Welcome to True Spies. Week by week, mission by mission, you'll hear the true stories behind the world's greatest espionage operations. You'll meet the people who navigate this secret world. What do they know? What are their skills? And what would you do in their position?
This is True Spies. I was the first person to hack into systems on an aircraft carrier while it was at sea. Same with a nuclear submarine. I was able to change the intelligence that the commander in the battlefield was looking at while he was deciding where to deploy tanks and where his planes were going to drop bombs. Basically, I'm a hacker for hire, doing work for the good guys, helping companies secure their environment. This is True Spies. Episode 81.
The War Driver. Did you know that every device you use that connects to the Internet has an address? It's called an Internet Protocol or IP address. It's how the Internet routes traffic between computers, routers and websites. An IP address doesn't carry a location inside it, but address blocks are allocated to specific network operators, so an address can usually be mapped to a region or an ISP, and with more digging, to a particular network. Are you using an open Wi-Fi connection right now? Maybe in a coffee shop, a hotel lobby, a public library?
If so, you should know that every site you visit, and every remote image your email client loads, sees the public IP address of that network. Someone skilled in cyber espionage who wants to find you badly enough, someone like our true spy, can use that IP address to locate the network you were on. It can lead them right to you. My name is Matt DeVoe, the CEO of OODA LLC. I get brought in to help people solve really complex problems, often with a cybersecurity or geopolitical nexus. So countering large scale or sophisticated cyber crime or cyber espionage,
Matt DeVoe is a veteran of many cyber espionage ops involving war driving. For those unfamiliar with war driving, what it entails is that you go around with a laptop, special software and an antenna to pick up Wi-Fi signals. One person driving, one person operating the laptop. We were looking for open Wi-Fi signals, publicly accessible. It really is a bit of a shot in the dark. And he's the kind of hacker you hire if you need to find someone using their IP address.
Where there used to be hundreds in a particular city, you now have thousands. It is crazy noisy because you're seeing all of these access points just broadcasting. You know, the way that Wi-Fi works, if you have an access point, it is typically announcing to the world, "Here I am and here's my name. Do you want to connect to me?" So what we were basically doing was driving around collecting that data.
This story revolves around a cyber hunt for a needle in a haystack. Then it follows the tangled thread from that needle as it winds around an international spy triangle. From a victim on one continent, through a mysterious go-between on a second continent, to a mastermind of corporate extortion on a third. It's an example of the lengths that some entities are prepared to go to in order to secure a strategic asset.
But first things first, our cyber espionage specialist is very keen to point out that he's not an operative of a state security service. I'm not a spy. I know you've interviewed a lot of people who are actually CIA officers. I have never been an employee of the Central Intelligence Agency or other agency, but have worked closely with them in the past as a contractor and ran what was kind of the private sector, you know, equivalent agency.
Matt is being a little modest here. While he may not be a spy in the strictest sense of the word, within the world of cyber espionage, he's a bit of a legend. The portion of work that I do is seen as almost a black magic to the traditional spies, resulting in them thinking that I'm the most dangerous person that they know and I think that they're the most dangerous people that I know because we have this swap of skill sets. Matt's superpower is breaking into computer systems
And he has a self-confessed weakness for phones. Lots of phones. Whenever I travel with the real spies, the CIA veterans, etc., I'm the comms guy. I am the guy with 10 phones. I'm the guy that they're reaching out to to make sure that their mobile phones are secure and what applications that they should be using.
Over the years, Matt DeVoe has built up a clientele and a reputation for being able to help people out of sticky situations. So countering large scale or sophisticated cyber crime or cyber espionage or working with companies to identify the risks in their environment as a red teamer, which basically means that I'm a hacker for hire doing work for the good guys, helping companies secure their environment.
Which is why the client in this story, a US-based multinational corporation, came to Matt when a rather sticky situation started to develop between them and one of their African subsidiaries. I got a call from an executive at the firm that they had this complex problem that they were trying to solve around what was a very interesting extortion-like series of emails that they had received.
Of course, that word "interesting" depends on your point of view. To the client, it looked like a worrying and potentially financially damaging case of extortion. We knew it was going to be tricky based on some things that had confronted this company in the past that were related to cyber espionage and some assets that they controlled in Africa.
So Matt had a corporate client who was being made to feel distinctly nervous that someone knew all about the vulnerabilities of one of their African assets. But what does he mean by asset? Because of client confidentiality, Matt isn't able to reveal what kind of asset, the country in Africa, or even the region of the African continent. But let's just say it was some kind of strategic natural resource.
An anonymous informant was sending Matt's client emails containing information that no one outside the company should have, hinting they could potentially release this information to the world. Information that, should it become public knowledge, would cause Matt's client a serious headache. There was a significant risk of extortion developing. Somehow the identity of this informant and the origin point of the leaking information needed to be tracked down
and the underlying motivations uncovered. But where on earth would you start in a case like this? Let's park this story for a moment and find out more about our true spy. How did Matt DeVoe acquire this in-depth understanding of the world of cyber espionage in the first place? And what drew him into that world? It all began back in Matt's school days.
When most kids were trading the latest collectible cards, Matt and his pal made an altogether more unique transaction.
I was an outdoorsy kid that also had a nerdy streak. I grew up in a very rural area in Vermont, was educated in a one-room schoolhouse up until sixth grade, and really got my first encounter with a computer when a new kid moved to town who had one, and I was able to trade him a hunting rifle because we were all hunters and fishers and going out snowshoeing and cross-country skiing, and he wanted to partake in those activities.
That schoolboy wheeler dealing pulled Matt into a whole new world. I was curious as to this computer that he had. I think by nature, you know, I'm a purist with regards to the word hacker in the intent that it basically means someone who wants to understand how technology works and will dissect it, you know, or break it in order to understand that or to make it better. Right from when Matt received that very first computer, he was looking for ways to get it to operate outside the normal parameters.
Of course, our technology was fairly limited at the time, but that was certainly a passion of mine. If there was a program that I found in a magazine and I typed it up into my Commodore 64, what could I do to make it better? What could I do to change variables and adapt the program for my own use? So from an early age, Matt had a hacker's mindset.
But his real epiphany came a little later in his education. I had this weird "aha" moment. I was in college, was studying computer science and political science, but in political science, I had a focus on national security threats and even more focused on what we called asymmetric or gray area phenomena like terrorism, et cetera. And I knew from my computer science work and my contact with the hacker community and seeing what was happening, that these technologies that we were building were incredibly vulnerable to attack.
By "we", Matt's talking about the United States government and any companies or agencies engaged in legitimate activities. And in this second, more seismic "aha" moment, Matt realized just how vulnerable those technologies could make a society. Any society, American or otherwise. So he began writing and speaking about the threats of cyberattack and information warfare.
This attracted him a fair amount of attention and some pretty spectacular graduate job opportunities. The first job that I had out of grad school was working for a defense contractor where I set up and ran the first red team for the Department of Defense that allowed me to travel anywhere that the Department of Defense was located and hack into classified or unclassified systems.
And then I would brief the commander of that particular location with regards to what they needed to fix. A red team emulates a cyber attack. For example, they might behave like a cyber criminal trying to steal money from a bank, including taking money out of the bank to show it can be done. In Matt's case, after stealing the money, he sits down with the bank security team and teaches them how to secure their systems from that kind of future attack, and gives the money back.
A red team becomes really an effective sparring partner. The analogy I always like to use is that if you were scheduled to box against Mike Tyson in a boxing match, would you want to train just in a gym hitting a static punching bag or would you want to have a sparring partner that could emulate Mike Tyson and have you dodging punches and kind of learning how to operate in that space?
Of course, it's essential that the client trusts you not to run off with the swag. The question has come up, you know, dozens of times over the course of my career, and I always tell the client that if my team were criminals, we wouldn't be working for an hourly rate targeting their bank. We would be living on a beach in Belize because we're very successful at what we do. Which, judging by Matt's client base, has obviously been a compelling reassurance.
And he was in the right place at the right time, beginning his career just when the large-scale threats of cybersecurity, or rather insecurity, were beginning to be widely recognized. Matt's great timing and rapidly growing cyber expertise led to him having some pretty remarkable firsts for a 24-year-old. I was the first person to hack into systems on an aircraft carrier while it was at sea.
Same with a nuclear submarine. I was able to change the intelligence picture that the commander in the battlefield was looking at while he was deciding where to deploy tanks and where his planes were going to drop bombs. It really allowed me to attract attention to how big the risk was.
Matt certainly did attract attention. His skills were taken up by those at the highest levels of the military. I then also parlayed that into creating a red team that basically worked as the cyber adversary during classified coalition missions, what we would call Five Eyes exercises: US, Canada, Australia, New Zealand and the UK. In these exercises, Matt played the cyber bad guy.
It was tremendously exciting because we were running these operations out of a warehouse in Virginia Beach. And then one year I was in the back of a tractor trailer that we converted into a kind of a Mission Impossible style command center outside of Blanford, UK. So it was really exciting to be able to travel around and engage in these red team operations. I got to work with fascinating military commanders because this was a topic area that was so new.
All great experience in learning how to exploit cyber insecurities and, more importantly, how to think like a hacker to advise clients who need protection. If you want to use a thief to catch a thief, Matt is the closest thing to a thief who you can actually trust. Let's go back to the story we opened this episode with. Remember, Matt was approached by a client representing an American-based multinational company with assets in Africa.
And they were worried about one of those assets in particular, because they'd started receiving anonymous emails showing that someone with inside knowledge was leaking sensitive information about the African subsidiary. A situation that, as we've said, could very easily turn into extortion. All we know is that in this triangular case of cyber espionage, bad actor A, an inside man within an African subsidiary owned by Matt's client,
was feeding sensitive information to a go-between, B, in a location unknown. This go-between was sending Matt's client the information in a way which suggested that they had the power to make that intel widely available. Intel that had the power to significantly damage the reputation and potentially the net worth of an asset Matt's client was trying to sell. This was presumably being done at the behest of a shady and unknown instigator.
Let's call them Entity C. And in the beginning, all Matt had to go on were those quasi-extortionate emails the company was receiving. Where would you begin investigating a tangled web like this?
We started with two parallel efforts. One was working with the company to identify if there were ways we could see how the information was leaking out of their network. This was a specific facility in Africa, you know, it had its own kind of closed network. So we started studying that network to see if there was a way that that information was being compromised that way. Having initiated a search for Informant A on the African subsidiary's computer network,
Matt turned his attention to Go-Between B, because if he could track down the identity of either A or B, that would likely lead him to Instigator C. To hunt Go-Between B, Matt used a technique he likens to a passive form of phishing. That's phishing spelt with a PH, a type of online scam where a criminal sends you an email impersonating a legitimate organization, with a link that appears to take you to that organization's website.
These messages often ask you to fill in information about yourself, and whatever you enter goes straight to the scammer. In this case, Matt didn't need the go-between to respond, click a link or type anything. We set a trap.
Given the fact that the individual had emailed these documents in, we had an email address that we could correspond with. So we replied to the email, but we replied with a web bug.
It's similar to phishing, but a little bit more passive. With phishing, you are typically trying to get the recipient to click on a link and go to a server. Similar to if you receive an email from somebody and in their signature, they have their company logo. And there are two ways that that logo might be displayed. The first is they might have technically attached it to the email as a file, or they might have displayed it as what we call inline HTML, in that that image exists on a public web server and all that the email does is have the HTML code saying, "Display this image in this email message." What we did was the latter. That bug was a white, one-by-one pixel image, invisible to the recipient and hosted on a server under Matt's control.
So all the go-between had to do was open the email. When the recipient opened the email, it gave us the IP address that they were currently located at when they opened that email. Remember, an IP address identifies a point on the Internet, but what the server sees is usually the public address of the network the device is on, not of the device itself: everyone behind the same home or coffee-shop router shows the outside world the same address. That address can be mapped back to the network operator and, with more work, to a physical location.
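To make the mechanism concrete, here is an added example of the web bug Matt describes, written for this page in Python's standard library; it is not code from the episode or from Matt's team. The reply carries a remote one-by-one GIF whose URL contains a per-recipient token, and a small HTTP server records the source address and User-Agent of whoever fetches it. The hostnames (example.invalid), the /b/<token>.gif path scheme and the sample message text are all assumptions made for the example; the demo plays the recipient's mail client itself by fetching the image over loopback.

```python
import secrets
import threading
import urllib.request
from email.message import EmailMessage
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

# A 43-byte 1x1 GIF, constructed for this example: palette index 0 is white and is
# flagged transparent, so the image renders as nothing at all in a mail client.
PIXEL_GIF = bytes.fromhex(
    "474946383961" "0100" "0100" "80" "00" "00"   # "GIF89a", 1x1, 2-colour global table
    "ffffff" "000000"                              # palette: white, black
    "21f9040100000000"                             # graphic control ext: index 0 transparent
    "2c00000000010001000002024401003b"             # image descriptor, LZW data, trailer
)

HITS = []  # one record per fetch of the beacon image


class BeaconHandler(BaseHTTPRequestHandler):
    """Serves /b/<token>.gif and records who fetched it."""

    def do_GET(self):
        path = urlparse(self.path).path
        if not path.startswith("/b/") or not path.endswith(".gif"):
            self.send_error(404)
            return
        token = path[len("/b/"):-len(".gif")]
        HITS.append({
            "token": token,
            "ip": self.client_address[0],             # address the mail client connected from
            "user_agent": self.headers.get("User-Agent", ""),
        })
        self.send_response(200)
        self.send_header("Content-Type", "image/gif")
        self.send_header("Content-Length", str(len(PIXEL_GIF)))
        self.send_header("Cache-Control", "no-store")  # force a fresh fetch on every open
        self.end_headers()
        self.wfile.write(PIXEL_GIF)

    def log_message(self, *args):  # keep the demo quiet
        pass


def build_bugged_reply(to_addr, from_addr, beacon_base, token):
    """Reply with a plain-text part plus an HTML part that references the remote pixel."""
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = to_addr
    msg["Subject"] = "Re: Documents"
    msg.set_content("Thank you for getting in touch. We are reviewing the material you sent.")
    msg.add_alternative(
        "<p>Thank you for getting in touch. We are reviewing the material you sent.</p>"
        f'<img src="{beacon_base}/b/{token}.gif" width="1" height="1" alt="">',
        subtype="html",
    )
    return msg


def beacon_src(msg):
    """Pull the image URL back out of the HTML part (what a mail client would fetch)."""
    html = msg.get_body(preferencelist=("html",)).get_content()
    start = html.index('src="') + len('src="')
    return html[start:html.index('"', start)]


def run_demo():
    """Start the beacon server on loopback, build the reply, and act as the recipient's
    client loading the image. Returns the token used and the hits recorded for it."""
    server = HTTPServer(("127.0.0.1", 0), BeaconHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        host, port = server.server_address
        token = secrets.token_urlsafe(12)  # unique per recipient, so each hit is attributable
        msg = build_bugged_reply("sender@example.invalid", "reply@example.invalid",
                                 f"http://{host}:{port}", token)
        with urllib.request.urlopen(beacon_src(msg), timeout=5) as resp:
            body = resp.read()
        hits = [h for h in HITS if h["token"] == token]
        return {"token": token, "hits": hits, "image_ok": body == PIXEL_GIF}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_demo())
```

Two caveats a practitioner would add. First, the address logged is whatever public address the reader's network presents, which is exactly why Matt's trail ended at a house rather than a person. Second, many current mail clients defeat this outright: Gmail fetches remote images through its own proxy, Apple Mail's privacy protection prefetches them from Apple's infrastructure, and plenty of clients block remote images until the user opts in, so a hit may show a proxy's address or never arrive at all.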
The trap worked and we now had the IP address for the person that was originating these emails that were of such concern. This was the first breakthrough. But where was this shady cyber courier? London? Moscow? The Maldives?
Not quite what Matt had been expecting.
It was definitely a surprise given that we were working an international case, you know, around resources in Africa to find that the sender of the email was located so close to our offices in the investigation that we had launched.
So we knew that the IP address was in Washington, D.C., and we wanted to collect some intelligence with regards to, you know, where was the recipient when they opened it. Now, they could be sitting in a coffee shop or a public library or a hotel lobby. This was where war driving came in. It might sound straightforward, cruising the streets with a car full of electronic gadgetry designed to pick up Wi-Fi signals.
But Matt didn't even know if his target was using a public, open-access Wi-Fi connection. If the go-between was using private, password-protected Wi-Fi, the tracking effort would fail. With war driving, it has become increasingly difficult to collect any useful information just based on the proliferation of Wi-Fi access points. And also, the protocol is much more secure.
People are putting passwords or putting an access point, you know, where you have to put in a last name and a room number at a hotel in order to gain access to the Wi-Fi. So, much more difficult proposition these days. For this war-driving effort, Matt and his team used laptops loaded with special software and fitted with antennas. There were typically two or three people in the vehicle, someone to drive while the others operated the computers and software,
searching through all the available Wi-Fi networks in the target neighborhoods. So you can imagine driving around Washington, D.C. with this specialized equipment, an endeavor that I've done multiple times and assessments in the past. Would the IP address be something that was accessible via public open Wi-Fi access points? It really is a bit of a shot in the dark because you don't know. You know, this IP address could have been associated with a home router.
Matt had managed to narrow down the search to a few specific neighborhoods in DC, and he was expecting that the target would be using an impersonal, neutral location, like a coffee shop or library. A location with open access Wi-Fi and an IP address that would lead Matt right to the front door. But just in case they weren't, as well as driving the streets, he was also doing what he calls "deep technical analysis" on that IP address.
And this is where he made a significant breakthrough. We found another technical indicator associated with that IP. We were able to narrow it down to a specific residence. In other words, Matt succeeded in tracing Go-Between B's IP address to a specific house in DC. Now he knew the actual house the go-between was sending the quasi-extortionate emails from.
It was surely just one more easy step to identifying the go-between. But that's where Matt's investigation hit a bit of a brick wall. Unfortunately, the entity, you know, the ID that we discovered associated with this IP address did not make any sense.
There was no clear nexus whatsoever with regards to the investigation that we were conducting. It was just a normal person, no connection to the industry, no connection, you know, whatsoever. It just did not fit the profile of anyone of interest. They'd found themselves down a cyber cul-de-sac. Where do you go from here?
Let's recap.
Cyber espionage expert and white hat hacker Matt DeVoe is trying to crack a challenging case of e-blackmail spanning three continents for a US-based corporate client. If he can unlock the identity of just one of the bad actors in this intercontinental spy triangle, he'll be a lot closer to cracking the entire case. But he's hit a wall. He's traced the physical address where the emails are being received and sent by Go-Between B,
but it just looks like a normal family with no hint whatsoever of a connection to industrial espionage.
And then the question becomes, do you have a cyber attacker that is using this person's Wi-Fi access point in order to read these emails? Are they more sophisticated than we had anticipated? Because that is also common as well. You know, I've worked dozens of cases where you narrow it down to a particular place and come to find out it's just the Wi-Fi is inadequately protected and the criminal has connected to the Wi-Fi and is basically using that to obfuscate themselves.
Was there someone who had been connecting to this Wi-Fi access point that made sense, you know, in the context of this case that we were investigating? Would you have a clue where to search next? With can-do tenacity, Matt and his team didn't treat the situation as a problem, but rather as an opportunity to do something different.
We had to pivot and engage in additional analysis and open source collection to see if we could find any reasonable reason why this IP address was associated with opening that email. In parallel, though, we were also doing what we call a deep technical analysis on the IP.
And that's where we got lucky and we found another technical indicator associated with that IP. And that technical indicator had an identity of a real person associated with it based on the ID of the person, you know, the identity that we had associated with that IP address. So basically seeing other entities that had connectivity into that person. And we ended up discovering somebody
who happened to make a lot of sense in the context of the case that we were working. Here's a translation of what Matt just said. What he did was look at the other people connected to the person that IP address led back to, searching for anyone with a plausible link to cyber espionage. And Matt's team found that someone. But just what was it that made this person suspicious?
They made a lot of sense because there was a link to China and monetary payments with regards to activities and business being done in China. And we suspected based on past activity targeting this company that there might be a Chinese state-sponsored espionage nexus in this case. So when we identified a person who had close proximity to this ID, that had that nexus to China. When Matt says nexus, he means that the fingers of suspicion were all pointing to and intersecting in China. The suspected Go-Between B was being paid handsomely to go on speaking tours to China, lecturing on a topic that Matt can't reveal the details of, but he describes diplomatically as relatively obscure.
In other words, the kind of topics you wouldn't normally get large fees to speak about. Not only that, this person of interest was identified as having the kind of technical skill required to set up a disguised email address. An address of the type being used to send the quasi-extortion emails to Matt's client. But in an intriguing twist, the go-between wasn't doing this from their own home.
So what we discovered based on this nexus was that the sender of these emails was actually using the Wi-Fi at the in-laws residence. So we had identified the in-laws house, you know, based on the IP address. And instead of going to a coffee shop or a hotel lobby to read these emails, they were actually being read at the in-laws house, which we thought was a fairly interesting dynamic.
In what could be seen as a sly snub to the in-laws, the go-between was carrying out their questionable activities from their spouse's parents' place.
Perhaps they thought it'd be the perfect cover. It just seemed interesting that you would engage in this activity that was, I don't want to describe it as criminal, it was definitely questionable. You would think that you wouldn't set up your in-laws' house as being a place of origination for that activity. It is quite possible that they didn't get along with the in-laws. It is also quite possible that they got the alert that the email had been received and they just couldn't resist, you know, at dinner to go and check the email.
And thus were on the in-laws' Wi-Fi when they did so. We will never know the exact dynamic that led to the email being opened at that particular residence. You may remember that Matt's investigation had two prongs: the web bug that led to Go-Between B, and a search of the African subsidiary's own network for Informant A.
Now, with B's identifiers in hand, that search could be focused: examine the communications of all the employees at the African subsidiary with access to sensitive information, looking for any contact with B. It didn't take long. Within just a few days, Matt and his team struck gold. Now we turned our attention inward and looked at the logs for that company's network traffic
to see if anyone had communicated with that individual. And now we had a much broader suite of identifiers. We had instant message usernames and we had email addresses beyond the one that was used to send these anonymous emails.
We found something relatively quickly. We were looking at a lot of data, so it took a few days to sort out. But we did find where an employee at this facility was communicating over instant messenger with this person of interest that we had identified in Washington, D.C. A direct link from Informant A in Africa to Go-Between B in Washington, D.C.
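The inward-looking search Matt describes, matching Go-Between B's newly discovered email addresses and instant-messenger usernames against the subsidiary's own traffic logs, is at bottom indicator matching over logs. The block below is an added illustration written for this page, not the team's tooling: the log format, the domain corp.example, and every address and username in it are constructed for the example. It credits a hit in either direction (an internal user writing to an indicator, or an indicator writing to an internal user), which matters because the first contact in a coercion case is often inbound.

```python
import re
from collections import defaultdict

INTERNAL_DOMAIN = "corp.example"  # assumed domain of the subsidiary's own mailboxes

# Identifiers tied to Go-Between B. Constructed placeholders, not case data.
INDICATORS = {
    "email": {"anon.dropbox@example.net", "jd.personal@example.org"},
    "im": {"jd_dc_1979"},
}

# Constructed sample log lines: mail-gateway records and IM-proxy records, one per line.
SAMPLE_LOGS = """\
2023-03-01T08:14:02Z mail from=<a.kamau@corp.example> to=<finance@corp.example> subject="Q1 figures"
2023-03-01T21:47:13Z mail from=<a.kamau@corp.example> to=<jd.personal@example.org> subject="(no subject)" attachments=3
2023-03-02T07:03:55Z im proto=xmpp local=a.kamau@corp.example remote=jd_dc_1979 direction=out bytes=5120
2023-03-02T07:05:10Z im proto=xmpp local=s.okoro@corp.example remote=teamchat-bot direction=in bytes=88
2023-03-03T22:10:41Z mail from=<newsletter@example.com> to=<s.okoro@corp.example> subject="weekly"
2023-03-04T06:12:09Z mail from=<anon.dropbox@example.net> to=<a.kamau@corp.example> subject="re: next batch"
"""

MAIL_RE = re.compile(r"^(?P<ts>\S+) mail from=<(?P<from>[^>]+)> to=<(?P<to>[^>]+)>")
IM_RE = re.compile(r"^(?P<ts>\S+) im proto=(?P<proto>\S+) local=(?P<local>\S+) remote=(?P<remote>\S+)")


def is_internal(addr):
    return addr.lower().endswith("@" + INTERNAL_DOMAIN)


def find_contacts(log_text, indicators):
    """Map each internal user to the log records in which they communicated,
    in either direction, with any of the indicators."""
    email_iocs = {e.lower() for e in indicators["email"]}
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = MAIL_RE.match(line)
        if m:
            parties = {m["from"].lower(), m["to"].lower()}
            matched = parties & email_iocs
            if matched:
                for user in parties:
                    if is_internal(user):
                        hits[user].append({"ts": m["ts"], "channel": "mail",
                                           "indicator": sorted(matched)[0]})
            continue
        m = IM_RE.match(line)
        if m and m["remote"] in indicators["im"] and is_internal(m["local"]):
            hits[m["local"].lower()].append({"ts": m["ts"], "channel": "im/" + m["proto"],
                                             "indicator": m["remote"]})
    return dict(hits)


def rank_by_contact(hits):
    """Internal users ordered by how many times they touched an indicator, most first."""
    return sorted(hits, key=lambda user: len(hits[user]), reverse=True)


if __name__ == "__main__":
    found = find_contacts(SAMPLE_LOGS, INDICATORS)
    for user in rank_by_contact(found):
        print(user, len(found[user]), "contact(s)")
        for record in found[user]:
            print("   ", record["ts"], record["channel"], record["indicator"])
```

Addresses are lower-cased before comparison because mail gateways and IM proxies rarely agree on case, and the ranking step is there because in a real log the indicator set grows as the investigation pivots, and the analyst wants the heaviest communicator first rather than a flat list.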
They had now definitively identified two points of the triangle. Now we had an employee on the inside that was communicating with an outsider as a proxy that was again now communicating back to the company with these sensitive documents. So that employee and their access and behavior
on the internal corporate network, right? Which of course, if you have a company, the laptop and computer systems that are being provided to the employees are the company's property. So they are monitoring those devices and they are monitoring that network traffic. Now we focused in our attention on that employee of interest. We needed to find out why. The why was crucial to the whole investigation. Matt needed to know what was motivating the leaks.
since that knowledge would very likely lead him to who was behind the entire espionage scheme. We basically collected all of the information regarding that employee's network traffic. We found additional communications, and this is where it gets really interesting. We found communications with an individual in China that we believe, but could not prove, to be associated with the state intelligence apparatus.
This reinforced something that Matt had been suspecting all along: the involvement of a Chinese entity that was trying to acquire the resources owned by the African subsidiary. At this point in his investigation, Matt was starting to close in on all three points of the cyber espionage triangle. Now we had a direct communications link between the employee that was leaking the information
So, you know, just to kind of adjust the chain, you have a suspected Chinese intelligence operative. That's Instigator C. Communicating with an insider. We've been calling this person Informant A. An insider at this company that is collecting documents, sending them to a go-between proxy.
That's go-between B in Washington, D.C. Who is anonymizing them and sending emails to the company that had this kind of extortionist kind of perspective to them. If Matt could find out who was the source of the leaks in Africa, and more especially what the motivation was behind the leaking, he might be able to help his client prevent this type of activity from happening in future. When we looked at the employee, it became a matter of trying to understand
Why would they do this? What type of operation was this? Were they being paid by this Chinese intelligence operative or was there something more nefarious at stake? So Matt's team went back into the material stored on Informant A's computer, on the lookout for anything that might provide some sort of explanation for the leaks. And there was indeed something more nefarious.
the individual was actually engaged in illegal activity in the realm of child pornography. And we believe the intelligence operative had cued into that and was coercing the person into participating in this scheme. We pulled an image of the employee's computer for our team to analyze. And that is when they noticed that there was this illegal material that was on the computer.
The moment they found evidence that Informant A was consuming child pornography, they knew they'd found the motivation behind the leaks. The instigating Chinese entity C were using their knowledge of Informant A's criminal child porn habit to blackmail them into acting as a corporate spy. Because should it come to light, that habit would not only be a career-ending disclosure, but would make Informant A the subject of a criminal investigation.
Immediately, Matt and his team followed a standard procedure in a situation involving child pornography. At that point for us, given the sensitivities of the crime and having worked with law enforcement on similar cases in the past, we instantly shut down everything.
The law is very clear that when you encounter this material, you basically shut down the machine that you're working on and you secure the evidence for law enforcement. So that's what we did at that point in time. We maintained the chain of custody on the evidence. We shut down all of the investigation material that we had around this employee's computer. The actual computer itself was seized by law enforcement and it became a criminal case with regards to the child pornography.
But why did Instigator C go to this much trouble? At the bottom of it all was an intelligence operation designed to make the resource owned by the African subsidiary troublesome.
In fact, so troublesome that it would become less attractive to potential buyers and ultimately nice and cheap for the Chinese entity to acquire. So you have this fairly complex triangle that takes place of Chinese intelligence finding a vulnerable employee, getting that vulnerable employee to engage in this nefarious activity.
Having a third party serving as the proxy/go-between that is sending this information into the company in the hopes that the company will view this resource as something that is troublesome, something that is a headache and accelerate the potential for this asset to be acquired. The Chinese company were hoping that a quick, cheap sell-off for an apparently troubled African asset would seem increasingly attractive to the US parent company.
Matt's intel prompted his client to take swift action because it turns out that this wasn't the only resource they owned that was being targeted in this way. So the company found it to be incredibly insightful and it also allowed them to focus some of their activities with regards to their security posture around other assets.
because they knew that they were directly being targeted. And actually, as a result of this investigation, we did find other instances in which state-sponsored cyber attackers were actively penetrating the company and trying to get access to information. Again, all around trying to create favorable market conditions for them to acquire resources in Africa.
What we found was they were engaging in this nefarious activity with the sole intent of trying to, you know, decrease the acquisition price for these assets to be sold in Africa and making the company, you know, more susceptible to wanting to sell them. Luckily, Matt's unraveling of this tangled three-way operation alerted his client to just how valuable the company's assets really were. They backed out of selling the particular asset Matt had been working on.
as well as some other similar sales. And it prompted the company to completely re-evaluate their activities and expectations about who they'd work with and sell to in the region going forward. Despite his varied career, Matt hasn't seen too many cases quite like this. We do see an incredible amount of just straight out
espionage and stealing of intellectual property. In this instance, there was no real intellectual property to steal. It wasn't like this company had invented a new medical device or a new network technology. It really was the value of the asset. So this was the way that they engaged in cyber operations to try and expand their reach and presence and resources under their control.
This case certainly made Matt realize there's a whole new modus operandi at play. It was eye-opening how deep the cyber element of this was and the use of multiple parties, you know, as kind of proxies, finding the employee, finding this third party to transmit. To this day, the Chinese company's ulterior motives aren't known for sure. But Matt has his suspicions.
The stakes around some of the national strategic objectives where you have this connection that exists between a nation state like China and their private sector or even some of their state-owned companies with regards to their global expansion, that they're willing to engage in
this cyber espionage activity to pursue their own advantage. And it was something where, you know, in working with Western intelligence communities is just not something that was done. So it was, you know, a different perspective, a different global perspective with regards to how these operations were going to be used now and in the future. But what about malfeasant B, that go-between passing on the leaked information from the in-laws' place in Washington, D.C.?
What happened to him or her? To this day, I do not know how things ended for the go-between. They were simply a proxy and there was no, you know, real evidentiary trail of any wrongdoing. You know, they were the senders of an email with concerning information.
So at that point we believe that they were just being used as almost a tool for hire, proxy for hire. They were likely isolated from the true intent of the activity. There's no knowing for sure, but it's quite possible that the go-between was being used not only to pass on the information, but also to conceal the trail to the true instigators and what was really in play.
It is possible that they were being manipulated to that extent as well, that maybe they thought they were part of a whistleblower or leak type initiative. It was a very gray area because there was no criminal intent that was demonstrated. Strictly speaking, there was nothing illegal about what the go-between had done. But did they suspect something?
The fact that they had traveled to China and been paid by Chinese entities, you know, definitely raised our spider sense a little bit with regards to exactly how ignorant they were as to the situation. Matt admits to briefly having doubts about his ability to solve this case.
There were multiple points where we felt like we weren't going to crack it. You know, when we had what we believed to be a great identifier for where the email was opened and we couldn't figure out any nexus for why that individual would be involved. It was sheer tenacity combined with Matt's red team training that got him to that successful outcome.
I often say that the best investigators for activity like this are the red teamers, because what we can do is put on the hat and say, if we were engaging in this activity, what would we do? And that allowed us, I think, to be able to pursue this trail of evidence all the way down to its final conclusion. A very successful conclusion, and in pretty short order. Everything had concluded within the course of about a month.
From when I got the first phone call from the executive to when we closed the laptop and put it in an evidence bag for law enforcement. Time for some self-congratulatory pats on the back then. It is a fun feeling, right? Because you feel like you have solved a very interesting case. We've helped a client. It is the reason why in our office we had a fully operational whiskey bar.
So in an instance like that, typically the team that was involved would go to the whiskey bar and we would pour a shot and have a toast. And then we'd put down our glasses and go work on the next case. If you've enjoyed this episode, you might enjoy other true spy stories on cyber espionage. Like Olympic Games with Eric Chen and Liam O'Murku on their discovery of Stuxnet, a digital weapon designed to attack the physical world.
And Trade Secrets, when we met the cybersecurity experts who defended against a cyber attack on the world's largest semiconductor producer in Taiwan. I'm Vanessa Kirby. Here's a taste of next week's encounter with True Spies.