WEBVTT

00:00:00.000 --> 00:00:04.520
JACK: One time when I was in middle school, my mom bought some cookies at the store and

00:00:04.520 --> 00:00:09.880
put them in the cupboard. After school one day, I saw the box and it wasn’t opened yet. I opened

00:00:09.880 --> 00:00:15.680
it up and took two cookies. They were so good, so I went back and got two more. I was still hungry,

00:00:15.680 --> 00:00:20.960
so I went and got four more and ate them, too. At this point, I looked and over half

00:00:20.960 --> 00:00:29.360
the box was gone. I thought oh no, I’m gonna be in trouble for eating over half a box of cookies.

00:00:29.360 --> 00:00:34.440
I didn’t like getting in trouble, [MUSIC] so I stood there and looked at the box and tried

00:00:34.440 --> 00:00:41.600
thinking what I could do. But there was no way to undo it, so my twelve-year-old self came up

00:00:41.600 --> 00:00:48.480
with the idea that maybe if the whole box is completely gone, box and all, then maybe my

00:00:48.480 --> 00:00:55.160
mom will just forget she bought it altogether. So, I took the whole box out of the cupboard,

00:00:55.160 --> 00:00:58.600
covered the area with some other food so it didn’t look like anything was missing,

00:00:58.600 --> 00:01:04.520
and I ate them all. Then I threw the empty box away in the outside trash bin and covered it up

00:01:04.520 --> 00:01:10.600
with some more trash. You know what? It worked. She didn’t notice. At least, she never mentioned

00:01:10.600 --> 00:01:16.520
to me anything about the cookies, and I didn’t get in any trouble. I think she really did forget

00:01:16.520 --> 00:01:22.880
that she bought them, and so, my plan worked. I tell you this story because in this episode,

00:01:22.880 --> 00:01:29.824
you’ll hear a similar story, but one with much higher stakes, and it doesn’t end so well.

00:01:29.824 --> 00:01:36.320
(INTRO): [INTRO MUSIC] These are true stories from the dark side of

00:01:36.320 --> 00:02:00.300
the internet. I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS]

00:02:00.300 --> 00:02:08.560
JACK: In 2016, Adam applied for his first proper IT job at what we’ll call the Academy.

00:02:08.560 --> 00:02:14.160
ADAM: So, it’s essentially a high school. I think it’s private. It’s based in a small

00:02:14.160 --> 00:02:19.840
town not too far from me. There were kids right down to starting high school all the

00:02:19.840 --> 00:02:23.800
way up to just before they’re ending high school. The only difference is I think

00:02:23.800 --> 00:02:27.680
some of the students are private. That’s pretty much the only way I can describe it.

00:02:27.680 --> 00:02:29.760
JACK: He’d been looking for a job for a while

00:02:29.760 --> 00:02:32.980
and was excited to start work at this fancy UK high school.

00:02:32.980 --> 00:02:39.200
ADAM: I started my first day. Now, in that first day, I got paperwork as you do when you join a new

00:02:39.200 --> 00:02:44.760
company, and in that paperwork it said please tick here if you’ve lived overseas before, so I ticked

00:02:44.760 --> 00:02:50.040
that box. Then on the next page it said please go to this box down here, and it says are you

00:02:50.040 --> 00:02:55.860
willing to pay for a criminal record check in the country you were previously in? I went oh, okay.

00:02:55.860 --> 00:03:01.640
JACK: This was a problem for Adam. He did have a criminal record from a past

00:03:01.640 --> 00:03:07.800
life in another country and wasn’t sure how they’d react to this. He wondered

00:03:07.800 --> 00:03:11.060
if this would keep him from getting the job. Are you smoking a cigarette?

00:03:11.060 --> 00:03:12.120
ADAM: Yeah, sorry.

00:03:12.120 --> 00:03:19.320
JACK: No, it’s fine. Adam’s dad is from the UK and his mother is from Thailand, but he was born in

00:03:19.320 --> 00:03:24.120
Australia. Growing up, he always liked computers. His dad owned a computer repair shop, [MUSIC] and

00:03:24.120 --> 00:03:28.480
he loved learning how things worked, and loved playing games like RuneScape, and eventually

00:03:28.480 --> 00:03:32.600
figured out a way to hack the game in order to get it to do things it wasn’t supposed to.

00:03:32.600 --> 00:03:39.280
ADAM: I think it did start with RuneScape for me, the first game I ever played. So,

00:03:39.280 --> 00:03:42.360
there was a battlefield where you could play single player,

00:03:42.360 --> 00:03:46.480
and I started getting into modifying it so there could be more people,

00:03:46.480 --> 00:03:52.300
more AI players against me. That’s when I started liking it more, if that makes sense.

00:03:52.300 --> 00:03:54.760
JACK: But when Adam starts high school,

00:03:54.760 --> 00:03:59.680
some unlucky things happen to him. Some older kids decide to pick on him.

00:03:59.680 --> 00:04:04.200
ADAM: I would have to go and get my dad milk and bread from the shop after he’d

00:04:04.200 --> 00:04:07.280
come home from work and after I got home from school. That’s when I would usually

00:04:07.280 --> 00:04:13.720
bump into them. Most of the time they would take the money that my dad had given me to

00:04:13.720 --> 00:04:17.640
go get bread and milk or whatever he wanted me to get. It started off with can I have a

00:04:17.640 --> 00:04:23.106
dollar to give me a dollar to right, you’re gonna give me everything in your wallet.

00:04:23.106 --> 00:04:27.720
JACK: [MUSIC] Adam knew this wasn’t right, but wasn’t sure what to do. These kids were

00:04:27.720 --> 00:04:31.880
much bigger than him, so standing up to them might mean he gets hurt. But

00:04:31.880 --> 00:04:36.580
he was sick of getting his stuff stolen over and over, so he went to the police.

00:04:36.580 --> 00:04:40.120
ADAM: The police would put me in the back of the police car,

00:04:40.120 --> 00:04:44.600
drive down to where these kids were that were bullying me, make me get out of the police car,

00:04:44.600 --> 00:04:50.160
and basically get them to say sorry to me, which obviously made things a lot worse. So, I lost

00:04:50.160 --> 00:04:54.700
my faith in the police because obviously it did make things worse. It started getting physical.

00:04:54.700 --> 00:04:58.511
JACK: That move backfired pretty badly.

00:04:58.511 --> 00:05:03.080
ADAM: It stopped being more, so, give me your money, and started being give

00:05:03.080 --> 00:05:08.680
me your money or I’m going to punch your face in. Eventually it got to that point

00:05:08.680 --> 00:05:13.440
where they were kicking me on the floor, chasing me down alleyways and everything.

00:05:13.440 --> 00:05:18.120
JACK: He gets to the point where he’s scared just to go walk through his neighborhood.

00:05:18.120 --> 00:05:23.200
Adam says his coping strategy was just to stop going to school. He would spend time

00:05:23.200 --> 00:05:28.120
at home on his computer. Eventually he gets called into the principal’s office about his

00:05:28.120 --> 00:05:32.440
attendance. He tries to explain that he’s being bullied and doesn’t want to come to school.

00:05:32.440 --> 00:05:37.080
ADAM: I had just at that point had enough of it. I was even scared to go around the corners

00:05:37.080 --> 00:05:42.600
to the corner shop by myself in my own area where I lived, so I would rather just be on

00:05:42.600 --> 00:05:48.280
the computer. I guess having friends over the internet was a lot easier than trying to go

00:05:48.280 --> 00:05:54.080
out and make friends in person at the time. So, the result of that was they thought that I was

00:05:54.080 --> 00:06:00.780
just I guess a trouble student and just, yeah, expelled me and sent me to a behavior school.

00:06:00.780 --> 00:06:05.600
JACK: A behavior school in Australia is the place where trouble-making teenagers go as

00:06:05.600 --> 00:06:10.360
a last chance at education. We call them alternative schools here in the US. The

00:06:10.360 --> 00:06:15.060
one he got sent to was far away from home, which also meant it was far away from those bullies.

00:06:15.060 --> 00:06:20.600
ADAM: It was a really fresh start, and I made a lot of friends. Now obviously, they didn’t know

00:06:20.600 --> 00:06:25.440
anything about what I was like in my previous high school or what I’m like in my local area,

00:06:25.440 --> 00:06:31.480
but I found it very easy to get along with them and get involved in things that I never

00:06:31.480 --> 00:06:36.520
expected to get involved in. So, I started hanging out with them, smoking cigarettes,

00:06:36.520 --> 00:06:44.120
drinking alcohol. Ended up eventually getting into fights with people, and it just became,

00:06:44.120 --> 00:06:47.800
I guess, normal for me. But it was a fresh start, if that makes sense.

