Just a content warning from the top here. There are quite a few swear words in this one. I don't know.
Do these content warnings even help anyone? Let me know if you like knowing if there's swear words coming up or not. Someone who's been on my radar for the last decade is a guy named Chris Rock. Not that Chris Rock, a different Chris Rock, a white guy in Australia. And I know him as a security researcher. But as soon as I got on a call with him, I started learning that he's way more than just a researcher.
Yes, I'm a public house for my research, but not public for that side of the recent size. For me, it's just a geek. And whether it's white or black makes no difference. I think that sort of...
So have you done black hat gigs before?
Ah, yeah, this is the doing. There's n ven is like this is the norm. Um, I know a lot of people, you know, the white hat, I used to be a black hat, and not, I mean, for me it's like I don't give a shit with it's what a black you are happy. Yes.
the indicates that you're doing criminal activity. So you don't give a shit if you're doing criminal activity?
No, it's funny. I make a lot of people do the whole, you know, hacking is not a crime, and surely ship that's the public at the your sigh, but at the end of that, when you have a beer with them, when you talk you like that, so it's all bullshit. I'm essentially transparent about what I do.
So what black hat stuff have you done? Not when you were leaving, I mean, I'm sure you stole your mom's credit or something, but that's small potatoes compared to when you're an adult.
I suppose. We've done everything. We've done banks, we've done government, we've done telcos.
We've done big oil companies, just of exploration prices. So yeah, no, normal stuff. I to say no, so normal fall black.
No, I don't. I'm not tracking. So you're telling me you robbed the bank and then just, like, took the money?
Are doing our information and .
exercise like it's just a kenna do. Yes, I transform. There's a lot of people around the world that will pay you to get into these banks and transfer money.
Yes, you will give, you broke my brain here. Sorry, buddy. I don't even know where to go.
that you got multi angles and the look you not might not be have to cover at all in this goal, just an explosive. I think the future, I got thirty something, your career that you got to stick into the network to fit is okay.
Have you ever been arrested? No. How are you this good that you're able to rob banks and not get arrested?
It's not that I'm that good. So you have to be stupid to get caught, my good, the world to oyster. I mean, we get we get rise in this world. I mean, I train forensics, anti-forensics. So really it's just like the no like it's I feel sorry for the people that do get caught because men he shouldn't be have and shit you that know when you got five years as tenuous experiences like you have done for in twenty twenty easy.
These are true stories from the dark side of the internet. I'm Jack Rhysider. This is Darknet Diaries.
This episode is sponsored by Axonius. Complexity is inevitable in IT and security, and it's increasing. Axonius is here to help you control it. As a system of record for all digital infrastructure, the Axonius platform correlates asset data from existing tools to provide an always up-to-date inventory, uncover security gaps and automate response actions.
Go to axonius.com/darknet to learn more and get a demo. That's Axonius, spelled A X O N I U S, axonius.com/darknet. This episode is brought to you by Varonis. So many security incidents are caused by attackers finding and exploiting excessive permissions.
All it takes is one exposed folder, bucket or a to cause a data breach crisis. The average organization has tens of millions of unique permissions and sharing links. Even if you could visualize your cloud data exposure, it would take an army of admins years to right-size privileges. With how quickly data is created and shared,
it's like painting the Golden Gate Bridge. Varonis built least privilege automation. Varonis continuously eliminates data exposure while you sleep by making intelligent decisions about who needs access to data and who doesn't. Because Varonis knows who can and who does access data, the automation safely remediates risky permissions and links, making your data more secure by the minute. Even when you're not logged in, Varonis is classifying more data, revoking permissions, enforcing policies and triggering alerts to their IR
team to review on your behalf. To see how Varonis can reduce risk while removing work from your plate, head on over to varonis.com/darknet and start your free trial today. That's Varonis, spelled V A R O N I S, dot com slash darknet.
So who are you and what do you do?
So my name is Chris Rock. I'm fifty, fifty-one now. So my career started when my parents bought me, um, you know, my first computer, which wasn't like a computer, but it was the Atari 2600, and from there went to, you know, a 64, an Amiga, and an IBM clone. I was born at the right time for computers. Love hacking. Uh, you know, I consider myself on the spectrum, like I prefer the company of computers than people, so for me see in spending six hundred twenty thousand and in part of the future is natural and have done that since so is ten seven years old. So you spend that much time in front of us something, um, you've become good at outside in my home the last forty years on a cabo.
Um, then I went to university, I think, um, didn't like any. It was coding, uh, hate coding, jock at you you, it wasn't really to me. So then I went into the sector, um, so I was IT slash really r to eighty percent in security twenty percent. But I went into the banking sector, I'd say by the next ten years in banks, in a train banks that you could, probably ten years in banks. And then, um, someone said to me, you know, what do you want to do now? So, you know, I need some pen testing.
And then a pen test company, pen testing for another ten years after that around the world. And then one of my customers from pen testing wanted a SIEM solution. I said, I'm gonna, I teach some source parks together, like Elastic and some of that. And I did that, and I really loved it.
And then why did you give it to the rest of the world so I can never look at which was essentially the platform winning. Now see one supersize, so we rolled that out. It got a lot of traction, and, uh, since, that was my full-time gig. I'm the CEO, SIEMonster.
SIEMonster. What a SIEM does is it collects all the security logs of an organization and alerts when there's a security incident. And Chris made his own called SIEMonster, which came about because he was breaking into companies and saying things like, oh, if you had logging turned on, you could have seen me. And those companies were like, well, set up logging so we can see you.
So he's got quite a bit of experience in both the offensive and defensive side of cyber security. So while I was talking to Chris, he started to tell me about a job that he had in the Middle East. And I'm not even sure what kind of job this was. It's not exactly a penetration test and it's not exactly an incident response.
