Donald Trump’s military parade in Washington this weekend — a show of force in the capital that just happens to take place on the president’s birthday — smacks of authoritarian Dear Leader-style politics (even though Trump actually got the idea after attending the 2017 Bastille Day parade in Paris).Yet as disconcerting as the imagery of tanks rolling down Constitution Avenue will be, it’s not even close to Trump’s most insidious assault on the US military’s historic and democratically essential nonpartisan ethos.In fact, it’s not even the most worrying thing he’s done this week.On Tuesday, the president gave a speech at Fort Bragg, an Army base home to Special Operations Command. While presidential speeches to soldiers are not uncommon — rows of uniformed troops make a great backdrop for a foreign policy speech — they generally avoid overt partisan attacks and campaign-style rhetoric. The soldiers, for their part, are expected to be studiously neutral, laughing at jokes and such, but remaining fully impassive during any policy conversation.That’s not what happened at Fort Bragg. Trump’s speech was a partisan tirade that targeted “radical left” opponents ranging from Joe Biden to Los Angeles Mayor Karen Bass. He celebrated his deployment of Marines to Los Angeles, proposed jailing people for burning the American flag, and called on soldiers to be “aggressive” toward the protesters they encountered.The soldiers, for their part, cheered Trump and booed his enemies — as they were seemingly expected to. Reporters at Military.com, a military news service, uncovered internal communications from 82nd Airborne leadership suggesting that the crowd was screened for their political opinions.“If soldiers have political views that are in opposition to the current administration and they don’t want to be in the audience then they need to speak with their leadership and get swapped out,” one note read.To call this unusual is an understatement. I spoke with four different experts on civil-military relations, two of whom teach at the Naval War College, about the speech and its implications. To a person, they said it was a step towards politicizing the military with no real precedent in modern American history.“That is, I think, a really big red flag because it means the military’s professional ethic is breaking down internally,” says Risa Brooks, a professor at Marquette University. “Its capacity to maintain that firewall against civilian politicization may be faltering.”This may sound alarmist — like an overreading of a one-off incident — but it’s part of a bigger pattern. The totality of Trump administration policies, ranging from the parade in Washington to the LA troop deployment to Secretary of Defense Pete Hegseth’s firing of high-ranking women and officers of color, suggests a concerted effort to erode the military’s professional ethos and turn it into an institution subservient to the Trump administration’s whims. This is a signal policy aim of would-be dictators, who wish to head off the risk of a coup and ensure the armed forces’ political reliability if they are needed to repress dissent in a crisis.Steve Saideman, a professor at Carleton University, put together a list of eight different signs that a military is being politicized in this fashion. The Trump administration has exhibited six out of the eight.“The biggest theme is that we are seeing a number of checks on the executive fail at the same time — and that’s what’s making individual events seem more alarming than they might otherwise,” says Jessica Blankshain, a professor at the Naval War College (speaking not for the military but in a personal capacity).That Trump is trying to politicize the military does not mean he has succeeded. There are several signs, including Trump’s handpicked chair of the Joint Chiefs repudiating the president’s claims of a migrant invasion during congressional testimony, that the US military is resisting Trump’s politicization.But the events in Fort Bragg and Washington suggest that we are in the midst of a quiet crisis in civil-military relations in the United States — one whose implications for American democracy’s future could well be profound.The Trump crisis in civil-military relations, explainedA military is, by sheer fact of its existence, a threat to any civilian government. If you have an institution that controls the overwhelming bulk of weaponry in a society, it always has the physical capacity to seize control of the government at gunpoint. A key question for any government is how to convince the armed forces that they cannot or should not take power for themselves.Democracies typically do this through a process called “professionalization.” Soldiers are rigorously taught to think of themselves as a class of public servants, people trained to perform a specific job within defined parameters. Their ultimate loyalty is not to their generals or even individual presidents, but rather to the people and the constitutional order.Samuel Huntington, the late Harvard political scientist, is the canonical theorist of a professional military. In his book The Soldier and the State, he described optimal professionalization as a system of “objective control”: one in which the military retains autonomy in how they fight and plan for wars while deferring to politicians on whether and why to fight in the first place. In effect, they stay out of the politicians’ affairs while the politicians stay out of theirs.The idea of such a system is to emphasize to the military that they are professionals: Their responsibility isn’t deciding when to use force, but only to conduct operations as effectively as possible once ordered to engage in them. There is thus a strict firewall between military affairs, on the one hand, and policy-political affairs on the other.Typically, the chief worry is that the military breaches this bargain: that, for example, a general starts speaking out against elected officials’ policies in ways that undermine civilian control. This is not a hypothetical fear in the United States, with the most famous such example being Gen. Douglas MacArthur’s insubordination during the Korean War. Thankfully, not even MacArthur attempted the worst-case version of military overstep — a coup.But in backsliding democracies like the modern United States, where the chief executive is attempting an anti-democratic power grab, the military poses a very different kind of threat to democracy — in fact, something akin to the exact opposite of the typical scenario.In such cases, the issue isn’t the military inserting itself into politics but rather the civilians dragging them into it in ways that upset the democratic political order. The worst-case scenario is that the military acts on presidential directives to use force against domestic dissenters, destroying democracy not by ignoring civilian orders, but by following them.There are two ways to arrive at such a worst-case scenario, both of which are in evidence in the early days of Trump 2.0.First is politicization: an intentional attack on the constraints against partisan activity inside the professional ranks.Many of Pete Hegseth’s major moves as secretary of defense fit this bill, including his decisions to fire nonwhite and female generals seen as politically unreliable and his effort to undermine the independence of the military’s lawyers. The breaches in protocol at Fort Bragg are both consequences and causes of politicization: They could only happen in an environment of loosened constraint, and they might encourage more overt political action if gone unpunished.The second pathway to breakdown is the weaponization of professionalism against itself. Here, Trump exploits the military’s deference to politicians by ordering it to engage in undemocratic (and even questionably legal) activities. In practice, this looks a lot like the LA deployments, and, more specifically, the lack of any visible military pushback. While the military readily agreeing to deployments is normally a good sign — that civilian control is holding — these aren’t normal times. And this isn’t a normal deployment, but rather one that comes uncomfortably close to the military being ordered to assist in repressing overwhelmingly peaceful demonstrations against executive abuses of power.