00:06:47.800 --> 00:06:53.120
JACK: Adam’s mother is from Thailand, which makes him half-Thai, which means he was hanging

00:06:53.120 --> 00:06:58.680
out with the other Asian kids at school. But some of these kids were smoking cigarettes

00:06:58.680 --> 00:07:05.666
and drinking alcohol. It turns out that some of them were in an Asian high school gang.

00:07:05.666 --> 00:07:08.120
ADAM: [MUSIC] There was this little Chinese red envelope that they gave

00:07:08.120 --> 00:07:12.400
me and they said if you want to join us, put one dollar in here and then

00:07:12.400 --> 00:07:16.600
give it to this guy who was meant to be our boss. I did the day after school.

00:07:16.600 --> 00:07:18.720
JACK: Adam took this really seriously.

00:07:18.720 --> 00:07:23.520
ADAM: To be honest – and looking back, I find it a little bit funny, but I went to the teacher in

00:07:23.520 --> 00:07:27.000
the school and I said hey, these guys approached me and they said I should join this gang. What

00:07:27.000 --> 00:07:34.840
should I do? I mean, at the time I thought it was a good idea because from all the bullying

00:07:34.840 --> 00:07:40.600
and not being liked in high school and being scared of going around the corner to go buy

00:07:40.600 --> 00:07:46.160
food in my own area to now having what I thought at the time was really, really powerful friends,

00:07:46.160 --> 00:07:51.600
and no one’s gonna mess with me anymore. The main reason it started was because

00:07:51.600 --> 00:07:57.880
naturally I’m a very quiet and shy person, so I’ve always been very shy around people,

00:07:57.880 --> 00:08:03.060
so in groups, I’m not one to really talk a lot, if that makes sense.

00:08:03.060 --> 00:08:07.640
JACK: From being the kid that everyone used to pick on who was too scared to leave the house,

00:08:07.640 --> 00:08:14.200
he finds strength in being part of a group. Now he was someone to be scared of,

00:08:14.200 --> 00:08:21.560
which gives him a sense of power and strength and safety, and perhaps overly confident, because he’s

00:08:21.560 --> 00:08:26.800
starting to get into fights at school fairly frequently, and starts selling marijuana too,

00:08:26.800 --> 00:08:31.786
because this wasn’t just a little high school gang; it was actually connected to a larger one.

00:08:31.786 --> 00:08:36.400
ADAM: [MUSIC] So, our boss, who sort of looked after all of us young guys – most of us were

00:08:36.400 --> 00:08:43.040
under sixteen, seventeen years old. I think at the time I was one of the oldest ones. He was I

00:08:43.040 --> 00:08:48.840
think eighteen and then his boss was I think twenty-four, twenty-five. Then he had a boss

00:08:48.840 --> 00:08:54.640
above him who we never saw, but apparently he was in his forties come over from China or something,

00:08:54.640 --> 00:09:01.860
and he was involved in a more heavier gang that was also running the drug side of this gang.

00:09:01.860 --> 00:09:05.600
JACK: This gang was trafficking drugs and using the high schoolers to try

00:09:05.600 --> 00:09:09.960
to sell it. They’d hand him some weed and say hey, go sell this.

00:09:09.960 --> 00:09:14.840
ADAM: We’d have two weeks to sell it. If we didn’t sell it, we’d get taxed for not selling it,

00:09:14.840 --> 00:09:19.920
so it’s worth I think – off the top of my head, it was worth $200. We’d have to sell it

00:09:19.920 --> 00:09:27.880
for $350. If we didn’t sell it, we’d then have to pay the $350 to our boss as a tax in punishment.

00:09:27.880 --> 00:09:31.800
JACK: Of course, Adam didn’t want to be punished, so he found ways to sell the

00:09:31.800 --> 00:09:38.400
weed as a sixteen year old. This goes on for a while, but then one day someone told Adam

00:09:38.400 --> 00:09:44.400
a made-up story about another kid and that this other kid was hurting girls. That made Adam mad

00:09:44.400 --> 00:09:49.800
and he went looking for this guy, and found him, and beat him up pretty badly. One of the people

00:09:49.800 --> 00:09:55.360
that Adam was with took the guy’s phone, and this resulted in Adam getting arrested.

00:09:55.360 --> 00:10:00.320
ADAM: The law is over there that if it’s a serious assault and then someone picks up a

00:10:00.320 --> 00:10:04.120
mobile phone and puts it in their pocket, so steals a mobile phone,

00:10:04.120 --> 00:10:10.720
it’s then classified as robbery in company, and that is quite a serious charge to have over there,

00:10:10.720 --> 00:10:16.520
which is what essentially I got charged with and resulted in me ending up in prison.

00:10:16.520 --> 00:10:23.000
JACK: After Adam gets out of prison, his family decides to move to the UK for a fresh start. His

00:10:23.000 --> 00:10:27.000
behavior had been hard on his parents and he didn’t want to cause them any more problems.

00:10:27.000 --> 00:10:31.840
ADAM: So, when I got out in Australia, one of the main reasons we wanted to move over here

00:10:31.840 --> 00:10:36.280
was that I didn’t know how to make normal friends, because a normal person to me,

00:10:36.280 --> 00:10:39.720
from the last four, five years, was someone who wanted to get into a fight

00:10:39.720 --> 00:10:44.640
every weekend. I didn’t want to get back into that because I didn’t want to get taken away,

00:10:44.640 --> 00:10:49.440
or I didn’t want to put myself in a position where I was taken away to prison again. I

00:10:49.440 --> 00:10:52.800
was just like, you know what? I can’t do this anymore because if I keep doing this,

00:10:52.800 --> 00:10:56.480
I’m gonna either end up dead or back in prison for the rest of my life, in and out.

00:10:56.480 --> 00:11:00.840
JACK: So, it was hard for Adam to integrate himself into society. A lot was different for

00:11:00.840 --> 00:11:05.880
him. He had just come out of prison, he had just moved to the UK, and he didn’t have any friends,

00:11:05.880 --> 00:11:10.600
and wasn’t even sure what kind of friends he wanted to make. Life was weird for a while.

00:11:10.600 --> 00:11:14.760
ADAM: I ended up doing some warehouse work and going back and forth between different

00:11:14.760 --> 00:11:19.520
jobs. I ended up as a debt collector at one point. Eventually led to – I think

00:11:19.520 --> 00:11:24.360
it was 2016 when I eventually sorta said you know what? I’ve got skills

00:11:24.360 --> 00:11:31.000
in computers and IT and my dad’s been for years telling me to get a job in IT. So,

00:11:31.000 --> 00:11:35.320
I took the plunge and I jumped straight into an apprenticeship, [MUSIC] which was very bad money,

00:11:35.320 --> 00:11:40.060
but at the end of it, I would have got my foot in the door within the IT industry.

00:11:40.060 --> 00:11:45.960
JACK: This apprenticeship was where they asked him about his criminal record. The job was to

00:11:45.960 --> 00:11:51.840
do IT work at the Academy. Think of it like a private high school; maybe 1,000 students,

00:11:51.840 --> 00:11:55.960
and it wasn’t too far from where he was living at the time with his parents. He didn’t think they’d

00:11:55.960 --> 00:12:00.280
be interested in him, but he applied anyway and they called him in for an interview. They

00:12:00.280 --> 00:12:05.320
liked him during the interview and offered him a job. He took it and was really excited about it,

00:12:05.320 --> 00:12:10.400
but it was only then when he was getting onboarded and he had to fill out some paperwork that he saw

00:12:10.400 --> 00:12:15.680
this question; are you willing to pay for a criminal record check? At no point did any

00:12:15.680 --> 00:12:21.320
of this come up before. He put his pen down and met with one of the people who interviewed him.

00:12:21.320 --> 00:12:26.320
ADAM: So, I went and I spoke to one of the – I think it was an assistant principal or

00:12:26.320 --> 00:12:30.100
something at the time, and I said look, I really got to speak to someone. It’s really important.

00:12:30.100 --> 00:12:33.240
JACK: She listened to his story and he told her all about the

00:12:33.240 --> 00:12:36.500
assault in Australia and how he beat someone up and got arrested.

