WEBVTT

00:00:02.340 --> 00:00:05.620
JACK: [MUSIC] Ransomware is a special type of malware.

00:00:05.620 --> 00:00:09.010
It’s kind of new and different compared to other malware.

00:00:09.010 --> 00:00:13.340
While most malware is quiet, downloading silently in the background, hiding itself from the

00:00:13.340 --> 00:00:16.230
victim, ransomware is the opposite.

00:00:16.230 --> 00:00:20.160
The moment it installs on your system, it announces it’s there in the loudest and

00:00:20.160 --> 00:00:23.090
boldest way possible.

00:00:23.090 --> 00:00:27.470
Ransomware locks down your computer completely, rendering it unusable.

00:00:27.470 --> 00:00:32.050
The purpose is to shout out that it has taken over your machine and until you pay a fee,

00:00:32.050 --> 00:00:33.360
you’re not getting it back.

00:00:33.360 --> 00:00:37.680
There are so many stories right now about businesses and government departments that

00:00:37.680 --> 00:00:42.399
are getting hit with ransomware and it costs them hundreds of thousands of dollars to fix.

00:00:42.399 --> 00:00:45.830
Russian railways got hit, banks, hospitals, governments, towns.

00:00:45.830 --> 00:00:48.640
The mobile phone operators got hit.

00:00:48.640 --> 00:00:49.680
Universities in China were hit.

00:00:49.680 --> 00:00:51.800
FedEx got hit in the US.

00:00:51.800 --> 00:00:54.140
Telefónica in Spain, and Renault in France.

00:00:54.140 --> 00:00:57.280
They’re all infected and their data was held ransom.

00:00:57.280 --> 00:01:03.040
But what about the everyday person, the person who has a laptop and uses it in evenings and

00:01:03.040 --> 00:01:07.399
after work, and goes on the internet to do shopping and other stuff?

00:01:07.399 --> 00:01:11.209
What happens when we are targeted by an internet thug?

00:01:11.209 --> 00:01:12.670
This story is about exactly that.

00:01:12.670 --> 00:01:17.020
It’s a story about individual users being hit with ransomware on their own computers,

00:01:17.020 --> 00:01:20.579
and the criminal behind it was a teenage boy in his bedroom.

00:01:20.579 --> 00:01:25.350
There’s a twist to this story, one that gave this criminal a hook to threaten and

00:01:25.350 --> 00:01:27.990
frighten his victims into paying ransom fees.

00:01:27.990 --> 00:01:33.289
It’s an example of social engineering at its best, or maybe its worst.

00:01:33.289 --> 00:01:42.060
JACK (INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet.

00:01:42.060 --> 00:01:46.669
I’m Jack Rhysider.

00:01:46.669 --> 00:01:50.859
This is Darknet Diaries.

00:01:50.859 --> 00:02:00.189
[INTRO MUSIC ENDS]

00:02:00.189 --> 00:02:06.359
JACK: This is a story about a guy named Zain Qaiser.

00:02:06.359 --> 00:02:07.880
The year was 2011.

00:02:07.880 --> 00:02:12.329
Zain was seventeen years old, living at home with his parents in Barking, which is in East

00:02:12.329 --> 00:02:13.329
London, UK.

00:02:13.329 --> 00:02:17.540
At the time he was studying Computer Science at City, University, which is right in the

00:02:17.540 --> 00:02:18.540
middle of London.

00:02:18.540 --> 00:02:21.160
He spent most of his time on his MacBook Pro.

00:02:21.160 --> 00:02:25.890
City, University was one of the first in the UK to offer degree courses in Computer Science.

00:02:25.890 --> 00:02:28.849
More than that, they have one of the highest rates of graduate employment.

00:02:28.849 --> 00:02:32.950
Those who complete their courses are getting good jobs in InfoSec and going off to have

00:02:32.950 --> 00:02:34.159
great careers.

00:02:34.159 --> 00:02:40.180
Zain would not complete his courses, or graduate, or go off to have a great career.

00:02:40.180 --> 00:02:48.090
[MUSIC] There’s a whole secret malware economy that exists in the dark parts of the internet.

00:02:48.090 --> 00:02:53.120
You can hire a hacker or buy exploits, you can pay for botnet usage, or you can buy and

00:02:53.120 --> 00:02:55.659
sell stolen data from people.

00:02:55.659 --> 00:02:59.709
Online criminals today will often only be one part of the supply chain.

00:02:59.709 --> 00:03:05.830
One exploit kit found for sale on the dark web is called Angler.

00:03:05.830 --> 00:03:07.269
Some really clever hackers made it.

00:03:07.269 --> 00:03:08.439
We think it was probably Russian-made.

00:03:08.439 --> 00:03:13.040
Here’s how it works; it starts by somehow getting you to visit a malicious website.

00:03:13.040 --> 00:03:15.840
Now, websites you can visit can tell a lot about your computer.

00:03:15.840 --> 00:03:19.831
They can check what version of Flash you’re running, or Java, and if you go to a website

00:03:19.831 --> 00:03:23.370
that has the Angler Exploit Kit running on it, it’ll do just that.

00:03:23.370 --> 00:03:25.590
It’ll check what software versions you’re running.

00:03:25.590 --> 00:03:29.109
It’ll basically scan your computer for out-of-date software.

00:03:29.109 --> 00:03:34.989
It’ll check your Adobe PDF Reader version, then your Silverlight version, then your Java

00:03:34.989 --> 00:03:36.719
version, then your Flash version.

00:03:36.719 --> 00:03:40.900
If it sees any of these are out of date and have a known vulnerability, it moves onto

00:03:40.900 --> 00:03:41.900
Step Two.

00:03:41.900 --> 00:03:45.659
It will try to exploit that vulnerability and gain access to your computer.

00:03:45.659 --> 00:03:49.310
Let’s dive into this for a second, here.

00:03:49.310 --> 00:03:53.420
One of the vulnerabilities the Angler Exploit Kit will use is what’s called a Use After

00:03:53.420 --> 00:03:55.019
Free vulnerability.

00:03:55.019 --> 00:03:58.749
This is where the program had some data in its memory but it’s done with it and freed

00:03:58.749 --> 00:04:03.629
it, but somewhere in the program is still a reference to that part of the memory.

00:04:03.629 --> 00:04:07.390
Okay, suppose you were eating popcorn with a friend, watching a movie.

00:04:07.390 --> 00:04:11.030
You’ve got a bowl of popcorn on your lap and you’re sharing it with them.

00:04:11.030 --> 00:04:16.209
They take a handful, then you take a handful, then they take a handful, then

00:04:16.209 --> 00:04:18.290
you take the last handful.

00:04:18.290 --> 00:04:20.139
The popcorn is gone.

00:04:20.139 --> 00:04:23.550
The bowl is empty but your friend doesn’t know it.

00:04:23.550 --> 00:04:26.919
They still think there’s popcorn in the bowl so you play a little trick on them and

00:04:26.919 --> 00:04:30.000
put a bowl of spaghetti on your lap instead.

00:04:30.000 --> 00:04:34.960
When they go to reach into the popcorn bowl, they stick their hand in the bowl of spaghetti.

