The 404 Media Podcast

Government Hacking Tools Are Now in Criminals' Hands (with Lorenzo Franceschi-Bicchierai)

51 min
Apr 27, 2026
Summary

Lorenzo Franceschi-Bicchierai discusses how Peter Williams, a general manager at Trenchant (a Western government hacking tool developer), stole sophisticated iPhone exploits and sold them to Russian company Operation Zero. The stolen tools subsequently appeared in Russian government attacks on Ukraine and later in Chinese cybercriminal campaigns targeting millions of iPhone users globally.

Insights
  • Government-grade hacking tools designed for Western intelligence agencies can be stolen by trusted insiders and proliferate to adversarial nations and criminal groups, undermining the entire premise of restricting exploit sales to 'good guys'
  • The offensive cybersecurity industry's small, interconnected community makes it difficult for insiders to sell exploits through legitimate channels, incentivizing them to approach foreign brokers using aliases and cryptocurrency
  • iPhone watering hole attacks using government-grade exploits are now documented in the wild, representing an unprecedented threat to civilian populations at scale, not just targeted espionage
  • The gap between exploit value estimates ($35M by Trenchant) and actual sale prices ($1.3M) suggests multi-stage exploit chains require multiple stolen components from different sources to achieve full functionality
  • Once exploits enter the hands of one adversary, secondary distribution to other nations and criminal groups appears inevitable, whether through resale, government sharing, or further theft
Trends
  • Insider threats from trusted government security personnel pose greater risk than external breaches to classified hacking tool repositories
  • iPhone exploitation is escalating from targeted espionage to indiscriminate mass compromise via watering hole attacks
  • Government hacking tools are transitioning from exclusive Western intelligence assets to commodities available to multiple state and non-state actors
  • Cryptocurrency and alias-based transactions enable exploit brokers to obscure the origin and destination of stolen government tools
  • Apple's spyware notification system is becoming a critical detection mechanism for government-grade exploit campaigns in the wild
  • The offensive cybersecurity industry's normalization and public conferences are creating recruitment pipelines for nation-states seeking insider access
  • Export controls and sanctions on Russia are creating financial incentives for insiders to monetize stolen tools outside official channels
  • Multi-stage exploit chains require coordination across multiple vulnerability sources, increasing the surface area for theft and proliferation
Topics
  • Government hacking tool theft and insider threats
  • iPhone zero-day exploits and watering hole attacks
  • Operation Zero and Russian government cyber operations
  • Exploit pricing and broker economics
  • Ukraine cyber warfare and civilian targeting
  • Apple spyware notifications and detection
  • Trenchant and Western intelligence tool development
  • Cryptocurrency-based exploit transactions
  • Five Eyes intelligence alliance security
  • Chinese cybercriminal groups and cryptocurrency theft
  • Export controls on offensive cybersecurity tools
  • Exploit chain development and multi-stage attacks
  • Azimuth Security and Lynchpin Labs history
  • NSO Group and Hacking Team comparisons
  • Offensive security conferences and industry normalization
Companies
Trenchant
Western government hacking tool developer formed from Azimuth and Lynchpin Labs; Peter Williams stole exploits while ...
Operation Zero
Russian company that purchased stolen iPhone exploits from Peter Williams; claimed to only work with Russian governme...
L3 Harris Technologies
Defense contractor that acquired Azimuth and Lynchpin Labs and consolidated them into Trenchant division
Azimuth Security
Australian zero-day exploit developer acquired by L3 Harris; known for selling only to Five Eyes intelligence agencies
Lynchpin Labs
Sister company to Azimuth Security; developed zero-day exploits and malware for Western governments before L3 acquisi...
NSO Group
Israeli spyware company selling to authoritarian regimes; mentioned as comparison point for government hacking tool p...
Hacking Team
Italian government malware company that sold spyware to authoritarian regimes including Sudan; historical comparison
CrowdFence
Dubai-based exploit broker with legitimate reputation; charges up to $7 million for full iOS exploit chains
Google
Discovered Koruna exploit kit being used in Russian government attacks on Ukraine and later by Chinese cybercriminals
Apple
Sends spyware notifications to targeted users; patches exploits; subject of stolen government hacking tools
Australian Signals Directorate
Government agency where Peter Williams previously worked before joining Trenchant
Citizen Lab
Research organization investigating spyware campaigns; benefits from Apple's spyware notification system
Access Now
Digital rights organization that helps victims of spyware attacks identified through Apple notifications
Lookout
Mobile cybersecurity firm that analyzed Koruna exploit kit code and confirmed Russian-to-Chinese transfer
iVerify
Mobile cybersecurity firm that analyzed stolen Trenchant exploits used in Koruna campaign
TechCrunch
Technology publication where Lorenzo Franceschi-Bicchierai currently works as writer
Motherboard
Vice technology section where Lorenzo and podcast host previously collaborated on exploit industry investigations
404 Media
Journalist-founded publication hosting this podcast; covered Peter Williams case and exploit industry
Bloomberg
News organization where Patrick O'Neill attended court hearing on Peter Williams case
People
Lorenzo Franceschi-Bicchierai
Investigative journalist covering government hacking tools and exploit industry; broke Peter Williams story
Peter Williams
Stole iPhone exploits from Trenchant and sold to Russian company Operation Zero; convicted and sentenced
Mark Dowd
Well-known hacker and founder of Azimuth Security; led company before L3 Harris acquisition
Patrick O'Neill
Attended court hearing on Peter Williams case and reported on exploit theft details
Quotes
"This stuff was probably used for really bad things. The Russian government maybe wanted to find out the position of some Ukrainian troops. They could have used this, and then they could have killed it."
