#954 - Joe Tidy - Chasing The Most Hated Hacker In History
Many have either fallen victim personally to a cyberattack or know someone who has. But what exactly is this growing threat? Who’s behind it, why are they doing it, and, most importantly, how can you protect yourself?
Expect to learn what Scattered Spider is, if teenage hackers are the new digital cartel and why Russia is such a hotbed for hacking, when cyber security attacks will be treated as an act of war, the wild story of the hacker Julius Kivimäki, the fallout from the CrowdStrike attack that put the world on standstill, if regulation of the dark web and crypto economy will ever evolve past what it is today, and much more…
Timestamps:
(00:00) What Is Scattered Spider?
(07:52) How We Get Hacked & What We Can Do About It?
(18:32) Today’s Rising Hacking Culture & Cybercrime
(26:40) Which Country Is Cybercrime Most Prevalent?
(33:03) Will Cyber Attacks Ever Be Treated As An Act Of War?
(37:41) How Do Cybersecurity Firms Find Hackers?
(42:39) The Lizard Squad Hack Of Christmas of 2010
(49:16) Insights From An Interview With A Hacker
(1:09:25) Who Is The Most Wanted Cyber Criminal In The World?
(1:15:53) The Day CrowdStrike Cybersecurity Caused The World To Implode
(1:20:08) Will Regulations Ever Catch Up With Cybercrime?
(1:25:45) Where To Find Joe Tidy’s Book
Transcript
What's happening with Scattered Spider?
Well, Scattered Spider is the name of this very loosely coordinated collective of hackers that are, we think, currently causing havoc around the UK and the US as well.
So, I don't know if you've heard about the news of the M&S cyber attack and the Co-op cyber attack.
So, there's a really big, if you're not in the UK, there's a really big chain of supermarkets called M&S, very much loved, over 100 years old, one of the pillars of the high street.
And around Easter time, there was a cyber attack, which started causing problems for M&S, and it just got worse and worse and worse for them because initially they said, actually, we can't take orders on the internet, which for a massive company like M&S is really bad.
Then we started seeing logistics problems, empty shelves in some stores.
And then around this same time, there was a very similar attack on the Co-op.
Again, another big supermarket chain in the UK.
They also do funeral services and insurance as well.
That attack wasn't as bad, but again, we're seeing disruption at stores, empty shelves, real chaos behind the scenes.
And around the same time, we saw an attack on Harrods, obviously the luxury retailer in London.
So everyone's wondering what on earth is going on.
And things have got progressively worse.
And then we hear the last couple of days, there are attacks on US retailers as well.
And everyone is pointing towards this really infamous group called Scattered Spider.
And they're not a normal cybercrime gang.
They haven't named themselves that.
They are, you know, not very organized.
They come together on Discord and Telegram.
A little bit like, have you heard of Anonymous?
Yes.
Yeah, so they're a little bit like that, but more out for cybercrime and money and infamy than sort of hacktivism.
So one company called CrowdStrike started looking at this activity coming from this sort of corner of the cybercrime ecosystem.
And they said, Who are these people?
Are they doing the same kind of tricks to get into places?
So they nicknamed them Scattered Spider.
Spider is the name that CrowdStrike gives cybercrime groups, and scattered is the term they give, you know, because they're a looser net, all over the place.
And actually, I'm looking right now at the CrowdStrike Scattered Spider figurine.
Um, it's very controversial, actually, that they've done this, but here you go.
So this is the... so they sell these on their merch website.
And like I say, quite controversial, actually, because it kind of glamorizes these guys.
And there are some people who would say we shouldn't really glamorize cyber criminals because the type of individuals that we think Scattered Spider are, very young, probably teenagers in the US and UK, they will love the attention of having their own figurine.
Do you think that social media platforms like Twitter have sort of changed what hackers' motivations are from just exploration or exploitation to now fame, clout chasing, stuff like that?
Absolutely, yeah.
When I wrote this book, my publisher, on the first draft, my publisher said, yeah, that's all great, but can you answer some questions as to how this has happened and why this has happened?
And they really kind of challenged me.
And I work for the BBC.
So normally, you know, we've got to be very careful about giving opinions and putting our necks on the line in terms of theories about things.
But it was quite good because I landed on this.
There are two kind of factors, which I think have turned teenage hackers from largely benevolent groups of people that are out to, you know, they're out to make a name for themselves, but they're also out to make the internet a safer place, to where we are now, where we've got cybercrime gangs, teenage gangs that are causing mayhem and trying to make money.
And I think Twitter is a very... you could kind of see, at that point when Twitter becomes mainstream, this shift starting to take place.
Because of course before Twitter, social networks were about being social with your network, whereas Twitter sort of invented the idea of followers and retweets and likes and, you know, clout online.
And that's when we started seeing, in 2011, when Twitter was really on the ascendancy, we saw LulzSec, the first of this conveyor belt of teenage cybercrime gangs.
Yeah, there's no one flexing their recent ransomware exploitation on their personal Facebook account.
That wouldn't work.
But on Twitter, that would be great.
Yeah, absolutely.
And we know from interviews with arrested hackers and convicted hackers, they loved it.
They loved the attention back then.
And I think where we are now is slightly different because I think what we're seeing is they have come off Twitter or X, whatever they're calling it.
And now it's more in the kind of insular communities.
But they're still after that online clout and that infamy.
It's just they're in their own channels in Telegram and Discord.
I was going to say, where do these people live?
Yeah, Telegram and Discord, yeah.
So if we're talking about Scattered Spider, which very much formed the last part of my book, because I talk about this gradual shift to where we are now, but Scattered Spider, they're part of this larger collective known as the Com, the community, which is a group of thousands of online delinquents, really, largely boys, obviously, it always is, and they're causing mayhem and in some cases doing some really nasty stuff like sextortion.
Do you know what sextortion is?
No.
So sextortion is this horrible sort of criminal harassment campaign where you trick someone into sending you nudes.
So I might befriend someone on the internet and strike up a relationship, a romantic relationship, send them some nudes that they think are of me, but I'm a criminal, I'm a man, not the young girl they think I was, convince them into sending me nudes, and then you start extorting them saying, if you don't pay me, then I'm going to release all these pictures.
So we see that kind of activity in the Com, and we see some really nasty stuff, some other stuff like, there's some, it's really nasty, but like cut signs.
Have you heard of cut signs?
No.
So like, you know, a fan sign where if you're a big fan of someone, you will hold a sign up saying, I love them, or you hold their name, or their band name.
A cut sign is like that, but you literally cut into your own skin the names of hackers, the names of hackers that are extorting you or...
Wow.
So the hackers are saying that you need to show me that you've self-harmed my name into your arm.
Yeah.
To show devotion or to make them feel powerful.
There's a...
Excuse me.
There's a bit in my book where there's a gang called Lizard Squad that was around in 2014, 15.
And they destroyed someone's online life.
They hacked all of this kid's accounts.
And in order to get them back, he had to make a cut sign and say, Lizard Squad made me do this.
So although people are really shocked about what we're seeing in the Com now, this kind of activity has been around for a while.
We know it's there.
We've got the history for it.
So Scattered Spider are part of this larger online cyber crime nastiness.
They're a very kind of small niche of this much larger group of largely unskilled cyber people.
You wouldn't even call them cyber criminals.
But then they come together with a little bit of skill and a lot of balls and take on these big hacking campaigns.
It seems, I don't know.
I have to assume that although M&S is a 100-year-old institution, I would like to think that their cybersecurity isn't 100 years old.
How... if you've got to have someone with talent, I assume.
How do they get into a system of any kind?
Is this cyber hacking or is this social engineering or is this some combination of the two?
It's yes, a combination of the two.
I think the initial entry is usually through social engineering.
But to be honest with you, I mean, a lot of hacking is that.
To get into a system, it's not really like in the movies where you kind of hunch over a laptop typing code furiously to get in.
Normally, it starts with like an email that you can trick someone into downloading an attachment or you call up.
This is what we think happened with the latest attacks is that they call up the IT help desk and they pretend to be a member of staff and they say, you know, I've forgot my password.
Can you let me in, please?
And it sounds so stupid.
But it works.
And then what often happens is once they are in, that's when you would argue the hacking starts.
That's when they find a vulnerability that allows them to spread themselves throughout the network, deploy ransomware, which is this type of malicious software that scrambles a company or a victim's computer and systems and servers, makes that data completely unreadable, useless, brings computers to their knees.
