Zach Edwards
LightNews LightNews
banner
thezedwards.bsky.social
Zach Edwards
@thezedwards.bsky.social
1.3K followers 6.5K following 3.7K posts
data supply auditor | privacy & ad tech expert | internet threats

Personal @ victorymedium.com
Sr Threat Analyst @ SilentPush.com
Posts Replies Media Videos
thezedwards.bsky.social
Today our team at @silentpush.bsky.social released research we’ve been working on all year – a magnum opus 39-page report on the state of Bulletproof Hosting Providers.

Brief thread with some details

Read the report @ www.silentpush.com/white-papers...
White paper cover with the "Silent Push" logo and the word "White Paper" above the title "Shining a light on the Global Bulletproof Hosting Ecosystem" and a picture of red storms over a large cityscape
December 15, 2025 at 7:31 PM
thezedwards.bsky.social
Found a "great deal" in about 30 seconds of hunting -- 1k abuse reports on YouTube for $100 - a mere 10 cents per report! This is the type of bot farm product that shit birds use when they want to harass researchers and other folks.
Screenshot of a web interface with "Category" "Report Service" and "service" is "Youtube VIdeo Reports - $100.50 per 1000" Description is: "Real users from unique accounts will report the YOutube video you order in link section. 0-12 hours start, 500-1000 reports daily. Please use this service for the profiles which is harmful for society such as drugs or other illegal things. We can't guarantee the video will be suspended, please use accordingly. However please do not forget these are just estimations.
December 13, 2025 at 6:17 PM
thezedwards.bsky.social
YouTube suspended my ~15+ year old account and all my videos due to a video I recorded about scammers targeting US government and military offices, which was embedded into articles like @ www.vice.com/en/article/w... from @josephcox.bsky.social

I was likely targeted by a mass reporting campaign.🤡
Screenshot of an article with the text “I’ve seen this on probably 50 different government subdomains,” Edwards added in the video. Some impacted sites included Senator John Tester’s site and one belonging to the Minnesota National Guard, both of which were pushing viagra products. And then a broken YouTube embed with the text "Video Unavailable" and then the text “100% of the .gov sites I’ve reported have cleaned it after I reported it, but it’s still constantly happening,” Edwards told Motherboard.
December 12, 2025 at 4:18 PM
thezedwards.bsky.social
a 5+ year old bug ticket was finally closed by Google - this was actually the last significant investigation into Chrome extensions that I did because the feedback loop was so challenging

definitely still a place with research opportunities and threat actors regularly doing weird stuff! 🖖
GMAIL screenshot with the email subject line "Re: Issue 159469672: other in ~59 Chrome extensions in orchestration file, associated with malware group" with the detail Changed status: In Progress (Accepted) → Fixed
November 19, 2025 at 3:47 PM
thezedwards.bsky.social
fun to see my mom in this crowd shot from the No Kings rally in Houston featured by the Houston Chronicle @ www.houstonchronicle.com/projects/202...
Large crowd of people at the No Kings rally in Houston, includes signs and flags and a blue and red and white umbrella and several inflatable frogs
October 19, 2025 at 4:40 AM
thezedwards.bsky.social
I’ve got this 100+ year old copy of an old play about Abraham Lincoln’s life which was owned by someone named Alden Nash who had an interesting personal emblem that he screen printed & glued onto the cover page.

The play was shown at the Birmingham Repertory Theatre then the Hammersmith Playhouse.📚
Picture of a light blue book cover with a drawing of Abraham Lincoln and the text “Abraham Lincoln A Play By John Drinkwater” A book page with a large black box glued to it with a white border in the box - the text says “ExLibris Alden Nash” and there is a strange symbol in the middle which appears to be the personal emblem of this Nash individual. The symbol has a double cross on top of a circle with a N in part of the circle. The circle is split by a horizontal line and part of the vertical line of the cross above.
September 9, 2025 at 2:46 AM
thezedwards.bsky.social
Our team @silentpush just dropped a definitive look at SocGholish (operated by TA569) and the initial access broker ecosystem they are facilitating. Big thanks to past researchers who have worked on SocGholish! We've got details about our visibility @ www.silentpush.com/blog/socghol... 🖖🏻
Mind map of SocGholish (Operated by TA56) infection chains. The details are complex but explained in more detail on our blog post.
August 6, 2025 at 7:49 PM
thezedwards.bsky.social
This AI Agent from Cluep[.]com claims to scrape data from: Twitter, Youtube, Linkedin, Pinterest, Reddit, Tumblr and TikTok