Host, opening and closing
"The mere existence of a company that sells zero days is not interesting anymore. The story now is, what are they doing? Who are they selling to? Did they sell to the wrong people?"
Lorenzo Franceschi-Bicchierai, mid-episode
"He was the general manager. He's the person to ask and to ask for collaboration. Because at this point, maybe Trenchant got hacked. Maybe he got hacked or somebody got hacked and these things were getting stolen by China or Russia."
Lorenzo Franceschi-Bicchierai, mid-episode
"Once these things get out of hands, and especially once you start selling them to these sketchy companies, you just don't know where they end up."
Lorenzo Franceschi-Bicchierai, late episode
"It's very hard to defend against this, but at the same time, it does give credence to the criticism from some of the privacy advocates that nobody developing these things can be trusted."
Host, late episode
Full Transcript
This stuff was probably used for really bad things. And I'm speculating, but I don't think this is a crazy theory. The Russian government maybe wanted to find out the position of some Ukrainian troops. They could have used this, and then they could have killed it. Hello, and welcome to the 404 Media Podcast, where we bring you unparalleled access to hidden worlds, both online and IRL. 404 Media is a journalist-founded company and needs your support. To subscribe, go to 404media.co. As well as bonus content every single week, subscribers also get access to additional episodes where we respond to their best comments. And they get early access to our interview series too, like this episode. Gain access to that content at 404media.co. This week, we're joined by Lorenzo Franceschi-Bicchierai. He is a writer from the technology website TechCrunch. I have known Lorenzo for years and years and years. Actually, all of us have at 404 Media. We all used to work with him at Motherboard, the technology section of Vice. And he really was an inspiration to me. I remember when he published an article about how the Italian government malware company Hacking Team was selling its government spyware to the Drug Enforcement Administration. And I was like, wow, you can figure this stuff out by looking in contracting records and all of that sort of thing. And that got me very interested in the industry. And me and Lorenzo collaborated on a bunch of articles when we were both at Motherboard, including an investigation into the company called Azimuth Security, which you'll definitely hear about in the interview in a minute. But they sell, or rather sold, an array of hacking tools to Western government agencies. They were seen as the quote-unquote good guys in the industry, and that's why we covered them. But as this conversation shows, the company that came after Azimuth, it had something of a problem. A guy called Peter Williams, who sold a bunch of hacking technology to a Russian company.
And it looks like that ended up in the hands of the Russian government and then later Chinese groups as well. There's some nuance there that you'll definitely hear in the episode, but I really, really hope you enjoy this conversation. All right, Lorenzo, welcome to the show. Thank you. Very excited to be here. Yeah, it's funny doing this with a friend. I just said that in another take that we started. But we will try to keep it as professional and rigid and on point as possible. No, obviously, we're just going to chat shit. We are professionals, yeah. We're going to talk about the zero-day industry for a while. So just to lay some groundwork, what is Trenchant? What is this company? Yeah, I think this is a good place to start. But Trenchant is the heir, basically, of the two companies that we profiled, I guess, in 2017 or 18 at this point. Azimuth and Lynchpin Labs. They were sort of sister startups that developed zero days out of Australia, but they had offices in all the countries that are part of the Five Eyes, which is the intelligence alliance made by the English-speaking countries, Canada, Australia, New Zealand, the UK, and the US. And shortly after we wrote about them, actually, they were sold to L3, a relatively large defense contractor, and they renamed Lynchpin Labs and Azimuth into this division called Trenchant. And I think it's fair to say that they are considered one of the best shops in terms of developing, finding vulnerabilities, developing exploits. And because they're part of this U.S.-based defense contractor, they only sell to the Five Eyes. Yeah, I remember going or attempting to go to the London office of Lynchpin Labs, because at the time, as you say, back in 2017, 2018, they were really, really secretive. And the industry sort of back then was, yes, it was coming out and you had like these big conferences where companies would sort of be a little more upfront with the idea that, hey, we buy zero days and we sell them to the government.
These guys were not like that. They were incredibly, not underground, that wouldn't be fair, but they kept themselves to themselves. So we managed to figure out, oh, these are like the best companies for selling zero days and not just the exploits, but the malware as well to Western governments. So basically no one had heard of at the time. Do you think that's why we wrote it? Yeah, I think at the time the market was different. The cybersecurity industry was a little bit different. I think at the time there were still people that didn't want to talk about the fact that they developed zero days. I don't remember when the first OffensiveCon was organized. This is like a Berlin-based conference that essentially gathers zero day exploit makers, spyware makers. I think it was the first big one that was public. So yeah, at the time, Azimuth and Lynchpin Labs were great examples of where the market was. You know, they were relatively public. Mark Dowd was a very well-known hacker. And he was the CEO of Azimuth. Yeah, the founder of Azimuth. People knew what he was doing, but he wasn't like advertising it on Twitter. You know, on Twitter, he was just another cybersecurity guy. And to answer your question more directly, yeah, that was the interest, the public interest in that story was, well, you know, you've heard about NSO Group, you've heard about Hacking Team, but here's this other company that you probably have never heard of, and they're doing even more important work or even more impressive work. And since then, it's become much more normalized. You know, now sometimes a source reaches out and says, hey, have you heard about this company? You should write about it. I'm like, well, why? You know, the existence of a company that sells zero days is not interesting anymore. The story now is, and you know, in part it's always been, but the story is like, what are they doing? Who are they selling to? Did they sell to the wrong people? Did they break any laws?
