Darknet Diaries - 112: Dirty Coms
Episode Date: March 8, 2022
This episode we talk with a guy named "Drew" who gives us a rare peek into what some of the young hackers are up to today. From listening to Drew, we can see that times are changing for the motive behind hacking. In the '90s and '00s it was done for fun and curiosity. In the '10s Anonymous showed us what Hacktivism is. And now, in the '20s, the young hackers seem to be profit driven.
Sponsors
Support for this show comes from Linode. Linode supplies you with virtual servers. Visit linode.com/darknet and get a special offer.
Support for this show comes from Juniper Networks. Juniper Networks is dedicated to simplifying network operations and driving superior experiences for end users. Visit juniper.net/darknet to learn more about how Juniper Secure Edge can help you keep your remote workforce seamlessly secure wherever they are.
Transcript
The older generation gives us so much guidance and wisdom that I don't know
where we'd be without them. They teach us the dangers of the world and give us
insights that would take us decades to figure out on our own. But the Internet
doesn't have an older generation. We're still in the first generation of users.
It's only been 30 years since AOL brought millions of people online for
the first time. And oh, how the internet has changed since.
And I fear that when there's no older generation to guide the younger generation on how to be safe online,
that there's a lot of kids who will learn the hard way.
I know when I was a teen, I screwed around so much on the internet that I swear I got a new virus on my family computer every week.
And there was no one around to show me why that happened or how to fix it.
My grandma and dad barely knew how to turn it on, much less handle these kind of problems.
And the schools weren't teaching computers yet.
And when they finally did, they taught basic things like how to type or use some sort of application. Nowhere in the curriculum was anything about the dangers of downloading software,
shopping online, or going to chat rooms.
That kind of stuff is only taught by family.
Or in my case, by nobody.
In fact, the older generation often relies on the newer generation
to teach them about computers.
So many times I've seen parents ask their kids to set up the new computer
or show them how to use social media.
Kids teaching parents the dangers of social media
is like kids teaching parents street smarts.
But that's the world we're in because it's so new.
What will the internet look like in 2060? There will be
better educated users. Users who grew up with parents who have seen the darker side of the
internet and can warn them about it and show them the dangers. But that time is not here yet.
We're still in the age of the younger generation guiding our light.
And I sure hope they know where they're going.
These are true stories from the dark side of the internet.
I'm Jack Rhysider.
This is Darknet Diaries.
This episode is sponsored by Delete Me.
I know a bit too much about how scam callers work.
They'll use anything they can find about you online to try to get at your money. And our personal information is all over the place
online. Phone numbers, addresses, family members, where you work, what kind of car you drive. It's
endless and it's not a fair fight. But I realize I don't need to be fighting this alone anymore.
Now I use the help of Delete Me. Delete Me is a subscription service that finds and removes
personal information from hundreds of data broker websites and
continuously works to keep it off. Data brokers hate them, because Delete Me makes sure your personal profile is no longer theirs to sell.
I tried it, and they immediately got busy scouring the internet for my name and gave me reports on what they found, and then they got busy deleting things. It was great to have someone on my team when it comes to my privacy.
Take control of your data and keep your private life private
by signing up for Delete Me.
Now at a special discount
for Darknet Diaries listeners.
Today, get 20% off your Delete Me plan
when you go to joindeleteme.com
slash darknetdiaries
and use promo code darknet at checkout.
The only way to get 20% off
is to go to joindeleteme.com slash darknetdiaries and enter code darknet at checkout.
That's joindeleteme.com slash darknetdiaries and use code darknet.
Support for this show comes from Black Hills Information Security.
This is a company that does penetration testing,
incident response, and active monitoring to help keep businesses secure.
I know a few people who work over there, and I can vouch they do very good work.
If you want to improve the security of your organization, give them a call.
I'm sure they can help.
But the founder of the company, John Strand, is a teacher,
and he's made it a mission to make Black Hills Information Security
world-class in security training. You can learn things like penetration testing,
securing the cloud, breaching the cloud, digital forensics, and so much more. But get this,
the whole thing is pay what you can. Black Hills believes that great intro security classes do not
need to be expensive, and they are trying to break down barriers to get more people into the security field. And if you decide to pay over $195, you get six months access to the MetaCTF Cyber Range,
which is great for practicing your skills and showing them off to potential employers.
Head on over to BlackHillsInfosec.com to learn more about what services they offer and find
links to their webcasts to get some world-class training. That's BlackHillsInfosec.com.
BlackHillsInfosec.com.
The other day, someone found me,
and he was willing to open up and share what he knows
about some online communities that I don't have visibility into.
And I'll tell you right now, this episode isn't so much a story
as it's more of a tour of what's going on in some of these underground groups.
Groups that are home to hackers, scammers, and thieves.
Hello.
Hello.
What's up, man?
Not much.
Is there a name that I should refer to you as
when I'm talking about you on this episode?
You can call me Drew.
You sure?
I don't know if that's your real name or not,
but it sounds like a...
No, it's not.
Okay, it's just Drew.
Okay, sounds good.
Yeah, it's Drew.
And also, first of all, I want to clarify,
it's okay to record this call
to use it on a podcast, Darknet Diaries?
Yes, you have permission.
Okay.
Then it is recording.
All right.
So basically did you want like the full story?
Yeah.
All right. So it starts at, like, 13, like playing Roblox, you know, and I found out you can get discounted Roblox.
Okay, sorry, already I'm lost.
Roblox is just outside of my peripheral view, and I don't really get it.
So I need to pause here for a moment, do some research, and I'll be right back.
Okay, so first of all, Roblox is a video game, but it's more than that.
It's a video game platform, which gives you the tools to make your own video game.
And if you build something cool, others might want to come play it too.
However, there's this thing called Robux.
It's the in-game currency of Roblox.
And some user-made Roblox games require you to pay Robux in order to play it.
Do I have this right so far?
Yeah, you're getting that right, except I think that
one thing to keep in mind is that
little kids want
in-game currency, and they're willing
to do anything for it because they don't have the physical money
for it, because their parents don't want to spend money.
Can you buy it with real cash?
Yes, you can only buy it with real
cash. Oh, you can't earn it in-game?
No, this is not an
in-game earnable commodity. So these
kids want it, and they can't pay for it because
they're kids and their parents don't want to pay for their game
all the time. So they go to these
websites where they can just complete surveys
and do ads, and
they can get Roblox for it.
Okay, already I'm seeing potential
for abuse here. So there's
real money going in and real
money coming out of Roblox. Because if
you manage to create a game that people are willing to pay to play, you can get money as
the game creator. So if you can somehow get people to play your game, whether legitimately or not,
you get paid. But on the other side is how people are getting Robux. As Drew said, kids don't have
money. So they go to these websites and they
sit there and fill out surveys and watch
ads to get Robux.
And these ad servers make money
from their clicks and pay a percentage
to the kids that are clicking the links.
Yeah, that's exactly the model. What if it's even scams,
to be honest? Yeah, and not all these sites pay
out either, so you're kind of lucky if you
actually get Robux from doing all this work.
And you know if a 13-year-old really wants some Robux and sees an option to get some free ones,
they're going to click a link, install some software or sign up for something and give
their email and phone number. Drew's friend had set up one of these ad servers and was running
Google Ads to make it easier for kids to find his server and come on by and click all the links
to earn Robux. He's like 14, 15. He's doing this every single day. Suddenly the game wasn't to play
Roblox, but to commoditize and monetize the kids who were willing to sit and watch ads to get
Robux. And like I said, that's just the front end. You can imagine all the tactics to game the
back end, such as cloning a popular Roblox game and then somehow attacking the original to make it go down so that everyone flocks to yours because yours is up. Now you're
getting paid Robux. And there's all kinds of black hat strategies that are talked about on
hacker forums that discuss this, which is where Drew and his friend were hanging out.
He probably accumulated like $30,000 off that. Him and his friend both had $30,000. They're like,
okay, we're making this much money.
How are we going to multiply this?
They look around on the forums to see what other people are doing.
And that's when they learn about vanilla gift cards.
These are gift cards that you might receive for a job well done at work
or as a present of some kind.
It's a Visa gift card that you can use anywhere that accepts Visa cards.
And if you have one, you might be curious how much money is on it. People need to check their gift card balance, so they look up gift
card balance or vanilla gift card balance. So what his friends did was set up a site that looked just
like the Visa vanilla gift card site, and it had a little form to fill out, enter your card details
in order to check your balance. They collect the card information. They have an automated checker to check the balance of the card against the real site.
And then they sell the card, which they cash out through various methods like G2A or Minds.com.
Their site steals anyone's gift card who enters it in.
But of course, nobody would go to this page since it's unknown.
And if you do a Google search for vanilla gift card balance check,
you get the official Visa's page as a first link.
However, there's a way to get your site to almost instantly show up
above the first search result, and it only costs one or two bucks per click.
That's by using Google Ads.
Drew's friends would spend tons of money on Google Ads
to get their fake vanilla gift card balance checker
to show up as the first link when you Google for it.
People don't know the difference between two URLs a lot of the time.
Or at least they're not trained to know this.
They just collect the first result.
They press on the ad, it's a phishing page.
And they enter their card details, see their balance,
and before they can spend it, their card is emptied by Drew's friends.
