Kids Are Using Fake Mustaches to Bypass Age-Verification Systems—Here’s How

It turns out that some age-verification systems are no match for a little creativity. According to a recent report from the U.K.-based nonprofit Internet Matters, children are drawing on fake mustaches with makeup pencils to slip past the digital gates of adult websites. This eyebrow-raising tactic is just one of several methods kids are using to defeat online age checks.

The report surveyed 1,000 children about their experiences with age-verification checks. Approximately half of the respondents said that these checks were easy to bypass. “Children demonstrated a clear awareness of how to bypass age checks, either through their own experiences or by hearing about methods from others,” the report states. It adds that “one technique brought up was children drawing facial hair on themselves so that the tools verifying them would think they were older, which was reported as working in multiple instances.”

How the Fake Mustache Trick Works

Age-verification systems often rely on facial recognition or real-time camera checks to estimate a user’s age. However, children have discovered that adding a simple accessory—like a drawn-on mustache—can fool these tools into thinking they are adults. This method exploits the algorithms’ reliance on visual cues associated with maturity, such as facial hair.

Building on this, other kids have found alternative bypasses. Some point their webcams at adult-looking characters in video games, while others simply pull obscure or funny faces. These workarounds highlight the fragility of current age-gating technology.

The Global Push for Age-Verification Laws

Age-verification laws are spreading rapidly worldwide, often promoted under the banner of online child safety. In the United States, half of all states have enacted some form of age-checking legislation. The United Kingdom has also implemented such laws, spurring a global trend. These regulations typically require adults to prove their age—usually by uploading a government-issued ID to a third-party service—before accessing adult content.

Critics, however, argue that these laws create databases vulnerable to hacking and leaks. They also warn that such measures threaten the open and decentralized nature of the internet. Companies like Apple have rolled out software updates to comply with these laws, while platforms like Reddit and Meta use a mix of ID uploads and algorithmic age estimation. Others, such as Discord, have delayed their rollouts due to user backlash and security concerns.

Why Current Age-Check Systems Are Failing

The fake mustache trick is not an isolated incident. As age-verification checks become more common, children are proving remarkably adept at finding loopholes. This suggests that many systems are not robust enough to handle determined users. The reliance on superficial visual cues makes them easy to manipulate.

Furthermore, the report indicates that kids share bypass methods among themselves, creating a cycle of circumvention. This raises questions about the effectiveness of these laws in achieving their stated goal of protecting minors. For more insights on online safety, check out our guide on keeping kids safe online.

What This Means for Parents and Policymakers

For parents, the takeaway is clear: age-verification systems are not foolproof. It is essential to have open conversations with children about online safety and the risks of adult content. For policymakers, the findings underscore the need for more sophisticated, privacy-preserving solutions. Relying on superficial checks like facial hair detection is not enough.

In addition, tech companies must invest in stronger verification methods that balance security with user privacy. As the landscape evolves, stay informed about the latest developments in digital age verification. Ultimately, the fake mustache trick serves as a wake-up call: current systems are failing, and a smarter approach is needed.

Rise of Silent Subject Phishing: How Empty Email Subject Lines Are Targeting VIP Users

Cybercriminals are refining their tactics with a new wave of attacks that rely on a surprisingly simple trick: leaving the subject line blank. Known as silent subject phishing or null subject phishing, this technique is gaining traction among threat actors who target high-value individuals within organizations. According to a report from cybersecurity firm Cyberproof, these campaigns are designed to slip past traditional email defenses while exploiting human curiosity.

Instead of using suspicious keywords or urgent language that might trigger spam filters, attackers send emails with empty or vague subject fields. This approach reduces the amount of data available for detection engines to analyze, making it harder for machine learning models to flag the messages as malicious. The result? A higher chance that the email lands in the recipient’s inbox, ready to be opened.

How Silent Subject Phishing Bypasses Email Defenses

One of the main reasons behind the rise of silent subject phishing is its ability to evade conventional security controls. Many email filtering systems rely heavily on subject-line analysis to identify potential threats. By removing the subject entirely, attackers strip away a key signal that security tools use to assess risk. This forces organizations to depend on other detection methods, which may not be as robust.

Building on this, the emails often contain malicious links, QR codes, or attachments. These elements direct users to spoofed login pages or initiate malware downloads. In some cases, attackers encourage victims to scan QR codes with their personal mobile devices, where corporate monitoring tools are less effective. This shift to personal devices further complicates detection and response efforts.

Evasion Through Domain Rotation and URL Shortening

Attackers also rotate domains and payloads frequently to maintain campaign resilience. Shortened URLs are commonly used to obscure the final destination, bypassing URL filtering mechanisms. This makes it difficult for security teams to block malicious links before they reach users. As a result, the campaign can persist over time without being easily disrupted.

VIP Users in the Crosshairs: Why Executives Are Targeted

These campaigns frequently target executives, board members, and other privileged users. The reason is straightforward: a successful compromise of a VIP account can lead to significant data breaches, financial fraud, or lateral movement within the enterprise. Cyberproof observed that the activity spiked during the first quarter of 2026, with a 13.9% increase between January and February, followed by a further 7.0% rise in March. Projections suggest this upward trend will continue.

