
🚔 Prolific hackers' arrest

Plus: Worldcoin no more | Friday, October 18, 2024
 
Axios Codebook
By Sam Sabin · Oct 18, 2024

😎 TGIF, everyone. Welcome back to Codebook.

  • 👋🏻 It feels good to be back after a couple weeks away. What did I miss?
  • 📬 Have thoughts, feedback or scoops to share? codebook@axios.com.

Today's newsletter is 1,409 words, a 5.5-minute read.

 
 
1 big thing: Unmasking the duo behind Anonymous Sudan
 
Illustration of a computer wearing a bandit's mask.

Illustration: Aïda Amer/Axios

 

The Department of Justice has arrested two Sudanese brothers and charged them with operating Anonymous Sudan, a hacker group known for destructive website takedowns.

Why it matters: The indictment, unsealed Wednesday, paints the clearest picture of who was running the mysterious Anonymous Sudan hacking group — which has launched more than 35,000 attacks in the last year against hospitals, government offices and other major organizations.

Driving the news: A grand jury indicted Ahmed Salah Yousif Omer and Alaa Salah Yusuuf Omer on a count of conspiracy to damage protected computers.

  • Ahmed Omer was also charged with three counts of damaging protected computers.
  • The FBI and the U.S. Attorney's Office for the Central District of California seized Anonymous Sudan's hacking tool, according to a press release.
  • The Washington Post reported that officials arrested the duo abroad in March.

Threat level: Anonymous Sudan's attacks have caused more than $10 million in damage to U.S. organizations, according to federal officials.

  • Anonymous Sudan's victim list spans sectors and includes several high-profile names: Cloudflare, Microsoft, OpenAI and even the FBI itself.
  • Cedars-Sinai Medical Center in Los Angeles had to redirect emergency room patients to other hospitals for treatment.

The big picture: Anonymous Sudan has been a mystery to security researchers for a little more than a year.

  • The group is mostly politically motivated, unlike other cybercriminal groups where money is the prime motivator.
  • But the group has been far more prolific than the typical political hacking group. At times, security researchers had even assumed the group was a front for pro-Russia political hackers.
  • However, officials told the Post they don't believe a third party, including a government, was financing or supporting the group's work.

What they're saying: "What's unusual is the predominance of the ideological motive, with financial sprinkled in," Martin Estrada, U.S. attorney for the Los Angeles region, told the Post.

How it works: Anonymous Sudan targeted victims in distributed denial-of-service attacks — where hackers overload internet-enabled devices with bot traffic until they're inaccessible.

  • While suffering a website outage might not sound too bad, the repercussions can be huge. Customers may not be able to make payments online and corporations may not be able to access cloud servers.
  • Anonymous Sudan would demand victims pay a ransom to make the attack end, according to court filings.
  • Some of these victims sustained millions of dollars in losses from these attacks, according to a criminal complaint unsealed Wednesday.

Between the lines: Anonymous Sudan was also selling its tool to other hacking groups looking to launch their own large-scale DDoS attacks, according to the complaint.

  • More than 100 users have used the tool — known as Godzilla Botnet, Skynet Botnet and InfraShutdown — to deploy their own DDoS attacks, per federal officials.
  • This is also unusual: Building and selling hacker tools is more common in the cybercrime world and rarely seen in the political hacking space.

Zoom in: The private sector played a prominent role in helping the FBI identify the people running this group.

  • PayPal's own internal investigation after its attack uncovered certain accounts tied to Anonymous Sudan, according to the complaint.
  • Those accounts then helped the FBI identify potential email addresses linked to Ahmed Omer, specifically, according to the affidavit.

What's next: The two brothers have not appeared in court yet.

  • If convicted, Ahmed Omer could face a maximum sentence of life in prison, while Alaa Omer could face a maximum of five years.
 
 
2. Sam Altman's Worldcoin has a new name
 
A silver orb with a copper camera in the middle

The new World Orb. Photo: World

 

Worldcoin, the identity and cryptocurrency venture co-founded by Sam Altman, is rebranding itself as World (and World Network) to reflect what it says is a broader mission.

Why it matters: World is pitching its technologies as key to helping distinguish bots from humans in an increasingly AI-dominated society.

Driving the news: In addition to unveiling the name, Altman and co-founder Alex Blania used a San Francisco event to unveil a series of updates, including a new version of its Orb iris-scanning technology.

  • World said the new version of the Orb is powered by Nvidia's latest Jetson chipset, has nearly five times the AI performance and uses fewer parts.
  • The venture said the new Orb will allow for a broader rollout, including self-service kiosks.

