Matthew Cox | Inside True Crime Podcast - How North Korea is Scamming Americans Out of Billions...
Episode Date: December 10, 2023How North Korea is Scamming Americans Out of Billions... ...
Transcript
Discussion (0)
The major players are looking at your house through Google Maps.
They're looking at what neighborhood you in.
They see what route you take to your job based on your cell phone connectivity to towers
because they can profile you for knowing exactly how much money you're worth
probably paying based on whatever scam might be appropriate.
I have a pretty unorthodox path started many years ago, mid-90s.
I was actually doing what
is, I guess, a watered-down version of what I was doing is called competitive intelligence,
otherwise known as corporate spy work or corporate espionage work, but I was doing it overseas.
And I was doing it well before there were any real laws wrapped around that kind of thing.
So my job really was if a large entity, whether it was a company or government, needed
information about a competitive environment, I would be the guy they would call with my team to go get that.
So I lived a very similar life in a lot of ways to people that you probably interviewed quite a bit,
but I did it as a very high-end consultative practice for those companies.
And I got, I was very successful at it, decided to branch out and build a U.S. operation for it in the early 2000s.
And funny story is I brought my consultancy to the U.S.
I got my stationary created.
I got my business cards done.
I got the website going and I was ready to go and then 9-11 happened and I was like damn it
everyone did it was like wow that's a shock this is going to be bad and the economy took a head
and basically companies kind of clamped up on buying what they would consider more luxury like
capabilities and services which I never considered a luxury but unfortunately they were too
busy trying to do their day-to-day business rather than hire a spook like me to go figure out what
was going on with their competitors.
And so over a sushi lunch one day, a friend of mine who was in the end of cybersecurity industry
said, look, he goes, dude, who better in the world to call and ask how a guy like you would
hack into them than you?
So why don't you just offer counter intel capabilities?
I was like, that's actually not a bad idea.
So almost over the next like two and a half, three weeks, I sort of pivoted my whole firm
from being a competitive intelligence company to being a counterintelligence company.
And so this is the early 2000s.
Cyber or what was called Infosec was just kind of burgeoning.
It was still an early nascent thing.
If you ask someone about information security or whatever, people would probably talk
about antiviruses at best, McAfee or Norton or Mantec, I think would probably be it.
Or firewalls, maybe that would be a word that people would know.
But that was about it.
And so little by little, I gained a pretty interesting customer.
base of organizations and mainly organizations at the time that wanted to make sure their
systems were up to snuff, and able to be secured against threat actors.
And that carried on for about 15 years.
In that set of years, I built companies that actually built security and intelligence-based
products and sold those companies off, which made me even more money because you're selling
a whole organization that has an intellectual property.
And I still do that today.
So I still build companies that build security or cybersecurity like products or
intelligence-based products.
But I've gone back to my roots now and I actually do provide counterintelligence
consulting, but more to family offices and ultra high net worth individuals, groups that
have a lot to lose and that don't really understand what vectors of attack they may be subject
to or what kind of individuals or groups they might be interesting,
find them interesting to attack.
So I have a really interesting job where I have to think like the bad guys
and advise my client and customers on what they're likely in for.
So it's kind of a dream job.
You know, I should get into that too, right?
Like, didn't we mention that?
Like, yeah, you should.
But I don't know the, but I don't know the cyber part of it enough.
Well, Natalie, it doesn't, it, the cyber,
just a speed issue. It's not the actual tactic. So what you did, you're an innovator. I'm not sure
to praise the prime part of your job or whatever. I'm praising the skill. We're able to manifest
and the way you think is actually an asset. And, you know, if I get into that. I was going to say,
even if I was going to say, even now, like I mean, and I don't really have any knowledge on how
things work. But I mean, I get stuff all the time from, you know, let's say, you know, Capital One
bank and I and I or capital one credit card like I have a couple capital one credit cards so I
get them you know they send it to me and I am I never click on it you know I never click on it I
think well I'll go to the app that's on my phone you know what I'm saying or I'll like I'm not
going to click on this thing because I don't know who this is I don't know it looks all right
or anything that I question I always go to the you know I always end up going to the you know
who sent it to me was it capital one was it the bank was it this
was it, you know, and then suddenly it's a bunch of numbers and letters.
It's like, okay, this is just some generated thing.
And it's like, you know, and I always tend to get, I just, I tend to have a great spidey sense.
You know, I'm super big on intuition.
I mean, I'm a big believer intuition.
So you're right on.
And well, this is what's interesting.
Those threat actors and the sophisticated ones, everything from, you know, the nation state
groups like before we got on the call, we talked about Lazarus, you know, from North
Korea, they thrive on duping people that are less discerning than you into doing things.
And they're looking to harvest everything from financial means, getting people to pay up in
crypto and all kinds of stuff and everything else. So I'd be curious about something. Did you get
taught that or did you naturally feel like you need to be more discerning and skeptical of what
you're getting? Was that just in you naturally to do that? I mean, obviously, from
just just growing up i think i've always been someone who's who's kind of thought how does that
work how would if i didn't want to do it that way how could i do it this like i've always been
very you know i was been very i'm going to say smart i was think of it as just being clever
you know i've always been super clever um and yeah i'm very i have a degree my degree's in fine arts
you know so like i don't have a normal degree and it always
And I remember my teachers were always explaining that, look, you know, if an artist designed this, then an artist can figure out how to replicate it or how to improve on or how to do something along those lines.
But I definitely think going to prison and meeting all of the various different types of criminals and hearing all the different types of scams.
And that definitely spiked my intuition at the very least because you very quickly.
question everything when someone approaches you. And I'm always very polite. I was raised by a strict
Catholic woman who was, you know, my mom was very, no matter what, you'd be polite. It doesn't matter.
You tell someone, you know, no matter how you do it, you do it politely. And so I've always been
very polite. But I can be very, very polite to you while internally thinking something's not right.
That doesn't sound right. You would never know I'm questioning you. But yeah, I'm not, I don't jump into
anything right away. And my dad had, there was just tons of things that he would mention to me.
Just, you know, he worked for State Farm insurance for, gosh, for like 50 years. I mean, he worked until
he was 70 something. Was it 50 or 40? Probably 40 years. Yeah, 40, 45 years. But he was very big on
on questioning people, asking questions about things, making phone calls. He was like,
nobody's ever going to not hire you because you called back two days later.
And they said, oh, okay, we'll let you know.
We'll give you a call within the week and calling back two days later.
It's like, they're not going to say, oh, you've called me twice.
And I told you, I'd call you back.
I'm not going to hire you.
He's like, that's not going to happen.
You know?
So, but yeah, there's lots of things along those lines.
But one of the things when you were talking about kind of like the, I don't know, I thought,
I thought of corporate espionage.
I remember I read a book called, and it was a novel.
It was called Paranoia.
I don't know if you ever read.
It was great.
It was about one company planting someone inside of another company to get into a,
and the guy worked there for six months or a year and became like a, he slowly got up to become a,
I don't know, some kind of vice president or something, but it was a, it was a great book.
And it was all.
to try and get, you know, corporate information.
And that's the evolution for me, because the, it started with getting information on a
personal level, person to person.
So social engineering and using those methods and tactics and collecting a little bit
information and then feeding it to another person that now is armed with that information
and then go meet that person in a, in a what would seem like a serendipitous way to then get
more information because now you've got some commonality.
and it was this sort of process to use a whole team to get this detail.
And usually it did include everything from people that might look like colleagues in the gym
that were just jogging in the treadmill next to you to beautiful women sitting at a bar
that probably shouldn't be the right.
You know, you'd have to like find the right type of woman that might be appropriate fit for that guy
because if it's a supermodel and he's not exactly the kind of guy to pull some woman like that,
it would never work.
But you get someone that is on par with that person,
then you got armed her with information about some sort of trade show that,
you know, he went to and she'd be like,
oh, where she was at so-and-so trade show, you know, two years ago?
I think we ran into each other.
And of course he's going to say yes.
And so it was really interesting the way we would do that.
The evolution of that for me was it just simply went from a human or,
to use a government terminology,
human intelligence gather across to a cyber,
to signals intelligence ability to do it.
So that's kind of where I landed.
All these years later, it's sort of the same thing, just done electronically.
Do you know who Andrew Bustamante is?
God, that name sounds so familiar.
So he's a former, he is a former, he is a former,
CIA I want to say spy you know he said former CIA spy and I interviewed him the other day and he has he's one of the things he does is he meets with he does of course he does security he did do security but he also does and keep in mind he was he went under for you know three months six months nine months 18 months you know ended and he's got he does a podcast
called everyday spy but he also does talks and he does workshops and um they're all kind of based
on like things that spies do every day like how do you become an everyday spy like it seems hokey
but it it actually he's he's he's an interesting interesting guy you've seen he was on lex friedman
he was on like he's he's he's huge right he's uh super interesting guy but definitely uh somebody
that may that maybe i was going to say if you're talking about how
high net individuals, they would get a kick out of him.
Like he's, and very articulate, obviously smart, really interesting guy.
But I was going to say, you know who Victor Lusting is?
No, I don't think so.
He's a scam artist.
He's like, he is the guy that I'm sure you've heard this.
He sold the Eiffel Tower for scrap twice.
That's awesome.
And he had a set of rules that he lived, that he lived.
like how to it was like how do you con someone right and one of the ways a lot of people don't realize
this is that initially what he did was he he rode or sailed cruise lines interesting this is back
prior to prior to world war one which is in the early teens uh 19 in the teens so he and he did
this for years back and forth back and forth and you know one of the things they asked you
he was asked later on in life was like how did you and he would scam people out of money he had a
very he had a very common story that he told people and they always wanted to invest and by the time
he got off the boat he had multiple people that wanted to invest in his place he was in
it was you know there weren't movies so he was in production to make plays he had very successful
plays he's on this cruise that's super expensive to be on he meets these he's now stuck with these
high net individuals, like you said, and he tells him he's in a world that they think is very
sexy. They've all been to plays. They're all doing the calculations on how much money these
things make. And so he would, on the cruise, he would go to Europe and back, Europe and
every time he would get two, three people. It got so bad, he had to keep switching cruise lines
because they were allowed to look for him. But once again, you don't have a photo of him.
This is back in, like I said, the early teens.
And one of his, he had a very basic set of rules.
And they were like, you, if you, if you should look him up.
They're great.
There's basic.
And they're so simple.
It's like, don't, like, don't talk.
First of it, don't talk a lot.
Yeah.
Introduce a subject like religion.
Whatever your, whatever your mark says.
their religion is you be that religion you know if you like no matter what they said you you'd
never be disagreeable you always agree you always wait for them to to hint at their political
beliefs and you agree and you support those political beliefs right you I mean he had a whole
series of little and there was nothing there were nothing but it was just being really being
agreeable hey we know you
probably hit play to escape your business banking, not think about it. But what if we told you
there was a way to skip over the pressures of banking? By matching with the TD Small Business
Account Manager, you can get the proactive business banking advice and support your business needs.
Ready to press play? Get up to $2,700 when you open select small business banking products.