00:04:34.960 --> 00:04:39.919
This is kind of what Use After Free vulnerabilities are like, sorta.

00:04:39.919 --> 00:04:43.610
Your friend was programmed to reach into the popcorn bowl, thinking there was something

00:04:43.610 --> 00:04:45.139
there, but there was nothing there.

00:04:45.139 --> 00:04:49.080
In software world, you can put some commands in that bowl so when the software reaches

00:04:49.080 --> 00:04:52.210
for it, it executes those commands you told it to.

00:04:52.210 --> 00:04:54.020
Kind of brilliant, huh?

00:04:54.020 --> 00:04:56.490
Okay, enough with the bad analogies.

00:04:56.490 --> 00:05:01.139
Angler is an exploit kit, meaning it doesn’t just contain one exploit, but instead it looks

00:05:01.139 --> 00:05:03.960
all over your computer for any exploit it can use.

00:05:03.960 --> 00:05:08.460
It might have dozens of possible exploits to try and if it finds one, it then runs commands

00:05:08.460 --> 00:05:11.680
on your computer that it shouldn’t be able to run.

00:05:11.680 --> 00:05:13.800
This is where Angler sort of stops.

00:05:13.800 --> 00:05:16.960
Its job is really just to get in and execute the payload.

00:05:16.960 --> 00:05:21.580
A payload could be anything, though; it could be to steal user data or passwords, it could

00:05:21.580 --> 00:05:25.729
be to tie your computer into a botnet, or it could be just to delete everything on the

00:05:25.729 --> 00:05:26.860
computer.

00:05:26.860 --> 00:05:30.860
In short, if you have outdated software on your computer and visit a website running

00:05:30.860 --> 00:05:35.720
the Angler Exploit Kit set to destroy your computer, your computer will then be infected

00:05:35.720 --> 00:05:38.560
in seconds and begin deleting files.

00:05:38.560 --> 00:05:40.780
Scary stuff.

00:05:40.780 --> 00:05:45.110
Seventeen-year-old Zain Qaiser thought this was cool, though, and thought this had potential

00:05:45.110 --> 00:05:46.720
to make him some money.

00:05:46.720 --> 00:05:51.449
The problem was the Angler software was sort of hard to get at the time.

00:05:51.449 --> 00:05:56.940
In early 2012, Zain was very active in chat rooms and forums using his username K!NG but

00:05:56.940 --> 00:05:58.909
with an exclamation point for the ‘i.’

00:05:58.909 --> 00:06:02.419
He had an idea and he wanted to put his plan into action.

00:06:02.419 --> 00:06:07.490
[MUSIC] Zain makes contact with the Russian creators of Angler and tells them he has the

00:06:07.490 --> 00:06:10.940
skills and experience to make them a lot of money.

00:06:10.940 --> 00:06:15.289
You provide the malware, he said, and I’ll get it infected on a lot of computers.

00:06:15.289 --> 00:06:19.150
Zain tells them that he’s experienced in social engineering and that he’s good at

00:06:19.150 --> 00:06:23.270
manipulating people to get what he wants, and he’s got no problem doing it.

00:06:23.270 --> 00:06:27.629
He’s a native English speaker and knows how the online advertising industry works.

00:06:27.629 --> 00:06:30.949
Zain suggested a split of the profits.

00:06:30.949 --> 00:06:36.449
It was a partnership pitch and one of the Russians was open to hearing this pitch.

00:06:36.449 --> 00:06:38.370
An agreement was made.

00:06:38.370 --> 00:06:40.120
Zain got started on his plan.

00:06:40.120 --> 00:06:44.569
He got the Angler Exploit Kit which is good at getting into the victim’s computer, but

00:06:44.569 --> 00:06:45.789
that’s all it’s good for.

00:06:45.789 --> 00:06:50.000
You still need a payload or an action once the machine is exploited.

00:06:50.000 --> 00:06:53.340
Zain decided to weaponize Angler with Reveton.

00:06:53.340 --> 00:06:57.699
Reveton is a powerful ransomware that will encrypt an entire user’s hard drive with

00:06:57.699 --> 00:06:58.699
a password.

00:06:58.699 --> 00:07:01.580
Then you have to pay money to get that password to decrypt it.

00:07:01.580 --> 00:07:03.220
This worked perfectly for Zain.

00:07:03.220 --> 00:07:08.060
Now he has a weaponized exploit kit all set up on a website, waiting for anyone to visit

00:07:08.060 --> 00:07:10.050
it to get infected.

00:07:10.050 --> 00:07:14.280
But how do you trick someone to go to your website to get infected?

00:07:14.280 --> 00:07:19.070
His idea was to buy online ads that point people to his malicious website.

00:07:19.070 --> 00:07:20.490
Where would he buy those ads?

00:07:20.490 --> 00:07:22.310
On porn websites.

00:07:22.310 --> 00:07:26.320
The Russians provided him with some fake identities, and documents, and credentials so he could

00:07:26.320 --> 00:07:31.360
convince legitimate advertising agencies that he was just an everyday advertiser.

00:07:31.360 --> 00:07:33.599
This is a typical example of malvertising.

00:07:33.599 --> 00:07:38.330
Once people click on this link, they get redirected to a malicious website and the computer would

00:07:38.330 --> 00:07:42.509
be infected with that Reveton ransomware that Zain equipped into Angler.

00:07:42.509 --> 00:07:46.610
Now, if you’re going to demand a ransom payment, you need to have something your victim

00:07:46.610 --> 00:07:47.819
is willing to pay for.

00:07:47.819 --> 00:07:52.349
Sure, if you locked up someone’s computer and say pay me to unlock it, that may work,

00:07:52.349 --> 00:07:55.490
but Zain’s plan was a little more diabolical.

00:07:55.490 --> 00:07:59.750
The Reveton ransomware is sometimes known as the Police Virus and that’s because when

00:07:59.750 --> 00:08:04.349
you get infected with it, it shows you a police logo and tells you the victim has broken the

00:08:04.349 --> 00:08:06.900
law by visiting this porn site.

00:08:06.900 --> 00:08:10.110
Not only does the computer get frozen, but all of a sudden there are words on the screen

00:08:10.110 --> 00:08:13.900
that say ‘porn’ and ‘child porn’ and ‘FBI’ and ‘criminal charges.’

00:08:13.900 --> 00:08:15.110
Well, you get the idea.

00:08:15.110 --> 00:08:19.210
For Zain to target people going to porn sites to try to get them to click on this ad so

00:08:19.210 --> 00:08:23.540
that they can be infected with the malware was a perfect match for this ransomware.

00:08:23.540 --> 00:08:27.740
It’s sort of a brilliant combination of social engineering and hacking.

00:08:27.740 --> 00:08:31.160
Victims of this would not only be mad but they’d be embarrassed, and ashamed, and

00:08:31.160 --> 00:08:33.780
scared, even.

00:08:33.780 --> 00:08:38.350
If you infect your family’s computer or a work computer, jeesh, what a mess it would

00:08:38.350 --> 00:08:41.810
be to explain that you were on a porn site when you got infected.

