Apps can let you spy on strangers in bars, a gang of cryptocurrency thieves turns to kidnap and assault, and have you joined the mile-high evil twin club?
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Mark Stockley of the brand-new "The AI Fix" podcast (co-hosted with Graham!).
Talk about nepotism.
Warning: This podcast may contain nuts, adult themes, and rude language.
Episode links:
- Hoos Out Tonight? Dundee medical student launches new app which reveals ‘hot’ pubs - The Courier.
- ‘It’s completely invasive’: New app lets you spy on SF bars to see if they’re poppin’ - San Francisco Standard.
- Florida Man Convicted in Violent Crypto Theft Spree - Crypto Daily.
- Inside a Violent Gang's Ruthless Crypto-Stealing Home Invasion Spree - Wired.
- Man charged over creation of ‘evil twin’ free WiFi networks to access personal data - Australian Federal Police.
- Police allege 'evil twin' in-flight Wi-Fi used to steal info - The Register.
- Australian charged for ‘Evil Twin’ WiFi attack on plane - Bleeping Computer.
- Suno - make a song about anything.
- The AI Fix podcast - hosted by Graham Cluley and Mark Stockley.
- Putty Pals - Nintendo Switch.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- 1Password Extended Access Management – Secure every sign-in for every app on every device.
SUPPORT THE SHOW:
Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.
Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!
FOLLOW US:
Follow us on Twitter at @SmashinSecurity, or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.
THANKS:
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Transcript
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
CAROLE THERIAULT. Qu'est-ce que c'est?
MARK STOCKLEY. It's a brilliant new podcast.
CAROLE THERIAULT. I didn't know you were hosting a podcast, Mark. Who are you doing that with?
UNKNOWN. Smashing Security, episode 379: Private Nights, Evil Twins, and Crypto Home Invasions with Carole Theriault and Graham Cluley.
GRAHAM CLULEY. Hello, hello, and welcome to Smashing Security episode 379. My name is Graham Cluley.
CAROLE THERIAULT. And I'm Carole Theriault. Graham, you sound a bit funny.
GRAHAM CLULEY. Oh, I do. I'm a little bit under the weather. I've got something stuck up my nose or coming out of my nose. So apologies, listeners. But the good news is that we're joined by a special guest this week. Someone who's been on the show many times before, but under a new guise this week. It's Mark Stockley of the AI Fix podcast.
MARK STOCKLEY. Hi!
CAROLE THERIAULT. Hey, AI Fix! What is this? Qu'est-ce que c'est?
MARK STOCKLEY. It's a brilliant new podcast.
CAROLE THERIAULT. I didn't know you were hosting a podcast, Mark. Who are you doing that with?
MARK STOCKLEY. Some chap called Graham.
CAROLE THERIAULT. Graham.
GRAHAM CLULEY. Hello.
CAROLE THERIAULT. Graham Graham?
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. Okay, no, I knew, I knew. I was just trying to give some excitement.
MARK STOCKLEY. Did you make us a cake? Are there decorations? I can't see.
CAROLE THERIAULT. Why? Because I'm a girl?
MARK STOCKLEY. Wow. You went there, I didn't. I just, because you're nice.
CAROLE THERIAULT. Listeners, I'm a little insecure about this new podcast. You know, it's going to blow us out of the water.
GRAHAM CLULEY. Oh, I don't think so.
CAROLE THERIAULT. You know, you've got two knowledgeable middle-aged men.
GRAHAM CLULEY. Yeah, the podcast run by a couple of old white guys.
MARK STOCKLEY. We thought there aren't enough podcasts with a couple of white guys talking about AI.
GRAHAM CLULEY. Yeah.
MARK STOCKLEY. You know, it's a new niche.
GRAHAM CLULEY. So Mark, tell me, what's The AI Fix all about?
MARK STOCKLEY. It's about AI, which is artificial intelligence.
CAROLE THERIAULT. Is it?
GRAHAM CLULEY. Not artificial insemination.
MARK STOCKLEY. Well, sometimes. Yeah, it's a podcast about AI and it's for people who want to listen to something about AI and not fall asleep. I think that's probably the best way to describe it.
GRAHAM CLULEY. So we're going to dive headfirst into the hilarious, bizarre, and downright mind-boggling, it says here, world of artificial intelligence. You and me, Mark, we're going to discover AI and share some weird stories, and who knows what we'll find on the way.
CAROLE THERIAULT. Well, I'm not nervous about it at all. It's super great. I'm super happy.
GRAHAM CLULEY. Great. Thank you very much. Anyway.
MARK STOCKLEY. I think you should come on.
CAROLE THERIAULT. Come on.
MARK STOCKLEY. Come and try out the furniture.
GRAHAM CLULEY. Be our first guest, maybe.
MARK STOCKLEY. Sit in the AI Fix sofa. You can put up some decorations and make a cake.
GRAHAM CLULEY. Frankly, we could do with another listener.
CAROLE THERIAULT. Well, look, I have a new cat. I'm very busy. But before we kick off, let's thank this week's wonderful sponsor, 1Password. It's their support that helps us give you this show for free. Coming up on today's show, Graham, what do you got?
GRAHAM CLULEY. Oh, I am going to be getting hep to the jive, daddy-o.
CAROLE THERIAULT. Okay, Mark, good luck with the AI Fix. What's your topic?
MARK STOCKLEY. I am going to talk about criminals getting their digital comeuppance.
CAROLE THERIAULT. And we're going to see if evil twins do exist. All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY. Now, Daddy-O, Daddy-O, are you hep to the jive?
CAROLE THERIAULT. As a jazz lover, this is really upsetting. Jesus.
MARK STOCKLEY. Just as a human with ears, this is really upsetting.
GRAHAM CLULEY. I like nothing more on a Saturday night than cutting a rug, digging some crazy chick, and laying some skin on the dance floor.
CAROLE THERIAULT. It's all bollocks.
