Smashing Security podcast #158: The man behind The Missing Cryptoqueen

In a way, we could say that all of us do that. You can go on to LinkedIn and you'll see everyone exaggerating their achievements, getting invited to a... I'm not saying you two. Oh, I do. Yeah, it's a point of contention. Smashing Security, episode 158.

The Man Behind the Missing Crypto Queen, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 158. My name's Graham Cluley.

And I'm Carole Theriault. And this week, Carole, we are joined by, oh, a god of the podcast, a very popular podcast host. It is the star of the missing crypto queen. It's Jamie Bartlett. Hello, Jamie.

Hello. I mean,

I'm not really the star. I'd say Ruja Ignatova's the actual star. I'm just the presenter.

No, you're kind of the star.

You're not the crypto queen. We should explain that. It's not you, right? She hasn't gone that deep undercover and got the... Great Halloween costume for you, Anna.

You know, you say that. I know I will finally accept this is a successful podcast if next Halloween someone goes dressed as the missing crypto queen, Dr. Ruja. That's my mark of success.

I'll do it. An excuse to buy a very expensive dress. All right, I can give you some advice.

We'll talk a little bit more about a missing crypto queen later in this show, but during the course of it you do raise this possibility that maybe she's had plastic surgery and changed her appearance to avoid detection and we

Not tell everyone everything, oh

Okay, all right, shall we just get on with the show? Yeah, Carole, what's coming up on the show this week?

Thanks to this week's sponsors LastPass and support helps us give you this show for free. Now Graham is looking at the loot that a few cyber criminals walk around with, just in case you thought crime didn't pay. Jamie's going to give us some great insight into the missing crypto queen and making it and all the background information. And I'm going to get a little political on this show, just a smattering of digital snafus. All this and loads more coming up on this episode of Smashing Security.

Now, chums, chums. Jamie, I don't know you too well. Do you drive a car, Jamie?

I've got a car. Sorry, I've got a license, but I don't have a car, though.

Well, that's halfway there, isn't it?

Yeah, I think so. More than halfway.

If you did have a car, are you the sort of person who would decorate it with pictures of skulls and knuckle dusters and all kinds of evil stuff like that?

I'd probably consider it, yeah.

I know I'm thinking I've got an old car and you know why not let its last few years of life be cool.

Well Carole, would you cover yours with sort of camouflage to try and maybe you know fit in Oxford?

Camouflage would I'd have pictures of students everywhere, bicycles, something like that. Well some Oxford spires.

You know some people would and the kind of people who would are the two Russian nationals who've just had charges filed against them by the US authorities because they're alleged to run a global cybercrime organization called Evil Corp.

So, sorry, do you know if they're registered under that name?

I don't know what the rules of running a Russian business are.

We should do more research on these stories, Graham.

Well, I suspect they're not paying tax, OK? So they probably haven't bothered to also register their business.

Wasn't Dr Evil from Austin Powers, didn't he run Evil Corp?

Well, yes. Was it an Evil Corp? It certainly was an organization in Mr Robot, because if you remember Elliot, the hero of Mr Robot, he attempts to destroy the largest conglomerate in the world called E-Corp, which he has renamed to Evil Corp. But this particular, this Russian Evil Corp, run by these two guys, is said to be responsible for some of the worst computer hacking and bank fraud schemes of the past decade. Said to have stolen $100 million through spamming out email attachments, which then helped them break into bank accounts and steal large amounts of cash.

OK, no offense, Graham, but that's chump change compared to Crypto Queen.

Well, we'll be coming on to the Crypto Queen later. Is everything going to be trumped by the Crypto Queen? Shall we just fast forward to Jamie's segment of the show and talk about the Crypto Queen instead? Get a clip on, let's go. Now, look, the National Crime Agency, the NCA here in the UK, have described Evil Corp as the world's most harmful cybercrime group and the most significant cybercrime threat to the whole UK. I mean, that's pretty strong stuff, isn't it?

That they know about.

Well, that they know. I mean, they also know about other threats to the UK on the cybers, like Piers Morgan, for instance. He'd be pretty dangerous and a significant threat, I think. But no, they're saying these guys are the most significant cybercrime threat who are out there.

I'm amazed at that. $100 million, and they say that's the most significant cybercrime threat.

Well, at least $100 million. But these guys have been operating for 10 years. They've got quite a large infrastructure, as we will hear. And the US authorities have just placed a $5 million bounty on the head of their leader, a guy who goes by the codename of Aqua. His real name is Maxim Jakobetz.

Well, because he can just get out of any situation, just water? Maybe. Wow, I love these guys. Evil Corp, Aquaman. He Is a 32-year-old living in Moscow. He's been thought to have been running this for the last 10 years. The cops have been investigating him for the last five years. And according to law enforcement, he has employed scores of people to run his operation from the basements of smoky Moscow cafes. Well, I'm just looking into it. I'm keeping an open mind. Isn't that what we're supposed to do? I mean, here we are, three impoverished podcasters, and we're talking about these Russians.

I don't think I would say I'm impoverished. Would you say you're impoverished?

Well, you know, I mean, maybe not impoverished, no.

Okay, but you're starting to feel it, aren't you? Now that you've heard that $100 million is being made, suddenly you do feel a little bit poor.

You do. I mean, there's a guy in his early 30s. Here I am, 50, you know, a failure. What have you achieved compared to this guy? Yeah, what have I managed to do? He's got himself a pseudonym. He's got himself a Lamborghini. It's covered in camouflage. He's got another one which is covered in pictures of skulls and knuckle dusters. He's got scores of people working for him from smoky Moscow cafes. He's defrauded and stolen money from bank accounts of members of the public and businesses using the Dridex malware.

So you're contemplating going to the dark side?

Well, I don't know, Carole. Do you think I should? I mean, do you think now we've been doing this show very successful at it, actually?

I think he could try. I'm not endorsing it, but you know.

Well, he's been operating for 10 years, and eight people in the network have already been sentenced — the money launderers, the network of money launderers — because once the money's stolen, the money is moved into accounts and ultimately comes back to Evil Corp. Over 40 years in prison, those guys have been sentenced to.

So they're in prison in Moscow?

Oh no, no, no, Carole. That's not quite how it works.

That's what I thought. I just want to be clear.

