<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/">
<channel><title>MRTD.NET</title><link>https://mrtd.net/</link><atom:link href="https://mrtd.net/rss.xml" rel="self" type="application/rss+xml"/><atom:link href="https://pubsubhubbub.appspot.com/" rel="hub"/><description>MRTD.NET covers crypto and blockchain security, exploit post-mortems, cybersecurity, and SEO/growth — original analysis with primary sources.</description><language>en</language>
<item><title>How to Store Your Seed Phrase Safely (Without Losing It Forever)</title><link>https://mrtd.net/how-to-store-seed-phrase-safely/</link><guid isPermaLink="true">https://mrtd.net/how-to-store-seed-phrase-safely/</guid><pubDate>Wed, 24 Jun 2026 00:04:34 +0000</pubDate><category>Crypto Security</category><description><![CDATA[A seed phrase has no reset button — lose it and the crypto is gone, with an estimated 2-4 million BTC already lost this way. Here's how to back up those words so they survive fire, theft, and the day you're not around.]]></description><content:encoded><![CDATA[<h2>Your seed phrase <em>is</em> your crypto — treat it that way</h2>
<p>A seed phrase (the 12 or 24 words your wallet shows you when you first set it up) is the master key to everything in that wallet. Anyone who has it controls your funds; anyone who loses it loses their funds. There is no password reset, no support line that can recover it, no bank to call. That single property — total power, zero recovery — is why how you store those words matters more than almost anything else you do in crypto.</p>
<p>This is the storage companion to our <a href="/protect-your-crypto-lessons-from-the-hacks/">defense checklist</a> and our guide to <a href="/crypto-social-engineering-scams-how-to-protect/">social-engineering scams</a>, which covers the other half of the problem: people being tricked into <em>giving</em> the phrase away.</p>
<h2>How much crypto simply vanishes</h2>
<p>Lost keys are not a rare edge case. Analysts at Chainalysis have estimated that on the order of <strong>1.8 million BTC</strong> sit in wallets that haven&rsquo;t moved since 2014 or earlier — coins that are most likely gone for good. Broader estimates, summarized by <a href="https://www.ledger.com/academy/topics/economics-and-regulation/how-many-bitcoin-are-lost-ledger" target="_blank" rel="noopener noreferrer">Ledger Academy</a>, put permanently lost bitcoin at roughly <strong>2.3 to 3.7 million coins</strong> — well over 10% of the supply that will ever exist. Most of that wasn&rsquo;t stolen. It was misplaced backups, dead hard drives, forgotten passphrases, and seed words nobody can find anymore.</p>
<p>The takeaway: for most people, <strong>losing</strong> the phrase is at least as big a risk as someone <strong>stealing</strong> it. Good storage has to defend against both.</p>
<h2>The two failure modes</h2>
<p>Every storage decision is a trade-off between two opposite dangers:</p>
<ul>
<li><strong>Loss / destruction</strong> — fire, flood, a faded ballpoint scrawl, a backup thrown out by mistake, a single copy in one place that gets destroyed.</li>
<li><strong>Theft / exposure</strong> — a roommate, burglar, repair worker, or house guest who finds the words, or a digital copy that ends up somewhere it can be read.</li>
</ul>
<p>Push too hard against one and you invite the other. One copy locked in a single safe is theft-resistant but a single point of failure. Five copies scattered around are loss-resistant but five chances to be stolen. The whole craft of seed storage is balancing these.</p>
<h2>Rule 1 — Never store it digitally</h2>
<p>The fastest way to lose a wallet is to put the words somewhere connected to the internet. No photos, no screenshots, no cloud notes, no email drafts, no password manager, no text file, no messaging yourself. Anything that touches a synced device or an online account can be exposed by malware or a breach of that service. Seed phrases belong <strong>offline and analog</strong>, full stop.</p>
<h2>Rule 2 — Make the backup survive fire and water</h2>
<p>Paper is fine until the first house fire, flood, or decade of humidity. The accepted gold standard is <strong>metal</strong>: a stainless-steel plate or capsule that is fireproof and corrosion-resistant, with no electronics to fail. As storage specialists like <a href="https://www.unchained.com/blog/how-to-store-bitcoin-seed-phrase-backups" target="_blank" rel="noopener noreferrer">Unchained</a> and <a href="https://blog.keyst.one/how-to-safely-store-bitcoin-seed-phrases-a-simple-guide" target="_blank" rel="noopener noreferrer">Keystone</a> note, <strong>stamped</strong> letters survive heat and time better than <strong>engraved</strong> ones, where the thin surface layer (and the inscription) is the first thing destroyed in a fire. If you only ever do one upgrade to your setup, move from paper to metal.</p>
<h2>Rule 3 — Redundancy in separate places</h2>
<p>One backup is a single point of failure. Two or three identical copies remove the &ldquo;my only copy burned&rdquo; risk — but each full copy is also one more place it can be stolen, so <strong>geography matters</strong>. Keep copies in genuinely separate locations you control or trust: home safe, a relative&rsquo;s house, a bank safe-deposit box. The goal is that no single fire, flood, or break-in can take all of them at once.</p>
<h2>Rule 4 — For serious amounts, split the secret</h2>
<p>If a wallet holds more than you&rsquo;d be comfortable trusting to one hidden plate, stop relying on a single complete copy of the words anywhere. Two well-established approaches remove that single point:</p>
<ul>
<li><strong>Multisig (e.g. 2-of-3).</strong> Funds need any two of three independent keys. You can lose — or have stolen — one key entirely and still be safe, and still recover. It&rsquo;s why one key can sit with a custodian or in a safe-deposit box without putting the funds at the mercy of that one location.</li>
<li><strong>Shamir&rsquo;s Secret Sharing (SLIP-39).</strong> Splits the secret into several shares where only a chosen number are needed to rebuild it. Some hardware wallets implement it directly. No single share, found on its own, reveals anything.</li>
</ul>
<p>Both mean an attacker has to compromise multiple places, and you can survive losing one, so a single setup protects against both failure modes.</p>
<h2>Rule 5 — Plan for the day you&rsquo;re not around</h2>
<p>A backup so good that <em>only</em> you can ever find or understand it becomes a guaranteed loss the moment something happens to you. A real plan includes inheritance: a trusted person who knows a recovery exists, enough documented instructions (kept separate from the words themselves) for them to act, and, for larger estates, proper legal arrangements. Plenty of the permanently lost coins above belonged to people who simply never told anyone how to recover them.</p>
<h2>Common mistakes that quietly lose wallets</h2>
<ul>
<li>A <strong>single paper copy</strong> in a drawer — one accident from gone.</li>
<li>A <strong>photo or cloud note</strong> &ldquo;just in case&rdquo; — the case it creates is theft.</li>
<li><strong>Faded or smudged ink</strong>, or cheap label-maker tape that peels in a year.</li>
<li>Storing the words <strong>next to the hardware wallet</strong> — one theft takes both.</li>
<li>Telling <strong>no one</strong>, with no inheritance path.</li>
<li>A secret passphrase (the optional &ldquo;25th word&rdquo;) that&rsquo;s <strong>memorized and never backed up</strong> — forget it and the metal plate is useless.</li>
<li>Typing the words into a &ldquo;wallet validation&rdquo; or &ldquo;sync&rdquo; tool — that&rsquo;s not storage, that&rsquo;s how the phrase is <a href="/crypto-social-engineering-scams-how-to-protect/">stolen</a>.</li>
</ul>
<h2>A simple, solid setup for most people</h2>
<p>You don&rsquo;t need an elaborate scheme to be in far better shape than average:</p>
<ol>
<li>Generate the wallet on a hardware device; <strong>write the words on paper once</strong>, offline, to start.</li>
<li>Transfer them to a <strong>stamped metal backup</strong>.</li>
<li>Keep <strong>two copies in two separate, secure locations</strong> you trust.</li>
<li>Store backups <strong>away from the hardware wallet itself</strong>.</li>
<li>Tell <strong>one trusted person</strong> that a recovery exists and how to reach it if needed.</li>
<li>For larger holdings, graduate to <strong>multisig or SLIP-39</strong> so no one place holds the whole key.</li>
</ol>
<p>Storage is the unglamorous part of crypto security, and it&rsquo;s exactly where most coins are quietly lost — not to hackers, but to fire, water, and forgetting. The reassuring part is that a metal plate, two locations, and one trusted contact already put you ahead of the people whose coins make up that lost-forever statistic. And if the worst does happen and funds are taken rather than lost, understand the limits of <a href="/how-stolen-crypto-is-traced-and-recovered/">recovery and tracing</a> before you assume anything can be undone.</p>
<p><em>Informational only — not financial or security advice.</em></p>]]></content:encoded></item>
<item><title>Fake GTA 6 &#x27;Early Access&#x27; Sites Are Draining Crypto Wallets -- There Is No Early Access</title><link>https://mrtd.net/gta-6-early-access-scam-malware/</link><guid isPermaLink="true">https://mrtd.net/gta-6-early-access-scam-malware/</guid><pubDate>Tue, 23 Jun 2026 16:39:12 +0000</pubDate><category>Crypto Security</category><description><![CDATA[As GTA 6 pre-orders open June 25, security firms report a surge of fake 'early access' sites taking irreversible crypto payments and pushing malware that drains wallets and intercepts 2FA codes. Rockstar is not selling early access -- here's how to tell the scams apart and protect your wallet.]]></description><content:encoded><![CDATA[<h2>There is no paid &ldquo;early access&rdquo; to GTA 6 — only scams</h2>
<p>With <em>Grand Theft Auto VI</em> set to launch on November 19, 2026 and official pre-orders opening <strong>June 25</strong>, years of pent-up hype have created a near-perfect environment for fraud. Security firms are now reporting a surge of fake &ldquo;early access&rdquo; sites that take your money — often in crypto — and deliver malware or nothing at all. The single most useful fact to hold onto: <strong>Rockstar Games is not selling early access to anyone.</strong> Any site that offers it is a scam.</p>
<h2>Two scams wearing the same Vice City paint</h2>
<p>The fake sites look the part — neon Vice City artwork, GTA 6 logos, luxury cars, AI-generated splash images — and they split into two money-making schemes:</p>
<p><strong>1. Pay-in-crypto &ldquo;VIP early access.&rdquo;</strong> You&rsquo;re asked to send a few hundred dollars in cryptocurrency, enter a payment code, and the game &ldquo;unlocks.&rdquo; It never does. As <a href="https://www.helpnetsecurity.com/2026/06/23/gta-6-early-access-scam/" target="_blank" rel="noopener noreferrer">Help Net Security</a> and <a href="https://www.malwarebytes.com/blog/threat-intel/2026/06/gta-6-early-access-is-nothing-but-a-scam" target="_blank" rel="noopener noreferrer">Malwarebytes</a> document, the crypto angle is the whole point for the scammer: payments are irreversible, there&rsquo;s no chargeback and no fraud department to call. Once it&rsquo;s sent, it&rsquo;s gone.</p>
<p><strong>2. Fake &ldquo;installers&rdquo; that are malware.</strong> Other sites mimic Rockstar&rsquo;s branding and push &ldquo;downloads&rdquo; through Discord servers, YouTube links, and forums — Windows installers or Android APKs that actually install trojans. Per <a href="https://www.infosecurity-magazine.com/news/gta-6-scams-emerge-as-preorders/" target="_blank" rel="noopener noreferrer">Infosecurity Magazine</a> and <a href="https://gizmodo.com/fake-gta-6-real-malware-the-new-scam-targeting-windows-and-android-2000766397" target="_blank" rel="noopener noreferrer">Gizmodo</a>, the payloads range from credential stealers (browser-saved passwords, banking logins, game session tokens) to cryptominers and <strong>cryptocurrency-wallet drainers</strong> — and some Android versions intercept SMS messages to defeat text-based two-factor authentication.</p>
<h2>Why this is a crypto-security story, not just a gaming one</h2>
<p>The two schemes converge on your wallet. The &ldquo;early access&rdquo; sites want an irreversible crypto payment; the malware sites want to install a drainer that empties the wallet you already have — and, on Android, to read the SMS codes that would otherwise protect your exchange and bank logins. If you keep crypto on the same device you game on, a single bad &ldquo;GTA 6 installer&rdquo; can cost far more than the price of the game.</p>
<h2>How to stay safe</h2>
<ul>
<li><strong>Treat every paid &ldquo;GTA 6 early access&rdquo; offer as fraud.</strong> There isn&rsquo;t one. Official pre-orders open June 25 through legitimate storefronts (Steam, PlayStation Store, Xbox) and select retailers — nowhere else.</li>
<li><strong>Never pay cryptocurrency for game access.</strong> A request for crypto in exchange for &ldquo;unlocking&rdquo; anything is a flashing red flag precisely because it can&rsquo;t be reversed.</li>
<li><strong>Don&rsquo;t run &ldquo;installers&rdquo; or APKs from Discord, YouTube descriptions, forums, or lookalike sites.</strong> That&rsquo;s the malware delivery vector. Until launch, there is no GTA 6 file to install.</li>
<li><strong>If you already interacted with one:</strong> assume the device and any wallet on it may be compromised. Move funds to a clean wallet, <strong><a href="/revoke-token-approvals-protect-wallet-drainers/">revoke token approvals</a></strong>, change passwords from a different device, and run a malware scan. The SMS-interception angle is also a good reason to move 2FA off text messages to an authenticator app.</li>
</ul>
<p>This is the same playbook we cover in our guide to <a href="/crypto-social-engineering-scams-how-to-protect/">social-engineering scams</a>: manufactured urgency around something people desperately want, an irreversible payment, and a download that isn&rsquo;t what it claims. The hype is real; the early access is not.</p>
<p><em>Informational only — not financial or security advice. This is a developing story; details may change as security researchers track new variants.</em></p>]]></content:encoded></item>
<item><title>The Crypto Scam Texts You Ignore Are Run by Trafficking Victims</title><link>https://mrtd.net/southeast-asia-crypto-scam-compounds/</link><guid isPermaLink="true">https://mrtd.net/southeast-asia-crypto-scam-compounds/</guid><pubDate>Tue, 23 Jun 2026 14:33:48 +0000</pubDate><category>Crypto Security</category><description><![CDATA[Behind the 'wrong number' crypto-investment texts is a forced-labor industry: people lured by fake jobs, trafficked into Southeast Asian compounds, and made to run pig-butchering scams that cost victims an estimated $7.2B in 2025. Here's how it works -- and how to refuse it.]]></description><content:encoded><![CDATA[<h2>The &ldquo;wrong number&rdquo; text isn&rsquo;t a wrong number</h2>
<p>&ldquo;Hi, is this Jessica?&rdquo; &ldquo;Sorry to bother you — are you free to invest?&rdquo; The misfired text from a stranger who keeps the conversation friendly and eventually mentions a can&rsquo;t-miss crypto opportunity is one of the most common scam openers on the planet. What most people don&rsquo;t realize is who is usually on the other end: not a lone con artist, but a person who was trafficked, had their passport taken, and is being forced to run that script under threat of violence.</p>
<p>This is the supply side of the scams we cover in our <a href="/crypto-social-engineering-scams-how-to-protect/">social-engineering guide</a>, and understanding it makes the scams much easier to refuse.</p>
<h2>The pipeline: fake job, seized passport, forced fraud</h2>
<p>The operations run out of guarded compounds across Southeast Asia — concentrated in border areas of Myanmar, Cambodia, and Laos, and connected through Thailand. The recruitment funnel is brutally simple:</p>
<ul>
<li><strong>A fake job offer.</strong> Ads promise well-paid &ldquo;customer service,&rdquo; &ldquo;translator,&rdquo; &ldquo;crypto,&rdquo; or tech roles, often requiring travel to the region.</li>
<li><strong>Arrival and capture.</strong> On landing, recruits&rsquo; identity documents are seized and many are trafficked across a border into a compound.</li>
<li><strong>Forced scamming.</strong> Inside, they&rsquo;re held against their will and made to defraud strangers online. The U.S. Department of Justice and U.N. human-rights investigators have documented <a href="https://www.ohchr.org/en/stories/2026/02/matter-survival-human-cost-cyber-scam-operations-south-east-asia" target="_blank" rel="noopener noreferrer">beatings, torture, and worse</a> used to enforce quotas.</li>
</ul>
<p>So the manipulation aimed at <em>you</em> is itself the product of coercion aimed at someone else. There are two sets of victims in every one of these chats.</p>
<h2>The money: &ldquo;pig butchering&rdquo; at industrial scale</h2>
<p>The dominant playbook is what&rsquo;s grimly called &ldquo;pig butchering&rdquo; — building trust or a fake romance over weeks, then steering the target onto a bogus crypto investment platform that shows fake gains until the moment they try to withdraw. According to <a href="https://www.chainalysis.com/blog/crypto-scams-2026/" target="_blank" rel="noopener noreferrer">Chainalysis</a>, crypto investment fraud of this kind drove an estimated <strong>$7.2 billion in losses in 2025</strong>, making it one of the most financially devastating forms of cybercrime.</p>
