Darknet Diaries - 80: The Whistleblower
Episode Date: December 8, 2020
In this episode we hear a story from a social engineer whose job it is to get people to do things they don’t want to do. Why? For profit.
Sponsors
Support for this episode comes from SentinelOne which can protect and assist with ransomware attacks. On top of that, SentinelOne offers threat hunting, visibility, and remote administration tools to manage and protect any IoT devices connected to your network. Go to SentinelOne.com/DarknetDiaries for your free demo. Your cybersecurity future starts today with SentinelOne.
Support for this show comes from Thinkst Canary. Their canaries attract malicious actors in your network and then send you an alert if someone tries to access them. Great early warning system for knowing when someone is snooping around where they shouldn’t be. Check them out at https://canary.tools.
Support for this show comes from Blinkist. They offer thousands of condensed non-fiction books, so you can get through books in about 15 minutes. Check out Blinkist.com/DARKNET to start your 7 day free trial and get 25% off when you sign up.
Transcript
How persuadable are you?
I think most of us think we make complete and logical decisions ourselves
and weigh all the consequences, and we're not influenced by marketing campaigns.
But I think, overwhelmingly, we're more persuadable than we think.
There's this mint study I find fascinating.
Some psychologists did this research in restaurants.
They found that if the server gave the customer a mint along with the
bill, the amount of tips went up by 3%. Why? Well, it's because the server gave them a small gift.
And as a human, when someone gives us something, even as small as a mint, we want to give something
back. But check this out. When the server gave two mints with the bill, the tips went up by 14%.
But there's more.
If the server gave one mint with the bill and then walked away but then stopped and came back and said, you're nice diners here, take an extra mint. This resulted in tips increasing by 23%.
Incredible. Such a small gift given at just the right time with the right message
has quite an effect on us. And see, these are the
things I don't think we're consciously aware of. I don't know how much I'm going to tip until I get
the bill. And then I do this little math game to figure it out. And if at that same time, I'm also
given a little gift and told something nice. Yeah, I think this kind of stuff does work on me. And I
don't even realize it. But those are small things.
Surely I wouldn't be so easily persuaded to do something bigger, right? Like turn against my
company and cause it to have major financial loss. That's quite a big decision to make.
But this story is about a guy who persuaded someone to do exactly that.
These are true stories from the dark side of the internet.
I'm Jack Rhysider.
This is Dark by Delete Me.
I know a bit too much about how scam callers work.
They'll use anything they can find about you online to try to get at your money.
And our personal information is all over the place online. Phone numbers, addresses, family members, where you work,
what kind of car you drive. It's endless and it's not a fair fight. But I realized I don't need to
be fighting this alone anymore. Now I use the help of Delete Me. Delete Me is a subscription
service that finds and removes personal information from hundreds of data brokers websites
and continuously works to keep it off. Data brokers hate them because Delete Me makes sure Thank you. Take control of your data and keep your private life private by signing up for Delete Me.
Now at a special discount for Darknet Diaries listeners.
Today, get 20% off your Delete Me plan when you go to joindeleteme.com slash darknetdiaries and use promo code darknet at checkout.
The only way to get 20% off is to go to joindeleteme.com slash darknetdiaries and enter code Darknet at checkout.
That's JoinDeleteMe.com slash DarknetDiaries and use code Darknet.
Our story today comes from a character we're going to refer to as Paint Parrot.
It's sort of a nickname he goes by.
Paint Parrot's a social engineer unlike any I've ever seen.
And if you don't know what a social engineer is,
it's basically just someone who can persuade other people to do things
they don't want to do through different psychological tricks.
But his story starts far away in Afghanistan.
So I was in a part of the British Army called the Royal Artillery,
which everyone assumes straight away is going to be to do big guns and things like that.
But we were actually a UAV unit, so unmanned air vehicles, drones. So we were
a drone unit within the Royal Artillery. And yeah, our job was obviously to, you know,
find, fix, finish and kind of build up that intelligence cycle for the guys on the ground
to then go out and do operations against, I don't know, like Taliban weapons caches,
or, you know, try and track people planting IEDs in the roads,
you know, or, you know, trying to find high-value targets
for special forces guys to go and, like, knock on the door, basically.
Paint Parrot said he was only in charge of unarmed drones,
no predators launching missiles down on targets.
Instead, they're sort of like
eyes in the sky and would watch the ground to gather as much intelligence as they could.
So it was a unique and quite exciting role, mentally quite taxing, because a lot of the
time you feel like your hands are tied, you're looking at stuff and you want to be able to do
something, especially when you're seeing friendly troops getting in contact with the Taliban, and you want to be able to intervene, but all you can do is watch. It's quite a surreal
time. What he was after was good intel that his team could use to have the upper hand,
which I guess is like espionage work, a spy in the sky. But after a while, he completed his duty
and left the military, which means he
needed to find work as a civilian. At first, he assumed he would just do what a lot of his peers
were doing. Originally, I wanted to do what a lot of ex-army guys do and just be a bodyguard.
You know, because it could be quite lucrative contracting in places like Iraq and Afghanistan.
So that was kind of the original plan. But while I was doing the training, I became good friends with the guy who ran a training company. And I started out going
back with him as an instructor. And then that evolved into me getting involved in some of
his projects that he was doing that weren't training, so sort of live operations, if you
will. And that's kind of how it kind of slowly sort of filtered me into less,
less sort of bodyguard stuff and more, you know,
security and risk assessments and sort of, yeah,
following people and gathering evidence for, you know,
whether it's sort of just normal sort of lawyer cases, you know,
and they need to get information to discredit the other party.