Yep, that's $2,700 to turn up your business. Visit TD.com slash small business match to learn more.
conditions apply yeah well it's identification people all of a sudden feel like you're in you're in
you know birds of a feather flock together as they say right right and and if you have the means to
sort of predict what they want to hear based on what they've said you win i couldn't agree more that's
brilliant no i mean that's really cool especially from the era that he's coming from because and you know
what's so funny is that you know we we get wrapped up in the cyber thing that it's super technical right you know
people you know yeah yeah it is but but there it's back to common sense it's back to common
sense it's that you don't want to create this elaborate text message if you're trying to scan
someone through your through a cell phone right and get people you know like oh well that's not real
you know this is why things like the AI stuff scary because it's starting to make it simple again
it's starting to reduce it down something that sounds cute natural language like and yeah back to
common sense 100% yeah it's crazy i had washed a few videos with the uh um the Lazarus group and
and i guess that that you know the amount of the bitcoin that they'd stolen and they couldn't
quite track them you know well they can track the bitcoin but they you know because they can only
get laundered through these exchanges you know they ended up recovering something like
forget what it was 260 million or something out of 300 million or uh and
And it was like, wow, they got that that money back.
Well, they still ended up with like $40 something or close to $40 million.
And I was like, that's a nice lick.
So I was thinking, I mean, if your fallback position is $40 million, wow.
Not that those guys saw any of that.
I mean, it's all, you know, from my understanding, well, it's all state, you know,
sponsored.
Well, that's interesting.
And we'll get into this.
If you're interested, I just had this conversation five minutes before I jumped on
the show with you that people still bifurcate nation state with threat actors that are
independent or criminals or whatever, cybercriminals.
And they're actually very overlapping.
So a lot of nation state skilled actors like out of Russia or whatever or China or North
Korea, excuse me, they're working, their night, they're moonlighting as cybercriminals doing
this kind of stuff. Because they have the skills. Right. Well, I mean, they've got resources.
I can see that in China. I definitely see it in Russia. But I mean, in North Korea, I mean,
those, it, you know, you're not accessing the, it must be very difficult to access the internet,
if that's possible at all. So, I mean, these are guys that are, that, you know, it's, it's been proven that they're
working for the
North Koreans just to generate
money for the regime
right so
which to me
you know I well you know
it's funny too because unfortunately the whole time I'm watching
the program on
on the Lazarus group and so
like well can you
basically give like a minute
or two explanation of what
happened
uh with that
well so there's just
the one thing I'm
Just to be clear, the specific ins that you're talking about is one of many.
So this group's still active.
So there's no shutting down of them, so to speak.
Oh, yeah, it's billions.
You're talking about billions.
Huge.
Huge.
And what's interesting is that, and just for context, you know, and I don't know how you want to kind of drive toward getting into this conversation.
We're kind of in it already, which is interesting.
The size of these, these points.
holes, as you put it, or licks as a good word for it, are massive. I mean, they absolutely
dwarf anything else that's kind of physically done where you're going into one location.
It's just unbelievable. What's really interesting and where I'm hoping we'll land in the
conversations around the ransomware operators that dwarf the Lazarus stuff too. But by the way,
just Lazarus for context to your viewership, this is a North Korean sponsored, we'll call it group,
at least the best of our abilities from an attribution standpoint. Attribution is really hard when it
comes to the internet stuff. You don't always know who's really behind it. A lot of what you do
technically is look for similarities in how some of the codes written, maybe the tactics they're
using to deploy what we'll call implants, right, which is malware. That usually is a pretty good
giveaway on who's doing it. There's a wrench in the system now, Matthew, which is that now with
things like the AI tools that we have, like chat GPT and all that, you can make your code look
like it was written by someone else entirely, and it'll send law enforcement on a
completely different scent than who you are. So this attribution of the process has gotten
to be very difficult. It's always been hard. It's even harder now. I guess it's the best way
to put it. But you're right. Back to what we talked about a little bit earlier, there was a very
big crypto scamming aspect to their operation, but that was sort of the smallest part of what
they're really up to, which is information stealing, other types of financial theft.
This was a good smokescreen in a lot of ways for everything else that they're up to.
And they're all learning from each other, too, as we get into the conversation.
There's massive syndicates of these guys, and they have different sort of roles,
responsibilities.
Some are access brokers.
They just simply get you access to what you want.
Then they affiliateize the access to others to get in that are a little more cavalier.
Sometimes they'll broker access to people that are bulls in a China shop and make a mess of things
so that it'll send everyone off on a wild goose chase to chase.
the affiliate they got in, but not the actual access broker.
So I'm getting into the weeds here, and I'm happy to define some of those concepts.
Yeah, what's the access broker?
You mean someone who, like, is working for the company?
No, access brokerage in the world of cyber or, you know, nation state sort of cyber activities
has to do with the, in human terms, it's the person with the key to the vault of the bank.
they give it out so people can go and do what they want to do in the vault they don't actually go in themselves they simply get paid for the access to it and they're the ones that build the more sophisticated methods to get in to an environment electronically and then what we call maintain persistence so they'll not only open the door but then they'll leave something in there that keeps the door open they'll wedge it open with something so that then they can broker that access to that environment to a bunch of people so this is what makes this very difficult is that it's not
not as clean cut as people might think.
It's not like hacker A goes and hacks and steals and does all this and then leaves.
Today, it's a gigantic, you know, organized business situation where there's the people that
will get access to the environments, then they'll broker the access out on the dark web to
the highest bidders or people that are lined up to sort of buy the access.
How is that?
I understand.
So how does that person get that access?
Like, for instance, I...
I was watching one program that was talking about North,
this is once again,
this was all kind of North Korea.
Sure.
But it was that apparently there was like an entire,
you know,
section or division in North Korea for,
for hackers or as,
you know,
sometimes it's espionage based also where they'll have some guy get,
so a North Korean who's highly talented,
get a job working, you know, programming or doing whatever.
And he'll work there for six months or a year, however long it is,
and become a valued employee.
And the, you know, the bank, some bank or financial institution or whatever it may be is in the UK or whatever,
somewhere in Europe or maybe it's in the United States.
And they love this employee.
They think he's great.
They don't realize he's in North Korea.
They think maybe he's, who knows where they're.
they think he is, you know, Malaysia, you know, wherever.
And, and so they work with him and they think he's great.
And then eventually he gets to a point where he's gained access to their system.
And that's really his goal.
And he's getting a paycheck.
Like if he makes, if he makes 150 or 200,000 a year, like that money goes into the North Korean coffers.
And he gets his $15,000 a year, which is still good money.
And he's allowed to, of course, you know,
work this job and then garner uh information or maybe uh maybe put himself in a position where
he can steal money or give someone access you know so that's when that's why i thought when you meant
an access broker someone who that's yeah that's absolutely a version of it it's the slow long term
long term kind of covert deployment of a real person to social engineer their way in and do do that right
Absolutely 100%.
What's more alarming is that you can do that exact thing with malware, spread out, like shotgun approach to thousands of organizations, get that malware in there that starts to laterally move.
And it literally, it's called blast radius.
It lambs on an HR lady's computer.
Let's call it Martha's computer who runs HR in Company X.
She opens emails up and reads resumes every day.
It's her job.
You weaponize one of those resumes
and that
resume gets opened by her to read it.
It opens. It's a real resume, but
alongside that resume being opened
is a piece of malware that gets deployed on her
computer. And then what it does is it
looks for every other computer connected to hers
and it laterally moves and spreads itself out to
the organization. And not only does it
do that, it reports back
to its owner about
where it is, what it's found and everything else,
just like the guy you're talking about, but done
in an electronic fashion, very
streamlined, very efficient, and then multiply that times thousands, if not hundreds of thousands
of computers, times thousands of companies. You've got a really, really powerful intelligence
collection capability to then figure out who you're going to go and attack. Is that how the Lazarus
Grooth got access to that? Basically, it was like, it was like $300 million with a Bitcoin,
the one of the cases that I had seen. And they moved it. Like overnight,
Within like a week, there was something like the Chinese holiday or something.
And like they had like five or six days that they were able to do this.
And even when it was detected, they couldn't know if they couldn't get hold of
anybody because all the banks were, it was a holiday.
Yep.
All that was planned.
All that was by design.
So it's just like good old school art of war, Matthew, where wait for a moonless night
to do your attack.
Same thing.
I mean, it's, you know, it's funny how history repeats the cell phone.
it comes like military strategy or espionized tactics or tradecraft they're always the same
strategies which is catch people off guard wait till there's some sort of political holiday or
national holiday to get people when there's a skeleton crew on staff where they really can't
respond and things like with crypto just really quick just to address that piece of it you know
ironically it was bitcoin right which is something that now has proven to be quite traceable
like if you've got the right utilities and tools and talent you can
figure out where things are going, but there's so many cryptocurrency that are not traceable
like that. They have really true anonymity. And had they decided to simply shift the currency
into a more anonymous alt coin or whatever you want to call it, they could have gone to ground
and there was no retrieving anything. So it's kind of interesting that, you know, and this is old,
right? This is not a recent situation. So these days they've gotten a little smarter about
hiding their their tracks.
Well, they, they did switch a portion, you know, portions of it.
They could only switch, you know, so much.
And they, they knew they were being tracked.
The problem is they had to go through an exchange.
In order to launder it, they had to go through an exchange, which this is what killed me
is that it's like, okay, you have to go through an exchange to convert this to actual cash
and get it into, and they're trying to make it obviously, you know, completely anonymous,
but it's being tracked thus far.
it was being tracked.
And eventually they ended up moving like 80% of it to to an exchange that was extremely
credible.
And, you know, they, when I watched this, they were like, like, we have no idea why
they thought that this exchange would do this for them.
Does that make sense?
Like, they were like, typically they'll go to a questionable exchange that does
and ask a lot of confidence.
And they were like, so we are fear, but you can only move so much through that.
And they said, for some reason, they moved it here.
And we just contacted them.
And they froze the money.
And they were like, so they got lucky.
And they did it getting 40 million.
What I didn't understand was, you know, it was all, I don't know, it's North Korea.
I kept thinking like, why wouldn't you have already gone somewhere in Europe?
And, you know, you could steal some, steal identities, get passports, go to Europe.
establish accounts that would allow you to move that money very quickly.
And it would have become anonymous.
Like you can wire it into whatever, 40 or 50 or 100 different banks and then wire it again.
And you only need a fake identity to do that or steal someone's real identity.
You know, 10 people's real identities, multiple corporations, multiple bank accounts.
Now, it may take some time, but at least the people that were tracking the Bitcoin,
would have been lost at that point.
At that point, they would have been like,
okay, this was just converted to cash
and placed in several Romanian banks.
And now it's been,
and people are cashing it out,
people are moving it to different corporate accounts,
people are moving it throughout Europe.
Now we've got a problem,
but for some reason, we just...
Well, you know, it's interesting, Matthew.
So two things.
One, in my entire career,
the way we've generally caught
people, especially from a cyber perspective, is some failure along the way where they've forgotten
to cover something up or they've misstepped in an area where they thought they were being a little
overzealous. Like if I were to speculate, this is purely speculation about why they maybe
went to a very legitimate exchange, was to hide in plain sight, right? To have something there
because it's well known that these less savory exchanges maybe couldn't handle the
volume, perhaps, and are imminently under the watch of the Interpol or FBI or others, right?
So it's almost like, let's go where they're not going to necessarily look or expect us to go.
Of course, the controls that were in place did catch it, and they lost out big.
The other half of this is that it's an interesting concept because you're talking about the final stages of the X-fill of the money.
No matter how sophisticated they might be, this is still a fairly new.
thing, meaning crypto and using it as a utility for massive harvesting of money and all that.
It's still kind of new.
So, you know, we're kind of judging the opt in the armchair.
You've heard that term before where we're sort of saying, well, obviously, they should have gone here.
And it's like, but you'd be surprised how many times people that are really sophisticated screw up.
I mean, for example, some of the more nation-state groups that I chase around, the ones that are government-funded and have the means, they don't cover their tracks in any way when they're doing kind of the
setup of their infrastructure sometimes completely.
They just leave it wide open because they
never, they make assumptions that no one's
ever going to go dig there.