Because yes, these chaps are known about, have been known about for some years, and they are operating fairly openly in Russia. In fact, if you click on some of the links in the show notes, we've got, for instance, a link to a YouTube video of them burning rubber in their sports cars, doing donuts in the main streets of Moscow, holding up traffic.

Oh, is that where all the hot men are?

So they've got all these supercars with personalized number plates. Translates to the word thief. They spent over a quarter of a million pounds on their wedding, this guy Jakubets. It looks like something from the Eurovision Song Contest. There are lasers everywhere and chandeliers and fancy lighting. You know, these guys are living very ostentatiously.

And living the dream as far as you're concerned, right? Because you feel impoverished.

I don't know if I really want to go and do a donut.

Do you want a laser? Do you want to go do a donut?

No, and the laser stuff is a bit more Doctor Evil, isn't it, I think, than Evil Corp.

Do you even know how to do a donut in a car?

I wouldn't know how to do a donut. No, you see, there you go. I don't even know how to reverse park, let's be honest. So I mean, the chances of me doing a donut are fairly remote. What about you, Jamie? Can you donut?

Well, no, maybe. I think I know in theory how you do it, but I've always looked on admiringly at the people that can, but no, never had the courage to try it. But the thing is about this is looking at this story makes me think immediately with all of these cybercrime cases, it's when you see how much money you can make and you get to be able to have Eurovision weddings and donut-ing cars in car parks, you think to yourself, well, why would you work for the local authority on cyber security?

Maybe they give you a free croissant in the morning. A donut, surely, Carole. Or donut, yeah.

Well, these guys were fairly jammy, you know, because you may say, why would they work for the local authorities helping them secure their defenses? Well, Jakubets also had a sideline because he was also giving direct assistance, according to the US authorities, to the Russian government's malicious cyber efforts. What a surprise. Yes, what a surprise indeed. And of course, this is probably what's been protecting him from having his collar felt because they thought, well, you know what you're doing. You could be rather handy because we've got a little bit of hacking we'd like to do ourselves.

Okay, so these guys are still operating now. Yeah. And everything is just tickety-boo, and the US is saying these dudes are bad, and the NCA are saying these dudes are bad, and we've got a bounty on their heads, but they're out there having a great time, and you're thinking of joining them because you want a bit of extra cash. Oh, steady on. I don't want them coming around and making me an offer I can't refuse. So that wouldn't be good, right? But certainly what's happening is that the US has said there's five million dollars if you help us catch these guys. It's going to be more difficult for these guys to operate internationally. Yeah. It's kind of interesting how much money they might be putting into it. I guess what they want to do is warn their people and say, hey, look, watch out for these things. But I'm not hearing any of that, right? How are they getting us with email phishing attacks?

Yeah. So they have a very sophisticated piece of malware called Dridex. And that is spammed out via email attachment and then it puts up fake dialogues. It might steal your passwords for your online bank accounts. And they've been evolving Dridex. I think we've actually spoken about it in a past episode of Smashing Security. They've been evolving it in different ways in order to fool people, in order to get past the antivirus defenses that many people have in place. But—

Imagine I wasn't actually interested in cybersecurity at all. How would I stop this from coming onto my computer?

Best way is to keep yourself patched, run an up-to-date antivirus and hope that it really is up-to-date. Even that's not going to be 100% security against it. You can also, of course, have two-factor authentication in place for things like your bank accounts. Keep an eye open for suspicious transactions.

It's like you've said all this before.

Well, yeah. I mean, it is common advice, right? I—

Just thought it'd be good to share, you know.

Yeah, but I don't think the authorities are simply interested in warning people about this. I think they want to try and curb these activities. And these are two youngsters, I mean, I say youngsters, they're in their early 30s at best. But they have been bragging rather a lot over the years on social media, posting up pictures of their high speed car chases. They've also posted up videos of them sort of falling off hoverboards. Or at one point they appear to be cavorting with baby lion cubs on their oriental carpet.

They live in a country whose leader has had pictures of himself bare-chested in the woods.

Oh, Carole, I don't know if you've ever seen my wedding photos, but they're quite similar to that, to be honest.

In the 1990s, the UK government was thought to have a sort of policy towards radical Islamists, which was basically you can live in London, do what you want overseas, but just don't attack us. And as long as you leave us alone, we'll leave you alone. And it's felt like for quite a few years that in Russia, it's been the same. So you carry on with your cyber attacks on these other countries we don't much like. We will leave you alone. We'll leave you to it. But don't turn against us. If you do, then you're going to be in trouble. And it's a perfect situation, isn't it, for the Kremlin? Because they have this distance from them. And I wonder whether the US probably knows they're never going to extradite them, they're never going to arrest them, but it's all about a sort of power play. That you're just publicizing the fact that there are these malicious actors in Russia that are being allowed to operate openly and freely because I think that that's really becoming one of the sort of diplomatic tools that people are leaning on each other, accusing each other of various types of corporate espionage and stuff. So it's probably just an announcement to just lean on Russia a bit more.

Think about it the other way though, right? Imagine someone living in the UK or the US hacking into some poor Russians who are, you know, falling for some scam.

Yeah, I'm wondering whether our governments are ever a little bit lax, if it was the other way around, you know, we're just going to target Russian businesses and whether our government ever says, okay, you know, we're going to look the other way. And I have no idea. I have no idea. Maybe in next podcast.

Well, one of the members of Evil Corp is believed to be the son of a former mayor of one of the big cities over in Russia. So there certainly were links to politicians. Yeah, networking kids. Good to have connections. Yeah, good to be connected. And of course, countries all around the world are hacking each other. There's a lot of this going on. But it's good. It really is good. And I think this is encouraging to see the US authorities really taking a hard line, finally, against Russian hacking.

I thought you were going to say, I think it's really good that he finally got a really cool car.

No, no, it's a gross car. Forget the cybercrimes. This is sort of crimes against fashion and good taste when you see the pictures of these cars that they bought.

Make sure you never ask me for a Lyft when I get mine.

Well, I don't think yours is. Have you still got that red leather and the dice hanging up as well?

Fake leather, actually. Leatherette.

Well, Jamie, I think it's time for us to move over to you and find out something about the missing crypto queen.

What do you want to know? Okay, so first thing, let's assume that not all our listeners took our advice to go and listen to it. But a lot of them I'm sure did, but give a little vignette on basically the whole story.

