162: Hieu

Um, I want to make sure I pronounce your name right, so can you say your name for me?

My name is Hyu Mingo.

Hieu was born in Vietnam.

I'm growing up in a small town in Vietnam.

It's called Cambran.

I was

started to be a hacker when I was very young, maybe around like 14-15 years old.

And then it's just kind of kind of like out of courage,

you know, like wondering about how the internet working and

and um back then the internet is very expensive and super slow.

That's one of the reasons that I started to hack and steal uh a few um internet dialog accounts

to be able to use it uh without m paying any anything.

That's kinda the my my first time I got into trouble when I was like 15 years old.

This was around 2004, a time when 56K modems were the most popular way to get online.

And the way it worked is you dialed a phone number and connected to the ISP that way, and they would connect you to the internet.

But the ISP would charge you by the minute to go online.

Can you imagine that being charged for every minute you're on the internet?

That's how it worked back then.

You couldn't afford that.

So he figured out a way to use someone else's account, basically stealing someone else's ISP connection to get online.

And that meant other people were paying for him to get online.

And

just like a few months, you know, a few months using these stolen internet dive accounts,

I got kind of like a paperwork sent to my house.

And my parents, they got very surprised.

And then they told me what's about.

And then

I told them, you know, it's

related to some stolen internet accounts.

The paperwork said that Hugh did $5,000 in damage and his father had to pay the fees.

That's a lot of money.

His father was pretty mad and sent him away to go live with his uncle in Ho Chi Minh City.

And little did everyone know, it was going to be there in Ho Chi Minh City where he was going to build a dark net service and was going to make a fortune doing it.

These are are true stories from the dark side of the internet.

I'm Jack Reeseider.

This is Darknet Diaries.

This episode is sponsored sponsored by my friends at Black Hills Information Security.

Black Hills has earned the trust of the cybersecurity industry since John Strand founded it in 2008.

Through their anti-siphon training program, they teach you how to think like an attacker.

From SOC analyst skills to how to defend your network with traps and deceptions, it's hands-on, practical training built for defenders who want to level up.

Black Hills loves to share their knowledge through webcasts, blogs, zines, comics, and training courses all designed by hackers.

For hackers.

But do you need someone to do a penetration test to see where your defenses stand?

Or are you looking for 24-7 monitoring from their active SOC team?

Or maybe you're ready for continuous pen testing where testing never stops and your systems stay battle ready all the time.

Well they can help you with all of that.

They've even made a card game.

It's called Backdoors and Breaches.

The idea is simple.

It teaches people cybersecurity while they play.

Companies use it to stress test their defenses.

Teachers use it in the classroom to train the next generation.

And if you're curious, there's a free version online that you can try right now.

And this fall, they're launching a brand new competitive edition of Back Doors and Breaches where you and your friends can go head to head hacking and defending just like the real thing.

Check it all out at blackhillsinfosec.com slash darknet.

That's blackhillsinfosec.com slash darknet.

This show is sponsored by Delete Me.

DeleteMe makes it easy, quick, and safe to remove your personal data online at a time when surveillance and data breaches are common enough to make everyone vulnerable.

DeleteMe knows your privacy is worth protecting.

Sign up and provide DeleteMe with exactly what information you want deleted and their experts will take it from there.

DeleteMe is always working for you, constantly monitoring and removing the personal information you don't want on the internet.

They're even on the lookout for new data leaks that might re-release info about you.

Privacy is a super important topic for me.

So a year ago, I signed up.

DeleteMe immediately got busy scouring the internet looking for my name and gave me reports of what they found.

Then they got busy deleting things.

It was great to have someone on my team when it comes to protecting my privacy.

Take control of your data and keep your private life private by signing up for Delete Me.

Now at a special discount for my listeners, get 20% off your Delete Me plan when you go to join deleteme.com slash darknet diaries and use promo code dd20 at checkout.

The only way to get 20% off is to go to joindeleatme.com slash darknet diaries and enter code dd20 at checkout.

That's join delete me.com slash darknet diaries code DD20.

His dad recognized that Hugh was really into computers.

And Ho Chi Minh City is a big city that has better schools to learn computers.

And so Hugh got enrolled in classes and started studying.

His parents would check in with him to make sure he was doing his schoolwork.

I was learning a lot.

I was learning about like web programming.

I'd be my first website, hupc.com, I remember.

He was learning about operating systems, networking, and cybersecurity all at high school.

He really loved computers and was hooked on learning more.

I went to the internet cafe,

you know, to use the internet because the internet at my house is very slow.

So I went to the internet cafe,

and I, the moment, you know, I been there, I passed to one of the computer screen

and I saw that computer screen

currently very dark, you know, some kind of dark background, and the font side is very weird, and also like the

color of the text is also like look cool, you know, like green color and stuff like that.

And I asked the guy, you know, what's this forum about?

And then he told me that it, you know, this is about the dark web in Vietnam.

Oh, Vietnam's dark web?

That sounds interesting.

You ready to go there?

Hugh was fascinated by it.

He learned how to access it, where to go.

For him, it was like finding a whole hidden place online filled with really fascinating stuff.

Hacker forums, forbidden item marketplaces.

It really emphasized the power of the internet.

This was all unregulated.

The government, the police, they can't stop what goes on on the dark web.

And that really fascinated him.

there's this whole section of the internet where anything goes they're talking about hacking they're talking about you know like sharing sensitive information and also like bank account and also some hacking techniques too you know like and it got me you know wondering how they did that yeah but but so i think maybe a maybe a normal person would look at that and say wow there's stolen stuff here there's illegal things here maybe this isn't for me.

Maybe I should go back to the clear web.

Right, that's true.

What?

You know why?

Because back then, right,

underground forums, very fun, though.

They always sharing and they don't mind about money.

Like, they

sometimes they hack something, they just post it for free for everybody.

Not really like into business or trading or dealing anything.

It's just like sharing techniques, you know.

But, you know, like when they got into that, I say, man, you know, it's something that, you know, I really wondering.

I watch on the movie and TV about like hackers.

Very cool.

That's why, you know, I say, yeah, I want to learn that.

You know, I want to be a member in that hacking forums.

underground hacking forums.

So this became his obsession.

How to hack?

What are the techniques?

Like he would learn about a vulnerability and then use Google search queries to find websites that were vulnerable.

And it was like the whole internet opened up to him in new ways.

He was finding that thousands of websites are vulnerable to a variety of different attacks.

And he was just getting into one after another with simple techniques like default passwords and SQL injection.

But the extent of the damage he was doing was he just hacked into the site and put something on the website that said pwned by Hugc, which is the name he was using at the time.

And also the name of the website that he made as a teenager.

But the whole time he was just curious, not using his access to make any money or stealing anything.

He just liked learning and like the excitement you get from getting into places that you're not supposed to be in.

It made him feel clever and smart and powerful.

And he was teaching others how to do it.

After all, he was still in high school.

I shared a lot of like hacking techniques and that, also, like social engineering techniques.

But the thing that, you know, like the more I share,

the more the people they know about me

on these underground hacking forums.

And eventually

they voted me as an administrator in one of these forums, very popular in Vietnam.

And after that, you know, I joined

a few forums

in Russia.

and even like in the Eastern Europe as well too.

So I keep learning, but the thing went really making money.

You know,

before that, it's just sharing for fee, sharing the knowledge, selling the techniques.

From posting on the forums and being an administrator to one of them, he started becoming more known.

And so he met a guy, one of the forum users, and this guy's like, hey, listen up, Hugh.

Your ability to hack into websites is actually worth a lot of money.

Do you want to team up?

Do you want to hack places and give me what you find and then I'll pay you for it?

The guy explained how together they can make all this money.

And he didn't have much money at the time.

I was interested.

And you know, like when talking about money, when I was very young, I say, man, you know, like I saw the people making a lot of money too by, you know, by using like stolen identity and ready call.

And,

you know, like.

to make some money and then be able to

buy some stuff if very cool, right?

You know, like some technology stuff or some new devices, something cool for myself without asking my parents.

So

that's why, you know, I say, yeah, okay, let's, so let's do it.

And then

the guy, he moved to my apartment

living with me.

And then I, you know, during the

night time,

after the school, I started to hack a lot of e-commercial websites.

E-commerce sites, like places you go to buy things online, like clothes or computers, kitchen items, travel tickets.

