Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:15):
Pushkin. Just a quick note, this is a bonus episode
of What's Your Problem, and it's sponsored by Microsoft. John
DiMaggio studies cybercrime for a living. It's his job. But
when he wanted to understand an international cybercrime gang called
Lockbit, he realized he couldn't learn everything he wanted
(00:38):
to know from the outside, so he started trying to
figure out how to get people on the inside to
tell him what he needed to know.
Speaker 2 (00:44):
So I spent a lot of time studying going back
to World War Two when they started having all these
documents about how to use the human trade craft to
sort of recruit and convince people to do things that
they don't necessarily know that they're doing to support your cause.
Speaker 1 (01:02):
So were you telling me you started studying sort of
World War two era spycraft.
Speaker 3 (01:07):
Yes, that's correct.
Speaker 1 (01:08):
What's something you learn from World War two era spycraft
that helped you weasel your way into a ransomware gang?
Speaker 2 (01:15):
Everything from their ego to understanding who their adversary is
and making them feel that being friends with you will
benefit them because you have a common enemy, or even
even being adversarial towards them and saying certain things just
to see what the reaction is to sometimes understand the truth.
Speaker 3 (01:37):
There's also the sort.
Speaker 2 (01:38):
Of the plan and prepare phase where you have to
go and sort of stalk them and understand who their
contacts are, who their friends are, who their enemies are,
where they hang out online, all of that stuff.
Speaker 1 (01:49):
So you have this set of strategic ideas in your mind,
what do you actually do?
Speaker 3 (01:59):
So what I did.
Speaker 2 (02:00):
The first thing I did is I needed to figure
out sort of their digital fingerprint, so I profiled them.
I began looking across the dark web. Obviously started with
the easy one, their data leak site, their own infrastructure,
and I went from there and I eventually found the
forums that they live on. And there's some very prominent
Russian hacking forums that have been around for about twenty years,
(02:21):
so it made sense to start there. And sure enough,
they were very prevalent on that website. They were very
involved with conversations. They have friends, their enemies, and they
do their business. So they actually would go there just
to talk and sort of hang out with their buddies.
And the drama, it was like it was like a
soap opera. The drama, these guys would get in these big
(02:43):
arguments over the stupidest things. I just started profiling and
visually mapping out who is who, who they were talking to,
what those other people's roles were. Again, then I would
find the ones who are their friends, and I would
try to approach them and the people who worked for them.
Speaker 1 (02:59):
And did it work.
Speaker 3 (03:02):
It did. Well, it sort of worked.
Speaker 1 (03:10):
I'm Jacob Goldstein, and this is What's Your Problem. My
guest today is John DiMaggio. John is the chief security
strategist at a company called Analyst One, and I wanted
to talk with John about Lockbit, this ransomware gang that
was behind attacks that extorted over one hundred million dollars
from companies around the world. John wrote this sort of
(03:31):
book length series of online posts about Lockbit. It was
part of a thing John called the Ransomware Diaries. The
story of Lockbit is a great window into the ransomware industry,
and it is an industry with a lot of remarkable
similarities to ordinary non-criminal industries. Lockbit tried to brand itself,
it tried to attract talent and notch key wins, just like
(03:54):
any software company. But then there's also the part that
is not like any software company. There is the crime part,
and it was the crime part where Lockbit went too
far and wound up drawing the ire of international law
enforcement agencies that in fact have their own set of
innovative strategies. And John watched all this happen up close.
(04:15):
He told me his key contact on the inside had
the user name LockBitSupp, short for Lockbit Support.
Speaker 2 (04:21):
I didn't know it at the time when I first
started talking to them, but what I found out as
I began to talk more is there were two personalities
behind the account.
Speaker 3 (04:30):
One seemed to be much.
Speaker 2 (04:31):
Younger, friendlier, more in tune with sort of pop culture,
and the other one, who I gave a name mister
grumpy Pants, because he was all business, always serious, and
that was kind of how I differentiated.
Speaker 1 (04:45):
Tell me about the sort of conversations you had with
LockBitSupp, like, what was the nature of those exchanges?
Speaker 3 (04:53):
Well, so you have.
Speaker 2 (04:54):
To understand that when I did the initial part that
was sort of cover pretending to be somebody else. I
only got so far with that, and after I wrote
The Ransomware Diaries Volume one, they knew who I was.
