Hacking With Sebastien Raoult From ShinyHunters – Act 1: The French Connection

Join me to hear about how three Frenchmen from the ShinyHunters hacking group hacked over 60 companies to take home some “good booty”. This is eCrimeBytes Season 3 Episode 3 – Hacking With Sebastien Raoult From ShinyHunters – Act 1: The French Connection.

Sources:

• https://www.justice.gov/usao-wdwa/pr/member-notorious-international-hacking-crew-sentenced-prison
• https://www.courtlistener.com/docket/66762522/united-states-v-bildstein/
• https://www.leparisien.fr/faits-divers/la-hacker-francais-sebastien-raoult-condamne-a-3-ans-de-prison-et-5-millions-de-dollars-damende-aux-etats-unis-09-01-2024-7LWKBCB63BFVXN3DNSQPBFCCU4.php (Photo)
• https://www.moroccoworldnews.com/2023/01/353716/cybercrime-morocco-extradites-sebastien-raoult-to-us (Photo)
• https://www.vosgesmatin.fr/faits-divers-justice/2024/01/09/cybercriminalite-juge-aux-usa-sebastien-raoult-est-condamne-a-trois-ans-de-prison (Photo)
• https://france3-regions.francetvinfo.fr/grand-est/vosges/epinal/temoignage-le-hackeur-vosgien-sebastien-raoult-bientot-fixe-sur-son-sort-aux-etats-unis-son-pere-temoigne-2899889.html (Photo)
• https://cybersecuritynews.com/hacker-from-shinyhunters-group/

Transcript:

00:00:10:00 – 00:00:33:32
Keith
What’s up, you crazy bastards. Welcome to another week of eCrimeBytes. This is where I research the court documentation and roast the criminals so you don’t have to. This week, it’s season three, episode three. We’re going to be talking about a hacking group called ShinyHunters, and specifically, one person from that group Sebastien Raoult was caught and tried.

00:00:33:36 – 00:01:06:53
Keith
So we’re going to talk about that. So Sebastien Raoult. He goes online by a moniker called Sezyo Kaizen. And Sebastien’s about 20 years old. That’s the individual that’s caught. There’s two coconspirators as part of this group. There’s Gabriele Buildstein. Gabriele goes online as Kuroi spelled K u r o i or also goes online is Gnostic players Gnostic spelled g n o s t

00:01:06:53 – 00:01:37:14
Keith
i c. And then their last coconspirator is Abdel-Hakim El Ahmadi. That’s his name. And he goes online as Zac. I mean, you would have to with a name like that, right? You don’t want something really complicated and you got to go with Zac or a.k.a. Jordan Keso. All right. Kind of random, right? So the crime in this episode that I’m going to bring you is conspiracy to commit computer fraud and abuse.

00:01:37:25 – 00:02:04:19
Keith
That’s the main crime here. There’s also conspiracy plus wire fraud involved and there’s some aggravated ID theft. It all kind of wraps up into that computer fraud and abuse. The victims here. It depends on who you ask. Okay. I saw in the paperwork that that could be 60 plus US companies. So there’s at least 60 U.S. companies. And who knows how many foreign companies that U.S. authorities can’t investigate.

00:02:04:19 – 00:02:30:13
Keith
So they didn’t tally. They said there were over 650 user accounts involved and ShinyHunters themselves, they said they claimed at least 120 million plus customer records that they had stolen. So it really depends on who you ask on how big this crime is. The technology here is going to be phishing. Now, if you’re confused by the word phishing, don’t worry.

00:02:30:17 – 00:02:57:24
Keith
I got some graphics coming up that’s going to explain this whole process for you. If you do know what it is, then, hey, we’re on the same page. That’s that’s how they compromise individuals in this case and eventually get their hands on a lot of information. So I picked this case because it was international. I’ve picked a lot of domestic United States cases, and this is one that I could pick where the attackers from were from overseas.

00:02:57:24 – 00:03:14:07
Keith
And there’s a couple of very interesting wrinkles in the case here because they’re overseas. So you want to stick with me and I’ll explain those in a minute. So with that, let me just go ahead and get into Act One. This is the one I’m calling the French Connection. Okay.

00:03:14:07 – 00:03:34:12
Keith
So Sebastien Raoult spelled raoult a.k.a Sezyo Kaizen and I’ll spell it once for you it’s s e z y o space k a i z e n he he is of this group ShinyHunters.

