back to indexBrett Johnson: US Most Wanted Cybercriminal | Lex Fridman Podcast #272
link |
I was on the run for four months, stole $600,000.
link |
I was in Las Vegas, Nevada.
link |
One day I had stolen the night before
link |
and stolen 160K out of ATMs.
link |
Went in the next morning, I woke up,
link |
signed on to cartersmarket.com,
link |
which was ran by Max Butler, the Iceman.
link |
And there's my name, US Most Wanted on it.
link |
And that gets your attention.
link |
That was my real name with US Most Wanted beside of it.
link |
Nobody knew my real name in that environment at all,
link |
but then they did.
link |
And it was talking about me being part
link |
of the Secret Service, Operation Anglerfish,
link |
So of course, they're all like.
link |
Everybody's after you.
link |
They're like, oh yeah, we're gonna get this son of a bitch.
link |
The following is a conversation with Brett Johnson,
link |
a former cyber criminal who built the first
link |
organized cybercrime community called Shadow Crew
link |
that is the precursor to today's Darknet
link |
and Darknet markets.
link |
He's referred to by the United States Secret Service
link |
as quote, the original internet godfather.
link |
He has been the central figure in the cybercrime world
link |
for almost 20 years.
link |
Placed on the US Most Wanted list in 2006
link |
before being convicted of 39 felonies for cybercrime,
link |
escaped from prison, and then eventually being locked up,
link |
served his time, and now is helping people understand
link |
and fight cybercrime.
link |
This was a raw, honest, emotional, and real episode.
link |
Brett has caused a lot of pain to a lot of people,
link |
and yet his own story is full of trauma and pain,
link |
and also redemption and love.
link |
This is a good time to say that I have and I will
link |
talk to people who have served time in prison,
link |
and perhaps people who currently are in prison.
link |
I will try to do my best to both empathize
link |
with the person across from me and not let them sugarcoat,
link |
explain away, or dismiss the crimes they committed.
link |
This is a tough line to walk,
link |
because if you close your heart to the other person,
link |
you'll never fully understand their mind and their story.
link |
But if you open the heart too much,
link |
you can be manipulated to where the conversation
link |
reveals nothing honest or real.
link |
This requires skill and willingness to take the risk.
link |
I don't know about the skill part,
link |
but I'd like to take the risk.
link |
I always wear my heart on my sleeve.
link |
If I get hurt for it, that's life.
link |
As I've said, I want to understand
link |
what makes a person do these crimes,
link |
the particular characteristics of their temporary
link |
or permanent madness, their justifications,
link |
but also their humanity.
link |
I believe each of us have the capacity
link |
to become both the criminal and the victim,
link |
the predator and the prey.
link |
It's up to us to avoid these paths
link |
or to find the path to redemption.
link |
It's on each of us.
link |
It's our responsibility and burden
link |
of being human in a complicated and dangerous world.
link |
This is the Lex Friedman podcast.
link |
To support it, please check out our sponsors
link |
in the description.
link |
And now, dear friends, here's Brett Johnson.
link |
You were convicted of 39 felonies for cybercrime
link |
placed on the US most wanted list in 2006,
link |
escaped from prison.
link |
You built the first organized cybercrime community
link |
called Shadow Crew that is the precursor
link |
to today's darknet and darknet markets.
link |
And for all this, the US intelligence service
link |
called you the original internet godfather.
link |
So first question, how did your career
link |
as a cybercrime criminal begin?
link |
My life of crime begins when I'm 10 years old.
link |
10 years old, man, think about that.
link |
I mean, you were probably playing the robots
link |
You know, usually kids are doing the Lego bit,
link |
getting involved with sports, everything else.
link |
And with me, it wasn't like that.
link |
With me, I'm from Eastern Kentucky.
link |
Eastern Kentucky is one of these,
link |
it's like parts of Texas, parts of Louisiana,
link |
that if you're not fortunate enough to have a job,
link |
you may be involved in a scam, hustle, fraud,
link |
whatever you want to call it, man.
link |
I was, my parents, my mom was basically
link |
the captain of the entire fraud industry.
link |
So this is a woman that at one point,
link |
she's stealing a 108,000 pound Caterpillar D9 bulldozer,
link |
tramming it down the road.
link |
You know, at another point, she's taking a slip
link |
and falling a convenience store trying to sue the owner.
link |
We had a neighbor she acted as a pimp for at one point.
link |
That's my mom, my dad.
link |
Wait, wait, wait, the neighbor acted as a pimp?
link |
My mom prostituted, I mean,
link |
she acted as a pimp for a neighbor.
link |
Her name was Debbie and my mom used to sell her out.
link |
Debbie needed money and my mom would find men
link |
for her to sleep with for cash
link |
and she'd take a part of the cash.
link |
So Sauna's like she diversified the methodologies
link |
by which she hustled.
link |
Very, had that entrepreneurial spirit.
link |
You know, we see that a lot with cyber criminals,
link |
you know, that sense of being that entrepreneur.
link |
So what was the motivation you think for her?
link |
Is it basically the rush of playing with the system
link |
or being able to know the rules
link |
and break the rules and get away with it?
link |
My mom's a complex character.
link |
She is, there's no one single motivation.
link |
So my mom was the individual, she's still alive.
link |
My mom was the individual who tested people.
link |
She wanted to know how far she could abuse you
link |
and you come back and still love her.
link |
So, and that was with every relationship she's ever had.
link |
She would cheat on the men she was involved with.
link |
She would abuse her children, me and Denise.
link |
Psychological, physical?
link |
Oh, it was mental, emotional, physical,
link |
everything, everything.
link |
I mean, she used to beat me and Denise with belt buckles,
link |
you know, and that ended when she was,
link |
I forgot what we had done.
link |
I think that it may have been the part
link |
where she accused me of stealing her marijuana,
link |
but she was hitting me and Denise.
link |
We were living in a single wide trailer at that point.
link |
She was hitting me and Denise.
link |
We were on the bed trying to get away from it.
link |
And Denise kicks her through a closet is what happens.
link |
And Denise stands up and she said,
link |
you're through hitting me.
link |
And that was the last time that mom hit us at that point.
link |
So sorry to take us there.
link |
You're, for people who know you
link |
and people should definitely watch
link |
some of your lectures online.
link |
You're extremely charismatic and fun and jolly
link |
and whatever word you want to use.
link |
But, you know, if we look at that kind of life,
link |
there's darkness there, there's a struggle there.
link |
There's a lot of darkness.
link |
So if you, how did you feel?
link |
If you go back to the mind of the kid you were
link |
with your mom, was there sadness?
link |
Was there things like depression, self doubt,
link |
all those kinds of things, or did you see this crime,
link |
this chaos as ultimately exciting?
link |
You know, I don't think,
link |
back then I didn't view it as exciting.
link |
Now it becomes exciting when I start being involved
link |
in cyber crime, all right?
link |
But back then it was simply a means to an end
link |
So you take a 10 year old kid
link |
and the way I get involved in crime is,
link |
like I said, my mom was the fraudster.
link |
My dad was a good guy.
link |
He just forgot he was this good guy.
link |
You know, he was always, he always had these principles,
link |
but his issue was is he loved my mom so much,
link |
he was scared of her leaving.
link |
So if she wanted to do something, commit crime,
link |
cheat on him, whatever,
link |
he would pretty much just put up with it the one instant.
link |
So, I mean, this woman used to,
link |
she used to bring men home in front of him,
link |
tell him that, hey, I'm leaving you.
link |
I don't love you anymore.
link |
I want you to die, blah, blah, blah, blah, blah.
link |
There were two instances where the man,
link |
where he can't take it anymore.
link |
And the first instance, I was,
link |
I guess I was seven or eight.
link |
My sister Denise is a year younger than I am.
link |
My dad actually files for divorce,
link |
files for divorce at that point.
link |
My mom kind of goes crazy.
link |
My dad, I was with my dad.
link |
My sister was with my mother
link |
because that's that Eastern Kentucky mentality.
link |
You know, men stay with men, women stay with women.
link |
So he was filing for divorce.
link |
Me and my dad, we were living in an apartment.
link |
My mom was living with her grandparents
link |
and with her parents bouncing back and forth
link |
And I remember I was sleeping in the bed.
link |
We had a single wide bed.
link |
My dad slept on the sofa.
link |
I woke up one night
link |
and there was some sort of ruckus in the living room.
link |
So I wake up and I walk into the living room
link |
and my mom has a knife to my dad's throat.
link |
And basically you're not going to steal my son from me.
link |
My mom was this individual
link |
that when she knew she went so far,
link |
like I said, she was always this person that tested.
link |
What can I do this to you?
link |
And you'll still come back.
link |
She knew, she was always also this person
link |
that if she went too far, she knew it.
link |
And she would always try to divert that into something else.
link |
All right, so she knew at that point she'd went too far.
link |
So what does she do?
link |
She gets up crying, goes to the bathroom
link |
and pretends to slit her wrists
link |
so that my dad Ray will respond to that,
link |
not respond to what she's just done to him.
link |
That was my mom in a nutshell.
link |
She had a history of doing this kind of stuff.
link |
Motivations as far as fraud with her,
link |
I think with her it was, she was an LPN.
link |
She had a very good nurse, but she didn't want to work.
link |
It was a lot of it.
link |
So with her, it was easier for her to commit fraud.
link |
And when I say commit fraud,
link |
it was against businesses, against people.
link |
I remember at one point she's buying
link |
over the counter capsules and emptying the capsules out
link |
and putting some other crap in there
link |
and selling at a speed and people were buying it.
link |
She did anything she could for money.
link |
And of course I get involved with that.
link |
What happens is we were in Panama City at that point
link |
and my mom leaves my dad and the way she left my dad,
link |
my great grandfather had died.
link |
My mom tells all three of us, hey, I'm taking the kids
link |
and we're going back to Eastern Kentucky
link |
to attend the funeral.
link |
Well, that was her leaving.
link |
Me and Denise didn't know it.
link |
She didn't pack any of our clothes at all.
link |
She stows her clothes in the trunk of the car
link |
and she leaves my dad and I don't get to see my dad again
link |
for I think five, six years, something like that.
link |
My mom, like I said, she used to bring men home
link |
in front of my dad.
link |
She would, he'd sit there and cry and beg her not to do it.
link |
She'd do it anyway.
link |
When she leaves him, she kept up that.
link |
So we were living at my grandparents house.
link |
My grandfather, he had converted the house.
link |
He had raised the house up
link |
and built apartments underneath of it.
link |
So me and my sister and my mom lived
link |
in one of the apartments underneath
link |
and that whole side of the family was just nuts, was nuts.
link |
My granddad, Paul, he would,
link |
this is a man that he didn't want you
link |
to eat any of his food.
link |
So, you know, there was no such thing
link |
as me and Denise going upstairs to eat.
link |
If he found out me and Denise was taking a bath,
link |
we were allowed to bath and bathe in two inches of water
link |
because he didn't want to have to pay the water bill.
link |
You know, if you couldn't have the TV on,
link |
when he went to bed at night,
link |
you had to have the television, the volume.
link |
You could watch it, but without volume
link |
because if he heard it, he would get up
link |
in the middle of the night
link |
and he would kick the power breaker,
link |
turn off all the power on you.
link |
This is my, this is my, the family, right?
link |
So my mom, she used to leave me and Denise at home
link |
for days, man, for days.
link |
She'd go out and, you know, party.
link |
And I mean, sometimes she'd take me into these with her.
link |
We'd wait in the car.
link |
Sometimes we'd wait in the living room
link |
as she went and partied and everything else.
link |
Most of the time she left us at home
link |
and my entry into crime, Denise walks in one day,
link |
she's nine years old, man.
link |
She walks in one day
link |
and she's got a pack of pork chops in her hand
link |
and looked at her and I said, where'd you get that?
link |
She's like, I stole it.
link |
And you know, it's like, show me how you did that.
link |
So she takes me over
link |
and she shows me how she steals food,
link |
how she's stuffing it down her pants.
link |
So we start stealing food.
link |
I'm like, hell yeah, let's do that shit.
link |
So start stealing food.
link |
And we get to the point where we're wanting a sandwich.
link |
Well, you can't stuff a loaf of bread down your pants.
link |
So there was a Kmart in the shopping center.
link |
I go over to the Kmart, get a hoodie off the rack,
link |
take the tags off of it, wear it out, work just fine.
link |
And the way you steal bread
link |
is you put the hoodie over your shoulder,
link |
stuff a loaf of bread down the sleeve
link |
and you walk out with it.
link |
So we started doing that.
link |
How'd you figure that out?
link |
Just thought pattern.
link |
So there's like strategic thinking here.
link |
Yeah, you know, you can't wear the hoodie
link |
and put the bread down here
link |
cause you might mash the bread when you zip it up
link |
or they might notice the bread.
link |
Yeah, we have to think through that.
link |
You gotta think through it.
link |
But you gotta realize by this point,
link |
I'm already seeing what my parents are doing.
link |
You know, I'm already seeing the plotting.
link |
That kind of puzzle solving
link |
was something you were already developing yourself
link |
individually cause you're pretty young.
link |
Yeah, 10 years old, pretty young.
link |
But seeing how they act, how they respond to things.
link |
And my mom, I guess you could call it a good thing,
link |
they never kept any of that hidden from the kids.
link |
You know, there was no discussions behind closed doors.
link |
All that happened in front of everybody.
link |
And from your young minds perspective,
link |
seeing that kind of crime, you basically,
link |
you know, a lot of us kind of grow up
link |
thinking there's rules you're not supposed to break.
link |
If you see other humans breaking those rules,
link |
then you realize those rules are just human made.
link |
But it gets worse than that.
link |
I was in an environment where there were no decent people.
link |
I didn't really meet my first decent person
link |
until I was 16 years old.
link |
That was a high school teacher.
link |
So what happens is, you know, we start shoplifting food.
link |
My mom finds out that we've been stealing stuff
link |
and you know, she joins us.
link |
Yeah, she comes in, you know, I've got the television,
link |
I've got the Atari 2600, play the hell out of it.
link |
She starts seeing this shit.
link |
She's like, where'd this come from?
link |
And I'm like, well, we found it.
link |
She's like, you didn't find that.
link |
Denise, Denise stands up, we stole it.
link |
My mom, show me how you did that.
link |
And she gets her mom too, to join in.
link |
And she used to run me and Denise
link |
as these little shoplifters.
link |
We'd take, you know, we'd steal stuff for her.
link |
We would distract security
link |
and her and my grandmother would steal stuff.
link |
They got caught doing that.
link |
But that's the entry into crime.
link |
And Denise, you know, I'm adamant and I kind of mean it.
link |
But the truth is I say, and I do mean it,
link |
that I'm responsible for my choices as an adult, all right?
link |
I believe that when you're a child, you can't control that.
link |
The adults in your environment control what you do.
link |
Once you're an adult though, your choices are yours.
link |
Now that being said, there's some,
link |
you can't dismiss that childhood
link |
influencing what I did as an adult.
link |
You can't do that.
link |
I mean, it was kind of written on slate that,
link |
hey, this guy's gonna be this guy when he grows up.
link |
That's like sometimes that one person you meet,
link |
that decent person can turn the tide of your life.
link |
Absolutely, absolutely.
