It’s the end of the year. That means it’s time to celebrate the best cybersecurity stories we didn’t publish. Since 2023, TechCrunch has looked back each year at the best cybersecurity stories published elsewhere.
If you’re not familiar, the concept is simple. There are now dozens of journalists covering cybersecurity in English, and tons of stories about cybersecurity, privacy, and surveillance are published every week. Many of them are great, and you should read them. We’re here to recommend the ones we liked best, so keep in mind that this is a very subjective and, at the end of the day, incomplete list.
Anyway, let’s get into it. — Lorenzo Franceschi-Bicchierai.
Every once in a while, there’s a hacker story that once you start reading, you think it could be a movie or a TV show. Such is the case with Shane Harris’s very personal story of his months-long correspondence with a top Iranian hacker.
In 2016, the Atlantic reporter was contacted by a person who claimed to work as a hacker for Iran’s intelligence services and to have taken part in major operations, including the downing of a US drone and the now-infamous hack against oil giant Saudi Aramco, in which Iranian hackers wiped the company’s computers. Harris was rightfully skeptical, but as he kept talking to the hacker, who eventually revealed his real name, Harris began to believe him. After the hacker died, Harris was able to piece together the real story, which turned out to be even more incredible than the hacker had led him to believe.
The compelling story is also a great behind-the-scenes look at the challenges cybersecurity journalists face when dealing with sources who claim to have great stories to tell.
In January, the UK government secretly ordered Apple to build a backdoor so that police could access the iCloud data of any customer anywhere in the world. Because the order came with a gag, it was only thanks to The Washington Post’s reporting that we learned the order existed at all. The demand was the first of its kind and, if successful, would have been a major defeat for tech giants that have spent the past decade locking themselves out of their users’ data precisely so they cannot be forced to hand it over to governments.
Apple responded by withdrawing its encrypted cloud storage feature from UK customers. But once the news was out, the secret order was dragged into public view, allowing Apple and its critics alike to scrutinize the UK’s surveillance powers in a way that had not previously been possible. The story sparked a months-long diplomatic row between the United Kingdom and the United States, with the UK government backing down on the demand, only to try again several months later.
This story was the kind of instant access some reporters can only dream of, and it played out in real time for The Atlantic’s editor-in-chief after he was unwittingly added to a Signal group chat in which senior US government officials discussed war plans on their phones.
Reading the discussion about where the US military should drop bombs, and then seeing news reports of missiles hitting the ground on the other side of the world, was confirmation for Jeffrey Goldberg that he was, as he suspected, in a real conversation with real Trump administration officials, and that all of it was reportable.
And so he reported it, paving the way for months of investigation (and criticism) of the government’s operational security practices, in what some have called the biggest government security blunder in history. The fallout also exposed the government’s use of a modified Signal clone, whose own security flaws further compromised what were supposed to be secure communications.
Brian Krebs is one of the most veteran cybersecurity reporters and has for years specialized in following online breadcrumbs to uncover the identities of notorious cybercriminals. In this case, Krebs was able to find the real identity behind the handle of a hacker, Rey, who belongs to the notorious, largely teenage cybercrime group calling itself Scattered LAPSUS$ Hunters.
Krebs’ search was so successful that he was able to speak to someone very close to the hacker (we won’t spoil the whole article here) and then to the hacker himself, who confessed to his crimes and claimed he was trying to escape a life of cybercrime.
Independent media outlet 404 Media achieved more journalistic impact this year than most mainstream outlets with far greater resources. One of its biggest wins was uncovering, and effectively shutting down, a massive air travel surveillance program used by federal agencies and operating in plain sight.
404 Media reported that a little-known, airline-founded data broker called the Airlines Reporting Corporation was selling access to five billion airline tickets and travel itineraries, including the names and financial information of ordinary Americans, allowing government agencies such as ICE, the State Department and the IRS to track people without a warrant.
ARC, which is owned by United, American, Delta, Southwest, JetBlue and other airlines, said it would shut down the data-selling program after 404 Media’s reporting and intense pressure from lawmakers.
The December 2024 assassination of UnitedHealthcare CEO Brian Thompson was one of the biggest stories of the year. Luigi Mangione, the prime suspect in the killing, was arrested soon after and charged with using a “ghost gun,” a 3D-printed weapon with no serial number that was privately manufactured without a background check, essentially a weapon the government has no idea exists.
Wired, drawing on its previous experience reporting on 3D-printed weapons, set out to test how easy it would be to make one while navigating the tangled legal (and ethical) landscape. The reporting process is well told, and the video accompanying the story is excellent and chilling.
DOGE, or the Department of Government Efficiency, was one of the biggest stories of the year as Elon Musk’s gang of lackeys tore through the federal government, ripping up security protocols and red tape as part of a massive grab of citizens’ data. NPR had some of the best investigative reporting exposing the resistance of federal workers trying to prevent the theft of the government’s most sensitive data.
In a story detailing a whistleblower’s official disclosure to members of Congress, a senior IT official at the National Labor Relations Board told lawmakers that while he was seeking help investigating DOGE’s activity, he “found a typed letter in an envelope taped to his door, which included threatening language and sensitive personal information,” including details about his dog.
When a story begins with a journalist saying they found something that made them feel like “I’m going to crap my pants,” you know it’s going to be a fun read. Gabriel Geiger found a dataset from a mysterious tracking company called First Wap containing records of thousands of people around the world whose phone locations had been tracked.
The dataset, spanning 2007 to 2015, allowed Geiger to identify dozens of high-profile individuals whose phones were monitored, including a former first lady of Syria, the head of a private military contractor, a Hollywood actor and an enemy of the Vatican. The story explores the shadowy world of phone surveillance carried out by exploiting Signaling System No. 7, or SS7, an obscurely named telecom signaling protocol long known to be abused for surveillance.
Swatting has been a problem for years. What started as a bad joke has become a real threat, one that has resulted in at least one death. Swatting is a hoax in which someone, often a hacker, calls emergency services and tricks the authorities into sending an armed SWAT team to the home of the hoaxer’s target, often by pretending to be the target and claiming to be about to commit a violent crime.
In this feature, Wired’s Andy Greenberg puts a face to the many characters in these stories, such as the dispatchers who have to deal with the calls. It also profiles a prolific swatter known as Torswats who for months plagued dispatchers and schools across the country with fake but highly believable threats of violence, as well as a hacker who took it upon himself to track Torswats down.
