Darknet Diaries - 118: Hot Swaps
Episode Date: May 31, 2022
This is the story of Joseph Harris (https://twitter.com/akad0c). When he was a young teen he got involved with stealing video game accounts and selling them for money. This set him on a course where he flew higher and higher until he got burned.
Joseph sometimes demonstrates vulnerabilities he finds on his YouTube channel https://www.youtube.com/channel/UCdcuF5Zx6BiYmwnS-CiRAng.
Listen to episode 112 “Dirty Coms” to hear more about what goes on in the communities Joseph was involved with.
Sponsors
Support for this show comes from Axonius. Securing assets — whether managed, unmanaged, ephemeral, or in the cloud — is a tricky task. The Axonius Cybersecurity Asset Management Platform correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action. Axonius gives IT and security teams the confidence to control complexity by mitigating threats, navigating risk, decreasing incidents, and informing business-level strategy — all while eliminating manual, repetitive tasks.
Support for this show comes from Synack. Synack is a penetration testing firm. But they also have a community of people like you who earn regular money by legally hacking. If you’re interested in getting paid to hack, visit them now at synack.com/red-team, and click ‘apply now.’
When I was in college, I had some interests, and among them were gambling and programming.
Specifically, I liked craps, where you throw the dice, and the Perl programming language.
Now, the thing about craps is that there are so many different kinds of bets you can do.
It's a little dizzying how much there is.
So I decided to make a little program that rolls the dice thousands and millions of times
to try to simulate the game to find an effective betting strategy.
First, I tried the typical betting strategy, putting money on the pass line, placing odds, and then rolling the
dice. After 100,000 rolls, the game showed that I had a massive amount of debt. Definitely not a
good strategy for the long run. So then I tried placing money right on numbers, betting on the
come line, the field, all the things. None had a positive
result. All put me in debt. Which is expected, right? The house always wins. The game is designed
that way. There's no way around it. But maybe there was. I mean, the game of craps was invented
in the 1700s, and they didn't have a computer to simulate all the possible betting variations to
see if one would work, right? So perhaps my little program could discover some surefire betting strategy,
one where the player always wins in the long run.
So I kept trying, night after night,
running new betting simulations and algorithms and trying to find something.
And eventually I tried playing around with buy bets.
Buying the two or ten will result in double your money if it hits.
And I ran this simulation 100,000 times.
And guess what?
The program showed I'd made a positive amount of money.
What?
I ran it again and again, and it showed the betting strategy was working.
This was a surefire way to make money in craps in the long term.
So I immediately went online and I found an online casino
and I opened an account and began betting this strategy.
But it wasn't winning.
I was losing money.
And I noticed something.
I forgot to calculate the vig.
When you place this bet, the house charges you 5% to buy it.
I didn't know that.
So my program was wrong and gave me wrong results.
But this made me think, hold on, there are a lot of rules in craps. Surely one of these online
casinos screwed up the logic of the rules and has an error. I mean, it's just a human who programmed
it, and how much could they possibly know about craps to program it effectively? So I started
opening account after account on all
these different online casinos and looking at the craps games to see if they followed the rules.
And yeah, every one of them did follow the rules. And I never found a way to make money on craps.
My interest in gambling sort of dried up after that. But man, I sure tried.
These are true stories from the dark side of the internet.
I'm Jack Rhysider. This is Darknet Diaries.
This episode is sponsored by DeleteMe.
I know a bit too much about how scam callers work.
They'll use anything they can find about you online to try to get at your money.
And our personal information is all over the place online.
Phone numbers, addresses, family members, where you work, what kind of car you drive.
It's endless.
And it's not a fair fight.
But I realize I don't need to be fighting this alone anymore.
Now I use the help of DeleteMe.
DeleteMe is a subscription service that finds and removes personal information from hundreds of
data brokers' websites and continuously works to keep it off. Data brokers hate them because
DeleteMe makes sure your personal profile is no longer theirs to sell. I tried it, and they immediately
got busy scouring the internet for my name and gave me reports on what they found, and then they
got busy deleting things. It was great to have someone on my team when it comes to my privacy.
Take control of your data and keep your private life private by signing up for DeleteMe. Only way to get 20% off is to go to joindeleteme.com slash darknetdiaries and enter code darknet at checkout.
That's joindeleteme.com slash darknetdiaries and use code darknet.
Support for this show comes from Black Hills Information Security.
This is a company that does penetration testing, incident response, and active monitoring
to help keep businesses secure.
I know a few people who work over there,
and I can vouch they do very good work.
If you want to improve the security of your organization,
give them a call.
I'm sure they can help.
But the founder of the company, John Strand, is a teacher,
and he's made it a mission
to make Black Hills Information Security
world-class in security training.
You can learn things like penetration testing, securing the cloud, breaching the cloud, digital forensics, and so much more.
But get this, the whole thing is pay what you can.
Black Hills believes that great intro security classes do not need to be expensive.
And they are trying to break down barriers to get more people into the security field. And if you decide to pay over $195, you get six months access to the MetaCTF Cyber Range,
which is great for practicing your skills and showing them off to potential employers.
Head on over to BlackHillsInfosec.com to learn more about what services they offer and find
links to their webcasts to get some world-class training.
That's BlackHillsInfosec.com. BlackHillsInfosec.com.
So a while back, I did episode 112. It's called Dirty Coms, which does a little peek behind the
curtain on who's doing SIM swapping today and how they're doing it. And you should probably listen
to that one first before this one, but you don't need to. And one of the people I mentioned in that episode who was doing
this was Joseph Harris. Well, after the episode aired, Joseph reached out to me and told me I got
some of the parts wrong about him. And so I went back and just deleted all mentions of him altogether
because it turns out in my research, I didn't realize there were two different Joseph Harris's
and I was getting one mixed up with the other and it was a problem. But while I was clearing things up with him,
I asked him, hey, you've got quite the story. Do you want to come on the show and tell us?
And he said, yes.
Where would you like to start? I could go all the way back how I kind of got
into hacking or I could, you know, start right at the tail end of it, where it all started with the big hack.
Yeah, so how did you get into it?
This is my guess.
Video games, you decided to figure out some sort of cheat or hack into them,
or a way to manipulate it in a way that it shouldn't be,
and then that just kept going.
That's pretty accurate.
So I'm not sure if you've heard of a small little game
called RuneScape or Club Penguin.
These are some online multiplayer games
he was playing when he was 11 and 12 years old.
And as you play any online multiplayer game,
you start to see how some people
have some really cool accounts.
Either they're a high level,
or they have hard-to-get items.
It's just rare stuff that's sought after.
And eventually Joseph learned that there's a whole secondary market for these accounts.
Some video game accounts were selling for 500 to 1,000 U.S. dollars.
Real money.
Which was a lot back then for a 12-year-old.
He dabbled in trying to manipulate the game,
to try to get some free items, and that sort of worked.
But he thought, hmm, maybe there's just a way
to take over someone else's account and sell it.
So originally, I started kind of as a social engineer
finding out ways to dox these accounts
and then trick the email providers
into resetting their Yahoo, their AOL,
whatever their provider was,
and then just take the accounts and then sell them for money.
He doxed the player to take over their account.
Okay, let's look at this.
What he means by dox here is he wanted to know
what their name and email address was
that was connected to their in-game account.
And he might figure this out by asking people in the game,
hey, I have this really cool thing I want to show you.
Can I email it to you?
Or something to tease out this information from someone.
And once he knew their email address and name, he could start looking them up online to try to find where they lived. Then he tried to call up their email provider to try to convince them
that it's his account.
AOL, for example, they'd reset passwords with your, they'd ask, hey, what's
your first name, last name? You tell them that, which, you know, that's not pretty hard to get.
And then they would ask, what's your security question?
You didn't need to know that because afterwards they'd ask, okay, what's your address?
You would only have to provide them a correct zip code and they'd straight up reset the
password for you.
So it was a lot easier back then.
But, you know, essentially all you need to know is someone's name and address and you
can completely take over their AOL account.
So that's what he was doing when he was 12, trying to social engineer the email providers
to reset the password so he could get access to that email account. And what's little Joseph do
once he gets into someone's email account? Well, he resets the password for their RuneScape or
Club Penguin account so that he could get access to that in-game player's account.
And then he'd change the email address associated with it and sell it.
What was your highest one that you sold?
I think I sold, my highest was $1,500.
I sold for this one account.
And that was the highest amount I just sold for one at once and got $1,500 from it.
What was that for?
You went RuneScape?
That was actually for Club Penguin.
But RuneScape, I had some pretty big sales too, but I would sell the gold
so I would get a couple
hundred if I had a decent amount of gold.
It wasn't like an individual
sell at once. It would be a slow, gradual
sell for the RuneScape stuff.
But the Club Penguin was
the $1,500 closing deal.
Just one account, sold it for $1,500.
Just hearing that alone makes me pause.
Because in this scenario, we don't have a hacker trying to break into some corporation.
We have a pretty clever social engineer trying to hack their way into your email account.
When the crosshairs are pointed at just regular people,
individuals like you and me,
suddenly it feels like the wind changes
and the air gets colder.
I mean, are your accounts secured to the point
that it would withstand this?
Imagine if someone wanted to get into your email account
and called Google or Yahoo to pretend to be you
and try to get your account reset.
You think your defenses will hold, right? I mean, we seem to be putting a lot of trust into the person who works at the
email provider that they aren't susceptible to social engineering attacks in this scenario.