And that is where they send the ransom note saying, if you want the key, pay us in Bitcoin, certain amount, and we'll give it back to you.
And ransomware is by far the number one problem in cyber right now.
Right.
So this is social engineering.
Pretend to be Julie from the front... from reception who's locked herself out.
Find the person who is sufficiently gullible or doesn't stick to protocol and actually allows you in in some ways.
Then you've got access to some intranet-type system that means that you can access other bits.
Maybe some more sort of spreading from there.
I would imagine maybe you, as that person, email someone else an attachment, which gets you more access to a higher admin level.
Yes, you're a cyber criminal.
Well, I'd... look, what can I say?
I'm, uh, I am a young British man, um, but no, I mean, my password manager is a fucking mess, so I would be bad at that.
It's good that you've got one, yes, you're a step ahead of most people if you've got a password manager.
I had, who was the FBI's most wanted guy, that hacker, for a while.
Fuck, Kevin Mitnick? No, uh, maybe. He was on the show probably about three years ago or so.
And he'd gone through all of this stuff that he'd done.
He'd broken himself out of jail twice and all of this bullshit.
And I got to the end of it and I was like, hey, man, I'm fucking terrified.
Like, what do I do?
And he's like, dude, just use a password manager.
Like, the TL;DR, 90/10 solution is just get a password manager and use that.
Someone once said to me, there are buckets of how difficult you are to hack.
And hackers will always go for the easiest bucket: who can I hack who uses the same passwords across multiple accounts, who uses weak passwords?
If you take yourself out of that easy bucket into the slightly harder bucket, massively reduce your chance of getting hacked.
Yeah, why, like, even if you're the target but you're a difficult target, there's so many more easy targets, fuck it, we might as well go for them.
Okay, so, um, ransomware, what... this can just totally debilitate computer systems, companies.
If M&S can't get eggs on the shelves, it seems it's pretty comprehensive.
Yeah, absolutely.
Ransomware completely cripples an organization.
It's like going back to medieval times.
You're pen and paper, you really are.
And sometimes we've had situations where ransomware has hit hospitals, for example, and they can't even function in any way.
You'd imagine, like, some of the systems, some of the scanning systems they use in hospitals, for example, they've been infected by ransomware, so they're down as well.
So yeah, I would not want to be in an organization where they've been hit with ransomware.
M&S is going through a tough time.
I wonder whether, or probably more likely when, we will see the first vehicle hack, autonomous driving vehicles.
I drove from Palm Springs to Newport Beach last week.
Very nice.
And I was in a, it was lovely.
I mean, it was way too hot in Palm Springs, but, and I was in a rented Nissan Rogue, a new one, and it had... normal run-of-the-mill, medium-level trim Nissan Rogue, and it had this radar-guided cruise control and lane assist that was keeping in lanes.
And would, if you just knocked the indicator on, would allow you to change it.
I was like, this is assisted autonomous driving in a fucking Nissan Rogue, right?
Old school petrol, two-liter, chug, chug, chug American car, like Japanese American car in America.
And I just remember thinking, I've been in Waymos.
Waymo is now available on Uber here in Austin.
And I thought, holy shit, like if these ransomware attacks, you need, as the level of kinetic importance to people's lives increases, the level of security around those systems needs to increase.
I have to assume you've thought about this, autonomous driving and the potential risks to cybersecurity.
Yeah, yeah.
We haven't seen anything like you're talking about.
But, I mean, yeah, it's just, it does seem almost inevitable that someone will find a way to cause havoc with autonomous driving.
It's a bleak thought.
But of course, the companies that are behind these cars, they know that too.
And you hope and you pray that they are pretty much on top of security.
Jesus Christ.
We've got to the point of hope and prayer.
Forget your password manager.
Just get on your knees and, you know.
Have you read a book called Robo-Apocalypse?
No.
It's so good.
Spielberg bought the rights to it a few years ago.
He never actually did anything with them, but it would make and is going to make an awesome movie if they ever make it one day.
So in that book, it's about how AI kills us all.
And one of the ways that they initially get that first kind of like... 50% of humanity dead is they take over the driverless cars.
And the description of what can happen is, it's always, it's always stuck with me.
But not to scare anyone, that's not going to happen.
It's going to be fine.
It's going to be fine.
Okay.
Super duper cybersecure, I'm sure.
Well, yeah, up until you're reporting on it for BBC News, mate.
And then I'm going to ring in.
I'm going to say, Joe said to me from a, from a, I'm locked inside of my Tesla, which I don't yet own, in Austin, Texas.
People from outside are trying to Molotov cocktail it.
People from inside are trying to hack it.
I'm fucked.
Okay, so on that point, there was very recently, only like three weeks ago, some tech CEO in some American company, a city, I can't remember which one.
It was a self-driving city, so whatever.
Maybe San Fran or Austin or something.
Something like that.
He was stuck in one of these cars and it just kept going around the car park and he couldn't get it to stop.
And it was funny, but also like, hmm, a bit worrying.
I've got, look, you're the guy for me to give this take to.
I've said this before, but I have switched off the autonomous toggle on Uber in Austin.
So you just, it's on the back end of the settings.
Do you want to be more likely to be matched with an autonomous vehicle?
And I've said no.
Reason being, every time that there is a vehicle that's 10 minutes away, that's a Waymo, it takes 20 minutes to get to me.
Every single time.
And every single time that we do the journey, they say it's going to take 15 minutes for me to get home from the east side of town or whatever.
And it always takes nearly double.
And I realized why.
And it's because Waymos outwardly are so obvious.
They're these big, like bulbous, clunky things, lidar on top, and you know, additional Jaguar shit.
And it's white, right?
So it really stands out.
I think there's two reasons why humans behave on the road.
One is because of fear of retribution, especially in America with a very heavily armed populace.
And the second one is guilt at sort of inconveniencing somebody else.
So safety and human fucking decency, I suppose, as the two.
The problem is when you see a Waymo, there's no one in the driver's seat, and you can't see if there's anybody in the back.
So, they just get cucked at every single junction, no one lets them out, everybody's like... Pedestrians will just, I will too, when I go on a walk around Austin, I'll just happily walk out.
I'm like, it's 100 feet away, it's going to 30 miles, it'll slow down, I'll be fine.
You wouldn't do that if there was a human driving the car, so it means that until you can program in retributive tailgating and beeping the horn and flashing the lights from the Waymo to somebody else, or until you end up with more than 50 of the cars on the road being autonomous, you don't have this level of coordinate... it's an arms race, right?
It's an arms race of, uh, like, being mean as drivers, and unfortunately the Waymo has come without any ammunition.
Uh, Tesla self-driving people got a hold of this take online and said that that's different because, uh, Tesla self-driving is trained on real drivers, so you do have more natural, merging, sort of more aggressive driving styles are built in because competent drivers are the drivers that this has been built on, whereas Tesla focused on software, Waymo focused on hardware, and yeah, with Waymo, it's just, it's like being in the back of the car with your mum all the time.
Is that Tesla thing true?
Have you done a comparison?
No, I've never been in a Tesla that's got full self-driving, uh, but I also know that the Tesla full self-driving community online is, um, like, very evangelist, it's like oddly militant, uh, so I don't know, I guess I'll wait and see until I get into one.
But yeah, that's my current working thesis on autonomous vehicles.
I thought you were going to say you don't do that because of, like, the safety concerns, but actually, yeah, I also thought you were going to say they're slow because they're slow and, like, they're very safe, aren't they?
But no, I hadn't appreciated the other people on the road.
Going back to the youth, these youths online, I think I've heard you say that today's youth hacking culture has tipped from chaotic good into chaotic evil, apart from clout.
Is there anything else that's triggered some moral decline in this scene?
Yeah, so we mentioned earlier about the rise of Twitter.
I would put that very much as one of the reasons we've seen this shift.
I would also say the rise of Bitcoin as well.
Because if you think about when Bitcoin started becoming valuable and useful as a store of value or as something you could buy things with, sort of 2011, 12, 13, that's when we saw this shift.
And certainly looking at some of the people I do in my book, they go from not even thinking about money, just doing it for the lulz and for the clout, to thinking, hang on a minute, I can make some money here.
And as soon as you start introducing Bitcoin into the lives of young teenage boys, you're looking at trouble.
So without cryptocurrency, would this be even harder again?
Yeah, I think without cryptocurrency, a lot of cybercrime that happens these days would be a lot harder.