link |
So what happens is, you know, the abuse,
link |
everything continues on, when I'm 15,
link |
my dad was in Panama City, Florida.
link |
My mom was in, you know, we were in Hazard, Kentucky.
link |
She was dating this guy.
link |
My mom was this woman that the abuse would,
link |
it was crazy abuse, man, just crazy stuff.
link |
She would tell me and my sister, you know,
link |
that she gave up her life for us,
link |
that she was gonna leave one day and never come back,
link |
that we'd find her dead in a ditch someplace.
link |
She'd go out and date these men and she'd come back
link |
and she'd talk about how these men were abusing her.
link |
You know, so she'd be dating this guy
link |
and she'd come back and she'd, you know,
link |
start talking about how he had tried to rape her,
link |
you know, trying to get me to respond to that.
link |
And I would respond to that.
link |
Make no doubt, I would respond to that.
link |
Well, what happens is, and I knew that,
link |
I don't know if I knew it was abuse at that age, all right,
link |
but I knew things were fucked up.
link |
And I was talking to my dad in Panama City
link |
and I really had it in my head
link |
that I was gonna go down and live with my dad.
link |
And I called my dad one day.
link |
I was set to go to, me and my cousins
link |
were gonna go see Return of the Jedi.
link |
It had came out again in the theaters.
link |
So I called my dad, it was a Sunday,
link |
called my dad and he told me,
link |
he had either gotten married
link |
or he was about to get married to this woman.
link |
And basically Brett Johnson
link |
wasn't gonna go down to Florida.
link |
You know, I was gonna stay in Hazard.
link |
I had to call my dad from payphone,
link |
but the result of that was I walked him into a hospital,
link |
got in an elevator and a woman got in the elevator
link |
at the same time and I snapped
link |
and beat the hell out of her right there.
link |
And I was 15, didn't really know what the fuck happened.
link |
Didn't really know, but.
link |
Just anger came from somewhere.
link |
And you know, the elevator,
link |
beat the hell out of this lady.
link |
Turned out she looked a shitload like my mom,
link |
but the elevator doors open.
link |
And one of the security guards,
link |
I played basketball with his son.
link |
So he saw me immediately.
link |
I knocked the hell out of him, took off running,
link |
made it back to the house where my grandparents were.
link |
They didn't know what had happened.
link |
So I didn't say anything.
link |
About an hour later, Kentucky state police,
link |
they pull up in the front yard and two of them get out
link |
and I'm sitting on the front porch and me and my cousins are
link |
and they start walking up where everybody starts walking
link |
And I'm like, I just remember saying, what do you want?
link |
Well, you know what they wanted.
link |
They wanted to arrest Brett Johnson and they arrested me.
link |
I went in and I told them everything.
link |
Spent three months in a county jail.
link |
They didn't have juvenile facilities in that county.
link |
So I spent three months in solitary, went to trial,
link |
pled guilty to assault in the first degree.
link |
The judge sentenced me to time served
link |
and a psychological evaluation
link |
where they sent me to Louisville, Kentucky.
link |
Spent 30 days up there and they cut me loose.
link |
They wanted me to have counseling after that
link |
and never went to counseling.
link |
You know, I wanted to, but mom was like, don't need it.
link |
And so never went to counseling.
link |
And I became this pariah in the county. It's crazy, man.
link |
I mean, not a day goes by that I don't think about that.
link |
That moment in the elevator.
link |
And what happens is, you know, you're 15.
link |
Fuck man, you're 15.
link |
So I go back to the high school that I was in
link |
and I'm this piece of shit.
link |
So everybody, you're not the outcast.
link |
So I moved, we moved, we were in Whitesburg at that point.
link |
I finished up the year there and moved back to Perry County,
link |
which is where Hazard is.
link |
So we moved there and they've got three high schools here.
link |
They've got MC Napier, they've got Hazard High School
link |
and then they've got Dills Combs High School.
link |
So I was within, me and Denise were within
link |
half mile of MC Napier.
link |
Show up there the first day of school
link |
and I met me and my mom and my sister
link |
were walking into the school and the kids won't let me in.
link |
The kids stand out there, he's not coming in.
link |
So my mom starts raising hell and I'm like,
link |
nah, let's just go, let's go.
link |
So from there it was, we went down to the city school,
link |
Hazard and the principal tells my mom,
link |
Denise can come, he can't.
link |
So my mom wants to raise hell and I'm like, no,
link |
let's just take me to this other school.
link |
So this other school was like 15 miles away
link |
and country high school.
link |
So I go there and they accept me
link |
and I walked in the first day
link |
and this English teacher
link |
name's Carol Combs, I walked in
link |
and handed her the paper, she was my homeroom teacher
link |
and she heard this voice,
link |
that is the way she explains it today,
link |
she heard this voice and she looks up
link |
and she was like, son, have you ever done any drama before?
link |
And I'm like, no maam,
link |
but I'm interested in the academic team,
link |
I was this quick recall guy, right?
link |
And she's like, no.
link |
She's like, drama.
link |
I'm like, no, I'm not interested in theater,
link |
I'm interested in academics.
link |
Well, she was the head of the drama department
link |
and head of the academics department.
link |
So the deal was, tell you what,
link |
you can get on the academics team
link |
if you start with theater too.
link |
And I was like, okay.
link |
So what happens is she was the only,
link |
she was the first decent person I met in my life
link |
and she became this kind of surrogate mother to me.
link |
So under her tutelage,
link |
I become one of the top academic team guys in the state.
link |
Around there, I was captain of the team,
link |
I was this just scourge across all the counties
link |
in that part of Kentucky.
link |
If we had a meet, it was like,
link |
Jesus Christ, that's Brett Johnson.
link |
And it was like, she used to tell people
link |
they would, the high school that I came from was Whitesburg
link |
and the first time that Whitesburg came against us,
link |
she told me, I was talking to her about a year ago
link |
and she told me, she's like, Brett,
link |
she said, that first meet against Whitesburg,
link |
she said, the captain came in, looked at you and said,
link |
oh, you've got that Johnson boy on your team?
link |
And she said, my response was that Johnson boy is our team.
link |
So, but I did that and then with theater,
link |
I ended up, my senior year,
link |
I won best actor and actress in the state.
link |
Only guy to ever do that in the state.
link |
So, did pretty well, man, did pretty well.
link |
Had scholarships coming out of high school
link |
and everything else and I'm the idiot that turned them down.
link |
Ask you a funny question.
link |
You'd make a hell of a, I mean,
link |
of all the many things you could probably do,
link |
you would make a hell of a actor.
link |
I'm very good on stage.
link |
I'm very good on stage.
link |
Have you acted professionally anywhere or not?
link |
Not professionally.
link |
We've done the college circuit and stuff like that.
link |
What happened was is, so I turned down the scholarships,
link |
you know, scared of leaving, I guess is what it was.
link |
Started in community college
link |
and the community college there hires
link |
a new theater director out of California.
link |
Well, he knew the guy
link |
that ran the San Jose State Theater program.
link |
A guy named Edward Emmanuel was his name.
link |
His claim to fame, he had written the Three Ninjas movie.
link |
Remember that, the three little ninja kids
link |
back in the eighties, he had written this damn film
link |
and it had made a shitload of money.
link |
So, he invites Ed Emmanuel to come down and see the play
link |
and Ed had written this Civil War piece.
link |
So, we put that on.
link |
I was doing like, it was a multiple role thing.
link |
I was doing like 18 different roles in the show.
link |
So, Ed sees the show and he was like, scholarship.
link |
He said, look, he said,
link |
right now you're a big fish in a small pond.
link |
We'll make you a big fish in a big pot.
link |
And I was like, deal.
link |
So, I took the scholarship, man.
link |
And he was like, I'll be back in two weeks.
link |
Two weeks later, this guy flies back in.
link |
He drives down to where I'm living.
link |
I'm out shooting ball with one of my cousins and friends.
link |
He pulls up and he gets out of the car
link |
and I was like, I'm walking over to him.
link |
I was like, hey man, I'll walk you in.
link |
You can meet my parents.
link |
He's like, no, I got it.
link |
So, I keep shooting ball.
link |
He walks in the house, stays about 15 minutes,
link |
walks out, white as a sheet, doesn't say a word to me,
link |
gets in the car, leaves.
link |
I don't hear from him again.
link |
Had no idea what went on.
link |
Takes me a couple of weeks.
link |
What happened is my mom, he walks in and introduces himself.
link |
My mom pulls a knife on the guy.
link |
You are not going to steal my goddamn son from me.
link |
Scares the guy to death.
link |
He bugs out and kind of broke my spirit at that point.
link |
So, went into, just full fledged into scams,
link |
crimes, everything else.
link |
I had already been, when I was a minor,
link |
I'd already been kind of brought up
link |
on that side of the family with the crimes
link |
that they were doing.
link |
My mom was drug trafficking, the pimp stuff,
link |
illegally mining coal, charity fraud.
link |
Illegally mining coal?
link |
Yeah, wildcatting coal.
link |
Can you explain that?
link |
Yeah, so, to properly mine coal,
link |
you have to get a permit, all right?
link |
Eastern Kentucky, a lot of people don't,
link |
they can't afford the permits.
link |
They can get them a piece of equipment.
link |
You get a dozer or a loader or whatever you're going to get
link |
or an auger or what have you.
link |
So, you start mining, but you don't get the permit.
link |
So, you don't have to do the, you don't have to pay.
link |
Back then, it was like $3,500 for a two acre permit
link |
or $5,000 for a two acre permit.
link |
Let you strip mine the coal on that.
link |
Then you have to pay for the reclamation on top of that.
link |
So, once you uncover the pit, take the coal out,
link |
you have to cover back up the pit, sow grass,
link |
make sure everything is environmentally friendly.
link |
You got a silt pond, everything else at that point.
link |
So, the whole idea is you buy an acre of land
link |
or some area of land and then you can,
link |
there's a whole process you're supposed to go through.
link |
How many people involved in a mining,
link |
the smallest number of people required
link |
for a mining operation?
link |
You can do it with three or four people.
link |
So, you've got your loader operator,
link |
you've got your dozer operator.
link |
You need, you can farm out the trucking to someone
link |
if you need that or trucking company if you need to do that.
link |
Then you've got your, whoever owns the business as well.
link |
So, very few people can run an operation like that
link |
and profit fairly well as long as
link |
you don't have to do the reclamation,
link |
all that crap on top of it, all right?
link |
The reclamation gets pretty expensive.
link |
So, if you're uncovering a pit of coal,
link |
a pit, so a ton of coal is basically about 36 cubic inches
link |
is what a 2000 pounds of coal weighs
link |
if you're in Eastern Kentucky
link |
because it's at the weight of the bituminous coal
link |
The fact that you know this is awesome.
link |
The fact that you know exactly the volume
link |
of a ton of coal, I mean, it's great.
link |
Yeah, you learn this shit, right?
link |
Can you rattle this shit off?
link |
So, you uncover the pit and then you've got to sell the pit.
link |
Well, the thing is, is that,
link |
where are you gonna sell the coal?
link |
Well, you sell it to one of these other coal tipples
link |
that knows that they're buying the shit illegally.
link |
So, back then a ton of coal was,
link |
they'd give you like 36 bucks per ton is what that is.
link |
And you'd have to go out and you'd test the BTUs on it.
link |
You take a sample to the lab, test the BTUs,
link |
you take that into the company.
link |
British Thermal Unit.
link |
So, you'd test what the BTU on the coal was.
link |
How pure the coal is.
link |
How pure the coal is, what BTU it burns at.
link |
Back then, a good BTU was around 12.9
link |
was what you'd get, all right?
link |
So, 12.9 coal, $36 a ton.
link |
You'd take that sample over to the coal tipple.
link |
They'd say, okay, we'll buy this for you.
link |
How many trucks you got or how many tons you got?
link |
And you'd say, this is what we've got.
link |
Then you'd hire the trucking company.
link |
And where you get it out because you've got the agents
link |
that are looking for you by this point
link |
because the people that you've bought the rights
link |
to whoever the landowner is,
link |
you said you're gonna give them $2 a ton or whatever this is.
link |
Well, the other people there,
link |
are you paying them off or are you not?
link |
Well, if you're not paying them off, guess what?
link |
They know your ass is mining it illegally.
link |
They're gonna report you.
link |
Well, all of a sudden, you've got all these inspectors
link |
that are coming around and everything.
link |
Hey, we know what you're doing.
link |
So, they're looking for you to get the pit out.
link |
So, when do you get the pit out?
link |
Right in dead of night.
link |
So, you're loading it up two o clock in the morning,
link |
hauling this ass out is what you're doing.
link |
You sell it out from there.
link |
And your mom ran operations like this?
link |
And you said you worked the mine too when you were younger?
link |
Yeah, I learned how to run a loader, run a dozer,
link |
learn how to clean off a pit, everything like that.
link |
So, this is the lifestyle you grow up in.
link |
You learn how to do this stuff.
link |
And so, I knew how to do charity fraud as well,
link |
insurance fraud, so.
link |
Can we break down some of these?
link |
Charity fraud, it's much more romantic than what it sounds.
link |
It was basically, it was basically standing beside the road
link |
with a sign and a bucket taking up collections
link |
for homeless shelters, for abused women,
link |
for children, stuff like that.
link |
Then later on, I branched off.
link |
When I started off on my own,
link |
I would set up my own charity company
link |
and do some telemarketing and go on by
link |
and collect checks and things like that.
link |
We're gonna talk about that.
link |
But actually, can we just step back
link |
and talk about your mom and your dad?
link |
Given all of that, given all the abuse,
link |
the complex ways that she played with love,
link |
to see how far she can push you and the people around her,
link |
and they still love her.
link |
Today, do you love her?
link |
You know, I called my dad yesterday.
link |
My dad, he's dying now.
link |
He's got a heart condition.
link |
He's not gonna get the operation to fix it.
link |
So he's like, fuck it, I'm ready to go.
link |
And I'm like, I looked at him,
link |
because hell, I'm 52 now.
link |
Prior to 52, I'd have been like, no, you need to do this.
link |
But I looked at him and I was like, I understand.
link |
And so he's not gonna get the operation.
link |
I was talking to him yesterday and he asked me,
link |
he's like, have you seen your mom?
link |
And I was like, dad, I've not talked to her
link |
for about two years.
link |
And I told him, I was like, I love my mom,
link |
but my mom is not a good person.
link |
And he told me, I was talking to him on the phone yesterday,
link |
and he told me that it took him several years
link |
to really understand that.
link |
You know, he loved her too,
link |
but it takes, when you're getting abused like that,
link |
especially my dad, my dad came from a good family,
link |
everything else, and, you know, upstanding family.
link |
And I think that when you're that victim of abuse,
link |
you know, you've never seen it before,
link |
you've never encountered it, and then it happens,
link |
well, you're like that frog in water all of a sudden.
link |
You know, you get to the point where it gradually increases
link |
until how do you get out of it?
link |
Everybody else sees what's happening, but you don't.
link |
I grew up in that environment though, you know,
link |
so it took me a long time to come to terms with that.
link |
My sister came to terms with it long before I did.
link |
You know, my sister, she's been a decade
link |
without talking to my mom,
link |
like she had tried to commit suicide, I didn't know that.
