120: Voulnet
This is the story about when Mohammed Aldoub, AKA Voulnet, (twitter.com/Voulnet) found a vulnerability on Virus Total and Tweeted about it.
Sponsors
Support for this podcast comes from Cybereason. Cybereason reverses the attacker’s advantage and puts the power back in the defender’s hands. End cyber attacks. From endpoints to everywhere. Learn more at Cybereason.com/darknet.
Support for this show comes from Varonis. Do you wonder what your company’s ransomware blast radius is? Varonis does a free cyber resilience assessment that tells you how many important files a compromised user could steal, whether anything would beep if they did, and a whole lot more. They actually do all the work – show you where your data is too open, if anyone is using it, and what you can lock down before attackers get inside. They also can detect behavior that looks like ransomware and stop it automatically. To learn more visit www.varonis.com/darknet.
Sources
https://www.cyberscoop.com/story/trial-error-kuwait-mohammed-aldoub-case/
Transcript
A few years back, I used to play this really stupid mobile game.
I don't even remember what it was called.
You had the party of fighters and you leveled them up or something.
But the thing was, in the game, there was an online chat option.
And at any moment, you could look at the people chatting to see what they're talking about in the game.
Well, if you've played any game that has online chat options, you know how toxic it can be.
And this place was no exception.
People were selling in-game gold that wasn't even possible.
It was just all scams because there was no way to send gold to anyone in the game.
And there was just some real vile hatred spewed all over the place.
The thing is, the people that did this felt like they could just hide behind their username that they created a minute ago because the worst case scenario is that they just might get banned from the game.
But I was a network security engineer and I wanted to see if there was a way to learn more about the people that were saying rude stuff in chat.
So I started a packet capture on my phone.
All network traffic coming in and out of the phone was captured, and then I started looking through it.
It wasn't easy.
It's like looking for a needle in a haystack.
But eventually I found what the packets looked like when they sent chat messages to me.
And it was not encrypted, which made it easy to crack the packet open and see exactly what was in those messages.
And amazingly enough, the network traffic showed a lot more information about that user who was chatting than what was shown in game.
In the game, all you see is a person's username.
There's no way to see anything more about them.
But the packets showed their username and user ID, which was just a very long number.
Now, I was also noticing this game was interacting with one of their servers, and I saw how the game would look up user details.
So I crafted my own packet to send to their server to look up a user, and whoa, the server gave me their email address and IP address.
And with an IP, I can look up their general location of where they are in the world.
So armed with this, I went back into the game and waited for someone to start saying rude, horrible stuff.
And there was this one guy being a real jerk, spamming all kinds of rude stuff, calling people names, and it was just not nice.
And I told him, hey, stop being rude, or else.
He's like, or else what?
I'm like or else I'll tell everyone here your real name.
I already know everything about you.
And it was then when I grabbed all the packets from this chat, found his user ID, put it into the website, got his email and IP address.
And actually from there, I looked up his email on Google and got his first and last name.
Well, of course, he called my bluff, knowing there's no way in game to see someone's real name.
In fact, he never even entered his real name in the game.
So how would I know it?
So now he starts aiming his attacks towards me, calling me names and taunting me.
So I think I remember his name was Evan.
So I started just writing Evan in the chat room over and over and over, just that word, Evan, Evan, Evan, Evan, Evan.
He stopped chatting for a minute.
He was like, who are you?
I'm like, are you going to be nice now?
Or do you want me to say your last name too?
He tested me by saying, go ahead, I don't believe you know it.
So I dropped the first part of his email address in chat and he stopped talking for a minute.
Then he asked, Adam, is that you?
And I'm like, no, dude, I'm not Adam.
I'm the guy who's just trying to stop you from being rude.
Go find a hobby that doesn't include being mean to people.
And I guess this spooked him because he logged out of the game and I never saw him again.
These are true stories from the dark side of the internet.
I'm Jack Rhysider.
This is Darknet Diaries.
This show is sponsored by DeleteMe.
DeleteMe makes it easy, quick, and safe to remove your personal data online at a time when surveillance and data breaches are common enough to make everyone vulnerable.
