WEBVTT

00:00:00.000 --> 00:00:04.680
JACK: When I was a teenager living at home with my dad, it always felt like he was invading my

00:00:04.680 --> 00:00:10.560
privacy. He would do things like open and read the mail that I got, or he would go

00:00:10.560 --> 00:00:16.080
into my room when I wasn’t there. He says he was picking up trash or collecting dirty cups,

00:00:16.080 --> 00:00:20.920
but I always suspected he was going through my things for some reason. [MUSIC] Sometimes he’d

00:00:20.920 --> 00:00:25.680
barge into my room when I was there, too, and I didn’t like that. What if he saw me

00:00:25.680 --> 00:00:30.680
doing something on my computer that I didn’t want him to see? So, I set up an early warning

00:00:30.680 --> 00:00:36.240
system so I would know when he was coming. I would sometimes put sheets of newspaper just

00:00:36.240 --> 00:00:42.240
outside my door. I’d arrange it in such a way that he’d have to step on it to get to my door,

00:00:42.240 --> 00:00:47.880
and the crinkle of the newspaper would tip me off that someone’s coming. This worked for a while,

00:00:47.880 --> 00:00:52.280
especially just hearing him complain ah, there’s newspaper all over the floor; what’s going on out

00:00:52.280 --> 00:00:57.200
here? That way, I would know he’s coming in. But one day, he decided to be tricky.

00:00:57.200 --> 00:01:01.200
He wanted to come in my room but didn’t want to make noise with the newspaper,

00:01:01.200 --> 00:01:07.760
so he came up to my door very slowly and quietly, and gently picked up the newspaper

00:01:07.760 --> 00:01:14.880
so that it didn’t make a single crinkle noise. With the early warning system deactivated,

00:01:14.880 --> 00:01:20.000
he opened my door and came right in. I was sitting on my bed reading one of my

00:01:20.000 --> 00:01:25.440
schoolbooks. I was baffled that he didn’t trip my alarm and I asked dad, how did you get in

00:01:25.440 --> 00:01:31.040
without the newspaper making noises? He held up the paper to show me he had picked it up,

00:01:31.040 --> 00:01:38.120
and he said I’m always two steps ahead of you. Glad to see you’re doing homework, and left. Well,

00:01:38.120 --> 00:01:45.920
little did he know that I was four steps ahead. I had wired a proximity sensor up to my door that

00:01:45.920 --> 00:01:50.080
he didn’t know about, and if someone came up to the door, a little light would blink in my room,

00:01:50.080 --> 00:01:54.640
letting me know that someone’s getting close. When he came up to get the newspaper, I saw the

00:01:54.640 --> 00:01:58.840
little light blink. I was playing games on my computer and I turned the monitor off, grabbed

00:01:58.840 --> 00:02:04.400
a schoolbook and jumped in bed, and acted like I was reading. This is what you have to do sometimes

00:02:04.400 --> 00:02:16.097
to catch someone in the act. Two steps ahead isn’t enough. Sometimes you need to be four steps ahead.

00:02:16.097 --> 00:02:18.400
(INTRO:) [INTRO MUSIC] These are true stories from the dark side of

00:02:18.400 --> 00:02:37.188
the internet. I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS]

00:02:37.188 --> 00:02:43.240
JACK: [MUSIC]

00:02:43.240 --> 00:02:47.440
Content warning; there are multiple swear words in this episode. If you’d rather not

00:02:47.440 --> 00:02:52.060
hear bad language, you’ve been warned. Okay, so you don’t want your real name.

00:02:52.060 --> 00:02:52.500
OS: No.

00:02:52.500 --> 00:02:56.140
JACK: Okay, so we’ll just make up – we’ll just make up something; Frank or Tim or…

00:02:56.140 --> 00:03:00.360
OS: I don’t know. Like, I’ll fucking do a random name generator. Let’s see what that says.

00:03:00.360 --> 00:03:01.620
How about that?

00:03:01.620 --> 00:03:03.400
JACK: Yeah.

00:03:03.400 --> 00:03:09.520
OS: We’ll let the ether tell us what it should be. Let’s call it Owl Stalker.

00:03:09.520 --> 00:03:16.396
JACK: Wait a minute. What kind of name generator are you…? It’s like a video game name generator?

00:03:16.396 --> 00:03:19.040
OS: Basically, yeah, dude.

00:03:19.040 --> 00:03:21.820
JACK: Owl Stalker?

00:03:21.820 --> 00:03:26.120
OS: Yeah, why the fuck not?

00:03:26.120 --> 00:03:28.200
JACK: Alright, I tried to use that name,

00:03:28.200 --> 00:03:33.200
but I just can’t bring myself to call him Owl Stalker this whole episode,

00:03:33.200 --> 00:03:37.880
so I’m just going to abbreviate his name to O-S and call him Os for short.

00:03:37.880 --> 00:03:46.040
OS: Yeah, just from a background perspective of early days, I used to run around in the warez

00:03:46.040 --> 00:03:55.440
scene as a warez administrator and a rooter, and also a crypto encryption cracker for games

00:03:55.440 --> 00:04:01.840
in disk. So, some of the largest groups that are out there, I was actually not only hosting

00:04:01.840 --> 00:04:08.640
for the zero-day drops of the warez scene, but also producing zero-day for the warez scene.

00:04:08.640 --> 00:04:16.480
JACK: Ah, the old warez scene in the 90s. Warez is short for softwares, but it specifically means

00:04:16.480 --> 00:04:21.920
pirated software. [MUSIC] Warez groups would buy software, whether a video game or an app,

00:04:21.920 --> 00:04:26.080
and then crack it so that you wouldn’t need a license or a serial key for it to run,

00:04:26.080 --> 00:04:31.400
and then distribute it for anyone to download and use free of charge. In the warez scene of the 90s,

00:04:31.400 --> 00:04:36.400
you could download pretty much any popular game or app without paying for it. Today,

00:04:36.400 --> 00:04:40.720
that’s kind of gone away since apps and games require internet connections for them to run,

00:04:40.720 --> 00:04:44.600
but this was the 90s where internet wasn’t that fast, and this was also a time before

00:04:44.600 --> 00:04:49.280
torrenting was a thing. So, he was on IRC, the Internet Relay Chat, and was setting up

00:04:49.280 --> 00:04:54.200
servers to be the place to go when you wanted to download the pirated software. But he wasn’t

00:04:54.200 --> 00:04:58.680
always distributing pirated software. When he got his first gateway computer,

00:04:58.680 --> 00:05:02.520
he wasn’t sure what to do with it, but then a friend told him to check out IRC,

00:05:02.520 --> 00:05:07.200
where he can meet others. So, he figured out how to get into chat rooms to see what was there.

00:05:07.200 --> 00:05:13.440
OS: My nice baud modem decided to dial-up a pop-on. The first ten minutes that I’m in,

00:05:13.440 --> 00:05:18.960
I actually get popped. I had to rebuild my computer all the way from the ground

00:05:18.960 --> 00:05:24.080
up and at that time, it was all floppy disks to build the system,

00:05:24.080 --> 00:05:28.540
and I vowed to never let that happen again. I was pissed.

00:05:28.540 --> 00:05:34.080
JACK: This is what started him down a tour of the dark side. He was already fascinated with what

00:05:34.080 --> 00:05:39.480
computers could do, and so when his computer got hit with a virus, it immediately fascinated him to

00:05:39.480 --> 00:05:44.400
want to know more. He started asking around about how something like this could happen,

00:05:44.400 --> 00:05:49.800
which led him eventually to these warez groups which were doing illegal things.

00:05:49.800 --> 00:05:58.520
OS: So, I went and learned and trained and taught myself actually how to program. Then I actually

00:05:58.520 --> 00:06:02.680
kinda just made a decision as I matured and I saw some of the other big groups really starting to

00:06:02.680 --> 00:06:08.600
get taken down, like our peer groups in that warez scene starting to get hit really hard;

00:06:08.600 --> 00:06:14.200
several friends of mine that, you know, I had met through the years of being in

00:06:14.200 --> 00:06:17.840
that scene actually going to jail. I was like dude, I don’t want that to be me.

00:06:17.840 --> 00:06:20.720
JACK: So, he decided to go in a totally new direction

00:06:20.720 --> 00:06:25.640
in life. After being hunched over his PC for years, secluded in his bedroom,

00:06:25.640 --> 00:06:30.800
he straightened his back and went outside, and started training.

00:06:30.800 --> 00:06:35.280
SERGEANT: One, two, three, four, United States Marine Corps.

00:06:35.280 --> 00:06:35.667
PRIVATES: One, two, three, four, United States Marine Corps.

00:06:35.667 --> 00:06:39.760
OS: Alright, I chose the Marine Corps specifically ‘cause it was – I shopped around. All the other

00:06:39.760 --> 00:06:44.080
branches had already built cyber-security units and were already in the process of

00:06:44.080 --> 00:06:49.000
– they were one step ahead of where the Marine Corps was, and so I said you know what? I want

00:06:49.000 --> 00:06:54.240
to go in the Marine Corps specifically for this. I walked into a recruiting station and said hey,

00:06:54.240 --> 00:06:59.400
are you guys doing stuff with computers, to protect computers? It wasn’t even cyber-security,

00:06:59.400 --> 00:07:02.640
right? That didn’t even have a name at that point. They were like hey, look,

00:07:02.640 --> 00:07:05.960
we really don’t have a whole lot of options here. We’ll see how you

00:07:05.960 --> 00:07:13.120
test. I tested really high on the entry level and was guaranteed to go into the

00:07:13.120 --> 00:07:19.507
role that I played in the military which was the cyber-security side of the house, right?

00:07:19.507 --> 00:07:22.307
SERGEANT: If I die in the combat zone…

00:07:22.307 --> 00:07:27.398
PRIVATES: If I die in the combat zone…

00:07:27.398 --> 00:07:27.436
SERGEANT: Hike me up and ship me home.

00:07:27.436 --> 00:07:27.474
PRIVATES: Hike me up and ship me home.

00:07:27.474 --> 00:07:33.040
JACK: The Marine Corps boot camp is thirteen weeks long, and it’s brutal. By the time you’re done,

00:07:33.040 --> 00:07:38.600
you’ll be in the best shape of your life. There are no computers in boot camp. Instead,

00:07:38.600 --> 00:07:43.640
you’re trained on how to be a killer. You learn to fight, you learn to use weapons,

00:07:43.640 --> 00:07:49.040
you learn to overcome fear and any obstacle that might be in your way. I say all this

00:07:49.040 --> 00:07:53.600
because it reminds me of a very specific scene in the movie Full Metal Jacket.

00:07:53.600 --> 00:07:54.300
HARTMAN: Toejam!

00:07:54.300 --> 00:07:55.560
TOEJAM: Sir, yes, sir!

00:07:55.560 --> 00:07:57.060
HARTMAN: 0300; infantry.

00:07:57.060 --> 00:08:00.940
JACK: The movie follows marines through boot camp and into the Vietnam war.

00:08:00.940 --> 00:08:02.160
ADAMS: Sir, yes, sir!

00:08:02.160 --> 00:08:04.040
HARTMAN: 0300, infantry.

00:08:04.040 --> 00:08:07.040
JACK: When they’re finished with boot camp, that’s when they’re assigned their occupation.

00:08:07.040 --> 00:08:08.031
ADAMS: Sir, yes, sir!