They assume that we're going to track the
movement of the data or we're going to track
the movement of the crypto, which is indeed what
normally happens. No one looks
at the infrastructure, so therefore not worry,
let's not worry about it. And they learn from the pain of failing
there. So you can bet your
bottom dollar. Those guys will probably never
use a very good
trustworthy exchange again.
Right. Because it may have been a miscalculation.
It may have been something where they thought that this was going to be the best place to keep something that was never going to be tangled with because it looks truly legit.
They still made 40, like a 40 million failure.
Like, I'm ready to like, let me fail.
Like, that's a hell of a failure.
You know, that's an amazing.
But you're right.
I always, you know, I'll interview these guys that, you know, have been in prison and, you know, the running scams.
And it's always something like you did.
you know you got the fake IDs you got the credit cards you got the uh the passports
you you set up the corporations you open the bank accounts you had people in between you and
them nobody knew your location you had all these drop phones you had all of this you did this
like all of these things and then you went to a you went and rented a room using a stolen credit card
Like, you have half a million dollars in the bank account, a couple hundred thousand in cash, and you used, and you're in the middle of running a multi-million dollar scam, and you used a stolen credit card for a $1,000 hotel room bill.
Yeah, 100%.
It's the old, yeah, it's Al Capone's tax records story, right, the famous one.
It's the taillight out on the car in the getaway that gets it pulled over now because they're, I use that all the time.
I always say, listen, I'm not one of these guys that's going to be driving around with a stolen car and a broken taillight and a body in the trunk.
Like, that's not me.
I'm crossing all my teas, dotting all my eyes.
Yeah.
But I'm pretty patient.
That's a key thing, right?
The genius is it's the obsessive, the obsessive compulsiveness.
that makes separates the men from the boys in that space even in cyber and i think it would
probably be somebody in your way in your world which is that the ones that are meticulous
usually when because they're they're really really obsessive about perfection and they're they're
really big on making sure that the the op is clean from the start and there's this there's this
it's an art form again back to that that concept i'm not trying to praise it per se i mean you know
but you have to appreciate the sophistication
of some of these groups that are perfect with their zero residual presence of things or how
they're able to completely eradicate anything. It's pretty amazing. And it takes a lot of effort.
You know, I think everything is kind of like that, though. Look at like Steve Jobs is like,
you know, this amazing visionary. Horrible interpersonal relationships. You know what I'm saying?
Exactly. It's like same thing, you know, you look at someone like, you know,
CEOs or presidents, you know, just complete narcissists that make their way all the way up the
chain.
But the fact is that, well, if he wasn't a narcissist, if he wasn't a narcissist, he would have
never made it up the chain, you know?
And what makes some CEOs, amazing CEOs or entrepreneurs are the same things that make
them detrimental to be around.
It's like, it's the same thing with like committing, you know, any type of crime.
like they you know or you know in the criminal world like you know these guys like you're taking
all these pains taking um precautions and then you make one little slip up because you think i've
i've done such an amazing job here that nobody's going to catch that yeah and matthew you're right
i mean look victim of your own success is real in this space especially with the volumes of money
we're talking about you know it's not just one bank heist it's effectively thousands of bank
ice all at once, right? And here's an interesting thing. I mean, you start looking at some of the
really, really sophisticated, you know, caucus region or Balkan, maybe, you know, Russian-esque groups.
And you saw the pictures of them sitting in Santrapay on these massive yachts with like a
freaking ocelot, right? It's like you're going to get caught doing that. I mean, you know,
there's no discretion after a while. There's an over, there's a, there's a, there's a, there's
megalomaniac quality that kicks in with the ones that are a little less than disciplined
and have the means to kind of win on a perpetual bit.
It's kind of like I was telling a friendlier day about watching world tour poker
or world championship poker games and it's always the same people that seem to end up
at the last rounds of these things.
There's a reason for that.
It's because they're very disciplined.
They're playing.
Yeah, it's not emotional eye to it.
No, it's not luck at all.
It's not luck.
yeah i was just i when you were you were mentioning like i know i saw this one about these this russian
hacking group that had stolen i forget how much uh cryptocurrency they'd stolen i mean it was it was
it was outrageous and they're you know because they're in russia you know they're they're on
social media they're driving um these you know these outy that i forget what the outy a is it
All right.
R8 sports car doing donuts.
They're driving in Ferraris.
They're just they're talking.
They're holding up stacks of money.
They're yeah, you know,
look at us,
look at it.
And it's just like,
wow,
you're like you better never leave Russia.
Like you're going to,
you know,
they end up going somewhere where they think,
eh,
you know,
we're going to pop into this country right here.
Nobody's paying attention.
No.
Countries are patient.
You know,
they throw an indictment and a
notice out there and just wait?
Yeah, well, this is the thing that that's funny is that, you know, you talk about, you know,
among the criminal underground from a cyber perspective, they look at the law enforcement groups
as slow and plotting and not that sharp and they're not going to hire the best talent ever
because it's the government.
It's the same story, right?
I think it holds true across all forms of whether it's kinetic or cyber or whatever.
The problem is you nailed it.
You said exactly what I say all the time is that they have all the time, is that they have all
time and the money in the world. There's no rush either. That's what I was just thinking. Yeah,
but they have an inexhaustible budget, manpower, and time. Yes. So you're always looking over
your shoulder. You're constantly running. So in some ways, I think that psychology is what
gets to these guys a bit. I think they're kind of like, well, you know, the time will come and I
won't be able to enjoy some of this. They sort of throw caution to the wind and they get a little
wild and crazy with their with their with their with their success i mean it's just it's crazy but then
there are these others that are that are very methodical like the ransomware operators and they've
made out billions worth of of of winnings out of the stuff not not millions anymore and um
the scary part is now they're they're figuring out how to refine that process matthew where
they're going to go after groups that are otherwise not normally targeted they'll go after
the average individual or someone they can pay them $5,000.
You used to be go after big companies, get something on the inside of the network to
encrypt everything and then hold them hostage and say, I'll give you the key if you pay me X
amount of money, right?
That's the classic that grandsonware scheme, which was very successful and they made a ton
of money.
And they even got it working where they knew a company had cyber insurance and they would
actually intentionally hack that organization knowing that they had a policy that would cover
it.
So they had a really clean plan for saying, here's a.
our premium list of what we're going to hack into here's our less than premium here's our like
kind of we'll net them and if we get them great if not who cares because they're not actually
the ones we know are going to pay so they figured out the the situation here which is it's frankly
the same thing as any kind of fraud in terms of insurance fraud if you know that there's going to be
a payout you do things in the exact way that you know that the claim can be made and the money
will be paid and and what's ironic is that you look at the stats online for ransomware
over the last I don't know four years pre-pandemic through the pandemic to now
I mean Matthew you're talking about a fraction of what's been reported I mean really
like are that that's reported like the rest that's happened no one's ever said anything
about it's all brushed into the carpet so I don't I think that the vast
majority of organizations have probably had a brush with it paid and not told anyone
about it yeah what was it the Sands casino which casino was it and that was a
in Vegas and that was a wasn't that a Russian based was a Russian base the Sands the Sands was
Iranian if I don't remember incorrectly yeah um but you know you're talking another situation
that's not even two and a half three weeks ago MGM was in the news oh that's right I was
going to say MGM was that's the one I thought was Russian because that was recent yeah that's that's
likely at least from an attribution with the people I've talked to it seems like it was probably
Russian in origin correct but they they first hit
hit another casino in Vegas a week or so beforehand, and they paid.
Yeah.
And that's what I heard.
Yeah.
And get this.
This is what's really interesting.
There's a high likelihood that they, what it's called island hopping, it's like a military
term they've commandeered for cyber, which is, if I want to get to Matthew, I'm going to go get
World War.
World War II, Pacific War.
I love World War.
Yeah, it's exactly what it is.
Totally, man.
So if I want to get to Matthew, I know he's really good at security.
but his neighbor is not
and he has really close ties
with his neighbor. In fact,
Matthew lets his neighbor in the house every now
and then if they need like something
when he's not at home and so they have a key.
So if I go hack into the neighbor,
I'll get into Matthew through a weak point
of his operational security,
which is his partner or his third party partner
or his customer or something like that.
So what's fascinating about this
is that now in the world that we're in today,
everything's so interconnected.
There's no way to really know
whether you're buttoned up or not.
You might have all of it, but that doesn't mean all the partners that you work with that are usually smaller and less capable have it all buttoned up.
And they have direct connectivity into your environment.
So it's a one-way ticket inward if you get into these smaller groups that are all the supply.
It's like the Target hack, the most famous one, probably one of the most famous hacks ever, T.J. Max and Target from a cyber perspective, those are like legendary hacks, right?
because the threat actor in Target got into Target's main network
by hacking into the HVAC system access.
Literally the air conditioner system vendor had access to the main network.
They got into those guys and then they bounced right through.
They essentially daisy chain themselves into the main network at Target.
So this is something that's commonplace now.
And so it's becoming almost a whackimal problem
for the law enforcement groups to go chase around
because you can't secure everything.
You can't build a big enough, tall enough wall
to secure everything.
What you have to do is now build things
that become a deterrent
for the threat actor to come after you.
You have to become a pain in the ass to hack, right?
And let them move on to lower hanging fruit
rather than trying to assume you're going to build something
that's a better group.
I was going to say whenever I'll talk with people
about fraud and I do these, you know, these talks, you know, you tend to get the same questions
over and over again, you know, and one of those questions is always like, well, how can we stop this
from happening? And, you know, and the problem is they always think that I'm going to be able to
say, oh, well, you have to do this. First I'll be like, well, is this, is this, are you able
to stop this? Yeah, absolutely. You can stop it. It can be stopped. You know, fraud can be stopped.
here's a problem you now make it but to do that you have to make it so difficult you've eliminated
normal people from obtaining loans so it's like there's that balance how do we how do you
still make the system manageable and usable and friendly enough to get allow people to apply for
loans and get loans and also eliminate as much fraud.
You know, it's a balancing, like, you can eliminate it.
If you want to go and make every phone call and check every, and order all those documents,
if you want to dump $1,500, if you want to change underwriting from being a $250 expense
and turn it into a $2,000 expense or $3,000 expense, you can do that.
But when they start doing the numbers, it's like, okay, well, now it's not worth it's not worth doing the loan.
We lose more money on allowing the fraud to go through.
Right.
So it's so funny.
This is great.
So I have this story I used to tell.
Well, not a story, this concept that if you want to do ultimate security, I don't care if it's physical security or cyber, same concept, right?
Ultimate security is no windows, no doors.
no light, no life.
It's over, because if you lock it up to the point where it actually is truly, quote, unquote, secure,
it's just not functional to your point, just to kind of extra double down on what you're saying,
because you're completely correct.
But then there's another aspect here.
So, yes, it's all about risk tolerance and management, right, mainly with these companies,
whether it's a physical level of tolerance.
Because if you make it look like Fort Knox, it might deter folks that you've talked to in the past
that would be like, oh, forget that one.
But it's also going to deter the customer base.
It feels too imposing.
It feels too intimidating.
And you're right.
You lose business.
And if it becomes too slow, because everything is slowed down to a crawl so it can be observed,
nobody wants to work with those types of organizations.
They're too painful to kind of interact with.
This is where the government has such a challenge because they have all these layers,
and it makes it incredibly difficult to kind of negotiate anything with them.
But then there's another aspect here that's interesting.
And this has more to do with, it's both, it's cyber and physical, is compliance has gotten in the world in the way, too, now.
So what's really interesting is that in an attempt to get organizations to comply with having a level of security that's good,
federal regulations have imposed a set of compliance standards.
