162: Hieu

I want to make sure I pronounce your name right. So can you say your name for me? My name is Hu Min-Roh. Hu was born in Vietnam. I'm growing up in a small town in Vietnam. It's called Camp Rang. I was started to be a hacker when I was very young, maybe around 14 or 15 years old. And then I checked out a couple of cars. You know, wondering about how the internet was working and back then the internet is very expensive and super slow. That's one of the reasons that I started to hack and still a few internet dials per cows to be able to use it without paying anything. That's kind of the my first time I got into trouble when I was like 15 years old. This was around 2004. A time when 56K modems were the most popular way to get online. The way it worked is you dialed a phone number and connected to the ISP that way and they would connect you to the internet. But the ISP would charge you by the minute to go online. Can you imagine that being charged for every minute you're on the internet? That's how it worked back then. You couldn't afford that. So you figured out a way to use someone else's account, basically stealing someone else's ISP connection to get online. And that meant other people were paying for him to get online. And just like a few months, you know, few months using these stolen internet dials over cows. I got kind of a paperwork sent to my house and my parents they got very surprised and then they told me what's up out and then they told them, you know, is related to some stolen internet accounts. The paperwork said that he did $5,000 in damage. And his father had to pay the fees. That's a lot of money. His father was pretty mad and sent him away to go live with his uncle in Ho Chi Minh City. And little did everyone know it was going to be there in Ho Chi Minh City where he was going to build a dark net service. It was going to make a fortune doing it. These are true stories from the dark side of the internet. I'm Jack Recyder. This is Dark Net Diaries. This episode of Dark Net Diaries is brought to you by Flashpoint. 2025 has proven to be a pivotal year for security leaders. It's not just cyber threats anymore, physical risks, and geopolitical tensions are colliding, creating a web of challenges no one can afford to ignore. That's where Flashpoint comes in. As one of the largest private providers of threat intelligence, Flashpoint delivers what security teams need most. Clarity. By combining cunning edge technology with the expertise of world-class analyst teams, their IGNITE platform gives organizations instant access to critical data, expertly analyzed insights, and real-time alerts, all in one seamless platform. From Fortune 500 companies to government agencies, Flashpoint is a name trusted to keep people, assets, and operations secure. To access some of the industry's best threat data and intelligence, visit Flashpoint.io today. That's Flashpoint.io. This episode is sponsored by DRADA. Let's face it, if you're leading GRC at your organization, chances are you're drowning in a sea of spreadsheets every day, balancing security, risk, and compliance in an ever-changing landscape of threats and regulatory frameworks can feel like running a never-ending marathon. Enter DRADA's Agenetic Trust Management Platform designed for leaders like you. DRADA automates the tedious tasks, security questionnaires, responses, continuous evidence collection, and much more, saving you hundreds of hours each year. With DRADA, you can spend less time chasing documents and more time solving real security problems. With DRADA, you also get access to a powerful trust center, a live customizable product that supports you in expediting your never-ending security review requests in the deal process. It's perfect for sharing your security posture with stakeholders or potential customers cutting down on the back and forth questions and building trust at every interaction. Ready to modernize your GRC program and take back your time? Visit DRADA.com slash Darknet Diaries to learn more. That's DRADA spelled DR-AT-8. DRADA.com slash Darknet Diaries. His dad recognized that he was really into computers. And Ho Chi Minh City is a big city that has better schools to learn computers. So he got enrolled in classes and started studying. His parents would check in with him to make sure he was doing a schoolwork. I was learning a lot. I was learning about web programming. I'd be my first website, hupc.com, I remember. He was learning about operating systems, networking, and cyber security all at high school. He really loved computers and was hooked on learning more. I went to the internet cafe to use the internet because internet at my house is very slow. So I went to the internet cafe and the moment I been there, I passed to one of the computer screen. And I saw that computer screen, it's very dark. Some kind of dark background. The font side is very well. Also the color of the test is also like local green color and stuff like that. And I asked the guy, what's this forum about? And then he told me this is about the dark web in Vietnam. Oh, Vietnam's dark web? That sounds interesting. You ready to go there? Q was fascinated by it. He learned how to access it, where to go. For him, it was like finding a whole hidden place online. Filled with really fascinating stuff, hacker forums, forbidden item marketplaces, it really emphasized the power of the internet. This was all unregulated. The government, the police, they can't stop what goes on on the dark web. And that really fascinated him. There's this whole section of the internet, where anything goes. They're talking about hacking, like talking about, you know, like sharing sensitive information. And also like bang, and also some hacking techniques too, you know, like, and it got me, you know, wondering how they did that. Yeah, but so I think maybe a normal person would look at that and say, wow, there's stolen stuff here, there's illegal things here. Maybe this isn't for me. Maybe I should go back to the clear web. Right, that's true. What? You know why we got back then, right? Under crowd forums, very fun though. They always sharing and they don't mind about money. Like they sometimes they hack something, they just pause it for free for everybody. Not really like into business or trading or dealing anything. It's just like sharing techniques, you know. But you know, like, when they got into that, I say man, you know, it's something that, you know, I really wonder when I watch on the movie and TV about like hackers, very cool. That's why, you know, I say, yeah, I want to learn that, you know, I want to be a member in that hacking forums, underground hacking forums. So this became his obsession. How to hack? What are the techniques? Like he would learn about a vulnerability and then use Google search queries to find websites that were vulnerable. And it was like the whole internet opened up to him in new ways. He was finding that thousands of websites are vulnerable to a variety of different attacks. He was just getting into one after another with simple techniques like default passwords and SQL injection. But the extent of the damage he was doing was he's just hacked into the site and put something on the website that said, poned by Hupc, which is the name he was using at the time. And also the name of the website that he made as a teenager. But the whole time he was just curious. Not using his access to make any money or stealing anything. He just like learning and like the excitement you get from getting into places that you're not supposed to be in. It made him feel clever and smart and powerful. And he was teaching others how to do it. After all, he was still in high school. I say a lot of like hacking techniques and that also like social engineering techniques. But the thing that you know, like the more I say, the more the people they know about me, on these underground hacking forums and eventually they they they voted me as an administrator in one of these forums, very popular in Vietnam. And after that, you know, I chon a few a few forums in Russia and even like in the Eastern Europe as well too. So I keep learning but the thinning when really my kid money, you know, before that, it's just straightering for me, serrindinalis, serrindic techniques. From posting on the forums and being an administrator to one of them, he started becoming more known. And so he met a guy, one of the forum users. And this guy's like, he's a synop you. Your ability to hack into websites is actually worth a lot of money. Do you want to team up? Do you want to hack places and give me what you find and then I'll pay you for it? The guy explained how together they can make all this money and he didn't have much money at the time. It was interested. And you know, like when talking about money, when was very young, I say, man, you know, like I saw the people making a lot of money too, by, you know, by using like stolen at the end of the city and really call. And you know, like to make some money and then be able to buy some stuff if it's very cool, like some technology stuff or some new devices, something cool for myself, with them asking my parents. So that's why, you know, I said, yeah, okay, let's do it. And then the guy, he moved to my apartment, living with me and then I, you know, living the night night time. After the school, I started to hack a lot of e-commerce sites. Like places you go to buy things online, like clothes or computers, kitchen items, travel tickets, a lot of these sites back then ran on WordPress or PHP and didn't have the best security. And it's kind of like a numbers game, right? If there are million e-commerce websites on the internet and 1% of them has poor security, that's 10,000 websites that are just sitting there vulnerable way more than enough for someone like Hugh to go through. So the idea was to get into these sites and plant a listener that would capture when someone would enter their credit card to buy something on there. And then Hugh would give those credit card details to this guy he's teamed up with. And the guy will somehow convert the cash for both of them. Hugh was 17 at the time, a senior in high school. And so after school and on the weekends, Hugh and this guy would get busy scouring the internet