GRAHAM CLULEY. Hey, Carole, don't get bent out of shape. This is me, Graham, talking here. But what you may not know about me, listeners, is that this cat has got the cream.
So I say to you squares, get with it, Jackson, because the ginchiest thing you ever saw is a 50-something podcaster cooking with gas. Ya dig?
CAROLE THERIAULT. Did you AI how to talk like someone who is a jazz cat?
GRAHAM CLULEY. Yes, I did. I am, of course, describing the typical night out that I like to enjoy in hip language. You can imagine me donning my smoking jacket, my espadrilles, my plus fours, hitting the hip happening joints in my hometown.
But the question you also have to ask yourself when you're going out for the night is where to go. That's the difficult question to answer because you want to go somewhere where there is what I believe is known by the kids as a vibe, somewhere that is hot.
Well, I wouldn't have had a problem if I lived in Dundee in Scotland, where an enterprising student has launched an app for your smartphone, Android and indeed iPhone, and it's called Hoos Out Tonight. Hoos is spelt with an H.
So it's who's out tonight, which is my approximation of a Scottish accent.
CAROLE THERIAULT. So it's an app to find out who's about, who's out, who's doing what.
GRAHAM CLULEY. Right.
CAROLE THERIAULT. Yeah, connect. That's right.
GRAHAM CLULEY. It's got around about 3,000 users. It was put together by a fourth-year medical student called Thom Whitelaw, and he developed Hoos Out Tonight so that people could— well, the app can track your location, and it guides partygoers to the best spots in town, it says.
MARK STOCKLEY. And hasn't this app already been invented about 20,000 times? Yeah.
CAROLE THERIAULT. He's already taking a chip out of our show, Graham. I'm just saying.
GRAHAM CLULEY. Because there was, was it Foursquare? Foursquare.
That's right. Foursquare, where you could be king of a location.
MARK STOCKLEY. Yeah. Grindr.
GRAHAM CLULEY. Yeah. Grindr could do it.
And that you had extras with Grindr, of course. It sort of gave you a little radar.
You are within 13 feet of a penis, if that was what you were looking for.
CAROLE THERIAULT. Dick alert. Dick alert.
Us girls need that too, you know.
GRAHAM CLULEY. There goes the sonar. So, this app tracks your location, and this guy Thomas, he developed it after having some previous bad experiences.
He was describing to the media how he went out with his friends one night in Dundee, and there they are barrelling down the road, and they went to one venue. They paid £5 to get in, and what did they find?
CAROLE THERIAULT. Nothing.
GRAHAM CLULEY. No one was there. It was, "This place isn't happening."
CAROLE THERIAULT. Okay, I've been out a lot.
GRAHAM CLULEY. Carole, you're still in your 40s.
CAROLE THERIAULT. Yeah, I've been out a lot, and you can sniff out an empty joint pretty easily. It doesn't take much.
GRAHAM CLULEY. But hang on, there is a difference between you and me and Mark, and that is that you are a female.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. Yes, you're right. You've got boobies, which means that you can get into these places typically for free, whereas Mark and I—
CAROLE THERIAULT. No one wants to be in an empty joint, whether it's free or for a fiver.
GRAHAM CLULEY. No, but if it's happy hour or something, you could go in for a cocktail with your gaggle of girls and you could have fun there, and then us men would pay to gain access to you.
CAROLE THERIAULT. It's so gross. It's so gross.
GRAHAM CLULEY. Well, not like that.
CAROLE THERIAULT. It's so gross.
GRAHAM CLULEY. I'm not suggesting—
CAROLE THERIAULT. Gather in the chickens, let the cocks in.
GRAHAM CLULEY. Typically, the men have to pay to get in, and only then do they discover either that it's empty, or there's no one there that they find particularly attractive.
CAROLE THERIAULT. Yeah, it's not a guarantee of, you know, getting laid, a fiver. Seriously, if that's what you're hoping to get for a fiver—
GRAHAM CLULEY. This is Dundee we're talking about, Carole. I'm sure it probably is quite good.
CAROLE THERIAULT. Good God.
GRAHAM CLULEY. So they went somewhere else, and they paid another £5, and then they realised it was an over-40s night. So it probably would've been us three in there at that time.
CAROLE THERIAULT. What were their objectives? Like if they wanted to go out and boogie or—
GRAHAM CLULEY. They just want to go out there. They're medical students. They just want to go out and get drunk and disembowel someone or whatever it is medical students do. Play with some corpses. What do medical students do?
MARK STOCKLEY. Do we really want to go there?
CAROLE THERIAULT. I'm thinking it's a rhetorical question. Just ignore him.
MARK STOCKLEY. Yeah.
GRAHAM CLULEY. Anyway. They ended up spending £15, and they were really, really disappointed. Oh!
CAROLE THERIAULT. Okay, wow. I'm feeling for them now.
GRAHAM CLULEY. And they said by the time they went somewhere there were actually people, it was 2 AM. And the bouncers said, "No, you're not allowed in now. It's too late."
MARK STOCKLEY. So, is Dundee a big place?
GRAHAM CLULEY. It's a city.
CAROLE THERIAULT. It's got a university.
GRAHAM CLULEY. It's home of the Dundee Cake as well.
MARK STOCKLEY. It took them until 2 AM to find someone.
GRAHAM CLULEY. They're medical students. They're probably quite, quite drunk.
MARK STOCKLEY. So they basically, they stayed in the place that was empty.
GRAHAM CLULEY. Well, they said they didn't, but they may have bought a drink on the way. Just to get—
MARK STOCKLEY. Did they write the app in the place that was empty? They just used the silence, took the opportunity, spent a few hours, made the app, found someone with the app, 2 AM, £15 well spent.
CAROLE THERIAULT. I'm interested in knowing why this is on our show at the moment.
MARK STOCKLEY. Because—
GRAHAM CLULEY. Because—
MARK STOCKLEY. I'm glad you asked that question.
GRAHAM CLULEY. This medical student who's behind the app, he says that safety and privacy are a priority for him. He says that the app shows locations to your, quote, friends. These are people you've pre-approved. And the map doesn't show how you are travelling to a particular location.
