Botnet

Record-Breaking DDoS Attack Peaks At 22 Tbps and 10 Bpps

Cloudflare blocked the largest-ever DDoS attack against a European network infrastructure company, which peaked at 22.2 Tbps and 10.6 Bpps. The hyper-volumetric attack has been linked to the Aisuru botnet and lasted just 40 seconds, but was double the size of the previous record. SecurityWeek reports: Cloudflare told SecurityWeek that the attack was aimed at a single IP address of an unnamed European network infrastructure company. Cloudflare has yet to determine who was behind the attack, but believes it may have been powered by the Aisuru botnet, which was also linked earlier this year to a massive 6.3 Tbps attack on the website of cybersecurity blogger Brian Krebs. Aisuru has been around for more than a year. The botnet is powered by hacked IoT devices such as routers and DVRs that have been compromised through the exploitation of known and zero-day vulnerabilities.

According to Cloudflare, the 22 Tbps attack was traced to over 404,000 unique source IPs across over 14 ASNs worldwide. "Based on internal analysis using a proprietary system, the source IPs were not spoofed," the company explained. The security firm described it as a UDP carpet bomb attack targeting an average of 31,000 destination ports per second, with a peak of 47k ports, all on a single IP address. Cloudflare revealed in July that the number of DDoS attacks it blocked in the first half of 2025 had already exceeded all the attacks mitigated in 2024.
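The carpet-bomb pattern described above (many destination ports on one destination IP per second, from many unspoofed sources) is something a flow collector can flag directly. The detector below is an added example, not Cloudflare's code: the flow-record layout, the thresholds (scaled down from the 31,000 ports/second figure) and the sample traffic are constructed for illustration.

```python
"""Flag UDP "carpet bomb" floods in flow records: traffic that hits many
destination ports on one destination IP within a single second, from many
distinct (unspoofed) sources.  Added example; the record layout, the
thresholds and the sample traffic are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class Flow:
    ts: int        # epoch second the flow was observed
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str     # "udp" or "tcp"


@dataclass(frozen=True)
class Alert:
    ts: int
    dst_ip: str
    distinct_ports: int
    distinct_sources: int
    flows: int


def detect_carpet_bomb(flows, port_threshold=1000, source_threshold=100):
    """Return one Alert per (second, destination IP) whose UDP traffic spread
    over at least port_threshold distinct ports and came from at least
    source_threshold distinct source IPs.  Requiring many sources as well as
    many ports separates a carpet bomb from a single-host port sweep.  The
    defaults are assumed values, scaled down from the 31,000 ports/second
    average in the Cloudflare report."""
    ports = defaultdict(set)
    sources = defaultdict(set)
    counts = defaultdict(int)
    for f in flows:
        if f.proto != "udp":
            continue
        key = (f.ts, f.dst_ip)
        ports[key].add(f.dst_port)
        sources[key].add(f.src_ip)
        counts[key] += 1
    alerts = []
    for key in sorted(counts):
        n_ports, n_src = len(ports[key]), len(sources[key])
        if n_ports >= port_threshold and n_src >= source_threshold:
            alerts.append(Alert(key[0], key[1], n_ports, n_src, counts[key]))
    return alerts


def constructed_flows():
    """Constructed sample: one carpet bomb, one benign DNS burst, one
    single-source port sweep and some TCP noise."""
    rng = random.Random(7)
    flows = []
    # (a) carpet bomb: 3000 UDP flows in second 100 to one IP, random high
    #     ports, thousands of distinct sources
    for _ in range(3000):
        src = f"10.{rng.randrange(256)}.{rng.randrange(256)}.{rng.randrange(1, 255)}"
        flows.append(Flow(100, src, "203.0.113.10", rng.randrange(1024, 65536), "udp"))
    # (b) benign: DNS traffic from 400 clients to a single port
    for i in range(400):
        flows.append(Flow(100, f"192.0.2.{i % 254 + 1}", "203.0.113.53", 53, "udp"))
    # (c) single-source sweep of 1500 ports in second 101: a scan, not a flood
    for port in range(1, 1501):
        flows.append(Flow(101, "198.51.100.7", "203.0.113.20", port, "udp"))
    # (d) TCP is ignored by this rule
    for port in range(1, 2001):
        flows.append(Flow(101, "198.51.100.8", "203.0.113.20", port, "tcp"))
    return flows


if __name__ == "__main__":
    for a in detect_carpet_bomb(constructed_flows()):
        print(f"t={a.ts} dst={a.dst_ip} ports={a.distinct_ports} "
              f"sources={a.distinct_sources} flows={a.flows}")
```

Lowering `source_threshold` to 1 also flags the single-source sweep, which shows why the source count is part of the rule.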
Security

Jaguar Land Rover Hack 'Has Cost 30,000 Cars and Threatens Supply Chain' (thetimes.com)

Jaguar Land Rover has halted production for nearly a month following a major cyberattack, costing an estimated 30,000 vehicles and billions in lost revenue. "The company said on Tuesday that production would be halted for another week until at least October 1, which increased concerns that a full return to production could be months away," reports The Times. From the report: David Bailey, professor of business economics at Birmingham University, said the JLR statement did not commit to reopening production on October 1 and even if it did "it's not going to be back to normal, but phased production start with some lines opening before others, as we saw after the Covid closure back in 2020." He said: "It's 24 days [shutdown] as of September 24. So that is roughly 1,000 cars a day, 24,000 cars not produced. So by then, that's about 1.7 billion pounds in lost revenue. By October 1, it will be a hit to revenue of something like 2.2 billion pounds. It's pretty massive. JLR can get through, but they're going to be burning through cash this month."

Bailey also raised concerns that smaller companies further down the supply chain lacked the cash reserves to withstand the shutdown. The company directly employs more than 30,000 people, and it is estimated that approximately 200,000 workers in the supply chain depend on work from JLR. "The union has said that in some cases, staff have been told to go and apply for universal credit. There are firms I know that have applied for bank loans to keep going. But even then, you know they're approaching the limit of what they do. There's an added knock-on effect that some of the suppliers also supply other car assemblers, Toyota or Mini. So some of those are concerned that bits of the supply chain may go under and affect them as well, because the industry is so connected. One way or another, the government's going to take a hit. Either through some sort of emergency support, whether that's furlough or emergency short-term loans or through unemployment benefit, if this carries on."

There has been uncertainty over the extent of the cyberattack and exactly how the company has been affected, as well as who is responsible for it. According to one source, some JLR staff were still unable last week to access the Slack messaging system through the company's "one sign on" system. The JLR statement added: "We have made this decision to give clarity for the coming week as we build the timeline for the phased restart of our operations and continue our investigation."

AI

Microsoft Brings Microfluidics To Datacenter Cooling With 3X Performance Gain (microsoft.com)

Microsoft has successfully tested a microfluidic cooling system that removed heat up to three times better than cold plates currently used in datacenters. The technology etches tiny channels directly into silicon chips, allowing cooling liquid to flow directly onto the heat source. In lab tests announced September 23, 2025, the system reduced the maximum temperature rise inside GPUs by 65%. The channels, roughly the width of human hair, were optimized using AI to create bio-inspired patterns resembling leaf veins.

Microsoft collaborated with Swiss startup Corintis on the design. The cooling fluid can operate at temperatures as high as 70C (158F) while maintaining effectiveness. The company demonstrated the technology on servers running Microsoft Teams services, where the improved cooling enables overclocking during demand spikes that occur when meetings start on the hour and half-hour. Microsoft is investigating incorporating microfluidics into future generations of its first-party chips as the company plans to spend over $30 billion on capital expenditures this quarter.
Iphone

iFixit Tears Down the iPhone Air, Finds That It's Mostly Battery (arstechnica.com)

iFixit's teardown of Apple's iPhone Air reveals a device dominated by its battery, which occupies approximately two-thirds of the internal space while critical components including the logic board cluster at the top. The battery matches the component used in Apple's iPhone Air MagSafe battery pack and can be swapped between devices.

The top-heavy component layout addresses the bendgate vulnerability that damaged logic boards in previous thin iPhone models when pressure was applied to the device's middle section. Despite the iPhone Air's thinner profile, iFixit awarded it a 7 out of 10 repairability score, citing reduced component layering that provides more direct access to the USB-C connector, battery, and other serviceable parts compared to standard iPhone models. The dual-entry system further contributes to the device's serviceability.
Government

Meta's AI System Llama Approved For Use By US Government Agencies

The U.S. General Services Administration has approved Meta's AI system Llama for use by federal agencies, declaring that it meets government security and legal standards. Reuters reports: "It's not about currying favor," [said Josh Gruenbaum, the GSA's procurement lead, when asked whether tech executives are giving the government discounts to get President Donald Trump's approval]. "It's about that recognition of how do we all lock in arms and make this country the best country it could possibly be." Federal agencies will be able to deploy the tool to speed up contract review or more quickly solve information technology hiccups, among other tasks, he said.
Windows

Microsoft is Bringing Video Wallpapers To Windows 11 (windowscentral.com)

Microsoft is working on bringing support for setting a video as your desktop wallpaper on Windows 11. From a report: Hidden in the latest Windows 11 preview builds, the feature lets you set an MP4, MOV, AVI, WMV, M4V, or MKV file as your wallpaper, which will play the video whenever you view the desktop.

For many years, users have wanted the ability to set a video as a desktop background. It's a feature that many Linux distributions support, and macOS also supports the ability to set a moving background as your lock screen. Windows Vista did support setting videos as your wallpaper, but only as part of the Ultimate SKU via a feature called DreamScene.

AI

Hundreds of Google AI Workers Were Fired Amid Fight Over Working Conditions (theguardian.com)

Last week the Guardian reported on "thousands of AI workers contracted for Google through Japanese conglomerate Hitachi's GlobalLogic to rate and moderate the output of Google's AI products, including its flagship chatbot Gemini... and its summaries of search results, AI Overviews." "AI isn't magic; it's a pyramid scheme of human labor," said Adio Dinika, a researcher at the Distributed AI Research Institute based in Bremen, Germany. "These raters are the middle rung: invisible, essential and expendable...." Ten of Google's AI trainers the Guardian spoke to said they have grown disillusioned with their jobs because they work in silos, face tighter and tighter deadlines, and feel they are putting out a product that's not safe for users... In May 2023, a contract worker for Appen submitted a letter to the US Congress warning that the pace imposed on him and others would make Google Bard, Gemini's predecessor, a "faulty" and "dangerous" product.

This week Google laid off 200 of those moderating contractors, reports Wired. "These workers, who often are hired because of their specialist knowledge, had to have either a master's or a PhD to join the super rater program, and typically include writers, teachers, and people from creative fields." Workers still at the company claim they are increasingly concerned that they are being set up to replace themselves. According to internal documents viewed by WIRED, GlobalLogic seems to be using these human raters to train the Google AI system that could automatically rate the responses, with the aim of replacing them with AI. At the same time, the company is also finding ways to get rid of current employees as it continues to hire new workers. In July, GlobalLogic made it mandatory for its workers in Austin, Texas, to return to office, according to a notice seen by WIRED...

Some contractors attempted to unionize earlier this year but claim those efforts were quashed. Now they allege that the company has retaliated against them. Two workers have filed a complaint with the National Labor Relations Board, alleging they were unfairly fired, one due to bringing up wage transparency issues, and the other for advocating for himself and his coworkers. "These individuals are employees of GlobalLogic or their subcontractors, not Alphabet," Courtenay Mencini, a Google spokesperson, said in a statement...

"Globally, other AI contract workers are fighting back and organizing for better treatment and pay," the article points out, noting that content moderators from around the world facing similar issues formed the Global Trade Union Alliance of Content Moderators which includes workers from Kenya, Turkey, and Colombia.

Thanks to long-time Slashdot reader mspohr for sharing the news.
Programming

Secure Software Supply Chains, Urges Former Go Lead Russ Cox (acm.org)

Writing in Communications of the ACM, former Go tech lead Russ Cox warns we need to keep improving defenses of software supply chains, highlighting "promising approaches that should be more widely used" and "areas where more work is needed." There are important steps we can take today, such as adopting software signatures in some form, making sure to scan for known vulnerabilities regularly, and being ready to update and redeploy software when critical new vulnerabilities are found. More development should be shifted to safer languages that make vulnerabilities and attacks less likely. We also need to find ways to fund open source development to make it less susceptible to takeover by the mere offer of free help. Relatively small investments in OpenSSL and XZ development could have prevented both the Heartbleed vulnerability and the XZ attack.
Some highlights from the 5,000-word article:
  • Make Builds Reproducible. "The Reproducible Builds project aims to raise awareness of reproducible builds generally, as well as building tools to help progress toward complete reproducibility for all Linux software. The Go project recently arranged for Go itself to be completely reproducible given only the source code... A build for a given target produces the same distribution bits whether you build on Linux or Windows or Mac, whether the build host is X86 or ARM, and so on. Strong reproducibility makes it possible for others to easily verify that the binaries posted for download match the source code..."
  • Prevent Vulnerabilities. "The most secure software dependencies are the ones not used in the first place: Every dependency adds risk... Another good way to prevent vulnerabilities is to use safer programming languages that remove error-prone language features or make them needed less often..."
  • Authenticate Software. ("Cryptographic signatures make it impossible to nefariously alter code between signing and verifying. The only problem left is key distribution...") "The Go checksum database is a real-world example of this approach that protects millions of Go developers. The database holds the SHA256 checksum of every version of every public Go module..."
  • Fund Open Source. [Cox first cites the XKCD cartoon "Dependencies," calling it "a disturbingly accurate assessment of the situation..."] "The XZ attack is the clearest possible demonstration that the problem is not fixed. It was enabled as much by underfunding of open source as by any technical detail."

The article also emphasized the importance of finding and fixing vulnerabilities quickly, arguing that software attacks must be made more difficult and expensive.

"We use source code downloaded from strangers on the Internet in our most critical applications; almost no one is checking the code.... We all have more work to do."
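The checksum-database approach Cox highlights rests on a small, well-defined hash of a module's contents. As an added example (not code from the article or from the Go project), the block below reimplements the published Hash1 scheme that go.sum lines and the Go checksum database use: file names sorted, one summary line of `<sha256 hex>  <name>` per file, then SHA-256 of the summary, base64-encoded and prefixed `h1:`. The module contents are constructed, so no real module's hash appears.

```python
"""Compute and verify the "h1:" hashes that go.sum records and the Go checksum
database serves.  Added example following the published Hash1 scheme (the
golang.org/x/mod dirhash format): sort the file names, write one summary line
"<sha256 hex>  <name>\n" per file, then SHA-256 the summary and base64 it.
The module contents below are constructed; no real module's hash is shown."""
import base64
import hashlib
import hmac


def hash1(files):
    """files maps a relative name to its bytes; returns the h1: checksum."""
    summary = hashlib.sha256()
    for name in sorted(files):
        if "\n" in name:
            raise ValueError("file names containing newlines are not supported")
        digest = hashlib.sha256(files[name]).hexdigest()
        summary.update(f"{digest}  {name}\n".encode())
    return "h1:" + base64.b64encode(summary.digest()).decode()


def module_zip_hash(module_path, version, files):
    """go.sum's first line for a module hashes the module zip, whose entry
    names carry a "<module>@<version>/" prefix."""
    prefixed = {f"{module_path}@{version}/{name}": data for name, data in files.items()}
    return hash1(prefixed)


def go_mod_hash(go_mod_bytes):
    """go.sum's second line ("<module> <version>/go.mod h1:...") hashes only
    the go.mod file, under its bare name."""
    return hash1({"go.mod": go_mod_bytes})


def verify(files, expected, module_path, version):
    """Check a downloaded module tree against the checksum a go.sum line or
    the checksum database reports; a single changed byte fails the check."""
    return hmac.compare_digest(module_zip_hash(module_path, version, files), expected)


# Constructed two-file module used for the demonstration below.
CONSTRUCTED_MODULE = {
    "go.mod": b"module example.com/constructed\n\ngo 1.22\n",
    "lib.go": b"package constructed\n\nfunc Answer() int { return 42 }\n",
}


if __name__ == "__main__":
    mod, ver = "example.com/constructed", "v1.0.0"
    print(f"{mod} {ver} {module_zip_hash(mod, ver, CONSTRUCTED_MODULE)}")
    print(f"{mod} {ver}/go.mod {go_mod_hash(CONSTRUCTED_MODULE['go.mod'])}")
```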
IT

Tech Boomtown Seattle Grapples with Fewer Tech Jobs (msn.com)

Near Microsoft's headquarters in Redmond, the Five Stones coffee shop advertised for a barista a few months ago — and started getting resumes from "people who listed Microsoft and other tech companies," writes the Wall Street Journal: The applicants typically had master's degrees and experience in graphic design or marketing roles, Andrews said — sometimes senior ones. They were applying to jobs at Five Stones that would pay Redmond's minimum wage, $16.66 an hour. Five Stones hasn't yet hired such candidates because the coffee shop gives priority to more traditional entry-level baristas, like high-schoolers...

[Microsoft and Amazon] have laid off more than 46,000 employees since 2023, according to Layoffs.fyi, which tracks workforce reductions. That represents 85% of layoffs by Seattle-area tech companies... As Amazon and Microsoft have made cuts — and other local tech firms including Expedia and Redfin have followed suit — the effects have rippled through Seattle's other business sectors. Weakness in payroll and sales tax contributed to a projected $146 million shortfall in revenue over the next two years. Restaurant and retail spending is down in the business and shopping districts surrounding Amazon's and Microsoft's campuses, with total transactions falling by as much as 7% in some popular areas in the past year, according to data from Square. In the first half of 2025, around 450 restaurants closed in Seattle, or about 16% of its total. "At the halfway point of the year, we've already seen as many closures as we'd usually see in a full year," said Anthony Anton, chief executive officer of the Washington Hospitality Association.

Uber driver Juan Prado made six figures in 2021, often shuttling passengers in town for job interviews and doing frequent drop-offs near downtown tech offices. Now, he said, demand is much lower. "There are moments where you can be online, and in certain areas, it shows nothing...." Seattle tech firms are asking for significantly fewer job placements than years ago, said Noelle McDonald, senior vice president at recruiting company Aquent, which counts Amazon and Microsoft as clients. Hiring windows have lengthened and open roles receive around 10 times as many applications.

And of course, "Commercial real-estate vacancies stand at a record high as offices built to accommodate a boom sit empty..."

While some laid-off employees launched their own startups, "the outlook for many tech workers is dour as companies invest in software tools they can use to streamline teams," the article points out. Microsoft CEO Satya Nadella "has said the company is increasingly looking to AI to perform coding and other tasks once done by people," while in June, Amazon "said its workforce would shrink going forward."
Security

Self-Replicating Worm Affected Several Hundred NPM Packages, Including CrowdStrike's (www.koi.security)

The Shai-Hulud malware campaign impacted hundreds of npm packages across multiple maintainers, reports Koi Security, including popular libraries like @ctrl/tinycolor and some packages maintained by CrowdStrike. Malicious versions embed a trojanized script (bundle.js) designed to steal developer credentials, exfiltrate secrets, and persist in repositories and endpoints through automated workflows.

Koi Security created a table of packages identified as compromised, promising it's "continuously updated" (and showing the last compromise detected Tuesday). Nearly all of the compromised packages have a status of "removed from NPM". Attackers published malicious versions of @ctrl/tinycolor and other npm packages, injecting a large obfuscated script (bundle.js) that executes automatically during installation. This payload repackages and republishes maintainer projects, enabling the malware to spread laterally across related packages without direct developer involvement. As a result, the compromise quickly scaled beyond its initial entry point, impacting not only widely used open-source libraries but also CrowdStrike's npm packages.

The injected script performs credential harvesting and persistence operations. It runs TruffleHog to scan local filesystems and repositories for secrets, including npm tokens, GitHub credentials, and cloud access keys for AWS, GCP, and Azure. It also writes a hidden GitHub Actions workflow file (.github/workflows/shai-hulud-workflow.yml) that exfiltrates secrets during CI/CD runs, ensuring long-term access even after the initial infection. This dual focus on endpoint secret theft and backdoors makes Shai-Hulud one of the most dangerous campaigns ever compared to previous compromises.

"The malicious code also attempts to leak data on GitHub by making private repositories public," according to a Tuesday blog post from security systems provider Sysdig: The Sysdig Threat Research Team (TRT) has been monitoring this worm's progress since its discovery. Due to quick response times, the number of new packages being compromised has slowed considerably. No new packages have been seen in several hours at the time...

Their blog post concludes "Supply chain attacks are increasing in frequency. It is more important than ever to monitor third-party packages for malicious activity."

Some context from Tom's Hardware: To be clear: This campaign is distinct from the incident that we covered on Sept. 9, which saw multiple npm packages with billions of weekly downloads compromised in a bid to steal cryptocurrency. The ecosystem is the same — attackers have clearly realized the GitHub-owned npm package registry for the Node.js ecosystem is a valuable target — but whoever's behind the Shai-Hulud campaign is after more than just some Bitcoin.
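The two artifacts the Koi Security report names (a bundle.js that runs at install time, and the planted `.github/workflows/shai-hulud-workflow.yml`) are easy to sweep for across checkouts and node_modules trees. The scanner below is an added example, not code from Koi, Sysdig or the affected projects; the fixture tree is constructed, and the assumption that bundle.js is wired in through an npm install lifecycle script is how "executes automatically during installation" is modelled here.

```python
"""Scan a repository checkout or node_modules tree for the two Shai-Hulud
indicators the Koi Security report names: an npm install-time lifecycle
script that runs bundle.js, and the hidden Actions workflow
.github/workflows/shai-hulud-workflow.yml.  Added example; the fixture tree
is constructed, and wiring bundle.js through an install hook is an assumption
about how "executes automatically during installation" is achieved."""
import json
import os
import tempfile
from dataclasses import dataclass

INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
WORKFLOW_NAME = "shai-hulud-workflow.yml"


@dataclass(frozen=True)
class Finding:
    path: str     # relative to the scanned root
    reason: str


def _check_package(dirpath, rel):
    """Report install hooks in one package.json that invoke bundle.js."""
    pkg_rel = os.path.join(rel, "package.json")
    try:
        with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
            pkg = json.load(fh)
    except (OSError, ValueError) as exc:
        return [Finding(pkg_rel, f"unreadable package.json: {exc}")]
    scripts = pkg.get("scripts") or {}
    out = []
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook, "")
        if isinstance(cmd, str) and "bundle.js" in cmd:
            out.append(Finding(pkg_rel, f"install hook '{hook}' runs bundle.js: {cmd}"))
    return out


def scan_tree(root):
    """Walk root and return findings sorted by path."""
    findings = []
    workflows_dir = os.path.join(".github", "workflows")
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        if WORKFLOW_NAME in filenames and dirpath.endswith(workflows_dir):
            findings.append(Finding(os.path.join(rel, WORKFLOW_NAME),
                                    "hidden secret-exfiltration workflow present"))
        if "package.json" in filenames:
            findings.extend(_check_package(dirpath, rel))
    return sorted(findings, key=lambda f: f.path)


def build_fixture():
    """Constructed sample tree: one trojanized package, one clean package,
    and one planted workflow next to a legitimate CI workflow."""
    root = tempfile.mkdtemp(prefix="shai-hulud-demo-")

    def write(relpath, content):
        full = os.path.join(root, relpath)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)

    write("node_modules/@ctrl/tinycolor/package.json", json.dumps({
        "name": "@ctrl/tinycolor", "version": "0.0.0-constructed",
        "scripts": {"postinstall": "node bundle.js"}}))
    write("node_modules/@ctrl/tinycolor/bundle.js",
          "// constructed placeholder, not the real payload\n")
    write("node_modules/clean-lib/package.json", json.dumps({
        "name": "clean-lib", "version": "1.0.0",
        "scripts": {"test": "node test.js"}}))
    write(".github/workflows/shai-hulud-workflow.yml", "on: push\n")
    write(".github/workflows/ci.yml", "on: push\n")
    return root


if __name__ == "__main__":
    for f in scan_tree(build_fixture()):
        print(f"{f.path}: {f.reason}")
```

A bundle.js on its own is common build output and is not flagged; only an install hook that executes it, or the named workflow file, produces a finding.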
IT

Austria's Armed Forces Switch To LibreOffice (heise.de)

alternative_right writes: Austria's armed forces have switched from Microsoft's Office programs to the open-source LibreOffice package. The reason for this is not to save on software license fees for around 16,000 workstations. "It was very important for us to show that we are doing this primarily (...) to strengthen our digital sovereignty, to maintain our independence in terms of ICT infrastructure and (...) to ensure that data is only processed in-house," emphasizes Michael Hillebrand from the Austrian Armed Forces' Directorate 6 ICT and Cyber.

This is because processing data in external clouds is out of the question for the Austrian Armed Forces, as Hillebrand explained on ORF radio station Ö1. It was already apparent five years ago that Microsoft Office would move to the cloud. Back then, in 2020, the decision-making process for the switch began and was completed in 2021.

Games

Valve To Drop Steam Support For 32-Bit Windows Versions Next Year (tomshardware.com)

Valve is dropping support for Steam running on 32-bit versions of Windows, starting January 1, 2026. A report adds and comments: Steam has been available on Windows for more than two decades and, therefore, was built with 32-bit systems in mind. Today, every modern computer is 64-bit, with compatibility layers built in to support older 32-bit apps. So, even though 32-bit apps have carried forward, there's really no place for 32-bit operating systems anymore -- which is why Valve is axing support for them.
Microsoft

This Microsoft Entra ID Vulnerability Could Have Been Catastrophic (wired.com)

Security researcher Dirk-jan Mollema discovered two vulnerabilities in Microsoft's Entra ID identity platform that could have granted attackers administrative access to virtually all Azure customer accounts worldwide. The flaws involved legacy authentication systems -- Actor Tokens issued by Azure's Access Control Service and a validation failure in the retiring Azure Active Directory Graph API.

Mollema reported the vulnerabilities to Microsoft on July 14. Microsoft released a global fix three days later and found no evidence of exploitation. The vulnerabilities would have allowed attackers to impersonate any user across any Azure tenant and access all Microsoft services using Entra ID authentication. Microsoft confirmed the fixes were fully implemented by July 23 and added additional security measures in August as part of its Secure Future Initiative. The company issued a CVE on September 4.
Games

Gearbox CEO Randy Pitchford Tells Borderlands 4 Critics To 'Code Your Own Engine,' Calls It a Game For 'Premium Gamers' (techspot.com)

Gearbox CEO Randy Pitchford has responded to Borderlands 4 performance complaints by calling the game "a premium game made for premium gamers." Pitchford claimed customer service reports for performance issues represent "less than one percent of one percent" of players and told critics to "code your own engine and show us how it's done, please."

The game holds a Mixed rating on Steam despite reaching 300,000 concurrent players Sunday, a franchise record. Gearbox recommends DLSS and frame generation for 60+ fps at 1440p even on powerful hardware. Pitchford compared running the game on older hardware to driving "a monster truck with a leaf blower's motor."
Microsoft

Microsoft's Office Apps Now Have Free Copilot Chat Features (theverge.com)

Microsoft is adding the free Microsoft 365 Copilot Chat and agents to Office apps for all Microsoft 365 business users today. From a report: Word, Excel, PowerPoint, Outlook, and OneNote are all being updated with a Copilot Chat sidebar that will help draft documents, analyze spreadsheets, and more without needing an additional Microsoft 365 Copilot license.

"Copilot Chat is secure AI chat grounded in the web -- and now, it's available in the Microsoft 365 apps," explains Seth Patton, general manager of Microsoft 365 Copilot product marketing. "It's content aware, meaning it quickly understands what you're working on, tailoring answers to the file you have open. And it's included at no additional cost for Microsoft 365 users."

While this free version of Copilot will rewrite documents, provide summaries, and help create slides in PowerPoint, the $30 per month, per user Microsoft 365 Copilot license will still have the best integration in Office apps. The Microsoft 365 Copilot license is also not limited to a single document, and can reason over your entire work data.

IT

'USB-A Isn't Going Anywhere, So Stop Removing the Port' (pocket-lint.com)

An anonymous reader shares a column: After nearly 30 years of USB-A connectivity, the market is now transitioning to the convenient USB-C standard, which makes sense given that it supports higher speeds, display data, and power delivery. The symmetrical connection is also smaller and more user-friendly, as it's reversible and works with smartphones and tablets. I get that USB-C is inevitable, but tech brands should realize that the ubiquitous USB-A isn't going anywhere soon and stop removing the ports we need to run our devices.

[...] It's premature for brands to phase out USB-A when peripheral brands are still making compatible products in 2025. For example, Logitech's current wireless pro gaming mice connect using a USB-A Lightspeed dongle, and most Seagate external drives still use USB-A as their connection method. The same can be said for other memory sticks, keyboards, wireless headsets, and other new devices that are still manufactured with a USB-A connection.

I have a gaming laptop with two USB-A and USB-C ports, and it's a constant struggle to connect all my devices simultaneously without needing a hub. I use the two USB-A ports for my mouse and wireless headset dongles, while a phone charging cable and portable monitor take up the USB-Cs. This setup stresses me out because there's no extra space to connect anything else without losing functionality.

Google

Google Shifts Android Security Updates To Risk-Based Triage System (androidauthority.com)

Google has restructured Android's decade-old monthly security update process into a "Risk-Based Update System" that separates high-priority patches from routine fixes. Monthly bulletins now contain only vulnerabilities under active exploitation or in known exploit chains -- explaining July 2025's unprecedented zero-CVE bulletin -- while most patches accumulate for quarterly releases.

The September 2025 bulletin contained 119 vulnerabilities compared to zero in July and six in August. The change reduces OEM workload for monthly updates but extends the private bulletin lead time from 30 days to several months for quarterly releases. The company no longer releases monthly security update source code, limiting custom ROM development to quarterly cycles.
United Kingdom

UK's Data Watchdog Warns Students Are Breaching Their Schools' IT Systems (bbc.com)

The UK's data-protecting Information Commissioner's Office has issued a warning about what it calls a worrying trend, reports the BBC: "students hacking their own school and college IT systems for fun or as part of dares." Since 2022, the Information Commissioner's Office (ICO) has investigated 215 hacks and breaches originating from inside education settings and says 57% were carried out by children. Other breaches are thought to come from staff, third-party IT suppliers and other organisations with access. According to the new data, almost a third of the breaches involved students illegally logging into staff computer systems by guessing passwords or stealing details from teachers.

In one incident, a seven-year-old was involved in a data breach and subsequently referred to the National Crime Agency's Cyber Choices programme to help them understand the seriousness of their actions... In another incident three Year 11 students aged 15 or 16 unlawfully accessed school databases containing the personal information of more than 1,400 students. The pupils used hacking tools downloaded from the internet to break passwords and security protocols. When questioned, they said they were interested in cyber security and wanted to test their skills and knowledge. Another example the ICO gave is of a student illegally logging into their college's databases with a teacher's details to change or delete personal information belonging to more than 9,000 staff, students and applicants. The system stored personal information such as name and home address, school records, health data, safeguarding and pastoral logs and emergency contacts.

Schools are facing an increasing number of cyber attacks, with 44% of schools reporting an attack or breach in the last year according to the government's most recent Cyber Security Breaches Survey.

"Youth cyber crime culture is a growing threat linked to English-speaking teen gangs," the article argues, noting breaches at major companies to suggest it's a kind of "gateway" crime.

The ICO's principal cyber specialist tells the BBC that "What starts out as a dare, a challenge, a bit of fun in a school setting can ultimately lead to children taking part in damaging attacks on organisations or critical infrastructure."
Security

Apple Claims 'Most Significant Upgrade to Memory Safety' in OS History (apple.com)

"There has never been a successful, widespread malware attack against iPhone," notes Apple's security blog, pointing out that "The only system-level iOS attacks we observe in the wild come from mercenary spyware... historically associated with state actors and [using] exploit chains that cost millions of dollars..."

But they're doing something about it — this week announcing a new always-on memory-safety protection in the iPhone 17 lineup and iPhone Air (including the kernel and over 70 userland processes)... Known mercenary spyware chains used against iOS share a common denominator with those targeting Windows and Android: they exploit memory safety vulnerabilities, which are interchangeable, powerful, and exist throughout the industry... For Apple, improving memory safety is a broad effort that includes developing with safe languages and deploying mitigations at scale...

Our analysis found that, when employed as a real-time defensive measure, the original Arm Memory Tagging Extension (MTE) release exhibited weaknesses that were unacceptable to us, and we worked with Arm to address these shortcomings in the new Enhanced Memory Tagging Extension (EMTE) specification, released in 2022. More importantly, our analysis showed that while EMTE had great potential as specified, a rigorous implementation with deep hardware and operating system support could be a breakthrough that produces an extraordinary new security mechanism.... Ultimately, we determined that to deliver truly best-in-class memory safety, we would carry out a massive engineering effort spanning all of Apple — including updates to Apple silicon, our operating systems, and our software frameworks. This effort, together with our highly successful secure memory allocator work, would transform MTE from a helpful debugging tool into a groundbreaking new security feature.

Today we're introducing the culmination of this effort: Memory Integrity Enforcement (MIE), our comprehensive memory safety defense for Apple platforms. Memory Integrity Enforcement is built on the robust foundation provided by our secure memory allocators, coupled with Enhanced Memory Tagging Extension (EMTE) in synchronous mode, and supported by extensive Tag Confidentiality Enforcement policies. MIE is built right into Apple hardware and software in all models of iPhone 17 and iPhone Air and offers unparalleled, always-on memory safety protection for our key attack surfaces including the kernel, while maintaining the power and performance that users expect. In addition, we're making EMTE available to all Apple developers in Xcode as part of the new Enhanced Security feature that we released earlier this year during WWDC...

Based on our evaluations pitting Memory Integrity Enforcement against exceptionally sophisticated mercenary spyware attacks from the last three years, we believe MIE will make exploit chains significantly more expensive and difficult to develop and maintain, disrupt many of the most effective exploitation techniques from the last 25 years, and completely redefine the landscape of memory safety for Apple products. Because of how dramatically it reduces an attacker's ability to exploit memory corruption vulnerabilities on our devices, we believe Memory Integrity Enforcement represents the most significant upgrade to memory safety in the history of consumer operating systems.

Security

Thieves Busted After Stealing a Cellphone from a Security Expert's Wife (elpais.com)

They stole a woman's phone in Barcelona. Unfortunately, her husband was security consultant/penetration tester Martin Vigo, reports Spain's newspaper El Pais.

"His weeks-long investigation coincided with a massive two-year police operation between 2022 and 2024 in six countries where 17 people were arrested: Spain, Argentina, Colombia, Chile, Ecuador, and Peru...." In Vigo's case, the phone was locked and the "Find my iPhone" feature was activated... Once stolen, the phones are likely wrapped in aluminum foil to prevent the GPS from tracking their movements. "Then they go to a safe house where they are gathered together and shipped on pallets outside of Spain, to Morocco or China." This international step is vital to prevent the phone from being blocked if the thieves try to use it again. Carriers in several European countries share lists of the IMEIs (unique numbers for each device) of stolen devices so they can't be used. But Morocco, for example, doesn't share these lists. There, the phone can be reconnected...

With hundreds or thousands of stored phones, another path begins: "They try to get the PIN," says Vigo. Why the PIN? Because with the PIN, you can change the Apple password and access the device's content. The gang had created a system to send thousands of text messages like the one Vigo received. To know who to target with the bait message, the police say, "the organization performed social profiling of the victims, since, in many cases, in addition to the phone, they also had the victim's personal belongings, such as their ID." This is how they obtained the phone numbers to send the malicious SMS...

Each victim received a unique link, and the server knew which victim clicked it... With the first click, the attackers would redirect the user to a website they believed was credible, such as Apple's real iCloud site... [T]he next day you receive another text message, and you click on it, more confidently. However, that link no longer redirects you to the real Apple website, but to a flawless copy created by the criminals: that's where they ask for your PIN, and without thinking, full of hope, you enter it... "The PIN is more powerful than your fingerprint or face. With it, you can delete the victim's biometric information and add your own to access banking apps that are validated this way," says Vigo. Apple Wallet asks you to re-authenticate, and then everything is accessible...

In the press release on the case, the police explained that the gang allegedly used a total of 5,300 fake websites and illegally unlocked around 1.3 million high-end devices, about 30,000 of them in Spain.

Vigo tells El Pais that if the PIN doesn't unlock the device, the criminal gang then sends it to China to be "dismantled and then sent back to Europe for resale. The devices are increasingly valuable because they have more advanced chips, better cameras, and more expensive materials."

To render the phone untraceable in China, "they change certain components and the IMEI. It requires a certain level of sophistication: opening the phone, changing the chip..."
