Darknet Diaries - 97: The Pizza Problem
Episode Date: July 20, 2021What if someone wanted to own your Instagram account? Not just control it, but make it totally theirs. This episode tells the story of how someone tried to steal an Instagram account from som...eone.SponsorsSupport for this show comes from Linode. Linode supplies you with virtual servers. Visit linode.com/darknet and get a special offer.Support for this show comes from Blinkist. They offer thousands of condensed non-fiction books, so you can get through books in about 15 minutes. Check out Blinkist.com/DARKNET to start your 7 day free trial and get 25% off when you sign up.View all active sponsors.SourcesVid: The $5 Million Phone Hack 📱True Life Crime
Transcript
Discussion (0)
Whenever I join a social media site or start an online video game, it always goes like this.
I load up the webpage, click sign up, and then it asks me the question.
What username do you want to be known as?
And it never goes as planned.
Maybe my first choice is Batman.
So I try to make that my username.
But the site says that username already exists.
How about Batman1989?
No, definitely not Batman1989.
So I might try admin.
Nope, that's not available either.
And then I might try Jack.
Nope.
Papa Shell.
Nope.
C3P owned.
Nope.
Karate Skid.
Nope.
And before I know it, I'm left with some goofy name like Pumpkin Spice Snorter.
Because it feels like that's all that's left.
It's really hard to find a good username that's not already taken, especially on places like Twitter and Instagram, where there are hundreds of millions of people already registered there that have good names already.
But what if there was a way to just steal an account name that you really wanted?
Surely that would make it a lot easier, right?
These are true stories from the dark side of the internet.
I'm Jack Recider. This is Darknet Diaries.
This episode is sponsored by Delete.me.
I know a bit too much about how scam callers work.
They'll use anything they can find about you online to try to get at your money.
And our personal information is all over the place online.
Phone numbers, addresses, family members, where you work, what kind of car you drive.
It's endless.
And it's not a fair fight.
But I realize I don't need to be fighting this alone anymore.
Now I use the help of Delete Me. Delete Me is a subscription service that finds and removes personal information from
hundreds of data brokers' websites and continuously works to keep it off. Data brokers hate them
because Delete Me makes sure your personal profile is no longer theirs to sell. I tried it and they
immediately got busy scouring the internet for my name and gave me reports on what they found.
And then they got busy deleting things. It was great to have someone on my team when it comes to my privacy.
Take control of your data and keep your private life private by signing up for Delete Me. Now at
a special discount for Darknet Diaries listeners. Today, get 20% off your Delete Me plan when you
go to joindeleteme.com slash darknetdiaries and use promo code Darknet at checkout. The only way to get 20% off is to go to
joindeleteme.com slash Darknet Diaries and enter code Darknet at checkout.
That's joindeleteme.com slash Darknet Diaries. Use code Darknet.
Support for this show comes from Black Hills Information Security. This is a company that Thank you. I'm sure they can help. But the founder of the company, John Strand, is a teacher. And he's made it a mission to make Black Hills Information Security world-class in security training.
You can learn things like penetration testing, securing the cloud, breaching the cloud, digital forensics, and so much more.
But get this, the whole thing is pay what you can.
Black Hills believes that great intro security classes do not need to be expensive.
And they are trying to break down barriers to get more people into the security field.
And if you decide to pay over $195, you get six months access to the MetaCTF Cyber Range, which is great for practicing your skills and showing them off to potential employers.
Head on over to BlackHillsInfosec.com to learn more about what services they offer and find links to their webcasts to
get some world-class training. That's blackhillsinfosec.com. Blackhillsinfosec.com.
This episode is a story about the dark stuff that happened to Miles. We've changed his name
because he wants to be anonymous about this.
I've been around for a while. I've been designing sites and products on the internet for about the
last 16 years. Back in 2005, Miles was fascinated with technology and the web and naturally was an
early adopter to new sites like Twitter. You know, as a part of that scene, you hear about things like,
what is this Twitter thing and why does this product look so horrible?
He joined Twitter in 2008, and yeah, it was pretty different then.
Same idea, just more clunky at how it looked and was used.
But the thing is, Twitter only came out in 2007.
So in 2008, there weren't a crazy amount of users there yet, which meant Miles
could pick a really simple username if he wanted. So like when I joined Twitter, I first tried to
register as Jack, because that's my name. But Jack was already taken by the founder of Twitter,
Jack Dorsey. Miles considered his first name as his username, but that was taken. So he tried to
think of another username to pick.
