Modern Wisdom - #954 - Joe Tidy - Chasing The Most Hated Hacker In History
Episode Date: June 14, 2025

Joe Tidy is a BBC cybersecurity correspondent, covering hacking, data security, and online safety. Many have either fallen victim personally to a cyberattack or know someone who has. But what exactly... is this growing threat? Who’s behind it, why are they doing it, and, most importantly, how can you protect yourself? Expect to learn what Scattered Spider is, if teenage hackers are the new digital cartel and why Russia is such a hotbed for hacking, when cyber security attacks will be treated as an act of war, the wild story of the hacker Julius Kivimäki, the fallout from the CrowdStrike attack that put the world at a standstill, if regulation of the dark web and crypto economy will ever evolve past what it is today, and much more…
Transcript
What's happening with Scattered Spider?
Well, Scattered Spider is the name of this very loosely coordinated collective of hackers
that are, we think, currently causing havoc around the UK and the US as well.
So I don't know if you've heard about the news of the M&S cyber attack and the Co-op cyber attack.
So there's a really big, if you're not in the UK, there's a really big
chain of supermarkets called M&S, very much loved over a hundred years old, one of the
pillars of the high street. Around Easter time, there was a cyber attack, which started causing
problems for M&S and it just got worse and worse and worse for them. Initially, they said, actually,
we can't take orders
on the internet, which for a massive company like M&S is really bad.
Then we started seeing logistics problems, empty shelves in some stores.
And then around the same time, there was a very similar attack on the Co-op.
Again, another big supermarket chain in the UK.
They also do funeral services and insurance as well.
That attack wasn't as bad, but again, we're seeing disruption at stores, empty shelves,
real chaos behind the scenes.
And around the same time, we saw an attack on Harrods, obviously the luxury retailer
in London.
So everyone's wondering what on earth is going on.
And things have got progressively worse.
And then we hear the last couple of days, there are attacks on US retailers as
well, and everyone is pointing towards this really infamous group called
Scattered Spider, and they're not a normal cyber crime gang.
They haven't named themselves that. They are, uh, you know, not very organized.
They come together on discord and telegram. Have you heard of Anonymous?
Yes.
Yeah, so they're a little bit like that, but more out for cyber crime and money and infamy than
hacktivism. One company called CrowdStrike started looking at this activity coming from
this corner of the cyber crime ecosystem and they said, who are these people?
They're doing the same kind of tricks to get into, into places.
So they nicknamed them Scattered Spider.
Spider is the name that CrowdStrike gives cybercrime groups and scattered
is, is what they, um, the term they give for, you know, because they're
loose and all over the place.
And actually I'm looking right now at the CrowdStrike Scattered Spider figurine.
It's very controversial actually that they've done this, but here you go.
So this is the, so they sell these on their merch website.
And like I say, quite controversial actually, because it kind of glamorizes these guys.
And there are some people who would say we shouldn't really glamorize cyber
criminals because the type of individuals that we think Scattered Spider are very
young, probably teenagers in the U S and UK, they will love the attention
of having their own figurine.
Do you think that social media platforms like Twitter have sort of changed what
hackers motivations are from just exploration or exploitation to now fame,
clout chasing, stuff like that?
Absolutely.
Yeah.
When I wrote this book, my publisher on the first draft, my publisher said,
now that's all great, but can you answer some questions as to how this has
happened and why this has happened?
They really challenged me and I worked for the BBC, so normally we've got to be very
careful about giving opinions and putting our necks on the line in terms of theories
about things.
It was quite good because I landed on this, there are two factors which I think have turned
teenage hackers from largely benevolent groups of
people that are out to make a name for themselves, but they're also out to make the internet
a safer place to where we are now, where we've got cybercrime gangs, teenage gangs that are
causing mayhem and trying to make money.
I think Twitter is a very, that you could kind of see at that point when Twitter becomes
mainstream, this shift starting to take place.
Because of course, before Twitter, social networks were about being social with your network.
Whereas Twitter sort of invented the idea of followers and retweets and likes and, you know, clout online.
And that's when we started seeing in 2011 when Twitter was really on the ascendancy.
We saw LulzSec, the first of this conveyor belt of teenage cybercrime gangs.
Yeah.
There's no one flexing their recent ransomware exploitation on that personal Facebook account.
That wouldn't work, but on Twitter that would be great.
Yeah, absolutely.
And we know from interviews with arrested hackers and convicted hackers, they loved
it.
They loved the attention back then.
And I think where we are now is slightly different because I think what we're seeing is they
have come off Twitter or X, whatever they're calling it.
And now it's more in the kind of insular communities, but they're still after that online clout
and that infamy.
It's just they're in their own channels in Telegram and Discord.
I was going to say, where do these people live?
Yeah, Telegram and Discord. Yeah. So if we're talking about Scattered Spider,
which very much formed the last part of my book, because I talk about the kind of
this gradual shift to where we are now, But Scattered Spider, they're part of this
larger collective known as the comm, the community, which is a group of thousands of online delinquents,
really, largely boys, obviously it always is, and they're causing mayhem and in some cases,
doing some really nasty stuff like sextortion. Do you know what sextortion is?
No.
So sextortion is this horrible sort of criminal harassment campaign where you trick someone into sending you nudes.
So I would, I might befriend someone on the internet and strike up a relationship,
a romantic relationship, send them some nudes that they think are of me, but I'm a criminal.
I'm a man, not the young girl they think I was.
Convince them into sending me nudes and then you start extorting them saying, if you don't
pay me, then I'm going to release all these pictures.
So we see that kind of activity in the comm and we see some really nasty stuff, some other
stuff like, there's some, it's really nasty, but, but like
cut signs, have you heard of cut signs?
No.
So like, you know, a fan sign where if you're a big fan of someone, you
will hold a sign up saying, I love them or you hold their name or their band
name, a cut sign is like that, but you literally cut into your own skin.
The names of hackers, the names of hackers that are extorting
you or, or. Wow. So the hackers are saying that you need to show me that you've self harmed my name
into your arm. Yeah. To show devotion or to make them feel powerful. There's a, excuse me, there's
a, a bit in my book where there's a gang called Lizard Squad that was around in 2014,
15, and they destroyed someone's online life. They hacked all of this kid's accounts.
In order to get them back, he had to make a cut sign and say, Lizard Squad made me do this.
Although people are really shocked about what we're seeing in the comm now,
this kind of activity has been around for a while. We know it's there. We've got the history for it. So Scattered Spider are part of this larger
online cyber crime nastiness. They're a very kind of small niche of this much
larger group of largely unskilled cyber people. You wouldn't even call them cyber
criminals, but then they come together with a little bit of skill and a lot of balls and take on
these big hacking campaigns.
It seems, I don't know, I have to assume that although M&S is a hundred year old institution,
I would like to think that the cyber security isn't a hundred years old.
How if you've got to have someone with talent, I assume, how do they get
into a system of any kind? Is this cyber hacking or is this social engineering or
is this some combination of the two? It's yes a combination of the two. I think
the initial entry is usually through social engineering. But to be honest with
you, I mean a lot of hacking is that. To get into a system,
it's not really like in the movies where you kind of hunch over a laptop, typing code furiously to
get in. Normally, it starts with an email that you can trick someone into downloading an attachment
or you call up. This is what we think happened with the latest attacks is that they call up the IT help desk
and they pretend to be a member of staff and they say, you know, I've forgotten my password.
Can you let me in please?
And it sounds so stupid, but it works.
And then what often happens is once they are in, that's when you would argue the hacking
starts.
That's when they find a vulnerability that allows them to spread themselves throughout the network, deploy ransomware, which is this type of malicious
software that scrambles a company or a victim's computer and systems and servers, makes that
data completely unreadable, useless, brings computers to their knees. And that is where
they send the ransom note saying, if you want the key, pay us in Bitcoin
a certain amount and we'll give it back to you.
And ransomware is by far the number one problem in cyber right now.
Right.
So this is social engineering, pretend to be Julie from reception who's locked herself
out, find the person who is sufficiently gullible or
doesn't stick to protocol and actually allows you in, in some ways.
Then you've got access to some intranet type system that means that you can access
other bits, maybe some more sort of spreading from there.
I would imagine maybe you, as that person emails someone else an attachment, which
gets you more access to how you level, you're thinking criminal.
Well, I'd look, what can I say?
