Hacked - Hong Kong Deepfake Heist + Three Million Toothbrush Botnet + Hacked Canada
Episode Date: March 15, 2024A chatty chat episode in which Scott and Jordan discuss the proposed Flipper Zero ban in Canada, a chatbot that lied to an airline passenger, a multimillion dollar deepfake heist in Hong Kong, and the... Satoshi Nakamoto court trial currently underway. Learn more about your ad choices. Visit podcastchoices.com/adchoices
Transcript
Discussion (0)
I think it's time for a little trivia.
It me.
Was there, question one.
Question one.
Was there a botnet made up of three million internet connected toothbrushes
that were terrorizing the internet when they weren't terrorizing plaque?
That sounds so far-fetched that I can't imagine you just made it up.
So I'm going to go with true.
It's a double bluff.
No.
But it sounded so far-fetched that a lot of people thought it was.
true. Question number two. Was there an elaborate deep fake theatrical production used to stage a massive
200 million Hong Kong dollar corporate heist? That sounds like a for sure. Yeah, that definitely did
happen. Question number three, is Craig Wright, Satoshi Nakamoto? No. The answer is no, but true.
That is the trivia thing that you asked. I have framed this all as trivia. Like, maybe for legal reasons,
If he is Boise, he not making a great case.
And the stakes of the case he should be making are very high.
No, yes, maybe.
We've got a bunch of fascinating stuff to talk about,
but do you know the thing I'm most excited to talk about, Scott?
I'm excited to take all our listeners on a tour of our homeland.
It's the hacked Canada tiny stories about Canada tour.
Oh, well, there's some big stories about Canada that we're working on that we're coming out with the episodes in the future.
Yeah.
Yeah.
True North Strong and hacked.
Three stories from the north.
Strong and oppressed.
Jesus.
Flipper zero bad.
Air Canada chat bought weird.
And a strange identification system proposed to visit column adult sites.
Who knows what's even going on up here.
The fog of war is thick, but one thing is for certain.
You're listening to Hack.
I'm working on my broadcast transitions.
Did you enjoy that?
I did.
That was perfect.
You like that?
That was good.
Amazing.
But the question you kicked it all off with, my friend, how are you doing?
I'm good.
I'm good.
I just got back to a little week surfing in Nicaragua, which is why I was absent the last
episode.
I apologize and we'll be absent actually, I believe in the next episode because you did that
interview all that way.
And the internet in Nicaragua maybe isn't broadcast quality per se.
Well, we're happy to have you back, man.
Yeah, excited for a few of the interviews and things we get coming up for the show
in the next few episodes.
We're finally getting to the.
Scott's Crypto Corner book review.
I believe we're going to be doing an episode talking about
Douglas's Going Infinite and Zeke Fox's
number go up.
So that should be a good one.
Zeke is coming on the show, which is exciting.
We haven't done the interview yet, but it's coming up.
But really, yeah, really will keep all my thoughts until that episode.
No, crypto.
I want a mild correction.
I think the newest name is this the Scott Crypto Rage Cage was the most recent.
It's the most recent title.
Bitcoin is up to 73,000 after.
Don't you have egg on your face?
Apparently, apparently the world has found new value for it and has shot its price up.
So excited to hear any theories on what that value is.
Please draw me a chat on Twitter at HackPock.
You're excited to hear from you.
Almost as excited as we are to introduce some of our newest patrons on Patreon.
That's right.
Hackpodcast.com redirects to our Patreon.
And boy, do we appreciate all the support.
Absolutely.
You know who I support?
Tell me.
We haven't done this in like four episodes.
I'm like looking forward to this.
Danielson, my favorite karate kid.
Yes.
Danielson, thank you so much.
Smokeyoni.
That's a phone one to say.
I'm glad I got that one.
Smokeyoni, thank you.
And Brad.
Everybody loves a Brad.
It's all about Brad.
It's all about Brad.
Noeb.
Thanks, Noib.
Really do appreciate it.
Andrew Naylor.
Nailed it.
Love it.
Nailored it.
Nailored it.
Nailored it. Wauksera.
Thank you so much for your support.
Tofer the gopher.
Also known is just tofer.
Just tofer.
Just to find you.
Again, too loose with it.
Ruru Day.
Thank you so much for your support.
support. And last but not least, Scott, take it across the finish line.
Hackle.
Hackle. Hackle.
Hackle.
Thank you, everybody. It means a lot to us.
We haven't done a Patreon shout out in a little bit, but does mean the world to us.
If you want to support the show, hackedpodcast.com redirects to our Patreon, and it means a lot.
Definitely, definitely.
Merch store.hpodcast.com.
get some stuff if you want it if you don't want it totally understand
I'm not here to pressure you this is not a high pressure
maybe you don't need a bucket hat but you probably do
hey visor season is coming soon it is March
visors will be needed by like May at the latest yes
so get yours now you can find all that stuff if you just go to hacktopcast
dot com I think what a hackedpodcast.com slash store
is where you can purchase
that that hat?
No.
Nope.
I'm pretty sure it's store,
store.
dot hacked podcast.com.
That's why keep you around.
So howlpodcast.com goes to the Patreon.
Store.
Dot hack podcast goes to the store.
The logic tracks.
Sub domains.
Who knew?
Who knew?
Who knew?
It's been weird up here in Canada,
my friend.
Oh.
Spicy times.
Spicy times.
The first one I want to talk about.
So chat bots.
Chat bots.
So.
The Canadian guy named Jake Moffitt successfully sued Air Canada after being misled by the airline's chatbot policy about their bereavement travel terms.
