Transcription performed by LeahTranscribes[START OF RECORDING]
JACK: I want to make sure I pronounce your name right, so can you say your name for me?
HIEU: My name is Hieu Minh Ngo.
JACK: Hieu was born in Vietnam. HIEU: [Music] I’m grown up in a small town in Vietnam. It’s called Cam Ranh. I was — started to be a hacker when I was very young, maybe around fourteen, fifteen years old. Then, kind out of curiosity, you see? You know, wondering about how the internet — working. Back then, the internet was very expensive and super slow. That’s one of the reasons that I started to hack and steal a few internet dial-up accounts to be able to use it. Without pay anything. That’s kinda the — my first time I got into trouble, when I was fifteen years old.
JACK: This was around 2004, a time when 56k modems were the most popular way to get online. The way it worked is you dialed a phone number and connected to the ISP that way, and they would connect you to the internet. But the ISP would charge you by the minute to go online. Can you imagine that, being charged for every minute you’re on the internet? That’s how it worked back then. Hieu couldn’t afford that, so he figured out a way to use someone else’s account, basically stealing someone else’s ISP connection to get online, and that meant other people were paying for him to get online.
HIEU: Just a few months using these stolen internet dial-up accounts, I got kinda a paperwork sent to my house. My parents, they got very surprised, and then they told me, what’s that about? Then I told them it’s related to some stolen internet accounts.
JACK: The paperwork said that Hieu did $5,000 in damage, and his father had to pay the fees. That’s a lot of money. His father was pretty mad and sent him away to go live with his uncle in Ho Chi Minh City. Little did everyone know, it was going to be there in Ho Chi Minh City where he was going to build a darknet service and was going to make a fortune doing it.
(INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet. I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS]
JACK: His dad recognized that Hieu was really into computers, and Ho Chi Minh City is a big city that has better schools to learn computers. So, Hieu got enrolled in classes and started studying. His parents would check in with him to make sure he was doing his schoolwork.
HIEU: I was learning a lot. I was learning about web programming. I built my first website, hieupc.com; I remember.
JACK: He was learning about operating systems, networking, and cybersecurity all at high school. He really loved computers and was hooked on learning more.
HIEU: [Music] I went to the internet cafe to use the internet because the internet at my house is very slow. So, I went to the internet cafe and I — the moment I — been there, I passed to one of the computer screens and I saw that computer screen — kinda very dark, some kind of dark background and the font size is very weird and also the color of the text is also — it looked cool, like green color and stuff like that. I asked the guy, what’s this forum about? Then he told me it’s about the dark web in Vietnam.
JACK: Ooh, Vietnam’s dark web? That sounds interesting. Are you ready to go there? Hieu was fascinated by it. He learned how to access it, where to go. For him, it was like finding a whole hidden place online filled with really fascinating stuff; hacker forums, forbidden item marketplaces. It really emphasized the power of the internet. This was all unregulated. The government, the police, they can’t stop what goes on on the dark web, and that really fascinated him. There’s this whole section of the internet where anything goes?
HIEU: They’re talking about hacking, they’re talking about sharing sensitive information, and also bank accounts and also some hacking techniques too — and it got me wondering how it did that.
JACK: Yeah, but so, I think maybe a normal person would look at that and say, wow, there’s stolen stuff here, there’s illegal things here.
HIEU: Right.
JACK: Maybe this isn’t for me. Maybe I should go back to the clear web.
HIEU: Right, true.
JACK: What?
HIEU: You know why? Because back then, right, underground forums — very fun, though. They’re always sharing, and they don’t mind about money. Sometimes they hack something; they just post it for free for everybody, not really into business or trading or dealing anything. They just like sharing techniques, you know? But, you know, when I got into that, I say, man, it’s something that I’d — really wondering. I watched on the — movie and TV about hackers. Very cool. That’s why I say I want to learn that. I want to be a member in that — hacking forums, underground hacking forums.
JACK: So, this became his obsession, how to hack. What are the techniques? He would learn about a vulnerability and then use Google search queries to find websites that were vulnerable, and it was like the whole internet opened up to him in new ways. He was finding that thousands of websites are vulnerable to a variety of different attacks, and he was just getting into one after another with simple techniques like default passwords and SQL injection. But the extent of the damage he was doing was — he just hacked into the site and put something on the website that said, ‘Pwned by Hieu.pc’, which is the name he was using at the time, and also the name of the website that he made as a teenager. But the whole time, he was just curious, not using his access to make any money or stealing anything. He just liked learning and liked the excitement you get from getting into places that you’re not supposed to be in. It made him feel clever and smart and powerful, and he was teaching others how to do it. After all, he was still in high school.
HIEU: I shared lots of hacking techniques and then also social engineering techniques. But the thing — the more I shared, the more the people — they know about me on these underground hacking forums, and eventually they voted me as an administrator in one of these forums very popular in Vietnam. After that I joined a few forums in Russia and even in Eastern Europe as well, too. So, I keep learning, but the thing — when rarely making money, you know? Before that, it’s just sharing for free, sharing the knowledge, sharing the techniques.
JACK: [Music] From posting on the forums and being an administrator to one of them, he started becoming more known. So, he met a guy, one of the forum users, and this guy’s like, hey, listen up, Hieu. Your ability to hack into websites is actually worth a lot of money. Do you want to team up? Do you want to hack places and give me what you find and then I’ll pay you for it? The guy explained how together they could make all this money, and Hieu didn’t have much money at the time and was interested.
HIEU: You know, when talking about money, when I was very young, I said, man — I saw the people making lots of money, too, by using stolen identity and credit cards. You know, to make some money and be able to buy some stuff, it’s very cool, right, like some technology stuff or some new devices, something cool for myself without asking my parents. So, that’s why I said, yeah, okay, let’s — so, let’s do it. Then the guy, he moved to my apartment, living with me, and then I — during the nighttime, after school, I started to hack lots of e-commerce websites.
JACK: [Music] E-commerce sites, like places you go to buy things online like clothes or computers, kitchen items, travel tickets, a lot of these sites back then ran on WordPress or PHP or ASP and didn’t have the best security, and it’s kind of like a numbers game, right? If there are a million e-commerce websites on the internet and one percent of them has poor security, that’s ten thousand websites that are just sitting there vulnerable, way more than enough for someone like Hieu to go through. So, the idea was to get into these sites and plant a listener that would capture when someone would enter their credit card to buy something on there, and then Hieu would give those credit card details to this guy he’s teamed up with. The guy will somehow convert the cash for both of them. Hieu was seventeen at the time, a senior in high school. So, after school and on the weekends, Hieu and this guy would get busy scouring the internet for a vulnerable site to hit.
HIEU: Back then, lots of websites, right, they used the language called PHP or ASP. It’s — contained lots of vulnerabilities. Then I searched on Google with those keywords, some of the Google dork that — to be able to find out for me all the lists of the websites. I put on a customize tool that I programmed, and then I just — clicked scanning, and it just kinda automated scanning for the vulnerabilities. Then it would give me the list of the vulnerable websites, and then I would explore that to be able to obtain the credit card information. And…
JACK: Okay, so what was the first site that you made money from?
HIEU: The first website is — I remember it’s located in the UK, right? That website is still very popular nowadays in the UK, but I don’t want to mention that.
JACK: That’s funny. Yeah, what kind of site is it? Is it banking? Is it a…?
HIEU: No, this website is a e-commerce website selling electronics stuff, and that website, it got a SQL injection vulnerability.
JACK: So you found a website through Google dorking in your scans…
HIEU: Right.
JACK: …you tested it for SQL injection; it worked, and what is that feeling like to get into a website using SQL injection?
HIEU: It’s like a gold mine. I said, wow, this is so many credit card information. Like, that day; man, so excited, though. The feeling is kinda like you control something. You have a power. You feel like you’ll be able to break into anything if you have time and you have the resources. You feel like you’re on top of the world. You can be able to get anything. I feel so excited. Like, it’s hard to say, to explain that, but — feel like, so happy, intently so happy, though.
