The dumbest thing I ever bought. Yeah, the dumbest thing I ever bought is a Canon DSLR camera, 5D Mark II. Somewhere around 2007, I started getting into photography. DSLR cameras were just getting popular, and I wanted one. But I was too poor to afford it. I was obsessing over the Canon Rebel cameras, wishing I could have one, constantly looking at eBay to see what was out there. And every now and then, I'd find one undervalued, listed way below what it should be at.
And so I bought the cheap one and I used it for a few days and then sold it for more than I bought it. I did that three times and eventually had enough money to get the camera for myself. Basically, it was a free Canon Rebel. And I used the crap out of it. I probably took thousands of photos with it. I shot models sometimes, but my favorite was architecture. I especially loved derelict or abandoned buildings. And after a year of taking all these photos,
Canon was launching a new camera, the 5D Mark II. Oh, how I started wishing I could get that. And for some reason, I just couldn't resist. And I pre-ordered it. The thing cost $2,500, and it was absolutely something I could not afford at the time. But I thought it was my ticket to becoming a professional photographer. So I spent every last penny I had on it and even went into debt to buy it. Oh, it was amazing. Full frame sensor. It took perfect photos. But here's the problem.
I felt this thing was way too expensive to take anywhere. Like if I'm walking around in abandoned buildings with thousands of dollars in camera gear around my neck, I might get robbed. And if it got scratched, I would have cried. So I never took that camera anywhere and brought my cheaper one with me instead, the one I didn't mind if it got broke or stolen. But this changed my whole relationship with photography after that.
I had all this camera gear, and because I was too afraid to use it, I didn't shoot much at all. I realized my dreams of being a pro photographer were done, and it was a dumb idea to buy this thing. I don't know what I was thinking at the time. So I tried selling it.
But the thing is, selling something that expensive is tricky. You could easily get scammed or robbed, and it was very nerve-wracking. On top of that, nobody was really buying these super high-end cameras, so I ended up selling it for way less than what I paid for it. Now, I say that was the dumbest thing I bought because yesterday I bought something way dumber. These are true stories from the dark side of the internet. I'm Jack Rhysider. This is Darknet Diaries.
This episode is sponsored by Axonius. Complexity is inevitable in IT and security, and it's increasing. Axonius is here to help you control it. As a system of record for all digital infrastructure, the Axonius platform correlates asset data from existing tools to provide an always up-to-date inventory, uncover security gaps, and automate response actions. Go to axonius.com slash darknet to learn more and get a demo. That's Axonius, spelled A-X-O-N-I-U-S. axonius.com slash darknet.
This episode is sponsored by ThreatLocker. Ransomware, supply chain attacks, and zero-day exploits can strike without warning, leaving your businesses' sensitive data and digital assets vulnerable. But imagine a world where your cybersecurity strategy could prevent these threats. That's the power of ThreatLocker, zero-trust endpoint protection platform. Robust cybersecurity is a non-negotiable to safeguard organizations from cyber attacks.
ThreatLocker implements a proactive, deny-by-default approach to cybersecurity, blocking every action, process, and user unless specifically authorized by your team. This least-privilege strategy mitigates the exploitation of trusted applications and ensures 24-7, 365 protection of your organization.
The core of ThreatLocker is its Protect suite, including application allowlisting, ringfencing, and network control. Additional tools like the ThreatLocker Detect EDR, storage control, elevation control, and configuration manager enhance your cybersecurity posture and streamline internal IT and security operations. To learn more about how ThreatLocker can help mitigate unknown threats in your digital environment and align your organization with respective compliance frameworks, visit threatlocker.com. That's ThreatLocker.com.
Yeah, all right. So let's start at the beginning here. First of all, what do you want to be known as if I call you names?
Yeah, it's fine. Jarrett, done, works. I'm all over the internet, and I'm full of dogs. It's perfectly fine. And then if not, then most people would know me as this app, I guess, or stuck over one.
I'm going to jump to the chase for you right now. Jarrett, aka Stack, executed a wild and astonishing robbery. He stole millions of dollars in cryptocurrency, which is why I call this episode Stack Attack. But his grand heist is so different that it had me questioning far more than stolen money. It cracked open a door that I didn't even know was there, leading me through a maze of questions that I'm still trying to find my way through.
And it's also a story I think a dozen people have told me to look into at this point. Have you heard of meme coins? They're like jokes, but in the form of cryptocurrency. They're really weird and nobody seems to understand why they have any value at all. Yeah. There's no inherent value. The whole pitch is that there is no pitch. And you might say, oh, I would never buy something with no value.
Oh yeah? Then are you saying you never bought name brand clothes or food or medicine? The store brand, ibuprofen, has the exact same ingredients as the Advil brand, and it's just as effective and is honestly the exact same product. Yet people still prefer the Advil brand, even though it costs twice as much. And that's marketing for you. That's storytelling for you. Stories alone give value and meaning to otherwise meaningless or valueless things.
So anyway, people are buying cryptocurrencies simply as a joke. Almost like they're laughing at themselves, like they know they're buying a meme coin and it's a stupid idea, but they're like, yeah, let's do that. And then they feel stupid even after doing it. It's very strange. Now, do you like crypto and NFTs or is this something you're just poking at and making fun of and being like, what idiots are buying all this stupid stuff?
I should, I should, I guess, give a lot of context. I'm bad at context. It's raging autism. So I've been in crypto since maybe 2011 or 12. I used to make YouTube videos. The intro I used to give was... I have lost multi-millions many times over. I'm still here grinding now. I've kind of fallen disillusioned now. I used to really believe in the revolutionary aspect of this entire thing and kind of... separation of finance and state and all that kind of stuff. And I was very much on board with causing a lasting change, I guess. But I've kind of been disillusioned and I'm not really sure where I fit in a spectrum of a believer or not these days because it pays the bills. However, I have this looming court case, and so I don't really know where I stand. I'm a developer. I'm not a very great developer. Somebody recently described me as a CFOG programmer, but I don't believe so.
