It’s human nature: when we do something we’re excited about, we want to share it. So it’s not surprising that cybercriminals and others in the hacker space love an audience. Darknet Diaries, a podcast that delves into the hows, whys and implications of incidents of hacking, data breaches, cybercrime and more, has become one way for hackers to tell their stories – whether or not they get caught.
Darknet Diaries creator and host Jack Rhysider joined 1Password’s Michael Fey (aka Roo) on the Random but Memorable podcast to chat about some of the fascinating cybercrime stories he’s covered recently. Read highlights from the interview below or listen to the full episode for answers to questions you might never have thought to ask, such as:
- What nefarious shenanigans are some of today’s hacker teens up to?
- How can I get someone else to pay for my burrito?
- What’s a hacker’s version of a microtransaction?
Bonus: Find out how Darknet Diaries gets these stories and who wants to take credit for them!
Editor’s note: The views and opinions expressed by the interviewee don’t represent the opinions of 1Password.
Michael Fey: What are some of the wildest stories that you’ve covered recently?
Jack Rhysider: The one that really caught me by surprise was one I called Dirty Coms. It’s a story about the scams and hacks teenagers are doing online. People are breaking into rich people’s Bitcoin wallets. It’s not uncommon for some of the kids in these circles to have $100,000 to $1 million licks in a Saturday night. And then they’re going crazy in chat, like, “Hey, I just stole this much Bitcoin! Now what should I do? I’ve got a million bucks!”
It’s just a wild peek into this strange circle that’s going on, and that took me by surprise. When you think about who’s stealing Bitcoin, you might be thinking, “Oh, organized cyber gangs and the Russians.” You don’t think of some teenager in Oakland, California, who’s doing it. It’s wild.
MF: When I was a teenager, my Friday nights were a bucket of popcorn and watching Hercules followed by Xena. I wasn’t hacking people’s computers.
JR: When we were teenagers, Pirate Bay was going around. We had the Warez scene. You’d swap music or maybe video games or movies and download that stuff because you’re a teenager and you see other people do it online. People were making audio demos and video demos. It was a cool underground place. This is where teenagers were in the ’90s and early 2000s online.
Then, in the mid-2010s or so, you had Anonymous. There were a lot of teenagers in Anonymous. We all know what trouble they got into. They were DDoSsing places they didn’t like as a protest. They were hacking into places. It became a threat.
What is the teenage subculture doing today? They’re technocrats, the tech-affiliated people who want to rebel. It’s wild just to see how things have evolved over time. You don’t hear about Anonymous hacking anything these days. It’s fizzled out as far as their hacking presence goes.
MF: I guess it’s possible I had a copy of Doom II back in the day that wasn’t entirely legit. I guess this is the latest evolution of that. Outside of teens hacking Bitcoin wallets, is there a particular type of data breach or hacking gang that’s really caught your attention?
JR: I’m fascinated with what teenagers are doing because it goes into all kinds of areas you just never expected. These kids aren’t just stealing Bitcoin. They’re doing whatever they can however they can. The other day I saw a post from somebody who works at Taco Bell. Their post was something like, “$5 for a coupon for free food. $30 for a password reset for any user at tacobell.com. $90 for a full account. Here’s your username and password.”
Somebody who works at Taco Bell is selling their access to whatever you want. I don’t really know Taco Bell that well, but I know this works for Chipotle. If you can take over someone else’s Chipotle account, their credit card may be attached to it. Then, you can order Chipotle and get that free burrito. I think this might also be happening at Taco Bell. Like, “Hey, I work at Taco Bell. How can I make money surreptitiously while I work here without breaking too many rules or laws? I’m not just giving free burritos out to people. But I’m doing this weird thing online.”
Hilton’s Honors is another example. People have Hilton’s Honors rewards. You can get a free hotel night’s stay if you can take over someone’s account, and they have enough Honor rewards points. You could just say, “Hell, yeah. Here’s my name. Here’s my points. Please use this to book me a room.” People are stealing someone else’s points to get into the rooms.
MF: You just don’t hear about this. They aren’t shutting down oil pipelines or disrupting the meat industry. It’s small pockets of people doing nefarious nonsense.
JR: I think a lot of stores accept a certain amount of loss. They’re going to have people returning things and will lose items to theft. They don’t actually investigate how this got scammed or refunded or whatever the case is. They’re just like, “Look, sorry, your Chipotle account got taken over. Here are your points back. We’ll give you two free burritos if you stay as a customer.”
You get these weird clues – like people in Chipotle’s subreddit saying, “How come I’ve bought all these burritos?” – that something is going on. Something I’ve seen in the Spotify subreddit a lot is, “Somebody keeps listening to music on my account, and it’s not me. I didn’t listen to these songs. I don’t know why this is happening.” There are all these people who are like, “Me too! Somebody listened to those exact same songs on my account!”
Why are all these accounts listening to this music? My theory is there are certain songs that get played to make money. You get 0.01 cents, or whatever, for playing a song. If somebody can take over a big swath of Spotify accounts and then play the same songs… and these are crappy songs. These are songs you’ve never heard of. They’re just garbage. But if you could play it, then Spotify will give that creator a royalty check.
MF: You know what this is, Jack? It’s like the microtransaction version of hacking.
