WEBVTT

00:00:00.000 --> 00:00:05.080
JACK: When I was in college I had some interests, and among them were gambling and programming.

00:00:05.080 --> 00:00:10.200
Specifically I liked craps, where you throw the dice, and the Perl programming language. Now,

00:00:10.200 --> 00:00:14.360
the thing about craps is that there are so many different kinds of bets you can do. It’s a little

00:00:14.360 --> 00:00:19.400
dizzying how much there is, so I decided to make a little program that rolls the dice thousands,

00:00:19.400 --> 00:00:25.920
millions of times to try to simulate the game to find an effective betting strategy. [MUSIC] First,

00:00:25.920 --> 00:00:29.960
I tried the typical betting strategy; putting money on the Pass Line, placing odds, and then

00:00:29.960 --> 00:00:36.280
rolling the dice. After 100,000 rolls, the game showed that I had a massive amount of debt,

00:00:36.280 --> 00:00:41.480
definitely not a good strategy for the long run. So, then I tried placing money right on numbers,

00:00:41.480 --> 00:00:45.640
betting on the Come Line, the Field, all the things. None had a positive

00:00:45.640 --> 00:00:50.280
result. All put me in debt, which is expected, right? The house always wins.

00:00:50.280 --> 00:00:55.120
The game is designed that way. There’s no way around it. But maybe there was.

00:00:55.120 --> 00:00:59.200
I mean, the game of craps was invented in the 1700s, and they didn’t have a computer

00:00:59.200 --> 00:01:03.040
to simulate all the possible betting variations to see if one would work,

00:01:03.040 --> 00:01:09.040
right? So, perhaps my little program could discover some surefire betting strategy,

00:01:09.040 --> 00:01:15.360
one where the player always wins in the long run. So, I kept trying night after night,

00:01:15.360 --> 00:01:20.560
running new betting simulations and algorithms and trying to find something. Eventually,

00:01:20.560 --> 00:01:26.920
I tried playing around with Buy bets. Buying the two or ten will result in double your money if it

00:01:26.920 --> 00:01:33.840
hits, and I ran this simulation 100,000 times, and guess what? The program showed I’d made a positive

00:01:33.840 --> 00:01:40.160
amount of money. What? I ran it again and again, and it showed the betting strategy was working.

00:01:40.160 --> 00:01:46.520
This was a surefire way to make money in craps in the long-term. So, I immediately went online

00:01:46.520 --> 00:01:51.680
and I found an online casino, and I opened an account and began betting this strategy.

00:01:51.680 --> 00:01:58.160
But it wasn’t winning; I was losing money, and I noticed something. I forgot to calculate the vig.

00:01:58.160 --> 00:02:04.080
When you place this bet, the house charges you 5% to buy it. I didn’t know that, so my program was

00:02:04.080 --> 00:02:11.480
wrong and gave me wrong results. But this made me think hold on, there are a lot of rules in craps.

00:02:11.480 --> 00:02:16.960
Surely one of these online casinos screwed up the logic of the rules and has an error. I mean,

00:02:16.960 --> 00:02:21.080
it’s just a human who programmed it, and how much could they possibly know about craps to

00:02:21.080 --> 00:02:26.400
program it effectively? So, I started opening account after account on all these different

00:02:26.400 --> 00:02:32.720
online casinos and looking at the craps games to see if they followed the rules, and yeah,

00:02:32.720 --> 00:02:37.680
every one of them did follow the rules, [INTRO MUSIC] and I never found a way to make money

00:02:37.680 --> 00:02:47.260
on craps. My interest in gambling sort of dried up after that, but man, I sure tried.

00:02:47.260 --> 00:02:52.000
(INTRO): These are true stories from the dark side

00:02:52.000 --> 00:03:15.234
of the internet. I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS]

00:03:15.234 --> 00:03:19.320
JACK: So, a while back, I did Episode 112. It’s called Dirty Coms, which does

00:03:19.320 --> 00:03:24.320
a little peek behind the curtain on who’s doing SIM-swapping today and how they’re doing it,

00:03:24.320 --> 00:03:27.800
and you should probably listen to that one first before this one, but you don’t need to. One of

00:03:27.800 --> 00:03:32.760
the people I mention in that episode who was doing this was Joseph Harris. Well, after the

00:03:32.760 --> 00:03:38.120
episode aired, Joseph reached out to me and told me I got some of the parts wrong about him. So,

00:03:38.120 --> 00:03:42.760
I went back and just deleted all mentions of him altogether, because it turns out in my research,

00:03:42.760 --> 00:03:46.720
I didn’t realize there were two different Joseph Harrises and I was getting one mixed up with the

00:03:46.720 --> 00:03:51.920
other, and ugh, it was a problem. But while I was clearing things up with him, I asked him hey,

00:03:51.920 --> 00:03:57.280
you’ve got quite the story. Do you want to come on the show and tell us? He said yes.

00:03:57.280 --> 00:04:01.560
JOSEPH: Where would you like to start? I could go all the way back how I kinda got into hacking

00:04:01.560 --> 00:04:06.780
or I could start right at the tail end of it, where it all started with the big hack.

00:04:06.780 --> 00:04:13.600
JACK: Yeah, so, how’d you get into it? This is my guess;

00:04:13.600 --> 00:04:18.640
video games. You decided to figure out some sort of cheat or hack into them,

00:04:18.640 --> 00:04:23.180
and – or a way to manipulate it in a way that it shouldn’t be, and then that just kept going.

00:04:23.180 --> 00:04:25.560
JOSEPH: That’s pretty accurate. So,

00:04:25.560 --> 00:04:29.600
I’m not sure if you’ve heard of a small little game called RuneScape or Club Penguin.

00:04:29.600 --> 00:04:33.480
JACK: These are some online multiplayer games he was playing when he was eleven and twelve

00:04:33.480 --> 00:04:38.840
years old. As you play any online multiplayer game, you start to see how some people have

00:04:38.840 --> 00:04:43.480
some really cool accounts. Either they’re a high level or they have hard-to-get items;

00:04:43.480 --> 00:04:48.000
it’s just rare stuff that’s sought after. Eventually, Joseph learned that there’s a

00:04:48.000 --> 00:04:54.800
whole secondary market for these accounts. Some video game accounts were selling for $500 to

00:04:54.800 --> 00:05:01.040
$1,000 US dollars, real money, which was a lot back then for a twelve-year-old. He

00:05:01.040 --> 00:05:05.800
dabbled in trying to manipulate the game to try to get some free items and that sort of worked,

00:05:05.800 --> 00:05:11.680
but he thought hm, maybe there’s just a way to take over someone else’s account and sell it.

00:05:11.680 --> 00:05:16.480
JOSEPH: So, originally, I started kind of as a social engineer finding out ways

00:05:16.480 --> 00:05:21.800
to dox these accounts and then trick the e-mail providers into resetting their Yahoo, their AOL,

00:05:21.800 --> 00:05:25.380
whatever their provider was, and then just take the accounts and then sell them for money.

00:05:25.380 --> 00:05:30.560
JACK: He’d dox the player to take over their account. Okay, let’s look at this. [MUSIC] What

00:05:30.560 --> 00:05:35.440
he means by dox here is he wanted to know what their name and e-mail address was that

00:05:35.440 --> 00:05:40.760
was connected to their in-game account. He might figure this out by asking people in the game hey,

00:05:40.760 --> 00:05:44.320
I have this really cool thing I want to show you; can I e-mail it to you? Or something

00:05:44.320 --> 00:05:49.240
to tease out this information from someone. Once he knew their e-mail address and name,

00:05:49.240 --> 00:05:53.600
he could start looking them up online to try to find where they lived. Then

00:05:53.600 --> 00:05:59.480
he tried to call up their e-mail provider to try to convince them that it’s his account.

00:05:59.480 --> 00:06:04.360
JOSEPH: AOL, for example, they’d reset passwords with your – they’d ask hey, what’s your first

00:06:04.360 --> 00:06:08.440
name, last name? You’d tell them that, which – that’s not pretty hard to give, and then

00:06:08.440 --> 00:06:12.520
they would ask what’s your security question? You didn’t need to know that because afterwards they’d

00:06:12.520 --> 00:06:16.200
ask okay, what’s your address? You would only have to provide them a correct zip code and they’d

00:06:16.200 --> 00:06:21.480
straight-up reset the password for you. So, it was a lot easier back then, but essentially, all you

00:06:21.480 --> 00:06:25.460
need to know is someone’s name and address and you can completely take over their AOL account.

00:06:25.460 --> 00:06:30.640
JACK: So, that’s what he was doing when he was twelve, trying to social engineer the

00:06:30.640 --> 00:06:34.680
e-mail providers to reset the password so he could get access to that e-mail

00:06:34.680 --> 00:06:38.760
account. What’s little Joseph do once he gets into someone’s e-mail account? Well,

00:06:38.760 --> 00:06:43.760
he resets the password for their RuneScape or Club Penguin account so that he could

00:06:43.760 --> 00:06:48.240
get access to that in-game player’s account. Then he’d change the e-mail

00:06:48.240 --> 00:06:52.160
address associated with it and sell it. What was your highest one that you sold?

00:06:52.160 --> 00:06:59.080
JOSEPH: I think I sold – my highest was $1,500 I sold for this one account,

00:06:59.080 --> 00:07:04.040
and that was the highest amount I just sold for all at once and got $1,500 from it.

00:07:04.040 --> 00:07:06.720
JACK: What was that for? RuneScape?

00:07:06.720 --> 00:07:10.120
JOSEPH: That was actually for Club Penguin, but RuneScape I had some pretty big sales,

00:07:10.120 --> 00:07:16.120
too. But I would sell the gold, so I would get a couple hundred if I had a decent amount of gold,

00:07:16.120 --> 00:07:19.600
or I would just – it wasn’t like an individual sale at once. It would be a slow,

00:07:19.600 --> 00:07:25.080
gradual sale for the RuneScape stuff. But the Club Penguin was the $1,500. Like,

00:07:25.080 --> 00:07:28.000
closing deal, just one account, sold it for $1,500.

00:07:28.000 --> 00:07:35.640
JACK: Hm, just hearing that alone makes me pause because in this scenario, we don’t have a hacker

00:07:35.640 --> 00:07:41.320
trying to break into some corporation. We have a pretty clever social engineer trying to hack

00:07:41.320 --> 00:07:47.520
their way into your e-mail account. When the crosshairs are pointed at just regular people,

00:07:47.520 --> 00:07:53.520
individuals like you and me, suddenly it feels like the wind changes and the air gets colder.

00:07:53.520 --> 00:07:59.440
I mean, are your accounts secured to the point that it would withstand this? Imagine if someone

00:07:59.440 --> 00:08:05.040
wanted to get into your e-mail account and called Google or Yahoo to pretend to be you and tried to

00:08:05.040 --> 00:08:11.800
get your account reset. You think your defenses will hold, right? I mean, we seem to be putting

00:08:11.800 --> 00:08:16.520
a lot of trust into the person who works at the e-mail provider, that they aren’t susceptible to

00:08:16.520 --> 00:08:21.960
social engineering attacks in this scenario, and it all comes down to that, I guess. [MUSIC] But

00:08:21.960 --> 00:08:27.320
it sounds like they are vulnerable to this kind of attack. Now, all this happened a while back,

00:08:27.320 --> 00:08:30.920
like ten years ago, and since then, e-mail providers have made it harder for people to

00:08:30.920 --> 00:08:34.920
reset their passwords this way. I mean, there’s two-factor authentication now and secondary

00:08:34.920 --> 00:08:39.720
passwords, and all this was added because it was getting abused by people like Joseph.

00:08:39.720 --> 00:08:45.000
JOSEPH: I start transitioning to these original usernames. Like, for example,

00:08:45.000 --> 00:08:49.200
say I had – wanted Doc on Xbox. That might be worth some money because it’s short,

00:08:49.200 --> 00:08:53.520
or if I got the name Game or something, Elite, something like that, that’s worth

00:08:53.520 --> 00:08:57.520
money and there’s a larger community based around it, and there’s most – multiple sites

00:08:57.520 --> 00:09:03.400
where people want these OG usernames. So, I start – Club Penguin, I was kinda over

00:09:03.400 --> 00:09:08.520
it. It wasn’t making as much money because I had taken as many accounts as I could, really, so I

00:09:08.520 --> 00:09:12.760
started – and there was a bigger community around these things, so I started morphing to these OGs,

00:09:12.760 --> 00:09:18.040
and suddenly I learn about Bitcoin, be – and I think Bitcoin, wow, this is great. This is like,

00:09:18.040 --> 00:09:23.960
2012, 2013. I’m like, this is great because before with PayPal, sometimes people would reverse on me,

00:09:23.960 --> 00:09:29.200
or sometimes I’d have people calling up PayPal getting their money back. But in this case,

00:09:29.200 --> 00:09:34.560
Bitcoin was peer-to-peer. Someone could send me money; they can’t take it back, so I love the idea

00:09:34.560 --> 00:09:40.840
of crypto and Bitcoin. That’s essentially how I got into it, but then I started realizing okay,

00:09:40.840 --> 00:09:46.760
why don’t I start going after these people that actually might have Bitcoin and stuff like that?

00:09:46.760 --> 00:09:52.360
That’s when I kinda – it wasn’t just me having this idea, but that’s where the whole Bitcoin idea

00:09:52.360 --> 00:09:58.800
– because once you get the money, you get to keep it, essentially. So, then I start transitioning

00:09:58.800 --> 00:10:05.746
from OG usernames to oh wow, why don’t I just take e-mails of people that have Bitcoin?

00:10:05.746 --> 00:10:10.520
JACK: [MUSIC] Oh, whoa, this is so much more serious. Taking someone’s video game

00:10:10.520 --> 00:10:15.520
account is one thing, but trying to steal their Bitcoin? That’s taking this to a new

00:10:15.520 --> 00:10:20.560
level. It’s straight-up robbing them at this point. He already had all the skills

00:10:20.560 --> 00:10:25.240
he needed to do this. He’d start by looking for people posting about Bitcoin and then try

00:10:25.240 --> 00:10:29.160
to figure out what their e-mail was, perhaps phishing them if he couldn’t figure it out,

00:10:29.160 --> 00:10:32.960
and then he’d learn what their name and address was, and he’d try to call up the e-mail provider

00:10:32.960 --> 00:10:38.120
to trick them into resetting the password for him. From there, he was rooting around their e-mails,

00:10:38.120 --> 00:10:43.920
looking for anything related to Bitcoin that he could steal. But the problem was,

00:10:43.920 --> 00:10:49.720
he wasn’t finding anyone good to target. He’d find people who had Bitcoin, but they didn’t

00:10:49.720 --> 00:10:54.320
have money on an exchange, or he couldn’t get into their e-mail. He needed some help.

00:10:54.320 --> 00:10:57.386
JOSEPH: Someone had found a GMX vulnerability.

