Transcription performed by Leah Hervoly www.leahtranscribes.com
[START OF RECORDING]
JACK: Poker is such an interesting game. Cards get dealt, money gets bet, and the winner is not the person with the best hand; it’s the person who plays the best. The game is to play the person, not the cards. In fact, some of the top poker players don’t even consider it gambling. Here, take this clip from the movie Rounders, for example.
MIKE: Why does this still seem like gambling to you? I mean, why do you think the same five guys make it to the final table at the World Series of Poker every single year? What are they, the luckiest guys in Las Vegas? It’s a skill game, Joe.
JACK: It’s a good point, right? There is a lot of skill in poker and with the right playstyle, you could do pretty well because when you play poker, you’re playing against another person, not against a casino or some machine. There’s another person sitting on the other end of the table and it’s you versus them. Can you make them believe you have a good hand when you don’t? Or can you call them out when they’re bluffing? Being able to read the person is critical. [MUSIC] But then there’s online poker, places that let you gamble for real money against real players on a computer. But it’s a lot harder to read the player when you can’t see them. When there’s a lot of money involved with something like this, people will go to extraordinary lengths to try to get an edge. Take the story of Darren Woods.
In 2011, he won a World Series of Poker bracelet and he enjoyed playing online poker a lot, but his win rate on the online games was really high. The online poker community watched him play and meticulously took notes. They determined Darren had to have been cheating because he was winning some very strange hands. But how? Well, as it turned out, Darren had set up fifty different accounts at this online poker site and was playing multiple accounts at once. Basically, he could in fact see some of the other cards dealt on the table, since he controlled multiple seats on the table. How does this give you an advantage, you might ask?
Well, we know there are four Aces in a deck of cards and if he had one Ace in his hand and there were two Aces on the board, and that last Ace was in one of his other player’s hands, then he knew for a fact his real opponents did not have another Ace. This is a small edge that he had on his opponents but it was enough for him to win pretty big. With the help of players reporting this, the poker website figured out what he was doing, banned him, and called the cops. Darren pled guilty to some of his charges and ended up being sentenced to fifteen months in prison over this. I say all this because I want to tell you about how someone tried to cheat at high stakes online poker.
(INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet. I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS]
JACK: There’s this poker player who lives in Finland named Jens Kyllönen, and for the last fifteen years or so, he’s been raking it in. He started playing poker with his friends back when he was a kid. Here’s an old interview of him of how he got started.
JENS: I started with friends like, seventeen years old, I think. Just read some books and slowly started. In a year, I already played pretty high, like 5/10 No-Limit Hold’em, 10/20, and just pretty quickly – it’s always been a pretty quick move upwards. I played a free roll. I think I cashed in a free roll and from that I started just grinding, grinding my way up.
JACK: [MUSIC] Grinding his way up he did. He was a really good poker player. He was getting [00:05:00] better and better at poker and playing bigger and bigger pots, and making pretty good money from it. In 2009, he played in the European poker tournament and took first place in the No-Limit Texas Hold’em event. The prize was 1.1 million US dollars. Around this time, Jens began playing a lot of high stakes online poker but still played in in-person tournaments, too. Here’s a clip of him getting into a tournament in 2012 which had a one million dollar buy-in.
HOST1: The youngest player in the field, twenty-two-year-old Jens Kyllönen, decided to put up the entire million himself.
JENS: I mean, I argued it’s more as kind of a gamble. It’s not how I normally would play, like with micromanagement anyway. It’s sort of like, I could either buy something nice like a nice car or a house or play this tournament. I just feel like I’m gonna get more out of playing this tournament than doing one of those other stuff.
JACK: Wow, the fact that he could afford to put a million of his own dollars on the line for this tournament; he’s obviously doing pretty good to afford that. From what I could tell, I think he lost it all in that tournament. But that didn’t stop Jens from playing even higher stakes. Jens was really good at online poker at this point and would play in major online tournaments with millions of dollars as the grand prize. But then in 2013 came the European Poker Tournament in Barcelona, Spain.
HOST2: [MUSIC] The PokerStars.Com European Poker Tour has hit its tenth season and it’s back where it all began; Barcelona.
JACK: This tournament was held at the Arts Hotel in Barcelona. It’s a five-star luxury hotel which is right on the edge of the sea, too. The tournament was in one of the conference rooms and there’s a casino right next to it, too. This was a good-sized event. I looked at some video of it and I counted twenty full poker tables in the room during the tournament. Jens and his buddy Henri flew from Finland to Barcelona to participate in this tournament. They stayed in the same room together and I should quickly explain who Henri is. Henri lives in Finland, not far from where Jens lives, and they hang out at each other’s house sometimes and go on trips together. At one point, Henri and Jens took a two-month trip to South America. So, there’s a trusting bond between them.
On day two of the tournament, Jens busts. He loses all his chips. He’s out of the running. Jens walks away from the poker table, looks around, and decides to go up to his room and surf the internet on his laptop which was in his room. [MUSIC] He goes up the elevator to his floor. He gets his room key out. It’s a little magstripe hotel key card. He swipes it into the lock [SWIPE, NEGATIVE BEEP] but the lock doesn’t open. A red light flashes, indicating it’s not the right key. Huh. He tries again, and again, and again. He can’t get the key to open the door. He goes down to the front desk. They re-sync his room key for him and tell him go on up, try again. It should work now. He goes up to his room, tries the key, and it works. [SWIPE, DOOR UNLOCKS] The door opens; he goes in.
But as soon as he enters the room, he immediately notices something isn’t right. He knows exactly where he left his laptop that morning. It was on the desk. But his laptop was not there on the desk. His laptop charger was there, sitting in the exact spot where his laptop should have been, but no laptop. He looked around the room a little bit, but he couldn’t find the laptop anywhere in his room. Huh. He thought maybe Henri borrowed it or it was stolen. He goes down to the casino and finds Henri playing poker, and asks him. Henri says he hasn’t touched Jens’ laptop. But Henri says his room key wasn’t working that day, either. Huh, that is pretty strange. [MUSIC] Jens goes back up to the room to search for his laptop some more but when he gets in the room, he sees the laptop is right there on the desk, exactly where he left it earlier that day. What? His mind starts racing.