link |
What got me so bad is she said at one point
link |
that she always thought someone was gonna come in
link |
and save us, and my response, just immediate response,
link |
not even thinking about it, my response was,
link |
well, Denise, I knew no one ever was.
link |
And looking at things now,
link |
I think that's where our paths diverged.
link |
Me, it was, if you wanna do it,
link |
if anybody's gonna take care of you,
link |
you gotta take care of yourself.
link |
You're on your own.
link |
You're on your own, you know, it's up to you.
link |
And Denise has always been that child
link |
that has expected someone to come in and save her.
link |
Well, and almost like it's all going to be okay, somebody.
link |
Yeah, and I knew it wasn't.
link |
Unless you make it okay, it ain't gonna be okay.
link |
So, you know, I was.
link |
Are you able to forgive her, your mom?
link |
My boundary with my mom, the reason I've not spoken with her,
link |
over two years ago, I started this legal career of mine.
link |
I've been the guy who has,
link |
I spent a lot of time thinking about my past
link |
and those choices and what brought those choices around.
link |
So I'm big about taking responsibility for my actions.
link |
I think it's really important you have to do that.
link |
Well, my mom, not so much.
link |
So I was talking to her, you know,
link |
and I would start saying, you know,
link |
she would start the conversation talking about,
link |
she didn't understand
link |
why Denise wouldn't speak to her anymore.
link |
That was one of her tropes.
link |
So, and my response started to become,
link |
well, because you were the abuser
link |
and you spent your life doing that to her.
link |
So it's more healthy for her not to talk to you.
link |
So she's still not able to see the flaws
link |
in her ways of the past.
link |
So my ultimatum to my mom was, look,
link |
when you're able to admit
link |
that you abused the people in your life,
link |
accept that responsibility
link |
and be able to discuss it with me, we'll have a talk.
link |
Other than that, I don't want to talk to you anymore.
link |
So for the first year it was, you know,
link |
calling, cussing my wife out, cussing me out,
link |
you know, I don't need you, blah, blah, blah, blah, blah.
link |
And then finally it started to taper off
link |
and she's never really contacted me after that point.
link |
And your dad is dying.
link |
What do you take from the way he's taken on death?
link |
Just saying, fuck it.
link |
You know, it's the man.
link |
And what have you learned from your dad?
link |
What do you love about your dad?
link |
He's one of these guys that, you know, like I told him,
link |
I told my dad about the abuse and everything else.
link |
And there was a point.
link |
So, you know, I told you about the elevator stuff,
link |
but before that, man, it was,
link |
it took me 40 years to talk about that,
link |
but it also took me 40 years to talk about,
link |
there was a point that my mom and dad would leave the house
link |
and I would urinate in the floor.
link |
Is that like out of anger?
link |
Piss on the carpet.
link |
Carpet pissers like the Lebowski, right?
link |
It really tied the room together, dude.
link |
It really tied the room together.
link |
I was talking about that
link |
and this lady comes up to me after the presentation
link |
and she had a career previous to that
link |
where she dealt with abused kids.
link |
And she told me, she was like,
link |
Brett, she's like, it's a control mechanism.
link |
The only control you had was that.
link |
And she's like, kids do that.
link |
And I was like, so I'm not unique.
link |
She's like, no, you're not unique in that.
link |
So that, you know, this whole history of abuse,
link |
Denise dealt with it by drinking,
link |
by trying to commit suicide, things like that.
link |
And then finally she escapes.
link |
I'm the kid that didn't.
link |
And not only that, my wife pointed out to me that,
link |
again, it's that Eastern Kentucky mentality stuff.
link |
You know, the male's expected to do things.
link |
So with me, it was almost like I stepped up
link |
to take part in those crimes
link |
so that Denise didn't have to.
link |
And she was able to avoid all that.
link |
Other than that one shoplifting stuff,
link |
Denise doesn't break the law anymore.
link |
She goes off to be a, she's a good parent.
link |
She's an angry parent.
link |
She's a good parent.
link |
She's a teacher, a good citizen overall.
link |
I was just the guy that kept right on going with it.
link |
So let me ask you about that.
link |
So your life of cyber crime.
link |
In describing some of the things you did or knew about,
link |
"'I once stole several thousand dollars worth of coins
link |
"'from a family trying to sell them
link |
"'to put a new roof on their home.
link |
"'Another time, I sent a counterfeit cashier's check
link |
"'to a victim and he ended up being arrested for it.
link |
"'I lied to family, friends, everyone I knew.
link |
"'I was a truly despicable person.'"
link |
"'One of my Ukrainian associates script
link |
"'had someone who owed him money kidnapped and tortured.
link |
"'He posted pictures of it online.
link |
"'Another member, Iceman,
link |
"'used to flood his enemy's email addresses
link |
"'with child pornography, then called the police on them.'"
link |
That's some stories.
link |
Can you tell some of these stories that stand out to you
link |
that are particularly despicable or representative
link |
or interesting when you look back
link |
that defined your approach and who you were at that time?
link |
Let me say that I did not care about my victim, all right?
link |
I cared about me, is what I cared about.
link |
It's rough to admit that.
link |
You don't give a shit what you're doing to anybody else,
link |
you only care about you.
link |
But that's the truth of the matter.
link |
I didn't care about the victims.
link |
The lady, that wasn't even at the beginning of my career
link |
as a cyber criminal, that was right at the last of it.
link |
By that point, Shadow Crew had made
link |
the front cover of Forbes, August of 04.
link |
October 26th of 04, Secret Service had shut us down,
link |
33 people arrested, six countries in six hours.
link |
I was the guy that was publicly mentioned as getting away.
link |
What happened was is I was the guy who was,
link |
I had kind of invented this crime
link |
called tax return identity theft
link |
and was stealing a lot of money.
link |
I went through all my stateside savings
link |
and Shadow Crew gets shut down.
link |
I don't have any way to come in with any money,
link |
so I start running counterfeit cashier's checks,
link |
defrauding people with that,
link |
having them send products or bullion collections,
link |
what have you, by COD, collect on delivery,
link |
and I would pay with it
link |
with a counterfeit cashier's check.
link |
This lady was on eBay.
link |
She had been collecting these silver coins all of her life.
link |
You know, the U.S. currency used to be,
link |
the coins used to be silver,
link |
so she had a whole collection of these things,
link |
like, I don't know, 80, 90 pounds of this stuff,
link |
and I'm a very good social engineer.
link |
So, convinced her that I was a legitimate person,
link |
that, you know, hey, send it to COD,
link |
you can use my FedEx account to do that
link |
or my UPS account to do that.
link |
I'll pay with a cashier's check,
link |
you can take it in, same as cash.
link |
She believed that, she was, even on the ad,
link |
and we talked on the phone and everything else,
link |
she had told me that she was a single parent,
link |
and it was the only money that she had
link |
to put a roof on the house for her and her kids,
link |
and I didn't give a damn.
link |
I didn't give a damn.
link |
What was more important was me at that point.
link |
Can I ask you a question about the social engineering aspect?
link |
So maybe specifics like the methodology,
link |
email, you said phone,
link |
maybe you could discuss this process
link |
from a bigger philosophical perspective
link |
of what is it about human beings
link |
that makes it possible to be social engineer,
link |
to be victims of fraud?
link |
So, first let me say that I became a social engineer
link |
as a child, all right, because the adults in my environment,
link |
as a child, I had to know exactly what they were thinking
link |
and be able to try to manipulate that for survival.
link |
So I became a social engineer for survival initially,
link |
all right, and one of the things that I've seen
link |
with a lot of cyber criminals is the exact same thing.
link |
They're really expert ones.
link |
They become a social engineer as a child,
link |
then later on, they use those tools to victimize others.
link |
Which is fascinating because you're,
link |
in order to understand what others are thinking,
link |
you have to be extremely good at empathy.
link |
So you have to like really put yourself
link |
in the shoes of the other person.
link |
And yet, in order to do cyber crime,
link |
you have to not care about the pain
link |
that might cause them once you manipulate them.
link |
So you have to empathize and yet not care.
link |
Exactly, and I would argue,
link |
I would argue that that is not a sociopath
link |
because a cyber criminal, and I was no different,
link |
most cyber criminals justify those actions.
link |
So the justification becomes what's important.
link |
With me, the justification was why I did it for my family,
link |
did it for my wife, did it for my stripper girlfriend.
link |
So, and I believe those justifications.
link |
That's a good story, I heard that one.
link |
I like that, because I care about love a lot.
link |
Yeah, so the big picture of that is trust.
link |
How do you establish trust with a potential victim?
link |
All right, now I would argue online
link |
that that trust is established through a combination
link |
of technology, tools, social engineering.
link |
All right, so we trust our tech.
link |
We trust our cell phones, we trust our laptops.
link |
A lot of times we don't understand how they operate,
link |
but we trust the news that comes across the line.
link |
We trust the phone numbers that show up.
link |
We trust IP addresses if we're advanced enough
link |
to look at an IP address or a domain
link |
or anything else like that.
link |
Criminals use tools to manipulate that,
link |
spoof phone numbers, spoof browser fingerprints,
link |
whatever that may be, whatever the tool may be.
link |
Then that lays a base level of trust.
link |
At that point, you shoot in with the social engineering
link |
and lay whatever story that is in order to manipulate
link |
that victim to act not out of reason,
link |
but out of emotion all of a sudden.
link |
This is fascinating about the way humans interact
link |
with the world, which is you're almost too afraid
link |
to not trust the world.
link |
You have to find a balance.
link |
You have a lot of conspiracy theories now
link |
about distrusting institutions and thinking
link |
like everything around us.
link |
It's like I've been listening to people
link |
who believe the earth is flat.
link |
And that conspiracy theory is fascinating to me
link |
because it basically says that you can't trust anybody.
link |
Like everything you hear is a lie.
link |
So that's one, you can live that life
link |
or you can live a life
link |
where you're just naively trusting everything.
link |
And we as humans have to,
link |
because that life is kind of full of happiness
link |
if nobody screws you over.
link |
Cause you meet people with the joyful heart
link |
and you get excited and all that kind of stuff.
link |
But if you do that too much, you're gonna get burned.
link |
So you have to find some kind of balance
link |
in terms of optimizing happiness where you trust,
link |
I mean, but verify and on the internet
link |
that becomes really tricky.
link |
You're almost too afraid to distrust everything
link |
cause you'll never get anything done on the internet.
link |
But then if you trust too much, you can get screwed over.
link |
And so the social engineering comes in where you're like,
link |
I'm not sure if I should trust this.
link |
You kind of help them build the narrative
link |
where it's like, it's good.
link |
So in a lot of the times that social engineering
link |
is just feeding into what the victim wants to believe.
link |
It's not really coming up with a brand new story at all.
link |
It's just knowing what that victim is,
link |
what the motivations of that victim is
link |
feeding into it at that point.
link |
So you have to, again,
link |
that social engineer has to almost immediately know
link |
what's driving that person that they're talking about.
link |
If I'm working on a phone,
link |
talking to someone over the phone,
link |
I have to know within seconds what I need to say,
link |
how I need to act to interact
link |
with that customer service agent
link |
or whoever I'm talking to on the other end of the line.
link |
So fascinating because you truly are empathizing
link |
with the other person.
link |
This business man, Steven Schwarzman.
link |
And I've talked to a few times.
link |
He mentioned this thing that,
link |
the way you build deep relationships
link |
is you really kind of notice
link |
the things that people are telling you.
link |
Like what they want and what they're bothered by,
link |
what are their big problems in their lives?
link |
Because everybody's saying that all the time
link |
and most of us are just ignoring it.
link |
But if you take the time to listen,
link |
you know somebody at that point.
link |
Absolutely you do.
link |
Then you have to be able to dismiss it.
link |
You have to dismiss it after.
link |
You're looking for that just to see
link |
how I can manipulate that is what you're trying to do.
link |
So the lady was one story,
link |
another truly despicable story.
link |
We'll get to script in a second.
link |
But another truly despicable story.
link |
We were one of the really first groups
link |
that started phishing attacks.
link |
So that is a social engineering attack.
link |
That's another social engineering attack.
link |
That's sending that fake email out
link |
that looks like it's coming from a website
link |
or your financial organization or whatever
link |
and saying, hey, we've got a security problem.
link |
We need you to update your account information.
link |
Well, back then no one had ever seen a phishing attack.
link |
So you could ask for all the information.
link |
You were getting just complete identity profiles
link |
on a phishing email.
link |
Nowadays you can't do that.
link |
Nowadays you look for basically credentials
link |
because everyone is aware of phishing.
link |
But back then it was complete information.
link |
We had phished out, I don't know, 200,000 eTrade accounts.
link |
That's what we had the login credentials for.
link |
The login password, yeah.
link |
Login password, complete social, date of birth,
link |
mother's maiden account information, everything else.
link |
So we had access to those eTrade accounts.
link |
eTrade initially had no security in place.
link |
So you could cash out the account,
link |
ACH the money out to whatever account you wanted to,
link |
went through just fine.
link |
Made them alive on that for four to six months.
link |
eTrade got to the point where you couldn't
link |
do any ACH coming out.
link |
They locked everything down.
link |
Well, you're still sitting on thousands of eTrade accounts.
link |
How do you make money on that?
link |
That's a good question.
link |
So what you do is you find some fat cat that's
link |
got his retirement invested in blue chips.
link |
Same time you find a penny stock,
link |
you open up a brand new account, buy into that penny stock,
link |
cash the fat cat out, buy into that same penny stock,
link |
bump and dump schemes all of a sudden.
link |
So you're destroying people's retirement accounts
link |
for just a few thousand dollars.
link |
And of course, eTrade's response is, not our problem.
link |
It's your problem.
link |
You shouldn't give up your password
link |
or what have you at that point.
link |
And you still see that issue today with Zelle scams
link |
and things like that.
link |
So you know, the instant payment that they have.
link |
So it's the same kind of operation,
link |
same type of difference with different payment mechanisms.
link |
You find an easy way to exploit a system,
link |
and typically the financial organization, not our problem.
link |
Our system's secure, it's the humans, it's their errors.
link |
You know, you've got some culpability in that,
link |
and you're just trying to avoid paying the part of the bill
link |
is what's going on.
link |
One of the things, just to stand fishing for a bit,
link |
is it really makes me sad because there's been people
link |
on all kinds of platforms, including YouTube comments,
link |
They figured out emails somehow.
link |
So people are now seeing the followers
link |
of this particular podcast who are fans,
link |
they're finding them on platforms like LinkedIn and YouTube
link |
and so on, and they are figuring out
link |
ways to get to those people by another channel, which
link |
I suppose seems more authentic to those people.
link |
So they send them an email from what looks like me,
link |
and with this kind of loving message.
link |
The interesting thing, the emails
link |
sound like something I would write.
link |
So these aren't even, at this stage, it's not even,
link |
it doesn't feel automated.
link |
Or if it's automated, there's a human in the loop
link |
that's really fine tuning it to a specific,
link |
or maybe I'm very predictable.
link |
But it's very loving in the way I would write that message.
link |
So think about that, all right?
link |
So when Phishing first comes out,
link |
you could look at the language of the text or the website
link |
and say, eh, if you were paying attention, that's so OK.
