118: Hot Swaps

1h 26m

This is the story of Joseph Harris (https://twitter.com/akad0c). When he was a young teen, he got involved with stealing video game accounts and selling them for money. This set him on a course where he flew higher and higher until he got burned.


Joseph sometimes demonstrates vulnerabilities he finds on his YouTube channel https://www.youtube.com/channel/UCdcuF5Zx6BiYmwnS-CiRAng.


Listen to episode 112 “Dirty Coms” to hear more about what goes on in the communities Joseph was involved with.


Sponsors

Support for this show comes from Axonius. Securing assets — whether managed, unmanaged, ephemeral, or in the cloud — is a tricky task. The Axonius Cybersecurity Asset Management Platform correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action. Axonius gives IT and security teams the confidence to control complexity by mitigating threats, navigating risk, decreasing incidents, and informing business-level strategy — all while eliminating manual, repetitive tasks.


Support for this show comes from Synack. Synack is a penetration testing firm. But they also have a community of people like you who earn regular money by legally hacking. If you’re interested in getting paid to hack, visit them now at synack.com/red-team, and click ‘apply now.’

Listen and follow along

Transcript

When I was in college, I had some interests, and among them were gambling and programming.

Specifically, I liked craps, where you throw the dice, and the Perl programming language.

Now, the thing about craps is that there are so many different kinds of bets you can do.

It's a little dizzying how much there is.

So I decided to make a little program that rolls the dice thousands and millions of times to try to simulate the game to find an effective betting strategy.

First, I tried the typical betting strategy, putting money on the pass line, placing odds, and then rolling the dice.

After 100,000 rolls, the game showed that I had a massive amount of debt.

Definitely not a good strategy for the long run.

So then I tried placing money right on numbers, betting on the come line, the field, all the things.

None had a positive result.

All put me in debt, which is expected, right?

The house always wins.

The game is designed that way.

There's no way around it.

But maybe there was.

I mean, the game of craps was invented in the 1700s, and they didn't have a computer to simulate all the possible betting variations to see if one would work, right?

So perhaps my little program could discover some surefire betting strategy, one where the player always wins in the long run.

So I kept trying night after night running new betting simulations and algorithms and trying to find something.

And eventually I tried playing around with buy bets.

Buying the 2 or 10 will result in double your money if it hits.

And I ran this simulation 100,000 times.

And guess what?

The program showed I'd made a positive amount of money.

What?

I ran it again and again and it showed the betting strategy was working.

This was a surefire way to make money in craps in the long term.

So I immediately went online and I found an online casino and I opened an account and began betting this strategy.

But it wasn't winning.

I was losing money.

And I noticed something.

I forgot to calculate the vig.

When you place this bet, the house charges you 5% to buy it.

I didn't know that, so my program was wrong and gave me wrong results.

But this made me think, hold on, there are a lot of rules in craps.

Surely one of these online casinos screwed up the logic of the rules and has an error.

I mean, it's just a human who programmed it, and how much could they possibly know about craps to program it effectively?

So I started opening account after account on all these different online casinos and looking at the craps games to see if they followed the rules.

And yeah, every one of them did follow the rules.

And I never found a way to make money on craps.

My interest in gambling sort of dried up after that.

But man, I sure tried.

These are true stories from the dark side of the internet.

I'm Jack Rhysider.

This is Darknet Diaries.

This show is sponsored by DeleteMe.

DeleteMe makes it easy, quick, and safe to remove your personal data online at a time when surveillance and data breaches are common enough to make everyone vulnerable.

DeleteMe knows your privacy is worth protecting.

Sign up and provide DeleteMe with exactly what information you want deleted and their experts will take it from there.

DeleteMe is always working for you, constantly monitoring and removing the personal information you don't want on the internet.

They're even on the lookout for new data leaks that might re-release info about you.

Privacy is a super important topic for me.

So a year ago, I signed up.

DeleteMe immediately got busy scouring the internet looking for my name and gave me reports of what they found.

Then they got busy deleting things.

It was great to have someone on my team when it comes to protecting my privacy.

Take control of your data and keep your private life private by signing up for DeleteMe.

Now at a special discount for my listeners, get 20% off your DeleteMe plan when you go to joindeleteme.com slash darknet diaries and use promo code dd20 at checkout.

The only way to get 20% off is to go to joindeleteme.com slash darknet diaries and enter code dd20 at checkout.

That's joindeleteme.com slash darknet diaries, code dd20.

This episode is sponsored by my friends at Black Hills Information Security.

Black Hills has earned the trust of the cybersecurity industry since John Strand founded it in 2008.

Through their Antisyphon training program, they teach you how to think like an attacker.

From SOC analyst skills to how to defend your network with traps and deception, it's hands-on, practical training built for defenders who want to level up.

Black Hills loves to share their knowledge through webcasts, blogs, zines, comics, and training courses all designed by hackers for hackers.

But do you need someone to do a penetration test to see where your defenses stand?

Or are you looking for 24-7 monitoring from their active SOC team?

Or maybe you're ready for continuous pen testing where testing never stops and your systems stay battle ready all the time.

Well, they can help you with all of that.

They've even made a card game.

It's called Backdoors and Breaches.

The idea is simple.

It teaches people cybersecurity while they play.

Companies use it to stress test their defenses.

Teachers use it in the classroom to train the next generation.

And if you're curious, there's a free version online that you can try right now.

And this fall, they're launching a brand new competitive edition of Backdoors and Breaches, where you and your friends can go head-to-head hacking and defending just like the real thing.

Check it all out at blackhillsinfosec.com/darknet.

That's blackhillsinfosec.com/darknet.

So, a while back, I did episode 112.

It's called Dirty Coms, which does a little peek behind the curtain on who's doing SIM swapping today and how they're doing it.

And you should probably listen to that one first before this one, but you don't need to.

And one of the people I mentioned in that episode who was doing this was Joseph Harris.

Well, after the episode aired, Joseph reached out to me and told me I got some of the parts wrong about him.

And so I went back and just deleted all mentions of him altogether.

Because it turns out in my research, I didn't realize there were two different Joseph Harrises and I was getting one mixed up with the other and ugh, it was a problem.

But while I was clearing things up with him, I asked him, hey, you've got quite the story.

Do you want to come on the show and tell us?

And he said, yes.

Where would you like to start?

I could go all the way back to how I kind of got into hacking, or I could, you know, start right at the tail end of it, where it all started with the big hacker.

Yeah.

So, you know, how did you get into it?

I imagine, this is my guess.

Video games, you decided to figure out some sort of cheat or hack into them and or a way to manipulate it in a way that shouldn't be, and then that just kept going.

That's pretty accurate.

So I'm not sure if you've heard of a small little game called RuneScape or Club Penguin.

These are some online multiplayer games he was playing when he was 11 and 12 years old.

And as you play any online multiplayer game, you start to see how some people have some really cool accounts.

Either they're high-level or they have hard to get items.

It's just rare stuff that's sought after.

And eventually, Joseph learned that there's a whole secondary market for these accounts.

Some video game accounts were selling for 500 to 1,000 US dollars, real money, which was a lot back then for a 12-year-old.

He dabbled in trying to manipulate the game, to try to get some free items.

And that sort of worked.

But he thought, hmm, maybe there's just a way to take over someone else's account and sell it.

So originally, I started kind of as a social engineer, finding out ways to dox these accounts and then trick the email providers into resetting their Yahoo, their AOL, whatever their provider was, and then just take the accounts and then sell them for money.

He doxed the player to take over their account.

Okay, let's look at this.

What he means by dox here is he wanted to know what their name and email address was that was connected to their in-game account.

And he might figure this out by asking people in the game, hey, I have this really cool thing I want to show you.

Can I email it to you?

Or something to tease out this information from someone.

And once he knew their email address and name, he could start looking them up online to try to find where they lived.

Then he tried to call up their email provider to try to convince them that it's his account.

AOL, for example, they'd reset passwords with your, they'd ask, hey, what's your first name, last name?

You tell them that, which, you know, that's not pretty hard to get.

And then they would ask, what's your security question?

You didn't need to know that, because afterwards they'd ask, okay, what's your address?

You would only have to provide them a correct zip code and they'd straight up reset the password for you.

So it was a lot easier back then, but, you know, essentially all you need to know is someone's name and address and you can completely take over their AOL account.

So that's what he was doing when he was 12, trying to social engineer the email providers to reset the password so he could get access to that email account.

And what's little Joseph do once he gets into someone's email account?

Well, he resets the password for their RuneScape or Club Penguin account so that he could get access to that in-game player's account.

And then he'd change the email address associated with it and sell it.

What was your highest one that you sold?

I think I sold, my highest was a thousand five hundred I sold for this one account.

And, you know, that was the highest amount I just sold for one at once, and got a thousand five hundred from it.

What was that for, RuneScape?

Uh, that was actually for Club Penguin.

But RuneScape, I had some pretty big sales too, but I would sell the gold.

So I would get, you know, a couple hundred if I had a decent amount of gold, or I would just, it wasn't like an individual sell at once.

Like, it would be a slow, gradual sell for the RuneScape stuff.

But the Club Penguin was the thousand five hundred, like, closing deal.

Just one account, sold it for a thousand five hundred.

Just hearing that alone makes me pause, because in this scenario we don't have a hacker trying to break into some corporation.

We have a pretty clever social engineer trying to hack their way into your email account.

When the crosshairs are pointed at just regular people, individuals like you and me, suddenly it feels like the wind changes and the air gets colder.

