Darknet Diaries - Ep 25: Alberto
Episode Date: November 1, 2018
Alberto Hill was sent to prison for a long time for hacking. For a crime he said he did not commit. Listen to his story and you be the judge on whether he's guilty or not. ...
Transcript
Put on your travel shoes, for this story we're going south of the border.
Actually, much more south than you think.
Go on past Mexico, past Panama, past the equator even.
Keep on going past Brazil, and there you'll find Uruguay.
It's a small country, about the size of the state of Missouri.
In February 2017, one of the top medical providers in the capital city of Montevideo got hacked.
This medical provider has a whole network of clinics and healthcare facilities.
The hacker broke in through the provider's website, accessed the database, and took a ton of patient records. A week later, the hacker sent a ransom email to the medical provider,
showing they had confidential data, and demanded they pay 15 bitcoins. If they didn't get the
bitcoins, they said they would publicly release the patient details of everyone who had HIV and cancer.
The note went on to say the price will go up by 5 bitcoins every day they don't pay.
It's unclear if the medical provider paid the ransom or not.
In some news articles, it said they did pay.
But someone close to this case told me the email didn't even have a bitcoin address in it.
Either way, the patient records never actually got leaked. The medical provider immediately began investigating who this hacker was. They worked with local police to try to
track down who was behind the extortion. After seven months, they got their break. They were
able to track down the IP address of who sent the email to an apartment in Montevideo.
The police raided the apartment and were totally stunned with what they found.
There were tons of electronic devices everywhere.
Laptops, cell phones, hard drives, crypto wallets, and thumb drives.
The police felt like they hit the jackpot and thought this person probably hacked many other places too.
They arrested Alberto Hill, the guy that lived there and the owner of this stuff.
They took him to jail and seized loads of equipment from his home.
Uruguayan police took from Alberto's apartment the following items.
1,400 US dollars, 8,000 euros, 150 Brazilian dollars, and 3,000 Uruguayan pesos.
Six laptop computers, five cell phones, a device used to clone credit cards, and 125 blank
credit cards, and an additional 30 normal credit cards. 13 hard drives, a drive duplicator, a few
routers, a flashlight, a magazine full of CDs, a whole stack of hardware Bitcoin wallets, two fake
toy coins that say Bitcoin on them, 16 USB drives, two printers, a Guy Fawkes anonymous mask, and a
guillotine. And on the laptops, they found hacking tools and programs and viruses.
Uruguayan police presented all this to Alberto,
and he made a verbal confession saying he did, in fact, hack into the medical provider,
and he did send the extortion email.
Alberto went to prison for a long time.
Case closed, right?
End of story?
Hold on, hold on.
My name is Alberto Hill, and I have something to say about this.
Alberto says there's one tiny detail that isn't right about this story.
I tell you, Jack, I did not do it. I didn't do it, and I am innocent.
These are true stories from the dark side of the internet. I'm Jack Rhysider.
This is Darknet Diaries.
Alberto Hill is a 41-year-old Uruguayan.
He was arrested and sentenced to prison for hacking into a medical facility and conducting extortion.
He was actually the first hacker to ever serve prison time in Uruguay.
But he says he didn't do it.
So why did he get arrested?
Yeah, very good question.
Alberto has a lot to say about this story,
and I spent a few weeks with him exchanging dozens of emails
and looking at tons of court documentation, news reports, and articles.
And I even hired a translator to decode some of the stuff.
I talked with Alberto for hours to fully understand his story.
It all started three years ago.
Alberto was working for the Uruguayan government.
I was in charge of security of a company of the government here in Uruguay.
He had been working for the government for four years as a security consultant,
securing systems, investigating malware, conducting security audits. Before that,
Alberto was working with Interpol and doing digital forensics. He has an associate's degree,
an engineering degree, and a master's degree, all related to computers. He's also very knowledgeable
about cryptocurrencies and has written papers on them, even given a few talks.
I was in an OWASP conference. I was talking about security and bitcoins. And then I was
selected to go to Sao Paulo, Brazil for the ICS2 conference. And I was talking about
bitcoins and security also. And he gave a few other talks as well, mostly talking about bitcoins and cryptocurrencies.
