
The surprising identity behind some of the internet’s most nefarious hacks and why sometimes criminals are more willing to talk than victims of a crime — we discuss the dark side of the web with Darknet Diaries host Jack Rhysider.

Key topics:

  • Hacking
  • Financial crime
  • The surprising identity of many hackers
  • What the deep web really means

About Jack Rhysider

Jack Rhysider is a veteran of the security world. He gained his professional knowledge of security by working in a Security Operations Center for a Fortune 500 company, a place where threats are detected and stopped. During that time he was exposed to hundreds of clients’ networks ranging from schools, to government, to banks, and commercial organizations. Jack created Darknet Diaries in 2017, because he couldn't find the stories he was seeking anywhere else.

JACK RHYSIDER

I had been using bulletin boards before the Internet, right, and some other protocols before the Internet to see, OK, we can get online using - dialing into this modem and all these kinds of things. And so it was always to me, I was like what are, what are all the different communication channels? And for a long time people thought the Internet was just websites, right? And so I'm like, "no, I'm on IRC, I'm on FTP servers, I'm logged into Shells," all these kinds of things. So to me it's just all these different protocols and technologies that I'm just fascinated with and I'm always getting my hands into. And yeah, the darknet is something that I explored and was like, "ooh, this is kind of an interesting place, it's got lots of different things."

MATT ASHBURN

Hi there and welcome to NeedleStack, the podcast for professional online research. I'm your host Matt Ashburn and I keep the lights on to get on the dark web.

JEFF PHILLIPS

And I'm Jeff Phillips, tech industry veteran and curious to a fault. Today we're continuing our deep dive into the dark web, and in this particular episode we're looking to add a little more context to it through some real-life stories. We're actually joined by the host of the Darknet Diaries podcast and - its host Jack Rhysider. Jack, welcome to the show!

JACK RHYSIDER

Hi, thanks for having me. I'm reporting live from the darknet!

JEFF PHILLIPS

Excellent. For those of you on the video podcast, you'll notice Jack has chosen to not show his actual face. And Jack, I've noticed online it seems you try to limit your image and background information about yourself as much as possible online. Why is that? Is it related to the show and the work you do or - what's behind that?

JACK RHYSIDER

I think it's the future! I think we've got people using avatars for their images all over the place and we're seeing more and more of that, but yeah I mean, for me there's a lot of reasons. I am a content creator and there are people who want to, I don't know, get to know me, stalk me, hack me, all these kind of things, and this just happens to tons of content creators. And since I'm talking about the hacker world, I got to just kind of have that line of separation there. So yeah, I take a step back from private information on the Internet and really do what I can. I'm a big proponent for online privacy and so here I can make a video appearance without showing my face and I think that's kind of fun. But at the same time I'm using this sort of filter that gives me kind of a cartoon look. So it's not completely empty.

JEFF PHILLIPS

No, I like that. That's a great point. It is better than - we've had some people we've talked to that have to go completely dark and that makes it a little more challenging. Thank you.

MATT ASHBURN

Yeah, it kind of reminds me of a bit of a Max Headroom effect, so I'd like to know the name of the filter. It'd be pretty cool to see.

JACK RHYSIDER

I'm using Snapchat.

MATT ASHBURN

Ah, there we go. Yeah, plenty of stuff there. Well, I like that better than the cat filters, I think. On Darknet Diaries, your podcast, you tell a lot of stories from the dark web that explores the culture, really, around hacking and cybersecurity. What really made you want to start telling those stories?

JACK RHYSIDER

I think it was because when I was listening to the news for InfoSec and this sort of thing, there was, like, breaking news, right? It was like, "Oh, here's the stuff that happened in the last hour, in the last day, or in the last week," and a lot of that was missing tons of pieces. "Well, we don't know who did it." What did they actually steal? "We don't know what they actually stole." Okay, are there any leads? "Well we don't know." There's all this "we don't know" stuff. And I'm like, I'm tired of this kind of news, I want news where I do know. And so they're like, "well, we won't know that for five years." Okay, well, then tell me the story in five years. And nobody was really telling me that story five years later of like, "hey, we actually know everything now, do you want to know it all?" And for some reason, we just kind of like, "no, that's five years old, I don't want to know that." But not me. I want to know it. So now, okay, who's the person who did it? Here's the kid's name. All right, why did they do it? Because they were bored in school. And how did they get arrested? What'd they steal? How did the FBI catch them? What was the damage caused to the company? Like, now we have all the answers. So this is what I do - I'm a slow news junkie. I go back and I say, now we know the whole story. Now it's the right time to tell it. And that's what I do.

