Attackers are abusing Google Ads and legitimate Claude.ai shared chats in an active malvertising campaign.

Users searching for “Claude mac download” may come across sponsored search results that list claude.ai as the target website, but lead to instructions that install malware on their Mac.

Shared Claude Chats weaponized to target macOS users

The campaign was spotted by Berk Albayrak, a security engineer at Trendyol Group, who shared his findings on LinkedIn.

Albayrak identified a Claude.ai shared chat that presents itself as an official “Claude Code on Mac” installation guide, attributed to “Apple Support.”

The chat walks users through opening Terminal and pasting a command, which silently downloads and runs malware on their Mac.

While attempting to verify Albayrak’s findings, BleepingComputer landed on a second shared Claude chat carrying out the same attack through entirely separate infrastructure.

The two chats follow an identical structure and social engineering approach but use different domains and payloads. Both chats were publicly accessible at the time of writing:

What does the macOS malware do?

The base64 instructions shown in the shared Claude chat download an encoded shell script from domains such as:

• In variant seen by Albayrak [VirusTotal]: hxxp://customroofingcontractors[.]com/curl/b42a0ed9d1ecb72e42d6034502c304845d98805481d99cea4e259359f9ab206e
• In variant seen by BleepingComputer [VirusTotal]: hxxps://bernasibutuwqu2[.]com/debug/loader.sh?build=a39427f9d5bfda11277f1a58c89b7c2d

The ‘loader.sh’ (served by the second link above) is another set of Gunzip-compressed shell instructions:

This compressed shell script runs entirely in memory, leaving little obvious trace on disk.

BleepingComputer observed the server serving a uniquely obfuscated version of the payload on each request (a technique known as polymorphic delivery), making it harder for security tools to flag the download based on a known hash or signature.

The variant BleepingComputer identified starts by checking whether the machine has Russian or CIS-region keyboard input sources configured. If it does, the script exits without doing anything, sending a quiet cis_blocked status ping to the attacker’s server on its way out. Only machines that pass this check get the next stage:

Before proceeding further, the script also collects the victim’s external IP address, hostname, OS version, and keyboard locale, sending all of it back to the attacker. This kind of victim profiling before payload delivery suggests the operators are being selective about who they target.

The script then pulls down a second-stage payload and runs it through osascript, macOS’s built-in scripting engine. This gives the attacker remote code execution without ever dropping a traditional application or binary.

The variant identified by Albayrak, however, appears to skip the profiling steps. It goes straight to execution.

It harvests browser credentials, cookies, and macOS Keychain contents, packages them up, and exfiltrates them to the attacker’s server. Albayrak identified this as a variant of the MacSync macOS infostealer:

The briskinternet[.]com domain shown above in the variant identified by Albayrak appeared to be down at the time of writing.

When the legitimate URL is the threat

Malvertising has become a recurring delivery mechanism for malware.

BleepingComputer has previously reported on similar campaigns targeting users searching for software like GIMP, where a convincing Google ad would list a legitimate-looking domain but take visitors to a lookalike phishing site instead.

This campaign flips that, as there is no fake domain to spot.

Both Google ads seen here point to Anthropic’s real domain, claude.ai, since the attackers are hosting their malicious instructions inside Claude’s own shared chat feature. The destination URL in the ad is genuine.

It is not, however, the first time that attackers have abused AI platform shared chats this way. In December, BleepingComputer reported a similar campaign targeting ChatGPT and Grok users.

Users should navigate directly to claude.ai for downloading the native Claude app, rather than clicking sponsored search results. The legitimate Claude Code CLI is available through Anthropic’s official documentation and does not require pasting commands from a chat interface.

It is good practice to generally treat any instructions asking you to paste terminal commands with caution, regardless of where those instructions appear to come from.

BleepingComputer reached out to Anthropic and Google for comment prior to publishing.

AI chained four zero-days into one exploit that bypassed both renderer and OS sandboxes. A wave of new exploits is coming.

At the Autonomous Validation Summit (May 12 & 14), see how autonomous, context-rich validation finds what’s exploitable, proves controls hold, and closes the remediation loop.

Claim Your Spot

For years, Uber talked about becoming a super app. Then Waymo started picking up passengers in San Francisco, and the conversation grew more urgent. The company has been trying to embed itself inside the AV industry — as a data provider, an investor, and a distribution platform — but the consumer-facing bet may be just as important.

