Episode Show Notes

JACK: Hey, it’s Jack, host of the show. What a fun show this has been to make over the years. I’m having such a blast doing this, and I think this episode is one that sent me on an adventure that I’ll never forget. It’s a big and wild story, so let’s not waste any time. Meet Liam.

LIAM: Yeah, I’m Liam O’Murchu. I work with Symantec and I’ve been there since 2004, and I work in the Security Response Department and analyze malware.

JACK: I’ve seen you before. Have you been on TV?

LIAM: I have been on TV. So, I was part of the team at Symantec that analyzed Stuxnet, the virus that was infecting equipment at uranium enrichment plants in Natanz in Iran.

JACK: Yeah, you were one of the early ones to explain this is what was discovered.

LIAM: That’s right. We were the team that discovered what Stuxnet did, what the payload was, how it worked, how it had spread, who it was targeting. Yeah, and then because of that I was in a documentary that was shortlisted for an Oscar in 2016 called Zero Days by Academy Award-winning director Alex Gibney. So, if you want to know what I do in my job, you can see it all there. Then also, Kim Zetter wrote a book about it as well, and that whole story and my work and my team’s work was featured in that book as well.

JACK: Yeah, Stuxnet was a huge deal which really revealed the lengths the NSA will go to to create malware. I covered Stuxnet in Episode 29, if you’re interested, and I actually interviewed Kim Zetter for that one. So, after that, Liam continued to investigate threats. I think he has the most fun investigating novel threats; that is, threats that the world has never seen before or figured out yet. So, one day, a new piece of malware showed up on Liam’s desk.

LIAM: [Music] Yeah, so, our customers at Symantec, they’ll get malware on their machines and then they’ll send it to us for analysis. So, I got this file that I wanted to analyze for this customer, and when I started looking at it, something felt off about it compared to the other malware that we would look at regularly. It just — it wasn’t run-of-the-mill. There was something different about it.

JACK: There’s a lot to do when analyzing new malware, but first you need to collect a sample of it, and Liam didn’t have a complete sample yet. He really wanted to know what this malware does and what it does to the victim and what’s the objective of it, and who are the people who created it, and how does it spread?

LIAM: I understood that they were trying to defraud customers of eBay. So, I decided to name it — I couldn’t use eBay as a trade name, so I decided to call it Bayrob ‘cause they were robbing customers of eBay. What the malware was doing was it was sitting on your computer, and when you tried to connect to the eBay website, it would intercept your connection and it would inject false information into your browsing session, and it made it look like the false information was actually coming from the eBay legitimate URL. So, you wouldn’t notice that anything was different. Then they were using that to sell you things that didn’t exist on eBay.

JACK: He wrote up a little thing and published what he knew about this malware, but he still didn’t quite have all the pieces for it yet. He really wanted to know more about it. The sample he got wasn’t quite enough for him to fully infect a machine to watch this malware. It seemed to be infected, but it would never actually do anything on his machine. So, he went on a hunt to learn more, and had to think like a victim. How do victims get hit with this? How is it delivered? How do you get infected? He learned where the watering holes were that people were going to get infected with this, specifically through phishing e-mails and Craigslist posts.

LIAM: I kept searching to see if I could find that missing piece, and I just kept on looking through our telemetry and looking to see where I might find this, and I knew there were some places where this was probably gonna be distributed, so I was looking in those places, like on Craigslist, for example, in e-mail, and looking to see if I could find any places where I could find a complete package that would help me to analyze it from beginning to end and understand exactly what the attackers were doing, how they were making money, where they were sending the money, the entire thing. I wanted to know it all. It turns out that the reason I couldn’t solve the entire problem was because the attackers were geofencing their fraud so that it could only happen in America and only happen in certain locations within America. I was in Ireland at the time; I was based in Ireland. So, when I tried to connect to these auctions — ‘cause they were hosting these fraudulent auctions — because I wasn’t in America I wasn’t authorized to see this fraudulent data.

JACK: That’s already impressive to me that this malware only worked for Americans. If anyone else in the world were to be infected by it, they’re basically immune to it. Wild. So, since he couldn’t get scammed by these fraudulent eBay auctions, he tried to find someone who had been scammed by them, and he did find someone who lost thousands of dollars after trying to buy a car on eBay.

LIAM: I managed to discover who that victim was. I reached out to that victim, and she had actually signed up for an auction after she had been defrauded the first time. She went — she found another auction that was very similar and she signed up for that, and she had gotten the entire package, the entire malware package. I spoke with her, and she was prepared to share that with me.

JACK: He was able to get the malware off her machine and analyze it, and he discovered how it works and what it does, how the infection happens, and how the criminals use it to steal money. But he wanted to see it in action still. So, he got a plan.

LIAM: [Music] I pose as her. I recorded my entire session, and I went online and I bought this car. As part of the fraudulent information that they were injecting into the eBay website, they injected a chat window where you could chat about this fraudulent auction. When you chatted you thought you were talking to eBay support, but you were actually talking to these attackers. So, I recorded this entire thing. I met them, I bought a car, I talked to the attackers, tried to engage them as much as possible to see if their English was good, and tried to talk to them at different hours of the day to see when they might be awake and not.

I recorded this entire thing and ended up being successful buying this car and going all the way through with the transaction to the point where they send me information about a money mule, where I was meant to send my money, and that was where I stopped. I didn’t actually go through and send any money. But at that point I had victim information, I knew exactly how the threat worked, I knew exactly how much money they were making, and I understood how the whole thing worked. More importantly, I had a video of exactly how it would work from beginning to end. What I did was I published that, a blog, saying here’s the threat, here’s how it works, here’s how you can protect yourself, here’s what it looks like, here’s a video of me buying a car, here’s a video of me talking to the attackers, and I published that.

JACK: Liam’s blog post was well received. People liked it and shared it. A lot of people read it. After posting it, Liam kinda moved on to other things. He felt like he pretty much got to the bottom of this. Like, he created signatures for how people can detect this and what command-and-control servers it uses. This was enough information for companies to create antivirus rules and block these servers. That should have been it for Liam researching this Bayrob malware. [Music] But the Bayrob malware started changing after that.

LIAM: So, they would name their command-and-control servers various different things. They picked random names for the URLs on their command-and-control servers, but then they started putting my name in there. So, they had domain names like gayassholeliam.com, tinycockliam.com, liamthemule.com, thankyouliam.com. Yeah, a variety of different variations of that over the years. Then also, because there was a little encrypted section underneath that, they could also leave a message in the malware that they knew only I would see or someone who was analyzing the malware would see, and then they left messages in there like — ‘Symantec does group masturbation’ was one of them. So, just over the years they would leave these messages in there for me. Of course, when I saw that, that made me more interested in understanding what was going on.

JACK: My favorite message they left for him in the malware was ‘Symantec team is a big hen coop chicken smart’. Hen coop chicken smart? What does that mean? All this mocking and taunting actually made Liam want to look more into this Bayrob malware. His name in the malware is what drew him back into this. So, he got a computer and set it up in the lab and got infected with a fresh copy of the malware, and went to analyze it further. Because he worked at Symantec, this gave him access to some pretty powerful malware analysis tools. So, he ran this through there.

LIAM: I was able to see where they were connecting, where they were hosting, where they — how they were routing their traffic, how we could become part of that routing, how we could see some of their messages, how we could infiltrate how they communicated, and that was super, super important in understanding the entire attack.

JACK: The way this malware routes across the planet is fascinating to me.

LIAM: The way they were protecting their identity was they were routing their traffic through infected machines so that if someone like me or law enforcement tried to trace them to their original location, it’d be very difficult to do that because they would jump through multiple infected machines in multiple countries. So, if you saw their first IP address and you tracked that down, you would get a victim, and even if you monitored that victim machine, you would get another victim in another country. To go and trace it all the way back to their home machine would be very, very difficult. So, it was a really smart way for them to hide their traces.

JACK: Clever, right? So, the attackers would never directly connect to their command-and-control server or their victims. Heck, they wouldn’t even talk amongst each other directly. Instead they would always use at least three hops through their infected victims to communicate with anything, even just googling things. If they wanted to connect to a victim, they’d go three hops to their command-and-control server and then three hops to the victim. This made it incredibly difficult to trace even just what country the Bayrob gang is located in. At the time there were over 6,000 computers infected by this Bayrob malware, and any of them could be part of this proxy chain. That gave Liam an idea. [Music] If they’re using the infected computers to connect through, then does that mean the infected computer Liam has in his lab has a 1 in 6,000 chance of seeing a connection from these attackers? Maybe. So, he gets this infected computer back online, puts some packet captures on it, and waits a long time, like over a month, and he never saw anything.

LIAM: It all started out under my desk, actually, in the office. I had my little test machine under my desk, and I set it up there and I ran the malware, and I was very disappointed to see that they never connected to my machine. Then I started to realize, oh, there’s an algorithm that they’re using to decide which machine to connect to.

JACK: Yeah, get this; after Liam had his infected machine online for a month, listening for connections from these criminals, he noticed the malware suddenly changed after a month of being online. More code was added to it, and this code had all the details for how the proxy chain worked. So, to begin with, a machine had to be infected for thirty days before it even received the proxy chain code at all. So, he analyzed this proxy chain code and he saw that not all infected machines have the same weight for being used by the hackers to hop around.

