Federal contracting records reviewed by WIRED this week show that United States Customs and Border Protection is transitioning from testing small drones to using them as standard surveillance tools, a move that will further expand CBP’s already extensive dragnet that in some cases extends far beyond US land borders.

Meanwhile, US Immigration and Customs Enforcement is planning to incorporate a broad cybersecurity contract that will include expanding employee surveillance and monitoring. The move comes as the US government is escalating leak investigations and condemning internal dissent.

The Chinese-language artificial intelligence app Haotian can be used to create “nearly perfect” face swaps during live video chats, and it is a favorite tool of Southeast Asian scammers. A WIRED investigation along with independent research indicates that the company has actively marketed its tools to scammers, often via Telegram. Haotian’s main Telegram channel vanished after WIRED contacted Telegram for comment.

Fraudsters in China are using AI-generated images of supposedly defective products and services gone awry—from dead crabs to shredded bed sheets—to convince ecommerce sites to give them refunds.

And there’s more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

The hacker collective known as the Com has rampaged across the internet for years, breaching hundreds of companies for nihilistic fun and profit. Now they’ve hit a particularly large and sensitive trove of highly personal data: user records for PornHub, the world’s biggest porn site.

ShinyHunters, a subgroup within the Com, appears to have stolen more than 200 million records for PornHub premium users, a total of 94 gigabytes of data detailing users’ histories on the site linked to their account information, including email addresses. According to a public statement from PornHub, the data appears to have been taken from MixPanel, a data analytics firm the porn site used until 2021, suggesting the breached data may be four years old or older. BleepingComputer, the media outlet that broke the news of the breach, reports that PornHub has received extortion emails from the hackers over the last week. No doubt quite a few of the site’s users are hoping PornHub will pay—and that ShinyHunters will keep their personal browsing private.

Venezuela Blames the US for a Cyberattack on Its State Oil Firm

Venezuela’s state oil company, Petróleos de Venezuela (PDVSA), says a cyberattack disrupted its administrative systems shortly after the US military seized a tanker carrying nearly 2 million barrels of Venezuelan crude. In a public statement, PDVSA said operations continued, but it accused the US of orchestrating the intrusion as part of a broader campaign against the country’s energy sector. Reporting by Reuters suggests the attack may have been more damaging than PDVSA acknowledged, temporarily halting oil cargo deliveries and taking internal systems entirely offline.

The episode followed an unusual escalation by Washington in its ongoing standoff with Caracas, which has been marked by dueling claims over sovereignty and security, and by maritime strikes and seizures targeting vessels that US officials have linked to criminal networks operating under the protection of Venezuelan president Nicolás Maduro—an allegation for which the Trump administration has presented no public evidence.

Hackers Have Exploited a Cisco Zero-Day Since November—And Still No Patch

Network “edge” devices like routers, VPNs, and firewalls have become a prime target for hackers hunting for inroads to breach their targets. So the news of an unpatched, critical security vulnerability in a range of Cisco products represents a feeding frenzy—and one that network intruders have quietly enjoyed for weeks. Cisco’s Talos research team this week revealed a zero-day in Cisco’s Secure Email Gateway and Secure Email and Web Manager products that use its AsyncOS software, noting that it had been exploited since late November by hackers who appear to be a Chinese state-sponsored group. Worse still, Cisco doesn’t appear to have a patch ready to fix the vulnerability even now.

A Cisco advisory notes, however, that the vulnerability lies in the devices “spam quarantine” feature, which isn’t exposed on the internet by default and can be taken offline as a mitigation measure until a patch is available. “We strongly urge customers to follow guidance in the advisory to assess any exposure and mitigate risk,” reads a statement from Cisco. “Cisco is actively investigating the issue and developing a permanent remediation.”

Two Cybersecurity Firm Staffers Plead Guilty to Ransomware Attacks

Plenty of cybersecurity professionals must have entertained the thought that it’s more lucrative on the dark side. But two men who worked at the cybersecurity companies Sygnia Consulting and DigitalMint actually decided to try it. After launching their own ransomware campaign that went as far as extracting a million dollars from a Florida medical device company, they’ve now pleaded guilty to hacking charges. Ryan Clifford Goldberg worked for Israeli firm Sygnia as an incident responder, while Kevin Tyler Martin worked for US cybersecurity company DigitalMint as, ironically, a ransomware negotiator, while also allegedly acting as an affiliate of the notorious ALPHV ransomware gang. A third alleged co-conspirator is mentioned in court filings but wasn’t charged in the case.