> Kiberphant0m denied being in the U.S. Army or ever being in South Korea, and said all of that was a lengthy ruse designed to create a fictitious persona.
>
> “Epic opsec troll,” they claimed.
If this were really a fictitious persona meant to lead investigators away from their true identity, they'd never admit to such. This sounds like someone trying to deflect upon being found out. I'd wager that this person is going to be caught.
Krebs has an image of a mind-map at the end of the article showing links between the aliases.
Yes. I'm pretty sure if you spoke to an intelligence analyst they would tell you there's no such thing as an opsec troll.
Everything your target does (including misdirection) gives or risks giving away information, and there's no way someone who is actually in control of events would blow a cover because even if you were 99% certain it was false, you would have to continually waste resources trying to confirm that. In particular if they invested a lot in building this persona and you were on to them it's much more likely they would just go dark, wait and plan how to pick up with a new persona.
> Kiberphant0m denied being in the U.S. Army or ever being in South Korea, and said all of that was a lengthy ruse designed to create a fictitious persona. “Epic opsec troll,” they claimed.
This is called a "double cover story", a classic deflection when someone is caught or exposed.
Gotta pump those numbers up. Those are rookie numbers in this racket. I myself, I have fourteen cover stories with an infinite loop at number 10 that directs you back to 4.
Let's just not believe anything said by an untrustworthy person. What they say should not calculate in what we believe to be true, but only evidence we can verify.
I respectively disagree. If someone is shown to be unreliable then of course you won't take what they say at face value, but there's still information there. A deliberate lie may still contain something useful and reveal something about the person.
In fact assuming someone to be truthful isn't a good prior, knowing that they may be "untrustworthy" doesn't tell me much, since I didn't start off thinking otherwise.
but then we're not "trusting" what they're saying, just analyzing a statement for unintentional or partial truths. the assumption is not one of credibility. everything this person is doing is dubious as hell. this means every statement or action must be analyzed with the assumption is bunk, and then you pick out possible truths.
the picture of the army gear, for example, consists of gear that could be purchased at any surplus store. I'm not in the US but I could easy acquire that, and I know enough about exif data to be able to alter an image to use GPS coordinates at a US Army barracks in SK.
meanwhile if they were showing a picture of them sitting with, say, a 240B MG, or something that actually proves they're in the US Army I might believe them.
while bartending back in the day I used to have a coworker who, after a few drinks one night, eventually confessed she was a camgirl for a while. she went by April, who was really Stefani -- nether of which were her real names, but were just layers to keep stalkers off of her back. she had friends on the other side of the country take pictures of their dorm to help further the story. I totally believe a serious cracker would take similar precautions; OPSEC on OPSEC
You can analyze a lie only if you know that the speaker is trying to convince you into performing an action. Binary statements about facts cannot be judged without knowing the truth. They could be used only for self-analysis of the analyzer and maybe if you want to exercise some tail chasing.
Watch The Princess Bride and you will find a wonderful scene about choosing the right cup there.
von Neumann proved that you can extract fair results from a biased coin without knowing the bias. No truth needed.
While it doesn’t really apply to this situation, it’s all to say that i disagree with you saying there’s only information in the truth.. There’s information in everything.
I can't help myself: is this the famous logic by which tech people don't trust apple, microsoft, amazon, meta, or google products?
Or does it not apply to corporations? What's the distinction, if so? It certainly seems common to not to apply it to corporations.
Not sniping here, I actually think this is solid logic, maybe with some exceptions but generally applicable. I feel like it's so commonly and happily not applied when it comes to the above companies (and others) that I find it stunning to see it stated so clearly here.
This FAANG stuff is coming a bit from left field here. I have my thoughts on their involvement with the US government, but I cannot testify if those thoughts are the same for any other tech person on this platform. Lots of other stuff to say, but generally, I tend to apply the same mental tools to everyone. You should ask everyone else for their opinions individually though.
Well yes, but I doubt that Krebs is really posting this data dump for random Internet readers like us. Some other investigator might find some useful hints in it, though.
"You fell victim to one of the classic blunders! The most famous is 'never get involved in a(nother) land-war in Asia', but only slightly less well-known is this: Never go up against a once-Korean-resident when death is on the line! Aha-haha-hahaha!"
Interestingly, Kiber- is how a Russian would transliterate "Cyber-". At first I thought he must be Russian, by the nickname alone (I'm a Russian speaker).
Something I don't understand is why people don't appreciate /expect misdirection.
For instance, a malicious actor, of even basic sophistication, coming from a Russian ip and occasionally using Cyrillic and missing grammatic artcles is probably not Russian. Similarly a malcious actor with a pseudonym including the term patriot, coming from a US IP and using terms like howdy probably is not American.
There's a case to be made for expecting misdirection more often, but the fact remains that most people, including malicious actors, don't have the foresight and skill to pull it off. You do need both. Unless you plan a consistent fake story from the very start of an identity, execute it consistently, and hermetically isolate it from any others, you'll leave clues.
You need actual evidence to make claims like this and be believed. "Possibly not Russian/American" is self-evident due to how easy misdirection is, but "probably not Russian/American" is a matter of probability for which you've presented no meaningful data or argument.
Not that it's necessarily the case here, but you'd be surprised how many grand capers were only busted because the actor made an embarrassingly dumb mistake in leaving some obvious trail.
It's not unheard of to apply some occam's razor just in case while keeping misdirection in mind. Even masterminds aren't perfectly rational actors that cross all their t's.