CAROLE THERIAULT. What do you mean how? Like skateboard, donkey?
MARK STOCKLEY. Skiing?
GRAHAM CLULEY. Yeah, that kind of critical information is not shared, apparently, by the app. Or what routes that you're taking, because they don't want to share that. They just want to say when you check into somewhere. And he was asked by the press, how do you stop abuse? And he said, don't worry about that. We've got inbuilt measures in place to stop abuse.
CAROLE THERIAULT. Sounds like 90% of the companies.
GRAHAM CLULEY. He says the main one is your location will not be shared with people you haven't accepted as friends on the app. Right.
CAROLE THERIAULT. That's what you want to know. You want to— I'm going to be responsible for choosing people that I know, and you're responsible for making sure that the right information is shared with them. Got it. Okay.
MARK STOCKLEY. Yeah, makes sense.
GRAHAM CLULEY. Makes sense. So in principle, if that data is held securely, if the app has been developed by professional app developers rather than in a bar while they're waiting to find some girls, then everything should be fine, right? Everything should be okay because they're only going to notify people who you've friended via the app as to where your location is.
If you're not friends of anyone, you would be able to see that there are maybe 80 people checked in at a particular venue, but you won't be able to see who specifically is in that bar. So you'll be able to see the popularity of a place, but you won't be able to see who is there. I don't know if it tells you what gender they are.
CAROLE THERIAULT. It might say that, oh, and three of your friends are there too. Well, yes.
GRAHAM CLULEY. But if you're friends, then it will actually tell you that Brian and Cluffy and Stringberg are there as well.
MARK STOCKLEY. I don't want to jump ahead or second-guess what's going to happen next, but I've got a bad feeling about this. And my bad feeling is, when somebody says to me that my privacy and security is important to them, I get the same feeling as when somebody tells me their call is important to me.
GRAHAM CLULEY. Well, so far, the only people who've used Whose Oot to Neet are these 3,000 students, I imagine, in Dundee. And I imagine this—
CAROLE THERIAULT. That's not chump change.
GRAHAM CLULEY. No, it's not. But I imagine they're all so bladdered that they haven't actually had the compos mentis to actually test the security of the app to see if there are any vulnerabilities.
CAROLE THERIAULT. Oh, right. Go and read the terms and conditions that you always make fun of me for. Right, they should all do that now.
GRAHAM CLULEY. Or they haven't vulnerability tested it, or no one's actually—
CAROLE THERIAULT. Kids are better than most. Kids are better than most, I think. I don't know, I'm defending the kids. They're pretty smart.
GRAHAM CLULEY. Well, there is a new app on the scene now. So that's one of them, but this is happening all around the world. Another one has hit the streets of San Francisco. So there is an app called Two, the number 2, Night.
CAROLE THERIAULT. What? You're— okay, you're annoyed by something.
GRAHAM CLULEY. It sounds— yeah, the name. Number 2 Night. It's a little bit like a Prince song.
CAROLE THERIAULT. What's wrong with Prince?
GRAHAM CLULEY. Well, Prince is all right, but the names of his songs sometimes have a number 2 instead of the word 'two', or 'You' is a capital U on its own.
MARK STOCKLEY. Carole, do you want to be on a podcast?
GRAHAM CLULEY. 2Night allows users to check livestreams of bars and clubs to determine if they have the right vibe. And the chap who's created this app has predicted that demand's going to be really high, because he says San Francisco night scene, he's had problems navigating it.
What it does is his company has set up a network of cameras across San Francisco venues that let app users see how busy events are, not by people checking in, but instead by them looking at the livestream video from particular bars.
CAROLE THERIAULT. Oh, I quite like that. I think I do, because if I were a 20-something kid wanting to go out and party, especially if I'm in the States and it's a long drive, you know, it's not an A to B. I'm not living in New York and it's easy to get to. It's far, you want to check and make sure it's worth its salt.
GRAHAM CLULEY. Well, it has divided opinion because although there may be some advantages, for instance, you may be able to get a sense of the male-female ratio, for instance, or—
CAROLE THERIAULT. Yeah, that would be my first worry. Is there too many girls in the house?
MARK STOCKLEY. Shit, I'm not going. I'm sorry, I don't wish to speak out of turn, but I think that's a big assumption in San Francisco.
GRAHAM CLULEY. I could go work out the male-male ratio. If your club is full of Hell's Angels or ventriloquists or something, you may choose not to want to go there, Carole. So working out the ratio and who actually is there, I think it makes a lot of sense.
But it's interesting that you think this is a good idea because they've suffered a real backlash on social media because bar-goers are claiming their privacy is being invaded. People say, forget that shit, they're saying.
GRAHAM CLULEY. We don't like the idea of being videoed when we go to a bar. Just go to a bar and decide if you like it.
If it's not cool, go to another bar. And some of the bars are upset because some of them are saying, we've been listed on this app and we haven't actually signed up for this, but it's advertising that we're members of the network.
GRAHAM CLULEY. So people are saying this is a privacy issue because other people can see that you're constantly at the bar drinking away and you're getting a bad reputation. That's what they're worried about.
CAROLE THERIAULT. They're worried about their boss.
GRAHAM CLULEY. Or you're doing the fandango.
CAROLE THERIAULT. They're worried about their boss seeing the video of them just chugga-chugga. Right.
MARK STOCKLEY. I don't know about you guys, but if I don't want to be seen and I don't want people to know what I'm doing, I go to a bar.
GRAHAM CLULEY. But if you— maybe you don't mind being seen at the bar, but you don't want other people who don't go to the bar seeing that you're there. Like, for instance, your partner, or maybe your boss, because you've got a big project to hand in at 8 o'clock the following morning.
CAROLE THERIAULT. Oh no, okay, but think about it.
GRAHAM CLULEY. And you're out there getting blathered.