Research and engagement is probably word board. So when I was doing pen testing, people would say, Chris, you seem like a guy that would do outside activities, and then I would get approached for these outside activities and then, you know, around the world to, you know, hacking into this person and hacking into this, you know, get these secrets, that sort of stuff, that essentially working.
So through word of mouth, there is someone in the Middle East who needs a hacker's help and heard that Chris is the guy to call for these sort of things. So he calls up and says,
Can we meet? Usually they were in person. So in this case, I flew to a neutral area. So I flew to Istanbul, Turkey, and then met over dinner to talk, excited that the April phone that's
That's quite, I mean, already I'm intrigued, right, because it's like, hey, we have this job. If you want more details, meet me in Turkey.
Yeah, and I sign it off the cough because that is the natural for me. And I know a lot of pen testers, as I say, that side of the world, they said in a forensic report or the incident response. But once you live it, uh, any guys through, uh, very interesting. Well, like it's, you know, jacky, you know, an example you get every week. H whatever you get I check text comes, but when you're on the other side, you know, it doesn't work like that, obviously. Um, know there there's no tax, but you've gotta get your money and things expensive benefits buna laptop script, P D P money, getting your money washed or of different well you a great learning to but a lot of us like to experience that.
Lisa, yeah, why is this engagement? Tell me more about how this, um, was pitched to you and what's the job and stuff. Yeah, so,
uh, so I met this guy. We'll call him Mike. I met Mike, and Mike worked for a company, um, and a rich Middle Easterner who essentially, he was one of five brothers, and each of the brothers was worth about a billion dollars, but he was only worth two hundred million dollars, so he was like the poor loser of the family. I know that sounds really weak, but he had to tide bigger of this to compete with his brothers to get to that billionaire status, and that's why he would engage hackers to assist him with, um, his business activity.
So in this case, that was put forward to me that one of his subsidiaries, he thought that there was stealing money and then moving that money to another company, in another offshore company, and, um, and also the IP for that company. So he asked, what about set in, in, in, in finding out whether it was true? And then to recover as much funds as possible.
We're dealing with a few mega-rich billionaires from the Middle East here. But the one brother isn't quite a billionaire yet, and he's keen on hiring a hacker's help to investigate where some of this money went.
In this exercise that was a, you know, a cash deal. And I was offered gold in a briefcase, which is pretty useless. Getting gold, I would says, but you get to get offered, you know,
different of currencies.
Gold, in a briefcase. We know when I hate that story at first, but I thought was just like a sheet story. But now they had cash ready to go for the exercise. And but they placed a proposal I could get also, like, being not a native from that part of the world, that was pretty useless for.
Okay. So did you meet with this multimillionaire directly and turn no.
that you always guys on an agent. So I don't want to sound rude, but when you're dealing with Middle Easterners, you don't to deal with, you know, the yes, you deal with all, I sah you deal with a white guy, because they don't want to have any directory to the foreigners. So I met with an agent of the rich guy, and, um, he was from South Africa, and he a human eye discussed and what was replied the time that
Chris, this is not a normal incident response or engagement or exercise or whatever it is you call it. When I hear that they wanted this extra layer between, like, the client and you, it makes me think that they want, like, plausible deniability. So, like, if you get caught, they can be like, we don't have any hackers on our payroll, and I'm not sure who you have, but that's not our problem, and they'll just leave you in the dust. Like, do you see it that way too?
So the inside, yes, you will. Spot on. It was essentially one level removed. And the reason I has a tired with my language and before about talking about white guy, we refer them as what skirt where? So like the middle with long, but that was just good. Where will not made, uh, a western guy, so there's always a western guy dealing with a western guy. That's the language that we would use for the sort of isomers.
So since this client has heard that Chris has done mercenary-type work before, they wanted him to come investigate this theft, see if he can help them build a case against the guy who took it.
Spot on. And the parts of the world that essentially are the wild west. So I midday, for example. They do not give two shits about, you know, the law or that stuff.
So they need if you need to have and do bank to get the money returned. Although if you need to hack and to come, you do it. It's normal.
And when you're dealing with, like, government-sponsored stuff, it's normal activity for that. Don't put your American brain on. Think of it like the wild west.
Now typically with a penetration test, you are given a scope. You know, like, you can hack into this stuff but don't hack into that stuff. But he wasn't given a scope.
He was told, by any means necessary, conduct your investigation. And on a typical incident response, you would be given some internal network access, or at least access to some logs or documents to comb through to figure out what happened. But here's the problem. All this company knew was that they gave this money to an investment firm and they didn't get what they expected.
So they wanted Chris to pretty much do the incident response by getting into that investment firm and combing through their logs and documents to try to find proof that they did misappropriate this money, or stole money, or stole intellectual property. So really all they gave Chris was this suspected company's name and the people who work there. They were like, here's our suspects. We don't have any other details.
Now, we got a list of names. So these eight names, and what information I knew about them would be phone numbers of, personally modern is working moderate.
And in the company, nothing else that was completely. Then you earn your fucking money and get so by any means necessary.
So the names you were given are the employees that worked there?
Some in the company and some outside the company, because the theory was the money was going into this company and then going out to another company, another investment firm that was essentially going to see the IP from the subsidiary and then launch another iteration of that with the IP and the funds that was coming from the visual investment company.
And so what are your, like, first steps? What do you get? Go on. What do you do?
So the first step was, so we had a number of targets. It wasn't a single target. We had essentially eight targets on our list.
So essentially we map out the person on the internet, do research on who this person is, how they live their lives, LinkedIn and social media, that sort of stuff, getting that sort of information, obviously, phone numbers, email addresses, physical addresses, and how about that? And then find an attack. OK, who are we going to go after first, and are we going to go after the prime target first?