<h2>2026: the biggest crackdowns yet — and why the texts keep coming</h2>
<p>This year brought the largest coordinated response so far. The DOJ&rsquo;s <a href="https://www.justice.gov/opa/pr/scam-center-strike-force-takes-major-actions-against-southeast-asian-scam-centers-targeting" target="_blank" rel="noopener noreferrer">Scam Center Strike Force</a> and partner agencies restrained more than <strong>$701 million in cryptocurrency</strong> tied to laundered victim funds and removed over a million scam social-media accounts; a separate <a href="https://thehackernews.com/2026/05/global-crackdown-arrests-276-shuts-9.html" target="_blank" rel="noopener noreferrer">global operation</a> reported hundreds of arrests and multiple centers shut. These are real blows.</p>
<p>But the model is resilient: when one compound is raided, operators relocate across a porous border and rebuild. Enforcement alone won&rsquo;t end it — which is why the most reliable protection is still the target refusing to bite.</p>
<h2>How to protect yourself — on both sides of the funnel</h2>
<p><strong>If you&rsquo;re the target of the scam:</strong></p>
<ul>
<li>Treat <em>any</em> unsolicited contact that drifts toward investing — especially crypto with great returns — as a scam, no matter how warm or long-running the relationship feels. Romance plus a can&rsquo;t-lose investment is the signature.</li>
<li>The tell is the withdrawal. Fake platforms show profits and then invent fees, taxes, or &ldquo;verification&rdquo; to stop you cashing out. Real ones don&rsquo;t.</li>
<li>Never let someone you met online walk you into a platform, an app, or a &ldquo;support agent.&rdquo; The hard rules in our <a href="/crypto-social-engineering-scams-how-to-protect/">social-engineering guide</a> neutralize almost all of it.</li>
</ul>
<p><strong>If you&rsquo;re job-hunting:</strong></p>
<ul>
<li>Be deeply skeptical of high-paying overseas &ldquo;crypto,&rdquo; &ldquo;customer service,&rdquo; or &ldquo;translator&rdquo; roles that need you to travel fast and hand over your passport. That is the trafficking funnel, not a career.</li>
<li>Verify the employer independently — real company, real address, real people — before you book anything, and tell someone where you&rsquo;re going.</li>
</ul>
<p>The uncomfortable truth is that the spam you delete without thinking is the front end of a violent, multibillion-dollar industry built on trafficked labor. The same five seconds of skepticism that protects your savings also helps starve it.</p>
<p><em>Informational only — not financial or security advice. If you or someone you know may be trapped in one of these operations, contact local authorities or an anti-trafficking organization.</em></p>]]></content:encoded></item>
<item><title>Social Engineering Is How Crypto&#x27;s Biggest Thefts Now Happen — and How Not to Be Next</title><link>https://mrtd.net/crypto-social-engineering-scams-how-to-protect/</link><guid isPermaLink="true">https://mrtd.net/crypto-social-engineering-scams-how-to-protect/</guid><pubDate>Tue, 23 Jun 2026 00:03:20 +0000</pubDate><category>Crypto Security</category><description><![CDATA[In 2026, ~65% of crypto's $11.36B in scam losses come from social engineering, not exploits — including ZachXBT-documented $91M and $282M cases. Here's how the manipulation works (fake support, panic plays, pig-butchering) and the hard rules that stop almost all of it.]]></description><content:encoded><![CDATA[<h2>The biggest threat to your crypto isn&rsquo;t a hack — it&rsquo;s you</h2>
<p>Audited contracts, hardware wallets, cold storage — none of it matters if someone convinces <em>you</em> to hand over the keys. In 2026, social engineering is the leading cause of crypto loss, not exotic exploits. Of an estimated <strong>$11.36 billion</strong> in crypto scam losses, roughly <strong>65% trace to social engineering</strong> — manipulating a human, not breaking a system. The most expensive failures are psychological, and the defense is mostly a set of hard rules you decide in advance.</p>
<p>This is the human-layer companion to our <a href="/revoke-token-approvals-protect-wallet-drainers/">token-approvals guide</a> and <a href="/protect-your-crypto-lessons-from-the-hacks/">defense checklist</a>.</p>
<h2>How the manipulation actually works</h2>
<p>The mechanics vary; the playbook rarely does. Attackers build trust or urgency, then get you to do one irreversible thing.</p>
<ul>
<li><strong>Support impersonation.</strong> A &ldquo;support agent&rdquo; for your exchange or hardware-wallet maker contacts you — on Telegram, X, email, or via a paid search ad — and walks you toward entering your seed phrase or approving a transaction. Investigator <a href="https://decrypt.co/336279/bitcoin-investor-loses-91-million-to-social-engineering-scam-zachxbt" target="_blank" rel="noopener noreferrer">ZachXBT</a> documented a victim who lost <strong>$91M (783 BTC)</strong> to attackers impersonating exchange <em>and</em> hardware-wallet support, and a separate <strong>$282M</strong> hardware-wallet case. The iron rule: <strong>real support never contacts you first, and never asks for your seed phrase.</strong></li>
<li><strong>The &ldquo;your account is compromised, move funds now&rdquo; panic play.</strong> A fake alert pushes you to &ldquo;secure&rdquo; your assets by moving them to a wallet the attacker controls. Urgency is the weapon.</li>
<li><strong>Romance / &ldquo;pig butchering.&rdquo;</strong> A long con that builds a relationship over weeks before introducing a fake investment platform with fake returns — until you can&rsquo;t withdraw.</li>
<li><strong>Fake jobs, airdrops, and &ldquo;verification.&rdquo;</strong> Recruiters, giveaways, and support bots that all funnel toward one thing: your seed phrase, a malicious signature, or a &ldquo;verify your wallet&rdquo; approval.</li>
</ul>
<p>Most of it arrives through <strong>messaging platforms — Telegram above all — phishing pages, and impersonated profiles.</strong></p>
<h2>Hardware wallets don&rsquo;t make you immune</h2>
<p>A hardware wallet protects your key from malware. It does <strong>not</strong> protect you from <em>yourself</em> typing the seed phrase into a fake &ldquo;wallet validation&rdquo; site, or from approving a malicious transaction on a spoofed dApp. Social engineering routes around the hardware entirely by targeting the one part it can&rsquo;t secure: your decision.</p>
<h2>The rules that stop almost all of it</h2>
<ol>
<li><strong>Your seed phrase is never needed by anyone, ever.</strong> Not support, not &ldquo;validation,&rdquo; not a migration, not an airdrop. Anyone asking is an attacker. Full stop.</li>
<li><strong>Real support never DMs you first.</strong> Exchanges and wallet makers don&rsquo;t slide into your DMs. Treat any unsolicited &ldquo;support&rdquo; contact as impersonation and block it without engaging.</li>
<li><strong>Reach support only through bookmarks or in-app help</strong> — never a paid search ad, a DM link, or a number someone gives you. Lookalike URLs and sponsored results are a primary vector.</li>
<li><strong>Urgency is a red flag, not a reason.</strong> Every social-engineering script needs you to act <em>now</em>. Slow down; a real problem survives a five-minute pause to verify through official channels.</li>
<li><strong>Verify every signature.</strong> If a request asks you to approve a token you&rsquo;re not trading, sign a message you don&rsquo;t understand, or &ldquo;validate&rdquo; your wallet, stop.</li>
</ol>
<h2>A practical defense setup</h2>
<ul>
<li><strong>Compartmentalize.</strong> Keep savings on a hardware wallet that never touches random dApps; use a separate, low-balance hot wallet for day-to-day interactions.</li>
<li><strong>Assume every unsolicited contact is a scam</strong> — recruiter, support, influencer giveaway, &ldquo;I can recover your funds.&rdquo; Especially the funds-recovery ones; they prey on prior victims.</li>
<li><strong>Never type your seed phrase into anything connected to the internet.</strong> No legitimate process requires it.</li>
<li><strong>Independently verify</strong> people and platforms before sending money or signing — official sites, known channels, a second source.</li>
<li><strong>If you&rsquo;re hit</strong>, move remaining funds to a fresh wallet, revoke approvals, and report it; understand that, as we cover in <a href="/how-stolen-crypto-is-traced-and-recovered/">how stolen crypto gets traced</a>, speed is everything and recovery is rarely guaranteed.</li>
</ul>
<p>The uncomfortable summary: the strongest wallet in the world has a human attached to it, and that&rsquo;s what attackers target. The good news is that a handful of non-negotiable rules — never share the seed, never trust unsolicited support, never act on urgency — neutralize the overwhelming majority of these attacks.</p>
<p><em>Informational only — not financial or security advice.</em></p>]]></content:encoded></item>
<item><title>Token Approvals: The Silent Way Wallets Get Drained — and How to Revoke Them</title><link>https://mrtd.net/revoke-token-approvals-protect-wallet-drainers/</link><guid isPermaLink="true">https://mrtd.net/revoke-token-approvals-protect-wallet-drainers/</guid><pubDate>Mon, 22 Jun 2026 00:07:16 +0000</pubDate><category>Crypto Security</category><description><![CDATA[Most crypto losses aren't exotic hacks — they're approvals you signed and forgot. Here's what a token allowance is, why 'unlimited' approvals are a standing liability, and exactly how to check and revoke them with Revoke.cash, Etherscan, or your wallet.]]></description><content:encoded><![CDATA[<h2>The drain that needs no exploit</h2>
<p>Most wallets aren&rsquo;t emptied by some exotic smart-contract hack. They&rsquo;re emptied because the owner <em>signed a permission</em> — usually on a convincing phishing site — and a drainer used that permission to move the tokens out minutes later. No private key stolen, no zero-day. Just an approval the victim granted and forgot. This is the single most common way ordinary holders lose funds, and the defense is boring, free, and entirely in your control.</p>
<p>This pairs with our <a href="/protect-your-crypto-lessons-from-the-hacks/">defense checklist</a> and the incidents in our <a href="/crypto-hack-tracker-2026/">Crypto Hack Tracker</a>.</p>
<h2>What a token approval actually is</h2>
<p>To let a dApp (a DEX, a lending protocol, an NFT marketplace) move your ERC-20 tokens, you grant it an <strong>allowance</strong> — an on-chain permission to spend up to some amount of a specific token from your wallet. That&rsquo;s normal and necessary; it&rsquo;s how DeFi works.</p>
<p>The trap is the <strong>&ldquo;unlimited&rdquo; (infinite) approval</strong>. To save you from re-approving on every trade, most dApps request permission to spend <em>as many tokens as you hold — now and forever</em>. Convenient, and also a standing key to your tokens that never expires. If the contract you approved is malicious, or is later compromised, or you signed it on a phishing clone, that allowance is all an attacker needs.</p>
<h2>Why old approvals are a liability</h2>
<p>Approvals don&rsquo;t disappear when you stop using a dApp or disconnect your wallet — <strong>disconnecting is not revoking</strong>. The allowance sits on-chain indefinitely. Over a year of DeFi use, a typical wallet accumulates dozens of live approvals, many of them unlimited, to contracts the owner barely remembers. Each one is attack surface. The fix is to treat approvals like passwords: review them, and revoke the ones you don&rsquo;t need.</p>
<h2>How to check and revoke</h2>
<ul>
<li><strong><a href="https://revoke.cash/" target="_blank" rel="noopener noreferrer">Revoke.cash</a></strong> is the most-used tool, covering 100+ networks. Enter your address (or connect your wallet), and it lists every active approval. <strong>Sort newest-to-oldest</strong> if you suspect you just signed something malicious, and pay special attention to anything marked <em>unlimited</em>. Revoking sends an on-chain transaction (you&rsquo;ll pay a small gas fee in the network&rsquo;s native token) that sets the allowance back to zero.</li>
<li><strong><a href="https://etherscan.io/tokenapprovalchecker" target="_blank" rel="noopener noreferrer">Etherscan&rsquo;s Token Approval Checker</a></strong> (and the equivalent on other explorers) does the same from the block explorer side.</li>
<li><strong><a href="https://support.metamask.io/more-web3/learn/how-to-revoke-smart-contract-allowances-token-approvals/" target="_blank" rel="noopener noreferrer">MetaMask</a></strong> and other modern wallets now surface and let you revoke allowances natively.</li>
</ul>
<p>One critical caution: <strong>phishing clones of Revoke.cash exist.</strong> Bookmark the real site and use the bookmark — never reach a &ldquo;revoke&rdquo; tool through a search ad or a link someone DMs you.</p>
<h2>If you think you&rsquo;re already compromised</h2>
<p>Move fast — the window is short:</p>
<ol>
<li><strong>Disconnect</strong> your wallet from all dApps.</li>
<li><strong>Revoke every approval</strong> via Revoke.cash or the Etherscan checker, prioritizing unlimited ones.</li>
<li><strong>Move remaining funds to a fresh wallet</strong> (a brand-new seed phrase the attacker has never seen).</li>
</ol>
<p>Be clear-eyed about the limit: <strong>revoking does not recover already-stolen funds and does not reverse transactions.</strong> It stops <em>further</em> draining and closes the door. For where stolen funds go next, see <a href="/how-stolen-crypto-is-traced-and-recovered/">How Stolen Crypto Gets Traced</a>.</p>
<h2>Habits that keep you safe</h2>
<ul>
<li><strong>Prefer limited approvals over unlimited</strong> when a wallet offers the choice — approve only what the transaction needs.</li>
<li><strong>Revoke periodically.</strong> A monthly sweep of Revoke.cash clears the junk you&rsquo;ve accumulated.</li>
<li><strong>Use a separate &ldquo;hot&rdquo; wallet for dApp interactions</strong>, holding only what you&rsquo;re actively using; keep savings in a hardware wallet that never touches random dApps.</li>
<li><strong>Verify every signature request.</strong> If a site asks you to approve a token you&rsquo;re not trading, or requests an allowance that doesn&rsquo;t match what you&rsquo;re doing, stop.</li>
<li><strong>Bookmark the tools you trust.</strong> Most drains start with a lookalike URL.</li>
</ul>
<p>The uncomfortable truth is that the most expensive mistakes in crypto are usually a single careless click on &ldquo;Approve.&rdquo; The good news is the antidote costs a few minutes and a little gas.</p>
<p><em>Informational only — not financial or security advice.</em></p>]]></content:encoded></item>
<item><title>Hackers Hijack Brazil&#x27;s Emergency Alert System, Waking Millions With a Fake &#x27;Extreme Alert&#x27;</title><link>https://mrtd.net/brazil-emergency-alert-system-hacked-fake-extreme-alert/</link><guid isPermaLink="true">https://mrtd.net/brazil-emergency-alert-system-hacked-fake-extreme-alert/</guid><pubDate>Sun, 21 Jun 2026 07:45:23 +0000</pubDate><category>Cyber &amp; Tech</category><description><![CDATA[Late on June 19, a fake 'Extreme Alert' reading 'misantropi4' blasted to phones across Sao Paulo, Rio, Brasilia and beyond, overriding silent mode in the dead of night. Brazil's regulator pulled the national warning platform offline as federal police opened an investigation into a breach of critical public-safety infrastructure.]]></description><content:encoded><![CDATA[<h2>A nation woken by an alert that should never have fired</h2>
<p>Late on Friday, June 19, 2026 — around 11:40 p.m. local time and into the early hours of Saturday — phones across multiple Brazilian states blared a top-severity <strong>&ldquo;Extreme Alert,&rdquo;</strong> the class normally reserved for imminent threats to life. It overrode silent mode by design, jolting people awake in São Paulo, Rio de Janeiro, Brasília, Bahia and Pará. There was no emergency. The national public-warning system had been hijacked.</p>
<h2>The message was a taunt, not a warning</h2>
<p>Instead of evacuation instructions or a hazard notice, the alert read <strong>&ldquo;misantropi4&rdquo;</strong> — a stylized spelling of the Portuguese <em>misantropia</em> (misanthropy, a hatred of humankind), with the final letter swapped for a &ldquo;4.&rdquo; The content made clear this was not a malfunction or a mistaken broadcast but a deliberate intrusion into the system that Brazilians are supposed to be able to trust without question.</p>
<h2>The regulator pulled the system offline</h2>
<p>Brazil&rsquo;s telecoms regulator, <strong>Anatel</strong>, took the national warning platform — the Cell Broadcast–based Civil Defense alerting system — offline at around 1:30 a.m. to stop further messages from going out. The <strong>Federal Police</strong> opened an investigation into what officials have described as a <strong>probable remote intrusion</strong> into the country&rsquo;s critical public-warning infrastructure. As of reporting, no suspect has been publicly identified and authorities have not detailed how the system was accessed.</p>
<h2>Why a fake alert is far more than a prank</h2>
<p>Emergency alert systems are engineered for maximum trust and reach. They bypass silent mode, hit every phone within a geographic cell, and are reserved for genuine threats to life. That same design is exactly what makes a breach dangerous — not because of what <em>this</em> message said, but because of what the <strong>next</strong> false alarm could do.</p>
