Narrator

From Recorded Future News and prx, this is Click here.

Dena Temple-Raston

Hey, it's Dena. Today we're revisiting a story we first aired last year. We sat down with Dan Guido. He's a cybersecurity expert, a Red Team specialist, and someone who's spent years probing the defenses of governments, corporations in some of the most sophisticated systems in the world. And yet, when it comes to stealing cryptocurrency, he says the weakest link often isn't the technology, it's the person holding the wallet. In this conversation, we talk about social engineering. The small manipulations, convincing stories, and carefully crafted deceptions that can unlock fortunes without ever breaking the code. Because hackers have learned something important, it's usually easier to hack a human being than a blockchain. Take a listen.

Benson

But before we do start a call, I just want to give you an introduction about myself and our team. So my name is Benson. I'm currently part of.

Narrator

That's the voice of an actual hacker, not a voiceover or recreation. And he's in mid scale.

Benson

And my background speaks of tech and crypto. And joining alongside me, a co author. This piece is Alex.

Narrator

We rarely get to hear something like this. No modulated voice, just a guy pretending to be a journalist looking to take over someone's computer.

Dena Temple-Raston

He's from a hacker group called Elusive

Narrator

Comet, and they don't use zero days or ransomware. Their weapon of choice is charm and zoom, and in a world of remote work and screen shares, that can be pretty dangerous.

Dan Guido

It's hard to pay attention to all these hacks because there's just so many of them. So, like, bringing up an individual like, oh, this person got hacked? Well, like, yeah, him and like 10,000

Dena Temple-Raston

other people from Recorded Future News and PRX. This is click Here, a podcast about how technology is changing everything. I'm Dena Temple Rastan, and today we talk to one of the people who was targeted by Elusive Comet. He's a cybersecurity expert, he runs red teams, he fights nation state hackers. And yet the Elusive Comet hackers took aim at him anyway.

Dan Guido

Yeah, to any hackers out there listening, not a strategy I would recommend.

Dena Temple-Raston

That's right after the break. Stay with us. Support for Click Here comes from Serval. Every company says AI will make employees more productive, but most employees are still stuck waiting on it, waiting for app access and password resets, waiting for someone to fix a laptop issue so they can get back to work. That operational drag adds up fast, and IT teams are overwhelmed trying to keep up. Servil was built to automate that work. You describe what you want in plain English and Servl builds it for you. No complicated workflow, no consultants, just faster support and fewer tickets, slowing everyone down. The platform is designed to eliminate repetitive tickets so it can focus on strategic work instead of constant firefighting. The company guarantees customers can automate 50% of it tickets. Learn more or start a free four week pilot at serble.com clickhere that's S E-R-V-A-L.com clickhere serval.com clickhere Support for Click Here comes from NPR's Planet Money podcast. Curious about the economic forces shaping your daily life, the Planet Money podcast makes the economy make sense by telling stories about the people inside it. Take the wnba. Most people heard the leak, landed a

Narrator

big new collective bargaining agreement.

Dena Temple-Raston

But Planet Money went deeper inside the negotiations themselves. They found a Nobel Prize winning economist helping players make their case with something, surprisingly, a pie chart. Because the real fight wasn't just about bigger salaries, it was about revenue share and whether players would finally get a bigger piece of a rapidly growing business. Planet Money explained why that matters and why this deal could reshape women's sports for years to come. That's what Planet Money does. It takes ideas that sound abstract. Collective bargaining sanctions labor markets and turns them into stories that feel immediate and human. Other episodes have explored why Pokemon cards are outperforming some investments, or how Russia's economy adapted after years of sanctions and what a 750 pound restaurant robot says about the future of work. Planet Money is economics told through curiosity, surprise and great storytelling. Follow NPR's Planet Money podcast and understand how money shapes the world.

Narrator

Dan Guido runs a cybersecurity company with a curious trail of bits.

Dan Guido

I like the name. There's a lot. There's a lot to like about it. There's a long story about that. It's like alternately ancient Mayan death chant. It's like a punk rock band, fun little play on words to describe the trail of digital evidence that you leave behind on computers.

Narrator

It's a company trusted by the likes of darpa, Facebook and a variety of crypto platforms. So you'd think that would put him

Dena Temple-Raston

off limit to hackers.

Narrator

It didn't.

Dena Temple-Raston

Last April, Dan got a message on Twitter. Someone claiming to be a reporter from Bloomberg Crypto wanted to set up an interview over zoom.

Narrator

Now Bloomberg Crypto is a real thing, a unit of Bloomberg News focused on digital currencies, blockchain tech and the billionaires who orbit them. In other words, A perfectly plausible place for someone like Dan to appear. So at first he was flattered a journalist wanted to talk to him about crypto.

Dena Temple-Raston

Of course they did.

Narrator

And then the flattery wore off. Then the flags, the red ones, started to wave.

Dan Guido

The fact that a Bloomberg News person like, wouldn't talk over text, wouldn't talk over signal, wouldn't talk over email. They really insisted on Twitter DMs or Telegram. They said, oh yeah, or we'll do Telegram, which is like a huge, huge red flag. And then the email confirmation from a Gmail address, like, I don't think so.

