Zach Edwards

Sorry to hear this, you’re an excellent journalist and your work speaks for itself. Hoping for the best for everyone impacted by the layoffs.

I also had a nice video call with Meg Whitman and some folks on her team when this research came out. There was some very interesting shenanigans being conducted by one of their vendors that I found and they immediately went 10 alarm fire on them about it. Was a solid response plan imo! 🖖

Facebook‘s Ongoing VIP-User Data Exfiltration Vulnerability via Adobe’s Marketo Software & Why… Over the last 2 months, Facebook has quietly changed several ways they deploy Adobe’s Marketo email software across core Facebook…

a similar issue impacted Facebook + Adobe and I had like 2 weeks of arguments with them before FB paid me a data breach bounty and Adobe changed the entire structure of their a specific URL token
medium.com/@thezedwards...

Quibi, JetBlue and Others Gave Away Email Addresses, Report Says (Published 2020)

just reported another subtle email address data supply chain breach to a major corporation who yeeted my email to their vendors due to a dumb URL structure -- this problem always comes up! some of my previous research on it: www.nytimes.com/2020/04/29/b...

We need to dramatically improve ad libraries as a core way to slow down scams.

a basketball game between the heat and the lakers is being played Alt: a basketball game between the heat and the lakers is being played - kobe bryant makes a fade away jump shot as a defender tries to block it at the buzzer, the shot is perfect and goes in to win the game as the clock goes to zero above the backboard.

that feeling when you finish and publish the massive client report you've been working on for ages right before the new year

As both the House & Senate look to repeal Section 230, I'm curious who they think should be held liable for the comments they've left open on the Epstein photo dump...? Them? Dropbox?

Do they have a trust & safety team watching the comments?

My Youtube account was unsuspended but the video in question is still private. Based on their vague feedback it seems possible that YouTube now has a tool to scrape videos for URLs (like from my screen sharing research session) and then flag videos which in any way reference a known malicious URL.

Silent Push Completes Strategic Acquisition of HYAS, Expanding Customer Base and Securing Global Leadership in Preemptive and Proactive Cyber Defense Acquisition strengthens Silent Push’s capabilities to deliver deeper visibility, stronger intelligence, and enhanced defensive outcomes.

P.S. Silent Push announced we acquired Hyas today 🚀
www.silentpush.com/news/silent-...

Shining a Light on the Global Bulletproof Hosting Ecosystem Silent Push developed this white paper on the current state of Bulletproof Hosting and lesser-known technical dynamics we’re observing.

Our team will be speaking more about BPH’s in the coming months as we encourage more law enforcement actions and private responses to these growing challenges.

Read our final 2025 White Paper "Shining a Light on the Global Bulletproof Hosting Ecosystem" @ www.silentpush.com/white-papers...

Threat actors love a wild policy NiceNic has which requires 3rd parties to have a “Power of Attorney” over any brands that are mentioned on malicious infrastructure being reported by that 3rd party. So to get a network down that impersonates dozens of brands, it would require dozens of POAs...

Bulletproof Registrar NiceNic is given some special attention... oh what's that, you've never heard of a Bulletproof Registrar? Well what happens if you combine a BPH + a BPR? ⚖️📴

If you don’t know about NiceNic, you’re way behind the threat actors...

Reminder, CISA + NSA + FBI + DOD + international law enforcement wrote about the threat of Bulletproof Hosting Providers last month and included details about Infrastructure Laundering from FUNNULL in their report:

www.cisa.gov/resources-to...

This is the *newest form of Bulletproof Hosting*

a man in a blue jacket with stars on it is singing into a microphone at a party . Alt: lil dicky the rapper is in a blue jacket with stars on it dancing

FUNNULL is illicitly acquiring IPs and mapping them into their network in order to make their network faster for U.S. victims connecting to their scam websites and likely saving money by doing this.

This is the dance that FUNNULL admins do when they steal western IPs without ramifications.