I mean, are your accounts secured to the point that it would withstand this?

Imagine if someone wanted to get into your email account and called Google or Yahoo to pretend to be you and try to get your account reset.

You think your defenses will hold, right?

I mean, we seem to be putting a lot of trust into the person who works at the email provider, that they aren't susceptible to social engineering attacks in this scenario.

And it all comes down to that, I guess, but it sounds like they are vulnerable to this kind of attack.

Now, all this happened a while back, like 10 years ago, and since then email providers have made it harder for people to reset their passwords this way.

I mean, there's two-factor authentication now and secondary passwords, and all this was added because it was getting abused by people like Joseph.

I start transitioning to these original usernames.

Like, for example,

say I had wanted Doc on Xbox.

That might be worth some money because it's short.

Or if I got the name game or something, elite, something like that, that's worth money.

And there's a larger community based around it.

And there's multiple sites where people want these OG usernames.

So I start, Club Penguin, I was kind of over it.

It wasn't making as much money because I had taken as many accounts as I could, really.

So I started, and there was a bigger community around these things.

So I started morphing into these OGs, and suddenly I learned about Bitcoin because, and I think Bitcoin, wow, this is great.

This is like 2012, 2013.

I'm like, this is great because before with PayPal, sometimes people would reverse on me or sometimes I'd have people calling up PayPal, getting their money back.

But in this case, Bitcoin was peer-to-peer.

I could, someone could send me money.

They can't take it back.

So I love the idea of crypto and Bitcoin.

And that's essentially I was trained.

But then I started realizing, okay, why don't I start going after these people that actually might have Bitcoin and stuff like that?

And that's when I kind of, it wasn't just me having this idea, but that's where the whole Bitcoin idea started.

Because once you get the money, you know, you get to keep it essentially, you know, so then I started transitioning from OG usernames to, oh, wow, why don't I just take emails of people that have Bitcoin?

Oh, whoa, this is so much more serious.

Taking someone's video game account is one thing, but trying to steal their Bitcoin, that's taking this to a new level.

It's straight up robbing them at this point.

And he already had all the skills he needed to do this.

He'd start by looking for people posting about Bitcoin and then try to figure out what their email was, perhaps phishing them if he couldn't figure it out.

And then he'd learn what their name and address was, and he'd try to call up the email provider to trick them into resetting the password for him.

And from there, he was rooting around their emails, looking for anything related to Bitcoin that he could steal.

But the problem was he wasn't finding anyone good to target.

He'd find people who had Bitcoin, but they didn't have money on an exchange or he couldn't get into their email.

He needed some help.

And someone had found a GMX vulnerability.

GMX is an email service based in Germany.

And what he had was a vulnerability that let him take over any email address that he wanted at GMX.

Well, this was great for Joseph.

It made the process so much easier.

Now he didn't have to call anyone to get it reset.

He could do it all himself.

Now, this vulnerability is somewhat interesting.

So let me explain to you how it works.

Essentially, it's a session manipulation.

You needed two GMX accounts, one that's brand new that you can log into, and then the target account that you want to log into.

So you start by logging into your own account, then open a new browser, go to GMX, and say you want to reset the password on your target account, but just before clicking the reset button, you need to put an active session that you have on your other account into this browser to make it look like you're already logged in.

Now, when you click reset password, it sees that you have an already logged in session and it just lets you reset the password.

This was a pretty serious vulnerability on GMX.

Imagine just being able to take over anyone's account you wanted.

And he tested it and it worked.

And so now he was on the hunt to find GMX users who had Bitcoin.

I didn't know how to target these people or who to really go for, so I was just using Google and type in like keywords Bitcoin and like GMX.

With a few Google searches, he started seeing people talk about Bitcoin on forums that had GMX email addresses.

So he'd use this vulnerability, get into that person's email account and start looking for anything Bitcoin related.

But over and over when he did this, he just wasn't finding anything.

Until one day, he does find someone who has an account on a Bitcoin exchange.

I got into their blockchain wallet and I remember seeing like 20, 25 Bitcoin, which at the time was like 5k and I was freaking out because 5k was a lot of money.

I was 17 at the time, but he had a secondary backup phrase, so I couldn't actually withdraw the money.

So I was basically just sitting on this account and couldn't withdraw any of the money.

Ah, so close.

A secondary passphrase was used, which screwed him up.

But this was close enough that he knew he was on the right path.

He just needed to keep looking.

And eventually he was going to find some money.

Okay, so there was this site called Cryptsy, which was an altcoin trading website back in 2013 through, like, I think they actually got seized because the guy scammed out or something.

There was a legal case with it, actually.

I think he took all the people's money, but that's a different story.

But essentially it used to be a very popular altcoin trading platform.

I got into someone's Cryptsy account and they had a thousand dollars, and I don't even remember what altcoin it was.

It's definitely not one that's around today, but they had that.

I exchanged it for Bitcoin, and then I exchanged that Bitcoin for PayPal.

And that was his first crypto heist.

$1,000.

And the way he would get the Bitcoin into his PayPal wallet was using LocalBitcoins.

This is a site where you could just connect with another person on the internet who wants to trade Bitcoin with you.

In this case, he found someone who he could send Bitcoin to and they would send him money through PayPal.

It worked.

It's like a natural high.

Like it's,

I could compare it to a feeling of like a drug feeling.

Like it was a rush for sure.

This is still 2014.

I'm sort of, I'm still under 18.

I'm still kind of a new person to these things.

You know, and I'm after that, I didn't have much success with it.

I was actually making more money selling these usernames still.

So my focus still wasn't like, oh, crypto is an easy way to get rich yet.

It was still like, hey, you know, that's cool.

There's a chance you can do stuff with it.

But I was still looking at these usernames.

But in 2015, that sort of changed a bit.

A major event happened that would turn out to be a gold mine for Joseph.

The website BTCE had suffered a data breach.

BTCE is a crypto exchange.

You could go there and buy Bitcoin, sell Bitcoin, and a bunch of other types of cryptocurrency too.

Well, in 2015, their user database was stolen by someone.

No money was stolen, just the user details.

And this included the username, the password hash, the address, and how much Bitcoin was in their wallet.

And I knew some people that, I'm not sure if you've heard of them, Lizard Squad, but they had access to the database.

And in 2015, one of their members hit me up and started asking me if I could help them get into these accounts because I was very good with AOL and Yahoo still.

I still could social engineer into them pretty well.

So they started listing me off these Bitcoin emails

that were on BTCE.

And also the thing about BTCE, it showed their balance.

So they could link me people with 100,000 Bitcoin and essentially I'd have their email.

I'd just try to break into their email.

Now keep in mind, he didn't have access to this BTCE database dump.

That would have been like the motherlode to him.

But he was happy to work with the people who did have access to it to try to steal Bitcoin from the specific users they gave him.

My first one that I got for them was this Yahoo.

It was one of the bigger ones on the list, and it had

six figures in crypto in it.

It was like, at the time, it was probably thousands of Bitcoin because Bitcoin's a lot lower, but it had six figures in it.

I got into the Yahoo, I reset the BTCE, and there's another PIN code.

It's basically you have to enter this passcode to access the funds.

I don't know the passcode so I pass it to my friend who gave me it and he says he's going to send the fake ID and I'm not sure what happened after that.

When he handed it over, the person he was working with said they lost access to that account and didn't get any money from it.

And Joseph just wasn't sure if that was true or they were just saying that they wouldn't have to pay him his cut of the stolen funds.

But the person who had the BTC database kept working with Joseph, giving him one or two accounts at a time to see if he could actually steal Bitcoin from them.

But it was at the time, I think I made $10,000 to $20,000.

It wasn't like a,

I mean, Bitcoin was a lot lower at the time, but still it was about $10,000 to $20,000 from BTCE stuff.

That was going all right.

But he was only getting a trickle of targets from this list.

He definitely wanted his hands on the whole database so he could just go hog wild in there.

I mean, a database full of usernames, email addresses, and how much crypto they had would have been golden for Joseph, the guy who's been getting into email accounts for years, but he couldn't get his hands on the database.

So he went back to stealing usernames from people.

Think about like Twitter, Instagram, stuff like that.

He'd get into the email associated with their account and reset their Twitter password and then get into those accounts and sell those to other people.

He was definitely playing hard in this account market, too, becoming well known for having some pretty incredible accounts.

Gosh, you're you, you,

You have so much stuff going on.

Oh, yeah.

Yeah, it's.

I mean, this, it starts in, you know, 2010 where I'm social engineering stuff, and it goes all the way to 2018.

That's an eight-year kind of thing.

We're about halfway through this spree of his, so stay with us because we're gonna take a quick break.

But when we come back, everything goes off the rails.

This episode is sponsored by Vanta.

In today's fast-changing digital world, proving your company is trustworthy isn't just important for growth, it's essential.

That's why Vanta is here.

Vanta helps companies of all sizes get compliant fast and stay that way with industry-leading AI, automation, and continuous monitoring.

So, whether you're a startup tackling your first SOC 2 or ISO 27001 or an enterprise managing vendor risk, Vanta's trust management platform makes it quicker, easier, and more scalable.

Vanta also helps you complete security questionnaires up to five times faster so you can win bigger deals sooner.

The results?

According to a recent IDC study, Vanta customers slashed over $500,000 a year in costs and are three times more productive.

Establishing trust isn't optional.

Vanta makes it automatic.

Visit vanta.com/darknet to sign up for a free demo today.

That's vanta.com/darknet.

