It's the murkiest of worlds – and most cybercrimes go unreported. For the criminals, the money to be made is worth the risks. But how do they do it? One insider, Kate Fazzini, has broken ranks to reveal the world of digital fraud and corporate extortion. Will Pavia meets her.
A few months ago I received an alarming email from someone called Julian Diggle. Diggle claimed to have found a password I used for social media accounts on an adult website.
"You visited this website to experience fun," he wrote. He claimed to have hacked into my computer, taken control of its web camera, and produced a short film of me experiencing my fun. "You've got fine taste OMG," he said.
"You have only two alternatives," he continued. If I disregarded his email, he would send his documentary to everyone in my address book. He asked me to imagine "the disgrace" of this, particularly "should you be in a romantic relationship". Option two was to pay him US$1,000 – £820 – in Bitcoin.
I was pretty sure it could not be true. I haven't experienced fun for years. On the other hand, this person had my password. What if Diggle took footage of me staring, slack-jawed, at my laptop, stitched it together with some hot adult fun and sent the video to my mother and to my boss at The Times? Well, my mother would probably struggle to open it. But still, what then?
"The porn email!" Kate Fazzini exclaims, as if recognising an old friend across the room. "It's very common. It's sextortion, with the emphasis on the sex."
Fazzini, 39, is a professor of cybersecurity – she has been a reporter on cyberwarfare for The Wall Street Journal and also a combatant, as part of a cybersecurity team in a major bank. She now works for CNBC. She knows a lot of the hackers on the other side, too: the "carders" who steal credit card numbers, the ransomware crews, the Diggles of this world. Written almost like a novel, her new book, Kingdom of Lies, offers a vivid account of how these gangs of black hat hackers spreading from Romania to China extort money from individuals like me and the most powerful Wall Street banks, and how the white hats are trying to stop these people who can halt global companies in their tracks and produce digital campaigns to sway popular opinion.
We meet in a sushi place in Queens, New York, that has good wifi. She's sitting near the window, working on her laptop, two phones set out on the table beside her.
Fazzini explains the con of Diggle and his porn email. It works like this: a hacking attack against a social media site, website or bank exposes a huge haul of email addresses and passwords, which are then sold on the dark web, the precincts of the internet that run on an encrypted network, shielded from the prying eyes of search engines.
All Diggle and his colleagues have done is go to a dark web forum and buy some passwords, she says. Then they claim that they are inside our computers, monitoring our every move. "There is no hacking involved whatsoever. We are so afraid that our computers are watching us that we believe all these crazy things they claim are possible. We are so afraid that we fall for it." Those emails are big business, she says. "They have been very successful, to the tune of billions of dollars."
Kingdom of Lies begins with pen portraits of a whole series of characters mixed up in this world: a sort of hackers' version of the prologue to The Canterbury Tales. We meet a tall, suave German Fazzini calls Sig Himelman (she has changed the names of people, companies and even a few places). Himelman is considered "an influential hacker", although, like Diggle, he doesn't actually do any hacking.
In the summer of 2014, after one too many run-ins with the German police, he drives into Romania to start something in one of the hacking towns that are springing up all over eastern Europe. The tech company that he founds looks rather like a Silicon Valley start-up: it has a lovely open-plan office with bean bags. Himelman hires ten hackers who target American law firms. They lock up the companies' files with ransomware and then charge them between US$500 and US$5,000 for a digital key that will release those same files. Along with the key, his company sends a helpful PowerPoint presentation explaining how the firm can stop other hackers. Himelman portrays this as almost a public service. He's also convinced that tech companies, even criminal ones, need to include women in their workforces and hires a local girl, a teenager named Rene Kreutz, who speaks good English, to be his company's "customer service" department.
While Kreutz is busy explaining to distraught and enraged "customers" how they can regain control of their own system, a chap in Shanghai is developing a novel method to break into the systems of American companies. Bo Chou was trained, partly at least, by the Chinese government: he worked for a Shanghai-based unit of the People's Liberation Army, where his job was to hack into US corporations and steal their data. Fazzini says that other hackers think the Chinese rather basic, lacking in grace and stealth. Bo Chou thinks so, too.
He leaves the army and ends up working in a hotel frequented by western businessmen. He starts buying USB storage devices from a cheap supplier in southern China, loading them with malware and scattering them in baskets around a nearby convention centre, with a sign mimicking the logo of the company sponsoring each conference held there. "Free USB Storage!" the sign says. "Welcome guests!" When the guests plug in one of his USB keys, Bo's malware is installed and he gets into their laptops and swipes as many spreadsheets and contact lists as he can find. The intelligence he gleans from them he sells on an American website called Fiverr, which offers business services to entrepreneurs. "Companies love the breadth and depth of his data but have no idea where it came from and know better than to ask," Fazzini writes.
