Hacked - Ethical Space Hackers + CryptoProgram + Juice Jacking Revisited.
Episode Date: May 16, 2023
A chat episode about the world's first ethical satellite hacking exercise, a much deeper look at Juice Jacking and whether (and when) it's actually a thing, and a remarkable crypto themed money making... opportunity that walked through our door.
Transcript
This episode, we're going to boldly go somewhere hacked has never gone before.
Where are we going, Jordan?
Hacked is going to space.
Hackers in space, Scott.
It's, you know, is it a utopian or dystopian?
I've got to ask.
You've heard the show before.
It's star hackers.
It's cosmic cybercrime.
No, they're not actually in space.
These are hackers on Earth, but they are hacking stuff in space.
We are talking about the cybersecurity team
that hacked a European Space Agency satellite
to prove, A, that satellites can be hacked,
GPS coordinates manipulated,
images sent back doctored,
and B, to figure out how to stop it.
Makes sense.
We're going to loop back around
and talk about a topic we touched on
very briefly a couple episodes ago,
juice jacking.
Okay.
And ask an important follow-up question
about that FBI warning
against juice jacking
that we read off in that episode, which is, has it ever actually happened?
And then in the back half, we're going to talk about a website that came across your path, Scott,
with a really just incredible crypto-themed money-making opportunity.
Not just an internet story.
You bumped into this one IRL.
I'm not going to say much right now because I wanted to be a part of this.
I want people to experience this.
You know, we talk about crypto.
So usually offhandedly on this podcast.
And we've never really taken a shot at it.
It's not our attention.
We do talk about obviously lots of the cyber crimes and other things that go on,
the frauds that live in the crypto space.
And, yeah, one came walking through my door the other day.
So I think I just got to embrace it and take the time to talk about it.
I'm looking forward to it.
All that more in this episode of Hacked.
How are you doing, Scott?
I'm good, Jordan. How are you?
I'm doing good. I'm good. You really turned that one over in your head. You thought about it for a second.
Well, you know, I'm not going to lie. I feel like the brain's a little cloudy today.
Sure.
But, you know, we were chatting before the episode and I feel like Jordan's in the same boat.
So let's hope that we're maximizing our sharpness here.
I'm maximizing my sharpness, turning my brain on.
I'm here to pour the last 5% of sharpness I have in me into the microphone for the people.
So hopefully we can do it.
So where do we want to start?
Do we want to start with space hackers?
Do we want to go juice jacking first?
I feel like it's a tie back to previous episodes.
I think we'd kick it there.
Why don't we start there?
So for anyone that didn't hear it, a couple episodes ago, right at the very, very end of the episode,
I think the press release had gone live that day, so we decided to include it.
We touched on something called juice jacking.
The FBI had put out this warning.
For anyone that doesn't know or there wasn't listening to that, juice jacking is a cyber attack,
essentially where a person's device is compromised when they plug into a public charging station.
There's a bunch of variations on it, but the basic idea is you try and use a publicly available port,
and it compromises your phone or device.
For the long-time listeners, we did an episode on BadUSB.
Some of you will know what that is, some of you isn't.
But essentially it's a USB key that is used to compromise computer systems.
It requires physical access.
You insert the key into the computer, then does some things, you know, tries to compromise the computer.
And I guess juice jacking is the same kind of idea.
You know, the little port on the bottom of your phone, you know,
if you're lucky enough to have a USB-C, unlike us Apple users who have, you know,
FireWire.
No, it's not FireWire.
Lightning.
Thunderbolt.
Lightning.
No, lightning.
That's what it is.
Lightning.
It's essentially a USB port still.
It's not the same protocol and stuff, but essentially gives hardware access to the device.
That's why they can pull an HTML out of it, you know, feed insert into SD cards and things
like that.
You can get dongles that come out of your phone because it's essentially a bus access
port, just like a USB port would be.
So juice jacking kind of makes sense.
We live in a world of bank card skimmers and tons of other hardware implementation
level frauds and hacks.
Juice jacking just seems like something that would be, if they're not doing it, I would say
that's a missed opportunity for bad people.
A missed opportunity for bad people.
Yeah, it sure does seem like it would be a thing.
So last week the FBI puts out,
I think it was the FBI Denver office, puts out that warning.
Then the FCC re-ups and puts out the warning another time,
and that kind of one-two punch, everyone covers this.
NPR suggests, quote, crime is becoming increasingly common,
potentially due to a rise in travel. WaPo says, quote,
there's a substantial privacy risk due to juice jacking.
CNN cautioned that connecting to a malicious charger could lead to immediate
infection. There's a Fortune headline warning readers not to use these free charging stations
lest their bank accounts get depleted. These announcements prompt a whole bunch of media coverage
about this thing that, as you said, has been kind of floating around in the world for a little
over a decade now. Term was coined originally, I think, by a, maybe not a friend of the show,
but someone we're both fond of, Brian Krebs, coined it back in 2011 when he saw a,
essentially a tech demo at a large hacking conference about this.
I'd love to meet Brian one of these days.
I feel like we talk about it or nothing.
If you don't know who he is, you should check out KrebsOnSecurity.com.