But of course, Drew's friends aren't the only ones stealing cards this way. There's a whole
group of people who have made dozens of websites for all the various gift cards
to try to get anyone who's checking their gift card balance to click the link.
This is the one I've probably done the most. I've been involved in this one for the
longest that I've ever been involved in anything. It really disappoints me the most.
I've been a participator in this.
I've been a spectator.
I've been purposely trying to take it down
for years now.
Once I stopped, I hated it.
Yeah, Drew here
could no longer stand by and watch his
friends make thousands of dollars from
a little bit of work.
He learned how to clone a website, which is really easy,
and set up his own phishing site,
and he started running Google Ads himself
to try to get people to give him cards,
which is horrible.
It's stealing money from people.
It's wrong.
And it totally sucks to have someone steal your card in this way.
But why are people answering their gift card details
on a random site?
Come on!
So Drew is running this scam for a while,
and it's giving him some extra money,
but he had a gambling problem.
Anytime he had excess cash,
he'd go online and try to double it
or triple it or quadruple it.
In fact, a lot of people in this
community have gambling problems. So even though he was making some money as a teenager, it was
gone like immediately. And so he starts looking at what else he can get involved with so he can
make more money. That's when he came across a forum called OG Users. This is a forum where you
can buy and sell social media accounts,
Instagram accounts, Snapchat accounts, Kik, Skype usernames, you name it.
Not just that, but other accounts too, like Roblox accounts and other video game accounts.
He was one of the early ones to join OG Users.
So I'm the 700th user to make an OG User account.
There's like hundreds of thousands now.
And this is probably the most valuable thing I've ever had in my life.
So I'm really early onto this forum.
So I look reputable.
Because things that matter on forums are seniority,
like how long you've been there, and vouchers.
And the longer you've been there,
the more vouchers you can accumulate anyway.
So basically, I'm on the forum
and I start manually making usernames that are just bad.
Like I'm making like, add data frames on Kik to sell.
Because people like a good Kik username because that's how they talk to other fraudsters.
They want it cool.
So the people who were already on OG users before him were making some pretty good sales.
For instance, if you have a short catchy username on Twitter, that goes for more money.
And I've talked about OG users in the past on other episodes and how horrible
it can be. Drew was seeing how people were making money selling accounts. So he just decided to go
on kick and find some clever sounding usernames that weren't registered yet and just register
them and then try to sell them for like $15 each. Well, his listings weren't selling, but the other
users on the forum saw what he was trying to do and he was trying real hard to make money
and they wanted to sort of throw him a bone.
So they started buying a few off him.
Now, creating a new user
on Kik and trying to sell it on OG users,
that's not illegal. It's similar to
buying a.com domain and trying to sell it.
This is not unethical at all. What's happening
obviously is going to turn extremely horrible.
Yeah. Give me 10 minutes
and it's going to be miserable.
Oh, sure.
It starts off pretty innocent.
It's like, okay, I'm going to make him like 100 bucks,
and, you know, I got to, I remember,
I got to have another gift card for my birthday present.
So with the money he has,
he goes on OG users to try to find something to buy,
something that he hopes he can resell for a higher price later.
And he finds a really good username for a price that was pretty low.
So I get it for very cheap because someone was trying to quick sell it
because they needed the money instantly.
They may be facing some sort of trouble, or they're broke.
Because what happens a lot is people have nice usernames and they go broke
and they sell the username to get some money back.
So yeah, that probably happened there.
He sold a really nice at for, like, $200 to me.
Some lingo.
An at is a username.
A lot of usernames have the at symbol in front of them.
So they just shortened it to at on these forums.
I sold this one for probably like $350.
You know, now I've made $150 in a day.
I'm a proud little 14-year-old.
Of course, the danger is once you get one taste of the potential, you get hooked.
It's like blood to a shark.
And so he goes deep on OG users, trying to snipe more cheap deals and sell them for higher.
And along the way, he learns more about how OG users works.
All right, so here's some introduction to usernames, Marcus.
There is a service called swapping, not SIM swapping,
not to be confused with SIM swapping. And so whenever you take an account username from one
account to another, but with permission, you do this in an automatic fashion because people can
manually take the account before you claim it. What he's saying is suppose the account you want
to buy is stolen. If you buy it, there's a chance the account holder can contact like Instagram
support or whatever and recover their account. So what a lot of people do on OG users is as soon as they buy a stolen username, they
change the username to something else. This makes it so nobody has that username now and you can
just register a new account with that username. So you can abandon the account you just bought
because if somebody recovers it and gets their old account back, it'll have a different username and
it won't be the same as what they used to have. But here's the problem. Everyone on OG users sees when someone buys a
stolen username and they know you're going to change the username so you can create a new
account with that username. So what they'll do is they'll try to snipe that account from you
by constantly trying to create a new username with that name, hoping that when you change it, they'll get it before you have a chance to make a new one. There's an internal war that
happens whenever a sale happens on OG users, and some people lose their account right after they
bought it. Well, the only way to beat this or the potential of this is to have an automated system
called a swapper or a claimer or a turbo. These are all the same thing. Turbo is the original
name for it.
So the turbo automatically uses an Instagram endpoint to claim this username for you.
This is madness.
There's no trusting anyone in these groups.
Seriously, there's like a constant barrage of users
trying to hack users.
It's endless.
People would, Graham Ivan Clark, for instance,
the guy who hacked Twitter.
He's talking about Graham Ivan Clark.
That's the guy who hacked Bill Gates' Twitter, Elon Musk, Joe Biden, and Barack Obama's Twitter accounts
and posted a scam to people to send him Bitcoin.
Graham was in these groups before he was arrested.
Before he was a simmer, he would limit people's PayPal as a service.
He would call PayPal and tell them, just tell them the person's committing fraud.
So when people buy accounts on OG users,
they can use PayPal to do it.
What Graham was doing was reporting certain accounts to PayPal
to try to get their accounts frozen,
just to grief people and sort of attack the community he was part of.
And then the account agent would be like,
oh, shoot, he is committing fraud.
Or they'd try to convince him that the account's under 18.
Like, they did this to Ninja's account on stream.
So Ninja is a Twitch streamer, popular for playing Fortnite.
In fact, he's the most followed Twitch channel out there.
And his real name is Richard Tyler Blevins.
Like, my group of friends, they were in a call.
And they're like, we want to do something funny.
Like, they want to hack a mainstream guy.
So they go to Ninja's PayPal, and they manage to get it limited.
They say that they're Ninja. Actually, they're like, hey, I'm Tyler Blevins and, um, um, I'm not the proper age to run this account. How do I close it down? And the support agent's like, what, you're
not the proper age? Like, yeah, I put fake information, but I need to close this out because I'm going to
turn 18 soon. That's the general method, or was the method. I doubt this works anymore.
It's been so many years.
But they limited Tyler Ninja's account.
I thought that was kind of funny.
It's like, what did you gain from limiting Ninja's account?
But then there's a deeper thing where they actually limit people's PayPal as a service.
Like, if you have someone who you don't like, you can charge them back,
which means you can send them a transaction and then take the money back.
That was a very big hustle.
People would buy things that they had the upfront money for,
but then just take the money back and get the product.
So you get like an OG's name for $1,000.
Just charge them back.
I particularly hate chargebacks
because the victim is so powerless in that situation.
If someone steals your credit card
and buys something online,
you can tell the credit card company,
hey, I didn't make this purchase.
Please reverse it.
And the credit card company
will do what's called a chargeback.
They'll take the money back
from what was sent to the merchant.
But on top of that,
they send the merchant a $15 penalty.
So that can be abused.
People can buy things, get the item that they wanted,
and then issue a charge back.
And the credit card company will side with the cardholder almost every time.
Anyway, this is just another example of how people in these communities attack each other.
And in fact, over the course of its existence,
the OG user's website itself has been breached at least three times, exposing
all the data on the users who are registered there. And since Drew was a member, this meant
his account had been in a few of these breaches. So I have to ask you now, have you been ripped off
by any of these kind of scams? Okay, so I've been scammed by people for thousands of dollars,
at times tens of thousands of dollars by my own friends. You've been scammed for $10,000?
Probably more.
How did you get scammed?
All right, so the biggest infighting of anything I've ever seen
is criminals versus criminals.
Because criminals have no boundaries, no limits,
and they have full anonymity.
You know how they do the prison studies?
It's like guards, whenever they have no,
guards, whenever they're masked, will do anything to a prisoner.
Well, imagine criminals who are
masked will do to other criminals.
So they will extort you,
they will, if you manage,
if they manage to get your docs, which is obviously
a compilation of your personal information,
they will literally
do anything to you. Like, they will
swat you.
Just like they did to a man who went out to Tennessee,
but they'll do it to your own friend.
They will extort you.
They will pizza mom you.
And then there's always some grimmer things,
like they'll pull your SSN and they'll, like, open a loan.
But those are, like, the fundamental bad things, I'd say.
So it sounds like you got doxxed.
So his full details were exposed.
And of course, that landed in the hands of someone who wanted to extort him.
So that person contacted him and threatened him.
to send packages, or I'm going to contact your parents if you don't do this and give me this money. Sometimes they'll make you make, like, signs of them on you, like, um,
they make you, like, write their Instagram username on you, or they'll do things like, they'll, um.
