WEBVTT

00:00:03.161 --> 00:00:07.920
JACK: [MUSIC] Put on your travel shoes. For this story we’re going south of the border. Actually,

00:00:07.920 --> 00:00:13.520
much more south than you think. Go on past Mexico, past Panama, past the equator, even. Keep on going

00:00:13.520 --> 00:00:18.240
past Brazil and there you’ll find Uruguay. It’s a small country about the size of the state of

00:00:18.240 --> 00:00:24.320
Missouri. In February 2017 one of the top medical providers in the capital city of Montevideo got

00:00:24.320 --> 00:00:31.680
hacked. [MUSIC] This medical provider has a whole network of clinics and healthcare facilities. The

00:00:31.680 --> 00:00:36.080
hacker broke in through the provider’s website, accessed the database and took a ton of patient

00:00:36.080 --> 00:00:40.560
records. A week later the hacker sent a ransom e-mail to the medical providers showing they had

00:00:40.560 --> 00:00:45.280
confidential data and demanded they pay fifteen Bitcoin. If they didn’t get the Bitcoins they

00:00:45.280 --> 00:00:50.320
said they would publicly release the patient details of everyone who had HIV and cancer.

00:00:50.320 --> 00:00:55.600
The note went on to say the price will go up by five Bitcoins every day they don’t pay.

00:00:55.600 --> 00:01:00.240
It’s unclear if the medical provider paid the ransom or not. In some news articles it said they

00:01:00.240 --> 00:01:05.200
did pay but someone close to this case told me the e-mail didn’t even have a Bitcoin address in it.

00:01:05.200 --> 00:01:10.000
Either way the patient records never actually got leaked. The medical provider immediately

00:01:10.000 --> 00:01:15.840
began investigating who this hacker was. [MUSIC] They worked with local police to

00:01:15.840 --> 00:01:20.480
try to track down who was behind the extortion. After seven months they got their break. They

00:01:20.480 --> 00:01:25.440
were able to track down the IP address of who sent the e-mail to an apartment in Montevideo.

00:01:25.440 --> 00:01:31.600
The police raided the apartment and were totally stunned with what they found.

00:01:31.600 --> 00:01:37.200
There were tons of electronic devices everywhere; laptops, cell phones, hard drives, crypto-wallets,

00:01:37.200 --> 00:01:40.960
and thumb drives. The police felt like they hit the jackpot and thought this person probably

00:01:40.960 --> 00:01:45.360
hacked many other places too. They arrested Alberto Hill, the guy that lived there and

00:01:45.360 --> 00:01:50.160
owner of this stuff. They took him to jail and seized loads of equipment from his home.

00:01:50.160 --> 00:01:56.640
Uruguayan police took from Alberto’s apartment the following items; 1,400 US dollars, 8,000 euros,

00:01:56.640 --> 00:02:01.760
150 Brazilian dollars, and 3,000 Uruguayan pesos, six laptop computers,

00:02:01.760 --> 00:02:06.320
five cell phones, a device used to clone credit cards, and 125 blank credit cards,

00:02:06.320 --> 00:02:11.280
and an additional 30 normal credit cards. Thirteen hard drives, a drive duplicator, a few

00:02:11.280 --> 00:02:17.040
routers, a flashlight, a magazine full of CDs, a whole stack of hardware Bitcoin wallets, two fake

00:02:17.040 --> 00:02:23.600
toy coins that say Bitcoin on them, sixteen USB drives, two printers, a Guy Fawkes Anonymous mask,

00:02:23.600 --> 00:02:29.040
and a guillotine. On the laptops they found hacking tools, programs, and viruses. Uruguayan

00:02:29.040 --> 00:02:33.840
police presented all this to Alberto and he made a verbal confession saying he did in fact hack into

00:02:33.840 --> 00:02:40.160
the medical provider and he did send the extortion e-mail. Alberto went to prison for a long time.

00:02:40.160 --> 00:02:45.520
Case closed, right? End of story? ALBERTO: Hold on, hold on. My name is Alberto Hill

00:02:45.520 --> 00:02:49.920
and I have something to say about this. JACK: Alberto says there’s one tiny detail

00:02:49.920 --> 00:02:54.320
that isn’t right about this story. ALBERTO: I tell you Jack, I did not do it.

00:02:54.320 --> 00:03:02.160
I didn’t do it and I am innocent. JACK (INTRO): [INTRO MUSIC]

00:03:02.160 --> 00:03:08.800
These are true stories from the dark side of the internet.

00:03:08.800 --> 00:03:11.920
I’m Jack Rhysider. This

00:03:11.920 --> 00:03:27.760
is Darknet Diaries. [INTRO MUSIC ENDS] JACK:

00:03:27.760 --> 00:03:31.920
Alberto Hill is a 41 year old Uruguayan. He was arrested and sentenced to prison for

00:03:31.920 --> 00:03:36.560
hacking into a medical facility and conducting extortion. He’s actually the first hacker to

00:03:36.560 --> 00:03:41.680
ever serve prison time in Uruguay but he says he didn’t do it. So why did he get arrested?

00:03:41.680 --> 00:03:45.120
ALBERTO: Yeah, very good question. JACK: Alberto has a lot to say about this

00:03:45.120 --> 00:03:49.360
story and I spent a few weeks with him exchanging dozens of e-mails and looking at tons of court

00:03:49.360 --> 00:03:55.200
documentation, news reports, and articles. I even hired a translator to decode some of this stuff.

00:03:55.200 --> 00:03:58.880
I talked with Alberto for hours to fully understand his story.

00:03:58.880 --> 00:04:01.120
It all started three years ago. [MUSIC] Alberto

00:04:01.120 --> 00:04:07.760
was working for the Uruguayan government. ALBERTO: I was in charge of security of a company

00:04:07.760 --> 00:04:10.720
of the government here in Uruguay. JACK: He’d been working for the government

00:04:10.720 --> 00:04:15.920
for four years as a security consultant securing systems, investigating malware, and conducting

00:04:15.920 --> 00:04:20.880
security audits. Before that Alberto was working with Interpol doing digital forensics.

