158: The man behind The Missing Cryptoqueen

We're joined by special guest Jamie Bartlett, of the chart-topping "The Missing Cryptoqueen" podcast, in this bumper episode where we discuss his investigation into the OneCoin cryptocurrency scam, the Russian cybercriminals behind Evil Corp, and the mysterious leaks about the NHS that have turned oh-so-political...

All this and much much more can be found in the latest edition of the "Smashing Security" podcast, hosted by computer security veterans Graham Cluley and Carole Theriault.

Visit https://www.smashingsecurity.com/158 to check out this episode’s show notes and episode links.

Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Special Guest: Jamie Bartlett.

Sponsored By:

Support Smashing Security

Links:

Russian hacking group "Evil Corp" accused of targeting American businesses — CBS News, YouTube.
Evil Corp donuts — YouTube.
International law enforcement operation exposes the world’s most harmful cyber crime group — National Crime Agency.
Treasury Sanctions Evil Corp, the Russia-Based Cybercriminal Group Behind Dridex Malware — U.S. Department of the Treasury.
UK Government Releases Photos of Russian Hackers, Whose Lives Look Awesome — Motherboard.
Hackers with high-placed daddies ‘Evil Corp’ member designated by U.S. Treasury is son of former Russian mayor — Meduza.
The Missing Cryptoqueen — BBC Sounds.
Jeremy Corbyn reveals dossier 'proving NHS up for sale' — The Guardian.
Reddit links UK-US trade talk leak to Russian influence campaign — TechCrunch.
Corbyn v Johnson: BBC election debate round-up — YouTube.
Stammer Time! — Cassetteboy on Twitter.
The Inside Story of Labour's 'NHS For Sale' Leak — Motherboard.
More proof NHS is up for sale as Amazon exploits NHS for free — TruePublica.
Tweet by Rik Ferguson about his fragrant armpits — Twitter.
nuud.
Accused of Killing a Gambino Mob Boss, He’s Presenting a Novel Defense — The New York Times.
Graham and Carole appear on the BeerConOne Stream — Twitch. Graham & Carole show up at about 1 hour 48 minutes into the show.
The Beer Farmers raise funds for the Electronic Frontier Foundation and Mental Health Hackersy The Beer Farmers : BeerConOne. — GoFundMe.
The Radio Adventures Of Dr. Floyd.
Smashing Security merchandise (t-shirts, mugs, stickers and stuff)

Privacy & Opt-Out: https://redcircle.com/privacy

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.

JAMIE BARTLETT. In a way, we could say that all of us do that. You can go onto LinkedIn and you'll see everyone exaggerating their achievements, using, you know, speak— getting invited to a— I'm not saying you two.

GRAHAM CLULEY. Oh, I do.

CAROLE THERIAULT. It's a point of contention.

ROBOT. Smashing Security, episode 158: The Man Behind the Missing Crypto Queen with Carole Theriault. Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 158. My name's Graham Cluley.

CAROLE THERIAULT. And I'm Carole Theriault.

GRAHAM CLULEY. And this week, Carole, we are joined by, oh, a god of the podcast, a very popular podcast host. It is the star of The Missing Crypto Queen. It's Jamie Bartlett. Hello, Jamie.

JAMIE BARTLETT. Hello. I mean, I'm not really the star. I'd say, um, Ruja Ignatova is the actual star. I'm just the presenter.

CAROLE THERIAULT. No, you're kind of the star.

GRAHAM CLULEY. You're not the crypto queen. We should explain that. It's not you, right? She hasn't gone that deep undercover and got the—

CAROLE THERIAULT. Great Halloween costume for you there.

JAMIE BARTLETT. You know, you say that. I know I will finally accept this is a successful podcast if next Halloween someone goes dressed as the missing crypto queen, Dr. Ruja. That's my mark of success.

CAROLE THERIAULT. An excuse to buy a very expensive dress.

JAMIE BARTLETT. All right. I can give you some advice.

GRAHAM CLULEY. We'll talk a little bit more about the missing crypto queen later in this show, but during the course of it, you do raise this possibility that maybe she's had plastic surgery and changed her appearance. To avoid detection.

CAROLE THERIAULT. Oh, Graham, can we not tell everyone everything?

GRAHAM CLULEY. Oh, okay. All right. Shall we just get on with the show?

JAMIE BARTLETT. Yeah.

GRAHAM CLULEY. Carole, what's coming up on the show this week?

CAROLE THERIAULT. Thanks to this week's sponsors, LastPass. Its support helps us give you this show for free. Now, Graham is looking at the loot that a few cybercriminals walk around with, just in case you thought crime didn't pay. Jamie's going to give us some great insight into the missing crypto queen and making it and all the background information. And I'm going to get a little political on this show, just a smattering of digital snafu. All this and loads more coming up on this episode of Smashing Security.

GRAHAM CLULEY. Now, chums, chums, Jamie, I don't know you too well. Do you drive a car, Jamie?

JAMIE BARTLETT. I've got a car. Sorry, I've got a license, but I don't have a car though.

GRAHAM CLULEY. Well, that's halfway there, isn't it?

JAMIE BARTLETT. Yeah, I think so. More than halfway.

GRAHAM CLULEY. If you did have a car, are you the sort of person who would decorate it with pictures of skulls and knuckle dusters and all kinds of evil stuff like that?

JAMIE BARTLETT. I'd probably consider it, yeah.

CAROLE THERIAULT. I know, I'm thinking, I'm thinking I've got an old car and, you know, why not let its last few years of life be cool?

GRAHAM CLULEY. Well, Carole, would you cover yours with sort of camouflage to try and maybe, you know, fit into—

CAROLE THERIAULT. Oxford camouflage? Would I have pictures of students everywhere?

GRAHAM CLULEY. Bicycles? Something like that?

CAROLE THERIAULT. Well, some Oxford spires?

GRAHAM CLULEY. You know, some people would. And the kind of people who would are the two Russian nationals who've just had charges filed against them by the US authorities, because they're alleged to have run a global cybercrime organisation called Evil Corp.

CAROLE THERIAULT. So sorry, do you know if they're registered under that name?

GRAHAM CLULEY. I don't know what the rules of running a Russian business are.

CAROLE THERIAULT. You should do more research on these stories, Graham.

GRAHAM CLULEY. Well, Carole, I suspect they're not paying tax, OK? So they probably haven't bothered to also register their business.

JAMIE BARTLETT. Wasn't that Dr. Evil from Austin Powers? Didn't he run like Evil Corp?

GRAHAM CLULEY. Well, yes, I was— it an Evil Corp? It was certainly was an organization in Mr. Robot, because if you remember Elliot, the hero of Mr. Robot, he attempts to destroy the largest conglomerate in the world called E-Corp, which he has renamed to Evil Corp. But this particular— this Russian Evil Corp run by these two guys is said to be responsible for some of the worst computer hacking and bank fraud schemes of the past decade, said to have stolen $100 million through spamming out email attachments, which then helped them break into bank accounts and steal large amounts of cash.

CAROLE THERIAULT. Okay, no offense, Graham, but that's like chump change compared to Crypto Queen.

GRAHAM CLULEY. Well, we'll be coming on to the Crypto Queen later. Is everything going to be trumped by the crypto? Should we just fast forward to Jamie's segment of the show and talk about the Crypto Queen?

CAROLE THERIAULT. Let's go.

GRAHAM CLULEY. Now look, the National Crime Agency, the NCA here in the UK, Smashing Security have described Evil Corp as the world's most harmful cybercrime group and the most significant cybercrime threat to the whole UK. I mean, that's pretty strong stuff, isn't it?

CAROLE THERIAULT. That they know about.

GRAHAM CLULEY. Well, that they know. I mean, they also know about other threats to the UK on the cybers, like Piers Morgan, for instance. He'd be pretty dangerous and a significant threat, I think. But no, they're saying these guys are the most significant cybercrime threat. Who are out there.

JAMIE BARTLETT. I'm amazed at that, $100 million, and they say that's the most significant cybercrime threat.

GRAHAM CLULEY. Well, at least $100 million, but these guys have been operating for 10 years. They've got quite a large infrastructure, as we will hear, and the US authorities have just placed a $5 million bounty on the head of their leader, a guy who goes by the code name of Aqua. His real name is Maxim Yakubets.

CAROLE THERIAULT. Well, because he can just get out of any situation just like water.

GRAHAM CLULEY. Maybe. Wow.

CAROLE THERIAULT. Like it.

JAMIE BARTLETT. Like it.

CAROLE THERIAULT. I love these guys. Evil Corp. Aquaman.

GRAHAM CLULEY. He is a 32-year-old living in Moscow. He's been thought to have been running this for the last 10 years. The cops have been investigating him for the last 5 years. And according to law enforcement, he has employed scores of people to run his operation from the basements of smoky Moscow cafes. Why are you thinking of applying for the job, Carole?

CAROLE THERIAULT. You know, I don't know. He's obviously very successful at what he does.

