WEBVTT

00:00:00.000 --> 00:00:05.400
JACK: Good versus evil. This is something I think about a lot, and I’ve come to the

00:00:05.400 --> 00:00:10.860
conclusion that it’s not a fair fight. [MUSIC] The good team has virtues such as ethics and morals,

00:00:10.860 --> 00:00:16.440
and tries to do what’s right. But the evil team by definition lacks virtues.

00:00:16.440 --> 00:00:20.880
They have no problem breaking the law or playing dirty to complete their objectives,

00:00:20.880 --> 00:00:27.300
but the good team will uphold the law. So, if you have an evil hacker in the world, they’re not

00:00:27.300 --> 00:00:33.420
gonna play fair or with morals to accomplish their mission. They’re going to deceive, lie, cheat,

00:00:33.420 --> 00:00:39.300
threaten, break laws, and be reckless. It doesn’t matter what it takes for them to be successful,

00:00:39.300 --> 00:00:45.480
and the hackers on the good team don’t do that stuff. They’re accountable, responsible,

00:00:45.480 --> 00:00:51.660
honest, considerate, and strive to have excellence in all that they do. To me,

00:00:51.660 --> 00:00:58.440
this means it’s not a fair fight. One side fights dirty and acts in bad faith and can’t be trusted,

00:00:58.440 --> 00:01:04.020
while the other can’t fight like that since their hands are tied to morals and integrity.

00:01:04.020 --> 00:01:09.840
But as you get into the weeds, it’s so hard to figure out who’s good and who’s evil and what’s

00:01:09.840 --> 00:01:14.460
right and what’s wrong. Sometimes you have to break the law to do what’s right. Sometimes

00:01:14.460 --> 00:01:19.020
good people just don’t know they’re breaking the law because there’s so many stupid laws out

00:01:19.020 --> 00:01:23.160
there that just should be removed. Sometimes there’s good people with good intentions,

00:01:23.160 --> 00:01:29.700
but their actions have horrible consequences. There’s also people who seem to be evil but

00:01:29.700 --> 00:01:35.580
they’re just misunderstood. What they’re doing might be controversial or really hard,

00:01:35.580 --> 00:01:43.020
but they know someone has to do it to make the world right. But with all that said, I still

00:01:43.020 --> 00:01:49.740
believe this story is about how a bad company hired an evil group to hack into good people.

00:01:49.740 --> 00:02:01.440
INTRO: [INTRO MUSIC] These are true stories from the dark side of the internet. I’m

00:02:01.440 --> 00:02:19.800
Jack Rhysider. This is Darknet Diaries. [INTRO

00:02:19.800 --> 00:02:20.394
MUSIC ENDS]

00:02:20.394 --> 00:02:22.800
JACK: I’m recording this call to use on the podcast Darknet

00:02:22.800 --> 00:02:24.360
Diaries. That’s alright with you, correct?

00:02:24.360 --> 00:02:26.400
MATTHEW: Yes, that’s fine, yep.

00:02:26.400 --> 00:02:29.790
JACK: Alright, so let’s start with what’s your name and what’s your title?

00:02:29.790 --> 00:02:35.760
MATTHEW: My name is Matthew Earl. I’m the managing partner of ShadowFall Capital Research.

00:02:35.760 --> 00:02:37.140
JACK: What is this ShadowFall?

00:02:37.140 --> 00:02:44.700
MATTHEW: We are a short-focused firm that looks into companies that are listed that we

00:02:44.700 --> 00:02:49.020
think are either using aggressive accounting; sometimes that’s just aggressive accounting,

00:02:49.020 --> 00:02:57.540
sometimes that’s possibly fraudulent practices or unethical conduct by management. Or it might be…

00:02:57.540 --> 00:03:01.320
JACK: [MUSIC] I’ve never heard of a short-focused firm before and had to

00:03:01.320 --> 00:03:04.860
spend some time figuring this out, but basically what Matt does is he looks for

00:03:04.860 --> 00:03:09.660
companies that are about to tank in the stock market and then short that stock,

00:03:09.660 --> 00:03:15.240
which means if their stock price goes down, Matthew makes money. As a short seller,

00:03:15.240 --> 00:03:21.600
he’s gotta do his homework into which companies are ripe to be shorted. Back in 2015, Matthew

00:03:21.600 --> 00:03:27.660
started watching a German payment company called Wirecard AG. They had announced that they were

00:03:27.660 --> 00:03:33.360
going to buy an Indian company for over 300 million euros which just didn’t seem right.

00:03:33.360 --> 00:03:40.620
MATTHEW: When I looked at that acquisition, it didn’t look as though it was worth 340 million

00:03:40.620 --> 00:03:45.886
euros. I thought well, that’s kind of interesting, and I’ll dig a bit more into this company.

00:03:45.886 --> 00:03:50.880
JACK: [MUSIC] Matthew was interested because an over-valued buy might mean that Wirecard

00:03:50.880 --> 00:03:56.220
was misrepresenting themselves or mismanaging their money or doing something wrong,

00:03:56.220 --> 00:04:02.520
which makes it a good target to short the stocks. As he looked into things, it became obvious.

00:04:02.520 --> 00:04:04.920
MATTHEW: This looks like a classic accounting fraud.

00:04:04.920 --> 00:04:07.740
JACK: To add to that, Wirecard also had a checkered past.

00:04:07.740 --> 00:04:11.760
MATTHEW: As I looked into the history of the company, there were allegations

00:04:11.760 --> 00:04:16.980
that had been raised in the past against it that it was embroiled in money laundering.

00:04:16.980 --> 00:04:20.400
JACK: These allegations went back a couple years. German prosecutors

00:04:20.400 --> 00:04:24.900
investigated Wirecard about money laundering connections to online gambling in the US.

00:04:24.900 --> 00:04:30.420
They even raided Wirecard’s offices but didn’t come up with anything. Wirecard

00:04:30.420 --> 00:04:34.800
insisted they weren’t doing anything wrong, but Matthew wasn’t convinced.

00:04:34.800 --> 00:04:37.320
MATTHEW: Then when I conducted more research into the company,

00:04:37.320 --> 00:04:41.820
I worked out that it seemed as though they had set up an entire structure,

00:04:41.820 --> 00:04:48.180
a network of companies that were used for money laundering purposes.

00:04:48.180 --> 00:04:53.340
JACK: At this point, Matthew invests in shorting Wirecard, believing that this company’s stocks are

00:04:53.340 --> 00:04:57.960
going to go down once the truth catches up with the company. [MUSIC] He also felt that authorities

00:04:57.960 --> 00:05:03.060
and the public needed to know about this, but he wanted to protect himself from backlash,

00:05:03.060 --> 00:05:08.880
so he published under an alias, Zatarra Research. The report dropped in February

00:05:08.880 --> 00:05:15.780
2016. It alleged that Wirecard was deceiving its shareholders, was tied up in money laundering,

00:05:15.780 --> 00:05:21.960
and had defrauded Visa and Mastercard. Wirecard didn’t like these accusations and pushed back,

00:05:21.960 --> 00:05:28.320
saying Zatarra’s claims were baseless. At this point, things took a bad turn for Matthew Earl

00:05:28.320 --> 00:05:34.020
because in the following months, his Zatarra cover got blown. In December, a document was

00:05:34.020 --> 00:05:39.120
spread around online, accusing him of criminal insider trading and market manipulation.

00:05:39.120 --> 00:05:43.380
MATTHEW: It was extremely concerning because obviously very serious allegations

00:05:43.380 --> 00:05:47.700
were within the document, again, accusing me of being a criminal,

00:05:47.700 --> 00:05:53.640
of falsifying all the research, of being in – colluding with journalists.

00:05:53.640 --> 00:05:58.440
JACK: Even worse, the document had creepy surveillance photos of Matthew.

00:05:58.440 --> 00:06:02.280
MATTHEW: There were pictures taken of my house, of myself opening the front door,

00:06:02.280 --> 00:06:07.260
and it was very clear from those pictures that the photographs had been taken not in

00:06:07.260 --> 00:06:10.260
the winter months of December but they had been taken in the summer months.

00:06:10.260 --> 00:06:14.640
JACK: [MUSIC] Someone had been watching Matthew for months,

00:06:14.640 --> 00:06:19.680
but he was just finding out about it now. This put him on high alert. It wasn’t much

00:06:19.680 --> 00:06:23.760
later that he noticed a strange car parked on his street. He lived in a

00:06:23.760 --> 00:06:27.960
cul-de-sac with only a few houses, so it was easy to spot something out of place.

00:06:27.960 --> 00:06:32.940
MATTHEW: Suddenly I saw a black Mercedes Coupe that had parked outside, and there were a couple

00:06:32.940 --> 00:06:37.740
of guys that were looking around. It just seemed unusual as it happened. Because it

00:06:37.740 --> 00:06:42.000
seemed so unusual, I took a photo of it, of the vehicle and the license plate, and it was around

00:06:42.000 --> 00:06:50.460
9:00 in the morning. I was going into London later that day and as I was driving up to the station,

00:06:50.460 --> 00:06:55.920
I noticed that their vehicle suddenly appeared. I realized that they had been – there was a car

00:06:55.920 --> 00:07:02.520
following me. Not quite certain, but then as I got out of the car to go to the station, I’d realized

00:07:02.520 --> 00:07:10.740
I had left my wallet at home. So, I turned ‘round and this black Mercedes Coupe; I don’t think he

00:07:10.740 --> 00:07:18.420
expected me to turn around. He just kind of froze and was staring at me. It was quite obvious that I

00:07:18.420 --> 00:07:23.820
was being followed at that point, so I just went straight home. I noticed then, when I got home,

00:07:23.820 --> 00:07:29.520
that there was another car where there was a guy sat in there with a camera taking photos as well.