The farthest I got was talking to them as myself,
and they you know, it was just I started with with, Hey,
do you guys know who I am? I want to
have a conversation with you, And they were, you know,
(05:16):
said to me, yeah, your favorite researcher. We love you, okay,
And they were very willing to talk, which is why
I got so much farther talking to them as myself
as I did pretending to be a hacker.
Speaker 1 (05:26):
Uh huh. What's the thing you learned from LockBitSupp?
What's a what's a What's one detail of your understanding
that was improved by that relationship?
Speaker 2 (05:36):
Well, there were a lot of things, but one of
the key things I had learned was information about uh.
They prob internal problems that they had with affiliates. For example,
they complained that they've got really good hackers, but some
of these hackers are younger kids, and they're good at hacking,
but they're really bad at negotiating, uh, And he was.
They were unhappy about the amount of money coming in,
(05:59):
so they talked about that and coming up with a
with a model of how much they would accept, and
they created sort of a formula per company, and so
just things like that, things around tech resources. They asked
me one time if I would buy them. They couldn't
get a they they couldn't get a DomainTools account,
and they wanted to know because they couldn't pay for
it with crypto, they want to know if I would
buy it for them, which, of course they're playing with me,
(06:21):
you know. And it was sort of a cat and
mouse fun relationship for a while of going back and forth.
So it was friendly for most of our relationship until
it wasn't.
Speaker 1 (06:31):
So okay, So you're in this world and I just
want to step back for a minute to talk about
what's going on in a big way. Right, there's this
phrase that's sort of central here, which is ransomware as
a service. Ransomware is like straightforwards something a lot of
people are familiar with. It's basically, some bad actor, some hacker,
(06:53):
hacks into some companies' computers, locks them up and says
we're not going to unlock them unless you pay us
a ransom. That's ransomware.
Speaker 3 (07:02):
Exactly.
Speaker 1 (07:03):
What is ransomware as a service? What is I mean?
We know about software as a service, right, it's basically
you pay whatever amount of a month and you get to
use software. What's ransomware as a service.
Speaker 2 (07:12):
So ransomware as a service. There's more than just ransomware.
So you have this two part model where you have
a service provider. That service provider provides the actual ransomware code.
They also provide infrastructure. So the provider provides these services,
the hacker goes and does the dirty work of actual hacking,
(07:33):
and together when a victim pays the extortion, they share
the profit from it. The benefit from using this model
is you can have a lot higher volume than if
it was just five guys in a group doing it themselves.
By using this model, you can have many people doing
attacks on your behalf. Much higher volume of attacks, much
higher revenue.
Speaker 1 (07:54):
So Lockbit is basically just a software company. They're like
an enterprise software company. They write software and provide various
tools for users. But in this case the users are criminals,
are people who want to hack into various computer systems
and steal data and extort money.
Speaker 3 (08:14):
That's correct.
Speaker 2 (08:15):
But the other piece to it is the service provider aspect.
They're the ones that are sort of in charge, that
run the show, that give direction, that step in whenever
there's an issue, if there's a victim not paying, sometimes
they'll come in and help with the negotiation or take
over or give direction on how much you can you
can accept as a payment, or even say this is
(08:36):
what you can or cannot hack this company. So they're
definitely in the leadership chair.
Speaker 1 (08:42):
So I want to talk about how Lockbit sort of
grows and makes a name for itself. And one of
the things that's really interesting is kind of how uninteresting
it is. It's like, oh, it's this international criminal gang
and they're acting like a boring software company, and it
seems like a key early moment for them as they're
trying to grow and differentiate themselves in the market. Is
(09:05):
this summer paper contest in to tell me about that?
Speaker 3 (09:12):
Yeah, it's it's pretty crazy.
Speaker 2 (09:13):
So on this long running forum that I mentioned earlier,
this Russian hacking forum, Lockbit really wanted to to get
their brand out there. So what they did is they
sponsored this hacking paper contest, meaning hackers would submit these
papers on different ways to hack and Lockbit they would
(09:35):
they would take part in this and they would help review.
And there was five winners and the I think I
don't remember what the what the what the I think
was five thousand dollars maybe.
