[START OF RECORDING] JACK: In my early twenties, I worked in a nightclub. I wasn’t doing anything special; just washing dishes and stuff. But one day I overheard something that I still remember today. One of the servers was taking a customer’s drink order and for some reason I heard the order. It was a standard cocktail; for some reason I knew this drink cost $4.00. When the server came back with the drink, the customer pulled out his cash and asks, how much is it? The server told him it was $5.00. She was scamming customers who paid in cash. She would pocket the $1.00 extra and claim it was a tip, and then give $4.00 to the bartender to ring it up. Clever stuff. I was even a little mad I didn’t think about it even though I didn’t have to deal with money at all, but still, I loved trying to figure out ways to exploit the system in my early twenties. But whatever; I was now in this new awkward position. Do I tell management about this? I get anxiety about stuff like this.

She might lose her job because of me or maybe even get arrested because of me. I know some of you are saying no, no, no, it was her actions that caused her to lose her job. But still, do you understand that feeling I’m talking about where if you say something, it can have life-changing results for someone else? I didn’t say anything but the nightclub figured it out anyway and she ended up getting fired. This is a form of insider threat. She was in a position that she was taking advantage of. Insider threats are people who are hired by a company and then those people exploit the company that they’re working for for some kind of extra gain. Over 50% of companies claim to be victims of insider threats but what does this look like in the hacker world?

(INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet. I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS]

JACK: Okay, so, do you want to talk to me about probably the worst time of your life? You ready to relive this moment?

G.EXODUS: Yeah. We can relive it. Let’s do this.

JACK: Okay. Let’s start with what’s your name?

G.EXODUS: My name is Ghost Exodus.

JACK: Ghost Exodus. I like the sound of that. It actually does sound like a cool hacker name, doesn’t it? But to understand Ghost Exodus, I think it’s important to go back to a time; a time where we’re all waking up, looking around, looking for answers about life.

G.EXODUS: I was nineteen just turning twenty.

JACK: The year was 2004 and what Ghost Exodus is about to do is gonna drastically change his life.

G.EXODUS: Well, I mean, the circumstances involved in my life might surprise you because I’ve never talked about them to anyone before on the internet.

JACK: But let’s talk about what he’s doing just before this big change.

G.EXODUS: Prior to that, I was a classical concert pianist. [PIANO PLAYING WITH MUSIC] Music was pretty much the center-focus to my life.

JACK: He’s actually really good at piano and what you’re hearing right now is actually him playing. Not only that but he’s also really good at violin. Check this out. [VIOLIN PLAYING] When he was two years old, his mom and dad split up. She went to live in another state and gave full custody to his dad. His dad had other problems and a tough time raising a kid on his own. By the time Ghost Exodus was ten years old, he was adopted by the family next door. His mom would send him photos and letters sometimes but he would only be able to see them during psychological counseling sessions. Eventually, his real mom stopped sending letters and he lost contact with her. When he was a teenager, he hired a private detective to try to find his biological [00:05:00] mother. She was living in Texas. He went to see her; they reunited. He got to meet his biological brothers and sisters for the first time at nineteen years old. He decided this was the family he wanted to live with, so he moved in with his biological mother to rebuild his long-lost family.

G.EXODUS: [MUSIC] My mother was a pastor married to a pastor and because of my music abilities, I became the music director for my family’s church.

JACK: It makes sense, right? He wanted to be part of this family and he can, by playing music in the church that they’re involved with. Okay.

G.EXODUS: But the extent of it was just so extreme that, I don’t know, I just felt choked, like all creativity was just being bled from me.

JACK: The church was very strict and rigid and demanding of Ghost Exodus. He started wondering if this was a cult, even.

G.EXODUS: It was led by a megalomaniac. My life was very micromanaged at the time.

JACK: What the heck kind of recipe is this? A twenty-year-old looking for answers in life hires a private eye to find his birth mother, meets his brothers and sisters for the first time, moves in with them, gets inducted into a super-strict church, and is not happy with how his life is being micromanaged.

G.EXODUS: From 2004 to 2008 is when I was involved with this ministry. But in 2008, I finally got myself excommunicated. That’s when I just, I don’t know, I just let loose. [MUSIC] I became this eccentric loose cannon.

JACK: During this time, Ghost Exodus also had an interest in computers; playing video games and downloading pirated software. But he was also seeing what hacktivists like Anonymous were doing at the time, raising awareness for injustices in the world. This interested him so he gravitated towards where this kind of stuff was taking place online.

G.EXODUS: There was a lot of injustice that really affected me by this type of ministry. Growing up in the rough neighborhoods that I grew up in, I saw this need to use hacking as the means to help people who didn’t have a voice and to help people who didn’t have the technical capabilities to defend themselves. This was during a time when cyber-bullying was this type of – it’s like an epidemic. There were no real, viable means to help people who were experiencing cyber-bullying. Schools were not up to – did not have a policy that knew how to deal with this. Law enforcement neither had any type of platforms where they could reach out and help people who were being affected by cyber-bullying. In my own life, my life being dominated and being controlled, being constantly subjected to ridicule and injustice, I just took my experience and then tried to find some type of solace by helping others.