link |
So that's not an English speaker who wrote that, typically.
link |
But as time has went on, as the awareness of what a Phishing
link |
attack looks like, we have people
link |
that are sitting down now and making sure
link |
that the language is proper.
link |
It gets worse than that, though.
link |
If you look at business email compromise,
link |
so the way a business email compromise typically works
link |
is the attacker will find a payroll person, find a CEO.
link |
He will fashion a spear phishing email, which
link |
is that's a Phishing attack that's targeting
link |
one specific individual.
link |
So he'll fashion a spear phishing email.
link |
And the way he does that is he pulls all the information
link |
he possibly can on that person, that CEO.
link |
Maybe he'll spear that CEO just to get their login credentials
link |
to their email, just to read the emails.
link |
And he'll go in there, and he'll start
link |
reading all these emails.
link |
He'll specifically read the emails to the payroll
link |
department, see what that relationship is.
link |
Are they talking about their kids,
link |
talking about relationships, talking about vacation?
link |
What are they talking about?
link |
How are they talking?
link |
Are they friendly?
link |
What are they doing, all right?
link |
So then he decides, well, I'm going to go ahead
link |
and spear phish the payroll department as well.
link |
So then he spear phishes in, gets those credentials.
link |
At the same time, he creates a Unicode domain
link |
in whatever the company name is, all right?
link |
So instead of that English alphabet I,
link |
he's got that Russian letter that looks like an I
link |
but without the dot on top, all right?
link |
Comes back into the email, into the payroll email,
link |
blocks the real CEO's email, replaces that with the Unicode
link |
email that he's got, and then sends out a message
link |
using the correct language, the correct relationships,
link |
everything else, and says, hey, we're updating
link |
our account status, I need you to send this payment
link |
instead of over here, they've set up a new account,
link |
send all payments over here now.
link |
And that is business email compromise in a nutshell,
link |
all right, works great.
link |
Probably the larger the organization,
link |
the more susceptible to that kind of attack
link |
because there's like a distribution of responsibility
link |
to where you're more likely to believe that,
link |
okay, this other person is responsible,
link |
I'm sure they secured everything.
link |
I'm okay listening to this.
link |
So that's business email compromise,
link |
and those crimes, and that's one of the things
link |
you see about cybercrime.
link |
Cybercrime's not really sophisticated.
link |
It's not, the attacks are not sophisticated.
link |
The stat is 90% of every single attack uses a known exploit.
link |
It's not zero day attacks, they're out there,
link |
but if you're a criminal waiting on a zero day to profit,
link |
you're gonna starve to death.
link |
The meat and potatoes are that 90%, known exploits.
link |
And then the rest is, well, you're saying it's,
link |
maybe you mean it's not technically sophisticated,
link |
but it's social engineering sophisticated.
link |
Very sophisticated on that end, very sophisticated.
link |
I mean, it's a fascinating study of that.
link |
That establishment of trust and then using that trust
link |
to defraud that victim.
link |
That is something.
link |
I wish, obviously, all of these folks
link |
are really good at hiding.
link |
I wish you could tell their stories in a way,
link |
which is why you're fascinating,
link |
is you're able to tell these stories now,
link |
because it is studying human nature by exploiting it,
link |
but you get to understand our weak points,
link |
our hope, our desire to trust others.
link |
Also, the weak points and the failures of digital systems
link |
and at scale, humans have to connect.
link |
This is a weird question, asking for a friend.
link |
Is spear phishing itself illegal?
link |
What's the legality here?
link |
Oh, it's all illegal.
link |
So here's what, okay, let me construct an example.
link |
So if my friend were to spear phish like a CEO, right,
link |
and get their information and after they get control,
link |
say, of their Twitter account,
link |
they tweet something loving and positive, what's the crime?
link |
Unauthorized access of advice.
link |
What will be the punishment, do you think?
link |
That becomes questionable.
link |
So no monetary loss, or was there a monetary loss?
link |
Probably not, all right?
link |
So you have to figure out who the victim is
link |
before charges are pressed.
link |
Now, the crime would be unauthorized access, all right?
link |
But no real victim on that,
link |
unless the person whose account you took over
link |
takes exception to that.
link |
So there's not really standard fines.
link |
Probably nothing's gonna happen, right.
link |
So, I mean, that's kind of interesting,
link |
because it's, so when I got the ransomware,
link |
when I got the zero day attack on the QNAP mass,
link |
they basically say the criminal is QNAP, the company,
link |
for having so many security vulnerabilities.
link |
They're like, you are the victim of QNAP's incompetence.
link |
That's the way they kind of phrase it.
link |
And see, I don't agree with that.
link |
I don't agree with that at all.
link |
Let's, so I've got 130 page class action lawsuit
link |
printed out at the house, I've been going through it,
link |
that catalogs how SolarWinds lied for years
link |
about their vulnerabilities, and they lied to investors.
link |
The people who came in, the honorees who they would hire,
link |
would, you know, they would not pay attention to them
link |
when they said, you know, you've got these issues,
link |
they would say, go away, shit like that for years,
link |
until SolarWinds, you know, the attacks become apparent.
link |
My view on that is that the only person
link |
responsible for the crime are the criminals
link |
who did the attacking, the actual criminals, not SolarWinds.
link |
Now, does that mean that SolarWinds isn't all fucked up?
link |
They are, and there needs to be some accounting in place.
link |
But the only individual, the only people responsible
link |
for crime are the criminals, and that's either online,
link |
in the physical world, what have you.
link |
Being an idiot is not a crime.
link |
You know, being criminally negligent is,
link |
and I think that SolarWinds is certainly responsible,
link |
not responsible, they're culpable for what happened.
link |
Can you actually tell folks about SolarWinds?
link |
What is it, what are some interesting things
link |
that you're aware of?
link |
SolarWinds was very, it provided a backbone of security
link |
for hundreds, thousands of different companies.
link |
If you looked at, a lot of security companies
link |
were using SolarWinds that would allow you
link |
to get a snapshot of the entire system
link |
that they were working on.
link |
So what happens is, is you get a Russian group that comes in
link |
and they basically, they hack into SolarWinds
link |
and get access to it, and it allows them
link |
to view every single thing, I mean, every single thing
link |
about every single client that SolarWinds had at that point.
link |
So entire snapshots of all the IP that was going on,
link |
all the emails, all the communications,
link |
every single secret that was going on with those companies.
link |
If a company had software like Microsoft,
link |
it allowed them to look at the source code
link |
of everything that was going on.
link |
I mean, it's just a complete and total nightmare, all right?
link |
And something that you are not going to recover from.
link |
I mean, it's done at that point.
link |
You know, there's not been a lot of news lately about it,
link |
but the fact of the matter is, is that's the type of attack
link |
that's a catastrophic attack.
link |
So there's a huge amount of information
link |
that was read, saved elsewhere probably.
link |
And so now there's people sitting on information.
link |
So think about one of the attack vectors
link |
has been Microsoft Outlook 365, things like that.
link |
This allowed the attackers to look
link |
at the source codes of that.
link |
So they have the source code now,
link |
so they go through it line by line.
link |
Where are the vulnerabilities?
link |
Let's find new vulnerabilities, new zero days.
link |
You know, I said zero days aren't common,
link |
but this opens up an entire new threat surface
link |
So it's a completely catastrophic attack.
link |
Once all the chips are down, everything's tallied up,
link |
people are going to be like, yeah, we're done.
link |
All right, this whole computer thing,
link |
we tried it and we're walking away.
link |
That's terrifying.
link |
So you're saying that there's not been obvious
link |
big negative impact from that yet.
link |
There's been a lot of negative impact,
link |
but we're just starting.
link |
So the capacity for destruction is huge here.
link |
How much involvement from nation states
link |
do you think there is on this?
link |
You know, it's interesting.
link |
So you've got Iran, you've got North Korea,
link |
China, Russia, you got the big four.
link |
You also got Brazil.
link |
You've got all these other countries
link |
that are interested in the United States as well.
link |
Nation states are interesting
link |
depending on who the nation state is.
link |
All right, so Russia is very good about working
link |
with the type of criminal that I used to be.
link |
You know, they'll enlist these guys
link |
and steal information or what have you,
link |
then Russia will take the information they want to,
link |
and they'll basically go off and sell whatever you want to
link |
and make some money.
link |
China's all about IP.
link |
North Korea is about stealing money
link |
because they really don't know
link |
what the hell else to do right now, but...
link |
So North Korea is actively involved in cybercrime.
link |
They've stolen a shitload of Bitcoin, everything else.
link |
So absolutely, they're actively involved with that.
link |
Very, very skilled attackers, very skilled.
link |
But even if you look at, you know,
link |
I told you that stat about 90%, all right?
link |
So even though SolarWinds is going to be
link |
the number one attack,
link |
the followup to that is this NotPetya attack that happened.
link |
And so that was the most sophisticated attack
link |
launched by the Russian Sandworm Group
link |
using all known exploits throughout.
link |
So it's not, again, it's not...
link |
You're right in the sophistication
link |
is typically not technical sophistication,
link |
but it's a social engineering sophistication.
link |
How do you get these things put together
link |
in line to attack and succeed?
link |
But when you get access to the source code,
link |
that's where technical sophistication could really do
link |
And that's when you find out real quick,
link |
that's what separates the men from the boys in this game.
link |
All right, because all of a sudden it's not,
link |
I don't have to worry about social engineering.
link |
I've got source codes and I've got professionals
link |
that are looking at that.
link |
And that's your ass.
link |
Which then enables probably even more powerful
link |
social engineering methods too.
link |
I mean, it's just the cascade of...
link |
Is this terrifying to you, by the way?
link |
That this world that we're living in,
link |
as we put more and more of ourselves on the internet,
link |
into the metaverse, that there's so many more
link |
attack vectors on our wellbeing?
link |
What's terrifying to me, I used to preach it on Shadow Crew,
link |
is the idea that the perception of truth
link |
is more important than the truth itself.
link |
It doesn't matter what the facts are,
link |
it matters what I can convince you of.
link |
That's what's terrifying to me.
link |
So you look at deep fakes, you look at fake news,
link |
all this stuff that's going out,
link |
that becomes truly terrifying.
link |
Maybe there's an angle where it's freeing,
link |
if nothing is true and you can't trust anything.
link |
But you see, we as human beings, we wanna trust.
link |
We do, we need human interaction.
link |
And for that human interaction,
link |
you have to have a degree of trust.
link |
But it's more like you let go of an idea of absolute truth
link |
and it more becomes like a blockchain style consensus.
link |
So you let go of like, you know what?
link |
There's this human dream, you get this on the internet,
link |
you get like facts, as if there's at the bottom,
link |
at the bottom, there's one turtle that's holding
link |
this scroll that says, these are the truths of the world.
link |
The problem is, I mean, maybe believing
link |
that is counterproductive.
link |
Maybe human civilization is an ongoing process of consensus.
link |
And so it's always going to be, everything is shrouded
link |
and you can call them lies or you can call them inaccuracies
link |
or you can call them delusions.
link |
It's constantly going to be, it's going to be a sea of lies
link |
and delusions, but our hope is to over time
link |
develop bigger and bigger islands of consensus
link |
that allows us to live a stable and happy society.
link |
Don't call it true, call it a stable consensus
link |
that creates a high quality of life
link |
for the inhabitants of the island.
link |
I like it, I mean, I like it.
link |
I mean, we're going to agree on this.
link |
And then don't use outlook, no, I'm just kidding.
link |
So maybe a step back, you mentioned, I'd love to talk
link |
about ShadowCrew, maybe this is the right time
link |
to actually, yeah, let's go to ShadowCrew
link |
because it's such a fascinating story.
link |
So tell me the story of building ShadowCrew,
link |
the precursor to today's darknet and darknet markets.
link |
This is why you're the original Godfather.
link |
This is it, this is it.
link |
I faked a car accident to get married,
link |
got the money from that.
link |
I remember, like my dad, man.
link |
I'm the guy that, you know, I get from mom,
link |
I get the criminal mindset.
link |
From dad, I get that, don't want him to leave.
link |
To get married, what's that story?
link |
How did you fall in love there?
link |
My first girlfriend was a preacher's daughter
link |
and crazy over her, dated her for five years.
link |
And she figured out pretty quickly that,
link |
well, not quickly, it took her five years
link |
to figure out that Brett Johnson is not the man of God.
link |
I could talk it, but more that agnostic than anything,
link |
she breaks up with me.
link |
So I was at the community college.
link |
You'd make one hell of a preacher by the way.
link |
I've got that Langston Hughes problem.
link |
I'm looking for Jesus to show up and he just doesn't.
link |
So I was at the community college
link |
and I was a straight asshole.
link |
I was arrogant, conceited, everything else.
link |
And I had posted an advertisement
link |
on one of the billboards looking for an adult babysitter,
link |
hot blonde, you know, come visit me in the library.
link |
Buddy of mine shows up and he's like, Brett.
link |
And I was like, yeah.
link |
He's like, hottest girl in school, right down the hall.
link |
And I was like, serious?
link |
And I was like, let's go see.
link |
Walk over and there's these two guys that are hitting on her.
link |
So I just walk up and me and Todd, that was my buddy,
link |
walk up and I'm just sitting there and listening.
link |
And they're giving the spill and everything.
link |
And she's just kind of taking it in.
link |
Finally, I looked over and I was like,
link |
you want to get out of here?
link |
And one of the guys looks at me and he's like, hey,
link |
we're talking to you.
link |
And I was like, well, you're talking at her.
link |
You're not talking to her.
link |
I'm about to save her ass from you.
link |
Yeah, that's a smooth pick up line, by the way.
link |
If I ever heard one, that's good.
link |
You want to get out of here?
link |
So start dating, and she was the girl
link |
that screwed my brains out.
link |
And I fell head over heels.
link |
We got married six months later.
link |
That's what love does.
link |
That's what it does.
link |
And she didn't know I was a crook.
link |
She knew I was very bright.
link |
She knew I did a lot of theater, stuff like that.
link |
Got a job at, I was in hazard.
link |
There was no jobs to be had, so I got a job in Lexington,
link |
because we were going to be moving to the UK.
link |
Got a job in Lexington at Lexmark testing printer boards,
link |
So I would leave on a Thursday night,
link |
work three 18 hour shifts at Lexmark,
link |
come back home on Monday.
link |
Got married, faked a car accident
link |
to get the rest of the money that I needed to get married.
link |
And the faking on that, man, I had bought a Chevy Spectrum
link |
Gave like $500 for it.
link |
My aunt had previously defrauded USAA insurance
link |
on a car accident, and she was telling me all about it.
link |
She's like, look, go down to this chiropractor.
link |
Make sure you get the insurance where
link |
they'll pay for a rental car.
link |
They'll pay lost wages.
link |
I was like, they pay lost wages?
link |
She's like, yeah, they pay lost wages.
link |
She's like, by the way, you work for me.
link |
And I was like, I work for you.
link |
And you get to define the wage.
link |
And you could also define how long you were unable to work.
link |
And the chiropractor will sign off on any damn thing.
link |
So my cousin, Ronnie, he figures out that I'm going.
link |
He finds out I'm going to fake this car accident.
link |
So he comes to me.
link |
He's like, hey, man, can I get in on that?
