WEBVTT

00:00:00.000 --> 00:00:03.280
JACK: The older generation gives us so much

00:00:03.280 --> 00:00:07.120
guidance and wisdom that I don’t know where we’d be without them.

00:00:07.120 --> 00:00:09.400
They teach us the dangers of the world and give

00:00:09.400 --> 00:00:13.280
us the insights that would take us decades to figure out on our own.

00:00:13.280 --> 00:00:17.272
But the internet… doesn’t have an older generation still.

00:00:17.272 --> 00:00:21.760
[MUSIC] We’re still in the first generation of users. It’s only been 30 years since AOL

00:00:21.760 --> 00:00:28.400
brought millions of people online for the first time. And oh how the internet has changed since…

00:00:28.400 --> 00:00:33.840
I fear that when there’s no older generation to guide the younger generation on how to be safe

00:00:33.840 --> 00:00:39.920
online, that there’s a lot of kids who will learn the hard way. I know when I was a teen,

00:00:39.920 --> 00:00:44.800
I screwed around so much on the internet that I swear, I got a new virus on my family computer

00:00:44.800 --> 00:00:51.240
every week. There was no one around to show me why that happened or how to fix it. My

00:00:51.240 --> 00:00:56.360
grandma and dad barely knew how to turn it on, much less handle these kind of problems.

00:00:56.360 --> 00:01:01.000
Schools weren’t teaching computers yet, and when they finally did, they taught basic things like

00:01:01.000 --> 00:01:06.520
how to type or use some sort of application. Nowhere in the curriculum was anything about the

00:01:06.520 --> 00:01:13.640
dangers of downloading software, shopping online, or going to chat rooms. That kind of stuff is only

00:01:13.640 --> 00:01:21.320
taught by family, or in my case, by nobody. In fact, the older generation often relies on the

00:01:21.320 --> 00:01:28.520
newer generation to teach them about computers. So many times I’ve seen parents ask their kids to

00:01:28.520 --> 00:01:34.840
set up the new computer or show them how to use social media. Kids teaching parents the dangers

00:01:34.840 --> 00:01:40.920
of social media is like kids teaching parents street smarts. But that’s the world we’re in,

00:01:40.920 --> 00:01:48.440
because it’s so new. What will the internet look like in 2060? There will be better educated users,

00:01:48.440 --> 00:01:53.480
users who grew up with parents who have seen the darker side of the internet and can warn

00:01:53.480 --> 00:02:00.240
them about it and show them the dangers. But that time is not here yet. We’re still in the age of

00:02:00.240 --> 00:02:10.257
the younger generation guiding our light. I sure hope they know where they’re going.

00:02:10.257 --> 00:02:12.600
(INTRO): [INTRO MUSIC] These are true stories from the dark side of

00:02:12.600 --> 00:02:33.180
the internet. I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS]

00:02:33.180 --> 00:02:40.480
JACK: The other day, someone found me, and he was willing to open up and share what he

00:02:40.480 --> 00:02:46.240
knows about some online communities that I don’t have visibility into. I’ll tell you right now,

00:02:46.240 --> 00:02:50.320
this episode isn’t so much a story as it’s more of a tour of what’s

00:02:50.320 --> 00:02:55.120
going on in some of these underground groups, groups that are home to hackers,

00:02:55.120 --> 00:02:59.840
scammers, and thieves. [PHONE SOUNDS] Hello.

00:02:59.840 --> 00:03:01.280
DREW: Hello.

00:03:01.280 --> 00:03:03.720
JACK: What’s up, man?

00:03:03.720 --> 00:03:05.480
DREW: Not much.

00:03:05.480 --> 00:03:09.920
JACK: Is there a name that I should refer to you as when I’m talking about you on this episode?

00:03:09.920 --> 00:03:11.680
DREW: You can call me Drew.

00:03:11.680 --> 00:03:16.071
JACK: You sure? I don’t know if that’s your real name or not, but it sounds like a…

00:03:16.071 --> 00:03:16.800
DREW: Oh no, it’s not.

00:03:16.800 --> 00:03:18.880
JACK: Okay. Just Drew, okay. Sounds good.

00:03:18.880 --> 00:03:19.800
DREW: Yeah, just Drew.

00:03:19.800 --> 00:03:22.440
JACK: Oh, so first of all, I want to clarify;

00:03:22.440 --> 00:03:25.480
it’s okay to record this call to use it on the podcast Darknet Diaries?

00:03:25.480 --> 00:03:27.220
DREW: Yes, you have permission.

00:03:27.220 --> 00:03:29.760
JACK: Okay, then it is recording.

00:03:29.760 --> 00:03:37.940
DREW: Alright. So, basically – do you want the full story?

00:03:37.940 --> 00:03:39.960
JACK: Yeah.

00:03:39.960 --> 00:03:46.880
DREW: Alright, so, it starts at age thirteen at Roblox, like playing Roblox,

00:03:46.880 --> 00:03:49.660
and I found that you could get discounted Roblox.

00:03:49.660 --> 00:03:54.360
JACK: Okay, sorry, already I’m lost. Roblox is just outside of my peripheral view,

00:03:54.360 --> 00:03:58.720
and I don’t really get it. So, I need to pause here for a moment, do some research,

00:03:58.720 --> 00:04:03.760
and I’ll be right back. [MUSIC] Okay, so first of all, Roblox is a video game,

00:04:03.760 --> 00:04:08.160
but it’s more than that; it’s a video game platform which gives you the tools to make

00:04:08.160 --> 00:04:12.160
your own video game. If you build something cool, others might want to come play it,

00:04:12.160 --> 00:04:19.480
too. However, there’s this thing called Robux. It’s the in-game currency of Roblox, and some

00:04:19.480 --> 00:04:26.200
user-made Roblox games require you to pay Robux in order to play it. Do I have this right so far?

00:04:26.200 --> 00:04:30.400
DREW: Yeah, you’re getting that right, except I think that one thing to keep in mind is that

00:04:30.400 --> 00:04:34.840
little kids want in-game currency and they’re willing to do anything for it

00:04:34.840 --> 00:04:37.680
‘cause they don’t have the physical money for it ‘cause their parents don’t want to spend money.

00:04:37.680 --> 00:04:39.800
JACK: Can you buy it with real cash?

00:04:39.800 --> 00:04:42.420
DREW: Yes, you buy – you can only buy it with real cash.

00:04:42.420 --> 00:04:44.360
JACK: Oh, you can’t earn it in-game?

00:04:44.360 --> 00:04:45.874
DREW: No, it’s not a…

00:04:45.874 --> 00:04:46.040
JACK: Okay.

00:04:46.040 --> 00:04:49.920
DREW: …in-game earnable commodity. So, these kids want it and they can’t pay for it ‘cause

00:04:49.920 --> 00:04:53.760
they’re kids and their parents don’t want to pay for their game all the time. So, they go

00:04:53.760 --> 00:04:59.680
to these websites where they can just complete surveys and do ads, and they can get Robux for it.

00:04:59.680 --> 00:05:05.800
JACK: Okay, already I’m seeing potential for abuse here. So, there’s real money going in and

00:05:05.800 --> 00:05:11.040
real money coming out of Roblox, because if you manage to create a game that people are willing

00:05:11.040 --> 00:05:16.520
to pay to play, you can get money as the game creator. So, if you can somehow get people to

00:05:16.520 --> 00:05:22.280
play your game whether legitimately or not, you get paid. But on the other side is how people

00:05:22.280 --> 00:05:27.760
are getting Robux. As Drew said, kids don’t have money, so they go to these websites and

00:05:27.760 --> 00:05:34.000
they sit there and fill out surveys and watch ads to get Robux. These ad servers make money

00:05:34.000 --> 00:05:37.640
from their clicks and pay a percentage to the kids that are clicking the links.

00:05:37.640 --> 00:05:40.440
DREW: Yeah, that’s exactly the model. A lot of it’s – you can scan, to be honest.

00:05:40.440 --> 00:05:43.680
JACK: Yeah, and not all these sites pay out, either. So, you’re kinda lucky if

00:05:43.680 --> 00:05:47.760
you actually get Robux from doing all this work. You know if a thirteen-year-old really

00:05:47.760 --> 00:05:52.880
wants some Robux and sees an option to get some free ones, they’re gonna click a link,

00:05:52.880 --> 00:05:56.160
install some software, [MUSIC] or sign up for something and give their e-mail and phone

00:05:56.160 --> 00:06:01.040
number. Drew’s friend had set up one of these ad servers and was running Google Ads to make

00:06:01.040 --> 00:06:06.240
it easier for kids to find his server and come on by and click all the links to earn Robux.

00:06:06.240 --> 00:06:11.240
DREW: The profit margins were insane. So, it would cost him like, $6 to pay a kid for like, $50 worth

00:06:11.240 --> 00:06:15.680
of income for him. He’d have like 2000 kids a month and he was making $1,000 to $2,000 a day,

00:06:15.680 --> 00:06:20.280
and that was the most I had ever seen. He was like – oh, then I caught them every day. It was very

00:06:20.280 --> 00:06:26.280
cool to see. He’s my age; he’s like, fourteen, fifteen, and he’s doing this every single day.

00:06:26.280 --> 00:06:33.960
JACK: Suddenly, the game wasn’t to play Roblox but to commoditize and monetize the kids who

00:06:33.960 --> 00:06:40.440
were willing to sit and watch ads to get Robux. Like I said, that’s just the front end. You can

00:06:40.440 --> 00:06:45.840
imagine all the tactics to game the back end, such as cloning a popular Roblox game and then

00:06:45.840 --> 00:06:50.120
somehow attacking the original to make it go down so that everyone flocks to yours because yours

00:06:50.120 --> 00:06:55.560
is up. Now you’re getting paid Robux, and there’s all kinds of black hat strategies that are talked

00:06:55.560 --> 00:07:00.460
about on hacker forums that discuss this, which is where Drew and his friend were hanging out.

00:07:00.460 --> 00:07:05.200
DREW: He probably accumulated like, $30,000 off that. Him and his friend both had $30,000 and

00:07:05.200 --> 00:07:08.900
they’re like okay, we’re making this much money. How are we going to multiply this?

00:07:08.900 --> 00:07:12.160
JACK: They look around on the forums to see what other people are doing,

00:07:12.160 --> 00:07:17.200
and that’s when they learned about vanilla gift cards. These are gift cards that you might receive

00:07:17.200 --> 00:07:22.920
for a job well done at work, or as a present of some kind. It’s a Visa gift card that you can use

00:07:22.920 --> 00:07:27.900
anywhere that accepts Visa cards, and if you have one, you might be curious how much money is on it.

00:07:27.900 --> 00:07:30.160
DREW: People need to check their gift card balance,

00:07:30.160 --> 00:07:33.960
so they look up gift card balance or vanilla gift card balance.

00:07:33.960 --> 00:07:37.600
JACK: So, what his friends did was set up a site that looked just like

00:07:37.600 --> 00:07:41.600
the Visa vanilla gift card site, and it had a little form to fill

00:07:41.600 --> 00:07:45.020
out and enter your card details in order to check your balance.

00:07:45.020 --> 00:07:47.920
DREW: They collect the card information. They have an automated checker to check

00:07:47.920 --> 00:07:50.480
the balance of the card against the real site,

00:07:50.480 --> 00:07:57.520
and then they sell the card which they cash out through various methods like G2A or minds.com.

00:07:57.520 --> 00:08:03.480
JACK: Their site steals anyone’s gift card who enters it in. But of course, nobody would go

00:08:03.480 --> 00:08:09.080
to this page since it’s unknown, and if you do a Google search for vanilla gift card balance check,

00:08:09.080 --> 00:08:15.040
you get the official Visa’s page as a first link. However, there’s a way to get your site to almost

00:08:15.040 --> 00:08:19.960
instantly show up above the first search result, and it only costs one or two bucks per click.

00:08:19.960 --> 00:08:25.800
[MUSIC] That’s by using Google Ads. Drew’s friends would spend tons of money on Google Ads to get

00:08:25.800 --> 00:08:32.540
their fake vanilla gift card balance checker to show up as the first link when you Google for it.

00:08:32.540 --> 00:08:36.160
DREW: People don’t know the difference between two URLs a lot of the time, or at least they’re not

00:08:36.160 --> 00:08:41.000
trained to know. They just click the first result, they press on the ad. It’s a phishing page.

00:08:41.000 --> 00:08:45.280
JACK: They enter their card details, see their balance, and before they can spend it, their

00:08:45.280 --> 00:08:50.880
card is emptied by Drew’s friends. But of course, Drew’s friends aren’t the only ones stealing cards

00:08:50.880 --> 00:08:55.760
this way. There’s a whole group of people who have made dozens of websites for all the various gift

00:08:55.760 --> 00:09:00.000
cards to try to get anyone who’s checking their gift card balance to click the link.

00:09:00.000 --> 00:09:03.720
DREW: This is the one that probably the most – I’ve done this – I’ve been involved in this one

00:09:03.720 --> 00:09:07.520
for the longest that I’ve ever been involved in anything before. Yeah, it really disciplines me

00:09:07.520 --> 00:09:14.760
the most, ‘cause I’ve been a participator of this, I’ve been a spectator, I’ve been a – purposely

00:09:14.760 --> 00:09:20.380
trying to take it down for years. Now, it’s like, everyone’s – once I stopped, I hated it.

00:09:20.380 --> 00:09:25.440
JACK: Yeah, Drew here could no longer stand by and watch his friends make thousands of

00:09:25.440 --> 00:09:30.280
dollars from a little bit of work. He learned how to clone a website which is really easy,

00:09:30.280 --> 00:09:34.600
and set up his own phishing site, and he started running Google Ads himself to try to get people

00:09:34.600 --> 00:09:40.880
to give him cards, which is horrible. It’s stealing money from people. It’s wrong,

00:09:40.880 --> 00:09:47.360
and it totally sucks to have someone steal your card in this way. But why are people answering

00:09:47.360 --> 00:09:55.440
their gift card details on a random site? Come on! So, Drew is running this scam for a while,

00:09:55.440 --> 00:10:01.560
and it’s giving him some extra money, but he had a gambling problem. Anytime he had excess cash,

00:10:01.560 --> 00:10:07.040
he’d go online and try to double it or triple it or quadruple it. In fact, a lot of people in

00:10:07.040 --> 00:10:12.440
this community have gambling problems, so even though he was making some money as a teenager,

00:10:12.440 --> 00:10:17.360
it was gone immediately. So, he starts looking at what else he can get involved with so he

00:10:17.360 --> 00:10:23.600
can make more money, and that’s when he came across a forum called OGUsers. [MUSIC] This is

00:10:23.600 --> 00:10:29.760
a forum where you can buy and sell social media accounts; Instagram accounts, Snapchat accounts,

00:10:29.760 --> 00:10:34.840
Kik, Skype usernames, you name it. Not just that, but other accounts too, like Roblox

00:10:34.840 --> 00:10:39.280
accounts and other video game accounts. He was one of the early ones to join OGUsers.

