Two men are accused of stealing almost a quarter of a billion dollars from one person’s cryptocurrency wallet, but why on earth would they be handing out handbags to strangers? And social media comes under the spotlight once more, as we ask if you are delving into misinformation in your most private moments…
All this and more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault.
Warning: This podcast may contain nuts, adult themes, and rude language.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
They're only 20! They're only 21! I think they've done a pretty good job. I don't know. You think they have? So, well done, well done, you're saying. Well done? I'm not saying well done. I'll give you a little golf clap. Nice one, nicely done, you'll say.
Smashing Security, episode 386. The $230 million crypto handbag heist and misinformation on social media with Carole Theriault and Graham Cluley.
Hello, hello, and welcome to Smashing Security, episode 386. My name is Graham Cluley. And I'm Carole Theriault. Another late night recording for me. Maybe for you, depending on where you are in the world.
I'll be back in the office soon. It's a mystery.
Nobody knows, but you'll be back in the same time zone soon. Very soon. Now, we have a packed show, but before we kick off, let's thank this week's wonderful sponsors, 1Password, Vanta and SentinelOne. I'm going to be talking about cryptocurrency and handbags.
And I'm going to look at the glut of disinformation on the socials and what can we do about it. All this and much more coming up on this episode of Smashing Security.
Now, chums, chums, today I've got a fascinating story for you. About a couple of young fellas who have been arrested and charged in the United States of America. So this is the story of 20-year-old Malone Lam, one of these fellows, of Miami, and Jean Diel Serrano, 21, of Los Angeles. So both in their early 20s. So very young adults. Very young. And, oh, by the way, some of this story is only possible to tell because of some extraordinary investigative work done by Zach XBT. Are you familiar with Zach XBT? No. Hi, Zach. Hi, Zach, if you're listening. Zach is a crypto investigator who you can follow on Twitter. Over 600,000 people are following Zach XBT on Twitter because his investigations are very interesting. He's well known for exposing scams and hacks and unethical practices in the crazy world of cryptocurrency. Cool. And he regularly uses his expertise with the old blockchain analysis to track down funds that may have been stolen and identify people behind crypto crimes. So he's a cool guy to have on your side if you find yourself at the sharp end of a cryptocurrency scam. If you want to know who's got your money and maybe how to get it back, you would call in someone like Zach XBT.
OK, yeah, I'm following you. Good. All right. That's a lot of wonga.
It would be a lot for some two young guys who are mostly interested in, I don't know, Lynx aftershave and... Well, 50 million would be a lot, wouldn't it? What about almost one quarter of a billion dollars of cryptocurrency? Am I correct in surmising that's $250 million? Almost.
So it was round about, I think it was $230 or $240 million.
Okay, how did they do this? How did they do this? Do you know? I want to hear. Well, hang on. It's not just the amount of money that they are accused of stealing, but the fact that they are accused of stealing it from one person. Yeah. I don't think there's a Band-Aid big enough, you know.
According to Zach XBT, this crypto investigator, the hackers were remarkably inept, because not only did they fail to cover the tracks of this alleged hack. By the way, insert lots of "allegeds" and things during the rest of this. This is all allegations, all allegations, right? It hasn't gone through the court system yet. But not only did they fail to cover their tracks, which is why the arrests have happened so quickly, because this breach of this cryptocurrency wallet only happened a month ago. Right. But it appears the hackers also documented their crimes, making it easy for the feds to build a case against them. In fact, they didn't just document their crimes. They actually recorded the entire heist in a movie. What? They recorded themselves talking on a Discord channel, and you can see them typing to each other, you can hear them celebrating the theft of a quarter of a billion dollars, near enough. Oh, we're done, we're done.
So they were so confident in their ruse, they thought, let's just record it online. What? Are they wearing little masks and stuff so we can't tell who they are and all this? You don't see them on the screen. You just see their conversation. I'm wondering, that might give away a lot of information if you have a real-time effort going on Discord at the same time that 250 million dollars goes whoop.
Yeah, because they're texting each other, they're incriminating themselves, and so occasionally, when they're moving their windows and things on the screen, there may be other pieces of information which are revealed which may indicate their true identities, their usernames. They're only 20!
They're only 21! I think they've done a pretty good job! I don't know! Well done! You're saying well done! Nice one! Nicely done, you're saying!
I'm just surprised they got as far as they did. You know whatever, I was just an idiot at that age so maybe perhaps I'm projecting.
