Darknet Diaries - 70: Ghost Exodus

Episode Date: July 21, 2020

Ghost Exodus is a hacker. He conducted various illegal activities online. Some of which he documents on YouTube. He’s also a great musician. He got into some trouble from his hacking. This ...is his story.

A big thanks to Ghost Exodus for sharing his story with us. Also thanks to Wesley McGrew for telling us the inside story.

Sponsors

This episode was sponsored by IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet. And use promo code DARKNET25.

Support for this episode comes from Blinkist. They offer thousands of condensed non-fiction books, so you can get through books in about 15 minutes. Check out Blinkist.com/DARKNET to start your 7 day free trial and get 25% off when you sign up.

This episode was sponsored by Detectify. What vulnerabilities will their crowdsource-powered web vulnerability scanner detect in your web applications? Find out with a 14-day free trial. Go to https://detectify.com/Darknet

Sources

https://www.pcworld.com/article/167756/article.html
https://archives.fbi.gov/archives/dallas/press-releases/2011/dl031811.htm

Transcript
Starting point is 00:00:00 In my early 20s, I worked in a nightclub. I wasn't doing anything special, just washing dishes and stuff. But one day, I overheard something that I still remember today. One of the servers was taking a customer's drink order, and for some reason, I heard the order. It was a standard cocktail, and for some reason, I knew this drink cost $4. When the server came back with the drink, the customer pulled out his cash and asked,
Starting point is 00:00:24 How much is it? The server told him it was $5. She was scamming customers who paid in cash. She would pocket the $1 extra at all. But still, I loved thinking about ways to exploit the system when I was in my early 20s. But whatever. I was now in this new awkward position. Do I tell management about this? I get anxiety about stuff like this. She might lose her job because of me. Or maybe even get arrested because of me. And I know some of you are thinking, no, no, no, no, no. It was her actions that would cause her to lose her job. But still, do you understand that feeling I'm
Starting point is 00:01:09 talking about where if you say something, it can have life-changing results for someone else? I didn't say anything, but the nightclub figured it out anyway, and she ended up getting fired. This is a form of insider threat. She was in a position that she was taking advantage of. Insider threats are people who are hired by a company, and then those people exploit the company that they're working for, for some kind of extra gain. Over 50% of companies claim to be victims of insider threats. But what does that look like in the hacker world?
Starting point is 00:01:50 These are true stories from the dark side of the internet. I'm Jack Rhysider. This is Dark by Delete Me. I know a bit too much about how scam callers work. They'll use anything they can find about you online to try to get at your money. And our personal information is all over the place online. Phone numbers, addresses, family members, where you work, what kind of car you drive. It's endless and it's not a fair fight. But I realize I don't need to be fighting this alone anymore. Now I use the help of Delete.me. Delete.me is a subscription service that finds and removes personal information from hundreds of data brokers' websites
Starting point is 00:02:43 and continuously works to keep it off. Data brokers hate them because Delete.me makes sure your personal profile is no longer theirs to sell. I tried it and they immediately got busy scouring the internet for my name and gave me reports on what they found. And then they got busy deleting things. It was great to have someone on my team when it comes to my privacy. Take control of your data and keep your private life private by signing up for Delete Me. Now at a special discount
Starting point is 00:03:07 for Darknet Diaries listeners. Today, get 20% off your Delete Me plan when you go to joindeleteme.com slash darknetdiaries and use promo code darknet at checkout. The only way to get 20% off is to go to joindeleteme.com slash darknetdiaries
Starting point is 00:03:23 and enter code darknet at checkout. That's joindeleteme.com slash darknetdiaries and use code darknet. Support for this show comes from Black Hills Information Security. This is a company that does penetration testing, incident response, and active monitoring to help keep businesses secure. I know a few people who work over there, and I can vouch they do very good work. If you want to improve the security of your organization, give them a call.
Starting point is 00:03:53 I'm sure they can help. But the founder of the company, John Strand, is a teacher, and he's made it a mission to make Black Hills Information Security world-class in security training. You can learn things like penetration testing, securing the cloud, breaching the cloud, digital forensics, and so much more, Thank you. into the security field. And if you decide to pay over $195, you get six months access to the MetaCTF Cyber Range, which is great for practicing your skills and showing them off to potential employers.
Starting point is 00:04:31 Head on over to blackhillsinfosec.com to learn more about what services they offer and find links to their webcasts to get some world-class training. That's blackhillsinfosec.com. blackhillsinfosec.com. BlackHillsInfosec.com. Okay, so do you want to talk to me about probably the worst time of your life? You ready to relive this moment?
Starting point is 00:05:00 Yeah, we can relive it. Let's do this. Okay, so let's start with, what's your name? My name is Ghost Exodus. Ghost Exodus. I like the sound of that. It actually does sound like a cool hacker name, doesn't it? But to understand Ghost Exodus, I think it's important to go back to a time, a time where we're all waking up, looking around, looking for answers about life. I was 19, just turning 20. The year was 2004, and what Ghost Exodus is about to do is going to drastically change his life.
Starting point is 00:05:33 Well, I mean, the circumstances involved in my life might surprise you, because I've never talked about them to anyone before on the internet. But let's talk about what he's doing just before this big change. Prior to that, I was a classical concert pianist. And so music was pretty much the center focus of my life. He's actually really good at piano. And what you're hearing right now is actually him playing. And not just that, but he's also really good at violin. Check this out. When he was two years old, his mom and dad split up. She went to live in another state and gave full custody to his dad.