Two weeks ago, Uber held its annual GO-GET product event in New York and announced something its executives had been circling for a long time: users in the U.S. can now book hotels inside the Uber app, through a partnership with Expedia Group, with access to more than 700,000 properties worldwide. Uber One members — the company’s subscription tier at $9.99 a month — get 20% off a rotating list of 10,000 hotels and 10% back in credits. Vacation rentals through Vrbo will follow later this year, along with restaurant reservations via OpenTable. In the meantime, a “Shop for Me” feature lets users order from stores that aren’t even on the platform.

The announcements, taken together, were the most concrete picture yet of something Uber has been trying to conjure since at least 2019: that an app with 199 million monthly active users could become the app they use for nearly everything.

Praveen Neppalli Naga, Uber’s CTO, offered the clearest explanation of the company’s thinking at TechCrunch’s StrictlyVC event late last month in San Francisco. The super app concept has existed for years in India and Southeast Asia, he noted, but U.S. versions have mostly flopped by bolting services onto traffic rather than building toward a reason to stay.

His answer to what fits? Membership. Every new category — food, groceries, now hotels — gives someone another reason to pay for Uber One. “I take Uber, go to the airport, take a flight, take another Uber, go to a hotel, go to a restaurant,” he said. “There is a flow you can actually build into it.”

Flights are not available yet, though Naga didn’t rule them out. Uber tried flight booking in Europe years ago without success. “First let’s get the hotel things done,” he said. Financial services sound like a possibility too — Uber already offers a debit card to drivers in Mexico — though how far that goes, or when, remains unclear. Said Naga: “Never say never.”

Uber isn’t alone in this race. Airbnb, arguably the company most directly threatened by Uber’s hotel push, announced its own transportation ambitions in late March — a partnership with Welcome Pickups to offer airport transfers in 125 cities across Asia, Europe, and Latin America, structured to keep users inside the Airbnb app rather than sending them to Uber. Meanwhile, Elon Musk has spent three years promising to turn X into an “everything app” in the WeChat mold, and is now nearing what he describes as a long-stated goal: X Money, a banking and payments platform built inside the social network, is expected to launch publicly soon. X claims 500 million monthly active users.

The big question is how many super apps the American market will actually support. WeChat works in China partly because the alternative was a patchwork of inferior options. In the U.S., people already have apps they like for most of what Uber wants to do. Getting them to consolidate inside a single platform requires either a compelling reason — Uber One’s discounts, say — or a seamless enough experience that switching feels worth it.

Uber’s bet is that its installed base is the moat. Its users have already handed over a credit card. Convincing them to book a hotel, or order from a store they’d never find on Uber Eats, is an easy lift compared with convincing them to download something new. Its most recent earnings, reported a few days ago, suggest Uber Eats may be the strongest argument for that thesis: delivery revenue grew 34% year over year in the first quarter, to $5.07 billion, making it easily the fastest-growing part of the business and pulling almost even with mobility in gross bookings.

Uber’s stock is still down about 8% from a year ago — suggesting that Wall Street isn’t fully convinced. But the company says that 50 million people are now paying for Uber One, and together they account for roughly half the company’s total bookings.

It’s a bird, it’s a plane, it’s a six-propeller flying vehicle with a nearly eight-foot wingspan.

For the next year, delivery drones operated by the British company Skyports are taking daily weekday trips across New York City’s East River, between the tip of Manhattan and a pier in Brooklyn. Since early May—a bit behind schedule—the drones have carried light cargo for a New York City health care system. Right now, those loads are basically a few pounds of paper; once the healthcare system is confident the setup works, it should include nonhazardous, non-biological packages, such as light pharmaceuticals.

The drones are part of an experiment run by two New York-New Jersey agencies to discover how a relatively new and sometimes controversial sky-bound delivery tech might fit into a hectic urban environment—and the airspace above it. The pilot program will also try to answer a question that hangs over the entire drone delivery industry: Where does it make sense?

“Will there be enough regular flights (1 to 2 per hour) that the client health care system finds true value?” Stephan Pezdek, the regional freight planning manager at the Port Authority of New York and New Jersey, which is operating the pilot, wrote in an email to WIRED. (The Port Authority declined to name the health care system for contractual reasons.) “Will deliveries make it to their destination faster and within the financial constraints of the current carriers they are using? Will the community appreciate the work and not feel like it is a disruption? All of this will inform our understanding of how the first corridor shapes up.”