His blog, it's amazing.
Something I've followed for literally.
I think we've got to start going to those conferences.
I feel like all these stories, there's always like a, and then.
Participate in the world, Jordan.
Participate in the community.
So that's juice jacking, right?
This thing that makes total sense, there's these FBI releases,
this FCC announcement.
Everyone covers it.
And that was kind of the story.
That's when we kind of skimmed past it.
Talked about it on the show a couple weeks ago.
Then there was this secondary wave of coverage that I wanted to talk about here.
An article by Brian Krebs and then another article from Ars Technica.
The Brian Krebs article, the headline was a little bit a little bit gentler.
It says, why is juice jacking suddenly back in the news?
Ars Technica's Dan Goodin went a little bit,
a little bit further: fear-mongering over public charging stations needs to stop.
Here's why.
And the thrust of these is that, broadly speaking, most cybersecurity experts
maintain that juice jacking is not a threat to the general public.
Unless you are being targeted by a nation-state actor, there are, quote, no known real-world
cases of juice jacking because modern iPhones and Android devices require users to acknowledge
a warning before exchanging files with connected devices.
Mike Grover, a researcher who essentially creates offensive hacking tools and conducts offensive hacking research for big companies,
believes that the threat of juice jacking is exaggerated for the general public and is more relevant to targeted situations.
There are extreme edge cases where keyboards or devices disguised as keyboards can enter malicious commands when connected to iPhones.
But these attacks are limited and are pretty impractical for juice jacking.
The big headline here is that for the past five years, no one has demonstrated a successful juice jacking attack
on a device running a modern version of iOS or Android.
Apple representatives when contacted were not aware of any attacks in the wild,
and no security experts or documented cases of juice jacking occurring in the wild have been found.
That's fascinating.
I found it very fascinating.
And then I thought about it.
I plugged in one of my partner's lightning cables that I never used,
and my phone, as Android phones do, popped up with a little thing saying,
hey, would you like to allow data transfer using this cable and device?
And?
Well, I clicked no.
And it seems like that's what most people would do.
Okay, I'm going to counterpoint that because I've done this at least five times.
Okay.
I'll jump into a rental car.
I'll throw in a USB cable.
Sure, sure.
And, you know, it instantly kicks up and says,
hey, do you trust this car?
Do you want to transfer your phone contacts to it?
or whatever piles of data.
And usually I'm in the progress of opening like Google Maps
and then that pop up pops up right above the icon I'm about to hit
and I hit the trust button.
I've spent time looking for how to undo that trust connection.
Right, right, right.
Usually what happens the second I hit that trust button
is I rip the cable out of the bottom of the phone
because I don't want all of my 2,800 contacts in my phone
to be uploaded to some random rental car in Austin.
Yeah, sure. So it's, it's, I don't, I don't think the pop-up is, is by any means,
um, a security step to prevent anything, you know, like how many times you jump on an airplane,
you throw your phone into the USB port to charge it and bang, you get, get a, do you trust
this computer pop up? It's like, absolutely not. Do I trust this? I want the free energy. I don't want,
I don't want, I don't want to communicate with it. That is fascinating that there's actually no
reputable known attacks with this vector, that's crazy.
I would have thought, given how many people and the extents that people go to steal my credit card,
you'd think they'd want your data.
Yeah, be it custom molding new plastic inserts to go over top of the gas pumps at my local.
I can't imagine that people haven't tried this.
Besides proof of concepts.
Proof of concept is a really good place to start here.
Like I mentioned, Brian Krebs term first kind of coined it,
DefCon Conference in 2011.
It was this researchers demonstrating this proof of concept.
The idea of compromising fake wall chargers sort of started to evolve over the years.
There was Mactans, which is a really, really popular one.
But a lot of the reporting that happened about this,
In 2019, the Los Angeles District Attorney's Office published an alert warning people about this scam.
People loading malware onto charging stations or on cables left at stations to infect unsuspecting users' devices.
TechCrunch reporter Zack Whittaker started digging into this.
He contacted the DA's office and asked them,
hey, do you have any instances of this happening in your jurisdiction that you can point to?
And they couldn't.
Followed up saying, hey, can you, as the district attorney here, point to any jurisdictions in the
US where this has happened and they couldn't provide any.
So it's not to say that there aren't any happening.
It's that there's a lot of announcements going out about how this is a very significant
threat without a lot of documented case studies.
It's not to say, however, that charging stations and cables can't be used to compromise
devices.
It's just worth looking into how they can be used to realize that it's a pretty high-budget
operation.
So Linus Tech Tips just did a like a little, dropped a little video about something called
the O.MG cable.
It's a regular looking USB-C Lightning type cable.
It's a lot like the BadUSB Rubber Ducky from that episode from years ago that you mentioned,
Scott.
And it's a cable with a little microcontroller used to emulate an input device like a keyboard
and a mouse.
It even has a little Wi-Fi emitter inside of it so that it can create its own little
network to talk to other networks.
Really interesting product.
costs $200 for one of these cables.
Requires a moderately high technical sophistication to even use.
This isn't to say that someone couldn't use this against the general public.
It's that it's much better for like a targeted attack and there are much easier ways to hack the average person.