You know, export laws now are a thing that's much more established, although not super effective. So yeah, now it's just more like, what are these companies doing? Who is behind them? Is there an interesting character behind them? Are they doing anything bad? But the mere existence of a company is not that interesting. And I think the conferences are a great example. There's Hexacon, there's OffensiveCon. Their talks are online. I mean, Apple's head of security research engineering, SEAR team, whatever that acronym means, went to Hexacon to give a keynote, and he finished it saying, please look at your conscience and what you're doing, because if you don't know where your work ends and you're not sure that you're contributing to the good of the world, maybe you should do another job, or maybe you should work for us, which was pretty crazy. I've heard, I think it was this conference, but I heard that talk from Apple made people cry. Not in a, oh, we're being insulted way, but in an inspirational way, people who then went and saw that talk, who really do believe in, you shouldn't sell offensively, you should sell defensively, you should help Apple and that sort of thing. But you mentioned that, yes, stories back then in 2017, and definitely now, as you say, it is much more about who these companies sell to. And as you said at the time, everyone heard of NSO Group, and they sell to various authoritarian regimes, and then loads of other companies, like Hacking Team as well, selling to Sudan, whatever. Azimuth and Lynchpin were interesting because they sold to Western democracies. And we'd never seen that before. So Azimuth and Lynchpin Labs are now Trenchant. They have this reputation for only selling to the, I'm going to say, quote unquote, good guys. Obviously, that has radically changed in lots of different ways. That was just sort of the sentiment at the start. And if you want to be more specific, yes, they sold to the Five Eyes Alliance. So they have that reputation.
But something which you've done fantastic coverage of, something happened which has now, maybe not shattered that reputation, but has like really, really harmed it. There is someone called Peter Williams who worked at Trenchant. An indictment is unsealed. Well, actually, you correct me if I'm wrong, you knew this before the indictment, so maybe you want to take it from there. Yeah, so this must have been July or August. And somebody told me, hey, have you heard of this John Dugan or John something? Apparently, he sold zero days to people he shouldn't. He works at Trenchant. He sold them to some bad guys. I'm not sure if it was North Korea or China or Russia. And I mean, my first reaction was, I don't believe you. I think this sounds crazy. But, you know, the sources that I had were relatively, they were credible. They were people I knew. And so I was like, all right, let's see if this is true. And the big problem at the beginning was that I didn't have the name. It was like John Dugan, John something. So you weren't sure, sort of thing. Yeah. I wasn't sure who this person was, other than the fact that apparently, allegedly, they were at Trenchant. Then I got the name, and it was Peter Williams, which was good to have a name, but it was a very generic name. A lot of people are called Peter Williams. I think what actually at the time made me more convinced that there was a story there was that there was a UK business records website that showed that he had just resigned from Trenchant. This was like 13th of August, something like that, mid-August. And my sources were saying, well, he didn't just resign. He was basically fired because of this. And at some point I heard sort of like a side quest. Somebody told me, well, actually, there was another story that involves Peter Williams, and it's that he tried to scapegoat one of his employees.
At this point, what I heard was that this Peter Williams had stolen some zero days or some exploits, some malware from Trenchant and sold it to someone he should not have sold it. This other story was basically that at some point, Peter Williams tried to frame one of his employees and he launched an internal investigation. They eventually fired his employee. And the other interesting thing about this story was that the employee got a notification from Apple saying, we believe you have been a target of mercenary spyware. Just briefly on that maybe, because you've covered those notifications a lot and they're also quite recent in that Apple will now notify users of its products that they suspect have been targeted by government spyware. What's the deal sort of there? What's happening there? Yeah, this is a huge development in the last few years. What Apple is doing essentially is, when they detect some sort of a spyware campaign, they investigate, and when they determine that it was an NSO Group or one of these companies, they send notifications to the people they believe were targeted. And, well, first of all, this shows you how much Apple can see from a device, which I think it's good. I don't want Apple to tell me if they believe I've been hacked. People on the other side of the fence, meaning the Citizen Labs of the world, the Access Nows of the world, say that this has really changed the game. You know, back 10 years ago, these people, these researchers needed, you know, a random Ethiopian journalist, so to speak, you know, like somebody that they didn't even know to reach out to them saying, hey, I think I've been hacked. And that's like, you know, that doesn't scale. It's very hard to do that kind of work. Now people receive these notifications. Apple actually tells them, please go to Access Now. They can help you. And that has led to so many investigations. And it's led to even investigations that we don't know about.
So Citizen Lab doesn't write about all the investigations that they do, maybe because the victim doesn't want to, maybe because they, I don't know, it's not that interesting to be a public story. Same with Amnesty International. But yeah, in the last few years, because of these notifications, we heard of so many, so many cases. And we don't know how many notifications Apple sends, but we can get an idea by the fact that they say they send to more than 150 countries. And usually they do in batches. So if somebody receives a notification, it means that likely they're part of a group. You know, maybe they're like Catalan politicians and Spain has targeted them or Hungarian journalists and something like that. So yeah, so this Trenchant employee had gotten one of these notifications and it was kind of unclear why, although now in hindsight, we can imagine. Yeah, it's like a complicated wrinkle to the story. So you have this person inside Trenchant, Peter Williams, who you're hearing about. Well, they've stolen malware and maybe they've given it to the bad guys and they're trying to cover it up by blaming this other employee at the company. What do you do with that information and what do you publish before we get to the next bit? Yeah, so once we could confirm the case of the scapegoat, so to speak, we reported that story. And honestly, at that point, it was kind of a strategy. We didn't have the other story. We had the name, but we had no concrete information. There was no indictment. I heard this from multiple sources, but you can't write an article saying Peter Williams from Trenchant committed a crime based on anonymous sources. Like, you're going to get sued, rightfully so. So we published the story, and actually, and this is my fault, I'm not super diligent about checking court records. So I hadn't checked for a while. And again, one of the challenges was that, you know, there's a lot of Peter Williams.
