Playtonic is shifting the Yooka-Laylee series from platforming to familiar-looking arcade racing.

After successfully replacing the firmware with a replacement image that did nothing more than display the word “patched” on the speaker’s LED display, the researcher got to wondering what else a hacker might do. So he turned his attention to FreeRTOS, the open source operating system that ran the Katana V2X. It contained a set of HID functions for allowing the speaker to act as a human interface device, a classification that includes keyboards, mice, and webcams. The speaker implemented a limited HID that allowed for things like changing the volume and playing or pausing sound, but little else.

The researcher discovered that he could change the speaker’s USB descriptor set, which is essentially a report that informs devices about the capabilities of a USB- or Bluetooth-connected peripheral. He was able to augment the existing descriptor set with a second one that reported the speaker being a keyboard. Then he used code already included in the firmware to streamline the process of sending keypresses.

All of this gave Moorats an idea: What if he used his device to send commands to the speaker that used the HID to pass them along to the connected PC? After some trial and error, he found that he could. In a blog post published on Wednesday, he wrote:

Chaining it all together, I was able to totally remotely, over the air, upload a custom firmware to my speaker which I hadn’t paired with, which would reboot, flash the custom firmware, and after rebooting type in the command echo pwned and execute it.

Advertisement

In a real attack scenario, I would execute the keystrokes for opening powershell.exe or similar and paste an actually malicious one-liner into that, but as a proof of concept, this was more than enough for me. A real attacker would also likely disable the routine for updating the firmware in both normal and recovery mode, making it impossible to wipe the malicious firmware from the device or patch it in the future.

This is worsened by the fact that Bluetooth is always on for the speaker, even in sleep mode, with no apparent way to disable it.

Advertisement

Before the speaker and USB-connected device can interact, they must successfully complete a challenge-and-response authentication procedure. Since the devices perform this handshake automatically each time the software boots, this isn’t usually a problem for the hacker. In certain cases, however, such as when the Katana V2X app isn’t open on the connected device, it’s a requirement.

The most oversubscribed sporting event in history is also the most phished. With more than 150 million ticket requests in the first 15 days and just six million seats across 16 cities in the US, Canada, and Mexico, the 2026 FIFA World Cup has created exactly the conditions that fraud thrives on: scarcity, urgency, and money moving fast.

Security researchers, the FBI, and multiple cybersecurity firms have published warnings in the past week describing a fraud infrastructure that is already operational, well-resourced, and scaling. The picture that emerges is not a handful of opportunistic phishing pages. It is a layered ecosystem of fake domains, banking malware, credential theft, and social media impersonation, all converging on the same window.

One operator, 300 cloned FIFA sites

The most detailed findings come from Group-IB, which tracked more than 4,300 fraudulent FIFA domains registered since August 2025. At the centre is a group it calls Ghost Stadium, a Chinese-speaking, financially motivated operation running a single phishing kit across more than 300 of those sites.

The fake is good. The page is a near-perfect copy of fifa.com, mimicking FIFA’s real single sign-on login, run by PingIdentity, down to the genuine client ID copied from the live site. It loads images directly from FIFA’s own servers, so the page looks authentic and slips past tools that flag copied assets.

The damage is in the details: the fake login also asks to reset the password. Once a victim enters credentials, the attacker locks them out of their real FIFA account and resells any tickets tied to it. Most traffic comes from Facebook ads with reused tracking codes, plus links on Telegram, WhatsApp, and in search results. Payment options include card entry, money-transfer apps like Chime and Nequi, Mexico-only processors, and a crypto option that converts card payments into cryptocurrency. That last one is a reliable tell, since FIFA’s official ticketing never accepts crypto.

13,000 domains and counting

FortiGuard Labs counted more than 13,000 World Cup-themed domains registered between January and May, roughly 8.8% of them classified as malicious or suspicious. The FBI’s public service announcement lists dozens of fake FIFA domains, from misspelled lookalikes to phony job pages, and warns more are coming.

Ticket fraud is just one piece. Group-IB also found counterfeit merchandise shops, bogus streaming sites that take a subscription fee and then install malware, and fake betting platforms that collect passport scans and selfies for identity theft. Bitdefender separately tracked FIFA lottery emails promising payouts of up to $2 million.

Group-IB estimates losses from premium and hospitality ticket fraud alone at $71 million to $474 million, with the broader campaign potentially reaching into the billions. Those are projections based on visible infrastructure, not confirmed losses.

Banking malware in streaming apps

For fans chasing free match streams, the bigger danger is on the phone. ThreatFabric observed a spike in malicious unofficial streaming apps, many posing as the popular RojaDirecta, around the recent Champions League final and expects a repeat at the World Cup on a larger scale.

Kaspersky tied those apps to two Android banking trojan families: Massiv and Perseus. Neither is distributed through Google Play, so installing one requires clicking past Android’s built-in warnings. Once installed, the malware uses accessibility tools to overlay fake bank login screens on real apps, record keystrokes, intercept one-time codes from SMS and authenticator apps, and control the screen remotely.