00:03:34:16 – 00:03:52:32
Keith
Okay. He is the individual I have on your screen right now. So I did some research and I tried to find some profile pictures and it looks like this is what he posted on his social media. So I’m just going to show you a flavor. This is probably the most used picture that I saw out there when I was doing my research, which is just him doing a selfie and he’s got a long hair.

00:03:52:32 – 00:04:01:00
Keith
So if you stuck with me a few episodes ago, we did a lot of gentlemen with long hair. We’re back to a long hair criminal again.

00:04:01:00 – 00:04:12:05
Keith
Not always, because now I have three other pictures and I think the picture with the short hair may have been taken earlier in his life. Kind of almost looks like he’s at school or something there.

00:04:12:10 – 00:04:34:13
Keith
The other two pictures on the right hand side that I have for you are just all of these are undated, but those look like same era of the first picture that I showed you. So these four pictures, these are the ones that show up over and over and over when I did my research on Sebastien. So what did Sebastien do for the group

00:04:34:13 – 00:05:04:30
Keith
ShinyHunters. According to the government, he developed source code and fishing websites. Okay, so what does this mean? Okay, source code I’ll address right now, because this one’s easy. Source code is the it’s basically you write text. And you run it through this compiler and it turns it into an application on a computer. So you can imagine your web browser right at one point existed as source code.

00:05:04:30 – 00:05:23:46
Keith
There was a programmer that wrote something that said make a screen that looks like this in computer terms, and then they run it through a compiler. And when that happens, it eventually makes an application that you get to know as your web browser, your web browser there. So in this case, Sebastien, he developed code like this for hacking tools.

00:05:23:46 – 00:05:47:10
Keith
So he would write source code for different tools that would do different things that I’ll explain as the case go along, goes along. Phishing, hold on a second. I got a few graphics that I’ll explain in a second here. So he did both of these for the group ShinyHunters. Now, ShinyHunters wasn’t just Sebastien, it was at least the three individuals that I told you about at the beginning.

00:05:47:15 – 00:06:09:39
Keith
They like in other episodes I’ve told you, usually when you have multiple people, you have roles that people will fulfill doing different things. And Sebastien’s role was developing the source code and making these phishing websites, and the other two gentlemen’s roles were different. I didn’t want to get into them too deeply because I don’t have documentation saying they actually did it.

00:06:09:44 – 00:06:42:54
Keith
I’ll explain a little more of that in a minute. You just stick with me. So ShinyHunters is a group that Sebastien belongs to and their hacking group. And they started in 2020 and they marketed hacked data from more than 60 companies in that were located in the United States. So what that means is they would go hack data from companies, then take that stolen data and go on these forums and then post it for a profit.

00:06:42:54 – 00:07:05:32
Keith
They’ll say, Hey, a million customer records for X amount of dollars on a forum, and then you would have some illicit buyer that would say, Hey, here’s some money, would give me those million records, and then that person would take the million records and probably try to make some kind of money off them by making credit cards or doing some kind of fraud.

00:07:05:37 – 00:07:37:19
Keith
So in the grand scheme of things, they were the ones that broke into places, stole the information, and then offered that stolen information for sale. So some of the things that ShinyHunters had to do to trick their victims, well, there was this thing called phishing. And if you don’t know what it is, it’s spelled with a p h p h i s h i n g and it’s that if you’re just jumping in here and you’re not a computer person, don’t worry.

00:07:37:19 – 00:07:58:33
Keith
I’m trying to explain this stuff to you. It’s not a rod and reel. It’s basically sending out real ish looking emails to individuals from established. It looks like it comes from established companies, but they come from the attacker and then the end user, which is the victim, would typically click on it. It looks like it would be that realistic company.

00:07:58:33 – 00:08:20:18
Keith
They would type in their username and password and their login credentials would be stolen by the attacker and you get the picture. The attacker then go use their username and password at the real site and then have access to their victim’s funds or whatever it is that site provides. This is what they did generally as a group according to the government.

00:08:20:23 – 00:08:52:08
Keith
Now they would go and register these phishing domains and to make them look real. So for instance, if you had an eBay, like there’s a real eBay that came out there. Right. And if you try to make it look like an eBay company, you might make it look a little different. Right. So maybe you misspell eBay, maybe you have two A’s instead of one and it’s E B A A Y, and the people that see it don’t really think much about it.