At the time, he was doing some web design and had a certain animal in a lot of his designs.
I don't want to say what animal, but you can think like turtle or shark or owl or elephant,
something like that. Miles was able to register for an account that had a simple animal name like that. So I was able to get a pretty cool handle and got known for that on Twitter.
It is cool having a short and sweet name for your Twitter account, a common single word,
an animal that he really liked. Then a couple of years later, when Instagram came out,
Miles was again an early adopter, getting on there before it became popular. And again,
he was able to register the same simple animal name
on Instagram. Before you knew it, I had this name on Twitter and Instagram, and then I had it on
Dribbble and LinkedIn and Facebook. At this point, he fully integrated this animal into his personal
brand. He wasn't any kind of celebrity or influencer with millions of followers, but he did get over 10,000 followers on Twitter and 9,000 followers on Instagram.
So he was invested in the handle and keeping it tied to his online identity.
And since it was short and sweet, other people thought it was cool too. Some even wanted to buy
it. I've been asked probably 150 times, maybe more, through DMs, can I buy your handle? And that's
just it. As more and more people join Twitter and Instagram, it becomes increasingly harder to find
a cool handle to register. So when animal as the handle was becoming more valuable over time,
these people might have wanted it for their own brand or business.
Or maybe they just thought it was cool and wanted to have it.
It's a property like a domain or anything else.
And so people are going to have all kinds of reasons.
But Miles suspects a lot of these requests weren't legitimate
and that people were trying to scam him out of his account,
act like buyers, but then just take it and not give him
any money. I suspect, you know, looking back that a lot of these conversations were for people who
were fishing for information. Mostly, he told people, no, he wasn't interested in selling his
account. But this one time in 2016, someone sent him a private message through Instagram, offering to buy his account.
The way the conversation went, it seemed pretty serious.
He was at least interested in talking further.
And so he suggested.
Well, why don't we move this over to text?
And so I gave this person my phone number.
Miles thought this was a good idea, in the moment at least, because it seemed like their interest was legit.
But instead of the deal moving forward over text, something else happened.
Within a matter of a couple of days, suddenly my phone wasn't working.
I had no phone service.
He was driving in his car when he first noticed.
The little icon on his phone that shows the signal strength just said no service.
He couldn't make a call. He couldn't get data over the network.
It was like his phone had been disconnected.
It was really bewildering.
You know, at first, I'm not thinking I've gotten hacked.
I think something's wrong with my phone.
So he drove home to figure out what was going on.
He didn't have a landline anymore,
so he just connected his phone to Wi-Fi and was able to message a friend. I generally think it's
weird that we call these devices our phones because it's one of the least used apps on this
device. And yet when it disappears, it was really unsettling to not quite have the flexibility I needed to get a hold of the people
that I needed. So that was interesting. Yeah. Suddenly having a phone that's only able to work
on wifi is weird. You're no longer able to get data or make calls when away from home,
or if there was an emergency when he was out, he wouldn't be able to call for help either.
He needed to get this fixed. So he called up AT&T, his provider at the time. He asked them, why does my phone have no service?
Oh, you called earlier and you changed your SIM information. No, I didn't. You know, and
that was really unnerving. At that moment, he realized someone hacked his phone. But how'd they do it?
Well, inside all phones is a little removable card with circuitry on it. These are called
SIM cards. And this SIM card is what activates your phone on the cellular network. Without it,
your phone won't work. And when you register your phone to a cell provider, you give them
your SIM card information and they'll tie that to your phone number. And when you go to switch
phones, or if you lose your phone,
you've got to tell the cell provider to use this new phone with your phone number.
And so the phone number gets tied to that new SIM card.
Well, as you can see, this can be abused.
Someone who wants your phone number can impersonate you.
They can call your mobile provider and say,
hey, I just got this new phone. Can you switch service to that? And if they're able to trick the mobile provider, they just took over
your phone number. But how bad would it be if someone took your phone number? Well, really bad,
actually. Our phone numbers are often used as a backup recovery method or a way to identify us.
To start, what if you lose the password to your email address?
It's not like they can email you a recovery link or something, since you can't read emails.
So often email providers will store your phone number in case you need to recover the password.
They'll just send you a text to verify your identity,
because the email provider assumes only you will have access to that text.
Well, in this case, someone SIM swapped Miles' phone number over to theirs and proceeded
to do a password recovery on his Gmail account.
They got the text to confirm their identity and reset the password.