Everything we talk about in the show is that you just, you lie to them.
The ultimate hack, the lie.
You don't need to buy $200.
The ultimate hack is you just lie to them.
Mike Grover, the security researcher who created this product, says that he wants to live in a world that is so secure from that kind of social engineering and lying-based act that the only way to get the average person is to need to use a $200 cable.
This just isn't where you would start for most people.
I found that very interesting.
I just want to back up a step.
You caught my interest when you mentioned some of the stats.
A lot of conversation about communicating with district attorneys and other American
things.
Sure.
Have you thought about the option that maybe this attack vector is being used in other foreign
countries, of which I will not name, but we can all assume we know which ones we're
talking about.
Yeah, sure, definitely.
And they're worried that that attack vector will be brought into another global power
that they're not currently, you know, in love with.
Offrating in?
Yeah, sure, sure.
Yeah.
So that would be where my mind goes,
is if anyone's doing this in any kind of massive scale,
like you hear about Eastern superpowers
and how they love good insights into their citizen base and population.
I could see this being something that's actively going on
and like, say, you were to take a lovely trip to beautiful St. Petersburg
and plug your phone in somewhere.
You know, it's probably a better habit to develop to like understand that when you plug.
Yes. It's not the power cable in your laptop, you know, back in the day when you had like,
that's just straight, you know, DC voltage coming into your laptop. There's no way to really hack your computer through a DC input feed that goes into a power.
Mm-hmm.
Where when you plug in the base of your phone, you're essentially USB-C powering it and giving access to whatever you're plugging
into to your phone.
Yeah.
Or tablet or whatever,
or a USB-C powered computer.
And that changes the risk profile
of plugging into things.
It would be interesting if we saw the rise of phones
that had a separate power port.
Oh, interesting.
Or maybe just the removal of a bus port altogether
because that could be a thing
as we go more and more wireless.
Until you switch over to the data transfer port
because you need to connect to your rental car in Austin.
Hey, Apple CarPlay Wireless is coming, or is here.
Sick.
I think there's, so the really skeptical read here,
and I don't think I necessarily prescribe to this,
is that this every couple of years,
we get a little fear-mongering press release.
And I don't quite think it's that.
What I think it is,
and so a few years ago,
the only way you could brute force your way
into one of these devices was using something called
a GrayKey.
It's like a device marketed to law enforcement that you can plug a phone into and after several hours, it can crack a password and it costs $30,000.
An O.MG cable doesn't have quite that capacity as a different use case, but you can do some pretty similar stuff now for $200.
Now, $200 is still prohibitively expensive to buy a ton of these things and pepper them around the world at every public charging station,
but 30,000 down to 200, tech tends to get cheaper.
So I think that just sort of having this out there in the world is like it's almost, let's get in front of this and start communicating this idea that, you know, don't trust your hardware before these cables cost $10.
Before they get so cheap that you can just have them out in the world and see what happens.
Because just because we're not there yet does not mean we're not going to get there.
Yeah, it's a viable attack vector.
Obviously, the FBI feels the same.
Whether it's being used a lot or not,
it still doesn't reduce the risk of it.
So I think ingraining in people a sense of security
when it comes to, wow, you know,
everything in my life is on this tiny little computer
that I carry around and is completely vulnerable
to being stolen and or broken into
if I do the wrong thing,
like not setting a passcode on your phone, which is insane.
Yeah, yeah.
If it's not a thing, I think the more that people ignore it,
the more it'll become a thing.
So I think it's probably a healthy thing to communicate about.
I think it can be both true that it is not yet as big of a thing
as some of these warnings might suggest,
but yet it is almost inevitably going to become more of a thing.
I think those are probably both, at least somewhat true.
Yeah.
Yeah.
But is it a thing in space, Scott?
This is the question.
Something in space into a charging port on Earth?
Like a satellite?
No.
I don't know that you can.
I don't know if juice jacking satellites is the best.
Yeah, totally.
It's very expensive to get the cable up there.
It goes from $200 for a cable to many, many, many million.
And the deployment of it is very bad.
Well, and as we learned about a week ago,
there are much easier ways to compromise stuff in space.
Let's hear it. Let's hear it.
So about a week and a half ago,
cybersecurity researchers from the large French defense firm Thales
did a demonstration at the European Space Agency's CYSAT conference in Paris.
It's their big space defense conference.
And in this, they did a demonstration in which they successfully seized control of a satellite
in a demonstration that has been described as the world's first ethical satellite hacking exercise.
Importantly, not the first time a satellite has been hacked,
just the first time it was done ethically as an exercise.
So this demonstration targeted a European Space Agency
OPS-SAT satellite.
This isn't cybersecurity related, but I thought it was cool.
It was a nano satellite, which I guess are the size of about a shoebox.
This little shoebox-sized thing that contained a, quote, experimental computer
10 times more powerful than any currently operating on a European Space Agency spacecraft.
And I think, from what I was able to suss, the whole purpose of this little shoebox-sized
OPS-SAT satellite, nano-satellite, was as a security research machine.
Sure.
It was sent up so that they could test live remote testing mission control systems and stuff like that.
