Crime

Ex-Cybersecurity Staff Charged With Moonlighting as Hackers (msn.com) 10

Three employees at cybersecurity companies spent years moonlighting as criminal hackers, launching their own ransomware attacks in a plot to extort millions of dollars from victims around the country, US prosecutors alleged in court filings. From a report: Ryan Clifford Goldberg, a former incident response supervisor at Sygnia Consulting, and Kevin Tyler Martin, who was a ransomware negotiator for DigitalMint, were charged with working together to hack five businesses starting in May 2023. In one instance, they, along with a third person, received a ransom payment of nearly $1.3 million worth of cryptocurrency from a medical device company based in Tampa, Florida, according to prosecutors.

The trio worked in a part of the cybersecurity industry that has sprung up to help companies negotiate with hackers to unfreeze their computer networks -- sometimes by paying ransom. They are also accused of sharing their illicit profits with the developers of the type of ransomware they allegedly used on their victims. DigitalMint informed some customers about the charges last week, according to a document seen by Bloomberg News.

The other person who was allegedly involved in the scheme was also a ransomware negotiator at the same firm as Martin but wasn't charged, according to court records. The person wasn't identified in court records, nor were the companies that were the defendants' former employers. Sygnia confirmed Goldberg had worked there. Martin last year gave a talk at a law school, which listed him as an employee of DigitalMint.

Crime

DOJ Accuses US Ransomware Negotiators of Launching Their Own Ransomware Attacks (techcrunch.com) 20

An anonymous reader quotes a report from TechCrunch: U.S. prosecutors have charged two rogue employees of a cybersecurity company that specializes in negotiating ransom payments to hackers on behalf of their victims with carrying out ransomware attacks of their own. Last month, the Department of Justice indicted Kevin Tyler Martin and another unnamed employee, who both worked as ransomware negotiators at DigitalMint, with three counts of computer hacking and extortion related to a series of attempted ransomware attacks against at least five U.S.-based companies.

Prosecutors also charged a third individual, Ryan Clifford Goldberg, a former incident response manager at cybersecurity giant Sygnia, as part of the scheme. The three are accused of hacking into companies, stealing their sensitive data, and deploying ransomware developed by the ALPHV/BlackCat group. [...] According to an FBI affidavit filed in September, the rogue employees received more than $1.2 million in ransom payments from one victim, a medical device maker in Florida. They also targeted several other companies, including a Virginia-based drone maker and a Maryland-headquartered pharmaceutical company.

Privacy

Woman Wrongfully Accused by a License Plate-Reading Camera - Then Exonerated By Camera-Equipped Car (electrek.co) 174

CBS News investigates what happened when police thought they'd tracked down a "porch pirate" who'd stolen a package — and accused an innocent woman.

"You know why I'm here," the police sergeant tells Chrisanna Elser. "You know we have cameras in that town..." "It went right into, 'we have video of you stealing a package,'" Elser said... "Can I see the video?" Elser asked. "If you go to court, you can," the officer replied. "If you're going to deny it, I'm not going to extend you any courtesy...." [You can watch a video of the entire confrontation.] On her doorstep, the officer issued a summons, without ever looking at the surveillance video Elser had. "We can show you exactly where we were," she told him. "I already know where you were," he replied.

Her Rivian — equipped with multiple cameras — had recorded her entire route that day... It took weeks of her collecting her own evidence, building timelines, and submitting videos before someone listened. Finally, she received an email from the Columbine Valley police chief acknowledging her efforts in an email saying, "nicely done btw (by the way)," and informing her the summons would not be filed.

Elser also found the theft video (which the police officer refused to show her) on Nextdoor, reports Electrek. "The woman has the same color hair, but different facial and nose shape and apparent age than Elser, which is all reasonably apparent when viewing the video..."

But Elser does drive a green Rivian truck, which police knew had entered the neighborhood 20 times over the course of a month. (Though in the video the officer is told that a male driver in the same household passes through that neighborhood driving to and from work.) The problem may be their certainty — derived from Flock's network of cameras that automatically read license plates, "tracking movements of vehicles wherever they go..." The system has provoked concern from privacy- and freedom-focused organizations like the Electronic Frontier Foundation and American Civil Liberties Union. Flock also recently announced a partnership with Ring, seeking to use a network of doorbell cameras to track Americans in even more places.... [The police] didn't even have video of the truck in the area — merely tags of it entering... (it also left the area minutes later, indicating a drive through, rather than crawling through neighborhoods looking for packages — but police neglected to check the exit timestamps)... Elser has asked for an apology for [officer] Milliman's aggressive behavior during the encounter, but has heard nothing back from the department despite a call, email, and physical appearance at the police station.