for a vulnerable site to hit. Back then, a lot of web siren, they used like the language called PHP or ASP, it's contained a lot of vulnerabilities. And then I searched on Google with those keywords, you know, some of the Google Docs that to be able to find out for me on the list of the website. And I put on the customer tool that I program. And then I just clicked scanning and it just called automated scanning for the vulnerabilities. And then it will give me the list of the vulnerable website. And then I will exploit that to be able to obtain the redcon formation. And what was the first site that you made by me is I remember it's located in the UK. Right, that's website is still very popular now in the UK. But I don't want to mention that. That's fine. But yeah, what kind of site is it? Is it a banking? Is it a... No, that's website is e-commerce on website selling like electronic stuff. And in that website, it got single-intraction, very ability. So you found a website to Google doorking in your scans. It tested it for SQL injection. It worked. And what is that feeling like to get into a website using SQL injection? It's got like a goldmine. I say, wow, you know, like this is so many credit conformation. Like a day, I mean, so excited though, like the feeling is got like you can join something. You have a power. You feel like you'd be able to block into anything. If you have time and you have the resource and you feel like you're on top of the world, you know, you can be able to get anything. And I feel like so excited. Like the world is hard to say to explain that. But feel like so happy. So happy. So happy. Do you give each other a high five or a job? We give high five and help. And I say, yeah, we did it. We got it. And I think we'll be able to make a lot of money from this. And not just selling the information, but also like using that. And he's so excited. And we was laughing the whole night. I remember. And we was very young. Back then he was like 18 and I was like 17. And he said, yes, let's do this way. We use all the credit conformation, right? Every day we was getting like slowly around like 50 to 100 trend call from that website alone. And we was playing on the poker website. Of course, they took the stolen credit cards to a gambling website. I should have guessed. No, it weren't actually gambling with it. What they were using this poker website for was to launder the money. See back in the late 2000s, online poker casinos didn't always have this most strict security and verification controls. They were happy to take anyone's money, whether it was stolen or not. So he created an account at the casino loaded it up with as much stolen money as he could. And he might make three or four of those kind of accounts. And then he would have all those accounts join a poker table where his buddy was in and just try to lose as many hands as possible as he could to his buddy. Then his buddy would get all the chips and cash them out at the local bank. This technique is called chip dumping. Now the casino was aware of these sort of things. I would try to spot people doing this. We had to do things to avoid the fraud detection and his tricks were working. And we was able to make like a day like 1000 in 1000 USD a day. And then we split the money like 50-50. I spent on like I used that money to spend on stupid stuff, vocation and also like tucking girls out and you know like easy money, easy gold technically. Can you imagine that setup? A hacked website is supplying them with a constant stream of 80 new credit cards a day and they take those cards deposit the money into a casino move that chips to another player, cash it out and then go spend that money on something fun. Like where do you even focus here? Do you want to get more credit cards or cash out more at the casino or just enjoy a good time with all the money you have? For them it was all of that. They wanted more cards and then they'd be busy trying to drain them all as fast as they could to longer the money. But as he found more and more sites vulnerable to his attacks, he was sometimes stumbling upon whole databases of customer credit card details. Websites shouldn't be storing their customer credit card details like that and this was even a surprise to him but this meant sometimes he could find thousands of credit cards in a single day. Eventually I went back on the undergrad hacking forums. I sell the information. Visa and MasterCard I sell for like 50 cents for one information and American Express and Discover Car I sell for from $1 to $3. That sounds so cheap. For telling me the full credit card information was you were selling that and the people could take that credit card and buy something for a few hundred dollars with that. Right. That's true. They can go on eBay and buy or either they'll you know back then very easy though you can just use the stolen account or stolen bank account or stolen credit card information you debauch it into PayPal and then you withdraw. It's so easy. You just took a few days and a few weeks to be able to get the real money out. Surprise you were selling it so cheap though. Very cheap though. Because so many so much information. That's crazy cheap. Usually cards are like I don't know 10 to $50 per card because theoretically each card should be worth a few hundred dollars before fraud detection kicks in and makes the card invalid. Rarely I'll see them for like $5 or less but 50 cents a card. Wow. And that's what he was selling before because he just had so many because he just kept finding more and more e-commerce sites that were vulnerable to SQL injection which means the websites form field wasn't as secure as it should be right so he can go and type something onto a form field in a website and that triggers the vulnerability and suddenly he can see like whatever's in the database like an admin's password hash and then you could crack that password hash and log into the site as the admin and sometimes that alone would give him credit card details to the site because some sites did not treat their customer credit card data properly. This show everything on the admin panel like you got to do you just click on the customer option right is show you the list of customer and when you click on the red confirmation it pops out of red confirmation. I mean when I hear that I immediately think that's a PCI violation PCI is payment card industry and for you to be able to accept credit cards for your business the credit card company has to verify that you're properly storing customer credit card data if you aren't then you will lose the ability to process transactions can be fine quite severely so you kept focusing on finding more and more sites to hack into and take all the customer credit cards that the site would store in their database and he spent years doing this mostly selling the cards in bulk on the dark web he was finding and selling tons of credit cards. Morning 100,000 red confirmation he gets done with high school and decides he's had enough of this as pockets were overflowing with cash and he knew what he was doing was wrong so he decided to leave town and then you know I saved up some money because I know this couldn't last long we was making like money in a year and it kind of getting harder because they know the chicks right and they fish the Bernalibu teeth so getting harder and I saved up some money I paid for the school fee in New Zealand. His sister was living in New Zealand so he decided to go see her and go to school there he knew that what he was doing was wrong and could potentially get him arrested but he grappled with it like he went back and forth convincing himself it's okay to take these cards like his website should secure their site better and if it wasn't him taking it then it would certainly be someone else taking it so why not me but then flipping it and being like no this is stealing this is illegal I'll get in trouble for this the move to New Zealand gave him a fresh start he wanted to become a good student who was learning computer science when I got into New Zealand I stayed there for a few months not doing anything illegal try to be a good student at the school learning about computer networking and being a computer scientist you know but um things couldn't work out I started to hack in again uh after talking with our few fans of few hackers on the internet and they say you know they need to record and you know and I need money because my family couldn't afford to send me much money so I say yes so let me find out if in New Zealand have some websites that I can obtain the credit card information and I hack into a few uh it can also website in New Zealand yet the same thing you know it's just some basis and vulnerabilities and I got into the database and I got the stolen record he was able to sell the credit card data to make some money but with all these cards he decided to use a few himself which is probably a dumb idea and I used that those stolen really confirmation to buy electronic stuff like laptop and cell phone on um similar like eBay they call it Chami platform I used that I used the stolen credit card on that website and then I got the stuff and then I sell that to to the same platform to Mac money got I learned with the stuff you know like to to get the real cash but uh eventually you know I made a mistake there uh used in the stolen red call to buy the uh news it concert tickets to the ticket master and I bought a thousand and a thousand visit concert tickets to sell to all the people with a cheaper price and then when you bought a thousand concert tickets right I bought a lot and I just resailed that to all the people on the platform but the thing you know like a few of the people they bought mine visit concert ticket they got robbed when they tried to enter the stadium or try to enter the concert right they got denied because this ticket you know is got invalid because it's got a consider as a thought-telling ticket and they got so mad and they got so scared and then they also come back to the law enforcement to the police in New Zealand so the police in New Zealand they fees my account on the platform and also fees my bank account so I got so scared they also call me and call my sister almost a year stay in New Zealand