So, uh, I mean, what's your, what's your moral compass like at the, well, nowadays it's not, now I'm talking about when we're, yeah, when you were doing BTCE kind of stuff.

It's sort of kind of gone into the natural order of, who cares, it's online.

It's sort of like, when I'm doing these acts online, I don't feel guilty at all.

You know, I remember in early days I kind of felt guilty about it, but, you know, when you're looking behind a computer screen, you're not, I'm not, I would never be able to rob someone at gunpoint with a gun, but I'm looking behind a computer screen.

I don't see who I'm hurting.

I mean, now I can obviously see it's wrong, but back then, I honestly didn't really have a moral compass.

I was willing to go the lengths to get these people's accounts, and I didn't feel guilty about it.

I'm not staring them in the face.

I'm just essentially just able to take these accounts, and I'm not, I'm not sweating about it.

I sleep fine at night.

Like, I'm taking money, and it's the last thing on my mind is, oh, I should feel bad about that.

It's a terrible mindset to have, looking back at it, but that was my mindset at the time.

There wasn't really a solid moral compass when it came to my online activities.

I never swatted people.

That was a moral compass for me, because I always thought people could get hurt if someone did that.

So I never did anything physically, like, to possibly put someone in danger.

But when it came to taking people's emails or doing stuff to people online, there was, there was really no moral compass.

Oh, interesting.

So physically hurting anyone was the line.

You're like, I'm not going past that.

And there was a lot of swatting going on.

I mean, the circles you were in, people are swatting like crazy because that's.

And I have been swatted a few times.

And I just, I always heard stories about people dying over swatting.

And honestly, that, you know, that was my limit.

I don't want anyone getting hurt in because of one of my actions.

Wait, you got swatted?

Oh, yeah.

Definitely around that time.

I got a Skype message, and the person said, hey, you have @darkness on Twitter.

You're going to give it to me or I'm going to swat you.

I basically just said, no, I'm not going to do that.

Absolutely not.

You know, playing the tough guy attitude.

He said, okay, you're going to get swatted.

So I'm a little on edge.

You know, they posted my address.

I know they have the capability.

How do you think they got your address?

Well, I mean, I used to register domain names.

So I might have not always had the best OPSEC.

I mean, I obviously didn't in some cases when I was younger.

And if they can find old domain I registered when I was 14, 15, my address was public on those at the time.

So basically, yeah, I hear, I'm expecting it.

And, you know, I hear bang on the door.

And I rush up from the basement all the way there.

And then my mom says, go downstairs.

You need to hide down there.

I said, no, this is the police.

And she kind of, her facial expression changes because she thought we were getting like robbed or something.

But she's like, okay, I'm like, we just need to go out.

So we go out.

It's the SWAT team.

They line us up against the house, pointing guns at our back.

And eventually, they realized there was no hostage.

Apparently, I had, according to the swatter, I had killed my sister, which I don't even have a sister or any siblings, amongst other things.

And that I would shoot any police officer that would come in the door.

So, they obviously realized that was a, you know, false flag.

And I basically just said someone online wanted my username.

They're like, oh, okay.

And they just left after that.

I mean, at some point, your parents have to, like, I don't know, notice something, right?

Like, okay, so there's swatting going on.

You've got some strange amount of money.

Like, what are you spending this money on?

Is it noticeable by your parents?

No, no, I'm, my money, I more just saved it, had it in my PayPal.

I, yeah, I buy stuff like video games or, like, card games, like cards and stuff like that.

But I, I wasn't going out buying the new designer outfit or anything like that.

So it wasn't very noticeable to my parents that I had money.

Like Pokemon cards?

Yu-Gi-Oh! actually.

So I was a Yu-Gi-Oh! kid as a kid, and there were these rare cards.

So yeah, I'd buy Yu-Gi-Oh! cards.

Okay.

So, I mean, what do your parents say from this?

Are they privy at all to, like, your whole thing?

I mean, my parents know I'm into these accounts.

They know I have these.

They don't necessarily know that I'm just straight up stealing them, but they know people want my accounts and, you know, they're willing to go to strange lengths.

but they're not really suspicious.

They trust me as their son.

They're not like, Joseph, what are you up to down there?

Like, are you up to no good?

Like that thought, you know, never crossed their mind.

My family's always been very supportive of me and never really, you know, always had trust in me.

There was discipline in my family, but they weren't super, you know, uptight discipline.

They weren't, you know, questioning and taking away stuff from me.

Yeah, I mean, it's kind of a good excuse, right?

Do you tell your parents like, yeah, I mean, you know, this is my Twitter account.

Somebody wanted it.

What am I gonna do?

Like, it totally, like, separates you from the whole rest of the illegal activity you're doing.

And it doesn't, it's not even, like, about the illegal activity.

So the first time the cops come to your house, it's because you were a victim, not even a criminal.

Yeah, exactly.

The first time the cops come to my house, I'm, I'm a victim, you know.

Uh, it would only be about, uh, it would be about six, seven months later when the cops actually show up to my house for something illegal, and suddenly I'm not the victim, I'm the perpetrator.

Yeah, so yeah, and that, but that's not about SIM swapping, that's about taking an Instagram account.

Okay, let's go into it.

What happens when the cops come back?

Okay, so I had, in 2015, there was the, I'm sure you know, there's sort of a, certain accounts with big followings get, you know, you can make money off them if you, by promoting people.

Like, if I have a big page with millions of followers, people pay me to shout out their products.

So in about 2015, I had broken into an AOL account of this guy that had this massive car page on Instagram, had over 3 million followers.

And I had just taken it from him, and then I had, I had the account for about two weeks before he got it back.

But I had made a little money off it, and I had actually linked my friend's phone number to the account.

And so

Eventually this guy, most people, you steal their account.

They're not going to go the extra mile, but this guy had a vengeance out for me.

He put in his own money to get the people to investigate into it.

And eventually they traced that phone number to my friend.

And then my friend to me.

And they still didn't have any, you know, enough reason to arrest me or anything.

But they had enough to get a warrant on my house and essentially seize all my computers.

He said they were going to look through his devices to see if they could find any evidence of him committing crimes.

And they didn't charge him with anything because they didn't have enough evidence.

And they were going to look through his computers to see if they could find something on him.

And of course, his computer was full of chat logs and evidence of him stealing accounts and Bitcoin.

And when that day winds down and he goes back to his room, he has no computers at all to work on.

And actually, my friend comes by and just drops off his computer.

And funny enough, I had actually just ordered a new computer a week earlier, and that comes in too.

So I get my computer, I get access to the internet again within less than 24 hours.

And that doesn't really scare me at all.

I'm still gung-ho to do stuff, you know.

Okay, so you have, or like, did you, did you continue to try to take and sell usernames at that point?

Yeah, but I, I stayed away from those big million follower accounts.

So I still continued usernames, but those million follower accounts I had stayed away from.

I was sort of a little shy with those.

And then it was that same year where I finally got a hold of that BTC email list.

Someone I knew, I had helped the guy get into a Sprint account, and in return he gave me that BTC email list.

So now I have control of the email list and suddenly I can start going through the list and trying to take accounts.

This was the golden list, the list of people's names, email addresses, and how much cryptocurrency they had at the BTC exchange.

Of course, Joseph was very happy to get this list.

Oh, yes, definitely.

100%.

I mean, I'm 19 at the time, so I'm out of high school, so I can do this all day, essentially.

Yeah, it was a really big deal for me to have that because I thought that was the pinnacle of just getting stuff.

He'd comb through the list, looking for accounts that had a lot of Bitcoin in it, and then looked to see what email addresses were associated to that.

Now, as you know, typically when you log into an email account, all you need is an email address and a password.

So he first wanted to see if he could figure out the password.

Joseph was getting more savvy in the hacking scene, and he signed up for a website which lets you put in an email address and it would search all the public database breaches out there and tell you any cracked passwords that were associated with that email address.

And you'd search in the email into this leak site and it would display the public passwords of them.

So essentially I'm copying these passwords.

I'm trying them with variants.

Like if the password's cooldog122, I might try cooldog with a K, or maybe cooldog122 with an exclamation point at the end, and just hoping... I try a few variants of that I've found are commonly associated, and then try to just sign into the email account.

An interesting one where people thought they were being slick is I remember commonly seeing something like a password, like a complex password, and then maybe an at symbol and then paypal.com.

And eventually I just pieced together, oh, for linkedin.com, it's linkedin.com.

For MySpace, it's myspace.com.

Let me just use their common password and then let's try yahoo.com.

Oh, yahoo.com works.

So they're just using a very, their common password with basically just the site afterwards.

And that was actually a common strategy.

It seemed like a decent amount of people were using.

So I kind of picked up on it and always like tried it.

Oh, wow.

That's interesting.

So even though people were using different passwords on every site, which is what you should be doing, the way they were changing it was guessable.

And Joseph was able to piece this together and make some money from this.

Just to see if I can get lucky.

And in some cases, I did.

There was a few accounts where I got lucky in and I entered the password correctly and just straight up reset their account.

And I'd say in that little run, I made about 30 Bitcoin or so, which at the time was about $10,000 to $15,000.

Well, after a while, this list had grown cold.

It got passed around a lot, and all the accounts with big Bitcoin had already been drained or moved.

He was getting into accounts, opening the lid, and seeing nothing in there.

So lots of hacking, but not many hits.

So I'm doing that, but it's at that point where I'm sort of, I had a group of friends who was suddenly targeting different people.

They're saying BTC isn't the move.

Instead, we should start targeting altcoin investors.

