386: The $230 million crypto handbag heist, and misinformation on social media

September 26, 2024
Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.

Carole Theriault

They're only 20, they're only 21. I think they've done a pretty good job. I don't know, you think they have?

Graham Cluley

You think they have? Well done, well done, you're saying well done from Carole Theriault.

Carole Theriault

I'm not saying well done.

Unknown

There's your little golf clap, nice one, nicely done, you're saying. Smashing Security, episode 386, the $230 million crypto handbag heist and misinformation on social media with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 386. My name is Graham Cluley.

Carole Theriault

And I'm Carole Theriault.

Graham Cluley

Another late night recording for me. Maybe for you, depending on where you are in the world.

Carole Theriault

I'll be back in the office soon.

Graham Cluley

It's a mystery. Nobody knows, but you'll be back in the same time zone soon.

Carole Theriault

Very soon. Now we have a packed show, but before we kick off, let's thank this week's wonderful sponsors: 1Password, Vanta, and SentinelOne. Now coming up on today's show, Graham, what do you got?

Graham Cluley

I'm going to be talking about cryptocurrency and handbags.

Carole Theriault

And I'm going to look at the glut of disinformation on the socials and what can we do about it. All this and much more coming up on this episode of Smashing Security.

Graham Cluley

Now, chums, chums, today I've got a fascinating story for you.

Carole Theriault

Okay.

Graham Cluley

About a couple of young fellas who have been arrested and charged in the United States of America.

Carole Theriault

Okay.

Graham Cluley

So this is the story of 20-year-old Malone Lam, is one of these fellows, of Miami, and Jeandiel Serrano, 21, of Los Angeles. So both in their early 20s.

Carole Theriault

So very young adults.

Graham Cluley

Very young. And oh, by the way, some of this story is only possible to tell because of some extraordinary investigative work done by ZachXBT. Are you familiar with ZachXBT?

Carole Theriault

No. Hi, Zach.

Graham Cluley

Hi, Zach, if you're listening. Zach is a crypto investigator who you can follow on Twitter. Over 600,000 people are following ZachXBT. Smashing Security on Twitter because his investigations are very interesting. He's well known for exposing scams and hacks and unethical practices in the crazy world of cryptocurrency. And he regularly uses his expertise with the old blockchain analysis to track down funds that may have been stolen and identify people behind crypto crimes. So he's a cool guy to have on your side if you find yourself at the sharp end of a cryptocurrency scam. If you want to know who's got your money and maybe how to get it back, you would call in someone like ZachXBT.

Graham Cluley

Okay. Yeah, I'm following you. All right. Now, in the last few days, we've seen a press release by the US authorities about the arrests and charges against Malone Lam and Jeandiel Serrano, and they are accused of stealing and laundering some cryptocurrency. Now, what makes this case unusual is the amount of cryptocurrency. Because I think you would agree with me that stealing $50 million worth of cryptocurrency—

Carole Theriault

That's a lot of wonga.

Graham Cluley

Would be a lot, wouldn't it?

Carole Theriault

For two young guys who are mostly interested in, I don't know, Lynx aftershave and—

Graham Cluley

I don't know. 50 million would be a lot, wouldn't it? What about almost a quarter billion of cryptocurrency? A quarter billion of cryptocurrency.

Carole Theriault

Am I correct in surmising that's $250 million? Almost.

Graham Cluley

So it was roundabout. I think it's $230 or $240 million. Geez. Okay. Well, hang on. It's not just the amount of money that they are accused of stealing, but the fact that they are accused of stealing it from one person. There is a guy in Washington, D.C. right now with a hole the size of a quarter of a billion dollars in his cryptocurrency. I shouldn't laugh. I imagine he's rather depressed. He's lost a quarter of a billion dollars. Unless you're, you know, Jeff Bezos or something, you're gonna— it's gonna hurt. It's gonna hurt, I suspect.

Carole Theriault

Yeah, I don't think there's a band-aid big enough, you know.

Graham Cluley

Now, according to ZachXBT, this crypto investigator, the hackers were remarkably inept because not only did they fail to cover the tracks of this alleged hack— by the way, insert lots of allegeds and things during the rest of this. This is all allegations, all allegations, right? Hasn't gone through the court system yet. But not only did they fail to cover their tracks, which is why the arrests have happened so quickly, because this breach of this cryptocurrency wallet only happened a month ago, right? But it appears the hackers also documented their crimes, making it easy for the feds to build a case against them. In fact, they didn't just document their crimes, they actually recorded the entire heist in a movie.