MATT ASHBURN

Yeah, I love that. So it's really more of a curiosity that got you involved. Were you using the dark web very much before then?

JACK RHYSIDER

Yeah, I mean, I was definitely curious, going out there and checking it out, like, this is neat that there's this alternative protocol that you can use. It doesn't - it's not so much like I was a user of the darknet. I was more of just a fascinated person in technology, right? So I had been using bulletin boards before the Internet, right, and some other protocols before the Internet to see, okay, we can get online using - dialing into this modem and all these kind of things. And so it was always to me, I was like, what are, what are all the different communication channels? And for a long time, people thought the Internet was just websites, right? And so I'm like, "no, I'm on IRC, I'm on FTP servers, I'm logged into Shells," all these kind of things. So to me it's just all these different protocols and technologies that I'm just fascinated with and I'm always getting my hands into. And yeah, the darknet is something that I explored and was like, "ooh, this is kind of an interesting place, it's got lots of different things." Some stuff I was doing was, as I was working as a network security engineer, I was trying to look for alerts and things that were related to the company I was working for - if our domain name showed up somewhere on the dark web - and so I'd kind of put out some alerts for me to look around for stuff like that, as well as checking out just to see what kind of forums there are out there and what the communities are like there.

JEFF PHILLIPS

Now, sometimes you're talking to - I mean, may I say it - to criminals on the show, right, or hackers and things. How do you find your subjects for the podcast and why do you think they're willing to go on the record with you and walk through what all was happening as they tell the story, like you mentioned, years later, as you get the full picture?

JACK RHYSIDER

Yeah, I think, I think there's enough shows out there that have, like, expert opinions, yeah, and they're like, "oh yeah, you know, I've been in this field for 20 years and this is my expert opinion," and it always seems so high-level. Like, that's some 20,000 foot view, that's not the "oh my gosh, I really don't know what to do" kind of situation. Because that's what - when you're in the trenches and you're getting hit with some sort of attack or breach or you're the one actually doing it, you have a totally different viewpoint of what happened and you can speak from this "I" standpoint like, "I did this" and "we did this" and all this kind of thing, and not this expert, let's back up from that and say "you should do this" and "you should do that," because there's a difference between that. When the rubber hits the road, there's a totally different story we want to say. And that's what I'm attracted to, is these people who are actually there for the breach or did the breach or arrested the criminal or whatever the case is. But yeah, I am drawn to the criminal side of it as well. We hear these stories of, like, okay, these hackers got into this thing and all this stuff and it was all this sophisticated stuff, but then, you know, you look in a store and you're like, no, they just found a Post-It note somewhere and that's hardly even a breach, that's just, like, just a simple mistake that someone made. It's not even a hack, right? It's just like, "I stumbled upon this Post-It note and now I can get into your stuff." And so I like these, let's look into this to see what the hackers, quote unquote, actually did to do this, and you learn all this nuance to it that you never would have realized before. And so it's really fun for me to hear exactly how these people did it. I mean, sometimes I even call them out on the show like, "that's the most unsophisticated lamest hack I've ever heard." 
And they're like, "I know it should not have worked, but that's exactly how it happened." And now it's like, well, this is really stupid that it was so easy. So, yeah, I mean, I really like this firsthand opinion and viewpoint of everything.

MATT ASHBURN

I love the fact you've been able to demystify a lot of that stuff through that humanization, right, and bring in the human element. And the criminals are out there. They're motivated, like most people are, by similar qualities, so it's pretty interesting to see that.

JACK RHYSIDER

Yeah, you get this image in your head when you just hear "hackers took this thing" like, oh, yeah, it could be Russian criminals, it could be some Eastern European. No, it was some teenager in fifth period class and Miss Wilson's Junior High.

MATT ASHBURN

They're not all hiding in back alleys wearing dark hoodies. That's not how that works.

JACK RHYSIDER

Yeah, I love bringing those images to life and saying, this is exactly where it was done and who did it and how all that happened.

