Darknet Diaries - 162: Hieu

Episode Date: August 5, 2025

All Hieu Minh Ngo wanted was to make money online. But when he stumbled into the dark web, he found more than just opportunity, he found a global dark market. What started as a side hustle turned into an international crime spree. Find Hieu on X: https://x.com/HHieupc.

Transcript
Starting point is 00:00:00 I want to make sure I pronounce your name right. So can you say your name for me? My name is Hieu Minh Ngo. Hieu was born in Vietnam. I'm growing up in a small town in Vietnam. It's called Cambran. I started to be a hacker when I was very young, maybe around like 14, 15 years old.
Starting point is 00:00:26 And then it's kind of out of curiosity, you know, like wondering about how the internet working. And back then the internet is very expensive and super slow. That's one of the reason that I started to hack and steal a few internet dial-up accounts to be able to use it without paying anything. That's kind of my first time I got into trouble when I was like 15 years old. This was around 2004, a time when 56K modems were the most popular way to get online. And the way it worked is you dialed a phone number and connected to the ISP that way,
Starting point is 00:01:14 and they would connect you to the internet. But the ISP would charge you by the minute to go online. Can you imagine that, being charged for every minute you're on the internet? That's how it worked back then. Hieu couldn't afford that. So Hieu figured out a way to use someone else's account, basically stealing someone else's ISP connection to get online. And that meant other people were paying for him to get online.
Starting point is 00:01:35 And just like a few months, you know, a few months using these stolen internet dial-up account, I got kind of like a paperwork sent to my house. And my parents, they got very surprised. And then they told me what's about. And then I told them, you know, it's related to some stolen internet accounts. The paperwork said that Hieu did $5,000 in damage,
Starting point is 00:02:06 and his father had to pay the fees. That's a lot of money. His father was pretty mad and sent him away to go live with his uncle in Ho Chi Minh City. And little did everyone know it was going to be there in Ho Chi Minh City where he was going to build a darknet service and was going to make a fortune doing it. These are true stories from the dark side of the Internet. I'm Jack Rhysider. This is Darknet Diaries.
Starting point is 00:05:17 His dad recognized that Hieu was really into computers, and Ho Chi Minh City is a big city that has better schools to learn computers. And so Hieu got enrolled in classes and started studying. His parents would check in with him to make sure he was doing his schoolwork. I was learning a lot. I was learning about web programming. I built my first website,
Starting point is 00:05:52 hieupc.com, I remember. He was learning about operating systems, networking, and cybersecurity all at high school. He really loved computers and was hooked on learning more. I went to the internet cafe, you know, to use the internet because internet at my house is very slow. So I went to the internet cafe. And I, the moment,
Starting point is 00:06:15 you know, I've been there, I passed to one of the computer screen, and I saw that computer screen is kind of very dark, you know, some kind of dark background, and the font size is very well, and also like the color of the text is also like look cool, you know, like green color and stuff like that. And I asked the guy, you know, what's this forum about? And then he told me it, you know, it's about the dark web in Vietnam. Ooh, Vietnam's dark web? That sounds interesting. You ready to go there?
Starting point is 00:06:59 Hieu was fascinated by it. He learned how to access it, where to go. For him, it was like finding a whole hidden place online, filled with really fascinating stuff. Hacker forums, forbidden item marketplaces. It really emphasized the power of the internet. This was all unregulated. The government, the police, they can't stop what goes on on the dark web. And that really fascinated him. There's this whole section of the internet where anything goes. They're talking about hacking, talking about, you know, like sharing sensitive information.
Starting point is 00:07:35 And also like bank account and also some hacking techniques too, you know, like. And it got me, you know, wondering how they did that. Yeah, but so I think maybe a normal person would look at that and say, wow, there's stolen stuff here, there's illegal things here, maybe this isn't for me, maybe
Starting point is 00:07:55 I should go back to the clear web. Right, that's true. What? You know why? Because back then, right, underground forum is very fun, though. They always sharing and they don't mind about money. Like
Starting point is 00:08:11 they, sometimes they hack something, they just post it for free for everybody. Not really like into business or trading or dealing anything. It's just like sharing techniques, you know. But, you know, like when they got into that, I say, man, you know, it's something that, you know, I really wondering. I watch on the movie and TV about like hackers and very cool. That's why, you know, I say, yeah, I want to learn that. You know, I want to be a member in that hacking forums, underground hacking forums.
Starting point is 00:08:47 So this became his obsession. How to hack? What are the techniques? Like he would learn about a vulnerability and then use Google search queries to find websites that were vulnerable. And it was like the whole internet opened up to him in new ways. He was finding that thousands of websites
Starting point is 00:09:02 are vulnerable to a variety of different attacks. And he was just getting into one after another with simple techniques like default passwords and SQL injection. But the extent of the damage he was doing was he just hacked into the site and put something on the website that said, pwned by Hieu PC, which is the name he was using at the time, and also the name of the website that he made as a teenager. But the whole time he was just curious, not using his access to make any money or stealing anything. He's just like learning
Starting point is 00:09:31 and like the excitement you get from getting into places that you're not supposed to be in. It made him feel clever and smart and powerful. And he was teaching others how to do it. After all, he was still in high school. I said a lot of, like, hacking techniques and that. Also, like, social engineering techniques. But the thing, you know, like, the more I share, the more the people they know about me on these underground hacking forums. And eventually, they voted me as an administrator in one of these forums, very popular in Vietnam. And after that, you know,
Starting point is 00:10:10 I joined a few forums in Russia and even in the Eastern Europe as well, too. So I keep learning, but the thing is when really making money. You know, before that, it's just trading for free, sharing the knowledge, sharing the techniques. From posting on the forums and being an administrator to one of them, he started becoming more known. And so he met a guy, one of the forum users. And this guy's like, hey, listen up, Hieu. Your ability to hack into websites is actually worth a lot of money. Do you want to team up?
Starting point is 00:10:50 Do you want to hack places and give me what you find? And then I'll pay you for it. The guy explained how together they can make all this money. And Hieu didn't have much money at the time. I was interested. And you know, like when talking about money, when I was very young, I said, man, you know, like I saw the people making a lot, some money too, by, you know, by using like stolen identity and credit card and, you know, like
Starting point is 00:11:18 to make some money and then be able to buy some stuff, if it's very cool, right? You know, like some technology stuff or some new devices, something cool for myself without asking my parents. So that's why, you know, I say, yeah, okay, let's, uh, so let's, uh, so like, let's do it. And then the guy, he moved to my apartment living with me. And then I, you know, during the night time, after the school, I started to hack a lot of e-commercial website. E-commerce sites, like places you go to buy things online, like clothes or computers, kitchen items, travel tickets. A lot of these sites back then ran on
Starting point is 00:12:09 WordPress or PHP or ASP and didn't have the best security, and it's kind of like a numbers game, right? If there are a million e-commerce websites on the internet and one percent of them has poor security, that's 10,000 websites that are just sitting there vulnerable, way more than enough for someone like Hieu to go through. So the idea was to get into these sites and plant a listener that would capture when someone would enter their credit card to buy something on there. And then Hieu would give those credit card details to this guy he's teamed up with. And the guy will somehow convert the cash for both of them. Hieu was 17 at the time, a senior in high school.
Starting point is 00:12:48 And so after school and on the weekends, Hieu and this guy would get busy scouring the internet for a vulnerable site to hit. Back then, a lot of websites, right? They used, like, the language called PHP or ASP. It contained a lot of vulnerabilities. And then I search on Google with those keywords, you know, some of the Google dork, that to be able to find out for me on the list of the website. And I put on the customized tool that I program,
Starting point is 00:13:27 and then I just click scanning and it just kind of automated scanning for the vulnerabilities. And then it will give me the list of the vulnerable website. And then I will exploit that to be able to obtain the credit card information. And what was the first site that you made money from? The first website is, I remember it's located in the UK, right? That's website is still very popular nowadays in the UK. But I don't want to mention that. That's fine.
Starting point is 00:14:05 Yeah, what kind of site is it? Is it a banking? Is it a... No, that's website, it's a commercial website selling like electronic stuff. And in that website, it got SQL injection vulnerability. So you found a website through Google Dorking and your scans. Right.
Starting point is 00:14:23 You tested it for SQL injection. It worked. And what does that feeling like to get into a website using SQL injection? It's got like a gold mine. I say, wow. You know, like this is so many credit card information. Like a day, man, so excited though. Like the feeling is kind of like you control something.