“It’s really been pretty uncommon to use the military for law enforcement,” says David Burbach, another Naval War College professor (also speaking personally). “This is really bringing the military into frontline law enforcement when. … these are really not huge disturbances.”This, then, is the crisis: an incremental and slow-rolling effort by the Trump administration to erode the norms and procedures designed to prevent the military from being used as a tool of domestic repression. Is it time to panic?Among the experts I spoke with, there was consensus that the military’s professional and nonpartisan ethos was weakening. This isn’t just because of Trump, but his terms — the first to a degree, and now the second acutely — are major stressors.Yet there was no consensus on just how much military nonpartisanship has eroded — that is, how close we are to a moment when the US military might be willing to follow obviously authoritarian orders.For all its faults, the US military’s professional ethos is a really important part of its identity and self-conception. While few soldiers may actually read Sam Huntington or similar scholars, the general idea that they serve the people and the republic is a bedrock principle among the ranks. There is a reason why the United States has never, in over 250 years of governance, experienced a military coup — or even come particularly close to one.In theory, this ethos should also galvanize resistance to Trump’s efforts at politicization. Soldiers are not unthinking automatons: While they are trained to follow commands, they are explicitly obligated to refuse illegal orders, even coming from the president. The more aggressive Trump’s efforts to use the military as a tool of repression gets, the more likely there is to be resistance.Or, at least theoretically.The truth is that we don’t really know how the US military will respond to a situation like this. Like so many of Trump’s second-term policies, their efforts to bend the military to their will are unprecedented — actions with no real parallel in the modern history of the American military. Experts can only make informed guesses, based on their sense of US military culture as well as comparisons to historical and foreign cases.For this reason, there are probably only two things we can say with confidence.First, what we’ve seen so far is not yet sufficient evidence to declare that the military is in Trump’s thrall. The signs of decay are too limited to ground any conclusions that the longstanding professional norm is entirely gone.“We have seen a few things that are potentially alarming about erosion of the military’s non-partisan norm. But not in a way that’s definitive at this point,” Blankshain says.Second, the stressors on this tradition are going to keep piling on. Trump’s record makes it exceptionally clear that he wants the military to serve him personally — and that he, and Hegseth, will keep working to make it so. This means we really are in the midst of a quiet crisis, and will likely remain so for the foreseeable future.“The fact that he’s getting the troops to cheer for booing Democratic leaders at a time when there’s actually [a deployment to] a blue city and a blue state…he is ordering the troops to take a side,” Saideman says. “There may not be a coherent plan behind this. But there are a lot of things going on that are all in the same direction.”See More: Politics

Jun 13, 2025Ravie LakshmananWeb Security / Network Security Cybersecurity researchers are calling attention to a "large-scale campaign" that has been observed compromising legitimate websites with malicious JavaScript injections. According to Palo Alto Networks Unit 42, these malicious injects are obfuscated using JSFuck, which refers to an "esoteric and educational programming style" that uses only a limited set of characters to write and execute code. The cybersecurity company has given the technique an alternate name JSFireTruck owing to the profanity involved. "Multiple websites have been identified with injected malicious JavaScript that uses JSFireTruck obfuscation, which is composed primarily of the symbols [, ], +, $, {, and }," security researchers Hardik Shah, Brad Duncan, and Pranay Kumar Chhaparwal said. "The code's obfuscation hides its true purpose, hindering analysis." Further analysis has determined that the injected code is designed to check the website referrer ("document.referrer"), which identifies the address of the web page from which a request originated. Should the referrer be a search engine such as Google, Bing, DuckDuckGo, Yahoo!, or AOL, the JavaScript code redirects victims to malicious URLs that can deliver malware, exploits, traffic monetization, and malvertising. Unit 42 said its telemetry uncovered 269,552 web pages that have been infected with JavaScript code using the JSFireTruck technique between March 26 and April 25, 2025. A spike in the campaign was first recorded on April 12, when over 50,000 infected web pages were observed in a single day. "The campaign's scale and stealth pose a significant threat," the researchers said. "The widespread nature of these infections suggests a coordinated effort to compromise legitimate websites as attack vectors for further malicious activities." Say Hello to HelloTDS The development comes as Gen Digital took the wraps off a sophisticated Traffic Distribution Service (TDS) called HelloTDS that's designed to conditionally redirect site visitors to fake CAPTCHA pages, tech support scams, fake browser updates, unwanted browser extensions, and cryptocurrency scams through remotely-hosted JavaScript code injected into the sites. The primary objective of the TDS is to act as a gateway, determining the exact nature of content to be delivered to the victims after fingerprinting their devices. If the user is not deemed a suitable target, the victim is redirected to a benign web page. "The campaign entry points are infected or otherwise attacker-controlled streaming websites, file sharing services, as well as malvertising campaigns," researchers Vojtěch Krejsa and Milan Špinka said in a report published this month. "Victims are evaluated based on geolocation, IP address, and browser fingerprinting; for example, connections through VPNs or headless browsers are detected and rejected." Some of these attack chains have been found to serve bogus CAPTCHA pages that leverage the ClickFix strategy to trick users into running malicious code and infecting their machines with a malware known as PEAKLIGHT (aka Emmenhtal Loader), which is known to server information stealers like Lumma. Central to the HelloTDS infrastructure is the use of .top, .shop, and .com top-level domains that are used to host the JavaScript code and trigger the redirections following a multi-stage fingerprinting process engineered to collect network and browser information. "The HelloTDS infrastructure behind fake CAPTCHA campaigns demonstrates how attackers continue to refine their methods to bypass traditional protections, evade detection, and selectively target victims," the researchers said. "By leveraging sophisticated fingerprinting, dynamic domain infrastructure, and deception tactics (such as mimicking legitimate websites and serving benign content to researchers) these campaigns achieve both stealth and scale." Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post. SHARE    