JACK: Everyone has their own soft spot for something. You know it’s your soft spot when you see someone or something suffer and it just tears you up inside. You can’t stop thinking about it. Ghost Exodus didn’t like seeing people getting bullied online because the results are horrible; like, a naïve kid might make a YouTube video and speak his mind about something, but he looks a little funny or talks a little funny and he gets mocked and made fun of. Somebody from the internet decides to get his real name and phone number and try to call him and mock him more, and maybe even call his parents and mock them. This kind of thing can easily result in years of depression all because you made one stupid video on YouTube. Ghost Exodus hated to see when the internet trolls would dogpile on someone and ruin that person’s life, so he wanted to do something about it.

G.EXODUS: I originally was a member of the Insane Masterminds Crew. I had always been a lone wolf my whole life and I really didn’t want recognition. I didn’t want to join my peers doing any type of activities. I was completely content hacking on my own and learning on my own. But I had bought some books and I realized how much more I could learn if I had joined a crew. I found the Insane Masterminds Crew and they had recruited me. I enjoyed this great camaraderie and I was able to expedite or greatly and vastly learn more in a group setting. From there, I was like well, if I could be a member of this really cool-ass group, why don’t I start a group of my own that is fueled with my own ideals? [00:10:00] I could recreate it in my own way.

JACK: Ghost Exodus became better at hacking. He learned a lot from this crew, so much that he was able to start his own hacking group, and he named it ETA.

G.EXODUS: [MUSIC] The Electronik Tribulation Army. Social injustice was the forefront but that was like our buckler and sword. This is really legitimate. I’m not trying to sell myself here. We became vigilantes and that’s what I saw myself as, as some type of social justice mechanism to try to reach out and find people who were being affected ‘cause it was so easy to try to rectify what they were going through. Then try to empower them by teaching them ways to defend themselves. I don’t know, it started really small with just us doing stupid shit like learning SQL injections and cross-site scripting and phishing. We didn’t really have any type of modus operandi. We were doing these things for the sheer exploration of it. I come from a generation where hacking wasn’t to make a name for yourself. That was kind of the direction I was taking the group. We did things for the sheer curiosity of it.

The internet was like, this great nexus of infinite puzzles and that’s what kept me going, is that every single nexus in this great, vast network called the internet was like this great, amazing puzzle. I’m always really drawn to puzzles so hacking for curiosity is where I started and that’s where the ETA originated with. I kind of took the vestiges of my generation and brought it with me. But as we became more sophisticated and we started bringing in these crazy Jedi hackers, we’ve seen that we could do more. We started evolving into hacktivism and then hacktivism took us into cyber-vigilantism and then that just took us into some really dark places where I started to kind of lose control of myself. We kind of lost sight of what we had originally wanted to accomplish in those original stages.

JACK: Like many hacktivist groups, ETA grew and gained momentum. But the members of the group were getting sloppy, cocky, or trying to outdo each other. There was this sort of tick-tock swing that became unsustainable.

G.EXODUS: We just lost control. I mean, I lost control, let’s just be honest. I was probably the one who lost control.

JACK: Yeah? How so?

G.EXODUS: It started really getting to my head and it started to take control of my life. This megalomaniac church cult took everything from me. It left me with a self-esteem that was completely broken and hacking was a way to rebuild myself. But in so doing, I became this narcissist, this ego-driven maniac. I just became this pathological hacker. The more I did it, the more I boasted of it. I lost control of who I was until I didn’t have an offline life anymore. At the time, I was married. I had just had a kid. I didn’t know how to stop. By 2009, I really realized I had a problem.

JACK: He started playing around with botnets which simply defined, a botnet is a large group of computers that you control but you don’t own, so you really don’t have permission to control them.

G.EXODUS: [MUSIC] When I had seen what they could do, I don’t know, my mind was blown. They’re so versatile. You can use them for good purposes, you can use them for bad purposes. You can sell them, you can lease them, you can rent them. I mean, they superseded anything that we were doing like keylogging, host-booters, denial-of-service. I had seen the potential for using them as this badass freaking weapon that can pretty much – you can do anything. You can use it to leverage other people. It’s just too much power in the hands of – in my hands. Yeah.

JACK: Now, the story goes, another guy named Isaac starts messing with Ghost Exodus at this time, doing things like doxing Ghost and calling the cops on him, stuff like that. But not just that; Isaac was targeting other members of ETA, too, like finding out where one of them lived [00:15:00] and going and vandalizing his house. Isaac’s motives aren’t clear to me and I tried to message him but he never messaged me back. I’ve watched some of his streams and videos online and he does things that just don’t make sense to anyone. Like, he makes cringy internet prankster videos. It wasn’t just Isaac who was doing this; there were a few other people working with Isaac to do this, too. My guess is that they were just trying to cause chaos, maybe take over ETA or dissolve it somehow, or just flex in some weird internet way. I don’t know, but when Isaac was doxing and calling the cops on Ghost Exodus, this was really freaking him out.

