Darknet Diaries - 175: Bayrob

Episode Date: June 2, 2026

It started with a fake car listing on eBay. What looked like a simple online scam quietly grew, over more than a decade, into one of the most sophisticated cybercrime operations the FBI had ever traced. Custom malware. Opsec off the charts. Fleets of infected computers mining cryptocurrency for someone else. Millions of dollars siphoned from victims who had no idea. This is the story of Bayrob and the three men from Romania who were behind it. And the long, strange road that led American investigators to their door.

Sponsors

Support for this show comes from ThreatLocker®. ThreatLocker® is a Zero Trust Endpoint Protection Platform that strengthens your infrastructure from the ground up. With ThreatLocker® Allowlisting and Ringfencing™, you gain a more secure approach to blocking exploits of known and unknown vulnerabilities. ThreatLocker® provides Zero Trust control at the kernel level that enables you to allow everything you need and block everything else, including ransomware! Learn more at www.threatlocker.com.

This show is sponsored by Meter, the company building networks from the ground up. Meter delivers a complete networking stack - wired, wireless, and cellular - in one solution that's built for performance and scale. Alongside their partners, Meter designs the hardware, writes the firmware, builds the software, manages deployments, and runs support. Learn more at meter.com.

This show is sponsored by Maze. Maze uses AI agents to triage and remediate cloud vulnerabilities by figuring out what's actually exploitable, not just what's theoretically risky. They remove the noise, prioritize vulns that matter, and manage remediation, so your team stops wasting time on meaningless vulns. Visit MazeHQ.com/darknet for more information.

Support for this episode comes from NetSuite. NetSuite gives you visibility and control of your financials, planning, budgeting, and of course - inventory - so you can manage risk, get reliable forecasts, and improve margins. NetSuite helps you identify rising costs, automate your manual business processes, and see where to save money. KNOW your numbers. KNOW your business. And get to KNOW how NetSuite can be the source of truth for your entire company. Visit www.netsuite.com/darknet to learn more.

This episode is sponsored by Chainguard. Chainguard builds container images the right way: minimal, hardened, and built from source every single day. We're talking images with zero known CVEs, designed from the ground up for production. No bloat. No mystery packages. No 2 a.m. patching marathons because some transitive dependency lit up your dashboard. Stop patching images that are insecure. Start shipping clean. Head to chainguard.dev to see how secure your software supply chain can really be.

Transcript
Starting point is 00:00:00 Hey, it's Jack, host of the show. What a fun show this has been to make over the years. I'm having such a blast doing this. And I think this episode is one that sent me on an adventure that I'll never forget. It's a big and wild story. So let's not waste any time. These are true stories from the dark side of the internet. I'm Jack Rhysider.
Starting point is 00:00:29 This is Darknet Diaries. This episode is sponsored by Maze. Security teams are drowning in vulnerabilities. 40,000 common vulnerabilities and exposures, aka CVEs, dropped in 2025 alone. With attackers being able to exploit new vulns in days, not weeks, your backlogs are a ticking time bomb. Engineers do not have enough time to manually triage them all. But what if they did? That's the question Maze was created to answer.
Starting point is 00:01:14 Maze uses AI agents to triage and remediate cloud vulnerabilities. Traditional vuln scanners use rigid rulesets like, if a CVE is on a publicly exposed asset, make it a critical. But that's silly. Maze's AI agents investigate every vulnerability in your cloud the way your best security engineer would, figuring out what's actually exploitable, not just what's theoretically risky. They remove the noise, prioritize vulns that matter, and manage remediation so your team stops
Starting point is 00:01:41 wasting time on meaningless vulns. So check out Maze at mazehq.com slash darknet to learn all about AI vulnerability management that works. That's Maze spelled M-A-Z-E. MazeHQ.com slash darknet. Meet Liam. Yeah, I'm Liam O'Murchu. I work with Symantec and I've been there since 2004. And I work in the security response department and analyze malware. I've seen you before. Have you been on TV? I have been on TV. So I was part of the team at Symantec that analyzed Stuxnet, the virus that was infecting equipment at uranium enrichment plants in Natanz in Iran. Yeah, you were one of the early ones to explain.
Starting point is 00:02:30 This is what was discovered. That's right. We were the team that discovered what Stuxnet did, what the payload was, how it worked, how it had spread, who it was targeting. Yeah, and then because of that, I was in a documentary that was shortlisted for an Oscar in 2016 called Zero Days, by Academy Award-winning director Alex Gibney. So if you want to know what I do in my job, you can see it all there. And then also Kim Zetter wrote a book about it as well, and that whole story and my work and my team's
Starting point is 00:03:04 work was featured in that book as well. Yeah, Stuxnet was a huge deal, which really revealed the lengths the NSA will go to in order to create malware. And I covered Stuxnet in episode 29, if you're interested. I actually interviewed Kim Zetter for that one. And so after that, Liam continued to investigate threats. I think he has the most firsts on investigating novel threats. That is, threats that the world has never seen before or figured out yet. And so one day, a new piece of malware
Starting point is 00:03:30 showed up on Liam's desk. Yeah, so our customers at Symantec, they'll get malware on their machines, and then they'll send it to us for analysis, so I got this file that I wanted to analyze for this customer. And when I started looking at it, something felt off about it compared to the other malware that we would look at regularly.
Starting point is 00:03:48 It wasn't run of the mill. There was something different about it. There's a lot to do when analyzing new malware, but first you need to collect a sample of it. And Liam didn't have a complete sample yet. He really wanted to know what this malware does and what it does to the victim and what's the objective of it and who are the people who created it and how does it spread? And I understood that they were trying to defraud customers of eBay. So I decided to name it, I couldn't use eBay as a trade name. So I decided to call it Bayrob because they were robbing customers of eBay.
Starting point is 00:04:19 and what the malware was doing was it was sitting on your computer and when you tried to connect to the eBay website, it would intercept your connection and it would inject false information into your browsing session. And it made it look like the false information was actually coming from the eBay legitimate URL, so you wouldn't notice that anything was different. And then they were using that to sell you things
Starting point is 00:04:43 that didn't exist on eBay. He wrote up a little thing and published what he knew about this malware, but he still didn't quite have all the pieces for it yet, and he really wanted to know more about it. The sample he got wasn't quite enough for him to fully infect a machine to watch this malware, like it seemed to be infected, but it would never actually do anything on his machine. So he went on a hunt to learn more and had to think like a victim.
Starting point is 00:05:07 How do victims get hit with this? How is it delivered? How do you get infected? And he learned where the watering holes were that people were going to get infected with this. specifically through phishing emails and Craigslist posts. I kept searching to see if I could find that missing piece and I just kept on looking through our telemetry
Starting point is 00:05:28 and looking to see where I might find this. And I knew there was some places where this was probably going to be distributed so I was looking in those places like on Craigslist, for example, in email, and looking to see if I could find any places where I could find a complete package that would help me to analyze it from beginning to end and understand exactly what the attackers were doing, how they were making money,
Starting point is 00:05:48 where they were sending the money, the entire thing I wanted to know it all. And it turns out that the reason I couldn't solve the entire problem was because the attackers were geo-fencing their fraud so that it could only happen in America and only happen in certain locations within America. And I was in Ireland at the time, I was based in Ireland. So when I tried to connect to these auctions, because they were posting these fraudulent auctions, because I wasn't in America, I wasn't authorized to see this fraudulent data.
Starting point is 00:06:16 That's already impressive to me that this malware only worked for Americans. If anyone else in the world would be infected by it, they're basically immune to it? Wild. So since he couldn't get scammed by these fraudulent eBay auctions, he tried to find someone who had been scammed by them. And he did find someone who lost thousands of dollars
Starting point is 00:06:36 after trying to buy a car on eBay. And I managed to discover who that victim was. I reached out to that victim, and she had actually signed up for an auction after she had been defrauded the first time. She went, she found another auction that was very similar, and she signed up for that, and she had gotten the entire malware package. And I spoke with her and she was prepared to share that with me.
Starting point is 00:06:56 He was able to get the malware off her machine and analyze it. And he discovered how it works and what it does, how the infection happens and how the criminals use it to steal money. But he wanted to see it in action still. So he got a plan. I posed as her. I recorded my entire session and I went online and I bought this car. and as part of the fraudulent information that they were injecting into the eBay website, they injected a chat window where you could chat about this fraudulent auction.
Starting point is 00:07:25 And when you chatted, you thought you were talking to eBay support, but you're actually talking to these attackers. So I recorded this entire thing. I went and I bought a car, I talked to the attackers, tried to engage them as much as possible to see if their English was good and tried to talk about different hours of the day to see when they might be awake and not. And I recorded this entire thing and ended up being successful buying this car, and going all the way through with the transaction to the point where they send me
Starting point is 00:07:50 information about a money mule where I was meant to send my money. And that was where I stopped. I didn't actually go through and send any money. But at that point I had victim information, I knew exactly how the threat worked, I knew exactly how much money they were making, and I understood how the whole thing worked. And more importantly, I had a video of exactly how it would work from beginning to end. And what I did was I published that on a blog saying, here's the threat, here's how it works, here's how you can protect yourself, here's what it looks like, here's a video of me buying a car, here's a video of me talking to the attackers, and
Starting point is 00:08:26 publish that. Liam's blog post was well received. People liked it and shared it. A lot of people read it. And after posting it, Liam kind of moved on to other things. He felt like he pretty much got to the bottom of this. Like he created signatures for how people can detect this and what command and control servers it uses.
