Darknet Diaries - 120: Voulnet
Episode Date: June 28, 2022
This is the story about when Mohammed Aldoub, AKA Voulnet, (twitter.com/Voulnet) found a vulnerability on Virus Total and Tweeted about it.
Sponsors
Support for this podcast comes from Cybereas...on. Cybereason reverses the attacker’s advantage and puts the power back in the defender’s hands. End cyber attacks. From endpoints to everywhere. Learn more at Cybereason.com/darknet.
Support for this show comes from Varonis. Do you wonder what your company’s ransomware blast radius is? Varonis does a free cyber resilience assessment that tells you how many important files a compromised user could steal, whether anything would beep if they did, and a whole lot more. They actually do all the work – show you where your data is too open, if anyone is using it, and what you can lock down before attackers get inside. They also can detect behavior that looks like ransomware and stop it automatically. To learn more visit www.varonis.com/darknet.
Sources
https://www.cyberscoop.com/story/trial-error-kuwait-mohammed-aldoub-case/
Transcript
A few years back, I used to play this really stupid mobile game.
I don't even remember what it was called.
You had a party of fighters, and you leveled them up or something.
But the thing was, in the game, there was an online chat option.
And at any moment, you could look at the people chatting
to see what they're talking about in the game.
Well, if you've played any game that has online chat options,
you know how toxic it can be.
And this place was no exception.
People were selling in-game gold that wasn't even possible.
It was just all scams,
because there was no way to send gold to anyone in the game.
And there was just some real vile hatred spewed all over the place.
The thing is, the people that did this
felt like they could just hide behind their username
that they created a minute ago,
because the worst case scenario is that they just might get banned from the game.
But I was a network security engineer, and I wanted to see if there was a way to learn more
about the people that were saying rude stuff in chat. So I started a packet capture on my phone.
All network traffic coming in and out of the phone was captured, and then I started looking
through it. It wasn't easy. It's like looking for a needle
in a haystack. But eventually, I found what the packets looked like when they sent chat messages
to me, and it was not encrypted, which made it easy to crack the packet open and see exactly what
was in those messages. And amazingly enough, the network traffic showed a lot more information about that user who was chatting than what was showed in game.
In the game, all you see is a person's username.
There's no way to see anything more about them.
But the packets showed their username and user ID, which was just a very long number.
Now, I was also noticing this game was interacting with one of their servers.
And I saw how the game would look up user details. So I crafted my own packet to send to their server to look up a
user, and whoa, the server gave me their email address and IP address. And with an IP, I can
look up their general location of where they are in the world. So armed with this, I went back into
the game and waited for someone to start saying rude, horrible stuff.
And there was this one guy being a real jerk,
spamming all kinds of rude stuff, calling people names,
and it was just not nice.
And I told him, hey, stop being rude or else.
And he's like, or else what?
I'm like, or else I'll tell everyone here your real name.
I already know everything about you.
And it was then when I grabbed all the packets from this chat,
found his user ID, put it into the website,
got his email and IP address.
And actually from there, I looked up his email on Google
and got his first and last name.
Well, of course, he called my bluff,
knowing there's no way in-game to see someone's real name.
In fact, he never even entered his real name in the game,
so how would I know it?
So now he starts aiming his attacks towards me,
calling me names and taunting me.
So I think I remember his name was Evan.
So I started just writing Evan in the chat room
over and over and over.
Just that word, Evan, Evan, Evan, Evan, Evan.
He stopped chatting for a minute.
He was like, who are you?
I'm like, are you going to be nice now?
Or do you want me to say your last name too?
He tested me by saying, go ahead.
I don't believe you know it.
So I dropped the first part of his email address in chat,
and he stopped talking for a minute.
Then he asked, Adam, is that you?
I'm like, no, dude, I'm not Adam.
I'm the guy who's just trying to stop you from being rude.
Go find a hobby that doesn't include being mean to people.
And I guess this spooked him because he logged out of the game,
and I never saw him again.
These are true stories from the dark side of the Internet.
I'm Jack Rhysider. This is Darknet Diaries.
I know a bit too much about how scam callers work.
They'll use anything they can find about you online to try to get at your money.
