WEBVTT

00:00:00.000 --> 00:00:00.114
Episode 154 [START OF RECORDING]

00:00:00.114 --> 00:00:04.640
JACK: I just heard about this thing called K&R insurance. I didn’t even know this was possible.

00:00:04.640 --> 00:00:09.680
K&R stands for ‘kidnapping and ransom’. If you think you're a likely target for kidnapping and

00:00:09.680 --> 00:00:14.480
people are gonna hold you until you pay a ransom, then this might be worth buying. Why do I know

00:00:14.480 --> 00:00:19.640
this? I just ran across an article that said a guy was kidnapped in Toronto and held for

00:00:19.640 --> 00:00:25.640
ransom. They wanted him to pay a million dollars, and then they’ll let him go. I think he paid it,

00:00:25.640 --> 00:00:30.640
and then they dumped him off in a park and they sped off. Why did they kidnap him? Because they

00:00:30.640 --> 00:00:36.600
knew he had cryptocurrency, a lot of it. He was the founder of a crypto-based startup, and if he

00:00:36.600 --> 00:00:41.320
didn’t have the money, surely his company did. Well, at least that’s what the thieves thought,

00:00:41.320 --> 00:00:49.680
and they were right. Scary stuff. (INTRO): [INTRO MUSIC] These are true stories

00:00:49.680 --> 00:00:59.240
from the dark side of the internet. I’m Jack Rhysider. This is Darknet

00:00:59.240 --> 00:01:14.280
Diaries. [INTRO MUSIC ENDS] JACK:

00:01:14.280 --> 00:01:18.570
Let’s see, what are you using for a mic here? CONOR: SteelSeries headset. Is it bad?

00:01:18.570 --> 00:01:21.200
JACK: It sounds good. CONOR: Yeah? Perfect.

00:01:21.200 --> 00:01:26.160
JACK: So, are you ready to tell us about the worst time of your life?

00:01:26.160 --> 00:01:28.120
CONOR: Yeah. I’m ready. JACK: It always seems so weird

00:01:28.120 --> 00:01:32.000
to me to be digging into stories like this because it is — it’s probably a hard

00:01:32.000 --> 00:01:36.280
thing to talk about, isn't it? CONOR: Yeah, it is, especially when

00:01:36.280 --> 00:01:40.280
it just happened. But I mean, it’s been four or five years now, so, I’ve kind of

00:01:40.280 --> 00:01:43.280
overcome it at this point. JACK: How old are you now?

00:01:43.280 --> 00:01:48.240
CONOR: Twenty-five. JACK: Okay. So, I bet all this started

00:01:48.240 --> 00:01:52.260
in a video game somewhere, didn’t it? CONOR: Yeah, yeah, it did.

00:01:52.260 --> 00:01:54.960
JACK: What game was that? CONOR: Completely right. [Crosstalk]

00:01:54.960 --> 00:01:56.240
Minecraft. JACK: Oh, okay,

00:01:56.240 --> 00:02:01.320
I was gonna guess Minecraft or Roblox. CONOR: Yeah. There’s actually — they're both

00:02:01.320 --> 00:02:07.000
involved at certain points throughout the story, so, that was a fantastic guess. [Music] Yeah,

00:02:07.000 --> 00:02:11.480
so, it was really Minecraft where I got into everything. Ever since I was younger, I’ve always

00:02:11.480 --> 00:02:16.400
had an obsession with computers and technology, and I was always kinda reserved when I was a

00:02:16.400 --> 00:02:22.960
kid. So, a lot of the time I spent online and on computers and on video games. In my younger years,

00:02:22.960 --> 00:02:31.800
that was Minecraft specifically. So, yeah, I used to play Minecraft multiplayer servers.

00:02:31.800 --> 00:02:38.000
One day I just got bored and I decided to just join a server and start messing with people, which

00:02:38.000 --> 00:02:42.520
I cruelly took enjoyment in at the time. JACK: So, messing with — is that

00:02:42.520 --> 00:02:44.160
like griefing? CONOR: Just — yeah,

00:02:44.160 --> 00:02:48.520
griefing, that’s the term. Exactly. JACK: Yeah. So, is that using in-game

00:02:48.520 --> 00:02:50.960
mechanics to just screw with them or were you doing more than that?

00:02:50.960 --> 00:02:55.560
CONOR: In-game mechanics, yeah, just to mess with them, or just trolling them in the chat

00:02:55.560 --> 00:03:03.080
like a little kid. But yeah, I was doing that for a while. I had eventually joined one server,

00:03:03.080 --> 00:03:10.840
and I had seen this other player on the server teleport into blocks. So, Minecraft’s obviously

00:03:10.840 --> 00:03:16.880
made of blocks. This guy teleported a couple of blocks downwards, and I was impressed. I didn’t

00:03:16.880 --> 00:03:22.800
know what he was doing. So, I think he kinda knew that I was messing around with the server.

