WEBVTT 00:00:00.160 --> 00:00:04.800 JACK: I want to make sure I pronounce your name right, so can you say your name for me? 00:00:04.800 --> 00:00:06.960 HIEU: My name is Hieu Minh Ngo. 00:00:06.960 --> 00:00:11.026 JACK: Hieu was born in Vietnam. 00:00:11.026 --> 00:00:18.400 HIEU: [Music] I’m grown up in a small town in Vietnam. It’s called Cam Ranh. I was — started 00:00:18.400 --> 00:00:27.840 to be a hacker when I was very young, maybe around fourteen, fifteen years old. Then, 00:00:27.840 --> 00:00:37.360 kind out of curiosity, you see? You know, wondering about how the internet — working. 00:00:37.360 --> 00:00:44.480 Back then, the internet was very expensive and super slow. That’s one of the reasons 00:00:44.480 --> 00:00:56.240 that I started to hack and steal a few internet dial-up accounts to be able to use it. Without 00:00:56.240 --> 00:01:04.760 pay anything. That’s kinda the — my first time I got into trouble, when I was fifteen years old. 00:01:04.760 --> 00:01:10.320 JACK: This was around 2004, a time when 56k modems were the most popular way to get online. 00:01:10.320 --> 00:01:14.480 The way it worked is you dialed a phone number and connected to the ISP that way, 00:01:14.480 --> 00:01:18.320 and they would connect you to the internet. But the ISP would charge you by the minute 00:01:18.320 --> 00:01:21.600 to go online. Can you imagine that, being charged for every minute you're 00:01:21.600 --> 00:01:25.200 on the internet? That’s how it worked back then. Hieu couldn't afford that, 00:01:25.200 --> 00:01:29.520 so he figured out a way to use someone else’s account, basically stealing someone else’s 00:01:29.520 --> 00:01:35.760 ISP connection to get online, and that meant other people were paying for him to get online. 00:01:35.760 --> 00:01:44.560 HIEU: Just a few months using these stolen internet dial-up accounts, I got kinda a 00:01:44.560 --> 00:01:51.760 paperwork sent to my house. My parents, they got very surprised, and then they told me, 00:01:51.760 --> 00:02:01.040 what’s that about? Then I told them it’s related to some stolen internet accounts. 00:02:01.040 --> 00:02:08.080 JACK: The paperwork said that Hieu did $5,000 in damage, and his father had to pay the fees. 00:02:08.080 --> 00:02:13.200 That’s a lot of money. His father was pretty mad and sent him away to go live with his uncle in 00:02:13.200 --> 00:02:19.680 Ho Chi Minh City. Little did everyone know, it was going to be there in Ho Chi Minh City where 00:02:19.680 --> 00:02:27.360 he was going to build a darknet service and was going to make a fortune doing it. 00:02:27.360 --> 00:02:32.080 (INTRO): [INTRO MUSIC] These are true stories from the dark side of 00:02:32.080 --> 00:02:54.234 the internet. I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS] 00:02:54.234 --> 00:03:01.520 JACK: His dad recognized that Hieu was really into computers, and Ho Chi Minh City is a big 00:03:01.520 --> 00:03:06.640 city that has better schools to learn computers. So, Hieu got enrolled in classes and started 00:03:06.640 --> 00:03:09.600 studying. His parents would check in with him to make sure he was doing his schoolwork. 00:03:09.600 --> 00:03:15.120 HIEU: I was learning a lot. I was learning about web programming. I 00:03:15.120 --> 00:03:18.640 built my first website, hieupc.com; I remember. 00:03:18.640 --> 00:03:21.120 JACK: He was learning about operating systems, networking, 00:03:21.120 --> 00:03:26.466 and cybersecurity all at high school. He really loved computers and was hooked on learning more. 00:03:26.466 --> 00:03:33.360 HIEU: [Music] I went to the internet cafe to use the internet because the internet at my house 00:03:33.360 --> 00:03:41.760 is very slow. So, I went to the internet cafe and I — the moment I — been there, 00:03:41.760 --> 00:03:51.360 I passed to one of the computer screens and I saw that computer screen — kinda very dark, 00:03:51.360 --> 00:03:59.280 some kind of dark background and the font size is very weird and also the color of 00:03:59.280 --> 00:04:05.760 the text is also — it looked cool, like green color and stuff like that. I asked the guy, 00:04:05.760 --> 00:04:15.720 what’s this forum about? Then he told me it’s about the dark web in Vietnam. 00:04:15.720 --> 00:04:23.840 JACK: Ooh, Vietnam’s dark web? That sounds interesting. Are you ready to go there? 00:04:23.840 --> 00:04:28.800 Hieu was fascinated by it. He learned how to access it, where to go. For him, 00:04:28.800 --> 00:04:34.560 it was like finding a whole hidden place online filled with really fascinating stuff; 00:04:34.560 --> 00:04:40.720 hacker forums, forbidden item marketplaces. It really emphasized the power of the internet. This 00:04:40.720 --> 00:04:46.720 was all unregulated. The government, the police, they can't stop what goes on on the dark web, 00:04:46.720 --> 00:04:52.120 and that really fascinated him. There’s this whole section of the internet where anything goes? 00:04:52.120 --> 00:04:59.680 HIEU: They're talking about hacking, they're talking about sharing sensitive information, 00:04:59.680 --> 00:05:03.680 and also bank accounts and also some hacking 00:05:03.680 --> 00:05:09.000 techniques too — and it got me wondering how it did that. 00:05:09.000 --> 00:05:15.200 JACK: Yeah, but so, I think maybe a normal person would look at that and say, wow, 00:05:15.200 --> 00:05:18.062 there’s stolen stuff here, there’s illegal things here. 00:05:18.062 --> 00:05:18.074 HIEU: Right. 00:05:18.074 --> 00:05:21.560 JACK: Maybe this isn't for me. Maybe I should go back to the clear web. 00:05:21.560 --> 00:05:22.680 HIEU: Right, true. 00:05:22.680 --> 00:05:23.280 JACK: What? 00:05:23.280 --> 00:05:30.960 HIEU: You know why? Because back then, right, underground forums — very fun, though. They’re 00:05:30.960 --> 00:05:39.200 always sharing, and they don’t mind about money. Sometimes they hack something; they just post it 00:05:39.200 --> 00:05:46.080 for free for everybody, not really into business or trading or dealing anything. They just like 00:05:46.080 --> 00:05:54.240 sharing techniques, you know? But, you know, when I got into that, I say, man, it’s something that 00:05:54.240 --> 00:06:02.880 I’d — really wondering. I watched on the — movie and TV about hackers. Very cool. That’s why I 00:06:02.880 --> 00:06:11.320 say I want to learn that. I want to be a member in that — hacking forums, underground hacking forums. 00:06:11.320 --> 00:06:16.880 JACK: So, this became his obsession, how to hack. What are the techniques? He would learn 00:06:16.880 --> 00:06:21.440 about a vulnerability and then use Google search queries to find websites that were vulnerable, 00:06:21.440 --> 00:06:26.560 and it was like the whole internet opened up to him in new ways. He was finding that thousands of 00:06:26.560 --> 00:06:32.560 websites are vulnerable to a variety of different attacks, and he was just getting into one after 00:06:32.560 --> 00:06:38.000 another with simple techniques like default passwords and SQL injection. But the extent of the 00:06:38.000 --> 00:06:42.800 damage he was doing was — he just hacked into the site and put something on the website that said, 00:06:42.800 --> 00:06:48.080 ‘Pwned by Hieu.pc’, which is the name he was using at the time, and also the name of the website that 00:06:48.080 --> 00:06:52.880 he made as a teenager. But the whole time, he was just curious, not using his access to make any 00:06:52.880 --> 00:06:58.080 money or stealing anything. He just liked learning and liked the excitement you get from getting into 00:06:58.080 --> 00:07:02.640 places that you're not supposed to be in. It made him feel clever and smart and powerful, 00:07:02.640 --> 00:07:06.360 and he was teaching others how to do it. After all, he was still in high school. 00:07:06.360 --> 00:07:13.360 HIEU: I shared lots of hacking techniques and then also social engineering techniques. 00:07:13.360 --> 00:07:22.000 But the thing — the more I shared, the more the people — they know about me on these underground 00:07:22.000 --> 00:07:31.600 hacking forums, and eventually they voted me as an administrator in one of these forums very popular 00:07:31.600 --> 00:07:46.720 in Vietnam. After that I joined a few forums in Russia and even in Eastern Europe as well, 00:07:46.720 --> 00:07:55.280 too. So, I keep learning, but the thing — when rarely making money, you know? Before that, 00:07:55.280 --> 00:07:58.640 it’s just sharing for free, sharing the knowledge, sharing the techniques. 00:07:58.640 --> 00:08:02.320 JACK: [Music] From posting on the forums and being an administrator to one of them, 00:08:02.320 --> 00:08:07.680 he started becoming more known. So, he met a guy, one of the forum users, and this guy’s like, hey, 00:08:07.680 --> 00:08:13.600 listen up, Hieu. Your ability to hack into websites is actually worth a lot of money. 00:08:13.600 --> 00:08:17.440 Do you want to team up? Do you want to hack places and give me what you find and then 00:08:17.440 --> 00:08:22.400 I’ll pay you for it? The guy explained how together they could make all this money, 00:08:22.400 --> 00:08:25.760 and Hieu didn’t have much money at the time and was interested. 00:08:25.760 --> 00:08:32.800 HIEU: You know, when talking about money, when I was very young, I said, man — I saw 00:08:32.800 --> 00:08:43.040 the people making lots of money, too, by using stolen identity and credit cards. You know, 00:08:43.040 --> 00:08:52.240 to make some money and be able to buy some stuff, it’s very cool, right, like some technology stuff 00:08:52.240 --> 00:09:01.680 or some new devices, something cool for myself without asking my parents. So, that’s why I said, 00:09:01.680 --> 00:09:12.560 yeah, okay, let’s — so, let’s do it. Then the guy, he moved to my apartment, living with me, 00:09:12.560 --> 00:09:24.226 and then I — during the nighttime, after school, I started to hack lots of e-commerce websites. 00:09:24.226 --> 00:09:29.200 JACK: [Music] E-commerce sites, like places you go to buy things online like clothes or computers, 00:09:29.200 --> 00:09:35.680 kitchen items, travel tickets, a lot of these sites back then ran on WordPress or PHP or 00:09:35.680 --> 00:09:40.000 ASP and didn’t have the best security, and it’s kind of like a numbers game, 00:09:40.000 --> 00:09:45.760 right? If there are a million e-commerce websites on the internet and one percent of them has poor 00:09:45.760 --> 00:09:50.400 security, that’s ten thousand websites that are just sitting there vulnerable, 00:09:50.400 --> 00:09:55.760 way more than enough for someone like Hieu to go through. So, the idea was to get into these 00:09:55.760 --> 00:10:00.720 sites and plant a listener that would capture when someone would enter their credit card to 00:10:00.720 --> 00:10:05.040 buy something on there, and then Hieu would give those credit card details to this guy 00:10:05.040 --> 00:10:09.840 he’s teamed up with. The guy will somehow convert the cash for both of them. Hieu 00:10:09.840 --> 00:10:14.800 was seventeen at the time, a senior in high school. So, after school and on the weekends, 00:10:14.800 --> 00:10:20.960 Hieu and this guy would get busy scouring the internet for a vulnerable site to hit. 00:10:20.960 --> 00:10:30.240 HIEU: Back then, lots of websites, right, they used the language called PHP or ASP. 00:10:30.240 --> 00:10:38.000 It’s — contained lots of vulnerabilities. Then I searched on Google with those keywords, 00:10:38.000 --> 00:10:46.960 some of the Google dork that — to be able to find out for me all the lists of the websites. 00:10:46.960 --> 00:10:54.720 I put on a customize tool that I programmed, and then I just — clicked scanning, and it just 00:10:54.720 --> 00:11:03.760 kinda automated scanning for the vulnerabilities. Then it would give me the list of the vulnerable 00:11:03.760 --> 00:11:12.705 websites, and then I would explore that to be able to obtain the credit card information. And… 00:11:12.705 --> 00:11:15.736 JACK: Okay, so what was the first site that you made money from? 00:11:15.736 --> 00:11:22.720 HIEU: The first website is — I remember it’s located in the UK, 00:11:22.720 --> 00:11:28.480 right? That website is still very popular nowadays in the UK, but I don't want to mention that. 00:11:28.480 --> 00:11:32.280 JACK: That’s funny. Yeah, what kind of site is it? Is it banking? Is it a…? 00:11:32.280 --> 00:11:38.160 HIEU: No, this website is a e-commerce website selling electronics stuff, 00:11:38.160 --> 00:11:43.120 and that website, it got a SQL injection vulnerability. 00:11:43.120 --> 00:11:46.880 JACK: So you found a website through Google dorking in your scans… 00:11:46.880 --> 00:11:47.440 HIEU: Right. 00:11:47.440 --> 00:11:50.320 JACK: …you tested it for SQL injection; it worked, 00:11:50.320 --> 00:11:54.560 and what is that feeling like to get into a website using SQL injection? 00:11:54.560 --> 00:12:03.760 HIEU: It’s like a gold mine. I said, wow, this is so many credit card information. Like, that day; 00:12:03.760 --> 00:12:12.000 man, so excited, though. The feeling is kinda like you control something. You have a power. You feel 00:12:12.000 --> 00:12:20.720 like you’ll be able to break into anything if you have time and you have the resources. You 00:12:20.720 --> 00:12:32.240 feel like you’re on top of the world. You can be able to get anything. I feel so excited. Like, 00:12:32.240 --> 00:12:42.960 it’s hard to say, to explain that, but — feel like, so happy, intently so happy, though. 