I connect dots really well. And I've contributed, I guess, to a little bit going on Ethereum. I contributed heavily to Steam. And I was actually a block-producing witness on a bunch of side chains. I've had a problem with EOS for a while. I went to WAX. WAX is a gaming chain. It's like an EOS fork. Really good. Very close to EOS. And then Solana is built different and they really do tailor the entire thing to welcome and promote new developers.
Once I found Solana, I kind of found a place for myself, I guess. So he's contributed to the development of many cryptocurrency projects out there. And it was Solana, the fifth largest cryptocurrency, that he felt most at home in. And he put his focus there. But one thing Jarrett just can't help doing is looking for bugs in the code that can be exploited for money. Because if a bug is present in a crypto project, it could result in catastrophic losses for everyone involved.
The bug hunting. I'm trying to get a square understanding of this because are you looking for bugs and then reporting them so they get fixed or are you looking for bugs and then exploiting them? So I will tell you, I have in the past reported any number of bugs that have gone on deaf ears. Reported bugs all over the place. So I reported a bug to, uh, Raydium and, uh, Orca Whirlpools at one point. Orca dismissed it as out of, uh, scope because they don't support that particular program, I guess. I don't know why. And then also, they could all be in the ends of basically stuff. There's nothing we could do to prevent good market behavior. So that's that kind of wall you hit.
In short, no, I usually try to report these things. In total, I've been paid, I think, two bug bounties that are significant. Jarrett claims that he had information about FTX's downfall before it became public. FTX was a huge crypto exchange that was discovered to be mismanaging its money and lying about it, and the founder ended up going to jail. A lot of people lost a lot of money because of it, and Jarrett tried to warn his government by telling them to look into FTX.
In November 2022, I withdrew my reapplication to Canadian forces, hoping to bring my concerns to the right people about FTX, and perhaps make a difference. However, the recruitment process took too long, and by the time I withdrew my application, damage had already been done in the broader crypto ecosystem.
Knowing now that should I ever be left in a moral conundrum with hundreds of millions and user funds at risk, surely leading to another bloodbath of worldwide suicides, the only way to be heard is through dramatic and impactful action, because without a theatrical display, nobody ever really listens.
He wished he could have been more dramatic and theatrical to warn people about the FTX collapse. That makes me wonder what he's thinking here. Like, what does it mean to be more theatrical about warning people? What do you consider yourself? Are you trying to make things better? Are you securing the internet to the crypto? Are you evangelizing it? Or are you sticking your finger in someone's eye? I really wish I knew.
I really wish I did. If I knew, I would have some kind of idea of where I'm going. Even in 2023, you didn't have a clear direction? No, not at all. In 2023, that was the first anniversary after my mom's death. The 25th there, when they released that outage report, I was... How did your mom die? She was mercy. Canada killed her. She fell and broke a hip and she was inoperable, so they put her out of her misery.
Oh, my gosh. That must have been so sudden and surprising. Yes, it was. So she was already on palliative. We knew she was on the way out, and it's a very long story. It is what it is, and it's probably for the better. I just still struggle with, it's been a very important day of the year. I struggle. Jarrett had a hard time coping with the death of his mother. He loved her dearly. She was everything to him.
But it was a complicated relationship. I read his psychiatric report. It said she had her own mental health issues and would do crazy things like set her own house on fire. So like Jarrett came home from school three different times with his house on fire. He got addicted to cocaine early on when he was like a teenager and just had a wild upbringing.
And he wanted me to add that the psychiatric report is questionable, since the NHS screwed it up a little bit by putting the wrong ID on there and misspelled his last name. In February 2023, he was grieving her loss pretty hard because it was the one-year anniversary of her death. And he turned to his computer to cope. Perhaps that's a safe outlet if he's just playing video games or watching YouTube. But what he decided to do... was attack the Solana network. Solana is a type of cryptocurrency. It's the fifth biggest coin in terms of market cap. It's kind of a big deal. And Jarrett knew some of its weaknesses. So he started messing with it.
I was out of my mind, always grieving, and I was trying to do as much data as I could. So I was queuing as many recursive transactions as I possibly could. The validator is running Clockwork because they can optionally do this Geyser plugin and get additional money by running these threads.
Clockwork is a scheduling software. The thing is, I figured out that you could do recursive transactions. So you actually have a transaction that calls another transaction in the same slot. Which obviously, if you have enough money to pay Piper, that's terrible for blockchains or any competing network. He was able to generate block sizes so large that it overwhelmed the network and transactions were getting clogged.
Of all of the transactions, by byte size, I was 4%. I was the user or bot submitting 4% of everything on Solana in that particular block. Yes. Or for a few... How... How did that? You must have had a really beefy system. No, it was just using their threads. So I was queuing transactions that would then call themselves on-chain whenever there were certain conditions met. However, I then found out that I could just have them call themselves immediately, which is the recursion that I think got broken.
Solana reported a 20-hour outage on February 25th, 2023. They experienced unusual block sizes, which when rebroadcasted through the network, ended up degrading the service. So they put Solana in maintenance mode to fix the problem. Essentially, no Solana transactions could occur pretty much that whole day.
And I can't exactly confirm it was Jarrett who took down Solana during that time. My guess is he contributed to whatever problems that were going on. But the thing is, is that he was never blamed for this. Solana never came out and said they know who did it or anything like that.
I have to admit, I didn't think it was possible to cripple a cryptocurrency's network so badly that it can be taken offline like this. $2 billion are traded every day on Solana, and for all that to come to a halt because some guy is having a bad day, that's just wild to me. How did you get started with PumpFun? Totally the CBO salon. I lost the coin on April Fool's Day, April 1st of this year.
