Hey, this is Jack, host of the show. What a fun show this has been to make over the years. I'm having such a blast doing this. And I think this episode is one that sent me on an adventure that I'll never forget. It's a big and wild story. So let's not waste any time.
These are true stories from the dark side of the internet.
I'm Jack Rhysider. This is Darknet Diaries.
This episode is sponsored by ThreatLocker. The weird part about modern cyber attacks is how normal they look. The attacker logs in from Chrome, uses PowerShell, runs a remote admin tool your IT team already trusts. There's no custom malware, no dramatic movie hacker moment, just normal tools used in the wrong way. That's part of why ThreatLocker exists. ThreatLocker helps organizations control what software can run, what it can do, and how systems communicate.
If attackers get credentials or land on a machine, they'll have a much harder time moving through the environment. Because security teams are realizing something important: the problem isn't always unknown software anymore. Sometimes it's trusted software being used by the wrong person. If you want to see how ThreatLocker works, go to threatlocker.com slash darknet and book a demo today. That's threatlocker.com slash darknet.
This episode is sponsored by Meter, the company building networks from the ground up. If you employ and work with IT engineers, you're going to know how hard it is for them to do their job well. What your business needs is performant, reliable, secure networking infrastructure. But what you get is IT resource constraints, unpredictable pricing, and fragmented tools.
What you and your engineers need is a modern platform you can all trust to support your business. Enter Meter. Meter delivers a complete networking stack, wired, wireless, and cellular, in one solution that's built for performance and scale. Alongside their partners, Meter designs the hardware, writes the firmware, builds the software, manages deployment, and runs support. That means less time your employees spend writing to multiple vendors and more time working on and improving your IT systems.
Meter's full-stack solution covers everything from the first site survey to ongoing support, giving you a single partner for all your connectivity needs. Thanks to Meter for sponsoring this show. Go to meter.com slash darknet to book a demo now. That's spelled M-E-T-E-R. Meter.com slash darknet, and go book a demo.
Meet Liam.
Yeah, I'm Liam O'Murchu. I work with Symantec and I've been there since two thousand and four, and I work in the security response department and analyze malware.
I've seen you before. Have you been on TV?
I have been on TV. So I was part of the team at Symantec that analyzed Stuxnet, the virus that was infecting equipment at uranium enrichment plants in Natanz in Iran.
Yeah, you were one of the early ones to explain this is what was discovered.
That's right. We were the team that discovered what Stuxnet did, what the payload was, how it worked, how it had spread, who it was targeting. Yeah, and then because of that, I was in a documentary that was shortlisted for an Oscar in two thousand sixteen, called Zero Days, by Academy Award-winning director Alex Gibney.
So if you want to know what I do in my job, you can see it all there. And then also Kim Zetter wrote a book about it as well, and that whole story and my work and my team's work was featured in that book as well.
Yeah, Stuxnet was a huge deal, which really revealed the lengths that the NSA will go to to create malware. And I covered Stuxnet in episode twenty-nine, if you're interested, and I actually interviewed Kim Zetter for that one. And so after that, Liam continued to investigate threats. I think he has the most fun investigating novel threats, that is, threats that the world has never seen before or figured out yet. And so one day a new piece of malware showed up on Liam's desk.
Yeah, so our customers at Symantec, they'll get malware on their machines and then they'll send it to us for analysis. So I got this file that I wanted to analyze for this customer, and when I started looking at it, something felt off about it compared to the other malware that we would look at regularly. It just wasn't run of the mill. There was something different about it.
There's a lot to do when analyzing new malware, but first you need to collect a sample of it. And Liam didn't have a complete sample yet. He really wanted to know what this malware does, what it does to the victim, what the objective of it is, who the people are who created it, and how it spreads.
And I understood that they were trying to defraud customers of eBay. So I decided to name it... I couldn't use eBay, as that's a trade name, so I decided to call it Bay Rob, because they were robbing customers of eBay. And what the malware was doing was it was sitting on your computer, and when you tried to connect to the eBay website, it would intercept your connection and it would inject false information into your browsing session.
And it made it look like the false information was actually coming from the legitimate eBay URL. So you wouldn't notice that anything was different. And then they were using that to sell you things that didn't exist on eBay.
He wrote up a little thing and published what he knew about this malware, but he still didn't quite have all the pieces for it yet, and he really wanted to know more about it. The sample he got wasn't quite enough for him to fully infect a machine and watch this malware: the machine seemed to be infected, but the malware would never actually do anything on it.
So he went on a hunt to learn more and had to think like a victim. How do victims get hit with this? How is it delivered? How do you get infected? And he learned where the watering holes were that people were going to get infected with it. Specifically through phishing emails and Craigslist posts.
I kept searching to see if I could find that missing piece, and I just kept on looking through our telemetry and looking to see where I might find this. And I knew there were some places where this was probably going to be distributed, so I was looking in those places, like on Craigslist, for example, in email, looking to see if I could find any places where I could find a complete package that would help me to analyse it from beginning to end and understand exactly what the attackers were doing, how they were making money, where they were sending the money, the entire thing. I wanted to know it all. And it turns out that the reason I couldn't solve the entire problem was because the attackers were geofencing their fraud, so that it could only happen in America and only happen in certain locations within America. And I was based in Ireland at the time. So when I tried to connect to these auctions, because they were posting these fraudulent auctions, because I wasn't in America, I wasn't authorized to see this fraudulent data.
Well, that's already impressive to me, that this malware only worked for Americans. If anyone else in the world were infected by it, they were basically immune to it. Wild. So since he couldn't get scammed by these fraudulent eBay auctions, he tried to find someone who had been scammed by them, and he did find someone who lost thousands of dollars after trying to buy a car on eBay.
And I managed to discover who that victim was. I reached out to that victim. And she had actually signed up for an auction after she had been defrauded the first time. She found another auction that was very similar and she signed up for that, and she had gotten the entire package, the entire malware package. And I spoke with her and she was prepared to share that with me.
He was able to get the malware off her machine and analyze it. And he discovered how it works and what it does, how the infection happens and how the criminals use it to steal money. But he still wanted to see it in action. So he came up with a plan.
I posed as her, I recorded my entire session and I went online and I bought this car. And as part of the fraudulent information that they were injecting into the eBay website, they injected a chat window where you could chat about this fraudulent auction. And when you chatted you thought you were talking to eBay support, but you were actually talking to these attackers.
So I recorded this entire thing. I went and I bought a car, I talked to the attackers, tried to engage them as much as possible to see if their English was good and tried to talk to them at different hours of the day to see when they might be awake and not. And I recorded this entire thing and ended up being successful buying this car and going all the way through with the transaction to the point where they sent me information about a money mule where I was meant to send my money.
And that was where I stopped. I didn't actually go through and send any money. But at that point I had victim information, I knew exactly how the threat worked, I knew exactly how much money they were making. And I understood how the whole thing worked. And more importantly, I had a video of exactly how it would work from beginning to end. And what I did was I published that as a blog saying here's the threat, here's how it works, here's how you can protect yourself, here's what it looks like, here's a video of me buying a car, here's a video of me talking to the attackers, and published that.
Liam's blog post was well received. People liked it and shared it. A lot of people read it. And after posting it, Liam kind of moved on to other things. He felt like he had pretty much gotten to the bottom of this. Like, he created signatures for how people can detect this and what command and control servers it uses. This was enough information for companies to create antivirus rules and block these servers.
And that should have been it for Liam researching this Bay Rob malware. But the Bay Rob malware started changing after that.
So they would name their command and control servers various different things. They picked random names for the URLs of their command and control servers, but then they started putting my name in there. So they had domain names like gayassoliam.com, tinycockliam.com, liamthemule.com, thankyouliam.com, yeah, a variety of different variations of that over the years. And then also, because there was a little encrypted section underneath that, they could also leave a message in the malware that they knew only I would see, or someone who was analyzing the malware would see. And then they left messages in there like, "Symantec does group masturbation" was one of them. So just over the years they would leave these messages in there for me. And of course when I saw that, that made me more interested in understanding what was going on.
My favorite message they left for him in the malware was, "Symantec team is a big hen coop chicken smart." Hen coop chicken smart, what does that mean? And all this mocking and taunting actually made Liam want to look more into this Bay Rob malware. His name in the malware is what drew him back into this. So he got a computer and set it up in the lab and got it infected with a fresh copy of the malware and went to analyze it further.
Now because he worked at Symantec, this gave him access to some pretty powerful malware analysis tools. So he ran this through there.
I was able to see where they were connecting, where they were hosting, how they were routing their traffic, how we could become part of that routing, how we could see some of their messages, how we could infiltrate, how they communicated. And that was super, super important in understanding the entire attack.
The way this malware routes across the planet is fascinating to me.
The way they were protecting their identity was they were routing their traffic through infected machines, so that if someone like me or law enforcement tried to trace them to their original location, it would be very difficult to do that, because they would jump through multiple infected machines in multiple countries. So if you saw their first IP address and you tracked that down, you would get a victim. And even if you monitored that victim machine, you would get another victim in another country. And to go and trace it all the way back to their home machine would be very, very difficult. So it was a really smart way for them to hide their traces.