If your company just got pwned, you'll probably be thankful to have an excuse to tell your investors that it was a Russian/etc "state actor" and therefore they should feel sympathy for you being the victim of a foe that far outclasses your assuredly reasonable and competent security measures.
Looks a lot better than getting pwned by some jackass American teenager. So if the attack came from a Russian IP, or used some Cyrillic characters or something like that, there's a "face saving" incentive to take that probable misdirection at face value.
> False attribution is a core lesson in malice 101
I was always surprised to see security researchers confidently attributing some attack to a specific group based on easily falsifiable things like localization, alphabet, time zone, coding "style", specific targets, etc.
Even if researchers can undeniably link one attack to a certain group (like when they publicly take responsibility) and can label their style accordingly, all those indicators have to already be at least semi-public. If the researchers have access to them, so do other other actors who are free to fake or imitate them. The confidence is probably more for the media reporting.
It also seems like a bad opsec if he creates multiple aliases for the same theme. Wouldn't you want to have one us soldier, one Russian, one African, etc. if you are trying to create red herrings?
Even the soldier persona is consistent though. The trouble with opsec like this is (1) you always have to win and (2) almost everything - even total randomness tends to create a pattern (since you the negative space of trying not to stand out itself tends to make you stand out).
Right, there's something odd about this. That image from 2022 of a person's legs [Kiberphant0m?] in army fatigues ought to be a dead giveaway. For starters why would anyone be stupid enough to do that, second I'd recon the floor pattern alone might be enough to reveal the person, again why do that? Surely those involved would have have thought of that? Alternately they're on the room-temperature side of dumb.
Of course, that doesn't include the image being a ruse for other schema.
> Alternately they're on the room-temperature side of dumb.
When combined with the uses the claimed for their botnet, the person we're talking about leaves an impression of having emotional maturity of a 10 year old.
So, you might not be very far when it comes to non-technical skills.
Maybe he is operating at the next level. He is deflecting because the investigators will think that he is trying to lead them away from this true identity and become even more convinced of it, which is exactly what he wants.
Eh; let's wait and see. For any claim for insight there's an equivalent claim for fabrication. any such analysis that relies on this is inherently flimsy.
This seems like it would be rather easy for the government to narrow down. Check the logs of who applied for an NSA job on or around the date the screenshot was posted and cross reference any that are/were located in South Korea. I would think that would produce a rather short list that a bit more investigation would crack.
The guy seems arrogant, and arrogant = sloppy. He'll get caught.
But probably after they arrested him, to help with negotiations.
And to pop that bubble of false confidence.
The way he acted, would be a very red flag for me, if I were to hire him. Maybe skillfull, but careless. And that is not acceptable in that line of work. (Neither it is in the military)
> “Type ‘kiberphant0m’ on google with the quotes,” Buttholio told another user. “I’ll wait. Go ahead. Over 50 articles. 15+ telecoms breached. I got the IMSI number to every single person that’s ever registered in Verizon, Tmobile, ATNT and Verifone.”
SBF levels of self-pwning right there. When, not if, they catch him, the Feds are going to hang this clown out to dry.
I'd rather see them hang out to dry the 15+ telecoms who gave away "the IMSI number to every single person that's ever registered in..." because doing so was cheaper than investing in security.
randomized IDs and linked lists, which correspond to entries in DBs elsewhere.
IMEI 123456789 has ID sjkadnasf8uywjerhsdu, and then in the hyper locked down Mongo instance used by billing knows that sjkadnasf8uywjerhsdu relates to John Smith, credit card number xxxx xxxx xxxx xxxx
make it so you have to crack all of em, instead of just nailing one and walking out w/ all the crown jewels
Yeah, in separate databases on separate systems. The network plane of a phone provider should only be able to access a database mapping IMSI -> account ID, and the billing/customer service department should only be able to access a database mapping account ID -> actual account data.
Unfortunately, anything involving phones is based on literally decades of stuff that was made in a time where every participant in the network was trusted by default, and bringing up the legacy compatibility stuff to modern standards is all but impossible.
Any insight based on histogram of the timing of this person's posts, particularly ones responding to a just slightly earlier post? (ie was clearly awake and not an artificially-delayed response).
Krebs knows about this timezone analysis technique, wonder if he didn't check this or it was inconclusive?
Is that effective for people who aren't literally being paid a salary to do this stuff 9-5? A lot of people who spend too much time on computers have totally out of wack sleep schedules that would look like they're operating from very different timezones.
You can, but a lot of these pattern analyses work out because people get sloppy and overconfident over time, and don't use these measures even if their lives are on the line.
what a great article, I loved seeing the links that Krebs (?)/Unit 221B (?) dug up and all the info they managed to connect. It felt like I was reading a detective story. It sounds like this guy is doomed, the NSA application date alone basically identifies him
If you have enough data, i wonder how much of this digging can be automated these days with good LLM prompts. Doing it manually is very time-consuming.
Having worked with LLMs over the past year+ trying to get them to do useful things in various contexts, the real work is typically pretty boring data acquisition (e.g. scraping) + ETL and then making that data available to the LLM.
I think this whenever I read a modern detective novel (Bosch). So much of their work seems to be looking up data from different databases and trying to make connections or recognize patterns.
I assume the FBI or whomever has automated this to some degree already, and I really hope someone does a great writeup of how LLMs/agents can do even more.
In theory, sure, in reality it's almost always much more benign and they have terrible Opsec over time that allows people to piece together their identity. Especially if they reuse usernames across services.
Kinda like how the big mastermind criminals like Capone get away with murder and racketeering but get fucked on tax evasion.
