Darknet Diaries - 154: Hijacked Line

Episode Date: February 4, 2025

Conor Freeman (x.com/conorfrmn) stole money online. Lots of it. In this episode we talk with him, and hear how he did it, why he did, and what he spent it on.

Conor’s website: https://con...orfreeman.ie
Conor’s X: https://x.com/conorfrmn

Sponsors

Support for this show comes from ThreatLocker®. ThreatLocker® is a Zero Trust Endpoint Protection Platform that strengthens your infrastructure from the ground up. With ThreatLocker® Allowlisting and Ringfencing™, you gain a more secure approach to blocking exploits of known and unknown vulnerabilities. ThreatLocker® provides Zero Trust control at the kernel level that enables you to allow everything you need and block everything else, including ransomware! Learn more at www.threatlocker.com.

Support for this show comes from Drata. Drata is the trust management platform that uses AI-driven automation to modernize governance, risk, and compliance, helping thousands of businesses stay audit-ready and scale securely. Learn more at drata.com/darknetdiaries.

Support for this show comes from ZipRecruiter. ZipRecruiter has solved the hiring problem. Employers prefer it the most for so many reasons. Let’s start by telling you about their matching technology. They work hard to find the best candidates for your needs, and will instantly show you results once you post a job listing. ZipRecruiter will speed up your hiring process. See it for yourself at www.ziprecruiter.com/DARKNET.

Sources
https://www.cbc.ca/news/canada/toronto/kidnapping-toronto-businessman-cryptocurrency-1.7376679
https://www.irishtimes.com/news/crime-and-law/courts/circuit-court/man-jailed-for-role-in-2-million-cryptocurrency-theft-1.4411641
https://www.irishtimes.com/news/crime-and-law/dun-laoghaire-man-could-face-108-year-us-prison-term-over-alleged-hacking-and-wire-fraud-1.3887715
https://www.sundayworld.com/crime/irish-crime/irish-authorities-to-transfer-2m-in-stolen-cryptocurrency-back-to-us-owners-after-cab-probe/40576219.html

Transcript
Starting point is 00:00:00 I just heard about this thing called K&R insurance. I didn't even know this was possible. K&R stands for kidnapping and ransom. If you think you're a likely target for kidnapping and people are gonna hold you until you pay a ransom, then this might be worth buying. Why do I know this? I just ran across an article that said
Starting point is 00:00:16 a guy was kidnapped in Toronto and held for ransom. They wanted him to pay a million dollars and then they'll let him go. And I think he paid it and then they dumped him off at a park and they sped off. Why did they kidnap him? Because they knew he had cryptocurrency. A lot of it. He was the founder of a crypto-based startup.
Starting point is 00:00:36 And if he didn't have the money, surely his company did. Well, at least that's what the thieves thought. And they were right. Scary stuff. These are true stories from the dark side of the internet. I'm Jack Rhysider. This is Darknet Diaries. This episode is sponsored by ThreatLocker. Ransomware, supply chain attacks, and zero-day
Starting point is 00:01:20 exploits can strike without warning, leaving your business's sensitive data and digital assets vulnerable. But imagine a world where your cybersecurity strategy could prevent these threats. That's the power of ThreatLocker, Zero Trust Endpoint Protection Platform. Robust cybersecurity is a non-negotiable to safeguard organizations from cyberattacks. ThreatLocker implements a proactive, deny-by-default approach to cybersecurity, blocking every action, process, and user unless specifically authorized by your team. This least-privileged strategy mitigates the exploitation of trusted applications and ensures 24-7, 365 protection for your organization. The core of ThreatLocker is the Protect Suite, including application allow listing, ring fencing, and network control. Additional tools like ThreatLocker Detect, EDR, Storage Control, Elevation Control, and Configuration Manager
Starting point is 00:02:08 enhance your cybersecurity posture and streamline internal IT and security operations. To learn more about how ThreatLocker can help mitigate unknown threats in your digital environment and align your organization with respected compliance frameworks, visit ThreatLocker.com. The website is ThreatLocker.com. This episode is sponsored by Drata. Let's face it, if you're leading GRC at your organization, chances are you're drowning in a sea of spreadsheets every day, balancing security, risk, and compliance in an ever-changing landscape of threats and regulatory frameworks that can feel like running a never-ending marathon.
Starting point is 00:02:50 Enter Drata, the modern GRC solution designed for leaders like you. Drata automates the tedious tasks, security questionnaire responses, continuous evidence collection, and much more, saving you hundreds of hours. But it's more than just a time saver. It's a scalable platform that Thank you. drata.com forward slash Darknet Diaries. That's Drata, spelled D-R-A-T-A. drata.com slash Darknet Diaries. Let's see, what are you using for a mic here? SteelSeries headset is a bod. That sounds good. Yeah, perfect.
Starting point is 00:03:58 So are you ready to tell us about the worst time of your life? Yeah, I'm ready. It always seems so weird to me to be digging into stories like this because it is probably a hard thing to talk about, isn't it? Yeah, it is. Especially when it just happened. But I mean, it's been four or five years now. So I've kind of overcome it at this point.
Starting point is 00:04:19 How old are you now? 25. Okay. So I bet all this started in a video game somewhere, didn't it? Yeah, yeah, it did. What game was that? You're right. Minecraft.
Starting point is 00:04:32 Okay, I was going to guess Minecraft or Roblox. Yeah, you know, there's actually, they're both involved at certain points throughout the story. So that was a fantastic guess. Yeah, so it was really Minecraft where I got into everything. Ever since I was younger, I've always had an obsession with computers and technology. Um, and I was always kind of reserved when I was a kid, so a lot of the time I spent online and on computers and on video games. And in my younger years, that was Minecraft specifically. So yeah, I used to play Minecraft multiplayer servers. One day I just got bored
Starting point is 00:05:10 and I decided to just join a server and start messing with people, which I cruelly took enjoyment in at the time. So messing with, is that like griefing? Yeah, griefing. That's the term, exactly. Yeah. So is that using in-game mechanics to just screw with them or were you doing more than that?
Starting point is 00:05:28 In-game mechanics, yeah, just to mess with them. Or just trolling them in the chat like a little kid. But yeah, I was doing that for a while. I had eventually joined one server and I had seen this other player on the server teleport into blocks. So Minecraft's obviously made of blocks. This guy teleported a couple of blocks downwards. And I was impressed. I didn't know what he was doing.
Starting point is 00:05:55 So I think he kind of knew that I was messing around with the server. He was doing the same thing. So I had messaged him, private messaged him on the server. And we ended up talking on Skype. And that was the beginning of everything, really. This was back when I was probably 11 or 12 years old. So this is where you start learning glitches and hacks of some kind.
Starting point is 00:06:17 Yeah, so this guy was a programmer. He was a Java programmer, but he had his own custom-coded client on Minecraft that he used to carry out various exploits or little glitches. And I'd eventually befriended him, and we would go on these servers together and mess with people just for fun because we enjoyed it. But alongside programming in Java, he was also partaking in social engineering. At that time, I had no idea what it was until he introduced me to it.
Starting point is 00:06:51 So we would join servers. We'd mess with the admin of the server, so the owner. And there was one, at one point, the first time it happened, we had joined the server. He was talking to the admin kind of in a friendly way. And then eventually, a couple of hours later, he logged into the admin's account on Minecraft on the server and took it over and deleted everything. And I had no idea what was going on at this time.