GRAHAM CLULEY. It's interesting how quickly you turn.

CAROLE THERIAULT. Well, I'm just looking into it. I'm keeping an open mind. Isn't that what we're supposed to do?

GRAHAM CLULEY. I mean, here we are, 3 impoverished podcasters, and we're talking about these Russians.

CAROLE THERIAULT. I don't think I would say I'm impoverished. Would you say you're impoverished?

GRAHAM CLULEY. Well, you know, I mean, maybe not impoverished, no.

JAMIE BARTLETT. Okay. But you're starting to feel it, aren't you? Now that you've heard that $100 million is being made, suddenly you do feel a little bit poor.

GRAHAM CLULEY. You do. I mean, there's a guy in his early 30s, here I am, 50, you know.

JAMIE BARTLETT. A failure. What have you achieved compared to this guy?

GRAHAM CLULEY. Yeah, what have I managed to do? He's got himself a pseudonym, he's got himself a Lamborghini, it's covered in camouflage. He's got another one which is covered in pictures of skulls and knuckle dusters. He's got scores of people working for him from smoky Moscow cafes. He's defrauded and stolen money from bank accounts of members of the public and businesses using the Dridex malware.

CAROLE THERIAULT. So you're contemplating going to the dark side?

GRAHAM CLULEY. Well, I don't know, Carole. Do you think I should? I mean, do you think now we've been doing this show—

CAROLE THERIAULT. I don't think you'd be very successful at it, actually. I think you could try. I'm not endorsing it, but, you know.

GRAHAM CLULEY. Well, he's been operating for 10 years, and 8 people in the network have already been sentenced. The money launderers, the network of money launderers, because once the money's stolen, the money is moved into accounts and ultimately comes back to Evil Corp. Over 40 years in prison those guys have been sentenced to. And—

CAROLE THERIAULT. So they're in prison in Moscow?

GRAHAM CLULEY. Oh, no, no, no, Kyrill. That's not quite how it works.

CAROLE THERIAULT. That's what I thought. I just wanted to be clear.

GRAHAM CLULEY. Because yes, these chaps are known about, have been known about for some years, and they are operating fairly openly in Russia. In fact, if you click on some of the links in the show notes, we've got, for instance, a link to a YouTube video of them burning rubber in their sports cars, doing donuts in the main streets of Moscow, holding up traffic.

CAROLE THERIAULT. Oh, is that where all the hot men are?

GRAHAM CLULEY. So, so they've got all these supercars with personalised number plate, translates to the word thief. They spent over a quarter of a million pounds on their wedding. This guy Yakubets, it looks like something from the Eurovision Song Contest. There are lasers everywhere and chandeliers and fancy lighting. You know, it's— these guys are living very ostentatiously.

CAROLE THERIAULT. And living the dream as far as you're concerned, right? Because you feel impoverished.

GRAHAM CLULEY. I don't know if I really want to go and do a doughnut.

CAROLE THERIAULT. Do you want a laser? Do you want to go do a doughnut?

GRAHAM CLULEY. No. And the laser stuff is a bit more Dr. Evil, isn't it, I think, than evil core.

JAMIE BARTLETT. But do you even know how to do a doughnut? Donut in a car?

GRAHAM CLULEY. I wouldn't know how to do it. I don't even know how to reverse park, let's be honest. So I mean, the chance of me doing a donut are fairly remote. What about you, Jamie? Can you donut?

JAMIE BARTLETT. Well, no, maybe— I think I know in theory how you do it, but I've always looked on admiringly at the people that can. But no, never had the courage to try it. But the thing is about this is, looking at this story makes me think immediately, with all of these cybercrime cases, When you see how much money you can make and you get to be able to have Eurovision weddings and donut-themed cars in car parks, you think to yourself, well, why would you work for the local authority on cybersecurity?

CAROLE THERIAULT. Maybe they give you a free croissant in the morning.

GRAHAM CLULEY. A donut, surely, Carole, not a croissant.

JAMIE BARTLETT. Or a donut, yeah.

GRAHAM CLULEY. Well, these guys were fairly jammy, you know, because you may say, why would they work for the local authorities helping them secure their defenses? Well, Yakubets also had a sideline because he was also giving direct assistance, according to the US authorities, to the Russian government's malicious cyber efforts.

JAMIE BARTLETT. What a surprise.

GRAHAM CLULEY. Yes, what a surprise indeed. And of course, this is probably what's been protecting him from having his collar felt because they thought, well, you know what you're doing, you could be rather handy because we've got a little bit of hacking we'd like to do ourselves.

CAROLE THERIAULT. Okay, so these guys are still operating now.

GRAHAM CLULEY. Yeah.

CAROLE THERIAULT. And everything is just tickety-boo and the US is saying these dudes are bad and the NCAA are saying these dudes are bad and we've got a bounty on their heads and, but they're out there having a great time and you're thinking of joining them because you want to be the next Charles.

GRAHAM CLULEY. Well, no, no, steady on, steady on. I don't want them coming around and making me an offer I can't refuse. So that wouldn't be good, right? But certainly what's happening is that the US has said, There's $5 million if you help us catch these guys. It's going to be more difficult for these guys to operate internationally. They're clearly going to have to probably stay in Russia rather than go on holidays to the Algarve, or they once toddled off to Dubai, for instance, on a bit of a beano. They're not going to be able to do that so easily. So in some ways their wings have been clipped, but I think it's going to be hard for the Americans to actually get their hands on them and extradite them, isn't it?

CAROLE THERIAULT. Uh, yeah, it's kind of interesting how much money they might be putting into it. I guess what they wanna do is warn their people and say, hey, look, watch out for these things. But I'm not hearing any of that, right? Like, well, how are they getting us with email phishing attacks?

GRAHAM CLULEY. Yeah. So they have a very sophisticated piece of malware called Dridex.

JAMIE BARTLETT. Mm-hmm.

GRAHAM CLULEY. And that is spammed out via email attachment and then it puts up fake dialogues. It might steal your passwords for your online bank accounts. And they've been evolving Dridex. I think we've actually spoken about it in a past episode of Smashing Security. They've been evolving it in different ways in order to fool people, in order to get past the antivirus defenses that many people have in place.

CAROLE THERIAULT. But imagine I wasn't actually interested in cybersecurity at all.

GRAHAM CLULEY. Yeah.

CAROLE THERIAULT. How would I stop this from coming onto my computer?

GRAHAM CLULEY. Best way is to keep yourself patched, run an up-to-date antivirus, and hope that it really is up to date. Even that's not gonna be a 100% security against it. You can also, of course, uh, have two-factor authentication in place and, uh, for things like your bank accounts, keep an eye open for suspicious transactions.

CAROLE THERIAULT. It's like you've said all this before.

GRAHAM CLULEY. Well, yeah, I mean, it is common advice, right?

CAROLE THERIAULT. Okay, I just thought it'd be good to share, you know.

GRAHAM CLULEY. Yeah, but I don't think the authorities are simply interested in warning people about this. I think they want to try and curb these activities. And these are two youngsters, I mean, I say youngsters, they're like early 30s at best, but they have been bragging rather a lot over the years on social media, posting up pictures of their high-speed car chases. They've also posted up videos of them sort of falling off hoverboards, or at one point they appear to be cavorting with baby lion cubs on their oriental carpets.

CAROLE THERIAULT. They live in a country whose leader has had pictures of himself bare-chested in the woods.

GRAHAM CLULEY. Oh, Crow, I don't know if you've ever seen my wedding photos, but they're quite similar to that. To be honest.

JAMIE BARTLETT. In the 1990s, the UK government was thought to have a sort of policy towards radical Islamists, which was basically, you can live in London, do what you want overseas, but just don't attack us. And as long as you leave us alone, we'll leave you alone. And it's felt like for quite a few years that in Russia, it's been the same. You carry on with your cyber attacks on these other countries we don't much like, we will leave you alone, we'll leave you to it. But don't turn against us. If you do, then you're going to be in trouble. And it's a perfect situation, isn't it, for the Kremlin? Because they have this distance from them. And I wonder whether— I mean, the US probably knows they're never going to extradite them, they're never going to arrest them, but it's all about a sort of power play. You're just publicizing the fact that there are these malicious actors in Russia that are being allowed to operate openly and freely. Because I think that that's really becoming one of the sort of diplomatic tools that people are leaning on each other, accusing each other of various types of corporate espionage and stuff. Yeah. So it's probably just an announcement to just lean on Russia a bit more.

CAROLE THERIAULT. Think about it the other way though, right? Imagine someone living in the UK or the US hacking into some poor Russians who are, you know, falling for some scam.

JAMIE BARTLETT. Yeah, I'm wondering whether our governments are ever a little bit lax if it was the other way around. You know, we're just going to target Russian businesses, and whether our government says, okay, um, you know, we're going to look the way. And we don't— I have no idea. I have no idea. Be interesting.

CAROLE THERIAULT. Maybe in next podcast.