00:08:08.031 --> 00:08:12.060
HARTMAN: 1800; engineer. You go out and find mines. Cowboy!

00:08:12.060 --> 00:08:13.600
COWBOY: Sir, yes, sir!

00:08:13.600 --> 00:08:16.240
HARTMAN: 0300; infantry. Taylor!

00:08:16.240 --> 00:08:19.145
JACK: Then, one guy stands out; Joker.

00:08:19.145 --> 00:08:19.160
HARTMAN: Joker!

00:08:19.160 --> 00:08:20.920
JOKER: Sir, yes, sir!

00:08:20.920 --> 00:08:25.640
HARTMAN: 4212; basic military journalism. You gotta be shitting me,

00:08:25.640 --> 00:08:30.000
Joker. You think you’re Mickey Spillane? You think you’re some kind of fucking writer?

00:08:30.000 --> 00:08:32.740
JOKER: Sir, I wrote for my high school newspaper, sir.

00:08:32.740 --> 00:08:36.400
HARTMAN: Jesus H. Christ. You’re not a writer. You’re a killer.

00:08:36.400 --> 00:08:40.828
JOKER: A killer; yes, sir!

00:08:40.828 --> 00:08:46.040
OS: [MUSIC] I didn’t think about the fact that the Marine Corps is this elite military and

00:08:46.040 --> 00:08:52.880
they’re trained to do nothing but kill, right? That’s literally all they are. I looked at it

00:08:52.880 --> 00:09:01.720
more as a means to an end, to go get the hands-on experience, right, from the government and really

00:09:01.720 --> 00:09:08.680
get trained up on government capabilities. That’s kinda how I looked at it, then I hit boot camp

00:09:08.680 --> 00:09:17.280
and went oh fuck, what did I do? Got stripped of everything that I was and rebuilt to who I am to

00:09:17.280 --> 00:09:22.520
some degree today, right? But how did I come back and go into that computing side of it? I mean,

00:09:22.520 --> 00:09:29.640
that was my end goal. I set a goal prior to going in and I made agreements with the Marine Corps

00:09:29.640 --> 00:09:36.840
that I would be provided that. Well, of course, now, later on, I’m realizing how lucky I was,

00:09:36.840 --> 00:09:42.320
because there are no guarantees. When you sign a contract with the government, whatever, military

00:09:42.320 --> 00:09:47.200
or any other freaking government service, you’re not guaranteed a damn thing, and particularly

00:09:47.200 --> 00:09:53.880
with the military, right? But how I transitioned back in out of that fighting mentality – I mean,

00:09:53.880 --> 00:09:59.000
I always kept it with me, right, because we were trained to fight first. But what was really cool

00:09:59.000 --> 00:10:04.900
is that we were the ones that were defining how to fight with digital aspects first.

00:10:04.900 --> 00:10:09.960
JACK: So, were you doing mostly offensive or defense, forensics, incident response?

00:10:09.960 --> 00:10:17.000
OS: So, I did both. It just really depended on where I was and what I was doing. When I was

00:10:17.000 --> 00:10:23.200
typically not in a forward-deployed state, then it was defensive. Even in a deployed state, we would

00:10:23.200 --> 00:10:29.440
do defensive forensic stuff, you know, working with our signals intelligence or intelligence

00:10:29.440 --> 00:10:34.920
professionals as well. We would take and consume that. They would bring us physical devices,

00:10:34.920 --> 00:10:40.400
like I said, chip off-type stuff, like where we would actually go desolder chips on a board

00:10:40.400 --> 00:10:45.600
and actually analyze it at that level, but then also offensive kind of stuff.

00:10:45.600 --> 00:10:47.680
JACK: How long did you spend in there?

00:10:47.680 --> 00:10:52.480
OS: I spent five years active duty, long enough to realize that I made

00:10:52.480 --> 00:10:56.480
a really freaking awesome and terrible decision all in one.

00:10:56.480 --> 00:10:58.920
JACK: Why was it awesome and terrible?

00:10:58.920 --> 00:11:01.120
OS: Well, it was awesome because I got to go do some really cool

00:11:01.120 --> 00:11:05.560
shit and learn a lot of really cool shit, and it sucked because – I mean,

00:11:05.560 --> 00:11:09.600
again, go talk to a marine; you hate it while you’re in and you love it while you’re out,

00:11:09.600 --> 00:11:19.140
right? The life of a marine is not – it’s not an easy life, man. It’s not at all.

00:11:19.140 --> 00:11:23.880
JACK: But this experience really did level up his understanding of computers, and specifically

00:11:23.880 --> 00:11:30.280
cyber-security. So, with this experience and know-how, he landed a job at a consulting company.

00:11:30.280 --> 00:11:35.720
OS: They were doing forensics and other cyber-security kinda stuff,

00:11:35.720 --> 00:11:49.360
right? This is early 2010s, just to give perspective of timeframe here.

00:11:49.360 --> 00:11:55.400
I got cherry-picked by an individual to come into this consulting firm.

00:11:55.400 --> 00:12:00.200
JACK: They had him start by doing digital forensics; analyzing an infected computer

00:12:00.200 --> 00:12:05.400
to try to understand more about the malware, looking for clues in a network or system that

00:12:05.400 --> 00:12:11.120
showed signs of intrusion, stuff like that. But they also had him doing some attack-type work too,

00:12:11.120 --> 00:12:15.800
where he would be assigned to try to get into a computer or a website or a network to test

00:12:15.800 --> 00:12:26.480
how secure it was. He did that for a while, but then he got a new assignment. [MUSIC] The

00:12:26.480 --> 00:12:31.440
government of Puerto Rico hired this consulting agency to come do some work.

00:12:31.440 --> 00:12:34.800
HOST: 18 degrees above the Equator at that sweet

00:12:34.800 --> 00:12:39.940
spot where the Atlantic embraces the Caribbean is the island of Puerto Rico.

00:12:39.940 --> 00:12:44.560
OS: In Puerto Rico, they sold the work and they were like okay, cool. We need to staff

00:12:44.560 --> 00:12:51.240
resources. Hey, do you have availability? Cool. Welcome to this project. That’s just

00:12:51.240 --> 00:12:57.360
kinda how it goes. In consulting firms, you get assigned to projects, right? It was sold to me

00:12:57.360 --> 00:13:06.060
as – initially that we were going down there to do IT operas – like, operational improvements.

00:13:06.060 --> 00:13:11.600
JACK: What he was told was that for this project, he and a team would go down, audit the network,

00:13:11.600 --> 00:13:18.160
evaluate it, and see if there were any areas to improve to make the network more secure. Okay,

00:13:18.160 --> 00:13:23.360
so you pack your bags, you head out. How long did you think you were gonna be there?

00:13:23.360 --> 00:13:29.400
OS: That’s a hilarious question. I realistically thought that I was only gonna be there for

00:13:29.400 --> 00:13:36.960
maybe two to three weeks tops. We were gonna come in, evaluate their technical capabilities and

00:13:36.960 --> 00:13:42.760
look at like okay, cool, you got this 1970s IBM mainframe. You might want to update that, right?

00:13:42.760 --> 00:13:48.280
JACK: Little did he know, he would be staying there much longer than a few weeks. He arrives

00:13:48.280 --> 00:13:53.000
in Puerto Rico, and all goes as planned for a while. He sees what’s there and yeah,

00:13:53.000 --> 00:13:57.680
there are areas for them to improve the network to make it easier to maintain, get work done, and be

00:13:57.680 --> 00:14:02.980
more secure. So, he’s writing up all his findings and giving them suggestions on how to improve.

00:14:02.980 --> 00:14:08.320
OS: Then the next thing I know, we’re in the middle of a meeting with the governor

00:14:08.320 --> 00:14:13.560
of Puerto Rico and he’s like, I love the work that you guys have going on and that

00:14:13.560 --> 00:14:22.960
you’ve done for us. I have a problem. He goes, we are losing millions and millions

00:14:22.960 --> 00:14:29.040
of dollars a month through the lottery of Puerto Rico, and we don’t know how.

00:14:29.040 --> 00:14:36.080
JACK: [MUSIC] Now, to begin with, the governor of Puerto Rico is the highest person who has

00:14:36.080 --> 00:14:40.800
executive authority there, so the fact that they got to meet with the governor was pretty

00:14:40.800 --> 00:14:47.680
interesting. But this is a unique challenge, huh? To help figure out how they’re losing millions of

00:14:47.680 --> 00:14:52.880
dollars through their state lottery. Os was intrigued by this problem, but he wasn’t sure

00:14:52.880 --> 00:14:58.680
where to start. He had to learn and get familiar with how the lottery system worked. The lottery

00:14:58.680 --> 00:15:03.640
had weekly drawings. The drawings themselves were physically done live on TV,

00:15:03.640 --> 00:15:08.160
not electronic like how some lotteries are. A bunch of balls go into a drum, and then they

00:15:08.160 --> 00:15:14.240
draw one ball out at a time, showing the camera, and that’s how the winning numbers are announced.

00:15:14.240 --> 00:15:17.760
People would buy lottery tickets at special places that sold them,

00:15:17.760 --> 00:15:22.200
and if your numbers matched the numbers drawn, you win money. You don’t have to match all the balls,

00:15:22.200 --> 00:15:26.240
though. Even a partial match, like if your ticket contained three out of the five numbers,

00:15:26.240 --> 00:15:32.720
you also won. This Puerto Rico lottery is a big deal. It’s been running since 1934 and is run by

00:15:32.720 --> 00:15:38.080
the Department of Treasury. Of course, a lottery is set up to generate revenue for the government,

00:15:38.080 --> 00:15:42.240
since the amount of the payoffs is never more than the amount of money generated

00:15:42.240 --> 00:15:47.040
through ticket sales. But in this case, the payouts were more than the ticket sales;

00:15:47.040 --> 00:15:50.360
a lot more. Millions of dollars were being lost in the lottery.

00:15:50.360 --> 00:15:57.920
OS: We regrouped as a team and said hey, let’s think through this. What are all the possible

00:15:57.920 --> 00:16:03.400
reasons behind it? Maybe systems aren’t just communicating and updating fast enough because

00:16:03.400 --> 00:16:09.400
the network connectivity between Building A and Building B is absolutely horrible.

00:16:09.400 --> 00:16:15.480
Maybe some clerical error in their systems, like their – we’re talking, you know, as we started

00:16:15.480 --> 00:16:23.120
to do our IT analysis, they were still running Windows 95 on some systems in the early 2010s,

00:16:23.120 --> 00:16:29.200
right? It’s like, hm, okay, so maybe you’re just – your processes aren’t that good.

00:16:29.200 --> 00:16:33.360
Maybe they haven’t done a reconciliation of their books in a long time, so hey,

00:16:33.360 --> 00:16:40.460
let’s bring in our forensic accountants and have them go actually look at their numbers.

00:16:40.460 --> 00:16:46.160
JACK: So, their forensic accountant looked through the ledger; how much was paid out and

00:16:46.160 --> 00:16:52.400
how much was bought. Yeah, sure enough, millions of dollars more were paid out than were bought,

00:16:52.400 --> 00:16:56.960
which means the lottery was losing money, which is not supposed to happen. The lottery

00:16:56.960 --> 00:17:01.680
is set up to always generate money, not lose money. But these accountants couldn’t figure

00:17:01.680 --> 00:17:06.200
out why. They did confirm that there were significant losses in the system,

00:17:06.200 --> 00:17:09.560
but from their analysis, it looked like all of the money was just going

00:17:09.560 --> 00:17:15.660
to legitimate winners, [MUSIC] and nothing suspicious at all. This mystery grew deeper.