The thing is, Matthew, most of the time, the penalty for not being in compliance is lower than the amount you'd pay for secure.
So they just pay the fine.
They don't bother deploying all that and getting the hassle of buying all this crap that they don't know how to deploy or need a team to run.
But it's a fine of $2 million when it would actually cost us three and a half or four to really buy everything that would put us in compliance.
Just pay the fine.
And so that's kind of where it is now.
I watched, I was watching some series the other day where they were, it was for pain management.
And there was a company.
and the company they were like you know what a speaker program is it's yeah yeah so they were
running a speaker program where they you know they can't pay the doctors to prescribe medication
but if you prescribe for this much medication we'll put you on our speaker program and you'll get
it you'll get whatever $4,500 and you come and give a speech at this little convention and you
make this much whatever so they're paying them you know it's a workaround
so they were talking about the speaker program and then they were talking about going off brand
like saying we're going to start pushing these we're going to start pushing these doctors to
prescribe this not for cancer which it was designed for cancer and we've been pushing cancer
now we're going to tell them they can also prescribe it for other types of pain and they were like
listen that's that's going to come back on us and they sat there in their actuaries in the
boardroom doing the numbers and he's like okay well we're looking at a
a profit of a billion dollars and a fine at maximum at the max the fines half a billion we just
made a billion half a billion yeah that's right the worst scenario is we make half a billion
best case is if they catch us at all they they they it's a 200 million dollar fine and we
made yeah 800 million like you know what I mean it just it was like wow like it's totally worth it
to do that.
And in so many cases, it is.
It really is.
And then, you know, that kind of dovetails into another aspect around using the technology
to your advantage in ways that it's quite clever.
So usually people think of hackers and they think they're stealing either information
or intellectual property or money or crypto, right, one of the same.
It's usually that's what people think.
They think that there's a hooded kid or whatever.
somewhere in a basement it's the usual visual that Hollywood's great right yeah yeah and while while
there's elements of yeah exactly there's elements of that you know script kitties or skitties will call
them you know that do this kind of stuff it's fine you know they're they're playing around and
they're learning um it's not fine but you know what i mean they're they're not the threat the threat
the real threats and this is extremely clever is market manipulation with hacking and what i mean by that
is they're going and they're hacking into large public organizations.
We're talking about these very well-organized groups.
And they'll deploy malware that is intended to get caught, Matthew.
Like, it's not meant to hide that long.
It's meant to sort of stay like a little ticking time bomb until such time that it makes sense for it to sort of show itself.
And then magically, the press gets an anonymous tip that so-and-so public organizations hacked.
You might want to go check on it, report on it.
And what they've done in that timeline is they've bought short positions in the stock price
so that when it does get hacked, they make an incredible amount of money on the plummet,
and then they make money on the correction on the way back up.
It's incredible.
You know, it's funny you saying that I specifically was talking to my buddy, Pete,
because the guy that I told you was like, oh, you got to check out this.
You got to ask him this, ask him about this.
And I was thinking to myself, like, the, I wonder why they don't buy up the stock and, and, and, you know, short sell it, you know, and create these, these situation.
If they can't move the crypto or that, you know, they can't move the Bitcoin, then why not go ahead and buy up as much of the, of the company and take, you know, short positions?
And I was actually, we talked about that. And he was like, you should mention that.
yeah that's that's that is insane it's funny there was something else when you were talking i was
gonna i wanted to um mention there was this i want to say it was called like solar sale or something
it was uh like they were solar winds solar winds and it's what they're the the big the big uh solar generators
oh different okay no so it could be two different things then so solar winds is that
IT firm that got hacked.
And in the way the hackers did it was they actually implanted a malicious code into one of the
updates that this company sent out to their entire constituency of users, which is a really
advanced way of getting yourself embedded, right?
They didn't deploy their own malware as like a separate kind of thing.
they actually baked in the compromise into an update that went out legitimately by the company.
Is that what you're talking about, solar winds?
Yeah, yeah.
I think I was thinking about two different things.
I know that in China, I know there was also an American company that was doing the windmills, you know, the solar.
Yeah.
Yeah.
And they actually, and this was an intellectual property theft from China where they had stolen a bunch of the software.
But anyway, you were saying for.
Yeah, that one is just kind of the poster child for supply chain hacking, the best way to put it.
Wasn't that a Russian company?
Well, Solar Winds is an American company, but it was believed to be a Russian actor behind the hack, right?
And then they, they, so in one go, like the way they were able to sort of scoop up a time,
they got into about 30,000 different organizations all in one.
so and they had access to these and yeah and so what are they taking from those organizations yeah
is this just well it depends because i think this is where this this is the weird murky area
between where geopolitical motivations that drive these more sophisticated government run groups
bleeds into the cyber criminals that are all financially motivated and sometimes those
governmental groups that have political motivations to destabilize or create influence campaigns.
We're getting into something much deeper and not quite per se true crime per year show.
But I think it is a massive, massive operation that uses things like criminal activity to their advantage.
It's almost like proxy militia, right?
You know, think of it that way.
When you have a hacker that's out there wreaking havoc by stealing millions of dollars in crypto or shorting stock,
I mean, what an incredible misdirection utility for a nation-state actor to leverage.
I mean, look, there's been no shortage in history, back to, you know, our history lesson
for the third one of this particular episode.
But, you know, Air America program where they were moving drugs in to the U.S.,
I mean, that's an operation facilitating criminal activities on the streets to facilitate
an agenda for a slush fund.
I mean, there's all these stories that are very, very much.
akin to what we're talking about here.
But anyway, we're getting into some big nuances.
But, yeah, solar winds was a really interesting one because it set the standard for how you
could go and hack into one place and get into many.
And yes, there is information or intellectual property theft.
There's PII, which is personally identifiable information like social security numbers,
birthdays, names, everything that you would have had a blast with in your past life,
getting a hold of it, because it would have given you a treasure trove of an unlimited
supply of identities that you could leverage.
So if you think about the force multiplication of technology, Matthew, they're doing
nothing different than what you created, pioneered, came up with when you were doing
what you were doing.
It's just done at a scale and a speed and a cadence and a frequency that's unprecedented.
That's the difference.
Yeah, I was going to say when you were talking more about the, you know, the organization
that are backed by nations, it's like, it's like a, you know, it's like a cyber war, right?
Like, you know, like we're spying on them. They're spying on us. But in the end, I always wonder, like,
let's say you've got North Korea or you've got China or you've got, you know, Russia. And the, you know,
the justice department will come out with these. I see, and I, you know, I remember watching something.
This was like, this was actually, I think, when I was like in prison, it was like 10 years ago.
And they had indicted a bunch of people in, like, in North Korea or China.
I forget which one.
And they actually had tracked them back to the where they, they knew where they worked.
They knew the name of the department.
They knew who was working in that department.
They said, because we can watch them go all the way.
We know when they show up within 20 minutes, there's a spike in activity.
Like, we know when this guy works.
there was a whole thing and they had indicted multiple uh nationals and but in the end like
how do you prosecute those guys how do you you're never going to get your hands on them every
once in a while now i know that i was locked up with a bunch of of a bunch of uh you know they
weren't hackers right because i've really only been locked up with one or two guys that were
ever charged with actually charged with like hacking so but i was charged with guys that
were running, you know, like dark web forums, credit card for them.
I always say credit card forums, but they do other stuff.
They sell counterfeit credit cards.
They sell dumps of information, you know, a dump is.
They sell dumps.
They sell folds.
And then sometimes they have these tutorials on just how to run PayPal scams.
Just a very, you know, different scams that they got 45 minute video.
on how to scam PayPal out of X amount of dollars or different scams you can run.
So it's, I always say credit card, you know, forms, but they do other stuff.
So sure.
One is that I was locked up with a bunch of these guys.
And, you know, everybody would call them hackers, but they weren't hackers.
But, you know, and several of these guys were Russian or you or from Ukraine.
And they got got some of them.
And one or two of them were actually Russian.
And they only ended up getting this one guy.
because, like, Russia wouldn't hand him over.
He just happened to decide to go on vacation just outside of rush.
Like, like, I don't know what he was thinking, like, ah, I'm 150 miles away, you know, from the border or something.
Like, I don't know what you're thinking.
Like, he went into Russia and they notified the FBI that he had entered.
I forget what country was it.
I'm going to say it was Moldova.
I was like, I forget.
Anyways, one of these little countries, probably one of the Baltic or the Eastern European bloc countries that used to be.
And he happened to go there on a vacation, like a skiing vacation or something.
I forget what it was.
And sure enough, he wasn't there more than like three days.
And the FBI flies in and they arrest him and they throw him on a plane.
And, you know, he's landing in New York and he's screaming the whole time.
You're kidnapping me.
And anyway, and he ended up, it's so funny, too, because he ended up getting, I still want to say he barely got any time.
You know, like some of these guys, they're an outrageous time, 15 years, 20 years.
This guy got like, I don't know if it was five or six or seven years.
For the amount of money he had stolen, it was not that much time.
And I always noticed that a lot of the international criminals tend to get less time than the U.S. would give.
one of their own citizens.
It's not always the case.
There's always an exception.
But yeah, it's...
Therein lies the frailty of the system
as it relates to international laws,
especially with cyber, right?
Because...
Right.
Like, how do you get a whole world?
Yeah, exactly.
And like in the beginning of the show,
we talked about how attribution is difficult, right?
It's very hard to sort of fingerprint an individual sometimes.
You know, you might know,
where the machine might be or a general sense of where the IP address is coming out of,
but it's still a far, far, far, far, far, it's still a million miles from the individual behind it
sometimes, right? I was speaking to a colleague there day that was fascinating. He was hugely
involved in the Zeus botnet takedown. Zeus is a banking trojan, it's specifically there to
harvest banking credentials. And then they would run these whole teams to log in using those
credentials and then move money literally just you're in the you're in the person's account you can
send it wherever you want you can add an account you can do all kinds of stuff and they would they would
do all kinds of stuff like grab the two-factor authentication code from the cell phone by conning people
into giving them the code where they would actually get the malware to do that and harvest the
information from the phone i mean it was incredibly sophisticated stuff but all that to tell you that it took
exactly what you're talking about it took them getting the individuals on video
going into the banks, doing the actual transaction where they could correlate the timestamp of the video with the individual that was facially recognized, or at least now they can do that kind of thing, with the transaction happening at the, you know, the teller window to then get the guy.
But even with that, if the person did it at one bank and then zipped off somewhere else or had a hoodie on or my gosh, think about COVID with the mask situation, it's like, how are you going to even forget it, it's over.
So you're right.
Even if you get an indictment, how do you get the guy?
Like China's not handing over, Russia's not handing over a national.
Right.
Yeah.
And, you know, the other thing about this is that back to kind of get to the theme of this particular episode, I mean, you know, honestly, Matthew, most of these guys feel like it's a victimless crime.
Like, no one gets hurt.
There's no violence, at least from the perspective of a lot of these guys.
It's completely passive.
the money is going to get paid back somehow by some group.
It's not victimless.
Honestly, it isn't.
But from the perspective of the threat actor,
they're like,
look,
nobody got hurt.
It was a painless way to get a lot of money.
Like you said,
if a failure is 40 million bucks,
come on.
It's hard.
You don't have to sell me.
You don't have to sell me on.
Yeah.
Yeah.
Oh, yeah.
Listen.
Like, I,
you know,
one of the reasons,
like my dollar amount isn't that high is because I was cautious.
You know,
I like to me if I was thinking, okay,
so you're telling me that right now I nobody can nobody's going to like as long as I
don't leave Florida,
you're telling me you will allow me to run a scam in Georgia,
but you will you will not extradite me to Georgia.