The Port Authority, which is also working with the New York City Economic Development Corporation (NYCDEC) on this drone project, will also measure how the deliveries affect patient care, Pezdek says.

Globally, drone delivery is still in an experimental phase. What projects do exist mostly focus on carrying cargo to rural or suburban areas, where gaps in road networks and services, plus emptier skies, could make the tech a better fit. Skyports has been delivering mail in remote areas of Scotland since 2023, and carrying cargo to offshore wind turbines in Germany. The US company Zipline says it makes deliveries to and from some 5,000 health facilities across four continents; its oldest program delivers vaccines and blood products in Rwanda. In the US, companies including Alphabet’s Wing and Amazon’s Prime Air are working to expand delivery services across the South, with a focus on the suburban areas surrounding Houston, Austin, and Dallas, Texas.

For drones, dense cities present different challenges. First, there’s the safety question. New York City’s airspace is packed, hosting three international airports. In Manhattan alone, there are three publicly owned heliports. In May 2023, nearly 9,000 helicopter flights took place over city land or water, according to data compiled by the New York City Council. This drone pilot program’s start date was pushed back in part because another experimental aviation tech, an electric vertical takeoff and landing (eVTOL) vehicle, was demo-ing its own first-of-its-kind flights out of the same heliport.

That citified hustle and bustle leads to extra precautions. The pilot project was, as standard, approved by the US Federal Aviation Administration, which requires a certified drone pilot to supervise every flight. Each flight will take place over a fixed route away from residential buildings. The project must obtain a weekly NYPD permit to operate, and delays in acquiring the first one also led the city to push back its start date, says Amanda Kwan, a spokesperson for the Port Authority. The agency also spoke with three local community boards before it allowed the drones to take off.

Anthropic built an AI model that found thousands of zero-day vulnerabilities in every major operating system and web browser. The Federal Reserve chair and the Treasury secretary called bank CEOs to discuss it. The company says there is a six-to-twelve month window to patch the flaws before adversaries build models that can do the same thing. The cybersecurity industry says the threat was already here. Both are right.

Claude Mythos Preview is the model. It is not yet publicly released. In controlled testing, it surpassed all but the most skilled humans at finding and exploiting software vulnerabilities, identifying flaws that had existed undetected for decades, including a 27-year-old bug in OpenBSD and a 17-year-old remote code execution flaw in FreeBSD. Anthropic CEO Dario Amodei described the current period as a “moment of danger” and warned of “some enormous increase in the amount of vulnerabilities, in the amount of breaches, in the financial damage that’s done from ransomware on schools, hospitals, not to mention banks.”

The discovery

Mozilla released Firefox 150 with fixes for 271 security vulnerabilities identified by Mythos in a single evaluation pass. The number is striking not because Firefox is unusually insecure but because no human team had found them. The vulnerabilities had accumulated across years of development, each one a potential entry point for an attacker with the right tools. Mythos found all 271 in one run.

The 💜 of EU tech

Advertisement

The latest rumblings from the EU tech scene, a story from our wise ol’ founder Boris, and some questionable AI art. It’s free, every week, in your inbox. Sign up now!

The model’s capability raises a question that the cybersecurity industry has been theorising about for years and now must answer practically: what happens when the cost of finding vulnerabilities drops to near zero? The traditional economics of cybersecurity depend on the asymmetry between attackers, who must find one flaw, and defenders, who must secure all of them. Mythos collapses the cost on both sides. Defenders can now scan their entire codebase for flaws they never knew existed. Attackers, once they build or obtain equivalent models, can do the same.

The response

Anthropic chose a controlled rollout, which it calls Project Glasswing. Approximately 40 technology companies and institutions have initial access to Mythos to bolster their systems. The list does not include most central banks and governments. The asymmetry is intentional: give defenders a head start before the capability becomes widely available.

The response from financial regulators was immediate. Federal Reserve Chairman Jerome Powell and Treasury Secretary Scott Bessent convened a meeting with major US bank CEOs to discuss the cyber risks raised by Mythos. The IMF flagged AI-powered cyber threats to the global banking system. The concern is not that Mythos itself will be used to attack banks. It is that the capability Mythos demonstrates, automated discovery of vulnerabilities at superhuman speed, will be replicated by adversaries who are not bound by Anthropic’s responsible disclosure practices.

