DEV Community: mrtd

Weaponized DMCA: How Fake Copyright Strikes Bury Competitors in Google — and How to Fight Back

mrtd — Fri, 19 Jun 2026 00:04:03 +0000

Originally published on MRTD.NET — fast, sourced news on crypto security, cyber & SEO.

A takedown that proved the point

In April 2026, someone filed a bogus copyright complaint to bury a Press Gazette investigation into Clickout Media — a firm reported to be buying up news brands, swapping staff for AI, and stuffing the sites with offshore-gambling affiliate links. The DMCA notice falsely claimed the original reporting had copied an unrelated article. Google removed the story from search before adjudicating anything; a Search Engine Land follow-up got delisted too. Both were reinstated about two weeks later after counter-notices, but the lesson landed: a single piece of paper can knock a competitor off Google for days, no court and no evidence required (Techdirt).

How a DMCA notice actually hits your rankings

There are two distinct mechanisms, and conflating them fuels a lot of bad SEO advice:

URL delisting. A single facially valid notice removes the specific URL(s) from Google Search. Google acts on the paperwork, not a ruling — verification effectively happens after removal. That ordering is exactly what makes the system abusable.
Site-wide demotion. Since the 2012 "Pirate Update," Google has used the volume of valid removal notices as a ranking signal: "If we receive multiple valid removal notices for a site, the entire site may be downgraded in Search results" (Search Engine Land).

If you're hit, it surfaces in Search Console as a "Notice of DMCA removal" — not a manual action, not a security issue, which is why owners often miss it.

The "18-month penalty" is a myth

A claim circulating in SEO circles says mass DMCA complaints trigger a fixed ~18-month algorithmic filter. We could find no evidence for it — not from Google, Search Engine Land, TorrentFreak, or court filings. Google's own description is the opposite of a fixed sentence: the copyright demotion is a periodically re-checked, decaying signal that eases as a site's valid-notice volume falls. There's no published clock. Treat "18 months" as folklore, not a mechanism.

Why it's abused — and what it costs the abuser

Because removal precedes verification, "spray a pile of notices" is a real tactic, not a hypothetical: TorrentFreak has documented mass bogus notices impersonating well-known brands to knock out legitimate tools. There's also a murkier "takedown-as-a-service" market — though the specific pricing and volume figures floating around trace to single trade-press sources and should be taken as illustrative, not gospel.

Filing a knowingly false notice is not free of risk. Under 17 U.S.C. §512(f), anyone who knowingly misrepresents that material is infringing is liable for damages and attorneys' fees. Courts have enforced it — Online Policy Group v. Diebold (2004) cost Diebold $125,000, and Automattic v. Steiner (2014) produced a ~$25,000 judgment for a fraudulent takedown. The catch: §512(f) wins are rare. Courts require subjective bad faith (Rossi, Lenz), so honest-mistake filers usually walk. It's a real deterrent, but a limited one.

If you're hit: the defense playbook

Catch it early. Watch Search Console for "Notice of DMCA removal," set alerts on sudden traffic/ranking drops, and search the Lumen Database (Harvard) — where Google deposits notices — for the complaint text and the (often anonymous or foreign) filer.
File a counter-notification via Google's official form, asserting a good-faith belief the removal was mistaken. If no lawsuit follows, content is typically reinstated in ~10–14 business days.
Document everything: authorship and publication proof (drafts, originals, archive.org captures), the Lumen copy of the notice, and your traffic/ranking loss.
Escalate to your host, registrar, and Google with proof of original authorship — Google can and does decline clearly non-infringing URLs.
Weigh §512(f) action or a demand letter where bad faith is provable.
Go public. Reporting egregious abuse to outlets like TorrentFreak, Techdirt or the EFF has reversed bogus takedowns through pressure alone.

The takeaway

Weaponized DMCA works because of a structural choice — remove first, verify later — not because of a secret penalty timer. Knowing the real mechanics (URL delisting vs. demotion signal), ignoring the folklore, and having a counter-notice + documentation drill ready is the difference between a two-week dip and a permanent one. Monitor Lumen, watch Search Console, and keep your authorship trail.

Informational only — not legal advice. Consult a qualified attorney for your situation.

UXLINK Exploiter Routes 8,340 ETH Through Tornado Cash as $44M Haul Is Laundered

mrtd — Fri, 19 Jun 2026 00:03:57 +0000

Originally published on MRTD.NET — fast, sourced news on crypto security, cyber & SEO.

What's happening now

The wallet attributed to the UXLINK exploiter has resumed moving its haul. On June 17, 2026, the address swapped roughly 14.6 million DAI for about 8,298.6 ETH, then deposited 8,340 ETH into Tornado Cash, according to on-chain alerts from PeckShield and corroborating reporting from The Crypto Times and FX Daily Report.

The Tornado Cash deposits were broken into uneven tranches — amounts like 100 ETH, 10 ETH and 2.6458848 ETH — a routine obfuscation pattern meant to frustrate clustering. The same wallet also bridged about 2.64 ETH (~$4,600) from Ethereum to a Bitcoin address. Even after this round, blockchain trackers say the wallet still holds roughly 10.54 million DAI that has not moved — a large, fully traceable balance sitting in the open.