CAROLE THERIAULT. Think about it. Okay, so say you don't want your tutor to know that you've gone out instead of written your essay, right?
So you've gone out to one of the bars. Is the tutor gonna spend his time going through every single bar, all the live footage to see if they can spot you?
CAROLE THERIAULT. Presumably this is outside the bar, not inside the bar.
GRAHAM CLULEY. No, it's inside the bar. It's inside.
So— These cameras are ins— I've just said it 3 times. I'll say it again. They're inside the bar.
MARK STOCKLEY. So where are the cameras?
GRAHAM CLULEY. They're inside, Mark.
GRAHAM CLULEY. Mark, what's your story for us this week?
MARK STOCKLEY. Well, you guys know that I love a story about criminals who aren't as smart as they think they are. And so my story today is all about an absolutely horrible individual called Rémy Saint-Félix and his gang.
CAROLE THERIAULT. I love his name. Rémy Saint-Félix.
MARK STOCKLEY. Anyway, he turned out to be a lot less tech savvy than he thought. And that's good news for all of us, but particularly for people living in North Carolina, Florida, Texas, and New York.
Because Saint-Félix is a horrific individual who's just been convicted of a series of violent home invasions and is now facing 7 years to life.
CAROLE THERIAULT. Okay, I don't like his name very much anymore.
MARK STOCKLEY. No. So strangely, this guy is a cryptocurrency thief, and there's nothing unusual about that, you might think. When cryptocurrency was booming, you couldn't go a week without somebody, normally the owner, siphoning off half a billion dollars in bitcoin from some dodgy online exchange or abusing a smart contract to ransack somebody's collection of monkey pictures.
But Felix wasn't like those thieves. Now, crypto theft is never victimless and it can cause significant harm, but it is at least normally bloodless. But St. Felix and his gang were not bloodless.
They targeted cryptocurrency owners and they broke into their homes. And then once they were inside, they threatened and even tortured the occupants in an attempt to get them to transfer money or hand over passwords. Oh boy, that's really nasty.
CAROLE THERIAULT. It'd be really annoying if you'd lost your little gizmo where all that information was on and you wanted to give it to them as well. You'd be, "I don't know where I put it."
GRAHAM CLULEY. Oh, your little hardware key.
CAROLE THERIAULT. Yeah, don't break my toe.
MARK STOCKLEY. Anyway, thankfully, they only carried out a handful of these raids before they were caught, and they didn't make much money. And in fact, they'd actually have been much better off staying online, which is where they started.
So the origins of the gang start with a chap—now, if you like St. Felix's name, you're going to love this one. So the origins start with a chap by the name of Jared Seemongold, who cut his teeth on SIM swaps, working bizarrely with a group of people that he met in Minecraft.
Which is easily the weirdest thing about the whole story. I mean, I thought Minecraft was this sort of charming educational game for kids.
It's the one thing online that I had no problems with my kids spending all day on. But who knew? It turns out it's a gateway to violent home invasions.
I should just let them use TikTok or something. Anyway, so SIM swap is where you trick a phone company into transferring somebody's phone number to your device.
And that allows you to receive their two-factor authentication codes when they log into an online account. So, you know, you type in your username and password and then your phone says, you know, now you need to type in this six-digit code that appears on your phone.
And so if you've guessed someone's password and you've stolen their phone number through a SIM swap so you can get their 2FA codes, then you can break into their crypto accounts and you can steal their money. And it sounds like Seemongold was actually quite successful at this. And in one case, he even managed to steal $3 million from a single victim.
CAROLE THERIAULT. I'm dying to know how he gets into proper home invasions to make this even more complicated.
MARK STOCKLEY. Well, that's a really, really good question. And the details on this case don't go into that very much.
But it seems after a year or so of doing this, he started to think about ways to target people that he couldn't hack. So for example, one of the victims was someone that he had stolen money from online, but he knew there was more money to be had.
CAROLE THERIAULT. So he's going back to another previous victim. Yeah.
MARK STOCKLEY. In order to do a SIM swap, for that to work, you also have to guess someone's password, which means they either have to be reusing passwords or they have to have a password you can guess. So there's this whole group of other people who've got slightly better online security that aren't going to be vulnerable to that kind of attack no matter what.
And so this guy, Seemongold, approached St. Felix and two others, and then St. Felix recruited a bunch of other people until they had a gang of about a dozen. And although the crimes happened in the real world, obviously very little happens in the real world today that doesn't also touch the online world somehow.
So the gang took steps to protect themselves online, and they were using cryptocurrencies, of course, and they liked Monero, which does a much better job of keeping you anonymous than Bitcoin. Which is only pseudonymous, right?
And they use the Telegram encrypted messaging service to plan their crimes. Because for some reason, criminals always use Telegram rather than Signal. I don't know why.
But if you tell me that you're a Telegram user, I'm basically going to assume that you're either a crook or you're a Russian milblogger. Those are your only two options.
GRAHAM CLULEY. Telegram is the Russian encrypted messaging service, isn't it? I think they— Yes. I wonder if that could possibly be connected to the cybercrime angle.
MARK STOCKLEY. Very popular with ransomware gangs. Just going to leave it there. Anyway, as you know, both of you, staying hidden online is hard.
And in the words of the US Department of Justice, although the members of this violent conspiracy tried to cover their tracks through encrypted communication and anonymous financial transactions, they were not beyond the reach of our dedicated investigators and prosecutors. And you can say that again.
CAROLE THERIAULT. I don't think I could, actually.
MARK STOCKLEY. I'd like to hear Graham say it in jive. Don't think we got time. So I'm deliberately not going to go into the details of the invasions because they are actually horrifying.
And they must have been an unimaginable ordeal for the people who were involved. So instead, I'm going to focus on the criminals because I'm absolutely not above poking fun at awful individuals.
But just so that you know, these were violent crimes with real victims. Now, one of the invasions happened in North Carolina in April 2023.
And it started with members of Felix's gang disguising themselves as construction workers by wearing safety vests and khaki pants.