A lot of these sites back then ran on WordPress or PHP or ASP and didn't have the best security.

And it's kind of like a numbers game, right?

If there are a million e-commerce websites on the internet and 1% of them has poor security, that's 10,000 websites that are are just sitting there vulnerable.

Way more than enough for someone like Hugh to go through.

So the idea was to get into these sites and plant a listener that would capture when someone would enter their credit card to buy something on there.

And then Hugh would give those credit card details to this guy he's teamed up with.

And the guy will somehow convert the cash for both of them.

Hugh was 17 at the time, a senior in high school.

And so after school and on the weekends, Hugh and this guy would get busy scouring the internet for a vulnerable site to hit.

Back then, a lot of websites, right?

They used the language called PHP or ASP.

It contains a lot of vulnerabilities.

And then I searched on Google with those keywords,

you know, some of the Google Doc

that to be able to find out for me on the list of the website.

And I put on the customized tool that I programmed, and then I just click scanning, and it just kind of automated scanning for the vulnerabilities.

And then it will give me the list of the vulnerable website,

and then I will explore that to be able to obtain the red code information.

So, what was the first site that you first website is?

I remember it's located in the

UK.

That website is still very popular nowadays in the UK.

But I don't want to mention that.

That's fine.

But yeah, what kind of site is it?

Is it banking?

Is it a...

No, that's website is e-commerce website selling like electronic stuff.

And that website, it got single injection

vulnerability.

So you found a website through Google Dorking and your scans.

Right.

You tested it for SQL injection.

It worked.

And what is that feeling like to get into a website using SQL injection?

It's kind of a gold mine.

I say, wow, you know, like this is so many great confirmation.

Like a day, I man, so excited though.

Like the feeling is kind of like you control

something.

You have a power.

You feel like you'll be able to break into anything

if you have time and you have the resource.

and

you feel like uh you on top of the world you know you can be able to get anything

and i feel like so excited like the it's it's hard to say to to to explain that but

feel like

uh

so happy technically so happy though like

do you give each other a high five or

i i me and me we give high five and how can I say yeah we did it we we got it and and and I think you know we will be able to make a lot of money from this um not just selling the information but also like using that

and he's so excited and we was laughing the whole night.

I remember and we was very young he back then he was like 18 and I was like 17.

And he said yes uh let's do this way.

We use all the red card information, right?

Every day we was getting like slowly around like 50 to 100 credit cards from that website alone.

And we was playing on the poker website.

Of course they took the stolen credit cards to a gambling website.

I should have guessed.

No, they weren't actually gambling with it.

What they were using this poker website for was to launder the money.

See, back in the late 2000s, online poker casinos didn't always have the most strict security and verification controls.

They were happy to take anyone's money, whether it was stolen or not.

So he created an account at the casino, loaded it up with as much stolen money as he could, and he might make three or four of those kinds of accounts.

And then he would have all those accounts join a poker table where his buddy was in and just try to lose as many hands as possible as he could to his buddy.

Then his buddy would get all the chips and cash them out at the local bank.

This technique is called chip dumping.

Now the casino was aware of these sort of things and would try to spot people doing this.

So he had to do things to avoid the fraud detection.

And his tricks were working.

And we was able to max in like

a day, like

thousand and thousand USD a day.

And then we split the money like 50-50.

I, you know, I spend on like, I use that money to spend on stupid stuff, vacation, and also also like tucking girls out and you know like easy money easy go technically

can you imagine that setup a hacked website is supplying them with a constant stream of 80 new credit cards a day and they take those cards deposit the money into a casino move the chips to another player cash it out and then go spend that money on something fun

Like, where do you even focus here?

Do you want to get more credit cards or cash out more at the casino or just enjoy a good time with all the money you have?

For them, it was all of that.

They wanted more cards, and then they'd be busy trying to drain them all as fast as they could to launder the money.

But as Hugh found more and more sites vulnerable to his attacks, he was sometimes stumbling upon whole databases of customer credit card details.

Websites shouldn't be storing their customer credit card details like that, and this was even a surprise to him.

But this meant sometimes he could find thousands of credit cards in a single day.

Eventually, I went back on the underground hacking forums.

sell the information.

Visa and MasterCard, I sell for like 50 cents

for one information.

And American Spread and Discover,

Discover Call,

I sell for from

$1 to $3.

You know, different.

That sounds so cheap.

So, but you're telling me the full credit card information was you were selling that, and the people could take that credit card and buy something for a few hundred dollars with that, right?

Right.

That's true.

They can go on eBay and buy

or they either they, you know, back then, very easy though.

You can just use the stolen account, a stolen bank account or stolen red card information.

You debouse it into PayPal and then you withdraw.

It's so easy.

It just took a few days and few weeks to be able to get

the real

money out.

I'm surprised you were selling it so cheap, though.

Very cheap, though.

Like, because so many, so much information.

That's crazy cheap.

Usually cards are like, I don't know, $10 to $50 per card because theoretically, each card should be worth a few hundred dollars before fraud detection kicks in to make the card invalid.

Rarely I'll see them for like $5 or less, but 50 cents a card?

Wow.

And that's what he was selling them for because he just had so many because he just kept finding more and more e-commerce sites that were vulnerable to SQL injection, which means the website's form field wasn't as secure as it should be, right?

So he can go and type something onto a form field in a website, and that triggers the vulnerability.

And suddenly he can see like whatever's in the database, like an admin's password hash.

And then he could crack that password hash and log into the site as the admin.

And sometimes that alone would give him credit card details to the site because some sites did not treat their customer credit card data properly.

They show everything on the admin panel.

like you gotta you you just click on the customer uh option right it show you the list of customer and when you click on the red confirmation it pop out with red confirmation ready card information i mean when i hear that i immediately think that's a pci violation PCI is payment card industry.

And for you to be able to accept credit cards for your business, the credit card company has to verify that you're properly storing customer credit card data.

If you aren't, then you will lose the ability to process transactions.

and can be fined quite severely.

So Hugh kept focusing on finding more and more sites to hack into and take all the customer credit cards that the site would store in their database.

And he spent years doing this, mostly selling the cards in bulk on the dark web.

He was finding and selling tons of credit cards.

More than 100,000

reconfirmation.

He gets done with high school and decides he's had enough of this.

His pockets were overflowing with cash and he knew what he was doing was wrong.

So he decided to leave town.

And then, you know, like I saved up some money

because I know this couldn't last long.

We was making like more than a year and it kind of getting harder because they know the chicks, right?

And they fish the vulnerable beauties.

So

getting harder.

And I saved up some money.

I paid for the school fee in New Zealand.

His sister was living in New Zealand, so he decided to go see her and go to school there.

He knew that what he was doing was wrong and could potentially get him arrested, but he grappled with it.

Like he went back and forth, convincing himself it's okay to take these cards.

Like these websites should secure their site better.

And if it wasn't him taking it, then it would surely be someone else taking it.

So why not me?

But then flipping it and being like, no, this is stealing.

This is illegal.

I'll get in trouble for this.

The move to New Zealand gave him a fresh start.

He wanted to become a good student who was was learning computer science.

When I got into New Zealand, I stayed there for a few months,

not doing anything illegal, trying to be a good student at the school, learning about computer networking and be a computer scientist, you know.

But

things couldn't work out.

I started to hacking again

after talking with a few fans, a few hackers on the internet.

And they say, you know, they need red core.

And, you know, and I need money because my family couldn't afford to send me much money.

So I say, yes, so let me find out if in New Zealand have some website that I can obtain the red core information.

And I hacked into a few

e-commerce website

in New Zealand.

Yeah, the same thing, you know, it's just some basis and vulnerabilities.

And I got into the database and I got the stolen red car.

He was able to sell the credit card data to make some money, but with all these cards, he decided to use a few himself, which is probably a dumb idea.

And I used

those stolen red confirmations to buy electronic stuff like laptop and cell phone on

similar like eBay.

They call it TradeMe platform.

I use that.

I use the stolen red code on that website.

And then I got the stuff and then I sell that

to

the same platform to McMoney.

Kinda learned the stuff, you know, like to get a real cash.

But eventually, you know, I made a mistake that

using the stolen red call

to buy the

music concert tickets to the ticket master.

