DA
Darknet Diaries
Jack Rhysider
Trial Testimony and Final Sentencing
From 175: Bayrob — Jun 2, 2026
175: Bayrob — Jun 2, 2026 — starts at 0:00
Hey, it's Jack, host of the show. What a fun show this has been to make over the years. I am having such a blast doing this. And I think this episode is one that sent me on an adventure that I'll never forget. It's a big and wild story, so let's not waste any time . These are true stories from the dark side of the internet . I'm Jack Resider . This is Darknet Diaries . This episode is sponsored by Threat Locker. The weird part about modern cyber attacks is how normal they look. The attacker logs in from Chrome, uses PowerShell, runs a remote admin tool your IT team already trusts. There's no custom malware, no dramatic movie hacker moment, just normal tools used in the wrong way . That's part of why ThreatLocker exists. Threatlocker helps organizations control what software can run, what it can do, and how systems communicate. If attackers get credentials or land on a machine, they'll have a much harder time moving through the environment. Because security teams are realizing something important. The problem isn't always unknown software anymore. Sometimes it's trusted software, being used by the wrong person. If you want to see how ThreatLocker works, go to threatlocker.com slash darknet and book a demo today. That's threatlocker.com slash darknet to book a demo . Meet Liam. Yeah, I'm Lima Mar ku. I work with Semantic and I've been there since 2004 and I work in the security response department and analyze malware. I've seen you before. Have you been on TV? I have been on TV. So I was part of the team at Semantic that analyzed uh Stuxnet, the virus that was infecting uh equipment at uranium enrichment plants in Natance in Iran. Yeah, you were the one of the early ones to to explain this is what this is what was discovered. That's right. We we were we were the team that uh discovered what Stuxnet did, what the payload was, how it worked, how it had spread, who it was targeting. Um yeah. And then because of that, uh I was in a documentary that was shortlists for an Oscar in 2016, uh called Zero Days, and by Academy Award winning uh director Alex Gibney . Um so if you you want to know uh what I do uh in my job, you can see it all there. And then also Kim Zetter wrote a book about it as well and uh that whole story and my work and my team's work was featured in that book as well. Yeah, Stuxnet was a huge deal, which really revealed the length that NSA will go to create malware. And I covered Stuxnet in episode 29, if you're interested, and I actually interviewed Kim Zetter for that one. And so after that, Liam continued to investigate threats. I think he has the most fun investigating novel threats, that is, threats that the world has never seen before or figured out yet. And so one day, a new piece of malware showed up on Liam's desk. Yeah, so our customers at Symantec, uh, they'll get malware on their machines and then they'll send it to us for analysis. So I got this file that I wanted to analyze for this customer, and when I started looking at it, it's something felt off about it compared to the other malware that we would look at regularly. It just it wasn't running the mill. There was something different about it. There's a lot to do when analyzing new malware, but first you need to collect a sample of it. And Liam didn't have a complete sample yet And I understood that they were trying to defraud customers of eBay. So I decided to name it I couldn't use eBay as a trade name, so I decided to call it Bay Rob because they were robbing customers of eBay. And what the malware was doing was it was sitting on your computer and, when you tried to connect to the eBay website, it would intercept your connection and it would inject false information into your browsing session. And it made it look like the false information was actually coming from the eBay He wrote up a little thing and published what he knew about this malware, but he still didn't qu haveite all the pieces for it yet, and he really wanted to know more about it. The sample he got wasn't quite enough for him to fully infect a machine, to watch this malware, like it seemed to be infected, but it would never actually do anything on his machine. So he went on a hunt to learn more and had to think like a victim. How do victims get hit with this? How is it delivered? How do you get infected? And he learned where the watering holes were that people were going to get infected with this, specifically through phishing emails and Craigslist posts. I kept searching to see if I could find that missing piece and I just kept on looking through our telemetry and looking to see where I might find this. And I knew there was some places where this was probably going to be distributed. So I was looking in those places, like on Craigslist, for example, in email, looking to see if I could find any places where I could find a complete package that would help me to analyze it from beginning to end and understand exactly what the attackers were doing, how they were making money, where they were sending the money, the the entire thing. I wanted to know it all. And it turns out that the reason I couldn't solve the entire problem was because the attackers were geofencing their fraud so that it could only happen in America and only happen in certain locations within America. And I was in Ireland at the time, I was based in Ireland. So when I tried to connect to these auctions, because they were posting these fraudulent auctions, because I wasn't in America, I wasn't authorized to see this fraudulent data. That's already impressive to me that this malware only worked for Americans. If anyone else in the world would be infected by it, they're basically immune to it. Wild. So since he couldn't get scammed by these fraudulent eBay auctions, he tried to find someone who had been scammed by them. And he did find someone who lost thousands of dollars after trying to buy a car on eBay. And I managed to discover who that victim was. I reached out to that victim and she had actually signed up for an auction after she had been uh He was able to get the malware off her machine and analyze it, and he discovered how it works and what it does, how the infection happens and how the criminals use it to steal money, but he wanted to see it in action still, so he got a plan. I posed as her, I recorded my entire session, and I went online and I bought this car. And as part of the uh fraudulent information that they were injecting into the eBay website, they injected a chat window where you could chat about this fraudulent auction. And when you chatted you thought you were talking to eBay support, but you're actually talking to these attackers. So I recorded this entire thing. I went then I bought a car. I talked to the attackers tried to engage them as much as possible to see if their English was good and tried to talk about different hours of the day to see when they might be awake and not. And I recorded this entire thing and ended up being successful buying this car and going all the way through with the transaction to the point where they send me information about a money mule where I was meant to send my money. And that was where I stopped. I didn't actually go through and send any money. But at that point I had victim information, I knew exactly how the threat worked, I knew exactly how much money they were making, and I understood how the whole thing worked. And more importantly I had a video of exactly how it would work from beginning to end. And what I did was I published that a blog saying, here's the threat, here's how it works, here's how you can protect yourself, here's what it looks like, here's a video of me buying a car, here's a video of me talking to the attackers, and publish that. Liam's blog post was well received. People liked it and shared it. A lot of people read it. And after posting it, Liam kind of moved on to other things. He felt like he pretty much got to the bottom of this. Like he created signatures for how people can detect this and what command and control servers it uses. This was enough information for companies to create antivirus rules and block these servers. And that should have been it for Liam researching this Bay Rob malware. But the Bay Rob malware started changing after that. So they would name their command and control servers various different things. They picked random uh names for the URLs of their command and control servers, but then they started putting my name in there um so they had uh domain names like uh gayasoleem.com uh tinycockleem.com lean the mule.com uh thank you, Lean.com ye,ah a, variety of different vari ations of that over the years. And then also because there was a little encrypted section underneath that, they could also leave a message in the malware that they knew only I would see or someone who was analyzing the malware O'C. And then they left messages in there like semantic does group masturbation was one of them. So just over years they would leave these messages in there for me. And of course when I saw that that made me more um intereste d in understanding what was going on. My favorite message they left for him in the malware was semantic team is a big hen coop chicken smart . Hen coop chicken smart, what does that mean ? And all this mocking and taunting actually made Liam want to look more into this Bay Rob malware. His name in the malware is what drew him back into this. So he got a computer and set it up in the lab and got infected with a fresh copy of the malware and went to analyze it further. Now, because he worked at Symance Tech, this gave him access to some pretty powerful malware analysis tools. So he ran this through there. I was able to see where they were connecting, where they were hosting, um where they uh how they were routing their traffic, um, how we could get become part of that routing, how we could see some of their messages, how we could infiltrate, how they communicated, and that was super, super important in understanding the entire attack. The way this malware routes across the planet is fascinating to me. The way they were protecting their identity was they were routing their traffic through infected machines. So that if someone like me or law enforcement tried to trace them to their original location, it would be very difficult to do that because they would jump through multiple infected machines in multiple countries. So if you saw their first IP address and you tracked that down, you would get a victim. And even if you monitored that victim machine, you would get another victim in another country and to go and trace it all the way back to their home machine would be very very difficult. So it was a really smart way for them to hide their hide their traces. Clever, right? So the attackers would never directly connect to their command and control server. or their victims Heck, they wouldn't even talk amongst each other directly. Instead, they would always use at least three hops through their infected victims to communicate with anything, even just Googling things. And if they wanted to connect to a victim, they'd go three hops to their command and control server and then three hops to the victim. This made it incredibly difficult to trace even just what country the Bay Rob gang is located in. And at the time there were over 6,000 computers infected by this Bay Rob malware, and any of them could be part of this proxy chain. And that gave Liam an idea. If they're using the infected computers to connect through, then does that mean the infected computer Liam has