DA

Darknet Diaries

Jack Rhysider

175: Bayrob

Jun 2, 20261h 36m
Summary

In this episode of Darknet Diaries, host Jack Rhysider explores the complex investigation of Bayrob, a sophisticated malware gang that defrauded eBay users for years. The episode centers on the investigative work of Liam O’Murchu, a security researcher at Symantec who first encountered the malware while analyzing novel threats. Unlike common cyberattacks, Bayrob utilized a highly intricate proxy chain that routed traffic through thousands of infected machines worldwide to conceal the attackers’ true location. The narrative details the evolution of this digital cat-and-mouse game, highlighting the persistence required to track criminals who actively taunted researchers and utilized advanced obfuscation techniques. The story spans years, covering the collaboration between private sector experts, such as Liam and investigators from AOL, and the FBI. Listeners learn about the challenges of cross-border cybercrime, the frustration of working with encrypted data, and the legal hurdles of the time regarding international information sharing. Ultimately, the episode serves as a compelling case study on the persistence of both the perpetrators and the dedicated professionals working to dismantle one of the most elusive fraud rings of its era.

Updated Jun 4, 2026

About This Episode

It started with a fake car listing on eBay.

What looked like a simple online scam quietly grew, over more than a decade, into one of the most sophisticated cybercrime operations the FBI had ever traced. Custom malware. Opsec off the charts. Fleets of infected computers mining cryptocurrency for someone else. Millions of dollars siphoned from victims who had no idea.

This is the story of Bayrob and the three men from Romanian who were behind it. And the long, strange road that led American investigators to their door.

Sponsors

Support for this show comes from ThreatLocker®. ThreatLocker® is a Zero Trust Endpoint Protection Platform that strengthens your infrastructure from the ground up. With ThreatLocker® Allowlisting and Ringfencing™, you gain a more secure approach to blocking exploits of known and unknown vulnerabilities. ThreatLocker® provides Zero Trust control at the kernel level that enables you to allow everything you need and block everything else, including ransomware! Learn more at www.threatlocker.com.

This show is sponsored by Meter, the company building networks from the ground up. Meter delivers a complete networking stack - wired, wireless, and cellular - in one solution that’s built for performance and scale. Alongside their partners, Meter designs the hardware, writes the firmware, builds the software, manages deployments, and runs support. Learn more at meter.com.

This show is sponsored by Maze. Maze uses AI agents to triage and remediate cloud vulnerabilities by figuring out what’s actually exploitable, not just what’s theoretically risky. They remove the noise, prioritize vulns that matter, and manage remediation, so your team stops wasting time on meaningless vulns. Visit MazeHQ.com/darknet for more information.

Support for this episode comes from NetSuite. NetSuite gives you visibility and control of your financials, planning, budgeting, and of course - inventory - so you can manage risk, get reliable forecasts, and improve margins. NetSuite helps you identify rising costs, automate your manual business processes, and see where to save money. KNOW your numbers. KNOW your business. And get to KNOW how NetSuite can be the source of truth for your entire company. Visit www.netsuite.com/darknet to learn more.

This episode is sponsored by Chainguard. Chainguard builds container images the right way — minimal, hardened, and built from source every single day. We’re talking images with zero known CVEs, designed from the ground up for production. No bloat. No mystery packages. No 2 a.m. patching marathons because some transitive dependency lit up your dashboard. Stop patching images that are insecure. Start shipping clean. Head to chainguard.dev to see how secure your software supply chain can really be.

Listen to Darknet Diaries in Podtastic

For listeners, not advertisers

More Episodes

176: NSL

Jul 7, 20261h 6mSummary

In this episode of Darknet Diaries, host Jack Rhysider interviews Nick Merrill, an early internet pioneer who inadvertently became the center of a landmark legal battle over government surveillance. After starting one of the first internet service providers in New York City during the mid-nineties, Merrill’s trajectory changed permanently when he received an unexpected visit from the FBI. He was handed a National Security Letter (NSL), a directive demanding sensitive customer data while imposing a strict gag order that forbade him from disclosing the request to anyone, including his business partners or legal counsel. Merrill recounts his decision to challenge the constitutionality of the NSL, arguing that it violated the First, Fourth, and Fifth Amendments by bypassing judicial oversight and enforcing prior restraint on speech. With the assistance of the ACLU, who recognized the letter as a rare opportunity to challenge a secretive tool of the Patriot Act, Merrill embarked on a decade-long legal fight against the federal government. The episode provides an insightful look into the delicate balance between national security powers and individual constitutional rights in the digital age.