Starting point is 00:06:19 But his dad had other problems and a tough time raising a kid on his own. So by the time Ghost Exodus was 10 years old, he was adopted by the family next door. His mom would send him photos and letters sometimes, but he would only be able to see them during psychological counseling sessions. And eventually, his real mom stopped sending letters, and he lost contact with her. And so, when he was a teenager, he hired a private detective to try to find his biological mother. She was living in Texas. He went to see her. They reunited. He got to meet his biological brothers and sisters for the first time at 19 years old.
Starting point is 00:06:57 He decided this was the family he wanted to live with. So he moved in with his biological mother to rebuild his long-lost family. My mother was a pastor, married to a pastor. And because of my music abilities, I became the music director for my family's church. Makes sense, right? He wanted to be part of this family, and he can, by playing music in the church that they're involved with.
Starting point is 00:07:24 Okay. But the extent of it was just so extreme that, I don't know, I just felt choked. Like all creativity was just being bled from me. The church was very strict and rigid and demanding of Ghost Exodus. He started wondering if this was a cult even. It was led by a megalomaniac. So my life was very micromanaged at the time. What the heck kind of recipe is this? A 20-year-old looking for answers in life, hires a private eye to find his birth mother, meets his brothers and sisters for the first time, moves in with them, gets inducted into a super strict church, and is not happy with how his life is being micromanaged. From 2004 to 2008 is when I was involved with this ministry. But in 2008, I finally got myself excommunicated. So that's when I just, I don't know, I just
Starting point is 00:08:20 let loose. And that's, I became like this eccentric loose cannon. During this time, Ghost Exodus also had an interest in computers, playing video games and downloading pirated software. But he was also seeing what activists like Anonymous were doing at the time, raising awareness for injustices in the world. And this interested him. So he gravitated towards where this kind of stuff was taking place online. There was a lot of injustice that really affected me by this type of ministry. And growing up in the rough neighborhoods that I
Starting point is 00:08:59 grew up in, like, I saw this need to use hacking as the means to help people who didn't have a voice and to help people who didn't have the technical capabilities to defend themselves. This was during a time when cyberbullying was this type of, it's like an epidemic. And there were no real viable means to help people who are experiencing cyberbullying. Schools did not have a policy that knew how to deal with this. And law enforcement neither had any type of platforms where they could reach out and help people who were being affected by cyberbullying. So in my own life, my life being dominated, being controlled, being constantly subjected to ridicule and injustice, I just took my experience and then tried to find some type of solace by helping others.
Starting point is 00:10:00 Everyone has their own soft spot for something. And you know it's your soft spot when you see someone or something suffer and it just tears you up inside. You can't stop thinking about it. And Ghost Exodus didn't like seeing people getting bullied online. Because the results are horrible. Like, a naive kid might make a YouTube video and speak his mind about something, but he looks a little funny or talks a little funny and he gets mocked and made fun of. And somebody from the internet decides to get his real name and phone number and try to call him and mock him more and maybe even call his parents and mock them.
Starting point is 00:10:32 And this kind of thing can easily result in years of depression. All because you made one stupid video on YouTube. Ghost Exodus hated to see when the internet trolls would dogpile on someone and ruin that person's life. So he wanted to do something about it. I originally was a member of the Insane Masterminds crew, and I had always been a lone wolf my whole life. And I really didn't want recognition. I didn't want to join my peers doing any type of activities. I was completely content hacking on my own and learning on my own,
Starting point is 00:11:06 but I had bought some books and I realized, like, how much more I could learn if I had joined a crew. So I found the Insane Masterminds crew and they had recruited me. And so I enjoyed this great camaraderie, and I was able to expedite, or, you know, greatly, you know, and vastly learn more in a group setting. And from there I was like, well, if I could be a member of this really cool ass group, why don't I start a group of my own, you know, that is fueled with my own ideals, you know, that I could recreate it in my own way. So Ghost Exodus became better at hacking.
Starting point is 00:11:54 He learned a lot from this crew, so much that he was able to start his own hacking group and he named it ETA. The Electronic Tribulation Army. Social injustice was the forefront. That was like our buckler and sword. And this is really legitimate. Like, I'm not trying to sell myself here.
Starting point is 00:12:11 Like, we became vigilantes. And that's what I saw myself as, as some type of social justice mechanism to try to reach out and find people who were being affected. Because it was so easy to try to rectify what they were going through, um, and then try to empower them by teaching them ways to defend themselves. Um, and it's, I don't know, it started really small with just us doing stupid shit, like burning SQL injections and cross-site scripting and phishing. And we didn't really have any type of modus operandi.
Starting point is 00:12:51 We were doing these things for the sheer, like, exploration of it. You know, I come from a generation where hacking wasn't to make a name for yourself. And so that was kind of like the direction I was taking the group. We did things for, you know, the sheer curiosity of it. I mean, the internet was like this great nexus of infinite puzzles, and that's what kept me going, is that every single, like, uh, you, nexus in this great vast network, you know, called the internet was like
Starting point is 00:13:26 this great, just amazing puzzle. And I'm always really drawn to puzzles. And so hacking for curiosity is where I started. And that's where the ETA originated with. I kind of took, you know, the vestiges of my generation and brought it with me. But as we became more sophisticated and, you know, we started bringing in these crazy Jedi hackers, you know, we've seen that we can do more. So we started evolving into hacktivism and then hacktivism took us into like cyber vigilantism. And then that just took us into some really dark places where I started to kind of lose control of myself. And we kind of lost sight of what we had originally wanted to accomplish in those original stages. Like many hacktivist groups, ETA grew and gained momentum.
