148: Dubsnatch

1h 29m

Ever wondered how far a fan would go to get a sneak peek of their favorite artist’s unreleased tracks? In this episode, we uncover the audacious story of some teens bent on getting their hands on the newest dubstep music before anyone else.

Sponsors
Support for this show comes from Varonis. Do you wonder what your company’s ransomware blast radius is? Varonis does a free cyber resilience assessment that tells you how many important files a compromised user could steal, whether anything would beep if they did, and a whole lot more. They actually do all the work – show you where your data is too open, if anyone is using it, and what you can lock down before attackers get inside. They also can detect behavior that looks like ransomware and stop it automatically. To learn more visit www.varonis.com/darknet.

Support for this show comes from Axonius. The Axonius solution correlates asset data from your existing IT and security solutions to provide an always up-to-date inventory of all devices, users, cloud instances, and SaaS apps, so you can easily identify coverage gaps and automate response actions. Axonius gives IT and security teams the confidence to control complexity by mitigating threats, navigating risk, decreasing incidents, and informing business-level strategy — all while eliminating manual, repetitive tasks. Visit axonius.com/darknet to learn more and try it free.

Support for this show comes from ThreatLocker®. ThreatLocker® is a Zero Trust Endpoint Protection Platform that strengthens your infrastructure from the ground up. With ThreatLocker® Allowlisting and Ringfencing™, you gain a more secure approach to blocking exploits of known and unknown vulnerabilities. ThreatLocker® provides Zero Trust control at the kernel level that enables you to allow everything you need and block everything else, including ransomware! Learn more at www.threatlocker.com.


Listen and follow along

Transcript

I was just reading up on these Beatles super fans called Apple Scruffs.

They weren't the crazy fans you see screaming their heads off, trying to grab at the Beatles any chance they could.

No, the Apple Scruffs thought that was lame.

They liked the Beatles so much that they dedicated years of their life to trying to support the Beatles.

They were like, look, the Beatles are important.

How do we make their lives better?

So they spent tons of time figuring out the exact location of where the Beatles would be every day and then go there to try to help, often holding back Beatlemania crowds or offering flowers or food or to run errands.

And over time, they would get to know the Beatles.

There are some stories of them even sneaking into places to act as staff in order to help them even more.

George Harrison would later write a song called Apple Scruffs, where he said he loves them.

I'm astonished to see what incredible lengths that some music fans go to.

They'll cross continents just for a fleeting moment with their idols or endure relentless weather or camp out for days showing a level of devotion that defies logic.

The risks and sacrifices that some fans make is truly remarkable.

These are true stories from the dark side of the internet.

I'm Jack Reeseider.

This is Darknet Diaries.

This episode is sponsored by my friends at Black Hills Information Security.

Black Hills has earned the trust of the cybersecurity industry since John Strand founded it in 2008.

Through their anti-siphon training program, they teach you how to think like an attacker.

From SOC analyst skills to how to defend your network with traps and deception, it's hands-on, practical training built for defenders who want to level up.

Black Hills loves to share their knowledge through webcasts, blogs, zines, comics, and training courses all designed by hackers.

For hackers.

But do you need someone to do a penetration test to see where your defenses stand?

Or are you looking for 24-7 monitoring from their active SOC team?

Or maybe you're ready for continuous pen testing, where testing never stops and your system stays battle ready all the time.

Well, they can help you with all of that.

They've even made a card game.

It's called Backdoors and Breaches.

The idea is simple.

It teaches people cybersecurity while while they play.

Companies use it to stress test their defenses, teachers use it in the classroom to train the next generation.

And if you're curious, there's a free version online that you can try right now.

And this fall, they're launching a brand new competitive edition of Backdoors and Breaches, where you and your friends can go head-to-head hacking and defending just like the real thing.

Check it all out at blackhillsinfosec.com/slash darknet.

That's blackhillsinfosec.com/slash darknet.

This show is sponsored by Delete Me.

DeleteMe makes it easy, quick, and safe to remove your personal data online at a time when surveillance and data breaches are common enough to make everyone vulnerable.

Delete Me knows your privacy is worth protecting.

Sign up and provide DeleteMe with exactly what information you want deleted, and their experts will take it from there.

DeleteMe is always working for you, constantly monitoring and removing the personal information you don't want on the internet.

They're even on the lookout for new data leaks that might re-release info about about you.

Privacy is a super important topic for me.

So a year ago, I signed up.

Delete Me immediately got busy scouring the internet looking for my name and gave me reports of what they found.

Then they got busy deleting things.

It was great to have someone on my team when it comes to protecting my privacy.

Take control of your data and keep your private life private by signing up for Delete Me.

Now at a special discount for my listeners, get 20% off your Delete Me plan when you go to joindeleteme.com/slash darknet diaries and use promo code dd20 at checkout.

The only way to get 20% off is to go to joindeleetme.com slash darknet diaries and enter code dd20 at checkout.

That's joindeleatme.com slash darknet diaries code dd20.

Um okay, are we ready to get started?

Uh yeah, that's fine.

But um could you use uh the name for me, could you use Professor Dubstep?

Professor Dubstep?

I like that.

Yeah, that's fine.

So, Professor Dubstep,

like,

where does this start?

The story?

Well, picture this.

Kind of early 2014.

I was 13, sitting there working on my Minecraft server.

It was breaking all the time.

The host was terrible.

The staff were fighting.

And I kind of just wanted to do something else.

Knife Party, which is a musical act, had a new album coming out in 2014.

And it was delayed it was taking ages professor dubstep was into this band knife party and wanted to hear their new album and saw knife party was interviewed on a podcast and wondered if there was any mention of the new album in the interview and there was not only did they talk about it but knife party actually played a snippet from the new album whoa cool

professor dubstep is actually into making dubstep music themselves so this wasn't so hard for them to just download the podcast and grab that song out of it and listen to it on its own.

I was like, well, this is kind of good.

I'll chop this together a little bit and I'll upload it to SoundCloud so that other fans can hear it, you know, and enjoy it as well.

I put it up there.

I didn't expect it to get, you know, much popularity.

But a few hours go by.

I go back to working on my server.

And then I check my SoundCloud after a couple of hours and the plays are just racking up like 10,000, 20,000.

And I open Twitter and Twitter is blowing up too.

The EDM, the electronic dance music news blogs have posted about it and said, oh, the track's been uploaded to SoundCloud early and it's a leak, blah, blah, blah.

Which it wasn't.

Professor Dubstep didn't care to correct anyone though.

They just watched the madness unfold silently.

But because people thought it was an early leak, they started sending them some private messages.

So um, checking in my SoundCloud messages and

I saw I had a message from Dino Driller.

He was saying that I had some cool,

well, he thought that I had some cool music, some cool unreleased things.

And I had another message from Spintire, who

it was basically just asking to add me on Skype and talk some more.

So I took this opportunity.

I'm like, well, we'll see what he wants.

So he adds me up and he says, oh, so how are you getting these things?

And I explain, I say, well, you know, know, I don't actually have anything.

It's just kind of blown into something that it wasn't.

But that I do like to look around and see if there's, you know, hidden things that are kind of not really

supposed to be in the main public view, but are made public accidentally and things like that, or things that appear early.

And he said that he likes to do the same sort of thing, you know, looking and trying to find open directories on servers and things and accidentally public info.

So we kind of connected and we had a chat about that and we were talking about that for hours.

Yeah, there's a ton of stuff on the internet that shouldn't be there.

I'm very aware of the site Showdown, which scours the internet looking for private stuff accidentally exposed publicly.

Like being able to view surveillance cameras, license plate readers, servers with default passwords, and entire databases that are just open.

But that site is mostly exposing cybersecurity flaws on websites.

It's not really a place to go find unreleased music.

We're trying to solve a different problem here.

Maybe Google dorking can help.

I know I found quite a bit of music this way.

You could search Google for any music files with the band name in the file name, and Google will happily show you tons of music that you can easily download.

And sometimes you can find things that probably shouldn't be public.

So they're going over these strategies and chat, different ways to find music online.

But the conversation just kept going.

They're sharing more secret ways to discover things.

One of them starts talking about the website Bitly, which is a URL shortener.

Yeah, well, it just allows you to shorten links.

But they had a glaring flaw in their system, where if you add a plus to the end of any shortened link that was made while logged into an account,

And you could click on the public user profile of these of these accounts and see everything that they'd ever shortened using the service.