<p>A population that is jolted awake by a meaningless &ldquo;Extreme Alert&rdquo; learns, a little, to distrust the channel. The real damage of a hijacked warning system is the <strong>&ldquo;cry wolf&rdquo; effect</strong>: every false alert erodes the public&rsquo;s willingness to act on the real one that may follow — the flood, the wildfire, the evacuation order these systems exist to deliver. A warning channel only works if people believe it.</p>
<h2>Critical civic infrastructure is an attack surface</h2>
<p>Public-warning platforms belong on the same list as power grids, water utilities and transit systems: civic infrastructure that is high-impact, broadly accessible, and — by mandate — able to command the attention of an entire nation in seconds. They are operated jointly by governments and mobile carriers and tie together many moving parts, which is part of what makes them attractive and difficult to fully lock down.</p>
<p>The risk isn&rsquo;t hypothetical. Even <em>accidental</em> false alerts have shown how fast a single message spreads panic across a population — the 2018 erroneous ballistic-missile alert in Hawaii, a human error rather than an attack, sent an entire state scrambling before the correction came. A deliberate intrusion into the same kind of system raises the stakes considerably.</p>
<h2>What to take from it</h2>
<p><strong>For the public:</strong> a legitimate emergency alert describes a real, specific hazard and points to official guidance. A cryptic word or an obvious taunt is a red flag, not an instruction. When in doubt, confirmation comes from broadcasters and official government channels — not from the alert alone.</p>
<p><strong>For operators:</strong> the episode is a blunt reminder that alert <em>origination</em> needs strong authentication and continuous monitoring, that a fast kill-switch matters (Anatel&rsquo;s quick takedown limited the damage), and that a clear public-communication plan is part of incident response — because in a warning system, restoring <strong>trust</strong> is as urgent as restoring the service.</p>
<p><em>This is a developing story; details may change as Brazilian authorities continue their investigation.</em></p>]]></content:encoded></item>
<item><title>How to Get a New Site Indexed by Google in 2026 (What Works, What&#x27;s a Waste)</title><link>https://mrtd.net/how-to-get-indexed-by-google-2026/</link><guid isPermaLink="true">https://mrtd.net/how-to-get-indexed-by-google-2026/</guid><pubDate>Sun, 21 Jun 2026 00:02:00 +0000</pubDate><category>SEO &amp; Growth</category><description><![CDATA[IndexNow covers Bing, Yandex and ChatGPT — but Google ignores it. Here's the evidence-based split: the two fast levers that actually get Google to index a new site, the myths that waste weeks (the Indexing API, sitemap pings, paid indexing bots), and a realistic checklist.]]></description><content:encoded><![CDATA[<h2>The uncomfortable first lesson</h2>
<p>You built a clean site, submitted a sitemap, maybe pinged IndexNow — and Google still shows nothing. Here&rsquo;s the part most guides skip: <strong>getting indexed by Google and getting indexed by everything else are two different problems</strong>, and conflating them wastes weeks. We separate what actually moves Google in 2026 from the folklore that just feels productive.</p>
<h2>Bing, Yandex and ChatGPT are the easy half</h2>
<p>If you&rsquo;ve set up <a href="https://www.indexnow.org/documentation" target="_blank" rel="noopener noreferrer">IndexNow</a>, you&rsquo;ve largely solved discovery for <strong>Bing, Yandex, Naver, Seznam and Yep</strong> — you POST your new/changed URLs to one endpoint and they get notified instantly. And because <strong>ChatGPT Search retrieves from Bing&rsquo;s index</strong>, confirmed Bing indexing effectively gates your visibility in ChatGPT&rsquo;s web results. That&rsquo;s a big chunk of the modern search surface handled with one integration.</p>
<p>The catch: <strong>Google does not use IndexNow.</strong> It has said so repeatedly. So every &ldquo;instant indexing&rdquo; claim that leans on IndexNow is talking about <em>Bing&rsquo;s</em> world, not Google&rsquo;s. For Google, you need different levers.</p>
<h2>What actually gets you into Google</h2>
<p>There are really only two fast paths, plus one slow one.</p>
<p><strong>1. Google Search Console — the only direct lever.</strong> Verify your domain (a private DNS TXT record; it does <strong>not</strong> trigger penalties or &ldquo;re-evaluation,&rdquo; a common fear), submit your <code>sitemap.xml</code>, then use <strong>URL Inspection → Request Indexing</strong> on your key pages. There&rsquo;s a soft daily cap (~10–12 URLs), so spread a new site&rsquo;s pages over a few days. GSC is also the only place you can see whether a domain carries an inherited problem — essential if you bought an aged or expired domain.</p>
<p><strong>2. Links on pages Google already re-crawls hourly.</strong> Googlebot&rsquo;s crawl budget for a brand-new, zero-authority domain is tiny. The fastest way to get a new URL <em>discovered</em> is a link to it from a page Google visits constantly — Reddit, Hacker News, Medium, established communities. These links are usually <code>nofollow</code>, but in 2026 <strong>nofollow is a hint, not a wall</strong> — it still seeds discovery. The rule: genuine participation only. One useful link in a relevant thread beats ten drops that get your account banned and stamp an unnatural-link footprint on your domain.</p>
<p><strong>3. Time plus a track record.</strong> Consistent, original, bylined publishing with clean technical signals is what graduates you from &ldquo;crawled occasionally&rdquo; to &ldquo;crawled and trusted.&rdquo; There&rsquo;s no button for this.</p>
<h2>The myths that waste your time</h2>
<ul>
<li><strong>&ldquo;Use the Google Indexing API.&rdquo;</strong> It&rsquo;s officially restricted to <code>JobPosting</code> and livestream <code>BroadcastEvent</code> structured data. Using it for articles is against Google&rsquo;s terms, unreliable, and risks losing API access. Ignore the blog posts recommending it.</li>
<li><strong>&ldquo;Ping Google with your sitemap URL.&rdquo;</strong> Google <a href="https://developers.google.com/search/blog/2023/06/sitemaps-lastmod-ping" target="_blank" rel="noopener noreferrer">deprecated the sitemap ping endpoint in 2023</a>. It does nothing now. Google schedules recrawls off your <code>&lt;lastmod&gt;</code> — so keep it <em>accurate</em> (only bump it on real content changes; inflating it on every page erodes the signal).</li>
<li><strong>&ldquo;Pay a Telegram indexing bot / a 300-site submission service.&rdquo;</strong> These are the exact spam footprints Google&rsquo;s 2024–2026 spam updates target. On an aged/expired domain you&rsquo;re <em>more</em> sensitive to this, not less. Net effect ranges from zero to a penalty.</li>
<li><strong>&ldquo;Apply to Google News for traffic.&rdquo;</strong> Google News is auto-discovery now — no application. A days-old site won&rsquo;t get Top Stories; that needs a publishing track record, clear bylines/datelines, and correct <code>NewsArticle</code> schema. Anyone selling &ldquo;instant approval&rdquo; is running a scam.</li>
</ul>
<h2>Don&rsquo;t forget the AI crawlers</h2>
<p>ChatGPT-Search (OAI-SearchBot), Perplexity and Google&rsquo;s AI systems matter now — and a crucial 2026 detail: <strong>most AI crawlers and Google News do not execute JavaScript.</strong> If your content is injected client-side, they see an empty shell. Ship server-rendered or static HTML, confirm it with <code>curl -A "OAI-SearchBot" &lt;url&gt;</code>, and make sure <code>robots.txt</code> doesn&rsquo;t accidentally block <code>OAI-SearchBot</code>, <code>Googlebot</code> or <code>PerplexityBot</code>. Structured data (<code>Organization</code>, <code>NewsArticle</code>, <code>FAQPage</code>, <code>Dataset</code>) and a clean entity footprint help these systems decide you&rsquo;re a real, citable source.</p>
<h2>A realistic checklist for a new site</h2>
<ol>
<li><strong>Server-render</strong> your content; verify with a bot user-agent. Non-negotiable.</li>
<li><strong>IndexNow</strong> on every publish → Bing/Yandex/ChatGPT-Search covered.</li>
<li><strong>GSC</strong>: verify, submit sitemap, Request Indexing on key URLs over a few days.</li>
<li><strong>Bing Webmaster</strong>: one-click import from GSC; confirms ChatGPT-Search eligibility.</li>
<li><strong>Earn a few links on fast-crawled, high-authority pages</strong> — genuinely.</li>
<li><strong>Internal linking + accurate lastmod + a frequently-updated homepage</strong> so what Google does crawl, it crawls efficiently.</li>
<li><strong>Publish consistently</strong> and wait. Authority is earned, not pinged.</li>
</ol>
<p>The honest summary: indexing isn&rsquo;t one switch. Bing-class engines you can notify instantly; Google you have to <em>earn</em> with verification, real links, clean signals and time. Anything promising to shortcut that last part is selling you the myth.</p>
<p><em>This is a practitioner&rsquo;s evidence-based guide, not a guarantee — search behavior changes. For our take on AI-search specifically, see our <a href="/ai-search-visibility-seo-geo-aeo-what-works/">AI-search visibility analysis</a>.</em></p>]]></content:encoded></item>
<item><title>How Stolen Crypto Gets Traced — and Why It Rarely Stays Hidden</title><link>https://mrtd.net/how-stolen-crypto-is-traced-and-recovered/</link><guid isPermaLink="true">https://mrtd.net/how-stolen-crypto-is-traced-and-recovered/</guid><pubDate>Sat, 20 Jun 2026 00:02:00 +0000</pubDate><category>Crypto Security</category><description><![CDATA[Public blockchains remember everything, so stolen funds leave a permanent trail. Here's how forensic firms follow the money, where mixers and bridges fall short, the choke points that enable freezes, and what actually gets recovered.]]></description><content:encoded><![CDATA[<h2>The counterintuitive truth about stolen crypto</h2>
<p>When a protocol gets drained, the instinct is to assume the money is gone — spirited into the anonymous ether. The opposite is usually true. Public blockchains record <strong>every transfer permanently and openly</strong>, so stolen funds leave an immutable, timestamped trail that anyone can follow in real time. Thieves can <em>move</em> the money almost instantly; what they struggle to do is <em>spend</em> it without revealing themselves. That gap — between moving and cashing out — is where nearly every recovery happens.</p>
<p>This is an evergreen companion to our <a href="/crypto-hack-tracker-2026/">Crypto Hack Tracker</a> and incident <a href="/category/crypto-security/">post-mortems</a>: not how thefts happen, but how the stolen funds get chased.</p>
<h2>Why crypto is traceable in the first place</h2>
<p>Three properties make blockchains hostile to launderers:</p>
<ul>
<li><strong>The ledger is public and permanent.</strong> Once funds move, the transaction is visible forever. There is no delete button.</li>
<li><strong>Wallets are pseudonymous, not anonymous.</strong> An address isn&rsquo;t a name — but the moment any address touches a service that knows its customer (an exchange, an off-ramp), its entire history becomes attributable.</li>
<li><strong>Address clustering.</strong> Analysts group wallets likely controlled by one actor using on-chain heuristics — funding sources, change-address patterns, repeated gas-payers, contract fingerprints — collapsing dozens of scattered addresses into a single traceable entity.</li>
</ul>
<h2>Who does the tracing</h2>
<p>A mature forensics industry now exists. Commercial analytics firms — <strong>Chainalysis</strong>, <strong>TRM Labs</strong>, <strong>Elliptic</strong>, and intelligence platforms like <strong>Arkham</strong> — map fund flows and label entities. TRM&rsquo;s <strong>Beacon Network</strong> (2025) gives investigators, exchanges and custodians a real-time channel to coordinate freezes. Security outfits like <strong>PeckShield</strong>, <strong>SlowMist</strong> and <strong>Lookonchain</strong> flag incidents within minutes and publish the fund movements, while independent investigators such as <strong>ZachXBT</strong> fuse on-chain tracing with old-fashioned OSINT. The speed of that public alerting is itself a weapon: the faster an address is labeled &ldquo;stolen,&rdquo; the harder it is to cash out.</p>
<h2>What thieves try — and why it usually isn&rsquo;t enough</h2>
<p>Launderers do have tools to break the trail. <strong>Mixers</strong> like Tornado Cash pool funds to sever the link between deposit and withdrawal. <strong>Cross-chain bridges</strong> and chain-hopping move value between blockchains to shake single-chain tools. <strong>Peel chains</strong> skim small amounts across thousands of hops. State-linked actors stretch laundering over weeks in sub-$500K tranches.</p>
<p>But each of these <em>obscures</em> rather than <em>erases</em>. Mixers leak signal through timing and amounts; bridges are increasingly mapped by cross-chain analytics; peel chains are pattern-recognizable; and all of it eventually has to converge on an exit. Tornado Cash itself shows the cat-and-mouse: OFAC-sanctioned in August 2022 (cited as laundering over $7B, including $455M+ for North Korea&rsquo;s Lazarus Group), then <a href="https://home.treasury.gov/news/press-releases/sb0057" target="_blank" rel="noopener noreferrer">delisted in March 2025</a> after a court ruled its immutable contracts aren&rsquo;t sanctionable property. The legal status changed; the traceability did not.</p>
<h2>The choke points</h2>
<p>Funds become catchable wherever crypto meets the regulated world:</p>
<ul>
<li><strong>Centralized exchanges + KYC</strong> — the decisive choke point. When laundered funds hit a compliant exchange, accounts get identified and balances frozen. This is the mechanism behind most seizures.</li>
<li><strong>Fiat off-ramps</strong> — converting to bank money requires KYC&rsquo;d intermediaries.</li>
<li><strong>Stablecoin freezes</strong> — issuers can freeze tokens on-chain. <strong>Tether</strong> says it has helped freeze billions in USDT across thousands of cases with law enforcement worldwide (a single August 2025 action froze ~$344M alongside OFAC); Circle can freeze USDC too, more conservatively.</li>
<li><strong>Law-enforcement coordination</strong> — the FBI, IRS-CI and partners act on the trail that analytics firms hand them, within a freeze window measured in hours.</li>
</ul>
<h2>It does work — the receipts</h2>
<ul>
<li><strong>Bitfinex (2016):</strong> US authorities <a href="https://www.justice.gov/usao-dc/pr/bitfinex-hacker-sentenced-money-laundering-conspiracy-involving-billions-stolen" target="_blank" rel="noopener noreferrer">seized 94,000+ BTC</a> in 2022 (then ~$3.6B); Ilya Lichtenstein was sentenced to 5 years in 2024.</li>
<li><strong>Poly Network (2021):</strong> ~$610M drained — and <a href="https://www.cnbc.com/2021/08/23/poly-network-hacker-returns-remaining-cryptocurrency.html" target="_blank" rel="noopener noreferrer">returned almost entirely</a> within days.</li>
<li><strong>Euler Finance (2023):</strong> ~$197M exploited; the attacker <a href="https://www.coindesk.com/business/2023/04/03/euler-says-all-recoverable-funds-stolen-in-200m-hack-have-been-returned" target="_blank" rel="noopener noreferrer">returned the recoverable funds</a>.</li>
<li><strong>Ronin / Axie Infinity (2022):</strong> ~$600M stolen by Lazarus; Chainalysis and US agencies <a href="https://www.chainalysis.com/blog/axie-infinity-ronin-bridge-dprk-hack-seizure/" target="_blank" rel="noopener noreferrer">clawed back ~$30M</a> — the first-ever seizure of crypto stolen by a North Korean group.</li>
</ul>
<h2>The hard reality</h2>
<p>Recovery is bimodal. When the attacker is cooperative or careless and the theft is reported fast, most funds can come back (Poly Network, Euler). Against professional or state actors, expect partial recovery at best. <a href="https://www.chainalysis.com/blog/crypto-hacking-stolen-funds-2026/" target="_blank" rel="noopener noreferrer">Chainalysis</a> put 2025 crypto theft above $3.4B, with North Korea&rsquo;s Lazarus alone responsible for roughly $2B — about three-quarters of service-compromise losses. Bybit&rsquo;s $1.5B 2025 loss was mostly laundered despite intense tracing. Tracing isn&rsquo;t magic; it&rsquo;s leverage.</p>
<h2>If you&rsquo;re hit: the playbook</h2>
<ol>
<li><strong>Move in hours, not days.</strong> The freeze window is tiny and closes as funds split and hop. Speed is the single biggest determinant of recovery.</li>
<li><strong>Notify exchanges and stablecoin issuers immediately</strong> with the attacker addresses — on-chain freezes can lock funds before cash-out.</li>
<li><strong>Engage analytics/IR firms</strong> (Chainalysis, TRM, Elliptic) and credible independent investigators to trace and publicly flag the flow.</li>
<li><strong>Report to law enforcement early</strong> — seizures legally require their involvement.</li>
<li><strong>Preserve evidence:</strong> transaction hashes, timestamps, the anchor attacker addresses, logs.</li>
<li><strong>Set expectations.</strong> Making stolen funds unspendable is a win even when full recovery isn&rsquo;t possible.</li>
</ol>
<p>The thief&rsquo;s problem is permanent: the blockchain remembers. For the defensive side of this coin, see <a href="/protect-your-crypto-lessons-from-the-hacks/">How to Actually Protect Your Crypto</a>.</p>