Alberto has been studying and working in computer-related jobs for the last 20 years.
And most of that time has been focused on security.
He is a PMP, or Project Management Professional.
And this certification is not easy to get.
And he's even a certified ethical hacker.
Yeah, that's actually a certification, which teaches you all the tools that a hacker uses
to break into places. When you're securing companies, it's good to know exactly what
tools the hackers are using to break into things. So taking the certified ethical hacker exam is
common in the InfoSec community. I'm actually a certified ethical hacker too. And one of the
most valuable assets to have if you're doing security work is to be endlessly
curious. And Alberto is always wondering how secure the websites are that he visits.
It's something that you just can't control. It's stronger than you. I see a system and I just can't
help start looking at the source code. I start modifying things. It's stronger than me. I cannot,
it's like a little.
He'll check if any strange ports are open or glaring security problems.
Alberto has found vulnerabilities in sites and reported them so they can fix it.
It's just something he does sometimes.
On Saturday morning in 2015, he stumbled upon something interesting.
I was in bed with the computer,
and my girlfriend told me that she wanted to access to the medical institute,
and she wanted to see something about her health records.
He was helping her use this medical provider website to check her health information.
While using it, he decided to poke at it a little bit
and check if there were any obvious vulnerabilities. Now, to be honest, I've poked at my medical
provider's website before and I've found vulnerabilities and reported them. So this
isn't that crazy of an idea, but Alberto found a massive vulnerability with this medical provider's
website. Just for fun, he tried to log in as the username admin with the password admin and it worked.
He was logged in as the administrator to the medical facility.
This couldn't be so easy. I mean, admin, admin, and I had access to all the systems that, which not only about medical information, but it was about all the medical information, the medication, the finances of the company.
That was crazy.
I mean, with admin, admin, you could access to all of that.
You could create more users.
You could see the information about every user, not only the medical information, but also personal information.
That was crazy.
Alberto couldn't believe what he was seeing.
I looked this up, and since 1970,
computer companies have been using admin-admin as a default login.
It's over 45 years that we've known not to use this username-password combo,
yet it still exists on systems today.
And Alberto found it on a medical provider's system.
In terms of severity of this vulnerability for the medical provider,
this is a solid 10 out of 10.
Critical. Red alert. Stop everything and fix it immediately.
It's probably the most well-known vulnerability. It's easy to execute.
You can use it to exploit from anywhere in the world and has the capability to do major damage to the company.
In fact, of all vulnerabilities, this one might be the most severe one in existence.
Alberto knew he had to act quickly and do something about this.
So I immediately sent an email to the CERT of Uruguay.
CERT, which stands for Computer Emergency Readiness Team,
is a government-run team that helps protect the government from cyber attacks.
But not also to the government, also to critical systems such as the medical institutions.
Right, the goal of CERT is not just to protect governments, but also to protect the nation from cybersecurity threats. And there
are CERTs run by governments all over the world. So if you find a vulnerability in an important
company, the right course of action is to report it to the CERT, who can then contact that company
and sort it out. So that's just what Alberto did. He sent an email to the Uruguayan CERT,
telling them exactly what vulnerability he found, including his own IP address so they know which connection was his that logged into the system.
In two hours, they replied to me and they said, OK, it is confirmed. The admin-admin problem is right. There is a big problem there.
Alberto felt relieved that the CERT was now working towards contacting the medical provider and resolving the issue. But he had a hunch the site had many more problems.
I noticed that the system was very weak,
and I was sure that it had many other security issues.
I don't know. I knew that it was easy to hack that system,
but I didn't do anything else.
And after that, Alberto forgot about this.
Once he reported it, it was no longer in his hands, and he went on with his life.
Two years pass.
In February 2017, someone hacked into the same medical facility and took the patient records.
It's unclear exactly what vulnerability was used.
A hacker sent an email to the medical provider demanding 15 bitcoins or they would release
the patient data they collected. The medical facility began an investigation. They contacted
the police, who called this case Operation Bitcoins. It took them seven months in order to
do something. And what they did led them to issuing two search warrants to two people.