It was called BunkerCoin. I bought it and I appeared back. And all I did was copy the first half of a paragraph from the Bitcoin white paper and threw it in there. And then I threw up a PumpFun coin. It's the very first time in my life I've ever used PumpFun at that point. And I called it BunkerCoin Futures. And it's it for Fool's Day.
But it filled immediately. I didn't expect anything to happen. And once I got back in bed, I went back to the theater. My two salons would become ten salons, which is significant. So I guess I was hooked on the casino at that point. Pump Fun. To research this episode, I actually created an account on there and used the site for a few days. And he's absolutely right. It feels like a casino. And it's pretty addictive because of that. And the meme coins I bought on there yesterday absolutely are the dumbest things I ever bought in my life. I kept finding myself lost in a daze, staring at the screen, watching my bags. Then suddenly waking up, realizing I'm betting on memes. And I say to myself, what in the world are you doing? So what PumpFun is, it's a place that anyone could go to and make a meme coin on the Solana network. It's very easy and fast. And then others can buy your meme coin from you if they want on the site. The site looks a lot like 4chan.
And as you're there, you're just bombarded with endless messages of new coins being created and what coins people are buying and selling. And it's wildly popular. So before your eyes, you're watching a coin get created by someone and then hundreds of people are buying that coin all in the first five minutes of it existing.
And I only went there to research this place. I only spent like a few bucks on meme coins. Like for $2, you can buy 30,000 meme coins. As I used the site myself, I got familiar with the game. It's called Pump Fun because the game is to pump and dump. A meme coin's relevancy only lasts a few minutes sometimes. Then it crashes into oblivion. So the game is to jump in on a coin, hoping more people are going to buy it after you do. And if they do, your holdings go up.
And then you need to get out before that goes back down. And so the people holding that coin will use every strategy they can to get others to buy it after them. And as I played this game, I too became someone trying to convince others to... Get in on this coin. It's hot. Pump it. And then as soon as they jump in, I jump out. Dump it.
It's ruthless in that way because you see the other people who are buying the coin and you want to think they're on your team. They're going to help you pump it. But no, they're just looking for a way to get out before you do. Everyone's trying to take each other's money. And that's the game. That's the gamble. And I think that's what draws a lot of people to come play at the site.
One of my favorite towns to visit is Las Vegas, and everyone knows when you gamble, the house always wins. It's a rigged game. Yet they still gamble. They put their luck on the line and bet real money, even after knowing the games they're playing are not fair. But I love Las Vegas because there's nowhere else in the world which is as wild and crazy as it. It's incredibly entertaining and fascinating to experience, and I learn a lot from that town, such as how to stay focused in a chaotic environment, how to see through the glitz and glam and notice what something really is, and maybe even a glimpse of what humanity is really like. I met some people who use PumpFun regularly, and even they think what they're doing is laughable. Like, he was telling me he made bank off of... fart coin or a squirrel called peanut the other day or something ridiculous. Because when you're buying meme coins, you're buying something that is just so bizarre that you end up questioning your own sanity. But it's fun.
Because it's interesting and weird, and we all like interesting things. You go there, you make a token, you share it with your friend and your family, and then they come in and buy an app. It's on a bonding curve, so the first person that buys, buys it for the very cheapest. And as more people buy...
If it was only buyers, for instance, the price just continues to go up per token. So the idea is that you eventually sell your tokens for a gain after you have shared it with close friends and family for them to buy after you, whether it's each word for their friends or not. However you want to describe it, legally it is friends and family. And then you make a gain on their loss, essentially.
That's basically it. It's made to look like 4chan, I guess, with the comments and such. And there's a cute little interface with flashing lights on the landing page. You say cute little interface. I'm looking at it now. It is ugly. Yes, it is horrifying. The site is right out of bizarro internet land. The layout is weird. The images and coin names are a cringe. It's all moving way too fast for anyone to be able to read. Things are jumping off the screen, constantly trying to get your attention.
And so Jarrett was playing around on the site quite a bit, launching coins, running trading bots, and being pretty active on PumpFun, tweeting about it too. And a recruiter on LinkedIn got a hold of me and said, you should apply for a couple jobs. And I said, sure, why not? Begrudgingly, actually.
And I had like two or three interviews with Pump, different founders, and I got an offer. So they paid for my passport, paid for my flight, paid for a couple other things. I got a thing day renewal of my passport and a ticket.
That was actually the same night, and then I flew over to the UK. I've only left Canada once in my life before this. So Jarrett got hired by PumpFun and moved to the UK. And he knew this was a crazy idea, to move to a new country for some wacky crypto project, but was excited about it too.
I was just excited just to work in a real office again. I've been remote first since like 2013 when I worked for Research in Motion. It was my last in-person job. Like the guys that literally called themselves Black Brand, they're now out of business. It's a long career of... isolation and addiction and stuff. I really wanted to be part of an organization that was young and fit and looking forward to achieving stuff. They were already one of the number one earning apps anywhere in crypto. It's a very long story. I don't really know, but the main thing is I wasn't on my medication. Probably not thinking straight, that's one thing. What was the medication you're on? I'm on antipsychotics once a month via Depo, and I'm also on Elvanse or Vyvanse, which you're in America, so Vyvanse. I fix my own ears up there. What is that treat? Radiation. Okay, so you go to London.
You meet with the creators of this. What is your opinions of them? Oxford, yeah. Yeah, I flew to Oxford. They're all younger. They're all in student housing in Oxford. There was this black diamond they threw. It was their second masquerade or third or whatever. What was your first opinion of them? I don't really know. I didn't anticipate the CTO was the CTO. I actually mistook them as an employee. They're all young 20s and very unexperienced, I guess is the word. How many people were there? There's three co-founders and I was the first hire outside the founding team. He moved into a shared living space with the other co-founders. But after a short while, they all moved to London and got an Airbnb there for everyone to stay at. And they also rented an office. We got a rental last minute across from the Buckingham Palace via booking.com, which was the Buckingham Gate Residences. This was actually a pretty posh place they rented for the team to do work out of. And if you're wondering, how does PumpFun make money? Well, they charge a 1% fee for every trade that happens on the site. So I'll send you this link in a sec. Let me just load it up for a sec, Tom. Yesterday they made... That's actually gone down a whole bunch. They made $520,000 yesterday. Okay, let me look at it.