And many of the links that we were looking at, music related, would always be made by a management account, for example.

And they would share internal things on the link shortener as well.

And we would be able to just see those and download them.

So one thing music production companies or dubstep managers do is promote the hell out of the musicians that are under them.

So together, Professor Dubstep and Spintire go on Twitter and check out these management companies.

And yeah, they see managers using bit.ly links to promote some bands.

For instance, they might use it to link to some promotional flyers or tour dates or new releases.

And they were using bit.ly to shorten URLs for promotions.

So Professor Dubstep would use the Bitly bug to see what else this management company has used Bitly for, which gave them tons of links to go through and check out.

A lot was for public consumption, but sometimes they'd find things which shouldn't be in the public.

Yeah, exactly.

It would either be audio or Photoshop documents, or sometimes internal internal memos like promotion plans for upcoming releases and things.

And just being able to get kind of a look into the inner workings of these labels and management companies of how they function, how they put their things together and make their plans, which was really interesting.

This would give them new content to post on SoundCloud or Reddit.

On Reddit,

Reddit also has direct messages.

And a message came through to my inbox from a guy called Jay Brown.

He added me on Skype as well and we got to talking.

He was a different kind of person.

He was what's known as a dub plate trader.

Now, dub plates are a nickname for unreleased music

and in more modern times that's just come to be on an mp3 file basically.

Just an mp3 file that's not released to the general public.

And there is a whole theme of trading these files in small circles.

You know, it's kind of like Pokemon cards.

You know, less valuable cards are treated way differently to ones that are rarer.

And it's the exact same with double plates.

So this guy called Jay Brown comes to me and he says, oh, I've got some stuff.

Do you want to check out what I've got?

I've got this and that and this and that.

Kind of presenting it

as if he was some kind of drug dealer or something.

I wasn't really interested in anything he had.

There was one specific track.

which was knife parties suffer

and I didn't have anything that I wanted to give him because

I wasn't a trader.

I had my couple of things that I found on my link shorteners and

I decided that I would try and make something out of nothing.

So I took a clip of this this radio recording and I kind of chopped it together into something that sounded semi-reasonable and presented it to him.

Like

you were creating your own music that sounded similar?

No.

Editing it in in a way that...

You said editing an un-release track in a way to make it sound as if it was an original source file

when it actually wasn't a source file.

So it was trying to make something seem real that wasn't so that he would believe it and send me the thing that he had that was real.

It was quite a scheme.

It was quite a scheme.

Yeah, it does introduce quite an interesting situation of like when you're dealing with official releases, it's coming coming from the official channel right but when you're trying to get your hands on these unofficial releases you there isn't any legitimacy to it it could be from them it might not be from them and you were playing into that of like you know what you're not gonna know if this is from knife party or not but i'll put a little clip in there from knife party just to kind of make you think it is but then i'm just gonna make it up after that

yeah that's that's pretty much how it went and um if you were good at this um you know making something sound semi-legitimate these traders didn't really know much better it was it was quite easy to convince them of something and to kind of ignore what their own ears were telling them

and it worked

this is getting wild not only was professor dubstep looking for unreleased tracks or dub plates as they say but they were taking popular songs and putting in changes to make it seem like a new mix by that musician pretty shady and deceptive but as a teenager it doesn't seem so bad to play around with someone else's creation and see if someone will believe you that it's original.

Well, that's the thing, it's unspeakable.

You never speak that you did an edit to it or something because it would give the whole game away.

And

me and Spintire kind of kept doing this between ourselves.

We thought that it was quite a good idea, that we would make some more fake things or edits, and we could use them to float in these trading circles and

kind of just drain their whole collection of rare things without actually causing any damage ourselves to to any of these releases.

Because the double plate trading scene,

it does cause massive damage, no matter how big or small the artist is.

If the unreleased track gets leaked online in some way, depending if it had a release planned or not,

once it's leaked, it's over for that track forever.

So

it really...

It's not something to...

Well, it's just not a good thing for the music scene, really.

Because they recognize that publishing unreleased tracks hurts the artist, Professor Dubstep stopped posting unreleased tracks publicly.

And by the way, Professor Dubstep actually makes music himself, too.

Well, I play, I'm a multi-instrumentalist, but also I know Dubstep myself.

And this is something that I was learning to do at the time.

So this was a way to learn more about the music making process.

I'm interested in his unreleased music, but more to just listen to it and break down what's going on with it.

Because not all of it remained on release, some of it was just early versions of things,

you know, work-in-progress versions of songs that would then come out and be almost entirely different.

So it was interesting to just hear the differences between them for me.

Okay, can I ask you a question about dubstep?

I'm afraid, I'm afraid to ask this publicly, but what's the deal with all the dolphins and dubstep?

The dolphins,

what do you mean?

You shared with me a

playlist of dubstep music.

And

in there is a track called Elephant by Barely Alive.

All right, yeah.

Okay, so

this is the song.

And

they think this song's about elephants, but it's clearly not.

So listen to this part.

There's an elephant elephant there, right?

Right there was

that's the dolphin.

Oh, I think, yeah, I see we have the dolphin in there.

And let me show you another one.

Yeah, actually, I never put two and two together.

That is a dolphin, isn't it?

Dolphin on wheels.

Oh, that's a Dylan Francis tune, isn't it?

Yeah.

There's a dolphin there, clearly, right?

That's the name of the song, Dolphin on Wheels.

All right.

So, another song you sent me was Cash by Barely Alive.

You hear that?

Beep, beep, beep, beep, beep, beep.

Another song you sent me, Borg by Funt Case.

Bang.

I think bang by wave dab.

You hear it there.

Gem Shards by Must Die.

That is a dolphin, isn't it?

I have to concede on this, it is.

The dolphin is the lead singer in every dub step song that you sent me

you know it might actually be true because um

a lot of uh a lot of dubstep is kind of self-referential yeah well i kind of i went through i went through skrillix's songs and this is the this is the dolphin i found in skrillix

that is a dolphin song a long time since i heard that one even in Skrillix.

So while I'm researching this episode, dolphin after dolphin kept showing up as the lead singer in all these songs.

And it's driving me crazy.

Is this a thing?

So I googled it and no, there's nobody knows about this.

There's no results about this.

So I started formulating my own theories.

And I've been dying to ask you about this.

Okay, so first of all, dolphins are one of my top five favorite animals.

I love dolphins.

They're so smart and amazing to watch.

So for me to find a whole genre of music that has one of my favorite animals featured in it, song after song, it's gorgeous to me.

And when I hear a dolphin in a song, the biggest grin comes on my face and I actually try to sing along with it, barking and chirping.

So I wonder if just the dumpstep community loves dolphins as much as I do.

I mean,

you've got a point.

You've got a point.

Dolphins are a very intelligent animal.

So

dumpstep is very intelligent music, clearly.

I also wonder if there are sounds in the dolphin language that speak to us in a really profound way.

Like it might express an emotion that we just don't have words for in English, but dolphins do, and they can somehow teach us more about ourselves.

And dubstep artists add these sounds in because they know the power of dolphins and want to help us ascend to new heights.

Yeah, well, we are, I mean, we all do come from the sea originally, so, you know.

You know, some common ancestor might have, you know, we're just going back to our roots in a way.

And the other thing I wonder is, since this is such a popular part of dubstep if the dolphin is like a secret mascot like if you go to edm parties would i see people with dolphin stickers and patches and tattoos all representing some inner group where you're like not allowed in certain parties unless you have like a dolphin tattoo or something it's a secret society okay sorry i refuse to believe that's a total accident but when i google this nobody is talking about this so i feel like it's some closely guarded secret but whatever we're moving on so professor dubstep was loving all these early tracks, but only trading with a select few people.

It was kind of like a little triangle.

There was

me, Dino,

Jay, and a spin tire.

And we'd sit there with like a four, kind of not talking to each other, but relaying between each other.

And these, these tracks would go around in that little circle like that.

Dino Driller, he was 14, at the time, 14-year-old dubstep producer, you know, same age as me.

We'd just hang out on Skype now and then.

Dino Driller somehow got the attention of excision who was a big time dubstep artist like excision had quite a few big hits and was pretty popular and saw how dino driller was trying to come up in the scene yeah because excision does he does a lot of things to support the underground uh artists in the scene and you know help them get some exposure and things you know he he owns a record label that was called russian recordings which he signed a lot of uh a lot of up-and-coming people to actually help him get a head start.