I got into trouble and the moment I got that full call from the law enforcement I got so scared I bought the ticket I ran away I ran back to Vietnam oh boy Hugh was on the run the police were now looking for him but he was able to get away and find refuge in Ho Chi Minh City in Vietnam he escaped the police and didn't suffer any consequences from this lucky break we're gonna take a quick ad break here but stay with us because this is not going to be the last time that the police go looking for him his operation is about to go stratospheric this episode is sponsored by spy cloud with ransomware affecting 85 percent of organizations in the past year and fishing becoming the top entry point to ransomware taking action on your company's exposure has never been more critical I recently visited spycloud.com to check my dark net exposure and was shocked to discover just how much stolen identity data criminals have at their disposal spy clouds new identity threat report reveals that nearly half of all corporate users have been infected by info stealer malware at some point with 63.8 billion distinct identity records now circulating on the dark web the scale of this threat is staggering what's even more alarming is that only 38 percent of organizations can actually detect these historical identity exposures that create ongoing risk knowing what's putting you in your organization at risk from stolen credentials to session cookies to PII it's critical for protecting against identity based threats like account takeover session hijacking yes even ransomware with spy cloud you're never in the dark about your company's exposure from third party breaches successful fishes or info stealer infections read the full report and check your dark net exposure for free at spy cloud com slash dark net diaries that's spy cloud dot com slash dark net diaries you get back to be it now he's around 20 years old at this point you go to see his mother and his father and they heard about his fraudulent concert ticket thing and they were mad they scolded him they shamed him and he was just lying back to them I gave them on the phones promises you know tell I told them you know I will be a good boy and we'll be a better person not doing anything illegal it kind of feel like very ashamed you know so my mom sick was trying a lot but back then I was like 20 years old 19 years old try to be a good person I didn't touch the computer within seismon when they got back from New Zealand and I told with my mom you know I I want to go to Ho Chi Minh City to learn computer science at the university in Ho Chi Minh City my mom my dad you know they call him believe me that you know I'm call a change person and um hopefully this time will be the last chance for me so around 2009 he moved to Ho Chi Minh City and enrolled in the computer science and cybersecurity program at the university but during that first year I went to kind of to hang out with others uh old school hackers in Vietnam they own black head hackers they heard about you know I got problem I got trouble in New Zealand by using stolen red call by saying yes you know that's why I don't want to test computer anymore I got so scared I almost got caught and they told me you know why you don't think about US identity or personal information it should be safer it should be easily to sell that so these hackers were telling him yeah of course you got in trouble for stealing stolen credit cards man don't mess with money the police are gonna get mad if you do that that was your mistake they take credit card theft very seriously heck I bet the US secret service probably has a case open on you what you should have done is gone into the business of stealing the identities of US citizens and sell that not only can you make money doing that but the secret service doesn't give a crap about stolen identities in fact nobody does they'll never come after you for stealing identities especially if you stay here in Vietnam they can't touch you so you should try stealing US identities so he starts looking into it my goodness he thinks the right stealing identities and selling that as far less of a crime than stealing credit cards and just as valuable on the dark web it wasn't sure why it was valuable but if he could get all the personal details of someone like their address social security number phone number work history the type of car they have then people will buy that up like crazy on the dark web so he starts looking around for places that might have all this information on US citizens I didn't tin color in the long term I just see what I've I see it in front of me and the money it's a color blind my eyes and I thought as soupi saver and I'm in Vietnam and this is US identity soupi fi I mean the logic checks out right stealing identities of people and a far far away country don't chance of them catching him in Vietnam right and eventually I spent like almost a month I recon and also doing a lots of ocean to get me a list of only data broker in the US to be able to provide these data data brokers of course they would absolutely have a ton of people's identities okay so if you don't know a data broker is a company that spends an enormous amount of effort gathering up as much information as they can about you here's how they do it number one they'll copy the whole phone book end of their database that's got everyone's name and phone number then they'll take a copy of all the county records this includes who owns which property court records marital status then they'll look at your social media account and scoop up any photos that you have taken of yourself and posted email addresses you list affiliations like which school you went to or place you work like linked in is being scraped by data brokers all day which you personally have told what your skills are to your co-workers are where you work and what you look like now to me that's already spooky enough that someone who would go through all this trouble to get all this data on me by doing all that but some data brokers go far deeper and are way more sinister at getting data on us they have been known to install trackers on your phone which typically just comes along for the ride on popular apps like a data broker may pay an app developer to put a tracking pixel on the app so that they can track people even more this means data broker is often collecting cell phone data which could include your phone number the app usage but more interestingly up to the minute location information some data brokers go even further and set up antennas around town and watch what phones interact with those antennas and they contract your phone's location that way some have been known to put little sensors on roads to identify which cars have passed down that road and take pictures of license plates going by two of course purchasing history is important to them I've heard stories of data brokers buying your purchase history data from retail stores and if you don't know a lot of retail stores are very closely tracking all the purchases you make with your credit card and have a complete history of everything you've ever bought with that card in their store sometimes they even track where you are in the store and what you stop to look at to see what interests you and yes absolutely data brokers are buying up all this data that the stores are collecting on you because this consumer behavior is worth gold to these data brokers why do these data brokers do this why do they go to such great lengths to build databases on us because there's a lot of people who are willing to buy this data your data is very valuable and I'm not talking about selling it on the dark web we'll get to that data brokers often sell their data to law enforcement and this has been a growing problem over time I feel like law enforcement has found a loophole to ignore the fourth amendment as a refresher the fourth amendment says you have a right to privacy from the government the government should not be able to see into your life without a warrant or probable cause but they are through data brokers there's something called a third party doctrine now which says if you give your data to a third party you no longer have a reasonable expectation of privacy from that data so that means if you have money in the bank the bank can share your data with the government without a warrant and law enforcement can purchase your location data from a data broker without a warrant because it's commercially available data data brokers are trying to ruin the fourth amendment and I want you to look a little closer at where this data is coming from yes a lot of it is publicly sourced but a lot is not a lot of data that you think is just private between you and the party you trusted your data with but they're selling that data to others and so if you think it's safe and secure but it's secretly being scraped and sold I would say that spying on you which the government isn't allowed to spy on its own citizens I mean mass surveillance is against the law flat out but they can get away with it because data brokers are the ones doing the spying and the mass surveillance not the government and then they're selling it to the government now I've tried to remove my digital footprint as much as possible but there are still things that I'm forced to do which hurts my privacy and I hate it like for instance anytime I see a doctor I can't do it under a fake name they have a strict policy where I have to prove my identity in order to get medical treatment and then my medical records are being passed around to millions of people HIPAA isn't there to protect our privacy it's there to assist others to get our data the portability part of it means they're making it easy to package up our data and send it to whoever asks for it and there are millions of people and entities that can access HIPAA and patient data second is banks there are laws in place where the banks have to verify who you are before they do business with you know your customer type stuff and the banks are forced to report certain activity to the government so millions of customers banking data is going to the government again without a warrant lastly I hate all this public record if I buy a house get married go to court start a business get