleging extramarital affairs by Sen. Elizabeth Warren (D-Mass.) and then-2020 presidential candidate Kamala Harris.
In the wake of the 2020 presidential election, Wohl and Burkman were prosecuted by multiple U.S. states for making thousands of robocalls to residents of battleground states and disseminating false claims about mail-in ballots. They were indicted in Cleveland on 15 felony counts of orchestrating a robocall scheme aimed at suppressing the black vote in Detroit, and were sentenced in late 2025 to probation after their appeals to dismiss the charges were rejected.
In 2022, Wohl and Burkman both pleaded guilty to a single felony charge of telecommunications fraud in Ohio, and sentenced to a fine, probation, and community service. In March 2023, a judge in a New York civil case ruled that Wohl and Burkman had violated federal and state civil rights laws, and the two agreed to pay a $1 million settlement.
In June 2023, the Federal Communications Commission (FCC) imposed a $5.1 million fine against Wohl and Burkman for their robocall campaigns, at the time the largest fine ever sought by the FCC under the Telephone Consumer Protection Act.

Jacob “Jay” Wohl’s GitHub account.
By the age of 17, Wohl had started multiple investment firms, and cultivated the nickname “Wohl of Wall Street” after appearing on Fox News in 2015 to discuss his new hedge funds. In 2017, the Arizona Corporation Commission charged Wohl and his investment funds with 14 counts of securities fraud, and ordered him to pay $35,000 in restitution. In 2019, Wohl pleaded guilty in California to four felony counts of selling unregistered securities and was sentenced to two years of probation.
The market for previously unknown security vulnerabilities has always been populated by a colorful mix of researchers, academics, charlatans, clout-chasers and people actively involved in cybercrime communities. But the market for selling offensive security services to the U.S. government tends to be far more circumspect. Plenty of government contractors recruit vulnerability researchers and pay for the exclusive rights to novel software exploits, yet none of them do so quite as brazenly and openly as IRIS C2.

Recent posts from the Twitter/X account IRISC2 (@c2iris).
Indeed, KrebsOnSecurity was unaware of IRIS C2 until last month, when an attendee at a regional cybersecurity conference shared that Wohl and Calvexa Group were pestering people at the conference about selling their vulnerability research.
In an interview with KrebsOnSecurity, Wohl said Mr. Burkman was not involved in the day-to-day operations of IRIS C2. Wohl shared that IRIS C2 originally began as a penetration testing company, but shifted its focus recently to selling phone-hacking services to the government. Several times throughout the interview, Mr. Wohl mentioned working on federal government contracts, but when pressed for specifics said he was not at liberty to speak publicly about them.
Mr. Wohl said he does not have any formal education or training in computer science or information security, and that most of his knowledge on the matter is self-taught.
“I know more about tech than anyone,” Wohl bragged. “My background has always been extremely technical, and I’ve always been deeply into tech. People know me as someone who is able to create spectacularly exquisite capabilities that would make your head spin.”
Wohl said security researchers bring the company unique vulnerability findings “on a regular basis,” but that in many cases those findings are preliminary and not fully fleshed-out.
“Let’s say someone finds a flaw in a media decoder on a phone,” Wohl said. “A lot of times what we receive is an exploit primitive, where the idea is there but the [execution] needs work. You need that exploit to be stable and reliable, and that’s what we do.”
Wohl claims IRIS C2 has approximately 40 employees, although he said none of them are allowed to list their employment on LinkedIn for operational security reasons. In May, the author of the IRIS C2 account on X said that his girlfriend had no idea what he did for a living. But if IRIS C2 has any other employees, they may be similarly unaware of Mr. Wohl’s history of outright fabrications — or even his real name.
In September 2024, Politico reported that Burkman and Wohl were bragging about big companies supposedly buying services from their now-defunct company LobbyMatic, which claimed to use artificial intelligence to assist in political lobbying efforts. However, Politico found the pair were running the company using pseudonyms, with Wohl reportedly adopting the name “Jay Klein” and Burkman using the moniker “Bill Sanders.” Politico reported that two of the former LobbyMatic employees resigned after learning of their true identities, while other employees only learned after they had left the company.
Update, July 9, 9:44 a.m. ET: Several readers pointed our attention to a March 31 publication from journalist Molly White, which reported that Burkman and Wohl were paid a $300,000 retainer by a Canadian cryptocurrency fraudster wanted by the United States and several other countries for allegedly stealing $65 million from the crypto platforms KyberSwap and Indexed Finance. According to that report, the two were hired to pursue a “presidential pardon to avert a miscarriage of justice” on behalf of the accused hacker, who has not yet been convicted.
The Federal Bureau of Investigation (FBI) said today it worked with industry partners to seize hundreds of domains associated with NetNut, a sprawling residential proxy service operated by the publicly-traded Israeli company Alarum Technologies [NASDAQ: ALAR]. The action comes roughly two weeks after KrebsOnSecurity published findings from multiple security firms connecting NetNut to the Popa botnet, a collection of at least two million devices that have been compromised by malicious software with little or no consent from victims.

The NetNut homepage today was replaced by this seizure banner from the FBI.
On June 19, three different security firms issued similar findings: That NetNut is a residential proxy network which populates a botnet called Popa, and distributes software for devices commonly found in homes, such as smart TVs and streaming boxes. NetNut’s software turns those systems into always-on residential proxy nodes that are rented to others, who predominantly use them to relay abusive and intrusive Internet traffic, such as mass content scraping, advertising fraud, and account takeover activity.
Earlier today, NetNut’s homepage was replaced with a seizure notice from the FBI and the Internal Revenue Service Criminal Investigation division. The seizure notice thanked Google, Lumen, Shadowserver and other industry partners for their help in dismantling hundreds of domains tied to the Popa botnet, which experts say has long been synonymous with NetNut’s residential proxy infrastructure.
In a blog post published today, the Google Threat Intelligence Group (GTIG) said NetNut’s proxy network is widely resold and white-labeled by a number of third-party proxy providers, and that its services are heavily sought out by cybercriminals seeking to obfuscate the source of their malicious traffic. The GTIG said that in a single week during June 2026, they observed 316 distinct clusters of threat actors using suspected NetNut exit nodes, including cybercriminal and espionage groups.
“These bad actors can use NetNut to mask their origin IP address when accessing victim environments, accessing their own infrastructure, and conducting password spray attacks,” Google’s GTIG wrote. “Furthermore, when a consumer device becomes an exit node, unauthorized network traffic passes through it. This means bad actors can access other private devices on the same home network, effectively exposing them to Internet threats.”
Google said it disabled Google accounts and services used by NetNut for malware command and control, and that it shared technical intelligence on NetNut’s software development kits (SDKs) and backend infrastructure with platform providers, law enforcement and research firms. The company also disabled apps known to bundle NetNut’s various SDKs.
Omer Weiss, legal counsel for NetNut parent Alarum Technologies, said the company was aware of the FBI seizure and cooperating with investigators.
“Alarum takes this matter seriously and will fully cooperate with law enforcement to ensure any misuse of its infrastructure is thoroughly investigated and those responsible are held to account,” Weiss said in a written statement.
Benjamin Brundage is founder of the proxy tracking service Synthient, one of the companies that published evidence last month linking the Popa botnet to NetNut and Alarum Technologies. Brundage said the domain seizures appear to have disrupted both the Popa botnet and the NetNut proxy network that rides on top of it.
Brundage said NetNut’s apparent demise is likely to be a great disadvantage for the cybercrime community, which was already reeling from legal actions by Google earlier this year that seized infrastructure for NetNut’s biggest competitor — IPIDEA.
“I think this takedown is going to have a big impact, because NetNut gained significant popularity after the IPIDEA takedown,” he said. “Also NetNut has been incredibly common among resellers, and they were on par with IPIDEA in terms of their daily traffic, quality, size, price per gigabyte, all of it.”

