WEBVTT

00:00:00.000 --> 00:00:03.600
JACK: A few years back, I used to play this really stupid mobile game. I don’t even remember what it

00:00:03.600 --> 00:00:08.960
was called. You had a party of fighters and you level them up or something. But the thing was,

00:00:08.960 --> 00:00:14.480
in the game there was an online chat option, and at any moment you could look at the people chatting

00:00:14.480 --> 00:00:19.280
to see what they’re talking about in the game. Well, if you’ve played any game that has online

00:00:19.280 --> 00:00:24.960
chat options, you know how toxic it can be, and this place was no exception. People were selling

00:00:24.960 --> 00:00:29.040
in-game gold that wasn’t even possible; it was just all scams, because there was no way to

00:00:29.040 --> 00:00:34.720
send gold to anyone in the game. There was just some real vile hatred spewed all over the place.

00:00:34.720 --> 00:00:39.120
The thing is, the people that did this felt like they could just hide behind their username

00:00:39.120 --> 00:00:43.040
that they created a minute ago, because the worst case scenario is that they just might

00:00:43.040 --> 00:00:49.120
get banned from the game. But I was a network security engineer, and I wanted to see if there

00:00:49.120 --> 00:00:55.760
was a way to learn more about the people that were saying rude stuff in chat. [MUSIC] So, I started a

00:00:55.760 --> 00:01:01.280
packet capture on my phone. All network traffic coming in and out of the phone was captured,

00:01:01.280 --> 00:01:05.760
and then I started looking through it. It wasn’t easy; it’s like looking for a needle

00:01:05.760 --> 00:01:11.040
in a haystack, but eventually I found what the packets looked like when they sent chat messages

00:01:11.040 --> 00:01:17.760
to me, and it was not encrypted which made it easy to crack the packet open and see exactly what was

00:01:17.760 --> 00:01:24.160
in those messages. Amazingly enough, the network traffic showed a lot more information about

00:01:24.160 --> 00:01:30.640
that user who was chatting than what was shown in-game. In the game, all you see is a person’s

00:01:30.640 --> 00:01:36.160
username. There’s no way to see anything more about them. But the packets showed their username

00:01:36.160 --> 00:01:42.160
and user ID, which was just a very long number. Now, I was also noticing this game was interacting

00:01:42.160 --> 00:01:47.520
with one of their servers, and I saw how the game would look up user details, so I crafted my own

00:01:47.520 --> 00:01:54.320
packet to send to their server to look up a user, and whoa, the server gave me their e-mail address

00:01:54.320 --> 00:02:00.320
and IP address. With an IP, I can look up their general location of where they are in the world.

00:02:00.320 --> 00:02:04.640
So, armed with this, I went back into the game and waited for someone to start saying

00:02:04.640 --> 00:02:09.600
rude, horrible stuff. There was this one guy being a real jerk, spamming all kinds of rude stuff,

00:02:09.600 --> 00:02:15.120
calling people names, and it was just not nice. I told him hey, stop being rude or else.

00:02:15.120 --> 00:02:20.160
He’s like, or else what? I’m like, or else I’ll tell everyone here your real name.

00:02:20.160 --> 00:02:24.800
I already know everything about you. It was then when I grabbed all the packets from this chat,

00:02:24.800 --> 00:02:30.080
found his user ID, put it into the website, got his e-mail and IP address. Actually, from there,

00:02:30.080 --> 00:02:36.880
I looked up his e-mail on Google and got his first and last name. Well of course, he called my bluff,

00:02:36.880 --> 00:02:40.960
knowing there’s no way in-game to see someone’s real name. In fact, he never even entered his real

00:02:40.960 --> 00:02:45.520
name in the game, so how would I know it? So, now he starts aiming his attacks towards me, calling

00:02:45.520 --> 00:02:50.800
me names and taunting me. So, I think I remember his name was Evan, so I started just writing

00:02:50.800 --> 00:02:57.600
‘Evan’ in the chat room over and over and over. Just that word, ‘Evan’, ‘Evan’, ‘Evan’. He stopped

00:02:57.600 --> 00:03:03.680
chatting for a minute. He was like, who are you? I’m like, are you gonna be nice now or do you

00:03:03.680 --> 00:03:09.600
want me to say your last name, too? He tested me by saying go ahead, I don’t believe you know it.

00:03:09.600 --> 00:03:15.040
So, I dropped the first part of his e-mail address in chat, and he stopped talking for a minute.

00:03:15.040 --> 00:03:21.760
Then he asked, Adam? Is that you? [INTRO MUSIC] I’m like, no, dude. I’m not Adam. I’m the guy

00:03:21.760 --> 00:03:26.080
who’s just trying to stop you from being rude. Go find a hobby that doesn’t include

00:03:26.080 --> 00:03:31.600
being mean to people. I guess this spooked him, because he logged out of the game

00:03:31.600 --> 00:03:37.600
and I never saw him again. (INTRO):

00:03:37.600 --> 00:03:44.400
These are true stories from the dark side of the internet.

00:03:44.400 --> 00:04:02.679
I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS]

00:04:02.679 --> 00:04:05.120
JACK: For this story, we’re headed to the Middle East.

00:04:05.120 --> 00:04:10.840
MOHAMMED: So, my name is Mohammed Aldoub. In Arabic, we spell it م.محمد الدوب.