GRAHAM CLULEY. Well, one of the, uh, members of Evil Corp is believed to be the son of a former mayor of one of the big cities over in Russia. So there certainly were links to politicians.

CAROLE THERIAULT. Yep. Networking kids.

GRAHAM CLULEY. Good to have connections. So, uh, and of course, countries all around the world are hacking each other. There's a lot of this going on, but it's good. It really is good. And I think this is encouraging to see the US authorities really taking a hard line finally. Against Russian hacking.

CAROLE THERIAULT. I thought you were going to say, I think it's really good that he finally got a really cool car.

GRAHAM CLULEY. No, it's a gross car. Forget the cybercrimes. This is sort of crimes against fashion and good taste. When you see the pictures of these cars—

CAROLE THERIAULT. Why do you never ask me for a lift when I get mine out?

GRAHAM CLULEY. Well, I don't think yours is— Have you still got that red leather chrome and the dice hanging up as well?

CAROLE THERIAULT. Fake leather, actually.

GRAHAM CLULEY. Leatherette. Well, Jamie, I think it's time for us to move over to you. And find out something about the missing crypto queen.

JAMIE BARTLETT. What do you want to know?

CAROLE THERIAULT. Okay, so first thing, let's assume that not all our listeners took our advice to go and listen to it. But a lot of them I'm sure did, but give a little vignette on basically the whole story.

JAMIE BARTLETT. Yeah, yeah, yeah. So basically what happened was 2014, a woman turns up out of nowhere, Bulgarian-German businesswoman. She's 34 years old. It's called Ruja Ignatova. And she says to the world, You've all heard about bitcoin. Maybe you think you've missed the boat on bitcoin, but don't worry, I've got a new one. I've got the next bitcoin. It's going to be bigger, it's going to be better, it's safer, it's simpler. The bitcoin people are too technical anyway, they're arrogant. This is going to be bitcoin for the masses that you can really use in the local shops, and it's called OneCoin. I've invented it, and would you like to invest? And if you invest now, just like with bitcoin, you're getting in at the very beginning, price is going to shoot up and you can make a fortune.

CAROLE THERIAULT. Wasn't this at a time when there were loads of new coins coming up? Like there were tons of different coins. I mean, every day I'd be looking online going, oh, there's another one.

JAMIE BARTLETT. But I think the real golden age was actually 2016 when there were ICOs every other weekend and people are pouring money into these initial coin offerings. But yeah, you're right, 2014, I think that was when Ethereum first arrived. So there were these new coins arriving and there was this sort of a sense that bitcoin was just the start and there were others coming and hers was one of them. And so she says all this and very, very quickly this spread so fast. So by March 2017, over €4 billion has been poured into this cryptocurrency. Two-factor.

CAROLE THERIAULT. That's money, okay? That's money. €4 billion, okay? Not €100 million, measly million.

JAMIE BARTLETT. $100 million was poured in just from the UK. $100 million. So we're talking about colossal amounts of money.

GRAHAM CLULEY. And all these investors, all these people thought they were going to make a fortune themselves.

JAMIE BARTLETT. Yeah, they thought that they were going to get 10x, 20x, 30x, 100x on their investment because they were buying these coins at practically nothing. And Ruja was saying within a couple of years they'll be worth $100 each and who knows what beyond that. People were amassing these coins, 175 countries, I estimate around a million or so people invested. And then in October 2017, she disappears. She has not been seen since.

CAROLE THERIAULT. So she disappears, like she just, she just, she just poofs, right? She's out. She's gone.

JAMIE BARTLETT. More or less, yeah, yeah. She takes a flight from Sofia, Bulgaria, which is where her head office is and where she lives, to Athens, Greece, and is never seen again.

CAROLE THERIAULT. She's the CEO and founder of the coin.

JAMIE BARTLETT. The visionary, the messiah, the nexatoshi. I mean everything. She is the genius behind this coin who everyone worshipped. She vanishes off the face of the earth and then of course the podcast is trying to find her but also to uncover the fact that this is a colossal pyramid scam and trying to work out how she's managed to pull it off.

GRAHAM CLULEY. Because that's the thing, I mean it wouldn't really matter if she had disappeared if those people who'd invested would be able to cash out their coins.

JAMIE BARTLETT. Like Satoshi Nakamoto, right? Who never appeared.

GRAHAM CLULEY. And you know, that would have been great, but my understanding, as I remember listening to the podcast, there was no way to get your money out. The promise was that this was going to happen. There was promise, oh, it's a blockchain, it's all been recorded properly. But all people really got was a website where the current price of the OneCoin was increasing all the time, so they thought their investment was increasing?

JAMIE BARTLETT. Yeah, exactly. So the idea was you buy your coins, you get your coins into your account, you open a web— you open an account on the OneCoin website, and then when you send the money, you get the coins into your account. So you can open it up, look and see, oh, I've now got 100 OneCoin, I've got 1,000 OneCoin. And the price kept updating, and the price kept going up and up and up and up every month. Wow. And The promise was very soon you will be able to exchange your coins back for real money again at the price, at the price on the website. But there were no, there was no blockchain behind any of this. It was just a number on a screen. There was nothing behind it. It was probably an SQL database in an office in Sofia and someone was just changing the price. So everyone thought they were sitting on, some people thought they had millions of dollars worth of OneCoin. And they had nothing at all. And to be honest, this is called a crypto scam and everyone called it a crypto scam. And we called it, you know, the missing crypto queen, because she called herself the crypto queen, but really it's actually just an old-fashioned pyramid scam. But you're using a fake cryptocurrency as the product. I mean, did you, was your mom ever like an Avon lady or a Tupperware? Because my mom used to sell Avon products. Do you remember that stuff you had? You get your friends around. Avon is makeup.

GRAHAM CLULEY. Yeah, there's Avon, there's Amway, there's lots of these multi-level marketing schemes, aren't there? Where there seems to be so much pressure to recruit more people to go underneath you rather than actually, you know, the product selling because it's a good product.

JAMIE BARTLETT. So that's the kind of the definition difference is that if you've got a product to sell and it's this kind of real physical thing and you can make your money that way, That's legal. There's nothing illegal about it. And yes, it's a controversial way of selling because of the pressure that you're under to sell to your friends and family, but it's not illegal. And so Avon and Amway, they're legal companies, but if you've got no product, but you're selling in this kind of, you sell to your friends and then they sell to their friends and you build a pyramid beneath you, and the bigger the pyramid gets, the more profit you make, 'cause you get these commissions all the time, then that becomes an illegal pyramid scheme. Scam, and that's really what OneCoin was. It was an old-fashioned pyramid scam, but using all the hype of cryptocurrencies and especially bitcoin to make people think they were buying something that was not only useful bit of makeup or Tupperware, but a cryptocurrency that's going to keep going up in value. I mean, what could be more perfect? You don't have to have your garage full of Tupperware.

CAROLE THERIAULT. When I was listening though, I was kind of thinking, why Why are people actually buying into this when she's saying 100x? Do you think, because you've talked to so many of them, did you feel it made reasonable sense when you heard their reasons to believe, or did you think they drank the crypto Kool-Aid and were just in love with her?

JAMIE BARTLETT. There's a bit of that, but think about it this way as well. What returns were people making on bitcoin?

CAROLE THERIAULT. Yeah.

JAMIE BARTLETT. So when she turns up and says you're going to make 100% because you're 1,000% or whatever, they look at bitcoin and they hear the story about someone who spent 10,000 bitcoin on a pizza or whatever it was. And whatever that, you know, those stories— I, I invested, uh, $5 in bitcoin in 2010 and now I'm a millionaire.

CAROLE THERIAULT. So, or there's the guy who invested loads on a computer, threw the computer in a Welsh dump somewhere, realized he'd become a gazillionaire, and then tried to pay the council to find his house.

JAMIE BARTLETT. Exactly. So these insane returns don't seem that insane because they've happened. And so, but she was also very, very credible. I mean, they weren't targeting bitcoin specialists. They weren't targeting the blockchain experts. They were targeting ordinary people who maybe had read an article in the newspaper about these bitcoin millionaires and thought, ooh.

CAROLE THERIAULT. I have a very big question here that occurred to me while I was listening to the podcast repeatedly. How was it possible, do you think, that magazines like The Economist and others of, with such a huge repute would not have done due diligence to actually find out if she actually was worth all that. She did have a PhD. I remember you doing the research on that. Was it really that much of a smokescreen? Or did people fail in doing any digging, do you think?

JAMIE BARTLETT. Oh, that's a good question and a tough one to answer, because there were slightly different things she did. But she was very, very good at sounding extremely believable to people. And she'd take little clips little bits of media coverage she'd had and packaged them all up, taking advantage maybe of some people's laziness to present such a believable image that she was the next Steve Jobs. I mean, she appeared on what looked like the COVID of Forbes magazine. Go online and there's a picture of her on Forbes magazine, front cover, like this amazing— Zuckerberg's on there and Jobs is on there and Buffett and all that, and then there she is and you think, wow. Now, Actually, what that was was a paid advertisement in a local Forbes Bulgarian franchise.