JACK: Do you give each other a high five or do you…?
HIEU: Right. Me and him would give a high five and hug, and I say, yeah, we did it, we got it. I think we’d be able to make lots of money from this not just selling the information but also using that. He’s so excited and we was laughing the whole night, I remember. We was very young. Back then he was eighteen and I was seventeen. He’s saying, yes, let’s do it this way. We use all the credit card information, right? Every day we was getting slowly around fifty to a hundred credit cards from that website alone. [Music] We was playing on the poker website.
JACK: Of course they took the stolen credit cards to a gambling website. I should have guessed! No, they weren’t actually gambling with it. What they were using this poker website for was to launder the money. See, back in the late 2000s, online poker casinos didn’t always have the most strict security and verification controls. They were happy to take anyone’s money whether it was stolen or not. So, he created an account at the casino, loaded it up with as much stolen money as he could, and he might make three or four of those kind of accounts, and then he would have all those accounts join a poker table where his buddy was in and just try to lose as many hands as possible as he could to his buddy. Then his buddy would get all the chips and cash them out at the local bank. This technique is called chip dumping. Now, the casino was aware of these sort of things and would try to spot people doing this, so he had to do things to avoid the fraud detection, and his tricks were working.
HIEU: We was — be able to — making a day like, $1,000, $1,000 USD a day. Then we split the money fifty-fifty. I spend on — I used that money to spend on stupid stuff; vacation and also taking us out and — easy money, easy go, technically.
JACK: Can you imagine that setup? A hacked website is supplying them with a constant stream of eighty new credit cards a day. They’d take those cards, deposit the money into a casino, move the chips to another player, cash it out, and then go spend that money on something fun. Like, where do you even focus here? Do you want to get more credit cards or cash out more at the casino or just enjoy a good time with all the money you have? For them, it was all of that. They wanted more cards, and then they’d be busy trying to drain them all as fast as they could to launder the money. But as Hieu found more and more sites vulnerable to his attacks, he was sometimes stumbling upon whole databases of customer credit card details. Websites shouldn’t be storing their customer credit card details like that, and this was even a surprise to him. But this meant sometimes he could find thousands of credit cards in a single day.
HIEU: Eventually I went back on the underground hacking forums and sell the information. Visa and Mastercard I’d sell for like fifty cents for one information. American Express and Discover, Discover card, I’d sell for — from one dollar to three dollars, you know, different…
JACK: That sounds so cheap.
HIEU: Right, very cheap.
JACK: So, you’re telling me the full credit card information was — you were selling that, and the people could take that credit card and buy something for a few hundred dollars with that, right?
HIEU: Right. That’s true. They can go on eBay and buy, or either they — back then, very easy, though. You can just use these stolen accounts, stolen bank accounts or stolen credit card information. You deposit it into PayPal and then you withdraw. It’s so easy. You’d just take a few days, a few weeks to be able to get the real money out.
JACK: I’m surprised you were selling it so cheap, though.
HIEU: Very cheap though, because — so many, so much information.
JACK: That’s crazy cheap. Usually cards are like, I don’t know, ten to fifty dollars per card, because theoretically each card should be worth a few hundred dollars before fraud detection kicks in to make the card invalid. Rarely I’ll see them for five dollars or less, but fifty cents a card? Wow. That’s what Hieu was selling them for because he just had so many, because he just kept finding more and more e-commerce sites that were vulnerable to SQL injection, which means the websites’ form field wasn’t as secure as it should be, right? So, he can go and type something onto a form field in a website, and that triggers the vulnerability, and suddenly he can see whatever’s in the database, like an admin’s password hash. Then he could crack that password hash and log into the site as the admin. Sometimes that alone would give him credit card details to the site, because some sites did not treat their customer credit card data properly.
HIEU: They show everything on the admin panel. Like, you just clicked on the customer option, right; it’d show you the list of customers, and when you clicked on the credit card information, it’d pop out credit card information.
JACK: I mean, when I hear that, I immediately think that’s a PCI violation. PCI is Payment Card Industry, and for you to be able to accept credit cards for your business, the credit card company has to verify that you’re properly storing customer credit card data. If you aren’t, then you will lose the ability to process transactions and can be fined quite severely. So, Hieu kept focusing on finding more and more sites to hack into and take all the customer credit cards that the site would store in their database. He spent years doing this, mostly selling the cards in bulk on the dark web. He was finding and selling tons of credit cards.
HIEU: [Music] More than a hundred thousand credit card information.
JACK: He gets done with high school and decides he’s had enough of this. His pockets were overflowing with cash and he knew what he was doing was wrong, so he decided to leave town.
HIEU: Then I saved up some money because I know this couldn’t last long. We was making like more than a year, and it’s kinda getting harder because they know the tricks, right? They fixed the vulnerabilities. So, getting harder. I saved up some money; I paid for the school fee in New Zealand.
JACK: His sister was living in New Zealand, so he decided to go see her and go to school there. He knew that what he was doing was wrong and could potentially get him arrested, but he grappled with it. He went back and forth convincing himself it’s okay to take these cards. These websites should secure their site better, and if it wasn’t him taking it, then it would surely be someone else taking it, so why not me? But then flipping it and being like, no, this is stealing, this is illegal. I’ll get in trouble for this. The move to New Zealand gave him a fresh start. He wanted to become a good student who was learning computer science.
HIEU: [Music] When I got into New Zealand, I stayed there for a few months, not doing anything illegal. I tried to be a good student at the school, learning about computer networking and be a computer scientist, you know? But things couldn’t work out. I started to — hacking again after talking with a few friends, a few hackers on the internet. They’re saying they need credit cards, and I need money because my family couldn’t afford to send me much money. So, I say yes. So, let me find out if New Zealand have some websites that I can obtain the credit card information. I hacked into a few e-commerce websites in New Zealand. The same thing; it’s just some basic vulnerabilities, and I got into the database and I got the stolen credit cards.
JACK: He was able to sell the credit card data to make some money, but with all these cards, he decided to use a few himself, which was probably a dumb idea.
HIEU: I used those stolen credit card information to buy electronic stuff like a laptop and cell phone on similar — like eBay. They called it Trade Me platform. I used the stolen credit cards on that website, and I got stuff and then I sell that to the same platform to make money. Gotta laundry the stuff, you know, to get the real cash. But eventually I made a mistake then using the stolen credit card to buy the music concert tickets to the Ticketmaster. I bought a thousand and thousand music concert tickets to sell to all the people with a cheaper price. Then when…
JACK: You bought a thousand concert tickets?
HIEU: Right. I bought a lot.
JACK: Wow.
HIEU: I resell that to all the people on the platform. But the thing, you know — a few of the people, they bought my music concert tickets; they got problem when they tried to enter the stadium or tried to enter the concert, right? They got denied because this ticket has got — invalid because it’s considered as a fraudulent ticket. They got so mad and they got so scared, and then they also complain to the law enforcement, to the police in New Zealand. So, the police in New Zealand, they freeze my account on the platform and also freeze my bank account. So, I got so scared. They also called me and called my sister. Almost a year stay in New Zealand — I got into trouble, and the moment I got that phone call from the law enforcement, I got so scared. I bought a ticket; I ran away. I ran back to Vietnam.
JACK: Oh, boy. Hieu was on the run. The police were now looking for him, but he was able to get away and find refuge in Ho Chi Minh City in Vietnam. He escaped the police and didn’t suffer any consequences from this. Lucky break. We’re gonna take a quick ad break here, but stay with us because this is not gonna be the last time that the police go looking for him. His operation is about to go stratospheric. Hieu gets back to Vietnam. He’s around twenty years old at this point. He goes to see his mother and his father, and they heard about his fraudulent concert ticket thing, and they were mad. They scolded him. They shamed him. Hieu was just lying back to them.