$340 million in fees they've collected? Yes. That's not including TVL. That's just fees. The site is apparently crazy popular. Tens of thousands of meme coins are made every day there. And they were experiencing explosive growth. No wonder they wanted to hire developers. The site was probably barely able to stay on the tracks.
And it's strange to me that this is the wacky world we live in, where joke tokens have such a wild demand, where the site creators can make hundreds of millions of dollars from this. And see, here's the thing for me. I want to understand the world. I want it to make sense. And whenever I learn about something that doesn't make sense at all, I used to dismiss it and say, ah, those people are obviously stupid or that's fake or that's wrong or something.
But now when I hear something really absurd, I lean into it. And I stay there until it makes sense to me. Like, I still don't understand why the game Banana is the third most popular game on Steam. Can somebody please explain that to me? Most of the time, when I figure out a mystery like that, it's a big waste of time for me because I'll just learn that I was lied to on the onset and I saw something fake or something which made me believe something else.
But in this case, we can see exactly how much money this site is making because the blockchain is public for anyone to see. And yeah, they've made hundreds of millions of dollars on this site. How are meme coins so popular that millions of dollars are being spent on them every day? The more Jarrett learned about PumpFun, the more concerned he grew with the whole company. But to start with, one of the first things that happened when he arrived is they held a black tie party, which was wild.
Outrageous. There was a horse, like a miniature horse. There was fire dancers. There was 200 oysters that were bought. We spent like $20,000 in the bar. He started thinking this place is more crazy than he realized. In short, I think they're committing any number of... That one's tens of thousands of times a day, actually, because there's like 20,000 of these tokens launched every day. The first thing that I didn't really give much thought to is there's no KYC or AML across the entire board.
Okay, so KYC is Know Your Customer, and AML is Anti-Money Laundering. Personally, I don't want anyone in the world to know I bought a meme coin from this place. So I definitely don't want to be putting my actual name as the owner of that. And think about if I went into a casino in Vegas to gamble. There's nobody collecting my name before I can gamble there.
But regulations are starting to come up everywhere in crypto land. And it's very difficult to know what to follow and how. So I'm just not sure if the site is required to do any KYC or not. Then Jarrett also thinks that there's a whole financial advice problem on the site. See, the government has made it illegal for me to give you financial advice. If I wanted to give you financial advice, I'd have to be registered with the SEC.
And Jarrett tells me that there are loads of people on PumpFun who are, in fact, giving financial advice, saying things like, buy this crypto coin and you'll get rich. Is that illegal? Jarrett thinks so. So he tells me the site's official stance is that we're all friends and family on the site because you can give financial advice to your friends and that's not illegal. I looked on the site for a privacy policy or a terms of service and they don't exist.
So from what I can tell, the site does not post any rules of what's allowed or not allowed. But there's one part of the site which is worth mentioning. To launch a coin, you need to create an account, name the token, and give it a logo or something. But to pump it, you can go live. Flip on your camera and tell the world why they should be buying your token. And of course, because you're the creator, if the token goes up, you make money.
But can you think of any problems that might arise on a site where you can make money live streaming and everyone is anonymous and no age checks are required? So the live streaming feature. So if you go and create a coin, and actually it'll show you on that landing page if anybody's live streaming, and you can kind of get the gist. This was one of the things that caused me very much grief. I remember I said to my friend's boyfriend, how could I work on this?
This, this feature, their live streaming platform, allows for the sexualization of young girls, uh, for financial gain, operating without KYC or AML protections, thus exacerbating potential for exploitation and abuse.
So basically, anybody can live stream on the site. And what that really means and how this came to be, in fact, how they noticed it while I was there, is that questionably of age girls were sexualizing themselves on camera, like as a live streaming platform for sex cameras, whatever you call them.
Corrigan. The point is there's no KYC. There's no even attempt to prove that everybody's of age. So, for instance, when one of the founders joined one of these streams that were happening on Telegram at the time, because they were excited and wanted to integrate it live on the site because there's a major boost in traffic and thieves and all that. He joins, and somebody else is on the audio for this Telegram chat and says, this girl is 12 years old. And she says, nah, baby, I'm 21. And that was the extent of the... of the KYC there. I did not ask Jarrett to show me evidence of underage girls streaming on the site.
And Jared Stoyer told me they didn't want to see it either. I did see sexual photos of adults, though, on the site. Let me read a tweet from you that the PumpFun Twitter account wrote on June 13th, 2024. We at PumpFun are fully committed to a family-friendly user experience. Trading memes should be a fun experience for the whole family. That is why we resolutely condemn the porn meta that has taken over our site.
But we can only accomplish that with your help. Please send all the porn you find to our intern. And it has the intern's email address. And see, that's what I mean about pump fun. You can't tell if what you're looking at is a joke or real.
But as I spent time on the site myself, I can tell you it's definitely not family-friendly. I saw way too many buttholes while I was there for sure. And the site has a strong resemblance of 4chan, which is known for being the underbelly of the internet, where the scummiest of content is posted and shared. But heck, even 4chan has rules. And I sat in on the very first Twitter spaces that PumpFun held.
10,000 people joined it, and the craziest question got asked. This question actually contains a swear word, so if you don't want to hear swear words, skip ahead two minutes. One last thing. I seen you guys getting a lot of fun about this, and I was very curious about it because I was trying to defend y'all.