And I bought a thousand and thousand music concert tickets to sell to other people with a cheaper price.

And then when you bought a thousand concert tickets?

Right.

I bought a lot.

Wow.

And I resell that to other people on the platform.

But the thing, you know, like a few of the people they bought my

music concert ticket,

they got problem when they tried to enter the stadium or try to enter the concert, right?

They got denied because this ticket, you know, it's got invalid because it's considered as a fraudulent ticket.

And they got so mad and they got so scared.

And then they also complained to the law enforcement, to the police in New Zealand.

So the police in New Zealand feased my account on the platform and also feased my bank account.

So I got so scared.

They also called me and called my sister.

Almost a year, stayed in New Zealand.

I got into trouble.

And the moment

I got that phone call from the law enforcement, I got so scared.

I bought the ticket.

I ran away.

I ran back to Vietnam.

Oh boy.

Hugh was on the run.

The police were now looking for him, but he was able to get away and find refuge in Ho Chi Minh City in Vietnam.

He escaped the police and didn't suffer any consequences from this.

Lucky break.

We're going to take a quick ad break here, but stay with us because this is not going to be the last time that the police go looking for him.

His operation is about to go stratospheric.

Hugh gets back to Vietnam.

He's around 20 years old at this this point.

He goes to see his mother and his father, and they heard about his fraudulent concert ticket thing, and they were mad.

They scolded him, they shamed him.

And Hugh was just lying back to them.

I

give them all the phones, promises, you know, tell I told them, you know, I will be a good boy and will be a better person, not doing anything illegal.

You kind of feel like very ashamed, you know.

So my mom was crying a a lot but back then I was like 20 years old 19 years old tried to be a good person I didn't touch the computer within six months when they got back from New Zealand

and I thought I told with my mom you know I want I want to go to Ho Chi Minh City to learn computer science at the university in Ho Chi Minh City.

My mom and my dad, you know, they kind of believe me that, you know, I'm kind of a change person.

And

hopefully this time will be the last chance for me.

So around 2009, he moved to Ho Chi Minh City and enrolled in the computer science and cybersecurity program at the university.

But during that first year, I went to

kind of to hang out with others,

old school hackers.

in Vietnam.

They own blackhead hackers.

They heard about, you know, I got problem, I got trouble in New Zealand by using stolen red card.

I say, yes, you know, that's why I don't want to touch the computer anymore.

I got so scared.

I almost got caught.

And they told me, you know, why you don't think about U.S.

identity or personal information?

It should be safer.

It should be easily to sell that.

So these hackers were telling him, yeah, of course you got in trouble for stealing stolen credit cards.

Man, don't mess with money.

The police are going to get mad if you do that.

That was your mistake.

They take credit card theft very seriously.

Heck, I bet the U.S.

Secret Service probably has a case opened on you.

What you should have done is gone into the business of stealing the identities of U.S.

citizens and sell that.

Not only can you make money doing that, but the Secret Service doesn't give a crap about stolen identities.

In fact, nobody does.

They'll never come after you for stealing identities.

Especially if you stay here in Vietnam.

They can't touch you.

So you should try stealing U.S.

identities.

So Hughes starts looking into it.

My goodness, he thinks.

They're right.

Stealing identities and selling that is far less of a crime than stealing credit cards and just as valuable on the dark web.

He wasn't sure why it was valuable, but if he could get all the personal details of someone, like their address, social security number, phone number, work history, the type of car they have, then people will buy that up like crazy on the dark web.

So he starts looking around for places that might have all this information on U.S.

citizens.

I didn't

calendar in the long term.

I just see whatever I see in front of me.

And the money, it just kind of fly my eyes.

And I thought that should be safer.

And I'm in Vietnam.

And this is U.S.

identity Subify.

I mean, the logic checks out, right?

Stealing identities of people in a far, far away country, no chance of them catching him in Vietnam, right?

And eventually, I

spent like almost a month.

I recon and also

doing a lot of ocean

to

get me a list of only data broker in the U.S.

to be able to provide this data.

Data brokers, of course,

they would absolutely have a ton of people's identities.

Okay, so if you don't know, a data broker is a company that spends an enormous amount of effort gathering up as much information as they can about you.

Here's how they do it.

Number one, they'll copy the whole phone book into their database.

That's got everyone's name and phone number.

Then they'll take a copy of all the county records.

This includes who owns which property, court records, marital status.

Then they'll look at your social media account and scoop up any photos that you have taken of yourself and posted, email addresses you list, affiliations, like which school you went to or place you work.

Like LinkedIn is being scraped by data brokers all day, which you personally have told what your skills are, who your coworkers are, where you work, and what you look like.

Now, to me, that's already spooky enough, that someone would go through all this trouble to get all this data on me by doing all that.

But some data brokers go far deeper and are way more sinister at getting data on us.

They have been known to install trackers on your phone, which typically just comes along for the ride on popular apps.

Like a data broker may pay an app developer to put a tracking pixel on the app so that they can track people even more.

This means data broker is often collecting cell phone data, which could include your phone number, the app usage, but more interestingly, up-to-the-minute location information.

Some data brokers go even further and set up antennas around town and watch what phones interact with those antennas, and they can track your phone's location that way.

Some have been known to put little sensors on roads to identify which cars have passed down that road and take pictures of license plates going by too.

Of course, purchasing history is important to them.

I've heard stories of data brokers buying your purchase history data from retail stores.

And if you don't know, a lot of retail stores are very closely tracking all the purchases you make with your credit card and have a complete history of everything you've ever bought with that card in their store.

Sometimes they even track where you are in the store and what you stop to look at to see what interests you.

And yes, absolutely, data brokers are buying up all this data that the stores are collecting on you because this consumer behavior is worth gold to these data brokers.

So why do these data brokers do this?

Why do they go to such great lengths to build databases on us?

Because there's a lot of people who are willing to buy this data.

Your data is very valuable.

And I'm not talking about selling it on the dark web.

We'll get to that.

Data brokers often sell their data to law enforcement.

And this has been a growing problem over time.

I feel like law enforcement has found a loophole to ignore the Fourth Amendment.

As a refresher, the Fourth Amendment says you have a right to privacy from the government.

The government should not be able to see into your life without a warrant or probable cause.

But they are through data brokers.

There's something called a third-party doctrine now, which says if you give your data to a third party, you no longer have a reasonable expectation of privacy from that data.

So that means if you have money in the bank, the bank can share your data with the government without a warrant.

And law enforcement can purchase your location data from a data broker without a warrant because it's commercially available data.

Data brokers are trying to ruin the Fourth Amendment.

And I want you to look a little closer at where this data is coming from.

Yes, a lot of it is publicly sourced, but a lot is not.

A lot is data that you think is just private between you and the party you trusted your data with.

but they're selling that data to others.

And so if you think it's safe and secure, but it's secretly being scraped and sold, I would say that's spying on you, which the government isn't allowed to spy on its own citizens.

I mean, mass surveillance is against the law, flat out, but they can get away with it because data brokers are the ones doing the spying and the mass surveillance, not the government.

And then they're selling it to the government.

Now, I've tried to remove my digital footprint as much as possible, but there are still things that I'm forced to do, which hurts my privacy and I hate it.

Like, for instance, anytime I see a doctor, I can't do it under a fake name.

They have a strict policy where I have to prove my identity in order to get medical treatment.

And then my medical records are being passed around to millions of people.

HIPAA isn't there to protect our privacy.

It's there to assist others to get our data.

The portability part of it means they're making it easy to package up our data and send it to whoever asks for it.

And there are millions of people and entities that can access HIPAA and patient data.

Second is banks.

There are laws in place where the banks have to verify who you are before they do business with you.

Know your customer type stuff.

And the banks are forced to report certain activity to the government.

So millions of customers' banking data is going to the government again without a warrant.

Lastly, I hate all this public record stuff.

If I buy a house, get married, go to court, start a business, get arrested, all that is public record.

And it gets abused all day, every day, because it is.

I have no choice when it comes to these matters.

My banking history, medical information, marital status, there's no way to opt out of any of it.

And data brokers are just licking their lips, sucking it up as fast as they can.

And they're profiting off of it.

And they're using it to strip away my rights.

But don't think it stops there.

Data brokers are just companies trying to make money.

