A couple unexpectedly find $10.5 million in their cryptocurrency account, and in Cambodia people are being forced to commit pig-butchering scams.
All this and more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, who are flying solo again this week.
Warning: This podcast may contain nuts, adult themes, and rude language.
Episode links:
- DeFi bug accidentally gives $90 million to users, founder begs them to return it - CNBC.
- Compound boss begs users to return $90 million worth of cryptocurrency they were accidentally gifted - Robert Leshner on Twitter.
- Couple mistakenly given $10.5m from Crypto.com thought they had won contest, court hears - The Guardian.
- Mother accused of spending spree after mistakenly receiving $10 million in crypto bungle heads to trial - 9 News.
- Sold to gangs, forced to run online scams: inside Cambodia’s cybercrime crisis - The Guardian.
- ZÈRTZ game.
- ZÈRTZ - Wikipedia.
- GIPF project - Wikipedia.
- The Capture - BBC iPlayer.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- Kolide – the SaaS app that sends employees important, timely, and relevant security recommendations concerning their Mac, Windows, and Linux devices, right inside Slack.
- Bitwarden – Password security you can trust. Bitwarden is an open source password manager trusted by millions of individuals, teams, and organizations worldwide for secure password storage and sharing.
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Become a Patreon supporter for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Privacy & Opt-Out: https://redcircle.com/privacy
Transcript
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
GRAHAM CLULEY. So they park it on your drive, right, with the keys. Is that then your car?
CAROLE THERIAULT. No.
GRAHAM CLULEY. You don't think you can just take it?
CAROLE THERIAULT. No, I don't.
GRAHAM CLULEY. But it's all right for you to take $10 million?
CAROLE THERIAULT. No, I don't think—
GRAHAM CLULEY. You're saying there's nothing to compel you? There's no legal requirement, you reckon?
CAROLE THERIAULT. Ladies and gentlemen, this is gaslighting. Exactly what's going on right now. Okay, this is called twisting one's words. All I'm saying is, it should be the same way both ways.
UNKNOWN. Smashing Security, Episode 293: A Massive Crypto Bungle and the Slave Scammers with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, Episode 293. My name's Graham Cluley.
CAROLE THERIAULT. And I'm Carole Theriault.
GRAHAM CLULEY. Ah, Carole, you're back. Thank goodness. We've all been worried about you after your husband got COVID. Tell us what happened.
CAROLE THERIAULT. I got COVID.
GRAHAM CLULEY. You got COVID?
CAROLE THERIAULT. I tried really hard not to get COVID. But I suspect it's quite hard to do in a house with just one loo, right?
GRAHAM CLULEY. Oh, you didn't make him go out in the garden?
CAROLE THERIAULT. No, I didn't.
GRAHAM CLULEY. Or you go out in the garden.
CAROLE THERIAULT. Yeah, that's what I should have done.
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. I'm not as ill as him, of course, right?
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. Of course.
GRAHAM CLULEY. You sound all right at the moment, I'll be honest with you, but you were quite rough at the end of last week.
CAROLE THERIAULT. Yeah, I know. I know. Well, we'll see how we go.
GRAHAM CLULEY. And you pulled out of the Smashing Security live event at NISC.
CAROLE THERIAULT. No, I chose very responsibly not to go over on the day that I tested very positive for COVID.
GRAHAM CLULEY. But it was okay because we had a puppet. We had a deepfake of you, which acted as though it were you, and people couldn't tell the difference really. Everyone seemed very happy.
CAROLE THERIAULT. Well, how about we get this show on the road? And before we kick off, let's thank this week's sponsors, Bitwarden and Kolide. It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what do you got?
GRAHAM CLULEY. I'm going to be talking about how cryptocurrency bungles have really excelled themselves.
CAROLE THERIAULT. Okay, and I'm gonna ask you whether you would hire an ex-scammer.
GRAHAM CLULEY. Nope.
CAROLE THERIAULT. All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY. Now, chum chum, do you consider yourself a lucky person?
CAROLE THERIAULT. Uh, yes, I do think I'm fairly lucky.
GRAHAM CLULEY. Yeah, yeah, really? Yeah. Why?
CAROLE THERIAULT. I've got a pretty good life other than having COVID at the moment. Life's pretty sweet, right?
GRAHAM CLULEY. Okay.
CAROLE THERIAULT. Uh, so, and I'm thinking that's down to luck rather than talent, intelligence, charm, wit, bravery.
GRAHAM CLULEY. I definitely think that. I definitely don't think it can be anything to do with intelligence, charm, or wit. Um, fortune favors the brave goes the old adage, doesn't it? But it also favors the jammy, the lucky, the fluky. Whether you're lucky enough to be born into European royalty, which I wasn't.
CAROLE THERIAULT. I don't know if that's lucky.
GRAHAM CLULEY. You don't?
CAROLE THERIAULT. Well, no. Do you?
GRAHAM CLULEY. I think it'd be quite good to be like a second cousin, so you wouldn't have very many duties, but you'd have rich relatives to bail you out or give you a palace or something to live in. I think that'd be quite handy.
CAROLE THERIAULT. Okay, I didn't know that was something you were looking for, a palace. I'll keep my eyes peeled for you.
