WEBVTT

00:00:00.000 --> 00:00:04.440
JACK: Hey, it’s Jack, host of the show. I was talking with some online criminals the other day,

00:00:04.440 --> 00:00:10.440
which I guess I talk to criminals a lot. It’s kinda weird. But someone told me a story that

00:00:10.440 --> 00:00:15.180
really put me in deep thought. Okay, so, the story goes – and I have no way of confirming

00:00:15.180 --> 00:00:19.260
this is true, but this guy swears it’s true; he told me that he knows this guy,

00:00:19.260 --> 00:00:25.500
an online scammer, hacker, criminal guy who was caught and arrested in 2016. Now, at that time,

00:00:25.500 --> 00:00:31.680
Bitcoin was just worth $600 per coin. The police seized everything from this guy; his computers,

00:00:31.680 --> 00:00:38.220
his phones, all electronics, CDs, thumb drives, everything. But they didn’t take his notebook

00:00:38.220 --> 00:00:45.300
and in that notebook was the private key to his Bitcoin wallet. He was able to stash it in a safe

00:00:45.300 --> 00:00:53.280
place before going to prison. Currently he’s still in prison and Bitcoin has risen above $30,000 per

00:00:53.280 --> 00:00:59.880
coin. This guy’s wallet has eighteen Bitcoins in it. He’s due to get out next year and the police

00:00:59.880 --> 00:01:05.520
still don’t know about his hidden Bitcoin. It was only worth $10,000 when he got arrested,

00:01:05.520 --> 00:01:12.060
but today it’s worth almost a million dollars. All he’ll need to do to get that Bitcoin is to find

00:01:12.060 --> 00:01:18.120
the private key in that notebook he wrote down five years ago. That’s such a trip for me to think

00:01:18.120 --> 00:01:24.420
about, a criminal losing everything, starting from scratch, but the day he walks out of jail,

00:01:24.420 --> 00:01:30.300
he’ll be a millionaire all because he was able to hold onto that Bitcoin the whole time.

00:01:30.300 --> 00:01:41.640
(INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet.

00:01:41.640 --> 00:01:53.400
I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS]

00:01:53.400 --> 00:02:00.780
JACK:

00:02:00.780 --> 00:02:05.280
Today, we hear a story from Chris Davis and like many people in this podcast,

00:02:05.280 --> 00:02:07.200
his story starts out in high school.

00:02:07.200 --> 00:02:11.640
CHRIS: It’s funny; I actually didn’t finish high school which was

00:02:11.640 --> 00:02:17.280
a bit weird. I dropped out in grade eleven and moved out on my own. I started picking

00:02:17.280 --> 00:02:24.840
up odd jobs working on people’s computers and pulling cable through ceilings and stuff like

00:02:24.840 --> 00:02:30.060
that to network small offices, and that sort of turned into a career path for me.

00:02:30.060 --> 00:02:33.780
JACK: Chris grew up in Canada and his home life was rough. He ventured out on

00:02:33.780 --> 00:02:38.340
his own at a young age and he somehow was able to get by. At the same time,

00:02:38.340 --> 00:02:43.920
he loved computers and learning about protocols and coding and operating systems and networks.

00:02:43.920 --> 00:02:48.900
CHRIS: I went from that to a lot of contract work.

00:02:48.900 --> 00:02:54.420
I ended up with a contract working for the federal government which turned into a bigger

00:02:54.420 --> 00:02:59.100
job working for the federal government in Canada. Did that for many years.

00:02:59.100 --> 00:03:01.680
JACK: What was – where did you work there?

00:03:01.680 --> 00:03:08.940
CHRIS: Well, I worked in a lot of different areas. Some of it I can’t talk about; some of it I can.

00:03:08.940 --> 00:03:09.780
It’d be…

00:03:09.780 --> 00:03:14.460
JACK: Was it like, intelligence? Were you doing Canadian top-secret intelligence stuff?

00:03:14.460 --> 00:03:24.900
CHRIS: Some of it was. A lot of it was doing cyber-security related red team work,

00:03:24.900 --> 00:03:33.600
so we’re doing exploitation or attack simulations. I’ve done that type of work

00:03:33.600 --> 00:03:38.436
for just about every major government department in the federal government.

00:03:38.436 --> 00:03:44.400
JACK: Whoa, whoa, whoa, let’s slow down here. Chris really didn’t want to talk about his time

00:03:44.400 --> 00:03:49.800
working for Canada’s intelligence agencies, but you know what? This is common for everyone I’ve

00:03:49.800 --> 00:03:54.300
met who’s worked there. I can barely get anyone to even say what department they worked in,

00:03:54.300 --> 00:04:00.720
and the same goes for the UK, too. I’ve met people who are a part of GCHQ but won’t peep a word of it

00:04:00.720 --> 00:04:06.180
with me. But that won’t stop me from looking into it more. So, what is NSA’s equivalent in Canada?

00:04:06.180 --> 00:04:12.780
Well, it’s called the Communications Security Establishment, or CSE. Yeah, it’s pretty secretive

00:04:12.780 --> 00:04:17.520
of what goes on in there, but I’ve found a recruitment video, so let’s take a listen.

00:04:17.520 --> 00:04:22.740
HOST1: [MUSIC] You may be the smartest person on your block. You may have the best marks in the

00:04:22.740 --> 00:04:28.440
history of your program. You may have written some of the most robust code ever, speak and write ten

00:04:28.440 --> 00:04:34.440
languages fluently, or be scarily bright in math, physics, or engineering, but we have just one

00:04:34.440 --> 00:04:40.740
question for you. Can you keep a secret? We are the Communications Security Establishment Canada.

00:04:40.740 --> 00:04:47.340
We’re serious, really serious about our mission. We provide the government of Canada with foreign

00:04:47.340 --> 00:04:51.960
signals intelligence and protect information of national interest through leading-edge technology.

00:04:51.960 --> 00:04:58.920
We do all this while facing the increasingly complex threat of cyber-terrorism. But back to the

00:04:58.920 --> 00:05:03.420
keeping a secret part; you see, that motherlode of information we’ve talked about has

00:05:03.420 --> 00:05:09.540
enormous strategic and economic value to Canada. As you can imagine, it is highly prized by those

00:05:09.540 --> 00:05:15.360
who would create chaos and threaten our safety and security. How we protect it is top-secret.

00:05:15.360 --> 00:05:21.000
JACK: I don’t know if Chris worked at CSE or not and I don’t know if he was a full-time

00:05:21.000 --> 00:05:26.640
employee or just a contractor. I guess he’s good at keeping secrets though, huh? But all

00:05:26.640 --> 00:05:30.480
I have to go by is the statement that he just said a moment ago, that he was…

00:05:30.480 --> 00:05:35.400
CHRIS: …doing exploitation or attack simulations, so I’ve done that type of

00:05:35.400 --> 00:05:39.900
work for just about every major government department in the federal government.

00:05:39.900 --> 00:05:45.480
JACK: Yeah, I guess the citizens of Canada must really trust the government. Yeah,

00:05:45.480 --> 00:05:49.080
we know we can’t ask what you’re doing and we know you can’t tell us,

00:05:49.080 --> 00:05:54.840
but we just assume you’re on the good side, I guess. There’s no transparency at all.