LIAM: So, then I understood that it was — if you had a higher bandwidth, you had a better chance of being used. If you were in different geographies, you had a better chance of being used. So, it went from underneath my desk to a server on the West Coast of the US, then to a server on the East Coast of the US.

JACK: This time with a beefier server with higher bandwidth, and now this gave him a 1-in-400 chance that these attackers might connect through his machine. But still, after sitting there listening for any proxy traffic coming through, nothing. He looked at this proxy chain code again, and he learned that before they would use a computer in the proxy chain, they would take a screenshot of that computer and look at it to see if this looked like a normal person’s computer, because if it looked like a threat researcher like Liam’s computer or a cop, they might notice something off and not connect to that machine. These hackers would vet every single computer before using it in that proxy chain. Holy cow. So, Liam had to make sure his computer in his lab looked like someone’s home computer.

But on top of that, Liam also discovered that if the infected computer was in Romania, it would be given priority in the proxy chain. Basically, it had a higher chance of being chosen for their first hop, which might also be a clue as to where these guys are from. So, he rented a computer in Romania, infected it with this malware, beefed it up with a fast internet connection, made it look like a regular user’s computer, and waited thirty days for the proxy chain code to come on, and then waited some more. This time he thought he had a 1-in-40 chance of them connecting to his machine now.

LIAM: Eventually they would connect to my machine as their first machine in the chain, which meant I got their home — or what I thought was their home IP address. So, I was getting these addresses in Romania, in Bucharest, and in a town called Brasov. Every now and again they would slip up and you would see that that’s exactly where they were coming from. So, by using those proxies, not only was I able to see where they were coming from originally, but also I got to see an absolute treasure trove of information that they sent across that network, because they felt they were protected. So, we would see — first of all, we would see them setting up their campaigns. So, I would see them transferring all the files that they needed to run their fraud. I could see them Google searching for images or for text that they were gonna use. I could see them setting up e-mail campaigns.

JACK: Wow, what an amazing insight he had into these attackers. These guys were using this proxy network for everything. Every time they’d check e-mail or move money, or yeah, even searching Google, they were unknowingly routing their traffic through Liam’s computer, or at least sometimes it would be chosen to go through Liam’s computer, and he was capturing it all. But just because Liam was in the connection path capturing this data, the data was unreadable. That’s because these guys were encrypting everything. All communications to the command-and-control server were encrypted.

All communications between the different attackers were encrypted. He could tell these guys were talking over Jabber, but couldn’t see any of the messages since they were using OTR, Off The Record, which does end-to-end encryption on all Jabber chats. So, most of the time Liam had nothing but encrypted gibberish, but only every now and then would he see a small blip where something wasn’t quite encrypted all the way, or metadata about a connection would tell him what they were doing right now. By this point Liam had been investigating and tracking this malware for years, and had a way deeper understanding of who’s behind this compared to his first blog post.

LIAM: I was analyzing the malware and I knew where they were connecting. I could see where they were connecting all over the world. I was like, I can’t do anything about this, but I know law enforcement could go and they could get these servers and these computers and these addresses and they could actually take action on them. [Music] So, we went searching for law enforcement who had worked with us on this case, and we had a long list of all of the things that the attackers were doing, and that was how we ended up contacting the FBI.

JACK: But as it turned out, the FBI was already on this.

STACY: Hi, I am Stacy Whittaker. I am now a retired FBI agent. In 2007 I was a pretty new FBI agent. I had only been in for a year and was still learning kind of my job. But yeah, so, I had been contacted very early on by one of the initial victims of the Bayrob Group. She had reached out. I was working in the Cleveland division at the time. So, she reached out to the Cleveland FBI Office to report that she had been victimized on eBay. So, I had simply answered her phone call when she called the office and talked to her about what had happened to her. She explained to me that she had tried to purchase this vehicle on eBay and that she had supposedly won the auction. She had paid for the vehicle, approximately $8,600, and then she never received the car. It was supposed to be transported to her and she never received it.

On the initial phone call, that was pretty much all that she knew. So, I had asked her, as we typically do in the FBI, to report this information to IC3. IC3.gov is a website that we use to collect information from victims of all different types of crime related to the internet, primarily. So, she did. She went to IC3 and she reported it. At the time I thought that was the end of that conversation, because of course, for $8,600, the FBI typically is not going to open a case. But she actually called me back about two or three days later and told me that — it was explained to me that she had figured out on her own that her computer was infected with a virus and it was related to this eBay fraud.

It took a little bit of convincing to convince me that she actually was correct. She sent me Liam’s report on Bayrob. So, I read — that was the first time I had read his report about this virus. So, basically, I had decided to go out and meet with her. I took a computer forensic examiner from our office with me so that we could look at her computer, we could verify that she was, in fact, infected on her computer with this virus, which we did. So, because of that, because she was infected with malware, we were then able to open an investigation even though it was such a small amount of money that we were talking about.

JACK: It was around here, in 2007, that Liam got in contact with FBI Special Agent Stacy to tell her all about what he learned. But even with all that information, the FBI didn’t make any progress on this case. In fact, for the first five years of this case being open, very little happened with the FBI.

STACY: It was very slow and very frustrating, very slow and frustrating. So, one thing I would say about — I think this case is a very good example of the evolution of the FBI in many ways as well. So, in the beginning, in 2007, that was a time when we in the FBI, we didn’t necessarily work hand-in-hand with private sector, right? So, even though I ended up talking with Liam in 2007, we shared some information a little bit, but then we kinda went our separate ways. We didn’t talk again until 2012, because that was kinda the way that we did things at that time in the FBI. We didn’t share information too much with the private sector. We would do subpoenas, we would do search warrants, and we would gather information, but we didn’t necessarily work hand-in-hand like we do today. Also at that time, we didn’t necessarily work very many investigations that touched overseas, either.

So, again, I was a new agent in the FBI, and I opened this investigation and pretty quickly was able to determine that all the money was going overseas. I was tracking the money, was figuring out where it was getting picked up in different countries in Europe, and when I figured that out and I was talking with the other agents on my squad, their reaction was basically, oh, you need to close that case. Again, this is in 2007 and we just didn’t have as much visibility and as much partnership with other countries as we do today. So, I refused to close the case and kept working it and kept collecting information even though I was very limited in what I could do. I was talking with the — we did have an FBI office in Bucharest in Romania, and so, I was sending information to our FBI office over there to try to — initially it was simply sending them information on the money mules that were picking up the money. So, I was able to track the money being sent via Western Union, and initially it was getting picked up in Greece and then it was in Hungary and then it was Romania.

It was several different countries in Europe where money was getting picked up. So, I didn’t necessarily know at first that it was Romania, but most of the money mules were using Romanian IDs when they would pick up the money. So, for five years, all I’m really able to collect, for the most part, is victim information, right? I’m creating this spreadsheet of all these different victims that I’ve identified. I’m identifying money mule accounts or IDs and money transactions, and I’m collecting all of that information.

JACK: Now, even though Stacy was new with the FBI, she was pretty sharp, especially with computers, since she was a computer programmer at the Air Force before this. She was really intrigued by this case, probably more intrigued than anyone else at the time. But she knew if she was going to solve this, she was going to need more help.

STACY: I bring in CCIPS eventually to help on the legal side, and then I end up talking with Liam again in 2012, who connects us with Eoin. At this point I’m figuring out that this is a very sophisticated group that we’re dealing with, obviously, and especially from all the work that Liam had already done, I knew — although I was on the cyber squad in Cleveland, I didn’t have a super techie background, certainly a little bit, but nowhere near as much as Ryan. So, I definitely needed some help on that side of things. So, I asked Ryan to work on this case with me.

RYAN: Yeah, so, my name’s Ryan Macfarlane. I’m the IR practice lead at TrustedSec, but at the time I was a cyber agent. I was coming from DC, where I spent two years at our National Cyber Investigative Joint Task Force working the whole of government counter-operations against China, and was transferring back to Cleveland, and got to Cleveland. The first thing I ended up getting asked to do was to work with Stacy on this case.

JACK: So, Stacy starts bringing Special Agent Ryan up to speed on this case.

RYAN: Now, I land in Cleveland and start working this case with Stacy. I spent the first six months to a year just going after all the infrastructure that these actors were using, and working with the US Attorney’s Office in Cleveland and CCIPS to get legal process and a ton of technical coverage on the Bayrob Group.

JACK: Of course, one thing the FBI is good at is following the money. They learned that these criminals use money mules a lot. So, when the criminals would trick a victim into sending them thousands of dollars like through an eBay auction or something, the victim didn’t actually send that money directly to the criminals. Instead, the criminals hired someone else to collect that money, keep a portion of it, and then forward the rest to someone else, and then they would forward that money again to someone else, and eventually it would be forwarded all the way to the criminals or turned into cryptocurrency and then given to the criminals.