00:12:42.960 --> 00:12:46.080 JACK: Do you give each other a high five or do you…? 00:12:46.080 --> 00:12:51.760 HIEU: Right. Me and him would give a high five and hug, and I say, yeah, we did it, 00:12:51.760 --> 00:13:01.360 we got it. I think we’d be able to make lots of money from this not just selling the information 00:13:01.360 --> 00:13:10.720 but also using that. He’s so excited and we was laughing the whole night, I remember. We was 00:13:10.720 --> 00:13:19.600 very young. Back then he was eighteen and I was seventeen. He’s saying, yes, let’s do it this way. 00:13:19.600 --> 00:13:28.080 We use all the credit card information, right? Every day we was getting slowly around fifty to 00:13:28.080 --> 00:13:36.800 a hundred credit cards from that website alone. [Music] We was playing on the poker website. 00:13:36.800 --> 00:13:42.640 JACK: Of course they took the stolen credit cards to a gambling website. I should have guessed! No, 00:13:42.640 --> 00:13:46.480 they weren't actually gambling with it. What they were using this poker website 00:13:46.480 --> 00:13:52.720 for was to launder the money. See, back in the late 2000s, online poker casinos didn’t always 00:13:52.720 --> 00:13:58.400 have the most strict security and verification controls. They were happy to take anyone’s money 00:13:58.400 --> 00:14:02.800 whether it was stolen or not. So, he created an account at the casino, loaded it up with 00:14:02.800 --> 00:14:07.600 as much stolen money as he could, and he might make three or four of those kind of accounts, 00:14:07.600 --> 00:14:12.640 and then he would have all those accounts join a poker table where his buddy was in and just try 00:14:12.640 --> 00:14:17.440 to lose as many hands as possible as he could to his buddy. Then his buddy would get all the 00:14:17.440 --> 00:14:22.720 chips and cash them out at the local bank. This technique is called chip dumping. Now, 00:14:22.720 --> 00:14:26.320 the casino was aware of these sort of things and would try to spot people doing this, 00:14:26.320 --> 00:14:30.880 so he had to do things to avoid the fraud detection, and his tricks were working. 00:14:30.880 --> 00:14:38.960 HIEU: We was — be able to — making a day like, $1,000, $1,000 USD a day. Then we 00:14:38.960 --> 00:14:47.440 split the money fifty-fifty. I spend on — I used that money to spend on stupid stuff; 00:14:47.440 --> 00:14:54.760 vacation and also taking us out and — easy money, easy go, technically. 00:14:54.760 --> 00:14:59.520 JACK: Can you imagine that setup? A hacked website is supplying them with a constant 00:14:59.520 --> 00:15:04.640 stream of eighty new credit cards a day. They’d take those cards, deposit the money into a casino, 00:15:04.640 --> 00:15:10.560 move the chips to another player, cash it out, and then go spend that money on something fun. Like, 00:15:10.560 --> 00:15:14.560 where do you even focus here? Do you want to get more credit cards or cash out more 00:15:14.560 --> 00:15:18.960 at the casino or just enjoy a good time with all the money you have? For them, it was all 00:15:18.960 --> 00:15:22.880 of that. They wanted more cards, and then they’d be busy trying to drain them all as fast as they 00:15:22.880 --> 00:15:28.240 could to launder the money. But as Hieu found more and more sites vulnerable to his attacks, 00:15:28.240 --> 00:15:34.400 he was sometimes stumbling upon whole databases of customer credit card details. Websites shouldn't 00:15:34.400 --> 00:15:38.640 be storing their customer credit card details like that, and this was even a surprise to 00:15:38.640 --> 00:15:44.160 him. But this meant sometimes he could find thousands of credit cards in a single day. 00:15:44.160 --> 00:15:51.280 HIEU: Eventually I went back on the underground hacking forums and sell the information. Visa 00:15:51.280 --> 00:16:01.840 and Mastercard I’d sell for like fifty cents for one information. American Express and Discover, 00:16:01.840 --> 00:16:08.280 Discover card, I’d sell for — from one dollar to three dollars, you know, different… 00:16:08.280 --> 00:16:09.520 JACK: That sounds so cheap. 00:16:09.520 --> 00:16:09.584 HIEU: Right, very cheap. 00:16:09.584 --> 00:16:15.600 JACK: So, you're telling me the full credit card information was — you were selling that, 00:16:15.600 --> 00:16:18.400 and the people could take that credit card and buy 00:16:18.400 --> 00:16:20.720 something for a few hundred dollars with that, right? 00:16:20.720 --> 00:16:27.280 HIEU: Right. That’s true. They can go on eBay and buy, or either they — back then, 00:16:27.280 --> 00:16:31.360 very easy, though. You can just use these stolen accounts, stolen bank accounts or 00:16:31.360 --> 00:16:37.600 stolen credit card information. You deposit it into PayPal and then you withdraw. It’s 00:16:37.600 --> 00:16:47.360 so easy. You’d just take a few days, a few weeks to be able to get the real money out. 00:16:47.360 --> 00:16:49.680 JACK: I’m surprised you were selling it so cheap, though. 00:16:49.680 --> 00:16:53.840 HIEU: Very cheap though, because — so many, so much information. 00:16:53.840 --> 00:16:59.440 JACK: That’s crazy cheap. Usually cards are like, I don't know, ten to fifty dollars per card, 00:16:59.440 --> 00:17:03.520 because theoretically each card should be worth a few hundred dollars before fraud detection 00:17:03.520 --> 00:17:08.480 kicks in to make the card invalid. Rarely I’ll see them for five dollars or less, but fifty 00:17:08.480 --> 00:17:14.320 cents a card? Wow. That’s what Hieu was selling them for because he just had so many, because 00:17:14.320 --> 00:17:18.960 he just kept finding more and more e-commerce sites that were vulnerable to SQL injection, 00:17:18.960 --> 00:17:24.080 which means the websites’ form field wasn’t as secure as it should be, right? So, he can go 00:17:24.080 --> 00:17:30.480 and type something onto a form field in a website, and that triggers the vulnerability, and suddenly 00:17:30.480 --> 00:17:36.000 he can see whatever’s in the database, like an admin’s password hash. Then he could crack that 00:17:36.000 --> 00:17:41.120 password hash and log into the site as the admin. Sometimes that alone would give him credit card 00:17:41.120 --> 00:17:46.160 details to the site, because some sites did not treat their customer credit card data properly. 00:17:46.160 --> 00:17:53.440 HIEU: They show everything on the admin panel. Like, you just clicked on the customer 00:17:53.440 --> 00:17:57.760 option, right; it’d show you the list of customers, and when you clicked on 00:17:57.760 --> 00:18:01.400 the credit card information, it’d pop out credit card information. 00:18:01.400 --> 00:18:06.560 JACK: I mean, when I hear that, I immediately think that’s a PCI violation. PCI is Payment Card 00:18:06.560 --> 00:18:10.640 Industry, and for you to be able to accept credit cards for your business, the credit 00:18:10.640 --> 00:18:16.000 card company has to verify that you're properly storing customer credit card data. If you aren't, 00:18:16.000 --> 00:18:20.960 then you will lose the ability to process transactions and can be fined quite severely. So, 00:18:20.960 --> 00:18:25.840 Hieu kept focusing on finding more and more sites to hack into and take all the customer 00:18:25.840 --> 00:18:29.840 credit cards that the site would store in their database. He spent years doing this, 00:18:29.840 --> 00:18:36.066 mostly selling the cards in bulk on the dark web. He was finding and selling tons of credit cards. 00:18:36.066 --> 00:18:42.280 HIEU: [Music] More than a hundred thousand credit card information. 00:18:42.280 --> 00:18:49.680 JACK: He gets done with high school and decides he’s had enough of this. His pockets were 00:18:49.680 --> 00:18:54.560 overflowing with cash and he knew what he was doing was wrong, so he decided to leave town. 00:18:54.560 --> 00:19:01.520 HIEU: Then I saved up some money because I know this couldn't last long. We was 00:19:01.520 --> 00:19:07.360 making like more than a year, and it’s kinda getting harder because they know the tricks, 00:19:07.360 --> 00:19:12.240 right? They fixed the vulnerabilities. So, 00:19:12.240 --> 00:19:18.480 getting harder. I saved up some money; I paid for the school fee in New Zealand. 00:19:18.480 --> 00:19:22.960 JACK: His sister was living in New Zealand, so he decided to go see her and go to school there. 00:19:22.960 --> 00:19:26.400 He knew that what he was doing was wrong and could potentially get him arrested, 00:19:26.400 --> 00:19:30.960 but he grappled with it. He went back and forth convincing himself it’s okay to take 00:19:30.960 --> 00:19:35.760 these cards. These websites should secure their site better, and if it wasn’t him taking it, 00:19:35.760 --> 00:19:40.480 then it would surely be someone else taking it, so why not me? But then flipping it and being like, 00:19:40.480 --> 00:19:44.880 no, this is stealing, this is illegal. I’ll get in trouble for this. The move to New Zealand 00:19:44.880 --> 00:19:53.680 gave him a fresh start. He wanted to become a good student who was learning computer science. 00:19:53.680 --> 00:20:01.040 HIEU: [Music] When I got into New Zealand, I stayed there for a few months, not doing anything 00:20:01.040 --> 00:20:07.040 illegal. I tried to be a good student at the school, learning about computer networking and 00:20:07.040 --> 00:20:17.520 be a computer scientist, you know? But things couldn't work out. I started to — hacking again 00:20:17.520 --> 00:20:24.880 after talking with a few friends, a few hackers on the internet. They’re saying they need credit 00:20:24.880 --> 00:20:32.480 cards, and I need money because my family couldn't afford to send me much money. So, 00:20:32.480 --> 00:20:40.120 I say yes. So, let me find out if New Zealand have some websites that I can obtain the credit 00:20:40.120 --> 00:20:50.480 card information. I hacked into a few e-commerce websites in New Zealand. The same thing; it’s 00:20:50.480 --> 00:21:00.314 just some basic vulnerabilities, and I got into the database and I got the stolen credit cards. 00:21:00.314 --> 00:21:04.240 JACK: He was able to sell the credit card data to make some money, but with all these cards, 00:21:04.240 --> 00:21:08.960 he decided to use a few himself, which was probably a dumb idea. 00:21:08.960 --> 00:21:17.840 HIEU: I used those stolen credit card information to buy electronic stuff like a laptop and cell 00:21:17.840 --> 00:21:28.000 phone on similar — like eBay. They called it Trade Me platform. I used the stolen credit cards on 00:21:28.000 --> 00:21:36.960 that website, and I got stuff and then I sell that to the same platform to make money. Gotta 00:21:36.960 --> 00:21:47.600 laundry the stuff, you know, to get the real cash. But eventually I made a mistake then using 00:21:47.600 --> 00:21:58.080 the stolen credit card to buy the music concert tickets to the Ticketmaster. I bought a thousand 00:21:58.080 --> 00:22:05.640 and thousand music concert tickets to sell to all the people with a cheaper price. Then when… 00:22:05.640 --> 00:22:07.640 JACK: You bought a thousand concert tickets? 00:22:07.640 --> 00:22:09.520 HIEU: Right. I bought a lot. 00:22:09.520 --> 00:22:11.280 JACK: Wow. 00:22:11.280 --> 00:22:21.280 HIEU: I resell that to all the people on the platform. But the thing, you know — a few of 00:22:21.280 --> 00:22:28.880 the people, they bought my music concert tickets; they got problem when they tried 00:22:28.880 --> 00:22:37.040 to enter the stadium or tried to enter the concert, right? They got denied because this 00:22:37.040 --> 00:22:46.000 ticket has got — invalid because it’s considered as a fraudulent ticket. They got so mad and they 00:22:46.000 --> 00:22:52.080 got so scared, and then they also complain to the law enforcement, to the police in New Zealand. So, 00:22:52.080 --> 00:22:58.640 the police in New Zealand, they freeze my account on the platform and also freeze my bank account. 00:22:58.640 --> 00:23:04.880 So, I got so scared. They also called me and called my sister. Almost a year stay in New 00:23:04.880 --> 00:23:12.320 Zealand — I got into trouble, and the moment I got that phone call from the law enforcement, 00:23:12.320 --> 00:23:17.560 I got so scared. I bought a ticket; I ran away. I ran back to Vietnam. 00:23:17.560 --> 00:23:23.200 JACK: Oh, boy. Hieu was on the run. The police were now looking for him, but he was able to 00:23:23.200 --> 00:23:29.040 get away and find refuge in Ho Chi Minh City in Vietnam. He escaped the police and didn’t 00:23:29.040 --> 00:23:34.800 suffer any consequences from this. Lucky break. We're gonna take a quick ad break here, but stay 00:23:34.800 --> 00:23:40.800 with us because this is not gonna be the last time that the police go looking for him. His operation 00:23:40.800 --> 00:23:48.800 is about to go stratospheric. Hieu gets back to Vietnam. He’s around twenty years old at this 00:23:48.800 --> 00:23:53.280 point. He goes to see his mother and his father, and they heard about his fraudulent concert ticket 00:23:53.280 --> 00:23:59.200 thing, and they were mad. They scolded him. They shamed him. Hieu was just lying back to them. 00:23:59.200 --> 00:24:07.680 HIEU: I gave them only false promises, you know? I told them I will be a good boy and 00:24:07.680 --> 00:24:16.480 I will be a better person, not doing anything illegal. I kinda feel very ashamed, you know? So, 00:24:16.480 --> 00:24:22.880 my mom, she was crying a lot. But back then I was twenty years old, nineteen years old. 00:24:22.880 --> 00:24:30.320 I tried to be a good person. I didn’t touch the computer within six months when I got back from 00:24:30.320 --> 00:24:41.040 New Zealand. I told my mom I want to go to Ho Chi Minh City to learn computer science 00:24:41.040 --> 00:24:48.560 at the university in Ho Chi Minh City. My mom, my dad, they kinda believed me that 00:24:48.560 --> 00:24:55.040 I’m kinda a changed person, and hopefully this time will be the last chance for me. 00:24:55.040 --> 00:24:58.080 JACK: So, around 2009 he moved to Ho Chi Minh City 00:24:58.080 --> 00:25:02.240 and enrolled in the computer science and cybersecurity program at the university. 