A
If your Social Security number is out there, at best you could probably just, you know, freeze all your credit, you know, credit accounts.
B
They're all out there. I have a database of every Social Security number.
A
Hector Monsegur was responsible for some of
B
the most notorious hacks ever committed.
A
Special Agent Chris Tarbell. Hackers and FBI informants participated in some of the world's most infamous hacks that caused up to $50 million in damages. A life in the shadows, cyber attacks on the rise.
B
Welcome to Hacker in the Fed. Free episode number 134 for those bastards keeping track. I'm Chris Tarbell, former FBI special agent working my entire career in cybersecurity. And I'm joined as always by my buddy, my friend, the greatest podcast co-host ever, Hector Monsegur. For those that don't know, Heck was a former black hat hacker who once faced 125 years in prison for his many years of hacking under his codename Sabu. He probably got your ass once or twice. Our stories collided in June 2011 when I arrested him and then convinced him to work with me at the FBI. Heck is now a red teamer, researcher, cybersecurity expert, and co-founder of SafeHill.
A
All right. It sounds great.
B
It does. Thank you. Even though I it up there in a little bit.
A
Yeah, we got to keep that in because it makes you feel like human.
B
Oh yeah.
A
With the audience.
B
I love the fresh open every week. There's not a lot of podcasts that do that. They, they have their canned opening and
A
all that cut and paste as Corny is burnt out. You get tired of it.
B
Yeah. Throwback to I'll do it live it, I'll do it live.
A
Oh yeah, yeah. Whatever happens to that guy.
B
Is he still around? I think so. I think he's still writing books. Once on a Bill O'Reilly.
A
Yeah, yeah, yeah, Bill O'Reilly. That's right. That's right. So that guy was a jerk.
B
Oh, I'm sorry. Without using proper nouns, do you want to tell about an old adversary finally reaching back to you?
A
You talk about that thing I showed you? Yeah, yeah, yeah. Without using proper nouns and anything like that. I, it's, I, I think it's cool to talk about.
B
I think, I think it's awesome.
A
Yeah, yeah, yeah. No, so I, I'll, I'll, I'll kind of share here. Right. So, so many moons ago, your boy Heck, this guy, you know, I was, I was advantageous and, and a bit of an adversary. Kind of a jerk too.
B
I don't think advantageous is the right word.
A
Well, selfish, if anything, you know, or maybe adventurous. I think that's the right word. Sorry, I kind of went in a different direction.
B
That's your whole sexual adventure, but that's a whole different thing.
A
Yeah, there's a different. There's a different one conversation. But, yeah, so, you know, I made this. I made some mistakes in the past, and. And unfortunately, with some victims that. That were part of that. And I'm talking about the hacking stuff, by the way, guys, nothing else. And. And so naturally, I'm a human being. I'm a human being with feelings, and I care. Right? You guys heard me before. I say I'm a humanist and I care about people, even though my past actions may have indicated not so much. But actually, yeah, I do care. And so about six years ago, I sent off an apology to one of the victims, and they finally got back to me this weekend, and I think the response was pretty good. It wasn't like, hey, let's go out for drinks and be best friends now, right? But it was like, hey, listen, you hurt me and you're an asshole, but, hey, I forgive you and I'm doing great. Thank you. And that's it. And, you know, it hit me deep in the heart, you know, I felt. I felt happy that, you know, that I could get. I could. I could reach that point of, you know, forgiveness with this person. You know, I know I put them through a lot of shit, especially during the hacking times. And. And, you know, I'm glad we reached that point now. Whether I'm going to have a relationship with that person or not at this point is irrelevant. I don't think so. But I was happy to get that message. It kind of. It kind of shifted my mood this weekend.
B
I thought it was fantastic. I thought they, you know, they. They said, hey, you hurt me, but my life is good and I've moved on. Thanks. I. And they said, I forgive you. And that's really all you're looking for. I mean, you know.
A
Oh, yeah.
B
You know, you fucked with them, they didn't fuck with you. But, you know, I thought it was good, a good closure for you.
A
Yeah, no, it was. It was a fantastic closure, man, And. And allowed me to take the rest of my time, Chris, to sit back and be even more reflective and think, you know, and it inspired me, actually, that. That message inspired me.
B
Oh, wow.
A
Because, yeah, it inspired me because it reminded me that, hey, I want to continue to continue to give back to the community and do more. And hopefully over time, I may not Level set the. The karma. Right. I mean. I mean, I level said it, but I think that I'll be able to make an impact on people's lives and, you know, at least become a better person more and more as I go forward. And I was happy with that. You know, shout out to that person.
