Darknet Diaries - 109: TeaMp0isoN

Episode Date: January 25, 2022

TeaMp0isoN was a hacking group that was founded by TriCk and MLT (twitter.com/0dayWizard). They were responsible for some high profile hacks. But in this story it’s not the rise that’s most interesting. It’s the fall.

Sponsors

Support for this show comes from Thinkst Canary. Their canaries attract malicious actors in your network and then send you an alert if someone tries to access them. Great early warning system for knowing when someone is snooping around where they shouldn’t be. Check them out at https://canary.tools.

Support for this podcast comes from Cybereason. Cybereason reverses the attacker’s advantage and puts the power back in the defender’s hands. End cyber attacks. From endpoints to everywhere. Learn more at Cybereason.com/darknet.

Transcript
Starting point is 00:00:00 It always fascinates me how powerful a single computer is in someone's bedroom. On a computer, a person can fall in love, get an education, get a job, do their job, and it gives us endless access to entertainment like movies and music. But what really intrigues me is that keyboard and mouse can be extremely dangerous. The right combinations of keystrokes are illegal, such as hacking into a bank and stealing money, which all can be done on a computer in your bedroom. You barely need to move your fingers much at all to make it happen. Yet such a small physical movement can have a massive impact in the digital world. It's asynchronous and logarithmic to the point that it's hard to visualize.
Starting point is 00:00:46 A push of a button can bring a whole country to a halt. And the wrong combination of keystrokes can have some serious consequences for whoever pushed the button. These are true stories from the dark side of the internet. I'm Jack Rhysider. This is Darknet Diaries.
Starting point is 00:04:10 This is a story that I've wanted to do for years, but I knew it was too complex for me to do on my own. So I waited to find the right person who could tell it. But then, out of the blue, MLT messaged me on Twitter, and we started talking about it. I asked if he wanted to tell his story on the show. And he said, yeah. So I sent him a microphone and we hit record. Yeah, I'm just wondering about modifying my voice and masking it.
Starting point is 00:04:32 So yeah, we're going to alter his voice, which might make it hard to understand him at faster speeds. If you're having trouble following him, I encourage you to make sure you're on 1x speed when listening, because you'll be able to understand him better. And you'll enjoy the show longer, too. So MLT is what he likes to be called online, but I believe that's his initials.
Starting point is 00:04:52 His real name is Matt, and he's been around computers all his life. Yeah, I got my first computer when I was around four, maybe. So, yeah, I've pretty much grown up with computers. By the time he was 12, he was taking more of an interest in computers. He was fascinated by how the computer is literally connected to the whole world. And millions of other computers and people out there are all available right on his screen in his bedroom. He started exploring websites and seeing what's out there. This fascinated him so much that he started learning how to make his own websites in HTML
Starting point is 00:05:26 and taught himself how to program. But while that's fun and interesting, of course, his main passion was video games, specifically Xbox games. And as he would play them, he was trying to find ways that he could cheat in the game. I'd prefer to just kind of try and break the game rather than play it normally. He found some cheat forums that he could download a cheat and do things in the game you weren't supposed to do, and that was fun.
Starting point is 00:05:51 But sometimes that would get him kicked out of certain online games. But then, a while after that, I started getting into modding a little bit. He was just 12 years old at the time, but he was taking his Xbox apart and adding new code to it through the JTAG port on the bottom. This would enable it to do new things, things it wasn't supposed to do. I was never particularly competent at anything, but it was just kind of what I started
Starting point is 00:06:15 out with. But he was learning, and he was only 12 when he was disassembling his Xbox and modifying it. And while he's becoming a teenager, he's getting better at programming and making websites and finding some pretty interesting chat rooms online. Because around this time, there was another group of people online that were also coming of age. Hacking group Anonymous has struck again, and this time claiming it has stolen thousands of credit cards. Anonymous is one of the biggest online vigilante groups. Members hack into companies and governments. We are Anonymous. We are Legion. We do not forgive. We do not forget. Expect us. And that's a formative force for a teenager to be involved with. While MLT was going to school, he had a front and center view of what Anonymous was doing.
Starting point is 00:07:13 I mean, I used to be in AnonOps IRC pretty often. The AnonOps IRC chat room was where a lot of the Anonymous members would hang out, share memes, and formulate ideas. And for a while, MLT felt loosely affiliated with Anonymous, at least curious enough to watch what they were doing and ask questions on how things were done, such as how a certain hack was done, or how did that person deface a website. The technical aspects of what Anonymous were doing were interesting to MLT.
Starting point is 00:07:41 But the thing about Anonymous is that there's much more noise than signal. The Anon chat rooms are just filled with distractions and trolls. He liked the hacking stuff that was going on, but sometimes things didn't make sense to him or align with what MLT thought was right or wrong. And at the time, there were a lot of little satellite hacker collectives that sort of revolved around Anonymous. They were in the same space, but not necessarily affiliated. And there was this one website that MLT seemed drawn to. It was a forum board called Poison.org, which Trick was the administrator of. So here is where MLT first learned of Trick. Trick was the name of the founder and moderator of Poison.org. He seemed heavily involved with the black hat hacking scene
Starting point is 00:08:30 and very knowledgeable about hacking. MLT thought Trick's Poison.org forum was an interesting place, and he was learning a lot by going there and reading how people hacked into certain places and stuff. It was just like a generic hacking forum. Things like hack forums or leak forums or one of those kind of websites. Some people were just posting screenshots of stuff they hacked into. Some people posted tips and tricks on how to exploit other things.