00:25:02.240 --> 00:25:13.680 HIEU: But during that first year I went to hang out with all the old-school hackers in Vietnam. 00:25:13.680 --> 00:25:20.080 They all black hat hackers. They heard about — I got problem, I got trouble in New Zealand 00:25:20.080 --> 00:25:26.640 by using stolen credit cards. I say, yes, that’s why I don't want to touch the computer anymore. I 00:25:26.640 --> 00:25:33.360 got so scared. I almost got caught. [Music] They told me, you know, why you don’t think about US 00:25:33.360 --> 00:25:41.080 identity or personal information? It should be safer. It should be — easily to sell that. 00:25:41.080 --> 00:25:46.080 JACK: So, these hackers were telling him, yeah, of course you got in trouble for stealing stolen 00:25:46.080 --> 00:25:49.680 credit cards, man. Don’t mess with money. The police are gonna get mad if you do that. That 00:25:49.680 --> 00:25:54.640 was your mistake. They take credit card theft very seriously. Heck, I bet the US Secret Service 00:25:54.640 --> 00:25:58.960 probably has a case opened on you. What you should have done is gone into the business of 00:25:58.960 --> 00:26:04.320 stealing the identities of US citizens and sell that. Not only can you make money doing that, 00:26:04.320 --> 00:26:09.440 but the Secret Service doesn't give a crap about stolen identities. In fact, nobody does. They’ll 00:26:09.440 --> 00:26:13.680 never come after you for stealing identities, especially if you stay here in Vietnam. 00:26:13.680 --> 00:26:19.920 They can't touch you. So, you should try stealing US identities. So, Hieu starts looking into it. 00:26:19.920 --> 00:26:25.040 My goodness, he thinks, they're right. Stealing identities and selling that is far less of a crime 00:26:25.040 --> 00:26:30.800 than stealing credit cards and just as valuable on the dark web. He wasn’t sure why it was valuable, 00:26:30.800 --> 00:26:34.160 but if he could get all the personal details of someone like their address, 00:26:34.160 --> 00:26:38.320 social security number, phone number, work history, the type of car they have, 00:26:38.320 --> 00:26:41.680 then people will buy that up like crazy on the dark web. So, 00:26:41.680 --> 00:26:46.400 he starts looking around for places that might have all this information on US citizens. 00:26:46.400 --> 00:26:54.800 HIEU: I did it in — kinda in the long term. I just see whatever I see in front of me, 00:26:54.800 --> 00:27:05.040 and the money, it kinda blind my eyes. I thought it should be safer 00:27:05.040 --> 00:27:09.400 in Vietnam. This is US identities; it should be fine. 00:27:09.400 --> 00:27:13.360 JACK: I mean, the logic checks out, right? Stealing identities of people in a far, 00:27:13.360 --> 00:27:17.520 far away country — no chance of them catching him in Vietnam, right? 00:27:17.520 --> 00:27:30.000 HIEU: Eventually I spent almost a month — recon and also doing lots of OSINT to 00:27:30.000 --> 00:27:37.200 get me a list of all the data brokers in the US to be able to provide this data. 00:27:37.200 --> 00:27:42.720 JACK: Data brokers; of course. They would absolutely have a ton of people’s 00:27:42.720 --> 00:27:46.800 identities. Okay, so if you don’t know, a data broker is a company that spends an enormous 00:27:46.800 --> 00:27:54.480 amount of effort gathering up as much information as they can about you. Here’s how they do it; 00:27:54.480 --> 00:27:58.080 number one, they’ll copy the whole phone book into their database. That’s got everyone’s name 00:27:58.080 --> 00:28:02.000 and phone number. Then they’ll take a copy of all the county records. This includes 00:28:02.000 --> 00:28:07.120 who owns which property, court records, marital status. Then they’ll look at your 00:28:07.120 --> 00:28:11.680 social media account and scoop up any photos that you have taken of yourself and posted, 00:28:11.680 --> 00:28:16.560 e-mail addresses you list, affiliations, like which school you went to or place you work. 00:28:16.560 --> 00:28:22.000 LinkedIn is being scraped by data brokers all day, which you personally have told 00:28:22.000 --> 00:28:27.120 what your skills are, who your coworkers are, where you work, and what you look like. Now, 00:28:27.120 --> 00:28:31.440 to me that’s already spooky enough that someone would go through all this trouble to get all 00:28:31.440 --> 00:28:37.200 this data on me by doing all that. [Music] But some data brokers go far deeper and are way more 00:28:37.200 --> 00:28:42.480 sinister at getting data on us. They have been known to install trackers on your phone which 00:28:42.480 --> 00:28:46.800 typically just comes along for the ride on popular apps. Like, a data broker may pay an 00:28:46.800 --> 00:28:52.560 app developer to put a tracking pixel on the app so that they can track people even more. 00:28:52.560 --> 00:28:57.760 This means a data broker is often collecting cell phone data which could include your phone number, 00:28:57.760 --> 00:29:03.840 the app usage, but more interestingly, up-to-the-minute location information. 00:29:03.840 --> 00:29:08.000 Some data brokers go even further and set up antennas around town and watch 00:29:08.000 --> 00:29:12.000 what phones interact with those antennas, and they can track your phone location that 00:29:12.000 --> 00:29:16.560 way. Some have been known to put little sensors on roads to identify which cars 00:29:16.560 --> 00:29:21.120 have passed down that road, and take pictures of license plates going by, too. Of course, 00:29:21.120 --> 00:29:25.920 purchasing history is important to them. I’ve heard stories of data brokers buying 00:29:25.920 --> 00:29:31.600 your purchase history data from retail stores. If you don’t know, a lot of retail stores are 00:29:31.600 --> 00:29:35.680 very closely tracking all the purchases you make with your credit card and have a complete 00:29:35.680 --> 00:29:39.760 history of everything you've ever bought with that card in their store. Sometimes they even 00:29:39.760 --> 00:29:44.160 track where you are in the store and what you stop to look at to see what interests you. 00:29:44.160 --> 00:29:50.320 Yes, absolutely, data brokers are buying up all this data that the stores are collecting on you, 00:29:50.320 --> 00:29:54.320 because this consumer behavior is worth gold to these data brokers. So, 00:29:54.320 --> 00:29:59.520 why do these data brokers do this? Why do they go to such great lengths to build databases on us? 00:29:59.520 --> 00:30:05.360 Because there’s a lot of people who are willing to buy this data. Your data is very valuable, 00:30:05.360 --> 00:30:10.800 and I’m not talking about selling it on the dark web. We’ll get to that. Data brokers often sell 00:30:10.800 --> 00:30:16.560 their data to law enforcement, and this has been a growing problem over time. I feel like 00:30:16.560 --> 00:30:23.200 law enforcement has found a loophole to ignore the Fourth Amendment. As a refresher, the Fourth 00:30:23.200 --> 00:30:27.360 Amendment says you have a right to privacy from the government. The government should not be 00:30:27.360 --> 00:30:34.240 able to see into your life without a warrant or probable cause, but they are through data brokers. 00:30:34.240 --> 00:30:38.480 There’s something called a third-party doctrine now which says if you give your data to a third 00:30:38.480 --> 00:30:43.040 party, you no longer have a reasonable expectation of privacy from that data. 00:30:43.040 --> 00:30:47.280 So, that means if you have money in the bank, the bank can share your data with the government 00:30:47.280 --> 00:30:52.080 without a warrant, and law enforcement can purchase your location data from a data broker 00:30:52.080 --> 00:30:59.200 without a warrant because it’s commercially available data. Data brokers are trying to ruin 00:30:59.200 --> 00:31:04.240 the Fourth Amendment. I want you to look a little closer at where this data is coming from. Yes, 00:31:04.240 --> 00:31:09.760 a lot of it is publicly sourced, but a lot is not. A lot is data that you think is just private 00:31:09.760 --> 00:31:15.120 between you and the party you trusted your data with. But they're selling that data to others. 00:31:15.120 --> 00:31:20.800 So, if you think it’s safe and secure but it’s secretly being scraped and sold, I would 00:31:20.800 --> 00:31:26.560 say that’s spying on you, which — the government isn't allowed to spy on its own citizens. I mean, 00:31:26.560 --> 00:31:31.760 mass surveillance is against the law flat out, but they can get away with it because 00:31:31.760 --> 00:31:36.800 data brokers are the ones doing the spying and the mass surveillance, not the government, 00:31:36.800 --> 00:31:42.000 and then they're selling it to the government. Now, I’ve tried to remove my digital footprint 00:31:42.000 --> 00:31:47.120 as much as possible, but there are still things that I’m forced to do which hurts my privacy, 00:31:47.120 --> 00:31:52.960 and I hate it. For instance, any time I see a doctor, I can't do it under a fake name. They 00:31:52.960 --> 00:31:58.560 have a strict policy where I have to prove my identity in order to get medical treatment, 00:31:58.560 --> 00:32:04.400 and then my medical records are being passed around to millions of people. 00:32:04.400 --> 00:32:11.040 HIPAA isn't there to protect our privacy. It’s there to assist others to get our data. 00:32:11.040 --> 00:32:17.680 The portability part of it means they're making it easy to package up our data and send it to whoever 00:32:17.680 --> 00:32:24.560 asks for it, and there are millions of people and entities that can access HIPAA and patient data. 00:32:24.560 --> 00:32:29.520 Second is banks. There are laws in place where the banks have to verify who you are before they do 00:32:29.520 --> 00:32:35.520 business with you, know-your-customer-type stuff. The banks are forced to report certain activity 00:32:35.520 --> 00:32:39.920 to the government. So, millions of customers’ banking data is going to the government again 00:32:39.920 --> 00:32:45.280 without a warrant. Lastly, I hate all this public record stuff. If I buy a house, get married, 00:32:45.280 --> 00:32:51.360 go to court, start a business, get arrested, all that is public record and it gets abused all day, 00:32:51.360 --> 00:32:56.800 every day, because it is. I have no choice when it comes to these matters. 00:32:56.800 --> 00:33:02.160 My banking history, medical information, marital status, there’s no way to opt out of any of it, 00:33:02.160 --> 00:33:06.880 and data brokers are just licking their lips, sucking it up as fast as they can, 00:33:06.880 --> 00:33:11.680 and they're profiting off of it, and they're using it to strip away my rights. But don’t 00:33:11.680 --> 00:33:15.120 think it stops there. Data brokers are just companies trying to make money, 00:33:15.120 --> 00:33:20.960 so they have no problem selling your data to Walmart, Facebook, Google, insurance companies, 00:33:20.960 --> 00:33:27.040 credit card agencies, ad agencies, because all these businesses would love to know more about who 00:33:27.040 --> 00:33:33.120 you are so that they can target you with ads or to calculate the risk of doing business with you. 00:33:33.120 --> 00:33:40.480 These data brokers absolutely do not want you to know they exist. They do a great job at hiding 00:33:40.480 --> 00:33:45.760 their presence in the world. Let me give you an example. I’m going to list eight of them for you, 00:33:45.760 --> 00:33:50.080 and I bet you've never heard of any of these companies, yet there’s a high chance that 00:33:50.080 --> 00:33:58.160 all of them know exactly what you're doing right now. Merkle, LocatePLUS, 00:33:58.160 --> 00:34:09.840 LiveRamp, MicroBilt, Venntel, SafeGraph, X-Mode Social, Court Ventures. I certainly 00:34:09.840 --> 00:34:19.760 don't know anything about these companies, but Hieu was learning a lot about them. 00:34:19.760 --> 00:34:28.000 HIEU: [Music] I find out, right, that there are a few key players in this data business related to 00:34:28.000 --> 00:34:39.600 the US. They provide this data to law enforcement, to lawyers, to private investigators, stuff like 00:34:39.600 --> 00:34:46.080 that. I think, man, it’s very difficult to get this information. You have to 00:34:46.080 --> 00:34:55.280 prove yourself. You have to be verified. So, that’s why I put lots of time, almost a month, 00:34:55.280 --> 00:35:05.680 and I hacked into two different data brokers, very popular ones. The first one is this LocatePLUS. 00:35:05.680 --> 00:35:11.280 JACK: LocatePLUS is a data broker that markets itself to people doing background 00:35:11.280 --> 00:35:17.200 checks and investigations. They get their data from criminal records, property records, 00:35:17.200 --> 00:35:21.320 the phone book, and also gather social security numbers and date of birth. 