BTC Sessions - Social Engineering: They Can’t Hack Your Bitcoin BUT They Can Hack You!
Episode Date: January 13, 2026

Mentor Sessions Ep. 047: Human Hacking Bitcoin Wallets, Deadly Social Engineering Scams & Nuclear Breaches | Christopher Hadnagy

What if one phone call could drain your Bitcoin wallet like MGM's $190M ransomware nightmare, or social engineering tricks from Jamaican bank heists expose why Bitcoin's human element is your biggest security flaw? In this episode of BTC Sessions, world-renowned human hacking expert Christopher Hadnagy reveals how AI-fueled scams like sextortion are exploding, and targeting Bitcoin holders with FOMO, romance frauds, and voice phishing that bypasses security. He breaks down wild stories of tailgating, breaking into nuclear facilities and owning bank servers with just a clipboard, proving no system is safe from psychological manipulation. Chris warns of dark web guides and shares pro defenses like code words, MFA, and OSINT to hack-proof your sats. From QR phishing to AI accent-erasing vishing, he exposes how hackers spoof LinkedIn for $250K Bitcoin thefts. As founder of Innocent Lives Foundation, Chris flips his skills to hunt predators worldwide, rescuing kids from exploitation rings.

If you're self-custodying BTC, this is your must-watch guide to human hacking threats, social engineering secrets, and Bitcoin security mastery—don't let hackers own you!

About Christopher Hadnagy
Website: https://www.social-engineer.com/
Podcast: https://www.social-engineer.org/podcast/
X: @humanhacker
Innocent Lives Foundation: https://www.innocentlivesfoundation.org/

Chapters:
00:00:00 Teaser & Intro
00:01:35 Guest Intro & Social Engineering Definition
00:02:58 Jamaican Bank Heist
00:09:21 Heist Reflections
00:10:19 Tactics: OSINT, Pretexts & Influence
00:14:51 Bitcoin's Human Flaw
00:16:31 Common Pretexts & LinkedIn Scams
00:20:57 Scam Losses & Global Impact
00:22:55 Motivations: FOMO, Romance & Sextortion
00:28:42 AI's Role in Scams
00:32:35 Vectors: Phishing, Vishing & MGM
00:35:17 Generational Shifts: Smishing/QR
00:38:53 Defenses: Verification, Code Words & MFA
00:42:19 Breaches & Security Failures
00:45:51 Sovereign Computing & Nostr
00:47:22 Nuclear Facility Stories
00:53:57 Innocent Lives Foundation Origins
00:58:06 ILF Mission, Impact & Resources
01:02:46 Podcast, Class & Closing

Previous Episode:
Mentor Sessions Ep. 046: Bitcoin 2026 Bull Run, TradFi Myths & Fed Liquidity Secrets | Joe Consorti: https://youtu.be/7p16VXpyEpU
Transcript
I got hired to break into three banks in Jamaica.
Just owned the whole thing.
I got hired to break into a nuclear facility once.
I was successful six times.
The phone is a very, very powerful vector to get people to do things.
Look at last year, MGM, major breach, that was done through the phone.
The hotel was shut down for nine days.
They lost $190 million.
We're seeing AI has taken the scam market and the threat actor market through the roof.
And of course, you know, crypto is a major part of that.
The newest form of QR phishing is a big deal.
Everything in social engineering starts with...
Meet Christopher Hadnagy, bestselling author and the world's top social engineering expert
who's hacked Fortune 500 companies, governments, and even nuclear facilities to expose
the human vulnerability.
Now he's here to reveal why Bitcoin's biggest threat isn't tech, it's you, and how to fight back
like a pro.
In this episode, Chris demonstrates powerful social engineering tactics with real world stories.
So he takes me down the hallway, badges the door, and he goes, do I need to be here with you?
No, no, you can go back to the desk, it's fine.
You keep the bank secure.
We'll be in here. Outlines the latest explosion of deadly scams and how to defend yourself.
I saw an interesting report last year from the FBI and their research and threat actors
seen an 80% increase in spear phishing. And how their tactics are now being used to rescue children
around the world. That guy got arrested. He'll be in prison for 150 years. Plus, Chris shares
some hilarious tales from when things went horribly wrong. The door gets kicked open. Five guys with
AR-15s come out. Slam us on the ground. What are you doing here? And I'm like, oh my God, there's a
letter in my pocket, right? You know, like, I was just like, please don't shoot. Chris, thank you so much
for joining me this morning. Really excited to have this conversation to kind of kick things off.
You've hacked some of the largest companies in the world. Can you give us a story of maybe some
of the wildest social engineering strategies, attempts, things that you've done that even like
the most tech savvy Bitcoiners have been fooled. And for anyone that might not be familiar, can you
give us a brief outline of what social engineering is? Sure. So social engineering,
Well, I'll give you my definition, and then I'll tell you how it works in the business world, right?
So I define social engineering as any act that influences a person to take an action that may or may not be in their best interests.
And I use the broad general definition because I think it's not always negative.
It can be used for positive, you know, to influence people positively or it can be used in malicious terms.
From the question you asked me, then we use social engineering in a way to audit companies in order to test their human firewalls, right?
So they're humans that work there.
How susceptible are they to influence that can create a vulnerability within an organization?
And we do this in a way where we don't want to shame people or create embarrassment, right?
So we're not using pretext that would be like flirtation or something embarrassing to them because we want them to be teachable.
Now, the bad guys, they don't care.
So they'll use anything.
They'll use sexual pretext.
They'll use something embarrassing, threats, violence.
They'll use whatever. And we need to understand that so that way we can educate companies.
But as a professional, we don't want to ever use those type of things to hurt people.
We want to be the good guys always.
Beautiful. And so then can you take us through and give us a chance to pull out some
examples of the tactics and skills that were at play there? What's maybe like the wildest social
engineering story that you have, either of yourself or a colleague or some member of the team?
Yeah, okay, wildest. Let me say there's quite a few. So I'm trying to think about
there was this time I got hired to break into three banks in Jamaica.
It's okay.
Yeah, right?
So we get me and my buddy, we get to Jamaica.
And it hits me, like, we definitely stand out in this country.
We are the wrong skin color.
And there's very, very few white people there.
So we had to come up with a pretext.
Why are we going to be in this bank in broad daylight?
And why do we, why does it matter?
Right.
So we came up with a pretext that we were doing an IT audit for credit card transactions.
So we were going to be there finishing this audit.
We had found on the web that they were actually conducting an audit with an American company
in order to get approval for doing business in America.
So we're like, perfect.
This is great.
So I had some shirts made with a logo on it.
We had some clipboards.
So we get to Jamaica, our host, he drives us to the first bank across the street.
We're just going to do a scope out.
And no one told me that their security.
So the bank is surrounded by a fence with barbed wire.
And in the in the,
in the fence are young men with dirt bikes,
helmets with like fangs drawn on them and sawed-off shotguns.
That's their security.
I'm like, wait, wait, wait, you didn't tell me this before we got here?
Like this is the, this is what we're breaking into.
And he's like, oh, yeah, don't worry.
Don't worry.
As long as you know, you don't do anything.
You're not going to, you know, use the guns.
I'm like, that, like, what the heck?
So I tell my buddy Ryan, I'm like, okay, so here's what we're going to do.
We need a distraction, right?
So we're going to, I went up to a guy in the street, just walking down the street.
And I said, hey, man, you want to make $20?
He said, sure, what do I got to do?
I said, I want you to walk into the bank and just talk to the security guard about how you get a job at the bank.
He's like, I don't want to work there.