GRAHAM CLULEY. And also, if the FBI or someone wanted to question you about some serious offence, you'd be able to turn a blind eye to it.
CAROLE THERIAULT. They wouldn't know what door to use in your palace.
GRAHAM CLULEY. Well, maybe. Maybe that's the thing stopping them. Who knows? But I think there's all kinds of ways you can be lucky. You could be the first person ever hired by Amazon, not one of their delivery guys, but the guy who was sort of helping Jeff Bezos sellotape up the parcels. They've probably made a fortune, haven't they?
CAROLE THERIAULT. I think if you think luck is just wealth, then you're right on all these fronts.
GRAHAM CLULEY. Oh, okay. Well, sometimes good fortune can also fall into your lap from the strangest places. Go on. So, for instance, last year there was a bug in a cryptocurrency service called Compound. And what Compound managed to do was by accident, by mistake, they gave away $90 million worth of crypto to their users. They accidentally sent it to them. And then—
CAROLE THERIAULT. Like to all of them? Like a little share?
GRAHAM CLULEY. Well, you know, lots of people got something. Yes. Of different amounts. And then their founder, their CEO, went on to Twitter.
CAROLE THERIAULT. Guys, can you give it back, please? Seriously?
GRAHAM CLULEY. Yes, exactly. He begged them.
CAROLE THERIAULT. You would. You would. You would.
GRAHAM CLULEY. He said, would you mind awfully giving it back? He said, it'd really be helpful. And he said, if you do, I will give you a 10% bug bounty. If you'll do the honest thing and return most of it to us.
CAROLE THERIAULT. Right. So you got 10 grand. Okay. Give me back, give me back 90 or give me back 9 and I'll give you 1 type thing.
GRAHAM CLULEY. Well, it's very quick maths, Carole, for someone who's still got COVID, isn't it? You're not that foggy headed, but yeah, perhaps.
CAROLE THERIAULT. My amazing constitution.
GRAHAM CLULEY. But he went on to say, look, otherwise, if you don't pay it back, it's going to be reported as income to the IRS. And most of you are doxxed because I know all of your names and addresses.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. I think he didn't realize that free money minus taxes is still better than no free money. So I don't think people would worry particularly that they had to pay taxes if they'd been given a large sum of money.
CAROLE THERIAULT. No, well, you can pay taxes on illegal earnings or, you know, you just have to declare it. You just have to declare it and say, look, I have this money. I'm not going to tell you how, but here's the taxes and the taxman's happy.
GRAHAM CLULEY. Well, you could just say it's been given to me by crypto.com.
CAROLE THERIAULT. Exactly. As a gift.
GRAHAM CLULEY. I presume so. A loyalty payment of some kind. Anyway, word has now reached me from a land down under where women glow and men plunder— of some— I'm talking about Australia— of something a little similar. The curious case of Jatinder Singh and his partner, Thevamanogari Manivel. Now, that couple are currently in jail.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. Not in the same jail cell. I think they've actually split up since. I'm not sure. But anyway, they are facing up to 20 years in an Australian prison. Oh my God. Of all the prisons to be in. Imagine being in one with no culture.
CAROLE THERIAULT. I'd be all right with that compared to others.
GRAHAM CLULEY. What, you think Australia is better? Yes.
CAROLE THERIAULT. Where do you want to be?
GRAHAM CLULEY. Have you not seen Cell Block H? Have you not seen—
CAROLE THERIAULT. You've got to be in a Chinese prison.
GRAHAM CLULEY. Well, no, I haven't been in a Chinese prison. Or Russian.
CAROLE THERIAULT. Would you like to be there?
GRAHAM CLULEY. But I've seen enough soaps to know what being in an Australian women's prison can be like.
CAROLE THERIAULT. Right, good, yes.
GRAHAM CLULEY. Anyway, it doesn't matter. That's not relevant right now. Now you're wondering, you're wondering what they're doing in that prison. Well, they allegedly stole money from a cryptocurrency company called Crypto.com, a big cryptocurrency company. How did they allegedly steal the money, you ask? I'll tell you, Carole.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. They didn't hack in.
CAROLE THERIAULT. This is great.
GRAHAM CLULEY. Mm-hmm. They did. You don't have to ask questions.
CAROLE THERIAULT. No, it's good.
GRAHAM CLULEY. Because you've got COVID, you can take it easy.
CAROLE THERIAULT. Exactly.
GRAHAM CLULEY. They didn't hack in. They didn't burgle the HQ. Instead, they were given the money.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. So let me explain what happened. Jatinder Singh is a cryptocurrency trader.
CAROLE THERIAULT. Check.
GRAHAM CLULEY. He's been doing it for a while. He's amassed something like $49,000 worth of cryptocurrency on the Crypto.com trading site using his debit card.
CAROLE THERIAULT. Okay, so that's money from his hard-earned cash.
GRAHAM CLULEY. Yeah, he's doing all right. Yeah. Yeah. Not done anything wrong there. Sounds like everything's going well. But then he wants to conduct some more trades, and for some reason or another, he uses his partner Manivel's debit card, creates another account.
CAROLE THERIAULT. Well, maybe she has a bigger balance.
GRAHAM CLULEY. Who knows?
CAROLE THERIAULT. Right.