They would get these money mules by putting ads on Facebook or Craigslist advertising a legit job, like a work-from-home type of thing. Then they’d trick the money mule and lie to them about why they’re accepting this money and where they’re sending it and what’s happening. The strange thing here is that even though the money mule is tricked into thinking they’re doing some legit work, being a money mule is actually illegal, and these people could get arrested for this. We’re now more than five years into this investigation, and the FBI started bringing even more people into this case.

BRIAN: I’m Brian Levine. At the time I was the cyber-crime prosecutor at the Computer Crime and Intellectual Property Section in Washington, DC.

JACK: That’s under the Department of Justice.

BRIAN: Yes, it’s part of the Department of Justice. I was also the national coordinator for all the computer hacking and IP prosecutors around the country, one of whom was Duncan Brown, who was an AUSA, assistant US attorney in the Northern District of Ohio, and I was brought in by Duncan and Stacy to help on the case.

JACK: Stacy and Ryan looked over the case more. They got a lot of information from Liam at Symantec, who discovered all this stuff about the way the proxy chains work and how he’s infiltrated the chain and even captured some interesting things. Also, Liam suggested they talk with Eoin, so they called Eoin up.

EOIN: My name is Eoin Miller. I worked on AOL’s CERT team from 2011 to 2016. I received a report of abuse on my network from a specific IP at a specific time, and was told it was related to potential Bayrob activity. I went ahead and started taking a look at that and started pivoting around. We were able to connect specific domains that they were using and accessing with various accounts, various AOL accounts that were being used in order to tunnel traffic through us. AOL allowed anyone to sign up for a free account and then tunnel network traffic through our dial-up IP allocation space. So, we were basically like a very large, free, open-proxy service, and we’re also a free e-mail provider.

Basically we built a full packet-capture indexing system — at the time it was called Moloch and is now called Arkime — which we had deployed at ISP level. So, us and others as well that offer those same types of services were heavily being leveraged by this group in order to create new accounts, chat with people, all that good stuff. So, we just started digging around and seeing when they would connect in, where they would connect from, start going through all of the network traffic that they had presented to us.

JACK: So, Eoin from AOL was now feeding the FBI bits and pieces of things that he was seeing. At the same time, Liam was still listening to the traffic going over the proxy chains, and every now and then he’d see them connect to the proxy chain as their first hop, which likely meant the criminals are connecting to this from their home. [Music] So, he would call the FBI and say, look, I have a strong suspicion that these are the IP addresses of the criminals, and they’re in Romania. So, the FBI would contact the Romanian police and ask them, could you find out whose IP this is and go see if those are our guys?

RYAN: The Romanian National Police were great. They would go and they’d come back and they’d say, we just talked to a really nice schoolteacher, and we are sending the Romanian National Police all over Romania. They were just — the more doors they knocked on, the more we realized something was going on that we just didn’t understand.

JACK: What? So, even though they’re using six or seven hops through this proxy chain before doing anything malicious, that still wasn’t good enough to hide their tracks. These attackers were doing something even before going into the chain to hide their tracks even more. Like, for a while their connections were all coming from a schoolteacher’s home in Romania and then into the proxy chain, or it would come from some other house in Romania, and never for a long period of time. Their home base seemed to move all over the city. These guys were really good.

BRIAN: It was really challenging at this point because at least at that time the Department of Justice was very careful about the legal process that it issued. We had to justify what we were doing, which was very challenging because we would often get back what we would describe as nothing, because everything was encrypted and I would have to go and make an explanation as to why this was beneficial to keep doing this kind of legal process. They would say, look, you’re getting nothing. Why do you want — why are you wasting your time continuing this process? What we realized was these guys were so sophisticated that you just had to get all information you could all the time for as long as you could, ‘cause you didn’t know what was gonna end up being helpful in the end. It was all about bread crumbs.

JACK: The FBI continued to collect all the data they could. They had Liam feeding them data that was captured at Symantec. They had Eoin feeding them what he saw at AOL, and they were interviewing victims and money mules and logging as many chats as they could. I think they did a controlled buy and tried to talk with these hackers as much as they could. But much of this resulted in nothing since it was all encrypted and obfuscated and wrapped in so many layers.

STACY: We were doing all of those things. We were collecting information from Romania, we were collecting it from Liam. I think one of the biggest breakthroughs came from Eoin at AOL, so I’ll let him, yeah, talk about that.

EOIN: Yeah, sure. So, one of the members of the group was typing in his e-mail address to log in on gmx.de or 1&1 Internet. They did not use SSL at the time for the log-in form. So, when he typed in his e-mail address, [music] he typed in his personal e-mail address and then went, oops, and then logged in with his quote, unquote, “work” e-mail address. So, we have the same IP address at the same — within ten seconds, like typing in someone’s e-mail address and then this actor’s e-mail address.

JACK: That’s such persistence on the investigators, but also such discipline on the attackers. The attacker accidentally typed the wrong e-mail address, and even though the log-in failed for that e-mail, it was a curious enough clue for Eoin to look further into it. The e-mail address was raduspr@gmx.de. So, was there anything to find for this raduspr name?

EOIN: At the time Facebook was pretty easy for looking people up based on e-mail address, and just — here you go. Here he is. Then, oh, alright, pivot around. Alright — oh, they have YouTube channels, lots of skydiving, and it was like T&T Brothers or something like that, a bunch of posts on various forums for off-road vehicles and stuff in Romania and everything else. It was just like pictures, everything you could want. It’s like, I don’t know who anyone else is, but I’m pretty sure this is who this is.

BRIAN: So, we sent them, AOL, a search warrant for all of this data, and they said, alright, it’s a lot of information. Come on in and let’s explain it to you as we give you that information. So, we came in. I remember it was Stacy and Ryan, and it was unbelievable.

JACK: Brian, the DOJ prosecutor for this case, was thrilled.

BRIAN: So, what we started doing at that point was we had used legal process. We did hundreds or thousands of different legal process in this engagement, both domestically and abroad. So, once we had a sense of who one of these actors was, we had more information that we could provide to Romania. We did that through a Mutual Legal Assistance Treaty request, shortened as an MLAT, and they started going up and doing whatever they did in Romania to try and get us helpful information pursuant to these legal process. One thing we found was the existing process of MLATs back and forth was too slow for this case because the criminals kept changing their infrastructure. So, we had to work with our Office of International Affairs to create a faster process or an abbreviated version of the MLAT process.

JACK: What they would do is actually move locations, right?

BRIAN: They were moving — well, we didn’t know what they were doing. We just kept getting different IP addresses and different information. So, what we discovered through Romania’s response to our MLAT request was that there were three people that were communicating with each other, one of which was the person that Eoin had identified with encrypted communications. We could not get through those encrypted communications, and Romania could not as well. We could see that in their home, on their non-criminal machines where they weren’t encrypting all their traffic, they were going to cryptocurrency websites and specific ones that we knew this group was focused on, but that wasn’t really strong evidence. It wasn’t enough to indict them or extradite them or anything else. It just made us think we had the right people. But for quite a bit of time at that point, we were like, alright, we think we know who the three people are, but we just don’t — because they’re encrypting everything, we don’t really have enough evidence to extradite them or to indict them.

JACK: So, at this point we’re going on year seven or eight of this FBI investigation.

RYAN: Right around this time we’re in pursuit mode, right? So, we’re trying to get as much visibility into their infrastructure, and around this time we get a data intercept on their systems that are controlling all their malware. [Music] So, they had a multi-layer command-and-control infrastructure where all the malware was reporting up to the first layer, and then that layer was forwarding on to a couple of servers that were hosted in different places. We were able to, as a team, figure out where those servers were located. So, we went — with legal process we got a data intercept on a couple of these top-level command-and-control servers, and we were able to see the communications for all the botnet, which meant that we got to see when they updated their malware, what some of their campaigns looked like, how they were loading additional plugins. So, at this time this group had a number of different lines of business.

They were treating all these infected systems — and it was about 400,000 of these systems at the time — as a commodity, right? Every computer could do a bunch of different functions. We saw them instructing these computers to join mining pools and mine cryptocurrency for them. They could be used as proxies, and some of those proxies were sold on AlphaBay to other cyber-criminals out there. They were doing some ad fraud, they were mining those systems for credit card information, which they then sold on AlphaBay as well. So, they were AlphaBay vendors. They were replacing your internet browser with a custom version of their own internet browser. Everything that was done over that internet browser was uploaded to a couple of servers in North Carolina. Then we’d actually see them go and mine through all that data. So, if they needed Bank of America accounts, they could jump in there and show me all the Bank of America accounts that I have log-in information to. They could go to Chase and issue a command to say, show me all the Chase data I’ve taken.

JACK: Whoa. So, while the FBI is ramping up their efforts, the criminals were also ramping up their sophistication and streams of revenue. This has grown quite significantly from its meagre eBay fraud with 6,000 infected nodes to now a worldwide plague of hundreds of thousands of computers infected, stealing everything they could and selling everything that they thought was valuable. They were making millions of dollars now, and the FBI really wanted to stop them at this point. But these guys were good, like really good. They had a sophisticated proxy network. They used PGP for all their e-mails. They used end-to-end encrypted Jabber chats when they’re communicating to each other, and encrypted everything that they were sending back and forth between them and the command-and-control server. The FBI couldn’t even follow the money since it used a whole vast network of money mules that would scour the world. On top of that, they were somehow constantly moving around in Romania, changing IP addresses all the time so the Romanian police couldn’t find them, either.