MATT ASHBURN

You know, speaking of that, we've been talking a lot about misconceptions of the dark web and darknets in general in some previous episodes. Did you have any beliefs that were changed as a result of doing your show or getting more involved and more aware of what's going on in the dark web? Anything that surprised you?

JACK RHYSIDER

Yeah, I mean, one of the things that is just kind of a thing that bothers me about kind of the misconception part of it is there's this image of this iceberg that shows up sometimes where people are like, "oh, the deep web has, like, 90% of the stuff in the world," and I'm like, that's not related to the darknet. That's just, like, in my house here, I've got all these devices, they're not exposed to the Internet. The Internet can't get to my computer sitting here on my desk. The Internet cannot get to my phone sitting here on my desk, at all. So that's part of the deep web or the dark links or whatever the case is that they're trying to say, like, there's - 90% of the Internet is there, it's just that it's not publicly accessible, it's not on the darknet, there's no hit, like, there's like tons of data out there that, you know, is available to certain people. No, it's just private. It's private in a company, it's private in a house, whatever. It's not necessarily part of the dark web. And so I hate that image keeps going around, like 90% of the world has got this deep web stuff and it's confusing.

MATT ASHBURN

And I've been guilty of that myself, using that very famous iceberg diagram. I have to admit, as much as I'm ashamed to admit that. But yeah, you're right, there is like this mystique that people get with this stuff where we have the deep web, it's very mysterious. No, it's just not accessible, or easily accessible, on the public Internet, right, it may require a login or may be behind some other network or something like that.

JACK RHYSIDER

Yeah, yeah, I think that's the one that bugs me the most.

MATT ASHBURN

Yeah. One of the other common threads that we've seen, and I think this is highlighted in some of the interviews that you've conducted, there's really a retaliatory or adversarial nature even among the different groups and actors that are committing criminal acts or fraud or those types of things on the dark web or facilitated using the dark web. What are some of the craziest things that you've seen in that regard?

JACK RHYSIDER

There are so many, I'm just having trouble coming up with something. I always think it's interesting that people go through a lot of steps just to get, like, a free burrito or free pizza, right? So there's all these accounts for sale and stuff. You can get a Netflix account. You can get a Chipotle account. You can get a Hilton Honors Account and say, "yeah, I'll buy that from you for a couple of bucks," and then that's tied to somebody's actual Chipotle account, right? So you pop it into your phone, and now you can order a burrito and get it sent to you or whatever. This is always interesting to me, just to see these little things that people are going for out there. But, I mean, that can scale up, right? You can get that Hilton Honors Account and try to get a free stay at a Hilton because you're using someone else's account to get into that room and stuff, but that's getting more risky now, and that's surprising me too. Like, you would actually go and stay in a, in a - like, it's one thing getting a burrito delivered to your neighbor's house and then going and standing there waiting and saying, "hey, thanks for bringing it," but it's another thing actually going to use a fake, a fraudulent hotel account and actually stay there the night. That's just causing something - something bad is going to happen from that.

JEFF PHILLIPS

It's a different level of stress between those two, getting the free burrito and assuming someone's identity at a hotel, for sure. We talked about how on the show you'll have, you may have the criminal side, but you also have, you'll have investigators or cybersecurity professionals that are kind of, if we put them in versus kind of scenario. Do you find that it's as easy to get those investigators or those cybersecurity professionals to open up and tell you about their - tell their side of the story on the podcast as compared to the criminals?

JACK RHYSIDER

I don't really think it is. One thing that happens is that I have a lot of CEOs email me saying "I'd like to be an expert on your show." And I say, "Oh, well, actually, can you tell me about the time when your business was hacked or breached?" And they're like, "well, I can't talk about that." Like, that's the good story I'm looking for. If you want to be on the show, you've got to be very humble and vulnerable and tell me about the worst day ever at work, and they don't want to do that. They have a PR obligation to be like, "no, we're secure, and we never talked about that publicly." Right? So a lot of CEOs absolutely hate the idea of telling about the day they got breached. So that just never happens. I never get that experience. And then when we have defenders and people who were attacked, a lot of times they're under NDA where they can't talk about the breach that occurred, or they're just not allowed to share it. And I say, "Okay, after all the stuff you can't say, like the company name, the date, location, maybe even the name of the malware, let's just redact all the stuff that's redactable, does that still allow us to tell the story? You can just be general and stuff." And I still have trouble with that, right? So, there's just this - it's hard for me to do that. But that's the space I love playing in, is that stuff that - we're not allowed to talk about that? Let's talk about that. So I just keep looking around for people who eventually do have something that they can share, and it becomes a very interesting story when that does come out. And I think that's why we go to conferences, too, is to hear - we know we've got these certain problems, and we're looking for people who have the same problems so that we can kind of help each other solve it. And so when I bring up these problems, it really does resonate with a lot of people like, "oh my gosh, that happened to us," and "how did they solve it?" It's really profound to some listeners.

