Darknet Diaries - 101: Lotería
Episode Date: September 28, 2021

In 2014 the Puerto Rico Lottery was mysteriously losing money. Listen to this never before told story about what happened and who did it.

Sponsors
Support for this show comes from IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet. And use promo code DARKNET.
Support for this show comes from Linode. Linode supplies you with virtual servers. Visit linode.com/darknet and get a special offer.

Sources
https://en.wikipedia.org/wiki/Puerto_Rico_Lottery
https://www.justice.gov/usao-pr/pr/10-individuals-indicted-drug-trafficking-and-money-laundering
https://www.dea.gov/press-releases/2014/07/22/caribbean-corridor-strike-force-arrests-10-individuals-indicted-drug
https://casetext.com/case/united-states-v-delfin-robles-alvarez-7
Transcript
When I was a teenager living at home with my dad, it always felt like he was invading my privacy.
He would do things like open and read the mail that I got, or he would go into my room when I wasn't there.
He says he was picking up trash or collecting dirty cups, but I always suspected he was going through my things for some reason.
Sometimes he'd barge into my room when I was there, too, and I didn't like that.
What if he saw me doing something on my computer that I didn't want him to see?
So I set up an early warning system so I would know when he was coming.
I would sometimes put sheets of newspaper just outside my door.
I'd arrange it in such a way that he'd have to step on it to get to my door,
and the crinkle of the newspaper would tip me off that someone's
coming. This worked for a while, especially just hearing him complain, ah, there's newspaper all
over the floor. What's going on out here? That way I would know he's coming in. But one day he
decided to be tricky. He wanted to come in my room, but didn't want to make noise with the newspaper.
So he came up to my door very slowly and quietly and gently picked up the newspaper
so that it didn't make a single crinkle noise. With the early warning system deactivated,
he opened my door and came right in. But I was sitting in my bed reading one of my school books.
I was baffled that he didn't trip my alarm. And I asked, Dad, how did you get in
without the newspaper making noises? And he held up the paper to show me he had picked it up.
And he said, I'm always two steps ahead of you. Glad to see you're doing homework and left.
Well, little did he know that I was four steps ahead. I had wired a proximity sensor up to my door that he didn't know about.
And if someone came up to the door, a little light would blink in my room, letting me know
that someone's getting close. When he came up to get the newspaper, I saw the little light blink.
I was playing games on my computer and I turned the monitor off, grabbed a school book and jumped
in bed and acted like I was reading. This is what you have to do sometimes to catch someone in the act.
Two steps ahead isn't enough. Sometimes you need to be four steps ahead.
These are true stories from the dark side of the internet.
I'm Jack Rhysider. This is Darknet Diaries.
This episode is sponsored by Delete Me.
I know a bit too much about how scam callers work.
They'll use anything they can find about you online to try to get at your money.
And our personal information is all over the place online.
Phone numbers, addresses, family members, where you work, what kind of car you drive.
It's endless.
And it's not a fair fight.
But I realize I don't need to be fighting this alone anymore. Now I use the help of Delete.me. Delete.me is a subscription service
that finds and removes personal information from hundreds of data brokers websites and continuously
works to keep it off. Data brokers hate them because Delete.me makes sure your personal
profile is no longer theirs to sell. I tried it and they immediately got busy scouring the
internet for my name and gave me reports on what they found.
And then they got busy deleting things.
It was great to have someone on my team when it comes to my privacy.
Take control of your data and keep your private life private by signing up for Delete Me.
Now at a special discount for Darknet Diaries listeners.
Today get 20% off your Delete Me plan when you go to joindeleteme.com slash dark net diaries and use promo code dark net at
checkout. The only way to get 20% off is to go to join delete me.com slash dark net diaries and
enter code dark net at checkout. That's join delete me.com slash dark net diaries. Use code dark net.
Support for this show comes from Black Hills Information Security. This is a company that does penetration testing, incident response, and active monitoring to help keep businesses
secure. I know a few people who work over there, and I can vouch they do very good work. If you
want to improve the security of your organization, give them a call. I'm sure they can help. But the
founder of the company,
John Strand, is a teacher, and he's made it a mission to make Black Hills Information Security world-class in security training. You can learn things like penetration testing, securing the
cloud, breaching the cloud, digital forensics, and so much more. But get this, the whole thing
is pay what you can. Black Hills believes that great intro security classes do not need to
be expensive, and they are trying to break down barriers to get more people into the security
field. And if you decide to pay over $195, you get six months access to the MetaCTF Cyber Range,
which is great for practicing your skills and showing them off to potential employers.
Head on over to BlackHillsInfosec.com to learn more about what services they offer and find links to their webcasts to get some world-class training.
That's BlackHillsInfosec.com.
Content warning.
There are multiple swear words in this episode.
If you'd rather not hear bad language, you've been warned.
Okay, so you don't want your real name?
No.
Okay, so we'll just make up something. Frank or Tim, I don't know. Let me go fucking do a random name generator. Let's see what that says. How about that?
Yeah, we'll let the ether tell us what it should be. Let's call it Owl Stalker.
Wait a minute.
What kind of name generator are you?
It's like a video game name generator?
Basically, yeah, dude.
Owl Stalker?
Yeah, why the fuck not?
All right.
I tried to use that name, but I just can't bring myself to call him Owl Stalker this whole episode.
So I'm just going to abbreviate his name to OS and call him Oz for short.
Yeah, just from a background perspective of early days, I used to run around in the warez scene as a warez administrator and a router, and also a crypto encryption cracker for games, for some of the largest groups that are out there.
I was actually not only hosting for the zero-day drops of the warez scene, but also producing zero-day for the warez scene.
Ah, the old warez scene in the 90s.
Warez is short for softwares,
but it specifically means pirated software.
Warez groups would buy software,
whether a video game or an app,
and then crack it so that you wouldn't need a license
or a serial key for it to run,
and then distribute it for anyone to download and use free of charge.
In the warez scene of the 90s, you could download pretty much any popular game or app without paying for it.
Today, that's kind of gone away, since apps and games require internet connections for them to run,
but this was the 90s, where internet wasn't that fast.
And this was also a time before torrenting was a thing.
So he was on IRC, the internet relay chat, and was setting up servers to be the place to go when you wanted to
download the pirated software. But he wasn't always distributing pirated software. When he got his
first gateway computer, he wasn't sure what to do with it. But then a friend told him to check out
IRC where he can meet others. So he figured out how to get into chat rooms to see what was there.
My nice baud modem decided to dial up.
I pop on and the first 10 minutes that I'm in, I actually get popped.
I had to rebuild my computer all the way from the ground up.
And at that time, it was all freaking disk to build the system.
And I vowed to never let that happen again.
And I was pissed.
This is what started him down a tour of the dark side.
He was already fascinated with what computers could do.
And so when his computer got hit with a virus,
it immediately fascinated him to want to know more.
He started asking around about how something like this could happen,
which led him eventually to these W-A-R-E-Z groups,
which were doing illegal things.