Yeah, so basically what happened was 2014, a woman turns up out of nowhere, Bulgarian-German businesswoman. She's 34 years old. It's called Ruja Ignatova. And she says to the world, you've all heard about Bitcoin. Maybe you think you've missed the boat on Bitcoin, but don't worry. I've got a new one. I've got the next Bitcoin. It's going to be bigger. It's going to be better. It's safer. It's simpler. The Bitcoin people are too technical anyway. They're arrogant. This is going to be Bitcoin for the masses that you can really use in the local shops. And it's called OneCoin. I've invented it. And would you like to invest? And if you invest now, just like with Bitcoin, you're getting in at the very beginning. Price is going to shoot up and you can make a fortune.

Wasn't this at a time when there were loads of new coins coming up? Like there were tons of different coins. I mean, every day I'd be looking online going, oh, there's another one.

But I think the real golden age was actually 2016 when there were ICOs every other weekend and people are pouring money into these initial coin offerings. But yeah, you're right. 2014, I think that was when Ethereum first arrived. So there were these new coins arriving and there was this sort of a sense that Bitcoin was just the start and there were others coming. And hers was one of them and so she says all this and very quickly this spread so fast so by March 2017 over four billion euros has been poured into this cryptocurrency.

That's money. Okay, that's money. Four billion. Okay, not 100 million. A measly million.

A hundred million was poured in just from the UK. A hundred million. So we're talking about colossal amounts of money.

And all these investors, all these people thought they were going to make a fortune themselves.

Yeah, they thought that they were going to get 10x, 20x, 30x, 100x on their investment because they were buying these coins at practically nothing and Ruja was saying within a couple of years they'll be worth a hundred dollars each and who knows what beyond that and people were amassing these coins. 175 countries. I estimate around a million or so people invested. And then in October 2017 she disappears. She has not been seen.

So she disappears like she just poofs, right? She's out.

More or less. Yeah, she takes a flight from Sofia, Bulgaria which is where her head office is and where she lives to Athens, Greece and is never seen again. Which is a CEO and founder of the coin, the visionary, the messiah, the next — I mean everything. She is the genius behind this coin who everyone worshipped. She vanishes off the face of the earth. And then of course the podcast is trying to find her but also to uncover the fact that this is a colossal pyramid scam and trying to work out how she's managed to pull it off.

Because that's the thing. I mean it wouldn't really matter if she had disappeared if those people who'd invested would be able to cash out their coins like Satoshi Nakamoto, right, who never appeared. That would have been great. But my understanding, as I remember listening to the podcast, there was no way to get your money out. The promise was that this was going to happen. There was promise that it was a blockchain, it's all being recorded properly. But all people really got was a website where the current price of the OneCoin was increasing all the time. So they thought their investment was increasing.

Yeah, exactly. So the idea was you buy your coins. You get your coins into your account. You open an account on the OneCoin website. And then when you send the money, you get the coins into your account so you can open it up, look and see, oh, I've now got 10 OneCoin. I've got 100 OneCoin. And the price kept updating and the price kept going up and up and up and up every month. And the promise was very soon you will be able to exchange your coins back for real money again at the price, at the price on the website. But there was no blockchain behind any of this. It was just a number on a screen. There was nothing behind it. It was probably an SQL database in an office in Sofia. And someone was just changing the price. So everyone thought they were sitting on — some people thought they had millions of dollars worth of OneCoin. And they had nothing at all. And to be honest, this is called a crypto scam. And everyone called it a crypto scam. And we called it the missing crypto queen because she called herself the crypto queen. But really, it's actually just an old-fashioned pyramid scam. But you're using a fake cryptocurrency as the product. I mean, was your mum ever like an Avon lady or a Tupperware? Because my mum used to sell Avon products. Do you remember that stuff? You get your friends around. Avon is makeup.

Yeah, there's Avon, there's Amway. There's lots of these multi-level marketing schemes, aren't there, where there seems to be so much pressure to recruit more people to go underneath you rather than actually, you know, the product selling because it's a good product.

That's the definition difference is that if you've got a product to sell and it's this real physical thing and you can make your money that way, that's legal. There's nothing illegal about it. And yes, it's a controversial way of selling because of the pressure that you're under to sell to your friends and family. But it's not illegal. And so Avon and Amway, they're legal companies. But if you've got no product, but you're selling in this you sell to your friends and then they sell to their friends and you build a pyramid beneath you. And the bigger the pyramid gets, the more profit you make because you get these commissions all the time. Then that becomes an illegal pyramid scam. And that's really what OneCoin was. It was an old fashioned pyramid scam, but using all the hype of cryptocurrencies and especially Bitcoin to make people think they were buying something that was not only useful bit of makeup or Tupperware but a cryptocurrency that's going to keep going up in value. I mean what could be more perfect? You don't have to have your garage full of Tupperware.

When I was listening though I was thinking why are people actually buying into this when she's saying 100x? Do you think because you've talked to so many of them, did you feel it made reasonable sense when you heard their reasons to believe? Or did you think they drank the crypto Kool-Aid and were just in love with her?

There's a bit of that. But think about it this way as well. What returns were people making on Bitcoin? So when she turns up and says, you're going to make 100% because you're 1,000% or whatever, they look at Bitcoin and they hear the story about someone who spent 10,000 Bitcoin on a pizza or whatever it was. And those stories, I invested five dollars in Bitcoin in 2010 and now I'm a millionaire.

Or there's the guy who invested loads on a computer, threw the computer in a Welsh dump somewhere, realized he'd become a gazillionaire and then tried to pay the council to find.

Exactly. So these insane returns don't seem that insane because they've happened. But she was also very, very credible. I mean, they weren't targeting Bitcoin specialists. They weren't targeting the blockchain experts. They were targeting ordinary people who maybe had read an article in the newspaper about these Bitcoin millionaires and thought, oh.

I have a very big question here that occurred to me while I was listening to the podcast repeatedly. How was it possible, do you think, that magazines like The Economist and others of huge repute would not have done due diligence to actually find out if she actually was worth all that? She did have a PhD. I remember you doing the research on that. Was it really that much of a smokescreen or did people fail in doing any digging, do you think?