They claim that they are scraping these networks then using "APIs" to further scrape "the user’s geographic coordinates, device type and demographic data"

how? WTF?
The agent ingested TikTok videos about fried chicken, LinkedIn posts riffing on halal pizza and Pinterest boards showcasing nights at the movies. Then, it dove deeper into the social platforms, deriving user information from their application programming interfaces (APIs). This data differed from platform to platform but often included the user’s geographic coordinates, device type and demographic data, Walia said.
May 21, 2025 at 4:24 PM
thezedwards.bsky.social
21 year-old money launderer for a $265 million crypto theft ring was helping members exchange crypto for cash and mailing $25k in cash through the mail put inside "Squishmallow" stuffed animals www.cnbc.com/amp/2025/05/... 🫧🐰
Image of a purple "Squishmallow" that is 10 inches called Bubbles the Bunny. It's an oval pillow looking thing that is purple with bunny ears and a white fluffy circle on the bottom that is the feed and a crown of flowers that are purple with pink center, white with purple center, and pink with white center and the eyes are shaped half circle with open smiling mouth
May 17, 2025 at 5:29 AM
thezedwards.bsky.social
It was an honor and a pleasure to speak at Bsides SF - totally love that they had an artist draw my presentation ⬇️
Colorful poster board with the text “a deep dive into triad nexus pig butchering and money laundering network” with additional graphics and details IMAX screen with the text “a deep dive into the triad nexus pig butchering and money laundering network”
April 27, 2025 at 11:58 PM
thezedwards.bsky.social
...and the “solution” is an easy “click fix” copy and paste trick, which leads to malware if the unsuspecting developer completes the process.
Screenshot of a website with blurred out image in the background and a pop-up that says "Access to your computer..." along with other details. A section of code is highlighted which if copy / pasted would execute malware on a computer.
April 24, 2025 at 7:44 PM
thezedwards.bsky.social
cheers ya it's an interesting definition. i played w/ Gemini awhile ago and confirmed it still doesn't give you lists of URls but if you click the "Retry with Google Search" it does..

