They had no idea.
Thursday, January 30, 2020
Dave shares a particularly exposing sextortion scam. Joe has a story of a million-dollar scam that targeted college students in Miami just trying to pay their tuition. The catch of the day comes straight from The U.S. President. Later in the show, part two of Carole Theriault’s interview with Jamie Bartlett, the brains and host behind The Missing Cryptoqueen, an amazing BBC podcast about trying to get to the bottom of the OneCoin scam.
Links to stories:
Jamie Bartlett: [00:00:00] It destroys relationships because people recruit their friends and family into the scam in good faith. They believe it. They think it’s real. They get that family to invest. When it’s revealed to be a scam, they’ve got to explain to their family that they’ve lost their money.
Dave Bittner: [00:00:16] Hello, everyone. And welcome to the CyberWire’s “Hacking Humans” podcast, where each week, we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I’m Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.
Joe Carrigan: [00:00:33] Hi, Dave.
Dave Bittner: [00:00:34] Got some good stories this week. And later in the show, part two of Carole Theriault’s interview with Jamie Bartlett. He’s the host of “The Missing Cryptoqueen.” That is the BBC podcast that tried to get to the bottom of the OneCoin scam.
Dave Bittner: [00:00:47] But first, a word from our sponsors, KnowBe4. So what’s a con game? It’s fraud that works by getting the victim to misplace their confidence in the con artist. In the world of security, we call confidence tricks social engineering. And as our sponsors at KnowBe4 can tell you, hacking the human is how organizations get compromised. What are some of the ways organizations are victimized by social engineering? We’ll find out later in the show.
Dave Bittner: [00:01:20] And we are back. Joe, why don’t you start things off for us this week?
Joe Carrigan: [00:01:24] Dave, this week, I have a story from David Ovalle – the Miami Herald.
Dave Bittner: [00:01:27] OK.
Joe Carrigan: [00:01:27] He wrote about a scam on WeChat. Now, for our American users who may not be familiar with what WeChat is, it’s a Chinese Facebook. You can think of it as Chinese Facebook. However, it’s much more than just Facebook. They do payment transactions through there, and there’s all kinds of different networking things. It’s got a billion users, right? It’s like Facebook Plus Plus. And it averages a billion users a month.
Dave Bittner: [00:01:50] Really at the center of a lot of everyday life for a lot of people in China.
Joe Carrigan: [00:01:54] Right. And Chinese people outside of China as well.
Dave Bittner: [00:01:56] OK.
Joe Carrigan: [00:01:57] Right?
Dave Bittner: [00:01:57] Yeah, yeah.
Joe Carrigan: [00:01:57] Because that’s who this story affects.
Dave Bittner: [00:01:59] OK.
Joe Carrigan: [00:01:59] So the scammers targeted college students at the University of Miami by offering them a tuition discount for the tuition that they had to pay to the university. So the students didn’t have to pay anything upfront. So the scammers would say, just give me your login to your account portal where you pay your tuition. And the students, if they gave them that, they would log in, and the students would see that their tuition had been paid.
Dave Bittner: [00:02:22] Really?
Joe Carrigan: [00:02:23] Yep. Then the students would send payment to the people who pay the tuition, but they’d send, like, 15% to 30% less. So there’s a financial incentive to pay the tuition to this discounted service. It’s like some kind of service that – I don’t know how they present it to the Chinese students. But they would offer them the discount. And of course, if the students would see that their tuition had paid in full, and then they’d happily pay the 85% or 70% of their tuition to the company that paid the tuition.
Dave Bittner: [00:02:50] Right.
Joe Carrigan: [00:02:50] But then a couple of weeks later there’d, be a clawback of that money – right? – because that credit card charge was fraudulent.
Dave Bittner: [00:02:55] Oh.
Joe Carrigan: [00:02:56] So these companies are using stolen credit cards to commit fraudulent transactions, then collecting real money from these students. And then the students are out most of their tuition money.
Dave Bittner: [00:03:06] I see.
Joe Carrigan: [00:03:07] Right? Because university, when they have the transaction challenged, they essentially say to the student, well, you didn’t pay your tuition, right? Because now you still owe us the whole year of tuition.
Dave Bittner: [00:03:17] Because the university ultimately did not get the money.
Joe Carrigan: [00:03:20] That’s correct.
Dave Bittner: [00:03:21] Wow.
Joe Carrigan: [00:03:22] Right.
Dave Bittner: [00:03:23] Interesting. So the student gets this message. They give their login information to the bad guys.
Joe Carrigan: [00:03:29] That’s right.
Dave Bittner: [00:03:29] They pay the tuition.
Joe Carrigan: [00:03:30] Right. And the student sees that the tuition is paid in their account.
Dave Bittner: [00:03:33] Right.
Joe Carrigan: [00:03:34] And then they send the money – a portion of the tuition, a large portion of the tuition to these scammers.
Dave Bittner: [00:03:39] And that money, they don’t get back.