CAROLE THERIAULT. Revolting!

JAMIE BARTLETT. Which—

GRAHAM CLULEY. Come on, Carole, we've all done that.

JAMIE BARTLETT. Which in Bulgarian said paid advertisement in— But no one— I mean, who reads Bulgarian apart from Bulgarians?

CAROLE THERIAULT. Are you kidding me?

JAMIE BARTLETT. So she took that and she sent that all around the world. I met people in Uganda that had invested their life savings into this because they saw her on what they thought was the front cover of Forbes magazine. Now the question, I suppose, then is, well, why does a local Bulgarian franchise of Forbes magazine— why do they do adverts that look identical to the front cover? But that's it. I don't know. I can't answer that. But then The Economist— yes, she spoke at an Economist event in Bulgaria.

CAROLE THERIAULT. Oh, again in Bulgaria. You see, even in my research subsequently after listening to the podcast, right, I did not notice those. I basically probably did an image search on her and then saw all the covers.

JAMIE BARTLETT. Yeah.

CAROLE THERIAULT. And didn't question them.

JAMIE BARTLETT. The thing is, she appears there. Yeah, exactly. She appears there. And I think you think to yourself, well, I'm sure they would have checked. And I think everyone's thinking everyone else is checking. But from The Economist perspective, what they would probably say is, look, This was a legal company. It was operating in Bulgaria. She won the Bulgarian Businesswoman of the Year Award in 2014. I mean, who organized that? I don't know. How legitimate was that? I don't know. But you look at that and you think, okay, that seems fine to me, then we'll have her as a speaker. And so what she did was every time someone didn't quite do the due diligence they might have done or relied on someone else's research, She'd build that into her profile, and that would mean the next people who should check would say, oh, The Economist checked, so that's fine. So when Thom Jones sang at her birthday party in 2016— Yes, he probably— his advisor— Cryptocurrency— No, no, no, that's Neil Diamond. That's Neil Diamond, yes.

GRAHAM CLULEY. We're talking about the green, green grass of Bulgaria is the one we should be doing.

JAMIE BARTLETT. So she's got the wrong guy. So yeah, just like you. Thom Jones' advisor probably looked and said, well, she's been on the COVID of Forbes and she's the economist.

GRAHAM CLULEY. Come on, if you're the manager for Thom Jones, you're not even going to do that. You're just going to say, someone's come along with a whole load of cash, Thom. You don't have to wash your hair.

CAROLE THERIAULT. Get yourself to Bucharest.

JAMIE BARTLETT. They're a legal company. They exist. They function legally in Bulgaria. So what's the problem? Exactly. That, I think, that's a real thing of our age. In a way, we could say that all of us do that. You can go onto LinkedIn and you'll see everyone exaggerating their achievements, using, you know, speak, getting invited to a— I'm not saying you two.

GRAHAM CLULEY. Oh, I do. Yeah. But everyone does it.

JAMIE BARTLETT. It's a point of contention. Everyone does it, don't they? And you do a little talk somewhere, you get invited to do a talk and the people organizing it are busy. Or maybe you get invited to come on a podcast or go on the TV and every— the producers are busy and stressed and then you clip that up and then you show that to everyone and then they get you on next time because you've been on this program and you build up like that. Are you a fraud, Jamie?

CAROLE THERIAULT. Just gonna check. Is this really Jamie? Yeah, exactly.

GRAHAM CLULEY. I mean, we've been joking about this, but it's really so sad hearing some of the stories of people. There's a woman who you spoke to who was a fervent believer in OneCoin And you actually play a recording of someone who was a skeptic arguing with her for ages. And she's now turned around and she's now like formed this support group for people who've lost money. But it's—

CAROLE THERIAULT. That was delicious audio, that segment. It's almost— I mean, beautiful.

GRAHAM CLULEY. I had a friend who joined a religious cult and listening to some of the episodes of The Missing Cryptocurrency really reminded me of that cult-like fervor of there's nothing which Dr. Ruja can have done wrong, and for you to question her means that you're, you know, we have to close you off, we can't speak to you because you're just spreading lies, just like the BBC are spreading lies about OneCoin.

JAMIE BARTLETT. Yeah, they came back to us and said, you know, propaganda, fake news, all of that stuff. And the, one of the most insightful interviews I did for this was someone who didn't know much about OneCoin at all but had specialized in religious, new religious movements and cults. And she had so— she was a professor from the London School of Economics and so insightful about describing some of the behaviors of supporters of OneCoin. So I said to her, surely when Dr. Ruja vanishes in 2017, the believers, the people that really bought into OneCoin, would start to question, is this all she said it was? And Eileen Barker said, you don't understand, she has your money. Once you've invested your money And once you believe this is going to change the world, you can find a reason for this. She's disappeared.

CAROLE THERIAULT. She's got you by the short and curlies, right?

JAMIE BARTLETT. You don't want to admit it because it's very hard to admit you've been fooled. And people would rather— would rather— you put your reputation into this, you put your money into this, you put years of your life into this sometimes, and you would rather find a reason why she's disappeared. That's because she's, uh, she's gone into hiding because the banks are going to take her down and the governments are scared of her, but she'll be back soon. It's easier psychologically for you to do that. And I thought, yeah, it was right. It started to sound a bit more like a religious movement really than an investment opportunity. But you know what? This is one of the awkward things about OneCoin. Sometimes when you listen to the legitimate crypto enthusiasts, they also have the same kind of fervor. You know, bitcoin, you can't criticize bitcoin. This is the greatest thing ever. And so there are similarities in one coin to lots of different movements as well, you know, different behaviors that we all have. That's what I enjoyed about it as a story. I thought it said something about society as a whole.

CAROLE THERIAULT. Now, while you were recording this, when were you most shit scared?

GRAHAM CLULEY. Well, yeah, there's some scary moments.

CAROLE THERIAULT. I didn't know if it was kind of dramatized a bit or because, but I felt it. I felt it.

JAMIE BARTLETT. Well, first thing is, to be honest, there are people like that Jen McAdam, the Scottish woman, and Tim Curry, who was the person she argued with, who was a skeptic, who've been calling out OneCoin since late— well, Tim Curry's been saying about this since late 2015, and it's much scarier for them than it is for me when I turn up with the BBC and I've got these lawyers and I've got, you know, all of that stuff. I don't think I was ever as scared as they might have been doing this. But probably the scariest bit was going into the— anyone who's not listened to this podcast won't— will think this is ridiculous, but going into the beauty pageant. Yes. I know that will sound a bit of a tangent.

CAROLE THERIAULT. Yeah, it's a good teaser.

GRAHAM CLULEY. It was a truly surreal moment in the podcast, I have to say.

JAMIE BARTLETT. It really was. It really was. And we didn't know at that point. Quite early on in our investigation, we didn't really know what we were dealing with. We'd heard that there's possible involvement of, you know, dark shadowy forces, organized crime groups, who knows really who's behind OneCoin. And then we bowled up to an event, the first cryptocurrency beauty pageant organized by OneCoin, basically talked our way in and then sat there in the corner with a really big microphone with everyone sort of staring at us thinking, what on earth have we got ourselves into here? But we just felt like we had to— you know, we had to go. But we— it was one of those moments where you think it's a great idea on paper and you're like, yeah, yeah, brilliant, let's do it, amazing. And then you get there and think, oh God, what are we doing here? Yeah, but now we gotta stand up and walk out without anyone noticing. Yeah, it was weird. Yeah, it was very weird. Was it exhausting though?

CAROLE THERIAULT. Was it— was the pace of doing the show exhausting? Because you guys travel all over the place, or how long did you do that?

GRAHAM CLULEY. Yeah, how does something like this start, Jamie? Did you come up with the idea of the podcast, or were you approached, or what happened?

JAMIE BARTLETT. Here's the weirdest thing about it, um, and it was exhausting by the way, because the story kind of unfolded as we were doing it. And, and some podcasts, because you obviously got like your podcasts, and then which are sort of, they go over several years. Yeah, well, you're on 100 and episode 50, 158, is it? Yeah, wow. So, but then you've got the ones that are just 8 episodes on one story, which is obviously this one, and they're quite different even though they're both called podcasts, aren't they, and what they're about and how they are structured and everything. But some of the people that make those podcasts, they make all of them and then they release them week by week, but they're already made, they're all finished, they're all done, legal and checked, and— but they're just slowly releasing them for the tension. But we were making each one as we were going.

CAROLE THERIAULT. So cool, because we're so glad to hear that.

GRAHAM CLULEY. And you were getting feedback from listeners, weren't you, and leads and things?

JAMIE BARTLETT. It was astonishing. Yeah, well, that's what we knew would happen because we realized just how big this story was, and we thought when we release episode 1 and 2, um, people are going to come back at us. OneCoin's going to come back at us, uh, investors are going to come up with stories. Maybe listeners will have spotted Dr. Ruja and will phone us up. So we thought we can't make them all. We made some of them, obviously, but we, we couldn't make them all. We left a lot of gaps, and each episode, we were changing them sometimes right up to literally a couple of hours before they were published.