One was me, one was me at my house, and another was a person I do not know. The police came to his house, knocked on his door, but he wasn't home.
So they left a note saying to come to the police station so they could talk to him. friend and his girlfriend. The Interpol appears. They told me, do you know why you're here? And I
said, no. Alberto's head was racing with what this was all about. Still, he had no idea why the police
wanted to talk to him. And he was thinking maybe it was because of a recent order of some computer
parts that he got directly from China. But then the police asked him if he knows about the medical
provider he reported the issues about two years ago. And I said, oh, okay. And I felt such a relief because I had nothing to hide about that. I was,
I mean, okay, they're going to ask me questions about how I access to that. I mean, I was so
relieved when they told me it was about it. Alberto told them everything about how he was
able to use admin-admin to access the medical provider's website and to see all kinds of
information that he shouldn't be allowed to see.
He told them exactly step by step how he was able to find the vulnerability and got access.
And at one point they showed me a paper with the email asking for the extortion email.
And they asked me, OK, you sent this?
I said, no, I did not.
Well, they asked me several times until they told me,
well, I have here a paper from the internet company
saying that your IP, this email was sent from your IP.
And I said, it's impossible.
I mean, I didn't tell him that you're lying,
but it was not possible. The police just heard Alberto explain how years ago he was able to
hack into the website. So this caused a lot of suspicion. So to be safe, the police held Alberto
in jail that night. His girlfriend came to visit him. She just brought me food to eat and some medication for my asthma because I was frozen.
It was a very bad situation for me, but I was feeling that it was going to be everything clear
and they were going to have the evidence that I didn't do anything.
And the morning after that, my girlfriend took me coffee and something to eat.
And she didn't know anything.
She didn't know anything what was going on.
The police took Alberto out of his cell.
But instead of letting him go, they put him in the back of a police car and took him to his own apartment.
The police put on latex gloves and began going through his things.
And Alberto had a lot of things.
Electronics and computers everywhere.
Here's one of the police officers explaining what they found in this search.
When we started to search in his laboratory,
we found stickers, keychains, and books about Bitcoin.
He told us that he was in Argentina on the 7th of August,
buying and selling Bitcoin,
therefore we were not wrong in what we were doing.
There was also a lot of information about credit cards
and machines that could clone chips and cards.
We found several electronic cards and chip cloners,
which he bought directly from China.
Then he had a lot of hard drives, computers,
four or five monitors,
and surveillance cameras with remote access to them.
This does seem like a lot of equipment for one guy to have in his apartment.
And the police kept finding what looked like hacker paraphernalia
and asked Alberto why he had it.
First they asked why he had so many hard drives.
And he said he had about 50 of them.
And he was buying them broken, dirt cheap from eBay.
And he was doing research to try to see what kind of data
he could scrape off of a broken hard drive.
Alberto was writing a research paper about what data is left on hard drives when you sell them on eBay.
Then there were seven laptops.
Alberto's not a guy who throws out old computers that are no good.
Instead, he keeps them around in case he needs them.
He likes to experiment with different operating systems and applications,
and having multiple computers to do this is handy.
Then he had about ten cell phones.
But he simply goes on to say these are all phones that he's used over the years,
and he just didn't throw any of them out.
They just piled up in drawers over time.
You know what, now that I think about it,
in my drawer here I've got three, four, five, six cell phones myself
that's just kind of piled up over the years, so I guess I do the same thing too.
He also had a bunch of thumb drives.
Some of these were storage devices, but many were hacking devices.
Rubber duckies, bash bunnies, to name a few.
And while Alberto says, yes, these are tools a hacker would use,
you have to know what tools the hackers use in order to protect yourself.
So he just had them around for learning purposes.
And he had a bunch of Ledger wallets.
These look like USB sticks, but they're actually hardware Bitcoin wallets.
These are really handy if you want to store your Bitcoins offline, like, for instance, in a safe. But it is kind of strange to have a whole stack of them, though.