DeleteMe knows your privacy is worth protecting.
Sign up and provide DeleteMe with exactly what information you want deleted, and their experts will take it from there.
DeleteMe is always working for you, constantly monitoring and removing the personal information you don't want on the internet.
They're even on the lookout for new data leaks that might re-release info about you.
Privacy is a super important topic for me.
So, a year ago, I signed up.
DeleteMe immediately got busy scouring the internet looking for my name and gave me reports of what they found.
Then they got busy deleting things.
It was great to have someone on my team when it comes to protecting my privacy.
Take control of your data and keep your private life private by signing up for DeleteMe.
Now, at a special discount for my listeners, get 20% off your DeleteMe plan when you go to joindeleteme.com slash darknet diaries and use promo code dd20 at checkout.
The only way to get 20% off is to go to joindeleteme.com slash darknet diaries and enter code dd20 at checkout.
That's joindeleteme.com slash darknet diaries code dd20.
This episode is sponsored by my friends at Black Hills Information Security.
Black Hills has earned the trust of the cybersecurity industry since John Strand founded it in 2008.
Through their anti-siphon training program, they teach you how to think like an attacker.
From SOC analyst skills to how to defend your network with traps and deception, it's hands-on, practical training built for defenders who want to level up.
Black Hills loves to share their knowledge through webcasts, blogs, zines, comics, and training courses, all designed by hackers, for hackers.
But do you need someone to do a penetration test to see where your defenses stand?
Or are you looking for 24-7 monitoring from their active SOC team?
Or maybe you're ready for continuous pen testing, where testing never stops and your systems stay battle ready all the time.
Well, they can help you with all of that.
They've even made a card game.
It's called Backdoors and Breaches.
The idea is simple.
It teaches people cybersecurity while they play.
Companies use it to stress test their defenses.
Teachers use it in the classroom to train the next generation.
And if you're curious, there's a free version online that you can try right now.
And this fall, they're launching a brand new competitive edition of Backdoors and Breaches, where you and your friends can go head to head hacking and defending just like the real thing.
Check it all out at blackhillsinfosec.com slash darknet.
That's blackhillsinfosec.com slash darknet.
For this story we're headed to the Middle East.
So my name is Mohammed Aldoub.
In Arabic we spell it Hamid al-Dub.
Yeah so where are you now?
In Kuwait as always.
That's where I'm from.
Mohammed is in his 30s now, but ever since he was a teenager, he was fascinated with computers.
Well, Kuwait generally is a very connected society, so it's extremely easy to get hooked on early.
And with my, let's say, age group, you know, the internet entering our houses in the late 90s, getting hooked early on on technology.
It was, I think it was very straightforward.
But then I actually entered the Kuwait University, the College of Engineering, in the Computer and Software Engineering Department.
So I graduated as an engineer in that aspect.
Then after graduation, I actually went into cybersecurity.
So my entry into cybersecurity was around 2010.
He got a job in the government of Kuwait, securing systems.
And pretty early on, he saw the importance of the internet and securing all the stuff on it.
In my earlier years, around 2010 and 11, I actually got introduced to the late Dan Kaminsky.
And his guidance was really amazing on how a new and upcoming person like me would do to get properly into cybersecurity.
And I think with the emergence of social media and it taking the political and the public scene in Kuwait by storm, it was just natural for me to use that platform to discuss cybersecurity, provide awareness.
Mohammed has built quite the Twitter following.
His name there is Voulnet.
And he won't tell me what that means, but Voulnet is what he goes by.
Today, he has 73,000 followers.
But to get there, he shared a lot of knowledge about security on Twitter.
I did many, I would say, tweet storms where I take a certain malware sample that is just fresh, currently being used to attack some entity in the Gulf Region.
Then I would go, you know, live in Twitter trying to analyze the malware, how it works, what it does to the systems.
So it was kind of something that we do, you know, for the community, for the crowd.
And people would love it, people would engage with it.
After college, he was able to get a job with the Kuwaiti government.
He was tasked with doing things like securing systems, analyzing malware, and other cybersecurity work.
And he was getting good at security, scaling up, and his popularity was growing on Twitter.