00:12:36.500 --> 00:12:40.560
ADAM: She turned around and she said okay, that’s fine. Well,

00:12:40.560 --> 00:12:44.440
let’s apply for your criminal record check and we’ll – yeah,

00:12:44.440 --> 00:12:49.500
nothing to worry about. Now, she didn’t put any of that in writing, but yeah.

00:12:49.500 --> 00:12:55.840
JACK: While the criminal record was still being processed, Adam started working at the Academy,

00:12:55.840 --> 00:12:59.240
thinking they must have known and thought it was okay anyway. [MUSIC] So,

00:12:59.240 --> 00:13:02.200
he starts getting training and doing general IT support for the school,

00:13:02.200 --> 00:13:06.480
things like resetting passwords, replacing broken keyboards, and installing software.

00:13:06.480 --> 00:13:10.760
He liked doing IT support and felt like he was part of the team and the school spirit,

00:13:10.760 --> 00:13:15.640
and was getting to know some of the students and staff. He was doing good and learning fast. Now,

00:13:15.640 --> 00:13:20.040
this school had a lot of computers. They were in the classrooms and computer labs and in the

00:13:20.040 --> 00:13:24.360
library and the office, and teachers had some, too. He was tasked with going around these

00:13:24.360 --> 00:13:29.200
computers and fixing any issues they might have. Now, if a computer was connected to the network,

00:13:29.200 --> 00:13:34.440
he could just log into it with his username and password. But some computers weren’t connected to

00:13:34.440 --> 00:13:40.320
the network, and for those, Adam had to use the local admin username and password to get into

00:13:40.320 --> 00:13:45.160
them. Now, this is different than the domain admin password which can control everything.

00:13:45.160 --> 00:13:51.360
The local admin password theoretically only lets you into that one computer. But

00:13:51.360 --> 00:13:57.680
the way the Academy set it up is that all the computers used the same local admin password.

00:13:57.680 --> 00:14:00.280
ADAM: All the student computers throughout every

00:14:00.280 --> 00:14:04.800
classroom in the Academy had a particular password for the local admin account.

00:14:04.800 --> 00:14:10.160
JACK: Adam noticed this pattern which actually is a security issue. If all

00:14:10.160 --> 00:14:13.240
the computers use the same local admin password,

00:14:13.240 --> 00:14:19.440
then having that one password pretty much gets you into everything. But this made Adam wonder;

00:14:19.440 --> 00:14:26.260
wait a minute, could this local password also be the global domain admin password, too?

00:14:26.260 --> 00:14:31.040
ADAM: This was probably about a week and a half into the job. So, the computers in the

00:14:31.040 --> 00:14:35.960
classrooms have a particular password, and I pretty much – from that particular password,

00:14:35.960 --> 00:14:40.480
because it was the same one at every single computer in the school, I’ve pretty much figured

00:14:40.480 --> 00:14:45.800
out what it might be and I asked this guy who I was working with who was more senior than me,

00:14:45.800 --> 00:14:49.440
and he kinda smiled. That’s how I figured out what the password was.

00:14:49.440 --> 00:14:54.640
JACK: A week and a half into his role as an IT apprentice, and he guessed what the domain admin

00:14:54.640 --> 00:14:59.880
password was. This is not good. Junior employees should probably not have this kind of access

00:14:59.880 --> 00:15:05.440
early on. There’s a concept in IT called least privilege, which means you should not give users

00:15:05.440 --> 00:15:09.600
access to more than what’s necessary for them to do their job. [MUSIC] While it’s true that nobody

00:15:09.600 --> 00:15:15.640
gave Adam the global admin password, he was able to easily guess what it was based on patterns of

00:15:15.640 --> 00:15:20.760
what he saw in the first week there. This really is bad practice too, since the admin password

00:15:20.760 --> 00:15:26.240
should be the most guarded and protected password on the network, and not so easily guessable.

00:15:26.240 --> 00:15:31.320
ADAM: As far as I’m aware, there was one admin account which had full access across

00:15:31.320 --> 00:15:35.160
the entire network infrastructure that had one particular password,

00:15:35.160 --> 00:15:41.400
and then every employee had one particular password which is very easy to guess. All

00:15:41.400 --> 00:15:46.130
their network was set up in a way with a certain prefix that was used for everyone.

00:15:46.130 --> 00:15:51.360
JACK: Oh, right; sometimes schools will assign passwords which are a combination of your name

00:15:51.360 --> 00:15:55.800
and birthday or something. So, if you just know someone’s name and you know the pattern,

00:15:55.800 --> 00:16:00.200
all you gotta do is find out their birthday and now you can have access to their account.

00:16:00.200 --> 00:16:03.720
A better method is to force users to pick a password when they sign up for

00:16:03.720 --> 00:16:08.280
their account. This way, there’s just no default password at all. As time goes on,

00:16:08.280 --> 00:16:13.040
Adam becomes more aware of these issues and the passwords, but he’s still too new

00:16:13.040 --> 00:16:18.600
to really do anything about it. Part of him doesn’t really know if this is a problem,

00:16:18.600 --> 00:16:23.320
and part of him doesn’t really know how to fix it. Part of him just wants to follow what he’s

00:16:23.320 --> 00:16:38.200
supposed to do and not call the current system crap. A few months go by of him working there,

00:16:38.200 --> 00:16:44.480
and that’s when the school finally got his criminal record back and took a look at it.

00:16:44.480 --> 00:16:48.560
ADAM: When they got it back, they then turned around and pulled me into the office in front of

00:16:48.560 --> 00:16:54.140
the principal, and she said you didn’t declare this. I said well, yes I did. I spoke to you

00:16:54.140 --> 00:17:00.160
– spoke to this lady, and she said don’t worry. It was her exact words. I said yes, and she goes

00:17:00.160 --> 00:17:06.426
well, you’re gonna have to worry. Unfortunately we can’t keep you here. You’re sacked, basically.

00:17:06.426 --> 00:17:10.840
JACK: [MUSIC] The school didn’t want people who had a criminal record for assault working around

00:17:10.840 --> 00:17:16.800
children. But to Adam who had been trying his best to make a new life, this felt like a betrayal.

00:17:16.800 --> 00:17:23.920
ADAM: For them to turn around and say right, we can’t have you here, I was angry. From my

00:17:23.920 --> 00:17:29.040
perspective at the time, I had wasted the last month or two months or whatever it was trying

00:17:29.040 --> 00:17:33.600
to learn and getting used to the school, making friends with the IT department,

00:17:33.600 --> 00:17:38.440
the teachers, for them to turn around and just say no, we don’t care whether you’re

00:17:38.440 --> 00:17:45.017
changed or you’ve done things to make yourself better; end of the day, you can’t be here.

00:17:45.017 --> 00:17:45.104
JACK: While the school was investigating his background they also discovered something

00:17:45.104 --> 00:17:45.197
else about him. Reports of this story say Adam was posting classified ads saying he had some

00:17:45.197 --> 00:17:45.303
computers for sale but then wasn’t actually giving anyone computers that he was selling. I don’t know

00:17:45.303 --> 00:17:45.400
the full details of that, but this combined with this criminal past is why the school let him go.

00:17:45.400 --> 00:17:52.720
Adam was angry. He wanted to do something, but there was nothing to do about it. It’s not okay to

00:17:52.720 --> 00:18:01.880
lash out on someone just for firing him over this, so begrudgingly, he moves on. He gets a different

00:18:01.880 --> 00:18:07.240
IT job, and this one they’re fine with his past. It was never an issue for them. He picks up a lot

00:18:07.240 --> 00:18:13.600
of new IT skills at this job. He learned about domain controllers, Active Directory, Office 365,

00:18:13.600 --> 00:18:19.080
and managing computers and using Microsoft tools. At the same time, he liked playing first-person

00:18:19.080 --> 00:18:25.200
shooter games online, and this led him into the online game cheat community. That led him

00:18:25.200 --> 00:18:30.640
into learning more about hacking and exploiting computers. But all that was just innocent stuff,

00:18:30.640 --> 00:18:35.720
though. After a while, he took his newly-acquired skills and went and got an even better IT job,

00:18:35.720 --> 00:18:41.720
this time as a senior technician, which taught him even more new skills. After a few years of working

00:18:41.720 --> 00:18:47.680
in IT, Adam’s life was looking up. He had a job as a senior technician, he had a relationship,

00:18:47.680 --> 00:18:51.840
and after being scared to get to know people for so long, he really put himself out there

00:18:51.840 --> 00:18:59.200
and started to make friends. [MUSIC] But all this changes after a bad breakup in October of 2020.