Anthropic shipped financial services agents the day after announcing its 1.5 billion dollar Wall Street joint venture, a sequence that illustrates the company’s dual positioning: it is simultaneously the entity warning banks about AI-powered cyber threats and the entity selling AI products to banks. The joint venture with Blackstone and Hellman and Friedman is anchored at approximately 300 million dollars from Anthropic and will deploy AI across private equity operations.

The race

Amodei’s six-to-twelve month window is a prediction about how long it will take Chinese AI companies to build models with equivalent vulnerability-discovery capabilities. The window is not about whether adversaries will develop the capability. It is about when. The controlled rollout of Mythos is designed to give the companies that receive early access enough time to patch their most critical flaws before the window closes.

OpenAI released GPT-5.4-Cyber for vetted security teams, scaling its Trusted Access programme in direct response to the Mythos disclosure. The competitive dynamic between Anthropic and OpenAI has extended from commercial AI products into cybersecurity, with both companies positioning themselves as defenders of the software infrastructure their own models could be used to compromise.

Researchers have already demonstrated that AI agents from Anthropic, Google, and Microsoft can be hijacked via prompt injection to steal API keys and tokens, and all three vendors paid bounties but skipped public disclosure. The irony is precise: the AI agents that companies deploy to improve security are themselves vulnerable to attacks that could compromise the systems they are meant to protect.

The tension

The cybersecurity community’s response to the Mythos disclosure has been a mixture of alarm and scepticism. Security researchers note that AI-assisted vulnerability discovery has been developing for years and that the capabilities Mythos demonstrates, while impressive in scale, are an acceleration of existing trends rather than a discontinuous leap. The threat of AI-powered cyberattacks was identified by the UK’s National Cyber Security Centre more than a year ago. What Mythos changes is not the existence of the threat but the specificity of the evidence.

Anthropic occupies an unusual position. It is a company whose business model depends on selling AI capabilities to enterprises, including banks, while simultaneously arguing that AI capabilities of the kind it is developing pose an existential threat to the cybersecurity of those same enterprises. The resolution of the contradiction is commercial: Anthropic’s pitch is that you need its AI to defend against AI of the kind it builds. The logic is circular but the threat is real.

The 271 Firefox vulnerabilities were real. The 27-year-old OpenBSD bug was real. The meeting between the Fed chair and bank CEOs was real. The question is not whether AI will transform cybersecurity. The question is whether the six-to-twelve months Amodei describes is enough time to patch decades of accumulated vulnerabilities across every operating system, browser, and financial platform in production, or whether the window is an estimate designed to create urgency for a problem that cannot be solved on any timeline. Mythos found the flaws. Fixing them is a human problem.

In modern datacenters, storage can live anywhere — local to the machine, remotely accessed over the network, and/or shared between systems.

The next generation of servers will treat system memory in much the same way. Systems will still have some local DDR5, but the bulk of it will be remotely accessed from what some have taken to calling the memory godbox.

The ongoing DRAM shortage has created a perfect storm for the proliferation of the appliances, which not only allow for memory to be pooled, but also data stored in that memory to be shared by multiple machines simultaneously. In effect, memory becomes a fungible resource.

More importantly, your next round of servers will probably support the tech, if they don’t already.

CXL finally has its moment to shine

The technology at the heart of these memory godboxes isn’t new. Compute Express Link (CXL) has been slowly gaining traction since its introduction seven years ago.

As a quick refresher, CXL defines a common, cache-coherent interface for connecting CPUs, memory, accelerators, and other peripherals.

The technology comes in a couple of different flavors: CXL.mem, CXL.cache, and CXL.io, which, as a whole, have implications for disaggregated compute. Imagine a rack with a CPU node, GPU node, memory node, and storage node, which can talk to one another completely independently. That’s the core idea behind CXL.

CXL piggybacks off the PCIe standard, which means in theory it should be broadly compatible, but, up to this point, it’s primarily been used with memory devices.

The 1.0 spec opened the door to memory expansion modules, which allow you to add more memory by slotting them into a CXL-compatible PCIe slot. To the operating system — assuming you’re running Linux that is — the extra memory is largely transparent, showing up as if it were attached to another CPU socket, just one without any additional compute.

The 2.0 spec, which showed up in 2020, added basic support for switching, which meant memory could be pooled and then allocated to any number of connected systems.

AMD and Intel’s current crop of Epycs and Xeons already support these appliances. But while the memory can be partitioned and reallocated to different machines as needed, two machines can’t work on the same data simultaneously.