Starting point is 00:14:46 You have a power. You feel like you'll be able to plug into anything. If you have time and you have the resource. And you feel like you're on top of the world, you know, you can be able to get anything. And I feel like so excited. Like the world, it's hard to say to, to explain that. But feel like so happy. And technically so happy, though.
Starting point is 00:15:18 Yeah. Do you give each other a high five? Right. I mean we give a high five and hug it and say, yeah, we did it. We got it. And I think, you know, we will be able to make a lot of money from this, not just selling the information, but also, like, using that. And he's so excited, and we was laughing the whole night, I remember.
Starting point is 00:15:45 And we was very young. Back then, he was like 18, and I was like 17. And he said, yes, let's do this way. We use all the credit card information, right? Every day we was getting, like, slowly, around like 50 to a hundred credit card from that website alone. And we was playing on the poker website. Of course they took the stolen credit cards to a gambling website.
Starting point is 00:16:16 I should have guessed. No, they weren't actually gambling with it. What they were using this poker website for was to launder the money. See, back in the late 2000s, online poker casinos didn't always have the most strict security and verification controls. They were happy to take anyone's money, whether it was stolen or not. So he created an account at the casino, loaded it up with as much stolen money as he could, and he might make three or four of those kind of accounts,
Starting point is 00:16:43 and then he would have all those accounts join a poker table where his buddy was in and just try to lose as many hands as possible as he could to his buddy. Then his buddy would get all the chips and cash them out at the local bank. This technique is called chip dumping. Now, the casino was aware of these sort of things and would try to spot people doing this. So he had to do things to avoid the fraud detection. And his tricks were working. And we were able to make in like a day, like thousand and thousand USD a day.
Starting point is 00:17:14 And then we split the money, like 50-50. I, you know, I spend on, like, I used that money to spend on stupid stuff, vacation, and also, like, checking girls out and, you know, like, easy money, easy go, technically. Can you imagine that set up? A hacked website is supplying them with a constant stream of 80 new credit cards a day. And they'd take those cards, deposit the money into a casino, move the chips to another player, cash it out, and then go spend that money on something fun. Like, where do you even focus here? Do you want to get more credit cards or cash out more at the casino or just enjoy a good time with all the money you have?
Starting point is 00:17:53 For them, it was all of that. They wanted more cards, and then they'd be busy trying to drain them all as fast as they could to launder the money. But as Hieu found more and more sites vulnerable to his attacks, he was sometimes stumbling upon whole databases of customer credit card details. Websites shouldn't be storing their customer credit card details like that, and this was even a surprise to him, but this meant sometimes he could find thousands of credit cards in a single day. Eventually, I went back on the underground hacking forums.
Starting point is 00:18:24 I sell the information. Visa and MasterCard, I sell for like 50 cents for one information, and American Express and Discover, I sell from $1 to $3,
Starting point is 00:18:42 you know That sounds so cheap So you're telling me The full credit card information You were selling that and the people could take that credit card and buy something for a few hundred dollars with that, right? Right.
Starting point is 00:18:57 That's true They can go on eBay and buy or either they you know back then it's very easy though you can just
Starting point is 00:19:04 use the stolen account, stolen bank account or stolen credit card information, you deposit into PayPal
Starting point is 00:19:10 and then you withdraw it's so easy you just take a few days and a few weeks to be able
Starting point is 00:19:18 to get the the real money out and I'm surprised you were selling it so cheap though
Starting point is 00:19:26 because so many so much information That's crazy cheap. Usually cards are like, I don't know, $10 to $50 per card because theoretically each card should be worth a few hundred dollars
Starting point is 00:19:38 before fraud detection kicks in and makes the card invalid. Rarely I'll see them for like $5 or less, but $0.50 a card? Wow. And that's what Hieu was selling them for because he just had so many because he just kept finding
Starting point is 00:19:51 more and more e-commerce sites that were vulnerable to SQL injection, which means the website's form field wasn't as secure as it should be, right? So he can go and type something onto a form field in a website, and that triggers the vulnerability. And suddenly he can see whatever's in the database, like an admin's password hash.
Starting point is 00:20:10 And then he could crack that password hash and log into the site as the admin. And sometimes that alone would give him credit card details to the site. Because some sites did not treat their customer credit card data properly. They show everything on the admin panel. Like you just click on the customer option, right? It shows you the list of customers, and when you click on the credit card information, it popped out of credit card information. I mean, when I hear that, I immediately
Starting point is 00:20:39 think that's a PCI violation. PCI is payment card industry. And for you to be able to accept credit cards for your business, the credit card company has to verify that you're properly storing customer credit card data. If you aren't, then you will lose the ability to process transactions. It can be fined quite severely. So Hieu kept focusing on finding more and more sites to hack into and take all the customer credit cards that the site would store in their database. And he spent years doing this, mostly selling the cards in bulk on the dark web. He was finding and selling tons of credit cards. More than 100,000 credit card information.
Starting point is 00:21:20 He gets done with high school and decides he's had enough of this. His pockets were overflowing with cash. And he knew what he was doing was wrong. So he decided to leave town. And then, you know, like, I save up some money because I know this couldn't last long. We was making more than a year. And it kind of getting harder because they know the tricks, right? And they fix the vulnerabilities. So getting harder. And I saved up some money. I pay for the school fee in New Zealand.
Starting point is 00:21:46 His sister was living in New Zealand. So he decided to go see her and go to school there. He knew that what he was doing was wrong and could potentially get him arrested, but he grappled with it. Like, he went back and forth, convincing himself, it's okay to take these cards. Like, these websites should secure their site better.
Starting point is 00:22:10 And if it wasn't him taking it, then it would surely be someone else taking it. So why not me? But then flipping it and being like, no, this is stealing. This is illegal. I'll get in trouble for this. The move to New Zealand gave him a fresh start. He wanted to become a good student who was learning computer science. When I got into New Zealand, I stayed there for a few months, not doing anything illegal,
Starting point is 00:22:37 try to be a good student at the school, learning about computer networking and be a computer scientist, you know. But things couldn't work out. I started to hack it again after talking with a few friends, a few hackers on the internet. And they say, you know, they need a credit card. And, you know, and I need money because my family couldn't afford to send me much money. So I say, yes. So let me find out if in New Zealand have some website that I can obtain the credit card information. And I hacked into a few e-commercial website in New Zealand.
Starting point is 00:23:25 Yeah, the same thing, you know, it's just some basic vulnerability. And I got into the database and I got the stolen credit card. He was able to sell the credit card data to make some money, but with all these cards, he decided to use a few himself, which is probably a dumb idea. And I used that, those stolen credit card information to buy electronic stuff, like laptop and cell phone on similar like eBay. They call the Trade Me platform. I use that. I use the stolen
Starting point is 00:24:02 credit card on that website and then I got the stuff and then I sell that to the same platform to make money because I learn with the stuff you know like to get a real cash
Starting point is 00:24:16 but eventually, you know, I made a mistake that using the stolen credit card to buy the music concert tickets to the Ticketmaster.
Starting point is 00:24:32 And I bought a thousand and thousand music concert tickets to sell to other people with a cheaper price. And then when... You bought a thousand concert tickets? Right. I bought a lot. Wow. And I resell that to other people on the platform. But the thing you know, like a few.
Starting point is 00:24:56 of the people they bought my music concert ticket. They got robbed when they tried to enter the stadium or try to enter the concert, right? They got denied because this ticket, you know, it's got invalid because it's kind of considered as a fraudulent ticket. And they got so mad and they got so scared. And then they also complained to the law enforcement, to the police in this.
Starting point is 00:25:26 So the police in New Zealand, they freeze my account on the platform and also freeze my bank account. So I got so scared. They also called me and called my sister. Almost a year, stayed in New Zealand. I got into trouble. And the moment I got that phone call from the law enforcement, I got so scared. I bought the ticket. I ran away.
Starting point is 00:25:51 I ran back to Vietnam. Oh boy. Hieu was on the run. The police were now looking for him, but he was able to get away and find refuge in Ho Chi Minh City in Vietnam. He escaped the police and didn't suffer any consequences from this. Lucky break. We're going to take a quick ad break here, but stay with us because this is not going to be the last time that the police go looking for him. His operation is about to go stratospheric.
Starting point is 00:26:22 Hieu gets back to Vietnam. He's around 20 years old at this point.