Carole Theriault

What?

Graham Cluley

They recorded themselves talking on a Discord channel, and you can see them typing to each other. You can hear them celebrating the theft of a quarter of a billion dollars, near enough. "Oh my God! Oh my God, bro, bro, I'm gonna spaz out. Yo, we're done, we're done. I'm spazzing out."

Carole Theriault

So they were so confident at how their ruse, they thought, let's just record it online. What are they wearing, little masks and stuff so we can't tell who they are and all this?

Graham Cluley

You don't see them on the screen. You just see their conversation.

Carole Theriault

You just see their screens.

Graham Cluley

Exactly. You hear them talking. You see their conversation going on.

Carole Theriault

Right.

Graham Cluley

And you hear their whoops of delight. And I think they were possibly a little bit astonished as to how much money they were grabbing. They maybe weren't expecting it.

Carole Theriault

I'm just wondering, that might give away a lot of information if you have a real-time effort going on Discord at the same time that $250 million goes whoop.

Graham Cluley

Yeah, because they're texting each other, they're incriminating themselves. And so occasionally when they're moving their windows and things on the screen, there may be other pieces of information which are revealed, which may indicate their true identities. They're using their—

Carole Theriault

They're only 20, they're only 21. I think they've done a pretty good job. I don't know. You think they have?

Graham Cluley

You think they have? Well done, well done. You're saying well done from Carole?

Carole Theriault

I'm not saying well done.

Graham Cluley

Carole gives you a little golf clap. Nice one. Nicely done, you'll say.

Carole Theriault

I'm just surprised they got as far as they did. I, you know, whatever. I just was an idiot at that age, so perhaps I'm projecting.

Graham Cluley

Yes, it appears they've somehow incriminated themselves. They were discussing how they were going to launder the funds. It's they've got all this money now, because that's the thing, Carole, right? I don't know if you've ever had $240-odd million in your pocket.

Carole Theriault

No.

Graham Cluley

Let me tell you, it's not that simple having money, because how are you going to spend it?

Carole Theriault

Right.

Graham Cluley

It's a pain. It's burning a hole in your pocket, isn't it? It's well, what can I do with this? What are you gonna buy with it? Are you just gonna buy pizza? What are you gonna do?

Carole Theriault

Is this really a problem that people face?

Graham Cluley

I think it is a problem. Friend of the show, Geoff White, he's written a book all about how you launder money and rinse money, which you've grabbed through cybercrime. It's complicated to do. And of course it can be complicated to follow the leads as well. So they were talking about how they're gonna launder the funds. They even taunted cryptocurrency investigator ZachXBT.

Carole Theriault

Oh, by name.

Graham Cluley

I guess they were thinking, you know, he's gonna be after us and—

Carole Theriault

We're gonna just flip him the Vs. Yeah.

Graham Cluley

And they failed to understand what was gonna become of them. So, reports suggest that the heist began on August 19th of this year. So, just about a month ago. And from what I've read, it looks like these men, allegedly, allegedly, contacted their intended victim by posing as Google Support. They used a spoofed telephone number, they tricked the victim into sharing their screen. One of the things they did was they rang up at one point claiming to be from the cryptocurrency exchange. And they said, you know, that there's been a breach of your account. We need to be careful. We need to confirm your identity. Can you share the last 4 digits of your private key? Don't send us the whole private key, they said.

Carole Theriault

Oh, wow.

Graham Cluley

We just want the last 4 digits. Now it's clever. It's clever, this crime.

Carole Theriault

It's so clever. Because that's what you do with credit cards, right?

Graham Cluley

Well, that is what you do with credit cards and bank cards. But the last 4 digits alone weren't going to allow these scammers to access the account, right? And it's not as though they had the rest of the private key, but what they said—

Carole Theriault

But they've raised their chances quite a bit.

Graham Cluley

They have. But listen to this. Listen to this.

Carole Theriault

Okay.

Graham Cluley

What they said to this victim was, don't worry. They said, can you take a photograph of the private key? And crop the picture so we only see the last 4 digits.

Carole Theriault

Oh my God.

Graham Cluley

They had already compromised this guy's computer so they could see his screen. So when he cropped it in Microsoft Paint or whatever he was using, they saw all the key.

Carole Theriault

Jesus. Oh my God. It's kind of clever. See, 2021, just saying.

Graham Cluley

They also duped him into resetting the multifactor authentication protecting his wallet. And so they were able to transfer the funds. Allegedly. Allegedly.