Starting point is 00:07:13 Let me give you a little bit more context. Minecraft is a game where players can create their own servers with unique content and stuff. And sometimes you even need to pay to play on some of these player-made servers. And somehow this guy was able to find the person who's the administrator to this Minecraft server, access their account, and delete the whole server.
Starting point is 00:07:31 What? I eventually had figured out he'd socially engineered the admin of this server into giving him the two answers to his secret questions on his Minecraft account, reset his password, logged in, and destroyed the server. Oof, the admin got pwned. No more Minecraft server. Now it's a time to take control of someone's Minecraft account.
Starting point is 00:07:49 You had to log into Mojang's website, the creator of Minecraft, and what you needed to do is have the username and password. But if you didn't have the password, you could reset the password if you knew the answers to the two secret questions, like what was your first car and who's your sixth grade teacher. And since he watched his friend do this, he wanted to learn how to do it too. So for example, let's say the admin's secret question was, what's your first pet's name? Second question was, what's your hometown? Or what school did you go to? The second one's
Starting point is 00:08:18 no problem. You can easily find that out. Simple Google searches. The first question is a tough one. So what we used to do is, say we join a server, we'd find the admin, we target him, and, uh, we'd know his first question was, what was your first pet's name? So we'd say, or I would say in the chat, oh, my little kitten died today, Buttons. Um, have you ever had any pets before? And we try and get talking to the admin, um, and try and get him to divulge the answers to that question. So I'd say, oh, what was your first pet's name? Unbeknownst to him, here I am typing it out, putting it into his Mojang account, getting ready to reset it. And that was the first
Starting point is 00:08:56 experience of socially engineering someone. This is Conor Freeman, by the way. I should have probably introduced you to him earlier, but I forgot. He liked the sense of power that these little hacks gave him. When you get control of a server like that, you become unstoppable. You have full control of the server now, and you can delete it all if you wanted. And there's something alluring about that, that sense of power. But to me, it's quite a funny power dynamic. A TV show I really like, I think it's hilarious. It's called Trailer Park Boys, and it's about life in a trailer park.
Starting point is 00:09:25 But the thing that intrigues me about the show is the immense power struggle that's going on in this trailer park. Like there's a huge clash between the park supervisor and a couple guys who are always scheming to make money off of other people in the park. And then there's some drug dealers that live at home with their mom. I mean, there's a power struggle right there. And then there's a guy who doesn't even live in the trailer park who comes by to try to assert his dominance over the park. It's this incredible battle for power. All for what, though? To get the respect of the people in the trailer park?
Starting point is 00:09:54 It just seems so meaningless on the grand scheme of things. But they take this tiny trailer park so seriously as if it's their whole world. I like it maybe because I grew up in different trailers myself, so I can relate. But it just makes me think that there's this huge battle going on over a Minecraft server that a few hundred people play. And it's all taken so seriously too. Anyway, after a while, Minecraft hacking got old to Conor and he was wondering what else is out there to mess around with. And he found some hacking forums, which explained all kinds of new stuff he could do. Yeah, a lot of social engineering things.
Starting point is 00:10:29 Back in the day, people used to do refund scams. So say you'd order something on Amazon, you'd get onto Amazon after it's said delivered on Amazon and say it hasn't arrived. Someone might have sold it off my porch or something like that. You'd get a refund and get your money back. That was a huge thing back then. It still is now, but it's a lot less prevalent because Amazon had kind of caught on. There was other kind of scams and schemes people would do. Return programs, did scam return programs. So our SteelSeries was targeted a lot back then. You could basically create a support ticket to say that you bought a pair of SteelSeries headphones. They're not working.
Starting point is 00:11:07 Can I get a return? And they would send you out a free headset and they wouldn't ask for anything in return. The only thing you had to do was send them a picture of the headset or a serial number, which you could source from eBay or some kind of online marketplace where people are reselling them. Hold on, Conor. You're using
Starting point is 00:11:23 a SteelSeries headset right now. Yeah, no, I paid for this one. Okay. Yeah, it's not from back then. I mean, this is a long time ago. So refund scams were becoming a thing back in 2018 or so. There were instructions on how to do it, but some people did not feel comfortable calling up somewhere and lying to someone to try to convince them that you want a refund. So there were actually people you could hire to do it for you. Exactly. So that was the makeup of it.
Starting point is 00:11:53 Essentially, you'd order, and that was Apple products were huge. So essentially, you'd order something. You'd order something, you'd go to a refund, they were called on the forums, and you would say, hey, I ordered a MacBook for $1,200. Can you refund it for me? I'll give you 20. So the refund would log into your account or they'd call Amazon and pretend to be you, and they'd execute this kind of scam on Amazon. They'd socially engineer the rep into believing that the item was never delivered. They get a refund for their customer and then they get 20 of the total order value. And that was a huge thing on that forum. There were so many people doing it.
Starting point is 00:12:29 So you would pay a scammer $200, $400 and then that's how you'd get your MacBook? Yeah, exactly. Instead of paying full price for it. Okay, what other ways to make money? What were kids doing those days? There was a lot of cracking services, which are still around now. But again, cyber hygiene has gotten better, as well as that services security has gotten better, thankfully.
Starting point is 00:12:56 But back then, you could crack most online accounts. What's an example? Like Hilton Hotel was a massive one. People that had Hilton accounts that stayed a lot in Hilton Hotels, you'd build up these points and you could spend the points on free rooms in Hilton branches worldwide. So what people would do is crack these accounts. They'd load up a massive list of usernames and passwords and try them against the Hilton login page, try and land a few accounts that had points on them, and they then resell them on these forums to people looking to...
Starting point is 00:13:30 This one always surprised me because if I go on there and I buy a Hilton account with a ton of points and I actually go to the hotel and I stay there with these stolen points, I'm in the room now. If they want to say, hold on, this is some stolen points. Looking back on it now, it's insane. I myself would never do that because just the stupidity of it. If that person
Starting point is 00:13:55 who owned that account was to call up Hilton and say, look, I didn't book this room. You're one phone call away from somebody knocking on the door and saying, hey, this isn't your account and you've still in this room. So people got pretty brave with it. Like people didn't care. Pizza Hut was another big one.
Starting point is 00:14:11 So you'd order pizzas and you'd build up points and people would then try and crack your Pizza Hut account. And you could use these points to get pizzas on other people's accounts. And you just walk into the store, use their points and walk out with a free pizza. It reminds me of pizza plugs as well. Yeah, but pizza plugs are slightly different. They're mostly carders, so they're credit card fraudsters. So they do a stolen card and order the pizza for collection or delivery. A pizza plug is where you find someone who will give you really cheap pizzas,
Starting point is 00:14:40 like for five bucks, they'll send you three large pizzas or something. And what they're doing is they're using a stolen credit card to order the pizzas to be sent to you, and then you just pay them five bucks for it. But again, that's insane because you're associating stolen card details with your own address. If you, say, get it delivered with a stolen card, it's not the brightest. Cook groups, is this a thing? Cook groups in terms of like clothes online? Yeah.
Starting point is 00:15:09 Yeah, probably it's about the clothes, but it's called cook groups. Cook groups, it's funny you mention that, because I used to be hugely into fashion. I still am now, but not as much as back then. So cook groups essentially would be groups that they would employ bots. So someone would create a macro. So I don't know if you're aware of what Supreme, I'm sure you are.