00:04:10.840 --> 00:04:14.800
JACK: Yeah, so where are you now? MOHAMMED: In Kuwait,

00:04:14.800 --> 00:04:18.880
as always. It’s where I’m from. JACK: Mohammed is in his thirties now,

00:04:18.880 --> 00:04:22.800
but ever since he was a teenager, he was fascinated with computers.

00:04:22.800 --> 00:04:28.800
MOHAMMED: Well, Kuwait generally is a very connected society, so it’s extremely easy

00:04:28.800 --> 00:04:35.840
to get hooked on early. With my, let’s say age group, with the internet entering our houses in

00:04:35.840 --> 00:04:40.560
the late nineties, getting hooked early on on technology, it was – I think it was very

00:04:40.560 --> 00:04:46.160
straightforward. But then I actually entered the Kuwait University, the College of Engineering,

00:04:46.160 --> 00:04:51.440
and the Computer and Software Engineering Department, so I graduated as an engineer

00:04:51.440 --> 00:04:56.000
of that aspect. But then after graduation, I actually went into cyber security. So, my

00:04:56.000 --> 00:05:02.240
entry into cyber security was around 2010. JACK: He got a job in the government of Kuwait

00:05:02.240 --> 00:05:05.760
securing systems, and pretty early on, he saw the importance of the internet

00:05:05.760 --> 00:05:10.560
and securing all the stuff on it. MOHAMMED: In my earlier years, around 2010

00:05:10.560 --> 00:05:17.280
and ‘11, I actually got introduced to the late Dan Kaminsky, and his guidance was really amazing on

00:05:17.280 --> 00:05:25.920
how a new-and-upcoming person like me would do to get properly into cyber security. I think with

00:05:25.920 --> 00:05:32.880
the emergence of social media and it taking the political and the public scene in Kuwait by storm,

00:05:32.880 --> 00:05:39.040
it was just natural for me to use that platform to discuss cyber security, provide awareness.

00:05:39.040 --> 00:05:44.480
JACK: [MUSIC] Mohammed has built quite the Twitter following. His name there is Voulnet,

00:05:44.480 --> 00:05:50.000
and he won’t tell me what that means, but Voulnet is what he goes by. Today he has

00:05:50.000 --> 00:05:55.600
73,000 followers, but to get there, he shared a lot of knowledge about security on Twitter.

00:05:55.600 --> 00:06:01.680
MOHAMMED: I did many – I would say tweet storm is where I take a certain malware sample that is just

00:06:01.680 --> 00:06:07.360
fresh, currently being used to attack some entity in the Gulf region, then I would go

00:06:07.360 --> 00:06:13.280
live in Twitter, trying to analyze the malware, how it works, what it does to the systems. So,

00:06:13.280 --> 00:06:17.920
it was kinda something that we do for the community, for the crowd. People

00:06:17.920 --> 00:06:22.320
would love it. People would engage with it. JACK: After college, he was able to get a job with

00:06:22.320 --> 00:06:27.600
the Kuwaiti government. He was tasked with doing things like securing systems, analyzing malware,

00:06:27.600 --> 00:06:31.520
and other cyber security work. He was getting good at security, scaling up,

00:06:31.520 --> 00:06:36.800
and his popularity was growing on Twitter. With that, new doors started to open up for him.

00:06:36.800 --> 00:06:42.720
MOHAMMED: Then at 2018, I actually left that government job, and then I did my first official

00:06:42.720 --> 00:06:48.320
cyber security training, which was abroad. It was in the Netherlands, so I went on to give a

00:06:48.320 --> 00:06:54.960
malware – an Android malware analysis course for the Dutch police, actually. So, it was

00:06:54.960 --> 00:06:59.040
kinda interesting because that was the official – the first official training that I delivered

00:06:59.040 --> 00:07:05.680
outside of Kuwait to an audience in Europe. JACK: He particularly liked training. Teaching

00:07:05.680 --> 00:07:10.400
people new things is fun, so he looked around for more training opportunities.

00:07:10.400 --> 00:07:15.760
MOHAMMED: I actually got accepted into Black Hat as a trainer, and that was – for me, that was a

00:07:15.760 --> 00:07:23.440
dream come true. I never thought – usually, in my earlier years doing the government work, I would

00:07:23.440 --> 00:07:27.520
dream of visiting Black Hat, you know? JACK: [MUSIC] Black Hat is an annual security

00:07:27.520 --> 00:07:32.400
conference in Las Vegas which takes place the week before Defcon, and Black Hat is more geared

00:07:32.400 --> 00:07:37.280
towards security professionals and the people who want to learn how to secure their systems better.

00:07:37.280 --> 00:07:42.880
The training there I hear is pretty good, so to be selected as a trainer made Mohammed feel

00:07:42.880 --> 00:07:48.480
proud. Specifically, he was planning on teaching a course about securing API endpoints. But the

00:07:48.480 --> 00:07:54.560
year was 2019, and he got word that he was going to be a trainer in the early part of that year,

00:07:54.560 --> 00:08:01.440
like February or March. But Black Hat doesn’t come until August, so he had five months to prepare.

00:08:01.440 --> 00:08:11.200
It’s in those five months that this story takes place, a story that changed his life.