He’s questioning his sanity at this point. Was it really gone a minute ago? But he remembers clearly seeing the charger there on the table by itself without the laptop. Now, the laptop is there where the charger was. He remembers this clearly because it was just ten minutes ago. Jens starts to get scared. Someone had been in his room in the last ten minutes and they put his laptop in the exact place where he left it. He thinks the person might still be in the room right now, too, hiding in the bathroom or something. He darts out of there, gets into the elevator, goes down to reception, and talks with the guest relations supervisor, Leia. Leia listens to Jens’ story and does two things; first, she re-codes the lock on the door and re-codes both Henri and Jens’ hotel room keys.
She says this way, if someone did have a duplicate key, the duplicate key would no longer be active because the code is changed on [00:10:00] the door. Second, she tells them she’ll work with security to look at the hallway cameras for that time. [MUSIC] Jens goes back up to his room. He opens the laptop and turns it on, but something’s wrong. It boots to a black screen which says ‘Windows failed to start. A recent hardware or software change may be the cause. Do you want to repair or start normally?’ Huh? Jens’ computer was working fine up until this point. Now it’s showing an error? When he gets past that screen, it gives another warning. ‘Do you want to restore your computer?’ What? This is super strange. Something went on here and it’s freaking him out. He goes down to meet with Leia again, the hotel supervisor.
She tells him the cameras in that specific hallway, yeah, they haven’t been working for the last week, so they have no CCTV footage of whoever entered his room at that time. Leia doesn’t seem to be taking this matter seriously and says they’ll continue to investigate, but she doesn’t say how. Jens goes back up to his room. He swipes the room key card in the door, [SWIPE, NEGATIVE BEEP] and it’s not working again. No matter how many times he swipes or how he swipes, the door just doesn’t open. Huh? Jens runs back to reception, tells Leia. Leia re-syncs his card and then walks with him personally to his room to check on this lock. The card now opens the door just fine but as soon as they get in, Jens immediately sees that his laptop had gone missing again. [MUSIC] Jens is in complete shock. He doesn’t even know how to explain what’s happening.
Leia calls hotel security. They apologize and agree to upgrade his room to a suite which is two floors up. Jens decides to go downstairs and look for some friends, and he asks them if he can use their laptop. He immediately goes to all his online poker accounts and shuts them all down, thinking someone must be trying to hack his accounts. After that, he goes to talk with Leia again. She’s on the phone talking in Spanish. She asked Jens, can you describe your laptop? He says it’s a heavy Fujitsu Celsius laptop. She says it’s been found. It’s in the lobby. Security has it. She tells him to wait a minute. She goes and gets it, brings it back to him. At this point Jens is on the verge of a panic attack. Who keeps stealing his laptop? Why does his key card keep getting deactivated? Why did the laptop show up in the lobby? If a thief took it and panicked, why not throw it in the sea? He opens it up. It boots up just fine, but something is different.
Normally when it boots up, it’s password-protected and he has to enter his password to get in. But it’s no longer asking for the password and it’s just booting right up into Windows. Okay, so he definitely knows someone has hacked his computer. He takes the laptop to the poker tournament and starts telling their IT and security teams about this. Everyone there is pretty friendly and helpful. The poker tournament security team takes down all his information and begins to investigate. Jens and Henri go up to their new, upgraded suite and head to bed for the night, thinking there has to be some security camera footage somewhere of whoever did this. Now that two different security teams were looking into it, surely they’ll find out something by morning.
They both rest their heads down on their pillows for the night. But it’s hard to sleep. I mean, the day started with losing the tournament and ended with them getting their room broken into at least three times and his laptop hacked. When that happens to you, you can’t relax. The computer feels defiled and gross, and your sense of security is eroded. At this point of the story, I’m now wondering how can someone even get in their room like that? I have a few theories. [MUSIC] First, you might be thinking that someone might’ve just brushed up against them in the lobby and cloned his card. Yeah, I don’t think so. That typically works for RFID-type cards. This was a magstripe card so in order to clone it, you would have to swipe the card through a machine.
I guess it’s possible someone pickpocketed him, cloned the card, and then put it back in his pocket, but it just seems unlikely that that would happen twice in one day. But then you also have the problem of making both guest room keys invalid. How’s that happening? Well, because this is a magstripe card, it’s possible that a powerful magnet can be put next to or under the lock, and so when a card gets near the lock, the magnet screws up the data on the magstripe and ruins it. There are two types of magstripe; LoCo and HiCo. This is low-coercivity and high-coercivity which pretty much means how well the magstripe will retain data on the card. Like, your credit card isn’t going to be reprogrammed anytime soon, so it needs to hold the data on there for years. So, it uses HiCo.
But a hotel room key will have its data rewritten many times, maybe once a day, [00:15:00] so it uses LoCo. Because it uses LoCo, it’s easy for a magnet to screw up the card. If someone wanted to go in that room but did not want anyone coming in while they were there, they could put a magnet on the door which would ruin whatever card was swiped and stop them from entering. This would alert whoever’s in the room and also buy them a couple minutes to get out. As they’re leaving, they could remove the magnet from the lock and walk away. Okay, so that’s a good theory on how the cards got ruined. But still, how did someone get the key to get in? Maybe it was plucked from a cleaning cart or maybe someone went to the front lobby and posed as Jens, saying my key doesn’t work in my room. Can you reset it for me? Then they give Jens’ room number.
Would the front desk check the ID before issuing a card to a guest like this? Is it possible to social engineer the front desk person to do it without checking ID? Yeah, that is possible. But then, the camera didn’t work in that specific hallway. Did someone know that and that’s why this room was targeted? Perhaps this was an inside job. Someone who worked at the hotel knew those cameras didn’t work and had access to reprogrammed key cards, they could certainly be in on this. This is the type of stuff that raced through Jens’ mind all night long as he tried to sleep. [MUSIC] [PHONE RINGS] 5:30 in the morning. Hello? Your taxi is ready. What taxi? The taxi to the airport. With whose name? No name; just the room number. Jens tells the person on the phone they didn’t order a taxi, and that person hung up. Was this a wrong number?
A mind game of some kind? How strange. Jens lays awake for an hour thinking about this, but eventually falls back asleep. [PHONE RINGS] 9:30 in the morning. Jens wakes up. Hello? Do you want to make business? What? Do you want to make business? Huh? About what? About the woman. No. Jens hangs up the phone. Two phone calls in one morning for the wrong number? Or was it the wrong number? Were these calls just some strange attempt at checking to see if somebody was in the room or verifying where Jens was staying? Jens has a meeting with hotel security at noon, so he gets ready and goes downstairs to meet with Leia. She has an older guy with her who is the head of hotel security. He doesn’t seem interested in helping, though.