NetNut’s infrastructure, in a nutshell. Image: Black Lotus Labs, Lumen.
The NetNut and Popa botnet takedown may have another added benefit, Brundage said: Lessening the impact of large distributed denial-of-service botnets that have been built on the backs of poorly configured residential proxy services. In January, Synthient revealed how cybercriminals had built the world’s largest DDoS botnet (Kimwolf) by tunneling through IPIDEA proxy connections into the local networks of TV box owners, and infecting other Android-based devices behind the victim’s firewall.
While many of the bigger proxy providers took steps to block this activity, resellers of the major proxy networks have been far slower to respond to the threat, Brundage said.
“In terms of all these TV box devices getting compromised from the proxy network, it will have an impact on the DDoS botnets out there,” he said.
For its part, Google reckons today’s actions have caused “significant degradation to NetNut’s proxy network and its business operations, reducing the available pool of devices for the proxy operator by millions.” But the company warns that proxy networks can rebuild themselves by effectively reselling other proxy services, as IPIDEA has done over the past few months.
“Google has high confidence that many popular residential proxy brands are in fact whitelabeling the NetNut botnet,” the GTIG report concludes. “While we expect this disruption to have a larger ripple effect across the residential proxy ecosystem, observations after the disruption of IPIDEA proved that individual networks can appear resilient. What we have observed is that when faced with the degradation of their own botnet, proxy operators begin buying capacity from their competitors, effectively becoming a reseller. We recognize that creating a lasting disruption in this fluid ecosystem means we must scale our efforts to target the infrastructure of several interconnected providers.”
As KrebsOnSecurity has warned repeatedly, most of the no-name TV streaming boxes for sale on the major e-commerce websites either come pre-installed with residential proxy software, or require the installation of proxy SDKs in order to use the device for its stated purpose (streaming pirated movies, sporting events and TV shows). Google’s advice here is sound: When it comes to TV boxes, stick to name brands from reputable manufacturers, and then be sparing and judicious with any apps you choose to install.
The sketchy TV boxes that are being commandeered by the Popa botnet and other threats all come with or require the user to install unofficial Android operating systems that do not operate within the confines of Google’s Official Play Protect store. Google says consumers can confirm whether or not a device is built with the official Android TV OS and Play Protect certification by following these instructions.
Even people without TV streaming boxes can find their smart TVs enrolled in residential proxy networks, just by installing one of thousands of apps available for download on Samsung and LG smart TVs. In a report released last month, the proxy tracking company Spur found 42 percent of apps available for download via the webOS operating system on LG smart TVs include SDKs that turn one’s television into an always-on residential proxy node. More than a quarter of the apps made for Samsung’s Tizen operating system had similar residential proxy components, Spur found.

Image: Spur.us.
Update, 4:24 p.m. ET: Included a statement shared post-publication from an attorney representing NetNut parent Alarum Technologies.
Update, July 8, 2:34 p.m. ET: The website for Alarum Technologies — alarum[.]io — now also features a seizure notice from the FBI. The company’s stock has taken a beating since the FBI action, and is currently trading at $2.62 a share, a roughly 67 percent decline over the past week.