Starting point is 00:08:58 MLT was drawn to the site and liked what he saw there and was naturally curious about Trick, the guy who ran the site. I knew other hackers on MSN Messenger who then eventually introduced me to Trick. MLT and Trick sort of hit it off together. They both got along pretty well. MLT was fascinated that Trick had started this hacker forum and Trick liked that MLT knew some hacking skills and was curious to learn more. Do you remember the first thing you hacked with Trick? The first major hack that I did with Trick was the English Defence League. Now, I had to look up who the English Defence League was.
Starting point is 00:09:41 Being American, I just was not aware of this group. The English Defence League has become the most significant far-right street movement the UK has seen since the National Front in the 1970s. God bless every single person in this country, of all religions, creeds and cultures. And you know what? Even God bless the Muslims.
Starting point is 00:09:57 They'll need it for when they're burning them houses. From watching just a few videos about them, it seems to me that their mission is to spread hatred towards Muslims. In the UK, they're a very well-known right group that's openly Islamophobic, so I'm assuming that's probably why he wanted to target them. You see, both MLT and Trick were from the UK. And while MLT didn't really associate himself to a religion, Trick was a devout Muslim and was not happy seeing people like the English Defense League on the telly spouting anti-Islamic slurs. Trick didn't want to physically confront these people, though. He could get hurt pretty bad. But Trick was pretty good at computers and hacking and found this group to be absolutely insufferable. So Trick
Starting point is 00:10:46 told MLT, this is the target, the English Defense League. Let's see what we can do to them. MLT was in because why not? The group seemed particularly mean and MLT was wanting to learn how to hack and needed a good target. Might as well try to hack the EDL. Well, at the time, we used to run the website EnglishDefenseDeep.org, which was a forum board running MyBB, which is just a type of forum software. We actually
Starting point is 00:11:15 developed a 0-day exploit at the time, that allowed us to spawn a shell on MyBB. And then from there, we just exfiltrated the database and dumped it online. Well, you say it so casually, but
Starting point is 00:11:31 talk about that. Like, was it you that got the shell, or was it Trick? It was me that identified the vulnerability, and it was Trick that actually exploited the vulnerability to spawn the shell. Yeah, I mean, that sounds
Starting point is 00:11:49 exciting. And what were you like, 13, 14? I would have been around 15, 16, maybe 15. Yeah, so you were going to school still, right? Yeah. And this must have been probably late at night. You had a computer in your bedroom?
Starting point is 00:12:08 Yeah. And this was on the weekend or at night or something? Yeah, like mostly weekends and night times. And yeah, I mean, that's just exciting. Oh yeah, it was definitely fun at the time. Individuals claiming to be part of the international internet sabotage group Anonymous have published phone numbers and addresses of supporters of the English Defence League as part of what Anonymous says is the first phase of a campaign to destroy the far-right group. Under the name of Anonymous, they made an online post with
Starting point is 00:12:43 all the data they took. Trick and MLT posted the whole database of everyone who's ever donated to the EDL in the past, exposing some people who probably didn't want to be exposed this way. But they didn't stop there. They just carried right on to the next group. Another far-right group, the British National Party, has also suffered its membership database being hacked, which led to the organization struggling to recruit new members as they feared social ostracization as a result of being linked to the radical group. Now, Trick was the same age as MLT. They were both just teenagers. And these
Starting point is 00:13:18 two attacks they just carried out made the news throughout the UK. Sky News had a story about it. BBC was running articles. It was wild for them to see how the UK reacted to a few teenagers screwing around on their computers on the weekend. But this kind of stuff is what fueled them to do more. That was cool. That was fun. A lot of people thought what they were doing was great and that the EDL deserved it. Trick wanted to take it up a notch and decided to convert his Poison.org website into a hacker group called Team Poison.
Starting point is 00:13:53 Trick asked a few of the more talented people from the forums if they'd be interested in joining Team Poison. I was one of those people. And then he went on to ask if I wanted to help co-lead the group with him. And that's how MLT became the co-leader of the Team Poison hacker group. They became fully entrenched in the hacker scene. By this time, they've also separated themselves from Anonymous, sometimes only popping in the Anon IRC chat rooms just to try to take over the channel or cause a ruckus. By this point, MLT and Trick have hacked into numerous websites
Starting point is 00:14:27 and were learning quickly and eager to do more. And so Team Poison continued attacking more websites. Their early objectives were simply to try to deface their target websites. That is, to change what's said on the site and write their own message up on there. To first prove that they were there and to second send whatever message they wanted to send. Sort of like digital graffiti on the internet. But as MLT saw what websites were being defaced, it made him think about his morals. What kind of website defacements are good and what aren't? I guess it depends on a few different factors, like motivation for one.
Starting point is 00:15:13 For example, if it's a perfectly legitimate website, then it's probably immoral to do so. But if it was, say, a terrorist organization or something along those lines, then I think it's perfectly morally justified. I guess it is morally justified to attack a terrorist organization's website. Okay, I guess I'm on board with that. But MLT thought Anonymous was attacking websites for no reason sometimes. Yeah, I feel like Anonymous are just honestly all over the place. Like a lot of the time they'll just target some random low-hanging fruit and then come up with some moral explanation as to why it should be a target.
Starting point is 00:15:51 Yeah, but I'm wondering if you had, like, a strong moral outset to starting all this. Like, did you feel that governments were tyrannical? No, definitely not. I'd say within Team Poison, I was probably the outlier in that respect because Trick was definitely politically motivated and was doing it for morals. But personally, I was just doing it just kind of to gain more skills
Starting point is 00:16:19 and see whether I was capable of it. I was never really politically motivated or anything along those lines. Yeah, but there was something that, I mean, if you saw somebody doing something that's like, wow, that's actually hurting some people, like small businesses or whatever, that don't deserve it, you would have stepped aside and said, I'm not going to be part of this. But something drew you to be part of Team Poison, and I'm trying to figure out what was it that you said, I want to, let's create something, I want to be part of this.