Because the great thing about crypto, of course, if you're a cyber criminal, is that I can steal crypto or I can extort crypto from someone and then it goes to my wallet and people don't know who I am.
No banks can stop that.
And if I can find a way, and it's becoming harder now, but if I can find a way to launder that Bitcoin, I can get it out of the system, turn it into money I can use.
Happy days.
If we... without Bitcoin, you get things like bank card fraud, that kind of thing.
And we did see that in some of the early days of hacking.
But of course, that's easy to trace and track and stop if you're a bank.
And one of the guys in the book, the main hacker that we follow, who started as a teenage cyber criminal, ended up becoming one of the most wanted criminals in the world.
He started by carding, which is where you take credit cards and you use the numbers and the details to spend without the owner knowing.
And the banks usually reimburse the owner.
And what's interesting about that is when they first arrest him and they're going through all the bank receipts, they work out he spent about 33,000 euros, which you'd think, like, that's quite a lot of money for, I think he was like 15, 16.
And when you look at the things he's spending the money on, it's, of course, what you would do.
We've both been 14, 15-year-old boys.
It's PlayStation games.
It's the latest phone.
It's Netflix subscription.
He even went and bought some land.
He bought like a little bit of land to call himself a lord.
Like his highland titles.
And, you know, that's what you would do if you had unlimited money.
But of course, the problem with that is when you get arrested, it's all there and the police have got it all.
And, you know, it's very hard to hide from.
Whereas cryptocurrency makes that way easier.
The other way that you could do it, I'm not giving anyone any ideas because this is how some cyber criminals work, is through gift cards.
So you don't say to someone, send me $200 in a ransom, for example.
You say, send me $200 worth of gift cards.
And then you can sell those online for $190.
So then you get, you know, you have to shave a little bit off each time.
Oh, okay.
That's interesting.
But they're untraceable.
So.
You've said teenage hackers are sort of a kind of digital cartel.
Should we be thinking about them more like organized crime than bored kids in bedrooms?
What's the tension there?
Well, I think modern ransomware groups, for example, these really, really well-run, highly organized, money-oriented gangs like, I don't know, Evil Corp or LockBit.
There's loads of them.
Conti was another one.
They are like modern cartels.
They are run with, you know, there's someone who develops the malware.
There's someone that sends out the phishing emails.
There's someone that does the extortion negotiations.
There's 24-7 customer service on the darknet websites for these things.
But the teenage hacking gangs, they are slightly different.
They're becoming more organized now with the likes of Scattered Spider.
But it is a different type of culture.
It's more of a hacking culture than a hacking organization.
I wouldn't necessarily put them in the same bracket.
But certainly, if you look at the rise of the teenage hacking gangs, every single step of the way, they've been underestimated.
There's a researcher called Alison Nixon, who she features quite a lot in my research.
And she came up with this new phrase for these types of gangs.
She calls them NPTs, which stands for noob persistent threats.
So they're newbies, they're noobs, but it's play, it's a play on this very famous and well-used term, APTs, which stands for advanced persistent threat.
So she's sort of poking fun at them.
But she says, you know, they're not advanced, but they are persistent and they are a threat.
And we should take them seriously.
And to be honest, I've been doing this job quite a long time now.
And we don't.
We don't take them seriously.
Every time there's a case like we're seeing right now in the UK, people are shocked.
How can this be done by teenagers from their bedrooms?
Well, we know from history that this is how they work.
They've just rolled the dice enough times.
They just keep on going.
Yeah.
And also they don't really care about getting caught.
This is the other thing about these teenage gangs.
Unlike the cybercrime gangs that are based in Russia or places where law enforcement in the West can't really get them, these guys are very, very grabbable.
They're very gettable.
In the last about year and a half, there's been six arrests of teenagers and sort of early 20s hackers that are thought to be from the Scattered Spider culture or community because they're in the UK and the US.
And they don't protect themselves very well.
They don't actually disguise their voices when they call up IT desks pretending to be someone else.
Stuff like that.
It's called operational security.
And these groups, these NPTs, are terrible at it because they don't seem to care.
What are the patterns or dynamics about how young kids get pulled into these communities online?
What's the typical trajectory of one of these people?
It's nearly always the same.
Every single hacker I've ever met has had the same pathway.
It's computer games.
So Minecraft or RuneScape or whatever it is, probably Fortnite these days, probably still Minecraft, it's so popular.
So you get into gaming and you play with your mates, and then you start wanting to be better.
So you buy some extra bits for your character, or you find some shortcuts, some cheats.
Then you find yourself on a hacking forum and you find ways to become better at the game and cheat the game.
Then you find yourself sort of drawn away from the game and drawn towards more fun ways to have fun on the internet, i.e. hacking.
And it always starts off as just a bit of fun.
See, what happens if I type that in there?
What happens if I go into this server over here?
Oh, where am I?
This is exciting.
And then it's, oh, quick, you escape.
Oh, that was, that was wrong.
I shouldn't have been there.
And then it's, hang on a minute, what else can I do?
And then it goes on from there.
And then as soon as you start bringing money into it, Bitcoin, then it can quite quickly become serious cybercrime.
And that's... that is the path that I have personally seen speaking to all the hackers that I've interviewed over the years, but also the NCA, the National Crime Agency, in 2015, they did a kind of massive research of all the convicted cyber criminals, and it was exactly the same.
It was step one, gaming, step two, gaming cheats, all the way down until serious cybercrime.
So it is a cliche, but it's true.
Where are most of these people?
You mentioned Russia.
I always, when I think hacking group, I just think, oh, it's the, what is it, IRA or whatever in Russia or some...
GRU?
GRU.
There's loads of them, loads of acronyms.
What is it?
Where are all of these?
You mentioned these two notable, or at least Scattered Spider's notable because they're primarily English speaking in the US and the UK, but that's a rarity, I guess.
It is, yeah.
That's probably why they're so interesting as well, because we're like, well, hang on a minute.
They could be upstairs in the bedroom.
So if you're looking at the kind of, if we take the whole cybercrime ecosystem, these are the people that are out to make money, defrauding, stealing money, extortion, ransomware, all that kind of stuff.
They could be anywhere.
But the biggest gangs are organized and run, we think, from Russia, Eastern Europe.
And we know this because there are lots of kind of like hints that you get.
So, for example, I spoke to a guy who deals with ransomware negotiations.
And I said, how can you be so sure that they're in Russia?
And he said, well, they speak and they plan in Russian on Russian forums.
They work in Moscow hours.
And they don't ever answer you on public holidays in Russia.
So, you know, there's a few hints there.
But of course, the actual affiliates, the people that are carrying out the everyday attacks, we don't know where they are.
They could be anywhere.
And there was a very famous arrest of an IT expert in Canada who was, you know, an upstanding citizen of the Canadian IT scene.
And he was working for a Russian cybercrime gang called Netwalker.
And I actually, on that one, it was really interesting because someone, one of my contacts, sent me the negotiation portal for when Netwalker was extorting this university.
And it was during the pandemic.
And I was, over the course of about three weeks, I watched this negotiation, this extortion take place.
What do you mean by the portal?
Like a chat?
Like a private chat type thing?
Yeah, so if you get hit with ransomware, you'll have on your screen, on your computer, a pop-up saying, hey, you've been hit by ransomware.
Go to this darknet website, which is like a jumble of numbers and letters, dot onion, and we can start the negotiation.
They always, it's really, really kind of like irritating and frustrating, but they always like frame themselves as, we are here to help.
Follow this link.
We will help you.
You know, we'll get you through this.
And of course, they're the bastards who are trying to extort.
But it was fascinating watching this Netwalker ransomware group extort San Francisco.
I think it was Southern California University or something.
And they were like, this is during the pandemic.
We are working on a vaccine.
Please, we haven't got any money.
Leave us alone.
And they're like, how much you got?
And they're like, oh, no, $750,000.
That's nothing.
I can't even buy McDonald's with that.
Send more.
And it ended up, they paid, I think it was $1.2 million to these guys.
Anyway, so he turned out to be in Canada.
But most, we think, if you look at the arrests, they could be anywhere, but they are normally based in Russia.
Then you've got North Korea.
They are very, very big on the hacking scene.
But what's really interesting about North Korea is they're the only country that we know of in the world that, as well as doing cyber spying, which we all do, every country does it, UK and US, all over it.
But North Korea does that.
Plus, they steal cryptocurrency and they are very, very good at it.