00:04:20.880 --> 00:04:24.720
He has an Associate’s Degree, an Engineering Degree, and a Master’s Degree all related to

00:04:24.720 --> 00:04:29.440
computers. He’s also very knowledgeable about crypto-currencies and has written papers on them,

00:04:29.440 --> 00:04:33.920
even given a few talks. ALBERTO: I was in a conference. I was

00:04:33.920 --> 00:04:43.600
talking about security and Bitcoins. Then I was selected to go to Sao Paulo Brazil for the ICS2

00:04:43.600 --> 00:04:48.720
Conference. I was talking about Bitcoins and security also.

00:04:48.720 --> 00:04:53.200
JACK: He gave a few other talks as well, mostly talking about Bitcoins and crypto-currencies.

00:04:53.200 --> 00:04:56.400
Alberto’s been studying and working in computer-related jobs for the last

00:04:56.400 --> 00:05:00.800
twenty years and most of that time has been focused on security. He is a PMP,

00:05:00.800 --> 00:05:04.560
or Project Management Professional, and this certification is not easy to get.

00:05:04.560 --> 00:05:08.880
He’s even a certified ethical hacker. Yeah, that’s actually a certification which teaches you

00:05:08.880 --> 00:05:13.120
all of the tools that a hacker uses to break into places. When you’re securing companies it’s good

00:05:13.120 --> 00:05:17.600
to know exactly what tools the hackers are using to break into things. Taking the certified ethical

00:05:17.600 --> 00:05:22.960
hacker exam is common in the InfoSec community. I’m actually a certified ethical hacker, too.

00:05:22.960 --> 00:05:27.040
One of the most valuable assets to have if you’re doing security work is to be endlessly

00:05:27.040 --> 00:05:31.520
curious and Alberto is always wondering how secure the websites are that he visits.

00:05:31.520 --> 00:05:35.520
ALBERTO: It’s something that you just can’t control. It’s stronger than you.

00:05:35.520 --> 00:05:42.640
I see a system and I just can’t help start looking at the source code. I start modifying things. It’s

00:05:42.640 --> 00:05:48.000
stronger than me; I cannot – it’s like a drug. I think it’s the mind of a hacker that you have

00:05:48.000 --> 00:05:51.600
the curiosity to be successful. JACK: When he visits a website he can’t

00:05:51.600 --> 00:05:55.520
help himself but to poke at it a little. He’ll check if any strange ports are open

00:05:55.520 --> 00:06:00.080
or glaring security problems. Alberto has found vulnerabilities in sites and reported

00:06:00.080 --> 00:06:06.720
them so they can fix it. It’s just something he does sometimes. On Saturday morning in 2015

00:06:06.720 --> 00:06:12.320
he stumbled upon something interesting. ALBERTO: I was in bed with a computer and my

00:06:12.320 --> 00:06:17.840
girlfriend told me that she wanted access to the medical institute and she wanted to see

00:06:17.840 --> 00:06:21.600
something about her health records. JACK: He was helping her use this medical

00:06:21.600 --> 00:06:25.600
provider website to check her health information. While using it he decided to

00:06:25.600 --> 00:06:30.080
poke at it a little bit and check if there were any obvious vulnerabilities. Now to be honest,

00:06:30.080 --> 00:06:34.880
I’ve poked at my medical provider’s website before and I’ve found vulnerabilities and reported them.

00:06:34.880 --> 00:06:39.920
This isn’t that crazy of an idea but Alberto found a massive vulnerability with this medical

00:06:39.920 --> 00:06:45.520
provider’s website. Just for fun he tried to log in as the username admin with the password admin

00:06:45.520 --> 00:06:52.240
and it worked. [MUSIC] He was logged in as the administrator to the medical facility.

00:06:52.240 --> 00:06:58.000
ALBERTO: This couldn’t be so easy. I mean, admin/admin, and I had access to all the systems

00:06:58.000 --> 00:07:04.720
that which – not only about medical information but it was about all the medical information,

00:07:04.720 --> 00:07:12.320
the medication, the finances of the company. That was crazy. With admin/admin you could access to

00:07:12.320 --> 00:07:18.240
all of that, you could create more users. You could see the information about every user,

00:07:18.240 --> 00:07:22.640
not only their medical information but also personal information. That was crazy.

00:07:22.640 --> 00:07:28.800
JACK: Alberto couldn’t believe what he was seeing. I looked this up and since 1970 computer companies

00:07:28.800 --> 00:07:34.640
have been using admin/admin as the default login. That’s over 45 years that we’ve known not to use

00:07:34.640 --> 00:07:40.640
this username/password combo yet it still exists on systems today. Alberto found it on a medical

00:07:40.640 --> 00:07:45.360
provider’s system. In terms of severity of this vulnerability for the medical provider,

00:07:45.360 --> 00:07:52.000
this is a solid ten out of ten. Critical, red alert; stop everything and fix it immediately.

00:07:52.000 --> 00:07:56.800
That’s probably the most well-known vulnerability. It’s easy to execute. You can use it to exploit

00:07:56.800 --> 00:08:02.400
from anywhere in the world and has the capability to do major damage to the company. In fact of all

00:08:02.400 --> 00:08:07.840
vulnerabilities this one might be the most severe one in existence. Alberto knew he had to act

00:08:07.840 --> 00:08:11.360
quickly and do something about this. ALBERTO: I immediately sent an

00:08:11.360 --> 00:08:15.680
e-mail to the CERT of Uruguay. JACK: CERT, which stands for Computer Emergency

00:08:15.680 --> 00:08:19.760
Readiness Team is a government-run team that helps protect the government from cyber-attacks.

00:08:19.760 --> 00:08:23.760
ALBERTO: But not also to the government, also to critical systems

00:08:23.760 --> 00:08:28.320
such as the medical institutions. JACK: Right, the goal of CERT is not just

00:08:28.320 --> 00:08:32.480
to protect governments but also to protect the nation from cyber-security threats. There are

00:08:32.480 --> 00:08:37.040
CERTs run by governments all over the world. So if you find a vulnerability in an important company

00:08:37.040 --> 00:08:41.280
the right course of action is to report it to the CERT who can then contact that company and

00:08:41.280 --> 00:08:46.160
sort it out. That’s just what Alberto did. He sent an e-mail to the Uruguayan CERT, telling

00:08:46.160 --> 00:08:50.880
them exactly what vulnerability he found including his own IP address so they know which connection

00:08:50.880 --> 00:08:54.960
was his that logged into the system. ALBERTO: In two hours they replied to me

00:08:54.960 --> 00:08:58.400
and they say okay, it is confirmed. They admitted the problem

00:08:58.400 --> 00:09:02.560
is right. There is a big problem there. JACK: Alberto felt relieved that the CERT was

00:09:02.560 --> 00:09:06.880
now working towards contacting the medical provider and resolving the issue but he had a

00:09:06.880 --> 00:09:10.960
hunch the site had many more problems. ALBERTO: I noticed that the system was

00:09:10.960 --> 00:09:17.680
very weak and I was sure that it had many other security issues. I don’t know. I

00:09:17.680 --> 00:09:22.880
knew that it was easy to hack that system but I didn’t do anything else.