HIEU: I gave them only false promises, you know? I told them I will be a good boy and I will be a better person, not doing anything illegal. I kinda feel very ashamed, you know? So, my mom, she was crying a lot. But back then I was twenty years old, nineteen years old. I tried to be a good person. I didn’t touch the computer within six months when I got back from New Zealand. I told my mom I want to go to Ho Chi Minh City to learn computer science at the university in Ho Chi Minh City. My mom, my dad, they kinda believed me that I’m kinda a changed person, and hopefully this time will be the last chance for me.
JACK: So, around 2009 he moved to Ho Chi Minh City and enrolled in the computer science and cybersecurity program at the university.
HIEU: But during that first year I went to hang out with all the old-school hackers in Vietnam. They all black hat hackers. They heard about — I got problem, I got trouble in New Zealand by using stolen credit cards. I say, yes, that’s why I don’t want to touch the computer anymore. I got so scared. I almost got caught. [Music] They told me, you know, why you don’t think about US identity or personal information? It should be safer. It should be — easily to sell that.
JACK: So, these hackers were telling him, yeah, of course you got in trouble for stealing stolen credit cards, man. Don’t mess with money. The police are gonna get mad if you do that. That was your mistake. They take credit card theft very seriously. Heck, I bet the US Secret Service probably has a case opened on you. What you should have done is gone into the business of stealing the identities of US citizens and sell that. Not only can you make money doing that, but the Secret Service doesn’t give a crap about stolen identities. In fact, nobody does. They’ll never come after you for stealing identities, especially if you stay here in Vietnam.
They can’t touch you. So, you should try stealing US identities. So, Hieu starts looking into it. My goodness, he thinks, they’re right. Stealing identities and selling that is far less of a crime than stealing credit cards and just as valuable on the dark web. He wasn’t sure why it was valuable, but if he could get all the personal details of someone like their address, social security number, phone number, work history, the type of car they have, then people will buy that up like crazy on the dark web. So, he starts looking around for places that might have all this information on US citizens.
HIEU: I did it in — kinda in the long term. I just see whatever I see in front of me, and the money, it kinda blind my eyes. I thought it should be safer in Vietnam. This is US identities; it should be fine.
JACK: I mean, the logic checks out, right? Stealing identities of people in a far, far away country — no chance of them catching him in Vietnam, right?
HIEU: Eventually I spent almost a month — recon and also doing lots of OSINT to get me a list of all the data brokers in the US to be able to provide this data.
JACK: Data brokers; of course. They would absolutely have a ton of people’s identities. Okay, so if you don’t know, a data broker is a company that spends an enormous amount of effort gathering up as much information as they can about you. Here’s how they do it; number one, they’ll copy the whole phone book into their database. That’s got everyone’s name and phone number. Then they’ll take a copy of all the county records. This includes who owns which property, court records, marital status. Then they’ll look at your social media account and scoop up any photos that you have taken of yourself and posted, e-mail addresses you list, affiliations, like which school you went to or place you work.
LinkedIn is being scraped by data brokers all day, which you personally have told what your skills are, who your coworkers are, where you work, and what you look like. Now, to me that’s already spooky enough that someone would go through all this trouble to get all this data on me by doing all that. [Music] But some data brokers go far deeper and are way more sinister at getting data on us. They have been known to install trackers on your phone which typically just comes along for the ride on popular apps. Like, a data broker may pay an app developer to put a tracking pixel on the app so that they can track people even more. This means a data broker is often collecting cell phone data which could include your phone number, the app usage, but more interestingly, up-to-the-minute location information.
Some data brokers go even further and set up antennas around town and watch what phones interact with those antennas, and they can track your phone location that way. Some have been known to put little sensors on roads to identify which cars have passed down that road, and take pictures of license plates going by, too. Of course, purchasing history is important to them. I’ve heard stories of data brokers buying your purchase history data from retail stores. If you don’t know, a lot of retail stores are very closely tracking all the purchases you make with your credit card and have a complete history of everything you’ve ever bought with that card in their store. Sometimes they even track where you are in the store and what you stop to look at to see what interests you.
Yes, absolutely, data brokers are buying up all this data that the stores are collecting on you, because this consumer behavior is worth gold to these data brokers. So, why do these data brokers do this? Why do they go to such great lengths to build databases on us? Because there’s a lot of people who are willing to buy this data. Your data is very valuable, and I’m not talking about selling it on the dark web. We’ll get to that. Data brokers often sell their data to law enforcement, and this has been a growing problem over time. I feel like law enforcement has found a loophole to ignore the Fourth Amendment. As a refresher, the Fourth Amendment says you have a right to privacy from the government. The government should not be able to see into your life without a warrant or probable cause, but they are through data brokers.
There’s something called a third-party doctrine now which says if you give your data to a third party, you no longer have a reasonable expectation of privacy from that data. So, that means if you have money in the bank, the bank can share your data with the government without a warrant, and law enforcement can purchase your location data from a data broker without a warrant because it’s commercially available data. Data brokers are trying to ruin the Fourth Amendment. I want you to look a little closer at where this data is coming from. Yes, a lot of it is publicly sourced, but a lot is not. A lot is data that you think is just private between you and the party you trusted your data with. But they’re selling that data to others.
So, if you think it’s safe and secure but it’s secretly being scraped and sold, I would say that’s spying on you, which — the government isn’t allowed to spy on its own citizens. I mean, mass surveillance is against the law flat out, but they can get away with it because data brokers are the ones doing the spying and the mass surveillance, not the government, and then they’re selling it to the government. Now, I’ve tried to remove my digital footprint as much as possible, but there are still things that I’m forced to do which hurts my privacy, and I hate it. For instance, any time I see a doctor, I can’t do it under a fake name. They have a strict policy where I have to prove my identity in order to get medical treatment, and then my medical records are being passed around to millions of people.
HIPAA isn’t there to protect our privacy. It’s there to assist others to get our data. The portability part of it means they’re making it easy to package up our data and send it to whoever asks for it, and there are millions of people and entities that can access HIPAA and patient data. Second is banks. There are laws in place where the banks have to verify who you are before they do business with you, know-your-customer-type stuff. The banks are forced to report certain activity to the government. So, millions of customers’ banking data is going to the government again without a warrant. Lastly, I hate all this public record stuff. If I buy a house, get married, go to court, start a business, get arrested, all that is public record and it gets abused all day, every day, because it is. I have no choice when it comes to these matters.
My banking history, medical information, marital status, there’s no way to opt out of any of it, and data brokers are just licking their lips, sucking it up as fast as they can, and they’re profiting off of it, and they’re using it to strip away my rights. But don’t think it stops there. Data brokers are just companies trying to make money, so they have no problem selling your data to Walmart, Facebook, Google, insurance companies, credit card agencies, ad agencies, because all these businesses would love to know more about who you are so that they can target you with ads or to calculate the risk of doing business with you.
These data brokers absolutely do not want you to know they exist. They do a great job at hiding their presence in the world. Let me give you an example. I’m going to list eight of them for you, and I bet you’ve never heard of any of these companies, yet there’s a high chance that all of them know exactly what you’re doing right now. Merkle, LocatePLUS, LiveRamp, MicroBilt, Venntel, SafeGraph, X-Mode Social, Court Ventures. I certainly don’t know anything about these companies, but Hieu was learning a lot about them.
HIEU: [Music] I find out, right, that there are a few key players in this data business related to the US. They provide this data to law enforcement, to lawyers, to private investigators, stuff like that. I think, man, it’s very difficult to get this information. You have to prove yourself. You have to be verified. So, that’s why I put lots of time, almost a month, and I hacked into two different data brokers, very popular ones. The first one is this LocatePLUS.
JACK: LocatePLUS is a data broker that markets itself to people doing background checks and investigations. They get their data from criminal records, property records, the phone book, and also gather social security numbers and date of birth.
HIEU: The first one I hacked into is the LocatePLUS, and the second one is the MicroBilt.
JACK: MicroBilt collects data on US citizens which includes criminal history, employment history, address history, and social security numbers. They also keep records of your utility payments, rent payments, loan payments, and stuff like that to see if you pay your bills on time. The big credit bureaus use this one, like Experian and Equifax, because your credit score is a reflection of how well you pay your bills. But not only that; landlords use MicroBilt, employers do background checks on it, and lenders look to see how much of a risk you are before doing business with you.