00:35:21.320 --> 00:35:30.720 HIEU: The first one I hacked into is the LocatePLUS, and the second one is the MicroBilt. 00:35:30.720 --> 00:35:37.840 JACK: MicroBilt collects data on US citizens which includes criminal history, employment history, 00:35:37.840 --> 00:35:43.680 address history, and social security numbers. They also keep records of your utility payments, 00:35:43.680 --> 00:35:49.600 rent payments, loan payments, and stuff like that to see if you pay your bills on time. The 00:35:49.600 --> 00:35:54.480 big credit bureaus use this one, like Experian and Equifax, because your credit score is a reflection 00:35:54.480 --> 00:36:00.080 of how well you pay your bills. But not only that; landlords use MicroBilt, employers do background 00:36:00.080 --> 00:36:04.320 checks on it, and lenders look to see how much of a risk you are before doing business with you. 00:36:04.320 --> 00:36:13.120 HIEU: So, the two companies, LocatePLUS and MicroBilt, I hacked them a few times. First; 00:36:13.120 --> 00:36:20.960 SQL injection. The second one, the file upload vulnerabilities, and the third one, cross-site 00:36:20.960 --> 00:36:29.840 scripting. When I got into the database, right, I steal the customer logins of the law firm, 00:36:29.840 --> 00:36:35.920 and then I used that to be able to log into the platform and make queries. 00:36:35.920 --> 00:36:40.880 JACK: Okay, interesting. He didn’t get into the main data broker database. Instead, 00:36:40.880 --> 00:36:45.840 he was just able to get into the web portal side of things which had user accounts, 00:36:45.840 --> 00:36:50.560 and that’s the people who use the site to do background checks and look-ups with. He was 00:36:50.560 --> 00:36:57.600 able to steal some of their log-ins. So, now he could log into the site and use it as if 00:36:57.600 --> 00:37:04.360 he was a lawyer or a cop or an investigator who’s been vetted by the site to look up anyone’s data. 00:37:04.360 --> 00:37:09.440 HIEU: I could sell your name, the state that you've been living or the city you live in, 00:37:09.440 --> 00:37:17.280 and that’s all. It will pop out the possible people’s identity related to that name, 00:37:17.280 --> 00:37:24.160 and — in the city, and you can get the social security number, driver’s 00:37:24.160 --> 00:37:31.920 license, all the previous ten year’s addresses that you've been living, even the current one. 00:37:31.920 --> 00:37:39.200 Also we obtained your relatives, your family members, right? You can also get the information. 00:37:39.200 --> 00:37:44.160 JACK: Now, these sites charge for their service. It’s often a pay-per-search kinda thing. So, 00:37:44.160 --> 00:37:48.960 when he would search, it would go to someone else’s bill. He thought if he did a lot of 00:37:48.960 --> 00:37:53.600 searches on one user, then their bill would go way up and then they’d investigate — what’s going 00:37:53.600 --> 00:37:57.760 on here? And they would find out that he’s been using their account and they would shut 00:37:57.760 --> 00:38:03.360 it down. So, he would cycle through all the accounts he had to spread out his activity. 00:38:03.360 --> 00:38:12.680 HIEU: [Music] I remember I was using more than five thousand accounts on MicroBilt alone. 00:38:12.680 --> 00:38:18.480 JACK: So, with his access, he could look anyone up and get their full name, maiden 00:38:18.480 --> 00:38:24.960 name, phone number, e-mail address, where they live, address history, social security number, 00:38:24.960 --> 00:38:30.640 driver’s license, where they work, work history, and the VIN number for their car. 00:38:30.640 --> 00:38:36.200 He decides to build a website to charge users to be able to look up people in this database. 00:38:36.200 --> 00:38:42.400 HIEU: Because so much information. Then I built a website and then I took that 00:38:42.400 --> 00:38:48.480 website — I sell to all the cyber criminals around the world for like, one dollar for 00:38:48.480 --> 00:38:54.640 one search, kinda like one-for-one information, one identity, basically. 00:38:54.640 --> 00:39:00.320 JACK: The first week of him launching this website, he made $5,000 from people doing 00:39:00.320 --> 00:39:05.760 searches on it. It was an instant hit. He wasn’t sure why people were using his site to search for 00:39:05.760 --> 00:39:11.680 other people, but he didn’t care. He just saw the money coming in and was like, yeah. Interestingly, 00:39:11.680 --> 00:39:17.320 this was the early days and crypto wasn’t really adopted so well yet, so he wasn’t accepting that. 00:39:17.320 --> 00:39:21.760 HIEU: Back then, I didn’t use Bitcoin. We used Liberty Reserve. 00:39:21.760 --> 00:39:25.760 JACK: Liberty Reserve was sort of like a PayPal in the way that you could send money 00:39:25.760 --> 00:39:31.200 to someone online, except they didn’t do much in regards of checking people’s identities. So, 00:39:31.200 --> 00:39:36.560 it became known as the place for criminal transactions around 2010. It was the go-to 00:39:36.560 --> 00:39:41.120 place for stuff like that for a while. So, he was getting tons of Liberty Reserve dollars 00:39:41.120 --> 00:39:45.040 and they were piling up in his account there. Then he was using some Vietnamese 00:39:45.040 --> 00:39:49.440 money mules that he found on the dark web to send them his Liberty Reserve dollars, 00:39:49.440 --> 00:39:54.760 and they’d cash it out and give him cash. Things were looking good for a few months. 00:39:54.760 --> 00:40:02.720 HIEU: But, you know, the thing is not stable because the two companies, they find out about the 00:40:02.720 --> 00:40:11.120 vulnerabilities, so they shut down and they also fixed the vulnerabilities. Kinda like me and them, 00:40:11.120 --> 00:40:17.120 we’d been playing the cat-and-mouse game. They fixed the vulnerability, 00:40:17.120 --> 00:40:23.320 I’d find another one, so we’d keep hacking and fixing. So, I got tired. 00:40:23.320 --> 00:40:28.240 JACK: He was getting tired of constantly trying to find new ways to stay in the system. They 00:40:28.240 --> 00:40:34.240 were getting good at detecting him and geeking him out. So, he stops to think about it. He thought, 00:40:34.240 --> 00:40:42.160 why struggle to maintain access when he could just become a paying user of the site? [Music] Now, 00:40:42.160 --> 00:40:46.480 MicroBilt would only allow certain people to use their site. You had to be a professional 00:40:46.480 --> 00:40:51.360 investigator or a cop or in a position that you can be trusted with this data. 00:40:51.360 --> 00:40:56.640 There’s a serious vetting process. So, Hieu decided, why not try to act like a 00:40:56.640 --> 00:41:02.160 private investigator and get in? Step one, create a driver’s license with a fake name. 00:41:02.160 --> 00:41:08.000 HIEU: At first I got the license through Google, but it didn’t work. I tried to 00:41:08.000 --> 00:41:13.360 do Photoshop and stuff like that, but it couldn't work out. It’s not good quality. 00:41:13.360 --> 00:41:16.480 JACK: Okay, that didn’t work. Time for Plan B. 00:41:16.480 --> 00:41:20.320 Try to impersonate someone who is allowed to have an account there. 00:41:20.320 --> 00:41:32.320 HIEU: So, I did an OSINT through gathering all the list of e-mails address belonging 00:41:32.320 --> 00:41:41.280 to private investigators. You know, when I hacked into MicroBilt and LocatePLUS, right, 00:41:41.280 --> 00:41:47.360 I got the e-mail address already. I got all the list already. So, 00:41:47.360 --> 00:41:58.000 I used that to do phishing. I was phishing them to a malware so I can — got into the computer. 00:41:58.000 --> 00:42:04.000 JACK: Wow; so, the five thousand users that he got from MicroBilt, he could see which ones were 00:42:04.000 --> 00:42:09.360 private investigators and get all those e-mails and also their data from the data broker to know 00:42:09.360 --> 00:42:13.840 everything about them, and then send them phishing e-mails. If they clicked the link, 00:42:13.840 --> 00:42:19.120 he would infect their computer with malware, essentially giving him access to their computers. 00:42:19.120 --> 00:42:22.640 When he got access, he would look around to see if he could find any 00:42:22.640 --> 00:42:28.880 identifying documents for these private investigators so he could impersonate them. 00:42:28.880 --> 00:42:36.080 HIEU: One of the private investigators, I remember he was living in Michigan in 00:42:36.080 --> 00:42:46.080 the US. I got into his computer through the malware. I got all the data on his computer, 00:42:46.080 --> 00:42:54.800 including the private investigator license, even his passport, his social security numbers, 00:42:54.800 --> 00:43:00.720 and I got — I mean, I got everything. Back then, the people, they still got a habit 00:43:00.720 --> 00:43:06.720 of saving all the sensitive stuff on their desktop inside the spreadsheet, 00:43:06.720 --> 00:43:11.440 right? Kind of like an Excel file storing the username and password, 00:43:11.440 --> 00:43:18.800 like sensitive information in that file. I got that file, too. So, I got all the information; 00:43:18.800 --> 00:43:28.560 date of birth and driver’s license, stuff like that. So, I impersonated as him under his name. 00:43:28.560 --> 00:43:38.640 I obtained an account at MicroBilt. So, I got the MicroBilt account officially. I was using 00:43:38.640 --> 00:43:44.840 that maybe a month or two. So, they find out it’s a fake account. So, they shut down my account. 00:43:44.840 --> 00:43:49.840 JACK: So, he’s realizing MicroBilt is giving him a lot of trouble and decides to look at another data 00:43:49.840 --> 00:43:55.880 broker to maybe register an account there. That’s when he found a data broker called Court Ventures. 00:43:55.880 --> 00:44:01.600 HIEU: Court Ventures provided an API and data access for the 00:44:01.600 --> 00:44:07.240 people through Macquaries to be able to obtain the US identity. 00:44:07.240 --> 00:44:12.480 JACK: Oh, this is even better, he thought. If he could get API access to make queries and do 00:44:12.480 --> 00:44:17.360 searches, that’s a whole lot easier to integrate into his website. They were just like the others; 00:44:17.360 --> 00:44:22.000 they had address history, criminal history, full identity data, and yeah, investigators, 00:44:22.000 --> 00:44:27.120 cops, fraud detection agencies, and credit bureaus loved using Court Ventures to look up 00:44:27.120 --> 00:44:34.080 people’s data. He found a private investigator in Singapore and was able to obtain all his details 00:44:34.080 --> 00:44:37.883 and was going to impersonate him to try to get an account at Court Ventures. [Music] 00:44:37.883 --> 00:44:47.920 HIEU: I got his license and I’d be impersonating that guy, the private investigator in Singapore, 00:44:47.920 --> 00:44:56.240 and then I used that to apply the Court Venture account. I paid for them. I was dealing with them 00:44:56.240 --> 00:45:03.440 like a real businessman. I said, yeah, I was doing it for a big company doing background 00:45:03.440 --> 00:45:13.920 checks for Microsoft, Google. So, I need lots of queries every month to do background checks. 00:45:13.920 --> 00:45:22.560 They’re okay with that because I paid for them and I told them I want to have a good deal. Then 00:45:22.560 --> 00:45:32.400 the CEO of that Court Venture company, they gave me a good deal. I remember fourteen cents; 00:45:32.400 --> 00:45:39.440 fourteen cents for one information. So, I say, yes, okay, we making a business contract, 00:45:39.440 --> 00:45:45.520 too. I faked the signature. I faked the name, everything. So, I send back to him, 00:45:45.520 --> 00:45:50.200 and they didn’t verify anything. They just keep going. Like, they ‘okay’ everything. 00:45:50.200 --> 00:45:54.480 JACK: Okay, he got the account. He could do searches on people now. Good, good, 00:45:54.480 --> 00:45:58.800 he thought. But he wanted that API key, so he applied for it, 00:45:58.800 --> 00:46:01.820 and a few weeks later, they gave it to him. [Music] Incredible. 00:46:01.820 --> 00:46:10.880 HIEU: So, I got the account, man. I say, oh, oh my god, I got the API access to almost 200 million US 00:46:10.880 --> 00:46:16.920 identity right there, and only to do — to integrate that into my website. That’s all. 00:46:16.920 --> 00:46:24.720 JACK: Yeah, 200 million US citizens’ details were in this data broker. That’s over 60% of 00:46:24.720 --> 00:46:31.040 all US citizens’ data. That’s incredible. At fourteen cents per look-up, he could sell each 00:46:31.040 --> 00:46:35.840 of those searches for a dollar on his website. His grand plan was starting to come together. 00:46:35.840 --> 00:46:41.600 HIEU: So, at that time, my website is still on the clear web. You know, 00:46:41.600 --> 00:46:50.560 anybody can gain access, but most of the clients that I have is all cyber criminal. Technically, 00:46:50.560 --> 00:46:59.280 I didn’t care what they — whatever they had been using these identities. So, I just keep selling 00:46:59.280 --> 00:47:11.720 to the API of the Court Venture. I remember every month I was making more than $120k a month, USD. 00:47:11.720 --> 00:47:16.320 JACK: Yeah, he really didn’t care who used the site or why. He didn’t even ask. All he knew is 00:47:16.320 --> 00:47:20.800 that people liked using it to look up people, and he could make a nice profit off it. So, 00:47:20.800 --> 00:47:24.480 it seemed like a good business model to him. But even though he was making 00:47:24.480 --> 00:47:30.800 $120,000 a month, he still had a massive bill to pay to Court Ventures every month. 