We’re going to take a quick ad break here but stay with us, because the FBI is not giving up.

Liam, over at Symantec, kept watch over what was going on over the wires. And at one point he saw a scam going on in progress!

LIAM: I reached out to some people who were about to become victims because I was able to see their information as the auction was in progress, and I saw their telephone number. I called them and I said, you are being victimized. I’m calling you. I’m not trying to sell you anything. I’m telling you now you’re about to get scammed because of this auction, and they wouldn’t believe me. They would think I was trying to scam them. Then they would go ahead and I would see that they continued and they bought the fraudulent car even though I’d actually warned them.

JACK: I’m sure you’ve heard the phrase that in cybersecurity the defenders have to be right all the time, but hackers only need to be right once to get in. But in this scenario, the hackers were essentially on defense, since they had to be super careful not to reveal anything about themselves, because one slip-up and the FBI would swoop in on them and it’d be all over.

LIAM: It is very interesting that what we were doing was we were waiting for their one slip-up. We were getting mountains and mountains of data, and we knew that they were protecting themselves, but they couldn’t be right all the time. It’s so, so difficult to be right all the time and to have failsafes everywhere. Eventually they did make those tiny, tiny slip-ups. It was like, you know, one ten-second period out of three years of monitoring data that broke the case. So, it was incredible.

STACY: That’s what Brian was referring to earlier when he was talking about — you know, we’re doing all this legal process and we’re, at that time, getting some pushback on — why are you continuing to capture all this data? It’s because, yeah, it’s all encrypted and we’re not getting a lot out of it, but we have to continue capturing it, watching for those one little mishaps where they make a mistake. That’s the only time we can get information that is gonna reveal to us who these people are.

RYAN: At the time we had the largest data intercept in the bureau because…

JACK: For this case?

RYAN: For this case, because it was all going — all the command-and-control traffic was going through these servers. We had to keep re-upping because we were getting little snippets here and there. Occasionally we’d catch them e-mailing a new e-mail account that we hadn’t seen before, and that turned out to be one of their money mules. Their opsec wasn’t nearly as good as these guys’ opsec. So, we were able to start to pull that thread back and work different angles. We had to go brief the Deputy Attorney General during this case because we had done a T3, and Department of Justice doesn’t — that’s such a big legal process that they don’t like to use it, especially for long durations. So, we had to justify that we’re seeing all this encrypted traffic. We are seeing mistakes occasionally, but we had to basically go talk to the DAG and say, hey, this is why we need to do this.

BRIAN: The reason we had to talk to the DAG, if I remember correctly, was this was the first time in the history of the Department of Justice that we did a wire tap on a server. Previously wire taps were invented because of phones. You would listen to the mafia talk to each other. You’d listen to the narcos talk to each other. They’re like, wait, this is a computer. Why would you even do a wire tap? Maybe — and there were arguments that we didn’t even have to, but we wanted to have belt and suspenders. We didn’t want to make any mistakes here. Because we were getting contemporaneous electronic traffic through the server, we wanted to have a wire tap, but this confused a lot of people in the Department of Justice who didn’t quite get it.

JACK: Whoa, these guys are really taking this case seriously. They had a T3 wire tap on the command-and-control server, which happened to be in North Carolina. T3 is short for Title 3, which is where they have to get authorization from an attorney general who grants them approval to the data intercept. In this case, the hosting provider for the server was shown the T3 and was able to put a tap in and give the FBI full captures of everything going in and out of that command-and-control server. But that still didn’t help because it was all encrypted, and these Title 3s expire after thirty days, so they had to keep renewing it again and again and convince the attorney general that they still need to keep it active in hopes that someday they’ll see something that will give them the smoking evidence to arrest these guys. But month after month, they were not finding anything important.

STACY: We also had a Title 3 on one of the main e-mail accounts as well. So, we were watching the e-mail coming through, too. Even though it was encrypted, the body of the e-mail was encrypted, but the e-mail title, the e-mail headers, was not. So, we would get the title of the e-mail, and that was the only information that we would see, was just the title.

BRIAN: You said that normally the bad guy only has to be right once, and that was sort of flipped around, but that’s potentially to identify them. Remember that when — in order for us to indict them, extradite them, and then if they want to go to trial, which these cyber-criminals almost always do, we had to be able to prove guilt beyond a reasonable doubt. These cases are a lot harder to do that with — than with a standard case, because you’ve gotta remember you’re dealing with a jury. So, ultimately it’s not like you’re gonna be able to go to trial on one mistake. You’re gonna have to build a body of evidence.

STACY: So, they were using an e-mail service that we were able to gather information from, as well. So, we literally had over 16,000 e-mails that we had to sit and review, every single one, pulling out victim information, pulling out money mule information, and information on money transactions, and gathering all of that data together, too, to be used later on down the road in trial.

BRIAN: Most of their e-mails were PGP-encrypted, right? Ryan explained to me — ‘cause I believe the FBI can do anything if they want to. So, Ryan explained to me that PGP stands for pretty good…

RYAN: Pretty good privacy.

BRIAN: Pretty good privacy. So, I said, Ryan, it’s only pretty good. Could you get through that encryption? Ryan said, no, you’re not putting the right emphasis. It’s pretty good privacy. That’s how you should be interpreting that.

RYAN: Then I also told Brian that I’m only moderately good.

JACK: [Music] At some point Liam found something incredible. He was continually capturing all the data through his node that he sneakily set up in their proxy chain, and they were using Jabber to send messages between each other. They had enabled OTR, which is end-to-end encryption on their Jabber chats. So, all Liam could see was that someone was saying something over that port, but he couldn’t see what they were saying.

LIAM: So, Jabber is encrypted, and there are different settings that you can use. By default, the setting for attachments is not — it doesn’t default to encryption. So, your text, all the messages that you sent, are encrypted, but attachments are not encrypted, and that was the mistake that they made. They were talking to each other and we couldn’t see what it was that they were talking about, but if they sent an attachment like an Excel spreadsheet with all of their accounting in it or a picture of their desktop, that was not encrypted, and we could extract that from the network and we could see what it was.

RYAN: That being said, the majority of the attachments they sent were encrypted. They just occasionally — they’re human, too — forget to encrypt something or there’s — something doesn’t work right.

JACK: Whoa, this is something I did not know, that if you take the extra steps to add OTR to Jabber in order to encrypt all your messages, it still doesn’t encrypt attachments, and that’s a whole separate process to enable, and apparently it’s extra tricky to do. It’s interesting because these guys were clearly making every effort they could to stay hidden, and they still couldn’t reliably keep their stuff encrypted. So many places for your data to leak. So, one day Liam saw an attachment which wasn’t encrypted, and it was a gold mine for this case.

LIAM: We got to see them transferring spreadsheets, talking about all of the transactions, how much money they were making, who were the victims, what were the credit card numbers of the victims, what were the home addresses of the victims, what money mules they were using, the identity of all the money mules.

JACK: This was huge because it listed each of the members of this group and how much money they each made. Here’s what it said; member MF got 25%. Member linx got 25%. Min got to take 10%. Amy took 25%, and Raul got 15%. This essentially showed how many members were involved and their abbreviated nicknames. They even took extra steps to obscure their hacker names. Like, later they would find out that Amy stood for Amightysa. By this point, the FBI also stood up an infected machine in their office to watch some of this traffic, too, and it’s remarkable to think that these criminals were feeling clever and thinking they were super sneaky and laying low, while in reality a lot of their traffic was being routed right through the FBI’s office. But that wasn’t all Liam captured. He saw another attachment sent over Jabber.

LIAM: A picture of their desktop that they had transferred between each other, two members had transferred between each other, and they were trying to figure out why something wasn’t working with their malicious campaign. So, one of the Bayrob members had taken a screenshot and had transferred it to another one, but they had actually gone through my proxy machine at that time. So, I could see this. They were using encrypted chat, actually. So, I couldn’t see the chat, but because the pictures that they sent in the chat were not encrypted, I got this rare opportunity to see this image get transferred across — just like flash across my network.

When we decoded it we saw that it was the attacker’s desktop, and he was inside a VM machine. Then he had his control panel, his attacker’s control panel on the desktop, and he had a Facebook campaign that they were using to try and find victims on the desktop, and he was running that campaign through a hacked account. So, he had the hacked account information there as well, and we could see how many machines they had infected, and we could basically see the entire attack, the entire fraud campaign from beginning to end right in that one screenshot, and it just — it was just a total encapsulation of all their fraud in one picture.

JACK: The screenshot is incredible for this case. You can see this guy’s desktop. You can see he’s logged into a victim’s Facebook page. You could see he’s posted an ad, work from home, to try to recruit a money mule, and you could see the command-and-control server in the background. You could see he has chats open with somebody called Masterfraud, which is interesting because MF was one of the people getting 25% of the cut. So, now they start linking; MF must be Masterfraud. They could also see he’s encrypted his computer with TrueCrypt, since that was a process running in the background, which might be helpful later.

