On The Brink with Castle Island - Cupid & Hercules (Groom Lake) on Preventing and Responding to Cybercrime (EP.658)
Episode Date: August 21, 2025Wyatt sits down with the founders of Groom Lake. In this episode: How social engineering attacks are being used to exploit companies in crypto and beyond How companies can better protect themselve...s and be vigilant of these exploit attempts The future of cybersecurity software for crypto
Transcript
Discussion (0)
On today's episode, I sat down with Cupid and Hercules of the Groom Lake team.
Groom Lake is a security firm focused on both protecting companies in the crypto space from
exploits and recovering funds when exploits do occur.
Today's guests' true identities remain redacted for security purposes given their field of work,
but they were generous enough to join me for a discussion on cybersecurity and crypto
and how today's attackers are looking to carry out cybercrime.
In the episode, we discussed the threat posed by nation-state level threat actors,
what companies should be doing to enhance their own security
and how the security landscape and crypto stands to evolve.
I hope you enjoy our conversation.
Matt Walsh and Nick Carter are partners at Castle Island Ventures.
All of these expressed by them or the guests on this podcast are solely their opinions
and do not reflect the opinions of Castle Island Ventures.
Guest and hosts may maintain positions in the assets discussed in this podcast.
You should not treat any opinion expressed by anyone on this podcast
as a specific inducement to make a particular investment or follow a particular strategy
but only as an expression of their personal opinion.
This podcast is for informational purposes only.
Brought down by bad mortgage investments, Lehman, which has 25,000 employees, will be liquidated.
The federal government loans American International Group, AIG, $85 billion.
This is a different kind of market, and the Fed is asleep.
The federal government is stepping it to stabilize Fannie Mae and Freddie Mac, the two mortgage giants that have been threatened by the housing crisis.
The Bank of England has pumped 75 billion pounds more to Britain's ailing economy with a new round of quantitative easing.
You've printed a couple trillion dollars, and all of a sudden, people start to worry.
So out of this worry, we have something called the Bitcoin.
Cuban-Hercules from Groom Lake.
Appreciate you guys joining us.
I want to dive right in.
My understanding of Groom Lake, I think what people in the industry might be vaguely familiar with,
is that it's a private military organization combating cybercrime and crypto specifically.
What does that mean and what happens when you guys are called into action?
So Groom Lake, while we don't own any tanks or things like that,
we, on top of the retained approach to security and intelligence that we do, that military aspect
really comes in when you're looking at not just the intelligence work to do some very strategic
campaigns to find out information, but also the incident response aspect because we can deploy
to physically go after hackers as well. So that's where that military aspect really comes to
play. Cool. Understood. And can you talk about what engagements will look like or how you'll engage with
firms in the space? Typically, firms come and engage with us because they want to have this security
and intelligence attachment to their team so that nothing happens. So we come in and we layer in security
and intelligence over time and we have this close concierge relationship with them. And what does that
look like? What that looks like is where you're layering in Web 2 security fundamentals,
that's where we really focus because that's where over half of the hackers,
that occur are happening, especially as the landscape has shifted and nation states are seeing that
they're happening via Web 2 vulnerabilities, is what you're saying? Yeah, I would say, Herc. Do you want to
jump in on that? Most definitely. Specific to a lot of the exploits and issues that we face in
crypto, a lot of people tend to believe that the main focus needs to be on-chain, auditing your code,
and so forth. But the hard truth is the human element and the misconfiguration side of the house
is truly the weakest link that we see in the industry. A lot of the whales and
And these protocols tend to try to build very, very quickly.
And in doing so, they actually are very stressed out.
And they skip a lot of the fundamental things that they should put in place
to prevent a successful hack of an account.
Zoom is a great example, which we'll get into a little bit later, I assume.
But there's a lot of people in the space that are unfortunately being targeted
quite heavily by North Koreans to actually be social engineered by posing as a friend,
which will eventually lead to them getting hacked and then, of course, funds being drained.