Reading this guy's posts, his ego is the biggest issue, and it will be his downfall. The "I literally can't get caught" mentality inevitably leads to carelessness and blabbermouthing.
That’s a little different. It wasn’t that Capone couldn’t handle taxes, it was that until that point nobody used it as a serious mechanism to take town criminals. It was only validated as a good approach by the Supreme Court a few years before. In fact, one of the primary pieces of evidence of his tax evasion were from communications from his lawyer about how much tax to pay to make his tax history legit in light of the recent effectiveness of tax convictions.
I feel like leaving a bunch of misdirection would also risk potentially just leave real traces behind that in some ways.
At least in my mind leaving some false trails behind, when I run through scenarios, seems like it could leave actual trails / to the point of not being worth the extra risk.
Yeah. If you have a choice of giving an adversary no information or false information, no information seems safer. The choice of false information is information. Same way that people are terrible at picking random numbers and fraudsters are often caught because they avoid round numbers.
It would make sense if doing something illegal to do the former, but also leave "slip ups" that are complete red herrings, create trails to people that seem like opsec fails but are actually just framing others, etc.
All about plausible deniability. Layers and layers and layers of dead ends that seem real.
In this way, if you do actually slip up, it becomes near impossible to distinguish the real slip-ups with the orchestrated ones.
The problem is that false “slip ups” provide information. Sure, you waste investigator’s time, but once they rule out the false lead they have a bunch of information:
- if the false slip-up used only public information about, you likely don’t have access to confidential information about that space. If it used confidential information, you do.
- The geography and demographics of the false lead are probably not near-misses. The point of misdirection is to misdirect, so you likely won’t frame a coworker that will bring investigators to your own door.
- Any mistakes in the false slip-up, from spelling to factual to timing, may reveal info.
IMO this is a “too clever by half” scenario: leaving any trace at all is information. Leaving none is wiser.
Example: you’re a master hacker. You’re going to repeatedly access a compromised system. Is it better to set an alarm for 3am each time to suggest you’re in a different time zone, or to use a RNG to close an alarm time?
I say the RNG is better. Using 3am gives psychographics. Random isn’t clear if there’s any planning at all, or if you travel, etc.
I don't get how such people could be as verbose as shown in this quite precise article. And I'm not even getting into the idea that he could be a US soldier ...
he's not. it's gear you can order online or get at any local surplus store. I'm not even in the US and a quick look shows it's trivial to get.
it's another layer of obfuscation. strippers telling you their name is April (but then whispering to you that their real name is Stefani)... but their real name is actually Angela, and it's just another deflection to keep off the stalkers.
I wonder how unique those floor tile patterns are? If that's taken on a military base in Korea, it might be possible to find the exact location of the photo.
> Immediately after Kiberphant0m logged on to the Dstat channel, another user wrote “hi buttholio,” to which Kiberphant0m replied with an affirmative greeting “wsg,” or “what’s good.”
It's kind of unfortunate for him that he didn't do a better job of referencing Beavis and Butthead. If his username was "Cornholio" or even "Bungholio", it could read as someone directly referencing the show and potentially unrelated to the other account, making his deniability a bit more plausible.
Being a high-stakes criminal is too difficult. One slip-up and you're compromised. There's a million opportunities for slip ups and there's a million opportunities for investigators to get lucky.
There's a line at the beginning of Ocean's 11 to the effect of "the house always wins in the long run... unless you bet it all on a great hand, win, and then walk away."
For internet crimes? Almost none in perpetuity. I’d think you’d need to go off the grid totally for a few years and come back without any reference to a prior life.
For physical crime, my gut says quite a few people have avoided identification for decades until they were essentially caught by turning themselves in. Ted Kaczynski comes to mind, but there must be a few others.
Perfect OPSEC to me, means near total isolation from socialization. Not something most people are capable of.
If you’re a professional criminal of any kind you weigh the risks knowing that perfection is impossible. The government is a business with a monopoly on violence. The goal is to keep their ROI for catching you as low as possible. Every single man hour spent finding you is costing money and there’s a man upstairs who wants to see some results that reflect the money spent.
Once you understand that premise, it’s easy to understand the why and how criminals are caught. The ones who are caught are always the ones who don’t know when to fold. Always the ones not to cash in and retire.
The ones who get away with it, they fold they retire and society forgets about them and the ROI drops precipitously on catching them. Research statistics on cold cases.
The bungholio name is a reference to the bevis and butthead name where they’d say, “I am cornholio, I need TP for my bunghole”. You really had to be there.
Huggingface bought its biggest competitor, Gradio (still used more than Streamlit) for an "undisclosed" amount of money a year or so before hand. I'd wager HF paid on the orders of 1-5 million.
I doubt Gradio is used more than streamlit. And so does Google [1]
I know that's not exact, but if more people used Gradio, you'd expect at least a somewhat similar number of people searching for it online. Gradio is not even in the same ballpark as Streamlit here.
I don't know what to say except that the overwhelming majority of HF spaces are made as Gradio demos and that gradio's whole design makes it far easier to do async things unrelated to reloading the webpage - which is a huge thing for ML/AI demos.
I don't claim you're wrong, but I claim that gradio is far more effectively profitable to know than streamlit is - i.e. Gradio demos are used far more for a top AI paper demo (i.e. NeurIPS system demos) than Streamlit is.
Salesforce purchased Mulesoft for $6.5 billion. Mulesoft was so successful they decided to buy a different ETL tool Informatica. But the deal fell through. Mulesoft has about 1500 clients vs 9500 clients for Informatica.