And so I went and learned and trained
and taught myself actually how to program.
Then I actually kind of just made the decision as I matured
and I saw some of the other big groups
really starting to get taken down,
like our peer groups in that warez scene starting to get really hit really hard. Several friends of mine that, you know, I'd met through the years of being in
that scene actually going to jail. And I was like, dude, I don't want that to be me.
So he decided to go in a totally new direction in life. After being hunched over his PC for years,
secluded in his bedroom, he straightened his back and went outside and started training.
One, two, three, four, United States Marine Corps.
One, two, three, four, United States Marine Corps.
And I chose the Marine Corps specifically because as I shopped around, all the other branches had already built cybersecurity units and were already in the process of kind of, they were one step ahead of where the Marine Corps was. And so I said, you know what, I want to go in the Marine Corps specifically for this.
I walked into a recruiting station and said, hey, are you guys doing stuff with computers to protect
computers? You know, it wasn't even cybersecurity, right? They didn't even have a name at that point.
They were like, hey, look, we really don't have a whole lot of options here. We'll see how you test. I tested really high on the entry level and was guaranteed to go into the role that I played in the military,
which was the cybersecurity side of the house, right?
If I die in a combat zone, if I die in a combat zone, pack me up and get me home.
The Marine Corps boot camp is 13 weeks long, and it's brutal.
By the time you're done, you'll be in the best shape of your life.
There are no computers in boot camp.
Instead, you're trained on how to be a killer.
You learn to fight, you learn to use weapons, you learn to overcome fear and any obstacle that might be in your way.
And I say all this because it reminds me of a very specific scene in the movie Full Metal Jacket.
The movie follows Marines through boot camp and into the Vietnam War.
And when they're finished with boot camp, that's when they're assigned their occupation.
Yes, sir.
1800, engineers.
You go out and find mines.
Cowboy.
Sir, yes, sir.
0300, infantry.
Taylor.
And then one guy stands out, Joker.
Joker.
Sir, yes, sir.
4212, basic military journalism.
You gotta be shitting me, Joker.
You think you're Mickey Spillane?
You think you're some kind of fucking writer?
Sir, I wrote for my high school newspaper, sir.
Jesus H. Christ, you're not a writer.
You're a killer.
A killer, yes, sir.
I didn't think about, like, the fact that the Marine Corps
is, like, this elite military
and they're trained to do nothing but kill, right?
Like that's literally all they are.
I looked at it more as a means to an end to go get the hands-on experience, right,
from the government and really get trained up on government capabilities.
And, you know, that's kind of how I looked at it.
Then I hit boot camp and went, oh, fuck, what did I do? Got stripped of everything that I was
and rebuilt to who I am to some degree today. Right. But how did I come back and go into that
computing side of it? I mean, that was my end goal. I set a goal prior to going in and I made agreements with the
Marine Corps that I would be provided that. Well, of course, you know, now later on, I'm realizing
how lucky I was because there are no guarantees. When you sign a contract with the government,
whatever military or any other freaking government service, you're not guaranteed a damn thing. And in particular with the military, right? But how I transitioned back in out of, out of kind of
that fighting mentality, I mean, I always kept it with me, right? Because we were trained to fight
first. But what was really cool is that we were the ones that were defining how to fight with
digital aspects first. So were you doing mostly offensive or defense, forensics, incident response?
So I did both.
It just really depended on where I was and what I was doing.
When I was typically not in a forward deployed state, then it was defensive.
And even in a deployed state, we would do defensive forensic stuff,
working with our signals intelligence or intelligence professionals as well.
We would take and consume that.
They would bring us physical devices, like I said, chip off type stuff, like where we would actually go desolder chips on a board and actually analyze it at that level.
But then also offensive kind of stuff.
How long did you spend in there?
I spent five years active duty. Long enough to realize that I made a really freaking awesome and terrible decision all in one.
Why was it awesome and terrible?
Well, it was awesome because I got to go do some really cool shit and learn a lot of really cool shit. And it sucked because, I mean, again, gotta talk to a Marine. You hate it while you're in and you love it while you're out, right? I mean, the life of a Marine is not, it's not an easy life, man. It's not at all.
But this experience really did level up his understanding of computers and specifically cybersecurity. So with this experience and know-how, he landed a job at a consulting company.
They were doing forensics and other cybersecurity kind of stuff, right?
And this is, you know, early 2010s, right?
Just to give perspective of time frame here.
And I got cherry picked by an individual to come into this consulting firm.
They had him start by doing digital forensics,
analyzing an infected computer
to try to understand more about the malware,
looking for clues in a network or system
that showed signs of intrusion,
stuff like that.
But they also had him doing some attack type work too, where he would be assigned to try to get into a computer or a website or a network to test how secure it was.
He did that for a while, but then he got a new assignment.
The government of Puerto Rico hired this consulting agency to come do some work.
18 degrees above the equator at that sweet spot where the Atlantic embraces the Caribbean is the island of Puerto Rico.
In Puerto Rico, they sold the work and they were like, OK, cool.
We need to staff resources. Hey, you have availability.
Cool.
Welcome to this project.
And that's just kind of how it goes.
Like in consulting firms,
you get assigned to projects, right?
It was sold to me as initially
that we were going down there
to do IT operational improvements.
What he was told was that for this project,
him and a team would go down, audit the network,
evaluate it, and see if there were any areas to improve
to make the network more secure.
Okay, so you pack your bags, you head out.
How long did you think you were going to be there?
That's a hilarious question.
I realistically thought that I was only going to be there for like maybe two to three weeks, like tops, right? We're going to come in
and evaluate their technical capabilities and look at like, okay, cool. You got like this 1970s IBM
mainframe. You might want to update that, right? Little did he know he would be staying there much longer than a few weeks.
He arrives in Puerto Rico and all goes as planned for a while. He sees what's there and yeah,
there are areas for them to improve the network to make it easier to maintain, get work done and
be more secure. So he's writing up all his findings and giving them suggestions on how to improve.
Then the next thing I know, we're in the middle of a meeting with the governor of
Puerto Rico. And he's like, I love the work that you guys have going on and that you've done for
us. I have a problem. And he goes, we are losing millions and millions of dollars a month through the lottery of Puerto Rico.
And we don't know how.
Now, to begin with, the governor of Puerto Rico is the highest person who has executive authority there.
So the fact that they got to meet with a governor was pretty interesting.
But this is a unique challenge, huh? To help figure out how they are losing millions of dollars through their state lottery?
Oz was intrigued by this problem, but he wasn't sure where to start.
He had to learn and get familiar with how the lottery system worked.
The lottery had weekly drawings.
The drawings themselves were physically done, live on TV, not electronic like how some lotteries are.