And it all comes down to that, I guess. But it sounds like they are vulnerable to this kind of
attack. Now, all this happened a while back, like 10 years ago.
And since then, email providers have made it harder
for people to reset their passwords this way.
I mean, there's two-factor authentication now
and secondary passwords.
And all this was added because it was getting abused
by people like Joseph.
I start transitioning to these original usernames.
Like, for example, say I had wanted Doc on Xbox. That might be worth some money
because it's short. Or if I got the name Game or something, Elite, something like that. That's
worth money, and there's a larger community based around it. And there's multiple sites where people
want these OG usernames. So Club Penguin, I was kind of over it. It wasn't making as much money
because I had taken as many accounts as I could really.
So I started, and there was a bigger community around these things.
So I started morphing into these OGs and suddenly I learned about Bitcoin.
And I think Bitcoin, wow, this is great.
This is like 2012, 2013.
I'm like, this is great because before with PayPal, sometimes people would reverse on me.
Or sometimes I'd have people calling up PayPal, getting their money back. But in this case, Bitcoin was peer-to-peer. Someone could send
me money, they can't take it back. So I love the idea of crypto and Bitcoin. And that's essentially
how I was trained. But then I started realizing, okay, why don't I start going after these people
that actually might have Bitcoin and stuff like that. And that's where I
kind of, it wasn't just me having this idea, but that's where the whole Bitcoin idea started.
Because once you get the money, you know, you get to keep it essentially, you know. So then I
started transitioning from OG usernames to, oh, wow, why don't I just take emails of people that
have Bitcoin?
Oh, whoa, this is so much more serious.
Taking someone's video game account is one thing, but trying to steal their Bitcoin?
That's taking this to a new level. It's straight up robbing them at this point.
And he already had all the skills he needed to do this. He'd start by looking for people,
posting about Bitcoin, and then try to figure out what their email was, perhaps phishing them if he couldn't figure it out.
And then he'd learn what their name and address was,
and he'd try to call up the email provider
to trick them into resetting the password for him.
And from there, he was rooting around their emails,
looking for anything related to Bitcoin that he could steal.
But the problem was, he wasn't finding anyone good to target.
He'd find people who had Bitcoin, but they didn't have money on an exchange,
or he couldn't get into their email.
He needed some help.
And someone had found a GMX vulnerability.
GMX is an email service based in Germany.
And what he had was a vulnerability that let him take over any email address that he wanted at GMX.
Well, this was great for Joseph.
It made the process so much easier.
Now he didn't have to call anyone to get it reset.
He could do it all himself.
Now this vulnerability is somewhat interesting,
so let me explain to you how it works.
Essentially, it's session manipulation.
You needed two GMX accounts,
one that's brand new that you can log into,
and then the target account that you
want to log into. So you start by logging into your own account, then open a new browser, go to
GMX, and say you want to reset the password on your target account, but just before clicking the reset
button, you need to put an active session that you have on your other account into this browser
to make it look like you're already logged in. Now, when you click
reset password, it sees that you have an already logged in session and it just lets you reset the
password. This was a pretty serious vulnerability on GMX. Imagine just being able to take over
anyone's account you wanted. And he tested it and it worked. And so now he was on the hunt to find
GMX users who had Bitcoin.
I didn't know how to target these people or who to really go for.
So I was just using Google and typing in like keywords Bitcoin and like GMX.
With a few Google searches, he started seeing people talk about Bitcoin on forums that had GMX email addresses.
So he'd use this vulnerability, get into that person's email account and start looking
for anything Bitcoin related. But over and over when he did this, he just wasn't finding anything.
Until one day he does find someone who has an account on a Bitcoin exchange.
I got into their blockchain wallet and I remember seeing like 20, 25 Bitcoin, which at the time was
like 5K and I was freaking out because 5K was a lot of money.
I was 17 at the time.
But he had a secondary backup phrase, so I couldn't actually withdraw the money.
So I was basically just sitting on this account and couldn't withdraw any of the money.
Ah, so close.
A secondary passphrase was used, which screwed him up.
But this was close enough that he knew he was on the right path.
He just needed to keep looking.
And eventually, he was going to find some money.
Okay, so there was this site called Cryptsy,
which was an altcoin trading website back in 2013. I think they actually got seized because
the guy scammed out or something. There was a legal case with it, actually. I think he took
all the people's money. But that's a different story. But essentially, it used to be a very
popular altcoin trading platform. I got into someone's Cryptsy account and they had $1,000
and I don't even remember what altcoin it was. It's definitely not one that's around today.
But they had that. I exchanged it for Bitcoin and then I exchanged that Bitcoin for PayPal.
And that was his first crypto heist. $1,000.
And the way he would get the Bitcoin into his PayPal wallet was using LocalBitcoins.
This is a site where you could just connect with another person on the internet who wants to trade Bitcoin with you.
In this case, he found someone who he could send Bitcoin to, and they would send him money
through PayPal.
It worked.
It's like a natural high.
Like, I could compare it to a feeling of a drug feeling.
It was a rush for sure.
This is still 2014.
I'm still under 18.
I'm still kind of a new person to these things.
And after that, I didn't have much success with it.
I was actually making more money selling these usernames still.
So my focus still wasn't like, oh, crypto is an easy
way to get rich yet. It was still like, hey, you know, that's cool. There's a chance you can do
stuff with it. But I was still looking at these usernames. But in 2015, that sort of changed a bit.
A major event happened that would turn out to be a goldmine for Joseph.
The website BTCE had suffered a data breach. BTCE is a crypto exchange. You could go there and buy Bitcoin,
sell Bitcoin, and a bunch of other types of cryptocurrency too. Well, in 2015, their user
database was stolen by someone. No money was stolen, just the user details, and this included the
username, the password hash, the address, and how much Bitcoin was in their wallet.
And I knew some people, and I'm not sure if you've heard of them, Lizard Squad.
Yeah.
But they had access to the database. And in 2015, one of their members hit me up and started asking
me if I could help them get into these accounts, because I was very good with AOL and Yahoo still.
I still could social engineer into them pretty well. So they started listing me off these Bitcoin emails that were on BTCE.
And also the thing about BTCE, it showed their balance.
So they could link me people with 100,000 Bitcoin,
and essentially I'd have their email, I'd just try to break into their email.
Now keep in mind, he didn't have access to this BTCE database dump.
That would have been like the motherlode to him.
But he was happy to work with the people who did have access to it
to try to steal Bitcoin from the specific users they gave him.
My first one that I got for them was this Yahoo.
It was one of the bigger ones on the list.
And it had six figures in crypto in it.
It was like, at the time,
it was probably thousands of Bitcoin
because Bitcoin's a lot lower,
but it had six figures in it.
I got into the Yahoo, I reset the BTCE
and there's another PIN code.
It's basically, you have to enter this passcode
to access the funds.
I don't know the passcode,
so I passed it to my friend who gave me it
and he says he's going to send a fake ID.
And I'm not sure what happened after that.
When he handed it over, the person he was working with said
they lost access to that account and didn't get any money from it.
And Joseph just wasn't sure if that was true,
or they were just saying that they wouldn't have to pay him his cut of the stolen funds.
But the person who had the BTC database kept working with Joseph,
giving him one or two accounts at a time
to see if he could actually steal Bitcoin from them.
But it was at the time, I think I made $10,000 to $20,000.
It wasn't like a...
I mean, Bitcoin was a lot lower at the time.
But still, it was about $10,000 to $20,000 from BTC stuff.
That was going all right.
But he was only getting a trickle of targets from this list.
He definitely wanted his hands on the whole database
so he could just go hog wild in there.
I mean, a database full of usernames, email addresses,
and how much crypto they had would have been golden for Joseph,
the guy who's been getting into email accounts for years.
But he couldn't get his hands on the database.
So he went back to stealing usernames from people.
Think about like Twitter, Instagram, stuff like that.
He'd get into the email associated with their account
and reset their Twitter password
and then get into those accounts
and sell those to other people.
He was definitely playing hard in this account market too,
becoming well-known
for having some pretty incredible accounts.
Ash, you have so much stuff going on.
Oh, yeah.
I mean, it starts in 2010 where I'm social engineering stuff, and it goes all the way
to 2018.
That's an eight-year kind of thing.
We're about halfway through this spree of his.
So stay with us because we're
going to take a quick break. But when we come back, everything goes off the rails.
This episode is sponsored by SpyCloud. With major breaches and cyber attacks making the news daily,
taking action on your company's exposure is more important than ever.
I recently visited spycloud.com to check my darknet exposure
and was surprised by just how much stolen identity data criminals have at their disposal.
From credentials to cookies to PII.
Knowing what's putting you and your organization at risk
and what to remediate is critical for protecting you and your users from account takeover, session hijacking, and ransomware.
SpyCloud exists to disrupt cybercrime with a mission to end criminals' ability to profit from stolen data.
With SpyCloud, a leader in identity threat protection, you're never in the dark about your company's exposure from third-party breaches, successful phishes, or infostealer infections.
Get your free Darknet Exposure Report at spycloud.com slash darknetdiaries.
The website is spycloud.com slash darknetdiaries.
So, I mean, what's your moral compass like?
Well, nowadays, it's...
Not now.
I'm talking about when you were doing BTCE kind of stuff.
It's sort of kind of gone into the natural order of who cares, it's online.