Unless you were memory-constrained, the added complexity of CXL 2.0 didn’t offer much benefit over simply using higher capacity DIMMs in the first place. 

At least, not until memory prices went through the roof.

Where things really get interesting is when the 3.0 spec arrives in AMD and Intel’s next-generation of Epycs and Xeons. In fact, from what we understand, Amazon’s Graviton5 CPUs we looked at in December already support the spec.

CXL 3.0 introduces two key capabilities that make it particularly interesting for memory appliances. The first is support for larger topologies: Multiple CXL switches can be stitched together into a fabric. The second is support for memory sharing: Rather than partitioning memory into slices only accessible to one machine at a time, memory can be shared between machines.

In theory this could allow two machines running the same set of workloads to use the memory closer to that of one. It’s a bit like deduplication for memory. In fact, we already do this in virtualized environments like KVM, but it now works across machines.

There are security and performance implications to all of this. Thankfully in CXL 3.1 and later, the consortium introduced confidential computing capabilities into the spec, allowing for isolation where necessary.

On the performance end of things, CXL 3.0 moves to PCIe 6.0 as a baseline, which provides 16 GB/s of bidirectional bandwidth per lane. Assuming 64 lanes of CXL per CPU, that works out to an additional 512 GB/s of bandwidth. So memory bandwidth shouldn’t be too much of an issue for most applications. Latency, on the other hand, is a different story. 

CXL-attached memory is going to add some latency. However, as we’ve previously discussed, the latency isn’t as bad as you’re probably thinking — on the order of a NUMA hop, or about 170 to 250 nanoseconds of round trip latency. Obviously, the farther the memory appliance is from the host CPU, the worse the latency is going to be.

Late last year, the CXL consortium ratified the 4.0 spec, which among other things doubles the bandwidth from 16 GB/s per lane to 32 GB/s by re-basing on PCIe 7.0. However, it’ll be a while before we see appliances based on the spec.

Where’s my memory godbox?

There are several companies developing hardware for these kinds of networked memory appliances. 

Panmnesia’s CXL 3.2-compatible PanSwitch is one of the most sophisticated examples. The switch features 256 lanes of connectivity for CXL memory modules, devices, or CPUs to connect, pool, or share resources.

If you’re okay with memory pooling and don’t need the niceties of CXL 3.0, then there are already several memory appliances available that are compatible with the latest generation of Xeon 6 and Epyc Turin processors.

Liqid’s composable memory platform, for example, can provide a pool of up to 100 TB of DDR5 to as many as 32 hosts. Meanwhile, UnifabriX Max systems provide CXL 1.1 or 2.0 connectivity to 16 or more systems with support for CXL 3.2 already in the works.

We suspect that as more CXL 3.0 compatible CPUs and GPUs hit the market, more of these memory godboxes will appear.

AI eats everything

Don’t get too excited. While network attached memory has the potential to reduce an enterprise’s infrastructure spend, those same qualities make it attractive for the very thing driving the memory shortage in the first place.

AI adoption has driven demand for DRAM off the charts. In addition to the HBM used by GPUs, DDR5 is being used for key value cache offload during inference.

These KV caches store model state and can chew significant amounts of memory — often more than the model itself — in multi-tenant serving scenarios.

Rather than discard these caches and recompile them when the model state is restored, it’s more efficient to offload them to system memory and eventually flash storage.

The problem with using flash storage is that it has a finite write endurance. After a while it wears out. Instead, CXL memory vendors are positioning the tech as a more resilient alternative.

That’s bad news for enterprises looking to these memory godboxes for salvation from the RAMpocalypse. ®

Designer Matty Benedetto of Unnecessary Inventions runs a studio in Vermont where he makes contraptions to tackle problems that no one has ever asked about. His most recent project mixes two known elements to create something new, which has the potential to change how teams handle lengthy discussions around a table. He transformed conventional office chairs into a full seesaw that rocks up and down while spinning in a complete circle.

Benedetto started simple by collecting a couple of worn-out office chairs from storage. He wanted seats that everyone was familiar with, so no one felt out of place when they sat down. A simple test compared the wheels on each base to determine which pair rolled and slid the best across a floor. These results allowed him to choose the right parts without guesswork. He then gently separated the chairs, keeping the seats and center supports intact. A small 3D printed model allowed him to see how the elements would connect and move together. The initial chair bases already spun freely in all directions, so he retained that motion for the finished form. He then designed a bespoke bracket to connect everything at the midway point.