Now that's an interesting transition.
Getting intel for lawyers?
This is sort of like being a private eye.
But he's trying to find dirt on the other side of legal cases.
So he was gathering intelligence for companies, lawyers, court cases.
For example, this one time, he said there was a copyright infringement case.
You know, someone had their, they were claiming rights over intellectual property of something of
a business or an idea.
And in order to try and catch the other party out, we'd organize it.
They'd have a meeting in a conference room at a hotel.
No lawyers present.
And just the two guys that were arguing could kind of talk it out and hash it out.
All we'd actually done is bugged the room
and had our lawyer basically downstairs listening to the audio
and kind of baited the other guy into admitting
that he'd stolen the intellectual property
and kind of bragging that he was going to get away with it.
There's a slight sex appeal to corporate intelligence, I guess.
It was kind of like this whole
world that, you know, as in the military
and things like that, you never really, you see
it in the movies, you don't really know that it
exists. You learn a lot of
social engineering because you're constantly having to
kind of talk your way into places you
shouldn't be. You know, you're constantly having to
sort of, you know, phone
somebody up and fish information out of them
and trying to get them to reveal things that they shouldn't do
or pretending to be someone else.
He would sometimes travel around, do training sessions
and would teach others how to gather intel like this, covertly.
After sort of, yeah, getting more and more into it,
one trip to the States, I met a private intelligence company
that was a DOJ contractor.
And that's kind of where it all kind of escalated from there and became something else.
Okay, so this DOJ contractor was an intelligence gathering company,
and they wanted to increase their presence in the UK, where Paint Parrot lived.
They knew of this London-based company, which was collecting intelligence there.
And they introduced Paint Parrot to this small
intelligence firm in the UK to see if he could help them out. And this is kind of where I first
got introduced into, yeah, the world of whistleblowing, basically.
So here's where we get to whistleblowers. In a nutshell, the Department of Justice doesn't
like it when corporations break the law. They want to bring these businesses to justice.
But it's not so easy for the DOJ to know when something illegal is going on inside a company.
So the DOJ gives out monetary rewards to whistleblowers who can provide detailed,
first-hand observations of misconduct by a company,
which results in a successful enforcement action that returns a significant
amount of money to harmed investors.
Basically, if someone inside the company comes forward and provides enough evidence that
this company was breaking the law and it results in a fine imposed by the SEC, the
whistleblower will get a percentage of that fine.
But the DOJ can't handle all of this intel being sent at them by themselves.
So they contract this work out to companies like this DOJ contractor that Paint Parrot just met.
But this London group that he also just met with was in the process of handling one of these whistleblower cases.
Now, this case is still ongoing, so we can't discuss specifics, but he can talk a little about it.
First, like in any
whistleblower case, there's a company that did something wrong. So brief overview, you know,
certain large company was, in order to get a competitive edge, was bribing government officials
in exchange for access to oil. They were paying off people, they were shipping, you know, cash across borders
into other countries in order to pay off government officials in order to get their supply over,
you know, other corporations, their competitors. And they were also, in the end it sort of came
out, they're also manufacturing fake shipping manifests, the ships
that never left or never existed, in order to move what we can, we, we've assumed was large quantities
of oil or something. But they were moving it anonymously in order to bolster their, bolster
their stock sort of off the record and things that. So we have a feeling that was then used in another country
in order to shift the balance of whether it be political power or whatever.
They were basically shipping some oil that wasn't even accounted for.
And they were using some of these to ship cash as well
that wasn't sort of off the books.
By saying, I'll be paid for this vessel to leave,
then this vessel never existed.
The manifest is there, but it never existed,
but they can attribute millions of dollars to that cost,
and that money then obviously went somewhere else in cash.
So this giant multinational corporation was doing a bunch of illegal things,
but it wasn't public, so nobody knew they were doing this.
Only a few people inside the company were aware
that this company was breaking the law.
But there was this one guy who worked for this company
who was upset with this company.
So he was in a certain African country.
He was their representative, basically.
So he had his own business,
but he also had business cards with, you know, this commodity company's logo on, and he was like their in-country representative.
He was a contractor rather than actually on their payroll.
Okay, but I mean, how did they get connected to your company?
Um, so how he got approached is, I think he tried to sue the company for money that they owed him when he left.
I think that's how it started. He ended up with a grudge against this company.
And someone obviously caught wind of it and introduced him to where I was working, let's say this is before I came along.
And was like, look,
you didn't get, you didn't win the lawsuit. You know, if you know of anything that they've done wrong,
because I think he mentioned some of it in a lawsuit, and we always kind of took it, because
he lost the lawsuit, no one took any of it seriously. Um, he then got introduced to, you know,
this intelligence firm and they were like, okay, you know, this, OK, if you can prove this, this and this,
that's a whistleblower case. And that's kind of how it all kind of started.
This guy wasn't interested in being a whistleblower at first. But this UK intelligence firm convinced
him that being a whistleblower was the right thing to do and to come forward with this evidence to
the DOJ. He agreed to provide them with testimony and the necessary information for the case.
But then, things got
a little crazy.
So, Paint Parrot gets brought into this
UK intelligence firm to take a look at this
case. So they have this guy with
enough evidence to slap a huge fine
on this company. They just need him to come
forward with it. But this guy
was a bit of a loose cannon.
Let's just say the situation was complicated and the witness was at risk.
Predominantly at risk of themselves, but they were making threats towards their own family
and kids and things like this.
