Dina Temple-Raston
From Recorded Future News and PRX, this is Click Here. What's the first thing you ever hacked?
Jamie O'Reilly
My uncle's dial-up computer connection. Then he started noticing the Internet bill increase greatly because I was downloading MP3s.
Dina Temple-Raston
This is Jamie O'Reilly, a cybersecurity expert based in Australia.
Jamie O'Reilly
One piece of advice that he gave me when he first introduced me to the Internet actually came back to haunt him, which was that I could ask the Internet for any possible question and get any answer that I wanted. And I went to Google and asked, how do I get my computer's dial-up password?
Dina Temple-Raston
His uncle had put a password on the computer to try to stop Jamie from using it so much.
Jamie O'Reilly
The Internet responded with a piece of software that was specialized to extract dial-up passwords from Windows computers.
Dina Temple-Raston
So you thought to yourself, this is magic.
Jamie O'Reilly
Exactly.
Dina Temple-Raston
From Recorded Future News, this is Click Here's Mic Drop, a longer listen to one of our favorite interviews of the week. I'm Dina Temple-Raston. Earlier this month we told you about an Australian law that now compels technology companies to help law enforcement by creating backdoors into their products. Privacy advocates there were crying foul. But police say that things like encrypted apps allow criminals to commit all kinds of crimes. And in fact, the bad guys were using the same encrypted apps the rest of us were, things like Signal or Telegram. But Jamie says one bad guy decided to get a little entrepreneurial and started his own app until police shut it down. We'll explain. Stay with us.
Dina Temple-Raston
I'm Dina Temple-Raston and this is Click Here's Mic Drop. When I got Jamie O'Reilly on the phone, he had to step away for a second.
Jamie O'Reilly
Sorry, just one second. It's a funny story what I'm currently doing right now. So we're, we're hacking one of the world's largest law firms legally and I've just got a message from someone who is a very high executive in the company and he thinks for the last three days that I'm a support engineer in their business. So I've just had to quickly reply to him because I'm good. I'm getting access to his device as we speak.
Dina Temple-Raston
Jamie is a white hat hacker and founder of an Australian cyber security company called Devolon. And how do I explain what Devolon is?
Jamie O'Reilly
Sure. So we are the closest thing to a cybercriminal group or a nation state bad actor that you will find. And we work with banks and governments and enterprise around the world to try and hack them before the bad guys do.
Dina Temple-Raston
Got it. So you're like a red team?
Jamie O'Reilly
Yes. I've spent my life hacking like banks and casinos and some of these like the world's hardest targets.
Dina Temple-Raston
Because of his day job, Jamie needs to keep a close eye on the cyber underworld to keep tabs on the adversaries. And about a year ago he stumbled on a website called Encryptados, which essentially was like an app store for bad guys. And as he scrolled its offerings, he saw a bunch of encrypted messaging apps he'd never seen before.
Jamie O'Reilly
This is where I first became aware of Ghost.
Dina Temple-Raston
Ghost, an app that claimed to be the secure encrypted communication service of the future. It had been around almost a decade and promised, among other things, complete anonymity. Its subscribers didn't have to provide any personal information like a phone number, as they would with Signal. Its users were encouraged to pay in cryptocurrency and in return, Ghost would provide them with three layers of encryption. In fact, the app featured a self-destruct system that could delete messages both for the sender and the recipient.
Jamie O'Reilly
This message will self destruct in five seconds.
Dina Temple-Raston
In other words, Ghost was made for criminals, allowing them to potentially commit a crime and actually get away with it.
Jamie O'Reilly
All they're doing is they're providing a service that gives criminals a working phone with a working SIM card and that's it. It's got all the encryption apps that needs to be on the app and there's no type of backend connection to the phone or remote management.
Dina Temple-Raston
Those kinds of backend connections are what law enforcement uses in their investigations.
Jamie O'Reilly
So that kind of removes that opportunity for law enforcement to attack. And that's quite concerning for the government and law enforcement because when they don't have that central server to exploit, becomes really difficult to mass collect information on the users.
Dina Temple-Raston
All this doesn't come cheap. A six month subscription to the full Ghost service typically ran about $1,500. The price included a modified smartphone and access to a tech support team. There was even a Telegram number to call for more information. So in December 2023, Jamie sent a message asking Ghost about a subscription.
Jamie O'Reilly
So I said, you know, are you a reseller or are you a main provider? And they're like, we are ghosts. And I'm like, okay. I said to them, how many people are using the app? And then they said, this is undisclosed. And then I just.