Starting point is 00:14:28 But the members of the group were getting sloppy, cocky, or trying to outdo each other. And there was this sort of tick-tock swing that became unsustainable. We just lost control. I mean, I lost control. Let's just be honest. I was probably the one who lost control. Yeah, how so? It just, it started really getting to my head
Starting point is 00:14:51 and it started to take control of my life. Like this megalomaniac, like church cult, like took everything from me. Like it left me with a self-esteem that was completely broken and hacking was a way to rebuild myself. In so doing, I became this narcissist, this ego-driven maniac. I just, I lost control of who I was until like, I didn't have an offline life anymore. And at the time I was married, I just had a kid like, and I didn't know how to stop. And so by like 2009, I really realized I had a problem. He started playing around with botnets,
Starting point is 00:15:40 which simply defined a botnet is a large group of computers that you control, but you don't own. So you really don't have permission to control them. When I seen what they could do, I don't know, my mind was blown. Like, they're so versatile. Like, you can do them, you can use them for good purposes, you can use them for bad purposes. You can sell them, you can lease them, you can rent them. Um, I mean, they superseded anything that we were doing, like key logging, you know, host booters, denial of service,
Starting point is 00:16:13 just, they, I seen the potential for using them as this, like, badass freaking weapon that can pretty much, you can do anything. You can use it to leverage other people. It's like, it's just, it's just too much power in the hands of, in my hands. Yeah. Now the story goes, another guy named Isaac starts messing with Ghost Exodus at this time, doing things like doxing Ghost and calling the cops on him, stuff like that. But not just that, Isaac was targeting other members of ETA too. Like finding out where one of them lived and going and vandalizing his house. Isaac's motives aren't clear to me.
Starting point is 00:16:53 And I tried to message him, but he never messaged me back. I've watched some of his streams and videos online. And he does things that just don't make sense to anyone. Like he makes cringy internet prankster videos. And it wasn't just Isaac who was doing this. There were a few other people working with Isaac to do this too. So my guess is that they were just trying to cause chaos, maybe take over ETA or dissolve it somehow, or just flex in some weird internet way. I don't know. But when Isaac was doxing and calling the cops on Ghost Exodus,
Starting point is 00:17:22 this was really freaking him out. And when these things started to escalate, I really started to panic. So I made the decision to risk everything and make a complaint with the Internet Crime and Complaint Center, hoping that they might involve themselves and try to put an end to what Isaac was doing. But they never followed through with it. And because at this time I had a 13-month-old child, and my wife at the time, she was stressing, I didn't know how to stop this.
Starting point is 00:17:59 And so what led to my crime was, my crime in a nutshell was my, this circumstance into my own hands, taking the law into my own hands. against some of the websites that these guys were using as a platform to communicate, to collaborate, as a means to send a message to try to show them, you know, hey, back off. Now, at the time, Ghost Exodus was working as an overnight security guard in the Carrell Clinic in Dallas, Texas. This place is huge. It looks like a hospital. It has six stories, and it's a big building, but it closes down at night. So there's no patients in the building overnight or anyone except security. This is a clinic that treats spine, shoulder, knee, and ankle injuries. And Ghost Exodus was the night security guard for this building. He would walk the grounds and make sure the doors are locked and no vandalism was occurring.
Starting point is 00:19:00 He would often sit in the front lobby of the building where he could watch the security cameras for the entire clinic. Now, where I worked in the foyer, in the entrance at the Carrell Clinic, they had a wireless access point that was really, really weak. And at nighttime, you know, that was the time when I did my studying. That's when I did my hacking. And that's the time I used to, you know, really, you know, direct my crew. But the access point was so weak, it would always drop my connections. So he started hunting and poking in the network, looking for a computer that had a more reliable internet connection. I ended up finding this computer, which turned out to be a server.
Starting point is 00:19:42 And this server he got access to controlled the heating, ventilation, and cooling for the whole building. It ran, you know, the SCADA software used to control, you know, the heating, ventilating, and air conditioning system for the Carrell Clinic. But, you know, the idea was, I'm going to use this computer, I'm going to install LogMeIn so I can access it remotely from my laptop at my guard station. But the firewall was blocking the incoming connection. And instead of reconfiguring, you know, LogMeIn, or excuse me, reconfiguring TeamViewer,
Starting point is 00:20:20 I decided to use, you know, the browser with LogMeIn. With that, he was able to establish a persistent remote connection to this HVAC server. So basically, I used it for chatting on AOL Instant Messenger, using it for MySpace. And I used it to buy car magnets off of Vistaprint. Definitely against the rules of what he should be doing as a security guard. But I'm not sure if it's against the law. Now, sitting there in a large medical clinic all night long, he started to realize how many computers are in this building.
Starting point is 00:20:57 And at the same time, he's fascinated with botnets and is trying to build one himself. So he gets the idea to try to get some of the computers in this clinic to join his botnet. All he would need to do is execute one tiny program on that computer and this would make it join his botnet. So during his night patrol, he would wander the halls and look for potential computers he could exploit. But each computer he came across was locked, password protected. Unless you were a nurse or a doctor, you would not be able to unlock it. So he looked up how he could get into a locked
Starting point is 00:21:31 computer and found a tool called Ophcrack. See, Windows stores your password as a hash. Windows creates the hash when you set the password by running it through a special algorithm. But a hash only works in one direction. You can't take a hash and convert it back to a password. So whenever you enter your password, Windows runs it through that same hashing algorithm. And if the resulting hash matches the hash from when you created the password, then Windows knows you entered a matching password. Ophcrack looks at the hashes stored in Windows and tries to find a password that matches that hash. It's sort of a brute force password cracking method, because it's going to look at millions of hashes to try to find one that matches the one in Windows.