So they have no problem selling your data to Walmart, Facebook, Google, insurance companies, credit card agencies, ad agencies, because all these businesses would love to know more about who you are so that they can target you with ads or to calculate the risk of doing business with you.

And these data brokers absolutely do not want you to know they exist.

They do a great job at hiding their presence in the world.

Let me give you an example.

I'm going to list eight of them for you.

And I bet you've never heard of any of these companies, Yet there's a high chance that all of them know exactly what you're doing right now.

Merkle, Locate Plus, Live Ramp, MicroBuilt, Ventel, SafeGraph, XMode Social,

Court Ventures.

I certainly don't know anything about these companies,

but Hugh was learning a lot about them.

And I found out, right,

there are a few key players in this data business related to the US.

And they provide these data to law enforcement, to lawyers, to private investigators, stuff like that.

And

I see him, man.

It's kind of like very difficult to get this information.

You have to prove yourself.

You have to

being verified.

So that's why I put a lot of time, like almost a month, and I hack into two different data broker, very popular one.

The first one is this

Locate Plus.

Locate Plus is a data broker that markets itself to people doing background checks and investigations.

They get their data from criminal records, property records, the phone book, and also gather social security numbers and date of birth.

The first one I hack into

is the Glocate Plus,

and the second one is the MicroBuild.

MicroBuild collects data on U.S.

citizens, which includes criminal history, employment history, address history, and social security numbers.

They also keep records of your utility payments, rent payments, loan payments, and stuff like that to see if you pay your bills on time.

The big credit bureaus use this one like Experian and Equifax because your credit score is a reflection of how well you pay your bills.

But not only that, landlords use microbuilt, employers do background checks on it, and lenders look to see how much of a risk you are before doing business with you.

So the two companies, Loki Plus and MicroBuild, I hacked them a few times.

First, single injection, the second one, the five upload vulnerabilities.

And the third one, cross-site scripting.

When I got into their database, right,

I steal the customer logins of their laptop.

And then I use that to be able to lock it into the platform and market queries.

Okay, interesting.

He didn't get into the main data broker database.

Instead, he was just able to get into the web portal side of things, which had user accounts.

And that's the people who use the site to do background checks and lookups with.

He was able to steal some of their logins.

So now he could log into the site and use it as if he was a lawyer or a cop or an investigator who's been vetted by the site to look up anyone's data.

I can set your name, the state that you've been living in, or the city you live in, and that's all.

If we pop out the possible people identity related to that name and in that city,

and you can get the social security number rivalization on the previous 10 years addresses that you've been living even the current one

and

also

you will obtain your relatives your family members right you can also get the information now these sites charge for their service it's often a pay per search kind of thing so when he would search it would go to someone else's bill and he thought if he did a a lot of searches on one user, then their bill would go way up and then they'd investigate what's going on here.

And they would find out that he's been using their account and they would shut it down.

So he would cycle through all the accounts he had to spread out his activity.

I remember I was

using more than 5,000 accounts on Myrobuild alone.

So with his access, he could look anyone up and get their full name, maiden name, phone number, email address, where they live, address history, social security number, driver's license, where they work, work history, and the VIN number for their car.

He decides to build a website to charge users to be able to look up people in this database.

Because so much information.

Then I built a website.

And then I, through that website, I sell to all the cyber criminals around the world

for like $1

for

search.

Kind of like one dollar for one information, one identity based basically.

The first week of him launching this website, he made $5,000 from people doing searches on it.

It was an instant hit.

He wasn't sure why people were using his site to search for other people, but he didn't care.

He just saw the money coming in and was like, yeah.

And interestingly, this was the early days and crypto wasn't really adopted so well yet, so he wasn't accepting that.

Back then, I didn't use BitCon.

We used Liberty Reserve.

Liberty Reserve was sort of like a PayPal in the way that you could send money to someone online, except they didn't do much in regards to checking people's identities.

So it became known as the place for criminal transactions around 2010.

It was the go-to place for stuff like that for a while.

So he was getting tons of Liberty Reserve dollars and they were piling up in his account there.

Then he was using some Vietnamese money mules that he found on the dark web to send them his Liberty Reserve Reserve dollars and they'd cash it out and give him cash.

And things were looking good for a few months.

But, you know, the team is not stable

because the two companies they find out about the vulnerabilities.

So they sat down

and they they also fixed the vulnerabilities.

Kinda like me and them, you know, like

uh we've been playing the the cat and mouse game.

Kinda like they fixed the vulnerability beauty.

I fired out another one.

So we just keep hacking and fishing.

So I got kind of tired.

He was getting tired of constantly trying to find new ways to stay in the system.

They were getting good at detecting him and kicking him out.

So he stops to think about it.

And he thought, you know, why struggle to maintain access when he could just become a paying user of the site?

Now, Microbuilt would only allow certain people to use their site.

You had to be a professional investigator or a cop or in a position that you can be trusted with this data.

And there's a serious vetting process.

So Hugh decided, well, why not try to act like a private investigator and get in?

Step one, create a driver's license with a fake name.

At first, I got the license to Google, but it didn't work.

I tried to do Photoshop and stuff like that, but couldn't work out.

It's not good quality.

Okay, that didn't work.

Time for plan B: try to impersonate someone who is allowed to have an account there.

So I

did an uh kind of an osynd

to gathering on the list of emails address

belong to rival investigator.

And you know, when I hacked into my review and look at plus, right,

I got the email address already.

I got on the list already.

So I used that to do phishing.

I was phishing them

to a malware so I can

get into the computer.

Wow.

So the 5,000 users that he got from MicroBuild, he could see which ones were private investigators and get all those emails and also their data from the data broker to know everything about them and then send them phishing emails.

And if they clicked the link, he would infect their computer with malware, essentially giving him access to their computers.

And when he got access, he would look around to see if he could find any identifying documents for these private investigators so he could impersonate them.

And one of the private investigators, I remember he was living in Michigan in the U.S.

And I got into his computer to the malware.

I got all the data on his computer,

including like the private investigator license, even his passport, his social security numbers.

And I got, I mean, I got everything.

And back then, you know, like the people, they still got a habit

saving all the sensitive stuff on their desktop inside the

spreadsheet, right?

Kind of like an Excel file, storing the username and password, like sensitive information in that file.

And I got that file too, you know, I saw I got all the information.

they had birth and driver license, stuff like that.

So I impersonated as him under his name.

I obtained an account at

MicroBuild.

So I got a MyBuild account officially.

I was using that, maybe a monitor.

So they find out this is a fake account.

So they shut down my account.

So he's realizing MicroBuild is giving him a lot of trouble and decides to look at another data broker to maybe register an account there.

And that's when he found a data broker called Court Ventures.

Court Ventures providing API and data access for the people to making queries to be able to obtain the US identity.

Oh, this is even better, he thought.

If he could get API access to make queries and do searches, that's a whole lot easier to integrate into his website.

They were just like the others.

They had address history, criminal history, full identity data.

And yet, investigators, cops, fraud detection agencies, and credit bureaus loved using Court Ventures to look up people's data.

He found a private investigator in Singapore and was able to obtain all his details and was going to impersonate him to try to get an account at Court Ventures.

I got his license

and I impersonated

that guy,

the rival investigator in Singapore, and then I use that to apply the code venture account

and I pay for them you know I was dealing with them like real businessmen you know like I say yeah I'm I was I was doing for big company doing background check for Mars

Google so I need a lot of curious every month to do background check and they okay with that because I pay for them and I told them you know I want to have a good dude.

And then

the CEO of that court venture company, they gave me a good deal.

Like, I remember like 14 cents, 14 cents for one information.

So I say, yes, okay, we make a business contract too.

Like, I pay the signature, I paid name, everything.

So I sent back to him and they didn't verify anything.

They just keep going.

They okay everything.

Okay, he got the account.

He could do searches on people now.

Good, good, he thought.

But he wanted that API key.

So he applied for it.

And a few weeks later, they gave it to him.

Incredible.

So I got the account, man.

I said, oh, oh, my God.

I got the API asset to like almost 200 million US identity right there.

And all I need to do, you know, to integrate that into my website, that's all.

Yeah, 200 million US citizens details were in this data broker that's like over 60% of all US citizens data that's incredible and at 14 cents per lookup he could sell each of those searches for a dollar on his website his grand plan was starting to come together so at that time my my website is is still on the uh cli web you know like anybody can gain access but most of the clients that I have is all some criminal around the world

And technically, I didn't care

whatever they've been using this identity.