00:05:54.840 --> 00:05:58.980
CHRIS: You’re right, there’s much less transparency. I think we’re more laid back

00:05:58.980 --> 00:06:03.600
than our American friends. I think there are people that certainly don’t trust the government

00:06:03.600 --> 00:06:10.440
and there are some – there are sort of some freedom of information-type acts and whatever

00:06:10.440 --> 00:06:15.720
but I think that all-in-all, you’re right; we’re just a little more laid back about that stuff. But

00:06:15.720 --> 00:06:22.500
anything that you do for the security services in Canada that’s – or in the intelligence space

00:06:22.500 --> 00:06:25.260
gets sealed for 101 years or something.

00:06:25.260 --> 00:06:29.760
JACK: So, you can imagine what kind of exposure and skills he picked up doing

00:06:29.760 --> 00:06:33.240
this kind of work. Now, somewhere in this time he gets married and

00:06:33.240 --> 00:06:38.460
still has a burning desire to learn more about computers, tech, hacking, whatever.

00:06:38.460 --> 00:06:42.480
CHRIS: So, when I’d get home from work, I’d be on the computer trying to learn more,

00:06:42.480 --> 00:06:45.840
trying to see what the bad guys are up to, and this guy,

00:06:45.840 --> 00:06:51.480
Curador, [MUSIC] was bragging about all the different e-commerce sites he’d compromised

00:06:51.480 --> 00:06:57.780
and was publishing people’s personal credit card information online. He was just being a jackass.

00:06:57.780 --> 00:07:04.680
JACK: A person named Curador had posted online that he broke into different e-commerce websites,

00:07:04.680 --> 00:07:09.900
stole a bunch of credit cards, and then posted them to his own websites for anyone

00:07:09.900 --> 00:07:15.360
to use. Curador was really bragging about what he did and how bad the security was

00:07:15.360 --> 00:07:20.640
for the places he hacked into. He actually called himself the saint of e-commerce,

00:07:20.640 --> 00:07:24.285
and he would call up radio shows and boast about what he did.

00:07:24.285 --> 00:07:28.380
HOST2: [MUSIC] Welcome to Internet News Radio. Curador said he likes

00:07:28.380 --> 00:07:31.320
to compare himself to the main character in the movie The Saint.

00:07:31.320 --> 00:07:35.040
CURADOR: Basically it’s my delusions of grandeur coming into full view.

00:07:35.040 --> 00:07:37.080
HOST3: You’ve got potentially several

00:07:37.080 --> 00:07:39.660
law enforcement agencies in several countries tracking you.

00:07:39.660 --> 00:07:40.051
CURADOR: Yeah. It doesn’t concern me at all. They couldn’t, they’re bad law enforcement.

00:07:40.051 --> 00:07:47.820
CHRIS: I don’t know, it just sort of bothered me that he was being – he was bragging so much

00:07:47.820 --> 00:07:53.040
and being so full of himself. I noticed he hit a couple of Canadian companies

00:07:53.040 --> 00:07:57.360
and for some reason that triggered me, I guess. [MUSIC] I started going after him.

00:07:57.360 --> 00:08:03.420
JACK: Ah, interesting challenge, huh? Can someone who develops exploits and carries

00:08:03.420 --> 00:08:07.920
out hacks for the Canadian government track and find this arrogant criminal?

00:08:07.920 --> 00:08:13.680
Chris was on the trail. Step one is to look at the logs, but

00:08:13.680 --> 00:08:19.500
news agencies and victims weren’t publishing logs, so he had to go get them himself.

00:08:19.500 --> 00:08:24.960
CHRIS: Phone people up and say hey, can I help you with the problem you have? I’m not gonna

00:08:24.960 --> 00:08:30.420
charge you anything. I just want to try to catch this guy. More often than not they’re like yeah,

00:08:30.420 --> 00:08:36.480
sure, have access to the inside of my network, have access to my logs. I wrote a bunch of

00:08:36.480 --> 00:08:42.960
firewall rules for one of them, helped a guy with – do some filtering on his router and,

00:08:42.960 --> 00:08:47.820
whatever. Yeah, they just really hand me access to whatever I asked for.

00:08:47.820 --> 00:08:52.320
JACK: He was able to get the network logs and web server logs of this criminal activity,

00:08:52.320 --> 00:08:55.860
and this was a wake-up call for these e-commerce sites. They weren’t familiar

00:08:55.860 --> 00:09:00.120
with all the things that criminals could do and thought they had secured their sites very well,

00:09:00.120 --> 00:09:05.280
so they appreciated the help from Chris. He started discovering things from these logs.

00:09:05.280 --> 00:09:10.080
CHRIS: He would hide himself a little bit when he’d breach a site, and then he’d come back later

00:09:10.080 --> 00:09:18.180
and not hide. So, when he’d come back later, it did look like normal web traffic. It didn’t

00:09:18.180 --> 00:09:22.620
look like part of the breach, but when you take three or four of them together and you go hm,

00:09:22.620 --> 00:09:27.960
why within half an hour or an hour of the breach – before it’s published, before anybody knows

00:09:27.960 --> 00:09:34.200
about it, is there always this same IP address from Wales showing up to look around the site?

00:09:34.200 --> 00:09:38.580
JACK: This is the power of looking at multiple victims’ logs, trying to correlate them. Using

00:09:38.580 --> 00:09:43.800
geolocation, Chris figured out that Curador was somewhere in the UK. Next,

00:09:43.800 --> 00:09:46.020
Chris looked at what exploits he was using.

00:09:46.020 --> 00:09:49.920
CHRIS: The exploits he was using were vulnerabilities that were discovered

00:09:49.920 --> 00:09:55.740
by a friend of mine named Jeff Forristal, so I knew exactly how this kid was doing it. I went

00:09:55.740 --> 00:10:00.300
to the RCMP in Ottawa and they didn’t seem to want to do anything with it.

00:10:00.300 --> 00:10:03.240
Then one of the victims that was in Pennsylvania I guess had called their

00:10:03.240 --> 00:10:09.180
local field office of the FBI. I got a phone call at lunch one day from this FBI agent

00:10:09.180 --> 00:10:15.060
who said hey, I hear you’re working on this. Can you share what you got? I said sure, and I kinda

00:10:15.060 --> 00:10:21.960
became friends with the SA and shared everything. They took it from there and worked with the

00:10:21.960 --> 00:10:30.360
various police forces in the UK, and showed up at his door one early morning and made the arrest.

00:10:30.360 --> 00:10:35.400
Then I got a phone call from him at like, 6:00 in the morning that day and he said hey, we made

00:10:35.400 --> 00:10:41.460
the arrest, and thanks very much, and the FBI is doing a press release on this. I tried very hard

00:10:41.460 --> 00:10:48.480
to get your name in that release but they don’t want to acknowledge that somebody else helped us.

00:10:48.480 --> 00:10:52.200
He said so, I’m not saying this but if you were to put out your own press release,

00:10:52.200 --> 00:10:57.360
that might be a good idea. I had a friend of mine that was a journalist for one of the major papers

00:10:57.360 --> 00:11:01.440
in Canada and I called him and I said, what should I do? He’s like, I’m writing your press release

00:11:01.440 --> 00:11:06.360
for you right now; I’ll send it out. I said okay, and then all these TV trucks and stuff showed up

00:11:06.360 --> 00:11:12.750
at my house and gave my career a bit of a boost there in the late 90s or right around 2000.

00:11:12.750 --> 00:11:18.165
JACK: Now, almost immediately after the arrest, PBS Frontline decided to do an episode on this.