Starting point is 00:27:02 He goes to see his mother and his father, and they heard about his fraudulent concert ticket thing, and they were mad. They scolded him. They shamed him. And Hieu was just lying back to them. I give them all the phone promises, you know. I told them, you know, I will be a good boy,
Starting point is 00:27:20 and be a better person, not doing anything illegal. It kind of feel very ashamed, you know. So, my mom's, she was crying a lot. But back then, I was like 20 years old, 19 years old. Try to be a good person. I didn't touch the computer within six months when they got back from New Zealand. And I told with my mom, you know, I want to go to Ho Chi Minh City to learn computer science at the university in Ho Chi Minh City.
Starting point is 00:27:57 My mom and my dad, you know, they kind of like believe me that, you know, I'm kind of like a changed person, and hopefully this time will be the last chance for me. So around 2009, he moved to Ho Chi Minh City and enrolled in the computer science and cybersecurity program at the university. But during that first year, I went to kind of like to hang out with all the old school hackers in Vietnam. They own black hat hackers. They heard about, you know, I got
Starting point is 00:28:30 trouble in New Zealand by using stolen credit card. I say, yes, you know, that's why I don't want to touch computer anymore. I got so scared. I almost got caught. And they told me, you know, why you don't think about U.S. identity or personal information? It should be safer. It should be easily to sell that. So these hackers were telling him, yeah, of course you got in trouble for stealing stolen credit cards. Man, don't mess with money. The police are going to get mad if you do that. That was your mistake. They take credit card theft very seriously. Heck, I bet the U.S. Secret Service probably has a case opened on you. What you should have done is gone into the business of stealing the identities of U.S. citizens
Starting point is 00:29:14 and sell that. Not only can you make money doing that, but the Secret Service doesn't give a crap about stolen identities. In fact, nobody does. They'll never come after you for stealing identities, especially if you stay here in Vietnam, they can't touch you. So you should try stealing U.S. identities. So Hieu starts looking into it. My goodness, he thinks. They're right. Stealing identities and selling that is far less of a crime than stealing credit cards
Starting point is 00:29:39 and just as valuable on the dark web. He wasn't sure why it was valuable, but if he could get all the personal details of someone, like their address, social security number, phone number, work history, the type of car they have, then people will buy that up like crazy on the dark web. So he starts looking around for places that might have all this information on U.S. citizens. I didn't think, kind of in the long term.
Starting point is 00:30:03 I just see whatever I see in front of me. And the money just kind of fly my eyes. And I thought that should be safer. And I'm in Vietnam. And this is U.S. identity should be fine. I mean, the logic checks out, right? stealing identities of people in a far, far away country, no chance of them catching him in Vietnam, right?
Starting point is 00:30:30 And eventually I spent like almost a month. I recon and also doing a lot of OSINT to get me a list of only data broker in the U.S. to be able to provide these data. Data brokers, of course. They would absolutely have a, a ton of people's identities. Okay, so if you don't know, a data broker is a company that spends an enormous amount
Starting point is 00:31:00 of effort gathering up as much information as they can about you. Here's how they do it. Number one, they'll copy the whole phone book into their database. That's got everyone's name and phone number. Then they'll take a copy of all the county records. This includes who owns which property, court records, marital status. Then they'll look at your social media account and scoop up any photos that you have taken of yourself and posted.
Starting point is 00:31:24 email addresses you list, affiliations, like which school you went to or place you work. Like, LinkedIn is being scraped by data brokers all day, which you personally have told what your skills are, who your coworkers are, where you work, and what you look like. Now, to me, that's already spooky enough, that someone would go through all this trouble to get all this data on me by doing all that. But some data brokers go far deeper and are way more sinister at getting data on us. they have been known to install trackers on your phone, which typically just comes along for the ride on popular apps.
Starting point is 00:31:58 Like a data broker may pay an app developer to put a tracking pixel on the app so that they can track people even more. This means data broker is often collecting cell phone data, which could include your phone number, the app usage, but more interestingly, up to the minute location information. Some data brokers go even further and set up antennas around town and watch what phones interact with those antennas, and they can track your phone's location that way.
Starting point is 00:32:25 Some have been known to put little sensors on roads to identify which cars have passed down that road and take pictures of license plates going by, too. Of course, purchasing history is important to them. I've heard stories of data brokers buying your purchase history data from retail stores. And if you don't know, a lot of retail stores are very closely tracking all the purchases you make
Starting point is 00:32:47 with your credit card and have a complete history of everything you've ever bought with that card in their store. Sometimes they even track where you are in the store and what you stop to look at to see what interests you. And yes, absolutely. Data brokers are buying up all this data that the stores are collecting on you because this consumer behavior is worth gold to these data brokers.
Starting point is 00:33:07 Why do these data brokers do this? Why do they go to such great lengths to build databases on us? Because there's a lot of people who are willing to buy this data. Your data is very valuable. And I'm not talking about selling it on the dark web. We'll get to that. Data brokers often sell their data to law enforcement. And this has been a growing problem over time.
Starting point is 00:33:29 I feel like law enforcement has found a loophole to ignore the Fourth Amendment. As a refresher, the Fourth Amendment says, you have a right to privacy from the government. The government should not be able to see into your life without a warrant or probable cause. But they are through data brokers. There's something called a third-party doctrine now, which says if you give your data to a third party, you no longer have a reasonable expectation of privacy from that data.
Starting point is 00:33:56 So that means if you have money in the bank, the bank can share your data with the government without a warrant. And law enforcement can purchase your location data from a data broker without a warrant because it's commercially available data. Data brokers are trying to ruin the Fourth Amendment. And I want you to look a little closer at where this data is coming from. Yes, a lot of it is publicly sourced, but a lot is not. A lot is data that you think is just private between you and the party you trusted your data with.
Starting point is 00:34:25 But they're selling that data to others. And so if you think it's safe and secure, but it's secretly being scraped and sold, I would say that's spying on you, which the government isn't allowed to spy on its own citizens. I mean, mass surveillance is against the law flat out, but they can get away with it because data brokers are the ones doing the spying and the mass surveillance, not the government, and then they're selling it to the government. Now, I've tried to remove my digital footprint as much as possible,
Starting point is 00:34:56 but there are still things that I'm forced to do, which hurts my privacy and I hate it. Like, for instance, anytime I see a doctor, I can't do it under a fake name. They have a strict policy where I have to prove my identity in order to get medical treatment. And then my medical records are being passed around to millions of people.
Starting point is 00:35:17 HIPAA isn't there to protect our privacy. It's there to assist others to get our data. The portability part of it means they're making it easy to package up our data and send it to whoever asks for it. And there are millions of people and entities
Starting point is 00:35:34 that can access HIPAA and patient data. Second is banks. There are laws in place where the banks have to verify who you are before they do business with you. Know-your-customer type stuff. And the banks are forced to report certain activity to the government. So millions of customers' banking data is going to the government again without a warrant. Lastly, I hate all this public record stuff.
Starting point is 00:35:56 If I buy a house, get married, go to court, start a business, get arrested. All that is public record. And it gets abused all day, every day because it is. I have no choice when it comes to these matters. My banking history, medical information, marital status, there's no way to opt out of any of it. And data brokers are just licking their lips, sucking it up as fast as they can, and they're profiting off of it,
Starting point is 00:36:21 and they're using it to strip away my rights. But don't think it stops there. Data brokers are just companies trying to make money. So they have no problem selling your data to Walmart, Facebook, Google, insurance companies, credit card agencies, ad agencies, because all these businesses would love to know more about who you are so that they can target you with ads
Starting point is 00:36:42 or to calculate the risk of doing business with you. And these data brokers absolutely do not want you to know they exist. They do a great job at hiding their presence in the world. Let me give you an example. I'm going to list eight of them for you. And I bet you've never heard of any of these companies, yet there's a high chance that all of them know exactly what you're doing right now. Merkle, Locate Plus, LiveRamp,
Starting point is 00:37:12 MicroBilt, Venntel, SafeGraph, X-Mode Social, Court Ventures. I certainly don't know anything about these companies, but Hugh was learning a lot about them. And I find out, right, there are a few key players in this data business related to the U.S. and they provide these data to law enforcement, to lawyers, to private investigator, stuff like that. And I see, man, it's kind of very difficult to get these information. You have to prove yourself. You have to be verified. So that's why I put a lot of time, like almost a month, and I hacked into two different data
Starting point is 00:38:12 broker. Very popular one. The first one is the Locate Plus. Locate Plus is a data broker that markets itself to people doing background checks and investigations. They get their data from criminal records, property records, the phone book, and also gather social security numbers and date of birth. The first one I had to do is the Locate Plus and the same. The second one is the MicroBilt. MicroBilt collects data on U.S. citizens, which includes criminal history, employment history, address history, and Social Security numbers. They also keep records of your utility payments, rent payments, loan payments, and stuff like that to see if you pay your bills on time.