Starting point is 00:22:14 Basically, Ophcrack is a way to find passwords for Windows computers. But what's more is that you could put an Ophcrack CD in a computer and boot to it, and it'll try to search through the hashes in Windows to find a matching password to it. So, Ghost Exodus loaded Ophcrack on a CD and his botnet on a USB drive, and he made his rounds through the clinic looking for a computer to sit down and use. And he would put the Ophcrack CD in the tray, reboot the computer, wait for Ophcrack to find a password, then he'd write that password down, take the CD out, reboot the computer, and now he has the password to log in with.
Starting point is 00:22:52 Once he's in, he'd pop the USB drive into the computer and run the malware to join this computer to his botnet. From there, he'd take the USB drive out, lock the computer, and walk away. He did it. It worked. He had a new node on his botnet. So he went and did it again. But while he was doing it again, he realized this could be a good motivator for some of the other people in his hacking group to do this too. So he brought a little laptop with him to work,
Starting point is 00:23:18 turned on the webcam for it, and made a video. Hey, what's up everybody? It's Ghost Exodus. You're on a mission with me. Infiltration. His video has this Mission Impossible music in it, and he's got a hoodie on, and he's walking around the building
Starting point is 00:23:34 acting super suspicious like he's a spy. What we gotta do is we gotta drop five men. Oh, my gosh. What an audacious bastard. He's claiming it's an office he broke into. But you and I know this was the clinic where he worked as a security guard. I actually purposely avoid that video because it makes me really embarrassed. It's a propaganda video that was aimed at some of the younger generations, some of the younger hackers, because they're so easily
Starting point is 00:24:06 impressionable. So I was trying to make this video to inspire them to emulate the things that I was showing in the video, because I wanted them to spread our bots. He shows a keycard that has the word security
Starting point is 00:24:23 written on it with a marker. I tell my viewers that this was a keycard that I'd swiped. In other words, I want them to believe that I stole it. He holds up a CD for the camera. It says Ophcrack on it. And he holds up a USB drive, which he says has the botnet on it. He goes up the elevator, walks the halls, uses his keycard to get into places, finds a desk, and sits down. It's actually a nurse's station,
Starting point is 00:24:50 but the video just seems like it's a typical office. He starts typing stuff on the keyboard, but then he stops and puts on latex gloves. Yeah, you know what's funny is I already start touching the computer before I put on the gloves. All of that was just theatrics. He gets into the computer using Ophcrack, then plugs the USB stick into it and begins copying files over to the computer.
Starting point is 00:25:15 You can see all this on the video. The botnet he was using was called RxBot. It's an open source botnet made in C++ that anyone can just download and use. We had done our research what antivirus software would detect the RxBot. And on some of these systems, you might actually, I don't know if it's in the video, but they had McAfee antivirus. So I was disabling it. So he disabled the antivirus and ran the program to join his computer to the botnet. The script runs, then deletes itself.
Starting point is 00:25:55 Job's done. And there it goes. It's melted. That's all I needed. Now, he was building this botnet so he could wage a denial of service attack on Isaac on July 4th, which was about a month away. So he released this video on YouTube to get other people to be inspired to do similar acts to build up his botnet. And what is the reaction from people when you dropped this video? It was mixed.
Starting point is 00:26:26 There were some who had the right mind to tell me, you know, Ghost, I don't think this is a good idea. Ghost, I think this is going to backfire. I'm like, no, no, it's not going to backfire. You know, I've never been caught. I'm never going to get caught. I'm too careful. Then there was other people, you know, those to who it was catered for was like, oh, you're such a badass. Oh, you know, you're so cool. Now, where can we get this botnet? And that's what drove me is that type of reaction. I wanted people to, I wanted it to be controversial. You know, I didn't want it to just always go my way. And that was my objective to be controversial and to really just create this persona of controversy. And I certainly did that to a T.
Starting point is 00:27:08 Ghost Exodus would eventually install this botnet on 14 computers within the medical clinic. And then once they were installed, he would go back to the lobby where he would normally sit to do his job and he would open up his tiny laptop and from the security desk, he would tell his botnet to attack, flooding the target computer with so many packets that it would take the target offline. I tested out the bots, the botnet pool that we had accumulated back in June of 2009 during the Iranian presidential elections to Op Iran. So I used these bots in Op Iran and in response to the death of Neda Agha-Soltan, that peaceful woman's rights professor who was murdered,
Starting point is 00:27:56 you know, it didn't cause any significant damage to the systems. I had actually used the bot several times from there. But yeah, after I had installed them, yeah, we had tested them out. On several occasions, I attacked 94chan with them. I had like a love-hate relationship with Internet Hate Machine, who was the leader of 94chan. And I was always pissing her off. And we were always trying to, you know, best one another. But I especially used them, like I said, in Op Iran. And when he would have his botnet all put together and enter a target victim and hit launch and see his target go down, this was the feeling of winning. It's euphoria. It's like winning the
Starting point is 00:28:46 lottery. Whatever chemicals are secreted by the brain whenever you're gambling, that's the same feeling. That's the same chemical reaction that is going on in my mind that just keeps me pathologically doing it over and over and over. It's this great gratification that it's like, if you're not gratifying yourself in this fashion, then you're, then you're not relevant. Basically you're, you're like, I don't know. It's just, it was a feeling of, of relevance of, of the utmost relevance. I mean, what you can't be thinking that this is going to play out right. You know, in some of my, I kept an online journal, okay, on vampirefreaks.com. This episode is sponsored by Shopify.