A bunch of balls go into a drum,
and then they draw one ball out at a time, showing the camera, and that's how the winning numbers are
announced. People would buy lottery tickets at special places that sold them, and if your numbers
match the numbers drawn, you win money. You don't have to match all the balls though. Even a partial
match, like if your ticket contained three out of the five numbers, you also won. And this Puerto Rico lottery is a big deal. It's been running since 1934 and is
ran by the Department of Treasury. Of course, a lottery is set up to generate revenue for the
government, since the amount of the payoffs is never more than the amount of money generated
through ticket sales. But in this case, the payouts were more than the ticket sales,
a lot more. Millions of dollars were being lost in the lottery.
We regrouped as a team and said, hey, you know, let's think through this. What are all the
possible reasons behind it? Maybe systems aren't just communicating and updating fast enough
because the network connectivity between, you know, building A and building B is absolutely horrible.
Maybe some clerical error in their systems, you know, like they're,
we're talking, you know, as we started to do our IT analysis,
they were still running like Windows 95 on some systems in the early 2010s.
Right. Like, it's like, Hmm. Okay.
So maybe you're just your processes aren't that good.
Maybe they haven't done a reconciliation of their books in a long time. So, hey,
let's bring in our forensic accountants and have them go, like, actually look at their,
you know, their numbers. So their forensic accountants looked through the ledger.
How much was paid out and how much was bought? And yeah, sure enough, millions of dollars more were paid out than were bought, which means the lottery was losing money, which is not supposed to happen. The lottery is set up to always generate money, not lose money. But these accountants couldn't figure out why. They did confirm that there were significant losses in the system, but from their analysis, it looked
like all the money was just going to
legitimate winners, and nothing suspicious
at all. This mystery
grew deeper.
We then
went and started at the
very onset of the process,
like, let's go physically look
at where the
actual lottery balls are stored, and how they're stored.
Now, since this is the governor asking for help, they had all the clearances and permission they needed to make a visit where the lottery is conducted.
He got to get up close and personal with the lottery balls themselves and analyze them.
Yeah, I got to touch and examine the balls, dude.
It was pretty fun.
The balls seemed fine.
None of them were an odd weight or size that would make them more or less likely to be drawn.
Didn't seem like that was the problem.
So next he looked around and asked,
Who all has access to this?
All right, you got cameras, you got door badge access systems.
He was given the names of everyone
who had access to the lottery equipment.
Controls seemed to be properly in place.
Only a few people had access
to the balls and drawing room.
Then we start down the process of,
okay, so day of or day before,
what's your process?
Do you have like a reconciliation? You have all of these balls get moved, you know, these racks of lottery balls get moved over and get staged. They get counted again, they get allocated, they get signed off on. You know, there's the huge, like, you know, accountability process pre-day. The same day of the lottery drawing, they go through again,
first thing in the morning, they do a check and then at lunch and then right before the actual
drawing itself, they do another check and then they roll them out to the public view.
So the public view is really TV. Every week, the drawing is done live, broadcasted on their local TV channel. And this is a big deal
in Puerto Rico. Many tune in while holding their tickets to see if their numbers are drawn.
We actually had the opportunity to walk out with the balls.
He means he was able to shadow and keep his eye on the lottery balls at every step of the way
between when he examined them and when they were drawn on live TV.
This way, nothing could be swapped or changed on his watch.
So we walked the balls out to, with the actual employee.
There was two employees that were assigned to do nothing but manage the lottery balls.
That's it.
Like, that was their sole job day in, day out. They would go into accountability, reconcile sheets and basically count them,
make sure everything was good to go. And the way that they stored them, it's not like we,
like how we see here in the United States, ours are where there are these plastic ping pong balls.
These are like little plastic kind of beads that they're,
they're a little bigger than a bead,
but they have a hole through the middle of them and they're stored instead of
a plastic like container with locks on them. They're stored.
They slide the beads down a metal rod and each like rod held a certain number
of lottery balls and they would lock each one of those.
So it was like this gigantic wooden box with 10 rows of these lottery balls in it with 10 locks on the front of it.
So they're rudimentary, but tamper-proof to some degree.
But they had full accountability day in and day out of it.
And even more heightened on the day of drawing, they had full accountability of the physical asset, the lottery balls themselves.
And once they would actually go through, they would dump them into the hopper.
And then it would actually do the hopper draw.
It would actually roll the ball down.
And there was a panel of employees for the lottery of Puerto Rico that sat up front that that ball, when it came out, they started from left to right.
The first person on the left would get it, put the ball on the little on the actual tray.
They would have the empty trays and they'd slide the ball down that little empty tray, document on a piece of paper what the number was.
And then they would continue to do that for the entire drawing and it would go all the way down.
And then whenever they would fill up an actual lottery ball holder, they would lock them up.
They would hand them back to the individual.
They had chain of custody forms and all sorts of
craziness. Then it would go, then all of those paper sheets would actually go into a review room
where there were four analysts that would sit in a review room and they had them from start to
finish, they had them in order. And so they would watch a video and pair up how the
balls were inside of the actual metallic rack and validate that, yes, that's correct, that's the correct ball, that's the correct drawing number, etc., etc., etc., right? And then that would get input into the computing system for the Lottery of Puerto Rico. And what would happen is that would go back into a database
and that database would then be shared with the government of Puerto Rico's printing
group. And they would go do a print run of all of the winning numbers in the newspaper.
And then they would also take and actually do on the news that night,
a live notification.
It's published live, like the Puerto Rican lottery.
You can watch it locally in national TV live,
but then they do a recap on the news like we do here in the United States to some degree.
So the physical security process was fully sound.
Like just there was nothing that we could
find that was amiss. Like it was like, okay, they've got accountability all the way through
when they're printing the numbers. Like we even validated the numbers, right? We're like,
yeah, it's right in the paper. Yep, it's right on the news.
So after analyzing the system, they felt like the physical security of the balls and drawing process was fair and secure.
Their next step was for them to follow the numbers.
Once the officials recorded the winning numbers, where do they go next?
Well, another government department handled the next part.
See, there was one department in charge of the drawing, and then there was another department in charge of the payouts.
So they went to the payouts department, and they found the systems where the winning numbers were entered. They confirmed that the winning numbers did in
fact match up with what was actually drawn. Next, there is a database that gets updated.
The database has a list of every single lottery ticket purchased and what numbers that ticket had.
The database takes the winning numbers and updates all the tickets in the database to
indicate if the ticket is a winner and how much should be paid out. They go and meet with the
team that manages this database. The database administrator goes, who are you and why are you
here? Who's authorized you to be in here to audit me? I know how to do my job. Leave me alone.
And really was like standoffish. And I'm like, that's a little
odd, right? That is a little odd. But when I was the admin of firewalls for a company, I was very
protective of them myself. I too would ask for credentials of anyone asking to see what's inside
just to make sure. So maybe this is fine. So at that point, we're like, okay, we got to look at the database system
itself. So it's a DB2 database. And I'm like, all right, that's a pretty sound, solid financial
database. I mean, companies today still use it. Highly transactional. Makes sense. Go through,
look at the security configurations and settings. I didn't know enough about it.
So we hired a professional to come in that was specifically a DB2 database administrator.