Clever, right? So the attackers would never directly connect to their command and control server or their victims. Heck, they wouldn't even talk amongst each other directly. Instead they would always use at least three hops through their infected victims to communicate with anything, even just Googling things. And if they wanted to connect to a victim, they'd go three hops to their command and control server and then three hops to the victim.
This made it incredibly difficult to trace even just what country the Bay Rob gang is located in. And at the time there were over 6,000 computers infected by this Bay Rob malware, and any of them could be part of this proxy chain. And that gave Liam an idea. If they're using the infected computers to connect through, then does that mean the infected computer Liam has in his lab has a one in six thousand chance of seeing a connection from these attackers? Maybe.
So he gets this infected computer back online, puts some packet captures on it, and waits a long time. Like, over a month. And he never saw anything.
It all started off under my desk actually, in the office. I had my little test machine under my desk and I set it up there and I ran the malware, and I was very disappointed to see that they never connected to my machine. And then I started to realize, oh, there's an algorithm that they're using to decide which machine to connect to.
Yeah, get this. After Liam had his infected machine online for a month, listening for connections from these criminals, he noticed the malware suddenly changed. More code was added to it, and this code had all the details for how the proxy chain worked. So to begin with, a machine had to be infected for 30 days before it even received the proxy chain code at all. And so he analyzed this proxy chain code and he saw that not all infected machines have the same weight for being used by the hackers to hop around.
So then I understood that if you had higher bandwidth, you had a better chance of being used. If you were in different geographies, you had a better chance of being used. So it went from underneath my desk to a server on the west coast of the US, then to a server on the east coast of the US.
This time with a beefier server with higher bandwidth. And now this gave him a one in four hundred chance that these attackers might connect through his machine. But still, after sitting there listening for any proxy traffic coming through, nothing. He looked at this proxy chain code again and he learned that before they would use a computer in the proxy chain, they would take a screenshot of that computer and look at it to see if it looked like a normal person's computer.
Because if it looked like the computer of a threat researcher like Liam, or a cop, they might notice something off and not connect to that machine. These hackers would vet every single computer before using it in that proxy chain. Holy cow. So Liam had to make sure his computer in his lab looked like someone's home computer.
But on top of that, Liam also discovered that if the infected computer was in Romania, it would be given priority in the proxy chain. Basically, it had a higher chance of being chosen for their first hop. Which might also be a clue as to where these guys are from.
So he rented a computer in Romania, infected it with this malware, beefed it up with a fast internet connection, made it look like a regular user's computer, waited 30 days for the proxy chain code to come on, and then waited some more. This time, he thought he had a 1 in 40 chance of them connecting to his machine.
And eventually they would connect to my machine as their first machine in the chain, which meant I got their home, or what I thought was their home IP address. So I was getting these addresses in Romania, in Bucharest and in a town called Brasov. And every now and again they would slip up and you would see that that's exactly where they were coming from. So by using those proxies, not only was I able to see where they were coming from originally, but also I got to see an absolute treasure trove of information that they sent across that network, because they felt they were protected.
So I would see, first of all, them setting up their campaigns. So I would see them transferring all the files that they needed to run their fraud. I could see them Google searching for images or for text that they were going to use. I could see them setting up email campaigns.
Wow, what an amazing insight he had into these attackers. These guys were using this proxy network for everything. Every time they'd check email or move money, or yeah, even search Google, they were unknowingly routing their traffic through Liam's computer, or at least sometimes it would be chosen to go through Liam's computer, and he was capturing it all.
But just because Liam was in the connection path capturing this data didn't mean he could read it. The data was unreadable, and that's because these guys were encrypting everything. All communications to the command and control server were encrypted. All communications between the different attackers were encrypted. He could tell these guys were talking over Jabber, but couldn't see any of the messages, since they were using OTR (Off-the-Record), which does end-to-end encryption on all Jabber chats.
So most of the time Liam had nothing but encrypted gibberish, but every now and then he'd see a small blip where something wasn't quite encrypted all the way, or metadata about a connection would tell him what they were doing right now. And by this point, Liam had been investigating and tracking this malware for years, and had a way deeper understanding of who's behind this compared to his first blog post.
I was analyzing the malware and I knew where they were connecting, and I could see where they were connecting all over the world, and I was like, I can't do anything about this, but I know law enforcement could go and they could get these servers and these computers and these addresses and they could actually take action on them. So we went searching for law enforcement who would work with us on this case, and we had a long list of all of the things that the attackers were doing. And that was how we ended up contacting the FBI.
But as it turned out, the FBI was already on this.
Hi, I'm Stacy Whitaker. I am now a retired FBI agent. In two thousand seven, I was a pretty new FBI agent, had only been in for a year and was still learning kind of my job. But yes, so I had been contacted very early on by one of the initial victims of the Bay Rob group. I was working in the Cleveland division at the time, and so she reached out to the Cleveland FBI office to report that she had been victimized on eBay.
And so I had simply answered her phone call when she called the office and talked to her about what had happened to her. And she explained to me that she had tried to purchase this vehicle on eBay.
And that she had supposedly won the auction, she had paid for the vehicle, approximately eighty-six hundred dollars, and then she never received the car. It was supposed to be transported to her and she never received it. And on the initial phone call, that was pretty much all that she knew. And so I had asked her, as we typically do in the FBI, to report this information to IC3. IC3.gov is a website that we use to collect information from victims of all different types of crime related to the internet, primarily. And so she did. She went to IC3 and she reported it. And at the time I thought that was the end of that conversation, because of course for eighty-six hundred dollars the FBI typically is not going to open a case. But she actually called me back about two or three days later and was explaining to me that she had figured out on her own that her computer was infected with a virus and it was related to this eBay fraud. And it took a little bit of convincing to convince me that she actually was correct. She sent me Liam's report on Bay Rob. And so that was the first time I had read his report about this virus. And so basically I had decided to go out and meet with her. I took a computer forensic examiner from our office with me so that we could look at her computer, we could verify that she was in fact infected on her computer with this virus, which we did. And so because of that, because she was infected with malware, we were then able to open an investigation, even though it was such a small amount of money that we were talking about.
And it was around here, in two thousand seven, is when Liam got in contact with FBI special agent Stacy to tell her all about what he learned. But even with all that information, the FBI didn't make any progress on this case. In fact, for the first five years of this case being opened, very little happened with the FBI.
It was very slow and very frustrating. Very slow and frustrating. So one thing I would say is, I think this case is a very good example of the evolution of the FBI in many ways as well. So in the beginning in 2007, that was a time when we in the FBI didn't necessarily work hand in hand with the private sector.
Right. So even though I ended up talking with Liam in two thousand and seven, we shared some information a little bit, but then we kind of went our separate ways. We didn't talk again until 2012, because that was kind of the way that we did things at that time in the FBI. We didn't share information too much with the private sector. We would, you know, do subpoenas, we would do search warrants and we would gather information, but we didn't necessarily work hand in hand like we do today.
Also at that time we didn't necessarily work very many investigations that touched overseas either. So again, I was a new agent in the FBI and I opened this investigation and pretty quickly was able to determine that all the money was going overseas. I was tracking the money, was figuring out where it was getting picked up in different countries in Europe.
And when I figured that out and I was talking with the other agents on my squad, their reaction was basically, oh, you need to close that case. Again, this is in two thousand and seven and we just didn't have as much visibility and as much partnership with other countries as we do today. And so I refused to close the case, and kept working at it and kept collecting information, even though I was very limited in what I could do. I mean, we did have an FBI office in Bucharest in Romania. And so I was sending information to our FBI office over there. Initially I was simply sending them information on the money mules that were picking up the money. So I was able to track the money being sent via Western Union.
And initially it was getting picked up in Greece, and then it was in Hungary, and then it was Romania. It was several different countries in Europe where money was getting picked up. So I didn't necessarily know at first that it was Romania. But most of the money mules were using Romanian IDs when they would pick up the money. So for five years, all I'm really able to collect, for the most part, is victim information.
Right. I'm creating the spreadsheet of all these different victims that I've identified. I'm identifying money mule accounts or IDs and money transactions, and I'm collecting all of that information.
Now even though Stacy was new at the FBI, she was pretty sharp, especially with computers, since she was a computer programmer in the Air Force before this. And she was really intrigued by this case, probably more intrigued than anyone else at the time. But she knew if she was going to solve this, she was going to need more help on the investigation.
I bring in CCIPS eventually to help on the legal side. And then I end up talking with Liam again in 2012, who connects us with Eoin. And at this point, I'm figuring out that this is a very sophisticated group that we're dealing with, obviously. And especially from all the work that Liam had already done, I knew, you know, although I was on the cyber squad in Cleveland, I didn't have a super techie background.
Certainly a little bit, but nowhere near as much as Ryan. So I definitely needed some help on that side of things. And so I asked Ryan to work on this case with me.
Yeah. So my name's Ryan McFarlane. I'm the IR practice lead at TrustedSec, but at the time I was a cyber agent. I was coming from DC, where I spent two years at our National Cyber Investigative Joint Task Force working whole-of-government counter operations against China, and was transferring back to Cleveland, and got to Cleveland and the first thing I ended up getting asked to do was to work with Stacy on this case.
So Stacy starts bringing special agent Ryan up to speed on this case.