GRAHAM CLULEY. Who knows? Maybe he sees a great opportunity, needs a different debit card. Now, Crypto.com doesn't like that. It says you should be using your own account, not someone else's, to trade and your own debit card. Right. And when they find out that he's done this, they say, look, that's against our rules. You shouldn't have done that. What we'll do is we'll refund $100, which you've paid to set up this account and do whatever trades you've already done. We'll refund that to Jatinder's partner, Manivel, the one who he's taken the debit card from.
CAROLE THERIAULT. But she complained?
GRAHAM CLULEY. I don't think she's complained. I think Crypto.com have just identified that his username does not match that of the card. And I think probably for money laundering reasons or whatever, they try and do ID checks on who is using cryptocurrency websites. And they think, hang on, this doesn't match up with your card, therefore we have to close this account. Oh, you've spent $100 already. Don't worry, we'll refund that because, you know, we recognize that you're a trader in good faith, blah, blah, blah. We want you to carry on doing this.
CAROLE THERIAULT. Okay. Right.
GRAHAM CLULEY. So you would expect now to see $100 be transferred into Manivel's account.
CAROLE THERIAULT. Yeah, as to what they explained. Right.
GRAHAM CLULEY. Exactly.
CAROLE THERIAULT. Right.
GRAHAM CLULEY. But that's not what happened. Okay. Instead, Crypto.com says that an employee of theirs in Bulgaria— I don't know why that's relevant, but they say in Bulgaria— okay— made a mistake in the Excel spreadsheet.
CAROLE THERIAULT. Ah, good old— it's always Excel's fault. It's always Excel's fault.
GRAHAM CLULEY. And rather than paste in $100—
CAROLE THERIAULT. it was just 1 cent.
GRAHAM CLULEY. Itself, right? They accidentally pasted in not 1,000 or 10,000. No, what they did was they pasted in the account number, the Crypto.com— pardon, the Crypto.com account number of the previous job that worker had been working on, right? So everyone who's on Crypto.com has an ID number. And so they pasted in the number, which was the user number into the field of how much money they were going to refund him.
CAROLE THERIAULT. So the little dollar sign wasn't a giveaway. So, right.
GRAHAM CLULEY. And it came to $10,474,143.
CAROLE THERIAULT. And then pressed, without double-checking, pressed the send now.
GRAHAM CLULEY. Yes, transfer. Right, exactly.
CAROLE THERIAULT. Bet they're in a bit of a pickle.
GRAHAM CLULEY. Hmm. It strikes me that Crypto.com have just leaked one of their users' account numbers as well, which is 10,474,000.
CAROLE THERIAULT. Guys, maybe take that one offline if you haven't already, just in case.
GRAHAM CLULEY. Right.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. So they moved this money into Manivel's bank account in May 2021.
CAROLE THERIAULT. Right. They're like, job done, ticks it off the list.
GRAHAM CLULEY. And meanwhile, can you imagine? Can you imagine opening your banking app, checking your balance and going, hello, this is all right?
CAROLE THERIAULT. Honestly, I would call them up and go, they've obviously made a crazy-ass error. They're going to be freaking out. Wouldn't you?
GRAHAM CLULEY. Well, apparently the court has heard, right, is that Jatinder, her partner, said to her, oh well, that's, um, what happened was the other day on the Crypto.com app, I received a notification saying that they were running a competition to give away $10 million. What? And maybe we've won it, he said to his partner.
CAROLE THERIAULT. Is he being honest or is he full of poo poo?
GRAHAM CLULEY. Well, that's for the court to decide, Carole. That's for the court to decide.
CAROLE THERIAULT. He sounds like he's part of this now. Why would he say that? I don't understand.
GRAHAM CLULEY. Well, this is the argument that is being given to court, is they say there was a notification in the app saying there was a competition, someone's going to win $10 million, and then suddenly $10 million turns up in their account from Crypto.com. Now, Crypto.com says we don't actually run competitions like that.
CAROLE THERIAULT. Yeah. Can you prove that? Where did you see that? Exactly. Yeah.
GRAHAM CLULEY. And we didn't send out a notification. So that's the first mistake that's happened, is Crypto.com has moved $10.5 million into someone's bank account rather than $100. The second mistake they made is that it then took them a full 7 months until they noticed that they'd made that blunder, that they'd moved the money. They didn't spot the $10.5 million had disappeared.
CAROLE THERIAULT. 7 months. This is ridiculous.
GRAHAM CLULEY. So they didn't notice until December 23rd last year, just before Christmas. And of course, someone else is having a great Christmas.
CAROLE THERIAULT. Can you imagine?
GRAHAM CLULEY. It's alleged that Manivel transferred large amounts of this life-changing windfall into different accounts, transferred it to her friends, gave away some to her family, used it to buy a $1.2 million luxury home with a cinema, home gym, 4 bathrooms, made a down payment on another home.
CAROLE THERIAULT. Would you do that? Would you have done that? I mean, 7 months though, and they haven't come knocking for it. You just assume at one point they are going to.
GRAHAM CLULEY. Don't you kind of think finders keepers? Maybe if they haven't noticed by now, um, uh, maybe—
CAROLE THERIAULT. I don't know.