Greg Touhill, director of the Software Engineering’s Institute’s (SEI’s) Computer Emergency Response Team (CERT) division is an atypical technology leader. For one thing, he’s been in tech and other leadership positions that span the US Air Force, the US government, the private sector and now SEI’s CERT. More importantly, he’s been a major force in the cybersecurity realm, making the world a safer place and even saving lives. Touhill earned a bachelor’s degree from the Pennsylvania State University, a master’s degree from the University of Southern California, a master’s degree from the Air War College, was a senior executive fellow at the Harvard University Kennedy School of Government and completed executive education studies at the University of North Carolina. “I was a student intern at Carnegie Mellon, but I was going to college at Penn State and studying chemical engineering. As an Air Force ROTC scholarship recipient, I knew I was going to become an Air Force officer but soon realized that I didn’t necessarily want to be a chemical engineer in the Air Force,” says Touhill. “Because I passed all the mathematics, physics, and engineering courses, I ended up becoming a communications, electronics, and computer systems officer in the Air Force. I spent 30 years, one month and three days on active duty in the United States Air Force, eventually retiring as a brigadier general and having done many different types of jobs that were available to me within and even beyond my career field.” Related:Specifically, he was an operational commander at the squadron, group, and wing levels. For example, as a colonel, Touhill served as director of command, control, communications and computers (C4) for the United States Central Command Forces, then he was appointed chief information officer and director, communications and information at Air Mobility Command. Later, he served as commander, 81st Training Wing at Kessler Air Force Base where he was promoted to brigadier general and commanded over 12,500 personnel. After that, he served as the senior defense officer and US defense attaché at the US Embassy in Kuwait, before concluding his military career as the chief information officer and director, C4 systems at the US Transportation Command, one of 10 US combatant commands, where he and his team were awarded the NSA Rowlett Award for the best cybersecurity program in the government. While in the Air Force, Touhill received numerous awards and decorations including the Bronze Star medal and the Air Force Science and Engineering Award. He is the only three-time recipient of the USAF C4 Professionalism Award. Related:Greg Touhill“I got to serve at major combatant commands, work with coalition partners from many different countries and represented the US as part of a diplomatic mission to Kuwait for two years as the senior defense official at a time when America was withdrawing forces out of Iraq. I also led the negotiation of a new bilateral defense agreement with the Kuwaitis,” says Touhill. “Then I was recruited to continue my service and was asked to serve as the deputy assistant secretary of cybersecurity and communications at the Department of Homeland Security, where I ran the operations of what is now known as the Cybersecurity and Infrastructure Security Agency. I was there at a pivotal moment because we were building up the capacity of that organization and setting the stage for it to become its own agency.” While at DHS, there were many noteworthy breaches including the infamous US Office of People Management (OPM) breach. Those events led to Obama’s visit to the National Cybersecurity and Communications Integration Center.  “I got to brief the president on the state of cybersecurity, what we had seen with the OPM breach and some other deficiencies,” says Touhill. “I was on the federal CIO council as the cybersecurity advisor to that since I’d been a federal CIO before and I got to conclude my federal career by being the first United States government chief information security officer. From there, I pivoted to industry, but I also got to return to Carnegie Mellon as a faculty member at Carnegie Mellon’s Heinz College, where I've been teaching since January 2017.” Related:Touhill has been involved in three startups, two of which were successfully acquired. He also served on three Fortune 100 advisory boards and on the Information Systems Audit and Control Association board, eventually becoming its chair for a term during the seven years he served there. Touhill just celebrated his fourth year at CERT, which he considers the pinnacle of the cybersecurity profession and everything he’s done to date. “Over my career I've led teams that have done major software builds in the national security space. I've also been the guy who's pulled cables and set up routers, hubs and switches, and I've been a system administrator. I've done everything that I could do from the keyboard up all the way up to the White House,” says Touhill. “For 40 years, the Software Engineering Institute has been leading the world in secure by design, cybersecurity, software engineering, artificial intelligence and engineering, pioneering best practices, and figuring out how to make the world a safer more secure and trustworthy place. I’ve had a hand in the making of today’s modern military and government information technology environment, beginning as a 22-year-old lieutenant, and hope to inspire the next generation to do even better.” What ‘Success’ Means Many people would be satisfied with their careers as a brigadier general, a tech leader, the White House’s first anything, or working at CERT, let alone running it. Touhill has spent his entire career making the world a safer place, so it’s not surprising that he considers his greatest achievement saving lives. “In the Middle East and Iraq, convoys were being attacked with improvised explosive devices. There were also ‘direct fire’ attacks where people are firing weapons at you and indirect fire attacks where you could be in the line of fire,” says Touhill. “The convoys were using SINCGARS line-of-site walkie-talkies for communications that are most effective when the ground is flat, and Iraq is not flat. As a result, our troops were at risk of not having reliable communications while under attack. As my team brainstormed options to remedy the situation, one of my guys found some technology, about the size of an iPhone, that could covert a radio signal, which is basically a waveform, into a digital pulse I could put on a dedicated network to support the convoy missions.” For $11 million, Touhill and his team quickly architected, tested, and fielded the Radio over IP network (aka “Ripper Net”) that had a 99% reliability rate anywhere in Iraq. Better still, convoys could communicate over the network using any radios. That solution saved a minimum of six lives. In one case, the hospital doctor said if the patient had arrived five minutes later, he would have died. Sage Advice Anyone who has ever spent time in the military or in a military family knows that soldiers are very well disciplined, or they wash out. Other traits include being physically fit, mentally fit, and achieving balance in life, though that’s difficult to achieve in combat. Still, it’s a necessity. “I served three and a half years down range in combat operations. My experience taught me you could be doing 20-hour days for a year or two on end. If you haven’t built a good foundation of being disciplined and fit, it impacts your ability to maintain presence in times of stress, and CISOs work in stressful situations,” says Touhill. “Staying fit also fortifies you for the long haul, so you don’t get burned out as fast.” Another necessary skill is the ability to work well with others.  “Cybersecurity is an interdisciplinary practice. One of the great joys I have as CERT director is the wide range of experts in many different fields that include software engineers, computer engineers, computer scientists, data scientists, mathematicians and physicists,” says Touhill. “I have folks who have business degrees and others who have philosophy degrees. It's really a rich community of interests all coming together towards that common goal of making the world a safer, more secure and more trusted place in the cyber domain. We’re are kind of like the cyber neighborhood watch for the whole world.” He also says that money isn’t everything, having taken a pay cut to go from being an Air Force brigadier general to the deputy assistant secretary of the Department of Homeland Security . “You’ll always do well if you pick the job that matters most. That’s what I did, and I’ve been rewarded every step,” says Touhill.  The biggest challenge he sees is the complexity of cyber systems and software, which can have second, third, and fourth order effects.  “Complexity raises the cost of the attack surface, increases the attack surface, raises the number of vulnerabilities and exploits human weaknesses,” says Touhill. “The No. 1 thing we need to be paying attention to is privacy when it comes to AI because AI can unearth and discover knowledge from data we already have. While it gives us greater insights at greater velocities, we need to be careful that we take precautions to better protect our privacy, civil rights and civil liberties.” 