00:03:22.800 --> 00:03:27.120
He was doing the same thing. So, I had messaged him, private-messaged him, in the server and we

00:03:27.120 --> 00:03:32.840
ended up talking on Skype. That was the beginning of everything, really. This is back when I was

00:03:32.840 --> 00:03:38.680
probably eleven or twelve years old. JACK: So, this is where you start learning

00:03:38.680 --> 00:03:42.400
glitches and hacks of some kind. CONOR: Yeah. So, this guy was a programmer.

00:03:42.400 --> 00:03:48.080
He was a Java programmer, but he had his own custom code, a client, on Minecraft that he

00:03:48.080 --> 00:03:54.880
used to carry out various exploits or little glitches. We had eventually — I had eventually

00:03:54.880 --> 00:04:00.840
befriended him, and we would go on these servers together and mess with people just for fun

00:04:00.840 --> 00:04:08.240
because we enjoyed it. But alongside programming and Java, he was also partaking in social

00:04:08.240 --> 00:04:14.360
engineering. At that time I had no idea what it was until he introduced me to it. So,

00:04:14.360 --> 00:04:19.360
we would join servers, we’d mess with the admin of the servers, so, the owner, and there was

00:04:19.360 --> 00:04:24.640
one — at one point — the first time it happened, we had joined this server. He was talking to the

00:04:24.640 --> 00:04:28.880
admin kind of in a friendly way, and then eventually a couple hours later, he logged

00:04:28.880 --> 00:04:33.720
into the admin’s account on Minecraft on the server and took it over and deleted everything.

00:04:33.720 --> 00:04:37.760
I had no idea what was going on at this time. JACK: Let me give you a little bit more context.

00:04:37.760 --> 00:04:42.640
Minecraft is a game where players can create their own servers with unique content and stuff, and

00:04:42.640 --> 00:04:47.880
sometimes you even need to pay to play on some of these player-made servers. Somehow, this guy was

00:04:47.880 --> 00:04:52.760
able to find the person who’s the administrator to this Minecraft server, access their account,

00:04:52.760 --> 00:04:56.360
and delete the whole server. What? CONOR: I eventually had figured out he

00:04:56.360 --> 00:05:01.360
socially-engineered the admin of this server into giving him the two answers to his secret questions

00:05:01.360 --> 00:05:05.780
on his Minecraft account, reset his password, logged in, and destroyed the server.

00:05:05.780 --> 00:05:11.320
JACK: Oof, the admin got pwned. No more Minecraft server. Now, at the time, to take control of

00:05:11.320 --> 00:05:15.360
someone’s Minecraft account, you had to log into Mojang’s website, the creator of Minecraft,

00:05:15.360 --> 00:05:19.400
and what you needed to do is have the username and password. But if you didn’t have the password,

00:05:19.400 --> 00:05:24.680
you could reset the password if you knew the answers to the two secret questions. Like, what

00:05:24.680 --> 00:05:29.760
was your first car and who was your sixth-grade teacher? Since he watched his friend do this,

00:05:29.760 --> 00:05:33.480
he wanted to learn how to do it, too. CONOR: [Music] So, for example, let’s say the

00:05:33.480 --> 00:05:38.640
admin’s secret question was ‘What’s your first pet’s name?’ Second question was ‘What’s your

00:05:38.640 --> 00:05:42.480
hometown?’ or ‘What school did you go to?’ The second one’s no problem. You can easily

00:05:42.480 --> 00:05:47.640
find that out; a simple Google search. The first question is the tough one. So, what we used to do

00:05:47.640 --> 00:05:53.680
is — say we’d join a server, we’d find the admin, we’d target him, and we’d know his first question

00:05:53.680 --> 00:05:58.520
was ‘What was your first pet’s name?’ So, we’d say — or I would say in the chat, oh, my little kitten

00:05:58.520 --> 00:06:06.120
died today, Buttons. Have you ever had any pets before? We’d try and get talking to the admin.

00:06:06.120 --> 00:06:10.680
I’d try and get him to divulge the answer to that question. So, I’d say, what was your first pet’s

00:06:10.680 --> 00:06:16.200
name? Unbeknownst to him, here I am typing it out, putting it into his Mojang account,

00:06:16.200 --> 00:06:21.360
getting ready to reset it. That was the first experience of socially engineering someone.

00:06:21.360 --> 00:06:25.280
JACK: This is Conor Freeman, by the way. I should have probably introduced you to him earlier,

00:06:25.280 --> 00:06:30.440
but I forgot. He liked the sense of power that these little hacks gave him. When you get control

00:06:30.440 --> 00:06:34.280
of a server like that, you become unstoppable. You have full control of the server now,

00:06:34.280 --> 00:06:39.560
and you can delete it all if you wanted. There’s something alluring about that, that sense of

00:06:39.560 --> 00:06:44.800
power. [Music] But to me, it’s quite a funny power dynamic. A TV show I really like — I think it’s

00:06:44.800 --> 00:06:49.200
hilarious — is called Trailer Park Boys, and it’s about life in a trailer park. But the thing that

00:06:49.200 --> 00:06:54.080
intrigues me about the show is the immense power struggle that’s going on in this trailer park.