GRAHAM CLULEY. My partner has told me I've won a competition. He said we won a competition, you know.
CAROLE THERIAULT. Don't worry about it, honey. Don't worry about it, Manny. We got this.
GRAHAM CLULEY. Another $4 million was transferred to a Malaysian bank account. That's where Manivel comes from, and her sister's based out there. Hundreds of thousands of dollars allegedly given to each of her daughters. Another friend has his $1.2 million mortgage.
CAROLE THERIAULT. Yeah, yeah. So they spread the wealth, blah, blah, blah, blah, blah, and get themselves—
GRAHAM CLULEY. Furniture, luxury cars, all sorts like that.
CAROLE THERIAULT. Like a gangster. Yeah.
GRAHAM CLULEY. And now Crypto.com, now they're hot on the case now, right? Now they've noticed this 7 months later.
CAROLE THERIAULT. Wait a minute.
GRAHAM CLULEY. They've sprung into—
CAROLE THERIAULT. Just hold on a second. I think something here is a little awry. Okay.
GRAHAM CLULEY. What's going on here?
CAROLE THERIAULT. Right.
GRAHAM CLULEY. Right. And so they are contacting the lawyers of Manivel and Jatinder Singh. And they're saying, "Uh, could we have our money back, please?" And nobody's replying. No one's acknowledging receipt. And so, funny that, isn't it? Put your head in the sand.
CAROLE THERIAULT. La la la.
GRAHAM CLULEY. Hopefully they'll go away. Hopefully they'll lose interest.
CAROLE THERIAULT. Yeah, because 10 million is not enough for them to keep their—
GRAHAM CLULEY. So, um, they also had not very much success contacting Manivel's sister in Malaysia. So she's not responding either. They just had a single, like one line just saying, thank you, received, or something like that, just like through an email, but they never went into any conversation. So Crypto.com say, well, there wasn't a competition. We don't send out push notifications. We would never have given away $10 million. Singh and Manivel are saying—
CAROLE THERIAULT. Although we didn't notice for 7 months, weirdly, but yeah. So—
GRAHAM CLULEY. Manivel tried to leave the country. She was arrested at Melbourne Airport in March. They say she was trying to flee to Malaysia on a one-way ticket, and she had a large amount of money on her.
CAROLE THERIAULT. I do kind of think I agree with you. Like, if in the crypto world, if I accidentally gave you £10 million, right? Yes. Or 10 million bitcoin, or not you, some stranger, they're not going to give it back. And no one's going to help me source that and get it back. They're going to say, well, it's gone. You fucked up. Right?
GRAHAM CLULEY. But isn't there some responsibility on the recipient to say, did you mean?
CAROLE THERIAULT. Ethically, yeah. But I don't know about legally.
GRAHAM CLULEY. If someone, Carole, left outside your house, I don't know, an Aston Martin car with the keys in it.
CAROLE THERIAULT. Right.
GRAHAM CLULEY. What if they parked it on your drive because it's very convenient for your lugubrious neighborhood? So they park it on your drive.
CAROLE THERIAULT. Right.
GRAHAM CLULEY. With the keys. Is that then your car?
CAROLE THERIAULT. No.
GRAHAM CLULEY. You don't think you can just take it?
CAROLE THERIAULT. No, I don't.
GRAHAM CLULEY. But it's all right for you to take $10 million?
CAROLE THERIAULT. No, I don't think—
GRAHAM CLULEY. You're saying there's nothing to compel you? There's no legal requirement, you reckon?
CAROLE THERIAULT. Ladies and gentlemen, this is gaslighting. Exactly what's going on right now. Okay, this is called twisting one's words. All I'm saying is, it should be the same way both ways. If a bank makes a mistake and pays someone $100 million or £10 million or £5, can they go to the bank or to the bitcoin exchange or whatever exchange and say, oh, can we just, you know, let's go back in time, you know, rewind, rewind.
GRAHAM CLULEY. But in this case, they have to ask. You can't just undo it at the bank level because the money's been moved from place to place.
CAROLE THERIAULT. Exactly. You know, I get it. I get it. Okay, so what's happened?
GRAHAM CLULEY. Nothing.
CAROLE THERIAULT. We don't know.
GRAHAM CLULEY. Well, Crypto.com are asking for the house to be sold, all proceeds to be returned to them. They want all the money back. And this couple, if they're found guilty, of this theft and subterfuge, they could face up to 20 years in an Australian prison.
CAROLE THERIAULT. Says who though? Says just— I don't know where the law— where's the precedent on this one?
GRAHAM CLULEY. Well, because it's theft, Carole, allegedly.
CAROLE THERIAULT. Yeah. It's not theft though.
GRAHAM CLULEY. You're not giving back something which belongs to someone else. I mean, even if it was a goof.
CAROLE THERIAULT. It was a goofy gift. I received lots of those in my life, Graham.
GRAHAM CLULEY. Oh, now you're admitting it. Now you're admitting it. Interesting. Carole, what's your story for us this week?
CAROLE THERIAULT. Okay, so the question is, would you hire a person who boasted about having scammed people in the past to the tune of like thousands and thousands and thousands?
GRAHAM CLULEY. Oh, golly, no. No, absolutely not.