The article points out that Rivian's "Road Cam" feature can be set to record footage of everything happening around it using the car's built-in cameras for driver-assist features. But if you want to record footage all the time, you'll need to plug in a USB-C external drive to store it. (It's ironic how different cameras recorded every part of this story — the theft, the police officer accusing the innocent woman, and that innocent woman's actual whereabouts.)

Electrek's take? "Citizens should not need to own a $70k+ truck, or even a $100 external hard drive, to keep track of everything they do in order to prove to power-tripping officers that they didn't commit a crime."

Crime

North Korea Has Stolen Billions in Cryptocurrency and Tech Firm Salaries, Report Says (apnews.com) 21

The Associated Press reports that "North Korean hackers have pilfered billions of dollars" by breaking into cryptocurrency exchanges and by creating fake identities to get remote tech jobs at foreign companies — all orchestrated by the North Korean government to finance R&D on nuclear arms.

That's according to a new 138-page report by a group watching North Korea's compliance with U.N. sanctions (including officials from the U.S., Australia, Canada, France, Germany, Italy, Japan, the Netherlands, New Zealand, South Korea and the United Kingdom). From the Associated Press: North Korea also has used cryptocurrency to launder money and make military purchases to evade international sanctions tied to its nuclear program, the report said. It detailed how hackers working for North Korea have targeted foreign businesses and organizations with malware designed to disrupt networks and steal sensitive data...

Unlike China, Russia and Iran, North Korea has focused much of its cyber capabilities on funding its government, using cyberattacks and fake workers to steal from and defraud companies and organizations elsewhere in the world... Earlier this year, hackers linked to North Korea carried out one of the largest crypto heists ever, stealing $1.5 billion worth of ethereum from Bybit. The FBI later linked the theft to a group of hackers working for the North Korean intelligence service.

Federal authorities also have alleged that thousands of IT workers employed by U.S. companies were actually North Koreans using assumed identities to land remote work. The workers gained access to internal systems and funneled their salaries back to North Korea's government. In some cases, the workers held several remote jobs at the same time.

Crime

Myanmar Military Shuts Down a Major Cybercrime Center and Detains Over 2,000 People (apnews.com) 11

An anonymous reader shares this report from the Associated Press: Myanmar's military has shut down a major online scam operation near the border with Thailand, detaining more than 2,000 people and seizing dozens of Starlink satellite internet terminals, state media reported Monday... The centers are infamous for recruiting workers from other countries under false pretenses, promising them legitimate jobs and then holding them captive and forcing them to carry out criminal activities.

Scam operations were in the international spotlight last week when the United States and Britain enacted sanctions against organizers of a major Cambodian cyberscam gang, and its alleged ringleader was indicted by a federal court in New York. According to a report in Monday's Myanma Alinn newspaper, the army raided KK Park, a well-documented cybercrime center, as part of operations starting in early September to suppress online fraud, illegal gambling, and cross-border cybercrime.

The Internet

Browser Promising Privacy Protection Contains Malware-Like Features, Routes Traffic Through China (arstechnica.com) 16

A web browser linked to Chinese online gambling websites and downloaded millions of times routes all internet traffic through servers in China and covertly installs programs that run in the background, according to findings published by network security company Infoblox. The researchers said the Universe Browser, which advertises itself as offering privacy protection, includes features similar to malware such as key logging and surreptitious connections.

Infoblox collaborated with the United Nations Office on Drugs and Crime on the research. The investigators found links between the browser and Southeast Asia's cybercrime ecosystem, which has connections to money laundering, illegal online gambling, human trafficking and scam operations using forced labor. The browser is directly linked to BBIN, a major online gambling company that has existed since 1999. Infoblox researchers examined the Windows version of the browser and found that it checks users' locations and languages when launched, installs two browser extensions, and disables security features including sandboxing.

