Hacked - The $1.5 Billion Crypto Heist & Vibe Coding Beats Big Tech Interviews
Episode Date: March 16, 2025
Transcript
As all of you are aware, well, about two hours ago, Bybit experienced a hack on our Ethereum cold wallet.
So this particular record gets broken pretty often.
But as it stands right now, this is the story of the biggest crypto heist of all time.
The hackers have managed to hack the UI of all of the signers' computers, so that although we saw it was the correct URL of the Safe wallet, maybe it was not.
Or it could be, I'm just saying all the possibilities, I'm not accusing anything.
It could be that the safe server was hacked, so it was sending this, but we don't know.
That was the voice of Ben Zhou, CEO of Bybit, almost immediately, I think like a couple of hours, after discovering that his company had become the victim of this record-setting hack.
In late February 2025, Bybit, a major cryptocurrency exchange, suffered a devastating breach, losing nearly $1.5 billion U.S. dollars in Ethereum.
Dund-da-da.
Dund-da.
After I signed, 30 minutes later, then we got the emergency call that our cold Ethereum wallet is drained.
To execute a heist of this scale, the attackers exploited both software and people using
something called a Trojan transaction.
And in all of the confusion that followed, analysts quickly traced stolen crypto across multiple
blockchain networks with early signs pointing to a very well-known group with a history of state-sponsored
cybercrime: North Korea's Lazarus Group, and their ongoing TraderTraitor program.
The impact rippled across crypto markets. Markets were already rippling for a bunch of other reasons.
And the hack raises questions, not just for Bybit. How did the attackers infiltrate a security layer, this cold wallet system that's supposedly pretty trusted?
Could this happen again?
And will more nation state hackers increasingly turn to cryptocurrency theft as like a geopolitical
weapon?
So the maximum damage that we have witnessed currently so far is the total amount of
around 401,000 Ethereum that's been hacked.
This is the affected amount.
We've got a lot of stories to get to.
Vibe coding has entered the lexicon since our last episode.
Big vibe coder.
Huge vibe coder.
Big vibe coder over here.
But first, I think we unpack what seems to have happened here in the Bybit hack, what might be the largest crypto heist of all time and another escalation in state-sponsored cyber heists, here on Hacked.
Hey, Jordan.
How you doing?
I'm doing good, Scott.
How you doing?
Pretty good.
It's vibing out.
You're vibe-coding.
Famously, you're vibe coding a lot.
I have fallen in love with vibe coding.
You actually have.
This is not a bit.
We can talk about that in a bit.
But I think right now we should talk about the show's presenting sponsor, Push Security.
Push Security.
Hacked is brought to you by Push Security.
They keep you safe in the browser.
They keep your identities locked down.
We're going to talk about them a little later in the show.
But Hacked is brought to you by Push Security.
Vibe coding.
I can't wait to talk about it, honestly.
We have a good story about vibe coding.
We're not just talking about that concept.
And we're going to save saying that word one more time for that section of the show.
Because right now we have a crypto heist to talk about.
This one was fascinating.
Like, there's a lot of these.
And there's a lot of state-sponsored cybercrime.
And then every so often one comes along that's just one heck of a fire show.
It's big.
It's technically really complicated.
It's quite murky what's happened.
But the CEO came out and spoke publicly.
And there's been a bunch of blockchain forensics that's already taken place. So in a pretty rapid, like a pretty compressed period of time, we got a really good sense of what had happened in this heist. And it's just colossal. $1.5 billion.
I've been employing a heist scale for a few years, the Ocean's 11 system, the 2001 Ocean's 11 starring George Clooney. They stole $160 million US dollars. So this is the better part of 10 Ocean's 11s.
Okay. Well, here, here's where I go with it.
Okay.
North Korea has an annual GDP of about $23 billion.
Oh, that's pretty good.
That's a good one.
When a state-sponsored hack happens and they steal $1.5 billion, that's big.
That's about 6% of their national GDP, which is huge.
Yeah.
Just to put that into context, if you were to steal 6% of the United States of America's GDP, which is $27.8 trillion.
Okay.
That would be $1.6 trillion.
Yeah, sure.
That's a huge chunk of the, like, well, currently the national deficit for the United States.
Yeah, sure.
And it's quite, it's like it's very technically sophisticated, what they've done here.
There's social engineering.
There's technical stuff going on.
But you made a billion and a half dollars doing it.
Like, anything is efficient if it makes you a billion and a half dollars.
That's what makes this a fascinating story.
Learning lots about your inner morals.
I didn't say good, I said efficient.
Unless you started with $1.7 billion,
anything that gets you up to $1.6 was certainly efficient,
especially when it was probably a bunch of people in a room.
Okay.
So let's start.
I'm going to start really high level, because it took me a while to wrap my brain around my understanding of what occurred here.
The big story compressed down,
their goal was to get a piece of malware called Plot Twist onto the system of someone at the cold wallet company that Bybit used.
This was a supply chain attack with many, many other steps, but it was fundamentally a supply chain attack.
So, whoo boy.
Bybit's Ethereum cold wallet was considered secure due to being offline and protected by this multi-signature authorization system: multiple different parties had to approve transactions.
It's not connected to the internet most of the time.
This is safe, right?
It's called Safe.
Exactly.
We're going to get to, yeah, Safe wallet.
The company is Safe, and then in brackets, Wallet.
So you can hear us say Safe wallet.
It's kind of confusing, because are we talking about a cold wallet?
Yes, we are, but the specific brand of cold wallet is Safe wallet.
On February 21st, 2025, during a routine transfer from Bybit's cold wallet to its operational hot wallet, which is connected to the internet, hackers activated malicious code injected into Safe wallet's interface.
They performed this thing called a Trojan transaction, which manipulates the transaction data displayed to Bybit's signers, showing this is a real, legitimate transfer, everything's all good, while secretly executing this hidden malicious, like, set of instructions to transfer it elsewhere, to the thieves, essentially.
As we heard a little bit in the intro,
the CEO Ben Zhou confirmed he was the last person to sign, using a Ledger hardware wallet.
He noted that there were some limitations on this.
There's a lot of code that gets churned up.
It's this sort of big flurry of a moment,
and there weren't really clear transaction details.
They executed this hidden contract upgrade.
They swapped the two wallets, and approximately 401,000 Ethereum, $1.46 billion, was transferred from Bybit's wallet to the hacker-controlled addresses within moments.