No way, HF didn't have anywhere near that kind of money when they acquired Gradio. I think they did it back in 2020 or 2019. I know for a fact it was a tiny sum.
I did toy with the idea of trying do analysis of HN aliases and keywords. It never went anywhere, because I forgot about it, but a longer weekend is coming:D But yeah, language betrays, who we are in references alone.
Seems like the guy has been fucking around for a while. No wonder none of our allies want to share intelligence or plans with us. The US Military is a liability when it comes to keeping shit secret, they leak like a sieve. They need to get a handle on this shit, who knows what this guy has given to the Russians or Chinese.
Jesus. Let’s tick another box on our late capitalism bingo card: our soldiers are so desperate for cash and so cynical around institutions that they’ve started doing mercenary crime.
I can’t be the only person who has read of such situations throughout history.
The root of all failure at the level of the society is the fungibility of inherited wealth into political power, which rapidly gets deployed to impoverish everyone else including soldiers, and on its way it tramples institutions once revered.
This Krebs guy is a doxxer through and through, I wouldn't take anything that he writes down as being serious. If he thinks he knows something and he has palpable proof for it then he should contact the relevant authorities.
Revealing people names and addresses and implying that they have done something illegal, while the person doing that (this Krebs guy) does not represent the Law/the relevant authorities. See the Boston bombings debacle on this very website.
> why you believe that means nothing he writes is serious?
See the Boston bombings debacle on this very website.
Not sure Signal would have made a difference for this criminal. All the data on them I saw in the article was likely captured by someone in the channel / group message.
It’s just plain poor opsec, but I kind of expect that from someone with poor enough judgement to be a criminal.
Not recommending Telegram, but personally, I suspect that signal is compromised. They've been permanently storing sensitive user data in the cloud for a long time time (https://community.signalusers.org/t/proper-secure-value-secu...) but the very first sentence of their Terms and Privacy page still claims "Signal is designed to never collect or store any sensitive information." and they've been asked multiple times but refuse to update their privacy policy. I suspect that lie is being kept there as a giant dead canary.
Making the change to start keeping exactly the data that the government has been asking them to turn over isn't a very good look. "Securing" user's data with something as week as a PIN isn't great either. https://www.vice.com/en/article/pkyzek/signal-new-pin-featur...
Note that the "solution" of disabling pins mentioned at the end of the article was later shown to not prevent the collection and storage of sensitive user data. It was just giving users a false sense of security. To this day there is no way to opt out of the data collection.
> Kiberphant0m denied being in the U.S. Army or ever being in South Korea, and said all of that was a lengthy ruse designed to create a fictitious persona.
>
> “Epic opsec troll,” they claimed.
If this were really a fictitious persona meant to lead investigators away from their true identity, they'd never admit to such. This sounds like someone trying to deflect upon being found out. I'd wager that this person is going to be caught.
Krebs has an image of a mind-map at the end of the article showing links between the aliases.
Yes. I'm pretty sure if you spoke to an intelligence analyst they would tell you there's no such thing as an opsec troll.
Everything your target does (including misdirection) gives or risks giving away information, and there's no way someone who is actually in control of events would blow a cover because even if you were 99% certain it was false, you would have to continually waste resources trying to confirm that. In particular if they invested a lot in building this persona and you were on to them it's much more likely they would just go dark, wait and plan how to pick up with a new persona.
There are robots for everything social now- including manufacturing personas.
It's not about the volume of manufactured personas, it's about the tool-marks that can be analyzed.
> Kiberphant0m denied being in the U.S. Army or ever being in South Korea, and said all of that was a lengthy ruse designed to create a fictitious persona. “Epic opsec troll,” they claimed.
This is called a "double cover story", a classic deflection when someone is caught or exposed.
It could be a triple cover story. The faked double cover story is meant to deflect.
Maybe even skipping the quadruple cover story and going straight to the quintuple. A true pro.
I always play the (2n+1) game myself. (Or do I??)
Good luck, I’m behind seven cover stories
Gotta pump those numbers up. Those are rookie numbers in this racket. I myself, I have fourteen cover stories with an infinite loop at number 10 that directs you back to 4.
Where do you use 11-14 for?
Higher dimensional investigations.
Plot twist, I'm actually undercover as you.
"Fuck everything, we're doing five covers." ... "Put another misdirect on that fucker, too."
That reminds me of the escalating “trace buster” scene in “The Big Hit.”
https://youtu.be/2VY_xxL2jL0?si=9hf6ibvtHFCGuCNL
Context https://theonion.com/fuck-everything-were-doing-five-blades-...
Let's just not believe anything said by an untrustworthy person. What they say should not calculate in what we believe to be true, but only evidence we can verify.
I respectively disagree. If someone is shown to be unreliable then of course you won't take what they say at face value, but there's still information there. A deliberate lie may still contain something useful and reveal something about the person.
In fact assuming someone to be truthful isn't a good prior, knowing that they may be "untrustworthy" doesn't tell me much, since I didn't start off thinking otherwise.
but then we're not "trusting" what they're saying, just analyzing a statement for unintentional or partial truths. the assumption is not one of credibility. everything this person is doing is dubious as hell. this means every statement or action must be analyzed with the assumption is bunk, and then you pick out possible truths.
the picture of the army gear, for example, consists of gear that could be purchased at any surplus store. I'm not in the US but I could easy acquire that, and I know enough about exif data to be able to alter an image to use GPS coordinates at a US Army barracks in SK.
meanwhile if they were showing a picture of them sitting with, say, a 240B MG, or something that actually proves they're in the US Army I might believe them.
while bartending back in the day I used to have a coworker who, after a few drinks one night, eventually confessed she was a camgirl for a while. she went by April, who was really Stefani -- nether of which were her real names, but were just layers to keep stalkers off of her back. she had friends on the other side of the country take pictures of their dorm to help further the story. I totally believe a serious cracker would take similar precautions; OPSEC on OPSEC
You can analyze a lie only if you know that the speaker is trying to convince you into performing an action. Binary statements about facts cannot be judged without knowing the truth. They could be used only for self-analysis of the analyzer and maybe if you want to exercise some tail chasing.