Is that a vulnerability in particular that's top of mind for you guys,
the moment, would you say it's one of the more common ones? I would say so right now there's been a
major shift in the industry, mainly because a lot of the advanced threats like nation state and even
very young people that are just being D-Gen hackers are starting to go after crypto, just because
it's becoming more popular. So if you look at the adoption curve of crypto as a whole, I would say it's
near one-to-one of what the threat actors are actually going after as well. And they are starting to
realize that social engineering of people is the biggest link. So yeah, it's definitely becoming the
biggest thing in the space. And with that, we've actually geared a lot of our security schedule,
if you will, with these clients and onboarding specific to operational security. So actually
getting them into a room, educating them on these issues in the space, and as well as how to
prevent them if they do occur. And I think the other thing to hone in on on this topic is that
you have different people who have different security concerns based off of the business
vertical that they work at a company. So a developer is going to have very different
security concerns than a head of marketing or someone in BD. And these people who want to socially
engineer companies know this and they're going to go after you accordingly. So they'll approach them
as maybe a fake investor. That's been a common one. Maybe come with job offers for a dev, all these
different ways to just get people to click that link, have that conversation, and then they start
to exploit them and pivot through the company. So by understanding the social engineering, these social
exploit attempts, they'll pretend to be some sort of actor that would do business with a firm,
for example, and exploit them via that direction. What are the workflows that you guys will put in
place for partners when they're under this vulnerability? I'll dive into the first part of the
question and then transition to that, but not just investors and stuff that we're seeing,
social engineering. At this point, we've actually seen that a lot of the threat actors will actually
do their research on people who are targeting. On individuals, you're saying. Correct. So let's say
friends, family, people they haven't spoken to in years that they might just have a random
connection with on even LinkedIn, for example. That's when we saw not too long ago.
And they'll go ahead, duplicate the telegram and so forth, and then actually attack.
But in terms of workflow for preventing it, there's a couple of ways that we do it.
So of course, education, in my opinion, is the number one factor with things.
Actually educate them, show them one-to-one of what these attacks look like.
So actually bringing up visuals, explaining these things in depth, and so forth,
and doing it in a repetitive way
to where they actually obtain the information.
The second half of that is taking the preventative steps
from the organizational side
of actually working with them as a virtual CISO, as you will,
and turning the culture within the organization
to where people are security-minded in general.
And then unfortunately, if somebody is targeted,
we tend to get them to a point through education
to where they actually know the steps to take immediately
to reduce the likelihood of a successful exploit.
And if they get to a point where they are,
portionally exploited, we will go ahead and be activated. We will join within five minutes,
and we will work to contain the threat and then remediate anything that comes from that.
And to add on there, it's a balancing act. It's between advisement and implementation.
And so when you're advising things, you're looking at companies onboarding and offboarding
practices and identifying gaps that you need to implement new strategies to make it more secure.
It could be how they're accessing certain sensitive systems and then implementing
solutions to make sure that's more secure. But I think the other big thing to this, and it's why we
have intelligence as a core offering, is that intelligence really complements the security aspect.
That's where we can really start to dig in on what would a threat actor be able to find
on this executive team or on the entire company to different people in general. And what data
is newly surfacing as well, because if you can have that knowledge, you can, one,
know what kind of things you could be approached with from a socially engineered perspective.
But two, were to then mitigate that data footprint that you have. I think a good example is
the other day we had found there was a telegram number being leaked. And we had looked into the
source of that leak. And then we had made sure that that was taken down. So now people couldn't
come in and socially engineer them on that front as easily. Understood. And a lot of the workflows that
talked about, you guys touched on this briefly, are non-crypto-specific ways that exploiters are
using to attack crypto companies or organizations? Are they choosing to attack crypto organizations
because of the perceived ability to exploit funds, maybe as opposed to other organizations?
Or why does it seem like the crypto industry in particular is being targeted?
I would say specifically, in my experience, I came from a very traditional financial background
doing traditional boring security engineering.
And a lot of the threat actor groups that actually go after just traditional institutions,
normally there isn't a magical honeypot of funds that they can just take.
Whereas crypto, it differs.
In the traditional world, a lot of the time they will either steal information or deploy something
like ransomware, and then if they steal the information, attempt to sell it.
So that's how they gain the funds.
In crypto, it's much easier because you have those gold bars that are locked behind a safe,
you just have to get into the safe.
And unfortunately, because the industry is still relatively,
new. Obviously, it's a very easy space to attack, unfortunately, just given the nature of how people
operate within the industry. And are most of the threat actors that you're talking about, are they
nation state affiliated? I would say in the beginning, yes, a mass majority of them, I'd probably
say near 80%. But at this point, I'm seeing a relation between both the nation state actors,
as well as just traditional normie hackers. And even the youth. Recently, we did an investigation on a
website that was cloned and everything. And we actually saw that the person that was stealing
these funds was 17 years of age, which is quite young, obviously. But yeah, we're seeing still,
of course, that the nation states for obvious reasons, but even the adoption of the youth in Gen Z today.
How are you able to detect the age of that attacker if you're able to share something like that?