So after I published the story, I think the same day or maybe the next morning, I go to PACER, I check, and there it is, a very recent case involving Peter Williams. I go, there's like a certain indictment. It was a very short document. It identified this Peter Williams, didn't say where he worked. It said he worked at Company One or Company A. And it said that he had stolen eight trade secrets. So there was no reference to Trenchant. There was no reference to L3 Harris. Didn't say what the trade secrets were. I was pretty sure it was him. But again, there's a lot of Peter Williamses. So that was very frustrating. Also, because at that point, I had reached out to pretty much everyone who could know, you know, DOJ, FBI, the Australian Signals Intelligence, embassies. I reached out to everyone. Nobody answered. But the document was there. It was sitting there. And at that point, I knew that other people, other journalists were going to see it. Right. And yeah, then a week later, more or less, we reached out again to DOJ. And this time, DOJ was like, yeah, on background, blah, blah, blah. This is him. This is an L3 Harris employee. So on background, DOJ confirmed that, yes, the Peter Williams you're talking about from Trenchant is the one and the same Peter Williams in this court record, which is just saying sort of vaguely, he allegedly stole a trade secret or whatever. Yeah, now that I think about it, I think actually that document, the most interesting detail was that I think they said that he sold to a Russian buyer. And that was definitely the most interesting part of that document, even though we didn't know who that Peter Williams was. But once we confirmed that that was Peter Williams, we knew that he sold to Russia, which is pretty bad on its own. And that was before we knew actually what happened, which is even worse. And we'll talk about that now.
So that court record comes out, you're building up the reporting, you know, the usual cybersecurity press start looking at this as well, but then we get more information. So what does he do? Because he's convicted of that, right? So what did Peter Williams do? Yeah, I think a few days after the document, more documents dropped. And there was even a hearing that I did not attend, but Patrick O'Neill attended it from Bloomberg. And between the court documents, the new court documents and the hearing, we started finding out exactly what happened. And what happened was even worse than what I heard. Essentially, what the DOJ was alleging, and then he admitted to, so that's what he did, is that at some point in around 2022, when he was already, I think he was already the general manager at Trenchant. So essentially the head of the whole hacking unit. He started taking some trade secrets, which in this case were vulnerabilities, exploits, maybe even, you know, full-fledged products that you could just plug in and deploy. And he sneakily put them on USB sticks, took them out of the offices. I think he took them out of both the office in Sydney and in the US, in DC. So he was doing this like systematically over three years. At some point, the FBI got wind of something, that something was happening at Trenchant, that some secrets were getting out. We'd love to know how they came across that. Yeah, that's not clear from the court documents. And it would be great to know. So the FBI finds out, they go to Trenchant, and they actually go to him and say, hey, we would like to ask you some questions. I think at this point they didn't know it was him or they didn't even suspect. But, you know, he's the general manager. He's the person to ask and to ask for collaboration. Because at this point, maybe Trenchant got hacked. Maybe he got hacked or somebody got hacked and these things were getting stolen by China or Russia. So the FBI approaches Peter Williams. He collaborates.
And that's when we get to the scapegoat. This is like March of last year, more or less a year ago. Trenchant opens an internal investigation. They end up firing this guy. But the FBI is still asking questions. And in the summer of last year, they go back to Peter Williams and say, we know it was you. I don't think people talk enough about how messy it is to actually run an online business, or at least how messy it can be. You start with a simple idea and suddenly you've got one tool for your website, another for payments, something else for email, another thing for analytics, and none of them really talk to each other. It gets chaotic really fast. That's why Shopify exists. Shopify is the commerce platform behind millions of businesses worldwide and about 10% of all ecommerce in the US, from huge brands to people just starting from scratch to 404 Media's merch store. Instead of juggling a bunch of different tools, Shopify brings everything into one place. You can build your store with ready-to-use templates that actually look good, manage inventory, process payments, track analytics, all from one dashboard. And when it comes to actually getting customers, Shopify makes that easier too. You can run email and social campaigns right from the platform. So you're not duct taping together five different services, and it feels like they all talk to Shopify. If you ever get stuck, they've got 24-7 support, which is huge when you're trying to figure things out on your own. Shopify just simplifies everything so you can focus on actually growing your business instead of managing tools. Start your business today with the industry's best business partner, Shopify, and start hearing... Sign up for your $1 per month trial today at shopify.com slash media. Go to shopify.com slash media. That's shopify.com slash media. This episode is sponsored by BetterHelp. You know, financial stress can really affect you more than you're thinking. Maybe you're pushing it down. It's tax season. 
No one wants to deal with it. No one wants to face it. Look, I get it. You know, I've been a contract employee for almost my entire career. Brief stints with W-2s. No one understands the stress of tax season more than me. But if you're worried about it and it's hitting you on an emotional level, that's normal. And sometimes we just need the right kind of support. And that's where BetterHelp comes in. So, you know, BetterHelp is this place where you can get quality therapists that work according to a strict code of conduct, and they are fully licensed in the United States. BetterHelp does internal matching work for you so you can focus on therapy. A short questionnaire helps identify your needs and preferences, and then their 12 plus years of experience and industry-leading match fulfillment rate kicks in, and that means typically you've got the right person the first time. But if they don't work out, you get somebody else. No harm, no foul. And you can do it at any time based on their tailored recommendations. So if you're feeling that strain this month, as I am, you know, get some BetterHelp. When life feels overwhelming, therapy can help. Sign up and get 10% off at betterhelp.com slash 404media. That's B-E-T-T-E-R-H-E-L-P.com slash four zero four M-E-D-I-A. And at that point, Peter Williams realizes there's nothing else he can do but confess and collaborate and hope for, you know, maybe a deal or a more lenient sentence. So, yeah, he admits that actually it was him. He stole a bunch of trade secrets. He gets indicted for eight, but my guess is that he may have stolen more. I don't know if, you know, the FBI didn't have enough evidence or eight was enough to get the sentence that they wanted. We also don't know exactly what these eight trade secrets are. You know, we guess that they were vulnerabilities or even exploits. We don't know for what products.