So airlines have policies to provide discounts for people urgently flying because somebody died.
These are very important policies.
Following his grandmother's death, Moffat books a flight from Vancouver to Toronto and goes looking for information on the website about the bereavement rates where he was, you know, purchasing his ticket.
speaks with the chatbot on the website to find out what the terms are,
and the chatbot inaccurately instructed him to book his flight immediately
and request a refund within 90 days.
This is importantly not how Air Canada's bereavement policy works.
Jake files the claim, gets denied,
then presents a screenshot of the chatbot's advice,
and his refund request is rejected.
In this rejection, Air Canada argues two major points.
First is that while the chatbot provided incorrect info,
it also provided a link to another page on their website that on that page did contain the correct
information. So it was like a truth and a lie situation. And then they made a very weird abstract
argument about it being this sort of separate entity that was not their responsibility. Both
stances were dismissed by the tribunal and Moffett's sort of persistence in this led to a ruling in
his favor granting him this partial refund and additional damages. And as of the time we're
recording. I checked this morning. The chatbot is disabled on Air Canada's website.
This is, if this had come out any other way, we'd be in for a world of hurt with random
AI chatbots telling us random things that weren't actually right. So I'm so happy that
this small lesson, I'm so happy that this person took it to court. Yeah. Because the two or
$4,000 or whatever he was fighting for in regards to his ticket refund is probably nothing compared to
what his legal bill was.
So kudos to you, my friend.
The world owes you a favor,
at least Canadians do,
for setting the precedent that these chatbots
can't just make stuff up.
Yeah.
For a bunch of reasons,
there should be a penalty
for the race to replace customer service people
with chatbots that have no internal model of the world.
Like the idea that a representative of the company
can just tell you incorrect stuff
that you can then act on
that the company is not liable for
is like,
we can all immediately see why that's not a great idea.
That's not what this technology is for.
And the fact that it was being used on our Canada's website this quickly is pretty shocking to me, to be honest.
Well, it's also shocking that they must have trained the chatbot on Air Canada's policies and procedures and that it got it so wrong, which is wild to me.
So I'm not sure if that's indicative of just bad training or whether it's indicative of them not setting the right boundaries.
for what the chatbot was allowed to do, but it's just just bad stuff.
Like it actually, it reminds me of the Watsonville Chevrolet.
I don't know.
I think we chatted about this in a previous episode,
but like one of the first big chatbot headaches was some Chevy dealer in some place
called Watsonville, which I do not know where it is.
I'm going to assume Kentucky or Wyoming.
The, uh, anyway, they put a chat GPT chat bot on their site and it said powered by
chat GPT and all the rest of it.
And people just started training it to say yes to everything.
And then to pair it back that it was legally binding.
So people started like buying Chevy Tahos for a dollar and like setting all these.
I'm pretty sure the people that were trolling it on the internet weren't taking them to court being like, no, you owe me a Chevy Tahoe.
But that would be really funny if they actually had taken them to court.
I feel like what's happening here is there's some enterprising folks out there that realized very quickly, hey, if we show up to these companies and saying we've,
figured out how to plug the open AI chat GPT API into a chat bot, you can replace a lot of your
customer service people with this. It's going to save you this much money and look at how good the
results are. And they've just been on a sales tour for the last year and a half. And I'm hoping
these stories are sort of a big megaphone blast into the world. Like this is not an appropriate
application of this technology. That's not what this should be for. Because people will figure out
You can compromise this thing with plain language, which means if you just put it on the internet, you're going to get a chat bot on your site telling people, yeah, a Chevy Tahoe cost a nickel.
And yeah, you can just request a refund on your on your airplane ticket.
It's like it's not, it's not a good idea.
That, yeah, it's, I feel maybe this is my own bias against his AI bots, but like I feel like they become really good at conversation.
Like, like they're like the old touring test to be like whether you can identify it.
Is it a Turing test?
I can remember what the test is for AI.
Yeah, Turing test.
If it, Turing test, yeah, of like whether you can identify whether it's human or an
AI, I feel like they're crushing that thing.
But the part of them then being trustworthy and having the right information, I feel like
they're not crushing as much.
So I'm sure it's only a matter of time, but I rarely have discussions with chat,
GBT, to get answers for questions that I want answers to.
where the answers are actually the answers.
I feel like whether or not chat GPT can pass a blind kind of conversational touring test with
someone is like, yeah, probably in a lot of cases it can.
But the difference is that a company employs a human being, they kind of become liable
for a lot of that human being's actions.
And it is not established that a company is liable for the actions of a chatbot.
Yeah.
And how you train a chatbot is just fundamentally different.
than a human being.
And also, like, you can fire a human being.
You can get angry at a human being.
There's penalties and incentives for a human being
that just don't exist for a chapot.
So, yeah, it can probably pass that test in a lot of situations,
but when it fails to, you got no move whatsoever.
Well, the, like, customer service agent,
like the word agent is actually like a pretty powerful term.
That's true.
To like, so it's like, in a legal sense,
it's a powerful term.
It's like an agent is essentially the spokesperson
for a company in that regard.
And once you have a chat bot agent,
like you need to be held liable for what it says.
If people are using the information that's providing
to make decisions,
then you should be liable for the information that's providing.
I 100% agree.
I have like clawed back money from large corporations.
I have clawed back money because a person from the company
on the phone on a recorded call told me something.
I took action based on that.
and then something about what they told me turned out to be wrong.
And the call was recorded and we were able to reconcile and I got the money back.
Like that has actually happened to me.
And it concerned air travel weirdly enough to this story.
No, it wasn't with Air Canada.