00:10:39.280 --> 00:10:44.600
DREW: So, I’m the 700th user to make an OGUser account. There’s hundreds of thousands now,

00:10:44.600 --> 00:10:48.160
and this is my – this is probably the most valuable thing I’ve ever had in my life. So,

00:10:48.160 --> 00:10:52.280
I’m really early onto this forum, so I look reputable. The thing is, things that matter

00:10:52.280 --> 00:10:57.800
on forums are seniority, like how long you’ve been there, and vouchers. The longer you’ve been there,

00:10:57.800 --> 00:11:03.560
the more vouchers you can accumulate anyway. So, basically I’m on the forum, and I start manually

00:11:03.560 --> 00:11:09.800
making usernames that are just bad. Like, I’m making @dataframes on Kik to sell, ‘cause people

00:11:09.800 --> 00:11:13.300
like a good Kik username ‘cause that’s how they talk to other fraudsters. They want to look cool.

00:11:13.300 --> 00:11:18.840
JACK: So, the people who were already on OGUsers before him were making some pretty good sales. For

00:11:18.840 --> 00:11:23.640
instance, if you have a short, catchy username on Twitter, that goes for more money, and I’ve talked

00:11:23.640 --> 00:11:29.320
about OGUsers in the past, on other episodes, and how horrible it can be. Drew was seeing how people

00:11:29.320 --> 00:11:34.600
were making money selling accounts, so he just decided to go on Kik and find some clever-sounding

00:11:34.600 --> 00:11:39.160
usernames that weren’t registered yet and just register them, and then try to sell them for like,

00:11:39.160 --> 00:11:44.920
$15 each. Well, his listings weren’t selling, but the other users on the forum saw what he

00:11:44.920 --> 00:11:49.280
was trying to do, and he was trying real hard to make money, and they wanted to sort of throw

00:11:49.280 --> 00:11:54.880
him a bone. So, they started buying a few off him. Now, creating a new user on Kik and trying to sell

00:11:54.880 --> 00:11:59.960
it on OGUsers, that’s not illegal; it’s similar to buying a .com domain and trying to sell it.

00:11:59.960 --> 00:12:04.040
DREW: This is not unethical at all, what’s – obviously it’s gonna turn extremely horrible.

00:12:04.040 --> 00:12:04.880
JACK: Yeah.

00:12:04.880 --> 00:12:07.120
DREW: Give me ten minutes; it’s gonna be miserable, but…

00:12:07.120 --> 00:12:08.280
JACK: Oh, sure.

00:12:08.280 --> 00:12:12.880
DREW: …it starts off pretty innocent. It’s like, okay, I’m making a hundred bucks and you know,

00:12:12.880 --> 00:12:17.080
I get a – I remember I got a vanilla gift card for my birthday present.

00:12:17.080 --> 00:12:22.080
JACK: So, with the money he has, he goes on OGUsers to try to find something to buy,

00:12:22.080 --> 00:12:25.440
something that he hopes he can resell for a higher price later.

00:12:25.440 --> 00:12:28.420
He finds a really good username for a price that was pretty low.

00:12:28.420 --> 00:12:31.960
DREW: So, I get it for very cheap ‘cause someone is trying to quick sell it ‘cause they needed the

00:12:31.960 --> 00:12:36.800
money instantly. They may be facing some sort of struggle or they’re just broke,

00:12:36.800 --> 00:12:40.440
and they – ‘cause what happens a lot is people have nice usernames and they go broke,

00:12:40.440 --> 00:12:43.280
and they sell the username to get some money back. So, yeah,

00:12:43.280 --> 00:12:46.600
that probably happened there. He sold a really nice @ for like, $200 to me.

00:12:46.600 --> 00:12:53.320
JACK: Some lingo; an @ is a username. A lot of usernames have the @ symbol in front of them,

00:12:53.320 --> 00:12:55.540
so they just shortened it to @ on these forums.

00:12:55.540 --> 00:12:57.200
DREW: I sold this one for probably like,

00:12:57.200 --> 00:13:03.226
$350. Now I made $150 in a day and I’m a proud little fourteen-year-old.

00:13:03.226 --> 00:13:08.160
JACK: [MUSIC] Of course, the danger is, once you get one taste of the potential,

00:13:08.160 --> 00:13:14.640
you get hooked. It’s like blood to a shark. So, he goes deep on OGUsers, trying to snipe

00:13:14.640 --> 00:13:21.200
more cheap deals and sell them for higher. Along the way, he learns more about how OGUsers works.

00:13:21.200 --> 00:13:25.280
DREW: Alright, so here’s some introduction to usernames market. There’s a service

00:13:25.280 --> 00:13:29.360
called swapping. Not SIM-swapping; not to be confused with SIM-swapping. It’s whenever you

00:13:29.360 --> 00:13:33.680
take an account username from one account to another, but with permission. You do

00:13:33.680 --> 00:13:37.440
this in an automatic fashion because people can manually take the account before you claim it.

00:13:37.440 --> 00:13:41.720
JACK: What he’s saying is suppose the account you want to buy is stolen. If you buy it,

00:13:41.720 --> 00:13:46.400
there’s a chance the account holder can contact Instagram support or whatever and recover their

00:13:46.400 --> 00:13:51.800
account. So what a lot of people do on OGUsers is as soon as they buy a stolen username, they change

00:13:51.800 --> 00:13:56.720
the username to something else. This makes it so nobody has that username now, and you can just

00:13:56.720 --> 00:14:01.640
register a new account with that username. So, you can abandon the account you just bought, because

00:14:01.640 --> 00:14:06.360
if somebody recovers it and gets their old account back, it’ll have a different username and it won’t

00:14:06.360 --> 00:14:12.520
be the same as what they used to have. But here’s the problem; everyone on OGUsers sees when someone

00:14:12.520 --> 00:14:17.080
buys a stolen username, and they know you’re gonna change the username, so you can create a

00:14:17.080 --> 00:14:23.080
new account with that username. So, what they’ll do is they’ll try to snipe that account from you

00:14:23.080 --> 00:14:27.400
by constantly trying to create a new username with that name, hoping that when you change it, they’ll

00:14:27.400 --> 00:14:32.240
get it before you have a chance to make a new one. There’s an internal war that happens whenever a

00:14:32.240 --> 00:14:36.960
sale happens on OGUsers, and some people lose their account right after they bought it.

00:14:36.960 --> 00:14:40.400
DREW: Well, the only way to beat this, or the potential of this, is to have an automated system

00:14:40.400 --> 00:14:46.320
called a swapper or a claimer or a turbo. These are all the same thing. Turbo is the original

00:14:46.320 --> 00:14:51.680
name for it. So, the turbo automatically uses an Instagram endpoint to claim this username for you.

00:14:51.680 --> 00:14:55.560
JACK: This is madness. There’s no trusting anyone in these groups. Seriously,

00:14:55.560 --> 00:15:00.020
there’s a constant barrage of users trying to hack users. It’s endless.

00:15:00.020 --> 00:15:02.440
DREW: People would – Graham Ivan Clark,

00:15:02.440 --> 00:15:04.620
for instance, the guy who did – the guy who hacked Twitter…

00:15:04.620 --> 00:15:09.920
JACK: He’s talking about Graham Ivan Clark, and that’s the guy who hacked Bill Gates’ Twitter,

00:15:09.920 --> 00:15:15.200
Elon Musk, Joe Biden, and Barack Obama’s Twitter accounts, and posted a scam to

00:15:15.200 --> 00:15:19.720
people to send him Bitcoin. Graham was in these groups before he was arrested.

00:15:19.720 --> 00:15:23.920
DREW: Before he was a simmer, he would limit people’s PayPal service. He would

00:15:23.920 --> 00:15:27.880
call PayPal and tell them – just tell them this person’s committing fraud.

00:15:27.880 --> 00:15:32.600
JACK: So, when people buy accounts on OGUsers, they can use PayPal to do it. What Graham

00:15:32.600 --> 00:15:37.560
was doing was reporting certain accounts to PayPal to try to get their accounts frozen,

00:15:37.560 --> 00:15:41.040
just to grief people and sort of attack the community he was part of.

00:15:41.040 --> 00:15:46.760
DREW: Then the account agent would be like oh, shoot, he is committing fraud, or they’d try to

00:15:46.760 --> 00:15:50.680
convince them that the account’s under eighteen. They did this to Ninja’s account on stream.

00:15:50.680 --> 00:15:54.240
JACK: So, Ninja is a Twitch streamer popular for playing Fortnite. In fact,

00:15:54.240 --> 00:15:58.680
he’s the most-followed Twitch channel out there, and his real name is Richard Tyler Blevins.

00:15:58.680 --> 00:16:01.200
DREW: My group of friends, they were in a call, and they were like,

00:16:01.200 --> 00:16:05.320
we want to do something funny. Like, they want to hack a mainstream guy. So, they go to Ninja’s

00:16:05.320 --> 00:16:11.080
PayPal and they manage to get it limited. They say that they’re Ninja, actually. They’re like hey,

00:16:11.080 --> 00:16:16.600
I’m Tyler Blevins and I’m not the proper age to run this account. How do I close it down?

00:16:16.600 --> 00:16:21.000
The support agent’s like, what? You’re not the proper age? I’m like yeah, I put fake information,

00:16:21.000 --> 00:16:26.200
but I need to close this out ‘cause I’m gonna turn eighteen soon. That’s the general method,

00:16:26.200 --> 00:16:31.400
or was the method. I doubt this works anymore. It’s been so many years. But yeah, they limited

00:16:31.400 --> 00:16:38.840
Tyler – Ninja’s account. I thought that was kinda funny. It’s like, what did you gain from limiting

00:16:38.840 --> 00:16:43.960
Ninja’s account? But then there’s a deeper thing where they actually limit people’s PayPal as a

00:16:43.960 --> 00:16:49.280
service. If you have someone who you don’t like, [MUSIC] you can chargeback them, which means you

00:16:49.280 --> 00:16:54.600
can send them a transaction and then take the money back. That was a very big hustle. People

00:16:54.600 --> 00:16:59.560
would buy things that they had the upfront money for, but then just take the money back and get the

00:16:59.560 --> 00:17:04.900
product. So, like you could get an OG username for a thousand dollars; just charge them back.

00:17:04.900 --> 00:17:09.840
JACK: I particularly hate chargebacks because the victim is so powerless in that situation. If

00:17:09.840 --> 00:17:14.160
someone steals your credit card and buys something online, you can tell the credit card company hey,

00:17:14.160 --> 00:17:18.200
I didn’t make this purchase; please reverse it, and the credit card company will do what’s called

00:17:18.200 --> 00:17:23.080
a chargeback. They’ll take the money back from what was sent to the merchant, but on top of that,

00:17:23.080 --> 00:17:28.640
they send the merchant a $15 penalty. So, that can be abused. People can buy things,

00:17:28.640 --> 00:17:32.880
get the item that they wanted, and then issue a chargeback, and the credit card company will

00:17:32.880 --> 00:17:38.560
side with the cardholder almost every time. Anyway, this is just another example of how

00:17:38.560 --> 00:17:42.840
people in these communities attack each other. In fact, over the course of its existence,

00:17:42.840 --> 00:17:49.520
the OGUsers website itself has been breached at least three times, exposing all the data on the

00:17:49.520 --> 00:17:55.800
users who are registered there. Since Drew was a member, this meant his account had been in a few

00:17:55.800 --> 00:18:01.280
of these breaches. So, I have to ask you now; have you been ripped off by any of these kind of scams?

00:18:01.280 --> 00:18:03.920
DREW: Okay, so I’ve been scammed by people for thousands of dollars,

00:18:03.920 --> 00:18:06.220
at times tens of thousands of dollars by my own friends.

00:18:06.220 --> 00:18:09.020
JACK: You’ve been scammed by – for $10,000?

00:18:09.020 --> 00:18:10.620
DREW: Probably more.

00:18:10.620 --> 00:18:12.220
JACK: How did you get scammed?

00:18:12.220 --> 00:18:18.040
DREW: Yeah, I mean – alright, so, the biggest infighting of anything I’ve ever seen is criminals

00:18:18.040 --> 00:18:22.000
versus criminals, ‘cause criminals have no boundaries, no limits, and they have full

00:18:22.000 --> 00:18:26.800
anonymity. [MUSIC] You know how when they do the prison studies, it’s like, guards,

00:18:26.800 --> 00:18:30.920
whenever they have no – guards whenever they’re masked will do anything to a prisoner. Well,

00:18:30.920 --> 00:18:36.040
imagine what criminals who are masked will do to other criminals. So, they will extort you,

00:18:36.040 --> 00:18:41.080
they will – if you manage – if they manage to get your dox, which is obviously a compilation of

00:18:41.080 --> 00:18:47.440
your personal information, they will literally do anything to you. They will swat you just like they

00:18:47.440 --> 00:18:54.000
did to the men who wanted @Tennessee, but they’ll do it to your own friend. They will extort you,

00:18:54.000 --> 00:18:57.960
they will pizza bomb you, and then there’s obviously some grimmer things; like, they’ll

00:18:57.960 --> 00:19:04.160
pull your SSN and they’ll open a loan. But those are the fundamental bad things, I’d say.

00:19:04.160 --> 00:19:06.020
JACK: So, it sounds like you got doxxed.

00:19:06.020 --> 00:19:09.780
DREW: Oh, certainly, many times. Probably at least three times.

00:19:09.780 --> 00:19:15.120
JACK: So, his full details were exposed, and of course, that landed in the hands of

00:19:15.120 --> 00:19:20.480
someone who wanted to extort him. So, that person contacted him and threatened him.

00:19:20.480 --> 00:19:25.480
DREW: They tell you I’m going to send packages or I’m gonna contact

00:19:25.480 --> 00:19:29.040
your parents if you don’t do this and give me this money. Sometimes they’ll

00:19:29.040 --> 00:19:33.240
make you make signs of their – signs of them on you, like they’ll make you

00:19:33.240 --> 00:19:36.720
write their Instagram username on you or they’ll do things – like, they’ll…

00:19:36.720 --> 00:19:40.240
JACK: What do you mean write the Instagram name on you? I don’t understand.

00:19:40.240 --> 00:19:42.040
DREW: Like, on your forehead.

00:19:42.040 --> 00:19:47.200
JACK: Okay, so you write their name on your forehead and then take a picture to show…

00:19:47.200 --> 00:19:48.194
DREW: Yeah, it’s…

00:19:48.194 --> 00:19:49.460
JACK: …that I’ll do whatever you want?

00:19:49.460 --> 00:19:56.480
DREW: Yeah, it’s like some sort of alphaing thing. You know what I mean? It’s very weird. It’s that

00:19:56.480 --> 00:20:02.120
type of thing, like a dominance thing, I guess. I’ve never understood that. Then they’ll do more

00:20:02.120 --> 00:20:05.560
consequential things; like, they’ll tell your – they’ll tell you that you’re gonna tell your

00:20:05.560 --> 00:20:09.520
parents that you’re a cyber criminal or that you did something that you didn’t do. Like,

00:20:09.520 --> 00:20:15.640
they’ll say that I’m gonna call your dad and say that you extorted me even though I don’t even know

00:20:15.640 --> 00:20:23.080
him. They’ll do things that would affect a kid, ‘cause it’s normally kids versus kids in reality.