00:47:30.800 --> 00:47:42.960 HIEU: I was paying for Court Venture every month from $20,000 to $35,000 USD per month. Yeah, 00:47:42.960 --> 00:47:48.800 they're happy and I’m happy as well. So, we’re kind of in a win-win situation. 00:47:48.800 --> 00:47:53.680 I keep running that website for over two years, 00:47:53.680 --> 00:48:00.880 and I was making more than $3 million USD by selling the US identities. 00:48:00.880 --> 00:48:09.360 JACK: It makes me wonder, is any of this illegal? I mean, can you squarely point at who the victim 00:48:09.360 --> 00:48:16.880 is here in this situation? Do you know the story of Irate Joe's? It’s an interesting one. So, 00:48:16.880 --> 00:48:20.400 there’s this US grocery store called Trader Joe’s. It’s fantastic. I love 00:48:20.400 --> 00:48:24.960 it. A majority of food there at Trader Joe's is the Trader Joe's branded stuff, 00:48:24.960 --> 00:48:31.040 and people get hooked on that brand. Well, up in Vancouver, Canada, they were begging 00:48:31.040 --> 00:48:34.800 Trader Joe's to come open a store here, but Trader Joe's refused. They're like, 00:48:34.800 --> 00:48:40.640 nah, we only focus in the US. We're not going international. So, some guy in Vancouver is like, 00:48:40.640 --> 00:48:45.520 you know what? I’m gonna open my own Trader Joe's in Canada. Why not? Because if they're 00:48:45.520 --> 00:48:50.320 not gonna do business here, then there’s probably no jurisdiction issues or harm. It should be fine. 00:48:50.320 --> 00:48:54.400 So, he crosses the border into Washington State, buys a ton of Trader Joe's stuff, 00:48:54.400 --> 00:48:59.920 and drives it back to Vancouver and opens up a little shop called Pirate Joe's. He charged 00:48:59.920 --> 00:49:03.920 more than Trader Joe's did because of the logistics of it, but hey, people in Vancouver 00:49:03.920 --> 00:49:09.120 were happy to get some of their favorite food items finally. Trader Joe's was like, 00:49:09.120 --> 00:49:14.160 hey, you can't do that. Pirate Joe's was like, nyah, nyah, we're in Canada. Your US laws don’t 00:49:14.160 --> 00:49:19.440 apply here. He was right. Trader Joe's had a really hard time getting anywhere legally, 00:49:19.440 --> 00:49:26.000 but eventually they convinced a US court to force a trademark infringement on Pirate Joe's, 00:49:26.000 --> 00:49:31.760 saying the name of the store is too similar to Trader Joe's, and they're smugglers. So, 00:49:31.760 --> 00:49:38.160 what did they do? Pirate Joe's dropped the P and renamed the store to Irate Joe's, 00:49:38.160 --> 00:49:44.240 and they clearly put all over their store, ‘We are unaffiliated, unauthorized, and unafraid’. 00:49:44.240 --> 00:49:49.920 Trader Joe's was furious that they stayed open and started banning them from coming into the store to 00:49:49.920 --> 00:49:54.960 buy stuff. They banned the owner who was driving twice a week to buy $5,000 worth of groceries from 00:49:54.960 --> 00:49:59.680 Trader Joe's. Then he got his coworkers to go to different Trader Joe's and try to buy stuff from 00:49:59.680 --> 00:50:02.960 there, but Trader Joe's started figuring out which stores in Washington they were visiting 00:50:02.960 --> 00:50:07.280 and buying food in the shop, so they would block these other people from purchasing things. So, 00:50:07.280 --> 00:50:11.840 Irate Joe's started asking their customers to help stock the store. They're like, hey, 00:50:11.840 --> 00:50:16.320 if you’re going to Washington, please pick some stuff up for us at the store. Soon, 00:50:16.320 --> 00:50:21.440 dozens of people were now helping stock the shelves at Irate Joe's. I’m telling you, 00:50:21.440 --> 00:50:26.320 people really love Trader Joe's stuff, and crowd-sourcing the buying was working for them. 00:50:26.320 --> 00:50:29.680 But Trader Joe's was putting more and more limits on how much people could buy in the 00:50:29.680 --> 00:50:34.640 stores that were close to Vancouver. The guy who owned Irate Joe's is like, bro, 00:50:34.640 --> 00:50:40.560 I’m your biggest customer by far. I buy more than anyone else in this store. What is your 00:50:40.560 --> 00:50:46.240 deal? We're not asking for anything special. We just want to buy what you have. But Trader Joe's 00:50:46.240 --> 00:50:53.280 kept giving them legal trouble, and eventually Irate Joe's shut down from the expensive legal 00:50:53.280 --> 00:51:00.480 fees that they kept facing. Again, here’s a situation where I wonder, who’s the victim? 00:51:00.480 --> 00:51:06.240 Trader Joe's sure thought it was them. But what do you think? I mean, when I was a teenager I 00:51:06.240 --> 00:51:10.960 used to buy things from the Dollar Store and then sell them on eBay for five dollars each. 00:51:10.960 --> 00:51:17.200 If it’s legal for data brokers to sell identities of US citizens, why would it be 00:51:17.200 --> 00:51:22.080 illegal for Hieu to buy those and resell them for more? This is the part I don't get. It’s 00:51:22.080 --> 00:51:27.200 apparently perfectly fine for a data broker to buy and sell identifying information on US citizens, 00:51:27.200 --> 00:51:32.720 but it’s not for Hieu? In Hieu’s case, he didn’t hack into the site. He didn’t 00:51:32.720 --> 00:51:39.120 steal anything. He was a paying customer of Court Ventures and was paying them a 00:51:39.120 --> 00:51:44.080 lot of money for all the searches people did, and they seemed to be fine with that, 00:51:44.080 --> 00:51:48.800 happy that Hieu was their customer. So, he had his little website set up and accepted 00:51:48.800 --> 00:51:54.800 payment from Liberty Reserve, and users could search Court Venture database through the API. 00:51:54.800 --> 00:52:01.840 HIEU: At first that website’s called ussearching.info and then eventually 00:52:01.840 --> 00:52:09.840 superget.info and findget.me, stuff like that. I — changing the domain name constantly to 00:52:09.840 --> 00:52:19.200 avoid law enforcement. I was selling more than — a little more than three million 00:52:19.200 --> 00:52:26.520 US identities during that two years from 2010 to 2012. 00:52:26.520 --> 00:52:32.880 JACK: Okay, let me do some math. Okay, three million searches, fourteen cents per search; 00:52:32.880 --> 00:52:38.480 that’s $420,000 that he paid to Court Ventures in all this. Geez, 00:52:38.480 --> 00:52:43.280 that’s a lot of money Court Ventures made off him. That was fine for him 00:52:43.280 --> 00:52:49.360 because he made over $2.5 million in profit after that. Unbelievable. 00:52:49.360 --> 00:52:56.160 HIEU: During 2011, right, I dropped out of school. I didn’t 00:52:56.160 --> 00:53:00.480 study and finish the university anymore because I was thinking, 00:53:00.480 --> 00:53:08.480 man, I was making lots of money. Every month I was making up to $120k per month. 00:53:08.480 --> 00:53:11.240 JACK: What were you using the money for that you were getting? 00:53:11.240 --> 00:53:17.440 HIEU: Back then I was too young, too dumb. Lots of money I spent on stupid stuff, 00:53:17.440 --> 00:53:26.640 on five-star hotels and business class. I spent lots of money on stupid things, 00:53:26.640 --> 00:53:31.760 and I wasted lots of money for cars and luxury stuff. 00:53:31.760 --> 00:53:33.600 JACK: What kind of car did you have? 00:53:33.600 --> 00:53:38.080 HIEU: I have — I was having three different cars, 00:53:38.080 --> 00:53:48.160 two sport cars. One of them is a BWM, the convertible one, and another one 00:53:48.160 --> 00:53:56.240 is a customized car, like a full customized one that — I don't even know what kind of car is it, 00:53:56.240 --> 00:54:06.720 but kind of one of the — I remember I used that car to be in a contest for a good customized car, 00:54:06.720 --> 00:54:15.200 and I won a prize as well, too. You know, I spent so much money on that car and customized 00:54:15.200 --> 00:54:21.480 it and fine-tuned that car. The other car that I have is a luxury car, Lexus, right? 00:54:21.480 --> 00:54:25.000 JACK: Yeah, so, what did your parents think of all this money? 00:54:25.000 --> 00:54:32.640 HIEU: I was lying to them; you know, I was working for a international bank in the US, 00:54:32.640 --> 00:54:38.960 and they hired me to protect the system and also building their website. You know, 00:54:38.960 --> 00:54:47.200 all the lies. When I’d meet up with all the people kinda the same age, even the people that I know on 00:54:47.200 --> 00:54:58.720 the street, they’d ask me why I am so rich. I lied to them because my family wasn’t a wealthy family. 00:54:58.720 --> 00:55:07.200 They got everything for me. That’s why. So, I kinda — lying with each other, 00:55:07.200 --> 00:55:11.040 with different stories, you know? Then I was kinda very tired, though. 00:55:11.040 --> 00:55:16.880 JACK: What were the people that were using your site — do you know what they were — why 00:55:16.880 --> 00:55:23.648 they were searching for people? What was the point of them paying for people’s searches? 00:55:23.648 --> 00:55:31.840 HIEU: Good question. The question — the answer for this at that time, 00:55:31.840 --> 00:55:40.400 I didn’t care much about how did they use this information. All I know — maybe they 00:55:40.400 --> 00:55:46.080 used that to impersonate somebody or even they used it to bypass the 00:55:46.080 --> 00:55:52.280 credit card transaction, authentication, whatever. [Music] That’s all I know. 00:55:52.280 --> 00:55:58.160 JACK: So, like he said, this went on for years. He was able to automate a lot of it, 00:55:58.160 --> 00:56:03.360 so he would only do a few hours of work a week to keep it all going. Life was going great for him. 00:56:03.360 --> 00:56:11.320 HIEU: Eventually Court Venture, right, they got acquired by the Experian. 00:56:11.320 --> 00:56:19.040 JACK: Oh, interesting. In December 2011, Experian bought Court Ventures. Now, Experian is one of the 00:56:19.040 --> 00:56:24.240 three major credit bureaus in the US. They create a credit score for every US adult. 00:56:24.240 --> 00:56:29.120 Rental places and loan agencies will check your credit score before doing business with you. So, 00:56:29.120 --> 00:56:33.680 Experian loved the data that Court Ventures had on people so much that they just bought 00:56:33.680 --> 00:56:39.120 it outright. I couldn't find what the purchase price was for 200 million US citizens’ data, 00:56:39.120 --> 00:56:46.160 but I imagine it was in the millions of dollars. Now, after Experian bought Court Ventures, 00:56:46.160 --> 00:56:52.720 the Secret Service contacted Experian and was like, you know that company you just bought? 00:56:52.720 --> 00:56:57.840 Yeah, well, we have reason to believe that they are giving data to someone who is illicitly 00:56:57.840 --> 00:57:05.040 reselling it to criminals. Experian is like, what? Say that again. Court Ventures never 00:57:05.040 --> 00:57:11.520 told them this in the trade deal. So, Experian quickly shut down Hieu’s account and cooperated 00:57:11.520 --> 00:57:18.080 with the Secret Service. In fact, Experian was so mad that they sued Court Ventures for not 00:57:18.080 --> 00:57:23.360 taking action on this earlier. I suspect the lawsuit was because they were misrepresenting 00:57:23.360 --> 00:57:33.083 their business in the trade deal. So, the Secret Service now had their eyes fixed on Hieu. [Music] 00:57:33.083 --> 00:57:40.400 HIEU: One of the court requests from the US Secret Service — asking about the status of my account, 00:57:40.400 --> 00:57:47.200 the fake account. Eventually they shut down my account at Court Venture. 00:57:47.200 --> 00:57:52.240 JACK: They shut down his account entirely, but he had a back-up plan in case this did 00:57:52.240 --> 00:57:57.280 happen. He had a second account, not one he made, but one he stole the password to, 00:57:57.280 --> 00:58:00.640 someone else’s account. He could use their account to continue to 00:58:00.640 --> 00:58:04.960 do look-ups. But he no longer had that API access where he could automate it. 00:58:04.960 --> 00:58:10.000 HIEU: That belonged to one of the company — one of the US data brokers as well, 00:58:10.000 --> 00:58:17.280 too. It’s called ussearchingfor.com, something like that. I don't remember. It’s a long name. 00:58:17.280 --> 00:58:25.440 But anyway, this company — I got one of the accounts through a phishing attack, and I 00:58:25.440 --> 00:58:32.120 used that to do — manually searching identity for all the people who still need the service. 00:58:32.120 --> 00:58:36.720 JACK: He wanted to get another API connection to Court Ventures. This 00:58:36.720 --> 00:58:40.960 hand-searching stuff was just taking way too much time, so he starts e-mailing them; hey, 00:58:40.960 --> 00:58:45.760 how come you shut off my API connection? I need it back. But what he didn’t know is that because 00:58:45.760 --> 00:58:51.600 the Secret Service were investigating him, it was them who was responding to his e-mails. 00:58:51.600 --> 00:59:02.640 HIEU: They were making up a story that they will offer me a good API connection not only to the 00:59:02.640 --> 00:59:12.240 US identity data but also the UK identities data. I was like, whoa, it’s a good business account, 00:59:12.240 --> 00:59:18.560 too good to be true, [music] but at that time the money just blind my eyes. I said, okay, it looks 00:59:18.560 --> 00:59:26.720 good. But the thing, they — I feel something suspicious going on, too, something not right. 