Yes, they apparently incriminated themselves. They were discussing how they were going to launder the funds. It's like they've got all this money now because that's the thing right, I don't know if you've ever had 240 odd million dollars in your pocket. No. Let me tell you, it's not that simple having money because how are you going to spend it? Right. It's a pain. It's burning a hole in your pocket, isn't it? It's like, well, what can I do with this? What are you going to buy with it? Are you just going to buy pizza? What are you going to do? Is this really a problem that people face? I think it is a problem. Friend of the show, Geoff White, he's written a book all about how you launder money and rinse money, which you've grabbed through cybercrime. It's complicated to do. And of course, it can be complicated to follow the leads as well. So they were talking about how they're going to launder the funds. They even taunted cryptocurrency investigator Zach XBT by name. I guess they were thinking, you know, he's going to be after us and...
We're going to just flip him the Vs.
Yeah. And they failed to understand what was going to become of them. So reports suggest that the heist began on August the 19th of this year, so just about a month ago. And from what I've read, it looks like these men allegedly contacted their intended victim by posing as Google support. They used a spoofed telephone number, they tricked the victim into sharing their screen. One of the things they did was they rang up at one point claiming to be from the cryptocurrency exchange, and they said, "You know that there's been a breach of your account, we need to be careful, we need to confirm your identity. Can you share the last four digits of your private key? Don't send us the whole private key." They said, "Oh, wow, the last four digits." Now it's clever, it's so clever, because...
That's what you do with credit cards, right? Well, that is what you do with credit cards and bank cards, yeah.
But the last four digits alone weren't going to allow these scammers to access the account, right? And it's not as though they had the rest of the private key. But what they said.
But they've raised their chances quite a bit. They have. But listen to this. Listen to this. Okay. What they said to this victim was, "Don't worry," they said, "Can you take a photograph of the private key and crop the picture so we only see the last four digits?" Jesus. Oh my god, it's kind of clever. See, 20, 21, just saying.
They also duped him into resetting the multi-factor authentication protecting his wallet and so they were able to transfer the funds. Allegedly, allegedly.
I'm not thinking this guy was a complete idiot if he allegedly fell for all this. But yeah, it's scary. You think you'd be really careful with that amount of money, right? You'd... Of course. And of course you're panicking. Well...
Exactly, because you think Google have rung you up, you think the crypto company has contacted you.
And they've worked hard on their little pitter-patter to convince you pretty quickly. So what we've got here is a couple of dweebs with 230 million dollars in their pockets. What are they going to do with it? It's like I said, well, what are they going to do? Well... girls, girls, girls. Thanks a lot for your big car, but yeah, thanks.
Another woman who received a designer handbag is a food blogger and podcaster. I found her on TikTok. Her name is Skylar Harrison.
Me and my two girlfriends walk over to the section, and this kid, I'm going to refer to him as a kid. I mean, he was definitely over the age of 18 or 21, hopefully, because he was at the club, but he looked pretty young. He comes towards me, and he's like, I got this for you. And he hands me the box. He opens it and he's like, do you like it? And I was like, yeah, I do. But is it real? And he was like, of course it's real. It's for you. You can have it and just walks away. Anyways, while I'm at the club, I see one other, it's a light pink one, I think. And then the day after, so yesterday, I think, I saw a girl post a TikTok about how she got gifted one by the same guy, same club. Hers I think was lime green but yeah that was it. He literally just walked away. He handed it to me. This is it. It's beautiful but to be honest it's not really my style.
Wow, so that's Skylar again. She declined to go out with five of these guys. As far as we know, they didn't manage to get any girlfriends. So if you're currently trying to amass a multi-million fortune, if you're spending all your time building your dot-com company or engaged in cryptocurrency scams or whatever it may be that you're doing out there folks, don't imagine that once you have all this money you're actually going to succeed in getting yourself a girlfriend. It doesn't always work.
Not only that, but it's a guarantee that you're not going to go under the radar.
Right, exactly. Carole, what's your story for us this week? Okay, so last week, Pew, the research group, published a report that said basically more than half of US adults, so 54%, occasionally get their news from social media. And this, they say, is up slightly compared to the last few years. I think a lot of news breaks on social media, and it is where a lot of people hang out. You're more likely to get your news, I suspect, from social media these days than tune in to the nightly news at nine o'clock.
How much time do you think the average American spends on social media platforms a day? A day?
It's going to be less than 25 hours a day. I can be fairly confident of that. Let's narrow it down. Okay, so let's assume that people sleep for eight hours a day and then mostly not on social media then. So that gives us 16 hours remaining. I'm going to say eight hours a day.