And our personal information is all over the place online.
Phone numbers, addresses, family members, where you work, what kind of car you drive.
It's endless.
And it's not a fair fight.
But I realize I don't need to be fighting this alone anymore.
Now I use the help of Delete.me.
Delete.me is a subscription service that finds and removes personal information
from hundreds of data brokers' websites and continuously works to keep it off.
Data brokers hate them because Delete.me makes sure your personal profile
is no longer theirs to sell.
I tried it, and they immediately got busy scouring the internet for my name and gave me reports on what they found. And then they got busy deleting things.
It was great to have someone on my team when it comes to my privacy. Take control of your data
and keep your private life private by signing up for Delete Me. Now at a special discount for
Darknet Diaries listeners. Today, get 20% off your Delete Me plan when you go to joindeleteme.com
slash darknetdiaries and use promo code darknet at checkout. The only way to get 20% off is to go to joindeleteme.com slash
darknetdiaries and enter code darknet at checkout. That's joindeleteme.com slash darknetdiaries.
Use code darknet.
Support for this show comes from Black Hills Information Security.
This is a company that does penetration testing, incident response, and active monitoring to help keep businesses secure.
I know a few people who work over there, and I can vouch they do very good work.
If you want to improve the security of your organization, give them a call.
I'm sure they can help.
But the founder of the company, John Strand, is a teacher.
And he's made it a mission to make Black Hills Information Security world-class in security training.
You can learn things like penetration testing, securing the cloud, breaching the cloud, digital forensics, and so much more.
But get this.
The whole thing is pay what you can.
Black Hills believes that great intro security classes do not need to be expensive,
and they are trying to break down barriers to get more people into the security field.
And if you decide to pay over $195, you get six months access to the MetaCTF Cyber Range,
which is great for practicing your skills and showing them off to potential employers.
Head on over to blackhillsinfosec.com to learn more about what
services they offer and find links to their webcasts to get some world-class training.
That's blackhillsinfosec.com. Blackhillsinfosec.com.
For this story, we're headed to the Middle East.
So my name is Mohammed Aldoub.
In Arabic, we spell it Mohammed Aldoub.
Yeah, so where are you now?
In Kuwait, as always.
That's where I'm from.
Mohamed is in his 30s now, but ever since he was a teenager,
he was fascinated with computers.
Well, Kuwait generally is a very connected society,
so it's extremely easy to get
hooked on early. And with my, let's say, age group, you know, the internet entering our houses in the
late 90s, getting hooked early on on technology. I think it was very straightforward. But then I
actually entered the Kuwait University, the College of Engineering in the computer and software engineering department.
So I graduated as an engineer in that aspect.
Then after graduation, I actually went into cybersecurity.
So my entry into cybersecurity was around 2010.
He got a job in the government of Kuwait securing systems.
And pretty early on, he saw the importance of the internet
and securing all the stuff on it. In my earlier years, around 2010 and 2011,
I actually got introduced to the late Dan Kaminsky.
And his guidance was really amazing on how a new and upcoming person like me
would do to get properly into cybersecurity.
And I think with the emergence of social media
and it taking the political and the public scene in Kuwait by storm,
it was just natural for me to use that platform
to discuss cybersecurity, provide awareness.
Mohamed has built quite the Twitter following.
His name there is Voulnet.
And you won't tell me what that means, but Voulnet is what he
goes by. Today, he has 73,000 followers. But to get there, he shared a lot of knowledge about
security on Twitter. I did many, I would say, tweet storms where I take a certain malware sample that
is just fresh, currently being used to attack some entity in the Gulf region. Then I would go live on Twitter trying to analyze the malware,
how it works, what it does to the systems.
So it was kind of something that we do for the community, for the crowd.
People would love it. People would engage with it.
After college, he was able to get a job with the Kuwaiti government.
He was tasked with doing things like securing systems, analyzing malware, and other cybersecurity work. And he was getting good at security, scaling up, and his
popularity was growing on Twitter. With that, new doors started to open up for him. And then at 2018,
I actually left that government job. And then I did my first official cybersecurity training,
which was abroad. It was in the Netherlands. So I went on to give an Android malware analysis course
for the Dutch police, actually.