link |
I was like, yeah, man, you get on that.
link |
So this kid, he's five days younger than I am.
link |
This kid, he goes to the dentist the day
link |
that we're faking it, has a tooth pulled,
link |
tells the dentist not to numb it, not to stitch it,
link |
He shows up the day that we're driving out
link |
to fake the accident.
link |
He's got blood all over his shirt.
link |
He's still bleeding out of the mouth and everything else.
link |
I'm like, are you OK?
link |
He's like, yeah, man, it's going to be good.
link |
It's going to be good.
link |
My mom, by this point, I'm living with my grandparents.
link |
My mom is up in the head of a hollow.
link |
So we're like, we'll just do it up there.
link |
We'll go act like we're visiting my mom on the way back out,
link |
ran over a mountain.
link |
So we go visit and everything, come back out that night,
link |
run over the side of the hill.
link |
Me and Ronnie walk back up.
link |
Of course, it totals the car.
link |
Walk back to my mom's, acting like we've wrecked.
link |
She knows what time it is and everything else.
link |
And file the claims.
link |
So that gets the money to get married.
link |
And me and my wife moved from Hazard to Lexington.
link |
And I'm the kid that my crime, usually, if I was a single guy,
link |
wouldn't break the law.
link |
I would be all right.
link |
But females involved, oh, yeah.
link |
Got to spend the money.
link |
Got to show them gifts.
link |
Everything else was never enough to show love
link |
in some sort of healthy way.
link |
Always had to go overboard.
link |
And typically, it was buying or stealing
link |
some sort of expensive crap.
link |
So that was the thing.
link |
That was the way you show love is by buying expensive gifts.
link |
Or something overboard.
link |
Back then, with Susan, initially, it was,
link |
don't worry about working.
link |
You just worry about going to school.
link |
She was a music major.
link |
I was like, you just worry about going to school.
link |
So don't worry about cooking and cleaning.
link |
So not only was I this guy that was going overboard,
link |
but I was kind of a control freak, too.
link |
So here I am, 60 hour a week job, 18 hour class load,
link |
cooking and cleaning.
link |
Something had to give.
link |
Quit the job and start back in fraud.
link |
And trying to hide that from her at the same time.
link |
So it was initially telemarketing fraud.
link |
The first job I had was a telemarketer at a cemetery,
link |
selling gravesites.
link |
And then that ended.
link |
Went over to work for the Shriners Circus, Shriners
link |
And it was a third party company that
link |
was doing all the telemarketing.
link |
Made really good money doing that.
link |
And then they pivoted over to working with Kiwanis Clubs,
link |
selling food baskets to the food banks and everything.
link |
So I stole the phone list and started at my own Kiwanis Club
link |
and would do the telemarketing, go out twice a week
link |
and pick up checks.
link |
Well, what happened was is I'm going out picking up checks,
link |
go knock on a door.
link |
Turns out one of the persons that I had called
link |
was a law enforcement officer.
link |
So he was like, who are you?
link |
I'm with the Kiwanis Club.
link |
And he's like, no, you're not.
link |
So got arrested, spent three months in a county jail
link |
for theft by deception.
link |
And we had to move from Lexington back to Hazard
link |
and live with Susan's parents.
link |
They had gotten a desktop computer, HP.
link |
And I started surfing around online.
link |
And didn't really know how to make money on eBay.
link |
At about the same time, I'm committing low level frauds
link |
And I don't really talk about that in the past.
link |
The first time I've really talked about that.
link |
But I would pay for it with bad checks.
link |
So more person, so not using a platform like eBay and more.
link |
I would find somebody that had like a stereo system on eBay,
link |
something like that.
link |
And I'd pay for it with a bad check
link |
and would rely on them not to chase me
link |
because they were out of state at that point.
link |
And the dollar amounts were very low.
link |
So got the money to move to finally
link |
did those schemes enough to get the money
link |
to move back to Lexington.
link |
And by this point, I'm doing, like I said,
link |
these schemes on eBay.
link |
And I'm like, there's got to be a better way
link |
to make money on eBay.
link |
So didn't really know how.
link |
One night, I'm watching Inside Edition with Bill Riley.
link |
And they're profiling Beanie Babies.
link |
So I'm sitting there watching.
link |
The one they're profiling is this one called Peanut,
link |
the Royal Blue Elephant.
link |
Selling for $1,500 on eBay.
link |
I'm sitting there going like, shit,
link |
I need to find me a peanut.
link |
My initial thought was, well, there's
link |
got to be one in one of these Hallmark stores
link |
in Kentucky someplace.
link |
So I skip class the next day.
link |
Went out around all the Hallmark stores looking for peanut.
link |
He's on eBay for $1,500.
link |
So after a few hours of that, I'm like, hmm.
link |
Turns out they had a little gray Beanie Baby elephants
link |
Picked up one of those for $8.
link |
Stopped by Kroger on the way home.
link |
Picked up a pack of Blue Rit dye.
link |
Went home, tried to dye the little guy.
link |
So that was a nightmare.
link |
Turns out they're made out of polyester.
link |
Get them out of the bath.
link |
Looks like they've got the mange.
link |
And what happens is, so I'm trying to dye the damn thing.
link |
I'm like, well, that's not going to work.
link |
That's just not going to work.
link |
So I got online, found a picture of a real one,
link |
posted it on eBay, and I was like, well, what I can do
link |
is I can claim that's the one I've got
link |
and then maybe claim that it got messed up in the mail
link |
and work out like that.
link |
So posted a picture of a real one online.
link |
Woman thought I had the real thing.
link |
That social engineering kicks in immediately.
link |
I didn't want to be on the defensive.
link |
I wanted to put her on the defensive.
link |
So as soon as she wins the bid, I send her a message.
link |
Hey, we've not done any business before.
link |
I don't even know if I can trust you.
link |
What I need you to do, protects us both.
link |
Go down the US Postal Service.
link |
Get two money orders totaling $1,500.
link |
Send them to me issued by the US government.
link |
That way we're both protected.
link |
Soon as I get the money orders, I'll send you your animal.
link |
She believed that.
link |
Didn't ask any questions at all.
link |
She believed that.
link |
Sent me the money orders.
link |
I cashed them out.
link |
Sent her the creature.
link |
Immediately got a phone call.
link |
I didn't order this.
link |
My response, lady, you ordered a blue elephant.
link |
I sent you a blue fish elephant.
link |
And she got pissed.
link |
And she kept calling.
link |
What I found out, and that's really
link |
the first lesson of cybercrime that most of these criminals,
link |
including self, learns.
link |
If you delay a victim long enough,
link |
just keep putting them off.
link |
A lot of them, they get exasperated,
link |
throw their hands in the air, walk away.
link |
You don't hear from them.
link |
And none of them, to this day, none of them
link |
complain to law enforcement.
link |
So it's a mixture of you're exhausted by the process,
link |
so it's just easier to walk away,
link |
and second, almost like an embarrassment.
link |
So there's a whole slew of reasons, all right?
link |
There's the exhaustion, certainly.
link |
There's the embarrassment.
link |
So if you figure out, if you look at it today,
link |
where does the embarrassment come from?
link |
Well, the media, family members,
link |
we're all very good about blaming the victim for crimes.
link |
Why would you click on the link?
link |
Why would you send money to somebody you don't know?
link |
So you've got that that's going on.
link |
You've got the issue of, who do you complain to?
link |
Back then, you didn't know.
link |
Do you complain to local police?
link |
Because she's in another state, so which local police
link |
do you complain to?
link |
Do you complain to the feds?
link |
Well, the dollar amounts aren't high enough
link |
to complain to feds.
link |
Feds are going to tell you to go local.
link |
Local's going to tell you, hey, it happened in Kentucky.
link |
Kentucky's going to tell you, well, shit, you're over there.
link |
We need you to come in.
link |
So there's this whole issue of the jurisdiction,
link |
of the blame factor, everything else.
link |
So I got away with that crime and did it under my own name
link |
I kept going and got better at it,
link |
started to understand how to hide identities,
link |
Started selling pirated software.
link |
Pirated software led into installing mod chips.
link |
The initial pirated software was Sega Saturn, PlayStation 1.
link |
Well, you had to have a mod chip in those
link |
to play the pirated disk, so I started
link |
selling and installing mod chips.
link |
That led into installing mod chips in the cable television
link |
boxes so you could watch all the pay per view, which in turn
link |
led into programming satellite DSS cards.
link |
Those 18 inch RCA satellite systems,
link |
pull the card out of it, program it, turns on all the channels.
link |
Started doing that.
link |
Can we just pause?
link |
That is very entrepreneurial.
link |
So just technically, so there's laws and rules
link |
that you're breaking nonstop.
link |
So there's also legitimate ways of doing
link |
that, which is break the rules of the conventions of the past.
link |
That's the first principles thing.
link |
That's what Elon Musk and his ilk do all the time.
link |
That is guts and brilliance.
link |
But when it's crossing the lines of the law,
link |
actually sometimes the law is outdated.
link |
The thing is, as a human being, you
link |
have to then compute the ethical damage you're doing.
link |
Like ethically, the damage you're
link |
doing about other human beings, that is fundamentally
link |
the thing that you're breaking, is you're
link |
adding to the suffering in the world in one way or another,
link |
and you're justifying it.
link |
But in terms of me sort of as an engineer,
link |
that is some gutsy thinking.
link |
That's how Woz and Steve Jobs thought.
link |
That's innovation.
link |
And maybe just think, if you can introspect your thinking
link |
process here, this is a new, I like
link |
how you remember this in HP, this
link |
is a totally new thing to you.
link |
Computers is another domain.
link |
How were you figuring these puzzles out,
link |
presumably mostly alone?
link |
When you were thinking through these problems, is there,
link |
this is a strange question to ask,
link |
but what is your thinking process?
link |
What is your approach to solving these problems?
link |
So the approach is you do something, and you fuck it up,
link |
and you're like, you think back, OK, how do I fix that?
link |
You fix that aspect, you commit the crime again.
link |
And it goes a little bit further, and it screws up.
link |
OK, how do I fix that?
link |
What's the issue on that?
link |
How do I fix that?
link |
So there's not a deep design thinking like that?
link |
Later on, it becomes that.
link |
Once you lay that groundwork of the way
link |
these schemes are working, it becomes that.
link |
And you can apply that to other things in cybercrime
link |
But initially, it's basically trial and error.
link |
You've got a problem, how do you solve that problem?
link |
So I'm committing these crimes under my name,
link |
how do I solve that?
link |
Well, one of the first principles
link |
that we started to teach on Shadow Crew
link |
is all crime should begin with identity theft.
link |
That's one of the main first principles
link |
that a lot of people to this day still don't really get.
link |
All right, why would I commit a crime under my name
link |
if I can do it under your name?
link |
So that's one of the big buffers.
link |
And that takes trial and error to get
link |
to that point where you start to understand
link |
that's the way crime should operate if you're a criminal.
link |
But with me, it's trial and error.
link |
It's that childhood where that mindset
link |
is kind of ingrained in you where you're looking
link |
for ways, let's say nontraditional ways
link |
of getting around things or getting through things.
link |
I mean, one of the questions I'll probably ask this later
link |
is there's also a unique aspect to the outcome
link |
of what you were doing, which is you weren't,
link |
you didn't get caught for a very long time.
link |
We'll talk about why that is.
link |
And the thing is, it's so interesting,
link |
all crime probably should, to be effective,
link |
should start with identity theft.
link |
I like that identity theft
link |
because identity theft can take so many forms.
link |
So yes, so Shadow Crew.
link |
So what's, so as we're, you started with love.
link |
Started with love.
link |
So now we're doing these schemes online.
link |
I'm selling to these,
link |
I'm programming these satellite DSS cards.
link |
And one of the interesting things,
link |
and you still see that to this day,
link |
is something will happen
link |
that will create an industry for criminals, all right?
link |
So what happened is Canada, Canadian judge,
link |
rules about the same time
link |
that I'm doing these satellite cards,
link |
Canadian judge comes out and says,
link |
hey, it's legal for my citizens to pirate those signals.
link |
And his reasoning was is since RCA
link |
doesn't sell the systems up here,
link |
my citizens can pirate it.
link |
Okay, so what happens is is overnight,
link |
about the same time PayPal comes into play.
link |
So PayPal is coming right online at about the same time.
link |
Overnight, a little cottage industry
link |
pops up in the United States.
link |
You go down to Best Buy, buy the system for $100,
link |
take it out in the parking lot, open system up,
link |
pull it, open box up, pull the system out,
link |
pull the card out, throw the system away,
link |
program the card, ship its ass to Canada, $500 a pop.
link |
Started doing that.
link |
Making, you know, $3,000, $4,000 a week doing that.
link |
I'm like, yeah, that's good.
link |
I have so many orders, I can't fill all the orders
link |
and quickly think to myself,
link |
why do I need to fill any of them?
link |
They're in Canada.
link |
You know, who are they gonna complain to?
link |
Because I already found out people don't complain, all right?
link |
They're not gonna complain to anybody.
link |
Especially in Canada.
link |
Especially in Canada.
link |
And I'm having them send money.
link |
That's when PayPal's first into play.
link |
And it amazes me that everybody is using PayPal.
link |
It's like, you don't even have to really ask.
link |
They're like, can we pay by,
link |
yeah, you can pay all day long by PayPal.
link |
And PayPal had no clue what they were doing with security.
link |
So it's like, okay.
link |
So they're sending money to PayPal.
link |
I'm having the PayPal cashed out to bank accounts
link |
in my name at that point.
link |
And I get scared because by that point,
link |
I'm still in four to $6,000 a week.
link |
And I'm like, somebody's gonna be looking at money laundering.
link |
So get it in my head.
link |
I'm like, best thing that I can do
link |
is get a fake driver's license,
link |
open up a bank account using that driver's license,
link |
cash out at the ATM.
link |
No idea where to get a fake ID.
link |
So I get online, looked around.
link |
Spent a couple of weeks looking around.
link |
Thought I found a guy.
link |
He went by the screen name of Fake ID Man.
link |
Thought I found a guy, sent him $200, sent him my picture.
link |
And I'm like, what the hell, man?
link |
He had a little website set up with reviews.
link |
And I'm like, oh, it's all legitimate.
link |
He's building that trust that I talked about.
link |
So the end result, I got pissed.
link |
And there was no site that dealt with anything
link |
criminal or cyber crime related.
link |
The only real avenue you had was an IRC chat session,
link |
internet relay chat.
link |
And that, I'm sure you've been on that.
link |
It's this rolling chat board.
link |
You don't know who the hell you're talking to.
link |
Most of them are full of shit.
link |
You can't trust anybody.
link |
And you're sitting there trying to conduct business.
link |
So if somebody claims they've got a product or service,
link |
Are they just gonna rip you off?
link |
Because in those channels, everyone's a criminal.
link |
I kept looking around and I've happened upon a website
link |
called Counterfeit Library.
link |
And Counterfeit Library only dealt with counterfeit degrees
link |
and certificates, degree mail type stuff.
link |
But they had a forum and no one was using the forum.
link |
So I basically get on there and bitch every day.
link |
I got ripped off, don't know what to do,
link |
bam, bam, bam, bam, bam.