00:09:22.880 --> 00:09:27.680
JACK: After that Alberto forgot about this. Once he reported it, it was no longer in his hands and

00:09:27.680 --> 00:09:36.560
he went on with his life. [MUSIC] Two years pass. In February 2017 someone hacked into the same

00:09:36.560 --> 00:09:42.640
medical facility and took the patient records. It’s unclear exactly what vulnerability was used.

00:09:42.640 --> 00:09:47.040
The hacker sent an e-mail to the medical provider demanding fifteen Bitcoins or they’d release the

00:09:47.040 --> 00:09:52.080
patient data they collected. The medical facility began an investigation. They contacted the police

00:09:52.080 --> 00:09:57.840
who called this case Operation Bitcoins. ALBERTO: It took them seven months in order to

00:09:57.840 --> 00:10:06.000
do something and what they did led them to issuing two search warrants to two people; one was me.

00:10:06.000 --> 00:10:09.520
One was me in my house and the other was a person I do not know.

00:10:09.520 --> 00:10:13.280
JACK: The police came to his house, knocked on his door, but he wasn’t home so they

00:10:13.280 --> 00:10:16.400
left a note saying to come to the police station so they could talk to him.

00:10:16.400 --> 00:10:21.680
ALBERTO: I was wondering why. I had no idea. I went to the police with my girlfriend,

00:10:21.680 --> 00:10:27.440
a friend, and his girlfriend. The Interpol appeared. They told me

00:10:27.440 --> 00:10:31.760
do you know why you’re here? I say no. JACK: Alberto’s head was racing with what this

00:10:31.760 --> 00:10:36.160
was all about. Still he had no idea why the police wanted to talk to him. He was thinking

00:10:36.160 --> 00:10:40.080
maybe it was because of a recent order of some computer parts that he got directly

00:10:40.080 --> 00:10:44.080
from China. But then the police asked him if he knows about the medical provider he

00:10:44.080 --> 00:10:50.400
reported the issues about two years ago. ALBERTO: I said huh, okay. I felt such a relief

00:10:50.400 --> 00:10:55.600
because I felt nothing to care about that. I was, I mean, okay, they want to ask me questions about

00:10:55.600 --> 00:11:00.640
how I got access to that. I was so relieved when they told me it was about this.

00:11:00.640 --> 00:11:04.640
JACK: Alberto told them everything about how he was able to use admin/admin to access the

00:11:04.640 --> 00:11:08.880
medical provider’s website and to see all kinds of information that he shouldn’t be allowed to see.

00:11:08.880 --> 00:11:13.280
He told them exactly step-by-step how he was able to find the vulnerability and got access.

00:11:13.280 --> 00:11:23.920
ALBERTO: At one point they showed me a paper with the e-mail asking for the – the extortion e-mail

00:11:23.920 --> 00:11:34.080
and they asked me okay, you sent this? I said no, I did not. They asked me several times until

00:11:34.080 --> 00:11:40.720
they told me well, I have here a paper from the internet company saying that your IP

00:11:40.720 --> 00:11:48.080
– that this e-mail was sent from your IP. I said it’s impossible. I didn’t tell him that

00:11:48.080 --> 00:11:53.280
you’re lying, but it was not possible. JACK: The police just heard Alberto explain how

00:11:53.280 --> 00:11:57.840
years ago he was able to hack into the website so this caused a lot of suspicion.

00:11:57.840 --> 00:12:03.200
To be safe the police held Alberto in jail that night. His girlfriend came to visit him.

00:12:03.200 --> 00:12:13.440
ALBERTO: She brought me food to eat and some medication for my asthma because I was frozen.

00:12:13.440 --> 00:12:20.880
It was a very bad situation for me but I was feeling that it was going to be – everything clear

00:12:20.880 --> 00:12:28.080
and they were going to have the evidence that I didn’t do anything. The morning after that,

00:12:28.080 --> 00:12:34.640
my girlfriend took me coffee and something to eat. She didn’t know anything. She

00:12:34.640 --> 00:12:40.720
didn’t know anything, what’s going on. JACK: The police took Alberto out of the cell but

00:12:40.720 --> 00:12:45.360
instead of letting him go they put him in the back of a police car and took him to his own apartment.

00:12:45.360 --> 00:12:50.240
The police put on latex gloves and began going through his things, and Alberto had a lot of

00:12:50.240 --> 00:12:55.120
things; electronics and computers everywhere. Here’s one of the police officers explaining what

00:12:55.120 --> 00:13:00.720
they found in this search. [FOREIGN LANGUAGE] When we started to search in his laboratory we found

00:13:00.720 --> 00:13:05.360
stickers, key chains, and books about Bitcoin. He told us that he was in Argentina on the 7th

00:13:05.360 --> 00:13:09.440
of August buying and selling Bitcoin therefore we were not wrong in what we were doing. There was

00:13:09.440 --> 00:13:14.000
also a lot of information about credit cards and machines that could clone chips and cards.

00:13:14.000 --> 00:13:18.400
We found several electronic cards and chip cloners which he bought directly from China.