I'm a, I am a young British man.
Um, but no, I mean, my password manager is a fucking mess.
So I would be bad at that.
It's good that you've got one.
Yes.
You're way, you're a way step ahead of most people.
If you've got a password manager, I had, who was the FBI's most wanted
guy, that hacker for a while.
Fuck.
Kevin Mitnick?
No, maybe he was on the show probably about three years ago or so.
And you know, he'd gone through all of this stuff that he'd done.
He'd broken himself out of jail twice and all of this bullshit.
And I got to the end of it and I was like, Hey man, I'm, I'm fucking terrified.
Like what, what, what do I do?
And he's like, dude, just use a, use a password manager.
Like the TLDR 90, 90, 10 solution is just get a password manager and use that.
So, uh,
Someone once said to me, there are, there are buckets of how difficult you are to
hack and hackers will always go for the easiest bucket.
Who can I hack?
Who uses the same passwords across multiple accounts?
Who uses weak passwords?
If you take yourself out of that easy bucket into the slightly harder bucket,
massively reduce your chance of getting hacked.
Yeah.
Why, like even if you're the target, but you're a difficult target,
there's so many more easy targets.
Fuck it.
We might as well go for them.
Okay.
So, ransomware, what this is, this can just totally debilitate computer systems,
companies, if M&S can't get eggs on the shelves, it seems it's pretty comprehensive.
Yeah, absolutely.
Ransomware completely cripples an organization.
It's like going back to medieval times, your pen and paper, you really are.
And sometimes we've had situations where ransomware has hit hospitals, for example, and they can't even function in any way you'd imagine. Like some of
the systems, some of the scanning systems they use in hospitals, for example, they've been infected
by ransomware. So they're down as well. So yeah, I would not want to be in an organization where
they've been hit with ransomware. M&S is going through a tough time.
I wonder whether, or probably more likely when, we will see the first vehicle hack.
Autonomous driving vehicles.
I drove from Palm Springs to Newport beach last week.
And I was in a, it was lovely. I mean, it was way too hot in Palm Springs, but I was in a
NIS, a rented Nissan Rogue, a new one.
And it had normal run of the mill, medium level trim Nissan Rogue.
And it had this radar guided cruise control and lane assist
that was keeping in lanes and would, if you just knocked the
indicator on would allow you to change it.
I was like, this is assisted autonomous driving in a fucking Nissan Rogue, right?
An old school petrol, two liter chug, chug, chug American car, like
Japanese American car in America.
And, uh, I just remember thinking I've been in Waymo's, Waymo is now
available on Uber here in Austin, and I thought, holy shit, like if these ransomware
attacks, you need, as the level of kinetic importance to people's lives increases,
the level of security around those systems needs to increase.
I have to assume you've thought about this, the autonomous driving and the potential risks
to cybersecurity.
Yeah, yeah.
We haven't seen anything like you're talking about, but I mean, yeah, it does seem almost
inevitable that someone will find a way to cause havoc with autonomous driving.
It's a bleak thought.
But of course the companies that are behind these cars, they know that too.
And you hope and you pray that they are pretty much on top of security.
Jesus Christ, Joe, we've got to the point of hope and prayer.
Forget your password manager, just get on your knees and you know.
Have you read a book called Robopocalypse?
No. It's so good.
Spielberg bought the rights to it a few years ago. He never actually did anything with them,
but it would make and is going to make an awesome movie if they ever make it one day.
So in that book, it's about how AI kills us all. And one of the ways that they initially get that
first kind of like 50% of humanity dead is they take
over the driverless cars and the description of what can happen is, it's
always, it's always stuck with me. But not to scare anyone, that's not gonna happen.
It's gonna be fine. It's gonna be fine. Okay, they are super duper cyber secure,
I'm sure. Yeah, well, yeah, up until, up until you're reporting on it for BBC
News, mate, and then, and then I'm going to ring in, I'm going to say, Joe said to me, I'm locked
inside of my Tesla, which I don't yet own, in Austin, Texas, people from outside
are trying to molotov cocktail it, people from inside are trying to hack it.
I'm fucked.
Okay.
So-
On that point, there was very recently, only like three weeks ago, some tech CEO in
some American company, or city, I can't remember which one.
It was a self-driving city, so whatever.
Maybe San Fran or Austin or something like that.
He was stuck in one of these cars and it just kept going around the car park and he couldn't
get it to stop.
And it was funny, but also like, hmm, a bit worrying.
I've got, look, you're the guy for me to give this take to.
I've said this before, but I have switched off, uh, the autonomous toggle
on Uber in Austin.
So you just, it's on, on the backend of the settings.
Do you want to be more likely to be matched with an autonomous vehicle?
And I've said, no reason being every time that there is a vehicle that's 10 minutes
away, that's a Waymo, it takes 20 minutes to get to me every single time.
And every single time that we do the journey, they say it's going to take 15 minutes for
me to get home from the East side of town or whatever.
And it always takes nearly double.
And I realized why.
And it's because Waymos outwardly are so obvious that these big like bulbous clunky things,
Lidar on top and additional Jaguar shit,
and it's white, so it really stands out.
I think there's two reasons why humans behave on the road.
One is because of fear of retribution,
especially in America with a very heavily armed populace.
The second one is guilt,
sort of inconveniencing somebody else. So it's safety and, and, and human fucking decency, I suppose, is the two.
The problem is when you see a Waymo, there's no one in the driver's seat
and you can't see if there's anybody in the back.
So they just get cucked at every single junction.
No one lets them out.
Everybody's like, pedestrians will just, I will too.
When I go on a walk around Austin, I'll just happily walk out.
I'm like, it's a hundred feet away.
It's going to 30 miles.
It'll slow down.
I'll be fine.
You wouldn't do that if there was a human driving a car.
So it means that until you can program in retributive tailgating and beeping the
horn and flashing the lights from the Waymo to somebody else, or until you end up with more than 50% of the cars on the
road being autonomous, you don't have this level of coordinate.
It's an arms race, right?
It's an arm, it's an arms race of, uh, uh, like being mean as drivers.
And unfortunately the Waymo has come without any ammunition.
Tesla self-driving people got ahold of this take online and said that that's different
because Tesla self-driving is trained on real drivers.
So you do have more natural merging, sort of more aggressive driving styles are built
in because competent drivers are the drivers that this has been built on, whereas Tesla focused on software, Waymo focused on
hardware and yeah, with Waymo, it's just, it's like being in the back of the car
with your mum all the time.
Is that Tesla thing true?
Have you, have you done a comparison?
No, I've never been in a Tesla that's got full self-driving.
Uh, but I also know that the Tesla full self-driving community online
is, um, like very evangelist.
It's like oddly militant.
So I don't know.
I guess I'll wait and see until I get into one.
But yeah, that's my current working thesis on autonomous vehicles.
I thought you were going to say you don't do that because of like the safety concerns,
but actually, yeah, I also thought you were going to say they're slow because they're
slow and like,
they're very safe, aren't they? But no, I hadn't appreciated the other people on the roads.
Even engineering.
Going back to the youth, these youths online,
I think I've heard you say that today's youth hacking culture has tipped from chaotic good into chaotic evil, apart from clout.
Is there anything else that's triggered some moral decline in this scene?
Yeah.
So we mentioned earlier about the rise of Twitter.
I would put that very much as one of the reasons we've seen this shift.
I would also say the rise of Bitcoin as well, because if you think about when
Bitcoin started
becoming valuable and useful as a store of value or as something you could buy things
with, sort of 2011, 12, 13, that's when we saw this shift.
Certainly looking at some of the people I do in my book, they go from not even thinking
about money, just doing it for the lulz and for the clout to thinking, hang on a minute, I can make some money here.
And as soon as you start introducing Bitcoin into the lives of young teenage
boys, you're looking at trouble.
Hmm.
So without cryptocurrency, would this be even harder again?
Yeah.
I think without cryptocurrency, a lot of cybercrime that happens these days would
be a lot harder.
Because the great thing about crypto, of course, if you're a cyber criminal, is that I can
steal crypto or I can extort crypto from someone.
And then it goes to my wallet and people don't know who I am.
No banks can stop that.
And if I can find a way and it's becoming harder now, but if I can find a way to launder that Bitcoin, I can get it out of the system, turn it into money I can use, happy days.