Oh, that's a good question and a tough one to answer because there were slightly different things she did, but she was very, very good at sounding extremely believable to people. And she'd take little clips and little bits of media coverage she'd had and package them all up, taking advantage maybe of some people's laziness to present such a believable image that she was the next Steve Jobs. I mean she appeared on what looked like the cover of Forbes magazine. Go online and there's a picture of her on Forbes magazine front cover, like this amazing, Zuckerberg's on there and Jobs is on there and Buffett and then there she is and you think wow. Now actually what that was was a paid advertisement in a local Forbes Bulgarian franchise, which in Bulgarian said paid advertisement.

Go on Carole, we've all done that.

Which in Bulgarian said paid advertisement, but no one, I mean who reads Bulgarian apart from Bulgarians? So she took that and she sent that all around. I met people in Uganda that had invested their life savings into this because they saw her on what they thought was the front cover of Forbes magazine. Now, the question, I suppose, then is, well, why does a local Bulgarian franchise of Forbes magazine, why do they do adverts that look identical to the front cover? But I don't know. I can't answer that. But then The Economist, yes, she spoke at an Economist event in Bulgaria.

Oh again in Bulgaria. You see even my research subsequently after listening to the podcast, I did not notice those. I basically probably did an image search on her and then saw all the covers and didn't question them.

Because the thing is she appears there. Exactly. She appears there and I think you think to yourself well I'm sure they would have checked and I think everyone's thinking everyone else is checking but from The Economist perspective what they would probably say is, look, this was a legal company. It was operating in Bulgaria. She won the Bulgarian Businesswoman of the Year Award in 2014. I mean, who organized that? I don't know. How legitimate was that? I don't know. But you look at that and you think, OK, that seems fine to me. Then we'll have her as a speaker. And so what she did was every time someone didn't quite do the due diligence they might have done or relied on someone else's research she'd build that into her profile and that would mean the next people who should check would say oh The Economist checked so that's fine. So when Thom Jones sang at her birthday party in 2016, yes he probably his advisor.

Crypto queen, no no that's Neil, that's Neil Diamond. That's Neil Diamond. Oh, right.

We're talking about the green, green grass of Bulgaria is the one we should be doing.

You've got the wrong guy. Just like you. Thom Jones' advisor probably looked in and said, well, she's been on the cover of Forbes and she's the economist. Come on, if

You're the manager for Thom Jones, you're not even going to do that. You're just going to say, someone's come along with a whole load of cash, Thom. You don't have

To wash your hair. Give yourself to Bucharest. They're a legal company. They exist. They function legally in Bulgaria. So what's the problem? Exactly. That, I think, that's a real thing of our rate. In a way, we could say that all of us do that. You can go on to LinkedIn and you'll see everyone exaggerating their achievements, using, you know, getting invited to a... I'm not saying you two. Oh, I do. Yeah. But everyone does it to some extent. Everyone does it, don't they? And you do a little talk somewhere. You get invited to do a talk and the people organising it are busy or maybe you get invited to come on a podcast or go on the TV and the producers are busy and stressed and then you clip that up and then you show that to everyone and then they get you on next time because you've been on this programme and you build up like that. Are you a fraud, Jamie? Just go check. Is this really Jamie?

Yeah, exactly. I mean, we've been joking about this but it's really so sad hearing some of the stories of people. There's a woman who you spoke to who was a fervent believer in OneCoin. And you actually play a recording of someone who was a skeptic arguing with her for ages. And she's now turned around and she's now formed this support group for people who've lost money.

That was delicious audio, that segment. That whole thing was just beautiful.

I had a friend who joined a religious cult and listening to some of the episodes of the missing cryptocurrency really reminded me of that cult-like fervour of there's nothing which Dr. Ruja can have done wrong. And for you to question her means that we have to close you off, we can't speak to you because you're just spreading lies. Just like the BBC are spreading lies about OneCoin. Yeah, they came back to us and said, you know, propaganda, fake news, all of that stuff. And one of the most insightful interviews I did for this was someone who didn't know much about OneCoin at all but had specialized in religious new religious movements and cults and she had so she was a professor Eileen Barker from the London School of Economics and so insightful about describing some of the behaviors of supporters of OneCoin.

You by the short and curlies, right? You don't want to

Admit it because it's very hard to admit you've been fooled. And people would rather, you put your reputation into this, you put your money into this, you put years of your life into this sometimes and you would rather find a reason why she's disappeared that's because she's gone into hiding because the banks are going to take her down and the governments are scared of her but she'll be back soon. It's easier psychologically for you to do that and I thought yeah it was right, it started to sound a bit more like a religious movement really than an investment opportunity. But you know what this is, this is one of the awkward things about OneCoin. Sometimes when you listen to the legitimate crypto enthusiasts, they also have the same kind of, you know, Bitcoin, you can't criticize Bitcoin. This is the greatest thing ever. And so there are similarities in OneCoin to lots of different movements as well, you know, different behaviors that we all have. That's what I enjoyed about it as a story. I thought it said something about society as a whole.

Now while you were recording this, when were you most shit scared?

Well yeah there's some scary moments.

I didn't know if it was kind of dramatized a bit or because but I felt it, I felt it. Well first thing is to be honest there are people like that Jen McCadden the Scottish woman and Tim Curry who was the person she argued with who was a skeptic who've been calling out OneCoin since late, well Tim Curry's been saying about this since late 2015 and it's much scarier for them than it is for me when I turn up with the BBC and I've got these lawyers and I've got you know all of that stuff. So I don't think I was ever as scared as they might have been doing this.

It was a truly surreal moment in the podcast I have to say. Really was, it really was. And we didn't know at that point, it was quite early on in our investigation, we didn't really know what we were dealing with. We'd heard that there's possible involvement of dark shadowy forces, organized crime groups, who knows really who's behind OneCoin. And then we bowled up to an event, the first cryptocurrency beauty pageant organized by OneCoin, basically talked our way in and then sat there in the corner with a really big microphone with everyone sort of staring at us thinking what on earth have we got ourselves into here?

Now we've got to stand up and walk out without anyone noticing.

Yeah it was weird, yeah it was very weird.

Was it exhausting though? Was the pace of doing the show exhausting? Because you guys travel all over the place or how long did you? Yeah how does—

Something like this start Jamie? Did you come up with the idea of the podcast or were you approached or? Here's the—

Weirdest thing about it and it was exhausting by the way because the story kind of unfolded as we were doing it. And some podcasts, because you obviously got like your podcasts and then which are sort of they go over several years. Well, you're on 100 in episode 158, is it? Yeah. Wow. So but then you've got the ones that are just eight episodes on one story, which is obviously this one. And they're quite different, even though they're both called podcasts, aren't they? And what they're about and how they are structured and everything. But some of the people that make those podcasts, they make all of them and then they release them week by week. But they're already made. They're all finished. They're all done, legal and checked. But they're just slowly releasing them for detention. But we were making each one as we were going. So cool. I'm so glad to hear that that was real.