00:17:15.660 --> 00:17:22.480
OS: We then went and started at the very onset of the process. Like,

00:17:22.480 --> 00:17:29.760
let’s go physically look at where the actual lottery balls are stored and how they’re stored.

00:17:29.760 --> 00:17:34.160
JACK: Now, since this is the governor asking for help, they had all the clearances and

00:17:34.160 --> 00:17:38.640
permission they needed to make a visit where the lottery is conducted. He got to get up

00:17:38.640 --> 00:17:42.380
close and personal with the lottery balls themselves and analyze them.

00:17:42.380 --> 00:17:48.500
OS: Yeah, I got to touch and examine the balls, dude. It was pretty fun.

00:17:48.500 --> 00:17:54.200
JACK: The balls seemed fine. None of them were an odd weight or size that

00:17:54.200 --> 00:17:59.080
would make them more or less likely to be drawn. It didn’t seem like that was the

00:17:59.080 --> 00:18:01.960
problem. So, next, he looked around and asked…

00:18:01.960 --> 00:18:07.480
OS: Who all has access to this? Alright, you got cameras, you got door badge access systems…

00:18:07.480 --> 00:18:12.360
JACK: He was given the names of everyone who had access to the lottery equipment. Controls seemed

00:18:12.360 --> 00:18:17.440
to be properly in place. Only a few people had access to the balls and drawing room.

00:18:17.440 --> 00:18:25.440
OS: Then we start down the process of okay, so, day of or day before, what’s your process? Do

00:18:25.440 --> 00:18:31.480
you have a reconciliation? Yep, all of these balls get moved – these racks of lottery balls

00:18:31.480 --> 00:18:37.600
get moved over and get staged. They get counted again, they get allocated, they get signed off

00:18:37.600 --> 00:18:46.760
on. There’s the huge accountability process pre-day. The same day of the lottery drawing,

00:18:46.760 --> 00:18:52.760
they go through again first thing in the morning. They do a check-in at lunch and then right before

00:18:52.760 --> 00:18:59.900
the actual drawing itself, they do another check and then they roll them out to the public view.

00:18:59.900 --> 00:19:05.000
JACK: So, the public view is really TV. Every week, the drawing is done live,

00:19:05.000 --> 00:19:09.680
broadcast on their local TV channel. This is a big deal in Puerto Rico;

00:19:09.680 --> 00:19:14.560
many tune in while holding their tickets to see if their numbers are drawn.

00:19:14.560 --> 00:19:19.600
OS: We actually had the opportunity to walk out with the balls.

00:19:19.600 --> 00:19:24.240
JACK: He means he was able to shadow and keep his eye on the lottery balls

00:19:24.240 --> 00:19:28.880
at every step of the way between when he examined them and when they were drawn

00:19:28.880 --> 00:19:34.708
on live TV. This way, nothing could be swapped or changed on his watch.

00:19:34.708 --> 00:19:41.440
OS: [MUSIC] So, we walked the balls out to – with the actual employee. There were two employees that

00:19:41.440 --> 00:19:49.120
were assigned to do nothing but manage the lottery balls. That’s it. That was their sole job. Day in,

00:19:49.120 --> 00:19:53.920
day out, they would go in, do accountability, reconcile sheets, and basically count them,

00:19:53.920 --> 00:19:57.680
make sure everything was good to go. The way that they sort them; it’s not like we

00:19:57.680 --> 00:20:02.640
– how we see here in the United States, ours are, where they’re these plastic

00:20:02.640 --> 00:20:08.840
ping-pong balls. These are like little plastic beads – they’re a little bigger than a bead,

00:20:08.840 --> 00:20:14.440
but they have a hole through the middle of them and they’re stored – instead of a plastic

00:20:14.440 --> 00:20:22.760
container with locks on them, they’re stored – they slide the beads down a metal rod and each

00:20:22.760 --> 00:20:28.720
rod held a certain number of lottery balls, and they would lock, each one of those. So,

00:20:28.720 --> 00:20:34.600
it was like this gigantic wooden box with ten rows of these lottery balls in it with

00:20:34.600 --> 00:20:42.960
ten locks on the front of it, right? So, they’re rudimentary but tamper-proof to some degree, but

00:20:42.960 --> 00:20:53.360
they had full accountability day in and day out of them. Even more heightened on the day of drawing,

00:20:53.360 --> 00:21:00.080
they had full accountability of the physical asset that – the lottery balls themselves.

00:21:00.080 --> 00:21:04.640
Once they would actually go through, they would dump them into the hopper, and then it would

00:21:04.640 --> 00:21:11.920
actually do the hopper draw. It would actually roll a ball down. There was a panel of employees

00:21:11.920 --> 00:21:19.680
for the lottery of Puerto Rico that sat up front that that ball, when it came out – they started

00:21:19.680 --> 00:21:25.320
from left to right – the first person on the left would get it, put the ball on the little – on the

00:21:25.320 --> 00:21:30.200
actual tray. They would have the empty trays and they’d slide the ball down the little empty tray,

00:21:30.200 --> 00:21:34.800
document on a piece of paper what the number was, and then they would continue to do that

00:21:34.800 --> 00:21:38.440
for the entire drawing, and it would go all the way down. Then whenever they would fill

00:21:38.440 --> 00:21:43.880
up an actual lottery ball holder, they would lock them up, they would hand them back to the

00:21:43.880 --> 00:21:50.640
individual. They had chain of custody forms and all sorts of craziness. Then it would go – then

00:21:50.640 --> 00:21:59.200
all of those paper sheets would actually go into a review room where there were four analysts that

00:21:59.200 --> 00:22:05.360
would sit in a review room, and they had them – from start to finish, they had them in order.

00:22:05.360 --> 00:22:11.880
So, they would watch a video and pair up how the balls were inside of the actual metallic rack

00:22:11.880 --> 00:22:17.160
and validate that yes, that’s correct; that’s the correct ball, that’s the correct drawing number,

00:22:17.160 --> 00:22:22.320
et cetera, et cetera, et cetera, right? Then what – that would get them put into the computing

00:22:22.320 --> 00:22:27.680
system for the lottery of Puerto Rico, and what would happen then is that would go back into a

00:22:27.680 --> 00:22:37.120
database, and that database would then be shared with the government of Puerto Rico’s printing

00:22:37.120 --> 00:22:45.720
group, and they would go do a print run of all of the winning numbers in the newspaper. Then they

00:22:45.720 --> 00:22:53.080
would also take and actually do – on the news that night – a live notification. It’s published live;

00:22:53.080 --> 00:22:59.280
the Puerto Rican lottery, you can watch it locally and national TV live, but then they do a recap on

00:22:59.280 --> 00:23:05.240
the news like we do here in the United States to some degree. So, the physical security process

00:23:05.240 --> 00:23:12.560
was fully sound. There was nothing that we could find that was amiss. It was like okay,

00:23:12.560 --> 00:23:16.800
they’ve got accountability all the way through when they’re printing the numbers. We even

00:23:16.800 --> 00:23:21.800
validated the numbers, right? We’re like, that’s right in the paper. Yep, it’s right on the news.

00:23:21.800 --> 00:23:26.720
JACK: So, after analyzing the system, they felt like the physical security of the balls

00:23:26.720 --> 00:23:32.240
and drawing process was fair and secure. Their next step was for them to follow the numbers.

00:23:32.240 --> 00:23:37.320
Once the officials recorded the winning numbers, where do they go next? Well, another government

00:23:37.320 --> 00:23:41.240
department handled the next part. See, there was one department in charge of the drawing,

00:23:41.240 --> 00:23:44.880
and then there was another department in charge of the payouts. So, they went to the

00:23:44.880 --> 00:23:49.600
payouts department and they found the systems where the winning numbers were entered. They

00:23:49.600 --> 00:23:54.480
confirmed that the winning numbers did in fact match up with what was actually drawn. Next,

00:23:54.480 --> 00:23:59.640
there is a database that gets updated. The database has a list of every single lottery

00:23:59.640 --> 00:24:04.840
ticket purchased and what numbers that ticket had. The database takes the winning numbers

00:24:04.840 --> 00:24:10.080
and updates all the tickets in the database to indicate if the ticket is a winner and how

00:24:10.080 --> 00:24:15.240
much should be paid out. They go and meet with the team that manages this database.

00:24:15.240 --> 00:24:19.400
OS: The database administrator goes, who are you and why are you here? Who’s

00:24:19.400 --> 00:24:24.720
authorized you to be in here to audit me? I know how to do my job. Leave me alone,

00:24:24.720 --> 00:24:28.160
and really was standoffish. I’m like hm, that’s a little odd.

00:24:28.160 --> 00:24:34.280
JACK: That is a little odd, but when I was the admin of firewalls for a company,

00:24:34.280 --> 00:24:38.560
I was very protective of them, myself. I, too, would ask for credentials of anyone

00:24:38.560 --> 00:24:43.680
asking to see what’s inside, just to make sure. So, maybe this is fine.

00:24:43.680 --> 00:24:50.280
OS: So, at that point, we’re like okay, we gotta look at the database system itself. So,

00:24:50.280 --> 00:24:54.680
it’s a Db2 database and I’m like alright, that’s a pretty sound,

00:24:54.680 --> 00:24:59.560
solid financial database. I mean, companies today still use it; highly transactional,

00:24:59.560 --> 00:25:05.920
makes sense. [00:25:00] Go through, look at the security configurations and settings.

00:25:05.920 --> 00:25:11.560
I didn’t know enough about it, so we hired a professional to come in that was specifically

00:25:11.560 --> 00:25:18.660
a Db2 database administrator. He looks at it and he’s like dude, everything looks sound and solid.

00:25:18.660 --> 00:25:23.800
JACK: The database administrator checked a few things, first seeing who has access,

00:25:23.800 --> 00:25:29.160
and it was everyone who was supposed to have access; just the IT team who was responsible

00:25:29.160 --> 00:25:35.400
for maintaining it. Nobody else. Next, he looked at the logic of how the database gets updated,

00:25:35.400 --> 00:25:40.680
but that was fine. The tickets that should have been winners were updated properly, and

00:25:40.680 --> 00:25:49.040
the tickets that were losers were shown to not pay out anything. So, this database looked fine. Next,

00:25:49.040 --> 00:25:54.080
he went down to where people were buying lottery tickets and getting paid for their winnings.

00:25:54.080 --> 00:25:58.960
OS: We audited that process, where individuals would go

00:25:58.960 --> 00:26:03.120
cash in their lottery tickets. We went and audited several of those stations on the

00:26:03.120 --> 00:26:08.640
island ‘cause they were specific locations. It’s not like you could go to any gas station. They had

00:26:08.640 --> 00:26:14.900
very specific set up locations where you could go cash in your lottery ticket for winnings.