00:08:52:08 – 00:09:13:22
Keith
They just kind of their mind does a little word complete. It looks like eBay and they type in their username and password and then they have the eBay username and password for that victim. So to get that process started, the attacking group has to register those false looking domains that kind of looks like the real domain that they’re tricking their users into.

00:09:13:37 – 00:09:45:28
Keith
And they registered a bunch of them and the court documentation outlined them. There was like provider one, provider two, provider three, and they didn’t give the victim names, they just gave them labels like that to keep the victim anonymous. So what would happen is ShinyHunters would make these phishing emails and they would phish certain individuals, but they wouldn’t just, you know, fire at the general population.

00:09:45:28 – 00:10:19:04
Keith
They were very smart in who they targeted so they would target IT people and technical people inside corporations. Ones that would have great access in those corporations. So you can imagine like somebody that works for ebay, right? Maybe a system administrator if you were to target them and get them to do that whole phishing email compromise, you may get usernames and passwords of that very powerful user in that corporation to their resources.

00:10:19:09 – 00:10:46:18
Keith
And if their resources are things like GitHub or GitLab, which are cloud providers that hold source code, which is the crown jewels for places like eBay, because their source code is their website, kind of a big deal, right? Okay. So if you’re not followin me I got some pictures I’ll I’ll show you in a second. So, again, they were very smart in how they targeted their individuals.

00:10:46:23 – 00:11:11:44
Keith
They didn’t even they didn’t even go out there and do the what the human legwork of finding these individuals by by visually looking at all the LinkedIn profiles. They wrote computer programs to go out there and do it in bulk. So that way it might take me, Keith, let’s say an hour to find a good target if I search through LinkedIn.

00:11:11:49 – 00:11:29:30
Keith
But if I write a program to look for certain things, maybe in a couple of minutes I’ll have a thousand targets that then I can then look at those thousand and go, Hey, these ten targets are the best targets. And I get started right away. That’s what I’m saying here is they wrote computer programs to make that process really efficient.

00:11:29:32 – 00:11:32:20
Keith
So they were really on their game.

00:11:32:20 – 00:11:48:46
Keith
Now what I’m going to do is I’m put an image on your screen right now. This is the I’m going to explain what phishing is. Okay? This is the first step in a phishing compromise. Let me explain some things to you first. You you’re the circle down there kind of the shaded green.

00:11:48:46 – 00:12:10:52
Keith
Okay. This is your perspective. The green is the nice, the good guy part of this whole scenario. You’ve got some real company out there. Let’s just say it’s GitHub, okay? And if you’re not familiar with GitHub, they hold source code for their users and a lot of times their users are corporations, and corporations have a lot of money.

00:12:10:52 – 00:12:35:10
Keith
So if you can compromise a corporation’s GitHub account and you could steal their source code, you could potentially bribe them or something like that and make some money out of it. So what you can imagine is on the upper right hand corner, you have some real company like GitHub that this phishing criminal wants to pretend that they are.

00:12:35:15 – 00:12:57:41
Keith
So what they’re trying to do is they’re trying to make it pretend like this real company is sending you an email that looks legitimate. So this green arrow says this looks like a real email to your perspective. Now, what’s really happening behind the scenes is the the phisher over on the left hand side in the triangle and you see the is actually sending you a phishing email.

00:12:57:46 – 00:13:26:59
Keith
So to you it might look like a real email, but behind the scenes it’s actually coming from somebody else. And it’s got it’s, it’s not actually real. It’s sending you to URLs that aren’t really the company’s website and things like that. So now putting the next slide on the screen for you and you can see I have a couple of things and I took away a few things, so I took away the the email arrows here and now we are into the user making a connection.

00:13:26:59 – 00:13:49:15
Keith
Okay. So you can imagine at this point, a user has received an email that they think is legitimate from this company, but actually came from the phisher that says something like, Hey, you got to log in to your account to fix some detail or otherwise your account will be frozen. People a lot of times will freak out my God, I got a log in and go do that.