On the other side of the cyberwars, you have hackers who are referred to as "analysts", the white hats who work in the cybersecurity teams of major banks, attempting to defend their systems from constant attacks. A lot of former spies work in the field, too. Fazzini introduces us to a chap called Charlie Mack, who sounds like a hero from Homeland: he's a Harvard-trained lawyer and former intelligence officer who was stationed in Benghazi, Libya, until just before the attacks on the US compound there. Then he went to work in cybersecurity at a large New York institution Fazzini refers to by the pseudonym "NOW Bank", which is seeking to fend off a major cyberattack its team has codenamed "Venice".
"Did Chinese hackers get into the bank to steal all its secrets?" Mack thinks as he paces about heroically. "Yes, but that was a while ago. Are Russians trolling bank networks looking to grab information on Putin's 'friends' and enemies? Sure, but not in this particular case."
This time, the perpetrators seem to be Israelis who pull details of the bank's top investors, target them in a fraudulent investment scheme and then launder the money with the aid of a chap in New Jersey who has set up a baseball memorabilia company.
More often the hackers use what they learn from a bank's internal records about forthcoming mergers and acquisitions for insider trading. This scam, which used to be reserved for actual insiders, is now allowing hackers to make hundreds of millions of dollars on the stock market, Fazzini tells me. In her book, Charlie Mack observes to his boss that, "These guys get all the benefits of insider trading without ever having to rub shoulders with bankers, lawyers or government officials. Luckiest f***s in the world."
Mack misses being a spy, Fazzini writes. Every now and then, when an executive makes a bad lawyer joke, he wants to say, "Listen to me, asshole … I was raiding Gaddafi's compound last year. Do you think I'm being overly f***ing careful?"
Fazzini appears in the book, too, in passing. Careful readers will spot her as the single mum in Charlie Mack's cybersecurity team, whose house burns down. This actually happened to her. In the time frame covered by her book, she also went through a divorce and became a single mother. She thinks these hardships may have caused her to have a closer relationship with many of the analysts and hackers she depicts. "I have had a difficult life, in some ways, in the past few years," she tells me. "There was a way in which people were able to open up to me for that reason. There was a lot of sharing."
Fazzini grew up in Ohio, where her parents worked as schoolteachers. She had a Commodore 64 home computer as a child, on which she and her sister learnt how to programme games. She also had a "black box", an electronic circuit that attached to the phone and worked to stop the local telephone exchange from registering when she had picked up, so she could make free calls to her friends.
While studying English at Ohio State University, Fazzini worked in the college computer shop, surrounded by "computer science guys". Faculties would dump all their old hardware there. "I got to go through boxes of stuff," she says. She also got used to dealing with computer scientists.
After college, Fazzini worked in communications, and got a job at JP Morgan Chase. "I went fairly quickly to work with what was then called IT risk and security management," she says. The bank paid for her to take a master's degree in "strategic cybersecurity enforcement". "I think I always knew that I was good at it," she says.
Then there was the fire, so she had to work in local internet cafés in Queens. That's how she knew about this sushi place, with its good wifi. And there was the divorce, and being a single mother of two. One of the big points Fazzini makes in Kingdom of Lies is that if you can handle these kinds of life challenges, you can handle cybersecurity. Everyone imagines that you need to have been raised on a diet of microchips. It's all a lie, Fazzini writes.
"Can you use a smartphone? Make a PowerPoint? Think on your feet? Ever organise a night out to the movies for your friends that went well? Are you able to charm the pants off women? Did you escape an abusive marriage? Honey, I want you on my cybersecurity team."
The same, she suggests, is true if you want to be a hacker. So much of that business relies on social engineering, as per the Diggle porn email. Rene Kreutz, the teenager in her book, does very well at Sig Himelman's ransomware enterprise in Romania. She introduces a new "menu" for "clients" who have been locked out of their systems. They can pay swiftly and receive a discount, but steadily the price increases, and if they do not pay by a certain deadline their files are destroyed. These innovations help Himelman's enterprise to increase profits by 20 per cent.
Fazzini says that some ransomware operations send their targets a ticking clock, indicating a countdown before they lose their data. An appearance of professionalism is very good for their business models. "A lot of these criminal organisations have a documented reputation with the law firms that do cyberdefence." These firms will say to companies under attack, "Yes, you can pay these guys. We know who they are and they will unlock your information. They have this earned business-to-business reputation. Insurance firms will say, you can pay this guy and we'll cover your payment."
Young Kreutz is rewarded by her boss, the suave German: she gets a raise and her own glass office. When hackers at the firm break into the system of a large technology company in San Francisco, she has another idea. The company is a household name; its chief executive is well known, too. But it appears from his emails and internal messages that he is sexually harassing female staff. He also appears to be using prostitutes. Kreutz suggests they "ransom him for his emails" for US$1 million. She tells Himelman, "We don't ransom the company files. We stay under the radar and spook him just enough to get him to pay up, but not enough for him to call the FBI."