00:11:18.165 --> 00:11:18.648
HOST4: [MUSIC] Due to the graphic –[SCRAMBLED CHANNELS]

00:11:18.648 --> 00:11:25.320
HOST5: Made possible by contributions to your PBS station from viewers like you. Thank you.

00:11:25.320 --> 00:11:28.620
JACK: I found an old VHS recording of this episode. Now,

00:11:28.620 --> 00:11:33.300
this happened back in the winter of 2000 and guess what? Chris is in the video.

00:11:33.300 --> 00:11:37.680
HOST6: Chris Davis tracked him, following electronic footprints around the world

00:11:37.680 --> 00:11:43.260
without leaving his computer terminal, and he caught him and notified the FBI.

00:11:43.260 --> 00:11:45.540
CHRIS: Their bragging got to me. I just wanted to say okay, look,

00:11:45.540 --> 00:11:46.980
you’re really not this good. You’re not as good as

00:11:46.980 --> 00:11:50.700
you think you are. I’m guessing I have a really good idea how you’re doing this.

00:11:50.700 --> 00:11:56.640
JACK: The FBI and UK police figured out what ISP owned the IP that did these attacks from

00:11:56.640 --> 00:12:00.840
and asked that ISP for information on what customer was using that IP

00:12:00.840 --> 00:12:06.000
during the time of the attacks. From here, the authorities found the home address of Curador,

00:12:06.000 --> 00:12:09.420
who was in a little town in Wales in the UK.

00:12:09.420 --> 00:12:12.060
CHRIS: A little town called Clynderwen just outside of Cardiff.

00:12:12.060 --> 00:12:15.300
HOST6: [MUSIC] UK headquarters for the villain

00:12:15.300 --> 00:12:21.480
Curador turned out to be a bedroom in rural Wales, littered with broken computers and new age

00:12:21.480 --> 00:12:29.160
books, pop cans and ash trays, and a TV set where twice a day a bored teenager indulges an addiction

00:12:29.160 --> 00:12:37.700
to reruns of the 60s spy series The Saint. Curador is Raphael Gray, eighteen years old.

00:12:37.700 --> 00:12:41.700
JACK: They arrested him and took him to a nearby town to be processed,

00:12:41.700 --> 00:12:47.280
then they let him go to face a judge later on. But then the producers of PBS

00:12:47.280 --> 00:12:55.140
Frontline had this idea. They thought what if Chris and Curador could meet up in person?

00:12:55.140 --> 00:13:01.740
CHRIS: They said hey, can we fly you to Wales to go meet this guy that you helped the FBI arrest?

00:13:01.740 --> 00:13:07.020
I was like okay, I guess so. Is that normal? Is that what we’re supposed

00:13:07.020 --> 00:13:11.520
to do? We’re supposed to go hang out with the guy after we bust him? Okay.

00:13:11.520 --> 00:13:15.180
So, they flew me to Wales, put me up in this fancy hotel.

00:13:15.180 --> 00:13:19.900
JACK: So, Chris and the team from Frontline went to Curador’s home in Wales.

00:13:19.900 --> 00:13:20.340
CHRIS: This is your room?

00:13:20.340 --> 00:13:21.210
CURADOR: Yeah.

00:13:21.210 --> 00:13:25.980
HOST6: He’s remarkably friendly considering that just weeks earlier he’d opened his

00:13:25.980 --> 00:13:31.080
door to be swarmed by a squad of police officers and an FBI agent.

00:13:31.080 --> 00:13:35.160
CURADOR: All-in-all there was like, ten of us in this room all crowded round,

00:13:35.160 --> 00:13:40.320
but there was less floor space in here than there is now, a lot less. So, they’re all crammed in

00:13:40.320 --> 00:13:46.320
here. Four of them wore plain clothes and there was one guy wearing a sort of grey trench coat

00:13:46.320 --> 00:13:49.860
looking very disheveled, unshaven, and could seriously look like he had some jet lag.

00:13:49.860 --> 00:13:53.151
CHRIS: I’m guessing that’s FBI, yeah?

00:13:53.151 --> 00:13:56.880
CURADOR: Yeah. That was confirmed later on. He wouldn’t admit it to

00:13:56.880 --> 00:13:59.700
begin with. He claimed to be a Welsh police officer with a strong accent.

00:13:59.700 --> 00:14:05.040
HOST6: Raphael sees himself as a fairly typical hacker, not so much a crook as a nuisance.

00:14:05.040 --> 00:14:09.240
CURADOR: I think obviously I’m just a very nosey person.

00:14:09.240 --> 00:14:14.460
I’m like your nosey neighbor on steroids, basically. There is a lot of adrenaline,

00:14:14.460 --> 00:14:18.240
if nothing else, while you’re trying to track it down. I’ll sometimes do – I’ll spend two

00:14:18.240 --> 00:14:22.140
days solidly trying to do something without sleep, without anything, just constantly trying

00:14:22.140 --> 00:14:25.920
to do it. When you finally get through, the relief is – not just from the fact you got in,

00:14:25.920 --> 00:14:30.840
but now you can sleep. Your body is just literally crying out in relief from every possible avenue.

00:14:30.840 --> 00:14:36.120
HOST6: They are explorers, tirelessly traveling, fueled on caffeine,

00:14:36.120 --> 00:14:43.620
looking in cyber windows, trying cyber doorknobs because they’re bored or just because they can.

00:14:43.620 --> 00:14:46.920
JACK: [MUSIC] But what – so, what was it like meeting this guy?

00:14:46.920 --> 00:14:54.780
CHRIS: It was – you know, it was weird, obviously. He really seemed like kind of a

00:14:54.780 --> 00:15:04.860
charming, goofy, kinda nerdy kid. He was eighteen. He did not come from a rich family or

00:15:04.860 --> 00:15:12.900
probably have a lot of wonderful options of fun things to do in the small town that he lived in.

00:15:12.900 --> 00:15:23.760
I think we do see a lot of cyber-crime born out of a lack of career options and socioeconomic issues

00:15:23.760 --> 00:15:28.920
in various places around the world. I think it was a little bit of that. I kinda felt sorry for

00:15:28.920 --> 00:15:35.580
him a bit, I guess. He definitely could have made better choices but when you’re eighteen,

00:15:35.580 --> 00:15:40.200
you’re – you do dumb things when you’re eighteen. We all do.

00:15:40.200 --> 00:15:42.300
JACK: Yeah.

00:15:42.300 --> 00:15:49.740
CHRIS: Yeah, I think I liked him. That was really all there was to it. We kinda got

00:15:49.740 --> 00:15:55.560
along. We didn’t stay in touch or anything. I’d love to know what he’s up to now.

00:15:55.560 --> 00:16:00.240
JACK: Did you feel bad for getting this kid arrested? It’s obviously his actions,

00:16:00.240 --> 00:16:02.580
but how do you – do you deal with that mentally?

00:16:02.580 --> 00:16:09.960
CHRIS: Yeah, I did a little bit, I guess. I think that it was – he was doing something

00:16:09.960 --> 00:16:16.500
wrong and needed to stop, and that was the way to make it stop. I don’t feel bad about that.

00:16:16.500 --> 00:16:24.060
I feel bad – I don’t feel bad about what I did. I feel empathy for the situation he was in,

00:16:24.060 --> 00:16:28.860
I think. I also – I made dumb choices when I was eighteen. Not like that;

00:16:28.860 --> 00:16:35.700
I didn’t end up in jail or anything, but you feel for the guy, right?