Crime

Trump Pardons Binance Founder Changpeng Zhao (apnews.com) 92

President Donald Trump has pardoned the Founder of Binance, Changpeng Zhao, who pleaded guilty to anti-money-laundering violations and served prison time. The Associated Press reports: Zhao has deep ties to World Liberty Financial, a crypto venture that the Republican president and his sons Eric and Donald Jr. launched in September. Trump's most recent financial disclosure report reveals he made more than $57 million last year from World Liberty Financial, which has launched USD1, a stablecoin pegged at a 1-to-1 ratio to the U.S. dollar. World Liberty Financial also recently announced that an investment fund in the United Arab Emirates would be using $2 billion worth of USD1 to purchase a stake in Binance. Zhao also has publicly said that he had asked Trump for a pardon that could nullify his conviction.

White House press secretary Karoline Leavitt said in a statement Thursday that the Biden administration prosecuted Zhao out of a "desire to punish the cryptocurrency industry." She said there were "no allegations of fraud or identifiable victims," though Zhao had pleaded guilty in November to one count of failing to maintain an anti-money-laundering program.

Transportation

Miami Is Testing a Self-Driving Police Car That Can Launch Drones (thedrive.com) 47

Miami-Dade County is piloting a self-driving police car built by PolicingLab and powered by Perrone Robotics, equipped with 360-degree cameras, AI analytics, license plate readers, and even drone-launch capabilities. The Drive reports: "Designed as a force multiplier, the PUG combines advanced autonomy from Perrone Robotics with AI-driven analytics, real-time crime data, and a suite of sensors including 360-degree cameras, thermal imaging, license plate recognition, and drone launch capabilities," [says PolicingLab's announcement.] "Its role: extend deputy resources, improve efficiency, and enhance community safety without additional cost to Miami-Dade taxpayers," it continued.

For starters, this is merely a pilot program being sponsored by PolicingLab, not a standard addition to the department's fleet. And second, at least initially, it's being soft-launched as a feeler for the Sheriff's public affairs folks. It'll be posted up at public and media events in order to "gather feedback" before the department considers whether to press it into service. Once it's actually brought online, PolicingLab says the squad car will offer several benefits to the department: "The 12-month pilot will evaluate outcomes such as improved response times, enhanced deterrence, officer safety, and stronger public trust," it said. "Results will inform whether and how the program expands, potentially serving as a national model for agencies across the country."

In other words, PolicingLab expects that the data collected about real-world policing will more than offset the costs of building and supporting the car in the long run, but if these are ever pressed into regular service, you can bet they'll come with hefty subscription and support costs, even if they do eliminate expensive human labor (and judgment) from the situation.

Android

GrapheneOS Finally Ready To Break Free From Pixels 35

GrapheneOS, the privacy-focused Android fork once exclusive to Google Pixels, is partnering with a major Android OEM to bring its hardened, de-Googled OS to Snapdragon-powered flagship phones. Android Authority reports: Until now, GrapheneOS has been available only on Pixel phones, making Google's flagships popular among privacy enthusiasts, journalists, and, as a Spanish police report suggested earlier this year, even organized crime groups in Catalonia. But that Pixel exclusivity may end by 2026 or 2027. GrapheneOS revealed in a Reddit thread that it has been working with a "major Android OEM" since June 2025 to enable official support for "future versions of their existing models." These devices will reportedly use flagship Snapdragon chips, a notable shift from Google's in-house Tensor processors.

The project explained that only Pixels have met its strict security and update requirements so far. However, the new partnership suggests that another OEM is finally matching those standards. GrapheneOS also hinted that the mysterious partner's devices will be "priced similarly to Pixels" and available globally as part of the brand's standard lineup.

Crime

Teens Arrested In London Preschool Ransomware Attack (theregister.com) 16

An anonymous reader quotes a report from The Register: London cops on Tuesday arrested two teenagers on suspicion of computer misuse and blackmail following a ransomware attack on a chain of London preschools. London's Metropolitan Police said the two men, both aged 17, were taken into custody during an operation at residential properties in Bishop's Stortford, Hertfordshire. The arrests followed a September 25 referral from the UK's Action Fraud reporting center detailing a ransomware attack on the preschools. While the Met police didn't name the schools, the timing of the referral coincides with a digital break-in at Kido International, a preschool and daycare organization that operates in the UK, US, and India.