in his lab has a 1 in 6,000 chance of seeing a connection from these attackers? Maybe. So he gets this infected computer back online, puts some packet captures on it, and waits a long time . Like over a month. And he never saw anything. It all started off under my desk, actually, in the office. I had my little test machine under my desk and I I set it up there and I ran the malware and I was very And then I started to realize oh there's an algorithm that they're using to decide which machine to connect to. Yeah, get this. After Liam had his infected machine online for a month, listening for connections from these criminals, he noticed the malware suddenly changed after a month of being online. More code was added to it. And this code had all the details for how the proxy chain worked. So to begin with, a machine had to be infected for 30 days before it even received the proxy chain code at all. And so he analyzed this proxy chain code and he saw that not all infected machines have the same weight for being used by the hackers to hop around. So then I understood that it was if you had a higher bandwidth, you had a better chance of being used. If you were in different geographies, you had a better chance of being used. So it went from underneath my desk to a server in the west coast of uh US, then to a server in the east coast of uh the US. This time with a beef year server with higher bandwidth. And now this gave him a one in four hundred chance that these attackers might connect through his machine. But still, after sitting there listening for any proxy traffic coming through, nothing . He looked at this proxy chain code again, and he learned that before they would use a computer in the proxy chain, they would take a screenshot of that computer and look at it to see if this looked like a normal person's computer. Because if it looked like a threat researcher like Liam's computer or a cop, they might notice something off and not connect to that machine. These hackers would vet every single computer before using it in that proxy chain. Holy cow. So Liam had to make sure his computer in his lab looked like someone's home comp uter. But on top of that, Liam also discovered that if the infected computer was in Romania, it would be given priority in the proxy chain. Basically it had a higher chance of being chosen for their first hop , which might also be a clue as to where these guys are from. So we rented a computer in Romania, infected it with this malware, beefed it up with a fast internet connection, made it look like a regular user's computer, and waited 30 days for the proxy chain code to come on, and then waited some more. This time he thought he had a 1 in 40 chance of them connecting to his machine now. And eventually they would connect to my machine as their first machine in the chain, which meant I got their home or what I thought was their like home IP address. So I was getting these addresses in in Romania in Bucharest and in a town called Brashov. And every now and again they would slip up and you would see that that's exactly where they were coming from. So by using those proxies, not only was I able to see where they were coming from originally, but also I got to see like an absolute treasure trove of information that they sent across that network because they felt they were protected. So we would see first of all they would see them setting up their campaigns. So I would see them transferring all the files that they needed to run their fraud. I could see them Google searching for for images or for text that they were going to use. I could see them setting up email campaigns. Wow, what an amazing insight he had to these attackers. These guys were using this proxy network for everything. Every time they'd check email or move money, or yeah, even searching Google, they were unknowingly routing their traffic through Liam's computer. Or at least sometimes it would be chosen to go through Liam's computer, and he was capturing it all. But just because Liam was in the connection path capturing this data, the data was unreadable. And that's because these guys were encrypting everything. All communications to the command and control server was encrypted. All communications between the different attackers was encrypted. He could tell these guys were talking over Jabber, but couldn't see any of the messages since they were using OTR off the record, which does end-to-end encryption on all Jabber chats. So most of the time, Liam had nothing but encrypted gibberish, but only every now and then that he'd see a small blip where something wasn't quite encrypted all the way, or metadata about a connection would tell him what they were doing right now . And by this point, Liam had been investigating and tracking this malware for years and has a way deeper understanding of who's behind this compared to his first blog post. I was analyzing the malware and I knew where they were connecting and I could see where they were connecting all over the world. And I was like, I can't do anything about this, but I know law enforcement could go and they could get these servers and these computers and these addresses and they could actually take action on them. So we went searching for law enforcement who would work with us on this case, and we had a long list of all of the uh things that the attackers were doing. And that was how we ended up contacting the FBI. But as it turned out, the FBI was already on this. Hi, I am uh Stacey Whittaker. I am now a retired FBI agent. Um, in 2007, I was a pretty new FBI agent, had only been in for a year, and was still learning kind of my job. But yes, so I had been contacted very early on by one of the initial victims of the Bay Rob group. She had reached out, I was working in the Cleveland division at the time, and so she reached out to the Cleveland FBI office to report that she had been victimized on eBay. And so I had simply answered her phone call when she called the office and talked to her about what had happened to her, and she explained to me that she had tried to purchase this vehicle on eBay and that she had supposedly won the auction, she had paid for the vehicle approximately $8,600 , and then she never received the car. It was supposed to be transported to her and she never received it. And on the initial phone call, that was, that was pretty much all that she knew. Um, and so I had asked her, as we typically do in the FBI, to report this information to IC3 is uh IC3.gov is a website that we use to collect information from victims of all different types of crime related to the internet primarily. And so she did. She re she went to IC3 and she reported it. And at the time I thought that was the end of that conversation. Because of course, for $8,600, the FBI typically is not going to open a case. Um, but she actually called me back about two or three days later and told me that it was explaining to me that she had figured out on her own that her computer was infected with a virus and it was related to this eBay fraud. And it took a little bit of convincing to convince me that she actually was correct. She sent me Liam's report on Bay Rub. And so I read that was the first time I had read his report about this virus. And so basically I had decided to go out and meet with her. I took a computer forensic examiner from our office with me so that we could look at her computer. We could verify that she was in fact, infected on her computer with this virus, which we did. And so because of that, because she was infected with malware, we were then able to open investigation, even though it was such a small amount of money that we are talking about. And it was around here in 2007 is when Liam got in contact with FBI special agent Stacy to tell her all about what he learned. But even with all that information, the FBI didn't make any progress on this case. In fact, for the first five years of this case being opened, very little happened with the FBI. It was uh very slow and very frustrating. Very slow and frustrating. Um so one thing I would say about I think this case is is a very good example of the evolution of the FBI um in many ways as well. So in the beginning in two thousand and seven, that was a time when we in the FBI we didn't work hand in hand with private sector right so even though I ended up talking with Liam in 2007 we shared some information a little bit but then we kind of went our separate ways we didn't talk again until 2012 because that was kind of the way that we did things at that time in the FBI. We didn't share information too much with the private sector. We would, you know, do subpoenas, we would do search warrants, and we would gather information, but we didn't necessarily work hand in hand like we do today . Also, at that time, we didn't necessarily work very many investigations that touched overseas either. So, again, I was a new agent in the FBI and I opened this investigation and pretty quickly was able to determine that all the money was going overseas. I was tracking the money, was figuring out where it was getting picked up in different countries in Europe . And when I figured that out and I was talking with the other agents on my squad, their reaction was basically, oh, you need to close that case. Um again, this is in 2007, and we just didn't um have as much visibility and as much partnership with other countries as we do today. And so I refused to close the case and kept working it and kept collecting information, even though I was very limited in what I could do, I was talking with the, I mean, we did have an FBI office in Bucharest in Romania. And so I was sending information to our FBI office over there to try to initially it was simply sending them information on the money mules that were picking up the money. So I was able to track the money being sent via Western Union. And initially it was getting picked up in Greece, and then it was in Hungary, and then it was Romania, it was several different countries in Europe where money was getting picked up. So I didn't necessarily know at first that it was Romania. But most of the money mules were using Rom anian IDs when they would pick up the money. So for five years, all I'm really able to collect for the most part is victim information, right? I'm I'm creating the spreadsheet of all these different victims that I've identified. I'm identifying money mule accounts or IDs and money transactions and I'm collecting all of that information. Now even though Stacy was new at the FBI, she was pretty sharp, especially with computers, since she was a computer programmer in the Air Force before this, and was really intrigued by this case. Probably more intrigued than anyone else at the time. But she knew if she was gonna solve this, she was gonna need more help on the investigation. I bring in CSIPs eventually to help on the legal side. And then I end up talking with Liam again in 2012, who connects us with Owen. And at this point, I'm figuring out that this is a very sophisticated group that we're dealing with obviously and especially from all the work that Liam had already done. I knew, you know, although I was on the cyber squad in Cleveland, I didn't have a super techie background. Um certainly a little bit but nowhere near as much as Ryan so I definitely needed some help on that side of things and so I asked Ryan to work on this case with me. Yeah so my name's Ryan McFarlane. I' them IR practice lead at Trusted Tech, but at the time I was a cyber agent. I was coming from DC, where I spent two years at our National Cyber Investigative Joint Task Force working whole of government counteroperations against China and was