0:02

Let. Me Stop you for it's a heck

0:04

of. A. Bunny Sq

0:06

couple questions and should we are can a

0:09

bar. Yeah, no matter how ahmed

0:11

soccer I'm sorry if a. And

0:14

so we love We Love Talkers! From

0:19

recorded future news, I'm Dina. Temple

0:21

Rest and this is click. Here

0:23

is might drop and extended cut

0:26

of an interview we did that

0:28

we think you might wanna hear

0:30

a little more. Today we're talking

0:32

to Analyst ones John Dimaggio about

0:34

something we found pretty crazy. A

0:37

dark web court for hackers.

0:39

Someone didn't pay you some agreement.

0:42

Go right. Tone take belong your

0:44

own aims You taken to court. Will

0:48

be right back. If

0:56

you're looking for a daily guide to

0:59

cyber security news and policy, sign up

1:01

for the Cyber Daily. From recorded future

1:03

news, it serves up the day's most

1:06

interesting and important cyber stories from our

1:08

sister publication, The Record, and then aggregates

1:10

all the big cyber stories you might

1:12

have missed from news outlets around the

1:15

world. Just go to The Record.media and

1:17

click on Cyber Daily to get all

1:19

you need to know about the world

1:21

of Cyber Security right in your inbox.

1:25

What? If someone you love asked you to

1:27

help them die, what would you say? This

1:30

is the powerful question at the heart of

1:32

the ultimate choice. The series follows the journey

1:34

of Michael and his wife and as they

1:37

grapple with his request to choose the way

1:39

he wants to die. I'm Rob Crib and

1:41

through their story I learned a lot about

1:43

my own family. I hope the shows a

1:46

way to start conversations many of us want

1:48

to have. But rarely do. The

1:51

ultimate choice is out now. i'm

1:58

dina temple mosque And this is

2:01

just here's me. So

2:05

let me just start with the easy one. Could you

2:07

introduce yourself to us, please? Sure.

2:09

I'm John DiMaggio. I'm the chief

2:11

security strategist at analyst one. It's

2:14

a threat intelligence company in Virginia. And

2:17

John is known for a lot

2:19

of things, but recently probably best

2:21

known for something called the ransomware

2:23

diaries. It's

2:26

a kind of multi-volume set of reports

2:29

about the time he spent lurking in

2:31

hacker chat rooms and inside Lockbit, which

2:34

is one of the world's most notorious

2:36

ransomware gangs. I've talked to Lockbit for

2:38

a long time, the

2:40

leader of Lockbit. Lockbit's up. It's

2:42

short for Lockbit Support. And

2:45

he was one of the administrators of the group for

2:47

years, although now he's thought to be in charge

2:49

of the gang, which isn't

2:51

much of a gang anymore, at

2:53

least hasn't been since February. Today,

2:56

we can announce that the National Crime

2:58

Agency has successfully infiltrated

3:00

and fundamentally disrupted Lockbit.

3:03

We talked to Lockbit about all that in

3:05

our last episode. We have hacked the

3:08

heaters. The

3:11

operation had John punch in the air. It's

3:14

been years of work where we haven't

3:16

had a lot of wins. So it

3:18

felt amazing. It felt really good. I

3:20

went out to dinner that night. I

3:24

had a glass of really expensive bourbon. I

3:26

mean, it was a nice night. But

3:28

then John noticed something he hadn't

3:30

expected. It wasn't only

3:32

law enforcement that was punching the air.

3:35

People in the dark web were too.

3:37

When he went down, a lot

3:39

of criminals took joy in that.

3:41

And there was a lot of

3:43

trash talking and what

3:45

almost seemed to be a bit of a celebration. It

3:48

turns out, just a few

3:50

weeks before Operation Chronos seized

3:52

Lockbit's infrastructure, Lockbit's sub was

3:54

an arbitration. In the inner

3:56

recesses of the dark web. What

3:59

you are witnessing... Some

4:01

experts said compared to club

4:03

the bones court for half.