So, while Bitcoin is sort of the flagship cryptocurrency, there are many other cryptocurrencies out there.

Anyone who wants to start their own cryptocurrency can, and there's lots of money that gets poured into these altcoins.

Now, around then, Joseph was seeing the people in his circle starting to get into sim swapping.

This is where you can try to take over someone's phone so they could then reset the password on an email account.

Well, since Joseph was literally in the business of resetting passwords and getting into email accounts, it made sense for him to start learning how to do sim swapping and see how that can be added to his tool belt.

So he started dabbling with it.

Back then, you know, Sim swapping was fairly easy.

You could, you would, back then they would ask for last four digits of social.

Oh, hey, I'm calling up AT&T.

Hey, you know, I'm trying to swap.

I just got a new cell phone.

I have a new SIM card.

I'm trying to activate my device on that SIM card.

And they'd say, okay, well, what's your name?

You'd say it.

Then they'd ask for your last social security number.

You'd give it to them.

And you can buy basically almost anyone's social security number off the dark web for like essentially three bucks.

So you just buy their social for three bucks and call up AT&T, Verizon, T-Mobile, and they'll just activate the device for you.

So it's really easy.

But while Joseph did it a few times, he wasn't doing it that much, really.

until he got in with this group of online criminals who were doing sim swaps to steal people's cryptocurrencies.

And specifically, this group was focused on people with a certain kind of altcoin, Augur, which was the first ERC-20 token to be featured on the Ethereum blockchain.

It was essentially the first Ethereum altcoin on the blockchain.

And I believe the persons I was involved with actually targeted that company, and they got a list of all the pre-sale investors, basically everyone who had deposited money when they were launching.

So they had the list of all the basically ICO investors and it would show their address.

How'd they get that?

I think they actually sim swapped the people in Augur and I believe they had it uploaded on like Google Drive or something, you know, just to keep track, like a spreadsheet essentially.

Now that's wild.

All the sim swapping that happens because, you know, sim swapping to get an ad account.

Yeah, okay.

I covered that.

Sim swapping to get some Bitcoin.

But now here we go.

Sim swapping just to get a database.

Right.

But I mean, even if you get a sim swap, how are you going to get the database?

You're going to.

That's, you see, they must have reset the person's Gmail, and I'm not sure they're necessarily looking for that.

It's hit or miss sometimes with these things. You can do all this work and still not make money, which is, you know, you're not going to get everything first try.

But they got these Augur people, and they must have had their spreadsheet backed up with Google Drive or something, basically to easily keep track of it.

And they download this and this is even more valuable.

This shows Ethereum address.

It's like essentially the BTCE thing.

It shows Ethereum address, how much money they bought, and their email.

Whoa, did you follow that?

When this Augur crypto coin initially launched, there was a pre-sale where investors could buy some early.

And the CEO of Augur was saving all these investors' names in a spreadsheet and storing it on Google Drive.

And this group then sim swapped the CEO, probably just looking to steal some crypto, but instead went into his Google Drive account and found the spreadsheet of all the initial investors.

Their email and how much Augur they bought.

This list was amazing for this particular group of criminals.

Joseph was seeing these people go down the list, targeting every one of the whales, trying hard to get into each of their accounts.

And he wanted to do it too, but they wouldn't give him the list.

It was too valuable for them.

He did help this group get into other crypto-related accounts, though.

And he says at the time, AOL and Yahoo emails were the easiest to break into because it didn't take much for him to call up and convince them that he was the owner of the account to get the password reset.

Let's just reenact one of these calls, right?

So you call up Yahoo and they say, Yes, Yahoo, how can I help you?

What do you say?

Hi, I'm Joseph Harris.

I'm trying to reset my Yahoo email address.

Okay, what's your email?

Docman123 at Yahoo.

Pull up the account.

Okay, we need you to verify your security question answer on file.

And/or you have a card on file that you can verify.

Now, what I would do before I would call Yahoo, in a lot of cases, was I'd call up the billing department.

Call up Yahoo, say, hey, I'm trying to add a card to my Yahoo account. I'm actually thinking about making a purchase, Yahoo Small Business. I need to make sure my card's on file.

And they'd say, okay, we don't have a card on file. I'm like, weird, I thought I just added it. Would you like me to add the card for you?

So you give them a fake Visa. It doesn't have to be valid at all. It doesn't actually bill anything. Just give them a fake Visa, give them a security code, and they register it on the account.

Then call back the regular Yahoo support. Hi. Oh, we see you have a card on file. Could you verify the last four digits of the card?

And you know that Visa because you added it. You tell them the last four digits of the card. Okay, we've successfully...

They'd actually say congratulations, which I always thought was funny, because if it's someone who lost access to their email, why would they want to be congratulated? But for me, congratulations, you got the account, essentially. So I always thought it was a funny word choice.

They'd say, congratulations, we can add an alternate email to you, we can do this.

And what I would do is I'd say, these security question answers I have on file, I think someone might know them. Could you transfer me to a manager so I can update them permanently in the system?

They transfer me to a manager, and I would tell them, these security questions, they're compromised, like someone else knows them. Could you update them on file?

And they would essentially permanently update the original security question answers.

So if DocMan1337 Yahoo is trying to get their account back, they call, what's the name of your first pet?

Oh, my first pet is this.

That's not what we have on file.

They can't even get their Yahoo back because I've updated their original questions with a manager.

So now they can't even get their email address back.

Man, he's scary.

This worked very well for him to get into these email accounts.

And at the time, he was getting into a lot of them.

He didn't have any other jobs.

So he would just focus on this all day.

So he was mastering the dark art of email compromise.

But because he was doing this so often, he would always be on the lookout for easier ways to do it, such as looking for bugs in some of these email providers.

And one day he found a bug in Gmail, which let him reset anyone's password.

See, at the time, if you told Google that you forgot your password, it would look at your cookie history to see if you ever logged into that account before.

And if you didn't have a session cookie from the past, it would ask you some really hard questions to do the account reset.

But if it did see that you had a cookie from a past login, it would only ask you some easy questions to let you back into the account because it probably meant that you were the rightful owner.

So Joseph decided to make fake cookies.

My bug was essentially I was able to get it so it appeared that way for any account.

So when I tried to reset a password on the form, it would show that I had signed into that email before.

So now suddenly when I reset the password, the forms registering as this person is signed into this email right now.

If they fill out a basic amount of information, we either give it back to them or in some cases, it would just straight up let you change your password right away.

It was so heavily reliant on cookies back then that even if you had the wrong answers filled out, it would still let you reset the password because it's like, this person's signed into the account right now.

It just would reset for it. It was a terrible bug with Google.

It was never publicly disclosed. It wasn't like it was big news. I'm sure if it was big news, Google would be getting all kinds of stuff for that.

But it was never... it was sort of, I found it and I told a few friends, but it was never like a public bug that everyone was doing.

So Google eventually fixed it after about a month.

But for a whole month, yeah, you could essentially, as long as the account wasn't two-stepped, you could basically just do the trick and then you could essentially just reset anyone's Gmail.

Some cases it didn't work, but in most cases, it would just reset the information, the Gmail account, with not knowing any information, because it registered that your cookies, essentially, that you were signed into the Gmail account right now, as we were speaking.

Your cookies are attached to this Google account.

So, you see, there were lots of different tricks he was using to get into accounts, but it doesn't stop there.

This group was giving him users to target, and they were heavy into sim swapping to get into emails and accounts.

And so, he was learning how to sim swap pretty well, too.

So once you get someone's Yahoo account, you probably like get in the zone.

Like it's probably go, go, go time.

What are you doing?

Like you lock the door, put the headphones on, let's go.

And what is it that's going on?

I'm typically looking for, if it was crypto, I'm obviously looking for their crypto wallet.

Do they have a backup?

Do they have a form I can reset?

Do you have a certain tool that's looking through the email?

No, I'm manually searching it because I don't want to miss anything.

A tool, they can miss something, but I'm going through, if it's a crypto person, I'm going through every email, any lead that could possibly lead to something because I don't want a machine to miss it.

So I'm just manually looking through.

Yeah, it's time consuming, but you know, if you go through it too quick, you're going to overlook something that could lead to something.

So rattle off like the first five searches you might do.

Well, if it's, if it was, depending on it, with Yahoo, for something else, I would be looking at their Google Cloud or their OneDrive account and try to see if they have any pictures or backups saved there.

But with Yahoo, they have Yahoo documents, so I might be looking through your Yahoo documents or I might be searching keywords relating to crypto, something like that.

Yahoo documents, see if they have any backup.

If I'm looking, if I know specifically they have an Ethereum wallet, I might search up the keyword Ethereum wallet JSON and see if they have the Ethereum wallet backup there.

Now, another place he liked digging through was people's Google Drive or OneDrive.

These are private storage places that people use to put sensitive information on so you don't lose it.

And he would find ways into this and start looking around for interesting stuff there.

A lot of people do store their seeds and their private keys in their email.

It's a terrible habit to have, but back then especially, you'd see people that would write down their private keys in their cloud storage or something like that or have their backup taking a photo of and be in Yahoo Photos, something like that.

What's the trick to try to find these things?

Are you just looking for "seed phrase" and...

Yeah, or, yeah, exactly. I'm just going through, looking through sent, inbox, seeing if they have sent themselves an email.

I might do from this email to my email, see if they did that. Going through photos, just manually searching, making sure I don't miss anything.

So you're also looking through Dropbox and any other place that they might...