00:20:23.080 --> 00:20:27.720
JACK: Okay, so Drew was hit with this and he didn’t want to tell his parents, so he just

00:20:27.720 --> 00:20:32.920
sent them some money, and they went away. But there was another time when he was scammed,

00:20:32.920 --> 00:20:37.560
which was even stranger. While all this is happening, he’s still playing Roblox,

00:20:37.560 --> 00:20:41.800
right? In fact, at this point he’s made his own game with his friends and he wants to attract

00:20:41.800 --> 00:20:47.520
some users to the game so that he could possibly make money and make some of those Robux. He had a

00:20:47.520 --> 00:20:52.240
little game going, and it was all set up and it was good, but it just didn’t have many players.

00:20:52.240 --> 00:20:54.360
DREW: So, you want to get your game on Roblox to

00:20:54.360 --> 00:20:57.440
the front page so you get more players so you make more money.

00:20:57.440 --> 00:21:03.760
JACK: But how do you do it when you’re a conniving teenager? You find a way to

00:21:03.760 --> 00:21:07.840
falsely inflate the numbers to make your game look more popular so people join.

00:21:07.840 --> 00:21:11.800
DREW: Basically, it’d be a bot that makes your game look more popular than it is,

00:21:11.800 --> 00:21:16.180
so – and it would use a botnet to do it. It would have players that didn’t exist join the game.

00:21:16.180 --> 00:21:23.320
JACK: But he didn’t have a bot. Instead, he hired a service like a Roblox botmaster kind of thing,

00:21:23.320 --> 00:21:28.160
someone who specializes in getting more players into your Roblox servers for a fee. [MUSIC] But

00:21:28.160 --> 00:21:32.840
they aren’t real players at all; they’re just bots. But Drew didn’t have enough money to hire

00:21:32.840 --> 00:21:37.800
this person, so his friends gave him the money to pay this guy, so he gets his friends’ money

00:21:37.800 --> 00:21:43.120
and pays this botmaster a few hundred dollars to turn it on. The botmaster takes the money,

00:21:43.120 --> 00:21:49.600
but doesn’t deliver users to his game. Instead, Drew thinks when he was screen sharing one day,

00:21:49.600 --> 00:21:54.920
he accidentally revealed something that identified who Drew really was. This

00:21:54.920 --> 00:22:01.120
essentially meant the botmaster knew Drew’s real name and identity and address. So,

00:22:01.120 --> 00:22:07.600
instead of sending him bots in his game, the botmaster tried to extort Drew and said give

00:22:07.600 --> 00:22:13.240
me $500 or I’ll make your life hell. This botmaster guy proceeded to show Drew his

00:22:13.240 --> 00:22:19.220
real name and address and said listen, pay me or else you’re gonna be sorry. I know where you live.

00:22:19.220 --> 00:22:26.720
DREW: So one day, me and my dad were home. I was living with my father. Just a random

00:22:26.720 --> 00:22:30.920
package comes to the door and it’s underneath my name. He was like, did you order this? I was like,

00:22:30.920 --> 00:22:34.220
no. I’m like, thirteen. I don’t have any use for USPS packing stuff.

00:22:34.220 --> 00:22:40.520
JACK: Okay, so what he got was some empty flat boxes from the United States Post Office. Now,

00:22:40.520 --> 00:22:45.680
if you go to usps.gov and you click Shop and then Priority Mail,

00:22:45.680 --> 00:22:50.880
all the priority mail packaging supplies are free, so you can just order some boxes,

00:22:50.880 --> 00:22:54.680
as many as you want, and all you have to do is pay for the shipping cost. So,

00:22:54.680 --> 00:22:59.880
that’s what he got. Because he didn’t pay that botmaster the $500 he asked for,

00:22:59.880 --> 00:23:07.280
he got a few boxes in the mail. Okay, that’s a little spooky, but no big deal, right?

00:23:07.280 --> 00:23:11.600
DREW: Then two months later, 10,000 boxes show up. Now I’m like,

00:23:11.600 --> 00:23:18.040
coming home from school and I’m like oh, this isn’t good. [MUSIC] The entire front yard is

00:23:18.040 --> 00:23:21.440
filled up and my dad’s not home from work; I was like okay, how do I hide this situation?

00:23:21.440 --> 00:23:26.120
JACK: As he says to me, there were pallets of boxes. They filled up his entire front

00:23:26.120 --> 00:23:31.760
porch and the walkway, and there were even more. Stacks and stacks of flattened USPS

00:23:31.760 --> 00:23:36.920
priority mail boxes were at his door, and they were addressed to him. As you can imagine,

00:23:36.920 --> 00:23:41.600
being a fifteen-year-old kid seeing this, you get scared. You don’t want your parents to know,

00:23:41.600 --> 00:23:45.560
either. So, his dad wasn’t home yet and Drew had to think quick.

00:23:45.560 --> 00:23:50.400
DREW: I move all these packages away from the house to some random place. Obviously this is

00:23:50.400 --> 00:23:55.880
very illegal and dumb. I regret this horribly, but I just moved them to this random – like,

00:23:55.880 --> 00:24:00.720
nearby a lake. It takes probably upwards of three hours. I do it by myself,

00:24:00.720 --> 00:24:03.800
just carrying, running with these packages, trying to put them away.

00:24:03.800 --> 00:24:08.080
JACK: He didn’t put them in the lake, just next to it, and it worked. Well, I mean,

00:24:08.080 --> 00:24:14.080
at least his dad didn’t find out. But was – along this time, were there messages that you

00:24:14.080 --> 00:24:19.260
were getting of like, do this for me or else you get more boxes, or some clear reason?

00:24:19.260 --> 00:24:21.840
DREW: Yeah, it’s like, pay me back or get more

00:24:21.840 --> 00:24:26.440
boxes. Then they obviously began contacting my father and whatnot.

00:24:26.440 --> 00:24:28.360
JACK: Pay you what? How much did they…?

00:24:28.360 --> 00:24:30.600
DREW: They wanted $500.

00:24:30.600 --> 00:24:33.400
JACK: He was only around fifteen years old at the time,

00:24:33.400 --> 00:24:36.640
and so he tells them that he doesn’t have $500 and he doesn’t even know where

00:24:36.640 --> 00:24:41.160
to get $500 from. But that didn’t matter to whoever was doing this.

00:24:41.160 --> 00:24:46.360
DREW: These are probably sixteen-year-old kids. They’re like, I don’t care.

00:24:46.360 --> 00:24:52.200
JACK: After he didn’t send them more money, they sent him another order of 10,000 USPS packing

00:24:52.200 --> 00:24:59.000
boxes to his house. Once again, he sees them as he’s walking home from school one day and is like,

00:24:59.000 --> 00:25:04.080
oh man, not again, and immediately starts doing the same plan as before,

00:25:04.080 --> 00:25:08.360
throwing as many as he can under his arms and running them to a nearby empty piece of land by

00:25:08.360 --> 00:25:13.960
a lake. He was able to stash them all away before his dad got home, and again, his dad didn’t find

00:25:13.960 --> 00:25:21.440
out about this. Phew. But this time, someone was walking around the lake and saw all these boxes,

00:25:21.440 --> 00:25:28.000
and investigated. Shipping labels were still on a few, which had Drew’s name and address.

00:25:28.000 --> 00:25:30.200
DREW: The Homeowner’s Association’s like, why is there a bunch of boxes

00:25:30.200 --> 00:25:33.120
here? They look at the name on the boxes, they come to the house; they’re like,

00:25:33.120 --> 00:25:38.140
why do you have a bunch of boxes near this lake? Then I’m like okay, I moved the boxes.

00:25:38.140 --> 00:25:39.200
JACK: His dad, of course,

00:25:39.200 --> 00:25:44.320
hears about this from the Homeowner’s Association, and Drew gets in trouble.

00:25:44.320 --> 00:25:48.800
DREW: The biggest trouble is first of all, I didn’t move those boxes back to the house in

00:25:48.800 --> 00:25:57.800
one day. The next day I woke up unbelievably sore. It was so much weight to move. But the

00:25:57.800 --> 00:26:00.760
main punishment was obviously being grounded for months and not – like,

00:26:00.760 --> 00:26:07.040
no computer. [MUSIC] So then, for probably twelve months of my life,

00:26:07.040 --> 00:26:12.720
I had to cut boxes every single weekend to put into the recycling bin, ‘cause there’s…and we

00:26:12.720 --> 00:26:19.200
had to fill the entire garage with boxes, like to the brim with boxes, like stacked up upon stacks.

00:26:19.200 --> 00:26:21.280
JACK: They all went in the recycling bin.

00:26:21.280 --> 00:26:27.560
DREW: I mean, across months; we had to split it up months and months. One month, I get to work,

00:26:27.560 --> 00:26:33.640
I just fill up the entire recycling bin with boxes I had to cut up with a knife and arrange them so

00:26:33.640 --> 00:26:37.380
we could maximize the amount of boxes we recycle ‘cause this would have taken forever otherwise.

00:26:37.380 --> 00:26:42.360
JACK: Right. Yeah, and that’s the thing, is did you come clean to your dad and say actually,

00:26:42.360 --> 00:26:47.680
we were trying to falsely inflate our Roblox server,

00:26:47.680 --> 00:26:50.260
and so we paid this guy, and now he’s getting back at us?

00:26:50.260 --> 00:26:53.640
DREW: Yeah, afterwards I did, but he never knew about it initially,

00:26:53.640 --> 00:26:58.400
obviously, because I knew it was sketchy so I shouldn’t – I wasn’t saying anything about it.

00:26:58.400 --> 00:27:03.280
JACK: It’s just such a complex story for your – for a teenage son to tell his dad.

00:27:03.280 --> 00:27:07.520
Like alright, this is the reason that all this shit just happened.

00:27:07.520 --> 00:27:07.834
DREW: Yeah.

00:27:07.834 --> 00:27:13.000
JACK: Like, wait, tell it to me a third time, ‘cause I’m not getting it. ‘Cause here we are,

00:27:13.000 --> 00:27:16.600
forty-five minutes into this call and I’m just now understanding it myself. I

00:27:16.600 --> 00:27:20.760
can’t imagine how many times you had to explain it to your dad.

00:27:20.760 --> 00:27:21.160
DREW: Yeah.

00:27:21.160 --> 00:27:23.840
JACK: Well, that – I think that’s a funny story.

00:27:23.840 --> 00:27:27.480
Are you able to laugh at it now or are you still upset from that whole thing?

00:27:27.480 --> 00:27:29.960
DREW: Both. It’s hard to laugh at it, obviously,

00:27:29.960 --> 00:27:34.380
‘cause it’s like man, why did I do that? But it is what it is.

00:27:34.380 --> 00:27:37.200
JACK: What is the lesson you learned from that?

00:27:37.200 --> 00:27:40.040
DREW: Alright, there’s so many. First of all,

00:27:40.040 --> 00:27:44.750
don’t be doxxable. I learned a lot about opsec from that.

00:27:44.750 --> 00:27:46.260
JACK: Mm. Let’s talk about that for a second.

00:27:46.260 --> 00:27:50.280
DREW: I love opsec research now. It’s my favorite thing to read about.

00:27:50.280 --> 00:27:55.240
JACK: So, how – what are the tricks to not be doxxable?

00:27:55.240 --> 00:27:59.380
DREW: Alright, so, are we talking by the FBI or are we talking about a person?

00:27:59.380 --> 00:28:02.000
JACK: By another teenager.

00:28:02.000 --> 00:28:06.720
DREW: Alright. If you want to avoid another teenager, best – my best advice to you is

00:28:06.720 --> 00:28:10.440
don’t screen share anything, ‘cause you will accidentally screen share something. It’s too

00:28:10.440 --> 00:28:16.080
revealing, I promise you. Even if you think that you are only screen sharing Discord, they may see

00:28:16.080 --> 00:28:20.600
an IRL friend’s name. Don’t link accounts to your – don’t link accounts to your Discord,

00:28:20.600 --> 00:28:26.040
like your Spotify, ‘cause they can see who you’re following, who follows you, and your account.

00:28:26.040 --> 00:28:30.360
Pretty much have a fake persona and don’t treat it as the same e-mails, ‘cause if they know one

00:28:30.360 --> 00:28:36.800
of your e-mails for business or something, they could just do a leak search up, find a password,

00:28:36.800 --> 00:28:41.400
see if you have commons, stuff like that. So, don’t reuse passwords, don’t link accounts to

00:28:41.400 --> 00:28:46.560
your Discord, don’t screen share, and just don’t trust people online. They could be your friends,

00:28:46.560 --> 00:28:50.200
but – and you may accidentally share your identity ‘cause you think they’re harmless,

00:28:50.200 --> 00:28:54.840
but you never know what a friend will become in two years on the internet. Could be anything.

00:28:54.840 --> 00:28:56.720
JACK: And don’t click on stuff.

00:28:56.720 --> 00:28:59.500
DREW: Oh yeah, obviously; don’t get IP-logged.

00:28:59.500 --> 00:29:04.600
JACK: Yeah. So, alright, so that’s one lesson you learned from this.

00:29:04.600 --> 00:29:07.280
What else did you learn from the cardboard boxes?

00:29:07.280 --> 00:29:12.400
DREW: Okay, so, aside from the opsec – aside from my opsec failures, obviously; never making those

00:29:12.400 --> 00:29:19.480
again, but I learned some moral things like why am I involved with these people on the internet?

00:29:19.480 --> 00:29:28.760
I make no money, or all the money I make, I lose. Then more like, where are my priorities

00:29:28.760 --> 00:29:33.960
at? ‘Cause I’ve always been a very good student in school. I’ve always taken school really seriously.

00:29:33.960 --> 00:29:40.480
JACK: Drew was realizing that the community he was involved with was pretty toxic and not good

00:29:40.480 --> 00:29:46.960
for society. But he didn’t cut himself off of it. Instead, he got back in these forums and in the

00:29:46.960 --> 00:29:52.880
chat rooms just to study them and watch them and learn what they were doing. Yeah, I mean,

00:29:52.880 --> 00:29:58.040
just coming out and saying hey, I’ve got all this information and I want to share it with you; why?

00:29:58.040 --> 00:30:06.040
DREW: I don’t like the community. I very much look down on the community, pretty much. If I could,

00:30:06.040 --> 00:30:13.640
I would report every single one of these kids to the FBI. Sadly, that would be self-detrimental,

00:30:13.640 --> 00:30:22.480
obviously, because of my history. I’m looking to obviously gain more knowledge

00:30:22.480 --> 00:30:28.040
on the community. I want to document all of it and one day hopefully look back on it and

00:30:28.040 --> 00:30:34.520
realize – talk about how crazy the internet was whenever I was on it, like my years as a kid.

00:30:34.520 --> 00:30:41.640
JACK: Whoa. For some reason, this hits me in a weird way. When I was a kid on the internet,

00:30:41.640 --> 00:30:45.960
the internet was very different, and there was a whole cohort of people I instantly

00:30:45.960 --> 00:30:50.600
connect with today, because they were there for it. I’m talking about the Warez scene;

00:30:50.600 --> 00:30:55.560
MUDs, AOL chat rooms, phreaking, cracking, and just hearing this noise by itself brings back

00:30:55.560 --> 00:31:03.440
so many memories. [Windows 95 Startup sounds] [MUSIC] I look back at that as the good old days,

00:31:03.440 --> 00:31:07.280
despite everything being a thousand times harder to do back then, because the term user-friendly

00:31:07.280 --> 00:31:13.640
didn’t exist yet. It still felt like simpler times. What was happening online was innovating

00:31:13.640 --> 00:31:19.720
a thousand times faster than the clunky, outside world. Being online felt counter-culture,

00:31:19.720 --> 00:31:25.280
and new things would constantly be springing up, like Napster, hacking groups, and The Pirate Bay.