And once you're in someone's email account, it's all downhill from there.
You can issue password resets on pretty much any other account they have
since they'll likely send you an email to change the password. They got into Twitter,
they got into Instagram, they got into Gmail. So obviously that's really disconcerting.
Can you imagine how scary and frustrating this must have felt, to lose your phone number, to be locked out of your email, Twitter, and Instagram.
When you don't have any idea what's going on
and you haven't been exposed to this world,
it's really unsettling.
You don't realize how critical your data can be
to your sort of sense of well-being
and how easily you can be manipulated,
you know, when somebody uses it. They tried his bank account too, but couldn't get in,
which I guess is somewhat good news. But actually, this was my first guess on why someone would
SIM swap him to go after his money. Because something I've seen quite commonly is that
criminals will go after people who they know have a lot of Bitcoin.
Because if you can get into someone's Bitcoin account, you can quickly transfer everything out,
and there's no way to undo that.
The honey attracts the bees.
So, like, if someone is tweeting on social media about how many Bitcoin they own or something,
then a social engineer could try to figure out their phone number and email address and stuff like that,
and then do a SIM swap to take control of their phone number and take control of their email
address, and then find out if their cryptocurrency is stored on an exchange, and if so, maybe do a
password recovery to get into the exchange and then empty the whole wallet. But Miles here didn't
have Bitcoin, so that wasn't the motive for whoever hacked into his phone.
But Miles was lucky because he was a web designer and socialized with other people in tech
and had a few friends that worked at Twitter and Instagram.
He reached out and asked if they could help him.
They could see the logs. They could see how this happened.
And so they were able to reverse the direction of what had happened.
Since they knew Miles personally, they were able to turn back the clock on his accounts.
They reset them to the way they were before the hack. That was Instagram and Twitter, though.
Gmail was a little harder. I was able to retrieve that, but it took
a lot of verification work and like two or three days. Okay. Crisis averted. He
was able to get everything back and his phone number, but it did take him a few days to sort
this all out. The big question in there would be like, what in my Gmail, what did they take?
Yeah, that is a major concern. Think of all the stuff
that comes through your email, bank statements, credit reports, receipts for things you've bought
online, your taxes, maybe. The idea got Miles's attention. There probably wasn't anything hyper
private or that I was terrified they were going to have or some business secret or some, you know,
bank details that I can think of.
But the number of times that you just email somebody a password
or something like that thinking, oh, it's behind Google, it's fine,
and that stuff is vulnerable.
Realizing this, Miles did a couple of things to tighten up his security.
He started using a password manager.
He switched cell phone carriers to a new number.
And with this new provider, he added extra security too, because this happens so much
that some mobile providers are now allowing you to make a pin code. This is a number that you
must know in order to change anything on your mobile plan. You know, I'm a designer. I'm
relatively technical. You'd call me internet savvy, but I am not a developer and I'm not well-versed in
cybersecurity. This whole experience has made me more so. He felt more secure with this, but was
realistic at the same time. He knew that social engineering was a thing and that the phone
companies could still be vulnerable to someone trying to trick them. Somebody could convince
somebody or somebody could have somebody on the inside or something like that.
So, you know, there's some trouble there.
Unfortunately for Miles, there was some trouble on the horizon.
It seemed like this was happening because of that simple Instagram and Twitter username that he had.
And someone else wanted that.
Lots of people, actually.
Stay with us, because after the break, there's more trouble
that comes his way. This episode is sponsored by SpyCloud. With major breaches and cyber attacks
making the news daily, taking action on your company's exposure is more important than ever.
I recently visited SpyCloud.com to check my darknet exposure and was surprised by just how Thank you. Darknet Exposure Report at spycloud.com slash darknetdiaries.
The website is spycloud.com slash darknetdiaries.
I think now might be a good time to tell you more about Miles' home life.
He has kids that are kind of older, and he has an ex-wife,
and he's currently living with his girlfriend.
In 2019,
Miles's nightmare happened again. He looked at his phone and saw there was suddenly no service.
The individual attempted a SIM hack and I was able to intercept much more quickly because I
knew what was happening this time. And so I was on the phone with T-Mobile immediately.
He was on this so quick that nobody was able to hack into any of his accounts.
But this time it was different.
This time whoever was trying to take over his phone was persistent
and they started calling Miles over and over but he didn't answer.
So then they started texting him ugly threats.