And you were getting feedback from listeners, weren't you, and leads and things. It was astonishing.

Yeah, well, that's what we knew would happen because we realised just how big this story was. And we thought when we release episode one and two, people are going to come back at us. OneCoin's going to come back at us. Investors are going to come up with stories. Maybe listeners will have spotted Dr. Ruja and will phone us up. So we thought we can't make them all. We made some of them, obviously, but we couldn't make them all. We left a lot of gaps. And in each episode, we were changing them sometimes right up to literally a couple of hours before they were published.

That sounds heavenly in a bit, though, because it's quite fun. That was so exciting. Did you suffer, though, after you finished, after you kind of put out your last episode? Did you have a bit of paradise syndrome, you know, where you're kind of like, what do I do with myself now?

Of course, yeah. And I used to get that when I used to do exams and stuff. You'd look forward to the moment it was over and then the minute it was over you don't know what to do with yourself. But I mean me and Georgia who's the producer who's in it quite a lot—

Yeah, I know a high five to her for all the production amazing incredible. Incredible stuff. Yeah, really great. She was so great to work with and but we would be we'd be up at 6 a.m. on the phone to each other and then midnight in bed be phoning each other. What's good? Yeah, what's the date? And then suddenly it's not just us so it really was but I mean the thing is for those who've listened they'll know that maybe there are bits of the story that haven't quite fully finished and so yes we're gonna be another one let's just say we're still talking basically every day.

When you go around Homebase, are you sort of looking down the aisles just thinking, could that be?

Yeah, because that's where she'd hate me hanging out. She'd be buying some doorknobs down at Homebase, which doesn't necessarily exist anymore, is it?

Funny you should say that, but I did spot Jeremy Corbyn in my local Homebase the other day. So—

Well of course he's there he hasn't got anything else to do.

It was a while ago now actually but someone did tell me that they'd seen her in London recently and swore that it was her. And I've been getting a lot of people telling me they've seen her all over so you know what I did. I personally do keep an eye open you know why? Because I was told by someone that she's so brazen about what she does that she would have found out where I go and where I work and she'd probably drive by me just to see what I look like.

Do you think she might have perhaps sociopathic tendencies perhaps? Because it wasn't her—

First show at the rodeo was it? No it wasn't no and just Graham to answer your question you said how did it come about? Because it's quite interesting that Georgia was approached by someone, one of her friend's friends, who was in a pub going on about it, saying, oh, I found this amazing new cryptocurrency. You know, this is amazing. I'm going to make loads of money. She started looking into it and thought, this is weird. Phoned me up because she knew I'd covered these stories in the past and said, have you ever heard of OneCoin? And the thing is, I said, no. She said, oh, that's funny because it's a cryptocurrency where there's been billions of dollars invested. And I said, no, that's impossible. I'd know about it. Because I, you know, I wrote a book about the dark net in 2014 and I really covered cryptocurrencies and Bitcoin. And I'd never heard of it. And it's so weird because the whole of the crypto world, it passed them by because they looked at it and just thought, this is a Ponzi scheme. This is a pyramid scam. This is nothing to do with us. So they ignored it and the mainstream press looked at it and thought oh this is a cryptocurrency story that's for them those crypto specialists to look at and it kind of was just missed by everyone.

And then they get on the cover of Bulgarian Forbes and we're all yeah yeah it's almost an echo chamber thing I bet they were making a lot of noise do you know if they were doing any investment in social media ads and that sort of thing to try and target particular victim?

That's a good question. I don't know if they were running social media ads. Well, they

May not have been, but of course the people who were trying to recruit other people, they were probably the ones wasting their money giving it to Facebook and Twitter or whatever, trying to get more OneCoin. And the truth is, OneCoin is still going, right? Are there still people out there who still believe in it?

This is what makes the story so fascinating. There's a lot of people that still believe in it. In fact, a handful of them posted a picture the other day from the OneCoin head office in Sofia. But they're still going. They're still denying they're a scam. People are still investing all the time in this because not everyone listens to the BBC's podcast. So how are they going to... Well, what fools!

Don't worry. We've got the rest of them. The BBC played this. We've got the rest. And then OneCoin people, even if you did listen to it, you'd say, oh, yeah, well, guess what?

BBC's fake news because they're scared of the crypto revolution. So you can't... It's so difficult to change people's minds. Yeah. And what's

Really annoying is that not only is their money tied in, but people have made a lot of cash because because they're selling a kind of education plan and they're getting money back.

Yeah. This is what people think that everyone lost out who put money in. That's not true because it's a pyramid scam. People at the top of the pyramid were making loads of money. We interviewed one guy who was making over a million dollars a month selling OneCoin because he's so you get a 10 percent commission on every package. You sell to people and you'd sell a package for 5,000 euros, you know, 5,000 euros worth of OneCoin and you get 10%. And then if they sell and then their friends sell and then your pyramid gets bigger, then you get it gets very, the only thing more complicated than cryptocurrencies and blockchains is multi-level marketing compensation schemes. Honestly, it's you get a matching boat, you have a strong leg and a weak leg and you get sales volume per week and then your weak leg is deducted from your strong leg and what's left over, you're paid out, a percentage of that, and 40% in real money, 60% in OneCoin, that kind of thing. So people at the top who are near the top of the pyramid, they were making lots of money. But then, of course, most pyramid schemes, nearly everyone loses out. It's only those who got in early.

It's just a mind-boggling experience, even to listen to and to imagine. And it's still going. You're just reminding me of this podcast remember that The Shrink Next Door Graham and it was about this guy who had basically had fooled his patient into basically taking over his life but literally the whole idea is 20 years people just snowed people can believe anything can't they it's amazing but then there's a lot of things that happen in reality that are pretty crazy I mean didn't Elon Musk just you know release a crazy ass car you know

That's insane isn't it well Jamie it's an incredible podcast well done for putting it together it's been an extraordinary story I mean we've only really sort of dipped our toe into it I think we'd strongly recommend listeners to our show go and check out the missing crypto queen you will not be disappointed and I really hope there are more developments in the story I've seen some in the news but I'm sure there are probably a few more episodes of the missing crypto queen to

Yeah, and if our listeners, if you happen to spot her anywhere, maybe not just report it to Jamie, but take a picture and send it over. Please, please do. Yeah, just for a bit of photo evidence.