Guidelines. What do you guys think about guidelines? Because I've seen a lot of people doing crazy stuff on PumpFun, me included. Would you guys add any guidelines or safety precautions on your website to fight that? Okay, so first of all, I think our ethos is we're super pro-free speech. We want as much content as possible on our platform to go across. However, if there's anything illegal or outright...
a legal base on the platform, we have to take it down. We can't have that burning both as a moral obligation and a business obligation. We don't want to be distributing anything like that or have anything on the platform. So, yeah, that's sort of the way we stand. Have you gotten anything illegal yet? Actually, no. Surprisingly, I was sort of... We've sort of had this moderation team and stuff like that. And surprisingly, there hasn't been anything too shocking.
But obviously we have to be prepared for the worst case scenario. I'm sorry, I just have one last thing to say and then I'll get out of here. For you saying the legal stuff and, you know, basically moderating what happens on PumpFun. I had an idea. And, you know, since I guess I'm talking to PumpFun right now, can you guys tell me if this is illegal or not? It's an idea for PumpFun. I was thinking about, well...
I was thinking about fucking a girl live on Pump Fun tonight because my birthday's tomorrow. So I thought it'd be super exciting and crazy and different. But is that illegal or not? I'm genuinely asking. It's something that I'm very serious about. The girl is coming over. Is that illegal? Something that I can put on Pump Fun, fucking a girl live? Um, okay, so very serious question. Very, very serious question. I mean...
Okay, let's put it this way. Like we are very free speech oriented. Obviously sort of sexual content does exist on the web. So yeah, I hope you sort of take the answer as we sort of... say it basically. So, yeah. I love you guys so much. Thank you so much for having me up here. Sapuji and Alon, I love y'all. Oh, somebody sent me an interesting link earlier. It was somebody smoking meth on one of these live streams for money. It's actually a tweet here.
They're smoking meth on... what has happened to Pump Fun. A news site called Decrypt pointed out that PumpFun has seen some pretty gnarly stuff. A young teenager got his mom to bounce her boobs on camera to pump a coin, and when he got it to pump, he sold his whole stake in it. And then there was another guy who went live after creating the Truth or Dare token and someone dared him to cover himself in isopropyl alcohol and then shoot fireworks at himself.
And so he did it. The guy set himself on fire and burned pretty bad. He was rushed to the Miami hospital where he suffered third-degree burns on a large portion of his body. People do some pretty wild stuff on PumpFun. We're going to take a quick ad break here, but stay with us because Jarrett's going to top all those stories and do something even more wild. Support for this show comes from Cobalt Strike.
Wouldn't it be nice if real threat actors announced their plans ahead of time so your blue team could prepare? If only that's how security operations worked. What you need is to make sure that your blue team is ready for anything. And Cobalt Strike gives you the tools to test them. Cobalt Strike simulates real-world advanced cyber attacks to enable red teams to proactively evaluate an organization's security readiness and defense response.
Their command and control framework gives red teamers the ability to customize their engagements and incorporate their own tools and techniques, allowing you to stress test specific parts of your incident response capabilities.
Cobalt Strike offers an active user community who share their own extensions through their Community Kit, a centralized repository curated by the Cobalt Strike team. Plus, their latest release introduces BeaconGate, which offers red teamers unprecedented control and flexibility over payloads. Learn about Cobalt Strike and get a custom demo at CobaltStrike.com slash Darknet. Their website is CobaltStrike.com slash Darknet.
So he's starting to have qualms with the ethics of this project and is questioning if this is even something he should be working on. Then on top of that, he started to get upset with the team and decided to move out of the communal living space and get his own apartment. Aside from all these long-standing concerns,
I'm really bad with money. I was making good money, but the thing is I just spent it all because I am bad with money and I do party. Not anymore. I'm 21 days sober today. I'm trying my best not to be that person.
Thank you. I'd much rather survive this oral ordeal and not drink myself to death. But for a while there, I was going off the rails. So I had the money and I got this apartment. I got in this apartment. I didn't like it very much. Literally, I know it's kind of like standard, especially for central London to have.
and roaches and shit. However, I was very unpleased. I wanted a different room immediately. I asked for them to square up to the day of that month that I had worked, which was halfway through the month, so I could get some money to find a better apartment. They said no. I said...
Can you, like, why do you think this will look like preferential treatment at this point? We have three other people working now. Mind you, the CEO did mention, promised rather that I was going to get weekly pays, which would have helped out a lot. I would not have been in this situation. However, it was monthly, eventually.
And what happened is, I said, well, can you pay all bonuses? And he says, no. Like, bonuses to everyone. So there's our financial and stuff. And so, with a head full of alcohol, and the lack of ADHD meds, and the depression from the loss of his mother, and being in an apartment with mice and rats in a town he's totally unfamiliar with, and working for this mega profitable crypto startup which wasn't aligning with his ethics and morals, everything swirled together into focus for Jarrett.
Did you know what you were about to do? Like, were you aware of your actions at all? Psychiatric report confirms that I was aware of what I was doing. Like, totally unaware of the illegality of my actions. I had no idea any of this fallout would happen. I had no idea that police would care. I didn't think this. I really didn't. So, um...
Unfortunately, I am where I am. I got to deal with the repercussions of my actions. I got to learn there are consequences to my actions, so I'm just resigned to it. So where does this begin? Do you see the vulnerability in the code and then just decide to exploit it as soon as you find it?
Yeah, and funny enough, I did report it a couple of weeks before that. There was just no action to fix it. Well, you're the developer. I know, but I reported it. I tried to tell the CTO. You emailed yourself like, hey, you should fix this. I'm busy. This hack is probably one of the more complex hacks I've ever talked about.
I didn't understand it when Jarrett explained it. I didn't understand it when I read an article explaining it. I didn't understand it when I asked my DJ and friends to explain it. It took a long time of me reading article after article trying to fully grasp what happened. And I'll summarize it just for the geeks out there who like the technical aspects like me.
When a token is made on PumpFun, it pretty much is just available on PumpFun. But when enough people buy it, it then gets graduated to Raydium, which is a DEX, a decentralized exchange. And this makes it a little bit more official because it's on this decentralized exchange now. And so to graduate out of PumpFun into the DEX, PumpFun sends a bunch of Solana along with it in order to fund the liquidity pool on the DEX.