HIEU: So, the two companies, LocatePLUS and MicroBilt, I hacked them a few times. First; SQL injection. The second one, the file upload vulnerabilities, and the third one, cross-site scripting. When I got into the database, right, I steal the customer logins of the law firm, and then I used that to be able to log into the platform and make queries.
JACK: Okay, interesting. He didn’t get into the main data broker database. Instead, he was just able to get into the web portal side of things which had user accounts, and that’s the people who use the site to do background checks and look-ups with. He was able to steal some of their log-ins. So, now he could log into the site and use it as if he was a lawyer or a cop or an investigator who’s been vetted by the site to look up anyone’s data.
HIEU: I could sell your name, the state that you’ve been living or the city you live in, and that’s all. It will pop out the possible people’s identity related to that name, and — in the city, and you can get the social security number, driver’s license, all the previous ten year’s addresses that you’ve been living, even the current one. Also we obtained your relatives, your family members, right? You can also get the information.
JACK: Now, these sites charge for their service. It’s often a pay-per-search kinda thing. So, when he would search, it would go to someone else’s bill. He thought if he did a lot of searches on one user, then their bill would go way up and then they’d investigate — what’s going on here? And they would find out that he’s been using their account and they would shut it down. So, he would cycle through all the accounts he had to spread out his activity.
HIEU: [Music] I remember I was using more than five thousand accounts on MicroBilt alone.
JACK: So, with his access, he could look anyone up and get their full name, maiden name, phone number, e-mail address, where they live, address history, social security number, driver’s license, where they work, work history, and the VIN number for their car. He decides to build a website to charge users to be able to look up people in this database.
HIEU: Because so much information. Then I built a website and then I took that website — I sell to all the cyber criminals around the world for like, one dollar for one search, kinda like one-for-one information, one identity, basically.
JACK: The first week of him launching this website, he made $5,000 from people doing searches on it. It was an instant hit. He wasn’t sure why people were using his site to search for other people, but he didn’t care. He just saw the money coming in and was like, yeah. Interestingly, this was the early days and crypto wasn’t really adopted so well yet, so he wasn’t accepting that.
HIEU: Back then, I didn’t use Bitcoin. We used Liberty Reserve.
JACK: Liberty Reserve was sort of like a PayPal in the way that you could send money to someone online, except they didn’t do much in regards of checking people’s identities. So, it became known as the place for criminal transactions around 2010. It was the go-to place for stuff like that for a while. So, he was getting tons of Liberty Reserve dollars and they were piling up in his account there. Then he was using some Vietnamese money mules that he found on the dark web to send them his Liberty Reserve dollars, and they’d cash it out and give him cash. Things were looking good for a few months.
HIEU: But, you know, the thing is not stable because the two companies, they find out about the vulnerabilities, so they shut down and they also fixed the vulnerabilities. Kinda like me and them, we’d been playing the cat-and-mouse game. They fixed the vulnerability, I’d find another one, so we’d keep hacking and fixing. So, I got tired.
JACK: He was getting tired of constantly trying to find new ways to stay in the system. They were getting good at detecting him and geeking him out. So, he stops to think about it. He thought, why struggle to maintain access when he could just become a paying user of the site? [Music] Now, MicroBilt would only allow certain people to use their site. You had to be a professional investigator or a cop or in a position that you can be trusted with this data. There’s a serious vetting process. So, Hieu decided, why not try to act like a private investigator and get in? Step one, create a driver’s license with a fake name.
HIEU: At first I got the license through Google, but it didn’t work. I tried to do Photoshop and stuff like that, but it couldn’t work out. It’s not good quality.
JACK: Okay, that didn’t work. Time for Plan B. Try to impersonate someone who is allowed to have an account there.
HIEU: So, I did an OSINT through gathering all the list of e-mails address belonging to private investigators. You know, when I hacked into MicroBilt and LocatePLUS, right, I got the e-mail address already. I got all the list already. So, I used that to do phishing. I was phishing them to a malware so I can — got into the computer.
JACK: Wow; so, the five thousand users that he got from MicroBilt, he could see which ones were private investigators and get all those e-mails and also their data from the data broker to know everything about them, and then send them phishing e-mails. If they clicked the link, he would infect their computer with malware, essentially giving him access to their computers. When he got access, he would look around to see if he could find any identifying documents for these private investigators so he could impersonate them.
HIEU: One of the private investigators, I remember he was living in Michigan in the US. I got into his computer through the malware. I got all the data on his computer, including the private investigator license, even his passport, his social security numbers, and I got — I mean, I got everything. Back then, the people, they still got a habit of saving all the sensitive stuff on their desktop inside the spreadsheet, right? Kind of like an Excel file storing the username and password, like sensitive information in that file. I got that file, too. So, I got all the information; date of birth and driver’s license, stuff like that. So, I impersonated as him under his name. I obtained an account at MicroBilt. So, I got the MicroBilt account officially. I was using that maybe a month or two. So, they find out it’s a fake account. So, they shut down my account.
JACK: So, he’s realizing MicroBilt is giving him a lot of trouble and decides to look at another data broker to maybe register an account there. That’s when he found a data broker called Court Ventures.
HIEU: Court Ventures provided an API and data access for the people through Macquaries to be able to obtain the US identity.
JACK: Oh, this is even better, he thought. If he could get API access to make queries and do searches, that’s a whole lot easier to integrate into his website. They were just like the others; they had address history, criminal history, full identity data, and yeah, investigators, cops, fraud detection agencies, and credit bureaus loved using Court Ventures to look up people’s data. He found a private investigator in Singapore and was able to obtain all his details and was going to impersonate him to try to get an account at Court Ventures. [Music]
HIEU: I got his license and I’d be impersonating that guy, the private investigator in Singapore, and then I used that to apply the Court Venture account. I paid for them. I was dealing with them like a real businessman. I said, yeah, I was doing it for a big company doing background checks for Microsoft, Google. So, I need lots of queries every month to do background checks. They’re okay with that because I paid for them and I told them I want to have a good deal. Then the CEO of that Court Venture company, they gave me a good deal. I remember fourteen cents; fourteen cents for one information. So, I say, yes, okay, we making a business contract, too. I faked the signature. I faked the name, everything. So, I send back to him, and they didn’t verify anything. They just keep going. Like, they ‘okay’ everything.
JACK: Okay, he got the account. He could do searches on people now. Good, good, he thought. But he wanted that API key, so he applied for it, and a few weeks later, they gave it to him. [Music] Incredible.
HIEU: So, I got the account, man. I say, oh, oh my god, I got the API access to almost 200 million US identity right there, and only to do — to integrate that into my website. That’s all.
JACK: Yeah, 200 million US citizens’ details were in this data broker. That’s over 60% of all US citizens’ data. That’s incredible. At fourteen cents per look-up, he could sell each of those searches for a dollar on his website. His grand plan was starting to come together.
HIEU: So, at that time, my website is still on the clear web. You know, anybody can gain access, but most of the clients that I have is all cyber criminal. Technically, I didn’t care what they — whatever they had been using these identities. So, I just keep selling to the API of the Court Venture. I remember every month I was making more than $120k a month, USD.
JACK: Yeah, he really didn’t care who used the site or why. He didn’t even ask. All he knew is that people liked using it to look up people, and he could make a nice profit off it. So, it seemed like a good business model to him. But even though he was making $120,000 a month, he still had a massive bill to pay to Court Ventures every month.
HIEU: I was paying for Court Venture every month from $20,000 to $35,000 USD per month. Yeah, they’re happy and I’m happy as well. So, we’re kind of in a win-win situation. I keep running that website for over two years, and I was making more than $3 million USD by selling the US identities.