00:18:59.200 --> 00:19:05.600
ADAM: I guess it really was crushing. I got into a really deep depression. I wasn’t too pleased with

00:19:05.600 --> 00:19:11.360
the job that I was in because I felt at the time that I was being heavily underpaid for what I was

00:19:11.360 --> 00:19:18.780
actually doing. I don’t think everything was – at the time and even now, things weren’t very good.

00:19:18.780 --> 00:19:24.680
JACK: His personal problems made him restless and he was starting to grow frustrated at work. One of

00:19:24.680 --> 00:19:30.120
his supervisors was always giving him a hard time about something. All this added up and it made it

00:19:30.120 --> 00:19:35.800
hard for him to sleep at night. So, he spends a lot of late nights playing video games and looking

00:19:35.800 --> 00:19:41.400
at hacker websites and forums, learning about malware and how to break into systems, and what

00:19:41.400 --> 00:19:46.600
you could do if you did break into something, like how to read other people’s e-mails or cover your

00:19:46.600 --> 00:19:55.480
tracks or read messages on Teams and Slack without people knowing. Late one night in January of 2021,

00:19:55.480 --> 00:20:01.060
after watching a film, he goes to check his e-mail before bed and notices something.

00:20:01.060 --> 00:20:08.000
ADAM: My e-mail address in the autofill for the Academy popped up. I thought oh,

00:20:08.000 --> 00:20:10.840
I think there’s a lot of curiosity just to see if they’d change it,

00:20:10.840 --> 00:20:13.880
because it had been a long time now. Obviously the first thought in my

00:20:13.880 --> 00:20:18.680
mind is yeah, they definitely changed the password to the admin Office 365 account.

00:20:18.680 --> 00:20:25.280
JACK: The Academy fired him four years ago, but he still had that local admin password memorized

00:20:25.280 --> 00:20:32.000
for the computers there. Now that he knows a lot more about computers, he was curious to see, one,

00:20:32.000 --> 00:20:39.920
if that was still a valid password, and two, if it was also the domain admin password. [MUSIC] So,

00:20:39.920 --> 00:20:47.040
he goes to the Office 365 login screen, which is just office.com. This is the tool the Academy used

00:20:47.040 --> 00:20:52.200
to manage the school’s network, like usernames and e-mail boxes and that sort of thing. He goes

00:20:52.200 --> 00:20:57.680
to the Office 365 login screen, he types in the school’s domain, and the admin username,

00:20:57.680 --> 00:21:02.880
and the admin password, which he still had memorized all this time. What do you know,

00:21:02.880 --> 00:21:09.540
it worked. First try, even. He was logged into the school’s admin portal on Office 365.

00:21:09.540 --> 00:21:14.720
ADAM: I felt like it was an achievement at the time because – I was more surprised that it

00:21:14.720 --> 00:21:20.920
worked because obviously it’s been so many years now. I would have thought from working in IT that

00:21:20.920 --> 00:21:25.600
you’d change passwords more often, if that makes sense. It felt like an achievement getting in,

00:21:25.600 --> 00:21:32.180
and then it kind of progressed onto being motivated to find out how much more I can get to.

00:21:32.180 --> 00:21:36.880
JACK: From within the Office 365 portal, one could potentially configure and view

00:21:36.880 --> 00:21:41.480
the computers in the network. You could see what users there are, reset their passwords, look at

00:21:41.480 --> 00:21:46.320
what e-mail accounts there are, configure Skype, see SharePoint sites, and look at and configure

00:21:46.320 --> 00:21:51.400
the Active Directory settings. It’s the heart of the network. This is what makes everything else

00:21:51.400 --> 00:21:56.520
function at the school. He hadn’t really thought about the Academy that much since being fired,

00:21:56.520 --> 00:22:03.440
and he learned so much since then. Specifically, he now really knew his way around Office 365. But

00:22:03.440 --> 00:22:09.200
since he got into the Academy’s admin panel, he was curious to see what was their setup like.

00:22:09.200 --> 00:22:15.220
How good was their security? He decides to poke around, but just looking though; no touching.

00:22:15.220 --> 00:22:20.880
ADAM: So, the account I was on only had access to certain things like changing users’ passwords.

00:22:20.880 --> 00:22:25.960
Now, this was what I can understand was just sort of the lower-level IT guy’s

00:22:25.960 --> 00:22:32.560
account that they used. I wanted to get access to more permissions, so I had to look through

00:22:32.560 --> 00:22:38.720
the groups, and I found three accounts with – in particular which had super administrator access,

00:22:38.720 --> 00:22:45.800
so essentially giving me free rein over the entire Office 365 side of things. I identified

00:22:45.800 --> 00:22:51.240
who they were. One of the first things I’d done after I’d done that was I went into – they call

00:22:51.240 --> 00:22:57.960
it eDiscovery on Office 365, and I went in there and just made sure that there were no alerts.

00:22:57.960 --> 00:23:01.920
JACK: [MUSIC] This is something Adam had learned on his own time since getting fired

00:23:01.920 --> 00:23:06.320
at the Academy. He knew what kind of security alerts would generate just by being there,

00:23:06.320 --> 00:23:09.340
and was watching to see if he was triggering any of them.

00:23:09.340 --> 00:23:13.960
ADAM: Then I changed passwords for one of the accounts that had super administrator rights.

00:23:13.960 --> 00:23:19.840
Changed the password and logged into it, and went through some of the e-mails, just having a look

00:23:19.840 --> 00:23:25.900
round, seeing what other things they had on their setup, domains that were connected to Office 365.

00:23:25.900 --> 00:23:32.760
JACK: Oh, well, this is no longer just looking anymore. He’s changed a superuser’s password

00:23:32.760 --> 00:23:38.520
and logged in as them and is reading their e-mails. He’s done what’s called privilege

00:23:38.520 --> 00:23:42.000
escalation. The first login didn’t have all the permissions he wanted,

00:23:42.000 --> 00:23:47.680
so he switched to this account which did give him all the control and access he wanted. So,

00:23:47.680 --> 00:23:53.520
now he’s basically in god mode. With the click of a button, he could bring down the whole network

00:23:53.520 --> 00:23:59.480
if he wanted, but he didn’t want to; he was still just curious and wanted to look around.

00:23:59.480 --> 00:24:05.240
ADAM: So, I think at the time, my thought process was just, I want to find out as much

00:24:05.240 --> 00:24:10.640
as possible without doing as much damage. So, changing this one particular password,

00:24:10.640 --> 00:24:15.320
I firstly looked at that account just to see if it was being used. So, after I got it, I checked

00:24:15.320 --> 00:24:20.320
that there was no alerts. I then set – delegated mailbox access to that account so I could check

00:24:20.320 --> 00:24:24.640
the inbox and see if anyone had been using it, you know, sending e-mails out, reading e-mails,

00:24:24.640 --> 00:24:30.280
which they hadn’t. I had figured that no one was using it, no one was gonna care. If someone tries

00:24:30.280 --> 00:24:35.320
to log into it in five, six weeks, they’ll just say oh, I forgot the password, and change it.

00:24:35.320 --> 00:24:39.960
JACK: At this point, it’s now 1:00 in the morning, and specifically it’s Saturday morning,

00:24:39.960 --> 00:24:47.880
January 16th, 2021. So far, Adam has full superuser access to Office 365 for the Academy,

00:24:47.880 --> 00:24:52.760
but this is a Cloud portal and while the computers in the Academy get their configuration

00:24:52.760 --> 00:24:58.040
and authorization from the Cloud portal, he’s not actually in the school’s network or any of their

00:24:58.040 --> 00:25:04.560
computers in the school. He’s curious to see if he can actually get in there. He remembers there was

00:25:04.560 --> 00:25:10.640
a way for the IT staff to VPN into the school from home. A VPN is a secure, private connection to

00:25:10.640 --> 00:25:16.640
the internal school network. So, his curiosity is leading him to see if he can find VPN access into

00:25:16.640 --> 00:25:21.540
the school’s network. [MUSIC] He starts looking through e-mails to try to find a VPN password.

00:25:21.540 --> 00:25:27.800
ADAM: I happened to come across on one of the Help Desk accounts – had sent an e-mail out to someone,

00:25:27.800 --> 00:25:34.560
basically with a file, a VPN file, and told them to use a certain prefix and characters

00:25:34.560 --> 00:25:41.480
for their password, which I, at that point, then switched from Office 365, the website,

00:25:41.480 --> 00:25:47.720
closed that down, and I was very determined to get into their network no matter what. So,

00:25:47.720 --> 00:25:52.480
I didn’t know what password it was, I didn’t know what account I had to use. I spent maybe

00:25:52.480 --> 00:25:58.280
the next two hours trying to get into it. They had a method of saving passwords,

00:25:58.280 --> 00:26:00.720
which again surprised me that they had kept the same method,

00:26:00.720 --> 00:26:06.600
but it was quite simple once I had guessed the Office 365 one to follow the pattern.