There were no cryptographic weaknesses here.
The vulnerability was through manipulated user interfaces on people's screens and a compromised, like, human trust, social engineering moment.
So we're digging into the tech side of it now a little bit here.
You want me to or are you going to dig into it?
I've got, I want to lob my understanding of it at you and see if it checks out with what you're understanding.
So the attackers targeted a software developer working for Safe wallet, the company, the multi-signature wallet platform used by Bybit for cold storage. They describe themselves on their website. I checked. This is still up. The most trusted decentralized custody protocol and collective asset management platform.
Cold wallet, for anyone that doesn't know, is an offline storage solution for cryptocurrency.
It's disconnected from the internet. And what happened is the Safe wallet developer downloaded a fake version of an application called Docker. Docker's a piece of software that lets you, like, package software stuff up. It's a virtualization thing. We virtually get.
It's not interesting to this.
They downloaded a fake version of it.
And that fake version contained a piece of malware called Plot Twist.
The whole goal of this was to get Plot Twist into the Safe wallet system.
And it granted the attackers this persistent remote access to the developer's computer.
They were running a Mac and now the hacker had access into the system.
The way they did this, the way they got this dev to click on this funky link was a social engineering tactic.
We've talked about it before.
Apparently, it's been formalized in North Korea's, like, Lazarus Group ecosystem.
It's called their TraderTraitor program.
It's dubbed that by law enforcement in the West.
And it's basically, I know, right?
Law enforcement deserves a commendation for that.
They are quite good at naming things.
We've talked about this before, but it's always like blazing stallion eagle front force.
All TraderTraitor basically is, is you pose as a tech recruiter, like a blockchain project coordinator.
You pose as someone with a big implied bucket of cash behind you,
and you just start a conversation with someone.
You get them invested in the whole situation,
and then you send a thing over.
They use that to steal AWS tokens and credentials, enabling them to access the Safe wallet backend and get these malicious Plot Twist scripts running on the system.
So the way we figured this all out so quickly,
and I find this fascinating,
I was trying to get him on the show for this episode
and couldn't make it happen in time.
It starts with a character named ZachXBT.
He's this renowned crypto investigator.
He describes himself as a former rug pull victim turned forensics, kind of anonymous person on the internet who digs into these things.
So he's got a chip on his shoulder and he's going after it?
100%.
That's totally a really cool character.
Really want to talk to him for the show.
He meticulously traced the stolen Ethereum across wallets and blockchain networks and figured out, based on some preliminary test transactions, that this was all linked to some wallets that had previously been used in Lazarus Group operations.
That was confirmed by Arkham Intelligence, which is like a blockchain analytics firm,
that was then confirmed publicly by the FBI, who stated in an announcement, this is part of that TraderTraitor operation.
Be aware that this is happening.
A lot of job offers aren't real.
They're apparently state-sponsored hackers, and that's what occurred here.
Bringing us to Lazarus Group, also known, speaking of names, as Guardians of Peace, or Hidden Cobra.
Hidden Cobra.
Hidden Cobra.
Hidden Cobra.
Seemed to be.
Yeah.
There's layers to this thing.
They are widely, widely thought to be operated by the North Korean government.
They've been active since 2009.
They've been implicated in a bunch of hacks we've talked about in the show.
The 2014 Sony hack, the SWIFT banking attacks, countless cryptocurrency heists.
We talked about the Ronin Network hack in 2022.
They've been around for a long, long time.
All evidence would point to them.
There's a bunch of stuff about how they laundered the funds, something called peel chaining, which involves essentially, just like, imagine a firework going off, where suddenly an initial lump sum is divided into thousands of intermediary wallets, and it immediately becomes, you're trying to track the analytics across these, which makes what Zach was able to do pretty remarkable.
But the next major thing in the hours immediately following,
as we discussed in the intro,
Bybit's CEO Ben Zhou immediately acknowledges the breach publicly, says that they have enough, kind of, capital to be able to honor everyone's investments in the platform.
They hadn't locked down some kind of withdrawals.
It's sort of been locked down,
but generally speaking,
people could get their money out.
So this wasn't a real run-on-the-bank situation
as a time of recording.
It seems like everyone's stuff is okay.
They immediately secured a bridge loan of 80% of lost Ethereum
to stabilize the reserves and get everything to be okay.
It's quite the loan.
But here's the question.
Do they get a bridge loan in real money or do they get a bridge loan in a fuel loan?
That's actually a really, really good question.
Yeah.
I don't know.
Like, do they go to a real bank, borrow some real money,
and go on the internet and buy Ethereum with it to be like,
and we filled the tank back up.
Yeah, sure.
And by that point, had Lazarus Group turned the Ethereum into fiat capital from someone?
Yeah, yeah, yeah.
Were they buying their own stolen money back?
Yeah, in a weird way.
Was there some Swiss bank somewhere acting as the head-eating tail of the ouroboros that is this financial crime?
It's a cool question.
I don't think we know the answer to it yet.
They offered a 10% bounty of $140 million U.S. dollars for recovery information.
I sure hope ZachXBT got that bag.
And the reason they are not replying to emails right now is they're spending it.
Yeah, good for them.
You know, what an arc, from rug pull victim.
To wealthy investigator.
Exactly.
Online personality and investigator, and now retiree.
That's kind of the Bybit story as of right now.
We've got the better part of $1.5 billion vanished into the nebulous underworld that is
cryptocurrency laundering with seemingly a state-sponsored group behind it.
Is my understanding of what occurred copacetic with yours, Scott?
Yeah.
The thing for me is, like, the beauty of the hack, for lack of better words, is the fact that they had access.
They probably saw the back end of the system.
Then they got to work creating the Trojan, waiting for the one day.
They probably even identified the victim that they wanted.
So it would have had to have been very specific, like trigger points.
Like it needs to be from these wallets because they have the balance that we're going after.
Like, this is the Moby Dick.
And it's like they waited for it.
And yeah, just a few little JavaScript injections. Everybody hits the go button to do something that's, like, a standard part of their business operations, and all of the trust checkmarks in the back end that need to be met for the transaction to occur, and then they just hijack that transaction and turn it into their own. It's kind of beautiful, but also devastating.
And the people that I feel the worst for in this story is the developers at Safe, because it's like, I feel like this could be crippling to their business.