Speaker 1 (09:45):
Uh, you put a screenshot in your report. And what's
amazing is how banal. It looks it looks totally like
some college software contest or just some boring enterprise software company.
Like there's this little kind of clip art of just
like a dude at a laptop with a little plant
next to him, although there is also a skull and
(10:06):
crossbones next to him. It's like, we're just coders, but we're bad.
And as you said, first place is five thousand dollars,
which seems like not that much. Right, they're exploiting that.
They're stealing tens of millions of dollars at this point, right.
And then it says like accepted article topics, just like
it would in a college contest, but under accepted article topics,
it says hacks any methods for pouring shells, fixing, elevating rights,
(10:32):
your story is and tricks interesting hack stories. It's such
a fantastic combination of well banality and evil.
Speaker 3 (10:42):
It is.
Speaker 2 (10:42):
But here's what you have to think about. There's two
benefits for this. One what I mentioned, sort of getting
their name out and getting known with hackers. But two,
they're looking for those upcoming rising stars, if you.
Speaker 1 (10:54):
Will, recruitment. It's talents, right, and yeah.
Speaker 2 (10:58):
That's right, and that's why Lockbit was different than most
of these other ransomware groups, because they approached it
as a business and they thought out of the box
and that's kind of what would set them ahead and
apart at the time from other ransomware groups.
Speaker 1 (11:11):
So does it work this strategy?
Speaker 3 (11:16):
It absolutely worked.
Speaker 2 (11:17):
I mean, there's a reason that people know their name
and know who they are, and there's a reason that
they have so many people that at the time in
a way really wanted to work for them over other groups.
It was propaganda and it worked.
Speaker 1 (11:31):
And so it seems like by around twenty twenty one
they've hit the big time. And there's this one hack
in particular that you write about in the summer of
twenty one of Accenture, the big international consulting company. Tell
me about the Accenture hack.
Speaker 2 (11:49):
So in the Accenture hack, you know, the affiliate had
gone in compromised them, they locked down their data, and
Lockbit, you know, put on their site that you
know they were a victim. Reporters started to report about it,
and you got a lot of buzz in the media. Now,
the problem with the Accenture hack is that Accenture denied
(12:11):
that the hack took place. Initially saying that it wasn't
real and it didn't happen. The issue with that is
their customer's data was on their website and you could
you could go see it and validate it and download
samples of it.
Speaker 1 (12:26):
The customer's data was on the Lockbit website.
Speaker 3 (12:29):
That's correct.
Speaker 2 (12:30):
That's correct, and it was just a sampling, but you
could see this information and it looked quite authentic.
Speaker 1 (12:37):
So so does this Accenture hack sort of put Lockbit
on the map in a bigger way?
Speaker 3 (12:44):
Oh? I mean the media surrounding that was was was
very loud.
Speaker 2 (12:50):
I mean it was across many organizations. Lots of of
of well known journalists and organizations reported on it. All
this feeds into the propaganda. Now the journalist shouldn't report
on it. I'm just saying, you know, Lockbit plays that
to benefit him as them as well.
Speaker 1 (13:07):
Yeah, so basically the press coverage is good for Lockbit
because hackers see it and go to Lockbit and say, hey,
I want to be an affiliate and do some hacking.
Speaker 2 (13:16):
Essentially, that's right, and to be fair, the same thing
from me from writing these reports. Yes, it helps researchers
law enforcement, but it also helps them that that's the
reason that they were friendly to me is because they
were fans of a lot. I have probably just as
many criminal hackers that are fans of the ransomware diaries
as there are researchers and you know, right, regular people
that are not criminals.
Speaker 1 (13:36):
Well, I mean there's an ecosystem here, right, like the
the job. There's a universe of people whose job is
fighting criminals and a universe of people who are criminals
who are trying to evade being caught. Right, And that's right,
the kind of intellectual universe has got to be almost
entirely overlapping. Everybody's trying to figure out what everybody else
(13:57):
is doing. Everybody's sort of using the same tricks on
each other. It makes sense that the bad guys and
the good guys would be reading the same.
Speaker 3 (14:06):
Stuff it does.