00:31:25.280 --> 00:31:29.680
Police and major media corporations couldn’t figure out how to stop us. There were so many

00:31:29.680 --> 00:31:35.240
times we were laughing at authorities for how ineffective they were at policing the internet.

00:31:35.240 --> 00:31:41.720
But to the kids who are going through their teens today and part of the online counter-culture,

00:31:41.720 --> 00:31:47.720
is this what they’re going to look back at as the good old days? Are these the kinds of

00:31:47.720 --> 00:31:55.280
stories that will shape them into who they’ll be later in life? Maybe. We don’t know how it’s going

00:31:55.280 --> 00:32:02.720
to end up for them, but it’s like they’re going through a similar painful crucible just as I did,

00:32:02.720 --> 00:32:07.920
just with all gas and no brakes. Stay with us, because after the break,

00:32:07.920 --> 00:32:19.440
Drew starts naming names. Okay, so some lessons learned, some things there. What’s another – let’s

00:32:19.440 --> 00:32:27.440
get into another story here. So, what’s another thing you’ve seen, a way to make money online?

00:32:27.440 --> 00:32:31.740
DREW: Let’s think. What have I seen kids doing lately?

00:32:31.740 --> 00:32:33.180
JACK: Let’s get into SIM-swapping, then.

00:32:33.180 --> 00:32:34.540
DREW: We can talk about SIM-swapping.

00:32:34.540 --> 00:32:38.160
JACK: Okay, so, by this point, you probably know what SIM-swapping is,

00:32:38.160 --> 00:32:42.760
but if not, I’ll be real quick. SIM-swapping is when someone tricks the phone company to

00:32:42.760 --> 00:32:47.280
move your cell phone number to their phone. Just like when you get a new cell phone,

00:32:47.280 --> 00:32:50.880
you need to tell the phone company that you have a new phone and that you want your number to

00:32:50.880 --> 00:32:56.000
work on that. Now, it shouldn’t be possible for someone to just take your phone number,

00:32:56.000 --> 00:33:00.480
but there are ways it can be done. The first way is going to sound obvious.

00:33:00.480 --> 00:33:04.800
DREW: You get an insider at these companies, normally a – what we call a ‘manny’ or a

00:33:04.800 --> 00:33:11.080
manager to give you their login or to just do swaps whenever no one’s looking

00:33:11.080 --> 00:33:19.080
for an imaginary customer. So, these insiders are frequently paid about $10,000 per swap,

00:33:19.080 --> 00:33:22.460
and this is the beginning of SIM-swapping. This is how SIM-swapping started.

00:33:22.460 --> 00:33:27.320
JACK: Okay, so that’s one way to do a SIM-swap. Obviously if you’re a manager of a mobile phone

00:33:27.320 --> 00:33:32.320
store, you have the ability to do that. If you do that for one of these kids,

00:33:32.320 --> 00:33:37.960
you can make some serious money, easily over $1,000 per number. Maybe even $10,000 per

00:33:37.960 --> 00:33:43.500
number. But there’s a new way these kids are doing it, and it’s wild, feral even.

00:33:43.500 --> 00:33:46.680
DREW: So, it starts at the fact that you’re not calling the phone company;

00:33:46.680 --> 00:33:53.720
you’re actually – the new way is called remo snatching. Remo is short for remote tablet. So,

00:33:53.720 --> 00:33:58.840
you are going to T-Mobile. T-Mobile is the easiest place to hit right now. You go to a T-Mobile,

00:33:58.840 --> 00:34:04.940
you run in, [MUSIC] you take the store manager’s tablet from his hands; you run out.

00:34:04.940 --> 00:34:11.440
JACK: Okay, I get it. If you have the store manager’s tablet, that’s the device that’s

00:34:11.440 --> 00:34:15.720
authorized to move phone numbers. So, it makes sense that by stealing that,

00:34:15.720 --> 00:34:21.800
you can do a SIM-swap on someone. But wait, it’s not that easy. Let’s back up. Let’s back

00:34:21.800 --> 00:34:27.480
way up. [MUSIC] First, you need to know who to SIM-swap. Identifying the target can take

00:34:27.480 --> 00:34:31.760
a long time, and there’s a lot of steps, and I want to break that down. We’ve talked about

00:34:31.760 --> 00:34:36.080
SIM-swapping on the show in the past, such as in the episode called The Pizza Problem

00:34:36.080 --> 00:34:40.320
and Tennessee. These are two stories where people were targeted simply because they had

00:34:40.320 --> 00:34:45.440
high-value usernames on Instagram and Twitter. Okay, so that’s one reason to target someone,

00:34:45.440 --> 00:34:50.320
to get control of their username and sell it on OGUsers for a few thousand dollars. But

00:34:50.320 --> 00:34:54.580
I feel like that’s old hat now. There’s a whole new crime wave that’s springing up.

00:34:54.580 --> 00:34:59.160
DREW: The things I see people SIM-swap for are bank logs, which are bank logins,

00:34:59.160 --> 00:35:01.920
where they wire out money or they use a transfer.

00:35:01.920 --> 00:35:07.760
JACK: Okay, so, banks; while this is big in this community, it’s really hard to

00:35:07.760 --> 00:35:11.920
actually do it. So, first they have to figure out a valid login for the user,

00:35:11.920 --> 00:35:15.800
and we’ll get into how they know passwords later. But for now, just assume that they

00:35:15.800 --> 00:35:20.160
have a working username and password for a bank account. So, they log into the account.

00:35:20.160 --> 00:35:23.400
DREW: But they’d have no way to withdraw it, ‘cause you would have to receive an OTP,

00:35:23.400 --> 00:35:27.640
or a one-time pin, in order to withdraw the funds. So, they start SIM-swapping

00:35:27.640 --> 00:35:34.040
the person to receive the one-time passcode. SIM-swapping banks is actually a crazy hustle,

00:35:34.040 --> 00:35:37.480
‘cause the thing is that there’s a bunch of money in banks, but it also requires that you

00:35:37.480 --> 00:35:41.320
have real-world knowledge of money laundering, ‘cause you are literally stealing the person’s

00:35:41.320 --> 00:35:46.380
money and you have to find a way to not make it traceable to you. It’s extremely hard, obviously.

00:35:46.380 --> 00:35:51.800
JACK: Right, so while there’s some really savvy people playing in that space, the easier target

00:35:51.800 --> 00:35:57.440
is going after people who have cryptocurrency, because with cryptocurrency, it’s stupid easy

00:35:57.440 --> 00:36:02.440
to grab all the money in a wallet and just send it to an anonymizing service like Tornado Cash

00:36:02.440 --> 00:36:08.680
and cash out. Since this is an easier target now, it means more people are going after cryptocurrencies

00:36:08.680 --> 00:36:14.240
now. Okay, so, it makes sense for these kids to target people with high-value crypto wallets,

00:36:14.240 --> 00:36:19.820
but how do you find someone with a big, fat crypto wallet? Well, it takes a whole bunch of steps.

00:36:19.820 --> 00:36:23.600
DREW: So, this is a huge market that – I don’t know how underground it is,

00:36:23.600 --> 00:36:30.000
but it seems pretty underground. People use what we call a combo list, or basically a leaked

00:36:30.000 --> 00:36:35.480
database that are password and e-mail, except the passwords have been de-hashed, obviously,

00:36:35.480 --> 00:36:42.600
like ran through RainbowCrack or John the Ripper. They run them through – looking

00:36:42.600 --> 00:36:46.140
for these things called commons, which are passwords that are used across multiple sites.

00:36:46.140 --> 00:36:49.920
JACK: Okay, so you’ve heard of major websites suffering from data breaches, right,

00:36:49.920 --> 00:36:54.760
where the whole user database is stolen. If you’re a customer at one of these sites, you might just

00:36:54.760 --> 00:37:00.200
shrug and maybe change your password and carry on, hoping that nothing comes back and hits you,

00:37:00.200 --> 00:37:05.640
right? Well, this data is golden in these circles. [MUSIC] First, you can head over to a site like

00:37:05.640 --> 00:37:14.040
raidforums.com or nulled.to, or cracked.to. These sites post tons and tons of full database leaks.

00:37:14.040 --> 00:37:19.240
It might cost you a few bucks to get it, but you can download them right there. We’re talking major

00:37:19.240 --> 00:37:24.560
websites that have been breached; their databases are right there, easy to grab, sites like Adobe,

00:37:24.560 --> 00:37:30.080
the Alaska Voter database. There’s an Apple database there, apparently. Adult Friend Finder,

00:37:30.080 --> 00:37:35.320
the Android Forums, and that’s just a small example from the A’s. Inside these database

00:37:35.320 --> 00:37:40.600
dumps could be a bunch of things, but they typically have a person’s name, their username,

00:37:40.600 --> 00:37:45.640
their e-mail, maybe their phone number, maybe their address, and their password. But their

00:37:45.640 --> 00:37:50.320
password is typically hashed in the database, which means you can’t actually see what it is.

00:37:50.320 --> 00:37:56.320
But this is where tools come in that can crack password hashes. It’s hard to crack a single hash

00:37:56.320 --> 00:38:02.320
if that’s all you want to do, but when you have a hundred million records in the Adobe database,

00:38:02.320 --> 00:38:08.920
for instance, you’ll likely be able to find some hashes that aren’t very strong. Now you have valid

00:38:08.920 --> 00:38:15.680
usernames and passwords for people. Now, take that username or e-mail address and cross-reference it

00:38:15.680 --> 00:38:22.560
with other data breaches. Is this person reusing passwords? Are there usernames and passwords in

00:38:22.560 --> 00:38:31.520
the Adobe breach that also work on Netflix? Sadly, yes. Yes, a lot of people just pick

00:38:31.520 --> 00:38:37.200
one password and then use that on all the sites they have accounts for. So, now just by cracking

00:38:37.200 --> 00:38:43.560
a database dump, you’ve got access to someone’s Netflix account, and this opens up a whole new

00:38:43.560 --> 00:38:50.600
massive market in the underground communities. People will buy Netflix accounts for $2.50 each,

00:38:50.600 --> 00:38:55.720
because that’s obviously way cheaper than paying the $18 a month for a premium subscription.

00:38:55.720 --> 00:39:01.280
DREW: [MUSIC] Alright, so, let’s extrapolate Netflix to Walmart, Chipotle, Nordstrom,

00:39:01.280 --> 00:39:06.936
OnlyFans, Surfshark, NordVPN, Macy’s Credit, Buffalo Wild Wings, Papa Johns.

00:39:06.936 --> 00:39:12.880
JACK: There are sites you can go to to buy user accounts for any of these websites. You might even

00:39:12.880 --> 00:39:18.680
get a combo pack for a bunch of logins, say $10 for the whole pack. But wait, you might wonder why

00:39:18.680 --> 00:39:24.920
would anyone want to buy a Chipotle login? Well, now you’re stumbling into the case of the mystery

00:39:24.920 --> 00:39:30.320
burrito orders that people are reporting on the Chipotle subreddit. You can download a Chipotle

00:39:30.320 --> 00:39:35.880
app on your phone and use it to order food, but the app is often connected to your credit card,

00:39:35.880 --> 00:39:42.680
so you can use someone else’s Chipotle account to order a burrito for you, and then they pay for

00:39:42.680 --> 00:39:49.800
it. The same goes with Papa Johns; free pizza if you have a valid login of someone else’s account.

00:39:49.800 --> 00:39:55.000
This enters us into the world of pizza plugs, which I’ve been watching closely for a while.

00:39:55.000 --> 00:40:01.640
It’s kind of mythical. There’s these chat rooms where you can go and make a food order such

00:40:01.640 --> 00:40:06.840
as three large pizzas, and someone in the chat room will take your order and ask you for like,

00:40:06.840 --> 00:40:14.520
$5. Then they’ll use the stolen pizza account to log in, create the order, and then send you

00:40:14.520 --> 00:40:20.400
the pizza. It cost them $2 or $3 to buy the account; they make $5 from this. You get three

00:40:20.400 --> 00:40:26.840
pizzas for $5, and oh, the account holder is the one who’s paying for it. I’m telling you,

00:40:26.840 --> 00:40:32.560
this goes so much deeper than I have time for. Oh, and the lingo for buying and selling these valid

00:40:32.560 --> 00:40:38.160
logins is just logs, so there’s a whole bunch of people out there looking through database dumps,

00:40:38.160 --> 00:40:44.200
trying to find valid logs to as many places as they can so they can sell these logs for profit.

00:40:44.200 --> 00:40:46.680
DREW: Then you start selling $30 logs for Apple,

00:40:46.680 --> 00:40:49.760
‘cause people can use your connected Apple credit card to place some MacBook orders.

00:40:49.760 --> 00:40:55.160
They charge $50 for those logs. You get ten orders of that a day, that’s $500 a day.

00:40:55.160 --> 00:41:00.760
JACK: A really popular one going on right now is Hilton Honors logins, because these logs can get

00:41:00.760 --> 00:41:07.040
you a few night’s stay in a fancy hotel for free. Okay, so, there’s two types of accounts

00:41:07.040 --> 00:41:14.520
you can get; FA and NFA. That is, full access and non-full access. All the accounts we just listed

00:41:14.520 --> 00:41:20.960
are basically NFA, non-full access. A full access account is one that has all these valid logins,

00:41:20.960 --> 00:41:28.000
plus a valid e-mail account login. So, that means if you can get into someone’s Outlook or Gmail,

00:41:28.000 --> 00:41:31.800
then you can easily reset the password for any of these other accounts that you want to get

00:41:31.800 --> 00:41:36.600
into. It really does give you full access into someone’s digital life, and there’s

00:41:36.600 --> 00:41:39.920
a little tool that people use that once they get into someone’s e-mail account,

00:41:39.920 --> 00:41:44.160
they can quickly search through all the e-mails to see if there’s anything of value in these e-mails.

00:41:44.160 --> 00:41:48.120
DREW: It’s called Yahoo Arranger, the program that does this. It automatically searches the

00:41:48.120 --> 00:41:52.240
key terms inside the Yahoo or the websites that you want to see if they’re signed up for. So,

00:41:52.240 --> 00:41:57.760
if you want to see that they’re signed up for Amex or Bank of America or Chipotle,

00:41:57.760 --> 00:42:00.960
then you just use Yahoo Arranger and you see.

00:42:00.960 --> 00:42:06.680
JACK: Crazy, huh? But it’s really not that complex if you don’t have FA accounts,

00:42:06.680 --> 00:42:10.960
too. You can just take a database dump and convert it to a combo list; this is just a

00:42:10.960 --> 00:42:16.120
formatted list showing username: password, and you could take this combo list and have a tool

00:42:16.120 --> 00:42:21.560
just automatically try logging into tons of sites to check if the password works anywhere.

