Best infosec-related long reads for the week of 7/19/25
N. Korea's IT worker scheme ensnared a troubled woman, Iran is harvesting millions of airline passengers' data, Myanmar is isolated in its digital tyranny, Pushing the UK to abandon its encryption backdoor, The racist hacker attacking universities, Making quantum cryptography stronger


Happy Saturday morning! Metacurity is pleased to offer our free and premium subscribers this weekly digest of the best long-form (and longish) infosec-related pieces we couldn't properly fit into our daily news crush. So tell us what you think, and feel free to share your favorite long reads via email at info@metacurity.com.
Please consider supporting Metacurity
Thank you so much for supporting Metacurity with your readership. But please consider stepping up your support so that Metacurity can continue to provide you with our weekday updates on the pressing infosec developments you need to know to navigate the complex digital security arena, alongside this weekly selection of infosec-related long reads.
Upgrading to a paid subscription will help us keep the lights on. We also provide corporate subscription options, and soon we’ll be introducing affordable sponsorship opportunities—perfect for promoting your events or products to a highly engaged audience.
To learn more, feel free to reach out at cynthia@metacurity.com.
Thank you so much for being part of the Metacurity community.
Confessions of a Laptop Farmer: How an American Helped North Korea’s Wild Remote Worker Scheme
Bloomberg Businessweek's Evan Ratliff tells the story of North Korean IT workers who pose as US-based employees to land remote jobs in America, and of a desperate woman, Christina Marie Chapman, who got roped into becoming a "laptop farmer" for them: she hosted their employer-issued laptops at her home so their logins appeared to originate on US soil, and ended up with a 102-month prison sentence for her role in the fraudulent scheme.
The authorities still hadn’t tuned in as of summer 2023, but Chapman increasingly feared they might. That August she complained to her colleagues about their ongoing requests for her to fill out employment forms. “[I]n the future, I hope you guys can find other people to do your physical I9s,” she wrote in a group chat. “These are federal documents. I will SEND them for you, but have someone else do the paperwork. I can go to FEDERAL PRISON for falsifying federal documents.” She remembers getting a call that same month from a California company she’d returned a laptop to when a remote worker lost their job. They were asking why this was the second laptop she’d returned to it on someone else’s behalf. Chapman says she quickly got off the phone and didn’t hear from the company again.
By now, she’d begun to find her co-workers menacing. One, she recalls, said he was going to move in with her “to make sure that I stayed in line.” Another sent a local “friend” to pick up a laptop from her house—he didn’t need to ask for the address. She left it on the doorstep and hid inside. She says she approached a lawyer to find out how to untangle herself from the company, but the lawyer required a $10,000 retainer up front. Instead she hired two “assistants” by the hour from Craigslist to help her get into some other line of work.
By then it was already too late. That September, the FBI received a tip from Palo Alto Networks about a company that had unknowingly hired North Koreans. Soon after, the security firm published a blog post outlining the tactics being used in such campaigns. In court documents, the victim company isn’t named. But recently, examining a search warrant application in a separate case that described the victim and the blog post in succession, I uncovered a surprising detail—confirmed by a source with knowledge of the events, who spoke on condition of anonymity because they weren’t authorized to discuss them publicly. The victim wasn’t a client of Palo Alto Networks. It was Palo Alto Networks itself.
According to the warrant application, Palo Alto had received a warning from another company where one of its contractors had gone on to work, telling the security firm that this contractor had recently updated his LinkedIn profile from a North Korean IP address. When Palo Alto dug further, it discovered that this worker appeared to be one of at least nine North Koreans it had brought in through a staffing company. Three of them, it found, had used computers shipped to Chapman’s Arizona address. (Palo Alto facilitated my interviews with its researcher Evan Gordenker earlier this year without mentioning its role in the case. After I asked for comment about Palo Alto itself being a victim, the company stopped responding.)
In late 2023, Chapman took a trip to California to attend a concert—as she’d done to Japan a few months before—briefly leaving her Craigslist assistants in charge of her laptop farm. While she was away, one of the women messaged to tell her that FBI agents were at her house. “The bottom fell out of my world,” she says. She messaged Zhonghua, who told her to delete everything on her phone. She says she started to, then thought better of it. At her house, the FBI discovered more than 90 computers, all being operated remotely.