Starting point is 00:15:34 Supreme or, say, Palace, they're world widely popular streetwear brands. They have weekly releases or bi-weekly or whatever way they do it. So they release a very limited amount of stock on a certain day at a certain time. So it's very hard to guess, especially items, certain items like box logo hoodies or something like that. So people would create these macros or scripts that would automatically lock them into the Supreme website. They'd buy these clothes instantly
Starting point is 00:15:59 before anyone else could and then resell them. That's a part of the cook groups where people would put their names on an item and someone would buy it for them and resell it to them at a marked up price. Yeah, it's kind of like scalping concert tickets. Is there anything illegal about cook
Starting point is 00:16:15 groups? No, not from what I'm aware of. I'm sure it's against the terms of service. In terms of legality, no. But it is kind of an underground culture there, right? You've got to find a group, and sometimes it's the wrong group you're in, and those guys are just there to rip you off. So you've got to find a trustworthy group that actually has these orders or whatever you're looking for. Yeah, that's the hard thing, because a lot of these people aren't trustworthy because
Starting point is 00:16:40 what they're doing isn't trustworthy in itself. So it's hard to find someone that's actually going to pull through. Yeah, it's amazing to me how big the hidden parts of the internet are and all these things going on at once. And we never see it as just like a common internet user. You never see any of this. How are you discovering all these different places on the internet? Through this forum. The forum was massive.
Starting point is 00:17:05 I don't really want to say the name of it, but it was probably one of, so Hack Forums was one of the forums that was around a long time. I think it's been going for 15 years, maybe a little less than that. That would be the oldest kind of clear net hacker forum that I'm aware of.
Starting point is 00:17:23 This forum that I was a member of kind of branched off of Hack Forums because the admin of Hack Forums was, I think he was kind of a well known fed. People didn't really like him and he was really stringent on the rules on that website. So this forum that I was on kind of branched off of Hack Forums and allowed for more black hatter, gray hatter, unethical methods. So all of the scumbags that weren't allowed to advertise their services on Hack Forums kind of moved over to this forum that I was a part of.
Starting point is 00:17:48 So, I mean, there was a huge range of services offered because there were so many people on it. Well, you call them scumbags. You were one of the users. I was one of them, yeah. What do you get dabbling in? What's kind of the first money you're making in this kind of world? Thinking back, so Xbox ran a promo a long time ago, or Microsoft rather.
Starting point is 00:18:14 They ran a promo. I think it was a collab with Skittles or something like that. They still do it now with Mountain Dew and Doritos. You buy a bag of Doritos and they'll have a code on the back of it and get double XP or something for Call of Duty. But way back when, there was a promo that was ran with, I think it was Skittles,
Starting point is 00:18:31 where you'd buy a pack of Skittles, input the code on the back of the pack of Skittles and you'd get a free seven-day membership or a 14-day membership on Microsoft Live. But there was people that had scripts or macros that were brute-forcing this code. So you just set up the script, it brute force the code, throw hundreds of thousands of it against it, and you would eventually just keep racking up free membership codes because there was no rate limit
Starting point is 00:18:54 or anything on the website. So you could just get like 50 to 100 to even more thousands of these 14-day Xbox codes. Um, but I eventually got my hands on that script. So that was probably the first money I made when I had that script. I had it running and then I was reselling these membership codes for like probably $5 or $10 a piece to people on the forum, on eBay and online marketplaces. When I was young, I discovered a way to get free Audible books. So, so far I'm with you, right?
Starting point is 00:19:27 I was hanging out in shady chat rooms, griefing people in video games too, and getting free stuff. But I think this is where our paths are about to diverge. All right. So this was making a few bucks for you, weren't it? But not very much because you were just learning. What were you like, 14 years old then? Probably 13 or 14, yeah, which is insane looking back. After a while of being on this forum, I kind of got bored of it.
Starting point is 00:19:57 I had a relationship with the admin. We talked back and forth, and I think he kind of annoyed me one day. So I just quit that forum and luckily for me or unluckily looking back there was a new forum that opened up called OG Users which was an online marketplace where people would buy and sell OG original usernames so say at Jack on Instagram or at Jack on Twitter and they'd buy and sell these different usernames for hundreds of thousands of dollars. And that was my next venture then, getting into acquiring these usernames.
Starting point is 00:20:33 So Jack on Twitter is Jack Dorsey, the original owner of Twitter. Good luck getting that one. But the thing about OG users that I think is worth pointing out is half of them were fine and legit reselling, and then half of them were social engineered stolen accounts. Would you consider that to be true?
Starting point is 00:20:50 I'd say it's a lot more skewed. I'd say it was probably 95% stolen, 5% if even that genuine. So if you're not aware, OG Users is a place where people are selling usernames. That is Twitter accounts, Instagram accounts, Snapchat accounts. Why? Because we all hate it when we go to register at one of these places and someone has already taken our name. And so some people would pay extra for an account with a cool name. The problem is the stuff for sale on this site is often stolen accounts
Starting point is 00:21:20 where people would hack into that account, get control of it, and then sell it on the site, OG users. Yeah. So I had a bit of crypto. I discovered Bitcoin back when I dabbled in the other things on the other forum, but I had an understanding of what crypto was. So I had a bit of Bitcoin and I had bought a username one day on Twitter. I can't remember the exact handle, but I bought it to resell it. I held it for a couple of weeks, put it back up for sale, and I made a couple of hundred on that. So that was my first venture into buying and selling the usernames. It didn't last long, though, buying them. That's when it turned into me then stealing them or being introduced to people that were stealing them.
Starting point is 00:22:03 And I'm kind of falling into that. What was your method for stealing usernames? Breached databases were a huge thing back then. I know they're even bigger now, but a lot of people didn't know how to use them, utilize them or how to find them. So there were services where, there still is now, I'm sure, but there were services where you could search someone's username or email and pull their data from a breach database, like their password, username, full name. So what I was doing was doxing these account holders. I would find their
Starting point is 00:22:34 email. I'd search the email through the breach databases and then find their password. And I'd try my luck at logging into the account with that password. And because not many people were doing this at the point, I had quite some success with that. Probably most of these were just crappy usernames, though. And you just didn't even care and you just logged back out? Yeah, a lot of them were. It was more the thrill of being able to find the password and log in. Or sometimes you get a password that's incorrect
Starting point is 00:22:59 or you might add an exclamation mark or an ad or something at the end and that would be the correct one. And you get a bit of a thrill out of that. But yeah, most of them weren't anything amazing. Yeah, I imagine that's a big thrill to be like, yeah, no, wrong password. And then you're like, what if I add an exclamation point? And then, bang, you're in.
Starting point is 00:23:17 Oh my gosh, I'm brilliant. I'm a genius. I'm the best hacker in the world. Look at me. Yeah, you feel like a genius. This allowed you to acquire some Twitter and Instagram were your main things? Twitter and Instagram. Yeah. I mean, they're still the main ones now. They're the most popular social medium. So that's what people would
Starting point is 00:23:36 go for the most. Conor was making some scratch from all this. All in Bitcoin, of course, looking through database breaches, finding passwords that would work on Twitter, then stealing those usernames and selling them. Okay, so roughly, how profitable was this for you selling OG users? I don't know. I couldn't quantify a figure. Probably $20,000 or $30,000. No, probably a lot less. I didn't really get into it that deep. He built up a reputation for having quite a bit of usernames
Starting point is 00:24:06 for sale on OG users. It was going well. But then something else caught his attention. Something so much bigger that eventually made him lose interest in OG users altogether. The thing he saw some people doing was SIM swapping. Yeah, so it would start with a target.