So Dino was one of the one of these up-and-coming producers that Excision was trying to help out.

So he invited young Dino over to the house in Canada

to make some new tunes.

Oh, and by the way, if you're wondering if Excision uses dolphins in their music, here's a snippet from his song Astra.

What do these terms mean?

Okay, so Excision and Dino Driller were working together at Excision's house, making some cool music, and he was really helping Dino Driller out a lot, actually.

But since Dino was also into trading unreleased tracks, he couldn't help but wonder, what unreleased stuff does Excision have?

And being right there in his house made him very curious.

One day, Excision invited Dino Driller to come over and work on some music while he's at the gym.

This meant Dino Driller was going to be there alone.

So he gets on Skype to tell Professor Dubstep and Spintire the plan.

When Dino goes to Excision's house, Dino will go and dig through all the old hard drives and things and

search for some unreleased or work-in-progress goodies and things from people in the scene.

No,

so Dino

had a nefarious plan for visiting Excision's house.

Yeah.

Oh my gosh.

So Excision wasn't around and trusted.

So this is the thing, this is betrayal at this point.

He trusted Dino to come on in when I'm not around.

It's cool.

You're a musician.

I like your stuff.

We're hanging out.

We're friends.

Yeah.

And now, Dino's like, ah, it's working as planned.

I can, I've got full access to your stuff.

That's exactly it.

I'm going to grab some hard drives.

We were sitting there on Skype, like, oh,

look for this and that, and this and that.

Sending him file names, like, oh,

can you look if there's this thing and this Scrix thing and blah, blah, blah.

Meanwhile, Meanwhile, Excision was out at the gym.

We'd just be sitting there like, hey, get this, get that.

Eventually,

Dino ran out of old hard drives at comb.

So we're like, well,

there's stuff missing from here that should be there.

So

the final location that was searched was Excision's actual sock drawer.

for CDs and USB drives.

And what did he find in Excision's sock drawer?

Old CDs with the things on that we were looking for.

I'm not kidding.

There was a demo from Skrillex called Dimbo, which was a demo of one of his biggest songs,

Kyoto.

And there was just all kinds of things on there, just work in progress things that had never come out, that no one had ever heard before.

Mostly made by Excision.

Well, there was some Excision, there was some Skrillex,

there was some knife party, some noisia,

all kinds of things that these communities had been looking for for years and begging for.

It was right there on these CDs in the sock drawer.

And they were now being sent to us on Skype.

Dino was pretty careful to just copy everything right there in the house and put it all back exactly where it was so Excision wouldn't know anything got taken and then he passed it around yeah shares it with me and spintire and um we just listen to it together like oh this is amazing this is really interesting stuff

that's kind of unbelievable

and i thought that would be the end of it but no

After a week or so, literally just a week, some of these things started to leak onto Reddit.

Dino was trying to blame me for it and saying, oh, well, you must have traded this and telling everyone that I was trading it and leaking it and this and that.

And I nearly got the blame pinned on me for it.

I nearly did.

But the way that I found him out was that some of the things that leaked were

things that I was never sent.

So it must have meant that he'd traded two batches of things that were slightly different.

One to me

and

other batches to whoever else which contained different files so I caught him out and I managed to spin it back around and say no

I can prove that it was you that

this that's the reason for these leaks so dino leaked it and blamed it on you yeah well he didn't leak it he sent it to the traders like Jay Brown

And um

the traders like this idea of

providing providing the public this stuff.

It gives them a thrill.

They're like, oh, look at that.

I'm getting a lot of upvotes.

Getting a lot of downloads.

Making some waves.

Got an article written about it.

This is going great.

Like, that's what they thrive on, right?

It's sort of, it's more that they the traders themselves thrive on

just ha the status of having these rare things.

So they can go to can go to people and say, oh, I've got this and that, and I want I want that and this

and they can trade them for that.

And then eventually it just everyone goes in a loop and carries on doing that between each other until eventually someone posts it online.

Then once it's posted, that song is burned in the trading community.

It's no longer a rare item to have.

Christmas 2015, there was an event called Leakmas where hundreds of things got leaked onto onto Xtrill, onto Reddit.

All of the things that Dino had taken from Excision's house, all of them leaked.

There wasn't one single thing that didn't get leaked.

And it was all just because it was being traded like crazy.

Did Excision ever figure out that Dino did this?

No, to this day, he's never realized.

He never, never,

never found out.

We're going to take an ad break here, but stay with us because this story is going to go way off the rails.

This episode is sponsored by Vanta.

In today's fast-changing digital world, proving your company is trustworthy isn't just important for growth, it's essential.

That's why Vanta is here.

Vanta helps companies of all sizes get compliant fast and stay that way with industry-leading AI, automation, and continuous monitoring.

So whether you're a startup tackling your first to SOC2 or ISO 27001 or an enterprise managing vendor risk, Vanta's trust management platform makes it quicker, easier, and more scalable.

Vanta also helps you complete security questionnaires up to five times faster so you can win bigger deals sooner.

The results?

According to a recent IDC study, Vanta customers slashed over $500,000 a year in costs and are three times more productive.

Establishing trust isn't optional.

Vanta makes it automatic.

Visit Vanta.com slash darknet to sign up for a free demo today.

That's V-A-N-T-A Vanta.com slash darknet.

Professor Dubstep was getting deeper into the unreleased dubstep trading scene.

2016 comes around.

The tactics that traders were using to obtain the unreleased music files was changing a little bit.

And there were a couple of incidents where artists had played a DJ set at a club and someone would go up after the show and just take the USB drive straight out of the mixer.

Whoa.

With all the secret stuff on it.

Yeah.

They'd go right up on stage and grab the equipment.

Yeah, well it's it's these pioneer C DJ systems there.

You basically just put a a small USB flash drive into the top.

So if someone walked past it, they could just swipe it really easily and no one would notice until it was too late.

Well, I mean, doesn't the music immediately stop?

If it's after the show's just finished, there's like a small window where someone could grab it and no one would notice.

That's some balls, you know?

To go to a live show, see that performing artists you like, and then to steal

their files right from under their nose.

Yeah, it's been known to happen about three or four times

in the space of one year.

Holy moly, the lengths these people go to to get unreleased music is unreal.

And I think it's a testament to just how dedicated and motivated the fans were to hear more, to get the latest stuff.

Like, you don't see consumers just like going to a sewing trade show and stealing the latest sewing machine from the demo booth, you know, because that passion doesn't exist there.

Music has this way to give us like a meaning to life.

It can be our therapist, our best friend, our lover, and our dance partner.

It moves us in a way that not much else can.

So some people would risk getting arrested to steal a thumb drive with new music on it.

Yeah, it happened plenty of times.

There was a guy called Snails who was blowing up in the scene in late 2015.

He had his USB stolen.

All of the files from it leaked onto Reddit.

Skrylix had his USB stolen as well.

And all of those things ended up leaking in late 2016 onto Reddit.

Again, you know, it's something that keeps happening.

I think it still happens to this day that artists have their USB drives stolen out of the equipment on stage.

What do you do here?

Weld your USB drive into your equipment?

Or what about putting a decoy USB drive in, but it's really a trap?

And if somebody goes to grab it, they get electric shock.

It's also interesting to just parse the idea that music is just files, it's data on a computer or a USB drive in this case.

And I never thought about applying cybersecurity to music, you know?

Like it's acoustic sound waves, not computer files, but no, it is computer files.

And so it needs its own version of cybersecurity, too.

Huh.

Okay, so let's talk about Reddit.

The pop and subreddit for all this was Extreme.

which is a place to post links to unofficial dubstep music.

You know, live live recordings from concerts, radio mixes, stuff that wasn't on the artist's official Spotify or YouTube or SoundCloud, but it is from that artist.

And these alternate versions were sometimes better than the original version.

And fans were loving this subreddit to listen to new mixes.

Leakers in the scene were frowned upon.

So things actually being leaked.

Whoever leaks something is, you know, it burns their reputation.

That's the nuanced thing about it though.

While people went crazy over leaked tracks and would get a lot of people excited, the subreddit had to take action on this to avoid being labeled as a leak site and get shut down.

So they'd remove the leaks and ban the leakers.

Because it was, you know, it just goes, one thing, they're traders, they don't like things leaking.

And two, it does, it does damage things.

Three, it invites trouble.

It invites legal trouble if you are the one to leak something.