Starting point is 00:16:49 What was that thing? I feel like the main draw with it was when I got the invite to the group, I knew that I was, but at the time, like, I was nowhere near as skilled as Trick, so I was just hoping that I would have been able to learn
Starting point is 00:17:05 from what he was doing, really. Yeah, it was never really about politics at all for me. I might go so far as to say MLT was there because of curiosity's sake. At one point he told me he just wanted to see if he could do it. As in, here's the target, could you get in? Okay, challenge accepted, kind of thing. And MLT really wanted to learn more along the way. It doesn't sound like he considered himself
Starting point is 00:17:31 a hacktivist or anything. He was just poking at the world in his own curious way. But along the way, he was watching how fired up Trick would get over different political causes and stuff. Yeah, I mean, Geronimo Po I chatted with him pretty much several hours a day,
Starting point is 00:17:50 every day. I mean, he seemed like a pretty nice person. Yeah, what was he like just in those chats? Pretty normal for the most part. I mean, he was obviously politically motivated, but it didn't seem like he was an extremist or anything like that. He'd have no problem talking to people who mightn't necessarily respect his religion or anything like that. He just seemed indifferent to it. MLT was learning a ton about hacking from Trick and other members of Team Poison. Yeah, but actual core members were me, Trick, Insane, and Hex.
Starting point is 00:18:35 There was a few other people who were, like, affiliated, but they weren't directly involved. A lot of their targets were picked by Trick, because Trick really did feel strongly about certain things politically. He was Muslim, and at the time there was a lot of tension between the West and Islamic extremism like Al-Qaeda and ISIS. So there was a lot of emotion in the air, and it was easy to find targets that made Trick mad. But sometimes they would just pick targets just to mess around with. Like this one time they decided to hack a celebrity.
Starting point is 00:19:08 I wasn't actually directly involved in this one, but I can tell you exactly how it happened. Basically, it was done by Trick and a few members of a group called Z Company Hacking Crew. Facebook used to use Facebook query language at the time. This other group called Z Company Hacking Crew also seemed to focus on finding Islamophobic Facebook pages and trying to hack them or do something to them. While doing that, they were getting pretty familiar with how Facebook worked. And together with Trick, they discovered a way to exploit the Facebook query language
Starting point is 00:19:42 to make posts for any user they wanted. So at first they used this exploit to attack racist and Islamophobic Facebook pages, which that was their original intent. But when all that was done, they decided to aim higher on the target list, targeting the French president's Facebook page, Nicolas Sarkozy. And they were able to post something to his page as the president. And then they shifted their attention to the head of Facebook itself. They posted to Facebook as Mark Zuckerberg, saying something like, if Facebook is a social network, it should do some social good too, instead of just being for profit.
Starting point is 00:20:24 And yeah, once again, this was something that Team Poison did, which reverberated across the internet. For Mark Zuckerberg's own account on Facebook to have an unauthorized posting, that's an interesting news story. All done by a couple of teenagers. Okay, so let's move on to Tony Blair. Yeah, so with Tony Blair, that was Trick again. That was one of the attacks that I wasn't directly involved in. But basically, he used a zero-day exploit that affected the webmail service. I don't know if it was Tony Blair himself or one of Tony Blair's staffers, but he used an exploit to gain access to the emails.
Starting point is 00:21:09 And then within the emails, he found an address book, which had a bunch of personal information on politicians and stuff, like phone numbers and that sort of thing. Okay, so Trick used some kind of exploit to get the contacts list that Tony Blair had on his email account. And that's interesting. But at first glance, this doesn't seem that important to me. He wasn't able to read Tony Blair's emails or anything.
Starting point is 00:21:37 He just saw Tony Blair's contacts, names, phone numbers, email addresses. But this is actually a bit more serious than that. First of all, Tony Blair is the former prime minister of the UK. So this was a high-profile target. If Tony Blair gets compromised, you know the MI5 or GCHQ are going to come in to investigate. And where does that investigative trail start? With some Twitter posts. Trick himself was posting this all over Twitter. And while a regular
Starting point is 00:22:06 person can't see who owns a Twitter account, Twitter has some extra insight into this. They can see where the user connected from, what devices they used, what emails are registered to the account. And if the MI5 is involved, it's probably pretty easy for them to get Twitter to turn over the information of whoever's posting to the Team Poison Twitter account. But Trick hid his tracks very well, always using a proxy or VPN or even a Tor client to connect to Twitter. But Twitter would only need him to mess up once for them to see his real IP. Internally, within Team Poison, this felt like a big win. Hacking the former prime minister? What would be next? The queen herself? Well, they don't hack the queen. But stay with us because when we come back,
Starting point is 00:22:52 it gets much more serious. To be continued...
Starting point is 00:24:12 Now while Team Poison sort of sprang out of Anonymous and was once loosely affiliated with them, they started doing things to upset Anonymous. There was another hacker group that came from Anonymous called LulzSec. And they were doing things like hacking PlayStation and the CIA and some other high-profile accounts. The situation with LulzSec, they made some threats over Twitter. And then I wasn't even involved at this point, but Trick was arguing with me over Twitter and stuff. And then Sabu from LulzSec, he started making up a bunch of lies about me. It's not clear what started this Twitter spat, but Sabu, a member of LulzSec and Team Poison weren't getting along.
Starting point is 00:24:59 MLT and the crew at Team Poison did some research on Sabu and found where he worked, and they broke into some computers where Sabu worked and showed a screenshot of this to Sabu, proving they were in his work computers. At first he denied ever working for it, but if you look at his Twitter profile now, he's admitted that he asked later. This, of course, escalated the situation. Next, LulzSec allegedly started DDoSing the Poison.org website and trying to deface it, or at least making spammy posts on it there. And Sabu continued to talk trash about Team Poison on Twitter. You start spreading a bunch of fake blogs.