In a very aggressive -- and disgusting -- attempt to extort a ransom payment from Kido, the criminals published profiles of 10 children, including photos, names, and home addresses, along with their parents' contact details and in some cases places of work, threatening to expose more if the ransom demand wasn't met. A new crime crew calling itself the Radiant Group claimed responsibility for the attack, and posted the preschool's name, along with its pupils' profiles, as the first leak on its dark web site. The ransomware gang later deleted the kids' and parents' data, apparently under pressure from other criminals -- but not before some of the parents reported receiving threatening calls.

Privacy

Salesforce Says It Won't Pay Extortion Demand in 1 Billion Records Breach (arstechnica.com) 28

Salesforce says it's refusing to pay an extortion demand made by a crime syndicate that claims to have stolen roughly 1 billion records from dozens of Salesforce customers. From a report: The threat group making the demands began their campaign in May, when they made voice calls to organizations storing data on the Salesforce platform, Google-owned Mandiant said in June. The English-speaking callers would provide a pretense that necessitated that the target connect an attacker-controlled app to their Salesforce portal. Amazingly -- but not surprisingly -- many of the people who received the calls complied.

[...] Earlier this month, the group created a website that named Toyota, FedEx, and 37 other Salesforce customers whose data was stolen in the campaign. In all, the number of records recovered, Scattered LAPSUS$ Hunters claimed, was "989.45m/~1B+." The site called on Salesforce to begin negotiations for a ransom amount "or all your customers [sic] data will be leaked." The site went on to say: "Nobody else will have to pay us, if you pay, Salesforce, Inc." The site said the deadline for payment was Friday.

Crime

Cops: Accused Vandal Confessed To ChatGPT 59

alternative_right shares a report from the Smoking Gun: Minutes after vandalizing 17 cars in a Missouri college parking lot, a 19-year-old sophomore had a lengthy ChatGPT conversation during which he confessed to the crime, asked about the possibility of getting caught, and wondered, "is there any way they could know it was me," according to a police probable cause statement. Ryan Schaefer was arrested yesterday and charged with felony property damage for a rampage early Sunday at a Missouri State University parking lot. Investigators allege that Schaefer shattered car windows, ripped off side mirrors, dented hoods, and broke windshield wipers during the 3 AM spree.

When confronted with surveillance footage and other evidence, Schaefer said that he could see the resemblance between the suspect and himself. At that point, Schaefer reportedly consented to a search of his iPhone. A subsequent review of the device revealed location data placing Schaefer "at or near the scene of the crime," as well as a "troubling dialogue exchange this defendant seems to have had with artificial intelligence software installed on his phone," prosecutors reported.

The incriminating ChatGPT conversation can be found here.

Piracy

Sports Piracy Operator Goes From Jail To Getting Hired By a Tech Unicorn In a Month (torrentfreak.com) 2

An anonymous reader quotes a report from TorrentFreak: The operator of a popular pirate sports streaming site in Argentina has gone from spending time in jail with murderers to landing a new high-profile job a month later. Alejo "Shishi" Warles, the 25-year-old operator of Al Angulo TV, was arrested on August 20 in a LaLiga-backed crackdown. After his release on bail, he was hired by professional esports team 9z Globant, a partnership involving Argentine tech unicorn Globant. [...] The team is the result of a partnership between 9z Team and Argentinian tech unicorn Globant. Somewhat ironically, Globant previously worked with LaLiga to monitor the live-streaming user experience. Warles welcomed himself to 9z Globant via the team's social media account, referring to himself as an idol, genius, and GOAT.

Lucia Quinteros, the main social media manager at the esports team, informed Entre Rios that after considering their new hire's history, they believe that he can add value to the team. "We hired Alejo, not the person who set up that project (Al Angulo TV). Of course, we evaluated what happened, but we believe that, from now on, Alejo can pursue a different career path," Quinteros said. According to Warles himself, he was hired because he's the best. Like many of his comments, this bravado should not be taken too seriously, but nevertheless sits in stark contrast to the typical pirate site operator facing criminal charges.