So I just kept selling

to

the API of the court venture.

And I remember every month I was making more than 120k

per month.

USD.

Yeah, he really didn't care who would use the site or why.

He didn't even ask.

All he knew is that people liked using it to look up people and he could make a nice profit off it so it seemed like a good business model to him but even though he was making 120 000 a month he still had a massive bill to pay to court ventures every month and um

i was paying for court venture every month from

twenty thousand to thirty five thousand usd per month Yeah, they're happy and I'm happy as well.

So it was kind of a win-win situation.

I keep running that website for over two years.

And I was making more than 3 million USD

by selling the U.S.

identity.

It makes me wonder:

is any of this illegal?

I mean,

can you squarely point at who the victim is here in this situation?

Do you know the story of Irate Joe's?

It's an interesting one.

So there's this U.S.

grocery store called Trader Joe's.

It's fantastic.

I love it.

A majority of food there at Trader Joe's is the Trader Joe's branded stuff, and people get hooked on that brand.

Well, up in Vancouver, Canada, they were like begging Trader Joe's to come open a store here.

But Trader Joe's refused.

They're like, nah, we only focus in the U.S.

We're not going international.

So some guy in Vancouver was like, well, you know what?

I'm going to open my own Trader Joe's in Canada.

Why not?

Because if they're not going to do business here, then there's probably no jurisdiction issues or or harm.

Should be fine.

So he crosses the border into Washington state, buys a ton of Trader Joe's stuff, and drives it back to Vancouver and opens up a little shop called Pirate Joe's.

He charged more than Trader Joe's did because of the logistics of it, but hey, people in Vancouver were happy to get some of their favorite food items.

Finally, Trader Joe's was like, hey, you can't do that.

And Pirate Joe's was like, yeah, yeah, we're in Canada.

Your U.S.

laws don't apply here.

And he was right.

Trader Joe's had a really hard time getting anywhere legally, but eventually they convinced a U.S.

court to force a trademark infringement on Pirate Joe's, saying the name of the store is too similar to Trader Joe's and they're smugglers.

So what did they do?

Pirate Joe's dropped the P and renamed the store to Irate Joe's.

And they clearly put all over their store, we are unaffiliated, unauthorized, and unafraid.

Trader Joe's was furious that they stayed open and started banning them from coming into the store to buy stuff.

They banned the owner who was driving twice a week to buy $5,000 worth of groceries from Trader Joe's.

Then he got his coworkers to go to different Trader Joe's and try to buy stuff from there.

But Trader Joe's started figuring out which stores in Washington they were visiting and buying food in the shop so they would block these other people from purchasing things.

So I Rate Joe's started asking their customers to help stock the store.

They're like, hey, if you're going to Washington, please pick some stuff up for us at the store.

And soon dozens of people were now helping stock the shelves at irate Joe's.

I'm telling you, people really love Trader Joe's stuff.

And crowdsourcing the buying was working for them.

But Trader Joe's was putting more and more limits on how much people could buy in the stores that were close to Vancouver.

The guy who owned IRA Joe's is like, bro, I'm your biggest customer by far.

I buy more than anyone else in this store.

What is your deal?

We're not asking for anything special.

We just want to buy what you have.

But Trader Joe's kept giving them legal trouble.

And eventually, irate Joe's shut down from the expensive legal fees that they kept facing.

And again, here's a situation where I wonder, who's the victim?

Trader Joe's sure thought it was them.

But what do you think?

I mean, when I was a teenager, I used to buy things from the dollar store and then sell them on eBay for $5 each.

If it's legal for data brokers to sell identities of U.S.

citizens, why would it be illegal for Hugh to buy those and resell them for more?

This is the part I don't get.

It's apparently perfectly fine for a data broker to buy and sell identifying information on U.S.

citizens, but it's not for Hugh.

In Hugh's case, he didn't hack into the site.

He didn't steal anything.

He was a paying customer of Court Ventures and was paying them a lot of money for all the searches people did.

And they seemed to be fine with that.

Happy that Hugh was their customer.

So he had his little website set up and accepted payment from Liberty Reserve.

And users could search Court Venture database through the API.

And at first, that website is called the

USsearching.info and then eventually like supergate.info

and fireget.me, stuff like that.

You know, I changed the domain like constantly to avoid like law enforcement.

And I was selling

more than

a little more than three million U.S.

identities during that two years from 2010 to 2012.

Okay, let me do the math.

Okay, 3 million searches, 14 cents per search.

That's $420,000 that he paid to Court Ventures and all this.

Jeez,

that's a lot of money Court Ventures made off him.

And that was fine for him because he made over $2.5 million in profit after that.

Unbelievable.

And during 2011, right, I dropped out

the school.

I don't, I didn't study and finish the university anymore because I was thinking that, man, I was making a lot of money.

Every month, like I was making up to 120K

per month.

What were you using the money for that you were getting?

Back then it's too young, too dumb, you know, like a lot of money I spent on stupid stuff, on five-star hotel, and then business class.

I spend a lot of money on like

stupid things.

And I waste a lot of money for cars and luxury stuff.

What kind of car did you have?

I have, I was having like three different cars.

Two are spot calls.

One of them is

BMW.

the convertible one

and another one is a customized call, like phone customized one that I don't even know that you know what kind of car is it, but like kind of like one of the.

I remember I used that call to be in a contest for the like good customized call,

and I won the price as well, too.

You know, like because I spent so much money on that call

and customize that and fine-tune that call.

And the other car that I have is Luxury Call Lesses, right?

Yeah.

So what did your parents think of all this money?

I was lying to them.

You know, I was working for an international bank in the US and they hired me to protect the system and also building their website.

You know, like all the lies, you know.

And when I meet up with all the people, kind of same age, even like the people that I know on the street, they ask me, you know, know, why I am so rich.

And I lied to them, you know, because my family was a well, a wealthy family, and uh, they they uh they got everything from me, that's why.

So, I

kind of

lines with each other with different stories, you know, and I kind of very ties though.

What were the people that were using your site?

What, do you know what they were, why they were searching for people?

What was the point of them paying for people searches?

That's a good question, though.

The question,

you know, like the answer for this,

at that time, I didn't care much about

how

did they use this information.

All I know, you know, maybe they use that to impersonate somebody,

or even like they use that to bypass the red card transaction authentication, whatever that's all i know

so like you said this went on for years he was able to automate a lot of it so he would only do a few hours of work a week to keep it all going life was going great for him eventually court venture right

they got uh they got esquied by the experient oh interesting in december 2011 xperian bought court ventures now experian is one of the three major credit bureaus in the U.S.

They create a credit score for every U.S.

adult, and rental places and loan agencies will check your credit score before doing business with you.

So, Experian loved the data that Court Ventures had on people so much that they just bought it outright.

I couldn't find what the purchase price was for 200 million U.S.

citizens' data, but I imagine it was in the millions of dollars.

Now, after Experian bought Court Ventures,

the Secret Service contacted Xperian and was like, you know that company you just bought?

Yeah, well, we have reason to believe that they are giving data to someone who is illicitly reselling it to criminals.

Xperian is like, what?

Say that again?

Court Ventures never told them this in the trade deal.

So Xperian quickly shut down Hugh's account and cooperated with the Secret Service.

In fact, Xperian was so mad that they sued Court Ventures for not taking action on this earlier.

I suspect the lawsuit was because they were misrepresenting their business in the trade deal.

And so the Secret Service now had their eyes fixed on Hugh.

One of the court requests from the U.S.

Secret Service, you know, asking about the status of my account, the FAI account.

And eventually they shut down my account at a court venture.

They shut down his account entirely, but he had a backup plan in case this did happen.

He had a second account.

Not one he made, but one he stole the password to someone else's account.

And he could use their account to continue to do lookups.

But he no longer had that API access where he could automate it.

That belonged to one of the company, one of the US data blockers as well, too.

It's called the USsearchInfo.com.

Something like that.

I don't remember.

It's a long name.

But anyway, this company, I got one of the account to

phishing attack.

And I used that to do manually searching identity for all the people who still need the service.

He wanted to get another API connection to Court Ventures.

And this hand searching stuff was just taking way too much time.

So he starts emailing them.