00:07:29.520 --> 00:07:34.560
JACK: Whoa, this is like a movie. Matthew called the cops and said to send someone

00:07:34.560 --> 00:07:39.240
by. Matthew also called his lawyer who offered to send an ex-special forces guy

00:07:39.240 --> 00:07:43.380
to come protect Matthew. Matthew turned him down; he wasn’t excited that people

00:07:43.380 --> 00:07:48.180
were watching his house and his family, but he didn’t feel like bodily harm was coming his way.

00:07:48.180 --> 00:07:50.100
MATTHEW: It was just a very odd few days.

00:07:50.100 --> 00:07:52.740
JACK: It got weirder. A couple of days later,

00:07:52.740 --> 00:07:57.300
two men from an investigative agency called Kroll showed up at his door.

00:07:57.300 --> 00:08:02.580
MATTHEW: They asked me; they said, are you Matthew Earl? I said, yes. They said, you’ve got a strong

00:08:02.580 --> 00:08:07.440
interest in Wirecard, haven’t you? I said, well, I’ve written on the company. They said yes,

00:08:07.440 --> 00:08:12.480
but would you like to talk to us about it? They were quite sinister and quite creepy, in fact.

00:08:12.480 --> 00:08:16.500
JACK: Matthew didn’t want to talk to them about anything. The two men let him know

00:08:16.500 --> 00:08:21.660
that they were there on behalf of Wirecard and gave him a letter. It was from Jones Day,

00:08:21.660 --> 00:08:26.580
a law firm representing Wirecard. Matthew says the letter accused him of collusion,

00:08:26.580 --> 00:08:30.960
conspiracy, defamation, libel, and market manipulation. That was

00:08:30.960 --> 00:08:34.680
just the beginning. The surveillance and threatening letters continued for months.

00:08:34.680 --> 00:08:39.060
MATTHEW: With the sinister nature of the surveillance, what’s their ultimate

00:08:39.060 --> 00:08:44.760
intention? Is it to intimidate just from a distance or is it to go further beyond that,

00:08:44.760 --> 00:08:48.360
I guess? Because I can tell you it’s not nice having car – vehicles parked

00:08:48.360 --> 00:08:52.440
outside your house and being followed to the station. When I drove out with my

00:08:52.440 --> 00:08:59.880
children in the car, there were the vehicles following me then. We had have our – the school

00:08:59.880 --> 00:09:04.560
have passwords put up with the school so that when we collected the children from the school,

00:09:04.560 --> 00:09:10.320
that those passwords had to be given so that no strangers could take them,

00:09:10.320 --> 00:09:15.720
had to have the police around. They took it so seriously with the surveillance that our home

00:09:15.720 --> 00:09:23.100
line was put on rapid response, so if we were to dial 999, your equivalent of 911, and even just

00:09:23.100 --> 00:09:29.280
hung up, then the police would automatically send a response vehicle ‘round. It was pretty

00:09:29.280 --> 00:09:35.640
stressful and frightening, certainly for the first couple of weeks.

00:09:35.640 --> 00:09:37.680
JACK: What was the worst part of all this for you?

00:09:37.680 --> 00:09:45.720
MATTHEW: I think it was the uncertainty as to what they would do,

00:09:45.720 --> 00:09:50.040
because obviously they had gone to the lengths to put me under surveillance,

00:09:50.040 --> 00:09:57.720
to try to discredit myself. It was, well, would they be satisfied with that or would

00:09:57.720 --> 00:10:01.920
there be anything else that they would – would there be any physical danger?

00:10:01.920 --> 00:10:07.290
JACK: [MUSIC] On top of everything, Matthew started getting these suspicious e-mails.

00:10:07.290 --> 00:10:11.040
MATTHEW: They were relentless. They came thick and fast. Ultimately,

00:10:11.040 --> 00:10:17.460
over I guess three years, I received well over 3,000 e-mails.

00:10:17.460 --> 00:10:21.660
JACK: He could always tell that there was something a little bit off about these e-mails,

00:10:21.660 --> 00:10:26.040
but they were put together in a pretty convincing way. He got e-mails with links

00:10:26.040 --> 00:10:31.020
that looked like they came from his sister. He’d get a Dropbox link that supposedly came

00:10:31.020 --> 00:10:35.310
from his friends and family, and he’d get links to news articles about Wirecard.

00:10:35.310 --> 00:10:38.700
MATTHEW: It was astonishing just how much information,

00:10:38.700 --> 00:10:42.660
detail, they had in order to craft these e-mails that they were sending to me.

00:10:42.660 --> 00:10:46.320
JACK: Which surprised Matthew because he didn’t feel like he had much of a social

00:10:46.320 --> 00:10:50.760
media presence. He was on Twitter, but didn’t have Facebook or LinkedIn.

00:10:50.760 --> 00:10:53.940
MATTHEW: Whoever was sending these e-mails clearly had an understanding

00:10:53.940 --> 00:11:00.000
as to what subject matters I was interested in, who my friends were, who my family were.

00:11:00.000 --> 00:11:04.140
JACK: There were so many e-mails coming in. At one point, Matthew was worried that one of his

00:11:04.140 --> 00:11:08.040
kids might pick up his phone and play a game and accidentally click on a suspicious link.

00:11:08.040 --> 00:11:13.500
MATTHEW: It was horrible, very stressful. Then ultimately, as time passed, it just became very

00:11:13.500 --> 00:11:20.160
frustrating because you think well, why won’t they ever stop? Just give it a rest, right? They

00:11:20.160 --> 00:11:21.060
didn’t. That was the thing.

00:11:21.060 --> 00:11:26.700
JACK: Matthew believes that somehow he didn’t click on any of the bad links. [MUSIC] But

00:11:26.700 --> 00:11:33.120
who was sending these to him? He knew the Kroll investigators and Jones Day were with Wirecard,

00:11:33.120 --> 00:11:38.400
but were these e-mails from them, too? Matthew showed them to his lawyer.

00:11:38.400 --> 00:11:42.060
MATTHEW: They were amazed. They said that this

00:11:42.060 --> 00:11:46.620
level of sophistication within the e-mails was something they thought

00:11:46.620 --> 00:11:51.200
could almost be state-sponsored. They said it was just unbelievable.

00:11:51.200 --> 00:11:56.880
JACK: It turns out Matthew wasn’t the only person on the receiving end of these relentless hacking

00:11:56.880 --> 00:12:01.560
attempts. A journalist who had also written about Wirecard was getting these weird e-mails,

00:12:01.560 --> 00:12:05.700
too. Matthew told this journalist he’s getting the same e-mails and asked what

00:12:05.700 --> 00:12:12.300
to do. The journalist suggested Matthew send the e-mails to Citizen Lab in Toronto, Canada.

00:12:12.300 --> 00:12:17.760
In the spring of 2017, Matthew got in contact with Citizen Lab and started showing his

00:12:17.760 --> 00:12:23.340
e-mails to them. By this point, Citizen Lab already had quite a case built on who might

00:12:23.340 --> 00:12:28.320
be sending these e-mails. So, I called the researchers at Citizen Lab to get the story.

00:12:28.320 --> 00:12:32.880
JOHN: [MUSIC] I’m John Scott-Railton. I’m a senior researcher at Citizen Lab

00:12:32.880 --> 00:12:36.480
at the University of Toronto’s Munk School, and with me is…

00:12:36.480 --> 00:12:39.600
ADAM: I’m Adam Hulcoop, a research fellow at the Citizen Lab.

00:12:39.600 --> 00:12:44.220
JACK: Citizen Lab is all about protecting free expression, transparency, and accountability

00:12:44.220 --> 00:12:49.260
on the internet. They put a real emphasis on helping defend human rights organizations and

00:12:49.260 --> 00:12:54.060
other groups from cyber-attacks, people that might not be able to defend themselves. John

00:12:54.060 --> 00:12:58.560
says the primary focus is to understand digital threats against civil society.

00:12:58.560 --> 00:13:03.480
JOHN: This is like, threats against journalists and human rights defenders, opposition

00:13:03.480 --> 00:13:09.720
politicians, and so on. A big focus of our work is that these groups face the same kind of threats

00:13:09.720 --> 00:13:14.160
that are also pointed against governments and industry. They usually can’t pay for security.

00:13:14.160 --> 00:13:18.840
JACK: In my mind, you’re superheroes because there are people who are desperately in need

00:13:18.840 --> 00:13:22.860
of help and you’re just gonna help them free of charge. It’s amazing what you do.

00:13:22.860 --> 00:13:25.680
JOHN: It’s absolutely an area of need. You’d be amazed at how many

00:13:25.680 --> 00:13:30.420
organizations are doing really important work around the globe but are not really

00:13:30.420 --> 00:13:33.646
equipped to protect themselves. They’re too busy protecting others.

00:13:33.646 --> 00:13:37.560
JACK: [MUSIC] That’s what made Matthew Earl a good fit with Citizen Lab. He was just one

00:13:37.560 --> 00:13:41.580
guy up against whoever was bombarding him with e-mails. Citizen Lab was able

00:13:41.580 --> 00:13:48.180
to step in and help. Adam says their work is rooted in open-source intelligence, or OSINT.

00:13:48.180 --> 00:13:54.660
Are you a forensics person, a threat intelligence – how do you know these techniques?