It's like a honeypot.
They built themselves a honeypot to test it.
For them to test themselves.
They needed a bullseye, so they made their own.
In the demonstration, the company said its ethical hackers exploited the satellite's, quote,
standard access rights to gain control of its application environment.
It, quote, made it possible to compromise the data sent back to Earth.
In particular, by modifying the images captured by the satellite's camera,
and to achieve other objectives such as masking selected geographic areas in the satellite imagery
while concealing their activities to avoid detection.
They basically got in the middle of the data transmission to and from this little experimental satellite
and they were able to doctor images it was sending back and then conceal their activities.
So they man in the middle data communication to a satellite?
They man in the middle data communication with a satellite.
I got to like this, when I read this, I got to assume.
You know, we're not talking about 70s satellites.
You know, we're not talking about satellites that, you know,
probably have less power than the USB chip inside of that cable we were just talking about.
The, when you said they were doctoring photos,
that's always a weird thing for me because my mind always jumps to, like, Photoshop.
Yeah, sure.
Oh, they're just, how are they going to get in the middle of a data transmission,
open Photoshop, edit a photo, and then resend it?
So I wonder if it's not something like it's running Unix and it has a command line image tool and they were able to modify the image files prior to sending using ImageMagick or something along those lines in the command line.
That would make more sense to me.
That was me justifying how they did this because it seems pretty insane to be like, oh yeah, we're just going to.
Connect to the satellite.
Yeah, sure.
Edit some photos.
Crack open creative clouds.
Yeah, totally.
My guess would be that, oh Lord, I don't know.
But I mean, these photographs, they're only taking photographs of one thing, right?
They're pointing that thing back at Earth and taking photos of down, essentially.
And I'm assuming that they're largely stitched together images based on GPS status.
So I wonder if by doctoring images it's more to do with, you know, if you're looking at this GPS coord,
it don't bake it into the images you're sending back?
Like if it's more of like a direction for the camera than a doctoring of the image the camera produces.
Yeah.
Yeah.
So that's where my mind went to.
Like obviously too, if they're stitching, they probably have some form of image tool on the satellite that's executing, you know, a script to do something to these images, be it stitch them, be it, you know, increase the contrast and brightness.
You know, whatever the process for the pre-process of these images is.
I wonder if they just interfered with that thing.
But I thought that that point alone jumped out of me the most, being like,
huh, they're doctoring images in the transmission.
That seemed like the hardest thing.
You know, when we talk about building a computer, putting it in a box,
and then sending it to space, that computer still having security vulnerabilities isn't overly surprising.
It's still a computer at the end of the day.
There still has to be inbound and outbound communication from it.
To me, it makes sense that you can hack a satellite, just like you can hack a car or a phone or a computer or anything else.
Well, and the timing of it is pretty interesting too.
So the exercise happened on April 27th, and that's almost right before this very big news story concerning a release of a big old batch of highly classified U.S. intelligence documents.
I'm not sure if you followed this story, but it was a 21-year-old IT worker who allegedly leaked a giant batch of documents on Discord.
Not sure if you followed that one.
I didn't.
I didn't see that one.
Very interesting story.
We'll probably talk about it at some point in greater detail
because I think it warrants it.
But inside of that giant data dump,
there were warnings that the Chinese government
is developing very similar capabilities
as this demonstration to seize control of satellites.
The leaks suggested some stuff
about the methods that folks in China have been exploring.
Attackers mimicking the operator signals,
potentially enabling them to, quote,
seize control of a satellite,
rendering it ineffective to support communications, weapons or intelligence surveillance, and reconnaissance systems.
So it's a very interestingly timed experiment that lines up with some real-world techniques in this document dump that happened again on Discord.
Beyond that document leak on Discord, we'll wrap up here is, you know, are there other case studies?
Has this actually happened in the real world?
One is a tech demo.
One is sort of alleged tactics.
Last year, a researcher from Belgium successfully infiltrated a SpaceX Starlink terminal using a custom-designed modchip.
They were able to introduce their own unique code into the Starlink satellite.
A separate group of researchers from the University of Texas was also able to gain control over Starlink satellites.
Those were both kind of more experiments.
If we keep drilling, though, there are some very real-world possible implications beyond demonstrations.
Early last year, as the Ukrainian invasion commenced, satellite internet users
across Europe started reporting significant service outages.
And a piece in Bloomberg described how Russian hackers successfully breached several mainstream satellite internet companies
and were probably responsible for these outages.
So while this is still largely a tech demo, still largely a speculative thing in document dumps,
there are real-world applications for hacking satellites as we become more reliant on satellites.
Yeah, absolutely.
Especially with the things going on in the world these days,
is the amount we're relying on them for, you know,
battlefield communication, GPS usage, you know,
satellites have just become so ingrained in us,
not even just internet connectivity,
which is in its own right.
Like if you've been following the Ukraine conflict,
obviously Starlink has had a big presence in that.
It's interesting that they took control of the satellite
and were introducing code and other malicious things
via changing something on the ground level,
like something, you know, not in the satellite,
but they changed a chip in the local access terminal,
which tells me that they put the control mechanisms here and not up there,
which makes it much easier to bypass because you can touch it here,
where if you put it up there, it's a lot harder to get up there and change a chip.