Starting point is 00:08:44 This was enough information for companies to create antivirus rules and block these servers. And that should have been it for Liam researching this Bayrob malware. But the Bayrob malware started changing after that. So they would name their command and control servers various different things. They picked random names for the URLs of their command and control servers, but then they started putting my name in there. So they had domain names like geassolim.com,
Starting point is 00:09:14 tinycockliam.com, liamthemule.com, thankyouliam.com, yeah, a variety of different variations of that over the years. And then also because there was a little encrypted section underneath that, they could also leave a message in the malware that they knew only I would see or someone who was analyzing the malware would see. And then they left messages in there like Symantec does group masturbation. It was one of them. So just over years, they would leave these messages in there for me. And of course, when I saw that, that made me more
Starting point is 00:09:45 interested in understanding what was going on. My favorite message they left for him in the malware was, Symantec team is a big hen-coop chicken smart. Hen-coop chicken smart. What does that mean? And all this mocking and taunting actually made Liam want to look more into this Bayrob malware. His name in the malware is what drew him back into this. So he got a computer and set it up in the lab and got infected with a fresh copy of the malware
Starting point is 00:10:12 and went to analyze it further. Now, because he worked at Symantec, this gave him access to some pretty powerful malware analysis tools. So he ran this through there. I was able to see where they were connecting, where they were hosting, how they were routing their traffic, how we could become part of that routing, how we could see some of their messages, how we could infiltrate, how they communicated. And that was super, super important in understanding the entire attack. The way this malware routes across the planet is fascinating to me. The way they were protecting their identity was they were routing their traffic through infected machines so that if someone like me or law enforcement tried to trace them to their
Starting point is 00:10:59 original location, it would be very difficult to do that because they would jump through multiple infected machines in multiple countries. So if you saw their first IP address and you tracked that down, you would get a victim. and even if you monitored that victim machine, you would get another victim in another country, and to go and trace it all the way back to their home machine would be very, very difficult. So it was a really smart way for them to hide their traces.
Starting point is 00:11:24 Clever, right? So the attackers would never directly connect to their command and control server or their victims. Heck, they wouldn't even talk amongst each other directly. Instead, they would always use at least three hops through their infected victims to communicate with anything, even just Googling things. And if they wanted to connect to a victim, they'd go three hops to their command and control server and then three hops to the victim.
Starting point is 00:11:46 This made it incredibly difficult to trace even just what country the Bayrob gang is located in. And at the time, there were over 6,000 computers infected by this Bayrob malware, and any of them could be part of this proxy chain. And that gave Liam an idea. If they're using the infected computers to connect through, then does that mean the infected computer Liam has in his lab has a one in six thousand chance of seeing a connection from these attackers? Maybe.
Starting point is 00:12:15 So he gets this infected computer back online, put some packet captures on it, and waits a long time, like over a month, and he never saw anything. It all started off under my desk, actually, in the office. I had my little test machine under my desk, and I set it up there and I ran the malware, and I was very disappointed to see that they never connected to my machine.
Starting point is 00:12:36 And then I started to realize, so there's an algorithm that they're using to decide which machine to connect to. Yeah, get this. After Liam had his infected machine online for a month, listening for connections from these criminals, he noticed the malware suddenly changed after a month of being online. More code was added to it. And this code had all the details for how the proxy chain worked.
Starting point is 00:12:58 So to begin with, a machine had to be infected for 30 days before it even received the proxy chain code at all. And so he analyzed this proxy chain code, and he saw that not all infected machines have the same weight for being used by the hackers to hop around. So then I understood that if you had a higher bandwidth, you had a better chance of being used. If you were in different geographies,
Starting point is 00:13:20 you had a better chance of being used. So it went from underneath my desk to a server in the west coast of US, then to a server in the east coast of the US. This time, with a beefier server, with higher bandwidth. And now this gave him a one in 400 chance that these attackers might connect through his machine. But still, after sitting there and listening for any proxy traffic coming through, nothing. He looked at this proxy chain code again,
Starting point is 00:13:47 and he learned that before they would use a computer in the proxy chain, they would take a screenshot of that computer and look at it to see if this looked like a normal person's computer. Because if it looked like a threat researcher, like Liam's computer, or a cop, they might notice something off and not connect to that machine. these hackers would vet every single computer before using it in that proxy chain. Holy cow. So Liam had to make sure his computer and his lab looked like someone's home computer.
Starting point is 00:14:17 But on top of that, Liam also discovered that if the infected computer was in Romania, it would be given priority in the proxy chain. Basically, it had a higher chance of being chosen for their first hop, which might also be a clue as to where these guys are from. So we rented a computer in Romania, infected it with this malware, beefed it up with a fast internet connection, made it look like a regular user's computer, and waited 30 days for the proxy chain code to come on,
Starting point is 00:14:44 and then waited some more. This time, he thought he had a 1 in 40 chance of them connecting to his machine now. And eventually they would connect to my machine as their first machine in the chain, which meant I got their home, or what I thought was their home IP address. So I was getting these addresses in Romania, in Bucharest and in the town called Brașov, and every now and again they would slip up and you would see that that's exactly where they were coming from. So by using those proxies,
Starting point is 00:15:12 not only was I able to see where they were coming from originally, but also I got to see an absolute treasure trove of information that they sent across that network because they felt they were protected. So I would see, first of all, them setting up their campaigns, I would see them transferring all the files that they needed to run their fraud.
Starting point is 00:15:30 I could see them Google searching for images or for texts that they were going to use. I can see them setting up email campaigns. Wow, what an amazing insight he had to these attackers. These guys were using this proxy network for everything. Every time they'd check email or move money. Or yeah, even searching Google, they were unknowingly routing their traffic through Liam's computer.
Starting point is 00:15:52 Or at least sometimes it would be chosen to go through Liam's computer, and he was capturing it all. But just because Liam was in the connection path, capturing this data, the data was unreadable. And that's because these guys were encrypting everything. All communications to the command and control server was encrypted. All communications between the different attackers was encrypted.
Starting point is 00:16:12 He could tell these guys were talking over Jabber, but couldn't see any of the messages since they were using OTR, off the record, which does end-to-end encryption on all Jabber chats. So most of the time, Liam had nothing but encrypted gibberish, but every now and then he'd see a small blip where something wasn't quite encrypted all the way, or metadata about a connection would tell him what they were doing right now.
Starting point is 00:16:38 And by this point, Liam had been investigating and tracking this malware for years and has a way deeper understanding of who's behind this compared to his first blog post. I had analyzed the malware and I knew where they were connecting and I could see where they were connecting all over the world and I was like,
Starting point is 00:16:53 I can't do anything about this, but I know law enforcement could go and they could get these servers and these computers and these addresses and they could actually take action on them. So we went searching for law enforcement who would work with us on this case, and we had a long list of all of the things that the attackers were doing. And that was how we ended up contacting the FBI.
Starting point is 00:17:14 But as it turned out, the FBI was already on this. Hi, I'm Stacey Whitaker. I am now a retired FBI agent. In 2007, I was a pretty new FBI agent, had only been in for a year, and was still learning kind of my job. But yes, so I had been contacted very early on by one of the initial victims of the Bayrob group. She had reached out, I was working in the Cleveland Division at the time,
Starting point is 00:17:40 and so she reached out to the Cleveland FBI office to report that she had been victimized on eBay. And so I had simply answered her phone call when she called the office and talked to her about what had happened to her. And she explained to me that she had tried to purchase this vehicle on eBay, and that she had supposedly won the auction. She had paid for the vehicle, approximately $8,600. And then she never received the car.
Starting point is 00:18:08 It was supposed to be transported to her, and she never received it. And on the initial phone call, that was pretty much all that she knew. And so I had asked her, as we typically do in the FBI, to report this information to IC3. ic3.gov is a website that we use to collect information from victims of all different types of crime related to the Internet primarily. And so she did. She went to IC3 and she reported it. And at the time, I thought that was the end of that conversation. Because, of course, for $8,600, the FBI typically is not going to open a case. But she actually called me back about two or three days later and told me that it was explaining to me that she had figured out on her own that her computer was infected with a virus. And it was related to this eBay fraud. And it took a little bit of convincing to convince me that she,
Starting point is 00:19:01 actually was correct. She sent me Liam's report on Bayrob. And so I read, that was the first time I had read his report about this virus. And so basically I had decided to go out and meet with her. I took a computer forensic examiner from our office with me so that we could look at her computer, we could verify that she was in fact infected on her computer with this virus, which we did. And so because of that, because she was infected with malware, we
Starting point is 00:19:31 were then able to open investigation, even though it was such a small amount of money that we were talking about. And it was around here in 2007 is when Liam got in contact with FBI Special Agent Stacey to tell her all about what he learned. But even with all that information, the FBI didn't make any progress on this case. In fact, for the first five years of this case being opened, very little happened with the FBI. It was very slow and very frustrating. Very slow and frustrating. So one thing I would say about, I think this case is a very good example of the evolution of the FBI in many ways as well. So in the beginning in 2007, that was a time when we in the FBI, we didn't necessarily work hand in hand with private sector, right?
Starting point is 00:20:17 So even though I ended up talking with Liam in 2007, we shared some information a little bit, but then we kind of went our separate ways. We didn't talk again until 2012 because that was kind of the way that we did things at that time in the FBI. We didn't share information too much with the private sector. We would, you know, do subpoenas, we would do search warrants and we would gather information, but we didn't necessarily work hand in hand like we do today. Also, at that time, we didn't necessarily work very many investigations that touched overseas either. So again, I was a new agent in the FBI, and I opened this investigation and pretty quickly was able to determine that all the money was going overseas. I was tracking the money, figuring out where it was getting
Starting point is 00:21:04 picked up in different countries in Europe. And when I figured that out, and I was talking with the other agents on my squad, their reaction was basically, oh, you need to close that case. Again, this is in 2007, and we just didn't have as much visibility and as much partnership with other countries as we do today. And so I refused to close the case and kept working at it and kept collecting information, even though I was very limited in what I could do. I was talking with the, I mean, we did have an FBI office in Bucharest, in Romania. And so I was sending information to our FBI office over there to try to,
Starting point is 00:21:47 initially it was simply sending them information on the money mules that were picking up the money. So I was able to track the money being sent via Western Union. And initially it was getting picked up in Greece, and then it was in Hungary and then it was Romania. It was several different countries in Europe where money was getting picked up. So I didn't necessarily know at first that it was Romania. But most of the money mules were using Romanian IDs when they would pick up the money. So for five years, all I'm really able to collect for the most part is victim information, right?