I'm like, great.
I just want you to just have a conversation.
He's like, what is this about?
I'm like, we're just doing a test, you know?
So I'm like, he's like, great.
And here's 20 bucks.
walks in the bank. I said to my buddy, okay, just follow me. So he's having a conversation with
the security guard. And we just walk in and I grabbed my cell phone. And I'm like, yeah, Frank,
we're coming up right now. And I walk right through the metal detectors. And we walk right past
the guard. He hears me on the phone. And we just walk up the stairs. Never even stops me.
So we get upstairs. I've never even seen the inside of this bank. So I have no clue where we're
going. So we get up the stairs and right to the right. There's a woman walking in front of us.
And I'm like, let's just follow her. And she keys into this door. She,
walks in and the sign says ATM testing center. So we walk in and all these ATMs are there,
just taking apart, they're doing parts and testing it. And she turns around and goes, excuse me,
you can't be in here. And so, yeah, we're doing the PCI audit. Don't worry. And she's like,
oh, okay, that was it. She lets me go. So I'm like, okay. So we walk around and we're taking
pictures of the ATMs. We're plugging things into network sockets. We're just doing all this.
And we were there maybe like 30 minutes. I'm like, okay, we got to get out of here. So like,
okay, you guys pass. We're going to go down the hall. And we walk out and we see a sign that says the call center. So we start walking down the call center. And the door is locked. We could see there's like an RFID thing. So I'm like, man, maybe somebody will come and we walk real slow. And as we get closer, I see a woman walking towards a door. So I speed up and she badges out and I hold a door open for her, oh, yeah, ladies first. She's like, oh, thank you. And then we walk in, right? So we quickly scoot around the aisle way. We go down this one aisle. And there's a woman
sitting there on the phone and she's next to a computer that's on but logged out. So I say to her,
hey, I need you to log into this computer. And she's like, I need to log into this computer.
I said, yeah, we're doing an audit. I need you to log into this computer, please. And she's like,
okay. And as she leans over to type her credentials in, I just hit record on my phone. And I start
recording her password, right? But now she logged in and she's like, okay, this is weird. I said,
no, no, we're just doing a quick audit. So Ryan sits down and he starts hacking away at
the computer just like, you know, hacking the whole network. And right behind me, there's a guy sitting
on his computer and he gets up to go use the bathroom and he leaves his computer completely unlocked
his credentials there. So I go sit at his computer and I start doing the same thing. Five minutes later,
this woman comes out. She's a manager. She's like, hey, I don't know how many you guys are,
why are you guys here? So we're doing a PCI audit. We're just finishing up. She's like, okay,
and she walks away, but we could tell her she was really thinking something. So a few minutes later,
the main manager comes out and she's like, who's your contact here? And I said, oh, I forgot his name.
She's like, no, you're not here unless you have a contact. Come with me. So she goes, takes me around.
We're going to security. So we go down to security. And she says, hey, these two here, they don't have a contact.
And while we were walking down the stairs, I was looking through my phone for the name of the guy who I should have remembered.
So let's say, it's like, they don't have a contact name. And I said, I just forgot it. You know, you kind of startled me.
It's Frank. And she's like, well, you didn't know it up there. So she says to the security guard.
You take care of them. And he says, well, I saw them come in. So I think they're okay.
And I said, oh, you know what? Let's just call Frank. And you can ask him. So I pick up my phone and I call the guy out in the van. Right. And I'm like, hey, Frank, Mr. Smith, I need you to verify with security that we're supposed to be here. He catches on.
So I hand him the phone, guy with a Jamaican accent. He says them, yeah, this is Frank Smith. I'm sorry. I forgot to put them on the list. I should have done that. So the woman.
and walks away. Security guards like, okay, okay, what should I do now, sir? And he's like,
they need to finish their audit. So let them do whatever they need to do. So he gives me the phone
back. I'm like, yes, Mr. Smith. Thank you so much, sir. Okay, we'll finish shortly. You
hang up the phone. And he's like, so where do you need to go? I'm like, we need to go to the server
room. You know, can we do that? He's like, sure. So he takes me down the hallway and badges the
door. And he goes, do I need to be here with you? Like, no, no, you can go back to the desk.
It's fine. You keep the bank secure. We'll be in here. Just owned the whole thing.
Oh my God.
Yeah. So we're there
maybe an hour. We exit the bank and I'm like
let's just get the heck to the van and get the heck out of here.
Just totally owned the whole thing.
Didn't get killed. You know, that's one of our
phrase we always said, Ryan didn't die.
And yeah, that's maybe one of the craziest stories I have.
That is unbelievable with the high stakes and everything too.
But I'm not going to lie, I can tell by the micro expressions
that you quite enjoyed this job.
I think it's quite the adventure as well.
Very good pickup on that.
Yes.
That's incredible. I want to pull a few things out of there of what exactly was in play, because it almost sounds like something out of a movie or something that's ridiculous or just good luck as you're going through. But even I picked up on a few things. So we had the pretext of all getting the information beforehand. You had the props that were involved. We also had a couple bit players. There was reading the person who was suspicious of you. Can you walk us through in this particular scenario? What were some of the skills that you were deploying? And how was it, how was it you were then able to navigate this human hacking to go directly to the server room?
Yeah. Okay. So yeah, that's a really good question. So everything in social engineering starts with OSINT, and that stands for open source intelligence, right? So that's what we find on the internet. Like everyone does it, but we do it with intent. You know, if you're going to a restaurant and you look up the reviews, that's OSINT, right? If your kid is about to go over someone's house, you look up their family to make sure they're safe, that's OSINT. We do it looking for clues on what would be a trigger, an emotional trigger, that would allow us to get,
gain access to what we need to gain access to.
In this case, that audit was, that PCI audit was right on the heels.
So we knew that was a good one to give us an excuse for being two white guys in a country
that doesn't normally have a lot of the, you know, American people just walking around
a bank.
So we had to have something that would, now the brain goes, okay, yeah, this makes sense, right?
Because we need to give the brain an excuse to excuse activity that looks a little suspicious.
So the first thing was a distraction.
The guy talking to the security guard,
he sees the shirt,
he's not going to actually question us.
He might have to ask us who's your contact here,
but now he hears us talking on the phone,
and he's just like, okay, yeah, they're here.
They're already with someone, let them go.
Once we get upstairs, the walking, and this is called shoulder surfing.
Oh, no, I'm sorry, it's called tailgating.
So when we tailgate into the ATM room, you know, we're in there,
and now we're in this very secure
room and we're saying to her PCI, oh, yeah, okay, we already had some guys here. I get it. Okay, no problem.
We're giving her an excuse to ignore these two strangers that shouldn't be in this room. And there's
signs everywhere, you know, like no unauthorized personnel must have the proper security badge.
You know, everything is in there. Like being inside of an ATM is one of the biggest dangers because
if you know the tech they're using, I mean, think of this right now, and I'm sure all your listeners
have heard of this, the skimmers, you go to a gas station or an ATM, you're supposed to jiggle
the slot because there's skimmers that they have that you can put right over there that could steal
all your info. If I know what kind of tech they're using in that ATM, I know what kind of
skimmer to put on their ATMs. So like being in there and taking pictures of inside that massive
threat, right? Then next, getting the password, it was by just kind of telling her with an authoritative
tone with no threat, I need you to put your password in this computer. And she was like, why do I need
to put mine? Oh, we're doing an audit. Please do it.
And it was just very authoritative.
I'm standing.
She's sitting.
You know, it's a great education lesson because it's like she was questioning me,
but she didn't feel she had the authority enough to actually question me and say like,
I don't know if I should do this, right?