So they contacted me and began
telling me things like, if you don't release your Instagram handle, then we'll start going
after your son. What does that mean? What does going after my son mean? Whoa, whoa, whoa. Release
your Instagram handle or we'll go after your son?
I guess this makes it clear what the motivation of this person is.
They want his Instagram handle.
That was the main driver behind all this harassment, and this SimSwap at least.
But of course, no way, no way would you or I, and definitely not Miles, we're just not going to give up our Instagram handle because someone's threatening us over texts, right?
But shoot, this person was showing Miles that they know his son's trying not to relate back to them with threats or excitement.
But, you know, they kept pushing and kept telling me that they were going to go after my son and they were going to make it really bad for me.
I consider myself a fairly strong-willed person. But this was terrifying. And as soon as somebody
started, you know, bringing in family and my children, it was just a really terrifying feeling
to have somebody, you know, attacking you in that kind of way. It was a mean, harsh tactic.
But Miles didn't cave to these demands. Of course not. He understands tech and security enough to know how to secure
the phones in his whole family. But I kept pushing back and worked with T-Mobile to lock it down.
Miles was not only able to recover from the SIM swap attempt, but made sure every phone in his
account had a PIN code and no changes to his service could be done without it. I shut that down, locked everything up
and just kind of, you know, try to recover. Although his accounts didn't get compromised
this time, the scary threats drained Miles. He also wondered how did they get to him this time?
Because he switched phone providers and got a new phone number and he didn't give this phone number
out to anyone who was interested in buying this handle.
So this attack just came out of nowhere.
He figured that info like his new phone number was probably out there on the internet.
The hacker just had to spend a little time figuring out what his real name is and then digging this stuff up.
Because keeping your personal information off the internet is really hard. Your stuff is
scattered all over the place. Addresses, employment, history, your family relationships, and phone
numbers. Once you have one piece of information, then you get your second. And as soon as you have
your second, it becomes orders of magnitude easier to continue developing a profile and adding
information. Miles thinks that's what happened to him.
The hackers spent some time putting together a target profile.
Then they were able to launch an informed social engineering attack on him.
They're able to get a hold of T-Mobile and manipulate their way in through either doing
it in person or doing it over the phone and convince somebody to change out the SIM for them.
It seems like this shouldn't be possible,
especially since Miles had all the extra security in his account.
But it still happened.
The hacker might have come up with some crazy story like,
I'm on vacation and lost my phone,
and since I'm away from home, don't have that pin code that I was
supposed to have. And eventually the phone rep just gave in. It was probably being nice, maybe
empathetic and just said okay we'll switch your phone. Because he didn't like getting hacked,
one thing Miles looked into was removing all his personal information off the internet.
What I now know is the amount of work that would be necessary for me to expunge
the internet of my personal details is an enormous chore. And honestly, probably something that a
normal individual like me would have hard time doing. He's a guy who works in tech. He'd have
to lock down his social media accounts, scrub through all the public records and websites, and purge his info from internet archives like the Wayback Machine and
Archive.org. Even though it was a tedious endeavor, he still gave it a try. I had had some help
removing some identifying information from cybersecurity experts, sort of a friend of a
friend, and had done some work there to remove
some of that kind of available information, but it's a drop in the bucket. Still, he felt better
about his security after the second hack. He had extra protections put in place on his phone
account and got some of his info cleaned up from the web, and he was using two-factor authentication
on all his social media accounts. And for a while, all was good and quiet. The security measures that he put in place
were holding. No suspicious activity for a while. But then, in early 2021, something happened that
he didn't prepare for. It happened on a Friday night. My girlfriend and I are sitting on the couch.
It's like 1030 at night, getting close to being ready to head to bed. And we got a knock on the
door and we've got a couple of pizzas showing up. And we didn't order pizza. But the delivery guy is like, is this your name? Yes.
Is this your address? Yes.
Is this your phone number?
Yes, but that's an old phone number that he stopped using after his phone got SIM swapped a few years ago.
Suddenly, this pizza was super creepy.
And I immediately thought, OK, this is a hack.
Like this is this is happening again. Like this is, this is happening again.
And this is some new schema. Miles tells the guy there's been a mix up. You're going to have to
tell your manager, like we didn't order any pizza. And the guy was totally bewildered and went,
went away. And within about 30 minutes, we had another order, different company, same thing.
And within another 30 minutes, by about 1130, we were already asleep in bed.
Same thing.
What the heck is going on here?
Three pizzas in one night that he did not order?
Was this some kind of screw up?
Like was someone accidentally putting his name and address down instead of their own when they were trying to order pizza?