But anyway, it's like it matters.
It matters that there is an accountable person because otherwise it's just this like,
if Air Canada had won this, it means that companies could just shrug off basically everything
they tell their customers.
Oh, that was a chatbot.
sorry, separate entity than us.
You know, what can you do?
These things suck.
Like, why do you have it?
Why is it telling people to do things?
Yeah, totally.
I feel like we could bang on this,
bang on this drum all day long,
but I've had the same thing where I've had to go back
to recorded phone calls to get refunds on things.
And yeah, there's a reason why they record those calls.
And it's pretty amazing.
Mine was insurance related, which was even better.
Weird.
That sounds like a phone way to navigate.
Yeah, cool tech, don't use it this way.
Anyway, actually, speaking of cool tech, you shouldn't think about a certain way.
There's another story coming out of Canada and concerns.
A device that I know holds a special place in your heart, Scott, the Flipper Zero.
Yeah, yeah, I definitely don't own one, seeing as they're about to be banned.
Yeah, what else do I need to say about that?
Take that episode down about how you bought and love yours.
I bought mine because I knew that they were probably going to be banned at some point.
And then now I'm literally definitely don't have it.
It's definitely not sitting right beside.
No. You're not holding it at the present moment. Yeah, the innovation science and economic
development Canada agency has put forward a proposed ban on the importation sale and use of,
amongst other devices, the flipper zero. So let me, I just need to go off a bit on this because
it's, this thing is getting such a bad name for just being configurable. You know what I'm saying?
Yep. You can do things on it, like run a small Wi-Fi web server,
and therefore we should ban it because that small web server can expose a security hole in Tesla's
key system. It's like, well, you know, I could buy a micro PC off of Ali Express for like 80 bucks
and do the exact same thing. So or a Raspberry Pi or any number of other things that has
the ability to run a Wi-Fi server. So why is why is the Fipper Zero getting a bad name?
just because it's kind of marketed as a tool,
and by kind of, I mean, is marketed as a tool to do these things.
I'm not going to sand that edge off.
It's pretty explicitly marketed that way.
That's not a good reason to get rid of it.
But it's,
yeah,
it's like it's doing its job.
It's proved that there are security full of vulnerabilities
in certain car manufacturers key systems.
It's like great.
Like that's good.
Fix those problems.
100%.
Don't ban the device.
Don't ban a security research device if you're worried about the security.
of other device. It's just, it's
extraordinarily backwards. For anyone that
doesn't know, a flipper zero
is, it is, it is marketed as
kind of a hacker tool. But what it really
is is a small, beginner
friendly device that lets you interact with
wireless signals, RFID, NFC,
Wi-Fi, as you mentioned, Bluetooth, standard radio.
You can do all sorts of fun
little hackery projects with it. You can change
TV channels. You can clone a hotel
key card. You can read a
Pets RFID chip. It's a little
wireless signal receiver. Yeah. Yeah. It's
It's an extensible platform that allows you to pretty much do anything.
There's an entire like circuit interconnect on it where you can put in custom boards.
We did a whole episode about it.
If you have any interest in it and any interest in buying one before they get banned,
I recommend you move fastly or quickly.
The, um, we did an episode about it.
We had a great, uh, Talking Sasquatch, big YouTuber on about it.
Go back a few months and give it a listen.
Great episode.
But, uh, very cool little devices.
It's like a, it's like a pre-made microcontract.
computer to do this stuff. It's not, it's like my cell phone is running Unix. So it's like I could
do it on my cell phone. But it's like this is just its own kind of little pre-made cutesy toy device for
it. Yeah. It's kind of great. And people have really adopted it. And the community has developed
that is extending it. And I don't know. Yeah. It's nice. I think it's worth digging into where this
is coming from. So car thefts are admittedly a pretty disproportionate problem in Canada. Just seems to be a thing.
disproportionately disproportionate, a lot of complicated reasons why that is.
Despite all of the versatility that we've discussed, the Flipper Zero does lack a lot of the
capabilities necessary for actually bypassing modern car anti-theft protections.
Signal amplification relay devices are kind of widely understood.
If you're going to buy a thing to steal cars, you're probably buying that.
Flipper Zero doesn't let you do that.
I was just going to say rolling key generators and stuff like that.
Like you can buy a specific device.
I can go on the internet right now and buy a device that is meant to hack rolling key like automotive keys.
Like I can buy that right now and have it shipped in my house.
That's not banned.
No.
But Flipper Zero's banned because in some situations it can be used to run a fishing or like a man in the middle attack, et cetera, et cetera.
And it is what it is.
In Canada, you kind of think of the geography in Canada.
You drive up, not a lot of buyers in Alaska.
You can drive down, but primarily the buyers for stolen cars exported from Canada aren't in the United States.
If you go through the land borders, they're extraordinarily well protected.
You can get across in other parts.
It's a massive open border, but that's not where the sellers for these cars are.
The buyers for these cars are primarily across oceans, let's just call it.
Is that your political waves?
Yeah.
They're across oceans.
They go into sea cans and then go on shipping freighters that then take them across oceans,
notably the Pacific Ocean.
And a funny thing about sea cans, now that you mention it, a lot of those in our port systems.
Yeah.
A ton of those in our ports.
So there's tons of things you could do to prevent car theft.
You could invest more money and security in our ports.
You could create stricter regulations.
about the anti-theft measures that go into these cars that make them prohibitively difficult to steal.
We talked about that a ton in the Kiya Boys episode.
There's a lot of really cool, meaningful actions you can take.