Hey, how come you shut off my API connection?

I need it back.

But what he didn't know is that because the Secret Service were investigating him, it it was them who was responding to his emails.

And they was making up a story that, you know, they will offer me a good ABI connection, not only to the U.S.

identity data, but also the UK identities data.

I say, well, you know, it's a good business.

It kind of...

Too good to be true.

But, you know, at that time, the money just blinded my eyes.

I say, okay, it looks good.

But the thing in, you know,

I feel something suspicious going on too.

Something not right.

Apparently, there was another guy that was doing the same thing as Hugh, also reselling data broker data.

But the Secret Service caught that guy who was in the UK, and that guy was assisting the Secret Service to catch other people doing the same.

So that's what felt off to Hugh.

He was talking to both the Secret Service, an agent named Matt O'Neill, and a guy from the UK named Mark, who got caught reselling identities.

His name Mark,

he still keeps communicating with me to email and even call me to, I remember, to Skype

back then.

And

they say, you know,

they want me to go to the US and also go to Australia or go to Hawaii.

I say, no,

I don't want to go there.

But

Matt O'Neill and Mark, they collaborate together and they lure me to Guam.

They told him if he could meet them in Guam, they'll give him all the things he needs for his API access.

They made up a story of why they need to meet him in person.

Something like, well, the big boss really wants to meet you.

You're one of our best customers and we can get the contract signed right then and there.

And then we can open the big party, you know, so we can have fun together.

And then you can fly back to Vietnam.

Everything good so he decides to fly to Guam which is kind of near Southeast Asia he figures it's the closest option that they gave him and looks safe you know I didn't do any research about wam I thought it's just like an island nobody care

and I heard that some of the Vietnamese people they living over there as well too

Maybe it's fine, you know, if any problem, I will, you know, go to talk to my people, asking for help.

And then I bought a ticket and then i went to wam with my sister because at back then you know back then my english is not really really well

and um i went there with her together

and um the moment i landed at the international airport they escorted me to u.s custom office and that moment that that right moment you know i i just feel like man

something going on something something fishy

Yeah.

And then they told me, sit down here, you know, we want to talk to you a little bit.

And I was so nervous.

I was trembling, you know, like, man.

And I was shocking.

I say, man,

something not right.

They put a stack of the paper, like,

I remember, like, maybe like 10 inches thick,

very thick documents.

And they told me, you know, we know about you.

We know everything about you.

Maybe more than your family knows about you.

And that moment, I say, man, it's over.

It's over.

And that's it.

I feel like I was on top of the world.

And right now, I kind of like I was living in hell.

And that's it.

They sent me to the jail in Wam

after that.

And they sent my sister back to Vietnam.

I told the prosecutor and the U.S.

Secret Service agent.

I say, my sister had nothing to do with this.

It's all about me.

So they released my sister.

And

I was

staying in the jail in Wam for like

more than a little more than two months.

And then they sent me back to the mainland, the U.S.

mainland, to many different jails.

They sent me to Hawaii, to Los Angeles, Nevada.

They sent me to Oklahoma, New Jersey, and then New York, and then New Hampshire.

New Hampshire is where his case was going to be tried.

So that was his final destination.

And he was stuck in prison through the entire legal battle.

Apparently, the U.S.

prosecutor who first investigated him was in New Hampshire.

And so that's why his trial was there.

Reflecting back on how he got caught, he has a few theories.

First, he blames Brian Krebs, a cybersecurity journalist who did an article that said how criminals can look up people on the dark web.

And Hughes' website is listed there.

And so he thinks that's how the Secret Service probably first learned about my website.

And on his website, he made a few mistakes.

The first week of having it, he used a hosting provider, but registered it under his real name, but then he changed the registration to an anonymous name, but those past records are still visible.

Second, he used to have his personal email address on the website for contact details.

So these slip-ups would have easily traced someone to Hugh.

And I also believe that the Secret Service probably used his site, did some searches on people, and then tried to correlate that with the logs at court ventures to pinpoint exactly which user Hugh was using for his site.

But this whole time he wasn't sure exactly why he was arrested.

He was paying for these searches in full.

Where's the fraud here?

Where's the crime?

But it wasn't until after his arrest where he learned what people were using his site for.

The federal court, they told me, you know, the information that I stole and also like sell that to other people.

They're using that for tax return.

That's something new to me.

I never know that, you know, tax return.

And then I find out what tax return and then it's very serious.

What people were doing was going to Hughes' site, looking someone up, getting all their details, and then trying to file the taxes for that person.

See, here in the U.S., we pay taxes to the government all year.

And typically people overpay on their taxes.

So they get a big return come tax season.

So a lot of Americans get a check for maybe a few thousand dollars every year from the government because they've overpaid on their taxes.

Well, criminals know this.

So they file tax returns on other people and they put on there that they should get a $2,000 refund.

And then the IRS processes the tax filing and they look at it and it looks legit and sends this person a $2,000 check.

And when the real person goes to file their taxes, the IRS is like, oh, no, no, no, you've already filled it out.

We've already sent you a check.

And now suddenly there's a bunch of Americans saying, oh, no, I didn't.

Give me my money.

And there is a big problem.

So the Secret Service was investigating this because Hughes People's search engine was complicit in helping criminals defraud a lot of American citizens.

And apparently there were a lot of people in New Hampshire that someone stole their tax return check.

And you know, I got so much information and they turned kind of like thousand and thousand victims in New Hampshire.

Okay, there's the V-word, victim.

We found a victim.

The people of New Hampshire who didn't get their tax refunds.

Okay, sure, they're victims of identity theft.

I'll give them that.

But typically, the IRS will understand and pay them anyway, essentially giving out two refund checks.

So this makes the IRS the victim.

But then you could say, no, it's the U.S.

taxpayer that's the real victim because this is money that's just lost.

And it drives me nuts how much money the IRS loses on this every year.

Like every single year, the IRS will give out billions of dollars to criminals submitting tax refund scams.

And I just have to ask, IRS, when are you going to take this problem seriously?

You're world class at collecting our money, but terrible at distributing it to the right people.

Billions of tax dollars are lost every year because a criminal asked you for money.

How is this acceptable?

So what were your charges?

Because

I have no idea what you're actually guilty of still.

Yes.

Terror, you can read that on the the U.S.

court's records.

Okay, fine.

I will.

All right.

He's charged with three items here.

All three are violations of the CFAA figures, right?

The first specifically says he used a data broker in a way that they didn't authorize him to use.

It's against their terms of service to resell the data that you're given access to or to impersonate someone to get an account there.

And he did that.

He absolutely violated their terms of use.

And that is what the Secret Service is saying he's going to prison for.

Unauthorized access, which we can guess means that he impersonated an authorized user, which is against their terms of use.

You know how many of us violate the terms of use on websites?

We all do all the time.

Like if you ever let someone use your Spotify or Netflix login, that's the same violation.

Unauthorized access.

He's being charged with that sort of thing.

Second item, specifically, it says he's personally gained money from violating his access.

And the third item is that it was in excess of $5,000.

So all three of these are CFAA violations.

And it drives me nuts that if you violate a website's terms of service, it's a federal crime.

I don't know why it's not just a civil issue, a problem between you and the website.

Like, why is it a federal crime?

I think the site has grounds to terminate you, ban you, and probably even sue you for violating their terms of service.

But prison time?

I think that's just going too far.

But that's how it is.

It's a federal offense to violate a website's terms of use.

And I'd be remiss if I didn't mention Aaron Schwartz here.

Aaron was an MIT student, and because he was a student, he had access to academic research papers through a place called JSTOR.

Well, he thought this information was so valuable to the world that he was downloading it and publishing it for free.

The world should have this academic research, not keep it exclusive only for university students.

But JSTOR was pissed.

They called the feds on Aaron for violating their terms of service.

And the DOJ charged him with 13 felony counts.

And he was facing 35 years in prison.

They told him, look, if you take a plea deal, you'll probably only do six months in prison.

But he absolutely did not want a felony on his record.

A felony for violating the terms of service.

The pressure was too much for him.

And Aaron killed himself.

So after that, politicians were like, whoa, whoa, whoa, why does the CFAA have it written in there that unauthorized access to a website is a federal crime?

People are dying over this.

Just because you violated a website's terms of use should not be a federal crime.