Background, in brief

UXLINK, a Web3 social protocol, disclosed a security breach on September 22, 2025, tied to a compromise of its administrative multisig. Headline loss estimates have clustered around $44 million, though component figures vary across outlets and were never fully reconciled. Early attribution and forensic tracking came from SlowMist and PeckShield. This article does not detail how the breach was carried out; our focus is the public, on-chain movement of the already-stolen funds.

The Tornado Cash factor

Why route through Tornado Cash now? Because the legal calculus changed. OFAC delisted Tornado Cash from the SDN list on March 21, 2025, following the Fifth Circuit's Van Loon v. Treasury ruling that its immutable smart contracts are not sanctionable "property." In April 2025, a federal judge in the Western District of Texas issued a permanent injunction barring OFAC from re-sanctioning the protocol (CoinDesk).

That means simply using the mixer is no longer an OFAC violation per se — which is precisely why exploiters can now route funds through it with less friction. The caveats matter, though: laundering criminal proceeds remains illegal regardless, co-founder Roman Semenov is still individually SDN-listed, and developer Roman Storm's criminal case continued into 2026 (CoinDesk). Delisting the tool did not decriminalize what it's being used for.

A months-long laundering pattern

This is not a one-off. Trackers have watched the same wallet alternate between ETH and stablecoins for months. Back around March 20, 2026, it ran the opposite leg — swapping 5,496 ETH for roughly 11 million DAI, with Lookonchain estimating about $935,000 in trading profit on that move alone (The Crypto Times). The pattern — park value in DAI when ETH looks rich, rotate back to ETH before mixing — suggests an actor managing the haul actively rather than dumping it.

What UXLINK has done

In the aftermath, UXLINK coordinated with centralized exchanges and law enforcement across Singapore, South Korea and Japan to flag and freeze suspicious transfers, recovering a portion of the assets. The project ran a two-phase user-compensation plan and executed a first token buyback in October 2025 using recovered funds. There is no reported freeze or seizure of the specific ETH now headed into Tornado Cash, and no public negotiation with the attacker.

The takeaway

Two lessons stand out. For projects: an admin multisig is critical infrastructure — signer hygiene, hardware isolation and spending limits are not optional once a treasury or mint authority is attached. For the ecosystem: tracing still works. The funds are labeled, followed and reported in near-real-time; ~$10.5M of the haul remains frozen-in-place by visibility alone. What the mixer delisting changed is the exit — the off-ramp is now legally cleaner, which shifts more of the deterrence burden onto exchanges and on-chain analytics rather than sanctions designations.

See this incident alongside other 2026 exploits in our Crypto Hack Tracker.

Informational only — not financial or security advice. Figures are based on third-party on-chain analytics and may be revised.

How to Actually Protect Your Crypto: 9 Lessons From the Hacks We Cover

mrtd — Thu, 18 Jun 2026 10:44:35 +0000

Originally published on MRTD.NET — fast, sourced news on crypto security, cyber & SEO.

We cover crypto-security incidents every week, and after enough post-mortems a pattern emerges: the losses are rarely exotic. The same handful of mistakes show up again and again. Here is a practical defense checklist drawn straight from the cases we've reported — no hype, just what actually moves the needle.

1. Treat your seed phrase as the whole game

A hardware wallet never asks for your seed phrase on a website. The biggest retail losses start with a phished seed or a fake "wallet validation" page. If anything — an app, a support agent, a pop-up — asks you to type your 12/24 words, it is a scam. Store the phrase offline, never as a photo or cloud note.

2. Audit your token approvals

Many drains don't steal your keys — they abuse an approval (allowance) you granted a contract long ago. A buggy or abandoned contract you once approved is a standing door into your wallet. Periodically review and revoke allowances (tools like revoke.cash make this easy), especially for routers and bridges you no longer use.

3. "Deprecated" is not "safe" — withdraw from dead protocols

The Aztec Connect drain of ~$2.19M happened three years after the product shut down, because the immutable contract still held residual funds with no team to pause it. Treat any shutdown announcement as a deadline: withdraw your balance and revoke approvals before you forget.

4. Be paranoid around security disclosures and "urgent updates"

Scammers ride the news cycle. After any legitimate disclosure, expect fake "firmware update" or "migrate your funds now" messages. Update wallet firmware only inside the official app, bookmark official sites, and distrust urgency.

5. Avoid thin-liquidity tokens

Most retail blow-ups happen in low-liquidity altcoins and freshly minted "mining" tokens that are trivial to manipulate. There's a reason Russia's regulator restricted retail investors to just BTC, ETH and USDT — depth is protection. The deeper and more boring the market, the harder you are to rug.

6. Assume romance/investment "opportunities" are scams

The industrial "pig-butchering" networks behind the largest-ever $15B bitcoin seizure and the Disruption Week takedown all run the same playbook: a friendly stranger, a slow build, a fake platform showing fake gains. If someone you met online is guiding your crypto investing, you are the target.

7. Lock down your accounts AND your registrar

Account security isn't just 2FA. The GoDaddy case showed a domain moving despite 2FA and a transfer lock — because the registrar's support desk operated above the customer's settings. For anything critical (exchange logins, your domain, email), use phishing-resistant 2FA (a passkey or hardware key, not SMS) and a registry-level lock on key domains.