Starting point is 00:39:02 The big credit bureaus use this one, like Experian and Equifax, because your credit score is a reflection of how well you pay your bills. But not only that, landlords use MicroBilt. Employers do background checks on it, and lenders look to see how much of a risk you are before doing business with you. So the two companies, Locate Plus and MicroBilt. I hacked them a few times. First, SQL injection, the second one, the file upload vulnerabilities, and the third one, cross-site scripting. When I got into their database, right, I steal the customer logins of their platform. And then I use that to be able to log in to the platform and make queries.
Starting point is 00:39:49 Okay, interesting. He didn't get into the main data broker database. Instead, he was just able to get into the web portal side of things, which had user accounts. And that's the people who used the site to do background checks and lookups with. He was able to steal some of their logins. So now he could log into the site and use it as if he was a lawyer or a cop or an investigator who's been vetted by the site to look up anyone's data.
Starting point is 00:40:17 I can search your name, the state that you've been living, or the city you live in, and that's all. If we pop out the possible people identity related to that name and in that city, and you can get the social security number rivalization on the previous 10 years addresses that you've been living, even the current one. And also you will obtain your relatives, your family members, right? You can also get the information. Now, these sites charge for their service. It's often a pay per search kind of thing.
Starting point is 00:40:57 So when he would search, it would go to someone else's bill. And he thought if he did a lot of searches on one user, then their bill would go way up, and then they'd investigate what's going on here, and they would find out that he's been using their account, and they would shut it down. So he would cycle through all the accounts he had to spread out his activity. I remember I was using more than 5,000 accounts on MicroBilt alone.
Starting point is 00:41:26 So with his access, he could look anyone up and get their full name, maiden name, phone number, email address, where they live, address history, social security number, driver's license, where they work, work history, and the VIN number for their car. He decides to build a website to charge users to be able to look up people in this database. Because so much information, then I build a website,
Starting point is 00:41:53 and then I, to that website, I sell to all the cybercriminals around the world for like $1 for one search, kind of like $1 for one information, one identity, basically. The first week of him launching this website, he made $5,000 from people doing searches on it. It was an instant hit.
Starting point is 00:42:16 He wasn't sure why people were using his site to search for other people, but he didn't care. He just saw the money coming in. It was like, yeah. And interestingly, this was the early days, and crypto wasn't really adopted so well yet, so he wasn't accepting that. Back then, I didn't use Bitcoin. We used Liberty Reserve. Liberty Reserve was sort of like a PayPal in the way that you could send money to someone online.
Starting point is 00:42:40 except they didn't do much in regards of checking people's identities. So it became known as the place for criminal transactions around 2010. It was the go-to place for stuff like that for a while. So he was getting tons of Liberty Reserve dollars, and they were piling up in his account there. Then he was using some Vietnamese money mules that he found on the dark web to send them as Liberty Reserve dollars, and they'd cash it out and give him cash.
Starting point is 00:43:05 And things were looking good for a few months. But, you know, the thing is not stable because the two companies, they find out about the vulnerability, so they shut down and then they also fix the vulnerabilities. Kind of like me and them, you know, like we've been playing the cat and mouse game. Kind of, they fix the vulnerability, I find out another one, so we just keep hacking and fixing. So I got kind of tired. He was getting tired of constantly trying to find new ways to stay in the system. They were getting good at detecting him and kicking him out. So he stops to think about
Starting point is 00:43:45 it. And he thought, you know, why struggle to maintain access when he could just become a paying user of the site? Now, MicroBilt would only allow certain people to use their site. You had to be a professional investigator or a cop or in a position that you can be trusted with this data. And there's a serious vetting process. So Hugh decided, but why not try to act like a private investigator and get in. Step one, create a driver's license with a fake name. At first, I got the license to Google, but it didn't work. I tried to do Photoshop and stuff like that, but it couldn't work out.
Starting point is 00:44:25 It's not good quality. Okay, that didn't work. Time for Plan B. Try to impersonate someone who is allowed to have an account there. So I did kind of like an old thing, through gathering on the list of emails address belong to private investigator. And, you know, when I hacked into MicroBilt and Locate Plus, right, I got the email address already. I got on the list already. So I used that to do phishing.
Starting point is 00:45:03 I was phishing them, uh, you know, to a malware so I can, uh, got into the computer. Wow. So the 5,000 users that he got from MicroBilt, he could see which ones were private investigators and get all those emails and also their data from the data broker to know everything about them
Starting point is 00:45:23 and then send them phishing emails. And if they clicked the link, he would infect their computer with malware, essentially giving him access to their computers. And when he got access, he would look around to see if he could find any identifying documents for these private investigators so he could impersonate
Starting point is 00:45:40 them. And one of the private investigator, I remember he was living in Michigan in the U.S. And I got into his computer to the malware. I got all the data
Starting point is 00:45:56 on his computer including the private investigator license, even his passport, his social security numbers, and I got everything. I mean, I got everything.
Starting point is 00:46:10 And back then, you know, like the people, they still got a habit, saving all the sensitive stuff on their desktop inside the spreadsheet, right? Kind of like an Excel file, storing the username and password, like sensitive information in that file. And I got that file too, you know. So I got all the information. They have birth and rivalization, stuff like that. So I impersonated as him.
Starting point is 00:46:40 under his name, I obtained an account at MicroBilt. So I got a MicroBilt account officially. I was using that maybe a month or two. So they found out this is a fake account. So they shut down my account. So he's realizing MicroBilt is giving him a lot of trouble and decides to look at another data broker to maybe register an account there. And that's when he found a data broker called Court Ventures.
Starting point is 00:47:09 Court Ventures providing API and data access for the people to making queries to be able to obtain the U.S. identity. Oh, this is even better, he thought. If he could get API access to make queries and do searches, that's a whole lot easier to integrate into his website. They were just like the others. They had address history, criminal history, full identity data. And yeah, investigators, cops, fraud detection agencies, and credit bureaus loved using Court Ventures to look up people's data. He found a private investigator in Singapore
Starting point is 00:47:44 and was able to obtain all his details and was going to impersonate him to try to get an account at Court Ventures. I got his license, and I impersonated that guy, the private investigator in Singapore, and I used that to apply the Court Ventures account. And I paid for them.
Starting point is 00:48:07 You know, I was dealing with them like real businessmen, you know, like I say, yeah, I was, I was doing for big company doing background check for Mars, Google, so I need a lot of queries every month to do background check. And they okay with that because I paid for them and I told them, you know, I want to have a good deal. And then the CEO of that conference, company, they gave me a good deal. Like, I remember like 14 cents, 14 cents for one information. So I say, yes, okay, we make a business contract too. Like, I fake the signature, I fake the name, everything. So I sent back to him and they didn't verify anything.
Starting point is 00:49:00 They just keep going. They okay everything. Okay, he got the account. He could do searches on people now. Good, good, he thought. But he wanted that API key. So he applied for it. And a few weeks later, they gave it to him. Incredible. So I got the account, man. I said, oh, oh my God. I got the API access to like almost 200 million US identity right there. And all I need to do, you know, to integrate that
Starting point is 00:49:28 into my website. That's all. Yeah, 200 million US citizens details were in this data broker. That's like over 60% of all U.S. citizens' data. That's incredible. And at 14 cents per lookup, he could sell each of those searches for a dollar on his website. His grand plan was starting to come together. So at that time, my website is still on the clear web. You know, like anybody can gain access.
Starting point is 00:49:56 But most of the clients that I have is all cybercriminals around the world. And technically, I didn't care what they, whatever they've been using this identity. So I just keep selling to the API of the Court Ventures. And I remember every month I was making more than 120K per month, USD. Yeah, he really didn't care who would use this site or why. He didn't even ask. All he knew is that people liked using it to look up people
Starting point is 00:50:31 and he could make a nice profit off it. So it seemed like a good business model to him. But even though he was making $120,000 a month, he still had a massive bill to pay to Court Ventures every month. And I was paying for
Starting point is 00:50:47 Court Ventures every month from $20,000 to $35,000 USD per month. Yeah, they're happy. And I'm happy as well. So we're kind of a win-win situation. I keep running
Starting point is 00:51:02 that website for over two years and I was making more than 3 million USD by selling the U.S. identity. It makes me wonder is any of this illegal?