Watch The Princess Bride and you will find a wonderful scene about choosing the right cup there.
von Neumann proved that you can extract fair results from a biased coin without knowing the bias. No truth needed.
While it doesn’t really apply to this situation, it’s all to say that i disagree with you saying there’s only information in the truth.. There’s information in everything.
I can't help myself: is this the famous logic by which tech people don't trust apple, microsoft, amazon, meta, or google products?
Or does it not apply to corporations? What's the distinction, if so? It certainly seems common to not to apply it to corporations.
Not sniping here, I actually think this is solid logic, maybe with some exceptions but generally applicable. I feel like it's so commonly and happily not applied when it comes to the above companies (and others) that I find it stunning to see it stated so clearly here.
We already have direct evidence through Snowden leaks that US big tech corps are US intelligence assets.
This FAANG stuff is coming a bit from left field here. I have my thoughts on their involvement with the US government, but I cannot testify if those thoughts are the same for any other tech person on this platform. Lots of other stuff to say, but generally, I tend to apply the same mental tools to everyone. You should ask everyone else for their opinions individually though.
Well yes, but I doubt that Krebs is really posting this data dump for random Internet readers like us. Some other investigator might find some useful hints in it, though.
> This sounds like someone trying to deflect upon being found out. I'd wager that this person is going to be caught.
that's what a super epic opsec troll would want you to think
"You fell victim to one of the classic blunders! The most famous is 'never get involved in a(nother) land-war in Asia', but only slightly less well-known is this: Never go up against a once-Korean-resident when death is on the line! Aha-haha-hahaha!"
https://www.youtube.com/watch?v=pRJ8CrTSSR0
Interestingly, Kiber- is how a Russian would transliterate "Cyber-". At first I thought he must be Russian, by the nickname alone (I'm a Russian speaker).
Something I don't understand is why people don't appreciate /expect misdirection.
For instance, a malicious actor, of even basic sophistication, coming from a Russian ip and occasionally using Cyrillic and missing grammatic artcles is probably not Russian. Similarly a malcious actor with a pseudonym including the term patriot, coming from a US IP and using terms like howdy probably is not American.
False attribution is a core lesson in malice 101.
There's a case to be made for expecting misdirection more often, but the fact remains that most people, including malicious actors, don't have the foresight and skill to pull it off. You do need both. Unless you plan a consistent fake story from the very start of an identity, execute it consistently, and hermetically isolate it from any others, you'll leave clues.
Attribution is hard, and is a critical part of Threat Analysis.
I generally agree with the quip about American patriot actors, mostly.
You need actual evidence to make claims like this and be believed. "Possibly not Russian/American" is self-evident due to how easy misdirection is, but "probably not Russian/American" is a matter of probability for which you've presented no meaningful data or argument.
Not that it's necessarily the case here, but you'd be surprised how many grand capers were only busted because the actor made an embarrassingly dumb mistake in leaving some obvious trail.
It's not unheard of to apply some occam's razor just in case while keeping misdirection in mind. Even masterminds aren't perfectly rational actors that cross all their t's.
If your company just got pwned, you'll probably be thankful to have an excuse to tell your investors that it was a Russian/etc "state actor" and therefore they should feel sympathy for you being the victim of a foe that far outclasses your assuredly reasonable and competent security measures.
Looks a lot better than getting pwned by some jackass American teenager. So if the attack came from a Russian IP, or used some Cyrillic characters or something like that, there's a "face saving" incentive to take that probable misdirection at face value.
> False attribution is a core lesson in malice 101
I was always surprised to see security researchers confidently attributing some attack to a specific group based on easily falsifiable things like localization, alphabet, time zone, coding "style", specific targets, etc.
Even if researchers can undeniably link one attack to a certain group (like when they publicly take responsibility) and can label their style accordingly, all those indicators have to already be at least semi-public. If the researchers have access to them, so do other other actors who are free to fake or imitate them. The confidence is probably more for the media reporting.
Doubly so since warmongerers will defend your persona and corparations will use the persona as a politically palatable scapegoat.
Spot on, chap.
yea but 2 years prior he used the handle cyberphantom. So the switch is most likely him trying to throw people off.
It also seems like a bad opsec if he creates multiple aliases for the same theme. Wouldn't you want to have one us soldier, one Russian, one African, etc. if you are trying to create red herrings?
Even the soldier persona is consistent though. The trouble with opsec like this is (1) you always have to win and (2) almost everything - even total randomness tends to create a pattern (since you the negative space of trying not to stand out itself tends to make you stand out).
Right, there's something odd about this. That image from 2022 of a person's legs [Kiberphant0m?] in army fatigues ought to be a dead giveaway. For starters why would anyone be stupid enough to do that, second I'd recon the floor pattern alone might be enough to reveal the person, again why do that? Surely those involved would have have thought of that? Alternately they're on the room-temperature side of dumb.
Of course, that doesn't include the image being a ruse for other schema.
> why would anyone be stupid enough to do that
To prove their "credentials" that they are a real world "though guy", in the hopes of gaining social clout in among their peers.