CAROLE THERIAULT. Heavenly in a bit though, because it's quite fun. Did you suffer? Did you suffer though after you finished? After you kind of put out your last episode, did you have a bit of paradise syndrome? You know, where you're kind of like, what do I do with myself now?

JAMIE BARTLETT. Of course, yeah. And I used to get that when I used to do exams and stuff. You'd look forward to the moment it was over, and then the minute it was over, you're you don't know what to do with yourself. But I mean, me and Georgia, who's the producer, who's in it quite a lot—

CAROLE THERIAULT. yeah, yeah, no, high five to her for all the production.

JAMIE BARTLETT. Amazing. Oh, incredible, incredible stuff. Yeah, really great. She was so great to work with. And but we would be, we'd be up at 6 AM on the phone to each other, and then midnight in bed, be phoning each other. What's good? Yeah, what's the date? And then suddenly, Graham, it's not just us. So it really was. But I mean, the thing is, for those who've listened, they'll know that maybe there are bits of the story that haven't quite fully finished. And so, yes, it's— ah, we're gonna be another one. Let's just say we, we're still talking basically every day. But you're talking seriously, right? Yeah, we're talking every day, all the time. I mean, the thing about it is though, and that those people that have followed this story will understand this. It gets very weirdly addictive. You know, you become obsessed with this woman, and every weekend you're just, you know, what's the latest? Has there been a thing? And look at these videos.

GRAHAM CLULEY. And are you— when you go around Homebase, are you, are you sort of looking down the aisles just thinking, could that be?

CAROLE THERIAULT. Yeah, because that's what she'd be hanging out. She'd be buying some doorknobs down at Homebase, which doesn't—

JAMIE BARTLETT. I don't think exists anymore. Funny you should say that, but I did spot Jeremy Corbyn in my local local home base the other day.

CAROLE THERIAULT. So, well, of course he's there, he hasn't got anything else to do.

JAMIE BARTLETT. It was a while ago now, actually, but, um, someone did tell me that they'd seen her in London recently, uh, and swore that it was her. And I've, I've been getting a lot of people telling me they've seen her all over. So you know what I did? I personally do keep an eye open. You know why? Because I was told by someone that she's, she's so, um, brazen about what she does that she would have found out where I go and where I work, and she'd probably drive by me just to see what I look like.

CAROLE THERIAULT. Do you think she may have perhaps sociopathic tendencies? Perhaps? Because it wasn't her first show at the rodeo, was it?

JAMIE BARTLETT. No, it wasn't. No. And, um, just so, Graham, to answer your question, you said how did it come about? Just so I can— because I'm— because it's quite interesting that Georgia was approached by someone, one of her friend's friends, who was in a pub going on about it, saying, oh, I found this amazing new cryptocurrency 'You know, this is amazing, I'm gonna make loads of money.' She started looking into it and thought, 'This is weird.' Phoned me up because she knew I'd covered these stories in the past and said, 'Have you ever heard of OneCoin?' And the thing is, I said no. She said, 'Oh, that's funny because it's a cryptocurrency where there's been billions of dollars invested.' And I said, 'No, that's impossible I'd know about it,' because I, you know, I wrote a book about the darknet in 2014 and I really covered cryptocurrencies and bitcoin. And I'd never heard of it. And it, and it was so weird because the whole of the crypto world, it kind of passed them by because they look— they looked at it and just thought, this is a Ponzi scheme, this is a pyramid scam, this has nothing to do with us. So they ignored it. And the mainstream press looked at it and thought, oh, this is a cryptocurrency story, that's for them, those crypto specialists, to look at. And it kind of was just missed by everyone. And then they get on the COVID of Bulgarian Forbes, and we all, uh, oh yeah, yeah, it's almost like an echo chamber thing.

CAROLE THERIAULT. I bet they were making a lot of noise. Do you know if they were doing any investment in like social media ads and that sort of thing to try and target particular victims?

JAMIE BARTLETT. That's a good question. I, I, I don't know if they were running social media.

GRAHAM CLULEY. Well, they may not have been, but of course the people who are trying to recruit other people, yeah, exactly, they were probably the ones wasting their money giving it to Facebook and Twitter or whatever, trying to get more OneCoin. And the truth is, OneCoin still going, right? Are there still people out there who still believe in it?

JAMIE BARTLETT. This is what makes the story so fascinating. There's a lot of people that still believe in it. In fact, a handful of them posted a picture the other day from the OneCoin head office in Sofia. They're still going. They're still denying they're a scam. People are still investing all the time in this because not everyone listens to the BBC's podcast. So how are they gonna— and if they do— what fools!

CAROLE THERIAULT. Don't worry, don't worry, we've got the rest of them. BBC played this, we've got about the rest.

JAMIE BARTLETT. And then one coin people, even if you did listen to it, you'd say, oh yeah, well guess what, BBC's fake news because they're scared of the crypto revolution. So you can't— it's so difficult to change people's minds.

CAROLE THERIAULT. Yeah. And what's really annoying is that not only is their money tied in, but people have made a lot of cash because, because they're selling a kind of education plan and they're getting money back.

JAMIE BARTLETT. Yeah, this is what people think, that everyone lost out who put money in, but that's not true because it's a pyramid scam. People at the top of the pyramid were making loads of money. We interviewed one guy who was making over a million dollars a month selling OneCoin because he's— so you get a 10% commission on every package you sell to people, and you'd sell a package for €5,000, you know, €5,000 worth of OneCoin, and you get 10%. And then if they sell and then their friends sell and then your pyramid gets bigger, then you get like— it gets very— the only thing more complicated than cryptocurrencies and blockchains is multi-level marketing compensation schemes. Honestly, it's like you get a matching boat, like you have the, you have a strong leg and a weak leg, and you get sales volume per week, and then your weak leg is deducted from your strong leg, and what's left over you're paid out a percentage of that, and 40% in real money, 60% in one coin, that kind of thing. So people at the top who are near the top of the pyramid, they were making lots of money, but then of course most pyramid schemes Nearly everyone loses out. It's only those who got in early.

CAROLE THERIAULT. It's just, it's a mind-boggling experience, even to listen to and to imagine. And that's still going. You're just reminding me of this podcast, remember that? The Shrink Next Door, Graham? And it was about this guy who had basically had fooled his patient into basically taking over his life. But literally, the whole idea is like 20 years, people just snowed. People can believe anything, can't they?

JAMIE BARTLETT. It's amazing. It's amazing.

CAROLE THERIAULT. But then there's a lot of things that happen in reality that are pretty crazy. I mean, didn't Elon Musk just, you know, release a crazy-ass car? You know?

GRAHAM CLULEY. I mean— Oh, that's insane, isn't it? Well, Jamie, it's an incredible podcast. Well done for putting it together. It's been an extraordinary story. I mean, we've only really sort of dipped our toe into it. I think we'd strongly recommend listeners to our show go and check out The Missing Crypto Queen. You will not be disappointed. And I, I really hope there are more developments in the story. I've seen some in the news, but, uh, I'm sure there are probably a few more episodes of The Missing Crypto Queen to come.

CAROLE THERIAULT. Yeah. And if our listeners, if you happen to spot her anywhere, maybe not just report it to Jamie, but take a picture, send it over.

JAMIE BARTLETT. Please, please do.

CAROLE THERIAULT. Just for a bit of photo evidence. Please.

JAMIE BARTLETT. Yes. It's the case is still open. I am still here. I'm never going to stop. Never going to stop. I don't care whether the BBC pays me anymore. I'm just going to keep going.

CAROLE THERIAULT. Jamie, I see. I love your obsession. Can we be friends? Can I check in occasionally and just go, how's it going? Are you alive?

GRAHAM CLULEY. I think this will be— I think this is something that's going to stay with you for 20, 30 years. I'm not suggesting it'll be a— of course you're going to do other exciting and interesting things, but it feels like something which is going to be there, a bit like background radiation, all the time until this woman is imprisoned. I think you're right.

JAMIE BARTLETT. And you know, the weird thing is, if she's caught and extradited and goes to prison, there'll be a certain— I would never say sadness, because this is what she needs. And for this thing to really finally stop, her being sentenced would help. But there'll be a small bit of me that will miss the search for her when that happens.

CAROLE THERIAULT. Well, you could go visit her in prison.

GRAHAM CLULEY. Oh, I will. Yeah, it would help. But of course there have been cult members in the past where the leader has been imprisoned and people just carry on believing, don't they? Well, that's true. That's true.

JAMIE BARTLETT. You know, every time I think— every time I thought— because I thought what happened two weeks ago was that the brother of Ruja Ignatova, Konstantin Ignatov, was— he was arrested in March 2019 because he took over OneCoin when she disappeared. And he admitted two weeks ago or three weeks ago in a US court, he pleaded guilty to multiple counts of fraud in connection with OneCoin as part of a plea agreement. And I thought this, finally, this is the moment that OneCoin dies. And it— but it's still going.