Starting point is 00:24:21 You'd dox the user. You'd use various different methods of getting all their information. So their full name, address, phone number, their SSN. There's a certain website that you can buy credits on and input someone's first and last name and get their SSN. So you'd have all that information. Back in the day, it was a lot simpler than it was now. So say
Starting point is 00:24:45 if you were on T-Mobile, I would call up and say, hey, my name is Jack Rhysider. My last four of my SSN is one, two, three, four. I've just lost my phone and my SIM card is inside it. I have a replacement SIM card here. If I give you the ICCID, can you swap my SIM over to this card? And the agent would happily do it. And once that's done, your phone number is now mine. Your phone number is now mine. Just think about how scary that sounds. If someone can take your phone number from you, they can pretty much become you. So much of our identity is tied to our phone number.
Starting point is 00:25:16 Yes, they can text the people you know as you. They might be able to call your bank and pretend to be you. But perhaps the scariest is that they can often recover some of your accounts. Like if you have a Google account and you go there and say, oh, I forgot my password. They might have an option to text you a code to confirm it's you. And they text you thinking nobody in the world is going to have access to your phone except you, right? Which you can use to reset a Google account. And now you have access to their email, drives, photos, and maybe even their YouTube channel and more. And once they have control
Starting point is 00:25:51 of your main email account, they can just go through and reset your other accounts. Say you lost your Twitter password. It'll say, okay, no problem. Let's email you a new one. And so now they can get into your Twitter too. And this whole thing hinges on whether or not you can convince the T-Mobile customer service rep that you really did lose your phone and to get them to switch SIM cards for you. So were some carriers easier for you than others? Yeah, T-Mobile by far was the easiest. It was insane.
Starting point is 00:26:18 Sometimes you'd have to brute force these calls. So you'd have to call 10 or 15 times until you get an agent who just doesn't care enough and he'll just swap it. T-Mobile was insane. You just make one call and they do it willy-nilly, happily just swap the SIM. AT&T was definitely the hardest and then Verizon, I'd say, was in the middle. Sprint as well, although not many people used it. Sprint was another one. And then I think Cricket is what it's called. Cricket and Sprint were pretty easy too. But as it got harder, people started to look into exploits on the actual websites of these carriers.
Starting point is 00:26:53 So there's a couple of well-known exploits in AT&T and T-Mobile that people would use to either retrieve the pin off someone's account or remotely swap the same to themselves or pull their information or whatever else. It's crazy to me how in-depth of knowledge you have of this, right? You understand wireless carriers of the world and SIM cards and usernames and passwords and computers, skills are just going higher and higher.
Starting point is 00:27:22 And yet you have to go to like, I don't know, history class and learn about the war and stuff in the afternoon and then go back to this crazy technical stuff. Did it feel like you were living two different worlds? Yeah, definitely. And nobody knew about it in my personal life. And that was the thing. You kind of have this detached personality where in person you're a completely different guy, and then when you're online it's
Starting point is 00:27:51 like your brain is in a different place, so you completely dissociate from your real life. So it's like two separate personas that you have. It was like that the whole time. Yeah, I mean, it's also interesting to look at maybe some of the other kids in school who are trying to build up their social media, right? And you see these people who are on Instagram and you're like, all right, so you've got like, you know, 300 followers. I can get you an account by this afternoon with a million followers. Like, what's the deal here?
Starting point is 00:28:18 There's no game. And how did you feel? Did you ever look at that like that? Like, look at these fools. Yeah, it was actually exactly that. I mean, when you're young and impressionable like I was, I thought I was on top of the world and which is way smarter than everybody else. So I would kind of look at them and be like, oh, you're an idiot. How do you not like know what I know? Or how are you so impressed, or whatever else. Well, you had to know that, you had to know that what you were doing is not exactly the straightforward way to do things.
Starting point is 00:28:47 It's the back way, wrong way, and it works way, but it's not exactly the way you're supposed to. Yeah, yeah, of course. I mean, it's hard to know that though, right? The ethical compass isn't quite as aligned as it should be because when you go online, this is all you see, right? And it's kind of like, if you really want to get married and you go online and all you see is other people getting married and other
Starting point is 00:29:09 people's engagement photos and their marriage and all this stuff. And you're just like, I want to get married so bad. And it's like all you see, right? And so it's like, everyone's getting married but me. And so when you go online, you're just like, dang, everyone's getting paid but me. I got to get paid too. Because this is all you see. Your mind is kind of tuned into it. Yeah, exactly. And so it's hard to know exactly what is right and wrong in this world when everyone's around you is doing this stuff. And it's like, okay, I'm not even gonna ask if this is legal or not, but if you guys are getting away with it, I guess it's not so bad. Yeah, there is no forethought of illegality, or at least back then, because it was, like I said,
Starting point is 00:29:48 it was completely separating the real world from a computer screen. So you wouldn't even be thinking of legality because it wouldn't be an idea or a thought in your head because you're in this other world, essentially. Quite often people come to me in a panic, telling me that someone just took over their Instagram, Twitter or Facebook account and they can't log in anymore. And they ask me, what should I do? And unfortunately, I don't have a good answer. I mean, you can open a ticket with that
Starting point is 00:30:15 site and ask for help. But because the site is so overwhelmed with help tickets, it's likely that your ticket gets ignored. It's as if their support team doesn't exist. But really, that's like the only option I have. Go through support to get it back. I would tell them to go on LinkedIn, sort by company employer and look through all the people that work at Twitter and Instagram and just message them all on LinkedIn and hope someone sees your message and helps you out. That's probably the only way it's happening. Yeah, but it does sound like the other way is to go
Starting point is 00:30:49 hire a hacker to get it back as well. I'm never going to recommend that, but that sounds like the more likely way to get it back. I'm sure it's a thought for a lot of people, yeah. So up until now, the reason why Conor would do a SIM swap was to steal someone's Twitter or Instagram account so he could sell it
Starting point is 00:31:09 on OGUsers. There was this direct connection between SIM swapping and making money selling users. Granted, it's criminal, but he didn't care. But then he started learning about cryptocurrency. By the time you start doing your first SIM swap for crypto, how old are you? Must have been 17, 16 or 17. So were you out of school by then? No, I would have still been in school. Okay.
Starting point is 00:31:36 It was my last couple of years of school. Yeah, you're doing that sort of thing. Do you have extracurricular activities at school that you're doing stuff to? No, nothing. As soon as school's out, you're like, I'm going straight home. Yeah, exactly. That's when I went to school.
Starting point is 00:31:50 That's where all my friends are. My friends are home. Why would I go somewhere else? Exactly. So you go home, you log into the chat app, whatever it is, like you just said, and you just sort of like, what's the crack? What's everyone up to? Yeah, we're going to forums and trawl around
Starting point is 00:32:06 and see what's going on that day. And what would some of the stuff you'd see? Just the marketplace is really what people are up to and what's happening in the kind of community that I was in on these forums. Was it addicting to the point where you're like,
Starting point is 00:32:25 I want to check to see what's going on. I want to see what's going on. I want to see what's going on. Or was it like, no, I'm going home to play video games and I'll check on it maybe Sunday night. Yeah, well, see, I would game and look at it intermittently. So I would game a lot. I would sometimes game with these people
Starting point is 00:32:39 and then I would check back on the forums or check in with the other people and see what's going on. Counter-Strike. You moved on. Two years ago. Yeah. I knew it. Yeah.
Starting point is 00:32:53 All right. And you're griefing on Counter-Strike, I bet, too. You hate your own teammates. Yeah. Yeah, exactly. Oh, I hate you. The thing about crypto is you have to secure your own. With traditional money, a bank will secure your money for you.