Sale

N-GEN GAMING Video Gaming Chair with Footrest Lumbar Support for Home Office High Back Recliner Height…

• Racing Style for Long Sessions – High-back gaming chair with ergonomic racing design, ideal for long hours at your gaming desk or home office.
• Ergonomic Support – Comes with a removable headrest, lower back pillow, and pull-out footrest to reduce pressure and support healthy posture during…
• Quality Materials – Supportive high-density foam cushions, breathable PU leather, and a vibrant finish combine for lasting comfort and a refined look.

Ball bearings in the new bracket provided smooth, effortless seesaw movement as needed. He assessed the distances and opted on chairs spaced ten feet apart along a robust metal tube that cost him $100. That tube served as the main beam, measuring a solid 5 feet square to maintain equilibrium. A simple hex bolt held the tube in place and prevented it from slipping around during operation. The early brackets he created on his 3D printer were ideal for brief test runs, but they were too flimsy for real-world use. So he bought some CNC machined aluminum replacements and gave them a lovely bead blast finish with a layer of black anodizing to clean up the lines and make them more durable. These new pieces were high-quality, solidly constructed, and arrived with an aura of precision, so assembly seemed substantial right away.

Drilling guide holes in those printed copies ensured that everything fit together seamlessly. He inserted the machined brackets directly into the chair bases after a test run revealed that individual seat rotations were producing much too much wobbling. By removing the extra spin and lowering the overall height, he created a more stable configuration that let people to securely climb on and off. The new design secured the chairs in place, but the middle pivot allowed the entire seesaw to glide smoothly up and down and spin freely. When two people of nearly equal size sat down, equilibrium just happened. Benedetto persuaded his friend to accompany him on his first official test run.

They climbed to the opposite ends and adjusted their weight to see how it worked. The beam went up and down smoothly, while the base turned the entire seesaw in wonderful huge circles. In one humorous run, they pretended to be an office staff disputing deadlines over a stack of paperwork, but the soft, steady motion kept the mood light and enjoyable. The finished design measured ten feet long and was low enough to fit between two normal desks in a shared workspace. The chairs are linked beneath the worktable, allowing users to lean forward and type or write without having to climb off. After many test sessions, the bearings have demonstrated their ability to tolerate frequent rocking without making a noise or sticking, while remaining lovely and smooth.

Google launched a 99 dollar screenless fitness tracker and a 9.99 dollar per month AI health coach powered by Gemini. One day later, Whoop announced that it would add on-demand video consultations with licensed clinicians to its app. Google is betting that artificial intelligence can interpret your health data. Whoop is betting that you still need a doctor. The US Food and Drug Administration, which relaxed its oversight of both AI health tools and consumer wearables in January, is betting that neither needs much regulation.

The sequence is not a coincidence. It is a philosophical split in the wearable health industry, articulated in product announcements issued 24 hours apart. The question both companies are answering is the same: what should happen after the sensor on your wrist collects the data? Google’s answer is an AI chatbot. Whoop’s answer is a human with a medical licence. The market will decide which one people trust with their bodies.

The tracker

The Fitbit Air is a screenless band that costs 99 dollars. It is the smallest Fitbit ever made. It tracks heart rate, heart rate variability, SpO2, sleep stages, and activity continuously, with a battery life of approximately one week. It has no display. All data is accessed through the new Google Health app, which replaces the Fitbit app on 19 May.

The device ships on 26 May with a three-month free trial of Google Health Premium, which costs 9.99 dollars per month or 99 dollars per year. The premium tier includes the Google Health Coach, an AI assistant built on Gemini that generates personalised workout plans, interprets sleep trends, summarises health records, and answers questions about a user’s fitness and medical data.

Google’s strategy is not to sell hardware. It is to sell the AI layer on top of the data. The Google Health app is designed to be wearable-agnostic, with planned support for Apple Watch, Oura, and Garmin devices later this year. The Fitbit Air is the entry point, not the destination. Google wants to be the intelligence that sits between every wearable sensor and every health decision, regardless of which device collected the data.

The response

Whoop’s announcement arrived on 8 May, exactly one day after Google’s. The company will offer on-demand video consultations with licensed clinicians through its app for users in the United States, launching this summer. The consultations begin with a review of the user’s continuous biometric data collected by the Whoop band. If the user has synced blood work or medical history through HealthEx, an electronic health records integration that Whoop is also launching, that information is included.