So it was kind of interesting because that was the first official training
that I delivered outside of Kuwait to an audience in Europe.
He particularly liked training.
Teaching people new things is fun.
So he looked around for more training opportunities.
I actually got accepted into Black Hat as a trainer.
And that was, for me, that was a dream come true.
I never thought, you know, usually in my earlier years
in doing the government work,
I would dream of visiting Black Hat, you know.
Black Hat is an annual security conference in Las Vegas,
which takes place the week before DEF CON.
And Black Hat is more geared towards security professionals
and the people who want to learn how to secure their systems better.
The training there, I hear, is pretty good.
So to be selected as a trainer made Mohamed feel proud.
And specifically, he was planning on teaching a course
about securing API endpoints. The year was 2019, and he got word that he was going
to be a trainer in the early part of that year, like February or March. But
Black Hat doesn't come until August, so he had five months to prepare. And it's
in those five months that this story takes place, a story that changed his life.
Now, one thing Mohammed likes doing is examining the latest malware. And specifically, he was
interested in malware that was somehow used in Kuwait, where he lived.
So, of course, being in the Gulf region, there were many interesting threat actors,
especially from, for example, Iran, from other countries, from Israel,
other entities and countries in the world.
So obviously, the Gulf region was heavily targeted.
And so it was usually something similar, regular, that we try to hunt for threats,
try to look for state actors attacking certain entities.
As a government employee, he would sometimes get sent some malware to analyze, which was cool.
But because he quit his job, he needed to find a new place to keep tabs on the latest malware going around in Kuwait.
And one of the best avenues to look for such things is through using VirusTotal.
VirusTotal. This is a fascinating website.
Okay, so the free service they offer is that if you find some malware,
you can upload it to their site and it'll tell you what type of malware it is.
And this is really helpful for security teams to get information about
any malware they found on their network.
I mean, think about it.
Suppose your computer is running poorly.
You open up Task Manager and see a service running on there and you wonder, is this supposed to be here?
Well, you can grab it, upload it to VirusTotal, and it'll tell you if any antiviruses considered this to be harmful and any extra information about that malware.
So, yeah, security teams all over are constantly uploading malware to this site.
But if you have a premium membership, you get a bonus feature. If someone uploads some
malware to VirusTotal, and it's a file that it's never seen before, then you can get an alert.
So security researchers might be interested to see what this new file might contain,
and they can download it and analyze it. Mohamed loved this feature.
And I would use it to actually look for attacks that are targeting Kuwait, malware samples being uploaded from Kuwait, from other countries in the region, because they would be of interest to my line of work, obviously.
And as he said before, he'd sometimes grab some malware from this site, VirusTotal, and begin live streaming as he examines it to look to see what's in it.
And because he spoke Arabic, it also helped him understand threats targeting the Gulf region better too.
He found some pretty interesting stuff this way and would tweet about it
and then see some major security companies publishing alerts about it shortly after.
And this is what I would call security research.
Yeah, and in March, the end of March 2019,
during that usual threat hunting work,
I found a sample that resembled some sort of a banking malware
that was uploaded from Kuwait.
Okay, already this is interesting.
Mohamed saw that some never-before-seen malware was uploaded to VirusTotal
and downloaded it, looked at it, and found it was targeting a bank.
It didn't say what bank.
But Mohamed had a pretty good hunch that this was some sort of banking malware.
And so he's looking at this completely unknown malware targeting a bank
that was uploaded from somewhere in Kuwait.
Fascinating, right?
Well, if you think that's fascinating, you might be a geek. Not many people on the planet are looking through brand new malware, uploaded to VirusTotal, trying to figure out what's going
on there. But this is what Mohammed does, because he loves discovering this new stuff,
because it poses all kinds of questions. You know,
what bank was this for? Did the victim upload it or the person who created this malware upload it?
Did it actually infect something and steal any money? What does it do? And this is why people
like following him on Twitter because he digs up some pretty interesting stuff sometimes.