00:13:18.400 --> 00:13:22.960
Then he had a lot of hard drives, computers, four or five monitors, and surveillance cameras with

00:13:22.960 --> 00:13:28.880
remote access to them. This does seem like a lot of equipment for one guy to have in his apartment

00:13:28.880 --> 00:13:33.120
and the police kept finding what looked like hacker paraphernalia and asked Alberto why he

00:13:33.120 --> 00:13:37.440
had it. First they asked why he had so many hard drives and he said he had about fifty of

00:13:37.440 --> 00:13:41.600
them and he was buying them broken, dirt cheap from eBay and he was doing research to try to

00:13:41.600 --> 00:13:46.080
see what kind of data he could scrape off of a broken hard drive. Alberto was writing a research

00:13:46.080 --> 00:13:50.000
paper about what data is left on hard drives when you sell them on eBay. Then there were

00:13:50.000 --> 00:13:54.560
seven laptops. Alberto’s not a guy who throws out old computers that are no good. Instead he

00:13:54.560 --> 00:13:57.520
keeps them around in case he needs them. He likes to experiment with different

00:13:57.520 --> 00:14:02.160
operating systems and applications and having multiple computers to do this is handy. Then he

00:14:02.160 --> 00:14:06.320
had about ten cell phones but he simply goes on to say these are all phones that he’s used over

00:14:06.320 --> 00:14:10.480
the years and he just didn’t throw any of them out. They just piled up in drawers over time.

00:14:10.480 --> 00:14:13.600
[RUMMAGING] You know what, now that I think about it,

00:14:13.600 --> 00:14:18.160
in my drawer here I’ve got three, four, five, six cell phones myself that’s just kind of piled

00:14:18.160 --> 00:14:21.520
up over the years so I guess I do the same thing, too. [MUSIC] He also had a bunch of

00:14:21.520 --> 00:14:26.320
thumb drives. Some of these were storage drives but many were hacking devices; rubber duckies,

00:14:26.320 --> 00:14:30.240
Bash Bunnies, to name a few. While Alberto says yes, these are tools a

00:14:30.240 --> 00:14:34.480
hacker would use you have to know what tools a hacker would use in order to protect yourself.

00:14:34.480 --> 00:14:39.120
But he just had them around for learning purposes. He had a bunch of Ledger wallets.

00:14:39.120 --> 00:14:44.240
These look like USB sticks but they’re actually hardware Bitcoin wallets. These are really handy

00:14:44.240 --> 00:14:48.560
if you want to store your Bitcoins offline like for instance in a safe, but it is kind of strange

00:14:48.560 --> 00:14:52.800
to have a whole stack of them, though. ALBERTO: There was a company in France and

00:14:52.800 --> 00:14:57.600
I was the person that was the reseller of them here in this part of the world.

00:14:57.600 --> 00:15:02.240
I’ve got a box full of Ledger wallets. JACK: You know, I have one of these Ledger wallets

00:15:02.240 --> 00:15:06.960
myself and in fact up until this point, all the stuff he has I have about the same stuff in my

00:15:06.960 --> 00:15:12.400
lab. It’s not uncommon to see a security engineer with a lab full of equipment but Alberto had some

00:15:12.400 --> 00:15:17.600
stranger stuff that the police kept asking him about. For instance he had a credit card cloner

00:15:17.600 --> 00:15:22.560
and a bunch of blank credit cards. [MUSIC] The first thing the police thought was that he was

00:15:22.560 --> 00:15:27.920
buying stolen credit card numbers online and then printing his own credit cards but when the police

00:15:27.920 --> 00:15:34.960
asked him why he had this he told them… ALBERTO: I was making a test of security with the

00:15:34.960 --> 00:15:38.320
credit cards, especially with the chip. JACK: He goes on to explain that he’s using the

00:15:38.320 --> 00:15:42.800
machine to conduct research on the chip and pin features of the cards. He explains that

00:15:42.800 --> 00:15:47.840
that card writer was never used and every one of the cards were blank. He says the cloner itself

00:15:47.840 --> 00:15:52.480
is easy to get and legal but it’s the software on the cloner that’s the hard part to obtain.

00:15:52.480 --> 00:15:56.880
Even hotels have cloners to make room keys with but then there are thirty actual

00:15:56.880 --> 00:16:02.160
credit cards with his name on them. ALBERTO: Actually, many of them are expired.

00:16:02.160 --> 00:16:11.280
I have had them since 1995 so I was – I never got rid of credit cards. I was

00:16:11.280 --> 00:16:15.760
always storing them after they expired so I was collecting them.

00:16:15.760 --> 00:16:19.680
JACK: Besides credit cards there was a lot of cash found in his apartment. Specifically the

00:16:19.680 --> 00:16:26.960
police found 1,400 US dollars, 8,000 euros, 150 Brazilian dollars, and 3,000 Uruguayan pesos.

00:16:26.960 --> 00:16:31.920
Now think about how much cash you have stashed away at home and compare it to the roughly $13,000

00:16:31.920 --> 00:16:36.880
the police found at Alberto’s. Would you say this is a suspiciously large amount of money to keep

00:16:36.880 --> 00:16:42.080
at home? Well, the police did. The Uruguayan money makes sense because that’s where he lives and even

00:16:42.080 --> 00:16:45.760
the Brazilian money makes sense because it’s the neighboring country and he was just there

00:16:45.760 --> 00:16:51.280
to give a talk. But the police wanted to know why he had so many US dollars and euros.

00:16:51.280 --> 00:16:55.600
ALBERTO: Why did I have that? Because of transaction with Bitcoins. While

00:16:55.600 --> 00:17:04.800
the euros were because of a transaction that I made selling a couple of Bitcoins to tourists

00:17:04.800 --> 00:17:15.600
here in Uruguay, the Bitcoin was, I don’t know, for probably 4,000 euros each.

00:17:15.600 --> 00:17:23.760
It was a couple of Bitcoins so I got 8,000 euros from that. The US dollars, I think they say

00:17:23.760 --> 00:17:28.720
less than $2,000. That was also from operations from Bitcoins.

00:17:28.720 --> 00:17:31.840
JACK: According to the police report, they said they found a guillotine.

00:17:31.840 --> 00:17:39.360
ALBERTO: Oh, that’s very funny, Jack. My mother really laughed a lot when you sent me an

00:17:39.360 --> 00:17:45.680
e-mail asking me that question because I don’t have a device to cut heads in my house.

00:17:45.680 --> 00:17:53.200
I have many things but not that. A guillotine is a device to cut paper in a perfect way,

00:17:53.200 --> 00:17:56.960
in a flawless way, just cut paper. JACK: In fact, the maker of the paper-cutting

00:17:56.960 --> 00:18:00.080
device actually does call it a guillotine, too. Lastly, he also

00:18:00.080 --> 00:18:05.680
had an Anonymous mask hanging on the wall. ALBERTO: Yeah, well, the mask, why did I buy that

00:18:05.680 --> 00:18:11.680
mask? Well, I just wanted to buy it because I like to collect all those kinds of things related to

00:18:11.680 --> 00:18:17.440
hacking. I have many t-shirts also related to security and to hacking, to Anonymous,

00:18:17.440 --> 00:18:25.520
and I have it in my house. Of course, when they saw that it was the final evidence

00:18:25.520 --> 00:18:29.600
that I was a super criminal, of course. JACK: Alberto tried desperately to explain the

00:18:29.600 --> 00:18:33.680
reason why he had all these things to the police but the evidence was just too much.