We can get an idea of what they were from some language in both the press release and some court documents where the DOJ says that this could have been used to hack millions of people around the world. So we're probably talking about iPhone zero-days, Android, Chrome, Windows. So essentially systems that are widely used. These were not like router exploits. So yeah, Peter Williams confesses, the court documents become public and some more details come out and some of them are very interesting. For example, who did he sell to? You know, at the beginning it was like Russian buyer. Turns out this Russian buyer was a company called Operation Zero. And when they launched, they did kind of a stunt. You know, they said, we're looking for zero days for iPhones and Android and we're willing to pay $20 million, which is a big figure at the time. It's still a big figure, but it was like a big attention-seeking stunt. Were they willing to pay that? Maybe. Yeah, I don't know, but they said it. Yeah, I think the context here is that it's already the, you know, the Ukraine invasion is fully, you know, fully ongoing. Russia is like more isolated than ever. And essentially, I think their, you know, their rationale was we need to really offer a lot of money because the researchers that may sell to us are maybe not as many as before because there's sanctions, you're not allowed to sell to companies in Russia, anything. So you need to really incentivize people to do something that potentially will get them in trouble, which is what happened with Peter Williams. And I think actually the dates of when Peter Williams reached out are around the time when Operation Zero announced this. So he probably saw the news and realized, well, that sounds like somebody I could go to. Speaking of money, he made 1.3 million, something like that. So he didn't make 20, but he made some sort of financial benefit. But Trenchant later estimated a loss of 35 million. I guess that's like their value of the tooling.
And then Peter Williams made just over a million, which he then used to buy, what, like luxury watches and that sort of thing? Yeah, some luxury watches. Some watch people realized that some of them were fake. Oh, that's good. Some vacations, a big house outside of Washington, D.C. But yeah, the numbers are interesting because, yeah, as you say, like you didn't get 20 million. But, you know, that's maybe because you didn't have the full chain. And, you know, that's something we can get into. But, you know, these days to hack an iPhone or even an Android phone, you need like multiple vulnerabilities. And you need to essentially make them all work together. You know, it's like a multi-step process. And the 20 million or, you know, the highest rewards these days are for something that works end-to-end. They call it end-to-end, an end-to-end exploit or an end-to-end chain or whatever. So essentially something that you can press a button and it goes from targeting you to now I can see everything on your phone. But for that, you need multiple products. So it's possible that Peter Williams only sold a few, you know, only where it maybe was only able to steal some of that. A piece here, a piece there. Maybe something was from Chrome, maybe something was for iOS. So for some reason, it didn't get paid as much as maybe you would have thought. I think the estimated loss we need to look at it a little bit skeptically, in the sense that I think they're probably also counting, you know, the time, the development time that they need to essentially find new vulnerabilities. So I don't know if like they were worth 35 million, but, you know, it's possible that they were close. Yeah, it requires whole teams of people. Like, you know, back when I was covering this more, you know, that could be a team of like four, five, six, up to like 10 people just focused on like an iOS chain or something like that.
And as you say, if you want to hack an iPhone, let's say it's a browser vulnerability or something, you go to a malicious website and it hacks your iPhone, you're going to need a Safari exploit, you're going to need something to get out of the sandbox of Safari, you're going to need something to get persistence on the iPhone, which as far as I can remember is kind of non-existent nowadays, where if you just turn off your iPhone and reboot it, they can't get persistence, basically. Right. So, but even then, they will still pay so much money even to get something that's essentially temporary, because who turns off their mobile phone? No one does. Yeah. And also, I think another important context to all this is that timing and circumstances matter. I'm sure a lot of the listeners here remember the case of the FBI going after Apple because Apple didn't want to help hack the iPhone of the San Bernardino terrorists. That was a very important case because the FBI actually went to court and tried to compel Apple to help. And in the end, they ended up going to Azimuth and they got Azimuth to help. What I'm trying to say is that in a situation like that, the FBI may be willing to pay more than market rate because it's urgent. They need to get into this iPhone for whatever reason. You know, imagine, you know, this may sound like a crazy example, but it probably happens all the time. You know, there's a terrorist and the NSA needs to know what this terrorist is doing, or they want to hack, I don't know, Vladimir Putin's assistant and they need to do it now. So that's going to be worth more than, let's just get this iOS zero-day in case we need it. And yeah, and so Operation Zero's prices seem crazy, but they're not that crazy. I think the company that is kind of like the bellwether, so to speak, these days is Crowdfense, because they've been around for a long time and they're relatively serious. And their prices go up to $7 million for a full chain for iOS.
And also, you have to remember, these are brokers. So I go to Crowdfense, I give them what they need, I get $7 million, and then they have to sell it. So they have to make some money too. So the end customer will pay more. And they make it into a product. Right. And they make it into something and give it to them. I mean, I remember back when, I think you started writing these, and then occasionally I would write one, then you would write one. But back at Motherboard, it was like, whoa, the hackers are offering a million dollars for an iPhone exploit chain. Then it was three. Then it was five. I remember going to a conference in Singapore that was attended by a lot of people who sell iPhone zero-days. And I think the figure I got from that conference at the time was yes, five million for a full chain. And that was around seven million. And it's almost kind of what you said earlier about, well, we don't just cover companies now for the hell of it. There has to be something to it. I feel like we don't really cover the prices unless it's like particularly outrageous. You know what I mean? Or there's some sort of interesting factor. But that happens. Peter Williams is convicted. And then I believe he was sentenced recently as well. That sounds like the end of the story. But if anything, it's kind of just the start. I will spoil it a little bit. Your reporting has shown that this is connected, very, very likely connected to Trenchant in some form. Looking at all this other activity, I believe it was Google, right, who finds that there is some sort of iPhone malware or iPhone exploitation kit being used in the wild. Tell us about this part first. Yeah, so last year, around this time last year, maybe early 2025, Google finds some sort of hacking campaign targeting iPhones. And they start investigating and they realize that they found something that is kind of unusual, at least unusual to find in the wild. And the way it was used was unusual.