00:42:21.560 --> 00:42:26.120
DREW: Then they use software such as Sentry MBA, OpenBullet, or SilverBullet to thereby

00:42:26.120 --> 00:42:30.040
automatically check all these combo lists. So, this is not a manual process,

00:42:30.040 --> 00:42:34.320
and it goes at probably 5,000 CPM, which means it goes at 5,000 attempts per second,

00:42:34.320 --> 00:42:41.120
a lot of the times. People sell upwards of, I’d say, 5,000 logs a day on their shops. I personally

00:42:41.120 --> 00:42:46.160
can see – it tells you how much stock a shop has, so you can tell how many sales you’re getting per

00:42:46.160 --> 00:42:53.000
day. I’ve seen people sell upwards of 10,000 accounts per day at $3.50 per account; $35,000.

00:42:53.000 --> 00:42:59.480
JACK: Okay, so now it should be clear how someone can get a bunch of valid logins to

00:42:59.480 --> 00:43:04.320
various sites. Okay, but I only wanted to say all that because that will help

00:43:04.320 --> 00:43:09.040
you understand how we find someone who has a lot of cryptocurrency to target.

00:43:09.040 --> 00:43:12.800
DREW: The most popular database I’ve ever seen in my years of being here is

00:43:12.800 --> 00:43:17.520
the Ledger database. [MUSIC] Ledger is a company that provides physical cold

00:43:17.520 --> 00:43:20.880
wallet storage for Bitcoin. Well, what does it say about someone if they buy a

00:43:20.880 --> 00:43:27.940
Ledger wallet? It means they have Bitcoin. So, thereby, that’s your perfect target for crypto.

00:43:27.940 --> 00:43:36.280
JACK: Oh, very interesting. Ledger is a physical crypto wallet, and in 2020, the user database

00:43:36.280 --> 00:43:44.200
was breached. Five months later, the database was posted to RaidForums. In the database is e-mail,

00:43:44.200 --> 00:43:49.680
name, physical address, and phone number. No passwords or crypto keys were in there. But

00:43:49.680 --> 00:43:55.600
with a little cross-referencing, one can take the e-mail address from the Ledger database and see

00:43:55.600 --> 00:44:01.960
if it matches any e-mails in another database, and from there, seeing if there are any known

00:44:01.960 --> 00:44:08.280
passwords for that e-mail address. Then you can try plugging that e-mail address and password into

00:44:08.280 --> 00:44:16.040
Coinbase or Binance or Kraken or FTX or Gemini or any crypto exchange to see if it’s a valid

00:44:16.040 --> 00:44:21.320
login. These are all crypto exchanges where people keep their cryptocurrency. Of course,

00:44:21.320 --> 00:44:26.600
if you know someone’s username and password at a crypto exchange, it means big trouble

00:44:26.600 --> 00:44:31.840
for them. But there’s a few safety checks that these exchanges put in place to thwart

00:44:31.840 --> 00:44:37.840
kids like this. First, there’s a lot of value just knowing if the person is registered at,

00:44:37.840 --> 00:44:43.560
say, Coinbase. Forget about their password for a second; is this e-mail even registered here?

00:44:43.560 --> 00:44:47.440
If you type in someone’s e-mail address and a bogus password,

00:44:47.440 --> 00:44:52.360
it won’t give you any clue on whether that e-mail is registered there or not. However,

00:44:52.360 --> 00:44:56.840
if you try to sign up for a new account with an e-mail address that already exists,

00:44:56.840 --> 00:45:03.280
then bingo. Coinbase will tip its hand and say that e-mail is already registered here. So,

00:45:03.280 --> 00:45:08.280
this is how someone can take the Ledger database dump and figure out who has accounts on Coinbase

00:45:08.280 --> 00:45:13.760
or Gemini or Kraken or Binance or wherever, and then cross-reference that with other

00:45:13.760 --> 00:45:20.120
database dumps to try to figure out what the password is on those accounts. Now, if a thief

00:45:20.120 --> 00:45:26.000
has a valid e-mail and password to your crypto account, there’s still a big hurdle in the way;

00:45:26.000 --> 00:45:32.320
2FA. All the crypto exchanges require you to enable two-factor authentication. They urge

00:45:32.320 --> 00:45:37.000
you to get something like Google Authenticator or Authy, which is an app on your phone that has

00:45:37.000 --> 00:45:42.600
a six-digit number that you have to have in order to log in. But at the bare minimum, they’ll send

00:45:42.600 --> 00:45:48.200
you a text message with the six- or seven-digit code to log in. So, just by having a username

00:45:48.200 --> 00:45:55.320
and a password isn’t enough to get into someone’s crypto account. You also need that 2FA code. The

00:45:55.320 --> 00:46:04.300
vast majority of Coinbase users use text-based codes. Can you see where we’ve arrived now?

00:46:04.300 --> 00:46:08.280
DREW: Well, a lot of people on Coinbase have millions of dollars, so that’s where

00:46:08.280 --> 00:46:13.480
this new simming wave is coming from. They’re using commons from databases, getting into

00:46:13.480 --> 00:46:17.680
Coinbase – this is all automated – and then they get their balance; they had SIM-swapped

00:46:17.680 --> 00:46:23.440
them. It’s massively profitable. It’s arguably the most profitable thing you can do right now.

00:46:23.440 --> 00:46:29.120
JACK: Now, at this point, we have enough information to SIM-swap the target. We know

00:46:29.120 --> 00:46:33.440
they have a Ledger wallet and we know they have a Coinbase account, and we have their username

00:46:33.440 --> 00:46:39.520
and password. All that’s needed now is to take control of their phone number so that we can get

00:46:39.520 --> 00:46:47.560
texts so that we can log in. But while this might be enough to SIM-swap someone, the thieves take

00:46:47.560 --> 00:46:53.120
this a step further to try to figure out how much is in the account before SIM-swapping someone.

00:46:53.120 --> 00:46:55.600
DREW: I don’t even know if you’re gonna believe me whenever I tell you this,

00:46:55.600 --> 00:46:59.320
but there was an exploit in Coinbase for about one month where you could check the balance of

00:46:59.320 --> 00:47:03.760
any valid password and username. You could – no matter what. You didn’t need to have any sort

00:47:03.760 --> 00:47:07.680
of access except username and password. So, you didn’t need to SIM them to see their balance. So,

00:47:07.680 --> 00:47:13.040
people just ran millions upon millions of combos, combo list through Coinbase,

00:47:13.040 --> 00:47:18.140
and just found the millionaires of Coinbase. There’s obviously millions of those.

00:47:18.140 --> 00:47:21.280
JACK: That is, if you just had a valid username and password,

00:47:21.280 --> 00:47:27.400
you could see how much was in the user’s Coinbase account. This made it crystal clear exactly who to

00:47:27.400 --> 00:47:34.560
target for a juicy SIM-swap. But you still need that 2FA code to get in and move the money. It’s

00:47:34.560 --> 00:47:39.720
just that you didn’t need it to see the balance for a while. Now, I’ve sort of confirmed this;

00:47:39.720 --> 00:47:45.600
Bleeping Computer ran an article back in October 2021 saying that 6,000 Coinbase

00:47:45.600 --> 00:47:51.920
customers had their crypto wallets drained due to a flaw in Coinbase’s 2FA system. Now,

00:47:51.920 --> 00:47:58.240
I’m pretty sure it’s talking about this bug that Drew just said. Knowing exactly how much money

00:47:58.240 --> 00:48:04.000
that someone has in their account is vital to making your SIM-swap more successful.

00:48:04.000 --> 00:48:07.800
[MUSIC] There’s one last bit about Coinbase; if you have a valid username and password and

00:48:07.800 --> 00:48:13.160
you log in, you’ll see whether or not that user has text message 2FA or something like Google

00:48:13.160 --> 00:48:18.040
Authenticator, because the page will tell you which code it’s looking for. The vast majority of

00:48:18.040 --> 00:48:24.320
Coinbase users use text-based 2FA. However, there still may be a problem if the thief doesn’t know

00:48:24.320 --> 00:48:29.040
the phone number. Sometimes they just don’t, and if you’re going to SIM-swap someone, you need that

00:48:29.040 --> 00:48:35.680
phone number, right? But there’s a clue sitting right there on the page, and it shows the last two

00:48:35.680 --> 00:48:41.160
digits of the phone number, and it specifically says enter the seven-digit code we just sent to

00:48:41.160 --> 00:48:48.680
xxx-xxx-xx37 or whatever the last two digits are. That little clue of just knowing what the last

00:48:48.680 --> 00:48:53.640
two digits of the phone number are is enough for these thieves to get the full phone number.

00:48:53.640 --> 00:48:58.160
DREW: So, you have to do this thing called number tracing or ISP doxxing. So, the endpoint – here’s

00:48:58.160 --> 00:49:02.480
what it’ll tell you on the endpoint; the endpoint will tell you the real name of the person and

00:49:02.480 --> 00:49:08.440
it’ll tell you the last two numbers of the phone number. With this information, you have to do a

00:49:08.440 --> 00:49:14.200
BeenVerified or a White Page search on the person. So, typically it starts at well, find their name,

00:49:14.200 --> 00:49:18.800
find their approximate location, find their phone number. There’s a million ways to do this. My best

00:49:18.800 --> 00:49:25.040
advice is – de-hashed the e-mail, go to their – their opsec wasn’t too good, these e-mail owners,

00:49:25.040 --> 00:49:29.920
or else they wouldn’t be password-leaked. Their IP or something’s gonna be in there that you can use

00:49:29.920 --> 00:49:35.840
to approximately geolocate them, then do a people search on White Pages or BeenVerified in that area

00:49:35.840 --> 00:49:41.760
with their name, and then you’ll find their phone number that will match the last two of the hint.

00:49:41.760 --> 00:49:48.520
JACK: Okay, so that’s how these SIM-swappers are choosing their targets today. At this point they

00:49:48.520 --> 00:49:52.960
know the username, the password, the phone number, and the account balance to know if

00:49:52.960 --> 00:49:57.280
it’s going to be a juicy grab. Oh, and you can quickly look up what kind of carrier the phone

00:49:57.280 --> 00:50:04.080
number belongs to so you can SIM-swap using the right carrier. But this is a big setup

00:50:04.080 --> 00:50:09.920
process just to figure out who our SIM-swapping target’s gonna be. In fact, it’s so much work,

00:50:09.920 --> 00:50:15.880
this is a market just in itself. Just identifying a list of targets and selling this information is

00:50:15.880 --> 00:50:22.920
its own racket. So, while it seems like a lot of work, someone could just step in right here, buy

00:50:22.920 --> 00:50:30.720
the data, [MUSIC] and go for a SIM-swap. Okay, so, now we’re ready for the big SIM-swap event. So,

00:50:30.720 --> 00:50:34.240
you remember how the process got started, right? Someone ran into a T-Mobile store,

00:50:34.240 --> 00:50:38.440
snatched the tablet from the store manager’s hands, and ran out of there. This is called a

00:50:38.440 --> 00:50:44.160
remo, remote tablet-grab. But we’re still not ready for that part yet. Before you steal the

00:50:44.160 --> 00:50:49.480
manager’s tablet, you need the manager’s password that’s on the tablet, right? So, you need to do

00:50:49.480 --> 00:50:55.186
recon on the store, figure out everything you can about the manager to try to social-engineer them.

00:50:55.186 --> 00:50:57.640
DREW: [MUSIC] Just calling up the manager and being like hey,

00:50:57.640 --> 00:51:03.080
this is John working with the EIT Help Desk at T-Mobile. Can you please tend

00:51:03.080 --> 00:51:06.200
to this ticket? They send you a fake URL, you enter your manager login.

00:51:06.200 --> 00:51:11.680
JACK: Okay, so now you have the manager’s password to log into the tablet, and we know how to get the

00:51:11.680 --> 00:51:16.520
tablet. But let me tell you, this is a major problem that T-Mobile is trying to battle,

00:51:16.520 --> 00:51:20.800
and there are internal memos going around right now of procedures of what to do if

00:51:20.800 --> 00:51:26.080
this happens at your store. One thing is to immediately call the IT Help Desk and get the

00:51:26.080 --> 00:51:31.520
tablet disabled as fast as you can, and get that manager account disabled. So, when this happens,

00:51:31.520 --> 00:51:36.800
stores typically get the tablet disabled within ten minutes. So, we’ve gotta back up again

00:51:36.800 --> 00:51:42.120
because we’ve only got this ten-minute window, and you’ve gotta do everything in that. So,

00:51:42.120 --> 00:51:46.960
you need to be prepared, and we have not done our preparations yet. So, what you need to know

00:51:46.960 --> 00:51:52.260
here is that this isn’t done by one person; the snatcher is just one pawn in this game.

00:51:52.260 --> 00:51:55.360
DREW: Obviously people on Telegram aren’t the type of person to go run

00:51:55.360 --> 00:51:59.920
into a store. They pay some idiot that they know IRL to go run into the store for them.

00:51:59.920 --> 00:52:02.800
JACK: That person who runs in and grabs it and runs out is

00:52:02.800 --> 00:52:04.980
really getting paid the lowest on the list here.

00:52:04.980 --> 00:52:09.240
DREW: Probably making $200, bro. I’ve seen people pay their runners so little.

00:52:09.240 --> 00:52:13.240
JACK: So, they pay $200 for someone to go in and grab the tablet and bring it

00:52:13.240 --> 00:52:17.720
back out to them. They have to be set up nearby, because they only have ten minutes to do this,

00:52:17.720 --> 00:52:22.880
remember? So, the person who ultimately has the tablet in their hands is particularly skilled

00:52:22.880 --> 00:52:28.320
at navigating the T-Mobile software to do the SIM-swap. Maybe that’s because they worked in

00:52:28.320 --> 00:52:34.200
the store before or they saw a video on how it’s done. But still, the person who’s actually typing

00:52:34.200 --> 00:52:39.960
on the tablet doing the SIM-swap isn’t the same person who’s gonna steal the cryptocurrency from

00:52:39.960 --> 00:52:44.640
Coinbase users. That’s a whole ‘nother group of people who have collected all those Coinbase logs

00:52:44.640 --> 00:52:50.640
and are waiting for someone to do a remo. They all get organized inside a Telegram chat room,

00:52:50.640 --> 00:52:56.640
and people are willing to pay a person to do a remo swap sometimes $10,000 per number. I’m

00:52:56.640 --> 00:53:00.120
just trying to confirm that when they’re in this Telegram channel and they’re like okay,

00:53:00.120 --> 00:53:07.240
I hope somebody gets a remo tonight; I’ve got three accounts I really want to do, all you

00:53:07.240 --> 00:53:11.940
need to do is provide that phone number to the person who did the re – who got the remo, right?

00:53:11.940 --> 00:53:18.914
DREW: Perfect, man. You sound like a real swapper right now. You’re using our lingo; remo.

00:53:18.914 --> 00:53:23.000
JACK: I’m ready, man. The quote is, you either die a hero or you live

00:53:23.000 --> 00:53:27.720
long enough to become a villain, and that’s – I think that’s true.

00:53:27.720 --> 00:53:31.227
DREW: Yeah. It’s funny, but yeah…

00:53:31.227 --> 00:53:31.905
JACK: It’s Batman.