I talked to the company in France, and I was the person that was the reseller of them here
in this part of the world. So I got a box full of Ledger wallets.
You know, I have one of these Ledger wallets myself. And in fact, up until this point,
all the stuff he has, I have about the same stuff in my lab. It's not uncommon to see a security engineer with a lab full of equipment. But Alberto
had some stranger stuff that the police kept asking him about. For instance, he had a credit
card cloner and a bunch of blank credit cards. Now, the first thing the police thought was that
he was buying stolen credit card numbers online and then printing his own credit cards.
But when the police asked him why he had this, he told them.
I was making a test of security with the credit cards,
especially with the chips.
He goes on to explain that he's using the machine to conduct research on the chip and pin features of the cards.
He explains that that card writer was never used
and every one of the cards were blank.
He says the cloner itself is easy to get and legal, but it's the software on the cloner that's the hard part to obtain.
Even hotels have cloners to make room keys with.
But then there are 30 actual credit cards with his name on them.
Actually, many of them are expired.
And I have had them since 1995.
So I never got rid of credit cards.
I was always storing them after they expired.
So I was collecting them.
Besides credit cards, there was a lot of cash found in his apartment.
Specifically, the police found $1,400 U.S., 8,000 euros,
150 Brazilian dollars, and 3,000 Uruguayan pesos.
Now think about how much cash you have stashed away at home,
and compare it to the roughly 13,000 dollars the police found at Alberto's.
Would you say this is a suspiciously large amount of money to keep at home?
Well, the police did.
And the Uruguayan money makes sense, because that's where he lives,
and even the Brazilian money makes sense, because it's the neighboring country,
and he was just there to give a talk.
But the police wanted to know why he had so many US dollars and euros.
Why did I have that? Because of transactions with bitcoins. I mean, all the euros were because of a transaction that I made selling a couple of bitcoins to a tourist. I think they say less than 2,000. That was also from the operations with vehicles.
And according to a police report, they said they found a guillotine.
Oh, that's very funny, Jack.
I mean, my mother really laughed a lot when you sent me an email asking me that question
because I don't have a device to cut heads in my house.
I have many things, but not that.
A guillotine is a device to cut papers in a perfect way.
I mean, in a flawless way, just to cut paper.
And in fact, the maker of the paper cutting device actually does call it a guillotine too.
And lastly, he also had an anonymous mask hanging on the wall.
Yeah, well, the mask.
Why did I buy that mask?
that it was the final evidence that I was a super criminal, of course.
Alberto tried desperately to explain the reason why he had all these things to the police,
but the evidence was just too much.
The police were blown away by the amount of hacker paraphernalia found.
They thought if he talked like a duck and looked like a duck,
then he probably is a duck.
They had certainly thought they'd captured a cyber terrorist.
Who else would have all these computer parts?
The police seized all his stuff, including the guillotine and mask. No matter how much
Alberto explained, the police simply didn't listen and grew more excited with each new
device they found. The police were making a big mess in his apartment, taking things apart and
leaving stuff all over the floor. Alberto grew more desperate trying to explain the reasons
why he owned each and everything in his apartment. This continued all morning long, for hours.
Then around 1pm, a new police officer showed up.
He had a quick chat with the police in his apartment, and then pulled Alberto aside for a talk.
Alberto could tell he had more authority and was more serious than the other policemen.
And he started to tell me that, okay, I had to confess about the mail. And I was thinking to myself, okay, if I admit that, I know, I am certain that they do not have any evidence or IP that links me to that email.
I mean, of that I'm sure.
So if I say, okay, I send the email, later I thought that I would be able to prove that no, there is no link between that mail and me.
And I would avoid all the pressure,
all the psychological pressure that would put it on me.
So I decided to say, okay, I'll send the email.
When the police threatened to raid his mother's house,
he confessed to writing the ransom email.
Because he knew he could prove he was innocent in court.
And he wanted to save the grief of his mother and girlfriend being questioned and searched.
And a few minutes after I admit that, I was surprised that my girlfriend appeared.
They had taken her to my house. She was surprised to see Alberto handcuffed and being treated poorly.