Carole Theriault

I'm not thinking this guy was a complete idiot if, you know, he allegedly fell for all this. But yeah, it's scary. You'd think you'd be really careful with that amount of money, right? And of course you're panicking.

Graham Cluley

Well, exactly. Because you think Google have rung you up, you think the crypto company has contacted you.

Carole Theriault

And they've worked hard on their little pitter-patter to convince you pretty quickly.

Graham Cluley

So what we've got here is a couple of dweebs with $230 million in their pockets. What are they going to do with it? It's what I said, what are they going to do with it?

Carole Theriault

Girls, girls, girls.

Graham Cluley

Exactly. Because what they really, really don't have in their life are friends, right? They don't have much in the way of friends. They certainly don't have girlfriends. So these guys apparently were allegedly spending $500,000 a night at nightclubs. They were buying hundreds and hundreds of bottles of champagne. It's like, "Hey, hey, we're having a party. Well, I'm gonna buy everybody in the club a bottle of champagne." Wow. One of them was sent a message by one of these guys. And he said, "I've got you a present. We'll call it an early birthday gift, a thank you gift. I appreciate you so much."

Carole Theriault

Subtle.

Graham Cluley

Subtle.

Carole Theriault

Classy.

Graham Cluley

Very classy.

Carole Theriault

You know, has gravitas.

Graham Cluley

Gave it to a complete stranger in the hope that she'd go out with him. Her response was, "I've already got a boyfriend. I'm not interested."

Carole Theriault

Thanks a lot for your big car, but yeah, thanks.

Graham Cluley

Another woman who received a designer handbag is a food blogger and podcaster. I found her on TikTok. Her name is Skylar Harrison.

Carole Theriault

Me and my two girlfriends walk over to the section, and this kid— I'm gonna refer to him as a kid. I mean, he was definitely over the age of 18 or 21, hopefully, because he was at the club, but he looked pretty young. He comes towards me and he's like, "I got this for you." And he hands me the box, he opens it, and he's like, "Do you like it?" And I was like, "Yeah, I do, but is it real?" And he was like, "Of course it's real, it's for you, you can have it," and just walks away. Anyways, while I'm at the club, I see one other, it's a light pink one, I think. And then the day after, so yesterday, I think I saw a girl post a TikTok about how she got gifted one by the same guy same club. Hers, I think, was lime green.

Graham Cluley

But yeah, that was it.

Carole Theriault

He literally just walked away. He handed it to me. This is it. It's beautiful. But to be honest, it's not really my style. Wow.

Graham Cluley

So that's Skylar. Again, she declined to go out with either of these guys. As far as we know, they didn't manage to get any girlfriends. So if you're currently trying to amass a multimillion fortune, if you're spending all your time building your dot-com company or engaged in cryptocurrency scams or whatever it may be that you're doing out there, folks, don't imagine that once you have all this money, you're actually going to succeed in getting yourself a girlfriend. It doesn't always work.

Carole Theriault

Not only that, but it's a guarantee that you're not going to go under the radar.

Graham Cluley

Right, exactly. Carole, what's your story for us this week?

Carole Theriault

Okay, so this week, Pew, the research group, they published a report that said basically more than half of U.S. adults, so 54%, occasionally get our news from social media. And this, they say, is up slightly compared to the last few years. And research group Statista also report that Americans are using social media as a source of news, with 38% of adults in the U.S. currently using social media for information about the 2024 presidential election.

Graham Cluley

Yeah. So conservatively, I think you and I can say that 2 out of every 5 people in the US, their viewpoints are being slightly formed, at least in part, by reading the socials. And I suspect it's probably higher than that. I think a lot of news breaks on social media. And it is where a lot of people hang out. You're more likely to get your news, I suspect, from social media these days than tune into the nightly news at 9 o'clock.

Carole Theriault

How much time do you think the average American spends on social media platforms a day?

Graham Cluley

A day?

Carole Theriault

A day.

Graham Cluley

It's going to be less than 25 hours a day. I can be fairly confident of that. OK, let's narrow it down. It's good. OK, so let's assume that people sleep for 8 hours a day and they're mostly not on social media then. So that gives us 16 hours remaining. I'm going to say 8 hours a day. You're such a ridiculous person. Why? The average American, the answer is 2 hours and 14 minutes a day. Okay. Sorry. Sorry. All right. Two hours a day, not eight. It's not a full-time job. I think people are on longer than that. I think, I mean—

Carole Theriault

Oh, I would agree. This is probably what people say they are.