BRIAN: The challenge that we had was there’s all this encrypted traffic. We think we have the three guys, but we can’t get any substantive evidence connecting any one of them specifically other than the first mistake to the scheme. That’s when we found out that one of the other two had decided to travel to Miami, to the United States. This could only be because after ten years of committing this scheme and nobody knocking on their doors, they felt like they were pretty secure at this point. They had really amazing opsec, as Ryan mentioned, and this particular guy, whose name was Tiberiu Danet, had competed in international programming competitions and had even had an internship at Google in the US before he switched over to crime. So, he had friends in the US and was — we got advanced intelligence was gonna come to the US.

JACK: Arrest him on sight.

BRIAN: Well, that was our initial thought, but we knew if we arrested him — first of all, we didn’t have enough evidence yet. But even if we had got that evidence while he was there, if we arrested him, we thought the other two would flee and we’d never see them again. They would go to Russia or somewhere else where we couldn’t get them.

RYAN: And when he was coming into the country, we actually had no technical information tying any one of these individuals to the Bayrob infrastructure. The Romanian National Police had very similar data intercepts up on their homes, and guess what they weren’t seeing; any connection to the Bayrob infrastructure. They weren’t talking to the servers, they weren’t talking to the proxies, they weren’t talking to Tor off of their home internet connection.

JACK: So their home ISP was clean, completely clean.

RYAN: There was a little bit of encrypted traffic that we couldn’t explain, but there wasn’t anything that we could do with it. So…

STACY: So, I like to refer to what Brian’s talking about when this guy comes to Miami as Christmas in May. We were so excited for this to happen. We only had — I think about maybe a ten-day lead that he was coming to the United States, and we had to put together an operation to gather as much information on him as we possibly could when he was here. We had ten days to prepare to do that.

BRIAN: So, we decided to get a search warrant. We didn’t need a search warrant, technically, because there’s a border exception. What we wanted to do is when he came across the border, we wanted to search all his digital devices, and we were hoping he’d have a lot of digital devices on him and that this would break the case. But the exceptions to the search warrant requirement were really under attack at the time and continue to be, in part, after Snowden and part due to a number of events that were going on. So, we didn’t want to rely just on an exception to the warrant requirement, especially if we had time to get an actual warrant. So, we did get an actual warrant, and maybe you guys could take it from there.

JACK: Did you go to the airport?

STACY: We did.

RYAN: We did.

STACY: Yes. We were down in Miami, both of us, with a whole group of support people from the Miami division as well as from FBI headquarters to — as Brian said, we were gonna do a search warrant on every device that he had. We were hoping it was gonna be a lot of devices. It ended up not being very much. He did not have a laptop with him. He had his phone and a camera, and I think that was it.

RYAN: We had a full surveillance team on him. He was coming into the country with another individual. So, from the time he stepped on US soil, we had a team that was essentially tracking his activity to see if he was making any contacts or did anything that would indicate he was part of this group.

JACK: So, the FBI gets short notice of him coming to the US, and scrambles to come up with a plan and to meet him at the airport. What they wanted to do was look through his devices to see if they can see any evidence of him involved with this Bayrob Group in order to lead to an arrest. They thought if they interrogated him, that would spook him and he’d tell the others, and they’d all go into hiding. So, the plan was to somehow get ahold of his devices and search them without him knowing they got searched.

STACY: So, the Border Patrol was actually the ones that sat down. They have to do their interview when you come through. CBPS will interview you. So, they did an interview with him and kind of made it take a little bit longer. But they collected his devices and then provided them to us. We were sitting in a back room. He didn’t even know there was approximately thirty people in this back room all because of him to review his devices, to image his devices. So, Customs and Border Patrol did an interview with him, collected his devices, passed them to us so we could then have our computer forensic examiners image his devices, and he had no idea.

JACK: Then you gave it back and he left the airport without knowing everything you copied.

STACY: Yes.

BRIAN: He did not know, but he was pissed enough and realized he wasn’t gonna do this — he wasn’t gonna make this mistake again. So, he had — he was communicating with the other members of the group through an encrypted messaging app, Jabber, but it was saving logs. He changed — after this whole incident, he didn’t think he was identified, but he’s like, let’s stop recording those logs, and he changed his password on his phone to the Romanian for ‘US customs can blow me.’

JACK: Wow. So, the FBI took full forensic snapshots of everything on his phone, and he had no idea they were there. Then they tailed him the whole time he was in the US like ghosts.

STACY: So, he was here in the United States for — I believe it was about twelve days. So, we had him under constant surveillance almost that entire time. He wasn’t just in Miami; so, he landed in Miami. They were in Miami for a couple days. They went to DC for a couple days, then they went up to New York, and then ended up in Boston. We knew he was gonna end up in Boston, ‘cause that’s where he flew out of.

JACK: They took a look at the data they got from his phone.

RYAN: Stacy and I are in the Miami field office reviewing this almost immediately. This was the best opportunity we have to actually get some visibility that we can tie directly to an individual who we think is a member of the Bayrob Group. We’re rolling through this phone, through all the data, and we come across the Jabber chats. For the first time ever we actually find communications that were encrypted but are decrypted or unencrypted on the endpoint on his phone talking about Bayrob Group operations. They’re talking about crypto-mining and how much they’re making a month crypto-mining. He’s talking to the head of the group, who’s in Romania. At that time they were making about $6,000 a month mining their network of infected systems.

JACK: Masterfraud.

RYAN: Masterfraud, yeah. Incredibly technically gifted cyber-actor out there.

BRIAN: By the way, I just — I always want to tell people when you’re naming your criminal character, when you’re giving your criminal alias, it’s best not to name yourself after the crime because it may sound really cool at the time, cool to all your friends, the other group, but when you’re eventually caught — and you will eventually be caught — it dramatically limits your available defense, defenses. So, here it limited his defense to Masterfraud who? I never heard of any Masterfraud. You can’t argue with that point. This wasn’t fraud. Everyone understood what we were doing. No.

JACK: Brian and Stacy were able to look through the chats which were logged on the phone that they got a snapshot of, and most of what they saw was benign, nothing to do with this Bayrob malware operation at all. But because Ryan and Stacy knew this case very well, they would spot tiny clues. Like, MF was mentioned every now and then, very rarely, and they knew MF was short for Masterfraud, one of the leaders of this organization. So, little things like that would start to make them see the network of who he’s talking to. Another thing they found were chats mentioning a file name that they knew only existed on that command-and-control server that they had access to. So, this linked him to knowledge of that command-and-control server.

RYAN: We have a direct tie from this individual to Bayrob Group operations, and we know we’ve got the right people.

BRIAN: So, at that point we could have arrested him. We had enough evidence at that point to arrest him.

JACK: While he was in the US.

BRIAN: While he was in the US. So, this was a difficult decision because he was a high-value target. We figured of these three people, he was probably the second-most important. But Masterfraud was still in Romania, and we knew if we arrested him, Masterfraud would flee, or we felt like that was pretty likely.

JACK: They hoped they can eventually capture the whole gang, or most of them at the same time. So, they let him leave the country.

BRIAN: We let him leave the country. Part of the reason we felt comfortable doing that was we had worked with Romania for so long at this point. I personally had been to Romania something like seven times. So, we knew that we could work with them to successfully extradite…

JACK: You went to Romania seven times just for this case?

BRIAN: Just for this case, yeah. So, this is where it started getting exciting. Because Danet was here and we got that additional information from the Jabber chat log, we were able to go to grand jury, get this indictment, do an extradition package to Romania, and then I think both of you went over there, correct, as part of the arrest and take-down?

STACY: Yeah, we both went along with — we took four computer forensic examiners with us as well. So, there was a team of six of FBI over there.

JACK: They identified the names and addresses of the three main men behind this Bayrob malware campaign. There was Bogdan Nicolescu, AKA Masterfraud, Tiberiu Danet, AKA Amightysa, Radu Miclaus, AKA Minolta, AKA Raduspr. The goal was to arrest all three at the exact same time so none of them could tip off the others. So, the FBI and the Romanian police had to split up.

STACY: Yes, yeah. So, all three of them were in different locations, so we had to split up. So, yes, Miclaus had unexpectedly left town. They thought that he would be — I believe he was living in Brasov, also where Nicolescu was living. So, they expected him to be there, but he had left town the day before and had gone to visit his grandmother in a completely different city in Romania. So, they had to figure out where he was and do surveillance on him, and then they stopped him in his vehicle on his way back to Brasov.

RYAN: Stacy, you were in Bucharest and I was in Brasov, which was where Nicolescu had a home at the end of a street. We were there when RNP made entry into the various locations that we had.

JACK: So, what’s it like going in their house and collecting that stuff?

STACY: It was interest — it was very different. They have a different process than we do. So, I think we found it very interesting to watch the Romanian National Police and see how they do things, how they collect evidence versus the way that we do it. Then because we were there, the nice thing was we were then able to, a couple days later, take all of the evidence with us and take it back to the United States with us.

JACK: So they caught them, and took all their devices back to the United States. But the Bayrob gang was still in a jail in Romania. We’re going to take an ad break here but stay with us because the next step is to get them to the United States and prosecute them.

