Skip to main content

Publications

For the most up to date list of my publications, see Google Scholar.

2025

Supporting Human Raters with the Detection of Harmful Content using Large Language Models
Kurt Thomas, Patrick Gage Kelley, David Tao, Sarah Meiklejohn, Owen Vallis, Shunwen Tan, Blaž Bratanič, Felipe Tiengo Ferreira, Vijay Kumar Eranti, Elie Bursztein
Proceedings of the IEEE Symposium on Security and Privacy (IEEE S&P 2025)

2024

Magika: AI-Powered Content-Type Detection
Yanick Fratantonio, Luca Invernizzi, Loua Farah, Kurt Thomas, Marina Zhang, Ange Albertini, Francois Galilee, Giancarlo Metitieri, Julien Cretin, Alex Petit-Bianco, David Tao, Elie Bursztein
arxiv 2024

Privacy Risks of General-Purpose AI Systems: A Foundation for Investigating Practitioner Perspectives
Stephen Meisenbacher, Alexandra Klymenko, Patrick Gage Kelley, Sai Teja Peddinti, Kurt Thomas, Florian Matthes
arxiv 2024

Help-seeking and coping strategies for technology-facilitated abuse experienced by youth
Diana Freed, Sunny Consolvo, Dan Cosley, Patrick Gage Kelley, Ender Ricart, Kurt Thomas, Natalie Bazarova
Proceedings of the ACM Conference on Computer-Supported Cooperative Work and Social Computing (CSCW 2024)

Give and Take: An End-To-End Investigation of Giveaway Scam Conversion Rates
Enze Liu, George Kappos, Eric Mugnier, Luca Invernizzi, Stefan Savage, David Tao, Kurt Thomas, Geoffrey M Voelker, Sarah Meiklejohn
Proceedings of the Internet Measurement Conference (IMC 2024)

Understanding Help-Seeking and Help-Giving on Social Media for Image-Based Sexual Abuse
Miranda Wei, Sunny Consolvo, Patrick Gage Kelley, Tadayoshi Kohno, Tara Matthews, Sarah Meiklejohn, Franziska Roesner, Renee Shelby, Kurt Thomas, Rebecca Umbach
Proceedings of the USENIX Security Symposium (USENIX Security 2024)

Poisoning web-scale training datasets is practical
Nicholas Carlini, Matthew Jagielski, Christopher A Choquette-Choo, Daniel Paleka, Will Pearce, Hyrum Anderson, Andreas Terzis, Kurt Thomas, Florian Tramèr
Proceedings of the IEEE Symposium on Security and Privacy (IEEE S&P 2024)

2023

Understanding the behaviors of toxic accounts on reddit
Deepak Kumar, Jeff Hancock, Kurt Thomas, Zakir Durumeric
Proceedings of the Web Conf (WWW 2023)

Understanding digital-safety experiences of youth in the US
Diana Freed, Natalie N Bazarova, Sunny Consolvo, Eunice J Han, Patrick Gage Kelley, Kurt Thomas, Dan Cosley
Proceedings of the CHI Conference on Human Factors in Computing Systems (CHI 2023)

“There’s so much responsibility on users right now:” Expert Advice for Staying Safer From Hate and Harassment
Miranda Wei, Sunny Consolvo, Patrick Gage Kelley, Tadayoshi Kohno, Franziska Roesner, Kurt Thomas
Proceedings of the CHI Conference on Human Factors in Computing Systems (CHI 2023)

Robust, privacy-preserving, transparent, and auditable on-device blocklisting
Kurt Thomas, Sarah Meiklejohn, Michael A Specter, Xiang Wang, Xavier Llorà, Stephan Somogyi, David Kleidermacher
arxiv 2023

“There will be less privacy, of course”: How and why people in 10 countries expect AI will affect privacy in the future
Patrick Gage Kelley, Celestina Cornejo, Lisa Hayes, Ellie Shuo Jin, Aaron Sedley, Kurt Thomas, Yongwei Yang, Allison Woodruff
Proceedings of the Symposium on Usable Security and Privacy (SOUPS 2023)

“Millions of people are watching you”: Understanding the {Digital-Safety} Needs and Practices of Creators
Patrawat Samermit, Anna Turner, Patrick Gage Kelley, Tara Matthews, Vanessia Wu, Sunny Consolvo, Kurt Thomas
Proceedings of the USENIX Security Symposium (USENIX Security 2023)