It's sort of like when I'm doing these acts online, I don't feel guilty at all. I remember
in early days, I kind of felt guilty about it, but you're looking behind a computer screen.
I would never be able to rob someone at gunpoint with a gun, but I'm looking behind a computer
screen. I don't see who I'm hurting. I mean, now I can obviously see it's wrong, but back then,
I honestly didn't really have a moral compass. I was willing to go the lengths to get these people's accounts.
And I didn't feel guilty about it.
I'm not staring them in the face.
I'm just essentially just able to take these accounts.
And I'm not sweating about it.
I sleep fine at night.
I'm taking money.
And the last thing on my mind is, oh, I should feel bad about that.
It's a terrible mindset to have looking back at it.
But that was my mindset at the time.
There wasn't really a solid moral compass when it came to my online activities.
I never swatted people.
That was a moral compass for me because I always thought people could get hurt if someone did that.
So I never did anything physically to possibly put someone in danger.
But when it came to taking people's emails or doing stuff to people online, there was really no moral compass. Oh, interesting. So physically hurting anyone
was the line. You're like, I'm not going past that. And there was a lot of swatting going on.
I mean, the circles you were in, people are swatting like crazy. Right. And I have been
swatted a few times. And I just, I always heard stories about people dying over swatting.
And honestly, that, you know, that was my limit.
I don't want anyone getting hurt because of one of my actions.
Wait, you got swatted?
Oh, yeah, definitely around that time.
I got a Skype message and the person said, hey, you have that darkness on Twitter.
You're going to give it to me or I'm going to swat you.
I basically just said, no, I'm not going to do that.
Absolutely not. You know, playing the tough guy attitude. He said, okay, you're going to get swatted.
So I'm a little on edge. You know, they posted my address. I know they have the capability.
How do you think they got your address?
Well, I mean, I used to register domain names, so I might've not always had the best opsec. I mean,
I obviously didn't in some cases when I was younger. And if they can find old domain I registered when I was 14, 15, my address was public on those at the time. So basically, yeah, I hear, I'm expecting it. And, you know, I hear bang on the door and I rush up from the basement all the way there. And then my mom says, go downstairs. You need to hide down there.
I said, no, this is the police.
And she kind of, her facial expression changed
because she thought we were getting robbed or something.
But she's like, okay.
I'm like, we just need to go out.
So we go out.
It's the SWAT team.
They line us up against the house,
pointing guns at our back.
And then eventually they realized there was no hostage.
Apparently I had, according to the swatter, I had killed my sister, which I don't even have a sister or any
siblings amongst other things. And that I would shoot any police officer that would come in the
door. So they obviously realized that was a false flag. And I basically just said someone online
wanted my username. They're like, oh, okay. And they just left after that. I mean, at some point your parents
have to like, I don't know, notice something, right? Like, okay, so there's swatting going on.
You've got some strange amount of money. Like what are you spending this money on? Is it noticeable
by your parents? No, no, I'm my money. I'm more just saved it, had it in my PayPal. Yeah, I'd buy stuff like video games or cards and stuff like that.
But I wasn't going out buying the new designer outfit or anything like that.
So it wasn't very noticeable to my parents that I had money.
Like Pokemon cards?
Yu-Gi-Oh, actually.
I was a Yu-Gi-Oh kid as a kid, and there was these rare cards.
So yeah, I'd buy Yu-Gi-Oh cards.
Okay, so what do your parents say at this?
Are they privy at all to your whole thing?
I mean, my parents know I'm into these accounts.
They know I have these.
They don't necessarily know that I'm just straight up stealing them,
but they know people want my accounts,
and they're willing to go to strange lengths, but they're not really suspicious.
They trust me as their son. They're not like, Joseph, what are you up to down there? Is you
up to no good? That thought never crossed their mind. My family has always been very supportive
of me and never really always had trust in me. There was discipline in my family, but they weren't super,
you know, uptight discipline. They weren't, you know, questioning and taking away stuff from me.
Yeah. I mean, it's kind of a good excuse, right? You tell your parents like, yeah, I mean,
this is my Twitter account. Somebody wanted it. What am I going to do? Like it totally like separates you from the whole rest of the illegal activity you're doing. And it doesn't,
it's not even like about the illegal activity.
So the first time the cops come to your house,
it's because you were a victim, not even a criminal.
Yeah, exactly.
That's kind of ironic.
The first time the cops come to my house, I'm a victim.
It would be about six, seven months later
where the cops actually show up to my house for something illegal,
and suddenly I'm not the victim, I'm the perpetrator.
But that's not about SIM swapping.
That's about taking an Instagram account.
Okay, let's go into it.
What happens when the cops come back?
Okay, so I had in 2015,
I'm sure you know there's sort of a certain accounts with big followings.
You can make money off them by promoting people.
Like if I have a big page with millions of followers, people pay me to shout out their products.
So in about 2015, I had broken into an AOL account of this guy that had this massive car page on Instagram,
had over 3 million followers, and I had just taken it from him. And then I had the account
for about two weeks before he got it back, but I had made a little money off it. And I had actually
linked my friend's phone number to the account. And so eventually this guy, most people, you steal
their account. They're not going to go the extra mile.
But this guy had a vengeance out for me.
He put in his own money to get the people to investigate into it.
And eventually they traced that phone number to my friend and then my friend to me.
And they still didn't have enough reason to arrest me or anything.
But they had enough to get a warrant on my house and essentially seize all my computers.
He said they were going to look through his devices to see if they could find any evidence of him committing crimes.
And they didn't charge him with anything because they didn't have enough evidence.
And they were going to look through his computers to see if they could find something on him.
And of course, his computer was full of chat logs and evidence of him stealing accounts and Bitcoin.
And when that day winds down and he goes back to his room,
he has no computers at all to work on.
Actually, my friend comes by and just drops off his computer.
And funny enough, I had actually just ordered a new computer a week earlier, and that comes in too.
So I get access to the internet again within less than 24 hours.
And that doesn't really scare me at all.
I'm still gung-ho to do stuff, you know?
Okay. So you have, or like, did you, did you continue to try to take and sell usernames at
that point? Or were you like? Yeah, but I, I stayed away from those big million follower accounts. So
I still continued usernames, but those million follower accounts I had stayed away from. I was sort of a little shy with those.
And then it was that same year where I finally got a hold of that BTC email list.
Someone I knew, I had helped a guy get into a Sprint account,
and in return he gave me that BTC email list.
So now I have control of the email list,
and suddenly I can start going through the
list and trying to take accounts. This was the golden list, the list of people's names,
email addresses, and how much cryptocurrency they had at the BTCE exchange. Of course,
Joseph was very happy to get this list. Oh yes, definitely. 100%. I mean, I'm 19 at the time,
so I'm out of high school, so I can do this all day, essentially.
Yeah, it was a really big deal for me to have that because I thought that was the pinnacle of just getting stuff.
He'd comb through the list, looking for accounts that had a lot of Bitcoin in it,
and then look to see what email addresses were associated to that.
Now, as you know, typically, when you log into an email account,
all you need is an email address and a password.
So he first wanted to see if he could figure out the password.
Joseph was getting more savvy in the hacking scene,
and he signed up for a website which lets you put in an email address,
and it would search all the public database breaches out there
and tell you any cracked passwords that were associated with that email address.
And you'd search in the email into this leak site,
and it would display the public passwords of them.
So essentially, I'm
copying these passwords. I'm trying them with variants. Like if the password's cool dog one,
two, two, I might try cool dog with a K or maybe cool dog one, two, two with an exclamation point
at the end. And just hoping I try a few variants of there are commonly I've found commonly
associated and then try to just sign into the email account. An interesting one where people thought they were being slick is I remember commonly seeing
something like a password, like a complex password and then like maybe an at symbol
and then PayPal.com.
And eventually I just pieced together, oh, for LinkedIn.com, it's LinkedIn.com.
For MySpace, it's MySpace.com.
Let me just use their common password.
And then let's try Yahoo.com.
Oh, Yahoo.com works.
So they're just using their common password with basically just the site afterwards.
And that was actually a common strategy.
It seemed like a decent amount of people were using.
So I kind of picked up on it and always tried it.
Oh, wow.
That's interesting.
So even though people were using different passwords on every site, which is what you
should be doing, the way they were changing it was guessable. And Joseph was able to piece
this together and make some money from this. Just to see if I can get lucky. And in some cases,
I did. There was a few accounts where I got lucky in and I entered the password correctly
and just straight up reset their account. And I'd say in that little run, I made about 30 Bitcoin or so,
which at the time was about $10,000 to $15,000. Well, after a while, this list had grown cold.
It got passed around a lot and all the accounts with big Bitcoin had already been drained or
moved. He was getting into accounts, opening the lid and seeing nothing in there. So lots of hacking, but not many hits.
So I'm doing that, but it's at that point where I'm sort of, I had a group of friends who was
suddenly targeting different people. They're saying BTC isn't the move. Instead, we should
start targeting altcoin investors. So while Bitcoin is sort of the flagship cryptocurrency,
there are many other cryptocurrencies out there. Anyone who wants to start their own cryptocurrency can. And there's lots of money that gets poured
into these altcoins. Now around then, Joseph was seeing the people in his circle starting to get
into SIM swapping. This is where you can try to take over someone's phone so they could then reset
the password on an email account. Well, since Joseph was literally in the business
of resetting passwords and getting into email accounts,
it made sense for him to start learning
how to do SIM swapping
and see how that can be added to his tool belt.