transferring back to Cleveland and got to Cleveland and the first thing I ended up getting asked to do was to work with Stacy on this case. So Stacy starts bringing special agent Ryan up to speed on this case. You know, I land in Cleveland and uh start working this case with Stacy and I spent the first, you know, six months to a year just going after all the infrastructure that these uh actors were using. And working with the U.S. Attorney's Office in Cleveland and C CIPS to get legal process and a ton of technical coverage on the Bay Route group. Of course, one thing the FBI is good at is following the money. They learn that these criminals use money mules a lot. So when the criminals would trick a victim into sending them thousands of dollars like through an eBay auction or something, the victim didn't actually send that money directly to the criminals. Instead, the criminals hired someone else to collect that money, keep a portion of it, and then forward the rest to someone else. And then they would forward that money again to someone else and eventually it would be forwarded all the way to the criminals or turned into cryptocurrency and then given to the criminals. And they would get these money mules by putting ads on Facebook or Craigslist, advertising a legit job, like a work from home type of thing. And then they trick the money mule and lie to them about why they're accepting this money and where they're sending it and what's happening. And the strange thing here is that even though the money mule is tricked into thinking they're doing some legit work, being a money mule is actually illegal. And these people could get arrested for this. We're now more than five years into this investigation, and the FBI started bringing even more people into this case. I'm Brian Levine. At the time I was a cybercrime prosecutor uh at the Computer Crime and Intellectual Property section in Washington, D.C. That's under the Department of Justice. Yes, it's part of the Department of Justice. I was also a national coordinator for all the computer hacking and IP prosecutors around the country, one of whom was Duncan Brown, who was in an AUSA, Assistant U.S. Attorney in the N orthern District of Ohio , and was brought in by Duncan and Stacy to help on the case. Stacy and Ryan looked over the case more. They got a lot of information from Liam at Symantec, who discovered all this stuff about the way that proxy chains work and how he's infiltrated the chain and even captured some interesting things. And also Liam suggested they talk with Owen. So they called Owen up. I worked on uh AOL's cert team from 2011 to 2016. I received a report of abuse uh on my network um from a specific IP at a specific time and was told it was related to potential bay rob activ ity. I went ahead and started taking a look at that and started pivoting around. We were able to connect uh specific domains that they were using and accessing with various accounts, uh various AOL accounts uh that were being used in order to tunnel traffic through us. Uh AOL allowed anyone to sign up for a free account and then tunnel network traffic through our dial-up IP allocation space. So we were basically like a very large free open proxy service. And we're also a free email provider. And uh basically we built a full packet capture indexing system. At the time was called Moloch and is now called Archemy. We had deployed at ISP level. And so us and others as well that offer those same types of services were heavily being leveraged by this group in order to create new accounts, chat with people, all of that good stuff. Um and so we just started digging around and seeing when they would connect in, where they would connect from, uh start going through all of the network traffic that they had presented to us. So Owen from AOL was now feeding the FBI bits and pieces of things that he was seeing. And at the same time, Liam was still listening to the traffic going over the proxy chains. And every now and then he sees them connect to the proxy chain as their first hop, which likely meant the criminals are connecting to this from their home. So he would call the FBI and say, look, I have a strong suspicion that these are the IP addresses of the criminals, and they're in Romania . And so the FBI would contact the Romanian police and ask them, could you find out whose IP this is and go see if those are our guys? And the Romanian National Police were great, and they would go and they'd come back and they'd say, you know, we just talked to a really nice school teacher and we were sending the Romanian national police all over Romania. And they were just, you know, the the more doors they knocked on, the more we realized something was going on that we just didn't understand. What? So even though they're using six or seven hops through this proxy chain before doing anything malicious, that still wasn't good enough to hide their tracks. These attackers were doing something even before going into the chain to hide their tracks even more. Like for a while their connections were all coming from like a school teacher's home in Romania and then into the proxy chain or it would come from some other house in Romania. And never for a long period of time. Their home base seemed to move all over the city. These guys were really good. It was really challenging at this point because, at least at that time, the Department of Justice was very careful about the leg legal process that it issued. Um, and we had to justify what we were doing, which was very challenging because we would often get back what we would describe as nothing because everything was encrypted, and you know, I would have to go and make an explanation as to why this was beneficial to keep doing this kind of uh legal process. And they would say, look, you're getting nothing. Why do you want why are you wasting your time continuing this process? And what we realized was these guys were so sophisticated that you just had to get all information you could all the time for as long as you could because you didn't know what was going to end up being helpful in the end. It was all about breadcrumbs. The FBI continued to collect all the data they could. They had Liam feeding them data that was captured at Symantec. They had Owen feeding them what he saw at AOL, and they were interviewing victims and money mules and logging as many chats as they could. I think they did a controlled buy and tried to talk with these hackers as much as they could. But much of this resulted in nothing since it was all encrypted and obfuscated and wrapped in so many layers. We were doing all of those things. We were collecting information from Romania. We were collecting it from Liam. I think one of the biggest breakthroughs came from Owen at AOL. So I'll let him yeah talk about that. Yeah, sure. So um one of the members of the group uh was typing in his email address to log in on like uh gmx.de or one-on-one internet. Uh they did not use SSL at the time for the login form. So when he typed in his email address, he typed in his personal email address and then went, oops, and then logged in with his with his, you know, quote unquote work email address. And so we have the same IP address at the same within like you know, 10 seconds, like typing in someone's email address and then this actor's three email address. Oh wow, what a tiny slip-up. In the year that Owen was monitoring this crew, this is the only time they slipped up like this. That's such persistence on the investigators. But also such discipline on the attackers. The attacker accidentally typed the wrong email address, and even though the login failed for that email, it was a curious enough clue for Owen to look further into it. The email address was rad us pr at gmx.de . So was there anything to find for this Radu SPR name. And at the time, you know, Facebook was pretty easy for looking people up based on email address and just, here you go. Here he is. And then, oh, all right, pivot around. All right. Oh, they had YouTube channels, lots of skydiving. I think it was like TNT Brothers or something like that. Bunch of posts on like various forums for like off-road vehicles and stuff in Romania and everything else. And it was just like, you know, pictures, everything you could want. And it's like, I don't know who anyone else is, but I'm pretty sure this is who this is . So we sent them AOL a search warrant for all of this data and you know they said all right, this is a lot of information, come on in and let's explain it to you as we give you that information. So we came in. I remember it was Stacy and Brian and it was unbelievable. Brian, the DOJ prosecutor for this case was thrilled. So what we started doing at that point was we had to use legal process. We we did hundreds or thousands of different legal processes in this engagement, both domestically and abroad. And so once we had a sense of who one of these actors was, we had more information that we could provide to Romania. Um we did that through a mutual legal assistance treaty request, shortened as an MLAT, and uh they started going up and doing whatever they did in Romania to try and get us helpful information pursuant to this legal process. One thing we found was the existing process of MLATs back and forth was too slow for this c ase because the criminals kept changing their infrastructure. So we had to work with our Office of International Affairs to create a faster process or a abbreviated version of the MLAP process. What they were doing is actually moving locations, right? They were moving well, we didn't know what they were doing. We just kept getting different IP addresses and different information. So what we discovered through Romania's response to our MLAT requests was that there were three people that were communicating with each other, one of which was the person that Ian had identified with encrypted communications. And we could not get through those encrypted communications, and Romania could not as well . We could see that in their home, on their non-criminal machines where they weren't encrypting all their traffic, they were going to cryptocurrency websites and specific ones that we knew this group was focused on, but that wasn't really strong evidence. It wasn't enough to indict them or extradite them or anything else. It just made us think we had the right people . But for quite a bit of time at that point, we're like, all right, we we think we know who the three people are, but we just don't, because they're encrypting everything, we don't really have enough evidence to extradite them or to indict them. So at this point, we're going on year seven or eight of this FBI investigation. Right around this time, uh you know, we're in pursuit mode, right? So we're trying to get as much visibility into their infrastructure. And around this time, we get a data intercept on their systems that are controlling all their malware. So they had a multi-layer command and control infrastructure where all the malware was reporting up to the first layer and then that layer was forwarding on to a couple of servers that were hosted in different pla ces. And we were able to, as a team, figure out where those servers were located. So we went with legal process, we we got a data intercept on a couple of these top-level command and control servers , and we were able to see the communications for all the botnet , which meant that we got to see when they updated their malware , what some of their campaigns looked like, how they were loading additional plugins. So at this time this group had a number of different lines of business. They were treating all these