00:18:33.680 --> 00:18:37.120
The police were blown away by the amount of hacker paraphernalia found.

00:18:37.120 --> 00:18:41.360
They thought if he talked like a duck and looked like a duck, then he probably is a duck.

00:18:41.360 --> 00:18:44.960
They had certainly thought they had captured a cyber-terrorist. Who else would have all

00:18:44.960 --> 00:18:50.400
these computer parts? The police seize all his stuff including the guillotine and mask.

00:18:50.400 --> 00:18:54.560
No matter how much Alberto explained the police simply didn’t listen and grew more excited

00:18:54.560 --> 00:18:58.720
with each new device they found. The police were making a big mess in his apartment,

00:18:58.720 --> 00:19:02.560
taking things apart and leaving stuff all over the floor. Alberto grew more desperate,

00:19:02.560 --> 00:19:07.280
trying to explain the reasons why he owned each and every thing in his apartment. This continued

00:19:07.280 --> 00:19:14.320
all morning long for hours. Then around 1:00 p.m. a new police officer showed up. He had a

00:19:14.320 --> 00:19:18.800
quick chat with the police in his apartment and then pulled Alberto aside for a talk.

00:19:18.800 --> 00:19:23.360
Alberto could tell he had more authority and was more serious than the other policemen.

00:19:23.360 --> 00:19:32.080
ALBERTO: He started to tell me that okay, I had to confess about the e-mail otherwise they would

00:19:32.080 --> 00:19:38.800
go and do the same thing we’re doing in my house with my girlfriend and with my mother.

00:19:38.800 --> 00:19:45.280
He kept on insisting on that and I was thinking to myself okay, if I admit that

00:19:45.280 --> 00:19:54.720
I know I am certain that they do not have any evidence or IP that links me to that e-mail.

00:19:54.720 --> 00:20:01.520
Of that, I’m sure. If I say okay, I sent the e-mail, later I said that I would be able to

00:20:01.520 --> 00:20:08.480
prove that no, that there is no link between that mail and me. I will

00:20:08.480 --> 00:20:16.400
avoid all the pressure, all the psychological pressure that they’re putting on me so

00:20:16.400 --> 00:20:22.720
I decided to say okay, I sent the e-mail. JACK: [MUSIC]

00:20:22.720 --> 00:20:27.440
When the police threatened to raid his mother’s house he confessed to writing the ransom e-mail

00:20:27.440 --> 00:20:30.960
because he knew he could prove he was innocent in court and he wanted to save

00:20:30.960 --> 00:20:34.240
the grief of his mother and girlfriend being questioned and searched.

00:20:34.240 --> 00:20:40.960
ALBERTO: A few minutes after I admit that, I was surprised that my girlfriend appeared. They

00:20:40.960 --> 00:20:44.080
had taken her to my house. JACK: She was surprised to see Alberto

00:20:44.080 --> 00:20:47.360
handcuffed and being treated poorly. It was embarrassing to Alberto.

00:20:47.360 --> 00:20:52.640
ALBERTO: At that point she was arrested. JACK: The police took Alberto and his girlfriend

00:20:52.640 --> 00:20:56.560
to jail as well as many boxes of electronics. Alberto was able to

00:20:56.560 --> 00:21:00.560
go directly to court that day. ALBERTO: It was a forsaken, long period

00:21:00.560 --> 00:21:07.600
of time where they were asking me questions that were irrelevant because of the lack of knowledge

00:21:07.600 --> 00:21:16.560
about computers that the judge and the prosecutor have. They were asking me irrelevant questions.

00:21:16.560 --> 00:21:21.760
They didn’t know what to ask me. Well, it was very frustrating for me because I wanted to tell the

00:21:21.760 --> 00:21:27.040
truth but I was unable to explain myself in order for them to understand because they didn’t have

00:21:27.040 --> 00:21:34.000
the knowledge to understand the situation. They hardly know what an IP address was so

00:21:34.000 --> 00:21:38.160
that’s for you to have an idea of how frustrating it was, the whole situation.

00:21:38.160 --> 00:21:43.920
JACK: [MUSIC] That court day was over. Alberto was taken back to his jail cell and while walking

00:21:43.920 --> 00:21:48.640
there he saw the boxes of stuff they took from his apartment and noticed something. One of the

00:21:48.640 --> 00:21:53.760
items he had in his apartment was a thing called a USB Killer. This is a device that looks like

00:21:53.760 --> 00:21:59.520
a regular USB drive but it’s got a very dangerous side to it. When you plug it in it charges a large

00:21:59.520 --> 00:22:05.200
capacitor up and then discharges it quickly, zapping the port with a huge power surge.

00:22:05.200 --> 00:22:08.880
This causes a massive electronic shock and usually kills whatever you plug

00:22:08.880 --> 00:22:13.840
into it such as a laptop. It’s designed to test the surge capabilities of USB ports

00:22:13.840 --> 00:22:18.880
but usually it just destroys whatever you plug it into. Alberto saw they had taken this and was

00:22:18.880 --> 00:22:23.120
trying to tell them not to plug it in. ALBERTO: I told them please, to be careful

00:22:23.120 --> 00:22:31.680
with that because it could destroy any device that has a USB port. He said okay, okay.

00:22:31.680 --> 00:22:34.160
JACK: They took him back to his cell for the night.

00:22:34.160 --> 00:22:39.520
ALBERTO: My girlfriend also was arrested and she spent the night there in the Interpol

00:22:39.520 --> 00:22:46.160
building. The interrogation for her was not nice. They told her, for example,

00:22:46.160 --> 00:22:55.120
that I had admitted everything and that I told that she was the mind behind everything,

00:22:55.120 --> 00:23:00.960
things like that they told her. They were playing with her mind. It was stupid.