B
Yeah, I. I doubt that person listens to our show, but if they do, you know, good on you for, you know. You know, finding. Finding the strength to. To forgive heck and what he did back in the day and, you know, not being, you know, being a nice human being to do it. So, I don't know, I just wanted. I enjoyed you sending that to me, and I enjoyed the closure of it, and I enjoyed, like, the maturity of everything on both sides.
A
Yeah, no, that was fantastic. You know what's the crazy part? So for a long time, I had a public email. It was like. I think it was like, hector, public gmail.com or whatever. Yeah, I've since lost that. I lost that access years ago. I forgot the password and whatever, but before I lost that account. And it probably has a bunch of great emails in it right now. I wish I could get into it. If anybody at Google want to reach out to me, hit me up. But. But all jokes aside, I used to receive some amazing emails in there. A lot of stuff was like, you know, anonymized. Hey, Hector, I know what you did. Thank you for helping me. And then goodbye. Right? A lot of those random emails in there. Because there's a lot of people that. That realize that even during my time when I was working with you, I was telling people, get the fuck away from me. Leave me alone. Get away from me. And they were upset. They were upset at the time because they thought I was an asshole. They thought I was just a bad person. When in reality I'm like, can you just get the hell out away from me? Cause I don't want you to get involved in this shit that I'm going through. But I can't tell you what it is, you know?
B
Yeah, I think that's one thing that people that don't have, like, a public voice don't understand. You know, you do. We do this podcast and, you know, there's a lot of people on the Internet that don't like. I mean, they don't like what we're doing. But there are so many people, so many of our listeners that reach out to us and just say, hey, thanks for what you do, guys. I'm glad you guys are doing this for us. It really is uplifting. It's uplifting to come in. You know, someone at a speech comes and just wants to shake our hands. You know, once in a while somebody wants to give you a hug because, you know, we inspired them to do something, you know, or hearing the people saying, you know, hey, I got into red teaming because the story Heck told, or I want to join the FBI because I heard your adventures in the FBI, it's really, really makes you feel good. You know, you have your loved ones at home and the people that are around you and all that, and so they don't let you get too big for your britches. But when you have a fan or something say, you know, what that we mean to them. And having never met us, I mean, they've never met us in person. It's the first time they've ever met us, or they've never met us and they just listen to us.
A
It.
B
It really does mean a lot. And not to get all mushy, but, you know, because right before we turned the mics on, I was telling Heck how much I love him. I literally can tell this guy anything. And he tells me, hey, man, that's great. That's great for you. You're. I can see you're excited about it and I love you for it. And I, you know, he doesn't judge on anything on anybody. He really does come across just like he does on the show. He literally is a humanist and just loves people for who they are. You know, I've seen this guy give his last dollar to some guy in the street because maybe that guy needs it more than him. Even though it's Heck's last dollar. So when Heck says he's a humanist, he fucking doesn't just preach it. He, he actually does it. How are things going on at SafeHill? Everything going well?
A
Yeah. No, no, SafeHill, SafeHill's fire, bro. It's, you know, as, as everybody knows now we're, we're like the investment round, the seed round specifically. So there's been like a lot of demos, a lot of meetings we got to put together, data room, all that stuff's been really cool. But on the research side, it's been even more fantastic. So I'm going to give you guys some insider here. So on the research side, one of the modules that we created for SecureIQ, and this is for some of you in here that are probably doing similar work, you're building out a SAST tool, right? A static analysis tool, source code review tool. I'm about to give you the insider, right? So one of the cool things that I wanted to build out for our harness, right, that goes around the AI model that we're using is to kind of feed that model as much knowledge as it needs to understand different vulnerability classes. And so I created a corpus. And so what I want you guys to think about is this. Imagine a scenario where you guys have to create some sort of application, a module, something. And that thing has to know. It has to have your knowledge, right? You can't rely on what the model knows because the model only knows what it knows by sleuthing and enumerating websites and archives and forums. But maybe you have a specialty that the model doesn't really know, doesn't really get. Even if it does research, it's probably not going to find the answers that you're hoping it gets. So what you do is you build out a corpus. And that corpus is essentially like a markdown file. And inside that markdown file you're gonna say, hey, this is the purpose for this file. Here's a description of this topic. Here's like all the correlations, you know, of frameworks, like security frameworks or guidelines. And then here's what a vulnerable piece of code looks like. Here's what a safe piece of code looks like. This damn camera, this Chinese intelligence agents are getting me. And then.