Starting point is 00:33:10 And if they get robbed, they're insured, so they still have your money. But that's not the case with cryptocurrency. People have to stand up their own security. And some people are worse than others at this. And Conor's friends were starting to go after people for their cryptocurrency instead of their usernames. Because stealing their cryptocurrency is way more valuable than stealing their usernames. Someone had messaged me.
Starting point is 00:33:33 I think they'd sent me a blockchain explorer link of their wallet and it had maybe 10 or 15 Bitcoin and I messaged them back, like, how did you do this? How did you get this money? And then they kind of introduced me into SIM swapping for crypto then. And that's where it all started. Oh, yeah. We're 30 minutes in and now we're going to get started.
Starting point is 00:33:55 But we're going to take a quick break first before we do. Stay with us.
Starting point is 00:34:53 Conor was adept at SIM swapping and Bitcoin, and now was ready to combine the two. I kind of joined calls with these guys, and I'd be witnessing them carrying out these heists while I was in the call,
Starting point is 00:35:30 and then I kind of ended up getting involved. The first one I can't remember, I'm sure it was someone on Twitter that was parading about having crypto, and they were chosen as a target. Yeah, step one of robbing someone is to figure out who to rob. He's got the skills
Starting point is 00:35:45 to get into someone's account if he knows their phone number and stuff. So now he just needs to figure out who are the people with a lot of crypto out there and then try to target them. So my main role
Starting point is 00:35:55 throughout the whole thing really was seeking out people with crypto, doxing them, and then sharing this information. And then my other group members would carry out the SIM swap process. And sometimes I would help with that, sometimes I wouldn't. So my role was really
Starting point is 00:36:12 the pre-attack OSINT, I would say. Since he was in Ireland, it was harder for him to navigate the whole SIM swap aspect since a lot of targets had American numbers and stuff. So his job was to find the people who had crypto. And really, it wasn't that hard. A big thing was Twitter. Obviously, a lot of people in the crypto community are active on Twitter. So sometimes people would post stupidly or not stupid, really. They should be allowed to post their wallet balance.
Starting point is 00:36:44 But people would post their wallet balance on these social media sites, Twitter, for example, stating that they had 100 bitcoins or something like that, and then they'd then become a target for us or for other people doing the same thing. Another thing was altcoins. So people who create their own crypto, we would target. They'd typically be teams of 10 or 15 people that would always have a CEO and a CFO, so they were the two roles that we would target. The CFO is obviously the chief financial officer. So they're normally in charge of the assets. And then the CEO would have a big stake in the actual altcoin. So we would normally target people either on Twitter or target these team members of up-and-coming altcoins. If you have crypto, the first step in securing it is to not let anyone know you have it. Because if it's not Conor and his lads coming after you, it'll be North Korea coming after you.
Starting point is 00:37:29 Or maybe even your own government if they don't like you having crypto. And on top of that, don't use your real name online. It just makes it easier for everyone to find your address and where you work and everything. What some Twitter users were doing, they were using their real name and posting their wallet balance. And this would immediately make Conor zoom in on them. And he would start a new document and just start going through his methods to find information about them. There's a couple of different ones.
Starting point is 00:37:56 One good one is, say you knew their full name and you knew their approximate location. So let's say you're Jack and you're living in Tampa, Florida or somewhere like that. If you had maybe posted on Twitter about ordering your favorite Asian food and you had maybe a bag that had the restaurant's name on it, we could call that restaurant
Starting point is 00:38:14 and then you could say, my name's Jack. I want to place an order. Do you have me on file? I just want to make sure you have the right address. The person working in the Chinese restaurant that you've ordered food from before would then reiterate your address
Starting point is 00:38:28 to who they think is Jack and then you'd have their address there in front of you. Going back to the exploits as well, AT&T and T-Mobile had exploits at some point. AT&T you could put in a mobile number and then you could pull back their SSN or the last four of their SSN from their AT&T account unauthorized. That was a big one that we used. Many other people abused if you couldn't find their SSN on the other sources. He wants as much information as he can get about them because the more he knows, the easier it'll be to hack into their digital life. Yes, you namely need the full name, the address, the last four of the SSN, you might need the last four of a debit or credit card number,
Starting point is 00:39:10 in some cases a date of birth, you might need a mother's maiden name, previous addresses maybe, all these different types of things, but I mean they were all easily sought out online. So we would essentially profile them before we executed the attack. So we would have a full dox, all their family, their previous addresses, like a huge list of information about them.
Starting point is 00:39:36 So when it came to that time, we weren't lacking any information. It was just, we were ready to go. Ready to go, as in, he'd hand this information to the other guys in the group and say, OK, I found a guy with 100 Bitcoin. Here's his info. I think he's a good target.
Starting point is 00:39:49 Should we? Because the thing about stealing crypto is that there's no way to reverse the transfer. There's no central authority. There's no support ticket to open. If you snatch it, you can keep it. Unless, of course, someone catches you. Now, as he said, he's not operating alone here. Once the other guys decide that this is a good target
Starting point is 00:40:07 that he found and he has info on, then other people join in to do the SIM swap process and the heist begins. Typically, I'd be waiting at the reset password screen so we'd all be on a call together on Discord and someone would be doing the SIM swap process
Starting point is 00:40:24 and I would be ready then to reset the password and input the 2FA code. So they'd let me know when it was go time really and I would send the code. They'd read it out to me and reset the password and then start looking through. The code he's waiting for is to get into their Gmail. He knows their Gmail address and he started the login process but said, I forgot my password. And it asks him, OK, do you want us to text you a code to let you in? So his finger is on that button waiting until the SIM swap happens before he says yes. And so as soon as they get the SIM swapped, he says, yes, go ahead and send me that code. And then the person reads off that code over the phone and he can log in.
Starting point is 00:41:02 It's all very coordinated and done extremely quickly. What are all the roles going on here, right? So you've got you as the OSINT doxer targeting person, and then there's someone who does the SIM swap, and they're the holder of the phone as well, right? The holder, exactly, yeah. Is there a holder that's a different person than the one you're calling? It depends on the circumstances.
Starting point is 00:41:24 So, no, you'd always really have a holder, at least back then anyway. So you'd have someone that would find the target. You'd have someone that would engage with someone to SIM swap the target, either do it themselves or they'd engage an employee of a carrier. And then you'd have someone who's the holder. So that's the person who's physically holding the phone
Starting point is 00:41:44 and replacing the SIM card in the phone with the blank SIM that the number has been swapped to. So you're on a call with the holder and the SIM swapper. So the SIM swapper is like, okay, hold on, let me call him, try to get it. No, it's not working, let me call again. No, it's not working, let me call again. Okay, it worked, I got him to port the number. Do you see it holder?
Starting point is 00:42:04 And the holder's like, yeah, it's active. Okay. And then you're like, okay, great. I'm going to initiate a password reset. Tell me the number. And then the holder's like, I don't see it yet. I don't see it yet. Okay, here it is.
Starting point is 00:42:16 Is that kind of how those calls went? Yeah, that's exactly how they went. It was like clockwork, the process. So each role would execute their action and then it'd go then directly after that. So the holder would say, the SIM's active, as soon as the SIM's active, then you send the reset code and you get going,
Starting point is 00:42:33 then it's the email. Conor's second task is now to find the crypto. They got access to this person's phone and Gmail, and they're assuming somewhere in this digital life of theirs must be the keys to their crypto wallet. And all they need is a seed phrase or a private key. And these are very important to keep safe and have backups of. So a lot of people store them somewhere in their online world. So as soon as Conor gets in, he immediately starts sniffing for blood.