8. The money rarely comes back — prevention is the whole strategy

Across enforcement actions, recovered funds are a tiny fraction of what's stolen; mixers and cross-chain bridges move proceeds faster than freezes land. Don't rely on getting hacked funds back. The defense is not falling for it in the first place.

9. Verify before you trust a "no admin keys" claim

"Fully decentralized, no admin keys" is marketed as safety, but it can also mean no one can stop an exploit either. Immutability cuts both ways. For any protocol holding your funds, look for real audits, a live bug bounty, and a track record — not just a slogan.

None of this is complicated, and that's the point. The exotic-sounding hacks we write up almost always reduce to one of these nine failures. Get them right and you've eliminated the vast majority of how people actually lose crypto.

We turn every incident into lessons like these. Follow @mrtdnet on Telegram for the next one.

Russia Will Let Retail Investors Hold Just 3 Cryptos — BTC, ETH, USDT — From July 2026

mrtd — Thu, 18 Jun 2026 06:33:30 +0000

Originally published on MRTD.NET — fast, sourced news on crypto security, cyber & SEO.

Russia is about to do something most crypto-friendly framings avoid saying out loud: tell ordinary investors exactly which coins they are allowed to own. From July 1, 2026, non-qualified retail investors in Russia will be permitted to trade just three digital assets — Bitcoin, Ethereum, and USDT — under the country's incoming "On Digital Currency and Digital Rights" law. First Deputy Governor Vladimir Chistyukhin laid out the framework in early June and pointedly tamped down hopes of near-term additions.

What the rules actually say

Three constraints define the retail regime, per reporting from Crypto Briefing and others:

A three-asset allowlist. Bitcoin, Ethereum and USDT are in. Everything else — Solana, XRP, Cardano, the long tail — is off-limits to ordinary investors unless they qualify as "professional."
A hard spending cap. Retail buyers face an annual limit of about 300,000 rubles (~$4,000) on crypto bought through brokers.
Mandatory risk testing. All investors, qualified or not, must pass a risk-awareness test before trading.

This is not a ban — Russia is building a regulated on-ramp — but it is a tightly fenced one.

In, out, and the "professional" escape hatch

The split is stark. Out of the 10,000-plus tokens that trade somewhere on the market, Russia's retail allowlist is exactly three — about 0.03% of available assets. Yet those three carry the overwhelming majority of real liquidity: Bitcoin and Ethereum together account for roughly two-thirds of total crypto market capitalization, and USDT is the stablecoin that settles the bulk of global crypto trading pairs.

The notable omission is XRP — despite its large market cap and active community, it did not make the cut, a reminder that "big" and "liquid/regulator-approved" are not the same thing. Anything beyond the three requires clearing the professional-investor bar, which is precisely the gate that keeps the retail majority inside the fence.

The logic, and the signal

The central bank's stated rationale is liquidity and risk: restrict newcomers to the deepest, hardest-to-manipulate markets, cap their exposure, and make them acknowledge the risk in writing. Whatever one thinks of the paternalism, the mechanism is coherent — thin-liquidity altcoins are where retail investors get hurt most.

The more interesting question is whether this becomes a template. Russia is effectively treating retail crypto like a regulated securities product: an approved-instrument list, position caps, and suitability testing. That is a very different model from the US "regulation by enforcement" approach or the EU's MiCA licensing regime. An explicit, short allowlist is simple to administer and easy for other risk-averse regulators to copy — and it quietly concentrates legitimacy in BTC, ETH, and the dominant stablecoin while sidelining everything else.

Bottom line

For Russian retail, the practical effect from July 2026 is narrow: three coins, a ~$4,000 yearly cap, and a test. For the wider market, the signal is bigger. When a G20 central bank writes down a three-name allowlist, it is making a statement about which crypto assets it considers real enough to let citizens touch — and which it does not. Expect the "approved list" model to come up elsewhere.

We track crypto policy alongside the hacks. Have detail on the final rule text? Reach us via @mrtdnet on Telegram.

llms.txt Reality Check: ~10% of Sites Have It, AI Search Engines Almost Never Read It

mrtd — Thu, 18 Jun 2026 01:59:23 +0000

Originally published on MRTD.NET — fast, sourced news on crypto security, cyber & SEO.

If you run a site, you have probably been told to add an llms.txt file — a plain-text, Markdown "map" that tells large language models which pages matter and how your content is structured. The pitch is tidy: help the AIs understand you, and get cited more. After eighteen months of that pitch, the data is in, and it is unkind. For AI search, llms.txt does close to nothing. For developer tooling, it quietly does something real. Knowing the difference saves you time.

What it is supposed to do

Proposed in 2024 (by Answer.AI's Jeremy Howard), llms.txt lives at your domain root, like robots.txt, but aimed at language models: a curated, Markdown index of your key URLs and summaries so a model doesn't have to wade through your HTML and navigation. Reasonable idea. The question was always whether anyone on the consuming side would actually use it.