00:53:31.905 --> 00:53:32.960
DREW: You’re using the terms.

00:53:32.960 --> 00:53:36.101
JACK: Okay.

00:53:36.101 --> 00:53:36.154
DREW: Yeah, I know. I hear you. I hear…[inaudible].

00:53:36.154 --> 00:53:41.240
JACK: So, people are in Telegram and they’re like, alright – what was it, like Friday night,

00:53:41.240 --> 00:53:45.360
Saturday night, and someone’s like okay, I think we’re gonna try. They tell the group;

00:53:45.360 --> 00:53:49.386
I’m gonna drive down there, I’m gonna try and grab the tablet. I’m all set.

00:53:49.386 --> 00:53:50.420
DREW: [MUSIC] It’s extremely intense.

00:53:50.420 --> 00:53:54.640
JACK: Yeah, there’s all these people, they’re locking their bedroom doors. Like, don’t come in,

00:53:54.640 --> 00:53:59.800
dad, I’m gonna be busy tonight. Don’t come in the room, whatever you do. Then they go okay,

00:53:59.800 --> 00:54:06.630
we’ll give you some personal time. Like, that would be the [LAUGHING]. Sorry.

00:54:06.630 --> 00:54:09.680
DREW: Oh, definitely. I know what you’re talking about. It does happen;

00:54:09.680 --> 00:54:12.800
people are like, oh, I can’t do it right now. I have to eat dinner.

00:54:12.800 --> 00:54:13.490
JACK: Yeah.

00:54:13.490 --> 00:54:15.720
DREW: It’s like bro, we literally have ten minutes to do this. There

00:54:15.720 --> 00:54:19.960
is no time for dinner. It’s either dinner or $100,000. You choose.

00:54:19.960 --> 00:54:22.080
JACK: Yeah.

00:54:22.080 --> 00:54:24.480
DREW: This is really – this is not an exaggerate – this is really how

00:54:24.480 --> 00:54:27.000
it is sometimes. Our remos are so short.

00:54:27.000 --> 00:54:30.840
JACK: This is what I love imagining, is the actual person behind the screen,

00:54:30.840 --> 00:54:36.680
and if it is a teenager, then yes, there is this possibility of it all going wrong any second,

00:54:36.680 --> 00:54:43.800
because they’re living at home and they’ve gotta clean their room. Alright, so, besides that,

00:54:43.800 --> 00:54:51.300
they’re in Telegram, they get the message; okay, I got the remo. What’d you say, $10,000 per number?

00:54:51.300 --> 00:54:55.160
DREW: So, I’ll break it down to you based on carrier. So,

00:54:55.160 --> 00:54:59.000
T-Mobile at the moment costs you about $5,000 per swap. If they’re a fraud victim,

00:54:59.000 --> 00:55:03.000
then it costs you $7,500. A fraud victim has special protections on their account,

00:55:03.000 --> 00:55:09.560
but they’re still bypassable. Verizon is going to cost you upwards of probably $50,000. Verizon

00:55:09.560 --> 00:55:14.600
is extremely well secured, but it’s still possible if you have the right equipment. Like,

00:55:14.600 --> 00:55:19.560
you need a branch manager login which is a very high position. So, you need to be able

00:55:19.560 --> 00:55:24.560
to pay off that Verizon manager a lot, and you can’t hack them. You can’t – it appears,

00:55:24.560 --> 00:55:28.080
right now. I could be wrong. Maybe we’ll find new findings. But they pretty – you literally just

00:55:28.080 --> 00:55:32.640
need an insider. You can’t rat him or anything. For AT&T, I think that people are starting to decrease

00:55:32.640 --> 00:55:40.760
their prices down to $4,000, $2,000…$2,000 to $3,000 because their OPUS tool is not too secure.

00:55:40.760 --> 00:55:44.920
JACK: Okay, so this person who does the remo snatch lets everyone

00:55:44.920 --> 00:55:48.946
know hours before that they are planning to do a remo that night.

00:55:48.946 --> 00:55:52.120
DREW: [MUSIC] So, the activator is the person who coordinates the remo snatch.

00:55:52.120 --> 00:55:55.440
JACK: So, the activator tells everyone in the Discord channel that they’ve got the

00:55:55.440 --> 00:56:00.360
remo and they’re ready for orders. Immediately, people in Telegram start giving him information;

00:56:00.360 --> 00:56:05.040
phone number and ICCID. That’s all they need to begin the process of moving the

00:56:05.040 --> 00:56:09.920
phone number from the customer’s phone to the thief’s phone in Telegram. It’s

00:56:09.920 --> 00:56:16.480
an intense ten minutes. Time is ticking and at any moment, that tablet will become deactivated,

00:56:16.480 --> 00:56:20.600
so they’ve got to go as fast as they can, swapping out as many numbers as

00:56:20.600 --> 00:56:27.860
they can in that time frame. On a good night, an activator can make over $100,000 from doing this.

00:56:27.860 --> 00:56:29.840
DREW: Yeah, at that point, you just go hit your lick.

00:56:29.840 --> 00:56:31.120
JACK: More lingo.

00:56:31.120 --> 00:56:36.960
DREW: The lick is whenever you jug someone, but I’ll use more plain language. A lick is

00:56:36.960 --> 00:56:42.400
a successful log, or a log – so, a log means login in our lingo. So,

00:56:42.400 --> 00:56:46.280
whenever you hit a lick, it means that you withdrew their balance. It’s yours;

00:56:46.280 --> 00:56:49.840
you won. So, there’s multiple ways that you can use this vernacular. You could say,

00:56:49.840 --> 00:56:53.920
this person looks like a lick. This person looks like an easy target, in other words.

00:56:53.920 --> 00:56:58.746
You could use I hit a lick today, meaning I hit a successful withdrawal on a Coinbase account.

00:56:58.746 --> 00:57:02.240
JACK: [MUSIC] So, now these guys have control over their targets’ phone numbers,

00:57:02.240 --> 00:57:04.905
and it’s time for them to work as fast as they can.

00:57:04.905 --> 00:57:08.800
DREW: You’re sweating profusely. You go reset the Yahoo password. You’re on a proxy

00:57:08.800 --> 00:57:13.760
near them utilizing a residential proxy nearby the target location,

00:57:13.760 --> 00:57:17.000
log into their Yahoo, reset the password of the Yahoo because most of the time,

00:57:17.000 --> 00:57:22.000
it’s not the same as their Coinbase. We receive the Coinbase device authentication link,

00:57:22.000 --> 00:57:25.320
still sweating profusely. Your holder should be receiving codes this entire time;

00:57:25.320 --> 00:57:32.720
you’re screaming at your holder to send you the code immediately or you’re not gonna pay them.

00:57:32.720 --> 00:57:35.952
JACK: What? Sorry, a holder is who again?

00:57:35.952 --> 00:57:39.320
DREW: A holder is someone that’s actually holding onto the phone that’s receiving the OTP. So,

00:57:39.320 --> 00:57:41.400
most of the time, the people that have the targets and balance aren’t gonna

00:57:41.400 --> 00:57:43.620
hold the phone themselves ‘cause that’s bad operational security.

00:57:43.620 --> 00:57:44.680
JACK: Holy cow.

00:57:44.680 --> 00:57:50.680
DREW: They have a designated holder, people who just hold the cell phones

00:57:50.680 --> 00:57:54.200
just so that the person with the leads or targets doesn’t get caught.

00:57:54.200 --> 00:57:58.800
JACK: Oh man, so there’s a holder involved with this whole thing, too. Yes, holders get paid

00:57:58.800 --> 00:58:03.200
for just being the ones who bought the phone and got the number switched over to it. Okay,

00:58:03.200 --> 00:58:07.840
so the person who wants to do the lick might first start by going to the victim’s e-mail and

00:58:07.840 --> 00:58:12.240
resetting the password. On a lot of e-mail providers, in order to reset the password,

00:58:12.240 --> 00:58:17.840
a text is sent to you. So, the e-mail provider sends the text and the holder tells the person

00:58:17.840 --> 00:58:21.720
what the text is, and they get the access to the e-mail account, and from there,

00:58:21.720 --> 00:58:27.080
they try to log into Coinbase. Upon putting in the username and password, it sends a text to

00:58:27.080 --> 00:58:32.480
the phone that the holder has, and the holder has to give the code to this person. The person now

00:58:32.480 --> 00:58:36.320
logs into Coinbase. But there’s typically a check in Coinbase and it says something

00:58:36.320 --> 00:58:41.160
like well, we don’t recognize this device. We’re sending you an e-mail to verify it’s you. Well,

00:58:41.160 --> 00:58:45.760
the person’s already in their e-mail account, so they just have to wait for the e-mail and

00:58:45.760 --> 00:58:52.440
click yeah, it’s me, and Coinbase lets them in. Now they’re in someone’s Coinbase account which

00:58:52.440 --> 00:58:58.920
might have $30,000, $100,000, or sometimes even more than a million dollars in it.

00:58:58.920 --> 00:59:04.720
DREW: Then you swap the balance to Coinbase Pro so that you’re able to withdraw the funds,

00:59:04.720 --> 00:59:10.620
and then you withdraw it to your Exodus or your MetaMask or your Electrum wallet.

00:59:10.620 --> 00:59:15.360
JACK: The reason why they transfer it to Coinbase Pro is because there’s a higher daily withdrawal

00:59:15.360 --> 00:59:20.440
limit there. But there’s a safety check there, too. Before you can withdraw funds from Coinbase,

00:59:20.440 --> 00:59:25.240
there’s one more 2FA check, so you need to get another text message from the holder to initiate

00:59:25.240 --> 00:59:30.640
the transfer. But there’s still yet another security hurdle; Coinbase has a maximum daily

00:59:30.640 --> 00:59:35.900
withdrawal limit, and sometimes people have more than that. But Drew says that’s not a problem.

00:59:35.900 --> 00:59:40.640
DREW: Yeah, there’s a few workarounds. People use exploits I can’t talk about,

00:59:40.640 --> 00:59:47.880
but there are ways to withdraw $250,000 or a million dollars. You can withdraw

00:59:47.880 --> 00:59:51.520
massive amounts of money. There are – one way that everyone knows that I can say to

00:59:51.520 --> 00:59:57.240
you is there is a certain bot out there on a forum that is able to spam request

00:59:57.240 --> 01:00:02.520
all at the same time to overwhelm them and allow them to withdraw a bunch of batches

01:00:02.520 --> 01:00:09.020
of smaller transactions. But there are other ways as well that are more directly exploits.

01:00:09.020 --> 01:00:14.320
JACK: Jeesh, these kids are determined. Why wouldn’t they be when there’s a

01:00:14.320 --> 01:00:19.280
potential one-million-dollar-lick that they can score from this?

01:00:19.280 --> 01:00:22.960
DREW: The new generation of crypto-swappers – I probably know at least personally ten

01:00:22.960 --> 01:00:29.280
millionaires who are all under the age of sixteen who I know for a fact can’t be lying,

01:00:29.280 --> 01:00:35.040
seen them send transactions live, seen them hit million-dollar licks live.

01:00:35.040 --> 01:00:39.960
As for the older generation, the ones that were there extremely early with

01:00:39.960 --> 01:00:46.080
the crazy $20-million-dollar Michael Terpin targets, they have $15 million, $10 million,

01:00:46.080 --> 01:00:52.080
and they’re in new hustles like NFTs and phishing. Like, really high-level things.

01:00:52.080 --> 01:00:58.200
JACK: Okay, Michael Terpin is a cryptocurrency investor, but he has a few startups in this

01:00:58.200 --> 01:01:03.080
space too, like Transform Group and BitAngels. [MUSIC] In January 2018,

01:01:03.080 --> 01:01:10.280
someone did the steps you just heard to hack into Terpin’s crypto wallet and steal $23 million worth

01:01:10.280 --> 01:01:17.240
of crypto out of it. $23 million stolen in one night. You know as soon as the person got that,

01:01:17.240 --> 01:01:21.240
they had to pay all the people down the line that helped them get there. In this case,

01:01:21.240 --> 01:01:27.600
it was insiders working at AT&T that helped do this. Well, once this guy stole the $23 million,

01:01:27.600 --> 01:01:32.240
he still wasn’t happy. He tweeted, stole $23 million and still can’t stay away

01:01:32.240 --> 01:01:37.240
from drugs. Stole $23 million and can’t get my shit straight. Terpin, of course,

01:01:37.240 --> 01:01:41.800
went to the police who started investigating and were able to find some pretty solid evidence that

01:01:41.800 --> 01:01:48.560
led them to a guy named Nicholas Truglia who was twenty-one, living in Manhattan, and Joel Ortiz,

01:01:48.560 --> 01:01:54.880
eighteen, living in Boston with his mom and dad. They arrested both of these young men.

01:01:54.880 --> 01:02:02.120
Joel Ortiz was sentenced to ten years in prison. Court records show that Nicholas had over $70

01:02:02.120 --> 01:02:08.760
million in assets at the time of his arrest. He pled guilty and is still in court, waiting

01:02:08.760 --> 01:02:14.480
to be sentenced. But as for Michael Terpin, he was really mad that he lost $23 million.

01:02:14.480 --> 01:02:19.360
Of course he would be, but he also had fifty other crypto accounts and they were all fine,

01:02:19.360 --> 01:02:23.920
so I’m not sure what percentage of his crypto funds were stolen, but he was still furious,

01:02:23.920 --> 01:02:30.720
so mad that he sued both Nicholas and AT&T. He sued AT&T for $200 million, claiming the

01:02:30.720 --> 01:02:35.240
person who talked with him on the phone said his phone number is secure and cannot be SIM-swapped,

01:02:35.240 --> 01:02:40.160
yet it was. He wants AT&T to admit that they are the biggest reason why his money

01:02:40.160 --> 01:02:46.360
was stolen. However, the judge dismissed the case. But Terpin also sued the hacker, Nicholas,

01:02:46.360 --> 01:02:53.600
and he won that lawsuit. The judge ruled in favor of Terpin and granted him $75 million. So,

01:02:53.600 --> 01:03:01.600
while Terpin lost $24 million, he was ultimately given $75 million in compensation. Wild stuff.

01:03:01.600 --> 01:03:05.680
DREW: Big advice to crypto-investors out there or someone holding Coinbases,

01:03:05.680 --> 01:03:09.680
this is gonna be very useful for you. Use designated e-mails for things that

01:03:09.680 --> 01:03:15.160
you do. Separate your personal e-mail from your crypto-investor e-mail, I would say.