infected systems, and it was about 400,000 of these systems at the time , as a commodity, right? And every computer could do a bunch of different functions. We saw them instructing these computers to join mining pools and mine cryptocurrency for them. They could be used as proxies and some of those proxies were sold on alphabet to other you know cyber criminals out there. They were doing some ad fraud. Uh they were mining those systems for credit card information, which they they then sold uh on Alpha Bay as well, so they were Alpha Bay vendors. They were replacing your internet browser with a custom version of their own internet browser. And everything that was done over that internet browser was uploaded to a couple of servers in North Carolina. And then we'd actually see them go and mine through all that data. So if they needed, you know, Bank of America accounts Whoa, so while the FBI is ramping up their efforts, the criminals were also ramping up their sophistication and streams of revenue. This has grown quite significantly from its meager eBay fraud with 6,000 infected nodes to now a worldwide plague of hundreds of thousands of computers infected, stealing everything they could and selling everything that they thought was valuable. They were making millions of dollars now, and the FBI really wanted to stop them at this point. But these guys were good. Like really good. They had a sophisticated proxy network. They used PGP for all their emails. They used end-to-end encrypted jabber chats when they're communicating to each other and encrypted everything that they were sending them back and forth between them and the command and control server. The FBI couldn't even follow the money since it used a whole vast network of money mules that would scour the world. And on top of that, they were somehow constantly moving around in Romania, changing IP addresses all the time, so the Romanian police couldn't find them either. We're gonna take a quick ad break here, but stay with us because the FBI is not giving up . This episode is sponsored by ChainGuard. $50 in tokens. That's how much it took for an AI to autonomously find, confirm, and exploit a remote crash bug that has been sitting in OpenBSD for 27 years. That's the work of Mythos, the AI model anthropic unveiled earlier this month. This is the security team's new reality. Attackers are using AI to weaponize code faster than any team can review it. Your scanners can tell you something went wrong, but by then it's already too late. You can't patch your way out of a broken trust model. ChainGuard solves this at the source. ChainGuard's libraries and container images are built from source, verified all the way down, and carry near zero CVEs. If something goes in, they can prove where it came from. And right now they're offering Chain Guard libraries and actions free until the end of the month, zero malware on all the libraries you and your AI agents use. The next attack is already being written. Go to ChainGuard.dev to get ahead of it and to build safely with trusted open source. That's chainguard.dev Liam over at Symantec kept watch over what was happening on the wires. And at one point, he saw a scam happening in progress. I I reached out to some people who are about to become victims because I was able to see their information as the auction was in progress and I saw their telephone number and I called them and I said, you are being victimized. I'm calling you, I'm not trying to sell you anything. I'm telling you now you're about to get scammed because of this auction. And they wouldn't believe me. They would they would think I was trying to scam them, and then they would go ahead and I would see that they had continued and they'd bought the fraudulent car even though I'd actually warned them. I'm sure you've heard the phrase that in cybersecurity, the defenders have to be right all the time, but hackers only need to be right once to get in. But in this scenario, the hackers were It's it is it is very interesting that uh what we were doing was we were waiting for their one slip up we were getting mountains and mountains of data and we knew that they were protecting themselves, but they couldn't be right all the time. It's so so difficult to be right all the time and to have fail safes everywhere. And eventually they didn't make those like tiny, tiny slip-ups. It was like, you know, you know, one ten second period out of three years of monitoring data that, you know, broke the case. So it was yeah, it was incredible. And that's what Brian was referring to earlier when he was talking about, you know, we're doing all this legal process and we're at that time getting some pushback on why are you continuing to capture all this data? It's because yeah, it's all encrypted and we're not getting a lot out of it, but we have to continue capturing it, watching for those those one little m mishaps where they make a mistake. That's the only time we can get information that is gonna reveal to us who these people are. And at the time we had uh the largest data intercept in the bureau because of all this case. For this case, because it was all going through all the command and control traffic was going through these servers and we had to keep re-upping because we were getting little snippets here and there. Occasionally we'd catch them emailing a new email account that we hadn't seen before and that turned out to be one of their money mules. And their OPSEC wasn't nearly as good as these guys' OPSEC. So we were able to start to pull that thread back and work different angles. Uh we had to go brief the Deputy Attorney General during this case because we had done a T3 and and Department of Justice doesn't you know that's such a a you know a a big a legal you know uh process that uh they don't like to use it especially for long duration so we had to justify that we're seeing all this encrypted traffic we are seeing mistakes occasionally but, we had to basically go talk to the the DAG and say, hey, this is why we need to do this. The reason we had to talk to the DAG, if I remember correctly, was this was the first time in the history of the Department of Justice that we did a wiretap on a server. Previously, you know, wiretaps were invented because of phones. You would listen to the mafia talk to each other, you'd listen to the narcos talk to each other. And they're like, wait, this is a computer. Why would you even do a wiretap ? And maybe and and there were arguments that we didn't even have to, but we wanted to have belt and suspenders. We didn't want to make any mistakes here. And because we were getting contemporaneous electronic traffic through the server, we wanted to have a wiretap, but this confused a lot of people in the Department of Justice who didn't quite get it. Well, these guys were really taking this case seriously. They had a T3 wiretap on the command and control server, which happened to be in North Carolina. T3 is short for Title III, which is where they have to get authorization from an attorney general who grants them approval to the data intercept. In this case, the hosting provider for the server was shown the T3 and was able to put a tap in and give the FBI full captures of everything going in and out of that command and control server. But that still didn't help because it was all encrypted, and these title IIIs expire after 30 days, so they had to keep renewing it again and again and convince the Attorney General that they still need to keep it active in hopes that someday they'll see something that will give them the smoking evidence to arrest these guys. But month after month they were not finding anything important. We also had a tit uh title three on one of the main email accounts as well. So we were watching the email coming through too, and even though it was encrypted, the body of the email was encrypted, but the email title, the me email headers was not. So we would get the title of the email and that was the only information that we would see. It was just the title. You said that you know normally the bad guy uh only has to be right once and that was sort of flipped around. Um, but that's potentially to identify them. Remember that when in order for us to indict them, extradite them, and then if they want to go to trial, which these cyber criminals almost always do, uh we had to be able to prove guilt beyond a reasonable doubt. And these cases are a lot harder to do that with than with a standard case because you got to remember you're dealing with a jury. So ultimately, it's not like you're gonna be able to go to trial on one mistake. You're gonna have to build a body of evidence. So they were using um an email service that we were able to gather um information from as well. And so we literally had over sixteen thousand emails that we had to sit and review, every single one, pulling out victim information, pulling out money mule information, and information on money transactions, and gathering all of that data together too to be used later on down the road in trial. Most of their emails were PGP encrypted, right? And Ryan explained to me, because I I believe the FBI can do anything if they want to. So Ryan explained to me the PGP stands for pretty good. Pretty good privacy. Pretty good privacy. And so I said, Ryan, it's only pretty good. Could you get through that encryption? And Ryan said, no, you're you're not putting the right emphasis. It's pretty good privacy. That's how should be interpreting that. And then I also told Brian that I'm only moderately good . At some point, Liam found something incredible. He was continually capturing all the data through his node that he sneakily set up in their proxy chain, and they were using Jabber to send messages between each other. And they had enabled OTR, which is end-to-end encryption on their Jabber chats. So all Liam could see was that someone was saying something over that port, but he couldn't see what they were saying. So Jabber is encrypted and there are different settings that you can use and by default the setting for attachments is not, it doesn't default to encryption. So your text, all the messages that you sent are encrypted, but attachments are not encrypted. And that was the mistake that they made. They were talking to each other and we couldn't see what it was that they were talking about. But if they sent an attachment like an Excel spreadsheet with all of their accounting in it or a a picture of their desktop, that was not encrypted and we could extract that from the network and we could see what it was. Yeah that being said, the majority of the attachments they sent were encrypted. They just occasionally, you know, they're they're human too. Forget to f forget to encrypt something or there's a you know something something doesn't work right. Whoa, this is something I did not know. That if you take the extra steps to add OTR to Jabber in order to encrypt all your messages, it still doesn't encrypt attachments, and that's a whole separate process to enable, and apparently it's extra tricky to do. And it's interesting because these guys were clearly making every effort they could to stay hidden and they still couldn't reliably keep their stuff encrypted. So many places for your data to leak. And so one day Liam saw an attachment which wasn't encrypted and it was a gold mine for this case. We got to see them transferring spreadsheets, talking about all of the transactions, how much money they were making, who were the victims, what were the credit card numbers of the victims, what were the home addresses of the victims, what money meals they were using, the identity of all their money meals. This