So what Jarrett did is he took out a flash loan and bought all the tokens needed to graduate the meme coin over to the DEX, and then he immediately sold the meme coin to pay back the flash loan. Then, using his insider access, he redirected where the Solana was supposed to go. Instead of it going to the DEX, it went to somewhere that he controlled.
This would allow him to take anywhere from 1 to 80 Solana coins every time he could get a coin to graduate out of PumpFun and onto the Raydium DEX. But Jarrett, being Jarrett, wrote a little program to try to do it to not just one or 10 or 20, but thousands, tens of thousands of PumpFun meme coins.
Because every time he could get one of them moved over to the DEX, he'd make a few thousand dollars. So he wrote this program and executed it, taking out thousands of flash loans, pumping projects, and redirecting the Solana that was supposed to go to the DEX to somewhere else he controlled. Then he immediately sold the meme coins to pay the loan back.
On May 16th, 2024, he decided he was going to execute this program. It was all built and ready, and once triggered, it would just automatically try to hit as many meme coins as possible on PumpFun. I was not thinking straight at all. I was just that out of it that I didn't understand what was going on. I didn't even know what I was writing while I was writing it. It's very interesting. Any idea why you were so out of it? What do you mean by out of it? Probably without...
Probably without antipsychotic medication for about six months would do it. I'm a diagnosed schizoaffective person with a panic disorder, bipolar, and antisocial personality disorder, and depending on how you talk to ADHD, the new psych report. The new psych report believes me to have one diagnosis. He doesn't think there's any psychotic symptoms, nor are there so long, so long when I'm sober.
However, he thinks just ADHD and maybe make it to a personality disorder, but he didn't want to actually declare it. Just needs more success. Gosh, dang, dude. No wonder you're called Stack Overflow. It's a memory leak, isn't it? That's the vibe. My Instagram and my no-law Instagram is 256 bits of confusion. Yes, it's...
That was a lot. You just told me like a whole bunch of diagnostics, right? Just rattled one after another. Yeah, yeah, yeah. Well, the first one was more than 18 years ago, wasn't it? I got diagnosed. The last three years of my life, I've spent more than two years in hospital or permanent, more long-term hospital grounds, I guess, like residences or programs.
I read through Jarrett's psychiatric report. It was conducted on him to see if he knew what he was doing at the time of this hack. The report is kind of dark. The dude was addicted to cocaine his whole life, but he had been off it for the last three years. He's been hospitalized for mental issues six times in the last three years. One was just to go through the excruciating detox from cocaine. And in the report, he admitted to attempt suicide a few times by taking too many meds.
He often has these extreme cases of paranoia where even the smallest things can trigger it. Like, he gets hallucinations sometimes. Little everyday manageable events become not so manageable, or even self-care, all that stuff. It's a slippery slope and insanity, really. A psychological report says that the day he did the hack, he was aware enough to know what he was doing, but not aware of the legality of what he was doing.
It's kind of like the spotlight of consciousness was only focused on the here and now, and no light was shed on the possible future or the consequences. You see this vulnerability, you have this episode, a psychotic episode, and you're just like, oh my gosh, let's see if this can work.
I don't really care. Do you have... I'm thinking about that moment right before pushing enter. Well, yeah, that's the thing. The moment right before pushing enter, and I'm glad you phrased it like that, because it was quite the... Leading up to it, I got paranoid again. I couldn't be in the same building as them. I thought they would lash out and stuff.
I had to, like, surgically move to a cafe for spy and stuff. And, like, I had to sneak around and, like, look around the corners. They couldn't see me and stuff. But then at the very moment, I was hovering over the entry key, right? I stepped back and I said, well... Let's just think about it for a second. Let's draft a tweet here. It was actually a Facebook post. Yeah, I'm going to show you. It got 2.1 million views. This is the tweet. It basically summarizes my thoughts at that very moment.
No. Magic. Everybody be cool. This is a robbery. What'd it do? Stack attack? I'm about to change the course of history and then rot in jail. Am I insane? Nah. Am I well? Very much not. Do I want anything? My mom raised from the dead, and barring that, life without parole. Okay, so you string a series of tweets and, yeah, 2.2 million views, this thing.
Yeah. So you knew this was going to steal money. Who do you think it was going to steal money from? The users. That's the thing. I limited the damages enough that they could pay to the users. That's not a big deal. Now, did you have any estimate on how much money you would be stealing? $40 million. $40 million. No, it says in Tweet about $80 million, but I was just being silly. If done right.
This heist is going to steal $40 million worth of Solana from the users of PumpFun. In his tweet, he even goes so far as to say it might cause a Solana outage, suggesting that this hack could be so catastrophic to Solana that it causes a chain split. Similar to what happened to Ethereum Classic. I don't know why I said that. The swan fork thing. People laugh about it constantly these days. They quote this thing still and say, I'm not even thinking you're going to cause the fork of swan fork.
It's just very interesting that people think I'm bad. I mean, I was. I was always not well when I wrote this. Okay. So you write the tweet and then hit enter. Yeah. I'm going to start getting phone calls on Telegram over and over again. So I uninstall Telegram. How was that? I went and walked around in circles. And I was running out of battery. One of the employees comes running by me. And like...
I even just put up my hands in a beach sign, but he like ran right by me and looked both ways down the road and ran off in a different direction. I said, well, that's my, that's my hints that I should, I should get some cover. God protected me in that instance. So let's go get some cover.
His program was working flawlessly. He was taking out flash loans, pumping projects until they'd flip over to the DEX, then selling those coins to pay back the flash loan and redirecting the Solana that was supposed to go to the DEX. But here's the thing. His program had one other trick up its sleeve. His mission wasn't to make money. He wanted to be dramatic and theatrical, remember? So his hack was programmed to send the coins he was getting to random Solana projects that he liked.