They just stole, oh, what was it now?
I think it was like, I can't even remember.
It was like 1.5 billion.
The country of North Korea or
The country of North Korea has a cyber team.
They've always denied this, of course, but they have a cyber team that is dedicated to making money for the regime by hacking.
They used to do banks, but now they do cryptocurrency companies.
But they're unusual.
Most countries don't have that.
Most countries just have their cyber spies and they're out to project power, steal secrets.
In some cases, they'll be used in military.
So Russia, we know, has hacked against Ukraine in the war, for example.
But most cybercrime is done by criminals who could be anywhere, but are, yeah, largely kind of organized in Russia and Eastern Europe.
Why is that area of the world such a hotbed?
Have they got lax internal scrutiny from the law enforcement?
Is it sort of side-eye allowed by the state to try and fuck up everybody else?
What's going on?
Well, yes, so there's this golden rule if you're a Russian cyber criminal, which is you do not hack Russia or former Soviet states.
It's like a kind of unwritten rule.
If you do, you get in lots and lots of trouble.
And there was a cyber crime gang called REvil or R-Evil.
And they were allowed to kind of just run amok for years and years, hacking left, right, and center Western companies, causing huge amounts of problems.
But then, so the story goes, they accidentally hacked Russia, and then suddenly there were some arrests.
So, yeah, there is that kind of culture in Russia.
Obviously, the Russian government denies this every single time it comes up.
There was this summit between Biden and Putin.
When was that now?
2021, I think.
It came off the back of some absolutely horrendous ransomware attacks, one of which was against Colonial Pipeline, which is a really important part of the U.S. petrol and oil infrastructure.
And it meant that there was shortages at pumps and panic buying and there was no fuel going up and down the east coast.
So this conversation between Biden and Putin, according to him, was like, you've got to stop your people hacking.
This is no good.
And Putin was like, It's not us.
We get hacked too.
But the evidence really is not really there for that.
How close are we to seeing cyber attacks being treated as acts of war?
Oh, well, there's this, yeah, there's this thing called, I think it's Article 5 in NATO, which means that when you get attacked and it's a confirmed attack, then everyone else is, you know, piles in.
And it's one of the founding, you know, parts of NATO, one of the tenets.
And some people have said what we've seen in Ukraine, sorry, with the attacks against Colonial Pipeline and others, is, oh, could this be Article 5?
There was another attack on the US government, the SolarWinds attack, thought to be from Russia.
People are saying maybe that crosses the threshold.
But I think people are very, very scared to bring cyber in the same, anywhere near the same kind of seriousness as a missile.
When in fact, sometimes the damage can be, you know, can be just as bad.
What was that one that tried to get, was it Iranian nuclear reactors, and it waited around, the Stuxnet?
Can you tell me the story behind that?
Oh, just like unbelievable.
You have to take your hats off to them.
So Stuxnet was an attack by, they've never admitted it, but Israel and the US against Iran.
And they were very worried about the uranium enrichment helping to create nuclear weapons for Iran.
So according to the story, the president at the time said, right, well, what can we do to slow them down?
And someone said, let's hack them.
And the Stuxnet virus was so specifically and perfectly targeted that it only infected that certain system.
And I think they spread it through USB sticks or something.
They dropped them in the car park.
Absolutely brilliant.
It's dumb, but it works.
That's what they always say in cyber.
It sounds dumb, but if it works, it's not dumb.
And it managed to get inside the system of this very specific machinery that they were using in the Natanz refinery, and it sped up the refinery centrifuges so fast that it caused, apparently, we don't know because obviously Iran would never admit it, but we think it caused physical damage and potentially broke some of those centrifuges and slowed them down.
We don't know how much it slowed them down, we don't know how much damage was done, but it's largely been hailed as one of the most impressive cyber attacks of all time.
Didn't it, it was, infected some insane percentage of computers around the world as well?
Like loads and loads of machines had it, but it just, it didn't do anything.
It was just, is this computer attached to an Iranian nuclear facility?
No.
All right, just chill out, nothing for you to do.
Maybe you'll meet someone in future that is.
And it just did that over and over again.
That's it.
And it's really targeted, really precise.
And there have been cases where a country is blamed for releasing something like that.
You know, an uncontrollable worm that's got out of hand.
So there's this one called NotPetya, which was 2017, I think it was.
And it was, well, again, Russia would never admit this, but it was thought to be from Russia against Ukraine.
And they hacked into a really popular accountancy sort of software that the Ukrainians used.
And it was a worm that spread uncontrollably, and it was a fake ransomware.
So normally the thing comes up and it says, pay this, and you'll get your files back.
But with NotPetya, it was a shredder.
It was fake.
Even if you paid, you wouldn't get anything back.
And that spread from Ukraine all over the world.
Hundreds of countries affected by this, and it caused, they think, the most damage of any hack ever.
I can't remember the figure now, but it was.
I know one company lost a billion, Maersk, the logistics company.
They were back to pen and paper.
So they had ships coming into harbors.
They didn't even know what was on the ships.
They didn't know how to unload it, where it was going.
Absolute carnage.
And it cost them well over a billion.
I can't remember the details of this.
This is like the Wuhan Institute of Virology equivalent of an online worm.
Exactly.
And you can't stop it.
The only way to stop it is to inoculate all the computers so that if you get it, they don't get ill.
It's like a vaccine around the world.
What are the ways that cybersecurity firms find these sorts of hackers?
Like, what is it?
I know TTP is sort of part of this, but I don't know.
If you're good enough to construct a worm that does ransomware and scrambles and does all the rest of it, I have to assume that you're good enough to be able to hide your tracks.
So it's, yeah, how do the security companies track down who caused it?
Well, a lot of it is follow the money, because if you can follow the trail of cryptocurrency and Bitcoin, then you might be able to get them.
But thinking about that, there's a part in my book where Julius Kivimäki, this guy that we follow all the way through, he gets caught.
One of the ways that they find out it's him is because he does the biggest self-own in cybercrime history, an absolute monster of a blunder.
Someone in the book called Antti Kurittu, who's a cyber expert, he says that everyone thinks that cyber criminals are masterminds when they're carrying out the hacks, but they're not masterminds at covering their tracks.
They often get a bit lazy or a bit, you know, arrogant about that part of it because operational security is really, really hard.
So this guy, Kivimäki, he starts sending out, he's got all these, the patient data of psychotherapy patients all over Finland, 33,000 people.
He's managed to steal all the notes from the therapists.
So he starts extorting the company by releasing every day 100 new records.
And yeah, this is the kind of stuff that you do not want on the internet.
Like the stuff you say to your therapist is the most sensitive information probably that you could ever hope that, you know, stays safe.
So day one, 100 records.
Day two, this is on the darknet, day two, another hundred records.
Day three, another hundred records.
But then he says, to make it easier for all the people on the forum, here's a bulk download, so you can download all 300 patient data notes instead of having to do one after the other.
Then he goes to bed, and then what he doesn't realize is he's accidentally uploaded the entire database of 33,000 patients.
So he's given away all his bargaining chips, but also he's accidentally uploaded his entire home directory for his computer.
So it's like, for example, I want to send you an email.
I accidentally send all the emails in my inbox and all the attachments and every folder on my desktop as well.
Wow.
So the police found this in the morning and they obviously downloaded it as quick as they could.
He woke up and he realized what he'd done and he starts deleting files from the server.
The police find an IP address, which is an internet protocol, which, like, tells you roughly where the physical computer is.
They find an IP address in that home directory, you know, accidental dump, for a computer server, a cloud server company, which is only half an hour away from them in Helsinki.
So there's this race against Ransom Man, that's what he's called, deleting everything as he's going, because they've got this massive server that could potentially give them all the clues they need.
They get to the server farm, pull out the internet cable, severing Ransom Man from his server.
I put it like this: it's a, if you imagine a drug dealer, the cops are arriving, he's trying to flush all the coke,
but then suddenly, I don't know, they cut off the water or something.
Exactly, something like that.
So he, yeah, there's nothing he can do.
So then, um, they had this massive server full of all the evidence they needed to track him down.
It was a little bit harder than that.
He did try and use aliases and that kind of thing, but there was just so much there on that server that led them back to him.
And that's what led to, ultimately led to his conviction.
So it's that kind of thing, those mistakes that can be made.
It's Ross Ulbricht at gmail.com.
Yes.
That kind of thing.
Yeah.
Yeah.
Yeah.