00:13:54.660 --> 00:13:58.560
ADAM: I think that’s just sort of the – that’s

00:13:58.560 --> 00:14:04.140
the study of computer forensics, of attacking techniques. As we’ve been doing this year over

00:14:04.140 --> 00:14:09.180
year and these are the things you learn, these are the techniques and tricks and investigative

00:14:09.180 --> 00:14:14.400
steps that you learn and you share in your community of investigators and with your peers.

00:14:14.400 --> 00:14:19.080
JACK: Citizen Lab takes their work seriously. Their research is evidence-based, they’re ethical,

00:14:19.080 --> 00:14:24.480
and work with the victims to compile evidence and build cases. They rely on victims sending them

00:14:24.480 --> 00:14:30.720
suspicious e-mails or infected machines, and also on publicly-available data when building a case.

00:14:30.720 --> 00:14:35.580
Citizen Lab’s investigation into the hacking group began a bit before they heard from Matthew

00:14:35.580 --> 00:14:40.020
Earl. A Reuters journalist writing about Wirecard was the first to tip them off.

00:14:40.020 --> 00:14:44.760
ADAM: Someone had sent us a ping saying hey, you know, something weird; I’ve gotten these – this

00:14:44.760 --> 00:14:49.080
strange set of e-mails and something seems wrong. Can you guys take a look at this?

00:14:49.080 --> 00:14:54.480
JACK: John and Adam said it looked like a somewhat convincing phishing e-mail. So, this phishing

00:14:54.480 --> 00:14:59.100
e-mail that you first got, how good was it? Was it really good to the point where you would have

00:14:59.100 --> 00:15:03.780
been tricked or the average person would have been tricked to clicking it, or was it kind of lame?

00:15:03.780 --> 00:15:09.480
JOHN: I would say it was like the kind of phishing e-mail that winds up being statistically

00:15:09.480 --> 00:15:15.480
effective against a certain percentage of any basic users. Adam, what do you think?

00:15:15.480 --> 00:15:19.620
ADAM: Yeah, I would say it’s very convincing. I would say the majority of the samples that

00:15:19.620 --> 00:15:27.540
we examined, they really were copies of notification messages that everybody gets

00:15:27.540 --> 00:15:31.680
throughout the course of using the internet and communicating with friends and family.

00:15:31.680 --> 00:15:37.140
JACK: [MUSIC] These e-mails were meticulously crafted specifically for the target victims.

00:15:37.140 --> 00:15:42.120
That much was certain, and it seemed like all of the victims were involved with researching

00:15:42.120 --> 00:15:48.120
Wirecard and exposing Wirecard, so the question was were the hackers within

00:15:48.120 --> 00:15:52.920
Wirecard sending these phishing e-mails, or who was behind this? If you clicked on them,

00:15:52.920 --> 00:16:02.580
what would they do? We’ll try to answer those questions after the break. Stay with us.

00:16:02.580 --> 00:16:07.440
The researchers at Citizen Lab got right to work investigating these e-mails. They created a sort

00:16:07.440 --> 00:16:12.300
of sandbox computer which let them click the link, a safe place to allow them to what they

00:16:12.300 --> 00:16:16.980
call ‘detonate the link’ to see what happens. When they clicked it, it took them to a site

00:16:16.980 --> 00:16:22.110
which asked for their login credentials. Adam says the page looked pretty legit.

00:16:22.110 --> 00:16:26.400
ADAM: When you click that link, the phishing site you land on knows who

00:16:26.400 --> 00:16:30.600
is coming and they can pre-load that text and pre-load that screen to make it look

00:16:30.600 --> 00:16:34.920
like – you’ve already been signed into your Gmail; just re-enter your password for us.

00:16:34.920 --> 00:16:38.640
JACK: That’s the goal, to get you to enter your password. If these hackers could get

00:16:38.640 --> 00:16:43.020
the password to the victim’s e-mail, they would have access to the e-mail and be able

00:16:43.020 --> 00:16:47.040
to read what that person was working on and what they’re gonna do next. That was

00:16:47.040 --> 00:16:52.020
the intention of these phishing e-mails. While John and Adam were looking over these e-mails,

00:16:52.020 --> 00:16:55.740
they noticed something about the phishing links. Here’s Adam.

00:16:55.740 --> 00:16:59.400
ADAM: We took a look at an e-mail and sure enough, in there, we found some

00:16:59.400 --> 00:17:05.870
suspicious links that were shortened using a URL shortener. That kind of sparked the investigation.

00:17:05.870 --> 00:17:13.020
JACK: Hm. A good example of a URL shortener is TinyURL or Bitly. Basically, what they do is take

00:17:13.020 --> 00:17:17.760
a really long URL, something that’s hard to type or memorize, and shorten it into something small

00:17:17.760 --> 00:17:23.460
and tidy. When you click on the shortened URL, it redirects you to the longer URL automatically.

00:17:23.460 --> 00:17:28.620
This makes it easier to share, but if you’re a hacker working with long phishing links,

00:17:28.620 --> 00:17:35.820
a URL shortener is a way to hide what the actual URL is, because you might be hesitant to click on

00:17:35.820 --> 00:17:41.280
a [MUSIC] website which is in another country or has some weird domain, but people use Bitly links

00:17:41.280 --> 00:17:46.800
all the time, so it’s more common for us to see and therefore, we might click on it.

00:17:46.800 --> 00:17:51.480
John and Adam started to dig into these shortened URLs in use by this hacking group.

00:17:51.480 --> 00:17:54.780
ADAM: We started to peel them back and take a look. Okay,

00:17:54.780 --> 00:17:58.860
where does this shortened URL come from? Where was it residing?

00:17:58.860 --> 00:18:03.540
JACK: Fortunately for Citizen Lab, this hacking group didn’t use a commercial

00:18:03.540 --> 00:18:09.240
shortener like Bitly. They used shorteners created with open-source software, and this

00:18:09.240 --> 00:18:15.420
particular software conveniently sequenced each shortened URL which was an amazing find for Adam.

00:18:15.420 --> 00:18:23.400
ADAM: As we started to look closely and examine this publicly-available URL shortener, we learned

00:18:23.400 --> 00:18:30.720
that hm, interestingly, you could enumerate the different short URLs that were generated by this

00:18:30.720 --> 00:18:34.980
software. So, that’s what we did. We started enumerating through the different short URLs

00:18:34.980 --> 00:18:40.306
that were already created and present hosted on the same shortener, the same site, if you will.

00:18:40.306 --> 00:18:44.820
JACK: [MUSIC] Enumerating meant they could just add one more number to each URL and

00:18:44.820 --> 00:18:49.320
see the phishing URLs that the hacking team was sending out. The link shortener software

00:18:49.320 --> 00:18:54.120
they were using was easy to step through every shortened URL that was ever made,

00:18:54.120 --> 00:19:00.480
which gave Adam and the team a massive amount of information related to this hacking group. They

00:19:00.480 --> 00:19:04.440
were starting to collect enough information on this shady hacker group at this point,

00:19:04.440 --> 00:19:12.000
and they decided to give them a name. Dark Basin was what Citizen Lab named this hacking group.

00:19:12.000 --> 00:19:16.800
Adam and John and the team at Citizen Lab began walking through all of the shortened URLs,

00:19:16.800 --> 00:19:21.900
saving all of these pages to put in a sort of file that they were building on Dark Basin.

00:19:21.900 --> 00:19:27.840
ADAM: We had to actually create scripts that would do this enumeration for us on a continuous basis.

00:19:27.840 --> 00:19:34.020
We would wake up in the morning and just be faced with thousands of new phishing links,

00:19:34.020 --> 00:19:38.280
like, daily for quite a period of time. Every day we were waking up to thousands

00:19:38.280 --> 00:19:46.200
and thousands of new phishing links and just this massive pile of information. To me, personally,

00:19:46.200 --> 00:19:50.580
that was very exciting in the sense that we knew we were onto something very, very big here with

00:19:50.580 --> 00:19:56.940
that quantity of attack telemetry. That was certainly, I would say from an investigative

00:19:56.940 --> 00:20:01.440
standpoint, the highlight to me. It got us very hooked into the investigation and it really

00:20:01.440 --> 00:20:06.480
made it clear to us that there’s definitely something worth the effort to uncover here.

00:20:06.480 --> 00:20:10.560
JACK: E-mails were sent to victims with phishing links in them, but now Citizen

00:20:10.560 --> 00:20:15.060
Lab just uncovered a huge amount of those phishing links. They didn’t have the e-mails,

00:20:15.060 --> 00:20:18.780
but they could now see all the websites that they were trying to send victims to,

00:20:18.780 --> 00:20:24.480
websites that looked like logins to a victim’s account, but really weren’t. [MUSIC] Suddenly,

00:20:24.480 --> 00:20:29.460
they were able to see how wide this campaign was by looking through thousands of phishing

00:20:29.460 --> 00:20:34.860
websites and analyzing them. But they wanted to take this a step further. Adam had a plan.

00:20:34.860 --> 00:20:37.140
ADAM: As we started to look at more and more of them,

00:20:37.140 --> 00:20:43.020
we were seeing that the operators of this shortener had encoded the target’s e-mail

00:20:43.020 --> 00:20:49.920
address into that un-shortened URL. This is where it really started to unravel.

00:20:49.920 --> 00:20:54.780
JOHN: Yeah, so it’s a bonus when the threat actor provides a mechanism for the list of

00:20:54.780 --> 00:20:58.620
targets. We just crawled all the shorteners that we could find; first, the ones that we

00:20:58.620 --> 00:21:03.900
found in this message, and then others that were linked to it with infrastructure analysis.