Now, the first manager comes out and we gave her the same excuse and she walks away,
but we saw her.
And now we're reading body expressions, you know, body language, facial expressions.
And I can tell.
I'm like, Ryan, she did not believe me, you know?
So she went back to the big men.
like, hey, these two guys, like, what's all, what's up?
What do you know about this?
And she starts looking through, no, we don't know.
Now the big manager comes out.
And she's like, okay, you're coming with me because you don't know the name.
So she takes us to security.
And this is where the main flaw happens.
She takes us to security thinking, okay, they'll take care of it.
So she feels safe now.
I did my job.
I brought them to security.
But we had already owned the security guard by being seen before, right?
And then having the phone call, he never spoke
to Frank Smith in his life, the president of the bank.
Like that security guard never had a conversation with him.
So all he hears is another Jamaican voice saying he's Frank Smith and being like,
oh, yes, sir, yes, sir, yes, I'll do it.
I'll do this.
Yeah, thank you, sir.
And that's it.
And then after that, when he's like, now what do I do,
taking me to the server room, that's a request.
The president just told you to take me wherever I need to go.
So it's a lot, like the path to that breach is making sure we fill all the
mental gaps of where questions would be and giving them answers that they don't have to then ask,
right? And that's basically like how you influence someone is when you start when a target,
I hate using that phrase, but when a target starts thinking, that's when you lose the ability
to influence. Because as soon as I start questioning you, like, wait, wait, this doesn't sound right.
Or, wait, tell me more about that. Now I'm thinking. I'm critically thinking. But if I can fill all those
gaps in before you ask questions, now I have your brain stuck in alpha mode.
you're on autopilot and bam,
where you're just going to comply with anything I ask.
That's incredible.
It's funny because there's two things that popped into my mind.
One is it's kind of like the opposite of being on YouTube
and doing the podcast thing where my goal is to create as many curiosity,
like open loops as possible.
It's almost like you're trying to avoid those at all costs,
that everything just goes into autopilot and we just skirt by.
It's amazing how like the bit players and like it's amazing how much even like,
you'll see it in advertising like the lab coat or the tech shirt
can carry so much authority.
that people will just comply with it.
I do want to add one other quick story
because I realized I did this as a kid
and I didn't even know what I was doing at the time.
When I was maybe underage with friends
and we'd want to go out and have a pint,
I'd make sure that we'd dress nice,
wear nice shoes, always wear nice shoes.
And what we would do is we'd skirt in
and go find a table where they hadn't bust yet
and grab an empty glass and go ask for a refill.
And they wouldn't check us
because we were showing up with the glass already.
The pretext was, we're here hanging out
and having a drink.
I want to, so very much so,
I believe in particularly in Bitcoin, the biggest security flaw is the human element, right?
A lot of the tech and the tools are absolutely phenomenal. A lot of times they'll be having
conversations with a client and they want no single point of failure. And always have to
remind them that as long as you can move it, as long as you have access to it, you're the single
point of failure. It's the responsibility that we necessarily have to deal with. So again,
you've worked with government agencies, Fortune 500 companies. Are there any psychological tricks or
common pretexts that almost work on everybody. The kind of golden go-tos that people should be
on the lookout for. I'm thinking like tech, janitor, I'm not sure if the authoritative sort of
position works, but is there anything that's like these are really commonly used for people that
are malicious actors? Yeah. So tech support is a big one, right? Because especially when it comes to
cryptocurrency, just recently, and I was doing it just to see how far I can get. I got this, this
LinkedIn message from somebody who the name I knew the guy. I knew who he was. He's a friend of
mine. We haven't spoken in a couple years, but I know him. And he says, hey, I have this friend that's
really interested in your industry. Can I introduce you to her? And I'm like, yeah, sure, no problem.
He's like, do you still use Signal? I'm like, yeah, here's my number in case you lost. He's
great. Now he introduces me to this woman named Rachel. And she's a jewelry designer. Okay.
and she moved into L.A. from Russia,
and she just wants to learn about my industry,
and she's very interested.
Great conversations back and forth.
Sends pictures, nothing illicit.
Sends pictures, sends videos, sends all sorts of things
that prove that she's real.
And now the conversation starts.
I'm very interested in cryptocurrency.
And I've made a lot of money investing in cryptocurrency.
Would you want to learn how to do it?
And I said, oh, I'm very interested in.
I don't know much about crypto.
So I'm kind of a novice.
You just to teach me everything.
Next thing I know I'm getting invited to a platform.
This platform is a special platform that can help you make lots of money.
Look, here's my bank account.
I turned $1,000 into $300,000.
All these, everything that you know is about to happen.
And all she wants me to do is, of course, invest in this one crypto on this platform
that I can't find anywhere else in the world.
Right?
And all I've got to do is give like, just do $1,000 and you'll see the return.
Okay.
$1,000. 5,000 comes back. What? So I see, if you gave me 50,000, you know what would happen?
And you know, you could see it clear what's happening. And then it's like, you obviously had not
researched your mark. Right. And I told her you have not researched your mark. And if you did,
you would know what's about to happen right now. And then I went back. And this was the part that shocked
me. I went back to my LinkedIn chats, to the guy who I know. And that chat was now just LinkedIn
user. And I'm
like, oh, they went as far as actually spoofing his account.
So this was a targeted attack against me.
I'm like, that's interesting.
That's really interesting.
But during that whole process, besides that, using people that you know, there was tech support involved.
Like she said, if you have any questions, just click the support button on this platform.
There's people there 24-7 to answer questions.
So, of course, I do.
Hey, what is this platform?
How does it work?
Can I just do this through Coinbase?
That's where I like to invest.
Can I just do it through Coinbase or do I have to do it?
No, no, you have to use this platform.
You can't do it through Coinbase.
All the benefits and profits come through this platform.
You can't use other platforms.
So there's tech support sounding legitimate, telling me all these things that I want to hear.
And because they're using the language and they're looking for people who claim to be novices, right, to claim to be, I don't know much about crypto.
Why?
Well, that's because now you can manipulate them easier.
And I remember one guy here locally in Orlando.
I got I got pinged by a news reporter who was asking you help this guy.
He lost 250K and it was this exact scam.
They said, look, we have, you know, Bitcoin was going through the roof.
It was early, like mid-COVID when Bitcoin was just rushing to the to the 100s, right?
And it was, he says, you know, the guy said, just give me 5K.
And within three days, I had 15,000 back.
He's like, so that was a 300% return.
I'm like, what the heck?
This guy's like, here's all my money, 250,000.
Because he's like, if he could turn this into a million, all of a sudden,
the guy's gone.
Can't get him.
Email account's dead.
Everything's dead.
And this guy's life savings is completely in the wind.
They ended up, we ended up tracking it to some group out in Nigeria, South Africa somewhere.
And it was just a group that was doing this on mass accounts.
It's doing this to a ton of people.
But they use this.
These platforms that are going to make you
instantly rich, tech support that sounds real,
and then they follow it up with all of these.
This woman has an account on LinkedIn that's years old.
Like, her old history is there.
You know, she's following other people,
writing posts.
I mean, they went through a lot of trouble
to make sure that this whole thing looks as legitimate as possible.
That's a lot of money in it.
That's why.
Yeah, as I say, I think there's,
I remember hearing like hundreds of billions in terms of scams.
Like, it's just an unfathomable amount of money
that is stolen from people every year.
I'm curious too, because there's a few things that I want to pull apart.
One was just basically, what is the most common motivation that we're seeing for these sort of scams right now?