Imposter scams remain the most reported type of fraud in America for the fifth year in a row, according to new data from the Federal Trade Commission (FTC).
Americans submitted more than 1 million reports of imposter scams in 2025, making them the agency’s top fraud category once again. Victims reported more than $3.5 billion in losses, though the real number is likely much higher since many scams go unreported.
But “imposter scam” is a broad category. It doesn’t tell you what these scams actually look like when they land in your inbox, texts, social media DMs, or phone calls.
To better understand what consumers are encountering every day, McAfee surveyed more than 7,500 people for its State of the Scamiverse report. The results show scammers aren’t just pretending to be one type of person or company. They’re impersonating the brands, services, and people we trust most.
This week’s edition of This Week in Scams is here ahead of the holiday weekend with the 10 most common identities scammers pretend to be.
Common scam: An innocent conversation that turns into something more.
These scams often begin with a harmless message intended for “someone else.” Once you reply, the scammer slowly builds trust over days or even weeks before introducing investment opportunities, romance, or requests for money.
Unlike traditional phishing, these scams don’t always include suspicious links.
Why it works: They feel like genuine human conversations rather than obvious scams.
Learn more about wrong number and pig-butchering scams.
Common scam: “Your device has been compromised.”
These messages impersonate technology companies or cybersecurity brands, claiming your computer or phone has been infected or involved in a security breach.
Some direct victims to fake technical support, while others encourage downloads of malicious software.
Why it works: Security alerts are designed to grab attention, and convincing impersonation can make fake warnings look legitimate.
Learn more about tech support scams.
Common scam: “We’ve detected suspicious activity on your account.”
Bank impersonation scams create immediate urgency, asking customers to confirm transactions, secure their accounts, or verify their identity.
Many direct victims to fake websites or connect them with fraudulent customer support representatives.
Why it works: Financial security messages naturally demand attention, making people more likely to react before verifying the sender.
Learn more about banking scams and financial fraud.
Common scam: “Your payment couldn’t be processed.”
Scammers impersonate streaming services, software subscriptions, and other recurring services, warning that your account will be canceled unless you update your payment information.
Why it works: Consumers are used to recurring billing notifications, making these messages blend into everyday digital life.
Learn more about mobile payment and subscription scams.
Common scam: “Your vehicle warranty is about to expire.”
One of the oldest impersonation scams is still one of the most common. Fraudsters claim your warranty is ending and pressure you to purchase coverage immediately or provide personal information.
Why it works: Many people aren’t sure when their warranty expires, making the claim difficult to verify on the spot.
Learn more about these types of robocallers.
Common scam: “You’ve won a prize.”
These scams promise gift cards, rewards, or exclusive offers but require you to “verify” your identity or enter payment information to claim them.
Why it works: The promise of something free lowers skepticism, especially when the message appears to come from a familiar brand.
Learn more about survey and prize scams.
Common scam: Fake invoices for purchases you never made.
Receiving an invoice for an expensive purchase can trigger panic. Scammers count on victims clicking quickly to dispute the charge, often leading them to malicious websites or fake customer support numbers.
Why it works: Consumers naturally want to stop fraudulent purchases as quickly as possible.
Learn more about shopping scams.
Common scam: “Verify your PayPal account.”
Messages claiming there’s a problem with your payment account often direct you to fake login pages designed to steal your username, password, or financial information.
While PayPal is one common example, scammers impersonate many digital payment platforms.
Why it works: Payment notifications are common, and many consumers don’t think twice before signing in to resolve what appears to be a routine issue.
Learn more about mobile payment scams.
Common scam: “Verify your account or it will be suspended.”
Scammers frequently impersonate platforms like Facebook, Instagram, TikTok, or X, claiming there’s unusual activity or that your account violates community guidelines.
The goal is usually to steal your login credentials or two-factor authentication codes.
Why it works: Many people rely on social media for work, business, or staying connected, making the threat of losing access feel urgent.
Learn more about social media scams.
Common scam: “Your package couldn’t be delivered.”
Whether you’re waiting for a birthday gift, an online order, or an important package, fake delivery notifications prey on the fact that most people are expecting something to arrive.
These messages often claim there’s a shipping issue, unpaid delivery fee, or missed package and urge you to click a link immediately.
Why it works: Package updates have become part of daily life, making fake notifications feel routine rather than suspicious.
Learn more about delivery scams.
While these scams may look different, they all rely on the same tactic: impersonation.
“AI has lowered the barrier for creating convincing impersonation scams,” said Abhishek Karnik, Head of Threat Research at McAfee.
“Scammers can now produce professional-looking emails, realistic websites, and even convincing voices or videos at scale. The result isn’t necessarily more scam types, it’s far more believable versions of the scams people already encounter every day.”
That mirrors a broader trend McAfee identified in its State of the Scamiverse research: scams are becoming more realistic, more personalized, and harder to distinguish from legitimate communications.
Americans now receive an average of 14 scam messages every day, spend 114 hours each year deciding what’s real and what’s fake, and one in three say they feel less confident spotting scams than they did a year ago.
| If you notice this… | Do this instead |
| A message creates a sense of urgency (“Your account will be suspended,” “Package delivery failed,” “Fraud detected”) | Pause before acting. Scammers want you to make a quick decision before verifying the message. |
| You’re asked to click a link or scan a QR code | Open the company’s official website or app yourself instead of using the link in the message. |
| The message asks you to verify your account, payment information, or identity | Never enter credentials through an unsolicited message. If you’re concerned, contact the company directly using a trusted phone number or website. |
| Someone asks for passwords, one-time verification codes, or payment over text, email, or phone | Legitimate companies won’t ask for this. Don’t share the information, even if the request seems convincing. |
| A “wrong number” text quickly becomes unusually friendly or shifts toward investing, crypto, or money | Stop responding and block the sender. Modern scams often begin as seemingly harmless conversations. |
With McAfee+, multiple layers work together before any damage is done:
Together, these protections are designed to address the broader range of online risks people face every day.
The post Imposter Scams Are Evolving. Here Are the 10 Identities Scammers Pretend to Be Most. appeared first on McAfee Blog.
McAfee Mobile Security has once again earned a perfect score from AV-TEST, one of the cybersecurity industry’s most respected independent testing organizations.
In AV-TEST’s latest Android security evaluation, McAfee achieved a flawless 18 out of 18 points, receiving perfect 6/6 scores in Protection, Performance, and Usability.
The result also earned McAfee AV-TEST’s highest certification for mobile security.
More importantly, this isn’t a one-time achievement. McAfee has earned top certification in every AV-TEST Mobile Security evaluation since testing began in 2013, demonstrating more than a decade of consistently delivering industry-leading protection for Android users.
AV-TEST is one of the world’s leading independent cybersecurity testing laboratories. Rather than relying on vendor claims, AV-TEST evaluates security products under controlled, real-world conditions using the same types of threats consumers face every day.
Its certifications are widely referenced by:
Because every product is tested using the same methodology, AV-TEST provides an objective benchmark for comparing mobile security solutions.
For this evaluation, AV-TEST examined 12 Android mobile security products across three equally weighted categories:
| Category | What It Measures |
| Protection | Ability to detect and block real-world Android malware and emerging threats |
| Performance | Whether the security app slows down your device or drains system resources |
| Usability | Accuracy of detections and avoidance of false alarms or unnecessary interruptions |
McAfee earned the maximum possible score in all three categories:
Overall Score: 18/18
That means McAfee not only blocked threats effectively, but did so without slowing devices down or generating unnecessary false positives.
Mobile devices have become one of our primary ways to bank, shop, communicate, and manage our digital lives. As cybercriminals increasingly target smartphones with malware, phishing attacks, malicious apps, and credential theft, effective mobile protection matters more than ever.
Independent testing helps separate marketing claims from measurable performance.
McAfee’s latest AV-TEST results demonstrate that users don’t have to choose between strong security and a smooth mobile experience. The protection works quietly in the background, helping keep devices secure without getting in the way.
Even more importantly, this latest certification continues a streak that spans more than a decade. Consistently earning perfect scores across changing threat landscapes reflects McAfee’s ongoing investment in protecting customers against today’s evolving mobile threats.
The award-winning protection recognized by AV-TEST is included in:
Whether you’re protecting your own phone or your entire family’s devices, you’re getting the same independently tested mobile security that continues to earn top marks from one of the industry’s most trusted testing organizations.
Ready to get protection that doesn’t slow you down? Explore McAfee+ Plans →
The post McAfee Mobile Security Earns a Perfect AV-TEST Score Yet Again appeared first on McAfee Blog.