00:26:06.600 --> 00:26:12.960
JACK: After a few hours of guessing VPN passwords, he finally gets it. He

00:26:12.960 --> 00:26:17.360
successfully VPNs into the school’s network, which means he’s connected to the school as

00:26:17.360 --> 00:26:24.440
if he’s inside the school itself. But he’s at home and he hasn’t hidden his tracks at all;

00:26:24.440 --> 00:26:29.960
he’s made all these connections to Office 365 and the VPN directly from his home’s

00:26:29.960 --> 00:26:36.520
network connection. Adam realized that and it was like that moment when I ate that half-box

00:26:36.520 --> 00:26:41.680
of cookies and I realized I had gone too far; Adam had crossed the line and all

00:26:41.680 --> 00:26:47.220
his activity could easily be traced back to him. He had to think about what he should do.

00:26:47.220 --> 00:26:52.040
ADAM: When I did get into it, I think this is where the turning point was where I thought,

00:26:52.040 --> 00:26:58.080
right, I’ve not done anything to hide myself at all, and this has turned from just me being

00:26:58.080 --> 00:27:06.120
curious to more malicious now, and I’ve got myself in trouble, basically. There’s no way

00:27:06.120 --> 00:27:11.680
around it. They’re gonna easily find this person logged in from this IP address at

00:27:11.680 --> 00:27:16.240
this time. Who’s that person? Don’t know who they are. Let’s report it to the police. So,

00:27:16.240 --> 00:27:20.906
I think that’s when the tables had turned to more destruction.

00:27:20.906 --> 00:27:22.920
JACK: [MUSIC] He gets up out of his chair and does something else for

00:27:22.920 --> 00:27:26.920
a little bit just to think about the situation. His real IP which

00:27:26.920 --> 00:27:31.640
is registered under his real name is what he used to do all this with. Yeah,

00:27:31.640 --> 00:27:38.520
he crossed the line a few times with what he’s done already; changing passwords, reading e-mails,

00:27:38.520 --> 00:27:44.640
and brute-forcing his way into the VPN. He thought surely he’s going to be in trouble for this.

00:27:44.640 --> 00:27:49.520
ADAM: I know what’s gonna happen. There’s a fifty percent chance they’ll come in and they’ll say oh,

00:27:49.520 --> 00:27:54.120
why isn’t this password working anymore? Who’s changed this? They’ll do a little internal

00:27:54.120 --> 00:27:59.320
investigation and they’ll conclude that someone’s been on the network and they’ll just change

00:27:59.320 --> 00:28:04.560
passwords. Or there’s a fifty percent chance that they’ll look deeper into it and call the police.

00:28:04.560 --> 00:28:11.080
Calling the police is what I wanted to avoid, so I couldn’t avoid it, so my next thoughts were,

00:28:11.080 --> 00:28:16.800
right, let’s try and get rid of as much as possible to try and cover my tracks.

00:28:16.800 --> 00:28:22.120
JACK: So, he’s in the network but doesn’t know which computer he’s on. He wants to learn more

00:28:22.120 --> 00:28:26.440
about the network and uses an IP scanner to get a lay of the land, which gives him a list of all

00:28:26.440 --> 00:28:30.840
the computers in the network. He figures out he’s on the main computer that everyone logs

00:28:30.840 --> 00:28:35.720
into from home, but there’s nothing good on this computer. The main infrastructure with all the

00:28:35.720 --> 00:28:40.440
good stuff is where he wants to get into, but that’s on a different part of the network. So,

00:28:40.440 --> 00:28:45.986
he consults the spreadsheet of all the computers he found earlier and picks his next target.

00:28:45.986 --> 00:28:52.240
ADAM: [MUSIC] So, I found a computer which was in the – I believe it was in the IT workshop

00:28:52.240 --> 00:28:57.720
somewhere, and I had thought that maybe if I could get into that computer, then there might

00:28:57.720 --> 00:29:03.220
be an RDP icon saved which saved credentials that might get into the domain controller.

00:29:03.220 --> 00:29:08.520
JACK: What he’s doing is a classic example of lateral movement, which is the foundation of a

00:29:08.520 --> 00:29:13.160
lot of cyber attacks. It’s when the attacker manages to get a foothold in one system and

00:29:13.160 --> 00:29:17.280
then pivots around the network, hopping from one system to another until they find what

00:29:17.280 --> 00:29:21.280
they’re looking for. At each step, there’s a vulnerability that can be used to get closer to

00:29:21.280 --> 00:29:26.480
the target. Adam kept hopping from one system to another to try to get to the computer he wanted,

00:29:26.480 --> 00:29:30.160
and not having strong passwords in a network really helped him get around

00:29:30.160 --> 00:29:34.760
a lot easier. Eventually, Adam was able to Remote Desktop to a computer,

00:29:34.760 --> 00:29:39.960
and from there, Remote Desktop to another computer which was in the IT workshop.

00:29:39.960 --> 00:29:46.080
ADAM: Then from there, as I’d thought might be the case, there was sort of saved credentials. I

00:29:46.080 --> 00:29:50.600
think there was domain controller 1, domain controller 2, there was a backup server,

00:29:50.600 --> 00:29:55.860
I think there was a gateway server, and a couple other servers as well. I think at that point I

00:29:55.860 --> 00:30:02.140
had realized how far I’d come into the network. I basically had access to everything from now.

00:30:02.140 --> 00:30:07.040
JACK: Just from knowing the school’s domain and guessing the admin password that he thought he

00:30:07.040 --> 00:30:13.240
knew years ago, Adam has worked his way into the entire infrastructure in just a few hours.

00:30:13.240 --> 00:30:18.160
ADAM: From what I remember, was once I had gained access to all the infrastructure,

00:30:18.160 --> 00:30:22.920
I had then started [MUSIC] the process of wiping the entire servers that I

00:30:22.920 --> 00:30:31.400
was on. As I was doing that, I went onto office.com and I saw a list of devices.

00:30:31.400 --> 00:30:36.600
JACK: He sees a list of all the devices connected to the mail server. Now,

00:30:36.600 --> 00:30:42.880
this is thousands of mobile devices. It’s every phone and tablet that had e-mail access. Now,

00:30:42.880 --> 00:30:48.200
most of these were devices owned by either teachers, students, or parents,

00:30:48.200 --> 00:30:52.740
which had all connected to Office 365 to get their e-mails and files.

00:30:52.740 --> 00:30:57.240
ADAM: I highlighted the box to select all and I clicked the Wipe button.

00:30:57.240 --> 00:31:02.880
JACK: When you log into Outlook from your personal device, you’ll get a prompt saying do you want

00:31:02.880 --> 00:31:07.600
to add this organization to your device? But what you might not know is doing so can give

00:31:07.600 --> 00:31:13.440
the administrator the power to fully wipe your entire mobile device. This is actually a security

00:31:13.440 --> 00:31:17.480
feature; if you lose your phone, the IT admin can wipe the device which makes it so nobody can

00:31:17.480 --> 00:31:22.160
see what was on that phone, because you don’t want the wrong person seeing sensitive information. But

00:31:22.160 --> 00:31:30.240
what’s crazy is the IT admin can wipe thousands of devices with just a few clicks. Adam had just

00:31:30.240 --> 00:31:40.320
attempted to wipe 2,947 devices through his access that he had on Office 365. People would be waking

00:31:40.320 --> 00:31:48.320
up to their phone being factory reset. [MUSIC] All their pictures, texts, and files completely gone.

00:31:48.320 --> 00:31:53.440
Once that was done, Adam took a look at the domain controller itself to see what he can do on that.

00:31:53.440 --> 00:31:58.320
ADAM: There was a command that we had used in the company that I was working with a couple

00:31:58.320 --> 00:32:05.200
times to just do a complete wipe. Essentially, the command makes the computer or server not

00:32:05.200 --> 00:32:10.200
be able to boot because it deletes everything. It’s a take ownership of all folders and then

00:32:10.200 --> 00:32:17.920
it deletes all folders, basically. I ran that on I think the domain controller.