00:23:00.960 --> 00:23:05.120
She knew nothing. JACK: This took a major psychological toll

00:23:05.120 --> 00:23:09.920
on his girlfriend. Her whole life was now flipped upside down. She couldn’t imagine how this could

00:23:09.920 --> 00:23:14.640
have happened to her. She was really taking this terribly and couldn’t sleep at all while in jail,

00:23:14.640 --> 00:23:19.840
worrying that she might not ever get out. Alberto was very worried also, realizing that all this

00:23:19.840 --> 00:23:24.640
looks very bad to the courts and admitting to the e-mail made everything worse. His anxiety

00:23:24.640 --> 00:23:28.160
was becoming very high and he was worried about what happened to his girlfriend.

00:23:28.160 --> 00:23:35.760
ALBERTO: At that point you are in a cell that is very small. All you can do is think and that’s

00:23:35.760 --> 00:23:46.160
what I did. I thought. JACK:

00:23:46.160 --> 00:23:49.760
Alberto spent the night in the freezing jail with very little sleep.

00:23:49.760 --> 00:23:53.520
When he woke up he was taken back into the court room to testify.

00:23:53.520 --> 00:23:58.320
ALBERTO: At that point my mother was aware of everything and she got me a lawyer.

00:23:58.320 --> 00:24:04.800
During the interrogation the prosecutor asked me huh, in this pen drive you have twelve viruses.

00:24:04.800 --> 00:24:10.480
How do you explain that? I was like oh my god, what? No, I don’t want to do that. I don’t

00:24:10.480 --> 00:24:13.920
want to explain that, waste my time. JACK: It’s common for information security

00:24:13.920 --> 00:24:18.320
professionals to play around with viruses. They’ll load them up on a thumb drive and see if they can

00:24:18.320 --> 00:24:23.040
infect the lab device but the prosecutor had such little knowledge of computers that Alberto

00:24:23.040 --> 00:24:27.120
didn’t think he would understand. ALBERTO: I just said okay, I’m sorry,

00:24:27.120 --> 00:24:34.560
yeah, I have viruses. Well, I don’t know. The prosecutor got the file and said you have a

00:24:34.560 --> 00:24:41.600
USB Kill. What’s a device that has a name of Kill? I thought to myself why the hell did I

00:24:41.600 --> 00:24:47.680
tell about the USB Kill device? Oh my god. JACK: Things did not go well for Alberto during

00:24:47.680 --> 00:24:53.440
court. Piles of evidence showed he was a very capable hacker and knew a great deal about Bitcoin

00:24:53.440 --> 00:24:58.160
and admitted to hacking into the medical provider and admitted to sending the e-mail.

00:24:58.160 --> 00:25:01.760
He only admitted to the e-mail because he wanted to save the grief of his girlfriend

00:25:01.760 --> 00:25:09.440
and mother getting harassed by the police. ALBERTO: At the end of the day my lawyer called

00:25:09.440 --> 00:25:20.960
me. He said I am so sorry but you are going to prison. I was charged with two things;

00:25:20.960 --> 00:25:27.840
one was extortion and another thing was fraudulent access to secret information.

00:25:27.840 --> 00:25:32.720
JACK: Alberto was found guilty and he was being sent to a long-term prison

00:25:32.720 --> 00:25:37.120
where he would have to stay for years. ALBERTO: That day I really thought it was the

00:25:37.120 --> 00:25:44.720
end of the world for me. I was really, really – I don’t know, my mind was blocked. I never thought

00:25:44.720 --> 00:25:48.640
something like that would happen to me. JACK: A few days after court he was put on a

00:25:48.640 --> 00:25:53.440
bus and sent to a prison very far away. He knew his life had changed forever and still

00:25:53.440 --> 00:25:58.400
couldn’t believe it. After the court ruling, the news of this hit major news outlets. The

00:25:58.400 --> 00:26:02.960
police lined up all the electronics they took from his house and put them on display for the media.

00:26:02.960 --> 00:26:07.280
The equipment filled up a very large conference table. On the table you see his cell phones,

00:26:07.280 --> 00:26:12.560
laptops, USB drives, blank credit cards, credit card cloner, routers, and the iconic Anonymous

00:26:12.560 --> 00:26:17.280
mask, and so much more. This was the first time a hacker had gone to prison in Uruguay so it was a

00:26:17.280 --> 00:26:21.600
big deal. The police may have hyped up the story too, thinking it was a great achievement for them

00:26:21.600 --> 00:26:26.400
to have captured a dangerous hacker. The media really wasn’t kind either, because what kind of

00:26:26.400 --> 00:26:32.240
jerk steals patient records and tries to use them for extortion? By the time Alberto arrived at the

00:26:32.240 --> 00:26:38.480
prison he was already very popular. ALBERTO: The first day that I arrived the

00:26:38.480 --> 00:26:47.840
people that were in my cell asked me what crime did I commit? I said no, I commit a computer crime

00:26:47.840 --> 00:26:52.960
and well, I hacked a system. They say oh, you’re the hacker! Oh my god,

00:26:52.960 --> 00:27:00.240
you’re my hero, I want to be like you! Can you hack the [inaudible] of my girlfriend? I was like

00:27:00.240 --> 00:27:07.920
oh, my god. I cannot believe it. The other people that arrived after me in jail

00:27:07.920 --> 00:27:14.880
told me that oh, you’re the hacker, oh my god. I want to be like you.

00:27:14.880 --> 00:27:21.760
I was realizing the magnitude that this case has in the press. It was in every newspaper

00:27:21.760 --> 00:27:29.440
in Uruguay. It was in every TV news in Uruguay, in every radio program. It was

00:27:29.440 --> 00:27:37.200
everywhere. Everybody knew about this case. Prison is a word I have never

00:27:37.200 --> 00:27:44.160
thought I could be in, where you’re surrounded by people that lived in a world of crime.