G.EXODUS: When these things started to escalate, I really started to panic. I made the decision to risk everything and make a complaint with the Internet Crime and Complaint Center, hoping that they might involve themselves and try to put an end to what Isaac was doing. But they never followed through with it and because at this time I had a thirteen-month-old child and my wife at the time, she was stressing, I didn’t know how to stop this. What led to my crime was – my crime, in a nutshell, was my taking this circumstance into my own hands, taking the law into my own hands. What I thought of doing was infecting as many computers as possible in order to launch this botnet attack against some of the websites that these guys were using as a platform to communicate, to collaborate, as a means to send a message to try to show them hey, back off.

JACK: Now, at the time, Ghost Exodus was working as an overnight security guard in the Carrell Clinic in Dallas, Texas. This place is huge. It looks like a hospital; it has six stories and it’s a big building. But it closes down at night, so there’s no patients in the building overnight or anyone except security. This is a clinic that treats spine, shoulder, knee, and ankle injuries. Ghost Exodus was the night security guard for this building. [MUSIC] He would walk the grounds and make sure the doors are locked and no vandalism was occurring. He would often sit in the front lobby of the building where he could watch the security cameras for the entire clinic.

G.EXODUS: Now, where I worked in the foyer, in the entrance at the Carrell Clinic, they had a wireless access point that was really, really weak. At nighttime, that was the time when I did my studying. That’s when I did my hacking, and that’s the time I used to really direct my crew. But the access point was so weak, it would always drop my connections.

JACK: So, he started hunting and poking in the network, looking for a computer that had a more reliable internet connection.

G.EXODUS: I ended up finding this computer which turned out to be a server.

JACK: This server he got access to controlled the heating, ventilation, and cooling for the whole building.

G.EXODUS: It ran the SCADA software used to control the heating, ventilating, and air conditioning system for the Carrell Clinic. But the idea was, I’m gonna use this computer, I’m gonna install LogMeIn so I can access it remotely from my laptop at my guard station. But the firewall was blocking the incoming connection and instead of reconfiguring LogMeIn – excuse me, reconfiguring TeamViewer, I decided to use the browser-based LogMeIn.

JACK: With that, he was able to establish a persistent remote connection to this HVAC server.

G.EXODUS: Basically, I used it for chatting on AOL Instant Messenger, using it for MySpace, and I used it to buy card magnets off of Vistaprint.

JACK: Definitely against the rules of what he should be doing as a security guard. But I’m not sure if it’s against the law. Now, sitting there in a large medical clinic all night long, he started to realize how many computers are in this building. At the same time, he’s fascinated with botnets and is trying to build one himself, [MUSIC] so he gets the idea to try to get some of the computers in this clinic to join his botnet. All he would need to do is execute one tiny program on that computer and this would make it join his botnet. So, during his night patrol, he would wander the halls and look for potential computers he could exploit. But each computer he came across was locked, password protected. Unless you were a nurse or a doctor, you would not be able to unlock it. He looked up how he could get into a locked computer and found a tool called Ophcrack. See, Windows stores your password as a hash. Windows creates the hash when you set the password by running it through a special algorithm.

But a hash only works in one direction; you can’t take a hash and convert it back to a password. So, whenever you enter [00:20:00] your password, Windows runs it through that same hashing algorithm and if the resulting hash matches that hash from when you created the password, then Windows knows you entered a matching password. Ophcrack looks at the hashes stored in Windows and tries to find a password that matches that hash. It’s sort of a brute-force password-cracking method because it’s gonna look at millions of hashes to try to find one that matches the one in Windows. Basically, Ophcrack is a way to find passwords for Windows computers. But what’s more is that you could put an Ophcrack CD in a computer and boot to it and it’ll try to search through the hashes in Windows to find a matching password to it.

Ghost Exodus loaded Ophcrack on a CD and his botnet on a USB drive and he made his rounds through the clinic, looking for a computer to sit down and use. He would put the Ophcrack CD in the tray, reboot the computer, wait for Ophcrack to find a password, then he’d write that password down, take the CD out, reboot the computer, and now he has the password to log in with. Once he’s in, he’d pop the USB drive into the computer and run the malware to join this computer to his botnet. From there, he’d take the USB drive out, lock the computer, and walk away. He did it. It worked. He had a new node on his botnet so he went and did it again. But while he was doing it again, he realized this could be a good motivator for some of the other people in his hacking group to do this, too. He brought a little laptop with him to work, turned on the webcam for it, and made a video.

G.EXODUS: Hey, what’s up, everybody? [JAMES BOND MUSIC] It’s Ghost Exodus. You’re on a mission with me; infiltration.