CAROLE THERIAULT. Fascinating, isn't it? Totally.

GRAHAM CLULEY. Kroll, I think we should move on, shall we? Kroll, what have you got for us? LastPass. How are you going to follow that?

CAROLE THERIAULT. Yeah, okay, I'll follow this. No problem.

GRAHAM CLULEY. Tell us your brilliant story from the world of computer security and privacy.

CAROLE THERIAULT. Easy peasy lemon squeezy. Oh, well, it's not from computer security, Graham. Um, I don't know if you know this, but in a few days' time, on the day that this podcast is made available to the world, it is election day in the US.

GRAHAM CLULEY. Yes, it is.

CAROLE THERIAULT. And I don't know how you guys feel about it, but it's a pretty scary event for me. I mean, there are a lot of people out there who want a better UK but are stumped as to how to get it. And the thing is, this UK election has been racing ahead at a clip that makes people like Ben Johnson's 100-meter time look positively slow.

GRAHAM CLULEY. You should compare it with Boris Johnson's 100-meter time, I think.

CAROLE THERIAULT. Is that quite fast?

GRAHAM CLULEY. See how they compete. Maybe that's how we should decide elections in future. Just get the different leaders, give them a 100-meter race. And see who wins. I mean, I think that'd be fair, wouldn't it?

CAROLE THERIAULT. Are you guys feeling at all uneasy about it, or you already know what you're doing and it's all cool?

GRAHAM CLULEY. Well, I know what I'm doing in my constituency. I know who I'm voting for, and I'm fairly confident that that person's going to win. But—

CAROLE THERIAULT. All right, so you're just going with the flow?

GRAHAM CLULEY. Well, where I live, it's fairly easy choice. I'm a little bit worried about what the overall outcome is going to be, though. It's a weird position to find yourself actually hoping for a hung parliament. Rather than anyone to win. But that's the point.

JAMIE BARTLETT. No, you see, a hung parliament would be read as the people have spoken and they've said they're quite happy with more hung parliament, so carry on.

GRAHAM CLULEY. Out of the options at the moment, I think I probably am, but as weak as possible.

JAMIE BARTLETT. Yeah, I haven't— you know what, I mean, I still haven't really decided what I'm going to do.

CAROLE THERIAULT. You know, I thought I decided yesterday, and now I'm doing this story, I was like, oh God.

GRAHAM CLULEY. I'll chat to you after the show, Carole, and I'll tell you what Oh yeah, no, and I'll just do what you say.

CAROLE THERIAULT. Now, okay, so basically, but you know what, it's not just our politics. World politics are a bit scary these days thanks to things like flipping fake news and the fact that so many a content provider out there says they're not responsible for what is pushed out on their sites. But sometimes on these sites, there are some juicy truths that get through as well, right? So just because there's a lot of fake crappy stuff out there doesn't mean there's not a few gems once in a while. Agree. Okay.

JAMIE BARTLETT. Yeah, of course. Yeah. Agreed. You gotta find them, but they're out there. Okay.

CAROLE THERIAULT. Just for, you know, anyone outside the UK, why would you bother following UK elections? Right. So high level facts, Graham, you're much more okay on this stuff than I am. So if I forget anything, you just jump in and interrupt me. No pressure. You would normally. Okay. We've got crackpot media buffoon Boris Johnson, our current prime minister. Yes. He's up for the, he's up for his post. And we have testy faux leather elbow patch Jeremy Corbyn. I'm sure they're faux leather. And that's basically the two main players, would you agree?

GRAHAM CLULEY. Yes. Of the people who are likely to become prime minister, those are the most likely. By far, I'd say. According to the opinion polls, yes.

CAROLE THERIAULT. Yes. And we all know we can trust those 100%. One of the big issues that they're debating is the UK National Health Service, a beautiful system which is getting a lot of heat. Listeners that don't really understand, it's like a loved system, but for the last decade, the system has been smacked with austerity and it has less money for services, staff, and equipment, and it's kind of hobbling along right now.

GRAHAM CLULEY. Yeah, I think it'd be fair to say most of the population considers it very much loved, but it's also considered vastly under-resourced. Particularly now.

CAROLE THERIAULT. I mean, we did have a little time of austerity, which was timed with a huge uptick of ageing populations, so that was a really smart thing to do, because of course microcracks might become huge wounds.

GRAHAM CLULEY. A lot of NHS workers come from Europe, which we appear to be detaching ourselves from as well, which could be a challenge as well going forward.

CAROLE THERIAULT. Fun times in the UK as well right now. During the recent debate between these two party candidates, Corbyn and BoJo, they were discussing the NHS, and during this debate, Corbyn reveals a heavily redacted 450 51-page document, his aha moment. And he says that the document proves that US negotiations were hoping to secure "full access" to Britain's health sector as part of a bilateral trade deal. Yep. What? Right? This is a big deal. And Corbyn said that Labour had obtained official documents which showed that this would be the case, that the US is demanding that the NHS will be on the table in talks in a post-Brexit trade deal. So lots of people are thinking, this must be fake news, this must be fake, what's going on, this is a bit weird. But it turned out that perhaps it wasn't fake news. Johnson replied to this, puffed up his chest as only he knows how. Ruffled his hair. And said, this is an absolute invention, this is completely untrue, puff, puff, puff.

GRAHAM CLULEY. Stammer, stammer.

CAROLE THERIAULT. Other than circumstance. Yeah, Maybe we should link to Stammer time. Just for those who haven't seen it, go look at the show notes. There's a little cute Easter egg for all of you there. Under no circumstances whatever will this government or any Conservative government put the NHS on the table in A trade negotiation. RNHS will never be for sale. Okay, so you're thinking, okay, bravo. This must be a storm in the teacup. But what's this document? Right, and labor is staying totally stum about where they got it from. Johnson, of course, is demanding to know the source of the leak. It's a bit similar to the whole Trump stance on the whistleblower, right? You know, with the Ukraine-Zelensky case. But whilst all this is going on, they didn't get a lot of time to play that game because Reddit came forward last Friday confirming that an unredacted document was uploaded as part of a campaign that has been reported as originating from Russia.

GRAHAM CLULEY. Russia again? Yeah. They're really becoming the bogeyman in this episode, aren't they?

CAROLE THERIAULT. But what's interesting is you think, okay, Russia, this is all fake news, fake news, fake news. It's being branded in a lot of this media that I saw today, and there's the ones you'll see in the show notes, as a Russian disinformation campaign. And while Johnson has denied Labour's accusation that the NHS will be carved up, it does seem that the document is actually genuine.

GRAHAM CLULEY. So what you're saying, that the document does appear to have genuinely been leaked from the government.

CAROLE THERIAULT. Well, the government, yes, but not by the government. No, no. Via this Russian sidestep. Potentially.

GRAHAM CLULEY. So your theory or the feeling is that maybe the Russians have deliberately distributed this on Reddit in order to meddle with the election chances of either Corbyn or Johnson. Oh, don't take my word for it.

CAROLE THERIAULT. Let me tell you what Reddit said in the story. Right? They said its investigation had found a pattern of coordination between the now banned accounts on its site and a Russian campaign uncovered by Facebook earlier this year. And they said, "This group provides us with an important attribution for the recent posting of the leaked UK documents," the ones we're talking about, "as well as insights into how adversaries are adapting their tactics." As a result of the investigation, we're banning 61 accounts under our policies against vote manipulation and misuse of the platform. So basically, Reddit, the social network, suspects that Russian operatives were behind the leak of sensitive trade data, likely with the intention of impacting the UK's general election campaign. Right. Yeah.

GRAHAM CLULEY. Now, because they want a particular side to win.

CAROLE THERIAULT. I don't think anyone knows at this stage other than the cause, crazyola, right? I'm sure that'll all come out in the wash.

GRAHAM CLULEY. It just adds though to the general uncertainty amongst the population, isn't it, as to you can't know anything. No. You can't trust any piece of information because you're always trying to second-guess, well, why has that information come out? And is what has been reported actually true? Or is there some sort of undercurrent of mischief-making which is going on.

JAMIE BARTLETT. What's amazing about this, right, I mean, it's like no politicians have heard of Reddit. I mean, but this is probably the first time 95% of MPs even know what Reddit is. Imagine what other amazing things are on there for them to learn about. I mean, there's all sorts of stuff on there. If they just spend 5 minutes scrolling through Reddit, they'll find things that blow their minds.

GRAHAM CLULEY. Oh, there are cat memes. Fantastic.