Same reason why some posts classified information on Discord or War Thunder.
> Alternately they're on the room-temperature side of dumb.
When combined with the uses the claimed for their botnet, the person we're talking about leaves an impression of having emotional maturity of a 10 year old.
So, you might not be very far when it comes to non-technical skills.
> leaves an impression of having emotional maturity of a 10 year old
That fits well with the position of US president or the currently richest person on Earth.
I dare not comment, the thread would be deleted. ;-)
Maybe he is operating at the next level. He is deflecting because the investigators will think that he is trying to lead them away from this true identity and become even more convinced of it, which is exactly what he wants.
Truly next level would be for him to be one of the investigators.
Let's skip of this step and go the next: It's a rogue AI.
But little did he know the other instigators were investigating him… or so they thought…
You'll never catch me!
Eh; let's wait and see. For any claim for insight there's an equivalent claim for fabrication. any such analysis that relies on this is inherently flimsy.
Or it’s part of the troll.
Bothsidesism has crept into ... US counterintel agitprop?
This seems like it would be rather easy for the government to narrow down. Check the logs of who applied for an NSA job on or around the date the screenshot was posted and cross reference any that are/were located in South Korea. I would think that would produce a rather short list that a bit more investigation would crack.
The guy seems arrogant, and arrogant = sloppy. He'll get caught.
He knows he's about to get caught, reason why he hurried to knock NSA's door. They might let him in after all.
But probably after they arrested him, to help with negotiations.
And to pop that bubble of false confidence.
The way he acted, would be a very red flag for me, if I were to hire him. Maybe skillfull, but careless. And that is not acceptable in that line of work. (Neither it is in the military)
> “Type ‘kiberphant0m’ on google with the quotes,” Buttholio told another user. “I’ll wait. Go ahead. Over 50 articles. 15+ telecoms breached. I got the IMSI number to every single person that’s ever registered in Verizon, Tmobile, ATNT and Verifone.”
SBF levels of self-pwning right there. When, not if, they catch him, the Feds are going to hang this clown out to dry.
I'd rather see them hang out to dry the 15+ telecoms who gave away "the IMSI number to every single person that's ever registered in..." because doing so was cheaper than investing in security.
The only data you can't leak is the data you don't have.
Therefore some data should either not be stored at all or deleted after it served its purpose.
Probably hard for a telecom company to not keep IMSI -> account association somewhere
randomized IDs and linked lists, which correspond to entries in DBs elsewhere.
IMEI 123456789 has ID sjkadnasf8uywjerhsdu, and then in the hyper locked down Mongo instance used by billing knows that sjkadnasf8uywjerhsdu relates to John Smith, credit card number xxxx xxxx xxxx xxxx
make it so you have to crack all of em, instead of just nailing one and walking out w/ all the crown jewels
Yeah, in separate databases on separate systems. The network plane of a phone provider should only be able to access a database mapping IMSI -> account ID, and the billing/customer service department should only be able to access a database mapping account ID -> actual account data.
Unfortunately, anything involving phones is based on literally decades of stuff that was made in a time where every participant in the network was trusted by default, and bringing up the legacy compatibility stuff to modern standards is all but impossible.
Why not both?
Anthropic levels of getting seed funding from SBF and ending up a power unto themselves.
It is always really bad opsec that gets them. Always.
It's a good thing that independent cybercriminals like this are so arrogant that they make the most basic opsec mistakes and expose themselves.
I guess we'll soon find out how well the NSA normalizes its databases. Bring on that schema, folks.
Any insight based on histogram of the timing of this person's posts, particularly ones responding to a just slightly earlier post? (ie was clearly awake and not an artificially-delayed response).
Krebs knows about this timezone analysis technique, wonder if he didn't check this or it was inconclusive?
Is that effective for people who aren't literally being paid a salary to do this stuff 9-5? A lot of people who spend too much time on computers have totally out of wack sleep schedules that would look like they're operating from very different timezones.
You can also schedule your posts, commits, etc to go out at some fixed hours each day.
You can, but a lot of these pattern analyses work out because people get sloppy and overconfident over time, and don't use these measures even if their lives are on the line.
what a great article, I loved seeing the links that Krebs (?)/Unit 221B (?) dug up and all the info they managed to connect. It felt like I was reading a detective story. It sounds like this guy is doomed, the NSA application date alone basically identifies him
221B is 221B Baker Street, where Sherlock Holmes lived.
If you have enough data, i wonder how much of this digging can be automated these days with good LLM prompts. Doing it manually is very time-consuming.
The real work doesn't happen in the LLM.
Having worked with LLMs over the past year+ trying to get them to do useful things in various contexts, the real work is typically pretty boring data acquisition (e.g. scraping) + ETL and then making that data available to the LLM.
I think this whenever I read a modern detective novel (Bosch). So much of their work seems to be looking up data from different databases and trying to make connections or recognize patterns.
I assume the FBI or whomever has automated this to some degree already, and I really hope someone does a great writeup of how LLMs/agents can do even more.
Couldn't literally all of this just be a bunch of misdirection?
In theory, sure, in reality it's almost always much more benign and they have terrible Opsec over time that allows people to piece together their identity. Especially if they reuse usernames across services.
It's always crappy opsec that gets people otherwise very savvy.
Kinda like how the big mastermind criminals like Capone get away with murder and racketeering but get fucked on tax evasion.
Reading this guy's posts, his ego is the biggest issue, and it will be his downfall. The "I literally can't get caught" mentality inevitably leads to carelessness and blabbermouthing.