Starting point is 00:25:37 Basically, you fake an entire IRC conversation that made it look like Team Poison was some sort of sire controlled by LulzSec. Like, he was trying to act like LulzSec was Team Poison all along to deflect away from the fact that he'd been hacked. Weird stuff
Starting point is 00:25:58 going on, for sure. But I actually see this all the time with these underground hacker groups. They often turn on each other and try to dox each other and attack each other. It's weird. Did anybody at school know that this was some of the stuff you were into? Nobody in school knew anything about Team Poison, although I did get in trouble in school for hacking-related things a few times.
Starting point is 00:26:23 Like the school's computers and stuff? Yeah, like one time I SQL injected the school's website and defaced it. And then another time I wrote an email spoofer and I was sending spoofed
Starting point is 00:26:40 emails from like the principal's email address to some random student's email address and getting people put on detention and things like that. This hack on his school's website resulted in him getting in trouble at school. His parents were not happy about this and they gave him a stern talking to and they grounded him from using computers for a while. Little did they know that the incident at the school was just a tiny blip on the long list of things
Starting point is 00:27:08 that MLT was getting into. So what happens with P. Diddy? The situation with P. Diddy, this is quite a crazy one. So basically, we managed to get access to an internal machine in a hotel. Okay, so to get into this hotel's network, it started with a phishing email. They crafted an email that looked like it was from another employee at that hotel. And it was asking this person to open the attached zip file and run the app inside it.
Starting point is 00:27:44 Well, the app was malware. So when the employee opened it, it gave Team Poison access to the computer in the hotel. From using that access, we performed some lateral movement and gained access to some other machines on the network. And some of those machines were security cameras. And literally, as we are sitting watching these security cameras, P. Diddy casually walks into a hotel and checks in at the front desk. Well, it was complete chance that they saw this. P. Diddy is Sean Puffy Combs, a very popular rapper at the time. But seeing Puff Daddy himself on the camera was just a small thing
Starting point is 00:28:23 because Team Poison was in the computer at the front desk that he just checked into. And they watched the data go across the screen saying that Sean Puffy Combs has just checked in and paid for his room. Using his Amex black card, which has an unlimited credit balance. They were able to see what Puff Daddy's credit card number was and snagged it. We basically just donated a few hundred thousand dollars to charity and then bought pizzas for anyone who asked on Twitter. And P. Diddy got extremely frustrated about it.
Starting point is 00:29:03 He tried hiring a team of private detectives and all kinds of crazy stuff. Yeah, and so did P. Diddy ever figure out who was behind this? No, he did not. But there's quite a few articles that state he hired a team of private detectives to try and find out who the perpetrators were.
Starting point is 00:29:30 And how did you feel about that? Did you feel like, yeah, good luck, you're never going to find me, I'm better than that? Yeah, I mean, that's how I felt at the time, but I feel like these days I'd probably be a bit more paranoid. Were you feeling like you were untouchable, unstoppable? Yeah, pretty much. I mean, back then I definitely had a huge ego.
Starting point is 00:29:53 I just thought that I was never going to get caught. Yeah. Tell me about that ego. Describe it some more. Well, it was just a case of thinking I was a lot more skilled than what I actually was and thinking I was a lot better at covering my tracks than what I actually was.
Starting point is 00:30:13 And then soon enough I found out that that wasn't the case at all. Okay. Let's see. What else have we got here? Blackberry attack. Were you part of that? Yes, I was. So what was
Starting point is 00:30:27 going on to even want to attack BlackBerry? Well, it was Trick's idea to attack it because it was during the London riots back in like 2012? 2011 maybe.
Starting point is 00:30:43 And since BlackBerry was a huge phone provider at the time, and BlackBerry Messenger was all the rage, BlackBerry agreed to cooperate with the police and hand over information on BBM users, like who were taking part in the rioting, and as a result Trick decided to attack BlackBerry. Okay.
Starting point is 00:31:09 So, the target is acquired. Let's go after BlackBerry. So, what happened? Yeah, the method for gaining access to BlackBerry was totally different to our usual methods. Okay. So, their method here is quite involved. First, they gathered a list of as many employee names as they could who worked at BlackBerry. Then they had a friend who had several database dumps of various breaches over the years,
Starting point is 00:31:34 and they took these names of BlackBerry employees and searched the database dumps to try to find some matching names, and they found some. Quite a few, actually. But from there, they looked to see if any of those employees had Gmail accounts. We called them all up, pretending to be from Google, and we told them that there's been a brute force attempt on their Gmail account and that it's been locked for security reasons. And then we would say that in order to unlock their account, we were going to send them an unlock code.
Starting point is 00:32:10 And then from there, we would just do a password reset request on their Gmail account. And from there, they'd get a text message from Google with a code. And then they'd just read it out over the phone, pretty much no question asked. Now, once they got into some BlackBerry employees' Gmail accounts, they looked to see if there were any emails regarding BlackBerry. And that's where they found that, yeah, some people's emails they got into had an account at blog.blackberry.com. Now, this BlackBerry blog was just a WordPress site. And so they went to the WordPress admin panel and said, I forgot my password. And the WordPress site would email them a link to make a new password. Well, they already had access to the Gmail account.
Starting point is 00:32:51 And so they just clicked the link and created a new password. And that's how they got into blog.blackberry.com. Trick crafted up a message to post to their blog. The message that looks like it was posted on the BlackBerry blog website is, Dear RIM, you will not assist the UK police because if you do, innocent members of the public who were at the wrong place at the wrong time and owned
Starting point is 00:33:13 a BlackBerry will be charged for no reason at all. And it goes on and on. And it's signed, Trick, Team Poison, greets to Insane, Hex, MLT, Black Hacker, Knowledge is Power, Twitter, Team Poison, Trick.