00:10:57.386 --> 00:11:01.480
JACK: [MUSIC] GMX is an e-mail service based in Germany, and what he had was

00:11:01.480 --> 00:11:07.520
a vulnerability that let him take over any e-mail address that he wanted at GMX. Well,

00:11:07.520 --> 00:11:11.840
this was great for Joseph. It made the process so much easier. Now he didn’t have to call anyone

00:11:11.840 --> 00:11:16.560
to get it reset; he could do it all himself. Now, this vulnerability is somewhat interesting, so let

00:11:16.560 --> 00:11:23.000
me explain to you how it works. Essentially, it’s session manipulation. You needed two GMX accounts,

00:11:23.000 --> 00:11:27.600
one that’s brand-new that you can log into, and then the target account that you want to log

00:11:27.600 --> 00:11:33.800
into. So, you start by logging into your own account, then open a new browser, go to GMX,

00:11:33.800 --> 00:11:37.840
and say you want to reset the password on your target account. But just before clicking the

00:11:37.840 --> 00:11:43.480
reset button, you need to put an active session that you have on your other account into this

00:11:43.480 --> 00:11:49.520
browser to make it look like you’re already logged in. Now when you click reset password,

00:11:49.520 --> 00:11:55.480
it sees that you have an already logged-in session and it just lets you reset the password. This was

00:11:55.480 --> 00:12:01.040
a pretty serious vulnerability on GMX. Imagine just being able to take over anyone’s account you

00:12:01.040 --> 00:12:08.800
wanted. He tested it and it worked, and so now he was on the hunt to find GMX users who had Bitcoin.

00:12:08.800 --> 00:12:11.560
JOSEPH: I didn’t know how to target these people or who to really go for,

00:12:11.560 --> 00:12:16.020
so I was just using Google and typing in like, keywords ‘Bitcoin’ and ‘GMX’.

00:12:16.020 --> 00:12:20.520
JACK: With a few Google searches, he started seeing people talk about Bitcoin on forums

00:12:20.520 --> 00:12:24.560
that had GMX e-mail addresses, so he’d use this vulnerability,

00:12:24.560 --> 00:12:29.440
get into that person’s e-mail account, and start looking for anything Bitcoin-related.

00:12:29.440 --> 00:12:34.000
But over and over when he did this, he just wasn’t finding anything,

00:12:34.000 --> 00:12:38.160
until one day he does find someone who has an account on a Bitcoin exchange.

00:12:38.160 --> 00:12:43.280
JOSEPH: I got into their blockchain wallet and I remember seeing like, twenty, twenty-five Bitcoin,

00:12:43.280 --> 00:12:48.440
which at the time was like, 5k and I was freaking out because 5k was a lot of money. I was seventeen

00:12:48.440 --> 00:12:53.280
at the time. But he had a secondary backup phrase, so I couldn’t actually withdraw the

00:12:53.280 --> 00:12:57.180
money. So I was basically just sitting on this account and couldn’t withdraw any of the money.

00:12:57.180 --> 00:13:01.800
JACK: Ah, so close. A secondary passphrase was used which screwed him up, but this

00:13:01.800 --> 00:13:06.640
was close enough that he knew he was on the right path. He just needed to keep looking,

00:13:06.640 --> 00:13:08.960
and eventually he was going to find some money.

00:13:08.960 --> 00:13:14.200
JOSEPH: Okay, so there was this site called Cryptsy which was an altcoin trading website

00:13:14.200 --> 00:13:18.560
back in 2013 through like – I think they actually got seized because the guy scammed

00:13:18.560 --> 00:13:22.600
out or something. There was a legal case with it, actually. I think he took all the

00:13:22.600 --> 00:13:27.360
people’s money. But that’s a different story. But essentially, it used to be a very popular altcoin

00:13:27.360 --> 00:13:32.880
trading platform. I got into someone’s Cryptsy account and they had $1,000 in – I don’t even

00:13:32.880 --> 00:13:37.080
remember what altcoin it was. It’s definitely not one that’s around today. But they had that;

00:13:37.080 --> 00:13:42.280
I exchanged it for Bitcoin, and then I exchanged that Bitcoin for PayPal.

00:13:42.280 --> 00:13:49.600
JACK: That was his first crypto-heist; $1,000. The way he would get the Bitcoin into his PayPal

00:13:49.600 --> 00:13:54.440
wallet was using LocalBitcoins. This is a site where you could just connect with another person

00:13:54.440 --> 00:13:58.440
on the internet who wants to trade Bitcoin with you. In this case, he found someone who

00:13:58.440 --> 00:14:03.013
he could send Bitcoin to, and they would send him money through PayPal. It worked.

00:14:03.013 --> 00:14:09.560
JOSEPH: It’s like a natural high. I could compare it to a feeling of a drug feeling. It was a rush

00:14:09.560 --> 00:14:16.360
for sure. This is still 2014. I’m still under eighteen, I’m still kind of a new person to

00:14:16.360 --> 00:14:22.160
these things. After that, I didn’t have much success with it. I was actually making more

00:14:22.160 --> 00:14:27.360
money selling these usernames still. So, my focus still wasn’t like oh, crypto’s an easy way to get

00:14:27.360 --> 00:14:32.400
rich yet. It was still like hey, you know, that’s cool; there’s a chance you can do stuff with it,

00:14:32.400 --> 00:14:37.666
but I was still looking at these usernames. But then in 2015, that sort of changed a bit.

00:14:37.666 --> 00:14:42.600
JACK: [MUSIC] A major event happened that would turn out to be a gold mine for Joseph. The website

00:14:42.600 --> 00:14:50.560
BTCE had suffered a data breach. BTCE is a crypto exchange. You could go there and buy Bitcoin,

00:14:50.560 --> 00:14:55.480
sell Bitcoin and a bunch of other types of cryptocurrency, too. Well, in 2015,

00:14:55.480 --> 00:15:01.720
their user database was stolen by someone. No money was stolen, just the user details, and

00:15:01.720 --> 00:15:07.400
this included the username, the password hash, the address, and how much Bitcoin was in their wallet.

00:15:07.400 --> 00:15:10.240
JOSEPH: I knew some people that I’m not sure if you’ve heard of them; Lizard Squad.

00:15:10.240 --> 00:15:10.800
JACK: Yeah.

00:15:10.800 --> 00:15:16.760
JOSEPH: But they had access to the database. In 2015, one of their members hit me up and

00:15:16.760 --> 00:15:20.520
started asking me if I could help them get into these accounts, because I was very

00:15:20.520 --> 00:15:25.920
good with AOL and Yahoo still. I still could social engineer into them pretty well. So,

00:15:25.920 --> 00:15:33.080
they started listing me off these Bitcoin e-mails on – they were on BTCE that – with – and also,

00:15:33.080 --> 00:15:38.800
the thing about BTCE, it showed their balance. So, they could link me people with 100,000 Bitcoin

00:15:38.800 --> 00:15:42.420
and essentially, I’d have their e-mail; I’d just try to break into their e-mail.

00:15:42.420 --> 00:15:48.200
JACK: Now, keep in mind, he didn’t have access to this BTCE database dump. That

00:15:48.200 --> 00:15:52.000
would have been like the motherlode to him. But he was happy to work with the

00:15:52.000 --> 00:15:57.300
people who did have access to it to try to steal Bitcoin from the specific users they gave him.

00:15:57.300 --> 00:16:01.640
JOSEPH: My first one that I got for them was this Yahoo. It was one of the bigger ones on

00:16:01.640 --> 00:16:09.080
the list and it had six figures in crypto in it. At the time, it was probably thousands of

00:16:09.080 --> 00:16:14.560
Bitcoin because Bitcoin’s a lot lower, but it had six figures in it. I got into the Yahoo,

00:16:14.560 --> 00:16:20.680
I reset the BTCE, and there was another PIN code. It’s basically, you have to enter this passcode to

00:16:20.680 --> 00:16:25.520
access the funds. I don’t know the passcode, so I pass it to my friend who gave me it,

00:16:25.520 --> 00:16:30.400
and he says he’s gonna send the fake ID. I’m not sure what happened after that.

00:16:30.400 --> 00:16:34.280
JACK: When he handed it over, the person he was working with said they lost access

00:16:34.280 --> 00:16:38.520
to that account and didn’t get any money from it. Joseph just wasn’t sure if that

00:16:38.520 --> 00:16:42.920
was true or they were just saying that so they wouldn’t have to pay him his cut of

00:16:42.920 --> 00:16:47.800
the stolen funds. But the person who had the BTC database kept working with Joseph,

00:16:47.800 --> 00:16:52.100
giving him one or two accounts at a time to see if he could actually steal Bitcoin from them.

00:16:52.100 --> 00:16:57.720
JOSEPH: But it was – at the time, I think I made $10,000 to $20,000. It wasn’t like a – I mean,

00:16:57.720 --> 00:17:04.480
Bitcoin was a lot lower at the time, but still, it was about $10,000 to $20,000 from BTCE stuff.

00:17:04.480 --> 00:17:10.320
JACK: That was going alright, but he was only getting a trickle of targets from this list. He

00:17:10.320 --> 00:17:15.040
definitely wanted his hands on the whole database so he could just go hog wild in there. I mean,

00:17:15.040 --> 00:17:19.720
a database full of usernames, e-mail addresses, and how much crypto they had would have been

00:17:19.720 --> 00:17:24.200
golden for Joseph, the guy who’s been getting into e-mail accounts for years. But he couldn’t

00:17:24.200 --> 00:17:29.160
get his hands on the database, [MUSIC] so he went back to stealing usernames from people.

00:17:29.160 --> 00:17:32.200
JOSEPH: Think about Twitter, Instagram, stuff like that.

00:17:32.200 --> 00:17:36.560
JACK: He’d get into the e-mail associated with their account and reset their Twitter password,

00:17:36.560 --> 00:17:40.600
and then get into those accounts and sell those to other people. He was definitely

00:17:40.600 --> 00:17:44.760
playing hard in this account market too, becoming well-known for having

00:17:44.760 --> 00:17:51.620
some pretty incredible accounts. You have so much stuff going on.

00:17:51.620 --> 00:17:59.240
JOSEPH: Oh, yeah. Yeah, it’s – I mean, this – it starts in 2010 where I’m social engineering stuff,

00:17:59.240 --> 00:18:02.380
and it goes all the way to 2018. That’s an eight-year kinda thing.

00:18:02.380 --> 00:18:05.520
JACK: We’re about halfway through this spree of his,

00:18:05.520 --> 00:18:09.480
so stay with us because we’re gonna take a quick break, but when we come back,

00:18:09.480 --> 00:18:27.672
everything goes off the rails. So, I mean, what’s your moral compass like at this point?

00:18:27.672 --> 00:18:29.260
JOSEPH: Well, nowadays it’s…

00:18:29.260 --> 00:18:32.130
JACK: Not now; I’m talking about when, where…

00:18:32.130 --> 00:18:32.154
JOSEPH: Oh, at the time?

00:18:32.154 --> 00:18:34.200
JACK: Yeah, when you were doing BTCE kinda stuff.

00:18:34.200 --> 00:18:39.880
JOSEPH: It sort of kinda of got into the natural order of what — who cares; it’s online. It’s sort

00:18:39.880 --> 00:18:45.600
of like, when I’m doing these acts online, I don’t feel guilty at all. I remember in the early days I

00:18:45.600 --> 00:18:51.320
kinda felt guilty about it, but you know, you’re looking behind a computer screen. I would never

00:18:51.320 --> 00:18:55.680
be able to rob someone at gunpoint with a gun, but I’m looking behind a computer screen. I don’t

00:18:55.680 --> 00:19:00.600
see who I’m hurting. I mean, now I can obviously see it’s wrong, but back then I honestly didn’t

00:19:00.600 --> 00:19:05.440
really have a moral compass. I was willing to go the lengths to get these people’s accounts,

00:19:05.440 --> 00:19:09.760
and I didn’t feel guilty about it. I’m not staring them in the face. I’m just essentially

00:19:09.760 --> 00:19:15.440
able to take these accounts, and I’m not sweating about it. I sleep fine at night. I’m taking money

00:19:15.440 --> 00:19:20.520
and it’s – the last thing on my mind is oh, I should feel bad about that. It’s a terrible

00:19:20.520 --> 00:19:25.280
mindset to have looking back at it, but I was – that was my mindset at the time. There wasn’t

00:19:25.280 --> 00:19:30.280
really a solid moral compass when it came to my online activities. I never swatted people;

00:19:30.280 --> 00:19:35.280
that was a moral compass for me where – because I always thought people could get hurt if someone

00:19:35.280 --> 00:19:41.120
did that, so I never did anything physically to possibly put someone in danger. But when it

00:19:41.120 --> 00:19:46.340
came to taking people’s e-mails or doing stuff to people online, there was really no moral compass.

00:19:46.340 --> 00:19:49.080
JACK: Oh, interesting. So,

00:19:49.080 --> 00:19:53.708
physically hurting anyone was the line. You’re like, I’m not going past that.

00:19:53.708 --> 00:19:53.720
JOSEPH: Yes.

00:19:53.720 --> 00:19:56.640
JACK: There was a lot of swatting going on. The circles you were in,

00:19:56.640 --> 00:19:58.992
people were swatting like crazy because that’s just…

00:19:58.992 --> 00:20:00.440
JOSEPH: Right, and I have been swatted a few times,

00:20:00.440 --> 00:20:04.720
and I just – I always heard stories about people dying over swatting, and honestly,

00:20:04.720 --> 00:20:09.400
that was my limit. I don’t want anyone getting hurt because of one of my actions.

00:20:09.400 --> 00:20:10.540
JACK: Wait, you got swatted?

00:20:10.540 --> 00:20:16.640
JOSEPH: Oh, yeah. Definitely around that time. I got a Skype message and the person said hey, you

00:20:16.640 --> 00:20:21.880
have @darkness on Twitter. You’re gonna give it to me or I’m gonna swat you. I basically just said

00:20:21.880 --> 00:20:27.240
no, I’m not gonna do that, absolutely not, playing the tough guy attitude. Said okay, you’re gonna

00:20:27.240 --> 00:20:32.880
get swatted. So, I’m a little on edge. They posted my address; I know they have the capability.

00:20:32.880 --> 00:20:36.520
JACK: How do you think they got your address?

00:20:36.520 --> 00:20:41.800
JOSEPH: Well, I mean, I used to register domain names, so I might have not always had the best

00:20:41.800 --> 00:20:46.920
opsec. I obviously didn’t in some cases when I was younger, and if they can find an old domain

00:20:46.920 --> 00:20:52.040
I registered when I was fourteen, fifteen, they – my address was public on those at the time.

00:20:52.040 --> 00:20:59.760
So basically, yeah, I hear – I – expecting it. I hear banging on the door and then I rush up

00:20:59.760 --> 00:21:04.840
from the basement all the way there. Then my mom says go downstairs; you need to hide down there.

00:21:04.840 --> 00:21:09.920
I said no, the – this is the police. Her facial expression changed ‘cause she thought we were

00:21:09.920 --> 00:21:14.920
getting robbed or something. But she’s like, okay. I’m like, we just need to go out. So,

00:21:14.920 --> 00:21:19.920
we go out. It’s the swat team. They line us up against the house, pointing guns at our back,

00:21:19.920 --> 00:21:24.240
and then eventually they realize there was no hostage. Apparently I had – according to

00:21:24.240 --> 00:21:29.200
the swatter, I had killed my sister, which I don’t even have a sister or any siblings,

00:21:29.200 --> 00:21:33.200
amongst other things, and that I would shoot any police officer that would come in the door. So,

00:21:33.200 --> 00:21:38.320
they obviously realized that was a false flag, and I basically just said someone

00:21:38.320 --> 00:21:43.840
online wanted my username. They’re like oh, okay, and they just left after that.