Starting point is 00:29:42 The new year is a great time to ask yourself, what if? When I was thinking, what if I start a podcast? My focus was on finding a catchy name, some cool stories, and working out the best way to record. But oh, so much more goes into making a podcast than that. If you're thinking, what if I start my own business? Don't be scared off, because with Shopify, you can make it a reality. Shopify makes it simple to create your brand, open for business, and get your first sale. Get your store online easily with thousands of customizable drag and drop templates. And Shopify helps you manage your growing business. Shipping,
Starting point is 00:30:14 taxes, and payments are all visible from one dashboard, allowing you to focus on the important stuff. So what happens if you don't act now and someone beats you to the idea? The best time to start your new business is now with Shopify. Your first sale is closer than you think. Established in 2025. That has a nice ring to it, doesn't it? Sign up for your $1 per month trial period at shopify.com slash darknet. Go to shopify.com slash darknet and start selling with Shopify today. Shopify.com slash darknet. And start selling with Shopify today. Shopify.com. This was a feeling I had on the forefront of my mind at the time. I believe I'm going to be arrested.
Starting point is 00:30:59 I knew that time was coming. After the break, we'll find out if Ghost Exodus' premonition comes true. At this point, Ghost Exodus was posting screenshots of this HVAC computer that he hacked into in the clinic. He didn't say where this HVAC computer was that he accessed. He just wanted to flex a little and get some street cred that he hacked into a computer, and this one happened to control the heating and cooling of a building. There was a new recruit in the ETA who went by the moniker Immortal, and he had taken the screenshots of the HVAC SCADA software that I had taken and posted it on a security blog that was seen by Wesley McGrew. So my name is Wesley McGrew. So that was 2009. At that time, I was a research associate at Mississippi State University where I was working on a PhD dissertation on industrial control system and SCADA security. And so that there was a tie in
Starting point is 00:32:05 with that. And that's partially how I got involved with it. Now, Wesley, being a smart student, had a blog where he was just writing stories about information security called McGrewsecurity.com. And sometimes hackers would write to him and call out other hackers or brag about what they did, or just send him weird stuff to see if he would post it. Another member of the group, who went by the name Immortal, later Hex, got in touch with me and was in touch with me for a good period of time, apparently just to brag about different things to see if I would write about them. Immortal was claiming to be part of the Electronic Tribulation Army and was boasting about what he had done and wanted Wesley to write about it.
Starting point is 00:32:49 I guess Immortal wanted to be famous. I was in touch with Immortal over a period of, I don't even know how long, he would message me various things. The most memorable one of which being around about that time there was a North Korean missile test and he had it in his head that he wanted to hack North Korea, just being very difficult due to their limited attack surface. But he thought he'd done it. He thought he had found a target for his attacks, and he showed it to me via MSN Messenger or AOL Instant Messenger or whatever it was at the time. And I had to let him know that, hey, this is a South Korean site. And he didn't know the difference between North and South Korea.
Starting point is 00:33:30 So that sort of sets the stage there for Immortal. Later on, probably a few weeks after that, he was aware either from my site or from something that I had published that I was interested in industrial control systems and data security. And so he sent me some screenshots of a system that he had claimed to have hacked. And it was screenshots of an HVAC system at a hospital. Wesley was writing his Ph.D. thesis on the security of industrial control systems. So this really interested him. He began investigating it further.
Starting point is 00:34:15 So at that point, all I had was a set of PNG or JPEG screenshots, static screenshots. And what I saw in those was sort of the human machine interface of this SCADA system, showing operating rooms, showing the heating, ventilation, air conditioning, chillers for medicines and medical equipment and implants and things like that, that sort of stuff. And so that piqued my interest right there. And I wanted to find out more about it,
Starting point is 00:34:44 but not through talking to Immortal. And so I started doing image searches and open source intelligence based off the pictures that I was seeing in these HMI screenshots. I was able to identify it as being the Carroll Clinic. And I believe, I've never physically been there, but there are other facilities connected to it that use the same HVAC system. And I was also able to find a forum post on a hacker forum where Ghost Exodus had posted these screenshots saying that he had hacked into these things. And while it was a thrill for Ghost Exodus to launch a DDoS attack on his targets, it was also a thrill for Wesley to try to track down who Ghost Exodus was. Oh, it's very exciting, right? I mean, I don't think anybody, you know, I tell folks even now,
Starting point is 00:35:35 you know, I don't do anything I don't enjoy, right? And so back then we worked for the Forensics Training Center and loved investigating things, loved doing computer forensics, loved doing the open source thing. I still love doing the open source intelligence thing. And so, yeah, it was very exciting and interesting to do that sort of stuff. So much fun that it practically consumed Wesley. From there, you know, I wanted to find out as much about Ghost Exodus as I could. That being a Thursday, I spent the rest through that weekend amount of time, so three, four days, gathering as much as I could through open source intelligence, through searches and various, anything I could to put together what wound up being
Starting point is 00:36:28 two burned DVD pulls of information about Ghost Exodus, who I didn't even know. Despite finding all this about him, despite finding eight gigs worth of information, I didn't know his name. I knew that he was a security guard at that hospital. I had the videos, uh, from YouTube of him putting malware onto the, uh, nurse's station computer. I had other videos that he had recorded while he was at work. Uh, just, you know, gigs and gigs of stuff about him. That following Monday, we contacted the Jackson, Mississippi FBI and handed that information over.