Oh, of course. If I can get into their Apple account, you know, if someone hasn't turned off their sync settings, automatically, if they take a photo of my seed, I'm gonna see it in the iCloud unless they change their settings.

And not everyone's going to go into their iCloud and disable it so it syncs to iCloud.

You know, like most people have their sync option on.

So if they take a photo, I can see that photo of whatever they took in their iCloud.

Most of the time, both Android and Apple phones will automatically send photos taken on the phone to Google Photos or iCloud.

And because Joseph knew this, he would get into there and look through the photos taken on the phone to try to find anything good.

Some people don't even know their photos are synced this way.

And this makes me pause to think too, because what if he's not there to steal cryptocurrency?

What if he's there to steal nudes or incriminating photos or just private stuff that you don't want leaked?

This is way too easy for someone to get into the photos taken on my phone.

And I think the problem here is that we want phones with cool features that are easy to use.

And sure, you could set your phone to not back up the photos to the cloud, but now you've got to find a way to back up these photos yourself somewhere, which is a lot more work.

It's harder to do.

And so we opt for easier methods to do things, even though they're less secure.

Eventually, Joseph got his hands on the full list of Augur investors and was going wild with that.

He had lots of ways into accounts, but sometimes they would all fail.

And that's when he had to try to sim swap it.

I have a burner Android phone that cost me 20, 30 bucks that I ordered off eBay or some site or got off Craigslist.

I have a SIM card that I just paid and bought online from eBay or some reseller.

And I got a phone, and I've just called up AT&T or Verizon, verified my details, and gave them my SIM card.

And now I have the phone in my hand and I'm going on gmail.com and I'm typing in the person's email and then I see a phone option.

I'm typing in that phone number and I'm getting a text directly to that phone in my hand, reading off that code, typing it in my web browser, resetting that person's email password.

He scored a lot while doing all this.

These are still early days.

So it's basically like, I'm not making too much.

I'm making, and 20, I hadn't made six figures yet, even, but by 2017, the end of the year, I had made six figures.

But at the time, these were a couple 10,000s at a time kind of hits.

And crypto wasn't, this is still 2016, the start of 2017.

So crypto hasn't done that little 2017 bull run yet.

Ethereum, for example, is still under $10.

But this little spree started to wind down.

The list of whales to attack was dwindling.

The Gmail bug that he found got fixed.

And the phone companies were starting to get more strict at stopping sim swap attacks.

They were now requiring people to know the account number or security number or something else to swap it.

So simming suddenly just became too hard to do.

Now most of this crypto he stole, he would just cash it out right away using local bitcoins.

But as 2017 came around, the price of crypto rose dramatically and he decided to just start keeping a bunch of it and hold it.

And without even doing anything, he was watching his money double and triple in value that year.

And one day he came across an account that he wanted to get info from and he found the phone number associated to it, but it was a Verizon number.

And Verizon just upped their security, making it too hard to do a sim swap with them anymore.

So I'm trying to reset a Verizon.

They're gung-ho on this passcode or account number.

And so I start to think, account number, how can I get that?

Is there a bug I can find to get this account number or something?

And I decide to look for a bug that might disclose the account number.

I look through pages.

I'm not finding anything.

Then I think, what about the quick pay thing?

Where there's pages with like AT&T and Verizon, where you quickly pay your bill and you don't need like access to the account. You just enter your phone number.

So I look at this quick pay page. I enter a target's, a Verizon, some random guy's Verizon number, and then I look at the page. It has the account number, but it's not fully disclosed.

But then I'm like, why don't I look a little deeper? So I look into the sources, and I find a JavaScript variable that has the account number just completely disclosed right there.

So I'm now able... I found in the JavaScript that the account number is completely there.

And so I call right back up to Verizon and instantly get the account with that account number that was just disclosed to me.

And now, essentially, I'm pretty much the only one in this community that's able to do Verizons, because this is when the social stuff got patched.

So essentially, I'm like the go-to guy to reset these Verizon accounts, because I'm the only one who knows how to do them, because I'm the only one that has this bug to basically find the account number.

Huh.

I want to linger here for a second.

Joseph found a page on Verizon's website which lets you put in someone's phone number to pay their bill.

And then if he inspected the source code, he could see their account number.

Is this a data breach?

Yes, I'd say it is.

The account number should not be known publicly.

I mean, even Verizon knew that, and that's why they asked for that number before porting a SIM card over.

So the fact that you could go to this website and just get the account number of any phone number you wanted is a data breach.

But the thing is, defenders or security professionals like myself have a hard time visualizing what a data breach like this can actually cause damage to.

So what, if someone knows my Verizon account number, what are they going to do?

Pay my bill with it?

But I read something the other day that I think captures this problem.

I'm going to reference the Marine Corps doctrine on warfighting.

MCDP1.

Yeah, I sometimes do read Marine Corps manuals on warfighting.

And there's this section which talks about the science, art, and dynamic of war.

And the section ends by saying this, quote, we thus conclude that the conduct of war is fundamentally a dynamic process of human competition, requiring both the knowledge of science and the creativity of art, but driven ultimately by the power of human will.

End quote.

This sounds exactly like what hackers do.

Defending and attacking a network is a human competition.

Who's better at their job?

And this doctrine goes on about how creativity plays a big part in winning a war.

You have to be able to visualize what could possibly happen.

And here's an example of a hacker being able to visualize and be more creative than the defenders.

Joseph possesses a strong creative force.

It's remarkable what he can do with just a little bit of user data.

Yeah, like, oh, what can we do with an account number?

Like, okay, haha, yeah, they know the account number.

So you look at this like, oh, this is such a little breach, but this one little breach is basically the key to take over anyone's Verizon account.

It's scary to think about because when you give this little piece of user data to someone like Joseph, who's skilled at sim swapping and stealing crypto, it could mean hundreds of thousands or millions of dollars in stolen money from users.

And the weird thing is, Verizon isn't even going to be blamed when their users get their money stolen.

I don't know.

I guess I'm just surprised to see such creativity and enormous human will that some attackers have.

And this wasn't the only time he found a vulnerability on a cell provider.

He also found a bug on T-Mobile's website.

So essentially what I did is I had a compromised account number to a T-Mobile account.

So I signed in with someone else's T-Mobile account and I just started looking through the HTTP traffic and I was looking through requests.

I'm visiting every single URL and just basically getting a full scope of the requests being sent out, and I stumble upon the WSG one, which is a new one.

And I noticed it has the T-Mobile ID field in it, and it has the phone number of the person I'm signed into.

And so, it was a very simple thing, I just tested with someone else's phone number, where it disclosed their info.

And then I started trying different values after that. So instead of MSID, I try a T-Mobile ID, and then I could search them by their email address.

So I was just figuring out these different parameters I could use to pull different information, or pull up information based off like account number or email address or phone number.

And it would just display their information.

I'm proper impressed with this.

I mean, he's capturing packets, changing the data on it and replaying them.

That's not some basic skills there.

He's got some real hacking chops to figure that out.

But what this did is it allowed him to read text messages for other T-Mobile users without having to sim swap them because he was changing the IMSI number.

Joseph was getting pretty dangerous.

He's mastered how to get into people's emails.

He's cornered the market on sim swapping certain carriers.

He's finding some pretty juicy vulnerabilities and he's absolutely ruthless about stealing people's cryptocurrencies.

He starts learning about how to find even bigger accounts to go after because since crypto was booming, it meant there were a lot of newly minted millionaires.

And Joseph was laser-eyed focus on who they were and was targeting them.

And sure enough, he got into an account which had over a million dollars in cryptocurrency and he stole it.

And at this time I was a crypto millionaire.

There was a hack I did that I made millions of dollars essentially by finding a backup seed.

This was a big score, his biggest yet.

He can't go into details about this one though, but it was exciting for sure.

He was walking taller and on a new high for about a week because that's when the cops showed up.

So they actually went to my old house, my mom's, or they basically said we want to see Joseph.

And she gave them my new address and gave me a call, a heads up that they were on the way.

So I was kind of prepared, but they were, I kind of just put my computer somewhere where I, I didn't have time to get rid of it or anything, but I just kind of put it to the side and they knocked and they said, Joseph Harris, like you're under arrest.

And honestly, I'm not sure.

I asked, is this like about?

I knew there was that other charge.

Like, is this about the Instagram thing?

And they said, yes.

And then essentially, they took me to the near police station.

I was booked, took fingerprints.

And then essentially after that, they let me go on a $500 bail.

What?

He was arrested for stealing that Instagram account from a while back?

And the cops had no clue he had stolen a million dollars a week earlier.

So he got a misdemeanor charge and was let go on a $500 bail.

Yeah.

And I mean, did that scare you at all or were you just like, ha ha?

I was sort of like a ha-ha moment in a way, but I did get super careful after that.

Anytime I would use a computer, I just started destroying them, completely just removing all, like, any computers I had.

I went probably through like five Macs like within like nine months and probably destroyed a couple PCs while I was at it.

I was just, I would, because honestly, how they got me was they had done forensics on my computer.

And even though I had thought I had deleted everything, they could obviously still dig into the RAM and see, oh, this person had Skype logs.

So even though he's deleted everything, we can use advanced forensics and find all that he's been doing.

So I wasn't even going to risk D-banding at that point.

I was not going to risk anything.

I'm doing bigger bucks.

I can afford to buy new Macs.

I'm just going to completely smash, scatter these parts in dumpsters wherever I can and just not have physical evidence.

Well, tell me about this smash.

Was this a social event or did you like what was it?

Oh, it wasn't.