I'll used to go to a one, two. In this case, the prime target was Bob, but we had all these other targets, like Alice and Gina, that sort of stuff. And maybe we don't
go after Bob first. We mapped out these other people first. When we do an exercise like this, and we're talking big money, when we do exercises like this, we own. We don't just send like a blind like they are wrong to.
So all we got successful, well, essentially, are in the whole world. So we talk about level one, level two, level three. Like, level one is the inner circle, know any sky, Bob's wife, Bob's kids, that sort of stuff, and you have a level two, you know, things like accountants, lawyers, gene saw so, so that's level two.
And then you have the three, like the affiliates on the outside. So we might target, in this case, we would target level three, level twos. And when I say target, as in own email, so you can actually, if we send the email to Bob, he would reply to when wouldn't think, I think that makes sense. Not formally dog idiot at gem alto comsec, a real person. We would need to take, get level three, level two, and then once we're comfortable with a lise assets. Now I know that sounds, like, very exhaustive, but when you're doing these sort of peaks, that level two, level three come in handy down the track.
Wow, this guy is serious. I've told you many times, don't open attachments on emails or click on links from texts from people you just don't know. But what Chris is doing is he's targeting people this guy, Bob, did know, getting into their emails and their network first so that when it's time to target Bob, he'll be sent an email from someone he does know and perhaps even a document that he's been expecting.
Like, for instance, if you get an email from your doctor with the lab results included, that would likely be an attachment that you would think is safe to open. This is the kind of stuff that Chris was trying to do to avoid any suspicion that Bob is being hacked into or spied on. This, to me, has a level of sophistication that I am impressed by. Yes. So what made you interested in Bob as opposed to the other seven?
Bob is the boss, said that he was say essentially he's target number one, ah, on at least like you know if you'd like A A C of american decades he is like the ice of hot.
You got my sense. Okay. So you're gonna start with. And if you need more information, you go down the line with
Actually, no, we did it in reverse. Remember I talked about we like a level three first, level two, level one. So we essentially bottle up, because we have you email, you need to understand, you need to read the emails.
I can get the personality of Bob before you approach Bob. So you need to know, you know, Bob's dealing with giant. What's the normal language? Fly between Bob and giant. So you compromise giant, you get the, you know, the from emails from Bob, I can see the language and what time of day I will get sent, you know, that sort of stuff. So we do not do the first time until last,
if that makes sense.
So as Chris gets to know more about Bob, he started hacking into everyone around Bob, their emails, their computers, their phones, their locations. This allows him to see who's in Bob's orbit and how does communication look between them. And at the time, Chris had some really nice vulnerabilities in Adobe PDF reader and would send emails to someone and get them to open the PDF. And that would allow him to install a remote access trojan and get access to their computer.
Yes, said in that the addie was enough to get you probably four or five of the eight people, and also the a lot of the inter I listen to this will now that you know, once you've got a shell, it's pretty much game over. And that seems like keyloggers and stuff. But the more complex thing that we did is, um, we didn't have access to the investment firm that Bob is moving, access B A P2P company.
But even though he could get the trojan installed, he just couldn't get a connection into the machine when they were in the office.
Ah, so we wouldn't get the shell, we wouldn't get the shell returned to us. There was either some sort of egress packet filtering that we couldn't get an open shell. So we would have PDFs being clicked on, but we couldn't get a remote session from the target. So we had to do
What was supposed to happen here? Is it Metasploit that you've used?
So yes or no. In this case, we would use Metasploit as a pen test, but we would do our own custom PDF that we would run against AV, so we would upload against in the first over my show. And nothing picked that up. And so we would send the PDF off, um, that when it was double clicked, it would then remote connect back to us on port four, four, three, eight, whatever that we thought would get back to an egress port back to us, that would then essentially have a listener like Metasploit, but we would have our own listeners listening.
He wanted to get into the company's network. He was hoping there he'd find some file servers or something which could offer him more evidence of what was taken. And this company was a small investment company and didn't have a dedicated office, but instead was working out of a coworking type space, kind of like WeWork.
But to break into an office in another country, you really need to come prepared. You need all the plans, plan A, plan B, plan C, and escape routes too. This isn't a mock exercise. This is planning for keeps and potentially very dangerous.
The first plan never works. Like, it's just one of those things in life that never works. So one in chance you you're right. Multiple a is one of those things you have to plan for. The worst.
The goal was to get access to this company's network. But where's that company's network? And how do you get into it without being caught? This is where the more you know about that company, the better. He discovered this company had a wifi network set up in the building.
And what's more is the wifi they were running was using WEP encryption. And this was years ago when WEP wasn't so uncommon. Today we use WPA, which is much more secure, but WEP had some vulnerabilities.
If you could get a radio near the WEP wifi router, you could intercept enough beacons and packets to get on their wifi network. So that was the goal. Get in the building, get within range of their wifi router, and plant a device to listen to and capture the WEP packets.
We had, you had to do custom build out. So I got an entine, another ball that was like the tiniest motherboard at the time, and then built up on a Linux stack with wifi hacking in the things like party and reverse shelters, like playing and stuff on that, that we would use, that we would plant close to the VC.
So he loads up his kit full of cool gadgets and flies over to that country. You got any sort of way you dress up when you go out to these things?
Look, black or blue suit with a white shirt and tie. Like, it's just the, even if it's fish the great he like in Q I, you just does
what you wait not what a
black hacker looks like. Exactly right. And so yes, who do like some stuff that doesn't command respect over there, but suit guy over there in their right respect.
He goes to the office building and starts planning out how to get in.
is the easy part. A white guy in a suit with the laptop, with the someone holding, like, lots of books, someone like the door and right, like, it's one of those in pen testing stories that you probably heard a million old.
But, people, that works in the U.S. or even in Australia. But if you're a white guy walking into a ba place with a bunch of people that don't look the same, now you're out of place.