00:21:03.900 --> 00:21:09.900
JACK: John and Adam found almost thirty different URL shorteners used by this Dark Basin hacking

00:21:09.900 --> 00:21:16.020
group. They kept enumerating and pulling out long URLs, then extracting target e-mails. They figured

00:21:16.020 --> 00:21:20.520
they could look up some of the targets online, try to uncover who these people were in real

00:21:20.520 --> 00:21:25.440
life. Maybe this would shed some light on why they had been targeted in the first place which

00:21:25.440 --> 00:21:31.620
would lead to more clues about who Dark Basin is. Surprisingly, their target database grew to

00:21:31.620 --> 00:21:36.720
thousands of e-mail addresses. While one journalist and Matthew Earl were the victims

00:21:36.720 --> 00:21:41.460
that came to them with these e-mails to begin with, the team at Citizen Lab were uncovering

00:21:41.460 --> 00:21:47.220
that hundreds of people were actually being targeted by this same Dark Basin hacking group.

00:21:47.220 --> 00:21:51.000
They could see that these hackers were targeting unique victims because e-mail

00:21:51.000 --> 00:21:55.020
addresses of the victims were in the phishing URLs. Here’s John.

00:21:55.020 --> 00:22:03.480
JOHN: Just very quickly gave us the sense of a massive scope of targeting. We went

00:22:03.480 --> 00:22:07.500
through the same analytical dance that I think most organizations do

00:22:07.500 --> 00:22:10.320
when they find a big threat actor which is like oh, this has gotta be Russia,

00:22:10.320 --> 00:22:13.590
right? We found a government actor for sure because of all the targets.

00:22:13.590 --> 00:22:17.760
JACK: Because this was such a big hacking campaign, it meant that whoever did this had

00:22:17.760 --> 00:22:21.660
interests in people all over the world in many different sectors. Who would

00:22:21.660 --> 00:22:26.520
do that? Possibly a nation state actor. But you can’t just say oh, it’s Russia,

00:22:26.520 --> 00:22:30.900
without evidence. It’s a decent theory, but we need proof. They kept digging,

00:22:30.900 --> 00:22:35.880
analyzing the targets, building maps and clusters, like where the targets were in the world, and what

00:22:35.880 --> 00:22:39.780
kind of businesses do they work for, like, are they all journalists or do they all work in tech

00:22:39.780 --> 00:22:43.920
or something like that? [MUSIC] Any commonalities between targets can help paint this

00:22:43.920 --> 00:22:48.780
picture because then you start asking who would have an interest in hacking people like that?

00:22:48.780 --> 00:22:55.680
JOHN: As we expanded out our digging, it became pretty clear that our targets were not just the

00:22:55.680 --> 00:23:01.980
bread and butter of a nation state actor. I just say Russia as an example, but it wasn’t just

00:23:01.980 --> 00:23:09.600
energy companies. It wasn’t just journalists. It was like, people who appeared to be having

00:23:09.600 --> 00:23:16.260
semi-public divorces, random people or people who owned – two people who owned a house-building

00:23:16.260 --> 00:23:24.420
company somewhere. It became pretty clear that because of the sheer variety of the targeting,

00:23:24.420 --> 00:23:29.220
it didn’t make sense for this to be anything other than a bunch of different targeting

00:23:29.220 --> 00:23:35.640
requirements coming from very different kinds of players. We began getting this sense like,

00:23:35.640 --> 00:23:39.720
oh, you know what? This doesn’t look like a government. This looks mercenary.

00:23:39.720 --> 00:23:45.000
JACK: Mercenary. That would mean these hackers are for hire, and a bunch of different people

00:23:45.000 --> 00:23:49.200
all over the world have hired this hacker group to carry out different objectives.

00:23:49.200 --> 00:23:54.060
Because they’re seeing so many random targets, it must mean it’s coming from a hacker group who

00:23:54.060 --> 00:23:59.100
takes random jobs from random people. This was a pretty good assumption, and sometimes

00:23:59.100 --> 00:24:02.820
you have to start with an assumption and work backwards to try to see if there’s evidence

00:24:02.820 --> 00:24:09.420
backing it up. John and Adam started going in this direction. [MUSIC] They wanted to figure out who

00:24:09.420 --> 00:24:14.520
this hacking group was, what motivated them, and maybe most important; who was hiring them?

00:24:14.520 --> 00:24:18.840
JOHN: That kind of discovery really shaped how we began approaching, which is

00:24:18.840 --> 00:24:23.640
we have to then understand okay, there are clusters of targets within here who will all

00:24:23.640 --> 00:24:29.520
be part of the same package that this group was paid to target. We should take these groups and

00:24:29.520 --> 00:24:33.420
start engaging them, try to figure out why they might have been targeted, who might be behind it.

00:24:33.420 --> 00:24:36.480
JACK: This meant doing all that open-source intelligence-gathering,

00:24:36.480 --> 00:24:41.280
or OSINT, for short. They’d have to crawl the web and do a digital investigation to

00:24:41.280 --> 00:24:44.640
figure out who the people were that were being targeted and if

00:24:44.640 --> 00:24:48.960
they were connected to other Dark Basin targets. John says it took a lot of work.

00:24:48.960 --> 00:24:53.640
JOHN: A couple of colleagues at the Citizen Lab spent – I don’t want to say the best years of

00:24:53.640 --> 00:24:59.940
their lives, but they spent a substantial amount of time working with us to OSINT the shit out of

00:24:59.940 --> 00:25:04.890
all of these e-mail addresses to try to figure out who these people were and then to do clustering.

00:25:04.890 --> 00:25:10.500
JACK: What they were trying to do is figure out if the targets had anything in common because

00:25:10.500 --> 00:25:15.540
if they found commonalities, [MUSIC] this could help define who the adversary might be. As groups

00:25:15.540 --> 00:25:19.980
of targets started to take shape, Adam says there were some that bubbled up to the top.

00:25:19.980 --> 00:25:22.800
ADAM: Early in this investigation I would say,

00:25:22.800 --> 00:25:28.800
there was a lot of targeting that was going at these financial clusters and the short sellers

00:25:28.800 --> 00:25:31.980
and the people who were investigating Wirecard; the journalists and so forth.

00:25:31.980 --> 00:25:38.460
JOHN: Basically, everybody who reported on or was critical of the financial practices

00:25:38.460 --> 00:25:45.120
of Wirecard got targeted by this group over years and very extensively. Some

00:25:45.120 --> 00:25:48.900
of those targets were in touch with the lab and were helping us track

00:25:48.900 --> 00:25:51.840
and understand the kinds of things that were hitting their inboxes.

00:25:51.840 --> 00:25:55.620
JACK: Again, that’s the cluster that included that British short seller,

00:25:55.620 --> 00:26:00.120
Matthew Earl, and the Reuters journalist who helped kick off this investigation. But John

00:26:00.120 --> 00:26:03.900
says there’s another clue which really got Citizen Lab’s attention early on.

00:26:03.900 --> 00:26:08.940
JOHN: We do an initial set of clustering. We’ve got clusters who are in the financial

00:26:08.940 --> 00:26:13.320
sector and we’ve got clusters who are kind of in politics that want international targets,

00:26:13.320 --> 00:26:18.480
and then one group really jumps out, and this is a whole bunch of American

00:26:18.480 --> 00:26:23.700
environmental NGOs with familiar names like Greenpeace and a bunch of others.

00:26:23.700 --> 00:26:26.580
JACK: Some of these other groups that were being phished were people who

00:26:26.580 --> 00:26:29.100
were involved with the Rockefeller Family Fund,

00:26:29.100 --> 00:26:33.600
the Climate Investigations Center, and the Center for International Environmental Law.

00:26:33.600 --> 00:26:37.980
JOHN: It wasn’t immediately clear why they were all connected. There were a lot of

00:26:37.980 --> 00:26:41.640
them and it seemed to be – in some cases – some very specific people had gotten really

00:26:41.640 --> 00:26:45.060
heavily targeted, then there were people who were kind of one-step-away connected

00:26:45.060 --> 00:26:52.080
to them. From what began as just desk research eventually wound up as like,

00:26:52.080 --> 00:26:55.980
me hopping on a plane and going and meeting with people and getting groups of people together to

00:26:55.980 --> 00:26:58.680
try to [MUSIC] figure out why on earth they were all being targeted at the same time.

00:26:58.680 --> 00:27:03.390
JACK: John went to a conference at this point which was unrelated to this investigation.

00:27:03.390 --> 00:27:08.940
JOHN: I was at a conference and doing the hallway track where you take a break from the sessions,

00:27:08.940 --> 00:27:12.840
and sitting at a little table. This guy and a couple other people sit down at a table and

00:27:12.840 --> 00:27:16.980
people go around, do the introductions, and he introduces himself. I have this

00:27:16.980 --> 00:27:19.800
holy smoke moment ’cause he was one of the targets.

00:27:19.800 --> 00:27:24.720
JACK: John was sitting face-to-face with one of the people he had been investigating for quite

00:27:24.720 --> 00:27:30.300
a while, a victim of this phishing campaign. At a large conference like this, it was just sheer

00:27:30.300 --> 00:27:34.800
luck to run into this guy. But John didn’t want to say anything in front of everyone at this table,

00:27:34.800 --> 00:27:40.980
so John got his business card and then called him up later, and things really snowballed from there.