Starting point is 00:51:19 I mean, can you squarely point at who the victim is here in this situation? Do you know the story of Irate Joe's? It's an interesting one. So there's this U.S. grocery store called Trader Joe's. It's fantastic. I love it.
Starting point is 00:51:34 A majority of food there at Trader Joe's is the Trader Joe's branded stuff, and people get hooked on that brand. Well, up in Vancouver, Canada, they were like begging Trader Joe's to come open a store here. But Trader Joe's refused. They're like, no, we only focus in the U.S. We're not going international.
Starting point is 00:51:52 So some guy in Vancouver is like, but you know what, I'm going to open my own Trader Joe's in Canada. Why not? Because if they're not going to do business here, then there's probably no jurisdiction issues or harm. Should be fine. So he crosses the border into Washington state, buys a ton of Trader Joe's stuff, and drives it back to Vancouver and opens up a little
Starting point is 00:52:10 shop called Pirate Joe's. He charged more than Trader Joe's did because of the logistics of it, but hey, people in Vancouver were happy to get some of their favorite food items. Finally, Trader Joe's was like, hey, you can't do that. And Pirate Joe's was like, yeah, yeah, we're in Canada. Your U.S. laws don't apply here. He was right. Trader Joe's had a really hard time getting anywhere legally, but eventually they convinced a U.S. court to force a trademark infringement on Pirate Joe's, saying the name of the store is too similar to Trader Joe's, and they're smugglers. So what did they do? Pirate Joe's dropped the P and renamed the store to Irate Joe's, and they clearly put all over their store. We are unaffiliated, unauthorized, and unafraid.
Starting point is 00:52:57 Trader Joe's was furious that they stayed open and started banning them from coming into the store to buy stuff. They banned the owner who was driving twice a week to buy $5,000 worth of groceries from Trader Joe's. Then he got his coworkers to go to different Trader Joe's and try to buy stuff from there. But Trader Joe's started figuring out which stores in Washington they were visiting and buying food in the shop so they would block these other people from purchasing things. So Irate Joe's started asking their customers to help stock the store. They're like, hey, if you're going to Washington, please pick some stuff up for us at the store. And soon dozens of people were now helping stock the shelves at Irate Joe's.
Starting point is 00:53:33 I'm telling you, people really love Trader Joe's stuff. And crowdsourcing the buying was working for them. But Trader Joe's was putting more and more limits on how much people could buy in the stores that were close to Vancouver. The guy who owned Irate Joe's is like, bro, I'm your biggest customer by far. I buy more than anyone else in this store. What is your deal? We're not asking for anything special. We just want to buy what you have.
Starting point is 00:53:57 But Trader Joe's kept giving them legal trouble and eventually, Irate Joe's shut down from the expensive legal fees that they kept facing. And again, here's a situation where I wonder, who's the victim? Trader Joe's sure thought it was them. But what do you think? I mean, when I was a teenager,
Starting point is 00:54:19 I used to buy things from the dollar store and then sell them on eBay for $5 each. If it's legal for data brokers to sell identities of U.S. citizens, why would it be illegal for Hugh to buy those and resell them for more? This is the part I don't get. It's apparently perfectly fine for a data broker to buy and sell identifying information on U.S. citizens, but it's not for Hugh? In Hugh's case, he didn't hack into the site. He didn't steal anything. He was a paying customer of Court Ventures and was paying them a lot of money for all the searches people did, and they seemed to be fine with that.
Starting point is 00:54:57 that Hugh was their customer. So he had his little website set up and accepted payment from Liberty Reserve and users could search Court Ventures database through the API. And at first, that website is called the US searching.in.4
Starting point is 00:55:13 and then eventually like suppaget.org and 5Gate.com, stuff like that. You know, I change in the domain like constantly to avoid like law enforcement. And I was selling more than
Starting point is 00:55:29 a little more than 3 million U.S. identities during that two years from 2010 to 2012. Okay, let me do the math. Three million searches,
Starting point is 00:55:44 14 cents per search. It's $420,000 that he paid to Court Ventures and all this. Jeez, that's a lot of money Court Ventures made off him. And that was fine for him because he made over $2.5 million in profit after that.
Starting point is 00:56:01 Unbelievable. And during 2011, right, I dropped out the school. I didn't study and finish the university anymore. Because I was thinking, man, I was making a lot of money. Every month, like, I was making up to $120k per month. What were you using the money for that you were getting? Back then, it's too young, too dumb, you know, like a lot of money. I spent on stupid stuff on five-star hotel, and business class.
Starting point is 00:56:36 Spend a lot of money on, like, stupid things. And I waste a lot of money for cars and luxury stuff. What kind of car did you have? I was having, like, three different cars, two sport cars. One of them is BMW, the convertible one. And another one is a customized car, like full customized one. That I don't even know that, you know, what kind of car is it, but kind of like one of the, I remember I used that car to be in a contest
Starting point is 00:57:16 for a good customized car, and I won the prize as well too. Because I spent so much money on that car and customize that and fine-tune that car. And the other car that I have is luxury car, Lexus, right? Yeah, so what did your parents think of all this money? I was lying to them. I was working for an international bank in the U.S. And they hired me to protect the system
Starting point is 00:57:48 and also building their website. You know, like all the lies, you know. And when I meet up with all the people kind of like same age, even like the people that I know on the street, they ask me, you know, why I am so rich. And I lie to them, you know, because my family was a well, a wealthy family and they, they got everything for me, that's why. So I kind of like lying with each other with in stories, you know, and I kind of very tight, though. What were the people that were using your site? Do you know why they were searching for people?
Starting point is 00:58:31 What was the point of them paying for people's searches? That's a good question, though. The question, you know, like the answer for this is at that time, I didn't care much about how did they use these. information. All I know, you know, maybe they use that to impersonate somebody, or even like they use that to bypass the regular transaction, authentication, whatever. That's all I know. So like he said, this went on for years. He was able to automate a lot of it. So he would only do a few hours of work a week to keep it all going. Life was going great for him. Eventually, Court Ventures, right?
Starting point is 00:59:18 they got acquired by the Experian. Oh, interesting. In December 2011, Experian bought Court Ventures. Now, Experian is one of the three major credit bureaus in the U.S. They create a credit score for every U.S. adult. And rental places and loan agencies
Starting point is 00:59:39 will check your credit score before doing business with you. So Experian loved the data that Court Ventures had on people so much that they just bought it outright. I couldn't find what the purchase price was for 200 million U.S. citizens' data, but I imagine it was in the millions of dollars. Now, after Experian bought Court Ventures, the Secret Service contacted Experian and was like, you know that company you just bought?
Starting point is 01:00:06 Yeah, well, we have reason to believe that they are giving data to someone who is illicitly reselling it to criminals. Experian is like, what? Say that again? Court Ventures never told them this in the trade deal. So Experian quickly shut down Hugh's account and cooperated with the Secret Service. In fact, Experian was so mad that they sued Court Ventures
Starting point is 01:00:30 for not taking action on this earlier. I suspect the lawsuit was because they were misrepresenting their business in the trade deal. And so, the Secret Service now had their eyes fixed on Hugh. One of the code requests from the U.S. Secret Service, you know, asking about the status of my account, the fake account. And eventually they shut down my account at the Court Ventures. They shut down his account entirely.
Starting point is 01:01:03 But he had a backup plan in case this did happen. He had a second account. Not one he made, but one where he stole the password to someone else's account. And he could use their account to continue to do lookups. But he no longer had that API access where he could automate it. That belonged to one of the company, one of the U.S. data broker as well, too.
Starting point is 01:01:24 It's called the U.S. Searchinfo.com. Something like that, I don't remember. It's a long name. But anyway, this company, I got one of the accounts to phishing attack. And I used that to do manually searching identity for other people who still need the service. He wanted to get another API connection to Court Ventures.
Starting point is 01:01:49 This hand-searching stuff was just taking way too much time. So he starts emailing them, hey, how come you shut off my API connection? I need it back. But what he didn't know is that because the Secret Service were investigating him, it was them who was responding to his emails. And they was making up a story that, you know, they will offer me a good API connection. not only to the U.S. identity data, but also the U.K. identity data. I say, well, you know, it's a good business kind of like, too good to be true.