She writes him a discreet email, obliquely referencing something he has said in one of his filthier messages and sends it to him, with the number of a burner phone, a throwaway mobile that links back to her office phone. She gets a call three minutes later via a WhatsApp line and hears "a tired man's voice" who wants to use her "shredding services".
The man asks her if she can guarantee it, and when she offers to put it in writing he thinks better of it. "No! No. That's fine … If you didn't keep your word nobody would ever pay you again, would they?" He tries to assure her that he is really a big fan of women. She assures him that, "If you don't pay within the next ten minutes the rate goes up," before texting him the details of the Bitcoin wallet to which he must make the payment. He does. Kreutz and the company receive US$1.3 million. They split the takings evenly and all go out to a club that night.
Fazzini portrays Kreutz and Bo Chou, the Chinese hacker, with some sympathy. She has less time for a white hat she calls Bob Raykoff, a former air force commander who rose to the top in the military and now makes a living writing pompous, jargon-filled books about "futurethreats" in cybersecurity. After the cyberattack on the bank where Charlie Mack works, executives hire Raykoff for a whopping salary as head of its cybersecurity team.
Fazzini says some military men make good cybersecurity execs because they have, at least, a solid grasp of the security part of the job. But they may also be rather attached to the idea of a hierarchical chain of command, which does not work in cybersecurity, where "a 20-year-old analyst who specialises in examining computer code must be able to quickly raise the alarm".
The other thing military men might struggle with is the idea that they are no longer defending their nation but a multinational corporation. In his first speech to staff from New York and London, with people in Singapore following along by video conference, Raykoff declares, "I wanted to do this job for one reason. I want to protect the people of this country, of the United States of America, and their money and their treasure."
The speech confounds the people from London and Singapore, who deal with European and Asian customers. "Is NOW Bank pulling out of Asia??? :-0", one of them texts to a colleague in New York.
Things start to go wrong at the ransomware company in Romania, too. Fazzini writes that sooner or later, these operations are pulled apart by rivalries between the hackers. In this case, Himelman, the German entrepreneur, becomes jealous of Kreutz and her rising status among her colleagues. He begins a relationship with her and proves equally insecure as a boyfriend. She becomes pregnant, and he cuts her off from her family and friends, insisting that she stay in the house they share, in what steadily becomes an abusive relationship. After their son is born, she escapes with him in the dead of night, catching a train into Germany and travelling across Europe to Spain where, thanks to her nous and the PowerPoint skills she once deployed in ransom messages, she lands a job at a legitimate tech company.
Bo Chou, the Chinese hacker Fazzini writes about, manages a similar leap from the dark side to the light and a job working as a tech project manager in Singapore.
Her book reads like a thriller. The style – sweary, snarky, packed with ribald stories – reminds me of the old US gossip website Gawker, which boasted of publishing the stories journalists cannot tell but talk about in the pub after work. Fazzini says this is actually how she came by a lot of her stories. Charlie Mack, the spy, for instance. You couldn't just ask him about it directly in the office, she says. "But over a whisky he will tell you the most incredible stories. You just sit back and listen."
You probably couldn't tell a lot of the stories she tells as straightforward pieces of journalism either. Fazzini says the principal characters were allowed to see how they were portrayed. But she never visited Romania and she never met Himelman. She did have sources who knew him intimately, though, including a childhood friend of his who now works as a cybersecurity researcher, and hacked into Himelman's computer to get a closer view of his exploits. And, arguably, you learn far more about this world the way Fazzini tells it than you would in a sober news story.
Ironically enough, it's actually become more difficult for Fazzini now that she is a journalist. The people who were her confidants, her fellow drinkers in the back room, look at her more cautiously.
"A few weeks ago I went to this FBI conference. They gave me this scarlet letter, a big orange fluorescent badge that said 'PRESS' on it," she says. "I saw some people with whom I would normally have had nice conversations shrinking away from me."
Her great hope for the book, and I think it's true, is that readers feel as if they are part of the gang. "I want people to be in that back room," she says. "I think that people would be a little less scared if they were in that back room." If they really knew the hackers, she says, they could say, "OK, I don't love this person who's at the other end. I don't have to like them or go along with what they are saying, but I can at least picture them."
Does it make me feel any better to think that Diggle, the porn email man, may be working for an insecure German somewhere in the Transylvanian Alps? Or that he may be a deeply paranoid chap – all hackers are, as Fazzini tells it. Perhaps it does, a little. I also drew a kilobyte of solace from another small detail. Sig Himelman, she writes, is so fearful of being tracked through his phone that he turns to another interface to learn of current events. It doesn't log your movements or scrape your data and he likes the way it feels under his fingers. It's called a newspaper.
Written by: Will Pavia
© The Times of London