He says well, look, we already upgraded your room to a suite and your laptop’s not missing now, and you said there’s nothing else missing, so there’s no problem, right? Jens can’t seem to explain to security the severity of this. Jens asked, how many cameras are broken in the hotel? The man says oh, only eight. Jens asked can you check the elevator cameras? The security guard says nah, there’s too many visitors and there’s too much footage to look through. Jens says, but we’ve narrowed it down to a ten-minute window. Security doesn’t seem interested in helping. They just want this problem to go away. His suspicion is growing that this might be an inside job. But before he leaves, security hands him a printout of the logs of what keycards opened his room for that previous day. It’s kind of hard to read and at this point, Jens is tilted.
He’s crushed. So, he just puts the logs in his pocket and walks away. Jens felt like this meeting went terribly and now there’s no chance of figuring out who went into his room. He goes to meet with the poker tournament security. Maybe they have found something. But the poker tournament security team were trying to say that Henri might have done all this. But Jens wasn’t buying it. If Henri wanted to do this, he would have done it at Jens’ house if he wanted to. Why do it here? It made no sense and there was no help from this security team, either. Jens was crushed. He was so confused why nobody was taking him seriously and conducting a major investigation about this. He was so worried that his hands and legs were shaking, and he felt like he was gonna vomit at any moment.
[MUSIC] He takes the room access logs out of his pocket and starts to look through it. It doesn’t make sense at first, but he studies it more. He’s able to connect some dots. It shows the exact time when the cleaning service came in, and the exact time when someone came to restock the mini-bar, and it also shows when each guest came in the room with the code from their key. This actually makes a perfect timeline of events. It shows when Jens and Henri visited the room and exactly when their cards stopped working. But in the logs, [00:20:00] it also showed there was a third guest key card that had opened the door. Just when Jens went downstairs to reception that first time to reprogram his card, someone with a third guest key card had entered the room exactly two minutes and forty-one seconds before Jens came in and found his laptop gone for the first time. Jeez, maybe they were hiding in the bathroom when he was in there.
Jens was getting even more scared after looking at this, and even more angry that the hotel security didn’t see the same log entry as alarming as he did. Either security couldn’t read their own logs or they didn’t care or they were trying to cover something up. Jens couldn’t take this anymore. He started packing his bags to get out of there. He was going back home to Finland. This was no place for him now, and as he was going through the lobby, he ran into another player that knew him. He told that player his laptop was just stolen, and that player said the same thing happened to him.
That player said the cameras were working on the floor where he was staying, so Jens took this player to hotel security and tried to explain look, the same thief who stole my laptop probably stole his laptop, and can you look at the cameras in that hallway? But security said oh, there’s nothing we can do right now, not until 8:00 a.m. tomorrow. Jens, all fed up, just left the hotel and left Barcelona, and flew back to Finland. Where does Jens go when he gets back home? Straight to Mikko.
MIKKO: My name is Mikko Hyppönen. I am the chief research officer for F-Secure Corporation which is a security company headquartered in Helsinki, Finland.
JACK: F-Secure is known for creating a pretty good antivirus tool and since it was right there in Finland, it made sense for Jens to bring his laptop to them for analysis.
MIKKO: Well, he contacted us. He was looking for somebody to go through his laptop because he was suspecting that it wasn’t just about stealing the laptop. Maybe somebody was trying to put something on the laptop, so he brought it into our labs. He parked in our parking place with his Audi R8 and brought the laptop into our lab.
JACK: [MUSIC] Mikko and his team took a look at the laptop. They scanned it and examined it for malware.
MIKKO: Yeah, it was infected. The reason why all of this happened was that somebody had manually installed a Java Runtime and a Java-based remote access toolkit which would basically send a screenshot to a remote address every time the attacker requested, and that basically means you see the poker cards another person is holding. If you know anything about poker, well, then you know that if I know your cards, I’m going to win.
JACK: A-ha. This was targeting Jens specifically, or at least a high-roller online poker player specifically. The malware would send screenshots of the laptop to someone who presumably would be at the same online poker table as Jens. How clever.
MIKKO: Yeah, it’s kind of interesting when you think about the amount of money at stake here. These high-rollers who play poker online who are – who have been playing poker online for years, the potential of money you can steal from a player like this is hundreds of thousands of dollars or even millions of dollars. We’ve found several cases like this. It’s not always about a physical break-in. We had one high-roller we were working with, a famous poker player, who actually had been infected for almost a year. The reason why he started suspecting that there’s something weird was that he was keeping very close statistics about his winnings. Historically, he was making roughly the same rate of winnings in the real world, on real poker tables, and in the online poker tables. Then suddenly it started looking different and he was always losing in the long run. He was losing in the online games and he couldn’t figure it out.
Eventually, he started suspecting that there’s something wrong with the laptop. He brought the laptop to us. We analyzed the laptop and yes, there was this tool for calculating pot odds which contained, again, a remote access Trojan. We discussed how did he get this tool on his laptop? He had installed it by himself. Why did you install this tool? Well, it was recommended to me by someone he plays against regularly in online tables. That someone had set everything up from the beginning; had this Trojanized pot odds calculator created, had it posted online on a download site, then just waited until a high-roller he would know would be downloading and installing it. The attacker was so clever because he wasn’t just immediately starting to wait for big hands and go all-in and steal the money.
He was [00:25:00] carefully and slowly using this in online games for twelve months without – until it was – people started suspecting that something is wrong. He was able to make hundreds of thousands of dollars with this ongoing scam. This is a great lesson also for people who do important things with their computers. If you are a poker player and you use a laptop where hundreds of thousands of dollars go through the laptop, well, you should be keeping very safe – very close tabs on that laptop. You don’t install random junk on it. You don’t play Doom on it. You don’t watch porn on it. If you’re not with the laptop, you put the laptop in a safe. These guys are millionaires. If you want to do something else, buy another laptop. But this laptop is your tool and as a professional, you don’t fuck around with your tools. You keep good care of your tools. That’s what I told him, and I believe he believed me.
JACK: But I can’t imagine a skilled high-roller poker player being able to write malware and then distribute that malware and get it going. There had to be another person involved to do that.