00:27:40.980 --> 00:27:45.660
JOHN: It was [00:30:00] from that initial connection that I pulled together meetings

00:27:45.660 --> 00:27:49.560
with these organizations, so one of the first pieces of feedback that came back was like,

00:27:49.560 --> 00:27:53.580
oh, we knew something was going on. We had this feeling. Some of the organizations

00:27:53.580 --> 00:27:58.020
had kind of a memory of getting a lot of weird e-mails. Some of the people were sort of like,

00:27:58.020 --> 00:28:01.380
I feel like I’m under attack. Well, what linked them all together,

00:28:01.380 --> 00:28:07.066
is that they were all doing advocacy on a campaign called the ExxonKnew Campaign.

00:28:07.066 --> 00:28:11.820
HOST: [MUSIC] Guess who knew about climate change decades before most people had even heard of it;

00:28:11.820 --> 00:28:17.400
ExxonMobil, one of the world’s biggest oil companies. They knew this from their own research

00:28:17.400 --> 00:28:22.980
back in 1977. Ironic, ’cause now they’re one of the leading opponents of climate change science.

00:28:22.980 --> 00:28:27.360
JACK: This ExxonKnew Campaign involved a bunch of environmental groups that

00:28:27.360 --> 00:28:33.420
alleged that Exxon knew about climate change but lied to the public about it.

00:28:33.420 --> 00:28:39.420
The gist is that this deception strategy helped Exxon make billions of dollars while slowing the

00:28:39.420 --> 00:28:45.120
response to climate change. ExxonKnew compares to what Big Tobacco did in the ’90s which was

00:28:45.120 --> 00:28:50.160
misleading people about the harmful effects of smoking. For some reason, all these environmental

00:28:50.160 --> 00:28:56.100
groups that were against Exxon were getting phished big-time, and probably hacked. For John

00:28:56.100 --> 00:29:01.740
and Adam, their new acquaintances were a way to get more data on Dark Basin. They coached

00:29:01.740 --> 00:29:06.406
them up to look for phishing e-mails past and present, and put them in a timeline of attacks.

00:29:06.406 --> 00:29:11.040
JOHN: [MUSIC] One of the most remarkable things that came out of our digging was

00:29:11.040 --> 00:29:16.440
that there was this private e-mail thread that had made its way into

00:29:16.440 --> 00:29:20.700
the US press and some articles that were critical of the campaign; ultimately,

00:29:20.700 --> 00:29:25.560
sort of accusing these organizations of somehow conspiring to make the oil industry look bad.

00:29:25.560 --> 00:29:30.900
JACK: This e-mail thread had an agenda for an early meeting between ExxonKnew organizers. It

00:29:30.900 --> 00:29:34.800
included people’s names and e-mail addresses in the header. It outlined a group of goals

00:29:34.800 --> 00:29:40.740
for de-legitimizing Exxon, like divestment and potential media campaigns. The leak popped up

00:29:40.740 --> 00:29:46.440
in the news cycle, and Exxon also posted it to their website with a bunch of information

00:29:46.440 --> 00:29:52.860
about ExxonKnew. They used it as evidence that activists were leveraging the press and public

00:29:52.860 --> 00:29:59.040
officials to damage the company. But for John and Adam, the leak was important because of

00:29:59.040 --> 00:30:03.840
how it matched up with their timeline of Dark Basin phishing against ExxonKnew.

00:30:03.840 --> 00:30:09.120
JOHN: What was fascinating is that when we timelined some of that stuff,

00:30:09.120 --> 00:30:12.360
some of that – we could say, leak-flavored product

00:30:12.360 --> 00:30:17.700
against the phishing, it became clear that [MUSIC] this was this big wave of phishing that happened

00:30:17.700 --> 00:30:22.740
and then stopped right before that leak material was made public.

00:30:22.740 --> 00:30:27.540
JACK: They noticed another wave a few months later. The New York Attorney General who had

00:30:27.540 --> 00:30:31.620
launched a years-long investigation into Exxon made a court filing that

00:30:31.620 --> 00:30:36.720
accused Exxon of misleading investors about how it accounted for climate change risks.

00:30:36.720 --> 00:30:42.960
Dark Basin phishing e-mails rained down on ExxonKnew members after the filing.

00:30:42.960 --> 00:30:48.060
Wirecard and ExxonKnew offered a ton of circumstantial evidence that showed that

00:30:48.060 --> 00:30:52.680
the Dark Basin hacking group was trying to hack the people who were actively exposing

00:30:52.680 --> 00:30:58.560
these companies’ wrongdoing. But John and Adam found that Dark Basin went way beyond these two

00:30:58.560 --> 00:31:03.720
stories. Their spread was massive. They hit government officials, political candidates,

00:31:03.720 --> 00:31:08.400
financial firms, pharmaceutical companies, advocacy groups, and smaller targets like

00:31:08.400 --> 00:31:14.280
divorce cases. It’s alarming how wide their reach was, but all this data was being

00:31:14.280 --> 00:31:20.760
collected by Citizen Lab to try to understand who Dark Basin was. John and Adam had loads

00:31:20.760 --> 00:31:26.220
of historical data and they’d regularly get new stuff rolling in. The trail was never really cold.

00:31:26.220 --> 00:31:29.700
JOHN: There would be a moment where we’d just be like oh, man, we got nothing. We’re no

00:31:29.700 --> 00:31:35.520
longer – we have all this retrospective stuff but we can’t track them today. Then, as often as not,

00:31:35.520 --> 00:31:39.600
a target would get in touch and say hey, I just got this e-mail today. Here you go, and there

00:31:39.600 --> 00:31:43.440
would be our next piece of infrastructure and we would claw back some visibility.

00:31:43.440 --> 00:31:47.340
JACK: Which was important because John and Adam were still trying to figure

00:31:47.340 --> 00:31:50.820
out who was behind Dark Basin and where they were.

00:31:50.820 --> 00:31:54.960
We can start kind of with you’re – trying to figure out who’s doing this.

00:31:54.960 --> 00:31:58.380
JOHN: Yeah, so this was an interesting challenge for us because we got to the

00:31:58.380 --> 00:32:04.440
mercenary part long before we figured out who the sort of mercenaries were in this case.

00:32:04.440 --> 00:32:09.480
JACK: Fortunately, John and Adam had some help with their investigation into these mercenaries,

00:32:09.480 --> 00:32:15.600
some additional clues to help guide them. [MUSIC] They collaborated with NortonLifeLock which

00:32:15.600 --> 00:32:20.520
is a security application, and they were also tracking Dark Basin, but they called this group

00:32:20.520 --> 00:32:27.660
Mercenary.Amanda. There was this other report from the Electronic Frontier Foundation. Back in 2017,

00:32:27.660 --> 00:32:33.660
EFF had identified an advanced spear phishing campaign that attacked internet freedom advocacy

00:32:33.660 --> 00:32:38.580
groups. The attackers sent out legit-looking e-mails asking people to go to Google, Dropbox,

00:32:38.580 --> 00:32:43.080
and LinkedIn to log in. If they did, [00:35:00] it would steal their login

00:32:43.080 --> 00:32:48.000
credentials. Sounds familiar, right? EFF figured out that whoever was running the

00:32:48.000 --> 00:32:54.480
attacks was probably working out of an office in a particular timezone. John says they saw that, too.

00:32:54.480 --> 00:33:00.660
JOHN: We began spotting all of these different things that started pointing

00:33:00.660 --> 00:33:07.380
to a particular player. The first thing that really clued us in was

00:33:07.380 --> 00:33:14.700
that the timing of the attacks appeared to fit the time frame of India’s timezone.

00:33:14.700 --> 00:33:19.440
JACK: India is a big country, but it only has one timezone, India Standard Time,

00:33:19.440 --> 00:33:26.940
which is GMT+5:30. What John and Adam saw was that the attacks happened within what would

00:33:26.940 --> 00:33:32.880
be a typical work day in India. They also saw that India Standard Time was stamped into some

00:33:32.880 --> 00:33:38.700
of Dark Basin’s phishing code. But some threat actors put in fake clues to throw people off,

00:33:38.700 --> 00:33:42.960
and so it’s possible they faked the timezone in the code and purposely were active during

00:33:42.960 --> 00:33:48.900
business hours in India to hide themselves, but the Indian connection didn’t stop with

00:33:48.900 --> 00:33:53.130
the timezone. Adam says the names of the URL shorteners were another clue.

00:33:53.130 --> 00:33:58.980
ADAM: As we tracked these URL shorteners, they were using an open-source shortening software and

00:33:58.980 --> 00:34:05.640
that software, one of the things that it had was a web UI, like a web front end. They had given them

00:34:05.640 --> 00:34:12.360
titles, and the titles in several cases reflected things that had cultural significance in India.

00:34:12.360 --> 00:34:17.640
JACK: A couple were named after important events like Holi and Rongali. Adam says

00:34:17.640 --> 00:34:21.180
they came across even more helpful information because Dark Basin didn’t

00:34:21.180 --> 00:34:24.600
do much to cover their tracks. They left stuff out in the open sometimes.

00:34:24.600 --> 00:34:28.020
ADAM: We also were able to collect log files from

00:34:28.020 --> 00:34:32.820
the credential phishing websites. They just left them there, left them open.

00:34:32.820 --> 00:34:36.900
JACK: In these log files, John and Adam could see Dark Basin hackers running

00:34:36.900 --> 00:34:42.840
tests to make sure their phishing code worked. The IPs running these tests were from India.

00:34:42.840 --> 00:34:46.560
ADAM: But there were other cases where they worked, where they were – you’d

00:34:46.560 --> 00:34:50.280
have a test with a VPN and then right away, the same link would have been tested again,

00:34:50.280 --> 00:34:54.690
but it was actually coming from an Indian-based broadband provider.

