Today in Surveillance:
- EFF mapped exactly which categories of user data each UK age-verification method exposes. Authors Paige Collings and Erica Portnoy walked through five methods (facial estimation, photo-ID, open banking, email, and mobile operator checks) and named vendors Yoti, Persona, k-ID, Private ID, and Incode; EFF warned that data revealing sexual orientation, gender identity, or HIV status can be used by employers, governments, family members, scammers, or bad actors to inflict harassment, discrimination, arrest, or violence [1][2].
- A current Huntress employee forwarded FBI communications to a Russia-based ransomware operator. CEO Hanslovan called the disclosure "poor judgment" in a Tuesday blog post. Former analyst Ben Folland, who left Huntress in February, identified the operator as "Devman," described him as using modified DragonForce code built on leaked Conti source, and said Devman is "actively and publicly targeting my family and me" [3][4].
- Klue's Salesforce integration leaked customer data for hundreds of vendors via a compromised legacy OAuth token. Klue serves more than 250,000 users worldwide; Huntress and LastPass publicly identified themselves as affected. A new group called Icarus, not Shiny Hunters, runs the campaign [5].
- An anonymous researcher "bikini" published working exploits for 15 software projects, with two flaws already under active attack. Named projects include libssh2 (CVE-2026-55200, a pre-authentication RCE), Gitea (CVE-2026-20896, an authentication bypass fixed in 1.26.3), Splunk, RustDesk, 7-Zip, VLC, AnyDesk, OpenVPN, c-ares, and Floci. Federal Signal analyst Ethan Andrews published 44 KQL detection rules across the repo and floated the possibility that bikini used OpenAI's GPT-5.5 Codex to automate discovery [6][7].
- Meta launched Starfire AI glasses, advertised by Kylie Jenner. 404 Media's Samantha Cole connected the launch to the product line's history with law-enforcement surveillance, stalkers, and intimacy violations [8][9].
- Google Threat Intelligence warned that Russian influence operations have refocused on the US and Europe. The Russia-linked group GreyVibe, active since at least August 2025, is documented using ChatGPT, Gemini, and Ideogram AI across stages of operations, with five stated Russian objectives including undermining democracy and dividing Western coalitions [10][11].
EFF: Which UK Age Check Actually Collects Which Data
EFF published an LGBTQ+ Q&A on Tuesday by Paige Collings and Erica Portnoy walking through the data categories each UK age-verification method actually exposes. Five methods carry distinct risk profiles. Facial age estimation sends a photo or video of the face to a third-party server. Yoti and Persona run server-side processing; Yoti claims it deletes the image immediately, while Incode does not auto-delete for photo-ID matching. On-device vendors k-ID and Private ID return only the age result, but EFF warned that background details visible in a selfie, including location, can leak metadata even when the face data does not [1][2].
Photo-ID matching adds a driving license or passport image, plus a selfie, routed to third parties. Open-banking verification confirms 18+ status without sharing a date of birth, and credit-card verification leans on the simple fact that an adult can hold one in the UK. Email verification cross-references the address against banking, utilities, and other services to estimate age, which means a third party aggregates data on the user. Mobile operator verification checks the phone number's age-filter status; the absence of a filter implies 18+. EFF's framing of each method ends with the same conclusion: "There is no perfect, privacy protecting verification service" [1].
The harm list is where EFF drew the line. Data revealing sexual orientation, gender identity, or HIV status can be used by employers, governments, family members, scammers, or bad actors to inflict harassment, discrimination, arrest, or violence. The Q&A lands as the UK Online Safety Act's 18+ checks remain in force under Ofcom guidance. EFF's structural read sits inside the same identity-cache argument that runs through our age-verification coverage: every age check is an identity check, and the identity cache becomes the surveillance prize [12][13].
A Huntress Employee Forwarded FBI Communications to a Russia-Based Ransomware Operator. The CEO Called It "Poor Judgment."
The Register reported Tuesday that Huntress CEO Kyle Hanslovan published a blog disclosing that a current company threat hunter had forwarded FBI communications, including screenshots containing FBI agent names, to a ransomware operator using the handle "Devman." Hanslovan's direct quote: "While this disclosure was not illegal, it reflected poor judgment" [3].
The fuller story came from former Huntress analyst Ben Folland, who left the company in February. Folland alleged earlier in the week that the employee refused to cooperate with investigators because "they wanted Devman," and identified Devman as a Russia-based operator using modified DragonForce code built on leaked Conti source. Folland's framing of his own situation: "Devman is actively and publicly targeting my family and me" [3]. The Register reached out to the FBI for comment and received no response. In his rebuttal, Folland pushed back on the company line: "This was not just 'poor judgment'" [3][4].
The insider-threat angle is the policy payload. A managed-detection vendor with explicit visibility into incident-response work is also a vendor where an employee can decide, on a personal judgment call, what counts as cooperation with law enforcement and what counts as tipping off a target. The Register noted that Devman has used the same DragonForce-modification pipeline across the recent wave of ransomware cases, which means the operational picture for defenders is now tangled with the personal animus between a former employee and the current workforce. Our insider-threat and security-vendor coverage tracks the disclosure-tension through-line [14][15].
Klue's Salesforce Integration Leaked Customer Data for Hundreds of Vendors
The Register reported Monday that around June 11 attackers used a "compromised legacy credential" linked to Klue's Salesforce integration to obtain OAuth tokens and access customers' Salesforce data. Klue serves more than 250,000 users worldwide, and Huntress publicly identified itself as a victim while saying hundreds of companies were affected. LastPass was also among the affected companies [5].
The exposed data was primarily CRM data: business contacts, price quotes, sales-related data, and messaging. LastPass said customer names, phone numbers, email addresses, physical addresses, and case support data were also taken. Huntress stated that no financial information, threat data, passwords, payment-card information, or engineering data was exposed [5].
The campaign is run by a new group called Icarus, active since late April, and not Shiny Hunters, who told The Register they "wish" they had been involved. Icarus is described as "modeled in the same mold" as Shiny Hunters and Scattered Spider, running a mixed ransom and leak operation. The supply-chain angle is the news here: a market-intelligence tool that bills itself as helping vendors close deals became the entry point into security vendors' deal pipelines. Our Shiny Hunters Salesforce-campaign tracker covers the broader pattern [16][17].
"Bikini" Dumped Working Exploits for 15 Software Projects. Two Are Under Active Attack.
The Register reported Monday that an anonymous researcher using the handle "bikini" published a GitHub repository called "exploitarium" containing working exploit code for zero-day vulnerabilities across 15 software products and open-source projects, without notifying any of the vendors or maintainers in advance. The repo has since been removed. The named projects include libssh2, Splunk, RustDesk, 7-Zip, VLC, AnyDesk, OpenVPN, c-ares, Gitea, and Floci [6][7].
Two specific CVEs carry the urgent read. CVE-2026-55200 is a critical pre-authentication remote code execution in libssh2, a heap corruption reachable via crafted SSH packets with an oversized packet length; a fix is merged into mainline but no release has shipped. CVE-2026-20896 is a critical authentication bypass in self-hosted Gitea Docker deployments enabling full takeover, fixed in Gitea 1.26.3. Attackers were already exploiting at least two of the vulnerabilities at the time of publication, though no specific threat actor was named [6].
Federal Signal analyst Ethan Andrews floated the working theory that bikini used OpenAI's GPT-5.5 Codex to automate the discovery and exploit-writing pipeline. Andrews published 44 KQL detection rules covering the full repo, and noted that some disclosures were low-impact AI-fuzzing noise. Bikini's own framing of the dump: "Feel free to report them yourself and take credit for the CVE if handed out lulz." The Register compared the release pattern to "Nightmare Eclipse," though bikini targets many vendors rather than carrying a single-vendor grudge [6]. The practical read for any service running the affected software is fast inventory: which version, on which host, exposed to which network. Our ongoing supply-chain risk coverage tracks the consumer-protection implications [18].
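The inventory pass described above, sketched as an added example (not code from The Register, the researcher, or either project). The hosts, versions, and exposure tiers are constructed, and it assumes every Gitea build below 1.26.3 and every libssh2 release is flagged until a fixed release ships.

```python
import re

# Advisory data from the article; fixed=None means no fixed release has shipped yet.
ADVISORIES = {
    "gitea": {"cve": "CVE-2026-20896", "fixed": "1.26.3"},
    "libssh2": {"cve": "CVE-2026-55200", "fixed": None},
}
EXPOSURE_RANK = {"internet": 0, "internal": 1, "isolated": 2}  # assumed tiers, not from the article
# Constructed sample inventory (hypothetical hosts and versions).
INVENTORY = [
    {"host": "git-01", "product": "gitea", "version": "1.26.2", "exposure": "internet"},
    {"host": "git-02", "product": "gitea", "version": "v1.26.3-rootless", "exposure": "internal"},
    {"host": "git-03", "product": "gitea", "version": "1.26.3-rc1", "exposure": "internal"},
    {"host": "build-07", "product": "libssh2", "version": "1.11.1", "exposure": "isolated"},
    {"host": "web-02", "product": "nginx", "version": "1.27.0", "exposure": "internet"},
]

def parse_version(text):
    """'v1.26.3-rc1' -> ((1, 26, 3), True); the flag marks pre-release tags. None if unparseable."""
    m = re.match(r"v?(\d+(?:\.\d+)*)(.*)$", text.strip())
    if not m:
        return None
    nums = tuple(int(p) for p in m.group(1).split("."))
    return nums, bool(re.match(r"[-.~]?(rc|dev|alpha|beta)", m.group(2), re.I))

def is_affected(product, version):
    """True = needs action, False = at or past the fixed release, None = product not tracked."""
    adv = ADVISORIES.get(product.lower())
    if adv is None:
        return None
    if adv["fixed"] is None:
        return True
    parsed = parse_version(version)
    if parsed is None:
        return True  # unparseable tag such as "latest": fail closed
    have, prerelease = parsed
    fixed, _ = parse_version(adv["fixed"])
    width = max(len(have), len(fixed))
    have, fixed = (v + (0,) * (width - len(v)) for v in (have, fixed))
    return have < fixed or (have == fixed and prerelease)

def triage(inventory):
    """Return affected rows annotated with the CVE, most exposed first (unknown exposure sorts first)."""
    hits = [dict(r, cve=ADVISORIES[r["product"].lower()]["cve"])
            for r in inventory if is_affected(r["product"], r["version"])]
    return sorted(hits, key=lambda r: (EXPOSURE_RANK.get(r["exposure"], 0), r["host"]))

if __name__ == "__main__":
    print(*triage(INVENTORY), sep="\n")
```

Image tags that carry no version number, such as `latest`, are flagged rather than skipped, so they surface for manual checking.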
Meta Launched Starfire AI Glasses, Advertised by Kylie Jenner
404 Media's Samantha Cole reported Tuesday on Meta's launch of Starfire AI smart glasses, with a YouTube ad fronted by Kylie Jenner. The piece situates the launch against the product line's documented history with law-enforcement surveillance, stalkers, and intimacy violations, and references prior 404 Media reporting on facial recognition and CBP use of the glasses [8][9].
The always-on-camera objection rides the launch directly. Smart glasses raise the same surveillance question as the prior Ray-Ban and Name Tag lines, with the celebrity-fronted refresh raising the profile of the question. A Meta spokesperson queried the framing on prior CBP reporting. Our Meta smart-glasses coverage tracks the prior model history, the live facial-recognition hack at RSAC, and the bipartisan Senate pressure [19][20][21].
Russia Refocuses Influence Operations on the US and Europe. GreyVibe Has Been Using ChatGPT and Gemini Since at Least August 2025.
The Register reported Monday on a Google Threat Intelligence analysis warning that Russian influence operations have shifted beyond their near-exclusive Ukraine focus back toward the US and Europe, with increased activity targeting the EU, NATO, and US priorities. The five documented Russian objectives are undermining democracy, dividing Western coalitions, promoting Russia's image and regional interests, maintaining domestic stability, and repressing political dissent within Russia [10].
The Russia-linked group GreyVibe, documented by WithSecure researchers and active since at least August 2025, has used ChatGPT, Gemini, and Ideogram AI across stages of operations, including building malware, spinning up infrastructure, and crafting lures. The shift in focus is the structural read: AI-enabled identity-and-infrastructure pipelines move faster than human teams can build them, and synthetic-persona accounts keep the upstream pressure on. Our AI-policy and platform-integrity coverage tracks the regulatory gap [11][22].
What to Watch This Week
EFF's Q&A in regulatory framing. The Q&A names vendors and methods concretely, which makes it usable as a reference for the next Ofcom consultation cycle and for state-level age-verification bills in the US. Watch whether regulators or vendors respond to the EFF mapping [1][2].
Huntress employee cooperation with investigators. The Register noted the FBI declined to comment. The unresolved question is whether the FBI's law-enforcement outreach to the employee will resume, whether the Folland allegations trigger a separate review, and what the disclosure-to-criminal pipeline looks like inside the company's security team [3][4].
Klue OAuth exposure downstream impact. Klue serves more than 250,000 users. Watch for additional vendor disclosures, the Icarus group's next moves, and whether any of the exposed CRM data feeds targeted phishing against security-vendor staff [5].
libssh2 and Gitea patching. CVE-2026-55200 has a fix in mainline but no release. CVE-2026-20896 is fixed in Gitea 1.26.3. Any operator running these services should verify version and exposure before the active-attack volume scales up [6].
Meta Starfire response window. Watch whether the Senate Markey-Wyden-Merkley privacy concerns get an airing against the Starfire launch, and whether the prior CBP and facial-recognition press returns as a launch impediment [8][19].
Sources
1. EFF Deeplinks, Paige Collings and Erica Portnoy: LGBT Q&A: What Data Are Companies in the UK Collecting When Verifying My Age?, June 30, 2026. https://www.eff.org/deeplinks/2026/06/lgbt-qa-what-data-are-companies-uk-collecting-when-verifying-my-age
2. State of Surveillance: Age Verification Surveillance Infrastructure ID System, the structural brief on the identity-cache argument. /news/age-verification-surveillance-infrastructure-id-system-2026
3. The Register: Huntress CEO says threat hunter used poor judgment in alerting ransomware crim about law enforcement probe, June 30, 2026. https://www.theregister.com/security/2026/06/30/huntress-ceo-says-threat-hunter-used-poor-judgment-in-alerting-ransomware-crim-about-law-enforcement-probe/5264532
4. State of Surveillance: Persona Age Verification Surveillance Biometrics Government Reporting, the brief on vendor reporting obligations. /news/persona-age-verification-surveillance-biometrics-government-reporting-2026
5. The Register: AI may be good at finding security vulnerabilities but it can't beat human stupidity, June 29, 2026. https://www.theregister.com/security/2026/06/29/ai-may-be-good-at-finding-security-vulnerabilities-but-it-cant-beat-human-stupidity/5263262
6. The Register: Anonymous researcher drops 0-day 'exploitarium' repo, June 29, 2026. https://www.theregister.com/security/2026/06/29/anonymous-researcher-drops-0-day-exploitarium-repo/5263961
7. State of Surveillance: Anthropic MCP Vulnerability RCE AI Supply Chain 150 Million Downloads, the AI-supply-chain attack-surface vessel. /news/anthropic-mcp-vulnerability-rce-ai-supply-chain-150-million-downloads-2026
8. 404 Media, Samantha Cole: Meta launches Starfire AI smart glasses, advertised by Kylie Jenner, June 30, 2026. https://www.404media.co/meta-smart-glasses-starfire-kylie-jenner/
9. State of Surveillance: ACLU 75 Organizations Meta Facial Recognition Glasses Name Tag, the prior name-tag vessel. /news/aclu-75-organizations-meta-facial-recognition-glasses-name-tag-2026
10. The Register: Four years into Ukraine invasion, Russia turns influence ops back to US and Europe, June 29, 2026. https://www.theregister.com/security/2026/06/29/four-years-into-ukraine-invasion-russia-turns-influence-ops-back-to-us-and-europe/5264011
11. State of Surveillance: Anthropic ID Verification Consumer Capabilities July 8, the AI-identity-verification structural vessel. /news/anthropic-id-verification-consumer-capabilities-july-8-2026
12. State of Surveillance: Cory Doctorow Age Verification Is Mass Surveillance, the prior AV mass-surveillance vessel. /news/cory-doctorow-age-verification-is-mass-surveillance-2026
13. State of Surveillance: Yoti GrapheneOS Age Verification Privacy Phone Reported Authorities, the prior Yoti reporting vessel. /news/yoti-grapheneos-age-verification-privacy-phone-reported-authorities-2026
14. State of Surveillance: 149 Million Passwords Exposed Infostealer Database, the credential-exposure structural vessel. /news/149-million-passwords-exposed-infostealer-database-2026
15. State of Surveillance: Amazon Meta Employee Surveillance Badge Tracking, the corporate mobile-device policy tracker. /news/amazon-meta-employee-surveillance-badge-tracking-2026
16. State of Surveillance: ShinyHunters 2026 Breach Tracker Salesforce Carnival Canvas Campaign, the broader Salesforce-campaign tracker. /news/shinyhunters-2026-breach-tracker-salesforce-carnival-canvas-campaign
17. State of Surveillance: TransUnion Salesforce ShinyHunters Breach, the prior Salesforce-campaign vessel. /news/transunion-salesforce-shinyhunters-breach-2026
18. State of Surveillance: AWS Bedrock Mythos 30 Day Retention Enterprise IT Playbook, the supply-chain AI-policy vessel. /news/aws-bedrock-mythos-30-day-retention-enterprise-it-playbook-2026
19. State of Surveillance: Senators Meta Facial Recognition Smart Glasses Markey Wyden Merkley, the Senate-pressure vessel. /news/senators-meta-facial-recognition-smart-glasses-markey-wyden-merkley-2026
20. State of Surveillance: RSAC Meta Smart Glasses Facial Recognition Hacked Live Demo, the RSAC facial-recognition vessel. /news/rsac-meta-smart-glasses-facial-recognition-hacked-live-demo-2026
21. State of Surveillance: 64 Groups Oppose Meta Smart Glasses Facial Recognition Congress, the coalition letter vessel. /news/64-groups-oppose-meta-smart-glasses-facial-recognition-congress-2026
22. State of Surveillance: Anthropic Fable 5 Silent Guardrails Apology AWS Bedrock Data 30 Day, the AI-policy vessel. /news/anthropic-fable-5-silent-guardrails-apology-aws-bedrock-data-30-day-2026