Jun 06, 2025The Hacker NewsMalware / Endpoint Security Cybersecurity researchers are alerting to a new malware campaign that employs the ClickFix social engineering tactic to trick users into downloading an information stealer malware known as Atomic macOS Stealer (AMOS) on Apple macOS systems. The campaign, according to CloudSEK, has been found to leverage typosquat domains mimicking U.S.-based telecom provider Spectrum. "macOS users are served a malicious shell script designed to steal system passwords and download an AMOS variant for further exploitation," security researcher Koushik Pal said in a report published this week. "The script uses native macOS commands to harvest credentials, bypass security mechanisms, and execute malicious binaries." It's believed that the activity is the work of Russian-speaking cybercriminals owing to the presence of Russian language comments in the malware's source code. The starting point of the attack is a web page that impersonates Spectrum ("panel-spectrum[.]net" or "spectrum-ticket[.]net"). Visitors to the sites in question are served a message that instructs them to complete a hCaptcha verification check to in order to "review the security" of their connection before proceeding further. However, when the user clicks the "I am human" checkbox for evaluation, they are displayed an error message stating "CAPTCHA verification failed," urging them to click a button to go ahead with an "Alternative Verification." Doing so causes a command to be copied to the users' clipboard and the victim is shown a set of instructions depending on their operating system. While they are guided to run a PowerShell command on Windows by opening the Windows Run dialog, it's substituted by a shell script that's executed by launching the Terminal app on macOS. The shell script, for its part, prompts users to enter their system password and downloads a next-stage payload, in this case, a known stealer called Atomic Stealer. "Poorly implemented logic in the delivery sites, such as mismatched instructions across platforms, points to hastily assembled infrastructure," Pal said. "The delivery pages in question for this AMOS variant campaign contained inaccuracies in both its programming and front-end logic. For Linux user agents, a PowerShell command was copied. Furthermore, the instruction 'Press & hold the Windows Key + R' was displayed to both Windows and Mac users." The disclosure comes amid a surge in campaigns using the ClickFix tactic to deliver a wide range of malware families over the past year. "Actors carrying out these targeted attacks typically utilize similar techniques, tools, and procedures (TTPs) to gain initial access," Darktrace said. "These include spear phishing attacks, drive-by compromises, or exploiting trust in familiar online platforms, such as GitHub, to deliver malicious payloads." The links distributed using these vectors typically redirect the end user to a malicious URL that displays a fake CAPTCHA verification check in an attempt to deceive users into thinking that they are carrying out something innocuous, when, in reality, they are guided to execute malicious commands to fix a non-existent issue. The end result of this effective social engineering method is that users end up compromising their own systems, enabling threat actors to bypass security controls. The cybersecurity company said it identified multiple ClickFix attacks across customer environments in Europe, the Middle East, and Africa (EMEA), and in the United States. And these campaigns are gaining steam, adopting several variations but operating with the same end goal of delivering malicious payloads, ranging from trojans to stealers to ransomware. Earlier this week, Cofense outlined an email phishing campaign that spoofs Booking.com, targeting hotel chains and the food services sector with fake CAPTCHAs that lead to XWorm RAT, PureLogs Stealer, and DanaBot. The fact that ClickFix is flexible and easy to adapt makes it an attractive malware distribution mechanism. "While the exact email structure varies from sample to sample, these campaigns generally provide Booking[.]com-spoofing emails with embedded links to a ClickFix fake CAPTCHA site which is used to deliver a malicious script that runs RATs and/or information stealers," Cofense said. The email security firm said it has also observed ClickFix samples mimicking cookie consent banners, wherein clicking on the "Accept" button causes a malicious script file to be downloaded. The user is subsequently prompted to run the script to accept cookies. In one April 2025 incident analyzed by Darktrace, unknown threat actors were found to utilize ClickFix as an attack vector to download nondescript payloads to burrow deeper into the target environment, conduct lateral movement, send system-related information to an external server via an HTTP POST request, and ultimately exfiltrate data. "ClickFix baiting is a widely used tactic in which threat actors exploit human error to bypass security defenses," Darktrace said. "By tricking endpoint users into performing seemingly harmless, everyday actions, attackers gain initial access to systems where they can access and exfiltrate sensitive data." Other ClickFix attacks have employed phony versions of other popular CAPTCHA services like Google reCAPTCHA and Cloudflare Turnstile for malware delivery under the guise of routine security checks. These fake pages are "pixel-perfect copies" of their legitimate counterparts, sometimes even injected into real-but-hacked websites to trick unsuspecting users. Stealers such as Lumma and StealC, as well as full-fledged remote access trojans (RATs) like NetSupport RAT are some of the payloads distributed via bogus Turnstile pages. "Modern internet users are inundated with spam checks, CAPTCHAs, and security prompts on websites, and they've been conditioned to click through these as quickly as possible," SlashNext's Daniel Kelley said. "Attackers exploit this 'verification fatigue,' knowing that many users will comply with whatever steps are presented if it looks routine." Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter  and LinkedIn to read more exclusive content we post. SHARE    