00:06:54.080 --> 00:06:58.720
There’s a huge clash between the park supervisor and a couple guys who are always scheming to

00:06:58.720 --> 00:07:02.400
make money off of other people in the park. Then there are some drug dealers that live at home

00:07:02.400 --> 00:07:06.000
with their mom. I mean, there’s a power struggle right there. Then there’s a guy who doesn't even

00:07:06.000 --> 00:07:10.800
live in the trailer park who comes by to try to assert his dominance over the park. It’s this

00:07:10.800 --> 00:07:16.800
incredible battle for power. All for what, though? To get the respect of the people in the trailer

00:07:16.800 --> 00:07:21.160
park? It just seems so meaningless on the grand scheme of things, but they take this tiny trailer

00:07:21.160 --> 00:07:26.560
park so seriously, as if it’s their whole world. I like it maybe because I grew up in different

00:07:26.560 --> 00:07:31.200
trailers myself, so I can relate. But it just makes me think that there’s this huge battle going

00:07:31.200 --> 00:07:37.680
on over a Minecraft server that a few hundred people play, and it’s all taken so seriously,

00:07:37.680 --> 00:07:42.760
too. Anyway, after a while, Minecraft hacking got old to Conor, and he was wondering what

00:07:42.760 --> 00:07:46.920
else is out there to mess around with, and he found some hacking forums which explained

00:07:46.920 --> 00:07:50.640
all kinds of new stuff he could do. CONOR: Yeah, a lot of socially — social

00:07:50.640 --> 00:07:55.640
engineering things. Like, back in the day, people used to do refund scams. So,

00:07:55.640 --> 00:08:01.120
say you’d order something on Amazon. You’d get onto Amazon after it’s said ‘delivered’ on

00:08:01.120 --> 00:08:05.440
Amazon and say it hasn’t arrived. Someone might have stolen it off my porch or something like

00:08:05.440 --> 00:08:09.840
that. You’d get a refund and get your money back. That was a huge thing back then. It still is now,

00:08:09.840 --> 00:08:15.200
but it’s a lot less prevalent because Amazon have kinda caught on. There was other kind of scams

00:08:15.200 --> 00:08:22.680
and schemes. People would do return programs, did scam-return programs. So, SteelSeries was targeted

00:08:22.680 --> 00:08:28.040
a lot back then. You could basically create a support ticket to say that you’ve bought a pair

00:08:28.040 --> 00:08:32.880
of SteelSeries headphones. They're not working; can I get a return? They would send you out a

00:08:32.880 --> 00:08:36.200
free headset and they wouldn't ask for anything in return. The only thing you had to do was send them

00:08:36.200 --> 00:08:42.160
a picture of the headset or a serial number, which you could source from eBay or some kind of online

00:08:42.160 --> 00:08:46.520
marketplace where people are reselling them. JACK: Hold on, Conor. You're using

00:08:46.520 --> 00:08:51.140
a SteelSeries headset right now. CONOR: Yeah, no, I paid for this one.

00:08:51.140 --> 00:08:53.320
JACK: Okay. CONOR: Yeah, it’s not

00:08:53.320 --> 00:08:57.240
from back then. This is a long time ago. JACK: [Music] So, refund scams were becoming

00:08:57.240 --> 00:09:00.880
a thing back in 2018 or so. There were instructions on how to do it,

00:09:00.880 --> 00:09:05.480
but some people did not feel comfortable calling up somewhere and lying to someone

00:09:05.480 --> 00:09:09.800
to try to convince them that you want a refund. So, there were actually people

00:09:09.800 --> 00:09:13.480
you could hire to do it for you. CONOR: Exactly. So, that was the makeup

00:09:13.480 --> 00:09:18.040
of it. Essentially you’d order — that was — Apple products were huge. So, essentially you’d order

00:09:18.040 --> 00:09:23.640
something, you’d have — you’d order something, you’d go to — a ‘refunder’ they were called on

00:09:23.640 --> 00:09:29.800
the forums, and you would say, hey, I ordered a MacBook for $1,200. Can you refund it for me

00:09:29.800 --> 00:09:34.480
and I’ll give you twenty percent? So, the refunder would log into your account or they’d call Amazon

00:09:34.480 --> 00:09:39.520
and pretend to be you, and they’d execute this kind of scam on Amazon. They’d socially-engineer

00:09:39.520 --> 00:09:43.960
the rep into believing that the item was never delivered. They’d get a refund for their customer,

00:09:43.960 --> 00:09:49.080
and then they get twenty percent of the total order value. That was a huge thing on that

00:09:49.080 --> 00:09:56.680
forum. There were so many people doing it. JACK: So, you would pay a scammer $200, $400,

00:09:56.680 --> 00:10:00.320
and then that’s how you’d get your MacBook. CONOR: Yeah, exactly.