arrested all that is public record and it gets abused all day every day because it is I have no choice when it comes to these matters my banking history medical information marital status there's no way to opt out of any of it and data brokers are just licking their lips sucking it up as fast as they can and they're profiting off of it and they're using it to strip away my rights but don't think it stops there data brokers are just companies trying to make money so they have no problem selling your data to Walmart Facebook Google insurance companies credit card agencies ad agencies because all these businesses would love to know more about who you are so they can target you with ads or to calculate the risk of doing business with you these data brokers absolutely do not want you to know they exist they do a great job at hiding their presence in the world let me give you an example i'm going to list eight of them for you and i bet you've never heard of any of these companies yet there's a high chance that all of them know exactly what you're doing right now Merkel locate plus live ramp microbuilt ventel safe graph x-mode social court ventures i certainly don't know anything about these companies but he was learning a lot about them and i find out right there are a few key players in this data this is related to like us and they provide these data to law enforcement to lawyers to private investigator stop like that and i see man it can't be very difficult to get this information you have to prove yourself you have to um being verified so that's why i bought a lot of time like almost a month and i hacked into two different data broker very popular one uh the first one is these uh look at plus locate plus is a data broker that markets itself to people doing background checks and investigations they get their data from criminal records property records the phone book and also gather social security numbers and data birth the first one i hacked into the east the locate plus and the second one is the microbuilt microbuilt collects data on us citizens which includes criminal history employment history address history and social security numbers they also keep records of your utility payments rent payments loan payments and stuff like that to see if you pay your bills on time the big credit euros use this one like experience and aquifax because your credit score is a reflection of how well you pay your bills but not only that landlords use microbuilt employers do background checks on it and lenders look to see how much of a risk you are before doing business with you so the two companies look at plus and microbeaut i hacked them a few times first single injection the second one the five upload vulnerabilities and the touch one cross-size scripting when i got into their database when i steal the customer lockings of their life form and then i used that to be able to lock it into the platform and market queries okay interesting you didn't get into the main data broker database instead he was just able to get into the web portal side of things which had user accounts and that's the people who use the site to do background checks on the cups with he was able to steal some of their logins so now he could log into the site and use it as if he was a lawyer or a cop or an investigator who's been vetted by the site to look up anyone's data i can set your name let's say that you've been living all the city you living and that's all if we pop out the possible people identity related to that name and in that city and you can get the social security number rivalization only 10 years addresses that you've been living even the current one and also you will obtain your relatives your family members right you can also get the information you know these sites charge for their service it's often pay per search kind of thing so when he would search it would go to someone else's bill and he thought if he did a lot of searches on one user then their bill would go way up and then they'd investigate what's going on here and they would find out that he's been using their account and they would shut it down so he would cycle through all the accounts he had to spread out his activity i remember i was using more than 5,000 accounts on my debut alone so with his access he could look anyone up and get their full name made a name phone number email address where they live address history social security number driver's license where they work work history and the win number for their car he decides to build a website to charge users to be able to look up people in this database because so much information then i build a website and then i tool that website i sell to all the subliminal a rattle wall for like $1 for one such kind of $1 for one information one identity by spasily the first week of him launching this website he made $5,000 from people doing searches on it it was an instant hit he wasn't sure why people were using his site to search for other people but he didn't care he just saw the money coming in it was like yeah and interestingly this was the early days and crypto wasn't really adopted so well yet so he wasn't accepting that mcdonnell i didn't use speak on we used uh libyte reserve liberty reserve was sort of like a paypal in the way that you could send money to someone online except they didn't do much in regards of checking people's identities so it became known as the place for criminal transactions around 2010 it was the goes to place for stuff like that for a while so he was getting tons of liberty reserved dollars and they were piling up in his account there then he was using some Vietnamese money mules that he found on the dark web to send them is liberty reserved dollars and they'd cash it out and give him cash and things were looking good for a few months but you know the thing is not stable because the two common did they find out about the vulnerabilities or they shut down and then they also fixed the vulnerabilities kind of mean them you know like we've been playing the cat and mouse game kind of the festival right ability i fired out another one so we just keep hacking and fixing so i got kind of tired he was getting tired of constantly trying to find new ways to stay in the system they were getting good at detecting him and kicking him out so he stops to think about it and he thought you know why struggle to maintain access when he could just become a paying user of the site now micro belt would only allow certain people to use their site you had to be a professional investigator or a cop or in a position that you can be trusted with this data and there's a serious vetting process so he decided well why not try to act like a private investigator and get in step one create a driver's license with a fake name at first i got the license to google but it didn't work i tried to do Photoshop and stop play that but couldn't work out it not good quality okay that didn't work time for plan b trying to impersonate someone who is allowed to have an account there so i did an uh kind of an oceant to gathering on the list of emails address belong to rival investigator and you know when i hacked into my review and low look at plus right i got the email address already i got on the list already so i used that to do fishing i was fishing them you know to a malware so i can got into the computer wow so the five thousand users that he got from micro belt he could see which ones were private investigators and get all those emails and also their data from the data broker to know everything about them and then send them phishing emails and if they clicked the link he would infect their computer with malware essentially giving him access to their computers and when he got access he would look around to see if he could find any identifying documents for these private investigators so he could impersonate them and one of the rival investigators i remember he was living in michigan in the us and they got into his computer to the malware i got all the data on his computer including like the private investigator like even his passport his social security numbers and i got i mean i got everything and back then you know like the people they still got a habit saving all the sensitive stuff on their desktop inside the express it right got like an excel file storing the username and password like sensitive information in that file and i got that file too you know i got all the information they have birth and uh rivalization stop like that so i impersonated as him under his name i obtained an account at uh my rebuild so i got a my debil account officially i was using that maybe a monotone sorry if i doubt this is a fake account so they set that my account so he's realizing microbuilt is giving him a lot of trouble and decides to look at another data broker to maybe register an account there and that's when he found a data broker called court ventures court ventures providing api and data access for the people to mucking curious to be able to obtain the uh us identity oh this is even better he thought if he could get api access to make queries and do searches that's a whole lot easier to integrate into his website they were just like the others they had address history criminal history full identity data and yeah investigators cops fraud detection agencies and cred up euros loved using court ventures to look up people's data he found a private investigator in Singapore and was able to obtain all his details and was going to impersonate him to try to get an account at court ventures i got his license and i being busonese and that guy the arrive in the investigator in Singapore and then i used that to apply the uh court ventures account and i pay for them you know i was dealing with them like real business man you know like i say yeah i was i was doing for big company doing background check for marissa google so i need a lot of curious every month to do background check and they okay with that because i pay for them and i i i told them you know i want to have a good deal and then uh the seal of that court venture company they gave me a good deal like i remember like 14 cents 14 cents for one information so i say yes okay we make an abyss in the contractor like i pay the signature i pay name everything