And I just have to never go to Georgia again.
good i'm good like i'll go sit in the starbucks you know i you know you because my crime now
just because of technology think about it i used to have to make my own w2s and paystubs now
you can just go to you know paystubs dot com they'll make your w2s and pay subs they'll calculate
everything so it's perfect per state like the whole thing i used to have to make my own bank statements
I used to have to make my own, you know, I would design my own bank websites.
I would make my own, I had to figure out how to get the, the software to make my own appraisals.
I had to go buy, I had to buy a house.
Like now I could, and then you had to actually physically had to go get, I had to go get, go to the DMV, get them to issue me a driver's license in the name of someone who doesn't exist.
or maybe someone who does exist maybe it's a stolen identity you know i had to so i then have to
i have to create this entire this entire you know legend that isn't real to support my person
to borrow money and then i actually have to go into a close physically go into downtown to
public records and then i also have to go to a closing i have to go into banks and open banking
Now, now you can sit in a Starbucks.
I can make my pay subs through a website.
You pay a few bucks.
You make pay stubs and W-2s.
You can open your corporation online.
You can open up the bank accounts online.
You can rent an Airbnb.
You can have it appraised.
They never have to see me.
I can schedule a closing.
And I can close on my loans and property and loan.
all remotely sitting at a Starbucks and then wire the money wherever you want to wire it. And
the interesting thing about that is everybody involved in that transaction now doesn't have to know
what's going on. They don't have to know a scam's going on because they're just doing what
they do on a regular basis. Tons of closings are done remotely. Tons of bank accounts are
opened online. Tons of, you know, all of these things. Appraiser show up. They never meet the owner.
You rent Airbnbs. You never see the tenant. All of these things happen on a daily basis with no
interaction. So if some guy sends you an email or you get a phone call or a text and they transfer
the money, you get the money, then you're like, yeah, of course, sure, I'll mail you the key or I'll
put it under the mat or so, you know, my, and if you said, hey, Matt, you could do that.
It's just all that has to take place in Georgia.
And if you're ever indicted, don't worry, we will not allow them to extradite you from Florida.
Like, I'm, I don't have to leave Florida.
Right.
You know, if I have to vacation in Florida the rest of my life, it's not going to kill me.
And so that's what I'm saying, like, North Koreans and stuff.
Like, they.
Yeah, exactly.
Yeah.
Well, think about, think about like the, you know, some of the lesser fortunate, you know, areas of the world that.
that, you know, where there's average poverty line is way lower than that ours.
Nigeria.
Some of them.
Yeah.
Nigerians can.
Yeah.
Totally.
The, you know, the Slovenians and, and, and that whole group of guys and gals that do it,
they're crazy talented.
I was going to say, they're very sophisticated, very sophisticated.
Right.
And that's a living for them.
Like, this is the thing that's really, and it's not advocating for it.
Obviously, like on this show.
I'm sure you have plenty of people that talk about it like this is the best thing
it's the slice bread to do.
It always comes back to the fact that that's a hard life looking over your shoulder.
But for people that live in a state of effectively fear and probably risk of what could
happen to them in their home countries, that would be probably worse than any prison
here in the U.S., they don't care.
They have no, there's no compunction to do what they're doing because it's just way more
motivating to see the kind of money they can make.
Like you said, sitting in some internet cafe.
They may not have a Starbucks, but they certainly have something that's equivalent to that,
that has anonymity all over the place for them.
They understand how to use technology better than the average does here.
And now, with the advent of these tools to speak very fluently, like whether it's even
text-based, like an email or an SMS message, or now unbelievably audio with AI, well, you can
sound like me and I can sound like you today.
You know, I could be an avatar that you're talking to right now.
I'm not even real.
I just, I joined, I subscribed, I think you subscribe for like a month for like a dollar and, and for this, this, uh, this website. And I dumped a 10 minute video of me. And then I, I, I, uh, dumped a, uh, dumped an article of from Wired that I downloaded called the art of the steel just to see if it, what it would sound like. Yeah. It had me, I just read the, it literally, it's, it's, it's like, it's like, it's, it's like,
40. I'm going to say it was 40 minutes of me reading a wired article.
Yeah. And it's, listen, everybody that I sent it to, even my wife was here in the walking
through the kitchen when I was playing with it. And I said, I said, how does that sound?
She was, what do you mean? I went, how does that, you know, how's that sound? I just generated
that. You didn't just read that? I was like, that's the. And I was like,
I played it. She was like, that is insane. If you listen to it, it's perfect. It pronounced one or two words incorrectly. And you can, there's a feature you can click on to have it say it a couple of times. You're like, oh, that's the one I want. That's the correct pronunciation. It was, it's amazing. So I had a guy on I was talking to the other day. We were talking about Facebook. Do you remember this scam, which is still, I'm sure, I'm sure probably used.
someone builds a fake a fake uh facebook page just you know they use your picture the whole thing you know
they take a bunch of your friends they they subscribe you know they um they follow whatever so
you know a cursory look at it looks like oh it's you and then they contact you through messenger
you know they would text you through messenger before and say oh my gosh um you know kareem i i'm in
I'm in Budapest right now.
And this actually happened to my mother several times.
They would say, I'm in Budapest right now.
You know, my wallet was stolen.
I have no money.
Can you please Western Union me $1,000?
I'll be back in Florida next week.
I'll pay you back.
I am so sorry.
I've lost my passport.
I'm just in a desperate situation.
Yeah.
My mom was almost going to pay.
Like she was like, oh my gosh, I can't believe it.
Carol is in Buddha oh I can't believe this I had no idea she was even going like she's ready to try and she's trying to
She's trying to figure out how to Western Union money to Budapest and if she hadn't asked my sister
She that woman would have got the money now
What would have happened if Carol actually called her?
There was if there was if there was any question before
If my buddy Zach called me on the phone right now said bro I'm man I'm
I'm in a bad spot, bro.
Can you cash at me $500, man?
Here's what happened.
This happened.
I'm getting two tires replaced.
I lost this.
I'll give you the money right back.
I'd be like, yeah, absolutely, bro.
Sure.
If it was hit points.
Get this.
There's a story.
And maybe for your show notes,
I'll have to find the link to it.
I'll make sure I send it to you.
There's a story about a mother sitting down in her living room watching TV,
and she gets a phone call.
And it's her daughter frantically crying.
saying mom mom they took me they got me please help and then she goes off in the distance
fades off like kind of in the background whimpering and a voice gets on the phone saying if you don't
pay X amount of money to this account you'll never see your daughter again think about the
sense of urgency they created right then right that's a big part of the process right you got to get
that urgency built up and then they created a motivation and then they basically told her exactly
what to do they even said look you're going to do it Bitcoin I think that's maybe
adding a little bit to the story with the method of payment. But I know for a fact, it was get
it done, get it done now, or you're never going to see your daughter again. The lady literally
was on the verge of paying. Of course, they did the usual. Don't call law enforcement. Don't call
the cops. The worst thing you could possibly do, all the usual. Had the daughter not walked down
the stairs going, hey, mom, what are you up to? And she looked up and she's like, I just got a phone call
from me. She's like, what are you talking about? I've been in my bedroom the whole time.
They grabbed sound clips from her off her whatever social media accounts and compiled.
enough of the voice nuances and cadence, everything you just said to create a perfect script
that people fell for.
So, yeah, that's happened.
Like, that literally happened like two, three months ago.
And it was kind of hit the news pretty heavily.
And then it's now gone a little bit quiet on that kind of thing.
But because the next evolution of its video, right?
You're going to have audio and the video, right?
It's going to be a perfect mat.
It's going to be a perfect frame.
And there's not going to be much ability to discern it.
the authenticity is at stake now where you don't even know what's real anymore.
And it's a new bastion, man.
It's a whole new era for criminals.
Yeah, I was going to say, I remember reading an article about a Russian that spoke good English.
And there were a Russian, there's a Russian like hacking group or whatever where they were calling up,
they would call up and get like increases on people's credit cards or they would borrow money in their names.
and then the company would say, well, can you call us?
And so they paid him to call the company because he had a good enough American accent
and he could get on the phone and explain, yes, I'm so-and-so.
And they would give him the information, my social security number is this, my date of birth, here's my address.
And they would ask him a few questions.
And he said, sometimes, you know, they would ask questions, I didn't know.
And I'd say, I'm sorry, like I can't recall.
Or he'd give him the wrong answer and be like, well, I had several.
roommates in college. I mean, not sure. I mean, I lived in a dorm. And they go, okay, well,
let me give you another one. And, you know, they would pull what like a Lexus Nexus report
started asking questions. And eventually he'd be able to get a few of them right. And then boom,
they just gave him $100,000 whatever. Home equity line of credit on his on his house. And they
immediately transfer the money. And, you know, so you don't even need that guy.
Now, especially with the North Koreans and, you know, that sort of thing.
Like now they can, if they can get into an organization.
Yes.
And they can make a phone call from the, whatever, the CEO or president or whoever in that person's voice.
You know, once they get the lay of the land and know enough about the company, you know, Bob can call Jennifer and HR and or, you know, in bookkeeping or whatever.
I mean, who knows, like how.
well and you know mining the internet now is all been done forever and you know there's there's
practically nothing you can't get publicly open source wise these days you know like the good old
days of having to use hoover's or nexus they're kind of gone everything's generally open sourced
at this point through social media and all that and now you know this idea that they're trying to
train these machine learning models on data that's been curated.
It's all sliced, diced, organized.
I had an interview not long ago about, it's a little off track,
but it's interesting because it does have to do with reconnaissance, right?
Or casing and environment, if you want to call it that.
Now, I mean, the major players are looking at your house through Google Maps and Google Earth.
And check what kind of car you have.
They're looking at what neighborhood you're in.
They see what route you take to your job based on your cell phone connectivity to towers.
And they see where you stop to have your coffee because they can profile you for knowing exactly how much money you're worth probably paying based on whatever scam might be appropriate.
So all that's kind of predigested and ready to rock for a lot of these threat actors.
And it's just it's at a scale that's it's unprecedented.
And there's really not much defense against that.
This is the thing that's interesting.
You're relying on people's wherewithal and spidey sense that kick in, if you will, which, I mean,
I hate to say it, but the vast majority of people, when it comes to these technical type scams,
look, Matt, I would fall for a lot of this AI generated voice stuff and video stuff.
If it wasn't absurd, like the funny ones that we see are pretty silly, right?
They're people saying the most off-the-wall things.
But if they see something slightly off from what they would normally say, I'd totally buy it.
like what your wife did with your with your uh your art of the steel reading that you didn't do but
your avatar red or whatever you want to call it right right so yeah i mean i think that it just it all
you know and it i'm not going to say it depends like if somebody called up and said oh you know
we've got your your wife and we need you know whatever you know 30 thousand dollars i'd be like
guys miscalculate you know but somebody else may say of course you know uh you know it has to be
reasonable um so uh but yeah i i i definitely i hear you and uh yeah with the i was going to say you
can gosh you know you can and you can track people so many different ways like there's so
many different things you can do um what i i was wondering about
is you you wrote a book about like um about um about um cryptocurrency right uh no i was probably
quoted in a few of those that i didn't write a book on it specifically but which one are you
referring to the the rise of the central bank digital currency yeah so sorry that is that is my
that is my substack stuff so yeah sorry i was thinking of a physical book that that was printed
that was never printed that was an article I wrote about yeah okay BDCs is what you're
referring to I thought it was like an I thought it was like an ebook but okay no just a
it's a publication but yeah it's on like substack yeah okay yeah I did I definitely
found it to be a very interesting utility we'll call it that I don't know where you
want to go with it because there's a lot we can talk about what so well here's what I
Okay, here's what I was thinking, because I know that there's like the, what is it, Fed coin, is that what the, so, and I was thinking if they moved, if the, if the government moved, I mean, obviously there's all the conspiracy theories, you know, they can just say, hey, you know, hey, guess what, you can, you buy, you've been buying too much gas lately. You can't do that anymore. You can't, you can only spend this much on this or, oh, you've been bad. So you can only spend so much on food or whatever it may be. If you don't get the next.
vaccine we're not going to allow you to buy groceries anymore you know whatever there's all these
the worst case scenarios well what i was thinking is like what does that do be and i only think
i'm only wondering this is because of the the north korean um scam where they were tracking all the
money and they got such a substantial amount back like for illicit types of organizations
drugs uh for instance uh even fraud you know you could track
everything from here on out.