JACK: So, the FBI searched the homes of this group, and they were really hoping to catch them in the act with their computers open so they wouldn’t have to crack any passwords and unlock computers, but when they entered the house, all the computers were off and locked. But as they looked around, they were able to solve one of the mysteries they had, which was how this group kept moving around with their IP addresses so much, sending the Romanian police to the wrong address so many times. One of the things they found were these large directional antennas.

BRIAN: What we realized with these directional antennas, which made for great trial exhibits, was that they were never using their home internet when they were involved in criminality. They would hack into another account in Bucharest, and Bucharest is a very big city. It’d be like doing it in Manhattan. So, every time they would just hack into a different person’s home Wi-Fi, and that would be the start of their proxy chain. They would start there, then at least towards the end, as Danet explained it to us, they would go to Tor, then from Tor they would go through their proxy chain, which was typically one to three infected computers, and then from there they would go to America Online where Eoin was seeing them, and then from there, that’s when they would use commercial ISPs like Google, Facebook, eBay, etc.

RYAN: So, the way they were operating is they would actually meet up. Everybody would essentially get a standard build. So, their laptops were all built out the same way, and Nicolescu would configure them to be essentially — they get the cyber-crime package, which means multiple levels of encryption. So, they were running Linux with LUKS on it, and then they had a couple of TrueCrypt containers on it, and then Nicolescu had written his own encryption software for — because TrueCrypt was no longer being updated.

JACK: So, that’s five layers of encryption just to unlock the laptop?

RYAN: Yeah, four or five different layers, and everybody in the group got the same package, essentially. They also — that was not the extent of it. They also got some networking gear. So, each of them got a custom flashed router, and that custom flash router would allow them to proxy their traffic between their different houses. Their operational security was that their first hop from their house was using a directional Wi-Fi to the internet. That individual — say Nicolescu was in Brasov; he would establish that on the router, the custom flashed router.

Then he would communicate to the other group that his router was set up, and everybody would tunnel their traffic for the group through that stolen Wi-Fi, through the router at that location, and then they’d switch the router the next week to another individual’s home, and that was why we were seeing the encrypted traffic between the two locations that we couldn’t explain. It was their tunnelled, encrypted traffic that was then being sent over stolen Wi-Fi using the directional antennas, then to Tor or a proxy network into infected systems, then up into the command-and-control infrastructure. So, again, they were doing a pretty good job of hiding their tracks.

LIAM: So, when I was seeing IP addresses that I thought could identify the address of the attackers, it turns out they were using directional antennas to steal their neighbors’ Wi-Fi. So, the addresses that I was seeing were very rarely their actual home address, and I had to look at the data very, very carefully to understand when had they slipped up, and they weren’t using their neighbors’ stolen Wi-Fi. They were actually using their own home IP address by mistake, and those slip-ups are very, very rare.

JACK: The FBI wanted to prosecute these three in the United States, but in order to do that, they had to convince the Romanian police to allow them to extradite these three to the US to face trial there. But in order to get extradition approval, they had to have clear evidence as to who everyone was in this case and what they did.

STACY: ‘Cause it might not be necessarily clear to other people that when we’re indicting this group, we can’t just say this is the group and they did all these things. We need to be able to say this person is Masterfraud and this person is Amightysa, and this is the roles that they — each individual played within the group. So, for a long time, yeah, we knew who the three people were that were running everything, but we could not say which one was which as far as their criminal moniker was concerned. So, it wasn’t until we got Danet’s phone and then we were able to — Ryan was able to connect his log-in activity with his vacation time that we were finally able to say this person is this person, and this person is this person.

BRIAN: So, the extradition was seamless with Romania because of all this background work we had done. So, this was amazing. We got them into the US in a couple of months.

JACK: They get the three guys on US soil and then go in to question them. First they start with Danet, AKA, Amightysa. They show him all the evidence they have against him and basically said, look, you’re definitely going to be found guilty. We have a ton of proof. But if you plead guilty, we’ll try to get your prison sentence much lower.

RYAN: So, Danet ends up pleading, and we confronted him with the evidence during a proffer session. During our investigation, one of the things we did with the evidence collection is we had really good visibility into when they were logging into and logging off of all of their criminal accounts. We didn’t know it at the time, but this information ended up being incredibly valuable because it established this pattern of life for all the different actors. We could see when they were online doing — in their criminal accounts and when there were large gaps. When we were able to get Danet’s personal computer and search that, he liked to travel, and he vacationed a lot, and he also took photos of everywhere he went. He was an avid photographer. So, we could see through the photo metadata when he was in these certain locations, and then we overlaid it with all the criminal account data, and you could see that every time one of these accounts went dark, Danet was on vacation.

BRIAN: He logged on faithfully to the criminal account multiple times a day, every day, except for the exact periods of times when he went on vacation. There was something like thirty vacations. I remember we talked to him, and I said to him, look — we created a spreadsheet or a diagram to show this, and I said, look, if there were five overlaps in vacations, that would be curious. If there were ten, hm, something’s going wrong here. But with thirty, you are the guy. You are Amightysa.

JACK: Danet told them a lot. One thing he said was how many other members were involved in this back in Romania. As it turns out, he listed six other members and what roles they had. This was huge for the FBI, to paint a full picture of this group, each member and their operations. Okay, so Danet pled guilty, and he was sentenced to ten years in prison, and was cooperating. The other two weren’t talking and they were just sticking to their not-guilty pleas. So, it meant that this case was gonna go to trial. Now, you would think the hard part is over for the FBI and the prosecutors can take it from here, but the opposite is true. In the month before the trial, the FBI had to work harder than ever.

RYAN: Well, to explain how this process works, we worked — we all worked probably straight thirty days. My wife at the time — so, I’ve got fifteen-year-old triplets, and she’s from Colombia. I told her, listen, for the next month, month and a half, I’m not going to be at home. I’ll be at the office pretty much the entire time. She takes the kids, heads down to Colombia, and that’s the same for all of our families, right? They didn’t get to see us. We were in the office. A ten-hour day was probably a short day. This is go time.

JACK: Because now the FBI had to convince a jury that these men are guilty beyond doubt, but it’s always very tricky to present electronic evidence to a jury, since a lot of times they aren’t very tech savvy or know what this evidence even means.

BRIAN: I gotta say, the most important — I guess at the end of the day for the jury, the most important piece of evidence came from the fact that Danet, when he was cooperating, told us everybody else who worked with the Bayrob Group. Stacy — we talked with Stacy and Ryan and we decided that there was not enough evidence to indict any of those people, ‘cause we couldn’t just indict them based on one criminal saying these are the guys, ‘cause the jury’s not necessarily gonna believe a criminal. So, Stacy said to me, well, why don’t we just go over to Romania and talk to them and try and get them to testify? I said, well, I don’t — why would they come to the United States, risk being arrested, to testify when we don’t have any evidence against them? Stacy brought up the good point; they don’t know we don’t have any evidence against them. So, Stacy and I went back to Romania right before trial, and we ended up flipping — what was it, five out of six?

STACY: Yeah.

RYAN: [Crosstalk] All three of us went back.

STACY: Yeah.

BRIAN: Oh yeah, sorry, you were…

RYAN: Yep, and we flipped five out of six of them.

BRIAN: Five out of six.

STACY: And they agreed to come to Cleveland and testify at trial.

JACK: What’s in it for them?

STACY: So, again, they didn’t know that we didn’t have enough evidence to include them.

RYAN: Well, to be honest, we had a lot of information on them, right? So, we knew that they were involved. We knew what their roles were in this because we had a number of individuals at this point in time that were telling us that they were involved and what their roles were and what their criminal monikers were. So, we did know what accounts they were using and what their job was within the group. But we — at the time we didn’t feel — I mean, we could have tried to indict them.

BRIAN: We could have.

RYAN: …extradited them. So, it wasn’t an empty threat. It was just, we didn’t feel like we had enough because in these cases, we really only indict and extradite folks when we’ve got a really bulletproof case.

JACK: Yeah. Your track record is 99% conviction rate.

BRIAN: And they have to have had a significant role, too. We’re not gonna just necessarily indict everybody who did anything. So, basically we talked to these people individually, and they believed that cooperating was in their best interest, and a lot of them felt really bad about what — ‘cause a lot of them had moved on at this point. It took so long to do this case. A lot of them now had kids and had a regular job and were so embarrassed. Some of them were crying when we were talking to them, and not because they were scared of the consequences, but I think because they were humiliated by the fact that they had done this and people now knew they…

JACK: So, what’s the option you give them? Can you come testify please, or come testify, or we have evidence on you…?

BRIAN: I’m gonna jump in on this one. There was no quid pro quo or anything. It was purely optional. They had to — we didn’t make any promises to them. They had to believe that this was in their best interest or just want to do it out of their own…

JACK: So, it’s just a matter of, hey, come clean.

BRIAN: Well, it was ten years later. They remembered, all of them remembered waking up and Nicolescu and Danet and Miclaus being gone and word starting to spread. Everyone was freaking out there because there weren’t too many extraditions from Romania to the US. I think cyber-criminals in Romania felt like the worst thing that could happen was they’d be prosecuted in Romania if they were caught, and in Romania you kinda got a slap on the wrist. You wouldn’t spend much time in jail. So, this was like seismic when these arrests happened in Romania, and they just wanted to curry favor, I think, at that point. They wanted to be helpful. They didn’t want to risk any bad things happening to them.