So I've seen love scams.
I've seen this kind of greed.
It's funny because I'm surprised they actually do like they give them the 5K and they get the 15 back.
It reminds me something out of the movies.
or like you pretend to suck at pool just to hustle somebody.
But that seems like a risky play.
But I've seen love, greed, and then the fear as well too.
What's kind of dominating currently the motivation that they're trying to attack on the target,
if that makes sense?
So one of the big ones I see is FOMO, right?
Fear of missing out.
Like when Bitcoin was just shooting up to 100K, people were legitimately making a lot of money.
There was a lot of people becoming overnight millionaires.
And those of us on the sidelines watching
We're like, I want a piece of that
So that was a big one
Second one is we see a lot of romance scams
A ton of romance scams happening right now
They're really targeting widows and widowers
Right? So people who have just lost mates
Who have some money, they're on Facebook mostly saying
Oh man, my husband of 40 years just passed away
Here's some pictures of our travels and here's a yacht,
Here's a Ferrari, here's this. Oh, bam,
A guy comes on and he's like, hey, I just saw your post.
You don't know me.
God bless you.
I lost my wife five years ago.
It does get easier.
Just stay strong.
Now this complete stranger is telling this woman and she's like, wow, that's so nice of you.
Thank you.
And they just start chatting.
And it's just innocent chat.
Nothing turns sexual at all.
Next thing you know, it goes from once a week to a couple times a day to all day.
They're chatting to where now it's like, you know, I want to come visit you.
But I can't because I'm from this very poor country and visas
They're very expensive and, you know, I just, I can't do it.
I'll pay for the ticket.
I'll pay for the visa.
And of course, after five, six, $10,000 is sent, he's at the airport.
He gets stopped by security.
They took my visa.
I must have filed it wrong.
I'll save money and pay you back and I'll come.
No, no, no, I want you to be here.
I'll give you more money.
Let's do the visa right.
I had this one woman here.
She lost 150K.
And at the end of it, she believed that her kids were just trying to ruin her happiness.
She believed that this person was real and that he loved her.
And it's just so sad.
On the backside of that with our young people, we're seeing something called sextortion.
And they're really targeting young men.
What they do is they chat up as a young, attractive female, usually somewhere between 14, 16 years old.
And they send a nude, right?
And this is usually someone else they've extorted.
And they say, hey, you know, here's my pic.
I want a pic of you.
So guy sends that. They start sexting back and forth. Then, you know, this is a terrible topic, but they asked the kid,
I want to see you. So they take a video of himself. As soon as he sends that video to them, then the guy reveals,
I'm not a 15-year-old girl. I'm this dude from Africa or whatever. And now I have this video of you,
and I'm going to give it to your parents. I'm going to post it on Facebook. Or you're going to start taking
money from your parents, crypto, if they have it, whatever they have, you're going to start giving it to me.
So the kids do.
It starts off small $100, $200, then it starts getting larger and larger.
And the kids are like, I don't want to do this.
We have two ways.
You either keep doing it or you can't be yourself.
And they actually suggest suicide.
Wow.
There have been hundreds of suicides across this country because of this right now.
And these guys don't care.
There's actually a guide on the dark web on how to do this, training people how to do this to other kids.
It's completely awful.
It gives me goosebumps just talking about it because of how disgusting it is.
It's unbelievably dark.
It's basically just setting up a blackmail operation, specifically targeting incredibly vulnerable young men.
Yes.
Yeah.
Because the routine is men tend to not go for help, right?
So they know that, boy, we don't want to go to our parents and say, Mom, Dad, I took a picture of me myself, sent it to this group, and now they're making me steal things.
They don't want to go for help.
So their pride, ego, whatever it is, keeps them.
And I have a really good friend.
He's actually a house representative in South Carolina.
And he speaks about this because his son committed suicide because of this exact scam.
And it's incredibly dark.
It's horrible.
But we see, and they've taken anything, credit cards, crypto, any type of coin, anything that you can give them that they can cash out and take.
And they have operations.
Like we're talking like sometimes it's call centers of people just sitting in an office, like a day job doing this nonstop.
It's terrific.
So those are some of the top ones that
we're seeing happening and that people need to be aware of.
No, it's funny.
Your story about the romance scam, I've actually, I tried to assist with a situation that was
almost identical.
It was the daughter of someone who reached out and said, hey, I think my dad's being
scammed.
But at the end of the day, if I can't convince somebody that they're being scammed, right?
There's something I can do to convince them that like, hey, that person doesn't exist.
And so the money's gone.
There's no getting back.
And I'm not even sure at this point in time, if they're necessarily aware that they're still
being scammed or what happened there.
It's unbelievably frustrating.
I do want to talk, it's a bit of a darker topic, but we're going to get there a little bit later as well, too,
because I want to talk about your work with the Innocent Lives Foundation as well, because I would imagine,
just by the nature of your work, you're going to have to, you're going to be in the dark areas of the internet from time to time.
But continuing just briefly on the scam moment, I want to see if how large language models, how AI may have changed the social engineering landscape over the last couple of years.
Because if I already guess, I would say that most of the attack vectors are coming from phishing.
So like you're just your emails with links trying to get people involved in open
up conversation, but probably wasn't as much of the vishing or the voice phishing, but that may be
shifting. So I'm curious, Chris, the AI's impact on social engineering and the security concerns
mean to have now.
Two major ones. So first, we found a hacking group, a threat actor group out
of the country of Georgia. They were using an AI-based software that took away their accents
and it made them sound American. It was a, and I found it's a legitimate piece of software. They
actually sell it for call centers who are out of the Philippines or other places where they want
them to sound British or American. And it's a piece of software that sits on the phone system that
takes away the accents. Well, the bad guys are now using it because we kind of been taught,
you know, you hear an Indian Microsoft support probably a bad guy, right? Or, oh, that Filipino
call center, I don't know if I trust you, right? So we've been taught that as terrible as that is to
racially profile, but we kind of have been beaten with that. Now they're like, well, we've got to
about with something else.
Yeah.
Second thing was I was in a conference in Spain last year, and there was two federal agents
from Japan that were there, and they said that phishing was never an issue in Japan.
Like, they rarely saw it.
And they said, did soon, and they remember that the year that ChatGPT went viral, that
all of a sudden, phishing went up 50%, and 100%, and 200%, and 200%, they started to analyze.
And what it was, is that before Russia was their main adversary, and their, there was, and
their translation skills sucked.
And now ChatGPT
and all of us know this, I can take any paragraph
I want, put it in this GPT and say
translate it to this language and it's
perfect, perfect dialect.
You send it to a person of that
language and they read it.
It's like, whoa, do you speak this?
I'm like, no, no, I just had to translate it.
And those two things are the things that we're seeing AI.
Now, the third one I'll give you is on the dark web.
There is a tool called FraudGPT.
So they kind of hacked ChatGPT and took away all of the stoppers.
For 1,800 euros a year, you can have access to this tool that writes phishing emails,
actually writes malware, could hack websites just by telling it, go to this website,
hack it, writes phishing campaigns, sends them, and then collects credentials.
It can write vishing scripts.
It can write small bits of Trojans and ransomware and send them to targets.
It's truly unbelievable now.
You don't have skill.
I mean,
when I started this back in the day,
if you were going to hack someone,
you had to have skill.
And we used to call people
who couldn't hack script kiddies.
Like you just,
you just DDoS things.
You just write something small.
Now you don't have to have talent at all.
You don't have to have skill.
You just have to have 1,800 euros a year.
That's it.
And you can do anything.