Agents met Chapman coming off her plane home and confiscated her devices but didn’t arrest her. The next day, she says, the FBI interviewed her for an hour and a half at her house without a lawyer present. She says they never mentioned North Korea or raised the possibility of her cooperating to lead them back to Zhonghua and the others. “I would have helped in a heartbeat,” she says, “after everything they put me through.” Pirro, the interim US attorney, declined to comment.
A month later, Palo Alto Networks researchers happened to discover a cache of documents that North Korean IT workers had left exposed on GitHub, according to the firm’s blog post. Among these, they found, were “résumés with fake identities, impersonating individuals of various nationalities” and “copies of IT job opening posts from US companies.” Several of the documents—which contained Korean-language passwords, some including words used only in North Korea—showed jobs the authors had actually obtained. Three of those gigs, according to the search warrant application, “were later tied through business records to the computers found in Chapman’s residence.”
The Amnban Files: Inside Iran's Cyber-Espionage Factory Targeting Global Airlines
UK-based Iranian opposition activist and independent cyber espionage investigator Nariman Gharib delves into the Amnban Files, gigabytes of data stolen from the internal servers of Amnban (Sharif Advanced Technologies), the firm he calls Tehran's "digital hit squad," revealing how the state-sponsored operation is harvesting millions of airline passengers' personal data for Iran's intelligence machine.
The breach cracked open their entire operation. Behind the legitimate facade of penetration testing and security consulting lurks something sinister. These aren't consultants—they're cyber mercenaries working for APT39, the notorious hacking group tied directly to Iran's Ministry of Intelligence and Security (MOIS).
The evidence is overwhelming: systematic attacks on Royal Jordanian, Turkish Airlines, Rwanda Airlines, Wizz Air, and nearly a dozen other carriers. This isn't security research. It's preparation for digital warfare.
The Intelligence Connection Exposed
Every authoritarian regime needs its digital soldiers. Iran's cyber-espionage units conduct what they call Cyber Network Exploitation (CNE)—spy speak for breaking into foreign networks to steal intelligence. But it doesn't stop at data theft. These operations enable Cyber Network Attacks (CNA) designed to cripple infrastructure, crash airport systems, and worse.
APT39, also known as Chafer, is MOIS's favorite attack dog. They don't chase money—they hunt intelligence on foreign airlines, government systems, telecommunications companies. Jordan. Turkey. UAE. If you're flying through the Middle East, you're in their crosshairs.
Here's where it gets personal: Amnban's CEO is Benham Amiri, already flagged by intelligence agencies for APT39 connections.
But Amiri went further—he actually hired Ali Kamali, a hacker so toxic the FBI sanctioned him in 2020 for attacking American infrastructure. This isn't hiding in the shadows. This is brazen.
Myanmar’s Digital Crackdown is Worsening: The World is Stepping Back
For Tech Policy Press, Wai Phyo Myint, the Asia Pacific Policy Analyst, and Faiz Naeem, the Asia Pacific Program Associate at Access Now, underscore how a digital crisis is unfolding in Myanmar as the junta ramps up communications blackouts, surveillance systems, biometric ID schemes, and social media manipulation at the same time as allies such as Thailand and the US are cutting off support for exiled activists, independent media and civil society.
The military has continued to expand its digital surveillance capabilities. At the core of this new regime is what civil society monitors refer to as the Personal Scrutinization and Monitoring System. This is believed to be a centralized military-run database that collects information on people’s location history, criminal records, financial activity, and more.
A key part of this system is the electronic identification card, or e-ID. The junta maintains that the e-ID is required only for specific purposes, such as applying for a passport or certain types of labor permits. But civil society groups have documented a steady increase in coercion. Workers are being pushed to enroll in the e-ID system or risk losing access to employment, social security benefits, and freedom of movement. Although there is no official mandate requiring all citizens to register, in practice, refusal to enroll increasingly leads to exclusion.
Once issued, the e-ID links the holder to a vast array of databases. With a single scan, authorities are reportedly able to pull up an individual’s personal history, including political affiliations, past arrests, and other sensitive details. The entire surveillance apparatus mirrors India’s Aadhaar biometric ID system. It was reported that members of Aadhaar's technical team provided expertise to the junta on biometric scanners — raising concerns about India's involvement in the military's surveillance infrastructure.