Starting point is 00:22:21 I'm creating the spreadsheet of all these different victims that I've identified. I'm identifying money mule accounts or IDs. and money transactions, and I'm collecting all of that information. Now, even though Stacey was new at the FBI, she was pretty sharp, especially with computers, since she was a computer programmer in the Air Force before this, and was really intrigued by this case, probably more intrigued than anyone else at the time.
Starting point is 00:22:45 But she knew if she was going to solve this, she was going to need more help on the investigation. I bring in CCIPS eventually to help on the legal side, and then I end up talking with Liam again in 2012, who connects us with Owen. And at this point, I'm figuring out that this is a very sophisticated group that we're dealing with, obviously. And especially from all the work that Liam had already done, I knew, you know, although I was on the Cyber Squad in Cleveland, I didn't have a super techie background,
Starting point is 00:23:16 certainly a little bit, but nowhere near as much as Ryan. So I definitely needed some help on that side of things. And so I asked Ryan to work on this case with me. Yeah, so my name's Ryan McFarlane. I'm the IR practice lead at Trusted Tech, but at the time I was a cyber agent. I was coming from D.C. where I spent two years at our National Cyber Investigative Joint Task Force working whole of government counter operations against China and was transferring back to Cleveland and got to Cleveland. And the first thing I ended up getting asked to do was to work with Stacey on this case. So Stacey starts bringing Special Agent Ryan up to speed on this case. You know, I land in Cleveland and start working this case with Stacey. And I spent the first, you know, six months to a year just going after all the infrastructure that these actors were using. And working with the U.S. Attorney's Office in Cleveland and CCIPS to get legal process and a ton of technical coverage on the Bayrob group.
Starting point is 00:24:25 Of course, one thing the FBI is good at is following the money. They learn that these criminals use money mules a lot. So when the criminals would trick a victim into sending them thousands of dollars, like through an eBay auction or something, the victim didn't actually send that money directly to the criminals. Instead, the criminals hired someone else to collect that money, keep a portion of it, and then forward the rest to someone else. And then they would forward that money again to someone else,
Starting point is 00:24:51 and eventually it would be forwarded all the way to the criminals or turned into cryptocurrency and then given to the criminals. And they would get these money mules by putting ads on Facebook or Craigslist, advertising a legit job, like a work-from-home type of thing. And then they trick the money mule and lie to them about why they're accepting this money and where they're sending it and what's happening. And the strange thing here is that even though the money mule is tricked into thinking they're doing some legit work, being a money mule is actually illegal.
Starting point is 00:25:21 And these people could get arrested for this. We're now more than five years into this investigation, and the FBI started bringing even more people into this case. I'm Brian Levine. At the time, I was a cybercrime prosecutor at the Computer Crime and Intellectual Property Section in Washington, D.C. That's under the Department of Justice. Yes, as part of the Department of Justice. I was also a national coordinator for all the computer hacking and IP prosecutors around the country, one of whom was Duncan Brown, who was an AUSA, assistant U.S. attorney in the Northern District of Ohio,
Starting point is 00:25:59 Stacey and Ryan looked over the case more. They got a lot of information from Liam at Symantec, who discovered all this stuff about the way that proxy chains work and how he's infiltrated the chain and even captured some interesting things. And also Liam suggested they talk with Owen. So they called Owen up. My name is Owen Miller.
Starting point is 00:26:16 I worked on AOL's CERT team from 2011 to 2016. I received a report of abuse on my network from a specific IP at a specific time and was told it was related to potential Bayrob activity. I went ahead and started taking a look at that and started pivoting around. We were able to connect specific domains that they were using and accessing with various accounts, various AOL accounts that were being used in order to tunnel traffic through us. AOL allowed anyone to sign up for a free account and then tunnel network traffic through
Starting point is 00:26:53 our dial-up IP allocation space. So we were basically like a very large free open proxy service. And we're also a free email provider. And basically we built a full packet capture indexing system. At the time it was called Moloch and is now called Arkime. We had deployed it at an ISP level. And so us and others as well that offer those same types of services were heavily being leveraged by this group in order to create new accounts, chat with people, all of that good stuff. And so we just started digging around and seeing when they would connect in,
Starting point is 00:27:29 where they would connect from, start going through all of the network traffic that they had presented to us. So Owen from AOL was now feeding the FBI bits and pieces of things that he was seeing. And at the same time, Liam was still listening to the traffic going over the proxy chains. Every now and then,
Starting point is 00:27:45 he'd see them connect to the proxy chain as their first hop, which likely meant the criminals are connecting to this from their home. So he would call the FBI and say, look, I have a strong suspicion that these are the IP addresses of the criminals. And they're in Romania. And so the FBI would contact the Romanian police and ask them, could you find out whose IP this is and go see if those are our guys? And the Romanian National Police were great.
Starting point is 00:28:12 And they would go and they'd come back and they'd say, you know, we just talked to a really nice school teacher. And we were sending the Romanian National Police all over Romania, and they were just, you know, the more doors they knocked on, the more we realized something was going on that we just didn't understand. So even though they're using six or seven hops through this proxy chain before doing anything malicious, that still wasn't good enough to hide their tracks. These attackers were doing something even before going into the chain to hide their tracks even more.
Starting point is 00:28:43 Like for a while, their connections were all coming from like a schoolteacher's home in Romania and then into the proxy chain, or it would come from some other house in Romania, and never for a long period of time. Their home base seemed to move all over the city. These guys were really good. It was really challenging at this point because at least at that time, the Department of Justice was very careful about the legal process
Starting point is 00:29:10 that it issued. And we had to justify what we were doing, which was very challenging because we would often get back what we would describe as nothing, because everything was encrypted, and I would have to go and make an explanation as to why this was beneficial to keep doing this kind of legal process.
Starting point is 00:29:33 And they would say, look, you're getting nothing. Why are you wasting your time continuing this process? And what we realized was these guys were so sophisticated that you just had to get all information you could all the time for as long as you could because you didn't know what was going to end up being helpful in the end. It was all about breadcrumbs. The FBI continued to collect all the data they could.
Starting point is 00:29:57 They had Liam feeding them data that was captured at Symantec. They had Owen feeding them what he saw at AOL. And they were interviewing victims and money mules and logging as many chats as they could. I think they did a controlled buy and tried to talk with these hackers as much as they could. But much of this resulted in nothing since it was all encrypted and obfuscated and wrapped in so many layers.
Starting point is 00:30:18 We were doing all of those things. We were collecting information from Romania. We were collecting it from Liam. I think one of the biggest breakthroughs came from Owen at AOL. So I'll let him, yeah, talk about that. Yeah, sure. So one of the members of the group was typing in his email address to log in on like GMX.de or 1&1 Internet.
Starting point is 00:30:40 They did not use SSL at the time for the login form. So when he typed in his email address, he typed in his personal email address, and then went oops, and then logged in with his, you know, quote-unquote work email address. And so we have the same IP address at the same, within like, you know, 10 seconds, like typing in someone's email address, and then this actor's email address. Oh, wow, what a tiny slip-up. In the year that Owen was monitoring this crew, this is the only time they slipped up like this. That's such persistence on the investigators' part. But also such discipline on the attackers' part.
Starting point is 00:31:21 The attacker accidentally typed the wrong email address. And even though the login failed for that email, it was a curious enough clue for Owen to look further into it. The email address was RaduSpr at GMX.de. So was there anything to find for this Radu SPR name? At the time, you know, Facebook was pretty easy for looking people up based on email address and just here you go, here he is. And then, oh, all right, pivot around.
Starting point is 00:31:46 All right. Oh, they have YouTube channels, lots of stuff, skydiving, I think it was like T&T Brothers or something like that, a bunch of posts on like various forums for like off-road vehicles and stuff in Romania and everything else. And it was just like, you know, pictures, everything you could want. And it's like, I don't know who anyone else is, but I'm pretty sure this is who this is. So we sent AOL a search warrant for all of this data. And, you know, they said, all right, there's a lot of information. Come on in and let's explain it to you as we give you that information. So we came in. I remember it was Stacey and
Starting point is 00:32:21 Brian, and it was unbelievable. Brian, the DOJ prosecutor for this case was thrilled. So what we started doing at that point was we had to use legal process. We did hundreds or thousands of different legal process in this engagement, both domestically and abroad. And so once we had a sense of who one of these actors was, we had more information that we could provide to Romania. We did that through a mutual legal assistance treaty request shortened as an MLAT. And they started going up and doing whatever they did in Romania to try and get us helpful information pursuant to this legal process. One thing we found was the existing process of MLATs back and forth was too slow for this case because the criminals kept changing their infrastructure. So we had to work with
Starting point is 00:33:15 our Office of International Affairs to create a faster process or an abbreviated version of the MLAT process. What they were doing is actually moving locations, right? They were moving. Well, we didn't know what they were doing. We just kept getting different IP addresses and different information. So what we discovered through Romania's response to our MLAT request was that there were three people that were communicating with each other, one of which was the person that Owen had identified, with encrypted communications.
Starting point is 00:33:47 And we could not get through those encrypted communications, and Romania could not as well. We could see that in their home, on their non-criminal machines where they weren't encrypting all their traffic, they were going to cryptocurrency websites and specific ones that we knew
Starting point is 00:34:07 this group was focused on, but that wasn't really strong evidence. It wasn't enough to indict them or extradite them or anything else. It just made us think we had the right people. But for quite a bit of time, at that point, we're like, all right, we think we know who the three people are. But we just don't, because they're encrypting everything, we don't really have enough evidence to extradite them or to indict them. So at this point, we're going on year seven or eight of this FBI investigation. Right around this time, you know, we're in pursuit mode, right? So we're, we're going on year seven. We're trying to get as much visibility into their infrastructure.