In 2025, it’s very difficult not to see gambling advertised everywhere. It’s on billboards and sports broadcasts. It’s on podcasts and printed on the turnbuckle of AEW’s pay-per-view shows. And it’s on app stores, where you can find the FanDuel and DraftKings sportsbooks, alongside glitzy digital slot machines. These apps all have the highest age ratings possible on Apple’s App Store and Google Play. But earlier this year, a different kind of app nearly disappeared from the Play Store entirely.Luck Be A Landlord is a roguelite deckbuilder from solo developer Dan DiIorio. DiIorio got word from Google in January 2025 that Luck Be A Landlord was about to be pulled, globally, because DiIorio had not disclosed the game’s “gambling themes” in its rating.In Luck Be a Landlord, the player takes spins on a pixel art slot machine to earn coins to pay their ever-increasing rent — a nightmare gamification of our day-to-day grind to remain housed. On app stores, it’s a one-time purchase of $4.99, and it’s $9.99 on Steam. On the Play Store page, developer Dan DiIorio notes, “This game does not contain any real-world currency gambling or microtransactions.”And it doesn’t. But for Google, that didn’t matter. First, the game was removed from the storefront in a slew of countries that have strict gambling laws. Then, at the beginning of 2025, Google told Dilorio that Luck Be A Landlord would be pulled globally because of its rating discrepancy, as it “does not take into account references to gambling (including real or simulated gambling)”.DiIorio had gone through this song and dance before — previously, when the game was blocked, he would send back a message saying “hey, the game doesn’t have gambling,” and then Google would send back a screenshot of the game and assert that, in fact, it had.DiIorio didn’t agree, but this time they decided that the risk of Landlord getting taken down permanently was too great. They’re a solo developer, and Luck Be a Landlord had just had its highest 30-day revenue since release. So, they filled out the form confirming that Luck Be A Landlord has “gambling themes,” and are currently hoping that this will be the end of it.This is a situation that sucks for an indie dev to be in, and over email DiIorio told Polygon it was “very frustrating.”“I think it can negatively affect indie developers if they fall outside the norm, which indies often do,” they wrote. “It also makes me afraid to explore mechanics like this further. It stifles creativity, and that’s really upsetting.”In late 2024, the hit game Balatro was in a similar position. It had won numerous awards, and made $1,000,000 in its first week on mobile platforms. And then overnight, the PEGI ratings board declared that the game deserved an adult rating.The ESRB had already rated it E10+ in the US, noting it has gambling themes. And the game was already out in Europe, making its overnight ratings change a surprise. Publisher PlayStack said the rating was given because Balatro has “prominent gambling imagery and material that instructs about gambling.”Balatro is basically Luck Be A Landlord’s little cousin. Developer LocalThunk was inspired by watching streams of Luck Be A Landlord, and seeing the way DiIorio had implemented deck-building into his slot machine. And like Luck Be A Landlord, Balatro is a one-time purchase, with no microtransactions.But the PEGI board noted that because the game uses poker hands, the skills the player learns in Balatro could translate to real-world poker.In its write-up, GameSpot noted that the same thing happened to a game called Sunshine Shuffle. It was temporarily banned from the Nintendo eShop, and also from the entire country of South Korea. Unlike Balatro, Sunshine Shuffle actually is a poker game, except you’re playing Texas Hold ‘Em — again for no real money — with cute animals (who are bank robbers).It’s common sense that children shouldn’t be able to access apps that allow them to gamble. But none of these games contain actual gambling — or do they?Where do we draw the line? Is it gambling to play any game that is also played in casinos, like poker or blackjack? Is it gambling to play a game that evokes the aesthetics of a casino, like cards, chips, dice, or slot machines? Is it gambling to wager or earn fictional money?Gaming has always been a lightning rod for controversy. Sex, violence, misogyny, addiction — you name it, video games have been accused of perpetrating or encouraging it. But gambling is gaming’s original sin. And it’s the one we still can’t get a grip on.The original link between gambling and gamingGetty ImagesThe association between video games and gambling all goes back to pinball. Back in the ’30s and ’40s, politicians targeted pinball machines for promoting gambling. Early pinball machines were less skill-based (they didn’t have flippers), and some gave cash payouts, so the comparison wasn’t unfair. Famously, mob-hating New York City mayor Fiorello LaGuardia banned pinball in the city, and appeared in a newsreel dumping pinball and slot machines into the Long Island Sound. Pinball machines spent some time relegated to the back rooms of sex shops and dive bars. But after some lobbying, the laws relaxed.By the 1970s, pinball manufacturers were also making video games, and the machines were side-by-side in arcades. Arcade machines, like pinball, took small coin payments, repeatedly, for short rounds of play. The disreputable funk of pinball basically rubbed off onto video games.Ever since video games rocked onto the scene, concerned and sometimes uneducated parties have been asking if they’re dangerous. And in general, studies have shown that they’re not. The same can’t be said about gambling — the practice of putting real money down to bet on an outcome.It’s a golden age for gambling2025 in the USA is a great time for gambling, which has been really profitable for gambling companies — to the tune of $66.5 billion dollars of revenue in 2023.To put this number in perspective, the American Gaming Association, which is the casino industry’s trade group and has nothing to do with video games, reports that 2022’s gambling revenue was $60.5 billion. It went up $6 billion in a year.And this increase isn’t just because of sportsbooks, although sports betting is a huge part of it. Online casinos and brick-and-mortar casinos are both earning more, and as a lot of people have pointed out, gambling is being normalized to a pretty disturbing degree.Much like with alcohol, for a small percentage of people, gambling can tip from occasional leisure activity into addiction. The people who are most at risk are, by and large, already vulnerable: researchers at the Yale School of Medicine found that 96% of problem gamblers are also wrestling with other disorders, such as “substance use, impulse-control disorders, mood disorders, and anxiety disorders.”Even if you’re not in that group, there are still good reasons to be wary of gambling. People tend to underestimate their own vulnerability to things they know are dangerous for others. Someone else might bet beyond their means. But I would simply know when to stop.Maybe you do! But being blithely confident about it can make it hard to notice if you do develop a problem. Or if you already have one.Addiction changes the way your brain works. When you’re addicted to something, your participation in it becomes compulsive, at the expense of other interests and responsibilities. Someone might turn to their addiction to self-soothe when depressed or anxious. And speaking of those feelings, people who are depressed and anxious are already more vulnerable to addiction. Given the entire state of the world right now, this predisposition shines an ugly light on the numbers touted by the AGA. Is it good that the industry is reporting $6 billion in additional earnings, when the economy feels so frail, when the stock market is ping ponging through highs and lows daily, when daily expenses are rising? It doesn’t feel good. In 2024, the YouTuber Drew Gooden turned his critical eye to online