JACK: It makes me wonder, is any of this illegal? I mean, can you squarely point at who the victim is here in this situation? Do you know the story of Irate Joe’s? It’s an interesting one. So, there’s this US grocery store called Trader Joe’s. It’s fantastic. I love it. A majority of food there at Trader Joe’s is the Trader Joe’s branded stuff, and people get hooked on that brand. Well, up in Vancouver, Canada, they were begging Trader Joe’s to come open a store here, but Trader Joe’s refused. They’re like, nah, we only focus in the US. We’re not going international. So, some guy in Vancouver is like, you know what? I’m gonna open my own Trader Joe’s in Canada. Why not? Because if they’re not gonna do business here, then there’s probably no jurisdiction issues or harm. It should be fine.
So, he crosses the border into Washington State, buys a ton of Trader Joe’s stuff, and drives it back to Vancouver and opens up a little shop called Pirate Joe’s. He charged more than Trader Joe’s did because of the logistics of it, but hey, people in Vancouver were happy to get some of their favorite food items finally. Trader Joe’s was like, hey, you can’t do that. Pirate Joe’s was like, nyah, nyah, we’re in Canada. Your US laws don’t apply here. He was right. Trader Joe’s had a really hard time getting anywhere legally, but eventually they convinced a US court to force a trademark infringement on Pirate Joe’s, saying the name of the store is too similar to Trader Joe’s, and they’re smugglers. So, what did they do? Pirate Joe’s dropped the P and renamed the store to Irate Joe’s, and they clearly put all over their store, ‘We are unaffiliated, unauthorized, and unafraid’.
Trader Joe’s was furious that they stayed open and started banning them from coming into the store to buy stuff. They banned the owner who was driving twice a week to buy $5,000 worth of groceries from Trader Joe’s. Then he got his coworkers to go to different Trader Joe’s and try to buy stuff from there, but Trader Joe’s started figuring out which stores in Washington they were visiting and buying food in the shop, so they would block these other people from purchasing things. So, Irate Joe’s started asking their customers to help stock the store. They’re like, hey, if you’re going to Washington, please pick some stuff up for us at the store. Soon, dozens of people were now helping stock the shelves at Irate Joe’s. I’m telling you, people really love Trader Joe’s stuff, and crowd-sourcing the buying was working for them.
But Trader Joe’s was putting more and more limits on how much people could buy in the stores that were close to Vancouver. The guy who owned Irate Joe’s is like, bro, I’m your biggest customer by far. I buy more than anyone else in this store. What is your deal? We’re not asking for anything special. We just want to buy what you have. But Trader Joe’s kept giving them legal trouble, and eventually Irate Joe’s shut down from the expensive legal fees that they kept facing. Again, here’s a situation where I wonder, who’s the victim? Trader Joe’s sure thought it was them. But what do you think? I mean, when I was a teenager I used to buy things from the Dollar Store and then sell them on eBay for five dollars each.
If it’s legal for data brokers to sell identities of US citizens, why would it be illegal for Hieu to buy those and resell them for more? This is the part I don’t get. It’s apparently perfectly fine for a data broker to buy and sell identifying information on US citizens, but it’s not for Hieu? In Hieu’s case, he didn’t hack into the site. He didn’t steal anything. He was a paying customer of Court Ventures and was paying them a lot of money for all the searches people did, and they seemed to be fine with that, happy that Hieu was their customer. So, he had his little website set up and accepted payment from Liberty Reserve, and users could search Court Venture database through the API.
HIEU: At first that website’s called ussearching.info and then eventually superget.info and findget.me, stuff like that. I — changing the domain name constantly to avoid law enforcement. I was selling more than — a little more than three million US identities during that two years from 2010 to 2012.
JACK: Okay, let me do some math. Okay, three million searches, fourteen cents per search; that’s $420,000 that he paid to Court Ventures in all this. Geez, that’s a lot of money Court Ventures made off him. That was fine for him because he made over $2.5 million in profit after that. Unbelievable.
HIEU: During 2011, right, I dropped out of school. I didn’t study and finish the university anymore because I was thinking, man, I was making lots of money. Every month I was making up to $120k per month.
JACK: What were you using the money for that you were getting?
HIEU: Back then I was too young, too dumb. Lots of money I spent on stupid stuff, on five-star hotels and business class. I spent lots of money on stupid things, and I wasted lots of money for cars and luxury stuff.
JACK: What kind of car did you have?
HIEU: I have — I was having three different cars, two sport cars. One of them is a BWM, the convertible one, and another one is a customized car, like a full customized one that — I don’t even know what kind of car is it, but kind of one of the — I remember I used that car to be in a contest for a good customized car, and I won a prize as well, too. You know, I spent so much money on that car and customized it and fine-tuned that car. The other car that I have is a luxury car, Lexus, right?
JACK: Yeah, so, what did your parents think of all this money?
HIEU: I was lying to them; you know, I was working for a international bank in the US, and they hired me to protect the system and also building their website. You know, all the lies. When I’d meet up with all the people kinda the same age, even the people that I know on the street, they’d ask me why I am so rich. I lied to them because my family wasn’t a wealthy family. They got everything for me. That’s why. So, I kinda — lying with each other, with different stories, you know? Then I was kinda very tired, though.
JACK: What were the people that were using your site — do you know what they were — why they were searching for people? What was the point of them paying for people’s searches?
HIEU: Good question. The question — the answer for this at that time, I didn’t care much about how did they use this information. All I know — maybe they used that to impersonate somebody or even they used it to bypass the credit card transaction, authentication, whatever. [Music] That’s all I know.
JACK: So, like he said, this went on for years. He was able to automate a lot of it, so he would only do a few hours of work a week to keep it all going. Life was going great for him.
HIEU: Eventually Court Venture, right, they got acquired by the Experian.
JACK: Oh, interesting. In December 2011, Experian bought Court Ventures. Now, Experian is one of the three major credit bureaus in the US. They create a credit score for every US adult. Rental places and loan agencies will check your credit score before doing business with you. So, Experian loved the data that Court Ventures had on people so much that they just bought it outright. I couldn’t find what the purchase price was for 200 million US citizens’ data, but I imagine it was in the millions of dollars. Now, after Experian bought Court Ventures, the Secret Service contacted Experian and was like, you know that company you just bought?
Yeah, well, we have reason to believe that they are giving data to someone who is illicitly reselling it to criminals. Experian is like, what? Say that again. Court Ventures never told them this in the trade deal. So, Experian quickly shut down Hieu’s account and cooperated with the Secret Service. In fact, Experian was so mad that they sued Court Ventures for not taking action on this earlier. I suspect the lawsuit was because they were misrepresenting their business in the trade deal. So, the Secret Service now had their eyes fixed on Hieu. [Music]
HIEU: One of the court requests from the US Secret Service — asking about the status of my account, the fake account. Eventually they shut down my account at Court Venture.
JACK: They shut down his account entirely, but he had a back-up plan in case this did happen. He had a second account, not one he made, but one he stole the password to, someone else’s account. He could use their account to continue to do look-ups. But he no longer had that API access where he could automate it.
HIEU: That belonged to one of the company — one of the US data brokers as well, too. It’s called ussearchingfor.com, something like that. I don’t remember. It’s a long name. But anyway, this company — I got one of the accounts through a phishing attack, and I used that to do — manually searching identity for all the people who still need the service.
JACK: He wanted to get another API connection to Court Ventures. This hand-searching stuff was just taking way too much time, so he starts e-mailing them; hey, how come you shut off my API connection? I need it back. But what he didn’t know is that because the Secret Service were investigating him, it was them who was responding to his e-mails.
HIEU: They were making up a story that they will offer me a good API connection not only to the US identity data but also the UK identities data. I was like, whoa, it’s a good business account, too good to be true, [music] but at that time the money just blind my eyes. I said, okay, it looks good. But the thing, they — I feel something suspicious going on, too, something not right.
JACK: Apparently there was another guy that was doing the same thing as Hieu, also reselling data broker data, but the Secret Service caught that guy who was in the UK, and that guy was assisting the Secret Service to catch other people doing the same. So, that’s what felt off to Hieu. He was talking to both the Secret Service, an agent named Matt O’Neill, and a guy from the UK named Mark who got caught reselling identities.