Starting point is 00:33:27 Um, there's a lot of mixed feelings in regards to that particular hack. Like, um,
Starting point is 00:33:36 a lot of people thought it was a good thing. Other people thought it was terrible and a really bad thing to do. Um,
Starting point is 00:33:43 as for me personally, um, I don't necessarily agree with it, but I was just curious to learn my particular method of social engineering. As you can hear, a lot of what went on at Team Poison was Trick's doing. Either he did it himself or told the team, this is the target, and he crafted all the communications and messaging that Team Poison was putting out there, such as having strongly worded messages to BlackBerry. Did you know where he lived? Um, Small Heath, Birmingham. Other than that, I don't know anything more specific. No address or anything. Trick was born in the, but his family was born in Pakistan.
Starting point is 00:34:25 And they were Muslims, and raised him to be Muslim too. And it sounds like Trick was becoming more opinionated about who to hack, based on his politics and culture. Together, Team Poison went on to hack so many more sites. The United Nations, NATO, and
Starting point is 00:34:41 many more. If you were to put a number on it, how many things do you think you, Team Poison, hacked? Um, at least a few thousand. I mean, that 1,400 number is just, um, that's a list of mirrored deface pages from Zone H. Okay, so Zone H. This is a website that hackers will post proof of what they've hacked into. This sort of shows your reputation and history of what your group has done over time. And on this Zone H website, Team Poison has over 1,400 different websites listed that they claim they hacked into between 2010 and 2013.
Starting point is 00:35:20 But you can probably guess that if you hack into 1,400 different websites and deface them, it's probably not all for political reasons. There were some wide nets that Team Poison would cast sometimes, just to see if any of the websites on the internet were vulnerable to something. And so if they had a hit, they'd get in there and deface the front page showing Team Poison was here. Because the websites they got into were all over the place. DVD review sites, backpacking sites, antiques, teddy nation, poker review sites, catering sites, and so many more random sites.
Starting point is 00:35:52 All the Zone H reports that are just like kind of random sites, that was before kind of Team Poison came into the public line, right? So, um, most of the hacks we did after that point, we didn't even bother to submit on Zone H. But that's when we specifically began to go after a target that we would choose between the team rather than just any random website. MLT says he wasn't involved with these hacks because that was before Team Poison was formed. But now that Team Poison is here, he's definitely involved now, in a big way. and interesting story, but it gave us access to hundreds of .gov.au sites. Fnet was one of the last hacks I pulled off before I quit the empire. Probably one of the
Starting point is 00:36:52 most difficult ones was when we gained access to F-Secure for about a grand total of three minutes, maybe. Yeah, and what kept you doing it? Was it just a sense of friends hanging out
Starting point is 00:37:10 or was there, what did you feel? And you said it's not really politically motivated, but did you feel that there was some sort of social justice that you wanted to make right in the world? It was honestly never really about that for me. It's just I realized I was surrounded by people who knew more than me, and I just wanted the opportunity to learn. It was probably a stupid idea because of all the repercussions it's caused.
Starting point is 00:37:34 Yeah, but there's a lot of work here. I don't know. It's just that doesn't, it's not sitting right with me that that's all you were there for is just because, oh, I want to learn more. I don't mind breaking some laws. I don't mind, this is stealing a hundred thousand dollars from P. Diddy. I just want to learn. It's, it seems like a, there's something more to it to me. Honestly, like, I don't know what else to say about that. I was just a dumb teenager at the time. I was curious more than anything.
Starting point is 00:38:07 I mean, if I was ever in it for money, I'm sure I could have definitely made some money. Well, yeah. Why didn't you decide to do that? I feel like if I was black hat now rather than
Starting point is 00:38:24 back then, then I would be deciding to do that. But back then, it never really crossed my mind properly. After talking with him a little more, I came to the conclusion that MLT did all this with Team Poison, partly because he was a rebellious teenager, partly because he was curious, partly because he wanted to learn more, partly because these were his friends and he had been through a lot with them, and partly because it was an absolute adrenaline rush
Starting point is 00:38:55 when you hack into something. I mean, like, I feel like that was also a big part of the adrenaline rush. Because when you pop a shell on a government server, it's just like the rush, it gets kind of addictive in a way. Did Team Poison make money from any of this stuff? I know that I made no money personally,
Starting point is 00:39:16 and neither did Trick. I'm not sure about Hex or Insane. But if they did make money, it was definitely not due to anything that I carried out. Was there anything that anyone did that you were like, whoa, that's too much, that's gone too far. I'm not feeling comfortable with that. That's exactly how I felt when I'm tricked into stuff with the anti-terror hotline.