I thought, yeah, maybe that happened.
But then three in a row, like who's going to order three orders of pizza and make the same mistake
over and over? Miles was convinced that this was an attack on him of some kind and was remembering
all these old SIM swaps that had happened in the past. But who was doing it and why?
No one had reached out to him to demand anything.
The last time he had a threat about his Instagram handle
was in 2019, a year and a half earlier.
So the next day, he got in touch with the pizza companies
to try to figure out what happened.
We reached out to the management the next day and, you know, all that they said is that
it was an internet order that was placed using this, you know, phone number and this address
and your name.
Not much to go on there.
It just looked like these orders were coming from miles.
And this chat with the pizza companies didn't help much because more pizzas started showing
up later that
day. We received three or four more orders. Which they just had to turn all those pizza deliveries
away. And you should understand that none of these orders were prepaid. Every one of them was supposed
to be paid when the pizza was delivered to the house. So all these pizza places were really
annoyed as well for making a pizza, driving it out
and then not getting paid for it. And things kept getting worse. My girlfriend started getting
phone calls from pizza companies saying, hey, we have a delivery for your address and it's for
11.45 at night. Are you sure that this is you?
And we're saying, good Lord, no, that's not us.
We're not trying to order pizza at the, you know, nth hour of the night.
Now they had his girlfriend's number and were harassing her?
And still nobody was demanding anything from Miles.
There were no suspicious DMs or texts or emails saying why any of this is happening.
The fact that it was to my girlfriend and not me started really wigging me out.
And this is when I knew my suspicions were confirmed that it was somebody trying to hack
us, but we hadn't had any communication from any hacker at this point.
The pizzas kept coming to his house for two whole days.
You know, my girlfriend's freaking out.
This seems really weird.
What's happening?
And the anxiety is going up.
And then my parents text me and say, hey, son, sorry, we've got bad news.
We just got a pizza delivery for you here at our house in Colorado.
Which his parents aren't even in the same state of where Miles lives.
So did your parents pay for the pizza?
No, no.
They just, they sent the pizza away.
And, you know, frankly, like it was a strange feeling because it's pizza and it's cash on
delivery.
So it's not like somebody's paying for this pizza, right?
Oh, can you do that still?
I didn't know that was possible.
Agreed.
I have no idea how this is a reality.
This is a lot of wasted pizzas at this point.
And I wonder if anyone ever got to eat any of those.
So they all go to bed Saturday night, not sure what's going to happen.
But then, sure enough, the next day.
My girlfriend gets this text from a number
that we don't recognize. And it says, tell your boyfriend to let go of his Instagram handle or
the pizza doesn't stop. Miles's suspicions were confirmed. This was all about his Instagram handle, the one with the animal name.
We were just freaked out.
Why is someone so interested in getting control of an Instagram account with only 9,000 followers?
Well, this brings us to the world of OG accounts.
OG stands for Original Gangster, but it really just means that these account handles are short and sweet.
Like I was saying, his Instagram account was a short animal name like owl, shark, elephant, or turtle,
just a single common word, and Instagram handles like that are in high demand. People will sometimes
pay good money for accounts like that. Imagine a company or influencer with that animal in their
brand. They'd probably be more than happy to have a short and sweet username like that.
Because it adds a little prestige, like, wow, how'd you get that account?
And so, when there's a demand for short usernames like this in the world, there's a marketplace for it.
And one of these marketplaces is called OGUsers.com, and you can go there and see all kinds of accounts for sale with cool names.
But this is not always the cleanest
place. People see how certain accounts go for pretty good money and they try to obtain these
accounts to sell them. I'm looking at the site right now and there's an Instagram account on
there for sale for like a few thousand dollars. So if someone can hack into a phone or an account and take it over, they can flip it on this site for pretty good money.
And so now you see, whoever was harassing him
was probably doing it to make money off his account.
And that's all they cared about.
But this case is strange to me because they weren't trying to hack his account
or take it over in any way because all his security measures held up.
So whoever this was resorted to bullying him and harassing him in hopes that he would give up his account to make the harassment go away.
On the outside, it seems like this is just pizza. What's the big deal?