00:16:35.700 --> 00:16:49.440
JACK: This was all going on while he was in Canada working as a contractor.

00:16:49.440 --> 00:16:56.160
CHRIS: Anyway, I left that and went down to Austin, Texas in 2005 and

00:16:56.160 --> 00:17:01.140
joined Dell. I was the technical lead for their security team

00:17:01.140 --> 00:17:07.980
for a few years. It was a very small team. There was like, five or six of us for

00:17:07.980 --> 00:17:14.100
pretty much all of global security for Dell. As you could imagine, that was pretty stressful.

00:17:14.100 --> 00:17:20.520
It was 100,000 employees and 80,000 computers on the wire at any given second.

00:17:20.520 --> 00:17:23.820
I think Dell’s budget at the time in the mid-2000s, they probably spent more on coffee

00:17:23.820 --> 00:17:29.580
than they did on cyber-security, so it was a bit of an uphill battle. Then I had a friend of mine

00:17:29.580 --> 00:17:37.500
at Georgia Tech, a guy named David Dagon who was starting an anti-botnet company called Damballa.

00:17:37.500 --> 00:17:41.280
We chatted and he said hey, why don’t you come out to Atlanta? I can’t pay

00:17:41.280 --> 00:17:44.280
you as much but it’ll be more fun. I said absolutely, get me the hell outta here.

00:17:44.280 --> 00:17:47.580
JACK: He took a pay cut and moved to Atlanta to help this startup. But

00:17:47.580 --> 00:17:51.540
after doing that for a while, his wife convinced him to move back to Ottawa,

00:17:51.540 --> 00:17:56.400
the capital of Canada, and once there, he started a company called Defense Intelligence.

00:17:56.400 --> 00:18:02.700
CHRIS: Which was focused a lot more on defense and blue-team-type work than the

00:18:02.700 --> 00:18:06.660
attack stuff. Our focus was compromise detection and compromise mitigation.

00:18:06.660 --> 00:18:10.680
JACK: Now, one of the things about being a network defender is that you have to constantly

00:18:10.680 --> 00:18:16.320
keep an eye on what the bad guys are doing, what tools are out there, their techniques, and what

00:18:16.320 --> 00:18:22.200
services criminals like using. Chris likes to stay a step ahead of the bad guys by knowing all this.

00:18:22.200 --> 00:18:27.180
CHRIS: One of the things that I’ve done over the last several years, [MUSIC] the last, well,

00:18:27.180 --> 00:18:33.960
fifteen years or whatever of my life has been building relationships with people that own

00:18:33.960 --> 00:18:39.360
infrastructure that bad guys love to use. So, it could be domain registrars, dynamic DNS providers,

00:18:39.360 --> 00:18:45.960
hosting providers. Those relationships which start out with me meeting them at a conference

00:18:45.960 --> 00:18:53.760
and buying a beer, I’ve sort of moved those into more formal arrangements where we’ve got

00:18:53.760 --> 00:19:03.720
contracts in place and I can get access to data around what bad guys are up to, particularly in

00:19:03.720 --> 00:19:10.740
how they set up the infrastructure used prior to an attack. At that time, I was really good

00:19:10.740 --> 00:19:14.760
friends – still am really good friends – with a guy that owns a very large dynamic DNS provider

00:19:14.760 --> 00:19:19.920
which I won’t name just ‘cause I don’t want to burn him. So, one of the things that I would do

00:19:19.920 --> 00:19:25.980
is I would review the authoritative name server traffic flowing in and out of his environment

00:19:25.980 --> 00:19:32.520
to look for new spikes, new patterns which is often indicative of a new botnet growing.

00:19:32.520 --> 00:19:37.080
JACK: So, Chris took a look at some of the logs from this DNS provider and found

00:19:37.080 --> 00:19:41.880
something interesting. He was noticing that at a certain time of day, there was a huge spike

00:19:41.880 --> 00:19:48.720
of traffic all going to a few domains. [MUSIC] So, why would you see a spike in traffic? Well,

00:19:48.720 --> 00:19:54.540
maybe it’s a news site that’s covering breaking news or a big sale at an online store or some

00:19:54.540 --> 00:20:00.000
sports website that’s playing a live game. But spikes like that are more like plateaus;

00:20:00.000 --> 00:20:06.600
they jump up at first but then stay high for an hour or so and then die down. What Chris saw was

00:20:06.600 --> 00:20:12.180
a spike that hundreds of thousands of computers were calling a certain website, but only for like,

00:20:12.180 --> 00:20:18.000
one second and then stopping. Huh, why would they do that all in sync at the same

00:20:18.000 --> 00:20:23.880
exact moment, then stop? He looked at the domains that these computers were calling, and they were

00:20:23.880 --> 00:20:35.340
weird. One was butterfly.bigmoney.biz. Another was quertasdf.sinip.es. These were not news sites or

00:20:35.340 --> 00:20:40.920
even popular sites at all. When Chris would go to them, they displayed nothing on their website, so

00:20:40.920 --> 00:20:46.140
why were hundreds of thousands of computers going to these seemingly empty sites at the same time?

00:20:46.140 --> 00:20:53.460
CHRIS: Sort of were able to start to put together a picture of ooh, this is a really big botnet.

00:20:53.460 --> 00:20:57.360
It wasn’t just one botnet; it was actually multiple botnets sort of under one umbrella.

00:20:57.360 --> 00:21:00.840
JACK: The reason why there are a bunch of computers hitting all these domains at

00:21:00.840 --> 00:21:06.120
the same time is because those were infected computers looking for commands of what they

00:21:06.120 --> 00:21:11.520
should do next. Those servers they were reaching out to are known as command and control servers,

00:21:11.520 --> 00:21:15.780
and when you have a lot of infected machines that all get their commands from a central server,

00:21:15.780 --> 00:21:21.840
this is a botnet. [MUSIC] He was able to work with some friends and see what malware was used here,

00:21:21.840 --> 00:21:26.940
and systems were being infected with something called the Butterfly Bot. Now,

00:21:26.940 --> 00:21:32.880
Butterfly Bot was somewhat already known but it really wasn’t doing much out there. So, it seemed

00:21:32.880 --> 00:21:39.840
like someone might have taken the Butterfly Bot malware toolkit and was building a botnet with it.

00:21:39.840 --> 00:21:44.340
Chris looked at the command and control server logs a little bit more and determined that whoever

00:21:44.340 --> 00:21:50.880
was running this botnet was probably somewhere in Spain. So, Chris combined the Butterfly Bot and

00:21:50.880 --> 00:21:56.760
the botmasters being in Spain, and called this the Mariposa botnet, which means butterfly in Spanish.

00:21:56.760 --> 00:21:59.100
CHRIS: We went ahead working with Panda.

00:21:59.100 --> 00:22:03.060
JACK: Panda Security is an antivirus company in Spain, and he figured they

00:22:03.060 --> 00:22:06.840
might be able to help since they battle stuff like this all the time in Spain.

00:22:06.840 --> 00:22:10.140
CHRIS: We leaned on them to help with some language barrier stuff and to help

00:22:10.140 --> 00:22:16.380
us analyze the binaries. So, they helped – we kinda put together this working group called

00:22:16.380 --> 00:22:22.560
the Mariposa Working Group which was Panda, ourselves, Georgia Tech, and a few other folks.