With that, new doors started to open up for him.
And then at 2018, I actually left that government job.
And then I did my first official cybersecurity training, which was abroad.
It was in the Netherlands.
So I went on to give malware, an Android malware analysis course for the Dutch police, actually.
So it was kind of interesting because that was the first official training that I delivered outside of Kuwait to an audience in Europe.
He particularly liked training.
Teaching people new things is fun.
So he looked around for more training opportunities.
I actually got accepted into Black Hat as a trainer.
And that was for me, that was a dream come true.
I never thought, you know, usually in my earlier years, in doing the government work, I was, I would dream of visiting Black Hat, you know.
Black Hat is an annual security conference in Las Vegas, which takes place the week before DEF CON.
And Black Hat is more geared towards security professionals and the people who want to learn how to secure their systems better.
The training there, I hear, is pretty good.
So to be selected as a trainer made Mohammed feel proud.
And specifically, he was planning on teaching a course about securing API endpoints.
But the year was 2019, and he got word that he was going to be a trainer in the early part of that year, like February or March.
But Black Hat doesn't come until August.
So he had five months to prepare.
And it's in those five months that this story takes place, a story that changed his life.
Now, one thing Mohammed likes doing is examining the latest malware, and specifically he was interested in malware that was somehow used in Kuwait, where he lived.
So of course, being in the Gulf region, there were many interesting threat actors, especially from, for example, Iran, from other countries, from Israel, other entities and countries in the world.
So obviously, the Gulf region was heavily targeted.
And so it was usually something similar, regular that we try to hunt for threats, try to look for state actors attacking certain entities.
As a government employee, he would sometimes get sent some malware to analyze, which was cool.
But because he quit his job, he needed to find a new place to keep tabs on the latest malware going around in Kuwait.
And one of the best avenues to look for such things is through using VirusTotal.
Virus Total.
This is a fascinating website.
Okay, so the free service they offer is that if you find some malware, you can upload it to their site and it'll tell you what type of malware it is.
And this is really helpful for security teams to get information about any malware they found on their network.
I mean, think about it.
Suppose your computer is running poorly, you open up Task Manager and see a service running on there and you wonder, is this supposed to be here?
Well, you can grab it, upload it to VirusTotal, and it'll tell you if any antiviruses considered this to be harmful and any extra information about that malware.
So yeah, security teams all over are constantly uploading malware to this site.
But if you have a premium membership, you get a bonus feature.
If someone uploads some malware to VirusTotal and it's a file that it's never seen before, then you can get an alert.
So security researchers might be interested to see what this new file might contain, and they can download it and analyze it.
Mohammed loved this feature.
And I would use it to actually look for attacks that are targeting Kuwait, malware samples being uploaded from Kuwait, from other countries in the region, because they would be of interest to my line of work, obviously.
And as he said before, he'd sometimes grab some malware from this site, VirusTotal, and begin live streaming as he examines it to look to see what's in it.
And because he spoke Arabic, it also helped him understand threats targeting the Gulf region better too.
He found some pretty interesting stuff this way and would tweet about it and then see some major security companies publishing alerts about it shortly after.
And this is what I would call security research.
Yeah, and in March, at the end of March 2019, I, in doing that usual threat hunting work, I found a sample that resembled some sort of a banking malware that was uploaded from Kuwait.
Okay, already this is interesting.
Mohammed saw that some never-before-seen malware was uploaded to VirusTotal and downloaded it, looked at it, and found it was targeting a bank.
It didn't say what bank, but Mohammed had a pretty good hunch that this was some sort of banking malware.
And so he's looking at this completely unknown malware, targeting a bank that was uploaded from somewhere in Kuwait.
Fascinating, right?
Well, if you think that's fascinating, you might be a geek.
Not many people on the planet are looking through brand new malware, uploaded to VirusTotal, trying to figure out what's going on there.
But this is what Mohammed does, because he loves discovering this new stuff, because it poses all kinds of questions.
You know, what bank was this for?
Did the victim upload it or the person who created this malware upload it?
Did it actually infect something and steal any money?
What does it do?
And this is why people like following him on Twitter because he digs up some pretty interesting stuff sometimes.