Joe Carrigan: [00:03:41] No. In fact, there is a quote from the University of Miami police detective, Thomas Carrigan.
Dave Bittner: [00:03:45] I’m sorry, who?
Joe Carrigan: [00:03:46] No relation.
Dave Bittner: [00:03:48] (Laughter) I’d say it’s your long lost cousin, Tommy.
Joe Carrigan: [00:03:54] It’s funny. I do have an Uncle Thomas that lives in Florida.
Dave Bittner: [00:03:56] OK.
Joe Carrigan: [00:03:56] But not in Miami.
Dave Bittner: [00:03:58] OK.
Joe Carrigan: [00:03:58] He says they’re out that money, and they’re very distraught. And the students had no idea. But no, that money is gone. This is not the first time this has happened. This has happened at Penn State, at UC San Diego and other universities as well. In fact, three years ago at the University of Washington, more than 100 students were scammed out of $1 million from this scam.
Dave Bittner: [00:04:19] Wow. So I suppose there’s a veil of legitimacy here. It must look like an up-and-up company. Do you have any insights on how they’re convincing the students that this discount comes to pass?
Joe Carrigan: [00:04:32] I don’t know about that. And the story doesn’t really go into how they convince them that there’s – this discount is legitimate. But the students do see that their tuition has been paid until that transaction gets marked as fraudulent. The university is fine with it. Once that person gets their credit card bill and says, hey, I don’t go to the University of Miami…
Dave Bittner: [00:04:48] Right.
Joe Carrigan: [00:04:48] …They file a fraudulent charge complaint. And the money gets taken back from the university, and then the student is out the money.
Dave Bittner: [00:04:55] I can see from the student’s point of view, they might say, well, what do I have to lose here?
Joe Carrigan: [00:04:59] Right.
Dave Bittner: [00:04:59] Because they’re not asking me to pay them until they’ve paid my tuition.
Joe Carrigan: [00:05:02] Right, exactly.
Dave Bittner: [00:05:03] And once I see that the my tuition has been paid off, I’m in great shape. I’ll send them the money. And everything’s good.
Joe Carrigan: [00:05:09] Yeah.
Dave Bittner: [00:05:10] But it ends up not playing out that way.
Joe Carrigan: [00:05:12] It doesn’t. And it takes about a month for the shoe to drop on this one.
Dave Bittner: [00:05:15] So the victims are out their money. And on top of that, their tuition has not been paid.
Joe Carrigan: [00:05:19] That’s right. Yeah, somebody has essentially stolen these students’ tuition money.
Dave Bittner: [00:05:23] Wow. Tuition ain’t cheap these days (laughter).
Joe Carrigan: [00:05:25] No, it is not. I mean, if you think about this, a hundred students at University of Washington getting scammed out of a million dollars, that’s an average of $10,000 a person.
Dave Bittner: [00:05:34] Wow. All right, well, it’s something to keep an eye out for. Certainly, if you’ve got any friends or family who are attending a university, let them know to be on…
Joe Carrigan: [00:05:45] Right.
Dave Bittner: [00:05:45] …The lookout for these sort of things.
Joe Carrigan: [00:05:46] Yeah, they’re capitalizing on the fact that Chinese students come to America. They may not be great with English language. They’re far from home. And their connection is WeChat. And it’s a very familiar environment to them.
Dave Bittner: [00:05:56] I see. I see. So sort of a trusted thing from back home.
Joe Carrigan: [00:06:01] Right.
Dave Bittner: [00:06:01] So they’ve already got a feeling of – I don’t know – affection or confidence in this.
Joe Carrigan: [00:06:06] Right. They have some kind of affinity for it.
Dave Bittner: [00:06:08] Yeah, affinity. That’s the word I was looking for. Wow. My story this week comes from BleepingComputer. And this is about a new extortion scam taking advantage of Nest video cameras. Now, this starts out like a kind of thing that we’ve described before. And that’s where you get an email that says, I have captured videos of you behaving badly. You know, while you were doing something that you’d be embarrassed for people to see you doing it at your computer…
Joe Carrigan: [00:06:38] Right.
Dave Bittner: [00:06:38] …I took over your webcam. And I have video of you. And if you don’t pay me this money, I’m going to release that video to the rest of the world and all your friends and family, and you’ll be very embarrassed.
Joe Carrigan: [00:06:49] Right. And of course, they always say that, I have hacked into your email as well, and I have all your contacts and…
Dave Bittner: [00:06:54] Right. Yes, they have your…
Joe Carrigan: [00:06:55] …You’re going to get it.
Dave Bittner: [00:06:55] But they have your email address, but they also have your password.
Joe Carrigan: [00:06:58] Right.
Dave Bittner: [00:06:59] And typically, it’s an old password…
Joe Carrigan: [00:07:01] Yep.