You're such a ridiculous person. The average American, the answer is two hours and 14 minutes a day. Okay, so two hours a day, not eight. It's not a full-time job. It's a part-time job. Two hours and 14 minutes a day. I think people are on longer than that. This is probably what people say they are.
Oh, I would agree. Because you know what I've seen? A lot of people these days, and I think they're actually making TV programs with this in mind now. I've noticed a lot of people now, when they watch TV, they are dual screening. They're looking at their phone while they're watching TV.
Yeah, I'm not cool enough to do that. But yeah, a lot of my younger buddies do that constantly.
Yeah, exactly. So I'm thinking, you know, this is— And I mean, okay, you get it. Socials as we know are designed intrinsically to be checked all the time. They're difficult to look away from because there's always something interesting popping up around the corner. And I mean what else are you going to do while you're commuting to work or having a coffee or, you know, let's be honest, a poo.
Don't you think it's time we started using Wi-Fi repellent paint in lavatories? You couldn't get a signal in there. That'd be a great idea, wouldn't it?
I think it's kind of ironic that we're filling our heads with poop from the socials as we literally evacuate our bodies. Now who might you think are the head social media honchos when it comes to people going to them for their news fix? So who's the numero uno news fix social site according to Pew?
I'm going to say TikTok.
And I didn't say TikTok. I said Twitter. I said Facebook. And it's way ahead. Where do people go to get their news? This is probably because you're not thinking of it as a social media platform. YouTube. Yep, YouTube, highest usage amongst U.S. adults, with 83 percent using the platform. Can you guess how long people play on YouTube every day?
You're going to say something eight hours. No, it's 46 minutes.
Yeah, there's a maximum of two hours. So okay, yeah. And the next after that is Facebook. Seven out of 10 say they use it and spend on average 30 minutes a day, or 31 minutes a day, on Facebook.
Okay, 46 plus 31. Let me see what's left over.
We know, if we've been listening to this show, that many nasty things lurk on these social sites, right? So the deepfakes, my new word, rom-conners. Rom-conners, romance cons. Did you come up with that? It's not mine. No, no, no. I stole it, but I love it. Crypto nonsense, misinformation campaigns, disinformation campaigns, poison ads, all the stuff. All of these things are for us, you and me, the average Joe and Josie out there. And our job is to slalom through every time we use these sites to get our news fix and hope that we're not hitting something bad. Now, some experts place the blame, and I'm interested in your view on this, right, on the fundamentals, how the social media platforms actually work. So typically these sites reward you if you have more followers, more likes, more shares. You know, people want to hear what you're saying. And to build up this following, you don't tend to push out moderate viewpoints, right? They don't get the eyeballs, the shares, the likes. You certainly don't get the same ones that comments with a more extreme viewpoint might. Do you agree with that?
Yeah, I do agree with that. In my particular world, the thing I'm obviously fascinated by, well, one of my interests is Doctor Who. And it's a very fractious community. There are people who aren't very happy with Doctor Who, or maybe some of the decisions made by the production team in the last few years. And those people who maybe are against certain things happening in Doctor Who get all of the eyeballs, and it feels like people are deliberately making videos being outraged and angry, and, you know, they're really right on the edge in terms of opinions compared to the average sort of laid-back fan. And I suspect they're doing it because they make more money, because they get more views, which means that it's feeding into them, and so they are having to churn out more and more outraged and shocked and astonished videos, because that is what actually works with the algorithm and gets them more views and makes them more money.
I think you're absolutely right. While I was researching this story, I found a CBS interview with a guy called Chris Bail. He's the founder of Duke University's Polarization Lab. Right. And he says the incentive structure on social media platforms leads to more extreme content rising to the top, right? As algorithms promote what gets high engagement, reactions, comments, and shares. I wonder, do you know which tweet, for example, I know you're a twatower or a tweeter or whatever, an exer. Do you know what your most successful tweet was, and would you share it with us?
I don't know off the top of my head. I could probably, oh no, actually, I'm not allowed access to Twitter analytics anymore, because Elon Musk makes me pretend to be a business and give him thousands of pounds to find out. So I don't know, I'm afraid, no. All right, okay. But this Polarization Lab founder also had this to say, which I found interesting. So he says, quote, when we look at people who are highly politically active on Twitter, we find that about 70% of the content about politics is generated by just 6% of the people. Soft moderation. Is that where you leave it to other users to moderate themselves rather than hiring people to do it? And in one study that I saw, footnotes, warning labels and blurring filters were examined. And anyway, the claim of this paper, link in the show notes, right? It is interesting. I've seen people leave community notes in the past on some of Elon Musk's own tweets where they've gone, that's not actually true, what you've posted there or what you've retweeted to your millions and millions of followers.
