It's the end of the year. That means it's time to celebrate the best cybersecurity stories we didn't publish. Since 2023, TechCrunch has been collectively looking back at the year's best articles in cybersecurity.
Even for those who are not familiar with it, the concept is simple. There are currently dozens of journalists reporting on cybersecurity in English. We publish tons of articles about cybersecurity, privacy, and surveillance every week. And many of them are great, so please read them. We are here to recommend the ones we like the most. So please keep in mind that this is a very subjective and incomplete list after all.
Anyway, let's get started. — Lorenzo Franceschi-Bicchierai.
Sometimes there's a hacker story that feels like it could be a movie or TV show as soon as you start reading it. This is the case with Shane Harris' very personal story about his months-long correspondence with a top Iranian hacker.
In 2016, a reporter for The Atlantic came into contact with someone who claimed to be working as a hacker for Iranian intelligence, where he was involved in major operations including the downing of a U.S. drone and the now-infamous hack into oil giant Saudi Aramco, in which Iranian hackers wiped the company's computers. Harris was understandably skeptical, but as he continued to talk to the hacker, who revealed his real name, Harris began to believe him. When the hacker died, Harris was able to piece together the true story, which somehow turned out to be less believable than the hacker had led Harris to believe.
This fascinating story is also a great behind-the-scenes look at the challenges cybersecurity reporters face when dealing with sources who claim to have a great story to share.
In January, the British government secretly issued a court order requiring Apple to build a backdoor that would allow police to access customers' iCloud data around the world. Because of the global gag order, we only learned about it because the Washington Post reported the news. The order would be the first of its kind, and if successful, it would be a major defeat for tech giants, which have spent the past decade locking themselves out of users' own data to avoid being forced to provide it to governments.
Apple subsequently stopped offering opt-in, end-to-end encrypted cloud storage to UK customers in response to the demand. But breaking the news brought the secret order into the public eye, allowing both Apple and critics to scrutinize Britain's surveillance powers in a way that had never been tested in public. The story sparked months of diplomatic wrangling between Britain and the United States, with Downing Street withdrawing the request, only to reinstate it a few months later.
The story was the kind of fly-on-the-wall access some reporters dream of: the editor-in-chief of The Atlantic was unwittingly added to a Signal group of senior U.S. government officials discussing war plans from their cell phones, allowing him to report on it in real time.
Secretary of Defense Pete Hegseth said, “We are now in a clean state on OPSEC, but that was not the case.” Image courtesy of The Atlantic (Screenshot)
Reading a discussion about where the U.S. military should drop bombs, and then seeing a news report about a missile hitting the ground on the other side of the world, confirmed what he needed to know: Jeffrey Goldberg was indeed talking to real Trump administration officials, as he had suspected, and that this was all on the record and reportable.
And he did, paving the way for a months-long investigation into (and criticism of) the government's operational security practices in what has been called the biggest government operational security misstep in history. The unraveling of the situation ultimately revealed security flaws, including the use of clones of Signal, further compromising the government's ostensibly secure communications.
Brian Krebs is one of the most seasoned cybersecurity reporters, having specialized for years in tracking down online breadcrumbs that lead to the uncovering of the identities of notorious cybercriminals. In this case, Krebs was able to discover the identity of the hacker behind the online handle Rey. Rey is part of a notoriously sophisticated and persistent teenage cybercrime group known as the Scattered LAPSUS$ Hunters.
Krebs' quest was very successful, and he was able to speak with someone very close to the hacker (I won't spoil the entire article here). I was then able to speak with the hacker himself, and he confessed to his crimes and claimed that he was trying to escape from a life of cybercrime.
As an independent outlet, 404 Media has used far more resources this year to achieve more impactful journalism than most mainstream media outlets. One of its biggest victories was exposing and effectively shutting down a massive air travel surveillance system that was wiretapped and operated in obscurity by federal agencies.
404 Media reported that a little-known data broker founded by the airline industry called Airlines Reporting Corporation sells access to 5 billion airline tickets and itineraries containing the names and financial details of ordinary Americans, allowing government agencies such as ICE, the State Department, and the IRS to track people without a warrant.
ARC, which is owned by United Airlines, American Airlines, Delta Air Lines, Southwest Airlines, JetBlue Airways and others, announced it would end its warrantless data program after months of reporting by 404 Media and intense pressure from lawmakers.
The murder of UnitedHealthcare CEO Brian Thompson in December 2024 was one of the biggest stories of the year. The main suspect in the murder, Luigi Mangione, was arrested and charged with using a “ghost gun” soon after. This is a 3D-printed gun that has no serial number, was secretly manufactured without any background checks, and is virtually unknown to the government.
Drawing on past reporting experience with 3D-printed weapons, Wired set out to test how easy it would be to make a 3D-printed gun while navigating a patchwork legal (and ethical) landscape. The reporting process is exquisitely told, and the video that follows the story is wonderful and chilling.
DOGE (Department of Government Efficiency) made one of the biggest headlines of the year, amid allegations that a group of Elon Musk's henchmen breached the federal government and overcame security protocols and red tape as part of a mass exfiltration of national data. NPR has done some of the best investigative reporting exposing the resistance of federal employees trying to stop the theft of the government's most sensitive data.
In one article detailing a whistleblower's official disclosure shared with members of Congress, a senior IT official at the National Labor Relations Board told lawmakers that while seeking help in investigating DOGE's activities, “according to the cover letter that accompanied the official disclosure, we discovered a printed letter inside an envelope taped to the front door that contained threatening language, sensitive personal information, and an overhead photo of someone walking a dog.”
When an article starts with a journalist saying, “I found something that made me want to take my pants off,” you know it's going to be a fun read. Gabriel Geiger discovered a dataset from a mysterious surveillance company called First Wap. It contained records of thousands of people around the world whose phones had been tracked.
Spanning 2007 to 2015, this dataset allowed Geiger to identify dozens of celebrities whose phones had been tracked, including a former Syrian first lady, the president of a private military contractor, a Hollywood actor, and an enemy of the Vatican. In this article, we explored the shadowy world of phone surveillance that exploits Signaling System No. 7 (SS7), an obscurely named protocol that has long been known to enable malicious tracking.
Swatting has been a problem for many years. What started as a bad joke has turned into a real threat, resulting in at least one death. Swatting is a type of hoax in which someone (often a hacker) calls emergency services and tricks authorities into sending an armed SWAT team to the home of the target of the hoax. The caller often impersonates the target and pretends to be about to commit a violent crime.
In this feature, Wired's Andy Greenberg gave us a look at many of the characters in the story, including the call operators who must deal with this problem. And he also introduced the prolific swatter known as Torswats, who tormented businesses and schools across the country for months with false (but very believable) threats of violence, and the hacker who took it upon himself to track Torswats.