Banning a hacking gizmo is just like a regrettably performative gesture that, if anything,
is going to sort of like hold back meaningful security research in a country that is saying it is doing this because there is a security problem with cars.
The only thing I can think of, and maybe if there's some bureaucrat at the GOA,
our GOC, government of Canada, listening to this,
is there something that we just don't know that's not reported in the news?
Like, maybe these things are being used to steal, like, Honda Civics everywhere.
Like, their push button, script kitty car theft devices.
Because, yeah, I agree with you.
It does seem performative if it's just exposing security flaws in,
especially when it comes to Tesla.
Because one of the things that I keep referencing is that, like,
you can kind of use them to trick people into generating a spare key.
and then making the flipper zero
to essentially a web hotspot.
Anyway, yeah, unless there's something
that we just don't know about
that's not being reported
because they just don't want people to know about
and talk about how easy it is
to just, you know, steal Toyota Ravours or something,
then yeah, I don't,
it does seem performative to be for sure.
Good times. Good times.
Good times.
So here's one.
There was one last Canadian story.
It's kind of ranty Canadian episode.
Do you, to heck with it.
There's a bill currently in the committee in the House of Commons here up in Canada that would make it.
So if you want to view adult content, you either have to.
So how do I get into this?
I don't know the best way to do this.
Yeah.
Yeah, proposed Senate bill trying to mandate age verification on explicit websites.
The argument, I understand the argument.
It is to protect minors.
However, the bill importantly doesn't specify a method for verifying user's ages.
And looking at sort of some of the available systems in other jurisdictions, the two big things that come up would be either a digital identification system that you have to, you know, plug in to access these sites or a facial recognition software, which has intuitively raised concerns about anonymity and privacy on the internet up here in Canada.
I don't think it I think this seems like people go into the grocery store and getting all of the ingredients for a ginormous catastrophic data breach and putting them in the basket and walking them up to the self-service till this like what if we had a giant database of identities of people that visited a porno site seems like the biggest target in the world I can imagine the episode two years from now where we talk about the data breach it just seems like such a bad.
I 100% agree with you. The other thing, unless they figured out a way to really, like I'm just
thinking it through right now, to really like multi-tier, you know, unconnected key systems with,
I don't know how they do it, but I agree. It would be have, especially if it was a government
contract and built by government contractors, it would probably be ripe for data breaches.
I'm sure that they would take their best crack. I don't get that.
the sense I don't really have a tin foil hat about this one. I don't think this is the first
step towards creating a digital identification system and a social. I'm not, I'm not meaningfully
worried about this. I think this is starting from a good instinct to try and keep minors off of
adult websites, which is a good instinct. But I just think that this is a solution with the actual
solution, which is a technical one, sort of being shrugged off. And I think until you can propose
that in a secure, meaning,
full way, you shouldn't, this Bill S-2-10, you shouldn't be bringing this forward.
I got a bigger challenge for you in regards to the fact that adult content is just
everywhere on the internet now.
So you literally can't just, if your concern is minor exposure to adult content, then you
shouldn't just let minors on the internet because I don't know when the last time you were on
a social network was, Reddit, Twitter, or X.
literally any trending post on X is immediately followed immediately by the top reply,
which is an only fans person promoting their only fans with explicit content.
It's like it's their marketing scheme.
Same thing on Reddit.
If something's trending, there's only fans people marketing themselves in the comments.
And it's just like there's porn everywhere.
I don't know.
Unless we start doing, unless they're marrying it to like image identification technology.
So like your web browser will then filter all that stuff out if you haven't verified your ID,
which is probably a likely solution to that.
I just can't see how they're how mandating identity and facial recognition for explicitly
adult content on the internet or tagged out of all content on the internet is going to help
because it's just so much of it at this point.
Yeah.
I think you kind of drove past the solution there,
which is that like this is a hardware level problem.
Yeah, software local.
Hardware platform combination level problem.
The simplest version of this is that like most kids don't have,
most 11 year olds don't have a sufficient side hustle to purchase an iPhone.
It's probably being bought for them by a parent.
And when the parent gives it to them,
they can put controls on that device because they're handing an internet connected device to a minor.
Totally.
If you don't want that minor,
to see something, that security should largely be occurring at a hardware level.
I think there's tons of things that platforms can do to strengthen that and to keep miners
from seeing things they shouldn't be seeing and should be.
That would be a great place for a well-intentioned law passer to start looking at as,
what can we be asking these platforms to be doing?
There's some stickiness there, but that those two solutions, large platform and
hardware level protection seems like a way better approach.
of this. Let me turn on your, uh, it seems you've gone to an adult website. Turn on your webcam.
It's like, that's a non-stop. You're going to create a giant underground for something that
a lot of people access. It's not a good idea. Yeah, totally. If your intention is to like,
you know, sink the, the adult porn industry, the legitimate porn industry that has rules and
regulations and, you know, brings structure and probably, I don't know, I don't know the right
words I'm looking for here, but, you know, better than the underground scene in, you know,
in regards to a number of, you know, rights and non-human trafficking-y things.
Yeah, I think that any kind of system like this,
I do think that that might be the solution,
like a good, solid platform, like iPhone, Microsoft, OSX,
you enable child accounts.
The computer or the browser has an extension that auto identifies that all content
and immediately removes it from the page.
I think that's the real solution here.
is allowing parents to put the boundaries on what their children are allowed to do on the internet.
Maybe there's an issue there in the sense that maybe there's not so many technically savvy parents,
but I feel like as the millennial generation and below becomes the new parents,
I feel like that's going to quickly change.
I'm not sure how many millennials exist besides my wife, love her to death,
that aren't technically savvy.