The adoption numbers tell the story

Two figures, side by side, settle most of the debate:

Adoption is real-ish. An SE Ranking study of 300,000 domains found a 10.13% adoption rate — roughly one in ten sites now ship an llms.txt.
Usage is not. In one analysis of over 500 million AI-bot visits across 90 days, only 408 requests targeted llms.txt directly. That is on the order of eight ten-thousandths of one percent of AI-crawler traffic — statistically zero. GPTBot, ClaudeBot, PerplexityBot, OAI-SearchBot and Google-Extended overwhelmingly skip the file and crawl your HTML like always.

One in ten sites publish it; about one in a million bot visits read it. That gap is the whole point.

Google — and everyone else — said no

This is not ambiguity. In July 2025, Google's Gary Illyes said Google does not support llms.txt and has no plans to; John Mueller publicly compared it to the long-discredited keywords meta tag (Search Engine Roundtable). Google noted the file even appeared to be supported only because an internal CMS had added it and some teams never removed it. As of mid-2026, having an llms.txt does not measurably improve your odds of being cited by ChatGPT, Claude, Gemini, or Perplexity in their answer surfaces. There is no standard, no enforcement, and no adoption from OpenAI, Google, Anthropic, Meta, or Mistral on the search side.

Where it actually helps: developer tooling

Here is the nuance the "it's dead" takes miss. Agentic developer tools do fetch it. Cursor, Claude Code, GitHub Copilot, Windsurf, MCP servers, and a growing set of in-product AI assistants pull llms.txt to orient themselves in a codebase or a documentation site. If you run docs, an API, or a developer product, an llms.txt (and an llms-full.txt) genuinely helps coding agents and doc assistants use you correctly. That is a real, narrow, non-SEO benefit.

Our take

Full disclosure: we publish one at mrtd.net/llms.txt. We keep it because it is cheap, it is honest documentation of our structure, and the developer-tooling use is legitimate — not because we expect it to win us AI citations. If your goal is to be cited by AI search, your time is far better spent on the things that demonstrably move the needle: clean, extractable HTML; clear structured data; verifiable facts with sources; and being a primary reference others link to.

Bottom line: llms.txt is not a scam and not a ranking hack. It is useful documentation for agents and a no-op for AI search. Ship one if you serve developers; don't expect it to do anything for your citations.

We cover SEO and GEO with sources and skepticism. Disagree, or have fresher data? Reach us via @mrtdnet on Telegram.

GoDaddy Handed a 27-Year-Old Domain to a Stranger — Despite 2FA and a Domain Lock

mrtd — Thu, 18 Jun 2026 01:07:20 +0000

Originally published on MRTD.NET — fast, sourced news on crypto security, cyber & SEO.

Domain security advice usually stops at "turn on two-factor authentication and a transfer lock." A recent GoDaddy incident is a blunt reminder that those controls protect you from outsiders — and do nothing about the one party that can move your domain with a few clicks: the registrar itself.

What happened

As reported by The Register and others, a Lancaster, PA nonprofit's main domain — in continuous use for 27 years — was transferred out of its account and into a stranger's, roughly 2,000 miles away, in a matter of minutes. By the early afternoon the domain sat in the wrong account and its DNS records were wiped, knocking the organization's website and email offline.

The cause was almost absurdly mundane. An executive assistant named Susan had asked GoDaddy support to help recover an unrelated domain. Her email signature happened to contain a subdomain of the nonprofit's address. A GoDaddy agent reportedly read the parent domain off that signature, decided it was the one she meant, and queued it for transfer to her account — no ownership check, no documentation. GoDaddy then "considered the matter closed." The link Susan was later sent to upload supporting documents expired before she could even use it.

The security that didn't matter

Here is the part worth dwelling on. The victim's account was not poorly secured. It had dual two-factor authentication — both an email code and an authenticator-app code required to log in — and the domain had ownership/transfer protection enabled. Every control the security checklists tell you to turn on was on.

None of it mattered, because the transfer never went through the front door. It went through GoDaddy's internal support tooling, which operates above the customer's own security settings. 2FA stops someone from logging into your account. It does nothing when an agent moves your asset from the inside. The lesson is uncomfortable: for a domain, your registrar's support process is part of your attack surface — arguably the weakest part — and you don't control it.

The recovery was the second disaster

Getting it back was its own ordeal. The nonprofit's IT firm reportedly made 32 calls, spent about 9.6 hours on hold, and sent 17 emails over four days, receiving a fresh case number each time and not a single callback. In the end, the stranger — Susan — had to call GoDaddy herself to reverse it. An accidental, unverified transfer took minutes to execute and days of escalation to undo.

The real lesson: treat your domain as critical infrastructure

A domain is not just a setting; it is the root of your website, your email, and often your identity and password resets. Protect it accordingly:

Set a Registry Lock, not just a registrar lock, for high-value domains. A true registry-level lock (EPP serverTransferProhibited / serverUpdateProhibited) requires out-of-band, multi-person authorization to change — it is designed precisely to stop a single support agent or a single compromised account from moving a domain.
Use a registrar that matches the stakes. Budget registrars optimize for volume and fast support actions. Critical domains belong at registrars with strict, documented verification and enterprise/registry-lock options.
Monitor your own DNS and WHOIS. Set alerts for nameserver, registrant, or DNS-record changes so an unauthorized move is caught in minutes, not when email stops.
Have a written recovery runbook — registrar abuse/legal contacts, proof-of-ownership documents pre-assembled, and an escalation path — before you need it. The time to find the emergency contact is not during the outage.