In fact, he never had possession of the stolen Solana at any time. They were automatically redirected to random people in the world, and he had thousands of wallets that he was sending this money to. There's about 95,000 total addresses that could have potentially received funds out of those. Only about 2,000 did, again, because I'm not good at math, and it was supposed to actually hit everybody more than once. Regardless, yeah.
Brandon Chokins. I actually, I asked somebody at some point, I said, who do you believe to be a more deserving subset of users on Solana? And this is what I came to mind. Hundreds of PumpFun coins were getting hit by this. And as the script continued running, thousands were getting hit. The owners of PumpFun quickly became aware that their site was under attack and were looking for Jarrett. But at that point, someone gave Jarrett some money and he checked into a hotel room, not even a block away from the offices, to try to lay low for a while.
And I'm just trying to catch your emotional reaction when you're seeing it actually working. I'm like, shit, it worked. I didn't... anticipate. Yeah, I mean, there's that. The first, okay, the first one, when it went through, I was like, come on. Yeah, then it's obviously multiplying, like doing these on a, you got an asynchronous and stuff, so there's, there's many thousands or a couple minutes, whatever, but like
or at least attempts, right? Because it was, again, many hundreds of thousands in total that failed. However, I guess I was more worried about getting the thing to have more successful transactions than money but emotional response. Again, somebody who's diagnosed...
Personally, with ASPD and potentially mixed personalities, I don't really understand emotion the way that most people do. It's more technical and it's more, like, I don't process emotions in my business is what I should say. Yeah, how does that work? It's like I'm on the moon.
and I have a telescope and I can kind of witness what other people go through by viewing them through the telescope and I can emulate as best as I can and I come off pretty well but I really have no idea what I'm doing. It's just through emulation at a very long distance.
PumpFun creators couldn't stop it. They wanted to, but simply had no tools to combat this. And they just sat there, staring at the devastation unfolding. Thousands of Solana tokens were being taken and redistributed to random Solana projects.
Eventually, the PumpFun team came up with a plan. They increased the transaction fees that were being charged on the site. This way, every time Jarrett bought some PumpFun tokens, he'd be charged a ridiculous amount. And the increase in fees actually did put an end to this because the flash loans that Jarrett was taking out simply couldn't cover the extra fees required to pump the token anymore. And even if they did, it would likely make this plan a lot less profitable.
So somewhere between 30 to 60 minutes in, the elaborate and wild robbery of pump fun came to an end. Jarrett was able to pilfer 12,600 Solana coins at the time and send them all to random addresses, other projects that he thought were deserving of the money. He didn't keep a single token for himself. In total, it was about 2 million U.S. dollars worth of Solana. So the victims here were the people who were using these meme coins on PumpFun. They had their liquidity stolen.
PumpFun had to take responsibility for this and spend their own money putting back the liquidity into these projects that got it stolen from. So in the end, the biggest loser here is actually PumpFun. And they were mad.
They learned pretty early on that Jarrett must have been behind this. His sudden disappearance, strange behavior, and wild tweets were clues alone. But tracing this through, they also could see that it was an insider who was redirecting the funds. So they called the police to help them hunt down and arrest Jarrett.
Two days later, they found me. Three days later, actually, they found me. Again, 90 meters from the office. They sent somebody to my sister's house in Canada. In that time. And there was a private... What's it called? The International Security Service was hired to find me, which is why they found me, I guess. But I was just eating a burger across the street. And they saw me and reported me until a warning cop showed up.
Somewhere in the middle of it all, he discovered that his wallet was receiving huge amounts of meme coins, and he couldn't quite understand why. By the time this was all over, he had about $600,000 in meme coins in his wallet. But he just handed the private key of that wallet over to the PumpFun team because he wasn't trying to make money off this himself and felt like he already made the statement he was trying to make.
Two or three in the morning, I was asleep. I was fast asleep. The cops show up, and they knock on the door, and I said, ah, shit, here we go, and knock on the door. This is the first time I've ever been arrested. And they come in. these gentlemen, and it was cordial and stuff. I eventually went to go pick up a glass bottle full of water to pour myself water. I didn't know I was under arrest at this point. And they said, can you put the bottle down?
I just want some water. He says, I'll get you some water. I said, sure. Thank you. Anyway, they're terrifying. I've learned since that the reporter for the alleging party said that I would tend to violence very quickly, which is not true. Categorically, it's historical, all of that stuff. And they were worried they would destroy the evidence upon the police arrival. Body cams will prove otherwise. Then I went to the station. Stayed overnight. They saw me in the morning.
Well, it's a psychiatrist. Three psychiatrists, actually. They said, I probably shouldn't answer questions. I mean, I read a bit of a sermon myself. Listen, I haven't had medication. I have not had medication in six months. I don't think I can answer questions right now. So that's what happened. Then I was in the hospital for a month. I came out. I was late on my rent. Paid my rent.
Dale says that, be here. Been here since. Got drunk for two months straight, pretty well. And then decided one Monday to stop drinking. Started doing recovery groups and have been sober since. The court looked at his case and decided that he'll receive a maximum of 14 years in prison for this and a minimum of seven. How do you feel about that? No, I have no idea.
I'm not really fazed. I've been through worse. It's just unfortunate. I'm glad mom's not allowed to see this. I really have my reservations about my nieces knowing that I'm in jail. That will suck for them. But the point is, yeah. I'm not, I see no issue with it. It's a good jail. I mean, no jail is good jail, but it's decay. I mean, it's not like dirt floor. You can get a degree and there's like libraries. I'll be fine. You can buy vapes at the canteen.
You'll be fine. You'll be fine. I'll be fine. I'll be fine. I'll be fine. The funny thing is, I begged for it in the tweet. You just saw the tweet. I begged for it. At that point, anything was better than living with the roaches and mice here in this carnivore. At that point, I really just didn't want to live where I was living. I didn't want to deal with the things anymore. And I thought to myself, Gio's preferable to this. And so I took the stupid thing.