MIKKO: That’s correct, that’s correct. These guys had outsourced the development of the malware to third parties. Basically, they were going to online programming sites for freelancers and had someone to write these programs for them.
JACK: Mikko and his team at F-Secure, being the curious researchers they are, they began trying to figure out who was behind this.
MIKKO: [MUSIC] Obviously, most malware writers don’t want to be caught, so they don’t leave clues about themselves within the virus code. But one of the most typical ways we have been able to figure out who’s involved with a piece of malware is WHOIS records.
JACK: A WHOIS record is a public record of who owns a domain name. Every domain name in the world is registered by someone, and sometimes whoever registered it has their information printed right there on it. Mikko checked the malware to see if any custom domains were used, and looked up the WHOIS record for those domains. But typically, cyber-criminals will register domains anonymously so you can’t see who owns it. But there are more techniques you can use; historical WHOIS records. Maybe at first, they didn’t register it anonymously and then switched to be anonymous at some point. Mikko and the team at F-Secure kept looking at the malware for clues. When Jens was in Barcelona, he wanted to call the police but the poker tournament people didn’t want him to because they said they’ll contact the police themselves.
Jens followed up with the PokerStars staff to see what the update was, but they didn’t contact the police right away. In fact, it wasn’t until weeks later that they finally reported this to authorities. Jens was upset that the investigation was not acted on quicker. F-Secure was able to get some details to Jens about who they think did this, but it wasn’t the whole picture. F-Secure posted a blog post titling this type of attack an ‘evil maid attack’. This is where you trust the items that are in your hotel room are secure, but someone with access to your room could hack into your stuff. On top of that, F-Secure classified this not as a phishing attack or even a whaling attack, but a sharking attack because it targeted poker sharks. [MUSIC] At this point, the investigation totally stalled out.
The PokerStars team wasn’t doing much, the hotel wasn’t doing anything, the authorities were quiet, and F-Secure concluded their investigation. So, I know this story because Jens wrote it all out the day after it happened on a poker forum. I tried many times to get Jens to come on this show and tell his story, but he declined all my invitations and said it’s too soon to tell the story, even though it happened seven years ago. So, that makes me think that either Jens felt threatened by whoever hacked him or he thinks it’s just not safe to talk about this for other reasons. Maybe he didn’t want to talk bad about PokerStars since he likes competing in their tournaments. I don’t know, but this forum post that Jens wrote blew up. It has over 1,300 replies at this point which is a lot for this poker forum. So, let’s read what everyone says.
The first interesting post I see here is from Lee Jones, the head of communications for the tournament run by PokerStars. Lee confirms Jens’ story is accurate and says they are doing what they can to investigate. But they’re limited in the authority that they have. Like, they can’t pull surveillance video or door logs. But he does say he was contacting the police about all this. Then there was another post further on down by a US poker player named Scott Seiver. He says the same thing happened to him in Berlin, and Jason Koon, too. PokerStars wouldn’t help either of them. He doesn’t go into detail about [00:30:00] what happened to him, but Scott Seiver has won three World Series of Poker tournament bracelets.
I reached out to him, but no reply. He mentions that this happened to Jason Koon, too, which is another US high stakes poker player. But when I looked into Jason’s story, it has a different attack method; one where he was online playing against someone else, going head-to-head with another player, and he thought he was going to win that hand but then he got disconnected from the server, forcing him to fold. Okay, back to this forum post. Scrolling down, there’s another story from another high-roller named Ankush Mandavia. He’s also known as pistons87. He’s a US high stakes poker player and he says he was staying at the same hotel as Jens, at the same poker tournament, and Ankush also said he received a few mysterious phone calls, and multiple times he went up to his room but his key card wouldn’t work, either.
He says his computer was crashing while in Barcelona, but he didn’t think anything of it until he read Jens’ post and it all became clear. When Ankush got home, his computer was no longer password-protected which was really weird because it always is password-protected. Every time he would try to boot it up, it would just crash and show a blue screen. The story does seem to match exactly. I reached out to Ankush but no response. That forum post alone seems to outline five major poker players who were victims of this attack; Jens, the guy Jens met at the hotel who said the same thing happened to him, David, Jason, and Ankush. On top of that, Mikko told me he helped remove malware on two more poker players’ computers. That’s seven victims that I count. Whoever this hacker was, was pretty busy.
[MUSIC] Then, a year later in 2014, the Danish police issued a statement saying they are investigating a high stakes Danish poker player for allegedly planting Trojan viruses on other high-stake poker players. They say the software that was installed would allow the hacker to see the other player’s hole cards, or the ones that are facedown that you aren’t supposed to see. This would allow the hacker to play on the same online table as his victims and make millions of dollars off them by cheating. The Danish police continued to say they interviewed a victim who claimed someone disabled the video surveillance of his house, then broke into the house, planted the malware on his laptop, and left. Whoa, I thought breaking into a hotel room was crazy. Now this hacker’s breaking into the homes of high stakes poker players? This is even crazier. But after that, silence. No more information from the Danish police for four more years.
Then, in December 2019, the final card was dealt. The Danish police raided the home of a hacker and seized four million US dollars’ worth of Danish money. They had evidence that this was the hacker who had been planting Trojans on the poker players’ computers. The evidence they had was that one day, he was walking with another friend and told the story to him. That friend called the police. From there, they were able to find other evidence on his computer which showed he had access to other players’ cards. The Danish police gave him a 3.9 million dollar fine and sentenced him to two and a half years in prison. However, the Danish police refused to say the name of this person, so I went back to the poker forums to see what people were saying. Now, the Danish police described this man they arrested. He was thirty-two years old in 2014. He’s Danish and he won a European poker tournament once before.
If you look up all the Danish poker players who have won European poker tournaments, it quickly boils down to one person; Peter Jepsen, sometimes known as Zupp. Now, I’m not saying Peter Jepsen is who did this. I want to be clear; this is speculation and if I get anything to counter this claim, I will update this audio here. But Peter Jepsen is no longer part of the poker team he was once on. They dropped him years ago and his blog has remained dormant for years. His social media accounts have been silent for a while, too. He’s gone completely quiet and appears to have stopped playing poker. I, at least, can’t find him. That might be because he might be in a Danish prison. Now, the Danish police say this hacker was planting Trojans on players between 2008 and 2014, so I tried to find what Peter was up to before 2008. I found this amazing interview.