So I came on to download it and analyze it and actually discussed on Twitter, submitted the hashes for that piece of malware so that anybody in the region could, you know, search for those hashes in the environment and see if they got that attack or that malware.
Okay, so he started a Twitter thread, and at the time he had around 40,000 followers on Twitter.
He wrote, quote, for those interested in banking security, these are some highly probable indicators of compromise from the local banking Swift attack that you might have heard about, end quote.
Now, in the news at the time, there were some other stories going around about banks getting hacked and money stolen using the Swift money transfer system.
Mohammed saw this malware and had a hunch that it might somehow be related to those attacks and felt like it was important to tweet about what he was finding.
He went on and posted file names and file hashes on Twitter.
And you can think of a file hash sort of like a file's fingerprint.
Instead of posting the files himself on Twitter, he posted the hash.
And that's so other people can look through their file hashes to check if they have this malware on their systems too.
And posting file hashes like this is preferred because it's not posting any sensitive data that's in the malware, just in case it contained a password or an IP address or something related to the victim.
So interestingly, I found some strings in those pieces of malware that I think would be beneficial for people to use to search for an environment, which is what I shared.
So one technique for analyzing malware is to run the command strings on it.
This will search the malware for any human-readable words.
And it just spits out a list of words for you to see.
And this might give you some clues as to what's going on, like any internal notes left in the code or other information that is human-readable.
Mohammed looked at the code for human-readable words, and one word stood out for him.
GBK admin.
Why does this malware have the word GBK admin in it?
Is that a username?
Is that the name of the malware?
Is GBK admin something important?
He had no idea and just decided to tweet it, telling his followers, take note that the malware has GBK admin in it, and that might mean something.
So the malware sample itself didn't really point at a certain bank with certainty.
Which made him feel confident that his Twitter posts were fine.
He's not naming a bank.
He's careful not to post any sensitive information.
So he posted a bunch of stuff he found, had some conversations with people about it, and then sort of closed up his research into this and was done with it.
Moving on to other things.
After all, he didn't work in the banking sector, so all he can do is just warn other people that there's some banking malware going around in Kuwait.
And since he's done that, he can now do something else.
Not much more for him to do about this.
Well, a few days later, we saw a tweet from the Gulf Bank of Kuwait's Twitter account saying they had a service disruption.
And this service disruption resulted in them losing $9 million.
Yeah, 2.8 million Kuwaiti dinars.
Very interesting that the Gulf Bank of Kuwait was reporting a problem.
Yeah, I realized that something definitely was off because this thing doesn't happen normally to all banks, you know, a problem in your transaction with that kind of big loss.
And then the bank publicly talked about it.
So obviously something was really off there.
And that's why it got the attention of the country.
Like everyone in Kuwait was talking about it.
What did the Gulf Bank mean by that statement?
We're going to take a quick ad break here, but stay with us because this story just got interesting.
Starting a new solo project is really overwhelming.
When I started this podcast, I suddenly had to worry about writing, editing, researching, interviewing, and so much more, all alone.
And when you're starting something new, finding the right tool that not only helps you out, but simplifies everything can be a game changer.
For millions of businesses, that tool is Shopify.
Shopify is the commerce platform behind millions of businesses around the world and 10% of all e-commerce in the US, from household names like Mattel and Gymshark to my own t-shirt shop, which is shop.darknetdiaries.com.
And I love Shopify because of how easy it makes getting my business online.
And once it's there, Shopify has built-in tools to help me create, execute, and analyze my online marketing campaigns.
So get started with your own design studio.
With hundreds of ready-to-use templates, Shopify helps you build a beautiful online store to match your brand's style.
If you're ready to sell, you're ready for Shopify.
Turn your big business idea into
with Shopify on your side.
Sign up for your $1 a month trial and start selling today at shopify.com slash darknet.
Go to shopify.com slash darknet, shopify.com slash darknet.
This was a very interesting tweet that Mohammed was reading.
The Gulf Bank suffered a service disruption that resulted in a loss of $9 million two days after Mohammed found some banking malware uploaded by someone in Kuwait.
Hmm.