You know, I land in Cleveland and start working this case with Stacy, and I spent the first, you know, six months to a year just going after all the infrastructure that these actors were using, and working with the U.S. Attorney's Office in Cleveland and CCIPS to get legal process and a ton of technical coverage on the Bay Rob group.
Of course, one thing the FBI is good at is following the money. They learned that these criminals use money mules a lot. So when the criminals would trick a victim into sending them thousands of dollars, like through an eBay auction or something, the victim didn't actually send that money directly to the criminals. Instead, the criminals hired someone else to collect that money, keep a portion of it, and then forward the rest to someone else. And then they would forward that money again to someone else. And eventually it would be forwarded all the way to the criminals, or turned into cryptocurrency and then given to the criminals. And they would get these money mules by putting ads on Facebook or Craigslist, advertising a legit job, like a work-from-home type of thing.
And then they trick the money mule and lie to them about why they're accepting this money and where they're sending it and what's happening. And the strange thing here is that even though the money mule is tricked into thinking they're doing some legit work, being a money mule is actually illegal, and these people could get arrested for this. We're now more than five years into this investigation, and the FBI started bringing even more people into this case.
I'm Brian Levine. At the time, I was a cybercrime prosecutor at the Computer Crime and Intellectual Property Section in Washington, D.C.
That's under the Department of Justice.
Yes, it's part of the Department of Justice. I was also a national coordinator for all the computer hacking and IP prosecutors around the country, one of whom was Duncan Brown, who was an AUSA, assistant US attorney, in the Northern District of Ohio, and I was brought in by Duncan and Stacy to help on the case.
Stacy and Ryan looked over the case more. They got a lot of information from Liam at Symantec, who discovered all this stuff about the way the proxy chains work and how he had infiltrated the chain and even captured some interesting things. And also Liam suggested they talk with Eoin, so they called Eoin up.
My name is Eoin Miller. I worked on AOL's CERT team from 2011 to 2016. I received a report of abuse on my network from a specific IP at a specific time, and was told it was related to potential Bay Rob activity. I went ahead and started taking a look at that and started pivoting around. We were able to connect specific domains that they were using and accessing with various accounts, various AOL accounts that were being used in order to tunnel traffic through us. AOL allowed anyone to sign up for a free account and then tunnel network traffic through our dial-up IP allocation space. So we were basically like a very large free open proxy service. And we were also a free email provider. And basically we had built a full packet capture indexing system, at the time called Moloch and now called Arkime, that we had deployed at ISP level. And so us and others as well that offered those same types of services were heavily being leveraged by this group in order to, you know, create new accounts, chat with people, all of that good stuff. And so we just started digging around and seeing when they would connect in, where they would connect from, and started going through all of the network traffic that they had presented to us.
So Eoin from AOL was now feeding the FBI bits and pieces of things that he was seeing. And at the same time, Liam was still listening to the traffic going over the proxy chains. And every now and then he'd see them connect to the proxy chain as their first hop, which likely meant the criminals were connecting to this from their home. So he would call the FBI and say, look, I have a strong suspicion that these are the IP addresses of the criminals, and they're in Romania.
And so the FBI would contact the Romanian police and ask them, could you find out whose IP this is and go see if those are our guys?
And the Romanian National Police were great. And they would go and they'd come back and they'd say, you know, we just talked to a really nice school teacher. And we were sending the Romanian National Police all over Romania. And, you know, the more doors they knocked on, the more we realized something was going on that we just didn't understand.
What? So even though they're using six or seven hops through this proxy chain before doing anything malicious, that still wasn't good enough to hide their tracks. These attackers were doing something even before going into the chain to hide their tracks even more.
For a while their connections were all coming from like a school teacher's home in Romania and then into the proxy chain, or it would come from some other house in Romania. And never for a long period of time. Their home base seemed to move all over the city. These guys were really good.
It was really challenging at this point, because at least at that time, the Department of Justice was very careful about the legal process that it issued. And we had to justify what we were doing, which was very challenging, because we would often get back what we would describe as nothing, because everything was encrypted, and, you know, I would have to go and make an explanation as to why it was beneficial to keep doing this kind of legal process.
And they would say, look, you're getting nothing. Why are you wasting your time continuing this process? And what we realized was these guys were so sophisticated that you just had to get all the information you could, all the time, for as long as you could, because you didn't know what was going to end up being helpful in the end. It was all about breadcrumbs.
The FBI continued to collect all the data they could. They had Liam feeding them data that was captured at Symantec. They had Eoin feeding them what he saw at AOL. And they were interviewing victims and money mules and logging as many chats as they could. I think they did a controlled buy and tried to talk with these hackers as much as they could. But much of this resulted in nothing, since it was all encrypted and obfuscated and wrapped in so many layers.
We were doing all of those things. We were collecting information from Romania. We were collecting it from Liam. Um I think one of the biggest breakthroughs came from Owen at AOL. So I'll let him talk about that.
Yeah, sure. So one of the members of the group was typing in his email address to log in on, like, gmx.de or 1&1 Internet. They did not use SSL at the time for the login. So when he typed in his email address, he typed in his personal email address and then went, oops, and then logged in with his, you know, quote unquote work email address. And so we have the same IP address, at the same time, within like, you know, ten seconds, typing in someone's email address and then this actor's email address.
Oh wow, what a tiny slip-up. In the year that Owen was monitoring this crew, this is the only time they slipped up like this. That's such persistence by the investigators. But also such discipline by the attackers. The attacker accidentally typed the wrong email address, and even though the login failed for that email, it was a curious enough clue for Owen to look further into it. The email address was raduspr at gmx.de. So, was there anything to find for this Radu SPR name?
And at the time, you know, Facebook was pretty easy for looking people up based on email address, and just, here he is. And then, oh, all right, pivot around. All right. Oh, they had YouTube channels, lots of skydiving. I think it was like TNT Brothers or something like that. Bunch of posts on, like, various forums for off-road vehicles and stuff in Romania and everything else. And it was just like, you know, pictures, everything you could want. And it's like, I don't know who anyone else is, but I'm pretty sure this is who this is.
So we sent AOL a search warrant for all of this data and, you know, they said, all right, this is a lot of information. Come on in and let's explain it to you as we give you that information. So we came in, I remember it was Stacy and Brian, and it was unbelievable.
Brian, the DOJ prosecutor for this case, was thrilled.
So what we started doing at that point was we had to use legal process. We did hundreds or thousands of different legal processes in this engagement, both domestically and abroad. And so once we had a sense of who one of these actors was, we had more information that we could provide to Romania. We did that through a mutual legal assistance treaty request, shortened as an MLAT. And they started going up and doing whatever they did in Romania to try and get us helpful information pursuant to this legal process. One thing we found was the existing process of MLATs back and forth was too slow for this case, because the criminals kept changing their infrastructure. So we had to work with our Office of International Affairs to create a faster process, or an abbreviated version of the MLAT process.
What they were doing is actually moving locations, right?
They were moving, well, we didn't know what they were doing. We just kept getting different IP addresses and different information. So what we discovered through Romania's response to our MLAT request was that there were three people that were communicating with each other, one of which was the person that Owen had identified, with encrypted communication. And we could not get through those encrypted communications, and Romania could not as well. We could see that in their home, on their non-criminal machines where they weren't encrypting all their traffic, they were going to cryptocurrency websites, and specific ones that we knew this group was focused on, but that wasn't really strong evidence. It wasn't enough to indict them or extradite them or anything else. It just made us think we had the right people. But for quite a bit of time at that point, we're like, all right, we think we know who the three people are, but we just don't, because they're encrypting everything, we don't really have enough evidence to extradite them or to indict them.
So at this point we're going on year seven or eight of this FBI investigation.
Right around this time, you know, we're in pursuit mode. Right. So we're trying to get as much visibility into their infrastructure. And around this time we get a data intercept on their systems that are controlling all their malware. So they had a multi-layer command and control infrastructure, where all the malware was reporting up to the first layer, and then that layer was forwarding on to a couple of servers that were hosted in different places. And we were able to, as a team, figure out where those servers were located. So we went with legal process, we got a data intercept on a couple of these top-level command and control servers, and we were able to see the communications for all the botnet, which meant that we got to see when they updated their malware, what some of their campaigns looked like, how they were loading additional plugins. So at this time, this group had a number of different lines of business. They were treating all these infected systems, and it was about 400,000 of these systems at the time, as a commodity, right? And every computer could do a bunch of different functions. We saw them instructing these computers to join mining pools and mine cryptocurrency for them. They could be used as proxies, and some of those proxies were sold on AlphaBay to other, you know, cyber criminals out there. They were doing some ad fraud. They were mining those systems for credit card information, which they then sold on AlphaBay as well, so they were AlphaBay vendors. They were replacing your internet browser with a custom version of their own internet browser, and everything that was done over that internet browser was uploaded to a couple of servers in North Carolina. And then we'd actually see them go and mine through all that data. So if they needed, you know, Bank of America accounts, they could jump in there and say, show me all the Bank of America accounts that I have login information to. They could go to Chase and issue a command to say, show me all the Chase data I've taken.