00:08:41.810 --> 00:08:46.300
Zain was ruthless at targeting these people, and soon with his paid ads, hard drives began

00:08:46.300 --> 00:08:48.700
getting infected with this malware.

00:08:48.700 --> 00:08:53.150
Zain’s ransom screen would even say that the victim’s IP was reported to the police.

00:08:53.150 --> 00:08:59.260
But to make it all go away all you have to do is pay $200 and everything is dropped.

00:08:59.260 --> 00:09:02.430
People started paying up.

00:09:02.430 --> 00:09:08.520
In the summer of 2012, with his agreement with the Russian crime group in place, Zain

00:09:08.520 --> 00:09:12.920
began his first stage which would become a colossal ransomware scam.

00:09:12.920 --> 00:09:16.100
There’s almost no website on the internet that doesn’t display some sort

00:09:16.100 --> 00:09:17.250
of advertising.

00:09:17.250 --> 00:09:21.650
An advertising space on popular websites with large traffic is in demand and advertisers

00:09:21.650 --> 00:09:25.010
will pay good money to secure that advert slot.

00:09:25.010 --> 00:09:29.690
The problem comes in when the advert placed is just in front of malware secretly embedded

00:09:29.690 --> 00:09:31.130
in its code.

00:09:31.130 --> 00:09:34.570
Some big-name websites have been hit with malvertising like the New York Times and The

00:09:34.570 --> 00:09:35.570
Atlantic.

00:09:35.570 --> 00:09:38.940
These websites have high-traffic numbers and they didn’t know anything about these scams

00:09:38.940 --> 00:09:40.330
that were going on.

00:09:40.330 --> 00:09:45.890
Zain was fully aware of malicious advertising, malvertising, and he understood how to implement

00:09:45.890 --> 00:09:46.890
it.

00:09:46.890 --> 00:09:50.420
He acted as a legitimate advertiser looking to purchase advertising space on some of the

00:09:50.420 --> 00:09:52.960
biggest pornography sites in the world.

00:09:52.960 --> 00:09:57.780
He took part in real-time bidding of premium ad spaces; a constant changing market, and

00:09:57.780 --> 00:09:59.580
the bidding process is competitive.

00:09:59.580 --> 00:10:04.450
Basically, by paying for ads, he was buying traffic to his site and paid traffic got fast

00:10:04.450 --> 00:10:05.450
results.

00:10:05.450 --> 00:10:09.300
[MUSIC] Set it up, and straight away you can see more visitors and more clicks.

00:10:09.300 --> 00:10:13.610
All Zain needed was a click on that advert and the ball started rolling.

00:10:13.610 --> 00:10:17.290
This knowledge was partly why Zain was of interest to the Russian crime group.

00:10:17.290 --> 00:10:24.070
With their coding skills and his understanding of the ad market, they were onto a sure thing.

00:10:24.070 --> 00:10:28.270
The advertising company Zain was working with knew nothing about his real intentions.

00:10:28.270 --> 00:10:33.340
Zain laced his adverts with redirects to websites infected with malware, the Angler Exploit

00:10:33.340 --> 00:10:34.520
Kit.

00:10:34.520 --> 00:10:38.270
Users didn’t know it but as soon as their browser hit that website, Angler was scanning

00:10:38.270 --> 00:10:41.010
their system, looking for a way to infect it.

00:10:41.010 --> 00:10:44.910
The Angler Exploit Kit is like a sniffer dog trying to find its target.

00:10:44.910 --> 00:10:48.700
Now, why doesn’t Antivirus stop this, you might ask?

00:10:48.700 --> 00:10:53.040
Well, first of all, a lot of people don’t use Antivirus so they’re like sitting ducks,

00:10:53.040 --> 00:10:54.580
especially if they don’t update their software.

00:10:54.580 --> 00:10:57.790
This is why I’m telling you always update your software.

00:10:57.790 --> 00:11:02.350
But second of all, the creators of Angler were really clever to avoid its detection.

00:11:02.350 --> 00:11:07.190
It would constantly change domains and IPs to avoid any blacklist and it would encrypt

00:11:07.190 --> 00:11:11.230
all traffic to avoid Antivirus seeing malicious commands coming over.

00:11:11.230 --> 00:11:15.620
It would change the way it looks to avoid any matching string detection that Antivirus

00:11:15.620 --> 00:11:16.660
might be looking for.

00:11:16.660 --> 00:11:19.300
It’s a rascal of a malware.

00:11:19.300 --> 00:11:22.720
Angler didn’t even need its own files to launch an attack.

00:11:22.720 --> 00:11:25.670
It didn’t even need time on the machine before it could operate.

00:11:25.670 --> 00:11:29.890
It can spot a vulnerability, send commands to exploit it, and then conduct whatever it

00:11:29.890 --> 00:11:31.110
needs to do on that.

00:11:31.110 --> 00:11:35.750
On top of that, the Russian coders who made it had a zero-day vulnerability in it, too,

00:11:35.750 --> 00:11:39.500
a vulnerability in Adobe Flash that Adobe didn’t even know about.

00:11:39.500 --> 00:11:44.720
It was stealthy, cunning, and very effective.

00:11:44.720 --> 00:11:50.820
[MUSIC] The ransomware favored by Zain and this Russian group was called Reveton.

00:11:50.820 --> 00:11:55.670
It’s been called the Police Virus, or even the FBI Virus, as it pretends to be an official

00:11:55.670 --> 00:11:56.670
police notice.

00:11:56.670 --> 00:12:00.730
REPORTER: Target Eleven with a warning now to everyone who has a computer.

00:12:00.730 --> 00:12:06.470
A new virus is not only infecting your computer but the crooks behind it are also extorting

00:12:06.470 --> 00:12:07.470
money.

00:12:07.470 --> 00:12:11.870
It’s called the FBI Virus but it has nothing to do with the agency.

00:12:11.870 --> 00:12:14.680
JACK: This is ransomware with a twist of social engineering.

00:12:14.680 --> 00:12:17.990
It’s a psychological trick, a scare tactic.

00:12:17.990 --> 00:12:20.850
The computer was frozen and displayed an FBI logo.

00:12:20.850 --> 00:12:23.610
It just said ‘You have broken the law.

00:12:23.610 --> 00:12:25.610
You are facing imprisonment.

00:12:25.610 --> 00:12:29.380
We have captured images on this adult site via your webcam.

00:12:29.380 --> 00:12:34.170
This notice has locked and frozen your computer when you are viewing a pornography website.’

00:12:34.170 --> 00:12:37.100
Embarrassment, shame, fear of exposure.

00:12:37.100 --> 00:12:41.430
All emotions this malware banked on to push its users into following its instructions

00:12:41.430 --> 00:12:45.230
and paying the money to just make it all go away.

00:12:45.230 --> 00:12:48.920
In the ransomware it even said the victim’s internet service provider had been notified

00:12:48.920 --> 00:12:50.540
by the Cyber Crimes Unit.

00:12:50.540 --> 00:12:54.820
It even gives their IP address, host name, and it says ‘Illegally downloaded material

00:12:54.820 --> 00:12:58.310
has been located on your computer which has broken some copyright laws.’