link |
About the same time I started doing that,
link |
two other guys show up.
link |
One's named Mr. X, he's out of Los Angeles.
link |
Other guy's named Beelzebub,
link |
he's out of Moose Jaw, Saskatchewan.
link |
And we all become buddies.
link |
So a few weeks of me bitching,
link |
a few weeks of them responding.
link |
Beelzebub gets me on ICQ and he sends me a message.
link |
He's like, I went by the screen name of Gollum
link |
at that point, Gollum Fun.
link |
And he's like, Gollum, I can make you
link |
a fake driver's license.
link |
And I was like, well, motherfucker, do it.
link |
And he's like, well, I'm gonna charge you for it.
link |
I'm like, yeah, you are.
link |
I was like, no, you're not.
link |
And he's like, look, man, he said,
link |
this business, if you're gonna do this,
link |
you have to trust people or you're gonna fail.
link |
He said, so I'm gonna charge you $200,
link |
but I'm gonna send you a driver's license.
link |
Well, by this point, I'm friends with the people
link |
who own Counterfeit Library.
link |
We're emailing, chatting, everything else.
link |
And I tell him, I'm like, okay, I'm gonna send you $200.
link |
That way, when you rip me off, I'll have them ban you
link |
and I don't have to deal with you anymore.
link |
And he's like, bet.
link |
So I sent him $200, sent him my picture.
link |
Two weeks later, I get a driver's license.
link |
Name is Steven Schwecki out of Ohio.
link |
And real guy, worked at ADP payroll to this day,
link |
works at ADP, is where the guy works.
link |
Got the driver's license.
link |
And to me, at that point in time,
link |
it was the prettiest thing that I'd ever seen.
link |
You know, I'd never seen a fake ID before.
link |
I thought it was great.
link |
Turns out, you know, looking back, it was like, eh.
link |
That is kind of a strong first step
link |
in creating a fake identity.
link |
Very strong, very strong.
link |
So this is. So that was like, Gasko just,
link |
on the point he made, that if you're gonna be successful
link |
in this, you should have people you trust.
link |
Is he right on that?
link |
Oh, he's absolutely right.
link |
So you have to have, this is like mob.
link |
You have to have an inner circle that you trust.
link |
You know, I'm sure you've probably
link |
heard me say this before.
link |
Successful cyber crime, all right?
link |
There are three necessities to being successful online
link |
if you're a criminal.
link |
Three necessities are gathering data,
link |
committing the crime, and then cashing it out.
link |
All three of those necessities have to work in conjunction.
link |
If they don't, the crime fails.
link |
The problem, and it's a huge problem,
link |
is that one guy can't do all three things.
link |
You know, you've got the people who gather the data.
link |
Basically, the general store sells people
link |
who sell PII, credit card logins, data tools.
link |
They always sell the spoofed phone numbers
link |
and the RDPs, stuff like that.
link |
A lot of the times, those people don't know
link |
how to commit the crime.
link |
And those people certainly don't know
link |
how to launder the money out, put cash in pocket.
link |
So you've got, either because of a skill level,
link |
sometimes a geographic location,
link |
limits what that individual can do, all right?
link |
So you have to rely on people who are good in areas
link |
where you are not in order for that crime to succeed.
link |
And that means you have to trust those people.
link |
So what happens with Shadow Crew, all right?
link |
So Counterfeit Library is the start, all right?
link |
Counterfeit Library transitions over to Shadow Crew.
link |
Right before that transition, there's a Ukrainian guy.
link |
By the name of Dmitry Golubov.
link |
He was a spammer at that point in time.
link |
He saw what we were doing with Counterfeit Library
link |
He was getting all these credit card details
link |
and this kid, I mean, he's a kid.
link |
This kid has an idea.
link |
And his idea was, I wonder if people would buy
link |
stolen credit card details.
link |
That's pretty good Ukrainian Russian accent.
link |
So he picks up the phone, he calls his buddies.
link |
They call their buddies.
link |
They have a physical conference in Odessa.
link |
150 of these cyber criminals show up.
link |
And they launched this idea,
link |
this launches a website called Carter Planet,
link |
which is the genesis of all modern credit card theft
link |
as we know it, all right?
link |
And so, remember I mentioned those three necessities
link |
Dmitry had all the credit data in the world.
link |
And he partnered with all these other Ukrainians
link |
who had all this data as well.
link |
The problem was, is so much fraud had been committed
link |
on that Eastern side of Europe,
link |
that every card had been shut down.
link |
Even if you were a legitimate card holder
link |
and tried to cash it out,
link |
you weren't doing it at that point.
link |
So again, those three necessities,
link |
gathering data, committing crime, cashing out.
link |
Dmitry had the data.
link |
They could commit the crime.
link |
They could not put cash in pocket.
link |
So we were running counterfeit library.
link |
One day I get this message,
link |
or not a message, one day script shows up.
link |
And he posts just on the general forum.
link |
He posts, hey, I've got credit card data.
link |
Give me an address, give me a burner phone number,
link |
wait five business days, order whatever you want to.
link |
We had never seen anything like that.
link |
We were a PayPal fraud and eBay fraud site,
link |
is what we were, and fake driver's licenses.
link |
So then, and we had,
link |
I guess we had two, 3,000 members at that point.
link |
So the response from the members was, that can't be real.
link |
You've gotta be law enforcement.
link |
It's gotta be trying to get us arrested and everything else.
link |
What, let me backtrack a little bit.
link |
So the driver's license that I had got,
link |
Beelzebub had an idea.
link |
What he wanted to do is he wanted to sell driver's licenses.
link |
Mr. X wanted to sell social security cards.
link |
He made a very passable social security card.
link |
Me, I didn't, I had no skill level on that.
link |
I knew PayPal fraud and eBay fraud.
link |
So Beelzebub was like, I'll tell you what,
link |
you be the reviewer.
link |
That way you get every product or service that comes in.
link |
They'll have to send it to you or let you have access to it.
link |
You can learn the entire game.
link |
And because you're not selling anything,
link |
it gives you legitimacy on the reviews, all right?
link |
So I started out as a reviewer,
link |
the only reviewer on Counterfeit Library.
link |
So over the next year, Beelzebub turns out
link |
he was a pot grower.
link |
He goes back to growing pot
link |
because he wasn't making shit selling driver's licenses.
link |
Mr. X, about a year and a half in,
link |
he gets arrested cashing out driver's, not credit cards,
link |
cashing out to casinos, doing some shit with that.
link |
So I'm the only guy left standing
link |
and I'm at the top of the heap.
link |
And it becomes this thing where if I review somebody,
link |
they make a lot of money.
link |
If I don't, you don't do business here.
link |
So script shows up saying he's got this.
link |
I'm the only reviewer on site.
link |
People think he's law enforcement.
link |
First week it goes like that.
link |
After a while, I'm like, okay, I gotta do something.
link |
And I'm scared, man,
link |
because I'm like, he may be law enforcement.
link |
So I get him on ICQ and I'm like,
link |
hey, you have to be reviewed.
link |
He's like, what the hell is that?
link |
So I tell him what it is, he's like, you reviewed me.
link |
I was like, yeah, that's the idea.
link |
So give him a drop address, give him a burner phone number,
link |
wait five business days,
link |
and I try to hit Dell for $5,000.
link |
I get back on ICQ, hey man, it didn't work.
link |
He's like, give me one more chance.
link |
I was like, look, I'll give you one more chance,
link |
but it's your ass after that.
link |
He's like, one more chance.
link |
I go, okay, give him another address, another phone number,
link |
wait another five business days,
link |
hit Thompson's Computer Warehouse for $4,000,
link |
Order goes through, get the products in.
link |
I post that review on Counterfeit Library,
link |
and literally overnight,
link |
we turn from an eBay PayPal fraud site
link |
to a credit theft site.
link |
And that becomes a lot of money really quickly for members.
link |
So we were doing, now it's called CMP fraud,
link |
card not present fraud.
link |
So you hit an online merchant
link |
with stolen credit card data.
link |
Back then, a fairly experienced fraudster
link |
could profit 30 to $40,000 a month, okay?
link |
Just buying laptops, what have you,
link |
and cashing out, put them on eBay for sale
link |
and sell them like that.
link |
And 30 to 40K a month was the profit on that.
link |
Script had a lot of buddies.
link |
He had people like Roman Vega,
link |
these other guys that would sell
link |
not just credit card data,
link |
but counterfeit physical credit cards as well.
link |
Counterfeit, not stolen.
link |
That must be tough to do.
link |
So the connection.
link |
That must be harder than driver's licenses.
link |
So what BOA initially had,
link |
and I became the United States salesperson for BOA,
link |
but what he had was,
link |
is he was the first dumps provider in the United States.
link |
So on the back of your credit or debit card,
link |
there's a magnetic stripe.
link |
Three data tracks on the stripe.
link |
There was the first data track is the customer's name.
link |
Second data track is the card number,
link |
forward slash 16 digit algorithm outside of that.
link |
We'll get back to that in a few minutes.
link |
Third data track is called indiscriminate data.
link |
No one uses it, all right?
link |
So what's bought and sold is the second data track.
link |
It's called the dump.
link |
And the reason that's sold is when you go into a shop,
link |
you insert the card or you swipe the card,
link |
the only information that's sent out for verification
link |
is the second data track, all right?
link |
That goes to the processor bank for verification.
link |
The first data track, that customer's name,
link |
shows up on the screen of the cashier in front of you.
link |
So what typically happens is,
link |
is you buy 10 of these dumps.
link |
You get 10 counterfeit cards
link |
in code track two on all 10 cards.
link |
Track one, you create one fake driver's license.
link |
Track one is just the name
link |
of that one fake driver's license.
link |
That way, when you go in the shop, swipe the card,
link |
track two gets sent off for verification.
link |
Track one shows up on the screen in front of the cashier.
link |
If you ever ask for ID, you pull out the fake ID.
link |
Everyone's a nice, warm, fuzzy.
link |
You walk out with the cameras, Rolex.
link |
And track one could be, it doesn't have to be connected.
link |
It's not connected to track two.
link |
Not connected at all, all right?
link |
That's one of the big problems, all right?
link |
So Scrip brought a host of technical people
link |
into that type of environment,
link |
all committing credit card theft.
link |
We had proxy providers.
link |
We had all these people that were doing this stuff.
link |
We start making a lot of money, a lot.
link |
And the reason that happens is, again,
link |
Scrip did not have the ability to cash out.
link |
So he was reduced to selling things.
link |
And at the same time, he's looking for,
link |
how do I make more money, all right?
link |
The Ukrainians happened upon this thing
link |
called the CVV1 breach, or hack,
link |
is what they called it.
link |
So what happens is, remember I told you track two,
link |
card number forward slash 16 digit algorithm.
link |
You gotta know the algorithm to encode it
link |
so you can swipe the card or take it to the ATM machine.
link |
You gotta know it.
link |
Now we were fishing data from hell.
link |
I mean, we were doing a lot of fishing, a lot.
link |
We were getting pins, we were getting card numbers,
link |
but you can't get that algorithm.
link |
So Ukrainians start testing stuff.
link |
What they found out was no bank
link |
had implemented the hash on track two.
link |
So you take the card number forward slash any 16 digits,
link |
Take it to the ATM, pull cash out,
link |
because you got the pin, all right?
link |
Started doing that.
link |
Well, wait, sorry, I'm trying to understand.
link |
So that means, so if there's no hash,
link |
are they generating random numbers
link |
or do they have valid numbers for track two?
link |
No numbers needed at all,
link |
as long as just the track two was a complete track two.
link |
So it's a valid track two that doesn't match,
link |
so the pin is the thing that gets you in?
link |
So back then, all right, back then,
link |
what we're talking about is you needed,
link |
typically today you need a whole track two.
link |
You need that valid track two.
link |
All right, you need the 16 digit card number,
link |
forward slash, and then whatever that algorithm
link |
does, the other side of it, all right?
link |
Back then, none of the banks had implemented that algorithm.
link |
So while the algorithm was there,
link |
you didn't need it to encode.
link |
So you can make a lot of money with physical of fake.
link |
So much money that card not present fraud.
link |
Card not present fraud, remember I told you,
link |
was $30,000 to $40,000 a month, all right?
link |
That turned into $30,000 to $40,000 a day.
link |
The Ukrainians, again, they can't cash it out.
link |
They've got all the data on the planet,
link |
but they can't cash it out,
link |
those three necessities of cybercrime.
link |
So the deal became, you have to rely on the Americans.
link |
Tell you what, we'll give you 40%.
link |
So you had all these cashiers
link |
that were 40% of $40,000 a day.
link |
Yeah, we'll take that, all right?
link |
Send the rest of it over to buy Western Union
link |
or what have you to your Ukrainian contact.
link |
That's before cryptocurrency came into play.
link |
Now you had a couple of forerunners
link |
with eGold and Liberty Reserve, things like that.
link |
But back then it starts out with Western Union,
link |
then it becomes prepaid cards,
link |
sending track information over,
link |
loading the card up like that,
link |
and then finally you get to eGold, Liberty Reserve,
link |
and then today it's with crypto that's used.
link |
Started stealing a lot of money, a lot.
link |
And that got law enforcement attention.
link |
So we started to see, I mean, it's a crazy ass story.
link |
We started to see IPs coming in
link |
from law enforcement agencies, government agencies,
link |
because back then they didn't know
link |
how to shield their identity either.
link |
So you saw Secret Service, you saw DoD,
link |
you saw all these like, and you're like,
link |
that's interesting.
link |
So, you know, and at the same time,
link |
it was called a hack, but it wasn't a hack.
link |
We had a guy that worked at T Mobile in Los Angeles.
link |
This is the same guy that back then
link |
published Paris Hilton's phone contact list.
link |
That made a lot of news.
link |
Not only did he do that, but it turned out
link |
that the Los Angeles Secret Service Agency
link |
was using T Mobile phones.
link |
So he's getting text messages of the Secret Service
link |
investigating Shadow Crew,
link |
and he posts those damn things on Shadow Crew.
link |
So I'm sitting there going, head of the pile,
link |
I'm sitting there going, this is not gonna end well.
link |
This is not gonna end well.
link |
So at the same time, I had access,
link |
I started out with access
link |
to the Indiana State Sex Offenders Registry,
link |
and I was using that to create bank accounts,
link |
launder the money out, and I would sell the bank accounts,
link |
They shut that down.
link |
The next database I had access to
link |
was the Texas Driver's License database,
link |
and started using that to create fake driver's licenses,
link |
And then finally, we happened upon
link |
the California Death Index, all right?
link |
Complete information, mother's maiden,
link |
socials, DOBs, all that, and it's like,
link |
gotta be a use for that.
link |
Well, you can use it to create identities all day long.
link |
My idea was, I wonder if you could take somebody
link |
that's died and then file for social security death benefit,
link |
not death benefits, but social security benefits
link |
for that individual, and get that recurring paycheck in.
link |
So that takes a lot of research
link |
to start seeing if you can do that.
link |
How does the federal government know if you're dead?
link |
Do federal indexes reference state indexes?
link |
You got all these questions that pop up.
link |
Well, it turns out, federal indexes
link |
don't reference state indexes, it's against the law.