00:27:44.160 --> 00:27:50.320
None of them were hackers. They were sexual offenders, killers, drug dealers, people that

00:27:50.320 --> 00:27:58.240
commit very violent crimes, that – their profile was completely different than mine. I have never

00:27:58.240 --> 00:28:04.640
imagined I would be with people like that. JACK: Prison warden made a strict rule announcing

00:28:04.640 --> 00:28:09.040
that because Alberto was a convicted hacker, that he was not allowed to touch any computers

00:28:09.040 --> 00:28:12.880
or electronics. But Alberto’s a nice guy, followed all the rules,

00:28:12.880 --> 00:28:16.240
and people started to like him. ALBERTO: Three months after that I

00:28:16.240 --> 00:28:22.720
was here teaching the inmates the basics of Word in a room with seven

00:28:22.720 --> 00:28:26.960
computers connected to the internet. JACK: He had earned the trust of the prison

00:28:26.960 --> 00:28:31.680
guards and had good behavior while in prison. This prison was actually not that bad; it had a little

00:28:31.680 --> 00:28:36.000
more freedom than most prisons. For instance, if you had good behavior there was an option to get

00:28:36.000 --> 00:28:40.640
out one or two days a week. This might sound weird to Americans but think of it like a combination of

00:28:40.640 --> 00:28:45.120
probation and prison at the same time. When you have probation you’re very restricted on what you

00:28:45.120 --> 00:28:49.040
can do. You may not be able to go out at night or with certain people and you may have to get

00:28:49.040 --> 00:28:54.960
a specific job. In a way probation is kind of like prison but you get to go home. This prison Alberto

00:28:54.960 --> 00:28:59.360
was in let some inmates go free one day a week. The guards started telling Alberto

00:28:59.360 --> 00:29:03.920
that well, because of his good behavior, in a month they may let him go home one day a week.

00:29:03.920 --> 00:29:08.800
But then something strange happened. ALBERTO: At the end of February somebody went

00:29:08.800 --> 00:29:15.840
to visit me to the jail and they called my name. I wasn’t expecting anyone. I went outside and I

00:29:15.840 --> 00:29:24.000
met a person who I didn’t know and we started talking. He was a person who had many companies

00:29:24.000 --> 00:29:30.320
and he wanted to know about my case because he was surprised about this and he said man, governments

00:29:30.320 --> 00:29:37.600
should hire people like you, not send to jail. A few days after that I was granted – I could go

00:29:37.600 --> 00:29:42.320
outside the jail for 72 hours a week. JACK: This is strange. At this prison,

00:29:42.320 --> 00:29:46.400
usually when you get a free day it starts out with one and then you work your way up to two,

00:29:46.400 --> 00:29:51.040
and you might get three days a week to be able to leave the prison. Also he was expecting it to take

00:29:51.040 --> 00:29:56.400
another month before his first free day but only a few days after the strange visitor appeared he was

00:29:56.400 --> 00:30:02.400
given the maximum free time off. Alberto didn’t know what to think of this and was very surprised

00:30:02.400 --> 00:30:06.480
but he was happy to be getting out half the week now. He found a place to stay near the

00:30:06.480 --> 00:30:09.120
prison on his free days. ALBERTO: The first time I

00:30:09.120 --> 00:30:16.880
went outside this person who I met in prison came to my house and he started talking to me.

00:30:16.880 --> 00:30:21.840
At one point he told me directly, I want you to hack this bank and steal money.

00:30:21.840 --> 00:30:27.600
JACK: The stranger had an elaborate plan all sorted out. He knew exactly which bank to hack

00:30:27.600 --> 00:30:32.640
into and which accounts to target and how much money to steal. He explained the plan thoroughly

00:30:32.640 --> 00:30:37.840
to Alberto. This was becoming even stranger for Alberto. Normally someone asking him to hack into

00:30:37.840 --> 00:30:44.240
something is a simple no but this one seemed more serious. Alberto said no to the man many times and

00:30:44.240 --> 00:30:49.680
he finally left. This stressed Alberto out. ALBERTO: Imagine if that bank got hacked by

00:30:49.680 --> 00:31:00.480
another person after this situation. They would point to me. I would be the person of interest.

00:31:00.480 --> 00:31:07.840
If somebody was hiring me to hack a bank and I did it? No, no way. The funny thing is this bank

00:31:07.840 --> 00:31:12.240
had several security issues. I thought to myself oh, no, oh no, oh my god.

00:31:12.240 --> 00:31:16.960
JACK: This was really troubling Alberto so he reported it to the prison guards. He was able

00:31:16.960 --> 00:31:21.520
to get some Xanax to deal with his anxiety but each week Alberto had free days out of

00:31:21.520 --> 00:31:27.920
prison he would see this stranger. This guy was stalking him, following him home and around town,

00:31:27.920 --> 00:31:31.760
each time asking Alberto if he was ready to help him hack into the bank.

00:31:31.760 --> 00:31:37.120
Alberto started getting really distraught over this and his anxiety was growing more and more.

00:31:37.120 --> 00:31:42.160
He had to take more Xanax to calm himself but his mind was racing. What if that bank gets

00:31:42.160 --> 00:31:46.320
robbed and they blame me? What if I know too much and this guy wants to kill me?

00:31:46.320 --> 00:31:51.680
What if he threatens me? Alberto became more agitated. The pills weren’t working. He took

00:31:51.680 --> 00:31:57.360
more. He didn’t know what to do and he was scared. He took more pills. Finally this started to calm

00:31:57.360 --> 00:32:02.640
him down. He started walking back to the prison where he knew he’d be safer but he was starting

00:32:02.640 --> 00:32:10.400
to get drowsy along the way. ALBERTO: At one point I closed my eyes

00:32:10.400 --> 00:32:16.160
and the next thing was a beep, beep, beep. [BEEPING] I opened my eyes and I was seeing

00:32:16.160 --> 00:32:27.360
a light. They cut all my clothes. I had all kinds of devices in my body and they told me you

00:32:27.360 --> 00:32:32.208
spent – you were two hours in coma. You were there for two hours. [MUSIC]

00:32:32.208 --> 00:32:38.240
JACK: The intense anxiety caused Alberto to over-medicate on Xanax which made him overdose.

00:32:38.240 --> 00:32:41.600
He was found and rushed to the hospital where they were able to revive him

00:32:41.600 --> 00:32:49.680
in time to save his life. He had to spend some time to calm down and take it easy after that.

00:32:49.680 --> 00:32:54.240
Meanwhile Alberto’s lawyer was endlessly trying to get him out of prison. He appealed the case

00:32:54.240 --> 00:33:00.000
but it was not accepted so he appealed again. Again, it wasn’t accepted. Finally on the third

00:33:00.000 --> 00:33:05.200
appeal the lawyer had some good news. ALBERTO: He phoned me and he told me Alberto,

00:33:05.200 --> 00:33:11.840
they filed in your favor but there is only one thing they ask. They ask for $10,000 bail in

00:33:11.840 --> 00:33:18.000
order to release you. I said okay, no problem. I started calling some people. I called my mother.