<p><em>Informational only — not financial, legal, or security advice.</em></p>]]></content:encoded></item>
<item><title>Weaponized DMCA: How Fake Copyright Strikes Bury Competitors in Google — and How to Fight Back</title><link>https://mrtd.net/weaponized-dmca-fake-takedowns-bury-competitors-seo/</link><guid isPermaLink="true">https://mrtd.net/weaponized-dmca-fake-takedowns-bury-competitors-seo/</guid><pubDate>Fri, 19 Jun 2026 00:05:00 +0000</pubDate><category>SEO &amp; Growth</category><description><![CDATA[A bogus DMCA notice can knock a rival off Google for days with no court and no evidence — as a 2026 case against Press Gazette showed. Here's how takedowns actually affect rankings, why the '18-month penalty' is a myth, and the counter-notice playbook for victims.]]></description><content:encoded><![CDATA[<h2>A takedown that proved the point</h2>
<p>In April 2026, someone filed a bogus copyright complaint to bury a <em>Press Gazette</em> investigation into Clickout Media — a firm reported to be buying up news brands, swapping staff for AI, and stuffing the sites with offshore-gambling affiliate links. The DMCA notice falsely claimed the original reporting had copied an unrelated article. Google removed the story from search before adjudicating anything; a <em>Search Engine Land</em> follow-up got delisted too. Both were reinstated about two weeks later after counter-notices, but the lesson landed: a single piece of paper can knock a competitor off Google for days, no court and no evidence required (<a href="https://www.techdirt.com/2026/04/09/someone-filed-a-bogus-dmca-notice-to-kill-a-story-about-a-sketchy-seo-firm-it-worked-briefly/" target="_blank" rel="noopener noreferrer">Techdirt</a>).</p>
<h2>How a DMCA notice actually hits your rankings</h2>
<p>There are two distinct mechanisms, and conflating them fuels a lot of bad SEO advice:</p>
<ul>
<li><strong>URL delisting.</strong> A single facially valid notice removes the specific URL(s) from Google Search. Google acts on the <em>paperwork</em>, not a ruling — verification effectively happens <em>after</em> removal. That ordering is exactly what makes the system abusable.</li>
<li><strong>Site-wide demotion.</strong> Since the 2012 &ldquo;Pirate Update,&rdquo; Google has used the <em>volume of valid removal notices</em> as a ranking signal: &ldquo;If we receive multiple valid removal notices for a site, the entire site may be downgraded in Search results&rdquo; (<a href="https://searchengineland.com/dmca-requests-now-used-in-googles-ranking-algorithm-130118" target="_blank" rel="noopener noreferrer">Search Engine Land</a>).</li>
</ul>
<p>If you&rsquo;re hit, it surfaces in <strong>Search Console</strong> as a &ldquo;Notice of DMCA removal&rdquo; — not a manual action, not a security issue, which is why owners often miss it.</p>
<h2>The &ldquo;18-month penalty&rdquo; is a myth</h2>
<p>A claim circulating in SEO circles says mass DMCA complaints trigger a fixed ~18-month algorithmic filter. We could find <strong>no evidence</strong> for it — not from Google, Search Engine Land, TorrentFreak, or court filings. Google&rsquo;s own description is the opposite of a fixed sentence: the copyright demotion is a <em>periodically re-checked, decaying signal</em> that eases as a site&rsquo;s valid-notice volume falls. There&rsquo;s no published clock. Treat &ldquo;18 months&rdquo; as folklore, not a mechanism.</p>
<h2>Why it&rsquo;s abused — and what it costs the abuser</h2>
<p>Because removal precedes verification, &ldquo;spray a pile of notices&rdquo; is a real tactic, not a hypothetical: TorrentFreak has documented mass <em>bogus</em> notices impersonating well-known brands to knock out legitimate tools. There&rsquo;s also a murkier &ldquo;takedown-as-a-service&rdquo; market — though the specific pricing and volume figures floating around trace to single trade-press sources and should be taken as illustrative, not gospel.</p>
<p>Filing a knowingly false notice is not free of risk. Under <strong>17 U.S.C. §512(f)</strong>, anyone who <em>knowingly misrepresents</em> that material is infringing is liable for damages and attorneys&rsquo; fees. Courts have enforced it — <em>Online Policy Group v. Diebold</em> (2004) cost Diebold <strong>$125,000</strong>, and <em>Automattic v. Steiner</em> (2014) produced a <strong>~$25,000</strong> judgment for a fraudulent takedown. The catch: §512(f) wins are rare. Courts require <em>subjective</em> bad faith (<em>Rossi</em>, <em>Lenz</em>), so honest-mistake filers usually walk. It&rsquo;s a real deterrent, but a limited one.</p>
<h2>If you&rsquo;re hit: the defense playbook</h2>
<ol>
<li><strong>Catch it early.</strong> Watch Search Console for &ldquo;Notice of DMCA removal,&rdquo; set alerts on sudden traffic/ranking drops, and search the <strong>Lumen Database</strong> (Harvard) — where Google deposits notices — for the complaint text and the (often anonymous or foreign) filer.</li>
<li><strong>File a counter-notification</strong> via Google&rsquo;s official form, asserting a good-faith belief the removal was mistaken. If no lawsuit follows, content is typically reinstated in <strong>~10–14 business days</strong>.</li>
<li><strong>Document everything</strong>: authorship and publication proof (drafts, originals, archive.org captures), the Lumen copy of the notice, and your traffic/ranking loss.</li>
<li><strong>Escalate</strong> to your host, registrar, and Google with proof of original authorship — Google can and does decline clearly non-infringing URLs.</li>
<li><strong>Weigh §512(f)</strong> action or a demand letter where bad faith is provable.</li>
<li><strong>Go public.</strong> Reporting egregious abuse to outlets like TorrentFreak, Techdirt or the EFF has reversed bogus takedowns through pressure alone.</li>
</ol>
<h2>The takeaway</h2>
<p>Weaponized DMCA works because of a structural choice — remove first, verify later — not because of a secret penalty timer. Knowing the real mechanics (URL delisting vs. demotion signal), ignoring the folklore, and having a counter-notice + documentation drill ready is the difference between a two-week dip and a permanent one. Monitor Lumen, watch Search Console, and keep your authorship trail.</p>
<p><em>Informational only — not legal advice. Consult a qualified attorney for your situation.</em></p>]]></content:encoded></item>
<item><title>UXLINK Exploiter Routes 8,340 ETH Through Tornado Cash as $44M Haul Is Laundered</title><link>https://mrtd.net/uxlink-exploiter-launders-8340-eth-tornado-cash/</link><guid isPermaLink="true">https://mrtd.net/uxlink-exploiter-launders-8340-eth-tornado-cash/</guid><pubDate>Fri, 19 Jun 2026 00:00:00 +0000</pubDate><category>Crypto Security</category><description><![CDATA[On-chain trackers say the UXLINK attacker swapped ~14.6M DAI for 8,298 ETH and funneled 8,340 ETH into Tornado Cash on June 17, 2026 — while ~$10.5M in stolen DAI still sits in the open. A look at the fund flows and why the mixer is back in play.]]></description><content:encoded><![CDATA[<h2>What&rsquo;s happening now</h2>
<p>The wallet attributed to the <strong>UXLINK exploiter</strong> has resumed moving its haul. On <strong>June 17, 2026</strong>, the address swapped roughly <strong>14.6 million DAI for about 8,298.6 ETH</strong>, then deposited <strong>8,340 ETH into Tornado Cash</strong>, according to on-chain alerts from <a href="https://www.cryptotimes.io/2026/06/18/uxlink-exploiter-moves-8340-eth-then-sends-it-to-tornado-cash/" target="_blank" rel="noopener noreferrer">PeckShield</a> and corroborating reporting from <a href="https://www.cryptotimes.io/2026/06/18/uxlink-exploiter-moves-8340-eth-then-sends-it-to-tornado-cash/" target="_blank" rel="noopener noreferrer">The Crypto Times</a> and <a href="https://fxdailyreport.com/uxlink-faces-exploit-attacker-launders-8340-eth/" target="_blank" rel="noopener noreferrer">FX Daily Report</a>.</p>
<p>The Tornado Cash deposits were broken into <strong>uneven tranches</strong> — amounts like 100 ETH, 10 ETH and 2.6458848 ETH — a routine obfuscation pattern meant to frustrate clustering. The same wallet also <strong>bridged about 2.64 ETH (~$4,600) from Ethereum to a Bitcoin address</strong>. Even after this round, blockchain trackers say the wallet <strong>still holds roughly 10.54 million DAI</strong> that has not moved — a large, fully traceable balance sitting in the open.</p>
<h2>Background, in brief</h2>
<p>UXLINK, a Web3 social protocol, disclosed a security breach on <strong>September 22, 2025</strong>, tied to a compromise of its administrative multisig. Headline loss estimates have clustered around <strong>$44 million</strong>, though component figures vary across outlets and were never fully reconciled. Early attribution and forensic tracking came from <a href="https://crypto.news/uxlink-hack-token-swap-plans-advance-as-protocol-prepares-compensation/" target="_blank" rel="noopener noreferrer">SlowMist</a> and PeckShield. This article does <strong>not</strong> detail how the breach was carried out; our focus is the public, on-chain movement of the already-stolen funds.</p>
<h2>The Tornado Cash factor</h2>
<p>Why route through Tornado Cash now? Because the legal calculus changed. OFAC <strong>delisted Tornado Cash from the SDN list on March 21, 2025</strong>, following the Fifth Circuit&rsquo;s <em>Van Loon v. Treasury</em> ruling that its immutable smart contracts are not sanctionable &ldquo;property.&rdquo; In April 2025, a federal judge in the Western District of Texas issued a <strong>permanent injunction barring OFAC from re-sanctioning</strong> the protocol (<a href="https://www.coindesk.com/policy/2025/04/29/tornado-cash-can-t-be-sanctioned-again-texas-judge-rules" target="_blank" rel="noopener noreferrer">CoinDesk</a>).</p>
<p>That means simply <em>using</em> the mixer is no longer an OFAC violation per se — which is precisely why exploiters can now route funds through it with less friction. The caveats matter, though: <strong>laundering criminal proceeds remains illegal regardless</strong>, co-founder Roman Semenov is still individually SDN-listed, and developer Roman Storm&rsquo;s criminal case continued into 2026 (<a href="https://www.coindesk.com/business/2026/03/10/u-s-requests-october-retrial-for-tornado-cash-developer-roman-storm" target="_blank" rel="noopener noreferrer">CoinDesk</a>). Delisting the tool did not decriminalize what it&rsquo;s being used for.</p>
<h2>A months-long laundering pattern</h2>
<p>This is not a one-off. Trackers have watched the same wallet <strong>alternate between ETH and stablecoins for months</strong>. Back around <strong>March 20, 2026</strong>, it ran the opposite leg — swapping <strong>5,496 ETH for roughly 11 million DAI</strong>, with Lookonchain estimating about <strong>$935,000 in trading profit</strong> on that move alone (<a href="https://www.cryptotimes.io/2026/03/20/uxlink-hacker-converts-5496-eth-to-11m-dai-after-44m-breach/" target="_blank" rel="noopener noreferrer">The Crypto Times</a>). The pattern — park value in DAI when ETH looks rich, rotate back to ETH before mixing — suggests an actor managing the haul actively rather than dumping it.</p>
<h2>What UXLINK has done</h2>
<p>In the aftermath, UXLINK <strong>coordinated with centralized exchanges and law enforcement</strong> across Singapore, South Korea and Japan to flag and freeze suspicious transfers, recovering a portion of the assets. The project ran a two-phase <strong>user-compensation plan</strong> and executed a first token buyback in October 2025 using recovered funds. There is <strong>no reported freeze or seizure</strong> of the specific ETH now headed into Tornado Cash, and no public negotiation with the attacker.</p>
<h2>The takeaway</h2>
<p>Two lessons stand out. For projects: an <strong>admin multisig is critical infrastructure</strong> — signer hygiene, hardware isolation and spending limits are not optional once a treasury or mint authority is attached. For the ecosystem: <strong>tracing still works</strong>. The funds are labeled, followed and reported in near real time; ~$10.5M of the haul remains frozen in place by visibility alone. What the mixer delisting changed is the <em>exit</em> — the off-ramp is now legally cleaner, which shifts more of the deterrence burden onto exchanges and on-chain analytics rather than sanctions designations.</p>
<p>See this incident alongside other 2026 exploits in our <a href="/crypto-hack-tracker-2026/">Crypto Hack Tracker</a>.</p>
<p><em>Informational only — not financial or security advice. Figures are based on third-party on-chain analytics and may be revised.</em></p>]]></content:encoded></item>
<item><title>How to Actually Protect Your Crypto: 9 Lessons From the Hacks We Cover</title><link>https://mrtd.net/protect-your-crypto-lessons-from-the-hacks/</link><guid isPermaLink="true">https://mrtd.net/protect-your-crypto-lessons-from-the-hacks/</guid><pubDate>Thu, 18 Jun 2026 10:45:00 +0000</pubDate><category>Crypto Security</category><description><![CDATA[Most crypto losses aren't exotic — they repeat the same handful of failure modes we see in every post-mortem: blind approvals, dust left in dead protocols, registrar and phishing weak points, and chasing thin-liquidity tokens. Here is a practical, no-hype defense checklist drawn directly from the incidents we've reported.]]></description><content:encoded><![CDATA[<p>We cover crypto-security incidents every week, and after enough post-mortems a pattern emerges: the losses are rarely exotic. The same handful of mistakes show up again and again. Here is a practical defense checklist drawn straight from the cases we&rsquo;ve reported — no hype, just what actually moves the needle.</p>
<h2>1. Treat your seed phrase as the whole game</h2>
<p>A hardware wallet never asks for your seed phrase on a website. The biggest retail losses start with a phished seed or a fake &ldquo;wallet validation&rdquo; page. If anything — an app, a support agent, a pop-up — asks you to type your 12/24 words, it is a scam. Store the phrase offline, never as a photo or cloud note.</p>
<h2>2. Audit your token approvals</h2>
<p>Many drains don&rsquo;t steal your keys — they abuse an <strong>approval</strong> (allowance) you granted a contract long ago. A buggy or abandoned contract you once approved is a standing door into your wallet. Periodically review and revoke allowances (tools like revoke.cash make this easy), especially for routers and bridges you no longer use.</p>
<h2>3. &ldquo;Deprecated&rdquo; is not &ldquo;safe&rdquo; — withdraw from dead protocols</h2>
<p>The <a href="/aztec-connect-deprecated-router-2-19m-drain/">Aztec Connect drain of ~$2.19M</a> happened three years after the product shut down, because the immutable contract still held residual funds with no team to pause it. Treat any shutdown announcement as a deadline: withdraw your balance and revoke approvals before you forget.</p>
<h2>4. Be paranoid around security disclosures and &ldquo;urgent updates&rdquo;</h2>
<p>Scammers ride the news cycle. After any legitimate disclosure, expect fake &ldquo;firmware update&rdquo; or &ldquo;migrate your funds now&rdquo; messages. Update wallet firmware only inside the official app, bookmark official sites, and distrust urgency.</p>
<h2>5. Avoid thin-liquidity tokens</h2>
<p>Most retail blow-ups happen in low-liquidity altcoins and freshly minted &ldquo;mining&rdquo; tokens that are trivial to manipulate. There&rsquo;s a reason <a href="/russia-retail-crypto-allowlist-btc-eth-usdt-july-2026/">Russia&rsquo;s regulator restricted retail investors to just BTC, ETH and USDT</a> — depth is protection. The deeper and more boring the market, the harder you are to rug.</p>
<h2>6. Assume romance/investment &ldquo;opportunities&rdquo; are scams</h2>
<p>The industrial &ldquo;pig-butchering&rdquo; networks behind the <a href="/us-15b-bitcoin-seizure-prince-group-reserve-vs-victims/">largest-ever $15B bitcoin seizure</a> and the <a href="/disruption-week-14m-scam-accounts-3m-frozen/">Disruption Week takedown</a> all run the same playbook: a friendly stranger, a slow build, a fake platform showing fake gains. If someone you met online is guiding your crypto investing, you are the target.</p>
<h2>7. Lock down your accounts AND your registrar</h2>
<p>Account security isn&rsquo;t just 2FA. The <a href="/godaddy-transferred-27-year-domain-to-stranger-2fa-lock/">GoDaddy case</a> showed a domain moving despite 2FA and a transfer lock — because the registrar&rsquo;s support desk operated above the customer&rsquo;s settings. For anything critical (exchange logins, your domain, email), use phishing-resistant 2FA (a passkey or hardware key, not SMS) and a registry-level lock on key domains.</p>
<h2>8. The money rarely comes back — prevention is the whole strategy</h2>
<p>Across enforcement actions, recovered funds are a tiny fraction of what&rsquo;s stolen; mixers and cross-chain bridges move proceeds faster than freezes land. Don&rsquo;t rely on getting hacked funds back. The defense is not falling for it in the first place.</p>
<h2>9. Verify before you trust a &ldquo;no admin keys&rdquo; claim</h2>
<p>&ldquo;Fully decentralized, no admin keys&rdquo; is marketed as safety, but it can also mean <em>no one can stop an exploit either.</em> Immutability cuts both ways. For any protocol holding your funds, look for real audits, a live bug bounty, and a track record — not just a slogan.</p>
<p>None of this is complicated, and that&rsquo;s the point. The exotic-sounding hacks we write up almost always reduce to one of these nine failures. Get them right and you&rsquo;ve eliminated the vast majority of how people actually lose crypto.</p>