So I came on to download it and analyze it and actually discussed
on Twitter, submitted the hashes for that piece of malware so that anybody in the region could,
you know, search for those hashes in the environment and see if they got that attack
or that malware. Okay, so he started a Twitter thread and at the time he had around 40,000
followers on Twitter. He wrote, quote, for those in the news at the time, there were some other stories going around about banks getting hacked and money stolen using the SWIFT money transfer system.
Mohammed saw this malware and had a hunch that it might somehow be related to those attacks
and felt like it was important to tweet about what he was finding. He went on and posted file names
and file hashes on Twitter. And you can think of a file hash sort of like a file's fingerprint.
Instead of posting the files himself on Twitter, he posted the hash. And that's so other people
can look through their file hashes to check if they have this malware on their systems too.
And posting file hashes like this is preferred because it's not posting any sensitive data that's in the malware,
just in case it contained a password or an IP address or something related to the victim. So interestingly, I found some strings in those pieces of malware that I think would be beneficial for people to use to search
for in the environment, which is what I shared. So one technique for analyzing malware is to
run the command strings on it. This will search the malware for any human readable words,
and it just spits out a list of words for you to see. And this might give you some clues as
to what's going on, like any internal notes left in the code or other information that is human readable.
Mohammed looked at the code for human readable words and one word stood out
for him. GBKadmin. Why does this malware have the word GBK admin in it? Is that a username? Is that the name of the malware?
Is GBK admin something important? He had no idea and just decided to tweet it,
telling his followers, take note that the malware has GBK admin in it, and that might mean something.
So the malware sample itself didn't really point at a certain bank with certainty.
Which made him feel confident that his Twitter posts were fine.
He's not naming a bank.
He's careful not to post any sensitive information.
So he posted a bunch of stuff he found,
had some conversations with people about it,
and then sort of closed up his research into this and was done with it.
Moving on to other things.
After all, he didn't work in the
banking sector. So all he can do is just warn other people that there's some banking malware
going around in Kuwait. And since he's done that, he can now do something else. Not much more for
him to do about this. Well, a few days later, we saw a tweet from the Gulf Bank of Kuwait's
Twitter account saying they had a service disruption. And this service disruption resulted in them losing
$9 million. Yeah, 2.8 million Kuwaiti dinars. Very interesting that the Gulf Bank of Kuwait
was reporting a problem. Yeah, I realized that something definitely was off because this thing doesn't happen normally to all banks, you know, a problem in your transaction with that kind of big loss.
And then the bank publicly talked about it.
So obviously something was really off there.
And that's why it got the attention of the country, like everyone in Kuwait was talking about it.
What did the Gulf Bank mean by that statement?
We're going to take a quick ad break here, but stay with us,
because this story just got interesting.
This episode is sponsored by NetSuite.
What does the future hold for business?
You don't know? Me neither.
But what I do know is that you don't have to be months ahead of your competitors to be more successful. Just a few days or even a few hours can work wonders. So until someone brings you a crystal ball, NetSuite can give you an
advantage. More than 38,000 businesses have future-proofed their business with NetSuite by
Oracle. It's a cloud ERP service and one that I'd be using if I needed the help. NetSuite brings
accounting, financial management, inventory, and HR into one fluid platform. When you're closing the
books in days, not weeks, you're spending less time looking backwards and more time on what's next.
Whether your company is earning millions or even hundreds of millions, NetSuite helps you respond
to immediate challenges and seize your biggest opportunities and make use of real-time insights
and forecasting,
allowing you the opportunity to look into the future with actionable data.
Speaking of opportunity, download the CFO's guide to AI and machine learning at netsuite.com slash darknet. The guide is free to you at netsuite.com slash darknet,
netsuite.com slash darknet.
This was a very interesting tweet that Mohamed was reading.
The Gulf Bank suffered a service disruption that resulted in a loss of $9 million
two days after Mohamed found some banking malware uploaded by someone in Kuwait?
Hmm.
Mohamed was starting to put the pieces together.
Of course I did those pieces together.
But I was, I did put them in my mind,
but I was very careful not, you know,
to actually come up with a conclusion in public
that would try to publicly link these two incidents
because there wasn't much,
there wasn't a lot of, let's say,
concrete proof for me to be able to do that.
So it really, it was eerily, I would say, familiar.