Their star witness had freaked out.
He disappeared from his home in Africa, threatened to kill his wife and family, and cut off all
contact with this intelligence company that Paint Parrot was working for. It looked like he had gone to the UK, where
Paint Parrot was. Oh, and I actually took a look at this guy's Facebook page. He is very strange.
He calls himself the Old God and goes around blessing people he thinks are merciful. His
pictures he posts are pretty odd too, like some are straight up amateur porn, some with
his face painted in a very crude way, and he posts a lot of weird conspiracy theory stuff. So this is
what Paint Parrot walked into as being the new guy at work. This was his first assignment.
You know, it's just kind of, can you secure the family, make sure the house is secured, and then can you try and track down and find our whistleblower?
I appreciate this doesn't paint this world in a great light
because I'm kind of being brought in on what's essentially a fuck-up.
But of course, it sounded interesting.
I get told that the FBI are involved and all this kind of thing.
So yeah, I'm like, okay, let's do this.
So he begins his search by getting to know the guy's family.
He asks them about the target's typical schedule and any favorite places that he tends to go.
And they had to do this safely
without bringing any harm to him or the guy's family,
which means a lot of his intel that he gathered
had to be secret.
So he begins scouring the internet to try to find information about this guy.
Yeah, we're humans, we're all creatures of habit.
You know, let's find out the restaurants he likes to go to,
places he kind of normally in his daily routine can't do without.
You know, if he always buys a bagel from this one food shop,
okay, well, let's check that out at the sort of time of day that he would go there.
So he's initially just sort of gathering lists and information out of his family
and sort of other friends and contacts that we kind of got in touch with
to try and track him down.
And then it was, like I say, site posting a lot of stuff on social media.
He was putting pictures on Facebook almost daily.
And I'm trying to sort of figure out what's in the background
to try and pin down whereabouts he is in London.
When you take a photo with a digital camera, a bunch of data like the date and time and even GPS location are stored as metadata inside the picture.
It used to be that when you uploaded a photo to Facebook, all of that metadata could be downloaded and viewed.
Obviously, this raised a lot of privacy concerns.
So Facebook and other social media platforms began automatically deleting metadata from uploaded photos. So Paint Parrot couldn't just download the photo and look at the metadata and see where it was taken. He had to actually identify things in the background of the photos to try to figure out where these photos were taken and where his target was. So instead of actually having to identify what was in the background of the photos,
you know, looking at the time he'd uploaded it
and looking at the frequency of when he was uploading pictures,
he was like, right, okay, that was taken this morning.
He uploaded it at that time.
A couple of hours later, okay, this picture's a couple of miles away.
So kind of build an idea of what area he's in
and then kind of just try and narrow it down and sort of close the net, so to speak.
So he figured out from the photos this guy was staying in a hotel. And looking at the background
landmarks and stuff in the photos, he narrowed his location down to a general part of town that
has a few well-known hotels. So now he has to figure out what hotel this guy's staying in.
Maybe to you and I, that's a little hard,
but to Paint Parrot,
that's nothing a little social engineering can't figure out.
So, you know, the first thing then is let's start calling these hotels,
you know, let's pretend, you know, I'm calling them saying
I've got the guy's laundry, you know, calling,
oh, you know, I work for so-and-so laundry,
we just quickly Googled a dry cleaning company that's, you know,
down the road kind of thing.
You know, it's like, oh, I work for so-and-so.
We've got clothes here.
He said he was staying with you guys, but we haven't got, you know,
we haven't got the room number.
I know he's expecting it today.
Is there any chance you can give us a room number?
We can make sure, you know, we can bring his right clean up to him this afternoon.
Yeah, obviously most of them
were like, no, we haven't got a guest by that name,
blah blah blah. When we eventually found the right
one after about the 4th or 5th attempt,
someone on the reception let it slip,
gave us the room number and everything. So we were like, right, cool,
I know he's staying here, I know he's in that room
number.
Excellent. Success. The call worked
and he had the information he needed. So now he's
going to go find the target. Once I had the room number, you know, I just walked straight past
reception, walked straight upstairs, found the room, you know, and just kind of where it was
corridor wise. And, you know, just lingered around, I guess, in the right sort of way that,
you know, sitting on the, I think it was like a sofa at the end of something, you know, just one of those random bits of hotel furniture
and just kind of hung around there playing on my phone until, you know, confirmed that he was
actually staying in that room. So he waited nonchalantly outside the guy's hotel room to
make sure it was his room. Yeah, it's not quite a classic spy with the whole eye holes cut out
in a newspaper, you know.
Suddenly, the guy comes out of his room and starts walking to the lobby.
Paint Parrot sees him, but he didn't want to confront the whistleblower immediately.
Remember, they need this guy on their side if they want to use him against this company.
Initially, to try and talk to him and try and bring him back on board.
So we know he's there, you know, seeing he's got his phone on him.
We've got eyes on him when he's walked out.
And I've got like one of the bosses at the company to give him a call and try and talk him around.
You can see his phone rings, takes the phone out of his pocket
and see he's ignoring it.
You know, it's like, okay, so kind of know we're starting to get like a losing,
losing the sort of control.
So what's your pulse rate in these situations?
Like, are you cool and calm or nervous and sweaty?
The amount of times I follow someone or be looking at someone for a camera, you know, and you're like, you think, shit, they've seen me.
They're looking right at me.