It was embarrassing to Alberto.
The police took Alberto and his girlfriend to jail, as well as many boxes of electronics.
Alberto was able to go directly to court that day.
It was a frustrating long period of time where they were asking me questions that were irrelevant because of the lack of knowledge in about
computers that the judge and the prosecutor have so they were asking me irrelevant questions
they didn't know what to ask me well it was very frustrating for me because I wanted to tell the
truth but I was unable to explain myself in order for them to understand because they didn't have the knowledge to understand the situation. They hardly know what an IP address
was, so that's for you to have an idea of how frustrating it was, the whole situation.
That court day was over. Alberto was taken back to his jail cell, and while walking there,
he saw the boxes of stuff they took from his apartment and noticed something. One of the items he had in his apartment was a thing called
a USB killer. This is a device that looks like a regular USB drive, but it's got a very dangerous
side to it. When you plug it in, it charges a large capacitor up and then discharges it quickly,
zapping the port with a huge power surge. This causes a massive electronic shock and usually kills whatever you plug into it, such
as a laptop.
It's designed to test the surge capabilities of USB ports, but usually it just destroys
whatever you plug it into.
Alberto saw they had taken this and was trying to tell them not to plug it in.
I told him, please be careful with that because it could destroy any device that has a USB port.
And he said, OK, OK.
So they took him back to his cell for the night.
And my girlfriend also was arrested, and she spent the night there in the Interpol building.
The interrogation for her was not nice.
I mean, they told him, for example, that I had admitted everything
and that I told that she was the mind behind everything.
I mean, things like that they told her.
They were playing with her mind. It was stupid.
And she knew nothing.
This took a major psychological toll on his girlfriend.
Her whole life was now flipped upside down.
She couldn't imagine how this could have happened to her.
She was really taking this terribly and couldn't sleep at all while in jail,
worrying that she might not ever get out.
Alberto was very worried also,
realizing that all this looks very bad to the courts,
and admitting to the email made everything worse.
His anxiety was becoming very high,
and he was worried about what happened to his girlfriend. And at that point, you are in a cell that is very small.
All you can do is think. And that's what I did, I thought.
Alberto spent the night in the freezing jail with very little sleep.
And when he woke up, he was taken back into the courtroom to testify.
And at that point, my mother was aware of everything.
And she got me a lawyer.
During the interrogation, the prosecutor asked me,
in this pen drive you have 12 viruses.
How do you explain that?
And I was like, oh my God.
I don't want to do that.
I don't want to explain that, waste my time.
It's common for information security professionals
to play around with viruses.
They'll load them up on a thumb drive
and see if they can infect a lab device.
But the prosecutor had such little knowledge of computers
that Alberto didn't think he would understand. I just said, okay, I'm sorry. Yeah, I had viruses. Well, I don't know.
And the prosecutor got the file and said, you had a USB kill. What's a device that has a name of
kill? And I thought to myself, what the hell did I tell about the USB kill devices? Oh my God. Things did not go well for Alberto during court.
Piles of evidence showed he was a very capable hacker
and knew a great deal about Bitcoin
and admitted to hacking into the medical provider
and admitted to sending the email.
He only admitted to the email because he wanted to save the grief
of his girlfriend and mother getting harassed by the police.
At the end of the day, well, my lawyer called me and he said, I am so sorry, but you are going to prison.
I was charged with two things.
One was extortion and another thing was fraudulent access to secret information.
Alberto was found guilty, and he was being sent to a long-term prison where he would have to stay for years.
That day, I really thought it was the end of the world for me.
I was really, really, I don't know, my mind was like blocked.
I never thought something like that
would happen to me. A few days after court, he was put on a bus and sent to a prison very far away.
He knew his life had changed forever and still couldn't believe it. After the court ruling,
the news of this hit major news outlets. The police lined up all the electronics they took
from his house and put them on display for the media. The equipment filled up a very large conference table. On the table, you see his cell phones, laptops, USB drives,
blank credit cards, credit card cloner, routers, and the iconic anonymous mask, and so much more.