Like if you're going to start the biggest online drug-selling network in human history, make sure that your old forum posts aren't linked to your name at gmail.com.
But that's that's a really good example, isn't it, of how someone's online presence can start, you know, innocently enough.
You're building something, you're a software developer, you're just asking for advice.
You don't know that in five years' time, you're a massive mastermind side of the business.
You've got to future-proof yourself.
Be careful what RuneScape username you use in 2012, because God knows where you're going to end up 14 years later.
Yeah.
Okay, so we're giving advice now to
I welcome our
internet overlords.
My operational security is horrible.
Okay, so another hack that I knew about, one of the most famous ones, the Christmas hack of computer games.
And it seems like this sort of kicks off a lot of the story that you've been following.
So what first drew you to this?
What's the story behind Lizard Squad?
Give me the overview.
Yeah, so 2014, Christmas time, there was a ginormous DDoS attack, which is a very low-level form of hacking.
It's like I liken it to when Glastonbury tickets go on sale, everyone lands on the website, and accidentally the website crashes.
It's like that, really, in cybercrime.
If you get enough traffic into a server or a website, you can bring it down.
So the Lizard Squad were part of this, as I said earlier, this conveyor belt of these teen hacking gangs, these NPTs that emerged in 2010s.
And they decided they were going to go after not just Xbox Live, but PlayStation Network as well.
And I don't, I still don't really know how they did it, but they managed to bring these services down for hours and hours on what was, you know, the busiest time of year, Christmas Eve, Christmas Day, Boxing Day.
So that was coincidentally, like that was the first story I ever covered.
And I went into the Sky News.
I used to work for Sky News and I walked into the Sky News newsroom.
I think it was like very early on Boxing Day or the day after Boxing Day, and they said to me, have you heard about this massive, massive hack these kids have done?
I was like, what are you talking about?
No.
So then I looked into it and I couldn't believe the power that these kids could wield.
I found it absolutely fascinating.
So my news editor came over to me and he said, Riley's called, who's the head of Sky News.
He says he wants a lizard on air tonight.
So I was like, right.
How on earth am I going to get one of these anonymous lizard squad hackers to do a TV interview in, you know, six hours, seven hours, whatever it was.
So, anyway, I managed to find one, and it turned out to be this kid who was, I think he was 16 at the time, 17, calling himself Ryan.
And we did an interview, and it was
jumped ahead.
How did you find him?
Oh, just like going after a person who says they're involved, and then that turns out they're not, then another person, then another.
I don't even know.
I couldn't tell you how I got to him.
But I went through, I know one of the people I went through was this guy called Vinny, who was part of Lizard Squad, kind of like an adjacent member.
He said he didn't really do anything for them, and I believe him, and he was cleared of all wrongdoing.
And he actually lived in Twickenham, which was like three miles away from the Sky newsroom.
So he promised he would get me this kid, Ryan, who was a part of the gang that took out these gaming services.
So anyway, I did this interview with Ryan, who it turned out was Julius Kivimäki.
That's one of the aliases he used: Ryan.
And that kind of really sparked off in my mind this fascination I've had ever since with cyber crime.
And I've tried to keep tabs on Ryan or Julius ever since.
But then the trail ran cold because he disappeared for a while.
So then when he pops up as potentially the person behind this ginormous hack in Finland on the psychotherapy centers called Vastaamo, I thought, wow, he has had a career.
And for my money, Kivimäki is the most hated hacker in history, not just because of the Vastaamo hack and the PlayStation and an Xbox one, but also there are lots of times in that sort of 10, 12 year cybercrime career where he has done some really hateful, nasty stuff to not only, you know, people that he wanted to go after, but fellow hackers as well.
What like?
So, there was a Sony executive called John Smedley who fought back a bit on Twitter against Lizard Squad.
He was like, he wouldn't, he used to be a prolific tweeter, and he sort of fired back some tweets against these kids, and they didn't like it.
So, they went after him pretty badly.
And one of the things that Kivimäki did was he found out that John Smedley was flying from, oh, I think it was from Phoenix to Houston or somewhere.
I can't remember what it was.
And he convinced the airline that there was a bomb on John Smedley's flight.
And it had to get escorted by fighter jet to a different airport where he was questioned at gunpoint and all sorts.
Stuff like that.
And there is a litany of situations and incidents where Kivimäki has done some really horrible things.
What you said about what he's done to other hackers as well.
What's in that list?
Well, there was a kid called Blair Strater who I spoke to in the book, and Kivimäki led probably a three-year harassment campaign against him.
Have you heard of swatting?
Not SWAT?
Yes, yes.
Where you pretend, you call up the police and you say there's a, SWAT team arrive and it's really dangerous and people have died.
So they would do that all day, all night for months against Blair Strater.
They've also got this weird thing, which is still a thing now.
I don't really understand it, but it's, um, when you get doxxed, your documents come online, so that means that everyone knows where you live, your real name, all that stuff.
So, for a hacker, that's a pretty bad situation to be in if you're doxxed because, you know, the whole point of it is you're anonymous and you're powerful, and you're, you know, you can disappear at any moment.
So, with Blair, they doxxed him, and then Kivimäki and others would send him pizzas, Chinese takeaways, all these kind of deliveries.
At one stage, a lorry load of sand and gravel arrived at his house.
Personally, like if a free pizza turned up at my house, I'd be happy about it.
But when you talk to people who have been victims of this for months, it becomes horrible because you are on edge the whole time.
And the delivery drivers want paying if you haven't paid them, and they get annoyed with you.
So, you know, that kind of harassment is not nice.
There was an article written by another journalist called Kevin Roose who interviewed the Strater family around this time when it was really bad.
And the article was called Haunted by Hackers.
And I've always thought that's such a good headline because for Blair Strater and his family, that's what it was like.
Yeah, it's ruthless, man.
Okay, so you sit down with this guy.
You don't know.
I mean, this is what, 2014?
2014, yeah.
Yeah.
The first time you do it.
What stuck with you from that first interview?
Just a complete lack of remorse, caring, smirking throughout the entire interview.
A lot of honesty.
He didn't sort of make up sort of.
So he didn't hide his face?
No, not at all.
Not at all.
No, no.
He turned up to the Sky News interview on Skype, fully, didn't disguise his voice, his face, didn't give a damn.
Surely that's a bad idea.
This is what I'm saying.
OPSEC is terrible.
These ends.
But surely that's something different.
That to me seems like operational security is covering your tracks.
That seems more like a purposeful middle finger.
Absolutely.
Oh, yeah.
And don't forget, well, you don't know this, and I don't know how far you got in the book, but at this point, Kivimäki was already under investigation.
He'd already been arrested.
He was on bail.
So you've got to factor that in.
Wow.
But, but, but, you know, Kivimäki, and there's a few others like him in the last kind of 10, 15 years, they're a different breed.
So you've got the MPTs who don't care.
They're out to cause chaos, get some money, bit of infamy.
Then you've got the kind of Alison Nixon, the researcher I mentioned earlier, she calls them the centers of gravity.
There are certain teenage hacking hackers who, they are the center of their gangs and everyone follows their lead, and you don't necessarily have to be the most technical to be that center of gravity, but you have to be the most ballsy, anarchistic, charismatic, and you don't care.
And the thing about that Christmas Day hack was he appeared on the interview, fully face and voice.
And yes, it came very quickly afterwards.
There was a knock on his door by the Finnish police, but they never got him on anything.
All the things he told me, either they didn't find evidence or they were too busy on his other cases to look into it.
But as far as I'm aware, and if you look at his court records, none of that was taken into account with any subsequent convictions.
Do you know what he did in between that and the mental health hack?
Not really.
I know that he traveled a lot.
I know that he was carrying a lot of Bitcoin.
I spoke to one fellow Lizard Squad hacker who he went out with in the Netherlands on a jolly, and he was carrying a hardware crypto wallet.
And it had something like $50,000 worth of Bitcoin in, and that was apparently just his holiday spending money.
And of course that Bitcoin now would be worth something like 12 million, you know.
But you're right, there is this gap in his story, which I would love to find out what happened.
But the actual hack happened in 2018.
So he stole the Vastaamo database of psychotherapy patient notes in 2018.
So there wasn't like a huge gap, you can go to 2020, but yeah, there was a gap.
There is a suggestion by a Finnish journalist, which is yet to be confirmed.