Your thinking's right. But when you let me show middle of in companies like a westerner in there, because these people are being trying outside of the middle, we trust in the bank that you know, time, region and all stuff, it comes with an inherent to you. Like, your thinking is, you know, the white guy sticks out of place, but no, over there, a what I do, you do what I said, because if you have done any work in middle, I employee, you know, the best German engineers and the best, you know, English, uh, you know, financing something. It's not unusual for that coming pretty much around the show, if that makes sense.
So he's let in the building, no problem. And it's a coworking space, meaning there's a lot of small businesses working out of this building, and he can use that to his advantage because everyone is used to seeing strangers roaming around.
And getting access to the building was really easy because, like you said, that was a coworking space, and then finding out that they were on a floor that had one of those communal kitchens, like for us, that was, like, easier, as I have to get past, you know, a reception. So someone, what are you doing here? I was essentially, you know, making a coffee, pulling the microwave forward, sticking something behind that, and then go, we had a device planted in to get this loss.
If they say for him, you said "we" a few times. Who else is on your team?
Yes, when we talk, we are talking about owning level three, level two, level one targets. I mean, there might be twenty targets behind the scenes. And so we're talking about, you know, Bob's to, Bob's lawyer, Bob's accountant, Bob seem, um, an extreme case box.
You can do that all by yourself. I mean, that would be a year-long exercise and is not worth the effort. So I always work in a team, um, today these activities just to make that loyal easy, if that makes sense. Okay.
So it was fairly uneventful for getting in, but he managed to slip in, go into their kitchen, go behind their microwave, plug in this little computer with an antenna, and then slip out of the building. Now him or his team can access this little device remotely because it has its own cell connection, so that he could just access that from anywhere in the world. Their first goal is to get on the wifi network.
To do that, they're gonna have to crack the WEP protocol. They log into that little device and fire up a tool called aircrack-ng. What this does is it intercepts as many wifi packets as it can.
If you think about it, wifi is wireless. So the packets are just flying through the air all over the place. It's pretty easy to tune
your antenna to just see them and grab them. Today's modern WPA protocols make it so even though you can grab the packets out of the air, you can't see what's in them.
But with WEP encryption, there are vulnerabilities in which you could grab enough packets to be able to decipher it and get into the wifi yourself, which is what they did. After running aircrack-ng long enough, they got their little device on the office wifi, which now they have a little machine on the inside, giving them an inside look into their network. A network scan shows them a few devices that are there, and then they look at what ports are open on those systems, and then they can guess what devices those might be.
They find a file server which employees were using to store documents and such. And remember, this is an investment firm. So they're managing a lot of money and have to maintain relationships with people and know which businesses they are invested in. So all this must be documented somewhere. And this file server was exactly where it all was.
You know, file servers and supply that and email servers. And that's how we got into that company. We couldn't get in through the whole or my paid.
At this point, Chris has a huge amount of visibility into this investment firm and the suspects who might be stealing this money, intellectual property. He's got a ridiculous amount of listeners in place, full access to the network, like he can look at all the files on their file servers and email servers, full access to some of the suspects' computers through the remote access trojans he put on. He's able to see every email in and out.
And he also has keyloggers on their computers, so he can see what their usernames and passwords were. But he also has access to emails and computers of people around the suspects, family members, friends, doctors. He's also looking to see what kind of bank accounts these people have, just in case he needs to get in there and take a look to see where money is going. So with all this access, he starts finding stuff that the client might be interested in.
I follow and they we're talking about in the investment. And you would say, like, a, you know, Bob's, and then you would say things like IP and stuff like that, which we would run fast coin saying, is this the sort of stuff that you're worried about leaking to somebody else? And then we would send that to our handler.
He'd say, yes, no, yes, keep targeting that. So the stuff, so you started building a picture, and any exercise went for a long time. I don't want to, but I think this one went for nine plus months on this exercise, so which is a continual string.
So over that time, you're reading every email back and forth, um, and so you would get that sort of information and learning how they spoke and how they think and proper language. So you start piecing the puzzles together on what this guy is actually doing. And because outside is polite, we don't give a shit. What he's doing is essentially, he's what he's doing, client, is what you want, is what you suspected. Um, is no emotion. Like, we give, this is a job, and then we would give that, yes, no, how do you want us to proceed, and they go from there.
The client kept telling him he's on the right track, keep finding more details and send them over. And like he said, he maintained his access for quite a while as he gathered all this info. But he doesn't want his presence to be detected, so he has to be very careful not to be seen.
So essentially, what we would do with a black hat exercise, we might compromise targets around the world, and the last hop would be from the home country.
So for example, what we want, compromise a hotel in Pakistan and an Airbnb in India. And in another, they know these countries participate ended forex with each other, the singly war with each other. So you would pop your traffic, girl says. And then the last hop would be in this case, that was, was cute, so that since the last hop before the target would be A Q A, I pay. We, they are in the talk at that time in I was sentient, didn't know just what I.
My gosh, just to log into their Gmail. You're like, what, we can do it from Australia. Let's get over there and log in from there.
I'll tell you what, I got a plan. First we're gonna hack into an Airbnb texan, then we're gonna hop over from there to hack into a telecom provider in that country. And then from the telecom provider, that's when we're going so great.
Yeah, and great. So when you talk like that, when people talk about the luck, a little black book, we would simply have a network of these compromised. How not to tell way to talk, we would have a network of a path we could use when we want to do a hat job, and we're not going to from the local McDonald's or from your home, for example.
So we would have this retired list of our own proxies, not Tor, anything like that. We do our own proxies to do the hops that we want, likely, definitely, to do India, Pakistan SHE like a bangle there like a city, hate each other. Is now, how can you give us your different?
You for this activity is not going to happen. So we would use the walls of the world to benefit us. So that would be a black book talk.