This was the first time a hacker had gone to prison in Uruguay, so it was a big deal.
The police may have hyped up the story too, thinking it was a great achievement for them
to have captured a dangerous hacker. And the media really wasn't kind either, because what kind of jerk steals patient records
and tries to use them for extortion? By the time Alberto arrived to the prison, he was already very
popular. The first day that I arrived, the people that were in my cell asked me,
what crime did I commit? And said, no, I commit a computer crime,
and, well, I hack a system. And say, oh, you're the hacker, oh my God, you're my hero, I want to be like
you. Can you hack the Facebook of my girlfriend? And I was like, oh God, I cannot believe it. And this prayer that other people that arrived after me in the cell told me that,
oh, you are the hacker, oh my God, I want to be like you.
I was realizing the magnitude that this case has in the press.
I mean, it was in every newspaper in Uruguay. It was in every TV news in Uruguay, in every radio program.
I mean, it was everywhere.
Everybody knew about this case.
Prison is a world I have never thought I could be in,
where you are surrounded by people that live in another world of crime.
None of them were hackers. They were
sexual offenders, killers, drug dealers, people that commit very violent crimes. I mean, their
profile was completely different than mine. I have never imagined I could be with people like that.
The prison warden made a strict rule announcing that
because Alberto was a convicted hacker,
that he was not allowed to touch any computers or electronics.
But Alberto was a nice guy, followed all the rules,
and people started to like him.
And three months after that, I was teaching the inmates
the basics of work in a room with seven computers
connected to the internet.
He had earned the trust of the prison guards and had good behavior while in prison.
And this prison was actually not that bad.
It had a little more freedom than most prisons.
For instance, if you had good behavior, there was an option to get out one or two days a week.
This might sound weird to Americans, but think of it like a combination of probation and prison at the same time.
When you have probation, you are very restricted on what you can do.
You may not be able to go out at night or with certain people,
and you may have to get a specific job.
So in a way, probation is kind of like prison, but you get to go home.
And this prison Alberto was in let some inmates go free one day a week.
And the guards started telling Alberto that, well, because of his good behavior,
in a month they may let him go home one day a week.
But then something strange happened.
At the end of February, somebody went to visit me to the cell,
and they called my name, and I wasn't expecting anyone.
And I went outside, and I met a person who I didn't know, and we started talking.
And he was a person who had many companies, and he wanted to know about my case because he was surprised about this
and he said, man, government should hire people like you, not send to jail.
A few days after that, I was granted, I could go outside the jail for 72 hours a week.
This is strange.
At this prison, usually when you get a free day, it starts out
with one, and then you work your way up to two, and you might get three days a week to be able
to leave the prison. Also, he was expecting it to take another month before his first free day,
but only a few days after the strange visitor appeared, he was given the maximum free time off.
Alberto didn't know what to think of this and was very surprised, but he was happy to be getting
out half the week now.
So he found a place to stay near the prison on his free days.
The first time I went outside, this person who I met in prison came to my house
and he started talking to me.
And at one point, he told me directly,
I want you to hack this bank and steal money.
This stranger had an elaborate plan all sorted out.
He knew exactly which bank to hack into,
and which accounts to target,
and how much money to steal.
He explained the plan thoroughly to Alberto.
This was becoming even stranger for Alberto.
Normally someone asking him to hack into something
is a simple no,
but this one seemed more serious.
Alberto said no to the man many times,
and he finally left. This stressed Alberto out.
Imagine if that bank got hacked by another person after this situation.
They would point to me.
I would be the person of interest.
Somebody was hiring me to hack a bank, and I did it, no, no way.
So, and the funny thing is that this bank had several security issues, so I thought to myself, oh no, oh no, oh my God.
This was really troubling Alberto, so he reported it to the prison guards.
And he was able to get some Xanax to deal with his anxiety.
But each week Alberto had free days out of prison, he would see this stranger. This guy was stalking him, following him home and around town,
each time asking Alberto if he was ready to help him hack into the bank.
Alberto started getting really distraught over this,
and his anxiety was growing more and more.