00:33:18.000 --> 00:33:24.800
The next day she put that money in a bank account. She had to make a lot of – fill a lot of documents

00:33:24.800 --> 00:33:30.880
and she gave a paper saying that the money was deposited and they sent a fax to the jail

00:33:30.880 --> 00:33:35.280
saying that I had to be released. JACK: [MUSIC]

00:33:35.280 --> 00:33:39.680
After spending nine months in prison Alberto was set free, was able to return home for the

00:33:39.680 --> 00:33:45.840
first time to his apartment in Montevideo. ALBERTO: I ride to my house. I couldn’t believe it

00:33:45.840 --> 00:33:51.200
when I opened the door and I went to my office. I started seeing hard disc drives. I said what’s

00:33:51.200 --> 00:33:54.720
this? Oh my god, hard disc drives. JACK: He couldn’t believe that there was

00:33:54.720 --> 00:33:56.880
so much stuff left behind by the police.

00:33:56.880 --> 00:34:01.760
He was totally shocked that they didn’t take every last device and examine it for evidence.

00:34:01.760 --> 00:34:05.280
In his mind he was wondering if the investigators did anything right.

00:34:05.280 --> 00:34:11.360
ALBERTO: I found 29 hard discs. They also left three laptops, three cellular phones. I also

00:34:11.360 --> 00:34:21.360
found money, money from Uruguay, from Paraguay, and Argentina. I also found blank credit cards.

00:34:21.360 --> 00:34:32.400
It was crazy. That explains that the process was – I don’t know if they were not prepared for this or

00:34:32.400 --> 00:34:37.920
what the hell happened. It was all a show. JACK: To Alberto the investigation went wrong in

00:34:37.920 --> 00:34:42.640
a million ways. The police weren’t knowledgeable enough on how to handle this case and didn’t take

00:34:42.640 --> 00:34:46.640
all the evidence, and they handled the evidence poorly. Like, they didn’t clone the laptop’s hard

00:34:46.640 --> 00:34:50.400
drives. Instead they just turned it on to take a look at it. In fact I talked to Alberto for

00:34:50.400 --> 00:34:55.120
hours and a lot of what he had to say was just about how this case was handled so improperly

00:34:55.120 --> 00:34:58.080
which is probably why in the end they caught the wrong guy.

00:34:58.080 --> 00:35:02.400
He sometimes wonders if all this was just done to set him up and have him arrested for some other

00:35:02.400 --> 00:35:07.040
reason. He’s got a few theories about this like maybe it was a big cover-up from something else

00:35:07.040 --> 00:35:11.680
bigger and more shady going on at the medical facility and they needed to distract the media.

00:35:11.680 --> 00:35:15.920
But these are just conspiracy theories cooked up in the mind of a guy who’s been sitting in prison

00:35:15.920 --> 00:35:21.200
for months. After Alberto was convicted and sent to prison the police couldn’t find any evidence on

00:35:21.200 --> 00:35:25.120
his girlfriend so they let her go after one night in jail and rough questioning.

00:35:25.120 --> 00:35:31.680
ALBERTO: She had a very dramatic situation. She started taking a lot of medication to sleep. She

00:35:31.680 --> 00:35:38.880
was having a very bad time. She has never taken any medication in her life for anxiety but she

00:35:38.880 --> 00:35:45.040
started taking that because she couldn’t sleep at night. They told her so many lies about me so

00:35:45.040 --> 00:35:51.280
she was thinking to herself I spent eight years with a person I didn’t know anything about. He was

00:35:51.280 --> 00:35:58.480
a criminal. She was questioning everything because they were lying to her. They were telling her

00:35:58.480 --> 00:36:07.040
all kinds of stupid things that destroyed her. Even the fact that I said that,

00:36:07.040 --> 00:36:12.880
they told her I said that I admitted everything and that she was in charge of everything.

00:36:12.880 --> 00:36:19.440
That was crazy. They played with her mind. The worst thing that they did was that they threat her

00:36:19.440 --> 00:36:26.080
with losing her job. The most important thing that she has; if she loses her job she loses

00:36:26.080 --> 00:36:37.600
everything. They called her company and they told the boss of the company about the situation so she

00:36:37.600 --> 00:36:46.080
had a very difficult issue. She told me that until now she has nightmares, very recurrent nightmares,

00:36:46.080 --> 00:36:53.920
that she is sleeping and she dreams that she’s being arrested, that the doors of her apartment

00:36:53.920 --> 00:37:03.760
is open, that it’s the police. That she’s taken to a cell. I was pretty sad when I heard that because

00:37:03.760 --> 00:37:11.920
it’s been more than a year and she’s still having the consequences of the traumatic interrogation

00:37:11.920 --> 00:37:18.400
process that they applied on her. JACK: After eight years of being together this

00:37:18.400 --> 00:37:23.040
incident caused Alberto to lose his girlfriend. This was simply too much of a bad experience for

00:37:23.040 --> 00:37:28.000
her and she had to leave him to go help herself. As of right now Alberto has only been out of

00:37:28.000 --> 00:37:32.160
prison for five months and is still working with his lawyer to collect the evidence of what they

00:37:32.160 --> 00:37:36.640
took from his apartment. The police have kept most of it still, including some Bitcoin wallets

00:37:36.640 --> 00:37:41.600
which have a lot of money in them. In fact life is very hard for him because most of his computers,

00:37:41.600 --> 00:37:45.360
phones, money, and credit cards are still being kept from him. For instance all his

00:37:45.360 --> 00:37:49.840
two-factor authentication tokens are in police custody making it impossible for him to log into

00:37:49.840 --> 00:37:54.320
certain accounts. But there have been a few things that have gone his way since getting out.

00:37:54.320 --> 00:38:01.840
ALBERTO: After I was released, it was incredible. I got job offers from an important security

00:38:01.840 --> 00:38:10.320
company for a pen testing position in a security company. It was something that I lived; okay,

00:38:10.320 --> 00:38:15.920
okay. Life goes on and is strong than ever. I could spend eight months in jail so if I

00:38:15.920 --> 00:38:20.160
could do that I could do anything in life. That’s the way I see it.