And he looks at it and he's like, dude, everything looks sound and solid.
The database administrator checked a few things.
First, seeing who has access.
And it was everyone who is supposed to have access.
Just the IT team who is responsible for maintaining it. Nobody else. Next, he looked at the logic of how the database gets
updated, but that was fine. The tickets that should have been winners were updated properly,
and the tickets that were losers were shown to not pay out anything. So this database looked fine. Next, he went down
to where people were buying lottery tickets and getting paid for their winnings.
We audited that process where individuals would go cash in their lottery tickets. We went and
audited several of those stations on the island because there are specific locations. It's not
like you could go to any gas station. They had very specific setup locations where you could go cash in your lottery
ticket for winnings. This too all looked just fine. Nothing strange or unusual here either.
So he and the team looked again to see how much money was missing from the lottery while they had watched the whole
thing take place. And something strange happened. The lottery showed no losses for the weeks that
they were there investigating this and shadowing people and auditing the payout stations and
analyzing the databases. Huh. That's odd. But that's a clue in itself.
That's why we kind of saw a slow trickle when we first got to the island and were inside. Really, what we identified, the hard stop was when we went and actually had the interview and sat with the database team.
That was the same database team that was questioning him for being there. So his hunch was that if this stopped happening once he started poking his nose in things, then he thinks this might be an insider.
So we take this all back to the governor and we're like, man, the only thing that's disappointing is you've got an insider somewhere.
And we don't know what it is. It's on the digital element. And the governor of Puerto Rico looks at me and the team and goes, I know you're here for security elements. Go do whatever you have to do to figure this out. You are indemnified of anything, of any digital crime or physical crime on the island to figure out how the hell I'm losing this money. I said, can I get that in writing?
And he said, absolutely.
So to this date, I own an indemnification of committing any crime on the island of Puerto Rico,
which is pretty cool, right?
Like, I'm like, hey, fuck yeah.
Now, by this point, he's been there for over a month trying to figure this out.
So while he thought he was only going to be there a few weeks,
he's now flying into the island every week and flying back home on the weekends.
But now he suspects someone inside the lottery is doing something sneaky.
But who?
Stay with us, because after the break, he goes four steps ahead.
Thank you.
to risk. Vanta helps you start or scale your security program by connecting you with auditors and experts to conduct your audit and set up your security program quickly. Plus, with automation
and AI throughout the platform, Vanta gives you time back so you can focus on building your
company. Join over 9,000 global companies like Atlassian, Quora, and Factory who use Vanta to
manage risk and prove security in real time. For a limited time, listeners get $1,000 off Vanta at Vanta.com slash Darknet.
That's spelled V-A-N-T-A, Vanta.com slash Darknet for $1,000 off.
Oz has examined every aspect of the network
and found nothing that would suggest the lottery is losing money.
He has confirmed that before he got there, it was losing a lot of money, but whatever was happening stopped since he's arrived.
This makes him believe that there's an insider somewhere that stopped once they saw he was investigating. The governor of Puerto Rico, the highest executive position on the island, has granted him full indemnity and that he may investigate this however he wants, even if it requires breaking the law to do it.
Absolutely. That's why they gave me indemnity.
And you were referring to like, can I like can I break into a network?
Like, can I break into a building?
Like, were you asking the governor that?
Yeah.
I was like, what do you mean by free reign?
He's like, do whatever you need to do.
I was like, so you're telling me I could go break into a building and I won't get arrested.
Or if I get arrested, then I'm indemnified and you'll drop all charges and you'll bail me out.
And he's like, yeah, I'll invite you over to my house to have, like, Chichon and freaking, you know, some Cuba Libre.
Yeah.
This is exciting.
I geeked up.
Like, what the fuck?
It was totally, like, me being a pen tester.
I'm like, what the fuck?
I just got, like, indemnified by the government of Puerto Rico to do what?
Okay.
This is so unusual.
I don't even, because he's pretty much been given permission to hack into the government of Puerto Rico to find this insider.
Which is like a penetration test, right?
But typically this is done just to check how secure the network is.
In this case, he was going to hack into the network to try to catch someone conducting criminal activity inside the lottery's network.
So that's a totally different objective from a normal penetration test.
Also, pen testers typically have what's called a get-out-of-jail-free card,
where the head of security has granted them permission to hack into the network or break into the building.
But in Oz's situation, he has a literal get out of jail free card from the governor,
which allows him to break laws if he wants. If he gets arrested, he can just show it to get out of
jail. Now, Oz has done a number of penetration tests before. He did offensive work while in the
Marines, but he's also conducted a number of them as a consultant. So he's experienced at this and
already has a good lay of the land since he's been there auditing this whole process for the last month.
He knows how everything is working and who all the people are that make it work.
The first thing he does is notify the FBI.
Now you might be wondering, why would the FBI be interested in what's going on in the lottery of Puerto Rico?
Well, that's because Puerto Rico is a territory of the U.S. So there's actually an FBI field office over there.
And Oz thought this was a criminal case worthy of the FBI knowing about and that he was investigating it and had permission to do so.
They were like, all right, go investigate, get everything that you can.
You have carte blanche to do whatever you want.
Right. Like literally carte blanche.
Mind you, up until that point, I've been suit and tie every freaking day.
Right. As a consultant is usually on your customer site. I freaking dropped into straight civilian clothes,
acting like a tourist. I did some things to change my appearance and walked right into
the government building and started to kind of look around. He went into this building because
he knew this is where the database
and main network for the lottery payout system actually sat.
He figures if he can get into the building,
he might be able to get into the network covertly.
But you might wonder, if he has full permission from the governor,
why not just get official authorization to log into the network systems himself?
Well, he did that, remember?
And he found nothing.
And that might have been because it's very obvious
that he was in there looking around
for this particular thing.
And if you're some insider hacking the system
and you're trying not to get caught,
you're not going to be in the network doing bad stuff
when you have auditors looking over your shoulder, right?
So he wants to go in covertly
to see if he can find malicious insider activity when they think they aren't being watched. So he
heads into this government building with the goal of finding a way into the network. But to be
successful, he needs to bring some supplies. Full on lockpick set. Like, I mean, that was number one.
I had two laptops with me. I carried them everywhere I went. I had my forensics laptop and my offensive security
laptop. It's just the standard tools that I also carry is like a pocket knife and a flashlight,
right? Looking like a tourist, he heads into the government building. Now, this is a publicly
accessible building with places that citizens can go and take care of things like permits or even
cash-in lottery tickets there. On top of that, he's been in this building a few times already
as he was auditing the whole lottery process. There was a door that where I knew the finance
like office was like finance office. You say you're walking down a hallway and you come to
like a T intersection and to the right there was a sign that said finance, but straight ahead, like 10 feet ahead past that T intersection on the right hand side, there was a door.
And I was like, Hmm, I wonder if that's where they keep like physical financial records might be a computer in there that's unlocked. Right.
So that's what I was thinking, like off the top of my head. And I look up and there's no cameras like pointed at this door.