And so what you're doing is you're doing a knowledge transfer between you and your. Your AI harness and your. Your whole ecosystem. And so I've been building out a massive skill set, massive set of markdown files, a massive corpus full of all this different knowledge stuck in my head for the purpose of this discovering and identifying vulnerabilities. Once we have that, we're going to throw right into our platform. And the cool thing is we are planning to open source a lot of this in the future. So if you guys are hardcore developers and hackers, expect some sort of release from us within the year. It'd be fun.
B
That'd be cool. Looking forward to it. Looking forward to see what you guys put out, because you guys got some good shit.
A
Stuff.
B
Yeah, I love it. Love it. All right, let's get into the show. Heck. So a phishing email led to a breach of the US food giant Rich Foods. So a sophisticated phishing attack, I think that's an oxymoron. Do you think sophisticated phishing attack is a.
A
Is a proper term at this point, though? It's. It's. Yeah. When they say sophisticated, I think that it. What they really mean is highly targeted or targeted.
B
Yeah. So November 13th of 2025, a compromise of a single employee email account at First Advantage Corporation, which is a background screening vendor for Rich Foods Corporation attack. Yeah. The attacker accessed and downloaded the inbox contents containing sensitive data of approximately 200 Rich Food Products associates, individuals, primarily employees. The data included full names, Social Security numbers, driver's license information and it was not discovered until November 17th and notifications were finally sent out April 22nd of 2026. So again, not, not a big deal. Only 200 employees and all the information was stored in the inbox. How do you prescribe? And that's the reason I want to put this story in. How do you prescribe? People contain having emails, you know, holding, you know, old, old emails and all this information, you know, as attachments and all that stored in an inbox.
A
That's a tough one because if this company, the one that the, in this case the vendor that was compromised, if they've been doing this for a long time, even if they change their methodology, say okay guys, what we're going to do is for our customers' employee records we're probably going to store in like a secure enclave, a secure, like a box or a share file or something cool. But because of all sorts of guidelines, regulations, rules, they can't just delete all of those old emails. Chris. Yeah, right. So regardless of the change of methodology today, the adversary who's compromised that account for that vendor is still going to be able to access all the employee information going back to the beginning of that company's time. And so it's a tough one. Right? And here's what I know. After compromising so many companies as a black hat, but now also as a professional by email and OAuth and all these different mechanisms, investments, rather vectors, sorry, this is actually pretty rampant. This is why when an adversary targets a law firm, they don't, they don't care about the website. They're going for email accounts, they're going for employees. Because in those emails are PDFs, contracts, archives, links to documents. Email is detrimental to a lot of these organizations. Detrimental. Now what's even worse is it sounds like the adversary sent out a phishing campaign with a lure to a landing page which then harvested credentials. And what that tells us is that this third party vendor did not enforce MFA on their employee accounts.
B
Correct.
A
That's worse. That is worse.
B
That's a big thing. But, but you did see, so you know, again there's no public attribution or anything but I mean, thank God, I mean they did the right thing. They have offered the affected individuals. Two years of credit monitoring and identity restoration.
A
Wow, look at that.
B
I'm so sick of that. I am so over credit monitoring and identity restoration because there's. You're, you're not. What, what are you restoring? How are you restoring identity? How are you getting rid of my Social Security number? And my driver's license off the Internet.
A
No, there's nothing you could do once you're compromised. I say you're done. If your Social Security number is out there at, at best you could probably just, you know, freeze all your credit. You know, credit accounts.
B
They're all out there. I have a database of every Social Security number. Yeah, so yeah, this whole credit monitoring thing is all fucking bullshit.
A
Yeah, it's, it's, it's, it's, it's. It reminds you. What reminds me of back in the days. Even now I think if you put like an anti theft. Remember that bar people used to put in steering wheels?
B
You know, what the hell? The wheel lock, it was some sort of lock, whatever.
A
Some.
B
The club, what was it called? The club.
A
The club.
B
There you go.
A
The club.
B
Yeah.
A
Dude, that held back like a couple of thieves. Novice thieves. It didn't do anything. I mean, shit, when you could take off the steering wheel and maneuver the car with a fucking Phillips. It doesn't mean anything. The car is still gone. You know what I mean?
B
Yeah, but there's also nothing they can do about this. If you work for a company and that company uses a third party vendor, you have no say that your data's living on somebody's email account. Um, so you've done nothing wrong and yet, you know, you get fucked.