Beyond the Orb, World is also creating options for people to join its identity project without having their iris scanned.

  • One new method allows people to scan their NFC-enabled passport. World said the passport will allow people to verify their age, nationality and passport ownership without revealing their identity.
  • World is also working to integrate its identity verification into other software to help combat deepfakes. The company listed FaceTime, WhatsApp and Zoom as among the applications compatible with its digital ID system.
  • The company also is updating its mobile app to support "mini apps" from various third parties.
 
 
3. Feds arrest man tied to SEC account hack
 
INDIA - 2024/09/26: In this photo illustration, a Bitcoin logo seen displayed on a smartphone with a U.S. Securities and Exchange Commission logo in the background.

Photo illustration: Avishek Das/SOPA Images/LightRocket via Getty Images

 

Federal authorities have arrested a man in Athens, Alabama, who allegedly helped hack the Securities and Exchange Commission's account on X, formerly Twitter, this year.

Why it matters: The arrest is the first indication of who was actually behind the incident, which sent shockwaves through the financial and crypto world.

Catch up quick: In January, someone hacked the SEC's X account and published a post falsely saying that national exchanges were now approved to list bitcoin ETFs.

  • At the time, the SEC was actively deliberating such an approval, making the post even more believable.
  • This post prompted bitcoin to spike $1,000, according to officials.
  • The SEC said at the time that the hack was the result of a SIM swap attack, meaning an attacker had taken over the phone number tied to one of the agency's cellphones.

What's happening: Federal investigators arrested Eric Council Jr. yesterday in connection with the SEC account hack, according to a press release.

  • Council is accused of participating in a scheme with others to take over the @SECGov account on X and share a fake post in the name of SEC Chair Gary Gensler.
  • Law enforcement believes Council received personal information about someone tied to the SEC from his co-conspirators, per an indictment unsealed yesterday.
  • Council then used these details to create fraudulent ID cards to present in person at an AT&T store, which operated the victim's cellphone plan.
  • Once at the store, Council purchased a SIM card linked to the victim's phone number and shared the details about the SIM with his co-conspirators.
  • His co-conspirators then used the information to hack the SEC's account.

The intrigue: The Justice Department says Council conducted several suspicious internet searches afterward, including:

  • "SECGOV hack,"
  • "telegram sim swap,"
  • "how can I know for sure if I am being investigated by the FBI," and
  • "What are the signs that you are under investigation by law enforcement or the FBI even if you have not been contacted by them."

What we're watching: The DOJ did not share any additional information about Council's alleged co-conspirators.

 
 


 
 
4. Catch up quick
 

@ D.C.

🗳️ Google will block election ads across all of its platforms after the last polls close on Nov. 5 to prevent voting misinformation, according to an obtained memo. (Axios)

📝 The Cybersecurity and Infrastructure Security Agency and the FBI are seeking public feedback on a new product security guide for the tech sector that would detail ways to build more security-resilient products. (Cybersecurity Dive)

@ Industry

😵‍💫 Microsoft told customers it's missing more than two weeks of security logs for some of its cloud products after a bug caused an internal monitoring agent to malfunction. (TechCrunch)

📸 Instagram has added new features — including one designed to prevent screenshots of illicit photos sent via direct messages — to protect teens from sextortion scams. (The Verge)

👀 Some U.S.-based Kaspersky customers are still finding ways to use the Russia-based antivirus product on their systems, despite government restrictions. (TechCrunch)

@ Hackers and hacks

🩺 The BianLian ransomware gang has claimed responsibility for a cyberattack on Boston Children's Health Physicians, a network of more than 300 pediatric doctors. (BleepingComputer)

🚔 Brazilian police say they've arrested USDoD, a hacker who has breached several major corporations, including National Public Data. (CyberScoop)

⚠️ Millions of people are using AI bots on Telegram to remove clothes from people's bodies in photos. (Wired)

 
 
5. 1 fun thing
 
Image of hot air balloons ascending in Albuquerque (left) and the Narrows trail at Zion (right)

Hot air balloons ascending in Albuquerque (left) and deep in the Narrows trail at Zion National Park (right). Photos: Sam Sabin/Axios

 

I just spent the last two weeks on an epic road trip across the United States. It was incredible.

  • Louisville, the Texas State Fair, Albuquerque's hot air balloon festival, Zion National Park — I saw so much!

📍 🏡 I've also relocated to the Bay Area, or, as my editor says, the Best Coast. Invite me to your media events!

 
 


 

☀️ See y'all Tuesday!

Thanks to Megan Morrone for editing and Khalid Adad for copy editing this newsletter.