And it sounds like they make a very well thought out tool to do what they're trying to do.
And they've spent a lot of time considering things.
And then for something like this to happen.
Completely.
It's brutal for them.
Like they're the people that I feel worst for in this entire operation.
Yeah.
There have been a few stories like this.
Supply chain attacks always reveal weak links.
And increasingly, with these very elaborate cold wallet, hot wallet,
multi-signatory systems that should be really, really complicated, because they are a very thin wall between people and billions of dollars, which is a pretty big carrot.
There is, somewhere in that system, there's just a person sitting at a computer.
And if you can get access to their computer, you essentially have imbued yourself with all of the authority that they have over that wildly important set of transactions.
Yeah.
This wasn't, it's like, it wasn't someone at Bybit.
It wasn't someone with the billions of dollars of cryptocurrency.
It was just a person that had the right, like, dev access into this system.
Because they were just doing their job, and just the right bit of social engineering on the wrong day, and you click on that one file, and suddenly this giant thing has been set in motion. It's kind of humbling in a weird way.
Yeah. Yeah. Fascinating. There's an interesting tech side of this, because, like, all of the new development tools, like almost everything, is written in open source. We're using Docker. So Docker is a virtualization container. So you can set up, like, essentially a virtual computer that's really running a specific part of your application.
And then often those containers,
you're cloning them off of like Docker Hub.
So there's like a,
there's like a search engine full of pre-built versions of these things.
So like, oh, you need a Postgres like SQL server.
Download the one from Docker.
Yeah, it's just like there are templates.
And you can just go and grab them and they're like pre-set up
and pre-configured.
You don't have to like do anything.
The real question becomes how many of those templates
have state level malware injected in them.
Because that's where my mind goes.
Because I know that they have this issue too with, like, Visual Studio Code, which has probably become, in the history of, like, small IDEs for lightweight coding...
Like stuff like, you know, vibe coders like.
Sure.
We'll get to it.
Visual Studio Code is, like, by far the biggest, I'd say, small-scale IDE these days.
And if you're not using full Visual Studio, like if you're not building massive, big native applications, typically, like, most people are writing code in Visual Studio Code.
Okay.
It's extendable.
So there's a plugin interface
and you can download all these extensions
and it's a public plug-in market.
So how many of those plugins
have malware injected in them
that are giving people access to code bases
and copying API keys and auth credentials?
And, you know, this kind of links back to the identity attack conversations with Adam from a few weeks ago about, like, I don't know, the more access that, like, the more we're letting people, kind of, like... I see how corporations get to the point where they're like, you can't install anything on your computer, you can't run anything on your computer unless it's in an authorized list, because it's like, especially for developers, there's an expectation that you're going to move quickly, solve problems, you know, utilize tools that make you more efficient, like AIs or Docker templates or plugins and extensions in VS Code.
And it's like how many of those have potential security risks in them?
And the answer is they could have potential security risks in them.
The answer is like all of them could have potential security risks in them.
It's funny to think about, how do I put this?
I know folks who have jobs where the most catastrophic thing that could happen is not that catastrophic if someone got into their system. The worst thing that could happen is, like, a ransomware attack of a small, teeny, tiny little organization. And their computers are, like, military-grade locked down by some IT person there who was, like, just, you know, thumbtacks-on-corkboard conspiratorial. Like, I swear to God, nothing's getting in.
But that this could happen to a developer, like a human error, that this could happen to a developer whose system was, we learn, standing between a state-sponsored cybercrime group and a billion and a half dollars is, like, that's just fascinating. That's an interesting tension when I think about, like, the elementary school teacher whose computer is, like, a nuclear silo, requires two keys turned at the same time to turn it on kind of thing.
The human error is, like, it's the whole thing, I know, but it's, I don't even, like, what is the human error in this case?
You clicked on a funny link.
He clicked on a funky link that someone sent him.
Oh, did he?
Did he actually click on a link?
That's my understanding of it, was that he was sent a link.
So the TraderTraitor program, I don't know what the narrative, like, conceit was,
whether this was a recruitment or a blockchain product.
I don't know what the narrative was.
And they were like, hey, do a coding exercise in this Docker and then send it back to us
and through the execution of it, it installed the malware.
Yeah, he was sent something and ran it.
That's my understanding at this stage.
And again, this is like, we're like two weeks out.
So this is all pretty murky.
But my understanding was that they downloaded a fake Docker application and ran it.
And that's what happened.
So it was just a human, it was social engineering.
It was those people we saw at DefCon in the booth making the call.
Just a really well-spun lie.
Hey, we got a job at Anthropic coming up for $750,000 a year.
Are you interested?
I am.
Download this Docker and complete the three exercises in it and send it back to us.
LeetCode-style interview test.
Like, get in here.
Yeah.
Yeah.
Yeah.
You dangle a carrot in front of someone's face.
As they go for it.
It's human.
It's really natural.
I think I'm going to take a little bit of a distraction, as I do.
I will take a small deviation here to chase the thought that just jumped into my mind.
And when we look at this, this is going to be a commendation for the traditional financial sector, is what I'm about to say.
Because if we look at this ultra-techy, young, you know, like most people that are into crypto are, like, younger. Like, there's the crypto, like, bandwagoners, but the people that are, like, crypto people, they're often, like, tech-rooted, you know, very cyber smart, and they've somehow created an industry that is so rife with bank heists and theft.
But on the other side of that coin, the fiat currency world,
a world that I would look to is like a dinosaur and like, you know,
like crypto exists because the fiat world and the traditional banking sectors
are the greatest solution.
It's like VHS rental in a Netflix world.
Totally.
It's slow, it's costly.
Yeah.
Cumbersome.
I get it.
I get the desire to look for an alternative.
So maybe they just don't ever get reported, but, like, how many times can you think of, in the last 20 years of your life, that you've heard of a digital heist? Because money is numbers in a database table in the financial system, just as much as it is in the crypto system.
Yeah.
So it's like the crypto system, like this theft by the Lazarus Group for $1.5 billion is the single largest heist that they've apparently ever had.
But they're, I just had this stat up.
Yeah, last year alone, they only got $1.34 billion out of 47 other attacks.
So like when you look at it, like they did 47 of these things last year.
Like, I can't think of a single digital hijacking or digital heist from a traditional bank.
Anywhere in that sphere.