Perseus, built on leaked code from the older Cerberus trojan, even reads note-taking apps for saved passwords and crypto recovery phrases. The simplest red flag, according to ThreatFabric, is a streaming app requesting accessibility access. No legitimate streaming app needs it.

Social media, stolen credentials, and open Wi-Fi

Fortinet counted over 1,700 spoofed FIFA accounts, nearly 90% on Facebook and Instagram, plus a scheme using fake FIFA job ads and calendar invites to redirect applicants to a lookalike Google login. Bitdefender found more than 55 football-themed ad campaigns on Facebook and Instagram pushing counterfeit kits, fake Panini stickers, and phishing pages.

Stolen FIFA logins are already circulating. Fortinet found hundreds of thousands of user credentials, plus more than 4,600 FIFA-related URLs, in data collected by credential-stealing malware families including Vidar, LummaC2, and RedLine.

Host-city Wi-Fi is its own problem. A Kaspersky survey that drove around Mexico City, Monterrey, and Guadalajara found 10% to 12% of networks open and password-free, with the WPS pairing feature still active on nearly half. Both leave openings for rogue “evil twin” hotspots that copy a real network and quietly intercept traffic.

What to watch for

The scams leave clear tells. Buy tickets only through fifa.com, typed directly, not via an ad or search result. Enable multi-factor authentication, and treat any seller requesting cryptocurrency as a scam. On Android, refuse accessibility permissions for streaming apps. On open Wi-Fi in host cities, use mobile data for banking and email.

Meta says it is now showing warning pop-ups when people search Facebook for FIFA tickets, and it partnered with Visa to take down a Facebook network linked to fake World Cup gambling sites. The FBI is asking victims to report at IC3.

The bigger concern is what has not yet been activated. Group-IB counted roughly 3,800 fraudulent FIFA domains sitting parked and unused, ready to switch on. With ready-made scam kits and ticket-buying bots already for sale, the peak window is easy to predict: 11 June to 19 July, when searches for tickets, streams, and travel will be at their highest.

Thinking about investing in a Fire TV Stick? You’ve timed it well — there’s another Amazon Prime Day fast approaching, and these little gadgets are almost certainly going to be heavily discounted during the event.

A Fire TV stick plugs into your TV’s HDMI port to turn it into a smart TV, from which you can access various apps — including not just Prime Video but all the best streaming services. It’ll also enable you to control your TV using your voice, via Alexa — a game-changer for commands that would otherwise require lengthy typing using your remote’s arrow keys (truly, is there anything more dull?).

The Denon Home 400 sits in the Japanese brand’s completely repositioned Home 2.0 range for 2026, and it doesn’t take much to see the updates as a direct challenge to Sonos and the best wireless speakers on the market. The range features three speakers — the Denon Home 200, 400 and 600 — all of which promise spatial audio from a single box. They’re all tuned by sound masters, built for native stereo playback even as singular units, deliver an immersive experience, and have refined designs.

The Denon Home 400 sits right in the middle of the range, but occupies a bit of a sweet spot. Its $599 price tag puts it at the same ball park as the Sonos Era 300, and I think Denon comes out of the comparison looking like the better option.

It’s raining blood, hallelujah.

Tech giant Toshiba and mega-retailer Muji warned visitors that suspicious sign-in screens popping up on their websites could collect credentials.

Both Japanese companies advised users who entered their account login data in the authentication screens to change their passwords to access the service.

The login pop-ups were generated by the external service hosted at polyfill[.]io, which in 2024 introduced malicious code in scripts delivered by its CDN.

“We have confirmed that some parts of our website may display a sign-in screen like the one shown below. We are currently working to eliminate this screen, but if you do see it, please select “Cancel” without entering any information,” Toshiba said in a short communication.

Japanese retail giant Muji published a similar announcement earlier this week, warning website visitors of suspicious authentication screens generated by the external service polyfill[.]io.

“At this time, we have not confirmed any unauthorized access or information leakage to this site, but in order to ensure the safety of our customers, we ask that you consider your response,” Muji states.

Both Toshiba and Muji have solved the issue and suspended the service.

Japanese media outlets reported that Zojirushi, FiNC Technologies, Ishiyaku Publishers, and online publishing brand Hobonichi were also impacted by the same issue.

Security researcher Pasquale Pillitteri says that Samsung Smart TVs and websites also displayed a login prompt on June 1.

Some reports claim that the problem was caused by the polyfill[.]io incident in 2024, when the domain was purchased by a Chinese entity and added malicious scripts that impacted more than 100,000 websites using the Polyfill service.

Polyfill is a JavaScript CDN for  legacy browsers, allowing modern sites to run on them by providing a compatibility layer for unsupported technologies.

The Polyfill code was delivered via a CDN at polyfill[.io], although the domain was not owned by the creator of the open source project, Andrew Betts. As such, when the domain expired, it could be claimed by anyone.