Starting point is 00:34:42 And around this time, we get a data intercept on their systems that are controlling all their malware. So they had a multi-layer command and control infrastructure where all the malware was reporting up to the first layer, and then that layer was forwarding onto a couple of servers that were hosted in different places. And we were able to, as a team, figure out where those servers were located. So we went with legal process. We got a data intercept on a couple of these top-level command and control servers. And we were able to see the communications for all the botnet, which meant that we got to see when they updated their malware,
Starting point is 00:35:31 what some of their campaigns looked like, how they were loading additional plugins. So at this time, this group had a number of different lines of business. They were treating all these infected systems, and it was about 400,000 of these systems at the time, as a commodity, right? And every computer could do a bunch of different functions. We saw them instructing these computers to join mining pools
Starting point is 00:36:00 and mine cryptocurrency for them. They could be used as proxies, and some of those proxies were sold on AlphaBay to other cyber criminals out there. They were doing some ad fraud. They were mining those systems for credit card information, which they then sold on AlphaBay as well. So they were AlphaBay vendors. They were replacing your Internet browser with a custom version of their own Internet browser, and everything that was done over that internet browser was uploaded to a couple of servers in North Carolina. And then we'd actually see them go and mine through all that data.
Starting point is 00:36:46 So if they needed Bank of America accounts, they could jump in there and show me all the Bank of America accounts that I have login information to. They could go to Chase and issue a command to say, show me all the Chase data I've taken. Whoa, so while the FBI is ramping up their efforts, the criminals were also ramping up their sophistication and streams of revenue. This has grown quite significantly from its meager eBay fraud with 6,000 infected nodes to now a worldwide plague of hundreds of thousands of computers infected, stealing everything they could and selling everything that they thought was valuable. They were making millions of dollars now, and the FBI really wanted to stop them at this point. But these guys were good, like really good. They had a sophisticated proxy network.
Starting point is 00:37:32 They used PGP for all their emails. They used end-to-end encrypted Jabber chats when they're communicating to each other and encrypted everything that they were sending back and forth between them and the command and control server. The FBI couldn't even follow the money since it used a whole vast network of money mules that would scour the world. And on top of that, they were somehow constantly moving around in Romania, changing IP addresses all the time. So the Romanian police couldn't find them either. We're going to take a quick ad break here, but stay with us because the FBI is not giving up. This episode is sponsored by Meter, the company building networks from the ground up.
Starting point is 00:38:09 If you employ and work with IT engineers, you're going to know how hard it is for them to do their job well. What your business needs is performant, reliable, secure networking infrastructure. But what you get is IT resource constraints, unpredictable pricing, and fragmented tools. What you and your engineers need is a modern platform you can all trust to support your business. Enter meter. Meter delivers a complete networking stack, wired, wireless, and cellular in one solution that's built for performance and scale. Alongside their partners, Meter designs the hardware, writes the firmware, builds the software,
Starting point is 00:38:41 manages deployment, and runs support. That means less time your employees spend writing to multiple vendors and more time working and improving your IT systems. Meter's full stack solution covers everything from first site survey to ongoing support, giving you a single partner for all your connectivity needs. Thanks to Meter for sponsoring this show. Go to meter.com slash darknet to book a demo now. That's spelled M-E-T-E-R, meter.com slash darknet and go book a demo.
Starting point is 00:39:12 Liam over at Symantec kept watch over what was happening on the wires. And at one point, he saw a scam happening in progress. I reached out to some people who were about to become victims because I was able to see their information as the auction was in progress, and I saw their telephone number, and I called them, and I said, you are being victimized. I'm calling you. I'm not trying to sell you anything.
Starting point is 00:39:36 I'm telling you now, you're about to get scammed because of this auction. And they wouldn't believe me. They would think I was trying to scam them, and then they would go ahead and I would see that they had continued and they'd bought the fraudulent car, even though I'd actually warned them. I'm sure you've heard the phrase that in cybersecurity, the defenders have to be right all the time,
Starting point is 00:39:54 but hackers only need to be right once to get in. But in this scenario, the hackers were essentially on defense since they had to be super careful not to reveal anything about themselves because one slip-up and the FBI would swoop in on them and would be all over. It is very interesting that what we were doing was we were waiting for their one slip-up. We were getting mountains and mountains of data, and we knew that they were protecting themselves, but they couldn't be right all the time. It's so, so difficult to be right all the time and to have fail-safes everywhere.
Starting point is 00:40:25 And eventually they did make those tiny, tiny slip-ups. It was like, you know, one 10-second period out of three years of monitoring data that broke the case. So it was incredible. And that's what Brian was referring to earlier when he was talking about, you know, we're doing all this legal process. And we're at that time getting some pushback on why are you continuing to capture all this data. It's because, yeah, it's all encrypted and we're not getting a lot out of it. But we have to continue capturing it, watching for those one little mishaps where they make a mistake.
Starting point is 00:40:58 That's the only time we can get information that is going to reveal to us who these people are. And at the time, we had the largest data intercept in the Bureau. For this case. For this case. Because it was all going through, all the command and control traffic was going through these servers. And we had to keep re-upping
Starting point is 00:41:18 because we were getting little snippets here and there. Occasionally, we'd catch them emailing a new email account that we hadn't seen before, and that turned out to be one of their money mules. And their OPSEC wasn't nearly as good as these guys' OPSEC. So we were able to start to pull that thread back and work different angles. We had to go brief the Deputy Attorney General during this case because we had done a T3, and Department of Justice doesn't, you know, that's such a, you know, a big, a legal,
Starting point is 00:41:55 you know, process that they don't like to use it, especially for long duration. So we had to justify that we're seeing all this encrypted traffic. We are seeing mistakes occasionally, but we had to basically go talk to the DAG and say, hey, this is why we need to do this. The reason we had to talk to the DAG, if I remember correctly, was this was the first time in the history of the Department of Justice that we did a wiretap on a server. Previously, you know, wiretaps were invented because of phones. You would listen to the mafia talk to each
Starting point is 00:42:25 other, you'd listen to the narcos talk to each other, and they're like, wait, this is a computer. Why would you even do a wiretap? And maybe, and there were arguments that we didn't even have to, but we wanted to have belt and suspenders. We didn't want to make any mistakes here, and because we were getting contemporaneous electronic traffic through the server, we wanted to have a wiretap. But this confused a lot of people in the Department of Justice who didn't quite get it. Whoa, these guys were really taking this case seriously. They had a T3 wiretap on the command and control server, which happened to be in North Carolina. T3 is short for Title III, which is where they have to get authorization from an attorney general who grants them approval to the data intercept. In this case, the hosting provider for the server was shown the T3 and was able to put a tap in and give the FBI full captures of everything going in and out of that command and control server.
Starting point is 00:43:18 But that still didn't help because it was all encrypted, and these Title IIIs expire after 30 days. So they had to keep renewing it again and again and convince the attorney general that they still need to keep it active in hopes that someday they'll see something that will give them the smoking evidence to arrest these guys. But month after month, they were not finding anything important. We also had a Title III on one of the main email accounts as well. So we were watching the email coming through too. And even though it was encrypted, the body of the email was encrypted, the email title, the email headers, was not. So we would get the title of the email, and that was the only information that we would see, was just the title.
Starting point is 00:44:00 You said that, you know, normally the bad guy only has to be right once, and that was sort of flipped around. But that's potentially to identify them. Remember that when, in order for us to indict them, extradite them, and then if they want to go to trial, which these cybercriminals almost always do, we had to be able to prove guilt beyond a reasonable doubt. And these cases are a lot harder to do that with than with a standard case because you've got to remember you're dealing with a jury. So ultimately, it's not like you're going to be able to go to trial on one mistake. You're going to have to build a body of evidence. So they were using an email service that we were able to gather information from as well. And so we literally had over 16,000 emails that we had to sit and review.
Starting point is 00:44:53 every single one, pulling out victim information, pulling out money mule information, and information on money transactions, and gathering all of that data together, too, to be used later on down the road in trial. Most of their emails were PGP encrypted, right? And Ryan explained to me, because I believe the FBI can do anything if they want to. So Ryan explained to me that PGP stands for pretty good. Pretty good privacy. And so I said, Ryan, it's only pretty good.
Starting point is 00:45:25 Could you get through that encryption? And Ryan said, no, you're not putting the right emphasis. It's pretty good privacy. That's how you should be interpreting that. And then I also told Brian that I'm only moderately good. At some point, Liam found something incredible. He was continually capturing all the data through his node that he sneakily set up in their proxy chain.
Starting point is 00:45:50 and they were using Jabber to send messages between each other. And they had enabled OTR, which is an encryption on their Jabber chats. So all Liam could see was that someone was saying something over that port, but he couldn't see what they were saying. So Jabber is encrypted, and there are different settings that you can use, and by default, the setting for attachments is not, it doesn't default to encryption. So your text, all the message that you sent are encrypted, but attachments are not encrypted.
Starting point is 00:46:17 And that was the mistake that they made. They were talking to each other, and we couldn't see what it was that they were talking about, but if they sent an attachment, like an Excel spreadsheet with all of their accounting in it, or a picture of their desktop,
Starting point is 00:46:30 that was not encrypted, and we could extract that from the network and we could see what it was. That being said, the majority of the attachments they sent were encrypted. They just occasionally, you know, they're human too.
Starting point is 00:46:42 Forget to encrypt something, or there's a, you know, something doesn't work right. Whoa, this is something I did not know, that if you take the extra steps to add OTR to Jabber in order to encrypt all your messages, it still doesn't encrypt attachments? And that's a whole separate process to enable, and apparently it's extra tricky to do. And it's interesting because these guys were clearly making every effort they could to stay hidden and they still couldn't reliably keep their stuff encrypted.
Starting point is 00:47:10 So many places for your data to leak. And so one day Liam saw an attachment which wasn't encrypted, and it was a gold mine for this case. We got to see them transferring spreadsheets talking about all of the transactions, how much money they were making, who were the victims, what were the credit card numbers of the victims, what were the home addresses of the victims, what money mules they were using, the identity of all their money mules. This was huge because it listed each of the members of this group and how much money they each made. Here's what it said. Member MF got 25 percent. Member Lynx got 25%.