The extra subreddit is layered like an onion though.

Basic stuff was on skin level.

Peel it back and you find some juicier content.

Traders with rare stuff.

There were rules though.

No piracy allowed.

And no posting unreleased music.

But the rules were often abused.

So the outside X-Trill looked like a place that was just a rampage of things.

Totally uncontrolled.

But actually behind the scenes,

it was kind of a front.

So if an artist was cool and contacted the moderators of the subreddit or the people in charge, they could could say,

you know, please, you know, prevent this thing from leaking.

There's release plans for it soon.

Just, you know, would you mind keeping it off?

And if they were nice about it, they could get their brand added to the filter so that nothing could be posted.

Really takes a certain set of eyes to understand what's going on in X show.

Because even when something is posted, are you familiar enough with that band and that track to know if this is legit or made up or a leak at all?

So late 2016 rolls around.

Spintaya comes to me on Skype and says, look, we've got this old password of Skrillix's.

I say, okay, well, how?

Like, how does this happen?

And he kind of hesitates to explain it at first and just says, oh, just look at it.

Just try it on these things.

Just try it on

the old Skype account.

Okay.

And it works.

It logs straight in.

To Skrillix's Skype account.

Yeah.

It was an old inactive account.

It was dead.

It was not being used.

But the the password worked.

And I said, well, how do you get this?

Yeah, good question.

Skrillix is the biggest name in Dubstep.

He's a Grammy award-winning artist, loved by millions of people.

He has millions of followers on Twitter too.

To get his password on Skype is a pretty big deal.

And I said, well, how'd you get this?

Eventually he explains.

He says,

databases have leaked from all kinds of sites.

There was quite a lot of databases that got stolen and uploaded online in 2016.

There was Dropbox had their database stolen, LastFm had their database stolen, MySpace had their database stolen as well.

And they're all just

uploaded to this thing called,

I think it was leaked source.

And you could basically

pay $20 a month for access to this.

And it would

give you access to all of these databases.

So you could just view the results, the hashed passwords and things.

You could just take the hash and just decrypt it yourself because they were really poorly protected.

Just standard MD5,

which almost the whole MD5 table had been cracked by that point.

Oh my god, this is about to get insane.

Huge database breaches with millions of usernames and password hashes.

Combine that with the ravenous fans willing to stop at nothing to break into dubstep artists' digital lives and steal whatever they can to post it to Xtrill.

And Skrillex is one of the first to get a working password for the biggest tubstep artist in the world.

My goodness, my brain is running a million miles an hour right now.

There's going to be an all-out onslaught of people.

They're going to be trying to hack into these musicians' files.

Hey, yo, I'm eating fun dip right now.

So what

we've done basically is just put the email in that we knew of

these artists.

And if they had a result come up from some old old database that had been leaked,

that was poorly encrypted you could take that hashed result and decrypt it and just hope that their

that their security was not so great and that they kept reusing this password for all this time and use the same one on every every site or whatever and dang that is a sweet combination of last fm dropbox and myspace it pretty much means every dubstep artist would be somewhere in those database breaches it was just a matter of finding the right username or email to use because those three sites were used a lot by musicians.

Dropbox is extremely popular for file sharing.

And if a musician has a label or a manager or someone else that they're collaborating with, sharing their work in progress on Dropbox is very common in this circle.

Last FM and MySpace are places where you can go to post your music, which when you're an up-and-coming artist, you definitely want to be posting everywhere.

And yes, MySpace is still around.

So

yeah, I'm just imagining like, wait, hold on a second.

We've got Skrillix's password.

It works on an old Skype account.

This is got to be the pinnacle of the whole story.

Like, we got into Skrillex's Dropbox.

Skrillex's Dropbox is the, we actually didn't manage to get in there, but

we tried a bunch of different accounts after Skype, and none of it was working.

So all of the other things have been closed off.

So you couldn't get into his Dropbox?

No.

Nice job, Skrillex.

Either he wasn't reusing passwords or heard about this database breach and changed all his passwords either way he was ahead of the hackers here and my goodness if they got into skrillix's dropbox that would be the most epic thing to hear his latest stuff before anyone else that would be insane but they couldn't get in no

so we we we decided instead that maybe his manager would be a good target to try and look to see if the if there was any anything leaked in the databases for his manager.

And

so we had a look in and there was.

It was a really old result from 2008,

but it had been

i the same result appeared in all of the databases.

So it had a good chance of, you know, working in some in some maybe old sites that had been inactive, but have been used in the past for for sharing uh music and stuff in internally.

So me and Spintai were sat there on Skype and we tried it on the MediaFire page, which worked.

Logged us in.

And there was some interesting stuff in there.

There was Photoshop documents.

There were a couple of on-release tracks that had never come out before, never even been heard.

Skrillex tracks.

Mm-hmm.

Yep.

Hot diggity.

That's...

I mean, I don't know if

you're seeing it the way I'm seeing it, but that's got to be the biggest find ever.

So far, at least in the story.

In a way it was, but at that time

we were hearing so many tracks from the traders that it kind of didn't seem as big to us as it actually was.

And

what we were doing as well, logging into the accounts and things,

we didn't really kind of realize how deep that was really going because

that's way further than just trading something in a small circle that's that's been got from another trader.

That's going into someone's account and taking something directly.

And we were just doing it like as if it was nothing, really.

Which is really ridiculous when I think about it, think back to it now.

It's ridiculous.

That's a huge invasion of privacy.

But you know, it worked.

We got these tracks and

kind of made a resolve to ourselves that other people would be doing this at the same time as us.

Other people would be figuring this out.

who would get these things and then trade them and leak them.

So that's what me and Spintire were basically saying with each other.

Like, it's better that we're doing it and we can keep these things safe and listen to them between ourselves and, you know, have the interest with it.

And then, and then keep it secret, keep it from leaking.

So part of keeping it from leaking is changing this manager's password or deleting it out of there or something, right?

Yeah.

So we'd go in, we'd take it, we'd grab the files and then

either just change the password straight up so that no one else could get into the account

to contact the person that we'd logged into

and say, you know, we've compromised your account.

You need to change this password.

And which many of the times we actually did that, we contacted them, said, you know,

you've been compromised here.

This is how it happened.

You need to change your passwords.

Whoa, what a weird moral compass that is.

They knew breaking into someone else's account is wrong.

But their attitude was, if it's not us who breaks in, it'll surely be someone else who breaks in, and they could cause big problems.

So it's better that we do it so we can fix it.

And for the incentive of getting in and fixing it, we'll just take a listen to whatever we find along the way and just keep it for ourselves.

We decided to look in

these databases for Dino's, if he'd had his passwords leaked in some database and that we could try them out on the Skype.

Oh, wow.

Dino was that guy who stole things from Excision and then leaked that stuff to other people, then tried to blame Professor Dubstep for the leak.

Yeah.

This is where it gets good.

So we had a look and there was one.

There was

well there was one password that had been leaked five or six times on different services.

So that just indicates that he's using it on everything.

And maybe hasn't realized that it's compromised.

So we took that password and we logged into his Skype.

It worked first time.

It was six characters.

It was really basic.

We just logged straight in and we could see his chats and we could see him talking to some guy called Shane.

And Shane was the owner of X-Trill.

And they were talking with each other

about

trying to hack into accounts using these databases.

So they were doing it themselves and trying to figure it out.

As me and Spintire were also doing it.

between each other.

Oh, interesting.

It's almost like there are two teams on this now.

Spintire and Professor Professor Dubstep, and then Dino and Shane.

Spying on the other team might be really useful here.

So, one of the targets that Dino was trying to hack into while we were watching him was us, me, and Spintire.

So, he so he was looking in these databases trying to find our info, and we were watching him do it and watching him attempt to get into our accounts like live in real time.

What accounts of like your Skype account?

Yeah, anything he could manage.

Our Skype, our Dropboxes, dropboxes soundclouds anything basically

oh so so

dino's talking with shane like hey you have uh

professor dubsteps um says do you see them in this at all in the in the data yeah i see them in the data space oh cool let's check their password try logging in like this is the chats you saw and then it's like no it didn't work ah bummer yeah exactly that literally just a real-time feed of watching him try to hack into us no i think more what it was was that he was paranoid and he was trying to see if we were sharing stuff behind the scenes and keeping things from him.

Because everyone in this little trading game was backstabbing each other.

It's just what was happening.

Everyone was backstabbing each other.