JR: Scraping pennies off of every transaction. And not letting the accounting department know. That’s where 1Password can come in. You can have a good, complex password for your Spotify account.
MF: Exactly. I appreciate you keeping it on brand and bringing it back home. Let’s talk about how you’re covering some of these stories. Have you had to find your way into some murky circles to get the inside scoop?
JR: I think it’s luck. There are three kinds of luck in the world. Dumb luck where you just stumble upon a random winning lottery ticket. Then there’s luck after a lot of hard work. You just keep digging and digging and digging. At some point, you’ll find gold after you just dig enough.
Then there’s the third kind of luck, which is, “I’m lucky in that people are bringing me stories.” This is luck I’ve actually created for myself because I’ve created the show that digs into this kind of stuff. I think what’s happening is the people who are sharing these stories are actually doing this stuff. They’re the criminals behind it. Some of them have been caught. Some are just in the circles, watching others do it.
They hear my show and are like, “This guy isn’t someone from mainstream media who doesn’t understand who the hacker named 4chan is. He understands this and isn’t painting it in a scary way.”
People are bringing me these stories. They’re like, “I just got out of prison. I don’t know who you are, but people are telling me I should tell you my story. Here’s my indictment.” I’m like, “Oh, wow. This is an interesting story you have here.”
There was someone from the NSA who tapped me on the shoulder when I was at Def Con one year and was like, “Would you like the NSA to tell you a story?” I’m like, “Yeah, but I don’t think the NSA is going to tell me a story.” He’s like, “I think I can make it happen.”
The story that came out of that connection was Operation Glowing Symphony. The NSA actually came on the record and talked to us about how they hacked ISIS and all the different things that happened. It was actually US Cyber Command, but it’s close enough.
Then there are people in these comms – communication circles – that are like, “Hey, have you ever looked into SIM swapping? Do you ever want to have a story about that?” I’m just like, “How do you know this?” They’re like, “Well, I’m in these circles.”
Or, “Hey, I’m the one who made that tool you mentioned. I was the guy you mentioned in that episode. I got arrested in New York.” I’m like, “Oh, okay. You’re that guy.”
I’ve had federal agents message me too. In fact, law enforcement and attorneys have reached out and said, “Yeah, I was the one who worked that case. I can’t believe you got him to admit all that because I couldn’t get him to admit all that on the stand.”
It just goes to show that all the players in this space are tuned in.
MF: The last time you were on the show, you mentioned that the news reporting of cybercrime is “the first draft of history,” and the media often doesn’t get it right from the outset. Do you think that’s still the case?
JR: There’s just all this guessing of who did it and why they did it and what they took and how impactful it could be. But we’re often not creative enough to come up with ideas about how the crime could hurt someone.
For example, you’ll hear someone say, “Well, they took a list of email addresses of these users. What is that even going to do?” They can’t think of what harm that can lead to in the bigger picture.
When I listen to the news, I cringe because it’s just so lacking context. People are talking sideways – it’s everyone. We’re guessing, and it’s all wrong. That’s why I want to not be in that situation. I want to wait until I know what’s going on. It’s funny because a lot of people, when the latest news is breaking, they’re like, “Oh, Jack, jump on this. Make an episode on this.” I’m like, “Okay, in three years, because I don’t know anything right now.” I’m definitely a slow news junkie. I don’t like to jump into things until I know all the stuff.
MF: Do you have any predictions for the year or for the future?
JR: We’ve had different phases of technology. The first big technology phase was the industrial revolution, and then the electrical age, and then the computer age. I think AI is the next phase.
What you’ve got here are computers that are smarter than us and can do things in a quicker and better way than we can. What is it going to mean? We’ve seen ChatGPT show us how to find bugs in code. You can exploit this like, “Oh, here’s a smart contract. Can you help me find the bug in here?” That could be a million-dollar bug bounty or just stealing stuff.
Now AI is our hacker front. It’s the criminal front, maybe. But at the same time, we now have AI as the defense front saying, “Hey, here’s my code. Help me find the bug in it.”
Why can’t we integrate that into development tools to begin with? Like, “Let’s run it through AI and make sure that it’s good before you push it.” Maybe it’s some automated testing environment at some point or something like that.
I’m excited to see the world of AI and how it affects security and changes everything in our whole world.
MF: Do you have any advice for folks or businesses to prevent being exposed to the kinds of things that you’ve seen in the past or stuff that you think is coming in the future?
JR: I think data is a liability. I’m constantly disappointed when I go to my barber, and they’re like, “Fill out this form and give us your name and phone number.” Like, “Dude, I just need a haircut.” Why are so many companies collecting so much data on us? It’s for marketing or whatever. But no, it’s not. There are so many places that I’ve never gotten an email from and never been marketed to. It drives me crazy.
Just this week, I’ve been hearing rumors that the InfraGard website got hacked. This is where you report things to the FBI if you’re a victim of a crime. You make an account on this website. That whole database is now for sale on the dark web, supposedly. Holy cow. If the FBI can’t secure their own data, how can my local barber do any better? Stop collecting data on people. There’s no need for it. It’s going to be a liability.
MF: Where can people go to find out more about you or check out the podcast?
JR: I make the podcast Darknet Diaries. You can find it in any podcast player. Just search for it and you’ll find it!