00:21:43.840 --> 00:21:50.960
JACK: I mean, at some point, your parents have to, I don’t know, notice something,

00:21:50.960 --> 00:21:54.840
right? Like okay, so there’s swatting going on, you’ve got some strange amount of money. Like,

00:21:54.840 --> 00:21:57.340
what are you spending this money on? Is it noticeable by your parents?

00:21:57.340 --> 00:22:03.400
JOSEPH: No. My money – I more just saved it, had in my PayPal. Yeah, I’d buy stuff like

00:22:03.400 --> 00:22:11.160
video games or card – cards and stuff like that, but I wasn’t going out buying the new designer

00:22:11.160 --> 00:22:16.860
outfit or anything like that. So, it wasn’t very noticeable to my parents that I had money.

00:22:16.860 --> 00:22:19.040
JACK: Like, Pokemon cards?

00:22:19.040 --> 00:22:22.960
JOSEPH: Yu-Gi-Oh, actually. I was a Yu-Gi-Oh kid as a kid,

00:22:22.960 --> 00:22:26.340
and there was these rare cards, so yeah, I’d buy Yu-Gi-Oh cards.

00:22:26.340 --> 00:22:35.720
JACK: Okay, so, what did your parents say from – at this? Are they privy at all to your whole thing?

00:22:35.720 --> 00:22:39.680
JOSEPH: My parents know I’m into these accounts, they know I have these. They don’t necessarily

00:22:39.680 --> 00:22:44.880
know that I’m just straight-up stealing them, but they know people want my accounts and they’re

00:22:44.880 --> 00:22:48.920
willing to go to strange lengths, but they’re not really suspicious. They trust me as their

00:22:48.920 --> 00:22:54.320
son. They’re not like Joseph, what are you up to down there? You up to no good? That

00:22:54.320 --> 00:22:58.880
thought never crossed their mind. My family has always been very supportive of me and

00:22:58.880 --> 00:23:02.720
never really – you know, always had trust in me. There was discipline in my family,

00:23:02.720 --> 00:23:09.960
but they weren’t super uptight discipline. They weren’t questioning and taking away stuff from me.

00:23:09.960 --> 00:23:13.320
JACK: Yeah, I mean, it’s kind of a good excuse, right? You tell your parents yeah,

00:23:13.320 --> 00:23:16.360
I mean, this is my Twitter account. Somebody wanted it; what am I gonna

00:23:16.360 --> 00:23:22.200
do? It totally separates you from the whole rest of the illegal activity you’re doing,

00:23:22.200 --> 00:23:25.080
and it doesn’t – it’s not even about the illegal activity. So,

00:23:25.080 --> 00:23:30.580
the first time the cops come to your house, it’s because you were a victim, not even a criminal.

00:23:30.580 --> 00:23:32.284
JOSEPH: Yeah, exactly.

00:23:32.284 --> 00:23:32.312
JACK: It’s kind of ironic.

00:23:32.312 --> 00:23:38.240
JOSEPH: The first time the cops come to my house, I’m a victim, you know? [MUSIC] It would only be

00:23:38.240 --> 00:23:43.920
about – it would be about six, seven months later where the cops actually show up to my

00:23:43.920 --> 00:23:47.100
house for something illegal, and suddenly I’m not the victim; I’m the perpetrator.

00:23:47.100 --> 00:23:49.300
JACK: Yeah. Yeah, and…

00:23:49.300 --> 00:23:53.920
JOSEPH: But that’s not about SIM-swapping. That’s about taking an Instagram account.

00:23:53.920 --> 00:24:00.543
JACK: Okay, let’s go into it. What happens when the cops come back?

00:24:00.543 --> 00:24:05.600
JOSEPH: Alright. Okay, so, I had – in 2015 there was – I’m sure you know there’s sort

00:24:05.600 --> 00:24:11.760
of a – certain accounts with big followings get – you can make money off them if you – by

00:24:11.760 --> 00:24:15.640
promoting people. Like, if I have a big page with millions of followers,

00:24:15.640 --> 00:24:21.680
people pay me to shout out their products. So, in about 2015, I had broken into an AOL account

00:24:21.680 --> 00:24:27.040
of this guy that had this massive car page on Instagram, had over three million followers,

00:24:27.040 --> 00:24:32.400
and I had just taken it from him. Then I had – I had the account for about two weeks before he got

00:24:32.400 --> 00:24:36.760
it back, but I had made a little money off it. I had actually linked my friend’s phone number

00:24:36.760 --> 00:24:43.520
to the account. So eventually, this guy – most people, you steal their account, they’re not going

00:24:43.520 --> 00:24:48.400
to go the extra mile, but this guy had a vengeance out for me. He put in his own money to get the

00:24:48.400 --> 00:24:52.880
people to investigate into it. Eventually, they traced that phone number to my friend,

00:24:52.880 --> 00:24:58.880
and then my friend to me. They still didn’t have any – enough reason to arrest me or anything,

00:24:58.880 --> 00:25:02.660
but they had enough to get a warrant on my house and essentially seize all my computers.

00:25:02.660 --> 00:25:06.960
JACK: They said they were going to look through his devices to see if they could find any evidence

00:25:06.960 --> 00:25:10.880
of him committing crimes. They didn’t charge him with anything because they didn’t have enough

00:25:10.880 --> 00:25:14.320
evidence, and they were going to look through his computers to see if they could find something on

00:25:14.320 --> 00:25:21.320
him. Of course, his computer was full of chat logs and evidence of him stealing accounts and Bitcoin,

00:25:21.320 --> 00:25:26.920
and when that day winds down and he goes back to his room, he has no computers at all to work on.

00:25:26.920 --> 00:25:30.480
JOSEPH: Actually, my friend comes by and just drops off his computer. Funny enough,

00:25:30.480 --> 00:25:34.560
I had actually just ordered a new computer a week earlier, and that comes in, too. So,

00:25:34.560 --> 00:25:41.040
I get my – I get access to the internet again within – less than twenty-four hours. That

00:25:41.040 --> 00:25:45.960
doesn’t really scare me at all. I’m still gung-ho to do stuff, you know?

00:25:45.960 --> 00:25:49.160
JACK: Okay, so you have – or,

00:25:49.160 --> 00:25:53.200
did you continue to try to take and sell usernames at that point, or you’re like…?

00:25:53.200 --> 00:25:57.720
JOSEPH: Yeah, but I stayed away from those big million-follower accounts. So,

00:25:57.720 --> 00:26:00.960
I still continued usernames, but those million-follower accounts,

00:26:00.960 --> 00:26:08.560
I had stayed away from. I was sort of a little shy with those. Then it was that same year where

00:26:08.560 --> 00:26:14.760
I finally got ahold of that BTCE e-mail list. Someone I knew – I had helped a guy get into a

00:26:14.760 --> 00:26:20.760
Sprint account, and in return he gave me that BTCE e-mail list. So, now I have control of

00:26:20.760 --> 00:26:25.640
the e-mail list and suddenly I can start going through the list and trying to take accounts.

00:26:25.640 --> 00:26:29.840
JACK: This was the golden list, the list of people’s names, e-mail addresses, and how much

00:26:29.840 --> 00:26:36.240
cryptocurrency they had at the BTCE exchange. Of course, Joseph was very happy to get this list.

00:26:36.240 --> 00:26:41.200
JOSEPH: Oh yes, definitely, 100%. I’m nineteen at the time, so I’m out of high school. So,

00:26:41.200 --> 00:26:47.080
I can do this all day, essentially. Yeah, it was a really big deal for me to have that,

00:26:47.080 --> 00:26:50.346
because I thought that was the pinnacle of getting stuff.

00:26:50.346 --> 00:26:53.720
JACK: [MUSIC] He’d combed through the list, looking for accounts that had a lot of Bitcoin

00:26:53.720 --> 00:26:57.440
in it, and then looked to see what e-mail addresses were associated to that. Now,

00:26:57.440 --> 00:27:01.280
as you know, typically when you log into an e-mail account, all you need is an e-mail

00:27:01.280 --> 00:27:06.520
address and a password. So, he first wanted to see if he could figure out the password. Joseph

00:27:06.520 --> 00:27:10.160
was getting more savvy in the hacking scene, and he signed up for a website which let you

00:27:10.160 --> 00:27:14.520
put in an e-mail address and it would search all the public database breaches out there

00:27:14.520 --> 00:27:18.400
and tell you any cracked passwords that were associated with that e-mail address.

00:27:18.400 --> 00:27:23.520
JOSEPH: You’d search in the e-mail into this leak site, and it would display the public passwords

00:27:23.520 --> 00:27:28.080
of them. So essentially, I’m copying these passwords, I’m trying them with variants. Like,

00:27:28.080 --> 00:27:34.440
if the password’s ‘cooldog122’, I might try ‘kooldog’ with a K or maybe ‘cooldog122!’

00:27:34.440 --> 00:27:38.840
with an exclamation point at the end and just hoping – I’d try a few variants of – that are

00:27:38.840 --> 00:27:42.520
commonly – I’ve found commonly associated and then just try to sign into the e-mail

00:27:42.520 --> 00:27:47.680
account. An interesting one where people thought they were being slick is I remember

00:27:47.680 --> 00:27:53.040
commonly seeing something like a password, like a complex password, and then maybe an @ symbol,

00:27:53.040 --> 00:27:58.200
and then paypalcom. Eventually, I just pieced together oh, for linkedin.com,

00:27:58.200 --> 00:28:03.440
it’s linkedincom. For MySpace, it’s myspacecom. Let me just use their common password and then

00:28:03.440 --> 00:28:08.600
let’s try yahoocom. Oh, yahoocom works. So, they’re just using a vary – their common

00:28:08.600 --> 00:28:13.680
password with basically just the site afterwards, and that was actually a common strategy it seemed

00:28:13.680 --> 00:28:18.000
like a decent amount of people were using. So, I kinda picked up on it and always tried it.

00:28:18.000 --> 00:28:22.200
JACK: Oh wow, that’s interesting. So, even though people were using different passwords

00:28:22.200 --> 00:28:26.920
on every site which is what you should be doing, the way they were changing it was guessable,

00:28:26.920 --> 00:28:30.820
and Joseph was able to piece this together and make some money from this.

00:28:30.820 --> 00:28:33.640
JOSEPH: Just to see if I can get lucky, and in some cases,

00:28:33.640 --> 00:28:38.720
I did. There was a few accounts where I got lucky and I entered the password correctly

00:28:38.720 --> 00:28:42.240
and just straight-up reset their account. I’d say in that little run,

00:28:42.240 --> 00:28:48.800
I made about thirty Bitcoin or so, which at the time was about $10,000 to $15,000.

00:28:48.800 --> 00:28:54.760
JACK: Hm, well, after a while, this list had grown cold. It got passed around a lot, and all

00:28:54.760 --> 00:28:59.520
the accounts with big Bitcoin had already been drained or moved. He was getting into accounts,

00:28:59.520 --> 00:29:05.160
opening the lid, and seeing nothing in there. So, lots of hacking, but not many hits.

00:29:05.160 --> 00:29:10.680
JOSEPH: So, I’m doing that, but it’s at that point where I’m sort of – I had a group of

00:29:10.680 --> 00:29:15.760
friends who was suddenly targeting different people. They were saying BTC isn’t the move;

00:29:15.760 --> 00:29:18.240
instead, we should start targeting altcoin investors.

00:29:18.240 --> 00:29:22.520
JACK: So, while Bitcoin is sort of the flagship cryptocurrency, there are many

00:29:22.520 --> 00:29:26.560
other cryptocurrencies out there. Anyone who wants to start their own cryptocurrency can,

00:29:26.560 --> 00:29:31.320
and there’s lots of money that gets poured into these altcoins. Now, around then,

00:29:31.320 --> 00:29:35.880
Joseph was seeing the people in his circle starting to get into SIM-swapping. This

00:29:35.880 --> 00:29:40.440
is where you can try to take over someone’s phone so they could then reset the password

00:29:40.440 --> 00:29:45.240
on an e-mail account. Well, since Joseph was literally in the business of resetting

00:29:45.240 --> 00:29:49.800
passwords and getting into e-mail accounts, it made sense for him to start learning how to do

00:29:49.800 --> 00:29:55.340
SIM-swapping and see how that can be added to his tool belt. So, he started dabbling with it.

00:29:55.340 --> 00:30:00.080
JOSEPH: Back then, SIM-swapping was fairly easy. You could – you would – back then,

00:30:00.080 --> 00:30:04.520
they would ask for the last four digits of social. Oh hey – I’m calling up AT&T;

00:30:04.520 --> 00:30:09.480
hey, I’m trying to – I just got a new cell phone, I have a new SIM card, I’m trying

00:30:09.480 --> 00:30:15.200
to activate my device on that SIM card. They’d say okay, well, what’s your name? You’d say it,

00:30:15.200 --> 00:30:19.080
then they’d ask for your last four social security number. You’d give it to them,

00:30:19.080 --> 00:30:24.320
and there’s – you can buy basically almost anyone’s social security number off the dark

00:30:24.320 --> 00:30:30.960
web for essentially three bucks, so you just buy their social at three bucks and call up AT&T,

00:30:30.960 --> 00:30:36.220
Verizon, T-Mobile, and they’ll just activate the device for you. So, it’s really easy.

00:30:36.220 --> 00:30:41.320
JACK: But while Joseph did it a few times, he wasn’t doing it that much really, until

00:30:41.320 --> 00:30:45.680
he got in with this group of online criminals who were doing SIM-swaps to steal people’s

00:30:45.680 --> 00:30:51.800
cryptocurrencies. Specifically, this group was focused on people with a certain kind of altcoin.

00:30:51.800 --> 00:30:57.280
JOSEPH: Augur, which was the first ERC-20 token to be featured on the Ethereum blockchain;

00:30:57.280 --> 00:31:03.520
it was essentially the first Ethereum altcoin on the blockchain. I believe the persons I was

00:31:03.520 --> 00:31:09.760
involved with actually targeted that company and they got a list of all the pre-sale investors,

00:31:09.760 --> 00:31:14.440
basically everyone who had deposited money when they were launching. So,

00:31:14.440 --> 00:31:17.860
they had the list of all the basically ICO investors, and it would show their address…

00:31:17.860 --> 00:31:19.080
JACK: How’d they get that?

00:31:19.080 --> 00:31:22.880
JOSEPH: I think they actually SIM-swapped the people in Augur and I believe they had

00:31:22.880 --> 00:31:27.160
it uploaded on Google Drive or something just to keep – a spreadsheet, essentially.

00:31:27.160 --> 00:31:30.360
JACK: That’s wild, all the SIM-swapping that happens,

00:31:30.360 --> 00:31:35.640
‘cause you know, SIM-swapping to get an @ account, yeah, okay, I covered that,

00:31:35.640 --> 00:31:39.560
SIM-swapping to get some Bitcoin, but now here we go; SIM-swapping just to get a database.

00:31:39.560 --> 00:31:41.400
JOSEPH: Right.

00:31:41.400 --> 00:31:46.200
JACK: Even if you get a SIM-swap, how are you gonna get the database? You gonna…?

00:31:46.200 --> 00:31:50.400
JOSEPH: You see, they must have reset the person’s Gmail, and I’m not sure they were

00:31:50.400 --> 00:31:53.240
necessarily looking for that. It’s hit or miss sometimes with these things. You can

00:31:53.240 --> 00:31:58.120
do all this work and still not make money, which is – you’re not gonna get everything first try,

00:31:58.120 --> 00:32:02.800
but they got these Augur people and they must have had their spreadsheet backed up

00:32:02.800 --> 00:32:08.720
with Google Drive and – or something basically to easily keep track of it. They download this,

00:32:08.720 --> 00:32:12.920
and this is even more valuable. This shows Ethereum address – it’s like essentially the

00:32:12.920 --> 00:32:18.826
BTCE thing. It shows Ethereum address, their – how much money they bought, and their e-mail.