But when you don't know what this
person can access and there's just nothing I can do. To make things more stressful, Miles had been
researching this kind of harassment on the web. He was getting worried what the harasser might do
next. We had uncovered that this sort of thing can lead to swatting and fire trucking. Which means
the harasser can call the
cops or the fire department to your house. They might say something like, oh, my neighbor's house
is on fire. Please come and help. Or that you're standing in the street waving a gun around
threatening people. Speaking of the police, Miles did file a police report with his local PD. When
he got on the phone with them, he filled them in on everything and told them that in the past,
his phone had been SIM swapped a few times and now they're harassing him to try to get his Instagram account.
But the police just said something like,
And you have this handle and it's worth money?
You know, it was perplexing to them.
Miles didn't think the local PD could do anything to help him.
They just don't have resources to find a mysterious harasser who might be in another country.
But he wanted to get the whole thing noted on the record. So I filed a report. They said there was really nothing that they can do.
They suggested filing a report with the FBI.
So he did that too.
You go through a specific cyber internet crime URL and you fill out a really long form
that I don't think does anything and I doubt
anybody has seen it. All Miles got was an auto reply email. He never heard anything back from
the FBI, which made him feel like he was on his own. The police couldn't do anything and the FBI
probably won't do anything. It wasn't like there were millions of dollars involved or there was
any threat to national security. It was just harassment and bullying by pizza.
I'm sure there are, you know, way bigger fish to fry,
but that's where these particular genre of hackers can fly below the radar.
So what would you do in this situation?
Would you give up your OG Instagram account to make the pizzas stop?
Or would you say, no way, what's mine is mine. Go away. We've called the police and the FBI already.
Miles and his girlfriend thought about this exact problem. They decided not to reply to their
harasser, which they're pretty sure was a guy. And so on Sunday, she didn't write back. And then he says, okay, I guess the pizza
continues. And they weren't joking. So the pizza keeps coming. Car after car kept pulling up to
their house. We put a sign on our door that said, we did not order pizza. Go away, do not deliver. Here's the police case ID that we filed and reference
that if you need to. Some people ignored it and rang anyway. It was a nightmare.
More and more pizzas kept coming and then more people were getting harassed.
It's now also coming to my ex-wife and our kids.
They lived in the same town, but at a different address.
Miles is not sure how this harasser got their information,
but he did not like this.
It's one thing for adults to be involved,
but as soon as my kids are involved,
it just amplifies things massively.
And one of my kids has a disorder
that really amps him up. So his fear factor just went through the roof, and that was
really uncomfortable. So I ask you again, listener, what would you do now? You've called the police,
you've acted like this hasn't bothered you and tried to ignore the harasser.
But now your kids, ex-wife, parents, and girlfriend are being harassed too.
It's been four solid days of pizzas coming to your house.
All because you have an Instagram account that doesn't even have 10,000 followers.
How much more harassment can you take?
And keep in mind, this is the third time someone has targeted
you specifically to get control of your Instagram account. So even if you fight this one off,
there's inevitably going to be another. Your anxiety and anger and stress grows with every
ring of the doorbell. So I just gave up. I was done. I hate this.
This is so sad and depressing that the harasser won this battle.
That this worked. This shouldn't work.
Something should have saved him.
I don't know. Security? Police? Instagram? The phone companies? The pizza places?
I hate that no one was there to help him fight this.
And that he lost.
He lost because the harasser pushed him to his limit and there was no recourse he had.
He got in touch with a friend he had at Facebook and they helped him get in touch with the Instagram team.
And he told the Instagram team everything that happened, the pizza, the threats.
And I told them, I'm done. I don't, like, having a cool Instagram handle is not worth it to me compared to the possibility of this being able to happen again and again
and the unrealistic expectation that I'm going to expunge the internet
of all of my personal details for this to not be able to happen in the future.
He didn't want this person to have his Instagram account.
So he was just going to get Instagram to lock his account permanently so nobody could have it.
But this created a new problem. His harasser saw that his account was locked and that made him mad.
He said, okay, I'm going to take your Twitter handle now too. I can see that you got Instagram involved.
Losing his Instagram account,
that was something Miles had already made up his mind on.
But he really wasn't ready to lose his OG Twitter account too.
So he got back control of his Instagram account
and was preparing to give it to his harasser.
I was exhausted. I was done. to give it to his harasser.
I was exhausted. I was done. I'm ready to trade this in. I'm ready to just walk away.
Miles figured out that if he stopped fighting, give up his account, and got Instagram to back off, the hacker would leave his Twitter account alone. So he worked with Instagram to move his
account to a new handle, not the short and sweet one that he used to have,
some long, ugly one. And that way he could keep all his pictures and followers and DMs and whatever.