Well, I was going to say prior to that, I mean, in terms of the age of the attacker, that can be
tipped off from if it's an insider threat or even some of those intelligence threads that you can
pull can allow you to identify exactly who it is and so that's how you find out. But what we see
from an insider perspective is, yeah, while it is nation state sometimes, I think I was telling you
last time we spoke why it through the intelligence work have found the Lazarus Group plant
working at a company for two years as a principal debt when the company was in stealth mode. But we've also found
lots of risks where people are hiring folks who have these obscured backgrounds. There isn't a nice thing
to the anonymous nature of crypto that people really value. But sometimes if you have a multi-billion
dollar company, you may want to know a bit more about the people that you're bringing on the team
because we have seen rogue actors who aren't connected to nation states, even exploit a company,
steal funds because it was a crime of opportunity. They were given so much trust and so much
access that eventually over time they made that decision. And that's where we then come in and
hunt them down. From your perspective, are countries like the U.S. making adequate efforts to try and
combat these sorts of threat actors? The United States specifically, and even the world as a whole,
I would say no, in all honesty. Just given how the industry operates as a whole, people are very
anti-regulation in a lot of ways. I think, unfortunately, but fortunately, it is really up to the
protocols in VCs and so forth to actually become security-minded and start adopting
security-minded policies within work.
It's always a cat and mouse game with crime, and regulation is always catching up to the new
attack vectors and the things that folks are being exploited by.
So since consulting and working in crypto, I have seen a shift that more and more teams are
becoming security-minded, where the history of the space,
it really started from this perspective of if you have a smart contract audit, you are good.
That is the trust signal for the investors.
That's the trust signal for the users and all the stakeholders that this is a safe protocol
to use.
But now that we've seen this ever-increasing shift into these Web 2 fundamentals, the human
side of things, that's really woken people up to, I need to start to implement my own
security solutions. And then I think we're going to see more and more regulation come in on top of
that, like SAC II clients and things like that. So the U.S., I would say, does have a good signal of trust,
but we still come across many, many companies, large corporations who don't even have
2FA on some high-risk environments. And so that's why it's easy to think this won't happen to me,
because everyone's so focused on building and just shipping and getting out there.
But I think teams have to have this mindset that engaging, whether it's an outside entity,
luck groom lake, or whether it's bringing on someone that will handle that internally,
you're taking things off your plate to give to an important subject, which is security,
so that you can use your time in a higher leveraged way, which is building the thing,
making that the main thing.
Makes sense.
You mentioned two at bay, which I think,
a lot of people are familiar with. Are there any blanket suggestions you guys would have for
organizations that want to tighten operational security and security generally?
Oh, yeah, most definitely. I think the first one is obviously MFA. It should be enabled and actually
enforced across the organization because it is extremely easy for a threat actor if they have
your password to authenticate into your account and then issues arise. But on top of that,
if you really want to go the full length, I would recommend UBK keys as a whole. So it kind of looks like a USB,
but it is a very, very more strengthened version of MFA, if you will, for your accounts.
I also think companies as a whole need to at least be doing, let's say, like a quarterly audit
across all environments as a whole. We commonly find that people genuinely don't know who has,
let's say, administrator access or even access to a lot of their systems. So actually putting
an operational procedure on even something as a quarterly basis to actually go into the systems,
verify who is in them and who has access to what can really make the difference.
understood. And then those are great suggestions from everything that I've heard in the crypto industry
thus far. I think unfortunately we also touch on individual safety and I'd say in today's day and age,
I have my real name here, I guess. I think of being in the crypto industry is there being a
slight additional risk when it comes to your individual safety. How would you suggest people look at
their individual safety in light of some of these threat actors? I would say the first and biggest one
is when it comes to individual safety, obviously you need to operate with a general
sense of operational security. So if you're going out, going to a club, doing whatever,
don't post on your public Instagram that you're sitting here, you have a million-dollar watch
on and so forth. But yeah, I think in general the biggest thing is the operational security side
of the house, trying to not put your name fully out there if you can, but obviously for some
people it is required. Just try to operate in a more smart way in your day-to-day operations.
But Cupid definitely left some comments on that as well. We've been thinking deeply about this for a while
because individuals have their own concerns and threat vectors to consider,
even individuals within a company.
But there's lots of traders who don't operate with a company.
So a simple answer will be that those individuals will be able to, in a sense,
hire Groom Lake as we go and launch one of these tools that we have coming up.
It's a platform that's going to be really focused on data leak monitoring
and operational security and things like that to really lower the risks here.
but I would say that it is certainly a mindset where most of the people that come to us,
you will see that there's this common thread of how they got exploited.