Dina Temple-Raston
The person on the other end wasn't very chatty. And eventually Jamie just gave up. What he didn't know was around the same time, intelligence agencies in half a dozen countries around the world were interested in Ghost too. They'd found that the app's servers were sitting in France and Iceland, and the app's administrator was based in Jamie's backyard in Australia. And the Aussie Federal Police were already cooking up a scheme not just to take the app down, but to infiltrate it and find out who was using it. It's 3am and AFP officers are leaving the headquarters in Sydney for a series of pre-dawn raids as part of Operation Kraken. That story when we come back.
Dina Temple-Raston
Operation Kraken began with a hack. Some 700 members of the Australian Federal Police were on the hunt for whoever it was who was running Ghost. And according to Jamie O'Reilly, breaking into the Ghost admin's phone was easier than anyone had expected. It was running on an old BlackBerry enterprise server. BlackBerry. Remember those old cell phones?
Jamie O'Reilly
And it's kind of the worst type of software criminals could use as well, because it gives direct access to all of their devices through one entry point.
Dina Temple-Raston
Direct access to everything through one entry point. So police had a toehold, but they wanted more than that. They wanted to crack into the phones of Ghost users. And to do that, detectives used an oldie, but a goodie. They piggybacked on an update. Like any self-respecting app, Ghost needed to send out periodic software updates. And police created a virus of sorts that would just hitch a ride with the next update that the admin sent out.
Jamie O'Reilly
And then from there, literally all they would need to do is, you know, upload their own backdoor application to all the phones.
Dina Temple-Raston
And just like that, Aussie detectives had access to 376 different phones that the criminals were using. And the bad guys had no idea. What the officials found on those phones was evidence. Photos of illegal weapons in one, a snapshot of piles of meth in another. There were messages about drug deals and proof-of-life photographs of hostage victims with the muzzle of a gun pressed to their heads. Operation Kraken also found out who was behind all of this. The major operation into a secret encrypted app called Ghost resulted in the arrest of JJ Yoonjong at his family's home. Police raided the home of JJ Yoonjong, where he lives with his parents in the suburb of Nawi in southwest Sydney. They found him with more than $9 million in cryptocurrency. And as the operation continued, police made more than 30 arrests and seized some 200 kilos of illegal drugs and reportedly prevented more than 50 threats to human life. And it wasn't just Australia either. The arrests were coordinated with stings in other parts of the world too. This is AFP's Deputy Commissioner, Ian McCartney.
Ian McCartney
We allege hundreds of criminals, including Italian organized crime, motorcycle gang members, Middle Eastern organized crime, and Korean organized crime, have used Ghost in Australia and overseas to import illicit drugs and order killings.
Dina Temple-Raston
The specter of Ghost loomed especially large in Ireland, where the Garda would seize 15 million euros worth of cocaine. And Jamie was watching all of this, wondering how Ghost was able to be such a, well, ghost for so long.
Jamie O'Reilly
I started to take a look under the hood and look at the infrastructure publicly. I realized, okay, this is really just a matter of like, inexperienced group of people who have just gotten lucky for this long.
Dina Temple-Raston
The app, it turns out, was riddled with vulnerabilities. Not just relying on an old BlackBerry server, but software that was easily hackable. It turns out what protected Ghost in the end wasn't some brilliant developer, but instead the fact that it was so closely held, people learned about it through word of mouth.
Jamie O'Reilly
We've seen a clear shift of criminal groups move away from these centralized, encrypted messaging services to these more fragmented, where people are literally just spinning up a business which doesn't actually exist. It's just a group of people.
Dina Temple-Raston
So that leaves law enforcement always on the hunt for what new app criminals are using. Though Jamie says that because these kinds of messaging services are put together with the digital equivalent of duct tape and baling wire, they are intrinsically flawed, which means all ghosts eventually get busted.
Jamie O'Reilly
I know, hand on heart, that there is a, I call a death clock that starts as soon as they launch, and really, it's about how long can they last before they get shut down.
Dina Temple-Raston
This is Click Here's Mic Drop.
Zach Hirsch
Today's episode was produced by Zach Hirsch, Megan Dietry, Erica Gaeda, Sean Powers, and Dina Temple-Raston. It was edited by Karen Duffin, fact-checked by Darren Ankrum, and contains original music by Ben Levingston with some other music from Blue Dot Sessions. Our staff writer is Lucas Riley and our illustrator is Megan Gough. Martin Peralta is our sound designer and engineer. Click Here is a production of Recorded Future News and PRX. Tune in on Friday for Mic Drop, which features our favorite interview of the week. We'll have a new episode of Click Here on Tuesday. We'll see you then.