So we always have. And when we're not working, we would essences find this targets for our next assignment. So you always have that little black book like he's talk about before, tools.
We would have compromised targets around the world that we were going to bounce. All the tokyo was just having to be something that I love work, I love hacking telcos, so was one less was gonna come in handy.
To carry out a task like this, he has to spend quite a bit of time and resources finding vulnerable systems around the world so he can hack into them, only to use that system to jump over to another computer in the world. This way it's impossible for anyone to track his trail back to where he came from. But also think about the fact that he has that little computer behind the microwave in the office that he's targeting.
It's on the same wifi as the people in the office. So he could use that computer to log in to things like Gmail, which would appear to be the same IP those people are typically logging in from, making Gmail think this is normal activity and not alert the user. After a while Chris had collected and delivered enough evidence, but the clients called the police.
Yes, so the evidence was essentially what I suspected, that money that had been sent to the company to build the company was being moved to both personal accounts into the that exists to the outside investment firm, as well as IP that was created in the business that the subsidiary was being moved to another investment firm as essentially our colorado, almost, for example. This is the other side.
And how did you find, where was that smoking gun?
And everywhere that everywhere these guys operating a luck again, the wb westall operating the emails by games, by company emails, false service, where everything I was, just the evidence was everywhere.
Just have to put it all together and connect the dots.
But yeah, and remember, that was not our job. Job was to present what we found. And then I were to the guy is issue because we don't care.
Like to see before I don't. But is this your shit? Yes. Now do you want to find more shit? Now we have a shit.
We know go to your job even that's how we operate because, again, it's not personal. We don't care what the invention is. This the right shall we on the wrong track?
Which now the, the, the, the payment for this, was it sufficient? Cause I can imagine them saying here's a briefcase of money and then you, like, would do that. OK, we've been working on this for three months. You like if you wanted to keep more and we need another briefcase.
Yeah, we don't. How we operate is we'll have an initial fee, a finalization fee, and then we will have what we call an ongoing fee. So yeah, the jobs like this, we like to have over within a month. So initial fave combination phase.
But if you want us to continue monitor the, you know, these eight people in this outside company, you can add to have a look, a monthly charge, almost like a subscription model where they would pay to at this point out what's going on in these people's life. So you don't want them to think there in yet. So you put a quote in front of them and not saying we are graded that quote. You better stand by that quote. You know I might like if you want referral jobs going forward, like if you say half a million, million or female, what do you quote that you stick to that you inside we need more you like to make it crystal clear, um, because this is, again, this is repeat business that you want.
Yes. So I'm just starting to put the picture together of, like, how much you charge versus how much they're losing. It's worth more to them to pay a million or two million to you. And if they're going to recover, what, how much money do you think was being stolen here in these guys .
on how exactly how much money was being? So I think was two point five U.S. So two point seven five U.S. Say a million dollars in this case. But you gotta think, when you're in business, Jack, I in business, but when you are working with the customer, they are initial first spin might be other side have is the initial spend once I say how useful you are and then you do repeat business is like it's an investment for me. There are always investing shit. They always want you going to use your services down the tracks you might do is a bit like a drug deal, like you might give my taste for a half. Now next jobs going to be with to like, you know, like you just they know your work and know your stall and then you know you going to get repeat business with higher and takes.
I mean, he's dealing with wealthy people here, billions, oil money. If he can prove that he's the go-to person to these folks, this could be long-term customers of his. And in this case, they were very happy with him. They got enough evidence to take action on this thief.
They think those involved from their side, they had to be really careful about what they presented to the lawyers. But that was, we believe, X, Y, Z, and then get a place to arrest the lovering later. Wb, at that moment, um, uh, and he said that was essentially they go to get him in jail, uh, because that they took it personally that they were, yeah, look, I said you got to treat them with respect and if you disrespect them then they get really emotive and then for them jail was the worst case of action for them.
Okay, story's over, right? They found, you found the thief. They put him in jail, yes?
I always not over there. This is where it gets exciting. Yes.
Stay with us. We're going to take an ad break, but it's going to get exciting after that. This episode is sponsored by Flare.io. As a Darknet Diaries listener,
you know that cyber criminals are always one step ahead, and infostealers are their weapon of choice. These malware attacks harvest everything from saved passwords and session cookies and sensitive data, which is quickly sold off on Telegram or other underground platforms. Imagine the damage that could be done if someone takes over your streaming service, e-commerce, or even critical business accounts with just a stolen cookie.
This is where Flare.io steps in. Flare.io is a threat exposure management solution with a unique, fully searchable cybercrime database that specializes in cybercrime channels and infostealer logs. Businesses and pen testers can use Flare.io to find compromised accounts, detect active sessions and lock them down before criminals do.
And right now, Flare.io is offering Darknet Diaries listeners an exclusive two-week free trial. Click the link in the description to take control and stay ahead of the threat with Flare.io, a leader in continuous threat exposure management. Thank you, Flare.io, for supporting Darknet Diaries. There was enough evidence to prove that this guy Bob stole the money and intellectual property, but they told Chris they were worried about the money.
the company that but was gonna that money is defense. He was gonna get on only body superior lawyers to bodies guys, uh, and use the funds that he saw to fund the exercise so the Chris.
Get us back that stolen money, do your job as a hacker by any means necessary and return the money to us, which in my opinion is crazy, because why not just have the police return the money?
Want to be? Because you're thinking American system, not middle system, that I didn't want to fuck around with, that stuff that I didn't want to go through.
We want the money. We want this, we know. And then put a brave together stuff role.
So his objective was clear: get into this guy's bank account while he's in jail and move the money out. This job has essentially turned into a bank heist at this point. And it seems to me that Chris doesn't have any moral concerns about robbing a no.