HOST3: I’m sitting here with Peter Jepsen from Denmark who actually had a pretty scary scam coming to him through a mail the other day. Can you tell us about it, Peter?
PETER: Yeah. What happened was that I was playing on Full Tilt and I had been doing really well for that night. Just a couple of hours after my session ended, I received an e-mail in my [00:35:00] inbox. They wanted to tell me about a cash game that they were doing that they wanted to film with Scandinavian players. I think we wrote like, three or four e-mails back and forth. I asked about the buy-in and all kinds of stuff. In the end, he sent me an e-mail with a link. In the link, there was a specific place at the homepage where I could download information about blinds and everything. Right when I was supposed to download it, I noticed that the file was supposed to be a PDF, an Acrobat Reader file, but it was actually an .exe file. I was like, that’s weird. I downloaded it anyways, but I did it into a secure folder that was monitored by my antivirus. Right away when I started downloading, it said that – wait, this is a Trojan horse.
HOST3: Oh, my god.
HOST4: This is a pretty advanced scam, isn’t it?
PETER: Yeah, I’ve never seen anything like it. I’ve never heard – I mean, in the poker business, I’ve never heard of anything – I’ve never heard about anyone getting scammed that way.
HOST3: I wouldn’t be surprised if we saw a couple other guys in your league, so to speak, that would get e-mails like this.
PETER: Yeah, exactly.
HOST3: You want to warn them about this, right?
PETER: Yeah, I just think that if just a few people can avoid being scammed by people like that, that would be great. I think people should just generally be very careful when they – if they download stuff online.
HOST3: Yeah. So, what do you think, is there any chance to get ahold of guys like this? I mean, could you…
HOST3: …hunt them down?
PETER: No. I don’t really know, but I would say that professional guys like these, they’re probably way over the mountains.
HOST3: Yeah, yeah, of course, of course.
PETER: It’s impossible to catch guys like that. They don’t even leave any electronic traces or anything.
HOST3: No, no, no.
JACK: Hm, a lot of hackers I talk to say they got into hacking because they got hacked, and it fascinated them to want to know everything about how to do it. Again, I don’t know whether Peter Jepsen is the hacker behind all this or not. The Danish police refused to give the name and I’ve only come to his name from my own deductions. But it’s possible that if he was hacked in 2008, this might have meant he was immediately fascinated with it to the point where he wanted to learn how it was done. But if Peter was hacked himself, then this means there was more than one hacker doing stuff like this. In fact, after news got out and it was suspected that Peter was behind this, Jens made a follow-up forum post with his thoughts. Jens said this is the first time to his knowledge that anyone has gone to prison for this type of hack, and that this problem has plagued Nordic poker players for quite some time.
[MUSIC] He says the rumor is that there’s a Swedish gang involved with this, but they have strong connections to the underworld that nobody is brave enough to go up against and seek justice. Jens writes that Peter may have joined this gang. Jens doesn’t know if it was Peter who hacked him or someone else. So, once I read that, I immediately started to Google ‘Swedish gang hacking high-roller poker players’ and found some interesting stuff. There’s not a lot of evidence, but there is an accusation that three men from a Swedish biker gang did try to hack high-roller players. The authorities are investigating this but that’s all I got. Honestly, when I look into the other crimes that this motorcycle gang was accused of, I kind of don’t want to dig any further because some suspect this biker gang murdered a Swedish guy who started an online poker news site.
It sounds like while one hacker was arrested and put in prison, a few might still be on the loose. The mystery still remains as to who is behind this and how they did it all. Your hole card still might not be safe. But I find this story fascinating because of the extreme lengths that some hackers go to just to get an edge in online poker. [00:40:00] Oh, so back to Mikko. One of the things I like doing on this show is introducing you to people who are legends in the cyber-security space, and Mikko is a legend. I mean, he’s got 200,000 followers on Twitter at this point and is known worldwide as an information security expert. So, while we have him here, let’s get to know him. You’re almost born in connection with the internet, right? You were born, what, on the day ARPANET was created or something?
MIKKO: Close. I was born in late 1969, and TCP/IP – well, the TCP/IP protocol comes from the innovations which were done in California in October 1969, or maybe November 1969. Basically, I’m as old as the internet but of course, that doesn’t mean anything. Most people had no idea about ARPANET or internet or any of that until 1990, which is when the web made the internet something people actually were aware of.
JACK: Yeah, yeah. Then you pretty much spent your whole life focusing on the internet ever since you were able to.
MIKKO: I started programming at the age of fourteen, in 1984. That was because we got a Commodore 64 into our family and that happened because my mother, my late mother Rauha bought us a computer from her work which was the State Computing Center. I guess it runs in the family. My mother spent all her life working with the State Computing Center. She wasn’t a programmer but of course, she did understand the importance of technology and computers. That got me into programming at an early age. By the time I was sixteen, I was – I had already sold my first programs. I was writing utilities. Of course, I was writing games as well. That’s where I started with computers.
JACK: Let me do the math, here. You’ve been at the same company for almost thirty years now.
MIKKO: That is correct. I joined a company called Data Fellows in 1991 as employee number six. The company was established in 1988 and I’m still there today. The company isn’t called Data Fellows anymore because we renamed the company to F-Secure in 1999 when the company went public. But yeah, it is the same company. I’ve been working there all my life. I guess if you would be employee number six in a Silicon Valley company for thirty years and the company grows big and goes public while you’re there, you would end up being a very wealthy individual. It doesn’t work exactly like that over here in Finland but I’m still at the same company and I gotta tell you, it’s been a wild ride. I’ve seen a company change from a small startup to a player which works all over the world. We now have offices in twenty-nine countries around the world.
JACK: In June 1991, Mikko started working at F-Secure doing security-type work. Because of all this, he’s a bit of a malware historian. I took this chance to talk with him about some of the early malware we ever saw, like Brain.
MIKKO: [MUSIC] Brain was found in 1986 which means I wasn’t in the industry yet. But I did end up analyzing Brain by the time I started doing malware analysis professionally because I wanted to analyze every single virus there was. When I started doing virus analysis in the early days, there were very few viruses. We weren’t receiving thousands of new samples every day. We would get a new malware sample in the mail, on a floppy maybe once a week. I did go through the Brain.A code as well when I started professionally doing malware analysis.
JACK: Brain is actually how I first learned who Mikko was because of a video he made about it.