Graham Cluley

Because you know what I've seen? A lot of people these days, and I think they're actually making TV programmes with this in mind now. I've noticed a lot of people now when they watch TV, they are dual screening. They're looking at their phone while they're watching TV.

Carole Theriault

Yeah, I'm not cool enough to do that. But yeah, a lot of my younger buddies do that constantly.

Graham Cluley

Yeah, yeah, yeah, exactly. So I'm thinking, you know, this is—

Carole Theriault

And I mean, okay, you get it. Socials, as we know, are designed intrinsically to be checked all the time. They're difficult to look away from because there's always something interesting popping up around the corner. And I mean, what else are you going to do while you're, you know, commuting to work or having a coffee or, you know, let's be honest, a poo? I wrote that and then I thought, actually, I wonder if ChatGPT wants to get in on this. So I asked it, "What percentage of people admit to using the phone while on the toilet?" And it wrote, quote, "The percentage seems to typically fall in the range of 75 to 90%, depending on the demographic and how the question is phrased. It's a common behavior across various age groups."

Graham Cluley

Don't you think it's time we started using Wi-Fi repellent paint in lavatories?

Carole Theriault

Interesting. Interesting. Interesting.

Graham Cluley

So you couldn't get a signal in there. That'd be a great idea, wouldn't it?

Carole Theriault

I think it's kind of ironic that we're filling our heads with poop from the socials as we literally evacuate our bodies. Now, who might you think are the head social media honchos when it comes to people going to them for their news fix? So who's the numero uno news fix social site? According to Pew?

Graham Cluley

I'm going to say TikTok.

Carole Theriault

And I'll say—

Graham Cluley

I didn't say TikTok. I said Twitter. I said Facebook.

Carole Theriault

And it's way ahead. It's way ahead. Where do people go to get their news? This is probably because you're not thinking of it as a social media platform.

Graham Cluley

YouTube.

Carole Theriault

Yep.

Graham Cluley

YouTube.

Carole Theriault

Highest usage amongst US adults with 83% using the platform. Can you guess how long do people play on YouTube every day? You're gonna say something like 8 hours. No, it's 46 minutes.

Graham Cluley

Yeah, there's a maximum of 2 hours. So, okay, yes.

Carole Theriault

Yeah. And the next after that is Facebook. 7 out of 10 say they use it and spend on average 30 minutes a day or 31 minutes a day on Facebook.

Graham Cluley

Okay. 46 plus 31. Let me see what's left over.

Carole Theriault

We know if we've been listening to this show that many nasty things lurk on these social sites, right? So the deepfakes, my new word, romconnors. Romconnors. Romance cons.

Graham Cluley

Did you come up with that?

Carole Theriault

It's not mine. It's not mine. No, no, no, I stole it, but I love it. Crypto nonsense, misinformation campaigns, disinformation campaigns, poison ads, all the stuff. All of these things are for us—you and me, the average Joe and Josie's out there. And our job is to slalom through every time we use these sites to get our news fix and hope that we're not hitting something bad. Now, some experts place the blame—I'm interested in your view on this, right—on the fundamentals, how the social media platforms actually work. So typically, these sites reward you if you have more followers, more likes, more shares. You know, people want to hear what you're saying. And to build up this following, you don't tend to push out moderate viewpoints, right? They don't get the eyeballs, the shares, the likes. They certainly don't get the same ones that comments that are more extreme in viewpoint might. Do you agree with that?

Graham Cluley

Yeah, I do agree with that. In my particular world, the thing I'm obviously fascinated—well, one of my interests is Doctor Who. And there are—it's a very fractious community. There are people who aren't very happy with Doctor Who, or maybe some of the decisions made by the production team in the last few years. And those people who maybe are against certain things happening in Doctor Who get all of the eyeballs. And it feels like people are deliberately making videos being outraged and angry, and, you know, they're really right on the edge in terms of opinions compared to the average sort of laid-back fan. And I suspect they're doing it because they make more money, because they get more views, which means that it's feeding into them. And so they are having to churn out more and more outrage and shocked and astonished videos because that is what actually works with the algorithm and gets them more views and makes them more money.

Carole Theriault

I think you're absolutely right. While I was researching this story, I found a CBS interview with a guy called Chris Bail. He's the founder of Duke University's Polarization Lab. And he says the incentive structure on social media platforms leads to more extreme content rising to the top, right? As algorithms promote what gets high engagement, reactions, comments, and shares. I wonder, do you know which tweet, for example—I know you're a twatter or tweeter or whatever, an Xer. Do you know what your most successful tweet was and would you share it with us?