Bottom line

You can do everything right — 2FA, locks, a clean account — and still lose your domain to a tired support agent reading the wrong line of an email signature. The defenses that actually address that failure mode are registry locks and choosing a registrar whose process you trust, not another toggle inside an account that the registrar can reach around at will.

We cover the unglamorous infrastructure risks too. Have a registrar horror story or correction? Reach us via @mrtdnet on Telegram.

Reddit Dominates AI-Search Citations — But 2025 Showed How Fast That Can Crater

mrtd — Thu, 18 Jun 2026 00:12:25 +0000

Originally published on MRTD.NET — fast, sourced news on crypto security, cyber & SEO.

If you optimize for the AI answer engines — ChatGPT, Perplexity, Google's AI Overviews — you have heard the advice: get on Reddit. The data behind that advice is real, but it is also more fragile than the headline suggests. Reddit's grip on AI citations is enormous, largely invisible, and — as 2025 proved — alarmingly unstable.

Reddit really is everywhere in AI answers

The dominance is not a vibe. Across recent studies, Reddit shows up in roughly 93% of AI-search opportunities, with on the order of 23.6 million pages cited in AI responses (ZipTie). It is the single most-cited source for both Google AI Overviews (~2.2%) and Perplexity (~6.6%) of all citations. The structural reasons are obvious: public indexing, a Google content-licensing deal, mature moderation, and thousands of specialized subreddits that read like exactly the long-tail Q&A these models crave.

...but most of that influence is invisible

Here is the twist operators miss. On ChatGPT, Reddit reportedly occupies about 27% of search slots — the pages the model reads — yet appears in only about 0.35% of the citations actually shown to users (Discovered Labs). Do the division: visible citations are roughly 1.3% of the underlying usage, meaning something like 98–99% of Reddit's influence never surfaces as a clickable link. Reddit is shaping the answer far more than it is sending you the referral. For comparison, Google surfaces Reddit to users about 6x more often (≈2.11%) than ChatGPT does.

That gap matters: a platform can be the backbone of an AI's answer while sending almost no measurable traffic. Optimizing for "citations you can see" badly understates — and misreads — what is actually driving the model.

Then 2025 happened

The case against betting everything on one platform is the volatility itself. By the accounts compiled above, ChatGPT cited Reddit in close to 60% of prompt responses in early August 2025, then collapsed to around 10% by mid-September — roughly an 83% drop in six weeks, with no public explanation. Separately, after Reddit sued Perplexity over scraping in October 2025, Perplexity's Reddit citations reportedly fell about 86%, with YouTube partially filling the gap.

Two of the biggest answer engines, two double-digit-to-single-digit collapses, in one quarter. Whatever the causes — model updates, licensing friction, litigation — the lesson is that AI citation share is not a durable asset you own. It is rented, and the terms change without notice.

What site owners should actually do

Don't build your AI-visibility strategy on a single platform. Reddit's structural edge is real, but a strategy that depends on one source's citation rate is one model update away from a cliff.
Be the primary source, not just a Reddit comment. The durable play is original, citable material on a domain you control — clear claims, verifiable numbers, named authorship — so that when an engine wants a fact, you are the canonical reference. (That is the entire thesis of GEO.)
Measure usage, not just visible citations. If you only track the links users see, you will undervalue channels that the model reads but rarely surfaces — and over-rotate toward the wrong work.
Diversify your footprint. Reddit, yes — but also Stack Exchange-style Q&A, your own indexed content, and structured pages that are easy for a model to extract.

Bottom line

Reddit dominates AI-search sourcing, and ignoring it would be a mistake. But 2025 showed that citation share is volatile, mostly invisible, and outside your control. Treat platforms as amplifiers, not foundations — and put the foundation on content you actually own.

We cover SEO and GEO with the same sourcing discipline we apply to crypto incidents. Questions or data to share? Reach us via @mrtdnet on Telegram.

Meta Hid a Face-ID System in Its Smart-Glasses App, Then Deleted It a Day After WIRED Found It

mrtd — Thu, 18 Jun 2026 00:10:16 +0000

Originally published on MRTD.NET — fast, sourced news on crypto security, cyber & SEO.

A privacy fight that played out in roughly 24 hours says a lot about where always-on wearables are headed. On June 4, 2026, WIRED reported that Meta's AI companion app — the one that pairs with its Ray-Ban smart glasses — contained a hidden, dormant facial-recognition feature internally called "NameTag." By June 5, Meta had stripped the code out. The speed of the deletion is the tell.

What was actually in the app

According to the reporting (EFF, The Next Web, Gizmodo), researchers found more than a stray reference. NameTag reportedly included face-detection models, biometric matching tools, local databases, and alerting — the components of a working system to identify a person seen through the glasses in real time. Crucially, this code shipped inside an app that has been downloaded onto more than 50 million devices.

Meta's defense, delivered loudly, is that the feature was never enabled and was "exploratory." A company spokesman accused WIRED of burying that detail. Both things can be true at once: the feature was off, and it was built, packaged, and distributed at scale.