00:32:17.920 --> 00:32:24.583
JACK: Okay, so, this isn’t just wiping your tracks. You knew this.

00:32:24.583 --> 00:32:24.594
ADAM: Yeah.

00:32:24.594 --> 00:32:29.960
JACK: This is wiping out the entire – I mean, their – the heart of the infrastructure.

00:32:29.960 --> 00:32:36.400
ADAM: Yeah, and I think at this point it was well, if I’m gonna get caught, I might as well get them

00:32:36.400 --> 00:32:43.640
back for what they’d done to me. I think that was my thinking at the time. It was very destructive,

00:32:43.640 --> 00:32:50.680
malicious actions. It was like, right, let’s just release all the anger, everything that I’ve had

00:32:50.680 --> 00:32:58.280
against them and just wipe everything, make their life as difficult as it can be on Monday morning.

00:32:58.280 --> 00:33:00.100
JACK: What about backups?

00:33:00.100 --> 00:33:05.320
ADAM: There was a backup server and a secondary backup server that I started

00:33:05.320 --> 00:33:09.120
running the commands on. It was at that point that I found this

00:33:09.120 --> 00:33:13.160
IP address just on this spreadsheet and it had nothing written next to it,

00:33:13.160 --> 00:33:18.280
so there was two IP addresses with a username and password in that document, which was a completely

00:33:18.280 --> 00:33:23.040
separate username and password from any of the methods that I had used to get in previously,

00:33:23.040 --> 00:33:27.040
so I was a bit interested to find out what it was. Then surprisingly,

00:33:27.040 --> 00:33:31.960
when I logged into it, it was a hypervisor, basically, and it had those two hypervisors.

00:33:31.960 --> 00:33:36.200
JACK: What he logged into was a virtual machine host. That is,

00:33:36.200 --> 00:33:42.040
this one computer housed and controlled many other computers inside it, and it was from this

00:33:42.040 --> 00:33:47.800
host machine that he could do whatever he wanted to the subsystems, such as delete them entirely,

00:33:47.800 --> 00:33:51.160
and it was on this virtual machine where the backups were for this network.

00:33:51.160 --> 00:33:56.120
ADAM: The backups were completely wiped as well. I mean, all of these actions are really

00:33:56.120 --> 00:34:01.720
stupid and I think at the time I just thought this is their backup server;

00:34:01.720 --> 00:34:03.900
this is probably everything they have.

00:34:03.900 --> 00:34:09.520
JACK: From here, he works his way backwards out of the network, deleting, destroying,

00:34:09.520 --> 00:34:15.800
or degrading every computer that he could log into on his way out. When he tries to log back into

00:34:15.800 --> 00:34:22.240
some servers, all he sees is a black screen. The last thing he deletes is all the user accounts,

00:34:22.240 --> 00:34:30.920
making it so nobody had a valid login anymore. Adam was letting out a lifetime of anger,

00:34:30.920 --> 00:34:33.600
and I don’t think it was just from how this school treated him,

00:34:33.600 --> 00:34:38.080
but it was from how previous schools treated him and how bullies treated him,

00:34:38.080 --> 00:34:42.000
and how this recent breakup made him feel, and the anger he was getting from his current

00:34:42.000 --> 00:34:47.240
job. There have been multiple times in his life where he felt like a victim and was powerless,

00:34:47.240 --> 00:34:52.440
and he even went to the police for help when he was a kid, which didn’t actually help at all. Then

00:34:52.440 --> 00:34:57.280
there was a time when he joined a gang and saw a glimpse of power and strength in numbers, but

00:34:57.280 --> 00:35:04.200
that escalated out of control and he wound up in prison. But now that sense of power has returned,

00:35:04.200 --> 00:35:11.000
power over the network, power over those who have wronged him, and he was exercising that power

00:35:11.000 --> 00:35:17.400
with great vengeance and furious anger. What’s it like at the end of all this? ‘Cause I mean,

00:35:17.400 --> 00:35:25.143
by the time you’re done, you’re just leaving a wreckage of smoldering – you’ve ruined everything.

00:35:25.143 --> 00:35:25.154
ADAM: Yeah.

00:35:25.154 --> 00:35:27.800
JACK: What’s that feeling like at the end of all that?

00:35:27.800 --> 00:35:32.920
ADAM: It was more – so, getting towards the end of doing what I had done,

00:35:32.920 --> 00:35:38.560
it was more panic. I guess I wanted to go to sleep, but I also wanted to process what

00:35:38.560 --> 00:35:43.160
I had actually just done. So, it was all kind of – went very quickly. There wasn’t

00:35:43.160 --> 00:35:47.840
really much thought process or time to think about what I was doing, other than just do it,

00:35:47.840 --> 00:35:53.540
just get it over and done with. So, I finished up and I think I went to sleep.

00:35:53.540 --> 00:35:59.640
JACK: This attack was pretty devastating for the school. The UK was on lockdown due to the pandemic

00:35:59.640 --> 00:36:04.960
at the time, and the students were remote learning from home. Adam had obliterated the Academy’s

00:36:04.960 --> 00:36:10.280
whole infrastructure, meaning students couldn’t connect to school and there were no shared drives.

00:36:10.280 --> 00:36:15.880
SharePoint was down, e-mails were down, and absolutely none of the logins worked. But it

00:36:15.880 --> 00:36:20.520
hadn’t just wiped out the school’s infrastructure; many of the students’ and teachers’ devices that

00:36:20.520 --> 00:36:25.800
connected to the school were also wiped, too. Hundreds, maybe thousands of devices were

00:36:25.800 --> 00:36:32.840
screwed up from this. Somewhere around 5:00 AM, he crashes for the night. The next day,

00:36:32.840 --> 00:36:39.480
he wakes up and checks back in. It’s bad. The servers are all offline still, but he finds a

00:36:39.480 --> 00:36:44.240
few more things that are still up, and he logs into them and uninstalls some key software on

00:36:44.240 --> 00:36:49.560
those systems, too. Then he logs out of everything altogether and just thinks about what happened.

00:36:49.560 --> 00:36:54.560
ADAM: I was worried about what was going on. I was searching on Google to see if

00:36:54.560 --> 00:37:00.040
there’s been any news about the school going down. I was really panicking about

00:37:00.040 --> 00:37:04.000
what has happened. I did think about wiping my computer, but at that point,

00:37:04.000 --> 00:37:08.880
I had thought I couldn’t get into the firewall to wipe the logs, so no matter what I do,

00:37:08.880 --> 00:37:12.380
they’re gonna come for me. They know who I am as soon as they look into it.

00:37:12.380 --> 00:37:17.200
JACK: The days after that are a fog of paranoia for him. He calls in sick to

00:37:17.200 --> 00:37:21.640
his current job because he’s too anxious to work. Were you living with your mom and dad?

00:37:21.640 --> 00:37:23.060
ADAM: Yes, yeah.

00:37:23.060 --> 00:37:25.160
JACK: Did they have any clue?

00:37:25.160 --> 00:37:27.880
ADAM: No, no. I mean,

00:37:27.880 --> 00:37:32.800
my dad sort of suspected something was up when I kept looking out the window.

00:37:32.800 --> 00:37:38.040
JACK: That’s an interesting picture. You’re looking out the window a lot

00:37:38.040 --> 00:37:40.140
and your dad’s like, is everything alright?

00:37:40.140 --> 00:37:45.200
ADAM: Yeah, yeah. There was definitely a little paranoia. I’d take the dog out for

00:37:45.200 --> 00:37:49.840
a walk twice a day and I’m walking outside – leave the house and I’m looking left,

00:37:49.840 --> 00:37:53.920
looking right, seeing if there’s any police cars around, because obviously in Australia,

00:37:53.920 --> 00:37:59.560
I have a little bit of experience of what the police are like. I was looking around

00:37:59.560 --> 00:38:05.400
for anything out of place, and it was just very, very paranoid couple days.

00:38:05.400 --> 00:38:10.200
JACK: So, Monday he calls in sick. He doesn’t go to work at all. Tuesday he

00:38:10.200 --> 00:38:15.200
calls in sick again. Wednesday he calls in sick still. The anxiety,

00:38:15.200 --> 00:38:19.680
stress, paranoia of all this just makes it so he cannot concentrate on anything

00:38:19.680 --> 00:38:25.720
work-related. [MUSIC] Thursday, he sleeps in and wakes up, goes to take the dog for a walk.