So he started dabbling with it.
Back then, you know, SIM swapping was fairly easy.
You could, you would,
back then they would ask for last four digits of social.
Oh, hey, I'm calling up AT&T.
Hey, I just got a new cell phone.
I have a new SIM card.
I'm trying to activate my device on that SIM card.
And they'd say, OK, well, what's your name?
You'd say it.
Then they'd ask for your last four social security number.
You'd give it to them.
And you can buy basically almost anyone's social security number off the dark web for like essentially three bucks.
So you just buy their social three bucks and call up AT&T, Verizon, T-Mobile, and they'll just activate the device for you.
So it's really easy.
But while Joseph did it a few times, he wasn't doing it that much, really.
Until he got in with this group of online criminals who were doing SIM swaps to steal people's cryptocurrencies. And specifically, this group was focused on people
with a certain kind of altcoin. Augur, which was the first ERC-20 token to be featured on the
Ethereum blockchain. It was essentially the first Ethereum altcoin on the blockchain. And I believe
the persons I was involved with
actually targeted that company
and they got a list of all the pre-sale investors.
Basically everyone who had deposited money
when they were launching.
So they had the list of all the basically ICO investors.
And it would show their address.
How'd they get that?
I think they actually SIM swapped the people in Augur
and I believe they had it uploaded on Google Drive or something,
just to keep track, like a spreadsheet, essentially.
That's wild, all the SIM swapping that happens.
Because SIM swapping to get an ad account, yeah, okay, I covered that.
SIM swapping to get some Bitcoin.
But now here we go, SIM swapping just to get a database.
Right.
Even if you get a SIM swap, how are you going to get the database?
You're going to, that's, you see, they must have reset the person's Gmail, and I'm not sure they're necessarily looking for that. It's hit or miss sometimes with these things. You can do all this work and still not make money, which is, you know, you're not going to get everything first try. But they got these Augur people and they must have had their spreadsheet backed up
with Google Drive and or something basically to easily keep track of it. And they download this and this is even more
valuable. This shows Ethereum address. It's like essentially the BTCE thing. It shows Ethereum
address, how much money they bought, and their email. Whoa, did you follow that? When this Augur
crypto coin initially launched,
there was a pre-sale where investors could buy some early.
And the CEO of Augur was saving all these investors' names
in a spreadsheet and storing it on Google Drive.
And this group then sim-swapped the CEO,
probably just looking to steal some crypto,
but instead went into his Google Drive account
and found the spreadsheet of all the initial investors,
their email, and how much Augur they bought. This list was amazing for this particular group of
criminals. Joseph was seeing these people go down the list, targeting every one of the whales,
trying hard to get into each of their accounts. And he wanted to do it too, but they wouldn't
give him the list. It was too valuable for them.
He did help this group get into other crypto-related accounts, though. And he says at the time, AOL and Yahoo emails were the easiest to break into
because it didn't take much for him to call up and convince them
that he was the owner of the account to get the password reset.
Let's just reenact one of these calls, right?
So you call up Yahoo, and they say,
Yes, this is Yahoo. How can I help you?
What do you say?
Hi, I'm Joseph Harris.
I'm trying to reset my Yahoo email address.
Okay, what's your email?
Docman123 at Yahoo.
Pull up the account.
Okay, we need you to verify your security question answer on file,
or you have a card on file that you can verify
Now, what I would do before I would call Yahoo in a lot of cases was I'd call up the billing
department, uh, call up Yahoo, say, hey, I'm trying to add a card to my Yahoo account. I'm actually
thinking about making a purchase, uh, Yahoo Small Business, um, I need to make sure my card's on file.
And they'd say, okay, uh, you don't have a card on file.
I'm like, weird, I thought I just added it.
Like, would you like me to add the card for you?
So you give them a fake Visa.
It doesn't have to be valid at all.
It doesn't actually bill anything.
Just give them a fake Visa, give them a security code,
and they register it on the account,
then call back the regular Yahoo support.
Hi, oh, we see you have a card on file. Could you
verify the last four digits of the card for it? And you know that Visa because you added it. You
tell them the last four digits of card. Okay, we've successfully, they'd actually say congratulations,
which I always thought was funny, because if it's someone who lost access to their email, why would
they want to be congratulated? But for me, congratulations, you, you got the account, essentially.
So I always thought it was a funny word choice.
They say, congratulations, we can add an alternate email to you. We can do this. And what I would do is I'd say, these security question answers I have on file, I think someone might know them.
Could you transfer me to a manager so I can update them permanently in the system? They transfer me to a manager
and I would tell them these security questions,
they're compromised, like someone else knows them.
Could you update them on file?
And I would call them and they would essentially
permanently update the original security questions answers.
So if DocBan1337 Yahoo is trying to get their account back,
they call, what's the name of your first pet?
Oh, my first pet is this.
That's not what we have on file.
They can't even get their Yahoo back
because I've updated their original questions with a manager.
So now they can't even get their email address back.
Man, he's scary.
This worked very well for him to get into these email accounts.
And at the time, he was getting into a lot of them.
He didn't have any other job, so he would just focus on this all day. So he was mastering the
dark art of email compromise. But because he was doing this so often, he would always be on the
lookout for easier ways to do it, such as looking for bugs in some of these email providers. And one day he found a bug in Gmail,
which let him reset anyone's password.
See, at the time, if you told Google that you forgot your password,
it would look at your cookie history
to see if you ever logged into that account before.
And if you didn't have a session cookie from the past,
it would ask you some really hard questions to do the account reset.
But if it did see that you had a cookie from a past login, it would only ask you some easy questions to let
you back into the account because it probably meant that you were the rightful owner. So Joseph
decided to make fake cookies. My bug was essentially, I was able to get it so it appeared
that way for any account. So when I tried to reset
a password on the form, it would show that I had signed into that email before. So now suddenly,
when I reset the password, the form's registering as this person is signed into this email right now.
If they fill out a basic amount of information, we either give it back to them, or in some cases,
it would just straight up let you change your password right away. It was so heavily reliant on cookies back then that even if you had the
wrong answers filled out, it would still let you reset the password because it's like,
this person's signed into the account right now. It just would reset for it. It was a terrible bug
with Google. It was never publicly disclosed. It wasn't like it was big news. I'm sure if it was
big news, Google would be getting all kinds of stuff for that.
But it was never, it was sort of,
I found it and I told a few friends,
but it was never like a public bug
that everyone was doing.
So Google eventually fixed it after about a month.
But for a whole month, yeah, you could essentially,
as long as the account wasn't two-stepped,
you could basically just, you could do the trick
and then you could essentially just
reset anyone's Gmail. Some cases it didn't work, but in most cases it would just reset the Gmail
account with not knowing any information because it registered that your cookies, essentially that
you were signed into the Gmail account right now as we were speaking, your cookies are attached
to this Google account. So you see, there were lots of different tricks he was using to get into
accounts.
But it doesn't stop there.
This group was giving him users to target,
and they were heavy into SIM swapping
to get into emails and accounts.
And so he was learning how to SIM swap pretty well, too.
So once you get someone's Yahoo account,
you probably, like, get in the zone.
Like, it's probably go, go, go time. What are you doing? Like, you lock the door, uh, put the headphones on, let's go. And what is it that's going on?
Um, I'm typically looking for, if it was crypto, I'm obviously looking for their crypto wallet. Do they have a backup? Do they have a form I can reset?
You have a certain tool that's looking through the email?
No, I'm manually searching it because I don't want to miss anything.
A tool, they can miss something.
But if it's a crypto person, I'm going through every email,
any lead that could possibly lead to something because I don't want a machine to miss it.
So I'm just manually looking through.
Yeah, it's time consuming, but if you go through it too quick,
you're going to overlook something that could lead to something else.
So rattle off the first five searches you might do.
Well, depending on it, with Yahoo, for something else, I would be looking at their Google Cloud or their OneDrive account and try to see if they have any pictures or backups saved there.
But with Yahoo, they have Yahoo documents, so I might be looking through your Yahoo documents, or I might be searching keywords relating to crypto, something
like that. Yahoo documents, see if they have any backup. If I'm looking, if I know specifically
they have an Ethereum wallet, I might search up the keyword Ethereum wallet JSON and see if they
have the Ethereum wallet backup there. Now, another place he liked digging through was people's Google Drive or OneDrive.
These are private storage places that people use to put sensitive information on so you
don't lose it.
And he would find ways into this and start looking around for interesting stuff there.
A lot of people do store their seeds and their private keys in their email.
It's a terrible habit to have, but back then,
especially, you'd see people that would write down their private keys in their cloud storage or
something like that, or have their backup taken a photo of and be in Yahoo Photos, something like
that. What's the trick to try to find these things? Are you just looking for seed phrase?
Yeah, exactly. I'm just going through, looking through send inbox, seeing if they have sent themselves an email.
I might do from this email to my email, see if they did that.
Going through photos, just manually searching, making sure I don't miss anything.
So you're also looking through Dropbox and any other place that they might...
Oh, of course. If I can get into their Apple account.
If someone hasn't turned off their sync settings, automatically, if they take a photo of my seed,
I'm going to see it in the iCloud
unless they change their settings.
And not everyone's going to go into their iCloud
and disable it so it syncs to iCloud.
You know, most people have their sync option on.
So if they take a photo,
I can see that photo of whatever they took in their iCloud.