00:08:11.200 --> 00:08:15.360
Now, one thing Mohammed likes doing is examining the latest malware,

00:08:15.360 --> 00:08:20.560
and specifically he was interested in malware that was somehow used in Kuwait, where he lived.

00:08:20.560 --> 00:08:26.960
MOHAMMED: So, of course being in the Gulf region, there were many interesting threat

00:08:26.960 --> 00:08:34.320
actors especially from, for example, Iran, from other countries, from Israel, other entities

00:08:34.320 --> 00:08:41.120
and countries in the world. So, obviously the Gulf region was heavily targeted, and

00:08:41.120 --> 00:08:47.840
so, it was usually something regular that we tried to hunt for threats, tried to look for

00:08:47.840 --> 00:08:52.880
state actors attacking certain entities. JACK: As a government employee, he would sometimes

00:08:52.880 --> 00:08:57.120
get sent some malware to analyze, which was cool. But because he quit his job,

00:08:57.120 --> 00:09:01.760
he needed to find a new place to keep tabs on the latest malware going around in Kuwait.

00:09:01.760 --> 00:09:07.200
MOHAMMED: One of the best avenues to look for such things is through using VirusTotal.

00:09:07.200 --> 00:09:12.400
JACK: VirusTotal; this is a fascinating website. [MUSIC] Okay, so the free service they offer is

00:09:12.400 --> 00:09:16.160
that if you find some malware, you can upload it to their site and it’ll tell you what type

00:09:16.160 --> 00:09:20.560
of malware it is. This is really helpful for security teams to get information about

00:09:20.560 --> 00:09:24.160
any malware they found on their network. I mean, think about it; suppose your computer’s

00:09:24.160 --> 00:09:28.400
running poorly. You open up Task Manager and see a service running on there and you wonder,

00:09:28.400 --> 00:09:32.880
is this supposed to be here? Well, you can grab it, upload it to VirusTotal, and it’ll tell you

00:09:32.880 --> 00:09:38.320
if any antiviruses considered this to be harmful and any extra information about that malware.

00:09:38.320 --> 00:09:42.800
So yeah, security teams all over are constantly uploading malware to this site.

00:09:42.800 --> 00:09:48.000
But if you have a premium membership, you get a bonus feature; if someone uploads some malware

00:09:48.000 --> 00:09:53.840
to VirusTotal and it’s a file that it’s never seen before, then you can get an alert. So,

00:09:53.840 --> 00:09:58.320
security researchers might be interested to see what this new file might contain,

00:09:58.320 --> 00:10:03.520
and they can download it and analyze it. Mohammed loved this feature.

00:10:03.520 --> 00:10:10.160
MOHAMMED: I would use it to actually look for attacks that are targeting Kuwait, malware samples

00:10:10.160 --> 00:10:15.680
being uploaded from Kuwait, from other countries in the region, because they would be of interest

00:10:15.680 --> 00:10:19.600
to my line of work, obviously. JACK: As he said before, he’d sometimes grab

00:10:19.600 --> 00:10:24.880
some malware from this site, VirusTotal, and begin live-streaming as he examines it to look to see

00:10:24.880 --> 00:10:29.200
what’s in it. Because he spoke Arabic, it also helped him understand threats targeting

00:10:29.200 --> 00:10:34.720
the Gulf region better, too. He found some pretty interesting stuff this way and would tweet about

00:10:34.720 --> 00:10:39.920
it, and then see some major security companies publishing alerts about it shortly after. This

00:10:39.920 --> 00:10:46.480
is what I would call security research. MOHAMMED: Yeah, in March, the end of March 2019,

00:10:46.480 --> 00:10:54.880
I’m doing that usual threat hunting work. I found a sample that resembled some sort of a banking

00:10:54.880 --> 00:10:59.840
malware [MUSIC] that was uploaded from Kuwait.

00:10:59.840 --> 00:11:06.400
JACK: Okay, already this is interesting. Mohammed saw that some never-before-seen malware

00:11:06.400 --> 00:11:13.280
was uploaded to VirusTotal, and downloaded it, looked at it, and found it was targeting a bank.

00:11:13.280 --> 00:11:18.400
It didn’t say what bank, but Mohammed had a pretty good hunch that this was some sort

00:11:18.400 --> 00:11:23.920
of banking malware. So, he’s looking at this completely unknown malware targeting a bank

00:11:23.920 --> 00:11:30.720
that was uploaded from somewhere in Kuwait. Fascinating, right? Well,

00:11:30.720 --> 00:11:35.920
if you think that’s fascinating, you might be a geek. Not many people on the planet are looking

00:11:35.920 --> 00:11:40.320
through brand-new malware uploaded to VirusTotal, trying to figure out what’s going on there,

00:11:40.320 --> 00:11:45.200
but this is what Mohammed does, because he loves discovering this new stuff,

00:11:45.200 --> 00:11:50.720
because it poses all kinds of questions; what bank was this for? Did the victim upload it or

00:11:50.720 --> 00:11:56.320
the person who created this malware upload it? Did it actually infect something and steal any money?