00:12:58.310 --> 00:13:05.200
It all sounds and looks official, then says the user is subject to a fine of $200,000

00:13:05.200 --> 00:13:07.920
or face imprisonment for up to three years.

00:13:07.920 --> 00:13:12.260
Of course, if you want to avoid that, all you have to pay is this $200 fee and your

00:13:12.260 --> 00:13:17.940
computer will be unlocked and all criminal proceedings against you will be stopped.

00:13:17.940 --> 00:13:22.370
It doesn’t demand too much money as a ransom fee, just enough to be worth doing, but not

00:13:22.370 --> 00:13:25.350
too much that people wouldn’t or couldn’t pay for it.

00:13:25.350 --> 00:13:30.590
Bitcoin was around then, the cryptocurrency, but it was only 2012 so it was only a few

00:13:30.590 --> 00:13:33.300
years since Bitcoin was created.

00:13:33.300 --> 00:13:39.020
While Bitcoin wasn’t quite popular yet and the prices were fluctuating a lot, people

00:13:39.020 --> 00:13:43.670
just weren’t tech savvy enough to figure out how to buy Bitcoin and send it, so the

00:13:43.670 --> 00:13:48.790
solution was GreenDot MoneyPak prepaid cards.

00:13:48.790 --> 00:13:52.260
These aren’t linked to a bank account and each card comes with a unique fourteen-digit

00:13:52.260 --> 00:13:53.260
number.

00:13:53.260 --> 00:13:57.180
Once a card has been loaded with cash, you can give that number to anyone and they’ll

00:13:57.180 --> 00:13:59.130
have immediate access to those funds.

00:13:59.130 --> 00:14:01.290
The US is the world’s biggest user of these cards.

00:14:01.290 --> 00:14:06.690
You can buy them at Wal-Mart, CVS, Walgreens, all sorts of big retailers, and put cash onto

00:14:06.690 --> 00:14:07.690
it.

00:14:07.690 --> 00:14:10.162
It costs six dollars and you can deposit up to $500 on this card.

00:14:10.162 --> 00:14:15.310
At the time, it was the ideal method for anonymous internet criminals to accept

00:14:15.310 --> 00:14:17.130
money from their victims.

00:14:17.130 --> 00:14:21.560
The Reveton ransom screen gave the user details, instructions on how to pay their fee.

00:14:21.560 --> 00:14:24.540
Step one, take cash to one of these retail locations.

00:14:24.540 --> 00:14:27.950
Step two, pick up a MoneyPak and buy it with cash at the register.

00:14:27.950 --> 00:14:32.270
Step three, come back and enter the MoneyPak code into the code section on this message

00:14:32.270 --> 00:14:33.560
screen, and then click submit.

00:14:33.560 --> 00:14:35.240
It’s that simple.

00:14:35.240 --> 00:14:39.030
Zain’s paid ads taking traffic to his site was working.

00:14:39.030 --> 00:14:43.120
People were getting their computers locked and they were paying to have it unlocked.

00:14:43.120 --> 00:14:49.240
Money started to come in for Zain.

00:14:49.240 --> 00:14:53.780
The next challenge was to get the cash and to make sure his Russian associates got their

00:14:53.780 --> 00:14:54.780
share.

00:14:54.780 --> 00:14:59.170
It’s not so easy to move a lot of money around as a criminal and not be caught by

00:14:59.170 --> 00:15:00.390
the police.

00:15:00.390 --> 00:15:04.450
Zain would collect the money and then use Liberty Reserve to transfer it to his Russian

00:15:04.450 --> 00:15:08.150
associates, but he needed some help to do this.

00:15:08.150 --> 00:15:12.220
[MUSIC] Liberty Reserve was kind of like the shady cousin of PayPal.

00:15:12.220 --> 00:15:16.490
It’s the black sheep of the digital currency family and one that was favored by a lot of

00:15:16.490 --> 00:15:17.490
cyber-criminals.

00:15:17.490 --> 00:15:21.740
An account at Liberty Reserve didn’t ask you for your real credentials, or proof, or

00:15:21.740 --> 00:15:24.930
identity, or anything in order to transfer money.

00:15:24.930 --> 00:15:30.040
In fact, it didn’t even have a full license to be operating as a funds transfer business,

00:15:30.040 --> 00:15:32.770
something which would later catch up with its founder.

00:15:32.770 --> 00:15:36.830
Someone who wanted to launder money quickly, and privately, and online knew this was a

00:15:36.830 --> 00:15:38.370
perfect setup.

00:15:38.370 --> 00:15:43.500
Zain was the distributor of the malware and this ransom scam, but to launder the funds

00:15:43.500 --> 00:15:46.850
and get access to the money, he needed a middle man.

00:15:46.850 --> 00:15:48.950
That’s where Raymond came in.

00:15:48.950 --> 00:15:50.690
He’s from Maple Valley in Washington.

00:15:50.690 --> 00:15:53.160
He’s thirty-five years old in 2012.

00:15:53.160 --> 00:15:58.180
He was a student at Florida International University and his role was to cash the ransomware

00:15:58.180 --> 00:16:02.930
payments from the MoneyPak cards, and then he’d convert the cash to Liberty Reserve,

00:16:02.930 --> 00:16:05.600
transfer the money to Zain, and keep a little bit for himself.

00:16:05.600 --> 00:16:08.130
The two got their routine polished pretty quickly.

00:16:08.130 --> 00:16:12.760
Zain opens multiple accounts and prepaid cards using more fake identifications provided by

00:16:12.760 --> 00:16:16.160
his Russian contact, and he gives these accounts to Raymond.

00:16:16.160 --> 00:16:19.380
Raymond uses the MoneyPak codes for each ransom payment.

00:16:19.380 --> 00:16:24.330
He logs into his MoneyPak account, uses the codes to transfer the ransom to fraudulent

00:16:24.330 --> 00:16:25.330
accounts.

00:16:25.330 --> 00:16:29.050
Now, there are limits to the number of transactions and amounts of money that can be deposited

00:16:29.050 --> 00:16:30.490
through MoneyPak.

00:16:30.490 --> 00:16:35.950
Deposits of up to $1,000 within a twenty-four-hour period seem to have been the standard allowance.

00:16:35.950 --> 00:16:40.760
Raymond most likely had multiple MoneyPak accounts, all in fake names so that he could

00:16:40.760 --> 00:16:42.020
avoid hitting these limits.

00:16:42.020 --> 00:16:46.490
Once he transferred the money into the accounts that Zain gave him, he could go and withdraw

00:16:46.490 --> 00:16:49.130
the money from multiple ATMs in different locations.

00:16:49.130 --> 00:16:52.630
Then he’d send it to Zain through Liberty Reserve.

00:16:52.630 --> 00:16:57.110
To open an account at Liberty Reserve, it was as simple as a name and e-mail address.

00:16:57.110 --> 00:17:01.090
You need to convert your criminally-obtained cash so you buy what they call Liberty Reserve

00:17:01.090 --> 00:17:02.730
dollars with cash.

00:17:02.730 --> 00:17:08.419
That transforms your ransom cash into digital currency for a fee of about 5%.