Without Bitcoin, you get things like bank card fraud, that kind of thing. We did see that in
some of the early days of hacking, but of course, that's easy to trace and track and stop if you're a bank. And one of the guys in the book, the main hacker that we follow who started as a teenage cybercriminal ended up becoming one of the most wanted criminals in the world.
He started by carding, which is where you take credit cards and you use the numbers and the details to spend without the owner knowing.
And the banks usually reimburse the owner. What's
interesting about that is when they first arrest him and they're going through all the bank receipts,
they work out he spent about 33,000 euros, which you'd think that's quite a lot of money for,
I think he was like 15, 16. When you look at the things he's spending the money on,
it's of course what you would do. We've both been 14, 15 year old boys. It's PlayStation games. It's
the latest phone. It's Netflix subscription. He even went and bought some land. He bought
like a little bit of land to call himself a Lord, like Highland Titles.
And that's what you would do if you had unlimited money.
But of course, the problem with that is when you get arrested, it's all there
and the police have got it all.
And, you know, it's very hard to hide from.
Whereas cryptocurrency makes that way easier.
The other way that you could do it, I'm not giving anyone any ideas, because
this is how some cyber criminals work is through gift cards.
So you don't say to someone, send me $200 in a ransom, for example, you
say send me $200 worth of gift cards, and then you can sell those online for $190.
So then you get, you know, you have to shave a little bit off each time.
Oh, okay.
That's interesting.
But they're untraceable.
So.
You've said, uh, teenage hackers are sort of a kind of digital cartel.
Should we be thinking about them more like organized crime
than bored kids in bedrooms?
What's the tension there?
Well, I think, um, modern ransomware groups, for example, these really, really well-run, highly
organized money-oriented gangs like, I don't know, Evil Corp or LockBit, there's loads
of them.
Conti was another one.
They are like modern cartels.
They are run with, you know, there's someone who develops the malware.
There's someone that sends out the phishing emails.
There's someone that does the extortion negotiations.
There's 24 seven customer service on the dark net websites for these things.
But the teenage hacking gangs, they are slightly different.
They're becoming more organized now with the likes of Scattered Spider, but
it is a different type of culture.
It's more of a hacking culture than a hacking organization.
I wouldn't necessarily put them in the same bracket, but certainly if you look at the
rise of the teenage hacking gangs, every single step of the way, they've been underestimated.
There's a researcher called Allison Nixon, who she features quite a lot in my research.
She came up with this new phrase for these types of gangs.
She calls them NPTs, which stands for noob persistent threats.
So they're newbies, they're noobs, but it's a play on this very
famous and well-used term, APTs, which stands for advanced persistent threat.
So she's sort of poking fun at them, but she says, you know, they're
not advanced, but they are persistent and they are a threat and we should take them seriously.
And to be honest, I've been doing this job quite a long time now and we don't,
we don't take them seriously.
Every time there's a case like we're seeing right now in the UK, people are shocked.
How can this be done by teenagers from their bedrooms?
Well, we know from history that this is how they work.
They've just rolled the dice enough times.
They just keep on going.
Yeah.
And also they, they don't really care about getting caught.
This is the other thing about these, these teenage gangs, unlike the cyber
crime gangs that are based in Russia or places where law
enforcement in the West can't really get them.
These guys are very grab-able.
They're very get-able.
In the last about year and a half, there's been six arrests of teenagers and early twenties
hackers that are thought to be from the Scattered Spider culture or community because they're
in the UK and the US and
they don't, they don't protect themselves very well.
They don't actually disguise their voices when they call up IT desks,
pretending to be someone else, stuff like that, you know, like it's called
operational security and these groups, these NPTs are terrible at it because
they don't seem to care.
What are the patterns or dynamics about how young kids get pulled into these communities
online?
What's the typical trajectory of one of these people?
It's nearly always the same.
Every single hacker I've ever met has had the same pathway.
It's computer games.
So Minecraft or RuneScape or whatever it is, probably Fortnite these
days, probably still Minecraft, it's so popular. So you get into gaming and you play with your
mates, and then you start wanting to be better. So you buy some extra bits for your character
or you find some shortcuts, some cheats. Then you find yourself on a hacking forum and you
find ways to become better at the game and cheat the game. Then you find yourself sort of drawn away from the game
and drawn towards more fun ways to have fun on the internet, i.e. hacking. And it always starts off
as just a bit of fun. See, well, what happens if I type that in there? What happens if I go into
this server over here? Oh, where am I? This is exciting.
Then it's, oh, quick, you escape. Oh, that was wrong. I shouldn't have been there. Then it's, hang on a minute, what else can I do? Then it goes on from there. Then as soon as you start bringing
money into it, Bitcoin, then it can quite quickly become serious cybercrime. That is the path that
I have personally seen, speaking to all the
hackers that I've interviewed over the years, but also the NCA, the National
Crime Agency in 2015, they did a kind of massive research of all the convicted
cyber criminals and it was exactly the same.
It was step one gaming, step two gaming cheats all the way down until serious
cyber crime.
So it is a cliche, but it's true.
Hmm. Where are most of these people?
You've mentioned Russia.
I always say when I think hacking group, I just think, oh, it's the, what is it?
IRA or whatever in, in Russia or some,
Oh, GRU.
GRU.
So whatever.
There's loads of them, loads of acronyms.
Uh, what is it?
What, where, where are the role of these? You mentioned these two are notable, or at least Scattered Spider's notable
because they're primarily English speaking in the US and the UK, but
that's a rarity, I guess.
It is, yeah.
That's probably why they're so interesting as well, because we're like,
well, hang on a minute, they could be upstairs in the bedroom.
So if you're looking at the kind of crime ecosystem, these are the people that
are out to make money, defrauding, stealing money, extortion, ransomware, all that kind of stuff.
They could be anywhere, but the biggest gangs are organized and run, we think, from Russia,
Eastern Europe. We know this because there are lots of, lots of kind of like hints that you get.
So for example, I spoke to a guy who deals with, um, ransomware negotiations.
And I said, how, how can you be so sure that they're in Russia?
And he said, well, they speak and they plan in Russian on Russian forums.
They, um, work in Moscow hours and they don't ever answer you on public holidays in Russia.
There's a few hints there.
But of course, the actual affiliates, the people that are carrying out the everyday
attacks, we don't know where they are.
They could be anywhere.
There was a very famous arrest of an IT expert in Canada, who was an upstanding citizen of the Canadian IT scene.
And he was working for a Russian cybercrime gang called NetWalker. And I actually, on that one,
it was really interesting because one of my contacts sent me the negotiation portal
for when NetWalker was extorting this university. And it was during the pandemic.
And I was over the course of about three weeks, I watched this negotiation, this extortion take place.
What, what, what, what do you mean by the portal?
Like a chat type thing?
Yeah.
So if you, um, if you get hit with ransomware, you'll have on your screen, on
your computer or pop up saying, Hey, you've been hit by ransomware, go to this
dark net website, um, which is like a
jumble of numbers and letters dot onion.
Um, and we can start the, start the negotiation.
They always, it's really, really kind of like irritating and frustrating, but they always like frame themselves as, um, we are here to help follow this link.
We will help you, you know, we'll get you through this.
And of course they're the, they're the bastards who are trying to extort you out. But it was fascinating watching this NetWalker
ransomware group extort San Francisco. I think it was the Southern California University or
something. And they were like, this is during the pandemic, we are working on a vaccine, please,
we haven't got any money, leave us alone. And they're like, how much you got? And they're like, yeah, $750,000.
That's nothing. I can't even buy McDonald's with that. Send more. And it ended up, they paid,
I think it was $1.2 million to these guys.
Anyway, so he turned out to be in Canada, but most we think, if you look at the arrests, they could be anywhere, but they are normally based in Russia.
Then you've got North Korea.
They are very, very big on the hacking scene.
But what's really interesting about North Korea is they're the only country that we
know of in the world that as well as doing cyber spying,
which we all do, every country does it, UK and US all over it. But North Korea does that,
plus they steal cryptocurrency and they are very, very good at it. They just stole,
oh my, what was it now? I think it was like, I can't even remember. It was like $1.5 billion.
The country of North Korea or?
The country of North Korea has a cyber team that they've always denied this, of
course, but they have a cyber team that is dedicated to making money for the
regime by hacking and they used to do banks, but now they do cryptocurrency
companies, but they're unusual.