It's fascinating.
I think we're going to see more and more of this stuff, which is sad,
but the reality is, I think we've,
GPSes are everywhere.
I remember 20 years ago you had to buy an individual GPS unit.
Now it's like our watches have it, our phones have it, our cars have it,
our you name it.
We're all GPSed up.
We've willingly committed to being tracked.
That's why I'm going to live in a canyon.
I like this story.
Tinder is now requesting video verification,
if you're not sure what that is.
It's that you have to essentially shoot a small video.
You've probably seen some form of video verification at some point in your life.
Some sites required for access, other things like that.
If you haven't, I'm sure you'll see it more in the future.
Essentially, you upload a small video of you confirming that you are who you are.
Obviously, usually you put something in the video to confirm that that is the reason for the video.
And it essentially is a two-factor authentication and identity confirmation
so that they can prove that you are who you are and
that you're willingly participating in the application usage.
So for Tinder that would be
you can't make fake profiles because
obviously with the amount of
fraud and stuff going on in the world
they don't want a bunch of people
with fake Tinder accounts
trying to defraud people.
Completely get it.
I think we're going to see more and more
of this style of verification
just as the world is being overrun
by bots and fake users. But at the same time, I'll say that we're hitting a different
turning point where the bots and fake users are now actually capable of generating their own
AI videos. And that's only going to get better and better. So this type of verification is
probably going to get worse and worse. Yeah. So I don't, I'm not on Tinder. But like a lot
of platforms, there's sort of like a forking in verification. Tinder also uses a blue checkmark
system. And it's kind of just verification. People can set a preference to, I only want to be
swiping and chatting with people that have this verified blue checkmark, which is Tinder's seal
of approval that you are not catfishing someone. And it used to be that you just had to take a
photo of yourself using the selfie camera in the app. And now they want you to film a video.
So my question on the technical hardware side is, is the app forcing you to use a
selfie camera any kind of a defense against an AI-based spoof? Does that help prevent against
that? Or is there a way I'm not aware of getting around that to feed in an AI-generated video
into that front selfie camera signal?
You know, if there's a will, there's a way.
Sure. I don't know.
I don't know. Yeah, exactly. I don't know of anything else at my head, but if there's a will,
there's a way.
You know,
right.
Putting,
intercepting communication and faking it is something that we deal with constantly.
The,
one of the things that I found most interesting about this,
and I want to flip this now,
is something that I've been thinking about a decent amount
because it's relevant, you know,
both to the show,
also to, you know,
hobbies as well as careers is, you know,
we talked about video game cheaters.
And there's this huge,
huge issue in free-to-play games.
You know, you've got your Apex Legends,
you can rattle off the list of free-to-play games
that have massive cheating problems.
And it all comes down to the fact that
they chase the cheaters and ban them with such haste,
but they can just create new accounts.
So most cheaters have hundreds of accounts.
They don't have one account.
When they lose that account,
They don't, you know, it's not over for them.
They just jump to another account.
They don't stop.
Yeah.
Ruining people's games.
And so I was actually thinking about this last weekend.
And I think that that blue checkmark system needs to move to free to play games.
Because, and if you're a game dev, if you work for any of the major studios, this one's free.
Take it and run with it.
DM us and say thanks.
You know, if you create an account,
you play some of these free-to-play games. Lots of people buy the battle passes, they buy
the seasonal subscriptions. They spend money on these games. And like we've talked about that
before, I see that largely as a tipping culture, is like, thanks for making this great thing
that I enjoy consuming, have some money. At the same time, every time I have a bad cheating
experience, it makes me want to play the game less and less. But I like the game. I want
game studios to implement essentially a security bond where maybe I pay 20 bucks and it goes into a
trust and as long as my account never gets banned for cheating, I can get that $20 back.
But it buys me the right to have a quote unquote blue check mark. And then when I matchmake,
I can choose to only matchmake against people that have the blue check mark. So essentially there can be
the public lobbies that are just full of chaos and cheaters running rampant.
And then there can be the blue checkmark lobbies,
which are people who are like,
I'm serious about playing this game.
And I understand that there will be financial retaliation if I get caught cheating.
And it's like, I think I would happily pay,
on a free-to-play game that I play with some regularity,
I would happily pay $20, $30 just to have that,
just to be a part of a lobby and to be a part of games that have a way lower likelihood of having cheaters in them.
What do you think of that, Jordan?
Yeah, I was going to ask, I like it.
I was going to ask if you need the financial penalty to have a verified blue checkmark system,
but I do like that you don't get your money back cudgel element of it.
I think that that would.
Here in Canada, I don't know if it's like it in the States,
but you have to put a coin into the shopping cart before you can take it.
And if you want to get your coin back, you've got to put the shopping cart back where you found it.
It's a little bit of that psychology at work.
But that's the thing, because the issue with free to play is that, like, you get an account banned, you just create a new one.
Make a new one.
There's automatic generators that just make hundreds of accounts.
You can buy full accounts from the cheating companies.