00:22:22.560 --> 00:22:25.440
JACK: Collectively, the group combined their powers to try

00:22:25.440 --> 00:22:29.700
to stop the Mariposa botnet which was growing in size. Over a million

00:22:29.700 --> 00:22:32.880
computers were now infected at this point, and it was pretty dangerous.

00:22:32.880 --> 00:22:37.380
CHRIS: It was capable of doing a lot of different things. It was capable of

00:22:37.380 --> 00:22:43.080
distributed denial-of-service attacks, keystroke logging, credential theft, and the different

00:22:43.080 --> 00:22:47.940
botmasters were using it for different things. We did see a lot of DDoS attacks. By default,

00:22:47.940 --> 00:22:53.400
the credential theft would occur as soon as the thing was installed. I’ve never been one to really

00:22:53.400 --> 00:23:01.440
focus on the features of the piece of malware. To quote George Kurtz at CrowdStrike, he once said

00:23:01.440 --> 00:23:05.820
“If someone’s shooting at you, do you turn around and dig the bullet out of the wall and try to

00:23:05.820 --> 00:23:11.700
figure out what caliber it is?” So, I’ve always thought about that and thought no, you probably

00:23:11.700 --> 00:23:16.440
want to know who the guy is and why he’s shooting at you. So, that’s the features and functionality;

00:23:16.440 --> 00:23:20.400
well, it gives a bad guy remote access to your computer to do whatever he wants. That’s bad.

00:23:20.400 --> 00:23:24.840
JACK: Right, this thing was ugly, so the working group wanted to end it. But how

00:23:24.840 --> 00:23:28.920
do you stop a botnet? It has hundreds of thousands of computers, if not millions of

00:23:28.920 --> 00:23:33.960
computers connected to it. What are you gonna do, go through every one and disinfect it? No,

00:23:33.960 --> 00:23:39.240
that’s not gonna work. But remember, they all call back to that central command and control

00:23:39.240 --> 00:23:45.120
server for instructions. So, their theory was if they could take over or take down

00:23:45.120 --> 00:23:49.620
those command and control servers, that would render this botnet ineffective.

00:23:49.620 --> 00:23:53.400
CHRIS: [MUSIC] The plan was that we were going to take all the command and control domains that

00:23:53.400 --> 00:23:58.380
we knew about which was, again, multiple botnets under one umbrella that we were calling Mariposa,

00:23:58.380 --> 00:24:02.280
and we were gonna take all of their command and control domains away at the same time, two days

00:24:02.280 --> 00:24:05.700
before Christmas, I think, if I remember right. Maybe it was the 21st or the 22nd of December.

00:24:05.700 --> 00:24:09.660
JACK: One of the things Chris is good at is connecting with other companies to work together,

00:24:09.660 --> 00:24:14.580
so he reached out to the DNS providers that this botnet was using. Chris showed

00:24:14.580 --> 00:24:19.020
them that these domains were being abusive, and the DNS provider took those domains down,

00:24:19.020 --> 00:24:23.520
which effectively neutralized this botnet. Infected systems could no longer send

00:24:23.520 --> 00:24:27.720
their stolen data back to the central server or get further instructions. So,

00:24:27.720 --> 00:24:32.220
those systems were still infected, but at least they weren’t leaking data or doing anything more.

00:24:32.220 --> 00:24:35.400
CHRIS: We went ahead and did that; we pointed it all to our sinkhole,

00:24:35.400 --> 00:24:42.120
and that’s when we started to notice exactly how big the botnet was. It was huge. ‘Cause

00:24:42.120 --> 00:24:44.700
when you take the command and control domains away and you point them to your sinkhole,

00:24:44.700 --> 00:24:49.500
you get to see all the victims trying to communicate with command and control. I

00:24:49.500 --> 00:24:53.700
think in the first twenty-four hours, we had fourteen million unique IP addresses

00:24:53.700 --> 00:24:57.900
hit the sinkhole. It was the biggest botnet I had ever seen in my life and it still is.

00:24:57.900 --> 00:25:03.300
JACK: Wow, that’s a lot. This was a win for the Mariposa Working Group. Next,

00:25:03.300 --> 00:25:07.440
Chris was trying to investigate who was behind this botnet. Were they

00:25:07.440 --> 00:25:12.960
state sponsored? Were they criminals? What clues in the malware and command and control servers

00:25:12.960 --> 00:25:17.280
might lead them to figure this out? Working with Panda and some other researchers,

00:25:17.280 --> 00:25:23.220
he was able to figure out who had been connected to the command and control servers as admins. From

00:25:23.220 --> 00:25:28.920
there, he was able to trace this back to some IPs that belonged to an ISP. Again, it was somewhere

00:25:28.920 --> 00:25:36.720
in Spain. He somehow got the ISP to tell him who that IP address was registered to, which gave him

00:25:36.720 --> 00:25:44.340
names, phone numbers, and e-mail addresses of the people suspected to be behind the Mariposa botnet.

00:25:44.340 --> 00:25:48.000
CHRIS: We kinda put this together in a nice report, sent it to Guardia Civil which was

00:25:48.000 --> 00:25:53.760
the federal police force in Spain, also in coordination with the FBI.

00:25:53.760 --> 00:25:55.920
They went and arrested these two guys.

00:25:55.920 --> 00:26:01.260
JACK: These guys apparently had some nice things in their home, with no real means to prove where

00:26:01.260 --> 00:26:06.060
they got it from. It seemed like these were the guys behind this,

00:26:06.060 --> 00:26:10.140
or at least they were some kind of criminals. But now that the police had arrested them,

00:26:10.140 --> 00:26:13.500
Chris and everyone else pretty much wiped their hands with this and went

00:26:13.500 --> 00:26:19.998
back to work. [MUSIC] But then a few days later, Chris’ internet goes down.

00:26:19.998 --> 00:26:21.360
CHRIS: We had fiber run to the office and our fiber provider – we noticed that the internet

00:26:21.360 --> 00:26:26.520
was down and our fiber provider started phoning us and said hey, we’re getting a huge amount of

00:26:26.520 --> 00:26:30.768
traffic destined to your – I think we had a /24 of IP space or something. We were like, oh. Then

00:26:30.768 --> 00:26:36.900
he was like oh shit, this is really bad. This just dropped part of the university. It just

00:26:36.900 --> 00:26:39.960
dropped a government office. We’re starting to lose connectivity all over the place.

00:26:39.960 --> 00:26:42.840
JACK: They quickly start looking at the traffic and notice something;

00:26:42.840 --> 00:26:49.740
the Mariposa botnet was back online and it was attacking them directly. But how

00:26:49.740 --> 00:26:52.560
is this possible? The guys behind the Mariposa botnet were arrested.

00:26:52.560 --> 00:26:56.640
CHRIS: They went and made the arrest and they released them the same day.

00:26:56.640 --> 00:27:02.460
The Guardia Civil went and made the arrest of these two fellows and seized some equipment,

00:27:02.460 --> 00:27:08.820
apparently. At the time, I guess they weren’t really familiar with cyber-crime

00:27:08.820 --> 00:27:14.580
in Spain and didn’t have a lot of policies and procedures on what to do,

00:27:14.580 --> 00:27:19.680
so they – I think they held them for twenty-four hours and then they released these two people.

00:27:19.680 --> 00:27:24.660
Those two people managed to get one or two of the command and control domains back the next day.