Speaker 2 (14:08):
And you know that's really where that uh that that
that that human framework came in because his ego was
was the main thing I was able to play on
in order to get information. And even when there were
lies in that information, you know, I talked to the
people who work for them, So I would take those
lies and I would present them in a different way
to those people to get a response, and that would
(14:30):
help me to validate what's real and what's not.
Speaker 1 (14:32):
Is there some specific example of playing on his ego,
something you said to flatter him or something.
Speaker 2 (14:38):
Uh well, yeah, you know one of the one of
the things that that was big for him was, you know,
he wanted to be sort of the Darth Vader of
ransomware of my words, not his, but you know, he
he wanted to be this this top person. So you
know when you would talk about him changing the game
of ransomware and telling him, you know, you guys are
are are on top? You know, how did you get there?
(15:00):
How did you how did you get ahead of other
groups like like REvil and uh in in time, BlackMatter,
and groups like that, And you know he loved that.
You know, it would just that was a thing that
would get mister grumpy pants talking was sort of playing
on his ego, you know, asking questions about how he
got to be the top brand in ransomware and how
(15:23):
he's better than all the other ones.
Speaker 3 (15:25):
And he fed right into that.
Speaker 1 (15:30):
Coming up after the break, what happens when Lockbit
used to hack a hospital for children with cancer, So
kind of early twenty twenties Lockbit is king of the
(15:53):
ransomware world. And then it seems like in about twenty
twenty three they sort of start going too far or
their affiliates start going too far right, they start to
get into trouble, and it seems like the hack of a
hospital that is actually called SickKids, which is, yeah,
(16:14):
a children's cancer hospital in Canada, is kind of a
turning point. And like I do wonder, like you could
hack anybody, why would you hack a cancer hospital for children? Like,
is it because you want to be as evil as possible?
Speaker 2 (16:34):
Yeah, it's because they see them as a as an
easy target because a hospital has to be available and
make their resources easily accessible by their patients, clients, medical organizations,
and inherently the more accessible something is, the less secure it is.
So it makes them an easy target. They have a
(16:55):
lot of money, and they're more likely to pay because
the data is so sensitive and the systems that are
encrypted are so critical that it makes them a ripe
target and that's the reason that they'll go after them. Initially,
the hospital was hacked, the systems were encrypted, data was stolen,
and they didn't they weren't going to let them out
(17:17):
of this. They were going to force them to pay
or they weren't going to give them the key to
decrypt their systems, and didn't seem to care that these kids
couldn't get the care that they needed and the treatments
that they needed. The only reason so what ended up
happening was with all the media around it, it was
such a bad look for Lockbit that the leadership of
(17:37):
the group decided, after you know, about two weeks, they decided, Okay,
we're going to go ahead and we're going to give
them the decryption key, just because this was getting to
be too hot. And if you remember, like the whole
Colonial Pipeline thing with the DarkSide ransomware group, you
know that got that got so much attention that you know,
government agencies got involved and went after them, and when
(17:58):
that happens, it's very bad for ransomware groups. So they
essentially saw things could possibly go that direction with the
amount of bad publicity they were getting, and decided it
wasn't worth it the payment they were going to get,
and they went ahead and provided the hospital with the
decryption key so they could get those systems back online.
Speaker 1 (18:18):
And and in fact, their concern about a backlash was justified. Right,
it seems like international governments, kind of led by the UK,
do start to go after Lockbit around this point. Right,
What do you do if you're a government and you
want to go after a Russian hacking gang?
Speaker 2 (18:39):
Well, it's not easy. The things that you have to
do is you have to use resources that people like
me don't have available to try to figure out their
their infrastructure, their hosting infrastructure, what what what where their
servers live? Uh, and then which is very difficult when
they're there the dark web.
Speaker 3 (18:59):
It's hard to figure.
Speaker 1 (19:00):
That out because there's this is the cat and mouse thing.
They're like complicated smart systems. These people use to hide
their location essentially.
Speaker 2 (19:08):
That's that's right, and so that's one aspect is trying
to figure out that infrastructure.
Speaker 3 (19:15):
In some cases you.
Speaker 2 (19:16):
Can use legal means to take it down, but with
groups like Lockbit, often they will use service providers that
are in countries that cater to criminal activity and won't
respond to subpoenas. The other thing, though, that lawn that these
governments and law enforcements try to get into is the
infrastructure that is public, the panel that the bad guys
(19:37):
use to log into with the graphical interface to control
these attacks, and there's technical ways to do that, and
then there's also the ways of infiltrating the people who
work for the group to get their credentials access.