Whoa, so while the FBI is ramping up their efforts, the criminals were also ramping up their sophistication and streams of revenue. This has grown quite significantly from its meager eBay fraud with 6,000 infected nodes to now a worldwide plague of hundreds of thousands of computers infected, stealing everything they could, and selling everything that they thought was valuable. They were making millions of dollars now, and the FBI really wanted to stop them at this point.
But these guys were good. Really good. They had a sophisticated proxy network. They used PGP for all their emails. They used end-to-end encrypted Jabber chats when they were communicating with each other, and encrypted everything that they were sending back and forth between them and the command and control server.
The FBI couldn't even follow the money since it used a whole vast network of money mules that would scour the world. And on top of that, they were somehow constantly moving around in Romania, changing IP addresses all the time, so the Romanian police couldn't find them either. We're gonna take a quick ad break here, but stay with us because the FBI is not giving up.
This episode is sponsored by NetSuite. Every business is asking the same question. How do we make AI work for us? Sitting on the sidelines is not an option because one thing is almost certain. Your competitors already know how. No more waiting with NetSuite by Oracle. You can put AI to work today. It's a unified suite that brings your financials, inventory, commerce, HR, and CRM into a single source of truth.
That connected data is what makes your AI smarter. It intelligently automates routine tasks, delivers actionable insights, helps you cut costs, and make fast AI-powered decisions with confidence. From software and IT services to healthcare, equipment manufacturing, financial services, and many other great American industries, NetSuite delivers a customized solution for your business.
If your revenues are at least in the seven figures, get their free business guide to demystifying AI at netsuite.com slash darknet. That guide is free for you, but only if you go to netsuite.com slash darknet. NetSuite dot com slash darknet.
This episode is sponsored by Chainguard. $50 in tokens. That's how much it took for an AI to autonomously find, confirm, and exploit a remote crash bug that has been sitting in OpenBSD for 27 years.
That's the work of Mythos, the AI model Anthropic unveiled earlier this month. This is the security team's new reality. Attackers are using AI to weaponize code faster than any team can review it. Your scanners can tell you something went wrong, but by then it's already too late. You can't patch your way out of a broken trust model. Chainguard solves this at the source. Chainguard's libraries and container images are built from source, verified all the way down, and carry near zero CVEs.
If something goes in, they can prove where it came from. And right now they're offering Chainguard Libraries and Actions free until the end of the month. Zero malware on all the libraries you and your AI agents use. The next attack is already being written. Go to chainguard.dev to get ahead of it and to build safely with trusted open source. That's Chainguard dot dev.
Liam over at Symantec kept watch over what was happening on the wires, and at one point he saw a scam happening in progress.
I reached out to some people who were about to become victims, because I was able to see their information as the auction was in progress. And I saw their telephone number and I called them and I said, you are being victimized. I'm calling you. I'm not trying to sell you anything. I'm telling you now you're about to get scammed because of this auction, and they wouldn't believe me. They would think I was trying to scam them, and then they would go ahead, and I would see that they had continued and they had bought the fraudulent car even though I'd actually warned them.
I'm sure you've heard the phrase that in cybersecurity, the defenders have to be right all the time, but hackers only need to be right once to get in. But in this scenario, the hackers were essentially on defense since they had to be super careful not to reveal anything about themselves because one slip up and the FBI would swoop in on them and it would be all over.
What we were doing was we were waiting for their one slip-up. We were getting mountains and mountains of data and we knew that they were protecting themselves, but they couldn't be right all the time. It's so difficult to be right all the time and to have fail-safes everywhere.
And eventually they did make those, like, tiny, tiny slip-ups. It was like, you know, one ten-second period out of three years of monitoring data that, you know, broke the case. So it was, yeah, it was incredible.
And that's what Brian was referring to earlier when he was talking about, you know, we're doing all this legal process. And we're at that time getting some pushback on why are you continuing to capture all this data? It's because, yeah, it's all encrypted and we're not getting a lot out of it, but we have to continue capturing it, watching for those one little mishaps where they make a mistake. That's the only time we can get information that is gonna reveal to us who these people are.
And at the time we had the largest data intercept in the Bureau.
For this case.
For this case, because all the command and control traffic was going through these servers, and we had to keep re-upping because we were getting little snippets here and there. Occasionally we'd catch them emailing a new email account that we hadn't seen before, and that turned out to be one of their money mules. And their OPSEC wasn't nearly as good as these guys' OPSEC. So we were able to start to pull that thread back and work different angles. We had to go brief the Deputy Attorney General during this case because we had done a T3, and the Department of Justice, you know, that's such a big legal process that they don't like to use it, especially for long duration. So we had to justify that we're seeing all this encrypted traffic. We are seeing mistakes occasionally, but we had to basically go talk to the DAG and say, hey, this is why we need to do this.
The reason we had to talk to the DAG, if I remember correctly, was this was the first time in the history of the Department of Justice that we did a wiretap on a server. Previously, you know, wiretaps were invented because of phones. You would listen to the mafia talk to each other, you'd listen to the narcos talk to each other, and they're like, wait, this is a computer. Why would you even do a wiretap? And there were arguments that we didn't even have to, but we wanted to have belt and suspenders. We didn't want to make any mistakes here. And because we were getting contemporaneous electronic traffic through the server, we wanted to have a wiretap. But this confused a lot of people in the Department of Justice who didn't quite get it.
Whoa, these guys are really taking this case seriously. They had a T3 wiretap on the command and control server, which happened to be in North Carolina. T3 is short for Title III, which is where they have to get authorization from an attorney general who grants them approval for the data intercept. In this case, the hosting provider for the server was shown the T3 and was able to put a tap in and give the FBI full captures of everything going in and out of that command and control server.
But that still didn't help because it was all encrypted. And these Title IIIs expire after 30 days. So they had to keep renewing it again and again and convince the attorney general that they still needed to keep it active, in hopes that someday they'd see something that would give them the smoking evidence to arrest these guys. But month after month they were not finding anything important.
We also had a Title III on one of the main email accounts as well. So we were watching the email coming through too, and even though the body of the email was encrypted, the email title, the email headers, were not. So we would get the title of the email, and that was the only information that we would see, was just the title.
You said that, you know, normally the bad guy only has to be right once, and that was sort of flipped around. But that's potentially to identify them. Remember that in order for us to indict them, extradite them, and then, if they want to go to trial, which these cyber criminals almost always do, we had to be able to prove guilt beyond a reasonable doubt.
And these cases are a lot harder to do that with than with a standard case because you gotta remember you're dealing with a jury. So ultimately it's not like you're gonna be able to go to trial on one mistake. You're gonna have to build a body of evidence.
So they were using an email service that we were able to gather information from as well. And so we literally had over 16,000 emails that we had to sit and review, every single one, pulling out victim information, pulling out money mule information and information on money transactions, and gathering all of that data together to be used later on down the road in trial.
Most of their emails were PGP encrypted, right? And Ryan explained to me, 'cause I believe the FBI can do anything if they want to. So Ryan explained to me that PGP stands for pretty good... pretty good price.
Crap.
Pretty good privacy. And so I said, Ryan, it's only pretty good. Could you get through that encryption? And Ryan said, no. You're not putting the right emphasis. It's pretty good privacy. That's how you should be interpreting that.
I also told Brian that I'm only moderately good.
At some point Liam found something incredible. He was continually capturing all the data through the node that he had sneakily set up in their proxy chain, and they were using Jabber to send messages between each other. And they had enabled OTR, which is end-to-end encryption, on their Jabber chats, so all Liam could see was that someone was saying something over that port, but he couldn't see what they were saying.
So Jabber is encrypted and there are different settings that you can use, and by default the setting for attachments doesn't default to encryption. So your text, all the messages that you send, are encrypted, but attachments are not encrypted. And that was the mistake that they made.
They were talking to each other and we couldn't see what it was that they were talking about. But if they sent an attachment, like an Excel spreadsheet with all of their accounting in it or a picture of their desktop, that was not encrypted, and we could extract that from the network and we could see what it was.
Yeah, that being said, the majority of the attachments they sent were encrypted. They just occasionally, you know, they're human too, forget to encrypt something, or, you know, something doesn't work right.
Whoa, this is something I did not know. That if you take the extra steps to add OTR to Jabber in order to encrypt all your messages, it still doesn't encrypt attachments? And that's a whole separate process to enable, and apparently it's extra tricky to do. And it's interesting because these guys were clearly making every effort they could to stay hidden, and they still couldn't reliably keep their stuff encrypted.
So many places for your data to leak. And so one day Liam saw an attachment which wasn't encrypted, and it was a gold mine for this case.
see them transferring spreadsheets, talking about all of the transactions, how much money they were making, who were the victims, what were the credit card numbers of the victims, what were the home addresses of the victims, what money mules they were using, the identity of all their money mules.
This was huge because it listed each of the members of this group and how much money they each made. Here's what it said. Member MF got 25%. Member Lynx got twenty-five percent. Min got to take ten percent. Amy took twenty-five percent, and Raoul got fifteen percent. This essentially showed how many members were involved, and their abbreviated nicknames. They even took extra steps to obscure their hacker names. Like, later they would find out that Amy stood for A Mighty SA.