00:26:14.900 --> 00:26:21.080
JACK: This, too, all looked just fine. Nothing strange or unusual here, either. [MUSIC] So,

00:26:21.080 --> 00:26:26.240
he and the team looked again to see how much money was missing from the lottery while they

00:26:26.240 --> 00:26:33.240
had watched the whole thing take place. Something strange happened; the lottery showed no losses for

00:26:33.240 --> 00:26:37.800
the weeks that they were there investigating this and shadowing people and auditing the

00:26:37.800 --> 00:26:46.920
payout stations and analyzing the databases. Huh, that’s odd. But that’s a clue in itself.

00:26:46.920 --> 00:26:54.560
OS: That’s why we kinda saw a slow trickle when we first got to the island and were inside. Really,

00:26:54.560 --> 00:26:58.600
we identified the hard stop was when we went and actually

00:26:58.600 --> 00:27:02.280
had the interview and sat with the database team.

00:27:02.280 --> 00:27:06.280
JACK: That was the same database team that was questioning him for being there,

00:27:06.280 --> 00:27:12.200
so his hunch was that if this stopped happening once he started poking his nose in things,

00:27:12.200 --> 00:27:16.000
then he thinks this might be an insider.

00:27:16.000 --> 00:27:18.600
OS: So, we take this all back to the governor and we’re like man,

00:27:18.600 --> 00:27:22.720
there – the only thing that this is pointing to – you’ve got an insider somewhere, and we don’t

00:27:22.720 --> 00:27:29.040
know what it is. It’s on the digital element. The governor of Puerto Rico looks at me and the team

00:27:29.040 --> 00:27:35.760
and goes, I know you’re here for security elements. Go do whatever you have to do

00:27:35.760 --> 00:27:42.560
to figure this out. You are indemnified of anything – of any digital crime or

00:27:42.560 --> 00:27:47.440
physical crime on the island to figure out how the hell I’m losing this money. I said,

00:27:47.440 --> 00:27:54.840
can I get that in writing? He said, absolutely. So, to this date, I own an indemnification of

00:27:54.840 --> 00:28:02.340
committing any crime on the island of Puerto Rico, which is pretty cool. I’m like, fuck yeah.

00:28:02.340 --> 00:28:07.800
JACK: Now, by this point, he’s been there for over a month trying to figure this out. So,

00:28:07.800 --> 00:28:11.440
while he thought he was only gonna be there a few weeks, he’s now flying into the island

00:28:11.440 --> 00:28:16.840
every week and flying back home on the weekends. But now, he suspects someone inside the lottery

00:28:16.840 --> 00:28:31.040
is doing something sneaky. But who? Stay with us because after the break, he goes four steps ahead.

00:28:31.040 --> 00:28:36.600
Os has examined every aspect of the network and found nothing that would suggest the lottery is

00:28:36.600 --> 00:28:41.440
losing money. He has confirmed that before he got there, it was losing a lot of money,

00:28:41.440 --> 00:28:45.880
but whatever was happening stopped since he’s arrived. This makes him believe that there’s

00:28:45.880 --> 00:28:50.720
an insider somewhere that stopped once they saw he was investigating. But now the governor of

00:28:50.720 --> 00:28:57.160
Puerto Rico, the highest executive position on the island, has granted him full indemnity and

00:28:57.160 --> 00:29:02.788
that he may investigate this however he wants, even if it requires breaking the law to do it.

00:29:02.788 --> 00:29:05.880
OS: [MUSIC] Absolutely. That’s why they gave me indemnity, ‘cause I…

00:29:05.880 --> 00:29:11.360
JACK: You were referring to – can I break into a network?

00:29:11.360 --> 00:29:14.220
OS: Can I break into a building?

00:29:14.220 --> 00:29:17.000
JACK: Like, were you asking the governor that?

00:29:17.000 --> 00:29:21.120
OS: Yeah. I was like, what do you mean by free reign? He’s like, do whatever you need to do.

00:29:21.120 --> 00:29:25.600
I was like, so you’re telling me I could go break into a building and I won’t get arrested if – or,

00:29:25.600 --> 00:29:29.240
if I get arrested, then I’m indemnified and you’ll drop all charges and you’ll bail me out? He’s like

00:29:29.240 --> 00:29:37.200
yeah, and I’ll invite you over to my house to have Chinchon and freaking – some Cuba libres.

00:29:37.200 --> 00:29:40.440
JACK: This is exciting.

00:29:40.440 --> 00:29:46.720
OS: I geeked out. Like, what the fuck? He was totally – like, me being a pen tester, I’m like,

00:29:46.720 --> 00:29:52.380
what the fuck? I just got indemnified by the government of Puerto Rico to do what? Okay.

00:29:52.380 --> 00:29:59.840
JACK: This is so unusual. I don’t even – because he’s pretty much been given permission to hack

00:29:59.840 --> 00:30:05.360
into the [00:30:00] government of Puerto Rico to find this insider, which is like a penetration

00:30:05.360 --> 00:30:10.880
test, right? But typically this is done just to check how secure the network is. In this case,

00:30:10.880 --> 00:30:16.240
he was going to hack into the network to try to catch someone conducting criminal activity

00:30:16.240 --> 00:30:20.760
inside the lottery’s network. So, that’s a totally different objective from a normal

00:30:20.760 --> 00:30:26.480
penetration test. Also, pen testers typically have what’s called a get out of jail free card,

00:30:26.480 --> 00:30:30.160
where the head of security has granted them permission to hack into the network

00:30:30.160 --> 00:30:35.080
or break into the building. But in Os’ situation, he has a literal get out of

00:30:35.080 --> 00:30:39.320
jail free card from the governor which allows him to break laws if he wants.

00:30:39.320 --> 00:30:45.160
If he gets arrested, he could just show it to get out of jail. Now, Os has done a number of

00:30:45.160 --> 00:30:49.200
penetration tests before. He did offensive work while in the Marines, but he’s also conducted

00:30:49.200 --> 00:30:53.680
a number of them as a consultant. So, he’s experienced at this and already has a good

00:30:53.680 --> 00:30:58.480
lay of the land since he’s been there auditing this whole process for the last month. He knows

00:30:58.480 --> 00:31:03.440
how everything is working and who all the people are that make it work. The first thing he does

00:31:03.440 --> 00:31:08.600
is notify the FBI. Now, you might be wondering, why would the FBI be interested in what’s going

00:31:08.600 --> 00:31:14.200
on in the lottery of Puerto Rico? Well, that’s because Puerto Rico is a territory of the US,

00:31:14.200 --> 00:31:19.200
so there’s actually an FBI field office over there, and Os thought this was a criminal case

00:31:19.200 --> 00:31:24.360
worthy of the FBI knowing about, and that he was investigating it and had permission to do so.

00:31:24.360 --> 00:31:28.440
OS: They were like alright, go investigate, get everything that you can. You have carte blanche

00:31:28.440 --> 00:31:33.600
to do whatever you want, right? Like, literally carte blanche. Mind you, up into that point,

00:31:33.600 --> 00:31:38.240
I had been suit and tie every freaking day, right, as a consultant is, usually on your customer’s

00:31:38.240 --> 00:31:46.200
site. I freaking dropped into straight civilian clothes, acting like a tourist. I did some things

00:31:46.200 --> 00:31:53.740
to change my appearance and walked right into the government building and started to look around.

00:31:53.740 --> 00:31:57.960
JACK: He went into this building because he knew this is where the database and main

00:31:57.960 --> 00:32:02.640
network for the lottery payout system actually sat. He figures if he can get into the building,

00:32:02.640 --> 00:32:07.080
he might be able to get into the network covertly. But you might wonder if he has

00:32:07.080 --> 00:32:11.520
full permission from the governor, why not just get official authorization to log into

00:32:11.520 --> 00:32:17.600
the network systems himself? Well, he did that, remember? He found nothing. That might have been

00:32:17.600 --> 00:32:23.000
because it’s very obvious that he was in there looking around for this particular

00:32:23.000 --> 00:32:28.840
thing. If you’re some insider hacking the system and you’re trying not to get caught,

00:32:28.840 --> 00:32:33.880
you’re not gonna be in the network doing bad stuff when you have auditors looking over your shoulder,

00:32:33.880 --> 00:32:40.880
right? So, he wants to go in covertly to see if he can find malicious insider activity when they

00:32:40.880 --> 00:32:46.240
think they aren’t being watched. [MUSIC] So, he heads into this government building with the goal

00:32:46.240 --> 00:32:51.800
of finding a way into the network. But to be successful, he needs to bring some supplies.

00:32:51.800 --> 00:32:56.960
OS: Full-on lock pick set. Like, that was number one. I had two laptops with me. I

00:32:56.960 --> 00:33:01.080
carried them everywhere I went. I had my forensics laptop and my offensive security

00:33:01.080 --> 00:33:06.480
laptop. The standard tools that I also carry is a pocket knife and a flashlight, right?

00:33:06.480 --> 00:33:09.720
JACK: Looking like a tourist, he heads into the government building. Now,

00:33:09.720 --> 00:33:14.160
this is a publicly-accessible building with places that citizens can go and take care

00:33:14.160 --> 00:33:18.360
of things like permits or even cash in lottery tickets there. On top of that,

00:33:18.360 --> 00:33:22.860
he’s been in this building a few times already as he was auditing the whole lottery process.

00:33:22.860 --> 00:33:28.640
OS: There was a door that – where I knew the finance office was. Like, the finance

00:33:28.640 --> 00:33:35.200
office, you’re – say you’re walking down a hallway and you come to a T intersection. To the right,

00:33:35.200 --> 00:33:40.160
there was a sign that said Finance but straight ahead, like ten feet ahead past

00:33:40.160 --> 00:33:45.200
that T intersection on the right-hand side, there was a door. I was like hm, I wonder if that’s

00:33:45.200 --> 00:33:51.600
where they keep physical financial records. Might be a computer in there that’s unlocked, right? So,

00:33:51.600 --> 00:33:57.800
that’s what I was thinking off the top of my head. I look up and there’s no cameras pointed

00:33:57.800 --> 00:34:03.120
at this door. They’re pointed down the main corridor facing towards where the entrance of

00:34:03.120 --> 00:34:08.920
the government of Puerto Rico’s entrance is, and then down the corridor of where the finance office

00:34:08.920 --> 00:34:16.320
main door is, but there’s not one facing – or towards me or facing behind my back at that door,

00:34:16.320 --> 00:34:20.080
because there was an end of a hallway. So, there was nowhere you could go, basically,

00:34:20.080 --> 00:34:27.720
at the end of it. So, I’m like okay, so I just lean up against the freaking wall and

00:34:27.720 --> 00:34:30.980
jiggle the handle. It’s locked, so I pull out my lock pick set.

00:34:30.980 --> 00:34:36.160
JACK: He starts trying to pick the lock which is not a fast or easy thing to do. It takes time and

00:34:36.160 --> 00:34:40.720
patience and lots of trial and error. You might not have the right tool at first and you need to

00:34:40.720 --> 00:34:46.040
try a different one. You don’t know if you need to turn the lock to the right or left to unlock it,

00:34:46.040 --> 00:34:51.160
so it’s kind of like throwing darts in the dark. At the same time, he’s nervous and

00:34:51.160 --> 00:34:55.120
someone could be coming around the corner at any moment and see what he’s doing and

00:34:55.120 --> 00:35:01.068
question him. But after a short while, he gets the lock open [00:35:00] and opens the door.