Well, I mean, so what is your reaction to that?

Like, if somebody's trying to hack me, I'd be like, whoa, whoa, whoa, whoa, this is now, I've got to be very careful with this person.

How did you react to this?

Well, me and Spintai were just sat there like,

wow, we're actually we're actually seeing this like that they're actually trying to get into our stuff right now

this is this is strange this is this is this is a lot to break down

but uh we would just sat there like oh well you know good thing we have proper security on ourselves otherwise we'd be screwed

but here's the funny bit is like

Yeah, you're scared.

You feel like, okay, I could be screwed here.

This person is clearly attacking us, but you're in there, Skype, looking at their messages.

So you're also attacking them.

Yeah.

Exactly.

I don't know whose side to take here.

You're both in the wrong.

We are both in the wrong.

Everyone in this story is in the wrong.

There is no right here whatsoever.

The only thing that is marginally right is contacting people to say that you're compromised.

That's the only good thing.

I gotta have a hero that I want to cheer for, and I don't know what to do.

You're not gonna, I'm telling you now, you're not gonna get one.

I don't want to glorify any of this because it's not.

It's a terrible thing.

The double plate trading, the hacking, it's all just damaging to everyone involved.

The artists, the people doing the hacking, you know,

it's dangerous stuff and it's just a bunch of kids who don't know better doing it.

at the time.

You know, we were 14, 15, just sat there.

Spin Tire was a lot older.

He was about 30.

All this reminds me of one of those old heist movies where the criminals steal the cash, but then when they get away and they're all just sitting around looking at the stolen money and each other, they all start wondering if they can trust each other.

Clearly, these are criminals you're working with willing to break the law for this money.

Are they going to steal it from me?

And then you realize, yeah, someone is going to steal my cut.

So then you steal their cut first and get out of there.

Well, here we have both sides completely not trusting each other and are actively actively trying to hack into each other's accounts to keep an eye on them.

But it's interesting that Dino was working with Shane, who was the moderator and owner of the X-Trill subreddit.

Through these chats, they could clearly see how involved Shane was in the trading scene.

He really liked collecting dub plates and getting his hands on unreleased stuff.

So

we carry on.

We take some, try and get some more targets.

We think of other sites that we can try and log into.

So we take a look at Box.com, which is a cloud storage provider usually used by small businesses, big businesses, record labels, production companies, anything.

It's very popular because they offer great group collaboration options.

So we take ScrollX's manager's password and we try it on the Box.com account and it logs us straight in, straight into the inner workings of Scrollix's record label.

Well, we get in there and we can see all their upcoming releases and their production files,

promotion plans.

Upcoming releases for Skrillex?

For Skrillex and all the artists on his label.

Wow,

that sounds like a big treasure trove.

There was a couple of terabytes worth of files in there.

Holy cow.

Box.com is a little bit more advanced.

They send login notifications for unrecognized logins.

So one of the first things we did was go into the settings and have a look.

You know, did it say that we'd logged in?

And this guy, this account that we'd logged into, he turned off the login notifications.

So he had no idea that we'd got in there.

None.

Oh, my gosh.

There's a lesson there, isn't there?

Yeah,

you know.

Leave something on for something like that, which is heavily relating to your business.

You know, you need to have these notifications turned on to tell you if your security is compromised.

Unreleased tracks are worth more than demos.

Demos are just early versions or remixes of songs people have already heard, but unreleased tracks nobody's ever heard yet.

Okay, so give me a list of things you found on there.

There was unreleased Skrillex songs, there was

individual audio assets for some Skrillix things and the other artists on his label like the individual master,

you know, know master stems and things for songs multi-tracks so that you could basically break them down into their parts and things everything was stored in there was Photoshop documents promotion plans documents saying what they were going to be doing for the next years or two years even internal voice recordings of meetings between the label executives and things it was it was all kinds of stuff that really should you know it's confidential things and it was really unprotected files you know there was no there was no individual passwords on folders and things.

It was just all open with 50 other accounts shared on all of them.

My gosh.

And I'm just trying to think of what that could, like if that did get in the public,

what kind of ruckus that would have caused?

It would have caused a lot.

A very large amount.

What we did is we copied the share link for each folder that was in there.

And we set the permissions on that so that anyone with that share link could still view the folder, even though they're not logged in.

And we also copied the collaborator invite links for the folders because that option was not password protected.

So we could invite like a new burner account so that we would still have access for ourselves on new accounts altogether.

And the original one would be closed down.

So no one else would be able to get access to it apart from us.

Oh, that's interesting.

I want to make sure you understand this.

They accessed Skrillix Manager's Box.com account, okay?

And they saw these folders there and made the parent one shareable.

And what this means is that anyone with that link can now view the contents of that folder and all the subfolders without needing a username or password.

So now they don't need to log back in to see what new files were uploaded.

They can just use that share link to get in there and view it without logging in at all.

On top of that, the manager had the ability to invite new collaborators.

So they just made a new email account and invited themselves as collaborators and then told the manager, hey, look, your account is insecure.

You should change the password, which fixed the manager's account so that no one else could use this same exploit to get in.

No other hacker could get in the same way.

This is a backdoor persistence into

Skrillix's whole media company.

Yeah.

But it's a backdoor in a way that I never thought it would be a backdoor, right?

If I say, oh, I have backdoor access to box.com, you're thinking, oh, wow, you've got some malware planted and reverse SSH shell.

Nope.

Just a a share link.

Oh.

Yeah.

Yeah.

Like it gives you a total different perspective of what a backdoor even is.

Yeah, because it's a backdoor that you can just, it's built into the site.

It's built into the site, exactly.

The only reason we were able to get these in the first place is because people don't exercise proper security.

You know, they use the same password on every site for years and years and years and don't enable two-factor authentication on their accounts either.

So it's just open.

If you've got the password, then you can just go, you can just walk straight in and do whatever.

You could ransack the place if you, if you so wanted to, which is ridiculous.

I'm just sitting here thinking about this, letting it sink in.

A back door is built into all the file sharing sites, like Box.com, Google Drive, iCloud, ProtonDrive, Dropbox, whatever.

Because if there exists a shared folder link, anyone with that link can see into that folder.

It's a feature of the site itself.

You can't take that away or it ruins the point of the site.

And what you think is yours in private really isn't if there are public links to it.

When you make something shareable and you say only people with this link can see this file, it feels like this is still private, but it's not.

It's security through obscurity.

Your link is hidden, but not secure.

And if that link gets out, it's viewable by anyone without a username or password.

And I've been doing cybersecurity for decades, and nobody is talking about auditing Dropbox links to make sure only the stuff that should be public is public.

Because every file and folder may have that option and going through them all is simply unreasonable to do by hand.

And when you're moving at the speed of business, nobody is going back to clean up or check what folders have sharing links or what don't.

I say it's best to treat everything on your cloud storage as if it is publicly accessible and only temporarily put things up there if you want to share it with someone privately and then remove it as soon as they get it.

I also want to draw your attention to websites like urlscan.io.

This is a site that is attempting to look at URLs to see if they're safe or malicious.

But users can go there and search the site to see what URLs are in the database.

And sometimes you can find URLs that probably shouldn't be in the public, but they are.

Like Imagine if you take a photo of your kid and it's on Google Drive, but then you want to create a link to show it to grandma.

And you specifically say only people with this link can see this photo.

And you email the link to grandma.

Well, then grandma has some browser plug-in that examines all the links to make sure they're safe to click.

So when this link gets examined somewhere, bingo bango, suddenly that link to your kid's birthday party is now floating around on the internet in all kinds of databases being clicked on by who knows who.

URL scan collects links like that.

Hybrid analysis is another tool.

Cloudflare radar URL scanner is another.

Not to mention DNS providers all over the world are logging things too.

It's not just Google Drive and Dropbox.

There are tons of other online storage websites that you could look for.

iCloud, Box.com, Sync, Ignite, Ionos, HiDrive, AWS S3Buckets, ProtonDrive, and so many more.

The list goes on and on.

So the data is available.

It's just a matter of sifting through it to find something juicy.

In this case, they were looking specifically for dubstep music and stepping over anything else that they came across.

Okay.

So it was just you and Spintire that got access to this.

Yep.

And just, you just kept it between you.

Nobody shared it beyond that, right?

So I thought,

how I wish.

Because

as usual, a few weeks went by and other people started to

hint that they had these files or...