MIKKO: Brain.A is such an important piece of malware history because it was the first PC virus ever. Now, we had – there were some specific malware cases before Brain on other platforms, for example on Amiga and Apple II, but the first PC virus is important because we’re still fighting PC viruses today. That’s basically where it started from. I [00:45:00] revisited the Brain code in 2011, on the 25th anniversary of Brain, basically because our marketing people and sales people asked me that, you know, it’s gonna be the 25th anniversary of the first PC virus. Would you like to say something on this, or should we do something about this?
We had a meeting about it and they suggested we would build some kind of an awareness campaign on malware or whatever, something boring. I just told them that, you know, that’s a bad idea. Why don’t we instead put me in a plane and I go and try to find the guys who wrote the first PC virus twenty-five years ago? That’s what we did. Of course, I said that because I knew there was a lead. Because in the code of Brain.A virus, there is a street address, an address which points to a street in the city of Lahore which is a city in Pakistan. In 2011, I went to Lahore to look for the guys who wrote the Brain virus. We did a video about this; you can watch the video on YouTube.
JACK: There’s a link to that video in the show notes. You really should check it out. It’s awesome. But malware made in 1986 is very different than the malware today.
MIKKO: Back then, first of all, writing viruses was not illegal. If you wrote a piece of malware and you infected the whole world, you didn’t break a single law. The laws in any of the countries at the time didn’t take crime like this into account at all. Second of all, the early malware writers didn’t have – they didn’t have motives. They didn’t really gain anything by writing these early viruses which were spreading on floppy disks or over early networks. They basically got just chuckles out of the idea that their malware was spreading around the world. It is interesting because I’ve met – during the early days, I’ve met some of the early virus writers. In particular I remember this one kid, a sixteen-year-old kid, who was from Finland.
I found him. He was spreading some of his malware in BBS systems of the time where it was being spread over modems from one computer to another. I spoke with him on the phone and I spoke with his parents. It was fairly eye-opening because he told me that he’s living in this small, rural town in central Finland in the middle of nowhere. There’s nothing. There are no neighbors. There’s just snow, basically. He’s bored out of his mind. He can’t escape. He’s with his mother and father in the middle of nowhere but he does have a computer and he does have a modem, and he wrote this virus. He called the virus Cinderella.
Then when he saw that the virus was spreading from one computer to another – and eventually he saw that the virus spread to California. He somehow felt that he couldn’t escape but his virus could. That was his motive for writing viruses back then, years and years ago. The motives of the virus writers have completely changed. If you talk to current online criminals, nobody’s writing malware for fun. Nobody’s doing it for anything like that. It’s all about money. It’s all about organized crime trying to make money with ransomware and botnets or it’s governmental activity or spying. The good old days of happy hackers are long gone.
JACK: Yeah, but I’m also thinking when a virus hits today, it’s got a plan. Like, it’s gonna take my contacts list or spread an e-mail or try to find something internal or take control. These viruses back in the 80s and 90s weren’t doing stuff that sinister, were they?
MIKKO: Most of the early viruses either did nothing except spread further or they might be destructive. We saw surprisingly many examples of malware which would just overwrite hard drives on certain dates or things like that. Or they would do something visible; they would play music, they would show you animations, they would play games with the user. I’ve always found that part of malware or early viruses very interesting. Many of them look, actually, pretty nice when you look at them with today’s eyes and you sort of respect the art in the early viruses when you look at it today.
I definitely wasn’t respecting that back then when I was fighting these viruses. But this is one of the reasons why I’ve been volunteering at the Internet Archive and curating a collection of old viruses which you can now [00:50:00] run safely in your browser by executing the original code of viruses from the 1980s and 1990s, especially the kind of viruses which actually show you stuff, show you animations or maybe play music on your computer. That’s something you can all check out by visiting the Malware Museum at the Internet Archive.
JACK: If you ever get bored, this is an interesting site to explore. Some of this malware just has a message display like this one. [BEEPING] It just prints out a note on the screen which says ‘Terminator message. Don’t be afraid. I am a kind virus. Have a nice day. Goodbye. Press any key to continue.’ Then just quits. That’s it. No damage; it just infects your computer to say hi, then it moves on. [MUSIC] Then there’s other ones that display weird graphics or they make the screen look glitchy. But that’s just it, graphics and sounds. Nothing more. That’s the virus. I guess what makes it a virus is that somehow these programs were installed and ran on your computer without your consent or your doing. Mikko’s favorite malware of all time is the Whale virus.
MIKKO: Whale was found in 1990 and it’s one of the big mysteries we still don’t understand in the early days of malware. Early viruses started to get more and more complicated. They started to use encryption because they were being fought by antivirus software such as the software we were writing back then. Another early software which still exists today is McAfee. McAfee is actually older by one year than F-Secure. Obviously, McAfee is still around. An easy way to evade detection was to use encryption. You would just encrypt the code of the malware and the antivirus guys like me, we couldn’t find a way to detect the malware because it’s encrypted. You could change the key for every sample and all that. However, the weak point of that technique is that we can pick up a detection signature from the decryption loop.
This is when we started finding viruses which would use metamorphic or polymorphic algorithms, including Whale. Every time the Whale malware would replicate to a new file, it would rewrite itself. It would basically recompile the binary. It would look different every time. This was really groundbreaking at the time. There were plenty of mysterious messages left inside of the malware, and plenty of early researchers spent a lot of time trying to figure out what the motive of Whale was. Where did it come from? Who wrote it? We still don’t know that. These techniques of hiding malware under polymorphic encryption got – it became accessible to anybody. Anybody was writing viruses around two years later when a Bulgarian virus writer called Dark Avenger released a toolkit called MTE, Mutation Engine.
This was basically a toolkit you could use to wrap any program inside a layer of polymorphic encryption. This was really complicated. You would replicate the sample twice. There wouldn’t be a single byte which would be constant in these two samples, so detection was a nightmare. However, at that time we were working closely with a researcher called Fridrik Skulason from Reykjavik. He came up with this clever idea that instead of trying to detect malware with static signatures or looking for certain bytes in certain offsets, what we would start doing is that we would simply execute the malware in a virtual machine.
Basically, let the malware run safely as long as it needs to run so it decrypts the stuff that’s hidden by the layer of polymorphic encryption. We would basically let the malware decrypt itself for us. The virus writers of the time couldn’t figure this out for years. I mean, they just couldn’t understand that no matter how well they were trying to hide the payload, no matter how many layers of encryption they would add, we would still find it because the encryption layers they were adding meant nothing. They would, in the end, end up decrypting the hidden stuff underneath for us and we could detect it just like there wouldn’t be encryption at all.