00:32:18.826 --> 00:32:24.360
JACK: [MUSIC] Whoa, did you follow that? When this Augur cryptocoin initially launched,

00:32:24.360 --> 00:32:29.680
there was a pre-sale where investors could buy some early. The CEO of Augur was saving

00:32:29.680 --> 00:32:34.360
all these investors’ names in a spreadsheet and storing it on Google Drive. This group

00:32:34.360 --> 00:32:39.440
then SIM-swapped the CEO, probably just looking to steal some crypto, but instead

00:32:39.440 --> 00:32:44.120
went into his Google Drive account and found the spreadsheet of all the initial investors;

00:32:44.120 --> 00:32:50.840
their e-mail and how much Augur they bought. This list was amazing for this particular group

00:32:50.840 --> 00:32:57.040
of criminals. Joseph was seeing these people go down the list, targeting every one of the whales,

00:32:57.040 --> 00:33:00.480
trying hard to get into each of their accounts. He wanted to do it too,

00:33:00.480 --> 00:33:06.000
but they wouldn’t give him the list. It was too valuable for them. He did help this group get

00:33:06.000 --> 00:33:11.120
into other crypto-related accounts though, and he says at the time, AOL and Yahoo e-mails were the

00:33:11.120 --> 00:33:15.880
easiest to break into because it didn’t take much for him to call up and convince them that he was

00:33:15.880 --> 00:33:21.200
the owner of the account to get the password reset. Let’s just reenact one of these calls,

00:33:21.200 --> 00:33:27.520
right? So, you call up Yahoo and they say yes, Yahoo, how can I help you? What do you do?

00:33:27.520 --> 00:33:32.440
JOSEPH: Okay, [MUSIC] hi, I’m Joseph Harris. I’m trying to reset my Yahoo e-mail address. Okay,

00:33:32.440 --> 00:33:40.440
what’s your e-mail? Docman123@yahoo. Pull up the account; okay, we need you to verify your

00:33:40.440 --> 00:33:47.560
security question answer on file, and – or you have a card on file that you can verify. Now,

00:33:47.560 --> 00:33:53.320
what I would do before I would call Yahoo in a lot of cases was I’d call up the billing department;

00:33:53.320 --> 00:33:57.680
call up Yahoo, say hey, I’m trying to add a card to my Yahoo account. I’m actually thinking about

00:33:57.680 --> 00:34:04.800
making a purchase, Yahoo small business. I need to make sure my card’s on file. They’d say okay,

00:34:04.800 --> 00:34:08.040
you don’t have a card on file. I’m like weird; I thought I just added it. Like,

00:34:08.040 --> 00:34:12.080
would you like you – me to add the card for you? So, you give them a fake Visa. It doesn’t

00:34:12.080 --> 00:34:16.400
have to be valid at all. It doesn’t actually bill anything. Just give them a fake Visa,

00:34:16.400 --> 00:34:19.400
give them a security code, and they register on the account,

00:34:19.400 --> 00:34:24.440
then call back the regular Yahoo support. Hi; oh, we see you have a card on file. Could you

00:34:24.440 --> 00:34:28.840
verify the last four digits of the card for it? You know that Visa because you added it.

00:34:28.840 --> 00:34:32.520
Tell them the last four digits of the card; okay, we have success – they’d actually

00:34:32.520 --> 00:34:36.640
say congratulations, which I always thought was funny, because if someone who lost access to their

00:34:36.640 --> 00:34:41.520
e-mail, why would they want to be congratulated? But for me, congratulations; you got the account,

00:34:41.520 --> 00:34:45.720
essentially. So, I always thought it was a funny word choice. They’d say congratulations,

00:34:45.720 --> 00:34:51.200
we can add an alternate e-mail to you, we can do this, and what I would do is I’d say

00:34:51.200 --> 00:34:57.720
these security question answers I have on file, they’re – I think someone might know them. Could

00:34:57.720 --> 00:35:03.680
you transfer me to a manager so I can update them permanently in the system? They’d transfer me to

00:35:03.680 --> 00:35:08.400
a manager and I would tell them these security questions, they’re compromised. Someone else

00:35:08.400 --> 00:35:14.440
knows them. Could you update them on file? I would call them and they would essentially permanently

00:35:14.440 --> 00:35:21.400
update the original security questions answers. So, if docman1337@yahoo is trying to get their

00:35:21.400 --> 00:35:26.440
account back, they call. What’s your – what’s the name of your first pet? Oh, my first pet is

00:35:26.440 --> 00:35:30.720
this. That’s not what we have on file. They can’t even get their Yahoo back because I’ve updated

00:35:30.720 --> 00:35:35.200
their original questions with a manager, so now they can’t even get their e-mail address back.

00:35:35.200 --> 00:35:41.560
JACK: Man, he’s scary. This worked very well for him to get into these e-mail accounts,

00:35:41.560 --> 00:35:46.200
and at the time, he was getting into a lot of them. He didn’t have any other job,

00:35:46.200 --> 00:35:53.440
so he would just focus on this all day. So, he was mastering the dark art of e-mail compromise,

00:35:53.440 --> 00:35:58.760
but because he was doing this often, he would always be on the lookout for easier ways to do it,

00:35:58.760 --> 00:36:06.480
such as looking for bugs in some of these e-mail providers. One day, he found a bug in Gmail which

00:36:06.480 --> 00:36:12.560
let him reset anyone’s password. See, at the time, if you told Google that you forgot your password,

00:36:12.560 --> 00:36:17.440
it would look at your cookie history to see if you ever logged into that account before. If you

00:36:17.440 --> 00:36:21.640
didn’t have a session cookie from the past, it would ask you some really hard questions

00:36:21.640 --> 00:36:27.240
to do the account reset. But if it did see that you had a cookie from a past login,

00:36:27.240 --> 00:36:32.080
it would only ask you some easy questions to let you back into the account, because it

00:36:32.080 --> 00:36:37.780
probably meant that you were the rightful owner. [MUSIC] So, Joseph decided to make fake cookies.

00:36:37.780 --> 00:36:42.680
JOSEPH: My bug was essentially – I was able to get it so it would appear that way for any

00:36:42.680 --> 00:36:48.960
account. So, when I tried to reset a password on the form, it would show that I had signed

00:36:48.960 --> 00:36:54.520
into that e-mail before, so now suddenly when I reset the password, the form is registering as

00:36:54.520 --> 00:36:59.000
this person is signed into this e-mail right now. If they fill out a basic amount of information,

00:36:59.000 --> 00:37:02.600
we either give it back to them, or in some cases they would just straight-up let you change your

00:37:02.600 --> 00:37:08.200
password right away. It was so heavily reliant on cookies back then that even if you had the

00:37:08.200 --> 00:37:12.560
wrong answers filled out, it would still let you reset the password because it’s like,

00:37:12.560 --> 00:37:16.920
this person’s signed into the account right now. It just would reset for it.

00:37:16.920 --> 00:37:21.960
It was a terrible bug with Google. It was never publicly disclosed. It wasn’t like it was big

00:37:21.960 --> 00:37:26.840
news. I’m sure if it was big news, Google would be getting all kinds of stuff for that, but it

00:37:26.840 --> 00:37:32.040
was never – it was sort of – I found it and I told a few friends, but it was never a public bug that

00:37:32.040 --> 00:37:36.920
everyone was doing. So, Google eventually fixed that after about a month, but for a whole month,

00:37:36.920 --> 00:37:40.760
yeah, you could essentially – as long as the account wasn’t two-step, you could basically

00:37:40.760 --> 00:37:46.400
just – you could do the trick and then you could essentially just reset anyone’s Gmail. Some cases

00:37:46.400 --> 00:37:51.680
it didn’t work, but – and most cases it would just reset the Gmail account with not knowing

00:37:51.680 --> 00:37:56.160
any information, because it registered that your cookies – essentially that you were signed into

00:37:56.160 --> 00:37:59.900
the Gmail account right now, sort of speaking, your cookies are attached to this Google account.

00:37:59.900 --> 00:38:03.680
JACK: So you see, there were lots of different tricks he was using to get

00:38:03.680 --> 00:38:08.440
into accounts, but it doesn’t stop there. This group was giving him users to target,

00:38:08.440 --> 00:38:13.080
and they were heavy into SIM-swapping to get into e-mails and accounts. So,

00:38:13.080 --> 00:38:20.360
he was learning how to SIM-swap pretty well, too. So, once you get someone’s Yahoo account,

00:38:20.360 --> 00:38:25.640
it – you probably get in the zone; it’s probably go, go, go time. What are you doing?

00:38:25.640 --> 00:38:32.680
[MUSIC] Lock the door, put the headphones on, let’s go. What is it that’s going on?

00:38:32.680 --> 00:38:36.800
JOSEPH: I’m typically looking for – if it was crypto, I’m obviously looking for their crypto

00:38:36.800 --> 00:38:40.314
wallet. Do they have a backup? Do they have a form I can reset? That’s actually what I’m…

00:38:40.314 --> 00:38:44.400
JACK: Do you have a certain tool that’s looking through the e-mail?

00:38:44.400 --> 00:38:48.520
JOSEPH: No, I’m manually searching it because I don’t want to miss anything. A tool, they can

00:38:48.520 --> 00:38:52.600
miss something, but I’m going through – if it’s a crypto person, I’m going through every e-mail,

00:38:52.600 --> 00:38:57.520
any lead that could possibly lead to something because I don’t want a machine to miss it,

00:38:57.520 --> 00:39:01.560
so I’m just manually looking through. Yeah, it’s time consuming, but if you’re – go

00:39:01.560 --> 00:39:04.714
through it too quick, you’re gonna overlook something that could lead to something else.

00:39:04.714 --> 00:39:09.880
JACK: So, rattle off the first five searches you might do.

00:39:09.880 --> 00:39:14.240
JOSEPH: Well, if it’s – if it was – depending on with Yahoo, for something else,

00:39:14.240 --> 00:39:18.520
I would be looking at their Google Cloud, their OneDrive account and try to see if

00:39:18.520 --> 00:39:23.160
they have any pictures or backups saved there. But with Yahoo, they have Yahoo Documents,

00:39:23.160 --> 00:39:27.160
so I might be looking through your Yahoo Documents or I might be searching keywords

00:39:27.160 --> 00:39:32.640
relating to crypto, something like that. Yahoo Documents; see if they have any backup. If I’m

00:39:32.640 --> 00:39:35.960
looking – if I know specifically they have an Ethereum wallet, I might search up the

00:39:35.960 --> 00:39:40.620
keyword ‘Ethereum wallet JSON’ and see if they have the Ethereum wallet backup there.

00:39:40.620 --> 00:39:47.080
JACK: Now, another place he liked digging through was people’s Google Drive or OneDrive. These are

00:39:47.080 --> 00:39:52.360
private storage places that people use to put sensitive information on so you don’t lose it,

00:39:52.360 --> 00:39:57.500
and he would find ways into this and start looking around for interesting stuff there.

00:39:57.500 --> 00:40:01.200
JOSEPH: A lot of people do store their seeds and their private keys in their e-mail. It’s

00:40:01.200 --> 00:40:06.000
a terrible habit to have, but back then especially, you’d see people that would

00:40:06.000 --> 00:40:09.680
write down their private keys in their Cloud storage or something like that,

00:40:09.680 --> 00:40:13.720
or have their backup taken a photo of and be in Yahoo Photos, something like that.

00:40:13.720 --> 00:40:18.480
JACK: What’s the trick to try to find these things? Are you just looking for seed phrase and…?

00:40:18.480 --> 00:40:23.840
JOSEPH: Yeah, or – yeah, exactly, I’m just going through, looking through Sent inbox,

00:40:23.840 --> 00:40:29.200
seeing if they have sent themselves an e-mail. I might do from this e-mail to my e-mail, see if

00:40:29.200 --> 00:40:33.720
they did that, going through photos, just manually searching, making sure I don’t miss anything.

00:40:33.720 --> 00:40:37.280
JACK: So, you’re also looking through Dropbox and any other place that they might…

00:40:37.280 --> 00:40:41.760
JOSEPH: Oh, of course. If I can get into their Apple account – if

00:40:41.760 --> 00:40:45.920
someone hasn’t turned off their sync settings, automatically if they take a photo of my seed,

00:40:45.920 --> 00:40:50.200
I’m gonna see it in the iCloud unless they change their settings, and not everyone’s gonna go into

00:40:50.200 --> 00:40:55.880
their iCloud and disable it so it syncs to iCloud. Most people have their sync option

00:40:55.880 --> 00:41:00.800
on so if they take a photo, I can see that photo of whatever they took in their iCloud.

00:41:00.800 --> 00:41:05.920
JACK: Ooh, most of the time, both Android and Apple phones will automatically send photos

00:41:05.920 --> 00:41:11.400
taken on the phone to Google Photos or iCloud. Because Joseph knew this,

00:41:11.400 --> 00:41:15.200
he would get into there and look through the photos taken on the phone to try to

00:41:15.200 --> 00:41:21.080
find anything good. Some people don’t even know their photos are synced this way,

00:41:21.080 --> 00:41:26.840
and this makes me pause to think too, because what if he’s not there to steal cryptocurrency? What

00:41:26.840 --> 00:41:32.520
if he’s there to steal nudes or incriminating photos or just private stuff that you don’t

00:41:32.520 --> 00:41:39.280
want leaked? This is way too easy for someone to get into the photos taken on my phone. I

00:41:39.280 --> 00:41:44.160
think the problem here is that we want phones with cool features that are easy to use. Sure,

00:41:44.160 --> 00:41:48.080
you could set your phone to not back up the photos to the cloud, but now you’ve gotta find

00:41:48.080 --> 00:41:53.800
a way to back up these photos yourself somewhere, which is a lot more work. It’s harder to do. So,

00:41:53.800 --> 00:42:02.080
we opt for easier methods to do things even though they’re less secure. Eventually, Joseph got his

00:42:02.080 --> 00:42:09.040
hands on the full list of Augur investors and was going wild with that. He had lots of ways

00:42:09.040 --> 00:42:15.064
into accounts, but sometimes they would all fail, and that’s when he had to try to SIM-swap it.

00:42:15.064 --> 00:42:19.080
JOSEPH: [MUSIC] I have a burner Android phone that cost me twenty, thirty bucks that I ordered

00:42:19.080 --> 00:42:25.120
off eBay or some site, or got off Craigslist. I have a SIM card that I just paid and bought

00:42:25.120 --> 00:42:35.200
online from eBay or some reseller, and I got a phone. I’ve just called up AT&T or Verizon,

00:42:35.200 --> 00:42:40.520
verified my details, and gave them my SIM card, and now I have the phone in my hand

00:42:40.520 --> 00:42:45.720
and I’m going on gmail.com and I’m typing in the person’s e-mail, and then I see a phone option;

00:42:45.720 --> 00:42:49.760
I’m typing in that phone number and I’m getting a text directly to that phone in my hand,

00:42:49.760 --> 00:42:54.780
reading off that code, typing it in my web browser, resetting that person’s e-mail password.