And so Aaron's law got proposed, which asks to change the CFAA to stop saying that a terms of use violation is a federal crime.

But sadly, the law didn't get passed.

Can you tell I hate the CFAA?

see here i i'm i i i'm upset about this because first of all right these data brokers are collecting data on us without our permission and so there should be they should be the ones that are doing illegal things second of all they're selling this data for 14 cents per lookup you're selling it for one dollar per lookup yeah so right the only real thing here is that you're saying hey i'm i'm just up i'm doing an upcharge for this and giving access to more people.

It's not really stolen data, it's actually paying for the data as you're using it.

And

you're right, the unauthorized access is a CFAA violation, and I can see them saying that.

But

I'm just so frustrated about this because you didn't do any money laundering in the U.S.

So, for them to say you did money laundering there, it's not true.

You did that in

Vietnam.

So, I'm just frustrated on your behalf

i know but the thing is it's what is it though that's how it works

and also the um the damage amount that they put in my case is very huge though like over 60 million usd prosecutors were saying he caused 60 million dollars in damage And of course, they didn't explain how they came to that number.

It's kind of impossible to look through 3 million lookups on Hugh's site and then connect that to what identity theft crimes happened for those people and then add up how much money was earned from that.

And anyway, all that was secondhand.

None of that stolen money was done by Hugh.

So they likely just made up some number, but he's not the one who did the identity theft.

He's not the one who did tax fraud scams.

So it's maddening that they're saying he's the one who's responsible for all that damage.

Like, Hugh is a criminal.

He is the bad guy here, okay?

I'm not trying to say he should have gotten off.

He absolutely did break the law.

What I'm saying is that this is the wrong law to be charging him with because I hate when the CFAA is used like that.

They tried to say he was also in trouble for money laundering, but he didn't do any of his money laundering in the US.

So I'm not sure if that one even flies.

But like none of his charges were for any of the credit cards he stole or drained all those sites that he hacked into back then.

There's nothing about all the concert tickets that he bought and then essentially scammed all those people.

Like those are easy charges to slap him with, yet they're completely absent here.

There is a law around identity theft, but I think it would be hilarious if they charged him with that, since that's the whole business model of what data brokers do already, right?

They work every day to grab as many identities as they can without anybody's permission and then sell them.

And not only that, he didn't steal the identities, he paid for them.

So the theft part would be in question too.

I think the proper crime here that they probably should have charged him with is that he was knowingly helping criminals conduct crimes, right?

Like aiding and abetting and conspiracy, that sort of thing.

Hugh knew his site was used by criminals and they were his favorite customers because they would pay for tons of searches.

So he was catering to them, making it easier and better for them to use his site.

So while he didn't do any of the tax fraud himself, he did help a lot of people do it.

But he wasn't being charged with aiding and abetting.

He was being charged with violating the terms of service of a data broker where he was impersonating someone else to get an account there.

But the thing is, the feds would have a much harder time proving his site was intended for criminal use compared to simply giving him a CFAA violation, which is easy to convict someone of.

Like I said, we all violate the CFAA all day, every day.

So in my opinion, the feds charged him with the wrong crime because of the almost guaranteed win for them, as opposed to charging him with the right crime and then struggling to find evidence to prove that he did that.

And by the way, while the Fed said that he caused $60 million in damage, nobody was asking for restitution there.

None of the data brokers were saying he caused them damage.

So if he did do all that damage, find that victim and bring them into the case.

Because here's the thing, I'm looking at the indictment and there's not a single company name here or victim name listed at all.

Of course not, because the data brokers want to hide from you.

So the only thing listed there is company A, headquartered in New Jersey, and it said he did an SQL injection on company A.

Well, by doing a little bit of research, it's kind of easy to figure out that the data broker in New Jersey that they're talking about is US InfoSearch, which Hugh did in fact steal credentials and use that site, but not much at all.

I mean, it was such a small blip in his story that it's hardly worth mentioning.

Yet that's the company that was saying he got unauthorized access to.

But here's the thing.

Here's how it all connects.

Court Ventures was partnered with US InfoSearch.

If you were a paid Court Ventures user and you look someone up, they had a connection to US InfoSearch.

So you'd get results from them too.

Now I'm just connecting the dots here, but that sounds like to me that Court Ventures was reselling data broker information that they got from US InfoSearch.

Like surely whatever deal they had with US InfoSearch, they were selling that data for a higher price to their own customers, right?

You see my point.

This story is pretty bizarre.

So you could say this company listed in the indictment, U.S.

InfoSearch, was the back end and provided data to court ventures.

And it's U.S.

InfoSearch that the U.S.

government is saying Hugh got unauthorized access to and profited off that access.

You say the victims were the people who got their tax

fraud or whatever

stolen, but I really think the victims are the people you were stealing from, right?

Locate Plus, MicroBuilt, and

the

Aventure.

And

I think those are the people you were robbing or attacking.

And I'm surprised were they part of the case at all?

Did they come and testify against you or give evidence?

No.

No.

I don't, I didn't see anybody.

from this company.

Yeah, but I can't, I just, did you have a good lawyer?

I pay for the lawyer.

Like I spend like almost more than, I think, up to 700 cake.

Wow.

Yeah, for a lawyer.

Because I would have fought to say,

yeah, you're saying that he caused $60 million in damage.

However,

he did not actually do any of that damage.

He just gave the information to someone else and someone else did the damage.

He never did a tax fraud.

So you can't say he's the one who did tax fraud.

It's like if I sell you a lighter and then you say you take that lighter and you burn a building down with the lighter.

I'm not in trouble for selling you the lighter.

The person who

burned the building down is.

Not true.

But you know, back then, you know, like a lot of people told me the same thing.

You know, I shouldn't keep, you know, I shouldn't hire, I shouldn't hire the lawyer.

I just keep that money.

Yeah.

But, you know, like my family, you know, they saw worry and they just look up on the internet, you know, oh, yeah, this is good lawyer, like good, good, good rating, like five-star rating, international lawyer, whatever.

In New Hampshire, you know, like professional one.

And yes,

that's, that's what happened.

I remember like

every time the lawyers

and his team meet me up,

like every

every time, like that, it cost me like five to ten thousand USD.

And an email

I sent to him, all the other lawyer team, like it cost me like

two or three hundred USD for one email.

Lawyers are so

expensive.

I know, it's very expensive, but you know, it's it's why is it, you know, easy money, easy goal.

So, I'm I'm for real, you know, I don't really complain about that.

Like, because I

at the end of the day, it's kind of dirty money.

You know, another thing that really bugs me about this whole thing is neither MicroBuild, Locate Plus, or Court Ventures ever told their victims that there was a database breach.

No.

They never say,

even until now, I suspect about them and they never mention anything about it.

Even though it's really happened to them.

What's come back?

I just, I have no sympathy for these data brokers.

I absolutely hate them.

They take my data without consent.

I can't even opt out if I want.

They don't protect it.

And when it's lost in a data breach, they don't even have the decency to tell me that my data that they gathered on me got loose.

Hugh was desperately trying to get his lawyer to help him.

But here's the thing, there's a 99% conviction rate when the feds slap you with a CFAA violation.

In all the cases of the feds accusing someone of a CFAA violation, I've only been able to find two or three cases that the defendant actually won.

The rest were people pleading guilty or found guilty in trial.

So the chances of Hugh getting off were slim to none.

He tried to fight it, but everything they tried just kept getting denied by the courts.

And after a few years of fighting, Hugh got tired and was running low on cash.

You know, my lawyers explained to me, you know, I may lose the trial.

I may get up to like 45 years in federal prison.

45 years and i got so right i got so scared all the charges like own combined together not only from new hampshire right but also from the uh from

new jersey as well too

so i got two two uh two criminal charges

from new hampshire and new jersey so they own combined together

and they

they say up to like 45 45 years if I lose.

So, so my family and me was so scared.

So, we play uh kind of we played uh plea deals

and um

yeah,

I played guilty uh during the summertime of 2015.

Guilty, guilty of doing 60 million dollars in damage

when

your

sentence came up or during a play deal, did you offer to give up your money to reduce the sentence like and what how did that go oh yeah my family also asked them you know like they want to give back all the money

uh

but they say no they don't need that

really

right

they don't need money they don't need any assets and then they don't need anything

so

it's what it's what is it

so

but the thing you know i spent a lot of money on lawyer

on, you know, like during my incarceration as well, too, you know, like for foods and medication and stuff like that.