So even if it was a year and a half later and they said,
hey,
we just found out this loan was a fraud and it was whatever.
It was,
you know,
identity theft or,
hey,
this was a transaction that was made.
And guess what?
That was five kilos of cocaine.
Like,
you can now track all that back.
So does that,
do you feel like that eliminates certain types of crimes?
And how do criminals get around that?
Yeah,
that's a really good thing.
point um it will 100% in my opinion create an obsolescence with existing methods right that
you just can't do anymore because the internet never forgets and you're 100% right they can
always go and watch the tape to use this right and and do it like you said however many years later
because they simply have the computing power to go dig through it and figure out what maybe
happen and then go indict someone so you're right that that will absolutely change the game
for criminals to have to figure out how to overcome that.
However, the parallel to this is that cyber criminals are probably embracing that type of tech
faster than the good guys are in some cases.
They're actually in classic fashion, they're finding the utility of things like the AI stuff
we're talking about where they're truly anonymized.
And they, for example, when you had to create or we talked about Frank Abbottes,
when we had our first conversation when you had to create a fake check where you put the little
logo on there now you can have essentially a really well-tuned AI art program created for you better
than you could ever do it you just need to have the printing facility right frankly most things
aren't even physical anymore anyway you know your boarding passes certainly are not to get on an airplane
what would you bother you just need to make sure you have the record there and then you have the record
here and you're good to go um so i think i think that we'll see and not sound hyperbolic with the
statement, but I think we're going to see a new breed of sort of criminal slash hacker come about
that don't need too much technical capability because it's all built to be run and operated.
So you don't even need to be really good at building it anymore just to operate it.
And I think that's what we're going to see a shift towards.
But the surveillance state, just to kind of finish off on your question, I don't think that'll
slow down.
I think you're 100% right.
I mean, there's going to be a whole push using, we'll call it fear tactics to say it's in
it's an ever the best interest for us to watch everything.
And people will capitulate to that because people will say, ah, what's a little privacy,
giving up a little privacy for security because that's the tradeoff.
I think most people will probably give into that.
It'll be the, it'll be the criminals will probably be a little less willing to share.
Right.
I was going to say, they'll come up with some kind of, I'm thinking they'll come up with some kind of bar.
system or Elks trade in something else, they'll, you know, they're going to figure out.
There'll be a shadow economy, just like anything else, you know.
It's kind of what I think that everyone thought or was worried that crypto would sort of
become, hence the regulation push.
But see, this is what's so ironic about it all.
Cryptocurrency, just broadly speaking, not one or the other, not specifically with Bitcoin
or any of the others, the whole power of it and the value of it is it's decentralized, right?
It's not meant to be controlled by one operator.
That's kind of the whole point.
So the minute you start to do that, like this Fed one,
the Fed Next or whatever they're calling this TBDC,
it's really just a recreation of the federal bank,
but done in electronic fashion where the money's programmable
to be different from that than it is for me.
That's all it is.
But it's no more, it's not distributed.
it's not a decentralized system it's still centralized so it kind of defeats the purpose of
something that's kind of hard to hack so it'll become a huge target in my opinion if they
centralize it well now you can point your cannons at it that's where the bad act that's where the
well put this way that's where activists will probably target right because now it's
a lot harder a lot easier to hack than something that's you're going back to castle mode strategy
versus decentralized which the very nature of decentralization makes it very difficult to hack when you
centralize it, it's a, it's a target. Yeah, I mean, you can, as much as much of a, like you just
say, like as much of a mode as you can put around it, it's like, okay, that's great and you
centralize it. But the truth is, all you got to do is get through once. And that's the thing
I always said about law enforcement was I was like, listen, I, like, I can't make a mistake.
Like, the law enforcement only has to be right. They can make a thousand mistakes. They only got
to be right once they get their hands on me. So, uh, yeah, that's, um,
Yeah, that's frightening. Of course, you know, I also, my wife is, I was told in the comment section that I shouldn't say she's a conspiracy nut.
She's, she, you know, she's very, listen, she'll get something in her head. And for like a week, at least a week, I have to hear about it and watch shows on it. And one of them was about the grid going down.
Yeah.
And I mean, and it's, it's so bad that like I was in New York and I took a picture of the,
the skyline and I sent it to her and it wasn't it's beautiful wow that's amazing it was
god I wouldn't want to be there if the grid goes down and I was like that's what that's what
you're where your mind with but yeah um oh listen though we've got I got dried beans I got
top ramen soup we got a lot of water we've got we have a three yeah oh yeah yeah
she's definitely she definitely she she wants an acre
way away from everybody because all we have to do is survive three months until everybody
kills each other off and 80% of them be gone, then we only have to deal with the 20%
and that'll be that's we can we can survive that. And I'm just like, what are you doing?
You're a crazy person, right? I don't know who you are. But so yeah, I watched the grid going
down and about how
I guess it's China
was trying
to hack the grid
and China and Russia
to try and kind of I don't know what they were
trying to get into but their big
concern is how vulnerable
the electrical grid is in the United States
Yeah I mean this is this is a big
one this is semi decentralized
semi you're right
There's a daisy chain cascading, like, effect or dominant effect is the problem.
They were like, if you take out, you only have to take out so much.
And then the whole thing with that, they were talking about Texas like a year or so, like a year ago.
Right.
Exactly.
Well, here's the thing.
And this is one that we could probably do an entirely separate show on for like two hours on it.
Because here's the reason why there's so many layers to this.
The first layer is that your wife's not crazy about.
about the fact that the power grid is indeed pretty vulnerable by the sheer nature of what it is.
And what I mean by that is it's old.
Right.
So it's flooding off incredibly old and obsolete software, basically.
And the problem is most things can't be retrofitted with new software because, again, it's this whole daisy chain effect.
If you can't fix one piece and not the other, if you fix this piece, the other parts don't work with it.
It's just this mess.
A lot of the companies that built this stuff, the software part of it,
are out of business now.
They're gone.
And it's like you're going to the airport
and you see them printing out
the manifest for the plane.
They have the dot matrix printer.
Yeah.
That's because the software is written
to work only with those printers.
They can't go plug in a nice laser printer
to it anymore.
It just doesn't work.
So it's,
it's funny.
I flew like Delta one time
and it was the worst ticket.
It was his old thick ticket
that was a dot matrix and this was only like a couple years ago it was hard to read the whole
thing and i was like i don't understand i'm flying like like a value jet and i got a nice
clean easy to read ticket and this look at this thing yeah but yeah i didn't even think about that
i just was like well why don't why won't they up why don't they upgrade i was like what's but
yeah i didn't realize that what you're they've been around forever they're still using this
their whole systems based on this this technology that doesn't that is difficult to upgrade
that's the first problem the second problem is the is the actual physical hardware um the big
transformers that our country effectively like lives off of these things if if they go down we
don't have spares which sucks right and guess where guess where the spares would get made
in china no no and you know how long it would take for them to do it if they even wanted to
do it for us like a year or two to get some of these things made yeah i was saying that like the turnaround
time is is outrageous and then you're not you're not ordering one or two of them at that point you'd have
to order you're trying to get them to make hundreds thousands of them and and nothing's nothing's
worse for getting a backup uh you know transformer than bad geopolitical relations with the country
that makes it for you so so there's some really scary propositions there and then last
lastly, you know, they, there's a daisy chain.
So, for example, why bother with the grid if you can go after water treatment?
Because if you can go after water treatment, which might be an easier target because
it's not as high profile as the power grid is.
Now you make water in, I'm not trying to make this a doom and gloom session here, but it is
valuable.
No.
All of a sudden, the water's not drinkable, Matt, and in your drinking water that gives, that creates
mass dysentery in a town that overreys,
runs the hospitals. Now all you have to do is pressurize a power grid. You don't have to
hack it. You just pressurize it that much more when it's overburdened. So, you know, just like the
beginning of our conversation, we talked about attacking on a moonless night or waiting until there's
a national holiday, wait for a harsh winter. I mean, these are old strategy and tactics that
aren't forgotten, right? Art of war is alive and well in terms of military strategies for this.
So, yeah, there's just, there's a frailty here that's hard to fix.
And, you know, everyone kind of asks me that.
But like, why don't they just fix it all?
It's like, well, there's this huge litany of things that are all interrelated and interlaced that make it almost impossible to fix in any meaningful amount of time for nothing less than billions of dollars of expenditure.
So, sadly, we're kind of in a bad place.
The government's also very, you know, reactive.
You very much so.
You know.
There's a big amount of event of some.
kind yeah the only proactive thing that they do really is like the military you know we may
need this type of a jet in the few we have to stay ahead of the curve and so they're always
pushing to be ahead but in so in almost every other way it's crisis legislation you know
even though you know this is an issue i know but it's manageable right now and i'm not going to get
reelected if i start pushing for an agenda that nobody else thinks is an issue let's wait for
everything crisis. The minute the politics play a part in this, it's all over pretty much because
it's not going to really address the urgency of something. But you know, and then, okay, I talked
about water, but there's even one probably even more concerning than even like water and energy
and it's communications. If you simply take down communications, everything else is now like
you separated the deer from the herd and it's fair game. I mean, this is what's scary about this
idea of a coordinated cyber warfare attack. Now, the reason it doesn't happen, I think. Believe me,
I don't know 100%. These are just speculations after 30 years of doing this or so is because that
would constitute an act of war. And this has been the weird line that's been drawn in the sand that
no one quite knows where it is, is that what hack by either a nation state group or a cyber
criminal group constitutes an act of war. There's no clear, there's no clear like rules of engagement
with that. You know what I mean? Right. That one would probably well step over the line because
it would be the equivalency of someone firing a missile into our power grids in the U.S.
It's the same equivalency. So I think that's probably where they're sort of stepping back and saying,
let's not push the limits. That's kind of an act of war. Let's play it cool. Let's do recon. Let's
go sniff around. Let's loiter. Let's figure out where the flaws are. But then let's not push
the limits too much to where we actually incited an entire international incident that could
move straight to a kinetic attack or war. Right. Right. Yeah. That's that's probably why it hasn't
happened, to be honest. All right. All right. Well, let's, uh, yeah, well, I mean,
I'll, I don't think any of that helped. Uh, it is going to help my.
No, no, your wife, my wife's issue.
Eat into that and you'll have two, three weeks worth of show.
Listen, I have a water.
I have a, like, I had to buy this $150 water filtration thing.
It's got a pump and it's the whole thing.
I'm like, what are you doing?
Yeah.
I keep telling her, you should try it out.
You should, we've got a pond.
There's a pond over there.
I'm telling you, go drink, go, take care of it.
Yeah.