So we're seeing AI has taken
the scam market
and the threat actor market
through the roof.
And of course,
you know,
crypto is a major part of that because it got very popular during COVID.
And a lot of people who never even thought about investing in crypto became crypto investors.
So everyone's got a Coinbase wallet.
So that became one of a major vector that we see.
And with the downside of that, too, I always try to push that.
Like the best thing you can do for your security in terms of Bitcoin is just information.
Keep learning, right?
It's when you're in a situation that you don't understand how it operates or what you have,
that you're going to be vulnerable to somebody guiding you through basically one of those scripts
and ultimately giving up your private key, giving up information, giving in your login to your account.
What I found, I never even thought about it from that perspective because I see tons of stuff
online about like vibe coding and what people are building using, you know, Grok and Claude and
all these amazing tools, but I never even consider the fact that that has the double-edged sword,
that now you don't need any coding skills to build up malicious, malicious software.
I'm curious then because we are focusing mostly on the human element, but if we take a look at
basically like Trojans, the kind of actual tools that people might be trying to use to gain
access to a computer or device.
What are the major, what are the most common vector of someone's trying to get malicious
software onto a device?
What should you be looking out for?
What kind of tools are people building using these AI
models and how are they getting it there?
So there's two main vectors and the third that we're seeing popping up.
So first is, of course, phishing is always going to be the biggest one.
Because phishing, you can do, you can send millions of emails with one click.
And if you even get a 1% success ratio, it's still massive, right?
So phishing will always be.
But I saw an interesting report last year from the FBI
that they have recently in their research and threat actors
seen an 80% increase in spear phishing
being based on the targets of social media,
which means that the threat actors are actually looking at you,
looking at me, going to our LinkedIn, Instagram,
Twitter, whatever accounts.
And they're saying, okay, what does this guy like?
What does he tweet about?
What does he talk about?
and using that information in the phishing email.
That's really interesting.
The second one, which we're seeing massive increase in, is vishing, voice phishing.
You mentioned it before, but you look at last year, MGM, major breach.
That was done through the phone.
We're having an MGM.
I'm not familiar with that one.
Oh, my gosh.
So MGM, the Scattered Spider Group called support, called the guy, said they were support,
and they needed help getting this program installed, talked this guy into downloading
this EXE, installing it.
It was ransomware.
They owned the whole network, shut down everything.
I mean, what we found is MGM's network was flat.
So all of their casino machines were on the same network as their rooming and ATM.
The hotel was shut down for nine days.
They lost $190 million, $120 million, something around there.
And they wouldn't pay the ransom.
So eventually they ended up paying half the ransom.
and the hackers were like, we told you all of it or nothing,
so they kept the money and still didn't turn it back on.
And it was one phone call.
One phone call, that's it, to get someone to install a piece of software.
Clorox, same thing.
They called their tech support.
They got credentials given to them, logged into the network, hacked the living crap
out of the whole company.
We're just seeing the phone being used so much right now against hospitals,
against health care networks,
against manufacturing major Fortune 500s
because we are so busy
that if I get a phone call and my caller ID says,
oh, it's my tech support,
oh, I better answer this.
I'm going to answer it.
And their spoofing is simple,
using the language, looking it up.
And you have these companies that,
5,000, 100,000 people in it,
you don't know who the tech support is.
You'd never spoken to them.
And if you did, it's a new guy.
I just started last week, whatever.
The phone is a very, very, very
powerful vector to get people to do things.
Do you think that, I'm kind of curious, do you think that's going to change and kind of evolve
over time kind of generationally? And what I kind of mean by that is like, for me being an
internet native generation, like I remember getting dial up, maybe it was like eight or something.
I'm, I'm naturally distrusting of emails, right? I've lived through this so I naturally don't trust
emails, but phone was always the safe way as well too. Is it kind of getting to the point where we
probably will start to have those kind of inbuilt mechanisms that we just don't trust phone calls
necessarily anymore because it's getting too frequent. Like even now, I don't answer any call.
I don't recognize. I don't bother. There's no voicemail. I don't pick it up. Additionally, just to
kind of tee on to that, is there anything that you think that we can maybe use in order to
combat these sort of things? So what I'm thinking of in particular is how do we verify the identity
of the person that we're talking to, and I have some ideas, in a world where they can imitate a voice,
they know all the information, how do we trust at all or verify the person on the other end of the
phone?
Okay, there's a series of really good questions, by the way.
So yes to the generational thing, and we're seeing it.
So they came up with a new tech vector, which is smishing, SMS phishing, right?
Because the younger generation, they're just on their phone.
So now they get a text message saying, hey, this is your bank and your login failed,
or here's your code that you need to log in.
So they're using smishing now to grab credentials or to gain access to someone's phone.
Because if I can gain access to your phone, I don't know about you,
but I do everything on my phone, right?
Banking, credit card, crypto, everything's on my phone.
You gain access to my device.
I am screwed.
So I work really hard to make sure that device is locked down, right?
And the newest form of QR phishing is a big deal.
I mean, COVID taught us something really interesting is that we scan everything now, right?
So this group of hackers, I mean, I hate to say it was genius, what it was.
They went through New York City subway system and they were where all these ads were like, you know,
Subway $5 off coupon or get this pizza for $10 off.
They replace the QR codes with their own QR codes.
That would be download this app to get the coupon.
And of course, they download the app because they're trusting it.
It's right here in the subway in New York, right?
Must be real.
Download the app to get that pizza coupon.
And of course, the app is now hacking their phone.
And what people aren't reading and thinking is that when you're installing this app
and it's just a coupon app that's saying, I need access to your contacts.
I need access to your files.
They need access to your photos.
and it's just a sound and audio and pictures.
And everyone's like, yes, yes, yes, yes.
And it's just like you just gave this app access to everything, right?
Yeah.
So I do think generationally what we will see and that what we have seen is the attack vectors
will be very targeted towards a generation.
Vishing still works on the generation before me because business was always done in the phone.
Right.
So my dad, my grandpa, those people, they're going to answer a phone call, right?
They're not going to text message as much.
but the generation, let's say younger than me,
they're always on their devices
and social media is a big thing.
So we're seeing a lot of LinkedIn spoofing, right?
Where Instagram spoofing,
things like that where people are coming out
with accounts that look like,
I mean, I just saw this thing,
this woman lost, what was it, 200K?
Because she thought she was chatting with Elon Musk
and he was giving her an investment opportunity.
Wow.
Yeah.
And it's like the account was verified,
had his picture, talked like him, and she just fell for it. Right. It's just kind of, kind of crazy.
So your last question was, what are the things that we can do? I love what you said about verifying
because this is something I preached from the hilltops. Right now, there is no mechanism that
is going to allow you to verify everything. So my rule of thumb is I tell my kids, my wife,
my friends, my family, if you can't verify, do not give over information. So someone calls me,
and I pick it up and they say they're from my bank
and they want something that I shouldn't be giving.
You know, I'm going to call you back
and not on the number on the phone.
Pulling my credit card out,
dialing the back number,
and I'm like, here we are.
I'm going to call, take that number.
And you do that every time.
And if you don't have that,
then don't give the information out.
You know, when my grandma was around,
I would tell her, listen,
someone calls you and says that the police,
I've been arrested,
they need $5,000 for bail.
I said, here's a code word
that you and I have.
have no one else knows this word. Let's just say it was unicorn, right? And I wrote it down on a
sticky note and I put it next to her landline phone. And I said, Grandma, you never say this word.