00:27:24.660 --> 00:27:29.760
JACK: I’m not sure how they got it back, but if you could somehow send one more

00:27:29.760 --> 00:27:33.660
command to all the infected systems that there’s a new command and control server,

00:27:33.660 --> 00:27:38.700
then suddenly the botmaster has control of everything again. I guess

00:27:38.700 --> 00:27:42.660
they planned for something like this and conducted their contingency plan.

00:27:42.660 --> 00:27:48.120
CHRIS: Then they leveraged it to create a massive DDoS attack against us in

00:27:48.120 --> 00:27:55.320
Ottawa which took out our fiber provider, part of a university, a couple government offices.

00:27:55.320 --> 00:27:59.520
A lot of different businesses suddenly had no internet for about an hour and a half, two hours.

00:27:59.520 --> 00:28:03.780
JACK: See, both Chris and the team at Panda Security were proud of their takedown and arrest,

00:28:03.780 --> 00:28:07.320
and so they published reports about this Mariposa botnet and how they

00:28:07.320 --> 00:28:11.100
were able to take it down. Well, the guys that got arrested saw the report

00:28:11.100 --> 00:28:15.180
and they knew exactly who to seek revenge on for getting them arrested.

00:28:15.180 --> 00:28:19.980
CHRIS: Then after we managed to wrestle it back from them and stop the DDoS,

00:28:19.980 --> 00:28:26.820
I think it was like, three days later they showed up at Panda Lab’s headquarters looking for jobs.

00:28:26.820 --> 00:28:29.684
JACK: What? What? Really?

00:28:29.684 --> 00:28:31.860
CHRIS: Yeah. Yeah.

00:28:31.860 --> 00:28:39.660
Yeah, I get a message from Pedro Bustamante who ran the research lab at Panda Antivirus. He goes,

00:28:39.660 --> 00:28:41.940
you’re never gonna effing believe this. I said, what? He’s like,

00:28:41.940 --> 00:28:43.980
these guys showed up this morning looking for jobs, both of them.

00:28:43.980 --> 00:28:51.000
JACK: Wow, that’s audacious, huh? To build a massive criminal botnet and then ask for

00:28:51.000 --> 00:28:55.800
a job at the security company who took you down, all while still waging a major

00:28:55.800 --> 00:29:00.180
attack on Chris’ company. Well, because they didn’t stop their criminal behavior,

00:29:00.180 --> 00:29:04.680
the police arrested them again and the botnet was sinkholed once again.

00:29:04.680 --> 00:29:07.920
Once they were arrested again, that was that. Chris was done with this incident.

00:29:07.920 --> 00:29:13.380
CHRIS: Yeah, it sort of went out of my hands. I know the FBI and Guardia Civil did a big press

00:29:13.380 --> 00:29:20.700
release. I think we got thanked in that, so that was nice. Then, yeah, it was sort of out of my

00:29:20.700 --> 00:29:28.080
hands. I would get these inquiries from the FBI every now and again for some updates and victim

00:29:28.080 --> 00:29:34.260
counts from the sinkhole or can you send us over a dump of log data, and that was about it.

00:29:34.260 --> 00:29:38.220
JACK: In the end, the Spanish police discovered this botnet was run by a

00:29:38.220 --> 00:29:43.620
cyber-gang called the DDT. A guy named Ruiz was the leader and Rivera and Rios

00:29:43.620 --> 00:29:48.240
were also part of it. I believe they served some time in jail in Spain for their actions,

00:29:48.240 --> 00:29:52.440
and that was the last we heard about the Mariposa botnet. Or was it?

00:29:52.440 --> 00:29:57.840
CHRIS: Fast-forward a couple years later and I get a phone call from the FBI saying hey,

00:29:57.840 --> 00:30:00.120
can you come to Slovenia to testify at this trial?

00:30:00.120 --> 00:30:06.120
JACK: [MUSIC] Come to Slovenia? But these guys were all from Spain; what’s Slovenia have to do

00:30:06.120 --> 00:30:12.480
with this? Well, as it turns out, the guys arrested in Spain didn’t actually write the

00:30:12.480 --> 00:30:19.920
Butterfly Bot. They bought it from a guy in Slovenia, a guy named Iserdo, and Iserdo was

00:30:19.920 --> 00:30:25.980
arrested for being the creator of this malware. So, here’s the next big question: this guy

00:30:25.980 --> 00:30:34.680
created the malware itself but did not build this Mariposa botnet. He just created the malware.

00:30:34.680 --> 00:30:39.720
So, there’s this – I mean, how do you feel about this? Just because a person

00:30:39.720 --> 00:30:43.680
creates – Smith & Wesson can’t be tried for all the murders that have happened

00:30:43.680 --> 00:30:48.420
with Smith & Wesson weapons, right? So, what do you think of how this works?

00:30:48.420 --> 00:30:56.520
CHRIS: Well, I think that there’s intent and one of the things that cyber-criminals – a lot of them

00:30:56.520 --> 00:31:01.020
make the same mistake over and over again which is I’m gonna build this thing and I’m gonna say hey,

00:31:01.020 --> 00:31:06.960
you’re only allowed to use this to test your own stuff. Whatever, but the intent

00:31:06.960 --> 00:31:18.900
of the code is to be stealthy, to hide, to do this, to do that. It’s to commit cyber-crime.

00:31:18.900 --> 00:31:25.320
It’s pretty obvious that that was the intent of the Butterfly kit. Then on top of that,

00:31:25.320 --> 00:31:31.080
they got logs of him having conversations with people about the cyber-crime they’re

00:31:31.080 --> 00:31:37.320
committing using his tool. Then they’ve got them – people paying him for the tool,

00:31:37.320 --> 00:31:45.120
saying I’m about to use this for cyber-crime, and him taking their money. It was a lot of different

00:31:45.120 --> 00:31:49.020
laws that were broken there. It wasn’t just he built a kit and had nothing to do with it.

00:31:49.020 --> 00:31:52.800
JACK: The FBI was assisting with this investigation because Slovenia was kind

00:31:52.800 --> 00:31:57.180
of new to investigating cyber-crime, and so the FBI was more of an observer and

00:31:57.180 --> 00:32:02.520
just helping out with the case. So, Chris went to Slovenia to testify about what he

00:32:02.520 --> 00:32:07.380
witnessed going on with the Mariposa botnet and how the Butterfly Bot worked. In the end,

00:32:07.380 --> 00:32:17.040
Slovenia courts found Iserdo guilty, and he had to serve almost five years in prison.

00:32:17.040 --> 00:32:24.180
When Iserdo got out of prison in 2017, Bitcoin was booming. It just crossed $10,000 per coin

00:32:24.180 --> 00:32:30.120
for the first time, and so he immediately jumped into Bitcoin. He built a website called NiceHash

00:32:30.120 --> 00:32:34.680
which was one of the more popular mining pools for Bitcoin miners. [MUSIC] Basically when you’re

00:32:34.680 --> 00:32:39.360
mining Bitcoin, doing anything on your own is quite hard, but if you pool together with a bunch

00:32:39.360 --> 00:32:43.140
of other people, then you have a much higher chance of making money at it. So, he created

00:32:43.140 --> 00:32:49.020
a mining pool that anyone can join and contribute their computing power to it to make some Bitcoin.