00:17:08.419 --> 00:17:12.370
To buy Liberty dollars, Raymond would have to go through an exchanger, someone located

00:17:12.370 --> 00:17:16.799
in a completely different country, who could purchase Liberty dollars in bulk.

00:17:16.799 --> 00:17:21.199
Liberty Reserve itself had no identification details for the people who held accounts there.

00:17:21.199 --> 00:17:25.409
They only had that name and e-mail address that were used to open the account.

00:17:25.409 --> 00:17:29.330
All the transfers from cash to Liberty Reserve and Liberty dollars back to cash were done

00:17:29.330 --> 00:17:35.570
through these middlemen exchanges, and technically entirely outside of Liberty Reserve itself.

00:17:35.570 --> 00:17:40.470
All this is a complicated and technical way just to get clean cash that doesn’t have

00:17:40.470 --> 00:17:46.330
a criminal trail but it was working for Zain, and Raymond, and the Russian coders.

00:17:46.330 --> 00:17:50.730
Zain, back in London, received about 70% of the ransom payments.

00:17:50.730 --> 00:17:52.410
That was his cut from this operation.

00:17:52.410 --> 00:17:53.539
Pretty good.

00:17:53.539 --> 00:17:57.330
Money was rolling in nicely at this point and the more ads he bought on those porn sites,

00:17:57.330 --> 00:18:00.669
the more traffic he’d get to his websites which resulted in more people being

00:18:00.669 --> 00:18:04.440
hit with ransomware which meant more people paying to remove it.

00:18:04.440 --> 00:18:07.059
He was basically trading nickels for dimes.

00:18:07.059 --> 00:18:09.740
The plan was working.

00:18:09.740 --> 00:18:14.649
[MUSIC] He was still a student at City, University, living at home with his parents.

00:18:14.649 --> 00:18:17.019
He didn’t have any paid employment.

00:18:17.019 --> 00:18:21.600
He didn’t have any legitimate income but he was spending a lot of money that he was

00:18:21.600 --> 00:18:23.450
making through these scams.

00:18:23.450 --> 00:18:27.820
He bought a 5,000 British pound watch.

00:18:27.820 --> 00:18:30.340
He stayed in posh hotels and he partied with prostitutes.

00:18:30.340 --> 00:18:32.870
He was using drugs and gambling a lot.

00:18:32.870 --> 00:18:39.169
He was reported to have spent £70,000 in one London casino within a ten-month timeframe.

00:18:39.169 --> 00:18:43.360
I wonder what he was telling his friends and family where he was getting all this money

00:18:43.360 --> 00:18:44.740
from.

00:18:44.740 --> 00:18:48.380
But the whole malware-as-a-business supply chain is fascinating to me.

00:18:48.380 --> 00:18:52.679
You’ve got one team working to create the Angler exploit, and they’re arming it with

00:18:52.679 --> 00:18:56.730
the Reveton ransomware which was made by a completely different group of people, and

00:18:56.730 --> 00:19:00.460
then Zain is there deploying it to the world to infect as many people as he could.

00:19:00.460 --> 00:19:04.909
Then when the money comes in, Raymond over in Florida is laundering it and sending it

00:19:04.909 --> 00:19:05.909
back to Zain.

00:19:05.909 --> 00:19:10.100
It’s impressive how many things have to go on here for this operation to work.

00:19:10.100 --> 00:19:17.820
Around this time, police in Spain began receiving hundreds of complaints of ransomware viruses.

00:19:17.820 --> 00:19:20.350
A bunch of other people were investigating this, too.

00:19:20.350 --> 00:19:25.740
The Trend Micro eCrimes Unit, The European Cybercrime Centre at Europol, the Spanish

00:19:25.740 --> 00:19:30.450
police, and Interpol all coordinated to help each other try to figure out who was behind

00:19:30.450 --> 00:19:31.450
this.

00:19:31.450 --> 00:19:34.910
This information-sharing allowed them to build up a pretty good picture of how the gang network

00:19:34.910 --> 00:19:39.470
was structured, including how they did traffic redirection and set up their command and control

00:19:39.470 --> 00:19:40.480
servers.

00:19:40.480 --> 00:19:46.350
Under codename Operation Ransom, a twenty-seven-year-old Russian man was arrested in December 2012

00:19:46.350 --> 00:19:48.899
while he was on holiday, apparently, in Dubai.

00:19:48.899 --> 00:19:52.600
But it was discovered that he was the head of a Spanish gang.

00:19:52.600 --> 00:19:58.190
A few months later, ten other people were arrested during six raids in Málaga, Spain.

00:19:58.190 --> 00:20:03.270
But this group wasn’t the one Zain was connected to; this was the group responsible for making

00:20:03.270 --> 00:20:04.980
the Reveton ransomware.

00:20:04.980 --> 00:20:08.389
The police tracked them down, brought their whole operation to a crumble.

00:20:08.389 --> 00:20:12.169
Seven Russians, two Georgians, and two Ukrainians were arrested.

00:20:12.169 --> 00:20:16.059
Police were able to seize a lot of computers and equipment and credit cards that were used

00:20:16.059 --> 00:20:19.210
in all these ransomware attacks, and for laundering the money.

00:20:19.210 --> 00:20:23.950
The police believed this gang was collecting more than €1,000,000 a year.

00:20:23.950 --> 00:20:29.799
There were more than 1,200 reported cases of ransomware scams just in Spain since May

00:20:29.799 --> 00:20:31.710
2011.

00:20:31.710 --> 00:20:35.950
But while the group who created Reveton was arrested, the Reveton software itself was

00:20:35.950 --> 00:20:40.749
in the hands of criminals like Zain to keep infecting people with it, and use it.

00:20:40.749 --> 00:20:45.840
While this was a big success for the Spanish police to cut down on a lot of it, it didn’t

00:20:45.840 --> 00:20:49.649
affect Zain at all.

00:20:49.649 --> 00:20:58.650
[MUSIC] Three months later, in May 2013, the US government shut down Liberty Reserve.

00:20:58.650 --> 00:21:02.499
Suspected of laundering more than six billion dollars in criminal proceeds, it had been

00:21:02.499 --> 00:21:04.210
under investigation for a while.

00:21:04.210 --> 00:21:08.700
Its owner, Arthur Budovsky, was a shady character who had been dodging the law for years.

00:21:08.700 --> 00:21:13.570
In 2011 he was told he needed the appropriate license to be running a money-transmitting

00:21:13.570 --> 00:21:17.860
business, but when his application failed, he simply moved his business to Costa Rica.

00:21:17.860 --> 00:21:21.940
For two years, his operations were under police investigations with his funds being seized

00:21:21.940 --> 00:21:23.249
multiple times.

00:21:23.249 --> 00:21:27.919
By the end of 2013, Arthur was in custody, along with seven of his employees, and Liberty

00:21:27.919 --> 00:21:31.129
Reserve had been officially seized and shut down.

00:21:31.129 --> 00:21:35.830
PREET: Today we announce charges in what may be the largest international money laundering

00:21:35.830 --> 00:21:38.889
case ever brought by the United States.