JEFF PHILLIPS

I can imagine. What about the other side? Have you been surprised that any on the criminal side have been willing to speak with you that, kinda, that you might remember that were long shot guests?

JACK RHYSIDER

Yeah, definitely. Well, it's not so much that, it's people who are still active in the criminal scene, right? And I'm just like, why would you tell me this? Like, this is absolutely going to be bad for you if I hear this. But I really feel like I have a responsibility as a journalist and not show like, oh, here's a person who stole a million dollars and they got away with it, and they're perfectly fine. I feel like that's not, I don't know, good journalism. So I really like to wait - like, if somebody comes to me, this happens all the time, somebody comes to me and says, "I did this stuff, I ran this darknet marketplace," whatever the case is, hacked the stuff, stole things, made lots of money, whatever. One of my first questions typically is, were you arrested for this? Were you caught for this? Do you have a police report that I can see? Were there articles written about you? And I like asking that because then I know the end, right? So let's just quickly jump to the end. Were you arrested? How much time in prison did you experience from this? And if that is the case, then now we have kind of this - not so much redemption story, but an arc where the person was found to have received punishment for this, right? So there is - people might listen at the beginning of the episode, they go, "oh man, he's making so much money and doing all these hacks and stuff and I want to get into that," but then all of a sudden everything just goes really bad and then you kind of back up as the listener and be like, "no, actually, I don't think I'm going to take this life of crime up myself because it does seem like it's a bad idea." And so I kind of have to have that lesson in there. But I've talked to people, I haven't aired those episodes of people telling me like, this is all the crimes I've committed. And I'm just like, yeah, I'm not gonna air this.

MATT ASHBURN

So on the other side of the house, right, so journalists like yourself or cyber defenders, you mentioned cyber threat intelligence value of going on there and looking for maybe the organization or corporation that you're working for. What's some of the advice that you'd have to other folks that are using the dark web, darknets for cyber defense purposes like that or for cyber intelligence?

JACK RHYSIDER

Yeah, I mean, there are threat intelligence feeds you can subscribe to which will look at this. I mean, they're a little bit more skilled, they know which forums to look into. And it's not just the darknet. There are a lot of clear net websites that have breached repositories as well, it's all over the place. So having someone like a threat intelligence service can really look for specific indicators and stuff for you. So you can say "anything that has my company domain, if you see that in any of your breach data or stuff that you're collecting, let me know and then I'd like to examine that further." And sure enough, there were times where my company had a significant amount of its users show up in a breach, and I was trying to figure out like, okay, well now was our company breached? No, it doesn't seem like it because you look into the breach data, you see companies from all over, it's not just ours. And so now it's like, okay, well, do you think these users may have reused their password at work as well as in here? So now we have to notify these users like, hey, you are in this. But even if they didn't reuse it, it's still good for them to know that they were seen in this breach. So it was - I think it's just beneficial to be able to look through this stuff that the criminals are gathering and looking through and to be able to make it make sense to you, and that's what kind of threat intelligence is, is what's the threat to your business or your network specifically, and threat intelligence can do that. So there are services out there that do this, and you can kind of interact with them to say, this is what we're looking for, and they'll give you that information.

JEFF PHILLIPS

Now, if we go a little deeper on that, you obviously take security seriously on your side, as we talked about with the PII. When you go onto the dark web, are you taking precautions just because of the nature and any kind of the drive-by malware and anything like that, or you just put in Tor on your machine and off you go? For whatever you might be willing to share from how you protect yourself.