A
Yeah, well, this one thing I'll say is that both companies in question, the, the victim company and the vendor both did report to the AGs of their respective states with business. That's good, that's progress. We're getting somewhere. You know, I'm happy to see that. I'm not sure what the, the end result is going to be there, but usually when we see a story like this, it's kind of swept under the rug and it's only leaked after the fact. You know, insider, whistleblower, someone gets pissed off and releases it. Or a journalist catches wind of what happened and does a story, an exposé or a dossier of sorts. But these guys, you know, listen, they realize they messed up and you know, they try to do their thing, they try to report it.
B
I don't know who you're trying to kid. They ain't gonna do shit on this, you know that? Yeah. Heck, another Hacker in the Fed episode. Another GitHub story.
A
Oh, of course.
B
Microsoft's GitHub banned security researcher who posted zero-day Windows exploit because company quote ruined their life. Expert claims action is vindictive and promises further retaliation. So GitHub, which again is Microsoft owned, banned the account of security researcher Nightmare Eclipse around May 23rd after the researcher publicly released multiple Windows zero-day exploits and PoCs. The researcher claims the ban is retaliatory. After Microsoft allegedly ignored reports, withheld bounties and quote, ruined their life, the researcher moved the exploits to GitLab and ongoing threats of more disclosures on July 24, July 14. So we'll see what happens. This is big.
A
No, listen, I, I can tell you guys right now, so there's, there's some nuance to the story that I want to share with the audience because, and even you, Chris, I know you're not, you're not on like infosec Twitter like that, right?
B
I'm on infosec X. You're on old Twitter. I'm on X.
A
That is true. That is true. But this story, there's a lot of nuances to it and I want to try to give you guys like a rough timeline and as to why we ended up here. This is a much bigger story than not. Okay. This is not just like a one off thing that happened. This has to do with the security community, full of researchers, hackers and all that good stuff. And Microsoft, specifically with Microsoft's Microsoft Security Response Center, the MSRC. So the way it usually works is if you identify a vulnerability, whether it escalates privilege or allows you to escalate privileges or not. Maybe it could be a denial of service attack, some sort of information leak. Doesn't matter the severity. In most cases you just go to Microsoft through the MSRC, you report it and over time they might send you some swag or they'll put your name on a webpage. I don't think they pay any bounties, but the recognition is good enough for many researchers that they'll continue to support that Microsoft ecosystem by submitting bugs to them.
B
It's a good career move.
A
It could be a good career move, especially for those that want to build a career and they're really good at finding bugs, but they don't know how to, they don't want to publish those bugs and you know, cause any sort of ethical conundrums.
B
Sure.
A
So going to MSRC and getting published is like, hey, we have the CVE. So this is Microsoft. We have the CVE. It's, here's the issue. It was discovered by so and so John Doe. Yeah, that's great for your career. It goes in your resume, it goes in your GitHub, it goes on your, it's part of your repertoire now you're Microsoft supported researcher. The problem is, is that Microsoft has had a really terrible history. I'm sure you guys have paid attention over the last three, four years of Chris and I doing the show that they have a really weird issue with security researchers. Sometimes they're very open and accepting and they have some really good team members at the MSRC. Some of them I do know myself and then others are very structured. At the end of the day it is a business and you know, they do follow their strict guidelines and sometimes they're just jerks. And this is what happened here with Nightmare Eclipse. And I know he has like they have two or three other names or they go by but they try to report bugs to Microsoft. Microsoft in some cases ignored them or didn't triage properly or, or claims that the bugs that were found were false positives or. The point is they kind of messed up with this person and so they started releasing their research online for free. And what happens when you do that? It kind of creates a quiet storm of rumblings and oh, I don't know, this is a zero day. It pushes Microsoft to kind of change their, their, their strategy on fixing bugs and timelines and it forces them in a corner. Now Microsoft purchased GitHub. GitHub told us, even post purchase it was the big thing. And Microsoft told us so GitHub is going to be its own entity. It's not going to interfere with Microsoft and vice versa. But that, that became a lie because as soon as his research, yeah, as soon as the researcher started posting his research on GitHub, he got banned. But here's the crazy part, Chris.
He left the Microsoft ecosystem and went to GitLab and then GitLab also banned him. Okay, we're not talking about remote command execution vulnerabilities like EternalBlue or anything like that that would give you access of someone's computer remotely over the Internet. That's what we're talking about here. We're talking about localized local privileges escalation issues that yes, could affect you, but the, the, the, the, the barrier of entry is much larger, meaning the risk is probably slightly lower than like an RCE.
B
Sure.
A
Low enough that the research. Right. Yeah, it could have pissed off Microsoft, but it didn't have to go where it went, which is. It is a repeat of the geohot story. Chris, when you met me, you remember that I was attacking a certain company called Sony.
B
Allegedly.