Starting point is 00:37:19 Now, the FBI likes handling bigger cases than this. Threats against the country or civilians or crimes over $1 million in damage. But the evidence that Wesley collected made it real easy for the FBI to follow up on. Like Ghost Exodus had a YouTube video of him breaking into office buildings. I mean, come on, if a hacker is going to post videos like that and show their face and everything, they're definitely asking for a knock on the door, right? But also, the way Wesley framed it to the feds made it seem pretty important. Right. Well, you know, I think this is a little bit different than a Web site defacement or some some act of activism in that it from all the information and it's visible about this. It's a it's a health care facility, right? And so it's patient information.
Starting point is 00:38:07 And so people's personal health care records are sensitive. And there is a potential for that medicines, to cause them to have to to re-sterilize equipment, to cause them to have to throw away implants that had gone above or below acceptable temperatures, things like that. So there's an impact to this, to the victim organization. And it's, and it's not, you know, it was, I did not see this as sort of a, uh, an act of, of activism that had any particularly positive result, right? And so, uh, that sort of factors into the decision to report this, right? And so it's, it, because, I mean, it's a crime and it seems to have, like, it'll have a potential real impact on organizations and individuals. So the FBI took Wesley's report and got to work. They did some Google searches and found Ghost
Starting point is 00:39:17 Exodus' Gmail address. And from there, they searched for his Gmail address and found a Craigslist post that Ghost Exodus made, which had his resume on it, but not Ghost Exodus's real name. They contacted the security companies on his resume and then cross-referenced it with the security guards working for the Carroll Clinic. And just like that, they had the name of their suspect. Ghost Exodus was Jesse McGraw. The FBI created an indictment for Jesse McGraw and got a warrant for his arrest. It's Friday evening at 11 o'clock p.m. on June 26, 2009, and one of the things I used to do was drive around the clinic just to make sure nobody was breaking into the underground parking garage.
Starting point is 00:40:11 And I see this van. And I'm thinking, ah, that's got to be the cleaning crew's van. So I don't think much of it. It's my last night, and I'm training a new employee who has never worked a shift a day in his life. It's my last night because I'm also about to start my new job at Global Data Guard as an entry-level network security analyst.
Starting point is 00:40:38 So I'm driving around. I park. I go inside. And I meet the new employee, and suddenly, out of nowhere, I'm surrounded by about three FBI agents and two, I don't know, state police or senior police officers just shouting, you know, where's the gun? Where's the gun? Where's the gun? And I'm like, I mean, I lock up. I don't even know what's going on. I mean, I, I still reel from that night. And I'm like, what gun? I'm like the one from your video. I'm like, which video? Now we're, we're having a shouting match because we're trying to figure this out. He's like, the one from your MySpace. I'm like, which MySpace?
Starting point is 00:41:27 He pulls up his phone and looks. And I was like, oh, that's fake. Besides, I can't carry a gun here anyways. And he's like, are you Jesse McGraw? I'm like, yes. He's like, are you Ghost Exodus?
Starting point is 00:41:44 I'm like, maybe. I can't remember. I think that's what he said. But anyways, what I'm going to tell you is like being raided by the FBI, there's nothing quite like it. You know, to immobilize, you know, people that they're putting under arrest and to get them to cooperate, to get them to confess. Um, just being swarmed like that, I still look over my shoulder this very day, even though I know that that type of thinking is irrational. I still get those feelings. It pretty much ended very quickly. Oh, they take me down to this station, and then they interview me.
Starting point is 00:42:33 And I've never been arrested before. He says, if you confess to everything that you've done here, then maybe the judge will go easy on you. Here's a paper and pen. I know you're a good writer. And so I'm thinking, maybe if I confess to what I've done, I can go home. I didn't know that I would be incriminating myself. Like this is what really sealed my fate. There was no way I could fight this case after I had self-incriminated. You know, a lot of people think that once you've been arrested by law enforcement or the FBI or the Secret Service, that they've been watching you.
Starting point is 00:43:08 They know everything about you, but that is not true. Because if they knew, then they would not need you to confess. One of the tactics that law enforcement use, other than fear, is to convince you that things are going to go lenient. Things are going to go and work in your favor as long as you confess. But by self-incriminating, you're basically handing them – you're basically signing your life away. I just didn't see it at the time. So you passed up? I confessed to everything that I had done in relation with the Carroll Clinic. The one thing I didn't do, and this is pretty well known, is that I did not give up my friends.
Starting point is 00:43:59 The police didn't let him go home that day. They just put him right in jail. I'm transferred to Seagoville Jail, where I remained for two years as I'm fighting my case. And my first week in jail, I was just so terrified. I didn't shower for a week. I didn't eat hardly.