That’s a little different. It wasn’t that Capone couldn’t handle taxes, it was that until that point nobody used it as a serious mechanism to take town criminals. It was only validated as a good approach by the Supreme Court a few years before. In fact, one of the primary pieces of evidence of his tax evasion were from communications from his lawyer about how much tax to pay to make his tax history legit in light of the recent effectiveness of tax convictions.
Now major criminals launder money to avoid that.
I feel like leaving a bunch of misdirection would also risk potentially just leave real traces behind that in some ways.
At least in my mind leaving some false trails behind, when I run through scenarios, seems like it could leave actual trails / to the point of not being worth the extra risk.
Yeah. If you have a choice of giving an adversary no information or false information, no information seems safer. The choice of false information is information. Same way that people are terrible at picking random numbers and fraudsters are often caught because they avoid round numbers.
It would make sense if doing something illegal to do the former, but also leave "slip ups" that are complete red herrings, create trails to people that seem like opsec fails but are actually just framing others, etc.
All about plausible deniability. Layers and layers and layers of dead ends that seem real.
In this way, if you do actually slip up, it becomes near impossible to distinguish the real slip-ups with the orchestrated ones.
The problem is that false “slip ups” provide information. Sure, you waste investigator’s time, but once they rule out the false lead they have a bunch of information:
- if the false slip-up used only public information about, you likely don’t have access to confidential information about that space. If it used confidential information, you do.
- The geography and demographics of the false lead are probably not near-misses. The point of misdirection is to misdirect, so you likely won’t frame a coworker that will bring investigators to your own door.
- Any mistakes in the false slip-up, from spelling to factual to timing, may reveal info.
IMO this is a “too clever by half” scenario: leaving any trace at all is information. Leaving none is wiser.
Example: you’re a master hacker. You’re going to repeatedly access a compromised system. Is it better to set an alarm for 3am each time to suggest you’re in a different time zone, or to use a RNG to close an alarm time?
I say the RNG is better. Using 3am gives psychographics. Random isn’t clear if there’s any planning at all, or if you travel, etc.
Doesn't that just mean they won't ever to subject to prosecution by the International Criminal Court?
I don't get how such people could be as verbose as shown in this quite precise article. And I'm not even getting into the idea that he could be a US soldier ...
he's not. it's gear you can order online or get at any local surplus store. I'm not even in the US and a quick look shows it's trivial to get.
it's another layer of obfuscation. strippers telling you their name is April (but then whispering to you that their real name is Stefani)... but their real name is actually Angela, and it's just another deflection to keep off the stalkers.
same idea with IT OPSEC
You might be able to get a rough show size and height/weight range from that photo.
I wonder how unique those floor tile patterns are? If that's taken on a military base in Korea, it might be possible to find the exact location of the photo.
> Immediately after Kiberphant0m logged on to the Dstat channel, another user wrote “hi buttholio,” to which Kiberphant0m replied with an affirmative greeting “wsg,” or “what’s good.”
It's kind of unfortunate for him that he didn't do a better job of referencing Beavis and Butthead. If his username was "Cornholio" or even "Bungholio", it could read as someone directly referencing the show and potentially unrelated to the other account, making his deniability a bit more plausible.
A true opsec troll is saving those references for the final standoff, for when they start really threatening him.
yeah that's 3 or 4 layers in. until then convince them you're Iranian and Chinese first
Being a high-stakes criminal is too difficult. One slip-up and you're compromised. There's a million opportunities for slip ups and there's a million opportunities for investigators to get lucky.
True, but you only hear about the ones who slipped up. I wonder what is the actual proportion of criminals being caught due to poor opsec.
There's a line at the beginning of Ocean's 11 to the effect of "the house always wins in the long run... unless you bet it all on a great hand, win, and then walk away."
To turn it around: what percentage of people are capable of perfect opsec forever?
For internet crimes? Almost none in perpetuity. I’d think you’d need to go off the grid totally for a few years and come back without any reference to a prior life. For physical crime, my gut says quite a few people have avoided identification for decades until they were essentially caught by turning themselves in. Ted Kaczynski comes to mind, but there must be a few others.
Perfect OPSEC to me, means near total isolation from socialization. Not something most people are capable of.
If you’re a professional criminal of any kind you weigh the risks knowing that perfection is impossible. The government is a business with a monopoly on violence. The goal is to keep their ROI for catching you as low as possible. Every single man hour spent finding you is costing money and there’s a man upstairs who wants to see some results that reflect the money spent.
Once you understand that premise, it’s easy to understand the why and how criminals are caught. The ones who are caught are always the ones who don’t know when to fold. Always the ones not to cash in and retire.
The ones who get away with it, they fold they retire and society forgets about them and the ROI drops precipitously on catching them. Research statistics on cold cases.
>‘BUTTHOLIO’
These guys always seem to have the most stereotypical or corny hacker handles. Is that expected / desirable in that community?
Give them a break. They need tp.
Why would they need tp?
ಠ_ಠ
edit: okay fine I'll bite -- because of chicken piccata
The bungholio name is a reference to the bevis and butthead name where they’d say, “I am cornholio, I need TP for my bunghole”. You really had to be there.
https://m.youtube.com/watch?v=LHv2dIM3t9I
corny
I see what you did there.
The real question is: who calls their company "Snowflake"? It's just crying to get stomped on.
Snowflake is a type of multidimensional schema. It's a normalized star schema. Both named for the appearance of their entity relationship diagrams.
Snowflake did the biggest epic fail of the ZIRP era. They bought streamlit (a python GUI front end for ML demos) for 800 MILLION dollars.
https://techcrunch.com/2022/03/02/snowflake-acquires-streaml...