Starting point is 00:47:47 Min got to take 10%. Amy took 25%, and Raul got 15%. This essentially showed how many members were involved and their abbreviated nicknames. They even took extra steps to obscure their handles. Later, they would find out that Amy stood for Amightysa. And by this point, the FBI also stood up an infected machine in their office to watch some of this traffic too.
Starting point is 00:48:11 And it's remarkable to think that these criminals were feeling clever and thinking they were super sneaky and laying low. While in reality, a lot of their traffic was being routed right through the FBI's office. But that wasn't all Liam captured. He saw another attachment sent over Jabber. A picture of their desktop that they had transferred between each other. Two members had transferred between each other.
Starting point is 00:48:33 And they were trying to figure out why something wasn't working with their malicious campaign. So one of the Bayrob members had taken a screenshot and had transferred it to another one, but they had actually gone through my proxy machine at that time. So I could see this. They were using encrypted chat actually, so I couldn't see the chat, but because the pictures that they sent in the chat were not encrypted,
Starting point is 00:48:54 I got this rare opportunity to see this image get transferred across, just like flash across my network. And when we decoded it, we saw that it was the attacker's desktop and he was inside a VM machine, and then he had his control panel, his attacker's control panel on the desktop,
Starting point is 00:49:13 and he had a Facebook campaign that they were using to try and find victims on the desktop. And he was running that campaign through a hacked account. So he had the hacked account information there as well. And we could see how many machines they had infected. And we could basically see the entire attack, the entire fraud campaign from beginning to end right in that one screenshot.
Starting point is 00:49:36 And it was just a total encapsulation of all their fraud in one picture. The screenshot is incredible for this case. You can see this guy's desktop. You can see he's logged into a victim's Facebook page. You can see he's posted an ad, work from home to try to recruit a money mule. And you could see the command and control server in the background. You can see he has chats open with somebody called Master Fraud, which is interesting because MF was one of the people getting 25% of the cut.
Starting point is 00:50:05 So now they start linking, MF must be master fraud. And they could also see he's encrypted his computer with TrueCrypt, since that was a process running in the background, which might be helpful later. The challenge that we had was there's all this encrypted traffic. We think we have the three guys, but we can't get any substantive evidence
Starting point is 00:50:23 connecting any one of them specifically other than the first mistake to the scheme. And that's when we found out that one of the other two had decided to travel to Miami to the United States. And this could only be because
Starting point is 00:50:41 after 10 years of committing this scheme, and nobody knocking on their doors, they felt like they were pretty secure at this point. They had really amazing OPSEC, as Ryan mentioned. And this particular guy, whose name was Tiberiu Danet, had competed in international programming competitions and had even had an internship at Google in the U.S. before he switched over to crime.
Starting point is 00:51:03 So he had friends in the U.S. And we got advance intelligence he was going to come to the U.S. And so... Arrest them on sight. Well, that was our initial thought, but we knew if we arrested him, well, first of all, we didn't have enough evidence yet. But even if we got that evidence while he was there, if we arrested him, we thought the other two would flee. And we'd never see them again. They would go to Russia or somewhere else where we couldn't get them.
Starting point is 00:51:28 And when he was coming into the country, we actually had no technical information tying any one of these individuals to the Bayrob infrastructure. The Romanian National Police had very similar data intercepts upon their homes, and guess what they weren't seeing. Any connection to the Bayrob infrastructure. They weren't talking to the servers, they weren't talking to the proxies, they weren't talking to Tor off of their home internet. So their home ISP was clean, completely clean. There was a little bit of encrypted traffic that we couldn't explain,
Starting point is 00:52:07 but there wasn't anything that we could do with it. So I like to refer to what Brian's talking about when this guy comes to Miami as Christmas in May. We were so excited for this to happen. We only had, I think, about maybe a 10-day lead that he was coming to the United States. And we had to put together an operation to gather as much information on him as we possibly could when he was here. And we had 10 days to prepare to do that. So we decided to get a search warrant. We didn't need a search warrant technically because there's a border exception.
Starting point is 00:52:43 What we wanted to do is when he came across the border, we wanted to search all his digital devices. And we're hoping he'd have a lot of digital devices on him and that this would break the case. But the exceptions to the search warrant requirement were really under attack at the time and continue to be, in part after Snowden and in part due to a number of events that were going on. So we didn't want to rely just on an exception to the warrant requirement, especially if we had time to get an actual warrant. So we did get an actual warrant, and maybe you guys could take it from there. Did you go to the airport?
Starting point is 00:53:19 We did. Yes. We were down in Miami, both of us with a whole group of support people from the Miami division, as well as from FBI headquarters to, as Brian said, we were going to do a search warrant on every device that he had. We were hoping it was going to be a lot of devices. It ended up not being very much. He did not have a laptop with him. He had his phone and a camera, and I think that was it.
Starting point is 00:53:43 And we had a full surveillance team on him. And he was coming into the country with another individual. So from the time he stepped on U.S. soil, we had a team that was essentially tracking his activity to see if he was making any contacts or did anything that would indicate he was part of this group. So the FBI gets short notice of him coming to the U.S. and scrambles to come up with a plan and to meet him at the airport. What they wanted to do is look through his devices to see if they can see any evidence of him involved with this Bayrob group
Starting point is 00:54:17 in order to lead to an arrest. They thought if they interrogated him, that would spook him, and he'd tell the others, and they'd all go into hiding. So the plan was to somehow get a hold of his devices and search them without him knowing they got searched. So the Border Patrol was actually the ones that, you know, sat down, they have to do their interview when you come through CBP, to interview you. So they did an interview with him and kind of made it take a little bit longer, but they collected
Starting point is 00:54:45 his devices and then provided them to us. We were sitting in a back room that he didn't even know about. There was approximately 30 people in this back room, all because of him, to review his devices, to image his devices. So Customs and Border Patrol did an interview with him, collected his devices, passed them to us, so we could then have our computer forensic examiners image his devices. And he had no idea. And then he gave it back and he left the airport without knowing everything got copied. He did not know, but he was pissed enough and realized that he wasn't going to make this mistake again. So he was communicating with the other members of the group
Starting point is 00:55:30 through an encrypted messaging app, Jabber, but it was saving logs, and he changed, after this whole incident, he didn't think he was identified, but he's like, let's stop recording those logs, and he changed his password on his phone to the Romanian
Starting point is 00:55:46 for U.S. Customs Can Blow Me. Wow, so the FBI took full forensic snapshots of everything on his phone, and he had no idea they were there. And then they tailed him the whole time he was in the U.S., like ghosts. And so he was here in the United States for, I believe, about 12 days.
Starting point is 00:56:05 So we had him under constant surveillance almost that entire time. And he wasn't just in Miami. So he landed in Miami. They were in Miami for a couple days. They went to D.C. for a couple days. Then they went up to New York and then ended up in Boston. And we knew he was going to end up in Boston because that's where he flew out of. They took a look at the data they got from his phone.
Starting point is 00:56:26 Stacey and I are in the Miami field office reviewing this almost immediately. This is the best opportunity we have to actually get some visibility that we can tie directly to an individual who we think is a member of the Bayrob group. And we're rolling through this phone, through all the data, and we come across the Jabber chats. And for the first time ever, we actually find communications that were encrypted, but are decrypted or unencrypted on the endpoint on his phone, talking about Bayrob group operations.
Starting point is 00:57:09 They're talking about crypto mining and how much they're making a month, crypto mining. He's talking to the head of the group who's in Romania. At that time, they were making about $6,000 a month mining with their network of infected systems. Master Fraud. Master Fraud. Yep. Incredibly technically gifted
Starting point is 00:57:29 cyber actor out there. And by the way, I just, I always want to tell people when you're naming your criminal character, when you're giving your criminal alias, it's best not to name yourself after the crime because it may sound really cool at the time, cool to all your friends, the other group, but when you're eventually caught
Starting point is 00:57:50 and you will eventually be caught, it dramatically limits your available defenses. So here it limited his defense to master fraud. Who? I'd never heard of any master fraud. You can't argue at that point that this wasn't fraud. Everyone understood what we were doing. No. Brian and Stacey were able to look through the chats, which were logged on the phone that they got a snapshot of, and most of what they saw was benign, nothing to do with this Bayrob malware operation at all. But because Ryan and Stacey knew this case very well, they would spot tiny clues, like MF was mentioned every now and then, very rarely.
Starting point is 00:58:28 And they knew MF was short for Master Fraud, one of the leaders of this organization. So little things like that would start to make them see the network of who he's talking to. And another thing they found were chats mentioning a file name that they knew only existed on that command and control server that they had access to. So this linked him to knowledge of that command and control server.
Starting point is 00:58:52 We have a direct tie from this individual It's a Bay Rob group operations, and we know we've got the right people. So at that point, we could have arrested him. We had enough evidence at that point to arrest him. While he was in the U.S. While he was in the U.S. So this was a difficult decision because he was a high-value target. We figured of these three people, he was probably the second most important,
Starting point is 00:59:14 but Master Fraud was still in Romania. And we knew if we arrested him, Master Fraud would flee, or we felt like that was pretty likely. They hoped they can eventually capture the whole gang, or most of them at the same time, So they let him leave the country. We let him leave the country. And part of the reason we felt comfortable doing that was we had worked with Romania for so long at this point. I personally had been to Romania something like seven times.
Starting point is 00:59:39 And so we knew that we could work with them to successfully extradite. You went to Romania seven times just for this case? Just for this case, yeah. So this is where it started getting exciting. Because Danet was here, and we got that additional information from the Jabber chat log, we were able to go to grand jury, get this indictment, do an extradition package to Romania. And then I think both of you went over there, correct, as part of the arrest and
Starting point is 01:00:06 takedown. Yeah, we both went, along with, we took four computer forensic examiners with us as well. So there was a team of six of FBI over there. They identified the names and addresses of the three main men behind this Bayrob malware campaign. There was Bogdan Nicolescu, aka Masterfraud; Tiberiu Danet, aka Amightysa; Radu Miclaus, aka Minolta, aka Radu SPR. The goal was to arrest all three at the exact same time so none of them could tip off the others. So the FBI and the Romanian police had to split up.