CAROLE THERIAULT. What about if the person didn't say a word, but you found out somehow later that they had been a successful scammer? Would you call them out and say, look, I'm not very happy?
GRAHAM CLULEY. Oh no, I'm a coward. I wouldn't necessarily confront them.
CAROLE THERIAULT. But they're your employee.
GRAHAM CLULEY. I might— well, I might fire them for another reason, like body odor or something. I might find some other excuse to get rid of them. I don't know if I'd want to say you're right.
CAROLE THERIAULT. Right, because you'd be afraid for your life then, because scammers are killers.
GRAHAM CLULEY. Well, well, they might be. You don't know. You don't know what lengths they'll go to.
CAROLE THERIAULT. Okay, well, I want to see if this story changes your mind on this any. Okay.
GRAHAM CLULEY. All right.
CAROLE THERIAULT. So we're going to the other side of the world, over to Thailand, and you are perusing Facebook as you do, right? And you see an ad for an admin job that's right up your street. You're like, that's a very nice weekly pay packet.
GRAHAM CLULEY. Okay.
CAROLE THERIAULT. And it all looks good. And the job happens to be in Cambodia, which is a different country, of course, but it's just an hour flight away, capital to capital. So it's not really a big deal.
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. And plus you've got money, all the money you'll be making, you'll be able to travel back and forth.
GRAHAM CLULEY. So this is an in-person job. You actually will— I would have to go over there.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. Exactly. Right.
CAROLE THERIAULT. And everything's looking tickety-boo. And when you get there, things take an absolutely wild turn because there is no admin job. There is only a scammy, scammy scam job. So in short, you are told, okay, something along the lines of you need to target the pig, fatten the pig before butchering the pig.
GRAHAM CLULEY. Sorry, who's the pig in this story?
CAROLE THERIAULT. Which I've managed to translate to finding a target to woo, to scam, right?
GRAHAM CLULEY. Right.
CAROLE THERIAULT. And then woo the crap out of them until they're brimming with trust and then start hitting them up for moolah. These are their terms. This is according to The Guardian, links in the show notes.
GRAHAM CLULEY. Oh, like a romance scam. When you say woo, woo, woo.
CAROLE THERIAULT. Well, there is investment scams, any type of scam. Romance scams, investment scams.
GRAHAM CLULEY. But you're basically gaining the trust of someone in order to trick them out of money by some method. And that's your job.
CAROLE THERIAULT. This is your job, right? And you're told your role is to scour the internet for victims you could trick into investing in an online scam.
GRAHAM CLULEY. So they're quite upfront about this, and they're advertising these jobs on Facebook.
CAROLE THERIAULT. Yes. Well, well. Not as this, right?
GRAHAM CLULEY. Ah, they're just saying it's an admin job, right? Right.
CAROLE THERIAULT. So you may, you may at this point kind of go, uh, hey, I think there's been some kind of mix-up. I'm not a scammer. I just want to do a bit of paperwork, right?
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. And apparently this attitude of yours does not go down so well. This is according to Lai Thi Lan, okay? She's a woman who found herself in exactly this situation, and she explained in The Guardian that if she refused to do the work, she would be told that she'd be taken to the 8th floor of the building compound to be beaten or electrocuted.
GRAHAM CLULEY. What the f— What? What? Yes!
CAROLE THERIAULT. Yes! Okay? 8th floor. Weird. Okay? Lan was then told later by other workers that she had been sold to this criminal gang that was running this enterprise, and that she was now owned by the company.
GRAHAM CLULEY. You're kidding me.
CAROLE THERIAULT. Nope. Lan says she would work between 14 and 16 hours a day with only short toilet breaks. If you spent more than 10 minutes in the bathroom, your pay would be docked. Lunch and dinner were brought at the table where staff worked, and she'd been promised a salary of something like $800 to $900 US, and the first month she received, uh, $200 only, and the second and third month she received nothing.
GRAHAM CLULEY. Sorry, I'm still upset about the 10-minute toilet break.
CAROLE THERIAULT. Right?
GRAHAM CLULEY. Because sometimes—
CAROLE THERIAULT. Things can take a while for some people, right?
GRAHAM CLULEY. They can.
CAROLE THERIAULT. Especially if she's stressed out, which she would be.
GRAHAM CLULEY. If I've got a copy, you know, if I've got the newspaper and things, or the cricket on, it's going to take longer than that. Okay, so that's nasty.
CAROLE THERIAULT. She was told she had to earn 300 million dong, or $12,000, for the company each month.
GRAHAM CLULEY. That's a lot of dong.
CAROLE THERIAULT. We had a lot of dong. Every 5 days, she had to attract 2 new customers to be tricked into sending money. If she didn't meet her targets, her pay would be deducted and the bosses would threaten her with violence.
GRAHAM CLULEY. And there's, yeah, there's a constant threat of being taken up to this mythical 8th floor where they have the electrodes.
CAROLE THERIAULT. Yeah, for electrocution. Exactly. Now you kind of think, oh, you know, this must be a one in a million story. And in fact, there's been a recent crackdown in Cambodia in which more than 1,400 foreign nationals were rescued and returned home to their neighboring countries, including Vietnam and Thailand. And many think there are thousands and thousands more awaiting rescue.