Most countries don't have that. Most countries just have their cyber spies and they're out to
project power, steal secrets. In some cases, they'll be used in military. So Russia, we know,
has hacked against Ukraine in the war, for example. But most cybercrime is done by criminals who could be anywhere, but are largely organized
in Russia and Eastern Europe.
Why is that area of the world such a hotbed?
Have they got lax internal scrutiny from the law enforcement?
Is it side-eye allowed by the state to try and fuck up everybody else?
What's going on?
Well, yes. So there's this golden rule, if you're a Russian cyber criminal, which is
you do not hack Russia or former Soviet states. It's like a kind of unwritten rule. If you do,
you get in lots and lots of trouble. And there was a cyber crime gang called REvil or R-Evil.
And they were allowed to kind of just run amok for years and years, hacking left,
right and center Western companies, causing huge amounts of problems.
But then, so the story goes, they accidentally hacked Russia and then suddenly there were some
arrests. So yeah, there is that kind of culture in Russia. Obviously the Russian government denies this every single time it comes up.
There was this summit between Biden and Putin.
When was that now?
2021, I think.
It came off the back of some absolutely horrendous ransomware attacks, one of
which was against Colonial Pipeline, which is a really important part of the
US petrol and oil infrastructure.
And it meant that there was shortages at pumps and panic buying and there was no fuel going
up and down the East Coast.
So this conversation between Biden and Putin, according to him was like, you've got to stop
your people hacking.
This is no good.
And Putin was like, it's not us.
We get hacked too. But the evidence really is not really there for that.
How close are we to seeing cyber attacks being treated as acts of war?
Well, there's this thing called, I think it's Article 5 in NATO, which means that when you get
attacked and it's a confirmed attack, then everyone else piles in. It's one of the founding parts of NATO, one of the tenets. And some people have
said what we've seen in Ukraine, sorry, with the attacks against Colonial Pipeline and others is,
oh, could this be Article 5? There was another attack on US government, SolarWinds attack, thought
to be from Russia. People were saying maybe that crosses the threshold, but I think people are very, very scared to bring cyber in the same, anywhere near the same kind of, um,
seriousness as a, as a missile.
When in fact, sometimes the damage can be, you know, can be just as bad.
What was that one that tried to get, was it Iranian nuclear reactors and it waited around the Stuxnet?
Can you tell me the story behind that?
Oh, just like, unbelievable.
You have to take your hats off to them.
So Stuxnet was an attack by, they've never admitted it, but Israel and the
US against Iran, and they were very worried about the uranium enrichment
helping to create nuclear weapons for Iran.
According to the story, the president at the time said, right, well, what can we do to
slow them down?
Someone said, let's hack them.
The Stuxnet virus was so specifically and perfectly targeted that it only infected that certain system.
I think they spread it through USB sticks or something. They dropped them in the car park.
Absolutely brilliant. It's dumb, but it works. That's what they always say in cyber. It sounds
dumb, but if it works, it's not dumb. It managed to get inside the system of this very specific machinery that they were using in the Natanz
refinery. It sped up the refinery centrifuges so fast that it caused, apparently, we don't know,
because obviously Iran would never admit it, but we think it caused physical damage and potentially
broke some of those centrifuges and slowed them down. We don't know how much it slowed them down.
We don't know how much damage was done, but it's largely been, you know,
hailed as one of the most impressive cyber attacks of all time.
Didn't it, it was infected some insane percentage of computers around the world as well.
Like loads and loads of machines had it, but it just, it didn't do anything.
It was just, is this, is this computer attached to an Iranian nuclear facility?
No.
All right, just chill out.
Nothing for you to do.
Maybe you'll get, maybe you'll meet someone in future that is, and it
just did that over and over again.
That's it.
And it's really targeted, really precise.
And there have been cases where a country is blamed for releasing something like
that, an uncontrollable worm that's got out of hand.
So there's this one called NotPetya, which was 2017, I think it was.
And it was, well, again, Russia would never admit this, but it was thought to be from
Russia against Ukraine.
They hacked into a really popular accountancy software that the Ukrainians used.
It was a worm that spread uncontrollably and it was a fake ransomware.
Normally, the thing comes up and it says, pay this and you'll get your files back.
With NotPetya, it was a shredder. It was fake. Even if you paid,
you wouldn't get anything back. And that spread from Ukraine all over the world, hundreds
of countries affected by this. And it caused, they think, the most damage of any hack ever.
I can't remember the figure now, but it was... I know one company lost a billion, Maersk, the logistics company, they were back to pen and paper.
So they had ships coming into harbors.
They didn't even know what was on the ships.
They didn't know how to unload it, where it was going.
Absolute carnage.
And it cost them well over a billion.
I can't remember the details of that.
This is like the Wuhan Institute of Virology equivalent of a online worm.
And you can't stop it.
The only way to stop it is to inoculate all the computers so that if you get it,
they don't get ill.
It's like a vaccine around the world.
Yeah.
What are the ways that cybersecurity firms find these sorts of hackers?
Like what is it?
I know TTP is sort of part of this, but I don't know.
If you're good enough to construct a worm that does ransomware and scrambles
and does all the rest of it, I have to assume that you're good enough to be able
to hide your tracks.
So it's, yeah.
How did the security companies track down who caused it? Well, a lot of it is follow the money,
because if you can follow the trail of cryptocurrency and Bitcoin, then you might
be able to get them. But thinking about that, there's a part in my book where Julius Kivimaki,
this guy that we follow all the way through,
he gets caught. One of the ways that they find out it's him is because he does the biggest self-own
in cybercrime history, an absolute monster of a blunder. Someone in the book called Antti Kurittu,
who's a cyber expert, he says that everyone thinks that cybercriminals are masterminds when
they're carrying out the hacks, but they're not masterminds at covering their tracks. They often get a bit lazy or a bit
arrogant about that part of it because operational security is really, really hard.
This guy, Kivimaki, he starts sending out, he's got all these, the patient data of psychotherapy
patients all over Finland, 33,000 people.
He's managed to steal all the notes from the therapists.
So he starts extorting the company by releasing every day, 100 new records.
And yeah, this is the kind of stuff that you do not want on the internet.
Like the stuff you say to your therapist is the most sensitive information
probably that you could ever hope that stays safe. So day one, 100 records. Day two, this
is on the dark net. Day two, another 100 records. Day three, another 100 records. But then he
says to make it easier for all the people on the forum, here's a bulk download. So you
can download all 300 patient data notes instead of having to do one after the other.
Then he goes to bed.
And then what he doesn't realize is he's accidentally uploaded the entire database of 33,000 patients.
So he's given away all his bargaining chips, but also he's accidentally uploaded his entire
home directory for his computer.
So it's like, for example, I want to send you an email.
I accidentally send all the emails in my inbox and all the attachments and every
folder on my desktop as well.
So the police found this in the morning and they obviously downloaded it as quick
as they could, he woke up and he realized that what he'd done and he starts deleting
files from the
server, the police find an IP address, which is an internet protocol, which tells you roughly where
the physical computer is. They find an IP address in that home directory accidental dump for a
cloud server company, which is only half an hour away from them in Helsinki. So there's this race
against Ransom Man, that's what he's called, deleting everything as he's going, because they've
got this massive server that could potentially give them all the clues they need. They get to the
server farm, pull out the internet cable, severing Ransom Man from his server. I put it like this,
if you imagine a drug dealer, the cops are arriving, he's
trying to flush all the cocaine, but then suddenly, I don't know.
They cut off the water or something.
Exactly. Something like that. So he's nothing he can do. So then they had this massive server
full of all the evidence they needed to track him down.
It was a little bit harder than that.
Um, he did, he did try and use aliases and that kind of thing, but there was
just so much there on that server that led them back to him and that's what led
to ultimately led to his conviction.
So it's that kind of thing, those mistakes that can be made.
It's Ross Ulbricht at gmail.com.
Yes, that kind of thing.
Yeah.
Yeah.
Yeah.
Like if you're going to start the biggest online drug selling network in human history,
make sure that your old forum posts aren't linked to your name at gmail.com.
But that's a really good example, isn't it, of how someone's online presence can start,
you know, innocently enough.
You're building something, you're a software developer, you're just asking for advice.
You don't know that in five years time, you're a massive mastermind.
Yeah, you've got to future proof yourself.