JACK: Now, even though they had seized everyone’s computers, they still couldn’t get into them. Because remember, each computer was wrapped in five layers of encryption. First was this boot integrity thing making sure that no hardware changed in setting it up. Then they would use LUKS to encrypt the Linux partition, then there was a custom layer of encryption that Masterfraud wrote himself using SSE, then there was a TrueCrypt container, and then there was another TrueCrypt container. Keep in mind that every layer has its own unique, complex password to decrypt. Once they got through all that, then you would boot into Linux, and then finally there were these virtual machines that they would load, and that’s where they would do the work from. I think it took five or eight passwords just to log into work every morning for these guys, which is incredibly impressive.

BRIAN: Masterfraud, he programmed in assembly language. So, a very unusual character. When we got these computers and Danet explained to us what we were seeing, not only was it this multiple levels of encryption; they had built — Masterfraud had come up with himself a kill switch that would enable him to press a single button and encrypt the whole machine, and if he didn’t decrypt it within a certain amount of time, it would just wipe the whole thing. He created his own software-based key-logger, so if the FBI or Romania had put something in the computer, it would have detected and alerted that. So, he was off the charts compared to what we see, even at CCIPS where it’s all very advanced.

RYAN: So, these systems were all configured the same and they had similar tool sets and the same kind of encryption everywhere. So, when Danet pled, he actually was able to provide his password for a couple layers of that — his work platform. So, we were starting to be able to essentially peel back the layers of encryption and see what was in each layer of encryption. So, we’d peel back the first one and we’d get into the Linux operating system that they were using, and we saw that there was some source code for the encryption software, the container software that Nicolescu had written. We’d come across a couple of additional TrueCrypt containers, and we could unpack some of those. We were doing forensic analysis on these systems, and sometimes we’d be able to find a mistake where they left a password somewhere, or we were able to get in because somebody would tell us what their password was.

I remember one of the passwords was ‘pizzakitchen’ in Romanian backwards. That was his password, and it was like a fifteen-letter — or maybe it was longer than that — password, and it needed to be in concert with another password. We only got so far. So, we could only get so far through that encryption because they had been in jail for a bit after being extradited, and their passwords were extremely complex. We could never get in past the layer that Nicolescu wrote. I had actually gone to Quantico; we have a lab there that specializes in helping in these highly-advanced technical situations, and we brought the source code out there, and they analyzed it. We spent a lot of time trying to break into it. Everybody will say the first rule of encryption is don’t write your own. But in this case, Nicolescu was so good that he wrote a pretty solid piece of encrypted container software.

JACK: Wow. So, even the FBI couldn’t crack into these machines. They even tried to crack the passwords by brute-forcing it, but the way SSE and TrueCrypt was set up was they worked in tandem. So, the FBI would have to crack two passwords at the same moment to get through those layers, and that made this astronomically more difficult.

BRIAN: But one of the things we learned is these computers still had value even if they were completely encrypted. So, at trial we were able to show Nicolescu’s tower, which had hard drives that you could just pull in and out like a data center, which is not what a normal person would have. We were able to have the FBI testify, yes, this was on his desk. This was his tower when we came in there. We’ve used all our tools. We are not able to decrypt any of this. That’s pretty powerful when you have all this other evidence that this guy is Masterfraud, ‘cause the jury’s looking at this enormous tower of hard drives. They know this is nothing like their home computer. They know the FBI, with all its power, can’t get into, and they’re thinking, alright, something’s up here.

JACK: With a list of money mules and money-muling being illegal in the United States, were you going around and arresting all these money mules?

STACY: So, we did have conversations with a lot of the money mules, and many of the money mules were arrested by their local police. We did not arrest any of the money mules or prosecute them.

BRIAN: Yeah, so, at trial we had some of the money mules testify, and they were victims as well. In fact, in some ways they were the most-scarred victims based on their testimony. First of all, what the Bayrob Group told them in many cases — they would place advertisements for them on Facebook, on — their machines tended to be infected, as well. So, they — when they would go to Yahoo or Google, they would see an advertisement for a wire-transfer agent. So, they thought this was legit. What the Bayrob Group would tell many of them was that when Americans go and travel in Europe, they often get mugged and lose their passport and lose their money.

So, what we do is we help relatives get the money quickly. So, these people thought they were actually doing something good, that they were helping out, and I will never forget when one of the most prolific money mules testified at trial and the defense attorney tried to cross-examine her and make her — he said, well, you’re calling these people victims now, but you didn’t see them as victims then. She absolutely exploded because she was — she said, I’m so embarrassed. This is the worst thing that’s ever happened in my life. I never knew. I didn’t mean to do this, etc. As he was coming back, he turned to us and the prosecution table and said, one too many questions.

RYAN: We took all the evidence that we had collected over this entire case. We took all of our victim complaints. Stacy and I went through all the ic3.gov complaints. We went out and interviewed hundreds of victims, I felt like, at the end of this, and had some of them come testify at trial. We had a search warrant on a couple of the command-and-control systems, which I had actually stood up a copy of that command-and-control server in our office, and then I invited Liam to come out because he had done so much of the technical analysis that we needed another expert set of eyes on what we were seeing.

JACK: How much money do you think they made?

RYAN: So, we had hard numbers that they had defrauded people out of $4 million.

JACK: To fraud.

RYAN: Well, in total made $4 million.

STACY: At least $4 million. We had identified over a thousand US victims.

JACK: A thousand victims.

RYAN: Just on the eBay fraud alone.

LIAM: What we had estimated they’d made over the entire length of the operation, because they’d been operating for ten years — and we didn’t have accounting for all of those years, but we could see a lot of the output and we were able to estimate over the given period that it was about $4 million.

JACK: Then how big was the botnet?

LIAM: The botnet reached the maximum of about 450,000 machines, and at any one particular time they had hundreds of thousands of machines operating.

BRIAN: That was other key evidence, by the way, because once we arrested them, the botnet stopped.

STACY: I was gonna say, one of my favorite moments in this case was actually — we had been watching this group for almost ten years and had identified, like I said, over a thousand victims of eBay fraud. So, it was so frustrating to know that this was continuing to go on year after year after year. Then finally we were in Romania when they arrested him, and the day after we arrested him I turned to Ryan and I said, Masterfraud is in jail right now. It’s done. We have stopped the fraud and the victimization.

JACK: Okay, so you bring all this evidence. What does the defense bring?

BRIAN: Well, so, the defense’s main defense is the most common defense that you typically see at the Department of Justice, which we refer to as the SODDI defense, which stands for ‘some other dude did it’, which we — I would refer to as the SORDDI defense in this case, ‘some other Romanian dude did it’. So, that was their defense. They didn’t put on witnesses. They challenged our evidence and, as you would expect in a case like this, argued that there was insufficient evidence to say that these were the guys.

JACK: This jury was mostly retired, and a few people didn’t even own cell phones. It was gonna be tricky to present all this evidence to them.

RYAN: Eoin’s doing traffic analysis. Liam’s doing reverse-engineering. We have title — data intercepts on the command-and-control infrastructure. We’re addressing topics like encryption and crypto-mining and being a vendor on the dark web to essentially folks that are not cyber-savvy. Frankly, the entire team did a great job of taking this complex evidence and making it relatable to the jury and understanding a lot of what we did was truly education of what we had and why it was important in very common terms.

JACK: They did it. They were able to convince the jury that both men were guilty.

BRIAN: They were found guilty on all counts. Danet, consistent with the plea agreement, was sentenced to ten years in prison. Miclaus was sentenced to eighteen years, and Nicolescu, who was Masterfraud, was sentenced to twenty years.

JACK: Wow, twenty years. That sounds like a lot.

BRIAN: These are tremendous sentences for a cyber-crime case. What you gotta remember is the judges who sentence — and it’s the judge who sentences; not the jury. They sentence for all kinds of cases. They see terrorism, they see murder, they see all these crazy cases. So, at the end of the day, a lot of judges are like, well, this guy hacked — we’re talking $4 million or $40 million or whatever the case may be. It’s not a billion-dollar Ponzi scheme. It’s not — nobody died, so I’m gonna give them a couple years. We see that all the time. So, it was only because, I think, we had so much great evidence, we had so many victims testify about how it impacted them, the money mules, and the scope of the crime.

We were also able to show that these guys weren’t just doing their criminal job; they were really sadistic. They really wanted to hurt the victims. For example, they developed one phishing e-mail that was supposedly your HIV test result. When you clicked on the link, you were positive. It’s like, why would you do that? I mean, you’re freaking people out way more than even the value of the money. So, I think the judge realized this was a serious group. It was a serious threat. If they get back out there, they may just start up again. So, we felt quite good. Those were some of the highest sentences you’ll ever see, or at least as of that time, in a cyber-crime case. Even today it’s pretty rare.