Dave Bittner: [00:07:01] …That they’ve taken from one of the big password dumps, one of the big databases that are out there. Well, the bad guys are taking that to the next level. In this scam, it starts out that way, where they say – same sort of email. We’ve got some video of you. And then they send you to a webpage. And when you go to that webpage, that webpage has live video feeds on it of Nest surveillance cameras. Now, it’s not your Nest surveillance camera. It’s just a Nest surveillance camera. And the folks who have been looking at this have seen that the video feeds are actually coming from Nest’s official website. So I guess Nest has some demo cameras up there, and these folks have hacked into that feed or, you know, taken advantage of the public availability of that feed.
Joe Carrigan: [00:07:47] Yeah, I think that’s what they’re doing because those feeds are just, essentially – you can address them with a URL…
Dave Bittner: [00:07:53] Yeah, yeah.
Joe Carrigan: [00:07:53] …And put them in any website.
Dave Bittner: [00:07:54] Exactly.
Joe Carrigan: [00:07:55] Yeah.
Dave Bittner: [00:07:55] Exactly. But what it does is, it lends that extra bit of legitimacy…
Joe Carrigan: [00:08:00] Right.
Dave Bittner: [00:08:00] …To the scam because you go and look at this, and you say, oh, these people are capable of hacking into webcams.
Joe Carrigan: [00:08:07] Right.
Dave Bittner: [00:08:07] Like, they’ve got some webcams right here. And then they ask you to pay the ransom, which can be substantial. In this case, they’re asking for 500 euros in bitcoin or iTunes gift cards, you know, standard sorts of things.
Joe Carrigan: [00:08:22] Right.
Dave Bittner: [00:08:22] But kind of taking it to that next level. They said this has really taken off at the beginning of this year. And they’ve already seen a total of – nearly 1,700 people have been victimized by this this year already.
Joe Carrigan: [00:08:35] And is that 1,700 people who have sent bitcoin to these folks?
Dave Bittner: [00:08:38] No, no. I think the number of emails that have been delivered…
Joe Carrigan: [00:08:41] OK.
Dave Bittner: [00:08:42] …Where people have sort of, you know, been exposed to this, I suppose. I don’t know how many people actually paid. But…
Joe Carrigan: [00:08:48] I’d like to get a bitcoin address. Of course, they could be having one bitcoin address per email they send out. Those are free as well.
Dave Bittner: [00:08:54] Right.
Joe Carrigan: [00:08:54] But it’s easier to manage just one bitcoin address. And this scam strikes me as kind of a lazy scam, right? So I would like to see the bitcoin address because you can look at the bitcoin addresses online on a blockchain explorer and see if anything has been sent to it.
Dave Bittner: [00:09:09] Right, right.
Joe Carrigan: [00:09:10] And see when it was sent to it, actually, too.
Dave Bittner: [00:09:12] Yeah. Yeah, it’s interesting – the evolution of these campaigns and how they grow more sophisticated.
Joe Carrigan: [00:09:18] Yeah.
Dave Bittner: [00:09:19] They try new things that they work. And I don’t have a crystal ball or anything. But I can see, you know, looking towards the future that this sort of increased sophistication is probably something we can expect.
Joe Carrigan: [00:09:29] Right. You know, they’re using these – just the Nest cam demo feeds. That’s also – strikes me as lazy. That could’ve been done better as well. I’m going to get into how it could have been done better. But it sure could have been done better.
Dave Bittner: [00:09:40] Yeah, well, there’s no shortage of unsecured web cameras out there. You go on to like – on Shodan.
Joe Carrigan: [00:09:45] Right.
Dave Bittner: [00:09:45] Look for them there (laughter).
Joe Carrigan: [00:09:46] Yeah, you can look for them on Shodan. There are other search engines as well.
Dave Bittner: [00:09:48] All over. Yeah.
Joe Carrigan: [00:09:50] There are literally thousands of these things around the internet, maybe even tens of thousands, hundreds of thousands.
Dave Bittner: [00:09:56] Yeah.
Joe Carrigan: [00:09:56] Lots of them.
Dave Bittner: [00:09:57] Yeah. All right. Well, that is my story this week. It is time to move on to our Catch of the Day.
0:10:04:(SOUNDBITE OF REELING IN FISHING LINE)
Dave Bittner: [00:10:07] Our Catch of the Day this week comes from The Scambaiters on Twitter. They are @thescambaiters. And that is an account that tracks these sort of things, collects them, shares them with the public for everyone’s benefit. And this one – Joe, this is a good one. I’m going to do my best here. You know, our president of the United States, Donald Trump…
Joe Carrigan: [00:10:25] Yes.
Dave Bittner: [00:10:25] …Of course, he’s kind of busy right now. He’s got a lot going on in his life.
Joe Carrigan: [00:10:28] Yes.
Dave Bittner: [00:10:29] But he’s not too busy to try to be helpful to people all around the world. He’s reaching out personally to people to help them gather money that’s been left on their behalf. Let me just see if I can do this justice.
Joe Carrigan: [00:10:41] I think that’s how he wins elections, Dave, is his…
Dave Bittner: [00:10:42] (Laughter) Gives everybody millions of dollars.