And you look at the photos, it looks like they're looking right at you. And you follow someone for ages. And because they
just casually look over their shoulder at some point, even though you're across the
street and a good sort of 30 meters back or something, because they've looked over, you
get that paranoia of instantly thinking they've spotted me, you know, but the more and more I've done it,
once you kind of realize that everyone else around you is nowhere near as aware as you are because you're in this heightened state,
it almost gives this feeling of you can go anywhere, you can walk anywhere.
And as long as you're confident enough, people are easy.
If you look like you belong somewhere, people won't question you.
It's generally that simple.
So Paint Parrot continued to track and follow this guy for a while.
This went on for like a couple of days, trying to make sort of a soft approach
and just try and bring him back in.
Once it was quite obviously established that's not what he wanted to do
and he started posting more and more stuff on social media now
in relation to this case.
And he actually posted a list of email addresses and names of people at the DOJ in the US.
Huh? That's really odd. He's trying to dox the Department of Justice?
That makes no sense because that's not the target organization you want his help on.
No. As I said, this guy
completely lost the plot. He, I don't know whether as a mental breakdown or, or what, um, or whether
he's just crazy, but yeah, he kind of, he done the same for the company that he was blowing a whistle
on as well. So he kind of put his hands up and said, you know, I'm a whistleblower. And he listed the names of DOJ names and emails,
FBI names and emails, and names and emails of the top people at the company that he was blowing the
whistle on. At this point, the team decides this guy is no longer worth the risk. So Paint Parrot
takes all the information he has, the guy's location, texts, audio recordings of him making
threats against his wife and family, and prepares a nice little file to pass along to London law enforcement so they can arrest him.
Yeah, we kind of packaged it all in a nice way to sort of present and kind of resolve the situation.
They're like, oh my God, yeah, we've never had anyone do this before. It's absolutely brilliant.
The police had enough evidence to bring that guy in and question him.
So this means they lost their whistleblower.
What do you do with this case now?
After the break, we'll find out. Stay with us.
Support for this show comes from Black Hills Information Security.
This is a company that does penetration testing,
incident response, and active monitoring to help keep businesses secure.
I know a few people
who work over there, and I can vouch they do very good work. If you want to improve the security of
your organization, give them a call. I'm sure they can help. But the founder of the company,
John Strand, is a teacher, and he's made it a mission to make Black Hills Information Security
world-class in security training. You can learn things like penetration testing, securing the
cloud, breaching the cloud, digital forensics, and so much more. But get this, the whole thing is pay
what you can. Black Hills believes that great intro security classes do not need to be expensive,
and they are trying to break down barriers to get more people into the security field.
And if you decide to pay over $195, you get six months access to the MetaCTF Cyber Range,
which is great for practicing your skills and showing them off to potential employers.
Head on over to BlackHillsInfosec.com to learn more about what services they offer and find
links to their webcasts to get some world-class training. That's BlackHillsInfosec.com.
BlackHillsInfosec.com
The conversation shifted over the course of a few days to,
well, now we don't have a witness and we still want this case.
And it was like, you managed to find him and track him down.
How would you feel about, let's try and find a new witness or two, you know, for this investigation?
Now, you might be wondering, why does this UK intelligence firm that Paint Parrot works for even care about finding a whistleblower and bring this case to justice?
Well, it's simple. Money. Check this out. When a whistleblower reports a crime to the SEC,
and the SEC issues fines for that company,
the whistleblower will get a cut of the fines collected.
In fact, the SEC can reward up to 30% of the fines collected
back to whoever brought them the evidence that a crime was committed.
But that's not always just the whistleblower who brings it forward.
A company like the one Paint Parrot works for
would outline all the laws broken, compile all the evidence neatly, and handle the
whistleblower. Then Paint Parrot's company would deliver it to the DOJ contractor who's based in
Washington, D.C., and that company has an in with the DOJ and the SEC to get the attention of the
right people to get this moving quickly. So that 30% might be split three ways
between the whistleblower, the company Paint Parrot works for,
and the DOJ contractor.
So that means if a company is fined $500 million,
30% of that is $150 million.
So $150 million split three ways.
This is why the Intel firm that Paint Parrot worked for
wanted this case. This was a huge
company committing massive crimes that could result in billions of dollars in fines. And that's just a
fascinating business model that this Intel firm was doing. To go seek dirt on a company and then
find a whistleblower in that company who can testify that crimes were committed, all so this
company can get the reward in the end. At this point, they knew what crimes were committed by this company, and now they just
needed to find a person on the inside of the company to come forward with the evidence.
This group wanted Paint Parrot to approach somebody who was part of the company and convince
them to turn into a whistleblower. But they needed to find the right person, someone who's willing to do it,
and would have access to the right evidence.
While Paint Parrot had done some social engineering
and intel gathering in the past,
this was totally new territory for him,
definitely in the moral gray area.
Because the new goal is now to create a whistleblower,
to find someone who didn't necessarily think to become a whistleblower,
and then convince them to detonate a bombshell allegation against the very company they work for.
But Paint Parrot was up for this challenge. He knew they would have to be really smart about
the approach if they were going to do this. You know, it's not like you can just knock on the
door of a company and, you know, follow someone out and tap them on the shoulder in the street
and go, hey, do you want to come forward and be a whistleblower? That kind of doesn't work.
You have to
cultivate them. So this is what we call
human intelligence, but it's basically
social engineering.
You've got to build a
story that
puts you on a like-for-like with the
individual you want to target.