00:32:49.020 --> 00:32:55.560
This NiceHash mining pool that Iserdo made worked really well. In fact, in 2017, I was actually

00:32:55.560 --> 00:33:01.860
mining using NiceHash myself. I didn’t know it was run or started by the guy who was a convicted

00:33:01.860 --> 00:33:08.580
criminal at the time, though. At the end of 2017, just as Bitcoin was hitting $13,000 per coin,

00:33:08.580 --> 00:33:15.180
NiceHash announced they had 4,700 Bitcoin stolen from their wallet. This was about 60 million

00:33:15.180 --> 00:33:21.840
dollars that were owed to their users. Iserdo said they were victim to a phishing attack. They

00:33:21.840 --> 00:33:27.720
tried to pay it back, but it took them three years to pay all those stolen Bitcoin back.

00:33:27.720 --> 00:33:32.280
I didn’t get hit by this because when I was mining, I would just immediately withdraw

00:33:32.280 --> 00:33:37.680
my Bitcoin as soon as I earned it. After Chris ran Defense Intelligence for a while,

00:33:37.680 --> 00:33:42.900
he started a new company which was acquired by Endgame. Then he started another company which

00:33:42.900 --> 00:33:48.510
was acquired by CrowdStrike. About six years ago, he started a new company called Hyas.

00:33:48.510 --> 00:33:57.180
CHRIS: So, Hyas focuses on the infrastructure that bad guys like to use and the relationships

00:33:57.180 --> 00:34:05.640
that we have with those infrastructure providers to better identify attacks before they happen. So,

00:34:05.640 --> 00:34:14.880
you can think about any time that an adversary wants to set up a new botnet, they have to get

00:34:14.880 --> 00:34:20.640
servers for command and control, they have to generally buy domain names. If you’re creating a

00:34:20.640 --> 00:34:25.800
phishing attack, you have to set up a website that looks like Bank of America. So, what we’ve done is

00:34:25.800 --> 00:34:31.260
built relationships with the various providers where we see high rates of recidivism, where we

00:34:31.260 --> 00:34:38.100
see the bad guys go back to often, over and over again, and we leverage those relationships to

00:34:38.100 --> 00:34:43.680
tag and track those bad actors and identify campaigns before they become campaigns.

00:34:43.680 --> 00:34:48.180
JACK: He then gives his customers the ability to search through some of the logs that he sort of

00:34:48.180 --> 00:34:53.640
has exclusive access to so that people can track and identify threat actors. One day,

00:34:53.640 --> 00:34:57.405
Chris was looking at his own tool and noticed something unusual.

00:34:57.405 --> 00:35:01.620
CHRIS: [MUSIC] We originally noticed – again, much like Mariposa – spikes in traffic at the

00:35:01.620 --> 00:35:08.400
authoritative level. This was a combination of registrar partners and dynamic

00:35:08.400 --> 00:35:17.220
DNS partners where we saw traffic spikes that were indicative of a botnet growing.

00:35:17.220 --> 00:35:24.540
But what was most interesting is who the victims appeared to be in the early stages.

00:35:24.540 --> 00:35:28.920
So, where were we seeing the traffic originate from and the patterns of behavior? A normal

00:35:28.920 --> 00:35:33.840
person won’t sit at a keyboard and hit Enter every two minutes and thirty-two seconds over and over

00:35:33.840 --> 00:35:39.780
again all day. That’s not human behavior, right? So, when we see a domain lookup every one minute

00:35:39.780 --> 00:35:44.580
and thirty seconds to the second when the cache – when the TTL expires, when the cache expires,

00:35:44.580 --> 00:35:49.740
we see that cache refresh occur over the course of, say, twenty hours, we know

00:35:49.740 --> 00:35:52.740
that there’s probably a computer inside that environment that’s compromised with something,

00:35:52.740 --> 00:35:57.180
particularly if the domain they’re looking up happens to be a known command and control

00:35:57.180 --> 00:36:02.100
for a piece of malware or various pieces of malware. We saw that type of traffic.

00:36:02.100 --> 00:36:07.380
JACK: Okay, so there’s a potential botnet on the rise again, or something. They see

00:36:07.380 --> 00:36:11.580
a lot of computers on the internet are showing signs of infection since they’re all acting in

00:36:11.580 --> 00:36:16.680
synchronicity again. So, Chris wanted to know what computers are being infected by

00:36:16.680 --> 00:36:21.525
this. When he saw what computers were infected, it really surprised him.

00:36:21.525 --> 00:36:29.880
CHRIS: [MUSIC] It was France’s power grid, like a bunch of nuclear power stations. Then we noticed

00:36:29.880 --> 00:36:36.060
traffic – as we zeroed in on this group of command and control domains, we noticed that

00:36:36.060 --> 00:36:44.700
it was also France’s rail system, hospitals, banks, water treatment systems. It was basically

00:36:44.700 --> 00:36:49.200
critical infrastructure. It was really, really – there was very little that wasn’t critical

00:36:49.200 --> 00:36:52.920
infrastructure that was beaconing to these command and control systems.

00:36:52.920 --> 00:36:58.440
JACK: Whoa, a lot of critical infrastructure related to France was infected by some kind of

00:36:58.440 --> 00:37:04.800
botnet? That’s not good. He wondered if the botmaster had purposefully infected French

00:37:04.800 --> 00:37:10.080
computers or if the botmaster even knew he had infected these systems at all. Sometimes

00:37:10.080 --> 00:37:14.880
botmasters don’t know what they’ve infected; they just launch a virus to the world and whoever gets

00:37:14.880 --> 00:37:19.860
hit gets hit. It’s like spray and pray. So, he dives into this investigation on his own,

00:37:19.860 --> 00:37:24.360
but started showing some of the people he worked with what he found, and others were getting

00:37:24.360 --> 00:37:29.400
curious too and helped investigate. Together, they looked at the malware involved and they

00:37:29.400 --> 00:37:33.480
studied the command and control infrastructure and tried to map out what this criminal has done

00:37:33.480 --> 00:37:38.460
and how sophisticated they were. From adding up all these bits, he felt confident that this

00:37:38.460 --> 00:37:43.920
hacker was sort of mid-level, acting alone, and probably not state-sponsored. Once he had

00:37:43.920 --> 00:37:48.540
enough evidence of what’s going on here, he then reached out to the French authorities.

00:37:48.540 --> 00:37:54.180
CHRIS: Reaching out to the French authorities was a very difficult process.

00:37:54.180 --> 00:37:58.020
We didn’t get a lot of response from anybody.

00:37:58.020 --> 00:38:03.720
I went on some of my trust groups and mailing lists and reached out and didn’t get a lot of

00:38:03.720 --> 00:38:08.880
response from people. So, we actually ended up going to the FBI ‘cause we work with them so much

00:38:08.880 --> 00:38:14.520
and saying can you help us with this? So, we sent them our report. They reviewed it to make sure we

00:38:14.520 --> 00:38:19.380
weren’t crazy and they weren’t going to embarrass themselves. They reviewed it, verified our

00:38:19.380 --> 00:38:26.160
findings, and then they reached out to the French government from their legal attache at the US

00:38:26.160 --> 00:38:31.680
embassy in Paris and delivered our report to them. Then we never heard anything from them since.