Well, the traders got access to some things and there was no explanation for it other than that Spintire must have shared it with someone.

So I quizzed him on it and I said, you know, if you have, just I'd rather you just tell me.

I won't be angry, I just want to know.

He still denies it.

So I start thinking, oh, well, someone else must have got access somehow.

Like aside from us, someone else must have initially got access to the account.

So I treat it as that for a while.

I let Spintire have the benefit of the doubt.

We carry on going, we uh think of some more accounts to try and get into different people.

Another um Another thing we were trying was a management company for Diplo and Major Laser who are a bit closer to pop music and We tried it his manager's box.com account based on what we'd found in these in these leaked databases and Sure enough password worked it logged us in

There was another couple of terabytes of data in there.

There was a lot more than just major laser that were in there.

There was diplo there was a A-Track, there was Dylan Francis, Killer Noise.

There were about 20 different artists under this management company, and we could view all of their stuff from within this Box.com account.

At this point, they've gained access to terabytes of data from these music managers, which was just too much to download at all.

Their hard drives would fill up instantly, so they had to be selective of what they were grabbing.

Like, I don't know what this is like to come across this, but I imagine you cancel your weekend plans and you're like, I got a whole bunch of cool stuff that just arrived in the mail, and I can't wait to dig in there and listen to stuff.

Because you can't speed through listening to these things.

You've got to really be like, wow, I'm going to let this one play the whole thing.

Like, this is, nobody else is hearing this, but maybe four people in the world.

And Diplo made it like, wow.

Wow.

Yeah, this is where it gets a bit more dangerous because some stuff that they had in that in that box.com account, they were basically keeping all of their artists and people that were involved in touring and things, production crew,

this management company was keeping all of these people's personal documents in there, calling them contact sheets.

And that contact sheet would have more than just their contact information on them.

It would have the

artists' social security numbers, bank routing info, passwords, all kinds of insane stuff that was just supremely dangerous to keep in

largely unsecured folders with no extra passwords on them and seemingly no reason to put that info in the document whatsoever.

And then to not secure your own account properly, it's exposing all people that are millionaires.

It's kind of just lucky that

none of

me or Spintire or

any of the people that eventually were doing this that

none of them were interested in anything more than just the music because the amount of damage that could have come from that is insane.

Here's a situation where the management label for musicians was being careless with the artist's private data.

Driver's license, social security numbers, and saved passwords were sitting there on these online drives.

And while it wasn't meant for the public to see, there were gobs of people who did have access to this that worked for the management companies or even other musicians could see each other's files.

It just goes to show if you're not protecting your own private data, nobody else will either.

These folders all had upwards of 50 people shared on them.

Everyone in the business could access these things.

The interns could access these things.

Anyone could grab these things.

Or anyone that got into the account could grab these as well and just have it.

And there'd be no notification that it had been compromised.

Man, that's too many people to have access to all this.

Because the more people you have involved, the more back doors might be created.

Because just think, if a music production company is going to use Dropbox to store all their work in progress, it sounds to me like they don't have an internal file storage system and maybe no internal network at all.

They probably need things like email, chat system.

They got to make social media graphics, a merch store, blog, social media accounts, newsletters, project management, and collaboration tools, and an internal knowledge base or wiki.

Chances are, small businesses today are using public-facing websites for all these solutions and not self-hosting things on their own servers and their own data center.

So that means if 50 people work at this place, that's 50 accounts times however many services I just listed, what, 10?

So we're talking 500 various logins to different websites now.

Who's got permission to see what and where?

Small businesses are not auditing these things and it's an auditing nightmare, even if they tried.

No, this isn't an ad.

I'm not going to try to give you a solution.

I just want to tell you about the problems that arise when you start using cloud-based solutions.

And there are a whole bunch of kids who are desperately trying to exploit those.

So these kids had valid usernames and passwords to get into people's accounts, right?

Okay, well that's a problem to begin with, but whatever.

They were grabbing things, but they were also being smart at trying to establish persistence.

If the owners of these accounts changed the passwords, they'd be locked out.

So they created share links so that even if the account gets locked out, they could see what files are being uploaded later.

Cool.

But you can really take this to crazy levels.

I'm talking about creating ghost logins.

Let me geek out on this for a second because I want to try to break your brain.

Okay, so let's consider Zapier and how it can be used maliciously.

Zapier is a tool that lets you automate things.

So like if I get a new invoice in my email, I can automatically upload that invoice to Dropbox so that the accounting team can see it.

Okay, Zapier can do that for you.

But in order for that to work, it's got to have the ability to see your inbox and have the ability to view and upload things to your Dropbox.

So to set it up, you need to give it permissions to do that.

Well, now, if a hacker gets into your Dropbox like these kids were doing, and they wanted to maintain their access like these kids wanted, and they could see that you hooked up Zapier to do automation.

So now they can create their own fresh Zapier account that they control and connect it to your Dropbox.

And this could give them visibility into your Dropbox from Zapier.

And you wouldn't even know they're there because to you, all you see is that Zapier has permission to view your files, but you set that up when you were setting up your invoice automation thing.

And this is what I mean by a ghost login.

Someone who's in your account who doesn't even need your username or password to stay in.

Change the password all you want.

They're still going to stay connected to your stuff.

Another way to create a ghost login is to create a secondary login.

Some sites allow you to log in through like Google or Microsoft or Facebook or even SSO.

And suppose that's how you set up your account by logging in using your Facebook account.

Now, if a hacker has your password like these kids did and gets in through that, some sites might have the option to connect another login.

Like if you used Facebook to log in, the site might let you also connect your Google account too.

And so, yeah, a hacker could just create a brand new Google account and connect it to your account and start using that to get into your account from then on.

So even if you change all your passwords, that access would persist.

So if you really want to change your passwords, you really need to go through all of the websites that you have to see all of the connected services and alternate logins and every, it's a mess.

It's a mess.

And of course, another way is if the site has a way to generate an API key, you can do that and then access the stuff from there.

There's so many options to create ghost logins to maintain access to an account, even if the user changes our password.

So this is what I mean.

If 50 people all have access to someone's driver's license and Dropbox, then perhaps nobody is looking closely at permissions.

And if that's the case, there's a high potential of being able to create a ghost login that stays working for years.

And I must say, this is a new territory for security teams to navigate.

You hear about this in like general terms, like least user privilege and this sort of stuff, but you don't have people who are like experts in Zapier account security who will audit what apps you have given permission to regularly.

This is a big challenge to keep up with.

So with all this data, like terabytes and terabytes from some of the biggest stars in this dubstep world,

do you ever think like, you know, we can make some money off this?

I wasn't into that,

but I would like to find out that Spintire

was sort of starting to get into that.

I mean...

After a while of these things keeping leaking, starting to leak on Reddit that were meant to be just kept between us and that no one else was supposed to have access to, I clocked on that spin time must have been being dishonest about it.

So I confronted him in mid-October.

I said, you know, are you sharing these?

Just tell me right now, are you sharing these?

And he says,

no, it's not quite like that.

I said, well, how is it then?

He says, I can't say.

I say, is someone paying you for them?

He says, yeah.

So I think, oh, well, finally,

he's admitted it.

And I've caught him out on his whole game plan.

And he goes on to explain that he quit his actual job to sell these files to some rich kid on the other side of the world.

I say, oh, well,

this goes against every, you know, the whole reason that we were doing this in the first place was to keep these files somewhat safe and prevent these people from getting access to them to be able to, so that they can't do this thing with it.

And then he's doing it himself.

It really made me quite angry because I felt misled on the whole thing.

Huh.

This is a tricky situation to navigate for a teenager.

Like, what do you do when your partner in crime starts doing things you don't approve of?

Together, you made a map of all the buried treasures, all the shared links and logins and passwords and ghost logins, terabytes of downloaded data, and a whole system of techniques and piles of data to sift through to find more.

And suddenly, both of them are now highly suspicious of each other.

Now that it was known that Spintire was selling this stuff, Spintire Tire offered them a cut of the money to like keep things quiet and stuff.

I said yes, but what I meant was I'll agree so that he keeps,

you know, he

thinks that I'm on his side still.

So I end the chat and I go and talk to Shane from X-Trill.

Shane was the moderator and admin of the X-Tril subreddit.

Professor Dubstep was like, listen, these leaks that have been happening lately, I know where they're coming from.

Spin Tire is selling it and I don't want more to leak out.

So here are the other things that might leak.