so i send back to him and they didn't verify anything they just keep going like they okay everything okay he got the account he could do searches on people now good good he thought but he wanted that API key so he applied for it and a few weeks later they gave it to him incredible so i got the account man i say oh my god i got the API asset to like almost 200 millions us identity right then and all you need to do you know to integrate that into my website that's all yeah 200 million us citizens details were in this data broker that's like over 60% of all us citizens data that's incredible and at 14 cents per lookup he could sell each of those searches for a dollar on his website his grand plan was starting to come together so at that time my my website is still on the clear web you know like anybody can gain access but most of the clients that i have is also a criminal right world and uh technically i didn't care what they whatever they've been using this identity so i just keep selling um to the a b i up the court venture and i remember every month i was mucking more than 120 paid but month uh usd yeah he really didn't care who'd use the site or why he didn't even ask all he knew is that people liked using it to look up people and he could make a nice profit off it so it seemed like a good business model to him but even though he was making 120 thousand dollars a month he's still a massive bill to pay it's a court ventures every month and um i was paying for court venture every month from 20 thousand to 35 thousand usd per month yeah they happy and i'm happy as well so with what color win-win situation i i keep running that website for over two years and i was mucking more than three million usd by selling the uh us identity it makes me wonder is is is any of this illegal i mean can can you squarely point at who the victim is here in this situation do you know the story of irate jose it's an interesting one um so there's this us grocery store called trader jose it's fantastic i love it a majority of food there at trader jose is the trader jose branded stuff and people get hooked on that brand well up in van koeuvre canada they were like begging trader jose to come open a store here but trader jose refused they're like now we only focus in the us we're not going international so some guy in van koeuvre is like well you know what i'm gonna open my own trader jose in canada why not because if they're not gonna do business here then there's probably no jurisdiction issues or harm should be fine so we cross the border into Washington state buys a ton of trader jose stuff and drives it back to van koeuvre and opens up a little shop called pirate jose he charged more than trader jose did because of the logistics of it but hey people in van koeuvre were happy to get some of their favorite food items finally trader jose was like hey you can't do that and priory jose was like yeah yeah we're in canada your us laws don't apply he was right trader jose had a really hard time getting anywhere legally but eventually they convinced a us court to force a trademark infringement on pirate jose saying the name of the store is too similar to trader jose and they're smugglers so what did they do pirate jose dropped the p and renamed the store to irate jose and they clearly put all over their store we are unaffiliated unauthorized and unafraid trader jose was furious that they stayed open and started banning them from coming into the store to buy stuff they ban the owner who is driving twice a week to buy five thousand dollars worth of groceries from trader jose then he got his co-workers to go to different trader jose and try to buy stuff from there but trader jose started figuring out which stores on Washington they were visiting and buying food in the shop so they would block these other people from purchasing things so irate jose started asking their customers to help stock the store they're like hey if you're going to Washington please pick some stuff up for us at the store as some dozens of people we're now helping stock the shelves at irate jose i'm telling you people really love trader jose stuff and crowdsourcing the buying was working for them a trader jose was putting more and more limits on how much people could buy in the stores that were close to Vancouver the guy who owned irate jose is like bro i'm your biggest customer by far i buy more than anyone else in this store what is your deal we're not asking for anything special we just want to buy what you have but trader jose kept giving them legal trouble and eventually irate jose shut down from the expensive legal fees that they kept facing and again here's a situation where i wonder who's the victim trader jose sure thought it was them but what do you think i mean when i was a teenager i used to buy things from the dollar store and then sell them on eBay for five dollars each if it's legal for data brokers to sell identities of us citizens why would it be illegal for you to buy those and resell them for more this is the part i don't get it's apparently perfectly fine for a data broker to buy and sell identifying information on you as citizens but it's not for you in use case he didn't hack into the site he didn't steal anything he was a paying customer of court ventures i was paying them a lot of money for all the searches people did and they seem to be fine with that happy that he was their customer so he had his little website set up and accepted payment from liberty reserve and users could search court venture database through the api and uh at first that website called the uh us such in dot edfore and then eventually like superget dot edfore and phyget dot me stop like that you know i changed into demand like constantly to avoid like law enforcement and i was selling more than a little more than three million uh us identities living that to use from 2010 to 2012 okay let me do some math okay three million searches fourteen cents per search that's four hundred and twenty thousand dollars that he paid to court ventures and all this which is that's a that's a lot of mining court ventures made off him and that was fine for him because he made over two and a half million dollars in profit after that unbelievable and during two thousand eleven right i dropped out this this the uh the school i don't i didn't study and finish the university anymore because i was thinking that man was making a lot of money every month like i was making up to a hundred and twenty-kate per month what were you using the money for that you were getting maknae is too young to dumb you know like a lot of money i spent on stupid stuff on five star hotel and and and and then visiting class spent a lot of money on like stupid things and i wasted a lot of money for calls and luxury stuff what kind of car did you have i have i was having like three different calls choose our spot calls one of them is uh BMW the convertible one and uh another one is a custom i call like food custom i want that i don't even know that you know what kind of car is it but like kind of like one of the i remember i i used that car to be in a contest for the like good custom i call and i want the price as well too you know because i spent so much money on that call and uh custom my that and five toon that call and the other car that i have is luxury car let's just bring yeah so what did your parents think of all this money i was lying to them you know i was working for um international bank in the us and they hired me to protect the system and also building where their website you know like all the lies you know and when i meet up with all the people kind of the same age even the the people that i know on the street they ask me you know why i am so rich and i lied to them you know because my family was a wealthy family and uh they uh they got everything for me that's why so i i kind of like lines with each other with different stories you know and i kind of very ties though what were the people that were using your sites what do you know what they were why they were searching for people what was the point of them paying for people searches that's good question though the question uh you know like the the answer for this is at that time i didn't care much about how how did they use these information all i know you know maybe they used that to impersonate somebody or even like they used that to bypass the uh really call transaction authentication whatever that's all i know so like he said this went on for years he was able to automate a lot of it so he would only do a few hours of work a week to keep it all going life was going great for him eventually court venture rank they got uh they got sqy by the experience oh interesting in December 2011 experience bought court ventures now experience is one of the three major credit bureaus in the us they create a credit score for every us adult and rental places and loan agencies will check your credit score before doing business with you so experience loved the data that court ventures had on people so much that they just bought it out right i couldn't find what the purchase price was for two hundred million you had a citizens data but i imagine it was in the millions of dollars now after experience bought court ventures the secret service contacted experience and was like you know that company you just bought yeah well we have reason to believe that they are giving data to someone who is illicitly reselling it to criminals experience is like what say that again court ventures never told them this in the trade deal so experience quickly shut down his account and cooperated with the secret service in fact experience was so mad that they sued court ventures for not taking action on this earlier i suspect the lawsuit was because they were misrepresenting their business in the trade deal and so the secret service now had their eyes fixed on you one of the cultural requests from the us secret service you know asking about their status my account the fake account and eventually they shut down my account at a court venture shut down his account entirely but he had a backup plan in case this did happen he had a second account not when he made but when he stole the password to someone else's account and he could use their account to