But then he would just give a freshly made new account to his harasser. And once he got
everything moved around, he gave the password over to his harasser. He wanted this to be a clean
break and he didn't want to do anything more
to upset his attacker. I mean, I didn't care if the account got banned in a year,
but I didn't want them to ban the account now and then him say, oh, you got Instagram to ban
the account. I guess the pizza continues, or I guess you're going to get swatted.
Or worse, go after his bank account,
steal his money, or wreck his life in some way. I didn't know how capable this individual was.
I just didn't want to push the limit. I just, I wanted it to be done.
So once Miles had the OG account cleared out and a new password, he reached out to the hacker,
and when he messaged the guy,
he had a little request. I just said, listen, I've got this password. I'm ready to give it to you. But do you mind if I dig in here with you a little bit? I want to know why, why did you do this?
What's in it for you? How, how, how did you do it? And he said, yeah, sure. We can go over it right
now. And I said, yeah, this is the third time your community has done this to me, and I'm tired.
He said, I never knew about the first two attempts.
Police didn't give a fuck because it's basically only harassment unless they swat you.
He says, yeah, you're in the magic middle where it's too weird for cops and too small for FBI.
It's a sad reality.
Like, it's fascinating to me. He says it's a sad reality. Like, he knows that this is a problem. It's a loophole.
Man, that is a sad reality. And it confirmed what Miles already suspected. The police couldn't help
and the FBI probably won't help. This kind of harassment flies under the radar.
Miles texted with his bully for like a whole hour and talked about all kinds of stuff,
like that Instagram handles are probably the highest value accounts, followed by TikTok.
And that's why this guy was so interested in Miles' Instagram and not his Twitter.
And there's other ways to harass people, like sending taxis instead of pizzas,
or even prostitutes. And Miles even asked, what's the best TV representation of this kind of hack? And the attacker said, oh, you should watch MTV's True Life crime series. There's an episode called
The $5 Million Hack, and it goes over what SIM swapping is pretty clear. But maybe the most
surprising of all, Miles found that this attacker works in tech.
This guy works for a cybersecurity company, and this is a hobby for him,
which is just completely bizarre.
Yeah, that does seem odd. You'd think someone who worked in cybersecurity might spend their
nights helping people, not exploiting them. Or if they were going to exploit someone,
it should be some evil corporation or something, not the little guy.
Like he's telling me things that, you know, are sort of like what you would tell your friend.
And he became really very buddy-buddy.
Because the tone was getting friendlier, Miles decided to level with the guy.
I said, you realize like this was extremely,
like this was very difficult and I was put in a very difficult, vulnerable position.
And he sort of laughed it off and said, yeah, isn't it funny? Like how anxious people get
as though he wasn't talking to somebody he had just done it to.
As they wrapped up this text thread, Miles, who seems like a nice guy, maybe too nice,
left things on good terms with this person and said,
Okay, well, I'm going to give you this password.
Hey, and if you want to keep in touch, let me know.
Like, I'm always interested in continuing to learn more.
And frankly, I am.
Like, I want to learn.
I want to be, you know, more adept at this and be able to take care of myself and my kids and my family more successfully.
So Miles passed everything over to his harasser.
The guy's plan was to resell it as quickly as possible.
That way, if the count got banned or hijacked again down the line,
it would be someone else's problem at that point.
It's weird to be on this side of it now
and not have as much fear or anxiety about it.
But it's over.
You know, if it started again,
it would be back.
I doubt Miles ever expected to hear from his harasser again,
but then he got sent another text message
with a crazy proposal to you.
He reached out maybe a week later and said,
hey, it's me again.
I know you're probably asleep, but I got a deal for you.
Hope you're doing well though, which is insane.
Basically, I'll sum it up for you when you wake up
and I'll give you your handle back
and I'll take hours of my time to get information
on every possible website I can think of,
like off of the internet for me.
If you can give me an Instagram username that's been inactive for forever
with your connections at Instagram,
it's not something super insane, so I don't think it should be a problem.
It would be a personal account for me, so it wouldn't be sold or anything.
Whoa, this is bizarre.
Something about this banter we had had made him feel like now we're buddies and connected. And
you know, for me, I, I try, I'm trying to sort of, uh, use my brain to empathize with him and
imagine what it's like being in his shoes. And, you know, he seems like maybe he's a younger guy and has a different perspective on all this stuff. But that was bizarre to me. I
couldn't believe that had happened. Because they weren't buddies. This was a conversation between
the attacker and the victim, no matter how friendly the tone was over messaging. And Miles
didn't have another Instagram account to offer in order to
get his account back. Miles occasionally checked up on his old Instagram account for a while. For
a few weeks the account was active and had zero followers then suddenly went off Instagram
entirely. Right now that account just says sorry this page isn't available. So it seems like
Instagram may have detected all this and removed it somehow or banned it.