Mohammed was starting to put the pieces together.
Of course, I did those pieces together, but I did put them in my mind, but I was very careful not to actually come up with a conclusion in public that would try to publicly link these two incidents, because there wasn't a lot of, let's say, concrete proof for me to be able to do that.
So it really, it was eerily, I would say, familiar.
It sounded like there's a possible connection there.
But yeah, he didn't say anything publicly about any theories that he had that might connect the malware he found to Gulf Bank.
He just watched Twitter talk about it, and he observed.
Okay, so the Gulf Bank is Kuwait's fourth largest bank.
At the time, they self-reported that they had $2.25 billion in capital and that losing $9 million was only less than half a percent of their total capital.
But again, I want to emphasize the word losing here, not stealing or robbed.
The Gulf Bank never did say the money was stolen or that they were robbed, only that there was a service disruption that resulted in them losing millions of Kuwaiti dinars.
Well, a few days after that, the next news we saw from the bank was that they fired their general manager of IT without explaining publicly why.
And the general manager seemed particularly surprised by this and said it was unjust that they asked him to leave.
Something big at the bank was happening, and they weren't being transparent about what it was.
The next week, Mohammed goes to a security event in Kuwait to hang out with other people in InfoSec and socialize.
But while he's at this event socializing, his phone rings.
I got a call.
Someone from the cybercrime department, the cyber, let's say, branch of the police, where they handle complaints related to cybercrime.
They told him that there's a possibility that the Gulf Bank is going to complain to the police about his tweets, the ones that talk about the malware that he found on Virus Total.
And they asked him to come down so that they can question him.
He agrees to be there, but was nervous about this whole thing now.
Well, of course, you would be worried because that bank is powerful.
And because I was extremely careful in my wording of all the research that I did not include anything that would link obviously to a certain entity or certain bank, because I was talking in general, mentioning things that are already de-anonymized, like password hashes, talking about malware attacks in general, or talking about certain malware without attributing it to a certain entity by name.
So legally, I was in the clear, regardless of what I have, let's say, concluded or guessed in the back of my mind.
So I went to the questioning and they asked me, are those your tweets?
I say, yes.
Did you mean... the Gulf Bank made a complaint.
Did you mean them in your, for example, tweet?
And I said, no, I didn't mention them, didn't mean them in my tweets.
And that was the end of the questioning.
Okay, so maybe this is a routine part of the investigation where the bank is just doing their due diligence by following up any clues or leads about the incident.
And since Mohammed had tweeted about the banking malware he found, maybe there was more to it.
So that's why the police were questioning him.
After talking with them, he felt relieved and thought, oh, that's probably the end of that.
It was then that, you know, interesting things happened, actually.
Around that time, I had to go to the USA, accompanying my wife, because she was visiting her mother, who was being treated and was very sick in the United States.
So I flew to the US and while I was in the US I got a call that I need to be present for investigation by the public prosecution.
They wanted him present for an investigation because they wanted to ask him more questions about what he knew about this incident at the Gulf Bank.
Did he know more than what he was tweeting about?
This second round of questioning was a little worrisome for him, but he knew he was innocent and wanted to cooperate.
So he told them that he's in the US helping take care of a sick family member and he can't come on the date they requested, but he'll be happy to come in as soon as he gets back to Kuwait.
And he even showed them his return ticket on when he'll be back and they said, okay, no problem.
So he finished up his trip to the US and went back to Kuwait and went to talk with the investigators.
But they said, because he didn't show up on the date they requested, he's now being charged.
Because the public prosecution went on with investigation, didn't wait for my arrival, I was regarded as in absentia.
So it was, I was accused of, let's say, charging the Kuwaiti law, which means abuse of a mobile device, which means that you have used a mobile device to do something, you know, bad.
It was the way the Kuwaiti law was, let's say, worded.
And that I was disclosing trade secrets of the complainant.
What?
Mohammed's tweets have now led him to being accused of abusing a mobile phone device and leaking trade secrets?
Something has clearly gone very wrong.
I was worried, but there wasn't a thing I could do about it.
So the only thing I could do about it was to prepare a solid defense.