At the time, Betts responded publicly by recommending that website owners remove the service from their sites, and relaunched the JavaScript CDN service at a new domain, polyfill.com, and later settled at polyfill.top.

While the deactivation of the service at polyfill[.]io stopped the redirections, some sites using the service failed to clean all their pages over the past two years, so remnants of Polyfill code remained.

Pillitteri reports that, starting in late May 2026, the polyfill[.]io domain became active again and started responding with HTTP 401 authentication requests.

User browsers visiting pages such as Toshiba’s and MUJI’s interpret that as a request for a username and password, so they serve a login prompt.

At the moment, there is no indication that impacted websites were hacked or that credentials entered on these rogue login screens were stolen. However, users are strongly recommended to be cautious about unexpected authentication prompts.

Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.

The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.

Advertisement

Get the whitepaper

from the acceptable-collateral-damage,-I-assume dept

ICE never needed officers to disguise themselves with masks and strip themselves of identification before Trump took office for the second time. What ICE is doing now isn’t what ICE was doing during Trump’s first term, even though it’s the same hateful bigot sitting behind the Resolute Desk he thinks should be covered in gold leaf.

According to the DHS, ICE officers need to look like roving kidnapping squads because they fear for their safety. Supposedly, they’re under attack now more than ever, something not even supported by the DHS’s context-free claims of massive increases in assaults of ICE officers.

ICE has never been popular. People have been calling for ICE to be abolished for far longer than the last 18 months of its existence. But now that ICE behaves like an invading force, rather than an agency involved in immigration and customs enforcement, more people are reacting to its unwanted presence in their neighborhoods.

ICE’s excuses for mask-wearing were [cough] unmasked when ICE was asked to fill in for unpaid TSA agents. ICE officers showed up at airports without masks to stand around and milk the clock, apparently unworried about being “exposed” or subjected to threats to them or their families.

But now that the TSA is as staffed as it’s ever going to be, ICE is returning to American streets, long on masks and short on training. Criminal opportunists know a good thing when they see it. When it’s impossible to tell whether the person assaulting you/demanding access to your home/running off with your valuables is an actual federal officer or just someone with access to ski masks and camo, the criminals have the upper hand.

As of February, Noticias Telemundo had documented at least six cases of impostors posing as ICE agents to rob or harass immigrants. In mid-January, a man broke into a house in Pittsburgh claiming to be an ICE agent and threatening a teen with a knife. In February, police in San Diego said a man allegedly impersonated an officer and wrapped his arms around the neck of a restaurant manager, claiming the manager was in the country illegally and he was going to arrest him.

Sure, some of you may be scoffing at “six cases” since Trump won the election. But that’s only the ones where a (foreign!) news agency managed to put together the pieces to deliver reporting that should have been done much earlier by domestic new agencies.

Here’s the more damning stat:

Of the 31 impersonation cases documented in 2025, 84% involved individuals who claimed to be ICE agents. Others identified themselves as officers from Border Patrol or the Department of Homeland Security.

Thirty-one impersonations. Apparently all of them involved people pretending to be in the business of migrant deportation. And it’s not just the normal crime you’d expect from criminals seeing a flaw in the system and exploiting it. It’s also led to an increase in the sort of crime this administration will likely greet with pardons and payout from the “FUCK AMERICA $1,776 MILLION SLUSH FUND.”

The recorded incidents include intimidation, robbery and sexual assault, as well as so-called “immigration operations” carried out by armed vigilantes against what they describe as an “invasion” of foreigners in the U.S.

This was a problem the FBI recognized months ago, but rarely speaks of now because it’s being led by the only guy who has a chance at drinking Defense Department Secretary Pete Hegseth under the table. The current “leadership” has nothing to say about giving criminals more opportunities to engage in criminal acts.

Neither DHS nor ICE responded to Noticias Telemundo’s request for official statistics about cases of fake ICE agents. They also did not comment on the trends revealed by this investigation.

Not even the rote “fake news” quasi-rebuttal from this miserable assortment of inhuman asshats. Well, if DHS and ICE won’t speak for themselves, I’ll let this next quote from NBC/Telemundo speak for itself:

“You’re going back to Mexico,” a man told the immigrants in a video recorded from inside their truck. He insulted them for their appearance and for not speaking English, took their keys and snatched the immigrant’s phone when he called his boss. The manager later told the police that the fake agent had claimed to be from ICE and had warned him that all his employees were going to go to “f—–g jail.”

This isn’t fake news. This isn’t implication extrapolated from minimal inference. There are literal recordings of these impersonations.

This isn’t people imagining the worst because they’re politically opposed to the current administration. These are documented instances of the only thing that could be worse than the brutality and bigotry perpetrated by this administration: criminal acts encouraged by this government’s unwillingness to do its dirty work honestly.

Filed Under: bigotry, dhs, ice, masked officers, mass deportation, thugs, trump administration