What do you mean write the Instagram name on you? I don't understand.
Like, on, like, on your forehead, like.
Okay, so you write their name on your forehead
and then take a picture to show that I'll do whatever you want?
Yeah, it's like some sort of like off-lating thing, you know what I mean?
It's very weird.
It's that type of thing.
Like a dominance thing, I guess.
And they'll do more consequential things.
Like they'll tell you that you're going to tell your parents that you're a cyber criminal or that you
did something you didn't do. Like they'll say that
like I'm going to call your
dad and say that you extorted me
even though I don't even know him.
They'll do things
that would like affect a kid because it's normally kids
versus kids
in reality.
Okay, so Drew was hit with this, and he didn't want to tell his parents,
and so he just sent them some money,
and they went away.
But there was another time when he was scammed,
which was even stranger.
While all this is happening,
he's still playing Roblox, right?
In fact, at this point,
he's made his own game with his friends,
and he wants to attract some users to the game so that he could possibly make money
and make some of those Robux.
He had a little game going, and it was all set up and it was good, but it just didn't have many players.
So you want to get your game on Roblox to the front page so you get more players,
so you make more money. But how do you do it when you're a conniving teenager? You find a way to
falsely inflate the numbers to make your game look more popular so people join.
Basically, if you have bots,
that makes your game look more popular than it is.
So we'd use a bot net to do it.
It would have players that didn't exist join the game.
But he didn't have a bot.
Instead, he hired a service,
like a Roblox bot master kind of thing.
Someone who specializes in getting more players
into your Roblox servers for
a fee. But they aren't real players at all. They're just bots. But Drew didn't have enough
money to hire this person, so his friends gave him the money to pay this guy. So he gets his
friend's money and pays this bot master a few hundred dollars to turn it on. The bot master
takes the money, but doesn't deliver users to his game. Instead, Drew thinks when he was
screen sharing one day, he accidentally revealed something that identified who Drew really was.
And this essentially meant the bot master knew Drew's real name and identity and address.
So instead of sending him bots in his game, the bot master tried to extort Drew and said, give me
$500 or I'll make your life hell.
And this bot master guy
proceeded to show Drew's real name and
address and said, listen, pay
me or else you're going to be sorry. I know
where you live.
So one day,
me and my dad were home. I just lived with my father.
And just a random, like, package from USPS comes to the door.
It's underneath my name.
And he was like, did you order this?
I was like, no, I'm like 13.
I don't have any use for USPS packing stuff.
Okay, so what he got was some empty flat boxes
from the United States Post Office.
Now, if you go to USPS.gov
and you click shop and then priority mail,
all the priority mail packaging supplies
are free. So you can just order some boxes, as many as you want, and all you have to do is pay
for the shipping cost. And so that's what he got. Because he didn't pay that bot master the $500
he asked for. He got a few boxes in the mail. Okay, that's a little spooky, but no big deal, right?
And then, like, two months later, like, 10,000 boxes show up.
And I'm, like, coming home from school, and I'm like, oh, this isn't good.
You know, like, the entire front yard is filled up.
My dad's not home from work.
And I was like, okay, how do I hide this situation?
As he says to me, there were, like, pallets of boxes. They filled up his entire front porch and the walkway.
And there were even more.
Stacks and stacks of flattened USPS Priority Mail boxes
were at his door and they were addressed to him.
As you can imagine, being a 15-year-old kid seeing this,
you get scared.
You don't want your parents to know either.
And so his dad wasn't home yet.
And Drew had to think quick.
I move all these packages away from the house to, like, some random place.
Like, obviously, this is very illegal and dumb.
I regret this horribly, but I just move them to this random, like, nearby, like, a lake.
It takes probably upwards of three hours.
I do it by myself, just carrying, running with these packages, trying to put them away.
He didn't put them in the lake, just next to it.
And it worked. Well, I mean,
at least his dad didn't find out.
But was it along
this time, were there messages that
you're getting of like, do this for me
or else you get more boxes, or some clear
reason?
Yeah, it's like, pay me back or get more boxes
and then that was it.
I began contacting my father and whatnot.
Pay you what? How much did they want?
He was only around 15 years old at the time.
And so he tells them that he doesn't have $500 and he doesn't even know where to get $500 from.
But that didn't matter to whoever was doing this.
I mean, these are, like, probably 16-year-old kids. They're like, I don't care.
And after he didn't send them more money,
they sent him another order of 10,000 USPS packing boxes to his house.
And once again, he sees them as he's walking home from school one day
and is like, oh man, not again.
And immediately starts doing the same plan as before,
throwing as many as he can under his arms
and running them to a nearby empty piece of land
by a lake.
And he was able to stash them all away
before his dad got home.
And again, his dad didn't find out about this.
But this time,
someone was walking around the lake
and saw all these boxes
and investigated.
Shipping labels were still on a few,
which had Drew's name and address.
The homeowners association's like, why is there a bunch of boxes here? They look at the name on
the boxes. They come to the house. They're like, why do you have a bunch of boxes near this lake?
Then I'm like, okay, I moved the boxes.
His dad, of course, hears about this from the homeowners association, and Drew gets in trouble.
Well, the biggest trouble was, first of all, I had to move those boxes back to the house.
Like, in one day, it was hard.
Like, it was, um,
the next day I woke up unbelievably sore.
Like, it was so much weight to move.
But, um, the main punishment was obviously
being grounded for months and whatnot.
Like, no computer.
So then, for probably 12 months of my life,
I had to put boxes every single weekend to put into the recycling bin.
And we had to fill the entire garage with boxes.
Like, to the brim with boxes, like stacked up on stacks.
And they all went in the recycling bin.
I mean, across months, we had to split it up from months to months. One month I'd get to work, I'd fill up the entire recycling bin with boxes I had to cut up with a knife and arrange them so we could maximize the amount of boxes we recycle,
because this would have taken forever otherwise.
Right. Yeah, and that's the thing is, did you come clean to your dad and say,
actually, we were trying to falsely inflate our Roblox server, and so we paid
this guy and now he's getting back to us?
Afterwards I did
but he never knew about it initially obviously because
I knew it was a good discussion
and I wasn't saying anything about it.
It's just such a complex story
for a teenage son
to tell his dad like, alright this is a reason
that all this shit just happened.
Like, wait, tell it to me a third time because I'm not getting it. Because here we are 45 minutes into
this call and I'm just now understanding it myself. I can't imagine how many times you had
to explain it to your dad. Well, I think that's a funny story. Are you able to laugh at it now,
or are you still, like, upset from that whole thing?
Both. It's hard to laugh at it
because it's like, man, why did I do that?
But
it is what it is. What is the lesson you learned
from that?
There's so many. First of all,
don't be doxable.
I learned a lot about OPSEC from that.
Let's talk about that
for a second. I love OPSEC research now.
It's my favorite thing to read about.
So what are the tricks to not be doxable?
All right.
So are we talking by the FBI or are we talking by a person?
By another teenager.
All right.
So if you want to avoid another teenager,
my best advice to you is don't screen share anything
because you will accidentally screen share something
that's too revealing.
I promise you.
Even if you think that you are only screen sharing Discord,
they may see your IRL friend's name.
Don't link accounts to your Discord like your Spotify
because they can see who you're following,
who follows you, and your account.
Pretty much have a fake persona, and, um,
don't reuse the same emails, because if they know one of your emails, like related business or
something, they could just do a leak search up, find, like, passwords, see if you have commons,
stuff like that. So don't use passwords, don't link accounts to your Discord, don't screen share,
and just don't trust people online. Like, they can be your friends, but you may, like,
accidentally share identity because you think they're harmless, but you never know what a friend
will become in two years on the internet. It could be anything. And don't click on stuff.
Oh yeah, obviously. Don't, don't get IP logged.
Yeah, so, um, all right, so that's one lesson you learned from this.
What else did you learn from the cardboard boxes?
So aside from the object, aside from my object failures, obviously, never making those again.
But I learned some moral things like, why am I involved with these people on the internet?
I make no money, all the money I make I lose.
And then more like, more like where my priorities at.
So I've always been a very good student in school.
Like, I've always taken school really seriously.
Drew was realizing that the community he was involved with
was pretty toxic and not good for society.
But he didn't cut himself off of it.
Instead, he got back in these forums and in the chat rooms
just to study them and watch them and learn what they were doing.
Yeah, I mean, just coming out and saying,
hey, I've got all this information.
I want to share it with you.
Why?
I don't like the community.
I very much look down on the community, pretty much.
If I could, I would report every single one of these kids
to the FBI.
Sadly, that would be self-detrimental, obviously,
because of my history.
I'm looking to, obviously,
gain more knowledge on the community.
I want to document all of it,
and one day, hopefully look back on it
and realize, like,
talk about how crazy the internet was
whenever I was on it.
Like, my years as, like, a kid.
Whoa.
For some reason, this hits me in a weird way.
When I was a kid on the internet,
the internet was very different.
And there was a whole cohort of people
I instantly connect with today
because they were there for it. I'm talking about the warez scene, MUDs, AOL chat rooms,
phreaking, cracking. And just hearing this noise by itself brings back so many memories.