JAMIE BARTLETT. But the thing is about the whole story, like the way I see it, is that the Russian tactics, which have been evolving over quite a few years now, have really focused on leaked strategic documents, you know, not making things up because that's maybe risky or doesn't work so well. But there's a lot of ways you can get leaked. There's a lot of ways you can you can find doxing. There's a lot of weak points in society. You know, like political parties have terrible security and they send all sorts of very sensitive material amongst themselves, as we saw in the US election with the famous Clinton emails. Like, there's a lot of weak points in a democracy that aren't well defended. Or in any bureaucracy. In any bureaucracy. And so, as a journalist, I know that nothing works quite so well as adding the word leaked to something, even if it's not leaked. But if you say leaked, it sounds really exclusive, even though it's been on Reddit for weeks. Add the word leaked to it, and suddenly it's an exclusive. Everyone starts talking about it. And if you're the Russians, very easy probably to get hold of a document that was a trade envoy's discussion. I'm sure there's all sorts of people that had that and didn't have amazing security. And you're right, I don't think the purpose is necessarily to get one side elected or another. It's just to make everyone confused and angry, disagreeing, bitter, nothing can be trusted, because that weakens the resolve of countries that you might consider to be your enemies. And it's very, very cheap. It's so cheap to do this. I mean, it's like could have been one person did this in a day.

CAROLE THERIAULT. The irony of the whole thing, though, really, right, is that it went up on Reddit, but it caught hardly any traffic at all. But somehow it ends up in there in the labor camp, right? And you must, they must have just been the cow that got the cream, that the cow, the cat that got the cream.

JAMIE BARTLETT. The cow gives the cream.

CAROLE THERIAULT. What are cows doing now? That's almost like a cannibalistic— the cat that got the cream, right? Because they must have been reading it going, oh my God, oh my God, it's so juicy. You know, and fair play to them, they did reject it before they went on national television with it, so we didn't have any with micro cameras going in and trying to find out some secret information. Yeah, yeah. But the whole idea here is, see, they're basically saying— so Corbyn's saying, look, you're trying to sell off the NHS in some way post-Brexit. Johnson's saying, no, no, no, no, no, no, and you know, I have this document to prove it. And they're like, pish, pash, push, who gave you this document? And And he's now gone a bit quiet now. So there's no contesting saying this is absolutely fake from the Conservative Party that I could find. But what is a little bit interesting is that last July, there was news items or murmurings that Amazon were partnering with the NHS to stream the health service advice via Alexa, right? Which all this information is already available online, but using voice. So what do you mean, like NHS Direct?

GRAHAM CLULEY. So they have that website where I can go and I can say, I've got a paper cut, and you go through a sort of flowchart that eventually tells me to go to A&E or something, or you're having a heart attack. So I would be able to say that to Alexa instead, say, I've stubbed my toe, or I've got a pain in my groin, what should I do?

CAROLE THERIAULT. Or you'd say, what are the symptoms of this? How do I treat this? Right? Okay. All right.

GRAHAM CLULEY. Yeah. So that's the deal that Amazon are trying to do with the NHS, or NHS trying to do with Amazon.

CAROLE THERIAULT. But this week, it seems that responses to Freedom of Information requests published by the Sunday Times show that the contract will also allow Amazon access to information on symptoms, causes, and definitions of conditions. So basically, all relatable copyrightable content and data and other materials is going to be shared with Amazon. Now, not patient data, okay, I have brackets here, at this time, right? But no patient data is currently being shared. And, you know, they've made a lot of statements on the NHS website about the great security measures they have in place to stop that sort of thing. So there's a little ray of sunshine there, I'm sure everything will be fine. But the thing that's kind of shocking is that they didn't get any payback. So this is basically being offered to Amazon for free, right? So the UK is considered a world leader in compartmentalizing and basically organizing all this huge wealth of health information. And it's now been shared with one of the richest, well, the richest man in the world's company.

GRAHAM CLULEY. Is it that NHS are gonna give all kinds of data to Amazon to process and do data mangling on?

CAROLE THERIAULT. Whatever they like, yes.

GRAHAM CLULEY. Or is this an Alexa deal where you can, and speak to a database and get information on your symptoms.

CAROLE THERIAULT. So in July, it was presented as a, hey, we're partnering with Amazon to give you some Alexa. Yes. But a recent Freedom of Information request revealed, right, and this was published by the Sunday Times, that the contract between Amazon and NHS was much, much bigger than we all originally thought. And they're not just going to be giving power to Alexa to be able to help people, but they're also sharing with Amazon information on symptoms causes, definitions, conditions, basically this huge, huge, huge copyrightable database of health information.

GRAHAM CLULEY. Can I be devil's advocate for one moment? Which is that the NHS obviously needs lots of processing power and probably wants to make use of big data and, you know, rightly or wrongly, thinks that that would help people live fuller and healthier lives.

CAROLE THERIAULT. That's certainly the conservative view, yeah.

GRAHAM CLULEY. Well, okay, I know I'm just, like I said, the devil's advocate.

JAMIE BARTLETT. Oh, the Labour Party will do this as well. We know that they will. They will, because it will offer savings. It will. We're struggling with an ageing population, like, and there will be great benefits to patients from sharing all this data, won't there? That's sure.

GRAHAM CLULEY. And my question really is, okay, so you're highlighting this and saying, oh, this isn't the big concern. Well, what big technology companies could they partner with who aren't American? You know, it's not like there's a UK company who can decide to do all this data mangling for you, is there? All the powerhouses are over there.

JAMIE BARTLETT. All the signs are that one of the next big growth areas in digital technology is going to be health data, and the NHS holds what must be, must be the best data set of databases about people's health anywhere in the world. So all the big tech— we've got decades, I would hope people's entire lives have been datafied on the NHS. Amazing stuff. And when we start processing that, amazing findings and things to learn and preventative things we can, we can take on board. So you've got to think that all the big technology companies are going to be desperate to get their hands on this data, which worries me a great deal. I think that the, the, if the UK is going to develop a really healthy and competitive tech sector, it's going to be in health data, it's going to be in health apps, it's going to be in the next sort of wave of diagnosis tools and stuff. And we have to invest in UK-based companies to be able to do that, rather than just outsourcing it to the big players who've already got all the processing power.

CAROLE THERIAULT. I agree. You know, that privatization, we've seen it here in the UK with lots of things, trains, everything, you know, privatization is a very delicate operation. And I think it needs to be approached very cautiously. And right now, both sides are denying that there's any privatization going on, but I think you're probably right. There's no other way to maintain it without the rich funds of the private sector.

JAMIE BARTLETT. We should probably do it. We should do all this stuff 'cause of the benefits, but it's gonna have to be so carefully regulated that you're gonna want it to be with a company that's, I mean, maybe it's a public-private partnership company. Maybe it's a company that the government owns owns some proportion of the shares in, or, but a company based here at the very least would be forced to follow very strict UK-based regulations. And so you'd just be able to control a bit better how that data was used.

GRAHAM CLULEY. Maybe we need to nationalise Amazon and Google and some of these companies, at least in their UK operations. Maybe that'll be on the manifesto next time.

CAROLE THERIAULT. Very, very, very happy story for me. I have no idea what my end result is other than say— Time for sponsors. Yeah, it was. That's what's been on my mind this week. Excellent. Don't you love a win-win situation? Imagine if you could have both enterprise-wide password management with single sign-on. What is single sign-on? Well, Graham, let me dazzle you. Single Sign-On is designed to connect employees to high-priority apps, all without needing the user to log in at every single hurdle. Now, by combining these two services, our friends at LastPass may have just revolutionized security at the enterprise level. Learn more at lastpass.com/smashing. You don't need to say the forward slash.

GRAHAM CLULEY. Ah. And welcome back. Can you join us on our favorite part of the show? The part of the show that we like to call Pick of the Week.

CAROLE THERIAULT. Pick of the Week.

JAMIE BARTLETT. Do I say that as well? Pick of the Week. Beautiful.

GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security-related necessarily. Better not be. Well, my Pick of the Week this week is not really security-related, although it Huzzah! It is a problem sometimes you might encounter at a security conference, because I don't know if any of you have encountered the issue of smelly armpits and bad body odor.

JAMIE BARTLETT. I mean, that's not just something you get at security conferences.

CAROLE THERIAULT. Yeah, Graham, we don't hang out that much anymore, so it's not been so much of a problem.

GRAHAM CLULEY. Hasn't been so much of an issue. Well, I have to say, just recently I was saying to my lovely wife, I was saying, you know, 'Look, you know, I've noticed that I seem to be a bit stinky,' I thought. And I'd go away and I'd wash my armpits and I'd come back and I'd say, 'I'm still stinking. What on earth is going on?' Oh, you haven't heard about deodorant? Is this what this is? And so for some reason it wasn't working. And I thought, 'This is a bit funny.' And I saw a tweet written by a hairy, a rather— well, you may know him actually, Rik Ferguson, who works He's a long-haired, heavy metal kind of chap who works as a cybersecurity expert at Trend. He's a dude. And he was recommending, he said that his life had been transformed by a different method of cleaning his armpits. And it's called NUUD. N-U-U-D.