So he hires a lawyer to help make sure he navigates this criminal charge properly.
When a big bank is bringing down charges against you and they've reported that they've lost $9 million, you want to take this very seriously, even if you're completely innocent.
So he was being very cautious.
And there was part of him wondering, how much of this is related to hacking?
And how much of this is related to the violation of free speech laws in Kuwait?
So I'm not really a lawyer, but generally the Constitution of Kuwait gives, let's say, a big blanket for freedom of speech, but then it says according to the laws.
And then the laws go on to specify the general protections of the constitution.
So we have laws for cybercrimes, we have laws for print, we have laws for live media, like for example videos, television, radio.
We also have the state security laws.
All of these laws contribute to further restriction of freedom of speech.
So there are public figures in Kuwait that you cannot, let's say, for example, talk about in any, let's say, bad manner, regardless of your intent.
There are limits to what you can talk.
You can, for example, let's say, use hate speech against religious or political minorities.
So it goes and on and on about the political aspects, religious aspects or restrictions on free speech, and also the cybercrime part of that.
And the cybercrime, let's say, law was actually interesting because it came out in 2014.
It was supposed to, let's say, address cyber crimes or crimes that are related to cybersecurity, like hacking, for example, fraud.
But then it came to be abused by lawyers, by people, to actually, you know, accuse anyone who would talk badly about you.
So, if you were a government official, if you were like a social media figure and someone was trying to talk about you in a way you don't like, you can go and then try to sue them according to that law.
And many times it would result, you know, in verdicts where people have to pay fines.
And I think my case was an example of that because I didn't actually, you know, do any wrongdoing.
Interesting.
So it sounds like if someone says something damaging towards your company or you, you can take them to court and possibly get them to pay a fine for what they said.
So Mohammed read over his tweets a few more times very carefully, trying to find if he said anything negative towards the Gulf Bank.
But he didn't even mention the Gulf Bank in his tweets at all.
So he felt confident that he didn't do anything wrong.
He did mention the word GBK admin.
And wait a minute, GBK.
Does that stand for Gulf Bank of Kuwait?
Huh.
Even if it did, he didn't know that at the time.
His trial date was set for July 2019.
Now, August, the month after his trial date, is when Black Hat was going to occur in the US.
And Mohammed was scheduled to give a training session at that conference.
So he wanted to wrap up this trial so that he could go to the U.S. and give his training.
So he goes to court in July.
Just the public prosecutor was there.
The lawyer for the bank didn't even show up.
Mohammed had been planning with his lawyer what to say.
And then we provided a really solid defense.
We, let's say, discussed this aspect that, first of all, it's already protected speech.
Second of all, it didn't mention any bank by name.
It didn't mention specifically any trademark by the bank.
And the fact that it's absolutely not a secret because the bank already discussed that there's a problem that happened.
There's a problem in their system that resulted in loss of millions of dollars.
So there was no secret that there's something wrong happening at the bank already.
On top of that, there was no any kind of contractual agreement between me and the bank.
That would result in me having any secret shared between me and them.
So anything I would come upon, I would come upon by, let's say, through public sources, which are, of course, not considered secrets.
He says the judge looked convinced and seemed to be on his side.
So he prepares his flight to Las Vegas to attend Black Hat.
He first had to fly to New York and then to Vegas.
The night before my flight to New York, I received a strange phone call in Telegram, you know, that an encrypted phone call in Telegram.
But then when I answered, it was someone very suspicious in the way they're talking.
They're trying to kind of ask about the incident that happened with the bank, and then they tried to say, you know, I have some information about the hack that happened in that bank, trying to, you know, do, try to pull my string.
I felt that someone was trying to pull my leg into discussing this incident, trying to find, trying to, you know, entrap me.
So I realized that this is either someone who is totally crazy.
Or I would be actually crazy not to think that this was some entrapment attempt by someone, by who I don't know.
You know, a bank doesn't really do that.
Who would try to do that?
I have no idea who would benefit from that.
However, played it cool, told them that, you know, this is a legal matter, should be talking to legal authorities, blah, blah, blah.
And then I hung up.