Real Estate Its Free Real Estate GIF Alt: Real Estate Its Free Real Estate GIF

Infrastructure Laundering from FUNNULL CDN & Triad Nexus is the newest and nastiest form of bulletproof hosting, where this network uses “account mules” to illicitly acquire IPs from major cloud providers like Amazon, Microsoft, Cloudflare and Google...

a couple of women standing next to each other with the words peer pressure on the bottom Alt: a couple of women standing next to each other with the words peer pressure on the bottom

BPH’s get online through “peering agreements” w/ other ASNs. In the white paper we’re using the free data from Hurricane Electric to explain why folks really need to be more focused on peering relationships. If you find a BPH, how are they getting online & who are their ASN peers? We need more:

You’ll see plenty of references to The Spamhaus Project 💌 , the long-term gold-standard for tracking BPH’s with their Don't Route Or Peer Lists (DROP). We’ve never found a false positive on their list, but we’ve found their drop list does NOT cover all ASNs we consider BPHs. (examples shared!)👀

woody and buzz lightyear from toy story are standing next to each other Alt: woody and buzz lightyear from toy story are standing next to each other with the text "Criminals, Criminals Everywhere"

This report was a monster to get over the finish line. We “name names” and show how the technical sausage is made.

Two decades ago, there was really only one BPH – the Russian Business Network (RBN) operated out of Moscow, being the internet honeybadger of crime. But since then this illicit business model has exploded in popularity. We're tracking over 100 ASNs operating as BPH's right now...w/ more every month!

BPH’s host malware delivery infrastructure & C2s, phishing sites & financial fraud campaigns, money laundering infrastructure, websites conducting ad fraud & various types of illicit CPA/locker/redirect campaigns, CSAM, and every other horrible thing you can think of that exists on the internet. 🌩️

BPH’s are the front door, side door, & the back screen door hanging off the hinges for some of the most serious cybercrime campaigns. These hosting providers *ignore legitimate abuse complaints* which ensures that malicious campaigns, even after they are identified & reported, keep humming along. 🤕

White paper cover with the "Silent Push" logo and the word "White Paper" above the title "Shining a light on the Global Bulletproof Hosting Ecosystem" and a picture of red storms over a large cityscape

Today our team at @silentpush.bsky.social released research we’ve been working on all year – a magnum opus 39-page report on the state of Bulletproof Hosting Providers.

Brief thread with some details

Read the report @ www.silentpush.com/white-papers...

Exclusive: Petco takes down Vetco website after exposing customers' personal information TechCrunch found Petco's veterinary clinics were spilling customers' personal information and medical histories of their pets.

We found the bug in how Vetco generates PDF documents for its customers. Its PDF page was public and was indexed by Google, which is how we found it. Worse, an IDOR bug in the URL meant it was possible for anyone to obtain customer data by changing the customer's unique ID by a single digit. 🤦

Found a "great deal" in about 30 seconds of hunting -- 1k abuse reports on YouTube for $100 - a mere 10 cents per report! This is the type of bot farm product that shit birds use when they want to harass researchers and other folks.

Screenshot of an article with the text “I’ve seen this on probably 50 different government subdomains,” Edwards added in the video. Some impacted sites included Senator John Tester’s site and one belonging to the Minnesota National Guard, both of which were pushing viagra products. And then a broken YouTube embed with the text "Video Unavailable" and then the text “100% of the .gov sites I’ve reported have cleaned it after I reported it, but it’s still constantly happening,” Edwards told Motherboard.

YouTube suspended my ~15+ year old account and all my videos due to a video I recorded about scammers targeting US government and military offices, which was embedded into articles like @ www.vice.com/en/article/w... from @josephcox.bsky.social

I was likely targeted by a mass reporting campaign.🤡

just use TOR Browser if looking for that level of obfuscation imo 🖖

This is a really interesting development and if FF is able to grow market share with this feature, it could encourage other browsers to try and find a way to make theirs free too.

All that being said, FF really struggles with *making money* so it does still worry me when they start handing $$ out.

Brave browser also doesn't have a free VPN, in-fact I don't know of any credible* browsers with free VPNs built in currently. Even Apple's iCloud Private Relay costs money.

*Opera Browser has a free VPN but the browser is owned by a Chinese consortium and I wouldn't trust it at all.

Firefox Is Testing a Free, Built-In “Browser-Only” VPN Mozilla is testing a free, built-in VPN in Firefox to improve online privacy. The browser-only VPN hides your IP and encrypts traffic while you browse.

The new *free* FireFox VPN which has been tested for months (windowsreport.com/firefox-is-t...) is likely on the horizon for a wider release based on recent comments that a VP / head of Product at Firefox made on Linkedin.

Google couldn't even get a free VPN + abandoned their $$ "Google One VPN"

SS7 is gonna remain a dumpster fire security threat and China will continue to exploit it if we can’t even have simple cybersecurity requirements for the telecom industry.