And by this point, the FBI also stood up an infected machine in their office to watch some of this traffic too. And it's remarkable to think that these criminals were feeling clever and thinking they were super sneaky and laying low. While in reality, a lot of their traffic was being routed right through the FBI's office. But that wasn't all Liam captured. He saw another attachment sent over Jabber.
A picture of their desktop that they had transferred between each other. Two members had transferred it between each other, and they were trying to figure out why something wasn't working with their malicious campaign. So one of the Bayrob members had taken a screenshot and had transferred it to another one, but they had actually gone through my proxy machine at that time, so I could see this. They were using encrypted chat, actually, so I couldn't see the chat, but because the pictures that they sent in the chat were not encrypted, I got this rare opportunity to see this image get transferred across, just like flash across my network. And when we decoded it, we saw that it was the attacker's desktop, and he was inside a VM, and then he had his control panel, his attacker's control panel, on the desktop, and he had a Facebook campaign that they were using to try and find victims on the desktop, and he was running that campaign through a hacked account, so he had the hacked account information there as well. And we could see how many machines they had infected, and we could basically see the entire fraud campaign from beginning to end, right in that one screenshot. And it was just a total encapsulation of all their fraud in one picture.
The screenshot is incredible for this case. You can see this guy's desktop. You can see he's logged into a victim's Facebook page. You can see he's posted an ad, work from home, to try to recruit a money mule. And you can see the command and control server in the background. You can see he has chats open with somebody called Master Fraud, which is interesting because MF was one of the people getting 25% of the cut. So now they start linking: MF must be Master Fraud. And they could also see he's encrypted his computer with TrueCrypt, since that was a process running in the background, which might be helpful later.
The challenge that we had was there's all this encrypted traffic. We think we have the three guys, but we can't get any substantive evidence connecting any one of them specifically to the scheme, other than the first mistake. And that's when we found out that one of the other two had decided to travel to Miami, to the United States.
And this could only be because after ten years of committing this scheme and nobody knocking on their doors, they felt like they were pretty secure at this point. They had really amazing OPSEC, as Ryan mentioned. And this particular guy, whose name was Tiberiu Danet, had competed in international programming competitions, and had even had an internship at Google in the U.S. before he switched over to crime. So he had friends in the U.S., and we got advance intelligence that he was gonna come to the US.
Arrest them on site.
Well, that was our initial thought, but we knew if we arrested him, first of all, we didn't have enough evidence yet. But even if we got that evidence while he was there, if we arrested him we thought the other two would flee and we'd never see them again. They would go to Russia or somewhere else where we couldn't get them.
When he was coming into the country, we actually had no technical information tying any one of these individuals to the Bayrob infrastructure. The Romanian National Police had very similar data intercepts upon their homes, and guess what they weren't seeing? Any connection to the Bayrob infrastructure. They weren't talking to the servers, they weren't talking to the proxies, they weren't talking to Tor off of their home internet connection.
The whole ISP was clean.
There was a little bit of encrypted traffic that we couldn't explain, but there wasn't anything that we could do with it.
So I like to refer to what Brian's talking about when this guy comes to Miami as Christmas in May. We were so excited.
Ha ha ha.
For this to happen, we only had, I think, about maybe a ten-day lead that he was coming to the United States, and we had to put together an operation to gather as much information on him as we possibly could when he was here, and we had ten days to prepare to do that.
So we decided to get a search warrant. We didn't need a search warrant technically, because there's a border exception. What we wanted to do is when he came across the border, we wanted to search all his digital devices. And we were hoping he'd have a lot of digital devices on him and that this would break the case. But the exceptions to the search warrant requirement were really under attack at the time, and continue to be, in part after Snowden, in part a number of events that were going on. So we didn't want to rely just on an exception to the warrant requirement, especially if we had time to get an actual warrant. So we did get an actual warrant, and maybe you guys could take it from there.
Yeah.
Did you go to the airport?
We did, yes. We were down in Miami, both of us, with a whole group of support people from the Miami division as well as from FBI headquarters. As Brian said, we were gonna do a search warrant on every device that he had. We were hoping it was gonna be a lot of devices. It ended up not being very much. He did not have a laptop with him. He had his phone and a camera. And I think that was it.
And we had a full surveillance team on him. Yes. And he was coming into the country with another individual. So from the time he stepped on US soil, we had a team that was essentially tracking his activity to see if he was making any contacts or did anything that would indicate he was part of this group.
So the FBI gets short notice of him coming to the US and scrambles to come up with a plan and to meet him at the airport. What they wanted to do is look through his devices to see if they could find any evidence of him being involved with this Bayrob group in order to lead to an arrest. They thought if they interrogated him, that would spook him, and he'd tell the others and they'd all go into hiding.
So the plan was to somehow get a hold of his devices and search them without him knowing they got searched.
So the Border Patrol was actually the ones that, you know, sat down. They have to do their interview when you come through. CBP has to interview you. So they did an interview with him and kind of made it take a little bit longer, but they collected his devices and then provided them to us. We were sitting in a back room. He didn't even know there were approximately thirty people in this back room, all because of him, to review his devices, to image his devices.
So Customs and Border Patrol did an interview with him, collected his devices, passed them to us so we could then have our computer forensic examiners image his devices. And he had no idea.
And then they gave it back and he left the airport without knowing everything was copied.
He did not know, but he was pissed enough and realized that he wasn't gonna make this mistake again. So he was communicating with the other members of the group through an encrypted messaging app, Jabber, but it was saving logs. And he changed that after this whole incident. He didn't think he was identified, but he's like, let's stop recording those logs. And he changed his password on his phone to the Romanian for "US Customs can blow me."
Wow, so the FBI took full forensic snapshots of everything on his phone, and he had no idea they were there. And then they tailed him the whole time he was in the US like ghosts.
And so he was here in the United States for, I believe, about twelve days. So we had him under constant surveillance almost that entire time. And he wasn't just in Miami. So he landed in Miami. They were in Miami for a couple of days. They went to DC for a couple of days, then they went up to New York and then ended up in Boston. And we knew he was gonna end up in Boston 'cause that's where he flew out of.
They took a look at the data they got from his phone.
🎵 Music
Stacy and I are in the Miami field office reviewing this almost immediately. Because this is the best opportunity we have to actually get some visibility that we can tie directly to an individual who we think is a member of the Bayrob group. And we're rolling through this phone, through all the data, and we come across the Jabber chats. And for the first time ever, we actually find communications that were encrypted but are decrypted, or unencrypted, on the endpoint, on his phone, talking about Bayrob group operations. They're talking about crypto mining and how much they're making a month crypto mining. He's talking to the head of the group, who's in Romania. At that time they were making about six thousand dollars a month mining on their network of infected systems.
That's Master Fraud?
Master Fraud, yep. Incredibly technically gifted cyber actor out there.
And by the way, I always wanna tell people, when you're naming your criminal character, when you're giving your criminal alias, it's best not to name yourself after the crime, because it may sound really cool at the time, cool to all your friends, the other group, but when you're eventually caught, and you will eventually be caught, it dramatically limits your available defenses. So here it limited his defense to: Master Fraud? Who? I had never heard of any Master Fraud. You can't argue at that point that this wasn't fraud. Everyone understood what we were doing. No.
Brian and Stacy were able to look through the chats which were logged on the phone that they got a snapshot of, and most of what they saw was benign, nothing to do with this Bayrob malware operation at all. But because Ryan and Stacy knew this case very well, they would spot tiny clues. Like MF was mentioned every now and then, very rarely, and they knew MF was short for Master Fraud, one of the leaders of this organization.
So little things like that would start to make them see the network of who he's talking to. And another thing they found were chats mentioning a file name that they knew only existed on that command and control server that they had access to. So this linked him to knowledge of that command and control server.
We have a direct tie from this individual to Bayrob group operations, and we know we've got the right people.
So at that point we could have arrested him, while he was in the US. So this was a difficult decision, because he was a high-value target. We figured of these three people he was probably the second most important. But Master Fraud was still in Romania. And we knew if we arrested him, Master Fraud would flee, or we felt like that was pretty likely.
They hoped they can eventually capture the whole gang, or most of them at the same time. So they let him leave the country.
We let him leave the country. And part of the reason we felt comfortable doing that was we had worked with Romania for so long at this point. I personally had been to Romania something like seven times. And so we knew that we could work with them to successfully extradite.
Just for this case, yeah. So this is where it started getting exciting. Because Danet was here and we got that additional information from the Jabber chat log, we were able to go to grand jury, get this indictment, do an extradition package to Romania. And then I think both of you went over there, correct? As part of the arrest and takedown.
Yeah, we both went, along with, we took four computer forensic examiners with us as well. So there was a team of six FBI over there.
They had identified the names and addresses of the three main men behind this Bayrob malware campaign. Bogdan Nicolescu, aka Master Fraud. Tiberiu Danet, aka A Mighty SA. Radu Miclaus, aka Minolta, aka Radu Spr. The goal was to arrest all three at the exact same time so none of them could tip off the others. So the FBI and the Romanian police had to split up.
Yes. Yeah. So all three of them were in different locations. So we had to split up, and so, yes, Miclaus had unexpectedly left town. They thought that he would be, I believe he was living in Brasov also, where Nicolescu was living. And so they expected him to be there, but he had left town like the day before and had gone to visit his grandmother in a completely different city in Romania.