So he agrees, and he's like, yeah, you know,

we'll do what we can to prevent Spin Tire from carrying on with the stuff.

So we started working together from that point on on these things.

Me and Shane and another friend called Arnie Kurtz.

Arnie was another guy, very tuned in to the unreleased music scene, and he was a whiz with all these online services and how their security can be exploited, which could be really handy to break into more shared drives and stuff.

And Shane had seen that Dino wasn't trustworthy, so they stopped working together.

So the new crew is Professor Dubstep, Shane, and Arnie.

Spin Tire and Dino were out.

And not only that, but they all agreed that SpinTire needs to be stopped.

So they put filters in place on the subreddit to keep certain tracks from getting posted, but they also started going through the ghost logins and shared links that SpinTire had to lock him out.

They were changing passwords and disabling shared links.

It's kind of funny that this teenage crew knew exactly the steps to take to keep hackers out, yet the music labels themselves either didn't know or didn't want to stop these kids.

Yeah, I mean, that's kind of what we started doing.

Our main plan was just, you know, prevent Spintire from retaining access to these accounts and these folders that we'd spent so long to gain ourselves access to, and then we're locking them off.

To try...

specifically to try and prevent things to prevent this from from you know it is it is kind of strange that that it changed changed in that way um i'd cut spin tire off in mid-october and i mean i'd been friends with him for two years at that point it was difficult to cut him off he was fun to hang out with so um but you know i it had to be done damage was actually being caused and i was recognizing that

what a headful to navigate as a teenager you know like to be sitting in what history class just thinking in the back of the class what stuff spin tire might steal next and then to rush home and change more passwords to try to lock him out But then when you're in there cleaning things up, you're reminded, oh yeah, this is the account with all those banking details for this major musician who's a millionaire.

Huh, that's funny.

Not going to touch that, but I will stop Spin Tire from getting back in here.

Once they were slowing down Spin Tire and locking him out the best they could, it was time to start looking for new treasure troves.

I think at the peak of things, we probably had like a network of 25 accounts.

It was a lot.

I mean,

we were doing this sort of stuff stuff just all day, basically, just trying to figure out

what could be next.

What could Spintire's next target be?

You know, what could be something dangerous that he would get access to, that he shouldn't get access to, and then go and get access to it ourselves instead.

It was ridiculous.

Their standard system was to find a musician's email address, search for that email address in the breach databases, get the hash, crack the hash, then use that on a whole bunch of sites that musicians might use and hope they might be reusing passwords.

Yeah, I mean that's the thing as well with Box.com or Dropbox.

If you make a shared folder and you invite other collaborators to it, like these management companies are inviting 50 people to a folder and you could you could go through and browse that list of people and take their names and their email addresses off there and then you could run those through the database search as well.

So you could,

if you spent long enough on it, you could tunnel through to all kinds of places that way by just going on it again and again and again until you get somewhere.

And you could build up a network that way.

Of course, you all should know by now the dangers of reusing the same password on multiple sites.

Here's a clear reminder why you should never do that.

But you should also watch out that you're not too lazy when making different passwords.

Quite a few times they'd not change it very much.

They'd maybe just add a capital letter or an extra number on the end or there was one manager that we were looking at.

His password was the same thing for everything, but he'd just change the letter at the end and it would be the letter at the end would be the initial of whatever site the account was for.

So if the account password had leaked for MySpace, it would be Word and then the letter M at the end.

So to get to the password for Box.com or Dropbox, you know, you just change the letter at the end to a D or a B and it would work.

You would also not get a notification that that password was compromised because it wasn't.

Oh yeah, that's interesting because I regularly check all my passwords to see if any of them have been exposed in a database breach.

And I change any that do get seen.

But if my password is guessable because it's just one letter off on every site, then those would never appear in any database breach to make me want to change it.

Now, one of the songs they got a hold of early was Purple Lamborghini.

Yeah, Purple Lamborghini was something that came from the old Diplo's manager's account.

One of the artists that they were managing was called Flostradamus.

They do DJ sets at the main festivals throughout the year for trap music and dubstep music.

And in one of these contact sheets that was stored on this management box was all of the passwords for this DJ duo.

And one of them was the password for

their Splice account.

Splice was a service that offered project file storage for music software.

So we got into that and we downloaded their DJ set preparation files.

And because they were semi-big players, They had all these work in progress versions of tracks from other people in the scene.

And Purple Lamborghini demo was one of them.

By the way, if you're wondering if there's a dolphin in Purple Lamborghini, there sure is.

It's right here.

I swear if I listen to this enough, I'm going to learn the language.

Now, the thing is, this is a demo version, which I think is better than the official version, but this demo wasn't released when the official one came out, and I don't think had any plans of ever getting out.

So at this time, only Professor Dubstep and a handful of people in the world ever heard this.

Yeah, and basically what happened was it'd been a few months since I cut spin tire off and I was missing my friend and I went and unblocked him and I started talking to him again.

I said, you know, are you still doing the selling?

Because we'd been trying to prevent him from doing it, preventing him from getting anything to sell.

He said, no, you know, I've finished with that.

I've cut off those people, realized that they were...

trading and leaking their things after, blah, blah, blah.

So I say, okay, well, you know, should we be friends again?

He says, well, sure, let's go back to how things were a couple of years ago.

Just talk about music and not do not be involved in any of this dodgy stuff.

I say, okay, sure.

You know, we kept talking.

It led into, oh, you know, I've got these couple cool new things.

Do you have anything cool new things?

And so we share a couple of things back and forth with each other.

Like old times.

The purple Lamborghini demo was one of those things.

About a week goes by, and as usual, it leaks on Reddit.

The one single possible corporate spin tire.

And I can't, I just,

I blew up at him over it.

He says, oh, you know,

this has happened again.

You're the only explanation for this thing leaking.

You broke my trust again.

So I cut him back off, but it's too late by that point, you know, the thing had leaked.

That was my own stupid fault.

But December rolls around and we had one last big thing that we wanted to try and do, which was to get into a Major Laser

production account for where they held all their song files and their production files for things that they were working on.

Things that you could load up in a music software and see all the individual bits of and

change things.

So we had the idea to go for one of Major Laser's production team.

and see if

we could get into their things.

So we had one last go on the database and see if we could get the get the pass to

their Dropbox.

And we did manage it.

We were talking back and forth with each other, me and Arnie and Shane, in a group chat,

saying, oh, it's here.

There was one specific song that we wanted to get.

It was called Terrorize, featuring Collie Buds.

So we were we logged into this account and the first thing we searched for was Terrorize project file and

it was there.

The actual one

that the group were working on at the very

day.

So we were talking back and forth with each other, like, oh, it's Terrorize season.

It's Terrorized Season.

Goat, greatest of all time.

But there was more than just that in Dropbox.

There was another terabyte of stuff that was being worked on at that minute.

Like the inner workings of a major

billboard top 100 pop artist.

And everything was there.

Individual assets, you know, drum samples uh

synth files all kinds so we grabbed all that stuff

well

i mean it was too much to grab and in many of these cases it was too much it was too much there the things that spin tire had got hold of from before he was cut off had started to you know it would the leaking had really picked up and um me and Shane and Arnie basically decided that we needed to make even more efforts to contact these people who have been compromised.

So, and I'm pretty sure it was Arnie that did this.

He rang up actual manager's phone number and left a message on the voicemail to say, you know, this has happened.

This is what will happen next.

You need to start taking steps to secure your stuff like straight away.

Otherwise, the damage would just rack up like into hundreds of thousands of dollars.

So the legal team started talking about this, like, oh, how could this happen?

Blah, blah, blah, blah, blah.

It's impossible.

We sort of, we ended up in contact with these legal teams on the false identities to explain to them how it had happened, why it was happening, and how they could prevent it.

And they're basically saying, oh, yeah, you know, we had plans for these, for these songs, we had plans for Terrorize.

It was going to be like a big thing because so many people wanted the song.

And that was, they basically just all cancelled all of that because it was the

potential for it to leak early was there, so they cancelled all of those plans.

Yeah, if you go on Major Lasers, Spotify, or YouTube channel, there is no such song as Terrorize.

Kalibuds didn't release it either, even though he sings in it.

The song never got released, despite there being quite a decent amount of people really looking forward to it.

And I guess this is why it got cancelled.

The hackers ruined it.

But if you're curious what the dolphin sounds like in it, here you go.

This is actually a remix of it I found.