00:35:01.068 --> 00:35:06.440
OS: [MUSIC] I pop the lock on this door. I was correct; it was the Finance Department. I was

00:35:06.440 --> 00:35:10.800
correct; it’s where all the physical freaking documents were. I was correct that there were

00:35:10.800 --> 00:35:14.720
computers in there. I was incorrect in identifying that there might be people

00:35:14.720 --> 00:35:20.480
fucking sitting in there. So, four people turn the fuck around and look at me and go, what are

00:35:20.480 --> 00:35:25.980
you doing here? How did you open that door? That door’s supposed to be locked. I’m like oh, shit.

00:35:25.980 --> 00:35:29.960
JACK: He just goes right back out into the hallway and closes the door.

00:35:29.960 --> 00:35:33.440
He sees that people were getting up to come see what he was doing.

00:35:33.440 --> 00:35:38.760
OS: I was like oh, here I go, I’m going to fucking Puerto Rican jail. This is gonna suck,

00:35:38.760 --> 00:35:45.920
right? I was freaking the hell out, dude. I didn’t know if I could believe the governor

00:35:45.920 --> 00:35:52.400
of Puerto Rico or not. Is he really gonna bail me out of jail? How long is it gonna take for

00:35:52.400 --> 00:35:59.120
them to realize that I’m in jail, right? Those are thoughts going through my head when that happened.

00:35:59.120 --> 00:36:04.800
JACK: He had to think fast. He did some mental calculus; should he run? Well, that

00:36:04.800 --> 00:36:08.600
would certainly make him look more suspicious and it could get him kicked out of the building for

00:36:08.600 --> 00:36:14.760
good. Instead, he wanted to contain this problem to just this office, so he walks around to the

00:36:14.760 --> 00:36:20.760
front door of this finance office and he tries to think of a story. Because he’s been there before,

00:36:20.760 --> 00:36:26.080
he remembers that the floor above him is where the passport office is, and that’s what he decides to

00:36:26.080 --> 00:36:31.320
use as an excuse. He was going to act like a lost tourist not able to speak Spanish and was

00:36:31.320 --> 00:36:36.720
looking for the passport office. So, he puts on a face and walks into the finance office.

00:36:36.720 --> 00:36:42.280
OS: I’m like hey, I was told to come here because this is the passport office. So,

00:36:42.280 --> 00:36:46.240
the director of finance for the entire government of Puerto Rico was one of the

00:36:46.240 --> 00:36:51.240
guys that was sitting in the back, right? He walks out and he’s like,

00:36:51.240 --> 00:36:56.680
that door was not unlocked. I was like, it was. I just pushed on it. I don’t know. Sorry,

00:36:56.680 --> 00:37:02.520
sir. I’m really…I lost my passport. I’m trying to go to Cuba. Because at the time, you could

00:37:02.520 --> 00:37:07.840
fly from Puerto Rico to Cuba. You couldn’t fly direct from the United States to Cuba,

00:37:07.840 --> 00:37:12.040
but you could fly to Puerto Rico and then fly from Puerto Rico to Cuba as a United States citizen,

00:37:12.040 --> 00:37:16.440
right? This director of finance was giving me the side eye but he’s like yeah, follow me.

00:37:16.440 --> 00:37:23.400
JACK: He gets escorted to the passport office. He was trying to contain his stress on the way,

00:37:23.400 --> 00:37:27.520
and on the walk there, the head of finance was curious about the situation.

00:37:27.520 --> 00:37:33.640
OS: Well, he drops me off at the passport office and I walk in. I’m like hey – so,

00:37:33.640 --> 00:37:38.960
I fill out a bunch of documents and act like I need to get a freaking – my passport,

00:37:38.960 --> 00:37:45.520
basically, freaking renewed because I had lost it or whatever, and waited

00:37:45.520 --> 00:37:48.480
‘til he left. I just kinda sat ‘cause there were quite a few people in there,

00:37:48.480 --> 00:37:52.960
and I just sat and just kinda waited for about half an hour or so, if I recall,

00:37:52.960 --> 00:38:01.580
and then bounced out and continued on down the path. Totally almost got fucking popped.

00:38:01.580 --> 00:38:06.280
JACK: He left the building. That was enough excitement for a day. Who knows

00:38:06.280 --> 00:38:09.560
what would happen if they called security on him or caught him on

00:38:09.560 --> 00:38:14.020
another floor trying to open other doors? He decided to leave and let things cool down.

00:38:14.020 --> 00:38:21.080
OS: Ended up in a – and going back the next day. I had already seen what looked like a

00:38:21.080 --> 00:38:25.680
lunch room area up on the third floor. So, this is – mind you, the government building’s like,

00:38:25.680 --> 00:38:31.840
seven stories tall. I was like, it looks like a little lunch room. I was like,

00:38:31.840 --> 00:38:38.040
I’ll go check that out today. So, I head up to the third floor. Mind you, Finance was on first

00:38:38.040 --> 00:38:44.640
floor. Second floor was the passport office, so – opsec was in terrible aspects of multiple things,

00:38:44.640 --> 00:38:49.640
and I included this in my report to the governor of Puerto Rico. I was like dude,

00:38:49.640 --> 00:38:54.160
you have all these financial records that are sitting – your physical financial records are

00:38:54.160 --> 00:38:57.840
sitting on the first floor. You have hurricanes and flooding continuously

00:38:57.840 --> 00:39:02.480
on this island; you might want to think about moving that to a higher level. Shit like that.

00:39:02.480 --> 00:39:05.400
Those were kinda other recommendations that we were putting out there for him.

00:39:05.400 --> 00:39:10.680
JACK: He gets up to the lunch room area, then walks around the hallways near there. He sees

00:39:10.680 --> 00:39:16.480
another door and tries to guess what’s inside it. He puts his ear up to the door. No noises

00:39:16.480 --> 00:39:22.800
are coming from inside. There are no windows to see in, either. He walks around the halls. No

00:39:22.800 --> 00:39:27.400
signs as to what this office might be, and it’s not connected to any others;

00:39:27.400 --> 00:39:33.800
it’s sort of a secluded office with no signage. Hm. He pulls out his lock picks

00:39:33.800 --> 00:39:39.720
and starts working on the lock. [MUSIC] After a few minutes, he gets it open and looks inside.

00:39:39.720 --> 00:39:45.120
OS: When I opened the door, man, it’s like, freaking inch and a half,

00:39:45.120 --> 00:39:50.080
two inches of fucking dust all over the fucking floor, dude. I look to my

00:39:50.080 --> 00:39:57.480
right and there’s three PCs lined up in a row that have plastic pulled over them. There’s

00:39:57.480 --> 00:40:01.400
no lights on in here, so I’m like okay, cool. [00:40:00] So, I literally pull

00:40:01.400 --> 00:40:07.960
my flashlight out and make my way over the computers, dude. Lo and behold, one’s running.

00:40:07.960 --> 00:40:14.560
JACK: Nice. This is great for him; a room that nobody ever visits. It’s dark, it’s quiet,

00:40:14.560 --> 00:40:20.000
and it has a running computer. This could be gold. If this computer is connected to

00:40:20.000 --> 00:40:26.140
the lottery network, then he can use it to watch and gather data he needs to catch the insider.

00:40:26.140 --> 00:40:33.120
OS: I close the door behind me and I actually set my laptop up against it so if,

00:40:33.120 --> 00:40:37.560
for whatever reason, someone came in, it would knock it over and alert me to – it wasn’t a big

00:40:37.560 --> 00:40:42.920
room. It was probably the size of – I’d say it was probably a fifty foot by fifty foot,

00:40:42.920 --> 00:40:50.120
but it would give me enough time to at least lock down everything that I was doing. I’m like, oh,

00:40:50.120 --> 00:40:54.520
sweet. Let’s go check this out. So, I lift the plastic off the monitor. I’m like, let’s see

00:40:54.520 --> 00:41:01.600
if it even works. Turn the monitor on; presented with a log-in screen for Windows 98 with the admin

00:41:01.600 --> 00:41:12.800
account. I’m like hm, it’s not gonna be this easy, right? Like, admin, admin. Nah, doesn’t work. So,

00:41:12.800 --> 00:41:19.280
I sit there and I’m like, let’s just sit here and think through this and logically – if I were

00:41:19.280 --> 00:41:24.160
the administrator or system administrator for the government of Puerto Rico and was running

00:41:24.160 --> 00:41:31.680
a 1998 system, what would I use as the password for admin to get on the system? So, I run through

00:41:31.680 --> 00:41:38.680
your typical default list of passwords for admin, like admin/admin, admin/administrator, admin/root,

00:41:38.680 --> 00:41:44.880
freaking – et cetera, et cetera. I try this over a period of a couple hours ‘cause I didn’t want to

00:41:44.880 --> 00:41:49.980
potentially trip if they had any alarms, like multiple failed log-in attempts on a system.

00:41:49.980 --> 00:41:54.280
JACK: None of his log-in attempts worked. He couldn’t guess the right password. He found

00:41:54.280 --> 00:41:59.240
some open Ethernet ports and tried plugging into them, but none of them worked. He thought

00:41:59.240 --> 00:42:04.200
about unplugging the one running computer from the network and plugging his laptop into it,

00:42:04.200 --> 00:42:08.760
but he wasn’t sure if this computer was running anything important. He wanted to

00:42:08.760 --> 00:42:13.960
be as quiet as possible. So, he went home for the night to rethink and strategize.

00:42:13.960 --> 00:42:23.000
OS: I’m like, alright; Metasploit, what do you have for 1998 Windows systems?

00:42:23.000 --> 00:42:29.200
There was a boot screen freaking – what is it? The accessibility feature – I can’t

00:42:29.200 --> 00:42:33.600
remember what the actual vulnerability was, but basically ended up being able

00:42:33.600 --> 00:42:38.960
to create an exploit that I could plug in a USB and bypass the log-in screen.

00:42:38.960 --> 00:42:43.720
JACK: Okay, so Metasploit is a really cool toolkit with lots of exploits and

00:42:43.720 --> 00:42:48.560
vulnerabilities that are all prepackaged and ready for you to just hack into things. He

00:42:48.560 --> 00:42:53.200
creates this USB drive with the exploit payload on it, and if the exploit works,

00:42:53.200 --> 00:42:57.200
he should be able to just go back to that computer, plug in the USB drive,

00:42:57.200 --> 00:43:02.000
and get into the system. [MUSIC] So, he goes back the next day, heads up to the same room,

00:43:02.000 --> 00:43:07.920
picks the lock to get it open, puts his laptop against the door as a rudimentary alarm system,

00:43:07.920 --> 00:43:13.360
and pulls out his malicious USB stick, and puts it in the computer running Windows 98.

00:43:13.360 --> 00:43:17.720
OS: Drop it in, get full access. Sweet.

00:43:17.720 --> 00:43:23.600
JACK: He’s now on this computer as an administrator. Amazing. But he quickly

00:43:23.600 --> 00:43:27.280
realizes he’s only administrator for this computer. It doesn’t give

00:43:27.280 --> 00:43:31.840
him access to anything else. He checks the network status. Yes,

00:43:31.840 --> 00:43:37.420
this computer is on the network and yes, he can reach the lottery network from here. Fantastic.