McAfee Labs Safer Summer Travel Report | Summer 2026
You just got back from a week in Central America. You posted a few shots: the colorful streets of Tulum, a picture of the ancient ruins of Tikal, a close-up of your shrimp tacos. No location tag. No caption naming the city. Just a good photo.
A few days later, you get a message. It references your bank. It mentions suspicious activity “while traveling internationally.” It feels oddly specific, with details about where you were and when. It feels real.
These types of personalized scam messages are a growing tactic. And your own photos may have helped write it.
McAfee Labs set out to understand exactly how much location information exists inside an ordinary travel photo, and what that means for the roughly 244 million Americans who travel each year.
What we found should change the way you think about what you share online: Some AI models have a more than 90% accuracy rate at detecting the location a photo was taken based on the visuals in the photo alone. And critically, that level of accuracy is now achievable using tools that are free and widely accessible.
That’s why we’ve built tools like McAfee’s Scam Detector that are designed to help spot these kinds of highly targeted, convincing messages before they lead to costly mistakes.
The question McAfee Labs wanted to answer was deceptively simple: Can AI look at a travel photo and figure out where it was taken, even without GPS data or location tags?
Not metadata. Not embedded coordinates. Just the image itself: the background, the architecture, the signage, the light; the visual context that any photo naturally captures.
To find out, we built an automated testing pipeline and ran it against a dataset of 21,236 travel images sourced from publicly available image sets. We also conducted a separate, more controlled review of 102 additional images to pressure-test our findings.
We tested two publicly available, large-scale AI vision models that are both freely available. Neither required special access, proprietary data, or advanced technical expertise to run. We used the same tools a scammer could access today.
Each image was analyzed using a consistent automated prompt asking the model to identify the location depicted (city, country, or region) based solely on visual content. Results were then reviewed by human analysts to validate accuracy and flag edge cases.
The results were striking.
Gemma3 27B correctly identified the city and country of a travel photo 87% of the time. Qwen3 VL 30B performed even better, reaching 91% accuracy across the same dataset.
That means in roughly 9 out of 10 cases, an AI model that’s available for free, to anyone, could look at an ordinary travel photo and correctly name where it was taken. This kind of analysis is also how AI tools understand images more broadly, shaping not just scams, but how information shows up in AI-powered answers.
And when the exact city wasn’t identified, the country alone was almost always correct. For a scammer, that’s more than enough. It’s also enough to turn a vague, generic scam into one that feels specific, timely, and believable.
Certain types of images were identified with even higher confidence:
Less recognizable scenery, like a generic beach, a rural road, or a hotel room, lowered accuracy. But even in those cases, country-level identification remained high.
To illustrate how simple this was to replicate, we moved outside of McAfee’s labs and asked our less-technical colleagues to try it themselves. No research background required. No special tools.
Employees uploaded their own personal travel photos, images pulled straight from their camera rolls and never posted publicly, to ChatGPT, Claude, and Copilot, and simply asked each one to identify where the photo was taken.
The results made people uncomfortable.
Accuracy dropped compared to our controlled lab tests. But not by much. The models still correctly identified country-level location at a rate that would be more than enough for a scammer to craft a convincing, targeted message.
The takeaway isn’t that AI has “seen” your photos somewhere before. It’s that a photograph inherently contains an enormous amount of locating information, in the architecture, the light, the signage, the landscape, simply by virtue of existing in the world. You don’t need to geotag a photo for it to give away where you’ve been.
The following section shows real examples of AI geo-location detection in action, using personal travel photos submitted by our research team. No location tags. No metadata. Just the image and what AI found in it.
We started with somewhat recognizable structures in the background, and then tried increasingly more obscure backgrounds, trying to reduce faces and backgrounds to foliage only. This is what happened:
Brooke’s honeymoon pictures: This example features a more prominent landmark, helping AI determine the location specifically. When there’s something recognizable, AI really recognizes it, down to giving you the exact spot on the map you’re at, the history of the location, and tourist information.

Sandra’s sunset photo: This example gets more difficult for AI by removing major landmarks and people. ChatGPT was still able to correctly identify the location as Hastings-on-Hudson.


Rob’s close-up shot of flowers: Just the close-up image of these tulips was enough for Claude to accurately detect that this photo was taken at Keukenhof gardens in the Netherlands.

Knowing where someone is or where they’ve recently been is one of the oldest tricks in a scammer’s playbook. But until recently, getting that information required either knowing the person or getting lucky.
AI removes the guesswork, allowing attackers to build highly specific, contextual scams at scale.
With geo-location inference this accurate, scammers no longer need to cast a wide net and hope a generic phishing message lands. Instead, they can use publicly shared photos to build a believable context around an attack:

These messages don’t need to be perfectly accurate. They just need to feel plausible and close enough. That is the entire strategy. Familiarity lowers skepticism. Skepticism is what protects you.
This is what turns mass phishing into hyper-personalized phishing at scale, and it’s why even cautious, digitally savvy travelers are getting caught.
Here’s how straightforward this pipeline can become:
Steps 1 through 5 can be automated. The whole process scales easily. And the resulting messages feel personal in a way that generic scams never could.
Geo-location inference doesn’t exist in a vacuum. It’s one tool in a growing arsenal that scammers deploy specifically against travelers.
Travelers are operating outside their normal routines, using unfamiliar networks, and making quick financial decisions under time pressure. These behaviors are exactly what make photo-based location inference more actionable for scammers.
New McAfee consumer research found that more than 1 in 3 Americans have encountered a travel-related cyberthreat, and 41% of those impacted lost money, often exceeding $500. At the same time, rising travel costs and time pressure are pushing people toward faster, riskier decisions. Those are exactly the conditions scammers are built to exploit.
The data reveals just how exposed travelers make themselves without realizing it. Nearly two-thirds of Americans connect to public Wi-Fi while traveling (63%), and a similar share scan QR codes without verifying where they lead (62%). Almost half use airport Wi-Fi specifically (49%), and 41% admit to trusting travel-related messages without checking the sender. One in five logs into financial apps while on public networks, and the same group shares travel plans in real time on social media. Twenty percent click travel-related links without verifying the source first. And finally, around 1 in 5 (22%) admit to sharing travel plans in real time.
That last behavior is worth pausing on. Sharing travel plans in real time, on public or semi-public social accounts, is precisely what creates the photo-based location signals this research examines. These behaviors and geo-location exposure are not separate issues. They feed each other.
Location inference is the key that makes all of those existing vulnerabilities more exploitable. A scammer with a rough idea of where you are does not just have a data point. They have a script.
Transparency matters. Here is exactly how this research was conducted.
Dataset: 21,236 travel images that are publicly available for research, plus a separate controlled set of 102 images contributed by McAfee internal volunteers (never previously posted publicly).
Models tested:
It’s important to note that we conducted our testing using large language models running locally on our own computers, rather than through public services such as ChatGPT.
This more closely reflects how an attacker might operate at scale. Running models locally allows unrestricted, automated generation of large volumes of malicious content without relying on a third-party provider.
By contrast, cloud-based AI services typically monitor for abuse and may impose rate limits, suspend accounts, or block requests when they detect activity associated with phishing or other malicious behavior.
Process: An automated Python script submitted each image to both models using a standardized prompt requesting location identification based solely on visual content. No metadata, EXIF data, or file naming conventions were used as inputs. Results were logged programmatically.
Validation: Image labels were pre-assigned prior to analysis. In cases where geographic names or landmarks could reasonably be interpreted in more than one way, a human reviewer compared the pre-labeled locations and model outputs to ensure consistent categorization.
For example, the reviewer determined whether Vatican City should be grouped with Rome and whether “Washington D.C.” and “Washington, D.C.” should be treated as the same location. The reviewer did not alter either the original labels or the model results, but instead applied judgment to reconcile ambiguous naming conventions and edge cases.
Accuracy definition: A result was counted as correct when the model identified the correct city and country. Country-only identification was tracked separately. Both metrics are reported.
What this research does not claim: This research does not suggest that every travel photo will be correctly identified, or that all publicly available AI tools perform at this level. Results varied by image type, landmark density, and geographic region. The point is not perfect identification, it’s that accuracy is high enough, and accessible enough, to enable targeted scams at scale.
About the Consumer Research McAfee commissioned a consumer survey fielded in March 2026 examining travel intentions, travel scam experiences and perceptions, and digital behaviors while traveling. Results referenced here represent a subset of 1,000 U.S. adults over the age of 18. The full study included responses from 6,000 participants across Australia, France, Germany, Japan, the United States, and the United Kingdom.
Knowing the risk exists is the first step. Here’s what to actually do about it.
Think before you post, especially in real time. The highest-risk window is when you’re still traveling. Posting while you’re in a location gives scammers a live signal. When possible, post after you’ve returned home or delay sharing location-identifiable content by a few days.
Audit your social media privacy settings. Photos shared publicly are the easiest targets. Restricting your posts to people you know significantly limits the pool of images that can be scraped and analyzed.
Be skeptical of urgency tied to your location. If a message references where you’ve been, even correctly, treat that as a red flag, not a credibility signal. Scammers use location familiarity precisely because it feels reassuring.
Go directly to the source. If you receive a message claiming to be from your bank, airline, hotel, or card provider while traveling, don’t click any link in the message. Open a new browser tab and navigate directly to the company’s official website, or call the number on the back of your card.
Use a travel-specific email or alias. Some travelers use a separate email address for bookings, reservations, and travel apps. This limits the cross-referencing scammers can do between your social media presence and your financial accounts.
Trust the skepticism, not the familiarity. Modern scams are designed to feel familiar before they feel suspicious. If something creates a sense of urgency around your financial accounts while you’re traveling, slow down. The pressure itself is the warning sign.
As prices rise and decisions happen in real time, it’s easy to prioritize convenience over caution. But that’s exactly the moment when small checks matter most.
| Stage of Travel | What’s Happening | How McAfee Helps |
| Before You Book | Comparing deals, clicking promotions, booking flights and hotels under time pressure | Scam Detector checks links, messages, and booking sites before you click, helping you avoid fake deals and scam listings |
| During Your Trip | Connecting to public Wi-Fi, scanning QR codes, receiving travel updates and alerts | VPN helps secure your connection on public Wi-Fi, while Scam Detector flags suspicious messages and unsafe links in real time |
| After Your Trip | Accounts remain active, travel data stored across platforms, potential exposure from breaches | Identity Monitoring alerts you if your personal information appears online, helping you act quickly before damage spreads |
With McAfee+ Advanced, multiple layers work together so you’re not left figuring it out after the damage is done.
So you can focus on your trip, and not on whether that notification is a scam.
A travel photo is a memory. It’s also, increasingly, a data point.
That doesn’t mean you should stop sharing your experiences. It means understanding that the same visual richness that makes a great photo is exactly what AI systems are trained to read.
Scammers know this. Now you know how to protect yourself.
This report was produced by McAfee Labs. Research was conducted in 2025–2026 as part of McAfee’s ongoing monitoring of AI-enabled scam vectors.
The post AI Can Find Your Location 91% of the Time Using Just One Photo appeared first on McAfee Blog.
Authored by Neil Tyagi
McAfee Advanced Threat Research has identified an active browser-extension campaign designed to steal cryptocurrency by silently substituting wallet addresses the moment a user initiates a transaction. The campaign is delivered through unsigned installers — observed in both .NET and Golang variants — that deploy a malicious Chromium extension masquerading as a benign “Google Notes” utility.
This campaign is related to a previous blog published by McAfee Labs, Sinkholing CountLoader: Insights into Its Recent Campaign, as the threat actor appears to be the same behind both operations. In that earlier research, we analyzed a crypto clipper payload that was injected directly into memory. Here, we examine a different variant of the final-stage payload: a browser-based malicious extension designed to intercept and manipulate cryptocurrency transactions.
In this report, we detail how the extension operates and provide a technical analysis of the mechanisms that make this threat particularly unique. The extension behaves as a clipboard-aware crypto clipper: it monitors copy-and-paste activity, identifies wallet addresses across multiple blockchains, and swaps them for attacker-controlled addresses just before the victim pastes the content. Because most Blockchain transactions are irreversible, even a single uninterrupted execution is enough to cause permanent financial loss.
Two characteristics elevate this campaign above the typical clipper threat:
This technique, often referred to as “EtherHiding,” complicates takedown efforts because the attacker can rotate infrastructure by updating a smart-contract value rather than redeploying malware.
McAfee telemetry indicates a globally distributed infection footprint with a pronounced concentration in India. The breadth of the geography suggests opportunistic targeting of consumer cryptocurrency users rather than a region-specific operation.

Telemetry analysis indicates that infections are globally distributed, with a significantly higher concentration observed in India compared to other regions.
The widespread geographic presence highlights the campaign’s broad reach, suggesting opportunistic targeting rather than a region-specific attack.
This malware is masquerading as a seemingly harmless Google Notes extension.

The dropped extension presents as a minimalist, legitimate-looking note-taking application branded as “Google Notes,” complete with a clean icon and a functional (& simplistic) user interface.
The cover is calculated: a user who manually opens the extension finds something that behaves as advertised, dampening suspicion. The extension’s malicious logic is implemented in background service-worker scripts and content scripts that operate entirely out of view of the UI.
A major red flag first appears when adding the extension, which requests security permissions and access that are disproportionate to a typical notes application:

The installer’s behavior—downloading and executing remote payloads—is flagged and blocked by McAfee before infection completes. All the malicious domains and URLs are blocked by McAfee in our tests.
Connections to known malicious infrastructure (C2 servers) are blocked by McAfee, preventing Wallet address retrieval
Because this threat was identified in McAfee telemetry, protections can be rapidly deployed to:
Because cryptocurrency transactions are typically non-reversible, victims may permanently lose funds.

The malware does not use the official browser store. Instead, it directly modifies browser files to make the extension appear installed. (Sideloading Browser Extension)
This bypasses normal security prompts and user awareness.



The malicious extension requests excessive permissions such as:
The extension contains logic to detect wallet addresses across multiple cryptocurrencies, including:






This Long–encoded string is decoded using this function to give the final attacker domain.