<p><em>We turn every incident into lessons like these. Follow <a href="https://t.me/mrtdnet" target="_blank" rel="noopener noreferrer">@mrtdnet</a> on Telegram for the next one.</em></p>]]></content:encoded></item>
<item><title>Russia Will Let Retail Investors Hold Just 3 Cryptos — BTC, ETH, USDT — From July 2026</title><link>https://mrtd.net/russia-retail-crypto-allowlist-btc-eth-usdt-july-2026/</link><guid isPermaLink="true">https://mrtd.net/russia-retail-crypto-allowlist-btc-eth-usdt-july-2026/</guid><pubDate>Thu, 18 Jun 2026 06:40:00 +0000</pubDate><category>Crypto Security</category><description><![CDATA[From July 1, 2026, Russia's central bank will restrict non-qualified retail investors to just three digital assets — Bitcoin, Ethereum and USDT — with a ~$4,000 annual cap and mandatory risk testing. Everything else, including XRP and Solana, requires 'professional investor' status. It's an allowlist model for retail crypto, and other regulators are watching.]]></description><content:encoded><![CDATA[<p>Russia is about to do something most crypto-friendly framings avoid saying out loud: tell ordinary investors exactly which coins they are allowed to own. From <strong>July 1, 2026</strong>, non-qualified retail investors in Russia will be permitted to trade just <strong>three digital assets — Bitcoin, Ethereum, and USDT</strong> — under the country&rsquo;s incoming &ldquo;On Digital Currency and Digital Rights&rdquo; law. First Deputy Governor <strong>Vladimir Chistyukhin</strong> laid out the framework in early June and pointedly tamped down hopes of near-term additions.</p>
<h2>What the rules actually say</h2>
<p>Three constraints define the retail regime, per <a href="https://cryptobriefing.com/russia-central-bank-restricts-retail-crypto/" target="_blank" rel="noopener noreferrer">reporting from Crypto Briefing</a> and others:</p>
<ul>
<li><strong>A three-asset allowlist.</strong> Bitcoin, Ethereum and USDT are in. Everything else — Solana, <strong>XRP</strong>, Cardano, the long tail — is <strong>off-limits</strong> to ordinary investors unless they qualify as &ldquo;professional.&rdquo;</li>
<li><strong>A hard spending cap.</strong> Retail buyers face an annual limit of about <strong>300,000 rubles (~$4,000)</strong> on crypto bought through brokers.</li>
<li><strong>Mandatory risk testing.</strong> All investors, qualified or not, must pass a risk-awareness test before trading.</li>
</ul>
<p>This is not a ban — Russia is building a regulated on-ramp — but it is a tightly fenced one.</p>
<h2>In, out, and the &ldquo;professional&rdquo; escape hatch</h2>
<p>The split is stark. Out of the <strong>10,000-plus</strong> tokens that trade somewhere on the market, Russia&rsquo;s retail allowlist is exactly <strong>three</strong> — about <strong>0.03%</strong> of available assets. Yet those three carry the overwhelming majority of real liquidity: Bitcoin and Ethereum together account for roughly <strong>two-thirds of total crypto market capitalization</strong>, and USDT is the stablecoin that settles the bulk of global crypto trading pairs.</p>
<p>The notable omission is <strong>XRP</strong> — despite its large market cap and active community, it did not make the cut, a reminder that &ldquo;big&rdquo; and &ldquo;liquid/regulator-approved&rdquo; are not the same thing. Anything beyond the three requires clearing the <strong>professional-investor</strong> bar, which is precisely the gate that keeps the retail majority inside the fence.</p>
<h2>The logic, and the signal</h2>
<p>The central bank&rsquo;s stated rationale is <strong>liquidity and risk</strong>: restrict newcomers to the deepest, hardest-to-manipulate markets, cap their exposure, and make them acknowledge the risk in writing. Whatever one thinks of the paternalism, the mechanism is coherent — thin-liquidity altcoins are where retail investors get hurt most.</p>
<p>The more interesting question is whether this becomes a <strong>template</strong>. Russia is effectively treating retail crypto like a regulated securities product: an approved-instrument list, position caps, and suitability testing. That is a very different model from the US &ldquo;regulation by enforcement&rdquo; approach or the EU&rsquo;s MiCA licensing regime. An explicit, short <strong>allowlist</strong> is simple to administer and easy for other risk-averse regulators to copy — and it quietly concentrates legitimacy in BTC, ETH, and the dominant stablecoin while sidelining everything else.</p>
<h2>Bottom line</h2>
<p>For Russian retail, the practical effect from July 2026 is narrow: three coins, a ~$4,000 yearly cap, and a test. For the wider market, the signal is bigger. When a G20 central bank writes down a three-name allowlist, it is making a statement about which crypto assets it considers real enough to let citizens touch — and which it does not. Expect the &ldquo;approved list&rdquo; model to come up elsewhere.</p>
<p><em>We track crypto policy alongside the hacks. Have detail on the final rule text? Reach us via <a href="https://t.me/mrtdnet" target="_blank" rel="noopener noreferrer">@mrtdnet</a> on Telegram.</em></p>]]></content:encoded></item>
<item><title>llms.txt Reality Check: ~10% of Sites Have It, AI Search Engines Almost Never Read It</title><link>https://mrtd.net/llms-txt-reality-check-adoption-vs-actual-use/</link><guid isPermaLink="true">https://mrtd.net/llms-txt-reality-check-adoption-vs-actual-use/</guid><pubDate>Thu, 18 Jun 2026 01:40:00 +0000</pubDate><category>SEO &amp; Growth</category><description><![CDATA[llms.txt — a proposed markdown 'map' for language models — now sits on roughly one in ten sites. But in 90 days of 500M+ AI-bot visits, only a few hundred fetched it, and Google has explicitly said it doesn't use it. Here's the honest split: near-zero value for AI search, real value for developer tooling.]]></description><content:encoded><![CDATA[<p>If you run a site, you have probably been told to add an <strong>llms.txt</strong> file — a plain-text, Markdown &ldquo;map&rdquo; that tells large language models which pages matter and how your content is structured. The pitch is tidy: help the AIs understand you, and get cited more. After eighteen months of that pitch, the data is in, and it is unkind. For <strong>AI search</strong>, llms.txt does close to nothing. For <strong>developer tooling</strong>, it quietly does something real. Knowing the difference saves you time.</p>
<h2>What it is supposed to do</h2>
<p>Proposed in 2024 (by Answer.AI&rsquo;s Jeremy Howard), llms.txt lives at your domain root, like robots.txt, but aimed at language models: a curated, Markdown index of your key URLs and summaries so a model doesn&rsquo;t have to wade through your HTML and navigation. Reasonable idea. The question was always whether anyone on the <em>consuming</em> side would actually use it.</p>
<h2>The adoption numbers tell the story</h2>
<p>Two figures, side by side, settle most of the debate:</p>
<ul>
<li><strong>Adoption is real-ish.</strong> An SE Ranking study of <strong>300,000 domains</strong> found a <strong>10.13%</strong> adoption rate — roughly <strong>one in ten</strong> sites now ship an llms.txt.</li>
<li><strong>Usage is not.</strong> In one analysis of <strong>over 500 million AI-bot visits across 90 days</strong>, only <strong>408</strong> requests targeted llms.txt directly. That is on the order of <strong>eight ten-thousandths of one percent</strong> of AI-crawler traffic — statistically zero. GPTBot, ClaudeBot, PerplexityBot, OAI-SearchBot and Google-Extended overwhelmingly skip the file and crawl your HTML like always.</li>
</ul>
<p>One in ten sites publish it; about one in a million bot visits read it. That gap is the whole point.</p>
<h2>Google — and everyone else — said no</h2>
<p>This is not ambiguity. In <strong>July 2025</strong>, Google&rsquo;s Gary Illyes said Google does not support llms.txt and has no plans to; John Mueller publicly <strong>compared it to the long-discredited keywords meta tag</strong> (<a href="https://www.seroundtable.com/google-does-not-endorse-llms-txt-40789.html" target="_blank" rel="noopener noreferrer">Search Engine Roundtable</a>). Google noted that the file only <em>appeared</em> to be supported because an internal CMS had added it and some teams never removed it. As of mid-2026, having an llms.txt <strong>does not measurably improve your odds of being cited</strong> by ChatGPT, Claude, Gemini, or Perplexity in their answer surfaces. There is no standard, no enforcement, and no adoption from OpenAI, Google, Anthropic, Meta, or Mistral on the search side.</p>
<h2>Where it actually helps: developer tooling</h2>
<p>Here is the nuance the &ldquo;it&rsquo;s dead&rdquo; takes miss. <strong>Agentic developer tools do fetch it.</strong> Cursor, Claude Code, GitHub Copilot, Windsurf, MCP servers, and a growing set of in-product AI assistants pull llms.txt to orient themselves in a codebase or a documentation site. If you run <strong>docs, an API, or a developer product</strong>, an llms.txt (and an <code>llms-full.txt</code>) genuinely helps coding agents and doc assistants use you correctly. That is a real, narrow, non-SEO benefit.</p>
<h2>Our take</h2>
<p>Full disclosure: <strong>we publish one at <a href="https://mrtd.net/llms.txt">mrtd.net/llms.txt</a>.</strong> We keep it because it is cheap, it is honest documentation of our structure, and the developer-tooling use is legitimate — <em>not</em> because we expect it to win us AI citations. If your goal is to be cited by AI search, your time is far better spent on the things that demonstrably move the needle: clean, extractable HTML; clear structured data; verifiable facts with sources; and being a primary reference others link to.</p>
<p><strong>Bottom line:</strong> llms.txt is not a scam and not a ranking hack. It is useful documentation for agents and a no-op for AI search. Ship one if you serve developers; don&rsquo;t expect it to do anything for your citations.</p>
<p><em>We cover SEO and GEO with sources and skepticism. Disagree, or have fresher data? Reach us via <a href="https://t.me/mrtdnet" target="_blank" rel="noopener noreferrer">@mrtdnet</a> on Telegram.</em></p>]]></content:encoded></item>
<item><title>GoDaddy Handed a 27-Year-Old Domain to a Stranger — Despite 2FA and a Domain Lock</title><link>https://mrtd.net/godaddy-transferred-27-year-domain-to-stranger-2fa-lock/</link><guid isPermaLink="true">https://mrtd.net/godaddy-transferred-27-year-domain-to-stranger-2fa-lock/</guid><pubDate>Thu, 18 Jun 2026 01:10:00 +0000</pubDate><category>Cyber &amp; Tech</category><description><![CDATA[A nonprofit's 27-year-old domain was moved into a stranger's account in minutes, with the DNS wiped — even though the account had dual two-factor auth and ownership protection turned on. The transfer didn't break the security; it bypassed it entirely, through GoDaddy's own support desk. That's the threat model everyone forgets.]]></description><content:encoded><![CDATA[<p>Domain security advice usually stops at &ldquo;turn on two-factor authentication and a transfer lock.&rdquo; A recent GoDaddy incident is a blunt reminder that those controls protect you from <em>outsiders</em> — and do nothing about the one party that can move your domain with a few clicks: <strong>the registrar itself.</strong></p>
<h2>What happened</h2>
<p>As <a href="https://www.theregister.com/2026/04/29/godaddy_megagaffe_wrongly_transferred_27yearold/" target="_blank" rel="noopener noreferrer">reported by The Register</a> and others, a Lancaster, PA nonprofit&rsquo;s main domain — in continuous use for <strong>27 years</strong> — was transferred out of its account and into a stranger&rsquo;s, roughly <strong>2,000 miles away</strong>, in a matter of minutes. By the early afternoon the domain sat in the wrong account and its <strong>DNS records were wiped</strong>, knocking the organization&rsquo;s website and email offline.</p>
<p>The cause was almost absurdly mundane. An executive assistant named Susan had asked GoDaddy support to help recover an <em>unrelated</em> domain. Her email signature happened to contain a <strong>subdomain</strong> of the nonprofit&rsquo;s address. A GoDaddy agent reportedly read the parent domain off that signature, decided it was the one she meant, and <strong>queued it for transfer to her account</strong> — no ownership check, no documentation. GoDaddy then &ldquo;considered the matter closed.&rdquo; The link Susan was later sent to upload supporting documents expired before she could even use it.</p>
<h2>The security that didn&rsquo;t matter</h2>
<p>Here is the part worth dwelling on. The victim&rsquo;s account was <strong>not</strong> poorly secured. It had <strong>dual two-factor authentication</strong> — both an email code and an authenticator-app code required to log in — <em>and</em> the domain had <strong>ownership/transfer protection enabled.</strong> Every control the security checklists tell you to turn on was on.</p>
<p>None of it mattered, because the transfer never went through the front door. It went through GoDaddy&rsquo;s <strong>internal support tooling</strong>, which operates above the customer&rsquo;s own security settings. 2FA stops someone from logging into your account. It does nothing when an agent moves your asset from the inside. The lesson is uncomfortable: for a domain, <strong>your registrar&rsquo;s support process is part of your attack surface</strong> — arguably the weakest part — and you don&rsquo;t control it.</p>
<h2>The recovery was the second disaster</h2>
<p>Getting it back was its own ordeal. The nonprofit&rsquo;s IT firm reportedly made <strong>32 calls</strong>, spent about <strong>9.6 hours on hold</strong>, and sent <strong>17 emails over four days</strong>, receiving a fresh case number each time and not a single callback. In the end, the <em>stranger</em> — Susan — had to call GoDaddy herself to reverse it. An accidental, unverified transfer took minutes to execute and days of escalation to undo.</p>
<h2>The real lesson: treat your domain as critical infrastructure</h2>
<p>A domain is not just a setting; it is the root of your website, your email, and often your identity and password resets. Protect it accordingly:</p>
<ul>
<li><strong>Set a Registry Lock, not just a registrar lock</strong>, for high-value domains. A true registry-level lock (EPP <code>serverTransferProhibited</code> / <code>serverUpdateProhibited</code>) requires out-of-band, multi-person authorization to change — it is designed precisely to stop a single support agent or a single compromised account from moving a domain.</li>
<li><strong>Use a registrar that matches the stakes.</strong> Budget registrars optimize for volume and fast support actions. Critical domains belong at registrars with strict, documented verification and enterprise/registry-lock options.</li>
<li><strong>Monitor your own DNS and WHOIS.</strong> Set alerts for nameserver, registrant, or DNS-record changes so an unauthorized move is caught in minutes, not when email stops.</li>
<li><strong>Have a written recovery runbook</strong> — registrar abuse/legal contacts, proof-of-ownership documents pre-assembled, and an escalation path — <em>before</em> you need it. The time to find the emergency contact is not during the outage.</li>
</ul>
<h2>Bottom line</h2>
<p>You can do everything right — 2FA, locks, a clean account — and still lose your domain to a tired support agent reading the wrong line of an email signature. The defenses that actually address that failure mode are <strong>registry locks</strong> and <strong>choosing a registrar whose process you trust</strong>, not another toggle inside an account that the registrar can reach around at will.</p>
<p><em>We cover the unglamorous infrastructure risks too. Have a registrar horror story or correction? Reach us via <a href="https://t.me/mrtdnet" target="_blank" rel="noopener noreferrer">@mrtdnet</a> on Telegram.</em></p>]]></content:encoded></item>
<item><title>Reddit Dominates AI-Search Citations — But 2025 Showed How Fast That Can Crater</title><link>https://mrtd.net/reddit-dominates-ai-search-citations-2025-volatility/</link><guid isPermaLink="true">https://mrtd.net/reddit-dominates-ai-search-citations-2025-volatility/</guid><pubDate>Thu, 18 Jun 2026 00:20:00 +0000</pubDate><category>SEO &amp; Growth</category><description><![CDATA[Reddit appears in roughly 93% of AI-search opportunities and is the single most-cited source for Google AI Overviews and Perplexity. Yet most of that influence is invisible to users, and in 2025 the numbers swung wildly — ChatGPT's Reddit citations fell from ~60% to ~10% in six weeks. Here is what site owners should actually take from it.]]></description><content:encoded><![CDATA[<p>If you optimize for the AI answer engines — ChatGPT, Perplexity, Google&rsquo;s AI Overviews — you have heard the advice: <em>get on Reddit.</em> The data behind that advice is real, but it is also more fragile than the headline suggests. Reddit&rsquo;s grip on AI citations is enormous, largely invisible, and — as 2025 proved — alarmingly unstable.</p>
<h2>Reddit really is everywhere in AI answers</h2>
<p>The dominance is not a vibe. Across recent studies, Reddit shows up in roughly <strong>93% of AI-search opportunities</strong>, with on the order of <strong>23.6 million pages</strong> cited in AI responses (<a href="https://ziptie.dev/blog/why-reddit-dominates-chatgpt-perplexity-and-google-ai-overviews/" target="_blank" rel="noopener noreferrer">ZipTie</a>). It is the single most-cited source for both <strong>Google AI Overviews (~2.2%)</strong> and <strong>Perplexity (~6.6%)</strong> of all citations. The structural reasons are obvious: public indexing, a Google content-licensing deal, mature moderation, and thousands of specialized subreddits that read like exactly the long-tail Q&amp;A these models crave.</p>