was huge because it listed each of the members of this group and how much money they each made. Here's what it said. Member, M F got 25%. Member, Lynx got twenty-five percent. Min got to take ten percent. Amy took twenty-five percent, and Raoul got fifteen percent. This essentially showed how many members were involved and their abbreviated nicknames. They even took extra steps to obscure their hacker names. Like later they would find out that Amy stood for a mighty SA. And by this point, the FBI also stood up an infected machine in their office to watch some of this traffic too. And it's remarkable to think that these criminals were feeling clever and thinking they were super sneaky and laying low. While in reality, a lot of their traffic was being routed right through the FBI's office . But that wasn't all Liam captured. He saw another attachment sent over Jabber. A picture of their desktop that they had transferred between each other, two members had transferred between each other, and they were trying to figure out why something wasn't working with their camp their malicious campaign. So one of the Bayrod members had taken a screenshot and had transferred it to another one, but they had actually gone through my proxy machine at that time, so I could see this. They were using encrypted chat actually, so I couldn't see the chat, but because the pictures that they sent in the chat were not encrypted, I got this rare opportunity to see this image get transferred across, just like flash across my network and when we decoded it we saw that it was the attacker's desktop and he was inside a VM machine and then he had his control panel his attacker's control panel on the desktop and, he had a Facebook campaign that they were using to try and find victims on the desktop, and he was running that campaign through a hacked account, so he had the hacked account information there as well, and we could see um how many machines they had infected and we could basically see the entire attack, uh the entire fraud campaign from beginning to end, right in that one screenshot. And it was just it was it was just it was just a total The screenshot is incredible for this case. You can see this guy's desktop. You can see he's logged into a victim's Facebook page. You can see he's posted an ad, work from home to try to And you could see the command and control server in the background. You could see he has chats open with somebody called Master Fraud, which is interesting because MF was one of the people getting 25% of the cut. So now they start linking MF must be master fraud. And they could also see he's encrypted his computer with TrueCrypt since that was a process running in the background, which might be helpful later. The challenge that we had was there's all this encrypted traffic. We think we have the three guys, but we can't get any substantive evidence connecting any one of them specifically other than the first mistake to uh the scheme. And that 's when we found out that one of the other two had decided to travel to Miami, to the United States. And this could only be because after 10 years of committing this scheme and nobody knocking on their doors, they felt like they were pretty secure at this point. They had really amazing OPSEC, as Ryan mentioned. And this particular guy, who whose name was Tebayu Din et, um had competed in international programming competitions, and had even had an internship at Google in the U.S. before he switched over to crime. So he had friends in the U.S. and was we got advanced intelligence was gonna come to Well, we that was our initial thought, but we knew if we arrested him well, first of all, we didn't have enough evidence yet. But even if we uh got that evidence while he was there, if we arrested him , we thought the other two would flee and we'd never see him again. They would go to Russia or somewhere else where we couldn't get them. And when he was coming into the country, we actually had no technical information tying any one of these individuals to the Bay Rob infrastructure. The Romanian National Police had very similar data intercepts upon their homes, and guess what they weren't seeing any connection to the Bayrob infrastructure. They weren't talking to the servers, they weren't talking to the proxies, they weren't talking to Tor off of their their home internet conne So their home ISP was clean. Completely clean. Right. So I like to refer to what Brian's talking about when this guy comes to Miami as Christmas in May. We were so excited for this to happen. We only had, I think about maybe a 10-day lead that he was coming to the United States and we had to put together an operation to gather as much information on him as we possibly could when he was here and we had ten days to prepare to do that. So we decided to get a search warrant. We didn't need a search warrant technically because there's a border exception. What we wanted to do is when he came across the border, we wanted to search all his digital devices. And we were hoping he'd have a lot of digital devices on him and that this would break the case. But the exceptions to the search warrant requirement were really under attack at the time and continue to be, uh, in part after Snowden, in part dual a number of events that were going on. So we didn't want to rely just on a exception to the warrant requirement, especially if we had time to get an actual warrant. So we did get an actual warrant and maybe you guys could take it from there. Did you go to the airport? We did. Yes. We were down in Miami, both of us, um, with a whole group of support people from the Miami division as well as from FBI headquarters. To, as Brian said, we were gonna do a search warrant on every device that he had. We were hoping was gonna be a lot of devices. It ended up not being very much . He did not have a laptop with him. He had his phone and a camera. And I think that was that was it. And we had a full surveillance team on him. Yes. And he was coming into the country with uh with another individual. So from the time he stepped on US soil, we had a a team that was essentially tracking his activity to see if he was making any contacts or did anything that would indicate he was part of this group. So the FBI gets short notice of him coming to the US and scrambles to come up with a plan and to meet him at the airport. What they wanted to do is look through his devices to see if they can see any evidence of him involved with this bay rob group in order to lead to an arrest. They thought if they interrogated him, that would spook him and he,'d tell the others and they'd all go into hiding. So the plan was to somehow get a hold of his devices and search them without him knowing they got searched. So the uh border patrol was actually the ones that, you know sat down. They have to do their interview when you come through CBPS to interview you. So they did an interview with him and kind of made it take a little bit longer, but they collected his devices and then provided them to us. We were sitting in a back room that he didn't even know there was approximately 30 people in this back room, um, all because of him to review his devices, to to image his devices. So customs and Border Patrol did an interview with him, collected his devices, passed them to us so we could then have our computer forensic examiners image his devices. And he had no idea. And then he gave it back and he went, he left the airport without knowing everything it copied. He did not know, but he was uh he was pissed enough and realized uh that he wasn't gonna do this uh he was gonna make this mistake again. So So he had he was communicating with the with the other members of the group through a encrypted messaging app jabber, but it was saving logs and he changed after this whole incident. He he didn't think he was identified, but he's like, let's stop recording those logs. And he changed his password on his phone to the Romanian for US Customs Can Blow Me. Wow, so the FBI took full forensic snapshots of everything on his phone, and he had no idea they were there. And then they tailed him the whole time he was in the US like ghosts. And so he was here in the United States for, I believe it was about 12 days. So we had him under constant surveillance almost that entire time. Um and he wasn't just in Miami. So he landed in Miami, they were in Miami for a couple days. Um they went to DC for a couple days, then they went up to New York, and then ended up in Boston. And we knew he was going to end up in Boston because that's where he flew out of. They took a look at the data they got from his phone . Stacy and I are in the Miami field office reviewing this almost immediately because this is the best opportunity we have to actually get some visibility that we can tie directly to an individual who we think is a member of the Bayrop group. And we're rolling through this phone through all the data, and we come across the jabber chats. And for the first time ever, we actually find communic ations that were encrypted but are decrypted or unencrypted on the endpoint uh on his phone talking about bayrob group operations. They're talking about crypto mining and how much they're making a month crypto mining. He's talking to the head of the group in who's in Romania. At that time they were making about six thousand dollars a month mining their network of Master fraud. Master fraud, yep. Uh incredibly technically gifted tire actor out there. And by the way, I just I I always want to tell people when you're naming your criminal character, when you're giving your criminal ali as, it's best not to name yourself after the crime because it may sound really cool at the time, cool to all your friends, the other group. But when you're eventually caught, and you will eventually be caught, it dramatically limits your available defense. Defenses. So here it limited his defense to master fraud, who? I had never heard of any master fraud. You can't argue at that point that this wasn't fraud. Everybody everyone understood what we were doing. No. Brian and Stacy were able to look through the chats, which were logged on the phone, that they got a snapshot of, and most of what they saw was benign, nothing to do with this Bay Rob Malware operation at all. But because Ryan and Stacy knew this case very well, they would spot tiny clues. Like MF was mentioned ever y now and then, very rarely, and they knew MF was short for master fraud, one of the leaders of this organization. So little things like that would start to make them see the network of who he's talking to. And another thing they found were chats mentioning a file name that they knew only existed on that command and control server that they had access to. So this linked him to knowledge of that command and control server. We have a direct tie from this individual to Bayrob Group operations and we know we've got the right people. So at that point we could have arrested him. We had enough evidence at that point to arrest him. While he was in the US. While he was in the U.S. So we so this was a difficult decision because he was a high value target. Of these three people, he was probably the second most important. But master fraud was still in Romania. And we knew if we arrested him master Aaron Powell They hoped they can eventually capture the whole gang, or most of them at the same time. So they let him leave the country. And part of the reason we felt comfortable doing that was we had worked with Romania for so long at this point. I personally had been to Romania something like seven times. And so we knew that we could work with them to successfully extradite. You went to