4:09

Sounds. A little off brand tie

4:11

know, but if you think about

4:13

it, even hackers in the dark web

4:15

running criminal enterprises need to abide by

4:17

some basic rules. Like. If

4:20

you do work for someone then they

4:22

promised to pay you. They should do

4:24

so. A. Kind of honor among

4:26

thieves thing. Someone says

4:28

over the years hackers have adopted a process

4:31

to make sure that the basic. Rules.

4:33

Of the criminal world get follow. They

4:35

have a court system one party will

4:37

go in in in post the claim

4:39

of what how they were wronged and

4:41

the other party will then be contacted

4:43

in have the ability to show their

4:45

side. And according to a

4:47

report published by Analyst One, literally

4:50

dozens of complaints go through arbitration

4:52

process every day. The

4:55

proceedings are held in sort of virtual. Apartments

4:57

Convened. Inside some of the most

4:59

established Russian speaking. Discussion. And

5:02

southern. Some have been around for over. Twenty years

5:04

so they are there sir A coveted

5:06

as is the place to go and

5:08

you grow and rank and refutation ah

5:11

has as you spend time there and

5:13

talk in in in in the house

5:15

criminal activities where where people buy into

5:17

what you're doing. So these forums

5:19

with names like X, Ss, and

5:21

exploit actually serve to functions. People

5:23

buy and sell services that someone

5:25

might be selling access to a

5:27

network someone else might have a

5:29

hack into. But if one of

5:31

these deals between them the south,

5:33

there's a way to make things

5:36

right. Hackers can

5:38

file grievances and present evidence.

5:40

Like a beach communication logs. There could

5:42

be database logs that could be victim

5:44

of a seesaw river. it might be.

5:46

They can post all that and they

5:49

share and. Other people on the farm

5:51

can also a. Know

5:53

they're more like peanut gallery and

5:55

jerk. And

5:58

then it all goes to a kind of. hacker version

6:00

of a judge. There's like a

6:02

judge who is an administrator, a senior

6:05

administrator of a forum, who's supposed to

6:07

have this unbiased assessment of it and

6:09

then award a winner of the case.

6:15

And just like a real court, after

6:17

a verdict, there are damages assessed, usually

6:19

in the range of a hundred to

6:21

a few thousand dollars. Once that award

6:23

is determined, whatever they determine needs to

6:25

be paid out, must be paid. And

6:27

if you don't. If you do

6:29

not pay, you are banned from the forum.

6:32

What's even more crazy about all of this

6:34

is the other Russian

6:36

forums follow suit. And just

6:38

to make sure, everyone knows who refused

6:40

to respect the court's judgment and didn't

6:42

pay their fine. They're marked

6:44

as. A ripper, but it basically means

6:46

scammer, which is sort of like a disgrace in

6:49

that community. This

6:55

is what happened to lockbits up in January. Only

6:58

it wasn't a matter of just a couple

7:00

of thousand bucks. Allegedly, there was

7:02

a $10 million payout. Lockbits

7:06

up was planning a ransomware attack, but first

7:08

he needed to get into the victim's network.

7:11

So he partnered with someone who had

7:13

access to that network. And

7:15

they started to discuss payment. The

7:18

broker, John says, wanted to be

7:20

paid upfront before Lockbit executed the

7:22

attack. The only problem was- Lockbit

7:25

doesn't work that way, so he told

7:27

him, no, you'll get paid once we

7:29

have results and victims begin to pay.

7:32

So the access broker essentially

7:34

said, okay, gave him access,

7:37

provided that access essentially for free, believing

7:39

that he would get paid after the

7:41

fact. But allegedly, when the

7:44

$10 million ransom payment eventually came

7:46

through, the access broker asked

7:48

for nearly half the money. $4

7:52

million. That's what he felt

7:54

his cut was of that $10 million. And

7:57

of course Lockbit felt that was a ridiculous amount.