continue to do look ups but he no longer had that API access where he could let me long to one of the company one of the us data procre as well too it's called us searchinfor.com something that i don't remember it's a long name but anyway this this company i got one of the account to fishing attack and i used that to do manually searching identity for all the people who who still need the service he wanted to get another API connection to court ventures this hand searching stuff was just taken away too much time so he starts emailing them hey how come you shut off my API connection i need it back but what he didn't know is that because the secret service were investigating him it was them who was responding to his emails and they was mucking up a story that you know they will offer me a good API connection not only to the us at the entity data but also the UK identity data i say well you know it's a good business calling to good to be true but you know at that time the money just blinded my eyes i say okay you look good but the tin you know they i feel something suspicious going on too something not right apparently there was another guy that was doing the same thing as you also reselling data broker data but the secret service caught that guy who was in the UK and that guy was assisting the secret service to catch other people doing the same so that's what felt off the he was talking to both the secret service and agent named Matt O'Neil and a guy from the UK named Mark who got caught reselling identities his name Mark he still keep communicating with me to email and even call me to i remember to Skype back then and um they say you know they they want they want me to go to the US and also go to Australia or go to Hawaii i say no i don't well i don't want to go there but uh Matt O'Neil and Mark they collaborate together and they lure me to warm they told him if he can meet them and warm they'll give them all the things he needs for his API access and they made up a story of why they need to meet him in person something like well the big boss really wants to meet one of our best customers and we can get the contract signed right then and there and and then we can open the big party you know so we can have fun together and then you can fly back to Vietnam everything good so he decides to fly to Guam which is kind of near Southeast Asia he figures it's the closest option that they gave him and looks safe you know i didn't do any research while Guam i thought it's just like an island no big K and uh i heard that some of Vietnamese people they live in over there as well too maybe it's fine you know if any problem I will you know go to talk to my people asking for help and then i bought a ticket and then i went to warm with my sister because back then you know back then my English is not really really well and um i went there with her together and the moment i landed at the international airport they escorted me to US custom office and that moment that that right moment you know i i just feel like man something going on something fishy yeah and then they they told me sit down here you know we want to talk to you a little bit and um i was so nervous car like i was trembling you know like man and i was shaking i said man something something not right they put a stack of the paper like i remember like maybe like 10 inches thick very thick documents and they told me you know we know about about you we know everything about you maybe more than your family knows about you and that's the moment i said man it's over it's over and that's it i feel like i was on top of the wall and right now i call like i was living in hell and that's it they sent me to the jail in warm after that and they sent my sister back to Vietnam i i told with the prosecutor and the US secret service agent i say my sister had nothing to do with this is all about me so they released my sister and um i was uh staying in the jail in warm for like modern a little modern tumult and then they sent me back to the mainland the US mainland to many different general they sent me to Hawaii to lots lots of anshelas Nevada they sent me to okohama, New Jersey and then New York and then New Hampshire New Hampshire is where his case was going to be tried so that was his final destination and he was stuck in prison through the entire legal battle apparently the US prosecutor who first investigated him was in New Hampshire and so that's why his trial was there reflecting back on how he got caught he has a few theories first people in spraying crebs a cyber security journalist who did an article that said how criminals can look up people on the dark web and his website is listed there and so he thinks that's how the secret service probably first learned about my website and on his website you made a few mistakes the first week of having it he used a hosting provider but registered it under his real name but then he changed the registration to an anonymous name but those past records are still visible second he used to have his personal email address on the website for contact details so these slip ups would have easily traced someone to Hugh and i also believe that secret service probably used his site did some searches on people and then tried to correlate that with the logs at court ventures to pinpoint exactly which user Hugh was using for his site but this whole time he wasn't sure exactly why he was arrested he was paying for these searches and full where's the fraud here where's the crime but it wasn't until after his arrest where he learned what people were using his site for the uh federal court they told me you know the information that i stole and also like say that to other people they use it then for tax return that's something new to me i never know that you know tax return and then i i find out what tax return and then it's very serious what people were doing it was going to Hugh's site looking someone up getting all their details and then trying to file the taxes for that person see here in the US we pay taxes to the government all year and typically people overpay on their taxes so they get a big return come tax season so a lot of americans get a check for maybe a few thousand dollars every year from the government because they've overpaid on their taxes well criminals know this so they file tax returns on other people and they put on there that they should get a two thousand dollar refund and then the IRS processes the tax filing and they look at it and it looks a jet and sends this person a two thousand dollar check and when the real person goes to file their taxes the IRS is like oh no no no you have already filled it out we've already sent you a check and now suddenly there's a bunch of americans saying oh no i didn't give me my money and there is a big problem so the secret service was investigating this because Hugh's people search engine was complicit in helping criminals defraud a lot of american citizens and apparently there were a lot of people in new hampshire that someone stole their tax return check and you know i got so much information and it turns kind of like thousand and thousand victims in new hamsy okay there's the v word victim we found a victim the people of new ham sure who didn't get their tax refunds okay sure their victims of identity theft i'll give them that but typically the IRS will understand and pay them anyway essentially giving out two refund checks so this makes the IRS the victim but then you could say no it's the US taxpayer that's the real victim because this is money that's just lost and it drives me nuts how much money the IRS loses on this every year like every single year the IRS will give out billions of dollars to criminals submitting tax refund scams and i just have to ask IRS when are you going to take this problem seriously your world class at collecting our money but terrible at distributing it to the right people billions of tax dollars are lost every year because a criminal asked you for money how is this acceptable so what were your charges because i'm i have no idea what you're actually guilty of still yes um technically you can read that on the u.s. court uh red course okay fine well all right he's charged with three items here all three are violations of the cfa eight figures right the first specifically says he used a data broker in a way that they didn't authorize him to use it's against their terms of service to resell the data that you're given access to or to impersonate someone to get an account there and he did that he absolutely violated their terms of use and that is what the secret service is saying he's going to prison for unauthorized access which we can guess means that he impersonated an authorized user which is against their terms of use you know how many of us violate the terms of use on websites we all do all the time like if you ever let someone use your Spotify or netflix login that's the same violation unauthorized access he's being charged with that sort of thing second item specifically it says he's personally gained money from violating his access and the third item is that it was in excess of five thousand dollars so all three of these are cfa violations and it drives me nuts that if you violate a website's terms of service it's a federal crime i don't know why it's not just a civil issue a problem between you and the website like why is it a federal crime i think this site has grounds to terminate you ban you and probably even sue you for violating their terms of service but prison time i think that's just going too far but that's how it is it's a federal offense to violate a website's terms of use and i'd be remiss if i didn't mention Aaron Schwartz here Aaron was an MIT student and because he was a student he had access to academic research papers through a place called j-store well he thought this information was so valuable to the world that he was downloading it and publishing it for free the world should have this academic research not keep it exclusive only for university students but j-store was pissed they called the feds on Aaron for violating their terms of service and the doj charged him with thirteen felony counts and he was facing 35 years in prison they told him look if you take a plea deal you'll probably