And so I bought her a, you know, almost.
as a as i don't want to say as a joke because it's not because it's not a joke but almost just to
be you know ha ha i bought her this thick survival guide right love about halfway she's about
halfway through it pretty cool man she's totally into it she's totally she's watching this guy
canadian prepper this guy i don't know if you know who that is this guy every day that is we've been
on the brink for because i have a buddy who watches him and
And so I heard about him about two, two, three years ago.
So for two or three years, it periodically, I'll catch a, a five-minute clip here or a minute clip here.
It's always going under.
For two or three years now, he is on the, we are on the verge.
It's over.
Yeah.
You know, it's this guy, his whole, his whole thing is doom and gloom.
You know, I'm a, I'm on the other side.
I think it's going to be fine.
They know what they're doing.
you're also you're also a survivalist you know I think instinctively so so you know
there's there's preppers and then the survivalist and sometimes there's an overlap but
the reality is this that like look what this is an interesting thing to think about because
if we went into a lawless like environment for a while that's interesting right I don't
mean in a good way I mean it's fascinating because guys like you and I and other folks that
you've interviewed were we're probably more equipped to think about the ramifications
of what that means than most.
Most are just so well.
Because look, the U.S., unless you've been in inner cities or big cities with some of the
crazy stuff that happen over the years, I live in suburbia and what I'm in the U.S.
And I don't see riots and looting and all that.
I've never seen it live.
Right.
But if it ever did happen where there was a true blackout, think about like the opportunistic,
think about the panic.
and then the groups that feel like they're underserved and the opportunity that it presents itself,
it would be pretty crazy.
So I think the truth of the matter is that there are some really interesting concerns around
these topics when it comes to where the psychology of the world goes to when things like
that happened.
Because, I mean, look, think about, you know, we haven't talked too much about how you went
from where you were as a child to where you got to, where you went to prison and now where
you are today. But there hadn't been a psychological shift somewhere. You weren't just born ready
to go do the stuff you did. You got there due to something that compelled you to go there.
And I think certain activities like this, especially with the hackers, by the way, coming back to
that really quickly, those criminals feel like gods. Oh, I'm sure. Right. And that's where they get cocky.
That's where they make mistakes. Right. So there's some of that. But it's an interesting thing because
crises like we're talking about will accelerate that behavior in by the droves of people.
And I think that's where we're, that's really scary, right?
Because you know the damage you could have caused individually.
Imagine hundreds of you running around, scamming people.
Like, I'm not talking about like firebombs and loitering and breaking windows.
I'm talking about now there's some desperation in the world and there's some like depressive qualities because of the economy.
economies hit due to certain things, that's going to engender and foster more of that behavior.
It just will.
Desperation will cause necessity will create that.
And then another of an invention is necessity.
Yeah.
And then you add success to that equation, Matt, and what happens then?
You get people blood drunk on success of it and they're ready to take the chances.
Yeah, I was, I was going to say when I wrote my, I probably rewrote my book like three times.
but one of the things I had I finally did was I ordered well I did I ordered a few books and but really it's probably the best book I read was somebody actually just gave me this little book I'll bet you it wasn't a hundred pages and it was written by a woman who had written three memoirs and I read that memoir and it or that book and it was just great like it was like she was so just you know she didn't sugarcoat anything and she experienced
all of these things that I thought was that really I was like, wow.
And she was like, look, even if you don't think there are certain things in your, you know, in your childhood that helped shape the person that you are, find those things, you know, look for them, you know, because they're there.
You may not, they may not be, they may not be, you know, obvious to you.
But if you look for them, they are there.
And you need to find them and you need to include them in your book because the reader is going to want to point to certain situations in your past that helped, you know, shape a person that you are.
And, and, you know, even though some of the other books I had read had said similar types of things, they had never been that clear and crisp.
And this woman, I mean, talk about brevity.
Like, what a short book, but just every word was important.
And I, and I, so I read that.
And after I read that, I rewrote my book.
And the difference between people reading my book, prior to that rewrite and after that rewrite was night and day.
I mean, I had guys telling me how amazing the book was with tears in their eyes.
Just like, bro, like, that, you know, that thing about your dad.
like and they're just in their eyes welled up and I was just like wow this is amazing like
so you know definitely you know the whole being able to point to things that helped shape you
that was that was a huge that was huge and the other thing is I'm sorry I was going to say the
other thing you mentioned too which was crucial is that you're right it's it she also
explained to you know like how you felt why you felt that way why you felt how you felt afterward
What were the things that led up to making that decision or this decision?
And one of the things you said was, and I always say this is that every time I got away with
something, I became more and more emboldened by it.
And when you said the God thing, like I used always, and I've said this on numerous podcasts
where I said, there is no better feeling in the world than walking into a bank,
handing them a fake ID
a bunch of fake
fake W2s, fake paystubs,
fake bank statements,
you know,
a fake ID
closing on a loan and having them
hand you a check for $250,000
and thank you for ripping them off.
I mean, you feel like James Bond.
You walk out of there feeling like
I have everything's under control.
I can handle everything.
I'll never.
never get caught. I'm just that good. And you walk out and you feel it's a feeling that's
just, it's better than any drug. It's amazing. You know, it's so interesting. You're saying that
because the closest thing I've, so you know what's really interesting. So the gentleman that
introduced you and I, Arsnake, soon that show will be out, whether it's before or this one or
after this one comes out. Nonetheless, it's really cool when guys like him, yourself and me coming
different worlds, completely different paths,
are able to have this intersection and have a meaningful conversation about
that kind of strategy and that rush,
because that's the key thing that drives us all in a similar way,
whether we're the black out of the white hat in the equation,
or formerly black, now white,
or maybe black now gray working for the government.
Right.
It's interesting because there's the same motivation.
I spoke to a couple of special operations guys that,
are not in a good place.
They're suffering from PTSD from being out in Afghanistan and Iraq and all that.
But what's so interesting with the, you know, people see that as a very binary thing.
They're like, oh, these poor guys, they're suffering from PTSD.
It's such a shame.
You know what they struggle with the most?
A lot of the guys, not everyone.
I'm not trying to sugarcoat this, but a lot of the guys miss it.
Oh, yeah.
They miss the adrenaline from that is so high in like my career paths.
It's been really fascinating.
I get to chase extremely sophisticated threat actors everywhere, and I get paid for that.
It's pretty cool.
You know, it's like being an investigator.
And how cool is it for you to, I can imagine you get on a conference call, you call up,
you're talking to all these IT guys that are panicking.
And if you're the guy that walks in and you say, okay, well, hold on, I just looked at it.
Here's what's happening.
Here's this.
Here's that.
You need to do this.
And you just boom, boom, boom, boom, boom.
and everybody goes, wow, I never thought, oh my gosh.
So if I do that and you just bam, bam, bam,
and you're the guy that's got all the answers when there's five other guys
that are experts that have panicked or are just in complete panic mode.
And you walk in and boom, boom, boom, boom, boom, here's what happens.
Here's how we fix it.
Here's this. Here's this.
Fix this.
Call me back in an hour.
Yeah.
You get off that phone call.
You must feel like.
Yeah, that's the ego.
God, I'm good.
No doubt.
That's the ego.
explosion, but then there's an interesting thing, the parallel to your story about being
at the teller and getting that check for $250,000, that's when I've been pouring over some sort
of data or findings or telemetry or something. And I'm looking for this proverbial,
not even a needle in a haystack because I can't even use a magnet. I'm looking for a toothpick
in a haystack, right? And I find it. And I'm like, that's where he slipped up. It's kind of like
the movies we've seen where he gets this one little thing, this one little break, this one thread
that unravels the whole sweater, that's the exhilaration from my side of the house.
And it's probably very much shared with law enforcement groups that are really dedicated to
their craft is that when you finally get this one thing where he's like he finally or she finally
made a mistake, that God complex got the better of him. And now they just did that one thing they
shouldn't have done. They took the chance to not bother setting up the VPN right or they didn't
bother with a proxy or they didn't, you know, something where they didn't cover their tracks or
obfuscate themselves. There's that same location. I was just like, it's the, it's,
it's the parking ticket with, uh, you know, Berkowitz, you know, the son of Sam, the parking
ticket. Like, there's, there's 500 police officers who have scoured every single lead
for the last six months and some guy said, let's check the parking tickets. Like, what if this
guy somebody got a parking ticket the night of the murder that shouldn't have been there that
maybe lives someone else maybe got a parking ticket i mean how remote is that possibility and
sure enough berkowitz got a parking ticket he doesn't live in this borough why is he in this borough
they they call they call the precinct they oh i know that guy he's a nut they make a few phone
calls they watch him for a day or two that's it it's obvious it's him look
Look at all the, you know, he's been writing letters.
Look, he lives on this street.
He mentioned this, the name of this street here.
This, like he just names them off and it's like, holy shit.
Like, what a random, how did that guy feel?
How did that detective feel?
Yeah, exactly.
No, you're right.
And, and, you know, it's funny.
It's either laziness or ego that is usually the, the catalyst for the failure when it comes to a criminal doing something.
it's rarely bad
process
I mean you know
there's always the ones that get caught
like all the funny videos of criminals
that do the stupidest high sever
those are obvious
but I'm talking about the ones
that have really spent the time
to figure out how to do it
it's unfortunately
fortunately depending on how you look at it
it's that one little slip up
you know what I'd be curious
about
you know when it comes to like
I get people ask me this question a lot
they're like so do you hire hackers
you know that were bad
and reform them and this and that.
And it's like, yes and no.
Many times I'll catch something in the process of being set up by maybe someone
that's young and aspiring.
And I'll, it's not quite there yet, but it's like, that's some good work.
Right.
But they're really, you know, they would do really well working on the good guy's side, right?
Like coming in and, by the way, when I say the good guy side, you know, we talked about this
several times in this chat.
good guy the perk is you don't sleep looking over your shoulder waiting for the feds to kick the door in
that's worth a lot of money dude like that's worth that's worth your life not not only that
that i don't think these guys realize how much money there is in cyber security you do it i mean it's
ridiculous the i i told remember i told you there was like one guy i knew who had um uh was actually
in prison for for hacking and talk about the when i remember we said talk about somebody who has
a touch of asperger syndrome this guy it was very difficult for him to even make eye contact
he um uh nicest guy so we started talking and he was 19 when he got indicted he ended up getting
six years he did five years um and and he had been on heroin he was stealing information
The crime that he ended up selling, the dumps, I forget how many, whatever it was,
100,000 or 30,000 credit card profiles that he had sold.
He made 500 bucks on.
He had to do five years for that.
Had been arrested several times.
So he had a criminal record, but it was all for drug possession.
Sure.
So, you know, on the federal sentencing guidelines, you know, he was like a level four or five,
but they were all like possession or, or maybe safe.
but minor sales like these are these dudes are all probation he'd never been to prison so he ends up getting a chunk of time and had never had a driver's license so I remember he was about we were he was going to be out in five months four months for less probably less than six months and he used to come and talk to me all the time because he said I was interesting to talk to you know the bar's low in in prison so it's not it's not me and but I was always working
on writing guys stories i wrote a bunch of true crime stories just guys eventually you're so
many true crime stories every once in a while i'd hear one i'd be like man bro i need to write i'm gonna
do you mind if i would you let me write a story about you you know and it'd be nothing it'd be 10 000
words or something and i'd order there gave me something to do i'd order the freedom of information
act on the guy i'd order his transcripts i'd all these things through the mail by the way so i'd order
all these so it gave me time you know my name gets called at mail call i write letters i get
So, you know, really, I did that the last seven years maybe that I, I was there.
So I remember this guy, no father, you know, and we were talking and I was like, well, what are you going to do when you get out?