I just, it wasn't a social event.

It was just me using tools and smashing computers and then putting them in trash bags and throwing them in different areas not near my house.

So, I mean, that was just my way of saying, okay, well, even if I get arrested, there's going to be no physical evidence.

My idea was I just don't want anyone to get a hold of my computers because I know they got advanced forensics and I'm not going to take any risks with that.

Yeah, I just imagine you taking it to a party and saying, hey, hey, everyone, give it a good stomp.

There was, I was living with my roommates at the time.

So I did have some, they didn't know exactly what I was doing.

They knew something was up, I'm sure, but they helped me smash them, but they weren't exactly sure what they were smashing for.

I just said, I need to get rid of this.

We're like, okay, Joseph, sure.

So there was sort of these things where my friend would get out the chains, not chainsaw, it's some sort of tool and basically drill into it.

That might have been a drill bit.

I don't remember completely, but yeah, we destroyed it.

I remember us playing around with magnets too.

So there was sort of that, but it wasn't something like that, essentially.

It wasn't one of those things to flex.

It was more, I don't want this to be evidence.

I got to get rid of it.

By this point, he had graduated high school and moved out on his own.

And the story he told his parents was that he was a Bitcoin investor.

Since it skyrocketed that year, it was a believable story.

And it was partially true.

So his parents trusted that he was doing well.

And he started getting more sophisticated with laundering his Bitcoin too.

See, when you steal someone's Bitcoin, it's hard to cash it out without it being tracked to you.

All the exchanges require KYC, or Know Your Customer, and you have to give them a valid photo ID and tell them who you are and all this kind of stuff.

And so if there is a crypto heist or some funny business, the feds can track that crypto to an exchange and then get the exchange to tell them who cashed out with it.

And in fact, Joseph did have an account at an exchange, Coinbase, under his real name, and he was cashing out on some of these licks.

But he could do that because he was cleaning the money first before putting it into his account and cashing it out.

Well, so the basic idea is I was paying to have these German Binance accounts created, a thousand bucks or so.

At the time, I had a lot of money, so a thousand bucks wasn't a lot. So I'd pay a thousand bucks for a couple of these people.

This guy I knew knew a bunch of German people, so I'd have him create these Binance accounts for me, and I would essentially slowly launder the money through those.

I'd change the crypto to Monero, then I'd take the Monero out, send the Monero to my Monero address, then send the Monero to another Monero address I did.

And I'm sure you know Monero is a privacy coin, so it doesn't show up on the blockchain.

So basically, once that's... basically money laundering 101 with crypto, you need to get your crypto to Monero, and you need to send your Monero to another address so there's no transaction.

And suddenly you buy, say, Bitcoin again with Monero or Ethereum, you know, there's no way to tell where that Monero came from originally because it's not public on the blockchain.

So essentially, once you buy that Ethereum, all that shows is that someone bought Ethereum with Monero, but we have no idea where this Monero came from.

So they can't, you know, do blockchain analysis and track, oh wait, this came from this hack and this hack.

All they see is someone's used Monero to buy this, but there's no proof that I got that illegally.

There's no proof. I'm just a Monero user.

Makes sense. So you've got some money coming into Coinbase, you're cashing out, putting it in your bank account. You got an apartment or a house or something?

Something. I have a house with four roommates. It's not a big house. Like, at the time, I'm still living within my means, you know. You see all these crazy stories, and honestly, I always kind of looked down on it. I'd see people going to LA, posting their ads, and I'd kind of be like, oh. I've never really been the party type myself. I was more just kind of like, I had this money, I was saving it. You know, I wasn't, I was buying stuff, like I bought some usernames and stuff, but I wasn't, like, going out buying Lamborghinis and stuff like that.

Yeah, so you are doing all this work in an office setting or in your bedroom or what?

I have a little basement area and I have a decent little computer set up and I'm just kind of doing it in there.

There's a big TV that I bought.

I got a TV I can watch that.

I got some game consoles if I want to play some Xbox.

And obviously I got my computer right there.

So I also have a good Mac because I've always been, I always like bringing my Mac and doing stuff on my Mac too.

So those are my main setup.

I got my big PC downstairs and I got my Mac that I use around the house.

I'm just trying to picture it, right?

And, let's just put it this way.

That house, it's a small little house.

It's just kind of crazy to think.

My friends used to joke about it now, but it's like millions of dollars was stolen in that house.

You know, just crazy to think some small little house, not like even a major place, but the amount of like money that was stolen just in the basement of some, you know, it's not an expensive house.

It's probably worth 100, 200K, and it's four people paying for rent.

I'm not paying, I'm not going out buying a penthouse or anything.

And it's just kind of odd to think, oh, wow, there was millions of dollars that was laundered and stolen through that house.

Did you have like an exit strategy in mind?

Did you say, okay, I'm going to only steal this much money and then I think I'm going to hang it up?

Or what was your...?

That was sort of it.

But it's just that, like you said before, that rush.

One second, you are not a millionaire.

You have thousands of dollars or 100K, but you're not a millionaire.

Then within two seconds, 10 seconds, you instantly have $2 million, $3 million.

Just within like a minute, it's that rush.

It's like an insane natural high that you're like, whoa.

When you have that rush, when you make it and it's like, oh my gosh, I just did it.

I just have an extra $2 million.

What do you do to maybe celebrate?

Or what do you do after that to just kind of let it linger?

Probably just go out with my friends, play video games, get some food, honestly. I remember after my first million-dollar one, I had my friend, and we went to Fazoli's. It's an Italian place, and that was my celebration.

Fazoli's gives you free breadsticks. Let's go, hey, I just got a million dollars, let's go get some free breadsticks, guys. On me, on me.

Yeah, exactly. Of course it was on me. Yeah, I wasn't having my friend pay.

So at this point, it's like you're insane.

And also, like, it's just a very big rush.

It's enjoyable.

And you've already made your millions of dollars.

So now it's more like you're not even stressing about getting the money.

You're like, I can do this until I make another one.

And at this point, crypto is starting to crash.

I don't know if you remember, but in 2018, Ethereum went from near 1,500 and it started going down, slowly down to 600.

So suddenly my money is, I'm losing like every time crypto is dropping, I'm losing six figures.

That's how much I have.

Anytime it would start dropping, my millions was going down.

I was losing 100, 200, 300,000 at the time, because I had so much that anytime it dropped, I'd lose a lot of money. So that was starting, even though I stole this money, that was starting to wear on my mind, like, oh wow, my money's going down.

So I'm getting a rush from doing this and my money's going down.

Why don't I keep doing it?

So up until now, if you had control of someone's phone number and wanted to get into their Gmail account, you could just tell Gmail, hit, reset my password.

And typically the backup way into a Gmail was to get a text to your phone with a link to reset the password.

But Gmail added a new security feature, which somehow messed this up.

So SIM swapping someone to try to get into their Gmail account just wasn't working well anymore.

Basically, Gmail was starting to get a little strict.

You try to SIM swap someone, it wasn't letting you, because it would give you these unrecognized device errors.

So people were not being able to do Gmails.

But I had actually found a bug, by using a web debugger and SIM swapping, that I could actually make it appear as if I've signed into the device before.

Remember how I had done that with Gmail before to be able to reset passwords?

But here, if I controlled someone's SIM and had the SIM device, I could also do it so that I could essentially appear as if I was signing in the account.

Suddenly the form's letting me reset with just a phone number. Not even like, I'm completely bypassing GAuth and two-step, which is now in the picture.

So I have this bug to do this stuff.

And I hear about this Crowd Machine guy.

This Crowd Machine guy he's talking about is the owner and CEO of a crypto company called Crowd Machine. Now, by this point, Joseph has moved his sights higher. Instead of targeting people with crypto, why not target companies that have crypto, because they'll have way more? Now, you can go onto websites like CoinMarketCap and see who the biggest whales are in crypto.

And you can see which wallets have over a million dollars.

It's right there for anyone to see because the blockchain is a public ledger.

Joseph found a certain wallet that had a lot of this Crowd Machine altcoin in it, and it was so much that Joseph thought for sure it must be owned by either the company or the CEO. And so he set his sights on the CEO of Crowd Machine, thinking surely he must have access to these big wallets somehow.

And he has two-step security on it. He has GAuth, he has an alternate email. Normally this guy's not targetable, but I decided to try my bug on him. So at this time, I was thinking, normally when I did SIM swaps, I would let other people do the SIM for me, like they'd hold the SIM.

But in this case, I was a little upset about a breakup, so I was just kind of in ruthless mode. I was like, I want to make a lot of money, I want to do this, I want to do that. And I started seeing my friend Joel get arrested, and they got him by tracking the cell phone, like, kind of location. They could see where he was.

Okay, so Joel Ortiz was the first ever person to be arrested and convicted for SIM swapping.

Apparently he stole $23 million from someone using a SIM swap attack.

Joel is currently facing 10 years in prison for this.

Joseph knew him and didn't want to be arrested in the same way by being identified because of what cell towers he was connecting to.

So to do this SIM swap, Joseph drove far away from his home in Missouri all the way to Oklahoma.

Yeah, so Oklahoma is like, about, oh, I went to Oklahoma City. That's about an eight to nine hour drive.

It's not too far.

Maybe it's a little less than that.

So we drive down to Oklahoma.

My cousin's driving me.

And he doesn't stay long.

He drops me off.

Well, actually, he stays the first day.

And I go to Walmart to buy a cell phone, just a cheap cell phone, which that was my first mistake.

Normally I buy these things on eBay.