00:43:37.420 --> 00:43:47.280
OS: I’m like, alright, I’ve got this access into this system, I’m local admin. Is there

00:43:47.280 --> 00:43:55.560
any antivirus running on it? It didn’t flag for my exploit to come on, so that’s kinda cool. No

00:43:55.560 --> 00:44:03.800
local antivirus on the system. Connected to the network. So, I’m like alright, so, I have

00:44:03.800 --> 00:44:11.920
a couple options here; I can either unplug and hope that they’re not doing freaking 802.11x, like

00:44:11.920 --> 00:44:21.840
NIC-based security or if they’re doing MAC address filtering security, et cetera, et cetera. I start

00:44:21.840 --> 00:44:27.240
thinking through, like, what are my options here? Do I install tools locally on this system or do I

00:44:27.240 --> 00:44:33.120
unplug the NIC from the system and then jack in with my pen testing laptop? Well, in the meantime,

00:44:33.120 --> 00:44:38.600
I’m like alright, well, I have local admin. Let me go ahead and dump the credential files.

00:44:38.600 --> 00:44:43.560
JACK: When you have users on a computer, their username and password hash is stored somewhere

00:44:43.560 --> 00:44:48.720
on that computer. When you’re administrator, you can see the password hash. Now, the password

00:44:48.720 --> 00:44:53.280
hash isn’t the password; it’s the result of the password when it’s passed through an algorithm,

00:44:53.280 --> 00:44:57.560
and it looks like scrambled letters. So, he grabs this hash file to try to crack

00:44:57.560 --> 00:45:01.880
the passwords on this computer, because [00:45:00] with the USB exploit he used,

00:45:01.880 --> 00:45:06.720
he just bypassed the log-in process. He didn’t actually use a password to get in. So,

00:45:06.720 --> 00:45:09.960
he thinks if he can crack the password on this computer,

00:45:09.960 --> 00:45:14.640
then he can try using this username and password to get into other computers on the network.

00:45:14.640 --> 00:45:20.200
OS: So, I dropped that to my thumb drive, pull that off, throw that into my pen test laptop.

00:45:20.200 --> 00:45:24.880
JACK: He then runs a tool called John the Ripper to try hundreds of thousands of passwords to

00:45:24.880 --> 00:45:30.800
see if they match the hash. The program can try hundreds of passwords per second or more

00:45:30.800 --> 00:45:35.840
depending on how fast the computer is, so he knows this will take a while, and just lets it run.

00:45:35.840 --> 00:45:39.520
OS: So, I’m like you know what? Fuck it. They haven’t been aware that this

00:45:39.520 --> 00:45:43.960
system’s online. They’re not gonna know if it goes offline, so I unplug…

00:45:43.960 --> 00:45:47.320
JACK: He only unplugged the network cable, not the power cable.

00:45:47.320 --> 00:45:51.400
OS: …and actually leave it unplugged overnight just to see what happened,

00:45:51.400 --> 00:45:58.440
right? So, I leave the room, I leave it unplugged overnight, go and build

00:45:58.440 --> 00:46:04.480
another thumb drive that has a bunch of tools on it like Nmap and freaking man-in-the-middle

00:46:04.480 --> 00:46:08.760
tools. But basically, I build my tool suite onto a thumb drive that I can take and actually

00:46:08.760 --> 00:46:13.786
just run off of my thumb drive instead of installing directly onto the system, right?

00:46:13.786 --> 00:46:16.920
JACK: [MUSIC] With all kinds of extra tools, he heads back the next day,

00:46:16.920 --> 00:46:20.720
goes up to the floor, picks the lock, gets back in, sets the laptop against the door,

00:46:20.720 --> 00:46:25.360
and goes back to the computer. He plugs the computer back into the network port and all

00:46:25.360 --> 00:46:30.800
is fine. So, he plugs in the USB drive and starts to run one of these tools he brought.

00:46:30.800 --> 00:46:33.540
OS: So, I actually enumerate the network.

00:46:33.540 --> 00:46:38.320
JACK: This is the typical first thing a pen tester does to get a lay of the land. Enumerating the

00:46:38.320 --> 00:46:43.520
network is basically getting a map of what’s out there. You can ask certain systems what

00:46:43.520 --> 00:46:48.960
other computers do they know about, and they’ll be happy to tell you. Nmap scans are also common

00:46:48.960 --> 00:46:53.540
which can scan a whole range of IP addresses inside the network to see if anything responds.

00:46:53.540 --> 00:46:58.960
OS: I knew the IP address ranges for the IT systems over in the lottery,

00:46:58.960 --> 00:47:03.120
so I was like well, let me see if I can ping those IP addresses and see

00:47:03.120 --> 00:47:06.640
how this network looks. It was like – basically looked flat.

00:47:06.640 --> 00:47:12.000
JACK: I like to think of a flat network like an empty hull of a ship. If it’s just one big,

00:47:12.000 --> 00:47:18.080
open space in the hull and there’s a hole in the hull, the entire hull can fill up with water. So,

00:47:18.080 --> 00:47:23.880
a good idea is to segment your network so that if someone gets into one part of your network, they

00:47:23.880 --> 00:47:29.320
are completely blocked off from getting into other parts. So, what he found is this long-forgotten

00:47:29.320 --> 00:47:34.560
computer not only was connected to the network, but it could reach every part of the network

00:47:34.560 --> 00:47:40.480
since nothing was blocking it. This was fantastic for Os who wanted to find a way into the systems

00:47:40.480 --> 00:47:46.040
he thought were suspect. But now it’s closing in on the end of the third day. He’s thinking

00:47:46.040 --> 00:47:51.320
it’s starting to get risky if he has to come back here every day and pick a lock and sneak in, so

00:47:51.320 --> 00:47:57.000
he sets up a reverse shell to this computer. This allows him to go back to the hotel and from there,

00:47:57.000 --> 00:48:01.600
he can remotely connect into this computer and use it as if he’s sitting right in front of it. So,

00:48:01.600 --> 00:48:06.400
he goes back to the hotel and looks at the scans that he was doing on the lottery’s IP range.

00:48:06.400 --> 00:48:11.080
OS: I find a web server that has port 80 and I’m like alright,

00:48:11.080 --> 00:48:12.820
that’s cool. I wonder if it’s open from the outside.

00:48:12.820 --> 00:48:14.320
JACK: By ‘open to the outside’,

00:48:14.320 --> 00:48:17.560
he means can he get to it from the World Wide Web and not the local network?

00:48:17.560 --> 00:48:26.960
OS: So, I ran a scan on the outside of the network as well. Again, fortunately for us, we had already

00:48:26.960 --> 00:48:33.440
been given the IP addresses for the entirety of not just the lottery, but the government of Puerto

00:48:33.440 --> 00:48:37.680
Rico because as we were talking with them, we’re like look, maybe someone compromised them from

00:48:37.680 --> 00:48:43.120
the outside and you’re getting money siphoned off, right? Maybe that’s a possibility. So,

00:48:43.120 --> 00:48:51.840
we asked and they provided. So, I run a port scan against the outside, find the web server

00:48:51.840 --> 00:48:57.920
that enumerates at the same version of Drupal that I had. I go through the Metasploit table;

00:48:57.920 --> 00:49:04.120
there’s an exploit for remote code execution, exploit for – and it’s running on a Linux system.

00:49:04.120 --> 00:49:08.240
JACK: So, when trying to exploit a system and get unauthorized access to it,

00:49:08.240 --> 00:49:12.400
the more you know about it, the better. A scan might show you what kind of server is running,

00:49:12.400 --> 00:49:16.560
what kind of web framework is on that. In this case, Drupal was the web framework

00:49:16.560 --> 00:49:21.000
and the operating system was Linux. On top of that, you might get versions of what software

00:49:21.000 --> 00:49:25.320
is on that system. If you know what version it’s running, you can go look to see if that

00:49:25.320 --> 00:49:30.880
version has any known vulnerabilities that you can exploit. Os found a vulnerability for that

00:49:30.880 --> 00:49:35.800
version of Drupal and tried to exploit it from the outside, and [MUSIC] bingo,

00:49:35.800 --> 00:49:40.920
it worked. He got in, which is always a rush to hack into a system from the outside.

00:49:40.920 --> 00:49:45.880
OS: I was like, holy fuck yes. Literally, the whole team was sitting around the table and

00:49:45.880 --> 00:49:50.240
I’m sitting there freaking – I’m drinking a Mai Tai at this point. I’m like fuck yes, check this

00:49:50.240 --> 00:49:54.560
out. I’m doing my due diligence with screenshots and all that other shit, right? They were like,

00:49:54.560 --> 00:50:02.000
are you fucking serious? I’m like, yeah. So, I do general commands to show [00:50:00] who am I,

00:50:02.000 --> 00:50:12.400
and it shows root. Then I actually do freaking a dump of basically the file structure and freaking

00:50:12.400 --> 00:50:17.920
show that it’s actually the Puerto Rican web server, right, not just some random-ass server,

00:50:17.920 --> 00:50:23.920
dude. Start pinging internal IP addresses that they had already grabbed forensic images off

00:50:23.920 --> 00:50:32.040
of as well, too. They were like, holy shit. I’m like yeah, from the hotel WiFi, bro. What’s up.

00:50:32.040 --> 00:50:37.360
JACK: Excellent. He’s now in a system inside the lottery’s network,

00:50:37.360 --> 00:50:41.520
and from here he’s able to get into other computers and route traffic to this Linux

00:50:41.520 --> 00:50:46.200
server so he can capture and analyze the traffic in the network. This is the man-in-the-middle

00:50:46.200 --> 00:50:52.000
attack that he was wanting to do. It’s kind of like a wire tap but for network traffic. So,

00:50:52.000 --> 00:50:56.640
once he’s got all this set up, he watches the traffic day in and day out.

00:50:56.640 --> 00:51:02.480
OS: Basically, this is – yeah, we’re about, what, month three and a quarter at this point. So,

00:51:02.480 --> 00:51:07.680
what we did is we actually started laying low once I actually had popped everything and had access,

00:51:07.680 --> 00:51:14.760
and just started monitoring. We were sitting just at the hotel monitoring. I’m chilling,

00:51:14.760 --> 00:51:22.320
hanging out. We know that the drawing goes, we know that the actual input goes

00:51:22.320 --> 00:51:26.920
the night of the drawing, but doesn’t start the payouts ‘til the morning.

00:51:26.920 --> 00:51:38.360
We see a log-in from the individual – one of the database individual systems into the mainframe,

00:51:38.360 --> 00:51:50.320
which was abnormal to see that. Then, at that point we said okay, we need to go basically

00:51:50.320 --> 00:51:56.720
get on this mainframe. So, the governor of Puerto Rico forced the CIO to give us physical

00:51:56.720 --> 00:52:04.360
access into that mainframe. They basically pulled the CIO from his job and placed him

00:52:04.360 --> 00:52:14.760
on temporary leave. We have administrative access on this mainframe, this IBM mainframe

00:52:14.760 --> 00:52:19.980
where the database is running, and we put some monitoring tools on and just started monitoring.