JACK: Keep in mind, up until this point, this malware which was targeting PCs was just for DOS. Windows wasn’t even out yet. At this time in the 90s when Mikko was researching this stuff, people would send him this malware in the mail on floppy disks. It was a weird time for malware.
MIKKO: Viruses were really slow to make the jump from MS-DOS to MS Windows. MS Windows started to [00:55:00] get traction. I mean, Windows 3.0 was the first success story and then 3.1 and then 3.11. It became bigger and bigger, but all the malware we were analyzing was still running on MS-DOS. Of course, Windows systems at the time were running on top of MS-DOS, so this malware was still partially functional until we then found the very first Windows virus. I remember this very, very well because it really changed our contacts within the industry. This was 1992 and we found a sample that we believed to be a Windows virus from Sweden. It was very hard to analyze because it was the first Windows virus, and Windows at the time wasn’t as accessible as you might think to debug or reverse engineer.
But me and Ismo, one of our coders at the time, spent a couple of days trying to figure out this sample. It turned out to be the very first Windows virus in history. Well, we named it. The finder names the virus so we called it Winvir, like ‘Windows virus’. We wrote a description about it. We had a detection for it. We were all done, but then we realized that holy hell, this is news. Right, this has to be news. I mean, the first Windows virus in history. What should we do? Should we do a press release? Well, the company had never done a press release so we had no idea how to do a press release, but we had seen press releases so we just copied the format; date, location, Data Fellows has today announced the discovery of the first Windows virus, and then go through the technical details.
Very important detail: when we wrote this press release, the first press release in the history of the company, we wrote it in English, not in Finnish. We were headquartered in Helsinki. All of our clients were in Finland, but we automatically assumed that this is an international news item. We have to tell the world. Then when we had the press release ready, we printed it out, we had it in our hands. Then, what do you do? Well, we had no idea. We faxed it to Reuters in London. Reuters picked it up. They wrote a wire article about it. They ran with the story. It became a news item all over the world. The New York Times ran the Reuters story.
The next day, we started getting phone calls from research labs all over the world. Especially, I remember picking up the phone and it’s coming from New Jersey. It’s from the TJ Watson Research Center of IBM. They were very interested in our discovery. They wanted to initiate an official malware sample exchange between IBM and us. We were like okay, now we are in the big boys’ league. Now, we’ve really made it. That’s how we started the international contacts with other research labs. Of course, that was very important in the early days for the company.
JACK: Viruses continued to mutate all through the 90s. Mikko was developing new ways of detecting malware and implementing that into the F-Secure antivirus software. He was also working with software companies to get them to fix the bugs which allowed this virus to run in the first place. But in the year 2000, e-mail began picking up in popularity.
MIKKO: When e-mail became commonplace in offices, malware started spreading more and more over e-mail attachments instead of floppies. That’s when the era of e-mail worms started. We saw so many – so fast outbreaks. First with Happy99, then with Melissa, and then the biggest of them all at the time, Love Letter in May, 2000.
JACK: [MUSIC] Now, this Love Letter virus, sometimes known as Love Bug or ILOVEYOU, would send an e-mail to thousands of people with this message, ‘Kindly check the attached love letter.’ Then there was an attachment named LOVE-LETTER-FOR-YOU.txt.vbs. It’s kind of easy to see this is a phishing attempt now but in 2000, we weren’t getting phishing e-mails very much and we wanted to see who sent us this love letter. While this file looks like a text file, it’s actually a Visual Basic script. Often, Windows will hide the extension, so for a lot of people it just looked okay, like a text file. But when you opened it, Windows knows how to execute the commands in the script and runs them.
What does Love Letter do when you open the file? Well, it first propagates itself and sends an e-mail to everyone that’s in your address book. Then it proceeds to overwrite and corrupt random files on your computer. Office documents, images, and songs essentially get ruined, which are the most valuable files on your computer. Because it would send e-mails to everyone in the victim’s address book, this made the Love Letter virus a worm because it could self-propagate, which made it one of the fastest-growing viruses of all time. Now, when something like this hits the world and a major virus is spreading, causing destruction, [01:00:00] what does an antivirus company like F-Secure do? They get right to work.
MIKKO: [MUSIC] It was sort of really exciting back then because you would typically get woken up at 3:00 a.m. and there’s a massive outbreak going on. We get the sample, we decode it, we pick a search string or build a detection. We test it, we name them while we rewrite the description, we test the detection, we ship the detection, and we just saved the world. Very, very exciting times. Except then, it happens again two days later, and again a day later, and again.
JACK: Wow, that does sound exciting; to save the world by writing antivirus updates. But yeah, it must be exhausting, too. In fact, the most exhausting time for Mikko was the summer of 2003 when his team went to do battle against the botnet called Sobig.
MIKKO: [MUSIC] We saw a massively large run for the first version. That’s Sobig.A and this was so huge – outbreak from the beginning because they were using an existing botnet to kickstart the e-mail sending. The e-mails Sobig was using to fool people into opening up the attachment were pretty clever. They looked like e-mails coming in from Microsoft and they were speaking about an update for security vulnerabilities in your system. This is still the time before Windows Update even existed, so people were still downloading updates manually from microsoft.com. Well, in this case, you’d get this prompt for updates for this month, and it would actually automatically change the month. So, if you would receive Sobig mail today, it would speak about the year 2020 and the current month, which is a neat trick. It actually makes the malware live much longer. When we were fighting through Sobig.A, we then found Sobig.B and C and D, and then F. F, the fifth version, was the largest of the outbreaks.
JACK: By the time the Sobig.F variant showed up, it had infected millions of computers worldwide. But what did this malware do? Well, it’s a botnet, so all these millions of computers were under the control of someone. That person could instruct these computers to do something like send an e-mail to millions of people or attack a system. But in order to do that, each of the computers had to reach out to a central command and control computer to get instructions on what it should do.
Some machines were seeing a proxy server getting installed which meant the hackers could funnel their traffic through these botnet computers in order to disguise where they’re coming from. Regardless of what it was doing, this was now a big problem for companies all over the world. They would ultimately spend billions of dollars cleaning up Sobig from infected computers. Now, when a computer gets infected, it has that code on the computer. Somewhere in that code is instructions of what the botnet should do. This is great for antivirus companies to look at to try to stop or reverse engineer the virus. But there was a problem with this code.