00:13:49:19 – 00:14:10:28
Keith
They click on a button. They’re not thinking because they’re thinking, I got to go fix my account. And when they click on that button, it goes to the phisher’s website instead of the real company’s website. So you think you’re going to something like, geez, what was my example, GitHub? And you’re actually going to a phishing website that kind of looks like GitHub.

00:14:10:28 – 00:14:30:25
Keith
You think you’re going to GitHub because the the location looks real in your menu bar and all the graphics look real, but it’s actually being controlled by the phisher and that’s why I put the little smiling emoji down there. And you’re probably like, Keith, why? Why is your emoji winking at me? And I’m going to tell you I’m going to set things straight.

00:14:30:25 – 00:14:57:57
Keith
Right now. He’s actually not winking at you. Our emoji is so fucking hardcore that our emoji has a teardrop tattoo. That’s the only way. That’s the only way I could represent it was it looks like he’s winking, but he has a teardrop tattoo because he is really, ShinyHunters they are hardcore. All right, so the last slide I’m going to put on the screen for you here, this is what happens next.

00:14:57:57 – 00:15:27:53
Keith
So you can imagine as a user, you think you’re putting your username and passwords into the real website, but it’s going into the hacker’s website, so they’re getting your username and password, your legitimate username and password. So then when they have it just behind the scenes, they go log into GitHub and now anything that you had access to at GitHub they now have access to because they just phished your login credentials.

00:15:27:53 – 00:15:55:08
Keith
So that’s how that whole attack works. And that is how ShinyHunters mainly got, you know, they compromised and got the the data that they got in this case, according to the court documentation. Now, if you’re a security person or even if you’re not a security person, you’ve heard of this thing called multi-factor authentication or two factor authentication, that’s when you use a username and password.

00:15:55:08 – 00:16:13:21
Keith
But a lot of times you will have some application on your phone that’ll either pop up or it’ll give you a code that you have to put into the website. Well, guess what they thought ahead. They dealt with that too. So whenever there was two factor authentication that would typically pop up on somebody’s phone, they’d be ready for it.

00:16:13:26 – 00:16:39:27
Keith
And they had the fake web pages and everything that made it look like you were putting your second factor authentication into the legitimate site. And really it was just kind of going through their phishing website and they were still able to get into two factor authenticated protected accounts. Okay. So that’s kind of mind blowing, right? They’re able to get into accounts that were they had a higher level of protection on them.

00:16:39:31 – 00:17:09:24
Keith
Now I’m going to stop here and say don’t let that deter you from putting multi-factor authentication on your accounts. You should still have it on your accounts. What I’m saying is, is the attack is sophisticated enough that they developed a mechanism to deal with this security roadblock, that security out in their way. Okay. So what would happen at this point?

00:17:09:36 – 00:17:29:03
Keith
They’re in some kind of resource. So they’ve broke into a company using phishing technique and now they have access to GitHub or maybe the company’s website or something like that. So a lot of times what they would do is they would deface the resource that they broke into, like the website.

00:17:29:03 – 00:17:33:44
Keith
And here’s a picture that the court paperwork showed of a defacement that they did.

00:17:33:49 – 00:17:55:39
Keith
It’s kind of a guy in a fighting stance. This is hacked by ShinyHunters and it has some computer kind of stuff in the middle there showing you a UID equals zero, GID equals zero, which is in Unix terms root, which is the super user. And then, well, actually says groups woot. That’s a hacker term, not a computer, not a UNIX term.

00:17:55:44 – 00:18:03:59
Keith
And then it says the bighter they shine the darker the shadow grows. And then they have a link to their Twitter page, which I will show you a little later

00:18:03:59 – 00:18:16:45
Keith
on. So that’s one thing they would do if they broke in. They wouldn’t always do that. Other times they would steal personally identifiable information from customers of that victim.

00:18:16:54 – 00:18:44:13
Keith
So you can imagine maybe they break into like a stock trading place. They would steal the stock trading account, financial information, or they might break into a place that has a database of personally identifiable information. And they would strip out that database and take it back. There’s, you know, a ton of different ways they can get the PII, but when they get in there, their number one goal is getting things like PII out of there so they can monetize it.

00:18:44:17 – 00:19:05:50
Keith
Now, one of the things they would do once they have this personal information is they would go to other well-known websites and do this process that’s called credential stuffing, which is, hey, I know usernames and passwords of maybe website A for Keith Jones. I know Keith Jones might be on a website B, but I don’t know his username and password there.