Please, yes, the case is still open. I am still here. I'm never going to stop. I'm never going to stop. I don't care whether the BBC pays me anymore. I'm just going to keep going.

Jamie, see, I love your obsession. Can we be friends? Can I check in occasionally and just go, how's it going? Are you alive?

I think this will be. I think this is something that's going to stay with you for 20, 30 years. I'm not suggesting it will be a... Of course you're going to do other exciting and interesting things, but it feels like something which is going to be there, a bit like background radiation all the time until this woman is imprisoned.

I think you're right. The weird thing is if she's caught and extradited and goes to prison, there will be a certain, I would never say sadness, because this is what she needs. And for this thing to really finally stop, her being sentenced would help. But there'll be a small bit of me that will miss the search for her when that happens.

You could go visit her in prison.

I will. Yeah, it would help. But of course, there have been cult members in the past where the leader has been imprisoned and people just carry on believing, don't they?

That's true. You know, every time I think, every time I thought, because I thought what happened two weeks ago was that the brother of Ruja Ignatova, Konstantin Ignatov was arrested in March 2019 because he took over OneCoin when she disappeared and he admitted like two weeks ago or three weeks ago in a U.S. court he pleaded guilty to multiple counts of fraud in connection with OneCoin as part of a plea agreement and I thought this finally this is the moment that OneCoin dies and it but it's still going fascinating isn't it totally.

I think we should move on shall we. Carole what have you got for us? How are you going to follow that?

Yeah okay I'll follow this no problem.

Tell us your brilliant story from the world of computer security and privacy easy.

Peasy lemon squeezy. Well it's not from computer security Graham. I don't know if you know this but in a few days time on the day that this podcast is made available to the world it is election day in the UK. Yes, it is. And I don't know how you guys feel about it, but it's a pretty scary event for me. I mean, there are a lot of people out there who want a better UK, but are stumped as to how to get it. And the thing is, this UK election has been racing ahead at a clip that makes people like Ben Johnson's 100 metres time look positively slow.

You should compare it with Boris Johnson's 100 metre time, I think. Is that quite fast? See how they compete. Maybe that's how we should decide elections in future. Just get the different leaders, give them a 100-metre race and see who wins. I mean, I think that'd be fair, wouldn't it?

Are you guys feeling at all uneasy about it? Or you already know what you're doing and it's all cool?

Well, I know what I'm doing in my constituency. I know who I'm voting for. And I'm fairly confident that that person's going to win.

Right. So you're just going with the flow.

Well, where I live, it's a fairly easy choice. I'm a little bit worried about what the overall outcome is going to be, though. It's a weird position to find yourself actually hoping for a hung parliament rather than anyone to win. But that's the point.

No, you see, a hung parliament would be read as the people have spoken and they've said they're quite happy with more hung parliament. So carry on.

Out of the options at the moment, I think I probably am as weak as possible.

You know what? I mean, I still haven't really decided what I'm going to do.

You know, I thought I decided yesterday and now I'm doing this story. I'm like, oh, God.

I'll chat to you after the show, Carole, and I'll tell you what to do if you're in any doubt.

Oh, yeah. No, and I'll just do what you say. Now, okay, so basically, but you know what? It's not just our politics. World politics are a bit scary these days. Things like flipping fake news and the fact that so many content providers out there say they're not responsible for what is pushed out on their sites. But sometimes on these sites, there are some juicy truths that get through as well. Right. So just because there's a lot of fake crappy stuff out there doesn't mean there's not a few gems once in a while. Agree? Okay. Yeah, of course.

Yeah, agreed. You've got to find them. But they're out there.

Okay. Just for anyone outside the UK, why would you bother following the UK elections? Right. So high level facts, Graham, you're much more okay on this stuff than I am. So if I forget anything, you just jump in and interrupt me as you would normally. Okay, we've got crackpot media buffoon Boris Johnson, our current Prime Minister. He's up for the post. And we have testy faux leather elbow patch Jeremy Corbyn. I'm sure they're faux leather. And that's basically the two main players. Would you agree?

Yes, of the people who are likely to become Prime Minister, those are the most likely.

By far, I'd say. Yes, according to the opinion polls, yes. Yes, and we all know we can trust those 100%. One of the big issues that they're debating is the UK National Health Service, a beautiful system which is getting a lot of heat. Listeners that don't really understand, it's like a loved system, but for the last decade the system has been smacked with austerity. And it has less money for services, staff and equipment, and it's kind of hobbling along right now.

Yeah, I think it'd be fair to say most of the population considers it very much loved, but it's also considered vastly under-resourced.

It's particularly now. I mean, we did have a little time of austerity, which was timed with a huge uptick of ageing populations. So that was a really smart thing to do, because, of course, microcracks might become huge wounds. A lot of NHS

Workers come from Europe, which we appear to be detaching ourselves from as well, which could be a challenge as well going forward. Fun times in the UK as well, right now. During the recent debate between these two party candidates, it's Corbyn and BoJo. They were discussing the NHS. Becoming the bogeyman in this episode, aren't they?

But what's interesting is you think, okay, Russia, this is all fake news, fake news, fake news. It's being branded in a lot of the media that I saw today, and there's the ones you'll see in the show notes, as a Russian disinformation campaign. And while Johnson has denied Labour's accusation that the NHS will be carved up, it does seem that the document is actually genuine.

So you're saying that the document does appear to have genuinely been leaked from the government?

Well, the government, yes, but not by the government. No, no. Via this Russian sidestep. Potentially. So

Your theory or the feeling is that maybe the Russians have deliberately distributed this on Reddit in order to meddle with the election chances of either Corbyn or Johnson? Oh, don't take my word for it. Let me tell you what Reddit said in this statement. Right? They said its investigation had found a pattern of coordination between the now banned accounts on its site and a Russian campaign uncovered by Facebook earlier this year. Right. Yeah. Because they want a particular side to win?

I don't think anyone knows at this stage other than the cause, Crazyola, right? I'm sure that'll all come out in the wash.