00:38:25.720 --> 00:38:29.760
ADAM: As I was going in the front door, I sort of turned around ‘cause I noticed something

00:38:29.760 --> 00:38:34.440
on the corner of my eye, and there was a car parked sort of across the road and there was

00:38:34.440 --> 00:38:39.480
two guys in the car. I thought oh, that’s a bit weird. I’ve never seen them before. The way out,

00:38:39.480 --> 00:38:43.520
they were looking at me. But as soon as I shut the door and got inside the house,

00:38:43.520 --> 00:38:47.840
walked into the living room, took the lead off the dog, I heard really,

00:38:47.840 --> 00:38:53.080
really loud knocks on the door, and I knew instantly, yeah, this is the police. My mom

00:38:53.080 --> 00:38:57.760
went to go get the door and there was about ten or fifteen police officers.

00:38:57.760 --> 00:39:01.680
JACK: Adam calmly lets them in and tells them straight up.

00:39:01.680 --> 00:39:05.200
ADAM: I said I know what this is about. Everything you need

00:39:05.200 --> 00:39:08.480
is in here. Nothing’s been wiped. Let’s get it over and done with.

00:39:08.480 --> 00:39:11.560
JACK: He leads them to his room and shows them where

00:39:11.560 --> 00:39:14.540
he did everything from and confesses to it all.

00:39:14.540 --> 00:39:19.720
ADAM: In Australia, with my experience with the police when I was arrested and everything,

00:39:19.720 --> 00:39:24.720
I didn’t want to go through going lying about what had happened. It’s very, very obvious

00:39:24.720 --> 00:39:30.200
– working in IT, it’s very, very obvious that there was enough evidence to convict me for it,

00:39:30.200 --> 00:39:36.140
so I’m not gonna make their life harder and – because that’ll just make my life harder as well.

00:39:36.140 --> 00:39:38.720
JACK: Did they handcuff you?

00:39:38.720 --> 00:39:43.880
ADAM: No, no. They were actually really, really good. So, we walked upstairs,

00:39:43.880 --> 00:39:47.000
I showed them all my computer equipment, where my phone was,

00:39:47.000 --> 00:39:51.440
gave them all the passwords to the computer and my phone, and they basically said yeah,

00:39:51.440 --> 00:39:56.440
you can have a cigarette or a smoke before you go. We had a little chat about – interestingly,

00:39:56.440 --> 00:40:00.960
they were very interested in my setup and they were asking what sort of components I had in my

00:40:00.960 --> 00:40:05.580
computer. Then we literally walked outside, got in the car, and they drove me to the police station.

00:40:05.580 --> 00:40:08.480
JACK: The police had brought fifteen officers,

00:40:08.480 --> 00:40:13.680
so they were prepared for a struggle. Adam, being so cooperative, caught them off-guard.

00:40:13.680 --> 00:40:18.760
ADAM: They did say that usually the majority of the cases that they come across with cyber crime,

00:40:18.760 --> 00:40:22.760
they never catch the people that are involved in these attacks on schools

00:40:22.760 --> 00:40:28.260
and businesses. So, this was kind of a first for the particular officer who arrested me as well.

00:40:28.260 --> 00:40:32.760
JACK: The attack was so destructive. The police were actually asking Adam to help

00:40:32.760 --> 00:40:37.360
make sense of what happened so they can help get the school’s servers back up and running again.

00:40:37.360 --> 00:40:41.440
ADAM: The main thing that they wanted was the commands that I had run and what servers I had

00:40:41.440 --> 00:40:46.560
run them on, because from what I was told, they only had the logs of me getting into

00:40:46.560 --> 00:40:54.080
that first VPN computer and without restoring the servers that I had destroyed, basically,

00:40:54.080 --> 00:40:59.120
they couldn’t get the logs off the other servers. So, we went through a list together. One or two

00:40:59.120 --> 00:41:03.600
times I went to the police station, sat down with them, and they listed out all the servers

00:41:03.600 --> 00:41:10.586
and asked me to sort of map out in which way I went and what command I had run on each server.

00:41:10.586 --> 00:41:14.920
JACK: [MUSIC] To make matters worse, the head of IT and senior technician were actually off

00:41:14.920 --> 00:41:20.280
work recovering from Covid. This had left the most junior technician in the school

00:41:20.280 --> 00:41:24.640
scrambling around to try to work out why all these systems were down. The school even got

00:41:24.640 --> 00:41:31.720
Microsoft involved at some point and paid them £15,000 to help restore the systems. But yeah,

00:41:31.720 --> 00:41:36.840
I mean, to try to restore from – a whole network with no backups, yeah,

00:41:36.840 --> 00:41:45.463
starting from scratch is – oh my gosh, it’s – with no data in there to review or to look back on or…

00:41:45.463 --> 00:41:45.474
ADAM: Yeah.

00:41:45.474 --> 00:41:47.640
JACK: …configurations, oh my goodness.

00:41:47.640 --> 00:41:52.480
ADAM: Yeah, yeah. So, it was quite bad. I think it was about a week to immediately

00:41:52.480 --> 00:41:56.720
get everything back up, everything that was down back up to the running state,

00:41:56.720 --> 00:42:01.720
and for the students and the teachers to use the system again. But from what I’m told,

00:42:01.720 --> 00:42:08.520
it took almost a month from start to finish to actually get everything back into a stable place.

00:42:08.520 --> 00:42:13.560
JACK: Okay, so, did they say how they caught you?

00:42:13.560 --> 00:42:20.520
ADAM: No, I mean, I pretty much assumed – so I had said in the car, in the drive back from the

00:42:20.520 --> 00:42:25.120
police station, one of the investigating officers, the main officer in charge of the investigation,

00:42:25.120 --> 00:42:29.480
he – I said to him, so, you obviously caught me via my IP address. He turned

00:42:29.480 --> 00:42:32.860
around and gave me a little smile and he said you know I can’t answer that.

00:42:32.860 --> 00:42:39.120
JACK: While he did try to destroy all the logs, he wasn’t able to clear everything. He never was

00:42:39.120 --> 00:42:45.240
able to get into the firewall which would show what IP was his. My guess is that the school saw

00:42:45.240 --> 00:42:50.680
what IP had logged in or they asked Microsoft what IP logged into Office 365 that night. Then

00:42:50.680 --> 00:42:56.360
they handed that IP address to the UK police who could then get a warrant from the ISP and figure

00:42:56.360 --> 00:43:02.720
out who had that IP at the time, which would then lead directly to Adam and his address. Adam lived

00:43:02.720 --> 00:43:07.160
with his parents, but he had a separate internet connection just in his own name. When the police

00:43:07.160 --> 00:43:12.480
found his IP and looked him up and found he was an aggrieved former employee, you can imagine it

00:43:12.480 --> 00:43:17.720
was a pretty open and shut case. But after he’s questioned and processed, they released him from

00:43:17.720 --> 00:43:23.200
custody to go home and wait for his court case which was scheduled for March of 2021.

00:43:23.200 --> 00:43:26.840
He’s still employed by this IT company,

00:43:26.840 --> 00:43:34.760
but he’s not showing up much. He’s making up some wild excuses not to

00:43:34.760 --> 00:43:36.514
come in. I mean just crazy stuff. His employer is starting to get a bit worried about him.

00:43:36.514 --> 00:43:40.200
ADAM: I had a disagreement with my employer and it was about money.

00:43:40.200 --> 00:43:53.240
JACK: Well, there was a disagreement about using the company credit card. Supposedly

00:43:53.240 --> 00:43:56.632
Adam was using the company credit card in ways he shouldn’t have. So, they asked him to turn the card

00:43:56.632 --> 00:43:56.727
back in and he did. But after he gave them back the corporate card, he continued to buy things

00:43:56.727 --> 00:43:57.880
he wasn’t allowed to buy. This really set off his employer, who started accusing him of misconduct.

00:43:57.880 --> 00:44:14.500
On top of that, they saw him doing things in the computer systems he wasn’t supposed to be doing

00:44:14.500 --> 00:44:15.840
too. Sort of doing things outside his duties that were a little iffy. So, they decided to fire Adam.

00:44:15.840 --> 00:44:21.840
ADAM: That really, really, really made me angry and the following steps to that was

00:44:21.840 --> 00:44:27.840
that I had thought, you know, let’s send them a message. Now, they weren’t very

00:44:27.840 --> 00:44:33.060
smart in the way after they sort of got rid of me, changing passwords and everything.