And now I got to face the music. You really are a character out of like Sartre or Camus or Kafka or something. The mice and rats made me, drove me crazy to the point where I committed a crime to go to jail for seven years. But at the same time, I wanted to spread the wealth to everyone else who deserved it. This is ridiculous. This is what it is.
This is all fact. I mean, you're welcome to do your research and cross-reference, but this is the series of events that exactly what happened. I don't even know what to think about this. How do you want this story to end? Like you're going to go to jail and you're going to be watching the news. And what news are you hoping to see? I know invariably that they're going to run off with the money at some point.
all of the user funds, which is much more than 300. Hold on. It's kind of ironic that you said that because when you go to the site, PumpFun, a pop-up shows up and it says, "Pump prevents rugs by making sure all created tokens are safe." They say they're the ones preventing rugs, but you're saying, no, they are going to rug pull. I believe so. I have firm...
It's that last part that really makes me wonder where it says all created tokens are safe. What are you talking about? Should I be concerned they aren't safe? If I go to my bank's website, it doesn't say, we promise your money's safe here. It's a class act anyway. But I firmly believe that that's the end goal for them. Whether or not they go to a centralized version themselves. They pitch themselves as the next FTX. It's a really long story, but I guess in a nutshell, I...
I really wish that I could have some effect where I limit the damages this time around, but I guess I might be able to. Well, it is kind of ironic that Jarrett thought the site was going to rug everyone else, but he rugged them first. Like, really, he's the one who took money from the users, you know? It was only the site that had to reimburse everyone. I guess that's the key there. So when I came over, I didn't anticipate that they were planning this heist.
to be exactly what it is. And now I am firmly convinced that it will be what everybody doesn't expect, apparently. And it's cool. Yeah, they believe that money to be theirs. I have no idea how much they have in TVL. It was $80 million on May 16th or whatever. exponentially more now probably. And so it will be mayhem and carnage. I don't hope for that. I just know that'll happen. Yeah.
So Jarrett thinks the owners of the site are going to rug pull all the users of PumpFun, take all the money that's locked into the site and close up. But it seems like the site's making a lot of money, so I'm not sure. Like, why butcher a cash cow, you know? But this was Jarrett's whole point, to try to warn everyone before it happens and to be dramatic and theatrical about it. I seem sold at the time that I was in the right and I still swear that I'm fine by my demons here.
Even in that letter, I'll just read this out loud. I need to be honest. I do not feel remorseful for the damages caused by Baton Corporation Limited. Of late, they've been earning north of one million quid a day from the systemic exploitation of friends and family of people posting unregulated tokens to the site. each and every day. There's absolutely no damage to them. They have not recouped many times over.
I petition you, your honor, to continue the relative harm here. While my actions may have caused temporary disruption, the ongoing practices of the Baton Corporation Limited posed a far greater and more sustained threat to individuals and families who are unknowingly drawn into these exploitative schemes. So Jarrett pled guilty, and even admitted guilt on Twitter, which got 2 million views. And it was all said that on October 25th, 2024, he was going to be sentenced. However...
Last minute, he changed his mind, and he asked his lawyers to vacate his guilty plea. And they were like, seriously? And they quit. They didn't want to represent him anymore. So he told the court, he's changing his mind. He's not guilty. Which now means there's a much bigger process ahead for this case. And it might take months to solve. So we'll see where Jarrett ends up in the next few months.
Oh, and this episode was really hard to make because PumpFun is always changing. Just before I was about to publish this, there was a surge in new users at PumpFun. And along with that came a surge of new live streamers. And things got pretty wild. Some guy was holding a goldfish at gunpoint saying, buy my coin or I'll kill the fish. Another guy was live streaming himself pooping for four days.
He was sitting on the toilet for four straight days trying to pump his coin. Another guy locked himself in a dog cage until his coin would hit a certain price. And someone else locked their grandma in a cage until the coin would hit a certain price. I saw the photo. but I'm pretty sure it was fake.
Another guy was firing his gun out the window every time the coin went up a certain amount. And I also heard reports of some live streaming bestiality. And there were reports of people threatening to shoot their pet dog unless their coin pumps. And I heard a report that there was some...
Someone live streaming threatening to shoot their family unless their coin got to a certain height. And someone live streamed themselves tying a rope around their neck saying unless their coin hits a certain amount, they're going to hang themselves. And the coin didn't make it. So he hung himself. But then as the stream continued, some viewers were like, nah, I can see your hand moving. That's fake, bro.
Anyway, all this sparked an outcry on Twitter, especially from the crypto community saying, well, PumpFun, you've got people killing themselves on camera. You need to make some rules, guys. You're going to ruin everything. On top of that, the PumpFun team themselves was actively taking down live streams that had repulsive or dangerous content. And it got to be too much. The PumpFun team simply couldn't keep up with the constant stream of awful content that they were trying to remove.
They turned off the live streaming feature altogether and issued a statement saying they simply can't moderate effectively with the current user base size, and they need to scale up their moderation abilities and make it clear what's allowed and what's not allowed before allowing live streaming back on. All I can say is...
I think this is just Pump Fun's origin story. I don't know what's going to happen next, but it almost feels like one of those internet moments that I'm tuned into now. And I'm going to have a box of popcorn ready for whatever happens next. It was a pleasure, Jack. And if you do get around to publishing this, I just want to say that I recommend everybody get some more fun and more time to touch your guys. That's about it. Thank you.
Seriously. All right. I'll take advice from you. Thank you. I can't trust a bunch. This episode was created by me, the cyber klutz, Jack Rhysider. Our editor is Control-Alt-Defeat, a.k.a. Tristan Ledger. Mixing by Proximity Sound, our intro music is by the mysterious Breakmaster Cylinder. Why was the computer tired when it got home? Because it had a hard drive. This is Darknet Diaries.