Joe Carrigan: [00:10:46] Right.
Dave Bittner: [00:10:46] All right, let’s see if I can do this justice here.
Dave Bittner: [00:10:49] (Reading) Attention, my due beneficiary is signed by the president, Donald Trump, overdue fund released today. I am Mr. President Donald Trump, and I am writing to inform you about your bank check draft brought by the united embassy from the government of Benin Republican in the White House. Washington, D.C., has been mandated to be delivered to your home address once you reconfirm it with the one we have here with us to avoid wrong delivery of your check draft worth $9 million United States – $9 million USD that was assigned to be delivered to your home address by honorable President Donald Trump, the president of this great country. This week by a delivery agent Mr. Rochas Jesus also reconfirmed your details for the check delivery by filling the form below and send it immediately to our email for verification. You can also contact my phone number with your info. Best wishes, Donald Trump – president.
Joe Carrigan: [00:11:42] (Laughter).
Dave Bittner: [00:11:44] Wow.
Joe Carrigan: [00:11:45] That’s…
Dave Bittner: [00:11:46] Yeah, pretty good, huh?
Joe Carrigan: [00:11:46] This is awesome.
Dave Bittner: [00:11:47] Yeah (laughter).
Joe Carrigan: [00:11:48] I love this.
Dave Bittner: [00:11:49] Oh, boy.
Joe Carrigan: [00:11:52] This is so obviously a scam. I mean, we’ve seen hundreds of these now. Well, actually, now we’ve seen 83 of them.
Joe Carrigan: [00:12:00] But this one, I don’t know who would fall for this, you know.
Dave Bittner: [00:12:04] Well, as we talk about, there’s built-in filtering here. By someone falling for this, you’ve already got a hot one on the line, right? (Laughter).
Joe Carrigan: [00:12:11] Right. Exactly. That is such a great point about all these.
Dave Bittner: [00:12:16] Yeah.
Joe Carrigan: [00:12:16] That the person that falls for it is the exact person that they want.
Dave Bittner: [00:12:20] Yeah. Yeah. All right. Well, it’s a funny one. And – (laughter) oh, boy. All right. Coming up next, we’ve got Part 2 of Carole Theriault’s interview with Jamie Bartlett. He is the host of “The Missing Cryptoqueen.” That’s a BBC podcast about trying to get to the bottom of the OneCoin scam.
Dave Bittner: [00:12:37] But first, a word from our sponsors, KnowBe4. And now we return to our sponsor’s question about forms of social engineering. KnowBe4 will tell you that where there’s human contact, there can be con games. It’s important to build the kind of security culture in which your employees are enabled to make smart security decisions. To do that, they need to recognize phishing emails, of course, but they also need to understand that they can be hooked by voice calls – this is known as vishing – or by SMS texts, which people call smishing. See how your security culture stacks up against KnowBe4’s free test. Get it at knowbe4.com/phishtest. That’s knowbe4.com/phishtest.
Dave Bittner: [00:13:31] And we are back. Joe, we got the second part of Carole Theriault’s two-parter. This was her interview with Jamie Bartlett. He’s host of “The Missing Cryptoqueen” podcast, which you’ve listened to, yes?
Joe Carrigan: [00:13:41] I have, yes.
Dave Bittner: [00:13:42] Yes. Good stuff.
Joe Carrigan: [00:13:43] It is.
Dave Bittner: [00:13:43] And he went to try to get to the bottom of an interesting scam, the OneCoin scam. Here’s Part 2 of Carole Theriault’s interview with Jamie Bartlett.
Carole Theriault: [00:13:52] Welcome to the hotly awaited Part 2 of my interview with Jamie Bartlett, the host and investigator behind “The Missing Cryptoqueen.” If you haven’t heard Part 1, go listen now and then come back. We’ll wait. We kick off Part 2 with me asking Jamie to set the scene. So I asked him to imagine me sitting in a cafe or in a public space, that I was someone who had missed the bitcoin bust. Perhaps I was feeling a little bit disgruntled about that. How would a multi…
Jamie Bartlett: [00:14:22] Multilevel marketer.
Carole Theriault: [00:14:23] Yeah, that’s it – multilevel marketer. How would they actually approach me and make the sale?
Jamie Bartlett: [00:14:31] (Laughter) You know, it’s funny you should say that because the way that we first heard about this story was that the BBC producer was actually approached by a friend of a friend who was basically evangelizing to her about OneCoin.
Carole Theriault: [00:14:44] Oh, wow. So what happened?