The U.K.’s Decryption Order, the CLOUD Act, and Recommended Next Steps
In Lawfare, Jennifer Daskal, partner at Venable LLP, points out that despite promising press reports, the UK government has not in fact fully backtracked on its case against Apple, in which it demanded that the company provide an encryption backdoor to its cloud services, and she suggests ways for the United States to use the Clarifying Lawful Overseas Use of Data (CLOUD) Act to push the UK into finally abandoning its anti-security crusade.
It appears, based on recent reporting, that—thanks to push-back from the Trump administration—the UK may be looking to change course. But for now, the UK case against Apple continues. The following describes ways the administration could use the CLOUD Act as additional leverage in these discussions, and suggests statutory amendments to the CLOUD Act that would help protect against additional foreign government decryption mandates in the future.
There are several possible ways for both the executive branch and Congress to respond:
The Department of Justice has the authority to object to CLOUD Act orders and categories of such orders; it could object to any orders issued to any company that has been subject to a decryption mandate. Doing so would, under the terms of the agreement, render such orders null and void.
The U.S.-U.K. agreement specifies two different ways that the Justice Department might do so: Following an objection by a provider, it can invoke section 5, par. 11 with respect to specific “Order[s]”; alternatively, under section 12, par. 3, it can object to a whole category of “Legal Process.” The Justice Department need simply notify the relevant authority in the U.K. of its objection, and the U.K. can no longer rely on the CLOUD Act to issue relevant orders or categories of such orders.
There is strong ground for raising an objection with respect to the UK-issued orders: There is an explicit statutory requirement saying that executive agreements shall not create any obligation that providers be capable of decrypting data. Indeed, Congress would not advance the CLOUD Act until that provision was added to the bill. Any order that is coupled with a decryption demand certainly violates the spirit, if not the letter, of the CLOUD Act and the U.S.-U.K. agreement.
The executive branch could threaten to pull the U.S.-U.K. agreement entirely if the U.K. continues to use its Investigatory Powers Act to seek to prohibit the use of end-to-end encryption. Given the reported security benefits of the CLOUD Act agreement, this might be sufficient to compel a change in the U.K. approach.
To terminate the agreement, the United States simply needs to send a diplomatic note to that effect; termination takes effect a month later. (Alternatively, the U.S. could refuse to renew the agreement when it expires in 2027, but that is too long from now given the immediacy of the dispute with the U.K.) An updated agreement should make clear that the U.K. is prohibited from issuing decryption orders to U.S. companies and that continued issuance of such orders will render the agreement null and void.
Congress can also require these changes. Congress could, for example, amend the criteria for CLOUD Act agreements to specify that foreign governments that issue extraterritorial decryption orders on U.S. companies are ineligible for such agreements. This would prevent the U.K. or any other country from relying on a combination of their domestic law and a CLOUD Act agreement to support decryption efforts. In fact, even if the dispute with the UK is resolved, Congress may wish to also intervene to prevent this from becoming an issue with other countries.
This ‘violently racist’ hacker claims to be the source of The New York Times’ Mamdani scoop
The Verge's Elizabeth Lopatto tells the story of a virulently racist hacker she calls the Anime Nazi, who has taken credit for hacking three universities (the University of Minnesota, New York University, and Columbia University); the Columbia breach became famous when the New York Times published the admissions application of the current Democratic nominee for mayor of New York City.
The alleged hacker, in response to a request for comment, wrote that this story wouldn’t achieve anything but making The Verge look ridiculous and “giving funny publicity to me.” Most journalists, they claimed, “are smart enough to figure that out before publishing, so end up removing my name and any direct references to me.” They added, in a separate email, “My comment: her name is [slur].”
In what little reporting exists about the actual Columbia breach (and not what stolen data reveal about a mayoral candidate when he was 17 years old), the hacker has been said to be “politically motivated.” Bloomberg, which spoke to the hacker, reported that they are acquiring information about whether universities persisted in affirmative action admissions after the Supreme Court effectively banned the practice in 2023. Insofar as open racism can be said to be a political motivation, the hacker is indeed politically motivated. But it also has the effect of soft-pedaling the reason for repeated attacks on institutions of higher learning. The Anime Nazi is an activist like a Klansman is an activist.