00:21:38.889 --> 00:21:44.769
Specifically, we unseal charges against Liberty Reserve and seven of its principals and employees,

00:21:44.769 --> 00:21:49.249
who for years have operated one of the world’s most widely-used digital currencies.

00:21:49.249 --> 00:21:53.150
JACK: That’s Preet Bharara, the US attorney for New York.

00:21:53.150 --> 00:21:56.830
Liberty Reserve was a key part of the chain for Zain and Raymond, and the Russian crime

00:21:56.830 --> 00:21:58.200
group behind them.

00:21:58.200 --> 00:22:01.830
Without the ability to convert the ransom payments through Liberty Reserve, they were

00:22:01.830 --> 00:22:03.370
going to have a problem.

00:22:03.370 --> 00:22:09.549
PREET: Liberty Reserve was intentionally created and structured to facilitate criminal activity.

00:22:09.549 --> 00:22:12.100
It was essentially a black-market bank.

00:22:12.100 --> 00:22:15.379
JACK: When Liberty Reserve was taken down, everyone who had Liberty dollars in their

00:22:15.379 --> 00:22:18.309
accounts lost them immediately; the dollars just vanished.

00:22:18.309 --> 00:22:21.389
Those Liberty dollars were gone, no longer available.

00:22:21.389 --> 00:22:25.519
Whatever value they represented in cash had now been lost overnight.

00:22:25.519 --> 00:22:29.470
But now that the website was in the hands of the authorities, investigators started

00:22:29.470 --> 00:22:32.630
looking into who the users were for the site.

00:22:32.630 --> 00:22:39.029
[MUSIC] Zain kept doing this but it looks like this is where Raymond’s involvement

00:22:39.029 --> 00:22:40.370
came to an end.

00:22:40.370 --> 00:22:45.830
Raymond actually went on to secure a job as a network engineer at Microsoft and Microsoft

00:22:45.830 --> 00:22:49.720
had no knowledge of what Raymond was up to in the previous years.

00:22:49.720 --> 00:22:54.110
To continue, Zain simply switched to a different crypto-currency platform.

00:22:54.110 --> 00:22:58.200
The fall of Liberty Reserve highlighted his name to the investigating authorities and

00:22:58.200 --> 00:23:02.539
much of the profit-side of the scam was uncovered in the following years from Liberty

00:23:02.539 --> 00:23:03.539
data.

00:23:03.539 --> 00:23:07.940
The authorities had followed the strings and were piecing together exactly what Zain had

00:23:07.940 --> 00:23:09.559
been up to.

00:23:09.559 --> 00:23:15.279
As Zain continued to buy advert space, some advertising companies began getting suspicious

00:23:15.279 --> 00:23:16.279
of him.

00:23:16.279 --> 00:23:20.730
They would challenge him and question him, and what would Zain do in response?

00:23:20.730 --> 00:23:24.330
He tried to manipulate and even threaten the ad agencies.

00:23:24.330 --> 00:23:28.929
He told the director of one of the companies based in Canada, quote, “Really, it’s

00:23:28.929 --> 00:23:29.929
better if we work together.

00:23:29.929 --> 00:23:31.830
We can make some serious money together.

00:23:31.830 --> 00:23:33.950
It’s my way or no way.

00:23:33.950 --> 00:23:35.640
The K!NG is back.”

00:23:35.640 --> 00:23:36.640
End quote.

00:23:36.640 --> 00:23:39.530
When he didn’t get the response he wanted, he followed up with another threat.

00:23:39.530 --> 00:23:43.940
Quote, “I’ll first kill your server and then I’ll send child porn spam abuses to

00:23:43.940 --> 00:23:45.940
you.” End quote.

00:23:45.940 --> 00:23:51.289
Zain then launched a revenge distributed denial-of-service attack on these advertising sites that would

00:23:51.289 --> 00:23:52.499
host his ads.

00:23:52.499 --> 00:23:56.520
The purpose of the DDoS attack was to make the target’s website unavailable, essentially

00:23:56.520 --> 00:23:57.529
take it down.

00:23:57.529 --> 00:24:02.009
It overwhelmed that website and made it crash, making it unavailable for website users and

00:24:02.009 --> 00:24:03.980
therefore customers of the company.

00:24:03.980 --> 00:24:06.580
Zain used his methods of attack as revenge.

00:24:06.580 --> 00:24:08.429
It was simple retaliation.

00:24:08.429 --> 00:24:09.720
You question me?

00:24:09.720 --> 00:24:11.029
You don’t want to come on board with me?

00:24:11.029 --> 00:24:12.029
How dare you.

00:24:12.029 --> 00:24:13.029
I’ll make you pay.

00:24:13.029 --> 00:24:17.090
Zain wants to disrupt the business of those agencies and if he crashes the website, paying

00:24:17.090 --> 00:24:20.350
customers can’t go to them and use their website to purchase ad space.

00:24:20.350 --> 00:24:21.830
It’s the core of their business.

00:24:21.830 --> 00:24:26.289
The company was losing tons of money for every second that ads weren’t being served.

00:24:26.289 --> 00:24:29.940
Zain then launched more denial-of-service attacks against the websites that were questioning

00:24:29.940 --> 00:24:30.940
him.

00:24:30.940 --> 00:24:34.490
Again, these were against the advertising companies who tried to stop what he was doing.

00:24:34.490 --> 00:24:40.889
The DDoS attacks cost these businesses at least £500,000 in lost ads and incident response

00:24:40.889 --> 00:24:41.889
costs.

00:24:41.889 --> 00:24:46.049
One of the ad agencies getting hit with this attack reported Zain to the police.

00:24:46.049 --> 00:24:53.290
The police were dispatched to Zain’s home and arrested him in July 2014, but he was

00:24:53.290 --> 00:24:59.309
released a few days later with no charges because of the lack of evidence.

00:24:59.309 --> 00:25:04.509
Zain thought he outsmarted the police, but little did he know, the National Crime Agency’s

00:25:04.509 --> 00:25:07.799
Cyber Crime Unit were now investigating him fully.

00:25:07.799 --> 00:25:13.100
The fall of Liberty Reserve wasn’t the only event across Zain’s active ransomware period

00:25:13.100 --> 00:25:15.009
that interfered with his operations.

00:25:15.009 --> 00:25:20.799
In 2016, eighty-six raids in Russia arrested more than fifty individuals involved in the

00:25:20.799 --> 00:25:23.399
Lurk cyber-attack in Russian banks.

00:25:23.399 --> 00:25:28.279
Lurk was malware that mimicked the online banking app for Russia’s biggest bank, Sberbank.

00:25:28.279 --> 00:25:32.710
It’s estimated the gang behind Lurk stole forty-five million dollars from Russian financial

00:25:32.710 --> 00:25:35.549
institutions in just under two years.

00:25:35.549 --> 00:25:42.070
In mid-2016, Angler was at its peak use, estimated to be behind 40% of all exploit kit infections.

00:25:42.070 --> 00:25:45.690
By this time, Angler was being rented out by the crime group who owned it.

00:25:45.690 --> 00:25:49.331
Anyone willing to pay could get a version of it and use it however they wished.