It sounded like there's a possible connection there.
But yeah, he didn't say anything publicly about any theories that he had
that might connect the malware he found to Gulf Bank.
He just watched Twitter, talked about it, and he observed. Okay, so the Gulf Bank is Kuwait's fourth largest
bank. At the time, they self-reported that they had $2.25 billion in capital, and that losing
$9 million was only less than half a percent of their total capital. But again, I want to emphasize the word
losing here, not stealing or robbed. The Gulf Bank never did say the money was stolen or that they
were robbed, only that there was a service disruption that resulted in them losing millions
of Kuwaiti dinars. Well, a few days after that, the next news we saw from the bank was that they
fired their general manager of IT without explaining publicly why.
And the general manager seemed particularly surprised by this and said it was unjust that they asked him to leave.
Something big at the bank was happening, and they weren't being transparent about what it was.
The next week, Mohamed goes to a security event in Kuwait to hang out with other people in InfoSec and socialize.
But while he's at this event socializing, his phone rings.
I got a call.
Someone from the cybercrime department,
the cyber, let's say, branch of the police,
where they handle complaints related to cybercrime.
They told him that there's a possibility
that the Gulf Bank is going to complain to the police
about his tweets,
the ones that talk about the malware
that he found on VirusTotal.
And they asked him to come down
so that they can question him.
He agrees to be there,
but was nervous about this whole thing now.
Well, of course, you would be worried
because that bank is powerful
and because I was extremely careful
in my wording of all the research that I did,
not to include anything that would link obviously to a certain entity or certain bank.
Because I was talking in general, mentioning things that are already de-anonymized like password hashes,
talking about malware attacks in general or talking about certain malware without attributing it to a certain entity by name. So legally, I was in the clear, regardless of what I have, let's say,
concluded or guessed in the back of my mind. So I went to the questioning and they asked me,
are those your tweets? I said, yes. Did you mean the Gulf Bank made a complaint?
Did you mean them in your, for example, tweet?
I said, no, I didn't mention them, didn't mean them in my tweets.
And that was the end of the questioning.
Okay, so maybe this is a routine part of the investigation, where the bank is just doing their due diligence
by following up any clues or leads about the incident.
And since Mohamed had tweeted about the banking malware he found,
maybe there was more to it.
So that's why the police were questioning him.
After talking with them, he felt relieved and thought,
that's probably the end of that.
It was then that, you know, interesting things happened, actually.
Around that time, I had to go to the USA,
accompanying my wife because she was visiting her mother, who was being
treated and was very sick in the United States.
So I flew to the US, and while I was in the US, I got a call that I need to be present
for investigation by the public prosecution.
They wanted him present for an investigation?
Because they wanted to ask him more questions about what he knew about this incident at the Gulf Bank.
Did he know more than what he was tweeting about?
This second round of questioning was a little worrisome for him,
but he knew he was innocent and wanted to cooperate.
So he told them that he's in the U.S.
helping take care of a sick family member,
and he can't come on the date they requested.
But he'll be happy to come in as soon as he gets back to Kuwait.
And he even showed them his return ticket on when he'll be back,
and they said, okay, no problem.
So he finished up his trip to the U.S. and went back to Kuwait
and went to talk with the investigators.
But they said, because he didn't show up on the date they requested,
he's now being charged. Because the public prosecution went on with investigation,
didn't wait for my arrival. I was regarded as in absentia. So it was, I was accused of, let's say,
charging the Kuwaiti law, which means abuse of a mobile device, which means that you have used a mobile device to do something bad.
It was the way the Kuwaiti law was, let's say, worded.
And that I was disclosing trade secrets of the complainant.
What?
Mohamed's tweets have now led him to being accused of abusing a mobile phone device
and leaking trade secrets?
Something has clearly gone very wrong.
I was worried, but there wasn't a thing I could do about it.
So the only thing I could do about it was to prepare a solid defense.
So he hires a lawyer to help make sure he navigates this criminal charge properly.
When a big bank is bringing down charges against you
and they've reported that they've lost $9 million,
you want to take this very seriously, even if you are completely innocent.