01:03:15.160 --> 01:03:22.120
JACK: Alright, this makes sense. We’ve now graduated from don’t reuse passwords to don’t

01:03:22.120 --> 01:03:28.800
reuse e-mails on high-profile accounts. If you have an e-mail address that was just for your

01:03:28.800 --> 01:03:33.880
crypto exchange and you used it nowhere else, then it would be really hard to discover that

01:03:33.880 --> 01:03:39.320
e-mail address and try to crack it, because after all, you need a username and a password to get

01:03:39.320 --> 01:03:45.120
into these places, so why not make the username really hard to find? If your username is the same

01:03:45.120 --> 01:03:49.240
e-mail address that you use for everything, then that’s like giving half of your login to

01:03:49.240 --> 01:03:54.680
whoever you chat with. Now, we just went over the 100 steps it takes to SIM-swap someone and

01:03:54.680 --> 01:03:59.640
steal all their money, but I want to take a step back and look at this for a moment. This wasn’t

01:03:59.640 --> 01:04:05.600
a quick and simple method to do this. It took a whole lot of research to find just a good target,

01:04:05.600 --> 01:04:09.600
and this is important to know, because people ask me questions all the time like oh, what’s the

01:04:09.600 --> 01:04:14.800
real danger if I put my birth date on my Facebook profile? They’re expecting some sort of quick and

01:04:14.800 --> 01:04:20.000
simple way a hacker can use it against them, but it’s not always quick and simple. If these kinds

01:04:20.000 --> 01:04:25.040
of criminals get a whiff that you’ve got something that they want, they will case out your life and

01:04:25.040 --> 01:04:31.000
build a massive report on you so that they can completely own your digital life and become you.

01:04:31.000 --> 01:04:34.840
Every little scrap of extra information they can get about you can potentially

01:04:34.840 --> 01:04:40.760
mean a massive payday for them. If some obscure website you had an account with gets breached and

01:04:40.760 --> 01:04:45.240
they get the password you used and you reuse that password somewhere else, that just opens

01:04:45.240 --> 01:04:49.040
doors for them. Obviously getting into your e-mail and phone number is valuable to them,

01:04:49.040 --> 01:04:53.160
so they’ll really love it if you just post that publicly, but then there are the little things;

01:04:53.160 --> 01:04:58.320
what city you’re in, what browser you use, what things you like, where you like to get coffee,

01:04:58.320 --> 01:05:03.040
and who your family members are. All these things can be used to exploit you further.

01:05:03.040 --> 01:05:07.080
If they know what city you’re in, they can use a proxy in your location to make their traffic

01:05:07.080 --> 01:05:10.680
look like it’s coming from somewhere close to you. If they know what browser you use,

01:05:10.680 --> 01:05:14.440
that’ll help them look more like you when they’re trying to access your accounts,

01:05:14.440 --> 01:05:17.640
and if they know what things you like, that might tell them about some other areas of

01:05:17.640 --> 01:05:21.240
your life to check out, and if they know where you like to get coffee, this might result in

01:05:21.240 --> 01:05:25.440
them meeting you there and picking your pockets while you’re standing in line for your latte.

01:05:25.440 --> 01:05:29.960
If they have information about who your family members are, those family members

01:05:29.960 --> 01:05:34.560
might get targeted. Drew here told me a story about how one time when they wanted to get into

01:05:34.560 --> 01:05:39.840
some guy’s account, they texted the wife posing as the husband to get her to read

01:05:39.840 --> 01:05:45.880
off the 2-factor authentication codes over text messages. The more information they have on you,

01:05:45.880 --> 01:05:50.760
the easier it makes their job. Imagine they had full access to your bank account and decided

01:05:50.760 --> 01:05:55.640
to transfer all the money out, but your bank decided, wait, something doesn’t seem right,

01:05:55.640 --> 01:06:01.440
and they challenge the transfer and say hm, just to make sure it’s you, what’s your birthday? Now,

01:06:01.440 --> 01:06:06.760
that one piece of data that you thought was innocent to just share publicly could have been

01:06:06.760 --> 01:06:13.560
your savior if you didn’t post it to Facebook. I hope you’re convinced now to never share your

01:06:13.560 --> 01:07:20.640
private and personal information on a public website. What do you call this, this group?

01:07:20.640 --> 01:07:24.680
DREW: There’s a few different words. We call it com, first of

01:07:24.680 --> 01:07:28.480
all. I’m sure you’ve heard com, but we just vaguely call ourselves com.

01:07:28.480 --> 01:07:33.920
JACK: Com, spelled C-O-M; it’s short for community,

01:07:33.920 --> 01:07:40.520
and this is new to me. Back in my day, we called it the scene. Now I guess it’s the community.

01:07:40.520 --> 01:07:45.160
DREW: Yeah, we just call it com, though. Then we call – there’s simming com and

01:07:45.160 --> 01:07:50.720
there’s – oh, there’s cracking com, there’s Roblox com, there’s – trying to think. Oh,

01:07:50.720 --> 01:07:58.760
there’s Twitch com. People have bought Twitches. There’s one vanilla com. There’s infosec com.

01:07:58.760 --> 01:08:02.800
JACK: Huh, I wasn’t familiar with infosec com, but I listened to Drew explain it more. The

01:08:02.800 --> 01:08:07.080
way he says it is that there’s some people in the IT security space who want to be part of

01:08:07.080 --> 01:08:12.760
infosec Twitter and respect it as good security researchers, but also want to do things that are

01:08:12.760 --> 01:08:19.520
illegal or unethical, sort of acting like both an innocent white hat and a shady black hat at

01:08:19.520 --> 01:08:25.880
the same time, such as Ryan Phobia Stevenson. This is the guy who reported a few bugs that he found

01:08:25.880 --> 01:08:31.960
in telecom companies and was awarded for it. But then he used those bugs to grab customer data from

01:08:31.960 --> 01:08:37.320
telecom companies and sell them on underground markets. The guy was double-dipping. It sounds

01:08:37.320 --> 01:08:42.720
like there are coms for every little area of focus that people can make money at online. But

01:08:42.720 --> 01:08:48.640
the common thread in all this is that they’re all unethical coms, and that’s why I call them

01:08:48.640 --> 01:08:56.240
dirty coms. These are nasty communities. Let’s talk about NFTs. So, every day in the news I’m

01:08:56.240 --> 01:09:03.880
seeing another attack on NFTs such as somebody scamming someone out of their Bored Ape or…

01:09:03.880 --> 01:09:05.520
DREW: Yeah, of course.

01:09:05.520 --> 01:09:06.400
JACK: Or…

01:09:06.400 --> 01:09:07.440
DREW: The classic…

01:09:07.440 --> 01:09:11.160
JACK: Okay, go on. You’ve seen this. Is it somebody

01:09:11.160 --> 01:09:14.340
from your coms that are conducting these things?

01:09:14.340 --> 01:09:20.040
DREW: Well, yeah. Okay, so, it’s from the initial really, really rich SIM com that

01:09:20.040 --> 01:09:26.080
I had mentioned. So, those initial rich simmers that are not in the current one,

01:09:26.080 --> 01:09:30.320
they now steal NFTs. There’s a notable group of people I know – I’m not gonna say them by name,

01:09:30.320 --> 01:09:33.880
but basically there’s just people who literally go on Discords;

01:09:33.880 --> 01:09:37.320
someone says they need help with an NFT. They message them, they post their links.

01:09:37.320 --> 01:09:44.480
JACK: Huh, I witnessed this firsthand just this week. I was in an NFT Discord. Oh, and

01:09:44.480 --> 01:09:49.480
if you don’t know what NFT is, in this case it’s just digital art that you can buy and sell, and

01:09:49.480 --> 01:09:54.160
these pieces of digital art are going for like, thousands of dollars each, and sometimes even

01:09:54.160 --> 01:09:59.600
hundreds of thousands of dollars each. In Discord, I got a direct message saying I was selected to

01:09:59.600 --> 01:10:05.320
be on a pre-sale list for one of these NFT drops and I have to buy it now. But of course, I didn’t

01:10:05.320 --> 01:10:10.400
click the link. [MUSIC] But someone in the channel did, and the site said in order to mint the NFT,

01:10:10.400 --> 01:10:14.520
you just need to connect your MetaMask crypto wallet and enter your twenty-four-word seed

01:10:14.520 --> 01:10:22.520
phrase. Now, that twenty-four-word seed phrase is not something you should ever share ever.

01:10:22.520 --> 01:10:26.800
That’s the private password, basically, to your crypto wallet, and if you give someone that,

01:10:26.800 --> 01:10:32.360
you basically handed them control of your entire crypto wallet. Well, this person put their seed

01:10:32.360 --> 01:10:37.320
phrase into the bogus website, and as soon as they did, the thief got in their crypto

01:10:37.320 --> 01:10:43.720
wallet and took all their valuable NFTs and sold them for like, half-price. The thief made about

01:10:43.720 --> 01:10:51.360
$40,000 in Ethereum in like, five minutes. It was absolutely crazy to watch this person get their

01:10:51.360 --> 01:10:57.800
account drained right in front of my eyes, and there was nothing that anyone could do to stop it.

01:10:57.800 --> 01:11:02.160
There’s no shortage of stories of people getting digitally mugged and their crypto

01:11:02.160 --> 01:11:07.920
wallet stolen and NFTs, and I think the reason is because these crypto wallets hold tons of money

01:11:07.920 --> 01:11:12.960
and they’re just like browser add-ons. If you connect your crypto wallet to the wrong site,

01:11:12.960 --> 01:11:17.680
it’s game over, and it’s so easy to connect it to the wrong site. It’s kind of like if

01:11:17.680 --> 01:11:22.280
you have your bank account accessible right in the browser as a plug-in,

01:11:22.280 --> 01:11:27.240
and all the sites you’re visiting all want to take a look at it. But this is just the beginning;

01:11:27.240 --> 01:11:31.920
almost every day this happens. There are so many scammers trying to get access to people’s crypto

01:11:31.920 --> 01:11:38.120
wallets, which might have cryptocurrency in it, or an NFT. The scams are vast and fast,

01:11:38.120 --> 01:11:43.040
coming at you from every angle if you play in this space. For instance, another big scam I

01:11:43.040 --> 01:11:48.880
saw the other day was when an NFT was just about to launch their project, and on launch day is a

01:11:48.880 --> 01:11:53.560
big day. Everyone who wants to be part of it is ready to rush to mint their tokens and hope

01:11:53.560 --> 01:11:58.520
that it goes up in price. So, there’s a frenzy in those moments because there’s a limited supply,

01:11:58.520 --> 01:12:03.560
and you don’t want to be bought out. So, already, when people are in a rush to buy something,

01:12:03.560 --> 01:12:08.560
they’re prone to make mistakes, and typically eager buyers will be in the Discord chat room

01:12:08.560 --> 01:12:13.680
for that NFT to watch what’s going on. But there’s a whole slew of things that can go

01:12:13.680 --> 01:12:19.740
wrong with this. First, the owner of the Discord can get hacked, and here’s how that happens.

01:12:19.740 --> 01:12:24.080
DREW: They built up their credibility through a friend; that’s how it always goes. Hey,

01:12:24.080 --> 01:12:28.840
my friend says that I should talk to you. He eventually – he eases his way

01:12:28.840 --> 01:12:33.560
into sending some sort of file that they can actually Discord token log him with.

01:12:33.560 --> 01:12:37.640
JACK: If you use Discord, chances are you don’t enter your username and password

01:12:37.640 --> 01:12:42.000
every time you visit the site or open the app. That’s because once you authenticate,

01:12:42.000 --> 01:12:47.280
there’s a little authentication token that exists on your computer which keeps you logged in. But if

01:12:47.280 --> 01:12:52.600
you can just take the authentication token, then you can log in as that person without needing a

01:12:52.600 --> 01:12:58.280
password. The authentication token has all the stuff in there, and yeah, if you can get someone

01:12:58.280 --> 01:13:04.200
to install your malware, the malware can steal the token. [MUSIC] Okay, so if you can access a

01:13:04.200 --> 01:13:09.640
moderator’s account on a popular Discord channel that’s about to launch an NFT, then you can make

01:13:09.640 --> 01:13:15.880
a ton of money. All you need to do is copy the official website of this NFT, which is super easy,

01:13:15.880 --> 01:13:21.480
and make a similar-looking URL with one letter different, and change where the money goes when

01:13:21.480 --> 01:13:28.040
someone buys the NFT. Instead of it going to the NFT-maker, it’s now going to your wallet. So,

01:13:28.040 --> 01:13:33.760
now all you need to do is direct people to your page, and since you’re a moderator, you can.

01:13:33.760 --> 01:13:36.860
DREW: Post a main message, guns blazing, as we call it.

01:13:36.860 --> 01:13:40.320
JACK: The message might read, ‘Minting is now live, open to the public, but hurry;

01:13:40.320 --> 01:13:45.200
we’ll be closing in ten minutes’. Some of these Discord channels have over 50,000 people in there,

01:13:45.200 --> 01:13:50.040
ready to buy. You can imagine if 50,000 people see a message like this, that the project has

01:13:50.040 --> 01:13:55.800
gone live and they’re ready to mint, that they’ll come flooding to the site to buy their NFTs. I’ve

01:13:55.800 --> 01:14:02.680
seen this happen over and over. Scammers are infecting Discord and are making over

01:14:02.680 --> 01:14:10.140
$100,000 in ten minutes doing this. But there are other scams that are going on on Discord, too.

01:14:10.140 --> 01:14:15.600
DREW: There are people who actually buy NFT Discords, that people don’t even realize. People

01:14:15.600 --> 01:14:21.280
grow NFT Discords using growth services. They get shout-out packages from people on Instagram,

01:14:21.280 --> 01:14:27.840
verify people. They grow them just to exit scam or just to sell them to someone who will exit scam.

01:14:27.840 --> 01:14:33.640
JACK: Oh yeah, I’ve seen this, too. If you find an NFT project that has 100,000 followers on Twitter

01:14:33.640 --> 01:14:38.680
and 80,000 members on Discord, you’re gonna think that that’s a hot NFT project and be more excited

01:14:38.680 --> 01:14:43.560
about it. But the numbers are all faked. It’s a Discord channel that was just bought last week,

01:14:43.560 --> 01:14:48.440
and it came with 80,000 members already in it, but they’re all bots. So, it creates a false

01:14:48.440 --> 01:14:53.120
buzz about it, and they launch a project and people pay them, and they get nothing for it

01:14:53.120 --> 01:14:57.920
except for some cheap piece of art that was made by someone on Fiverr. The creators just grab the

01:14:57.920 --> 01:15:05.240
money and leave. Again, a scam like this can earn someone over $100,000 if done right. But these are

01:15:05.240 --> 01:15:10.480
certainly pretty involved and complex scams. It takes a long time; you have to build a website,

01:15:10.480 --> 01:15:17.040
buy an NFT server, create all the artwork. It’s not easy and takes some real finesse. But then,

01:15:17.040 --> 01:15:21.720
if that wasn’t enough NFT scams going around, there’s also influencer scams happening.

01:15:21.720 --> 01:15:26.760
DREW: They get a reputable person to be their upfront. They are these

01:15:26.760 --> 01:15:31.560
rich people who are crypto influencers who convince people to fall for these tricks,

01:15:31.560 --> 01:15:35.360
like their friends. They convince their friends to fall for NFT scams,

01:15:35.360 --> 01:15:38.380
and the person setting them up is these millionaire SIM-swappers. It’s horrible.