<h2>&hellip;but most of that influence is invisible</h2>
<p>Here is the twist operators miss. On ChatGPT, Reddit reportedly occupies about <strong>27% of search slots</strong> — the pages the model <em>reads</em> — yet appears in only about <strong>0.35% of the citations actually shown to users</strong> (<a href="https://discoveredlabs.com/research/reddit-chatgpt-influence-2025" target="_blank" rel="noopener noreferrer">Discovered Labs</a>). Do the division: visible citations are roughly <strong>1.3% of the underlying usage</strong>, meaning something like <strong>98–99% of Reddit&rsquo;s influence never surfaces as a clickable link.</strong> Reddit is shaping the <em>answer</em> far more than it is sending you the <em>referral.</em> For comparison, Google surfaces Reddit to users about <strong>6x more often</strong> (≈2.11%) than ChatGPT does.</p>
<p>That gap matters: a platform can be the backbone of an AI&rsquo;s answer while sending almost no measurable traffic. Optimizing for &ldquo;citations you can see&rdquo; badly understates — and misreads — what is actually driving the model.</p>
<h2>Then 2025 happened</h2>
<p>The case against betting everything on one platform is the volatility itself. By the accounts compiled above, ChatGPT cited Reddit in close to <strong>60% of prompt responses in early August 2025</strong>, then <strong>collapsed to around 10% by mid-September</strong> — roughly an <strong>83% drop in six weeks</strong>, with no public explanation. Separately, after Reddit <strong>sued Perplexity over scraping in October 2025</strong>, Perplexity&rsquo;s Reddit citations reportedly fell about <strong>86%</strong>, with YouTube partially filling the gap.</p>
<p>Two of the biggest answer engines, two double-digit-to-single-digit collapses, in one quarter. Whatever the causes — model updates, licensing friction, litigation — the lesson is that <strong>AI citation share is not a durable asset you own.</strong> It is rented, and the terms change without notice.</p>
<h2>What site owners should actually do</h2>
<ul>
<li><strong>Don&rsquo;t build your AI-visibility strategy on a single platform.</strong> Reddit&rsquo;s structural edge is real, but a strategy that depends on one source&rsquo;s citation rate is one model update away from a cliff.</li>
<li><strong>Be the primary source, not just a Reddit comment.</strong> The durable play is original, citable material on a domain you control — clear claims, verifiable numbers, named authorship — so that when an engine wants a fact, <em>you</em> are the canonical reference. (That is the entire thesis of GEO.)</li>
<li><strong>Measure usage, not just visible citations.</strong> If you only track the links users see, you will undervalue channels that the model reads but rarely surfaces — and over-rotate toward the wrong work.</li>
<li><strong>Diversify your footprint.</strong> Reddit, yes — but also Stack Exchange-style Q&amp;A, your own indexed content, and structured pages that are easy for a model to extract.</li>
</ul>
<h2>Bottom line</h2>
<p>Reddit dominates AI-search sourcing, and ignoring it would be a mistake. But 2025 showed that citation share is <strong>volatile, mostly invisible, and outside your control.</strong> Treat platforms as amplifiers, not foundations — and put the foundation on content you actually own.</p>
<p><em>We cover SEO and GEO with the same sourcing discipline we apply to crypto incidents. Questions or data to share? Reach us via <a href="https://t.me/mrtdnet" target="_blank" rel="noopener noreferrer">@mrtdnet</a> on Telegram.</em></p>]]></content:encoded></item>
<item><title>Meta Hid a Face-ID System in Its Smart-Glasses App, Then Deleted It a Day After WIRED Found It</title><link>https://mrtd.net/meta-nametag-hidden-face-recognition-smart-glasses-app/</link><guid isPermaLink="true">https://mrtd.net/meta-nametag-hidden-face-recognition-smart-glasses-app/</guid><pubDate>Wed, 17 Jun 2026 22:10:00 +0000</pubDate><category>Cyber &amp; Tech</category><description><![CDATA[Researchers found a dormant facial-recognition feature called 'NameTag' buried in Meta's AI companion app — face-matching, local databases, the works — shipped to an app with 50M+ installs. Meta removed it within about 24 hours of WIRED's report and insisted it was never enabled. Whether you believe that, 'built but switched off' is its own kind of warning.]]></description><content:encoded><![CDATA[<p>A privacy fight that played out in roughly <strong>24 hours</strong> says a lot about where always-on wearables are headed. On June 4, 2026, WIRED reported that Meta&rsquo;s AI companion app — the one that pairs with its Ray-Ban smart glasses — contained a <strong>hidden, dormant facial-recognition feature</strong> internally called <strong>&ldquo;NameTag.&rdquo;</strong> By June 5, Meta had stripped the code out. The speed of the deletion is the tell.</p>
<h2>What was actually in the app</h2>
<p>According to the reporting (<a href="https://www.eff.org/deeplinks/2026/06/victory-meta-strips-facial-recognition-code-smart-glasses-app-after-public-outcry" target="_blank" rel="noopener noreferrer">EFF</a>, <a href="https://thenextweb.com/news/meta-nametag-facial-recognition-smart-glasses-removed" target="_blank" rel="noopener noreferrer">The Next Web</a>, <a href="https://gizmodo.com/meta-removes-face-recognition-system-from-its-smart-glasses-is-mad-about-it-2000768975" target="_blank" rel="noopener noreferrer">Gizmodo</a>), researchers found more than a stray reference. NameTag reportedly included <strong>face-detection models, biometric matching tools, local databases, and alerting</strong> — the components of a working system to identify a person seen through the glasses in real time. Crucially, this code shipped inside an app that has been <strong>downloaded onto more than 50 million devices.</strong></p>
<p>Meta&rsquo;s defense, delivered loudly, is that the feature was <strong>never enabled</strong> and was &ldquo;exploratory.&rdquo; A company spokesman accused WIRED of burying that detail. Both things can be true at once: the feature was off, <em>and</em> it was built, packaged, and distributed at scale.</p>
<h2>Why &ldquo;dormant&rdquo; is not &ldquo;harmless&rdquo;</h2>
<p>The instinct to wave this away — &ldquo;it wasn&rsquo;t even turned on&rdquo; — misses how software risk works. A capability that is fully built and shipped is one configuration flag away from being live. The hard engineering — the models, the matching pipeline, the local store — is the part that takes months. Toggling it on is the easy part.</p>
<p>So the meaningful facts are: the system <strong>existed</strong>, it was <strong>complete enough to run</strong>, and it was <strong>inside 50 million installs</strong>. That it was disabled is a policy choice, and policy choices are reversible without warning. The 24-hour delete after public exposure underlines the point — this was governed by reputational pressure, not by a technical impossibility.</p>
<h2>The real problem: bystanders can&rsquo;t consent</h2>
<p>Set aside the corporate back-and-forth and the core issue is structural. Face-ID built into camera glasses breaks the one privacy principle that matters most in public space: <strong>consent</strong>. The wearer might agree to terms; the stranger on the sidewalk who gets silently identified, named, and looked up never did — and usually has no idea it happened. Privacy advocates have made this argument for years, and it is exactly why a <em>latent</em> NameTag alarmed people more than a clearly labeled feature would: covert identification removes the bystander&rsquo;s ability to even object.</p>
<p>This is not hypothetical. In 2024, students demonstrated that off-the-shelf Meta glasses plus public face-search tools could de-anonymize strangers in real time. NameTag would have folded that capability into the official app.</p>
<h2>Bottom line</h2>
<p>Meta deleted the code, and the EFF and others fairly called it a win — public scrutiny worked. But the durable lesson is not &ldquo;Meta backed down.&rdquo; It is that <strong>the surveillance capability is being quietly built into mainstream consumer hardware</strong>, switched off by policy rather than absent by design. For anyone thinking about privacy in public, the question is no longer whether the glasses <em>can</em> identify you — increasingly they can — but who gets to flip the switch, and whether you will ever be told when they do.</p>
<p><em>Covering privacy and surveillance tech — corrections or tips welcome via <a href="https://t.me/mrtdnet" target="_blank" rel="noopener noreferrer">@mrtdnet</a> on Telegram.</em></p>]]></content:encoded></item>
<item><title>&#x27;Disruption Week&#x27;: 1.4M Scam Accounts Killed, but Only ~$3.8M in Crypto Frozen</title><link>https://mrtd.net/disruption-week-14m-scam-accounts-3m-frozen/</link><guid isPermaLink="true">https://mrtd.net/disruption-week-14m-scam-accounts-3m-frozen/</guid><pubDate>Wed, 17 Jun 2026 21:10:00 +0000</pubDate><category>Crypto Security</category><description><![CDATA[A DOJ-led public-private operation disabled more than 1.4 million Southeast Asian scam accounts and made 63 arrests — yet froze under $4 million in crypto. The viral '$3 billion frozen' figure is wrong, and the real gap between accounts taken down and money recovered is the actual lesson.]]></description><content:encoded><![CDATA[<p>A coordinated international takedown of Southeast Asian &ldquo;scam center&rdquo; networks produced a striking set of numbers this week — and an even more striking mismatch between them. <strong>More than 1.4 million</strong> scam accounts, pages and groups were disabled and <strong>63 suspects</strong> were arrested, but the total cryptocurrency <strong>frozen was under $4 million</strong>. If you saw it shared as a &ldquo;$3 billion freeze,&rdquo; that figure is wrong — and the real numbers tell a more useful story.</p>
<h2>What actually happened</h2>
<p>The operation was part of the US Department of Justice&rsquo;s <strong>Scam Center Strike Force &ldquo;Disruption Week&rdquo;</strong> — a joint effort between law enforcement (the US, Australia, Canada, New Zealand, Thailand and the UK) and a roster of private companies including <a href="https://crypto.news/coinbase-freezes-3m-as-doj-hits-southeast-asia-scam-networks/" target="_blank" rel="noopener noreferrer">Coinbase</a>, Apple, Google, <a href="https://www.engadget.com/2186397/meta-took-down-over-a-million-scam-accounts-in-joint-operation-with-microsoft-spacex-and-doj/" target="_blank" rel="noopener noreferrer">Meta</a>, Microsoft, SpaceX, Silent Push, TRM Labs and Zenlayer. The targets were the industrialized <strong>&ldquo;pig-butchering&rdquo;</strong> operations — romance-and-investment scams, often run out of forced-labor compounds — that have become Southeast Asia&rsquo;s dominant cyber-fraud export.</p>
<p>The disclosed tallies:</p>
<ul>
<li><strong>Meta:</strong> disabled <strong>1.4 million+</strong> accounts, pages and groups.</li>
<li><strong>Microsoft:</strong> suspended about <strong>20,000</strong> accounts.</li>
<li><strong>Coinbase:</strong> froze <strong>just over $3 million</strong> in crypto; the operation-wide total frozen was about <strong>$3.8 million</strong>.</li>
<li><strong>Arrests:</strong> <strong>63</strong> suspects so far.</li>
</ul>
<h2>The number that got mangled</h2>
<p>It is worth correcting the record, because it illustrates how crypto news distorts. A widely shared claim put the freeze at &ldquo;<strong>$3 billion</strong>.&rdquo; The actual figure is roughly <strong>$3 million</strong> — a <strong>1,000x</strong> overstatement. We flag it not to nitpick but because the gap between the viral number and the real one is exactly the kind of error that shapes how people perceive crypto enforcement.</p>
<h2>Why so few dollars frozen?</h2>
<p>Here is the real lesson. <strong>1.4 million accounts disabled, $3.8 million frozen.</strong> Set those side by side and the asymmetry is the point. A few quick ratios make it concrete:</p>
<ul>
<li>That is roughly <strong>22,000 accounts disabled per arrest</strong> (1.4M ÷ 63) — confirmation that this kind of operation targets <em>infrastructure</em>, not individuals.</li>
<li>The FBI&rsquo;s IC3 has put annual losses from crypto-investment fraud in the <strong>billions</strong> of dollars (on the order of $5.8B in a recent year). Against that, <strong>$3.8 million frozen is about 0.07%</strong> — a rounding error.</li>
</ul>
<p>Why? Because once scam proceeds are converted and bridged across chains and through mixers, they move faster than freezes can land. Exchanges can only freeze what is still sitting in identifiable, custodial wallets when the order arrives. The real disruption here is <strong>operational</strong> — killing the advertising, hosting, messaging and recruitment surface that scam centers depend on — not asset recovery.</p>
<h2>What it means</h2>
<ul>
<li><strong>Account takedowns scale; freezes don&rsquo;t.</strong> Platforms can disable infrastructure by the million; clawing back funds is slow and rarely catches more than a sliver.</li>
<li><strong>Prevention beats recovery.</strong> For users, the takeaway is unchanged and unglamorous: the money is almost never coming back, so the defense is not falling for the romance-investment funnel in the first place.</li>
<li><strong>Read the numbers, not the headline.</strong> A &ldquo;$3 billion&rdquo; freeze and a &ldquo;$3 million&rdquo; freeze are different stories. The unsexy real figure — small dollars, enormous account counts — is the accurate picture of how this fight actually works.</li>
</ul>
<p><em>We verify figures against primary reporting before publishing. Spotted an error or have detail on this operation? Reach us via <a href="https://t.me/mrtdnet" target="_blank" rel="noopener noreferrer">@mrtdnet</a> on Telegram.</em></p>]]></content:encoded></item>
<item><title>Chrome Put a 4GB AI Model on Your Computer: What Gemini Nano Means for Privacy</title><link>https://mrtd.net/chrome-gemini-nano-4gb-on-device-ai-privacy/</link><guid isPermaLink="true">https://mrtd.net/chrome-gemini-nano-4gb-on-device-ai-privacy/</guid><pubDate>Wed, 17 Jun 2026 20:30:00 +0000</pubDate><category>Cyber &amp; Tech</category><description><![CDATA[Recent Chrome builds ship Gemini Nano — a ~4GB on-device AI model — downloaded in the background to power new built-in browser APIs. Running locally is a genuine privacy win, but a multi-gigabyte model installed without a clear prompt raises a fair consent question. Here is what is actually on your machine.]]></description><content:encoded><![CDATA[<p>If you run a recent version of Google Chrome on a desktop, there is a decent chance your browser has quietly downloaded a <strong>~4GB artificial-intelligence model</strong> in the background. It is called <strong>Gemini Nano</strong>, and it is the engine behind Chrome&rsquo;s new built-in AI features. The download is real — <a href="https://www.snopes.com/fact-check/google-chrome-ai-installed-computer/" target="_blank" rel="noopener noreferrer">Snopes verified it</a> — and it is worth understanding what it is, why it is mostly good, and where the legitimate concern lies.</p>
<h2>What is actually on your machine</h2>
<p>Gemini Nano is a compact, on-device language model that Chrome delivers through its component-updater system. The weights live in a file named <code>weights.bin</code>, inside a folder called <code>OptGuideOnDeviceModel</code>. You can check whether your browser has it — and its current size — by visiting <strong><code>chrome://on-device-internals</code></strong> in the address bar.</p>
<p>Per <a href="https://developer.chrome.com/docs/ai/prompt-api" target="_blank" rel="noopener noreferrer">Chrome&rsquo;s developer docs</a>, the model powers a family of JavaScript APIs that web pages and extensions can call directly: a general <strong>LanguageModel</strong> (the &ldquo;Prompt API&rdquo;), plus <strong>Summarizer, Translator, Writer, Rewriter and Proofreader</strong>. It runs on Chrome for Windows 10/11, macOS 13+, Linux and Chromebook Plus — not yet on Android, iOS, or ordinary ChromeOS devices. The full APIs remain in an experimental/early stage, with broad stable availability targeted for <strong>Chrome 145–150 (late 2026 into 2027)</strong>.</p>
<h2>On-device means private — that part is genuinely good</h2>
<p>The headline benefit is real: because the model runs <strong>locally</strong>, prompts and the text it processes do not have to be sent to a cloud server. For a browser that already sees a huge share of what people read and write, doing AI inference on the device — summarizing a page, translating text, proofreading a form — without shipping that content to Google&rsquo;s servers is a meaningful privacy improvement over cloud AI. No round-trip, no server-side log of the prompt.</p>
<h2>The fair concern: a 4GB install you didn&rsquo;t really approve</h2>
<p>The friction is consent and disk. <strong>Four gigabytes is not a rounding error.</strong> Consider the scale: Chrome holds roughly two-thirds of the global browser market (commonly cited around <strong>66–68%</strong>, on the order of billions of users). If the model reaches even <strong>500 million</strong> eligible desktops, that is about <strong>2 exabytes</strong> of identical model weights sitting on consumer drives; reach a billion devices and it is <strong>~4 exabytes</strong>. Most of those users never saw a clear &ldquo;we&rsquo;re about to download a 4GB AI model&rdquo; prompt — it arrived as a background component update.</p>