I'm the only one whoever says this word. So if someone calls saying they're me and they need money,
they need help, you say, what's our code word? If I say, I'm too drunk to remember, you say,
when you sober up, call me back and you hang up. And I'm like, and that saved her from getting hacked a few
times because people would call, ask for money, and we had a verifying. I had that same system with
my daughter. You have a code word. So if you ever call me and use this word, I know you're actually
in trouble. But if someone calls me and said, you've been kidnapped and they want ransom, I'm going to
say, ask her for the code word. If they don't know it, I'm not going to trust it. So this is a very,
very important word. You never forget it and we never joke with it. We set up verification processes for
things that we can. But if you can't, right, I don't have the ability to set up a verification process
with my bank, right? So what I do is I call my bank and I say, hey, do you have a process for
wire transfers? Can I give a code word or a password that wire transfers can't be done without
this? Like, yes, great, here is my code and put it in the account and no one should ever say this
except me. So if someone calls with a wire transfer request, they have to have this word, right?
And anyone that allows me, and we call this multi-factor authentication or MFA, I tell people,
set it up on everything you can.
And don't say, oh, it's just my Netflix.
Oh, it's just my Instagram.
Set it up on everything.
Because I'm telling you this,
and this is still the case in 2026.
68% of the people surveyed say
that they reuse the same password
across multiple sites.
So your bank's not getting hacked.
I can tell you that right now,
even a community bank.
But Yahoo got hacked a couple years ago
to a tune of a billion accounts.
Now, if your Yahoo password
was the same as your Instagram
as your bank, as your credit card, as your coinbase,
the hackers are going to go try all that right away.
So if you have MFA set up on your accounts,
they're not going to get past that password.
But better yet, use a password manager and use MFA on everything
and let that password manager make up the passwords for you
as long as the account will let.
And the only thing you have to remember is your password manager's password.
And what I say is use a lyric from a song,
or use a sentence with spacings and punctuation.
Use something that you'll remember
That's not just a phrase
Like, you know, your favorite football team or something
You know, use something like, you know,
my daughter was born on this date, exclamation, exclamation,
and you have it all written out.
That's a very long sentence.
You're going to remember it.
It's going to take someone forever to hack that.
And all you need to do is remember that.
Let the password manager and MFA do the rest.
Very interesting.
I have a few things I want to tease out there too
because I'm curious.
And this goes beyond like my understanding
how password authentication is working on most,
I'd say like modern servers.
if I'm a hacker and I get into Yahoo,
my thought process would be that the,
the user's passwords would all be encrypted.
And so I wouldn't necessarily be able to extract that information.
But is it,
but there has to be some way that it's verifying when it goes ahead and checks.
So if like you get in the backdoor of Yahoo,
could you possibly get all the users like both login and password credential?
So let's tell a sad story about a password manager named LastPass,
promised and swore that they were secure as heck.
Someone hacked their back end and they found,
that a large majority of the passwords
from a legacy system
were all plain text, not encrypted.
Plain text passwords for millions of accounts.
And sadly,
LastPass kept their mouth shut
and they wouldn't tell you
if your password was breached or not.
So when that happened and I was using LastPass,
we got rid of that account
and I had to go change the thousands of accounts
that were in my manager
because I didn't know if I was one of the legacy accounts
that had a non-encrypted password.
So you're right. It should be encrypted. But let's think about McDonald's just
got breached a few months ago. Their employment database, like where you can go sign up to work,
we had millions and millions and millions of people's names, social security, everything in there.
The password was password. No. I'm not kidding. It was over 2025 and the password was password.
How many billions of dollars is McDonald's worth? Like, oh my God. Yeah. And that's a lot of people's
Social Security numbers, date of births, address, phone numbers, everything about you,
you put on an employment application there, just sitting on a server with the password of password.
It's, so you're right.
We should be seeing things like you said locked down, but we're not.
We're not seeing it, right?
The companies are still, and this is a little bit of a soapbox moment for me, so I won't go off too much.
But just recently, the U.S. government actually held a CEO accountable of a company that
got breached and fined the CEO personally.
When you start doing that, now you're going to see security get taken seriously.
As a CEO, if my money is being threatened, not my insurance carrier, not my company's money,
right?
Because, you know, hey, while Walt Disney was firing millions of people, hundreds of thousands of people,
while the president was taking a $25 million bonus.
So his money doesn't get hurt while these people are living in their cars.
Right.
So you start fining the C-level
of these companies that made decisions to not be secure,
I guarantee you you're going to see that CISO and that CEO
on that security team like white on rice saying,
are we secure, are we good?
I need to know right now.
We need to see more of that because what they do is they hide behind their policies.
And you think about Yahoo getting breached.
Let's go back even further Target when they got breached with their credit card systems.
Did people stop shopping at Target?
No.
Did people stop applying for jobs at McDonald's?
No. It happens because the companies are like, well, we're still in business. We're okay.
You start fining those CEOs for bad security. And I guarantee you you're going to see a change because we're not seeing what you said. They should be encrypted.
But sadly, many times, it's poor security infrastructure and process that still makes it vulnerable.
I'm still absolutely blown away that the password was password. I can't get that out of the back of my mind because it's so absolutely ridiculous. And you're right. The people that made those decisions that it's, it's, it's,
We're kind of like in a weird abstract where people don't necessarily realize the value that data has.
They just give it away so freely.
You're so open to just putting everything on Facebook and just posting it.
Here's all my credentials.
Oh, my goodness.
How much value that information goes for that the person that, especially if it's in situations where it's required,
if they were required to collect personal information and they mishandled the security
of it.
Of course, you should be liable for it, right?
Yes.
You've had somebody's data stolen and put them in potentially in harm's way.
One thing I do want to throw in your radar, but I won't dive into it too much.
It's coming specifically from the Bitcoin world.
If you haven't checked them out,
I think it'd be awesome to have a conversation with you and Matt Hill and the team over at Start9.
Their whole mission is sovereign computing.
So it's self-hosted password managers, self-hosted files, right,
to try and get away from the LastPass sort of issues.
And then additionally, there's another tech that probably hasn't made it into your world yet,
very popular in the Bitcoin space called Nostr, notes and other stuff over relays.
But it has wonderful implications for identity because just a private, public key kind of setup.
So you can think of it like the most common use case is like Twitter.
It's like a social media experience.
But you have to sign the post with your private key.
So in terms of identity, I know that post came from at least the person who controls that key, right?
So it gives us another way to maybe verify identity in the future.
But I don't know about that.
There are a lot more things I want to get to and I don't want to make sure that I'm being
conscious of your time.
Has there, Chris, has there ever been a company that you were hired to do a security audit, right?
a threat kind of assessment to get in there, that you couldn't,
that their existing system actually stopped the best from getting through.
Oh, boy.
So I got hired to break into a nuclear facility once.
What?
And it was a week-long job.
Just a week?
Just a week.
We had five days, both nighttime and daytime.
And I was successful six times.
but I got arrested five times that week.
So I don't know if that counts because we were still successful,
but there was a couple wins on their part that were really excellent.
You know, really, I mean, the first time I got arrested that week,
this tiny female cop, I mean, she could have been over five, three,
rips me out of the truck that we were in,
slams me on the hood and had me cuffed before my face bounced off the hood.
I was so impressed.
I'm like, holy crap.
I said, I've never been cuffed so fast.
She's like, yes, scum.
And she tracks me over to this grassy area.
She has me kneeling on the grass.
And I'm like, where we get dead, right?
Like, I don't know what's happening.
And we always have a letter.
We always have a letter in our pocket.
That explains why we're here.
We call it the get out of jail free letter.
So I'm kneeling on the grass.
Ryan's next to me in the grass.