No, no. And Jack, I listen to a lot of your sessions, and that comes up quite a lot. I don't have that boundary, does that make sense?
So for me, so okay, so this doesn't make sense. I'm just, economically, right? So if somebody pays you fifty thousand dollars to go get a million dollars out of a bank account, why not you just go get a million dollars and be like, you know, I forget you, I'm just going because to my own money.
I don't need and that actually happened on jobs before where you take your share as well, but you need. So in alcs, remember, we were returning the funds. We didn't return the funds in a lubis extra.
Yes, we could have taken money from somebody else's account, but that raises flags it in case. So we were essentially returning the money that was stolen, so there's no actual victim, does that make sense? The money was returned to the proper person.
Um, but yeah.
It does make sense, OK. Okay, and remember where after a paid work and where I just how you my business, okay.
So you accept this, uh, job to get the money back. Now, um, how do you do it? How do you get the money back?
We compromised the bank, which was pretty easy. So we needed to use the same sort of techniques of the PDF inside, going to the core banking system, finding out, you know, the internal, where the internet banking websites were, replacing the front pages to actually log all usernames and passwords and two-factors. And then we would have a log file of all these usernames, passwords and two-factor.
So what he just said was that he found a bank employee, phishing email to f, which planted in on their computer, and then he was able to get into their computer. From there, he hopped into the server of the bank's network. And from that he was able to find the front-end web server for the online banking, and he configured the online banking sites so that anyone who logged in, username and password would be stored in a log file, so that he could see it. But on top of that, he was also getting two-factor authentication codes that people are entering. This is incredible. While he's only trying to get access to a single user account, he basically accessed all the bank users who logged in during that window while he was watching. I just can't believe this guy.
I try. The question is why are you surprised? You talk to people, you know, for years and the paintings throughout that the people can talk about, it's acting normal like, you know, you do know. But then you would not believe how shit banks are, locally and internationally, like the shit security that they have out there that are just, if there was more bad people in the world, they'd more being skin down.
I guess maybe that's why I'm surprised, is because the hackers of the world is the immune system for all these banks, right? And so what, you've got a shit security bank. So okay, well, there's million hackers out there that are going to fix that .
for your own cake. Yeah, exactly anything is Jack. You might have a million hackers. Yeah, eight hundred thousand. And the days are just like new to the industry that this year to five. And you know, if you didn't look at the look the banker of people who were the banks, you this I how to say a thousand I M site, but it is a smaller number that you need to protect against. But Jack, I'll see some banks that what are gone in and I've gone into AD and have a look at, you know, J Smith, and it has the description of where I work. And what I put in the description was the user's password. So you know, password one or password two, text in the description field of the LDAP field, because when someone running out and said I forgot my password they just read out the description field from the LDAP and I couldn't believe that. So they would have it once passed with on the list of anyone can create that but less to shit that we say, um, as a pen tester and as a black hat, but we've done, we've done banks, Jack, where we see other hackers in .
the .
in the bank of cell like .
I just fuck hackers right beside .
us hopefully you like A I recognize you see step exactly right in the video the .
video stuff like that this where they're just hanging out of the bar and suddenly the one guy's like, I'm going to rob this place, you want in? Yeah, I mean, let's do it, right? exit .
and you don't know what the day you enough, it's government. You know, if you know other hackers or whatever is, you just work around each other. The body is.
If you do find tools that they're using, you take a copy of those tools because we can then use those tools to plant on another target site. So they get blamed for it, not all. So you know, you look at the technic, said they using whether you I would use APT group of like signature. You crack the signals and you plant them somewhere else so you might, you know, compromise a target, you know, format that is, before you format the disk, throw the tools on, format that, uh, and in ops, you know someone, you know, double it's guy, you know, runs EnCase and guys can see the deleted. All kid must be this group and then they get blamed for it.
Oh my god, did you hear that? If Chris really wants to hide his tracks, he'll plant evidence on servers, which makes it look like some nation-state hackers were there, which throws off investigators who are on his trail. And he only knows what tools some of these other hackers used because in the past, he spotted them on the same servers that he's hacked into and watched what they've done. Okay, so you get to the web page, you're able to see this target Bob's username, password, two-factor authentication code, and were you able to log in and transfer his money out with this?
No, because we needed a transfer, then asks for your two-factor authentication code again. Now the problem we had is fucking Bob's in jail at this site, so he doesn't have access to his texts.
All right, how's he going to do online banking from jail? They managed to get his username, password and were able to log into his account before he went to jail. But there's this problem with the 2FA code now. So when you go to wire the money out, it asks you for .
another two factor .
interact and you didn't have a way .
to get that second one session lives, that session live. So it wouldn't log us out when we've got access before he went to jail. But when he then asked another transfer, it did like a you need another code to do that transfer so we couldn't move that money out.
You're insane. Okay, so plan A failed. Um, how do you do it? So plan A failed.
And I want to, but I was enough to prove that the money was all not the whole money but a good time of the money was still there. But they had me had some expenses. So, um, so at this time, remember, we already compromised the bank itself, so which is essentially going in as essentially as a teller. And when a bank teller you're got in the with fucker on so, uh, any bank teller doesn't have the right, you can be treasure really, really hit the bank and move up or vertically to get the guys access to make the money.
Interesting. If he can pose as a bank teller, get the access they have, they have the power to conduct any transfer they want. And keep in mind, Chris spent ten years working in the banking sector, so he knows exactly how banks operate most.
Step one: comb through the directory of employees, find which ones are the tellers, and find which ones have remote access to the bank where they can do, like, work-from-home stuff, maybe like phone support or something, then grab their username hash, crack the hash, and now you can log in as that teller and move money around, which is exactly what he did. As a teller, he transferred Bob's money out into another account.
So remember, we talked to at two point in five, and I was only of the two point, two point in five and two point five. Essentially we recovered the two point five, the orient two thousand.