I wasn't sure where that was going at the beginning of the sentence.
Yeah, yeah, yeah.
She's a power iPhone user, but the second you put a computer in front of her, she's, she doesn't love it.
Say that.
They're unwieldy.
Yeah, put protective barriers around the kids, not necessarily around the content,
if you don't want to drive legitimate sex work underground.
It's just not, which is not a good place for it to be.
Yeah, agreed.
Well,
Anyway.
Rage against the machine.
a bunch of Canadian stories.
Let's kick it over to some of our fine sponsors.
And then when we come back, we'll talk about a pretty wild heist in Hong Kong.
Think about the last time you heard a breach story on this show.
It always starts the same way.
Someone somewhere saw something too late.
An alert buried, a signal missed, an SOC that just couldn't keep up.
Arctic Wolf set out to solve that problem by rebuilding security operations from the ground up
for a world where attackers are already using AI.
They created the Aurora Super Intelligence Platform,
a fully agentic system powered by the swarm of experts.
Instead of single-purpose bots or lucky-guess LLMs,
this swarm is full of deterministic agents
that handle whole entire workflows.
Humans stay in the loop and on the loop
to validate the critical decisions
and keep everything trustworthy,
and all of this is just off running on their secure operations graph.
A constantly updating intelligence engine
fueled by more than 9 trillion telemetry event.
every week and over a decade of real-world incident response.
The system reasons on real signals and real context not synthetic training data.
And the result is the new Aurora Agent SOC.
It's the first SOC that is agent-led by design.
You get agents that coordinate, agents that investigate, agents that respond at machine speed,
and hundreds more that automate the repetitive work that normally buries human analysts.
Arctic Wolf didn't try and bolt AI onto an old model.
They rebuilt the model entirely.
What makes even more effective is how it works with Arctic Wolf's concierge experience.
The team brings customer-specific context directly into the platform so every AI-driven decision reflects your environment instead of generic assumptions.
The automation frees your concierge security team to focus on higher value strategy and proactive risk reductions while the agents handle the grind.
If you want to see what trustworthy, production-ready AI and security operations actually looks like, go to Arcticwolf.com slash hacked.
Ever feel like cyber threats are evolving faster than anyone can keep up?
Last year, 2025 was nothing short of a record-breaking year for major breaches,
from sophisticated ransomware operators to AI-enabled attacks that turn defenses on their head.
Organizations around the world saw headlines they never expected,
and cybersecurity teams were tested like never before.
But here's the thing.
These incidents aren't just news headlines.
They're learning opportunities.
And that's why Arctic Wolf is hosting a live webinar on February 5th,
diving into the most impactful breaches of 2025.
Their field CTO and security leaders are going to unpack not just what happened, but why
these attacks succeeded, and most importantly, what businesses can do to fortify their defenses
for it's too late.
You're going to walk away with real insights into how threat actors are evolving, how defenders
are responding, and what strategies can help you stay ahead of the next big breach.
It's not fearmongering.
It's practical, actionable, intelligence from experts in the trenches.
Register now at arcticwolf.com slash hacked.
International news.
So, this is an interesting one.
We don't know the name of the company.
It has not been included in, based on my research, a single piece of coverage about this story.
So we're just going to call it a large multinational company.
Uh-huh.
An employee at said large multinational company joins a conference call.
This was a couple weeks ago.
They got on the call and a bunch of their coworkers are there.
Cameras on.
And the result of that call.
The person is to go ahead with a transfer of 200 million Hong Kong dollars.
It turns out the entire call was a deep fake theatrical production.
The person got looped into the call through a fishing scheme.
Their co-workers who were again on camera were deep faked based on publicly available video and photography.
And the entire thing was a scam to get them to go ahead and transfer this money to the hackers who took the money and ran.
Case is the first of its kind in Hong Kong involving deep fake technology.
arrests have been made yet. The cops are still looking into it. And the story went wide because they
were trying to get outward that this technology has reached a point where you can be looking
at a person on a Zoom call and this is possible. Yeah. Yep. Had to come. It was coming at some point.
The thing that surprises me most is that it wasn't just one deep fake person that they deep faked an
entire team of people.
That to me is crazy.
Like it's very sophisticated.
Like I'd say that this is, I would say that if they're at that point where they're like,
you know what's going to make this more convincing if we bring six colleagues to them chat
to?
If they're at that,
if they're at that level of sophistication, I think that we are in trouble and you're
going to hear more and more and more about this.
Yeah.
There was a reason I used a theatrical production because
There's something different to me about one person doing this versus a whole bunch of people getting together and casting parts and figuring out who's going to say what and scripted it all out and then putting on their deep fake masks and going into it.
It's very theater kids do cyber crime energy.
I'm sure they're not.
I'm sure they're very dangerous hackers.
But it is just sort of a different tenor for these types of corporate hacks.
For context, $200 million Hong Kong dollars is about $25 million U.S. dollars.
This is a large corporate heist.
And it was a fishing scheme and a Zoom call.
It's crazy.
Like I mentioned to you, but like while we were in Nicaragua, my parents-in-law got defrauded.
Yeah.
WhatsApp.
Somebody was pretending to be my wife, same name, set up their WhatsApp profile,
messenger gave her some lie about our messenger mother, gave her some lie about our phone.
had broken, her touchscreen wasn't working, but she was somehow still able to use WhatsApp.
Her SIM wasn't ready. She couldn't call her, et cetera, et cetera.
But she needed to pay some bills right away and needed her to send some money on her behalf,
and she couldn't do it because her phone was busted. So, of course, loving mother.