They're pointed down the main corridor facing towards where the entrance of the government of Puerto Rico's entrance is.
And then down the corridor of where finance office main door is.
But there's not one facing or towards me or facing behind my back at that door, right? Because there was an end of
a hallway, right? So there was like nowhere you could go basically at the end of it. And so,
you know, I'm like, okay, so I just lean up against the freaking wall and
jiggle the handle. It's locked. So I pull out my lock pick set.
He starts trying to pick the lock, which is not a fast or easy thing to do. It takes time and patience and lots of trial and error.
You might not have the right tool at first and you need to try a different one.
And you don't know if you need to turn the lock to the right or left to unlock it.
So it's kind of like throwing darts in the dark.
And at the same time, he's nervous since someone could be coming around the corner at any moment and see what he's doing and question him.
But after a short while, he gets the lock open and opens the door.
I popped the lock on this door.
I was correct. It was the finance department.
I was correct. It's where all the physical freaking documents were.
I was correct that there were computers in there.
I was incorrect in identifying that there might be people fucking sitting in there.
And so four people turn the fuck around and look at me and go, what are you doing here?
How did you open that door? That door is supposed to be locked. And I'm like, oh shit.
He just goes right back out into the hallway and closes the door.
He sees that people were getting up to come see what he was doing.
I was like, yeah, here I go. I'm going to fucking Puerto Rican jail.
Like, this is going to suck, right?
Like, you know, I was freaking the hell out, dude.
I didn't know if I could believe the governor of Puerto Rico or not, right?
Like, I mean, is he really going to bail me out of jail?
How long is it going to take for them to realize that I'm in jail?
Right?
Like, those are thoughts going through my head. Like when that happened. He had to think fast. He did some mental
calculus. Should he run? Well, that would certainly make him look more suspicious and it could get him
kicked out of the building for good. Instead, he wanted to contain this problem to just this office.
So he walks around to the front door of this finance office
and he tries to think of a story. Because he's been there before, he remembers that the floor
above him is where the passport office is. And that's what he decides to use as an excuse. He
was going to act like a lost tourist, not able to speak Spanish and was looking for the passport
office. So he puts on a face and walks into the finance office.
And I'm like, hey, I was told to come here because this is the passport office.
And so the director of finance for the entire government of Puerto Rico
was one of the guys that was sitting in the back, right?
And he walks out and he's like, that door was not unlocked.
I was like, it was.
I just pushed on it.
I don't know. Sorry, sir. I'm really like I lost my passport. I'm trying to go to Cuba because at the time you could fly from Puerto Rico to Cuba. You couldn't fly direct from the United States to Cuba, but you could fly to Puerto Rico and then fly from Puerto Rico to Cuba as a United States citizen. Right.
And so this director of finances was like, give me a side eye. But he's like, yeah, follow me. He gets escorted to the passport office. He was trying
to contain his stress on the way. And on the walk there, the head of finance was curious of the
situation. Well, he drops me off at the passport office and I walk in. I'm like, hey, so I fill out
a bunch of documents and act like I need to get a freaking, you know, my passport basically
freaking renewed because I lost it or whatever.
And waited till he left, and I just kind of sat
because there were quite a few people in there,
and I just sat and just kind of waited for about half an hour or so,
if I recall, and then bounced out and continued on down the path,
right? Like, totally almost got fucking popped. He left the building. That was enough excitement
for a day. Who knows what would happen if they called security on him or caught him on another
floor trying to open other doors. He decided to leave and let things cool down. Ended up going back the next day.
And I had already seen like what looked like a lunchroom area, like up on the third floor. So
this is like, mind you, the government buildings like seven stories tall, right? I was like,
it looks like a little lunchroom. And I was like, I'll go check that out today. So I head up to the third floor.
Mind you, finance was on first floor.
Second floor was passport office.
So, you know, OPSEC was in terrible aspects of multiple things. And I included this in my report to the governor of Puerto Rico.
I was like, dude, you know, you have all these financial records that are sitting,
your physical financial records that are sitting on the first floor.
You have hurricanes and flooding like continuously on this island. You might want to think about
moving that to a higher level, right? You know, shit like that. Those are kind of other
recommendations that we're putting out there for him. He gets up to the lunchroom area,
then walks around the hallways near there. He sees another door and tries to guess what's inside it.
He puts his ear up to the door. No noises are coming from
inside. There are no windows to see in either. He walks around the halls. No signs as to what this
office might be. And it's not connected to any others. It's sort of a secluded office with no
signage. Hmm. He pulls out his lock picks and starts working on the lock.
After a few minutes, he gets it open and looks inside.
And when I open the door, man, it's like freaking inch and a half, two inches of fucking dust all over the fucking floor, dude. And I look to my right and there's three PCs lined up in a row that had plastic pulled over them.
And like, there's no lights on in here.
And so I'm like, okay, cool.
So I like literally pulled my flashlight out
and make my way over to the computers.
Dude, lo and behold, one's running.
Nice.
This is great for him.
A room that nobody ever visits.
It's dark, it's quiet, and it has a running computer.
This could be gold. If this computer is connected to the lottery network,
then he can use it to watch and gather data he needs to catch the insider.
I closed the door behind me and I actually set my laptop up against it. So if for whatever reason
someone came in, it would knock it over and alert me to when
a big room like it was probably the size of I'd say is probably a 50 foot by 50 foot, but it would
give me enough time to at least like lock down everything that I was doing. Right. I'm like,
oh, sweet. Let's go check this out. So I lift the plastic off the monitor. I'm like,
let's see if it even works.
Turn the monitor on, presented with a login screen for Windows 98 with the admin account.
And I'm like, hmm, it's not going to be this easy, right?
Like admin, admin, like now, doesn't work.
And so I sit there and I'm like, let's just sit here and kind of think through this.
And logically, like if I were the administrator or system administrator for the government of Puerto Rico and was running a 1998 system, what would I use as a password for admin to get on the system, right? So I run through your typical default list of passwords, right?
For admin, like admin, admin, admin administrator, admin root, like freaking et cetera, et cetera.
I tried this over a period of a couple hours because I didn't want to potentially trip if they had any alarms,
like multiple failed login attempts on a system.
None of his login attempts worked.
He couldn't guess the right password.
He found some open Ethernet ports and tried plugging into them, but none of them worked. He thought about unplugging the one running
computer from the network and plugging his laptop into it, but he wasn't sure if this computer was
running anything important and wanted to be as quiet as possible. So he went home for the night
to rethink and strategize. I'm like, all right, Metasploit, what do you have for 1998 Windows systems?
And there was a boot screen freaking, what is it, the accessibility feature.
I can't remember what the actual vulnerability was, but basically ended up being able to create an exploit that I could plug in a USB and bypass
the login screen. Okay, so Metasploit is a really cool toolkit with lots of exploits and
vulnerabilities that are all pre-packaged and ready for you to just hack into things. He creates this
USB drive with the exploit payload on it. And if the exploit works, he should be able to just go
back to that computer, plug in the USB drive and get into the system. So he goes back the next day, heads up to the
same room, picks a lock to get it open, puts his laptop against the door as a rudimentary alarm
system and pulls out his malicious USB stick and puts it in the computer running Windows 98.