Two point five million dollars were taken from that day account while he was in jail. Crazy. This is black hat bank robbery type stuff. Now I'm starting to put it all together, and what he means when he says he doesn't care if he does illegal black hat type hacking. He's like a mercenary hacker for hire, you know, and maybe that makes him grey hat, or yes, it's illegal but he's helping someone fight a bad guy. But what I don't get is why the bank did not raise alarm bells from modest. Like, if two point five million dollars got transferred out of the bank in a very suspicious manner, you'd think they'd launch a full-on investigation, like bring in the teller who did this transfer and ask them a bunch of questions and look through the security logs for any unusual activity. And if they notice all the usernames and passwords are being stored in the logs, then that's a data breach that should be disclosed to their customers and maybe impact their share price or something.
Yes, so good. In my world, there's people to make transfers disport. So in my world, I can contact, I've thought, bank accounts that I can use that can be scrubs.
On the other end, in the SWIFT network decided that didn't exist. And then it goes through a laundry process with that money's cleaned over nine month period. So that money gets returned. So in the dancing, the question is in in involve skies, no one gave a shit, but had money count and body money was returned. That is no victim, does that make sense? Like money, money with the bank.
with my money, since nobody complained the money was stolen, maybe nobody ever investigated this, which means they don't have to hide the money trail either. Like, he was preparing to wire the money to a bank where he can launder it and have it come out clean. But since this money rightly belonged to the client, they didn't think he needed to go through all the hassle of cleaning the money.
In this case, we didn't launder, was just transferred back to the investment firms, that was like from Bob between investment firms being returned. Me, appropriating return.
How wild. Somehow this all slipped past the bank. I mean, perhaps later they saw this, but never came public about it or reversed the transfer. And maybe it was because Bob was in jail and never complained about it.
Or maybe they wanted to avoid embarrassment of being hacked, or maybe it was because they saw where the money went and it was to a very influential person who they didn't want to disturb or ask questions about. Or maybe they did ask that person questions. That person simply said, yeah, the money was stolen by Bob, who's now in jail.
And here's the police report. Thank you so much for reversing the charge. It's this whole thing just come brain up and .
Not in this matter. Here we could have created a fake teller and then know I A copy user and then replies and then just the transfer that, but we knew we didn't have to affect the customer, just wanted their money returned to their bank account, not a washing station like a longer man. Then it was just, that was just going to shape like we didn't have to do any. We didn't have to delete the user, we didn't have to delete the transaction.
I guess what I'm wondering also is, like, if this is going back to the appropriate person, then why can't, I mean, the person, your client is a very to a person in the region, why can't they just go to the bank and be like, listen, I found the guy who stole his money. We need to reverse the charge. Um, just do that. This is a legitimate reverse.
That's a great question. What we, all I can tell is what we were told. We were told that they feared that that money was going to be used. If the money was there, which it was, the fine was going to be used as in a court process, like was going to be as threatening out two to three year qual and nobody use.
So is fun at the time that they got that money back that would have that that the bank need a court order. Can you prove it blood? They were worried about that. Now whether they could have just, you know, either writing that, I don't know, but in their head that's what they were worried about.
So keep in mind who we're dealing with here. This guy we're calling Bob has the guts to steal money from an investment firm owned by a super rich guy. Even though Bob got caught,
he is still pretty smart. So he's probably got a plan for when all this goes wrong. So it's important for Chris to keep eyes on him as he goes to jail. So he watches who Bob is messaging and what he's up to.
He's a kind of guy that I actually have respect for this guy because he's pretty cunning like and because I've been reading his emails, I knew him so well instant. Now you know what a fight when you're reading, maybe you don't, Jack, but you know when you read someone's emails, you know you have a, you have a relationship with them, whether they don't know, but you actually know them inside and out.
Your Bob's quite crafty, but Bob's obvious that I am ill card. And he worked with his doctor to get a bail hearing that he could get out on bail while this case is going forth. So he was the same in jar awake and then, um, the doctor's writing him a sick note, which we could verify because we talk to about level two and level three, we had access doctors so we actually say what was going on, um, that he uses use his doctor take in to get out of jail, um, after two weeks in.
Just what happened is we were reading some of the emails when he was in jail, obviously in the outside of jail, and his language changed, you must like he was putting it on, you know, like when you're act that you act, and when you are not act that you look like an idiot. And Bob was essentially look like he was acting in his eye. And now I said to the customer, uh, this is not normal emails like sitting out this.
He was going on a fishing trip. He was planning a fishing trip, kind of them of fishing. And I was this all sort of, I'm going to be here at this time and it was too much information the thing I think know he's on he knows that you were reading his emails and he's putting it on and I said, what this goes a lot right and they think, you know, he's time I got he's possible .
in a. So because Chris had such a deep level of visibility to Bob, he was watching closely to see where he was going.
Well, didn't go fishing. He was smuggled across the border in a bloody burka. And we track his heads of his are paying.
Look, the guys is not the fuck country. More you guys think he's there is not his in a month. So, you know, all this should talk about, you've got your best place, not going away.
And he actually escape the system on a second possible, because this was in real time. I maybe a toba year or outside twenty four, um, essentially the guy I was moving fast, you know car he was in a car. We like to find out that he was in a boat and then he went into the backside with a burka. And then he hopped the border and then got a, had another passport, and then I use that. But because we had the IP headers, we could see where X I was like he was understand you, but because lot of people in that world down this, no, he was sending emails out from his device and I make that could normally we do get into fined, but this guy was in fine.
It was just the email headers, not I pay, don't get me wrong, and I not let me talk about this, but sometimes we will send the pink packet so you get the this and you get the and you, you know, your UPS mail is like you click on that just some poster is but what it does is extract location from your phone. Um, is that a couple of tons on this project? But it wasn't a tool that was needed.