Yeah, I'll help my daughter out.
Some brutal.
Thought she was just being independent, didn't want to call me to verify.
Next thing, you know, $4,200 is on its way in Montenegro.
Apparently the police have tracked it to Montenegro.
And like we're talking about a tiny, tiny WhatsApp call.
Like pretty, like as far as like checks and balances go,
like would have been pretty easy to see through it.
If she'd looked at the contacts,
phone number,
she would have noticed that the area code was definitely not something that Michaela would have
or my wife would have.
The, yeah, anyway.
So you think about that level of sophistication,
probably being more successful than you would imagine.
Like it might seem like something that you would immediately identify as fraud and the scam.
Imagine if you were looking at your son on Zoom who was saying,
Hey, Mom, like, I need you to wire $6,000 to pay my rent to this woman because my bank account's been hacked and I can't have access to my money and I'll pay you back in 12 days, et cetera, et cetera.
Imagine what's about to start happening.
Totally.
Like on a recreational level.
Like the corporate sophistication side will kick in and there'll become tons of policies and checks and balances.
But if you start thinking about applying this technology to everyday people and boomers who love their kids, that's a billion dollar industry right there.
Yeah.
I remember about a year ago, we did an episode on pig butchering scams, which are basically what happened to your in-laws.
And that sucks.
And I hope they're kind of okay.
Yep.
And so much of that is about exploiting the emotional vulnerability that emerges when a person is concerned about a loved one.
Totally.
You need that emotional hook.
And it is bizarre to say, but there are emotional vulnerabilities in a corporate context.
The desire of a person to not mess up in front of their peers, to not suffer embarrassment in a potentially ruthless corporate culture.
It's not the same.
as concern about a loved one, but it is the same kind of identification of an emotional vulnerability
and setting up a lot of work to exploit that emotional vulnerability to catastrophic ends.
It's the same basic kind of like the social engineering is conspicuously similar.
I'm just like I'm just to keep running through this in my head about like if you got a
FaceTime call from your mother.
Totally.
And she's like and she's like your father's in the hospital and blah, blah, blah.
I need you to do this, blah, blah, but like, can you like, eh, eh.
Yeah.
It's just, it's going to be insane unless they can figure out how to stop that stuff.
Because like, like we were talking with our in-laws about how like there needs to be a, like, if anybody's asking for money, if you're about to send money, you have to at least speak to somebody on the phone, which is still very fakable.
But imagine if you had a FaceTime call and you could see your daughter and she was like, or your mother or your mother or your.
your son or whatever, somebody in your family.
And they were just like, yeah, I need this thing.
Well, Blok, can you help me?
Of course.
It's going to be, yeah, I don't know.
I'm hoping this is another thing that's going to need a technological solution.
Like, WhatsApp phone calls.
Like, it seems to me, like, every messaging service that I have an account on,
I get flooded with garbage, including, like, PlayStation Network.
Like, I'm constantly getting scams from everywhere.
and just deleting and banning and blocking and reporting.
Pretty much every time I log into a messaging service,
I have to report and block at least one account.
So they're going to need to get better at identifying that stuff,
and that's probably going to be an AI solution.
I would assume that they're going to need.
Just like we dealt with email spam,
we're going to have to start dealing with messenger spam.
It's tough because like so much,
so many of the genuinely good solutions that center around, okay,
if someone calls you with an urgent reason that you need to send money,
hang up and call the person back.
Don't hit reply, but call the phone number.
Like these really basic things.
But those are, that's not really how we interact.
Your coworker calls you up on Zoom.
A family member calls you up.
Sorry, just one second, let me hang up on you and call you back.
It's like it's a really unintuitive thing to do.
It's smart.
It's good personal security.
But it is not intuitive to how we.
we communicate with the people that we know in our lives.
So if you can, if a person can get past that filter where you're just, you think you're
talking to the person you think you're talking about those kinds of personal security
policies, call them are really, really hard to lean on.
And I think that, yeah, software and software level stuff to sort of back you up a little bit.
You're like, hey, this person's video looks a little weird.
hey, we've done a little bit of work to figure out that we think this phone number is being spoofed.
Yeah.
I don't know what those technical solutions are, but it's like we got we got to give people a little
bit of backup in these situations because the thing that we asked them to do is really unintuitive,
uh, socially, I guess you could say.
The other issues, and we talked about this in the pig butchering one, this applies here.
Like these people got away with 25 million and one hack.
And it's like, totally.
Can you imagine what the global market value for scamming is?
Just given how many people are employed and are human trafficked and are, et cetera, et cetera, across the globe to become scammers and to execute scams.
Like it's got to be billions of dollars, organized crime.
And it's, yeah, I don't know.
But humans, expecting humans to be smart enough to identify it, I don't think is going to be the answer here.
You know, we've had that problem with passwords for, you know, since passwords existed.
go listen to a problem with passwords.
I think it was like episode three.
Yeah, it's an early one.
But yeah, so I think that the technical platforms and the solutions,
they're going to need to do something.
Actually, you know, I think we have that contacted Interpol.
If we're going to have a conversation with them about something,
I think scamming would be an amazing episode.
Yeah.
Talk about the global size and scale of scamming.
For sure.
There's a story that we're going to be looking into relatively soon.
It concerns, for lack of a better term, the Chinese mob and a 200,000.
person, a scam factory operation that has been likened by experts to modern day slavery.
And it gives you a pretty gnarly sense of the scale of what is behind a lot of these things.
It's like, we don't, we really don't know who's making these calls.
And in a lot of cases, it doesn't look like what you think it looks like.
Yeah.