2022

Sok: A framework for unifying at-risk user research
Noel Warford, Tara Matthews, Kaitlyn Yang, Omer Akgul, Sunny Consolvo, Patrick Gage Kelley, Nathan Malkin, Michelle L Mazurek, Manya Sleeper, Kurt Thomas
Proceedings of the IEEE Symposium on Security and Privacy (IEEE S&P 2024)

“It’s common and a part of being a content creator”: Understanding How Creators Experience and Cope with Hate and Harassment Online
Kurt Thomas, Patrick Gage Kelley, Sunny Consolvo, Patrawat Samermit, Elie Bursztein
Proceedings of the CHI Conference on Human Factors in Computing Systems (CHI 2022)

2021

“Why wouldn’t someone think of democracy as a target?”: Security practices & challenges of people involved with US political campaigns
Sunny Consolvo, Patrick Gage Kelley, Tara Matthews, Kurt Thomas, Lee Dunn, Elie Bursztein.
Proceedings of the USENIX Security Symposium (USENIX Security 2021)
🏆 Distinguished Paper Award

Designing Toxic Content Classification for a Diversity of Perspectives
Deepak Kumar, Patrick Gage Kelley, Sunny Consolvo, Joshua Mason, Elie Bursztein, Zakir Durumeric, Kurt Thomas, Michael Bailey
Proceedings of the Symposium on Usable Privacy and Security (SOUPS 2021)

SoK: Hate, Harassment, and the Changing Landscape of Online Abuse
Kurt Thomas, Devdatta Akhawe, Michael Bailey, Dan Boneh, Elie Bursztein, Sunny Consolvo, Nicola Dell, Zakir Durumeric, Patrick Gage Kelley, Deepak Kumar, Damon McCoy, Sarah Meiklejohn, Thomas Ristenpart, Gianluca Stringhini.
Proceedings of the IEEE Symposium on Security and Privacy (IEEE S&P 2021)

2020

Who is targeted by email-based phishing and malware? Measuring factors that differentiate risk
Camelia Simoiu, Ali Zand, Kurt Thomas, Elie Bursztein.
Proceedings of the Internet Measurement Conference (IMC 2020)

Sunrise to Sunset: Analyzing the End-to-end Life Cycle and Effectiveness of Phishing Attacks at Scale
Adam Oest, Penghui Zhang, Brad Wardman, Eric Nunes, Jakub Burgis, Ali Zand, Kurt Thomas, Adam Doupé, Gail-Joon Ahn.
Proceedings of the USENIX Security Symposium (USENIX Security 2020)
🏆 Distinguished Paper Award
🏆 Second Prize winner of the 2020 Internet Defense Prize

2019

Toward Gender-Equitable Privacy and Security in South Asia
Nithya Sambasivan, Nova Ahmed, Amna Batool, Elie Bursztein, Elizabeth Churchill, Laura Sanely Gaytán-Lugo, Tara Matthews, David Nemer, Kurt Thomas, and Sunny Consolvo
IEEE Security & Privacy Magazine, 2019

Five years of the Right to be Forgotten
Theo Bertram, Elie Bursztein, Stephanie Caro, Hubert Chao, Rutledge Chin Feman, Peter Fleischer, Albin Gustafsson, Jess Hemerly, Chris Hibbert, Luca Invernizzi, Lanah Kammourieh Donnelly, Jason Ketover, Jay Laefer, Paul Nicholas, Yuan Niu, Harjinder Obhi, David Price, Andrew Strait, Kurt Thomas, and Al Verney
Proceedings of the Conference on Computer and Communications Security (CCS 2019)

Protecting accounts from credential stuffing with password breach alerting
Kurt Thomas, Jennifer Pullman, Kevin Yeo, Ananth Raghunathan, Patrick Gage Kelley, Luca Invernizzi, Borbala Benko, Tadek Pietraszek, Sarvar Patel, Dan Boneh, and Elie Bursztein
Proceedings of the USENIX Security Symposium (USENIX Security 2019)
🏆 Distinguished Paper Award

Hack for Hire: Exploring the Emerging Market for Account Hijacking
Ariana Mirian, Joe DeBlasio, Stefan Savage, Geoffrey M. Voelker, and Kurt Thomas
Proceedings of the World Wide Web Conference (WWW 2019)

Evaluating Login Challenges as a Defense Against Account Takeover
Periwinkle Doerfler, Maija Marincenko, Juri Ranieri, Yu Jiang, Angelika Moscicki, Damon McCoy, and Kurt Thomas
Proceedings of the World Wide Web Conference (WWW 2019)