JACK: His video has this James Bond music in it and he’s got a hoodie on. He’s walking around the building, looking over his shoulder, acting super suspicious, like a spy.

G.EXODUS: What we gotta do is we gotta drop a botnet. Oh my gosh, what an audacious bastard.

JACK: He’s claiming it’s an office he broke into but you and I know this was the clinic where he worked as a security guard.

G.EXODUS: I actually purposely avoid that video because it makes me really embarrassed. It’s a propaganda video that was aimed at some of the younger generations, some of the younger hackers ‘cause they’re so easily impressionable. I was trying to make this video to inspire them to emulate the things that I was showing in the video, ‘cause I wanted them to spread our bots.

JACK: He shows a key card that has the word ‘security’ written on it with a marker.

G.EXODUS: I tell my viewers that this was a key card that I’ve swiped. In other words, I want them to believe that I stole it.

JACK: He holds up a CD for the camera. It says Ophcrack on it and he holds up a USB drive which he says has the botnet on it. He goes up the elevator, walks the halls, uses his key card to get into places, finds a desk, and sits down. It’s actually a nurse’s station but the video just seems like it’s a typical office. He starts typing stuff on the keyboard but then he stops and puts on latex gloves.

G.EXODUS: Yeah, you know, what’s funny is I already start touching the computer before I put on the gloves. All of that was just, yeah, tricks.

JACK: He gets into the computer using Ophcrack, then plugs the USB stick into it and begins copying files over to the computer. You can see all this on the video. The botnet he was using was called Rxbot. It’s an open-source botnet made in C++ that anyone can just download and use.

G.EXODUS: We had done our research of what antivirus software would detect the Rxbot. On some of these systems, you might actually – I don’t know if it’s in the video but they had McAfee Antivirus, so I was disabling it.

JACK: He disabled the antivirus and ran the program to join this computer to the botnet. The script runs, then deletes itself. Job’s done.

G.EXODUS: There it goes. It’s melted. That’s all I needed.

JACK: Now, he was building this botnet so he could wage a denial-of-service attack on Isaac on July 4th which was about a month away. He released this video on YouTube to get other people to be inspired to do similar acts to build up his botnet. What is the reaction from people when you dropped this video?

G.EXODUS: It was mixed. There were some who had the right mind to tell me, you know, Ghost, I don’t think this is a good idea. Ghost, I think this is gonna backfire. I’m like no, no, it’s not gonna backfire. I’ve never been caught, I’m never gonna get caught. I’m too careful. Then there was other people, those to who it was catered for. They’re just like oh, you’re such a badass, oh, you’re so cool. Where can we get this botnet? That’s what [00:25:00] drove me, is that type of reaction. I wanted it to be controversial. I didn’t want it to just always go my way. That was my objective, to be controversial and to really just create this persona of controversy. I certainly did that to a T.

JACK: Ghost Exodus would eventually install this botnet on fourteen computers within the medical clinic. Then once they were installed, he would go back to the lobby where he would normally sit to do his job, and he would open up his tiny laptop. From the security desk, he would tell his botnet to attack, [MUSIC] flooding the target computer with so many packets that it would take the target offline.

G.EXODUS: I tested out the bots, the botnet pool that we had accumulated back in June of 2009 during the Iranian presidential elections, OpIran. I used these bots in OpIran and in response to the death of Neda Agha-Soltan, that peaceful women’s rights protester who was murdered. It didn’t cause any significant damage to the systems. I had actually used the bot several times from there. But yeah, after we had – after I had installed them, yeah, we had tested them out. On several occasions, I attacked 94chan with them. But I especially used them, like I said, in OpIran.

JACK: When he would have his botnet all put together and enter a target victim and hit launch and see his target go down, this was the feeling of winning.

G.EXODUS: It’s euphoria. It’s like winning the lottery. Whatever chemicals are secreted by the brain whenever you’re gambling, that’s the same feeling. That’s the same chemical reaction that is going on in my mind that just keeps me pathologically doing it over and over and over. It’s this great gratification that’s like, if you’re not gratifying yourself in this fashion, then you’re not relevant, basically. I don’t know, it was a feeling of relevance, of the utmost relevance.

JACK: I mean, you can’t be thinking that this is gonna play out right.

G.EXODUS: You know, in some of my – I kept an online journal, okay, on vampirefreaks.com. This was a feeling I had on the forefront of my mind at the time, that I believe I’m going to be arrested. I knew that time was coming.

JACK: After the break, we’ll find out if Ghost Exodus’ premonition comes true. At this point, Ghost Exodus was posting screenshots of this HVAC computer that he hacked into in the clinic. He didn’t say where this HVAC computer was that he accessed; he just wanted to flex a little and get some street cred that he hacked into a computer and this one happened to control the heating and cooling of a building.

G.EXODUS: There was a new recruit in the ETA who went by the moniker Immortal. He had taken the screenshots of the HVAC SCADA software that I had taken and posted it on a security blog that was seen by Wesley McGrew.