MIKKO: [MUSIC] Sobig.F had this encrypted code in it which was a mystery for us. We couldn’t crack the encryption and figure out exactly what it was supposed to do.
JACK: The team at F-Secure began trying to crack the encryption of this code which is interesting to think about, right? F-Secure is supposed to defend computers from viruses. But here they are trying to use offensive tools to break and hack and crack the code of this malware which was left on the computer. This was hard because good encryption is hard to break.
MIKKO: But then one of our Hungarian coders figured out how the runtime encryption works, and we found this code which basically said that on Friday of that week, every single infected computer would contact ten different servers. These would be command and control servers controlled by the malware author.
JACK: They cracked this code on Tuesday and the code said that on Friday, it would reach out to command and control servers for instructions on what to do.
MIKKO: [MUSIC] This left us four days to contact authorities or contact internet operators or contact CERTs and work together to take down these servers before Friday. There’s actually a timestamp; Friday evening, 10:00 p.m. is when the activity would start. We got most of the servers down fairly quickly by just calling up the operators and telling them what was going on, but some of these were taking none of our words for granted. This funny company from Finland is calling them and asking them to shut down the server. Why would they do that? Then we were working together with the FBI, and then we were calling my contact at the Microsoft headquarters to get [01:05:00] something happening. It was already Friday, early hours of Friday, when we had four servers left.
I remember at some stage, we wanted to get the support of the global CERT community and I tried e-mailing a list of the IP addresses we had decoded from the body of the malware to CERT Finland. I e-mailed them, then I called them like two hours later to ask what’s happening. They told me that they never got my mail. I was surprised about that. They told me that well, actually, they have massive problems with their e-mail servers because of Sobig.F. The Sobig.F outbreak was still so massively spreading that e-mail wasn’t functioning as well as you were hoping for. They asked me if I could fax them the list and of course, we didn’t have a fax anymore because we were considering ourselves to be a modern company, so I printed the list on a piece of paper and I gave it to a friend of mine, Jusu, who worked in the lab, and I told him to go and drive to the CERT headquarters and just deliver it by hand.
He jumped into the car and started driving there, and then got stuck in a traffic jam. We never really have traffic jams in Helsinki. It’s not a big city but there was an accident, so he was stuck. He abandoned his car and ran all the way to the CERT headquarters to deliver the piece of paper hand-to-hand. I still remember how desperate we were. But in the end, we were able to shut down all of the servers except the two last ones. When the threshold date and time came, there were so many thousands of infected machines all over the world that they all tried connecting to these two servers. There was just so much traffic, both of these servers just crashed under the load, which means nothing happened, which means we were successful.
JACK: Taking down a global threat like a botnet is a great feeling. Mikko has gone to battle and brought down a few botnets. He has a few different methods for taking them down.
MIKKO: If you are able to do this right, the whole botnet dies immediately. That’s the best feeling in the world. We’re trying to save the users. We’re trying to defend people’s security. We’re trying to defend their computers and of course, we are doing this for our clients, but when you do something like this, you’re not only protecting your clients and customers. You’re actually protecting the whole world. The whole world is safer because of what you just did. That feels great. That’s one of the things that keeps me running and keeps me in the industry year after year, the feeling that you’re actually able to make a difference, the feeling that you’re actually able to defend the users.
JACK: In fact, when they took down Sobig, they had a bit of a celebration after.
MIKKO: Yeah, when we felt that we’ve just saved the world, we did go and have a party. I guess that just goes with the culture. Since, well, since I was working in Finland, that always meant going to sauna. In Finland, every house has a sauna. Every office has a sauna. Every single F-Secure office I’ve – well, the very first office did not have a sauna but our headquarters today has a sauna floor. It goes with the culture. Yeah, we would be in a sauna having a beer and we would be looking at the news and chuckling to ourselves about how they got the details wrong because we knew exactly what the malware was doing because we had decoded it a couple of hours earlier.
JACK: Okay, so this one I have to ask about. There’s a law named after you. What is the Hyppönen’s Law?
MIKKO: Yeah, I didn’t really coin it as a law in the beginning but someone picked it up and now there’s a Wikipedia page for the Hyppönen Law which is the Hyppönen Law on IoT security. In a nutshell it just says that if something is smart, what it really is, is vulnerable. This is a very pessimistic law but it’s also true. The more functionality and connectivity we add to things, the more vulnerable they become. My favorite example is a wristwatch. If you have a traditional old, cool wristwatch that you have to wind, it’s unhackable. How do you hack a windup old wristwatch? Well, you don’t. Then if you take a modern smart watch with internet connectivity, it might be hard to hack, but of course it is hackable. If it’s smart, it’s hackable, including our smart cars, smart houses, smart cities, smart grids, it’s all hackable.
JACK: What’s kept you on the good side all this time instead of taking your knowledge and saying you know what? I know exactly [01:10:00] what these cyber-criminals do and I see that they’re making much more than I am, and I know how to hide myself – you ever think about that?
MIKKO: Well, Jack, if I would have gone to the dark side, how would you know?
MIKKO: If you look at my Twitter bio, it says I’m a supervillain.
JACK: Oh, yes.
(OUTRO): [OUTRO MUSIC] A big thank you to Mikko Hyppönen for coming on the show, sharing your stories, and teaching us more about malware. You can follow Mikko on Twitter. His name there is just Mikko; M-I-K-K-O. He tells me he’s writing a book about all this, so hopefully that’ll come out soon, and I’m sure it’ll be super fascinating. If you like this show and it brings value to you, consider donating some money through Patreon. By directly supporting the show, it helps keep ads at a minimum. It also allows me to get more people to help make the show and it tells me you want more of it.
Please visit patreon.com/darknetdiaries and consider supporting the show. Thank you. This show is made by me, the never-bluffing Jack Rhysider. Sound design and original music was created by Andrew Merryweather who swears he dreams in color. Editing help this episode is by the heat-syncing Damienne, and our theme music is by the botnet blocker, Breakmaster Cylinder. Even though some people still insist on pushing code to production on a Friday afternoon and that’s really a bad idea, this is Darknet Diaries.
[OUTRO MUSIC ENDS]
[END OF RECORDING]