Which means all this drama for nothing.
Now nobody seems to own this thing.
I texted this harasser myself multiple times for days, but never got anything back from them.
They ignored me altogether.
I think they probably used some service that lets them get a new phone number whenever they want.
And when they were just done with Miles, they deleted their numbers and moved on. What a strange way to bully people online now, right? Completely bizarre. It's, I mean,
you know, if you think about it from a point of view of like a video game and you abstract away the humanity, right?
If you think away the humanity into something like a character
and if you justify that it's only pizza and it's annoying
because you're not able to empathize with somebody that they might think,
well, yeah, it's just pizza now, but what's next? And if you can kind of just sit there in that
space and you think about it as a internet handle, not as somebody's, like I've spent years
cultivating this brand and, you know, is it worth tens of thousands of dollars?
Probably not.
But it's meaningful.
But to him, it was just a game.
It was just a way to extract something that he could probably make a few thousand dollars in Bitcoin and move on to the next handle.
I had a chance to chat with Nicole Beckwith from the last episode about this.
If you're not familiar, Nicole was in IT security and then became a cop and investigated a lot of cybercrime while as a police officer and as a Secret Service task force officer, she
gets frustrated when she hears stories like this.
Your typical officer that goes through the police academy, there is no
course for cybercrime. They don't even explain the basics, which has to change. It's no longer
okay to not be tech savvy as a police officer. They really need to have courses in the police
academy that explain what an IP address is, social media and how you can look at
profiles and, you know, forensics and OSINT investigations on that. And so that was the
course. It was a half day course. I tried to make it several days, but it was shot down
that I put together for, for officers and that I still do to this day. They need to understand
all of this and they don't.
And it's so frustrating for me to hear time and time and case in case again that I filed a police report,
they never followed up with me.
And in fact, there was a local case
where a female was submitted
that she was being stalked and harassed on social media.
And this person was
saying like, I'm coming after you, like I'm going to get you. And it sat on the shelf of the police
department. She was eventually murdered by this person. And if they would have just understood
how to get that information, and it makes me so mad just saying this, but if they would have
understood how to get that information, she would likely still be alive today. And it's unacceptable
in my opinion. And as an officer and as somebody who is in this field, it's no longer an option.
It has to be a baseline for every officer in the United States to understand
you how to get this information and how to work those cases. And, you know, I'm fighting
the system and trying to ensure that that happens. Do you have any recommendations for anyone
listening and in this situation? Yeah, So a couple of things. One,
if you are a police department and you are listening to this, I'm on Twitter at Nicole
Beckwith. I'm on LinkedIn, you know, slash Nicole Beckwith. Find me. I will conduct,
I don't care if it's virtual. I don't care if it's in person, free of charge to your agency training on all of this. I have half-day courses. I have full-day
courses. I have week-long courses. I will offer that free of charge for your entire agency.
Just ask me for it. But then additionally for the victims that are being harassed,
that constantly have to deal with this, Um, you do have recourse and
you can, if you go to your local police department and it sits and nothing is being done,
take it to the next step, file a complaint with the, uh, with IC3, the internet crime
complaints that are the FBI runs. You can also take it to your local FBI. You can take it to
your local Secret Service.
Don't be afraid just because they're a federal agency to call them.
That's what they're there for.
Thanks so much to Miles for sharing your story.
I hope you can keep your Twitter account for a long time.
This never happens to you again.
I'm an independent creator who loves bringing this show to you free of charge every two weeks.
But what really helps me keep on that schedule are my Patreon supporters. These are the people who donate money to the show every month to help keep the Wi-Fi on and the stories flowing. If you
want to show your support for this show, please visit patreon.com slash darknetdiaries and consider
donating. Thank you. The show is made by me, the pumpkin spice snorter, Jack Recider. This episode
was produced by the chair spinning Charles Bolte. Sound design by the colorful Garrett Tiedemann.
Editing help by the gum chewing Damien. And our theme music is by the paper airplane pilot
Breakmaster Cylinder. And even though I have paper hands when it comes to holding cryptocurrency and diamond hands when it comes to holding paper currency, this is Darknet Diaries.