Drop it in, get full access.
Sweet.
He's now on this computer as an administrator.
Amazing.
But he quickly realizes he's only administrator for this computer.
It doesn't give him access to anything else.
He checks the network status.
Yes, this computer is on the network.
And yes, he can reach the lottery network from here.
Fantastic.
I'm like, all right, I've got this access into the system.
I'm local admin.
Is there any antivirus running on it?
It didn't flag for my exploit to come on.
So that's kind of cool.
No local antivirus on the system connected to the network
So I'm like, all right, so I have a couple options here. I can either unplug and hope that they're
not doing, you know, freaking 802.1X, like NIC-based, freaking, uh, security, or if they're doing MAC address filtering security,
and et cetera, et cetera. I start thinking through, like, what are my options here? Do I install tools locally
on the system, or do I unplug the NIC from the system and then jack in with my pen testing
laptop? Well, in the meantime, I'm like, all right, I have local admin. Let me go ahead and dump the credential files. When you have users on a computer,
their username and password hash is stored somewhere on that computer. And when you're
administrator, you can see the password hash. Now, the password hash isn't the password. It's
the result of the password when it's passed through an algorithm. And it looks like scrambled
letters. So he grabs this hash file to try to crack the passwords on this computer. Because with the USB
exploit he used, he just bypassed the login process. He didn't actually use a password to
get in. So he thinks if he can crack the password on this computer, then he can try using this
username and password to get into other computers on the network. So I drop that to my thumb drive, pull that off, throw that into my pen test laptop.
He then runs a tool called John the Ripper to try hundreds of thousands of passwords to see
if they match the hash. The program can try hundreds of passwords per second or more,
depending on how fast the computer is. So he knows this will take a while and just lets it run.
So I'm like, you know what?
Fuck it.
Like, they haven't been aware that the system's online.
They're not going to know if it goes offline.
So I unplug.
He only unplugged the network cable, not the power cable.
And actually leave it unplugged overnight just to see what happened, right?
So I leave the room.
I leave it unplugged overnight, go and build another thumb
drive that has a bunch of tools on it, like Nmap and freaking man-in-the-middle tools. But basically,
I build my tool suite onto a thumb drive that I can take and actually just run off of my thumb
drive instead of installing directly onto the system, right? With all kinds of extra tools,
he heads back the next day,
goes up to the floor, picks the lock, gets back in,
sets the laptop against the door, and goes back to the computer.
He plugs the computer back into the network port, and all is fine.
So he plugs in the USB drive and starts to run one of these tools he brought.
And so I actually enumerate the network.
This is the typical first thing a pen tester does to get a lay of the land.
Enumerating the network is basically getting a map of what's out there.
You can ask certain systems what other computers do they know about,
and they'll be happy to tell you.
NMAP scans are also common, which can scan a whole range of IP addresses
inside the network to see if anything responds.
I knew the IP address ranges for the IT systems over in the lottery.
So I was like, well, let me see if I can ping those IP addresses and see,
you know, how this network looks.
And it was like, basically looked flat, right?
I like to think of a flat network like an empty hull of a ship.
If it's just one big open space in the hull and there's a hole in the hull,
the entire hull can fill up
with water. So a good idea is to segment your network so that if someone gets into one part
of your network, they are completely blocked off from getting into other parts. So what he found
is this long forgotten computer not only was connected to the network, but it could reach
every part of the network since nothing was blocking it.
This was fantastic for Oz, who wanted to find a way into the systems he thought were suspect.
But now it's closing in on the end of the third day. He's thinking it's starting to get risky if
he has to come back here every day and pick a lock and sneak in. So he sets up a reverse shell to this
computer. This allows him to go back to the hotel.
And from there, he can remotely connect into this computer
and use it as if he's sitting right in front of it.
So he goes back to the hotel and looks at the scans
that he was doing on the lottery's IP range.
And I find a web server that has port 80.
And I'm like, all right, that's cool.
I wonder if it's open from the outside.
By open to the outside, he means,
can you get to it from the World Wide Web
and not the local network?
So I ran a scan on the outside of the network as well, right?
And again, fortunately for us, we had already been given like the IP addresses
for the entirety of not just the lottery, but the government of Puerto Rico,
because as we were talking with them, we're like, look, maybe someone compromised them from the outside
and you're getting money siphoned off, right?
Like, maybe that's a possibility.
So we asked them, they provided.
And so I run port scan against the outside,
find the web server that enumerates
at the same version of Drupal that I had.
I go through the Metasploit table,
there's a remote code execution exploit for it, and it's running on a Linux system.
So when trying to exploit a system and get unauthorized access to it, the more you know
about it, the better. A scan might show you what kind of server is running, what kind of web
framework is on that. In this case, Drupal was the web framework and the operating system was Linux. On top of that, you might get versions of
what software is on that system. And if you know what version it's running, you can go look to see
if that version has any known vulnerabilities that you can exploit. Oz found a vulnerability
for that version of Drupal and tried to exploit it from the outside. And bingo, it worked. He got in,
which is always a rush to hack into a system from the outside.
And I was like, holy fuck, yes. And literally, like the whole team was sitting around the table
and I'm sitting there freaking, I'm drinking a Mai Tai at this point. I'm like, fuck yes,
like check this out. Like, you know, I'm doing my due diligence of screenshots and all that other
shit, right? And they're like, are you fucking serious? I'm like, yeah.
So like I do general commands to show like,
who am I like,
and it shows like root.
Yeah.
And then I actually do like freaking a dump of basically the file structure
and a freaking show that it's actually the Puerto Rican web server, right?
Not just a random ass server, dude.
Start pinging internal IP addresses that they had already grabbed forensic images off of as well, too.
And they're like, holy shit.
And they're like, yeah, from the hotel Wi-Fi, bro.
What's up?
Excellent.
He's now in a system inside the Lottery's network.
And from here, he's able to get into other computers and route traffic to this Linux server so he can capture and analyze the traffic in the network.
This is the man-in-the-middle attack that he was wanting to do.
It's kind of like a wiretap, but for network traffic.
So once he's got all this set up, he watches the traffic day in and day out.
Basically, this is, you know, we're about, what, month three and a quarter at this point.
So what we did is we actually started laying low once I actually like had popped everything, right, and had access and just started monitoring. We are sitting kind of just at the hotel
monitoring. I'm chilling, hanging out.
And we know that the drawing goes. We know that the actual input goes at the night of the drawing, but doesn't start the payouts until the morning.
We see a login from the individual, one of the database individual systems into the mainframe, which was abnormal, right, to see that.
And then at that point, we said, okay, we need to go basically get on this mainframe, right?