8:00

to that up front, I told you I'd

8:02

pay you but it won't be anywhere near close to that. So

8:04

the access broker took Lockbit's up to Hacker

8:07

Court and won and I guess

8:09

the judge decided that four million was the

8:11

right amount that this access broker

8:13

should have? They did. And then

8:16

Lockbit's up did the one thing that you're

8:18

really not supposed to do. He

8:20

ignored the court's decision. Lockbit now said

8:22

he refused to pay them anything because

8:25

by initiating that case they made their

8:27

whole dispute public or at least public

8:29

to these anyone who has access to

8:31

these forums and reporters ended

8:33

up hearing about it and it was, you

8:35

know, widespread news. That's sort of a sin

8:38

amongst criminals is to put your information out

8:40

there publicly. So if that hadn't happened he

8:42

claimed that he would have paid him something

8:44

but because he did that that sort of

8:47

made him like a rat. It was

8:49

the principle of the thing? It was the principle.

8:51

100% the principle. Yes,

8:54

that's correct. It

8:56

was the principle. Lockbit's

8:59

up was banned from two of

9:01

the major Russian-speaking forums and he

9:04

was marked with this kind of hacker's scarlet letter.

9:06

It is now ordered that you shall

9:08

wear upon your bosom for the rest

9:11

of your natural life the

9:13

scarlet letter A. But

9:18

the sort of surprising thing is that

9:20

for once John says Lockbit's up may

9:22

have been in the right. I mean these

9:25

guys are all unethical. You're all criminals. No

9:27

one's gonna feel bad for you but if

9:29

you just look at it from a business

9:31

and an illegal aspect you can't expect someone

9:33

to come in after the fact and ask

9:35

for a ton of money for something that

9:37

they gave you for free and just had

9:39

crazy expectations. John

9:44

thinks that if Lockbit's up case had gone

9:46

to real court instead of the hacker court

9:48

things might have turned out a little differently.

9:50

You know I've heard both sides.

9:52

I've looked at the evidence. It's

9:55

rare that I agree with Lockbit but you know

9:57

I try to be unbiased in my work. I

9:59

followed the evidence, I do analysis, I don't put my

10:01

own judgment in it. And everything I

10:03

could see was I was thinking about how we would handle

10:06

things here in the US. And

10:08

if you had two parties and you never agreed

10:10

on a price, and then you gave the person

10:12

whatever they were selling, whatever you're

10:14

selling for free, and then expected a specific

10:16

amount after the thing was used or whatever,

10:18

well, of course, there's going to be arguments

10:21

and disagreements on how much that was, especially

10:23

when you're asking for a large amount. They

10:25

should have signed a contract. Absolutely.

10:28

They should have. No,

10:30

but seriously, if they put this in writing and

10:32

you went to this arbitration thing, it would have

10:34

made this a lot cleaner. And

10:36

I don't think at that point Lockbit would have

10:39

had as much of a problem arguing back. But

10:42

that's the thing is there was no agreement. There

10:44

was only arguments. We

10:47

talked to Lockbits up by encrypted message a

10:49

few weeks ago, and he told us a

10:52

version of events that was pretty close to

10:54

John's. He said he

10:56

took that same case to other forums and

10:58

they sided with him. So

11:00

it was kind of a split decision. From

11:06

recorded future news, this has been Mike Drop.

11:09

It was produced by Sean Powers and Kat

11:11

Shooknett. I'm Dina Templerassen. We'll

11:14

be back on Tuesday with an all new episode

11:16

of Click Here. Have a great

11:18

weekend. Looking

11:25

for more of the cybersecurity and intelligence coverage

11:27

you get on Click Here? Then

11:29

check out our sister publication, The

11:31

Record, from recorded future news. You'll

11:34

get breaking cyber news from reporters in

11:36

New York, Washington, London, and Kiev, among

11:39

others. And you'll see

11:41

for yourself why it attracts hundreds of

11:43

thousands of page views every month. Just

11:46

go to therecord.media.