Narrator

He was pretty sure this guy asking for an interview wasn't on the up and up. But Dan was intrigued. So he agreed to talk to him over Zoom and pulled out an old Chromebook to take the call.

Dan Guido

And I was ready to join a call and record it on a device that I thought would be impenetrable.

Narrator

But the hackers never showed. So Dan got to work figuring out who had targeted him. And he discovered that he'd been targeted in a hacking campaign launched by Elusive Comet.

Dan Guido

I did figure out what they were up to, which was sort of shocking to me.

Narrator

At the heart of their methods is this a feature built into Zoom that most users never think twice about.

Dan Guido

Zoom is a great product. It enables connectivity and interaction with people the world over and during COVID It definitely, you know, added a ton of value to people's lives. But it has so many features in it that I don't think everyone knows what it can do.

Dena Temple-Raston

Things like remote access.

Dan Guido

There's actually this IT remote support feature that's built into Zoom that allows somebody else to take control of your screen, your keyboard, your mouse, and basically just sort of look over your shoulder and work on your computer.

Narrator

We've talked about this in the past in previous episodes.

Dan Guido

It was just sort of a shockingly easy trick to play that only requires social engineering. And it gets you code execution out the other end.

Narrator

It only takes two clicks and looks a lot like some of the day to day pop ups you get on Zoom.

Dan Guido

You have to go into your system settings in macOS and specifically allow the Zoom application to like interact with the computer, record your screen, whatever. But that's a process that I think a lot of people have been sensitized to and I don't think people know what that really means when they flip those settings.

Narrator

The hackers leverage people's general confusion about technology by adding some expert social engineering and their first step, pressure.

Dan Guido

And they're adding this time pressure of like hey, we need to go to recording next.

Narrator

Some ego stroking.

Dan Guido

They're saying you're so important to talk to. We know all the great work that you've done and like, this is going to be great exposure for you. It's Bloomberg, you know, it's huge. And they just lean into it and lay it on pretty thick. Right away you feel really good about yourself, like, oh, somebody finally noticed me.

Narrator

And they use that to get inside your computer without you even knowing.

Dan Guido

And a lot of people, I think, are willing to take that step and just click these buttons because they don't know what they actually do once they click them.

Narrator

When we come back, we follow Dan into the blockchain trenches where hackers are hoping to trick their unsuspecting victims into handing over millions. We'll be right back.

Dena Temple-Raston

Support for Click Here comes from Quince. Summer always makes me rethink what I'm reaching for every day. Lighter fabrics, better materials. Pieces that just feel good the moment you put them on and they look effortless. That's why I keep coming back to Quince. They focus on high quality essentials. Think breathable linen, soft, organic cotton, washable silk, but without the luxury markup. It's that rare balance where everything feels elevated but still easy. Quince has beautiful everyday pieces like 100% European linen pants, dresses and tops with styles starting at $32. Their denim is soft and easy to wear, and their organic cotton sweaters are perfect for layering on cool summer nights. Everything at Quint's is priced 50 to 80% less than similar brands. And Quints works directly with ethical factories and cuts out the middleman. So you're paying for quality, not brand markup. But it's not just clothing. Quint's has really become a destination for elevated essentials across home, kitchen, bedding and beyond, making it easy to bring a more premium feel into everyday life. I just got a Quince bathing suit that looks like one of those expensive European brands, but for a fraction of the price. Elevate your summer wardrobe. Go to quince.com clickhere and get free shipping on your order and 365 day returns. Now available in Canada too. That's Q-U-I-N-C-E.com clickhere for free shipping and 365 day returns. Quince.com clickhere support comes from wise the

Recorded Future Sponsor

smart way to manage the currencies you need around the globe. Fed up with losing out to hidden fees when you send your money abroad with your everyday bank, choose the Smart wise, you can count on the exchange rate you'd usually find on Google. No unwelcome surprises. Plus, ditch that where's my money feeling. Most transfers arrive in under 20 seconds. Join millions saving billions on hidden fees. Be smart, get wise. Download the Wise app today. T's and C's apply.

Ira Glass

This is Ira Glass of this American Life. Do you know our show? Okay, well, either way, I'm going to tell you about it. We make stories, old fashioned stories that hopefully pull you into the beginning with funny moments and feelings and people in surprising situations. And then you just want to find out what is going to happen and cannot stop listening. That's right. I'm talking about stories that make you miss appointments and ignore your loved ones. This is American Life. Every week, wherever you get your podcasts,

Narrator

Hackers like the ones that targeted Dan Guido are usually looking for something really specific. A crypto wallet.

Dena Temple-Raston

And the reason is simple.

Narrator

It potentially offers a way to make a lot of money really fast.

Dan Guido

A community of attackers out there have realized that if you socially engineer somebody or get malware on their computer, the path to getting a payout is instantaneous. You know, you don't have to navigate through a big company to find the secret formula to Coke, like buried 10 levels deep in some active directory domain. Instead, you've just got a single person's computer that has a private key on it, and as soon as you read it, you can go grab $2 million.