00:10:00.320 --> 00:10:04.394
JACK: Instead of paying full price for it. CONOR: Mm-hm.

00:10:04.394 --> 00:10:07.720
JACK: Okay, what other ways to make money? How were kids doing it?

00:10:07.720 --> 00:10:14.280
CONOR: There was a lot of cracking services which are still around now, but again, cyber hygiene has

00:10:14.280 --> 00:10:20.360
gotten better, and — as well as that service’s security has gotten better, thankfully. But back

00:10:20.360 --> 00:10:27.240
then you could crack most online accounts like — what’s an example? Hilton hotel was

00:10:27.240 --> 00:10:32.600
a massive one. People that had Hilton accounts, that stayed a lot in Hilton hotels, you’d build

00:10:32.600 --> 00:10:38.880
up these points and you could spend the points on free rooms in Hilton branches worldwide. So,

00:10:38.880 --> 00:10:42.520
what people would do is crack these accounts. They’d load up a massive list of usernames

00:10:42.520 --> 00:10:48.040
and passwords and try them against the Hilton log-in page, try and land a few accounts that

00:10:48.040 --> 00:10:54.720
had points on them, and they’d then resell them on these forums to people looking to use…

00:10:54.720 --> 00:11:00.560
JACK: This one always surprised me, because if I go on there and I buy a Hilton account with a

00:11:00.560 --> 00:11:06.240
ton of points and I actually go to the hotel and I stay there with these stolen points,

00:11:06.240 --> 00:11:08.400
I’m in the room now. CONOR: Yeah.

00:11:08.400 --> 00:11:11.380
JACK: If they want to say, hold on, this is some stolen points…

00:11:11.380 --> 00:11:16.360
CONOR: Yeah, looking back on it now, it’s insane. But I, myself, would never do that because — just

00:11:16.360 --> 00:11:20.680
the stupidity of it. If that person who owned that account was to call up Hilton and say,

00:11:20.680 --> 00:11:25.720
look, I didn’t book this room, you're one phone call away from somebody knocking on the door and

00:11:25.720 --> 00:11:32.120
saying, hey, this isn't your account and you’ve stolen this room. But people got pretty brave.

00:11:32.120 --> 00:11:37.800
People didn’t care. Pizza Hut was another big one. So, you’d order pizzas and you’d build up points,

00:11:37.800 --> 00:11:42.040
and people would then try and crack your Pizza Hut account, and you could use these points to

00:11:42.040 --> 00:11:46.160
get pizzas on other people’s accounts. You’d just walk into the store, use their points,

00:11:46.160 --> 00:11:50.100
and walk out with a free pizza. JACK: It reminds me of pizza plugs as well.

00:11:50.100 --> 00:11:53.800
CONOR: Yeah. But pizza plugs is slightly different. They're mostly carders, so,

00:11:53.800 --> 00:11:57.320
they're credit card fraudsters. So, they’d use stolen cards and order

00:11:57.320 --> 00:12:01.000
the pizza for collection or delivery. JACK: A pizza plug is where you find someone

00:12:01.000 --> 00:12:05.080
who will give you really cheap pizzas. Like, for five bucks, they’ll send you three large

00:12:05.080 --> 00:12:08.800
pizzas or something. What they're doing is they're using a stolen credit card to order

00:12:08.800 --> 00:12:12.720
the pizzas to be sent to you, and then you just pay them like, five bucks for it.

00:12:12.720 --> 00:12:18.520
CONOR: But again, that’s insane because you're associating stolen card details with your own

00:12:18.520 --> 00:12:23.840
address. If you — say you get it delivered with a stolen card — not the brightest.

00:12:23.840 --> 00:12:30.440
JACK: Cook groups, is this a thing? CONOR: Cook groups

00:12:30.440 --> 00:12:34.160
in terms of clothes online? JACK: Yeah.