Therefore, organizations must recognize that VIP user phishing is not just a nuisance—it is a strategic threat. Attackers are willing to invest time and resources to craft campaigns that specifically target high-value individuals. The potential payoff from a single compromised executive account far outweighs the effort involved.

Abuse of Legitimate Tools and Phishing-as-a-Service Platforms

Alongside social engineering, the campaign leverages legitimate remote monitoring and management (RMM) software to blend malicious activity with routine IT operations. Cyberproof found variants of Datto RMM deployed under deceptive filenames. This allows attackers to establish persistence, execute commands, and exfiltrate sensitive data without raising immediate suspicion.

Additionally, a phishing-as-a-service (PaaS) toolkit known as FlowerStorm has been linked to the activity. This platform automates large-scale distribution and supports multi-stage attack chains. It enables threat actors to rapidly change tactics across different targets, making it harder for defenders to keep up.

Defending Against Silent Subject Phishing Attacks

To mitigate the risks posed by silent subject phishing, organizations need to move beyond subject-line filtering alone. A multi-layered approach is essential. Key measures include verifying full sender addresses for inconsistencies, avoiding unexpected attachments or links, and enforcing multi-factor authentication (MFA) across all accounts.

Furthermore, employee training is crucial. Users should be taught to recognize atypical phishing tactics, such as emails with no subject line or those that ask them to scan QR codes. Advanced email security solutions that inspect message content and behavior can also help detect malicious activity that simpler filters miss.

In conclusion, the findings from Cyberproof indicate a shift toward stealth-focused phishing operations. By using minimal content and trusted tools, attackers are achieving high success rates while evading detection. Organizations must adapt their defenses to address these evolving threats, especially when it comes to protecting their most valuable users.

Braintrust breach: AI evaluation startup confirms cloud hack, urges all customers to rotate API keys

The Braintrust breach has sent shockwaves through the AI development community after the startup confirmed unauthorized access to its Amazon Web Services cloud infrastructure. In an urgent email sent to customers on Monday, Braintrust instructed every user to revoke and replace their API keys stored on the platform.

This cloud security incident marks a critical moment for the fast-growing company, which provides evaluation tools for AI models. The compromised AWS account contained sensitive API keys that customers use to access cloud-based AI services from providers like OpenAI and Anthropic.

What happened in the Braintrust breach?

Braintrust disclosed the security event on its website Tuesday, stating that the incident has been contained. The company said it has locked down the compromised account, audited access across related systems, and rotated internal secrets.

However, the startup’s email to customers revealed a more cautious posture. “We’ve communicated with one impacted customer and to date have not found evidence of broader exposure,” the message read. Despite this, Braintrust asked “every customer to rotate” any API keys they store with the platform.

Investigation into the AWS account compromise

The company confirmed that the cause of the Braintrust breach is still under investigation. Spokesperson Martin Bergman told TechCrunch that the email was sent “out of an abundance of caution,” adding that while the company confirmed a security incident, “there is no evidence of a breach at this time.”

This distinction matters in cybersecurity circles. A security incident means unauthorized access occurred, but a breach typically implies data was exfiltrated or misused. Braintrust is still determining whether customer data actually left its systems.

Why API key rotation matters after a cloud security incident

Hackers frequently target corporate cloud accounts and third-party platforms to steal API keys. Once obtained, these keys allow attackers to impersonate legitimate users and access internal systems without breaking into the target company’s networks directly.

Jaime Blasco, co-founder of cybersecurity firm Nudge Security and a recipient of Braintrust’s breach alert, warned that the incident could have “downstream implications for affected customers.” AI companies relying on Braintrust’s platform may face heightened risk if their keys were exposed.

This is not the first time the tech industry has seen such a scenario. In 2023, CircleCI, a development tools provider, suffered a similar cloud data breach and asked customers to rotate “any and all secrets” stored on its platform. More recently, a European Union cybersecurity agency reported that hackers stole 92 gigabytes of data from a compromised AWS account used by the European Commission, affecting 29 EU entities.

Braintrust’s business and the stakes of the breach

Braintrust offers a platform that helps companies monitor and evaluate AI models and products. Founder and CEO Ankur Goyal previously described the service as an “operating system for engineers building AI software.” The startup raised $80 million in a Series B funding round in February, reaching a valuation of $800 million.

Given this rapid growth, the Braintrust breach raises questions about security practices at AI startups handling sensitive infrastructure. For companies integrating Braintrust into their AI development pipelines, the incident serves as a stark reminder to audit third-party security postures regularly.

Lessons for AI companies and developers

Building on this incident, developers should take immediate steps to protect their credentials. First, rotate all API keys stored with Braintrust. Second, review access logs for any suspicious activity tied to those keys. Third, consider implementing key rotation policies that automatically refresh credentials on a regular schedule.

For more on securing your development workflows, check out our guide on API key security best practices. Additionally, learn how to respond to cloud security incidents effectively.

As Braintrust continues its investigation, the broader AI ecosystem must stay vigilant. Cloud security incidents targeting API keys are becoming more common, and the stakes grow higher as AI tools handle increasingly sensitive data.