00:19:05:55 – 00:19:33:13
Keith
Let me try to reuse his username and password from website A over at website B and see if he reuses them as well. And you would not believe how many times people actually reuse that in that username and password. So this is a very common technique that hackers use in order to access or branch out into more accounts or make a person more of a victim than just that one account.

00:19:33:18 – 00:19:47:10
Keith
Now, when they break in and steal this personally identifiable information, they would need to monetize it. We’ve talked about this in prior episodes, but there are forums out there that people can post this type of information to for profit.

00:19:47:10 – 00:19:55:09
Keith
One of the forums was called RaidForums, and I have a picture on your screen now of one of the postings, and I know it’s really hard to read.

00:19:55:09 – 00:20:10:01
Keith
The court documentation is really grainy. I apologize. This isn’t something I did. This is just the best resolution I could get out of it. So you can see here, this is sort of the whole posting. But what I’m going to do is I’m going to zoom in on the important

00:20:10:01 – 00:20:16:06
Keith
stuff. So now this screenshot shows you just the tidbits from the message we care about.

00:20:16:11 – 00:20:37:56
Keith
And you can see it says, Hey dear RaidForums community. Here is a bunch of databases we’ve broken into and we only sell things that we’ve broken into ourselves. And then because it’s court paperwork, there’s a ton of redactions of all the victims names. So you can’t even see who they are. But you can imagine they’re probably real company names there.

00:20:38:01 – 00:21:10:27
Keith
And then it lists how many victims they got out of each one. And there’s things in here that say like 48 million plus 10 million plain text. So I would guess that would mean 48 million accounts, but 10 million of them are in plain text passwords, which means you could probably get in pretty easily. Other ones just say things like 28 million and then other ones say users and technologies tables, which doesn’t tell you much unless maybe, you know who the victim is.

00:21:10:32 – 00:21:37:41
Keith
So there’s a listing of at least I’d say, 20-25 victims in this one message on RaidForums. And then they give a sample to show they’re not kidding around. They’ve got the goods. They posted a sample so you can look at this and go, No shit, They’ve broken into this. Now, one of the two things I found interesting was one is they had a Twitter presence I told you about, and I’ll show you that in a minute.

00:21:37:45 – 00:22:02:26
Keith
But the other was they have an email address. So I highlighted it here that this is not part of the message. I highlighted the box here and it’s just ShinyHunters at X M P P dot JP. And just offhand, I’m not even familiar with that domain. I don’t see that quite often, but it may people may use it for things like this where they try to stay anonymous.

00:22:02:26 – 00:22:04:07
Keith
I’ll have to do a little more research into that

00:22:04:07 – 00:22:33:00
Keith
domain. Now what I’m going to do is I’m going to pop on a conversation and your screen from the court documentation because I thought, this is interesting. This victim, Sebastien, is talking about with his coconspirators. And this victim is a fitness and diet company. And I just thought it was an interesting chat where he basically he’s talking with somebody else and he says, how many users on this victim’s network do you have?

00:22:33:04 – 00:22:50:19
Keith
And he says, go dump, I can find private individuals for you who will be willing to buy it to steal a credit card of an overweight family man. Hey, I’m way I know it’s on the screen and you can’t see me right now, but I’m re I’m raising my hand on the overweight family man. This guy, he’s talking about me.

00:22:50:24 – 00:23:12:01
Keith
I’m the victim in this case. Okay, So Sebastien goes out and he says, Nobody gives a damn as long as they have the money. Well, if there are 3 million, that will sell for $3,000. Now, to me, that seemed kind of cheap for 3 million people. But I’m not an attacker. I don’t do a lot of analysis financially and what they get per person.

00:23:12:01 – 00:23:19:46
Keith
But $3,000 for 3 million people seems like not enough money. But that’s just my gut

00:23:19:46 – 00:23:41:05
Keith
reaction. Okay, so ShinyHunters, you can imagine ShinyHunters, they did their phishing that worked. They have internal company access to all these different companies, 60 plus companies around the United States. In some instances, they had their source code. So it’s bigger than having company access.