00:11:56.320 --> 00:12:01.440
What does it do? This is why people like following him on Twitter, because he digs up

00:12:01.440 --> 00:12:05.840
some pretty interesting stuff sometimes. MOHAMMED: So, I came onto – downloaded and

00:12:05.840 --> 00:12:11.200
analyzed it, and actually discussed on Twitter, submitted the hashes for that piece of malware

00:12:11.200 --> 00:12:15.520
so that anybody in the region could search for those hashes in their environment and see if

00:12:15.520 --> 00:12:19.200
they got that attack or that malware. JACK: Okay, so, he started a Twitter thread,

00:12:19.200 --> 00:12:25.280
and at the time, he had around 40,000 followers on Twitter. He wrote, quote, “For those interested in

00:12:25.280 --> 00:12:30.720
banking security, these are some highly-probable indicators of compromise from the local banking

00:12:30.720 --> 00:12:35.760
SWIFT attack that you might have heard about.” End quote. [MUSIC] Now, in the news at the time, there

00:12:35.760 --> 00:12:41.040
were some other stories going around about banks getting hacked and money stolen using the SWIFT

00:12:41.040 --> 00:12:46.240
money transfer system. Mohammed saw this malware and had a hunch that it might somehow be related

00:12:46.240 --> 00:12:50.960
to those attacks, and felt like it was important to tweet about what he was finding. He went on

00:12:50.960 --> 00:12:56.880
and posted file names and file hashes on Twitter, and you can think of a file hash sort of like a

00:12:56.880 --> 00:13:01.840
file’s fingerprint. Instead of posting the files themselves on Twitter, he posted the hash.

00:13:01.840 --> 00:13:05.520
That’s so other people can look through their file hashes to check if they have this malware

00:13:05.520 --> 00:13:10.960
on their systems, too. Posting file hashes like this is preferred, because it’s not posting any

00:13:10.960 --> 00:13:16.800
sensitive data that’s in the malware, just in case it contained a password or an IP address or

00:13:16.800 --> 00:13:22.880
something related to the victim. MOHAMMED: So, interestingly, I found some strings

00:13:22.880 --> 00:13:27.600
in those pieces of malware that I think would be beneficial for people to use to search for in

00:13:27.600 --> 00:13:32.720
their environment, which is what I shared. JACK: So, one technique for analyzing malware is

00:13:32.720 --> 00:13:38.400
to run the command ‘strings’ on it. This will search the malware for any

00:13:38.400 --> 00:13:43.280
human-readable words, and it just spits out a list of words for you to see.

00:13:43.280 --> 00:13:49.520
This might give you some clues as to what’s going on, like any internal notes left in the code or

00:13:49.520 --> 00:13:55.760
other information that is human-readable. Mohammed looked at the code for human-readable words, and

00:13:55.760 --> 00:14:07.120
one word stood out for him; GBKADMIN. [MUSIC] Why does this malware have the word GBKADMIN in it?

00:14:07.120 --> 00:14:14.320
Is that a username? Is that the name of the malware? Is GBKADMIN something important?

00:14:14.320 --> 00:14:19.280
He had no idea and just decided to tweet it, telling his followers take note that

00:14:19.280 --> 00:14:23.360
the malware has GBKADMIN in it, and that might mean something.

00:14:23.360 --> 00:14:25.600
MOHAMMED: So, the malware sample itself didn’t really

00:14:25.600 --> 00:14:29.680
point at a certain bank with certainty. JACK: Which made him feel confident that his

00:14:29.680 --> 00:14:34.560
Twitter posts were fine. He’s not naming a bank, he’s careful not to post any sensitive

00:14:34.560 --> 00:14:39.440
information, so he posted a bunch of stuff he found, had some conversations with people about

00:14:39.440 --> 00:14:44.560
it, and then sort of closed up his research into this and was done with it, moving on to

00:14:44.560 --> 00:14:49.520
other things. After all, he didn’t work in the banking sector, so all he could do is just warn

00:14:49.520 --> 00:14:53.760
other people that there’s some banking malware going around in Kuwait, and since he’s done that,

00:14:53.760 --> 00:14:59.360
he can now do something else. Not much more for him to do about this. Well, a few days later, we

00:14:59.360 --> 00:15:07.680
saw a tweet from the Gulf Bank of Kuwait’s Twitter account saying they had a service disruption.

00:15:07.680 --> 00:15:12.560
This service disruption resulted in them losing $9 million.

00:15:12.560 --> 00:15:20.080
MOHAMMED: Yeah, 2.8 million Kuwaiti dinars. JACK: Very interesting that the Gulf Bank

00:15:20.080 --> 00:15:24.880
of Kuwait was reporting a problem. MOHAMMED: [MUSIC] Yeah, I realized that something

00:15:24.880 --> 00:15:31.280
definitely was off because this thing doesn’t happen normally to all banks, you know, a problem

00:15:31.280 --> 00:15:37.120
in your transaction with that kind of big loss, and then the bank publicly talking about it. So,

00:15:37.120 --> 00:15:42.720
obviously something was really off there. That’s why it got the attention of the country. Like,

00:15:42.720 --> 00:15:48.560
everyone in Kuwait was talking about it. What did the Gulf Bank mean by that statement?

00:15:48.560 --> 00:16:04.640
JACK: This was a very interesting tweet that Mohammed was reading.