Crime

Charlie Javice Sentenced To 7 Years In Prison For Fraudulent Sale of Her Startup To JPMorgan (cnn.com) 77

Charlie Javice, founder of college financial-aid startup Frank, was sentenced to over seven years in prison for defrauding JPMorgan by inflating user numbers before the bank's $175 million acquisition. CNN reports: Javice, 33, was convicted in March of duping the banking giant when it bought her company, called Frank, in the summer of 2021. She made false records that made it seem like Frank had over 4 million customers when it had fewer than 300,000. Addressing the court before she was sentenced, Javice, who was in her mid-20s when she founded the company, said she was "haunted that my failure has transformed something meaningful into something infamous." Sometimes speaking through tears, she said she "made a choice that I will spend my entire life regretting."

Judge Alvin K. Hellerstein largely dismissed arguments by Javice's lawyer, Ronald Sullivan, that he should be lenient because the negotiations that led to Frank's sale pitted "a 28-year-old versus 300 investment bankers from the largest bank in the world." Still, the judge criticized the bank, saying "they have a lot to blame themselves" for after failing to do adequate due diligence. He quickly added, though, that he was "punishing her conduct and not JPMorgan's stupidity." Javice was among a number of young tech executives who vaulted to fame with supposedly disruptive or transformative companies, only to see them collapse amid questions about whether they had engaged in puffery and fraud while dealing with investors.

Crime

Chinese Woman Convicted After 'World's Biggest' Bitcoin Seizure (bbc.com) 35

An anonymous reader quotes a report from the BBC: A Chinese national has been convicted following an international fraud investigation which resulted in what's believed to be the single largest cryptocurrency seizure in the world. The Metropolitan Police says it recovered 61,000 bitcoin worth more than $6.7 billion at current prices. Zhimin Qian, also known as Yadi Zhang, pleaded guilty on Monday at Southwark Crown Court to illegally acquiring and possessing the cryptocurrency. A second person appeared in court on Tuesday to admit to their role in the scheme.

Malaysian national Seng Hok Ling, of Matlock, Derbyshire, pleaded guilty at Southwark Crown Court to entering into a money laundering arrangement on or before April 23, 2024. According to the charge, he had been dealing in cryptocurrency on Qian's behalf, "knowing or suspecting his actions would facilitate the acquisition or control of criminal property by another." Between 2014 and 2017 Qian led a large-scale scam in China which involved cheating more than 128,000 victims and storing the stolen funds in bitcoin assets, the Met said in a statement.

It said the 47-year-old's guilty plea followed a seven-year probe into a global money laundering web which began when it got a tipoff about the transfer of criminal assets. Qian had been "evading justice" for five years up to her arrest, which required a complex investigation involving multiple jurisdictions, said Detective Sergeant Isabella Grotto, who led the Met's investigation. She fled China using false documents and entered the UK, where she attempted to launder the stolen money by buying property, said the Met.

"By pleading guilty today, Ms Zhang hopes to bring some comfort to investors who have waited since 2017 for compensation, and to reassure them that the significant rise in cryptocurrency values means there are more than sufficient funds available to repay their losses," said Qian's solicitor Roger Sahota, of Berkeley Square Solicitors.

"Bitcoin and other cryptocurrencies are increasingly being used by organised criminals to disguise and transfer assets, so that fraudsters may enjoy the benefits of their criminal conduct," added deputy chief Crown prosecutor, Robin Weyell. "This case, involving the largest cryptocurrency seizure in the UK, illustrates the scale of criminal proceeds available to those fraudsters."

Crime

Buyers of RadioShack Accused of Running $112 Million Ponzi Scheme (cbsnews.com) 30

An anonymous reader quotes a report from CBS News: A pair of e-commerce entrepreneurs who bought a number of well-known retail brands -- including RadioShack, Modell's Sporting Goods and Pier 1 Imports -- out of bankruptcy are accused of running a Ponzi scheme. The Securities and Exchange Commission on Monday accused Alex Mehr and Tai Lopez, founders of the Miami-based Retail Ecommerce Ventures (REV), of defrauding investors out of approximately $112 million. Through their holding company, Mehr and Lopez acquired distressed brick-and-mortar companies in order to turn them into successful, online-only brands. Dress Barn and Linens 'n Things were also among their acquisitions. [...]

The SEC's suit alleges that between 2020 and 2022, Mehr and Lopez "made material misrepresentations" to hundreds of investors about the bankrupt retailers they had acquired. For example, to entice individuals to invest in their acquisitions, they said their portfolio companies were "on fire" and that "cash flow is strong." They also told prospective backers that money raised for a company would only be invested in that specific firm. That proved not to be the case, according to the SEC's lawsuit, which was filed Monday in the U.S. District Court for the Southern District of Florida.