You've got to very, very quickly
be memorable to them and be
their best friend before you even approach the subject of whistleblowing. You've got to have
enough things in common and, you know, like stupid shit, I like the same movies, the same TV shows, go
on vacation to the same places, to the point where,
you know, they're like, oh my God, you know, I found someone that's into the same stuff as me. Do you want to grab a beer later? You know, and you can then start building
on a relationship.
And how, how, how much experience have you had with something like
that before this to get close to a source like that without them knowing who you are?
So I've had like a minimal exposure to it, but never done more of a long game like this.
What I'd done before was a couple of days,
you know, just trying to,
maybe just trying to bump into someone
and get some information out of them in a bar
or, you know, knocking on a door,
pretending to be someone else
or getting a job at a warehouse
to try and find someone that's stealing stock.
You know, so never playing the game
or playing a role to this sort of level.
You know, never tried it at this point, but I was like,
hey, you know, I've done it for smaller stuff. So surely it's just do the same thing, but longer,
right?
Paint Parrot and his team began looking for employees of this company to try to find someone who could be a whistleblower.
Now, if you don't know, you can go on LinkedIn, search for a company, and see thousands of
employees that work for that company. And from there, you can try to find people who would be
in the position to know what dirt this company has. Because after all, a whistleblower has to
testify in court to say that they saw this company commit crimes. So it can't just be anyone who works there.
So they slowly start going through individuals of this company, narrowing it down.
Then, when they find people who would be in the know, they start scouring their social media profiles,
trying to figure out if this person could be persuaded to be a whistleblower.
Because you sort of need to find someone with strong morals and ethics who's willing to do the right thing.
And is willing to work with the SEC.
Because at the end of the day, a whistleblower has to decide.
What do they care about more?
This company they work for?
Or justice for the crimes that were committed?
Eventually, Paint Parrot and his team zeroed in on a person.
This guy ticked all the boxes of someone who would know enough to testify,
has the morals and ethics to want to do the right thing,
was American, so he could be patriotic,
and as a bonus, the target was living in the UK, right where Paint Parrot was.
This was now their target,
and their mission is to convince this guy to blow the whistle on the company he worked for.
Now that they've identified their target,
Paint Parrot got to work learning as much
about this guy's life as possible.
First of all, it's like, you know,
let's run his, his usually standard
sort of open source intelligence type techniques.
Let's try and get as much information as we can.
And let's look at his, you know,
try and build up who and where his family are. Use Facebook so we can get pictures of his family, first and last names, you know, locations.
You know, found out he's from a certain state. Okay, so now we're just looking at people who match them
names in that state, and eventually you start whistling down the list to the point where I had
his mom's, um, landline and mobile number, all just through open source intelligence.
You know, we're looking at Facebook, Instagram, and he's still got an old MySpace.
You know, all this kind of stuff.
I kind of build up a picture of this guy's life.
Where does he go?
When does he go on holiday?
When does he travel back to the States?
Where does he go on holiday?
Is there anywhere he goes regularly?
This is all pretty basic research.
Most of the information they're getting is just from public social media profiles.
But he was also looking up things like voter registration databases,
real estate listings, and other online resources to fill out their picture.
But most of what they're getting is just stuff that's publicly out there already for anyone to find.
So here we've managed to get his mobile phone number by this point.
We've got a wealth of information about his daily life from various social media and his wife's social media and stuff like that.
Oh, yeah, that's a good tip.
If the target is not showing much on social media, find their spouse.
Because their spouse might be posting all the info, like where they're traveling,
what food they're eating, pictures of themselves. It sometimes can be a much better source of information than the target themselves.
We've got historical data of his family and where they
currently are living and his relations and how often he generally travels back to the States.
Because we kind of almost build out what we call a pattern of life on the person.
And we use that to then start trying to decide how we're going to fit ourselves,
like basically how I'm going to slot into this guy's life.
And that's the question, right?
With all this information, how do you approach the person to convince them to be a whistleblower?
If you just phone them up and say, hey, do you want to be a whistleblower?
That seems odd and you might instantly lose them. If you want to persuade someone,
the best way to do it is to get them to believe it's their idea. So that's the plan. Paint Parrot was going to enter this guy's life, become friends with him, and then slowly plant the idea that
whistleblowing is a great idea.
So this means Paint Parrot needs to come up with a pretext,
a backstory as to who he is, and then meet this guy.
Paint Parrot builds an identity online.
He creates a fake LinkedIn profile and business cards
to look like he works at another company with a similar job as the guy he's targeting.
In fact, he purposely made his profile a bit less accomplished than his target
so his target wouldn't feel intimidated.
Paint Parrot begins memorizing his pretext.
We'd get a load of, like in the UK, like pay-as-you-go SIM cards
and just like second-hand phones, stick a pay-as-you-go SIM in it.
You know, never really put any money on it unless we actually had
to make a call from it, but half the time
you just give out that number for people
to call you on it. A lot of these
phones ended up with little
stickers on, so we put them in like a rubber case
or whatever, but when you take the case off
they'd all have a little sticker on with various
sort of like case names
that the code name would attribute to the project
or case on the back of
it. I think at one point I had like six phones, and I had to take the rubber cases off sometimes to
remind myself what phone was for what job and for what, you know, personality I am.
Do you like, uh,
stare in the mirror and call yourself by your fake name and, like, try on different accents and stuff?
No. So generally this kind of thing,
some people might argue this,
but I always use my real first name because there's nothing worse
than when someone shouts your name
and you're not using your real name
and you don't respond to it.
You know, my name's not Dave
and there's no point in me introducing myself
to people as Dave
because, you know,
especially after doing this for a while
and, you know, you are going to have
a few drinks with them at some point,
if you're talking to someone else and your target turns around you and says,
Dave, and you just completely ignore it because it's not your actual name,
it can land you in the shit.