So they didn't forfeit, they didn't take any of your money or property or cars or anything.

No.

They didn't care.

They said they don't need that.

They just want you.

They said, Walmart.

After pleading guilty, he was sentenced to 13 years in prison.

13 years for getting access to data broker data, which he wasn't authorized to access?

At this point, I'm wondering, what if, instead of Hugh accessing data broker data to sell that, what if he just made his own data broker business, you know, for anyone to access?

Would that be illegal?

Like if Hugh copied all the data out of the phone book and all the court records and the county records and scraped some LinkedIn data to build complete profiles on millions of people, That's all public information, right?

And it wouldn't have been that hard for him to do because he's a clever guy.

Are there there laws that he would be breaking if he sold that data?

I guess what I'm wondering is, are there laws that data brokers have to follow?

Well, I had to stop and look into that.

Basically, yes, there are data broker laws and often states regulate them.

And the gist of the laws is that data brokers have to prove that they aren't selling their data to criminals.

I mean, think about all the dangerous household things we probably all have, right?

Box cutters, a hammer, matches, lighters, gasoline, bleach.

These are all things that can cause a lot of harm and destruction, right?

Yet, when you go to buy them, the store doesn't verify your intent.

They're not like, hey, what are you going to do with that box cutter?

You have to prove to us that you're going to put it to good use.

Yet, that's how data brokers treat their customers.

Their customers have to show proof.

that they have a legitimate reason to search their data.

And they're on the approved list of okay people.

Apparently it's not good enough for data brokers just to say, hey, you can't use this for malicious intent.

They have to verify every single user to try to prevent any of them from using the data maliciously.

So the approved list is people like law enforcement, marketers, investigators, loan agencies, those sort of people.

And that distinction is very fascinating to me.

Data brokers are legal, but only if they sell their data to an exclusive group of people.

And I don't like that, not one bit.

I mean, of course, I don't like that there's a business out there buying and selling my personal information.

That's gross.

Go get a real job, all right?

But I think I might have a hot take here.

I don't like that they only sell their data to a certain group of people.

I wish they sold it to anyone.

Only people in some exclusive club can look up my data.

A club that I'm not allowed in.

I mean, the reason why states regulate data brokers is because if anyone could search those those databases, then we'd all be flooded with scammers and identity thieves and stalkers.

But to me, that's not the problem.

To me, the problem is, one, I don't even know how much data those data brokers have on me.

And two, I don't even know who has my data.

Like, if I could somehow feel the sting and pain every time my privacy is lost, I would take my privacy way more seriously.

So, like, I know there's probably apps on my phone that are sending real-time location data right now to a data broker.

And if someone took that data and saw where I was and came to my house and knocked on my door,

of course, I wouldn't answer because I never answer my door.

But I just imagine them continually pounding on the door, like, hey, I know you're home, answer the door.

Your phone is sending me real-time location data to me right now.

I'd immediately be like, wait, what app is sending you my location data?

And I think having a scary moment like that would absolutely force me to uninstall apps that are tracking me.

So my hot take is that stalkers aren't the problem here.

It's the obsessive collection of my data that's the problem.

If data brokers opened themselves up to let anyone search their site, we'd all be way more private and secure because we'd all be taking huge steps into protecting our privacy way more seriously.

When we don't know what's out there, we don't think it's a problem.

And they're trying to hide that from us.

Of course, the data brokers say they take our privacy seriously, and security is their top priority.

Yeah, well, until it isn't, Hugh got into four different data brokers, all by himself, and it didn't look like it was that hard for him to do.

Not only that, there's news story after news story of data brokers getting hacked into.

The biggest one is when Equifax got breached.

If the data brokers were so worried about their data getting into the wrong hands like scammers and stalkers, then don't collect it at all.

Because if there's one thing I've learned about doing over 160 160 episodes on hacking, is that you will fail at securing your network and data at some point.

There is no safe way to collect and store my personal data, much less sell it.

The regulators think forcing data brokers to vet every user is stopping criminals from accessing the data.

But clearly, criminals are in fact accessing the data.

Since when do criminals follow regulations?

So really all the regulations are doing is stopping people like you and me, normal citizens, from being able to see what's in there.

There are so few people who truly understand what is happening in this data broker world since they like to operate in the dark, in the shadows of the internet, and they work hard to keep everyone else in the dark.

I want to believe that someday privacy will be in style again.

And we just need enough cool people to tell us it's worth wanting.

Because data brokers has a bad aesthetic.

Surveillance is sterile.

It's cold, gray, and depressing.

There's nothing cool or romantic or aspirational about being trackable down to when you're peeing or having sex or eating or sleeping.

Yet these data brokers are feverishly trying to know all of that about you and build a complete behavior profile on you and then selling that to millions of people who are on the allowed list.

I hope someday wanting privacy doesn't make you a weirdo, but it makes you cool.

Hugh was sentenced in 2015, which meant he'd get out in 2026 because he already spent two years in prison by that point.

And it was there in the New Hampshire prison where he learned English and studied all kinds of things.

The police asked if he could share his story with others to teach them how the dark net works and all that.

So he cooperated and told his story and was trying to self-rehabilitate to get out early.

But when he was in prison, he heard some news which really crushed crushed him.

That Liberty Reserve website was seized by the feds, and the owner was caught.

I heard on the news that he got caught.

And the thing is, Q had a lot of money still in his Liberty Reserve account.

But when the feds seized the site, they seized all that money too.

How much did you lose there?

I was saving up over there like a little more than 300K.

Wow.

You know, I was thinking, man,

I will go home and they will get that money.

But,

you know, the moment I heard on the new during my incarceration time in 2014 or 15,

and I say, man, it's over.

No more money.

So he continued serving his prison sentence, staying out of trouble.

And because he had good behavior, they let him out early.

After serving seven years in prison, they let him out in 2020.

There was a lot of complications getting out of prison in the middle of a pandemic.

So it took him eight months to get home after he was released, but he eventually made it back to Vietnam.

When you got home in 2020, did you have money remaining from all this?

I still got

a little more than 50,000 USD

and

one apartment.

When he got home, he got a job with the Vietnamese government to help with their national cyber defense.

They they s they so-called the NCSC, the National Cyber Security Center,

and been working there for like four years.

I just uh I just left uh NCSC uh just five months ago

because, you know, like the government they they sh they restructure the uh agency and that's why I left uh

NCSC and uh right now I just try to to mainly focusing on cybercrime investigation.

And

I love hunting cyber criminals, technically.

And to the day I got home until now, I was helping law enforcement in Vietnam

and other

countries as well to arrest more than 200 cyber criminals.

He says he also enjoys helping victims of scams and identity theft by educating them on what options they have and helping them regain control of their life and use the law to help them out.

In fact, it sounds to me that Hugh feels pretty bad for all the people who got scammed from his service.

I feel like, you know, I owe a lot to the people, especially the people in the U.S.

I

kind of like I hurt and harm so many people's lives.

And I

kind of

always feel

ashamed about it.

So he wants to be clear that he is sorry for anyone whose identity got stolen and lost money from his website.

He truly feels bad about it and has apologized publicly multiple times and wants to try to do what he can to correct the wrongs he's done, which is why he's helping victims now and worked with law enforcement to catch cyber criminals in his home country.

Thank you so much to Hu Ming No for telling us this incredible story.

This one was wild.

I had to stop and think like multiple times while making it.

And I love a good story that puts me in deep thought like that.

And I hope it did for you too.

I recently read a book about data brokers, which was extremely eye-opening.

And I encourage you all to read it.

It's called Means of Control by Byron Tao.

Check it out.

It's a total page turner.

You will not see the world the same again after that.

Don't forget you can pick up some really cool shirts at our shop.

I guarantee you will find a shirt you love there.

Go to shop.darknetdiaries.com.

This episode is created by me, the Hack Street Boy himself, Jeffrey Sider.

Our editor is the hash/slashing Tristan Ledger, mixing by proximity sound and our intro music by the mysterious breakmaster cylinder.

They say if you don't pay for it, then you're the product.

But what if you pay a data broker to look up your own data?

What then?

Hmm?

This is Darknet Diaries.

Diaries