The one that got leaked was a little different, but it's wild that this totally unreleased Major Laser song is out there in the world for anyone to listen to, but because it wasn't an official release, it doesn't have many plays.

And it's not an official song by Major Laser.

It could have been a hit.

Major Laser has three songs on Spotify with over a billion plays, and Collie Buds is pretty popular too.

A reggae dubstep crossover song?

That's a great idea.

But But it was never released.

The project permanently halted.

How odd, you know, just to think an early version of a song that gets leaked too soon, it upsets the label so much that they just give up on the song entirely.

A album that was being worked on at the time, Music is the Weapon, that was cancelled too.

Well, not cancelled out, right?

But really delayed.

And it only came out in something like 2020, 2021, which was four years after all these incidents.

But we were basically just talking with each other, trying to come up with these plans of how can we prevent these things from leaking?

You know, we want to help you to figure this out because we know these people that are involved with this.

And these legal teams are coming up with these ridiculous plans like, oh, well, we'll fly Spintire out to New York and we'll, you know, we'll take him to dinner and we'll hand him $30,000 in exchange for his hard drives.

And then that will secure our files.

And I was trying to tell him, no, that will not work.

We'll just make a copy of it.

You know, it's ridiculous.

And they were not having it.

They were saying, oh, well,

this definitely seems like the best idea to me.

And I was saying, no, no, please, no, don't do that.

I'm not sure if they actually did that in the end or if they realized that it was not going to help their case.

Well, did they know that you had the drive or you know, hard drives full of stuff too?

Well, that's the thing.

Me, I didn't download all the things.

I'd pick and choose a couple of things here and there, but a lot of of it was kind of just not so interesting.

The thing is, Professor Dubstep enjoyed listening to early dubstep tracks, but that wasn't the driving motivation for all this.

Personally, I'm not really a raving fan.

I was just more interested in being able to break these things down and look at the production process because it could help me to learn how to make better music myself and see how

it was being done and how the Billboard Top 100 stuff was being made.

And

I could use that to help me create better things myself.

It's a valuable learning resource.

I feel like that's a stretch, you know.

Like,

you could go on YouTube and watch people making music and learn from them.

You can hang out at groups and circles, other garage

bands or whatever the case is, be like, How are you doing?

Oh, wow, that's an interesting method.

But you're like,

I think I'll hack into Diplo's Dropbox to learn on my own things.

I'm good.

Like, it's

It's quite a different

path to learning.

Yeah, I see your point, but at the same time,

it's kind of unprecedented that

you can go into a project file and look at the entire

start-to-finish process of it.

The entire project files were in these folders.

All the effects, samples, everything that was used to make the song.

See, most of this music is made in a DAW, a digital audio workstation.

So that might be tools like Ableton Live, Adobe Audition, or Pro Tools, or something like that.

These were the tools that you'd have to use to view how these songs were made.

And Professor Dubstep had these tools to examine it all.

Not only could they break apart the song, isolating tracks and sounds to see how it was composed, but there were different versions of the same song too.

They could see how the song evolved over time.

What an amazing thing to explore for someone who wants to make electronic music as their career, to be able to study how the pros do it in such detail, you never get to see these behind-the-scenes bits.

I mean, even me as an up-and-coming podcaster, I would have loved to get my hands on the full project files for This American Life or some show that I was really inspired by.

It would have been huge, and I bet it would have helped me understand the complexities and details of how all this gets put together.

But not only that, but to see such a variety of songs and musicians' project files, it really puts them in a unique position to have such a close and upfront understanding of how all this music was made.

Yeah, you have to know some in-depth music stuff already to be able to figure it out what you're even looking at.

The fact that I've been able to look at all this and take some insight from it that can help me later on is

basically invaluable.

It's priceless.

Just imagine Professor Dubstep in some music class where the teacher's like, here's the proper way to use this effect.

And they're just like, no,

that's not how Skrillix does it or, or Diplo, or Major Laser, or Excision.

Oh, yeah, well, how do you know?

Oh, uh,

never mind, carry on

anyway.

It took them a lot of convincing, but they were finally able to get the legal team to fix all the problems.

Yeah, the end of 2016 was the final, you know,

called it quits and stopped doing all this hacking stuff.

Which, I mean, it's it's not right to call it hacking, really.

It's not even on script kitty level, it's it's just searching through things and using logic to try and figure out passwords.

It's not really like complex hacker stuff.

It's just,

I don't know a good word to use to describe it, but you know.

I've been thinking for a good word to use here this whole episode myself.

Thief and stealing isn't quite right because the original copies are still there.

I feel like for it to be stealing, you need to rob the person so they don't have that thing anymore.

And if you post something online and someone makes a copy of it, that's not stealing.

That's just downloading a copy.

And that's what they did, often just downloading copies of things that had public links to it.

Was it supposed to be public?

No.

But was it?

Yes.

So the term I think that best describes this is exfiltration.

They exfiltrated files that were not meant for public consumption, but weren't very well protected.

To me, this has the right ring to it.

Professor Dubstep, professional exfiltrator.

But yeah, fast forward to

2019.

And I just finished college.

I did did a music course at college.

I'd left all this stuff behind.

You know, it was all it was all kind of calmed down.

Nothing was leaking anymore.

No accounts were being compromised.

Well, not by me anyway.

And I kind of thought, you know, I'll find out what the old people were doing in modern day.

I had a chat with Shane.

I had a small talk with Arnie.

And

Shane was still going on with the stuff from what I could gather.

Arnie had moved away from doing it and he he did um he'd got uh

well, I think I'm pretty sure he went to work for the FBI and got security clearance, um, top security clearance for something or other.

Other people in the in the extra crew had some of them had got raided, um, some of them had gone to join the military and things like that.

You know, everyone had gone off to do different things, apart from the one guy who who had who had got the most weird and awkward situation possible, the spin tire.

He had gone from being the the seller and the leaker of so many hundreds of gigabytes of data.

He had gone from leaking these Skrillex demos and trading them to being on Skrillix's production team himself.

And

was now technically Skrillix.

Because, yeah,

and with that, you know, Skrillex is one of the ones that is ghostwritten, ghost-produced.

You know, he's not real.

He's just a face for a brand.

So you're saying a lot of Skrillex's music today is made by someone else and that Skrillex just puts their name on it?

All of it.

There's

a team of...

Yeah, there's a team of...

I mean, in 2019, the team was at least five, six people putting together these songs.

And that's what it's always been, really.

You know, Skrillex's first release in 2009 and 2010, like Scary Monsters and Nice Sprites, his first EP was ghost-produced by Noiser to, well, quite a large extent.

Maybe not entirely, but a large portion of

all of his sounds over the years have come from other people

putting it all together.

So yeah, this ghost producing runs deep in the scene.

So many of the big players

are fake.

All right, I can't find any article saying that Skrillix doesn't make his own music.

Musicians collaborate all the time with other musicians to make music.

That is no surprise.

But the allegation here is that these musicians aren't crediting the people who helped make the song.

So while you think it was them who made it, it really wasn't.

Skrillix is known for being very hands-on with his music, but there are some well-known cases where other big-time musicians have been accused of taking someone else's music and calling it their own without giving proper credit.

So this is known to happen.

And honestly, I don't know what to think of that.

I mean, on one hand, if an EDM musician is just playing someone else's music, that's called being a DJ.

And it's a bit of a stretch to say you made this music.

But on the other hand, What do I care if you really wrote this song or had someone else write it for you and you just put your name on it, the music is what matters.

It's fascinating to me though, because I'm endlessly obsessed with the dark parts of the internet.

And this digital underground is bustling with activity, but with hushed tones, and it's all right under our noses.

It's a world we rarely see, but sometimes hear.

A big thank you to Professor Dubstep for sharing this story with us.

This episode was made by me, the AI adventurer, Jackry Sider.

Our editor is the code conjurer, Tristan Ledger.

Mixing done by Proximity Sound, and our intro music is by the mysterious Breakmaster Cylinder.

Ultra Miami, your circuits are about to be blown because next up is an unreleased track by the legendary Papa Pa Breakmaster Cylinder.

Overclock your headphones, compile your grooves.

It's time to execute some killer dance moves.

No lag, no latency.

Tonight, we reach peak bandwidth.

This is Dark Knight Diaries.

Dark, outside, outside, darkness, outside, sign, side.

Dark,

side, outside, darkness, outside, sign, side.