<p>There is also a quieter shift worth naming: every browser becomes an AI runtime that <strong>any website can invoke</strong>. That is powerful for developers, but it also means a new local capability surface that security and privacy reviewers will need to reason about — rate-limiting, abuse of the on-device model by hostile pages, and fingerprinting based on model availability or version.</p>
<h2>What to do about it</h2>
<ul>
<li><strong>Check what you have:</strong> open <code>chrome://on-device-internals</code> to see if the model is present and how much space it uses.</li>
<li><strong>Reclaim the space if you want:</strong> on metered or small-disk machines, you can manage Chrome&rsquo;s optimization-guide / on-device model components; the model re-downloads only if a feature needs it.</li>
<li><strong>Developers:</strong> treat the built-in APIs as progressive enhancement — feature-detect (<code>'LanguageModel' in self</code>), never assume availability, and don&rsquo;t send anything to a page&rsquo;s AI call you wouldn&rsquo;t want processed locally.</li>
</ul>
<h2>Bottom line</h2>
<p>Gemini Nano in Chrome is a real step toward <strong>private, local AI</strong> — and that is the right direction. The legitimate criticism is not the technology but the <strong>rollout</strong>: shipping a multi-gigabyte model to billions of machines deserves a clearer heads-up than a silent background update. Useful, mostly private, and a reminder that &ldquo;your browser&rdquo; now quietly includes an AI you didn&rsquo;t explicitly install.</p>
<p><em>Tracking on-device AI and browser privacy — questions or corrections welcome via <a href="https://t.me/mrtdnet" target="_blank" rel="noopener noreferrer">@mrtdnet</a> on Telegram.</em></p>]]></content:encoded></item>
<item><title>The $15B Question: What Happens to the 127,271 BTC the US Seized From a Scam Empire</title><link>https://mrtd.net/us-15b-bitcoin-seizure-prince-group-reserve-vs-victims/</link><guid isPermaLink="true">https://mrtd.net/us-15b-bitcoin-seizure-prince-group-reserve-vs-victims/</guid><pubDate>Wed, 17 Jun 2026 19:30:00 +0000</pubDate><category>Crypto Security</category><description><![CDATA[The US seized 127,271 bitcoin — about 0.64% of all the bitcoin ever mined — from Cambodia's Prince Group, the largest forfeiture in DOJ history. The coins sat untouched since 2020, yet were fully traced. Now the fight is over where $15 billion goes: a federal reserve, or the scam's victims.]]></description><content:encoded><![CDATA[<p>The largest cryptocurrency forfeiture in history is no longer about catching the scammer. It is about what happens to the money.</p>
<p>In October 2025, US prosecutors filed a civil forfeiture complaint for <strong>127,271 bitcoin</strong> tied to <strong>Chen Zhi</strong>, the 38-year-old founder of Cambodia&rsquo;s <strong>Prince Holding Group</strong>, in what the Department of Justice called a <a href="https://www.justice.gov/opa/pr/chairman-prince-group-indicted-operating-cambodian-forced-labor-scam-compounds-engaged" target="_blank" rel="noopener noreferrer">record seizure</a>. At the bitcoin prices of the period — roughly $118,000 per coin — that hoard was worth about <strong>$15 billion</strong>. Eight months on, with the coins sitting in US government custody, a harder question has surfaced: do they go to a federal bitcoin reserve, or back to the people who were defrauded?</p>
<h2>A seizure with no real precedent</h2>
<p>The scale is hard to overstate. <strong>127,271 BTC is about 0.64% of the ~19.9 million bitcoin ever mined</strong> — roughly one in every 156 coins in existence, controlled by a single forfeiture. For comparison, the 2022 Bitfinex-linked seizure recovered about 94,000 BTC; this is <strong>roughly 35% larger</strong>. The Silk Road forfeitures totaled around 50,000 BTC — this is <strong>about 2.5 times</strong> that.</p>
<p>What makes it a landmark for investigators is not just the size but the <strong>traceability</strong>. According to reporting and blockchain-analytics firms such as <a href="https://www.trmlabs.com/resources/blog/operation-prince-inside-the-global-effort-that-led-to-the-largest-forfeiture-in-us-history" target="_blank" rel="noopener noreferrer">TRM Labs</a>, the coins had been <strong>largely dormant since December 2020</strong> — and were still followed, attributed, and ultimately frozen years later. That is the quiet lesson of the case: on a public ledger, sitting still is not the same as being safe. Five years of inactivity did not break the chain of evidence.</p>
<h2>&ldquo;Pig butchering&rdquo; at industrial scale</h2>
<p>The bitcoin came from one of Asia&rsquo;s largest scam operations. US and partner agencies allege Prince Group ran at least <strong>10 forced-labor compounds</strong> in Cambodia, where trafficked workers were coerced into running <strong>&ldquo;pig-butchering&rdquo;</strong> romance-investment scams — the long-con model where victims are befriended, slowly groomed, then drained on fake crypto platforms. The <a href="https://www.cnbc.com/2025/10/14/bitcoin-doj-chen-zhi-pig-butchering-scam.html" target="_blank" rel="noopener noreferrer">CNBC report</a> and others describe a vertically integrated fraud business, not a lone operator.</p>
<p>The enforcement response matched the scale. The US and UK coordinated sanctions against <strong>146 individuals and entities</strong> linked to the network — among the largest single actions ever aimed at crypto-enabled fraud.</p>
<h2>The $15 billion question</h2>
<p>Here is where it gets contentious, and where the story is still live. Forfeited criminal assets in the US have traditionally fed <strong>victim-compensation and restitution</strong> processes. But since 2025, the federal government has also maintained a <strong>Strategic Bitcoin Reserve</strong> that holds bitcoin obtained through forfeiture rather than selling it. Initial reports — including the early flag that surfaced this debate on crypto channels — describe <strong>victims pressing for restitution while the seized coins are folded into government holdings</strong>.</p>
<p>Both positions have a logic. A reserve argues the coins are a national asset that should not be dumped on the market; restitution argues the money was stolen from identifiable people and should return to them. The unresolved tension is the real news: a $15 billion pool of recovered crypto is now a test case for <strong>who has first claim on forfeited digital assets</strong> — the state, or the defrauded. We will track how the forfeiture and any restitution claims proceed.</p>
<h2>Why it matters beyond one case</h2>
<p>Three takeaways for anyone in this space:</p>
<ul>
<li><strong>Dormancy is not anonymity.</strong> Coins untouched for five years were still traced to a forfeiture. Analytics and patience beat &ldquo;let it cool off.&rdquo;</li>
<li><strong>Scam infrastructure is industrial.</strong> Pig-butchering is run from staffed compounds with trafficking and money-laundering pipelines, not isolated bad actors — which is why responses now involve sanctions on 100+ entities, not single arrests.</li>
<li><strong>Forfeiture policy is becoming crypto policy.</strong> When a single case holds 0.64% of mined supply, what a government <em>does</em> with seized coins — hold or return — is itself a market and a justice question.</li>
</ul>
<p><em>Following this case or have details on the restitution process? Reach the desk via <a href="https://t.me/mrtdnet" target="_blank" rel="noopener noreferrer">@mrtdnet</a> on Telegram.</em></p>]]></content:encoded></item>
<item><title>Signal Rejects the UK&#x27;s Device-Scanning Push, Reopening the E2EE Fight</title><link>https://mrtd.net/signal-uk-device-scanning-e2ee-fight/</link><guid isPermaLink="true">https://mrtd.net/signal-uk-device-scanning-e2ee-fight/</guid><pubDate>Wed, 17 Jun 2026 13:00:00 +0000</pubDate><category>Cyber &amp; Tech</category><description><![CDATA[Signal has again refused to comply with a reported UK plan to scan devices for illegal imagery, bundled with age verification. The objection is not about any single law — it is that client-side scanning is fundamentally incompatible with end-to-end encryption.]]></description><content:encoded><![CDATA[<p>Signal has once again drawn a hard line. According to <a href="https://t.me/okaylmao/1488" target="_blank" rel="noopener noreferrer">initial reports</a>, the messaging app is refusing to comply with a UK proposal that would require devices sold or used in the country to scan for illegal imagery, packaged alongside mandatory age verification. Signal&rsquo;s position is the same one its president, Meredith Whittaker, has stated for years: if a jurisdiction forces it to break end-to-end encryption, it will leave that market rather than ship a weakened product to everyone else.</p>
<p>This is not really a story about one bill. It is the latest round of a fight that has run through the UK&rsquo;s Online Safety Act and the EU&rsquo;s &ldquo;Chat Control&rdquo; debate — and the technical core of the disagreement matters more than the politics.</p>
<h2>Why client-side scanning breaks the model</h2>
<p>End-to-end encryption (E2EE) means only the sender and recipient can read a message; the service in the middle cannot. <strong>Client-side scanning</strong> tries to sidestep that by checking content <em>on your device</em> — before it is encrypted, or after it is decrypted — against a list of prohibited material.</p>
<p>Proponents frame this as &ldquo;we&rsquo;re not breaking encryption, we&rsquo;re scanning before it applies.&rdquo; Cryptographers have repeatedly rejected that framing for a simple reason: a scanner sitting inside your trusted endpoint, reporting on your messages, is a surveillance mechanism regardless of where the encryption boundary sits. Once that capability exists, three problems follow:</p>
<ul>
<li><strong>Scope creep.</strong> A system built to match one category of content can be silently re-pointed at another. The match list is controlled by whoever operates it.</li>
<li><strong>False positives and chilling effects.</strong> Perceptual-hash and AI classifiers misfire. At population scale, even a tiny error rate flags large numbers of innocent people.</li>
<li><strong>A single point of failure.</strong> A mandated on-device scanner is a high-value target. Compromise it and you compromise everyone.</li>
</ul>
<p>The <a href="https://www.eff.org/issues/privacy" target="_blank" rel="noopener noreferrer">EFF</a> and a long list of security researchers have made versions of this argument for years: you cannot add an exceptional-access door for &ldquo;the good guys&rdquo; that stays shut for everyone else.</p>
<h2>Signal&rsquo;s line in the sand</h2>
<p>Signal&rsquo;s leverage is its credibility. It is a non-profit, its protocol is open and independently audited, and it has walked away from markets before rather than degrade its guarantees. That makes its &ldquo;we will leave&rdquo; threat believable in a way a commercial platform&rsquo;s might not be.</p>
<p>The practical stakes are real. The Signal Protocol underpins not just Signal but the E2EE in WhatsApp and others. A mandate that forces scanning into one app sets precedent for the rest, and a patchwork of country-by-country scanning rules is exactly the fragmentation secure-messaging projects are built to resist.</p>
<h2>What to watch</h2>
<p>The open questions are whether the reported UK proposal advances into binding rules, whether it is paired with age-verification mandates that pull in even more identity data, and whether other governments cite it as precedent. For anyone building or relying on secure communications, the signal in the noise is consistent: the encryption debate has moved from <em>&ldquo;should messages be encrypted&rdquo;</em> to <em>&ldquo;can your own device be conscripted to report on you.&rdquo;</em> That is the line Signal is refusing to cross.</p>]]></content:encoded></item>
<item><title>DIP Protocol Drained for ~$111K on BNB Chain in Reserve-Skim Exploit</title><link>https://mrtd.net/dip-protocol-bnb-reserve-skim-exploit/</link><guid isPermaLink="true">https://mrtd.net/dip-protocol-bnb-reserve-skim-exploit/</guid><pubDate>Wed, 17 Jun 2026 06:00:00 +0000</pubDate><category>Crypto Security</category><description><![CDATA[DeFi project DIP Protocol was drained of roughly $111,000 on BNB Chain through a token-transfer bug that let an attacker double-count pool reserves. Here is the class of flaw involved and why it keeps reappearing.]]></description><content:encoded><![CDATA[<p>On June 17, 2026, the BNB Chain DeFi project <strong>DIP Protocol</strong> was drained of an estimated <strong>$111,000</strong>, according to initial incident reports. The attacker reportedly abused a flaw in how the protocol accounted for pool reserves during token transfers — a <code>skim</code>-style routine that could be made to <strong>double-count reserves</strong>, letting the attacker withdraw more value than they were entitled to.</p>
<p>We are still verifying the on-chain specifics (transaction hashes and the attacker address) against block-explorer data and will update this page with the confirmed trail. What follows is an explanation of the <em>class</em> of vulnerability, which is well understood and recurs across automated-market-maker (AMM) style contracts.</p>
<h2>What a &ldquo;reserve skim&rdquo; bug actually is</h2>
<p>AMM pools track internal <strong>reserves</strong> — the contract&rsquo;s own record of how many tokens it holds. Many pools also expose a <code>skim()</code> function: a maintenance routine that pushes out any tokens sent to the contract <em>above</em> the recorded reserves, so the accounting stays consistent.</p>
<p>The danger appears when the <strong>balance check and the reserve update get out of sync</strong>. If a router or transfer path lets a caller trigger an accounting update <em>before</em> the contract reconciles its true token balance, the same surplus can be counted twice — once by the pool&rsquo;s internal math and once by the attacker who skims it out. Repeat that in a loop and the pool bleeds value with every iteration.</p>
<p>This is a cousin of the classic re-entrancy and <strong>fee-on-transfer mismatch</strong> bugs: the contract trusts a number it should have re-derived from <code>balanceOf</code> at the moment of truth.</p>
<h2>Why it keeps happening</h2>
<p>Three recurring reasons:</p>
<ul>
<li><strong>Composability.</strong> Pools are called by routers, which are called by aggregators. Each hop is an opportunity for the reserve and the real balance to diverge.</li>
<li><strong>Fee-on-transfer and rebasing tokens.</strong> Any token whose transferred amount differs from the requested amount breaks naive reserve math unless the contract measures balances before and after.</li>
<li><strong>Copy-paste forks.</strong> A subtle fix in an upstream AMM often never reaches the dozens of forks that inherited the original bug.</li>
</ul>
<h2>How protocols defend against it</h2>
<ul>
<li><strong>Measure, don&rsquo;t assume.</strong> Re-read <code>balanceOf(address(this))</code> and compute deltas at the moment of settlement rather than trusting cached reserves.</li>
<li><strong>Check-effects-interactions and re-entrancy guards</strong> on every state-changing path, including <code>skim</code> and <code>sync</code>.</li>
<li><strong>Invariant tests and fuzzing</strong> that assert reserves can never exceed real balances after any sequence of calls.</li>
<li><strong>Independent audits plus a live bug bounty</strong> sized to the TVL at risk — a five-figure bounty rarely outbids a six-figure exploit.</li>
</ul>
<h2>What to watch next</h2>
<p>The immediate questions are whether DIP Protocol can negotiate a return of funds (increasingly common via on-chain messages to the attacker), whether a single audited dependency is implicated, and whether other forks of the same pool code are exposed. We will track the attacker address once confirmed and update the incident facts above.</p>
<p><em>Have details on this incident, including transaction hashes or the official post-mortem? Reach the desk via <a href="https://t.me/mrtdnet" target="_blank" rel="noopener noreferrer">@mrtdnet</a> on Telegram.</em></p>]]></content:encoded></item>
<item><title>AI-Search Visibility Data: Classic SEO Still Predicts Citations, But Most Live Off the Map</title><link>https://mrtd.net/ai-search-visibility-seo-geo-aeo-what-works/</link><guid isPermaLink="true">https://mrtd.net/ai-search-visibility-seo-geo-aeo-what-works/</guid><pubDate>Tue, 16 Jun 2026 15:10:00 +0000</pubDate><category>SEO &amp; Growth</category><description><![CDATA[New vendor analyses spanning tens of thousands of domains suggest page-level SEO strength still correlates with being cited in ChatGPT, Perplexity and AI Overviews, yet a large share of AI recommendations never appear in traditional rank trackers. We separate the load-bearing tactics from the GEO hype.]]></description><content:encoded><![CDATA[<h2>The finding: SEO helps, but most citations live off the traditional map</h2>