There's so much friction in those systems and so many redundancies. And, like, the thing that crypto does well is it bypasses a lot of really cumbersome, expensive, like, transfer protocols, basically. It's just, like, sending money internationally sucks. And there's just more efficient ways of being able to do it. But that friction is also a redundancy. It's like, if you were to manage to move the numbers in the computer around, there's just a lot more of a safety net for catching it before it gets anywhere.
Yeah.
Anyone who has ever had a credit card stolen knows this to be somewhat at least true.
There's redundancies.
There's backstops.
And those don't get lesser, the higher up you go.
The larger the sums of money, the stronger the redundancies are, because they don't want to piss off their big customers.
They'll, in some cases, swallow the cost, which is kind of what we're starting to see with things like Bybit. They're reaching that level of institutional, like, capital that they can kind of, like, eat it, create redundancies and safety nets that most people couldn't.
In this case, an unfathomably large loan and a $140 million bounty to find the sons of bitches responsible.
Like it's just different when you get to that scale.
Yeah.
Anyway, that just jumped into my mind.
Oh, it's fascinating.
We hear about that, like we've talked about this
for like five years straight now.
We talk about crypto heist because they're so common.
This one's amazing because it's so big.
Big and it's interesting.
Like, yeah.
It's like if we tried to make a single episode covering all of the digital bank heists in the traditional financial sector.
I think we'd be like, I haven't done any research on this. This is all just...
I know what you're saying.
But like they'd never make the news.
We never see them trending and headlining where it's like it seems like every day there's
another one about a crypto heist.
Yeah.
If we were to try and cover every crypto heist,
we would have to go to a daily news show.
We would have to become, like, The Daily Cybercrime.
And it would just be a churn.
And the story would always be the same.
And if we were to do one for every major traditional financial...
There's an interesting argument to be made that that sector, like the traditional finance sector, has matured to a point where the heist is now sort of just rent-seeking.
And like it's like it's baked into it.
It's like, no, the theft is taking place.
It just doesn't...
You just don't have to put on a bandit's mask anymore.
You can just make your cash in different ways.
But in any case...
I'm going to take one more digression, just as, you know, the protocol.
So you mentioned money transferring, which immediately triggered in my head an article that I read.
I think it was even this morning lying in bed.
And it was about Remitly.
Remitly.
Remitly.
You must have seen the TV ads for Remitly, or on, like, sports feeds.
Yeah, they're like a, last time I was surfing in Nicaragua, we ran into the Remitly promotional team, like, eating lunch at the restaurant we were in.
Sorry, God.
Yeah, they're like a, they're like one of those apps.
I was just crushing some waves.
And the guy asked me if I wanted to send money online conveniently across 100 different currencies.
Yes, exactly.
So this is not an ad for Remitly.
It's not.
But the, but the, that's funny.
But essentially they're one of those apps set up for, like, oh, you're a, you know, an immigrant to North America. You have, you make...
Oh, to send money.
Sure.
You send money home.
Like, they're set up to do that.
They charge, like, outrageous fees.
Like, it's something like 12% processing fees or something.
But anyway, so they're public, Remitly.
They're like the biggest.
And I read an article in investor news the other day. I can't remember who it was. Maybe it was Fortune Mag.
That a hedge fund has now taken out a $4 billion short position in them.
Because, and this is the best part, they did a reverse image search on all of their reviews for their app,
and it turns out that a majority of them are stock photos.
Oh, no.
So they're like, oh, these people are manufacturing positive sentiment in their reviews, which I'm sure happens in a number of companies.
And all of the other people that have real photos hate them and are complaining about it.
So they took a $4 billion short position against them.
Another random deviation.
But I thought just the way that they detected that maybe they should take the short position, by, like, writing a piece of code to go through and iterate and then do a reverse search against stock libraries to see how much of their reviews are faked, I thought was brilliant for, like, a small hedge fund. Validating that suspicion of being like, I'm pretty sure this product, it's like, I've looked at this product, it seems really bad. I think it's really bad. All these reviews seem to think it's positive. I've developed a theory. Even still, the risk tolerance of being like, a four billy, I'm going to put four bills on the line. We're pretty sure about this one, guys. Four billion. You've got to go on a real publicity tour telling people that that product sucks, because people could go a real long time without noticing that.
That's fascinating.
Well, then the beauty is, too, is, like, just the fact that it is such an interesting way to figure out that it maybe is not a great company. Like, I know that I think they had some major leadership leave too, which is also triggering it. But I imagine this is getting a lot of press because it's an interesting way to be like, you know, we're shorting this company because they're lying to you.
I just want to very briefly loop back to, we were talking about fiat heists versus crypto heists.
It's $1.5 billion.
You got the Razzlekhan and Dutch one in the billions.
All these multi-billion dollar crypto heists.
I looked up the largest fiat heist of 2024, the Easter Sunday heist, which occurred in the early morning hours of March 31st, 2024, just about a year ago to date.
They broke into a GardaWorld facility, which is like a private security firm.
Stole ATM transfers or something.
It was like 20 million bucks.
Yeah.
But here's the thing, is that still, that's not even a digital heist.
Like, what I was talking about is, like, right. There's been so many crypto digital heists occur. How many fiat digital heists?
Like, I know that I can, like, people can take a gun and go demand money.
Like, that happens.
And that has happened forever.
For eons.
Well, always has, always will.
But I take your point.
Moving the decimal in the computer, the social engineering hack, but for dollars and cents.
Like.
Like, when is like, like, if we consider, like, all of the major crypto exchanges and companies that have fallen, like, show me the equivalent in Wells Fargo.
Show me the equivalent in, you know, Hong Kong bank.
Like, show me, like, all of the massive banking institutions.
You just don't see them.
No.
So it's like an interesting, anyway, we can go to the ad oasis.
But I just found it, if people were spending so much time stealing crypto, like, what if they spent all that time stealing digital currency, or, like, digital fiat?
Seems a lot harder.
Seems.
We should probably tell folks about who the show is brought to them by.
We should.
I think it's brought to them by Push Security.
Yeah, push.
The guys that push are great.
They're fantastic.
We're fantastic.
We like a great product.
We like working with them.
We like telling folks about them.
It's not every day that something comes along where I'm like,
damn, I should have thought of that.
How did I not think of that?
And this is one of those products.
Push security is 100% one of those products.