WESLEY: My name is Wesley McGrew. That was 2009. At that time, I was a research associate at Mississippi State University where I was working on a PhD dissertation [00:30:00] on control – industrial control systems and SCADA security. There was a tie-in with that and that’s partially how I got involved with it.

JACK: Now, Wesley, being a smart student, had a blog where he was just writing stories about information security.

WESLEY: Called mcgrewsecurity.com.

JACK: Sometimes hackers would write to him and call out other hackers or brag about what they did, or just send him weird stuff to see if he would post it.

WESLEY: Another member of the group, he went by the name Immortal, got in touch with me and was in touch with me for a good period of time apparently just to brag about different things to see if I would write about them.

JACK: Immortal was claiming to be part of the Electronik Tribulation Army and was boasting about what he had done and wanted Wesley to write about it. I guess Immortal wanted to be famous.

WESLEY: I was in touch with Immortal over a period of I don’t even know how long. He would message me various things. The most memorable one of which being – around about that time, there was a North Korean missile test and he had it in his head that he wanted to hack North Korea; this being very difficult due to their limited attack surface. But he thought he’d done it. He thought he had found a target for his attacks. He showed it to me via MSN Messenger or AOL Instant Messenger or whatever it was at the time. I had to let him know that hey, this is a South Korean site. He didn’t know the difference between North and South Korea so that sort of sets the stage there for Immortal. Later on, and probably a few weeks after that, he was aware either from my site or from something that I had published that I was interested in industrial security systems and SCADA security. So, he sent me some screenshots of a system that he had claimed to have hacked. It was screenshots of an HVAC system at a hospital.

JACK: Wesley was writing his PhD thesis on the security of industrial control systems so this really interested him. He began investigating it further.

WESLEY: [MUSIC] At that point, all I had was a set of PNG or JPEG screenshots that he had sent me, static screenshots. What I saw in those was sort of a – the human-machine interface of this SCADA system showing operating rooms, showing the heating, ventilation, and air conditioning, chillers for medicines and medical equipment and implants and things like that, that sort of stuff. That piqued my interest right there and I wanted to find out more about it but not through talking to Immortal. I started doing image searches and open-source intelligence based off the pictures that I was seeing in these HMI screenshots. I was able to identify this being the Carrell Clinic. I’ve never physically been there but there are other facilities connected to it that used the same HVAC system. I was also able to find a forum post on a hacker forum where Ghost Exodus had posted these screenshots saying that he had hacked into these things.

JACK: While it was a thrill for Ghost Exodus to launch a DDoS attack on his targets, it was also a thrill for Wesley to try to track down who Ghost Exodus was.

WESLEY: It’s very exciting, right? I mean, I don’t think anybody – I tell folks even now, I don’t do anything I don’t enjoy. Back then, we worked for the forensics training center and loved investigating things, loved doing computer forensics, loved doing the open-source science; still love doing the open-source intelligence thing. Yeah, it was very exciting and interesting to do that sort of stuff.

JACK: So much fun that it practically consumed Wesley.

WESLEY: From there, I wanted to [MUSIC] find out as much about Ghost Exodus as I could. That being a Thursday, I spent the rest through that weekend amount of time, so, three, four days, gathering as much as I could through open-source intelligence, through searches and various – anything I could to put together what wound up being two burned DVD-fulls of information about Ghost Exodus, who I didn’t even know. Despite finding all this about him, despite finding eight gigs worth of information, I didn’t know his name. I knew that he was a security guard at that hospital. I had the videos from YouTube of him putting malware onto the nurses’ station computer. I had other videos that he had recorded while he was at work, [00:35:00] just gigs and gigs of stuff about him. That following Monday, we contacted the Jackson, Mississippi FBI and handed that information over.

JACK: Now, the FBI likes handling bigger cases than this; threats against the country or civilians or crimes over one million dollars in damage, but the evidence that Wesley collected made it real easy for the FBI to follow up on. Like, Ghost Exodus had a YouTube video of him breaking into office buildings. I mean, come on, if a hacker’s gonna post videos like that and show their face and everything, they’re definitely asking for a knock on the door, right? But also, the way Wesley framed it to the feds made it seem pretty important.

WESLEY: Right, well, I think this is a little bit different than a website defacement or some active hacktivism in that, from all the information and it’s visible about this, it’s a healthcare facility, right? It’s patient information. People’s personal healthcare records are sensitive and there’s a potential for that to be exposed here or to be accessed in some unauthorized way. The HVAC system, the controls on that, had the potential to spoil medicines, to cause them to have to re-sterilize equipment, to cause them to have to throw away implants that had gone above or below acceptable temperatures, things like that. There’s an impact of this to the victim organization. I did not see this as an act of activism that had any particularly positive result. That sort of factors into the decision to report this. You report it because it’s a crime and it seems to have – it’ll have a [MUSIC] potential real impact on organizations and individuals.