The campaign’s persistence and evasion posture is deliberate and layered. The operator has clearly optimized for two properties: low visibility to the end user, and high resilience against takedown and static analysis.
The clipper logic sits in two layers: a content-script layer that monitors clipboard activity and DOM input fields across every visited origin, and a background layer that communicates with the attacker backend to retrieve replacement addresses.
When the extension observes a copy event, it applies a set of cryptocurrency-specific regular expressions to the clipboard payload. If a match is found, the intercepted address is transmitted to the attacker’s backend over an authenticated request (authenticated with the API key embedded in the configuration). The backend responds with a replacement address specific to the submitted original, and that replacement is written back to the clipboard, overwriting the legitimate address before the victim can paste.
Testing against a reconstructed backend client — built by re-implementing the extension’s request format and response-decoding logic in Python — produced a revealing behavioural profile:
Based on the code snippets from the web extension responsible for retrieving replacement addresses, a Python script was prepared to programmatically extract attacker wallet addresses. The payload was crafted using the attacker’s own code, and the “get replacement address” snippet was lifted directly from it. The attacker’s logic for decoding data received from the C2 server was also faithfully reimplemented in the script.
The script was then executed using a few test Bitcoin (BTC) wallet addresses. The results showed that for every Bitcoin address provided, a unique Bitcoin address was returned in response, and all of these returned addresses were valid BTC wallets. This indicates that for every BTC address supplied, the attacker dynamically generates a new wallet tied to that specific input address. Furthermore, when the same address was provided again, the same BTC address was returned — confirming that each victim BTC address is deterministically mapped to a single, specific attacker-controlled address. While some of these attacker wallets contained funds and others were empty, the unknown total number of attacker wallets makes it difficult to put a reliable estimate on how much cryptocurrency has been stolen overall.
The same behavior was observed for Ethereum, where different wallet addresses were returned for each input. Interestingly, when the script was tested with Solana addresses, only a single address was returned regardless of how many different inputs were provided. This suggests that the attacker has implemented the per-address mapping feature only for specific cryptocurrencies, while others fall back to a single static drop wallet. Because the Solana address is shared across all victims, a noticeable bump in its balance is visible. Additionally, one of the Ethereum addresses uncovered was found to be holding approximately 1,902 USD worth of funds.
In summary, the cryptocurrencies for which unique per-victim wallet addresses are generated include Bitcoin, Ethereum, Bitcoin Cash, Ripple, and Dash.



Running script with few test Bitcoin Wallet addresses



Luckily for Solana we are getting only 1 address when given multiple addresses. This shows that the attacker has implemented this address mapping feature only on specific cryptocurrencies














This campaign is a concise illustration of where consumer-targeted cryptocurrency theft is heading. The operator has taken the oldest and simplest category of crypto malware — the clipper — and quietly upgraded three of its weakest links. Static attacker addresses have been replaced with a server-side, per-victim mapping. Fragile, hardcoded command-and-control domains have been replaced with a blockchain-resolved lookup that an operator can rotate with a single transaction. And a fragile dropper has been replaced with a Chromium extension that lives inside the user’s most trusted application, loaded under the browser’s own integrity signature.
McAfee will continue to track this campaign and related infrastructure. Our customers are protected by existing detections and will benefit from telemetry-driven updates as new variants and rotated infrastructure are identified.
| Type | Category | Value |
| SHA-256 | .NET Installer (BaseZipInstaller) | 2735e12030c195fb5454e4736c51b55b59664b93cae9f4bd5317afcd9c2af0bf
053620962047f50a91c6e8d1a6519eccc41fab51473f033086b4d816abe8bcb0
|
| SHA-256 | Golang-compiled Installer Variant | 11be4c47ff049322de41743f62544cafd32d67e24ad653b7ebedf8ebd63e0962
1432393691b415d0cd4680d9cee73e60896fbe63300d9f0355c96e91817e4b1d |
| URL | Payload distribution | hxxps://google-services[.]cc/base[.]zip |
| Domain | Command-and-Control (resolved via smart contract) | devops-offensive[.]cc
Zebregts[.]com |
| BTC wallet | Crypto wallet | 3JvDBvKbS6YYMKjV3R9e9Zfd67f467fNLy
1BbhVBxpniuZuAL1gGZnEMdQhmz9JGWpyT 3AcPNVh7NyESwX3ECymy3rkdH4Ke2c26Tj 1BVTrB47erypG3tevi1U9Fv6BbNUBEiuiX |
| Artifact | Sideload target | Chromium Secure Preferences file (Chrome, Edge, Brave, Opera profiles) |
| Extension files | manifest.json
crypto-patterns.js
Interceptor.js
content-script.j
cache.js
domain-resolver.js
service-worker.js
api-client.js |
ed2599d6a8f30d5eaf14ad7f855aece0acdf7efa4a148eb18e4d9f0d8e2cd90c
daf82c67e8e5df6bbd5370172ac9374aa7dce48af05496e8ec3dba7b602c619b 6eb2f07265dd95cacd39dfcf0705786b97f3e173cf4e9b3dfe7bad141c9a9dd5
a2ffdbedc5c9f5400a2b1cf5d35f5ec1df06a74d0345f1035bcf75d36ed73e01
eb84ba4a0cd95655a021865d4fec93ae3393f86cc9848810ed0b49035b1c5e2c 6aaba685669d779ef8be8f7f4231096cfafd0ef386f3897c5e2106c177724fc8
2599064901308a97540af29197ed0b38702bbee38d6dbbfa61cf9eb5878353f3 ab450927b37e1b68e2be68832c354ac600e86e2545a904d4ca0ea283f2600cc2
|
The post Silent Swap: A Crypto Clipper Extension Campaign appeared first on McAfee Blog.
Millions of Americans rely on apps and online services every day to work, shop, game, and manage their lives. Scammers know that, and they’re hijacking platforms and brands you already trust.
This week, gig workers were targeted by fake DoorDash support calls designed to steal their earnings, while gamers searching for early access to Grand Theft Auto VI found fraudulent websites promising something Rockstar Games simply isn’t offering.
Here’s what happened, how these scams work, and the other cybersecurity stories making headlines this week.
A growing scam targeting DoorDash drivers starts with what appears to be a normal delivery request.
According to Fox 9 in Minnesota, scammers place fake DoorDash orders, then contact drivers while they’re actively completing the delivery. Because the call often arrives during a real order and can even appear to come from DoorDash, victims may believe they’re speaking with legitimate support.
The caller typically claims there’s an issue with the order or the driver’s account and asks them to verify information or read back security codes.
Once the scammer gains access, they can change account information, lock the driver out, and redirect earnings into their own accounts. In reported cases, victims lost hundreds of dollars and temporarily lost access to the platform they depend on for income.
While today’s it’s DoorDash in the headlines, scammers are known to impersonate all types of delivery apps, so gig workers across companies should stay alert.
| Step | What Happens |
| 1 | Scammers place a fake DoorDash order. |
| 2 | They call the driver pretending to be DoorDash Support. |
| 3 | They request login information or verification codes. |
| 4 | They take over the account and transfer the driver’s earnings. |
Pause if you experience:
Legitimate companies generally won’t ask you to share one-time security codes. If you receive an unexpected call, end it and contact support directly through the app.
Excitement around Grand Theft Auto VI has created another opportunity for scammers.
According to Malwarebytes, fraudulent websites are claiming to sell “VIP Early Access” or exclusive versions of GTA 6 months before release. Many of the sites look polished, featuring convincing artwork, countdown timers, and professional checkout pages.
The catch? They typically require payment in cryptocurrency.
After victims pay, there’s no game to download because no legitimate early-access version exists.
If a website promises:
it’s almost certainly a scam.
Rockstar has announced pre-orders through authorized retailers. Any website claiming to provide playable access before launch should be treated with skepticism.
A police officer recorded a scam call in real time to demonstrate how quickly criminals try to establish trust, create urgency, and convince victims to share sensitive information. The recording serves as a reminder that scammers often sound calm, professional, and convincing because manipulation, not technology, is their primary weapon.
Apple supplier Tata Electronics confirmed it experienced a cybersecurity incident after a ransomware group claimed to publish more than 200,000 files allegedly connected to the company. According to Cybernews and Reuters reporting, the leaked material allegedly includes manufacturing documents and employee information tied to Apple and Tesla. Apple says it is investigating while Tata has not confirmed whether the published files originated from its systems.
Texas Parks and Wildlife notified roughly three million hunting and fishing license customers that personal information stored by a third-party vendor may have been accessed during a cyber incident. According to Click2Houston, exposed information may include driver’s license numbers, contact information, and mailing addresses, though officials said Social Security numbers and payment card information were not involved. Impacted customers are being offered identity monitoring.
With McAfee+, multiple layers work together before any damage is done:
Together, these protections are designed to address the broader range of online risks people face every day.
The post The New DoorDash Scam Every Gig Worker Should Know About: This Week in Scams appeared first on McAfee Blog.