Starting point is 01:02:26 But, you know, at that time, the money just blind my eyes. I say, okay, it looks good. But the thing, you know, I feel something suspicious going on too. Something not right. Apparently there was another guy that was doing the same thing as Hugh also reselling data broker data but the Secret Service caught that guy
Starting point is 01:02:48 who was in the UK and that guy was assisting the Secret Service to catch other people doing the same so that's what felt off to Hugh he was talking to both the Secret Service an agent named Matt O'Neill and a guy from the UK named Mark who got caught reselling identities
Starting point is 01:03:02 his name Mark he still keeps communicate with me to email and even call me to, I remember to Skype back then. And they say, you know, they want me to go to the U.S. and also go to Australia or go to Hawaii. I say, no, I don't want to go there. But Matt O'Neill and Mark, they collaborate together and they lure me to Guam.
Starting point is 01:03:39 They told him if he can meet them in Guam, they'll give him all the things he needs for his API access. And they made up a story of why they need to meet him in person. Something like, well, the big boss really wants to meet you. You're one of our best customers and we can get the contract signed right then and there. And then we can open the big party, you know. So we can have fun together. And then you can fly back to Vietnam, everything good. So he decides to fly to Guam, which is kind of near Southeast Asia.
Starting point is 01:04:07 He figures it's the closest option that they gave him and looked safe. You know, I didn't do any research about Guam. I thought it's just like an island, nobody care. And I heard that some of Vietnamese people, they live in over there as well, too. Maybe it's fine, you know, if any problem, I will, you know, go to talk to my people asking for help. And then I bought a ticket and then I went to Guam with my sister.
Starting point is 01:04:35 Because back then, you know, back then my English is not really well and I went there with her together and the moment I landed at the international airport they escorted me to U.S. Customs Office and that moment that right moment you know I just feel like man something going on something fishy yeah and then they told me sit down here you know we want to talk to you a little bit and I was so nervous I was trembling like man
Starting point is 01:05:14 and I was shocking I said man something not right they put a stack of the paper like I remember like maybe like 10 inches thick
Starting point is 01:05:28 very thick documents and they told me you know we know about you We know everything about you. Maybe more than your family knows about you. And that moment I say, man, it's over.
Starting point is 01:05:45 It's over. And that's it. I feel like I was on top of the world. And right now, I was living in hell. And that's it. They sent me to the jail in Guam. After that, and they sent my sister back to Vietnam. I told with the prosecutor and the U.S. Secret Service agent.
Starting point is 01:06:16 I said, my sister had nothing to do with this. It's all about me. So they released my sister, and I was staying in the jail in Guam for a little more than two months. And then they sent me back to the mainland. U.S. mainland. To many children, they send me to Hawaii, to Los Angeles, Nevada,
Starting point is 01:06:43 they sent me to Oklahoma, New Jersey, and then New York, and then New Hampshire. New Hampshire is where his case was going to be tried. So that was his final destination. And he was stuck in prison through the entire legal battle. Apparently, the U.S. prosecutor
Starting point is 01:07:02 who first investigated him was in New Hampshire, And so that's why his trial was there. Reflecting back on how he got caught, he has a few theories. First, he blames Brian Krebs, a cybersecurity journalist who did an article that said how criminals can look up people on the dark web. And his website is listed there. And so he thinks that's how the Secret Service probably first learned about my website. And on his website, he made a few mistakes.
Starting point is 01:07:27 The first week of having it, he used a hosting provider but registered it under his real name, but then he changed the registration to an anonymous name, but those past records are still visible. Second, he used to have his personal email address on the website for contact details. So these slip-ups would have easily traced someone to Hugh. And I also believe that Secret Service probably used his site, did some searches on people,
Starting point is 01:07:51 and then tried to correlate that with the logs at Court Ventures to pinpoint exactly which user Hugh was using for his site. But this whole time he wasn't sure exactly why he was arrested. He was paying for these searches in full. Where's the fraud here? Where's the crime? But it wasn't until after his arrest, where he learned what people were using his site for.
Starting point is 01:08:12 The federal court, they told me, you know, the information that I stole and also, like, sell that to other people. They're using that for tax return. That's something new to me. I never know that, you know, tax return. And then I find out what tax return. And then it's very serious. What people were doing was going to Hugh's site, looking someone up,
Starting point is 01:08:36 getting all their details, and then trying to file the taxes for that person. See, here in the U.S., we pay taxes to the government all year, and typically people overpay on their taxes. So they get a big return come tax season. So a lot of Americans get a check for maybe a few thousand dollars every year from the government because they've overpaid on their taxes. Well, criminals know this. So they file tax returns on other people,
Starting point is 01:08:58 and they put on there that they should get a $2,000 refund, and then the IRS processes the tax filing, and they look at it, and it looks legit, and sends this person a $2,000 check. And when the real person goes to file their taxes, the IRS is like, oh, no, no, no, you have already filled it out. We've already sent you a check. And now suddenly there's a bunch of Americans saying,
Starting point is 01:09:20 oh, no, I didn't. Give me my money. And there is a big problem. So the Secret Service was investigating this, because Hugh's people search engine was complicit in helping criminals defraud a lot of American citizens. And apparently there were a lot of people in New Hampshire that someone stole their tax return check. And you know, I got so much information. And they turned kind of like thousands and thousands victims in New Hampshire.
Starting point is 01:09:48 Okay, there's the V word, victim. We found a victim. The people of New Hampshire who didn't get their tax refunds. Okay, sure. Victims of identity theft. I'll give them that. But typically, the IRS will understand and pay them anyway, essentially giving out two refund checks. So this makes the IRS the victim. But then you could say, no, it's the U.S. taxpayer. That's the real victim because this is money that's just lost. And it drives me nuts. How much money the IRS loses on this every year. Like every single year,
Starting point is 01:10:23 the IRS will give out billions of dollars to criminals submitting tax refund scams. And I just have to ask. IRS, when are you going to take this problem seriously? You're world class at collecting our money, but terrible at distributing it to the right people. Billions of tax dollars are lost every year because a criminal asked you for money. How is this acceptable? So what were your charges?
Starting point is 01:10:52 Because I have no idea what you're actually guilty of still. Yes, technically you can read that on the U.S. Code records. Okay, fine. I will. All right, he's charged with three items here. All three are violations of the CFAA. Figures, right? The first specifically says he used a data broker in a way that they didn't authorize him to use. It's against their terms of service to resell the data that you're given access to or to impersonate someone to get an account there.
Starting point is 01:11:24 And he did that. He absolutely violated their terms of use, and that is what the Secret Service is saying he's going to prison for. Unauthorized access, which we can guess means that he impersonated an authorized user, which is against their terms of use. You know how many of us violate the terms of use on websites? We all do all the time. Like if you ever let someone use your Spotify or Netflix login,
Starting point is 01:11:50 that's the same violation, unauthorized access. He's being charged with that sort of thing. Second item. Specifically, it says he's personally gained money from violating his access. And the third item is that it was in excess of $5,000. So all three of these are CFAA violations. And it drives me nuts that if you violate a website's terms of service, it's a federal crime. I don't know why it's not just a civil issue. A problem between you and the website. Like, why is it a federal crime? I think the site has grounds to terminate you, ban you, and probably even sue you for violating their terms of service. But prison time? I think that's just going too far. But that's how it is. It's a federal offense to violate a website's terms of use. And I'd be remiss if I didn't mention Aaron Swartz here. Aaron was an MIT student, and because he was a student,
Starting point is 01:12:43 he had access to academic research papers through a place called JSTOR. Well, he thought this information was so valuable to the world that he was downloading it and publishing it for free. The world should have this academic research, not keep it exclusive only for university students. But JSTOR was pissed. They called the feds on Aaron for violating their terms of service, and the DOJ charged him with 13 felony counts,
Starting point is 01:13:06 and he was facing 35 years in prison. They told him, look, if you take a plea deal, you'll probably only do six months in prison, but he absolutely did not want a felony on his record. A felony for violating the terms of service. The pressure was too much for him, and Aaron killed himself. So after that, politicians were like, whoa, whoa, whoa,
Starting point is 01:13:30 why does the CFAA have it written in there that unauthorized access to a website is a federal crime? People are dying over this. Just because you violated a website's terms of use should not be a federal crime. And so Aaron's law got proposed, which asks to change the CFAA to stop saying that a terms of use violation is
Starting point is 01:13:53 a federal crime. But sadly, the law didn't get passed. Can you tell I hate the CFAA? See, here, I'm upset about this because, first of all, these data brokers are collecting data on us without our permission. And so they should be the ones that are doing illegal things. Second of all, they're selling this data for 14 cents per lookup. You're selling it for $1 per lookup, yeah? So the only real thing here is that you're saying, hey, I'm just up, I'm doing an upcharge for this and giving access to more people. It's not really stolen data. It's actually paying for the data as you're using it. And you're right. The unauthorized access is a CFAA violation. And I can see them saying that. But I'm just so frustrated about this because you didn't
Starting point is 01:14:50 do any money laundering in the U.S., so for them to say you did money laundering there, it's not true that you did that in Vietnam. So I'm just frustrated on your behalf. I know, but the thing is where it's it, though. That's how it works.