gambling. One of the main points he makes in his excellent video is that gambling is more accessible than ever. It’s on all our phones, and betting companies are using decades of well-honed app design and behavioral studies to manipulate users to spend and spend.Meanwhile, advertising on podcasts, billboards, TV, radio, and websites – it’s literally everywhere — tells you that this is fun, and you don’t even need to know what you’re doing, and you’re probably one bet away from winning back those losses.Where does Luck Be a Landlord come into this?So, are there gambling themes in Luck Be A Landlord? The game’s slot machine is represented in simple pixel art. You pay one coin to use it, and among the more traditional slot machine symbols are silly ones like a snail that only pays out after 4 spins.When I started playing it, my primary emotion wasn’t necessarily elation at winning coins — it was stress and disbelief when, in the third round of the game, the landlord increased my rent by 100%. What the hell.I don’t doubt that getting better at it would produce dopamine thrills akin to gambling — or playing any video game. But it’s supposed to be difficult, because that’s the joke. If you beat the game you unlock more difficulty modes where, as you keep paying rent, your landlord gets furious, and starts throwing made-up rules at you: previously rare symbols will give you less of a payout, and the very mechanics of the slot machine change.It’s a manifestation of the golden rule of casinos, and all of capitalism writ large: the odds are stacked against you. The house always wins. There is luck involved, to be sure, but because Luck Be A Landlord is a deck-builder, knowing the different ways you can design your slot machine to maximize payouts is a skill! You have some influence over it, unlike a real slot machine. The synergies that I’ve seen high-level players create are completely nuts, and obviously based on a deep understanding of the strategies the game allows.IMAGE: TrampolineTales via PolygonBalatro and Luck Be a Landlord both distance themselves from casino gambling again in the way they treat money. In Landlord, the money you earn is gold coins, not any currency we recognize. And the payouts aren’t actually that big. By the end of the core game, the rent money you’re struggling and scraping to earn… is 777 coins. In the post-game endless mode, payouts can get massive. But the thing is, to get this far, you can’t rely on chance. You have to be very good at Luck Be a Landlord.And in Balatro, the numbers that get big are your points. The actual dollar payments in a round of Balatro are small. These aren’t games about earning wads and wads of cash. So, do these count as “gambling themes”?We’ll come back to that question later. First, I want to talk about a closer analog to what we colloquially consider gambling: loot boxes and gacha games.Random rewards: from Overwatch to the rise of gachaRecently, I did something that I haven’t done in a really long time: I thought about Overwatch. I used to play Overwatch with my friends, and I absolutely made a habit of dropping 20 bucks here or there for a bunch of seasonal loot boxes. This was never a problem behavior for me, but in hindsight, it does sting that over a couple of years, I dropped maybe $150 on cosmetics for a game that now I primarily associate with squandered potential.Loot boxes grew out of free-to-play mobile games, where they’re the primary method of monetization. In something like Overwatch, they functioned as a way to earn additional revenue in an ongoing game, once the player had already dropped 40 bucks to buy it.More often than not, loot boxes are a random selection of skins and other cosmetics, but games like Star Wars: Battlefront 2 were famously criticized for launching with loot crates that essentially made it pay-to-win – if you bought enough of them and got lucky.It’s not unprecedented to associate loot boxes with gambling. A 2021 study published in Addictive Behaviors showed that players who self-reported as problem gamblers also tended to spend more on loot boxes, and another study done in the UK found a similar correlation with young adults.While Overwatch certainly wasn’t the first game to feature cosmetic loot boxes or microtransactions, it’s a reference point for me, and it also got attention worldwide. In 2018, Overwatch was investigated by the Belgian Gaming Commission, which found it “in violation of gambling legislation” alongside FIFA 18 and Counter-Strike: Global Offensive. Belgium’s response was to ban the sale of loot boxes without a gambling license. Having a paid random rewards mechanic in a game is a criminal offense there. But not really. A 2023 study showed that 82% of iPhone games sold on the App Store in Belgium still use random paid monetization, as do around 80% of games that are rated 12+. The ban wasn’t effectively enforced, if at all, and the study recommends that a blanket ban wouldn’t actually be a practical solution anyway.Overwatch was rated T for Teen by the ESRB, and 12 by PEGI. When it first came out, its loot boxes were divisive. Since the mechanic came from F2P mobile games, which are often seen as predatory, people balked at seeing it in a big action game from a multi-million dollar publisher.At the time, the rebuttal was, “Well, at least it’s just cosmetics.” Nobody needs to buy loot boxes to be good at Overwatch.A lot has changed since 2016. Now we have a deeper understanding of how these mechanics are designed to manipulate players, even if they don’t affect gameplay. But also, they’ve been normalized. While there will always be people expressing disappointment when a AAA game has a paid random loot mechanic, it is no longer shocking.And if anything, these mechanics have only become more prevalent, thanks to the growth of gacha games. Gacha is short for “gachapon,” the Japanese capsule machines where you pay to receive one of a selection of random toys. Getty ImagesIn gacha games, players pay — not necessarily real money, but we’ll get to that — for a chance to get something. Maybe it’s a character, or a special weapon, or some gear — it depends on the game. Whatever it is, within that context, it’s desirable — and unlike the cosmetics of Overwatch, gacha pulls often do impact the gameplay.For example, in Infinity Nikki, you can pull for clothing items in these limited-time events. You have a chance to get pieces of a five-star outfit. But you also might pull one of a set of four-star items, or a permanent three-star piece. Of course, if you want all ten pieces of the five-star outfit, you have to do multiple pulls, each costing a handful of limited resources that you can earn in-game or purchase with money.Gacha was a fixture of mobile gaming for a long time, but in recent years, we’ve seen it go AAA, and global. MiHoYo’s Genshin Impact did a lot of that work when it came out worldwide on consoles and PC alongside its mobile release. Genshin and its successors are massive AAA games of a scale that, for your Nintendos and Ubisofts, would necessitate selling a bajillion copies to be a success. And they’re free.Genshin