What was really suspicious for me is that why would someone try to target me, try to entrap me in that fashion?
Did I really anger some really powerful folks?
Was that tweet that much, you know, let's say, strong against?
However, that was compromised.
Did the bank really get some pressure from people who linked my tweet to the incident at the bank?
I still don't know who is that person to this day.
But of course, as I said before, it would be crazy not to think it was some sort of related entrapment attempt.
That was strange, and it rekindled his worry about the case.
But he still went to the U.S.
And while in Vegas, his lawyer contacted him and told him the judge had a verdict on the case.
In the end, it was clear for the judges that it was absolutely not in violation of any law in Kuwait.
So he was cleared of all wrongdoing, which is great news to receive while you're in Vegas, right?
Mohammed tells me he didn't attend any parties there because he was so focused on delivering his training and just wanted to get back to Kuwait as soon as it was over.
And so when he got back to Kuwait, he checked in with his lawyer and all seemed quiet.
All was good.
And he was glad to have this behind him.
And that was August.
September then comes and it passes.
And then in October, he gets another message.
Yeah,
Again, it was the public prosecutors who wanted to investigate this further.
His lawyer explains this is just a matter of formalities.
If the prosecutors bring him to the appeals court and he's still found innocent, then they can say they've exhausted all options in this case and they can leave it be.
This makes it look like the prosecutors worked really hard to solve this case.
And since this was just a formality, there was no new evidence on him or any new charges.
But Mohammed was still worried about it.
I mean, at the least, he's having to spend all this money on legal fees to help him out.
Appeals court took over a year because coronavirus kept delaying the courts.
And waiting for your trial is always nerve-wracking, no matter how confident you are that you're not guilty of anything.
But the trial day finally came and the judge looked at his case.
I was cleared immediately, like on the spot.
This gave Mohammed a big sigh of relief.
This meant it was finally over.
And yeah, since then, two years later, it's still over.
There's been no more calls from the police about this.
But what a wild ride that this has resulted in just from finding some malware on VirusTotal and tweeting about what you found.
Now, during that time, there was a large rash of bank robberies happening all over the world.
Someone was going around, usually sending phishing emails to banking employees, hacking into the bank, and then targeting the Swift network to steal millions of dollars from banks.
And many of these worked.
And the United Nations investigated this and published a report.
And this report says the government of North Korea is responsible for robbing banks in Bangladesh, Chile, Costa Rica, the Gambia, Guatemala, India, Liberia, Malaysia, Malta, Nigeria, Poland, the Republic of Korea, Slovenia, South Africa, Tunisia, Vietnam, and Kuwait.
Right there in black and white, this UN investigation report says that in March 2019, a bank in Kuwait was robbed by the government of North Korea.
That's the exact same month and year that the Gulf Bank announced that they had a service disruption and lost $9 million.
This UN report does not say which bank in Kuwait was robbed, but it does say the amount stolen was $49 million.
And so that's a big mismatch in numbers, which means either the Gulf Bank was not robbed, but really did have some kind of weird disruption that made them lose millions of dollars, which means a totally different bank got robbed the same month and year in Kuwait, or the Gulf Bank of Kuwait was not telling the truth, saying it was a service disruption when really it was a robbery, saying it was $9 million when really it was $49 million.
We don't know the truth to the story.
Yeah.
So there is this variance between the Gulf Bank tweet and the whatever bank the UN report was trying to hint at.
So, you know, either it happened at a different bank, or maybe there's more to the story than that was put in the public sources.
I mean, you don't need to comment on this, but I was just thinking it through, right?
Yes.
If it looks like a duck and it walks like a duck, it smells like a duck.
Big thank you to Mohammed Aldoub.
You can find him on Twitter.
His name there is Voulnet, V-O-U-L-N-E-T.
And while you're on Twitter, why don't you give a follow to Darknet Diaries?
This show is made by me, the space bard Jack Rhysider.
Sound design is done by the deletist Andrew Meriwether.
Editing help this episode by Shift Control Damienne.
And our theme music is by the escapist, Breakmaster Cylinder.
How do you add flavor to an algorithm?
Toss in a Boolean cube.
This is Darknet Diaries.