link |
It also turns out, the only way the federal government
link |
knows you're dead is prior to 1998,
link |
the family had to file a social security death benefit
link |
for that person, all right?
link |
Which of course most people don't.
link |
Right, prior to 98, it took the family.
link |
After 98, the hospital can do it,
link |
funeral home can do it, or the family can do it.
link |
So a lot more people have it filed after,
link |
if they've died after.
link |
But it's still, there's a lot of people
link |
who probably don't. A lot of people don't.
link |
Because that death benefit's only like $219, okay?
link |
Nobody's thinking about that shit.
link |
So I started to apply for social security benefits.
link |
Nope, number's dormant.
link |
So they want you to come in for a physical interview.
link |
Here I am, you know, 32.
link |
You're not gonna pass as a 65 year old, so no.
link |
So the next idea I had was,
link |
I wonder if you could file income tax returns
link |
Turns out you can, all day long.
link |
So I started doing that.
link |
And I started to steal, once I got ramped up,
link |
because you test everything.
link |
You know, you're testing to make sure,
link |
you gotta figure out what the deposit instrument is
link |
and everything else.
link |
And once you get all that lined out,
link |
I started to steal $160,000 a week,
link |
every week for 10 months out of the year.
link |
By filing fake returns.
link |
Yeah, filing fake tax returns.
link |
So you find a business, and the way the system worked
link |
is the IRS will issue a refund on somebody
link |
before they're able to verify
link |
that that person worked for an employer.
link |
Still works like that today.
link |
And you're keeping the amounts relatively low.
link |
Keep them at $3,000.
link |
Amounts are very low.
link |
But you're still able to achieve scale
link |
because this large index of real people.
link |
I got to where, and I was manual.
link |
Later on, a couple buddies of mine
link |
went automated with it.
link |
Wait, you were doing this by hand?
link |
So there's no code involved?
link |
I'd file a return once every six minutes.
link |
Work 10 hours a day, three days a week.
link |
So clicking on, so typing fast and clicking.
link |
One return every six minutes.
link |
That's changing IP.
link |
That's changing address.
link |
Everything else, one return every six minutes.
link |
For three days a week.
link |
Fourth day, I would take a road trip,
link |
plot out a map of ATMs.
link |
And then the next two days, cash out.
link |
Bam, bam, bam, bam, bam.
link |
Come back home, rinse and repeat.
link |
Turns out that a backpack,
link |
I don't see anybody sitting around here,
link |
but a backpack will hold $150,000 of 20s,
link |
is what it will hold.
link |
So I'd put 150K and 20s in a backpack.
link |
I had a spare bedroom.
link |
I'd come in, toss the backpack in the bedroom.
link |
This is very, very important information.
link |
And the fact that you know it is also very,
link |
first we started with the volume of coal that weighs a ton,
link |
and now a backpack holds $150,000 of 20s.
link |
And then you can multiply that by five 400s.
link |
It's also times 20s coming out of ATM, right?
link |
Each 20 weighs a gram.
link |
Each 20 weighs a gram.
link |
So you can actually go by weight,
link |
which is what federal authorities do
link |
when they get a pallet of cash, they just weigh it.
link |
Oh, they just, they just weigh it.
link |
So 150K is seven and a half keys of cash.
link |
One and a half, 15, oh, that's pretty light.
link |
Yeah, you get a big backpack,
link |
go do a good run with David Goggins with it.
link |
The fact that you know this is great.
link |
So wait, where does that come in with the backpack?
link |
So what happens is I didn't know how to launder money.
link |
All right, so I'm throwing cash in the spare bedroom.
link |
One day you open up the bedroom and you're like,
link |
gotta do something with those backpacks.
link |
And that's when you start learning how to launder money,
link |
cash based businesses, things like that.
link |
I had a production company,
link |
had a couple of detailing company.
link |
I was thinking about going into food trucks,
link |
things like that in Charleston.
link |
Actually, can you pause on that to take a tangent there?
link |
How does money laundering work?
link |
I mean, at that time and what years are we talking about?
link |
This is, by the time the tax return schemes go into play,
link |
we're talking 2002, 2003 is when tax returns start.
link |
And so what, at that time and what you're aware of now,
link |
how it evolved, how does money laundering work?
link |
You know, it's not that much different.
link |
You get a cash based business,
link |
start laundering the money or putting the money through that,
link |
saying the transactions are legal.
link |
You then start depositing into bank accounts.
link |
From bank accounts, my thing was is
link |
have bank accounts in the United States, Mexico, Canada,
link |
and then finally bounce over to Estonia
link |
was the final destination of all this stuff.
link |
And the idea is to try to move them to so many places
link |
that by the end of the day, it looks legal
link |
and you can't trace it all if you're ever caught,
link |
which you ultimately are.
link |
But so cash based businesses, you know.
link |
So when you say, sorry to interrupt,
link |
the cash based businesses,
link |
so you have money that needs to be moved to other people.
link |
So how does that work?
link |
What's the business?
link |
Are people providing you a service
link |
and you're giving them money?
link |
Right, so you do the Ozark thing if you wanna do that.
link |
So you can gamble, cash out something like that.
link |
So it trips to whatever casinos you've got.
link |
You've got your production company or your detail company.
link |
So how many cars are you cleaning a day?
link |
How many companies have you got to do that?
link |
All right, whatever that company is,
link |
it's gotta be cash based.
link |
Somebody's paying you in cash is what you're doing.
link |
You have to have enough of those cash based businesses
link |
where it doesn't look funny.
link |
All right, because if you're a detail company
link |
making $100,000 a month, that's a problem.
link |
Okay, so then you start depositing into that.
link |
Well, because of the Patriot Act,
link |
a suspicious activity report, SARS, came in at $2,500
link |
instead of the 10K that it used to be.
link |
So all of a sudden you've got multiple bank accounts
link |
that you've got to set up, all right?
link |
Fortunately, what you also had
link |
is you had a bunch of prepaid debit cards
link |
that were coming into play at the same time.
link |
So a combination of bank accounts, prepaid debits
link |
that had ACH abilities attached to those as well,
link |
and you start running them all together.
link |
Then once it's out of the United States,
link |
you don't have to worry as much.
link |
You can start funneling that into fewer bank accounts
link |
until finally you've got the one main account
link |
that's over at Bank Letico in Estonia at that point.
link |
That's what you've got.
link |
So a bunch of hops that end up at a place
link |
that you can't trace.
link |
And to give you an idea, I was arrested February 8th, 2005.
link |
My last seizure was 2010.
link |
Got the last seizure notice.
link |
So they got it, but it didn't took them that long
link |
So how do stories like with Script that come into play here
link |
where he had someone who owed him money
link |
kidnapped and tortured.
link |
So when does it turn darker?
link |
It turns darker the more money you make.
link |
Script was a kid that he was stealing enough money
link |
that he was able to buy whatever estate he wanted to.
link |
And he would brag about touring the countryside.
link |
And if he saw property that he liked, he would buy it.
link |
And that was not just a brag, he was doing that.
link |
So this kid is stealing a lot of money.
link |
At the same time, he's got connections politically
link |
because of his family, he's got connections
link |
and that family's got connections with a Ukrainian mob.
link |
All right, so he's got these inroads
link |
and people are looking out for him
link |
and he's stealing a lot of money at the same time.
link |
Somebody doesn't pay him a decent amount of money.
link |
Somebody doesn't pay him.
link |
Now we had never, with Shadow Crew, with Carter Planet,
link |
with Counterfeit Library, we were basically the geeks.
link |
All right, we were just the fraudsters,
link |
the social engineers.
link |
We had never really considered violence.
link |
The rules that I had in play were,
link |
hey, we don't do child pornography,
link |
we don't do counterfeit currency, we don't do drugs.
link |
And the only thing we ended up really obeying
link |
was the child porn stuff, except for Max Butler,
link |
who you mentioned earlier.
link |
Script, someone rips the guy off.
link |
And he comes online on Shadow Crew at that point
link |
and he posts these pictures one day.
link |
And I mean, it was a detailed narrative through the pictures.
link |
Had the guy that rammed in the van,
link |
he had the door open, rammed in the van,
link |
had the guy tied up, had the guy being tortured.
link |
And the response was, this is what happens
link |
when you steal from me.
link |
And that's the first time that violence came into play
link |
at that point, and that's when things got,
link |
you start realizing things are getting a little serious.
link |
How did that make you feel?
link |
The first response is, can't be real.
link |
He's just doing that.
link |
You know, he's wanting to send a message.
link |
Then you're like, no, that's real, that's real.
link |
Were you afraid in your own heart
link |
that you might descend to that too?
link |
Like if you see that, or was it pretty clear to you
link |
that that's a line that some people can cross
link |
and some can't and you're not one of those that can cross it?
link |
You know, I gotta tell you, I joke with my wife.
link |
The joke I tell my wife is, you know,
link |
I knew some guy that had 8,000 Bitcoins.
link |
I might be persuaded to ask him for access to that.
link |
And she was like, how?
link |
And I was like, well, hammer and toes.
link |
And I say that as a joke,
link |
but there's that line where you're like,
link |
I remember who I used to be.
link |
And if you're looking at that kind of money,
link |
I might be persuaded to do that back then.
link |
You know, that's, and I think that was Scripps issue
link |
is it was a lot of money to him.
link |
There's the money.
link |
And then there's, you know, violence can also be gradual.
link |
So over time you do a little more, a little more,
link |
a little more, a little more.
link |
You get used to what's going on
link |
and then I get desensitized.
link |
And you figure, you take somebody like Ross Ulbricht,
link |
the Silk Road guy, all right.
link |
Ross was not a violent guy.
link |
But at that point in time, you know,
link |
he was sitting on 24 million in Bitcoin.
link |
He was the only game in town.
link |
And that 24 now is like, I don't know,
link |
22, 24 billion, some crap like that.
link |
But he felt in danger.
link |
This guy was gonna turn him in.
link |
You know, it was a black mountain and everything.
link |
So Ross thinks he hires a couple hit men to kill the guy.
link |
So it becomes that thing.
link |
And I saw that over and over again.
link |
And I'd like to say I wasn't like that,
link |
but given the same circumstances,
link |
I would have probably done the same thing.
link |
And also when you're, it's not just about money,
link |
there's a lot of other forces.
link |
Like if you're threatened for your wellbeing
link |
or for your wealth or for your power,
link |
all of us operate under different motivations.
link |
Plus that online aspect with those communities like that,
link |
if you're the head guy,
link |
you really feel like you're the parent of these guys.
link |
So somebody is starting to threaten them,
link |
it's like, all right, what do I need to do?
link |
So what do you make of Silk Road?
link |
The Shadow Crew started something that today
link |
you can call dark net and dark net markets.
link |
So these markets that operate, that trade,
link |
trade things, everything from child pornography to drugs,
link |
to, I mean, what else?
link |
What are the dark things that humans want to do
link |
that they don't want anyone to know about?
link |
All of those things.
link |
So can you maybe tell me, you know what?
link |
Let's just even step back.
link |
What is the dark net?
link |
What happens there?
link |
Let's backtrack a little bit more before we get to that.
link |
All right, what Shadow Crew did,
link |
other than dealing in all these stolen wares,
link |
what Shadow Crew did that's really important.
link |
Remember those three necessities that I talked about?
link |
But the important thing is,
link |
is it established trust among criminals, all right?
link |
Because that's a necessity.
link |
You have to be able to trust who you're dealing with
link |
because you have to deal with somebody.
link |
You have to, all right?
link |
So how do you know you're not dealing with a cop?
link |
How do you know you're dealing
link |
with somebody that's skilled?
link |
How do you know you're going to deal with somebody
link |
that's not going to rip you off?
link |
You have to be able to trust that individual.
link |
The Shadow Crew provided
link |
that trust mechanism for criminals.
link |
You had that communication channel, the forums,
link |
where you could reference conversations weeks, months old,
link |
take part and learn from those conversations.
link |
You had vouching systems and review systems in place,
link |
escrow systems in place.
link |
You knew by looking at someone's screen name,
link |
if you could trust the individual,
link |
network with the individual, all right?
link |
And that community of just humans
link |
provided that backbone of trust.
link |
And that's really interesting when you think about it.
link |
You had the trust that was there,
link |
but you also had this,
link |
almost this instantaneous information
link |
that was available about the community
link |
or about cyber crime at large.
link |
And that's still in play today, all right?
link |
So that was the way things were
link |
until a couple of things happened.
link |
And one was cryptocurrency.
link |
The other one was the Tor browser, the dark web.
link |
Now I was working with a secret service,
link |
ripping the secret service off,
link |
when Tor comes into play, all right?
link |
So we got a memo in one day
link |
and it was talking about the Tor browser.
link |
And it was like, we really need to be careful with this.
link |
This is going to be problem.
link |
And so we all fired up the Tor browser
link |
and it turns out it was, this was 2005, early six.
link |
It turns out it was completely unusable,
link |
could not use it at all,
link |
simply because no one was using it
link |
and it was extremely slow.
link |
So for people who don't know,
link |
Tor browser is a way to be completely anonymous.
link |
As long as you properly know how to use it, huge caveat.
link |
All right, so developed by the United States Navy
link |
and they developed it.
link |
I don't know this.
link |
It wasn't the hackers that, interesting.
link |
US Navy, to this day, the number one funder of Tor,
link |
military, to this day, all right?
link |
I mean, the same, I guess with the internet,
link |
the origins are the dark web and DOD.
link |
It was developed so that operatives could communicate
link |
with each other without being identified, all right?
link |
That then goes open source.
link |
They release it, EFF comes in,
link |
start sponsoring and everything else like that.
link |
The next idea was, well, you know,
link |
people can get around their country's firewalls,
link |
whistleblowers can use it, things like that.
link |
Well, someone forgot to mention
link |
that the first adoptees of tech,
link |
if you can use it to launder money or remain anonymous,
link |
And so criminals start to use the damn thing.
link |
So along the same time we get,
link |
well, a few years later,
link |
we get Satoshi Nakamoto pops up
link |
with his ideas for Bitcoin,
link |
and then Ross Ulbrich runs with it.
link |
Ross Ulbrich decides he's gonna start up Silk Road.
link |
So initially the people who were using Tor,
link |
which later is the dark web,
link |
people were using Tor or just talking with each other,
link |
visiting websites, communicating like that.
link |
Someone figured out,
link |
hey man, we could host websites on this thing,
link |
and they have a lot of trouble finding the box.
link |
So that is the advent of Silk Road all of a sudden.
link |
Ross Ulbrich has this idea
link |
that he's gonna change the world
link |
by becoming the largest drug dealer on the planet.
link |
So he opens up the Silk Road
link |
and the only payment instrument he allows is Bitcoin.
link |
So if those people out there are wondering
link |
why Bitcoin is going at what, 44K today?
link |
Yeah, and by the time this is out,
link |
it could be 100,000 or 10,000.
link |
If it's 10,000, I'm going to buy some.
link |
Which is a hilarious statement to make
link |
because that statement would be ridiculously wrong
link |
like five years ago, right?
link |
I know, I know, I know.
link |
People 100 years from now will be laughing,
link |
wait, it was that low back then?
link |
So he only accepts Bitcoin,
link |
and of course the initial use case of crypto
link |
is no one wants to admit it today,
link |
but the initial use case is we're gonna buy a bunch of pot.