Boo.
Most of the time, both Android and Apple phones
will automatically send photos taken on the phone
to Google Photos or iCloud.
And because Joseph knew this,
he would get into there and look through the photos
taken on the phone to try to find anything good.
Some people don't even know their photos are synced this way.
And this makes me pause to think, too,
because what if he's not there to steal
cryptocurrency? What if he's there to steal nudes or incriminating photos or just private stuff that
you don't want leaked? This is way too easy for someone to get into the photos taken on my phone.
And I think the problem here is that we want phones with cool features that are easy to use.
And sure, you could set your phone to not back up the photos to the cloud,
but now you've got to find a way to back up these photos yourself somewhere,
which is a lot more work. It's harder to do.
And so we opt for easier methods to do things, even though they're less secure.
Eventually, Joseph got his hands on the full list of Augur investors and was going wild with
that. He had lots of ways into accounts, but sometimes they would all fail. And that's when
he had to try to SIM swap it. I have a burner Android phone that cost me 20, 30 bucks that I
ordered off eBay or some site or got off Craigslist. I have a SIM card that I just paid and bought online
from eBay or some reseller. And I got a phone and I've just called up AT&T or Verizon, verified my
details and gave them my SIM card. And now I have the phone in my hand and I'm going on gmail.com
and I'm typing in the person's email.
And then I see a phone option.
I'm typing in that phone number and I'm getting a text directly to that phone in my hand, reading off that code, typing in my web browser, resetting that person's email password.
He scored a lot while doing all this.
These are still early days.
So it's basically like I'm not making too much.
I'm making twice.
I hadn't made six figures yet even, but by 2017, the end of the year, I had made six figures. But at the time, these were a couple of 10,000s at a time kind of hits. And crypto wasn't, this is still 2016, the start of 2017. So crypto hasn't done that little 2017 bull run yet. Ethereum, for example, is still under $10.
But this little spree started to wind down. The list of whales to attack was dwindling, the Gmail bug that he found got
fixed, and the phone companies were starting to get more strict at stopping SIM swap attacks.
They were now requiring people to know the account number or security number or something else to
swap it. So simming suddenly just became too hard to do.
Now, most of this crypto he stole, he would just cash it out right away using local bitcoins.
But as 2017 came around, the price of crypto rose dramatically,
and he decided to just start keeping a bunch of it and hold it.
And without even doing anything, he was watching his money double and triple in value that year.
And one day he came across an account that he wanted to get info from,
and he found the phone number associated to it, but it was a Verizon number.
And Verizon just upped their security, making it too hard to do a SIM swap with them anymore.
So I'm trying to reset a Verizon.
They're gung-ho on this passcode or account number.
And so I start to think, account number, how can I get that? Is there a bug I can find to get this account number or something?
And I decide to look for a bug that might disclose the account number. I look through pages, I'm not
finding anything. Then I think, what about the quick pay thing where there's pages with like
AT&T and Verizon, where you quickly pay your bill and you
don't need like access to the account. You just enter your phone number. So I look at this quick
pay page. I enter a target's, a Verizon, some random guy's Verizon number. And then I look at
the page. It has the account number, but it's not fully disclosed. But then I'm like, why don't I
look a little deeper? So I look into the sources and I find a JavaScript variable that has the account number just completely disclosed right there. So I've now found in the JavaScript that the account number that was just disclosed to me. And now essentially, I'm pretty much the only one in this community that's able to do Verizon's because this is when the social
stuff got patched. So essentially, I'm like the go-to guy to reset these Verizon's accounts
because I'm the only one who knows how to do them because I'm the only one that has this bug
to basically find the account number. I want to linger here for a second.
Joseph found a page on Verizon's website
which lets you put in someone's phone number
to pay their bill.
And then if he inspected the source code,
he could see their account number.
Is this a data breach?
Yes, I'd say it is.
The account number should not be known publicly.
I mean, even Verizon knew that,
and that's why they asked for that number before porting a SIM card over.
So the fact that you could go to this website
and just get the account number of any phone number you wanted
is a data breach.
But the thing is, defenders, or security professionals like myself,
have a hard time visualizing what a data breach like this can actually cause damage to.
So what if someone knows my Verizon account number?
What are they going to do, pay my bill with it?
But I read something the other day that I think captures this problem.
I'm going to reference the Marine Corps doctrine on warfighting.
MCDP1.
Yeah, I sometimes do read Marine Corps manuals on war fighting.
And there's this section which talks about the science, art, and dynamic of war. And the section
ends by saying this, quote, we thus conclude that the conduct of war is fundamentally a dynamic
process of human competition requiring both the knowledge of science and the creativity of art, but driven
ultimately by the power of human will. End quote. This sounds exactly like what hackers do.
Defending and attacking a network is a human competition. Who's better at their job?
And this doctrine goes on about how creativity plays a big part in winning a war. You have to be able to
visualize what could possibly happen. And here's an example of a hacker being able to visualize
and be more creative than the defenders. Joseph possesses a strong creative force. It's remarkable
what he can do with just a little bit of user data. Yeah, like, oh, what can we do with account
number?
Like, okay, haha, yeah, they know the account number.
So you look at this like, oh, this is such a little breach.
But this one little breach is basically the key to take over anyone's Verizon account.
It's scary to think about.
Because when you give this little piece of user data to someone like Joseph, who's skilled at SIM swapping and stealing crypto, it could mean
hundreds of thousands or millions of dollars in stolen money from users. And the weird thing is,
Verizon isn't even going to be blamed when their users get their money stolen. I don't know,
I guess I'm just surprised to see such creativity and enormous human will that some attackers have.
And this wasn't the only time he found a vulnerability on a cell provider.
He also found a bug on T-Mobile's website.
So essentially what I did is I had a compromised account number to a T-Mobile account.
So I signed in with someone else's T-Mobile account,
and I just started looking through the HTTP traffic.
And I was looking through requests.
I'm visiting every single URL and just basically
getting a full scope of the request being sent out. And I stumble upon the WSG one, which is a
new one. And I noticed it has the T-Mobile ID field in it. And it has the phone number of the
person I'm signed into. And so it was a very simple thing. I just tested with someone else's
phone where it disclosed their info. I also said, and then I started trying
different values after that. So instead of
MSID, I try a T-Mobile
ID and I could search them by their email
address. So I was just figuring out these
different parameters I could use to pull
different information or pull up information
based off like account number
or email address
or phone number.
And it would just display their information.
I'm proper impressed with this.
I mean, he's capturing packets,
changing the data on it and replaying them.
That's not some basic skills there.
He's got some real hacking chops to figure that out.
But what this did is it allowed him to read text messages
for other T-Mobile users without having to SIM swap them
because he was changing the IMSI number. Joseph was getting
pretty dangerous. He's mastered how to get into people's emails. He's cornered the market on SIM
swapping certain carriers. He's finding some pretty juicy vulnerabilities, and he's absolutely
ruthless about stealing people's cryptocurrencies. He starts learning about how to find even bigger
accounts to go after. Because
since crypto was booming, it meant there were a lot of newly minted millionaires. And Joseph was
laser-eyed focus on who they were and was targeting them. And sure enough, he got into an account
which had over a million dollars in cryptocurrency, and he stole it.
At this time, I was a crypto millionaire.
There was a hack I did that I made millions of dollars,
essentially by finding a backup seed.
This was a big score, his biggest yet.
He can't go into details about this one, though. But it was exciting for sure.
He was walking taller and on a
new high for about a week because that's when the cops showed up. So they actually went to my old
house, my mom's, and they basically said, we want to see Joseph. And she gave him my new address and
gave me a call, a heads up that they were on the way. So I was kind of prepared, but they were,
I kind of just put my computer somewhere where I didn't have time to get rid of it or anything,
but I just kind of put it to the side and they knocked and they said, Joseph Harris,
like you're under arrest. And honestly, I'm not, I asked, is this like about, I knew there was that
other charge, like, is this about the Instagram thing? And they said yes. And then essentially they took me to the near police station.
I was booked, took fingerprints.
And then essentially after that, they let me go on a $500 bail.
What?
He was arrested for stealing that Instagram account from a while back?
And the cops had no clue he had stolen a million dollars a week earlier.
So he got a misdemeanor charge and was let go on a 500 bail.
Yeah, and I mean, did that scare you at all, or you're just like, ha ha?
I was sort of like a ha ha moment in a way, but I did get super careful after that. Anytime I would use a computer, I just
started destroying them completely, just removing all, like, any computers I had. I, I went probably through like
five Macs, like within like nine months, and probably destroyed a couple PCs while I was at it. I was
just, I would, because honestly how they got me was they had done forensics on my, uh, my computer, and
even though I had thought I had deleted everything, they were, obviously they could still dig into the RAM and see, oh, this person had Skype logs.
So even though he's deleted everything, we can use advanced forensics and find all that he's been doing.
So I wasn't even going to risk debanding at that point.
I was not going to risk anything.
I'm doing bigger bucks.
I can afford to buy new Macs.
I'm just going to completely smash, scatter these parts in dumpsters or wherever I can and just not have physical evidence.
Well, tell me about this smash. Was this a social event or did you like...
Oh, it wasn't. It wasn't a social event. It was just me using tools and smashing computers and
then putting them in trash bags and throwing them in different areas not near my house. So,
I mean, that was just my way of saying, okay, well, even if I get arrested, there's going to
be no physical evidence.