00:59:26.720 --> 00:59:30.720 JACK: Apparently there was another guy that was doing the same thing as Hieu, 00:59:30.720 --> 00:59:36.080 also reselling data broker data, but the Secret Service caught that guy who was in the UK, 00:59:36.080 --> 00:59:40.720 and that guy was assisting the Secret Service to catch other people doing the same. So, 00:59:40.720 --> 00:59:44.640 that’s what felt off to Hieu. He was talking to both the Secret Service, 00:59:44.640 --> 00:59:49.680 an agent named Matt O'Neill, and a guy from the UK named Mark who got caught reselling identities. 00:59:49.680 --> 00:59:55.600 HIEU: His name is Mark. He still keeps communicating with me through e-mail and 00:59:55.600 --> 01:00:06.960 even called me through — I remember; through Skype back then. They said they wanted me to 01:00:06.960 --> 01:00:18.960 go to the US and also go to Australia, go to Hawaii. I say, no, I don't want to go there. But 01:00:18.960 --> 01:00:25.920 Matt O'Neill and Mark, they collaborated together and they lured me to Guam. 01:00:25.920 --> 01:00:29.200 JACK: They told him if he can meet them in Guam, they’ll give him all the things 01:00:29.200 --> 01:00:33.920 he needs for his API access. They made up a story of why they need to meet him in person, 01:00:33.920 --> 01:00:37.600 something like, oh, the big boss really wants to meet you. You're one of our best customers, 01:00:37.600 --> 01:00:40.080 and we can get the contract signed right then and there. 01:00:40.080 --> 01:00:44.560 HIEU: Then we can open a big party, you know? So, 01:00:44.560 --> 01:00:48.960 we can have fun together and then you can fly back to Vietnam. Everything good. 01:00:48.960 --> 01:00:53.680 JACK: So he decides to fly to Guam, which is kind of near Southeast Asia. 01:00:53.680 --> 01:00:57.360 He figures it’s the closest option that they gave him, and it looks safe. 01:00:57.360 --> 01:01:04.720 HIEU: I didn’t do any research about Guam. I thought it’s just an island. Nobody cares. 01:01:04.720 --> 01:01:10.240 I heard that some Vietnamese people, they’re living over there as well, too. Maybe it’s 01:01:10.240 --> 01:01:18.800 fine. If there’s any problem, I will go to talk to my people asking for help. Then I bought a ticket 01:01:18.800 --> 01:01:28.320 and then I went to Guam with my sister, because back then my English is not really well, and I 01:01:28.320 --> 01:01:38.160 went there with her together. The moment I landed at the international airport, they escorted me to 01:01:38.160 --> 01:01:47.440 US custom office. That moment, that very moment, I feel like, man, something going on, something 01:01:47.440 --> 01:01:59.440 fishy. Then they told me, sit down, Hieu. We want to talk to you a little bit. I was so nervous. I 01:01:59.440 --> 01:02:07.200 was trembling, like, man. It was shocking. I was saying, man, something’s not right. 01:02:07.200 --> 01:02:19.200 They put a stack of paper — I remember maybe ten inches thick, very thick documents, 01:02:19.200 --> 01:02:26.080 and they told me, we know about you. We know everything about you, maybe more than your 01:02:26.080 --> 01:02:41.360 family knows about you. [Music] That moment, I say, man, it’s over, it’s over, and that’s it. 01:02:41.360 --> 01:02:49.280 I felt like I was on top of the world, and right now I was living in hell. That’s it. They sent 01:02:49.280 --> 01:02:59.520 me to the jail in Guam after that, and I sent my sister back to Vietnam. I told the 01:02:59.520 --> 01:03:05.200 prosecutor and the US Secret Service agent — I say, my sister had nothing to do with 01:03:05.200 --> 01:03:16.560 this. It’s all about me. So, they released my sister, and I was staying in the jail in Guam 01:03:16.560 --> 01:03:22.400 for more than — a little more than two months, and then they sent me back to the mainland, 01:03:22.400 --> 01:03:29.040 the US mainland, to many different jails. They sent me to Hawaii, to Los Angeles, 01:03:29.040 --> 01:03:39.040 Nevada, they sent me to Oklahoma, New Jersey, and then New York, and then New Hampshire. 01:03:39.040 --> 01:03:45.360 JACK: New Hampshire is where his case was going to be tried, so that was his final destination. 01:03:45.360 --> 01:03:50.160 He was stuck in prison through the entire legal battle. Apparently the US prosecutor who first 01:03:50.160 --> 01:03:55.360 investigated him was in New Hampshire, and so that’s why his trial was there. Reflecting back 01:03:55.360 --> 01:04:00.800 on how he got caught, he has a few theories. First, he blames Brian Krebs, a cybersecurity 01:04:00.800 --> 01:04:05.840 journalist who did an article that said how criminals can look up people on the dark web, 01:04:05.840 --> 01:04:09.760 and Hieu’s website is listed there. So, he thinks that’s how the Secret Service 01:04:09.760 --> 01:04:14.480 probably first learned about my website. On his website he made a few mistakes. 01:04:14.480 --> 01:04:20.240 The first week of having it, he used a hosting provider but registered it under his real name, 01:04:20.240 --> 01:04:23.920 but then he changed the registration to an anonymous name, but those past records are 01:04:23.920 --> 01:04:28.160 still visible. Second, he used to have his personal e-mail address on the website for 01:04:28.160 --> 01:04:34.160 contact details. So, these slip-ups would have easily traced someone to Hieu. I also 01:04:34.160 --> 01:04:37.920 believe that the Secret Service probably used his site, did some searches on people, 01:04:37.920 --> 01:04:43.360 and then tried to correlate that with the logs at Court Ventures to pinpoint exactly which user Hieu 01:04:43.360 --> 01:04:48.400 was using for his site. But this whole time, he wasn’t sure exactly why he was arrested. 01:04:48.400 --> 01:04:54.240 He was paying for these searches in full. Where’s the fraud here? Where’s the crime? 01:04:54.240 --> 01:04:59.040 But it wasn’t until after his arrest where he learned what people were using his site for. 01:04:59.040 --> 01:05:07.360 HIEU: The federal court, they told me the information that I stole and also — sell that 01:05:07.360 --> 01:05:13.360 to other people, they’re using it for tax returns. That’s something new to me. I never knew that, 01:05:13.360 --> 01:05:18.720 tax returns. Then I find out what’s tax return, and it’s very serious. 01:05:18.720 --> 01:05:24.080 JACK: What people were doing was going to Hieu’s site, looking someone up, getting all their 01:05:24.080 --> 01:05:29.680 details, and then try to file the taxes for that person. See, here in the US, we pay taxes to the 01:05:29.680 --> 01:05:34.480 government all year, and typically people overpay on their taxes so they get a big return come tax 01:05:34.480 --> 01:05:38.560 season. So, a lot of Americans get a check for maybe a few thousand dollars every year 01:05:38.560 --> 01:05:43.200 from the government because they’ve overpaid on their taxes. Well, criminals know this, 01:05:43.200 --> 01:05:49.680 so they file tax returns on other people, and they put on there that they should get a $2,000 refund. 01:05:49.680 --> 01:05:53.840 Then the IRS processes the tax filing, and they look at it, and it looks legit, 01:05:53.840 --> 01:05:59.680 and sends this person a $2,000 check. When the real person goes to file their taxes, 01:05:59.680 --> 01:06:04.240 the IRS is like, oh, no, no, no, you've already filled it out. We’ve already sent you a check. 01:06:04.240 --> 01:06:10.720 Now suddenly there’s a bunch of Americans saying, oh no, I didn’t. Give me my money. 01:06:10.720 --> 01:06:16.720 There is a big problem. So, the Secret Service was investigating this because Hieu’s people 01:06:16.720 --> 01:06:23.680 search engine was complicit in helping criminals defraud a lot of American citizens. Apparently 01:06:23.680 --> 01:06:27.200 there were a lot of people in New Hampshire that someone stole their tax return check. 01:06:27.200 --> 01:06:30.240 HIEU: You know, I got so much information, 01:06:30.240 --> 01:06:34.720 and then it turns — kinda like thousands and thousand of victims in New Hampshire. 01:06:34.720 --> 01:06:42.080 JACK: Okay, there’s the V word, victim. We found a victim, the people of New Hampshire who didn’t get 01:06:42.080 --> 01:06:48.800 their tax refunds. Okay, sure, they're victims of identity theft. I’ll give them that. But typically 01:06:48.800 --> 01:06:54.960 the IRS will understand and pay them anyway, essentially giving out two refund checks. So, this 01:06:54.960 --> 01:07:00.240 makes the IRS the victim. But then you could say, no, it’s the US taxpayer that’s the real victim, 01:07:00.240 --> 01:07:08.080 because this is money that’s just lost. It drives me nuts how much money the IRS loses on this every 01:07:08.080 --> 01:07:15.120 year. Like, every single year the IRS will give out billions of dollars to criminals submitting 01:07:15.120 --> 01:07:22.880 tax refund scams. I just have to ask, IRS, when are you gonna take this problem seriously? You're 01:07:22.880 --> 01:07:29.600 world-class at collecting our money but terrible at distributing it to the right people. Billions 01:07:29.600 --> 01:07:36.080 of tax dollars are lost every year because a criminal asked you for money. How is this 01:07:36.080 --> 01:07:44.320 acceptable? So, what were your charges? Because I have no idea what you're actually guilty of still. 01:07:44.320 --> 01:07:50.680 HIEU: Yes; technically you can read that on the US courts’ records. 01:07:50.680 --> 01:07:56.560 JACK: Okay, fine, I will. Alright, he’s charged with three items here. All three are violations of 01:07:56.560 --> 01:08:02.640 the CFAA. Figures, right? The first specifically says he used a data broker in a way that they 01:08:02.640 --> 01:08:07.440 didn’t authorize him to use. It’s against their terms of service to resell the data that you're 01:08:07.440 --> 01:08:12.960 given access to or to impersonate someone to get an account there, and he did that. He absolutely 01:08:12.960 --> 01:08:18.720 violated their terms of use, and that is what the Secret Service is saying he’s going to prison for, 01:08:18.720 --> 01:08:25.680 unauthorized access, which we can guess means that he impersonated an authorized user, 01:08:25.680 --> 01:08:30.800 which is against their terms of use. You know how many of us violate the terms of use on websites? 01:08:30.800 --> 01:08:37.200 We all do all the time. Like, if you ever let someone use your Spotify or Netflix login, 01:08:37.200 --> 01:08:44.880 that’s the same violation, unauthorized access. He’s being charged with that sort of thing. 01:08:44.880 --> 01:08:50.080 Second item; specifically it says he’s personally gained money from violating his access, and the 01:08:50.080 --> 01:08:55.440 third item is that it was in excess of $5,000. So, all three of these are CFAA violations, 01:08:55.440 --> 01:09:00.560 and it drives me nuts that if you violate a website’s terms of service, it’s a federal crime. 01:09:00.560 --> 01:09:05.200 I don't know why it’s not just a civil issue, a problem between you and the website. Like, 01:09:05.200 --> 01:09:10.240 why is it a federal crime? I think the site has grounds to terminate you, ban you, 01:09:10.240 --> 01:09:15.200 and probably even sue you for violating their terms of service, but prison time? I think that’s 01:09:15.200 --> 01:09:21.920 just going too far. But that’s how it is. It’s a federal offense to violate a website’s terms 01:09:21.920 --> 01:09:29.680 of use. I’d be remiss if I didn’t mention Aaron Swartz here. Aaron was an MIT student, and because 01:09:29.680 --> 01:09:34.960 he was a student, he had access to academic research papers through a place called JSTOR. 01:09:34.960 --> 01:09:38.880 Well, he thought this information was so valuable to the world that he was downloading it and 01:09:38.880 --> 01:09:43.760 publishing it for free. The world should have this academic research, not keep it exclusive only for 01:09:43.760 --> 01:09:48.800 university students. But JSTOR was pissed. They called the feds on Aaron for violating 01:09:48.800 --> 01:09:54.080 their terms of service, and the DOJ charged him with thirteen felony counts, and he was facing 01:09:54.080 --> 01:09:58.320 thirty-five years in prison. They told him, look, if you take a plea deal, you'll probably 01:09:58.320 --> 01:10:05.840 only do six months in prison, but he absolutely did not want a felony on his record, a felony 01:10:05.840 --> 01:10:14.320 for violating the terms of service. The pressure was too much for him, and Aaron killed himself. 01:10:14.320 --> 01:10:19.520 So, after that, politicians were like, whoa, whoa, whoa, why does the CFAA have it written 01:10:19.520 --> 01:10:26.480 in there that unauthorized access to a website is a federal crime? People are dying over this. 01:10:26.480 --> 01:10:32.240 Just because you violated a website’s terms of use should not be a federal crime. So, 01:10:32.240 --> 01:10:39.920 Aaron’s Law got proposed, which asks to change the CFAA to stop saying that a terms of use violation 01:10:39.920 --> 01:10:48.800 is a federal crime. But sadly, the law didn’t get passed. Can you tell I hate the CFAA? See, 01:10:48.800 --> 01:10:55.600 here, I’m upset about this because first of all, these data brokers are collecting data 01:10:55.600 --> 01:11:00.960 on us without our permission. So, there should be — they should be the ones that are doing illegal 01:11:00.960 --> 01:11:06.937 things. Second of all, they're selling this data for fourteen cents per look-up. You're selling it… 01:11:06.937 --> 01:11:10.240 HIEU: Very cheap. JACK: …for one dollar per look-up. Yeah, so… 01:11:10.240 --> 01:11:10.907 HIEU: Right. 