Jamie Bartlett: [00:14:45] She was just out with some friends. And like I said, friend of a friend went up to her and said, oh, yeah, yeah, I found this new bitcoin. It’s amazing. It’s called OneCoin. The price is going up. I mean, this is a chance to get rich. And she looked into it a bit and was immediately very suspicious and then found out that the founder was missing. And that was basically how we got involved in this. Assuming you don’t know all the technology behind cryptocurrency, you’re probably going to – someone’s going to approach you and say, you’ve seen Bitcoin. You’ve seen Ethereum. You’ve seen Litecoin. You’ve seen all these new cryptocurrencies bubbling around. This is another one. Don’t worry about the technology behind it. It’s really complicated. But the price is currently $1 to get one OneCoin. And we think that in a year’s time, just like Bitcoin, that price could be up to $100 or $200. This is a – you know, this is really – you’re onto it now. And they’ll always say, ah, I can’t guarantee you’ll make money, just like I couldn’t guarantee with Bitcoin.
Carole Theriault: [00:15:44] (Laughter) It almost adds to the trustworthiness of them, the fact that they say that.
Jamie Bartlett: [00:15:48] Oh, yeah. Exactly. Yeah. And, you know, you would couch your language that way, of course. And then they’ll say, and check this out. Look at the founder, the person behind this. She is the most – get all those weirdos in the cryptocurrency base. This woman is credible. She has a master’s degree from Oxford University. She’s got a Ph.D. in law. And that’s true, by the way. That’s not invented. Look at her. Here’s – one of the things they would also often use is they would show a clip of her doing a big talk at a conference organized by The Economist magazine. Room full of bankers and financial experts, and there she is holding court – The Economist sign under her. And then they would show a photograph of her on the cover of Forbes magazine, which looks really legitimate. But it was actually – when we looked into it, it was a paid advertisement…
Carole Theriault: [00:16:36] (Laughter).
Jamie Bartlett: [00:16:36] …In a Bulgarian version of Forbes magazine and the Bulgarian…
Carole Theriault: [00:16:39] No way.
Jamie Bartlett: [00:16:41] And so the cover – it looks like she’s on the cover. It’s an advert, paid-for advert. But in Bulgarian, it says this is a paid advert. This is a paid-for advert, or this is paid-for content. But who speaks Bulgarian but for Bulgarians, of course?
Carole Theriault: [00:16:57] Yeah. So if I do a search – because that’s true. If I do a search just for Dr. Ruja on my search engine, I see these images. I see images exactly like the ones you’re describing.
Jamie Bartlett: [00:17:08] Exactly. Exactly. So you don’t really understand the tech. But you’ve heard about bitcoin. You’ve read an article about some guy that bought a pizza and sold it for $10,000 or whatever. And you then go online and Google her. And she – and you’ve seen this video of her in The Economist. She’s got a Ph.D., master’s degrees. She’s on the cover of Forbes magazine. And the seller’s saying to you, don’t worry about the tech. Look at Ruja. Isn’t she believable? Can’t you trust this woman? And frankly, I’m not surprised a lot of people believed it because it’s really believable. And a lot of people just thought it’s worth a punt. It’s worth a go.
Carole Theriault: [00:17:42] But to the tunes of billions and billions?
Jamie Bartlett: [00:17:46] Well, billions, yeah, but for each person investing $5,000 or $10,000 or $15,000. And that’s quite important because a lot of people, when they looked at the bitcoin story, they didn’t want to make 10% percent on their investment. They didn’t want to make 20%, which would be an amazing annual return.
Carole Theriault: [00:18:00] Yeah.
Jamie Bartlett: [00:18:00] They wanted to get rich. They wanted that this was the chance, like bitcoin, to transform their lives. And the OneCoin marketers would say, to really change your life, invest between 5,000 and 10,000 euros because that is the amount that in two or three years time could turn into hundreds of thousands. That’s a life-changing amount. And the thing about these cryptocurrencies, you’ve missed the boat with bitcoin. You got to remember, with a lot of ordinary people, the minute that price of a bitcoin got to $100 or $500, they felt like they couldn’t afford to buy many and make a lot of money. So the argument was you have to buy when it’s at the beginning, when it’s $1 or 10 cents. That’s the only way you’re going to get fully rich. So you wrap all that up together, you’ve got a pretty compelling offer.
Carole Theriault: [00:18:46] Yeah, one that has proven to be very successful. Now, has the scam destroyed any lives? Have you met anyone who’s, you know, finances are completely in tatters because of OneCoin?
Jamie Bartlett: [00:18:55] The scam is still on – it’s still rolling. There are still people today buying and selling OneCoin right now. There’s a lot of people who don’t know or don’t believe it’s a scam. I’m coming out with this podcast basically saying to them, all your money’s gone. I’m sorry. This is a scam. And that’s a hard conversation to have, obviously. But, I mean, I’ve been all over meeting people that there’s – me and Georgia, the producer, we went to Uganda, some very small – I mean, the remotest places I’ve ever been at. A village that was right on the border between Uganda, Rwanda and the Democratic Republic of Congo, 10 kilometers off a beaten track, 300 miles away from the city, the capital city of Kampala, where Dr. Ruja is a household name. And like, everyone there seems to have invested in OneCoin. I spoke to one woman who – she’d been working…
Carole Theriault: [00:19:47] Wow.