So the funny thing is that these cheaters are paying tens, hundreds, thousands of dollars to cheat providers to ruin the game for other people.
And those other people, I think, would happily pay or at least secure the ability to play without those cheaters.
It's this interesting thing.
Like, you know, you buy whatever digital currency is in these free-to-play games.
It's like just hold some of it in like a bond.
And, you know, you can withdraw it and lose the blue checkmark at any time.
I don't know.
I just thought it was a way to still allow people to enter the ecosystem of playing the game.
But then the people that really enjoy the game can essentially remove or reduce the risk of cheater interactions in their play.
Because it's honestly one of those things that's just ruining free-to-play games at this point.
And EA's got monstrous lawsuits against companies, Activision too.
They're trying to put a stop to it.
but with the global cheat development community
and how much money there is to be made
and fulfilling that demand,
it's, I don't know, it's interesting.
You know, short of the government making it illegal
like they did in Korea,
I don't know what other retribution there is.
So making it a bit of a financial sting,
if you want to pay 20 bucks to cheat for 10 games
and then get your account banned and lose the 20 bucks,
you're only going to do that so many times.
We talked about this in the GDC episode,
but as games are moving kind of away from in-app purchases
and more towards taxing user-generated content,
identity verification feels like it,
if not being necessary for that to work,
certainly has a benefit to know who you are buying
and selling stuff to
and know that you're taking part in an economy
where everyone has a little blue checkmark.
Yeah, sure.
I see the appeal of that.
Yeah, and I see the appeal of making a free-to-play game.
Obviously, you can introduce it to a large audience with no barriers of entry.
Great.
I would say, I don't know how many people then convert into being people that spend money on the game,
but given the revenue numbers that you see in some of the quarterly reports coming out of major studios,
I think it's pretty good.
Yeah.
So it's like if I'm at the point that I'm spending money on cosmetics in many instances in these games,
you're not... Most game companies get roasted when they have pay-to-win stuff. But when it comes down
strictly to cosmetics and other things, like, that's where, again, I see that, like, tipping culture. You're
like, oh yeah, I love this game, here's 12 dollars. Yeah, toss a couple bucks in the, in the hat. Yeah, sure.
But at the same time, it's like once you truly start to enjoy a game, if your experiences just get
worse and worse and robbed from you by people cheating for whatever, you know, mental health
reasons they do that.
There's got to be a way.
There's got to be a way around it.
And it's like if it's not a financial disincentive, like they've tried hardware
banning.
There's spoofers for that.
They've tried so many different things.
And none of them have really worked.
So it's like if they can just get to the point where it is a financial penalty,
you know, I'm okay with that.
Especially for established games that have huge player bases like
Call of Duty, Apex, League of Legends, things like that.
So I just think it's, I don't know, I think it's, it's, it's, it's, it's something that as a
society we need to be moving more to the video selfie, you know, kind of verification,
but maybe it needs to be financial. Hmm. Yeah. For the nine seconds when a video selfie is
still unspoofable, it would, uh, it would solve the problem, but, but money's, but money's
evergreen. It'll always, people never want to lose that. Exactly. And if they want to make money,
maybe they should look into a little, no, I'm not even going to say that.
Something called a crypto program.
Oh my God.
We'll get back to that later.
We'll get back to that later.
We'll get back to that after the break.
So, Scott, I've been trying to get rich quick lately.
Do you know of anything that could help me out with that?
Jordan.
Do I?
Okay.
Story time.
Story time.
Take me through it.
So, yeah.
We had a birthday the other week, a couple weeks back.
And one of my wife's friends popped back into town for the birthday,
came over, hung out,
walked through the front door of my house.
And this isn't something we normally cover on the show,
not something that I normally want to cover on the show,
but then proceeded to try in a bit of an MLM model
tell us about how they were making so much money
on the internet with crypto,
not just investing in crypto and the regular ways of crypto,
but a little system by the name of crypto program.
So I'm not sure if you're familiar with it.
I certainly wasn't.
But it's essentially an MLM-style investment.
I don't want to, the intent here isn't to slander.
They might be the most brilliant people in the world
and have figured out how to make money out of thin air
because let me tell you about the returns on this program in a second.
But I will say that there have been a number of notices
coming out from securities commissions and administrators
saying, you know, hold up, watch out,
and maybe don't get invested in this,
notably the province next to ours, the BC Securities Commission,
which I will add is where my friend lives, who is currently invested in this.
So they came out and essentially flagged a notice and said,
hey, watch out for this.
We exercise or we urge you all to exercise caution when dealing with this firm.
They don't have any registration.
They have a lot of bold claims and nothing to back it up.
You know, please be put on notice.
But let's just, let's just dive into this.
There's lots of information.
Once they told me the name of it,
I went, I just Googled it and just, you know,
found a pretty incredible little article by BehindMLM.com.
It seems to be this site that tears apart kind of multi-level marketing schemes
and how they work.
And this program actually has an MLM model.
There are referral commissions.
So you get additional returns on the people that you directly bring in,
and then the people that they bring in.
So it has that upward.
Sort of triangular form factor.
Precisely.
It seems very multi-level and very marketing.
But let's just talk about this because it blew my mind.