CAROLE THERIAULT. Oh Christ, okay, so you're gonna run around naked now?

GRAHAM CLULEY. No, no, no, no, no, no, no. And that's now gonna keep your armpits all clean? This is this weird little, you get this weird little tube tube of stuff and you squirt out a tiny little pea size of it and you sort of, you just rub it into your armpits, Carole. And here's the wonder, here's the wonderful thing, is that you don't have to do anything again for like 4 or 5 or maybe 5 days or so. 3? You don't have to do anything anymore. What do you mean? You don't have to shower? You can shower.

CAROLE THERIAULT. Are you putting this all down your crotch?

JAMIE BARTLETT. No, no, no. Are you just wiping it all?

CAROLE THERIAULT. Are you slathering? Are you bathing in this stuff? Is that what's going on?

JAMIE BARTLETT. It's like a wet wipe for adults.

GRAHAM CLULEY. No, no, it's— I'm purely using it on my armpits. I am showering every other part of me, and you can still shower your armpits should you wish to. All right.

CAROLE THERIAULT. No, keep my arms down. It's like when you have stinky armpits and you always have your elbows glued to your side.

GRAHAM CLULEY. Unlike other ways of dealing with your armpits, it doesn't have aluminium and petrochemicals and all kinds of nasty stuff. It's all natural. And all I can tell you is it really works. And according to Mrs. Cluley, at least she says I don't stink at all anymore. Oh, really?

CAROLE THERIAULT. Are you back in the old days?

GRAHAM CLULEY. So my pick of the week this week, and thank you, Rik, for mentioning it on Twitter because that inspired me to give it a try, is NUUD. N-U-U-D. Links in the show notes. We're not getting a commission. Maybe we should. Maybe they should have a multi-level marketing. Well, yeah, maybe I'm now part of his pyramid. Who knows? Oh dear. Jamie, what's your pick of the week?

JAMIE BARTLETT. Oh, mine seems really boring now, but I read an amazingly interesting article in the New York Times about this guy called Anthony Carmello, right? He's standing trial at the moment in Staten Island because he shot and killed a top gangster called Francesco Carli. Now the thing is, it seems that this, uh, this young man, he's only 25, is Anthony Camelo. It seems that he was really obsessed with these weird online far-right conspiracy theories like QAnon. Have you heard of that one?

GRAHAM CLULEY. That— oh yeah, my goodness.

JAMIE BARTLETT. Yeah, these things that are spreading all over the internet. I spent quite a lot of time studying conspiracy theories in the past. They're very interesting things, and it's, I suppose, sort of related to OneCoin in a way, like You create these information bubbles and nothing can break through. But the interesting thing about this is that his lawyer is basically claiming that because he believed in these conspiracy theories, he's kind of pleading insanity. And the question that the New York Times asks is, and it says that this will become a big issue in the future, is at what point does belief in a far-right conspiracy theory make you legally insane. That is what the court will be considering. Isn't that weird? I mean, but it's kind of— So weird. Yeah.

GRAHAM CLULEY. Maybe it's a question the Senate should be questioning, asking themselves soon as well.

CAROLE THERIAULT. And presumably, you could do it for the far left as well. So basically, if you're not within the acceptable bounds of—

JAMIE BARTLETT. Yeah, you can be locked up. Or you could claim as a defense against terrible, heinous crimes, claims that I was temporarily insane because I believed in this weird conspiracy theory that drove me to these acts. It's based on a belief though rather than I think any kind of psychiatric testing or whatever. Oh my goodness. But as in to have believed so much in this obviously ludicrous theories to the extent that you would then go and kill someone because you thought they were part of the anti-Trump deep state renders you insane. I mean, I don't quite know what I think about this.

CAROLE THERIAULT. Yeah, but it's kind of interesting.

GRAHAM CLULEY. I wonder which conspiracy theories qualify and which don't. So if I believe in like Nessie or something, or the Abominable Snowman, whether there's been some government— there's been some government cover-up which is preventing Nessie having her day in the sun, and so I'm going to take down Anne Widdecombe or something. Oh, I don't know. You know, it's just— it's, it's a bit— but is The whole world— what I've learned from this podcast is the whole world is insane.

JAMIE BARTLETT. Yeah, it's nuts. The world is a bit madder than we let on. You know, I think the great thing that we've all been assuming since the Second World War is that everyone is— democracy and all of our systems are based on the assumption that everyone is roughly rational and sensible, and that's not actually true. And we're finally beginning to realize it, and things are falling apart.

CAROLE THERIAULT. Take heed, children. He speaks sense. Hey, you know what?

GRAHAM CLULEY. It's not just listeners who have to listen to that, Carole. It's you and I, right? What are we doing? We're pod— we do a podcast. Where's the sense in that? Carole, what's your pick of the week?

CAROLE THERIAULT. Okay, I didn't do much work on my pick of the week.

GRAHAM CLULEY. Oh, nice. Okay.

CAROLE THERIAULT. No, no. Well, look, yesterday Graham and I did a charity podcast. Oh, yes.

GRAHAM CLULEY. BeerCon 1 with the Beer Farmers and the Many Hats Club.

CAROLE THERIAULT. And I was a teeny tiny little bit rude, I think.

GRAHAM CLULEY. A bit vulgar, yeah.

CAROLE THERIAULT. A little, well, you know, it was Sunday, I felt free, and maybe, anyway, I think everyone enjoyed it, I think, right? But I thought. Link's in the show notes. My pick of the week would be a bit more family-oriented. Okay, good. Just to make up, you know, address the balance, address the balance. So I found this podcast, which I started listening to, right? And it's called The Radio Adventures of Dr. Floyd. It's been going since 2004, which is kind of cool. Yes, just in itself. And it's a family-friendly twist on old-time radio. It kind of features adventures and exploits from the world's most brilliant scientist, Dr. Floyd. Dr. Floyd thwarts the plans of his evil arch nemesis, Dr. Steve. Everyone hates Steve. But what's kind of cool about it is during all this you learn about people and events that shape history and the earth and all kinds of cool stuff like that. So there's lots of like tidbits of actual useful information. So what I was hoping is that Graham and Jamie You Soon, makes sense in a second, and all our listeners could maybe get one of their kids to check out an episode, just a random episode, because I really like this, but I don't think I'm the target audience. I kind of want the under 10s, under 12s to let me know if they think it's boring or amazing. Take a listen to one episode. The episodes are short, you know, they're not very long.

GRAHAM CLULEY. The Amazing Adventures of Dr. Floyd Radio Adventures. The radio.

CAROLE THERIAULT. Dr. Floyd. Yeah, you can find it in most places where you find your podcasts. And it's quite a fun little family time, right? 6 minutes. Oh, cool. And send me some reviews, thumbs up, thumbs down. I just kind of think this kind of thing, we need more of this. So I'd like to know what you guys think. Okay. That's my pick of the week. I know I'm stretching it, but you know, I've done 157 pick of the weeks. Basically, I'm done. I'm tapped.

GRAHAM CLULEY. I'm tapped. What do you want to quit doing pick of the week? Do you want us to rest the segment? Do you want us to come up with a new idea?

CAROLE THERIAULT. Maybe we should. Maybe 2020 should be a brand new thing.

GRAHAM CLULEY. Maybe we should do that. Carole, do you remember that one time we did the Agony Aunt Corner? Maybe we should bring back the Agony Aunt instead of Pick of the Week.

CAROLE THERIAULT. Everyone loved that.

GRAHAM CLULEY. Everyone loved it. Well, on that bombshell, we just about wrapped it up for this week. Jamie, I know lots of our listeners would love to follow you online and find out more about the missing crypto queen. What's the best way for folks to do that?

JAMIE BARTLETT. Oh, well, you can get The Missing Crypto Queen on BBC Sounds or anywhere else you go. What's the saying everyone says? Or wherever else you download your podcast. Yeah, I mean, that's the best place to go. I mean, I'm on Twitter as well, @JamieJBartlett. I'm still basically there. I'm posting updates. So any new bits of the story that come along, any interesting new rumors I hear, I share them there as well.

GRAHAM CLULEY. Fantastic. And you can follow us on Twitter at Smashing Security, no G, Twitter and mousetaveag, and you can carry on the discussion about the episode over on Reddit. So, Jeremy Corbyn, if you're listening, make sure to check out the Smashing Security subreddit. And listeners, you are the wind beneath our wings.

CAROLE THERIAULT. Thank you for listening, supporting us on Patreon, and giving us shoutouts. It all helps tons. And thank you to this week's Smashing Security sponsor, LastPass. Its support helps us give you this show for free. Check out smashingsecurity.com for past episodes, sponsorship details, info and how to get in touch with us.

GRAHAM CLULEY. Until next time, cheerio, bye-bye, bye-bye, adieu, Pick of the Week, adieu.

CAROLE THERIAULT. That was a long show, but you know what was worth it, Clue?

-- TRANSCRIPT ENDS --

158: The man behind The Missing Cryptoqueen

Transcript +