He had to take more Xanax to calm himself, but his mind was racing.
What if that bank gets robbed and they blame me?
What if I know too much and this guy wants to kill me?
What if he threatens me?
Alberto became more agitated.
The pills weren't working.
He took more.
He didn't know what to do and he was scared.
And he took more pills.
Finally, this started to calm him down.
He started walking back to the prison where he knew he'd be safer.
But he was starting to get drowsy along the way.
And at one point I closed my eyes
and the next thing was a beep beep beep beep. Now I opened my eyes and I was seeing a light.
They cut all my clothes. I had all kinds of devices in my body.
And they told me, you were two hours in coma.
You were dead for two hours.
The intense anxiety caused Alberto to over-medicate on Xanax,
which made him overdose.
He was found and rushed to the hospital,
where they were able to revive him in time to save his life.
He had to spend some time to calm down and take it easy after that.
Meanwhile, Alberto's lawyer was endlessly trying to get him out of prison.
He appealed the case, but it was not accepted.
So he appealed again, and again it wasn't accepted.
And finally, on the third appeal, the lawyer had some good news.
He phoned me and he told me, Alberto, they failed your favor, but there is only one thing.
They asked for $10,000 bail in order to release you.
And I said, OK, no problem.
I started calling some people, called my mother.
And the next day, she put that money in a bank account.
She had to fill a lot of documents.
And she gave the paper saying that the money was deposited.
And they sent a fax to the jail saying that I had to be released.
After spending nine months in prison, Alberto was set free
and was able to return home for the first time to his apartment in Montevideo.
I arrived to my house and I couldn't believe it when I opened the door.
Couldn't believe that there was so much stuff left behind by the police.
He was totally shocked that they didn't take every last device and examine it for evidence.
In his mind, he was wondering if the investigators did anything right.
And I found 29 hard disks.
They also left three laptops,
three cellular phones.
I also found money, money from Uruguay,
from Paraguay and Argentina.
And I also found blank credit cards.
No, it was crazy.
I mean,
that explains that the process was...
They were not prepared.
I don't know if they were not prepared for this
or what the hell happened.
It was all a show.
To Alberto, the investigation went wrong in a million ways.
The police weren't knowledgeable enough
on how to handle this case
and didn't take all the evidence
and they handled the evidence poorly. Like they didn't clone the laptop's hard drives. Instead,
they just turned it on to take a look at it. In fact, I talked to Alberto for hours and a lot of
what he had to say was just about how this case was handled so improperly. Which is probably why
in the end, they caught the wrong guy. He sometimes wonders if all this was just done to set him up
and have him arrested for some other reason. He's got a few theories about this,
like maybe it was a big cover-up
from something else bigger and more shady
going on at the medical facility,
and they needed to distract the media.
But these are just conspiracy theories
cooked up in the mind of a guy
who's been sitting in prison for months.
After Alberto was convicted and sent to prison,
the police couldn't find any evidence on his girlfriend,
so they let her go after one night in jail and rough questioning.
She had a very traumatic situation.
She started taking a lot of medication to sleep.
She was having a very bad time.
She has never taken any medication in her life for anxiety.
I mean, but she started taking that because she couldn't sleep at night.
I mean, they told her so many lies about me.
So she was thinking to herself,
I spent eight years with a person I didn't know anything about.
He was a criminal.
I mean, she was questioning everything because they were lying to her.
They were telling her all kinds of stupid things that destroyed her,
including the fact that I said that, they told her,
I said that, I admitted everything and that she was in charge of everything.
That was crazy.
I mean, they played with her mind.
The worst thing that they did was that they stressed her with losing her job.
That is the most important thing that she has.
If she loses her job, she loses everything. And she has, they call her company and they told the boss
of the company about the situation. So she had a very difficult issue that she told me
that still until now, she has nightmares and very recurrent nightmares that she is sleeping
and she dreams that she's being arrested,
that the doors of her apartment is open,
that it's the police, that she's taken to a cell.
So I was pretty sad when I heard that
because it's been more than a year and
she's still having the consequences of the traumatic interrogation process that they apply on her.