It just adds, though, to the general uncertainty amongst the population, isn't it, as to you can't know anything. No. You can't trust any piece of information because you're always trying to second-guess, well, why has that information come out and is what has been reported actually true or is there some sort of undercurrent of mischief-making which is going on? What's amazing about this, right? I mean, it's like no politicians have heard of Reddit. I mean, look, this is probably the first time 95% of MPs even know what Reddit is. Imagine what other amazing things are on there for them to learn about. I mean, there's all sorts of stuff on there. If they just spend five minutes scrolling through Reddit, they'll find things that'll blow their minds. Oh, there are cat memes, fantastic.

The irony of the whole thing though really, right, is that it went up on Reddit but it caught hardly any traffic at all, but somehow it ends up in the Labour camp, right? And they must have just been the cat that got the cream, right, because they must have been reading it going, "Oh my god, oh my god, it's so juicy," you know? And fair play to them, they did vet it before they went on national television with it, so we didn't have any micro cameras going in and trying to find out some secret information. But the whole idea here is, see, they're basically saying, so Corbyn's saying, "Look, you're trying to sell off the NHS in some way post-Brexit." Johnson's saying, "No, no, no, no, no." And, you know, "I have this document to prove it." And they're going, "Pish posh. Who gave you this document?" And he's now gone a bit quiet now. So there's no contesting saying this is absolutely fake from the Conservative Party that I could find. But what is a little bit interesting is that last July, there were news items or murmurings that Amazon were going to get, were partnering with the NHS to stream the health service advice via Alexa, right? All this information is already available online, but using voice.

So what, do you mean NHS Direct? So they have that website where I can go and I can say, I've got a paper cut and you go through a sort of flow chart. Exactly. And it eventually tells me to go to A&E or something, or you're having a heart attack. So I would be able to say that to Alexa instead, say, I've stubbed my toe, or I've got a pain in my groin, what should I do?

Or you'd say, what are the symptoms of this? How do I treat this? Right? Okay, all right. Yeah. You know.

So that's the deal that Amazon are trying to do with the NHS, or NHS trying to do with Amazon.

But this week, it seems that responses to Freedom of Information requests published by the Sunday Times show that the contract will also allow Amazon access to information on symptoms, causes and definitions of conditions. So basically all relatable, copyrightable content and data and other materials is going to be shared with Amazon. Now, not patient data. Okay, I have brackets here "at this time," right? But no patient data is currently being shared. And, you know, they've made a lot of statements on the NHS website about the great security measures they have in place to stop that sort of thing. So there's a little ray of sunshine there, I'm sure everything will be fine. But the thing that's kind of shocking is that they didn't get any payback. So this is basically being offered to Amazon for free, right? So the UK is considered a world leader in compartmentalizing and basically organizing all this huge wealth of health information. And it's now been shared with one of the richest, well, the richest man in the world's company.

Is it that NHS are going to give all kinds of data to Amazon to process and do data mangling on? Or is this an Alexa deal where you can speak to a database and get information on your symptoms?

So in July it was presented as a, hey, we're partnering with Amazon to give you some Alexa. Yes. But a recent Freedom of Information request revealed, right, and this was published by the Sunday Times, that the contract between Amazon and NHS was much much bigger than we all originally thought. And they're not just going to be giving power to Alexa to be able to help people, but they're also sharing with Amazon information on symptoms, causes, definitions, conditions, basically this huge, huge, huge copyrightable database.

Health and can I be devil's advocate for one moment which is that the NHS obviously needs lots of processing power and probably wants to make use of big data and you know rightly or wrongly thinks that that would help people live fuller and healthier lives that's certainly the conservative's view. Well okay I know I'm just like I said the devil's advocate.

But the Labor Party will do this as well we know that they will they will because it will offer savings it will we're struggling with an aging population and and there will be great benefits to patients from sharing all this data won't there.

That's sure and my question really is okay so you're highlighting this and saying oh this isn't a big concern well what big technology companies could they partner with who aren't American. You know, it's not like there's a UK company who can decide to do all this data mangling for you, is there? All the powerhouses are over there.

All the signs are that one of the next big growth areas in digital technology is going to be health data. And the NHS holds what must be the best set of databases about people's health anywhere in the world. So all but all the big tech, we've got decades, I hope people's entire lives have been datafired on the NHS. Amazing stuff. And when we start processing that, the amazing findings and things to learn and preventative things we can take on board. So you've got to think that all the big technology companies are going to be desperate to get their hands on this data, which worries me a great deal. I think that if the UK is going to develop a really healthy and competitive tech sector, it's going to be in health data. It's going to be in health apps. It's going to be in the next sort of wave of diagnosis tools and stuff. And we have to invest in UK-based companies to be able to do that rather than just outsourcing it to the big players who've already got all the processing power.

I agree. You know, that privatization, we've seen it here in the UK with lots of things, trains, everything. You know, privatization is a very delicate operation. And I think it needs to be approached very cautiously. And right now, both sides are denying that there's any privatization going on. But I think you're probably right. There's no other way to maintain it without the rich funds of the private sector.

We should probably do it. We should do all this stuff because of the benefits. But it's going to have to be so carefully regulated that you're going to want it to be with a company that's— I mean, maybe it's a public private partnership company. Maybe it's a company that the government owns some proportion of the shares in. But a company based here at the very least would be forced to follow very strict UK-based regulations. And so you'd just be able to control a bit better how that data was used.

Maybe we need to nationalize Amazon and Google and some of these companies, at least in their UK operations. Maybe that'll be on the manifesto next time.

Very, very, very happy story for me. I have no idea what my end result is other than say… Time for sponsors. Yeah, it was. That's what stood on my mind this week. Excellent. Don't you love a win-win situation? Imagine if you could have both enterprise-wide password management with single sign-on. What is single sign-on? Well, Graham, let me dazzle you. Single sign-on is designed to connect employees to high-priority apps, all without needing the user to log in at every single hurdle. Now, by combining these two services, our friends at LastPass may have just revolutionized security at the enterprise level. Learn more at lastpass.com/smashing. You don't need to say the forward slash.

And welcome back. Can you join us on our favorite part of the show? The part of the show that we like to call Pick of the Week.

Pick of the Week. Do I say that as well? Yeah. Pick of the week. Beautiful.