00:12:34.160 --> 00:12:39.840
CONOR: Yeah. JACK: Funny; it was about clothes,

00:12:39.840 --> 00:12:44.000
but it’s called cooking groups. CONOR: Cook groups. Yeah, it’s funny

00:12:44.000 --> 00:12:47.360
you mention that because I used to be hugely into fashion. I still am now, but not as much

00:12:47.360 --> 00:12:52.520
as back then. So, cook groups essentially would be groups that — they would employ bots. So,

00:12:52.520 --> 00:12:57.440
someone would create a macro. So, I don't know if you're aware of what Supreme — I’m sure you are;

00:12:57.440 --> 00:13:02.400
Supreme or, say, Palace, they're world-widely popular streetwear brands. They have weekly

00:13:02.400 --> 00:13:07.480
releases or bi-weekly or whatever way they do it. So, they release a very limited amount of stock

00:13:07.480 --> 00:13:12.920
on a certain day at a certain time, so it’s very hard to guess, especially items — certain items

00:13:12.920 --> 00:13:17.640
like Box Logo hoodies or something like that. So, people would create these macros or scripts

00:13:17.640 --> 00:13:22.720
that would automatically log them into the Supreme website. They’d buy these clothes instantly before

00:13:22.720 --> 00:13:26.320
anyone else could, and then resell them. That’s a part of the cook groups. Or they

00:13:26.320 --> 00:13:31.400
would — people would put their names on an item and someone would — bought it for them and resell

00:13:31.400 --> 00:13:35.400
it to them at a marked-up price. JACK: Yeah, it’s kinda like scalping

00:13:35.400 --> 00:13:36.594
concert tickets. CONOR: Yeah, exactly.

00:13:36.594 --> 00:13:39.560
JACK: So, is this — is there anything illegal about cook groups?

00:13:39.560 --> 00:13:44.810
CONOR: No, not from what I’m aware of. I’m sure it’s against the terms of service, but…

00:13:44.810 --> 00:13:46.980
JACK: Yeah, I didn’t notice that, either. CONOR: …in terms of legality, no.

00:13:46.980 --> 00:13:50.800
JACK: But it is kind of an underground culture there, right? You gotta find a group,

00:13:50.800 --> 00:13:55.280
and sometimes it’s the wrong group you're in, and those guys are just there to rip you off. So, you

00:13:55.280 --> 00:14:00.420
gotta find a trustworthy group that actually has these orders or whatever you're looking for.

00:14:00.420 --> 00:14:04.200
CONOR: Yeah, and that’s the hard thing, 'cause a lot of these people aren't trustworthy because

00:14:04.200 --> 00:14:08.160
what they're doing isn't trustworthy in itself. So, it’s hard to find someone

00:14:08.160 --> 00:14:13.760
that’s actually gonna pull through. JACK: Yeah, it’s amazing to me how big the

00:14:13.760 --> 00:14:18.440
hidden parts of the internet are and all these things going on at once, and we never see it as

00:14:18.440 --> 00:14:23.160
just a common internet user. You'll never see any of this. How are you discovering all these

00:14:23.160 --> 00:14:27.560
different places on the internet? CONOR: Through this forum. The forum

00:14:27.560 --> 00:14:34.800
was massive. I don't really want to say the name of it, but it was probably one of — so,

00:14:34.800 --> 00:14:39.360
Hack Forums was one of the forums that was around a long time. I think it’s been going for fifteen

00:14:39.360 --> 00:14:44.720
years, maybe a little less than that. That would be the oldest kind of clearnet hacker forum that

00:14:44.720 --> 00:14:49.680
I’m aware of. This forum that I was a member of kind of branched off of Hack Forums because

00:14:49.680 --> 00:14:54.600
the admin of Hack Forums was — he was kind of a well-known fed. People didn’t really like

00:14:54.600 --> 00:14:58.720
him and he was really stringent on the rules on that website. So, this forum that I was on kinda

00:14:58.720 --> 00:15:04.800
branched off of Hack Forums and allowed for more black-hat or gray-hat or unethical methods. So,

00:15:04.800 --> 00:15:09.280
all of the scumbags that weren't allowed to advertise their services on Hack Forums kind of

00:15:09.280 --> 00:15:14.440
moved over to this forum that I was a part of. So, I mean, it was a huge range of services offered

00:15:14.440 --> 00:15:19.920
'cause there were so many people on it. JACK: But you call them scumbags.

00:15:19.920 --> 00:15:23.280
You were one of the users. CONOR: I was one of them, yeah.

00:15:23.280 --> 00:15:27.640
JACK: What do you get dabbling in? What’s kind of the first money you're

00:15:27.640 --> 00:15:34.320
making in this kind of world? CONOR: [Music] Thinking back — so,

00:15:34.320 --> 00:15:39.640
Xbox ran a promo a long time ago, or Microsoft ran it. They ran a promo; I think it was a collab with

00:15:39.640 --> 00:15:44.200
Skittles or something like that. So, they still do it now with Mountain Dew and Doritos. Like,

00:15:44.200 --> 00:15:48.600
you buy a bag of Doritos and they’ll have a code on the back of it. You get double XP or something

00:15:48.600 --> 00:15:54.640
for Call of Duty. But way back when, there was a promo that was ran with — I think it was Skittles,

00:15:54.640 --> 00:15:58.640
where you’d buy a pack of Skittles, input the code on the back of the pack of Skittles, and you’d

00:15:58.640 --> 00:16:05.120
get a free seven-day membership or fourteen-day membership on Microsoft Live. But there was people