Be careful what RuneScape username you use in 2012 because God knows where
you're going to end up 14 years later.
Yeah. Okay. Yeah.
Okay.
So, I welcome our internet overlords.
My operational security is horrible.
Uh, okay.
So another hack that I knew about, one of the most famous ones, uh, the
Christmas hack of computer games.
And it seems like this sort of kicks off a lot of the story that you've been following.
So what, what first drew you to this? What's the story behind the Lizard Squad?
Give me the, give me the overview.
Yeah.
So, 2014 Christmas time, there was a ginormous DDoS attack, which is a
very low level form of hacking.
It's like, I liken it to when Glastonbury tickets go on sale,
everyone lands on the website and accidentally the website crashes.
It's like that really in cyber crime.
If you get enough traffic into a server or a website, you can bring it down.
So the Lizard Squad were part of this, as I said earlier, this conveyor belt of
these teen hacking gangs, these NPTs that emerged in 2010s. They decided they were going to
go after not just Xbox Live, but PlayStation Network as well. I still don't really know how
they did it, but they managed to bring these services down for hours and hours on what was
the busiest time of year, Christmas Eve, Christmas Day, Boxing Day. So that was coincidentally, like that was the first story I ever covered.
And I went into the Sky News, I used to work for Sky News, and I walked into the Sky News
newsroom, I think it was like very early on Boxing Day or the day after Boxing Day.
And they said to me, have you heard about this massive hack these kids have done?
I was like, what are you talking about?
No.
So then I looked into it and I couldn't believe the power that these kids could wield.
I found it absolutely fascinating.
So my news editor came over to me and he said, Ryley's called, who's the head of Sky News,
he says he wants a lizard on air tonight.
So I was like, right, how on earth am I going to get one of these anonymous
lizard squad hackers to do a TV interview in, you know, six hours, seven hours,
whatever it was.
So anyway, I managed to find one and it turned out to be, um, this kid who was,
I think he was 16 at the time, 17, uh, calling himself Ryan.
And we did an interview and it was, uh,
You jumped ahead. How'd you find him?
Oh, just like going after person who says they're involved and then that turns out they're not then another person, then another, I don't even know.
I couldn't tell you how I got to him, but in, I went through,
I know one of the people I went through was this guy called Vinnie,
who was part of Lizard Squad. It's kind of like an adjacent member. He didn't, he said he didn't really do anything for them.
And I believe him and he was cleared of all wrongdoing.
And he actually lived in Twickenham,
which was like three miles away from the Sky Newsroom.
So he promised he would get me this kid, Ryan,
who was a part of the gang that took out
these gaming services.
So anyway, I did this interview with Ryan, who it turned out was Julius Kivimaki.
That's one of the aliases he used was Ryan.
That really sparked off in my mind this fascination I've had ever since with cybercrime.
I've tried to keep tabs on Ryan or Julius ever since, but then the trail ran cold because
he disappeared for a while.
So then when he pops up as potentially the person behind this ginormous hack in Finland
on the psychotherapy centers called Vastaamo, I thought, wow, he has had a career.
My money, Kivimaki is the most hated hacker in history, not just because of the Vastaamo
hack and the PlayStation and Xbox one, but also there are lots of times in that sort
of 10, 12 year cybercrime career where he has done some really hateful, nasty stuff
to not only people that he wanted to go after,
but fellow hackers as well.
What like?
So there was a Sony executive called John Smedley who fought back a bit on Twitter against
Lizard Squad.
He was like, he wouldn't, it used to be a prolific tweeter and he sort of fired back
some tweets against these kids and they
didn't like it.
They went after him pretty badly.
One of the things that Kivimaki did was he found out that John Smedley was flying from
Phoenix to Houston or somewhere.
I can't remember where it was.
He convinced the airline that there was a bomb on John Smedley's flight.
And it had to get escorted by fighter jet to a different airport where he was,
um, he was questioned at gunpoint and all sorts of stuff like that.
Um, and there, there is a litany of situations, uh, and incidents where
Kivimaki has done some really horrible things.
What you said about, um, what he's done to other hackers as well.
What's in that list?
Well, there was a kid called Blair Strater who I spoke to in the book and
Kivimaki led probably a three-year harassment campaign against him.
Have you heard of swatting?
Not swatting?
Yes.
Yes.
Where you pretend you, you call up the police and you say, there's a.
I'm one or whatever.
Yeah.
Um, and, and the SWAT team arrive and, and it's really dangerous and people
have died, um, so they would do that all day, all night for months against Blair
Strater. They've also got this weird thing, which is still a thing now.
I don't really understand it, but it's when you get doxxed, your documents come
online, so that means that everyone knows where you live, your real name, all that
stuff.
So for a hacker, that's a pretty bad situation to be in if you're doxxed.
Cause you, you know, the whole point of it is you're anonymous and you're powerful
and you're, you know, you can disappear at any moment.
So with Blair,
they doxed him and then Kivimaki and others would send him pizzas, Chinese takeaways,
all these kind of deliveries. At one stage, a lorryload of sand and gravel arrived at his house.
Personally, if a free pizza turned up at my house, I'd be happy about it. But when you talk to people who have been victims of this for months, it becomes horrible because you are on edge the whole time
and the delivery drivers won't pay if you haven't paid them and they get annoyed with you.
So that kind of harassment is not nice. There was an article written by another journalist called
Kevin Roose who interviewed the Strater family around this time when it was really bad.
And the article was called Haunted by Hackers.
And I've always thought that's such a good headline because for Blair Strater and his
family, that's what it was like.
Yeah, it's ruthless, man.
Okay.
So you sit down with this guy.
You don't know.
I mean, this is what 2014?
2014.
Yeah.
Yeah.
The first time you do it.
Um, what stuck with you from that first interview?
Just, just complete lack of remorse, caring, um, smirking throughout the entire interview.
A lot of honesty.
He didn't sort of make up, uh, sort of-
So he didn't hide his face?
No, not at all.
Not at all. No, no, he, he turned up, uh, to the Sky News interview on, on Skype.
Fully, uh, didn't disguise his voice, his face didn't give a damn.
Surely that's a bad idea.
This is what I'm saying.
OPSEC is terrible.
These NPT-
No, that's it.
But surely that's something different.
That to me seems like operational security is covering your tracks.
That seems more like a purposeful middle finger.
Absolutely. Oh yeah. And don't forget, well, you don't know this, I don't know how far you got in
the book, but at this point, Kivimaki was already under investigation. He'd already been arrested.
He was on bail. So you've got to factor that in.
Wow.
But, you know, Kivimaki and there's a few others like him in the last kind of 10, 15
years, they're a different breed.
So you've got the MPTs who don't care, they're out to cause chaos, get some money, a bit
of infamy.
Then you've got the kind of, Alison Nixon, the researcher I mentioned earlier, she calls
them the centers of gravity.
There are certain teenage hackers who they are the center of their gangs and everyone
follows their lead.
And you don't necessarily have to be the most technical to be that center of gravity, but
you have to be the most ballsy, anarchistic.
Charismatic.
Charismatic. Charismatic.
And you don't care.
And the thing about that Christmas day hack was he appeared on the interview, fully face
and voice.
And yes, it came very quickly afterwards.
There was a knock on his door by the Finnish police.
But they never got him on anything.
All the things he told me, either they didn't find evidence or they were too
busy on his other cases to look into it.
But as far as I'm aware, and if you look at his court records, none of that was
taken into account with any subsequent convictions.
Do you know what he did in between that and the mental health hack?
Not really.
I know that he traveled a lot.
I know that he was carrying a lot of Bitcoin.
I spoke to one fellow Lizard Squad hacker who he went out with in the Netherlands
on a jolly and he was carrying a hardware crypto wallet and it had something like
$50,000 worth of Bitcoin in.
And that was apparently just his holiday spending money.
And of course, that Bitcoin now would be worth something like 12 million.
But you're right, there is this gap in his story, which I would love to find out what
happened.
But the actual hack happened in 2018.
So he stole the Vastaamo database of psychotherapy patient notes in 2018. So there
wasn't like a huge gap, it didn't go to 2020, but yeah, there was a gap. There is a suggestion
by a Finnish journalist, which is yet to be confirmed and it's all alleged and huge pinch
of salt with this because we don't know if this is true, but he thinks
that Kivimaki might be involved in a hacking cybercrime thing that happened around that
time, which was, Kivimaki aside, whoever did this, it's like the perfect crime.