GRAHAM CLULEY. Well, it's slave— it sounds, it sounds like slavery, doesn't it, really?
CAROLE THERIAULT. Yes, doesn't it? Just Lan's colleague, if I can use that term colleague, he was forced to work on romance scams. So Tuan was stuck in the same compound, and the romance-style scams centered around a fake online shop. And he said, "We called it selling emotions." And he would troll Facebook dating for targets. I didn't even know Facebook had a dating thing.
GRAHAM CLULEY. Oh, they do. It's the most horrendous.
CAROLE THERIAULT. Oh, right. See?
GRAHAM CLULEY. No, I haven't been on it, obviously.
CAROLE THERIAULT. Sure, of course not.
GRAHAM CLULEY. No, I think we talked about it way back when, is the whole horror of Facebook introducing a dating component. But apparently it does.
CAROLE THERIAULT. Yeah, you're ringing a bell. COVID fog. Um, and he'd say, he'd say, I'd pretend to be a woman to flirt with guys, and after flirting back and forth to create trust in them, I'd lure them into buying stuff like a pyramid scheme. The deeper they got sucked in, the worse it'd be for them.
GRAHAM CLULEY. Okay, look, these guys have got the wrong idea.
CAROLE THERIAULT. Which guys?
GRAHAM CLULEY. The people who've been tricked into working at the scam company. Because rather than saying, oh, hi, I'm a woman, la la, I'm really interested in you, or I've got a great investment for you. Why don't they say, hey, I'm stuck working for a scam operation where they're threatening to electrocute me?
CAROLE THERIAULT. Yeah, they're probably not checking any of the logs. Yeah, you won't even go to a scammer that you know is a scammer and say you're a scammer.
GRAHAM CLULEY. But it's a great story. It's a great story. That's the one they should be using to pull on the heartstrings and saying, can you send me an airfare to get out of here?
CAROLE THERIAULT. Can I just say my story isn't done yet? My story is not done because these two, how do we know about their stories? Because they got out. You want to know how they got out?
GRAHAM CLULEY. They dug a tunnel.
CAROLE THERIAULT. Crazier than that, I would argue.
GRAHAM CLULEY. Okay, let's hear it.
CAROLE THERIAULT. Okay, so most would have remained captive until the authorities had enough to raid the compounds. And the only way, of course, to leave the compound was by paying a huge ransom fee, which neither, you know, Tuan or Lan could afford. But they do manage to get out, and they get out by literally breaking free with a dozen other colleagues. Okay, according to The Guardian, some male staff fired Molotov cocktails to startle the work compound security officers. Then dozens raced from the building. Okay, so men in dark uniforms chasing frantically after them, waving sticks. Lan and Tuan and others jumped into the water along the Cambodia-Vietnam border and swam for their lives. Okay, there's even a video of this that's been shared widely online.
GRAHAM CLULEY. Is this true? Is this— is all of this true?
CAROLE THERIAULT. How do I know? It's according to The Guardian.
GRAHAM CLULEY. Exactly.
CAROLE THERIAULT. I wasn't there personally. I was not there. I have it on very good, reliable sources. Links in the show notes. One 16-year-old boy drowned during this escape.
GRAHAM CLULEY. Oh my God.
CAROLE THERIAULT. And not all of them made it. Another man who couldn't swim was dragged back and was seen being beaten. So Lan and Tuan are two of the lucky ones. They were able to break away from the gang and eventually get back home to Thailand. Now, I ask you again, before I carry on with the story, if you heard this and they were the employees that you were hiring, they were like, actually, well, once, yeah, I kind of did, but I didn't want to. This is what happened to me. Would you hire them then?
GRAHAM CLULEY. Oh, would I hire one of these people who's escaped? I'm still slightly dubious about this story, to be honest, Carole. I'm not sure I believe it all because it's extraordinary.
CAROLE THERIAULT. Well, it's kind of complicated, because Thailand has actually raised the alarm on this, saying this is definitely happening, and estimates that there's 3,000 more Thai workers trapped in these conditions. And the issue became so acute that in August, the US downgraded Cambodia to the worst level possible in its Trafficking in Persons annual report. And a UN special rapporteur likened the conditions in these compounds to a living hell. So put that in your pipe and smoke it. But when you get back home, you think your problems might be over. You know, mom and dad going, "Oh, God, thank God you're back. We were worried about you. We didn't hear from you," and everyone hugging and kissing. But in fact, no. The majority of people that have returned from such compounds, about 70%, have been prosecuted, according to the Royal Thai Police.
GRAHAM CLULEY. Because they scammed people in Thailand.
CAROLE THERIAULT. Because they may have scammed people in Thailand, and there are some bona fide scammers out there. But there are also people who get sucked into this scammy world, and it's a bit of a hornet's nest, because if you get it wrong, you either let a scammer go free, or you make a victim pay double time for being a victim.
GRAHAM CLULEY. So if I was a scammer, yeah, in Cambodia, and I did that for a couple of years and made myself enough million dong, I could then go pop over to Thailand and say, "Oh, I've had a terrible time. Oh my goodness, I had to jump in a river. Oh, Molotov cocktails, electrodes, etc.," in order to try and get some sympathy rather than be prosecuted. Is that what you're saying? Some people might be pretending to—
CAROLE THERIAULT. But presumably, people also fall for it. And there would be a record, right? There would be evidence that she clicked on the link of the ad. There would be an ad, there'd be a paper trail somewhere. There'd be the emails back and forth. There'd be the buying of the plane ticket.