00:34:54.690 --> 00:34:57.900
JACK: This was another piece of the pie. They had the timestamps,

00:34:57.900 --> 00:35:02.160
the URL shortener names, and now IP addresses all linking this to India.

00:35:02.160 --> 00:35:06.660
ADAM: We had these pieces falling into place that were suggestive;

00:35:06.660 --> 00:35:13.380
each piece was another little bread crumb suggesting operators working out of India.

00:35:13.380 --> 00:35:17.460
JACK: To me, at least, all this information Citizen Lab was collecting from their

00:35:17.460 --> 00:35:21.420
investigation was really impressive. I wouldn’t have thought to try to enumerate

00:35:21.420 --> 00:35:26.700
the URL shortener or even look to see if there were log files visible in the phishing websites.

00:35:26.700 --> 00:35:29.760
But with all this information, Citizen Lab now had

00:35:29.760 --> 00:35:35.520
an idea of where Dark Basin was. But they were still hunting for the who.

00:35:35.520 --> 00:35:38.160
JOHN: [MUSIC] Then we get – we get sort of the next layer of clues.

00:35:38.160 --> 00:35:43.320
JACK: John says Dark Basin hackers made some glaring errors when testing their phishing kits.

00:35:43.320 --> 00:35:50.940
JOHN: What really caught our attention is that the operators didn’t just do

00:35:50.940 --> 00:35:55.260
some tests. Their compartmentation was not great. Where it got really

00:35:55.260 --> 00:35:58.380
interesting is that in some cases, to test out things,

00:35:58.380 --> 00:36:03.540
operators would share stuff that might be more personally relevant to them on the shorteners.

00:36:03.540 --> 00:36:08.160
JACK: See, since the hackers set up this URL shortener, they actually used it to

00:36:08.160 --> 00:36:13.680
send links between each other. In one case, a Dark Basin hacker shared a link with another

00:36:13.680 --> 00:36:19.860
Dark Basin hacker which took them to a shared drive, and that had a resume or a CV there.

00:36:19.860 --> 00:36:26.940
JOHN: The CV described a bunch of skills and responsibilities like information-gathering

00:36:26.940 --> 00:36:31.980
about target, create phishing page and campaign for target, e-mail investigation, e-mail tracking.

00:36:31.980 --> 00:36:35.520
JACK: Of all the things a hacker could share to test their phishing kit,

00:36:35.520 --> 00:36:40.980
these guys shared something personal. It was a job description that seemed to look

00:36:40.980 --> 00:36:47.760
a lot like what Dark Basin hackers were doing. Because of this CV, Citizen Lab had somebody’s

00:36:47.760 --> 00:36:52.500
name and the name of a company in India they worked for. John looked the guy up.

00:36:52.500 --> 00:36:57.840
JOHN: The guy, when we looked at him, listed his job description as a penetration tester

00:36:57.840 --> 00:37:04.740
for a company called BellTroX InfoTech Services. It didn’t end there. We also found another person

00:37:04.740 --> 00:37:09.960
who also listed his employer as BellTroX InfoTech Services posting online on a message board.

00:37:09.960 --> 00:37:13.920
JACK: This other guy was offering up more than just a job description. He

00:37:13.920 --> 00:37:16.860
was sharing company secrets, pulling back the curtains.

00:37:16.860 --> 00:37:21.060
JOHN: He’s like hey, let me show you this cool technique that I’ve got. Look at these

00:37:21.060 --> 00:37:27.060
swank-looking phishing pages that I’ve generated. The screenshots included the

00:37:27.060 --> 00:37:29.266
infrastructure that belonged to this operation.

00:37:29.266 --> 00:37:34.140
JACK: [MUSIC] These employees were evidence that BellTroX, a company based in New Delhi,

00:37:34.140 --> 00:37:39.780
was into phishing and probably hacking, too. John and Adam dug deeper.

00:37:39.780 --> 00:37:44.100
JOHN: BellTroX had a web presence [00:40:00] and the web presence described them as doing

00:37:44.100 --> 00:37:49.920
penetration testing, certified ethical hacking, and also medical transcription, and a couple

00:37:49.920 --> 00:37:56.640
of other strange activities. In the marketplace for e-mail compromise,

00:37:56.640 --> 00:38:03.180
certified ethical hacking and penetration testing are unfortunately often used as code language for

00:38:03.180 --> 00:38:06.960
‘we’ll hack inboxes for you.’ We were never able to find out whether they actually did do

00:38:06.960 --> 00:38:12.720
medical transcription, but it seemed like a clever front for their real activity.

00:38:12.720 --> 00:38:17.220
JACK: Was that real activity being Dark Basin, a massive hack-for-hire mercenary

00:38:17.220 --> 00:38:22.440
outfit? John says BellTroX left a lot of incriminating info out there in the open.

00:38:22.440 --> 00:38:27.180
JOHN: One of the things that made this investigation possible is that

00:38:27.180 --> 00:38:33.420
BellTroX was noisy. Their people had a lot of stuff that were publicly exposed. This meant

00:38:33.420 --> 00:38:38.040
that they would do things like post online. They had LinkedIn pages with likes and that

00:38:38.040 --> 00:38:41.580
often described exactly what it was that they did, [MUSIC] like e-mail hacking and

00:38:41.580 --> 00:38:48.780
penetration. The LinkedIn profiles ranged a bit, but some of the guys looked like they had been at

00:38:48.780 --> 00:38:54.780
this game for a while and they had profiles, pictures of hacker types with sunglasses and

00:38:54.780 --> 00:39:00.900
binary streaming by in the background and goofy e-mail addresses with 007 in them,

00:39:00.900 --> 00:39:06.840
offering all kinds of wares. Then others seemed a bit more professionalized. It was very clear that

00:39:06.840 --> 00:39:11.280
some of the people who worked at BellTroX were offering what were clearly illegal services.

00:39:11.280 --> 00:39:17.280
JACK: This wasn’t a case of a few bad apples in an otherwise innocent IT company. BellTroX’s

00:39:17.280 --> 00:39:21.780
history of illicit activities went all the way to the top to the guy running the show;

00:39:21.780 --> 00:39:27.600
Sumit Gupta. John says Sumit Gupta has a history in the hack-for-hire business.

00:39:27.600 --> 00:39:35.220
JOHN: The owner of BellTroX has been indicted and charged and is

00:39:35.220 --> 00:39:41.100
currently a fugitive from justice in the US, but not because of this latest case,

00:39:41.100 --> 00:39:45.660
but because there’s an earlier set of cases where he was part of a group working with

00:39:45.660 --> 00:39:49.980
American private investigators to do exactly the same kind of activity.

00:39:49.980 --> 00:39:54.780
JACK: The prior case offers important insight into understanding Sumit Gupta, the work that

00:39:54.780 --> 00:39:59.340
BellTroX was doing, and where their clients were coming from. But to understand this, we’ve got to

00:39:59.340 --> 00:40:04.740
turn back the clock to 2012. It’s a time before NortonLifeLock and Citizen Lab were tracking Dark

00:40:04.740 --> 00:40:09.840
Basin at all, and before the EFF reported about an advanced spear phishing campaign.

00:40:09.840 --> 00:40:15.300
Back in 2012, there were two competing American companies that sold nutritional supplements.

00:40:15.300 --> 00:40:20.700
One was named Visalus and the other was named Ocean Avenue. Some of Visalus’ distributors

00:40:20.700 --> 00:40:26.760
had signed on with Ocean Avenue, so Visalus sued, accusing the distributors of violating

00:40:26.760 --> 00:40:31.560
a non-compete agreement. Amid the ensuing court battle, Visalus hired two private

00:40:31.560 --> 00:40:36.000
investigators to look into Ocean Avenue. They wanted information to bolster their case,

00:40:36.000 --> 00:40:41.460
but things went a little too far. The private investigators hired hackers to break into

00:40:41.460 --> 00:40:47.700
Ocean Avenue’s computers which was totally illegal. One of the hackers was Sumit Gupta.

00:40:47.700 --> 00:40:51.660
[MUSIC] These guys successfully got into Ocean Avenue’s computers,

00:40:51.660 --> 00:40:56.880
but their operation came unglued. One of the hackers got cold feet and confessed to one of

00:40:56.880 --> 00:41:01.800
the targets. This led to a 2015 federal grand jury indictment which named five

00:41:01.800 --> 00:41:05.700
members of the scheme and charged them with ten counts related to conspiracy,

00:41:05.700 --> 00:41:12.060
accessing protected computers, and intercepting electronic communications. Everyone but Sumit,

00:41:12.060 --> 00:41:17.100
who was believed to be in India, pleaded out. The two PIs and their Visalus contact

00:41:17.100 --> 00:41:22.140
were sentenced to probation. The hackers who had fessed up actually had a prior record and

00:41:22.140 --> 00:41:28.080
were sentenced to three years in prison. Sumit’s case was turned into a fugitive criminal one. The

00:41:28.080 --> 00:41:33.960
FBI got in touch with their New Delhi branch, but Sumit remained at large. It’s been eight

00:41:33.960 --> 00:41:39.180
years since Sumit was known to be involved in this hack-for-hire scheme with the Visalus

00:41:39.180 --> 00:41:44.580
case. It seems like he’s been busy, too. Sumit has taken this model of working with private

00:41:44.580 --> 00:41:50.520
investigators to the next level. The PI thing is something John says they saw with BellTroX.