00:42:54.780 --> 00:42:57.660
JACK: He scored a lot while doing all this.

00:42:57.660 --> 00:43:02.120
JOSEPH: These were still early days, so it’s basically like – I’m not making too

00:43:02.120 --> 00:43:07.800
much. I’m making – I hadn’t made six figures yet even, but by 2017, at the end of the year,

00:43:07.800 --> 00:43:14.160
I had made six figures. But at the time, these were a couple $10,000s at a time kinda hits,

00:43:14.160 --> 00:43:18.200
and crypto wasn’t – this is still 2016, the start of 2017,

00:43:18.200 --> 00:43:24.360
so crypto hasn’t done that little 2017 bull run yet. Ethereum, for example, was still under $10.

00:43:24.360 --> 00:43:30.520
JACK: But this little spree started to wind down. The list of whales to attack was dwindling,

00:43:30.520 --> 00:43:35.200
the Gmail bug that he found got fixed, and the phone companies were starting to get more strict

00:43:35.200 --> 00:43:40.960
at stopping SIM-swap attacks. They were now requiring people to know the account number or

00:43:40.960 --> 00:43:46.720
security number or something else to swap it. So, simming suddenly just became too hard to do. Now,

00:43:46.720 --> 00:43:50.920
most of this crypto he stole, he would just cash it out right away using LocalBitcoins,

00:43:50.920 --> 00:43:57.360
but as 2017 came around, the price of crypto rose dramatically and he decided to just start keeping

00:43:57.360 --> 00:44:02.440
a bunch of it and hold it. Without even doing anything, he was watching his money double and

00:44:02.440 --> 00:44:06.840
triple in value that year. [MUSIC] One day, he came across an account that he wanted to

00:44:06.840 --> 00:44:12.560
get info from, and he found the phone number associated to it. But it was a Verizon number,

00:44:12.560 --> 00:44:17.440
and Verizon just upped their security, making it too hard to do a SIM-swap with them anymore.

00:44:17.440 --> 00:44:24.640
JOSEPH: So, I’m trying to reset a Verizon. They’re gung-ho on this passcode or account number,

00:44:24.640 --> 00:44:30.080
and so, I start to think, account number; how can I get that? Is there a bug I can find to get this

00:44:30.080 --> 00:44:35.600
account number or something? I decide to look for a bug that might disclose the account number. I

00:44:35.600 --> 00:44:40.160
look through pages; I’m not finding anything, then I think what about the quick page thing,

00:44:40.160 --> 00:44:45.240
where – there’s pages with AT&T and Verizon where you quickly pay your bill and you don’t

00:44:45.240 --> 00:44:50.400
need access to the account; you just enter your phone number. So, I look at this quick page page,

00:44:50.400 --> 00:44:55.600
I enter a target’s – a Verizon – some random guy’s Verizon number, and then I look at the

00:44:55.600 --> 00:45:00.000
page. It has the account number, but it’s not fully disclosed. But then I’m like,

00:45:00.000 --> 00:45:04.520
why don’t I look a little deeper? So, I look into the sources and I find a – I look in and

00:45:04.520 --> 00:45:10.920
I find a JavaScript variable that has the account number just completely disclosed right there. So,

00:45:10.920 --> 00:45:15.760
I’m now able – I’ve found in the JavaScript that the account number’s completely there,

00:45:15.760 --> 00:45:20.520
so I call right back up to Verizon and instantly get the account with that account number that was

00:45:20.520 --> 00:45:26.160
just disclosed to me. Now, essentially, I’m pretty much the only one in this community

00:45:26.160 --> 00:45:31.520
that’s able to do Verizons, because this was when the social stuff got patched. So essentially,

00:45:31.520 --> 00:45:36.600
I’m like the go-to guy to reset these Verizons accounts because I’m the only one who knows how

00:45:36.600 --> 00:45:41.740
to do them because I’m the only one that has this bug to basically find the account number.

00:45:41.740 --> 00:45:47.920
JACK: Huh. I want to linger here for a second. Joseph found a page on Verizon’s website which

00:45:47.920 --> 00:45:53.800
lets you put in someone’s phone number to pay their bill. Then, if he inspected the source code,

00:45:53.800 --> 00:46:01.720
he could see their account number. Is this a data breach? Yes, I’d say it is. The account number

00:46:01.720 --> 00:46:06.680
should not be known publicly. Even Verizon knew that, and that’s why they asked for that number

00:46:06.680 --> 00:46:11.640
before porting a SIM card over. So, the fact that you could go to this website and just get the

00:46:11.640 --> 00:46:18.680
account number of any phone number you wanted is a data breach. But the thing is, defenders

00:46:18.680 --> 00:46:25.160
or security professionals like myself have a hard time visualizing what a data breach like this can

00:46:25.160 --> 00:46:30.600
actually cause damage to. So what if someone knows my Verizon account number? What are they gonna do,

00:46:30.600 --> 00:46:36.560
pay my bill with it? But I read something the other day that I think captures this problem.

00:46:36.560 --> 00:46:42.240
I’m going to reference the Marine Corps doctrine on war fighting. MCDP 1; yeah,

00:46:42.240 --> 00:46:47.400
I sometimes do read Marine Corps manuals on war fighting, and there’s this section which talks

00:46:47.400 --> 00:46:53.560
about the science, art, and dynamic of war, and the section ends by saying this, quote,

00:46:53.560 --> 00:46:59.120
“We thus conclude that the conduct of war is fundamentally a dynamic process of human

00:46:59.120 --> 00:47:05.120
competition, requiring both the knowledge of science and the creativity of art,

00:47:05.120 --> 00:47:12.280
but driven ultimately by the power of human will.” End quote. This sounds exactly like

00:47:12.280 --> 00:47:17.600
what hackers do. Defending and attacking a network is a human competition. Who’s better

00:47:17.600 --> 00:47:24.200
at their job? This doctrine goes on about how creativity plays a big part in winning a war.

00:47:24.200 --> 00:47:29.280
You have to be able to visualize what could possibly happen, and here’s an example of a

00:47:29.280 --> 00:47:35.520
hacker being able to visualize and be more creative than the defenders. Joseph possess

00:47:35.520 --> 00:47:41.540
a strong creative force. It’s remarkable what he can do with just a little bit of user data.

00:47:41.540 --> 00:47:45.640
JOSEPH: Yeah, like oh, what can we do with account number? Okay, ha, ha, yeah, they know

00:47:45.640 --> 00:47:49.680
the account number. So, you look at this like okay, this is such a little breach, [MUSIC] but

00:47:49.680 --> 00:47:54.340
this one little breach is basically the key to take over anyone’s Verizon account.

00:47:54.340 --> 00:47:59.280
JACK: It’s scary to think about, because when you give this little piece of user

00:47:59.280 --> 00:48:04.360
data to someone like Joseph who’s skilled at SIM-swapping and stealing crypto, it could

00:48:04.360 --> 00:48:09.640
mean hundreds of thousands or millions of dollars in stolen money from users,

00:48:09.640 --> 00:48:13.800
and the weird thing is, Verizon isn’t even going to be blamed when their users

00:48:13.800 --> 00:48:17.680
get their money stolen. I don’t know, I guess I’m just surprised to see such

00:48:17.680 --> 00:48:23.240
creativity and enormous human will that some attackers have. This wasn’t the only time he

00:48:23.240 --> 00:48:27.720
found a vulnerability on a cell provider; he also found a bug on T-Mobile’s website.

00:48:27.720 --> 00:48:33.960
JOSEPH: So, essentially what I did is I had a compromised account number to a T-Mobile account,

00:48:33.960 --> 00:48:38.400
so I signed in with someone else’s T-Mobile account and I just started looking through

00:48:38.400 --> 00:48:44.520
the HTTP traffic. I was looking through requests, I’m visiting every single URL and just basically

00:48:44.520 --> 00:48:49.880
getting a full scope of the requests being sent out, and I stumble upon the WSG one,

00:48:49.880 --> 00:48:55.240
which is a new one, and I notice it has the T-Mobile ID field in it, and it has my – the

00:48:55.240 --> 00:48:59.720
phone number of the person I’m signed into. So, I just – to – it was a very simple thing;

00:48:59.720 --> 00:49:04.320
I just test it with someone else’s phone where I disclose their info. I also said – and then

00:49:04.320 --> 00:49:09.840
I started trying different values after that, so instead of MSIDN, I’d try T-Mobile ID, and then I

00:49:09.840 --> 00:49:13.840
could search them by their e-mail address. So, I was just figuring out these different parameters

00:49:13.840 --> 00:49:19.080
I could use to pull different information or pull up information based off account number

00:49:19.080 --> 00:49:24.820
or e-mail address or phone number, and that’s – and it would just display their information.

00:49:24.820 --> 00:49:29.800
JACK: I’m proper impressed with this. I mean, he’s capturing packets, changing the data on it,

00:49:29.800 --> 00:49:33.320
and replaying them. That’s not some basic skills there. He’s got some

00:49:33.320 --> 00:49:37.280
real hacking chops to figure that out. But what this did is it allowed him to

00:49:37.280 --> 00:49:41.920
read text messages for other T-Mobile users without having to SIM-swap them,

00:49:41.920 --> 00:49:47.680
because he was changing the IMSI number. Joseph was getting pretty dangerous. He’s mastered how

00:49:47.680 --> 00:49:52.080
to get into people’s e-mails, he’s cornered the market on SIM-swapping certain carriers,

00:49:52.080 --> 00:49:58.080
he’s finding some pretty juicy vulnerabilities, and he’s absolutely ruthless about stealing

00:49:58.080 --> 00:50:04.040
people’s cryptocurrencies. He starts learning about how to find even bigger accounts to go

00:50:04.040 --> 00:50:09.880
after, because since crypto was booming, it meant there were a lot of newly-minted millionaires,

00:50:09.880 --> 00:50:16.560
and Joseph was laser-eyed focused on who they were and was targeting them. [MUSIC] Sure enough,

00:50:16.560 --> 00:50:23.520
he got into an account which had over a million dollars in cryptocurrency, and he stole it.

00:50:23.520 --> 00:50:27.880
JOSEPH: At this time, I was a crypto millionaire. There was a hack I

00:50:27.880 --> 00:50:33.560
did that I made millions of dollars essentially by finding a backup seed.

00:50:33.560 --> 00:50:40.960
JACK: This was a big score, his biggest yet. He can’t go into details about this one though,

00:50:40.960 --> 00:50:48.200
but it was exciting for sure. He was walking taller and on a new high for about a week,

00:50:48.200 --> 00:50:50.880
because that’s when the cops showed up.

00:50:50.880 --> 00:50:56.280
JOSEPH: So, they actually went to my old house, my mom’s, where they basically said we want to see

00:50:56.280 --> 00:51:02.480
Joseph. She gave them my new address and gave me a call, a heads-up, that they were on the way. So,

00:51:02.480 --> 00:51:08.040
I was kind of prepared, but they were – I kinda just put my computer somewhere where I – I didn’t

00:51:08.040 --> 00:51:11.240
have time to get rid of it or anything, but I just kinda put it to the side. They

00:51:11.240 --> 00:51:18.080
knocked and they said Joseph Harris, you’re under arrest. Honestly, I’m not – I asked,

00:51:18.080 --> 00:51:22.800
is this about – I knew there was that other charge. Like, is this about the Instagram thing?

00:51:22.800 --> 00:51:27.200
They said yes. Then essentially, they took me to the near police station. I was booked,

00:51:27.200 --> 00:51:32.300
took fingerprints, and then essentially after that, they let me go on a $500 bail.

00:51:32.300 --> 00:51:37.400
JACK: What? He was arrested for stealing that Instagram account from a while back and the cops

00:51:37.400 --> 00:51:43.360
had no clue he had stolen a million dollars a week earlier. So, he got a misdemeanor charge and was

00:51:43.360 --> 00:51:51.410
let go on a $500 bail. Yeah, and I mean, did that scare you at all or were you just like ha, ha!

00:51:51.410 --> 00:51:56.560
JOSEPH: It was sort of like a ha, ha moment in a way, but I did get super careful after that.

00:51:56.560 --> 00:52:01.960
Any time I would use a computer, I just started destroying them, completely just removing all

00:52:01.960 --> 00:52:09.040
– any computers I had – I went probably through like, five Macs within nine months and probably

00:52:09.040 --> 00:52:13.360
destroyed a couple PCs while I was at it. I was just – I would – ‘cause honestly,

00:52:13.360 --> 00:52:19.360
how they got me was they had done forensics on my computer and even though I had – thought I

00:52:19.360 --> 00:52:23.720
had deleted everything, they were – obviously they could still dig into the RAM and see oh,

00:52:23.720 --> 00:52:26.960
this person had Skype logs, so even though he’s deleted everything,

00:52:26.960 --> 00:52:31.120
we can use advanced forensics and find all that he’s been doing. So, I wasn’t

00:52:31.120 --> 00:52:34.680
like – I wasn’t even gonna risk getting caught at that point. I was not gonna risk anything.

00:52:34.680 --> 00:52:38.800
I’m doing bigger bucks. I can afford to buy new Macs. I’m just gonna completely smash,

00:52:38.800 --> 00:52:43.900
scatter these parts in dumpsters and – or wherever I can and just not have physical evidence.

00:52:43.900 --> 00:52:48.192
JACK: Well, tell me about this smash. Was this a social event or did you – what was…?

00:52:48.192 --> 00:52:52.600
JOSEPH: Oh, it wasn’t – I just – it wasn’t a social event. It was just me using tools and

00:52:52.600 --> 00:52:57.760
smashing computers and then putting them in trash bags and throwing them in different areas not

00:52:57.760 --> 00:53:03.320
near my house. So, I mean, that was just my way of saying okay, well, even if I get arrested, there’s

00:53:03.320 --> 00:53:07.840
gonna be no physical evidence. My idea was I just don’t want anyone to get ahold of my computers,

00:53:07.840 --> 00:53:10.980
because I know they got advanced forensics and I’m not gonna take any risks with that.

00:53:10.980 --> 00:53:13.640
JACK: Yeah, I just imagine you taking it to a party and saying hey,

00:53:13.640 --> 00:53:15.680
everyone, give it a good stomp.

00:53:15.680 --> 00:53:18.520
JOSEPH: I was living with my roommates at the time,

00:53:18.520 --> 00:53:23.120
so I did have some – they didn’t know exactly what I was doing; they knew something was up,

00:53:23.120 --> 00:53:29.760
I’m sure, but they helped me smash them, but they weren’t exactly sure what they were smashing. So,

00:53:29.760 --> 00:53:34.000
I just – I need to get rid of this; like okay Joseph, sure, you know? So,

00:53:34.000 --> 00:53:38.320
there was sort of these things where my friend would get out the chain – not chainsaw;

00:53:38.320 --> 00:53:42.160
it’s some sort of tool and basically drill into it. It might have been a drill, but I

00:53:42.160 --> 00:53:47.000
don’t remember completely. Yeah, we destroyed it. I remember us playing around with magnets too,

00:53:47.000 --> 00:53:51.360
so there was sort of that, but it wasn’t – something like that, essentially. It wasn’t

00:53:51.360 --> 00:53:58.946
one of those things to flex; it was more, I don’t want this to be evidence. I gotta get rid of it.