00:44:33.060 --> 00:44:41.320
JACK: Oh, no. This doesn’t sound good. Adam is really upset at this company for firing him and

00:44:41.320 --> 00:44:46.880
blaming him for things he didn’t do. He has privileged access to their network and knows

00:44:46.880 --> 00:44:53.080
his way around it. [MUSIC] You can guess where this is headed. He waits until late one night on

00:44:53.080 --> 00:44:58.480
a weekend and tries to log into their network. He uses the domain admin credentials that he

00:44:58.480 --> 00:45:04.280
still had written down somewhere to log into this company’s Office 365 portal. From there,

00:45:04.280 --> 00:45:08.640
he gets access to the global administrator account, and from there he spiders around

00:45:08.640 --> 00:45:13.680
to get access to more systems. Then he starts uninstalling software on various computers,

00:45:13.680 --> 00:45:18.840
and it appears he was specifically targeting his supervisors and managers; uninstalling software on

00:45:18.840 --> 00:45:25.160
some IT support systems and then getting into the accounts of the IT director and senior IT staff,

00:45:25.160 --> 00:45:30.600
and he changed their passwords so they couldn’t log in anymore. He tried uninstalling some more

00:45:30.600 --> 00:45:37.200
software and then logged out. Overall, it wasn’t nearly as destructive as he was with the Academy,

00:45:37.200 --> 00:45:41.960
but it was still over the line and criminal, and the company knew immediately who might have

00:45:41.960 --> 00:45:46.000
done this and reported the IP address to the police along with Adam’s name.

00:45:46.000 --> 00:45:50.840
ADAM: The police was – I was on their radar already, so when the report went

00:45:50.840 --> 00:45:55.320
into the police, the cyber crime unit picked up on it and arrested me for it.

00:45:55.320 --> 00:46:00.400
JACK: The same officers came to his house, but this time he wasn’t as cooperative. To

00:46:00.400 --> 00:46:03.480
begin with, he denied doing it, so they handcuffed him and took

00:46:03.480 --> 00:46:08.960
him into custody for two days. He figured this time there’s actually plausible deniability,

00:46:08.960 --> 00:46:14.120
but the police already knew his MO from the Academy case and he ends up admitting that yeah,

00:46:14.120 --> 00:46:18.320
he did get in there and change passwords. But his employer also claimed he made

00:46:18.320 --> 00:46:21.780
thousands of pounds of unauthorized purchases from the company credit card.

00:46:21.780 --> 00:46:26.000
ADAM: So, I did spend it, but it was a civil agreement between me and the director of the

00:46:26.000 --> 00:46:29.880
company. So essentially what happened was there was a civil agreement between us,

00:46:29.880 --> 00:46:33.680
so I spent the money; I went to him, I said look, I spent the money. Are you okay with

00:46:33.680 --> 00:46:39.280
me paying this back out of my wages? He said yes, but what he had then done is – when these

00:46:39.280 --> 00:46:43.440
passwords were changed, is he’s gone to the police and he said to the police he used it

00:46:43.440 --> 00:46:47.680
fraudulently. I never gave him permission to do so. I want him charged for this.

00:46:47.680 --> 00:46:51.040
JACK: So, what Adam describes as a loan dispute gets dropped from

00:46:51.040 --> 00:46:54.840
this case because there’s just not enough evidence. But this court case

00:46:54.840 --> 00:46:58.200
with his employer and the court case from the Academy, it rolled up into

00:46:58.200 --> 00:46:59.514
one big case, and it’s still underway, and sentencing is scheduled for January 2022.

00:46:59.514 --> 00:47:06.120
ADAM: Basically the judge had indicated that it will be a prison sentence as it stands,

00:47:06.120 --> 00:47:10.640
with no other mitigating circumstances. So if he had sentenced me on that day,

00:47:10.640 --> 00:47:16.160
he would have sentenced me to prison, but I think because of my cooperation with the police and how

00:47:16.160 --> 00:47:22.200
open I was as soon as they came, didn’t make it hard for them, he wanted to give my defense teams

00:47:22.200 --> 00:47:27.986
and my solicitors and lawyers the opportunity to get as much mitigating circumstances as possible.

00:47:27.986 --> 00:47:32.240
JACK: [MUSIC] His lawyers say there’s a 50/50 chance that he’ll get prison time or a suspended

00:47:32.240 --> 00:47:37.400
sentence. If he goes to prison, it’ll probably be between six months to three years. He’s

00:47:37.400 --> 00:47:41.400
twenty-eight years old now and spends a lot of time thinking about the upcoming sentencing.

00:47:41.400 --> 00:47:46.480
ADAM: I am pretty worried. I mean, from the start when the police turned up,

00:47:46.480 --> 00:47:54.480
I’ve been very open to owning up to this mistake that I made. So, I don’t like

00:47:54.480 --> 00:48:00.280
thinking about what is going to happen, because I’m just taking it day by day at the moment.

00:48:00.280 --> 00:48:08.360
JACK: Yeah, I think you might have spoiled the soup here because if

00:48:08.360 --> 00:48:12.480
this is your – if this is what you want to do, you’re very knowledgeable of this

00:48:12.480 --> 00:48:16.360
stuff. It sounds like you want to make a career in this, but I mean,

00:48:16.360 --> 00:48:23.880
fighting in the schoolyard – I’ve been in the hiring seat before, and I would have said no,

00:48:23.880 --> 00:48:27.520
that’s fine. You can still come in here. Just don’t fight anybody in here.

00:48:27.520 --> 00:48:28.474
ADAM: Yeah, yeah.

00:48:28.474 --> 00:48:34.240
JACK: But sabotaging two different networks that you worked for previously,

00:48:34.240 --> 00:48:40.940
your previous employers, there’s no way I would hire you anymore. You’re done, I think.

00:48:40.940 --> 00:48:43.600
ADAM: Yeah, yeah.

00:48:43.600 --> 00:48:51.960
JACK: On February 11, 2022, Adam appeared before the court to be sentenced. The judge

00:48:51.960 --> 00:48:58.240
looked at the case and sentenced Adam to 21 months in prison. He was not able to

00:48:58.240 --> 00:49:02.840
reach out after the sentence to give me any updates. They immediately escorted him to a

00:49:02.840 --> 00:49:11.960
holding cell and transferred him to a prison. He’s due to be released sometime in 2023.

00:49:11.960 --> 00:49:17.000
JACK: Moral of the story is you should always change your admin passwords when someone from

00:49:17.000 --> 00:49:22.600
IT leaves the company, maybe even twice. This should be standard best practice for all

00:49:22.600 --> 00:49:28.160
organizations because if you don’t, you now have someone outside your company who has privileged

00:49:28.160 --> 00:49:34.400
access into your company. In Adam’s case, it was four years after he left the Academy that he used

00:49:34.400 --> 00:49:40.160
the domain admin password to log in, a password he was never supposed to have in the first place,

00:49:40.160 --> 00:49:45.280
but was able to guess in his first week there. But I think on a more personal level,

00:49:45.280 --> 00:49:50.400
you should also change your passwords when you break up with someone who’s close to you,

00:49:50.400 --> 00:49:56.960
like a girlfriend or boyfriend. I’ve seen so many stories where someone took their ex’s password and

00:49:56.960 --> 00:50:03.640
got into their accounts after a breakup and caused significant damage. So, anytime you think someone

00:50:03.640 --> 00:50:08.800
may have seen your password or could have guessed it or actually did have it, [MUSIC] you really

00:50:08.800 --> 00:50:16.800
should change that password when that relationship ends, whether it’s work or personal relationships.

00:50:16.800 --> 00:50:23.520
(OUTRO): A big thank-you to Adam Georgeson for sharing this story with us. As a reminder, you

00:50:23.520 --> 00:50:28.240
can get an ad-free version of this show and bonus episodes. You can do this by either subscribing

00:50:28.240 --> 00:50:35.360
to Darknet Diaries Plus on Apple Podcasts or by visiting patreon.com/darknetdiaries. If you do,

00:50:35.360 --> 00:50:40.200
it’ll also support the show quite a lot, so thank you very much. The show is made by me,

00:50:40.200 --> 00:50:47.640
Captain Jack Rhysider. This episode was produced by the warm-blooded Elizabeth Winter. Sound design

00:50:47.640 --> 00:50:52.040
by the foot-shuffling Andrew Meriwether, and our theme music is by the beautiful Breakmaster

00:50:52.040 --> 00:50:57.160
Cylinder. Do you know the name of the chemical that’s released in your brain after you see

00:50:57.160 --> 00:51:11.520
funny cat pictures on the internet? It’s called dopameme. This is Darknet Diaries.