Speaker 1 (19:50):
So they're basically hacking. They're basically hacking the hackers. So
in February of twenty twenty four, this international coalition of
law enforcement agencies actually takes over Lockbit's sort of publicly
facing site, right, Lockbit's dark websites. Tell me about that.
Speaker 2 (20:09):
Yeah, So it was great when you went to the
website that that day, it was no longer Lockbit's data
leak site. Instead it was a mock site, so it
looks just like it, except instead of having real victims
within the site, the NCA put the criminals as the victims,
(20:31):
and they named affiliates with the victims, and they had
a countdown timer for for LockBitSupp saying they
were going to release his identity. Ha.
Speaker 1 (20:39):
And the countdown timer is the kind of thing that
the that the bad guys use when they hack a company,
saying we're gonna.
Speaker 3 (20:44):
That's right, yeah, uh huh, yeah, that's what they do.
Speaker 2 (20:47):
A countdown timer for traditional victims is how long
they have to pay till the data's leaked, so in.
Speaker 1 (20:53):
The same way that Lockbit was essentially marketing itself. Now
the now the cops, now the law enforcement officials, are
are doing that same kind of marketing. They're sort of
doing this kind of propagandistic thing to attract attention, presumably
what, to scare off all the affiliates, like why why
would they be doing it in this showy way just
(21:13):
for attention to get good press.
Speaker 2 (21:15):
No, it was it was a psychological operation. So prior
to this, they didn't they never did this there. The
way they took sites down were just to take it
down and put a message up saying law enforcement took
this down. This was psychological. It was meant to put
stress on the people who worked for the organization and
being concerned that they no longer had anonymity and that
(21:37):
their names and information was now being reviewed and revealed
by law enforcement. And the whole goal of this was
was to affect the Lockbit brand and to make people
not trust Lockbit.
Speaker 3 (21:49):
Or want to work for the organization.
Speaker 2 (21:52):
So it was very planned in, thought out and methodical.
It wasn't just, you know, to get attention. It was
specifically to hurt that brand and make affiliates afraid to
work for them. And in addition to that mock website
on the back end that panel that I was mentioning
that admin panel that they would use now when that
took place, when the takedown took place, when the affiliates
(22:14):
logged into that panel, they had tailored messages with their
username by law enforcement saying, hey, you're logging into the panel.
Speaker 3 (22:21):
We know who you are.
Speaker 2 (22:22):
We've been monitoring the activity you've been doing. We've got
your wallets. We're going to be coming to talk to
you soon. So it was it was very detrimental to criminals.
That was a brilliant operation in my opinion.
Speaker 1 (22:35):
And you mentioned that they had a countdown timer for
when they were going to reveal the name of LockBitSupp,
the person. Oh that you said, there's people, but
at least one of the people behind this, behind Lockbit,
one of the key Lockbit players. Did they in fact
reveal the name of that person.
Speaker 2 (22:52):
They didn't when the countdown time, or they didn't when
they did they at that time they didn't, but there's
a reason that they didn't. But they did not do
that in February. The reason that they didn't is because
Lockbit agreed to tell them information about some of his
adversarial group. There was a group called black who he
didn't like, and he agreed to try and get to
give them information.
Speaker 1 (23:13):
So use they used the threat of naming him as
leverage and getting him to flip. Basically, that's correct. Do
we know who he is now? Was he ever named?
Speaker 3 (23:25):
Yeah? It was.
Speaker 2 (23:27):
It was several months later. The site came back online,
meaning the law enforcement version of the site came back online.
There was a new timer, and once again they said
they were going to reveal Lockbit's name, and the timer
began again, and on May seventh, when that timer expired,
they did. They released his name and his picture, Dmitry Khoroshev.
(23:50):
They put that out there, indicted him, wanted posters the
whole nine yards.
Speaker 1 (23:54):
Is that grumpy pants?
Speaker 3 (23:56):
That's well my opinion.
Speaker 2 (23:59):
My opinion is that that was the younger person and
the other guy's still out there, but I think law
enforcement might tell you otherwise, though they do agree with
me that there's two people.