GRAHAM CLULEY. They sound at the moment they're Village People, I think, is how they've dressed themselves up. Which is truly terrifying if they showed up in the middle of the night in my house.
MARK STOCKLEY. That was the only point in the whole scenario where they were in any way the Village People. But one of them, you're going to love this, Carole, one of them is called Elmer Castro.
Anyway, once inside, they coerced the occupants into transferring exactly $156,853 of cryptocurrency. And then after the attack, the criminals had to split the money.
So Castro and Felix both opened cryptocurrency accounts not long after leaving the crime scene. You'd imagine that criminals who are savvy enough to use Monero and Telegram to cover their tracks are going to use some kind of shady offshore exchange rather than one that the FBI can pick up the phone to, say Coinbase.
GRAHAM CLULEY. Oh my goodness, they didn't. They did.
MARK STOCKLEY. Seriously? They opened Coinbase accounts.
CAROLE THERIAULT. And why is that so crazy?
MARK STOCKLEY. Well, if you open a Coinbase account, you're basically, you have to register in the US. And if you've got an account there and you're of interest to the FBI, the FBI pick up the phone and they wave a search warrant at Coinbase and Coinbase goes, here's everything we know about these people.
GRAHAM CLULEY. And when you create an account at Coinbase, they're going to ask you for your ID. They want to know who the hell you are.
CAROLE THERIAULT. Before they let you in. Oh yeah.
MARK STOCKLEY. Yeah. So, I mean, I guess you could always use a false identity. Like, you're a crook, you're into home invasions.
GRAHAM CLULEY. Yes, yes, you definitely would. You're going to have a false ID. Every decent crook would do that.
MARK STOCKLEY. Yes, of course. Yeah. So that nobody would be dumb enough to open a crypto account in their own name. Would they?
CAROLE THERIAULT. Oh, I would. I'd be the idiot.
GRAHAM CLULEY. Elmer Castro does sound like a pseudonym. It doesn't sound like it's his real name.
CAROLE THERIAULT. Yeah, I can't, I'm trying to imagine the mum looking at this tiny little baby going, I know.
GRAHAM CLULEY. Tickle me, Elmer.
MARK STOCKLEY. So within hours— Oh boy. —of the attack, both Castro and St Felix had both opened Coinbase accounts in their own names. And as Graham pointed out, you don't get to open one of those accounts without providing some ID. And so not only did they provide their names, but they also provided their phone numbers, their addresses, their email addresses, and copies of their driver's licenses.
GRAHAM CLULEY. Why didn't they— when they're torturing people to get access to their bitcoin currency or whatever it is, why aren't they also taking the ID information from those people and creating accounts in their victims' names? Wouldn't that be a— well, sorry, I don't want to give people ideas, but wouldn't that have been a—
MARK STOCKLEY. Next time you're doing a home invasion, follow Smashing Security for tips on crime.
CAROLE THERIAULT. Yeah, I bet you didn't think of that in your podcast, Mark. No, I'm kidding.
MARK STOCKLEY. Episode 6, how to use AI for crime. Now, I know what you're both thinking. Because I just said that they provided phone numbers. Right. And we all know that phones can be used to track people. Oh yes. So obviously there's no way they'd be stupid enough to go anywhere near the crime scene with their phones, right? Well, if you're thinking that, you'd be wrong.
CAROLE THERIAULT. No, no, I was just going to say, I wouldn't have thought of that. I mean, yeah, I probably would have. If I'd committed a crime and I was going to the scene, I'd probably leave my phone at home. Wouldn't I? I probably would.
GRAHAM CLULEY. Well, rather than taking a selfie of what you're up to or something. Yeah.
MARK STOCKLEY. This is where I did last night. So, location data from the phones showed that both men had travelled from Florida to North Carolina a few days before the attack. Right. And then returned to Florida a few days after. And then cell tower data put both the phones in the vicinity of the home that was raided in the days before the attack, at exactly the times that camera footage from local residents had spotted a BMW SUV conducting surveillance on the victim's home.
GRAHAM CLULEY. So they go to all the effort of going out of state. It's like, we're not going to do this on our own home turf. We're going to do it far away from where we live so people can't track it back to us. But they do go to the effort of getting themselves a car or something with fake plates to conduct surveillance on the house.
MARK STOCKLEY. Well, I wouldn't go that far. They got themselves a car. Let's leave it there.
CAROLE THERIAULT. No one's a genius in all things, Graham, right? It's like, there's gonna be some blind spots in all of us, and maybe we're exposing a few of theirs.
MARK STOCKLEY. I just feel like, if we were talking about something that wasn't their chosen profession, I might agree with you. It's like, if you're gonna be a genius at one thing, and you're doing crime... crimes, I mean, it seems like an obvious choice to me.
Anyway, so the police don't just have access to phone records. They even also pull details of what money you've spent and where.
Now you'll recall that these criminals were big fans of cryptocurrencies. And so it was natural that they would cover their tracks by buying the things they needed using crypto.
Uh-oh. I'm kidding, they didn't do that. They used a debit card.
The day before the attack, Castro used a debit card at the victim's local Walmart to buy safety vests and khaki pants. And the surveillance cameras at Walmart spotted both Castro and St Felix making the purchase.
And they also spotted a BMW SUV in the Walmart car park that matched the one that was later seen surveilling the victims. But the real treasure trove was the email addresses that Castro and Felix gave to Coinbase.
Oh no. So Castro's email address was associated with an iCloud account which allowed police to access messages exchanged between the two. And in those messages, they discussed going to North Carolina, hiring a car, and staying in a specific hotel.
And the police also found a picture of a very distinct pink pistol that one of the victims had identified during the attack. A pink pistol?
Why would you photograph the gun? I just— Pink!
Well, yeah, you want to look good when you're doing a home invasion, right?
GRAHAM CLULEY. There's probably quite a few iCloud accounts which have something which looks like a pink pistol, to be honest. It's the sort of thing you have to be very careful with if you're sharing your photo stream.