Graham Cluley

I don't know off the top of my head. I could probably—oh no, actually, I'm not allowed access to Twitter analytics anymore because Elon Musk makes me pretend to be a business and give him thousands of pounds to find out. So I don't know, I'm afraid, no.

Carole Theriault

All right. Okay. But this Polarization Lab founder also had this to say, which I found interesting. So he says, quote, when we look at people who are highly politically active on Twitter, we find that about 70% of the content about politics is generated by just 6% of the people. And those 6% are people disproportionately very liberal or very conservative. And so when we wander onto social media, we can wrongly conclude that everyone has quite strong and extreme views. And that everyone is sort of out to get everybody else. And that may not be the case.

Graham Cluley

Yeah, yeah, totally.

Carole Theriault

Now there are many efforts out there trying to figure out how to control this beast called misinformation. One, ZDNet wrote about, which I, a really interesting article. This is about the Coalition for Content Provenance and Authenticity, the C2PA. This is led by Linux, the Linux Foundation, and it's basically an open standards body looking into embedding metadata or watermarks into images, videos, and audio files. And the specification makes it possible to track and verify the origin, creation, and modification of the digital content. Now, loads of big dudes are in there. Google, Microsoft, Meta, OpenAI, they all contribute. TikTok also joined, apparently the first social media platform to implement content credentials, apparently. But notably, Apple and X are not on board as yet. And my question is, why are they hesitating? There are studies on soft moderation techniques. Have you heard of these?

Graham Cluley

Soft moderation? Is that where you leave it to other users to moderate themselves rather than hiring people to do it?

Carole Theriault

One, the study that I saw, it's about footnotes, warning labels, and blurring filters were examined.

Graham Cluley

Oh, yeah.

Carole Theriault

And anyway, they claim of this paper, link in the show notes, right? They say that both interventions reduced engagements with posts containing false information with no significant difference between the two approaches. So that's interesting.

Graham Cluley

It is interesting. I've seen people leave community notes in the past on some of Elon Musk's own tweets where they've gone, 'Uh, that's not actually true, what you've posted there, or what you've retweeted to your millions and millions of followers.' You do worry, though, that some people won't pay any attention to those notes. And they are, of course, posted up later, they're not there at the time of the initial publication of the post or the tweet, they follow later on.

Carole Theriault

And I mean, we even saw California this week, you know, in an effort to calm political misinformation, now requires social media companies to moderate the spread of election-related deepfakes. So basically, the world over, it seems people are grappling with how to get the misinformation genie back in the bottle. But were they to ask me, I've got a good idea.

Graham Cluley

Have they not asked you?

Carole Theriault

No, they haven't. Well, they might have. I haven't read all my email. But here's my idea, right? Okay. But it takes all of us for this to work. And I'm hoping you're going to be on board, Graham.

Graham Cluley

Of course I will be.

Carole Theriault

So I'm using the premise, if we want social media companies to do better, we need to hit them where it hurts. And that's the wallet, right? So I suggest that we all take a first step and fight for no social media on the loo. You have to come up with a cute little hashtag for this. But instead of filling your head with nonsense from socials while you're enjoying your private time, perhaps instead, you know, delete unwanted photos, review your security settings, or just go old school and read the ingredients on your shampoo bottle. Because, I mean, seriously, this will make an impact. We spend about 10 to 30 minutes a day, apparently, on the bog. That's 10,000 minutes a year. And I think we're speaking with our wallets, by which I mean our butts, which, you know, seems apropos when we talk about social media.

Graham Cluley

So I've just asked AI to come up with some. I don't know if it's going to be any good, right? Leave the scrolling for the toilet paper. Give your thumbs a break, they deserve it.

Carole Theriault

That's got nothing to do with your thumbs. Oh, I see, okay.

Graham Cluley

Don't let your phone drown in the porcelain sea.

Carole Theriault

Oh, yeah. Yeah, poetic. Keep your private business private. I didn't mean, when I asked the question, I didn't mean taking photos. All right.

Graham Cluley

Sorry, AI is just rubbish.

Carole Theriault

Any listeners out there that can beat AI, we're dying to hear from you. Thank you very much, that's my story for this week.

Graham Cluley

And welcome back. Can you join us at our favorite part of the show? The part of the show that we like to call Pick of the Week.

Graham Cluley

What a different world it was. Was it a better world?