00:23:41:05 – 00:24:19:39
Keith
They had basically products in their hands. They had, you know, very sensitive things like API key access. And if you’re not a computer nerd like me and that means nothing, don’t worry, it just more keys to the kingdom type of phrasing. They had access to victim cloud resources, which means if they hacked into a victim like, you know, Company A and they had databases and things like that in Amazon Cloud, they would then break into Amazon Cloud and own their data in Amazon Cloud too.

00:24:19:39 – 00:24:52:56
Keith
So it didn’t just exist at the company’s network where their compromise would happen. They’re also known to clone databases, meaning if they found a database, they would just take it all. And then you can imagine this happening to at least 60 companies. That’s a lot of companies that if you take 60 companies and you multiply it, you know, thousands and tens of thousands, maybe millions of victims each company might pull data for, the size of this crime gets immense very quickly.

00:24:53:11 – 00:25:22:04
Keith
So some of the different types of victims, they didn’t name them, but here’s some of the industries. They were in a video game company. There was a clothing company, there was a stock trading company, there was a fitness and diet company. The company industry didn’t seem to matter. They would just target somebody that was available, that had the right everything had to come together right where the phishing email would work and they would have to get the right access inside the company in order to become a victim.

00:25:22:09 – 00:25:50:17
Keith
So later on, law enforcement had evidence they basically well they busted Sebastien. So they had his phone and stuff which had chats from common Internet chat tools like Discord. Now usually I show you these chats and usually I read you these chats. I can’t in this case, because these people are from France. So all three individuals from France, so they all speak in French.

00:25:50:17 – 00:26:09:07
Keith
And it’s just all it’s if I read it, I would murder it. And I will just paraphrase things from now on for you. But this shows up in the court record as evidence in French. A lot of times the important ones are translated if you’re interested.

00:26:09:07 – 00:26:29:04
Keith
Okay, So what I’m putting on the screen now is a little snippet out of the court documentation where they talked about the individuals in ShinyHunters, the three Frenchmen talking to each other on these chat servers, and they were talking about the possible profit or as they referred to it, quote unquote, good booty.

00:26:29:09 – 00:26:50:06
Keith
And I had to pause there for a minute and I just thought, my dear, dear French brothers… in America, in America, good booty means something completely different than it does in France, apparently. But to them, good booty means I broke in and I stole a bunch of shit from a victim

00:26:50:06 – 00:26:57:39
Keith
company. Okay, So ShinyHunters, they maintain accounts on the dark web forums.

00:26:57:39 – 00:27:19:44
Keith
Like I said, like RaidForums. There were other ones. So there was another forum called Exploit, which I’m not familiar with. And then there’s another forum they mentioned called EmpireMarket, which I’m also not all that familiar with. RaidForums has been in the news because it’s been shut down a couple of times. So ShinyHunters, they would post hacked data for sale in these forums.

00:27:19:49 – 00:27:48:22
Keith
They would sometimes sell the same data to multiple buyers. So if you were a bad guy buying this data, you didn’t have any assurance that you were the only person buying this data. So in some cases they would sell the data multiple times and they the law enforcement would track that one data set were sold 13 times for $5,000, which ended up being $65,000 at the end of the day.

00:27:48:27 – 00:28:21:53
Keith
So you could see if they sold to one person, they’d get $5,000. But really they went to 13 individuals and got 65,000 at the end of the day, which is a huge return. So $5,000 that tended to be around the going rate that I saw in this case. Now, somewhere in there there was a turn where ShinyHunters figured out it was more profitable to try to blackmail the victims first so they would try to blackmail the victims and say, Hey, we have all your shit that’s important.

00:28:21:53 – 00:28:45:16
Keith
Like all your source code and access everywhere. Pay us money and we will go away. Well law enforcement confirmed that they figured out at least $425,000 worth of ransom worked. Worked meaning it got to ShinyHunters accounts according to the documentation that I read. Unbelievable. Right.

00:28:45:16 – 00:28:51:40
Keith
So I’m going to pop on a ransom email from this group and you can’t see who the victim is.

00:28:51:40 – 00:29:12:49
Keith
They blocked that out. But I’ll read it to you. This is Shiny Corp at protonmail that com. And if you join us, Protonmail is one of those services that people use to make it more difficult to trace back who sent the email because it’s located in a different country and you know, there’s encryption involved and there’s it’s just more difficult than Gmail.