So what was unusual about this exploit kit or hacking tool, whatever you want to call it, it was named Coruna. And essentially, Coruna was like an exploit chain. So a product that included various vulnerabilities, various exploits that could target, at the time, I think at the beginning, they could target up-to-date iPhones. So those were zero-days. And at the beginning, the first campaign that Google found was launched by some Russian government group. They didn't name it. They used one of those very boring names now that it's like UNC, uncategorized, 6358, whatever. I have to very briefly say that I hate that Google calls it UNC or UNC now because whenever I'm looking at it, I'm like, okay, UNC. And it's like, shit, that's what the fucking Gen Alphas are saying. And they're ruining our naming conventions for the hackers. Yeah. I mean, we got used to this stupid, charming kitten and fancy panda bear or something. Can you just come up with a name? Just come up with a new name. I know there's a lot of names already, but it's like these numbers just don't make any sense. So, but they say it's the Russian government, very likely Russian government, Russian espionage, and they were using it in Ukraine. They essentially deployed it on a few websites where you would only get exploited if you were in Ukraine. And I think it's likely, Google doesn't say this, and they probably don't know, because at this point you really need to, you probably would need to look at the devices themselves. But I think the implication was that these Russian spies planted it on some websites and they probably were interested only in a subset of Ukrainian users. Because usually these exploit kits work in phases. They infect you initially and then they look at who you are. They collect some data on your device. And if you are the person that they're interested in, then they deploy the second stage. So I think that's what was happening here.
But it was widespread enough that it was on websites. So God knows how many people visited it. I mean, that's still crazy, right? Because usually when we think of iPhone attacks, it will be, oh, NSO Group sent something through the WhatsApp client. I'm just speaking generally. I'm not talking about a specific attack. Or Paragon did something in iMessage or FaceTime or something like that. And it's very targeted. And yes, although you send somebody a link, they click it, or maybe they just go to a website. Maybe relatively few people would do that, but maybe not. And that is a watering hole attack, right? Where you have all these people gather to a website for whatever reason and they get infected. That is nuts to happen on an iPhone. Like, because that just like, is not supposed to happen, basically. Yeah, it's almost unprecedented. I think you wrote about one of the first cases, which was in 2019, I think. I can't remember that. I literally don't know what you're talking about. I honestly, I forgot too, because the other day I was kind of calling this unprecedented. I was like, is it really? And then, yeah, I found some coverage. This was when the Chinese government deployed also a watering hole attack against iPhones. So the Uyghur, against the Uyghur Muslim minority. But, you know, they're very rare. I think before Coruna, there were like two documented cases, one among the Uyghur community and one in Hong Kong. Obviously, in both cases, probably China. But yeah, this is already kind of crazy. It's like, wow, the Russians had just an exploit kit that also they were willing to kind of burn. Because if you use it like that, you're probably going to get caught, especially now in Ukraine. Ukrainians have great cybersecurity people. They also get help from the international cybersecurity community. You're probably going to get caught. And that's what happened. Google caught you. And this is where the story gets even crazier, because then Google tracks these exploits.
At this point, they're not publishing anything, which I think is interesting for a couple of reasons. I mean, the first one, it makes sense. It's like they don't want to lose visibility. I think maybe at some point they realized that Trenchant was involved and somebody at the US government told them, please don't say anything. This is my theory. I'm speculating, but I think it's possible. But anyway, Google does its job, keeps tracking this campaign. And then it turns out that some of the same tools get used in China by a cybercriminal group. And in this case, they just put it on random websites targeting probably millions of people to steal cryptocurrency. So this thing that went from being a very, a relatively targeted, although you're right, they were not, or at least we don't know, but at the point when Google detects it, it's not like only targeting a few people. It's targeting all the visitors of these websites, goes to China, and it gets used to steal cryptocurrency. And at this point, they're not zero-days anymore. Apple was probably aware of this campaign. They patched some of them. At this point, they're what the industry calls n-days, which means exploits that used to be zero-days, but they still work because some people have not patched their iPhones. I'm going to beef ever so slightly with their definition, and I knew we were going to do this because we always disagreed on these definitions. I would say an n-day is not about whether the user has updated their device or not. It's n-day as in maybe Apple learned about the exploit four days ago, and Apple hasn't pushed the patch yet. But your point stands that it's probably already been fixed or it is being fixed. So it should work on fewer devices. But it's fucking landed in the hands of these Chinese-language cybercriminals. And they're putting it on fucking websites that's going to infect anybody that visits them. Which is somehow even crazier than the previous one.