JACK: The FBI took Wesley’s report and got to work. They did some Google searches and found Ghost Exodus’ Gmail address. From there, they searched for his Gmail address and found a Craigslist post that Ghost Exodus made which had his resume on it but not Ghost Exodus’ real name. They contacted the security companies on his resume and then cross-referenced it with the security guards working for the Carrell Clinic. Just like that, they had the name of their suspect. Ghost Exodus was Jesse McGraw. The FBI created an indictment for Jesse McGraw and got a warrant for his arrest. [MUSIC POWERS DOWN]

G.EXODUS: It’s Friday evening at 11:00 p.m. on June 26, 2009. One of the things I used to do was drive around the clinic just to make sure nobody was breaking into the underground parking garage. I see this van and I’m thinking, ah, that’s gotta be the cleaning crew’s van. I don’t think much of it. [MUSIC] It’s my last night and I’m training a new employee who has never worked a shift a day in his life. It’s my last night because I’m also about to start my new job at Global Data Guard as an entry-level network security analyst. I’m driving around, I park, I go inside. I meet the new employee and suddenly, out of nowhere, I’m surrounded by about three FBI agents and two, I don’t know, state police or senior police officers just shouting ‘where’s the gun? Where’s the gun? Where’s the gun?’ I’m like, I lock up. I don’t even know what’s going on. I still reel from that night. I’m like, what gun?

They’re like, the one from your video. I’m like, which video? Now, we’re having a shouting match ‘cause we’re trying to figure this out. They’re like, the one from your MySpace! I’m like, which MySpace? He pulls up his phone and looks. I was like oh, that’s fake. Besides, I can’t carry a gun here anyways. He was like, are you Jesse McGraw? I’m like, yes. He’s like, are you Ghost Exodus? I’m like, maybe. I can’t remember what it was but I think that’s what I said. But anyways, what I’m gonna tell you is being raided by the FBI, there’s nothing quite like it. There’s a level of sheer terror that they use [00:40:00] to immobilize people that they’re putting under arrest and to get them to cooperate, to get them to confess. Just being swarmed like that, I still look over my shoulder to this very day. Even though I know that that type of thinking is irrational, I still get those feelings. It pretty much ended very quickly. They take me down to the station and then they interview me.

I’ve never been arrested before. He says, if you confess to everything that you’ve done here, then maybe the judge will go easy on you. Here’s a paper and pen; I know you’re a good writer. I’m thinking, maybe if I confess to what I’ve done, I can go home. I didn’t know that I would be incriminating myself. This is what really sealed my fate. There was no way I could fight this case after I had self-incriminated. You know, a lot of people think that once you’ve been arrested by law enforcement or the FBI or the Secret Service, that they’ve been watching you, they know everything about you, but that is not true. ‘Cause if they knew, then they would not need you to confess. That’s something that I had learned years later, was that one of the tactics that law enforcement use other than fear is to convince you that things are gonna go lenient, things are gonna go and work in your favor as long as you confess. But by self-incriminating, you’re basically handing them – you’re basically signing your life away. I just didn’t see it at the time.

JACK: So, you fessed up.

G.EXODUS: I confessed to everything that I had done in relation with the Carrell Clinic. The one thing I didn’t do, and this is pretty well-known, is that I did not give up my friends.

JACK: The police didn’t let him go home that day. They just put him right in jail.

G.EXODUS: I’m transferred to Seagoville Jail where I remained for two years as I’m fighting my case. My first week in jail, I was just so terrified. I didn’t shower for a week. I didn’t eat, hardly. I actually had my cell mate bring me food for a while.

JACK: Now, once news spread of his arrest, Wesley blogged about this case, claiming he was the one who called the FBI on Ghost Exodus. As you can imagine, this had some consequences for Wesley.

WESLEY: I had sex toys mailed to me, I had lots of phone calls. I have just gigs and gigs of crap here on my computer of logs of them talking about coming to my house and kidnapping me, and just various attacks. Overall, more bluster than anything. I don’t know that I ever felt personally, physically threatened by any of them but there was a lot of talk and a lot of harassment from other members of McGraw’s hacker group, the Electronik Tribulation Army. Various members of that group would try to attack my website, denial-of-service attacks. One of them, he went by the handle Fixer, he was the main bad actor along those lines, along the harassment lines. Eventually, he pled guilty to charges of CFA, Computer Fraud and Abuse Act, for denial-of-service attacks against my website in order to – as part of an agreement to have charges against him dropped for witness intimidation. He was the main bad actor on that.

JACK: When you’re posting it publicly, did you kind of expect something like that?

WESLEY: You know, I really didn’t know what to expect one way or the other. Obviously, that’s the sort of thing that can happen. You would think that with the leader of your hacking crew, such as it is, being arrested and having given the feds all of the information about all the members of the crew, you’d think they’d be on their best behavior and wouldn’t want any additional bad attention, but there you go.