Huggingface bought its biggest competitor, Gradio (still used more than Streamlit) for an "undisclosed" amount of money a year or so before hand. I'd wager HF paid on the orders of 1-5 million.
I doubt Gradio is used more than streamlit. And so does Google [1]
I know that's not exact, but if more people used Gradio, you'd expect at least a somewhat similar number of people searching for it online. Gradio is not even in the same ballpark as Streamlit here.
[1] https://trends.google.com/trends/explore?date=now%201-d&q=%2...
I don't know what to say except that the overwhelming majority of HF spaces are made as Gradio demos and that gradio's whole design makes it far easier to do async things unrelated to reloading the webpage - which is a huge thing for ML/AI demos.
I don't claim you're wrong, but I claim that gradio is far more effectively profitable to know than streamlit is - i.e. Gradio demos are used far more for a top AI paper demo (i.e. NeurIPS system demos) than Streamlit is.
That is amazing! What a coup. I thought streamlit was pretty cool, but surely it wasn't $800m cool.
Salesforce purchased Mulesoft for $6.5 billion. Mulesoft was so successful they decided to buy a different ETL tool Informatica. But the deal fell through. Mulesoft has about 1500 clients vs 9500 clients for Informatica.
Comparing a disclosed sale price to an unknown theoretical sale price is a bit unfair though. Maybe it was 801 million.
No way, HF didn't have anywhere near that kind of money when they acquired Gradio. I think they did it back in 2020 or 2019. I know for a fact it was a tiny sum.
I believe the hacker known as 4chan once explained they choose their handles “for the lulz”
Legion of Doom / Masters of Deception would like a word.
Phiber Optik just doesn't have the same haha you said peepee vibe.
I do think it’s funny how that might be a character revealing moment, suggesting the hacker is Gen X or at least elder millennial age.
I did toy with the idea of trying do analysis of HN aliases and keywords. It never went anywhere, because I forgot about it, but a longer weekend is coming:D But yeah, language betrays, who we are in references alone.
There's no way you could determine how old a person is or what technologies they enjoyed way back in college solely from a username.
Are you just trying to goad them into showing they can? :D
-gopher- space made the comment you are replying to.
Have fun analyzing the alias I pulled from /dev/urandom!
Knows of the existence of /dev/urandom, must be old! ;)
Yes
Seems like the guy has been fucking around for a while. No wonder none of our allies want to share intelligence or plans with us. The US Military is a liability when it comes to keeping shit secret, they leak like a sieve. They need to get a handle on this shit, who knows what this guy has given to the Russians or Chinese.
"pay-to-play"
Jesus. Let’s tick another box on our late capitalism bingo card: our soldiers are so desperate for cash and so cynical around institutions that they’ve started doing mercenary crime.
I can’t be the only person who has read of such situations throughout history.
What does this have to do with late capitalism? This has happened all throughout history and you just said you read about it yourself
The root of all failure at the level of the society is the fungibility of inherited wealth into political power, which rapidly gets deployed to impoverish everyone else including soldiers, and on its way it tramples institutions once revered.
they could have just had an alcoholic parent.
I’m a pretty easy going guy in general but others might take offense.
They already arrested them right?
No they arrested two others.
This Krebs guy is a doxxer through and through, I wouldn't take anything that he writes down as being serious. If he thinks he knows something and he has palpable proof for it then he should contact the relevant authorities.
> This Krebs guy is a doxxer through and through, I wouldn't take anything that he writes down as being serious.
Can you explain your definition of "doxxing" and why you believe that means nothing he writes is serious?
> Can you explain your definition of "doxxing"
Revealing people names and addresses and implying that they have done something illegal, while the person doing that (this Krebs guy) does not represent the Law/the relevant authorities. See the Boston bombings debacle on this very website.
> why you believe that means nothing he writes is serious?
See the Boston bombings debacle on this very website.
> See the Boston bombings debacle on this very website.
I'm familiar. I don't see the relevance considering that the linked article does not reveal anyone's names or addresses.
He did that in the past.
My two cents:
- The "hacker" (I'm reluctant to use this term" seems to be too high profile for some reasons;
- We should discard Telegram
What does "discarding" Telegram mean?
We should not use Telegram -- sort of. I wonder whether Signal is better.
Not sure Signal would have made a difference for this criminal. All the data on them I saw in the article was likely captured by someone in the channel / group message.
It’s just plain poor opsec, but I kind of expect that from someone with poor enough judgement to be a criminal.
>We should not use Telegram
But why? There is no better platform for private and small chats.
Telegram is not E2E encrypted by default, and even if it changed, I wouldn't trust them. It's not private.
Signal is absolutely better. Telegram is e2ee in name only
Not recommending Telegram, but personally, I suspect that signal is compromised. They've been permanently storing sensitive user data in the cloud for a long time time (https://community.signalusers.org/t/proper-secure-value-secu...) but the very first sentence of their Terms and Privacy page still claims "Signal is designed to never collect or store any sensitive information." and they've been asked multiple times but refuse to update their privacy policy. I suspect that lie is being kept there as a giant dead canary.
Making the change to start keeping exactly the data that the government has been asking them to turn over isn't a very good look. "Securing" user's data with something as week as a PIN isn't great either. https://www.vice.com/en/article/pkyzek/signal-new-pin-featur... Note that the "solution" of disabling pins mentioned at the end of the article was later shown to not prevent the collection and storage of sensitive user data. It was just giving users a false sense of security. To this day there is no way to opt out of the data collection.