00:41:50.520 --> 00:41:56.340
JOHN: One of the things that we learned pretty quickly is that BellTroX and their people would

00:41:56.340 --> 00:42:01.560
openly solicit online. One of the big audiences that they seemed to be targeting was American

00:42:01.560 --> 00:42:07.740
and Western private investigators, offering all kinds of e-mail based targeting services with,

00:42:07.740 --> 00:42:11.580
in some cases, coded language and in other cases just saying exactly what they would

00:42:11.580 --> 00:42:20.160
do for you. Their pages had endorsements from hundreds of Western private investigators. It

00:42:20.160 --> 00:42:26.340
doesn’t take a very sophisticated person to feel that there’s something off about this company.

00:42:26.340 --> 00:42:30.420
It led to this question; why have all these private investigators

00:42:30.420 --> 00:42:34.980
vouched for this random Indian medical transcription/penetration testing company?

00:42:34.980 --> 00:42:39.600
Imagine if a private investigator is hiring a bunch of hackers; they’re not gonna splash it

00:42:39.600 --> 00:42:42.480
all over the place which is why it was so [00:45:00] interesting that private

00:42:42.480 --> 00:42:45.120
investigators did still feel comfortable vouching for these guys on LinkedIn.

00:42:45.120 --> 00:42:49.980
JACK: This was a big, loud clue along with the others that something wasn’t right

00:42:49.980 --> 00:42:56.580
with this company, BellTroX. This supposedly innocent Indian company was up to something,

00:42:56.580 --> 00:43:01.200
although the PI thing kind of makes sense, right? There’s a vast network

00:43:01.200 --> 00:43:05.220
of professional investigators out there. Why not tap into their market and position

00:43:05.220 --> 00:43:10.546
yourself and services as a go-to tool in their toolbox? Forget the legalities.

00:43:10.546 --> 00:43:14.580
JOHN: [MUSIC] It made us think that maybe the kind of practice that BellTroX is engaged in

00:43:14.580 --> 00:43:18.720
is not that uncommon in the field of private investigations. Subsequent

00:43:18.720 --> 00:43:21.780
discussions with private investigators and others have made it clear that that is the case,

00:43:21.780 --> 00:43:27.300
and that a lot of PIs do use this kind of service as part of their investigations.

00:43:27.300 --> 00:43:33.120
JACK: Here’s something else to support that; Sumit Gupta has a Pod.io profile still up on

00:43:33.120 --> 00:43:38.940
the internet. He’s listed as Sumit Vishnoi, one of his known aliases which is also in his court

00:43:38.940 --> 00:43:43.920
records. His profile says he’s with BellTroX which is described as a cyber-intelligence

00:43:43.920 --> 00:43:48.480
company. The clients he’s interested in are private investigators, corporate lawyers,

00:43:48.480 --> 00:43:52.860
corporate investigators, corporate firms, celebrities, and politicians. There’s nothing

00:43:52.860 --> 00:43:58.080
about medical transcription. It’s pretty clear that he and BellTroX were interested in and

00:43:58.080 --> 00:44:03.600
hooked in with private investigators. But what remains unclear is who might’ve been on

00:44:03.600 --> 00:44:09.960
the other end of this client chain. Who hired the PIs? That’s hard for Citizen Lab to say.

00:44:09.960 --> 00:44:15.300
JOHN: The challenge for us is to apply the same level of rigor to all of our investigative pieces,

00:44:15.300 --> 00:44:20.220
and there are pieces that can be seen about these groups and pieces that are not seeable by

00:44:20.220 --> 00:44:25.800
us. For example, it’s very likely the case that anybody who is a big company who hired BellTroX

00:44:25.800 --> 00:44:29.940
may have done it through layers. Maybe they hired a law firm who hired an investigator

00:44:29.940 --> 00:44:34.320
who hired an intermediary who hired BellTroX. We don’t really know. It’s very hard to make

00:44:34.320 --> 00:44:39.360
statements like so-and-so hired so-and-so, even. We want to be careful to get these things right.

00:44:39.360 --> 00:44:45.840
JACK: Citizen Lab doesn’t have hard evidence on somebody like Exxon or Wirecard directly hiring

00:44:45.840 --> 00:44:50.880
BellTroX or even having it done through a middle-man. What they can see is that

00:44:50.880 --> 00:44:55.260
there were all these phishing attacks on sets of targets, and they have a lot of

00:44:55.260 --> 00:45:00.840
circumstantial evidence linking those attacks. You never know for sure when it comes to this,

00:45:00.840 --> 00:45:05.400
so all you can say is that you have a high confidence in your assessment.

00:45:05.400 --> 00:45:10.680
JOHN: Our mental model for what goes on is that private investigators hire BellTroX

00:45:10.680 --> 00:45:14.700
to gain access to material that could then be used in all sorts of different ways. It

00:45:14.700 --> 00:45:19.500
could be leaked to the press, it could be used in a legal dispute to apply leverage,

00:45:19.500 --> 00:45:22.860
it could be about figuring out an opposing party’s strategy in

00:45:22.860 --> 00:45:26.760
something political. Indeed, we think we felt evidence of all those things.

00:45:26.760 --> 00:45:30.660
JACK: When looking at the big picture of this hack-for-hire scheme,

00:45:30.660 --> 00:45:34.800
John says the motivations seemed different than other types of attacks.

00:45:34.800 --> 00:45:40.860
JOHN: What this really showed us was that there is a very large industry that does this and that

00:45:40.860 --> 00:45:45.780
pretty much wherever you scratch, whatever vertical you’re looking at, a component of

00:45:45.780 --> 00:45:51.840
the hacking that large organizations and small organizations face is this kind of

00:45:51.840 --> 00:45:56.160
stuff which is different than ransomware. It’s different than business e-mail compromise. It’s

00:45:56.160 --> 00:46:01.320
different than CEO fraud. It’s just part of the complete breakfast of bad stuff that maybe

00:46:01.320 --> 00:46:05.700
points at an organization. What’s different about this from some of those other cases,

00:46:05.700 --> 00:46:11.280
that the motivations here do not appear to be primarily financial. They’re not trying

00:46:11.280 --> 00:46:15.960
to get into bank accounts. They’re not trying to trigger wire transfers. They’re looking for,

00:46:15.960 --> 00:46:19.080
in some ways, the even more valuable commodity which is a commodity that’s

00:46:19.080 --> 00:46:24.660
directly beneficial to the adversary of a company which is real different than

00:46:24.660 --> 00:46:28.380
a parasitic commercial operation trying to steal a bunch of money.

00:46:28.380 --> 00:46:32.700
JACK: In their report, Citizen Lab calls large-scale hacking operations like Dark

00:46:32.700 --> 00:46:38.100
Basin a threat to democracy. They say it’s a tool for the powerful and can be used to

00:46:38.100 --> 00:46:44.760
attack people who can’t defend themselves. It’s a brazen approach that really stood out to Adam.

00:46:44.760 --> 00:46:48.360
He says the way BellTroX went about their business was shocking.

00:46:48.360 --> 00:46:53.580
ADAM: From my perspective, this kind of activity coming from an organization that – it has the

00:46:53.580 --> 00:46:57.660
public face; like, BellTroX is a company. They’re out there. They’re publicly advertising services

00:46:57.660 --> 00:47:04.440
in and around this sphere, and they’re out there operating completely in the open. To me,

00:47:04.440 --> 00:47:11.400
that’s just even more egregious than what we know is out there. For example, on the dark web, you

00:47:11.400 --> 00:47:19.680
know that there are contractors and people working piecemeal to selling services of this kind, of

00:47:19.680 --> 00:47:25.260
hacking e-mail and hacking social media accounts and so forth, sort of onesie-twosie style. But

00:47:25.260 --> 00:47:34.066
having a company basically existing in public and operating like this is especially egregious.

00:47:34.066 --> 00:47:36.900
JOHN: [MUSIC] Yeah, to build on what Adam’s saying, there’s another problem which is it

00:47:36.900 --> 00:47:41.160
doesn’t look that different from some of the other kinds of phishing that companies face where they

00:47:41.160 --> 00:47:45.120
just look at it and they’re like, okay, caught this, right? Caught the doing business.

00:47:45.120 --> 00:47:51.660
But the risk behind this is in some ways a lot greater because it’s part of a package of things,

00:47:51.660 --> 00:47:57.240
right? The targeting doesn’t end with the successful exfiltration of an e-mail. It

00:47:57.240 --> 00:48:00.480
would end with the successful use of the information in that e-mail to harm

00:48:00.480 --> 00:48:07.260
somebody, a company, to harm a reputation. Very different stuff, but on the initial technical end,

00:48:07.260 --> 00:48:14.220
it kind of looks the same. We’ve also gotten the sense that big platforms are just starting to

00:48:14.220 --> 00:48:18.720
really come to terms with how bad the problem is. We know that Google, earlier this year,

00:48:18.720 --> 00:48:23.280
for the first time in one of their publications from the TAG Group, they’re talking about this.

00:48:23.280 --> 00:48:27.900
We hope to see other big platforms taking these groups seriously and adding them to

00:48:27.900 --> 00:48:30.960
their list of threat actors that need to be constantly tracked and mitigated against.

00:48:30.960 --> 00:48:35.460
JACK: Keeping tabs on such a big operation takes a lot of committed organizations like

00:48:35.460 --> 00:48:39.540
the Google Threat Analysis Group that John just mentioned. Yet in the end,

00:48:39.540 --> 00:48:43.020
a lot of these groups can only go far because like Citizen Lab,

00:48:43.020 --> 00:48:48.720
they’re using open-source methods. They can’t hack BellTroX to get hard information. That’s illegal.