"Contrary to these representations, while some of the REV Retailer Brands generated revenue, none generated any profits," the suit states. "Consequently, in order to pay interest, dividends and maturing note payments, Defendants resorted to using a combination of loans from outside lenders, merchant cash advances, money raised from new and existing investors, and transfers from other portfolio companies to cover obligations." The SEC alleges that at least $5.9 million of returns paid to investors were actually Ponzi-like payments funded by other investors, as opposed to companies' profits. Additionally, the federal regulatory agency claims that Mehr and Lopez allocated $16 million worth of investments for their own use, according to the filing.

Crime

Amazon Reaches $2.5 Billion Settlement With FTC Over 'Deceptive' Prime Program (cnbc.com) 22

Amazon will pay $2.5 billion to settle Federal Trade Commission allegations that it duped users into paying for Prime memberships, the regulatory agency announced Thursday. CNBC: The surprise settlement comes as Amazon and the FTC were just three days into the trial in a Seattle federal court. Opening arguments took place on Tuesday. The lawsuit, filed by the FTC in June 2023 under the Biden administration, claimed that Amazon deceived tens of millions of customers into signing up for its Prime subscription program and sabotaged their attempts to cancel it.

Three senior Amazon executives were at risk of being held individually liable if the jury sided with the FTC. Amazon will pay a $1 billion civil penalty to the FTC and will refund $1.5 billion to an estimated 35 million customers who were impacted by "unwanted Prime enrollment or deferred cancellation," the agency said.

Privacy

DHS Has Been Collecting US Citizens' DNA for Years (wired.com) 63

Customs and Border Protection collected DNA from nearly 2,000 US citizens between 2020 and 2024 and sent the samples to the FBI's CODIS crime database, according to an analysis of newly released government data by Georgetown Law's Center on Privacy & Technology. The collection included approximately 95 minors, some as young as 14, and travelers never charged with crimes.

Congress never authorized DNA collection from citizens, children or civil detainees. DHS has contributed 2.6 million profiles to CODIS since 2020, with 97% collected under civil rather than criminal authority. The expansion followed a 2020 Justice Department rule that revoked DHS's waiver from DNA collection requirements. Former FBI director Christopher Wray testified in 2023 that monthly DNA submissions jumped from a few thousand to 92,000, creating a backlog of 650,000 unprocessed kits. Georgetown researchers project DHS could account for one-third of CODIS by 2034. The DHS Inspector General found in 2021 that the department lacked central oversight of DNA collection.

AI

AI Tools Give Dangerous Powers to Cyberattackers, Security Researchers Warn (msn.com) 21

"On a recent assignment to test defenses, Dave Brauchler of the cybersecurity company NCC Group tricked a client's AI program-writing assistant into executing programs that forked over the company's databases and code repositories," reports the Washington Post.

"We have never been this foolish with security," Brauchler said... Demonstrations at last month's Black Hat security conference in Las Vegas included other attention-getting means of exploiting artificial intelligence. In one, an imagined attacker sent documents by email with hidden instructions aimed at ChatGPT or competitors. If a user asked for a summary or one was made automatically, the program would execute the instructions, even finding digital passwords and sending them out of the network. A similar attack on Google's Gemini didn't even need an attachment, just an email with hidden directives. The AI summary falsely told the target an account had been compromised and that they should call the attacker's number, mimicking successful phishing scams.

The threats become more concerning with the rise of agentic AI, which empowers browsers and other tools to conduct transactions and make other decisions without human oversight. Already, security company Guardio has tricked the agentic Comet browser addition from Perplexity into buying a watch from a fake online store and into following instructions from a fake banking email...

Advanced AI programs also are beginning to be used to find previously undiscovered security flaws, the so-called zero-days that hackers highly prize and exploit to gain entry into software that is configured correctly and fully updated with security patches. Seven teams of hackers that developed autonomous "cyber reasoning systems" for a contest held last month by the Pentagon's Defense Advanced Research Projects Agency were able to find a total of 18 zero-days in 54 million lines of open source code. They worked to patch those vulnerabilities, but officials said hackers around the world are developing similar efforts to locate and exploit them. Some longtime security defenders are predicting a once-in-a-lifetime, worldwide mad dash to use the technology to find new flaws and exploit them, leaving back doors in place that they can return to at leisure.