The problem they're tackling is identity attacks.
You know, we talked about it a little bit early in the episode,
phishing, credential stuffing, session hijacking, account takeover,
basically the number one cause of breaches right now.
And their approach, well, it's pretty interesting.
Instead of trying to lock down everything at the infrastructure level,
they start where people actually work, which is inside of the browser.
They built a browser extension that observes employees as they create corporate identities and log into their work apps, which, when you think about it, makes a heap of sense.
And because they've got that visibility,
they can see exactly how the identities are being used.
You know, are people using stolen credentials?
Are they reusing passwords across them?
Have they figured out ways to bypass and skip multi-factor authentication?
Are they using a local account when they should be using the single sign-on authority?
And the kicker is when they do find all those vulnerabilities,
they can automatically enforce controls all right there, right in the browser.
But it's not all just about protecting identities, Push are monitoring them too, in real time, for attacks using adversary-in-the-middle toolkits, cloned login pages, which are becoming a big deal with AI because you can clone them very easily, stolen credentials and stolen session tokens.
It's endpoint detection and response, except all inside the browser.
The team, you know, obviously we had Adam on,
super sharp, killer research,
red team backgrounds.
They put out great research.
They're just smart, great people.
We respect them.
We respect their product.
And that's why they're our sponsors.
Sure. Push Security. It's a super smart approach. It's a really solid team. It's interesting research.
You should check them out. Go to pushsecurity.com to learn more.
Think about the last time you heard a breach story on this show. It always starts the same way.
Someone somewhere saw something too late. An alert buried, a signal missed, a SOC that just
couldn't keep up. Arctic Wolf set out to solve that problem by rebuilding security operations
from the ground up for a world where attackers are already using AI.
They created the Aurora Super Intelligence Platform,
a fully agentic system powered by the swarm of experts.
Instead of single-purpose bots or lucky-guess LLMs,
this swarm is full of deterministic agents
that handle whole entire workflows.
Humans stay in the loop and on the loop
to validate the critical decisions and keep everything trustworthy,
and all of this is just off running on their secure operations graph.
A constantly updating intelligence engine fueled by more than 9 trillion
telemetry events every week and over a decade of real-world incident response.
The system reasons on real signals and real context not synthetic training data.
And the result is the new Aurora Agent SOC.
It's the first SOC that is agent led by design.
You get agents that coordinate, agents that investigate, agents that respond at machine speed,
and hundreds more that automate the repetitive work that normally buries human analysts.
Arctic Wolf didn't try and bolt AI onto an old model.
They rebuilt the model entirely.
What makes it even more effective is how it works with Arctic Wolf's concierge experience.
The team brings customer-specific context directly into the platform so every AI-driven
decision reflects your environment instead of generic assumptions.
The automation frees your concierge security team to focus on higher value strategy and
proactive risk reductions while the agents handle the grind.
If you want to see what trustworthy, production-ready AI in security operations actually looks like,
go to arcticwolf.com/hacked.
Ever feel like cyber threats are evolving faster than anyone can keep up?
Last year, 2025 was nothing short of a record-breaking year for major breaches,
from sophisticated ransomware operators to AI-enabled attacks that turn defenses on their head.
Organizations around the world saw headlines they never expected,
and cybersecurity teams were tested like never before.
But here's the thing.
These incidents aren't just news headlines.
They're learning opportunities.
And that's why Arctic Wolf is hosting a live webinar on February 5th,
diving into the most impactful breaches of 2025. Their field CTO and security leaders are going to
unpack not just what happened, but why these attacks succeeded. And most importantly, what businesses
can do to fortify their defenses before it's too late. You're going to walk away with real insights
and how threat actors are evolving, how defenders are responding, and what strategies can help
you stay ahead of the next big breach. It's not fearmongering. It's practical, actionable,
intelligence from experts in the trenches. Register now at arcticwolf.com/hacked.
Are we vibing out yet?
I think we're vibing.
I think we're getting a vibe coding.
It's because of vibe coding.
So there's this clip where if everything is as it appears of a Columbia University representative
trying to decide whether a student built a piece of software to cheat on coursework
or just to cheat on job applications.
So when you mention that there are some classes at Columbia that do teach some foundational coding,
either courses or topics, could this software be used for those classes?
You're never going to be in a class where your data structure professor is on a one-on-one
Zoom with you, asks you to share your screen, and then watches you, like, code up,
like that. That's not a thing that at Columbia.
So, yeah, like, I guess it could work, I guess, but, I mean, the same way that if I made a new
browser, then the new browser could be used to Google Up questions.
Like, like, it would be just be such a roundabout, useless way of using the product.
But it could happen if a teacher did, like, choose to do that with a student or multiple students in the class?
In the case where you are in a one-on-one Zoom with your professor, and they ask you to share your screen to make sure that you're not looking at any solutions online, then, theoretically, yes, you could use a tool.
But, like, to be frank, it's my first time thinking about it being used like that.
Back up.
So there's this piece of software called LeetCode.
LeetCode is an online coding platform primarily used for preparing for, like, software engineering job interviews.
I have never had to use this piece of software, but I'm betting that both you and I, Scott, know people who have.
Oh, definitely.
I know a good friend of mine from Vancouver used it recently to prepare for job interviews.
There you go.
Big tech companies use LeetCode-style problems in their hiring processes.
It's like a standardized way to test coding skills.
And because of that, a lot of candidates find themselves like grinding through,
LeetCode prep as they go into these job applications.
It can be job prep.
It can be training.
But LeetCode is a big thing in that ecosystem.
I find it to be like a self-fulfilling prophecy.
Like when Google started doing this stuff, it was to see how you thought.
Like they would bring people in and give them abstract problems and be like, solve this.
And then they would literally watch you solve it.
And they would see how you like broke down the problem, looked at the potential solutions.
Like even if you didn't get it right, they got a good understanding of like how you would tackle a problem in the real world.
And now it's just turned into this ridiculous, like,
LSAT cram session for software engineers
where they just, like, have to be ready to answer all of these problems.
Like, write me the pseudo code for Towers of Hanoi.
You're like, okay, here it is.
Like, they know how to do it, like off the back of their hand.
Yeah.
It felt like, as I was reading and learning about it,
it felt like sort of the, like, historical realization
of this thing that started in the 90s.
Like, Microsoft had those famous brain teaser interview questions,
Totally.