00:38:31.680 --> 00:38:35.820
JACK: But just because he didn’t hear from the French authorities doesn’t mean he can’t poke

00:38:35.820 --> 00:38:40.320
further. Chris contacted the dynamic DNS provider which was controlling the command

00:38:40.320 --> 00:38:45.000
and control server from his botnet and asked for more information on that user. The DNS

00:38:45.000 --> 00:38:49.740
provider gave more information to Chris. He then had a user agent, an IP address,

00:38:49.740 --> 00:38:56.520
and an e-mail address that was used to connect to that user’s account. Chris used geolocation

00:38:56.520 --> 00:39:00.960
to try to figure out where the hacker was located, and it pointed to Morocco.

00:39:00.960 --> 00:39:06.480
CHRIS: [MUSIC] Google-searching that e-mail address, we found that he had an

00:39:06.480 --> 00:39:16.080
outdoor camping company outside of Morocco that would take foreigners on these desert tours.

00:39:16.080 --> 00:39:21.240
Yeah, so we were able to tie it back to that, and that he ran that out of his house and had

00:39:21.240 --> 00:39:26.820
his home address listed. Yeah, so, we were able to really put it down to exactly where he lived.

00:39:26.820 --> 00:39:31.020
JACK: Because the attacker was in Morocco, Chris called him the Kasbah Hacker and published a

00:39:31.020 --> 00:39:36.000
report on this. Some researchers saw this report that Chris and Hyas put out and looked into it

00:39:36.000 --> 00:39:40.500
further. They saw the name of the hacker and started searching around the internet for him.

00:39:40.500 --> 00:39:44.640
They found that he was also taking credit for submitting different security bugs to

00:39:44.640 --> 00:39:49.860
Apple and Dell and Microsoft. This gave an extra clue that the person was familiar with hacking,

00:39:49.860 --> 00:39:54.240
finding bugs, and using them. They also found he used to run a computer repair business,

00:39:54.240 --> 00:40:00.300
and then found his e-mail address was a registered user on some criminal hacking forum. This gave

00:40:00.300 --> 00:40:05.280
them a new username to scour the internet for, and his LinkedIn profile showed that he’s a

00:40:05.280 --> 00:40:09.960
penetration tester and programmer. At this point, it’s pretty clear they found the person

00:40:09.960 --> 00:40:15.900
who completely hacked into France’s power grid, trains, and even nuclear facilities. He was happy

00:40:15.900 --> 00:40:20.400
to report this to the French authorities, but it didn’t look like they were doing much with this.

00:40:20.400 --> 00:40:23.940
CHRIS: So, at the point where you hand it over to law enforcement,

00:40:23.940 --> 00:40:28.620
there’s not a lot you can do past that. You kinda have to hope that they’re gonna do their job and

00:40:28.620 --> 00:40:35.100
stop the bad guy. It seemed like France really was – not really interested in doing anything

00:40:35.100 --> 00:40:42.060
about it. I went back and looked at some traffic earlier today for those

00:40:42.060 --> 00:40:46.560
same command and control domains. There still is French infrastructure that is repeatedly looking

00:40:46.560 --> 00:40:50.040
up the command and control domain every three minutes, twenty-four hours a day.

00:40:50.040 --> 00:40:55.740
JACK: Hm. So, that tells me that system never got cleaned.

00:40:55.740 --> 00:40:58.050
CHRIS: Right. That’s exactly right, or it got…

00:40:58.050 --> 00:41:03.840
JACK: Which also tells me – I mean, I don’t know if you had that submitted in your report that got

00:41:03.840 --> 00:41:09.240
to the French authorities, but it seems to infer that the French authorities didn’t action this.

00:41:09.240 --> 00:41:12.154
CHRIS: That’s exactly what I’m inferring, yes.

00:41:12.154 --> 00:41:12.171
JACK: Oh, my god.

00:41:12.171 --> 00:41:18.120
CHRIS: I tried to be nice about it but that’s exactly what I’m saying, is that the FBI walked

00:41:18.120 --> 00:41:24.000
over and handed this to the French authorities and they, I don’t know, put it in their trash bin.

00:41:24.000 --> 00:41:28.200
JACK: This isn’t the case of one missed memo, either. This entire thing was written up by

00:41:28.200 --> 00:41:33.600
the journalist Brian Krebs who published a pretty detailed article on this. Krebs has a huge reader

00:41:33.600 --> 00:41:37.740
base which would absolutely have French people reading it, so you would think this would get the

00:41:37.740 --> 00:41:42.660
attention of the French authorities, right? But I don’t know. Now, the French critical

00:41:42.660 --> 00:41:46.800
infrastructure wasn’t the only thing hit. One of the big banks in France was also infected,

00:41:46.800 --> 00:41:51.420
too. Chris also listed this bank in the report that he submitted to the French authorities,

00:41:51.420 --> 00:41:54.900
but decided to also reach out to the bank directly and just tell them.

00:41:54.900 --> 00:41:59.520
CHRIS: I talked to one of the security guys at one of the big banks in France that was

00:41:59.520 --> 00:42:06.120
affected. They cleaned things up very quickly. Then afterwards, I don’t know, maybe three weeks

00:42:06.120 --> 00:42:11.220
or so after the FBI had handed the report to the French authorities, I reached back out to

00:42:11.220 --> 00:42:15.780
my contact at the French bank and said oh, have you heard from the French authorities

00:42:15.780 --> 00:42:19.920
about this? ‘Cause you’re listed in the report. He said no, no, we haven’t heard anything but

00:42:19.920 --> 00:42:25.800
we cleaned it up; thanks very much. I was like sure, no problem. Yeah, so, three weeks later,

00:42:25.800 --> 00:42:30.600
the authorities hadn’t reached out to one of their largest banks that was actively breached.

00:42:30.600 --> 00:42:36.180
JACK: Hm. I’m not sure what’s going on here with the French authorities. Is France just

00:42:36.180 --> 00:42:41.460
not able to respond to these kinds of attacks or did they arrest the guy and therefore feel like

00:42:41.460 --> 00:42:48.060
this eradicated the threat? It’s a mystery that I never got an answer to. But I sure

00:42:48.060 --> 00:42:53.760
hope they clean those systems and patch whatever vulnerability was used to infect those systems,

00:42:53.760 --> 00:42:58.380
because hacking will continue until security improves.

00:42:58.380 --> 00:43:07.020
(OUTRO): [OUTRO MUSIC]

00:43:07.020 --> 00:43:12.120
A big thank you to Chris Davis for sharing his stories with us. You can learn more about his

00:43:12.120 --> 00:43:18.480
company Hyas by visiting H-Y-A-S.com. Are you the kind of person who turns this show on to listen

00:43:18.480 --> 00:43:23.160
to it just before bed but then end up getting so into it that you can’t fall asleep for like,

00:43:23.160 --> 00:43:27.840
a whole hour? Well, if that’s you, then I want you to consider donating to the show through Patreon.

00:43:27.840 --> 00:43:32.040
This show obviously gives you some pretty good entertainment, so why not directly support it to

00:43:32.040 --> 00:43:38.580
show your thanks? Visit patreon.com/darknetdiaries and consider donating. Thanks. This show is made

00:43:38.580 --> 00:43:43.740
by me, the Digimon, Jack Rhysider. Sound design was done by the ear-turner Andrew Meriwether,

00:43:43.740 --> 00:43:48.840
editing is done by the AI known as Damienne, and our theme music is done by the potato-smasher

00:43:48.840 --> 00:43:54.600
Breakmaster Cylinder. Even though when something calls itself server-less, you and I both know

00:43:54.600 --> 00:43:59.700
there’s really a server back there somewhere doing all the work, this is Darknet Diaries.