So this company promises on a $550 investment,
What am I going to make?
Tell me.
How rich am I going to be?
USD coin or tether.
So the two kind of USD
related coins,
I wouldn't say that they're
exactly pinned to the US dollar
as we've seen some variances occur.
But coins that are essentially
supposed to represent the value
of one US dollar.
They guarantee
a return of 25%
per month.
Oh my gosh.
Per month, Jordan.
Per month. Oh, wow.
And then you get a,
for people under you in the
tiers,
triangular shape,
sure. The person directly underneath you,
for the first month that they're in,
you get an additional four and a half percent
on anything that they put in.
So that's 29 and a half percent.
You get an additional 2.8 percent
of what they put in for the months
after the first month, but the first month
you get a bonus, so you get four and a half
percent. People underneath them, you get a consistent 1.14% return. That means if you bring enough
people into this, you would essentially be getting like 29% a month, which is insane returns.
Seems high. If you've done anything in finance, 29% guaranteed monthly returns is insane.
Crunch those numbers for me, Scott.
I pulled out my trusty, you know, HP12C.
If you don't know what it is, great calculator, you should get one.
Reverse Polish notation.
If you're a math nerd, does a little finance, the HP12C, just Google it.
The thing's beautiful.
It's the nicest calculator in the world.
And I ran some quick calcs.
If you put 10 grand in.
Some forensics accounting.
If you put $10,000 in at 25% monthly returns.
I'm going to be so fucking rich.
12 months in,
you have $145,000.
Sick.
24 months you have $2.12 million
$2.12 million.
Double down.
What happens in three?
I didn't run the three.
I will in a sec if you want me to.
I just want to talk about this from a corporate
perspective because
if you can guarantee
25 up to 29%
guaranteed returns, that means that you essentially have figured out the matrix and you know how to
make money out of thin air.
So it's like the question then becomes, and I don't want to talk about the fact that this is
crypto or this is anything.
This isn't an unregulated space, which should fire up a million red flags.
But if you know how to print money out of thin air, why do you need to seek investment?
Why are you giving this money to other people?
Because you've got to assume that the crypto program people also need to make money off of your investment.
So let's say that they split the difference with you.
So they give you half and they keep half, which would be, if you know how to make money out of thin air,
it seems like a pretty low return for the company.
Yeah, it's a very generous thing to do if you can print money to give half of it away.
But cool.
If you've figured out a system where you can get 50% guaranteed returns on investment,
I don't see why you would ever, like the credibility test for me is,
is if you know how to do that, why are you making it public?
If you actually know how to do that, you don't need other people's money.
There's no reason to share this.
You can make more money than you've ever thought possible.
At 50% returns, I did some quick numbers.
Say you took $50,000 in friends and family money.
12 months, $6.5 million.
Cool.
24 months, $842 million.
So if you know how to make returns on that level,
how, why
have you turned this into a,
into a multi-level investment opportunity?
Sure.
It blows my mind that things like this exist.
Like, people don't give it.
I'm not going to say people think it's legit.
I'm going to say people don't give it enough critical analysis.
Sure.
I'm not going to assume that the numbers on this site are real,
because I'm not going to assume that anything on this site is real,
because my gut is that this is not real.
But if you were to go over to the site and you shouldn't, don't, I'm going to read it for you.
Quote, the best way to grow your crypto.
You're going to see a big old video with a very AI human being taking you through this.
There are no names on this site.
There are no real human being faces explaining any of this.
BehindMLM did some very nice reporting and figured out who is behind this.
I'm not going to say their name for legal reasons.
But the site would suggest that there are 11,000 registered users with
10,000 registered wallets.
And the product they're basically trying to hawk here.
Step one, you create an account.
Step two, you add a cryptocurrency wallet.
Step three, you use it to buy this package.
It is unclear what is in the package.
It's not crypto.
It's something, I think.
I don't know what you're buying.
But then step four, you get a 25% monthly return.
So it's literally like the step three question mark step four profit meme.
They put that on a real website and put an AI face next to it, and they want you to give them hundreds of dollars.
Here is the question mark. Here's what they state. This is directly off their website.
When you put a package, we use the funds to buy goods and services at one price and then offer them at another price.
So they're essentially doing...
There should be a name for that process.
They're essentially doing goods and service arbitrage.
This one's called online.
Oh, they aren't.
This one is called online affiliate marketing,
sending paid and organic traffic to purchase services
when the opportunity presents itself.
Oh, my God.
It means it's insane to me.
It's insane.
Either these people have figured out the matrix
and are giving it away to people just out of the goodness of their hearts.
because I'll tell you what, Jordan,
if I knew how to make 50% legal 50% monthly returns.
I'll see you on your island, Scott.
Yeah, yeah, literally.
Like, I would leverage and sell everything I own.
Do it for 12 months and never,
nobody in the descendancy tree of my life would ever have to work again.
Yeah, I mean, so the way these typically work,
How do I put this?
The way certain triangle-like
shaped
business plans
tend to work
is everyone buying into this system
is putting money into a pot,
and as long as the pot is bigger
than people trying to take money out,
the pot keeps getting bigger.