My idea was I just don't want anyone to get a hold of my computers because I know they got advanced forensics, and I'm not going to take any risks with that.
Yeah, I just imagine you taking it to a party and saying, hey, everyone, give it a good stomp.
I was living with my roommates at the time, so they didn't know exactly what I was doing. They knew something was up, I'm sure, but they, they helped me smash them, but they weren't exactly sure what, what they were smashing
before I decided to get rid of this. Like, okay, Joseph, sure, you know. Um, so there was sort of
these things where my friend would get out the chains, not chainsaw, it's some sort of tool, and
basically drill into it. That might have been a drill bit, I don't remember completely, but
yeah, we destroyed, I remember us playing around with magnets too. So there was sort of
that, but it wasn't something like that, essentially. It wasn't one of those things
to flex. It was more, I don't want this to be evidence. I got to get rid of it.
By this point, he had graduated high school and moved out on his own. And the story he told his
parents was that he was a Bitcoin investor.
Since it skyrocketed that year, it was a believable story.
And it was partially true.
So his parents trusted that he was doing well.
And he started getting more sophisticated with laundering his Bitcoin too.
See, when you steal someone's Bitcoin, it's hard to cash it out without it being tracked to you.
All the exchanges require KYC, or know your customer.
And you have to give them a valid photo ID
and tell them who you are and all this kind of stuff.
And so if there is a crypto heist or some funny business,
the Feds can track that crypto to an exchange
and then get the exchange to tell them who cashed out with it.
And in fact, Joseph did have an account at an exchange,
Coinbase, under his real name,
and he was cashing out on some of these licks.
But he could do that because he was cleaning the money first before putting it into his account and cashing it out.
Well, so the basic idea is I was paying to have these German Binance accounts created, a thousand bucks or so.
At the time, I had a lot of money, so a thousand bucks was a lot.
So I'd pay a thousand bucks for a couple of these people that this guy I knew knew a bunch of German people.
So I'd have him create these Binance accounts for me.
And I would essentially slowly launder the money through those.
I'd change the crypto to Monero, then I'd take the Monero out, send the Monero to my Monero address,
then send the Monero to another Monero address I did.
And I'm sure you know Monero is a privacy coin, so it doesn't show up on the blockchain.
So basically, that's basically money laundering 101 with crypto.
You need to get your crypto to Monero, and you need to send your Monero to another address
so there's no transaction.
And suddenly you buy, say, Bitcoin again with Monero or Ethereum, there's no way to tell
where that Monero came from originally
because it's not public on the blockchain.
So essentially, once you buy that Ethereum,
all that shows is that someone bought Ethereum with Monero,
but we have no idea where this Monero came from.
So they can't do blockchain analysis and track,
oh wait, this came from this hack and this hack.
But all they see is someone's used Monero to buy this,
but there's no proof that I got that illegally.
There's no proof.
I'm just a Monero user.
Makes sense.
So you've got some money coming into Coinbase.
You're cashing out, putting it in your bank account.
You've got an apartment or a house or something.
I have a house with four roommates.
It's not a big house.
At the time, I'm still living within my means.
You see all these crazy stories, and I always kind of look down on it. I'd see people
going in LA posting their ads and I'd kind of be like, oh, I've never been really the party type
myself. I was more just kind of like, I had this money, I was saving it, you know. I was, I wasn't
being, I was buying stuff, like I bought some usernames and stuff, but I wasn't going out buying Lamborghinis
and stuff like that.
Yeah. So you are doing all this work in an office setting or in your bedroom or what?
I have a little basement area and I have a decent little computer set up and I'm just
kind of doing it in there. There's a big TV that I bought. I got a TV. I can watch that.
I got some game consoles if I want to play some Xbox.
And obviously, I got my computer right there.
So I also have a good Mac because I've always been –
I always like bringing my Mac and doing stuff on my Mac too.
So those are my main setup.
I got my big PC downstairs, and I got my Mac that I use around the house.
I'm just trying to picture it, right?
Let's just put it this way.
That house, it's a small little house.
It's just kind of crazy to think.
My friends used to joke about it now, but it's like millions of dollars was stolen in that house.
Just crazy to think some small little house, not even a major place, but the amount of money that was stolen just in the basement of some, you know, it's not an expensive house. It's probably worth $100,000, $200,000, and it's
four people paying for rent. I'm not going out buying a penthouse or anything. And it's just
kind of odd to think, oh, wow, there was millions of dollars that was laundered and stolen through
that house. Did you have an exit strategy in mind? Did you say, okay, I'm going to only steal this
much money and then I think I'm going to hang it up? That was sort of it, but it's just that,
like you said before, that rush. One second, you are not a millionaire. You have thousands of
dollars or 100K, but you're not a millionaire. Then within two seconds, 10 seconds, you instantly have $2 million, $3 million.
Just within like a minute, it's that rush.
It's like an insane natural high that you're like, whoa.
When you have that rush, when you make it,
and it's like, oh my gosh, I just did it.
I just have an extra $2 million.
What do you do to maybe celebrate
or what do you do after that to just kind of let it linger?
Probably just go out with my friends, play video games, get some food, honestly.
I remember after my first million dollar one, I had my friend and we went to Fazoli's.
It's an Italian place and that was my celebration.
Fazoli's gives you free breadsticks.
Hey, I just got a million dollars.
Let's go get some free breadsticks.
Guys, on me, on me.
Yeah, of course it was on me.
Yeah, I wasn't having my friend pay.
So at this point, it's like you're insane.
And also, it's just a very big rush.
It's enjoyable.
And you've already made your millions of dollars.
So now it's more like you're not even stressing about getting the money.
You're like, I can do this until I make another one.
And at this point, crypto is starting to crash.
I don't know if you remember, but in 2018, Ethereum went from near $1,500 and it started going down, slowly down to $600.
So suddenly my money, I'm losing like every time crypto is dropping, I'm losing six figures.
That's how much I had.
Anytime it would start dropping, my millions was going down.
I was losing $100,000, $200,000, $300,000 at a time because I had so much that anytime it dropped, I'd lose a lot of money.
So even though I stole this money, that was starting to wear on my mind.
Like, oh, wow, my money's going down.
So I'm getting a rush from doing this and my money's going down.
Why don't I keep doing it?
So up until now, if you had control of someone's phone number
and wanted to get into their Gmail account,
you could just tell Gmail, hey, reset my password.
And typically the backup way into a Gmail
was to get a text to your phone with a link to reset the password.
But Gmail added a new security feature, which somehow
messed this up. So SIM swapping someone to try to get into their Gmail account just wasn't working
well anymore. Basically, Gmail was starting to get a little strict. You try a SIM swap form and it
wasn't letting you because it would give you these unrecognized device errors. So people were not
being able to do Gmails. But I had actually found a bug by using a web debugger and SIM swapping that I could
actually make it appear as if I
signed in the device before. Remember how I
had done that with Gmail before to be able
to reset passwords? But here if I
controlled someone's SIM and had the
SIM device I could also do it so that
I could
essentially appear as if I was signing in the account.
Suddenly the forms let me reset
with just phone number,
not even like, I'm completely bypassing G-Auth and two-step,
which is now in the picture.
So I have this bug to do this stuff.
And I hear about this Crowd Machine guy.
This Crowd Machine guy.
He's talking about the owner and CEO of a crypto company called Crowd Machine.
Now, by this point, Joseph has moved his sights higher.
Instead of targeting people with crypto,
why not target companies that have crypto?
Because they'll have way more.
Now, you can go onto websites like CoinMarketCap
and see who the biggest whales are in crypto.
And you can see which wallets have over a million dollars.
It's right there for anyone to see
because the blockchain is a public ledger.
Joseph found a certain wallet that had a lot of this CrowdMachine altcoin in it. And it was so
much that Joseph thought for sure it must be owned by either the company or the CEO. And so he set
his sights on the CEO of CrowdMachine, thinking surely he must have access to these big wallets somehow.
And he has two-step security on it.
He has G-Auth, he has an alternate email.
Normally this guy's not targetable,
but I decided to try my bug on him.
So at this time I was thinking,
normally when I did SIM swaps,
I would let other people do the SIM for me,
like they'd hold the SIM.
But in this case, I was a little upset about a breakup.
So I was just kind of in ruthless mode.
I was like, I want to make a lot of money.
I want to do this.
I want to do that. And I started seeing my friend Joel get arrested.
And they got him by tracking the cell phone location.
They could see where he was.
Okay, so Joel Ortiz was the first ever person
to be arrested and convicted for SIM swapping.
Apparently, he stole $23 million
from someone using a SIM swap attack.
Joel is currently facing 10 years in prison for this.
Joseph knew him and didn't want to be arrested
in the same way by being identified
because of what cell towers he was connecting to.
So to do this SIM swap, Joseph drove far away from his home in Missouri all the way to Oklahoma.
Yeah, so Oklahoma is like about, I went to Oklahoma City.
That's about an eight to nine hour drive.
It's not too far.
Maybe it's a little less than that.
So we drive down to Oklahoma.
My cousin's driving me.
And he doesn't stay long.
He drops me off. Well, actually, he stays the first day. And I go to Walmart to buy a cell phone,
just a cheap cell phone, which that was my first mistake. Normally, I buy these things on eBay.
And keep in mind, I haven't held the phone a while. So I'm a little outdated with how to do it.
What he means is this group he was with got so big that some people specialized in SIM swaps,
and you could just tell them the number you wanted, and they would do the SIM swap.