And so they had to figure out where he was and do surveillance on him, and then they stopped him in his vehicle on his way back to Brasov.
Stacy, you were in Bucharest and I was in Brasov, which was where Nicolescu had a home at the end of the street. And we were there when RP made entry into the various locations that we had.
So what's it like going in their house and collecting that stuff?
It was very different. They have a different process than we do. So I think we found it very interesting to watch the Romanian National Police and see how they do things, how they collect evidence, versus the way that we do it. And then because we were there, the nice thing was we were then able to, a couple days later, take all of the evidence with us and take it back to the United States with us.
So they caught them and they took all their devices back to the United States. But the Bayrob gang was still in a jail in Romania. We're gonna take an ad break here, but stay with us, because the next step is to get them to the United States and to prosecute them.
This episode is sponsored by Maze. Security teams are drowning in vulnerabilities. 40,000 common vulnerabilities and exposures, aka CVEs, dropped in 2025 alone, with attackers being able to exploit new vulns in days, not weeks.
Our backlogs are a ticking time bomb. Engineers do not have enough time to manually triage them all, but what if they did? That's the question Maze was created to answer. Maze uses AI agents to triage and remediate cloud vulnerabilities. Traditional vuln scans use rigid rule sets like: if a CVE is on a publicly exposed asset, make it a critical. But that's silly. Maze's AI agents investigate every vulnerability in your cloud the way your best security engineer would, figuring out what's actually exploitable, not just what's theoretically risky. They remove the noise, prioritize the vulns that matter, and manage remediation so your team stops wasting time on meaningless vulns. So check out Maze at mazehq.com/darknet to learn all about AI vulnerability management that works. That's Maze, spelled M-A-Z-E. mazehq.com/darknet.
So the FBI searched the homes of this group, and they were really hoping to catch them in the act with their computers open so they wouldn't have to crack any passwords or unlock computers. But when they entered the house, all the computers were off and locked.
But as they looked around, they were able to solve one of the mysteries they had, which was how this group kept moving around with their IP addresses so much, sending the Romanian police to the wrong address so many times. One of the things they found was these large directional antennas.
What we realized with these directional antennas, which made for great trial exhibits, was that they were never using their home internet when they were involved in criminality. They would hack into another account in Bucharest. And Bucharest is a very big city. It'd be like doing it in Manhattan.
And so every time they would just hack into a different person's home Wi-Fi, and that would be the start of their proxy chain. They would start there, then, at least towards the end, as Danet explained it to us, they would go to Tor. Then from Tor, they would go through their proxy chain, which was typically one to three infected computers.
And then from there, they would go to America Online where Owen was seeing them. And then from there, that's when they would use commercial uh ISPs like Google, Facebook, eBay, et cetera.
So the way they were operating is they would actually meet up and everybody would essentially get a standard build. So their laptops were all built out the same way, and Nicolescu would configure them to be essentially, you know, the cybercrime package, which means multiple levels of encryption. So they were running Linux with LUKS on it, and then they had a couple of TrueCrypt containers on it. And then Nicolescu had written his own encryption software, because TrueCrypt was no longer being updated.
So that's five layers of encryption.
It was per laptop. Yeah, four or five different layers. And everybody in the group got the same package, essentially. And that was not the extent of it; they also got some networking gear. So each of them got a custom-flashed router, and that custom-flashed router would allow them to proxy their traffic between their different houses. And their operational security was that their first hop from their house was using a directional Wi-Fi antenna to the internet.
And that individual, say Nicolescu in Brasov, would establish that on the custom-flashed router. And then he would communicate to the rest of the group that his router was set up, and everybody would tunnel the group's traffic through that stolen Wi-Fi, through the router at that location, and then they'd switch the router the next week to another individual's home. And that was why we were seeing the encrypted traffic between the two locations that we couldn't explain. It was their tunneled encrypted traffic that was then being sent over stolen Wi-Fi using the directional antennas, then to Tor or a proxy network, then to infected systems, then up into the command and control. So again, you know, they were doing a pretty good job of hiding their tracks.
So when I was seeing IP addresses that I thought could identify the address of the attackers, it turns out they were using directional antennas to steal their neighbors' Wi-Fi. So the addresses that I was seeing were very rarely their actual home address, and I had to look at the data very, very carefully to understand when they had slipped up and weren't using their neighbor's stolen Wi-Fi, but were actually using their own home IP address by mistake. And those slip-ups are very, very rare.
The FBI wanted to prosecute these three in the United States, but in order to do that, they had to convince the Romanian police to allow them to extradite these three to the U.S. to face trial there. But in order to get extradition approval, they had to have clear evidence as to who everyone was in this case and what they did.
'Cause it might not be necessarily clear to other people that, you know, when we're indicting this group, we can't just say, this is the group and they did all these things. We need to be able to say, this person is MasterFraud and this person is Amightysa, and these are the roles that each individual played within the group. And so for a long time, yeah, we knew who the three people were that were running everything, but we could not say which one was which, as far as their criminal moniker was concerned. And so it wasn't until we got Danet's phone, and Ryan was able to connect his login activity with his vacation time, that we were finally able to say this person is this person, and this person is this person.
Yeah. Seamless with Romania because of all this background work we had done. So this was amazing. We got them into the US in a couple of months.
They get the three guys on US soil and then go in to question them. First they start with Danet, aka Amightysa. They show him all the evidence they have against him and basically said, look, you're definitely going to be found guilty. We have a ton of proof. But if you plead guilty, we'll try to get your prison sentence much lower.
So Danet ends up pleading, and we confronted him with the evidence during a proffer session. And during our investigation, one of the things we did with the evidence collection is we had really good visibility into when they were logging into and logging off of all of their criminal accounts. And we didn't know it at the time, but this information ended up being incredibly valuable, because it established this pattern of life
for all the different actors. We could see when they were online in their criminal accounts and when there were large gaps. And when we were able to get Danet's personal computer and search that, we found he liked to travel. He vacationed a lot, and he also took photos of everywhere he went. He was an avid photographer.
So we could see through the photo metadata when he was in these certain locations, and then we overlaid it with all the criminal account data, and you could see that every time one of these accounts went dark, Danet was on vacation.
He logged on faithfully to the criminal account multiple times a day, every day, except for the exact periods of time when he went on vacation. And there were something like thirty vacations. And I remember we talked to him, and we created a spreadsheet, or a diagram, to show this. And I said, like, you know, look, if there were five overlaps with vacations, that would be curious.
If there were 10, hmm, something's going on here. But with 30, you are the guy. You are Amightysa.
And Danet told them a lot. One thing he said was how many other members were involved in this back in Romania. And as it turns out, he listed six other members and what roles they had. This was huge for the FBI to paint a full picture of this group, each member and their operations.
Okay, so Danet pled guilty and he was sentenced to ten years in prison and was cooperating. The other two weren't talking, and they were just sticking to their not guilty pleas. So it meant that this case was gonna go to trial. Now you would think the hard part is over for the FBI and the prosecutors can take it from here, but the opposite is true. In the month before the trial, the FBI had to work harder than ever.
Well, to explain how this process works, we all worked probably thirty straight days. You know, my wife at the time... So I've got fifteen-year-old triplets, and she's from Colombia, and I told her, listen, for the next month, month and a half, I'm not going to be at home. I'll be at the office pretty much the entire time.
She takes the kids, heads down to Colombia, and that's the same for all of our families, right? They didn't get to see us. We were in the office. A 10-hour day was probably a short day. This is go time.
Because now the FBI had to convince a jury that these men are guilty beyond doubt. But it's always very tricky to present electronic evidence to a jury, since a lot of times they aren't very tech savvy or don't know what this evidence even means.
And I gotta say, at the end of the day, for the jury, the most important piece of evidence came from the fact that Danet, when he was cooperating, told us everybody else who worked with the Bayrob group. And we talked with Stacy and Ryan, and we decided that there was not enough evidence to indict any of those people, because we couldn't just indict 'em based on one criminal saying these are the guys, 'cause the jury is not necessarily gonna believe a criminal.
So Stacy said to me, well, why don't we just go over to Romania and talk to them and try and get them to testify? And I said, well, why would they come to the United States and risk being arrested to testify when we don't have any evidence against them? And Stacy brought up the good point: they don't know we don't have any evidence against them. So Stacy and I went back to Romania right before trial, and we ended up flipping, what was it, five out of six? Yeah. Five out of six.
All three of us went back. Yeah, and we flipped five out of six of 'em.
Five out of six.
And they agreed to come to Cleveland and testify at trial.
And what's in it for them?
So again, they didn't know that we didn't have enough evidence to include them.
To be honest, we had a lot of information on them, right? So we knew that they were involved, we knew what their roles were in this, because we had a number of individuals at this point in time that were telling us that they were involved, what their roles were and what their criminal monikers were. So we did know what accounts they were using and what their job was within the group.
But at the time we didn't feel... I mean, we could have tried to indict them, we could have extradited them. So it wasn't an empty threat. It was just we didn't feel like we had enough, because in these cases, we really only indict and extradite folks when we've got a really bulletproof case.
Your track record is a ninety-nine percent conviction rate.