Robedia seven times just for this case? Just for this case, yeah. So this is where it started getting exciting . Because the net was here and we got that additional information from the jabber chat log, we were able to go to grand jury , get this indictment, do an extradition package to Romania, and then I think both of you went over there, correct? As part of the arrest and takedown. Yeah, we both went along with we took four computer forensic exam iners with us as well. So there was a team of six of FBI over there. They had identified the names and addresses of the three main men behind this Bay Rob malware campaign. There was Bogdan Nicolescu, aka Master Fraud, Tiberiu Dinette, AKA a Mighty SA, Radu Miklaus, AKA Minolta, aka Radu Spr . The goal was to arrest all three at the exact same time so none of them could tip off the others. So the FBI and the Romanian police had to split up. Yes, yes, so all three of them were in different locations, so we had to split up. And so yes, McLeouch had unexpectedly left town. They thought that he would be, I believe he was living in Brushov, also where Nicolesca was living. Um and so they expected him to be there, but he had left town like the day before and had gone to visit his grandmother in a completely different city in Romania. And so they had to um uh figure out where he was and do surveillance on him, and then they stopped him um in his vehicle on his way back to brush off. Stacy, you were in Bucharest and I was in Braz ov, which was where Nicolescu had a a home that at the end of a street. And uh we were there when R<unk>P made entry into the various locations that we had. So what's it like going in their their house and uh collecting that stuff? It was interesting. It was very different. They have a different process than we do. So I think it we found it very interesting to watch the Romanian national police and see how they do things, how they collect evidence versus the way that we do it. Um, and then because we were there, the nice thing was we were there So they caught them and they took all their devices back to the United States. But the Bay Rob gang was still in a jail in Romania . We're gonna take an ad break here, but stay with us because the next step is to get him to the United States and to prosecute them . This episode is sponsored by NetSuite. Every business is asking the same question: How do we make AI work for us? Sitting on the sidelines is not an option because one thing is almost certain: your competitors already know-how. No more waiting with NetSuite by Oracle. You can put AI to work today. It's a unified suite that brings your financials, inventory, commerce, HR, and CRM into a single source of truth. That connected data is what makes your AI smarter . It intelligently automates routine tasks, delivers actionable insights, helps you cut costs, and make fast AI-powered decisions with confidence. From software and IT services to healthcare, equipment manufacturing, financial services, and many other great American industries, Netsuite delivers a customized solution for your business. If your revenues are at least in the seven figures, get their free business guide to mystifying AI at netsuite.com slash darknet. That guide is free for you, but only if you go to netsuet.com slash darknet. netsuite.com slash darknet So the FBI searched the homes of this group, and they were really hoping to catch them in the act with their computers open so they wouldn't have to crack any passwords and unlock computers. But when they entered the house, all the computers were off and locked . But as they looked around, they were able to solve one of the mysteries they had, which was how this group kept moving around with their IP addresses so much, sending the Romanian police to the wrong address so many times. One of the things they found were these large directional antennas. What we realized with these directional antennas, which made for great trial exhibits, was that they were never using their home internet when they were involved in criminality, they would hack into another account in Bucharest. And Bucharest is a very big city. It's it'd be like doing it in Manhattan. And so every time they would just hack into a different person's home Wi-Fi . And that would be the start of their proxy chain. They would start there, then at least towards the end, as Dennette explained it to us, they would go to Tor . Then from Tor , they would go through their proxy chain , which was typically one to three infected computers. And then from there, they would go to America Online where Owen was seeing them. And then from there, that's when they would use commercial uh ISPs like Google, Facebook, eBay, et cetera. So the way the way they they were operating is they would actually meet up and everybody would essentially get a standard build. So their laptops were all built out the same way and and Nicolescu would configure them to be essentially, you know, they get the cybercrime package, which means multiple levels of encryption. So they were running Linux with Lux on it, and then they had a couple of TrueCrypt in containers on it. And then Nicolascu had written his own encryption software uh for because true crypt was no lon no longer being updated. So that's five layers of encryption just just to unlock the hard laptop. Yeah, four or five different layers. And everybody in the group got the same package essentially. And they also, that that was was not the extent of it. They also got some networking gear. So each of them got a custom flashed router, and that custom flash router would allow them to proxy their traffic between their different houses and their their operational security was that their first hop from their house was using a directional Wi-F i to the internet . And that individual, say , you know, Nicolescu was in Brazov, he would establish that on the router, the custom flashed router. And then he would communicate to the other group that his router was set up and everybody would tunnel their traffic or the group through that stolen Wi-Fi, through the router at that location, and then they'd switch the router the next week to another another individual's home. And that was why we were seeing the encryp ted traffic between the two locations that we couldn't explain. It was their tunneled encrypted traffic that was then being sent over stolen Wi-Fi using the directional antennas, then tour or a proxy network, then to infected systems, then up into the command and control infrastructure. So again, you know, they were doing a pretty good job of hiding their tracks. So so when I was seeing uh IP addresses that I thought could identify the address of the attackers, it turns out they're using directional antennas to steal their neighbour's Wi Fi. So the addresses that I was seeing were very rarely their actual home address and I had to look at the data very, very carefully to understand when had they slipped up and they weren't using their neighbor's stolen Wi-Fi. They were actually using their own home IP address by mistake. And those slip-ups are very, very rare. The FBI wanted to prosecute these three in the United States. But in order to do that, they had to convince the Romanian police to allow them to extradite these three to the US to face trial there. But in order to get extradition approval, they had to have Say this is the group and they did all these these things. We need to be able to say this person is master fraud and this person is a mighty SA. And this is the roles that they each individual played within the group. And so for a long time, yeah, we knew who the three people were that were running everything, but we could not say which one was which as far as their criminal moniker was concerned. And so it wasn't until we got Dennett's phone and then we were able to Ryan was able to connect his login activity with his vacation time that we were finally able to say, this person is this person and this person is this person. So the extrad ition was seamless with Romania because of all this background work we had done. So this was amazing. We got them into the US in a couple of months They get the three guys on US soil and then go in to question them. First, they start with Dennett, aka a mighty essay. They show him all the evidence they have against him, and basically said, Look, you're definitely going to be found guilty. We have a ton of proof, but if you plead guilty, we'll try to get your prison sentence much lower. So Danette ends up uh pleaing, and uh we confronted him with the evidence during a proffer session and during our investigation one of the things we did with the evidence collection is we had really good visibility into when they were logging into and logging off of all of their criminal accounts. And we didn't know it at the time, but this information ended up being incredibly valuable because it established this pattern of life for all the different actors. We could see when they were online doing, you know, like in their criminal accounts and when there were large gaps. And when we were able to get Danette's personal computer and search that, he liked to travel and he vacationed a lot and he also took photos of everywhere he went. He was an avid photographer. So we could see through the photo metadata when he was in these certain locations, and then we overlaid it with all the criminal account data, and you could see that every time one of these accounts went dark, Donette was on vacation. The exact periods of times when he went on vacation. And there were something like 30 vacations. And I remember we talked to him, and I said to him, look, we created a spreadsheet or a diagram to show this. And I said, like, you know, look, if there were five overlaps in vacations that would be curious. If there were ten, hmm, something's going wrong here. But with 30, you are the guy. You are a mighty SA . And Danette told them a lot. One thing he said was how many other members were involved in this back in Romania. Now as it turns out, he listed six other members and what roles they had. This was huge for the FBI to paint a full picture of this group, each member and their operations. Okay, so Dinnette pled guilty and he was sentenced to ten years in prison and was cooperating. The other two weren't talking, and they were just sticking to their not guilty pleas. So it meant that this case was going to go to tri al . Now you would think the hard part is over for the FBI and the prosecutors can take it from here, but the opposite is true. In the month before the trial, the FBI had to work harder than ever. Well, to explain how this process works, we worked, we all worked probably straight 30 days. You know, my wife at the time, so I've got 15-year-old triplets and she's from Colomiab, and I told her, listen, for the next month, month and a half, I'm not going to be at home. I'll be at the office pretty much the entire time. She takes the kids, heads down to Colombia. Uh and that's the same for all of our families, right? They didn't get to see us. We were in the office. A 10-hour day was probably a short day. This is go time . Because now the FBI had to convince a jury But it's always very tricky to present electronic evidence to a jury since a lot of times they aren't very tech-savvy or know what this evidence even means? And I gotta say, the most important, I guess at the end of the day for the jury, the most important piece of evidence came from the fact that Dinnette, when he was cooperating, told us everybody else who worked with the Bay Rob group. And Stacy , uh, you know, we talked with Stacy and Ryan, and we decided that there was not enough