The distinction from Google’s approach is deliberate. A clinician can ask follow-up questions, identify patterns that require context a chatbot does not have, and carry the professional accountability that comes with a medical licence. An AI coach can tell you your heart rate variability is trending down. A doctor can tell you why.

Blossom Health raised 20 million dollars to put AI copilots alongside psychiatrists, a model that treats AI as support for clinicians rather than a replacement for them. Whoop is applying the same logic to wearable health data: the AI processes the numbers, but a human makes the call.

Will Ahmed, Whoop’s founder and chief executive, posted an image on X of a Whoop circuit board with the words “Don’t bother copying us, we will win” engraved on it. The message was originally aimed at Amazon, which launched and subsequently killed the Halo fitness band. It now reads as a response to a company with considerably more resources than Amazon’s wearables division.

The economics

Whoop raised 575 million dollars in March 2026 at a valuation of 10.1 billion dollars, with investors including the Qatar Investment Authority, Mubadala, Abbott, and the Mayo Clinic. The company reported 1.1 billion dollars in annualised revenue in 2025, up 103 per cent year over year, and said it was cash-flow positive. It has more than 2.5 million members.

Whoop’s subscription costs between 199 and 359 dollars per year depending on the tier. Google Health Premium costs 99 dollars per year. The Fitbit Air costs 99 dollars. A year of Fitbit Air plus Google Health Premium costs less than a year of Whoop’s cheapest plan. The clinician consultations that Whoop is adding will cost extra, with pricing not yet announced.

The price gap frames the competitive question. Google is offering AI health coaching at a price point that undercuts Whoop’s subscription by more than half. Whoop is offering human medical consultations at a price that will push its total cost higher. One company is driving the cost of health guidance toward zero. The other is arguing that the value of a human clinician justifies a premium. Both positions are coherent. Neither has been tested at scale in the wearable market.

The field

ChatGPT Health launched in January 2026, connecting Apple Health data to OpenAI’s models. Microsoft followed a week later with Copilot Health. Perplexity launched Perplexity Health, pulling together electronic health records, wearable data, and lab results into a single AI-powered dashboard. Amazon opened its Health AI to all US customers, backed by its One Medical clinical network and pharmacy.

Every major AI platform now has a health product. The wearable data that Fitbit, Whoop, Apple Watch, and Oura collect has become the input for a competition between AI models, each promising to turn continuous biometric monitoring into personalised health advice. The differentiation is not in the data. Heart rate, sleep stages, and SpO2 are measured by every device on the market. The differentiation is in what happens next.

Corti’s Symphony AI outperformed models from OpenAI and Anthropic on medical coding benchmarks, demonstrating that specialised health AI can exceed general-purpose models on clinical tasks. The implication for the wearable market is that the AI interpreting your health data may matter more than the sensor collecting it. Google is building that AI into a consumer subscription. Whoop is routing around it to a human.

The regulation

In January 2026, the FDA updated two guidance documents that collectively loosened oversight of both consumer wearables and AI-enabled health tools. The General Wellness Guidance clarified that low-risk wellness devices using optical sensing to estimate physiological parameters, which describes every screenless fitness tracker on the market, can be sold without premarket review as long as they make wellness claims rather than clinical ones. The Clinical Decision Support Guidance softened the agency’s approach to AI tools that help users navigate diagnoses and health decisions.

The regulatory shift creates space for both Google and Whoop. Google’s AI health coach can offer personalised guidance without triggering medical device classification, provided it frames its outputs as wellness advice. Whoop’s clinician consultations operate under existing telemedicine frameworks. The FDA’s position is that neither the AI chatbot nor the wearable sensor requires the level of scrutiny applied to medical devices, as long as neither claims to diagnose or treat disease.

The gap between what these products do and what they claim to do is where the regulatory question lives. An AI coach that tells a user their recovery score suggests they should rest is wellness advice. An AI coach that tells a user their heart rate variability pattern is consistent with early atrial fibrillation is a clinical claim. The line between the two is a sentence, and the incentive to cross it increases with every subscription dollar at stake.

Google built a 99 dollar tracker and a 9.99 dollar AI coach. Whoop is adding doctors to an app attached to a 10 billion dollar company. The FDA says both are fine. The user strapping a screenless band to their wrist and asking what their data means will not be choosing between two products. They will be choosing between two theories of what health data is for: a prompt for an algorithm, or a conversation with a person who went to medical school.