Starting point is 01:00:42 Yes, yeah, so all three of them were in different locations. So we had to split up. And so yes, Miclaus had unexpectedly left town. They thought that he would be, I believe he was living in Brașov, also where Nicolescu was living. And so they expected him to be there, but he had left town like the day before and had gone to visit his grandmother in a completely different city in Romania. And so they had to figure out where he was and do surveillance on him. And then they stopped him in his vehicle on his way back to Brașov.
Starting point is 01:01:13 Stacey, you were in Bucharest, and I was in Brașov, which was where Nicolescu had a home at the end of a street, and we were there when the RNP made entry into the various locations that we had. So what's it like going in their house and collecting that stuff? It was interesting. It was very different. They have a different process than we do. So I think we found it very interesting to watch the Romanian National Police and see how they do things, how they collect evidence versus the way that we do it. And then because we were there, the nice thing was we were then able to, a couple days later, take all of the evidence with us and take it back to the United
Starting point is 01:01:59 States with us. So they caught them, and they took all their devices back to the United States. But the Bayrob gang was still in a jail in Romania. We're going to take an ad break here, but stay with us because the next step is to get them to the United States and to prosecute them. This episode is sponsored by NetSuite. Every business is asking the same question. How do we make AI work for us? Sitting on the side
Starting point is 01:02:26 lines is not an option because one thing is almost certain. Your competitors already know how. No more waiting with NetSuite by Oracle. You can put AI to work today. It's a unified suite that brings your financials, inventory, commerce, HR, and CRM into a single source of truth. That connected data is what makes your AI smarter. It intelligently automates routine tasks, delivers actionable insights, helps you cut costs and make fast AI-powered decisions with confidence. From software and IT services to healthcare, equipment manufacturing, financial services, and many other great American industries, NetSuite delivers a customized solution for your business. If your revenues are at least in the seven figures, get their free business guide, demystifying AI at netsuite.com slash darknet. That guide is free for you, but only if you go to netsuite.com slash darknet.
Starting point is 01:03:18 NetSuite.com slash darknet. So the FBI searched the homes of this group, and they were really hoping to catch them in the act with their computers open so they wouldn't have to crack any passwords and unlock computers. But when they entered the house, all the computers were off and locked. But as they looked around, they were able to solve one of the mysteries they had, which was how this group kept moving around with their IP addresses so much,
Starting point is 01:03:44 sending the Romanian police to the wrong address so many times. One of the things they found were these large directional antennas. What we realized with these directional antennas, which made for great trial exhibits, was that they were never using their home internet when they were involved in criminality. They would hack into another account in Bucharest. And Bucharest is a very big city. It'd be like doing it in Manhattan. And so every time they would just hack into a different person's home Wi-Fi. And that would be the start of their proxy chain.
Starting point is 01:04:17 They would start there. Then, at least towards the end, as Danet explained it to us, they would go to Tor. Then from Tor, they would go through their proxy chain, which was typically one to three infected computers. And then from there, they would go to America Online where Owen was seeing them. And then from there, that's when they would use commercial ISPs
Starting point is 01:04:42 like Google, Facebook, eBay, etc. So the way they were operating is they would actually meet and everybody would essentially get a standard build. So their laptops were all built out the same way, and Nicolescu would configure them to be essentially, you know, they get the cybercrime package, which means multiple levels of encryption. So they were running Linux with LUKS on it,
Starting point is 01:05:08 and then they had a couple of TrueCrypt containers on it. And then Nicolescu had written his own encryption software, because TrueCrypt was no longer being updated. So that's five layers of encryption just to unlock the laptop? Yeah, four or five different layers. And everybody in the group got the same package, essentially. And they also, that was not the extent of it, they also got some networking gear.
Starting point is 01:05:35 So each of them got a custom flashed router. And that custom flashed router would allow them to proxy their traffic between their different houses. And their operational security was that their first hop from their house was using a directional Wi-Fi to the Internet. And that individual, say, you know, Nicolescu was in Brașov, he would establish that on the router, the custom flashed router. And then he would communicate to the other group that his router was set up,
Starting point is 01:06:09 and everybody would tunnel their traffic for the group through that stolen Wi-Fi, through their router at that location. And then they'd switch the router the next week to another individual's home. And that was why we were seeing the encrypted traffic between the two locations that we couldn't explain. It was their tunneled encrypted traffic that was then being sent over stolen Wi-Fi using the directional antennas, then to Tor or proxy network, then to infected systems, then up into the command and control infrastructure. So again, you know, they were doing a pretty good job of hiding their tracks.
Starting point is 01:06:47 So when I was seeing IP addresses that I thought could identify the address of the attackers, it turns out they're using directional antennas to steal their neighbors' Wi-Fi. So the addresses that I was seeing were very rarely their actual home address, and I had to look at the data very, very carefully to understand when they slipped up, and they weren't using their neighbor's stolen Wi-Fi. They were actually using their own home IP address by mistake, and those slip-ups are very, very, very... The FBI wanted to prosecute these three in the United States. But in order to do that, they had to convince the Romanian police to allow them to extradite
Starting point is 01:07:23 these three to the U.S. to face trial there. But in order to get extradition approval, they had to have clear evidence as to who everyone was in this case and what they did. Because it might not be necessarily clear to other people that, you know, when we're indicting this group, we can't just say, this is the group and they did all these things. We need to be able to say, this person is Masterfraud and this person is Amightysa. And these are the roles that each individual played within the group. And so for a long time, yeah, we knew who the three people were that were running everything,
Starting point is 01:07:57 but we could not say which one was which as far as their criminal moniker was concerned. And so it wasn't until we got Danet's phone. And then we were able to, Ryan was able to connect his login activity with his vacation time that we were finally able to say, this person is this person, and this person is this person. So the extradition was seamless with Romania because of all this background work we had done. So this was amazing.
Starting point is 01:08:26 We got them into the U.S. in a couple of months. They get the three guys on U.S. soil and then go in to question them. First, they start with Danet, aka Amightysa. They show him all the evidence they have against him and basically said, look, you're definitely going to be found guilty. We have a ton of proof, but if you plead guilty, we'll try to get your prison sentence much lower. So, Danet ends up pleading, and we confronted him with the
Starting point is 01:08:58 evidence during a proffer session. And during our investigation, one of the things we did with the evidence collection is we had really good visibility into when they were logging into and logging off of all of their criminal accounts. And we didn't know it at the time, but this information ended up being incredibly valuable because it established this pattern of life for all the different actors. We could see when they were online doing,
Starting point is 01:09:30 you know, like in their criminal accounts and when there were large gaps. And we were able to get Danet's personal computer and search that. He liked to travel, and he vacationed a lot, and he also took photos of everywhere he went. He was an avid photographer. So we could see through the photo metadata when he was in these certain locations, and then we overlaid it with all the criminal account data. And you could see that every time one of these accounts went dark, Danet was on vacation.
Starting point is 01:10:06 He logged on faithfully to the criminal account multiple times a day, every day, except for the exact periods of time when he went on vacation. And there was something like 30 vacations. And I remember we talked to him, and I said to him, look, we created a spreadsheet or a diagram to show this. And I said, like, you know, look, if there were five overlaps in vacations, that would be curious. If there were 10, hmm, something's going wrong here. But with 30, you are the guy. You are Amightysa. And Danet told them a lot.
Starting point is 01:10:40 One thing he said was how many other members were involved in this back in Romania. And as it turns out, he listed six other members and what roles they had. This was huge for the FBI to paint a full picture of this group, each member and their operations. Okay, so Danet pled guilty. And he was sentenced to 10 years in prison and was cooperating. The other two weren't talking. And they were just sticking to their not guilty pleas. So it meant that this case was going to go to trial.
Starting point is 01:11:08 Now you would think the hard part is over for the FBI, and the prosecutors can take it from here, but the opposite is true. In the month before the trial, the FBI had to work harder than ever. Well, to explain how this process works, we worked, we all worked, probably straight 30 days. My wife at the time, so I've got 15-year-old triplets, and she's from Colombia, and I told her, listen, for the next month, month and a half, I'm not going to be at home. I'll be at the office pretty much the entire time.
Starting point is 01:11:41 She takes the kids, heads down to Colombia, and that's the same for all of our families, right? They didn't get to see us. We were in the office. A 10-hour day was probably a short day. This is go-time. Because now, the FBI had to convince a jury that these men are guilty beyond doubt,
Starting point is 01:12:01 but it's always very tricky to present electronic evidence to a jury since a lot of times they aren't very tech savvy or know what this evidence even means. And I got to say, the most important, I guess at the end of the day for the jury, the most important piece of evidence came from the fact that Danet, when he was cooperating, told us everybody else who worked with the Bayrob group. And Stacey, you know, we talked with Stacey and Ryan, and we decided that there was not enough evidence to indict any of those people because we couldn't just indict them based on one criminal
Starting point is 01:12:37 saying these are the guys because, you know, the jury is not necessarily going to believe a criminal. So Stacey said to me, well, why don't we just go over to Romania and talk to them and try and get them to testify? And I said, well, I don't, why would they come to the United States and risk being arrested to testify when we don't have any evidence against them? And Stacey brought up the good point: they don't know we don't have any evidence against them. So Stacey and I went back to Romania right before trial, and we ended up flipping, what was it, five out of six? Yeah. All three of us went back. Yeah, right there. And we flipped five out of six of them. Five out of six. And they agreed to come to Cleveland and testify at trial.
Starting point is 01:13:26 And what's in it for them? So again, they didn't know that we didn't have enough evidence to include them? Well, to be honest, we had a lot of information on them, right? So we knew that they were involved. We knew what their roles were in this, because we had a number of individuals at this point in time that were telling us that they were involved and what their roles were and what their criminal monikers were. So we did know, you know, what accounts they were using and what their job was within the group. But we, at the time, we didn't feel, I mean, we could have tried to indict them. We could have. We could have. So it wasn't an empty threat. It was just we didn't feel like we had enough
Starting point is 01:14:08 because in these cases, we really only indict and extradite folks when we've got a really bulletproof case. Your track record is 99% conviction rate. And they have to have had a significant role, too. We're not going to just necessarily indict everybody who did anything. And so basically, we talked to these people individually and they believed that cooperating was in their best interest. And a lot of them felt really bad about what, because a lot of them had moved on at this point. It took so long to do this case.