And I look back at that as the good old days. Despite everything being a thousand times harder
to do back then, because the term user-friendly didn't exist yet, it still felt like simpler times. And what was happening
online was innovating a thousand times faster than the clunky outside world. Being online felt
counterculture and new things would constantly be springing up like Napster, hacking groups,
and the Pirate Bay, and police, and major media corporations couldn't
figure out how to stop us. There were so many times we were laughing at authorities for how
ineffective they were at policing the internet. But to the kids who are going through their teens
today and part of the online counterculture, is this what they're going to look back at
as the good old days? Are these the kinds of stories that will shape them into who they'll be later in life?
Maybe.
And we don't know how it's going to end up for them.
But it's like they're going through a similar painful crucible just as I did.
Just with all gas and no brakes.
Stay with us because after the break,
Drew starts naming names.
This episode is sponsored by NetSuite.
What does the future hold for business?
You don't know?
Me neither.
But what I do know is that you don't have to be
months ahead of your competitors to be more successful.
Just a few days or even a few hours can work wonders.
So until someone brings you a crystal ball, NetSuite can give you an advantage.
More than 38,000 businesses have future-proofed their business with NetSuite by Oracle.
It's a cloud ERP service and one that I'd be using if I needed the help.
NetSuite brings accounting, financial management, inventory, and HR into one fluid platform. When you're closing the books in days, not weeks, you're
spending less time looking backwards and more time on what's next. Whether your company is
earning millions or even hundreds of millions, NetSuite helps you respond to immediate challenges
and seize your biggest opportunities. And make use of real-time insights and forecasting,
allowing you the opportunity to look into the future with actionable data. Speaking of opportunity, download the CFO's Guide to AI and Machine Learning at
netsuite.com. The guide is free to you at netsuite.com.
Okay, so some lessons learned, some things there.
Let's get into another story here.
So what's another thing you've seen, a way to make money online?
Let's think.
What have I seen kids doing lately?
Let's get into SIM swapping then.
We could talk about SIM swapping.
Okay, so by this point you probably know what SIM swapping is. But if not, I'll be real quick.
SIM swapping is when someone tricks the phone company
to move your cell phone number to their phone.
Just like when you get a new cell phone.
You need to tell the phone company that you have a new phone
and that you want your number to work on that.
Now, it shouldn't be possible for someone to just take your phone number.
But there are ways it can be done.
The first way is going to sound obvious.
You get an insider of these companies,
normally what we call a mani or a manager,
to give you their login
or to just do swaps whenever no one's looking
for an imaginary customer.
So these insiders are frequently paid
about $10,000 per swap
And this is the beginning of SIM swapping
This is how SIM swapping started
Okay, so that's one way to do a SIM swap
Obviously, if you're a manager of a mobile phone store
You have the ability to do that
And if you do that for one of these kids
You can make some serious money
Easily over $1,000 per number
Maybe even $10,000 per number
But there's a new way these
kids are doing it. And it's wild, feral even. So it starts with the fact that you're not calling
the phone company. You're actually... the new wave is called Remo snatching. Remo is short
for remote tablet. So you are going to T-Mobile. T-Mobile is the easiest place there right now.
You go to a T-Mobile.
You run in.
You take the store manager's tablet from his hands.
You run out.
Okay, I get it.
If you have the store manager's tablet,
that's the device that's authorized to move phone numbers.
So it makes sense that by stealing that,
you can do a SIM swap on someone.
But wait, it's not that easy.
Let's back up.
Let's back way up.
First, you need to know who to SIM swap.
Identifying the target can take a long time, and there's a lot of steps.
And I want to break that down.
We've talked about SIM swapping on the show in the past,
such as in the episode called The Pizza Problem and Tennessee.
These are two stories where people were targeted simply because they had high-value usernames on Instagram and Twitter.
Okay, so that's one reason to target someone,
to get control of their username and sell it on OGUsers for a few thousand dollars.
But I feel like that's old hat now.
There's a whole new crime wave that's springing up.
The things I see people sim swap for are bank logs,
which are bank logins,
where they wire out money or they use Zelle transfer. Okay, so banks. While this is big in
this community, it's really hard to actually do it. So first, they have to figure out a valid login
for the user. And we'll get into how they know passwords later. But for now, just assume that
they have a working username and password for a bank account.
And so they log into the account.
But they'd have no way to withdraw it, because you'd have to receive an OTP, or a one-time PIN, in order to withdraw the funds.
So they start SIM swapping the person to receive the one-time passcode.
And SIM swapping banks is actually a crazy hustle, because the thing is that there's a bunch of money in banks.
But it also requires that you have real-world knowledge of money laundering because you are literally stealing this person's money
and you have to find a way to not make it traceable to you.
That's extremely hard, obviously.
Right, so while there's some really savvy people playing in that space,
the easier target is going after people who have cryptocurrency
because with cryptocurrency, it's stupid easy to grab all the money in a wallet and
just send it to an anonymizing service like Tornado Cash and cash out. And since this is an easier
target now, it means more people are going after cryptocurrencies now. Okay, so it makes sense for
these kids to target people with high value crypto wallets. But how do you find someone with a big,
fat crypto wallet? Well, it takes a whole bunch
of steps. So this is a huge market. I don't know how underground it is, but it seems pretty
underground. People use what we call combo list or basically leaked database that are password
and email, except the passwords have been de-hashed, obviously. Like, we're into, like, Rainbow Cracker, John the Ripper.
And they run them through looking for these things called commons,
which are passwords that are used across multiple sites.
Okay, so you've heard of major websites suffering from data breaches, right?
Where the whole user database is stolen. And if you're a customer at one of these sites,
you might just shrug and maybe change your password and carry on,
hoping that nothing comes
back and hits you, right? Well, this data is golden in these circles. First, you can head over to a
site like raidforums.com or nulled.to or cracked.to. These sites post tons and tons of full database
leaks. It might cost you a few bucks to get it, but you can download them right there. And we're
talking major websites that have been breached. Their databases are right there, easy to grab.
Sites like Adobe, the Alaska Voter Database. There's an Apple database there, apparently.
Adult Friend Finder, the Android Forums. And that's just a small example from the A's.
Inside these database dumps could be a bunch of things. But they typically have a person's name, their username, their email,
maybe their phone number, maybe their address, and their password.
But their password is typically hashed in the database,
which means you can't actually see what it is.
But this is where tools come in that can crack password hashes.
It's hard to crack a single hash if that's all you want to do.
But when you have like 100
million records in the Adobe database, for instance, you'll likely be able to find some
hashes that aren't very strong. And now you have valid usernames and passwords for people.
Now take that username or email address and cross reference it with other data breaches. Is this person reusing passwords?
Are there usernames and passwords in the Adobe breach that also work on Netflix?
Sadly, yes. Yes, a lot of people just pick one password and then use that on all the sites they
have accounts for. And so now just by cracking a database dump, you've got access to someone's
Netflix account. And this
opens up a whole new
massive market in the underground
communities. People will buy
Netflix accounts for $2.50
each. Because that's
obviously way cheaper than paying the $18
a month for a premium subscription.
Alright, so let's extrapolate
Netflix to Walmart, Chipotle, Nordstrom, OnlyFans, Surfshark, NordVPN, Macy's Credit, Buffalo
Wild Wings, Papa John's. There are sites you can go to to buy user accounts for any of these
websites. And you might even get a combo pack for a bunch of logins, say $10 for the whole pack.
But wait, you might wonder, why would anyone
want to buy a Chipotle login? Well, now you're stumbling into the case of the mystery burrito
orders that people are reporting on the Chipotle subreddit. You can download a Chipotle app on your
phone and use it to order food. But the app is often connected to your credit card. So you can use someone else's Chipotle account to order
a burrito for you, and
then they pay for it. The same
goes with Papa John's. Free
pizza if you have a valid login
to someone else's account. And
this enters us into the world of pizza
plugs, which I've been watching
closely for a while. It's kind of
mythical. There's these
chat rooms where you can go
and make a food order, such as three large pizzas. And someone in the chat room will take your order
and ask you for like five bucks. And then they'll use the stolen pizza account to log in, create the
order, and then send you the pizza. It costs them two or three dollars to buy the account. They make five dollars from this.
You get three pizzas for five dollars.
And oh, the account holder is the one who's paying for it.
And I'm telling you, this goes so much deeper than I have time for.
Oh, and the lingo for buying and selling these valid logins is just logs.
So there's a whole bunch of people out there looking through database dumps,
trying to find valid logs to as many places as they can so they can sell these logs for profit.
And then you start selling $30 logs for Apple because people can use your connected Apple
credit card to place Apple quarters. They charge $50 for those logs. You get $10 a day, it's $500
a day. And a really popular one going on right now is Hilton Honors Logins,
because these logs can get you a few nights stay in a fancy hotel for free. Okay, so there's two
types of accounts you can get, FA and NFA. That is full access and non-full access. All the accounts
we just listed are basically NFA, non-full access. A full access account is one that has all these valid logins
plus a valid email account login.
So that means if you can get into someone's Outlook or Gmail,
then you can easily reset the password for any of these other accounts
that you want to get into.
And it really does give you full access into someone's digital life.
And there's a little tool that people use that once they get into someone's email account,
they can quickly search through all the emails to see if there's anything of value in these
emails.