Why "dormant" is not "harmless"

The instinct to wave this away — "it wasn't even turned on" — misses how software risk works. A capability that is fully built and shipped is one configuration flag away from being live. The hard engineering — the models, the matching pipeline, the local store — is the part that takes months. Toggling it on is the easy part.

So the meaningful facts are: the system existed, it was complete enough to run, and it was inside 50 million installs. That it was disabled is a policy choice, and policy choices are reversible without warning. The 24-hour delete after public exposure underlines the point — this was governed by reputational pressure, not by a technical impossibility.

The real problem: bystanders can't consent

Set aside the corporate back-and-forth and the core issue is structural. Face-ID built into camera glasses breaks the one privacy principle that matters most in public space: consent. The wearer might agree to terms; the stranger on the sidewalk who gets silently identified, named, and looked up never did — and usually has no idea it happened. Privacy advocates have made this argument for years, and it is exactly why a latent NameTag alarmed people more than a clearly-labeled feature would: covert identification removes the bystander's ability to even object.

This is not hypothetical. In 2024, students demonstrated that off-the-shelf Meta glasses plus public face-search tools could de-anonymize strangers in real time. NameTag would have folded that capability into the official app.

Bottom line

Meta deleted the code, and the EFF and others fairly called it a win — public scrutiny worked. But the durable lesson is not "Meta backed down." It is that the surveillance capability is being quietly built into mainstream consumer hardware, switched off by policy rather than absent by design. For anyone thinking about privacy in public, the question is no longer whether the glasses can identify you — increasingly they can — but who gets to flip the switch, and whether you will ever be told when they do.

Covering privacy and surveillance tech — corrections or tips welcome via @mrtdnet on Telegram.

AI-Search Visibility Data: Classic SEO Still Predicts Citations, But Most Live Off the Map

mrtd — Wed, 17 Jun 2026 23:52:22 +0000

Originally published on MRTD.NET — fast, sourced news on crypto security, cyber & SEO.

The finding: SEO helps, but most citations live off the traditional map

A wave of 2026 vendor research keeps landing on the same uncomfortable pair of facts. Strong classic SEO still raises your odds of being cited by an LLM — and most of what LLMs actually recommend never shows up in a traditional rank tracker. A directional analysis circulated at roughly 29,562 domains echoes earlier work by Kevin Indig, whose study of ~98,000 citation rows from ~1.2M ChatGPT responses found that ranking #1 in Google correlates strongly with being cited: 43.2% of top-ranking pages were cited, versus far lower rates beyond position 20.

The catch is concentration and invisibility. In that same dataset, the top 30 domains captured 67% of citations within a topic, and ChatGPT retrieved roughly 6x more pages than it cited — about 85% of retrieved pages were never cited. Separately, The Digital Bloom reports that ~80% of ChatGPT-cited URLs don't rank in Google's top 100 for the same query. Both can be true: page-level relevance lifts your odds, while a long tail of citations comes from forums and community threads that classic metrics never measured.

Domain authority is not the signal people think it is

This is where the nuance bites. Page-level ranking helps, but domain-level authority scores largely don't. Search Atlas's correlation analysis across 21,767 domains found Domain Authority barely moves AI visibility — ChatGPT r ≈ −0.12, Perplexity r ≈ −0.18, Gemini r ≈ −0.09. Treat the exact coefficients as single-study, directional figures, but the direction matches a broader pattern: brand mentions and topical coverage now out-predict backlink-derived authority.

What controlled experiments actually killed

The most useful 2026 work is the experiments that failed. In OtterlyAI's Markdown-vs-HTML test, .md mirrors of live pages — given equal footer-link discovery — drew 0% of AI-bot visits and zero citations over 14 days, while HTML versions pulled 7.4% of bot traffic and were the only format cited. The same body of work found llms.txt drew ~0.1% of AI-bot traffic, performing roughly 3x worse than an average content page. Search Engine Land's review reaches the same verdict: there is no evidence llms.txt boosts inclusion, and several schema-markup "wins" survive only as correlations with plausible rival explanations.

What the data suggests actually works

Be indexed by Bing. ChatGPT discovers candidate pages via the Bing index, and Seer Interactive's audit found ~87% of SearchGPT citations match Bing's top results. Submitting via IndexNow accelerates discovery — a low-cost, high-leverage prerequisite.
Ship reference-grade, extractable HTML. Citations cluster in the upper sections of long-form pages (Indig found the 10–20% band performs best; 5,000–10,000-character pages earn the most). Quotable, self-contained passages beat clever formatting tricks.
Earn entity and brand coverage. Broad topical clusters and brand mentions correlate with citation more than isolated keyword pages.
Show up where LLMs read. OtterlyAI's AI Citation Economy report (1M+ citations) puts community platforms at 52.5% of citations, with Reddit the single most-cited domain across ChatGPT, Perplexity and AI Overviews. Reddit's question-and-thread structure maps cleanly onto long-tail intent, which is why it over-indexes.
Keep content fresh. Recency is the recommendation with the strongest evidence base for time-sensitive queries.