174: Pacific Rim

May 5, 20261h 30mSummary

In this episode, the podcast explores a multi-year cyber-espionage campaign targeting Sophos, a major provider of network security hardware. The story begins in 2018, when attackers breached a subsidiary, CyberRoam, to gain access to proprietary source code. The investigation revealed a sophisticated, multi-stage operation where actors moved laterally across networks with precision. The situation escalated in 2020 with the discovery of a widespread vulnerability in Sophos firewalls, which allowed hackers to remotely compromise thousands of devices globally. The episode details how Sophos took the unprecedented step of deploying a remote hotfix to patch these devices without direct user intervention—a controversial move that sparks a broader discussion regarding the balance between security, vendor overreach, and user control. Through deep technical analysis and OSINT, security researchers were eventually able to trace the activity back to a specific threat actor in China, identifying how the attackers used virtualized instances of the products to refine their exploits. This episode offers a fascinating look at the high-stakes world of corporate incident response, the long-term persistence of sophisticated threat actors, and the difficult ethical decisions cybersecurity vendors face when protecting their customers at scale.

173: Tarjeteros

Apr 21, 202638 minSummary

El episodio 173 de Darknet Diaries, titulado Tarjeteros, relata la sorprendente historia de Alberto, un joven residente en Yonkers de ascendencia dominicana, quien lideró una operación criminal a gran escala en Nueva York. Tras sumergirse en los foros del internet profundo, Alberto descubrió el mundo del cash-out, donde individuos aprovechan datos de tarjetas de crédito robadas para retirar dinero en efectivo a través de cajeros automáticos. El relato explora cómo Alberto, movido por la ambición, reclutó a un grupo de amigos y conocidos para ejecutar dos audaces atracos bancarios en 2012 y 2013. A través de tarjetas de débito manipuladas con límites de retiro prácticamente ilimitados, el grupo logró extraer millones de dólares de múltiples cajeros por toda la ciudad de Nueva York en tiempo récord. El episodio detalla la logística, la adrenalina y la meticulosa planificación que estos jóvenes llevaron a cabo para evadir sospechas mientras cargaban mochilas llenas de efectivo. Esta crónica analiza no solo el aspecto técnico del fraude, sino también la psicología detrás de estos hustlers, revelando cómo el deseo de una vida mejor los llevó a protagonizar uno de los robos bancarios más grandes en la historia de la ciudad.

172: SuperBox

Apr 7, 20261h 27mSummary

In this episode of Darknet Diaries, host Jack Rhysider explores the unsettling reality of malicious hardware hidden in plain sight. The discussion centers on the SuperBox, a seemingly innocuous device marketed as a premium streaming box capable of providing thousands of movies and live TV channels for a one-time fee. Through the investigation of a cybersecurity researcher known as Deadass, the episode reveals how these devices—widely available on major e-commerce platforms—are actually dangerous, backdoored hardware. The investigation uncovers that the SuperBox functions as a sophisticated, internet-connected botnet node. By analyzing network traffic, the researcher discovered the box performing aggressive ARP scans and internal network reconnaissance, essentially acting as a bridge for malicious actors to pivot into corporate or private networks from within the home. Furthermore, the device uses outdated, unpatched Android software and contains remote management tools, allowing unauthorized external access. Because these boxes are frequently purchased for residential use, they represent a significant, overlooked entry point for intelligence gathering and potential large-scale cyberattacks. The episode highlights the alarming ease with which these devices infiltrate suburban households and the complex, ongoing efforts required to track their reach.

170: Phrack

Feb 3, 202648 min

169: MoD

Jan 20, 20261h 9m

168: LoD

Jan 6, 20261h 20m

167: Threatlocker

Dec 23, 202549 min

166: Maxie

Dec 2, 20251h 4m

165: Tanya

Nov 4, 202551 min

All podcast names and trademarks are the property of their respective owners. Podcasts listed on Podtastic are publicly available shows distributed via RSS. Podtastic does not endorse nor is endorsed by any podcast or podcast creator listed in this directory.