Starting point is 00:39:43 The anti-terrorist hotline was set up by the UK government. It was set up for citizens to report suspected terrorism. The anti-terrorist hotline is confidential. It's there just in case you see anything unusual. If you suspect it, report it. This was what Trick wanted to attack. He compromised a PBX server that was based in the Philippines, and then he wrote a script using Asterisk, um, which spoofed caller IDs in a loop and randomly generated the caller IDs, so
Starting point is 00:40:18 essentially they were just getting a call from a different phone number every second. So no matter how many times they block the numbers, they just continue calling. What didn't sit well with me is the fact that it's a denial of service against the anti-terror hotline. Trick had been doing this out of protest. He wasn't happy with how a few suspected terrorists who were Muslim were being treated. He wanted to do something about it. And he thought hitting the anti-terrorist hotline was doing something about it. When this actually happened, my first hearing of it, I was actually on vacation in Cyprus at the time. And I was sitting in a bar and suddenly the news comes on and it's talking about Team Poison and the anti-terror hotline
Starting point is 00:41:07 and I literally had no knowledge about the situation up until that point. The details of these attacks usually take time to emerge, but in this case they came in under 24 hours. Now, Team Poison is an anarchist, hacktivist group and it began by jamming the UK's counter-terrorism hotline with hundreds of computer-generated calls in what's known as a denial-of-service attack. These have been seen lately crashing websites like the Home Office last weekend. Now, Team Poison was protesting over the extradition of alleged terror suspects
Starting point is 00:41:39 from Britain to the US. The group then called the terror hotline to explain its actions and to mock officers, and the officers then warned them that they would be traced and reported to the FBI. Yeah, I was pretty much panicked by that point because, I mean, it was pretty obvious that that was going to be the final straw. Why? Well, I mean, we've already been causing a bunch of problems for law enforcement and then
Starting point is 00:42:08 Trick decides to go and attack the Met Police, out of all people. Yeah, but I mean, he's already attacked Tony Blair, and so if you're going to get the Prime Minister, that's going to attract... Yeah, but
Starting point is 00:42:24 I feel like the main difference between those two attacks, though, is that the reasoning for attacking the anti-terror hotline was basically in support of terrorism. What do you mean? Like, I think he was complaining about terror suspects being extradited. But if you looked into the cases of who he was complaining about, it was like one of them was bin Laden's right-hand man, for example. Like, it's hardly like there were innocent people that he was protesting about. I told him at the time he'd gone too far and then I think it was maybe one day before I returned from Cyprus there was a BBC article stating that a 17 year old team poison member had been arrested
Starting point is 00:43:17 and there was only two members of Team Poison in UK, both of whom were 17, and he was one of them and I was the other. And, like, obviously, I knew I hadn't been arrested, so I just assumed it must have been him. Right, so what did you feel when you read that? Um, I was pretty paranoid, panicking. You were in Cyprus with your parents? Yeah, yeah, I was at the time.
Starting point is 00:43:52 Did they notice you being paranoid and panicky? Not that I'm aware of. In hindsight, I think him getting arrested first was probably very beneficial for me because it gave me a chance to cover my tracks at least. MLT starts going through the process of wiping his computer and phone. And not only was he wiping that, but he was also getting into any servers that he had access to. And there were a bunch that hosted various malware and phishing sites and stuff. He was getting into all those and destroying them,
Starting point is 00:44:23 running tools like DBAN, making whatever data that was on there gone forever. He had his laptop with him, so that was easy to wipe, but his computer at home posed another challenge. I had a friend who advocated my house at home at the time because he was feeding my cat, so I told him to install Darik's Boot and Nuke onto a CD disc and then got him to just wipe everything off my home computer as well. He had a suspicion that as soon as he gets home, he'll be arrested.
Starting point is 00:44:55 Cyprus is an island in the Mediterranean Sea. From the island, MLT could see Turkey just to the north. And the thought crossed his mind a few times that maybe he should just escape to Turkey and start a new life on the run. He urged, went home instead, and faced the consequences. He went back home to the UK, half expecting to be arrested at the airport, but nothing. He goes home, expecting the police to be there. But nothing. He spends a quiet night at home, erasing any last bits of evidence he could.
Starting point is 00:45:31 It wasn't until a few days later that the police came. It was pretty late at night, which was surprising because usually it's early in the morning. But yeah, I was just lying in bed, pretty much drifting off, getting ready to fall asleep. And then all of a sudden, maybe 15 plainclothes officers come running into my bedroom. How'd they get in the house? Take the door down. They rush into his room. He stands up to take a look at them. They grab him and push him against the wall and put his arms around his back and handcuff him. They confiscate all his computers and his home and take him down to the police station.
Starting point is 00:46:07 They keep him in a holding cell for three days while they question him. Every 30 minutes, they'd loudly bang on the door of my cell. Throughout the entire night. And then each morning, I'd have to do an interview. But obviously, I'd be completely exhausted because they've intentionally kept me awake all night. While the police didn't tell him how they found him, he had a lot of time to think about what were the possible ways they caught him. As if we were being hit with private exploits or something. Or if it wasn't that, then something else I became aware of
Starting point is 00:46:53 is when they actually arrested Trick, his computer was still switched on and his IRC client was open and he was in the middle of a conversation with me where I was pasting him vulnerabilities and database information from the European Union court systems without realizing that there was a police officer stood right behind him at the time. They scheduled his court case for a few months out and let him go back home.
Starting point is 00:47:23 Trick was the first to have to go to court. Trick's real name is Junaid Hussain. And even though he was arrested when he was 17, they were trying him as an adult. And they were specifically upset with him for attacking the anti-terrorist hotline. He pleaded guilty to it. And they sentenced him to six months in prison for violating the Computer Misuse Act. MLT's court case came after that, and he was still only 17 when he went before the court,
Starting point is 00:47:50 so they tried him as a minor. On top of that, they thought Trick was the main person, so MLT should get less of a punishment than Trick, right? And as you may remember, MLT wasn't even part of the anti-terrorist hotline attack, so they didn't charge him for that at all. Instead, they brought up his hacks that he did on the European court systems and some other targets.
Starting point is 00:48:11 He pled guilty to that, and they sentenced MLT to two years supervised release. That is no prison time for him. It's just kind of like two years of probation. Trick was sentenced to six months in prison, but after serving a month and a half, they let him go. And when he came out of prison, MLT said Trick changed. Yeah, definitely.