Speaker 1 (24:09):
So he's been indicted but not arrested. Is that what
you're saying?
Speaker 2 (24:13):
That's correct because he's in Russia and there's protections there.
The law enforcement just can't get their hands on them. Unfortunately,
the criminals are protected when they're in Russia.
Speaker 1 (24:24):
So is that the end of Lockbit?
Speaker 2 (24:28):
It's not, you would think it is, But most almost
every other group that this has happened to, that's the
end of the story, or at least it causes them
to take that operation down and they have to start
from scratch somewhere else with a new operation, with a
new name and a new brand. But Lockbit worked so
hard on that brand. I don't think he'll ever take
(24:49):
it away until he's till they actually arrest everybody. But no,
they continued, but they continued at a much lower level.
They didn't have the quality of hackers still working for them.
They started having to lie about attacks to try and
stack the numbers and things of that nature.
Speaker 1 (25:08):
Do you think the law enforcement officials' campaign, the whole thing
of like naming the people and doing all the stunts
on the website. You think that worked? You think it
was sort of like Lockbit rose on marketing and in
a way fell on the marketing of the governments.
Speaker 2 (25:20):
Yeah, well, was it one hundred percent effective, No, but
it was about eighty percent effective. And prior to this,
I would say that most of those operations were like
forty percent effective. And what I mean by that is
this actually affected the brand where people, the quality hackers,
the quality affiliates. Why would they work for this organization
(25:40):
with all this heat where they can't trust that they're
going to be protected when they can go work for
some other premier worgans.
Speaker 1 (25:46):
Like any software company. Their biggest problem is finding and
keeping good people.
Speaker 3 (25:51):
That's right, That's exactly right.
Speaker 1 (25:54):
And by good people, I guess in this case, it
means bad people, right. So okay, so this is a
year ago. Basically, this is early twenty twenty four. Lockbit
gets mostly taken down, not knocked out, at least knocked down.
Where are we today, Like, what is the state of
the ransomware industry?
Speaker 2 (26:12):
So it's changed a bit. I would say you have
more groups, but you don't have sort of these. You
don't have as many big organizations that sort of hold
all the majority of attacks. You have smaller to medium
sized groups that work more under the radar, meaning they're
(26:34):
not doing the same volume of attacks. They're also not
getting the same amount of money and ransom extortions as
they did before. But they're still out there. They're just
doing it, the model just changed a little bit.
Speaker 1 (26:48):
And so as part of the idea that, oh, maybe
trying to have a big name and be like a
famous criminal gang is not a good long term strategy.
Speaker 3 (26:58):
That's exactly correct.
Speaker 2 (26:59):
I think that this is what really made them realize
that people are sort of lower on the radar, just
trying to get money and extort, but not necessarily have
this voice that's heard across the world.
Speaker 1 (27:10):
What's like, what's the big lesson to you from the
Lockbit story.
Speaker 2 (27:16):
The big lesson there is being boisterous. Having this ego
is actually a downfall. Being loud, getting publicity, getting your
name out there, well, that might help attract people to
come work for you. There's the opposite side of that,
where it also attracts a lot of attention from law enforcement,
and if you're a criminal group, that's not a good thing.
(27:38):
And I think bad guys have figured that out between
mainly from twenty twenty four with both the BlackCat
ransomware group and with Lockbit. Those were your prominent players,
and those guys both got decimated by law enforcement, and
that happened because of the attention that they drew to themselves.
So I think That's the lesson that adversaries have learned
(27:59):
is you have to be quieter about what you do.
Speaker 1 (28:05):
We'll be back in a minute with the lightning round. Let's
finish with the lightning round. It's gonna be a little
more random and a little more about you. Okay, what's
one thing you learned when you hacked into the Pentagon
(28:27):
as a fifteen year old boy?
Speaker 2 (28:31):
Oh man, That's the reason that had I talked to
these criminals and I sometimes have empathy to want to
help them change what they're doing, is because I got
a second chance, and I remember that fear, and I
want to try to help some of these young kids
to change what they're doing and not continue down this road.
Speaker 1 (28:48):
What actually happened there? What was it that happened?