any ruling broadly covering this search concept could impact Gemini - would also impact Programmable Search Engine
Screenshot of a conversation with Google Gemini where first person writes "Got any good URLs for sports?" Gemini responds "Sorry, I can't help search the web for URLs yet, but I'm still learning." Then the button "Retry with Google Search" is clicked and Google Gemini responds: Sure, here are some good URLs for sports: ESPN: https://www.espn.com/ - The World Wide Leader in Sports Sports Illustrated: https://www.si.com/ - The Sports Illustrated website Bleacher Report: https://bleacherreport.com/ - Sports news and highlights CBS Sports: https://www.cbssports.com/cbssports - Sports news, scores, and highlights Fox Sports: https://www.foxsports.com/ - Sports news, scores, and highlights NBC Sports: https://www.nbcsports.com/watch - Sports news, scores, and highlights The Athletic: https://www.nytimes.com/athletic/ - In-depth sports journalism The Ringer: https://www.theringer.com/ - Sports and pop culture commentary SB Nation: https://www.sbnation.com/ - A network of sports blogs Deadspin: https://deadspin.com/ - Sports and pop culture commentary
March 11, 2025 at 9:11 PM
thezedwards.bsky.social
The singular organization who has prevented WWIII for decades is being attacked by this administration. We're losing allies, losing trade deals and becoming less safe due to how these folks see Russia as allies and all our traditional allies as enemies. This is completely backwards global diplomacy.
Screenshot of Elon Musk saying "I agree" to a tweet from someone named Gunther Eagleman who wrote, "It's time to leave NATO and the U.N."
March 2, 2025 at 4:38 PM
thezedwards.bsky.social
I had to triple check this was accurate, that the President of the United States is endorsing three garbage crypto tokens tied to countless scandals, and likely untold numbers of investors got a heads up and made bank off the announcement. In the end, this will lose people money & hurt our country.
Post from President Donald J Trump on Truth Social which reads, "A U.S. Crypto Reserve will elevate this critical industry after years of corrupt attacks by the Biden Administration, which is why my Executive Order on Digital Assets directed the Presidential Working Gruop to move forward on a Crypto Strategic Reserve that includes XRP, SOL, and ADA. I will make sure the U>S. is the Crypto Capital of the World. We are MAKING AMERICA GREAT AGAIN!"
March 2, 2025 at 4:30 PM
thezedwards.bsky.social
X specifically setup bot defenses so that viewing tweets requires having an account. You can see in this video if you open a tweet in an incognito / non-logged-in state, then click "replies" you immediately are prompted w/ a login, then blocked from reading more.
February 1, 2025 at 7:29 PM
thezedwards.bsky.social
The top downloaded / viewed PDF across the .gov ecosystem yesterday was for the OPM forking memo @ www.opm.gov/media/cbklse... according to analytics.usa.gov
Screenshot of a table from the Federal Government's public Analytics account showing "Top Downloads" with the text "Top downloads played yesterday on U.S. Federal Government hostnames." with a link to "Download the data" and a dropdown that says "Yesterday" The first result under this is titled "Latest Memos from www.opm.gov with a download file link. It had 29,988 downloads. The second is "About Form W-9, Request for Taxpayer identification Number and Certification.." from irs.gov which has 26k downloads. The next is a UCIS Employment eligibility form with 23k downloads and then just ucis or IRS downloads going from 17k to 13k to 13k to 12k to 11k to 11k to 11k
January 31, 2025 at 2:22 AM
thezedwards.bsky.social
... to connect up their criminal client websites through a series of CNAME records they control, which are then mapped to hundreds of IP addresses that are hosted at a variety of providers.

You can see this DNS data flow via the chart attached:
Screenshot of a mind map. On the left is the detail "FUNNULL customer hostname" connected by "CNAME" to 6 domains that look like fn01[.]vip and funnull[.]vip with slight variations on numbers on the other 4. This chain is connected by another "CNAME" line into 3 additional CNAME records, for fn301[.]vip + fnvip100[.]com + funnull10[.]com and then those records are connected with a line that says "A" for "DNS A records" and then that is connected to a line that says "FUNNULL's POP IP addresses" This is a flow how how websites stay online in FUNNULL CDN Infrastructure
January 30, 2025 at 7:52 PM
thezedwards.bsky.social
You can see this exact same behavior on their app-ads.txt file @ www.nytimes.com/app-ads.txt -- all DIRECT accountIDs, all owned by NYtimes directly.