Jamie Bartlett: [00:19:47] …On her passion fruit plantation for 20 years. And she’d been saving up for a maize store so she could stop working on the farm. And rather than by the maize store, she put all of her money into OneCoin – 3,000 euros, which for her was a fortune. I met someone that had sold his goats. I met someone that had sold his land. I mean, this is happening all over the world.
Carole Theriault: [00:20:17] And did you tell them, look – it’s not real? Did you try?
Jamie Bartlett: [00:20:20] We had such a weird experience, actually. And this is what makes pyramid scams, I think, the most insidious type of financial scam. We were speaking to this woman, and it was the son – really, really good guy called Daniel, who had also invested. The son had persuaded his mother to invest this money into OneCoin rather than by the maize store. And so he’d agreed to be, like, our translator to his mom because his mom didn’t speak a word of English. So we’re sitting there, and I said to Daniel, OK, Daniel, can you ask your mother how does she feel now she knows that OneCoin is a scam? How does she feel now she knows the money’s gone?
Jamie Bartlett: [00:20:58] And he kind of didn’t say anything. And then he looked back, and he said, I haven’t actually told her yet. And I said, what? He said, no, I haven’t – I can’t tell – I haven’t been able to tell her it’s a scam. And then he says to me, now she’s asking me – Jamie, she’s asking me, do you know – do you have news about OneCoin? Is it a scam or not? Tell me. I need to know. I want to know what’s happened to my money. And I was like, what am I supposed to say, Daniel? It’s not my job to tell your mother.
Carole Theriault: [00:21:29] (Laughter) Oh, God.
Jamie Bartlett: [00:21:29] So we kind of came up with a weird sort of holding on to that – like, oh, we’re just investigating. But this is the thing – it destroys relationships because people recruit their friends and family into the scam in good faith. They believe it. They think it’s real. They get their family to invest. When it’s revealed to be a scam, they’ve got to explain to their family that they’ve lost their money. That is – could you imagine that? That’s terrible.
Carole Theriault: [00:21:53] No. It is terrible. And it also makes it really difficult to get a second opinion, right? Because you say, well, I want to ask someone else about this, and you’re asking yet, basically, another marketeer what they think.
Jamie Bartlett: [00:22:04] Yeah. And it’s easier – you know, one of the things I noticed about it was that it was easier to push those difficult questions or doubts you had to the back of your mind. No one wants to admit they’ve been scammed, and they don’t want to admit they’ve scammed other people. So one thing I noticed is that people would have doubts, they would know something was up, but as long as OneCoin produced some excuse or some reason why there was a delay in getting your money back, people would grab on to that and believe it because it was easier than admitting the money was gone.
Carole Theriault: [00:22:36] What are you going to do when you find Dr. Ruja, if you find Dr. Ruja, if she still exists and is alive?
Jamie Bartlett: [00:22:41] There is a possibility she isn’t alive anymore. But I reckon – just my personal estimate is maybe there’s a 30% chance she’s dead. And by the end of the podcast, if anyone listens to it, they’ll see how we worked out where we think she is. She’s probably in one of two or three places. The search kind of continues. The FBI – you know, she’s been charged in absentia by the Department of Justice in the U.S. for wire fraud, money laundering, securities fraud and I think – and also bank fraud. We’re not the only ones looking for her (laughter). I mean, the FBI is looking for her as well. And I thought, if we did find out, well, firstly, it’d probably involve me chasing her down the street with a microphone because I doubt she would talk to us.
Jamie Bartlett: [00:23:27] Although you never know. She’s apparently – she’s such an interesting woman. Like, she’s so brazen. You know, she goes up onto the stage and talks about the financial revolution in front of thousands of people knowing it’s not real.
Carole Theriault: [00:23:39] Yeah.
Jamie Bartlett: [00:23:40] I mean, the courage required – so who knows? Maybe she’ll phone me out of the blue. I sometimes think she might turn up at my house just to play with my mind, you know. But if I do find her, there is one question above all I just want from her, which is – I don’t think she ever thought it would get this big. That’s my theory. I think she thought this would be a relatively small, standard scam where – I know this is a horrible way of saying it – but, you know, $10 million or something, like an – you remember, there was a lot of ICO, initial coin offering, scams, where cryptocurrencies would come and go. People would invest a bit of money. It would collapse. Nothing really happened because it wasn’t a huge amount of money. And I think she thought it was going to be that. We can make 10 million euros disappear. Everyone will forget about it, and we’ll be back again. But because of this multilevel marketing aspect, because it was so perfectly done, brilliantly executed, she was so compelling, it just grew so quickly that she couldn’t control it. And before she knew it, she woke up and it was a billion euros, then it was 2 billion, then it was 4 billion. And at that point, you’re trapped.
Carole Theriault: [00:24:46] Jamie, I so hope you find her and are able to ask that question to her directly.
Jamie Bartlett: [00:24:51] I’ll be back on the show if I do.
Carole Theriault: [00:24:55] Brilliant.