It's called Yahoo Ranger, the program that does this.
It automatically searches the key terms inside the Yahoo or the websites that you want to
see if they're signed up for.
So if you want to see that they're signed up for AMX or Bank of America or Chipotle,
then you just use Yahoo Ranger and you see.
Crazy, huh?
But it's really not that complex
if you don't have FA accounts too.
You can just take a database dump
and convert it to a combo list.
This is just a formatted list
showing username, colon, password.
And you can take this combo list
and have a tool just automatically
try logging into tons of sites to check if the password works anywhere.
And then they use software such as Century MBA, OpenBullet, or SilverBullet to thereby automatically check all these combo lists.
So this is not a manual process, and it goes at probably 5,000 CPM, which means it goes at 5,000 attempts per second a lot of the times.
People sell upwards of, I'd say, 5,000 logs a day on their
shops. I personally can see. It tells you how much stock a shop has. So you can tell
how many sales you're getting per day. I've seen people sell upwards of 10,000 accounts
per day at $3 per video. Since our account, $35,000.
Okay, so now it should be clear how someone can get a bunch of valid logins to various sites.
Okay, but I only wanted to say all that because that will help you understand
how we find someone who has a lot of cryptocurrency to target.
The most popular database I've ever seen in my years of being here is the Ledger database.
Ledger is a company that provides physical cold wallet storage for Bitcoin.
Well, what does it say about someone if they buy a Ledger wallet? It means they have Bitcoin.
So thereby, that's a perfect target for crypto.
Oh, very interesting. Ledger is a physical crypto wallet. And in 2020, the user database
was breached. Five months later, the database was posted to RaidForums.
In the database is email, name, physical address, and phone number.
No passwords or crypto keys were in there.
But with a little cross-referencing,
one can take the email address from the Ledger database
and see if it matches any emails in another database. And from there,
seeing if there are any known passwords for that email address. Then you can try plugging that
email address and password into Coinbase or Binance or Kraken or FTX or Gemini or any crypto
exchange to see if it's a valid login. And these are all crypto exchanges where people
keep their cryptocurrency. And of course, if you know someone's username and password at a crypto
exchange, it means big trouble for them. But there's a few safety checks that these exchanges
put in place to thwart kids like this. First, there's a lot of value just in knowing if the
person is registered at, say, Coinbase. Forget
about their password for a second. Is this email even registered here? And if you type in someone's
email address and a bogus password, it won't give you any clue on whether that email is registered
there or not. However, if you try to sign up for a new account with an email address that already
exists, then bingo. Coinbase will tip
its hand and say, that email is already registered here. So this is how someone can take the ledger
database dump and figure out who has accounts on Coinbase or Gemini or Kraken or Binance or wherever,
and then cross-reference that with other database dumps to try to figure out what the password is
on those accounts.
Now, if a thief has a valid email and password to your crypto account, there's still a big hurdle in the way.
2FA.
All the crypto exchanges require you to enable two-factor authentication.
They urge you to get something like Google Authenticator or Authy, which is an app on
your phone that has a six digit number that you
have to have in order to log in. But at the bare minimum, they'll send you a text message with the
six or seven digit code to log in. So just by having a username and a password isn't enough
to get into someone's crypto account. You also need that 2FA code. And the vast majority of Coinbase users use text-based codes.
Can you see where we've arrived now?
Well, a lot of people on Coinbase have millions of dollars.
So that's where this new simming wave is coming from.
They're using commons from databases, getting into Coinbase.
This is all automated.
And then they get their balance on their sim swap them.
But yes, it's massively profitable.
It's arguably the most profitable thing you can do right now.
Now, at this point, we have enough information to SIM swap the target.
We know they have a Ledger wallet,
and we know they have a Coinbase account,
and we have their username and password.
All that's needed now is to take control of their phone number
so that we can get
texts so that we can log in. But while this might be enough to SIM swap someone, the thieves take
this step further to try to figure out how much is in the account before SIM swapping someone.
I don't even know if you're going to believe me whenever I tell you this, but there was an exploit
in Coinbase for about one month where you could check the balance of any valid password and username.
No matter what, you didn't need to have any sort of access
except username and password.
So you didn't need to sim them to see their balance.
So people just ran millions upon millions of combos,
combo lists through Coinbase,
and just found the millionaires of Coinbase.
There's obviously millions of those.
That is, if you just had a valid username and password,
you could see how much was in the user's Coinbase account.
This made it crystal clear exactly who to target
for a juicy SIM swap.
But you still need that 2FA code to get in and move the money.
It's just that you didn't need it to see the balance for a while.
Now, I've sort of
confirmed this. BleepingComputer ran an article back in October 2021 saying that 6,000 Coinbase
customers had their crypto wallets drained due to a flaw in Coinbase's 2FA system. And I'm pretty
sure it's talking about this bug that Drew just said. Knowing exactly how much money that someone has in their
account is vital to making your SIM swap more successful. And there's one last bit about
Coinbase. If you have a valid username and password and you log in, you'll see whether or not that
user has text message 2FA or something like Google Authenticator, because the page will tell you
which code it's looking for. And the vast majority of Coinbase users use text-based 2FA. However, there still may be a problem if the thief doesn't know
the phone number. Sometimes they just don't. And if you're going to SIM swap someone, you need that
phone number, right? But there's a clue sitting right there on the page. And it shows the last
two digits of the phone number and it specifically says,
enter the seven digit code we just sent to XXXXXXX37
or whatever the last two digits are.
That little clue of just knowing
what the last two digits of the phone number are
are enough for these thieves to get the full phone number.
So you have to do this thing called number tracing
or ISP doxing.
So the endpoint, here's what it'll tell you on the endpoint.
The endpoint will tell you the real name of the person,
and it'll tell you the last two numbers of the phone number.
With this information, you have to do a
BeenVerified or WhitePages search on the person.
So typically it starts at, well, find their name,
find their approximate location, find their phone number.
There's a million ways to do this.
My best advice is de-hash the email.
Because clearly their opsec wasn't too good, these email owners, or else they wouldn't be password leaked.
Their IP or something's going to be in there that you can use to approximately geolocate them.
Then do a people search on white pages that have been verified in that area with their name.
And then you'll find their phone number.
That will match the last two of the hint.
Okay, so that's how these SIM swappers
are choosing their targets today.
At this point, they know the username,
the password, the phone number,
and the account balance
to know if it's going to be a juicy grab.
Oh, and you can quickly look up
what kind of carrier the phone number belongs to
so you can SIM swap using the right carrier. But this is a big setup process just to figure out
who our SIM swapping target's going to be. In fact, it's so much work. This is a market just
in itself. Just identifying a list of targets and selling this information is its own racket. So while it seems like a lot of work,
someone could just step in right here, buy the data, and go for a SIM swap.
Okay, so now we're ready for the big SIM swap event. So you remember how the process got started,
right? Someone ran into a T-Mobile store, snatched the tablet from the store manager's hands,
and ran out of there. This is called a Remo,
remote tablet grab.
But we're still not ready
for that part yet.
Before you steal
the manager's tablet,
you need the manager's password
that's on the tablet, right?
So you need to do
recon on the store.
Figure out everything you can
about the manager
to try to social engineer them.
Just like calling up the manager
and be like,
hey, this is John working with the EIT help desk at T-Mobile.
Can you please tend to this ticket?
I send you a fake URL.
Enter your manager login.
Okay, so now you have the manager's password to log into the tablet,
and we know how to get the tablet.
But let me tell you, this is a major problem that T-Mobile is trying to battle.
And there are internal memos going around right
now of procedures of what to do if this happens at your store. Like one thing is to immediately
call the IT help desk and get the tablet disabled as fast as you can and get that manager account
disabled. And so when this happens, stores typically get the tablet disabled within 10 minutes.
And so we've got to back up again because we've only got this 10-minute window
and you've got to do everything in that.
And so you need to be prepared.
And we have not done our preparations yet.
So what you need to know here
is that this isn't done by one person.
The snatcher is just one pawn in this game.
Obviously, people on Telegram
aren't the type of person to go run into a store.
They pay some idiot so that they know IRL
if the governor's in the store for them.
And that person who runs in and grabs it and runs out
is really getting paid the lowest on the list here.
Probably making $200, bro.
I've seen people pay their runners so little.
So they pay $200 for someone to go in and grab the tablet
and bring it back out to them.
And they have to be set up nearby
because they only have 10 minutes to do this, remember?
And so the person who ultimately has the tablet in their hands is particularly skilled at
navigating the T-Mobile software to do the SIM swap. And maybe that's because they worked in
the store before, or they saw a video on how it's done. But still, the person who's actually typing
on the tablet, doing the SIM swap, isn't the same person who's going to steal the cryptocurrency
from Coinbase users.
That's a whole other group of people
who have collected all those Coinbase logs
and are waiting for someone to do a Remo.
And they all get organized inside a Telegram chatroom.
And people are willing to pay a person to do a Remo swap,
sometimes $10,000 per number.
I'm just trying to confirm that when they're in this Telegram channel and they're like, okay, I hope somebody gets a Remo tonight. I've got three
accounts I really want to do. All you need to do is provide that phone number to the person who
got the Remo, right? Perfect, man. You sound like a Remo swapper right now. You're using the lingo.
I'm ready, man.