Starting point is 00:48:33 Like, he was, I mean, he was always maybe mildly extreme, but ever since getting out, it was like totally different. Yeah, and how was it different? What was he doing differently? Well, I mean, in the past, he would always talk about, like, hacktivism as a means of getting his political message across. But when he got out of prison,
Starting point is 00:48:57 he was talking a lot more about, like, direct action, saying people needed to die and kinds of things like that. What kind of people was he saying needed to die? That is, Trick was becoming aggressive to anyone who wasn't Muslim. After prison, Trick went back home to Birmingham, UK. And I believe
Starting point is 00:49:32 that's where he married his longtime girlfriend, Sally Jones. Now, Sally was born in the UK and was raised Catholic. But she left the Catholic church
Starting point is 00:49:41 as a teenager and joined an all-girl punk rock band. And when the Iraq War took place, she sympathized with Muslims and became Muslim herself. Sally spent a lot of time online, too, hanging out in chat rooms and being active on Twitter. Yeah, I'm pretty sure that her and Trick met over Twitter, like back when Team Poison was active. Sally and Trick started chatting privately and getting to know each other. She would even join the Team Poison chat room sometimes and hang out with MLT and other members.
Starting point is 00:50:17 Honestly, back when I used to talk to her, she was just relatively normal. Just a typical normal person until she met Trick. She was kind of like one of Trick's groupies. She just seemed kind of obsessed with him. They really hit it off. Sally liked the rebel in Trick. Trick liked the Muslim in her. But there was an age difference.
Starting point is 00:50:37 Trick was 18 and Sally was 44, more than twice his age. And she had a few children too, and I believe her older son was just one year younger than Trick. But she ultimately left her boyfriend to be with Trick, aka Junaid Hussain. And after Junaid got out of prison, they decided to get married. But Junaid was different now. Junaid had become more radicalized while in prison, and after being out for a few months, he got into some trouble. He got into a fight with a police officer and was arrested again.
Starting point is 00:51:07 And they let him go and gave him a court date. But Junaid never planned on making a court appearance. Instead, he decided to move to Syria. He went alone, flying to Turkey and then crossing over the border to Syria. And later, Sally Jones decided to go to Syria too. And she took her nine-year-old son, little Jojo, from a previous relationship, with her. And together,
Starting point is 00:51:30 they flew to Syria and reunited with Junaid. He would attempt to message me regularly, but I'd try and avoid any communications with him. Like, for one example, the first time he messaged me from Syria was he linked me to a
Starting point is 00:51:48 website. Raqqa has been slaughtered silently. And basically what he asked was if I was capable of hacking that website, finding out who was running it, and then passing that information on to ISIS. And he was also messaging me asking if I can get credit cards for ISIS to use. Yeah, Junaid Hussain had joined ISIS, a terrorist organization. And ISIS loved him. He was particularly helpful at setting up computers and their online presence. And he started a new hacker group called the Cyber Caliphate to carry out cyber attacks on behalf of ISIS. Junaid quickly rose to be one of ISIS's most prominent and influential English-speaking members, letting him run the English Twitter account and write articles.
Starting point is 00:52:49 In fact, Junaid became one of the best international recruiters for ISIS because he was able to connect with English-speaking teens over social media and online in ways that other ISIS members just couldn't do. But it's not like you could just go to Syria and join ISIS. There's a rigorous recruitment process to prove you're worthy. You have to change your name and become a citizen and have someone vouch for you. And you might even be told to kill someone, like a captured prisoner or something. Junaid changed his name to Abu Hussein Al-Britani. Sally Jones changed her name to Um Hussein Al-Britani. Sally even began training her 10-year-old son to be part of ISIS, pushing him to become a child soldier. At one point, Junaid got on a video call with MLT and a few others. Junaid was holding up an AK-47 rifle in his hands and was waving it around, showing them.
Starting point is 00:53:35 At first, nobody took him seriously. Everyone was saying it was an airsoft rifle. But then he made it pretty clear that it wasn't by showing everyone the magazine and ammo for it and all that stuff. This didn't sit well with MLT. What his old buddy Trick was doing was wrong. And MLT wanted nothing to do with this. I was definitely against it. As soon as he told me the kind of things he was actually doing, I just tried to cut off contact as much as possible.
Starting point is 00:54:13 Junaid would message him sometimes, but MLT just stopped responding altogether. As Junaid's prominence and power rose within the ranks of ISIS, it also meant that he became a bigger target for U.S. forces who were actively at war with ISIS. It became pretty clear that Junaid was a powerful recruiter for ISIS, and they wanted to stop him. The Sunday Times listed Junaid as the third ISIL target on the Pentagon's kill list. And I've got to say, it's not easy to get on Central Command's kill list, especially ranked number three. Just hacking stuff does not warrant that kind of attention.
Starting point is 00:54:49 Look at all the hacks that have happened over the years. And while there's an FBI most wanted list, none of the people on that list appear on CENTCOM's kill list. What Junaid did was far more sinister than just hacking places. Junaid was not only a recruiter for ISIS, but he was also in communication with a lot of foreign members, instructing them to commit acts of violence. He would private message people on Twitter and then take that to more secure messaging platforms and begin feeding people information, such as what targets to attack, how to make bombs, how to use weapons, and how to make money. And a few attacks that took place were linked to Junaid.
Starting point is 00:55:27 Hussain is accused of being linked to the shooting attack in Garland, Texas in May, where contest participants were asked to draw the Prophet Muhammad. Investigators believe Hussain was messaging one of the gunmen to radicalize him and urge him to launch an attack, making it potentially the first ISIS-directed attack in the U.S. Not only that, but his wife, Sally Jones, was doing the same thing. Often she would take over in the private messaging and offer to send new recruits manuals or books that would make someone more radicalized.