RYAN: I think the other thing that is sometimes lost in this is that each one of these victims — this does something different to each one of them, right? So, any one of us may lose $7,000, and we write it up to, man, I made a huge mistake there. But the folks that were being victimized here, they were folks that really couldn’t afford an extra $7,000, right? They were buying a vehicle to get to work. Some of these victims, they’re — it caused a lot of strife in their relationships, where one person in the relationship said, no, that sounds like a scam; don’t do it, and they did it anyway and they lost it, and it started kind of a downfall in that relationship. We had some folks that were divorced over this. We had…

JACK: What was that for?

RYAN: Well, because they basically disagreed that — well, when they lost the money it caused such strife in their relationship that they…

JACK: You idiot, you got scammed.

RYAN: Essentially.

JACK: Wow.

BRIAN: I want to be clear, though; you could be very smart and still fall for this. So, two things I want to make clear. I don’t know if it was clear from the background. When you went to eBay, the mal — if you were infected with the malware, it would make it appear that eBay had an escrow agent protection program, and you were sending the money to an eBay escrow agent who would only release the money once you got the car and were satisfied with it. That was all just the malware. It was a money mule. But anybody would see that and think, alright, that sounds very safe.

JACK: The URLs would say eBay, even.

BRIAN: Yeah, the URLs…

JACK: It was just all malware.

BRIAN: We’re exactly right.

JACK: That’s really sophisticated.

BRIAN: One of the victims who testified at trial was a used car salesman who had a dealership who would buy cars online all the time, and he fell for this, too. He had a very lengthy chat with the Bayrob Group, not knowing it was the Bayrob Group, about this escrow agent program ‘cause he hadn’t seen it before. They must have stayed on with him for an hour to convince him that this was real, and then ultimately he fell for it. I think that helped that the jury looked at this guy testify who was victimized as a car dealer, and were like, oh well, if he fell for it, I would have fell for this.

JACK: With that, the FBI investigation and prosecution was over. All three of the main people involved were arrested, found guilty, and put behind bars. Wow, what an investigation.

RYAN: We’ve got a ton of people to thank for this. So, first of all, the Cleveland field office was with us all the way. So, our cyber squad, our organized crime squad, we had great supervisors that supported us, we had great executive management, fantastic analysts, our computer scientists, our…

JACK: Feels like a lot of interns were going through a lot of data there.

RYAN: Not so much. These are all professional folks that are doing this. We typically don’t have interns on our squads. So, we’ve got a ton of support from the Miami field office. We had Customs and Border Patrol, the US Attorney’s Office…

BRIAN: Including Duncan Brown, Brian McDonough, and [inaudible] Carney, in addition to myself.

STACY: Then, of course, Symantec and AOL were hugely instrumental.

JACK: I imagine eBay was helpful.

BRIAN: eBay was helpful, as was a lot of the brands whose trademarks these guys mimicked in order to trick people. So, we had great cooperation and witnesses from Facebook, from Walmart, from eBay, from Google, from Yahoo, all coming to testify at trial.

JACK: So, what happened to the millions of dollars these guys made? Well, they spent a lot of it as soon as they got their hands on it. The FBI was able to seize some of that, but not enough to pay back all the victims. However, these guys were running huge cryptocurrency farms, basically putting all the infected machines to use to mine crypto. The FBI seized the computers which held those crypto wallets.

RYAN: They did have some cryptocurrency, and actually at this point in time, it’s probably worth a lot of money, but it’s locked in a couple layers of encryption.

JACK: Really? You still haven’t been able to crack it?

RYAN: We haven’t been able to get there.

JACK: Wow, those machines sitting in the FBI evidence room hold the keys to millions of dollars of Bitcoin that the FBI would love to confiscate, but the multiple layers of encryption is just too strong for them to crack. So, it just sits there in a room, unplugged, dormant. How wild. If it was me, I probably would have used that Bitcoin as some kind of bargaining chip to get my sentence reduced. But because they didn’t, it makes me wonder that in twenty years when these guys get out, they might have saved their keys somewhere else that they can still access and come out of prison as millionaires. That’s crazy to think about. In case you were wondering, yes, I did get all these people in the same room to interview them all at once. We all met up at the RSA Conference in San Francisco earlier this year. [To guests] What are you all doing at RSA? What are you hoping to get out of this?

LIAM: To see where AI is going and see if we can cut through the AI hype.

EOIN: I’m just here to talk to you and then get a drink with them. Then that’s — and then I’m going back home.

STACY: That’s what I’m doing. I’m flying to Chicago tomorrow morning for an AVA conference, so…

BRIAN: I spoke on a panel today about ethics in cyber security, and then tomorrow I am speaking on a panel about a framework for measuring the security and safety of AI. So, I was really excited that I could do this as well while I was here.

RYAN: I’m on a panel with Brian talking about AI agent security safety and reliability.

JACK: I’m really intrigued by this whole case because of how much these Bayrob guys took their opsec seriously. They deployed all the best practices, and took extra steps to keep the FBI or anyone else from discovering them. It was only from really tiny mistakes, and over the course of ten years of the FBI and Symantec and AOL diligently listening and monitoring them, that these mistakes were even found.

And it is one of those cases that shows if the FBI wants to catch you badly enough, even with the best opsec out there, they still can. It might take them ten years to gather enough evidence, though.

And I just want to recap all the things they did here to try to keep the FBI off them, since it’s fascinating to me to watch them work.

  • First, they didn’t talk openly. These guys never casually texted each other about this, or talked about their criminal enterprise over the phone. When they would, they always used encrypted chats. And the FBI also discovered that they often ran the radio in the background when working together in the same room, in order to keep any listening devices from hearing what they were saying.
  • Next, they didn’t use their home internet. They used stolen Wi-Fi, long antennas which could connect them to Wi-Fi a mile away. Then they’d VPN to one of their houses where the proxy chain would begin. They used Tor, and proxies, and hacked routers.
  • They encrypted everything, everywhere. Or at least they tried to. When moving files they used SFTP, when connecting to their command-and-control server they used SSH, and they encrypted their hard drives multiple times.
  • They didn’t log anything. At first some Jabber logs were saved, but then they turned them off. Logs are like documenting your activities. It’s a liability for criminals.
  • They created fake personas. Each of them only used their hacker handles when discussing this work, and never used those handles outside of the work. They were extremely careful in that matter, and then they used abbreviated versions of those handles on top of it, making it extra confusing.
  • They didn’t contaminate work and personal data. The work computer was for work only. Isolated not just with a physical computer, but also a separate network. Only approved virtual machines could be used for work. Never do anything from your personal computer.
  • They reduced who they had to trust as much as possible. Keeping a small circle of who knows about this. They built their own computers, their own malware. And didn’t share it with anyone. They were self-sufficient. And those who they did get to help them often were lied to about what they were doing. This also meant nobody had power over them.
  • They had to be paranoid all the time in order to keep up these efforts for years and years.
  • And even when they got arrested, two still refused to talk to the cops. And actually dealt with the pressure well. Staying calm and cool.
  • They conducted counterintelligence. Trying to know who might be looking for them, and then blocking those IPs and domains.

And they did so much more! But my goodness. This is what it looks like when bad guys have good opsec. They almost made it impossible to be caught. Because even though they did an amazing job at protecting their data from leaking, they didn’t stop every drip. And enough drips can make a puddle.

[End Music]

Thank you so much to my guests, FBI Special Agent Ryan Macfarlane, FBI Special Agent Stacy Diaz, DOJ Prosecutor Brian Levine, Liam O’Murchu Director at Symantec, and Eoin Miller from AOL.

STACY: Now that I’m retired, I’ve created a non-profit called Crypto Cops Academy that is dedicated to teaching law enforcement as well as students all about cryptocurrency, and hopes to, one, instruct law enforcement so that they can better investigate crimes involving crypto, but then also to instruct the students, young people, all about crypto and how it works and how to keep their crypto safe and how to not fall for scams involving cryptocurrency as well.

BRIAN: And because I met and got to work for such incredibly talented people like you’ve talked to today, I started formergov.com, the first directory of former government and military professionals, and happy to have any of your listeners who are former gov — and that’s federal, state, local, tribal, outside the US or military; happy to give them free membership. They can just reach out to contact at formergov.com.

JACK: What an incredible story. Hey, listeners, I’m gonna be releasing a new podcast soon, and it’s by far the most insane, dark, and crazy story that anyone has ever told me and probably will ever tell me, and it’ll be a five-part series. If you want to get in on it when it’s launched, sign up to be a premium listener since I’m gonna be releasing it to those who support me first. All I’m asking is for you to buy me a cup of coffee once a month to show your support. It might not seem like it’s much, but it’s actually huge. It’s way more than you can even imagine.

It fuels me. It carries the show. It gives me hope, and it’s so helpful. So please sign up as a premium subscriber by going to plus.darknetdiaries.com. Hey, when you do, you get an ad-free version of the show and a bunch of bonus episodes that you won’t be able to find anywhere else. So, thank you very much. This episode is created by me, the man in the black hat, Jack Rhysider. Our editor is the touch typist, Tristan Ledger, mixing by Proximity Sound. Our intro music is by the mysterious Breakmaster Cylinder. Why did the man get fired at the keyboard factory? He wasn’t putting in enough shifts. This is Darknet Diaries.

[End of recording] Transcription performed by LeahTranscribes