I just ignore them.
MARK STOCKLEY. But that, I mean, that seems bad, right? That seems bad, taking a picture of the gun that you're going to use. But St Felix's Google account was even worse.
So evidently, St Felix likes taking pictures, because he was kind enough to photograph the following things for the police. He took a picture of the victim's licence plate number. He took pictures of the BMW SUV that was seen surveilling the victim's house and visiting Walmart, where the crooks bought their construction outfits.
CAROLE THERIAULT. He trusts tech.
GRAHAM CLULEY. Was he planning to have his family round for a slideshow after the crime? Say, hey, look what we did on our trip.
MARK STOCKLEY. He took a picture of a gun next to some BMW keys in a room with a carpet matching the carpet of the hotel the two men had discussed on the chat found on Castro's phone. Oh.
CAROLE THERIAULT. So all the little points of light align, and they're—
MARK STOCKLEY. So many points of light. And then what about this one?
He took a screenshot of a cryptocurrency account taken the day before the attack, which had exactly $156,853 in it. And the criminals, they had sort of prior information about the account that they were raiding, right. So that's what that screenshot is.
Wow. Now there's one last photograph, and I've saved it to last. 'Cause it's the best one, right.
But rather than me tell you what's in it, I want you to guess. So, based on what I've told you so far, what do you think could be in the last photograph?
CAROLE THERIAULT. Passport photo.
GRAHAM CLULEY. Is it actually a selfie of them at the victim's house?
MARK STOCKLEY. Not quite, not quite. So Felix took a picture of himself posing in the hotel where the gun and the keys were photographed while wearing the construction outfit that he'd bought from Walmart and would later wear at the victim's house.
CAROLE THERIAULT. I think Graham gets that point. That's pretty good.
MARK STOCKLEY. Thank you, Carole.
GRAHAM CLULEY. Carole, what's your story for us this week?
CAROLE THERIAULT. Okay, imagine both of you, you, Graham, you, Mark, you're both in Australia. You're together. You're travelling together on a domestic flight.
MARK STOCKLEY. Are we holding hands?
CAROLE THERIAULT. I'm sure you are. It's perhaps a smaller plane. I don't know who gets the aisle seat, who gets the window seat. How would you guys decide?
GRAHAM CLULEY. The weight distribution is always very controversial, isn't it? I mean, making that decision, especially on a small plane. Speak for yourself. Where someone's gonna sit and where the other one's gonna sit.
CAROLE THERIAULT. It's tricky. Do you both like aisles or both windows?
MARK STOCKLEY. What are you? I'm getting the aisle. I'm getting the aisle. I'm sorry, it's not even, this is not even a conversation. I prefer an aisle.
GRAHAM CLULEY. I want an aisle. I don't wanna be next to the window.
MARK STOCKLEY. Well, I'm very sorry for you that you're sat in the window.
CAROLE THERIAULT. Okay, so Graham, you're sitting on Mark's lap on the plane. And let's be honest, you're both feeling a little weary because, you know, you're nearing the end of your global live podcast show tour for The AI Fix. Okay. Oh, yes, that's right.
GRAHAM CLULEY. 2025. I've always said you should go first with your stories.
CAROLE THERIAULT. You know, you've hit New York, London, Paris, Tokyo, and Perth, and the crowds have been going wild. Your hands hurt from all the autographs. That's what you guys say. Anyway, I'm glad it was autographs. Anyway, Mark has taken to wearing a white microfiber towel around neck to daub his celebrity glow. Graham, you're sporting a flowery silk pajama suit, and you're sitting in the very cozy seats, smooshed in. You're both silently fighting for command of the single armrest between you that you're sharing. Mark's knees are probably gunked into his chest because he's quite tall. He's not that tall. Huzzah, though. Huzzah, the flight has free Wi-Fi. Brilliant. You know, everything else can go to shit, but as long as you can sit there on your phones to check your latest show stats. Oh yeah, yeah. To see if you've kept your hot position. Yeah. You guys are happy. And as you connect, you notice there's two Wi-Fi addresses showing up, both official airline offerings, right? Oh. And you're thinking, this is the life. The airline might have ignored the legroom issue but has splurged to cover, you know, for the data hogs, people like you two. But guys, you'd be wrong. Because it's something much more sneaky and I would say unusual, an evil twin Wi-Fi network. Dun dun dun. Okay, I'll get real sound effects, maybe. Maybe not, I don't know.
MARK STOCKLEY. You've got a budget on this podcast.
CAROLE THERIAULT. Yeah, yeah, yeah, we do, Mark.
MARK STOCKLEY. Yeah, I know that we're in economy. You sent us on a world tour in your mind. Then you stuffed us into economy.
GRAHAM CLULEY. It's true. We're lucky to be in the aircraft at all, I reckon.
CAROLE THERIAULT. So this evil twin Wi-Fi network, okay, this is all according to the Australian Federal Police, the AFP, because back in April an unnamed airline reported suspicious Wi-Fi network activity to the AFP, and they took it seriously. So seriously that just a few weeks later the AFP investigators search a 42-year-old man's baggage at Perth Airport. And what do they find? A portable wireless access device, a laptop, and a mobile phone from his hand luggage. So I was going to pause here and ask you guys, a portable Wi-Fi access device, laptop, mobile, not that suspicious really, is it?
GRAHAM CLULEY. No. Not really, no.
CAROLE THERIAULT. I'm just thinking, is there any reason for someone to have a portable Wi-Fi access device? Can you think of one in our tech world?
GRAHAM CLULEY. 'Cause laptops kind of do it, phones do it. Well, no, it's quite reasonable. I think it's, for instance, it may be that you want to set up your own private little wireless network wherever you are heading to. Rather than relying on whatever a hotel is gonna provide or whatever a conference centre is gonna provide, maybe. Or your cell provider, maybe.
CAROLE THERIAULT. You don't want your cell provider to do it.
GRAHAM CLULEY. Maybe you don't want to use your cell provider, you know, but yes, you could set up your own little wireless network.