00:53:58.946 --> 00:54:02.680
JACK: [MUSIC] By this point, he had graduated high school and moved out on his own. The story

00:54:02.680 --> 00:54:07.040
he told his parents was that he was a Bitcoin investor. Since it skyrocketed that year, it

00:54:07.040 --> 00:54:12.640
was a believable story and it was partially true. So, his parents trusted that he was doing well,

00:54:12.640 --> 00:54:16.640
and he started getting more sophisticated with laundering his Bitcoin, too. See,

00:54:16.640 --> 00:54:20.360
when you steal someone’s Bitcoin, it’s hard to cash it out without it being tracked to

00:54:20.360 --> 00:54:25.760
you. All the exchanges require KYC, or Know Your Customer, and you have to give them a

00:54:25.760 --> 00:54:30.800
valid photo ID and tell them who you are and all this kinda stuff. So, if there is a crypto-heist

00:54:30.800 --> 00:54:35.560
or some funny business, the feds can track that crypto to an exchange and then get the

00:54:35.560 --> 00:54:40.960
exchange to tell them who cashed out with it. In fact, Joseph did have an account at an exchange,

00:54:40.960 --> 00:54:46.760
Coinbase, under his real name, and he was cashing out on some of these licks. But he could do that

00:54:46.760 --> 00:54:51.984
because he was cleaning the money first before putting it into his account and cashing it out.

00:54:51.984 --> 00:54:57.120
JOSEPH: [MUSIC] Well, so, the basic idea is I was paying to have these German Binance accounts

00:54:57.120 --> 00:55:01.640
created, a thousand bucks or so. At the time, I had a lot of money, so a thousand bucks or so. So,

00:55:01.640 --> 00:55:06.000
I’d pay a thousand bucks for a couple of these people that – this guy I knew knew a bunch of

00:55:06.000 --> 00:55:11.720
German people, so I would have him create these Binance accounts for me and I would essentially

00:55:11.720 --> 00:55:17.200
slowly launder the money through those. I’d change the crypto to Monero, then I’d take the Monero

00:55:17.200 --> 00:55:22.800
out, send the Monero to my Monero address, then send the Monero to another Monero address I did.

00:55:22.800 --> 00:55:28.200
I’m sure you know Monero is a privacy coin, so it doesn’t show up on the blockchain. So basically,

00:55:28.200 --> 00:55:34.040
once – that’s basically money laundering 101 with crypto. You need to get your crypto to Monero,

00:55:34.040 --> 00:55:38.160
then you need to send your Monero to another address so there’s no transaction. Suddenly,

00:55:38.160 --> 00:55:42.720
you buy, say, Bitcoin again with Monero or Ethereum; there’s no way to tell where

00:55:42.720 --> 00:55:46.960
that Monero came from originally because it’s not public on the blockchain. So essentially,

00:55:46.960 --> 00:55:51.960
once you buy that Ethereum, all that shows is that someone bought Ethereum with Monero, but we have

00:55:51.960 --> 00:55:57.640
no idea where this Monero came from, so they can’t do blockchain analysis and then track oh wait,

00:55:57.640 --> 00:56:02.520
this came from this hack and this hack. But all they see is someone’s used Monero to buy this,

00:56:02.520 --> 00:56:07.680
but there’s no proof that I got that illegally. There’s no proof. I’m just a Monero user.

00:56:07.680 --> 00:56:12.080
JACK: Makes sense. So, you’ve got some money coming into Coinbase, you’re cashing out,

00:56:12.080 --> 00:56:16.400
putting it in your bank account, you got a apartment or a house or something?

00:56:16.400 --> 00:56:22.120
JOSEPH: I have a house with four roommates. Not a big house; at the time,

00:56:22.120 --> 00:56:27.360
I’m still living within my means, you know? You see all these crazy stories and I, honestly,

00:56:27.360 --> 00:56:31.360
I always kinda look down on it. I’d see people going to LA, posting their ads,

00:56:31.360 --> 00:56:37.240
and I’d kinda be like oh, I’ve never been really the party type, myself. I was more just kind of

00:56:37.240 --> 00:56:43.120
like – I had this money, I was saving it. I wasn’t being – I was buying stuff; like,

00:56:43.120 --> 00:56:48.020
I bought some usernames and stuff, but I wasn’t going out buying Lamborghinis and stuff like that.

00:56:48.020 --> 00:56:53.880
JACK: Yeah, so, you are doing all this work in an office setting or in your bedroom or what?

00:56:53.880 --> 00:56:57.160
JOSEPH: I have a little basement area. I have a decent little computer setup,

00:56:57.160 --> 00:57:01.280
and I’m just kinda doing it in there. There’s a big TV that I bought;

00:57:01.280 --> 00:57:05.520
I got a TV I can watch. I got some game consoles if I want to play some Xbox,

00:57:05.520 --> 00:57:09.080
and obviously I got my computer right there. So, I also have a good Mac because

00:57:09.080 --> 00:57:13.640
I’ve always been – I always like bringing my Mac and doing stuff on my Mac, too, so those

00:57:13.640 --> 00:57:19.520
are my main setup. I got my big PC downstairs and I got my Mac that I use around the house.

00:57:19.520 --> 00:57:22.040
JACK: I’m just trying to picture it, right?

00:57:22.040 --> 00:57:29.920
JOSEPH: Let’s just put it this way; that house, it’s a small little house. It’s just kinda crazy

00:57:29.920 --> 00:57:33.920
to think – my friends used to joke about it now, but it’s like, millions of dollars was

00:57:33.920 --> 00:57:40.680
stolen in that house. Just crazy to think some small little house, not even a major place,

00:57:40.680 --> 00:57:46.480
but the amount of money that was stolen just in the basement of some – it’s not an expensive

00:57:46.480 --> 00:57:50.200
house; it’s probably worth 100k, 200k, and it’s four people paying for rent. I’m not

00:57:50.200 --> 00:57:56.200
paying – I’m not going out buying a penthouse or anything. It’s just kinda odd to think oh,

00:57:56.200 --> 00:58:00.160
wow, there was millions of dollars that was laundered and stolen through that house.

00:58:00.160 --> 00:58:04.680
JACK: Did you have an exit strategy in mind? Did you say okay, I’m gonna only

00:58:04.680 --> 00:58:07.600
steal this much money and then I think I’m gonna hang it up, or what was…?

00:58:07.600 --> 00:58:11.360
JOSEPH: That was sort of it, but it’s just that – like you said before,

00:58:11.360 --> 00:58:16.000
that rush. One second you are not a millionaire; you have thousands

00:58:16.000 --> 00:58:21.000
of dollars or 100k, but you’re not a millionaire. Then within two seconds,

00:58:21.000 --> 00:58:26.320
ten seconds, you instantly have two million dollars, three million dollars, just within

00:58:26.320 --> 00:58:31.520
a minute. It’s that rush. It’s like an insane natural high that you’re like, whoa.

00:58:31.520 --> 00:58:35.720
JACK: When you have that rush, when you make it and it’s like oh my gosh,

00:58:35.720 --> 00:58:39.920
I just did it; I just have a extra two million dollars, what do you do

00:58:39.920 --> 00:58:44.620
to maybe celebrate or what do you after that to just kind of let it linger and…?

00:58:44.620 --> 00:58:48.600
JOSEPH: Probably just go out with my friends, play video games,

00:58:48.600 --> 00:58:53.080
get some food, honestly. I remember after my first million-dollar one,

00:58:53.080 --> 00:58:58.620
I had my friend and we went to Fazoli’s. It’s an Italian place, and that was my celebration.

00:58:58.620 --> 00:59:02.080
JACK: Fazoli’s gives you free bread sticks. Let’s go – hey,

00:59:02.080 --> 00:59:05.960
I just got a million dollars; let’s go get some free bread sticks, guys, on me, on me.

00:59:05.960 --> 00:59:13.400
JOSEPH: Yeah, of course it was on me, yeah. I wasn’t having my friend pay. So, at this point,

00:59:13.400 --> 00:59:20.040
it’s like you’re insane and also it’s just a very big rush. It’s enjoyable, and you’ve already made

00:59:20.040 --> 00:59:23.920
your millions of dollars so now it’s more like you’re not even stressing about getting the money.

00:59:23.920 --> 00:59:28.520
You’re like, I can do this until I make another one. At this point, crypto’s starting to crash. I

00:59:28.520 --> 00:59:35.600
don’t know if you remember, but in 2018, Ethereum went from near $1,500 and it started going down,

00:59:35.600 --> 00:59:40.480
slowly down to $600. So suddenly, my money – I’m losing – every time crypto’s dropping,

00:59:40.480 --> 00:59:45.400
I’m losing six figures. That’s how much I had. Any time I’d – it would start drop – my millions was

00:59:45.400 --> 00:59:49.840
going down. I was losing $100,000, $200,000, $300,000 at a time because I had so much that

00:59:49.840 --> 00:59:53.800
any time it dropped, I’d lose a lot of money. So, that was start – even though I stole this money,

00:59:53.800 --> 00:59:59.520
that was starting to wear on my mind. Like, oh, wow, my money’s going down. So,

00:59:59.520 --> 01:00:07.466
I’m getting a rush from doing this and my money’s going down. Why don’t I keep doing it?

01:00:07.466 --> 01:00:10.880
JACK: [MUSIC] So, up until now, if you had control of someone’s phone number and

01:00:10.880 --> 01:00:15.560
wanted to get into their Gmail account, you could just tell Gmail hey, reset my password,

01:00:15.560 --> 01:00:19.920
and typically, the backup way into a Gmail was to get a text to your phone with a link

01:00:19.920 --> 01:00:25.400
to reset the password. But Gmail added a new security feature which somehow messed this up,

01:00:25.400 --> 01:00:29.620
so SIM-swapping someone to try to get into their Gmail account just wasn’t working well anymore.

01:00:29.620 --> 01:00:33.560
JOSEPH: Basically, Gmail was starting to get a little strict. You’d try to SIM-swap someone and

01:00:33.560 --> 01:00:37.320
it wasn’t letting you because it would give you these unrecognized device errors. So,

01:00:37.320 --> 01:00:43.200
people were not being able to do Gmails. But I had actually found a bug with – by using a web

01:00:43.200 --> 01:00:48.360
debugger and SIM-swapping that I could actually make it appear as if I’ve signed into the device

01:00:48.360 --> 01:00:53.160
before. Remember how I had done that with Gmail before to be able to reset passwords? But here,

01:00:53.160 --> 01:00:58.200
if I controlled someone’s SIM and had the SIM device, I could also do it so that I

01:00:58.200 --> 01:01:03.160
could essentially appear as if I was signing into the accounts. It’s not only the forms letting me

01:01:03.160 --> 01:01:08.440
reset with just a phone number, not – like, I’m completely bypassing GAuth and two-step, which is

01:01:08.440 --> 01:01:16.040
now in the picture. So, I have this bug to do this stuff and I hear about this Crowd Machine guy.

01:01:16.040 --> 01:01:21.800
JACK: This Crowd Machine guy; he’s talking about the owner and CEO of a crypto company called Crowd

01:01:21.800 --> 01:01:27.200
Machine. Now, by this point, Joseph has moved his sights higher. Instead of targeting people

01:01:27.200 --> 01:01:32.800
with crypto, why not target companies that have crypto? Because they’ll have way more. [MUSIC]

01:01:32.800 --> 01:01:37.440
You can go onto websites like CoinMarketCap and see who the biggest whales are in crypto,

01:01:37.440 --> 01:01:41.840
and you can see which wallets have over a million dollars. It’s right there for anyone to see,

01:01:41.840 --> 01:01:46.240
because the blockchain is a public ledger. Joseph found a certain wallet that had a

01:01:46.240 --> 01:01:51.800
lot of this Crowd Machine altcoin in it, and it was so much that Joseph thought for sure

01:01:51.800 --> 01:01:57.840
it must be owned by either the company or the CEO. So, he set his sights on the CEO

01:01:57.840 --> 01:02:04.160
of Crowd Machine, thinking surely he must have access to these big wallets somehow.

01:02:04.160 --> 01:02:09.880
JOSEPH: He has two-step security on it. He has GAuth, he has an alternate e-mail. Normally

01:02:09.880 --> 01:02:15.480
this guy’s not targetable, but I decide to try my bug on him. So, at this time,

01:02:15.480 --> 01:02:22.160
I was thinking – normally when I did SIM-swaps, I would let other people do the SIM for me. Like,

01:02:22.160 --> 01:02:27.560
they’d hold the SIM, but in this case I was a little upset about a breakup,

01:02:27.560 --> 01:02:31.280
so I was just kind of in ruthless mode. I was like, I want to make a lot of money,

01:02:31.280 --> 01:02:39.200
I want to do this, I want to do that, and I start seeing my friend Joel get arrested, and there was

01:02:39.200 --> 01:02:44.640
– they got him by tracking the cell phone. Like, kinda location, they could see where he was.

01:02:44.640 --> 01:02:49.920
JACK: Okay, so Joel Ortiz was the first ever person to be arrested and convicted for

01:02:49.920 --> 01:02:56.720
SIM-swapping. Apparently he stole $23 million from someone using a SIM-swap attack. Joel is currently

01:02:56.720 --> 01:03:02.120
facing ten years in prison for this. Joseph knew him and didn’t want to be arrested in the same way

01:03:02.120 --> 01:03:07.360
by being identified because of what cell towers he was connecting to. So, to do this SIM-swap,

01:03:07.360 --> 01:03:11.180
Joseph drove far away from his home in Missouri [MUSIC] all the way to Oklahoma.

01:03:11.180 --> 01:03:15.840
JOSEPH: Yeah, so Oklahoma’s about – I went to Oklahoma city. That’s about a eight to

01:03:15.840 --> 01:03:21.080
nine-hour drive. It’s not too far. Maybe it’s a little less than that. So, I – we drive down to

01:03:21.080 --> 01:03:27.600
Oklahoma. My cousin’s driving me, and he doesn’t stay long. He drops me off. Well, actually,

01:03:27.600 --> 01:03:33.160
he stays the first day and I go to Walmart to buy a cell phone, just a cheap cell phone,

01:03:33.160 --> 01:03:38.560
which – that was my first mistake. Normally I buy these things on eBay. Keep in mind,

01:03:38.560 --> 01:03:42.940
I haven’t held SIM – I haven’t held the phone in a while, so I’m a little outdated with how to do it.

01:03:42.940 --> 01:03:47.920
JACK: What he means is this group he was with got so big that some people specialized in SIM-swaps,

01:03:47.920 --> 01:03:51.520
and you could just tell them the number you wanted and they would do the SIM-swap. Then

01:03:51.520 --> 01:03:54.800
when you went to do the password reset, you’d just ask them for the text message

01:03:54.800 --> 01:03:58.920
and they would tell you what’s on the phone. That’s what he normally would do

01:03:58.920 --> 01:04:04.080
when he needed to do a SIM-swap, but for this particular one, he wanted to do it himself,

01:04:04.080 --> 01:04:08.460
maybe because he had this Gmail bug that he found that he didn’t want to share with anyone.

01:04:08.460 --> 01:04:13.120
JOSEPH: So, essentially, I’m just – like I said, a lot of the times, you know these people probably

01:04:13.120 --> 01:04:18.000
have a lot of money, but you don’t necessarily know how they store it. So, I call – this time,

01:04:18.000 --> 01:04:23.720
I call up AT&T and I ask to activate it. They gave me a little trouble at first,

01:04:23.720 --> 01:04:30.440
but eventually I got them to activate the SIM card. Then I do my vulnerability to

01:04:30.440 --> 01:04:35.666
try to make it so that it appears as if I’ve signed in again. I pull off the bug.