Or somebody coming into the bar and shouting your real name
and then explain yourself.
Exactly.
If you're sitting there and you've told this guy your name is Dave
and someone comes in going, hey, Fred, Fred, you know, Fred,
why are you ignoring me, Fred?
And you're like, fuck off.
You see that sort of stuff in the movies, don't you?
Yeah, it just doesn't work like that.
So at this point, Paint Parrot has spent weeks
learning about every aspect of his target.
He has his own story
cooked up along with fake business cards and a fake social media profile. And now he thinks it's
time to make first contact. Paint Parrot knows this guy's routine is to go to the bar every Friday
night with some co-workers, have a few drinks, and then a few hours later the co-workers leave
and his wife comes and a few friends to have a few more drinks.
So his plan is to somehow make first contact just as his co-workers are leaving and the target's wife is showing up.
Because at that point, the guy would already have a few drinks in him and be comfortable with the territory and wouldn't have any of his work friends around.
Paint Parrot knew this was going to be a long game.
He didn't think he was just going to be able to meet this guy in a pub one night and convince him
to be a whistleblower that same night.
So his plan was just to become
friends with him at first and gain trust.
So Friday night comes.
Paint Parrot and a few of his co-workers
head to the pub where they know this guy
will be.
So, you know, I'm in this bar
initially with a couple of other
colleagues just to kind of
be seen in the bar and
not be that, you know, creepy weirdo that's on his own, because that also doesn't work. And, um, once I
feel like he's, you know, he's drunk enough and you get to a point where the bar's busy, that you've
actually got a queue to get served, you know, I kind of slip myself in front of him at the queue, and, you know, I'm just on a fake phone
call to whoever, you know, and I'm, I'm talking about trying to get this place booked, so that's up and
coming ski trip. Um, you know, I'm right in front of the guy, sort of, he's literally on the left
shoulder kind of thing. I'm talking about loud enough that he can hear, because obviously it's a
bar, and I'm starting to really moan and complain that I can't get this place booked.
You know, I'd heard great reviews about it.
I'd been there another time a year.
I really wanted to do the run-up to Christmas, which was like the dates that he does.
Yeah, I really wanted to do it this year because I've heard it's amazing.
See, Paint Parrot knew so much information about his target.
He knew that this guy booked that exact room just weeks earlier.
So he's being all loud and rude on this phone call
and putting on a show about not being able to get that room.
Yeah, so I'm there obviously making a scene.
For fuck's sake, I'm dying to take you guys there.
I can't get it booked.
I'm sorry I made these promises to you guys.
I'll try and figure it out. It's supposed to be an amazing place. It's beautiful, it's stunning, the
skiing is brilliant, you know, and I'm just saying it's loud enough that the guy can hear, and I'm,
you know, subtly repeating the name of the villa a few times in this, like, fake phone call,
so it kind of re-establishes it, you know, because you might hear it once in passing and he might miss
it.
So are you looking at this guy to see if he's, like, picking up on you, or watching what he's doing?
No. So I can obviously,
I'm aware he's still just behind my left shoulder, and I'm trying to sort of use, like, the drinks and
the mirrors behind the bar and, you know, whatever is there to try and catch a glimpse, just reflect,
reflection here and there, and slowly see, you know, he's starting to twig. So I kind of,
you know,
carry on talking about it.
I can't book it.
You know,
I hang the phone up.
I'm like,
this is fucking bollocks
kind of thing.
And the guy's like,
hey man,
you all right?
I'm like,
no,
no,
man,
this is bullshit.
I've been trying to book this place
and it's already booked out.
I promised my friends I was going to.
I guess I was just too slow
in doing it.
You know,
someone else swooped in
and booked it.
And he kind of said,
oh,
I heard you say, you know,
so-and-so, like, the name of the place.
And I was like, yeah, that's it.
I was like, what, what'd you know?
He's like, oh, I'm the fucking asshole that booked it.
And it's, bang, there we are.
You know, conversation started.
The magic of this is the fact that Paint Parrot
didn't approach the target.
He got the target to break the ice.
You want them to make the first conversation with you.
Because people are inherently suspicious.
If I go up to this person and go, oh, hey, you're so-and-so,
they'll generally get their guard up.
But if they overhear you talking about something in a bar or whatever,
that is so unique and tied into their lives,
they almost feel,
especially after a couple of drinks,
obligated to say,
oh my God, I know that,
or I know where that is.
I go there.
And it's them then starting the conversation,
which instantly makes them feel at ease.
You kind of see what I mean? It's a psychological thing, I guess.
So back at the bar, Paint Parrot got the guy to initiate conversation.
But that's just the first step.
Now he's got to capitalize on this opportunity.
He's got this one shot to cement a friendship with this guy,
or else he might lose months of research and work that he built up for this moment.
Yeah, obviously I'm at the bar.
I get served before him.
There's obviously a queue.
I'm like, look, dude, do you want a drink kind of thing?
And he's like, yeah.
And we kind of talk.
And at that point, one of my colleagues, one of my drinking buddies in the bar,
kind of comes up, taps you on the shoulder and says, don't worry about me.
We've got to go.
I'm like, OK, I guess I'll stay here on my own kind of thing
and just finish this drink.
And I'm talking to this guy, he's obviously like,
don't be stupid, come and sit with us.
That's it now.
I've now sort of put myself into this guy's life.
Paint Parrot got a seat at the table he was in.