evidence to indict any of those people because we na we couldn't just indict them based on one criminal saying these are the guys, because you know you the jury is not necessarily gonna believe a criminal. So Stacy said to me, Well, why don't we just go over to Romania and talk to them and try and get them to testify . And I said, Well, I don't why would they come to the United States risk being arrested to testify when we don't have any evidence against them? And Stacy brought up the good point. The dony't know. We don't have any evidence against them. So Stacy and I went back to Romania right before trial, and we ended up flipping what was it, five out of six? Yeah, five out of six. All three of us went back. Yeah, right. Oh, yeah. Yep. And we we flipped five out of six of them. Five out of six. And they agreed to come to Cleveland and testify at trial. What's in it for them? So again, they didn't know that we didn't have enough evidence to include them. Well to be to be honest, we had a lot of them, right? So we knew that they were involved, we knew what their roles were in this, because we had a number of individuals at this point in time that were telling us that they were involved and what their roles were and what their their criminal monikers were. So we did know, you know, what accounts they were using and what their job was within the group. But we at the time we didn't feel, I mean we we we could have tried to indict them, we could have extradited them. So it wasn't an empty threat. It was just we didn't feel like we had enough because in these cases we really only indict and extradite extradite folks when we've got a really bulletproof . Your your track record is 99% conviction rate. And they and they have to have had a significant role, too. We're not gonna just necessarily indict everybody who did anything. And so basically we talked to these people individually, and they believed that cooperating was in their best interest . And a lot of them felt really bad about what because uh a lot of them had moved on at this point. It took so long to do this case. A lot of them now had kids and had a regular job and were like so embarrassed. Some of them were crying when we were talking to them. And not because they were scared of the consequences, but I think because they were humiliated by the fact that they had done this and people now knew they were So what's the option you give them? Like can you come testify, please, or come testify or we had to decide you. I'm gonna jump in on this one. There was no quid pro quo or anything. It was it was purely optional. They had to we didn't make any promises to them. Um they had to believe that this was in their best interest or just wanna do it out of their own um So it's just a matter of hey, come clean. Well it was ten yeah it was ten years later they remembered, all of them remembered like waking up and Nicolescu and Danette and uh McLeuse being gone and word starting to spread and everyone was freaking out there because there weren't too many uh extraditions from Romania to the U.S. I think cyber criminals in Romania felt like the worst thing that could happen was they'd be prosecuted in Romania if they were caught. And in Romania, you kind of got a slap on the wrist, you wouldn't spend much time in jail. So this was like seismic when these arrests happened in Romania. And they just wanted to create favor, I think, at this at that point. They wanted to be helpful. They didn't risk any any bad things happening to them. Now even though they had seized everyone's computers, they still couldn't get into them. Because remember, each computer was wrapped in five layers of encryption. First was this boot integrity thing, making sure that no hardware changes since setting it up. Then they would use Lux to encrypt the Linux partition. Then there was a custom layer of encryption that MasterFraud wrote himself using SSE. Then there was a true crypt container, and then there was another true crypt container. And keep in mind that every layer has its own unique complex password to decrypt and once they got through all that then you would boot into Linux and then finally there were these virtual machines that they would load and that's where they would do the work from. I think it took like five or eight passwords just to log in to work every morning for these gu ys, which is incredibly impressive. Master Fraud. He programmed in assembly language. So very unusual character. And when we got these computers and Dinette explained to us what we were seeing. Not only was it this multiple levels of encryption, they had built Master Fraud had come up with himself a kill switch that would enable him to press a single button and encrypt the whole machine and if he didn't decrypt it within a certain amount of time, it would just wipe the whole thing. He created his own software based keylogger. So if the FBI or Romania had put something in the computer , it would have detected and alerted that. Um so you know, he was off the charts compared to what we see even at C SIPs where it's all very advanced. So these systems were were all configured the same and they had similar similar tool sets and the same kind of encryption everywhere . So when DeNet played, he actually was able to provide his password for a couple layers of that his work platform. So we were starting to be able to uh essentially peel back the layers of encryption and see what was in each layer of encryption. So we'd peel back the first one and we'd get into the Linux operating system that they were using and we saw that there was some source code for the encryption software, the container software that Nicolescu had written. We'd come across a couple of additional TrueCrypt containers and we could unpack some of those and we were doing forensic analysis on these systems and some sometimes we'd be able to find a mistake where they left a password somewhere or we were able to get in because somebody would tell us what their password was. I remember uh one of the passwords was pizza kitchen in Romanian backwards. That was his password, and it was like a like a fifteen letter, or maybe it was longer than that, password. And it needed to be in concert with another password and we only got so far. So we could only get so far through that encryption because they had been in jail for a bit after being extradited and, their password s were extremely complex , and we could never get in past the layer that Nicolescu wrote. I had actually gone to Quanti co, we have a lab there that specializes in helping in these highly advanced technical situations and we brought the source code out there and they analyzed it and we spent a lot of time trying to break into it and you know everybody will say, you know, the first rule of encryption is don't write your own. But in this case, Nicolescu was so good that he he wrote a pretty solid piece of encrypted contain er software. So even the FBI couldn't crack into these machines. And they even tried to crack the passwords by brute forcing it, but the way SSE and TrueCrypt was set up was they worked in tandem. So the FBI would have to crack two passwords at the same moment to get through those layers. And that made this astronomically more difficult. But one of the things we learned is these computers still had value even if they were completely encrypted. So at trial, we were able to show Nicolescu's tower, which had hard drives that you could just pull in and out like a data center, which was not what a normal person would have. And we're all ha able to have the F BI testify, yes, this was on his desk, this was his tower when we came in there. And you know, we've used all our tools. We are not able to decrypt any of this. And that's pretty powerful when you have all this other evidence that this guy is master fraud, because you know the jury's looking at this enormous tower of hard drives. They know this is nothing like their home computer. They know the FBI with all its power can 't get into it, and they're thinking, all right, that something's up here. With a list of money mules and money muling being illegal in the United States, were you going around and arresting all these money mules? So we did have conversations with a lot of the money mules, and many of the money mules were arrested by their local police. We did not arrest any of the money mules or prosecute them. Yeah, so at trial we had some of the money mules testify, and they were victims as well. In fact, in some ways, they were the most scarred victims based on their testimony. First of all, what the Bayrob Group told them in many cases, uh, they would place advertisements for them on Facebook, on uh uh they their machines tended to be infected as well. So they when they would go to Yahoo or Google, they would see an advertisement for a wire transfer agent. And so they thought this was legit. And what the Bayrob group would tell many of them was that when Americans go and travel in Europe, um, they often get mugged and lose their passport and lose their money. And so what we do is we help relatives get them money quickly. And so these people thought they were actually doing something good, that they were helping out. And I will never forget when one of the most prolific money mules testified at trial, and the defense attorney tried to um tried to cross-examine her and make her, you know, he he said, Well, you're calling these people victims now, but you didn't see them as victims then . She absolutely exploded because she was, she said, I was so embarrassed, this is like the worst thing that's ever happened in my life. I never knew. I didn't mean to do this, et cet.era And he as he was coming back, he turned to us on the prosecution table and said, one too many questions . We took all the evidence that we had collected over this entire case. We took all of our victim complaints. We Stacy and I went through all the IC3.gov complaints. We went out and interviewed hundreds of victims , I felt like at the end of this, and had some of them come testify at trial. We had a search warrant on a couple of the command and control systems, which uh I had actually stood up a copy of that command and control server in our office and then I invited Liam to come out because he had done so much of the technical analysis that we needed another expert set of eyes on what we are seeing. How much money do you think they made? So we had hard numbers that they defrauded people out of four million dollars. Uh defraud? Yeah. Yeah, well, in total, made four million dollars. That's at least four million. We had identified over a thousand US victims. A thousand victims. Just on the eBay fraud alone. What we had estimated they'd made over the entire length of the operation because they've been operating for 10 years and we didn't have accounting for all of those years but we could see a lot of the output and we were able to estimate over the given period that it was about 40 million. And then how big was the botnet? Botnet um reached a maximum of about four and fifty thousand machines. And at any one particular time they had hundreds of thousand machines operating. That was other key evidence, by the way, because once we arrested them, the botlet stopped. Well, and I was gonna say one of my favorite moments in this case was actually, you know, we had been watching this group for almost 10 years and had identified, like I said, over a thousand victims of eBay fraud. And so it was so frustrating to know that this was continuing to go on year after year after year. And then finally we were in Romania when they arrested him. And the day after we arrested him, I turned to