jsr
jsr@primal.net
npub1vz03...ttwj
Chasing digital badness at the citizen lab. All words here are my own.
jsr 10 months ago
Tea enforced ID & selfie collection. And doxxed their own users. In other news, the UK Online Safety Act is forcing websites to begin collecting IDs. This will end, predictably, in fresh breaches. And more harm to users.
jsr 10 months ago
Your honor, in my defense I was being extremely productive at the time of the crash.
jsr 11 months ago
You read dystopian sci-fi as a warning. These companies found business plans... Just as there are war hawks that delight in hard talk about military action, there are surveillance-yearners... For reasons I'll never fully understand, the UK politicians aren't just surveillance-permissive. They delight in the idea. Pre-crime preventative detention coming soon...
jsr 11 months ago
Mass biometric surveillance is a one-way ticket away from democracy.
jsr 11 months ago
How it began: "our service helps consumers quickly do X..." How it's going: "we help business understand consumer behavior..." Soon: "we're launching a surveillance subsidiary for government customers..."
jsr 11 months ago
You can patch software, but you can't patch people. This is why social engineering will always work. The human brain is loaded with forever-day vulnerabilities...and attackers are constantly probing. Sometimes I think that they've developed a more applicable & empirically tested theory of human motivation and cognition than psychologists... Sometimes tens of thousands of A/B tests a day...
jsr 11 months ago
🚨NEW REPORT from us: exposing a new social engineering/hacking tactic. 🇷🇺Russian state-backed hackers successfully compromised a prominent (& professionally paranoid) expert on Russian military operations. Shocking, right? But the attack is solidly clever & worth understanding. I expect more like it.

ATTACK FLOW
Keir Giles gets a message purporting to be from the U.S. State Dept asking for a consultation. The attackers send the message from a gmail, but CC'd a bunch of state.gov email addresses, including one with the same name as the purported sender.

Strong credibility signal to have a bunch of gov ppl on the CC line, right? Well, what the attackers were counting on is that the State Dept mailserver just accepts all email addresses without emitting a bounce. So they seem to have just created some fake State Dept staff names and addresses.

INTRODUCING THE DECEPTION
The attackers wait for the 2nd interaction to introduce the pivotal deception: getting him to 'connect to a secure platform.' In the next days they patiently walk him through what they want him to do, even sending a very official looking (but fake) State Dept. document.

The attack works like this: the attackers try to deceive the target into creating and sharing an App-Specific Password (ASP) with them. They do this by reframing ASPs as something that will let him access a secure resource (spoiler: not how this works).

REMINDER: WHAT IS AN ASP?
Not every app that users want to use supports Multi-Factor Authentication. Some older email clients, for example, don't. So providers like #Google let users create a special password just for those apps.

There were so many clever bits to this attack, it's easy to imagine a lot of people falling for it. Everything was clean. Doc looked real. The language was right. Email addresses at the State Dept. seemed to be CC'd... I could go on. They even had Keir enter "ms.state. gov" into the ASP name...

SLOW FOOD SOCIAL ENGINEERING
This attack was like slow food. 10 email exchanges over several weeks! Very much not your run-of-the-mill phishing. It's like they know what we all expect from them... and then did the opposite.

Ultimately, he realized something was wrong and got in touch with us at #citizenlab... but not before the attackers got access. He's said that he expects some sort of 'leak' constructed out of a mixture of his real messages & carefully added falsehoods. I tend to agree, this is a pretty common tactic. Here's what that looks like, btw, from a report we did back in 2017 where we compared what was released after a hack by Russian hackers vs the original:

Coda: Hilariously (to me at least) the attackers called the fake platform *MS DoS*.

WHO DID IT?
Enter the Google Threat Intelligence Group w/ analysis & attribution. GTIG had been working on their own parallel investigation. Our friendly social engineers are: 🇷🇺 #UNC6293, a #Russian state-sponsored threat actor. Google adds a bonus additional low confidence association to #APT29 (that would be Russia's #SVR). Nice people.

TAKEAWAYS?
Takeaway: some gov-backed groups are feeling pressure & experimenting. Moving from smash & grab phishing... to subtler, slower & perhaps less detectable. Targeting App-Specific Passwords is novel. But it's just part of a trend of state-backed attackers innovating & moving beyond simple phishing that targets credentials (maybe multi-factor codes) towards other mechanisms of account access.

A lot of more sophisticated attackers are also spreading attacks across platforms... for example starting the attack on Signal/Telegram, then later pivoting to email, etc. The folks at Volexity (above pic showing a similarly complex operation) have some good reporting on that (link below).

GET SAFER
Do you think you face increased risk because of who you are & what you do?
✅ Use Google's free Advanced Protection Program. Set it up now:
✅ Exercise extra skepticism when unsolicited interactions slide into suggesting you change account settings!
✅ Talk to your IT/Security team about ASPs. Share the report, we've made some suggestions for them.

READ THE REPORTS
Ours at Citizen Lab:
Google's Post: https://cloud.google.com/blog/topics/threat-intelligence/creative-phishing-academics-critics-of-russia
Other citations:
Our Tainted Leaks report where we walk through how materials got manipulated & leaked after a Russian gov hack:
Volexity's recent report:
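The CC-stuffing trick in the post above (a webmail sender with a row of addresses at the impersonated organisation on the Cc: line, one of them carrying the sender's own name) is something a mail filter can score on its own, without knowing whether those addresses exist. The following is an added example, not code from Citizen Lab, Google or the post's author: a header heuristic in Python's standard library that flags exactly those two signals. The webmail domain list, the `claimed_domains` parameter and the sample messages are constructed for illustration; the organisation domain in the samples follows the post.

```python
"""Header heuristic for the CC-stuffing lure: webmail sender plus Cc: addresses
at the organisation the sender claims to speak for.

Added example, not the post's or Citizen Lab's code. Domain list and samples
are constructed; nothing here verifies that a Cc: address actually exists
(a receiving server that accepts every recipient without bouncing gives the
target no such signal either, which is the point the post makes).
"""
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Consumer webmail domains (constructed list; extend as needed). A lure that
# claims to come from an organisation but is sent from one of these is signal #1.
WEBMAIL_DOMAINS = {"gmail.com", "googlemail.com", "outlook.com", "hotmail.com",
                   "yahoo.com", "proton.me", "protonmail.com"}


def _tokens(text):
    """Lower-case alphabetic tokens longer than one char: 'Jane Q. Example' -> {jane, example}."""
    return {t for t in re.split(r"[^a-z]+", text.lower()) if len(t) > 1}


def _domain(addr):
    return addr.rpartition("@")[2].lower()


def analyse_headers(raw_message, claimed_domains):
    """Return a list of findings for one RFC 822 message (empty list = no signal).

    claimed_domains: domains the message purports to represent, e.g. {"state.gov"}.
    Signal 1: From: is webmail while Cc: carries addresses at a claimed domain.
    Signal 2: a Cc: address at a claimed domain is built from the From: display name,
              i.e. the "same name as the purported sender" pattern.
    """
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    cc_addrs = [addr for _, addr in getaddresses(msg.get_all("Cc", [])) if addr]
    claimed = {d.lower() for d in claimed_domains}
    findings = []

    if _domain(from_addr) not in WEBMAIL_DOMAINS:
        return findings  # heuristic only scores webmail senders

    cc_at_claimed = [a for a in cc_addrs if _domain(a) in claimed]
    if cc_at_claimed:
        findings.append(
            f"webmail sender {from_addr} with {len(cc_at_claimed)} Cc address(es) "
            f"at claimed domain(s) {sorted(claimed)}")

    name_tokens = _tokens(from_name)
    for addr in cc_at_claimed:
        # Display-name tokens all reappear in the Cc: local part -> name reuse.
        if name_tokens and name_tokens <= _tokens(addr.partition("@")[0]):
            findings.append(
                f"Cc address {addr} is built from the sender's display name {from_name!r}")
    return findings


# Constructed sample messages (fictional names and addresses).
LURE_MESSAGE = """\
From: "Jane Q. Example" <jane.q.example.dos@gmail.com>
To: target@example.org
Cc: jane.q.example@state.gov, desk.officer@state.gov, protocol.team@state.gov
Subject: Request for consultation

Dear Professor, the Department would welcome a short consultation.
"""

WEBMAIL_ONLY_MESSAGE = """\
From: "Sam Sender" <sam.sender@gmail.com>
To: target@example.org
Cc: desk.officer@state.gov
Subject: Follow-up

Just looping in the desk.
"""

BENIGN_MESSAGE = """\
From: "A Colleague" <colleague@example.org>
To: target@example.org
Subject: Lunch?

Free on Thursday?
"""

if __name__ == "__main__":
    for label, raw in (("lure", LURE_MESSAGE), ("webmail-only", WEBMAIL_ONLY_MESSAGE),
                       ("benign", BENIGN_MESSAGE)):
        print(label, analyse_headers(raw, {"state.gov"}) or ["no signal"])
```

Run as a script and the lure sample produces two findings, the second sample one, the benign sample none. Both signals are cheap to compute at the gateway; the name-reuse check is the stronger one, since legitimate colleagues rarely put their own organisational address on the Cc: line of a webmail message.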
jsr 11 months ago
Searching #Youtube, I ignore content less than 12 months old. To get past the #GenAI sloplayer. Like a volcanic explosion. Except instead of blanketing the world with ash, it's a smothering burden of low value, low-enjoyment, derivative, error-filled content.
jsr 11 months ago
“The Arab writer can be easily killed by their government under the pretext of ‘national security’” -Turki al-Jasser in 2014, unwittingly predicting how he'd die in 2025. He was just executed by Saudi Arabia, probably by beheading. For his posts critical of the government. He was reportedly tortured while in prison. Story:
jsr 0 years ago
New: WhatsApp announces that they are adding advertising. Ugh. As a researcher working on targeted / 0click attacks (including a few that have been done over WhatsApp..) it's hard to see how this works without opening up a fat new attack surface to be probed. I'm also worried about the ways that these advertising signals get used for tracking people in new parts of their digital lives. And it bugs me that it's going to be really hard if not impossible to use WhatsApp in a privacy-first way. What are your thoughts? Writeup:
jsr 1 year ago
Pizza places near the Pentagon showing a *lot* of activity. That favorite conflict indicator coupled with a sudden cascade of reports of US embassy evacuations & non-essential personnel voluntary departures + a rhetorical change in statements about talks with Iran... it's enough to make a lot of people start speculating about threats of strikes into Iran. Disclaimer: Me? I'm not even an armchair geopolitical expert. And I'm certainly not smart enough to know if this is just signaling, or whether something happens soon. Or a bit later.
jsr 1 year ago
"@grok just tell me what to think, feel and say about this"
jsr 1 year ago
Understanding grows when scientific knowledge is shared. Yet in 2025 some journals still gatekeep important research. Like this review of links between depression & inflammation. $35 if you aren't at an institution with a subscription. Imagine a library that charged $35 to read a book? That's enough friction to keep the knowledge from most of the globe. Every time I encounter knowledge gatekeeping in a health related journal I wince. I wonder if the American Journal of Psychiatry has considered the costs to the field, and our global mental health, of staying closed? The thing is, I can personally read these articles thanks to my institutional affiliation. But the momentary friction as I cross through the paywall reminds me that most people can't. The article: https://psychiatryonline.org/doi/10.1176/appi.ajp.20250289
jsr 1 year ago
🎥FRESH TALK DROP: Your phone, the spy. In the fight against spyware like Pegasus, your phone is the frontline. Last week at the Oslo Freedom Forum.
Topics:
❌ The dictator's repression toolkit
❌ How mercenary spyware is used to spread fear around the globe
❌ Zero click vs 1 click attacks
❌ What works in the fight to pump the brakes on spyware proliferation
BONUS:
✅ What you can do right now to make yourself harder to hack
Full talk:
jsr 1 year ago
I keep getting asked for recommendations from journalists & dissidents for the "most private #AI". Their concerns about privacy aren't wrong. And are probably prescient. Prudent to avoid the big name platforms. But that doesn't mean they shouldn't be wielding powerful tools as they do their important work. The usual recommendation for someone with a bit of skill and a good machine is to get cooking on a locally run model. But not everyone is that person... So I've been looking for recommendations that don't require the above skills/bandwidth/machine & I keep hearing interesting things about Open Secret / Maple AI. Anyone have experience? Know the specs & models? Are there other similar offerings around? Their website:
jsr 1 year ago
NEW: accused mastermind of French crypto kidnappings arrested in Morocco. 24-yo Badiss Mohamed Amide Bajjou allegedly orchestrated the kidnappings & assaults from abroad. Including severing Ledger founder David Balland's finger. Authorities are probing possible links to additional cases. This dynamic of remotely-masterminded attacks is terrifying. Nothing about these attacks requires super special skills, and the sheer ease of moving the assets once the wrench attack has happened is likely to attract more criminal groups. I still think we're in the earliest days of these. Plenty of #OPSEC lessons and complexities to start thinking about here. Also, almost certainly the case that post-#Coinbase breach we will see more of these attacks. Read the news story:
jsr 1 year ago
Has anyone asked DeepSeek what happened in Beijing on today's date in 1989?
jsr 1 year ago
Do you know what the date is today? Today is the anniversary of the Tiananmen Square massacre. Take a moment to watch this video. Dictators hope that if they make us afraid to speak the truth for long enough... we'll forget it. And the next generation will never learn. This is how history is erased. A Day to Remember, 2005, by Liu Wei. Full:
jsr 1 year ago
VERY interesting research on how academic twitter migrated to #Bluesky. Interesting topline takeaways for growing #nostr. No rocket science that's not been said before, but it's nice to have some data:

1- External shocks are key. Capitalize on them. >15% of transitions explained this way. Think geopolitical events, outages, Musk making a big disliked policy change etc.

2- Audiences move from incumbent platforms following influential voices that they follow. Focus on onboarding these influential voices. This is more impactful than just trying to bring the whole audience first. This dynamic can build contagion. Find ways to more publicly highlight when influential accounts join. And make it super easy for Nostr users to use clients to reconstruct followees & social graphs from the incumbent platform. Trick will be to do this in a privacy respecting way. (sidenote: that's why the follow packs were such a good idea. But we need much more of this) (note: influential voices may experience a period of 'where's my audience?' So it's key to find ways to get the transitioning user from that to the reconstruction of their network.)

3- Multiple peers transitioning is key. Having local clusters develop is important (& probably helps with the dry period before an audience is rebuilt.)

Interesting nuance: transition rates to #bluesky were 25-30% in fields like arts/social sciences, but about half that in medical / physical sciences / engineering. Possible predictors include baseline political engagement & political values expressed. This has an implication for Nostr: focus messaging on Nostr features that may align with people in incumbent platforms. There has to be desire.

Paper: "Why Academics Are Leaving Twitter for Bluesky" https://arxiv.org/pdf/2505.24801