Starting point is 00:43:01 So the first thing, which is crazy the way that it was and still is. So if you go on to, if you have a Gmail account and go on to Chrome, if you're signed into your Chrome account with your Gmail address, if you type in passwords.google.com, it'll pop up. You'll be prompted to put in your password. Once that's done, you'll be prompted with a page that has every single website you've used and the password if you've saved that password for that website. But this would sync across devices. So say I took your Gmail account and you had saved your Twitter password
Starting point is 00:43:33 or your Gemini or whatever, your Binance password onto your Gmail account, I could log into your email and view all these saved passwords, which would then allow me to just use them and log straight in. And in the event that I needed 2FA, we had your phone so we could get that code. Okay, hold it. Just stop right there. I just tried this and I'm so upset right now. I've been using Gmail since like 2007 or so. And the last few years I've taken drastic measures to de-Google my life. However, I just logged into my Gmail and then went to passwords.google.com, just like he
Starting point is 00:44:06 said. And what do you know? Some of my most sensitive passwords are sitting right there, easily organized and in clear text. I must have told Google at some point, yeah, you can remember to log into this site. And it did. But I have my own password manager. I don't ever remember using Google's password manager. Yet I'm looking at my logins here and I'm miffed about it. Dang, there's even an option to export all these passwords too. And it shows me all the sites I've declined to save passwords for. Like, this just lays out my whole digital life
Starting point is 00:44:38 and I had no idea Google was saving any of this. And I'm a guy who's super focused on computers and security and tech and privacy. I can't imagine how a non-techie navigates this. I deleted all my passwords from here and the sites that I said I want to opt out of saving passwords for because I never want Google to be storing my passwords. I've just been finding more privacy-focused apps to use instead of Google. Most of their products are not end-to-end encrypted. And I feel that my stuff is just too important to be subject for an eventual data breach or being subpoenaed or something. My sensitive data is either stored locally
Starting point is 00:45:14 and never sees the internet at all or is stored on some end-to-end encrypted service somewhere. So even if it shows up in a breach, it can't be seen by someone. Taking your personal privacy seriously is the only way to make sure that your stuff is safe. Next thing then would be Evernote, which was the cloud note-taking app. But a lot of crypto investors seem to use that for whatever reason. So we'd reset the Evernote account, look through the notes, see if we could find it.
Starting point is 00:45:41 Mnemonic somewhere or seed phrase. We'd go through Google Docs, Google Drive, any linked cloud accounts, like anything that was there. Did you have like a regular expression that you were able to search for for seed phrases? Yeah, mnemonic or seed phrase or Bitcoin or crypto or you just try a plethora of different things and you'd find it eventually.
Starting point is 00:46:04 Or you'd look in their sent emails. People would send their mnemonic to themselves or a different email, so it'd be in the sent emails. But you're right, it is kind of an art. You'd need to know what to look for or else you'll find nothing, like to say. And is it just you in this account, or other people looking as well? No, most of us would be logged in looking simultaneously. But if you had too many people on at the one time, it would lock everyone out.
Starting point is 00:46:30 So it would be probably two or three people. But just to go back to the OSINT stage, the pre-SIM swapping stage, I'll say, I missed this step. So what you could do is
Starting point is 00:46:43 say your email is jack at darknetdiaries.com or whatever. I could go on to coinbase.com, go into reset password and input your email. If your email existed in their database, it would send out a password reset form. If it didn't exist, it would pop up and say,
Starting point is 00:46:59 this user does not exist or this email does not exist. So what we would do is try their email against these different services and we compile a list of services that we knew they used. So once we were in the email account, we would go to them directly straight away. So say I would try all the different crypto exchanges with their email, see which ones they're registered to, and then as soon as we have access to the account, we can try them instantly. So there's no time wasting. Yeah, so they fixed that.
Starting point is 00:47:30 If you try to reset an email password there, it'll say, well, if we had an account here, we'll send you the password right now. And they don't give any sort of clue. So the way to do it nowadays, I believe it still works, is just to go register at Coinbase with that email address. And it'll say, oh, this account already exists. Okay, thank you. That's all I wanted to know. Yeah, not a great patch they put in. I don't mention this enough, but I do think that you should have a different username on every site you log in for. You already know how to use a different password for every site. Take it a step up and use unique email addresses or usernames for every site.
Starting point is 00:48:09 Like what some people do is they'll get a domain. Like I have darknetdiaries.com and I have a catch-all email rule so that anything going to at darknetdiaries.com, I will get in my inbox. So I can make something like Coinbase at darknetdiaries.com or Evernote at darknetdiaries.com. As many email addresses as I want. I don't even have to create them. I can
Starting point is 00:48:29 just use them because there's a catch-all email and gets them all. This way I can have unlimited email addresses and each one is unique for every single site I use. Because you don't want people to be able to profile you by just taking your email that you use everywhere to register accounts for, and then they can cross-reference that or Google that or search databases to see what are all the accounts that this email address is valid for. When you're protecting your digital life, the goal is to make it as hard as you can for people like Conor. You can't have perfect security, but I'm a big fan of making it as painful as possible for someone to hack you because
Starting point is 00:49:05 eventually they'll run out of time or energy to hack you and move on to the easier targets. I've said it before, being secure online is like running from a bear in the woods. You don't need to be faster than the bear, you just need to be faster than your friend in order to survive the bear. So that should be your personal goal, to be more private and more secure than your friends. I recently met someone whose privacy was way better than mine and we became friends and it really made me step up my game. And defense in depth is important too.
Starting point is 00:49:38 Hiding all your most personal data behind a single login or account is a bit scary. But if you assume someone does get into your Gmail, why not also limit them to what they can see and do from there? Make them run into dead ends again and again. So like delete your emails when you don't need them anymore. I don't know about you, but every time I get a new Windows or Mac computer,
Starting point is 00:50:00 I create a fresh Microsoft or Apple account just for that machine, which is not tied to any other profile that I use. And that severely limits the damage that can be caused if someone gets into that account without my consent or gets breached or something. Oh, and I should also mention, it's a good idea to use two-factor authentication that isn't SMS text messages
Starting point is 00:50:18 because he had access to the person's phone, right? If the 2FA code can be sent by text, he can get it. But if you're using something like Google Authenticator for 2FA codes, that's harder for him to access. However, as you know, I'm skeptical about what Google is collecting about me. They want it all. So I personally use Aegis to store my 2FA codes. That's spelled A-E-G-I-S.
Starting point is 00:50:40 It's an open source app that works great for this. And in my opinion, it's way more private than Google Authenticator is or Authy. God, I gotta stop ranting about privacy. Sorry. All right, let's get back on track. All right. So let's say you find a private key. What do you do?
Starting point is 00:50:58 So if you found a private key, you'd load up the wallet. Say I found an Exodus key, I'd have an Exodus client downloaded and ready. Or I'd have a couple of different clients. Say I found a Bitcoin private key, I could go into Exodus or blockchain and import that seed phrase and have access to the wallet. Now, just because they found the private key or seed phrase doesn't always mean there's crypto in that wallet. So there's a moment of truth. Does this wallet have money in it? You're right. Nine out of 10 times, you wouldn't know what's in that wallet.