00:29:12:49 – 00:29:39:11
Keith
Just take my word on it. So this email comes in and it says, Hello ShinyHunters Group. Here we are kindly asking for a deal with you if you don’t know us, just Google it. We have dumped everything from your database linked to your company. We are asking for 1.2 million in Bitcoin or XMR. Otherwise your whole database will be sold or leaked online and your documents will be sent to our contacts in journalism and your reputation will be destroyed.

00:29:39:16 – 00:29:59:44
Keith
Keep in mind that if we don’t come to an agreement that only people will will lose trust in your company, but you will also face justice and pay much more than what we will, we ask, because to them you failed to protect your users sensitive datas. Here are some examples of companies we breach in the past and then they give a twitter

00:29:59:44 – 00:30:01:52
Keith
link.

00:30:01:57 – 00:30:20:38
Keith
So imagine getting that as a commercial company. That’s probably immediately you probably go, I hope this isn’t real. And then you look around and you go, this might be real. Oh shit. And then some people were like, It’s only X amount of money, but if I get reported on this, it’s going to be millions of billions of dollars.

00:30:20:38 – 00:30:48:08
Keith
And that math probably worked out for them where it just was cheaper to pay that the ShinyHunters group. Some other things that ShinyHunters would do, they sometimes would install cryptojacking malware at their victims. And if you don’t know what that means, don’t worry. I’ve got an explanation for you. A layman explanation. So, if you’re familiar with cryptocurrency and how people can mine cryptocurrency.

00:30:48:09 – 00:31:13:12
Keith
See, it’s very computer intensive. It requires a lot of power and a lot of CPU’s, video cards, things like that. So what would happen is ShinyHunters would break into these places that have a lot of power and then they would run these cryptocurrency mining tools and then basically mined cryptocurrency and then take that cryptocurrency for themselves.

00:31:13:12 – 00:31:23:48
Keith
So they would use the resources and power of their victims and then keep the currency in the ShinyHunter’s group, which is, you know, it’s it’s theft.

00:31:23:48 – 00:31:52:41
Keith
So ShinyHunters also had a Twitter account and it’s just S-H Underscore Corp. And I’ve got some examples here on the screen for you. It just says ShinyHunters APT Group, which stands for Advanced Persistent Threat, which is a group that basically will target you and then do what they can to stay embedded in your network. They’re not a drive by hacking type of group.

00:31:52:46 – 00:32:18:10
Keith
And you can see they reposted something from 2020, but they didn’t have a lot of postings themselves. So I clicked over to the replies, which is kind of in the middle of the slide there for you. And you can see they’re, you know, cracking jokes about a Jesus image and then putting a smiley, a frowny face on something else and July 16th of 2023, and then you can see them replying to something else on July 12th, the 2023 related to Uber.

00:32:18:15 – 00:32:19:55
Keith
So you can see their account was

00:32:19:55 – 00:32:36:05
Keith
active. Okay. I don’t know if it was, they would post something and delete it or what it was, but Twitter wasn’t wasn’t really showing me a whole lot more than this at the time I did this research. So things may have been deleted by then. So that’s it for act number one.

00:32:36:09 – 00:32:58:37
Keith
I’ve told you about ShinyHunters, how they break in and all that. Okay, so act number two, which is tomorrow, I’m going to title this one called The Pokey, because this is where Sebastien gets caught and we learn, you know, how he has a come to Jesus moment with law enforcement. So if there’s anything you like in this act, please, this is the number one thing you could do for me.

00:32:58:37 – 00:33:17:08
Keith
I don’t ask for money or anything else. I do all this research. And if you enjoy this research and how I try to, you know, not take it seriously and joke a little bit when I give it to you… just a like, just give me a like, a thumbs up or a like, a subscribe, or follow… whatever it is on your platform.

00:33:17:13 – 00:33:38:41
Keith
It’s immensely helpful for people just getting more views on these type of videos and it helps me out a lot and I really, really appreciate it. And if you’re really feeling like you want to show somebody my work, I would appreciate if you just reshare it. If you reshare a video or reshare the audio podcast that you’re listening to that would just introduce me to new people.

00:33:38:41 – 00:33:50:59
Keith
And I really appreciate that. I would hope they would enjoy it too. So with that, I hope you come back tomorrow because I’m going to jump into Act two of this same episode, which is called The Pokey. So hope to see you then. Thanks.