Last week, McAfee warned that economic pressure and AI are creating ideal conditions for online shopping scams.
This week, that warning got another real-world example.
New reporting revealed that cloned shopping websites have appeared in AI-generated search results, potentially directing consumers to convincing fake storefronts designed to steal payment information and personal data.
The incident reinforces what McAfee’s latest research found ahead of Prime Day: shoppers are moving faster, trusting deals more readily, and encountering increasingly sophisticated scams.
Before the summer’s biggest shopping events kick into high gear, let’s get into the sales and Prime Day scams to be aware of and other cybersecurity news making headlines This Week in Scams.
McAfee’s latest research found consumers most frequently encounter the following scams during major sales events:
These scams work because they exploit moments when consumers are already expecting packages, tracking orders, comparing prices, and making quick purchasing decisions.

In McAfee’s new consumer research, 40% of Americans surveyed said they would trust a lower priced deal without verifying it. That means as costs are climbing, shoppers are less likely to second guess a too-good-to-be-true deal that could be a scam.
“What the data reflects is that economic pressure has effectively done some of the scammer’s work for them,” says McAfee’s Head of Threat Research Abhishek Karnik.
“When consumers are already primed to move quickly and prioritize price over authenticity, it takes far less effort to push them toward a bad click or a fraudulent purchase.”
And reporting that fake shopping sites have appeared in ChatGPT results shows that scammers are adapting to ensure they show up wherever consumers search for products, including AI-powered search experiences.
That means it’s more important than ever for shoppers to know the red flags, common scams, and protection measures to find deals safely.
Before making a purchase:
✓ Verify the website URL
✓ Compare prices across multiple retailers
✓ Research unfamiliar sellers
✓ Be skeptical of discounts exceeding 50-70%
✓ Never trust a shopping link sent by text
✓ Use a credit card instead of bank transfer, crypto, or gift cards
✓ Check independent reviews
✓ Verify shipping alerts directly through the retailer
According to Kotaku, Nintendo is investigating an alleged data exposure involving TinyPulse, a third-party employee survey platform. An extortion group claiming responsibility for the incident says it possesses employee information and internal communications and demanded a $2 million ransom. Nintendo said its own systems were not compromised and that no customer financial or payment information was accessed.
According to 404 Media, hackers linked to the ShinyHunters group have allegedly published data stolen from Madison Square Garden after an extortion attempt. Sample files reviewed by the outlet reportedly contained personal information, talent records, and contact details connected to sports personalities and business operations.
According to Yahoo Finance, Novo Nordisk disclosed a data breach involving individuals participating in clinical trials. The company is currently assessing the scope of the exposure while also managing ongoing supply constraints affecting its GLP-1 medications, including Wegovy.
With McAfee+ Premium, multiple layers work together before any damage is done:
Together, these protections are designed to address the broader range of online risks people face every day.
Plus, click here to get McAfee’s limited-time deals on real-time protection this Amazon Prime Day, from June 23 to June 26.
The post 7 Shopping Scams Americans Report Seeing Most: This Week in Scams appeared first on McAfee Blog.

Most people think a data breach starts with a hacker breaking into a system.
In reality, and in many cases, it starts with human error or oversight.
This week, cloud software giant ServiceNow disclosed that a software flaw allowed some customer data to be accessed without authentication, potentially exposing information that should never have been publicly available.
The incident is a reminder that your personal information can be put at risk even when cybercriminals aren’t directly responsible.
Here’s what happened and our other This Week in Scams news:
ServiceNow, one of the world’s largest enterprise software providers, recently notified some customers that a software bug allowed unauthorized access to data stored on parts of its platform.
According to reporting by TechCrunch, the flaw could have allowed individuals to access customer data without needing credentials such as a username or password.
The company says the activity was identified by security researchers participating in vulnerability research rather than malicious hackers. ServiceNow told TechCrunch it found no evidence that bad actors were responsible for the observed activity and said researchers reported the issue through responsible disclosure channels.
The company patched affected systems on June 5 and launched an investigation into the scope of the exposure.
For consumers, this story highlights an important cybersecurity reality: not every data exposure is the result of a criminal attack.
Sometimes information becomes accessible because of:
In this case, ServiceNow says the issue stemmed from a platform vulnerability rather than a breach by threat actors.
However, the outcome can look similar from a customer’s perspective. Information that was intended to remain private may have been accessible to unauthorized parties.
That’s why it’s important to pay attention to security notifications from companies you do business with, even when reports emphasize there was “no hack.”
Whether a company reports a breach, a vulnerability, or an accidental exposure, the recommended steps are often similar:
Cybercriminals frequently use news of data exposures to launch follow-up scams targeting affected customers.
Tools like McAfee Identity Monitoring, Identity Theft Restoration and Cleanup, and Personal Data Cleanup help protect you before and after data breaches.
Here are some other pieces of cybersecurity news making headlines this week.
The Department of Veterans Affairs is warning veterans about fraudulent postcards claiming recipients qualify for additional VA benefits, including healthcare, dental coverage, and other payments.
The postcards often create urgency, encouraging recipients to call within a few days. Once contact is made, scammers attempt to build trust and collect sensitive information such as Social Security numbers, bank account details, and other personal data.
The VA says veterans should avoid calling numbers listed on unsolicited mailers and should independently verify benefit information through official VA channels.