00:16:04.640 --> 00:16:10.000
The Gulf Bank suffered a service disruption that resulted in a loss of $9 million,

00:16:10.000 --> 00:16:17.520
two days after Mohammed found some banking malware uploaded by someone in Kuwait? Hm. Mohammed

00:16:17.520 --> 00:16:21.120
was starting to put the pieces together. MOHAMMED: Of course I did those pieces together,

00:16:21.120 --> 00:16:27.280
but I was – I did put them in my mind, but I was very careful not to actually – came up

00:16:27.280 --> 00:16:33.600
with the conclusion in public that would try to publicly link these two incidents, because

00:16:33.600 --> 00:16:37.680
there wasn’t much – there wasn’t a lot of, let’s say, concrete proof for me

00:16:37.680 --> 00:16:45.760
to be able to do that. So, it really – it was eerily, I would say, familiar. It sounded like

00:16:45.760 --> 00:16:52.400
there’s a possible connection there. JACK: But yeah, he didn’t say anything publicly

00:16:52.400 --> 00:16:59.200
about any theories that he had that might connect the malware he found to Gulf Bank. He just watched

00:16:59.200 --> 00:17:06.240
Twitter talk about it, and he observed. Okay, so, the Gulf Bank is Kuwait’s fourth-largest bank. At

00:17:06.240 --> 00:17:13.040
the time, they self-reported that they had $2.25 billion in capital and that losing $9 million

00:17:13.040 --> 00:17:19.280
was only less than half a percent of their total capital. But again, I want to emphasize the word

00:17:19.280 --> 00:17:24.720
‘losing’ here, not ‘stealing’ or ‘robbed’. The Gulf Bank never did say the money was stolen

00:17:24.720 --> 00:17:28.960
or that they were robbed, only that there was a service disruption that resulted in

00:17:28.960 --> 00:17:34.000
them losing millions of Kuwaiti dinars. Well, a few days after that, the next news we saw

00:17:34.000 --> 00:17:40.800
from the bank was that they fired their general manager of IT without explaining publicly why.

00:17:40.800 --> 00:17:45.360
The general manager seemed particularly surprised by this and said it was unjust that they asked him

00:17:45.360 --> 00:17:51.280
to leave. Something big at the bank was happening, and they weren’t being transparent about what it

00:17:51.280 --> 00:18:12.640
was. The next week, Mohammed goes to a security event in Kuwait to hang out with other people

00:18:12.640 --> 00:18:18.880
in infosec and socialize. But while he’s at this event socializing, his phone rings.

00:18:18.880 --> 00:18:24.080
MOHAMMED: [MUSIC] I got a call; someone from the cyber crime department. He told me cyber,

00:18:24.080 --> 00:18:29.680
let’s say branch of the police where they handle complaints related to cyber crime.

00:18:29.680 --> 00:18:35.040
JACK: They told him that there’s a possibility that the Gulf Bank is going to complain to the

00:18:35.040 --> 00:18:39.920
police about his tweets, the ones that talk about the malware that he found on VirusTotal,

00:18:39.920 --> 00:18:44.720
and they asked him to come down so that they can question him. He agrees to be there,

00:18:44.720 --> 00:18:48.800
but was nervous about this whole thing now. MOHAMMED: Well, of course you would, because that

00:18:48.800 --> 00:18:54.320
bank is powerful and because I was extremely careful in my wording of all the research that

00:18:54.320 --> 00:19:00.400
I did not to include anything that would link obviously to a certain entity or certain bank,

00:19:00.400 --> 00:19:05.360
that I was talking in general, mentioning things that are already de-anonymized like

00:19:05.360 --> 00:19:11.200
password hashes, talking about malware attacks in general, or talking about certain malware

00:19:11.200 --> 00:19:16.880
without attributing it to a certain entity by name. So, legally I was in the clear,

00:19:16.880 --> 00:19:24.720
I regard myself, what I have, let’s say concluded or guessed at the back of my mind. So,

00:19:24.720 --> 00:19:31.280
I went to the questioning and they asked me, are those your tweets? I say, yes. Did you mean

00:19:31.280 --> 00:19:35.440
– the Gulf Bank made a complaint; did you mean them in your, for example, tweet? No;

00:19:35.440 --> 00:19:38.720
I said no, I didn’t mention them, didn’t mean them in my tweets, and that’s – that

00:19:38.720 --> 00:19:44.000
was the end of the questioning. JACK: Okay, so maybe this is a routine

00:19:44.000 --> 00:19:48.400
part of the investigation where the bank is just doing their due diligence by following up any

00:19:48.400 --> 00:19:54.160
clues or leads about the incident. Since Mohammed had tweeted about the banking malware he found,

00:19:54.160 --> 00:19:59.280
maybe there was more to it, so that’s why the police were questioning him. After talking with

00:19:59.280 --> 00:20:02.400
them, he felt relieved and thought well, that’s probably the end of that.

00:20:02.400 --> 00:20:07.760
MOHAMMED: It was then that interesting things happened, actually. [MUSIC] Around that time,

00:20:07.760 --> 00:20:14.000
I had to go to the USA accompanying my wife because she was visiting her mother

00:20:14.000 --> 00:20:20.880
who was being treated and was very sick in the United States. So, I flew to the US, and

00:20:20.880 --> 00:20:26.320
while I was in the US, I got a call that I need to be present for an investigation by the

00:20:26.320 --> 00:20:30.960
public prosecution. JACK: They wanted him present for an investigation

00:20:30.960 --> 00:20:35.360
because they wanted to ask him more questions about what he knew about this incident

00:20:35.360 --> 00:20:41.360
at the Gulf Bank. Did he know more than what he was tweeting about? This second round of

00:20:41.360 --> 00:20:47.760
questioning was a little worrisome for him, but he knew he was innocent and wanted to cooperate.