And they have to have had a significant role too. We're not gonna just necessarily indict everybody who did anything. And so basically we talked to these people individually, and they believed that cooperating was in their best interest. And a lot of them felt really bad about what... 'cause
a lot of them had moved on at this point. It took so long to do this case. A lot of them now had kids and had a regular job, and were so embarrassed. Some of them were crying when we were talking to them, and not because they were scared of the consequences, but I think because they were humiliated by the fact that they had done this and people now
So what's the option you give 'em? Like, can you come testify, please? Or come testify or we have...
No, I'm gonna jump in on this one. There was no quid pro quo or anything. It was purely optional. We didn't make any promises to them. They had to believe that this was in their best interest, or just want to do it out of their own
Um so it's just a matter of, hey, come clean.
Well, it was ten years later. They all remembered waking up and Nicolescu and Danet and Miclaus being gone, and word starting to spread, and everyone freaking out there, because there weren't too many extraditions from Romania to the US. I think cyber criminals in Romania felt like
the worst thing that could happen was they'd be prosecuted in Romania if they were caught. And in Romania you kinda got a slap on the wrist; you wouldn't spend much time in jail. So this was like seismic when these arrests happened in Romania, and they just wanted to curry favor, I think, at that point. They wanted to be helpful. They didn't want to risk any bad things happening to them.
Now, even though they had seized everyone's computers, they still couldn't get into them. Because remember, each computer was wrapped in five layers of encryption. First was this boot integrity thing, making sure that there were no hardware changes, and setting it up.
Then they would use LUKS to encrypt the Linux partition. Then there was a custom layer of encryption that MasterFraud wrote himself using SSE. Then there was a TrueCrypt container, and then there was another TrueCrypt container. And keep in mind that every layer has its own unique complex password to decrypt.
And once they got through all that, then you would boot into Linux, and then finally there were these virtual machines that they would load, and that's where they would do the work from. I think it took like five or eight passwords just to log into work every morning for these guys. It's incredibly impressive.
MasterFraud. He programmed in assembly language. So, very unusual character. And when we got these computers and Danet explained to us what we were seeing, not only was it this multiple levels of encryption; MasterFraud had come up with himself a kill switch that would enable him to press a single button and encrypt the whole machine, and if he didn't decrypt it within a certain amount of time, it would just wipe the whole thing. He created his own software-based keylogger.
So if the FBI or Romania had put something in the computer, it would have detected and alerted on that. So, you know, he was off the charts compared to what we see, even at CSIPs, where it's all very advanced.
So these systems were all configured the same, and they had similar tool sets and the same kind of encryption everywhere. So when Danet pled, he actually was able to provide his password for a couple of layers of his work platform. So we were starting to be able to essentially peel back the layers of encryption and see what was in each layer. So we'd peel back the first one and we'd get into the Linux operating system that they were using, and we saw that there was some source code for encryption software, the container software that Nicolescu had written. We'd come across a couple of additional TrueCrypt containers, and we could unpack some of those.
And we were doing forensic analysis on these systems, and sometimes we'd be able to find a mistake where they left a password somewhere, or we were able to get in because somebody would tell us what their password was. I remember one of the passwords was "pizza kitchen" in Romanian, backwards. That was his password, and it was like a 15-letter, or maybe longer, password, and it needed to be in concert with another password, and we only got so far.
So we could only get so far through that encryption, because they had been in jail for a bit after being extradited and their passwords were extremely complex. And we could never, never get in past the layer that Nicolescu wrote. I had actually gone to Quantico; we have a lab there that specializes in helping in these highly advanced technical situations, and we brought the source code out there, and they analyzed it, and we spent a lot of time trying to break into it. And, you know, everybody will say the first rule of encryption is don't write your own. But in this case Nicolescu was so good that he wrote a pretty solid piece of, you know, encrypted container software.
Wow, so even the FBI couldn't crack into these machines. And they even tried to crack the passwords by brute-forcing, but the way SSE and TrueCrypt were set up, they worked in tandem. So the FBI would have to crack two passwords at the same moment to get through those layers, and that made this astronomically more difficult.
But one of the things we learned is these computers still had value even if they were completely encrypted. So at trial, we were able to show Nicolescu's tower, which had hard drives that you could just pull in and out like in a data center, which was not what a normal person would have. And we were able to have the FBI testify: yes, this was on his desk. This was the tower when we came in there. And, you know, we've used all our tools. We are not able to decrypt any of it.
And that's pretty powerful when you have all this other evidence that this guy is master fraud, because you know the jury's looking at this enormous tower of hard drives. They know this is nothing like their home computer. They know the FBI with all its power can't get into it. And they're thinking, all right, there's something's up here.
With a list of money mules, and money muling being illegal in the United States, were you going around and arresting all these money mules?
So we did have conversations with a lot of the money mules, and many of the money mules were arrested by their local police. We did not arrest any of the money mules or prosecute them.
Yeah, so at trial we had some of the money mules testify. And they were victims as well. In fact, in some ways they were the most scarred victims, based on their testimony. First of all, what the Bayrob group told them in many cases... they would place advertisements for them on Facebook, on... Their machines tended to be infected as well. So when they would go to Yahoo or Google, they would see an advertisement for a wire transfer agent. And so they thought this was legit.
And what the Bayrob group would tell many of them was that when Americans go and travel in Europe, they often get mugged and lose their passport and lose their money. And so what we do is we help relatives get them money quickly. And so these people thought they were actually doing something good, that they were helping out. And I will never forget when one of the most prolific money mules testified at trial, and the defense attorney tried to cross-examine her and make her... you know, he said, well, you're calling these people victims now, but you didn't see them as victims then. She absolutely exploded, because she said, I was so embarrassed, this is like the worst thing that's ever happened in my life, I never knew, I didn't mean to do this, et cetera. And as he was coming back, he turned to us at the prosecution table and said, one too many questions.
We took all the evidence that we had collected over this entire case. We took all of our victim complaints. Stacy and I went through all the IC3.gov complaints. We went out and interviewed hundreds of victims, I felt like, at the end of this, and had some of them come testify at trial. We had a search warrant on a couple of the command and control systems, and I had actually stood up a copy of that command and control server in our office, and then I invited Liam to come out, because he had done so much of the technical analysis that we needed another expert set of eyes on what we were seeing.
How much money do you think they made?
So we had hard numbers that they defrauded people out of four million dollars. Yeah. Well, in total made four million dollars.
At least four million. We had identified over a thousand US victims.
A thousand victims.
Just on the eBay fraud alone.
What we had estimated they'd made over the entire length of the operation, because they'd been operating for ten years... and we didn't have accounting for all of those years, but we could see a lot of the output, and we were able to estimate over the given period that it was about forty million.
And then how big was the botnet?
The botnet reached a maximum of about four hundred and fifty thousand machines, and at any one particular time they had hundreds of thousands of machines operating.
That was other key evidence, by the way, because once we arrested them, the botnet stopped.
Well, and I was gonna say, one of my favorite moments in this case was actually... you know, we had been watching this group for almost ten years and had identified, like I said, over a thousand victims of eBay fraud. And so it was so frustrating to know that this was continuing to go on year after year after year. And then finally we were in Romania when they arrested him. And the day after we arrested him, I turned to Ryan and I said, MasterFraud is in jail right now. Like, it's done. We have stopped the fraud and the victimization.
Okay, so you bring all this evidence. What does the defense bring?
Well, so the defense's main defense is the most common defense that you typically see at the Department of Justice, which we refer to as the SODDI defense, which stands for "some other dude did it." Which I would refer to as the SORDDI defense in this case: some other Romanian dude did it.
So that was their defense. They didn't put on witnesses. They challenged our evidence, and, as you would expect in a case like this, argued that there was insufficient evidence to say that these were the guys.
This jury was mostly retired, and a few people didn't even own cell phones. It was gonna be tricky to present all this evidence to them.
Owen's doing traffic analysis, you know, Liam's doing reverse engineering. We have Title III data intercepts on the command and control infrastructure. We're addressing topics like encryption and crypto mining and being a vendor on the dark web to, essentially, folks that are not cyber savvy. And frankly, the entire team did a great job of taking this complex evidence and making it relatable to the jury and understandable. A lot of what we did was truly education: what we had and why it was important, in very common terms.
And they did it. They were able to convince the jury that both men were guilty.
They were found guilty on all counts. Danet, consistent with the plea agreement, was sentenced to ten years in prison. Miclaus was sentenced to eighteen years, and Nicolescu, who was MasterFraud, was sentenced to twenty years.
Wow, 20 years? That sounds like a lot.
These are tremendous sentences for a cybercrime case. What you gotta remember is the judges who sentence, and it's the judge who sentences, not the jury, they sentence for all kinds of cases. They see terrorism, they see murder, they see all these crazy cases. So at the end of the day, a lot of judges are like, well, you know, this guy hacked, we're talking four million or forty million or whatever the case may be.
It's not a billion-dollar Ponzi scheme. Nobody died, so I'm gonna give 'em a couple of years. We see that all the time. And so it was only because, I think, we had so much great evidence. We had so many victims testify about how it impacted them, the money mules, and the scope of the crime. And we were also able to show that these guys weren't just doing their criminal job; they were really sadistic. They really wanted to hurt the victims. For example, they developed one phishing email that was supposedly your HIV test result. And when you clicked on the link, you were positive. It's like, why would you do that?