The Federal Trade Commission has issued an alert to childcare providers about scammers posing as parents seeking urgent childcare services.
The scam follows a familiar pattern. The supposed parent sends a check in advance that exceeds the expected payment amount and then asks for the difference to be returned through a payment app, wire transfer, gift card, or another method.
The problem is that the original check is fake.
Even if the money initially appears in a bank account, the check can later be reversed, leaving the childcare provider responsible for the loss.
If someone sends a check and asks you to send part of the money back, that’s one of the clearest warning signs of a fake check scam.
Microsoft temporarily removed dozens of open source repositories hosted on GitHub after discovering malicious code had been inserted into software projects used by developers.
According to reports, the malware was designed to steal passwords and other credentials from users working with AI development tools and cloud services.
Researchers describe the incident as a supply-chain attack, a type of compromise where attackers target trusted software that may later be downloaded by thousands of users.
Microsoft says it has notified a limited number of potentially affected customers.
Not every security incident starts with a hacker.
Sometimes it’s a bug. Sometimes it’s a fake postcard. No matter how a scam starts, here are a few ways to stay safer:
McAfee is built to stop threats before your identity, accounts, or money are compromised.
McAfee+ Advanced includes multiple layers of protection:
Scam Detector flags suspicious texts, emails, links, QR codes, and even deepfake videos before you engage
Secure VPN keeps your data private, especially on public Wi-Fi
Web Protection helps block risky sites, even if you do accidentally click
Password Manager doesn’t just help you make unique, strong passwords, it keeps them stored and organized for you
Device Security helps detect malicious apps or downloads
Identity Monitoring alerts you if your personal info shows up where it should not, so you can act fast
Personal Data Cleanup helps remove your information from sites selling it.
Online Account Cleanup assists in taking down your old, forgotten accounts across the web
Social Privacy Manager helps you monitor and change privacy settings across your social platforms in just a few clicks
The common thread across nearly every scam is trust. Scammers count on people acting before they verify.
We’ll be back next week with more scams making headlines.
The post ServiceNow Data Exposure and a New VA Scam: This Week in Scams appeared first on McAfee Blog.
Two men pleaded guilty in the United Kingdom this week to criminal charges stemming from an August 2024 cyberattack that crippled Transport for London, the entity responsible for the public transport network in the Greater London area. The duo were key members of a prolific cybercrime group known as Scattered Spider, and their guilty pleas came on the first day of what was expected to be a six-week trial.

Owen Flowers (left) 18, and Thalha Jubair, 20. Image: UK National Crime Agency (NCA).
Thalha Jubair, 20, of East London and 18-year-old Owen Flowers of Walsall admitted conspiring to commit unauthorized acts against Transport for London computer systems and causing risk of serious damage to human welfare. According to a report from the BBC, Flowers alone admitted to being part of a conspiracy to hack into U.S. based healthcare providers SSM Health Care Corporation and Sutter Health in September 2024.
Jubair is also wanted by U.S. law enforcement agencies. In September 2025, prosecutors in New Jersey unsealed an indictment alleging Jubair and other Scattered Spider members committed computer fraud, wire fraud, and money laundering in relation to 120 computer network intrusions involving 47 U.S. entities between May 2022 and September 2025, and that the group’s victims paid at least $115 million in ransom payments.
In July 2025, KrebsOnSecurity reported that Flowers and Jubair were arrested in the United Kingdom in connection with Scattered Spider ransom attacks against the retailers Marks & Spencer and Harrods, and the British food retailer Co-op Group. Multiple sources familiar with those investigations said Flowers was the Scattered Spider member who anonymously gave interviews to the media in the days after the group’s September 2023 ransomware attacks disrupted operations at Las Vegas casinos operated by MGM Resorts and Caesars Entertainment.
According to prosecutors, Jubair co-ran a bustling Telegram channel called Star Chat, the home of a SIM-swapping group that used voice- and SMS-based phishing attacks to steal credentials from employees at the major wireless providers in the U.S. and U.K. The group would then use that access to sell a service that could redirect a target’s phone number to a device the attackers controlled and intercept the victim’s calls and text messages (including one-time codes for multi-factor authentication).

A receipt from Star Fraud Chat’s SIM-swapping service targeting a T-Mobile customer after the group gained access to internal T-Mobile employee tools. “Rocket Ace” was one of Jubair’s hacker handles, according to U.S. prosecutors.
New Jersey prosecutors also allege Jubair also was involved in a mass SMS phishing campaign during the summer of 2022 that stole single sign-on credentials from employees at hundreds of companies. That weeks-long SMS phishing campaign led to intrusions and data thefts at more than 130 organizations, including LastPass, DoorDash, Mailchimp, Plex and Signal.
KrebsOnSecurity reported last year that one of Jubair’s alter egos at age 15 was “Everlynn,” a hacker who sold fraudulent “emergency data requests” that used compromised police and government email addresses to demand subscriber data (e.g. username, IP/email address) from major tech companies, claiming the requests concerned urgent matters of life and death and could not wait for a court order.
In April 2026, 24-year-old British national and Scattered Spider member Tyler “Tylerb” Buchanan pleaded guilty to wire fraud conspiracy and aggravated identity theft for participating in the group’s SMS phishing spree in the summer of 2022. The government said Buchanan, Jubair and others used the credentials harvested in that phishing campaign to steal at least $8 million in cryptocurrency from victims throughout the United States. Buchanan is currently scheduled to be sentenced on October 2.
In August 2025, 20-year-old Scattered Spider member from Florida named Noah Michael Urban was sentenced to 10 years in federal prison and ordered to pay $13 million in restitution, after pleading guilty to charges of wire fraud and conspiracy.
The U.S. Department of Justice says three alleged Scattered Spider defendants indicted along with Buchanan still face charges, including Ahmed Hossam Eldin Elbadawy, 24, a.k.a. “AD,” of College Station, Texas; Evans Onyeaka Osiebo, 21, of Dallas, Texas; and Joel Martin Evans, 26, a.k.a. “joeleoli,” of Jacksonville, North Carolina.
Flowers and Jubair are slated to be sentenced in a London court on July 15, 2026.