01:11:10.907 --> 01:11:14.160 JACK: The only real thing here is that you're saying, hey, 01:11:14.160 --> 01:11:19.760 I’m just up — I’m doing an upcharge for this and giving you access to more people. It’s 01:11:19.760 --> 01:11:25.280 not really stolen data. It’s actually paying for the data as you're using it, 01:11:25.280 --> 01:11:33.680 and you're right, the unauthorized access is a CFAA violation and I could see them saying that, 01:11:33.680 --> 01:11:39.040 but I’m just so frustrated about this because you didn’t do any money laundering in the US. So, 01:11:39.040 --> 01:11:42.394 for them to say you did the money laundering there, it’s not true. You did that in… 01:11:42.394 --> 01:11:43.680 HIEU: I know. 01:11:43.680 --> 01:11:50.387 JACK: …Vietnam. So, I’m just frustrated on your behalf. 01:11:50.387 --> 01:11:57.440 HIEU: Right. I know, but the thing — is what it is, though. That’s how it worked. Also, 01:11:57.440 --> 01:12:06.280 the damage amount that they put in my case is very huge, though, like over $60 million USD. 01:12:06.280 --> 01:12:11.760 JACK: The prosecutors were saying he caused $60 million in damage. Of course, 01:12:11.760 --> 01:12:15.440 they didn’t explain how they came to that number. It’s kind of impossible 01:12:15.440 --> 01:12:20.080 to look through three million look-ups on Hieu’s site and then connect that to what 01:12:20.080 --> 01:12:24.560 identity theft crimes happened for those people and then add up how much money was earned from 01:12:24.560 --> 01:12:31.040 that. Anyway, all that was secondhand. None of that stolen money was done by Hieu. So, 01:12:31.040 --> 01:12:35.040 they likely just made up some number, but he’s not the one who did the identity theft. 01:12:35.040 --> 01:12:40.240 He’s not the one who did tax fraud scams. So, it’s maddening that they're saying he’s the one 01:12:40.240 --> 01:12:46.240 who’s responsible for all that damage. Like, Hieu is a criminal. He is the bad guy here, 01:12:46.240 --> 01:12:51.120 okay? I’m not trying to say he should have gotten off. He absolutely did break the law. 01:12:51.120 --> 01:12:58.160 What I’m saying is that this is the wrong law to be charging him with, because I hate when the CFAA 01:12:58.160 --> 01:13:02.080 is used like that. They tried to say he was also in trouble for money laundering, but he didn’t 01:13:02.080 --> 01:13:06.640 do any of his money laundering in the US. So, I’m not sure if that one even flies. But none of his 01:13:06.640 --> 01:13:11.920 charges were for any of the credit cards he stole or drained, all those sites that he hacked into 01:13:11.920 --> 01:13:15.760 back then. There’s nothing about all the concert tickets that he bought and then essentially 01:13:15.760 --> 01:13:21.600 scammed all those people. Those are easy charges to slap him with, yet they're completely absent 01:13:21.600 --> 01:13:27.280 here. There is a law around identity theft, but I think it would be hilarious if they charged 01:13:27.280 --> 01:13:32.880 him with that, since that’s the whole business model of what data brokers do already, right? 01:13:32.880 --> 01:13:38.240 They work every day to grab as many identities as they can without anybody’s permission and then 01:13:38.240 --> 01:13:43.920 sell them. Not only that; he didn’t steal the identities. He paid for them. So, the 01:13:43.920 --> 01:13:49.040 theft part would be in question, too. I think the proper crime here that they probably should have 01:13:49.040 --> 01:13:55.280 charged him with is that he was knowingly helping criminals conduct crimes, right? Like aiding and 01:13:55.280 --> 01:14:00.880 abetting and conspiracy, that sort of thing. Hieu knew his site was used by criminals, and they were 01:14:00.880 --> 01:14:05.520 his favorite customers because they would pay for tons of searches. So, he was catering to them, 01:14:05.520 --> 01:14:11.040 making it easier and better for them to use his site. So, while he didn’t do any of the tax fraud 01:14:11.040 --> 01:14:18.240 himself, he did help a lot of people do it. But he wasn’t being charged with aiding and abetting. 01:14:18.240 --> 01:14:23.120 He was being charged with violating the terms of service of a data broker, 01:14:23.120 --> 01:14:27.360 where he was impersonating someone else to get an account there. But the thing is the 01:14:27.360 --> 01:14:33.040 feds would have a much harder time proving his site was intended for criminal use compared to 01:14:33.040 --> 01:14:37.760 simply giving him a CFAA violation, which is easy to convict someone of. Like I said, 01:14:37.760 --> 01:14:43.360 we all violate the CFAA all day, every day. So, in my opinion, the feds charged 01:14:43.360 --> 01:14:47.920 him with the wrong crime because of the almost guaranteed win for them as opposed to charging 01:14:47.920 --> 01:14:53.360 him with the right crime and then struggling to find evidence to prove that he did that. 01:14:53.360 --> 01:14:58.000 By the way, while the feds said that he caused $60 million in damage, nobody was 01:14:58.000 --> 01:15:02.240 asking for restitution there. None of the data brokers were saying he caused them damage. 01:15:02.240 --> 01:15:08.240 So, if he did do all that damage, find that victim and bring them into the case. Because here’s the 01:15:08.240 --> 01:15:13.760 thing; I’m looking at the indictment and there’s not a single company name here or a victim name 01:15:13.760 --> 01:15:18.080 listed at all. Of course not, because the data brokers want to hide from you. So, 01:15:18.080 --> 01:15:22.480 the only thing listed there is Company A, headquarted in New Jersey, and it said he 01:15:22.480 --> 01:15:28.000 did an SQL injection on Company A. Well, by doing a little bit of research, it’s kind of easy to 01:15:28.000 --> 01:15:33.120 figure out that the data broker in New Jersey that they're talking about is USInfoSearch, 01:15:33.120 --> 01:15:38.480 which Hieu did, in fact, steal credentials and used that site, but not much at all. It was 01:15:38.480 --> 01:15:42.720 such a small blip in his story that it’s hardly worth mentioning, yet that’s the company that 01:15:42.720 --> 01:15:48.240 was saying he got unauthorized access to. But here’s the thing; here’s how it all connects. 01:15:48.240 --> 01:15:55.360 Court Ventures was partnered with USInfoSearch. If you were a paid Court Ventures user and you look 01:15:55.360 --> 01:16:01.440 someone up, they had a connection to USInfoSearch, so you'd get results from them, too. I’m just 01:16:01.440 --> 01:16:07.600 connecting the dots here, but that sounds like to me that Court Ventures was reselling data broker 01:16:07.600 --> 01:16:13.760 information that they got from USInfoSearch. Surely whatever deal they had with USInfoSearch, 01:16:13.760 --> 01:16:19.840 they were selling that data for a higher price to their own customers, right? You see my point. This 01:16:19.840 --> 01:16:25.680 story is pretty bizarre. So, you could say this company listed in the indictment, USInfoSearch, 01:16:25.680 --> 01:16:31.520 was the back end and provided data to Court Ventures, and it’s USInfoSearch that the US 01:16:31.520 --> 01:16:37.280 government is saying Hieu got unauthorized access to and profited off that access. 01:16:37.280 --> 01:16:45.040 You say the victims were the people who got their tax fraud or whatever stolen, but I really 01:16:45.040 --> 01:16:55.920 think the victims are the people you were stealing from, right? LocatePLUS, MicroBilt, and the Court… 01:16:55.920 --> 01:16:56.640 HIEU: Right, Court Venture. 01:16:56.640 --> 01:17:02.560 JACK: …Venture. I think those are the people you were robbing or attacking, and I’m surprised 01:17:02.560 --> 01:17:08.800 they — were they part of the case at all? Did they come and testify against you or give evidence? 01:17:08.800 --> 01:17:14.520 HIEU: No, no. I don’t — I didn’t see anybody from these companies. 01:17:14.520 --> 01:17:19.120 JACK: Yeah, but I can't — I just — did you have a good lawyer? 01:17:19.120 --> 01:17:26.960 HIEU: I paid for the lawyer. I spent almost more than — I think up to $700k. 01:17:26.960 --> 01:17:28.340 JACK: Wow. 01:17:28.340 --> 01:17:30.000 HIEU: Yeah, for the lawyer. 01:17:30.000 --> 01:17:36.320 JACK: Because I would have fought to say — yeah, you're saying that he caused $60 million 01:17:36.320 --> 01:17:42.960 in damage. However, he did not actually do any of that damage. He just gave the 01:17:42.960 --> 01:17:48.480 information to someone else, and someone else did the damage. He never did a tax fraud. So, 01:17:48.480 --> 01:17:52.400 you can't say he’s the one who did tax fraud. It’s like if I sell you a lighter 01:17:52.400 --> 01:17:56.880 and then you take that lighter and you burn a building down with the lighter. I’m not in 01:17:56.880 --> 01:18:02.320 trouble for selling you the lighter. The person who burned the building down is. 01:18:02.320 --> 01:18:08.160 HIEU: True. But, you know, back then, lots of people told me the 01:18:08.160 --> 01:18:15.120 same thing. I shouldn't keep — you know, I shouldn't hire a lawyer. I should keep that money. 01:18:15.120 --> 01:18:16.240 JACK: Yeah. 01:18:16.240 --> 01:18:21.200 HIEU: But, you know, my family, they're so worried and they can look up on the internet; 01:18:21.200 --> 01:18:28.720 oh yeah, this is a good lawyer, good rating, five-star rating, international lawyer, whatever, 01:18:28.720 --> 01:18:40.160 in New Hampshire, a professional one. Yes, that’s what happened. I remember every time 01:18:40.160 --> 01:18:52.720 the lawyers and his team meet me up — like, every time, it cost me $5,000 to $10,000 USD. 01:18:52.720 --> 01:19:03.906 An e-mail I sent to him or the lawyer team, it cost me $200 or $300 USD for one e-mail. 01:19:03.906 --> 01:19:06.360 JACK: I know, lawyers are so expensive. 01:19:06.360 --> 01:19:15.280 HIEU: I know, very expensive. But it was easy money; easy go. So, for real, 01:19:15.280 --> 01:19:22.080 I don't really complain about it because at the end of the day, it’s kinda like dirty money. 01:19:22.080 --> 01:19:26.240 JACK: You know, another thing that really bugs me about this whole thing is neither MicroBilt, 01:19:26.240 --> 01:19:32.320 LocatePLUS, or Court Ventures ever told their victims that there was a database breach. 01:19:32.320 --> 01:19:38.000 HIEU: No, they never say — even until now, I search about them and they never 01:19:38.000 --> 01:19:42.760 mentioned anything about it even though it really happened to them. 01:19:42.760 --> 01:19:48.400 JACK: What scumbags. I just — I have no sympathy for these data brokers. I absolutely hate them. 01:19:48.400 --> 01:19:53.280 They take my data without consent. I can't even opt out if I want. They don’t protect it, 01:19:53.280 --> 01:19:57.680 and when it’s lost in a data breach, they don’t even have the decency to tell me that 01:19:57.680 --> 01:20:03.920 my data that they gathered on me got loose. Hieu was desperately trying to get his lawyer 01:20:03.920 --> 01:20:09.280 to help him. But here’s the thing; there’s a 99% conviction rate when the feds slap 01:20:09.280 --> 01:20:15.760 you with a CFAA violation. In all the cases of the feds accusing someone of a CFAA violation, 01:20:15.760 --> 01:20:21.840 I’ve only been able to find two or three cases that the defendant actually won. The rest were 01:20:21.840 --> 01:20:27.040 people pleading guilty or found guilty in trial, and so, the chances of Hieu getting 01:20:27.040 --> 01:20:33.040 off were slim to none. He tried to fight it, but everything they tried just kept getting denied 01:20:33.040 --> 01:20:40.000 by the courts. After a few years of fighting, Hieu got tired and was running low on cash. 01:20:40.000 --> 01:20:45.440 HIEU: My lawyers explained to me I might lose the trial. I might 01:20:45.440 --> 01:20:48.640 get up to forty-five years in federal prison. 01:20:48.640 --> 01:20:49.520 JACK: Forty-five years? 01:20:49.520 --> 01:20:56.320 HIEU: I got so — right; I got so scared. All the charges all combined together — not 01:20:56.320 --> 01:21:03.440 only from New Hampshire, right, but also from the — from New Jersey as well, too. 01:21:03.440 --> 01:21:15.360 So, I got two criminal charges from New Hampshire and New Jersey. So, they all combined together, 01:21:15.360 --> 01:21:24.160 and they said up to forty-five years if I lose. So, my family and me were so scared. So, 01:21:24.160 --> 01:21:35.880 we — plea deals and, yeah, I pled guilty during the summertime of 2015. 01:21:35.880 --> 01:21:44.560 JACK: Guilty, guilty of doing $60 million in damage. When your sentence came up or during 01:21:44.560 --> 01:21:51.440 the plea deal, did you offer to give up your money to reduce the sentence? How did that go? 01:21:51.440 --> 01:21:59.440 HIEU: Oh, yeah. My family also asked them — they want to give back all the money, 01:21:59.440 --> 01:22:03.040 but they said, no, they don’t need that. 01:22:03.040 --> 01:22:05.160 JACK: Really? 01:22:05.160 --> 01:22:13.760 HIEU: Right. They don’t need money. They don’t need any assets. They don’t need anything. So, 01:22:13.760 --> 01:22:20.000 it was it. So — but the thing, you know, I spent lots of money on lawyers, 01:22:20.000 --> 01:22:27.880 on — during my incarceration as well, too, for food and medication and stuff like that. 01:22:27.880 --> 01:22:34.550 JACK: So, they didn’t take any of your money or property or cars or anything? 