Starting point is 00:56:01 Then she'd follow up and ask them, what kind of attack do you want to do? And then provide more help for them to carry it out. And so Junaid Hussain continued to help people conduct acts of terror. This is what drew the attention of the U.S. military. Hacking is one thing, but urging people to commit acts of violence and helping them do it is an entirely different thing. And because he was an ISIS member, it meant he became the target of the U.S. military, which is how he became number three on CENTCOM's kill list. And when you get on their kill list,
Starting point is 00:56:33 there's only one way off. The only problem was they didn't exactly know where he was. The rumor regarding that that I heard is that someone tricked them into downloading a malicious APK file onto his Android phone. And then they managed to get a geolocation from there. I'm not 100% sure if that story is true. It's just what I've been told from a few people. I'm not sure how they got his location either. However, once the U.S. forces did learn the exact location of where Junaid Hussain was,
Starting point is 00:57:07 they sent out an attack drone to fly over. They got a fix on his location and fired a rocket towards the location, and it hit a structure and exploded, killing three people. And none of those people were Junaid Hussain. They were just three regular Syrian civilians. Junaid knew the U.S. was out to get him. So him and Sally reportedly always kept their 10-year-old son close by to shield them from drone strikes.
Starting point is 00:57:38 And this seemed to work. Drones did not attack while the boy was with them. But a few weeks go by, and Junaid went on a drive without the 10-year-old boy to a gas station. U.S. forces got intel of his location and ordered another drone strike. The drone flew in fast. It was too quiet to hear it coming, and it was too fast to find cover, and it fired a missile directly towards Junaid Hussain. Junaid Hussain was killed on August 25th, 2015. He was 21 years old. To date,
Starting point is 00:58:17 he's the only known hacker to ever be killed by a U.S. drone strike. U.S. spy drones followed and tracked notorious British-born ISIS hacker Junaid Hussain for days in the middle of heavily populated Raqqa, Syria, before finally launching a Hellfire missile off a drone to kill him as he stood in the street Monday. The U.S. had to be sure it was him and to fire at him when civilians were not nearby. I feel like I'd be lying if I said that I felt sympathy for him. Like, obviously, he was a friend at one point, but considering what he's done since then, it's hard to feel bad for him at all. What happened to Sally Jones, you might wonder? Well, she stayed in Syria and
Starting point is 00:59:05 continued to train her boy to be a child soldier for ISIS. And there's even a video of a few kids killing some Kurdish soldiers, shooting them in the back of the head. And one of the kids looks like Sally Jones's 12-year-old son, Jojo. Sally denied it was her son in the video, though. Two years after Junaid's death, we hear this on the nightly news. News of a developing story here in the UK. We are hearing from the government, they have confirmed to the BBC that a notorious female British jihadist was actually killed in a drone strike in Syria. This is Sally Ann Jones. The report also said that her 12-year-old son was killed in the drone strike too. The
Starting point is 00:59:46 details of this aren't clear because I'm not sure if the strike was intended for her or if she was just in a building that was hit with incoming shells. If it was a drone strike just for her, it would mean she's the first woman ISIS member to be targeted by a drone like that. But it would also be questionable legally to attack a woman and a 12-year-old boy who weren't active combatants within ISIS. MLT was able to finish his supervised release without getting into any more trouble. And still, since his arrest, MLT has kept a clean record. For the last five years or so, I was doing a lot of bug bounty hunting. And I was pretty active on most
Starting point is 01:00:26 of the major platforms, but I've kind of shifted my focus recently to zero day exploit development. So like I should be auditing, say, a web application or some IoT device for vulnerabilities and then crafting an exploit based on that and selling it. Whoa, selling zero days is a heavy thing to be involved with. I've done a few episodes on this alone. Basically, he'll look at certain applications or devices to try to find vulnerabilities in them, but instead of telling the maker of the product about it, he'll sell those to someone else, specifically Zerodium or Trend Micro's Zero Day Initiative. Now these two companies will verify that this is an actual unpatched vulnerability and pay people who bring it to them.
Starting point is 01:01:11 But they both do two totally different things with the exploits they get. Zerodium pays more, much more. But they'll take the exploit and sell it to government entities, who will use the exploit as a weapon to attack. And you really don't know what government Zerodium is selling their exploits to. Trend Micro's Zero Day Initiative doesn't pay as much, but will take the exploit and develop antivirus signatures for it and report it to the software maker so it can be fixed. Both of these are legal for someone to report bugs to, Yeah, like, I'd rather just stick with lower payouts and have a clear conscience. That's a tough decision, though, isn't it?
Starting point is 01:02:02 Oh, yeah, definitely. How hard is it for you to say, well, I could make much more from this but I'm going to do the right thing. Yeah, it's sometimes a struggle. MLT has taken his interest in all this and recently started
Starting point is 01:02:18 a new hacking group called 0xFFFF. The big difference with this group is that it's legal. They develop zero-day vulnerabilities and sell them legally and ethically. They do bug bounty hunting and more. You can see what the group is up to by going to blog.0xffff.info. Big thank you to MLT for sharing this incredible story with us. I've been meaning to do a story on Junaid Hussain for years because it's one of the most insane stories I've ever heard, but couldn't
Starting point is 01:02:53 tell it unless I had someone who was personally involved with him to tell the story. I can't think of anyone better to tell the story than MLT, so thanks for sharing this. Hey, you're invited to the Darknet Diaries Discord. This is my favorite chat room on the entire internet, and it's where fans of the show hang out and ask questions and post funny memes. Come hang out with us. I want you there. To join, just go to discord.gg slash darknetdiaries. This show is made by me, the crouching kitten, Jack Rhysider. Sound design by the hidden hawk and Andrew Meriwether. And our theme music is by the buzzing Breakmaster Cylinder. I went to a wedding the other day.
Starting point is 01:03:30 Both the bride and groom are Wi-Fi technicians. And oh, let me tell you, the reception was great. This is Darknet Diaries.