Rethinking the detection of child sexual abuse imagery on the Internet
Elie Bursztein, Travis Bright, Einat Clarke, Michelle DeLaune, David M. Eliff, Nick Hsu, Lindsey Olson, John Shehan, Madhukar Thakur, and Kurt Thomas
Proceedings of the World Wide Web Conference (WWW 2019)

“They Don’t Leave Us Alone Anywhere We Go”: Gender and Digital Abuse in South Asia
Nithya Sambasivan, Amna Batool, Nova Ahmed, Tara Matthews, Kurt Thomas, Laura Sanely Gaytán-Lugo, David Nemer, Elie Bursztein, Elizabeth Churchill, and Sunny Consolvo
Proceedings of the CHI Conference on Human Factors in Computing Systems (CHI 2019)
🏆 Best paper award

2018

Data Breaches: User Comprehension, Expectations, and Concerns with Handling Exposed Data
Sowmya Karunakaran, Kurt Thomas, Elie Bursztein, and Oxana Comanescu
Proceedings of the Symposium on Usable Privacy and Security (SOUPS 2018)

SybilFuse: Combining Local Attributes with Global Structure to Perform Robust Sybil Detection
Peng Gao, Binghui Wang, Neil Zhenqiang Gong, Sanjeev R. Kulkarni, Kurt Thomas, and Prateek Mittal
Proceedings of the Conference on Communications and Network Security (CNS 2018)

2017

Data breaches, phishing, or malware? Understanding the risks of stolen credentials
Kurt Thomas, Frank Li, Ali Zand, Jake Barrett, Juri Ranieri, Luca Invernizzi, Yarik Markov, Oxana Comanescu, Vijay Eranti, Angelika Moscicki, Dan Margolis, Vern Paxson, Elie Bursztein
Proceedings of the Conference on Computer and Communications Security (CCS 2017)

Understanding the Mirai Botnet
Manos Antonakakis, Tim April, Michael Bailey, Matt Bernhard, Elie Bursztein, Jaime Cochran, Zakir Durumeric, J. Alex Halderman, Luca Invernizzi, Michalis Kallitsis, Deepak Kumar, Chaz Lever, Zane Ma, Joshua Mason, Damian Menscher, Chad Seaman, Nick Sullivan, Kurt Thomas, Yi Zhou
Proceedings of the USENIX Security Symposium (USENIX Security 2017)

Pinning Down Abuse on Google Maps
Danny Yuxing Huang, Doug Grundman, Kurt Thomas, Abhishek Kumar, Elie Bursztein, Kirill Levchenko, and Alex C. Snoeren
Proceedings of the World Wide Web Conference (WWW 2017)

2016

Picasso: Lightweight Device Class Fingerprinting for Web Clients
Elie Bursztein, Artem Malyshev, Tadek Pietraszek and Kurt Thomas
Proceedings of the Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM 2016)

The Abuse Sharing Economy: Understanding the Limits of Threat Exchanges
Kurt Thomas, Rony Amira, Adi Ben-Yoash, Ari Berger, Ori Folger, Amir Hardon, Elie Bursztein, Michael Bailey
Proceedings of the Symposium on Research in Attacks, Intrusions and Defenses (RAID 2016)

Investigating Commercial Pay-Per-Install and the Distribution of Unwanted Software
Kurt Thomas, Juan Antonio Elices Crespo, Ryan Rasti, Jean-Michel Picod, Cait Phillips, Marc-André (MAD) Decoste, Chris Sharp, Fabio Tirelo, Ali Tofigh, Marc-Antoine Courteau, Lucas Ballard, Robert Shield, Nav Jagpal, Moheeb Abu Rajab, Panos Mavrommatis, Niels Provos, Elie Bursztein, Damon McCoy
Proceedings of the USENIX Security Symposium (USENIX Security 2016)

Cloak of Visibility: Detecting When Machines Browse a Different Web
Luca Invernizzi, Kurt Thomas, Alexandros Kapravelos, Oxana Comanescu, Jean-Michel Picod, Elie Bursztein
Proceedings of the IEEE Symposium on Security and Privacy (IEEE S&P 2016)

Remedying Web Hijacking: Notification Effectiveness and Webmaster Comprehension
Frank Li, Grant Ho, Eric Kuan, Yuan Niu, Lucas Ballard, Kurt Thomas, Elie Bursztein, Vern Paxson
Proceedings of the World Wide Web Conference (WWW 2016)

2015

Neither Snow Nor Rain Nor MITM … An Empirical Analysis of Email Delivery Security
Zakir Durumeric, David Adrian, Ariana Mirian, James Kasten, Elie Bursztein, Nicolas Lidzborski, Kurt Thomas, Vijay Eranti, Michael Bailey, J. Alex Halderman
Proceedings of the Internet Measurement Conference (IMC 2015)
🏆 IRTF Applied Networking Research Prize