Carole Theriault: [00:24:55] Jamie Bartlett, podcast host behind “The Missing Cryptoqueen,” a BBC podcast. If you haven’t heard it already, may I recommend very highly that you listen to it now. This was Carole Theriault for “Hacking Humans.”
Dave Bittner: [00:25:09] All right, Joe. Ooh, boy (laughter).
Joe Carrigan: [00:25:12] Yeah.
Dave Bittner: [00:25:13] It’s a lot here.
Joe Carrigan: [00:25:14] It is a lot. It breaks my heart to hear about the woman in Uganda who has given up $3,000 of her life savings, that she was going to buy a store so she could get out of the fields.
Dave Bittner: [00:25:24] Right.
Joe Carrigan: [00:25:25] It’s heartbreaking.
Dave Bittner: [00:25:26] Yep.
Joe Carrigan: [00:25:26] There’s an interesting thing that Jamie says in here – that no one wants to admit that they were scammed.
Dave Bittner: [00:25:31] Yeah.
Joe Carrigan: [00:25:31] Which is common.
Dave Bittner: [00:25:33] Yeah.
Joe Carrigan: [00:25:33] Or admit that they have scammed others, right? That has got to be hard. It’s hard to admit that you’ve been scammed. We’ve seen that a lot. But can you imagine getting duped into something and then unwittingly duping other people into it? That would be…
Dave Bittner: [00:25:46] And your family. And your family, yeah.
Joe Carrigan: [00:25:49] And your family. Yeah, these are your family and your friends, your closest relationships, right? I can’t imagine this. It would be horrible for me if I had done something like this.
Dave Bittner: [00:25:56] Yeah.
Joe Carrigan: [00:25:56] I want to talk about blockchains for a minute.
Dave Bittner: [00:25:58] OK.
Joe Carrigan: [00:25:59] I kind of touched on it last week. In order to understand how blockchains work, you have to understand how a hashing algorithm works.
Dave Bittner: [00:26:04] OK.
Joe Carrigan: [00:26:05] And a hashing algorithm is very simple concept, right? I take some input. It doesn’t matter how big it is or whatever it is. But it puts out a – what’s called digest or a hash of a specific length.
Dave Bittner: [00:26:16] OK.
Joe Carrigan: [00:26:17] And if I change that input a little bit, that hash will change immensely.
Dave Bittner: [00:26:21] OK.
Joe Carrigan: [00:26:22] And it should be very difficult to get from the hash back to the input.
Dave Bittner: [00:26:26] I see.
Joe Carrigan: [00:26:26] And it should be very difficult to find two inputs that have the same hash.
Dave Bittner: [00:26:30] All right.
Joe Carrigan: [00:26:30] That’s what makes a good hash. Those are the three factors. The change – it’s difficult to reverse engineer. It’s difficult to find a collision.
Dave Bittner: [00:26:35] OK.
Joe Carrigan: [00:26:36] A block is just a list of transactions. And then there is a random number in the block called a Nots.
Dave Bittner: [00:26:43] OK.
Joe Carrigan: [00:26:44] Which is just from – for now. And what happens is I’m going to hash that block, and then I’m going to – maybe there’s some kind of restriction on what that hash is, how low that hash has to be. That’s how they maintain the timing of these blockchains, these public blockchains. But what it means is – because that hash is so difficult to find a collision for, that I have a very long public record of everything that has ever happened on the blockchain.
Dave Bittner: [00:27:10] Yeah. And that’s kind of the point here, right?
Joe Carrigan: [00:27:12] That’s the point.
Dave Bittner: [00:27:13] Yeah.
Joe Carrigan: [00:27:13] Right.
Dave Bittner: [00:27:13] Yeah.
Joe Carrigan: [00:27:13] And because everybody’s working to solve for the hash in the blockchain network, then I have something called consensus, right? And I’m doing this at a very high level. There’s a much lower, more deeper way to get into this. But just understand, as long as – like I said last week, as long as 50% percent of the nodes in the network are honest nodes or 50% percent of the power, the hashing power, in the network is honest hashing power, then you can trust the network to have good consensus.
Dave Bittner: [00:27:39] OK. Well, bring it home for us.
Joe Carrigan: [00:27:41] So…
Dave Bittner: [00:27:41] I mean, how does that relate to what – to this story?
Joe Carrigan: [00:27:44] It’s very important you understand that because that’s the foundation of cryptocurrencies, right?
Dave Bittner: [00:27:47] OK.
Joe Carrigan: [00:27:48] There’s always a public blockchain that everybody can trust. And one of the problems with OneCoin is that there is no public blockchain. There’s a blockchain, but you can’t see it.
Dave Bittner: [00:27:59] Oh. So…
Joe Carrigan: [00:27:59] Right.
Dave Bittner: [00:27:59] …There might as well not be one.
Joe Carrigan: [00:28:01] Right. Exactly.
Dave Bittner: [00:28:01] And is that the point here, that there’s nothing behind the…
Joe Carrigan: [00:28:05] The…
Dave Bittner: [00:28:05] …Behind the man behind the curtain?