Yeah.
You know, I mean, you're freaking people out way more than even the value of the money. And so I think the judge realized this was a serious group. It was a serious threat. If they get back out there, they may just start up again. And so we felt quite good. Those were some of the highest sentences you'll ever see, or at least as of that time, in a cybercrime case. And even today it's pretty rare.
Yeah, I think the other thing that is sometimes lost in this is that, you know, each one of these victims... this does something different to each one of 'em, right? So any one of us may lose, you know, seven thousand dollars, and we'd, you know, write it up to, man, I made a huge mistake there. But the folks that were being victimized here, you know, they're folks that really couldn't afford an extra $7,000, right? They were buying a vehicle to get to work, some of these victims. It caused a lot of strife in their relationships, where, you know, one person in the relationship said, no, that sounds like a scam, don't do it, and they did it anyway, and they lost it, and it started kind of a downfall in that relationship. We had some folks that were divorced over this. We had
What was that for?
Well, because they basically disagreed, and when they lost the money, it caused such strife in the relationship that they... essentially.
Wow.
And I wanna be clear, though, like, you could be very smart and still fall for this. So two things I wanna make clear. I don't know if it was clear from the background. When you went to eBay, if you were infected with the malware, it would make it appear that eBay had an escrow agent protection program and you were sending the money to an eBay escrow agent who would only release the money once you got the car and were satisfied with it.
That was all just the malware. It was a money mule. But anybody would see that and think, all right, that sounds very safe.
The URLs would say eBay even. Just all malware.
Exactly.
That's really sophisticated.
And one of the victims who testified at trial was a used car salesman, like someone who had a dealership, who would buy cars online all the time. And he fell for this too. He had a very lengthy chat with the Bayrob group, not knowing it was the Bayrob group, about this escrow agent program, 'cause he hadn't seen it before. They must have stayed on with him for an hour to convince him that this was real.
And then ultimately he fell for it. And I think that helped, that the jury, you know, looked at this guy testify who was victimized as a car dealer and were like, oh, well, if he fell for it, I would.
And with that, the FBI investigation and prosecution was over. All three of the main people involved were arrested, found guilty, and put behind bars. Wow, what an investigation.
We've got a ton of people to thank for this. So first of all, the Cleveland Field Office was with us all the way. So our cyber squad, our organized crime squad; we had great supervisors that supported us. We had great executive management, fantastic analysts, our computer scientists, our...
Feels like a lot of interns were going through a lot of data there.
Not so much. I mean, these are all professional folks that are doing this. You know, we typically don't have interns on our squads. And so we got a ton of support from the Miami field office. We had Customs and Border Patrol, the US Attorney's Office.
Including Duncan Brown, Brian McDonough and Omiculcarney, in addition to myself.
And then of course Symantec and AOL were hugely instrumental.
eBay was helpful, as were a lot of the brands whose trademarks these guys mimicked in order to trick people. So we had great cooperation and witnesses from Facebook, from Walmart, from eBay, from Google, from Yahoo, all coming to testify at trial.
So what happened to the millions of dollars these guys made? Well, they spent a lot of it as soon as they got their hands on it. The FBI was able to seize some of that, but not enough to pay back all the victims. However, these guys were running huge cryptocurrency farms, basically putting all the infected machines to use to mine crypto, and the FBI seized the computers which held those crypto wallets.
They did have some cryptocurrency. And actually, at this point in time, it's probably worth a lot of money. Locked in a couple of layers of encryption. We haven't been able to get there.
Wow, those machines sitting in the FBI evidence room hold the keys to millions of dollars of Bitcoin that the FBI would love to confiscate. But the multiple layers of encryption are just too strong for them to crack. And so it just sits there, in a room, unplugged, dormant.
How wild.
If it was me, I probably would have used that Bitcoin as some kind of bargaining chip to get my sentence reduced. But because they didn't, it makes me wonder whether, in twenty years when these guys get out, they might have saved their keys somewhere else that they can still access, and come out of prison as millionaires.
That's crazy to think about. Well, in case you were wondering, yes, I did get all these people in the same room to interview them all at once. We all met up at the RSA conference in San Francisco earlier this year. What are you all doing at RSA? What are you hoping to get out of this?
See where AI's going and see if we can cut through the AI hype.
I'm just here to talk to you and then get a drink with them. And that's and then I'm going back home.
And that's what I'm doing. I'm flying to Chicago tomorrow morning for an AVA conference. So...
I I spoke on a panel today about ethics and cybersecurity. Um, and then tomorrow I am speaking on a panel about a framework for measuring the security and safety of AI. So I was really excited that I could do this as well while I was here.
I'm on a panel with Brian talking about AI agent security, safety, and reliability.
🎵 Music
I'm really intrigued by this whole case because of how seriously these Bayrob guys took their OPSEC. They deployed all the best practices and took extra steps to keep the FBI or anyone else from discovering them. And it was only from these really tiny mistakes, and over the course of ten years of the FBI and Symantec and AOL diligently listening and monitoring them, that these mistakes were even found. And it's one of those cases that shows if the FBI wants to catch you badly enough, even with the best OPSEC there is, they still can. It might take them ten years to gather enough evidence on you, though. I just want to recap all the things they did here to try to keep the FBI off them, since it's fascinating to me to watch them work.
First, they didn't talk openly. These guys never casually texted each other about this or talked about their criminal enterprise over the phone. When they would, they would always use encrypted chat. And the FBI also discovered that they often ran the radio in the background when they were working together in the same room in order to keep any listening devices from hearing what they were saying.
Next, they didn't use their home internet. They used stolen Wi-Fi, long-distance antennas, and could connect to the Wi-Fi from miles away. And then they'd VPN into one of their houses where the proxy chain would begin. They used Tor and proxies and hacked routers to get online. They encrypted everything, everywhere, or at least they tried to. When moving files, they used SFTP. When connecting to their command and control server, they used SSH. They encrypted their hard drives multiple times.
They didn't log anything. At first, some Jabber logs were saved, but then they turned those off. Logs are like documenting your activities; it's a liability. They created fake personas. Each of them used their hacker handles when discussing this work and never used these handles outside of work. They were extremely careful in that matter. And then they used abbreviated versions of those handles on top of it, making it extra confusing.
They didn't contaminate work and personal data. The work computer was for work only, isolated, not just with a physical computer, but also on a separate network. Only approved virtual machines could be used for work. Never do anything from your personal computer. They reduced who they had to trust as much as possible, keeping a small circle of who knew about this.
They built their own computers, their own malware, and didn't share it with anyone. They were self-sufficient, and those who did get to help them often were lied to about what they were doing. This also meant nobody had any power over them. They had to be paranoid at all times in order to keep up these efforts for years and years. And even when they got arrested, two still refused to talk to cops and actually dealt with the pressure well, staying calm and cool the whole time.
They conducted counterintelligence, trying to know who might be looking at them and then blocking those IPs and domains. Yeah, I was told that they found out which IPs Symantec and the FBI had and were blocking those IPs from accessing parts of their network. And they did so much more. But my goodness, this is what it looks like when bad guys have good OPSEC. They almost made it impossible to be caught.
Because even though they did an amazing job at protecting their data from leaking, they didn't stop every drip. And enough drips can make a puddle.
🎵 Music
Thank you so much to my guests, FBI Special Agent Ryan McFarlane, FBI Special Agent Stacey Whitaker, DOJ prosecutor Brian Levine, the director from Symantec, Liam O'Murchu, and from AOL, Owen Miller.
Now that I'm retired, I've created a non-profit called CryptoCops Academy that is dedicated to teaching law enforcement as well as students all about cryptocurrency, and I hope to, one, instruct law enforcement so that they can better investigate crimes involving crypto, but then also to instruct the students, young people, all about crypto and how it works and how to keep safe and how to not fall for scams involving cryptocurrency as well.
And because I met and got to work with such incredibly talented people like you've talked to today, I started formergov.com, the first directory of former government and military professionals. If any of your listeners are former gov, and that's federal, state, local, tribal, outside the US or military, I'm happy to give them free membership. They can just reach out to contact at formergov.com.
What an incredible story! Hey listeners, I'm gonna be releasing a new podcast soon, and it's by far the most insane, dark, and crazy story that anyone has ever told me and probably will ever tell me, and it'll be a five-part series. And if you want to get in on it when it's launched, sign up to be a premium listener, since I'm gonna be releasing it to those who support me first. All I'm asking is for you to buy me a cup of coffee once a month
to show your support. It might not seem like much, but it's actually huge. It's way more than you can even imagine. It fuels me, it carries the show, it gives me hope, and it's so helpful. So please sign up as a premium subscriber by going to plus.darknetdiaries.com. And hey, when you do, you get an ad-free version of the show and a bunch of bonus episodes that you won't be able to find anywhere else.
So thank you very much. This episode is created by me, the man in the black hat, Jack Rhysider. Our editor is the touch typist, Tristan Ledger. Mixing by Proximity Sound. Our intro music is by the mysterious Breakmaster Cylinder. Why did the man get fired at the keyboard factory?
Okay.
He wasn't putting in enough shifts. This is Darknet Diaries.
🎵 Music