And so the governor of Puerto Rico forced the CIO to give us physical
access into that mainframe. And they basically like pulled the CIO like from his job and placed
him on temporary leave, right? And we have administrative access on this mainframe,
this IBM mainframe where the databases are running and put some monitoring tools on and
just started monitoring. They were able to watch the logs of the database. Who logs in? What changes
do they make? What data is being updated? With a database like this, there are tons of changes.
So when someone comes to cash in their winning lottery ticket, they take it to a place where
they can cash it and the clerk scans the ticket. And at that point, the scanner will check
the database to see if it's a winning ticket or not. So already the database has a read operation
that would show the logs. Then the database tells the clerk, this is a winning ticket, you should
pay this amount. And when the clerk pays it, it updates the database to indicate this ticket has
been paid and it shouldn't be cashed out again. So every lottery ticket that gets paid, there's an update to the database, which means there's
a lot of logs that he's got to sift through to try to find anything unusual.
So he's watching these transactions happen all day, every day.
A clerk scans a winning lottery ticket.
It's a winner and should be paid out for a dollar.
And the clerk pays out the dollar.
Nothing odd there.
But as he looks closer at these logs and analyzes them more, he sees something.
He sees someone change the payout amount for a winning lottery ticket. They went into the database and made the payout higher than it actually was. The payout was supposed to be a dollar, but it would change to like $10,000.
You would see the transaction for $10,000 exit,
and then you would see the amount that was actually paid out go back to a dollar in the database.
This was it. This was the smoking gun.
Someone inside the lottery IT team was going into the database and changing one number,
waiting for the payout to happen, and then changing it back.
This is why when they audited all the transactions before, they didn't find any sign of this
happening because someone's going in the database and wiping the evidence.
It was only from sitting patiently, doing some real-time monitoring of
logs, collecting network traffic, and watching these tickets get paid out that they caught this.
At the point that I had actually dropped in and we were monitoring and we see this,
I immediately have to contact the bureau, the FBI field office in Puerto Rico.
The governor wanted whoever was behind this arrested and instructed him to contact the FBI.
And remember, Puerto Rico is a territory of the U.S., so there's an FBI field office on the island.
But before he could give the FBI all this evidence, he needed to figure out who the person was that was making these changes.
Because the problem was, whoever was doing this was using the username Service to make these changes, not his actual username.
So it wasn't clear who was going in and making these changes. But the thing about this database,
because it's a super secure database, the only way to actually make changes to it is to physically
go into the data center room where the server was and log into it that way. There was no way to connect into this thing
remotely. And this is great because now he just needs to know who was in the room during that time
that the change was made. And there's an easy way to figure that out. Security camera footage.
Oz gets access to the video and rewinds it to that moment. We'd see him walk into the server room like two seconds later, log into the mainframe,
be there for a few minutes and then leave.
And so we were able to tie like, hey, there was a transaction that occurred between here
and here.
What was this at this time?
So what they started doing is taking snapshots on that database, like literally like on the
hour, basically.
And they were able to actually,
what we were able to point out is like,
look, last night's synchronization of this,
this ticket should have paid out a dollar.
It changed at this time.
Here's camera feed.
Here's network access into the mainframe.
Here's camera feed access to him
walking into the server room where the mainframe is. Here's the modification into the payout table. And here's a modification of the
actual payout table being done again. Here's him walking out of that server room, badging in back
into the database or the IT room. And here's video feed footage of that as well. So I mean,
like nailed tied down all the way up.
So this explains what was happening inside the network at the time.
But what about what's happening outside the network at the payout stations?
This operation must have been coordinated with someone outside.
Yep. So they would say, I will be at this payout station at this time. So this guy would go in like 10 minutes beforehand, change the payout amount. The person will walk up with that boleto ticket number. They would
actually type in that boleto serial number and it would be for $10,000 versus a dollar.
He would see the transaction process and then immediately go flip it back to a dollar. So
the individuals on the end at the payout stations didn't know.
Like, they're like, oh, this is a $10,000 winning ticket.
Sweet. Here's your $10,000.
Oz has cracked the case.
He's figured out how the millions of dollars are being stolen from the lottery.
And he knows exactly who did it with all the evidence showing how it was done.
We call the Bureau.
Like, we're like, dude, we've got soup to nuts evidence of freaking fraud right here.
Full on, we know that this is happening.
Definitive, this individual is fully active in doing this.
And the Bureau's like, cool, wrap up all your information.
And this is kind of freaking fun. When you meet with the Bureau to do data drops, you know, you'd think you'd go to a field office and go hand them whatever evidence you had.
Well, that's not the case here.
Because we were the gringos on the island, because they had freaking taken and actually put the CIO on leave.
And basically, we had interviewed and there was already enough like noise kind of fluttering
around and people were starting to kind of talk.
And the FBI mentioned to us that, hey, there's chatter in the cartels that there's gringos
on the island actively investigating
be heads up. And that's why we went in to wait for a little while post me actually having access.
One, I needed to collect evidence. And two, we were laying low because the cartel,
there was chatter from the FBI that the cartel was aware, right? That there was some sort of investigation going on.
But once we actually, so this is the fun part though, again,
what I was trying to say is that, you know,
you would think that it'd be a field office that you'd go walk this data into.
Well, no, here I'm a gringo in freaking Puerto Rico, right?
They call outsiders gringos, right?
So the FBI, instead of having, and this tripped me the fuck out
because I'd worked with them tons in the military, right?
It tripped me the fuck out when they go,
yeah, meet us at the mall food court and just bring it all on a thumb drive.
And I'm like, like, what the fuck? So I go to the Puerto Rico mall to meet the Bureau to transfer
the empirical data that we have at this point on at least this database administrator making
these manipulations and payouts, right? And literally meet these two guys. Like, we're in
casual clothes. We go order our food at the little food
stall, we're walking with the trays, and he's like, you got that thumb drive? Just drop it on my tray
while we're walking. Then we do. He grabs it, puts it in his pocket, and we go sit down and eat lunch.
Like, kind of fucking wild, right? Like, what the fuck? Supposedly the reason for this is safety
and security.
There are drug cartels on the island and the FBI knows that the cartels are watching the FBI field office very closely and knows everyone who comes in and out.
Since Oz was already being talked about by the cartel, they didn't want to tip off anyone that Oz might have found something and was meeting with the FBI.
So they made it look like it was just a casual lunch meeting.
Surely you wouldn't pass along top secret evidence
to someone in a public place where anyone can hear, right?
That was exactly why they did it there.
Whenever I made that dead drop to them,
they jumped on and looked at it, right?
But I get a call like seven o'clock that night
that, hey, meet us at X location.
We want a debrief basically of what's on here and kind of walk us through.
Like I'm talking to you right now on the details of what's happened.
And I had my significant other actually traveling into town that was supposed to be there at like nine.
I didn't get out of my debrief until like freaking almost midnight and missed picking my significant other up at the airport. They were standing at the airport in the dark with
the lights off. And I wasn't able to leave because I'm doing a debrief to the FBI.
And I tell them, like, hey, my significant other is over at the airport.