00:25:49.331 --> 00:25:53.259
There were quite a few people using this Angler kit to conduct these ransomware attacks; Zain

00:25:53.259 --> 00:25:54.750
wasn’t the only one.

00:25:54.750 --> 00:25:59.320
This spread the kit around the globe and was being operated by hundreds of different hackers.

00:25:59.320 --> 00:26:00.940
The money it generated?

00:26:00.940 --> 00:26:05.269
Researchers at Cisco Talos believe the Angler ransomware was making around sixty million

00:26:05.269 --> 00:26:07.320
dollars a year for hackers.

00:26:07.320 --> 00:26:12.129
Cisco Talos research group looked into this a little further and found links between Angler

00:26:12.129 --> 00:26:13.129
and Lurk.

00:26:13.129 --> 00:26:17.700
It’s possible that in the crackdown of Lurk, they also caught some of the Angler hackers

00:26:17.700 --> 00:26:22.480
too, something that would have had an impact on the ransomware scam Zain was spearheading

00:26:22.480 --> 00:26:24.639
from the UK.

00:26:24.639 --> 00:26:30.960
[MUSIC] In early 2017, the National Crime Agency in the UK had collected enough evidence

00:26:30.960 --> 00:26:34.299
from the Liberty Reserve servers to build a case against Zain.

00:26:34.299 --> 00:26:37.710
The police once again went to Zain’s house and arrested him.

00:26:37.710 --> 00:26:41.890
Police seized Zain’s MacBook Pro and found logs, records, and data.

00:26:41.890 --> 00:26:47.299
This tied him to the scam and showed that he was working with the Russian creators of Angler.

00:26:47.299 --> 00:26:51.120
Over 3,000 chat logs and almost one million images were stored.

00:26:51.120 --> 00:26:54.570
The computer was encrypted and was running both Windows and Mac OS.

00:26:54.570 --> 00:26:59.009
Zain had created partitions with encrypted virtual machines, remote servers, and remote

00:26:59.009 --> 00:27:00.139
desktops.

00:27:00.139 --> 00:27:04.640
He hid things pretty well, but this was the NCA, and it’s 2017.

00:27:04.640 --> 00:27:09.770
They have a whole digital forensics team who can comb through everything to gather evidence.

00:27:09.770 --> 00:27:14.490
Part of Zain’s downfall was copies of the control dashboard that he was using.

00:27:14.490 --> 00:27:18.159
One of the cool things about Angler and Reveton was that it had these really cool dashboards

00:27:18.159 --> 00:27:21.470
that showed you how many infections there were, and where the infections were, and who

00:27:21.470 --> 00:27:23.460
paid, and all this stuff.

00:27:23.460 --> 00:27:27.140
This was present on his laptop and he was able to log into it.

00:27:27.140 --> 00:27:34.030
One screenshot showed that Zain had received $14,00 in ransom payments for just July of

00:27:34.030 --> 00:27:35.470
2014.

00:27:35.470 --> 00:27:39.230
Multiple financial accounts were found that linked Zain to using different crypto-currencies

00:27:39.230 --> 00:27:40.230
overseas.

00:27:40.230 --> 00:27:45.740
In February 2017 he was charged with blackmail, fraud, and computer misuse.

00:27:45.740 --> 00:27:50.419
When he was questioned by the police, Zain told them that he was not involved with the

00:27:50.419 --> 00:27:55.299
scam and he had been hacked, but the digital forensics team was able to disprove this by

00:27:55.299 --> 00:27:58.519
collecting data on his computer.

00:27:58.519 --> 00:28:03.470
The NCA have provided some example calculations to demonstrate just how big this

00:28:03.470 --> 00:28:04.740
operation was.

00:28:04.740 --> 00:28:09.070
They estimate that one malware infection advert showed on twenty-one million web browsers

00:28:09.070 --> 00:28:13.230
each month, with Angler being downloaded on approximately 16,000 computers.

00:28:13.230 --> 00:28:15.879
Remember, this is one advert in one month.

00:28:15.879 --> 00:28:21.370
From that, they estimated that 5%, so about 800 of these computers didn’t have up-to-date

00:28:21.370 --> 00:28:26.220
Antivirus, and Angler could exploit the holes in their systems and deploy the ransomware.

00:28:26.220 --> 00:28:27.470
How many individuals paid up?

00:28:27.470 --> 00:28:31.760
It’s almost impossible to know, but a few security research reports suggest that the

00:28:31.760 --> 00:28:36.169
average is that 40% of business ransomware victims do pay the ransom.

00:28:36.169 --> 00:28:37.860
Let’s do some math here.

00:28:37.860 --> 00:28:41.330
The individual people who were hit by the ransomware didn’t have IT departments to

00:28:41.330 --> 00:28:42.330
turn to.

00:28:42.330 --> 00:28:46.029
They didn’t have people on-hand to advise them if this was a scam or real.

00:28:46.029 --> 00:28:50.110
I doubt most people told anyone, and if they did, they’d have to say they were on a porn

00:28:50.110 --> 00:28:54.210
site when this came up, which is embarrassing, not something that many are gonna want to

00:28:54.210 --> 00:28:55.210
admit to.

00:28:55.210 --> 00:28:59.779
I think the percentage of individuals who paid up in this scam is way higher than 40%,

00:28:59.779 --> 00:29:04.539
but let’s go low; let’s say only 10% of the 800 users that were hit with the Reveton

00:29:04.539 --> 00:29:06.830
ransomware screen actually paid the ransom.

00:29:06.830 --> 00:29:10.370
That’s eighty victims paying up at $200 each.

00:29:10.370 --> 00:29:13.660
That makes Zain $16,000 a month.

00:29:13.660 --> 00:29:17.610
With multiple adverts running per month, you can multiply these figures considerably.

00:29:17.610 --> 00:29:20.460
But there were costs involved with this scam, though.

00:29:20.460 --> 00:29:21.519
It wasn’t all profit-making.

00:29:21.519 --> 00:29:25.480
Zain had to purchase the web traffic and bid for advert slots.

00:29:25.480 --> 00:29:29.870
Raymond had to be paid to launder the money, and he had to pay exchange fees and transfer

00:29:29.870 --> 00:29:30.870
fees.

00:29:30.870 --> 00:29:32.639
Of course, not all the profits went to Zain.

00:29:32.639 --> 00:29:34.909
The Russians would take some of the cut, too.

00:29:34.909 --> 00:29:39.649
The NCA had said across the five-year span of this operation, Zain moved at least five

00:29:39.649 --> 00:29:44.509
million dollars using multiple crypto-currency platforms and online accounts.

00:29:44.509 --> 00:29:53.090
His personal profits they say were almost $900,000 by the time of his arrest in 2017.

00:29:53.090 --> 00:30:00.710
[MUSIC] Meanwhile, in the Southern District Courts of Florida, in March 2018, Raymond

00:30:00.710 --> 00:30:04.500
was indicted and charged with conspiracy to commit money laundering.

00:30:04.500 --> 00:30:08.769
Raymond had been linked to the MoneyPak ransom payments and transfers through Liberty Reserve

00:30:08.769 --> 00:30:11.360
and his online username was Mike Roland.