JACK RHYSIDER

Yeah, I mean, it depends on what I'm doing. I have my website Darknet Diaries on Tor, and sometimes I just want to check on that to see how it looks, because developing a website on Tor is a really interesting experience. So yeah, in that sense, I'm just going to put it on my browser and go ahead and check it out and get off there when I need to. Other times when I'm digging deeper, I will use something like Tails or a virtual machine and be able to burn that whole operating system down afterwards. Because, you know, one of the things that Tor does is it anonymizes you, right? And so if you're logged into certain things like Facebook and Twitter and things like that, then you're starting to leave cookies behind or be able to be tagged or de-anonymized and stuff like that, so you want to have this sort of fresh install. So it all kind of depends on what it is you're trying to do on there. It's always good to take the extra precaution and say, "let's be safe because we're getting into zones that you can't trust anyone here." So, yeah, it's - I guess it comes down to what you're concerned about.

JEFF PHILLIPS

You touched on something there - sorry to follow up - that I'm not familiar with. What makes it - what's difficult about creating a website on the dark web versus on the clear web?

JACK RHYSIDER

Yeah, I mean, you have to only accept connections on Tor, and so you've got to - you've got a server that's on the Internet, but it's not listening to any connections from the Internet. It's only listening to connections from Tor, and so you have to have a - I can't remember all the steps, but you have to be able to get into that network and configure it in these other ways. And so when you have a website on Tor, you want it to be exclusively on Tor, right? And a lot of these websites, when you build them, they're saying, well, let's go to Google Analytics and use that, and let's go to Font Awesome and use those fonts, and let's do jQuery CDNs and all these extra things that it's bringing in from the clear web, and so now when you go to a website, it's doing all these requests to these clear net websites and that's not going to work. And so, one of the things I have on my website is an MP3 player and that MP3 player uses these extensions that are on another - it's like a CDN. So how do I bring that in and not be reliant on any outside source, and it's completely internal or a self-contained website, has been some of the tricky stuff that I've run into.

MATT ASHBURN

So Jack, as we start to wrap up here, what are some of the top resources or takeaways that you want to make sure people understand or bring home from this episode?

JACK RHYSIDER

I think we are constantly under attack as far as there are breaches going on all the time and our data is seen in them, and what we've got to do is kind of secure the things that are important to us. And so, we see our username and password and our email address in breaches all the time. You can go to haveibeenpwned.com to kind of look to see if your stuff has been in there and you should do it frequently. You can even look to see if your password has been seen in a breach. And so, when we see this happening all the time and they're going after our Chipotle stuff and our Hilton Honors and stuff and our Netflix accounts, they're not just trying to get some big licks from us, they'll just take every little thing that they can. We've got to really kind of secure our digital lives, to get more seriously. So we need to be enabling two-factor authentication, maybe using totally different email addresses for certain things, like if you have a bank account or a crypto, that shouldn't be the same email address as maybe Netflix or some of the other services that you use that may be not as secure, like signing up for some forum to talk about hockey or sports, that has a higher chance to be in a breach because it's just run by some people who are probably using some WordPress or something that just gets breached easily. So, you know, you go to these lower-security sites, you shouldn't be using the same passwords and email addresses even as some of your higher-security sites. So you might want to start compartmentalizing it, like if you use one email address for your bank and that's it, that's the only thing you use with that email address, now that's not going to be seen in any breach ever unless that bank gets breached, and that's kind of a nice peace of mind, right? 
So we should start thinking about this going into the future, of not just use a different complex password on every site, but a different email on every site too, because these criminals are really going after getting into emails and then getting everything from there. So emails are becoming more and more important to secure.

MATT ASHBURN

Yeah, that's a good tip. And another one similar to that is maybe using a slight variation of your name on, like, written material, right? Mailing, actual physical mail, for example. For different groups and organizations, I've seen some people put a different middle name, which represents maybe the name of the company that you gave the information to, as an example. If you start seeing that across other vendors, then you know that your information has been sold or compromised or both. And another tip too, for folks that have Gmail, it's incredibly easy to do that, right? Just add the plus sign and then whatever attribute you'd like and create a different email each and every time. Jack, thank you so much for being here today. That's Jack Rhysider of Darknet Diaries. And thank you also to everyone else who tuned into the show today. If you like what you heard, you can subscribe to our show wherever you get your podcasts, you can watch episodes on YouTube and also view transcripts and other episode info on our website. Be sure to also follow us @needlestack_pod on Twitter. We'll be back next week with more information about the dark web in our listeners' live show dedicated entirely to your questions. To register or submit a question ahead of time, visit authentic8 - that's authentic with the number eight - dot com slash needlestack. We'll see you then.