The quote is, you either die a hero or you live long enough to
become a villain, and that's
I think that's true.
Yeah.
It's funny, but...
You're using the terms.
Okay.
So people
are in Telegram, and they're like, all right.
What was it?
Like Friday night, Saturday night.
Someone's like, okay, I think we're going to try it.
And they tell the group, like, I'm going to drive down there.
I'm going to try and grab the tablet.
I'm all set.
It's extremely intense.
Yeah, there's all these people.
They're locking their bedroom doors.
Like, don't come in, Dad.
I'm going to be busy tonight.
Don't come in the room, whatever you do.
And then they're all, go, okay, okay, I'll give you some personal time. Like, that would be the one.
Sorry, I know what you're talking about. This has happened. Like, people are like,
well, I can't do it right now, I have to eat dinner. Yeah, it's like, bro, we literally have
10 minutes to do this. There is no time for dinner. It's either dinner or $100,000.
You choose.
Yeah.
This is really non-exaggerating.
This is really how it is sometimes.
The Remos are so short.
This is what I love imagining.
It's like the actual person behind the screen.
And if it is a teenager, then yes, there is this possibility of it all going wrong any second
because they're living at home and they've got to clean their room.
All right.
So besides that, they're in Telegram.
They get the message.
Okay, I got the remote.
And what did you say?
$10,000 per number?
Oh, I'll break it down to you based on carrier.
So T-Mobile at the moment costs you about $5,000 per spot.
If they're a fraud victim,
then it costs you $7,500.
A fraud victim has special protections
on their account,
but they're still bypassable.
Verizon is going to cost you
upwards of probably $50,000.
Verizon is extremely well secured,
but it is still possible
if you have the right equipment,
like you need a branch manager login,
which is a very high position.
So you need to be able to pay off that Verizon manager a lot.
And you can't hack them.
You can't.
It appears right now.
I could be wrong.
Maybe we'll find new findings.
But you literally just need an insider.
You can't write them or anything.
For AT&T, I think that people are starting to decrease their prices down to $2,000 to
$3,000 because their Opus tool is not too secure.
Okay, so this person who does the Remo snatch
lets everyone know hours before that they are planning to do a Remo that night.
So the activator is the person who coordinates the Remo snatch.
And so the activator tells everyone in the Discord channel
that they've got the Remo and they're ready for orders.
Immediately, people in Telegram start giving him information, phone number and ICCID. That's all they need to
begin the process of moving the phone number from the customer's phone to the thief's phone in
Telegram. It's an intense 10 minutes. Time is ticking. And at any moment, that tablet will
become deactivated. So they've got to go as fast as they can, swapping out
as many numbers as they can
in that time frame. On a good night,
an activator can make
over $100,000 from
doing this. Yeah, I mean, at that point, you just go
hit your lick. More lingo.
A lick is whenever you joke
someone, but I'll use more plain language.
A lick is a
successful log, or a log.
So log means log in in our lingo.
So whenever you hit a lick, it means that you withdrew their balance.
It's yours. You won.
So there's multiple ways that you can use this vernacular.
You could say, this person looks like a lick.
This person looks like an easy target, in other words.
You could use, I hit a lick today,
meaning I hit a successful withdrawal on a Coinbase account.
So now these guys have control over their target's phone numbers, and it's time for them to work as fast as they can.
Sweating profusely, you go reset the Yahoo password.
You're on a proxy near them, utilizing a residential proxy nearby the target location.
Log into their Yahoo. Reset the password of the Yahoo, because most of the time it's not the same as their Coinbase.
Receive the Coinbase device authentication link, still sweating profusely.
Your holder should be receiving codes this entire time. You're screaming at your holder to send you the code
immediately,
or you're not gonna pay them. Um...
What, sorry, holder is who again? A holder is someone that's actually holding onto the phone that's receiving the OTP.
So most of the time, the people that have the targets in balance aren't going to hold the phone themselves because that's bad operational security.
Holy cow.
They have a designated holder.
People who just hold the cell phones just so that the person with the leads or targets doesn't get caught.
Oh man, so there's a holder involved with this whole thing too.
And yes, holders get paid
for just being the ones who bought the phone
and got the number switched over to it.
Okay, so the person who wants to do the lick
might first start by going to the victim's email
and resetting the password.
And on a lot of email providers,
in order to reset the password,
a text is sent to you.
And so the email provider sends the text
and the holder tells the person what the text is.
And they get the access to the email account.
And from there, they try to log into Coinbase.
Upon putting in the username and password, it sends a text to the phone that the holder has.
And the holder has to give the code to this person.
And the person now logs into Coinbase.
But there's typically a check in Coinbase and it says something like,
we don't recognize this device.
We're sending you an email to verify it's you.
Well, the person's already in their email account.
So they just have to wait for the email and click.
Yeah, it's me.
And Coinbase lets them in.
Now they're in someone's Coinbase account, which might have $30,000, $100,000 or sometimes even more than a million dollars in it.
Then you swap the balance to Coinbase Pro so that you're able to withdraw the funds.
And then you withdraw it to your Exodus or your MetaMask or your Electrum wallet.
The reason why they transfer it to Coinbase Pro is because there's a higher daily withdrawal limit there.
But there's a safety check there too.
Before you can withdraw funds from Coinbase,
there's one more 2FA check.
So you need to get another text message from the holder to initiate the transfer.
But there's still yet another security hurdle.
Coinbase has a maximum daily withdrawal limit.
And sometimes people have more than that.
But Drew says that's not a problem.
You know, there's a few workarounds.
People use exploits I can't talk about
but there are ways to withdraw $250,000 or a million dollars.
You can withdraw massive amounts of money.
There is one way that everyone knows that I can say to you: there is a certain bot out there on a forum that is able to spam requests all at the same time to overwhelm them and allow them to withdraw a bunch of batches of smaller transactions. But there are other ways as well that are more directly exploits.
Jeez, these kids are determined. And why wouldn't they be, when there's a potential one million dollar lick that they can score from this?
So the new generation of crypto swappers, I probably know at least personally 10 millionaires
who are all under the age of 16.
I want to know for a fact, can't be lying, seeing them send transactions live, seeing
them hit $1 million licks live.
As for the older generation, the ones that were there extremely early with the crazy $20 million Michael Terpin targets, they have $15 million, $10 million, and they're in new hustles like NFTs and phishing, like really high-level things.
Okay, Michael Terpin is a cryptocurrency investor, but he has a few startups in the space too, like Transform Group and BitAngels.
In January 2018, someone did the steps you just heard to hack into Terpin's crypto wallet and steal $23 million worth of crypto out of it.
$23 million stolen in one night.
And you know, as soon as the person got that, they had to pay all the people down the
line that helped them get there. In this case, it was insiders working at AT&T that helped do this.
Well, once this guy stole the $23 million, he still wasn't happy. He tweeted,
"Stole $23 million and still can't stay away from drugs. Stole $23 million and can't get my shit straight."
Terpin, of course, went to the police, who started investigating
and were able to find some pretty solid evidence
that led them to a guy named Nicholas Truglia,
who was 21, living in Manhattan,
and Joel Ortiz, 18, living in Boston,
with his mom and dad.
They arrested both of these young men.
Joel Ortiz was sentenced to 10 years in prison.
Court records show that Nicholas had over $70 million in assets at the time of his arrest. He pled guilty and is still in court
waiting to be sentenced. But as for Michael Terpin, he was really mad that he lost $23 million.
Of course he would be. But he also had 50 other crypto accounts and they were all fine.
So I'm not sure what percentage of his crypto funds were stolen. But he was still furious,
so mad that he sued both Nicholas and AT&T. He sued AT&T for $200 million, claiming the person
who talked with him on the phone said his phone number is secure and cannot be SIM swapped.
Yet it was. And he wants AT&T to admit that they are the biggest reason why his money was stolen.
However, the judge dismissed the case.
But Terpin also sued the hacker, Nicholas.
And he won that lawsuit.
The judge ruled in favor of Terpin
and granted him $75 million.
And so while Terpin lost $24 million,
he was ultimately given $75 million in compensation.
Wild stuff.
Big advice to crypto investors out there or someone holding coin bases,
this is going to be very useful for you.
Use designated emails for things that you do.
Like separate your personal email from your crypto investing email, I would say.
All right.
This makes sense. We've now graduated from
don't reuse passwords to
don't reuse emails on
high-profile accounts.
If you have an email address
that was just for your crypto exchange
and you used it nowhere else,
then it would be really hard to discover
that email address and try to
crack it. Because after all,
you need a username and a password to
get into these places. So why not make the username really hard to find? If your username is the same
email address that you use for everything, then that's like giving half of your login to whoever
you chat with. Now, we just went over the 100 steps it takes to SIM swap someone and steal all their
money. But I want to take a step back and look at this for a moment.
This wasn't a quick and simple method to do this.
It took a whole lot of research to find just a good target.
And this is important to know because people ask me questions all the time like,
well, what's the real danger if I put my birth date on my Facebook profile?
And they're expecting some sort of quick and simple way a hacker can use it against them.
But it's not always quick and simple.
If these kind of criminals get a whiff that you've got something that they want,
they will case out your life and build a massive report on you so that they can completely own your digital life and become you.