MARK STOCKLEY. Yeah, maybe if you were on holiday with your kids and you wanted to safeguard what they were connecting to, or you hadn't heard of a VPN or something, or— I'm a bit hung up on what are they going to plug it into if they're planning to use it on the plane. Do they have sockets in first class?
GRAHAM CLULEY. I don't— You need a really long cable. That's the main thing if you want to be on the internet on a plane. No other way to use the internet on a plane that I've ever found.
CAROLE THERIAULT. Really? I've used the internet on the plane.
GRAHAM CLULEY. Oh, come on. Does it actually work?
CAROLE THERIAULT. Well, it depends. What do you do? Do you try and stream high-end movies, or—
GRAHAM CLULEY. No, I'm just trying to connect to send an email. I'm just trying to see the statistics for the latest episode of The AI Fix podcast. And you're very impatient!
MARK STOCKLEY. To be fair, that's a lot of data.
GRAHAM CLULEY. That is a huge amount of data to download. It's a big number. Big, very big number.
CAROLE THERIAULT. So this whole evil twin Wi-Fi network thing. So basically the allegation from the Australian Federal Police is that this 42-year-old man used this portable wireless access device to create a Wi-Fi network with SSIDs very similar to those airlines operate when they offer in-flight access to the internet or for entertainment or whatever. And the AFP stipulate this guy set it up at multiple locations to lure unsuspecting users into believing they were legit services and to sign up into the bogus Wi-Fi hotspot. And the way that this guy did it is once they tried to connect their device, they were taken to a fake web page requiring them to sign in using their email or social media logins. And then those details were allegedly saved on this man's device.
GRAHAM CLULEY. Because the thing is, when you're on an aeroplane, the internet connection is so bad that you will enter your details. You will connect to any Wi-Fi network you can find, which could remotely be one which works, and you will enter your details and you will possibly enter your credit card details. And if it manages to also scoop up your account details for your cryptocurrency exchange or whatever else that they might be able to grab, then, you know, potentially there's— and the kind of people who would use the internet on a plane, which is normally charged at such a ridiculous rate, are probably going to be the high flyers. Aren't I clever? Anyway. This was free.
CAROLE THERIAULT. Okay, in Australia it's free. Free Wi-Fi.
GRAHAM CLULEY. It must be really shit then.
MARK STOCKLEY. Is this the most expensive phishing attack in history?
CAROLE THERIAULT. Well, you know, it's really interesting because apparently he also— so basically he was harvesting legit account details stolen from unsuspecting plane passengers. And apparently he also targeted the Perth airport Wi-Fi. But the question I've got is, had this guy done this at a local cafe, would anyone give a shit? Would anyone be the wiser? Do you think the attention of the AFP would have been there? He went to national or international airports and started, you know, doing this on planes. It kind of seems like a super— I don't know, maybe he was targeting a specific person.
MARK STOCKLEY. Who knows? I can't get past the economics. So I'm just imagining, let's just say a plane ticket costs $1,000, right? So normally a phishing attack, you know, there are frameworks. You basically have to put up a website.
You can do that at like Wix or something. It's essentially free. You can do it in half an hour. You send out a couple of hundred thousand emails. And this guy's out there rubbing his hands together going, if I get on a plane with fake Wi-Fi, I can access as many as 250 people in one go for nothing more than a plane ticket that cost me $1,000. It's so weird.
CAROLE THERIAULT. And the guy's been charged with a laundry list of counts. But what I found interesting is the advice from the AFP.
It was, quote, "To connect to a free Wi-Fi network, you shouldn't have to enter any personal details such as logging in through an email or social media account." Really? Now I've been on many free Wi-Fi networks and I find that they try and hoover up as many personal details as they can. So I find that a little bit — I don't think that would be an area where you'd suddenly be nervous. That is absolutely a thing.
MARK STOCKLEY. Absolutely a thing. I was gonna say, but the funny thing is if we were doing this story 10 years ago, we'd be like, "Oh no, they're on dodgy Wi-Fi. They're gonna hoover up all your data, and they're gonna steal all your passwords and things like that." But now, pretty much the only danger is that bit where you type in your email address.
And that, or maybe use your social media login, and then that's it. That's it. Because even if you're on some criminal's Wi-Fi, as long as you're using encrypted email, which you almost certainly are, or you're using an encrypted web connection, which you almost certainly are, actually you're fine and they can't really do anything. They can't attack your DNS, they can't get into your traffic. You just have errors and warnings coming up everywhere. So weirdly, the actual danger of this, he could almost have been providing a public service. If his rogue Wi-Fi was actually a faster connection than the airplane, I would connect to the rogue Wi-Fi. He should just advertise himself. He'll make more money. Yes, be legit.
GRAHAM CLULEY. Yes, they'll pay for his plane ticket.
In a perfect world, end users would only work on managed devices with IT-approved apps. But every day, employees use personal devices and unapproved apps that aren't protected by MDM, IAM, or any other security tool.
There's a giant gap between the security tools we have and the way we actually work. 1Password calls it the Access Trust Gap, and they've also created the first-ever solution to fill it. 1Password Extended Access Management secures every sign-in for every app on every device. Includes the password manager that you know and love and the device trust solution you've probably heard of on this podcast back when it was called Kolide. 1Password Extended Access Management cares about user experience and privacy, which means it can go places other tools can't, like personal and contractor devices. It ensures that every device is known and healthy safely, and every login is protected. So stop trying to ban BYOD or shadow IT and start protecting them with 1Password Extended Access Management. Check it out at 1password.com/smashing. And thanks to 1Password for supporting the show.
And welcome back, and you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
CAROLE THERIAULT. Pick of the Week. Pick of the Week.
GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish. It doesn't have to be security-related necessarily. It better not be.