And then when you went to do the password reset, you just asked them for the text message,
and they would tell you what's on the phone.
And that's what he normally would do when he needed to do a SIM swap.
But for this particular one, he wanted to do it himself,
maybe because he had this Gmail bug that he found
that he didn't want to share with anyone.
So essentially, I'm just, like I said, a lot of times,
you know these people probably have a lot of money,
but you don't necessarily know how they store it.
So this time, I call up AT&T, and I ask to activate it.
They gave me a little trouble at first,
but eventually, I got them to activate the SIM card.
And then I do my vulnerability to try to make it
so that it appears as if I've signed in again.
I pull off the bug.
Okay, at this point, he's in the accounts.
He has control over the CEO's phone and his Gmail account,
all from within this hotel room.
This is all in a hotel room, yeah. And I'm alone in a hotel room. I've been alone for about five
days. So I'm starting to get a little antsy and kind of nervous and I'm upset about the breakup.
I get it activated. I use my bug to bypass two-step and I reset the code with just the
account with just the phone number. And I'm excited because I hadn't, I had
done it before with another thing, but I had never done it to bypass G-Auth. So I'm like, wow, this
bug's even more effective than I thought. So I sign in and I start looking through his stuff.
Now I'm seeing some interesting emails, but I decide to go to Google Drive.
And I'm looking through his files, and that's when I see a backup to MetaMask mnemonic passphrase, which is, I forget how many.
I think it's like 12 characters.
It's a 12-character word.
I don't know exactly what it's for, but I'm guessing it's for Ethereum.
So I put that mnemonic passphrase in MetaMask, loads up the wallet, and I see he has $3 million in his own coin there.
Joseph now has full control of this wallet.
With just a few clicks of the mouse, he can transfer $3 million of this crypto coin to his own wallet.
And so he takes a moment to just look at this. A tiny smile
flashes across his face and he grabs it all. All $3 million worth of this Crowd Machine crypto coin.
But I'm like, surely there's more stuff. So I start, his account's a super admin on his G Suite.
So I go through his users and I find the tech guy, the guy who
built an automated system to send out the investors their coin. So I reset his account
and I get into the tech guy thing and I see that he has a script that basically automates the
process of sending out these coins to the investors. But his bad fault is he backed up
his source code for this on Google Drive.
The source code shows exactly how to pull money out of the main wallet for this company,
step by step.
So all now Joseph has to do is read what's in the source code
and follow it to transfer the money to his own wallet.
So he cracks it open to take a look.
And sitting right there in the source code was the private key
for the main CrowdMachine wallet.
He loads this private key up into his wallet,
which gives him control of that wallet.
And I accessed the private key,
and it has about $17 million in it.
That is $17 million worth of this Crowd Machine cryptocurrency.
Whoa.
This was by far the most he's ever had control of.
But at this point, it's still sitting in their wallet.
And of course, he wants to move it to his wallet so only he would be able to control this money.
So I see that this wallet has $17 million in it.
And I already have $3 million. So I have $20 million
total. But I decide that I don't know what this moral compass was. It doesn't mean thinking back
to it, it makes no sense. But I decide I'm not going to take everything from them. I just take
$15 million from them. And I leave $5 million still in the crowdsale wallet. What do you think
the reason was? I think the reason was a slight bit of guilt.
Like, do I completely want to take these people completely dry?
Or just leave them with something, I think was my mindset.
Which, looking back at it, I'm going to tank their coin anyways.
Why wouldn't I just take it all?
But I do feel at the time I felt slightly bad about just robbing them for everything.
That's the biggest hit I've done.
$20 million is a lot of
money. So I'm thinking, I think it was flawed logic and it was just rushed. But I do believe
that there was a bit of guilt there that I didn't want to take everything from them. So that's
honestly what I believe. I still don't know why because I should have just... If I had done it
again, I probably... I don't know how I would have gone.
But it just, logically, it doesn't make sense for me to only take $15 million.
But I do believe there is a bit of guilt about taking such a large amount.
And hence, I left $5 million for them, which in retrospect doesn't make much sense.
But I guess I just didn't want to clean them dry.
So he grabs a total of $15 million worth of this crypto coin and closed it all up and shut down for the night.
Whoa, what a lick. $15 million.
He's pumped and amazed.
But he realizes something.
This is an altcoin. Specifically, it's an Ethereum-based ERC-20 token.
And because it's Ethereum-based, he can exchange it directly for Ethereum.
But the more he exchanges, the lower the coin will
go. And that's because of how liquidity pools work and stuff. So essentially, the more he takes out,
the more the price goes down. He realizes he's not going to be able to get anywhere near $15
million if he takes it all out this way. So he comes up with a plan and tries to make a deal
with the people he just robbed. That's correct. I sent them an email saying,
hey, I obviously control a large portion of your token sales.
If I was to sell this off, it's clearly going to cause a lot of damage to your token.
You won't come back from this.
Instead of me crashing your token and completely ruining your company,
there's an easier alternative.
You can send me $8 million in Bitcoin to my
address, and in return, I will return the $14 million I stole. As a token of good faith,
I've sent $1 million back to the crowdsale wallet. Huh. Interesting proposal. Clearly,
the company saw that they had $15 million in their coins stolen, and Joseph knew they raised
tens of millions of dollars from their ICO.
Would they want to save their coin or let it crash?
Just this week, I saw a news story
that a company called Rari got hacked
and lost $80 million.
And they offered a $10 million,
no questions asked reward to whoever returned the money.
So these things do happen.
But Crowd Machine never replied to Joseph.
Instead, they were busy dialing the police. After a day or two of waiting, Joseph
decided to just start exchanging this coin for Ethereum. And just as he expected, this caused
the price of the coin to start going down. By the time he exchanged all his coins for ETH,
what he had in his wallet was just a few hundred thousand dollars, nowhere near the $14 million that he started with.
And of course, now all the investors are mad that the coin just tanked.
So that was the part I was at.
And obviously, I was a little bummed out about the way it turned out.
It could have turned out a lot better.
I made some mistakes.
I was low on sleep.
So I wanted to get out of Oklahoma.
So I had my cousin come to pick me up from Oklahoma, the person who dropped me off.
And he gets there, we chill. And then the next day we get ready to leave. I'm supposed to check
out on a Tuesday, but instead I decide, this is just weird. I'm getting out of there. So we leave.
And actually, I forgot to mention this part, but when we were checking out, I talked to the thing and the, I remember the hotel guests who were checking us out were being kind of acting a bit weird to us.
Like they seem nervous or they knew, seemed like they knew something was up or something.
And I remember getting in my cousin's car because we're going to stop by Walmart to get some supplies to get rid of this stuff.
I remember seeing the person as soon as I leave, the person at the hotel checkout goes to a van.
They literally went to a van.
I waved at them, but they didn't wave back.
And so I thought, okay, that's kind of weird.
I get to the Walmart and I see a police car parked out.
That kind of spooks me a little bit.
I'm like, okay, whatever. So I go through the Walmart, get the supplies. And then my cousin has to fill up
his car on gas. So we pull into the gas station. I remember my cousin telling me his last thoughts
before it all happened was, it's a beautiful day. But I was sitting in the passenger seat
and then an undercover agent points a gun at the car windshield and says, get out of the car.
My initial thoughts are I'm being robbed.
So I get out of the car, and instead of being robbed, I'm now handcuffed, and the person shows his badge.
He's part of the Secret Service.
What happens to your cousin?
So that's actually a really tragic part.
Because he was driving me, he actually got booked too, and his mugshot was featured on the front page of some articles as well. He was released two days later,
but I've always felt terrible about that. And I think it was kind of bad police work and media
because he wasn't even there at the time that the hack was taking place. So it was sort of just,
unfortunately, he just kind of got, I think he knew kind of what I was up to, but it's just
unfortunate that he got kind of flung in the mix.
I've always felt bad about that.
Okay, so they put you in the back of a police car.
They drive you to the station.
They interview you.
You answer questions.
That's correct, but I'm not telling them any information.
In my head, I'm trying to beat around the bush to see what they got on me.
They're asking me these questions, and I'm not giving them the answers. I can tell they're unhappy. And then finally,
I just get sick of the interview. I say, you know what? I'm going to back out here.
Honestly, you guys, whatever, do whatever. I'm not going to answer any of your questions without a
lawyer. And they kind of look at me and say, now, are you sure that's the route you want to take? Because the media is going to get this soon. And you can help us or you might be able to help us
or something. I just at the time, I'm like, I'm obviously not going to rat on my friends or anyone
that they might be interested in. So I just say, nope, we're done here. And I go back to an Oklahoma
jail cell, which I don't know if you know, but Oklahoma is kind of notorious for a bad jail.
This time, the police questioned him
and did not let him go home.
They kept him in jail for the entire investigation,
which took months, which is kind of surprising to me
that they kept him in jail
without giving him any kind of verdict.
Keep in mind, I was one of the first that was arrested.
You know, there was Joel, followed by Ricky,
both two I knew, and then Xavier, who I wasn't really aware of too much. I knew him, but not
personally. Essentially, what happened is I was sent to jail. Our appeal happens. The bail's set
at $14 million. My lawyer's initial reaction is, we need to get this bail lowered because we need to get them out on bail.
That was strenuous.
I was in jail from September to December before my bail hearing was finally here.
And the judge does lower it to a million dollars.