Every little scrap of extra information they can get about you
can potentially mean a massive payday for them.
If some obscure website you had an
account with gets breached and they get the password you used and you reuse that password
somewhere else, that just opens doors for them. Obviously, getting into your email and phone
number is valuable to them, so they'll really love it if you just post that publicly. But then
there are the little things. What city you're in, what browser you use, what things you like,
where you like to get coffee, and who
your family members are. All these things can be used to exploit you further. If they know what
city you're in, they can use a proxy in your location to make their traffic look like it's
coming from somewhere close to you. If they know what browser you use, that'll help them look more
like you when they're trying to access your accounts. And if they know what things you like,
that might tell them about some other areas of your life to check out. And if they know where you like to get coffee, this might result in them
meeting you there and picking your pockets while you're standing in line for your latte.
And if they have information about who your family members are, those family members might
get targeted. Drew here told me a story about how one time when they wanted to get into some guy's
account, they texted the wife posing as the husband to get her to read off the two-factor authentication codes
over text messages.
The more information they have on you,
the easier it makes their job.
Imagine they had full access to your bank account
and decided to transfer all the money out,
but your bank decided, wait, something doesn't seem right,
and they challenge the transfer and say,
hmm, just to make sure it's you, what's your birthday? Now that one piece of data that you thought was
innocent to just share publicly could have been your savior if you didn't post it to Facebook.
I hope you're convinced now to never share your private and personal information on a public
website. I think it should also be clear at this
point that you should never reuse the same passwords on different websites. In fact, to
emphasize this point, I'm going to play you a song by Rachel Tobac.
There once was a kid whose passwords laid across all sites. They were the same, a criminal then found their fame by taking that data to go.
Soon may a criminal come to steal your pictures and data and run.
One day when the crime is done, they'll steal your account and go.
The kid then noticed strange behavior.
There had been a login failure.
Reused password was their traitor.
It was already pwned.
Soon may a criminal come to steal your pictures and data and run.
One day when the crime is done, they'll steal your account and go.
What do you call this?
Like, this group?
There's a few different words.
We call it COM.
First of all, I'm sure you've heard COM,
but we just vaguely call ourselves COM.
COM, spelled C-O-M.
It's short for community.
And this is new to me.
Back in my day, we called it the scene.
Now, I guess it's the community.
Yes, we just call it com though.
And then we call them, there's Simming Com,
and then there's, oh, there's Kraken Com,
there's Roblox Com, there's, I'm trying to think.
Oh, there's Twitch Com.
People bought Twitches.
There's One Vanilla Com.
There's InfoSec Com.
InfoSec Com?
That's right up my alley.
I had to ask him more about that.
And the way he says it is that there's some people in the IT security space
who want to be part of InfoSec Twitter and respected as good security researchers,
but also want to do things that are illegal or unethical,
sort of acting like both an innocent white hat and a shady black hat at the same time.
Such as Ryan "Phobia" Stevenson. This is a guy who reported a few bugs that he found in telecom companies and was awarded for it. But then he used those bugs to grab customer data from telecom companies and sell it on underground markets. The guy was double dipping.
It sounds like there are coms for every little area of focus that people can make money at online. But the common thread in all this is that they're all unethical coms. And that's why I call them dirty coms. These are nasty communities.
Let's talk about NFTs. So every day in the news, I'm seeing another attack on NFTs, such as somebody scamming someone out of their Bored Ape
or a classic...
Okay, go on. You've seen this?
Is it somebody from your coms that are conducting these things?
Well, yeah. Okay, so it's from the initial really, really rich SIM com that I mentioned. So those initial rich simmers that are not in the current one, they now steal NFTs. There's a notable group of people I know. I'm not going to say them by name, but basically there's just people who literally go on Discords. Someone says they help the NFT, they message them, they post their...
I witnessed this firsthand just this week.
I was in an NFT Discord.
Oh, and if you don't know what NFT is, in this case, it's just digital art that you can buy and sell.
And these pieces of digital art are going for like thousands of dollars each.
And sometimes even hundreds of thousands of dollars each.
In Discord, I got a direct message saying
I was selected to be on a pre-sale list
for one of these NFT drops,
and I have to buy it now.
But of course, I didn't click the link.
But someone in the channel did.
And the site said,
in order to mint the NFT,
you just need to connect your MetaMask crypto wallet
and enter your 24-word seed phrase.
Now that 24-word seed phrase
is not something you should ever share, ever.
That's the private password basically to your crypto wallet. And if you give someone that,
you basically handed them control of your entire crypto wallet. Well, this person put their seed
phrase into the bogus website. And as soon as they did, the thief got in their crypto wallet and took all their valuable
NFTs and sold them for like half price. The thief made about $40,000 in Ethereum in like five
minutes. It was absolutely crazy to watch this person get their account drained right in front
of my eyes. And there was nothing that anyone could do to stop it. And there's no shortage of stories of
people getting digitally mugged and their crypto wallets stolen and NFTs. And I think the reason is
because these crypto wallets hold tons of money and they're just like browser add-ons. If you
connect your crypto wallet to the wrong site, it's game over. And it's so easy to connect it to the
wrong site. It's kind of like if you have your bank
account accessible right in the browser as a plugin, and all the sites you're visiting all
want to take a look at it. But this is just the beginning. Almost every day this happens. There
are so many scammers trying to get access to people's crypto wallets, which might have cryptocurrency
in it or an NFT. And the scams are vast and fast, coming at you from every angle if
you play in this space. For instance, another big scam I saw the other day was when an NFT was just
about to launch their project. And on launch day is a big day. Everyone who wants to be part of it
is ready to rush to mint their tokens and hope that it goes up in price. So there's a frenzy in
those moments because there's a limited supply and you don't want to be bought out.
So already when people are in a rush to buy something,
they're prone to make mistakes.
And typically eager buyers will be in the Discord chat room
for that NFT to watch what's going on.
But there's a whole slew of things
that can go wrong with this.
First, the owner of the Discord can get hacked.
And here's how that happens.
They built up their credibility through a friend. That's how it always goes.
Hey, my friend says that I should talk to you. And he eventually, he eases the way into sending some sort of file that they can actually Discord token log him with. If you use Discord, chances
are you don't enter your username and password every time you visit the site or open the app.
And that's because once you authenticate,
there's a little authentication token that exists on your computer
which keeps you logged in.
But if you can just take the authentication token,
then you can log in as that person without needing a password.
The authentication token has all the stuff in there.
And yeah, if you can get someone to install your malware,
the malware can steal the token.
Okay, so if you can access a moderator's account
on a popular Discord channel that's about to launch an NFT,
then you can make a ton of money.
All you need to do is copy the official website of this NFT,
which is super easy,
and make a similar URL with like one letter different
and change where the money goes when someone buys the NFT. Instead of it going to the
NFT maker, it's now going to your wallet. So now all you need to do is direct people to your page.
And since you're a moderator, you can post a main message, go guns blazing as we call it.
The message might read: minting is now live, open to the public, but hurry, we'll be closing in 10... buy their NFTs.
And I've seen this happen over and over. Scammers are infecting Discord and are making over $100,000 in 10 minutes doing this. But there are other scams that are going on in Discord too. There are people who actually buy NFT Discords that people won't even realize.
People grow NFT Discords using growth services. They get like shadow packages from people on Instagram, verified people. They grow them just to exit scam, or just to sell them to someone who will exit scam.
Oh yeah, I've seen this too. If you find an NFT project that has a hundred thousand followers on Twitter and 80,000 members in Discord, you're gonna think that that's a hot NFT project and be more excited about it. But the numbers are all faked. It's a Discord channel that was just
bought last week and it came with 80,000 members already in it, but they're all bots. And so it
creates a false buzz about it. And they launch a project and people pay them and they get nothing
for it except for some cheap piece of art that was made by someone on Fiverr. The creators just
grab the money and leave.
Again, a scam like this can earn someone over $100,000 if done right.
But these are certainly pretty involved and complex scams.
It takes a long time.
You have to build a website, buy an NFT server, create all the artwork.
It's not easy and takes some real finesse.
But then if that wasn't enough NFT scams going around,
there's also influencer scams happening.
They get a reputable person to be their upfront.
There are these rich people who are crypto influencers
who convince people to fall for these tricks.
Like, they're friends.
Like, they convince their friends to fall for NFT scams.
And the person setting them up is these millionaire SIM swappers.
It's horrible.
Yikes, man, you can't even trust your friends in NFT land. They might be getting paid by these scammers to scam you. I've dabbled in these NFTs and I'll tell you, it's not for everyone.
It's fraught with landmines, hackers, thieves, scammers, criminals, and so much more. But a big
reason why so many people are into NFTs is because they can go up in value.
I've seen someone buy an NFT for $200
and then sell it for $20,000 the same day.
So there are massive gains you can make from NFTs legally.
But from watching the news in this space,
I'm willing to bet that over $100,000 worth of NFTs
are stolen or scammed from someone every day.
And that's real money that you can watch the blockchain and see the criminals cash out and probably go buy luxury cars with or
something. These JPEGs that are NFTs are extremely valuable, which is why thieves are so into it.
I just want you to understand that NFTs are a very big hustle where a lot of real money is being stolen every day.
And it's making the people in these dirty coms rich.