01:04:35.666 --> 01:04:39.200
JACK: [MUSIC] Okay, at this point, he’s in the account. He has control over the

01:04:39.200 --> 01:04:44.100
CEO’s phone and his Gmail account, all from within this hotel room.

01:04:44.100 --> 01:04:48.120
JOSEPH: This is all in a hotel room, yeah. I’m alone in a hotel room,

01:04:48.120 --> 01:04:52.440
I’m – I’ve been alone for about five days, so I’m starting to get a little antsy and kind of

01:04:52.440 --> 01:04:58.280
nervous and I’m upset about the breakup. I get it activated, I use my bug to bypass two-step,

01:04:58.280 --> 01:05:06.240
and I reset the code with just – the account with just the phone number. I’m excited because I had

01:05:06.240 --> 01:05:11.240
done it before with another thing, but I had never done it to bypass GAuth, so I’m like wow,

01:05:11.240 --> 01:05:18.240
this bug’s even more effective than I thought. So, I sign in and I start looking through his

01:05:18.240 --> 01:05:25.200
stuff. Now, I’m seeing some interesting e-mails, but I decide to go to Google Drive. I’m looking

01:05:25.200 --> 01:05:32.240
through his files and that’s when I see a backup to MetaMask numeric passphrase,

01:05:32.240 --> 01:05:36.000
which is – I forget how many. I think it’s like, twelve characters. It’s a twelve-character word. I

01:05:36.000 --> 01:05:40.800
don’t know exactly what it’s for, but I’m guessing it’s for Ethereum. So, I put that new numeric

01:05:40.800 --> 01:05:49.960
passphrase in MetaMask, it loads up the wallet, and I see he has $3 million in his own coin there.

01:05:49.960 --> 01:05:56.640
JACK: Joseph now has full control of this wallet. With just a few clicks of the mouse,

01:05:56.640 --> 01:06:01.720
he can transfer $3 million of this crypto coin to his own wallet. So,

01:06:01.720 --> 01:06:07.240
he takes a moment to just look at this. A tiny smile flashes across his face and he

01:06:07.240 --> 01:06:11.700
grabs it all, all $3 million worth of this Crowd Machine cryptocoin.

01:06:11.700 --> 01:06:18.720
JOSEPH: But I’m like, surely there’s more stuff. So, I start – I’m – his

01:06:18.720 --> 01:06:24.400
account’s a super admin on his G Suite, so I go through his users and I find the tech guy,

01:06:24.400 --> 01:06:28.800
the guy who built an automated system to send out the investors their coin. So,

01:06:28.800 --> 01:06:34.640
I reset his ad – his account, and I get into the tech’s guy thing, and I see that he’s – he

01:06:34.640 --> 01:06:38.400
has a script that basically automates the process of sending out these coins to the

01:06:38.400 --> 01:06:45.060
investors. But his bad fault is he backed up his source code for this on Google Drive.

01:06:45.060 --> 01:06:50.680
JACK: The source code shows exactly how to pull money out of the main wallet for this company,

01:06:50.680 --> 01:06:55.040
step-by-step. So, now all Joseph has to do is read what’s in the source code and

01:06:55.040 --> 01:07:00.280
follow it to transfer the money to his own wallet. So, he cracks it open to take a look,

01:07:00.280 --> 01:07:05.640
and sitting right there in the source code was the private key for the main Crowd Machine

01:07:05.640 --> 01:07:12.720
wallet. He loads this private key up into his wallet, which gives him control of that wallet.

01:07:12.720 --> 01:07:19.100
JOSEPH: I access the private key and it has about $17 million in it.

01:07:19.100 --> 01:07:27.880
JACK: That is, $17 million US worth of this Crowd Machine cryptocurrency. Whoa, this was

01:07:27.880 --> 01:07:34.000
by far the most he’s ever had control of. But at this point, it’s still sitting in their wallet,

01:07:34.000 --> 01:07:38.500
and of course, he wants to move it to his wallet so only he would be able to control this money.

01:07:38.500 --> 01:07:44.240
JOSEPH: So, I see that this wallet has $17 million in it, and I already have $3 million,

01:07:44.240 --> 01:07:48.680
so I have $20 million in total. But I decide that – I don’t know what this moral compass

01:07:48.680 --> 01:07:53.520
was. Me thinking back to it, it makes no sense, but I decide I’m not gonna take everything from

01:07:53.520 --> 01:07:59.420
them. I just take $15 million from them and I leave $5 million still in the crowdsale wallet.

01:07:59.420 --> 01:08:01.140
JACK: What do you think the reason was?

01:08:01.140 --> 01:08:05.720
JOSEPH: I think the reason was a slight bit of guilt. Like, do I completely want

01:08:05.720 --> 01:08:10.680
to take these people completely dry? Do I – or just leave them with something,

01:08:10.680 --> 01:08:15.160
I think was my mindset, which looking back at it is, I’m gonna tank their coin anyways. Why

01:08:15.160 --> 01:08:20.840
wouldn’t I just take it all? But I do feel at the time I felt slightly bad about just

01:08:20.840 --> 01:08:25.560
robbing them for everything. That’s the biggest hit I’d done; $20 million is a lot of money,

01:08:25.560 --> 01:08:30.000
so I’m thinking do I – it was – I think it was flawed logic and it was just rushed,

01:08:30.000 --> 01:08:34.520
but I do believe that there was a bit of guilt there that I didn’t want to take everything from

01:08:34.520 --> 01:08:41.240
them. So, that’s honestly what I believe. I still don’t know why, because it’s like,

01:08:41.240 --> 01:08:45.640
I should have just – if I had done it again, I probably – I don’t know how it would have gone,

01:08:45.640 --> 01:08:49.760
but it just – logically it doesn’t make sense for me to only take $15 million, but I do believe

01:08:49.760 --> 01:08:54.880
there was a bit of guilt about taking such a large amount, and hence, I left $5 million for them,

01:08:54.880 --> 01:08:59.160
which in retrospect doesn’t make much sense, but I guess I just didn’t want to clean them dry.

01:08:59.160 --> 01:09:04.320
JACK: So, he grabs a total of $15 million worth of this crypto coin and closes it all up and

01:09:04.320 --> 01:09:12.320
shuts down for the night. Whoa, what a lick; $15 million. He’s pumped and amazed. But he

01:09:12.320 --> 01:09:18.280
realizes something; [MUSIC] this is an altcoin. Specifically, it’s an Ethereum-based ERC-20 token.

01:09:18.280 --> 01:09:23.800
Because it’s Ethereum-based, he can exchange it directly for Ethereum. But the more he exchanges,

01:09:23.800 --> 01:09:29.800
the lower the coin will go. That’s because of how liquidity pools work and stuff. So essentially,

01:09:29.800 --> 01:09:34.080
the more he takes out, the more the price goes down. He realizes he’s not gonna be

01:09:34.080 --> 01:09:38.840
able to get anywhere near $15 million if he takes it all out this way. So,

01:09:38.840 --> 01:09:43.420
he comes up with a plan and tries to make a deal with the people he just robbed.

01:09:43.420 --> 01:09:48.680
JOSEPH: That’s correct. I sent them an e-mail saying hey, I obviously control the – like,

01:09:48.680 --> 01:09:53.400
a large portion of your token sales. If I was to sell this off, it’s clearly going to

01:09:53.400 --> 01:09:57.560
cause a lot of damage to your token. You won’t come back from this. Instead of me

01:09:57.560 --> 01:10:01.680
crashing your token and completely ruining your company, there’s an easier alternative;

01:10:01.680 --> 01:10:07.480
you can send me $8 million in Bitcoin to my address and in return, I will return the $14

01:10:07.480 --> 01:10:12.940
million I stole. As a token of good faith, I’ve sent $1 million back to the crowdsale wallet.

01:10:12.940 --> 01:10:19.840
JACK: Huh, interesting proposal. Clearly, the company saw that they had $15 million in their

01:10:19.840 --> 01:10:25.560
coins stolen, and Joseph knew they raised tens of millions of dollars from their ICO. Would they

01:10:25.560 --> 01:10:32.120
want to save their coin or let it crash? Just this week, I saw a news story that a company

01:10:32.120 --> 01:10:38.960
called Rari got hacked and lost $80 million, and they offered a $10 million, no-questions-asked

01:10:38.960 --> 01:10:45.480
reward to whoever returned the money. So, these things do happen, but Crowd Machine never replied

01:10:45.480 --> 01:10:50.600
to Joseph. Instead, they were busy dialing the police. After a day or two of waiting,

01:10:50.600 --> 01:10:56.120
Joseph decided to just start exchanging this coin for Ethereum. Just as he expected, this

01:10:56.120 --> 01:11:02.120
caused the price of the coin to start going down. By the time he exchanged all his coins for Eth,

01:11:02.120 --> 01:11:07.840
what he had in his wallet was just a few hundred thousand dollars, nowhere near the $14 million

01:11:07.840 --> 01:11:12.920
that he started with. Of course, now all the investors are mad that the coin just tanked.

01:11:12.920 --> 01:11:17.120
JOSEPH: So, that was the part I was at, and obviously I was a little bummed out about the

01:11:17.120 --> 01:11:21.320
way it turned out. It could have turned out a lot better. I made some mistakes; I was low on sleep,

01:11:21.320 --> 01:11:26.560
so I wanted to get out of Oklahoma. So, I had my cousin come to pick me up from Oklahoma and the

01:11:26.560 --> 01:11:32.200
person who dropped me off. [MUSIC] He gets there, we chill, and then the next day, we get ready to

01:11:32.200 --> 01:11:37.800
leave. I’m supposed to check out on a Tuesday, but instead I decide I’m – this is just weird,

01:11:37.800 --> 01:11:43.080
I’m getting outta there, so I – so we leave, and actually, I forgot to mention this part,

01:11:43.080 --> 01:11:50.560
but when we were checking out, I talked to the thing, and the – I remember the hotel

01:11:50.560 --> 01:11:54.640
guests who were checking us out were being kind of – acting a bit weird to us. Like,

01:11:54.640 --> 01:11:59.440
they seemed nervous or they knew – seemed like they knew something was up or something.

01:11:59.440 --> 01:12:03.680
I remember getting in my cousin’s car because we were gonna stop by Walmart to get some supplies

01:12:03.680 --> 01:12:07.440
to get rid of this stuff, and I remember seeing the person – as soon as I leave,

01:12:07.440 --> 01:12:14.520
the person at the hotel checkout goes to a van. They literally went to a van. I waved at them;

01:12:14.520 --> 01:12:20.520
they didn’t wave back. So, I thought okay, that’s kinda weird. I get to the Walmart and I

01:12:20.520 --> 01:12:25.640
see a police car parked out. That kinda spooks me a little, but I’m like okay, whatever. So,

01:12:25.640 --> 01:12:30.960
I go through the Walmart, get the supplies, and then my cousin has to fill up his car on gas. So,

01:12:30.960 --> 01:12:35.960
we pull into the gas station. I remember my cousin telling me his last thoughts before

01:12:35.960 --> 01:12:42.080
it all happened was, it’s a beautiful day. But I was sitting in the passenger seat,

01:12:42.080 --> 01:12:46.640
and then an undercover agent points a gun at the car windshield, says get out of the car.

01:12:46.640 --> 01:12:51.720
My initial thoughts are I’m being robbed, so I get out of the car and instead of being robbed,

01:12:51.720 --> 01:12:55.720
I’m now handcuffed and the person shows his badge. He’s part of the Secret Service.

01:12:55.720 --> 01:12:57.360
JACK: What happens to your cousin?

01:12:57.360 --> 01:13:01.280
JOSEPH: So, that’s actually a really tragic part about it. He actually – because he was

01:13:01.280 --> 01:13:05.440
driving me, he actually got booked too, and his mugshot was featured

01:13:05.440 --> 01:13:08.840
on the front page of some articles as well. He was released two days later,

01:13:08.840 --> 01:13:12.440
but I’ve always felt terrible about that. I think it was kinda bad police work and

01:13:12.440 --> 01:13:17.480
media because he wasn’t even there at the time that the hack was taking place. So,

01:13:17.480 --> 01:13:21.680
it was sort of just – unfortunately, he just kinda got – I think he knew kinda what I was up to,

01:13:21.680 --> 01:13:26.120
but it’s just – unfortunately he got kinda flung into the mix. I’ve always felt bad about that.

01:13:26.120 --> 01:13:29.160
JACK: Okay, so they put you in the back of the police car,

01:13:29.160 --> 01:13:33.360
they drive you to the station, they interview you, you answer questions.

01:13:33.360 --> 01:13:39.200
JOSEPH: That’s correct, but I’m not telling them any information. I’m really – I’m trying – in my

01:13:39.200 --> 01:13:42.680
head, I’m trying to beat around the bush to see what they got on me. They’re asking me

01:13:42.680 --> 01:13:48.240
these questions and I’m not giving them the answers. I can tell they’re unhappy,

01:13:48.240 --> 01:13:52.440
then finally they – I just get sick of the interview. I say you know what? I’m

01:13:52.440 --> 01:13:57.320
going to back out here. Honestly, you guys – I’m – whatever. Do whatever. I’m

01:13:57.320 --> 01:14:01.480
not gonna answer any more questions without a lawyer. They kinda look at me and said now,

01:14:01.480 --> 01:14:04.800
is that – are you sure that’s the route you want to take? Because the media’s gonna get

01:14:04.800 --> 01:14:11.680
this soon and you can help us or you can – you might be able to help us or something. I just,

01:14:11.680 --> 01:14:16.320
at the time, I’m like, I’m not – I’m obviously not gonna rat on my friends or anyone that they

01:14:16.320 --> 01:14:21.720
might be interested in, so I just say nope, we’re done here. I go back to an Oklahoma

01:14:21.720 --> 01:14:26.300
jail cell, which I don’t know if you know, but Oklahoma’s kind of notorious for a bad jail.

01:14:26.300 --> 01:14:30.920
JACK: This time, the police questioned him and did not let him go home. They kept him

01:14:30.920 --> 01:14:35.800
in jail for the entire investigation which took months, which is kind of

01:14:35.800 --> 01:14:39.380
surprising to me that they kept him in jail without giving him any kind of verdict.

01:14:39.380 --> 01:14:45.440
JOSEPH: Keep in mind, I was one of the first that was arrested. There was Joel followed by Ricky;

01:14:45.440 --> 01:14:49.640
both two I knew, and then Xavier, who I wasn’t really aware of but – too much. I knew him,

01:14:49.640 --> 01:14:56.640
but not personally. Essentially, what happened is I was sent to jail. Our appeal happens,

01:14:56.640 --> 01:15:01.960
the bail’s set at $14 million. My lawyer’s initial reaction is we need to get this bail

01:15:01.960 --> 01:15:07.920
lowered because we need to get him out on bail. That was strenuous. I was in jail from September

01:15:07.920 --> 01:15:14.040
to December before my bail hearing was finally here. The judge does lower it to $1 million,

01:15:14.040 --> 01:15:17.960
but at the time, they don’t have everything set. They don’t know what to do with us yet.

01:15:17.960 --> 01:15:23.800
They don’t know what sentences they’re giving out. Essentially, the judge said – the DA said

01:15:23.800 --> 01:15:27.680
that I was – essentially said the story that I was one of the – probably one of the best

01:15:27.680 --> 01:15:35.040
hackers in America and that if I got released, that I would basically be free to do whatever.