00:20:47.760 --> 00:20:53.360
So, he told them that he’s in the US helping take care of a sick family member and he can’t come on

00:20:53.360 --> 00:20:58.880
the date they requested, but he’ll be happy to come in as soon as he gets back to Kuwait.

00:20:58.880 --> 00:21:02.480
He even showed them his return ticket on when he’ll be back, and they said

00:21:02.480 --> 00:21:07.760
okay, no problem. So, he finished up his trip to the US and went back to Kuwait, and went to talk

00:21:07.760 --> 00:21:14.320
with the investigators. But they said because he didn’t show up on the date they requested,

00:21:14.320 --> 00:21:17.520
he’s now being charged. MOHAMMED: Because the public prosecution

00:21:17.520 --> 00:21:22.960
went on with the investigation, didn’t wait for my arrival, I was regarded as in – as abstentious,

00:21:22.960 --> 00:21:31.200
so it was – I was accused of, let’s say, charging the Kuwaiti law, which means abuse of

00:21:31.200 --> 00:21:34.480
a mobile device, which means that you have used a mobile device to do

00:21:34.480 --> 00:21:41.680
something bad. It was the way the Kuwaiti law was, let’s say, worded, and that I was disclosing

00:21:41.680 --> 00:21:47.040
trade secrets of the complainant. JACK: What? Mohammed’s tweets have now led

00:21:47.040 --> 00:21:52.880
him to being accused of abusing a mobile phone device and leaking trade secrets?

00:21:52.880 --> 00:21:57.040
Something has clearly gone very wrong. MOHAMMED: I was worried, but there

00:21:57.040 --> 00:22:00.160
wasn’t a thing I could do about it. So, the only thing I could do about

00:22:00.160 --> 00:22:04.640
it was to prepare a solid defense. JACK: So, he hires a lawyer to help make sure

00:22:04.640 --> 00:22:10.240
he navigates this criminal charge properly. When a big bank is bringing down charges against you and

00:22:10.240 --> 00:22:15.680
they’ve reported that they’ve lost $9 million, you want to take this very seriously even if

00:22:15.680 --> 00:22:21.760
you’re completely innocent. So, he was being very cautious, and there was part of him wondering

00:22:21.760 --> 00:22:26.960
how much of this is related to hacking and how much of this is related to the

00:22:26.960 --> 00:22:31.920
violation of free speech laws in Kuwait? MOHAMMED: [MUSIC] So, I’m not really a lawyer,

00:22:31.920 --> 00:22:37.680
but generally the constitution of Kuwait gives a big blanket for freedom of speech,

00:22:37.680 --> 00:22:43.600
but then it says according to the laws. Then the laws go on to specify the general protections

00:22:43.600 --> 00:22:50.560
of the constitution. So, we have laws for cyber crimes, we have laws for print, we have laws for

00:22:50.560 --> 00:22:55.680
live media, like, example; videos, television, radio. We also have the state security laws.

00:22:55.680 --> 00:23:02.560
All of these laws contribute to, let’s say, further restriction of freedom of speech.

00:23:02.560 --> 00:23:08.480
So, there are public figures in Kuwait that you cannot, let’s say for example, talk about in any,

00:23:08.480 --> 00:23:13.520
let’s say, bad manner regardless of your intent. There are limits to what you can talk.

00:23:13.520 --> 00:23:21.360
You can’t, for example, let’s say, use hate speech against religious or political minorities.

00:23:21.360 --> 00:23:26.800
So, it goes on and on about the political aspects, the religious aspects, or restrictions on free

00:23:26.800 --> 00:23:32.640
speech, and also the cyber crime part of that. The cyber crime law was actually interesting

00:23:32.640 --> 00:23:40.400
because it came out in 2014 and it was supposed to address cyber crimes or crimes that were related

00:23:40.400 --> 00:23:46.800
to cyber security, like hacking, for example, or fraud. But then it came to be abused by lawyers,

00:23:46.800 --> 00:23:53.200
by people to actually accuse anyone who talks badly about you. So, if you were a government official,

00:23:53.200 --> 00:24:00.960
if you were a social media figure and someone was trying to talk about you in a way you don’t like,

00:24:00.960 --> 00:24:08.000
you can go and then try to sue them according to that law. Many times it would result in verdicts

00:24:08.000 --> 00:24:12.720
where people have to pay fines. I think my case was an example of that, because

00:24:12.720 --> 00:24:19.760
I didn’t actually do any wrongdoing. JACK: Interesting. So, it sounds like if someone

00:24:19.760 --> 00:24:24.880
says something damaging towards your company or you, you can take them to court and possibly

00:24:24.880 --> 00:24:30.240
get them to pay a fine for what they said. So, Mohammed read over his tweets a few more times

00:24:30.240 --> 00:24:36.160
very carefully, trying to find if he said anything negative towards the Gulf Bank. But he didn’t even

00:24:36.160 --> 00:24:41.600
mention the Gulf Bank in his tweets at all, so he felt confident that he didn’t do anything wrong.

00:24:41.600 --> 00:24:49.360
He did mention the word GBKADMIN, though. Wait a minute; GBK. Does that

00:24:49.360 --> 00:24:58.800
stand for Gulf Bank of Kuwait? [MUSIC] Huh. Even if it did, he didn’t know that at the time.