link |
We need somebody, we need a way to pay for it.
link |
So that's what happens.
link |
Ross, it's really interesting to me.
link |
If you look at motivations of cyber criminals,
link |
the motivations are status, cash, ideology, all right?
link |
My guys, all cash, across the board, all cash.
link |
He really believed he was gonna change the world.
link |
I've been fortunate.
link |
I actually know the guy who ran Silk Road 2
link |
and have talked to the kid, everything else,
link |
and I will tell you that those guys
link |
who are motivated by ideology,
link |
they are a completely different breed.
link |
It's not, you know, the cash guy, it's low hanging fruit.
link |
The ease of, it's hard to stop committing crime,
link |
but it's much easier for a cash motivated individual
link |
to stop than it is that ideology guy.
link |
That Silk Road 2 guy, he's still got it.
link |
You know, he's not breaking the law,
link |
but you can see it's like, he wants to, he wants to.
link |
That's fascinating that, I mean,
link |
the worst atrocities in human history
link |
are committed with people that operate under ideology.
link |
All the other motivations are much weaker.
link |
But you know, you think about it,
link |
with Ross, I mean, very bright guy, very bright guy,
link |
but think about the amount of cognitive dissonance
link |
that the guy's got,
link |
that he thinks he's gonna change the world
link |
by running a drug site.
link |
I mean, certainly, I mean, could he have changed the world?
link |
Yeah, could he have done it like that?
link |
Well, I can steel man those arguments.
link |
I listened to quite a few libertarians
link |
and you can push that to anarchists.
link |
You know, there's a lot of people that argue...
link |
So I actually talked to a professor at Columbia
link |
who actually argues that all drugs should be legalized
link |
and not at a philosophical level, political level,
link |
but the fact that all the negative consequences of drugs
link |
that people talk about actually have to do
link |
with other factors in your life.
link |
I would agree with that.
link |
And so that's, okay, but that's more like a argument
link |
about negative aspects of drugs.
link |
I think the ideology comes in where it's like,
link |
well, nobody should tell you what to do.
link |
You should have the responsibility of your own actions.
link |
Like the government or any other institution
link |
shouldn't be the rule setters,
link |
the constraints for how you live your life.
link |
And so I could see that argument being made
link |
and ultimately if you like create an open market for drugs,
link |
how that could build a better society,
link |
it might break down the outdated, the corrupt,
link |
the bureaucratic institutions.
link |
I mean, you can make that argument.
link |
There's an argument and let's be fair.
link |
I wanna be fair with it.
link |
I mean, did he change the world?
link |
We do have this whole thing called cryptocurrency.
link |
Yeah, in the long arc of history, perhaps.
link |
Yeah, we do have that.
link |
And that might've been for it to take hold in society.
link |
Maybe the darker parts of society at first,
link |
maybe that was necessary.
link |
Right, I mean, maybe, we'll see how it pans out.
link |
Shadow Crew, we had this guy, Albert Gonzalez,
link |
Albert Gonzalez, that's the kid's name.
link |
We had, we were growing so big
link |
that I had to start farming things out.
link |
So the first thing I started farming,
link |
I instituted this review system,
link |
kind of establishing that trust mechanism
link |
even further for criminals to use.
link |
We needed somebody to take care of our tech aspects
link |
So an associate of mine by the name of Kim Taylor,
link |
where we're looking for a forum techie,
link |
he comes to me one night and he's like,
link |
found our forum techie.
link |
I was like, who's that?
link |
And he's like, it's this kid.
link |
And I was like, is he any good?
link |
He's like, well, he knows the software.
link |
And I was like, okay, we'll just sign his ass on.
link |
He went by the screen name of Kumbajonny,
link |
was his screen name.
link |
And he starts selling credit cards after a while
link |
under a screen name of Scarface.
link |
And that CB1 breach where you're cashing out
link |
the track twos at ATMs, $40,000 a day.
link |
So Albert's in New Jersey one day, broad daylight,
link |
and stands at an ATM for 40 minutes, just standing there,
link |
feeding in one ATM card after another, pulling out cash,
link |
taking the 20s out, stuffing them in that backpack.
link |
Meanwhile, just across the street,
link |
a couple of cops just happened to be there.
link |
And they start noticing this kid just standing there.
link |
So 40 minutes, they watch this kid, 40 minutes.
link |
Finally, one cop looks at the other,
link |
let me see what's going on there.
link |
Walks over across the street, Albert's wearing a wig.
link |
He's got the disguise on, everything else like that.
link |
Ask him, kid, what are you doing?
link |
Albert falls apart.
link |
We didn't know Albert had been arrested.
link |
So Albert immediately goes in,
link |
I wanna work for the Secret Service.
link |
At that point in time, Secret Service,
link |
I referred to, and I wanna make sure I don't say,
link |
it's not like that anymore.
link |
But back then, they were fucking idiots, all right?
link |
They had no clue what was going on.
link |
So there was a competence issue
link |
that they were working through is one way to put it.
link |
That's a nice euphemism.
link |
So, or fucking idiots is another way to say it.
link |
So they're just not aware of the digital world.
link |
They had no clue, no clue.
link |
The way that Albert tells them how to catch us
link |
because they looked at him, how do we catch them?
link |
And Albert's like, Albert, I'm serious, I'm serious.
link |
So Albert's like, well, you could try a VPN.
link |
So he explains it to them, they're like,
link |
that's a good idea.
link |
So I quit Shadow Crew.
link |
I was worried about all the news
link |
that was coming in and everything like that.
link |
I'm stealing 160K a week.
link |
I didn't know Albert had been arrested.
link |
I'm worried about being arrested.
link |
I know the writing's on the wall.
link |
And I'm like, I'm quitting.
link |
Where did you see the writing?
link |
The IPs that were coming in,
link |
the text messages about the Secret Service investigators
link |
So the pressure's building.
link |
This is not gonna end well.
link |
This is going to be bad.
link |
So I announced my retirement of February 15th,
link |
I'm sorry, April 15th, 2004 is my retirement.
link |
I think that's the 2004.
link |
And I quit, I walk away.
link |
Well, Albert had been arrested.
link |
They cut him loose.
link |
No one knows he's been arrested.
link |
He comes back into Shadow Crew.
link |
I leave Kim Taylor at the same time.
link |
He's kind of on the run, which if you wanna know that story,
link |
that's a nightmare story in and of itself.
link |
So my second in charge, Kim Taylor, this guy,
link |
there was this guy named David, oh, what was his name?
link |
He was, El Mariachi was the guy's name.
link |
David, yeah, he was a film guy.
link |
So El Mariachi, real name David Thomas,
link |
he's on the run out of Nebraska for check fraud.
link |
He comes to us on Shadow Crew telling us this sad story.
link |
We take up a collection for this guy.
link |
Send it to him, all right?
link |
I get him a job working with a low level carter
link |
trying to make him some money, all right?
link |
El Mariachi, Thomas does this for a few weeks,
link |
comes to me one day and he's like,
link |
man, I'm not making any money.
link |
I'm like, okay, let me see what I can do.
link |
Well, I had a Ukrainian guy by the name of Big Buyer.
link |
He, a real friend of mine.
link |
And I contacted him, I was like, look, man,
link |
I got a guy that wants to do some work.
link |
Can you help the guy out?
link |
And he's like, I got it.
link |
So he sends Thomas enough money to go,
link |
Thomas is in Texas at that point,
link |
sends Thomas enough money to go from Texas
link |
to Issaquah, Washington and rent an office space, all right?
link |
So Thomas goes up there, rents his office space,
link |
him and his girlfriend rents an office space.
link |
And the plan is, is Big Buyer is going to place an order,
link |
get product sent, Mariachi is going to get the product,
link |
list it on eBay, cash out 50 50, easy enough, all right?
link |
So Big Buyer places an order.
link |
First order is outpost.com, $18,000.
link |
The largest order outpost.com had ever received
link |
at that point in time.
link |
Order goes through.
link |
It goes through still.
link |
Goes through, he gets the product, all right?
link |
Mariachi comes back, tells me,
link |
tells my second in charge, Kim Taylor.
link |
Kim Taylor at this point, I'm 33, 34.
link |
He works at the Tattered Cover Bookstore
link |
in Denver, Colorado is where he works at this point.
link |
And he fancies himself Jason Bourne, all right?
link |
He's even got one of the screen names of Jason Bourne.
link |
So I'm like, all right, so Mariachi is telling us
link |
how much money he's making, everything else.
link |
I'm like, well, that's good.
link |
I'm glad you're all right.
link |
Kim contacts me and he's like, I want to go to Issaquah.
link |
And I was like, why?
link |
And he's like, to make some money.
link |
I'm like, you're making money.
link |
He's like, I want to go to Issaquah.
link |
I was like, all right, go, be careful.
link |
So he gets in the car, Saturn is what he's driving.
link |
He drives his little piece of Saturn
link |
all the way up to Issaquah.
link |
Gets there, you know, midnight.
link |
They party all night long
link |
because they've never met each other.
link |
They're just celebrating, partying, drinking,
link |
everything else like that.
link |
Meanwhile, Big Buyer has placed another order
link |
with Outpost.com, $17,000.
link |
The second largest order Outpost.com had ever received
link |
at that point in time.
link |
By this point in time, Outpost knows
link |
the first order was fraudulent.
link |
Guess where it's going?
link |
The exact same address the first order goes.
link |
So Outpost picks up the phone, calls Issaquah PD.
link |
Hey, we got a fraudster.
link |
Issaquah's like, would you mind sending some empty boxes?
link |
And Outpost is like, be happy to.
link |
So the rule was, is on credit card fraud,
link |
if you've got full account access,
link |
you place the order.
link |
The morning it's supposed to arrive,
link |
you sign into the bank account or the credit card account.
link |
If you can sign in, you go pick up your product.
link |
If you can't sign in, you go back to sleep that day.
link |
Well, Big Buyer was the guy who placed the order.
link |
Mariachi and my second in charge are partying, all right?
link |
So they're supposed to contact Big Buyer, they don't.
link |
Meanwhile, Big Buyer is raising hell,
link |
getting up with me like, hey, where are the guys?
link |
I can't find them.
link |
They don't need to pick up this product.
link |
So I can't get in touch with them.
link |
They go down to pick up the,
link |
so Mariachi's got a Cadillac, old 70s Cadillac.
link |
He's got a Cadillac, pulls into the complex.
link |
Now Mariachi's driving,
link |
Kim Taylor's in the passenger seat,
link |
David Thomas's girlfriend's in the back seat.
link |
As they pull into the complex,
link |
going through the parking lot,
link |
Mariachi just happens to glance over and he sees a van
link |
with a guy sitting sideways in the van.
link |
And he looks at Kim Taylor and he's like,
link |
that's an undercover.
link |
And Kim's like, ah, it's fine.
link |
So they pull up to the office complex.
link |
Kim's like, I'll go in and get the packages.
link |
So he walks in, looks at the guy behind the counter.
link |
I believe you have some packages for us.
link |
Guy's like, one second.
link |
So he disappears around the wall,
link |
out pops the Issaquah PD, arrests Kim.
link |
David Thomas is in the car watching all this happen.
link |
He bugs out and they arrest him on the interstate
link |
where he has three fake driver's licenses in his wallet
link |
along with his real driver's license, another no, no,
link |
So David Thomas had outstanding warrants out of Nebraska.
link |
We couldn't bond him out.
link |
Kim Taylor didn't have any warrants.
link |
So we bonded him out.
link |
My third in charge, kid, Seth Sanders was his name.
link |
He bonds him out, uses his girlfriend's account
link |
And I get Kim Taylor to go to Utah
link |
where another friend of mine agrees to house him,
link |
So I think everything's fine and all that.
link |
About three weeks later, this guy in Utah
link |
gets me on the phone.
link |
I'm like, hey, he's got to go.
link |
I'm like, what's going on?
link |
He's like, well, the only thing he's doing
link |
is popping ecstasy tablets every day, all day.
link |
And I'm like, seriously?
link |
I was like, okay, he's got to go.
link |
So we kick him out of there.
link |
By this point, I've got another crew that's coming through.
link |
I mean, I had all these crews running.
link |
Had another crew that's coming through Denver.
link |
Send Kim back to Denver to partner up with these guys.
link |
Kim gets these guys arrested.
link |
So by this point in time, I'm exasperated.
link |
I just want to throw my hands up in the air and walk away.
link |
So my retirement's coming up at the same time.
link |
So I'm like, fuck it, I'm done.
link |
So I tell everybody, the rest of the admins
link |
and the mods there, I'm like, this is what's going on.
link |
You guys need to watch out for this.
link |
We need to ban Kim, not let him back in.
link |
Be careful what's going on.
link |
At the same time I walk away,
link |
Cumberjani, Albert Gonzalez, comes back into play.
link |
He sees everything that's going on.
link |
He uses that to his advantage.
link |
He starts banning everyone that's suspicious of him,
link |
sets up the VPN at the same time and says,
link |
hey, to make sure we're all secure,
link |
I need all transactions to go through this VPN.
link |
VPNs ran by the Secret Service.
link |
All right, Secret Service ends up,
link |
I think they ended up cataloging like $7 million
link |
worth of transactions over the next four or five months.
link |
Shadow Crew makes the front cover of Forbes, August, 2004.
link |
Headline, Who's Stealing Your Identity.
link |
October 26, 2004, United States Secret Service arrest,
link |
33 people, six countries, six hours.
link |
I was in Charleston, South Carolina when I saw it happen.
link |
So you're the one that got away.
link |
I'm the one public.
link |
There were a couple other guys that got away
link |
that they didn't publicly mention.
link |
One, his name was Tron.
link |
But he went by the screen name Tron.
link |
He had access, almost unfettered access to Bank of America.
link |
So what happens is they identified the guy,
link |
Secret Service is in the air to go get him.
link |
They call the Ukrainian police.
link |
Hey, we're coming down to arrest this guy.
link |
Ukrainian cops are like, oh, come on down.
link |
So as soon as they got off the phone,
link |
Ukrainian cops get in the car, go down and tell Tron,
link |
hey, they're coming to get you.
link |
So he bugs out down to South America
link |
and they don't catch him I think for six or seven years
link |
after that, something like that.
link |
But caught him eventually.
link |
Caught him eventually.
link |
Well, let me actually ask you on this point.
link |
You've said that if you do cyber crime eventually,
link |
it's not gonna end well.
link |
It does not end well.
link |
So I don't wanna say that's because
link |
you're gonna be arrested because honestly,
link |
very few people are arrested, all right?
link |
But it doesn't end well because of the type of person
link |
You quoted me earlier, you lie to everybody around you.
link |
You lie to yourself, you lie to your friends,
link |
you lie to your family.
link |
Of course, you lie to your victims.
link |
You don't have any friends.
link |
You know, I went 20 years without friends.
link |
I had associates, I didn't have friends.
link |
And you can't truly trust anybody.
link |
You don't trust anybody.
link |
You don't trust anybody.
link |
You know, I had my wife, I was married for nine years.
link |
I lied to her every single day of those nine years.
link |
And it took her nine years to give up on me,
link |
to realize that I was that piece of shit.
link |
And she leaves at that point.