00:16:05.120 --> 00:16:10.120
that had scripts or macros that were brute-forcing this code. So, you’d just set up the script and

00:16:10.120 --> 00:16:14.320
brute-force the code, throw hundreds of thousands of it against it, and you would eventually just

00:16:14.320 --> 00:16:18.720
keep racking up free membership codes, 'cause there was no rate limit or anything on the

00:16:18.720 --> 00:16:25.600
website. So, you could just get fifty to a hundred to even more, thousands of these fourteen-day Xbox

00:16:25.600 --> 00:16:30.880
codes. But I eventually got my hands on that script. So, that was probably the first money

00:16:30.880 --> 00:16:34.520
I made, when I had that script. I had it running and then I was reselling these membership codes

00:16:34.520 --> 00:16:41.800
for like, probably $5 or $10 apiece to people on the forum and eBay and online marketplaces.

00:16:41.800 --> 00:16:47.334
JACK: When I was young, I discovered a way to get free Audible books.

00:16:47.334 --> 00:16:49.320
CONOR: [Laughs] JACK: So, so far I’m

00:16:49.320 --> 00:16:54.320
with you, right? I was hanging out in shady chatrooms, griefing people in video games,

00:16:54.320 --> 00:17:04.600
too, and getting free stuff. But I think this is where our paths are about to diverge. Alright,

00:17:04.600 --> 00:17:10.120
so, this was making a few bucks for you, but not very much because you were just learning.

00:17:10.120 --> 00:17:15.120
What were you, like fourteen years old then? CONOR: Probably thirteen or fourteen, yeah, which

00:17:15.120 --> 00:17:20.880
is insane looking back. After a while of being on this forum, I kinda got bored of it. I kinda — I

00:17:20.880 --> 00:17:26.120
had a relationship with the admin. We talked back and forth, and I think he kinda annoyed me one

00:17:26.120 --> 00:17:32.320
day. So, I just quit that forum, and luckily for me, or unluckily, looking back, there was a new

00:17:32.320 --> 00:17:38.800
forum that opened up called OGUsers, which was an online marketplace where people would buy and

00:17:38.800 --> 00:17:46.480
sell OG, original usernames. So, say, @Jack on Instagram or @Jack on Twitter. They’d buy

00:17:46.480 --> 00:17:52.480
and sell these different usernames for hundreds of thousands of dollars, and that was my next venture

00:17:52.480 --> 00:17:57.480
then, getting into acquiring these usernames. JACK: So, Jack on Twitter is Jack Dorsey,

00:17:57.480 --> 00:18:03.400
the original owner of Twitter. Good luck getting that one. But the thing about OGUsers that I

00:18:03.400 --> 00:18:08.440
think is worth pointing out is half of them were fine and legit reselling, and then half of them

00:18:08.440 --> 00:18:11.820
were social-engineered, stolen accounts. Would you consider that to be true?

00:18:11.820 --> 00:18:16.840
CONOR: I’d say it’s a lot more skewed. I’d say it was probably ninety-five,

00:18:16.840 --> 00:18:20.500
five — ninety-five percent stolen, five percent, if even that, genuine.

00:18:20.500 --> 00:18:25.280
JACK: So, if you're not aware, OGUsers is a place where people are selling usernames.

00:18:25.280 --> 00:18:31.200
That is Twitter accounts, Instagram accounts, Snapchat accounts. Why? Because we all hate it

00:18:31.200 --> 00:18:35.440
when we go to register at one of these places and someone has already taken our name. So,

00:18:35.440 --> 00:18:40.640
some people would pay extra for an account with a cool name. The problem is, the stuff for sale in

00:18:40.640 --> 00:18:46.440
this site is often stolen accounts, where people would hack into that account, get control of it,

00:18:46.440 --> 00:18:51.600
and then sell it on this site, OGUsers. CONOR: Yeah. So, I had a bit of crypto. I

00:18:51.600 --> 00:18:57.680
discovered Bitcoin back when I dabbled in the other things on the other forum, but I had an

00:18:57.680 --> 00:19:03.280
understanding of what crypto was. So, I had a bit of Bitcoin. I had bought a username one day on

00:19:03.280 --> 00:19:07.600
Twitter. I can't remember the exact handle, but I bought it to resell it. I held it for a couple of

00:19:07.600 --> 00:19:12.520
weeks, put it back up for sale, and made a couple of hundred on that. So, that was my first venture

00:19:12.520 --> 00:19:19.800
into buying and selling the usernames. I didn’t last long, though, buying them. [Music] That’s

00:19:19.800 --> 00:19:25.800
when it turned into me then stealing them or being introduced to people that were stealing them,

00:19:25.800 --> 00:19:28.200
and kind of falling into that. JACK: What was your method

00:19:28.200 --> 00:19:33.480
for stealing usernames? CONOR: Breached databases were a huge thing back

00:19:33.480 --> 00:19:41.360
then. I know they're even bigger now. But a lot of people didn’t know how to use them, utilize them,

00:19:41.360 --> 00:19:45.520
or how to find them. So, there were services where — there still is now, I’m sure, but there were

00:19:45.520 --> 00:19:49.280
services where you could search someone’s username or e-mail, and they’ll pull their data from a

00:19:49.280 --> 00:19:55.080
breached database, like their password, username, full name. So, what I was doing was doxing these

00:19:55.080 --> 00:20:00.080
account holders. I would find their e-mail, I’d search the e-mail through the breached databases

00:20:00.080 --> 00:20:05.040
and then find their password, and I’d try my luck at logging into the account with that password.