And it's all alleged and, you know, huge pinch of salt with this, because I haven't, we don't know if this is true, but he thinks that Kivimäki might be involved in a hacking, sort of hacking cybercrime thing that happened around that time, which was, Kivimäki aside, whoever did this, it's like the perfect crime.
So, what they did, I'm not going to say Kivimäki because we don't know if it was him, but what they did was they found a website on the ClearWeb.
So, that's the internet that we all know and love, that was advertising darknet drugs marketplaces.
So, it had links for the darknet links.
So, like, as I say, jumble of numbers and letters, dot onion.
He hacked into that and then changed the links for those darknet websites to his own fake darknet marketplaces, which had all the things you would imagine, like buy your Coke here, buy your MDMA here, but all the money going into that marketplace was going into his pocket.
And I spoke to the police about this.
I was like, if that is Kivimäki, why aren't you looking into that?
Like, why isn't that part of your investigations?
Now that he's behind bars, you know, aren't you investigating this?
And the guy, Marko Leponen, the Finnish police officer, said, we haven't got any complaints.
There are no victims.
Because, of course, no one's complaining.
No one's complaining.
The cocaine that I tried to buy on the dark web, I didn't receive my order for that.
Exactly.
It's the perfect crime, the perfect crime.
But anyway, I don't know who's behind that one, but there is some vague suggestion that some journalists have made.
How did he do the Vastaamo hack?
Do you know?
Yes, it took about four minutes.
It was awful.
The security at Vastaamo was terrible.
And there have been convictions.
The CEO has been convicted.
He's appealing it, but the cybersecurity practices at that company were very, very poor.
So he did a scan of open servers with no passwords.
He logged in, saw it all there, downloaded it.
It must have been, well, no one knows why he did it in 2018, but then he didn't do the extortion until 2020.
But my theory is he couldn't believe his luck.
He downloaded it and then sort of sat with it for a while.
Waiting to see if someone's realized.
I think so.
Because, of course, at some point, we don't know why, in 2020 he decided to extort the company.
Ran out of Bitcoin to party with.
You know what I mean?
I need to
party fund.
But the other really mysterious thing about this character is that we don't know why he did it, because apparently he did have enough money.
Apparently, he was and is very wealthy.
The court fees alone, the lawyer's fees, to try and defend himself, absolutely humongous.
And part of his defense was, why would I do this?
I've got loads of money.
And then they say, well, how much money have you got?
And he says, I can't remember.
It's all in Bitcoin.
It fluctuates by the day based on what the price of Bitcoin is.
So why did that hack hit differently?
What was it about the Vastaamo hack that caused such uproar?
Well, data breaches happen all the time.
Data is stolen from people all the time, from companies all the time.
And to be honest, it's a kind of just like a little bubbling thing that happens in life all the time.
And, you know, we kind of like take it for granted.
There aren't many situations where people actually are badly affected by that.
But when you've got a group of people who are already vulnerable because they're in therapy, some of them have had horrendous lives, childhoods, some of them are children.
And when you get that kind of, like, insight into their lives through the patient, through the psychotherapy notes that the therapist is writing down.
Like I said earlier, I mean, that kind of data is the most precious of them all, isn't it?
So that in itself is pretty bad.
Stealing that data is pretty bad.
But then what happened next was run of the mill.
So he went to the CEO of Vastaamo and he said, give me 400,000 euros worth of Bitcoin and I won't publish the data on the internet.
That didn't work.
So then he started releasing them on the internet, on the darknet, as I described, 100 a day, which would have carried on if he hadn't messed it up.
And then after that, He went the step even further and he sent out emails to every single one of the victims he could find email addresses for, which is about 27,000 people.
And they all received an email in their inbox on Saturday night after they got out of the sauna in Finland, because everyone has a sauna in Finland on a Saturday night.
And they saw in their inboxes an email from Ransom Man saying, I have got your notes, pay me now, or I will put them on the internet.
And if you can imagine the kind of impact that would have on you or on me, that's horrendous.
But you've got to put yourself in the position of people who are already in the lowest of low.
And I spoke to lots of the victims, and, you know, some of these people have still got PTSD, and some of these people are scared to leave the house, and the impact, the long-term impact, is absolutely horrendous.
Although the evidence has never been presented, the lawyer that represents about 4,000 of the victims, she says that two of the families have said that people have taken their lives over this.
Did he send that extortion email after he accidentally leaked all 33,000?
Yep.
Right, okay, so he was a last, a last roll of the dice to see if he could make some money out of it.
Yeah, yeah, yeah, yeah.
Okay, so he faceplants, he Ross-Ulbricht-at-gmail.coms his own computer onto a server.
The police realize it's 30 minutes away.
They get in the car, they run down there, they unplug the computer, the internet from the servers.
They now have the servers, and they start to do cyber forensic stuff.
Yep, took a long time, but they managed to come up with a name.
The funny thing was, of course, even before the servers, people were wondering, could this be Julius Kivimäki?
Because he was so infamous in Finland by that stage, as all the teenage stuff he'd done.
And then they, in 2000, I think it's 2022, they decided they had their man and they wanted to start finding him, but they couldn't find him.
So I think it was late 2023 that they, no, it was late 2022, that they put out an Interpol Red Notice for him.
So they didn't know where he was.
They had a feeling that he was somewhere in Europe, but they didn't know where.
So they put out that, it's a bit of a nuclear option, actually, and a bit controversial because Kivimäki has always said they could have just asked me and I'd have come back.
Whether or not he would have done, I don't know.
Anyway, so this Interpol Red Notice went out for him.
And the detectives in Finland kind of just got on with other cases.
I don't know what a red notice is.
What is that?
Oh, sorry.
It means that if you are found anywhere in the world, if you've got a red notice out for your arrest, they can arrest you like that.
And then they send you back to wherever the Interpol Red Notice came from.
Assuming that you're somewhere that's got extradition, I imagine.
Oh, yeah, yeah, yeah.
Should have gone to North Korea.
Could have been around.
That's his mistake.
So they put this notice out and then they kind of got on with other things.
And then remarkably, there was this stroke of luck in Paris whereby someone called in a domestic incident disturbance in the early hours of, I think it was February 2024.
And the police, the French police, went to the house and they were expecting it to be, you know, a woman being abused or something like that.
And they opened the door and everything was fine and there wasn't any danger.
And this man sort of, it was after a night out, so I think he was a bit hungover and still asleep.
They dragged him out of his bed and they just did some IT, some ID checks.
And he was traveling on a passport for someone called Assan Ahmet, which is a Romanian passport.
And they were like, well, hang on a minute.
This guy is six foot four, green eyes, does not look like a Romanian called Assan Ahmet.
So they ran some checks and somehow they unearthed the fact that this was Julius Kivimäki.
So they arrested him on the spot and took him back to the...
Do you know what the disturbance was?
Well, the call went out from a woman who'd been out with the woman and Kivimäki that night.
And apparently there'd been a big row and she hadn't answered her phone and he was being abusive and aggressive.
But then if you ask Kivimäki, which some journalists did afterwards, apparently it was someone who knew that he was hiding.
And they did it deliberately to get police to know where he was.
Again, not a very liked person.
Yeah, he doesn't seem like a good guy.
Okay, so he then
gets extradited from
France.
Back to Finland, yep, back to Finland.
And then so begins this months-long time period where they were putting together the case against him in time for the trial, which was in 2014.
No, 2024, sorry, and led to his conviction.
And what was the court trial process like?
Claims, defenses, and the sentence and all of that?
Yeah, so the police had a giant folder of evidence against him, not only for the hacking, but also for the blackmail.
It took police ages to get that evidence together for the actual blackmail part of it, because they had to go to, they wouldn't say which US tech giant, but they had to go and kind of get some evidence from them.
And it literally took like 18 months for Google or Amazon, whoever it was, to send back some details about it, but that was one of the crucial pieces of evidence that they needed.
And eventually, yeah, he was convicted.
In Finland they don't have juries, they do it all by judges.
There's three judges that decide, and they found him guilty on all counts.
But what was really interesting is that every single time that it's said in the paperwork, um, Kivimäki, either by himself or with others, so every charge came with that because they're never quite sure whether or not he did it on his own or not.
They think he might have had help from somewhere, but they don't know where.
There's some discussions right now happening in Finland, like this week, about whether or not there's a suspect in Estonia that might have helped in some way, but we don't know.
But the conviction happened, they said they didn't have anything that, they said that in the totality of the evidence, he's guilty.