And I'm like, look, we're pest control.
I mean, go look in my truck.
You can see that we have all the spraying cans and everything.
She's like, I'm not looking in your truck, scum.
And I'm like, I'm like, I just look.
I just need you to go look in the truck.
You'll see.
I mean, look at our shirts.
Say pest control.
It's like, I don't care what your shirt say.
So she goes, are you armed?
And I'm like, no, no weapons.
But I had, okay, I have this knife that I carry.
Okay, this knife here.
I carry this knife and it's a switchblade, right?
So I carry this.
And I don't look at it.
Okay, great.
And I don't look at this as a weapon.
I look at this as a tool, right?
I mean, so when I said I wasn't armed, I said, no, I'm not armed.
She's grabbing things out of my pockets
and she holds this and she's looking at it
and I'm like, oh, please don't point that at your face.
She goes, why not? I'm like, it's a spring-loaded knife.
She goes, you said you weren't armed, scum.
And she kicks me, right? I'm laying on the ground like,
but I'm like, okay,
this is going south. I'm like, hey,
in my pocket there's a letter that explains
why we're here. So she means down
and she grabs a letter, she opens it up.
My point of contact,
Greg. She's like,
Greg, that mother. And I'm like, yeah, Greg,
Greg, yeah. She's like,
shut up, scum. And I'm like, but I'm not scum anymore. Like, you can see there here, right?
She's like, you're staying there until Greg gets. And when I knew, you know, Greg was in the bushes
video recording it. Like you. Oh my God. So, but they were very good. They handled themselves
really well. But yeah, that was, that was an interesting one. Actually, the second time we got
caught was even funnier because you can't make this stuff up. We had done our OSINT on the
facility where, and then we found that there was a facility they owned that was,
going to have a groundbreaking ceremony.
So we called a week in advance
and said we were from the local newspaper
and we wanted to send two photographers out
to the facility to gain access
to take pictures of the groundbreaking ceremony.
They said, sure, just bring their IDs, no problem.
So we had some fake IDs made and all this stuff.
And we used a real news station in the area.
So we get out there, guys like,
oh, yeah, just go in here, they'll give you your badges.
So we're like, this is it.
We're winning.
This is awesome.
We're going to be inside this facility.
we're going to be inside with all these guards.
Like no one's going to care.
We're going to have badges.
We can run around the hack, whatever we want.
So we get in there.
We give them our fake IDs and the guys back there putting our information in.
And there's one guard which we didn't see.
He texts the editor of that paper who happens to be his cousin.
And he says, hey, pretty cool.
Your photographer's here.
And she goes, photographer, question mark.
And he's like, yeah.
And he snapped a picture of us, which we didn't see.
And she goes, they don't work for me.
I don't know who they are.
So we don't know any of this is happening.
Next thing I know, the door gets kicked open.
Five guys with AR-15s come out, slam us on the ground.
What are you doing here?
And I'm like, oh, my God, there's a letter in my pocket, right?
You know, like, I was just like, please don't shoot.
You know, like, take the letter.
And right away, they were like, oh, okay, okay, this was an audit.
We get it.
We get it, you know.
But it was like, that was the second time.
I'm like, you can't plan that stuff because we were winning.
You can't know that that
guy behind the counter to happen to be on staff that day is related to the stinking woman who
runs the editorial of the newspaper like what like so we got you know that there is i don't know if that's
that's not that obviously isn't a story related to their security but they handled it quite quite
well something really funny um actually not really funny it's ironic but i laugh at it is we had this
suburban that we rented because we wanted to have we had to drive through the desert and all the
So at one point I pulled into the parking lot
and we were taking pictures of locks.
And what I didn't know is we had a drone
that we had flown over to take video
and they had spotted the drone.
And we didn't know they spotted the drone.
So I pull in, I'm taking pictures of locks
and I'm backing out and the reverse camera
comes up on the screen.
And there's like six guys with guns
running at the car saying, get out of the car.
I put it in drive and I just floor it.
And we pull out of the highway.
We're running away.
I'm fleeing to a little.
I'm like, Ryan's like, we're going to die, man.
Okay, we get away with that.
Two weeks later, some German nationals fly into the same place and they have a meeting at this facility and they rent the same car.
Same car?
They pull into the parking lot and the guys from the security have their license plate on the thing.
They come running out and they slam these guys on the ground.
They cuffed them.
They arrest them.
And they're like, well, what do we do?
What do we do?
My contact calls me.
He's like,
you just got some German nationals arrested.
They're good,
they're good,
but we have to explain that that car.
That's a good lesson for us.
Maybe next time we need to include in the report
all the assets that we use.
So that way someone else doesn't get arrested
for using the same car.
Anyway,
some stories from the field, sorry.
Oh my God.
No,
that's absolutely,
that's phenomenal.
And just side note on the knife too,
that knife that I carry was a gift from one of my best friends
who actually told me to get your book.
It was the introduction to me learning
He was the same one who gave me that knife as a present.
So I always carry it and it's very, very dear to me.
I do want to make sure that we do get a chance to cover.
I want to pivot here, completely different change of mood.
I want to talk a little bit about the Innocence Lives Foundation.
Innocent Life Foundation.
Lives Lives, my apologies.
And what exactly you've set up there, how you've gotten into it, and what kind of work you guys are doing?
Yeah.
Thank you for that, by the way.
So we're going back maybe 10 years.
I was doing a job, a social engineering job for a large organization,
and part of it was an internal network scan.
So once we get inside, they wanted us to scan the whole network and see what we can see,
what we'd be able to pivot to.
And I find this one guy late at night is computers on tour.
You know, that's a dark web.
So I asked the director, hey, is there any reason?
I know there's legitimate reasons.
Maybe you have someone on tour.
He's like, not in that department.
Can you tell us what he's doing?
I'm like, I can't because he's on tour, but I could install a key logger.
So we did. We installed a key logger and we found that this guy was flying to the Philippines.
He was small children recording it and then trading those recordings from his work computer to the dark web with other people like him.
And he wasn't doing it at home because they had his one shared computer with his wife, yada yada, we set up a sting operation.
That guy got arrested. He'll be in prison for 150 years.
Good.
And for me, and I know this sounds so naive, but when that happened back then 10, 11 years ago, I thought this isn't a problem here. I thought this was a third world problem.
Like, this is happening here. I started
doing research and finding that
at that time, 60%
of the world's child is
produced in America.
No. 60%
because we have so much freedom here.
You'll see it. And I'm not encouraging anyone to go
read reports, but you'll see someone who's been arrested
for the of a toddler.
They get two and a half years in prison.
They get five years in prison. They get seven years in prison.
You know, that's it. It's a short term
for these people that come out and do it again and again and again.
And I went to my lawyer and I said, I want to do more of that.
And he said, well, you've got a lot of problems.
He goes, first, hunting those people means you're coming in contact with child,
which is illegal, even if you're a good guy.
Second is, you can't be a vigilante.
Those guys on the interweb who go out and get these guys to come to McDonald's
and slap them around and humiliate them, law enforcement hates them
because they're vigilantes.
And those guys definitely get a walk because anything you have as proof gets thrown out out of the gutter, right?
And third, you have to have law enforcement contacts.
Otherwise, all of your leads mean nothing.
You're doing this for nothing.
So I'm like, ooh, thanks, Tim.
I got to go figure this part out.
So my first task, I was like, okay, how do we look into the predators without seeing bad stuff?
So me and my buddy, we created a virtual machine that is basically,
a hacked version of Windows that doesn't cache anything, has an automatic blur tool built in,
and it sits on unknown IPs in a cloud. So that means no one on their computer is accessing
the dark web. We're not saving any images and you can't see any images because everything's blurred.