Starting point is 00:51:27 So you could put it in, you could hit nothing, you could say zero, you could put it in and it would say 1,500,000, 600,000. So you'd be on this call and you'd input this wallet and you'd see X amount of money
Starting point is 00:51:39 and you'd be freaking out and then everyone would collaboratively freak out then altogether on the call. It would sound like monkeys in a zoo. Once we had access then we would send the funds to a newly created wallet
Starting point is 00:51:52 and then from there we would disperse the funds evenly from that fresh wallet. And just like that, the heist is a success. Each of the people involved would get their cut and go on their merry way. Some would convert their Bitcoin to Monero to make it harder to trace. Others would convert it to cash and some sort of street deal type thing. And others would just try to buy crazy
Starting point is 00:52:15 things with crypto. And of course, once they were able to steal money and get away with it, they wanted to do it again and again. So it became a regular thing for these guys. And Conor went along on a number of crypto heists. There were ones that were smaller sums of money in maybe the tens of thousands. And then there were some that were low to high six figures. The biggest one was two million. Two million dollars in one wallet? In one wallet, yeah.
Starting point is 00:52:41 I think it might have been spread across a couple of different ones. But it was one victim that was 2 million. That was kind of a freak out moment when that happened. That sounds like quite a high. Yeah, it was. And that's the thing, you know, it wasn't really about the money for me. Like I didn't spend,
Starting point is 00:53:01 if you look at all the other people, there was a kid arrested recently. I don't know if you've seen it, but he stole hundreds of millions of crypto through SIM swapping, but he was spending his money on luxury cars and bottles and clubs. I wasn't that type of person. Like, I think I spent 100,000 max out of 2 million that I had. So it was more the high that I chased and the sense of achievement that you'd get when you found the wallet. Looking back now, it's pathetic getting the achievement from that. But back then it was like a high
Starting point is 00:53:36 and it just became addicting then. I mean, again, it's still one of these crazy moments of like, what is your family life like? You got homework and stuff to do. And your family's like, Dave, make sure you do your chores, Conor. You got to make sure to get this done. And you're like, okay, okay. And then they're like giving you a few dollars for doing your chores or whatever.
Starting point is 00:54:03 I don't know what's going on there. You're just kind of like, oh, that's great. But I got, and then I just imagine like, mom, don't interrupt me. It's Friday night. I got a big thing going on tonight. Just please do not come in my room. Like, was it just in the bedroom of your parents' house?
Starting point is 00:54:20 In the bedroom of my parents' house, yeah. But it's, I live with my mom, or I lived with my mom back then. And because I was making money or a smaller amount of money back in the heyday and the older days before any of this started, I always kind of used to have a small bit of money just from different online ventures. But when this happened, I had kind of told her and the rest of my family that I was investing in crypto because this was at the point of the crypto boom
Starting point is 00:54:45 where Bitcoin first exploded. So it was kind of believable that I had invested early with the funds that I made when I was 12 or 13 into Bitcoin and it's now exploded and multiplied my wallet when in reality it was stolen. So that was the, I mean, what were the excuses of just like,
Starting point is 00:55:08 hey, I'm busy tonight. Please don't schedule dinner. Like, just bring dinner in the room. Like, I'm not going to come out
Starting point is 00:55:15 because I'm on a really intense call, investment thing. What are you saying to her? Yeah, see, I was kind of a hermit already. So it wasn't unusual for me not
Starting point is 00:55:26 to leave the room for extended periods of time. So it's I don't know. She didn't really suspect much because she was so used to it from years and years of me being like that. Yeah. I've watched these old Western movies where
Starting point is 00:55:42 the bandits rob the train or whatever or the gold mines, and they kill people on the way to do it, right? But then there's like, you know, three or four bandits involved in this, and they're camping out there in the desert or whatever. And they're looking at each other like, I could kill these other two guys and then I don't have to split my cut. Was that kind of experience happening? Because like you said, you see someone post on Twitter, hey, I've got $100,000 in crypto. You're like, there's my target. Well, if somebody sees your chat, like, oh, these kids just stole $100,000. There's our
Starting point is 00:56:17 new target. Let's target these kids. Well, like other people targeting us? Yeah. No, not for me because of where I am, but I know what happened to a lot of other people in the States. There was a lot of swatting and doxing and various things going on between the community. People would get pissed off, targets would be stolen, and people would start doxing people, SIM swapping them, swatting them, crazy things.
Starting point is 00:56:40 I know there's a bigger community now of violence as a service, which people are now using to hire people to commit violent acts against other community members, like throwing bricks through windows and things like that. That wasn't a big thing back then, but I know it's increasing in popularity now. All right, did we reach the height of this? Is this where things start going wrong?
Starting point is 00:57:03 Yeah, so after the two million one, that was really where I called it quits. I mean, I wanted to for a long time, but the big one, someone kind of reached out to me and I said I'd join in and then we did that and I got my split and that was it. I was done. And that went on for a good while.
Starting point is 00:57:24 I think that was in 2018. Yeah, so altogether you said you've made about $2 million from all this. Yeah, roughly around there. Like you said, you stopped at around $2 million. Was that a goal to hit $2 million and then say, I think I've got enough for a while? What was your future plans?
Starting point is 00:57:43 No. Yeah, I'll get into the future plans in a minute. But no, there was no monetary value. I think at that point, just before that hack happened, I think I was kind of my moral compass was starting to develop and my conscience was starting to develop as well. So I kind of started realizing that it was wrong. And then that happened. And then I kind of knew I can't do this anymore.
Starting point is 00:58:10 This is what I'm doing isn't right. I'm stealing money from people. And that's when I kind of stepped away from it. In terms of the exit plan, I had looked at a couple of different things. There's a couple of islands, one that I was looking at with St Kitts and Nevis, so you could purchase a citizenship through ownership of property. So
Starting point is 00:58:30 say you could buy a three-bedroom house for three hundred thousand dollars and they would give you a passport. And St Kitts and Nevis, or these islands, I think they're the Virgin Islands or something like that, they have no income tax. So I was kind of thinking of buying a house there, moving over there and somehow laundering my money. I mean, it was a pipe dream now that I think of it now, but back then that was my plan of action. That's a funny plan because that sounds like, I don't know, gangster drug dealer plans of like, okay, we're just going to rob one more bank
Starting point is 00:59:06 and then we're going to disappear into the Virgin Islands. And it's not a plan for an 18-year-old to be like, I'm retired at the age of 18. Yeah. And I'm just going to live on the island forever now. It's a weird feeling. I was hoping, I don't know what I'm hoping, but it's like, okay, now I have this money.
Starting point is 00:59:22 I'm going to start a big business and I'm going to start the startup and I'm going to do this great stuff. After that, I had kind of, or before it ended, I had kind of started thinking about how to legitimize my skills. So I was thinking of maybe opening up a cybersecurity consulting business because of what I was doing, which is ironic. But I was thinking of using my funds to create a business to protect people online or help them protect their organizations or themselves. So that was also part of the exit plan to create my own consulting company in that space. But yeah, that never panned out. You had these plans.
Starting point is 00:59:56 You're like, okay, that's the end. Last one. That was a big nice one. Do you just leave the group entirely? Yeah, kind of, yeah. It got to a point where I had stopped and then I was so paranoid that every day I would be searching SIM swap arrest and things like that. One day I had woken up and checked my phone
Starting point is 01:00:17 and I had searched this term and I had seen one of the people I was associated with was arrested over in America, in the States. And that's when I kind of knew my time was coming. Once I seen this article, and then it was really just a countdown then after that. Yeah, so what'd you do after that? Nothing, I just waited.