only do six months in prison but he absolutely did not want a felony on his record a felony for violating the terms of service the pressure was too much for him and Aaron killed himself so after that politicians were like whoa whoa whoa why does the cfa have it written in there that unauthorized access to a website is a federal crime people are dying over this just because you violated a website's terms of use should not be a federal crime and so Aaron's law got proposed which asks to change the cfa to stop saying that a terms of use violation is a federal crime but sadly the law didn't get passed can you tell I hate the cfa see here I'm upset about this because first of all these data brokers are collecting data on us without our permission and so there should be they should be the ones that are doing illegal things second of all they're selling this data for 14 cents per lookup you're selling it for one dollar per lookup yeah so it's the only real thing here is that you're saying hey I'm just up I'm doing an upcharge for this and giving access to more people it's not really stolen data it's actually paying for the data as you're using it and you're right the unauthorized access is the cfa violation and I can see them saying that but in my I'm still frustrated about this because you didn't do any money laundering in the US so for them to say you didn't money laundering there it's not true you did that in in the right now Vietnam so I'm just frustrated on your behalf I know but the thing is it though that's how it's worked and also the the damage amount that they put in my case is very huge like over 60 millions USD the prosecutors were saying he caused $60 million in damage and of course they didn't explain how they came to that number it's kind of impossible to look through 3 million lookups on his site and then connect that to what identity theft crimes happened for those people and then add up how much money was earned from that and anyway all that was secondhand none of that stolen money was done by Hugh so they likely just made up some number but he's not the one who did the identity theft he's not the one who did tax fraud scams so it's maddening that they're saying he's the one who's responsible for all that damage like Hugh is a criminal he is the bad guy here okay I'm not trying to say he should have gotten off he absolutely did break the law what I'm saying is that this is the wrong law to be charging him with because I hate when the CFA is used like that they tried to say he was also in trouble for money laundering but he didn't do any of his money laundering in the US so I'm not sure if that one even flies but like none of his charges were for any of the credit cards he stole or drained all those sites that he hacked into back then there's nothing about all that concert tickets that he bought and then essentially scammed all those people like those are easy charges to slap him with yet they're completely absent here there is a law around identity theft but I think it would be hilarious if they charged him with that since that's the whole business model of what data brokers do already right they work every day to grab as many identities as they can without anybody's permission and then sell them and not only that he didn't steal the identities he paid for them so the theft part would be in question too I think the proper crime here that they probably should have charged him with is that he was knowingly helping criminals conduct crimes right like aiding and abetting and conspiracy that sort of thing he knew his site was used by criminals and they were his favorite customers because they would pay for tons of searches so he was catering to them making it easier and better for them to use his site so while he didn't do any of the tax fraud himself he did help a lot of people do it but he wasn't being charged with aiding and abetting he was being charged with violating the terms of service of a data broker where he was impersonating someone else to get an account there but the thing is the feds would have a much harder time proving his site was intended for criminal use compared to simply giving him a CFA violation which is easy to convict someone of like I said we all violate the CFA all day every day so in my opinion the feds charged him with the wrong crime because of the almost guaranteed win for them as opposed to charging him with the right crime and then struggling to find evidence to prove that he did that and by the way while the fed said that he caused $60 million in damage nobody was asking for restitution there none of the data brokers were saying he caused them damage so if he did do all that damage find that victim and bring them into the case because here's the thing I'm looking at the indictment and there's not a single company name or victim name listed at all of course not because the data brokers want to hide from you so the only thing listed there is company A headquartered in New Jersey and it said he did an SQL injection on company A well by doing a little bit of research it's kind of easy to figure out that the data broker in New Jersey that they're talking about is US info search which he did in fact steal credentials and use dad's site but not much at all I mean it was such a small blip in his story that it's hardly worth mentioning yet that's the company that was saying he got unauthorized access to but here's the thing here's how it all connects court ventures was partnered with US info search if you are a paid court ventures user and you look someone up they had a connection to US info search so you'd get results from them too and I'm just connecting the dots here but that sounds like to me that court ventures was reselling data broker information that they got from US info search like certainly whatever deal they had with US info search they were selling that data for a higher price to their own customers right you see my point this story it's pretty bizarre so you could say this company listed in the indictment US info search was the backend and provided data to court ventures and it's US info search that the US government is saying he got unauthorized access to and profited off that access you say the victims were the people who got their tax fraud or whatever stolen but I really think the victims are the people you were stealing from right locate plus microbuilt and the suspension you're finsure and I think those are the people you were robbing or attacking and I'm surprised they were they part of the case at all that they come in and testify against you or or give evidence no no I don't I didn't see anybody from this company but I can't I just did you have a good lawyer I I pay for the lawyer like I spend like almost more than I think up to 700 paid wow yeah for the lawyer because I would have fought to say yeah you're saying that he caused 60 million dollars in damage however he did not actually do any of that damage he just gave the information to someone else and someone else did the damage he never did a tax fraud so you can't say he's the one who did tax fraud it's like if I sell you a lighter and then you say you take that lighter and you burn a building down with the lighter I'm not in trouble for selling you the lighter the person who burned the building down is that's true but you know back then you know like a lot of people told me the same thing you know I shouldn't keep you know I shouldn't I shouldn't hide I shouldn't hide the lawyer I should keep that money yeah but you know like my family you know they sold water and they just look up on the internet you know oh yeah this is good lawyer like good good good rating like five star rating international lawyer whatever in New Hampshire you know like professional one and yes that's that's what happened I remember like every time the lawyers and hit team meet me up like every every time like that it cost me like five to ten thousand USD and an email I sent to him on the on the lawyer team like it cost me like two or three hundred USD for one email I know lawyers are so rich but we're so expensive I know it's very expensive but you know it's it's it's why is it you know easy money easy gold so I'm I'm for real you know I I don't really complain about it like because I end up at the end of the day it's it's called a dirty money you know another thing that really bugs me about this whole thing is neither micro belt locate plus or court ventures ever told their victims that there was a database breach no they never say that even until now I saw the bottom and they never mentioned anything about it even though it's it's really happened to them what's complex I just I have no sympathy for these data brokers I absolutely hate them they take my data without consent I can't even opt out if I want they don't protect it and when it's lost in a data breach they don't even have the decency to tell me that my data that they gathered on me got loose he was desperately trying to get his lawyer to help him but here's the thing there's a 99% conviction rate when the feds slap you with a CFA violation in all the cases of the feds accusing someone of a CFA violation I've only been able to find two or three cases that the defendant actually won the rest were people pleading guilty or found guilty in trial so the chances of you getting off or slim to none he tried to fight it but everything they tried just kept getting denied by the courts and after a few years of fighting you got tired it was running long cash you know my lawyers explained to me you know I may lose the trial I may get up to like 45 years in the therapies in 45 years and it got so right I got so scared all the charges like all combined together and I'll only from new Hampshire right but also from the from New Jersey as well too so I got two two two criminal charges from New Hampshire and New Jersey so they all combined together and they they say up to like 45 years if I lose so so my family and me was so scared so we play a kind of we play a plea deals and yeah I played guilty during a summertime of 2015 guilty guilty of doing $60 million in damage when your your sentence came up or during a plea deal did you offer to give up your money to reduce the sentence like and where how did that go oh yeah my family