And then you got Google in the 2000s with, like,
algorithmic whiteboarding questions.
Like essentially do math in front of us right now.
And it's just kind of kept evolving
and becoming more automated and more standardized.
And LeetCode is kind of the, like, ultimate expression of that.
The other thing I will say is like,
so the friend of mine that used this recently,
he would talk to me between his interviews
and I helped him do a little prep and stuff.
And it was like,
the interviews now are nuts.
Like he had full day interviews
Where he had to go in and write code
In front of the lead software engineers
Like on a like
Put him up on the screen
And like watch him write code
And use the IDE and stuff
And it's just like like
I don't know when like 24 hours worth of interview time
Became a thing but like
Unpaid interviews that are a day long
Yeah yeah sure
So
Yeah, so LeetCode, as I understand it,
if you were looking for certain jobs
in big, big tech,
that's typically
standing between you and the offer in terms of both training and testing.
And Roy Lee, the student in that first clip that we heard, does not like LeetCode.
Quote, it made me hate programming.
And he wasn't alone.
These comments are always anecdotal, but I sure found a lot of them that echoed that general
sentiment of just sort of exhaustion with this system.
Quote, LeetCode is literally tech companies telling you to spend months on something to make
their interview process cheaper.
Quote, LeetCode is the most useless way to test a dev.
99% of us will never use any of these algos in real life.
And the last one I'll say here,
oh man, they're mad that we're using their method of wasting our time right back at them.
That last one is foreshadowing.
The shade here on LeetCode does need to be taken with a grain of salt,
as we will see some of this.
There's a marketing component to this,
but it's still a really fascinating story.
So Roy is a sophomore at Columbia.
He's been grinding on LeetCode, prepping for these, like,
He's doing exactly what you're supposed to do.
I think he says he's put in like 600 hours into this process.
And he's just,
he's miserable going through this.
LeetCode has anti-cheat functionality in it,
basically saying, like, you just,
you can't ask ChatGPT to go do this for you.
Roy hits a wall.
And I'm speculating here,
but I think given what he's said about this story,
I think this has some validity.
I can imagine there's something profoundly demoralizing
about grinding for hundreds of
hours on these technical prep tests, when all you read about is about how AI is going to destroy
these jobs that you are currently applying for and have just trained for for the last four years
of your life.
To speak nothing of the fact that you know intellectually, the software can solve the thing that
it is asking you to do.
Is that good?
Is that bad?
I don't know.
I understand the idea that these companies want people who actually understand what is
occurring under the hood of this code.
You do not want a vibe coder in a $500,000 a year.
software engineer position.
They're all going to be vibe coders soon.
I know.
It's complicated.
It's weird.
So here's the thing for me.
Yeah.
It's like the origin of this was great.
When Microsoft is doing it, when Google was doing it, they were doing it to like filter
out people.
They wanted the smartest, the best, and the brightest.
And they were willing to pay for it.
They just wanted, they just needed to figure out a way to find those people.
And it's like they don't want people.
that studied this and can recall it from memory.
They want people that can understand it and figure it out.
So all this is done is, like, I kind of agree with this guy.
This is, like, the entire sentiment of where this began is ruined.
You've just turned this into a history exam.
It has nothing to do with, like, how you think anymore,
which is what the point of it was,
was like, we need people that can, like,
yeah, can take a big, big problem,
them, break it down into compartmentalized pieces, solve those pieces and solve the overall issue.
And it's like, that's gone.
And now it's like, these have structures.
Like, there's training systems that will walk you through 247 of these puzzles,
explaining to you exactly how to solve them in the optimal way.
And it's like, that's great training because you'll passively learn from that.
But at the same time, it's like, I don't know, the entire interview process to me is just kind of,
not as good as it used to be.
That one comment I read, and again, it's a YouTube comment.
It doesn't mean anything, but it seems apt.
LeetCode is literally tech companies telling you to spend months on something to make their interview process cheaper.
The efficiency of being like, well, if you just want us to know that you're kind of legit enough that we should look at you, spend hundreds of hours on this thing, K-bye.
It's like, oh, you can see why that's a bummer and why some people might butt their heads up against it.
and maybe why Roy made the call that he's about to make.
To me, I don't, like, to me, we're already asking that.
It's like, did you go to Stanford?
Did you go to Kansai?
It's like, yeah, but it's like you already spent thousands of hours on that training
regiment.
Like, what's another 500 hours into something else?
It's like it's just, it's essentially a certification.
Like, they may as well turn it into a certification process, like a little post-grad
professional program.
When you graduate with your bachelor's in computer science, you go
into this, you spend another 500 hours, and you get a certificate in, like, computer algorithms.
And it's like, here you go, you've passed. And now you don't even need to do any coding exams
at these places. They know you know how to do them. It's like they may as well just do that
with it. Like, they may as well just put it online. I'm, I'm not sure that they're going to be
able to, given what is about to occur. Because it seems as though the gamification of that
certification has been itself gamified. Roy decides to cook up a workaround. And instead of
continuing like the endless prep cycle. He built a piece of software he called
Interview Coder. This is what I was talking about earlier of the grain of salt, that there is a
little bit of like this is a marketing story for a piece of software, but I think it's pretty
interesting. It takes a photo of what is occurring on the screen during the interview,
runs that through a large language model that analyzes it, produces the correct result,
and then feeds it to you outside of whatever computer that you're doing it on that has the
anti-cheat stuff on it and allows you to just sort of see the correct answer.
on the very edge of your peripheral vision and answer it and copy it.
You can instantly process coding problems.
You can figure out the optimal solution to this question they've put in front of you.
And because it's sort of because of that way that it works,
it's operating undetected by this anti-cheat software that LeetCode uses.
He uses it, allegedly, on interviews with Amazon, Meta, TikTok,
passes every single interview.
this audio I'm about to play is from him, it seems,
completing an Amazon job interview
and getting a job offer from Amazon.
So what I would like you to do is to write me a data structure,
so it will be like a class,
which inside will do something with the data.
And the idea of this class is that it will literally find median.
So, there are two operations, add and get.
And he uploaded that to YouTube.
I actually had to do a little bit of a circuit to get that audio, because Amazon copyright-struck it, which is what makes me think it's real.
That is ripped from another upload under the name, handsome young Korean male hacks Amazon's interview process with AI re-uploaded.