00:30:11.360 --> 00:30:16.110
He was charged that between October 2012 and March 2013, he was involved in laundering

00:30:16.110 --> 00:30:19.470
the money obtained by the Reveton ransom scam.

00:30:19.470 --> 00:30:24.399
It was actually a failed transfer of $840 between two Liberty Reserve accounts that

00:30:24.399 --> 00:30:25.630
gave him away.

00:30:25.630 --> 00:30:30.940
Prosecutors estimated that in the span of one year, Raymond moved about $93,000 collected

00:30:30.940 --> 00:30:32.850
from these ransomware payments.

00:30:32.850 --> 00:30:35.090
Raymond went to court and was found guilty.

00:30:35.090 --> 00:30:40.910
The judge sentenced him to eighteen months in jail with three years supervised release.

00:30:40.910 --> 00:30:45.230
He accepted a plea deal to have one of these charges dropped.

00:30:45.230 --> 00:30:49.789
Microsoft somehow unwittingly found themselves dragged into this case after they employed

00:30:49.789 --> 00:30:54.039
Raymond, but unsurprisingly, they didn’t make any official comment on this.

00:30:54.039 --> 00:31:00.470
Zain’s trial in the UK was scheduled for February 2018 but it was cancelled when Zain

00:31:00.470 --> 00:31:02.760
was sectioned under the Mental Health Act.

00:31:02.760 --> 00:31:08.110
The details are unclear here; something like Zain had been put in a hospital in London

00:31:08.110 --> 00:31:09.239
for treatment.

00:31:09.239 --> 00:31:14.710
But while there, in hospital, digital forensics showed he was still conducting ransomware

00:31:14.710 --> 00:31:18.739
scams and laundering money using the hospital’s WiFi.

00:31:18.739 --> 00:31:22.139
He was arrested again and put back in jail.

00:31:22.139 --> 00:31:25.200
These further charges prompted a change in plea from Zain.

00:31:25.200 --> 00:31:29.070
He now pled guilty to eleven charges in total.

00:31:29.070 --> 00:31:33.529
Acquisition, use, or possession of criminal property, three counts of blackmail, three counts of

00:31:33.529 --> 00:31:38.570
fraud by false representation, and four counts of unauthorized acts with intent to impair

00:31:38.570 --> 00:31:43.840
the operations of a computer or creating risk of serious damage.

00:31:43.840 --> 00:31:50.559
On April 9th, 2019, Zain Qaiser was sentenced to six years and five months at the Kingston

00:31:50.559 --> 00:31:53.129
County Court.

00:31:53.129 --> 00:31:58.850
The judge told him that his case and his cyber-attacks were so extensive, there had not been a comparable

00:31:58.850 --> 00:32:01.970
case found.

00:32:01.970 --> 00:32:07.679
What Zain did could be classified as a common scam going around now called sextortion.

00:32:07.679 --> 00:32:09.139
These are growing in popularity.

00:32:09.139 --> 00:32:14.370
They’re so successful that criminals don’t even need to put ransomware on your computer.

00:32:14.370 --> 00:32:15.649
Sometimes an e-mail is good enough.

00:32:15.649 --> 00:32:20.289
I mean, imagine if you got an e-mail that said hey, I know you’ve been going to porn

00:32:20.289 --> 00:32:21.659
sites and I’m a hacker.

00:32:21.659 --> 00:32:24.480
I secretly recorded you masturbating over the web cam.

00:32:24.480 --> 00:32:28.769
Send me Bitcoin or I’m gonna tell your family and boss.

00:32:28.769 --> 00:32:30.330
E-mails like this are becoming common.

00:32:30.330 --> 00:32:34.739
I got one the other day and I traced it back to a guest blog post I wrote on a website

00:32:34.739 --> 00:32:35.739
a while back.

00:32:35.739 --> 00:32:38.139
It had my e-mail address posted there.

00:32:38.139 --> 00:32:42.619
These scammers scraped my e-mail off that website and sent me this e-mail expecting

00:32:42.619 --> 00:32:44.710
me to pay money.

00:32:44.710 --> 00:32:48.179
These e-mails are scary and it’s hard to ask for help or know what to do.

00:32:48.179 --> 00:32:53.600
I’m pretty sure most of them are scams, though, and some will try to show you proof

00:32:53.600 --> 00:32:58.450
by showing you your password but my Darknet Diaries listeners are savvy enough to know

00:32:58.450 --> 00:33:02.109
that there are tons of breaches going on all over the world and your password

00:33:02.109 --> 00:33:06.019
is probably out there on the darknet, along with your e-mail.

00:33:06.019 --> 00:33:09.409
Just having that really isn’t proof of anything.

00:33:09.409 --> 00:33:13.840
Without proof of anything that’s actually embarrassing or any evidence, what are they

00:33:13.840 --> 00:33:15.610
really holding ransom?

00:33:15.610 --> 00:33:18.149
Zain could have used his skills for good.

00:33:18.149 --> 00:33:19.980
He could have been a white hat hacker.

00:33:19.980 --> 00:33:23.460
He was obviously very technically skilled and good at advertising.

00:33:23.460 --> 00:33:26.779
He could have defended companies against threats and hacks like this.

00:33:26.779 --> 00:33:31.190
He could have had a respectable career, but instead he chose this route.

00:33:31.190 --> 00:33:35.220
He allowed his greed and ego to grow with him which led him straight to the arms of

00:33:35.220 --> 00:33:37.850
the NCA and FBI.

00:33:37.850 --> 00:33:41.749
Although he’ll most likely get out of jail in three years, he will probably have a hard

00:33:41.749 --> 00:33:44.019
time landing a good job after that.

00:33:44.019 --> 00:33:48.529
If Zain is released from prison in three years’ time, he’ll be twenty-seven years old then.

00:33:48.529 --> 00:33:54.100
He’ll have blackmail, fraud, money laundering, distribution of ransomware, and hacker as

00:33:54.100 --> 00:33:59.340
labels that will follow him from now on, all for a few years of free money.

00:33:59.340 --> 00:34:01.419
Was it worth it?

00:34:01.419 --> 00:34:04.070
Only Zain can answer that.

00:34:04.070 --> 00:34:10.980
JACK (OUTRO): [OUTRO MUSIC] You’ve been listening to Darknet Diaries.

00:34:10.980 --> 00:34:15.850
Hey, if you didn’t notice by now, this show has a whole new logo, new artwork, new website,

00:34:15.850 --> 00:34:16.850
everything.

00:34:16.850 --> 00:34:18.230
Check it out at darknetdiaries.com.

00:34:18.230 --> 00:34:21.990
If you head over there, you can also buy shirts and stickers if that’s your sort of thing,

00:34:21.990 --> 00:34:24.570
and I hope that is your sort of thing.

00:34:24.570 --> 00:34:28.820
This episode was created by me, the zettabyte man, Jack Rhysider.

00:34:28.820 --> 00:34:33.410
Research and writing help for this episode was by Fiona Guy; editing by the dark-haired Damienne,

00:34:33.410 --> 00:34:37.300
and the theme music was created by the trebly-talented Breakmaster Cylinder.

00:34:37.300 --> 00:34:38.040
See you.