01:15:35.040 --> 01:15:40.160
They could strike computer [inaudible], but that wouldn’t really stop me. So,

01:15:40.160 --> 01:15:43.880
they were explaining this story that if I got out, even if they banned me from the

01:15:43.880 --> 01:15:47.560
internet while I was facing trial, I’d still be able to find a way to access the internet

01:15:47.560 --> 01:15:51.560
and could – and I believe the word they used was I was a threat to the state of California.

01:15:51.560 --> 01:15:55.240
JACK: California because that’s where the victim was. When Crowd Machine was robbed,

01:15:55.240 --> 01:15:59.320
they quickly called the police who investigated, and that led them to Oklahoma,

01:15:59.320 --> 01:16:04.880
and Crowd Machine is based in California. So, the prosecutors of this case were all in California,

01:16:04.880 --> 01:16:09.480
and they put him on a plane and fly him over to California to be tried. Strangely enough,

01:16:09.480 --> 01:16:14.800
the jail that he went to in California was where Joel Ortiz was being kept, [MUSIC] the

01:16:14.800 --> 01:16:19.200
first person ever to be arrested for SIM-swapping, and Joseph knew this guy.

01:16:19.200 --> 01:16:24.520
JOSEPH: Yeah, we were both locked – at this time, they were putting us – this is a state charge,

01:16:24.520 --> 01:16:28.120
which I’m very grateful it was a state charge, because if it was a federal charge,

01:16:28.120 --> 01:16:34.320
I probably would have had much more time and I wouldn’t have got that half-time. But we were

01:16:34.320 --> 01:16:42.000
all – we all basically committed crimes to people in San Jose. There was a special task

01:16:42.000 --> 01:16:48.520
force called REACT who investigates SIM crimes and kinda pioneered the whole arresting stuff.

01:16:48.520 --> 01:16:52.640
They were the ones that made the first initial SIM crime request. They’re pretty smart with what they

01:16:52.640 --> 01:16:59.000
do with that stuff, and they were able to get us. So, Joel was arrested by REACT. Ricky was

01:16:59.000 --> 01:17:06.920
a state charge in Florida, Xavier was arrested by REACT, and then I was arrested by REACT. Me,

01:17:06.920 --> 01:17:15.280
Joel, and Xavier were all sent to Elmwood which is basically the San Jose facility for corrections,

01:17:15.280 --> 01:17:20.280
which is – it’s not a prison; it’s a jail. So, we were – basically, they were – any charge,

01:17:20.280 --> 01:17:25.080
then Cali. We were all getting sent to Elmwood. So, Joel was in the pod next to me. I was in the

01:17:25.080 --> 01:17:29.600
dorm environment, so we talked behind the – there was a courtyard that connected the two dorms and

01:17:29.600 --> 01:17:36.480
you could talk through the door, so – in prison they called – or jail they called Joel Bitcoin,

01:17:36.480 --> 01:17:41.320
so on my way to court one day, I heard them saying Bitcoin. I’m like, is his name Joel? I’m like,

01:17:41.320 --> 01:17:44.960
yeah. He’s like, he’s in that pod there. So, I had one of them basically get him

01:17:44.960 --> 01:17:48.140
to come to the door and then we had a brief little conversation there.

01:17:48.140 --> 01:17:50.620
JACK: Do you remember how they caught you?

01:17:50.620 --> 01:17:54.320
JOSEPH: I know exactly how they caught me. Remember that bug I

01:17:54.320 --> 01:17:58.280
told you on how I was able to reset Gmails with two-step?

01:17:58.280 --> 01:17:59.340
JACK: Yeah.

01:17:59.340 --> 01:18:07.560
JOSEPH: So, when I was doing it with the web debugger, I must have let my – the hotel’s IP

01:18:07.560 --> 01:18:14.320
connect to the phone briefly, the Android device I was using. So, the hotel IP, when pointing out

01:18:14.320 --> 01:18:18.760
the bug, they were able to pull that off. Very terrible mistake; I have VPNs everywhere else,

01:18:18.760 --> 01:18:24.200
but I’m pretty – they said that’s how they got me, the IP address. So, I think for a brief moment,

01:18:24.200 --> 01:18:31.760
that hotel IP registered to that phone, and then they subpoenaed the hotel and I think

01:18:31.760 --> 01:18:35.880
my name was – I don’t know how. Obviously a few of my friends have got arrested, so maybe they

01:18:35.880 --> 01:18:42.560
mentioned Doc is Joseph Harris. Essentially, I’m pretty sure – I mean, if Joseph Harris is someone

01:18:42.560 --> 01:18:49.400
who they think may be involved with crypto crimes is staying at a hotel where $14 million happened,

01:18:49.400 --> 01:18:53.760
wow, that’s odd. Oh, and also, we got Walmart surveillance footage of him buying the phone.

01:18:53.760 --> 01:18:58.920
We don’t have his name because he paid with cash, but we know he went to Walmart and bought a phone,

01:18:58.920 --> 01:19:04.120
and we also know someone at this hotel where Joseph Harris is staying performed this hack. So,

01:19:04.120 --> 01:19:08.440
it was those two pieces of evidence. Also if you remember, I said I was going to destroy

01:19:08.440 --> 01:19:14.240
all that technology, including the phone I used to hold the SIM-swap. That was on me, of course,

01:19:14.240 --> 01:19:19.720
in the car while we were – we were literally – if it had been thirty minutes earlier or thirty

01:19:19.720 --> 01:19:24.240
minutes later, I’m – that technology would have been gone, completely destroyed. So,

01:19:24.240 --> 01:19:28.360
it was honestly – and that case might have not had as much hold if they hadn’t found

01:19:28.360 --> 01:19:32.800
the device used to perpetrate the hacks. So, they basically caught me red-handed.

01:19:32.800 --> 01:19:35.660
JACK: What did jail teach you? What did you learn there?

01:19:35.660 --> 01:19:40.840
JOSEPH: Well, first of all, it was just – it’s sort of a reality check, you know? We take so

01:19:40.840 --> 01:19:46.160
much for granted; walking to Dollar General, getting snacks, going to the movies, hanging

01:19:46.160 --> 01:19:51.840
out with friends. Your freedom’s gone. Jail, in some ways, is worse than prison because jail,

01:19:51.840 --> 01:19:57.120
you’re in this waiting period. I mean, there’s more dangerous people in prison, but jail,

01:19:57.120 --> 01:20:04.280
there’s not much to do at all. In prison, you can get stuff like iPads and certain things,

01:20:04.280 --> 01:20:08.720
walkmans to pass the day. You can go to church and do certain things, activities,

01:20:08.720 --> 01:20:13.400
and the jail cell I was in, there was barely nothing to do. The only thing I could do was – I

01:20:13.400 --> 01:20:19.760
worked out a bit and I read books. But it’s just such a reality check. Your freedom’s gone.

01:20:19.760 --> 01:20:25.780
So, the biggest thing I learned about this; if I keep on with this, my freedom’s gone.

01:20:25.780 --> 01:20:30.320
JACK: The prosecutors looked through all his devices; his computer, his phone. They

01:20:30.320 --> 01:20:34.000
even read through the text messages that he had with his girlfriend at the time,

01:20:34.000 --> 01:20:38.240
and they were surprised to see that a majority of what he stole was still in his possession,

01:20:38.240 --> 01:20:43.920
since he wasn’t spending it wildly. Crowd Machine had some strange messaging to its investors,

01:20:43.920 --> 01:20:50.200
not being completely honest with what was going on. Joseph went to court and

01:20:50.200 --> 01:20:55.620
in the end, he was found guilty and was sentenced to sixteen months in prison.

01:20:55.620 --> 01:21:00.120
JOSEPH: The fact that I was willing to give up all my money, the fact that I wasn’t this

01:21:00.120 --> 01:21:04.960
person that was going out partying, the fact that I was someone who apparently

01:21:04.960 --> 01:21:11.680
the DA said was not – didn’t seem like an awful person, was sweet to my girlfriend at the time,

01:21:11.680 --> 01:21:16.600
and then also the fact that the Crowd Machine people weren’t being completely honest with

01:21:16.600 --> 01:21:21.160
the prosecutor, I think all these three things factored into me getting a very light sentence,

01:21:21.160 --> 01:21:25.920
which compared to some of these guys, sixteen months is very light and I’ve always been grateful

01:21:25.920 --> 01:21:30.960
for that. So, it’s always been sort of a nah, you got a second chance. You got lucky in this

01:21:30.960 --> 01:21:35.920
situation. If that ever happens again, you’re not gonna be getting lucky, so – and of course,

01:21:35.920 --> 01:21:39.880
there’s the moral side of that. Some of your morals start to come back when you can look in

01:21:39.880 --> 01:21:44.320
your face, look what you did, look at the people you’re hurting. So, I think all that – yeah,

01:21:44.320 --> 01:21:48.440
I definitely learned a lot of lessons. Since then, I haven’t committed any more crimes. I’ve had no

01:21:48.440 --> 01:21:55.466
run-ins with the law and I’ve obviously – I still do hacking, but in an ethical side of things.

01:21:55.466 --> 01:21:58.520
JACK: [MUSIC] Since getting out of prison, Joseph has been looking for vulnerabilities

01:21:58.520 --> 01:22:03.280
on websites and reporting them. He found a big one on Xbox Live and another big vulnerability

01:22:03.280 --> 01:22:07.400
with Microsoft and a Google bug that would have made him a lot of money if he was still breaking

01:22:07.400 --> 01:22:11.760
into e-mail addresses. But he doesn’t want to break the law anymore, so when he finds these

01:22:11.760 --> 01:22:16.600
vulnerabilities, he reports them ethically and responsibly through a bug bounty program,

01:22:16.600 --> 01:22:20.880
and these companies appreciate that he’s reporting these vulnerabilities to them and actually paying

01:22:20.880 --> 01:22:26.120
him for it, which is what he’s doing mainly now to get by. But something I was thinking

01:22:26.120 --> 01:22:31.800
about was what if he stashed away some of that crypto before going to jail? It’s gone up so much

01:22:31.800 --> 01:22:37.560
since he was arrested and he could have come out mega-rich. But his lawyer convinced him

01:22:37.560 --> 01:22:42.000
it’s way better to turn over everything, since he’d get a shorter sentence for cooperating.

01:22:42.000 --> 01:22:45.920
JOSEPH: I mean, I could have played it differently. I could have gone to jail,

01:22:45.920 --> 01:22:53.480
maybe done five, ten years, and came out. I would have been – say I got five years or something,

01:22:53.480 --> 01:22:58.480
half-time, do two years, six months, I could have been out by now and been

01:22:58.480 --> 01:23:03.280
a crypto-millionaire still. So yeah, that very much was a possibility for me. It just

01:23:03.280 --> 01:23:07.400
wasn’t a route I wanted to personally take. I’d rather get out in my eight months’ time,

01:23:07.400 --> 01:23:12.280
sixteen months with half, and just move that all behind, because what I learned is my freedom’s

01:23:12.280 --> 01:23:19.120
more important than millions of dollars in crypto. At least, for me that’s how it is.

01:23:19.120 --> 01:23:24.320
JACK: There’s some lessons learned for me from listening to this. First,

01:23:24.320 --> 01:23:30.200
this REACT task force only took three days to find and arrest Joseph after Crowd Machine called them,

01:23:30.200 --> 01:23:33.760
and that is some pretty quick moving. It sounds like they know how to investigate

01:23:33.760 --> 01:23:38.840
these cases and are getting better at capturing cyber criminals who steal crypto assets. So,

01:23:38.840 --> 01:23:42.560
if you’re a victim of one of these kinds of cyber-heists, see if there’s a REACT

01:23:42.560 --> 01:23:46.960
task force in your state and reach out to them. They’ve got the ability to work with

01:23:46.960 --> 01:23:51.320
tech companies to gather clues that could lead to catching the person. [MUSIC] Next,

01:23:51.320 --> 01:23:56.640
it sounds like if you have any crypto assets or digital assets of value, do not store them on the

01:23:56.640 --> 01:24:01.680
Cloud. For a long time, we used to say don’t keep your crypto at an exchange in case that exchange

01:24:01.680 --> 01:24:06.560
goes down or leaves town. If you don’t have your private keys, then it’s not your crypto. So,

01:24:06.560 --> 01:24:10.960
it’s already not recommended to leave stuff on the exchange, but now I want to take it a step

01:24:10.960 --> 01:24:16.160
further and say don’t store any private keys or seed phrases digitally or in the Cloud.

01:24:16.160 --> 01:24:20.400
If you took a picture of your private key, that picture might be in your Cloud storage

01:24:20.400 --> 01:24:25.440
and if someone got in there and looked at it, game over; you just lost it all. If you’re storing seed

01:24:25.440 --> 01:24:29.800
phrases in a text file or even in a password vault, that’s also something these digital

01:24:29.800 --> 01:24:35.360
robbers are laser-focused on and will go through every one of your files looking for that. So,

01:24:35.360 --> 01:24:40.000
the recommended thing to do is put your seed phrase in some fire-resistant device

01:24:40.000 --> 01:24:45.120
or container and store it in a safe. Also, we should be more protective of our social media

01:24:45.120 --> 01:24:49.920
accounts. There’s a big industry of people trying to steal these and sell them. So, make sure you’re

01:24:49.920 --> 01:24:54.800
enabling two-factor authentication to protect these and don’t make the second factor a text

01:24:54.800 --> 01:25:00.080
message. Make it a Google Authenticator or some hardware token like a YubiKey, and secure your

01:25:00.080 --> 01:25:03.960
e-mail and all important accounts like this. You’ve really got to fortify your digital life,

01:25:03.960 --> 01:25:08.320
and e-mail should be your priority. You don’t want anybody getting in there and rummaging through

01:25:08.320 --> 01:25:14.000
your private stuff. Above all, don’t click on any links that seem too good to be true, because

01:25:14.000 --> 01:25:19.200
people are trying to phish you all the time, and they want to steal whatever digital assets

01:25:19.200 --> 01:25:32.217
you have that are of value. So, be super cautious about all links that people send you. Good luck.

01:25:32.217 --> 01:25:35.760
(OUTRO): [OUTRO MUSIC] A big thank you to Joseph Harris for sharing this story with us. Joseph is

01:25:35.760 --> 01:25:39.680
the fourth person ever to be arrested for SIM-swapping, and it’s wild to be watching

01:25:39.680 --> 01:25:44.160
how modern crimes are springing up and being introduced into the world. If you want to hear

01:25:44.160 --> 01:25:50.240
more about SIM-swapping and other digital heists, check out Episode 112 called Dirty Coms. If you

01:25:50.240 --> 01:25:54.560
like this show, if it brings value to you, consider donating to it through Patreon. By

01:25:54.560 --> 01:25:58.760
directly supporting this show, it helps keep ads at a minimum and it tells me you want more of it,

01:25:58.760 --> 01:26:05.040
so please visit patreon.com/darknetdiaries and consider supporting the show. Thank you. This

01:26:05.040 --> 01:26:09.960
show is made by me, the plug, Jack Rhysider. Sound design by the ringer, Andrew Meriwether,

01:26:09.960 --> 01:26:15.120
and editing help this episode by the holder, Damienne. Our theme music is by the 120 volt,

01:26:15.120 --> 01:26:28.200
Breakmaster Cylinder. I think I lost an electron. Yep, I’m positive. This is Darknet Diaries.