HIEU: His name is Mark. He still keeps communicating with me through e-mail and even called me through — I remember; through Skype back then. They said they wanted me to go to the US and also go to Australia, go to Hawaii. I say, no, I don’t want to go there. But Matt O’Neill and Mark, they collaborated together and they lured me to Guam.
JACK: They told him if he can meet them in Guam, they’ll give him all the things he needs for his API access. They made up a story of why they need to meet him in person, something like, oh, the big boss really wants to meet you. You’re one of our best customers, and we can get the contract signed right then and there.
HIEU: Then we can open a big party, you know? So, we can have fun together and then you can fly back to Vietnam. Everything good.
JACK: So he decides to fly to Guam, which is kind of near Southeast Asia. He figures it’s the closest option that they gave him, and it looks safe.
HIEU: I didn’t do any research about Guam. I thought it’s just an island. Nobody cares. I heard that some Vietnamese people, they’re living over there as well, too. Maybe it’s fine. If there’s any problem, I will go to talk to my people asking for help. Then I bought a ticket and then I went to Guam with my sister, because back then my English is not really well, and I went there with her together. The moment I landed at the international airport, they escorted me to US custom office. That moment, that very moment, I feel like, man, something going on, something fishy. Then they told me, sit down, Hieu. We want to talk to you a little bit. I was so nervous. I was trembling, like, man. It was shocking. I was saying, man, something’s not right.
They put a stack of paper — I remember maybe ten inches thick, very thick documents, and they told me, we know about you. We know everything about you, maybe more than your family knows about you. [Music] That moment, I say, man, it’s over, it’s over, and that’s it. I felt like I was on top of the world, and right now I was living in hell. That’s it. They sent me to the jail in Guam after that, and I sent my sister back to Vietnam. I told the prosecutor and the US Secret Service agent — I say, my sister had nothing to do with this. It’s all about me. So, they released my sister, and I was staying in the jail in Guam for more than — a little more than two months, and then they sent me back to the mainland, the US mainland, to many different jails. They sent me to Hawaii, to Los Angeles, Nevada, they sent me to Oklahoma, New Jersey, and then New York, and then New Hampshire.
JACK: New Hampshire is where his case was going to be tried, so that was his final destination. He was stuck in prison through the entire legal battle. Apparently the US prosecutor who first investigated him was in New Hampshire, and so that’s why his trial was there. Reflecting back on how he got caught, he has a few theories. First, he blames Brian Krebs, a cybersecurity journalist who did an article that said how criminals can look up people on the dark web, and Hieu’s website is listed there. So, he thinks that’s how the Secret Service probably first learned about my website. On his website he made a few mistakes.
The first week of having it, he used a hosting provider but registered it under his real name, but then he changed the registration to an anonymous name, but those past records are still visible. Second, he used to have his personal e-mail address on the website for contact details. So, these slip-ups would have easily traced someone to Hieu. I also believe that the Secret Service probably used his site, did some searches on people, and then tried to correlate that with the logs at Court Ventures to pinpoint exactly which user Hieu was using for his site. But this whole time, he wasn’t sure exactly why he was arrested. He was paying for these searches in full. Where’s the fraud here? Where’s the crime? But it wasn’t until after his arrest where he learned what people were using his site for.
HIEU: The federal court, they told me the information that I stole and also — sell that to other people, they’re using it for tax returns. That’s something new to me. I never knew that, tax returns. Then I find out what’s tax return, and it’s very serious.
JACK: What people were doing was going to Hieu’s site, looking someone up, getting all their details, and then try to file the taxes for that person. See, here in the US, we pay taxes to the government all year, and typically people overpay on their taxes so they get a big return come tax season. So, a lot of Americans get a check for maybe a few thousand dollars every year from the government because they’ve overpaid on their taxes. Well, criminals know this, so they file tax returns on other people, and they put on there that they should get a $2,000 refund.
Then the IRS processes the tax filing, and they look at it, and it looks legit, and sends this person a $2,000 check. When the real person goes to file their taxes, the IRS is like, oh, no, no, no, you’ve already filled it out. We’ve already sent you a check. Now suddenly there’s a bunch of Americans saying, oh no, I didn’t. Give me my money. There is a big problem. So, the Secret Service was investigating this because Hieu’s people search engine was complicit in helping criminals defraud a lot of American citizens. Apparently there were a lot of people in New Hampshire that someone stole their tax return check.
HIEU: You know, I got so much information, and then it turns — kinda like thousands and thousand of victims in New Hampshire.
JACK: Okay, there’s the V word, victim. We found a victim, the people of New Hampshire who didn’t get their tax refunds. Okay, sure, they’re victims of identity theft. I’ll give them that. But typically the IRS will understand and pay them anyway, essentially giving out two refund checks. So, this makes the IRS the victim. But then you could say, no, it’s the US taxpayer that’s the real victim, because this is money that’s just lost. It drives me nuts how much money the IRS loses on this every year. Like, every single year the IRS will give out billions of dollars to criminals submitting tax refund scams. I just have to ask, IRS, when are you gonna take this problem seriously? You’re world-class at collecting our money but terrible at distributing it to the right people. Billions of tax dollars are lost every year because a criminal asked you for money. How is this acceptable? So, what were your charges? Because I have no idea what you’re actually guilty of still.
HIEU: Yes; technically you can read that on the US courts’ records.
JACK: Okay, fine, I will. Alright, he’s charged with three items here. All three are violations of the CFAA. Figures, right? The first specifically says he used a data broker in a way that they didn’t authorize him to use. It’s against their terms of service to resell the data that you’re given access to or to impersonate someone to get an account there, and he did that. He absolutely violated their terms of use, and that is what the Secret Service is saying he’s going to prison for, unauthorized access, which we can guess means that he impersonated an authorized user, which is against their terms of use. You know how many of us violate the terms of use on websites? We all do all the time. Like, if you ever let someone use your Spotify or Netflix login, that’s the same violation, unauthorized access. He’s being charged with that sort of thing.
Second item; specifically it says he’s personally gained money from violating his access, and the third item is that it was in excess of $5,000. So, all three of these are CFAA violations, and it drives me nuts that if you violate a website’s terms of service, it’s a federal crime. I don’t know why it’s not just a civil issue, a problem between you and the website. Like, why is it a federal crime? I think the site has grounds to terminate you, ban you, and probably even sue you for violating their terms of service, but prison time? I think that’s just going too far. But that’s how it is. It’s a federal offense to violate a website’s terms of use. I’d be remiss if I didn’t mention Aaron Swartz here. Aaron was an MIT student, and because he was a student, he had access to academic research papers through a place called JSTOR.
Well, he thought this information was so valuable to the world that he was downloading it and publishing it for free. The world should have this academic research, not keep it exclusive only for university students. But JSTOR was pissed. They called the feds on Aaron for violating their terms of service, and the DOJ charged him with thirteen felony counts, and he was facing thirty-five years in prison. They told him, look, if you take a plea deal, you’ll probably only do six months in prison, but he absolutely did not want a felony on his record, a felony for violating the terms of service. The pressure was too much for him, and Aaron killed himself.
So, after that, politicians were like, whoa, whoa, whoa, why does the CFAA have it written in there that unauthorized access to a website is a federal crime? People are dying over this. Just because you violated a website’s terms of use should not be a federal crime. So, Aaron’s Law got proposed, which asks to change the CFAA to stop saying that a terms of use violation is a federal crime. But sadly, the law didn’t get passed. Can you tell I hate the CFAA? See, here, I’m upset about this because first of all, these data brokers are collecting data on us without our permission. So, there should be — they should be the ones that are doing illegal things. Second of all, they’re selling this data for fourteen cents per look-up. You’re selling it…
HIEU: Very cheap.
JACK: …for one dollar per look-up. Yeah, so…
HIEU: Right.