JACK: [MUSIC] Ghost Exodus’ court case dragged on and on. You might wonder why there would be such a lengthy trial considering he had already confessed to hacking the clinic. Well, they were trying to pin extra things on him. [00:45:00] Like, the cops were saying he hacked into NASA but he was saying he didn’t do that. They wanted him to turn in other members of ETA so he could get less time. But he wasn’t gonna turn anyone else in. This went on for two years before his sentencing and that whole time, he was in jail. On March 17th, 2011 is your sentencing.


JACK: What did they give you?

G.EXODUS: 110 months which equals nine years.

JACK: Nine years for two counts? One was hacking into that HVAC server and the other was installing malicious code on the nurses’ stations. But remember; he only got into that HVAC computer because his WiFi was spotty and he wanted to browse the internet faster, not because he did anything bad to the HVAC system. I mean, okay, yes, he did; he wasn’t supposed to install remote-control software on that server and he wasn’t even supposed to access that system and he did that, but he did it only to chat online and to shop, not to be malicious and attack the clinic or anything else. You could compare this to him breaking into an office that he shouldn’t have gone in just to watch TV or something. But he was charged as if he stole stuff, caused damage or ruined something. It’s just odd here that his intent had nothing to do with his sentence. The court was harsh on him because this was a medical clinic.

Because what kind of jerk hacks into a medical clinic, right? The court showed how he had access to patient records and private info but he insisted he never took any of that or looked at any private info at all, and he just used these computers to wage a denial-of-service attack on other computers. Nine years seems like an awfully long time. But I think the court didn’t recognize or understand the intent and use of these computers. They simply saw that someone hacked into a bunch of computers at a medical clinic and this seemed to cloud their judgement of what that meant. I mean, people who are convicted of manslaughter often serve less than nine years. Not that I think Ghost Exodus should go without punishment, but nine years? Really? That just seems extra-harsh. So, he went to prison for a long, long time. Spending that long of a time in prison can really mess you up.

G.EXODUS: Whenever you spend a long time in prison, you get used to the environment. It becomes a part of you, a part of your psyche. You’re controlled on a minute-to-minute, day-to-day, hour-to-hour basis. You become accustomed to violence. You become accustomed to all types of things that are only exclusive if you’ve ever been a prisoner.

JACK: At some point, he somehow sneakily borrowed a computer to contact his lawyer while he was in prison. When he was caught doing this, they threw him in the SHU, [MUSIC] solitary confinement, where he had almost no interaction with other people, very little activity, and it’s extra strict. He stayed a whole year in the SHU. This affected him physically and psychologically. Fluids began collecting in his lungs and he began to lose weight and became very frail. He describes this experience as torture. But after thirteen months, he got out of the SHU and was able to serve normal prison time. After seven and a half years in prison, they let him out on good behavior. When he got out, he was able to connect with his wife but he was a different person now. She was a different person, too.

G.EXODUS: My family was very worried that I was playing them, like I hadn’t really changed at all. Any time I sat down at a computer my wife immediately began to panic ‘cause she thought I was hacking. If I said I wasn’t, she thought I was lying. These are things she was revisiting because that’s how we used to be over a decade ago. In her mind, I’m still playing the same games; I’m still playing them. But I wasn’t. While I was on home confinement, while serving home confinement through a halfway house, she’s so afraid that I’m doing this again that she kicks me out of the house, threatens to call the FBI to search my laptop. I now realized I’m in a dangerous situation. I’m financially co-dependent. I have nowhere to go.

JACK: At the same time, he had a friend who wanted to go to Nigeria to visit some friends and ultimately end up in Israel which would be quite the adventure. Ghost Exodus knew this guy and thought ‘this guy is not gonna be able to make this kind of trip on his own.’

G.EXODUS: He was just a mama’s boy, a Cosmopolitan-type of kid, very preppy. He’d never had any – doesn’t have any street [00:50:00] smarts.

JACK: The combination of Ghost Exodus needing a place to go and being afraid of the FBI, and this guy wanting to leave the country, go to Nigeria, Ghost decides to go to Nigeria with him.

G.EXODUS: [MUSIC] That’s one of the things that I picked up in prison, is this need to escape ‘cause you spend years ruminating on leaving. The environment is so depressing, so stressful, you constantly just daydream and fantasize about escaping. When you leave prison, sometimes you find yourself in that same feeling because you haven’t fully acclimated back to society yet. I kind of carried that over when I was released. The extremity of those thoughts or those actions were based on thoughts I had originally had while incarcerated. What I ended up doing is I started doing research on cargo ships. I come to find out leaving the country by cargo ships is the easiest way to come in and go undetected.