Does that make sense? We had enough. The IP headers. We didn't need a GPS location.
Once Bob left the country, there was nothing Chris's client could really do about it. So they said, thanks for letting us know. I guess that's it, then. Here's your final payment.
that's in any guide. Weird question.
Have you ever killed anybody? Actually?
Yeah.
Actually this is going to be another on this broadcast here. Have a birth. Have my birth, anybody?
That's another story. You have many kids.
I have many kids. I have, have many kids.
See, the thing that put Chris Rock on my radar is a talk he gave at DEF CON in two thousand and fifteen entitled I Will Kill You, and in this talk he explains exactly how do you use hacking to kill someone.
My career, uh, painted mercenary, um, seem found that is research. And, uh, one of my first DEF CON talks was, I was at watching the news in Austria and one of the news reports was a hospital accidentally sent out two hundred death notices instead of two hundred discharge notices, and I went, what the fuck, how is that even possible? And that led me down the rabbit hole of researching the death industry from a medical component and the funeral director component, on how the system has moved online and the flaws that involves, where you could actually physically create a real person, like a fake person, and how you could kill them.
Okay, so walk us through this, step by step, how to kill someone?
Yes, so America today is very similar around the world. But in the U.S., they used to have a paper-based system where the funeral director would fill out half a form on how the person, where the person, where they're buried and that stuff, next of kin.
And the doctor would fill out the first part of form, which is the cause of death. And these sort of details, name of the victim and then how they died. That one piece of paper would go to essentially the births, deaths and marriages system, and that person would be declared dead. What's happened now, that's moved online. So essentially when somebody dies, the process is the doctor will log on to a U.S. system called ads, log on with the username, password, and actually put in what caused the person to die, uh, in the living, whatever, a hot fire, that's this. And then that information will then pass to the funeral director, funeral director complete their part again, username, password login.
And that would form the, essentially, the dentification in the area system. Now the flaw in the system is by the medical and the funeral director component, is essentially, if you want to be registered to declare people dead, you essentially putting what your license number, your medical license number and your office address down. If anyone who looked at the doctor before to save their real doctor, that only shets online this database all around the world to say where your doctors are, licenses to practice, the registration number, they are office members, you could really see yourself as a doctor, and then you could actually kill somebody off, the first part. And again, with the funeral director component, it's pretty much the same as a doctor, where you can declare yourself a funeral director and form the second part of that form and to give somebody often get actually typical.
And why would you wanna kill someone?
Well, this multiple rate of why you want to kill someone reversible, um, yeah, if you want to kill your parent, for example, like waiting for their will but they not giving you the money, kill them off, and you could kill your boss, you know, your boss being, and also you can kill just to fuck with them, or if you have under investigation, so you know you've got prosecution and judge and that stuff, you could actually kill them off to make their life more difficult.
Oh my god, you really think you, and so you're saying, you're saying this flaw in the death system can also be done in the birth system?
Yes. So this is exactly the same. Well, it's a different system, but exactly the same is for this and you need two parties, so you need the doctor or midwife, uh, and you need the parents so then you know the name of the child.
Why do the child after that, said the two parts would then make the birth certificate. Very similar to the funeral director, the doctor making, if you make it sih and if you have a home but you might not even have midwife, so something actually done by the parents. And so once you have, uh, online, yeah, have an online system, you have a birth certificate that person's been born. So in theory you can create, um, five children. And then when they hit a certain age you could kill them off and get the life insurance, but still to both of the things.
Well, I was that I really like the idea of making a fake persona to use as a second identity in case I'm, I've embezzled money from the Middle East millionaire. And I need .
to leave to exactly, you can anything. And why have one when you can have a hundred, so you can have a hundred five people that have different united credit. And so if you screw your life and you get a job and you have to come out and you another job, whatever, you have another clean identity like another virtual day, um, and is real, like it's not, he is not that like someone entered in the back end, is actually registered person that you can have. Um, you know, I suggest you keep itself young because you might create someone who's zero then, um, but this is little flaws in the system as well and may have mention that, um, they don't want people going through life without being very recorded. So you have up till the age of five, um, to get yourself registered.
So if you have, you can take five years after your virtual person, um, by reach them five years after they born because I want to cap your people as I go into the school system. You didn't want to be to prevented from going to the school, getting driver's licenses, stuff on that. So you can you don't have it is your register by you can really.
You know, when I saw you do this talk at DEF CON, I was so surprised that, uh, the governments haven't like knocked on your door and said, hey, would you shut up about this? You can't just go killing people and making babies that are not real. You're teaching people to do bad things.
Yes. So the government haven't done shit even since my talk. Now, my talk was done nine years ago, Jack said. The same flaws exist once thing's chance.
If you're intrigued to know more about how to kill someone like a hacker, go to YouTube and type in Chris Rock DEF CON. He's actually given three talks at DEF CON in the orphans omens. And the second talk, he explains how to overthrow a government.
And I have a sneaking suspicion that he's actually done it or was very much involved with overthrowing a government in the past. Let me know if you like him and you want me to have him back on and tell that story. And his other talk is about how to bypass radio jams in case someone's trying to jam your cell phone. And I'll show you how to get through it anyway.
A big thanks to Chris for coming on the show and giving us a good story. Come join our Discord. You can talk to a lot of people who are fans of the show, but it's also my favorite to hang out.
You can find us at discord.gg/darknetdiaries. And on November nineteen, we are going to be doing a T-shirt giveaway, some dark g, so come on over to the Discord.
This episode is created by me, the ripped kiti t, Jack Rhysider. Our editor is the captain in backspace and leger mixing done by music, mysterious matter render. Hey Siri, why am I so bad at women? My name is Alexa. This is Darknet Diaries.