What they did, I'm not going to say Kivimaki because we don't know if it was him, but what
they did was they found a website on the ClearWeb, so that's the internet that we all know and love, that was advertising darknet drugs marketplaces.
So it had links for the darknet links. So like, as I say, jumbleofnumbersandletters.onion, he hacked into that and then changed the links for those darknet websites to his
own fake darknet marketplaces, which had all the things you would imagine like buy your
Coke here, buy your MDMA here, but all the money going into that marketplace was going
into his pocket.
And I spoke to the police about this.
I was like, if that is Kivimaki, why aren't you looking into that?
Like, why isn't that part of your investigations now that he's behind bars?
You know, aren't you investigating this?
And the guy, Marko Leponen, the Finnish police officer said, we
haven't got any complaints.
There are no victims.
Because of course no one's complaining.
No one's complaining.
The cocaine that I tried to buy on the dark web, I didn't receive my order for that.
Exactly.
It's the perfect crime.
The perfect crime.
But anyway, I don't know who's behind that one, but there is some vague
suggestion that some journalists have made.
How did he do the Vastaamo hack?
Do you know?
Yes. It was, it took about four minutes. It was, it was awful.
The security at Vastaamo was terrible and there have been convictions.
The CEO has been convicted.
He's appealing it, but the cyber security practices at that company were very, very poor.
So he did a scan of open servers with no passwords.
He logged in, saw it all there, downloaded it.
It must have been, well, no one knows why he did it in 2018, but then he
didn't do the extortion until 2020.
But my theory is he couldn't believe his luck.
He downloaded it and then sort of sat with it for a long time.
Waiting to see if someone's realized.
I think so.
Because of course, at some point, we don't know why in 2020, he decided
to extort the company, which went wrong.
Ran out of Bitcoin to party with.
You know what I mean?
I need to, I need to fund the party fund.
But that was, that's my other, that's my, the other really mysterious thing
about this character is that, um, we don't know why he did it because
apparently he did have enough money.
Apparently he was and is very wealthy.
The court fees alone, the lawyer's fees to try and defend himself, absolutely
humongous and part of his defense was, why would I do this?
I've got loads of money.
And then they say, well, how much money have you got?
And he says, I can't remember.
It fluctuates by the day based on what the price of Bitcoin is.
So why did that hack hit differently?
What was it about the Vastaamo hack that caused such uproar?
Well data breaches happen all the time.
Data stolen from people all the time, from companies all the time.
And to be honest, it's a kind of just like a little bubbling thing that happens in life
all the time.
And we kind of like take it for granted.
There aren't many situations where people
actually are badly affected by that. But when you've got a group of people who are already
vulnerable because they're in therapy, some of them have had horrendous lives, childhoods,
some of them are children. And when you get that kind of insight into their lives through the psychotherapy notes
that the therapist is writing down, like I said earlier, that kind of data is the most
precious of them all, isn't it?
So that in itself is pretty bad.
Stealing that data is pretty bad.
But then what happened next was run of the mill. So he went to the CEO of Vastaamo and he said, give me 400,000 euros worth of Bitcoin and
I won't publish the data on the internet.
That didn't work.
So then he started releasing them on the internet on the darknet as I described, 100 a day,
which would have carried on if he hadn't have messed it up.
And then after that, he went the step even further and he sent out emails to every single
one of the victims he could find email addresses for, which is about 27,000 people.
And they all received an email in their inbox on Saturday night after they got out of the
sauna in Finland, because everyone has a sauna in Finland on a Saturday night.
And they saw in their inboxes an email from Ransom Man saying,
I have got your notes, pay me now, or I will put them on the internet.
And if you can imagine the kind of impact that would have on you or on me,
that's horrendous, but you've got to put yourself in the position of people who
are already in the lowest of low.
And I spoke to lots of the victims and some of these people have still got
PTSD and some of these people are scared to leave the house and the long-term impact is
absolutely horrendous. Although the evidence has never been presented, the lawyer that represents
about 4,000 of the victims, she says that two of the families have said that people have
taken their lives over this.
Did he send that extortion email after he accidentally leaked all 33,000?
Yep.
Right.
Okay.
So he was the last, a last roll of the dice to see if he could make some money out of it.
Yeah.
Yeah.
Okay. So he, faceplant, he, Ross Ulbricht at gmail.com, his own computer onto a server.
The police realized it's 30 minutes away.
They get in the car, they run down there, they unplug the computer,
the internet from the servers.
They now have the servers and they start to do cyber forensic stuff.
Yep.
Took a long time, but they managed to come up with a name.
The funny thing was of course, even before the servers, people were
wondering, could this be Julius Kivimaki?
Cause he was so infamous in Finland by that stage as all the teenage stuff he'd done. And then in I think it was 2022,
they decided they had their man and they wanted to start finding him, but they couldn't find him. So I think it was late 2022 that they put out an Interpol red notice for him. So they didn't know
where he was. They had a feeling that he was somewhere in Europe, but they didn't know where.
So they put out that it's a bit of a nuclear option actually and a bit controversial because
Kivimaki has always said they could have just asked me and I would have come back.
Whether or not he would have done, I don't know.
Anyway, so this Interpol red notice went out for him and the detectives in Finland kind
of just got on with other cases.
I don't know what a red notice is.
What is that?
Oh, sorry.
It means that if you are found anywhere in the world, if you've got a red notice out
for your arrest, they can arrest you like that.
And then they send you back to wherever the Interpol red notice came from.
Assuming you're somewhere that's got extradition.
Oh yeah.
Yeah.
Yeah.
Should have gotten to North Korea. Could have been a really good country.
That's his mistake.
So they put this notice out and then they kind of got on with other things.
And then remarkably, there was this stroke of luck in Paris whereby someone called in a domestic
incident disturbance in the early hours of, I think it was February
2024.
And the police, the French police went to the house and they were expecting it to be
a woman being abused or something like that.
And they opened the door and everything was fine and there wasn't any danger.
And this man, it was after a night out, so I think he was a bit hung over and still asleep.
They dragged him out of his bed and they just did some ID checks.
And he was traveling on a passport for someone called Asan Ahmet, which is a Romanian passport.
And they were like, well, hang on a minute.
This guy's six foot four green eyes does not look like a Romanian called Asan Ahmet.
So they ran some checks and somehow they unearthed the fact that this was Julius
Kivimaki.
So they arrested him on the spot and took him back to the-
Do you know what the disturbance was?
Well, the call went out from a woman who'd been out with the woman and Kivimaki
that night, and apparently there'd been a
big row and she hadn't answered her phone and he was being abusive and aggressive.
But then if you ask Kivimaki, which some journalists did afterwards,
apparently it was someone who knew that he was hiding. They did it deliberately to get police
to know where he was.
Again, not a very liked person.
Yeah, he doesn't seem like a good guy. Okay.
So he then gets extradited from France?
Back to Finland.
Yep.
Back to Finland.
And then so begins this months long time period where they were putting together the case against
him in time for
the trial, which was in 2014, no, 2034, sorry, and led to his conviction.
And what was the court trial process like?
Claims, defenses, and the sentence and all of that.
Yeah. So, um, the police had a giant folder of evidence against him, not only for the
hacking, but also for the blackmail.
It took police ages to get that evidence together for the, for the actual
blackmail part of it, because they had to go to, um, they wouldn't say which
US tech giant, but they had to go and kind of get some evidence from them.
And it literally took 18 months
for Google or Amazon, whoever it was, to send back some details about it. But that was one of
the crucial pieces of evidence that they needed. Eventually, yeah, he was convicted. In Finland,
they don't have juries. They do it all by judges. There's three judges that decide.
They found him guilty on all counts.
But what was really interesting is that every single time that it's said in the paperwork,
Kivimaki either by himself or with others. So every charge came with that because they're never
quite sure whether or not he did it on his own or not. They think he might have had help from
somewhere, but they don't know where. There's some discussions right now happening in Finland, like this week, about whether or not
there's a suspect in Estonia that might have helped in some way, but we don't know.
But the conviction happened. They said that in the totality of the evidence, he's guilty,
but if you take each individual one, they couldn't quite pin him on each individual
one.
It's a strange thing, but the prosecutors are very happy.
The police are very happy.