If you are a publisher, this is the best way to prevent 3rd parties from selling your user data. But it's also complex and requires a big team.
Screenshot of the NYTimes app-ads.txt file. Text includes: OWNERDOMAIN=nytimes.com # Index Exchange # Updated 10/26/2023 by JT indexexchange.com, 184733, DIRECT #OB # Magnite # Updated 10/26/2023 by JT rubiconproject.com, 17470, DIRECT #OB # PubMatic # Updated 10/26/2023 by JT pubmatic.com, 158573, DIRECT, 5d62403b186f2ace #OB # Google google.com, pub-4177862836555934, DIRECT, f08c47fec0942fa0 # Media.net # Updated 2/21/2024 by JT Media.net, 8CU4XCJ1B, DIRECT #OB # OpenX # Updated 2/21/2024 by JT openx.com, 539052954, DIRECT, 6a698e2ec38604c6 #OB # TripleLift # Updated 2/21/2024 by JT triplelift.com, 746-EB, DIRECT, 6c33edb13117fd86 #OB triplelift.com, 746, DIRECT, 6c33edb13117fd86 #OB # Adswizz adswizz.com, 463, DIRECT
January 10, 2025 at 1:57 AM
thezedwards.bsky.social
All websites and apps need to appreciate that all vendors they list within their ads.txt + app-ads.txt are being given enough data about your users to sell it. That's why really serious orgs who really know what the fuck is going on with the bid stream like the NYTimes, have ZERO 3rd party vendors:
Screenshot of the Nytimes.com ads.txt file located at https://www.nytimes.com/ads.txt - the screenshot contains ad tech domains separated by an accountID after a comma, and then another reference for "DIRECT" which is highlighted throughout the page. There are 29 lines that mention "DIRECT" and a similar number of ad tech domains listed.
January 10, 2025 at 1:57 AM
thezedwards.bsky.social
What annoys me the most about this beyond the macro privacy concerns of RTB? It's 2025 & app companies who have faced some of the biggest data privacy scandals in the world are still responding to reporters and sharing their "list of data partners" without including a link to their app-ads.txt file.
Text from the Wired / 404 report with the text "A Grindr spokesperson told 404 Media in an email that “Grindr has never worked with or provided data to Gravy Analytics. We do not share data with data aggregators or brokers and have not shared geolocation with ad partners for many years. Transparency is at the core of our privacy program, therefore the third parties and service providers we work with are listed here on our website.” Grindr was previously found to have allowed data brokers to obtain its users’ location data."
January 10, 2025 at 1:57 AM
thezedwards.bsky.social
imo it's really important to not muddle that Apple settled this case because Siri can unintentionally record conversations *but* Apple also said numerous times that the lawsuit's argument of "and the audio data was sold + used for ads" was basically laughable... Apple doesn't admit to this! ⤵️
Apple repeatedly moved to dismiss the suit, arguing that "there are no facts, much less plausible facts, that tie Plaintiffs’ receipt of targeted ads to their speculation that Siri must have been listening to their conversations, and Apple must have used Siri to facilitate targeted ads by third parties." Through the settlement agreement, Apple ultimately agreed that Siri unintentionally recorded private conversations and is likely hoping the settlement will finally end the controversy for good.
January 2, 2025 at 8:24 PM
thezedwards.bsky.social
Our team believes that threat actors abusing cracked versions of Acunetix is a new threat vector for numerous enterprise organizations. Keep your eyes peeled for that scanner hitting your endpoints!
Screenshot of computer terminal with numerous "GET and POST" requests to a variety of API / endpoints with "404" after some and "200" after others
December 19, 2024 at 6:02 PM
thezedwards.bsky.social
Our team was able to acquire additional details about how Araneida works, and can report that the threat actors behind this are openly bragging in a Telegram channel about how many successful attacks the software has facilitated.

You can see the interface here in this video.
December 19, 2024 at 6:02 PM
thezedwards.bsky.social
The most prominent effort to abuse a cracked copy of Acunetix is a tool called “Araneida scanner” – this was first mentioned publicly last year as having the SSL certificate from Acunetix from Chris Duggan at TLP R3D Intelligence Ltd.
Screenshot of the tweet from @ x[.]com/TLP_R3D/status/1665777020767293447 with the text 1/2 🕵️‍♂️💻 Stellar insight from @FalconFeedsio on Araneida - the scanner & dumper tool. The intriguing "Araneida Customer Panel" spotted on Shodan has got us digging deeper! 🌐🔍 We've got a lineup of 10 IPs featuring a sleek login panel: 🔹181.214.147.41 🔹181.214.147.110 🔹181.214.147.28 🔹181.214.147.111 🔹181.214.147.91 🔹181.214.147.115 🔹181.214.147.123 🔹181.214.147.132 🔹91.244.197.169 🔹181.214.147.40 A curious find: A self-signed cert dubbed "Acunetix Web Vulnerability Scanner" - an enigma.🔐🤔 Furthermore, the login panel leads to a ghost domain araneida[.]io, which remains unhosted. The plot thickens... #Pentesting #Araneida
December 19, 2024 at 6:02 PM
thezedwards.bsky.social
100% of the domains launched from this campaign are hosted across 2 IP addresses -- and there are dozens of similarly named domains mapped to these IP addresses.
Screenshot of the Silent Push interface for the IP range 185.147.124[.]110 -- the screenshot includes rows and columns in dark black and grey with a list of domains in the left column that look similar.
December 13, 2024 at 9:43 PM