After eight years of being together, this incident caused Alberto to lose his girlfriend.
This was simply too much of a bad experience for her and she had to leave him to go help herself. As of right now, Alberto has only been out of prison for five
months and is still working with his lawyer to collect the evidence of what they took from his
apartment. The police have kept most of it still, including some Bitcoin wallets which have a lot
of money in them. In fact, life is very hard for him because most of his computers, phones,
and money and credit cards are still being kept from him.
For instance, all his two-factor authentication tokens are in police custody, making it impossible for him to log into certain accounts.
But there have been a few things that have gone his way since getting out.
After I got released, it was incredible.
I got job offers from an important security company for a pen testing position in a security company.
It was something that I lived and okay, okay, life goes on.
I'm stronger than ever.
I could spend eight months in jail.
So if I could do that, I could do anything in life.
That's the way I see it.
This whole story certainly puts Alberto in a really weird situation.
He absolutely has all the opportunity, capability, and know-how to commit this crime,
which is what was used to convict him.
But what really made him look bad in court was all the hacker stuff he had,
like the rubber ducky, the anonymous mask, and the hacker t-shirts and stickers.
And it poses a question to me, at least.
Why do security professionals who are there to stop hackers embrace the hacker culture?
I've spent my whole professional career keeping hackers out of my clients' networks.
So you'd think that I would absolutely abhor the hacker communities and would work towards breaking them up.
But instead, I love going to hacker conferences where I get to meet seriously scary hackers and swap tactics and skills with them.
I blog about how to hack
and teach others, and I wear hacker shirts myself. So why do I play on both sides of the fence?
I'm not exactly sure. I guess it's the same reason why law enforcement likes watching bloody and
violent movies, or why that firefighter that lives down the street from me has stickers of
flames on his truck. Because fire's badass, and we all got into these professions because it's
exciting to be so close to the action. And the only way to be effective at stopping it is to
embrace it and to be part of it. As Ric Flair once said, or this one from The Godfather.
He taught me, keep your friends close, but your enemies closer.
And this one. There is no teacher but the enemy.
Or Rage Against the Machine saying,
Know your enemy!
Or this quote from Mr. Robot.
The devil's at his strongest while we're looking the other way.
To truly stop hackers, we must become hackers.
The very thing we hate and the thing that scares us the most.
And because of this philosophy, it's a thin gray line between an illegal hacker and a security professional.
It's not that easy to just call someone good or bad.
We all have a little bit of both inside of us.
But the truth is, nobody should be convicted of a crime because of what stickers they have or clothes they wear.
They should only be convicted because they actually committed a crime.
And in Alberto's case, the justice system wasn't prepared and had a predetermined idea of what a hacker looks like and wasn't capable of looking at the evidence
with clear eyes. In some ways, illegal hackers and security professionals are long lost twins.
We have the same skills and the same endless curiosity. And in many cases, we look the same.
I guess it's one of those relationships that's truly complicated.
And too complicated for this judge in Uruguay to fully understand.
As for Alberto, he learned I'm going to report this. I mean, of course, I was connecting with a VPN and a proxy. So
you have to be lucky to trace me. There's no way I'm going to report them. I turned
off the computer and went to bed and slept like a baby. I mean, I've learned my lesson.
Not anymore.
Yeah.
You've been listening to Darknet Diaries.
Alberto is now working towards changing the legislation in his country
to prevent situations like this from happening again in the future.
He's got a petition going to help make changes, and you can find links to that at darknetdiaries.com.
He's currently writing a book about his experiences, so look for that in the future.
Oh, you may have heard ads in this episode and wonder what's up with that when I also take
donations. The truth is right now I need both. And I hope someday I'll be able to go back to
being ad-free, but the donations right now just aren't enough to make that a possibility.
But the more you donate and share this show with your friends,
the faster I can go back to being an ad-free podcast.
I do have plans to give more rewards to Patreon supporters,
so look for that in the future too.
This show was created by me, La Sombra, Jack Rhysider.
And the theme music is made by the phantas Breakmaster Cylinder.