<p>A wave of 2026 vendor research keeps landing on the same uncomfortable pair of facts. Strong classic SEO still raises your odds of being cited by an LLM — and most of what LLMs actually recommend never shows up in a traditional rank tracker. A circulated directional analysis of roughly 29,562 domains echoes earlier work by Kevin Indig, whose study of ~98,000 citation rows from ~1.2M ChatGPT responses found that <a href="https://searchengineland.com/chatgpt-citations-domains-study-472349" target="_blank" rel="noopener noreferrer">ranking #1 in Google correlates strongly with being cited</a>: 43.2% of top-ranking pages were cited, versus far lower rates beyond position 20.</p>
<p>The catch is concentration and invisibility. In that same dataset, the top 30 domains captured 67% of citations within a topic, and ChatGPT retrieved roughly 6x more pages than it cited — about 85% of retrieved pages were never cited. Separately, The Digital Bloom reports that <a href="https://thedigitalbloom.com/learn/2025-ai-citation-llm-visibility-report/" target="_blank" rel="noopener noreferrer">~80% of ChatGPT-cited URLs don&rsquo;t rank in Google&rsquo;s top 100</a> for the same query. Both can be true: page-level relevance lifts your odds, while a long tail of citations comes from forums and community threads that classic metrics never measured.</p>
<h2>Domain authority is not the signal people think it is</h2>
<p>This is where the nuance bites. Page-level ranking helps, but domain-level authority scores largely don&rsquo;t. Search Atlas&rsquo;s correlation analysis across <a href="https://searchatlas.com/blog/authority-metrics-in-the-age-of-llms-visibility-correlation-analysis/" target="_blank" rel="noopener noreferrer">21,767 domains found Domain Authority barely moves AI visibility</a> — ChatGPT r ≈ −0.12, Perplexity r ≈ −0.18, Gemini r ≈ −0.09. Treat the exact coefficients as single-study, directional figures, but the direction matches a broader pattern: brand mentions and topical coverage now out-predict backlink-derived authority.</p>
<h2>What controlled experiments actually killed</h2>
<p>The most useful 2026 work is the experiments that failed. In OtterlyAI&rsquo;s <a href="https://otterly.ai/blog/geo-experiment-html-vs-markdown/" target="_blank" rel="noopener noreferrer">Markdown-vs-HTML test</a>, .md mirrors of live pages — given equal footer-link discovery — drew 0% of AI-bot visits and zero citations over 14 days, while HTML versions pulled 7.4% of bot traffic and were the only format cited. The same body of work found <a href="https://speakerdeck.com/thomaspeham/geo-experiments-2026-what-we-tested-what-failed-and-what-actually-works" target="_blank" rel="noopener noreferrer">llms.txt drew ~0.1% of AI-bot traffic</a>, performing roughly 3x worse than an average content page. Search Engine Land&rsquo;s review reaches the same verdict: there is <a href="https://searchengineland.com/geo-myths-lies-467617" target="_blank" rel="noopener noreferrer">no evidence llms.txt boosts inclusion</a>, and several schema-markup &ldquo;wins&rdquo; survive only as correlations with plausible rival explanations.</p>
<h2>What the data suggests actually works</h2>
<ul>
<li><strong>Be indexed by Bing.</strong> ChatGPT discovers candidate pages via the Bing index, and Seer Interactive&rsquo;s audit found <a href="https://martech.zone/chatgpt-visibility-and-bing-indexnow/" target="_blank" rel="noopener noreferrer">~87% of SearchGPT citations match Bing&rsquo;s top results</a>. Submitting via IndexNow accelerates discovery — a low-cost, high-leverage prerequisite.</li>
<li><strong>Ship reference-grade, extractable HTML.</strong> Citations cluster in the upper sections of long-form pages (Indig found the 10–20% band performs best; 5,000–10,000-character pages earn the most). Quotable, self-contained passages beat clever formatting tricks.</li>
<li><strong>Earn entity and brand coverage.</strong> Broad topical clusters and brand mentions correlate with citation more than isolated keyword pages.</li>
<li><strong>Show up where LLMs read.</strong> OtterlyAI&rsquo;s <a href="https://otterly.ai/blog/the-ai-citations-report-2026/" target="_blank" rel="noopener noreferrer">AI Citation Economy report</a> (1M+ citations) puts community platforms at 52.5% of citations, with Reddit the single most-cited domain across ChatGPT, Perplexity and AI Overviews. Reddit&rsquo;s question-and-thread structure maps cleanly onto long-tail intent, which is why it over-indexes.</li>
<li><strong>Keep content fresh.</strong> Recency is the recommendation with the strongest evidence base for time-sensitive queries.</li>
</ul>
<h2>What is hype</h2>
<p>Markdown mirrors, llms.txt files, and &ldquo;chunking&rdquo; your pages for crawlers are, on current evidence, near-zero-yield. Schema markup may help indexing hygiene but should not be sold as a direct citation lever. And any single vendor&rsquo;s correlation coefficient — including the 29,562-domain figure — is directional, not gospel; most of this research is observational, platform-specific, and shifts month to month.</p>
<h2>Bottom line</h2>
<p>GEO/AEO is not a replacement for SEO; it&rsquo;s SEO with a different distribution. Get into Bing, write citable HTML, build entity depth, and earn presence on the community sites LLMs trust. Then measure per platform — ChatGPT, Perplexity and AI Overviews <a href="https://otterly.ai/blog/the-ai-citations-report-2026/" target="_blank" rel="noopener noreferrer">overlap on as little as 11% of cited sources</a> — because a win on one engine tells you little about the others.</p>]]></content:encoded></item>
<item><title>Crawl Budget Reclamation: What It Is, Who Needs It, and the Pruning Playbook</title><link>https://mrtd.net/crawl-budget-reclamation-pruning-junk-pages-playbook/</link><guid isPermaLink="true">https://mrtd.net/crawl-budget-reclamation-pruning-junk-pages-playbook/</guid><pubDate>Tue, 16 Jun 2026 09:30:00 +0000</pubDate><category>SEO &amp; Growth</category><description><![CDATA[SEO practitioners report large traffic gains from pruning junk indexed pages to free Google's "crawl budget." We break down what crawl budget actually is per Google's own docs, who it genuinely matters for, and a concrete reclamation playbook — while staying skeptical of the headline +67% figure.]]></description><content:encoded><![CDATA[<h2>What crawl budget actually is</h2>
<p>Google defines crawl budget as &ldquo;the set of URLs that Googlebot can and wants to crawl,&rdquo; governed by two levers in its <a href="https://developers.google.com/search/docs/crawling-indexing/large-site-managing-crawl-budget" target="_blank" rel="noopener noreferrer">Large Site Owner&rsquo;s Guide to Managing Crawl Budget</a>. The first is the <strong>crawl capacity limit</strong> — the maximum simultaneous connections Googlebot will open and the delay between fetches, tuned so it doesn&rsquo;t overload your origin. The second is <strong>crawl demand</strong>, Google&rsquo;s appetite for your URLs based on perceived inventory, popularity, and content staleness.</p>
<p>The practical takeaway is that crawl budget is not a fixed daily quota you &ldquo;spend.&rdquo; It is a negotiated equilibrium: a faster, healthier server raises the ceiling, and more valuable, fresher content raises demand. Google states the only durable ways to increase it are to &ldquo;increase your serving capacity&rdquo; and, more importantly, &ldquo;increase the value of the content on your site.&rdquo;</p>
<h2>Who it actually matters for</h2>
<p>This is where most coverage overreaches. Google is explicit that crawl budget is a concern for a narrow band of sites: those with <strong>1M+ unique pages</strong> updating moderately often, <strong>10k+ pages</strong> with daily-changing content, or any site showing a large share of URLs stuck as <strong>&ldquo;Discovered – currently not indexed&rdquo;</strong> in Search Console. The documentation opens with a blunt disclaimer: &ldquo;If your site doesn&rsquo;t have a large number of pages that change rapidly, or if your pages seem to be crawled the same day they are published, you don&rsquo;t need to read this guide.&rdquo;</p>
<p>For most small and mid-size sites, an accurate sitemap and periodic index-coverage checks are sufficient. Spending engineering hours chasing crawl budget on a 400-page brochure site is misallocated effort.</p>
<h2>The real crawl-budget killers</h2>
<p>The waste, when it exists, is structural. The recurring offenders are <strong>faceted navigation and URL parameters</strong> that multiply near-duplicate combinations (Google&rsquo;s <a href="https://developers.google.com/search/docs/crawling-indexing/crawling-managing-faceted-navigation" target="_blank" rel="noopener noreferrer">faceted navigation guidance</a> covers this directly), <strong>infinite spaces</strong> like unbounded calendars or filter chains, <strong>soft 404s</strong> that return 200 for missing content, <strong>duplicate and thin pages</strong>, <strong>long redirect chains</strong>, and <strong>slow server responses</strong> that throttle the capacity limit. One practitioner <a href="https://tryansly.com/blog/seo-case-study-crawl-budget" target="_blank" rel="noopener noreferrer">case study</a> reported Googlebot spending ~70% of its crawl on parameterized filter URLs at a single ecommerce retailer — illustrative, but a one-site anecdote, not the industry-wide &ldquo;~60% wasted&rdquo; rule it&rsquo;s sometimes quoted as.</p>
<h2>The reclamation playbook</h2>
<p>Google&rsquo;s own best practices form a concrete, defensible sequence:</p>
<ol>
<li><strong>Consolidate duplicates</strong> — canonicalize variants and merge thin pages rather than letting parameter permutations sprawl.</li>
<li><strong>Block unimportant URLs with robots.txt — not noindex.</strong> This is a subtle but critical point many &ldquo;noindex the junk&rdquo; recommendations get wrong: a <code>noindex</code> page must still be <em>crawled</em> to read the tag, so it keeps consuming crawl. Robots.txt is the correct tool when the goal is to stop crawling entirely.</li>
<li><strong>Return 404/410 for permanently removed pages</strong> and eliminate soft 404s so Googlebot stops re-requesting dead URLs.</li>
<li><strong>Keep sitemaps current</strong> with accurate <code>&lt;lastmod&gt;</code> values, and mirror your important internal links so discovery doesn&rsquo;t depend on the sitemap alone.</li>
<li><strong>Speed up the origin.</strong> Faster responses directly raise the crawl capacity limit.</li>
</ol>
<h2>On that +67%: a case study, not a formula</h2>
<p>The widely shared +67% figure comes from a <a href="https://tryansly.com/blog/seo-case-study-crawl-budget" target="_blank" rel="noopener noreferrer">practitioner case study</a> of a B2B SaaS site that deleted 400 of 550 blog posts — those with zero organic traffic in twelve months <em>and</em> no backlinks — and recorded a 67% organic lift by month four. Treat this as reported, not guaranteed. The confound is obvious: removing 73% of the blog posts as low-quality content simultaneously improves perceived domain quality, internal-link equity, and topical focus. Isolating &ldquo;freed crawl budget&rdquo; as the cause is not possible from the data, and the same intervention on a different site could just as easily <em>lose</em> traffic if pruning catches pages with latent value.</p>
<p>Critically, Google&rsquo;s documentation makes <strong>no claim</strong> that crawl budget directly improves rankings or traffic. Reclamation is a hygiene and efficiency discipline — get your best pages crawled sooner and re-crawled more reliably — not a growth lever. Audit before you cut, and prune for quality, not for a number.</p>]]></content:encoded></item>
<item><title>Deprecated Aztec Connect Contract Drained of ~$2.19M Three Years After Shutdown</title><link>https://mrtd.net/aztec-connect-deprecated-router-2-19m-drain/</link><guid isPermaLink="true">https://mrtd.net/aztec-connect-deprecated-router-2-19m-drain/</guid><pubDate>Mon, 15 Jun 2026 11:20:00 +0000</pubDate><category>Crypto Security</category><description><![CDATA[An attacker exploited a settlement-boundary flaw in Aztec Connect's abandoned RollupProcessorV3 contract on June 14, 2026, draining roughly $2.19M in ETH and stablecoins. The privacy bridge was sunset in March 2023 and Aztec Labs holds no keys to pause it. The case is a reminder that "deprecated" is not "safe."]]></description><content:encoded><![CDATA[<h2>What was reported</h2>
<p>On June 14, 2026, an attacker drained roughly <strong>$2.19 million</strong> from the long-deprecated <strong>Aztec Connect</strong> privacy bridge on Ethereum, according to <a href="https://thedefiant.io/news/hacks/aztec-connect-deprecated-contract-exploit-2-1m-zk-proof" target="_blank" rel="noopener noreferrer">The Defiant</a> and <a href="https://crypto.news/aztec-connect-loses-2-1m-after-old-contract-exploit/" target="_blank" rel="noopener noreferrer">crypto.news</a>. The drained assets reportedly included <strong>908.99 ETH</strong> (about $1.57M), <strong>270,513 DAI</strong>, <strong>167.89 wstETH</strong> (about $357K), plus smaller balances of yvDAI, yvWETH, LUSD and yvLUSD — residual deposits left in contracts that have sat dormant since Aztec Labs sunset the product in <strong>March 2023</strong> to focus on its newer privacy network.</p>
<p>Critically, this was a legacy component. The Aztec Foundation stated the exploited product has <strong>no connection to the AZTEC ERC-20 token or the current Aztec network</strong>, and that the live chain and its users were unaffected. Because Aztec Connect was fully decommissioned, the team <strong>holds no admin keys</strong>: it could not pause, upgrade, or reverse the transactions as the drain unfolded.</p>
<h2>How the flaw worked (high level)</h2>
<p>Security firm <a href="https://www.cryptotimes.io/2026/06/15/slowmist-details-root-cause-of-2-19m-aztec-connect-exploit/" target="_blank" rel="noopener noreferrer">SlowMist</a> attributed the loss to a <strong>settlement-boundary mismatch</strong> in the <code>processRollup()</code> function of the <code>RollupProcessorV3</code> contract. In plain terms, the contract&rsquo;s Layer-1 settlement loop processed only the number of transactions indicated by a <code>numRealTxs</code> parameter, while the accompanying zero-knowledge proof committed to a larger set of decoded public-input slots. That divergence let forged entries in the unexamined slots pass settlement without being validated against deposits, signatures, or withdrawals — producing balances on the rollup that were never backed on L1. Per SlowMist, the operation was executed across <strong>14 consecutive <code>processRollup()</code> calls</strong> in a single atomic transaction.</p>
<p>On-chain sleuths including <strong>Param (@Param_eth)</strong>, <strong>BlockSec&rsquo;s Phalcon team</strong>, and <strong>CertiK</strong> flagged and dissected the incident. The attacking address was reportedly <strong>funded through Tornado Cash</strong> beforehand — a common laundering pattern, not evidence that Tornado Cash itself was exploited here. We are deliberately not republishing exploit mechanics.</p>
<h2>Why &ldquo;deprecated&rdquo; is not &ldquo;safe&rdquo;</h2>
<p>This is the core lesson, and it is not unique to Aztec. Immutability cuts both ways: the same property that makes a contract trustless also means a frozen, abandoned contract can be attacked indefinitely if it still holds value and contains a latent bug. Once a team relinquishes upgrade and pause authority — often a deliberate decentralization choice — there is <strong>no emergency brake</strong>. A &ldquo;shutdown&rdquo; that only removes the front-end leaves the on-chain attack surface fully intact.</p>
<p>The broader June backdrop underscores the point. The same week, trackers logged a separate, larger incident at <strong>Humanity Protocol</strong> — figures in initial reports ranged from roughly <strong>$30M to $36M</strong> and centered on compromised bridge controls rather than a legacy-contract bug — alongside other bridge losses. The common thread is residual funds and lingering permissions sitting in components most users assumed were retired.</p>
<h2>Defensive takeaways</h2>
<p>For teams winding down a protocol:</p>
<ul>
<li><strong>Sweep residual value first.</strong> Before relinquishing keys, drain or migrate funds and give users a hard, well-communicated deadline to withdraw.</li>
<li><strong>Decide deliberately on immutability vs. an emergency exit.</strong> If you renounce admin keys, you also renounce your ability to pause a future exploit — keep a guarded pause/withdraw path until balances are near zero, then renounce.</li>
<li><strong>Don&rsquo;t stop the audits at sunset.</strong> Latent verification bugs (proof-vs-settlement mismatches like this one) often surface long after the product is &ldquo;done.&rdquo; Maintain monitoring and a bug-bounty channel for legacy code.</li>
<li><strong>Publish a clear decommission status</strong> so users and integrators know a contract is unmaintained and unfunded.</li>
</ul>
<p>For users:</p>
<ul>
<li><strong>Withdraw from wound-down protocols</strong> rather than leaving &ldquo;dust&rdquo; — small leftover balances still aggregate into attractive targets.</li>
<li><strong>Revoke token approvals</strong> to deprecated routers and bridges using approval-management tools; an unused allowance to a legacy contract is standing risk.</li>
<li><strong>Treat shutdown announcements as a call to exit, not relax.</strong> Set on-chain alerts for any contract you still have exposure to.</li>
</ul>
<p>Aztec Connect&rsquo;s drain caused no harm to the active network — but it is a textbook reminder that on Ethereum, code you abandon does not abandon its risk.</p>]]></content:encoded></item>
</channel></rss>