JACK: The only real thing here is that you’re saying, hey, I’m just up — I’m doing an upcharge for this and giving you access to more people. It’s not really stolen data. It’s actually paying for the data as you’re using it, and you’re right, the unauthorized access is a CFAA violation and I could see them saying that, but I’m just so frustrated about this because you didn’t do any money laundering in the US. So, for them to say you did the money laundering there, it’s not true. You did that in…
HIEU: I know.
JACK: …Vietnam. So, I’m just frustrated on your behalf.
HIEU: Right. I know, but the thing — is what it is, though. That’s how it worked. Also, the damage amount that they put in my case is very huge, though, like over $60 million USD.
JACK: The prosecutors were saying he caused $60 million in damage. Of course, they didn’t explain how they came to that number. It’s kind of impossible to look through three million look-ups on Hieu’s site and then connect that to what identity theft crimes happened for those people and then add up how much money was earned from that. Anyway, all that was secondhand. None of that stolen money was done by Hieu. So, they likely just made up some number, but he’s not the one who did the identity theft. He’s not the one who did tax fraud scams. So, it’s maddening that they’re saying he’s the one who’s responsible for all that damage. Like, Hieu is a criminal. He is the bad guy here, okay? I’m not trying to say he should have gotten off. He absolutely did break the law.
What I’m saying is that this is the wrong law to be charging him with, because I hate when the CFAA is used like that. They tried to say he was also in trouble for money laundering, but he didn’t do any of his money laundering in the US. So, I’m not sure if that one even flies. But none of his charges were for any of the credit cards he stole or drained, all those sites that he hacked into back then. There’s nothing about all the concert tickets that he bought and then essentially scammed all those people. Those are easy charges to slap him with, yet they’re completely absent here. There is a law around identity theft, but I think it would be hilarious if they charged him with that, since that’s the whole business model of what data brokers do already, right?
They work every day to grab as many identities as they can without anybody’s permission and then sell them. Not only that; he didn’t steal the identities. He paid for them. So, the theft part would be in question, too. I think the proper crime here that they probably should have charged him with is that he was knowingly helping criminals conduct crimes, right? Like aiding and abetting and conspiracy, that sort of thing. Hieu knew his site was used by criminals, and they were his favorite customers because they would pay for tons of searches. So, he was catering to them, making it easier and better for them to use his site. So, while he didn’t do any of the tax fraud himself, he did help a lot of people do it. But he wasn’t being charged with aiding and abetting.
He was being charged with violating the terms of service of a data broker, where he was impersonating someone else to get an account there. But the thing is the feds would have a much harder time proving his site was intended for criminal use compared to simply giving him a CFAA violation, which is easy to convict someone of. Like I said, we all violate the CFAA all day, every day. So, in my opinion, the feds charged him with the wrong crime because of the almost guaranteed win for them as opposed to charging him with the right crime and then struggling to find evidence to prove that he did that. By the way, while the feds said that he caused $60 million in damage, nobody was asking for restitution there. None of the data brokers were saying he caused them damage.
So, if he did do all that damage, find that victim and bring them into the case. Because here’s the thing; I’m looking at the indictment and there’s not a single company name here or a victim name listed at all. Of course not, because the data brokers want to hide from you. So, the only thing listed there is Company A, headquarted in New Jersey, and it said he did an SQL injection on Company A. Well, by doing a little bit of research, it’s kind of easy to figure out that the data broker in New Jersey that they’re talking about is USInfoSearch, which Hieu did, in fact, steal credentials and used that site, but not much at all. It was such a small blip in his story that it’s hardly worth mentioning, yet that’s the company that was saying he got unauthorized access to. But here’s the thing; here’s how it all connects.
Court Ventures was partnered with USInfoSearch. If you were a paid Court Ventures user and you look someone up, they had a connection to USInfoSearch, so you’d get results from them, too. I’m just connecting the dots here, but that sounds like to me that Court Ventures was reselling data broker information that they got from USInfoSearch. Surely whatever deal they had with USInfoSearch, they were selling that data for a higher price to their own customers, right? You see my point. This story is pretty bizarre. So, you could say this company listed in the indictment, USInfoSearch, was the back end and provided data to Court Ventures, and it’s USInfoSearch that the US government is saying Hieu got unauthorized access to and profited off that access. You say the victims were the people who got their tax fraud or whatever stolen, but I really think the victims are the people you were stealing from, right? LocatePLUS, MicroBilt, and the Court…
HIEU: Right, Court Venture.
JACK: …Venture. I think those are the people you were robbing or attacking, and I’m surprised they — were they part of the case at all? Did they come and testify against you or give evidence?
HIEU: No, no. I don’t — I didn’t see anybody from these companies.
JACK: Yeah, but I can’t — I just — did you have a good lawyer?
HIEU: I paid for the lawyer. I spent almost more than — I think up to $700k.
JACK: Wow.
HIEU: Yeah, for the lawyer.
JACK: Because I would have fought to say — yeah, you’re saying that he caused $60 million in damage. However, he did not actually do any of that damage. He just gave the information to someone else, and someone else did the damage. He never did a tax fraud. So, you can’t say he’s the one who did tax fraud. It’s like if I sell you a lighter and then you take that lighter and you burn a building down with the lighter. I’m not in trouble for selling you the lighter. The person who burned the building down is.
HIEU: True. But, you know, back then, lots of people told me the same thing. I shouldn’t keep — you know, I shouldn’t hire a lawyer. I should keep that money.
JACK: Yeah.
HIEU: But, you know, my family, they’re so worried and they can look up on the internet; oh yeah, this is a good lawyer, good rating, five-star rating, international lawyer, whatever, in New Hampshire, a professional one. Yes, that’s what happened. I remember every time the lawyers and his team meet me up — like, every time, it cost me $5,000 to $10,000 USD. An e-mail I sent to him or the lawyer team, it cost me $200 or $300 USD for one e-mail.
JACK: I know, lawyers are so expensive.
HIEU: I know, very expensive. But it was easy money; easy go. So, for real, I don’t really complain about it because at the end of the day, it’s kinda like dirty money.
JACK: You know, another thing that really bugs me about this whole thing is neither MicroBilt, LocatePLUS, or Court Ventures ever told their victims that there was a database breach.
HIEU: No, they never say — even until now, I search about them and they never mentioned anything about it even though it really happened to them.
JACK: What scumbags. I just — I have no sympathy for these data brokers. I absolutely hate them. They take my data without consent. I can’t even opt out if I want. They don’t protect it, and when it’s lost in a data breach, they don’t even have the decency to tell me that my data that they gathered on me got loose. Hieu was desperately trying to get his lawyer to help him. But here’s the thing; there’s a 99% conviction rate when the feds slap you with a CFAA violation. In all the cases of the feds accusing someone of a CFAA violation, I’ve only been able to find two or three cases that the defendant actually won. The rest were people pleading guilty or found guilty in trial, and so, the chances of Hieu getting off were slim to none. He tried to fight it, but everything they tried just kept getting denied by the courts. After a few years of fighting, Hieu got tired and was running low on cash.
HIEU: My lawyers explained to me I might lose the trial. I might get up to forty-five years in federal prison.
JACK: Forty-five years?
HIEU: I got so — right; I got so scared. All the charges all combined together — not only from New Hampshire, right, but also from the — from New Jersey as well, too. So, I got two criminal charges from New Hampshire and New Jersey. So, they all combined together, and they said up to forty-five years if I lose. So, my family and me were so scared. So, we — plea deals and, yeah, I pled guilty during the summertime of 2015.
JACK: Guilty, guilty of doing $60 million in damage. When your sentence came up or during the plea deal, did you offer to give up your money to reduce the sentence? How did that go?
HIEU: Oh, yeah. My family also asked them — they want to give back all the money, but they said, no, they don’t need that.
JACK: Really?
HIEU: Right. They don’t need money. They don’t need any assets. They don’t need anything. So, it was it. So — but the thing, you know, I spent lots of money on lawyers, on — during my incarceration as well, too, for food and medication and stuff like that.
JACK: So, they didn’t take any of your money or property or cars or anything?
HIEU: No, no. They didn’t care. It’s like, they don’t need that.