But if you take each individual one, they couldn't quite pin him on each individual one.
It's a strange thing, but the prosecutors are very happy.
The police are very happy.
They said that they took everything kind of holistically and said, right, yes, he did it.
Because of all these bits, none of them are kind of like a smoking gun, but all of them together were enough to convict him.
What was your reaction to the arrest and the trial and stuff as you were following this going on?
Because obviously, this was, you know, a decade after you first sat down with this guy.
That must have been a slightly, I don't know, out-of-body experience for you to see it occurring.
Yeah, it was bizarre because I just had a feeling all those years ago that this kid would be worth watching.
And there were rumors at the time that he'd kind of fled with a stash of... billions of Bitcoin and stuff.
And I've always been fascinated about what happened after the Lizard Squad, uh, takedown at Christmas.
And being in the courtroom, seeing him as now, I think, 26, 27 years old, still cocky, still smiling, still not really caring about anything, was absolutely fascinating.
There was this bizarre moment in the trial where he applied for bail, because he was in prison and he was having to leave prison each day to go to the courthouse, and he applied for bail to be released so he could, you know, be a free man until the end of the case.
And although the police objected because they were worried he'd be a flight risk, the judges agreed.
So he was let out.
And then the police were like, Whoa, whoa, whoa, whoa, what are you doing?
This guy is not going to be, we can't pin him down.
Why have you let him go?
So they very quickly appealed, and the judges were like, Oh, yeah, okay, quick, get him back in.
He wouldn't come in.
He disappeared.
They couldn't find him.
Where did he go?
Well, the police kept calling him and said, you've got to come back in, you know, court order.
And he's like, I'll see you on Tuesday.
This was like Saturday.
I'll see you Tuesday when the case starts again.
They're like, no, no, come in now.
He's like, no, no, I'm fine.
So anyway, they found his social media handles or somehow like some obscure forum handle that he was using in the past.
And he posted a picture of himself, his hand, holding a bottle of really expensive champagne.
And they saw from the background that it looked potentially like a kind of Airbnb.
And then they figured out that there's no way he could have got an apartment.
He's not in any hotels, so he's like, there's very only small places he could be.
And they looked at all the pictures of all the Airbnbs in Helsinki and then got the right one, rang the doorbell, and there he was.
Holy fuck.
They GeoGuessr'd their way to finding him.
Yeah.
But all the court cases I have covered in my time as a journalist, people arrive in a suit and they're really polite and they try really hard to make the jury and the judges realize they're good guys.
But just it's classic.
You know, that's that character of that teenage cyber criminal who's just got away with it for so long.
What is it?
He doesn't care.
Yeah.
What is it about his psychology?
Is he completely detached?
Is this guy a psychopath?
Does he, is he just really cocky and out for recognition?
What do you think is driving him?
Well, one thing that kept come, one word that kept coming up is sociopath.
And it's really difficult and dangerous, I think, to kind of throw these things around.
I'm not a clinical psychologist.
I can't decide on that kind of thing.
But one of the guys that used to hack with him back in the teenage days says that the thing about him was he just wanted to sort of see, watch the world burn.
He just wanted to cause chaos and damage.
One of the cops said that, um, it's like the kind of guy who likes to get in a fight in a bar, but he can do it from behind the computer to protect his bone structure, which I've always quite liked.
But I don't know, I don't know.
I'd like to sit down with him.
I tried to, um, get an interview with him during the trial, and he said yes and his lawyer said yes, but the judge blocked it at the last minute, so I wasn't able to.
And then we were talking on text and then he just stopped talking to me.
That was about when he disappeared, actually, so maybe that's why he stopped talking to me.
Um, and I've tried many times to contact him while he's been in prison, but he won't answer my, um, my letters.
Dang it.
So yeah, he, uh, he remains a bit of an enigma.
How long's the sentence?
Very short.
He'll be out in probably a year and a half from now.
You should have just waited to publish the book.
You didn't need to publish it now.
You can do a follow-up.
Like the paperback.
The paperback.
Paperback can have a little appendix, additional chapter.
That's the usual way that authors do.
Well, with what's happening right now with M&S, Co-op and Harrods, I think there could be enough for another chapter when the paperback comes out.
We've just brought up a, we've doubled sales.
We've doubled sales.
I don't know.
So I'm interested in this Maksim Yakubets guy as well that you went and tried to track down.
It seems like you have a penchant for trying to find Eastern European young men.
No accusation, but you do seem to have a skill for it.
So what's the story of him and Evil Corp and stuff like that?
Yeah, so Evil Corp are the kind of OGs of Russian cybercrime.
They were there from the beginning and they evolved as the cybercrime ecosystem evolved.
And they've been kind of run and led by a family, the Yakubets family.
And Maksim Yakubets was the most wanted cyber criminal in the world.
There's a $10 million award out for his arrest, him and his right-hand man, Igor Turashev.
So we decided in, I think it was just before the pandemic, so 2019, that we would try and go and find him in Russia.
Because one of the things that I became a bit annoyed about was that the West points fingers at these people, UK, US, and says, oh, they're cyber criminals, they're guilty, they've done this, that, and the other.
They've stolen $100 million worth of money from innocent people around the world.
But you never hear from the actual cyber criminals themselves.
You never actually, they never get a chance to kind of have their say.
I know that sounds silly, but as a journalist, like, that's kind of like my job.
And that's the bit that interests me is like hearing both sides.
So I remember I was sat in the garden there, and I was just like thinking one afternoon, why don't we go?
Why don't we try and find these people?
So we did, and we searched around Moscow and we got all the addresses that were known, uh, about them, and tracked down their supercars and tried to take the, go to the garages that they were at.
Um, and I managed to find an address that we thought was Maksim Yakubets's, but it was actually his dad's.
But we went there and his dad opened the door and we had this absolutely, for me, unforgettable interview with, um, with, uh, Yakubets senior, uh, where he was like so angry with the West accusing his son of being a cyber criminal.
And I was saying things like, you know, speaking through my producer, reporter, translator, like, well, how do you explain the Lamborghinis?
He's like, well, they could be rented.
So how do you explain the quarter of a million dollar wedding?
Well, we don't know how much it was.
Have you seen the paperwork?
It's like, well, no, but I went there and spoke to the wedding organizer, you know, and he had an answer for everything.
And what was fascinating about that, and what's become even more fascinating, is we went there in 2019 and put the documentary out.
And I think it was, yeah, last year, the National Crime Agency gave us loads more information about Evil Corp.
And they said it wasn't just these seven or eight men.
It was also the dad.
He's a part of it.
He's in some way involved, money laundering.
You met the mastermind who was in front of you.
You could have snagged him there.
Yeah, yeah.
So, yeah, that was an amazing trip.
But I didn't enjoy it.
It was the worst assignment I've ever been on.
It was so, and I went to Ukraine as well during the war, but this was worse.
The Moscow trip was worse.
Well, you're in a, what is a, there aren't many countries that you go to that are kind of like adversarial countries that, you know, that are, um, they're not friends of the UK.
And the BBC out there is seen as an arm of the British government, even though, of course, we're completely independent.
So, like, there's that.
Plus, I'm going there to track down cyber criminals who we know have got links to the Kremlin.
Um, and it was really intimidating the entire time.
We thought we were followed at one stage.
We flew out to, um, this place called Yoshkar-Ola, which is about a thousand, uh, kilometers east, to try and find, um, uh, Igor Turashev.
And we were convinced there were guys in the airport who we saw, who we then saw at our hotel.
Um, so that kind of thing, you know, isn't nice.
And I'm here complaining, but really, um, the one that got off the worst was my, um, fellow reporter on the story with me, Andrei Zakharov, who, um, was and is a very talented cyber reporter, but he helped me out with the whole story and he was there the whole time.
And maybe it was that or maybe it was something else, but he was very quickly put on the enemy of the state list, um, after, shortly after that, and he had to flee the country.
No way.
Because of the work that you did together?
We don't know if it was that because he's done a lot of provocative to the criminal.
Right, okay, okay.
And an illustrious history of pissing off the project.
It was after that.
It was after that.
He thinks that it was possibly the straw that broke the camel's back.
But before he decided to leave, he was followed around the entire city by some nasty looking men for weeks and weeks and weeks.
Horribly intimidating for him.
He is a superb journalist, and I'm still friends with him.
And I know he's doing well now.
But yeah, I can't complain about handling or treatment when Andrei had a really tough time.