They said that they took everything kind of holistically and said, right, yes, he did
it because of all these bits.
None of them are kind of like a smoking gun, but all of them together were enough to convict him.
What was your reaction to the arrest and the trial and stuff as you were following
this going on?
Cause obviously this was, you know, a decade after you first sat down with this guy,
that must've been a slightly, I don't know, out of body experience for
you to see it occurring.
Yeah, it was bizarre because I just had a feeling all those years ago that this kid
would be worth watching.
And there were rumors at the time that he'd kind of fled with a stash of billions of Bitcoin
and stuff.
And I've always been fascinated about what happened after the Lizard Squad takedown at
Christmas.
And being in the courtroom, seeing him as now, I think, 26, 27 years old,
still cocky, still smiling, still not really caring about anything was absolutely fascinating.
There was this bizarre moment in the trial where he applied for bail because he was in prison and
he was having to leave prison each day
to go to the courthouse and he applied for bail to be released so he could be a free
man until the end of the case.
Although the police objected because they were worried he'd be a flight risk, the judges
agreed, so he was let out.
Then the police were like, whoa, whoa, whoa, whoa, what are you doing?
This guy is not going to be, we can't pin him down.
Why have you let him go?
So they very quickly appealed and the judges were like, oh yeah,
okay, quick, get him back in.
He wouldn't come in.
He disappeared.
They couldn't find him.
Just like, where did he go?
Well, um, they, the police kept calling him and said, we, you've got to come back in, court order.
He's like, I'll see you on Tuesday.
This was like Saturday.
I'll see you Tuesday when the case starts again.
They're like, no, no, come in now.
He's like, no, no, I'm fine.
So anyway, they found his social media handles or somehow like some obscure forum handle
that he was using in the past. And he posted a picture of himself, his hand, holding a bottle of really expensive champagne.
And they saw from the background that it looked potentially like a kind of Airbnb.
And then they figured out that there's no way he could have got an apartment.
He's not in any hotels, so there's only small places he could be.
And they looked at all the pictures of all the Airbnb's in Helsinki and then
got the right one, rang the doorbell and there he was.
Holy fuck, they geoguessed their way to finding him.
Yeah.
But all the court cases I have covered in my time as a journalist, people
arrived in a suit and they're really polite and they try really
hard to make the jury and the judges realize they're good guys. But just it's classic, you know,
that's that character of that teenage cyber criminal who's just got away with it for so long.
What is it about his psychology? Is he completely detached?
Is this guy a psychopath?
Does he, is he just really cocky and out for recognition?
And what do you think is driving him?
Well, one thing that kept, one word that kept coming up is sociopath.
And it's really difficult and dangerous, I think, to kind of throw these things around.
I'm not a clinical psychologist.
I can't decide on that kind of thing. But one of the guys that used to hack with him back in the
teenage days says that the thing about him was he just wanted to sort of watch the world burn.
He just wanted to cause chaos and damage. One of the cops said that it's like the kind of guy who likes to get in a fight in a bar,
but he can do it from behind the computer to protect his bone structure, which I always quite
liked. But I don't know. I'd like to sit down with him. I tried to get an interview with him
during the trial and he said yes and his lawyer said yes, but the judge blocked it at the last minute.
So I wasn't able to, and then we were talking on text and then he just stopped
talking to me, that was about when he disappeared actually.
So maybe that's why he stopped talking to me.
Um, and I've tried many times to contact him while he's been in prison, but he,
he, he won't answer my, um, my letters.
Dang it.
So yeah, he, uh, he, uh, he remains a bit of an enigma.
How long's the sentence?
Very short.
He'll be out in probably a year and a half from now.
You should have just waited to publish the book.
You didn't need to publish it now.
You can do a follow-up.
You'd like the paperback.
You have the paperback.
Paperback can have a little appendix, additional chapter.
That's the usual way that authors do it.
With what's happening right now with M&S, Co-op and Harrods, I think there
could be enough for another chapter when the paperback comes out.
Hey, that's, we've just brought up a, we've doubled sales.
We've doubled sales over there.
Um, so I'm interested in this Maxim Yakubets guy as well, that you went and,
and tried to track down.
It seems like you have a penchant for trying to find Eastern European young men.
No accusation, but you do seem to have a skill for it.
So what's the story of him and Evil Corp and stuff like that?
Yeah.
So Evil Corp are the kind of OGs of Russian cybercrime.
They were there from the beginning and they evolved as the cybercrime ecosystem evolved.
And they've been kind of run and led by a family, the Yakubets family.
And Maxim Yakubets was the most wanted cyber criminal in the world. There's a $10 million reward out for his
arrest, him and his right-hand man, Igor Turashev. So we decided in, I think it was just before the
pandemic, so 2019, that we would try and go and find him in Russia. Because one of the things
that I became a bit annoyed about was that the West points fingers at these people, UK, US, and says, oh, they're cyber criminals.
They're guilty.
They've done this, that, and the other.
They've stolen $100 million worth of money from innocent people around the world.
But you never hear from the actual cyber criminals themselves.
They never get a chance to have their say.
I know that sounds silly, but as a journalist,
that's kind of like my job. That's the bit that interests me is hearing both sides.
So I remember I was sat in the garden there and I was just thinking one afternoon,
why don't we go? Why don't we try and find these people? So we did. We searched around
Moscow and we got all the addresses that were known
about them and tracked down their supercars and tried to go to the garages that they were at.
And I managed to find an address that we thought was Maxim Yakubets, but it was actually his dad.
But we went there and his dad opened the door and
we had this absolutely, for me, unforgettable interview with Yakubets Sr. where he was so angry
with the West accusing his son of being a cyber criminal. I was saying things like, speaking through my producer, reporter, translator, like, well, how do you explain the Lamborghinis? He's
like, well, they could be rented. How do you explain the quarter of a million dollar wedding?
Well, we don't know how much it was.
Have you seen the paperwork?
He's like, well, no, but I went there and spoke to the wedding organizer.
He had an answer for everything.
What was fascinating about that and what's become even more fascinating is we went there
in 2019 and put the documentary out.
I think it was last year, the National Crime Agency gave us loads
more information about Evil Corp.
And they said it wasn't just these seven or eight men.
It was also the dad.
He's a part of it.
He's in some way involved money.
You met the mastermind.
He was in front of you.
You could have snagged him.
Yeah.
Yeah.
Um, so yeah, that was, that was a, that was an amazing trip, but I didn't enjoy it.
It was the worst assignment I've ever been on.
It was so, and I went to Ukraine as well during the war, but this was worse.
The Moscow trip was worse.
Well, you're in a, what is a, there aren't many countries that you go to that are kind
of like, um, adversarial countries.
They're not friends of the UK and the BBC out there is seen as an arm of the British
government even though of course we're completely independent.
So there's that plus I'm going there to track down cyber criminals who we know have got
links to the Kremlin and it was really intimidating the entire time.
We thought we were followed at one stage.
We flew out to, um, this place called Yoshkar-Ola, which is about a thousand
kilometers east to try and find, um, uh, Igor Turashev.
And we were convinced there were guys in the airport who we saw,
who we then saw at our hotel.
Um, so that, that kind of thing isn't nice.
I'm here complaining, but really the one that got off the worst was my fellow reporter on the story
with me, Andrei Zakharov, who was and is a very talented cyber reporter. He helped me out with the
whole story and he
was there the whole time. And maybe it was that, or maybe it was something else, but he was very
quickly put on the enemy of the state list shortly after that, and he had to flee the country.
No way. Because of the work that you did together?
We don't know if it was that because he's done a lot of provocative to the criminal.
Right. Okay.
An illustrious history of pissing off the criminal.
It was after that.
It was after that.
He thinks that it was possibly the straw that broke the camel's back.
But before he decided to leave, he was followed around the entire city by some nasty looking
men for weeks and weeks and weeks, horribly intimidating for him.
He is a superb journalist and I'm still friends with him and I know he's doing
well now, but yeah, I can't complain about my handling or treatment when
Andrei had a really tough time.
Wow.
I got scared in a hotel.
Wow.
At least I get to stay in my country though.
You know, at least I'm in my home country still.
That's nice.
Exactly.
I'll tell you though, when I got back, I installed a security camera system
on around my house because I was, I just started feeling a little bit intimidated.
Cause I once interviewed a guy who, um, he decrypted ransomware.