He's like, oh, I don't know.
And I was like, okay, well, you're going to need, you know, and you start at the bottom.
You're going to need ID.
I know when I get the halfway house, I'll take care of that.
What do you mean get the halfway house?
you can do it now they had something called they called it the the flow bus i'm like i'm getting my
i'm walking out here with a driver's license yeah well i figure i'll do it in the halfway house i'm like
why would you do that you have all the time in the world right now so we do that so we help him
get his driver's license and then he was like i was like what are you going to do for a living he's
like oh i don't know i mean i'm a felon now so i don't think i can really do anything and i was
like what do you like doing he's like well i mean i like computers i like programming i like hacking
I like this. I go, well, aren't there's those guys? Aren't they called like penetration
specialist or something? He's like, oh, I know, but he's like, I'm a, I was locked up.
I'm a felon. And he said, I can't do that. I'm a, whoa, whoa, whoa, I said, listen, bro.
I said, you're making the common mistake that most of these guys make.
Like every con man that was in there was actively trying to figure out how to cover up his
scams. How do I cover up the news reports? How do I cover up my name? Can I change my name?
Can I get Reputation.com to bury my information?
can I this like to me you're working on your next felony you're working on your next
indictment by doing that and I was like I was the only one in there who was saying actively
saying oh I'm telling everybody what I did yeah I'm gonna I'm gonna make sure and well I was
going to say so for him I told him I said you need to look at this as your calling card yeah
bro I've been locked up at that point 12 years or something I was like I've never met any hackers
you know you can turn this into something
something. You know, we can get you a Wikipedia page. We can start naming all the things you can do.
We can write your story. We can write your story. We can. And I said, you need to figure out how to
get licensing because I think most of these guys get like certificates. And I said, he's like, yeah,
but I'm a felon. I go, yeah, but these aren't, the government doesn't give you. The government
isn't the person who's giving you the license. So I said, these are just certificates by
individual companies. So they're not going to care that you're a felon. I agree.
And I said, so I said, you need to order that stuff now.
So he actually ordered several books.
And within a few months, he was like, listen, there's like, I forget what he had said.
It was like, there's five major, major certificates you need.
This one, this one, this.
By the time I got out of, and he was like, no company's going to hire me.
I said, no, no, most of these hacking companies and these penetration specialists and
cybersecurity companies, most of them hire companies that do are subcontractors.
That company will probably hire you.
This company will get certified to work for this company.
This company gets the contracts.
They don't even know that you work for them.
And so we were talking.
And by the time I got out and we spoke, by this point I'd gotten out of the halfway house,
he got out before me.
he had four of like these five major certificates and he was going for the fifth one which was huge i
mean we're talking about days of being of well you know what they are days of being tested then he
had to go in front of a board that questioned him like he had passed them all flying because he was
brilliant this is the guy who would sit down for 20 hours straight in front of the and not eat and do nothing
but play on the computer and design things and whatever they call.
Anyway, this guy's making,
he was making over $150,000 within two years of being out of prison
because his bosses were like,
you're insane.
Like his bosses who have been doing it,
some of 10, 15, 20 years were like,
you're just better than me.
Sure.
You know,
that's it.
You nailed it.
That's actually the key thing.
thing. It's the natural proclivity to think that way. So here's a funny story.
So, and, you know, other people you've interviewed in the same world that I'm in that we all
know each other would probably arguably say a very similar thing. A lot of the folks that are,
we call them Boy Scouts, the ones that work for the government that have the perfect record,
they get all the DSSI level clearances and all that. It's not that they're bad, bad at what they
do at all. This is not about an indictment of their skill.
What's funny is that they just can't think in a way that is applicable to the thing, the problem.
Like, in other words, when I'm on a hunt, I'm literally thinking like the criminal.
I'm not thinking like the investigator.
And a lot of people, you know, don't realize that that's part of the training that, you know, law enforcement goes through, which is you have the profilers,
really good example of the people that are like chasing around really scary people like
zero killers you know there's a lot of shows that now yeah yeah but that's very much that talent
what's so interesting is that people that listen to your show that maybe are in a state of
either recovery from some of that world or they're they're upset with the world and they're
contemplating going into it you said it best there's huge opportunities that are not apparent
sometimes they're not very clear that you could actually do something legitimate
using those skills.
It's not that you have to forego that, you know, you're doing exactly that now.
You know, you've literally taken, these are fascinating stories.
There's a lot of people that listen to this because they're really interested in how you think
or how people like you think because it's something so foreign to them.
There's a lot of very innocent people in the world that can't even begin to conceive of
how you would even start a scam.
They're like, how would you even get?
And it's like, well, it's pretty obvious to me.
And it's pretty obvious to you.
It's not obvious to a lot of folks.
Well, I think, you know, it's like people saying, like, well, how could you get a, how could I, how could I get a driver's license in your name?
Right.
Right.
I don't know your social security number.
I don't know your date of birth.
I probably don't even know you.
I don't even think I know your full name.
If you end up assuming you have a mental name, like, how do you go about doing that?
And, you know, even if I knew that information, how do I order those documents?
Well, the moment they say, oh, we need a copy of your driver's license.
They're like, I don't have his driver's license.
I can't get the DACA.
I can't get his birth certificate.
I don't have his driver's license.
It's like, stop.
How could he get it?
Well, he has his driver's license.
What if his house burned down and he had nothing?
And he was naked standing outside of his house.
He was in his underwear, standing outside of his house watching everything he has burned.
And both of his parents were deceased and everything's gone.
How would he get it?
Why not?
I guess he wouldn't.
Really, he wouldn't get it.
You think that there's no vehicle out there that allows him to get a copy of his driver's license
from scratch.
uh well i guess uh and you go listen so you know so to me i always started thinking immediately
they only want to copy so it only has to look like a driver's license you know they only want
they don't know what he looks what doesn't have his picture on it they don't know what he looks
like yeah this is some woman sitting in a in the you know in the statistical you know in the uh where
the birth certificate office 15 you know 15 states away if she gets a
cashier's check for $25.
It says, I want a certified copy of this driver's license or his birth certificate.
And it has all the questions filled out correctly.
And it's got a copy of a driver's license.
She's sending you the birth certificate.
You know, so it was all these, you know, to me, it was always like, there's a way.
There's a way to get this.
And I just had to figure out that way.
And once you get one or two documents, it's, you know, it's that you crack the door.
I can kick that door wide open.
and now I have everything and all those documents are start being used to gather more documents.
And before you know it, I'm you and I'm walking into your bank account and your bank or I'm applying for a loan and your property or I'm doing all these things that you people think aren't possible.
It's like everybody has certain skill sets.
And I used to teach the real estate class in prison.
I taught it for 10 years.
So I taught it at a medium security prison for three years and seven years at the low security prison.
And I used to walk in because, you know, these guys like they're, you got a bunch of drug dealers in there.
And, you know, they have no education.
They don't have it.
Maybe they have a prison GED.
And they're sitting in there and they're trying to figure out these guys are getting out soon and they don't know what to do.
They're either they've decided they're going back to prison or they're going to be a rapper.
or they're going to, you know, they don't know what to do.
And then some of them are like, well, maybe I could, you know, maybe I could do real estate or something or fix up houses or something.
And I would go in there and I would, one of the first thing I'd say is like, are there anybody here for drugs?
And they raise their hand and I'd be like, who, this is the, this is probably one of the few, few chances or a few times in your life that being a drug dealer is going to be a major.
advantage to you. You have a hustler mentality. You're used to going into rough neighborhoods. You don't mind knocking on a door and being turned down. You're this like right now, you guys are about to shine. And listen, I had guys walking out of that class stopping me at the door and shaking my hand. Like, bro, that was amazing. That was an amazing class. And I would have guys come to me and I'd be in the chow hall or something. And some guy would walk up, he'd go, hey, bro.
my sally is taking your class.
And I'm like, okay, he's like, I'm going to sign up next quarter.
And I go, okay, how come?
He'd go, listen, this dude just came in the other day.
And he said, I'm taking Matt Cox's real estate course.
He goes, I'm going to be a millionaire, bro.
Telling you right now, he said, all I got to do.
And he's like, he's like, I've never seen this dude so excited about anything my whole life.
He's ordering real estate books from the street.
Like he's just from, because it's true.
And I used to say, like, do you think that a 40-year-old?
old divorcee white woman is going to go into a neighborhood that you'll go into?
She doesn't have that hustler mentality.
She wants to sit behind a desk.
She wants to talk to other women like her.
And you know, like you guys can go get those deals.
You guys can, you know, you just have to know, how to, you know, how to talk, you know, correctly.
You need to know, you need to know how a, how a closing takes place, how, um, negotiations take
like how to write a contract, what a closing means, you know, what documents need to be
signed? So we go through all that and, uh, but yeah, I think that most people,
they don't play to their strengths. No. And a lot of times they, a lot of times they think
their strengths are weaknesses. And that's not, that's another problem. Very well said. Very well
said. You know, it's funny, Matt. So my, my day job, um, one of them, um, I have several
things that I do, but one of them is actually helping ultra-high net worth individuals and
family offices stay secure. And it began very similar to the ways that you were talking about
that friend of yours that went into the world of penetration testing and vulnerability assessments
and all that. And then it grew out from there, and this is a long time ago. This is in the late
90s, so I'm ancient when it comes to this. But as far as the way it evolved is I started to provide
counterintelligence and countermeasure services to my to my clients and what that is is
predicting where the threat will be coming from and setting up essentially not traps because
the goal isn't to necessarily catch the adversary because that's like you said there's no
point it's more just deter them move along you'll find a lower hand for easier target but it was
fascinating because a lot of these people that are uber successful and they feel like God's in
their own way because they've somehow either made money through family means or there's a trust
fund situation or maybe they're inventive and ingenious with something and ultimately it manifested
into huge wealth whenever I tell them that we're going to have to do this this and this and this
because this is probably a way that they're going to come at you they're gobsmack they have
no idea how the hell we came up with that as a risk and then we cite all the ways that they
are exposed and they're like, oh my God, I had no idea that that was a way that I could be
infiltrated. And it's funny because it takes people that are inclined and have the proclivity
or maybe, and I'd say it, maybe there's been a desperation in their lives to have to become
that hustler to have their mind and the synapses and their mind evolve in such a way that
make them think that way. And I mean, I'm sure you'd agree with me. Once you think that way,
you can never not think that way again. You will always think like that, whether you act on or not
beside the point, but you'll always think about it. And it's cool because it's like, well,
that's a superhero power, man. Like, Matt, you've got a superhero power. And that's what
you were bringing out with those guys in prison. I think that's amazing because they're, look,
they shouldn't be praised for the bad behavior, but they should be absolutely encouraged for the
skill that they've been able to engender to use it for something else.
I had folks that have worked for me that have been in a less than savory position and
have done some time and they had a very similar story.
And look, for one, I've never had more loyal and capable folks work for me than people
that have probably been through a rough period.
And I have a new opportunity presented to them where they get to use those skills but for
something completely good.
And it's awesome, man.
I love those guys.
Yeah.
Well, first of all, I've been told in the comment section to thank my guests.
Listen, my comment section is nothing but just, you know, telling me how I should be doing
things and things that I'm doing badly, which, you know, it's fine.
It's, it's, you know, constructive criticism.
So thank you very much for taking the time to, you know, for spending this time with me.
My pleasure.
Hey, I appreciate you guys watching the interview.
If you liked it, do me a favor and subscribe to the channel.
Hit the bell so you get notified of videos just like this.
Leave me a comment in the comment section.
Also, please consider joining my Patreon.
And I really appreciate you guys.
See you.