00:20:05.040 --> 00:20:09.200
Because not many people were doing this at that point, I had quite some success with that.

00:20:09.200 --> 00:20:13.320
JACK: Probably most of these were just crappy usernames, though, and you just didn’t even

00:20:13.320 --> 00:20:16.360
care and you just logged back out? CONOR: Yeah, a lot of them were — yeah,

00:20:16.360 --> 00:20:20.680
it was more the thrill of being able to find the password and log in. Or, sometimes you’d

00:20:20.680 --> 00:20:25.320
get a password that’s incorrect or you might add an exclamation mark or an @ or something at the end,

00:20:25.320 --> 00:20:29.680
and that would be the correct one, and you’d get a bit of a thrill out of that. But yeah,

00:20:29.680 --> 00:20:33.720
most of them weren't anything amazing. JACK: Yeah, I imagine that’s a big thrill,

00:20:33.720 --> 00:20:37.000
to be like, yeah, no, wrong password. Then you're like,

00:20:37.000 --> 00:20:40.800
what if I add an exclamation point? Then, bing, you're in. Oh my gosh,

00:20:40.800 --> 00:20:44.020
I’m brilliant, I’m a genius, I’m the best hacker in the world. Look at me.

00:20:44.020 --> 00:20:50.240
CONOR: Yeah, you feel like a genius. JACK: This allowed you to acquire some — Twitter

00:20:50.240 --> 00:20:54.000
and Instagram were your main things? CONOR: Twitter and Instagram, yeah. They're

00:20:54.000 --> 00:20:57.720
still the main ones now. They're the most popular social media. So,

00:20:57.720 --> 00:21:02.080
that’s what people would go for the most. JACK: Conor was making some scratch from all this,

00:21:02.080 --> 00:21:05.720
all in Bitcoin, of course, looking through database breaches, finding passwords that

00:21:05.720 --> 00:21:11.880
would work on Twitter, then stealing those usernames and selling them. Okay, so, roughly how

00:21:11.880 --> 00:21:18.960
profitable was this for you selling OGUsers? CONOR: I don't know. I couldn't quantify a figure.

00:21:18.960 --> 00:21:26.160
Probably $20,000 or $30,000? No, probably a lot less. I didn’t really get into it that deep.

00:21:26.160 --> 00:21:30.400
JACK: He built up a reputation for having quite a bit of usernames for sale on OGUsers. It was

00:21:30.400 --> 00:21:35.160
going well, but then something else caught his attention, something so much bigger

00:21:35.160 --> 00:21:39.560
that eventually made him lose interest in OGUsers altogether. [Music] The thing he

00:21:39.560 --> 00:21:44.280
saw some people doing was SIM swapping. CONOR: Yeah, so, it would start with a target.

00:21:44.280 --> 00:21:50.000
You’ve doxed a user. You’d use various different methods of getting all their information. So,

00:21:50.000 --> 00:21:57.240
their full name, address, phone number, their SSN. There’s a certain website that you can buy credits

00:21:57.240 --> 00:22:03.680
on and input someone’s first and last name and get their SSN. So, you’d have all that information,

00:22:03.680 --> 00:22:08.400
and then you’d — back in the day, it was a lot simpler than it was now. So, say if you were on

00:22:08.400 --> 00:22:15.000
T-Mobile, I would call up and say, hey, my name’s Jack Rhysider. My last four of my SSN is 1234.

00:22:15.000 --> 00:22:19.480
I’ve just lost my phone and my SIM card is inside it. I have a replacement SIM card here. If I give

00:22:19.480 --> 00:22:25.440
you the ISE ID, can you swap my SIM over to this card? The agent would happily do it. Once that’s

00:22:25.440 --> 00:22:29.960
done, your phone number is now mine. JACK: Your phone number is now mine. I

00:22:29.960 --> 00:22:34.520
just think about how scary that sounds. If someone can take your phone number from you,

00:22:34.520 --> 00:22:39.160
they can pretty much become you. So much of our identity is tied to our phone number. Yes, they

00:22:39.160 --> 00:22:43.720
can text the people you know as you. They might be able to call your bank and pretend to be you.