Inevitably, there's only so many people
on the planet who will fall for a grift,
and at a certain point
more people start trying to take their money out
than are putting the money in,
and the whole thing collapses.
Historically, that's what this looks like.
You can tether on the like, I'll pay you, you'll give me a cut of yours,
kind of you work under me and my funnel element to it.
If you can't keep getting people into it, it collapses.
I'm going to just simply read off the Merriam-Webster definition for Ponzi scheme.
Has nothing to do with this company, not implying it.
Unrelated, and I'm stating that as a fact:
an investment swindle in which early investors are paid off with money put in by the later ones
to encourage more and bigger risk-taking.
Famous Ponzi scheme, Bernie Madoff, lasted for decades.
The ability to bring people in, give them guaranteed returns,
show them on paper that they're making returns.
And then when the odd person cashes out, you just pay it from the pool of
money given to you by other people.
As long as you can keep growing the pool, if people want to cash out, they can.
Which actually means that some people, Ponzi schemes probably actually made out good and got insane
returns.
And I think, having spoken to my friend, that he knows people and is a person who has made
out somewhat good from this.
But at some point, in a completely unregulated investment,
with no oversight.
Anyway, I'm not going to say anything.
I'm just going to say, you should just Google it because
if I knew how to make 50%, or monthly returns.
Maybe you have no idea what I would do with it.
Let's maybe put a pin in it with what BehindMLM wrote about this.
Sure.
It puts it nicely.
The business model fails the Ponzi logic test.
Anyone capable of legitimately generating 25% a month on a consistent basis isn't giving you access for free.
In fact, they probably wouldn't be giving you access at all because 25% a month with even a modest starting capital soon turns into a fortune.
That's exactly my thought process when they were explaining it to me.
I was like, there's no way that people are just like, yeah, why wouldn't, why not?
Why wouldn't I just give this to you?
They go on to say, I'm quoting BehindMLM.com again, just quoting them, while I can't speak for every promoter, neither crypto program or the name of the person they have looked into as being behind this, neither of those are registered with the SEC.
This means, at a minimum, crypto program is committing securities fraud.
Seemingly well aware that they are operating illegally, they offer up this disclaimer, arguing that they are exempt from the U.S. Securities Act of 1933.
They do not cite a reason why.
Quote, disclaimers like this are meaningless.
You can't just claim to be exempt from securities law
and carry on breaking the law.
Yep.
Right through my door.
Yeah, wow, this is, this walked right through your door.
It's funny, you know, we make the offhanded comment
about crypto here and there
and about how it's an irregular space and the risks
and the thievery and the frauds and you name it.
And then this one just, you know, hopped into my life.
I felt like I had to talk about it.
It was just such a fascinating, fascinating challenge to society to look at it and go,
this seems like a great idea versus this is clearly something that I should be scared of.
And the human nature is fascinating where some people see it as the opportunity that they've been waiting for
and other people see it as, you know, a risk, a massive risk.
You see story after story after story of people getting rich by investing and stuff.
And then you see story after story about people getting rich investing in crypto.
And then a crypto investment thing comes along and says, this is now all that is going to happen to you.
It's very compelling.
And just like OneCoin, what we have here isn't even really, this isn't a crypto scam.
There's a lot of bad faith crypto projects, big rug pulls.
That happens all the time.
This isn't even that.
This is allegedly just a Ponzi scheme that you buy into with crypto.
They haven't created a new coin or token or thing.
They're just using that stuff to do a good old fashioned Ponzi scheme.
I'm just here to talk about it.
Allegedly.
Allegedly.
Allegedly.
Yeah.
Anyway, I think that's it.
That's all I wanted to talk about.
So, you know, solving video game cheating, watching out for
potentially risky crypto investment structures on the internet.
Space hackers.
Safe hackers.
Juice jacking, whether it exists or not, and whether it will exist or not,
whether it exists or not in other countries, getting verified on Tinder.
And getting verified on Tinder.
And whether or not AI will make all that irrelevant.
You know what?
Let's end here.
Just on the subject of AI generated videos,
which are relevant to Tinder and relevant to a crypto program.
Did you follow the fake Drake story?
Oh, yeah. Absolutely.
Heck yeah.
We're talking about the music generated one.
Yeah, the music generated fake Drake.
Yeah, love it.
I think we're going to talk about this in the future.
The new one that just dropped the other day was a Frank Ocean one.
But what was interesting here wasn't that it went viral on the internet.
It's that someone used that technology on a leaked music forum
where people sell leaked pre-launched music to one another.
They created fake Frank Ocean music, went on one of these forums where people buy early
access to leaked tracks, sold the fake tracks to those underground music collectors, and made off
with like $13,000. Wow. Yeah. I wonder when Frank Ocean's going to radio only to hear his new hit
single that he didn't. And I know nothing about it. Not before Grimes does. Not before Grimes does,
because she just put her voice out for anyone to use. Did she? Yeah, she did.
It's actually pretty cool.
I don't know why I brought this up right as we're outroing an episode.
It seems like a whole thing we should talk about.
Maybe we'll talk about this on the next chatty chat episode of Hacked.
Take care, everybody.
Thanks for listening.