00:24:58.800 --> 00:25:05.200
His trial date was set for July 2019. Now, August, the month after his trial date, is when Black Hat

00:25:05.200 --> 00:25:10.320
was going to occur in the US, and Mohammed was scheduled to give a training session at that

00:25:10.320 --> 00:25:16.080
conference. So, he wanted to wrap up this trial so that he could go to the US and give his training.

00:25:16.080 --> 00:25:20.400
So, he goes to court in July. Just the public prosecutor was there. The lawyer for the

00:25:20.400 --> 00:25:24.800
bank didn’t even show up. Mohammed had been planning with his lawyer what to say.

00:25:24.800 --> 00:25:30.880
MOHAMMED: Then we provided a really solid defense. We, let’s say, discussed this aspect that first of

00:25:30.880 --> 00:25:35.200
all, it’s already protected speech. Second of all, it didn’t mention any bank by name,

00:25:35.200 --> 00:25:41.680
it didn’t mention specifically any trademark by the bank, and that the fact that it’s absolutely

00:25:41.680 --> 00:25:46.000
not a secret because the bank already discussed that there’s a problem that happened; there’s

00:25:46.000 --> 00:25:53.040
a problem in their system that resulted in loss of millions of dollars. So, there was no secret

00:25:53.040 --> 00:25:58.960
that there’s something wrong happening at the bank already. On top of that, there was no – any kind

00:25:58.960 --> 00:26:03.520
of contractual agreement between me and the bank that would result in me having any secret shared

00:26:03.520 --> 00:26:09.760
between me and them. So, I think I would come upon by, let’s say, through public sources, which are,

00:26:09.760 --> 00:26:13.760
of course, not considered secrets. JACK: He says the judge looked convinced

00:26:13.760 --> 00:26:18.960
and seemed to be on his side, so he prepares his flight to Las Vegas to attend Black Hat. He first

00:26:18.960 --> 00:26:23.120
had to fly to New York and then to Vegas. MOHAMMED: [MUSIC] The night before my flight to

00:26:23.120 --> 00:26:27.920
New York, I received a strange [PHONE VIBRATING] phone call and a telegram, you know, that – an

00:26:27.920 --> 00:26:33.280
encrypted phone call and telegram. But then when I answered, it was someone very suspicious in the

00:26:33.280 --> 00:26:39.120
way they’re talking. They’re trying to kinda ask about the incident that happened at the bank, and

00:26:39.120 --> 00:26:46.960
then it tried to say I have some information about the hack that happened in that bank, trying to

00:26:46.960 --> 00:26:53.520
do – tried to pull my string. I felt that someone was trying to pull my leg into discussing this

00:26:53.520 --> 00:27:00.800
incident, trying to find, trying to entrap me. So, I realized that this is either someone who is

00:27:00.800 --> 00:27:05.920
totally crazy or I would be actually crazy not to think that this was some entrapment

00:27:05.920 --> 00:27:11.840
attempt by someone. By who? I don’t know. A bank doesn’t really do that. Who would try to

00:27:11.840 --> 00:27:17.840
do that? I have no idea who would benefit from that. However, I played it cool, told them that

00:27:17.840 --> 00:27:22.080
this is a legal matter; it should be taken to legal authorities, blah, blah, blah. Then I hung

00:27:22.080 --> 00:27:30.560
up. What was really suspicious for me is that why would someone try to target me, try to entrap me

00:27:30.560 --> 00:27:37.120
in that fashion? Did I really anger some real powerful folks? Was that tweet that much, let’s

00:27:37.120 --> 00:27:43.520
say, strong against whoever that was compromised? Did the bank really get some pressure from people

00:27:43.520 --> 00:27:50.560
who linked my tweet to the incident at the bank? I still don’t know who is that person to this day,

00:27:50.560 --> 00:27:54.960
but of course, as I said before, it would be crazy not to think it was some sort

00:27:54.960 --> 00:28:01.360
of related entrapment attempt. JACK: That was strange, and it rekindled his

00:28:01.360 --> 00:28:08.400
worry about the case, but he still went to the US. While in Vegas, his lawyer contacted him and told

00:28:08.400 --> 00:28:13.440
him the judge had a verdict on the case. MOHAMMED: In the end, it was clear for the

00:28:13.440 --> 00:28:17.360
judges that it was absolutely not in violation of any law in Kuwait.

00:28:17.360 --> 00:28:22.160
JACK: So, he was cleared of all wrongdoing, which is great news to receive while you’re in Vegas,

00:28:22.160 --> 00:28:26.080
right? Mohammed tells me he didn’t attend any parties there because he was so focused

00:28:26.080 --> 00:28:30.240
on delivering his training and just wanted to get back to Kuwait as soon as it was over. So,

00:28:30.240 --> 00:28:34.800
when he got back to Kuwait, he checked in with his lawyer and all seemed quiet. All was good,

00:28:34.800 --> 00:28:41.440
and he was glad to have this behind him. That was August. September then comes and it passes, and

00:28:41.440 --> 00:28:46.400
then in October, he gets another message. MOHAMMED: Yeah, the lawyer sends me over WhatsApp

00:28:46.400 --> 00:28:49.600
that they have appealed. JACK: [MUSIC] Again, it was the

00:28:49.600 --> 00:28:54.560
public prosecutors who wanted to investigate this further. His lawyer explains this is just a matter

00:28:54.560 --> 00:28:58.880
of formalities. If the prosecutors bring him to the appeals court and he’s still found innocent,

00:28:58.880 --> 00:29:03.760
then they can say they’ve exhausted all options in this case and they can leave it be. This makes

00:29:03.760 --> 00:29:08.560
it look like the prosecutors worked really hard to solve this case, and since this was just a

00:29:08.560 --> 00:29:14.560
formality, there was no new evidence on him or any new charges. But Mohammed was still worried about

00:29:14.560 --> 00:29:19.200
it. I mean, at the least, he’s having to spend all this money on legal fees to help him out.

