DukeEugene is a Russian hacker, heavily tattooed with a large swastika on his chest. He specializes in developing malicious software for Android phones. The malware is aimed at stealing credentials and data in order to drain its victims’ bank accounts. Despite developing malware, DukeEugene isn’t a very great coder, but he’s well-known and has many connections in the cybercriminal underground – developers, crypters, hosting providers. His business is successful, but he has a big problem. He finds a possible way to solve it but he has to put everything he’s worked for on the line.

Participants:

Simon Williams, Senior Director, Government & Law Enforcement Liaison, Intel 471

Jeremy Kirk, Executive Editor, Cyber Threat Intelligence, Intel 471

Information stealing malware is one of the most common ways that organizations end up infiltrated by malicious hackers. For several years, one type of infostealer called Raccoon Stealer ruled them all. If a computer was infected with Raccoon Stealer, all data – ranging from login credentials, payment card data, cryptocurrency accounts, session tokens – are vacuumed up from the machine and sent off to the hackers. Raccoon Stealer was dead easy to use and didn’t require coding knowledge. This meant that anyone could start stealing data from other people’s computers. It also had great customer service. But the elusive operator of Raccoon made critical mistakes – including a revealing photograph on Instagram – that jeopardized his business and himself.

Participants:

Quentin Bourge, Lead Cybercrime Analyst, Threat Detection

Jeremy Kirk, Executive Editor, Cyber Threat Intelligence,

In 2006, a new type of malware appeared on the scene. Its name was Zeus. It was enormously profitable for its cybercriminal developers, who used it to steal tens of millions of dollars from businesses and organizations of all sizes. Those behind the scheme had honed a new model: cybercrime-as-as-service, where individuals focus on their specialities – creating malware, employing money mules, acting as system administrators. Zeus frustrated victims and left some in ruins. It defeated security processes in financial systems. And it led law enforcement along trails that that went from small businesses in America to Eastern Ukraine and Russia. Sometimes, the trails ran cold. But eventually, one threat actor’s luck ran out.

Participants:

Jason Passwaters, CEO and Co-Founder, Intel 471

Jim Craig, Senior Director, Intelligence Collection Management, Intel 471

Jeremy Kirk, Executive Editor, Cyber Threat Intelligence, Intel 471

The online game Axie Infinity is colorful and eye catching. It resembles Pokemon and is filled with cute digital creatures. To play the game, players use virtual currency to buy and sell these creatures and can earn it by battling each other. In 2021, the company behind Axie Infinity was worth $3 billion and backed by Silicon Valley dollars. But this virtual world and the enormous amount of virtual money in this world came into the sights of an adversary. In a matter of minutes in March 2022, Axie Infinity saw nearly $600 million worth of virtual currency stolen from its wallets. The hackers weren’t just cybercriminals. They were nation-state hackers from North Korea. But investigators were hot on their heels.

Participants:

Erin Plante, Vice President, Investigations, Chainalysis

Jeremy Kirk, Executive Editor, Cyber Threat Intelligence,

Over many years, a cybercriminal gang likely based in Russia built a huge network of interconnected, hacked computers. They did this one inbox at a time. They sent spam messages with fake documents and malicious links, tricking people into opening malicious software. The network of hacked computers was called Qakbot, or QBot. The botnet was used by cybercriminal gangs to infiltrate computers, steal their data, conduct financial crime and deploy ransomware. But in 2023, law enforcement hacked the hackers. They cut Qakbot off from the cybercriminal group that controlled it. They also removed Qakbot from hundreds of thousands of infected computers, a mission that stretched across the internet. But the battle against this group continues.

Participants:

Selena Larson, Senior Threat Intelligence Analyst, Proofpoint
Jeremy Kirk, Executive Editor, Cyber Threat Intelligence, Intel 471

In the early 2010s, a group of malicious hackers had a goal: to build a Durango, which was the code name for Microsoft’s next-generation gaming console eventually known as the XBox One. They did this by stealing reams of data: authentication keys, personal data, login credentials and proprietary gaming documents. Arman Sadri was on the fringes of the group. He was a gaming hacker who taught himself programming languages such C# and C++ and how to hack games like Call of Duty. He sold gaming cheats, or mods. His eventual goal was a legitimate job in the games industry. Eventually, Microsoft hired him to debug XBox games, which was a dream job. But it was the start of his life unravelling. Microsoft fired him. The FBI wasn’t long behind him. Arman didn’t recognize when he’d gone too deep, and his years-long dalliance on the edge with computers led him to a place from which he’s still recovering.

Participants:

Arman Sadri, Founder, The Good Hackers

Jeremy Kirk, Executive Editor, Cyber Threat Intelligence, Intel 471

Bluma Janowitz is a social engineer and red team agent. She specializes in what are called red-teaming exercises, which are designed to test an organization’s defenses against malicious hackers. She might try to trick employees into giving up sensitive information over the phone or drop USB drives in places where curious people might put them in their computers. She talks her way into buildings and does discreet Wi-Fi scans, taking photos along the way. These techniques are known as social engineering. Threat actors have been using social engineering as a tool to gain access for decades, and in fact, it remains one of the most potent ones today. Bluma does these exercises to help companies get better at security. That’s because access is everything. If access control is compromised, the consequences can be severe. In this episode of Cybercrime Exposed, Bluma describes two of her engagements. Would you fall for the tricks?

Participants:

Bluma Janowitz, Social Engineering and Red Team Agent

Jeremy Kirk, Executive Editor, Cyber Threat Intelligence, Intel 471

In one long weekend in May 2023, a cybercriminal gang called Clop conducted one of the largest data breaches on record. The supply-chain attack affected thousands of organizations and millions of people. The group dumped terabytes of health care data, personal and corporate records on the internet in an effort to extort the victims. CLOP’s attack epitomizes the challenges in fighting professional cybercriminal gangs generating billions of dollars a year in profit. Will Clop, whose members are likely in Russia or Eastern Europe, be held to account?

Participants:

Will Thomas, Cyber Threat Intelligence researcher, Equinix Threat Analysis Centre

Jeremy Kirk, Executive Editor, Cyber Threat Intelligence, Intel 471

Bex Nitert is an incident response and forensics professional in Australia. She describes herself as a digital firefighter who helps organizations after they’ve been hacked. She often investigates phishing, the term for stealing login credentials with the aim of taking over accounts and systems. There’s a threat actor who created a managed phishing service to help other cybercriminals steal usernames and passwords. Bex found him operating in the open. And there are indications his operation may take a darker turn.

Participants:

Bex Nitert, Incident Response and Forensics Professional

Jeremy Kirk, Executive Editor, Cyber Threat Intelligence, Intel 471

Introducing Cybercrime Exposed, a podcast from Intel 471 that explores how malicious hackers undermine the systems we trust.