So he was being very cautious. And I was part of him wondering, how much of this is related to
hacking? How much of this is related to the violation of free speech laws in Kuwait?
So I'm not really a lawyer, but generally the constitution of Kuwait gives,
let's say, a big blanket for freedom of speech. But then it says according to the laws.
And then the laws go on to specify the general protections of the constitution.
So we have laws for cyber crimes. We have laws for print. We have laws for live media,
like for example, videos, television, radio.
We also have the state security laws. All of these laws contribute to, let's say, further
restriction of freedom of speech. So there are public figures in Kuwait that you cannot,
let's say, for example, talk about in any, let's say, bad manner, regardless of your intent.
There are limits to what you can talk. You can, for example, let's say, bad manner, regardless of your intent. There are limits to what you can talk.
You can, for example, let's say, use hate speech against religious or political minorities.
So it goes on and on about the political aspects, religious aspects, or restrictions on free speech, and also the cybercrime part of that.
And the cybercrime, let's say, law was actually interesting because it came out in 2014.
It was supposed to, let's say, address cybercrimes
or crimes that are related to cybersecurity,
like hacking, for example, fraud.
But then it came to be abused by lawyers, by people,
to actually, you know, accuse anyone who would talk badly about you.
So if you were a government official, if you were like a social media figure and someone was trying to talk about you in a way
you don't like, you can go and then try to sue them according to that law. And many times it
would result, you know, in verdicts where people have to pay fines. And I think my case was an
example of that because I didn't actually, you know, do any wrongdoing.
Interesting.
So it sounds like if someone says something damaging towards your company or you,
you can take them to court and possibly get them to pay a fine for what they said.
So Mohamed read over his tweets a few more times very carefully,
trying to find if he said anything negative towards the Gulf Bank.
But he didn't even mention the Gulf Bank in his tweets at all.
So he felt confident that he didn't do anything wrong.
He did mention the word GBK admin, though.
And wait a minute.
GBK.
Does that stand for Gulf Bank of Kuwait?
Huh.
Even if it did, he didn't know that at the time.
His trial date was set for July 2019.
Now, August, the month after his trial date,
is when Black Hat was going to occur in the U.S.
And Mohammed was scheduled to give a training session at that conference.
So he wanted to wrap up this trial
so that he could go to the U.S. and give his training. So he goes to court in July. Just the
public prosecutor was there. The lawyer for the bank didn't even show up. Mohamed had been planning
with his lawyer what to say. And then we provided a really solid defense. We, let's say, discussed
this aspect that, first of all, it's already protected speech. Second of all, it didn't mention any bank by name.
It didn't mention specifically any trademark by the bank.
And the fact that it's absolutely not a secret because the bank already discussed that there's a problem that happened.
There's a problem in their system that resulted in loss of millions of dollars.
So there was no secret that there's something wrong happening at the bank already.
On top of that, there was no any kind of contractual agreement between me and the bank.
That would result in me having any secret shared between me and them.
So I think I would come upon, I would come upon by, let's say,
through public sources, which are, of course, not considered secrets.
He says the judge looked convinced and seemed to be on his side.
So he prepares his flight to Las Vegas to attend Black Hat.
He first had to fly to New York and then to Vegas.
The night before my flight to New York,
I received a strange phone call in Telegram,
you know, an encrypted phone call in Telegram.
But then when I answered, it was someone very suspicious
in the way they're
talking. They're trying to kind of ask about the incident that happened with the bank. And then
they tried to say, you know, I have some information about the hack that happened in that bank,
trying to, you know, try to pull my string. I felt that someone was trying to pull my leg into discussing this incident, trying to find, trying to, you know, entrap me.
So I realized that this is either someone who is totally crazy or I would be actually crazy not to think that this was some entrapment attempt by someone, by who I don't know.
You know, a bank doesn't really do that.
Who would try to do that?
I have no idea who would benefit from that.
However, I played it cool, told them that this is a legal matter,
I should be talking to legal authorities, blah, blah, blah.
And then I hung up.
What was really suspicious for me is that why would someone try to target me,
try to entrap me in that fashion?
Did I really anger some real powerful folks?
Was that tweet that much, you know, let's say, strong against?