Starting point is 00:44:20 I actually had my cellmate bring me food for a while. Now, once news spread of his arrest, Wesley blogged about this case, claiming he was the one who called the FBI on Ghost Exodus. And as you can imagine, this had some consequences for Wesley. You know, I had sex toys mailed to me. I had lots of phone calls. I had, uh, I have, you know, just gigs and gigs of crap here on my computer of logs of them talking about, you know, coming to my house and, and, uh, and kidnapping me and just various attacks, just, uh, you know, overall more bluster than anything. I don't know that I ever felt personally, physically threatened by any of them, but there was a lot of talk and a lot of harassment from other members of McGraw's
Starting point is 00:45:16 hacker group, the Electronic Tribulation Army. So various members of that group would try to attack my website, denial of service attacks. And one of them, he went by the handle Fixer. He was the main bad actor along those lines, along the harassment lines. And eventually, he pled guilty to charges of CFA, Computer Fraud and Abuse Act, for denial of service attacks against my website in order to – it was part of an agreement to have charges against him dropped for witness intimidation. And so that was sort of the – he was the main bad actor on that. I mean, so when you're posting it publicly, did you kind of expect something like that? You know, I mean, I, I, I really didn't know what to expect one way or the other.
Starting point is 00:46:17 I mean, you know, obviously that's, that's the sort of thing that can happen. You would think that with the leader of your hacking crew, such as it is, being arrested and having given the feds all the information about all the members of the group, you'd think they'd be on their best behavior and wouldn't want any additional bad attention. But there you go. Ghost Exodus' court case dragged on and on. You might wonder why there would be such a lengthy trial, considering he had already confessed to hacking the clinic. Well, they were trying to pin extra things on him, like the cops were saying he hacked into NASA, but he was saying he didn't do that,
Starting point is 00:47:03 and they wanted him to turn in other members of ETA so he could get less time. But he wasn't going to turn anyone else in. So this went on for two years before his sentencing. And that whole time he was in jail. On March 17, 2011 is your sentencing. Yes. What did they give you? 110 months, which equals nine years. Nine years for two counts. One was
Starting point is 00:47:32 hacking into that HVAC server, and the other was installing malicious code on the nurses' stations. But remember, he only got into that HVAC computer because his Wi-Fi was spotty and he wanted to browse the internet faster, not because he did anything bad to the HVAC system. I mean, okay, yes, he did. He wasn't supposed to install remote control software on that server and he wasn't even supposed to access that system and he did that, but he did it only to chat online and to shop, not to be malicious and attack the clinic or anything else. You could compare this to him breaking into an office that he shouldn't have gone in just to watch TV or something. But he was charged as if he stole stuff,
Starting point is 00:48:10 caused damage, or ruined something. So it's just odd here that his intent had nothing to do with his sentence. The court was harsh on him because this was a medical clinic. Because what kind of jerk hacks into a medical clinic, right? The court showed how he had access to patient records and private info. But he insisted he never took any of that or looked at any private info at all. And he just used these computers to wage a denial of service attack on other computers.
Starting point is 00:48:40 Nine years seems like an awfully long time. But I think the court didn't recognize or understand the intent and use of these computers. They simply saw that someone hacked into a bunch of computers at a medical clinic, and this seemed to cloud their judgment of what that meant. I mean, people who are convicted of manslaughter often serve less than nine years. Not that I think Ghost Exodus should go without punishment, but nine years? Really? That just seems extra harsh. So he went to prison for a long, long time.
Starting point is 00:49:13 And spending that long of a time in prison can really mess you up. Whenever you spend a long time in prison, you get too used to the environment. You get used, it becomes a part of you, a part of your psyche. You're controlled on a minute-to-minute, day-to-day, hour-to-hour basis. You become accustomed to violence. You become accustomed to all types of things that are only exclusive if you've ever been a prisoner. At some point, he somehow sneakily borrowed a computer to contact his lawyer while he was in prison. When he was caught doing this, they threw him in the SHU. Solitary confinement, where he had almost no interaction with other people, very little activity,
Starting point is 00:49:59 and it's extra strict. He stayed a whole year in the SHU. This affected him physically and psychologically. Fluids began collecting in his lungs and he began to lose weight and became very frail. He describes this experience as torture. But after 13 months, he got out of the SHU and was able to serve normal prison time. And after seven and a half years in prison, they let him out on good behavior. And when he got out, he was able to connect with his wife. But he was a different person now, and she was a different person too. My family was very worried that I was playing them. I hadn't really changed at all. Anytime I sat down at a computer, like, my wife immediately began to panic
Starting point is 00:50:50 because she thought I was hacking. And if I said I wasn't, she thought I was lying. Because these are things she was revisiting because that's how we used to be over a decade ago. So in her mind, I'm still playing the same games. I'm still playing them. But I wasn't. And while I was on home confinement, while serving home confinement through a halfway house, she's so afraid that I'm doing this again, that she kicks me out of the house,
Starting point is 00:51:25 threatens to call the FBI to search my laptop. And I now realize like I'm in a dangerous situation. I'm financially codependent. I have nowhere to go. At the same time, he had a friend who wanted to go to Nigeria to visit some friends and ultimately end up in Israel, which would be quite the adventure. Ghost Exodus knew this guy and thought, this guy is not going to be able to make this kind of trip on his own. He was just a mama's boy, a cosmopolitan type of kid, very preppy. He'd never had any, doesn't have any street smarts. So the combination of Ghost Exodus needing a place to go and being afraid of the FBI, and this guy wanting to leave the country, go to Nigeria, Ghost decides to go to Nigeria with him.
Starting point is 00:52:10 That's one of the things that I picked up in prison. It's like this need to escape, because you spend years ruminating on leaving. And just the environment is so depressing, so stressful. You constantly just daydream and fantasize about escaping. And so when you leave prison, sometimes you find yourself in that same feeling because you haven't fully acclimated back to society yet. And so I kind of carried that over when I was released. And so the extremity of those thoughts or those actions were based on thoughts I had originally had while incarcerated. So what I ended up doing is I started doing research on cargo ships.