So like when ransomware is deployed in the system, it scrambles your files.
You have to pay them to get the key to unlock it.
This guy, uh, Fabian Wosar, is an anonymous researcher from a company called Emsisoft, and he is so
good at building his own decryptors that the hackers absolutely hate him.
When he's searching through a piece of malware, he has found, on more than one occasion, fuck
you Fabian, stuff like that.
No way.
They write for you.
They write in their code.
In case he's looking. In case he finds it, yeah.
Cause they hate him so much.
And he fled his country.
He fled Germany because he was so scared of, you know, some of these gangs are,
are very, very rich and it wouldn't be much to drop, you know, 20 grand to go
and get someone's legs broken or whatever.
Wow.
What was the fallout from that CrowdStrike thing?
Because you've just held up a cool toy model thing.
So CrowdStrike, cyber security organization, maker of cool
figurines, but also, also subject of a lot of bad press only at the start of this year. What, what, first off, what the fuck happened?
And secondly, is this, is that, what was the comeuppance of that?
Cause I kind of heard about it.
It was a huge deal, loads of shit happened and then nothing.
Well, give it time.
There are some big court cases against CrowdStrike right now.
There are companies like, oh, is it United, the airline in the US?
They are trying to sue CrowdStrike for something like 7,000 flight
cancellations across the day that the CrowdStrike caused the world
to implode.
So the CrowdStrike problem was, was it this year?
This year has flown by.
Maybe it was this year.
Anyway, so they did an update for their CrowdStrike software and they're like an antivirus company.
It was a year ago, 19th of July, 2024.
Oh, it was, okay, last year.
Um, and so CrowdStrike is a kind of like antivirus company, one of the biggest and best in the world and, uh, used by some ginormous corporations, including
United to protect systems from cyber attacks.
They did a really innocuous update where they sent through some really
like tiny bits of information to keep
the software up to date. It completely bricked the system. It caused the blue screen of death
on something like, I think it was two and a half million computers around the world. And that's
not just computers like we're talking on now, that's servers that run airlines, those kind of computers.
So yeah, the world went mad for, I think, like three days.
No computers running, flights canceled, online services down, shops offline.
Massive, massive problems.
It was like some sort of apocalypse was unfolding. But we bounced back.
We're still here.
The best image that I saw of that was someone's smart fridge.
The front screen of a smart fridge, which is, yeah, yeah.
You got BSOD'd on a fucking Samsung American chiller.
Yeah.
Yeah, it's just, you know, there is kind of like the uncanny valley, but the
equivalent of that for smart homes.
And I still don't think that we're out of the other side of it.
I think that most houses would benefit from a physical switch on the wall for
most things and that a nice, quite simple up and down, your fridge does not need an app.
No.
I mean, look, Eko water.
That's a hydrogen water company that I love.
I love hydrogen water.
I think it's awesome.
This like big revolution in health.
What's hydrogen water?
So it's a special type.
I haven't got it here, but like, imagine that this flask, um, was able to
hydrogenate the water.
So it's actually all self-contained within the unit itself.
So it's a kind of hot thing.
It'll be in the UK in five years time.
It's big in America.
It's coming big in America.
It'll, it'll transport over the Atlantic in about five years time.
They have an app for your fucking flask and it allows you to change the color of the LED and it tracks how much water
you've drank and I'm like, it's cool.
I love the product, but the app to me, and then there's, they did a battery
update that you need to over the air update your flask from your phone.
I'm like, guys, yeah, yeah, yeah, I know it's cool, but there is a, there's just
a little, this and I think, look, if,
you know, crowd strike issues, another update, and I can't get my hydrogen water out of my echo, echo water flask, I'm going to be pissed.
So I think the, the way that you, or the way at least that this seems to be explained is that
the hackers are always going to be out ahead of governments of they're going to be coming up with increasingly
innovative ways to circumvent both security systems and, and law enforcement
to try and track them down.
Is regulation ever going to catch up with how fast dark web hackers,
crypto economy stuff can evolve?
Like is this, is there a light note at all here, or are we just kind of in it for the
long haul, make sure that you've got a password manager downloaded?
Yeah, I think, I think there are some things that we can do right now today that would
make it so much harder for hackers, but we don't because there's a thing of like security
versus convenience.
So reusing passwords, keeping your software up to date.
Um, actually, you know, when you think about CrowdStrike, that was one of the things about CrowdStrike that was so bad was that the people that kept their
software up to date, which is what we're being told all the time, they were the
ones that got hit.
If you were, if you weren't, if you hadn't have done the software update, then
you were fine because it was that thing that, that bricked your system.
But no, generally speaking, CrowdStrike aside, keep the software up to date.
Do part, do two factor on your multi factor, um, good passwords.
And it sounds so obvious and I'm bored saying it and I know I can see you
falling asleep, but if we all did this, then the world would be, the cyber
world would be a safer place, but, but we don't.
And there's a lot of things at the moment about, you know, quantum computing
and AI and deep fakes and stuff and how this is how the hackers are getting in
these days with all these whiz bang new things, they're not.
If you look at the list of how hackers are getting in, it's the same old stuff.
Someone said the other day that nothing in cyber has changed for 20 years.
Social engineering, find a person who's prepared to let you into the system, go from there.
Yeah.
Yeah, but also, once you get in, they're not using the latest and greatest techniques to
move around a system, they're going
through something that should have been patched a year ago or two years ago.
How much truth is there to this quantum computing will be able to make all
encryption totally obsolete because it can work out prime numbers in this
split of a second and
everyone's fucking Bitcoin is going to be owned by one guy and all of our
passwords are going to be released.
Yes.
They call it Q day, the day when the quantum computers can break encryption.
And there's this thing called, I think it's something like grab now,
encrypt later or decrypt later.
So the idea being that if you, as it harvests now and decrypt later.
So if you're a spy agency, for example, China or the UK or the US, you can grab
all of this data that at the moment is encrypted.
So all the most important vital communications are done with
really high grade encryption.
So if I'm a, if I'm President Trump talking to Prime Minister Starmer,
we will talk on a really, really secure line, which if I grab that, it just comes out as gibberish.
But if I grab it now, I might be able to make it un-gibberish when Q-Day happens.
Oh, fuck.
That's the worry is that Q-Day will mean that kind of thing happens.
But I'm trying to be positive. It is a concern. The National Crime Agency recently put out advice
saying the deadline is 2030. I think they said you need to get everything encrypted in a way that is post quantum encryption
safe or post quantum safe now because of what I just described.
Uh, I'm just having a look here.
This is a friend's, um, uh, a job advertisement for the new head of cyber
security at his majesty's treasury in Britain provoked derision because of its stated pay of 57,000 pounds a year.
That was the total annual salary around about $70,000 for the head, the head of cyber
security of his majesty's treasury in the UK.
Yeah. Yeah, that's a big problem.
That's a big problem.
Have we considered low pay as a vector of risk, like just disgruntled workers as a potential,
you know, I mean, you don't-
Yeah, yeah, yeah. They call it an insider threat because sometimes there will be people in high levels of power
who could be corrupted. But I don't want to start, I think that's rare. That's a rare thing that we
see. They think potentially this is all alleged and all reports have come out. So I'm not saying this is what's happened, but there's a big thing at the moment right
now with Coinbase where lots and lots of people have had their crypto stolen or exposed.
And I think that might be insider threat.
But yeah, you mentioned the salary there.
The problem with cyber jobs is that you can get paid a lot of money, but not really in the public sector.
It's all in the private sector.
But of course we need, we need very good people to be in the public sector, protecting the way more important stuff.
Yeah.
Joe, you're fucking awesome, dude.
You're really great.
Books, books, fantastic.
You're a wonderful communicator.
Where should people go?
They want to check out all of your stuff.
Oh, it's, it's, um, yeah.
So my book is called Control Alt Chaos, how teenage hackers
hijack the internet, um, and it's out on the third or the fifth of June.
Um, the book launches the third of June.
That's why I got confused.
Um, and then it will be in all the usual places and on, um, on audio book as well.
And it's also coming out in Finland and it'll come out in the US in January as well.
Hooray, dude, you're brilliant.
Uh, good luck doing more investigations.
I look forward to speaking to you again when you've found some more awful people
from the Eastern Europe that we can talk about stories to do with.
Thank you, mate.
Thanks for having me on.