Joe Carrigan: [00:28:06] Right.
Dave Bittner: [00:28:06] There’s nothing actually there?
Joe Carrigan: [00:28:08] That’s correct.
Dave Bittner: [00:28:09] I see.
Joe Carrigan: [00:28:09] And that’s kind of my point going into all this – because blockchain is designed as a publicly available database. When someone says we have a cryptocurrency based on a private blockchain, that’s a nonstarter.
Dave Bittner: [00:28:21] I see.
Joe Carrigan: [00:28:21] OK? That should be a nonstarter for anybody. But that’s a very technical thing to understand.
Dave Bittner: [00:28:26] Right. I totally imagine someone saying, there’s a lot of technical stuff behind here, a lot of hand-wave-y (ph) stuff.
Joe Carrigan: [00:28:31] Right.
Dave Bittner: [00:28:31] Don’t worry yourself with all the technical.
Joe Carrigan: [00:28:34] Right.
Dave Bittner: [00:28:34] All you need to know is we’re all going to get rich.
Joe Carrigan: [00:28:36] Right. Exactly (laughter).
Dave Bittner: [00:28:37] Yeah.
Joe Carrigan: [00:28:38] Now, there’s a reason I just gave that overview of blockchain and how it works.
Dave Bittner: [00:28:41] OK.
Joe Carrigan: [00:28:42] If you’re out there and you’re thinking, I have no idea what Joe’s talking about. What’s he saying?
Dave Bittner: [00:28:47] Yeah.
Joe Carrigan: [00:28:47] What’s he…
Dave Bittner: [00:28:48] It’s a feeling I have almost every week on this show.
Joe Carrigan: [00:28:49] Right.
Dave Bittner: [00:28:49] Go on.
Joe Carrigan: [00:28:53] But that’s the feeling that they capitalize on.
Dave Bittner: [00:28:56] Yeah.
Joe Carrigan: [00:28:56] And then you’re exactly right, Dave. They say don’t worry about it; you’re just going to get rich. And it’s never that simple.
Dave Bittner: [00:29:03] Yeah.
Joe Carrigan: [00:29:03] It’s never that simple.
Dave Bittner: [00:29:06] Yeah. Like you say, it’s heartbreaking.
Joe Carrigan: [00:29:08] It is.
Dave Bittner: [00:29:08] And the other part that fascinates me is the possibility that this spun out of control.
Joe Carrigan: [00:29:13] Yeah.
Dave Bittner: [00:29:13] That this was conceived as a contained scam, a get-rich-quick scheme for someone and – we’ll do our thing. We’ll take the money and run, and off we go.
Joe Carrigan: [00:29:25] Right.
Dave Bittner: [00:29:25] But it spun so out of control that, like Jamie said, this woman is trapped.
Joe Carrigan: [00:29:31] Right.
Dave Bittner: [00:29:32] She’s caged in now.
Joe Carrigan: [00:29:33] I don’t know that she’s dead.
Dave Bittner: [00:29:35] Yeah.
Joe Carrigan: [00:29:35] My suspicion is that she is not dead. I base that suspicion on the sheer volume of money she must have. You know, when you have a billion dollars, that’s a lot of money. This scam has taken people for – what did he say? – $15 billion? I don’t know if that’s how much Ignatova has.
Dave Bittner: [00:29:52] Yeah.
Joe Carrigan: [00:29:52] But she has a couple billion, right?
Dave Bittner: [00:29:55] Right.
Joe Carrigan: [00:29:55] So, you know, with that kind of money, you don’t have very many problems when it comes to getting whacked, you know.
Dave Bittner: [00:30:02] Yeah. Sorry, I thought you were going to say that you think she may be alive because just last week, you heard from her…
Joe Carrigan: [00:30:07] No.
Dave Bittner: [00:30:07] …And with an investment opportunity.
Joe Carrigan: [00:30:08] Right.
Joe Carrigan: [00:30:09] No. I’m not going to say that, Dave.
Dave Bittner: [00:30:11] You’re not going to be rich (laughter). All right. Well, as always, thanks to Carole Theriault for bringing us this story. Really interesting interview. Thanks to Jamie Bartlett for taking the time for us. And we want to thank all of you for listening.
Dave Bittner: [00:30:25] And of course, thanks to our sponsors, KnowBe4. They are the social engineering experts and the pioneers of new-school security awareness training. Be sure to take advantage of their free phishing test, which you can order up at knowbe4.com/phishtest. Think of KnowBe4 for your security training.
Dave Bittner: [00:30:40] We want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu.
Dave Bittner: [00:30:47] The “Hacking Humans” podcast is proudly produced in Maryland at the startup studios of DataTribe, where they’re co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I’m Dave Bittner.
Joe Carrigan: [00:31:01] And I’m Joe Carrigan.
Dave Bittner: [00:31:02] Thanks for listening.
Copyright © 2020 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.