Pick of the week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security related necessarily. Better not be. Well, my pick of the week this week is not really security related, although it is a problem sometimes you might encounter at a security conference because I don't know if any of you have encountered the issue of smelly armpits and bad body odor.

I mean, that's not just something you get at security conferences.

Yeah, Graham, we don't hang out that much anymore, so it's not been so much of a problem. Hasn't been So much of an issue. Well, I have to say, just recently, I was saying to my lovely wife, I was saying, you know, I've noticed that I seem to be a bit stinky, I thought.

Oh, Christ. Okay, so you're going to run around naked now. No, no, no, no, no, no. And that's now going to keep your armpits all clean. This

Is this weird little tube of stuff. And you squirt out a tiny little pea size of it. And you sort of, you just rub it into your armpits, Carole. And here's the wonder. Here's the wonderful thing. Is that you don't have to do anything again for like four or five or maybe five days or so. You don't have to do anything anymore.

What do you mean? You don't have to shower? You can shower. Are you putting this all down your crotch? Are you just wiping it all? Are you bathing in this stuff? Is that what's going on?

It's like a wet wipe for adults.

No, no. I'm purely using it on my armpits. I am showering every other part of me. And you can still shower your armpits, should you wish to. All right. No, keep my arms down. It's like when you have stinky armpits and you always have your elbows glued to your side. Unlike other ways of dealing with your armpits, it doesn't have aluminium and petrochemicals and all kinds of nasty stuff. It's all natural. And all I can tell you is it really works. And according to Mrs. Cluley, at least, she says I don't stink at all anymore.

Oh, really? Are you back in the old book?

So my pick of the week this week, and thank you, Rik, for mentioning it on Twitter because that inspired me to give it a try, is NUDE, N-U-U-D. Links in the show notes. We're not getting a commission. Maybe we should. Maybe they should have a multi-level marketing. Well, yeah, maybe I'm now part of his pyramid. Who knows? Oh, dear. Jamie, what's your pick of the week?

Oh, mine seems really boring now, but I read an amazingly interesting article in the New York Times about this guy called Anthony Carmelo. He's standing trial at the moment in Staten Island because he shot and killed a top gangster called Francesco Cali. Now the thing is it seems that this young man, he's only 25, is Anthony Carmelo. It seems that he was really obsessed with these weird online far-right conspiracy theories like QAnon. Have you heard of that one? Oh yeah, my goodness. Yeah, these things that are spreading all over the internet. I spent quite a lot of time studying conspiracy theories in the past. They're very interesting things and it's I suppose sort of related to OneCoin in a way. You create these information bubbles and nothing can break through. But the interesting thing about this is that his lawyer is basically claiming that because he believed in these conspiracy theories, he's kind of pleading insanity. And the question that the New York Times asks is, and it says that this will become a big issue in the future, is at what point does belief in a far right conspiracy theory make you legally insane? That is what the court will be discussing, will be considering. Isn't that weird though? I mean, but it's kind of so weird.

Yeah, maybe it's a question the Senate should be asking themselves as well.

And you know presumably you could do it for the far left as well. So basically if you're not within the acceptable bounds of...

Yeah, you can be locked up or you could, what you could claim as a defense against terrible, heinous crimes that I was temporarily insane because I believed in this weird conspiracy theory that drove me to these acts. It's based on a belief, though, rather than, I think, any kind of psychiatric testing or whatever. Oh, my goodness. As in to have believed so much in this obviously ludicrous theories to the extent that you would then go and kill someone because you thought they were part of the anti-Trump deep state renders you insane. I mean, I don't quite know what I think about this. Yeah, but it's kind of interesting.

I wonder which conspiracy theories qualify and which don't. So if I believe in Nessie or something, or the Abominable Snowman, whether there's been some government cover-up which is preventing Nessie having her day in the sun, and so I'm going to take down Ann Widdecombe or something. I don't know. No, it's just... It's a bit... The whole world... What I've learned from this podcast is the whole world is insane.

It's nuts. The world is a bit madder than we let on. You know, I think the great thing that we've all been assuming since the Second World War is that everyone is... Democracy and all of our systems are based on the assumption that everyone is roughly rational and sensible. And that's not actually true. And we're finally beginning to realise it and things are falling apart.

Take heed, children. He speaks sense. Hey, you know what?

It's not just listeners who have to listen to that, Carole. It's you and I. What are we doing? We do a podcast. Where's the sense in that? Carole, what's your pick of the week?

Okay, I didn't do much work on my pick of the week. Oh, nice. Okay. No, no. Well, look. Yesterday, Graham and I did a charity podcast.

Oh, yes. BeerCon1 with the Beer Farmers and the Many Hats Club.

And I was a teeny, tiny, little bit rude, I think. A bit vulgar, yeah. Well, you know, it was Sunday. I felt free. And maybe, anyway, I think everyone enjoyed it, I think. Right? But I thought...

Links in the show notes. My pick of the week would be a bit more family-orientated just to make up, you know, address the balance. What? Do you want to quit doing pick of the week? Do you want us to rest the segment? Do you want us to come up with a new idea?

Maybe we should. Maybe 2020 should be a brand new thing. Do you remember that one time we did the Agony... They loved that. Everyone loved that. Everyone loved it. Well, on that bombshell, we just about wrapped it up for this week. Jamie, I know lots of our listeners would love to follow you online and find out more about the missing crypto queen.

Well, you can get the missing crypto queen on BBC Sounds or anywhere else you go. What's the saying everyone says? Or wherever else you download your podcast. I mean that's the best place to go. I'm on Twitter as well at Jamie J Bartlett. I'm still basically there, I'm posting updates so any new bits of the story that come along any interesting new rumors I hear I share them there as well.

Fantastic and you can follow us on Twitter at Smash in Security, no G. Twitter wouldn't last to have a G. And you can carry on the discussion about the episode over on Reddit. So Henry Corbin if you're listening make sure to check out the Smashing Security subreddit.

And listeners, you are the wind beneath our wings. Thank you for listening, supporting us on Patreon and giving us shout outs. It all helps tons. And thank you to this week's Smashing Security sponsor, LastPass. Its support helps us give you this show for free. Check out smashingsecurity.com for past episodes, sponsorship details and info on how to get in touch with us.

Until next time, cheerio. Bye bye.

Bye bye.

Adieu, pick of the week. Adieu. That was a long show but you know what was worth it.