Starting point is 01:14:40 A lot of them now had kids and had a regular job and were like so embarrassed. Some of them were crying when we were talking to them, and not because they were scared of the consequences, but I think because they were humiliated by the fact that they had done this and people now knew, they said. So what's the option you give up?
Starting point is 01:14:56 Like, can you come testify, please? Or come testify or we have. No, I'm going to jump in on this one. There was no quid pro quo or anything. It was purely optional. They had to, we didn't make any promises to them. They had to believe that this was in their best interest or just want to do it out of their own. So it's just a matter of, hey, come clean.
Starting point is 01:15:18 Well, it was 10 years later, they remembered, all of them remembered, like waking up and Nicolescu and Danet and Miclaus being gone, and word starting to spread, and everyone was freaking out there because there weren't too many extraditions from Romania to the U.S. I think cybercriminals in Romania felt like the worst thing that could happen was they'd be prosecuted in Romania if they were caught, and in Romania you kind of got a slap on the wrist, you wouldn't spend much time in jail.
Starting point is 01:15:49 So this was like seismic when these arrests happened in Romania, and they just wanted to curry favor, I think, at that point. They wanted to be helpful. They didn't want to risk any bad things happening to them. Now, even though they had seized everyone's computers, they still couldn't get into them. Because remember, each computer was wrapped in five layers of encryption. First was this boot integrity thing, making sure that there were no hardware changes since setting it up. Then they would use LUKS to encrypt the Linux partition. Then there was a custom layer of encryption that Masterfraud wrote himself using SSE. Then there was a TrueCrypt container, and then there was another TrueCrypt container.
Starting point is 01:16:26 And keep in mind that every layer has its own unique, complex password to decrypt. And once they got through all that, then you would boot into Linux. And then finally, there were these virtual machines that they would load. And that's where they would do the work from. I think it took like five or eight passwords just to log in to work every morning for these guys, which is incredibly impressive. Masterfraud, he programmed in assembly language.
Starting point is 01:16:49 So very unusual character. And when we got these computers and Danet explained to us what we were seeing, not only was it this multiple levels of encryption, they had built, Masterfraud had come up with himself a kill switch that would enable him to press a single button and encrypt the whole machine. And if he didn't decrypt it within a certain amount of time, it would just wipe the whole thing. He created his own software-based key logger. So if the FBI or Romania had put something in the computer, it would have detected and alerted that. So, you know, he was off the charts compared to what we see, even at C-Sips where it's all very advanced. So these systems were all configured the same, and they had similar tool sets and the same kind of encryption everywhere.
Starting point is 01:17:41 So when Danet pled, he actually was able to provide his password for a couple layers of that, his work platform. So we were starting to be able to essentially peel back the layers of encryption and see what was in each layer of encryption. So we'd peel back the first one and we'd get into the Linux operating system that they were using. And we saw that there was some source code for the encryption software, the container software that Nicolescu had written. We'd come across a couple of additional TrueCrypt containers and we could unpack some of the... And we were doing forensic analysis on these systems, and sometimes we'd be able to find a mistake where they left a password somewhere, or we were able to get in because somebody would tell us what their password was. I remember one of the passwords was
Starting point is 01:18:39 Pizza Kitchen in Romanian backwards. That was his password, and it was like a 15-letter, maybe it was longer than that, password, and it needed to be in concert with another password, and we only got so far. So we could only get so far through that encryption because they had been in jail for a bit after being extradited and their passwords were extremely complex.
Starting point is 01:19:06 And we could never, never get in past the layer that Nicolescu wrote. I had actually gone to Quantico. We have a lab there that specializes in helping in these highly advanced technical situations, and we brought the source code out there, and they analyzed it, and we spent a lot of time trying to break into it. And everybody will say, you know, the first rule of encryption is don't write your own.
Starting point is 01:19:33 But in this case, Nicolescu was so good that he wrote a pretty solid piece of, you know, encrypted container software. So even the FBI couldn't crack into these machines. And they even tried to crack the passwords by brute forcing it, but the way SSE and TrueCrypt were set up was they worked in tandem. So the FBI would have to crack two passwords
Starting point is 01:19:55 at the same moment to get through those layers, and that made this astronomically more difficult. But one of the things we learned is these computers still had value, even if they were completely encrypted. So at trial, we were able to show Nicolescu's tower, which had hard drives that you could just pull in and out, like a data center, which was not what a normal person would have,
Starting point is 01:20:19 And we were able to have the FBI testify, yes, this was on his desk. This was his tower when we came in there. And, you know, we've used all our tools. We are not able to decrypt any of this. And that's pretty powerful when you have all this other evidence that this guy is Masterfraud. Because, you know, the jury's looking at this enormous tower of hard drives. They know this is nothing like their home computer. They know the FBI with all its power can't get into it.
Starting point is 01:20:48 And they're thinking, all right, something's up here. With a list of money mules, and money muling being illegal in the United States, were you going around and arresting all these money mules? So we did have conversations with a lot of the money mules, and many of the money mules were arrested by their local police. We did not arrest any of the money mules or prosecute them. I'll let you. Yeah, so at trial, we had some of the money mules testify,
Starting point is 01:21:13 and they were victims as well. In fact, in some ways, they were the most scarred victims based on their testimony. First of all, what the Bayrob group told them in many cases, they would place advertisements for them on Facebook, or their machines tended to be infected as well. So when they would go to Yahoo or Google, they would see an advertisement for a wire transfer agent. And so they thought this was legit. And what the Bayrob group would tell many of them was that when Americans go and travel in Europe, they often get mugged and lose their passport and lose their money. And so what we do is we help relatives get them money quickly.
Starting point is 01:21:53 And so these people thought they were actually doing something good, that they were helping out. And I will never forget when one of the most prolific money mules testified at trial, and the defense attorney tried to cross-examine her and make her, you know, he said, well, you're calling these people victims now, but you didn't see them as victims then, she absolutely exploded because she was, she said, I was so embarrassed. This is like the worst thing that's ever happened in my life. I never knew. I didn't mean to do this, et cetera. And he, as he was coming back, he turned to us on the prosecution table and said, one too many questions. We took all the evidence that we had collected over
Starting point is 01:22:43 this entire case. We took all of our victim complaints. Stacey and I went through all the IC3.gov complaints. We went out and interviewed hundreds of victims, I felt like, at the end of this, and had some of them come testify at trial. We had a search warrant on a couple of the command and control systems, which I had actually stood up a copy of that command and control server in our office, and then I invited Liam to come out
Starting point is 01:23:15 because he had done so much of the technical analysis, that we needed another expert set of eyes on what we are seeing. How much money do you think they made? So we had hard numbers that they defrauded people out of $4 million. Defrauded? Yeah. Well, in total, made $4 million. At least $4 million.
Starting point is 01:23:37 We had identified over a thousand U.S. victims. A thousand victims. Just on the eBay fraud alone. What we had estimated they'd made over the entire length of the operation, because they'd been operating for 10 years. And we didn't have accounting for all of those years, but we could see a lot of the output, and we were able to estimate over the given period
Starting point is 01:23:56 that it was about $40 million. And then how big was the botnet? Botnet reached a maximum of about 450,000 machines, and at any one particular time, they had hundreds of thousands of machines operating. That was other key evidence, by the way, because once we arrested them, the botnet stopped. And I was going to say,
Starting point is 01:24:16 One of my favorite moments in this case was actually, you know, we'd been watching this group for almost 10 years and had identified, like I said, over a thousand victims of eBay fraud. And so it was so frustrating to know that this was continuing to go on year after year after year. And then finally we were in Romania when they arrested him. And the day after we arrested him, I turned to Ryan and I said, Masterfraud is in jail right now. Like it's done. We have stopped the fraud and the victimization. Okay, so you bring all this evidence. What's the defense bring?
Starting point is 01:24:52 Well, so the defense's main defense is the most common defense that you typically see at the Department of Justice, which we refer to as the SODDI defense, which stands for "some other dude did it," which I would refer to as the SORDDI defense, in this case, "some other Romanian dude did it." So that was their defense. They didn't put on witnesses.
Starting point is 01:25:15 They challenged our evidence. And as you would expect in a case like this, argued that there was insufficient evidence to say that these were the guys. This jury was mostly retired, and a few people didn't even own cell phones. It was going to be tricky to present all this evidence to them. Owen's doing traffic analysis. Liam's doing reverse engineering. We have Title III, you know, data intercepts on the command and control infrastructure. We're addressing topics like encryption and crypto mining and being a vendor on the dark web to essentially folks that are not cyber savvy.
Starting point is 01:26:01 And frankly, the entire team did a great job of taking this complex evidence and making it relatable to the jury. And understanding a lot of what we did, it was truly education of what we had and why it was important, in very common terms. And they did it. They were able to convince the jury that both men were guilty. They were found guilty on all counts. Danet, consistent with the plea agreement, was sentenced to 10 years in prison. Miclaus was sentenced to 18 years, and Nicolescu, who was Masterfraud, was sentenced to 20 years. Wow, 20 years. That sounds like a lot. These are tremendous sentences for a cybercrime case.
Starting point is 01:26:53 What you gotta remember is the judges who sentence, and it's the judge who sentences, not the jury, they sentence for all kinds of cases. They see terrorism, they see murder, they see all these crazy cases. So at the end of the day, a lot of judges are like, well, you know, this guy hacked, you know, we're talking $4 million or $40 million or whatever the case may be. It's not a billion-dollar Ponzi scheme. It's not, nobody died. So I'm going to give them a couple of years. We see that all the time.