But at the time, they don't have everything set.
They don't know what to do with us yet.
They don't know what sentences they're giving out.
Essentially, the judge said, the DA said that I was, essentially said the story
that I was one of the, probably one of the best hackers in America. And that if I got released,
that I would basically be free to do whatever. I could, you know, they could strike computer
elections, but that wouldn't really stop me. You know, it, you know, so they were explaining the
story that if I got out, even if they banned me from the internet while I was facing trial,
I'd still be able to find a way to access the internet.
And I believe the word they used was I was a threat to the state of California.
California, because that's where the victim was.
When Crowd Machine was robbed, they quickly called the police
who investigated and that led them to Oklahoma.
And Crowd Machine is based in California.
So the prosecutors of this case were all in California,
and they put him on a plane and fly him over to California to be tried.
And strangely enough, the jail that he went to in California
was where Joel Ortiz was being kept,
the first person ever to be arrested for SIM swapping,
and Joseph knew this guy.
Yeah, we were both locked.
At this time, they were putting us...
This is a state charge, which I'm very grateful it was a state charge,
because if it was a federal charge, I probably would have had much more time,
and I wouldn't have got that halftime.
But we all basically committed crimes to people in San Jose.
There's a special task force called REACT who investigates SIM crimes
and kind of pioneered the whole
arresting stuff. They were the ones that made
the first initial SIM crime requests.
They're pretty smart with what they do with that stuff
and they were able to get
us. So Joel was arrested
by REACT. Ricky was
a state charge in Florida.
Xavier was arrested
by React and then I was arrested by REACT.
And me, Joel, and Xavier were all sent to Elmwood, which is basically the San Jose
sort of facility for corrections, which is just, it's not a prison, it's a jail.
So we were, basically, they were, any charge, then Cali, we were all getting sent to Elmwood. So
Joel was in the pod next to me. I was in a dorm environment. So we talked behind the, there was a courtyard that
connected the two dorms and you could talk through the door. And so, and Joel, in prison, they called,
or jail, they called Joel Bitcoin. So I, on my way to court one day, I heard them saying Bitcoin.
I'm like, is his name Joel? I'm like, yeah. And he's like, he's in that pod there. So I had one
of them basically get him to come to the door. And then we had a brief little
conversation there. Do you remember how they caught you? I know exactly how they caught me.
Remember that bug I told you on how I was able to reset, uh, Gmails with two-step? Yeah. So
when I was doing it with the web debugger, I must have let the hotel's IP connect to the phone briefly,
the Android device I was using.
So the hotel IP, when pulling out the bug,
they were able to pull that off.
Very terrible mistake.
I have VPNs everywhere else, but I'm pretty sure...
They said that's how they got me, the IP address.
So I think for a brief moment, that hotel IP registered to that phone,
and then they subpoenaed the hotel.
And I think my name was, I don't know how,
obviously a few of my friends have got arrested,
so maybe they mentioned Doc is Joseph Harris.
And essentially, I'm pretty sure, I mean, if Joseph Harris,
someone who they think may be involved with crypto crimes, is staying at a hotel where $14 million happened, wow, that's odd.
Oh, and also we got a Walmart surveillance footage of him buying the phone.
We don't have his name because he paid with cash, but we know he went to Walmart and bought a phone.
And we also know someone at this hotel where Joseph Harris is staying performed this hack.
So it was those two pieces of evidence.
And also, if you remember, I said I was going to destroy all that technology, including
the phone I used to hold the SIM swap.
That was on me, of course, in the car while we were literally, if it had been 30 minutes
earlier or 30 minutes later, that technology would have been gone, completely destroyed.
So it was,
honestly, and that case might have not had as much hold if they hadn't found the device used to
perpetrate the hack. So they basically caught me red-handed.
What did jail teach you? What did you learn there?
Well, first of all, it was just, it's sort of a reality check. We take so much for granted,
walking to Dollar General, getting snacks,
going to the movies, hanging out with friends. Your freedom's gone. And jail in some ways is
worse than prison because jail, you're in this waiting period. I mean, there's more dangerous
people in prison, but jail, there's not much to do at all. In prison, you can get stuff like
iPads and certain things, Walkmans to pass the day.
You can go to church and do certain things, activities.
In the jail cell I was in, there was barely nothing to do.
The only thing I could do was I worked out a bit and I read books.
But it's just such a reality check that your freedom's gone.
So the biggest thing I learned about this, if I keep on with this, my freedom's gone.
The prosecutors looked through all his devices, his computer, his phone. They even read through
the text messages that he had with his girlfriend at the time. And they were surprised to see that
a majority of what he stole was still in his possession, since he wasn't spending it wildly.
And Crowd Machine had some strange messaging to its investors, not being completely honest with what was going on. Joseph went to court, and in the end,
he was found guilty and was sentenced to 16 months in prison. The fact that I was willing to give up
all my money, the fact that I wasn't this person that was going out partying. The fact that I was someone who apparently the DA
said didn't seem like an awful person was sweet to my girlfriend at the time. And then also the
fact that the Crowd Machine people weren't being completely honest with the prosecutor. I think
all these three things factored into me getting a very light sentence, which compared to some of
these guys, 16 months is very light. And I've always been grateful for that. So it's always been sort of a,
nah, you got a second chance. You got lucky in this situation. If that ever happens again,
you're not going to be getting lucky. And of course, there's the moral side of that. Some
of your morals start to come back when you can look in your face, look what you did,
look at the people you're hurting. So I think all that, yeah, I definitely learned a lot of lessons.
And since then, I haven't committed any more crimes.
I've had no run-ins with the laws.
And, you know, I've obviously, I still do hacking, but in an ethical side of things.
Since getting out of prison, Joseph has been looking for vulnerabilities on websites and
reporting them.
He found a big one on Xbox Live and another big vulnerability with Microsoft and a Google bug that would have made him a lot of money
if he was still breaking any email addresses.
But he doesn't want to break the law anymore.
So when he finds these vulnerabilities,
he reports them ethically and responsibly
through a bug bounty program.
And these companies appreciate
that he's reporting these vulnerabilities to them
and actually paying him for it,
which is what he's doing mainly now to get by.
But something I was thinking about was, what if he stashed away some of that crypto before
going to jail?
It's gone up so much since he was arrested, and he could have came out mega rich.
But his lawyer convinced him it's way better to turn over everything since he'd get a
shorter sentence for cooperating.
I mean, I could have played it differently. I could have gone to jail, maybe done five, 10 years and came out. And, you know,
I would have been, say I got five years or something, half time, do two years, six months.
I could have been out by now and had been a crypto millionaire still. So yeah, that very much was a
possibility for me. It just wasn't a route I
wanted to personally take. I'd rather get out in my eight months time, 16 months with half and
just move that all behind. Because what I learned is my freedom's more important than
millions of dollars in crypto. At least for me, that's how it is.
There's some lessons learned for me from listening to this. First, this REACT task force only took three days to find and arrest Joseph after CrowdMachine called them.
And that is some pretty quick moving.
It sounds like they know how to investigate these cases and are getting better at capturing cyber criminals who steal crypto assets.
So if you're a victim of one of these kind of cyber heists, see if there's a REACT task force in your state and reach out to them. They've got the ability to work with tech companies to gather clues that
could lead to catching the person. Next, it sounds like if you have any crypto assets or digital
assets of value, do not store it on the cloud. For a long time, we used to say, don't keep your
crypto at an exchange in case that exchange goes down or leaves town. And if you don't have your private keys, then it's not your crypto.
So it's already not recommended to leave stuff on the exchange.
But now I want to take it a step further and say,
don't store any private keys or seed phrases digitally or in the cloud.
If you took a picture of your private key, that picture might be in your cloud storage.
And if someone got in there and looked at it, game over.
You just lost it all.
And if you're storing seed phrases in a text file
or even in a password vault,
that's also something these digital robbers
are laser focused on
and will go through every one of your files
looking for that.
So the recommended thing to do
is put your seed phrase in some fire resistant device
or container and store it in a safe.
Also, we should be more protective of our
social media accounts. There's a big industry of people trying to steal these and sell them.
So make sure you're enabling two-factor authentication to protect these and don't
make the second factor a text message. Make it like a Google authenticator or some hardware
token like a YubiKey and secure your email and all important accounts like this. You've really
got to fortify your digital life,
and email should be your priority.
You don't want anybody getting in there and rummaging through your private stuff.
And above all, don't click on any links
that seem too good to be true,
because people are trying to phish you all the time,
and they want to steal whatever digital assets you have
that are of value.
So be super cautious about all links that people send you.
Good luck.
A big thank you to Joseph Harris for sharing the story with us.
Joseph is the fourth person ever to be arrested for SIM swapping, and it's wild to be watching
how modern crimes are springing up and being introduced into the world.
And if you want to hear more about SIM swapping and other digital heists, check out episode 112 called
Dirty Comms. If you like this show, if it brings value to you, consider donating to it through
Patreon. By directly supporting the show, it helps keep ads at a minimum, and it tells me you want
more of it. So please visit patreon.com slash darknetdiaries and consider supporting the show.
Thank you.
This show is made by me, the plug, Jack Rhysider.
Sound design by The Ringer, Andrew Meriwether,
and editing help this episode by the holder, Damien.
And our theme music is by the 120-volt Breakmaster Cylinder.
I think I lost an electron.
Yep, I'm positive. This is Darknet Diaries.