Trends and Lessons from Three Years Fighting Malicious Extensions
Nav Jagpal, Eric Dingle, Jean-Philippe Gravel, Panayiotis Mavrommatis, Niels Provos, Moheeb Abu Rajab, Kurt Thomas
Proceedings of the USENIX Security Symposium (USENIX Security 2015)

Framing Dependencies Introduced by Underground Commoditization
Kurt Thomas, Danny Yuxing Huang, David Wang, Elie Bursztein, Chris Grier, Thomas J. Holt, Christopher Kruegel, Damon McCoy, Stefan Savage, Giovanni Vigna
Proceedings of the Workshop on the Economics of Information Security (WEIS 2015)

Ad Injection at Scale: Assessing Deceptive Advertisement Modifications
Kurt Thomas, Elie Bursztein, Chris Grier, Grant Ho, Nav Jagpal, Alexandros Kapravelos, Damon McCoy, Antonio Nappa, Vern Paxson, Paul Pearce, Niels Provos, Moheeb Abu Rajab
Proceedings of the IEEE Symposium on Security and Privacy (IEEE S&P 2015)
🏆 Distinguished Practical Paper Award

2014

Dialing Back Abuse on Phone Verified Accounts
Kurt Thomas, Dmytro Iatskiv, Elie Bursztein, Tadek Pietraszek, Chris Grier, Damon McCoy
Proceedings of the Conference on Computer and Communications Security (CCS 2014)

Consequences of Connectivity: Characterizing Account Hijacking on Twitter
Kurt Thomas, Frank Li, Chris Grier, Vern Paxson
Proceedings of the Conference on Computer and Communications Security (CCS 2014)

2013

Trafficking Fraudulent Accounts: The Role of the Underground Market in Twitter Spam and Abuse
Kurt Thomas, Damon McCoy, Chris Grier, Alek Kolcz, Vern Paxson
Proceedings of the USENIX Security Symposium (USENIX Security 2013)

Practical Comprehensive Bounds on Surreptitious Communication Over DNS
Vern Paxson, Mihai Christodorescu, Mobin Javed, Josyula Rao, Reiner Sailer, Douglas Schales, Marc Ph Stoecklin, Kurt Thomas, Wietse Venema, Nicholas Weaver
Proceedings of the USENIX Security Symposium (USENIX Security 2013)

2012

Manufacturing Compromise: The Emergence of Exploit-as-a-Service
Chris Grier, Lucas Ballard, Juan Caballero, Neha Chachra, Christian J. Dietrichq, Kirill Levchenko, Panayiotis Mavrommatis, Damon McCoy, Antonio Nappa, Andreas Pitsillidis, Niels Provos, M. Zubair Rafique, Moheeb Abu Rajab, Christian Rossow, Kurt Thomas, Vern Paxson, Stefan Savage, Geoffrey M. Voelker
Proceedings of the Conference on Computer and Communications Security (CCS 2012)

Adapting Social Spam Infrastructure for Political Censorship
Kurt Thomas, Chris Grier, Vern Paxson
Proceedings of the 5th USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET 2012)

2011

Suspended Accounts in Retrospect: An Analysis of Twitter Spam
Kurt Thomas, Chris Grier, Vern Paxson, Dawn Song
Proceedings of the Internet Measurement Conference 2011 (IMC 2011)

Design and Evaluation of a Real-Time URL Spam Filtering Service
Kurt Thomas, Chris Grier, Justin Ma, Vern Paxson, Dawn Song
Proceedings of the IEEE Symposium on Security and Privacy (IEEE S&P 2011)

2010

The Koobface Botnet and the Rise of Social Malware
Kurt Thomas, David M. Nicol
Proceedings of the International Conference on Malicious and Unwanted Software (MALWARE 2010)
🏆 Best Paper Award

@spam: The underground on 140 characters or less
Chris Grier, Kurt Thomas, Vern Paxson, Michael Zhang
Proceedings of the CCS Conference on Computer and Communications Security (CCS 2010)

unFriendly: Multi-Party Privacy Risks in Social Networks
Kurt Thomas, Chris Grier, David M. Nicol
Proceedings of the Privacy Enhancing Technologies Symposium (PETS 2010)

Barriers to Security and Privacy Research in the Web Era
Kurt Thomas, Chris Grier, David M. Nicol
Proceedings of the Workshop on Ethics in Computer Security Research (WECSR 2010)