Those people, that was all for profit pretty much.
Like Joel Ortiz, Nicholas Truglia, Xavier Clemente.
Why are you naming people here?
I mean, they're all public names.
Okay.
Oh, these have been all arrested?
These are probably the most famous SIM swappers I've ever arrested. Plug Walk Joe, aka Joseph James O'Connor, whatever.
Okay, I've got to look up what these people did.
Alright, Joel Ortiz was
arrested for SIM swapping. In fact, he was the first
ever person to be convicted for SIM swapping.
And this is wild.
2019
is the first time a SIM swapper was ever convicted.
This is truly the definition of a modern crime.
If only three years ago was the first time anyone's ever been convicted of this.
So Joel Ortiz was 21 from Boston and according to police,
he scammed 40 people and stole a total of $7 million conducting SIM swaps.
He was arrested and got 10 years in prison for this.
We already talked about Nicholas Truglia.
He's awaiting sentencing.
But Drew also mentioned Xavier Clemente.
This guy was 19 years old when he was arrested for SIM swapping.
Police say he stole over $1 million in cryptocurrencies.
Then there's Plug Walk Joe, James O'Connor.
He was 22, living in the UK when he was arrested for SIM swapping.
Authorities say he stole over $700,000 doing this.
But the list just goes on and on.
There's Yousef Selassie, a 19-year-old from Brooklyn
who was arrested for stealing a million dollars in cryptocurrency.
And there's a guy who goes by the nickname Baby Al Capone.
He stole $20 million in cryptocurrency.
This guy was just 15 years old when he was
arrested. And there's two more guys, Ahmed Herod and Matthew Dittman. They're facing charges for
working together to do a SIM swap and steal some crypto. And there's Eric Meggs, a guy who was
arrested for SIM swapping. He stole over $500,000 doing it. Declan Harrington pled guilty to doing
SIM swapping attacks. And of course, Shane Sonderman from episode 106 was arrested for SIM swapping.
And currently he's spending five years in prison.
And there's Corey DeRose, a 22-year-old from the UK who was accused of stealing 100 bitcoins
and is now facing prison time.
Oh, and by the way, the items confiscated by the police are incredible.
Luxury watches, luxury cars, penthouse apartments.
These kids are blowing
it as fast as they get it. And almost all of them have gambling addictions, where they'll put some
money in an online casino and spin the wheel and try to hit it even bigger. And they kind of like
showing off what they're willing to wager during live streams and stuff so that others can see
how much money they have. It's nuts. On their Telegram channels, they actively post screenshots of their
targets and how much money is in them and that they just scammed them for millions of dollars.
And you can confirm this because they will literally show you the TXIDs and their Bitcoin
wallets filled with millions of dollars. And they'll do thousands of dollar giveaways every
day. They just do ridiculously crazy things with their money because they're kids. This list goes
on and on.
A lot of people are being arrested that are under 18 years old.
And so we just never see their names in the news.
And some of them get caught and are just forced to give back the cryptocurrency or NFTs they
stole.
And they just get a stern warning.
And I don't know about you, but all this just blows me away.
I had no idea what this underground community looked like before now,
but now I feel like my eyes have adjusted and I can see in the dark. Do you feel that way too?
I feel like it's an all-out war zone on the internet right now. Yeah, every day we hear
about another company getting hit with ransomware or data breach. But all that is NIMBY. It's not in my backyard.
This is what is in my backyard.
This is teenagers targeting regular people.
And their nicknames are no coincidence.
One goes by Baby Al Capone.
Another goes by Billy the Kid.
Billy the Kid used to rob trains back in the old days.
He would just stick up random people and demand money from them.
And it seems like the same thing is going on here. If you make any mention that you have a lot of
cryptocurrency publicly, you can probably expect that someone's going to want to steal that from
you. And it's not the most easy thing in the world to keep safe. It's really tricky. So if you're
holding crypto, I strongly encourage you to not put all your stuff in one address.
Break it up into different wallets because if something gets compromised, you don't want them taking the whole piggy bank.
Phone companies should probably step up their security.
It sounds like they're trying to make it harder, and that's why people are paying $10,000 per SIM swap today.
But how can they eliminate this when there's insiders who work as regional managers
who are in on the cut of this? I mean, they might get an equivalent to a whole year's worth of
salary by helping a SIM swapper do a million dollar lick. That could be a tough thing to
turn down for someone who really needs the money. And maybe the answer is not to use SIM cards
anymore and just keep a Wi-Fi hotspot in your pocket at all times and bounce your phone off it when you need to call someone.
I don't know.
Exchanges like Coinbase do a fairly good job
at making it hard for criminals to get into someone's account.
In fact, the exploit that Drew said,
which let someone check the balance of an account without 2FA,
I think Coinbase reimbursed all the people who were hit with that exploit.
And they continue to improve.
But perhaps they should force everyone
to use Google Authenticator.
That would make it harder for these people.
Or maybe give you the option
to have a second password on the site
that's just for transfers.
The problem is,
the harder they make it for criminals to steal stuff,
the harder they make it for users to use the site.
So it becomes a difficult balance.
On top of that, I'm positive
North Korea is hitting Coinbase all the time,
trying to find a hot wallet somewhere and steal that. So they really have a heavy load that they've
got to defend against. No pressure, right? But it seems obvious to me, at least, that even if you
fix a few of these problems, the people in these dirty coms will just find another way to do it.
And as the internet moves at the speed it does,
software and websites don't always put security first. These are some of the consequences for
not doing that. And like I was saying at the beginning, there's not a lot of wisdom being
passed down from generation to generation on what the dangers of the internet are,
whether it's for the users of the site or the teenagers trying to hack into them.
And I think it's going to get worse before it gets better.
It might even take 40 more years before we see a world
where people go online in a safe, responsible manner,
where users value their privacy and security above all.
And know not to install apps or buy devices that put your privacy at risk
and have a strong understanding of the digital dangers
that are out there and do things to protect themselves.
And that's why I thought this episode was important
for you to listen to.
Now you have a much clearer view
into why someone would target you and how they do it
when maybe you never even thought you were the target before.
This is why things like Defcon exist,
which is a conference that hackers go to to show off all the new ways they've learned how to hack into things.
And the primary focus there is to share offensive hacking techniques. And sharing these techniques
has arguably made security better. Because if people don't share them, then we don't know that
problem exists. And you can't do things to defend against it. The real criminals and nation state
actors do not share their techniques publicly because they don't want it fixed. And we can't
simply ignore that and hope security problems somehow magically get fixed. My hope is that
now that you've heard all these techniques, that you will now take your digital life more seriously
than you were before. I imagine a world where users were so well-educated on security
that they take it upon themselves to overly secure their environments
because they've been hit too many times by bad actors
or were just taught properly how to practice safe internet usage.
There's this part in the TV show Mr. Robot
where Elliot, a hacker, goes into an office building
and he wants to use someone's computer
and he looks around to try to find a good person,
a social engineer, to get them to stand up
so he can use their terminal.
And he sees an older lady sniffing whiteout
and he thinks, okay, surely an older lady sniffing whiteout
would be the perfect candidate
to convince to let Elliot use her computer.
Here's the scene.
Hi, Edie. I'm Henry from IT.
Hello.
We've detected you using some unauthorized remote access software
to connect to your computer workstation from home.
Oh, my. That can't be true.
Don't worry. I'm just going to take a look at your machine
and perform an assessment to make sure
you don't have an unauthorized desktop sharing service installed.
I'm going to have to contest that. I've hardened my install further than the standard configuration, including a restrictive host-based firewall rule set and whitelisting to block unauthorized apps from running.
I might have chosen the wrong candidate.
Isn't that just beautiful? That lady
knows her digital environment so well and has taken so many
security precautions. It brings tears to my eyes. Imagine a world where the average internet user
is that educated and serious about their digital safety. But it's going to take a long time for us
to get there. Sometimes things need to break down before they can break through.
It's a war zone out there.
Be careful.
But be brave.
Hang in there.
You can do it.
Take your own digital security seriously.
Practice good digital hygiene.
Good luck dodging the bullets.
... is created by the reactivator, Andrew Merriweather. Editing help this episode by the sleeping Damien.
And our associate producer,
just back from his trip to Pancake's retirement ceremony,
is Ray Redacted.
Our theme music is by the heat-bringing Breakmaster Cylinder.
The one nice thing about getting SIM swapped is you don't get any annoying telemarketers anymore.
Sometimes it's so bad,
I'm not sure which is worse anyway.
This is Darknet Diaries.
I want to play for you the entire InfoSec sea shanty by Rachel Tobac.
Here it is.
There once was a kid whose passwords laid across all sites.
They were the same, a criminal then found their fame by taking that data to go.
Soon may a criminal come to steal your pictures and data and run.
One day when the crime is done, they'll steal your account and go.
The kid then noticed strange behavior.
There had been a login failure.
Reused password was their traitor. It was already pwned.
Soon may a criminal come to steal your pictures and data and run.
One day when the crime is done, they'll steal your account and go.
Now our friend did quickly learn their lesson.
Don't reuse passwords. Turn on two-step and store them in a password manager, encrypted, wherever they go.
Soon may a criminal come to steal your pictures and data and run.
One day when the crime is done, they'll steal your account and go.