What is hype

Markdown mirrors, llms.txt files, and "chunking" your pages for crawlers are, on current evidence, near-zero-yield. Schema markup may help indexing hygiene but should not be sold as a direct citation lever. And any single vendor's correlation coefficient — including the 29,562-domain figure — is directional, not gospel; most of this research is observational, platform-specific, and shifts month to month.

Bottom line

GEO/AEO is not a replacement for SEO; it's SEO with a different distribution. Get into Bing, write citable HTML, build entity depth, and earn presence on the community sites LLMs trust. Then measure per platform — ChatGPT, Perplexity and AI Overviews overlap on as little as 11% of cited sources — because a win on one engine tells you little about the others.

DIP Protocol Drained for ~$111K on BNB Chain in Reserve-Skim Exploit

mrtd — Wed, 17 Jun 2026 23:52:17 +0000

Originally published on MRTD.NET — fast, sourced news on crypto security, cyber & SEO.

On June 17, 2026, the BNB Chain DeFi project DIP Protocol was drained of an estimated $111,000, according to initial incident reports. The attacker reportedly abused a flaw in how the protocol accounted for pool reserves during token transfers — a skim-style routine that could be made to double-count reserves, letting the attacker withdraw more value than they were entitled to.

We are still verifying the on-chain specifics (transaction hashes and the attacker address) against block-explorer data and will update this page with the confirmed trail. What follows is an explanation of the class of vulnerability, which is well understood and recurs across automated-market-maker (AMM) style contracts.

What a "reserve skim" bug actually is

AMM pools track internal reserves — the contract's own record of how many tokens it holds. Many pools also expose a skim() function: a maintenance routine that pushes out any tokens sent to the contract above the recorded reserves, so the accounting stays consistent.

The danger appears when the balance check and the reserve update get out of sync. If a router or transfer path lets a caller trigger an accounting update before the contract reconciles its true token balance, the same surplus can be counted twice — once by the pool's internal math and once by the attacker who skims it out. Repeat that in a loop and the pool bleeds value with every iteration.

This is a cousin of the classic re-entrancy and fee-on-transfer mismatch bugs: the contract trusts a number it should have re-derived from balanceOf at the moment of truth.

Why it keeps happening

Three recurring reasons:

Composability. Pools are called by routers, which are called by aggregators. Each hop is an opportunity for the reserve and the real balance to diverge.
Fee-on-transfer and rebasing tokens. Any token whose transferred amount differs from the requested amount breaks naive reserve math unless the contract measures balances before and after.
Copy-paste forks. A subtle fix in an upstream AMM often never reaches the dozens of forks that inherited the original bug.

How protocols defend against it

Measure, don't assume. Re-read balanceOf(address(this)) and compute deltas at the moment of settlement rather than trusting cached reserves.
Check-effects-interactions and re-entrancy guards on every state-changing path, including skim and sync.
Invariant tests and fuzzing that assert reserves can never exceed real balances after any sequence of calls.
Independent audits plus a live bug bounty sized to the TVL at risk — a five-figure bounty rarely outbids a six-figure exploit.

What to watch next

The immediate questions are whether DIP Protocol can negotiate a return of funds (increasingly common via on-chain messages to the attacker), whether a single audited dependency is implicated, and whether other forks of the same pool code are exposed. We will track the attacker address once confirmed and update the incident facts above.

Have details on this incident, including transaction hashes or the official post-mortem? Reach the desk via @mrtdnet on Telegram.

Crawl Budget Reclamation: What It Is, Who Needs It, and the Pruning Playbook

mrtd — Wed, 17 Jun 2026 23:36:08 +0000

Originally published on MRTD.NET — fast, sourced news on crypto security, cyber & SEO.

What crawl budget actually is

Google defines crawl budget as "the set of URLs that Googlebot can and wants to crawl," governed by two levers in its Large Site Owner's Guide to Managing Crawl Budget. The first is the crawl capacity limit — the maximum simultaneous connections Googlebot will open and the delay between fetches, tuned so it doesn't overload your origin. The second is crawl demand, Google's appetite for your URLs based on perceived inventory, popularity, and content staleness.

The practical takeaway is that crawl budget is not a fixed daily quota you "spend." It is a negotiated equilibrium: a faster, healthier server raises the ceiling, and more valuable, fresher content raises demand. Google states the only durable ways to increase it are to "increase your serving capacity" and, more importantly, "increase the value of the content on your site."

Who it actually matters for

This is where most coverage overreaches. Google is explicit that crawl budget is a concern for a narrow band of sites: those with 1M+ unique pages updating moderately often, 10k+ pages with daily-changing content, or any site showing a large share of URLs stuck as "Discovered – currently not indexed" in Search Console. The documentation opens with a blunt disclaimer: "If your site doesn't have a large number of pages that change rapidly, or if your pages seem to be crawled the same day they are published, you don't need to read this guide."

For most small and mid-size sites, an accurate sitemap and periodic index-coverage checks are sufficient. Spending engineering hours chasing crawl budget on a 400-page brochure site is misallocated effort.