is an action game, whose playstyle changes depending on what character you’re playing — characters you get from gacha pulls, of course. In Zenless Zone Zero, the characters you can pull have different combo patterns, do different kinds of damage, and just feel different to play. And whereas in an early mobile gacha game like Love Nikki Dress UP! Queen the world was rudimentary, its modern descendant Infinity Nikki is, like Genshin, Breath of the Wild-esque. It is a massive open world, with collectibles and physics puzzles, platforming challenges, and a surprisingly involved storyline. Genshin Impact was the subject of an interesting study where researchers asked young adults in Hong Kong to self-report on their gacha spending habits. They found that, like with gambling, players who are not feeling good tend to spend more. “Young adult gacha gamers experiencing greater stress and anxiety tend to spend more on gacha purchases, have more motives for gacha purchases, and participate in more gambling activities,” they wrote. “This group is at a particularly higher risk of becoming problem gamblers.”One thing that is important to note is that Genshin Impact came out in 2020. The study was self-reported, and it was done during the early stages of the COVID-19 pandemic. It was a time when people were experiencing a lot of stress, and also fewer options to relieve that stress. We were all stuck inside gaming.But the fact that stress can make people more likely to spend money on gacha shows that while the gacha model isn’t necessarily harmful to everyone, it is exploitative to everyone. Since I started writing this story, another self-reported study came out in Japan, where 18.8% of people in their 20s say they’ve spent money on gacha rather than on things like food or rent.Following Genshin Impact’s release, MiHoYo put out Honkai: Star Rail and Zenless Zone Zero. All are shiny, big-budget games that are free to play, but dangle the lure of making just one purchase in front of the player. Maybe you could drop five bucks on a handful of in-game currency to get one more pull. Or maybe just this month you’ll get the second tier of rewards on the game’s equivalent of a Battle Pass. The game is free, after all — but haven’t you enjoyed at least ten dollars’ worth of gameplay? Image: HoyoverseI spent most of my December throwing myself into Infinity Nikki. I had been so stressed, and the game was so soothing. I logged in daily to fulfill my daily wishes and earn my XP, diamonds, Threads of Purity, and bling. I accumulated massive amounts of resources. I haven’t spent money on the game. I’m trying not to, and so far, it’s been pretty easy. I’ve been super happy with how much stuff I can get for free, and how much I can do! I actually feel really good about that — which is what I said to my boyfriend, and he replied, “Yeah, that’s the point. That’s how they get you.”And he’s right. Currently, Infinity Nikki players are embroiled in a war with developer Infold, after Infold introduced yet another currency type with deep ties to Nikki’s gacha system. Every one of these gacha games has its own tangled system of overlapping currencies. Some can only be used on gacha pulls. Some can only be used to upgrade items. Many of them can be purchased with human money.Image: InFold Games/Papergames via PolygonAll of this adds up. According to Sensor Towers’ data, Genshin Impact earned over 36 million dollars on mobile alone in a single month of 2024. I don’t know what Dan DiIorio’s peak monthly revenue for Luck Be A Landlord was, but I’m pretty sure it wasn’t that.A lot of the spending guardrails we see in games like these are actually the result of regulations in other territories, especially China, where gacha has been a big deal for a lot longer. For example, gacha games have a daily limit on loot boxes, with the number clearly displayed, and a system collectively called “pity,” where getting the banner item is guaranteed after a certain number of pulls. Lastly, developers have to be clear about what the odds are. When I log in to spend the Revelation Crystals I’ve spent weeks hoarding in my F2P Infinity Nikki experience, I know that I have a 1.5% chance of pulling a 5-star piece, and that the odds can go up to 6.06%, and that I am guaranteed to get one within 20 pulls, because of the pity system.So, these odds are awful. But it is not as merciless as sitting down at a Vegas slot machine, an experience best described as “oh… that’s it?”There’s not a huge philosophical difference between buying a pack of loot boxes in Overwatch, a pull in Genshin Impact, or even a booster of Pokémon cards. You put in money, you get back randomized stuff that may or may not be what you want. In the dictionary definition, it’s a gamble. But unlike the slot machine, it’s not like you’re trying to win money by doing it, unless you’re selling those Pokémon cards, which is a topic for another time.But since even a game where you don’t get anything, like Balatro or Luck Be A Landlord, can come under fire for promoting gambling to kids, it would seem appropriate for app stores and ratings boards to take a similarly hardline stance with gacha.Instead, all these games are rated T for Teen by the ESRB, and PEGI 12 in the EU.The ESRB ratings for these games note that they contain in-game purchases, including random items. Honkai: Star Rail’s rating specifically calls out a slot machine mechanic, where players spend tokens to win a prize. But other than calling out Honkai’s slot machine, app stores are not slapping Genshin or Nikki with an 18+ rating. Meanwhile, Balatro had a PEGI rating of 18 until a successful appeal in February 2025, and Luck Be a Landlord is still 17+ on Apple’s App Store.Nobody knows what they’re doingWhen I started researching this piece, I felt very strongly that it was absurd that Luck Be A Landlord and Balatro had age ratings this high.I still believe that the way both devs have been treated by ratings boards is bad. Threatening an indie dev with a significant loss of income by pulling their game is bad, not giving them a way to defend themself or help them understand why it’s happening is even worse. It’s an extension of the general way that too-big-to-fail companies like Google treat all their customers.DiIorio told me that while it felt like a human being had at least looked at Luck Be A Landlord to make the determination that it contained gambling themes, the emails he was getting were automatic, and he doesn’t have a contact at Google to ask why this happened or how he can avoid it in the future — an experience that will be familiar to anyone who has ever needed Google support. But what’s changed for me is that I’m not actually sure anymore that games that don’t have gambling should be completely let off the hook for evoking gambling.Exposing teens to simulated gambling without financial stakes could spark an interest in the real thing later on, according to a study in the International Journal of Environmental Research and Public Health. It’s the same reason you can’t mosey down to the drug store to buy candy cigarettes. Multiple studies were