This is important because journalistic best practices around the use of hacked materials are to contextualize the hacker’s motivation, if the materials are used at all. While it appears to be true that the hacker opposes affirmative action, it may be more relevant — particularly when the news article in question attacks a left-wing politician of color — that the hacker’s pseudonym is literally a racist slur.
The hacker says they redact SSNs and other personally identifying data before releasing information from the intrusions. In the case of the Minnesota hack, they claim, “I only posted (redacted) bare minimum to prove they’re breaking the law.” One of their admirers has claimed they are “the nicest possible hacker.” The redactions in the New York University data were imperfect, however, says Zack Ganot, the CEO of DataBreach.com. “He says he’s not trying to leak personal information,” Ganot says. “He did a lousy job.” Emails, names, and home addresses, among other personal identifying information, are available in the data from the NYU leak.
Ganot notes that the data is valuable; to his knowledge, the hacker hasn’t yet sold it. This isn’t necessarily surprising — that’s not the kind of damage they’re trying to do — but it also doesn’t mean the data is safe.
This alleged hacker’s racial animus aligns with the recent Republican war on higher education. It also aligns with a turn from certain Silicon Valley circles against elite universities. Universities aren’t just politically endangered — they are, in the hacker’s own words, “soft targets.”
“Universities have basically the most vulnerable networks that exist in my experience,” the Anime Nazi wrote. “Massive networks with huge surface area and a lot of legacy systems.” They also generally spend less on security than private companies. Unless the hacker is caught or America’s universities seriously upgrade their security quickly, the Anime Nazi could very well strike again.
Quantum Scientists Have Built a New Math of Cryptography
Quanta magazine's Ben Brubaker interprets the complex concepts behind a new paper by two cryptographers that proposes how quantum cryptography can be put on a much firmer theoretical footing than practically any kind of classical cryptography.
In the fall of 2022, that question caught the attention of Dakshita Khurana, a cryptographer at the University of Illinois at Urbana-Champaign and NTT Research. Khurana and her graduate student Kabir Tomer set out to build a new tower of cryptography. Her first step was to build a new foundation using quantum building blocks instead of classical one-way functions. She would then need to prove that this new foundation could support a tower of other cryptographic protocols. Once she proved that the foundation could support the tower, she would have to find a solid place for the whole thing to sit — a bedrock of real-world problems that seem even harder than the NP problems used in classical cryptography.
For the first step, Khurana and Tomer focused on a quantum version of a one-way function, called a one-way state generator, that satisfied the three properties that make one-way functions useful. First, the function must run quickly so that you can easily generate a cryptographic lock and the corresponding key to open it for each message you want to send. Second, each lock must be secure, requiring great effort to break open without the right key. Finally, every lock must be easy to open with the right key.
The crucial difference lay in the nature of the locks. Classical one-way functions generate mathematical locks made of bits — the 0s and 1s that store information in a classical computer. Quantum one-way state generators would instead generate locks made of units of quantum information called qubits. These quantum locks could potentially remain secure even if all classical locks are easy to break. Khurana and Tomer hoped to start with this new quantum foundation and build a tower of cryptographic protocols on top of it. “This turned out to be quite hard,” Khurana said. “We were stuck for many, many months.”
By July 2023, Khurana was nearly nine months pregnant and planning for parental leave. Tomer was out of ideas. “I’m much more pessimistic than Dakshita,” he said. “She’s always the one who believes that things will work.”
Then they made a breakthrough. The crucial step was defining another mathematical building block that served as something like a basement floor: a structure that would connect the foundation of one-way state generators to a tower of cryptographic protocols. When Khurana and Tomer worked out what properties that building block would need to have, they found that it resembled a one-way function with a perplexing mixture of quantum and classical characteristics. As in an ordinary one-way function, both locks and keys were made of classical bits, but the procedure for generating these locks and keys would only run on a quantum computer. Stranger still, the new building block satisfied the first two defining properties of one-way functions, but not the third: It was easy to generate locks and keys, and every lock was hard to break. But a key wouldn’t easily open its lock.