The real crawl-budget killers

The waste, when it exists, is structural. The recurring offenders are faceted navigation and URL parameters that multiply near-duplicate combinations (Google's faceted navigation guidance covers this directly), infinite spaces like unbounded calendars or filter chains, soft 404s that return 200 for missing content, duplicate and thin pages, long redirect chains, and slow server responses that throttle the capacity limit. One practitioner case study reported Googlebot spending ~70% of its crawl on parameterized filter URLs at a single ecommerce retailer — illustrative, but a one-site anecdote, not the industry-wide "~60% wasted" rule it's sometimes quoted as.

The reclamation playbook

Google's own best practices form a concrete, defensible sequence:

Consolidate duplicates — canonicalize variants and merge thin pages rather than letting parameter permutations sprawl.
Block unimportant URLs with robots.txt — not noindex. This is a subtle but critical point many "noindex the junk" recommendations get wrong: a noindex page must still be crawled to read the tag, so it keeps consuming crawl. Robots.txt is the correct tool when the goal is to stop crawling entirely.
Return 404/410 for permanently removed pages and eliminate soft 404s so Googlebot stops re-requesting dead URLs.
Keep sitemaps current with accurate <lastmod> values, and mirror your important internal links so discovery doesn't depend on the sitemap alone.
Speed up the origin. Faster responses directly raise the crawl capacity limit.

On that +67%: a case study, not a formula

The widely shared +67% figure comes from a practitioner case study of a B2B SaaS site that deleted 400 of 550 blog posts — those with zero organic traffic in twelve months and no backlinks — and recorded a 67% organic lift by month four. Treat this as reported, not guaranteed. The confound is obvious: removing 73% of low-quality content simultaneously improves perceived domain quality, internal-link equity, and topical focus. Isolating "freed crawl budget" as the cause is not possible from the data, and the same intervention on a different site could just as easily lose traffic if pruning catches pages with latent value.

Critically, Google's documentation makes no claim that crawl budget directly improves rankings or traffic. Reclamation is a hygiene and efficiency discipline — get your best pages crawled sooner and re-crawled more reliably — not a growth lever. Audit before you cut, and prune for quality, not for a number.

'Disruption Week': 1.4M Scam Accounts Killed, but Only ~$3.8M in Crypto Frozen

mrtd — Wed, 17 Jun 2026 23:32:16 +0000

Originally published on MRTD.NET — fast, sourced news on crypto security, cyber & SEO.

A coordinated international takedown of Southeast Asian "scam center" networks produced a striking set of numbers this week — and an even more striking mismatch between them. More than 1.4 million scam accounts, pages and groups were disabled and 63 suspects were arrested, but the total cryptocurrency frozen was under $4 million. If you saw it shared as a "$3 billion freeze," that figure is wrong — and the real numbers tell a more useful story.

What actually happened

The operation was part of the US Department of Justice's Scam Center Strike Force "Disruption Week" — a joint effort between law enforcement (the US, Australia, Canada, New Zealand, Thailand and the UK) and a roster of private companies including Coinbase, Apple, Google, Meta, Microsoft, SpaceX, Silent Push, TRM Labs and Zenlayer. The targets were the industrialized "pig-butchering" operations — romance-and-investment scams, often run out of forced-labor compounds — that have become Southeast Asia's dominant cyber-fraud export.

The disclosed tallies:

Meta: disabled 1.4 million+ accounts, pages and groups.
Microsoft: suspended about 20,000 accounts.
Coinbase: froze just over $3 million in crypto; the operation-wide total frozen was about $3.8 million.
Arrests: 63 suspects so far.

The number that got mangled

It is worth correcting the record, because it illustrates how crypto news distorts. A widely shared claim put the freeze at "$3 billion." The actual figure is roughly $3 million — a 1,000x overstatement. We flag it not to nitpick but because the gap between the viral number and the real one is exactly the kind of error that shapes how people perceive crypto enforcement.

Why so few dollars frozen?

Here is the real lesson. 1.4 million accounts disabled, $3.8 million frozen. Set those side by side and the asymmetry is the point. A few quick ratios make it concrete:

That is roughly 22,000 accounts disabled per arrest (1.4M ÷ 63) — confirmation that this kind of operation targets infrastructure, not individuals.
The FBI's IC3 has put annual losses from crypto-investment fraud in the billions of dollars (on the order of ~$5.8B in a recent year). Against that, $3.8 million frozen is about 0.07% — a rounding error.

Why? Because once scam proceeds are converted and bridged across chains and through mixers, they move faster than freezes can land. Exchanges can only freeze what is still sitting in identifiable, custodial wallets when the order arrives. The real disruption here is operational — killing the advertising, hosting, messaging and recruitment surface that scam centers depend on — not asset recovery.

What it means

Account takedowns scale; freezes don't. Platforms can disable infrastructure by the million; clawing back funds is slow and rarely catches more than a sliver.
Prevention beats recovery. For users, the takeaway is unchanged and unglamorous: the money is almost never coming back, so the defense is not falling for the romance-investment funnel in the first place.
Read the numbers, not the headline. A "$3 billion" freeze and a "$3 million" freeze are different stories. The unsexy real figure — small dollars, enormous account counts — is the accurate picture of how this fight actually works.

We verify figures against primary reporting before publishing. Spotted an error or have detail on this operation? Reach us via @mrtdnet on Telegram.