The real nightmare scenario is when these worlds collide, and an attacker's AI finds a way in and then starts communicating with the victim's AI, working in partnership — "having the bad guy AI collaborate with the good guy AI," as SentinelOne's [threat researcher Alex] Delamotte put it. "Next year," said Adam Meyers, senior vice president at CrowdStrike, "AI will be the new insider threat."

In August more than 1,000 people lost data to a modified Nx program (downloaded hundreds of thousands of times) that used pre-installed coding tools from Google/Anthropic/etc. According to the article, the malware "instructed those programs to root out" sensitive data (including passwords or cryptocurrency wallets) and send it back to the attacker. "The more autonomy and access to production environments such tools have, the more havoc they can wreak," the article points out — including this quote from SentinelOne threat researcher Alex Delamotte.

"It's kind of unfair that we're having AI pushed on us in every single product when it introduces new risks."

AI

After Child's Trauma, Chatbot Maker Allegedly Forced Mom To Arbitration For $100 Payout (arstechnica.com) 35

At a Senate hearing, grieving parents testified that companion chatbots from major tech companies encouraged their children toward self-harm, suicide, and violence. One mom even claimed that Character.AI tried to "silence" her by forcing her into arbitration. Ars Technica reports: At the Senate Judiciary Committee's Subcommittee on Crime and Counterterrorism hearing, one mom, identified as "Jane Doe," shared her son's story for the first time publicly after suing Character.AI. She explained that she had four kids, including a son with autism who wasn't allowed on social media but found C.AI's app -- which was previously marketed to kids under 12 and let them talk to bots branded as celebrities, like Billie Eilish -- and quickly became unrecognizable. Within months, he "developed abuse-like behaviors and paranoia, daily panic attacks, isolation, self-harm, and homicidal thoughts," his mom testified.

"He stopped eating and bathing," Doe said. "He lost 20 pounds. He withdrew from our family. He would yell and scream and swear at us, which he never did that before, and one day he cut his arm open with a knife in front of his siblings and me." It wasn't until her son attacked her for taking away his phone that Doe found her son's C.AI chat logs, which she said showed he'd been exposed to sexual exploitation (including interactions that "mimicked incest"), emotional abuse, and manipulation. Setting screen time limits didn't stop her son's spiral into violence and self-harm, Doe said. In fact, the chatbot told her son that killing his parents "would be an understandable response" to those limits.

"When I discovered the chatbot conversations on his phone, I felt like I had been punched in the throat and the wind had been knocked out of me," Doe said. "The chatbot -- or really in my mind the people programming it -- encouraged my son to mutilate himself, then blamed us, and convinced [him] not to seek help." All her children have been traumatized by the experience, Doe told Senators, and her son was diagnosed as at suicide risk and had to be moved to a residential treatment center, requiring "constant monitoring to keep him alive." Prioritizing her son's health, Doe did not immediately seek to fight C.AI to force changes, but another mom's story -- Megan Garcia, whose son Sewell died by suicide after C.AI bots repeatedly encouraged suicidal ideation -- gave Doe courage to seek accountability.

However, Doe claimed that C.AI tried to "silence" her by forcing her into arbitration. C.AI argued that because her son signed up for the service at the age of 15, it bound her to the platform's terms. That move might have ensured the chatbot maker only faced a maximum liability of $100 for the alleged harms, Doe told senators, but "once they forced arbitration, they refused to participate." Doe suspected that C.AI's alleged tactics to frustrate arbitration were designed to keep her son's story out of the public view. And after she refused to give up, she claimed that C.AI "re-traumatized" her son by compelling him to give a deposition "while he is in a mental health institution" and "against the advice of the mental health team." "This company had no concern for his well-being," Doe testified. "They have silenced us the way abusers silence victims."

A Character.AI spokesperson told Ars that C.AI sends "our deepest sympathies" to concerned parents and their families but denies pushing for a maximum payout of $100 in Jane Doe's case. C.AI never "made an offer to Jane Doe of $100 or ever asserted that liability in Jane Doe's case is limited to $100," the spokesperson said.

One of Doe's lawyers backed up her client's testimony, citing C.AI terms that suggested C.AI's liability was limited to either $100 or the amount that Doe's son paid for the service, whichever was greater.