And it's typically that they were tired, they were rushed, they weren't getting through,
because whenever we talk to them, 80, 90% of the time, it's 20-20 hindsight.
Oh, I think I've known that.
And these are people who take a huge thoughtful approach to their security.
And they've taken to X to say, oh, I'm so secure.
I have so many layers to my security.
And that's great.
But we have to recognize that there's this mental aspect to it as well.
And that if you're moving a lot of funds and you're trying to move quickly
or somebody's trying to rush you for some reason,
a big example would be these folks who poses VCs trying to get people in a call and say,
oh, you know, we have a group of VCs or we have all the advice.
advisors in here, jump in the call, oh, sorry, that LinkedIn work, use this one. And they're trying
to make it so you're not thinking. So slowing down and really thinking that it could be me that
they're going after this time. That will go so far in someone's personal protection and security.
The pushed sense of urgency seems to be a really recurring theme. And I've heard people where
they'll get five phone calls and two emails immediately about their Coinbase account being
compromised or about the fact that their transaction last week didn't go through for some reason
and they create this head rush almost of I don't know what to do now. Yeah, and crypto is such a
collaborative space that it's okay to reach out to a friend to someone else who's security-minded
and say, hey, does this sound right? Or have you heard of this? That will help be a third sounding
board to just help you slow down as well. Because yeah, at Coinbase one where people were being rushed
with, oh, we're seeing your funds being moved. That was huge. And we dealt with new cases in that
regard. Yeah, and I've heard stories of people who've talked to others off a cliff, like you're saying,
where you're like, you're about to do something, but thankfully we're here before.
Do you guys work with individuals in any capacity you experience individual fund loss?
So in the fun loss scenario, yes. It's never just companies that come to us when it comes to a
crypto theft. We've even worked with individuals who have some intelligence need or,
something that was very personal to them in private that they needed support with and they didn't
know where else to go. So we've worked with people in that regard. And in terms of the proactive
stuff, yeah, we've worked with individuals and whales, folks like that. I think with the advent of
this platform Reaper, that's going to be that opportunity where many individuals can break down
that barrier to entry and get help. And can you speak about Reaper while we're on this subject and
what that does more precisely.
Maybe relatedly, I'd love to hear
how you think software offerings
for proactive defense and crypto will evolve.
Oh, interesting.
Okay.
I'm interested to hear your take on the second part,
Hercules, but let me give a little lowdown on Reaper.
So Reaper is a tool that we've developed over time
through our folks who have been trained
on the intelligence aspect of our work and capabilities,
and it's this 24-7 data leak monitoring tool.
that allows us to very deeply find all of the threads that exist on an individual.
And we can do that just from getting an email and a phone number.
And people are very surprised when these data points pop up on what exists on them.
Because it's even coming up with some account that they made seven years ago
that they totally forgot about is out there.
And it's leaking some little nuanced piece of their information,
which then allows it to lead to something else.
And that gives people this big bird's eye view
of everything that's out there on them.
Future versions of this will allow us to do things like scrubbing this data.
It will allow us to do sim swap detection
so that people can know if they're being actively compromised.
So we really see Reaper as this ability for individuals in the space
to have this mindful approach to their own operational security,
because that's what the space has really been craving in a big way.
And on top of that, from a business perspective,
how nice would it be for an executive or CSO
to be able to see the entire data leak footprint
of their whole company and be alerted if anything new comes up
on one their employees?
So the second part of your question, though,
could you rephrase that?
What do you think cybersecurity software looks like for crypto
in a few years' time?
Oh, yeah, most definitely.
That's one I get quite excited about.
So I'll answer this in a Web2 context
and transition it over into our world.
So in the Web 2 space,
we have a ridiculous amount of security tooling
that's SaaS-based.
It's from every single category
that you can imagine from compliance,
which is amazing all the way over to pen testing.
But specific to Web 3, in crypto in general,
I think we're going to see a massive adoption
of these Web 2 tools, which we already do in development.
But there definitely will be a lot of new tooling
that I think talented engineers will create
over the next couple of years
that are definitely security focused,
but also take core components of Web2
to introduce them into the industry and security ways.
But I personally think that there is a mindset
that a lot of people have specific to SaaS solutions
as a whole in regards to Web2 security
is that they are a all in one solution for everything.
But the truth is, these solutions supplement
your primary efforts.
So I think there will be a lot of software
that is adopted across the industry,
but I think having somebody like Groom Lake, for example,
is able to lead the efforts and software exists to supplement the other avenues.