00:48:48.720 --> 00:48:53.340
JOHN: I think one of the challenges with a group like this though is that there’s only so much that

00:48:53.340 --> 00:48:57.720
researchers – whether it’s like NortonLifeLock or Citizen Lab – we can actually do once we get

00:48:57.720 --> 00:49:03.780
to that – the front door of an enterprise and then maybe the personal postings of people. Part

00:49:03.780 --> 00:49:09.060
of what was very important in this case was that there was a criminal investigation that got kicked

00:49:09.060 --> 00:49:15.480
off because those investigations have access to legally-authorized resources that we just don’t.

00:49:15.480 --> 00:49:20.700
JACK: See, this brings us back to the whole good versus evil thing. Adam and John at Citizen Lab

00:49:20.700 --> 00:49:25.380
will only investigate this up to what they’re legally allowed to do. They’re not gonna break the

00:49:25.380 --> 00:49:31.920
law to figure this out, yet whoever is behind Dark Basin apparently has no problem breaking laws by

00:49:31.920 --> 00:49:37.860
hacking into their victims’ accounts. I think Dark Basin is evil, but they’re just the weapon here.

00:49:37.860 --> 00:49:43.860
Whoever is hiring them is the real villain here, right? But when you break down good and evil,

00:49:43.860 --> 00:49:51.240
things turn gray really fast. Because, suppose Wirecard or Exxon did hire Dark Basin to spy on

00:49:51.240 --> 00:49:56.220
journalists and activists. The executives in those companies probably saw the journalists

00:49:56.220 --> 00:50:02.580
and activists as being the evil people trying to wreck the company. The decision-makers were

00:50:02.580 --> 00:50:06.720
trying to protect the company they worked for because in their eyes, the company is great

00:50:06.720 --> 00:50:11.940
and worth fighting for, and there’s a lot of shareholders who also believe in the company.

00:50:11.940 --> 00:50:17.280
I don’t know. I’m trying to find a way that the evil side has an out here, but I’m struggling.

00:50:17.280 --> 00:50:23.700
I just don’t see that whoever hired Dark Basin to hack people’s accounts was acting in good faith

00:50:23.700 --> 00:50:29.520
or had any morals or integrity, because if I saw activists or journalists exposing crimes

00:50:29.520 --> 00:50:34.380
my company committed and I felt that my company was great and worth fighting for, I think the

00:50:34.380 --> 00:50:39.660
right thing to do would be to investigate the crimes and to put a stop to them, repair what

00:50:39.660 --> 00:50:46.380
was done wrong and not silence the news about it or threaten people just so I could keep getting

00:50:46.380 --> 00:50:52.320
away with breaking the law. At the request of some of the targets they were working with, Citizen Lab

00:50:52.320 --> 00:50:57.240
got in touch with the US Department of Justice who started a criminal investigation. So far,

00:50:57.240 --> 00:51:03.300
a guy named Aviram Azari has been indicted and arrested for engaging in a hack-for-hire scheme.

00:51:03.300 --> 00:51:08.340
A lot of the stuff in the indictment sounds pretty familiar at this point. Aviram is an Israeli

00:51:08.340 --> 00:51:13.740
private investigator. He’s charged with conspiring with others to hack computers. He allegedly

00:51:13.740 --> 00:51:19.320
exchanged e-mails with an unnamed co-conspirator who said he had a team of sophisticated developers

00:51:19.320 --> 00:51:24.480
that could break into e-mail accounts. Aviram was invited to India to meet with the senior

00:51:24.480 --> 00:51:29.820
management of this organization which to me sounds like it could be BellTroX or Dark Basin.

00:51:29.820 --> 00:51:34.980
This June, Citizen Lab released their Dark Basin report, and it was widely covered by the press.

00:51:34.980 --> 00:51:42.000
Reuters was able to interview Sumit Gupta, but he denied any wrongdoing. He said all he did was

00:51:42.000 --> 00:51:47.940
help private investigators download e-mails after they gave him login information. He added that he

00:51:47.940 --> 00:51:53.580
was just providing tech support. Although he’s been a fugitive in the US since 2017,

00:51:53.580 --> 00:51:59.820
it appears he’s still at large in India. The Citizen Lab report also prompted responses from

00:51:59.820 --> 00:52:04.980
some of the companies like Exxon and Wirecard. To be clear, the report didn’t accuse them of

00:52:04.980 --> 00:52:10.380
anything. In a New York Times article, an Exxon spokesperson said the company didn’t know of any

00:52:10.380 --> 00:52:15.480
involvement with this specific hacking group identified in the Citizen Lab report. Wirecard

00:52:15.480 --> 00:52:19.380
also told the Financial Times that they didn’t have anything to do with this hacker group in

00:52:19.380 --> 00:52:28.020
India. But coincidentally, Wirecard tanked not long after this Dark Basin report came out.

00:52:28.020 --> 00:52:34.560
JOHN: [MUSIC] What’s interesting is that not long after our report dropped,

00:52:34.560 --> 00:52:41.503
it became clear that there were very serious problems with financial management at Wirecard.

00:52:41.503 --> 00:52:46.740
JACK: The timing was total coincidence, but in June 2020, things did

00:52:46.740 --> 00:52:52.500
go sideways at Wirecard. Journalists and short sellers like Matthew Earl for years had accused

00:52:52.500 --> 00:52:57.660
Wirecard of financial wrongdoing, but the company had strongly defended its position, saying that

00:52:57.660 --> 00:53:02.940
its critics were colluding to bring them down. In the years after Matthew Earl’s report came out,

00:53:02.940 --> 00:53:09.960
Wirecard’s stock had actually gone up and Matthew had to unload his short position. But according

00:53:09.960 --> 00:53:16.080
to The Wall Street Journal, this year, an audit came back saying Wirecard was missing over two

00:53:16.080 --> 00:53:22.860
billion dollars in money. The fallout was quick. On June 5th, Wirecard headquarters in Germany was

00:53:22.860 --> 00:53:29.340
raided by prosecutors and police. CEO Markus Braun was arrested and the COO, Jan Marsalek,

00:53:29.340 --> 00:53:36.300
had vanished. By the end of June, Wirecard had filed for insolvency, unable to cover its debts.

00:53:36.300 --> 00:53:42.480
John says the collapse of Wirecard and the Citizen Lab report are a welcome atonement for some.

00:53:42.480 --> 00:53:46.980
JOHN: It was a very quick and sort of coincidental turn of events that our

00:53:46.980 --> 00:53:50.940
reporting happened just before that, but it does have the feature of vindicating

00:53:50.940 --> 00:53:54.540
the targets who for years had been saying look, there’s something wrong with this company.

00:53:54.540 --> 00:53:59.400
JACK: That was a big deal for Matthew Earl. He had been harassed with surveillance, legal letters,

00:53:59.400 --> 00:54:04.260
and phishing e-mails for years. It had been going on for so long, it just became normal

00:54:04.260 --> 00:54:10.560
for him. He was relieved when the Citizen Lab report came out linking the phishing to BellTroX.

00:54:10.560 --> 00:54:20.040
MATTHEW: There was a vindication to it as well and also, it made it easier to tell people about

00:54:20.040 --> 00:54:26.760
this whole affair, because if you were to tell someone that there’s a German bank that’s had you

00:54:26.760 --> 00:54:33.540
under surveillance for several years and they’re operating – they’ve got an approach where they’re

00:54:33.540 --> 00:54:42.840
trying to hack into your e-mail and discredit you, then you’d sound a bit like a conspiracy nut

00:54:42.840 --> 00:54:51.600
despite the fact that it’s all true. If you’ve got a reputable organization such as Citizen Lab

00:54:51.600 --> 00:54:58.620
that is able to highlight this and to add credibility to that, then that’s incredibly

00:54:58.620 --> 00:55:04.380
helpful in able to – in being able to tell people about it and describe your experience,

00:55:04.380 --> 00:55:13.200
and know that actually yes, it is true, and you haven’t made it all up.

00:55:13.200 --> 00:55:21.060
OUTRO: [OUTRO MUSIC] A big thank-you to Matthew Earl, Adam Hulcoop, and John Scott-Railton for

00:55:21.060 --> 00:55:26.040
sharing this incredible story with us. You can learn more about Citizen Lab at citizenlab.ca.

00:55:26.040 --> 00:55:31.380
As always, you can visit darknetdiaries.com to see additional links and information, as

00:55:31.380 --> 00:55:37.200
well as original artwork I make for each episode. Speaking of artwork, I’ve been busy making tons

00:55:37.200 --> 00:55:41.700
of designs into t-shirts. You gotta check out the shop which has dozens of shirts right now,

00:55:41.700 --> 00:55:48.480
and I’m sure you’ll find a design you will love. Visit shop.darknetdiaries.com and of course,

00:55:48.480 --> 00:55:54.240
I ship worldwide. This show is made by me, the karate skid, Jack Rhysider. Sound design and

00:55:54.240 --> 00:55:59.220
original music created this episode by Garrett Tiedemann who probably dreams in music. This

00:55:59.220 --> 00:56:03.780
episode was produced by the outdoorsman, Charles Bolstere, and editing help this episode by the

00:56:03.780 --> 00:56:08.520
dream-weaver, Damienne. Our theme music is by the advanced persistent beat known as Breakmaster

00:56:08.520 --> 00:56:18.120
Cylinder. Even though I’m in security, it doesn’t mean I’m insecure. This is Darknet Diaries.

00:56:18.120 --> 00:56:18.801
[OUTRO MUSIC ENDS]