Starting point is 01:00:38 You got to go to the Virgin Islands. No. Now's the time, go, go, go. Because like I said, my conscience was growing more and more guilty. I was developing as a person. I was a young adult, so I was growing older. My brain was kind of developing out of being a stupid little kid stealing money.
Starting point is 01:00:55 So, I mean, my guilty conscience just told me to just wait and get arrested. And that's what happened. One of the holders in this group, the person who had the physical phone during the SIM swap, was just 15 years old. And his parents heard him calling T-Mobile, trying to act like someone else, lying on the phone. His parents caught him in the act.
Starting point is 01:01:17 And they called the police on their own kid. Or so the story goes, that 15-year-old was very cooperative with the police, which Conor thinks is how the police learned who he was. Well, that, and Conor simply went by Conor in the group that he was with, so his OPSEC wasn't really that good.
Starting point is 01:01:34 I was woken up by a knock on the door while I was in bed, really. My mother let them in. I'd say 12 to 15 police officers came into my room. Your mother probably had no idea. No clue at all. That you had done anything illegal.
Starting point is 01:01:48 Yeah. Okay, so 12 officers come into your room? There was a huge amount, yeah, because they obviously needed a search team and they didn't know whether I was going to kick off or try and hurt them. That's got to be quite the shock to be sitting there playing CSGO or whatever
Starting point is 01:02:04 and turn around and see 12 officers in your room like, well, hold on, fellas. Yeah, so I was actually asleep in bed. So I had woken up, I'd sat up and opened my eyes and in a semicircle surrounding the end of my bed was this mass amount of police officers. And I thought I was dreaming. So I went to grab my phone next to me and they kind of shouted at me, put the phone down. I went to go and check the time. So that's when it hit me then that this situation is happening now and there's police in my home.
Starting point is 01:02:33 Do the police in Ireland have guns? No, not normal officers, no. Okay, so you had no guns pointed at you? Not from what I can recall. There might have been a couple of armed officers, but I highly doubt it. I mean, they knew what they were getting into when they raided me. They knew this fat little 18-year-old wasn't going to pull out
Starting point is 01:02:51 an AK-47 and start shooting them. They had no idea, but that's why they brought 12 of them with them. It's not just some fat little 18-year-old. We got to really muscle this guy if he does something. Okay, so I mean, that's quite a shock. So I imagine they start talking with you, they take all your devices. They took all my devices here. I'd asked to see the search warrant and they produced it.
Starting point is 01:03:15 Um, United States versus Conor Freeman or whatever, extradition request, search warrant, and, uh, then it all started becoming real. They started searching everything and then brought me down to the station and booked me into the system then. And did you tell them you did it or did you talk or what? Uh, no, I kind of acted ignorant, but I mean, the evidence was substantial that they had. So I, they weren't relying on me saying I did anything. I mean, I was kind of screwed either way. So, I mean, I didn't really have to tell them anything. I was just arrested. I was brought down to the police station and they carried out a search and seized all my devices. Okay. So, the United States wanted you.
Starting point is 01:04:02 They didn't want you. This was not an Irish investigation. That's correct, yeah. Well, that's scarier, I think, because the United States is more harsh on criminals than the Irish. Well, I wouldn't say that. I mean, maybe in terms of headline sentencing, but for white-collar crime, I think they're pretty similar. But it was an extradition request.
Starting point is 01:04:29 So there's an extradition treaty between the USA and Ireland that they can, I don't know exactly how it works, but the USA can conscript Irish police forces to carry out an arrest on their behalf to be extradited back to the States. So that's what happened.
Starting point is 01:04:48 So you went to the United States? No, didn't go to the U.S., no. So I was arrested on this extradition warrant, and I was booked into an Irish jail. But they had sought my extradition, so it's obviously a long legal process before that actually happens. So I was booked into an Irish jail, and I was there for a couple of weeks. And then, yeah, I was kind of released.
Starting point is 01:05:13 So when my property was searched, I had all my crypto on a Trezor hardware wallet. That was never found when my house was being searched. So while I was on bail, I had made an agreement with my lawyer to hand over my crypto wallet to the Irish police to then hand over to the US. So I'd given up all of my assets voluntarily. That's a decision I've heard that other criminals in your situation have to think hard about.
Starting point is 01:05:45 Because the two options are, hold on to it until after all this is over, maybe 10 years from now, and I come back and there's all this crypto that I could just live off of. Or give it all up in order to reduce my sentencing. And hopefully that's a nice gesture that they notice and think positive of me for giving it. Yeah, well, it was a mix of both. To me, really, it was dirty money. So whether I had it or not, I didn't care. I didn't really want to be in possession of it anyway anymore
Starting point is 01:06:13 because I just didn't feel right having that money. So we made an agreement that I'd give it back to them and that obviously went in my favor in the end. But yeah, I was in jail for about a month and then I was released on bail. And then the legal process went on for quite a while until I was eventually sentenced. I thought there was an article where I saw that you were going to get 108 years. Yeah. So the headline sentence in the USA was 108 years. That's the maximum penalty for each of the charges added up consecutively. I mean, did you freak out if you heard, did you hear that that was a possibility or you're
Starting point is 01:06:56 going to go to prison for 108 years? Oh, yes. Definitely freaked me out, yeah. What did they sentence you to? So I got three years in prison. And then because I spent a month in jail, I was given one month off. So it was two years and 11 months. And in Ireland, typically every prisoner gets a quarter of their sentence off. But if you're sentenced to under three years, you get a third of your sentence off. So I served 11 or 12 months in total out of the two years, 11 months.
Starting point is 01:07:26 So what was prison like? It was fine. I mean, it helped me a lot in some ways. I was going to say it was fine. Well, I mean, prison is prison. It was as fine as it can be. A lot of people ask me how did it feel when I got arrested and I spent my first time and first night in jail, and they're weirded out when I say it felt great. But like that was the best sleep I'd had in years because I, my conscience had grown so guilty and I had felt so bad. Like I was sleeping horribly for a long time.
Starting point is 01:07:57 So when I finally got arrested, it was kind of like a kind of moments like I could sleep peacefully. Knowing that this was the end of things. How did you pass the time in prison? Exercising and reading, really. I read a lot and I exercised a lot. What kind of books did you like reading? A lot of self-help books.
Starting point is 01:08:19 Yeah. Okay, so how long have you been out of prison? I've been out since 2020, I think. What's going on now? I literally just finished a master's degree in cybersecurity last month. So I was doing that for two years. After I got out of prison, I think I'd been out for about a year and I'd seen it. A college here was offering a course in
Starting point is 01:08:45 a master's in cybersecurity and I applied for that and luckily I was accepted and undertook that for the last two years so I've just finished that last month. Similar to what you wanted to do, right? Which is to help people get secure. Yeah, it's kind of
Starting point is 01:09:00 it's turned around a lot. The opposite of what it used to be. A big thank you to Conor Freeman for coming on the show and telling us this wild internet adventure he went on. Stay out of trouble, kids. This episode was created by me, the pocket pirate, Jack Rhysider. Our editor is the busy tone bandit, Tristan Ledger. Mixing by Proximity Sound, and our intro music is by the mysterious Breakmaster Cylinder. I wanted to make my phone
Starting point is 01:09:35 SIM swap proof, so I opened up the little SIM card tray, and I filled it with glitter and hot glue. Now if someone tries to get in there, they're going to get a dazzling surprise. This is Darknet Diaries.