01:22:34.550 --> 01:22:38.400 HIEU: No, no. They didn’t care. It’s like, they don’t need that. 01:22:38.400 --> 01:22:40.320 JACK: They just want you. 01:22:40.320 --> 01:22:42.160 HIEU: They just want me. 01:22:42.160 --> 01:22:46.720 JACK: After pleading guilty, he was sentenced to thirteen years in prison, 01:22:46.720 --> 01:22:52.880 thirteen years for getting access to data broker data which he wasn’t authorized to access. At 01:22:52.880 --> 01:22:58.720 this point I’m wondering what if — instead of Hieu accessing data broker data to sell that, 01:22:58.720 --> 01:23:04.240 what if he just made his own data broker business, you know, for anyone to access? Would that be 01:23:04.240 --> 01:23:08.320 illegal? Like, if Hieu copied all the data out of the phone book and all the court records and 01:23:08.320 --> 01:23:12.880 the county records and scraped some LinkedIn data to build complete profiles on millions of people, 01:23:12.880 --> 01:23:16.400 that’s all public information, right? It wouldn't have been that hard for him to do 01:23:16.400 --> 01:23:22.240 because he’s a clever guy. Are there laws that he would be breaking if he sold that 01:23:22.240 --> 01:23:28.640 data? I guess what I’m wondering is are there laws that data brokers have to follow? Hm. 01:23:28.640 --> 01:23:32.640 Well, I had to stop and look into that. Basically, yes, there are data broker laws, 01:23:32.640 --> 01:23:38.160 and often states regulate them. The gist of the laws is that data brokers have to 01:23:38.160 --> 01:23:45.360 prove that they aren't selling their data to criminals. I mean, think about all the 01:23:45.360 --> 01:23:50.720 dangerous household things we probably all have, right? Box cutters, a hammer, matches, lighters, 01:23:50.720 --> 01:23:56.080 gasoline, bleach. These are all things that can cause a lot of harm and destruction, right? Yet, 01:23:56.080 --> 01:24:00.720 when you go to buy them, the store doesn't verify your intent. They're not like, hey, what are you 01:24:00.720 --> 01:24:06.000 gonna do with that box cutter? You have to prove to us that you're gonna put it to good use. Yet, 01:24:06.000 --> 01:24:12.720 that’s how data brokers treat their customers. Their customers have to show proof that they have 01:24:12.720 --> 01:24:18.880 a legitimate reason to search their data and they're on the approved list of okay people. 01:24:18.880 --> 01:24:22.320 Apparently it’s not good enough for data brokers just to say, hey, you can't use 01:24:22.320 --> 01:24:28.400 this for malicious intent. They have to verify every single user to try to prevent any of 01:24:28.400 --> 01:24:34.320 them from using the data maliciously. So, the approved list is people like law enforcement, 01:24:34.320 --> 01:24:38.560 marketers, investigators, loan agencies, those sort of people. 01:24:38.560 --> 01:24:46.080 That distinction is very fascinating to me. Data brokers are legal, but only if they sell 01:24:46.080 --> 01:24:52.320 their data to an exclusive group of people. I don't like that, not one bit. Of course, 01:24:52.320 --> 01:24:56.800 I don't like that there’s a business out there buying and selling my personal information. 01:24:56.800 --> 01:25:03.360 That’s gross. Go get a real job, alright? But I think I might have a hot take here. I don't 01:25:03.360 --> 01:25:08.640 like that they only sell their data to a certain group of people. I wish they sold it to anyone. 01:25:08.640 --> 01:25:15.120 Only people in some exclusive club can look up my data, a club that I’m not allowed in? 01:25:15.120 --> 01:25:19.600 The reason why states regulate data brokers is because if anyone could search those databases, 01:25:19.600 --> 01:25:24.160 then we’d all be flooded with scammers and identity thieves and stalkers. But to me, 01:25:24.160 --> 01:25:29.120 that’s not the problem. To me, the problem is, one, I don't even know how much data those data 01:25:29.120 --> 01:25:34.960 brokers have on me, and two, I don't even know who has my data. If I could somehow feel the 01:25:34.960 --> 01:25:42.160 sting and pain every time my privacy is lost, I would take my privacy way more seriously. So, 01:25:42.160 --> 01:25:46.000 I know there’s probably apps on my phone that are sending real-time location data 01:25:46.000 --> 01:25:51.200 right now to a data broker, and if someone took that data and saw where I was and came 01:25:51.200 --> 01:25:55.680 to my house and knocked on my door, of course I wouldn't answer 'cause I never answer my door. 01:25:55.680 --> 01:26:00.480 But I just imagine them continually pounding on the door, like, hey, I know you're home. Answer 01:26:00.480 --> 01:26:05.440 the door. Your phone is sending me real-time location data to me right now. I’d immediately 01:26:05.440 --> 01:26:12.640 be like, wait, what app is sending you my location data? I think having a scary moment like that 01:26:12.640 --> 01:26:21.200 would absolutely force me to uninstall apps that are tracking me. So, my hot take is that stalkers 01:26:21.200 --> 01:26:27.200 aren't the problem here. It’s the obsessive collection of my data that’s the problem. If 01:26:27.200 --> 01:26:32.640 data brokers opened themselves up to let anyone search their site, we’d all be way more private 01:26:32.640 --> 01:26:39.600 and secure, because we’d all be taking huge steps into protecting our privacy way more seriously. We 01:26:39.600 --> 01:26:46.000 don’t know what’s out there. We don’t think it’s a problem, and they're trying to hide that from us. 01:26:46.000 --> 01:26:51.200 Of course, the data brokers say they take our privacy seriously and security is their top 01:26:51.200 --> 01:26:57.680 priority. Yeah, well, until it isn't. Hieu got into four different data brokers all by himself, 01:26:57.680 --> 01:27:02.000 and it didn’t look like it was that hard for him to do. Not only that; there’s news story after 01:27:02.000 --> 01:27:07.120 news story of data brokers getting hacked into. The biggest one is when Equifax got 01:27:07.120 --> 01:27:12.160 breached. If the data brokers were so worried about their data getting into the wrong hands 01:27:12.160 --> 01:27:17.280 like scammers and stalkers, then don’t collect it at all, because if there’s one thing I’ve learned 01:27:17.280 --> 01:27:24.880 about doing over 160 episodes on hacking, is that you will fail at securing your network and data 01:27:24.880 --> 01:27:32.400 at some point. There is no safe way to collect and store my personal data, much less sell it. 01:27:32.400 --> 01:27:36.320 The regulators think forcing data brokers to vet every user 01:27:36.320 --> 01:27:41.360 is stopping criminals from accessing the data, but clearly criminals are, 01:27:41.360 --> 01:27:46.480 in fact, accessing the data. Since when do criminals follow regulations? So, really, 01:27:46.480 --> 01:27:52.240 all the regulations are doing is stopping people like you and me, normal citizens, from being able 01:27:52.240 --> 01:27:57.280 to see what’s in there. There are so few people who truly understand what is happening in this 01:27:57.280 --> 01:28:01.920 data broker world since they like to operate in the dark, in the shadows of the internet, 01:28:01.920 --> 01:28:07.440 and they work hard to keep everyone else in the dark. I want to believe that someday privacy will 01:28:07.440 --> 01:28:13.040 be in style again, and we just need enough cool people to tell us it’s worth wanting, because 01:28:13.040 --> 01:28:18.880 data brokers has a bad aesthetic. Surveillance is sterile. It’s cold, gray, and depressing. 01:28:18.880 --> 01:28:25.280 There’s nothing cool or romantic or aspirational about being trackable down to when you're peeing 01:28:25.280 --> 01:28:31.600 or having sex or eating or sleeping, yet these data brokers are feverishly trying to know all 01:28:31.600 --> 01:28:38.480 of that about you and build a complete behavior profile on you and then selling that to millions 01:28:38.480 --> 01:28:47.360 of people who are on the allowed list. I hope someday wanting privacy doesn't make you a weirdo, 01:28:47.360 --> 01:28:57.120 but it makes you cool. Hieu was sentenced in 2015, which meant he’d get out in 2026, because he 01:28:57.120 --> 01:29:02.640 already spent two years in prison by that point. It was there in the New Hampshire prison where he 01:29:02.640 --> 01:29:07.360 learned English and studied all kinds of things. The police asked if he could share his story with 01:29:07.360 --> 01:29:12.320 others to teach them how the darknet works and all that, so he cooperated and told his story and was 01:29:12.320 --> 01:29:17.920 trying to self-rehabilitate to get out early. But when he was in prison, he heard some news which 01:29:17.920 --> 01:29:24.520 really crushed him. That Liberty Reserve website was seized by the feds and the owner was caught. 01:29:24.520 --> 01:29:27.360 HIEU: I heard on the news that he got caught. 01:29:27.360 --> 01:29:32.560 JACK: The thing is, Hieu had a lot of money still in his Liberty Reserve account. But when the feds 01:29:32.560 --> 01:29:38.000 seized the site, they seized all that money, too. How much would — how much did you lose there? 01:29:38.000 --> 01:29:44.480 HIEU: I was saving up over there a little more than $300k. 01:29:44.480 --> 01:29:45.160 JACK: Wow. 01:29:45.160 --> 01:29:54.480 HIEU: You know, I was thinking, man, I will go home and I will get that money. But the 01:29:54.480 --> 01:30:01.600 moment I heard on the news during my incarceration time in 2014 or ‘15, 01:30:01.600 --> 01:30:05.320 I was like, man, it’s over. No more money. 01:30:05.320 --> 01:30:09.680 JACK: So, he continued serving his prison sentence, staying out of trouble. Because 01:30:09.680 --> 01:30:15.040 he had good behavior, they let him out early. After serving seven years in prison, they let 01:30:15.040 --> 01:30:20.880 him out in 2020. There was a lot of complications getting out of prison in the middle of a pandemic, 01:30:20.880 --> 01:30:26.240 so it took him eight months to get home after he was released. But he eventually made it 01:30:26.240 --> 01:30:33.600 back to Vietnam. When you got home in 2020, did you have money remaining from all this? 01:30:33.600 --> 01:30:43.120 HIEU: I still got a little more than $50,000 USD and one apartment. 01:30:43.120 --> 01:30:45.840 JACK: When he got home, he got a job with 01:30:45.840 --> 01:30:50.000 the Vietnamese government to help with their national cyber defense. 01:30:50.000 --> 01:30:58.240 HIEU: The so-called NCSC, the National Cyber Security Center, I’ve been working there for 01:30:58.240 --> 01:31:11.280 four years. I just left NCSC just five months ago because the government, they’d restructured the 01:31:11.280 --> 01:31:17.840 agency, and that’s why I left NCSC, and right now I’m just trying to — mainly 01:31:17.840 --> 01:31:27.680 focusing on cyber crime investigation. I love hunting cyber criminals, technically. 01:31:27.680 --> 01:31:36.320 To the day I got home until now, I was helping law enforcement in Vietnam 01:31:36.320 --> 01:31:43.040 and all the country as well to arrest more than two hundred cyber criminals. 01:31:43.040 --> 01:31:46.400 JACK: He says he also enjoys helping victims of scams and 01:31:46.400 --> 01:31:49.840 identity theft by educating them on what options they have and helping 01:31:49.840 --> 01:31:53.520 them regain control of their life and use the law to help them out. In fact, 01:31:53.520 --> 01:31:57.840 it sounds to me that Hieu feels pretty bad for all the people who got scammed from his service. 01:31:57.840 --> 01:32:05.680 HIEU: I feel like I owe a lot to the people, basically the people in the US. I — kinda like 01:32:05.680 --> 01:32:14.240 I hurt and harmed so many people’s lives, and I kinda always feel ashamed about it. 01:32:14.240 --> 01:32:20.000 JACK: So, he wants to be clear that he is sorry for anyone whose identity got stolen and lost 01:32:20.000 --> 01:32:26.560 money from his website. He truly feels bad about it and has apologized publicly multiple times and 01:32:26.560 --> 01:32:30.960 wants to try to do what he can to correct the wrongs he’s done, which is why he’s helping 01:32:30.960 --> 01:32:45.417 victims now and works with law enforcement to catch cyber criminals in his home country. 01:32:45.417 --> 01:32:48.400 (Outro): [Outro music] Thank you so much to Hieu Minh Ngo for telling us this incredible 01:32:48.400 --> 01:32:54.080 story. This one was wild. I had to stop and think multiple times while making it, 01:32:54.080 --> 01:32:57.840 and I love a good story that puts me in deep thought like that, and I hope it did for you, 01:32:57.840 --> 01:33:02.800 too. I recently read a book about data brokers which was extremely eye-opening, 01:33:02.800 --> 01:33:07.280 and I encourage you all to read it. It’s called Means of Control by Byron Tau. Check 01:33:07.280 --> 01:33:11.680 it out. It’s a total page-turner. You will not see the world the same again after that. 01:33:11.680 --> 01:33:14.960 Don’t forget, you can pick up some really cool shirts at our shop. I 01:33:14.960 --> 01:33:20.640 guarantee you will find a shirt you love there. Go to shop.darknetdiaries.com. 01:33:20.640 --> 01:33:25.920 This episode was created by me, the hackstreet boy himself, Jack Rhysider. Our editor is the 01:33:25.920 --> 01:33:30.480 hash-slashing Tristan Ledger, mixing by Proximity Sound, and our intro music by 01:33:30.480 --> 01:33:36.800 the mysterious Breakmaster Cylinder. They say if you don’t pay for it, then you're the product. 01:33:36.800 --> 01:33:46.400 But what if you pay a data broker to look up your own data? What then, hm? This is Darknet Diaries.