Yeah, I mean, this is literally unprecedented. It may have happened before and we don't know about it. And some companies have never published that report. But there's never been a documented case of like a widespread, completely indiscriminate targeting of millions of iPhones this way, even though they were not up-to-date iPhones. But this is something that I had no idea about. I just assumed that a lot of iOS devices or most iOS devices, if not all of them, were up to date. But it turns out that there's like 20, 25 percent of people that still have the previous iOS, which to me is crazy. I thought it was much lower than that. Those annoying messages of restart your phone to update it, that sort of thing. I mean, a lot of ordinary people find that really, really annoying. And they're not going to do it. I mean, they're not ideal. But if it's like 80% adoption rate for the latest update, hey, pretty good. But we're also talking a true global scale of the iPhone. So 20% is like an insane number of devices. Yeah, this was unprecedented and kind of crazy that they were burning this, even though at that point it was not zero-days, but they were just like, okay, YOLO, we need some cryptocurrency. Let's see how much we can get. Yeah. I'm going to come back to the Trenchant connection because that's the reporting you did to sort of link all of this together. But briefly on the Chinese stuff, and look, for listeners, for us as well, this is going to be speculation because we don't know this, but I'm just curious what you think. So there is a line between somehow this Russian government agency or authorities or whatever having this exploit kit for relatively modern or very modern iPhones. It then ends up with Chinese cybercriminals who are not officially arms of the state. Who knows if they were, you know, a group that sometimes does state operations and now they're doing financial stuff. Who knows? How on earth do we completely speculate?
How on earth do we think that iPhone chain ended up with the Chinese? Like maybe it went from the Russians to the Chinese. Maybe the Chinese somehow got it independently. I think the timing would indicate it probably came from the Russians. Just like, do you have any wild theories about that? Yeah, I don't think they're that wild, because Google and then Lookout, you know, another mobile cybersecurity firm, and then iVerify, another mobile cybersecurity firm, also analyzed some of this stuff. And they concluded that most of the code that the Chinese cybercriminals were using was the same that the Russians were using. So it just looks like it exchanged hands. We just don't know exactly how, and this is where we can speculate. But I think the Russian government acquired it from Operation Zero. And then, even though Operation Zero on its website says that they only work with Russian companies and Russian organizations, it's possible that they were like, you know what, why don't we get some more money from this? You know, we don't have to just sell it to the Russians. Or they had their own Peter Williams in there as well. Yeah, or at some point when the Russians, where the Russian customers are like, you know, we used this, do whatever you want with it. Or the owner of Operation Zero felt like he gave his friends at the Kremlin enough time to use these tools and decided to sell again, because essentially you're selling the same product twice, so you can make more money. And yeah, so it ended up in the hands of the Chinese. But as you say, I think it could be that, I don't know, somebody intercepted this somehow and took it and wanted to use it for their own goals. I don't think it was like an independent, you know, people finding the same vulnerabilities, because some of the code is exactly the same and it was in English language and things like that.
And then the Chinese cybercriminals added some components to target cryptocurrency wallets and cryptocurrency companies or, you know, cryptocurrency users that have a certain kind of wallet, etc. So, yeah, we don't know how it went from Russia to China. And yeah, we can get into the Peter Williams angle of this at this point, because essentially what we found out is that, you know, based on talking to some former Trenchant employees, some of whom were at Trenchant when this happened, or rather they were working on some of this. Essentially, when Google published the code and showed some of the code snippets in their public report, some Trenchant employees looked at that and said, oh, I worked on that. I recognize that. That's crazy. I recognize the code names. I recognize some of the code. And so they were basically telling us, yeah, this came from Trenchant and presumably it came from the Peter Williams leak. Because the circumstances line up. There's a Russian government hacking group using it. Operation Zero sells to Russia. But then, yeah, we don't know how it ended up elsewhere. One small detail from the court documents that hasn't been really looked at too much, mostly because I don't know how to go further there, but the DOJ says that at some point they found some Trenchant tools being used in South Korea or by a South Korean group or maybe used against South Korean users. So there's another country where you're like, how did it end up there? I mean, it's possible that, you know, a Chinese hacking group targets South Koreans for both espionage and cryptocurrency-stealing goals. But essentially, it seems like at some point it just got out of control. And it could very well be because Operation Zero, while claiming to only work with Russia, was working with God knows how many people and how many customers. Or their own customers then sold it. Because reasons. Maybe the Russians at some point were like, okay, we don't need this anymore. It's getting caught.
It's getting detected. Can we make some money on the side? Who knows? I mean, once these things get out of hand, and especially once you start selling them to these, you know, sketchy, maybe it's a strong word, but kind of, you know, when you go to like even Crowdfense, which is a legitimate company in Dubai with, you know, it's been open for a few years. You just don't know where they end up. As a researcher, you go to them, you give them the tools, they can promise you it's only going to be used by governments or countries or whatever. Do you trust them? I mean, that is the big question when you go to these companies. You just don't know where it's going to end up. It is really, really crazy. And the only parallel I can really think of is EternalBlue and sort of those sort of leaks or data exposures, which for those who don't know, there was this fascinating entity called the Shadow Brokers, which are widely just sort of believed to be Russian, although we never really got to the bottom of any of that, right? I briefly spoke to them over some encrypted messaging app. I can't even remember. It was a pain in the ass to install and use and do all that. It was just like a few emails or whatever, or a few messages or whatever. But they somehow got all of this NSA material. And there was a lot of NSA leaks at the time as well. Maybe it came from those, from leakers as well. It then gets out onto the internet and there's these very, very powerful Windows exploits. They are then picked up by North Korean hackers, right? And they are incorporated into a piece of ransomware, malware, which is then spread all over the place and it causes all of this damage. That's obviously much more high profile, much more destructive. And it was probably a much bigger news event.