Speaking of like weird pop culture scammy references, like they're making their way into like
Hollywood cinema now.
In the recent episode of True Detective, one of the police officers, I don't know,
of, do you saw the new episode, our new series season, didn't you?
I did, yeah.
Yes.
Now I remember what you're talking about.
So one of the police officers in Alaska, it was Alaska, right?
Yeah, Alaska.
He was sending money and stuff and paid for a plane ticket and all this things for some
woman that he was what'sapping with.
And she never showed up.
And he'd sent her money.
And I was like, oh, Hollywood's catching up on this trend.
Like they're into, you know, the love scams.
things. So it was just good to see in pop culture.
For sure. Make it a little bit more known to people that these are going on.
Yeah. It's so common that if you want to make a character seem relatable, you have them
fall for a giant internet grip. Exactly. Exactly. Five figure penalty. Yeah. But you know what's not
causing trouble, Scott? Toothbrushes? Three million of them. This is what we'll keep this one real
quick because it's more just to like it's a bizarre one. So there's this it's sort of a one said the other
sad thing between a Swiss newspaper and a security firm. So Argauer Z-Tung, a Swiss newspaper,
publishes this very sensational story about three million internet connected toothbrushes being hacked
and used to do cyber attacks, kind of a DDoS story. And the report claims that the attack caused a
website to go down for four hours, resulting in millions.
of dollars and damages. And the story was sourced from cybersecurity firm Fortinet and was
widely circulated and republished by global news outlets. The story goes very, very viral.
It's remarkable. Three million internet connected toothbrushes. It paints this picture of a very
mundane technology being used for very malicious purposes. Great story. Unfortunately, cybersecurity experts
quickly challenged the report. Foundationally,
a lack of evidence, but really just sort of the implausibility of the whole thing, Marai Botnet,
which one of the largest botnets ever at its peak infected 650,000 devices, far fewer than the
three million toothbrushes claimed. So what, like, what happened here? A lie went viral. Like,
what's the story? Or falsehood, rather. And at this stage, it's kind of come down to a disagreement
between Fortinet and Our Garrow Zetone.
Fordenet issues a clarification, stating that the story was a result of a misinterpretation
and translation issues, leading to a mix-up of a hypothetical situation and an actual situation.
Fortinette says, we put out this hypothetical, this Swiss newspaper mistranslated it, and then
published that to the world.
Our Gar-Z-Tung, the Swiss newspaper, responds, maintaining that Fortinnet provided
detailed information about the attack and had reviewed the article before publication.
And at this point, a lot of people read this story about a three million toothbrush botnet
did not read the corrections and the responsibility for this giant misinformation explosion
is still contested between the newspaper and Fortnite.
But what we did get out of it is a whole bunch of memes, a whole bunch of fun chatter about
misinformation in the cybersecurity space.
So that was fascinating to read, just how quickly a mistranslation or a misrepresentation turned into a viral story that just burst out into the world.
The thing that I'm Googling in the background here is, does somebody make an internet connected toothbrush?
Right?
Like, is that a real thing?
Does it exist and why?
What's that?
What is it for?
Why do you need the, I love internet connected stuff.
I spend so much of my time on the internet,
why do you need a toothbrush
to be internet connected?
Yeah, apparently there is one.
Or multiple.
So I am...
Oh, yeah, sorry, answer to that.
Yes, there are.
There are internet connected toothbrushes.
Crazy.
Bizar.
Crazy.
I'm...
I'm...
I'm reading about a toothbrush right now.
The 3D maps your teeth
and tells you when you've missed places.
Like, that sounds amazing.
Maybe when I'm missing in my life.
Oh, no.
Is it internet connected toothbrush?
Maybe that will bring it all together.
What if this was, oh, dang, what if this was a viral ad for internet connected toothbrushes?
Dude.
You might be on to something.
I wouldn't, I would be in a sense furious and in another sense, deeply impressed.
Yeah, I'd be mostly impressed.
I think I'd be mostly impressed.
I think I might buy that toothbrush.
I'm like you are half as good at making toothbrushes as you are promoting them.
Sold.
We just unwillingly promoted a toothbrush that does 3D mapping of your teeth and tells you when you miss spots till like 100,000 people.
So if this was a marketing campaign, add that to your KPI, congratulations. You did it.
In an attempt at covering a story about misinformation in the tech and security space, we have inadvertently participated in it.
Oh, man.
Last thing I want to talk with you about
because this goes back to an idea
that we've wanted to make something about
for a long time.
Concerns the identity of one Satoshi Nakamoto.
In this past week,
the crypto open patent alliance
and self-claimed
Satoshi Nakamoto, a man named Craig Wright,
will be presenting their closing statements
and a trial in a sense determining
if Wright is Satoshi.
There's been a really fascinating court case to be following.
The justice in the trial guy named James Miller has not said whether or not a decision is going to be coming out at the end of this.
But the sort of outcome of this case that Copa, this patent alliance is bringing against Wright, could have huge implications on a bunch of other ongoing cases that center around Wright's claim that he is the creator of Bitcoin.
I'm not sure that anyone
to require, anyone listening to this requires
a rundown of who Satoshi Nakamoto is.
What do you think about that?
No, I don't think so.
I think we could summarize into saying
Satoshi Nakamoto was on internet forums
and is believed to be the creator of blockchain
and the Bitcoin, the Bitcoin.
The interesting, like to me it seems,
to me it seems, my opinion is,
I'm trying to think of good ways to present this,
This is being done for clout.
I don't know how much of the database rights, trademark stuff, patent issues there's going to be.
I'm not sure what value.