Starting point is 00:53:08 Well, come to find out, leaving the country by cargo ships is the easiest way to come in and go undetected. I end up getting this commercial marine tracking software, and I end up finding a ship that just so happens to disable its automatic identification system. And usually when ships disable the AIS system, it's because they're engaged in some type of illegal trafficking activity in international waters. So I'm tracking this ship. I, I hop on a plane, go to Florida, and I amazingly manage to slip past border patrol and customs agents to actually get to this ship without a ticket, without, you know, being authorized with a passport, a ticket, and a shuttle. And we go up there, and I pose as an Israeli-American. I explained to him that I am an ivory dealer and that I want them to take me to Nigeria. To take me to Nigeria because my main goal was to try to start over in Israel. And I was afraid that customs would turn me back.
Starting point is 00:54:40 Now, I should point out here that when he flew from Texas to Miami, he violated his probation. He wasn't allowed to leave the state. But at this point, he's standing at the docks with his traveling partner, talking to the captain, trying to get on this ship. I managed to get on the ship. This ship was very interesting because this company is one of the biggest cargo shipping companies in the world, but they're also one of the dirtiest. This is why we specifically selected this as our means to leave the country, because they don't have much of a conscience. They've been busted several times, trafficking weapons to Russia,
Starting point is 00:55:21 a disassembled tank to North Korea, and ivory to Florida. So I was like, you know what? This is the shipping company we need. So we get on board, and I explain to them, look, I know that you're disabling your AIS system. I know you won't really have a big problem taking us to Nigeria, but here's the deal. I'm into ivory. I know that you're into ivory. You want to make a buck, take us to Nigeria. The captain said, you're going to have to pay if you want a ride, you know.
Starting point is 00:55:53 And so the captain gave them a price. They tried to haggle this down, but they just couldn't get the price down to an amount that they could actually pay. So they didn't get a ride out of there. And they waited in Miami for the next ship to arrive, hoping that they might find a better rate. But by that time, his travel partner had called his mom and told her what they were doing. And his mom thought it was Ghost Exodus' idea to leave the country, so she called the police on Ghost Exodus. The police saw this was a violation of his probation to leave the state. So they issued a warrant for his arrest and went down to the docks and arrested him there.
Starting point is 00:56:29 When I was leaving prison the second time, I had nowhere to go. I had basically burned every bridge I had. And I still had probation to serve three years. So in my mind, I was thinking, you know what? I've been locked up for so long. I'm constantly worried. I've never really decompressed from this experience. I just, even in society, I felt like I'm still locked up. I still feel that way. So having nowhere to go, I just said, you know what? Screw this. I'm just going to go on the run. And when they pick me up, they'll pick me up.
Starting point is 00:57:12 During that time, I lived in Cedar Hill State Park. He was actually living in a forest, homeless at the time. My wife notified my mother. My mother was the one who notified my probation officer who called park authorities, and they actually freaking sent a drone to come and try to find me. Can you believe that? I've never seen that before. I've never heard that type of whine that those drones make before. Just the thought of it just scared the living daylight out of me.
Starting point is 00:57:45 They did this for the better part of about a week looking for me, but they never found me. But then I found myself on a Greyhound bus going to Onalaska, Texas, which is by Goodrich and Lake Livingston, and I stayed there for about five months living in the forest. Then on my way back is when I got picked up. Because of like a traffic stop or something? Exactly. He was given two more years of prison time, but this time he would have no probation when he got out. The judge saw that he couldn't serve his probation, so he had to just stay in prison until all of his time was served.
Starting point is 00:58:22 But after about a year and a half, he was let go on good behavior, which means now, in 2020, he's finally free. No probation, no prison. And he can focus on rebuilding his life. He's currently a fry cook, since he doesn't have a car and needs a job within walking distance. In total, he served nine years, eight months in prison, all because he installed malicious
Starting point is 00:58:46 software on 14 nurse stations and gained access to that HVAC server. And it's ironic, since he did all that, inside the very building he was supposed to be protecting from threats. As for what he plans to do next, he tells me he thinks his forensic examiner for his case was not very good, and it was one of the reasons why he got such a long incarceration. So he'd like to study digital forensics, because he doesn't want an incompetent forensics examiner to ruin anyone else's life. A big thank you to Jesse McGraw, Ghost Exodus, for coming on the show and sharing your story. Stay safe out there and good luck in your future.
Starting point is 00:59:33 Also, thanks to Wesley McGrew for coming on and telling us your story. Wesley has finished his PhD in computer science and is now a director at Cyber Operations for a cybersecurity company. If you're all caught up on Darknet Diaries episodes and want more, you're in luck. There are now six bonus episodes for Patreon subscribers. By supporting the show through Patreon, it tells me that this show brings value to you.
Starting point is 00:59:54 It also shows a new ethic in supporting something you appreciate. So please visit patreon.com slash darknetdiaries to unlock bonus episodes and an ad-free feed. Thank you very much. This show is made by me, the local ghost, Jack Rhysider. Original music and sound design was done by the quick blade, Andrew Meriwether. Editing help this episode by the megabyte-er, Damien. And our theme music is by the bzz bzz bleep bleep bloop bloop Breakmaster Cylinder.
Starting point is 01:00:22 And even though there's some CEOs somewhere out there that are just now figuring out what blockchain is and think it's a cutting edge technology when actually it's 10 years old now. This is Darknet Diaries.