Narrator

So in the beginning, hackers exploited what used to be a vulnerable corner of crypto wallet tech, something called smart contracts, which sounds like something dreamed up by a Silicon Valley marketing department after a few too many lattes, but really it's just bits of code, small self executing programs written onto the blockchain that essentially say, if X happens, then do Y. Imagine a vending machine, you put in your dollar, press B7, and you get your nacho cheese Doritos. No cashier, no small talk, no tip. That's a smart contract.

Dan Guido

I think about them as like little finance bots. They follow their instructions and they can't do anything else. So, you know, you could have smart contracts that provide loans, right? Anything you can imagine a piece of software doing, they'll, they'll do it.

Narrator

And a lot of smart contracts are wallets where people store crypto tokens so they can be targets.

Dan Guido

Hack them, and it's like a financial pinata. And if you hit them hard enough and you find a way to exploit a vulnerability in them, you get all the cryptocurrencies stored Inside.

Narrator

So hackers went after them as a sort of low hanging fruit. But these days, smart contracts are, well, smarter.

Dan Guido

They're no longer cardboard pinatas, now they're made out of steel. People are writing smart contracts that are pretty reasonably complex. They're like multiple thousands, sometimes tens of thousands of lines long. So now it is harder to hack a smart contract on a blockchain than it is to just go after people's laptops and steal their private keys. And that wasn't true for the last five or six years. That really only flipped, I'd say, a couple months ago.

Narrator

It's become so much harder to hack a smart contract that hackers have had to innovate with things like this zoom hack.

Dena Temple-Raston

And in a lot of ways, it's

Narrator

easier to just go after someone's laptop and steal their private keys than to try to hack a contract. Humans are a lot easier to fool.

Dan Guido

I mean, I feel like we've got enough evidence out there, enough people have been hacked where this seems to be pretty clear.

Narrator

So if you're into crypto, how do you protect yourself? Dan has some words to the wise.

Dan Guido

The number one piece of advice that I always give is just separate your crypto wallet from the device you use every day. I think a single purpose device, you know, some cheap Chromebook that you use to access your giant holdings of cryptocurrency, is the most appropriate strategy. You shouldn't have $2 million or whatever it is at risk every time you talk to some guy on Discord.

Narrator

Trail of Bits has been getting more calls lately. People in crypto suddenly interested in training around operational security, which is good. But Dan Guido says that's not enough.

Dan Guido

The effectiveness of these techniques don't really go down. There are always people out there that haven't seen and internalized this information. And, you know, case in point, the Twitter accounts that contacted me, they're still up. They're seemingly still active. They are Twitter accounts you could talk to right now. And I would bet that there have been additional victims from those same two Twitter accounts since Trailerbitz published our blog on it. So I don't see a good reason for them to stop unless somebody actually tracks down who they are and literally arrests the people behind it.

Narrator

And in the case of Elusive Comet, Dan thinks arrests may be coming. The FBI is investigating, and the hackers are believed to be based in the west, maybe even somewhere inside the United States. Because while crypto might be mostly anonymous, it isn't completely untraceable.

Dan Guido

I think the privacy protections on blockchains are notoriously porous that in a lot of cases where somebody really applies all the effort available to figure out who did what transaction, you can generally track it down. There's also all kinds of operational security mistakes that happen from an attacker perspective too. If you have a single transaction or a single interaction with some company that you're trying to hack that exposes your identity, that information usually just lives out there forever. You can't take it back. So a likelihood over the long term that these guys get caught is probably pretty high in my mind. So enjoy your stolen cryptocurrency while you can, because I don't assume that this is going to last forever.

Dena Temple-Raston

So what do we take away from Dan's experience? Maybe it's this. Security threats aren't just about code, they're about human frailties. Ego, urgency, a momentary lapse in skepticism. So install all the cybersecurity you want, but also keep your skepticism and that ego of yours in check. Click Here is a production of Recorded Future News and prx. Today's show was written and produced by Megan Dietre, Sean Powers, Erica Guida, Zach Hirsch, and Maya Fawaz. It was edited by Karen Duffin and Sarah Cavedo and fact checked by Darren Ancrum. Original music is by Ben Levingston, with additional music from Blue Dot Sessions. Our staff writer is Lucas Riley, our illustrator is Megan Gough, and our sound designers and engineers are Jake Cook and Jesse Niswonger. I'm Dena Tumble Raston, and we'll see you next week.

Recorded Future Sponsor

Support for this program comes from Recorded Future. In cybersecurity, the biggest risk isn't what can be seen, it's what gets missed. Recorded Future analyzes billions of signals to help organizations stay ahead of threats. Recorded Future Know what Matters act first

Recorded Future Cyber Daily Announcer

if you're looking for a daily guide to cybersecurity news and policy, sign up for the Cyber Daily from Recorded Future News. It serves up today's most interesting and important cyber stories from our sister publication the Record, and then aggregates all of the big cyber stories you might have missed from news outlets around the world. Just go to the Record Media and click on Cyber Daily to get all you need to know about the world of cybersecurity right in your inbox.