01:15:38.380 --> 01:15:42.320
JACK: Yikes, man, you can’t even trust your friends in NFTland. They might be getting paid

01:15:42.320 --> 01:15:47.720
by the scammers to scam you. I’ve dabbled in these NFTs and I’ll tell you, it’s not

01:15:47.720 --> 01:15:54.080
for the beginner. It’s fraught with landmines, hackers, thieves, scammers, criminals, and so

01:15:54.080 --> 01:15:58.115
much more, which to me is fun to see the craziness happening all around. It’s not for everyone, and

01:15:58.115 --> 01:16:03.440
these people are trying hard to reach into your crypto wallet and drain your assets. They can do

01:16:03.440 --> 01:16:40.640
it with impunity, because it’s so hard to trace crypto heists.

01:16:40.640 --> 01:16:45.160
DREW: Those people, that was all for profit, pretty much,

01:16:45.160 --> 01:16:49.240
like Joel Ortiz, Nicholas Truglia, Xavier Clemente.

01:16:49.240 --> 01:16:52.680
JACK: Why are you naming people here?

01:16:52.680 --> 01:16:54.154
DREW: I mean, they’re all public names, arrested in…

01:16:54.154 --> 01:16:57.680
JACK: Oh, okay. Oh, they’ve – these have all been arrested?

01:16:57.680 --> 01:17:00.600
DREW: These are probably the most famous SIM-swappers that have been arrested;

01:17:00.600 --> 01:17:04.920
PlugWalkJoe, AKA Joseph, James O’Connor, whatever.

01:17:04.920 --> 01:17:09.840
JACK: Okay, I’ve gotta look up what these people did. [MUSIC] Alright, Joel Ortiz was arrested for

01:17:09.840 --> 01:17:14.600
SIM-swapping. In fact, he was the first-ever person to be convicted for SIM-swapping. This

01:17:14.600 --> 01:17:23.400
is wild; 2019 is the first time a SIM-swapper was ever convicted. This is truly the definition of a

01:17:23.400 --> 01:17:29.080
modern crime if only three years ago was the first time anyone’s ever been convicted of this. So,

01:17:29.080 --> 01:17:33.520
Joel Ortiz was twenty-one from Boston, and according to police, he scammed forty people

01:17:33.520 --> 01:17:38.560
and stole a total of $7 million conducting SIM-swaps. He was arrested and got ten years

01:17:38.560 --> 01:17:43.520
in prison for this. We already talked about Nicholas Truglia. He’s awaiting sentencing,

01:17:43.520 --> 01:17:48.520
but Drew also mentioned Xavier Clemente. This guy was nineteen years old when he was arrested

01:17:48.520 --> 01:17:53.720
for SIM-swapping. Police say he stole over one million dollars in cryptocurrencies. Then

01:17:53.720 --> 01:17:58.120
there’s PlugWalkJoe, James O’Connor. He was twenty-two, living in the UK,

01:17:58.120 --> 01:18:03.840
when he was arrested for SIM-swapping. Authorities say he stole over $700,000 doing this. But

01:18:03.840 --> 01:18:08.240
the list just goes on and on. There’s Yousef Selassie, a nineteen-year-old from Brooklyn,

01:18:08.240 --> 01:18:11.440
who was arrested for stealing a million dollars in cryptocurrency.

01:18:11.440 --> 01:18:17.360
There’s a guy, goes by the nickname Baby Al Capone; he stole $20 million in cryptocurrency.

01:18:17.360 --> 01:18:21.800
This guy was just fifteen years old when he was arrested. There’s two more guys;

01:18:21.800 --> 01:18:26.600
Ahmad Hared and Matthew Ditman. They’re facing charges for working together to do a SIM-swap and

01:18:26.600 --> 01:18:30.520
steal some crypto, and there’s Eric Meigs, a guy who was arrested for SIM-swapping;

01:18:30.520 --> 01:18:35.920
he stole over $500,000 doing it. Declan Harrington pled guilty to doing SIM-swapping

01:18:35.920 --> 01:18:41.320
attacks, and of course, Shane Sonderman from Episode 106 was arrested for SIM-swapping,

01:18:41.320 --> 01:18:46.000
and currently he’s spending five years in prison. There’s Corey De Rose, a twenty-two-year-old from

01:18:46.000 --> 01:18:51.960
the UK who was accused of stealing 100 Bitcoins and is now facing prison time. Oh, and by the way,

01:18:51.960 --> 01:18:56.920
the items confiscated by the police are incredible; luxury watches, luxury cars,

01:18:56.920 --> 01:19:01.800
penthouse apartments. These kids are blowing it as fast as they get it, and almost all of

01:19:01.800 --> 01:19:06.120
them have gambling addictions, where they’ll put some money in an online casino and spin

01:19:06.120 --> 01:19:10.640
the wheel and try to hit it even bigger. They kind of like showing off what they’re willing to wager

01:19:10.640 --> 01:19:15.120
during live streams and stuff so that others can see how much money they have. It’s nuts.

01:19:15.120 --> 01:19:19.480
DREW: So, on their Telegram channels, they actively post screenshots of their

01:19:19.480 --> 01:19:22.400
targets and how much money is in them and that they just scammed them for millions

01:19:22.400 --> 01:19:27.480
of dollars. You can confirm this because they will literally show you the TxIDs and

01:19:27.480 --> 01:19:32.240
their Bitcoin wallets filled with millions of dollars. They’ll do thousand-dollar giveaways

01:19:32.240 --> 01:19:37.160
every day. They just do ridiculously crazy things with their money ‘cause they’re kids.

01:19:37.160 --> 01:19:41.680
JACK: This list goes on and on. A lot of people are being arrested that are under eighteen years

01:19:41.680 --> 01:19:46.360
old, and so, we just never see their names in the news. Some of them get caught and are just

01:19:46.360 --> 01:19:51.640
forced to give back the cryptocurrency or NFTs they stole, and they just get a stern warning.

01:19:51.640 --> 01:19:58.280
[MUSIC] I don’t know about you, but all this just blows me away. I had no idea what this underground

01:19:58.280 --> 01:20:04.520
community looked like before now. But now I feel like my eyes have adjusted and I can see in the

01:20:04.520 --> 01:20:12.600
dark. Do you feel that way too? I feel like it’s an all-out war zone on the internet right now.

01:20:12.600 --> 01:20:16.720
Yeah, every day we hear about another company getting hit with ransomware or a data breach,

01:20:16.720 --> 01:20:23.600
but all that is NIMBY. It’s not in my backyard. This is what is in my backyard. This is teenagers

01:20:23.600 --> 01:20:29.960
targeting regular people, and their nicknames are no coincidence. One goes by Baby Al Capone,

01:20:29.960 --> 01:20:35.560
another goes by Billy the Kid. Billy the Kid used to rob trains back in the old days. He

01:20:35.560 --> 01:20:40.160
would just stick up random people and demand money from them, and it seems like the same

01:20:40.160 --> 01:20:45.960
thing is going on here. If you make any mention that you have a lot of cryptocurrency publicly,

01:20:45.960 --> 01:20:49.840
you can probably expect that someone’s gonna want to steal that from you. It’s

01:20:49.840 --> 01:20:53.600
not the most easy thing in the world to keep safe. It’s really tricky.

01:20:53.600 --> 01:20:58.080
So, if you’re holding crypto, I strongly encourage you to not put all your stuff

01:20:58.080 --> 01:21:02.920
in one address. Break it up into different wallets, because if something gets compromised,

01:21:02.920 --> 01:21:07.680
you don’t want them taking the whole piggy bank. Phone companies should probably step up

01:21:07.680 --> 01:21:11.720
their security. It sounds like they’re trying to make it harder, and that’s why people are paying

01:21:11.720 --> 01:21:18.080
$10,000 per SIM-swap today, but how can they eliminate this when there’s insiders who work

01:21:18.080 --> 01:21:23.880
as regional managers who are in on the cut of this? They might get an equivalent to a whole

01:21:23.880 --> 01:21:29.800
year’s worth of salary by helping a SIM-swapper do a million-dollar lick. That could be a tough

01:21:29.800 --> 01:21:34.720
thing to turn down for someone who really needs the money. Maybe the answer is not to use SIM

01:21:34.720 --> 01:21:38.720
cards anymore and just keep a Wi-Fi hot spot in your pocket at all times and bounce your

01:21:38.720 --> 01:21:43.840
phone off it when you need to call someone. I don’t know. Exchanges like Coinbase do a fairly

01:21:43.840 --> 01:21:47.400
good job at making it hard for criminals to get into someone’s account. In fact,

01:21:47.400 --> 01:21:52.280
the exploit that Drew said which let someone check the balance of an account without 2FA, I think

01:21:52.280 --> 01:21:57.080
Coinbase reimbursed all the people who were hit with that exploit, and they continue to improve.

01:21:57.080 --> 01:22:01.040
But perhaps they should force everyone to use Google Authenticator. That would make it harder

01:22:01.040 --> 01:22:05.120
for these people, or maybe give you the option to have a second password on the site that’s

01:22:05.120 --> 01:22:10.040
just for transfers. The problem is, the harder they make it for criminals to steal stuff, the

01:22:10.040 --> 01:22:15.920
harder they make it for users to use the site. So, it becomes a difficult balance. On top of that,

01:22:15.920 --> 01:22:21.720
I’m positive North Korea is hitting Coinbase all the time, trying to find a hot wallet somewhere

01:22:21.720 --> 01:22:27.480
and steal that. So, they really have a heavy load that they’ve gotta defend against. No pressure,

01:22:27.480 --> 01:22:32.520
right? But it seems obvious to me at least that even if you fix a few of these problems,

01:22:32.520 --> 01:22:37.360
the people in these dirty coms just find another way to do it. As the internet moves

01:22:37.360 --> 01:22:42.640
at the speed it does, software and websites don’t always put security first. These are

01:22:42.640 --> 01:22:47.040
some of the consequences for not doing that. Like I was saying at the beginning,

01:22:47.040 --> 01:22:51.080
there’s not a lot of wisdom being passed down from generation to generation on what

01:22:51.080 --> 01:22:55.240
the dangers of the internet are, whether it’s for the users of the site or the

01:22:55.240 --> 01:23:00.000
teenagers trying to hack into them. I think it’s gonna get worse before it gets better.

01:23:00.000 --> 01:23:05.280
It might even take forty more years before we see a world where people go online in a safe,

01:23:05.280 --> 01:23:10.600
responsible manner, where users value their privacy and security above all,

01:23:10.600 --> 01:23:16.120
and know not to install apps or buy devices that put your privacy at risk,

01:23:16.120 --> 01:23:19.560
and have a strong understanding of the digital dangers that are out there,

01:23:19.560 --> 01:23:25.560
and do things to protect themselves. That’s why I thought this episode was important for you to

01:23:25.560 --> 01:23:32.280
listen to. Now you have a much clearer view into why someone would target you and how they do it,

01:23:32.280 --> 01:23:37.200
when maybe you never even thought you were the target before. This is why things like Defcon

01:23:37.200 --> 01:23:41.480
exist, which is a conference that hackers go to to show off all the new ways they’ve learned how

01:23:41.480 --> 01:23:46.800
to hack into things. The primary focus there is to share offensive hacking techniques,

01:23:46.800 --> 01:23:51.840
and sharing these techniques has arguably made security better, because if people don’t share

01:23:51.840 --> 01:23:56.560
them, then we don’t know that problem exists, and you can’t do things to defend against it.

01:23:56.560 --> 01:24:01.360
The real criminals and nation state actors do not share their techniques publicly because they

01:24:01.360 --> 01:24:07.000
don’t want it fixed. We can’t simply ignore that and hope security problems somehow magically get

01:24:07.000 --> 01:24:12.640
fixed. My hope is that now that you’ve heard all these techniques that you will now take

01:24:12.640 --> 01:24:18.760
your digital life more seriously than you were before. I imagine a world where users were so

01:24:18.760 --> 01:24:23.680
well-educated on security that they take it upon themselves to overly secure their environments,

01:24:23.680 --> 01:24:28.520
because they’ve been hit too many times by bad actors or were just taught properly how

01:24:28.520 --> 01:24:35.280
to practice safe internet usage. There’s this part in the TV show Mr. Robot where Elliot, a hacker,

01:24:35.280 --> 01:24:39.360
goes into an office building and he wants to use someone’s computer, and he looks around to try to

01:24:39.360 --> 01:24:44.560
find a good person to social engineer to get them to stand up so he can use their terminal. He sees

01:24:44.560 --> 01:24:51.160
an older lady sniffing Wite-Out, and he thinks okay, surely an older lady sniffing Wite-Out

01:24:51.160 --> 01:24:57.640
would be the perfect candidate to convince to let Elliot use her computer. [MUSIC] Here’s the scene.

01:24:57.640 --> 01:25:00.840
ELLIOT: Hi, Edie. I’m Henry from IT.

01:25:00.840 --> 01:25:01.620
EDIE: Hello.

01:25:01.620 --> 01:25:03.920
ELLIOT: We detected you using some unauthorized

01:25:03.920 --> 01:25:07.820
remote access software to connect to your computer workstation from home.

01:25:07.820 --> 01:25:10.300
EDIE: Oh, my. That can’t be true.

01:25:10.300 --> 01:25:13.800
ELLIOT: Don’t worry; I’m just gonna take a look at your machine and perform

01:25:13.800 --> 01:25:18.040
an assessment to make sure you don’t have an unauthorized desktop sharing service installed.

01:25:18.040 --> 01:25:22.120
EDIE: I’m gonna have to contest that. I harden my install further

01:25:22.120 --> 01:25:25.760
than the standard configuration, including a restrictive host-based

01:25:25.760 --> 01:25:30.240
firewall rule set and whitelisting to block unauthorized apps from running.

01:25:30.240 --> 01:25:32.220
ELLIOT: I might have chosen the wrong candidate.

01:25:32.220 --> 01:25:39.800
JACK: Isn’t that just beautiful? That lady knows her digital environment so well and has taken so

01:25:39.800 --> 01:25:46.080
many security precautions. It brings tears to my eyes. Imagine a world where the average internet

01:25:46.080 --> 01:25:51.440
user is that educated and serious about their digital safety. But it’s going to take a long

01:25:51.440 --> 01:25:59.160
time for us to get there. Sometimes things need to break down before they can break through.

01:25:59.160 --> 01:26:07.600
It’s a war zone out there. Be careful, but be brave. Hang in there. You can do it. Take your

01:26:07.600 --> 01:26:23.415
own digital security seriously. Practice good digital hygiene. Good luck dodging the bullets.

01:26:23.415 --> 01:26:27.240
(OUTRO): [OUTRO MUSIC] A big thank you to Drew for sharing this inside look to the various coms and

01:26:27.240 --> 01:26:32.680
what’s going on in there. This show is made by me, SIM Shady, Jack Rhysider. Sound design and

01:26:32.680 --> 01:26:37.960
original music was created by the reactivator, Andrew Meriwether. Editing help this episode by

01:26:37.960 --> 01:26:43.920
the sleeping Damienne, and our associate producer just back from his trip to Pancakes Retirement

01:26:43.920 --> 01:26:49.320
Ceremony, is Ray [REDACTED]. Our theme music is by the heat-bringing Breakmaster Cylinder.

01:26:49.320 --> 01:26:52.840
The one nice thing about getting SIM-swapped is you don’t get any annoying telemarketers

01:26:52.840 --> 01:27:01.480
anymore. Sometimes it’s so bad, I’m not sure which is worse anyway. This is Darknet Diaries.