00:22:43.720 --> 00:22:49.400
But perhaps the scariest is that they can often recover some of your accounts. Like, if you have

00:22:49.400 --> 00:22:54.880
a Google account and you go there and say, oh, I forgot my password, they might have an option to

00:22:54.880 --> 00:23:01.320
text you a code to confirm it’s you. They text you thinking nobody in the world is gonna have access

00:23:01.320 --> 00:23:08.320
to your phone except you, right? Which you can use to reset a Google account, and now you have access

00:23:08.320 --> 00:23:13.800
to their e-mail, drives, photos, and maybe even their YouTube channel and more. Once they have

00:23:13.800 --> 00:23:18.880
control of your main e-mail account, they can just go through and reset your other accounts.

00:23:18.880 --> 00:23:23.640
Say you lost your Twitter password. It’ll say, okay, no problem. Let’s e-mail you a new one. So,

00:23:23.640 --> 00:23:27.840
now they can get into your Twitter, too. This whole thing hinges on whether or not you can

00:23:27.840 --> 00:23:32.240
convince the T-Mobile customer service rep that you really did lose your phone and to

00:23:32.240 --> 00:23:37.000
get them to switch SIM cards for you. So, were some carriers easier for you than others?

00:23:37.000 --> 00:23:42.240
CONOR: Yeah, T-Mobile by far was the easiest. It was insane. You’d get — sometimes you’d have to

00:23:42.240 --> 00:23:47.280
brute-force these calls. So, you’d have to call ten or fifteen times until you’d get an agent who

00:23:47.280 --> 00:23:52.000
just doesn't care enough, and he’ll just swap it. T-Mobile was insane. You’d just make one

00:23:52.000 --> 00:23:58.040
call and they’d do it willy-nilly, happily just swap the SIM. AT&T was definitely the hardest,

00:23:58.040 --> 00:24:03.680
and then Verizon I’d say was in the middle. Sprint as well, although not many people used it. Sprint

00:24:03.680 --> 00:24:08.080
was another one, and then I think Cricket is what it’s called. Cricket and Sprint were pretty easy,

00:24:08.080 --> 00:24:15.120
too. But as it got harder, people started to look into exploits on the actual websites of

00:24:15.120 --> 00:24:22.160
these carriers. So, there’s a couple of well-known exploits in AT&T and T-Mobile that people would

00:24:22.160 --> 00:24:27.640
use to either retrieve the pin off someone’s account or remotely swap the SIM themselves

00:24:27.640 --> 00:24:33.200
or pull their information or whatever else. JACK: It’s crazy to me how in-depth of knowledge

00:24:33.200 --> 00:24:40.680
you have of this, right? You understand wireless carriers of the world and SIM cards and usernames

00:24:40.680 --> 00:24:47.280
and passwords and computer skills. You're just going higher and higher. Yet, you have to go to,

00:24:47.280 --> 00:24:54.120
I don't know, history class and learn about the war and stuff in the afternoon, and then go

00:24:54.120 --> 00:24:58.920
back to this crazy technical stuff. Did it feel like you were living two different worlds?

00:24:58.920 --> 00:25:08.320
CONOR: Yeah, definitely. Nobody knew about it in my personal life. So, it — that was the thing;

00:25:08.320 --> 00:25:13.440
you kinda have this detached personality where in person you're a completely different guy,

00:25:13.440 --> 00:25:17.280
and then when you're online, it’s like your brain is in a different place. [Music] So,

00:25:17.280 --> 00:25:22.360
you completely dissociate from your real life. So, it’s like two separate personas that you

00:25:22.360 --> 00:25:27.280
have. It was like that the whole time. JACK: Yeah, it’s also interesting to look at

00:25:27.280 --> 00:25:31.160
maybe some of the other kids in school who are trying to build up their social media,

00:25:31.160 --> 00:25:34.440
right? You see these people are on Instagram, and you're like, alright, so,

00:25:34.440 --> 00:25:41.080
you’ve got 300 followers. I can get you an account by this afternoon with a million followers. What’s

00:25:41.080 --> 00:25:46.800
the deal here? There’s no game. How did you be like…? Did you ever look at that like that?

00:25:46.800 --> 00:25:53.040
CONOR: Yeah…it was actually exactly that. When you're young and impressionable like I was,

00:25:53.040 --> 00:25:57.640
I thought I was on top of the world and way smarter than everybody else. So, I would kind

00:25:57.640 --> 00:26:01.560
of look at them and be like, oh, you're an idiot. How do you not know what I know or

00:26:01.560 --> 00:26:07.600
how are you so impressed, or whatever else. JACK: Well, you had to know that what you were

00:26:07.600 --> 00:26:12.240
doing is not exactly the straightforward way to do things. It’s the back way,

00:26:12.240 --> 00:26:16.960
wrong way, and it-works way, but it’s not exactly the way you're supposed to.