GRAHAM CLULEY. Facebook would definitely have tracked everything. Let's be honest.
CAROLE THERIAULT. Exactly.
GRAHAM CLULEY. Facebook would have stopped it.
CAROLE THERIAULT. I could call them. They will explain everything. They will explain everything.
GRAHAM CLULEY. Why are Facebook allowing these ads from dodgy people to occur?
CAROLE THERIAULT. Right? Does Facebook even exist anymore? I don't even know.
GRAHAM CLULEY. It's rebranded.
CAROLE THERIAULT. Is it Facebook by Meta or is it Meta Meta?
GRAHAM CLULEY. Meta's the parent company. Facebook, the website, exists. Yes, I'm afraid so.
CAROLE THERIAULT. Okay. And on top of all that, okay, on top of that—
GRAHAM CLULEY. Have you got more?
CAROLE THERIAULT. No, I was just going to say on top of all this, you won't hire them.
GRAHAM CLULEY. Oh yeah, because that's the biggest of their problems that I won't hire them.
CAROLE THERIAULT. Well, it's just the icing on the cake. The straw that breaks the camel's back.
GRAHAM CLULEY. Graham Cluley won't hire me. Oh my goodness. My life is ruined. Yes.
CAROLE THERIAULT. I see more clearly now in this COVID fog.
GRAHAM CLULEY. If you're considering a third-party audit like SOC 2 or ISO 27001, then you should be prepared to answer some tough questions about endpoint security. Auditors want to know that you have a system in place to monitor and maintain compliance across your fleet, which means showing that your staff are using things like disk encryption, screen locks, password managers. If you're not quite sure how you'd go about proving all that, then you need Kolide. Kolide's an endpoint security tool for Mac, Windows, and Linux devices that gives you the visibility you need to meet your third-party and internal compliance goals. Best of all, Kolide doesn't resort to spying on workers or locking down devices. Instead, it works with end users to resolve issues and relies on their cooperation and informed consent. You can meet your security goals and pass your audit without compromising on privacy. Visit kolide.com/smashing to find out how. If you follow that link, they'll also give you a goodie bag just for activating a free trial. That's K-O-L-I-D-E dot com. kolide.com/smashing.
CAROLE THERIAULT. Smashing Security listeners, did you know that Bitwarden is the only open-source, cross-platform password manager that can be used at home, on the go, or at work? Bitwarden's password manager securely stores credentials spanning across personal and business worlds. And every Bitwarden account begins with the creation of a personal vault, which allows you to store all your personal credentials. These are unique and secure passwords for every single account you access, and it's easy to set up. It's easy to use. I honestly love Bitwarden. I use it at home, use it at work, use it on the go. Get started with a free trial of a Teams or Enterprise plan at bitwarden.com/smashing, or you can even try it for free across devices as an individual user. Check it out at bitwarden.com/smashing. And thanks to Bitwarden for sponsoring the show.
GRAHAM CLULEY. And welcome back. And you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
CAROLE THERIAULT. Pick of the Week.
GRAHAM CLULEY. Pick of the Week. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security-related necessarily.
CAROLE THERIAULT. Better not be.
GRAHAM CLULEY. Well, my pick of the week this week is not security-related. My pick of the week is a board game, a board game which doesn't have a board, a board game that I have been playing called ZÈRTZ.
CAROLE THERIAULT. Oh, okay. I thought it would be the tortilla water full-mouth slapping. I have not played that yet.
GRAHAM CLULEY. You can play tortilla slap.
CAROLE THERIAULT. I'm actually going to a 50th birthday party at the end of the month. So I will set it up for that place. Yes.
GRAHAM CLULEY. Well, ZÈRTZ, Z-E-R-T-Z, is an abstract two-player strategy game played with marbles, white, gray, and black. Very nice feeling marbles, by the way. All the pieces in this game really feel nice. It's just like, oh, I like to touch these. Oh yes. Thank you very much. It's a bit like a Bakelite telephone. You know how nice that feels?
CAROLE THERIAULT. Yeah, I like those.
GRAHAM CLULEY. Yeah, exactly. That's what we're talking about. So you get these lovely marbles and you start off, you build a hexagon made out of marble holders, which come in the pack. And each go you put a marble down and you take one of the holders away from the hexagon, one of the ones which isn't occupied. So over time, the area of play gets smaller and the number of marbles increases and the marbles can jump over each other a bit like in draughts or checkers.
CAROLE THERIAULT. Or is that a Parcheesi? Isn't something like that?