also asked them you know like they want to give back all the money but they say no they don't need that really they don't need money they don't need any assets and they don't need anything so it's it's why it's so but to think you know I spent a lot of money on lawyer on you know like during my incarceration as well too you know like for fools and medication and stuff like that so they didn't force they didn't take any of your money or property or cars or anything no they didn't care it's like the only thing I just want you there's a one me after pleading guilty he was sentenced to 13 years in prison 13 years for getting access to data broker data which he wasn't authorized to access at this point I'm wondering what if instead of you accessing data broker data to sell that what if he just made his own data broker business you know for anyone to access would that be illegal like if you copied all the data out of the phone book and all the court records and the county record and scraped some linked in data to build complete profiles on millions of people that's all public information right and it wouldn't have been that hard for him to do because he's a clever guy are there laws that he would be breaking if he sold that data I guess what I'm wondering is are there laws that data brokers have to follow well I had to stop and look into that basically yes there are data broker laws and often states regulate them and the gist of the laws is that data brokers have to prove that they aren't selling their data to criminals I mean think about all the dangers household things we probably all have right box cutters a hammer matches lighters gasoline bleach these are all things that can cause a lot of harm a destruction right yep when you go to buy them the store doesn't verify your intent they're not like hey what are you going to do with that box cutter you have to prove to us that you're going to put it to good use yet that's how data brokers treat their customers their customers have to show proof that they have a legitimate reason to search their data and they're on the approved list of okay people apparently it's not good enough for data brokers just to say hey you can't use this for malicious intent they have to verify every single user to try to prevent any of them from using the data maliciously so the approved list is people like law enforcement marketers investigators loan agencies those sort of people and that distinction is very fascinating to me data brokers are legal but only if they sell their data to an exclusive group of people and I don't like that not one bit I mean of course I don't like that there's a business out there buying and selling my personal information that's gross could get a real job all right but I think I might have a hot take here I don't like that they only sell their data to a certain group of people I wish they sold it to anyone only people in some exclusive club can look up my data a club that I'm not allowed in I mean the reason why states regulate data brokers is because if anyone could search those databases then we'd all be flooded with scammers and identity thieves and stalkers but to me that's not the problem to me the problem is one I don't even know how much data those data brokers have on me and two I don't even know who has my data like if I could somehow feel distinct and pain every time my privacy is lost I would take my privacy way more seriously so like I know there's probably apps on my phone that are sending real time location data right now to a data broker and if someone took that data and saw where I was and came to my house and knocked on my door of course I wouldn't answer because I never answer my door but I just imagine them continually pounding on the door like hey I know your home answer the door your phone is sending me real time location data to me right now I'd immediately be like wait what app is sending you my location data and I think having a scary moment like that would absolutely force me to uninstall apps that are tracking me so my heart take is that stalkers aren't the problem here it's the obsessive collection of my data that's the problem if data brokers open themselves up to let anyone search their sites we'd all be way more private and secure because we'd all be taking huge steps into protecting our privacy way more seriously when we don't know what's out there we don't think it's a problem and they're trying to hide that from us of course the data brokers say they take our privacy seriously and security is their top priority yeah well until it isn't you got into four different data brokers all by himself and it didn't look like it was that hard for him to do not only that there's a news story after news story of data brokers getting hacked into the biggest one is when Equifax got reached if the data brokers were so worried about their data getting into the wrong hands like scammers and stalkers then don't collect it at all because if there's one thing I've learned about doing over 160 episodes on hacking is that you will fail at securing your network and data at some point there is no saved way to collect and store my personal data much less sell it the regulators think forcing data brokers to vet every user is stopping criminals from accessing the data but clearly criminals are in fact accessing the data since when do criminals follow regulations so really all the regulations are doing is stopping people like you and me normal citizens from being able to see what's in there there are so few people who truly understand what is happening in this data broker world since they like to operate in the dark and the shadows of the internet and they work hard to keep everyone else in the dark I want to believe that someday privacy will be in style again and we just need enough cool people to tell us it's worth wanting because data brokers has a bad aesthetic surveillance is sterile it's cold gray and depressing there's nothing cool or romantic or aspirational about being trackable down to when you're peeing or having sex or eating or sleeping yet these data brokers are feverishly trying to know all of that about you and build a complete behavior profile on you and then selling that to millions of people who are on the allowed list I hope someday wanting privacy doesn't make you a weirdo but it makes you cool Q was sentenced in 2015 which meant he'd get out in 2026 because he already spent two years in prison by that point and it was there in the new hamster prison where he learned English and studied all kinds of things the police asked if he could share his story with others to teach them how the dark networks and all that so he cooperated and told his story it was trying to self-rehebiliate to get out early but when he was in prison he heard some news which really crushed him that Liberty Reserve website was seized by the feds and the owner was caught I heard on the news that he got caught and the thing is Q had a lot of money still in his Liberty Reserve account but when the fed seized the site they seized all that money too how much would how much did you lose there I was saving up over there like little more than 300k wow you know I was thinking man I will go home and they will get that money but you know the moment I heard on the new year in mine in Custard Ethan Tam in 2014 or 15 and I say man it's over no more money so he continued serving as prison sentence staying out of trouble because he had good behavior they let him out early after serving seven years in prison they let him out in 2020 there was a lot of complications getting out of prison in the middle of a pandemic so it took him eight months to get home after he was released but he eventually made it back to Vietnam when you got home in 2020 did you have money remaining from all this I still got a little more than 50,000 USD and one apartment when he got home he got a job with the Vietnamese government to help with their national cyber defense they so called it NCSE the National Cybersecurity Center and been working day for like four years I just I just left NCSE just five months ago because you know like the government they they should they should show the agency and that's why I left NCSE and right now I just trying to to many focusing on cybergram investigation and I love hunting cyber criminal technically and to the day I got home until now I was having law enforcement in Vietnam and others country as well to arrest more than 200 cyber criminals he says he also enjoys helping victims of scams and identities left by educating them on what options they have and helping them regain control of their life and use the law to help them out in fact it sounds to me that he feels pretty bad for all the people who got scammed from his service I feel like you know I all a lot to the people it basically the people in the US I got like I hurt and harm so many people life and I got like always feel ashamed about it so he wants to be clear that he is sorry for anyone whose identity got stolen and lost money from his website he truly feels bad about it and has apologized publicly multiple times and wants to try to do what he can to correct the wrongs he's done which is why he's helping victims now and works with law enforcement to catch cyber criminals in his home country thank you so much to you Ming no for telling us this incredible story this one was wild I had to stop and think like multiple times while making it and I love a good story that puts me in deep thought like that and I hope it did for you to I recently read a book about data brokers which was extremely eye opening and I encourage you all to read it is called means of control by Byron Tau check it out it's a total page ternar you will not see the world the same again after that don't forget you can pick up some really cool shirts at our shop I guarantee you will find a shirt you love there go to shop dot darknet diaries dot com this episode is created by me the hack street boy himself jack recider our editor is the hash slashing Tristan ledger mixing by proximity sound and our intro music by the mysterious brake master cylinder they say if you don't pay for it then you're the product but what if you pay a data broker to look up your own data what then hmm this is dark netiaries