Wow, I got scared in a hotel.
Wow.
At least I get to stay in my country, though.
At least I'm in my home country still.
That's nice.
Exactly.
I'll tell you, though, when I got back, I installed a security camera system around my house because I just started feeling a little bit intimidated.
Because I once interviewed a guy who...
He decrypts ransomware.
So like when ransomware is deployed in a system, it scrambles your files.
You have to pay them to get the key to unlock it.
This guy, Fabian Wosar, is an anonymous researcher from a company called Emsisoft.
And he is so good at building his own decryptors that the hackers absolutely hate him.
When he's searching through a piece of malware, he has found on more than one occasion, fuck you, Fabian.
Stuff like that.
They write in their country.
In case he's looking.
In case he finds it, yeah, because they hate him so much.
And he fled his country.
He fled Germany because he was so scared of, you know, some of these gangs are very, very rich, and it wouldn't be much to drop, you know, 20 grand to go and get someone's legs, yeah, broken or whatever.
Wow.
What was the fallout from that CrowdStrike thing?
Because you've just held up a cool toy monitor thing.
So, CrowdStrike, cyber security organization, maker of cool figurines, but also subject of a lot of bad press only at the start of this year.
First off, what the fuck happened?
And secondly, is this is that what was the comeuppance of that?
Because I kind of heard about it.
It was a huge deal.
Loads of shit happened and then nothing.
Well, give it time.
There are some big court cases against CrowdStrike right now.
There are companies like, oh, is it United, the airline in the US?
They are trying to sue CrowdStrike for something like 7,000 flight cancellations across the day that CrowdStrike caused the world to implode.
So the CrowdStrike problem was, was it this year?
This year has flown by.
Anyway, so they did an update for their CrowdStrike software.
And they're like an antivirus.
And it was a year ago.
19th of July 2024.
Oh, it was okay, last year.
And so CrowdStrike is a kind of like antivirus company, one of the biggest and best in the world, and used by some ginormous corporations, including United, to protect systems from cyber attacks.
They did a really innocuous update where they sent through some really like tiny bits of information to keep the software up to date.
It completely bricked the system.
It caused the blue screen of death on something like, I think it was two and a half million computers around the world.
And that's not just computers like we're talking on now, that's servers that run airlines, those kind of computers.
So, yeah, the world went mad for, I think, like three days.
No computers running, flights cancelled, online services down, shops offline, massive, massive problems.
It was like some sort of apocalypse was unfolding.
But we bounced back.
We're still here.
The best image that I saw of that was someone's smart fridge.
Front screen of a smart fridge, which is.
Yeah, yeah, you got BSOD'd on a fucking Samsung American chiller.
Yeah, it's just, you know, there is kind of like the uncanny valley, but the equivalent of that for smart homes.
And I still don't think that we're out of the other side of it.
I think that most houses would benefit from a physical switch on the wall for most things.
And that a nice, quite simple up and down.
Your fridge does not need an app.
No.
I mean, look.
Echo Water, that's a hydrogen water company that I love.
I love hydrogen water.
I think it's awesome.
It's like big revolution in health.
What is it?
What's hydrogen water?
So it's a special type.
I haven't got it here, but like imagine that this flask
was able to hydrogenate the water.
So it's actually all self-contained within the unit itself.
So it's a kind of hot thing.
It'll be in the UK in five years' time.
It's big in America.
It's coming big in America.
It'll transport over the Atlantic in about five years' time.
They have an app for your fucking, for your flask.
And it allows you to change the color of the LED and it tracks how much water you've drank.
And I'm like, it's it's cool.
I love the product, but the app to me, and then they did a battery update that you need to over-the-air update your flask from your phone.
I'm like, guys, yeah, yeah, yeah, I know.
It's cool, but there is a, there is just a little, this is, and I think, look, if, you know, CrowdStrike issues another update and I can't get my hydrogen water out of my Echo Water flask, I'm going to be pissed.
So I think the, the, way that you, or the way at least that this seems to be explained, is that the hackers are always going to be out ahead of governments, they're going to be coming up with increasingly innovative ways to circumvent both security systems and law enforcement to try and track them down.
Is regulation ever going to catch up with how fast dark web hackers, crypto economy stuff can evolve?
Like, is this a light note at all here, or are we just kind of in it for the long haul?
Make sure that you've got a password manager downloaded?
Yeah, I think there are some things that we can do right now today that would make it so much harder for hackers, but we don't because there's a thing of like security versus convenience.
So reusing passwords, keeping your software up to date.
Actually, you know, when you think about CrowdStrike, that was one of the things about CrowdStrike that was so bad was that the people that kept their software up to date, which is what we're being told all the time, they were the ones that got hit.
If you hadn't have done the software update, then you were fine because it was that thing that bricked your system.
But no, generally speaking, CrowdStrike aside, keep your software up to date, do two-factor on your, or multi-factor, good passwords.
And it sounds so obvious and I'm bored saying it and I know I can see you falling asleep.
But if we all did this, then the world would be the cyber world would be a safer place, but we don't.
There's a lot of things at the moment about you know quantum computing and AI and deep fakes and stuff, and how this is how the hackers are getting in these days with all these whiz-bang new things.
They're not.
If you look at the list of how hackers are getting in, it's the same old stuff.
Someone said the other day that nothing in nothing in cyber has changed for 20 years.
Social engineering, find a person who's prepared to let you into the system, go from there.
Yeah.
Yeah, but also, you know, once you get in, they're not using the latest and greatest techniques to move around a system.
They're going through something that should have been patched a year ago or two years ago.
How much truth is there to this quantum computing will be able to make all encryption totally obsolete because it can work out prime numbers in the split of a second and everyone's fucking Bitcoin is going to be owned by one guy and all of our passwords are going to be released.
Yes, they call it Q Day, the day when the quantum computers can break encryption.
And there's this thing called, I think it's something like grab now, encrypt later, or decrypt later.
So the idea being that if you ask it, harvest now and decrypt later.
So if you're a spy agency, for example, China or the UK or the US, you can grab all of this data that at the moment is encrypted.
So all the most important vital communications are done with really high-grade encryption.
So if I'm President Trump talking to Prime Minister Starmer, we will talk on a really, really secure line, which if I grab that, it just comes out as gibberish.
But if I grab it now, I might be able to make it un-gibberish when Q-Day.
Oh, fuck.
That's the worry is that, yeah, was that Q-Day will mean that kind of thing happens.
But I'm trying to be positive.
It is a concern.
The National Crime Agency recently put out advice saying, like, the deadline is 2030.
I think they said you need to get everything encrypted in a way that is post-quantum encryption safe or post-quantum safe now because of what I just described.
I'm just having a look here.
This is a friend's
A job advertisement for the new head of cybersecurity at His Majesty's Treasury in Britain provoked derision because of its stated pay of £57,000 a year.
That was the total annual salary, around about $70,000 for the head, the head of cybersecurity of His Majesty's Treasury in the UK.
Yeah.
Yeah, it's a big problem.
Have we considered low pay as a vector of risk?
Like just disgruntled workers as a potential, you know, I mean, you don't
Insider threat.
They call it insider threat because sometimes there will be people in high levels of power who could be corrupted.
But, you know, that's, I don't want to start, you know, I think that's rare.
That's a rare thing that we see.
They think potentially, this is all alleged and all, you know, reports have come out.
So I'm not saying this is what's happened, but there's a big thing at the moment right now with Coinbase where lots and lots of people have had their crypto stolen or exposed.
And they think that might be insider threat.
But yeah, you mentioned the salary there.
The problem with cyber jobs is that you can get paid a lot of money, but not really in the public sector.
It's all in the private sector.
But of course, we need very good people to be in the public sector protecting the way more important stuff.
Yeah.
Joe, you're awesome, dude.
You're really great.
Book's fantastic.
You're a wonderful communicator.
Where should people go? They want to check out all of your stuff.
Oh, it's, um, yeah, so my book is called Control Alt Chaos: How Teenage Hackers Hijack the Internet, um, and it's out on the third or the fifth of June.
Um, the book launches the third of June, that's why I got confused.
Um, and then it'll be in all the usual places and on audiobook as well.
And it's also coming out in Finland and it'll come out in the US in January as well.
Hooray, dude.
You're brilliant.
Good luck doing more investigations.
I look forward to speaking to you again when you've found some more awful people from Eastern Europe that we can talk about stories to do with.
Thank you, mate.
Thanks for having me on.