Starting point is 01:15:09 And also the damage amount that they put in my case is very huge, though, like over 60 million USD. The prosecutors were saying he caused $60 million in damage. And, of course, they didn't explain how they came to that number.
Starting point is 01:15:27 It's kind of impossible to look through 3 million lookups on Hugh's site and then connect that to what identity theft crimes happen for those people and then add up how much money was earned from that. And anyway, all that was secondhand. None of that stolen money was done by Hugh. So they likely just made up some number. But he's not the one who did the identity theft. He's not the one who did tax fraud scams.
Starting point is 01:15:51 So it's maddening that they're saying he's the one who's responsible for all that damage. Like, Hugh is a criminal. He is the bad guy here, okay? I'm not trying to say he should have gotten off. He absolutely did break the law. What I'm saying is that this is the wrong law to be charging him with
Starting point is 01:16:08 because I hate when the CFAA is used like that. They tried to say he was also in trouble for money laundering, but he didn't do any of his money laundering in the U.S., so I'm not sure if that one even flies, but none of his charges were for any of the credit cards he stole or drained all those sites that he hacked into back then. There's nothing about all the concert tickets that he bought and then essentially scammed all those people.
Starting point is 01:16:30 Like, those are easy charges to slap him with, yet they're completely absent here. There is a law around identity theft, but I think it would be hilarious if they charged him with that, since that's the whole business model of what data brokers do already, right? They work every day to grab as many identities as they can without anybody's permission and then sell them. And not only that, he didn't steal the identities. He paid for them. So the theft part would be in question too. I think the proper crime here that they probably should have charged him
Starting point is 01:17:02 with is that he was knowingly helping criminals conduct crimes, right? Like aiding and abetting and conspiracy, that sort of thing. Hugh knew his site was used by criminals. And they were his favorite customers because they would pay for tons of searches. So he was catering to them, making it easier and better for them to use his site. So while he didn't do any of the tax fraud himself, he did help a lot of people do it. But he wasn't being charged with aiding and abetting. He was being charged with violating the terms of service of a data broker where he was impersonating someone else to get an account there. But the thing is, the feds would have a much harder time proving his site was intended for criminal use
Starting point is 01:17:45 compared to simply giving him a CFAA violation, which is easy to convict someone of. Like I said, we all violate the CFAA all day every day. So in my opinion, the feds charged him with the wrong crime because of the almost guaranteed win for them, as opposed to charging him
Starting point is 01:18:01 with the right crime and then struggling to find evidence to prove that he did that. And by the way, while the fed said that he caused $60 million in damage, nobody was asking for restitution there. None of the data brokers were saying he caused them damage. So if he did do all that damage, find that victim and bring them into the case.
Starting point is 01:18:20 Because here's the thing. I'm looking at the indictment, and there's not a single company name here or victim name listed at all. Of course not, because the data brokers want to hide from you. So the only thing listed there is Company A, headquartered in New Jersey. And it said he did an SQL injection on Company A. Well, by doing a little bit of research, it's kind of easy to figure out that the data broker in New Jersey that they're talking about is U.S. Info Search, which Hugh did, in fact, steal
Starting point is 01:18:48 credentials and used that site. But not much at all. I mean, it was such a small blip in his story that it's hardly worth mentioning. Yet that's the company that was saying he got unauthorized access to. But here's the thing. Here's how it all connects. Court Ventures was partnered with U.S. Info Search. If you were a paid Court Ventures user and you look someone up, they had a connection to U.S. Info Search. So you'd get results from them too. Now, I'm just connecting the dots here, but that sounds like to me that Court Ventures was reselling data broker information that they got from U.S. Info Search. Like, surely, whatever deal they had with U.S. Info Search, they were selling that data for a higher price to their own customers, right? You see my point. This story is pretty
Starting point is 01:19:34 bizarre. So you could say this company listed in the indictment, U.S. Info Search, was the back end, and provided data to Court Ventures. And it's U.S. Info Search that the U.S. government is saying Hugh got unauthorized access to and profited off that access. You say the victims were the people who got their tax fraud or whatever stolen. But I really think the victims are the people you were stealing from, right? Locate Plus, MicroBilt, and the source. Yeah, venture.
Starting point is 01:20:10 I think those are the people you were robbing or attacking, and I'm surprised, were they part of the case at all? Did they come and testify against you or give evidence? No, no. I didn't see anybody from this company. Yeah, but I can't. I just, did you have a good lawyer? I pay for the lawyer.
Starting point is 01:20:33 I spent almost more than, I think, up to 700,000. Wow. Yeah, for the lawyer. Because I would have fought to say, yeah, you're saying that he caused $60 million in damage. However, he did not actually do any of that damage. He just gave the information to someone else, and someone else did the damage. He never did a tax fraud. So you can't say he's the one who did tax fraud.
Starting point is 01:21:04 It's like if I sell you a lighter and then you take that lighter and you burn a building down with the lighter, I'm not in trouble for selling you the lighter; the person who burned the building down is. Not true. But you know, back then, you know, like, a lot of people told me the same thing. You know, I shouldn't keep, you know, I shouldn't hire a lawyer.
Starting point is 01:21:27 I just keep that money. Yeah. But, you know, like my family, you know, they're so worried and they just look up on the internet, you know, oh, yeah, this is good lawyer, like good, good rating. Like, five stars rating, international lawyer,
Starting point is 01:21:40 whatever in New Hampshire you know like professional one and yes that's what happened I remember like every time the lawyers and his team meet me up
Starting point is 01:21:57 like every every time like that it cost me like 5 to 10,000 USD and an email I sent to him or the lawyer team, like, it cost me like two or three hundred USD.
Starting point is 01:22:16 I know. Lawyers are so expensive. So expensive. I know. It's very expensive. But, you know, it's why easy, you know, easy money, easy gold. So I'm, for real, you know, I don't really complain about it. Like, because at the end of the day, it's kind of like dirty money.
Starting point is 01:22:35 You know, another thing that really bugs me about this whole thing is neither MicroBilt, Locate Plus, or Court Ventures ever told their victims that there was a database breach. No. They never say, even until now, I thought about them and they never mentioned anything about it, even though it really happened to them. What's comebacks?
Starting point is 01:22:57 I have no sympathy for these data brokers. I absolutely hate them. They take my data without consent. I can't even opt out if I want. They don't protect it. And when it's lost in the data breaches, they don't even have the decency to tell me that my data that they gathered on me got loose. Hugh was desperately trying to get his lawyer to help him.
Starting point is 01:23:18 But here's the thing, there's a 99% conviction rate when the feds slap you with a CFAA violation. In all the cases of the feds accusing someone of a CFAA violation, I've only been able to find two or three cases that the defendant actually won. The rest were people pleading guilty or found guilty in trial. So the chances of Hugh getting off were slim to none. He tried to fight it, but everything they tried just kept getting
Starting point is 01:23:45 denied by the courts. And after a few years of fighting, Hugh got tired and was running in the wrong cash. You know, my lawyers explained to me, you know, I may lose the trial, I may get up to like
Starting point is 01:23:59 45 years in federal prison. Forty-five years. And I got so scared. I got so scared. All the charges, like all combined together not only from New Hampshire right but also from the from New Jersey as well too
Starting point is 01:24:15 so I got two two criminal charges from New Hampshire and New Jersey so they all combined together and they they say up to like 45 years if I lose
Starting point is 01:24:33 so my family and me was so scared. So we plea. We plea a plea deal. And yeah, I plead guilty during the summertime of
Starting point is 01:24:48 2015. Guilty. Guilty of doing $60 million in damage. When your sentence came up, or during a plea deal, did you offer
Starting point is 01:24:59 to give up your money to reduce the sentence? Like, how did that go? Oh yeah. My family also asked them, you know, like they want to give back all the money. But they say no, they don't need that. Really?
Starting point is 01:25:19 Right. They don't need money. They don't need any assets. And they don't need anything. So, it's why it. So, but the thing, you know, I spend a lot of money on lawyer. Yeah. On, you know, like, during my
Starting point is 01:25:35 incarceration as well too, you know, like for foods and medication and stuff like that. So they didn't take any of your money or property or cars or anything? No. They didn't care. They say they don't need that. They just want you. They just want me. After pleading guilty, he was sentenced to 13 years in prison.