Podcast: Click Here
Host: Dina Temple-Raston
Episode: Mic Drop: Tracking a Ghost
Release Date: January 31, 2025
In the Mic Drop: Tracking a Ghost episode of Click Here, host Dina Temple-Raston delves into the intricate world of cybersecurity through the lens of Jamie O'Reilly, a renowned Australian cybersecurity expert. The episode unpacks the rise and fall of the enigmatic encrypted messaging app, Ghost, and the coordinated efforts of international law enforcement to dismantle its criminal network.
The episode opens with Dina Temple-Raston introducing Jamie O’Reilly, who shares an anecdote about his early experiences with hacking:
Jamie O'Reilly [00:15]: "My uncle started noticing the Internet bill increase greatly because I was downloading MP3s."
O'Reilly, founder of Devolon, describes his company as akin to a cybercriminal group in terms of expertise but with a mission to protect:
Jamie O'Reilly [03:26]: "We are the closest thing to a cybercriminal group or a nation state bad actor that you will find. And we work with banks and governments and enterprises around the world to try and hack them before the bad guys do."
Approximately a year prior to the episode, O'Reilly discovered Ghost on a darknet app store named Encryptados. Ghost touted itself as the future of secure encrypted communication, emphasizing complete anonymity and advanced encryption features.
Jamie O'Reilly [04:17]: "This is where I first became aware of Ghost."
Dina elaborates on Ghost's unique selling points, highlighting its ability to offer three layers of encryption without requiring personal information from users, making it particularly attractive to criminals.
Ghost's appeal lay in its robust security features:
Jamie O'Reilly [04:23]: "The Internet responded with a piece of software that was specialized to extract dial up passwords from Windows computers."
These features made Ghost a preferred tool for illicit activities, ranging from drug trafficking to orchestrating violent crimes.
Recognizing the threat Ghost posed, intelligence agencies across six countries, including Australia’s Federal Police, initiated Operation Kraken. The operation aimed not only to shut down Ghost but also to infiltrate its network and identify its users. Early efforts focused on undermining Ghost’s infrastructure, which was surprisingly vulnerable due to its reliance on outdated technology.
Jamie O'Reilly [08:06]: "And it's kind of the worst type of software criminals could use as well, because it gives direct access to all of their devices through one entry point."
Operation Kraken capitalized on Ghost’s technical shortcomings. Police discovered that Ghost was running on an obsolete BlackBerry enterprise server, providing an easy target for intrusion. By deploying a malicious update masquerading as a legitimate software update, law enforcement installed a backdoor into Ghost’s system.
Dina Temple-Raston [08:06]: "So police had a toehold, but they wanted more than that. They wanted to crack into the phones of Ghost users."
This strategic move granted access to 376 devices, allowing authorities to gather critical evidence without alerting the app's administrators or its user base.
The infiltration led to significant breakthroughs. JJ Yoonjong, identified as the operator of Ghost, was arrested along with over 30 other individuals involved in various criminal activities facilitated by the app. Authorities seized $9 million in cryptocurrency, around 200 kilograms of illegal drugs, and prevented over 50 threats to human life.
Ian McCartney [10:34]: "We allege hundreds of criminals, including Italian organized crime, motorcycle gang members, Middle Eastern organized crime, and Korean organized crime, have used Ghost in Australia and overseas."
Operation Kraken's success was not confined to Australia alone; coordinated efforts resulted in international arrests and the dismantling of criminal networks utilizing Ghost.
O'Reilly reflects on Ghost’s downfall, attributing it to the app’s inherent technical flaws rather than any advanced countermeasures by its developers. The reliance on outdated technology and lack of robust security protocols made Ghost susceptible to infiltration.
Jamie O'Reilly [11:01]: "I started to take a look under the hood and look at the infrastructure publicly. I realized, okay, this is really just a matter of like, inexperienced group of people who have just gotten lucky for this long."
This event underscores a broader trend where criminal groups are moving away from centralized encrypted messaging services toward more fragmented and less secure communication methods. O'Reilly suggests that the transient nature of such apps, often held together by "digital duct tape and baling wire," ensures their eventual downfall.
Jamie O'Reilly [12:11]: "I know, hand on heart, that there is a death clock that starts as soon as they launch and really, it's about how long can they last before they get shut down."
Mic Drop: Tracking a Ghost offers a compelling narrative of how sophisticated law enforcement operations can effectively dismantle even the most ostensibly secure criminal communication platforms. Through Jamie O'Reilly's expertise and the coordinated efforts of international agencies, the episode highlights both the vulnerabilities inherent in such systems and the relentless pursuit by authorities to maintain cybersecurity and public safety.
This episode not only illuminates the dark corners of the cyber underworld but also showcases the critical role cybersecurity experts and law enforcement play in combating digital threats.