Would y'all mind going and picking them up?
And they go, sure.
So they, like, drive by.
But the FBI didn't pick anyone up.
They just drove by and said they didn't see anyone and left.
So by the time the
debrief was over, Oz calls his significant other to see what was going on. My significant other is
just fucking furious, bro. Like just absolutely beyond pissed off, right? And here I am. I can't
explain shit to them. The reason why he can't explain this is because it's a classified case.
He can't explain that he was with the FBI the
whole time. Because what if the cartels
are tapping his phone or something, right?
So all Oz could do is
just make up a story.
I'm so sorry. I fell asleep.
But of course that wasn't the case.
He just couldn't explain. At least
not here, not now. But
he returns back to his hotel and
stays on the island a little longer to assist the FBI.
And they basically put us on monitored custody, right?
Like they were following us everywhere we went.
He kept meeting with the FBI to provide more evidence and information that he had access to that might help the case.
The Bureau kind of took over most of the investigation. We had some limited support to them as more ancillary and informational, just to fill in gaps that they weren't able to pick up out of what we had provided and whatnot.
a cartel on the island, basically an illegal drug smuggling group. The FBI somehow found a cartel
member with lottery tickets and confiscated the tickets from him. They call the lottery tickets
boletas there. And so the FBI was curious, what if they try to cash in these boletas?
So they get someone to go undercover into a payout station and hand them one of these boletas that
was from a cartel member. The payout clerk looks at the serial number on the ticket and back at
the undercover agent and doesn't even try to cash the ticket. Instead says, pull around back into
the garage and that someone would help them out shortly, which turned out to be: the individual was told to pop their
trunk, don't look back, and go drive to this location. So they popped their trunk, stuff was
put into it. They drove to, basically, not where they were told to go, but basically wherever
they went, I don't know. And they popped the trunk to look in there to find that they had like 50 kilos of cocaine
and like 40 freaking assault rifles, man.
So not only were they stealing money from the government of Puerto Rico,
they were also running guns and drugs through that process.
Apparently, the people who worked at the payout station itself were also part of this.
They had a system set up that if someone came with a specific ticket, it meant they were a driver for
the cartel and here for a pickup. So when the FBI pulled around back and got the car loaded up with
cocaine and weapons, this was quite a surprise. And they realized they had stumbled upon something
much bigger than just lottery fraud.
But somehow it was all linked together.
So pretty elaborate scheme from from the cartel.
So at that point, the bureau literally like safety extradited us off the island.
They were like, you've got to get the hell out of here.
Like, you know, you've interrupted a huge cartel operation and we're going to do the takedown and y'all need
to get the hell off the island. And so of course Oz booked it out of there. This is why he didn't
want to have his name mentioned in this episode because his life was in danger for uncovering
this cartel operation in Puerto Rico, which means that even though he still has indemnity from the governor to commit crimes on the island, he'll likely never go back.
The FBI indicted 10 people involved in this case.
An indictment is just a charge against someone, basically listing reasons why these people should
be arrested. The indictment claims that these people took $12 million to a nearby island and
bought cocaine and brought it back to Puerto Rico. They used boats and airplanes to traffic the drugs in and used Blackberry phones to communicate with and they even had spiritual
rituals before doing a big buy. And they intended to distribute and sell this in Puerto Rico for
financial gains. The indictment also claims that three of the people listed were involved with
laundering money through the lottery. In total, the FBI believed that these 10 people
illicitly generated $127 million from the sale of drugs and weapons and lottery tickets.
The feds wanted to try to seize all this money if they found it, as well as planes, boats, cars,
and property that was part of the operation. As I looked through this case, it links back to a case where
a few years earlier, 20 other people were arrested, including the leader of this cartel.
And a lot of evidence points to testimony from what those people said in their trial.
10 individuals were arrested from this operation that Oz uncovered. The first few I looked at all
pled not guilty at first, and then switched to guilty.
And those people got 5 to 15 years in prison for this.
One guy held on to his not guilty plea, which meant that this case went to trial.
Which is cool for me because now I can see a lot more details about this case because the court transcripts are publicly available.
And it turns out they were using these winning lottery tickets to launder money.
And here's how they did it.
The court records showed that they had someone inside the lottery
who would produce winning lottery tickets.
Then those winning lottery tickets were sold to people in the cartel
for 20% more than whatever it was worth.
So if the winning lottery ticket was worth $10,000,
the cartel members could buy the ticket for $12,000.
The reason for this is because the cartel had a lot of illicit cash,
and they wanted a way to make the cash look legitimate.
So when they'd cash in the winning lottery ticket,
they would get a check from the Puerto Rico lottery
and take the check to their bank to deposit it.
This would allow them to legally declare their winnings on their taxes.
This way, they had a nice clean record of where they got their money from.
Sneaky stuff.
Anyway, this guy who went to trial was found guilty and the judge sentenced him to life in
prison. Not just for this lottery stuff, but also for the cocaine and weapon smuggling.
So this brings us to the guy inside the IT department at the lottery. He was one of the
10 that got arrested and he appears to be a really dangerous guy. He was being charged with all four
counts of drug running and lottery fraud. But I called up Puerto Rico and I spoke to someone who
was close to him. And they said he was a good guy and just fell in with the wrong crowd. See, besides
being an IT guy, he also had a private pilot's license and liked flying planes. And on the
weekends, he would charter tours in his planes
to show people around the island.
Well, this cartel heard about his planes
and hired him to move some drugs from one island to another.
Eventually, he was being hired to do more and more trips for the cartel.
He got out on bail while the courts figured out what to do with him.
At first, he pled not guilty, but then he came back into court and changed his plea to guilty.
The court said, OK, come back in four months and we'll determine your sentence.
Well, in that four month time frame, he somehow got involved with this cartel again and was part of a mission where he had to capture someone and take them somewhere.
And in that mission, he was shot and killed.
So police found $30,000 in his car after that.
And this is a surprise ending for me.
The IT guy who was changing the numbers in the database
was shot and killed in the end?
While playing the lottery itself is a gamble,
this guy was gambling with his life.
And when the stakes are that high, you might either get rich or die trying.
A big thank you to Owl Stalker, Oz, for sharing this story with us.
He's been sitting on this one for a while, not telling anyone this whole story.
And I'm thrilled to be sharing it with you, which is like the first time the story has ever been told publicly.
If you like stories like this, if you think they're valuable, please consider supporting the show.
I'm an independent creator and I can focus on this full time through listener support.
And if you donate to the show, you'll get bonus episodes and an ad free version of the show.
So please visit patreon.com slash darknet diaries and consider supporting the show.
Thank you.
This show is made by me, El Linche Oscuro, Jack Reciter.
Sound design and original music was created by the Lobo Loco, Andrew Merriweather.
Editing help this episode by the Siempre Lista, Damien.
And our theme music is done by the Melodica Breakmaster Cylinder.
Hey, what do you call two monkeys that share one Amazon account?
Prime mates.
This is Darknet Diaries.