It’s the end of the year. That means it’s time for us to celebrate the best cybersecurity stories we didn’t publish. Since 2023, TechCrunch has looked back at the best stories across the board from the year in cybersecurity.
If you’re not familiar, the idea is simple. There are now dozens of journalists who cover cybersecurity in the English language. There are a lot of stories about cybersecurity, privacy, and surveillance that are published every week. And a lot of them are great, and you should read them. We’re here to recommend the ones we liked the most, so keep in mind that it’s a very subjective and, at the end of the day, incomplete list.
Anyway, let’s get into it. — Lorenzo Franceschi-Bicchierai.
Every once in a while, there’s a hacker story that as soon as you start reading, you think it could be a movie or a TV show. This is the case with Shane Harris’ very personal tale of his months-long correspondence with a top Iranian hacker.
In 2016, The Atlantic’s journalist made contact with a person claiming to work as a hacker for Iran’s intelligence, where he claimed to have worked on major operations, such as the downing of an American drone and the now-infamous hack against oil giant Saudi Aramco, where Iranian hackers wiped the company’s computers. Harris was rightly skeptical, but as he kept talking to the hacker, who eventually revealed his real name to him, Harris started to believe him. When the hacker died, Harris was able to piece together the real story, which somehow turned out to be more incredible than the hacker had led Harris to believe.
The gripping story is also a great behind-the-scenes look at the challenges cybersecurity reporters face when dealing with sources claiming to have great stories to share.
In January, the U.K. government secretly issued Apple with a court order demanding that the company must build a backdoor so police can access iCloud data of any customer in the world. Due to a worldwide gag order, it was only because The Washington Post broke news that we learned the order existed to begin with. The demand was the first of its kind, and — if successful — would be a major defeat for tech giants who have spent the past decade locking themselves out of their users’ own data so they can’t be compelled to provide it to governments.
Apple subsequently stopped offering its opt-in end-to-end encrypted cloud storage to its customers in the U.K. in response to the demand. But by breaking the news, the secret order was thrust into the public eye and allowed both Apple and critics to scrutinize U.K. surveillance powers in a way that hasn’t been tested in public before. The story sparked a months-long diplomatic row between the U.K. and the United States, prompting Downing Street to drop the request — only to try again several months later.
This story was the sort of fly-on-the-wall access that some reporters would dream of, but The Atlantic’s editor-in-chief got to play out in real-time after he was unwittingly added to a Signal group of senior U.S. government officials by a senior U.S. government official discussing war plans from their cell phones.
Reading the discussion about where U.S. military forces should drop bombs — and then seeing news reports of missiles hitting the ground on the other side of the world — was confirmation that Jeffrey Goldberg needed to know that he was, as he suspected, in a real chat with real Trump administration officials, and this was all on-the-record and reportable.
And so he did, paving the way for a months-long investigation (and critique) of the government’s operational security practices, in what was called the biggest government opsec mistake in history. The unraveling of the situation ultimately exposed security lapses involving the use of a knock-off Signal clone that further jeopardized the government’s ostensibly secure communications.
Brian Krebs is one of the more veteran cybersecurity reporters out there, and for years he has specialized in following online breadcrumbs that lead to him revealing the identity of notorious cybercriminals. In this case, Krebs was able to find the real identity behind a hacker’s online handle Rey, who is part of the notorious advanced persistent teenagers‘ cybercrime group that calls itself Scattered LAPSUS$ Hunters.
Krebs’ quest was so successful that he was able to talk to a person very close to the hacker — we won’t spoil the whole article here — and then the hacker himself, who confessed to his crimes and claimed he was trying to escape the cybercriminal life.
Independent media outlet 404 Media has accomplished more impact journalism this year than most mainstream outlets with vastly more resources. One of its biggest wins was exposing and effectively shuttering a massive air travel surveillance system tapped by federal agencies and operating in plain sight.
404 Media reported that a little-known data broker set up by the airline industry called the Airlines Reporting Corporation was selling access to five billion plane tickets and travel itineraries, including names and financial details of ordinary Americans, allowing government agencies like ICE, the State Department, and the IRS to track people without a warrant.
ARC, owned by United, American, Delta, Southwest, JetBlue, and other airlines, said it would shut down the warrantless data program following 404 Media’s months-long reporting and intense pressure from lawmakers.
The killing of UnitedHealthcare CEO Brian Thompson in December 2024 was one of the biggest stories of the year. Luigi Mangione, the chief suspect in the killing, was soon after arrested and indicted on charges of using a “ghost gun,” a 3D-printed firearm that had no serial numbers and built in private without a background check — effectively a gun that the government has no idea exists.
Wired, using its past reporting experience on 3D-printed weaponry, sought to test how easy it would be to build a 3D-printed gun, while navigating the patchwork legal (and ethical) landscape. The reporting process was exquisitally told, and the video that goes along with the story is both excellent and chilling.
DOGE, or the Department of Government Efficiency, was one of the biggest running stories of the year, as the gang of Elon Musk’s lackeys ripped through the federal government, tearing down security protocols and red tape, as part of the mass-grab of citizens’ data. NPR had some of the best investigative reporting uncovering the resistance movement of federal workers trying to prevent the pilfering of the government’s most sensitive data.
In one story detailing a whistleblower’s official disclosure as shared with members of Congress, a senior IT employee in the National Labor Relations Board told lawmakers that as he was seeking help investigating DOGE’s activity, he “found a printed letter in an envelope taped to his door, which included threatening language, sensitive personal information and overhead pictures of him walking his dog, according to the cover letter attached to his official disclosure.”
Any story that starts with a journalist saying they found something that made them “feel like shitting my pants,” you know it’s going to be a fun read. Gabriel Geiger found a dataset from a mysterious surveillance company called First Wap, which contained records on thousands of people from around the world whose phone locations had been tracked.
The dataset, spanning 2007 through 2015, allowed Geiger to identify dozens of high profile people whose phones were tracked, including a former Syrian first lady, the head of a private military contractor, a Hollywood actor, and an enemy of the Vatican. This story explored the shadowy world of phone surveillance by exploiting Signalling System No. 7, or SS7, an obscurely named protocol long known to allow malicious tracking.
Swatting has been a problem for years. What started as a bad joke has become a real threat, which has resulted in at least one death. Swatting is a type of hoax where someone — often a hacker — calls the emergency services and tricks the authorities into sending an armed SWAT team to the home of the hoaxer’s target, often pretending to be the target themselves, and pretending they are about to commit a violent crime.
In this feature, Wired’s Andy Greenberg put a face on the many characters who are part of these stories such as the call operators who have to deal with this problem. And he also profiled a prolific swatter, known as Torswats, who for months tormented the operators and schools all over the country with fake — but extremely believable — threats of violence, as well as a hacker who took it upon himself to track Torswats down.