And I mean, we even saw California this week, in an effort to calm political misinformation, now requires social media companies to moderate the spread of election-related deepfakes. So basically, the world over, it seems, people are grappling with how to get the misinformation genie back in the bottle. But, you know, were they to ask me, I've got a good idea.
Have they not asked you?
No, they haven't. Well, they might have. I haven't read all my email. But here's my idea, right? Okay. But it takes all of us for this to work. And I'm hoping you're going to be on board, Graham.
Of course I will be.
Okay, so I'm using the premise, if we want social media companies to do better, we need to hit them where it hurts. And that's the wallet, right? So I suggest that we all take a first step and fight for no social media on the loo. Okay, so you have to come up with a cute little hashtag for this. But instead of filling your head with nonsense from socials while you're enjoying your private time, perhaps instead, you know, delete unwanted photos, review your security settings, or, you know, just go old school and read the ingredients on your shampoo bottle. Because, I mean, seriously, this will make an impact. We spend about 10 to 30 minutes a day, apparently, on the bog. That's 10,000 minutes a year. And I think we're speaking with our wallets, by which I mean our butts, which, you know, seems apropos when we talk about social media.
So I've just asked AI to come up with some. I don't know if it's going to be any good, right? Leave the scrolling for the toilet paper. Give your thumbs a break. They deserve it.
What do you do with your thumbs?
Oh, I see. Okay. Don't let your phone drown in the porcelain sea. Oh, yeah. Yeah, poetic. Keep your private business private. I didn't mean, when I asked the question, I didn't mean taking photos. Flush your worries, not your feed. All right. Sorry, AI is just rubbish, isn't it?
Any listeners out there that can beat AI, we're dying to hear from you. Thank you very much. That's my story for this week.
For today's podcast comes from SentinelOne, which secures and protects every aspect of your cloud in real time. Discover all your assets and deploy AI-powered protection to shield your cloud from build time to run time. On top of that, SentinelOne offers threat hunting, visibility and remote administration tools to manage and protect any IoT devices connected to your network. Looking for a cloud-native application protection platform? SentinelOne is your ultimate CNAP solution. Go to smashingsecurity.com for more information and a free demo. See what a flexible, cost-effective and resilient cloud security platform can do for your organization with SentinelOne. That's smashingsecurity.com slash SentinelOne. Quick question. Do your end users always, and I mean always without exception, work on company-owned devices and IT-approved apps? I didn't think so. So my next question is, how do you keep your company's data safe when it's sitting on all of those unmanaged apps and devices? Well, 1Password has an answer to this question, and it's called Extended Access Management. 1Password Extended Access Management helps you secure every signing for every app on every device, because it solves the problems traditional IAM and MDM can't touch. Go and check it out for yourself at 1Password.com slash smashing. That's 1Password.com slash smashing. And thanks to the folks at 1Password for supporting the show. Whether you're starting or scaling your company's security program, demonstrating top-notch security practices and establishing trust is more important than ever. Vanta automates compliance for SOC 2, ISO 27001 and more, saving you time and money while helping you build customer trust. Plus, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing trust center, all powered by Vanta AI. 
Over 7,000 global companies like Atlassian, Flow Health and Quora use Vanta to manage risk and prove security in real time. Get $1,000 off Vanta when you go to Vanta.com slash smashing. That's Vanta.com slash smashing for $1,000 off. And welcome back. Can you join us at our favorite part of the show? The part of the show that we like to call Pick of the Week.
Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something they like. It could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website or an app. Whatever they wish. It doesn't have to be security related necessarily.
Better not be.
Well, my Pick of the Week this week is not security related.
Good. My Pick of the Week this week is a YouTube video. During my eight hours on YouTube today, I stumbled across a video made by a Norwegian. Yes, I remember. What a different world it was. Was it a better world? Was that not BlackBerry time?
Yes, I think it was, when phones had keyboards. Yeah. So this video, I think actually millions of people have seen it, but I saw it for the first time today. And it's called Hyperactive. And it is this guy, Lasse Gjertsen, performing as a human beatbox. Now, we've seen beatbox videos before, right?
Yes.