JACK: They just want you.
HIEU: They just want me.
JACK: After pleading guilty, he was sentenced to thirteen years in prison, thirteen years for getting access to data broker data which he wasn’t authorized to access. At this point I’m wondering what if — instead of Hieu accessing data broker data to sell that, what if he just made his own data broker business, you know, for anyone to access? Would that be illegal? Like, if Hieu copied all the data out of the phone book and all the court records and the county records and scraped some LinkedIn data to build complete profiles on millions of people, that’s all public information, right? It wouldn’t have been that hard for him to do because he’s a clever guy. Are there laws that he would be breaking if he sold that data? I guess what I’m wondering is are there laws that data brokers have to follow? Hm.
Well, I had to stop and look into that. Basically, yes, there are data broker laws, and often states regulate them. The gist of the laws is that data brokers have to prove that they aren’t selling their data to criminals. I mean, think about all the dangerous household things we probably all have, right? Box cutters, a hammer, matches, lighters, gasoline, bleach. These are all things that can cause a lot of harm and destruction, right? Yet, when you go to buy them, the store doesn’t verify your intent. They’re not like, hey, what are you gonna do with that box cutter? You have to prove to us that you’re gonna put it to good use. Yet, that’s how data brokers treat their customers. Their customers have to show proof that they have a legitimate reason to search their data and they’re on the approved list of okay people.
Apparently it’s not good enough for data brokers just to say, hey, you can’t use this for malicious intent. They have to verify every single user to try to prevent any of them from using the data maliciously. So, the approved list is people like law enforcement, marketers, investigators, loan agencies, those sort of people. That distinction is very fascinating to me. Data brokers are legal, but only if they sell their data to an exclusive group of people. I don’t like that, not one bit. Of course, I don’t like that there’s a business out there buying and selling my personal information. That’s gross. Go get a real job, alright? But I think I might have a hot take here. I don’t like that they only sell their data to a certain group of people. I wish they sold it to anyone.
Only people in some exclusive club can look up my data, a club that I’m not allowed in? The reason why states regulate data brokers is because if anyone could search those databases, then we’d all be flooded with scammers and identity thieves and stalkers. But to me, that’s not the problem. To me, the problem is, one, I don’t even know how much data those data brokers have on me, and two, I don’t even know who has my data. If I could somehow feel the sting and pain every time my privacy is lost, I would take my privacy way more seriously. So, I know there’s probably apps on my phone that are sending real-time location data right now to a data broker, and if someone took that data and saw where I was and came to my house and knocked on my door, of course I wouldn’t answer ‘cause I never answer my door.
But I just imagine them continually pounding on the door, like, hey, I know you’re home. Answer the door. Your phone is sending me real-time location data to me right now. I’d immediately be like, wait, what app is sending you my location data? I think having a scary moment like that would absolutely force me to uninstall apps that are tracking me. So, my hot take is that stalkers aren’t the problem here. It’s the obsessive collection of my data that’s the problem. If data brokers opened themselves up to let anyone search their site, we’d all be way more private and secure, because we’d all be taking huge steps into protecting our privacy way more seriously. We don’t know what’s out there. We don’t think it’s a problem, and they’re trying to hide that from us.
Of course, the data brokers say they take our privacy seriously and security is their top priority. Yeah, well, until it isn’t. Hieu got into four different data brokers all by himself, and it didn’t look like it was that hard for him to do. Not only that; there’s news story after news story of data brokers getting hacked into. The biggest one is when Equifax got breached. If the data brokers were so worried about their data getting into the wrong hands like scammers and stalkers, then don’t collect it at all, because if there’s one thing I’ve learned about doing over 160 episodes on hacking, is that you will fail at securing your network and data at some point. There is no safe way to collect and store my personal data, much less sell it.
The regulators think forcing data brokers to vet every user is stopping criminals from accessing the data, but clearly criminals are, in fact, accessing the data. Since when do criminals follow regulations? So, really, all the regulations are doing is stopping people like you and me, normal citizens, from being able to see what’s in there. There are so few people who truly understand what is happening in this data broker world since they like to operate in the dark, in the shadows of the internet, and they work hard to keep everyone else in the dark. I want to believe that someday privacy will be in style again, and we just need enough cool people to tell us it’s worth wanting, because data brokers has a bad aesthetic. Surveillance is sterile. It’s cold, gray, and depressing.
There’s nothing cool or romantic or aspirational about being trackable down to when you’re peeing or having sex or eating or sleeping, yet these data brokers are feverishly trying to know all of that about you and build a complete behavior profile on you and then selling that to millions of people who are on the allowed list. I hope someday wanting privacy doesn’t make you a weirdo, but it makes you cool. Hieu was sentenced in 2015, which meant he’d get out in 2026, because he already spent two years in prison by that point. It was there in the New Hampshire prison where he learned English and studied all kinds of things. The police asked if he could share his story with others to teach them how the darknet works and all that, so he cooperated and told his story and was trying to self-rehabilitate to get out early. But when he was in prison, he heard some news which really crushed him. That Liberty Reserve website was seized by the feds and the owner was caught.
HIEU: I heard on the news that he got caught.
JACK: The thing is, Hieu had a lot of money still in his Liberty Reserve account. But when the feds seized the site, they seized all that money, too. How much would — how much did you lose there?
HIEU: I was saving up over there a little more than $300k.
JACK: Wow.
HIEU: You know, I was thinking, man, I will go home and I will get that money. But the moment I heard on the news during my incarceration time in 2014 or ‘15, I was like, man, it’s over. No more money.
JACK: So, he continued serving his prison sentence, staying out of trouble. Because he had good behavior, they let him out early. After serving seven years in prison, they let him out in 2020. There was a lot of complications getting out of prison in the middle of a pandemic, so it took him eight months to get home after he was released. But he eventually made it back to Vietnam. When you got home in 2020, did you have money remaining from all this?
HIEU: I still got a little more than $50,000 USD and one apartment.
JACK: When he got home, he got a job with the Vietnamese government to help with their national cyber defense.
HIEU: The so-called NCSC, the National Cyber Security Center, I’ve been working there for four years. I just left NCSC just five months ago because the government, they’d restructured the agency, and that’s why I left NCSC, and right now I’m just trying to — mainly focusing on cyber crime investigation. I love hunting cyber criminals, technically. To the day I got home until now, I was helping law enforcement in Vietnam and all the country as well to arrest more than two hundred cyber criminals.
JACK: He says he also enjoys helping victims of scams and identity theft by educating them on what options they have and helping them regain control of their life and use the law to help them out. In fact, it sounds to me that Hieu feels pretty bad for all the people who got scammed from his service.
HIEU: I feel like I owe a lot to the people, basically the people in the US. I — kinda like I hurt and harmed so many people’s lives, and I kinda always feel ashamed about it.
JACK: So, he wants to be clear that he is sorry for anyone whose identity got stolen and lost money from his website. He truly feels bad about it and has apologized publicly multiple times and wants to try to do what he can to correct the wrongs he’s done, which is why he’s helping victims now and works with law enforcement to catch cyber criminals in his home country.
(Outro): [Outro music] Thank you so much to Hieu Minh Ngo for telling us this incredible story. This one was wild. I had to stop and think multiple times while making it, and I love a good story that puts me in deep thought like that, and I hope it did for you, too. I recently read a book about data brokers which was extremely eye-opening, and I encourage you all to read it. It’s called Means of Control by Byron Tau. Check it out. It’s a total page-turner. You will not see the world the same again after that.
Don’t forget, you can pick up some really cool shirts at our shop. I guarantee you will find a shirt you love there. Go to shop.darknetdiaries.com. This episode was created by me, the hackstreet boy himself, Jack Rhysider. Our editor is the hash-slashing Tristan Ledger, mixing by Proximity Sound, and our intro music by the mysterious Breakmaster Cylinder. They say if you don’t pay for it, then you’re the product. But what if you pay a data broker to look up your own data? What then, hm? This is Darknet Diaries.
[END OF RECORDING]