GRAHAM CLULEY. I don't know.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. Anyway, you can jump over. In fact, you have to take if you can take. And slowly the board gets smaller. And after a few plays, you begin to understand the strategy is much deeper than you initially imagined. Because you can lay traps for people. You can force them to take your pieces in order to get the colours that you want in order to win the game. And it's really fun. It's a— I was playing with my son and he said to me, "I like this game, Dad, because first of all, I'm able to beat you." But secondly, secondly, it's using his brain in an interesting way. He said it's a bit like chess. He doesn't like playing chess with me because I beat him. But it's a good brain strategy game. It's part of something called the GIPF Project, G-I-P-F, which is a series of abstract strategy games by a German designer called Kris Burm. I've been curious to try the other games. I haven't played them yet. I've only played ZÈRTZ so far, but I expect that they will be equally good. And that is why ZÈRTZ is my pick of the week. Great fun.
CAROLE THERIAULT. Okay, well, there you go. Well done.
GRAHAM CLULEY. It's good. Do you play any intelligent games, Kryll?
CAROLE THERIAULT. Do I play any intelligent games?
GRAHAM CLULEY. Yeah, simple yes or no would have sufficed.
CAROLE THERIAULT. Yes, of course I do.
GRAHAM CLULEY. Such as?
CAROLE THERIAULT. I play Qwirkle.
GRAHAM CLULEY. Yeah, it's not that intelligent.
CAROLE THERIAULT. It's pretty intelligent.
GRAHAM CLULEY. No, it's not really. It's just dominoes, isn't it, Qwirkle?
CAROLE THERIAULT. I play Scrabble.
GRAHAM CLULEY. Yeah, I like Scrabble. Yeah.
CAROLE THERIAULT. I play Wordle.
GRAHAM CLULEY. Okay. Yeah. What's your pick of the week?
CAROLE THERIAULT. Okay, maybe blame COVID, but mine is slightly security related. Oh. And I know, I know. Well, you know, be gentle.
GRAHAM CLULEY. Amusing, isn't it?
CAROLE THERIAULT. My pick of the week is The Capture, a BBC show that just released its second series. And many a folk tweeted and emailed us asking us to cover this one. And now I am. Graham, I can't remember if you watched it or not. I remember telling you about it.
GRAHAM CLULEY. I've seen the first series. I believe there's now a second series out as well.
CAROLE THERIAULT. Yes, there's a second series. Okay, I'll give a quick description for listeners. Just quick, quick. But basically, you have an inspector, Rachel Carey, played by Holliday Grainger. She's drafted in to investigate a case, but quickly learns that, you know, disentangling misinformation from the truth is not going to be easy. That's probably the best way to put it. And it basically seems like video footage is not as reliable as one would think. Maybe think deepfakes and that kind of thing. And trying to get to who's behind all these shenanigans is an equally rocky road full of pitfalls and all kinds of stuff. It's a bit MI5, right? Not 9 to 5.
GRAHAM CLULEY. Is it plausible? Do you think they stretch it too much, or do you think it's rooted in reality?
CAROLE THERIAULT. I pass. No, I didn't think it was rooted in reality. But then I don't think any medical show is either. So, you know.
GRAHAM CLULEY. But maybe it's not reality now, but it might be in 10 years' time if deepfakes continue the way they are going, for instance.
CAROLE THERIAULT. Oh, sure, sure. But not on CCTV cameras, I don't think.
GRAHAM CLULEY. Okay, I thought that was a bit, uh, I don't know.
CAROLE THERIAULT. Anyway, whatever.
GRAHAM CLULEY. I don't know.
CAROLE THERIAULT. What do I know? I don't know. Take it up with me in 10 years.
GRAHAM CLULEY. But you liked it? You liked the show?
CAROLE THERIAULT. Yes, yes. But I mean, no, I don't have a lot of energy at the moment. I'm watching a lot of crap, right? So this one—
GRAHAM CLULEY. why have you not got it yet?
CAROLE THERIAULT. Oh, stop it. So my pick of the week is The Capture. It's produced by Peacock, available currently on the BBC iPlayer. Links in the show notes. Enjoy.
GRAHAM CLULEY. Well, that just about wraps up the show for this week. You can follow us on Twitter @SmashinSecurity, no G, Twitter doesn't allow us to have a G, and we also have a Smashing Security subreddit. And don't forget, to ensure you never miss another episode, follow Smashing Security in your favorite podcast app. And while you're at it, maybe you want to give us a review, give us a 5-star review, say something nice about us. I don't know if it changes the algorithm, but it sure makes us feel a whole lot better. Lot better if you could do something like that. What the fuck was that?
CAROLE THERIAULT. Just give us a review if you'd like to. Don't worry about that. Huge thank you to this episode's sponsors, Bitwarden and Kolide, and to our wonderful Patreon community. Thanks to them all, this show is free. For episode show notes, sponsorship information, guest lists, and the entire back catalog of more than 292 episodes, check out smashingsecurity.com.
GRAHAM CLULEY. Until next time, cheerio, bye-bye, bye.
CAROLE THERIAULT. We didn't even talk about not having a guest this week.
GRAHAM CLULEY. We didn't this week. Carole, we didn't have a guest this week.
CAROLE THERIAULT. We didn't have a guest this week. Did you notice? I didn't notice.
GRAHAM CLULEY. We did have a guest this week until about half an hour before we started recording.
CAROLE THERIAULT. Yes. Don't worry guys, this will not be a normal thing. It won't just be the two of us. We wouldn't be able to stand it either. Yeah. All right, pause.
GRAHAM CLULEY. Hit and stop.
-- TRANSCRIPT ENDS --