And keep in mind, I haven't held the phone in a while, so I'm a little outdated with how to do it.

What he means is this group he was with got so big that some people specialized in SIM swaps, and you could just tell them the number you wanted and they would do the SIM swap.

And then when you went to do the password reset, you just asked them for the text message and they would tell you what's on the phone.

And that's what he normally would do when he needed to do a SIM swap.

But for this particular one, he wanted to do it himself.

Maybe because he had this Gmail bug that he found that he didn't want to share with anyone.

So essentially, I'm just, like I said, a lot of times you know these people probably have a lot of money, but you don't necessarily know how they store it.

So I call, this time I call up AT&T and I ask to activate it.

They gave me a little trouble at first, but eventually I got them to activate the SIM card.

And then I do my vulnerability to try to make it so that it appears as if I've signed in again.

I pull off the bug.

Okay, at this point, he's in the account.

So he has control over the CEO's phone and his Gmail account, all from within this hotel room.

This is all in a hotel room.

Yeah, and I'm alone in a hotel room.

I've been alone for about five days, so I'm starting to get a little antsy and kind of nervous, and I'm upset about the breakup.

I get it activated.

I use my bug to bypass two-step.

And I reset the code with just the account with just the phone number.

And I'm excited because

I had done it before with another thing, but I had never done it to bypass GAuth.

So I'm like, wow, like this bug's even more effective than I thought.

So I sign in, and I start looking through his stuff.

Now, I'm seeing some interesting emails, but I decide to go to Google Drive and I'm looking through his files.

And that's when I see a backup to a MetaMask mnemonic passphrase, which is, I forget how many.

I think it's like 12 characters.

It's a 12-character word.

I don't know exactly what it's for, but I'm guessing it's for Ethereum.

So I put that mnemonic passphrase in MetaMask, it loads up the wallet, and I see he has $3 million in his own coin there.

Joseph now has full control of this wallet.

With just a few clicks of the mouse, he can transfer $3 million of this crypto coin to his own wallet.

And so he takes a moment to just look at this.

A tiny smile flashes across his face and he grabs it all.

All $3 million worth of this crowd machine crypto coin.

But I'm like, surely there's more stuff.

So I start, I'm, his account's a super admin on his G Suite. So I go through his users and I find the tech guy, the guy who built an automated system to send out the investors their coin. So I reset his account and I get into the tech guy's thing, and I see that he has a script that basically automates the process of sending out these coins to the investors. But his bad fault is he backed up his source code for this on Google Drive.

The source code shows exactly how to pull money out of the main wallet for this company, step by step.

So all now Joseph has to do is read what's in the source code and follow it to transfer the money to his own wallet.

So he cracks it open to take a look.

And sitting right there in the source code was the private key for the main crowd machine wallet.

He loads this private key up into his wallet, which gives him control of that wallet.

And I access the private key and it has about 17 million in it.

That is 17 million US dollars worth of this crowd machine cryptocurrency.

Whoa, this was by far the most he's ever had control of.

But at this point, it's still sitting in their wallet.

And of course, he wants to move it to his wallet so only he would be able to control this money.

So I see that this wallet has 17 million in it.

And I already have 3 million.

So I have 20 million total.

But I decide, I don't know what this moral compass was, it doesn't, me thinking back to it, it makes no sense, but I decide I'm not going to take everything from them. I just take 15 million from them and I leave 5 million still in the crowdsale wallet.

What do you think the reason was?

I think the reason was a slight bit of guilt. Like, do I completely want to take these people completely dry, do I, or just leave them with something? I think that was my mindset. Which, looking back at this, I'm gonna tank their coin anyways, why wouldn't I just take it all? But I do feel, at the time, I felt slightly bad about just robbing them for everything.

That's the biggest hit I've done. 20 million is a lot of money. So I'm thinking, do I... It was, I think it was flawed logic, and it was just rush, but I do believe that there was a bit of guilt there that I didn't want to take everything from them. So that's honestly what I believe. I mean, like, it doesn't, like, I still don't know why, because it's like, I should have just, if I had done it again, I probably, I don't know how I would have gone. But just logically, it doesn't make sense for me to only take 15 million, but I do believe there is a bit of guilt about taking such a large amount, and hence I left 5 million for them, which in retrospect doesn't make much sense, but I guess I just didn't want to clean them dry.

So he grabs a total of $15 million worth of this crypto coin, closes it all up, and shuts down for the night.

Whoa, what a lick.

$15 million.

He's pumped and amazed.

But he realizes something.

This is an altcoin.

Specifically, it's an Ethereum-based ERC-20 token.

And because it's Ethereum-based, he can exchange it directly for Ethereum.

But the more he exchanges, the lower the coin will go.

And that's because of how liquidity pools work and stuff.

So essentially, the more he takes out, the more the price goes down.

He realizes he's not going to be able to get anywhere near $15 million if he takes it all out this way.

So he comes up with a plan and tries to make a deal with the people he just robbed.

That's correct.

I sent them an email saying, hey, I obviously control the majority, like a large portion of your token sales.

If I was to sell this off, it's clearly going to cause a lot of damage to your token.

You won't come back from this.

Instead of me crashing your token and completely ruining your company, there's an easier alternative.

You can send me $8 million in Bitcoin to my address, and in return, I will return the $14 million I stole.

As a token of good faith, I've sent $1 million back to the crowdsale wallet.

Huh.

Interesting proposal.

Clearly, the company saw that they had $15 million in their coins stolen.

And Joseph knew they raised tens of millions of dollars from their ICO.

Would they want to save their coin or let it crash?

Just this week, I saw a news story that a company called Rari got hacked and lost $80 million.

And they offered a $10 million no questions asked reward to whoever returned the money.

So these things do happen.

But Crowd Machine never replied to Joseph.

Instead, they were busy dialing the police.

After a day or two of waiting, Joseph decided to just start exchanging this coin for Ethereum.

And just as he expected, this caused the price of the coin to start going down.

By the time he exchanged all his coins for ETH, what he had in his wallet was just a few hundred thousand dollars, nowhere near the $14 million that he started with.

And of course, now all the investors are mad that the coin just tanked.

So that was the part I was at.

And obviously, I was a little bummed out about the way it turned out.

It could have turned out a lot better.

I made some mistakes.

I was low on sleep.

So I wanted to get out of Oklahoma.

So I had my cousin come to pick me up from Oklahoma, the person who dropped me off.

And he gets there, we chill, and then the next day we get ready to leave.

I'm supposed to check out on a Tuesday, but instead I decide this is just weird.

I'm getting out of there.

So I, so we leave.

And actually, I forgot to mention this part, but when we were checking out, I talked to the, the, I remember the hotel guests who were checking us out were kind of acting a bit weird to us, like they seemed nervous, or they seemed like they knew something was up or something. And I remember getting in my cousin's car, because we're going to stop by Walmart to get some supplies to get rid of this stuff, and I remember seeing the person, as soon as I leave, the person at the hotel checkout goes to a van.

They literally went to a van.

I waved at them, but they didn't wave back.

And so I thought, okay, that's kind of weird.

I get to the Walmart and I see a police car parked out.

That kind of spooks me a little bit.

I'm like, okay, whatever.

So I go through the Walmart, get the supplies, and then my cousin has to fill up his car on gas.

So we pull into the gas station.

I remember my cousin telling me his last thoughts before it all happened was, it's a beautiful day.

But I was sitting in the passenger seat and then an undercover agent points a gun at the car windshield and says, get out of the car.

My initial thoughts are, I'm being robbed.

So I get out of the car.

And instead of being robbed, I'm now handcuffed.

And the person shows his badge.

He's part of the Secret Service.

What happened to your cousin?

So that's actually a really tragic part.

He actually, because he was driving me, he actually got booked too.

And his mugshot was featured on the front page of some articles as well.

He was released two days later, but I've always felt terrible about that.

And I think it was kind of bad police work and media because he wasn't even there at the time that the hack was taking place.

So it was sort of just unfortunately he just kind of got, I think he knew kind of what I was up to, but it's just unfortunate that he got kind of flung in the mix.

I've always felt bad about that.

Okay, so they, they, they put you in the back of the police car, they drive you to the station, they interview you, you answer questions.

That's correct, but I'm not telling them any information.

I'm really, I'm trying, in my head, I'm trying to beat around the bush to see what they got on me.

They're asking me these questions, and I'm not giving them the answers.

I can tell they're unhappy, and then finally, I just get sick of the interview. I say, you know what, I'm going to back out here. You know, honestly, you guys, like, I'm, whatever, do whatever, I'm not going to answer any more questions without a lawyer. And they kind of look at me and say, now, are you sure that's the route you want to take? Because the media is going to get this soon, and you know, you can help us, or you might be able to help us, or something. I just, at the time, I'm like, I'm obviously not going to rat on my friends or anyone that they might be interested in.

So I just say, nope, we're done here.

And I go back to an Oklahoma jail cell, which I don't know if you know, but Oklahoma is kind of notorious for a bad jail.

This time, the police questioned him and did not let him go home.

They kept him in jail for the entire investigation, which took months, which is kind of surprising to me that they kept him in jail without giving him any kind of verdict.

Keep in mind, I was one of the first that was arrested.

You know, there was Joel, followed by Ricky, both two I knew, and then Xavier, who I wasn't really aware of too much.

I knew him, but not personally.

Essentially, what happened is I was sent to jail.

Our appeal happens, you know, the bail set at $14 million.

My lawyer's initial reaction is, we need to get this bail lowered because we need to get him out on bail.