He's going to get out of it if he wins.
Because a lot of his stuff was shared publicly.
It's open source technology, et cetera, et cetera.
It's mostly just being done for, hey, I'm.
the guy seems like to me.
The other thing I will say is that, like, if you are Satoshi Nakamoto accessing the initial
wallets and blockchain pieces that you use to create the coin and accessing all of the money,
i.e. Bitcoin that are sitting in Satoshi Nakamoto's accounts should probably be the number
one piece of proof to prove that you're them.
Just saying?
Like if you can sit down in court and log into the origin wallet and move some Bitcoin around,
I'm sure people will then believe you.
Yes.
It does seem like there would be a pretty easy set of ways to prove that you were Satoshi Nakamoto.
So to add a little bit to that, Craig Wright, Australian computer scientist,
has claimed since 2016 that he is Satoshi Nakamoto.
So beyond clout, which is certainly, that's a reasonable supposition, right is engaged in a series of copyright events that he is sort of embarked upon with the sort of presumption that he is Nakamoto.
He is suing people as Nakamoto, the synonymous creator of Bitcoin.
This lawsuit from Kopa against him is essentially attempting to.
set a precedent that he is not.
They're arguing this case,
trying to make the argument that he is not Satoshi Nakamoto
so that in future cases in the UK, you know, high court,
he can't start from that presumption.
That's really what this is interrogating.
If Wright wins,
those other legal exchanges he's in the middle of
against Coinbase, Crocken,
a bunch of other,
Blockstream.
Cryptocurrency platforms and Blockstream is a real leg up if he wins this one.
And it's a real setback if he doesn't.
Yeah.
His case, I'm stammery because we're talking about an actively unfolding court case concerning litigious participants.
But the case he's made so far has been interesting to say the least.
He had his sister on the stand who tells us.
story from, I think he was 18 or 19, and she saw him dressed up as a ninja so that when she
heard the name Satoshi Nakamoto, she put two and two together and thought, surely, that must be
my Australian brother, Craig Wright, because she saw him in a ninja outfit one time. It is a series
of strange anecdotal defenses to this claim that he is Nakamoto, that to me, from everyone
around, I'm like, oh, man, I feel like there's a really short distance to you proving this.
And it's just you crack it open those wallets and moving some stuff around.
But so far that hasn't happened yet.
Big news for you, Jordan.
When I was a child, my brother and I used to dress up as ninjas all the time, actually.
So new announcement, I am Satoshi Nakamoto.
We're on here first.
We're on episode 87.
And my hope is that the way this podcast is like, I don't want it to end.
I really enjoy making it.
But my hope is the way it ends is that on episode 100, you prove that after all of the
crypto shit talking, you were Satoshi Nakamoto.
That's the last episode.
We're done.
That would be the perfect way for this to all wrap up.
Could you imagine?
There's some untold backstories here.
Jordan and I, in our brief, hacked was becoming a TV show, period.
pitched an entire idea called solving Satoshi or seeking Satoshi.
It's been so long.
It was solving.
And we were going to make an entire docudrama series about looking for the real Satoshi
Nakamoto.
So we would have met Craig Wright if we had the opportunity to make that show.
And since somebody else has made that show.
That's true.
That's true.
I would honestly, like, I'm not.
I would honestly really love to interview Craig.
Right. I would be fascinated to hear the story from him because I'm not sitting in a courtroom. I'm not listening to. I mean, I'm not reading transcripts. I'm reading secondary coverage. I would love to understand, you know, that argument in those claims. But it has been a bizarre. I think even people firmly in his camp would agree. This court case has been extremely odd. And maybe the case was not made as well as it could have been. But it is a fascinating one.
He is more than welcome to drop us a note.
Love to have him on the show.
Love to chat about it.
Maybe we could dress up his ninjas and do a video stream.
It would be great.
The, yeah, I don't, I think it's an interesting.
The thing for me is that if you're going to build something like blockchain and Bitcoin, chances are you've put an Easter egg in it somewhere.
like no developers immune from putting an Easter egg in things, which we see all the time.
If you just Google any piece of software and the term Easter egg, you'll find Easter eggs laden in pieces of software.
I can't remember which Microsoft product it was, but it had a Microsoft Flight Simulator was an Easter Egg inside of it.
So you could like go and do a special menu, put some key commands, and boom, you were like in Microsoft Flight Simulator, which to me is just amazing.
that reps.
So there has to be some fingerprints on the software and Easter eggs that only the creators would know about.
Granted, like we're fighting over white papers and things like that, which is less sophisticated and less potential for that.
But yeah, I don't know.
Even wherever the origin code is, having the original pieces of code and the original proof of concept for it, like that stuff has to exist.
And if you have that, then that would probably strengthen your case too.
So, yeah, it's an interesting claim.
I don't think that my personal opinion is that I don't think that we will ever have,
even if somebody, even if Craig Wright is Satoshi Nakamoto,
I don't think any court will ever rule that they are as it will likely be unprovable.
So unless some definitive evidence shows up like you log into the origin.
wallet. I don't think, I think everybody's S-O-L. So. Yeah. And as much as I love crypto, I would prefer it be
open source. That's why you invented it. I invented it and gave it to the people. You're all
welcome. Congratulations on your speculative gains. I hope you enjoy all your free money that you've
generated out of nowhere.
Well, this was fun.
We haven't done one of these in a minute.
Thanks for going on a tour of our Canada cybercrime and tech gripes with us.
That was a lot of fun.
Hong Kong heists.
Thanks again for listening.
This was a fun one.
And yeah, we'll catch you in the next one.
Take care, everybody.