I enjoy it. I enjoy the stuff. I enjoy that.
You know what the best thing is?
is like this is, I assume it's like the interview process will change and adapt and this will be,
this will be a flash in the pan. But like Roy's going to get a real job off right of this.
Roy might have a business out of this. He's turning $60 a month for this. Yeah, yeah, but it's going to
go away. Like I would assume, of course, the interview process will adapt unless he wants to stay,
like this is like game cheating, but for interviews, if you consider interviews a game. But like,
he saw a big problem, compartmentalized it, figured out a
solution, solved it, and was like, that is the whiteboard test.
Yeah, he gave his own whiteboard test. Yeah, exactly. Like Microsoft, like, you should hire this
person. Like the, uh, the aftermath of this was like, uh, didn't have that quality to it.
It wasn't like a round of applause. Flowers for the young man. Yeah, I'm sure not. It's like,
no, after it was crushing. Amazon rescinds the offer. Columbia got a formal complaint from
Amazon and had that disciplinary hearing. Uh, Roy,
dips.
He just, he leaves Columbia.
Handsome young Korean dips.
He was scheduled for a disciplinary hearing on March 11th.
I don't think he stuck around.
I won't be a quote,
I won't be on campus when Columbia wants to talk to me.
And at the heart of this is this kind of question of like,
is the game that he was,
is the system he was trying to game already obsolete by the time he tried to game it?
You kind of alluded to this earlier.
It was quote,
LLMs will make most human intelligence work obsolete in two years.
Why should I care?
I don't have time to work two years in a big tech job
or do I want to anymore?
Is that, are those timelines accurate?
I don't know, but I get the sense,
it's almost like a doomerism feeling of like,
all anyone is telling me,
none of these jobs will exist anymore.
The CEOs of these companies are telling us
that a lot of these jobs won't exist anymore.
What are we doing here?
The thing for me is like,
Yeah.
Right now,
yeah.
Senior software engineers,
people that can pass the whiteboard test off of just instinct,
are more valuable than anything.
Because it's all of the work that those people hate,
the boring fill in the blanks code,
these tools crush that.
But it's like, here's a problem,
let's make a solution.
And it's like the architecture,
the problem, the problem.
solving, the, okay, there's nothing out there that does this. We need to create a library
that does that. All of the senior stuff still exists. The juniors, like my biggest fear is,
like, we're going to age out. Like, the senior devs like me and, like, you know, people that
are in our generation are going to age out because, like, even if you're a 27-year-old grad
few years out and you've been using AI for the last three years to optimize your development,
like the point's going to come when like you're going to be the senior.
Right.
And you don't understand what's going on under the hood quite as well as you maybe need to.
The thing, the thing is though, is that like I will say like as somebody who's been vibe
coding as of recently, it isn't just letting the AI do stuff.
Like you still, like you're getting, you're transitively learning
so much. Like, so I, like Jordan knows this, but the listeners don't, but I've been
building, like, an open source app privately and I'm going to launch it whenever it's done.
The, uh, wanted to build something multi-platform, OS X, uh, Linux, uh, Windows. So I started using
Electron. You know, I talked about it with Adam. It's like kind of the, the heart and soul of
so many of these new Chromium, you know, bundled apps. And yeah, I'd never built
anything in it. And I started doing some buildup research, but the research is so much more
efficient when it's backed by AI. So instead of just Googling and reading API docs, I just have a
conversation with an AI. Eventually, you're like, hey, generate me some code. You realize that
there's problems in it right away. You learn more about the interface, the stack, the every part about
it. So I'm actually on V5 of this product that I'm building because over the first four
iterations, I was just learning.
And it's like, even though I was utilizing AI to do it, like for lots of things, research,
bullshit code, things like that.
But it's like, you just passively learn.
So it's like, I still think people are going to be, like, vibe coding is not just about,
like, going to the beach and doing nothing and having it write everything for you.
I think you actually do end up, like, as somebody that is a senior developer, it's really
great for me.
if I was a junior developer,
I don't know if I'd be learning as quick,
picking up the intricacies and the tiny details,
the efficacy's inside of the nuances.
So that's, I don't know,
I guess time will tell,
but man, oh man, is AI getting good at coding?
It's, for me, it's like a,
I wouldn't go as far as say I'm agnostic on the tech,
but the thing that concerns me
is the, like, dependency concept.
It's that when something pops off,
it's great that you were learning while you're doing this.
And I believe it.
It's not just type in a prompt and get a piece of software back out.
You're still developing software.
But it's when shit pops off and something doesn't quite work and it can't solve it.
Where is the actor in this situation that knows how to go in and solve things?
You are increasingly relying.
And I don't think that's in a lot of cases.
We rely on tools and technology all the time.
I'm not going to get into a big panic about that.
a lot of engineers use calculators, that's fine.
But I understand how it makes this transitory period of like, so what is it I'm applying
for?
What is the job here?
What does my career ladder look like when this technology is changing so rapidly?
And all of these threats are kind of in the ecosystem.
It's an odd moment.
And it all kind of gets expressed right here in this little story.
Well, the shot I'd throw back is like that.
that scenario where like AI can't figure it out.
I would actually contest that a bit because like when something goes wrong in code,
it's either a logical, like the logic has failed somewhere,
and there's nothing more logical than the AI compared to a human.
Like the AI wins that one, checkmark.
It's often, what it is is like some protocol changes or some API changes, and they just haven't, they publish a new, you know, API and it's like the old
calls don't work anymore. That's often what's breaking things. But like, but nowadays,
instead of me going to the API source and reading through their documentation, I can just ask an AI.
And it summarizes it instantly for me. It's like, oh, the version 1.4 changes. All the changes
made to this, you know, CRUD operation for this and boom, boom, boom, here's how the new context
needs to look for the call, would you like me to update it? Yes. Done. So it's like, I just don't know.
You don't foresee situations where the concept of overall, maybe that's it. The concept of
overreliance on this doesn't really concern you. No, the concept of overreliance is going to be
what kills the industry. I think we're saying the same thing. Yeah, yeah. That's the sort of,
Not threats, but that's the thing I'm alluding to.
The thing that I'm referencing when I talk about it now is like,
yeah, AI is good at here's the problem.
Big and wide.
I'm doing this on video to Jordan, and like compartmentalizing a
big problem and doing a bunch of small things.
Discrete steps.