That was strenuous.

I was in jail from September to December before my bail hearing was finally here.

And the judge does lower it to a million dollars, but at this time, they don't have everything set.

They don't know what to do with us yet.

They don't know what sentences they're giving out.

Essentially, the judge said, the DA said, essentially said the story that I was probably one of the best hackers in America.

And that if I got released, that I would basically be free to do whatever.

I could, you know, they could set computer restrictions, but that wouldn't really stop me. You know, so they were explaining the story that if I got out, even if they banned me from the internet while I was facing trial, I'd still be able to find a way to access the internet and could, and I believe the word they used was, I was a threat to the state of California.

California, because that's where the victim was.

When Crowd Machine was robbed, they quickly called the police who investigated, and that led them to Oklahoma.

And Crowd Machine is based in California.

So the prosecutors of this case were all in California, and they put him on a plane and fly him over to California to be tried.

And strangely enough, the jail that he went to in California was where Joel Ortiz was being kept, the first person ever to be arrested for SIM swapping.

And Joseph knew this guy.

Yeah, we were both locked.

At this time, they were putting us...

This is a state charge, which I'm very grateful it was a state charge, because if it was a federal charge, I probably would have had much more time and I wouldn't have got that halftime.

But we were all, we all basically committed crimes to people in San Jose. There was, there's a special task force called REACT who investigates SIM crimes and kind of pioneered the whole arresting stuff.

Like, they were the ones that made the first initial SIM crime arrests. They're pretty smart with what they do with that stuff, and they were able to get us.

So Joel was arrested by REACT.

Ricky was a state charge in Florida.

Xavier was arrested by REACT, and then I was arrested by REACT.

And me, Joel, and Xavier were all, like, sent to Elmwood, which is basically the San Jose sort of facility for corrections, which is just, it's not a prison, it's a jail.

So we were basically, anyone charged in Cali, we were all getting sent to Elmwood.

So Joel was in the pod next to me.

I was in a dorm environment.

So we talked behind the, there was a courtyard that connected the two dorms, and you could talk through the door.

And so, and Joel, in prison they called, or jail, they called Joel Bitcoin.

So I, on my way to court one day, I heard them saying Bitcoin.

I'm like, is his name Joel?

I'm like, yeah.

And he's like, he's in that pod there.

So I had one of them basically get him to come to the door.

And then we had a brief little conversation there.

Do you remember how they caught you?

I know exactly how they caught me.

Remember that bug I told you on how I was able to reset Gmails with two-step?

Yeah.

So when I was doing it with the web debugger, I must have let the hotel's IP connect to the phone briefly, the Android device I was using.

So the hotel IP, when pulling off the bug, they were able to pull that off.

Very terrible mistake.

I had VPNs everywhere else, but I'm pretty sure they said that's how they got me, the IP address.

So I think for a brief moment, that hotel IP registered to that phone, and then they subpoenaed the hotel.

And I think my name was, I don't know how.

Obviously, a few of my friends have got arrested.

So maybe they mentioned Doc is Joseph Harris.

And essentially, I'm pretty sure.

I mean, if Joseph Harris, someone who they think may be involved with crypto crimes, is staying at a hotel where $14 million happened.

Wow, that's odd.

Oh, and also we got a Walmart surveillance footage of him buying the phone.

We don't have his name because he paid with cash, but we know he went to Walmart and bought a phone.

And we also know someone at this hotel where Joseph Harris is staying performed this hack.

So it was those two pieces of evidence.

And also, if you remember, I said I was going to destroy all that technology, including the phone I used to hold the SIM swap.

That was on me, of course, in the car while we were, we were literally, if it had been 30 minutes earlier or 30 minutes later, that technology would have been gone, completely destroyed. So it was honestly, and that case might have not had as much hold if they hadn't found the device used to perpetrate the hack. So they basically caught me red-handed.

What did jail teach you? What did you learn there?

Well, first of all, it was just, it's sort of a reality check.

You know, we take so much for granted.

Walking to Dollar General, getting snacks, going to the movies, hanging out with friends, your freedom's gone.

And jail, in some ways, is worse than prison because jail, you're in this waiting period.

I mean, there's more dangerous people in prison, but jail, there's not much to do at all.

There's in prison, you can get stuff like iPads and certain things, Walkmans to pass the day.

You can go to church and do certain things, activities.

In the jail cell I was in, there was barely nothing to do.

The only thing I could do was I worked out a bit and I read books.

But it's just such a reality check that freedom, like your freedom's gone.

So the biggest thing I learned about this is, if I keep on with this, my freedom's gone.

The prosecutors looked through all his devices, his computer, his phone.

They even read through the text messages that he had with his girlfriend at the time.

And they were surprised to see that a majority of what he stole was still in his possession, since he wasn't spending it wildly.

And Crowd Machine had some strange messaging to its investors, not being completely honest with what was going on.

Joseph went to court and in the end he was found guilty and was sentenced to 16 months in prison.

The fact that I was willing to give up all my money, the fact that I wasn't this person that was going out partying, the fact that I was someone who apparently the DA said was not, didn't seem like an awful person, was sweet to my girlfriend at the time.

And then also the fact that, you know, the crowd machine people weren't being completely honest with the prosecutor.

I think all these three things factored into me getting a very light sentence, which compared to some of these guys, 16 months is very light.

And I've always been grateful for that.

So it's always been sort of a, nah, you got a second chance.

You got lucky in this situation.

If that ever happens again, you're not going to be getting lucky.

So, and of course, there's the moral side of that. Some of your morals start to come back when you can look in your face, look what you did, look at the people you're hurting. So I think all that, yeah, I definitely learned a lot of lessons, and since then, I haven't committed any more crimes.

I've had no run-ins with the law.

And, you know, I've obviously, I still do hacking, but in the ethical side of things.

Since getting out of prison, Joseph has been looking for vulnerabilities on websites and reporting them.

He found a big one on Xbox Live, another big vulnerability with Microsoft, and a Google bug that would have made him a lot of money if he was still breaking into email accounts.

But he doesn't want to break the law anymore.

So when he finds these vulnerabilities, he reports them ethically and responsibly through a bug bounty program.

And these companies appreciate that he's reporting these vulnerabilities to them and actually paying him for it, which is what he's doing mainly now to get by.

But something I was thinking about was, what if he'd stashed away some of that crypto before going to jail?

It's gone up so much since he was arrested, and he could have come out mega rich.

But his lawyer convinced him it's way better to turn over everything since he'd get a shorter sentence for cooperating.

I mean, I could have played it differently.

I could have gone to jail, maybe done five, ten years, and come out.

And, you know, I would have been, say, I got five years or something, half-time, do two years, six months.

I could have been out by now and have been a crypto millionaire still.

So, yeah, that very much was a possibility for me.

It just wasn't a route I wanted to personally take.

I'd rather get out in my eight months' time, 16 months with half, and just move that all behind.

Because what I learned is my freedom's more important than millions of dollars in crypto.

At least for me, that's how it is.

Well, there's some lessons learned for me from listening to this.

First, this REACT task force only took three days to find and arrest Joseph after Crowd Machine called them, and that is some pretty quick moving.

It sounds like they know how to investigate these cases and are getting better at capturing cyber criminals who steal crypto assets.

So, if you're a victim of one of these kinds of cyber heists, see if there's a REACT task force in your state and reach out to them.

They've got the ability to work with tech companies to gather clues that could lead to catching the person.

Next, it sounds like if you have any crypto assets or digital assets of value, do not store it on the cloud.

For a long time, we used to say, don't keep your crypto at an exchange in case that exchange goes down or leaves town.

And if you don't have your private keys, then it's not your crypto.

So it's already not recommended to leave stuff on the exchange.

But now I want to take it a step further and say, don't store any private keys or seed phrases digitally or in the cloud.

If you took a picture of your private key, that picture might be in your cloud storage.

And if someone got in there and looked at it, game over, you just lost it all.

And if you're storing seed phrases in a text file or even in a password vault, that's also something these digital robbers are laser focused on and will go through every one of your files looking for that.

So the recommended thing to do is put your seed phrase in some fire resistant device or container and store it in a safe.

Also, we should be more protective of our social media accounts.

There's a big industry of people trying to steal these and sell them.

So make sure you're enabling two-factor authentication to protect these.

And don't make the second factor a text message.

Make it like a Google authenticator or some hardware token like a YubiKey.

And secure your email and all important accounts like this.

You've really got to fortify your digital life, and email should be your priority.

You don't want anybody getting in there and rummaging through your private stuff.

And above all, don't click on any links that seem too good to be true, because people are trying to phish you all the time, and they want to steal whatever digital assets you have that are of value.

So be super cautious about all links that people send you.

Good luck.

A big thank you to Joseph Harris for sharing the story with us.

Joseph is the fourth person ever to be arrested for SIM swapping, and it's wild to be watching modern crimes springing up and being introduced into the world.

And if you want to hear more about SIM swapping and other digital heists, check out episode 112, called Dirty Coms.

If you like this show, if it brings value to you, consider donating to it through Patreon.

By directly supporting the show, it helps keep ads at a minimum and it tells me you want more of it.

So please visit patreon.com/darknetdiaries and consider supporting the show.

Thank you.

This show is made by me, the plug, Jack Rhysider.

Sound design by the ringer, Andrew Merriweather, and editing help this episode by the holder, Damien.

And our theme music is by the 120-volt Breakmaster Cylinder.

I think I lost an electron.

Yep, I'm positive.

This is Darknet Diaries.