Okay, problem number one solved. Problem number two, we have to come up with a rule set that makes us
non-vigilante. So we don't do undercover work. We don't make believe we're 13-year-old girl on the
internet. We don't do any of that. We literally go on the dark web, find people in forums
that have already admitted to children or posting content,
and we reverse who they are in the real web.
That's a lot of work, right?
I sadly can't get into how we do that
because that would then educate the predators.
And then thirdly, I had to get law enforcement contacts.
And that unbelievably was the hardest.
Because as soon as you approach as a citizen.
Yeah, even for me.
It was hard because you approach law enforcement as a citizen,
and they say, no, we're not interested in working with vigilantes.
So I had this case,
really sad case, a father who I knew, a friend of mine called me and said, oh, my daughter was groomed,
and she sent some nude pictures over Instagram. You know, can you help me find out who this guy is?
And I had taken over the account, done the research, found out who he was. And then I called my
contact in the feds. And I said, hey, I know you said, you want to work me, but I have a case.
And this guy, and I have the actual identity. And I didn't do anything. You have all the records.
And I handed everything over to him. They went and arrested this guy. And they called me.
said, okay, we'll work with you. And I was like, whew. So once I got that, then I was able to build
contacts with other major law enforcement in the U.S. over the last two or three years, we've
been able to build law enforcement contacts in 23 other countries. So we now have a great network
of law enforcement contacts. Our mission is to locate people who traffic children and create what's
called CSAM. That's child sex abuse material. And when we find those people, we then
geolocate them in the real world, wherever they are, and then we find a law enforcement
contact in that area and we hand that person over with all the steps we took. And it has to be
legal because the one thing I don't want to do is I don't want to ever have to testify,
because some of these people that we find are linked to cartels, linked to massive groups
that I don't want my name attached to, right? So we tell people we have to make that. Law enforcement
has to be able to reproduce every step that we do.
So we got to give them step one, step two, step three.
They go redo our research.
And once they prove it, they get a warrant and the rest is done.
I mean, just last week we had in where was it in Brazil, we had somebody, they arrested this guy found four terabytes.
Oh my God.
...computer, four terabytes.
And sadly, a lot of it was with his own children.
But he'll be in prison for a very, very long time.
So that's our mission.
Innocentlivesfoundation.org.
We do a lot of things there.
Besides that, we actually have a lot of education for parents,
for caregivers,
for people who maybe don't know how to monitor their kids,
don't have to talk to their kids about this.
A lot of info on there,
how you can talk to your children about this,
how you can bring this topic up.
So, yeah, we have a lot of things.
We're a nonprofit, so legitimate 501(c)(3).
We have only two employees.
Everyone else is a volunteer.
and I'm not an employee, I'm a volunteer.
So if anybody likes the mission
and they want to donate,
they can do that there
at innocentlivesfoundation.org.
Beautiful.
That's unbelievably admirable work that you're doing
and critical work that you're doing as well too.
It's nice to see
the skills and tools that you've learned
be put to such a, would you say,
a moral mission as well too?
Not that there's anything wrong with security.
No, I agree, though.
It's like that's really meaningful,
I would imagine for you.
When I can retire from my job, that's what I want to do full time, right, when I can retire
because it's like I love what I do for work. And you know, you saw that on my face, but my passion
project is that because what I have found through eight years, we've been doing this eight years now,
is not everybody can do it. And I get that. And I'm not saying there's weakness.
It's not everybody can do it. I have some really great friends that donate and help out,
but they can't be part of the mission because their mental makeup is not allows them to manage that.
and we've had some people that thought they were passionate, they came in, then they slipped on something that was horrific and they, they, you know, they need help. So we have a, we have a therapist on staff, right? Because we want everyone, we mandate therapy. If you work for us, you have to meet with her once a month, right? So we, we do this because we value that. So we tell people, listen, not everyone's made to do this. You know, it's kind of like, I know, I can't be a doctor because I do not like needles. I can't do it. So if you're a doctor and you can look at veins and blood and all that and not care, man, more power to you.
That's not me. It's not my job, right? I can do this and still sleep at night. So, you know,
I, you know, that's what I really want to do when I, when I can retire if that ever happens.
The time, the time will come. And even just that point you, like, I feel you in the sense,
I had a good friend that was, that was an EMS or EMT, but he had to retire from that profession
because there was a, there was a domestic situation he was called to and he couldn't
intervene. And he couldn't psychologically deal with that.
right? The fact that he's like, I'm well aware what's going on here, but I can't do anything
about it. And you got to know yourself. It's it's difficult work to go into those darker areas
of humanity. And it's admirable that you and your team are able to do so and to actually help
some people. Thank you. Yeah, they're amazing. Chris. Anyone who wants to support
Innocentlives.comfondation.org. Innocentlivesfoundation.org. And for anyone that might like
to work with you on the security front, check out the podcast, check out the book. Where can
they go and find you where are all the best links and resources to point them towards.
Excellent. Thank you. So our podcast, which has been around since 2009, if you can believe that.
Wow. That's as old as Bitcoin. It is, right? You know what? I kick myself to this day.
I remember when Bitcoin started. You would have seen it early. Yep. And somebody came to me like,
dude, give me like a couple hundred dollars. I'll get you like a bunch of these. And I'm like,
no one's ever going to do anything with that. I kick myself to this day. I would be retired right now.
If I had done that, right? Anyhow, 2009 podcast is on social-engineer.org, but it's on Spotify, iHeartRadio, Apple, iTunes. It's not everything. So you can go listen to it there. We have four different episodes of the podcast. The origin, which is the human element where I get someone interesting and we talk about that. Then we have the security awareness series where someone else on my team and I, we talk about good tips to be secure. We have the Doctor's In series, which is, I have this wonderful PhD that works with me. And she picks a scientific topic and we kind of dissect that for the month. And then the fourth Monday is with
an Emmy Award winning reporter and we kind of go over topics that just make your life better.
So it can be something as silly as how to care for your animals or something about, you know,
terrorism and sports events and things like that. It can we cover all sorts of topics.
But that's on social-engineer.org. And then if you want to know anything about the work
I do, it's social-engineer.com. I have a class coming up in February of this year called
the foundational application of social engineering.
And it's in Orlando.
And it's basically, it's not just if you're in this field.
This class covers like the basis of how to be a communicator from all levels.
So I've had every type of people in this class.
So if you're interested, just go to social-engineer.com.
You can info about it there.
Beautiful, Chris, love it.
We'll have to have you back on again.
We didn't even touch really on micro expressions or was it DISC.
And like there's so much more to unpack.
So we'll have to do it again.
Thank you so much for stopping by, my friend.
Thank you.
You. Yes, you watching the Bitcoin price movements and the latest exciting news.
It's awesome to stay informed, but the real power of Bitcoin comes from taking control.
Don't just watch, take action.
Head over to btcsessions.ca/learn for free step-by-step tutorials that guide you through
every major skill you need to know, plus full video playlist for deeper dives on any topic you
like. And if you're ready for the ultimate fast track, scroll to the bottom and check out
bitcoinmentor.io for premium one-on-one experience with my team of Bitcoin experts to ensure
you get it right the first time. Don't wait. Secure your Bitcoin future today. Hit the link in the
show notes or scan the QR code on the screen. If you enjoyed this episode, Christopher Hadnagy,
please do like and subscribe. It really does help out. And check out the previous episode with Joe
Consorti on his 2026 macro outlook.