00:52:19.980 --> 00:52:26.080
JACK: They were able to watch the logs of the database; who logs in, what changes do they make,

00:52:26.080 --> 00:52:32.680
what data is being updated. With a database like this, there are tons of changes. So, when someone

00:52:32.680 --> 00:52:36.360
comes to cash in their winning lottery ticket, they take it to a place where they can cash it,

00:52:36.360 --> 00:52:40.320
and the clerk scans the ticket. At that point, the scanner will check the database to see if

00:52:40.320 --> 00:52:44.360
it’s a winning ticket or not. So, already the database has a read operation that would show

00:52:44.360 --> 00:52:48.320
the logs. Then the database tells the clerk this is a winning ticket; you should pay this

00:52:48.320 --> 00:52:53.080
amount. When the clerk pays it, it updates the database to indicate this ticket has been

00:52:53.080 --> 00:52:57.680
paid and it shouldn’t be cashed out again. So, every lottery ticket that gets paid,

00:52:57.680 --> 00:53:01.800
there’s an update to the database, which means there’s a lot of logs that he’s gotta sift

00:53:01.800 --> 00:53:07.840
through to try to find anything unusual. So, he’s watching these transactions happen all day, every

00:53:07.840 --> 00:53:12.880
day. A clerk scans a winning lottery ticket; it’s a winner and should be paid out for a dollar, and

00:53:12.880 --> 00:53:19.280
the clerk pays out the dollar. Nothing odd there. But as he looks closer at these logs and analyzes

00:53:19.280 --> 00:53:27.960
them more, he sees something. [MUSIC] He sees someone change the payout amount for a winning

00:53:27.960 --> 00:53:34.920
lottery ticket. They went into the database and made the payout higher than it actually was.

00:53:34.920 --> 00:53:39.400
OS: The payout was supposed to be a dollar, but it would change to like,

00:53:39.400 --> 00:53:46.520
$10,000. You would see the transaction for $10,000 exit, and then you would see

00:53:46.520 --> 00:53:50.640
the amount that was actually paid out go back to a dollar in the database.

00:53:50.640 --> 00:53:57.320
JACK: This was it. This was the smoking gun. Someone inside the lottery IT team

00:53:57.320 --> 00:54:02.360
was going into the database and changing one number, waiting for the payout to happen,

00:54:02.360 --> 00:54:06.760
and then changing it back. This is why when they audited all the transactions before,

00:54:06.760 --> 00:54:10.920
they didn’t find any sign of this happening, because someone’s going in the database and

00:54:10.920 --> 00:54:16.240
wiping the evidence. It was only from sitting patiently, doing some real-time monitoring of

00:54:16.240 --> 00:54:21.840
logs, collecting network traffic, and watching these tickets get paid out that they caught this.

00:54:21.840 --> 00:54:26.040
OS: At the point that I had actually dropped in and we were monitoring and we see this,

00:54:26.040 --> 00:54:31.200
I immediately have to contact the bureau, the FBI field office in Puerto Rico.

00:54:31.200 --> 00:54:36.080
JACK: The governor wanted whoever was behind this arrested and instructed him to contact

00:54:36.080 --> 00:54:41.520
the FBI. Remember, Puerto Rico is a territory of the US, so there’s an FBI field office on

00:54:41.520 --> 00:54:46.680
the island. But before he could give the FBI all this evidence, he needed to figure out who

00:54:46.680 --> 00:54:51.560
the person was that was making these changes, because the problem was whoever was doing this

00:54:51.560 --> 00:54:58.160
was using the username ‘service’ to make these changes, not his actual username. So, it wasn’t

00:54:58.160 --> 00:55:03.160
clear who was going in and making these changes. [00:55:00] But the thing about this database,

00:55:03.160 --> 00:55:09.640
because it’s a super-secure database, the only way to actually make changes to it is to physically go

00:55:09.640 --> 00:55:15.520
into the data center room where the server was and log into it that way. There was no

00:55:15.520 --> 00:55:21.600
way to connect into this thing remotely. This is great because now he just needs to know who was

00:55:21.600 --> 00:55:27.560
in the room during that time that the change was made, and there’s an easy way to figure that out:

00:55:27.560 --> 00:55:34.428
security camera footage. Os gets access to the video and rewinds it to that moment.

00:55:34.428 --> 00:55:40.080
OS: [MUSIC] We’d see him walk into the server room like, two seconds later, log into the mainframe,

00:55:40.080 --> 00:55:44.200
be there for a few minutes, and then leave. So, we were able to tie hey,

00:55:44.200 --> 00:55:49.800
there was a transaction that occurred between here and here. What was this at this time? So, what

00:55:49.800 --> 00:55:56.920
they started doing is taking snapshots on that database, like literally on the hour, basically,

00:55:56.920 --> 00:56:00.680
and they were able to actual – what we were able to point out is look,

00:56:00.680 --> 00:56:06.360
last night’s synchronization of this, this ticket should have paid out a dollar. It

00:56:06.360 --> 00:56:12.040
changed at this time. Here’s camera feed, here’s network access into the mainframe,

00:56:12.040 --> 00:56:16.520
here’s camera feed access to him walking into the server room where the mainframe is,

00:56:16.520 --> 00:56:23.320
here’s the modification into the payout table, and here’s a modification of the actual payout table

00:56:23.320 --> 00:56:29.040
being done again. Here’s him walking out of that server room, badging in back into the database, or

00:56:29.040 --> 00:56:35.460
the IT room, and here’s video feed footage of that as well. So, we nailed, tied down, all the way up.

00:56:35.460 --> 00:56:39.680
JACK: So, this explains what was happening inside the network at the time,

00:56:39.680 --> 00:56:43.480
but what about what’s happening outside the network at the payout

00:56:43.480 --> 00:56:48.240
stations? This operation must have been coordinated with someone outside.

00:56:48.240 --> 00:56:52.520
OS: Yep, so they would say I will be at this payout station at this time,

00:56:52.520 --> 00:56:57.880
so this guy would go in ten minutes beforehand, change the payout amount. The person will walk

00:56:57.880 --> 00:57:02.400
up with a boleto, take a number. They would actually type in the boleto serial number,

00:57:02.400 --> 00:57:07.760
and it would be for $10,000 versus a dollar. He would see the transaction process and then

00:57:07.760 --> 00:57:15.200
immediately go flip it back to a dollar. So, the individuals on the end, at the payout stations,

00:57:15.200 --> 00:57:20.500
didn’t know. They were like oh, this is a $10,000 winning ticket; sweet. Here’s your $10,000.

00:57:20.500 --> 00:57:26.000
JACK: Os has cracked the case. He’s figured out how the millions of dollars are being stolen from

00:57:26.000 --> 00:57:30.900
the lottery, and he knows exactly who did it with all the evidence showing how it was done.

00:57:30.900 --> 00:57:36.200
OS: We called the bureau. We’re like dude, we’ve got soup to nuts evidence of freaking

00:57:36.200 --> 00:57:41.760
fraud right here. Like full on, we know that this is happening;

00:57:41.760 --> 00:57:52.080
definitive – this individual is fully active and doing this. The bureau’s like cool, wrap up all

00:57:52.080 --> 00:57:59.840
your information. This is kinda freaking fun. When you meet with the bureau to do data drops,

00:57:59.840 --> 00:58:05.640
you think you’d go to a field office and go hand them whatever evidence you had. Well, that’s not

00:58:05.640 --> 00:58:12.160
the case here. Because we were the gringos on the island, because they had freaking taken

00:58:12.160 --> 00:58:22.720
and actually put the CIO on leave, and basically we had interviewed and there was already enough

00:58:22.720 --> 00:58:31.120
noise fluttering around and people were starting to kinda talk. The FBI mentioned to us that hey,

00:58:31.120 --> 00:58:38.360
there’s chatter in the cartels that there’s gringos on the island actively investigating.

00:58:38.360 --> 00:58:45.360
Be heads up. That’s why we went in to wait for a little while post me actually having access. One,

00:58:45.360 --> 00:58:51.120
I needed to collect evidence, and two, we were laying low because the cartel – there

00:58:51.120 --> 00:58:56.280
was chatter from the FBI that the cartel was aware that there was some sort of

00:58:56.280 --> 00:59:05.040
investigation going on. But once we actually – so, this is the fun part, though.

00:59:05.040 --> 00:59:08.680
Again, what I was trying to say is that you would think that it would be a field office

00:59:08.680 --> 00:59:14.880
that you go walk this data into. Well, no. Here, I’m a gringo in freaking Puerto Rico, right? They

00:59:14.880 --> 00:59:21.280
call outsiders gringos, right? So, they – the FBI, instead of having – and this tripped me the fuck

00:59:21.280 --> 00:59:26.120
out because I had worked with them tons in the military, right? It tripped me the fuck out when

00:59:26.120 --> 00:59:32.760
they go yeah, meet us at the mall food court and just bring it all on a thumb drive. [MUSIC] I’m

00:59:32.760 --> 00:59:41.720
like, what the fuck? So, I go to the Puerto Rico mall to meet the bureau to transfer the empirical

00:59:41.720 --> 00:59:47.120
data that we have at this point on at least this database administrator making these manipulations

00:59:47.120 --> 00:59:55.640
and payouts, right? And literally meet these two guys wearing casual clothes. We go order our

00:59:55.640 --> 01:00:00.560
food at the little food stall. We’re walking with the trays [01:00:00] and he’s like, you got that

01:00:00.560 --> 01:00:05.120
thumb drive? Just drop it on my tray while we’re walking. Then I do; he grabs it, puts it in his

01:00:05.120 --> 01:00:12.840
pocket, and we go sit down and eat lunch. Kinda fucking wild, right? It’s like, what the fuck?

01:00:12.840 --> 01:00:17.760
JACK: Supposedly the reason for this is safety and security. There are drug cartels on the

01:00:17.760 --> 01:00:23.240
island and the FBI knows that the cartels are watching the FBI field office very closely and

01:00:23.240 --> 01:00:28.720
knows everyone who comes in and out. Since Os was already being talked about by the cartel,

01:00:28.720 --> 01:00:32.520
they didn’t want to tip off anyone that Os might have found something and was meeting

01:00:32.520 --> 01:00:38.160
with the FBI. So, they made it look like it was just a casual lunch meeting. Surely you wouldn’t

01:00:38.160 --> 01:00:42.560
pass along top-secret evidence to someone in a public place where anyone can hear,

01:00:42.560 --> 01:00:45.300
right? That was exactly why they did it there.

01:00:45.300 --> 01:00:51.680
OS: Whenever I made that dead drop to them, they jumped on and looked at it, right? But I get a

01:00:51.680 --> 01:01:00.440
call like, 7:00 that night; hey, meet us at X location. We want a debrief basically of what’s on

01:01:00.440 --> 01:01:10.560
here and walk us through like I’m talking to you right now on the details of what’s happened. I had

01:01:10.560 --> 01:01:16.640
my significant other actually traveling into town that was supposed to be there at like, 9:00. I

01:01:16.640 --> 01:01:23.920
didn’t get out of my debrief until like, freaking almost midnight, and missed picking my significant

01:01:23.920 --> 01:01:32.400
other up at the airport. They were standing at the airport in the dark with the lights off, and

01:01:32.400 --> 01:01:39.680
I wasn’t able to leave ‘cause I’m doing a debrief to the FBI. I tell them hey, my significant other

01:01:39.680 --> 01:01:49.520
is over at the airport. Would y’all mind going and picking them up? They go, sure. So, they drive by.

01:01:49.520 --> 01:01:54.080
JACK: But the FBI didn’t pick anyone up. They just drove by and said they didn’t see anyone,

01:01:54.080 --> 01:01:57.200
and left. So, by the time the debrief was over,

01:01:57.200 --> 01:02:00.120
Os calls his significant other to see what was going on.