Starting point is 01:27:27 And so it was only because, I think, we had so much great evidence. We had so many victims testify about how it impacted them, the money mules, and the scope of the crime. And we were also able to show that these guys weren't just doing their criminal job. They were really sadistic. They really wanted to hurt the victims. For example, they developed one phishing email
Starting point is 01:27:50 that was supposedly your HIV test results. And when you clicked on the link, you were positive. It's like, why would you do that? You know, I mean, like, you're freaking people out way more than even the value of the money. And so I think the judge really, this was a serious group, it was a serious threat. If they get back out there, they may just start up again.
Starting point is 01:28:12 And so we felt quite good. Those were some of the highest sentences you'll ever see, or at least as of that time, in a cybercrime case. And even today, it's pretty rare. Yeah, I think the other thing that is sometimes lost in this is that, you know, each one of these victims, this does something different to each one of them, right? So any one of us may lose, you know, $7,000,
Starting point is 01:28:35 and we'd, you know, write it up to, man, I made a huge mistake there. But the folks that were being victimized here, you know, they were folks that really couldn't afford an extra $7,000, right? They were buying a vehicle to get to work. Some of these victims, you know, it caused a lot of strife in their relationships, where, you know, one person in the relationship said, no, that sounds like a scam, don't do it, and they did it anyway, and they lost it, and it started kind of a downfall in that relationship. We had some folks that were divorced over this.
Starting point is 01:29:13 What was that for? Well, because they basically disagreed that, well, when they lost the money, it caused such strife in the relationship that they... You idiot, you got scammed, how they... Essentially. Wow. And I want to be clear, though, like, you could be very smart and still fall for this. So two things I want to make clear.
Starting point is 01:29:34 I don't know if it was clear from the background. When you went to eBay, if you were infected with the malware, it would make it appear that eBay had an escrow agent protection program. And you were sending the money to an eBay escrow agent who would only release the money once you got the car and were satisfied with it. That was all just the malware. It was a money mule. But anybody would see that and think, all right, that sounds very safe. And the URLs would say eBay even. It was just all malware.
Starting point is 01:30:05 Exactly right. That's really sophisticated. And one of the victims who testified at trial was a used car salesman, like who had a dealership who would buy cars online all the time. And he fell for this too. He had a very lengthy chat with the Bay Rob Group, not knowing what was the Bay Robb Group about this escrow agent program because he hadn't seen it before.
Starting point is 01:30:23 They must have stayed on with him for an hour to convince him that this was real. And then ultimately he fell for it. And I think that helped that the jury, looked at this guy testify who was victimized as a card dealer, and we're like, oh, well, if he fell for it, I would have fell for this. And with that, the FBI investigation and prosecution was over. All three of the main people involved were arrested, found guilty, and put behind bars. Wow, what an investigation.
Starting point is 01:30:49 We've got a ton of people to thank for this. So, first of all, the Cleveland Field Office was with us all the way. So our cyber squad, our organized crime squad, we had great supervisors that supported us. We had great executive management, fantastic analysts, our computer scientists, our folks. Feels like a lot of interns were going through a lot of data there. Not so much. I mean, these are all professional folks that are doing this.
Starting point is 01:31:19 We typically don't have interns on our squads. And so we got a ton of support from the Miami Field Office. We had Customs and Border Patrol, the U.S. Attorney's Office, including Duncan Brown, Brian McDonough, and O'M Cokarney, in addition to myself. And then, of course, Symantec and AOL were hugely instrumental, obviously. I imagine eBay was helpful. eBay was helpful, as were a lot of the brands whose trademarks these guys mimicked in order to trick people.
Starting point is 01:31:53 So we had great cooperation and witnesses from Facebook, from Walmart, from eBay, from Google, from Yahoo, all coming to testify at trial. So what happened to the millions of dollars these guys made? Well, they spent a lot of it as soon as they got their hands on it. The FBI was able to seize some of that, but not enough to pay back all the victims. However, these guys were running huge cryptocurrency farms, basically putting all the infected machines to use to mine crypto. And the FBI seized the computers, which held those crypto wallets?
Starting point is 01:32:27 They did have some cryptocurrency, and actually at this point in time it's probably worth a lot of money, but it's locked in a couple of layers of encryption. Really? Still haven't been able to crack it? We haven't been able to get there. Wow. Those machines sitting in the FBI evidence room hold the keys to millions of dollars of Bitcoin
Starting point is 01:32:52 that the FBI would love to confiscate. But the multiple layers of encryption are just too strong for them to crack. And so it just sits there in a room, unplugged, dormant. If it was me, I probably would have used that Bitcoin as some kind of bargaining chip to get my sentence reduced. But because they didn't, it makes me wonder that in 20 years when these guys get out, they might have saved their keys somewhere else that they can still access and come out of prison as millionaires. That's crazy to think about. In case you were wondering, yes, I did get all these people in the same room to interview them all at once. We all met up at the RSA conference in San Francisco earlier this year.
Starting point is 01:33:38 What are you all doing at RSA? What are you hoping to get out of this? See where AI is going and see if we can cut through the AI hype. I'm just here to talk to you and then get a drink with them. And then I'm going back home. And that's what I'm doing. I'm flying to Chicago tomorrow morning for an ABA conference. I spoke on a panel today about ethics and cybersecurity, and then tomorrow I am speaking on a panel about a framework for measuring the security and safety of AI. So I was really excited that I could do this as well while I was here.
Starting point is 01:34:12 I'm on a panel with Brian talking about AI agent security, safety, and reliability. I'm really intrigued by this whole case because of how much these Bayrob guys took their opsec seriously. They deployed all the best practices and took extra steps to keep the FBI or anyone else from discovering them. And it was only from these really tiny mistakes. And over the course of 10 years of the FBI
Starting point is 01:34:40 and Symantec and AOL diligently listening and monitoring them that these mistakes were even found. And it's one of those cases that if the FBI wants to catch you badly enough, even with the best opsec there is, they still can. It might take them 10 years to gather enough evidence on you, though. And I just want to recap all the things they did here to try to keep the FBI off them, since it's fascinating to me to watch them work.
Starting point is 01:35:04 First, they didn't talk openly. These guys never casually texted each other about this or talked about their criminal enterprise over the phone. When they would, they would always use encrypted chats. And the FBI also discovered that they often ran the radio in the background when they were working together in the same room in order to keep any listening devices from hearing what they were saying. Next, they didn't use their home internet. They used stolen Wi-Fi, long-distance antennas, and could connect to the Wi-Fi from miles away.
Starting point is 01:35:29 And then they'd VPN into one of their houses where the proxy chain would begin. They used Tor and proxies and hacked routers to get online. They encrypted everything, everywhere, or at least they tried to. When moving files, they used SFTP. When connecting to their command and control server, they used SSH. They encrypted their hard drives multiple times. They didn't log anything. At first, some Jabber logs were saved, but then they turned those off.
Starting point is 01:35:53 Logs are like documenting your activities. It's a liability. They created fake personas. Each of them used their hacker handles when discussing this work and never used these handles outside of work. They were extremely careful in that matter. And then they used abbreviated versions of those handles on top of it, making it extra confusing.
Starting point is 01:36:12 They didn't contaminate work and personal data. The work computer was for work only, isolated, not just with a physical computer, but also on a separate network. Only approved virtual machines could be used for work. Never do anything from your personal computer. They reduced who they had to trust as much as possible, keeping a small circle of who knew about this. They built their own computers, their own malware, and didn't share it with anyone. They were self-sufficient, and those who did get to help them often were lied to about what they were doing.
Starting point is 01:36:41 This also meant nobody had any power over them. They had to be paranoid at all times in order to keep up these efforts for years and years. And even when they got arrested, two still refused to talk to cops and actually dealt with the pressure well, staying calm and cool the whole time. They conducted counterintelligence, trying to know who might be looking at them and then blocking those IPs and domains. Yeah, I was told that they found out which IPs
Starting point is 01:37:05 that Symantec and the FBI had and were blocking those IPs from accessing parts of their network. And they did so much more. But my goodness, this is what it looks like when bad guys have good opsec. They almost made it impossible to be caught. Because even though they did an amazing job at protecting their data from leaking,
Starting point is 01:37:24 they didn't stop every drip, and enough drips can make a puddle. Thank you so much to my guests. FBI special agent Ryan McFarland, FBI special agent Stacey Whitaker, DOJ prosecutor Brian Levine, the director from Symantec, Liam O'Murchu, and from AOL, Owen Miller. Now that I'm retired, I've created a nonprofit
Starting point is 01:37:53 called CryptoCops Academy that is dedicated to teaching law enforcement as well as students all about cryptocurrency in hopes to, one, instruct law enforcement so that they can better investigate crimes involved in crypto, but then also to instruct the students, young people, all about crypto and how it works and how to keep their crypto safe and how to not fall for scams involving cryptocurrency as well. And because I met and got to work with such incredibly talented people like you've talked to today, I started formergov.com, the first directory of former government and military professionals. And happy to have any of your listeners who are former gov, and that's federal, state, local, tribal, outside the U.S. or military.
Starting point is 01:38:42 Happy to give them free membership. They can just reach out to contact at formergov.com. What an incredible story. Hey, listeners, I'm going to be releasing a new podcast soon. And it's by far the most insane, dark and crazy stuff that anyone has ever told me and probably will ever tell me, and it'll be a five-part series. And if you want to get in on it, when it's launched,
Starting point is 01:39:05 sign up to be a premium listener. Since I'm going to be releasing it to those who support me first, all I'm asking is for you to buy me a cup of coffee once a month to show your support. It might not seem like as much, but it's actually huge. It's way more than you can even imagine. It fuels me. It carries the show.
Starting point is 01:39:22 It gives me hope, and it's so helpful. So please, sign up as a premium subscriber by going to plus.darknetdiaries.com. And hey, when you do, you get an ad-free version of the show and a bunch of bonus episodes that you won't be able to find anywhere else. So thank you very much. This episode is created by me,
Starting point is 01:39:40 the man in the black hat, Jack Rhysider. Our editor is the touch typist Tristan Ledger. Mixing by Proximity Sound, our intro music is by the mysterious Breakmaster Cylinder. Why did the man get fired at the keyboard factory? He wasn't putting in enough shifts. This is Darknet Diaries.