done that showed kids who ate candy cigarettes were more likely to take up smoking (of course, the candy is still available — just without the “cigarette” branding.)So while I still think rating something like Balatro 18+ is nuts, I also think that describing it appropriately might be reasonable. As a game, it’s completely divorced from literally any kind of play you would find in a casino — but I can see the concern that the thrill of flashy numbers and the shiny cards might encourage young players to try their hand at poker in a real casino, where a real house can take their money.Maybe what’s more important than doling out high age ratings is helping people think about how media can affect us. In the same way that, when I was 12 and obsessed with The Matrix, my parents gently made sure that I knew that none of the violence was real and you can’t actually cartwheel through a hail of bullets in real life. Thanks, mom and dad!But that’s an answer that’s a lot more abstract and difficult to implement than a big red 18+ banner. When it comes to gacha, I think we’re even less equipped to talk about these game mechanics, and I’m certain they’re not being age-rated appropriately. On the one hand, like I said earlier, gacha exploits the player’s desire for stuff that they are heavily manipulated to buy with real money. On the other hand, I think it’s worth acknowledging that there is a difference between gacha and casino gambling.Problem gamblers aren’t satisfied by winning — the thing they’re addicted to is playing, and the risk that comes with it. In gacha games, players do report satisfaction when they achieve the prize they set out to get. And yes, in the game’s next season, the developer will be dangling a shiny new prize in front of them with the goal of starting the cycle over. But I think it’s fair to make the distinction, while still being highly critical of the model.And right now, there is close to no incentive for app stores to crack down on gacha in any way. They get a cut of in-app purchases. Back in 2023, miHoYo tried a couple of times to set up payment systems that circumvented Apple’s 30% cut of in-app spending. Both times, it was thwarted by Apple, whose App Store generated $1.1 trillion in developer billings and sales in 2022.According to Apple itself, 90% of that money did not include any commission to Apple. Fortunately for Apple, ten percent of a trillion dollars is still one hundred billion dollars, which I would also like to have in my bank account. Apple has zero reason to curb spending on games that have been earning millions of dollars every month for years.And despite the popularity of Luck Be A Landlord and Balatro’s massive App Store success, these games will never be as lucrative. They’re one-time purchases, and they don’t have microtransactions. To add insult to injury, like most popular games, Luck Be A Landlord has a lot of clones. And from what I can tell, it doesn’t look like any of them have been made to indicate that their games contain the dreaded “gambling themes” that Google was so worried about in Landlord.In particular, a game called SpinCraft: Roguelike from Sneaky Panda Games raised $6 million in seed funding for “inventing the Luck-Puzzler genre,” which it introduced in 2022, while Luck Be A Landlord went into early access in 2021.It’s free-to-play, has ads and in-app purchases, looks like Fisher Price made a slot machine, and it’s rated E for everyone, with no mention of gambling imagery in its rating. I reached out to the developers to ask if they had also been contacted by the Play Store to disclose that their game has gambling themes, but I haven’t heard back.Borrowing mechanics in games is as old as time, and it’s something I in no way want to imply shouldn’t happen because copyright is the killer of invention — but I think we can all agree that the system is broken.There is no consistency in how games with random chance are treated. We still do not know how to talk about gambling, or gambling themes, and at the end of the day, the results of this are the same: the house always wins.See More:

Heading into Doom: The Dark Ages, I thought the game being a prequel to the 2016 series reboot would make a good entry point for the series. Despite enjoying high-octane first-person shooters, Doom and its 2020 sequel Doom Eternal somehow never landed on my radar (although I will defend the so-awful-it’s-good 2005 film and its first-person-shooter sequence). So I entered The Dark Ages, something of an origin story for the Doom guy and his crusade against the forces of Hell, ready to gorge the lore and push through the series. After completing its roughly 10-hour, 22-chapter campaign, I can definitively say: That shit doesn’t make any sense. And it doesn’t matter. We got demons to kill. The Dark Ages casts you as the Slayer, a remarkable soldier who’s so much better at murdering demons than any of the human rabble you come across. Why is he the best demon murderer? Shh, demons to kill. Doomguy is kept in reserve by some sort of alien group called the Maykrs (a tragedeigh pronounced like “makers”), chilling in a ship floating above the human-versus-demon battlefields. He’s almost like The Winter Soldier in that he’s kept as something of a prisoner in between being called upon for demon-slaying missions. In the early parts of the story, before he breaks free, he’s basically loaned out to techno-medieval humans as they battle against hordes of demons from Hell. Or are they aliens? Is this game set on Earth? Dude, there are demons to shotgun in the face. While on loan, Doomguy shows up everyone incapable of killing demons by slaying hundreds upon hundreds of them himself, sometimes just by jumping from really high up (so cool). He fights with some human kingdom in its quest to keep some MacGuffin away from some Big Bad Demon. The story takes the Slayer to Hell and also to an alien planet… maybe. Who really knows? You’ll be too busy parrying attacks with the chainsaw shield or piloting a mech suit to care. Its story won’t be receiving any honors come awards season, but Doom: The Dark Ages’ gameplay might. Parrying attacks and an emphasis on melee add welcome variety to the ways the Doom Slayer battles enemies, and by the end of the game, as you’ve upgraded his arsenal, you’ll truly feel like an unstoppable demon-killing machine, swapping between from the skullcrusher to the accelerator to more depending on what the situation calls for. Once the BFC — big fucking crossbow — winds up in your hands, it’s truly lights out for the demons. Though its plot may not matter (or make a lick of sense), by the end of The Dark Ages, you’ll at least understand the fear Doomguy instills in demons after you slaughter who knows how many of them, including their leader. Doomguy’s taken over the Maykr ship, now seemingly his base of operations for his demon-slaying exploits. He’s the demons’ nightmare, their eternal enemy, their John Wick after his puppy was killed. He’s unrelenting in his quest to rid the cosmos of demons. Why again does he need to kill demons? Hey man, just enjoy that sweet, sweet chainsaw shield.