Well, my Pick of the Week this week is not security-related. It is a service I found online, a website, and I believe it's an app as well on your phone called Suno, S-U-N-O. And what it allows you to do is just type in a few words and via the power of artificial intelligence, it will create a song for you. So you can say, I would like to have a barbershop quartet singing about the insurance industry. And out the other end will come a barbershop quartet. It will write the lyrics, it will do all the music and the backing, and it will do the voice.
That's crazy. And this is enormous fun.
MARK STOCKLEY. Wow.
CAROLE THERIAULT. Computers are cool.
GRAHAM CLULEY. Turns out computers are cool. Now, I have been able to put this to practical use because I've recently started with my co-host Mark Stockley, a podcast called The AI Fix, and we needed some theme music. And what better than theme music created by artificial intelligence.
And so I got Suno to work on it for me. And it came up with a few different versions, which we can hear here, but for the purposes of timekeeping, we won't. No, no, we're not going to hear them.
But there are some links which maybe—
CAROLE THERIAULT. You could do that as a bonus on your own show.
GRAHAM CLULEY. But for instance, we've got an operatic version. I've got a Christmas version à la Michael Bublé. And I've got the, well, something which is a little bit similar to the version which we actually have on the show played on a banjo.
So that is my pick of the week. It's a website called Suno, S-U-N-O, enormous fun. And I've just scraped the surface in how I've described it, but I'd really suggest you go and check it out because it's a great way to make music, but probably really, really bad for genuine musicians. But never mind.
CAROLE THERIAULT. Smashing Security. Someone's looking for a sponsor.
GRAHAM CLULEY. So that is my pick of the week. Mark, what's your pick of the week?
MARK STOCKLEY. Well, my pick of the week is also not security related, but it is a podcast. So if you're intrigued, bewildered, or slightly alarmed by AI, and you want to listen to two other people who are intrigued, bewildered, and slightly alarmed about AI, then I have got a podcast for you.
Oh, and I'm talking, of course, about The AI Fix, which is a brand new podcast from Graham and me. I don't know if we mentioned it. It's about AI and you can get it every week.
It's a great way to stay up to date about AI in a way that doesn't send you to sleep. So we talk about all the latest news and then we try and teach each other something about some aspect of AI.
So if you want a flavor of what we've talked about so far, in the first 5 episodes, we've established that AI probably doesn't exist. We've asked whether fitting guns to robot dogs is just wokeism gone mad.
Graham got cross— not gonna surprise you at all, Carole, but Graham got cross about the R in the name Toys 'R' Us. And I explained why there's a 99.9% chance that AI will wipe us all out.
CAROLE THERIAULT. Ooh, fun.
MARK STOCKLEY. So you can find The AI Fix on all your favourite podcast apps. Just search for The AI Fix. And yeah, if you feel like sponsoring it, go ahead.
GRAHAM CLULEY. Carole, what's your pick of the week? You are allowed to include a podcast if you wish.
CAROLE THERIAULT. Well, thank you very much for the opportunity, Graham. So for my pick of the week this week, it's not going to be your podcast, but it's a game. It's a game for the Switch. It's called Putty Pals. Have you played it, either of you? Putty Pals? Putty, P-U-T-T-Y.
Oh no, I haven't. Yeah, I think you might have missed the boat, and maybe Mark can still play, because it was a recommendation I got from a dad who played with his 10-year-old daughter and had a blast. So I didn't take their word for it, obviously. So I got a copy of my own. I played it with my other half, the Yeti. And it's basically a cooperative puzzle platformer.
That's the term apparently. Basically a two-player and you are these little stretchy characters called Putty Pals and you have to work together to navigate through weird and wonderful worlds. It reminds me a bit of is it Lemmings where you had to work together to get things done? Yeah. But you're kind of each managing one of these Putty Pals and you have to work together.
So you have to kind of tie arms to get across a Velcro bridge, all kinds of cute things. It's a tenner. Every world is kind of unique. It's quite beautiful in the art. It's kid-friendly. Yeah, I bet, Mark, your daughter might like this, I think.
It looks cute. I don't know. It's cute and it's fun and it's kind of smart. It sounds fantastic.
MARK STOCKLEY. Yeah. So it's called Putty Pals.
CAROLE THERIAULT. It's for the Nintendo Switch. It's my pick of the week and I'm not looking for any sponsors.
GRAHAM CLULEY. Fantastic. Well, that just about wraps it up for this episode of Smashing Security. Thanks to our guest, Mark Stockley, for coming on the show. I'm sure lots of our listeners would love to find out what you're up to, Mark, and follow you online. What's the best way for them to find out what you're up to?
MARK STOCKLEY. Well, you can find me online at Mark Stockley. You can also find me at The AI Fix on Twitter, or you can go to theaifix.show and you can see a big picture of me.
GRAHAM CLULEY. Fantastic. And you can follow us on Twitter at Smashing Security, no G, Twitter allows to have a G. And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast apps such as Apple Podcasts, Spotify, and Pocket Casts.
CAROLE THERIAULT. And thank you to our episode sponsor, 1Password, and to our wonderful Patreon community. It's thanks to them all that this show is free. For episode show notes, sponsorship info, guest lists, and the entire back catalog of more than 378 episodes, check out smashingsecurity.com. Wow. Until next time, cheerio.
GRAHAM CLULEY. Bye-bye. Bye.
CAROLE THERIAULT. Do you want to do an extra plug right now on your show? Because I don't think we had enough on the show. Just to make sure people got the name and—
MARK STOCKLEY. The AI Fix.
GRAHAM CLULEY. What about backwards?
MARK STOCKLEY. Yeah. Fix IA The. We'll see what makes it through the edit. There's a challenge for can you edit all of the AI fixes out of that podcast?
CAROLE THERIAULT. Of course I can. Of course I'm a master. Editing queen.
MARK STOCKLEY. That's my challenge. That's my challenge. That's my challenge to you.
GRAHAM CLULEY. Don't give her a challenge like that.
CAROLE THERIAULT. You're going to have to listen and find out if I did. What do you like, Mark?
GRAHAM CLULEY. Jesus.
-- TRANSCRIPT ENDS --