Carole Theriault

Pick of the Week. Pick of the Week.

Graham Cluley

Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security related necessarily.

Carole Theriault

Better not be.

Graham Cluley

Well, my pick of the week this week is not security related.

Carole Theriault

Good.

Graham Cluley

My pick of the week this week is a YouTube video. During my 8 hours on YouTube today, I stumbled across a video made by a Norwegian called Lasse Gjertsen. And he made this video way back in 2005, 19 years ago, before the iPhone existed. Can you imagine what life was like in 2005?

Carole Theriault

Yes, I remember. Was that the BlackBerry time?

Graham Cluley

Yes, I think it was, when phones had keyboards.

Carole Theriault

Yeah.

Graham Cluley

So this video, I think actually millions of people have seen it, but I saw it for the first time today, and it's called Hyperactive. And it is this guy, Lasse Gjertsen, performing as a human beatbox. Now we've seen beatbox videos before, right? In this particular case, he's doing all that, but what he's done is he's edited it. And it must have taken him a long time, I'm sure, editing this darn thing. But he's edited this together, so it's just him looking at the camera with lots and lots of cuts. And for having done this in 2005 in his bedroom, I think it's pretty impressive. And that's why what you can hear right now is him doing his beatboxing, but you've really got to see it. It's a bit like Max Headroom or something like that. Have you seen this, Carole?

Carole Theriault

No, I haven't. I will, I will. I'm dying to see it.

Graham Cluley

So it's called Hyperactive.

Carole Theriault

We'll all watch it together, listeners.

Graham Cluley

He looks a bit like Yahoo Serious.

Carole Theriault

Beautiful.

Graham Cluley

Yeah, you can imagine. Apparently, this video was so successful, it resulted in him getting offers from companies like Chevrolet and MTV to make videos for them. But apparently, though, he publicly said, no, no, no, no, no, I'm not doing that. I'm denouncing the whole concept of advertising. It is below prostitution, he said. And so he refused all the offers. Good for him, I suppose. I don't know if he's monetised his YouTube account. I bet he's kicking himself if he hasn't, because he's now had about 15 million views. Anyway, very, very entertaining. That is my pick of the week.

Carole Theriault

Very cool.

Graham Cluley

Carole, what's your pick of the week?

Carole Theriault

Okay, so I've been spending a lot of my time hanging out with people that like games. I mean, board games and puzzles and cards and Sudoku and Killer Sudoku and all this kind of stuff.

Graham Cluley

Yeah.

Carole Theriault

And, you know, I like cards. I'm not really into the other stuff. And so I convinced my counterparts that we could learn cribbage. Have you ever played cribbage? Not for many, many years. That's the one where you have these little matchsticks. Yes! It's like a long, thin, wooden sort of block, isn't it? Where you have to move bits. So invented in the 17th century by Sir John Suckling. Had to say that name. An English poet, playwright, and card enthusiast, right? And basically the game, as you said, has a special wooden board with pegs to track the points up to 121.

Graham Cluley

What— you had to— well, hang on.

Carole Theriault

Oh yeah.

Graham Cluley

Hours every day to study it before you could play.

Carole Theriault

Well, you can play, but just to understand the strategy of what do you discard and what do you do and how do you actually do well at the game?

Graham Cluley

So now you're a cribbage master is what you're saying? No, but I'm kind of addicted. I'm kind of addicted. Oh, that sounds lovely. No, we won't tell him.

Carole Theriault

Yeah, that's right.

Graham Cluley

Well, that just about wraps up the show for this week. You can follow us on Twitter @SmashinSecurity. No G, Twitter won't allow us to have a G. And don't forget to ensure you never miss another episode, follow Smashing Security in your favorite podcast apps such as Apple Podcasts and Pocket Casts.

Carole Theriault

And thank you to our episode sponsors, 1Password, Vanta, and SentinelOne. And of course, to our wonderful Patreon community. It's thanks to them all that this show is free. For episode show notes, sponsorship info, guest list, and the entire back catalog of more than 385 episodes, check out smashingsecurity.com. Until next time. Cheerio, bye-bye.

EPISODE DESCRIPTION:

Two men are accused of stealing almost a quarter of a billion dollars from one person's cryptocurrency wallet, but why on earth would they be handing out handbags to strangers? And social media comes under the spotlight once more, as we ask if you are delving into misinformation in your most private moments...

All this and more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault.

Warning: This podcast may contain nuts, adult themes, and rude language.

THANKS:

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.