It's really bad at that.
It can't go.
No, see, it can, but like you can't just go to a thing and be like,
make me this.
and then it, like, loses the context of it sometimes. Some of the new AIs are much better with context,
but like, it has a hard time solving a massive problem. Well, it's really good if you give it the
small boxes and you're like, hey, figure out, like, do this small thing, write me the function that
does this, make sure that it's type checking, it's error checking, error handling, it's doing all of these
things. It's great at that. But if you go to it and just type into, like, Clio or, not Clio,
Clio is the law software. Claude. Claude Opus. So you have to say it. If you just go to Claude
Opus and be like, yo, make me this app, it'll cough out a bunch of stuff that starts to get
confused halfway through. Like, it's not great. Like I've had it be like, this is the directory
structure that you want your app to have. And here are the
files that we're going to build. And then it will give me half of those files because it just
forgets about it halfway through. Like they're just, it's just not great. So you still need somebody
there to like put the pieces together. And the other thing I'll say is like if you ask it to do
something, it often takes the cheapest route. That's the thing that I've been finding with it.
is like, like, make me, like, do this, refactor this to be more like this.
It'll do it, but it'll leave off type checking, error handling.
So you have to go back through and be like, hey, you know, this looks like it's going to be
a security risk and allow for SQL injection.
It's like, oh, yeah, you're right.
And then it, like, is like, here's how we can fix that.
I'm like, well, great.
I wish you had done it.
But that, to me, feels like,
a feature, not a tool thing where it's like, it's just like we, we have acknowledged that
seven out of ten times a developer will ask some question about security redundancy.
So why don't we just bake that into the prompts?
Like, bake that into the back end of how this thing works.
And just over time, it's just going to solve those things.
When I started this chat, I said right now.
Sure.
There you go.
Because it's going to change.
It's going to be better.
Like I know there was another article that I was.
I stumbled on, I think it was also in Fortune, about how, like, the Anthropic CEO, the IBM
CEO, the Metas, they're all talking about how AI is supercharging their development teams because
it's, and I'll talk about that in a second because that's crazy. The state of AI IDEs, wild.
But yeah, it's just supercharging their teams and at the same time it's going to be replacing
like junior devs. Like they're just not going to need as many because when you can get a senior
developer who's got a 4x output to what's expected, like because he's been or they've been
supported by AI tools, it's crazy.
Like the industry is in for a rude, rude shock.
There's like this hard, hard tangent.
It was like a kind of Victor Turner who had this concept in sociology or anthropology or
something that liminality is the roots of like human discomfort.
When we find ourselves strung between two different well understood states, that's when we're uncomfortable.
It's the group of people that doesn't, you don't banish the person and you don't put them in the cage.
You make them live on the edge of the society.
You just kind of put them over there and that's what we don't like.
And it feels like we're living in this liminal moment where like we're not, we're not quite there yet.
We haven't quite gotten to whatever this is going to turn into.
But we're no longer in the world we just came from.
We're suspended in this point in the middle and it is, it's discomforting.
It's not a good feeling for a lot of people.
We're just in a new technical revolution.
We're in the middle of it.
We're right in the middle of it.
Where it's like we had this with computers.
We had this with cell phones.
Totally.
You know, the mobilization of the workforce, the mobilization of communication.
Like, do you remember, like, in your lifetime, you would have had like a house phone.
And like, when you went outside the house, you wouldn't have got a phone call.
Yeah.
I think about all.
100%.
Yeah.
All the things that I didn't do when.
I moved out. And that was like, it's like, okay, a transition had occurred. It had occurred in my
mind before it had occurred in the mind of my parents type thing. But I'm not going to get cable.
I'm not going to get a landline. I'm not going to do all these things.
Yeah, you're a millennial cord cutter. Exactly. The transition had happened when I had the brain
plasticity of a 16 year old and it was fine. But now I'm not and I don't and it isn't.
It's just different. Yeah. So this is just another one of those things. Like we, like I think we talked
about it before, but like the economic impact of like the mobilization of communication and instantaneous
communication. So like email replacing letter mail and fax machines, even fax machines, technological
revolution. All of a sudden we can send a letter across the world in four and a half
minutes instead of four weeks. Like that was like and this is the same thing. We're just further down
the whole of the technological revolution. It's like now we're at the point where it's like one of our
premier
you know
wizardry jobs
the software engineers
is oddly going to be
the first thing killed
by their own creation
sure
so it's like
yeah
what a time to be alive
Scott
what a time to be alive
but as somebody
who likes to build things
and doesn't like
bullshit
sure the minutia
it is
amazing
The last couple of weeks, like, I've been using VS Code, Visual Studio Code.
Yeah.
So I've been using some of their, like, extensions inside of VS Code.
And last night, I tried Cursor, which is like the, which is like a branch of Visual Studio Code that's been, like, injected with AI malware.
Like, it is entirely, no, no, I'm just like saying.
Oh, I see.
Like it's inside the heart of the system.
Like you're, it's not just visual studio code with like a chat.
Copy and pasting.
Yeah.
Yeah.
It's like, no, we've woven these things together at a foundational level.
Yeah.
So it's like, and I have to say, and this, like, this is not a paid ad for Cursor,
but it should be.
Holy fucking shit.
It's that big of a difference, huh?
It's like, it's reading.
your mind.
Like you'll import a library
into a file
and you'll like go to define
the con like to import like a value
and you go to use it and it'll be like
is this what you want to do?
And it'll just show you the code
of what you're about to write
and you just hit tab
and it's in your file
and you're like, holy fucking shit.
Like that's all I was like thinking.
Cool.
So immediately I set us up a corporate account
so all of our devs
have Cursor licenses.
Now, it's not cheap, but it's not expensive.
And for like the kind of optimization that that could do, like, I couldn't even imagine.
Strange.
Yeah.
Roy Lee saw it coming.
Roy Lee will be just fine.
He will end up in some massive tech company or start his own, maybe.
Okay.
I think that's another one in the bucket.
What do you think?
I think that's another great episode of Hacked Podcast.
brought to you by Push Security.
Push Security.
They keep your identity safe in the browser where it lives, where we do all of our work.
You should check them out.
Pushsecurity.com.
I like this one.
We got a big old crypto heist and a crazy job application hack.
I found those fun.
Appreciate you listening.
Excited to catch you in the next one.