And once he sat down, this is where all of that research
on the Target and his wife comes into play.
Paint Parrot already knew their favorite bands and he knew where they like to go on vacation, what they'd like to do.
So he was finding ways to casually bring this up into conversations to make himself look like the perfect friend they never knew existed.
You're just trying to show that you're into the same things as they are.
Everyone wants someone that's into all the same stuff as they are, don't they?
You could go anywhere and do anything with them.
You know you're going to have a great time.
That's how you want them to arrive at that kind of conclusion in their minds.
Stay, chat, laugh, have a few drinks.
You know, all of a sudden we've got so much in common.
And after a few drinks, it's like, look, hey, I really should shoot.
I've got some stuff on my desk that I've got to try and get on top of over the weekend. It sucks to work over
the weekend, you've got to do it, kind of thing. And you kind of hope that they come up with, let's
grab a drink again sometime, or whatever. If it feels like they're not going to do it, you know,
I just went with the, look, there's my card, give us coffee, fancy catching up, or something
like that. And I think within about 10 minutes of leaving, he'd drop me a, you know, he dropped me a
text and says, hey man, it's good to meet you, kind of thing, blah, blah, blah. Yeah, definitely, let's, let's
grab a drink. We're doing some things or something, like, later on that, that week. He's like, you should
totally come. Boom.
Wow, I can't tell if I'm more impressed or terrified by this whole thing.
To think that a stranger you meet in a public space might actually be part of a team of people who have spent months researching every part of your life with the specific goal of manipulating you and influencing you to do something, to make a major life decision.
This is pretty crazy. Stay with us because after the break, we'll hear how he plays the long game.
Paint Parrot has completed step one of his mission. He has successfully initiated contact
and made a connection with the target. Now he needs to slowly build up a sense of trust before he can say anything about whistleblowing.
You've got to really get that trust with them before you can move on to the next step.
So yeah, the next few weeks, I am the person he met in that bar for all intents and purposes
and going for drinks.
And slowly you start building up more stuff about work. And fortunately, this company had made the press.
Because the case had already started,
there was a subpoena issued.
So they were aware of it in their office and things like that.
So you can slowly start building up about,
oh my God, you work for so-and-so, didn't you?
I forgot.
Aren't they under, like, U.S.
investigation or something at the moment? He kind of builds that into conversation slowly.
I kind of slowly, slowly brought it up, and I think, was it a barbecue or something on a Sunday,
and I sort of mentioned it quietly to one side to him.
I have to laugh at this point, because it's
only been a couple weeks and Paint Parrot is
at his target's friend's house, hanging out with the gang at a Sunday barbecue. I just imagine him
wearing like a floral shirt and sunglasses, music playing, holding a beer and a hot dog.
And that's him on the job on a Sunday afternoon. This is his career now.
Because he wasn't at this barbecue just for fun.
This was a moment for him to start closing in on his final goal.
So we're there having this barbecue,
and I kind of collar him and his wife to one side.
I'm like, look, you know, this investigation,
it's a U.S. investigation.
Is that going to affect you guys?
Could you end up being arrested
and sent back to the States?
Because that would kind of suck,
kind of thing.
Kind of just plant the seed
and a little bit of fear on it.
Just left it with him to simmer.
And the key thing is like
mentioning it in front of his wife.
If you can get the wife to worry,
then he's going to worry more.
He's not just going to worry at work,
he's going to worry at home.
And that's kind of what you want. And once you start again worried, yeah, we met up, I think it
was like the next time we met up, it's just having drinks, the three of us, and I kind of said, look, I
know, like, a lawyer who deals with all this kind of stuff, and he deals with a lot, like, American
cases and things like that. Yeah, do you want me to have a, have a chat with him and see if I can
find out if there's any way he can kind of help you out?
And he's obviously like, yeah, yeah, please, if you could, if you can help us, that'd be amazing.
So Paint Parrot has engineered this whole situation so that it looks like he's just helping out a friend in need.
He hasn't said anything about whistleblowing.
He's set it up so his target feels like he might be in trouble.
And fortunately, his new friend Paint Parrot might be able to save him.
At this point, it's time for Paint Parrot to make his final move.
So obviously I go away. Yeah, I know exactly
what we're going to do, because it's all our plan at the end of the day. So I leave it like a few
days, a week, and I sort of get in touch from, like, hey, you know that thing we spoke about?
I was like, I can introduce you to someone that can kind of help you out. And he's like, oh my God, brilliant.
So we arranged a meeting at like a conference center,
a set of nice apartments in London.
And I basically walk him up and introduce him to the lawyer
that deals directly with the, he's a British lawyer,
but deals directly with the DOJ on these cases.
And I basically, like, make an introduction and sit there for about five minutes
before just kind of leaving a room and leaving him to it.
So as we know, that lawyer was there to help him blow the whistle on the company he worked for.
And it must have been a bit of a shock for this guy to realize this wasn't just some friendly lawyer,
but a person who knows this case inside and out.
In that room, the lawyer explains to the target
that the DOJ is looking for a whistleblower
and promises that he will be granted full immunity
from any of the company's wrongdoings
if he works with them.
The whistleblower agreed to cooperate.
And just like that, months of research,
planning, chasing, and deception was over.
I think the next thing I noticed,
I met up with him after that
to give him a burner phone and a few
other bits of equipment.
And obviously the whole dynamics changed.
He's kind of weirded out.
Do you ever tell this guy, like, look,
I just did this because it was my job?
No, I have no contact
with him after. Once he kind of gets
handed off and... Well, have you ghosted him?