Makes sense. It's very helpful.
Is this cybercrime that you guys are dealing with?
Is it trending up? Is it trending down?
Or which way do you see it moving?
It's definitely trending up.
But I would say personally, the increase in social engineering attempts is becoming more and more
crazy.
And the tactics that are being leveraged are becoming different every day.
Very sophisticated.
Very sophisticated, yes.
And there's this thing called,
TTPs, which are tactics, techniques, and procedures.
And whenever we investigate a hack, those TTPs will allow us to do some association of
who may have been responsible behind this.
And we're seeing the social engineering specifically is heavily coming through the nation-state
groups.
And they wait quite a while to actually execute, and they are using some robust tooling to
actually complete this.
They're using custom malware as well as deepfakes, which I made a post on Twitter not
too long ago about it.
Deepfake technology now as a whole is extremely, extremely good.
So I even thought before this meeting throwing your face on mine and doing a little thing,
but didn't have enough time, but it's quite crazy at this point.
To that point, I'd be amiss not to mention AI as an added attack vector.
You hit the nail on the head, I think, with deepfakes.
A lot of companies in a space, to my knowledge, also employ audio verification.
You'll respond with your voice, certifying who you are.
Something like that, to me, seems like a mechanism that will come under threat in coming years.
So how can you be a couple steps ahead of threat vectors?
related to deep fakes, AI mechanisms, et cetera.
I think the voice one is something that is often overlooked,
because you just think the video, you go to the face.
And even as of a year ago, the technology get quite good.
I even, in my experimentation days, took a podcast that FDR did a very long time ago
and threw it in and was able to actually recreate his voice very, very similarly.
And just think, if it's good on a computer, imagine a cell phone doing a call.
It would be near spot on.
But I think as a whole, we're going to get to a point with a,
AI and these deep fake technologies of the whole that to actually prevent them, you have to employ
a little bit of true identification if you're onboarding somebody, for example, but also doing
things as simple as telling the person with their hands to simply put it over their face.
Because the tech today, it is quite hard to actually map over the fingers and all.
But I also think if it's a friend or a colleague or somebody similar, I always recommend if things
get suspicious, hanging up the phone and the call and contact them through another means that you
believe is safe. So that could be returning a phone call, right, unless they're sim swapped,
because it is true you can only spoof out, outbound, unless they're sim swapped, or reach out to them
on signal, reach out to them on telegram, or if they're in another room or a friend of a friend,
call that friend and have them speak to them individually. Yeah, there's a great suggestions.
In the wake of all of the concerns that will collectively face, when should people reach out
to you guys, Groom Lake, and how should they get in contact? Reaching out to Groom Lake from a
company perspective, typically we see people reach out at all phases, but the most common would be when
there's some big milestone approaching that's about three months out. And that could be TGE,
could be Mainnet launch, anything like that, any major inflection point in a company. For individuals,
when you're thinking about something like Reaper, this is an opportunity to front-run social
engineering attempts. So the sooner, the better because then you can have, you know,
We're talking about the AI and the implications of that, but from a defensive perspective,
having something that is your personal hunter-killer drone that can just take two pieces of
information and look for a hundred plus different attack vectors on you is going to be really big.
So the sooner you go and implement security, whether you're an individual or a company,
it's always the better, because security is this act of layering things over time.
and the more time you have to layer countermeasures, the better off you're going to be.
Definitely. And I'll reinforce that point as well. Doing things early from the beginning is great
from an organizational perspective because you tend to build a cultural idea around security as a whole.
And going into an organization and reviewing their operational security procedures, their current tech stack,
what their configurations look like across the whole, any change you make tends to introduce a little bit of friction.
It's unfortunately how security works.
but with our packages in the way that we tailor things,
we tend to get friction that's very, very minimal.
But going into an organization that has existed for quite a long time,
and that has been doing things that they might have thought is right,
but it truly is not up to par.
It's harder to go backwards, and it will take more time.
But we have ways to do it, and we are more than happy to do it.
Yeah, it makes sense, harder to rebuild something that's been around for some time already.
Definitely.
Hercules and Cupid.
I appreciate you coming on having a conversation with us,
and thank you for the work you continue to do in the space.
Yeah, thank you, Wyatt. Yeah, man. It's been a pleasure. Thanks for having this on.
Thanks for listening to another episode of On the Brink with Castle Island. To find out more about Castle Island, visit castle island. Visit castle island.com. To listen to all of our podcast episodes, please go to On the brink dashpodcast.com or just click on the tab in our website. Thanks for listening.