However, that was compromised.
Did the bank really get some pressure from people who linked my tweet to the incident
at the bank?
I still don't know who is that person to this day.
But of course, as I said before, it would be crazy not to think it was some sort of related,
you know, entrapment attempt.
That was strange, and it rekindled his worry about the case.
But he still went to the U.S.
And while in Vegas, his lawyer contacted him
and told him the judge had a verdict on the case.
In the end, it was clear for the judges
that it was absolutely not in violation of any law in Kuwait.
So he was cleared of all wrongdoing,
which is great news to receive while you're in Vegas, right?
Mohammed tells me he didn't attend any parties there
because he was so focused on delivering his training
and just wanted to get back to Kuwait as soon as it was over.
And so when he got back to Kuwait, he checked in with his lawyer
and all seemed quiet, all was good. And he was glad to have this behind him. And that was August.
September then comes and it passes. And then in October, he gets another message.
Yeah, the lawyer sends me over WhatsApp that they have appealed.
Again, it was the public prosecutors who wanted to investigate this further.
His lawyer explains this is just a matter of formalities.
If the prosecutors bring him to the appeals court and he's still found innocent,
then they can say they've exhausted all options in this case and they can leave it be.
This makes it look like the prosecutors worked really hard to solve this case.
And since this was just a formality, there was no new evidence on him or any new charges.
But Mohammed was still
worried about it. I mean, at the least, he's having to spend all this money on legal fees
to help him out. Appeals court took over a year because coronavirus kept delaying the courts.
And waiting for your trial is always nerve-wracking, no matter how confident you are that
you're not guilty of anything. But the trial day finally came,
and the judge looked at his case. I was cleared immediately, like on the spot.
This gave Mohammed a big sigh of relief. This meant it was finally over. And yeah, since then,
two years later, it's still over. There's been no more calls from the police about this.
But what a wild ride that this has resulted in,
just from finding some malware on VirusTotal and tweeting about what you found.
Now, during that time,
there was a large rash of bank robberies
happening all over the world.
Someone was going around,
usually sending phishing emails to banking employees,
hacking into the bank,
and then targeting the Swift network
to steal millions of dollars from banks.
And many of these worked. And the United Nations investigated this and published a report.
And this report says the government of North Korea is responsible for robbing banks in Bangladesh,
Chile, Costa Rica, The Gambia, Guatemala, India, Liberia, Malaysia, Malta, Nigeria, Poland,
the Republic of Korea, Slovenia, South Africa,
Tunisia, Vietnam, and Kuwait. Right there in black and white, this UN investigation report says that
in March 2019, a bank in Kuwait was robbed by the government of North Korea. That's the exact
same month and year that the Gulf Bank announced that they had a
service disruption and lost $9 million. This UN report does not say which bank in Kuwait was robbed,
but it does say the amount stolen was $49 million. And so that's a big mismatch in numbers,
which means either the Gulf Bank was not robbed,
but really did have some kind of weird disruption
that made them lose millions of dollars,
which means a totally different bank got robbed
the same month and year in Kuwait,
or the Gulf Bank of Kuwait was not telling the truth,
saying it was a service disruption
when really it was a robbery,
saying it was $9 million when really it was $49 million.
We don't know the truth to the story.
Yeah.
So there is this variance between the Gulf Bank tweet
and whatever bank the UN report was trying to hint at.
So, you know, either it happened at a different bank
or maybe there's more to the story
than what was put in the public sources.
I mean, you don't need to comment on this,
but I was just thinking it through, right?
Yeah, I mean, if it looks like a duck
and it walks like a duck,
it smells like a duck.
Big thank you to Mohammed Aldoub. You can find him on Twitter.
His name there is Voulnet, V-O-U-L-N-E-T.
And while you're on Twitter,
why don't you give a follow to Darknet Diaries.
This show is made by me, the space bard, Jack Rhysider.
Sound design is done by the deletist, Andrew Meriwether.
Editing help this episode by Shift Control Damienne.
And our theme music is by the escapist, Breakmaster Cylinder.
How do you add flavor to an algorithm?
Toss in a Boolean cube.
This is Darknet Diaries.