I ended up getting this commercial marine tracking software. I end up finding a ship that just so happens to disable its automatic identification system. Usually when ships disable the AIS system, it’s because they’re engaged in some type of illegal trafficking activity in international waters. I’m tracking this ship; [MUSIC] I hop on a plane, go to Florida, and I amazingly manage to slip past border patrol and customs agents to actually get to this ship without a ticket, without being authorized with a passport, a ticket, and a shuttle. We go up there and I pose as an Israeli-American. I explain to him that I am an ivory dealer and that I want them to take me to Nigeria, to take me to Nigeria because my main goal was to try to start over in Israel and I was afraid that customs would turn me back.

JACK: Now, I should point out here that when he flew from Texas to Miami, he violated his probation and wasn’t allowed to leave the state. But at this point, he’s standing at the docks with his traveling partner, talking to the captain, trying to get on this ship.

G.EXODUS: I managed to get on the ship. This ship was very interesting because this company is one of the biggest cargo shipping companies in the world but they’re also one of the dirtiest. This is why we specifically selected this as our means to leave the country, because they don’t have much of a conscience. They’ve been busted several times trafficking weapons to Russia, a disassembled tank to North Korea, and ivory to Florida. It’s like, you know what? This is the shipping company we need. We get on board and I explain to them, look, I know that you’re disabling your AIS system. I know you won’t really have a big problem taking us to Nigeria but here’s the deal; I’m into ivory, I know that you’re into ivory. You want to make a buck? Take us to Nigeria.

JACK: The captain said, you’re gonna have to pay if you want a ride, you know. So, the captain gave them a price. They tried to haggle this down but they just couldn’t get the price down to an amount that they could actually pay, so they didn’t get a ride out of there. They waited in Miami for the next ship to arrive, hoping that they might find a better rate. But by that time, his travel partner had called his mom and told her what they were doing. His mom thought it was Ghost Exodus’ idea to leave the country, so she called the police on Ghost Exodus. The police saw this was a violation of his probation to leave the state, so they issued a warrant for his arrest and went down to the docks and arrested him there.

G.EXODUS: When I was leaving prison the second time, I had nowhere to go. I had basically burned every bridge I had and I still had probation to serve; three years. In my mind, I was thinking you know what? I’ve been locked up for so long, I’m constantly worried. I’ve never really decompressed from this experience. Even in society, I felt like I’m still locked up. I still feel that way. [00:55:00] Having nowhere to go, I just said you know what? Screw this. I’m just gonna go on the run. When they pick me up, they’ll pick me up. During that time, I lived in Cedar Hill State Park.

JACK: He was actually living in a forest, homeless at the time.

G.EXODUS: My wife notified my mother. My mother was the one who notified my probation officer who called park authorities. They actually freaking sent a drone to come and try to find me. Can you believe that? I’ve never seen that before. I’ve never heard that type of whine that those drones make before. The thought of it just scared the living daylight out of me. They did this for the better part of about a week looking for me, but they never found me. But then I found myself on a Greyhound bus going to Onalaska, Texas which is by Goodrich in Lake Livingston and I stayed there for about five months, living in the forest. On my way back is when I got picked up.

JACK: ‘Cause of a traffic stop or something?

G.EXODUS: Exactly.

JACK: He was given two more years of prison time for this but this time when he would get out, he would have no probation. The judge saw that he couldn’t serve his probation so he just said, you’re gonna have to stay in prison until all your time is served. But after about a year and a half, they let him go on good behavior which means now, in 2020, he’s finally free; no probation, no more prison time. He can use electronics if he wants and he could focus on rebuilding his life. He’s currently a fry cook since he doesn’t have a car, and needs to find a job within walking distance. In total, he served nine years and eight months in prison all because he installed software on some computers he wasn’t supposed to in the very building he was supposed to be protecting from threats. As for what he plans to do next, he tells me he thinks the forensic examiner on his case was not very good and was one of the reasons he got such a long incarceration, so he’d like to study digital forensics because he doesn’t want an incompetent forensics examiner to ruin anyone else’s life.

(OUTRO): [OUTRO MUSIC] A big thank you to Jesse McGraw, Ghost Exodus, for coming on the show and sharing your story. Stay safe out there and good luck in your future. Also, thanks to Wesley McGrew for coming on and telling us your story. Wesley has finished his PhD in Computer Science and is now a director at cyber operations for a cyber-security company. If you’re all caught-up on Darknet Diaries episodes and want more, you’re in luck; there are now six bonus episodes for Patreon subscribers. By supporting the show through Patreon, it tells me that this show brings value to you. It also shows a new ethic in supporting something you appreciate, so please visit patreon.com/darknetdiaries to unlock bonus episodes in an ad-free feed. Thank you very much. This show is made by me, the local ghost, Jack Rhysider. Original music and sound design was done by the quick blade Andrew Meriwether, editing help this episode by the mega-biter Damienne, and our theme music is by the bz-bz-beep-beep-bloop-boop Breakmaster Cylinder. Even though there’s some CEOs somewhere out there that are now just figuring out what blockchain is and think it’s a cutting-edge technology when actually it’s ten years old now, this is Darknet Diaries.



Transcription performed by LeahTranscribes