Starting point is 01:25:59 13 years for getting access to data broker data, which he wasn't authorized to access. At this point, I'm wondering, what if, instead of Hugh accessing data-broker data to sell that, what if he just made his own data broker business, you know, for anyone to access? Would that be illegal? Like, if Hugh copied all the data out of the phone book and all the court records and the county records and scraped some LinkedIn data to build complete profiles on millions of people, that's all public information, right? And it wouldn't have been that hard for him to do because he's a clever guy.
Starting point is 01:26:31 Are there laws that he would be breaking if he sold that data? I guess what I'm wondering is, are there laws that data brokers have to follow? Well, I had to stop and look into that. Basically, yes, there are data broker laws, and often states regulate them. And the gist of the laws is that data brokers have to prove that they aren't selling their data to criminals. I mean, think about all the dangerous household things we probably all have, right? Box cutters, a hammer, matches, lighters, gasoline, bleach. These are all things that can cause a lot of harm and destruction, right? Yet, when you go to buy them, the store doesn't verify your intent.
Starting point is 01:27:12 They're not like, hey, what are you going to do with that box cutter? You have to prove to us that you're going to put it to good use. Yet, that's how data brokers treat their customers. Their customers have to show proof that they have a legitimate reason to search their data. and they're on the approved list of okay people. Apparently it's not good enough for data brokers just to say, hey, you can't use this for malicious intent. They have to verify every single user
Starting point is 01:27:39 to try to prevent any of them from using the data maliciously. So the approved list is people like law enforcement, marketers, investigators, loan agencies, those sort of people. And that distinction is very fascinating to me. Data brokers are legal, but only if they sell their data to an exclusive group of people and I don't like that
Starting point is 01:28:03 not one bit I mean of course I don't like that there's a business out there buying and selling my personal information that's gross go get a real job all right but I think I might have a hot take here I don't like that they only sell their data
Starting point is 01:28:18 to a certain group of people. I wish they sold it to anyone. Only people in some exclusive club can look up my data, a club that I'm not allowed in? I mean, the reason why states regulate data brokers is because if anyone could search those databases, then we'd all be flooded with scammers
Starting point is 01:28:34 and identity thieves and stalkers. But to me, that's not the problem. To me, the problem is, one, I don't even know how much data those data brokers have on me, and two, I don't even know who has my data. Like, if I could somehow feel the sting and pain every time my privacy is lost, I would take my privacy way more seriously.
Starting point is 01:28:54 So, like, I know there's probably apps on my phone that are sending real-time location data right now to a data broker. And if someone took that data and saw where I was and came to my house and knocked on my door, of course I wouldn't answer because I never answered my door. But I just imagine them continually pounding on the door like, hey, I know you're home, answer the door. Your phone is sending me real-time location data to me right now. I'd immediately be like, wait, what app is sending you my location data? and I think having a scary moment like that would absolutely force me to uninstall apps that are tracking me.
Starting point is 01:29:31 So my hot take is that stalkers aren't the problem here. It's the obsessive collection of my data. That's the problem. If data brokers open themselves up to let anyone search their site, we'd all be way more private and secure because we'd all be taking huge steps into protecting our privacy way more seriously. When we don't know what's out there, we don't think it's a problem. And they're trying to hide that from us.
Starting point is 01:29:59 Of course, the data brokers say they take our privacy seriously, and security is their top priority. Yeah, well, until it isn't. Hugh got into four different data brokers, all by himself, and it didn't look like it was that hard for him to do. Not only that, there's news story after news story of data brokers getting hacked into. The biggest one is when Equifax got breached. If the data brokers were so worried about their data getting into the wrong hands like scammers and stalkers, then don't collect it at all. Because if there's one thing I've learned about doing over 160 episodes on hacking, is that you will fail at securing your network and data at some point.
Starting point is 01:30:38 There is no safe way to collect and store my personal data, much less sell it. The regulators think forcing data brokers to vet every user is stopping criminals from accessing the data, but clearly criminals are in fact accessing the data. Since when do criminals follow regulations? So really, all the regulations are doing is stopping people like you and me, normal citizens, from being able to see what's in there. There are so few people who truly understand
Starting point is 01:31:09 what is happening in this data broker world since they like to operate in the dark in the shadows of the internet, and they work hard to keep everyone else in the dark. I want to believe that someday privacy will be in style again, and we just need enough cool people to tell us it's worth wanting, because data brokers has a bad aesthetic. Surveillance is sterile. It's cold, gray, and depressing.
Starting point is 01:31:32 There's nothing cool or romantic or aspirational about being trackable down to when you're peeing or having sex or eating or sleeping. Yet these data brokers are feverishly trying to know all of that about you and build a complete behavior profile on you and then selling that to millions of people who are on the allowed list. I hope someday wanting privacy
Starting point is 01:31:57 doesn't make you a weirdo, but it makes you cool. Hugh was sentenced in 2015, which meant he'd get out in 2026, because he already spent two years in prison by that point, and it was there, in the New Hampshire prison, where he learned English
Starting point is 01:32:16 and studied all kinds of things. The police asked if he could share his story with others to teach them how the dark net works and all that. So he cooperated and told his story and was trying to self-rehabilitate to get out early. But when he was in prison,
Starting point is 01:32:29 he heard some news, which really crushed him. That Liberty Reserve website was seized by the feds, and the owner was caught. I heard on the news that he got caught. And the thing is, Hugh had a lot of money
Starting point is 01:32:42 still in his Liberty Reserve account, but when the feds seized the site, they seized all that money too. How much did you lose there? I was safe enough over there, like a little more than $300K.
Starting point is 01:32:57 Wow. I was thinking, man, I will go home and then we get that money. But you know, the moment I heard on the news during my incarceration time in 2014 or And I say, man, it's over.
Starting point is 01:33:17 No more money. So he continued serving his prison sentence, staying out of trouble. Because he had good behavior, they let him out early. After serving seven years in prison, they let him out in 2020. There was a lot of complications getting out of prison in the middle of a pandemic. So it took him eight months to get home after he was released. But he eventually made it back to Vietnam. When you got home in 2020,
Starting point is 01:33:43 Did you have money remaining from all this? I still got a little more than 50,000 USD and one apartment. When he got home, he got a job with the Vietnamese government to help with their national cyber defense. They so-called the NCSC, the National Cybersecurity Center. And been working there for like four years. I just left NCSC just five months ago because, you know, like the government, they resuscial the agency
Starting point is 01:34:24 and that's why I left NCSC. And right now, I just try to mainly focus on cybercrime investigation. And I love hunting cybercriminals technically. And to the day, I got home until now, I was helping law enforcement in Vietnam and other countries as well to arrest more than 200 cyber criminals. He says he also enjoys helping victims of scams and identity theft by educating them on what
Starting point is 01:35:01 options they have and helping them regain control of their life and use the law to help them out. In fact, it sounds to me that Hugh feels pretty bad for all the people who got scammed from his service. You know, I owe a lot to the people, especially the people in the U.S. I, kind of like I hurt and harm so many people's lives. And I kind of always feel ashamed about it. So he wants to be clear that he is sorry for anyone whose identity got stolen
Starting point is 01:35:32 and lost money from his website. He truly feels bad about it and has apologized publicly multiple times and wants to try to do what he can to correct the wrongs done, which is why he's helping victims now and worked with law enforcement to catch cybercriminals in his home country. Thank you so much to Hieu Minh Ngo for telling us this incredible story. This one was wild. I had to stop and think like multiple times while making it.
Starting point is 01:36:07 And I love a good story that puts me in deep thought like that. And I hope it did for you too. I recently read a book about Data Brokers, which was extremely eye-opening, and I encourage you all to read it. It is called Means of Control by Byron Tau. Check it out. It's a total page turner. You will not see the world the same again after that.
Starting point is 01:36:24 Don't forget, you can pick up some really cool shirts at our shop. I guarantee you will find a shirt you love there. Go to shop.darknetdiaries.com. This episode is created by me, the Hack Street Boy himself, Jack Rhysider. Our editor is the hash-slashing Tristan Ledger, mixing by Proximity Sound and our intro music by the mysterious Breakmaster Cylinder. They say if you don't pay for it, then you're the product.
Starting point is 01:36:49 But what if you pay a data broker to look up your own data? What then? This is Darknet Diaries.