01:02:00.120 --> 01:02:03.760
OS: My significant other was just fucking furious, bro. Like,

01:02:03.760 --> 01:02:09.840
just absolutely beyond pissed off. Here I am; I can’t explain shit to them.

01:02:09.840 --> 01:02:14.720
JACK: The reason why he can’t explain this is because it’s a classified case.

01:02:14.720 --> 01:02:18.760
He can’t explain that he was with the FBI the whole time, because what if the cartels

01:02:18.760 --> 01:02:24.560
are tapping his phone or something, right? So, all Os could do is just make up a story.

01:02:24.560 --> 01:02:27.160
OS: I’m so sorry. I fell asleep.

01:02:27.160 --> 01:02:31.760
JACK: But of course, that wasn’t the case. He just couldn’t explain. At least, not here, not

01:02:31.760 --> 01:02:37.880
now. But he returns back to his hotel and stays on the island a little longer to assist the FBI.

01:02:37.880 --> 01:02:44.360
OS: They basically put us on monitored custody. They were following us everywhere we went.

01:02:44.360 --> 01:02:47.200
JACK: He kept meeting with the FBI to provide more

01:02:47.200 --> 01:02:50.900
evidence and information that he had access to that might help the case.

01:02:50.900 --> 01:02:56.440
OS: The bureau took over most of the investigation. We had some limited

01:02:56.440 --> 01:03:00.640
support to them as more ancillary and informational just to fill in

01:03:00.640 --> 01:03:04.480
gaps that they weren’t able to pick up out of what we had provided and whatnot.

01:03:04.480 --> 01:03:12.080
JACK: The FBI was uncovering evidence that the names Os had provided were linked to a cartel

01:03:12.080 --> 01:03:19.080
on the island, [MUSIC] basically an illegal drug smuggling group. The FBI somehow found a cartel

01:03:19.080 --> 01:03:24.680
member with lottery tickets and confiscated the tickets from him. They call the lottery tickets

01:03:24.680 --> 01:03:30.880
boletos there, and so, the FBI was curious; what if they try to cash in these boletos? So,

01:03:30.880 --> 01:03:37.160
they get someone to go undercover into a payout station and hand them one of these boletos that

01:03:37.160 --> 01:03:43.080
was from a cartel member. The payout clerk looks at the serial number on the ticket,

01:03:43.080 --> 01:03:48.480
and back at the undercover agent, and doesn’t even try to cash the ticket. Instead says…

01:03:48.480 --> 01:03:53.640
OS: Pull around back into the garage and then someone would help them out shortly, which turned

01:03:53.640 --> 01:04:00.480
out to be the individual was told to pop their trunk, don’t look back, and go drive to this

01:04:00.480 --> 01:04:06.920
location. So, they popped their trunk, stuff was put into it, they drove to basically where – not

01:04:06.920 --> 01:04:14.000
where they were told to go and basically wherever they went, I don’t know. They popped the trunk to

01:04:14.000 --> 01:04:20.120
look in there to find that they had like, fifty kilos of cocaine and forty freaking assault

01:04:20.120 --> 01:04:26.800
rifles, man. So, not only were they stealing money from the government of Puerto Rico,

01:04:26.800 --> 01:04:32.100
they were also running guns and drugs through that process.

01:04:32.100 --> 01:04:37.720
JACK: Apparently the people who worked at the payout station itself were also part of this.

01:04:37.720 --> 01:04:43.120
They had a system set up that if someone came with a specific ticket, it meant they were a driver for

01:04:43.120 --> 01:04:48.200
the cartel and here for a pickup. So, when the FBI pulled around back and got the car loaded

01:04:48.200 --> 01:04:53.680
up with cocaine and weapons, this was quite a surprise. They realized they had stumbled

01:04:53.680 --> 01:04:59.585
upon something much bigger than just lottery fraud. But somehow it was all linked together.

01:04:59.585 --> 01:05:04.720
OS: [01:05:00] So, a pretty elaborate scheme from the cartel. So, at that point,

01:05:04.720 --> 01:05:08.720
the bureau literally safety-extradited us off the island. They were like,

01:05:08.720 --> 01:05:14.800
y’all gotta get the hell outta here. Like, y’all – you’ve interrupted a huge cartel

01:05:14.800 --> 01:05:21.280
operation and we’re gonna do the takedown, and y’all need to get the hell off the island.

01:05:21.280 --> 01:05:25.200
JACK: So, of course Os booked it out of there. This is why he didn’t want to have his name

01:05:25.200 --> 01:05:30.400
mentioned in this episode, because his life was in danger for uncovering this cartel operation

01:05:30.400 --> 01:05:35.320
in Puerto Rico, which means that even though he still has indemnity from the governor to commit

01:05:35.320 --> 01:05:41.400
crimes on the island, he’ll likely never go back. The FBI indicted ten people involved in

01:05:41.400 --> 01:05:46.040
this case. An indictment is just a charge against someone basically listing reasons why these people

01:05:46.040 --> 01:05:51.320
should be arrested. The indictment claims that these people took 12 million dollars to a nearby

01:05:51.320 --> 01:05:55.920
island and bought cocaine and brought it back to Puerto Rico. They used boats and airplanes to

01:05:55.920 --> 01:06:00.280
traffic the drugs in, and used BlackBerry phones to communicate with, and they even had spiritual

01:06:00.280 --> 01:06:05.800
rituals before doing a big buy. They intended to distribute and sell this in Puerto Rico for

01:06:05.800 --> 01:06:11.000
financial gains. The indictment also claims that three of the people listed were involved

01:06:11.000 --> 01:06:16.400
with laundering money through the lottery. In total, the FBI believed that these ten people

01:06:16.400 --> 01:06:24.320
illicitly generated 127 million dollars from the sale of drugs and weapons and lottery tickets.

01:06:24.320 --> 01:06:29.400
The feds wanted to try to seize all this money if they found it, as well as planes,

01:06:29.400 --> 01:06:34.480
boats, cars, and property that was part of the operation. As I looked through this case,

01:06:34.480 --> 01:06:39.320
it links back to a case where a few years earlier, twenty other people were arrested,

01:06:39.320 --> 01:06:44.720
including the leader of this cartel. A lot of evidence points to testimony from what those

01:06:44.720 --> 01:06:51.200
people said in their trial. Ten individuals were arrested from this operation that Os uncovered.

01:06:51.200 --> 01:06:56.680
The first few I looked at all pled not guilty at first, and then switched to guilty. Those

01:06:56.680 --> 01:07:02.480
people got five to fifteen years in prison for this. One guy held onto his not guilty plea,

01:07:02.480 --> 01:07:07.240
which meant that this case went to trial, which is cool for me because now I can see a lot more

01:07:07.240 --> 01:07:11.800
details about this case, because the court transcripts are publicly available. It turns

01:07:11.800 --> 01:07:15.880
out they were using these winning lottery tickets to launder money. Here’s how they

01:07:15.880 --> 01:07:20.880
did it; [MUSIC] the court records show that they had someone inside the lottery who would produce

01:07:20.880 --> 01:07:25.840
winning lottery tickets. Then those winning lottery tickets were sold to people in the cartel

01:07:25.840 --> 01:07:31.160
for 20% more than whatever it was worth, so if the winning lottery ticket was worth $10,000, the

01:07:31.160 --> 01:07:36.800
cartel members could buy the ticket for $12,000. The reason for this is because the cartel had a

01:07:36.800 --> 01:07:42.080
lot of illicit cash and they wanted a way to make the cash look legitimate. So, when they’d cash in

01:07:42.080 --> 01:07:46.200
the winning lottery ticket, they would get a check from the Puerto Rico lottery and take the check

01:07:46.200 --> 01:07:50.920
to their bank to deposit it. This would allow them to legally declare their winnings on their

01:07:50.920 --> 01:07:56.560
taxes. This way, they had a nice, clean record of where they got their money from. Sneaky stuff.

01:07:56.560 --> 01:08:01.000
Anyway, this guy who went to trial was found guilty, and the judge sentenced him to life

01:08:01.000 --> 01:08:06.080
in prison not just for this lottery stuff but also for the cocaine and weapon smuggling. So,

01:08:06.080 --> 01:08:11.520
this brings us to the guy inside the IT department at the lottery. He was one of the ten that got

01:08:11.520 --> 01:08:17.960
arrested, and he appears to be a really dangerous guy. He was being charged with all four counts of

01:08:17.960 --> 01:08:23.520
drug running and lottery fraud, but I called up Puerto Rico and I spoke to someone who was

01:08:23.520 --> 01:08:28.880
close to him, and they said he was a good guy and just fell in with the wrong crowd. See,

01:08:28.880 --> 01:08:34.360
besides being an IT guy, he also had a private pilot’s license and liked flying planes,

01:08:34.360 --> 01:08:39.800
and on the weekends he would charter tours in his planes to show people around the island. Well,

01:08:39.800 --> 01:08:45.960
this cartel heard about his planes and hired him to move some drugs from one island to another.

01:08:45.960 --> 01:08:52.280
Eventually, he was being hired to do more and more trips for the cartel. He got out on bail

01:08:52.280 --> 01:08:57.040
while the courts figured out what to do with him. At first he pled not guilty, but then he came

01:08:57.040 --> 01:09:01.880
back into court and changed his plea to guilty. The court said okay, come back in four months

01:09:01.880 --> 01:09:07.280
and we’ll determine your sentence. Well, in that four-month timeframe, he somehow got involved with

01:09:07.280 --> 01:09:13.560
this cartel again and was part of a mission where he had to capture someone and take them somewhere,

01:09:13.560 --> 01:09:22.280
and in that mission, he was shot and killed. The police found $30,000 in his car after that.

01:09:22.280 --> 01:09:28.960
This is a surprise ending for me. The IT guy who was changing the numbers in the database

01:09:28.960 --> 01:09:35.720
was shot and killed in the end? While playing the lottery itself is a gamble, this guy was

01:09:35.720 --> 01:09:54.737
gambling with his life. When the stakes are that high, you might either get rich or die trying.

01:09:54.737 --> 01:09:59.280
(OUTRO): [OUTRO MUSIC] A big thank you to Owl Stalker, Os, for sharing this story with us.

01:09:59.280 --> 01:10:02.840
He’s been sitting on this one [01:10:00] for a while, not telling anyone this whole story,

01:10:02.840 --> 01:10:06.760
and I’m thrilled to be sharing it with you which is the first time this story’s ever been told

01:10:06.760 --> 01:10:11.240
publicly. If you like stories like this, if you think they’re valuable, please consider supporting

01:10:11.240 --> 01:10:16.760
the show. I’m an independent creator and I can focus on this full-time through listener support.

01:10:16.760 --> 01:10:21.400
If you donate to the show, you’ll get bonus episodes and an ad-free version of the show. So,

01:10:21.400 --> 01:10:27.400
please visit patreon.com/darknetdiaries and consider supporting the show. Thank you. This

01:10:27.400 --> 01:10:32.640
show is made by me, El Lince Oscuro, Jack Rhysider. Sound design and original music

01:10:32.640 --> 01:10:38.840
was created by the Lobo Loco Andrew Meriwether. Editing help this episode by the Siempre Lista,

01:10:38.840 --> 01:10:43.800
Damienne, and our theme music is done by the Melodica Breakmaster Cylinder. Hey,

01:10:43.800 --> 01:10:54.480
what do you call two monkeys that share one Amazon account? Prime mates. This is Darknet Diaries.