00:29:19.200 --> 00:29:24.560
Appeals court took over a year because coronavirus kept delaying the courts.

00:29:24.560 --> 00:29:29.520
Waiting for your trial is always nerve-wracking no matter how confident you are that you’re

00:29:29.520 --> 00:29:33.280
not guilty of anything. But the trial date finally came,

00:29:33.280 --> 00:29:36.480
and the judge looked at his case. MOHAMMED: I was cleared immediately,

00:29:36.480 --> 00:29:42.000
like on the spot. JACK: [MUSIC] This gave Mohammed

00:29:42.000 --> 00:29:48.400
a big sigh of relief. This meant it was finally over. Yeah, since then, two years later, it’s

00:29:48.400 --> 00:29:53.920
still over. There’s been no more calls from the police about this. But what a wild ride that this

00:29:53.920 --> 00:29:59.040
has resulted in just from finding some malware on VirusTotal and tweeting about what you found.

00:29:59.040 --> 00:30:04.320
Now, during that time, there was a large rash of bank robberies happening all over the world.

00:30:04.320 --> 00:30:08.000
Someone was going around, usually sending phishing e-mails to banking employees,

00:30:08.000 --> 00:30:12.800
hacking into the bank, and then targeting the SWIFT network to steal millions of dollars from

00:30:12.800 --> 00:30:18.880
banks. Many of these worked. The United Nations investigated this and published a report,

00:30:18.880 --> 00:30:25.920
and this report says the government of North Korea is responsible for robbing banks in Bangladesh,

00:30:25.920 --> 00:30:30.720
Chile, Costa Rica, The Gambia, Guatemala, India, Liberia, Malaysia, Malta, Nigeria,

00:30:30.720 --> 00:30:37.040
Poland, the Republic of Korea, Slovenia, South Africa, Tunisia, Vietnam, and Kuwait.

00:30:37.040 --> 00:30:44.400
[MUSIC] Right there, in black and white, this UN investigation report says that in March 2019,

00:30:44.400 --> 00:30:51.920
a bank in Kuwait was robbed by the government of North Korea. That’s the exact same month

00:30:51.920 --> 00:30:58.320
and year that the Gulf Bank announced that they had a service disruption and lost $9 million.

00:30:58.320 --> 00:31:05.280
This UN report does not say which bank in Kuwait was robbed, but it does say the amount stolen was

00:31:05.280 --> 00:31:14.880
$49 million. So, that’s a big mismatch of numbers, which means either the Gulf Bank was not robbed

00:31:14.880 --> 00:31:19.280
but really did have some kind of weird disruption that made them lose millions of dollars,

00:31:19.280 --> 00:31:23.680
which means a totally different bank got robbed the same month and year in Kuwait,

00:31:23.680 --> 00:31:30.160
or the Gulf Bank of Kuwait was not telling the truth, saying it was a service disruption when

00:31:30.160 --> 00:31:35.760
really it was a robbery, saying it was $9 million when really it was $49 million.

00:31:35.760 --> 00:31:41.440
We don’t know the truth to the story. MOHAMMED: Yeah. So, there is this variance

00:31:41.440 --> 00:31:50.400
between the Gulf Bank tweet and the whatever bank the UN report was trying to hint at.

00:31:50.400 --> 00:31:59.200
So, either it targeted a different bank, or maybe there’s more to the story than – that was

00:31:59.200 --> 00:32:05.920
put in the public sources. JACK: I mean, you don’t need to comment on this,

00:32:05.920 --> 00:32:10.560
but I was just thinking it through, right? MOHAMMED: Yeah. If it looks like a duck and it

00:32:10.560 --> 00:32:20.000
walks like a duck, smells like a duck… (OUTRO): [OUTRO MUSIC] A

00:32:20.000 --> 00:32:25.200
big thank you to Mohammed Aldoub. You can find him on Twitter; his name there is @Voulnet,

00:32:25.200 --> 00:32:31.600
V-O-U-L-N-E-T. While you’re on Twitter, why don’t you give a follow to @DarknetDiaries?

00:32:31.600 --> 00:32:36.720
This show is made by me, the space bard, Jack Rhysider. Sound design is done by the deletist,

00:32:36.720 --> 00:32:41.040
Andrew Meriwether. Editing help this episode by Shift+Ctrl Damienne,

00:32:41.040 --> 00:32:44.720
and our theme music is by the escapist, Breakmaster Cylinder.

00:32:44.720 --> 00:32:55.840
How do you add flavor to an algorithm? Toss in a boolean cube. This is Darknet Diaries.