Did he text you, like, bro, aren't we
hanging out this weekend? You kind of,
they get told, it all gets
explained to him, you know, and he gets told,
you know, not the ins and outs of my
role, but, you know, but you won't have any more contact with this
guy. Yeah, you knew him as whatever.
Yeah, if you are to, like,
bump into him in the street sometime
or anything like that, just, you know, you never met him.
You know, and it's kind of, that's that,
you know, the phone number that was being used,
that SIM card gets pulled out, snapped, and that's it.
I wonder if he felt used at that point or what.
Probably, but I mean, you know, at this point he's been,
you know, he's doing a patriotic thing,
you know, helping a US investigation.
He's, you know, he's obviously had the carrot of the huge financial reward
dangled in front of him. So I think that's probably enough to calm most people's doubts about it.
You might be wondering where all these laws come from. In 2010, the United States passed the Dodd-Frank
Wall Street Reform and Consumer Protection Act.
This was just a little over a year after the 2008 financial crisis,
when Wall Street executives and shady mortgage companies tanked the world economy.
And so the Dodd-Frank Act was designed to stop something like that from ever happening again.
And one part of that bill had to deal with corporate whistleblowers, the people who come forward when they see their organization are doing something wrong or illegal, and tell the government. Whistleblowers had already
received protection from the feds when they came forward, but this bill did something new.
To encourage more people to flip on their companies and report wrongdoings, this new law said,
whenever a whistleblower comes forward to provide good information in a case that results in a fine of over a million dollars, the whistleblower is awarded a bounty of anywhere
from 10 to 30 percent of that fine. Which, if you do the math, a 10 percent bounty on a million
dollar fine is a hundred thousand dollars. But these fines are often way up in the tens of
millions of dollars, meaning that whistleblowers could be in a position to
make a lot of cash by telling on their companies. In this case, Paint Parrot said the DOJ was
estimating the fine could be in the billions of dollars because of how much corruption this
company was accused of. And 10% of one billion dollars is a hundred million dollars. Paint
Parrot said that in situations like this, the reward would actually get split three ways.
Between his British intelligence company he worked for, the American company that partnered with the DOJ, and the whistleblower himself.
Even if this was split three ways, that's still life-changing money for everyone.
Looking at the SEC's website, in October 2020, the SEC paid out the highest reward
ever to a whistleblower, $114 million. And to date, they've paid out over $700 million to
different whistleblowers. And that's why this company Paint Parrot worked for was in the
business of bringing whistleblowers forward, because they wanted a chunk of this change.
And that's one of the weirdest business models I've ever heard of.
A company in the business of making whistleblowers?
Yeah, and let's back up for a second.
So this is the whole impetus of why your company, your agency,
wanted to do this is because they wanted to get cash in on this sort of bounty.
And that's why they're like, let's make the whistleblowers,
let's find the whistleblowers before they're even ready to whistleblow so that we can cash in on this bounty,
because that would be a lot for that company.
Exactly.
You know, that's retirement money for the guys that own the business.
These things take years and years and years to pay out.
You know, it's not a quick, it's not a quick sort of get-rich-quick
scheme for them.
I think only like 20% of them or something like that ever pay out.
So it kind of becomes a game of volume as well. The more whistleblowers or more cases they can find, the more chance they have of
one of them paying out. Obviously that's not something we say to the whistleblowers, that
there's only a percentage chance that it's actually going to pay out. That's because then you lose that whole financial incentive for them.
Yeah, these groups don't even know if the SEC will for sure pay out a bounty or not.
So on one hand, more whistleblowers might come forward to protect from sketchy business practices,
which is obviously good.
But you've also got this weird secretive industry now of professional whistleblower
chasers and groomers who are gathering information on people and convincing them to upend their lives,
knowing there's a chance they won't receive anything from it. As for the specific whistleblower
in this case, Paint Parrot says the SEC is still investigating this, so we don't know if he'll get his payout or not.
So let's zoom out a little bit. So after this, you know, this seemed to be,
like you said, still ongoing. So these things take a long time, but it seemed to be a successful
mission for this agency that you're working for, right? Let's go find a whistle. Let's go make a
whistleblower. You found, made one. And did they say, okay, let's do it again?
Yeah, so basically right after finishing that,
destroyed that SIM card for that burner phone,
and I probably took a weekend off, and before I knew it,
it was like, ah, I actually did that one so well.
It's starting to look at this company.
And kind of the same process starts all over again.
Wow.
Paint Parrot kept on doing this sort of whistleblower cultivation
with that company for a few more years
until he decided to go his own way and start his own company,
which does surveillance work.
He says he's mainly given up on the corporate intelligence beat
and instead he mostly focuses on penetration
testing, social engineering, and red teaming. A big thank you to Paint Parrot for sharing his
story with us. This one was wild, wasn't it? If you like this show, if it brings value to you,
consider donating to it through Patreon. By directly supporting the show, it helps keep ads at a minimum. It helps get people to make
the show and it tells me you want more of it. So please visit patreon.com slash darknetdiaries
and consider supporting the show. Thank you. The show is made by me, the public eye,
Jack Rhysider. This episode was produced by the not-so-green Christian Green.
Sound design and original music was created by the mesmerizing Andrew Merriweather.
Editing help this episode by the slow dancer, Damien.
And our theme music is by the bouncy Breakmaster Cylinder.
And even though I would sometimes get in trouble for reserving a conference room all day
because I thought my cubicle was just too small,
this is Darknet Diaries.