Ryan and I said, master fraud is in jail right now. Like it's done. We have stopped the the the fraud and the victimiz ation. Okay, so you bring all this evidence. What's the defense bring? Uh well so the defense's main defense is the most common defense that you typically see at the Department of Justice, which we refer to as the Saudi defense, which stands for some other dude did it. Um, which we adj I would refer to as the sortie defense in this case, some other Romanian dude did it. Um so that was their defense. They didn't put on witnesses, they challenged our evidence and as you would expect in a case like this argued uh that there was there was insufficient evidence to say that these were the guys. This jury was mostly retired and a few people didn't even own cell phones . It was going to be tricky to present all this evidence to them. Owen's doing traffic analysis, you know, Liam's doing reverse engineering. Uh we have title, you know, uh data intercepts on the command and control infrastructure we're we're addressing topics like encryption and crypto min ing and being a vendor on the dark web essentially folks that are not cyber savvy. And frankly, the entire team did a great job of taking this complex evidence and making it relatable to the jury and understanding. A lot of what we did it was was truly education of what we had and why it was important in in very common terms. And they did it. They were able to convince the jury that both men were guilty. They were found guilty on all counts. Um Dinnette, consistent with the plea agreement, was sentenced to 10 years in pris on. Um mc uh McClaus was sentenced to 18 years and Nicolescu who was master fraud was sentenced to 20 years. Wow 20 years, that sounds like a lot. That these are tremendous sentences for a cybercrime case. Um what you gotta remember is the judges who sentence and it's the judge who sentences, not the jury. They sentence for all kinds of cases. They see terrorism, they see murder, they see all these crazy cases. So at the end of the day, a lot of judges are like, well, you know, this guy hacked, you know, we're talking four million or forty million or whatever the case may be. It's not a billion dollar Ponzi scheme. It's not nobody died. So I'm gonna give him a couple years. We see that all the time . And so it was only because I think we had so much great evidence, we had so many victims testify about how it impacted them, the money mules, and the scope of the crime. And we were also able to show that these guys weren't just doing their criminal job, they were really sadistic. They really wanted to hurt the victims. For example, um, they developed one phishing email that was supposedly your HIV test results. And when you clicked on the link, you were positive. It's like why would you do that? You know, I mean like you're freaking people out way more than even the value of the mone And so I think the judge realized this was a serious group, it was a serious threat. If they get back out there, uh they may just start up again. And so we felt quite good at those were some of the highest sentences you'll ever see, or at least as of that time in a cybercrime case and even today it's pretty rare. Yeah I think the other thing that is sometimes lost in this is that you know each one of these victims, this this does something different to each one of them, right? So any one of us may lose, you know, $7,000 and we'd we'd, you know, write it up to, man, I made a huge mistake there. But the folks that were being victimized here , um , you know, they were they're folks that that really couldn't afford an extra $7,000, right? They were buying a vehicle to get to work. Uh some of these victims, you know , there it caused a lot of strife in their relationships, where, you know, one person in the relationship said, no, that sounds like a scam, don't do it, and they did it anyway, and they lost it, and it started, you know, kind of a down fall in that relationship. We had some folks that were divorced over this. We had what was that for? Well, because uh they basically disagreed that uh well when they lost the money, it caused such strife in the relationship that they you idiot, you got scammed. Essentially wow. And I I wanna be clear though, like you could be very smart and still fall for this. So two things I wanna make clear. I don't know if it was clear from the um from the background. When you went to eBay , the malware if you were infected with the malware, it would make it appear that eBay had an escrow agent protection program and you were sending the money to an eBay escrow agent who would only release the money once you got the car and were satisfied with it. That was all just the malware. It was a money mule. But anybody would see that and think, all right, that sounds very safe. And the URLs would say eBay even the URLs just all malware. Exactly right. And one of the victims who testified at trial was a used car salesman, like a who had a dealership, who would buy cars online all the time? And he fell for this too. He had a very lengthy chat with the Bay Rob group, not knowing what it was the Bay Rob group, about this escrow agent program because he hadn't seen it before. They must have stayed on with him for an hour to convince him that this was real. And then ultimately he fell for it. And I think that helped that the jury w you know, looked at this guy testify who was victimized as a card dealer and were like, oh well, if he fell for it, I would have fell for this. And with that, the FBI investigation and prosecution was over. All three of the main people involved were arrested, found guilty, and put behind bars. Well, what an investigation. We've got a ton of people to thank for this. So, first of all, the Cleveland Field Office uh was with us all the way. So, our cyber squad, our organized crime squad, we had great supervisors that supported us. We had great executive management, fantastic analysts, our computer scientists, our uh Feels like a lot of interns were going through a lot of data there. Not so much. I mean, these are all professional folks that are doing this. You know, we we typically don't have interns on our on our squads. And uh so we got a ton of support from the Miami field office. We had Customs and Border Patrol, the US Attorney's Office. Including Duncan Brown, uh Brian McDonough, and Om Kulcarney, in addition to myself. Right. And then of course Semantic and AOL were hugely instrumental. I imagine eBay was helpful. EBay was helpful as was a lot of the brands whose uh trademarks these guys mimicked in order to trick people. So we had uh great cooperation and witnesses from Facebook, from Walmart, from eBay, from Google, from Yahoo, uh all coming to testify at trial. So what happened to the millions of dollars these guys made. Well, they spent a lot of it as soon as they got their hands on it. The FBI was able to seize some of that, but not enough to pay back all the victims. However, these guys were running huge cryptocurrency farms, basically putting all the infected machines to use to mine crypto. And the FBI seized the computers which held those crypto wallets. And actually at at this point in time it's probably worth a lot of money, but it's locked in a couple of layers of encryption. Really? Still haven't been able to crack we ha haven't been able to get there. Wow, those machines sitting in the FBI evidence room hold the keys to millions of dollars of Bitcoin that the FBI would love to confiscate. But the multiple layers of encryption is just too strong for them to crack. And so it just sits there , in a room, unplugged, dormant. How wild . If it was me, I probably would have used that Bitcoin as some kind of bargaining chip to get my sentence reduced. But because they didn't. It makes me wonder that in 20 years when these guys get out, they might have saved their keys somewhere else that they can still access, and come out of prison as millionaires. That's crazy to think about. In case you were wondering, yes, I did get all these people in the same room to interview them all at once. We all met up at the RSA conference in San Francisco earlier this year. What are you all doing at RSA ? What are you hoping to get out of this? See where AI is going and see if we can cut through the AI hype. I'm just here to talk to you and then get a drink with them. And that's and then I'm going back home. And that's what I'm doing. I'm flying to Chicago tomorrow mor ning for an ABA conference. So I I spoke on a panel today about ethics and cybersecurity. And then tomorrow I am speaking on a panel about a framework for measuring the security and safety of AI. So I was really excited that I could do this as well while I was here. I'm on a panel with uh Brian uh talking about AI agent security, safety, and reliability . They deployed all the best practices and took extra steps to keep the FBI or anyone else from discovering them. And it was only from these really tiny mistakes, and over the course of ten years of the FBI and Semantic and AOL diligently listening and monitoring them that, these mistakes were even found. And it's one of those cases that if the FBI wants to catch you badly enough, even with the best OPSEC there is, they still can. It might take them ten years to gather enough evidence on you though. I just want to recap all the things they did here to try to keep the FBI off them, since it's fascinating to me to watch them work. First, they didn't talk openly. These guys never casually texted each other about this or talked about their criminal enterprise over the phone. When they would, they would always use encrypted chats. And the FBI also discovered that they often ran the radio in the background when they were working together in the same room in order to keep any listening devices from hearing what they were saying. Next, they didn't use their home internet. They used stolen Wi-Fi, long-distance antennas, and could connect to the Wi-Fi from miles away. And then they'd VPN into one of their houses where the proxy chain would begin. They used Tor and proxies and hacked routers to get online. They encrypted everything, everywhere, or at least they tried to. When moving files, they used SFTP. When connecting to their command and control server, they used SSH. They encrypted their hard drives multiple times. They didn't log anything. At first some jabber logs were saved, but then they turned those off. Logs are like documenting your activities. It's a liability. They created fake personas . Each of them used their hacker handles when discussing this work and never used these handles outside of work. They were extremely careful in that matter. And then they used abbreviated version of those handles on top of it, making it extra confusing. They didn't contaminate work and personal data. The work computer was for work only, isolated, not just with a physical computer, but also on a separate network. Only approved virtual machines could be used for work. Never do anything from your personal computer. They reduced who they had to trust as much as possible, keeping a small circle of who knew about this. They built their own computers, their own malware, and didn't share it with anyone. They were self-sufficient, and those who did get to help them often were l
This excerpt was generated by Smart Features
Listen to Darknet Diaries in Podtastic
For listeners, not advertisers
All podcast names and trademarks are the property of their respective owners. Podcasts listed on Podtastic are publicly available shows distributed via RSS. Podtastic does not endorse nor is endorsed by any podcast or podcast creator listed in this directory.