Speaker 2 (28:51):
Yeah, so my stepfather worked for Colin Powell during the
Iraq War. He was at the Pentagon and he had
a classified system in our basement, and I had a
friend over and I was really into computers and hacking
figuring things out. And I didn't do anything elaborate. I
just figured out his credentials and I logged in and
was put looking around. Nothing elaborate, but enough that it
(29:12):
got attention and bad things happened, and and the FBI showed.
Speaker 3 (29:16):
Up and things.
Speaker 1 (29:17):
The FBI showed up at your house.
Speaker 3 (29:19):
Yeah they did. It was It was not a good
day for me.
Speaker 1 (29:24):
I'm glad it worked out in the end. It did.
Speaker 3 (29:27):
It did.
Speaker 2 (29:28):
It only worked out though, because of who he worked for,
my stepfather, and the connections that he had, and the
fact that I had no prior record. That's the reason
that it worked. And I had a summer where I
had to go work at Fort Belvoir doing community service,
but I just do such a good job they wanted
to hire me to work there. So it was definitely
a life changing experience. And then I joined the army
and became a military police officer. So that was my story.
(29:50):
But it worked out well for him.
Speaker 1 (29:52):
So I understand that when you were a military police officer,
you did undercover drug buys. I did. What's something you
learned doing undercover drug buys as a military police officer?
Speaker 2 (30:04):
What I learned is it's not black and white. It's
not just you're a bad guy or a good guy.
There are there there's still human beings.
Speaker 1 (30:12):
What's one thing you learned pushing carts at Home Depot?
Speaker 2 (30:17):
That you should never have an ego because I did
all that crazy work and I got out and I
could not get a job in law enforcement because of
my tattoos. At the time, you couldn't have visible tattoos,
at least in Virginia. Tried to join the FBI because
I smoked weed in high school. At the time, they
had a zero tolerance.
Speaker 3 (30:33):
I couldn't get into that. I didn't couldn't get.
Speaker 2 (30:36):
A job, and I had to start at the very bottom.
I've been working retail. I'm not even in the store.
I'm in the parking lot, you know. That was I
was living out of my truck for a couple of weeks,
and then I rented a room at a house. That house,
they were selling.
Speaker 3 (30:48):
Drugs out of the house.
Speaker 2 (30:49):
The cops raided it, arrested everybody but me, but I
couldn't even get in the house to get my stuff.
Speaker 3 (30:54):
I mean, it was a tough time in my life.
Speaker 1 (30:58):
I'm going to change gears to talk about something much
more pedestrian. Now, what's your favorite depiction of hacking in
a work of fiction? Uh?
Speaker 2 (31:09):
Cory, uh, there's an author, Cory Doctorow, brilliant guy. He's
one of my favorite authors, and he does hacker fiction
if you will, and he's got a probably twenty books now,
but they're they're phenomenal, especially the Homeland series. That's one
of my favorite.
Speaker 1 (31:28):
Okay, Homeland series. Who's your favorite cyber criminal in real life?
Speaker 2 (31:36):
I would probably say the hacker known as USDoD.
He is a He is a hacker who's
not Russian. Uh. He lives in Brazil. I became very
good friends with him. I've never written about him. He
wasn't a target of mine. He helped me actually when
I was going after RansomedVC and he gave me
(31:57):
a lot of good insight information and we just became
friends for a long time and we talked and he
was somebody who I really had wanted to help. He's
in jail now, so you can figure out if I
was able to help him or not.
Speaker 1 (32:10):
Why? Why him? What was what was that relationship?
Speaker 2 (32:15):
You know, he had issues like like everybody, but you know,
he was a he had a good side to him.
There was a side to him. He was a decent
person and I really thought if he hadn't become a criminal,
he's somebody that would have been in the cybersecurity field.
He did have empathy for people. He hated law enforcement
(32:37):
in the government, but he did have empathy for people,
and he was somebody who I could talk to and
and actually feel like I could I could make a
difference with the conversations that we had.
Speaker 1 (32:53):
John DiMaggio is the chief security strategist at Analyst One.
Today's show was produced by Gabriel Hunter Chang. It was
edited by Lydia Jean Kott and engineered.
Speaker 3 (33:03):
by Sarah Bruguiere.
Speaker 1 (33:04):
I'm Jacob Goldstein and we'll be back later this week
with another episode of What's Your Problem.