But frankly, I am much more interested in this stuff and the iPhone stuff because, I don't know, there's like way more unanswered questions and it is like very much a consumer device, obviously, like Windows as well, right? But the attacks there will focus more on infrastructure and that sort of thing. I think this is the case where once all of those pieces are together in one go, it's really going to blow people away. And it already has, you know what I mean? I just think there are still questions to be answered. Yeah, and this goes back to the beginning of our conversation when we were talking about companies that only sell to certain governments. This is what is not supposed to happen. Like a company like Trenchant and other Western exploit makers and developers, they only sell to, you know, maybe the US or the Western countries because they believe that those countries are going to take care of those exploits and not, well, first of all, they probably don't believe that they're going to be used against innocent people. You know, if you're patriotic, you believe that. But also they probably have to use gifts or some sort of like special devices to send these exploits over. And there's all like this, you know, security clearance things and the security processes. And the whole idea is that these are very precious, they're very useful, and you don't want them to fall into the wrong hands. And what happened here is that this guy had full access to internal networks by design because he's the boss. And he was also a technical person. He used to work at the Australian Signals Directorate. He was a hacker. He wasn't just like a manager, like a business person. So he probably helped develop or, you know, sometimes he looked at the code and he just took it out. And, you know, I think a lot of people have made fun of Trenchant on Twitter and things like that.
And, you know, I mean, this is really bad for their reputation, but to be honest, it's very, very hard to protect against something like this. You know, this guy was very well-trusted, you know, he was a former spook. Like, he was a guy that worked, you know, for the Australian government. Probably because he believed in the mission, you know, he was patriotic, he wanted to do good and turned that career into the private sector, still working for spies and governments who he probably believed were the good guys. And at some point, it was like, you know what? I'm just going to make some more money. I'm going to try to make some more money and I'm going to sell to the Russians. And the context that we haven't spelled out is, or maybe we briefly did, but this is while the Ukraine war goes on. Like this stuff was probably used for really bad things. You know, you cannot kill people with an iPhone exploit, and I'm speculating, but I don't think this is a crazy theory. The Russian government maybe wanted to find out the position of some Ukrainian troops that used iPhones. They could have used this and then they could have killed them. Or spies or informants or anything that's sensitive in the war, because it's not just the soldiers on the front line. There's all of, you know, tons of other people in infrastructure as well, of course, that they could use this sort of thing to target. And he should have known that. He was selling to Operation Zero, which explicitly says it only works with the Russian government and Russian corporations. So he knew that this could be used for bad. But at the same time, from a Trenchant perspective, it's hard to stop these things. He had to use USB keys inside the office. He couldn't just take stuff out of the network.
So it's very hard to defend against this, but at the same time, it does give credence to the criticism from some of the privacy advocates and activists like Citizen Lab, which obviously I respect a lot, but, you know, sometimes they push the narrative that like nobody developing these things can be trusted. And there is a reason why they do it. It's part of their mission and it's okay. But until this case, you could say, well, you know, is it really that bad? Turns out it really can be that bad. Yeah, it can be so bad that someone not only steals the technology, but also it ends up in the hands of the Russians and it ends up in the hands of the Chinese and it infects basically random people on the internet. The only parallel, I mentioned the EternalBlue one, but there was also Vault 7, right, from WikiLeaks, which was a collection of CIA hacking tools or I guess hacking-related material. And that was a malicious insider who leaked that information. Now, of course, I'm sure some people are also thinking about Snowden and they would draw a parallel there. I guess so, but I would say that was in the public interest. And you may, of course, disagree with the scope of the material that he took. But I think there was great public interest in a ton of that material. And it did lead to reform. It was very important to be revealed. There isn't a public interest in stealing hacking tools and then selling them basically to the Russian government via this Russian company. They're totally different. Yeah, this guy was not a whistleblower. He was just trying to make money. One thing that is hard to understand, and only Peter Williams could answer this question, is like, why didn't he just go work in Dubai? The money that he made for this stuff is not that much in the grand scheme of things. Yeah, a million. Yeah, he could probably get a salary close to that working for Crowdfense or some other company in Dubai like that.
And in that case, you don't even have to completely sell your conscience, because maybe they only work with good guys or whatever. So it is really, we don't know why he did it. You know, it's unclear that he had some sort of financial hardship. You know, he bought watches. So it doesn't look like he had to, I don't know, had to pay a mortgage or his stocks went down. I don't know. It doesn't seem like that was the motivation. It just seems like he wanted to make some extra money. And he chose pretty much the worst people to sell it to. Because there's also other exploit brokers. I think my theory here, as I was thinking about it as I was talking, is that it would have been harder for him to go to like some sort of a Western broker because they probably knew him or they knew people that worked with him. So he needed to go outside of the circles where he was known, because also the offensive cybersecurity industry is very small, relatively small. Everyone knows each other. Everyone talks to each other. So he couldn't just go to a friend of his at like, I don't know, a German company or an Italian company or whatever. He needed to go to someone that was willing to do this and also willing not to ask questions, because he approached them under an alias with a, I don't know if they said PGP or something. But yeah, he used like an alias and got paid in cryptocurrency. So he thought that, you know, he thought that nobody was going to catch him. It's still crazy. Even now that the story is out, I still kind of don't believe that it happened, because it's just like, how do you go from working with the Australian government to selling to the Russian government during the Ukraine war? It just seems so crazy. Yeah. Yeah. And I still almost don't believe it, even when you lay it out like that. But that was and is a fascinating story. We'll leave it there for the moment, Lorenzo.
Of course, we'll have you back in the future to talk about more zero-days in the hacking industry when the opportunity arises. But thank you so much for joining us. Thank you. This was fun. Appreciate it. As a reminder, 404 Media is journalist-founded and supported by subscribers. If you do wish to subscribe to 404 Media and directly support our work, please go to 404media.co. You'll get unlimited access to our articles and an ad-free version of this podcast. You'll also get to listen to the subscribers-only section where we talk about a bonus story each week. This podcast is made in partnership with Kaleidoscope and Alyssa Midcalf. Another way to support us is by leaving a five-star rating and a review for the podcast. That stuff really does help us out. This has been 404 Media. We'll see you again next time.