In this particular case he's doing all that, but what he's done is he's edited it, and it must have taken him a long time, I'm sure, editing this darn thing, but he's edited this together so it's just him looking at the camera with lots and lots of cuts. And for having done this in 2005 in his bedroom, I think it's pretty impressive. And that's why what you can hear right now is him doing his beatboxing, but you've really got to see it. It's a bit like Max Headroom or something like that. Have you seen this?
No, I haven't. I will. I'm dying to see it. So it's called Hyperactive. We'll all watch it together, listeners.
He looks a bit like Yahoo Serious. Beautiful. Yeah, you can imagine. Apparently this video was so successful it resulted in him getting offers from companies like Chevrolet and MTV to make videos for them. But he, apparently, publicly said, no, no, no, no, I'm not doing that. I'm denouncing the whole concept of advertising. It is below prostitution, he said. And so he refused all the offers. Good for him, I suppose. I don't know if he's monetized his YouTube account. I bet he's kicking himself if he hasn't, because he's now had about 15 million views. Anyway, very, very entertaining. And that is my pick of the week.
Very cool. Carole, what's your pick of the week? Okay, so I've been spending a lot of my time hanging out with people that like games, like, I mean, board games and puzzles and cards and sudoku and killer sudoku and all this kind of stuff. And, you know, I like cards, I'm not really into the other stuff, and so I convinced my counterparts that we could learn cribbage.
Oh, have you ever played cribbage? Not for many, many years. That's the one where we have these little matchsticks, there's lots of holes on, like, it's like a long, thin wooden sort of block, isn't it, where you have to move bits? Yeah, I haven't done it for years.
So, invented in the 17th century by Sir John Suckling, had to say that name, an English poet, playwright and card enthusiast, right. And basically the game, as you said, has a special wooden board with pegs to track the points up to 121. First one to get all the points wins. And I won't say it was easy to pick up, because I've never played cribbage in my life, right. I would say it took me a week of study, about an hour a day. But still, that's a significant amount of time to learn a game.
What, you had to, hang on, oh yeah, hours every day to study it before you could play?
Well, you can play, but just understand the strategy of, like, what do you discard and what do you do and how do you actually do well at the game.
So now you're a cribbage master is what you're saying.
No, but I'm kind of addicted. I'm kind of addicted. It's great fun. You can really nerd out. I've downloaded a few cribbage apps to play around with, but I'm not at the point of recommending any of those yet. However, you can noodle about on the Cribbage JD website, link in the show notes. And you can play as a guest and you can figure out the rules from that. Although I do suggest, you know, watching a few tutorials on the tubes first and then probably watch them again and again to try and get the maths in your head. But it gets a huge enthusiastic thumbs up from me. I even bought my beloved Yeti, who doesn't listen to this show, a cribbage board, but in the style of a wooden canoe. And it's called the Paddler's Cribbage. And I got it from L.L. Bean and I totally love it. And link in the show notes to that too. But don't tell him.
Oh, that sounds lovely. No, we won't tell him. Nobody who knows the Yeti, tell him. He's not listening to the podcast, but we don't want to ruin the surprise. Yeah, that's right. Well, that just about wraps up the show for this week. You can follow us on Twitter at SmashinSecurity. No G, Twitter wouldn't allow us to have a G. And don't forget to ensure you never miss another episode. Follow Smashing Security in your favourite podcast app, such as Apple Podcasts and Pocket Casts. And thank you to our episode sponsors, 1Password, Vanta and SentinelOne. And of course, to our wonderful Patreon community.
Until next time, cheerio. Bye-bye. Bye. Beautiful. Thank you.
Hosts: Graham Cluley and Carole Theriault.
Episode links:
- ZachXBT’s thread on Twitter.
- Indictment Charges Two in $230 Million Cryptocurrency Scam – Department of Justice.
- Two men arrested one month after $230 million of cryptocurrency stolen from a single victim – Bitdefender.
- Skylar Harrison tells her handbag story – TikTok.
- Social media’s role in fueling extremism and misinformation in a divided political climate – PBS News.
- Misinformation on social media – statistics & facts – Pew Research.
- Social Media and News Fact Sheet, 2024 – Pew Research Center.
- “Hyperactive” by Lasse Gjertsen – YouTube.
- Cribbage JD – Play Online – Cardsjd.
- Paddlers Cribbage – L.L. Bean.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- SentinelOne – secure and protect every aspect of your cloud in real-time.
- 1Password Extended Access Management – Secure every sign-in for every app on every device.
- Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Become a Patreon supporter for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Bluesky at @smashingsecurity.com, or on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.