A
Allegedly. Allegedly. Right. And the reason why people were attacking Sony at the time is because you had a security researcher named geohot. That was his nickname. He's actually a famous, like, AI researcher now. Okay. By the way, heads up. Update. And so Sony, the company, threatened to sue them and take them to court and do this whole thing and forward them to the FBI, because these companies tend to jump straight to the FBI once they start to have a conflict with a researcher. That's what Microsoft is doing right now. They're literally repeating history. This researcher is going to become the next geohot, in a sense.
B
Right.
A
Assuming Microsoft continues with their threats and Microsoft's public response has been nothing less than terrible. It's just. It's just not aligned with the community. If you look on Twitter or X now, security researchers are sending him or that person their security research. Chris, does that sound familiar to you?
B
It does. History repeats itself.
A
History repeats itself because now that person is getting research from the entire community for him to publish. It's crazy. Microsoft shot themselves in the foot, and they probably have time to fix it if they're, if they're smart.
B
How would they fix this? How would they rebuild? I don't think they have a good reputation in this community. So how would you fix this? This is a PR nightmare.
A
They would have to reach out to people in the community that are leaders. You have a lot of leaders in this community. They could go to Google and bring in Tavis Ormandy from Google Security. Everybody loves that guy. You got lcamtuf, right? They love Tavis. They love lcamtuf. They, they love Robert Graham. Microsoft could reach out to all these different leaders and say, look, let's talk to this guy. Let's get this researcher on board. Let's try to fix this. Or they could just reach out to him directly. You don't need to bring in all these third parties. The reason why I say bringing these third parties is because they've been there, they've gone through this. They've been doing it for 25 years. Dave Aitel, another guy, 30 years. We know something.
B
We know Microsoft. They're going to do the opposite direction. They're going to sue this kid.
A
They're going to sue him, and they're going to open up a can of worms that they were not expecting, because for every zero day that he's released, there's another 25, zero days sitting on somebody's desk. All right, so you might see a year of hell from Microsoft Security. Everybody's getting hacked. Maybe we'll see so much hacking here.
B
So AI sticker shock has hit corporate America. So widespread AI sticker shock is hitting enterprises in 2026 as aggressive AI spending delivers uncertain ROI amid ballooning costs. Major examples include one unnamed client spending $500 million in one month on Claude licenses without usage caps. And Microsoft canceling most Claude Code licenses over cost. And Uber burning through its full 2026 AI budget in four months. This is not going to go well, or it's going to go really well. I can't tell which. Which way are we leaning on this one?
A
So here's what I'll say. The $500 million spent is one or two companies. And researchers online have kind of narrowed it down to two companies because both companies had a token leadership board of sorts. And to give you guys some perspective, there are companies out there that will do like these sprints, and they'll do like a leaderboard for development. Like, hey, whoever submits the most code. Elon tried to do that. Nonsense. Remember when Elon did the email to all of the government employees, the developers, you know, send us the lines of code that you submitted this week, and then those that were like, under threshold were fired. Right. Uber and AWS. Amazon did the same thing. Not with the firing part, we don't. Well, we don't know that yet. But they had a leadership board for whoever spent the most tokens. And one of those companies right now is a 50/50 split. One of those companies spent a half a billion dollars of tokens. And where did that go to? Was straight to Anthropic mostly. Okay, here's what a lot of companies are learning, Chris. Here's the reality. I'm about to give you guys the honest truth from your boy Heck, right? This is your boy. This guy, you know, you can hang out, we hang out with every Thursday. Every Thursday morning. Right? AI is great, is fantastic. It's gonna help you with automation and scalability. It's not a replacement for humans. It might replace some jobs, but it's not an ultimate replacement. And so when you're relying heavily on something that is per token pricing and you're not in control of what that pricing looks like, you're not getting bulk pricing, then this is going to be a repeat over and over. Next time, by this time next year, Chris, I'll make the prediction there's going to be a company that spent a billion dollars in tokens.
B
Well, they're already projecting 2.59 trillion for this year. This year? That's, that's insane. And that, I mean, that's exactly why we're seeing these data centers taken over every community around here.
A
But that's what pisses me the fuck off.
B
Start the rant.
A
The rant. I've heard for years that these industries, the various industries, financial, healthcare, this, that and the other. Oh, we don't have the budget to hire Americans. This is why we have to go to India and find those same caliber employees for a quarter of the price. It's fucking corporate greed. Because if they're able to spend $2 trillion on magic tokens, right, for something to produce the same thing, a human can maybe, you know, in a short amount of time, for sure. I love AI. Don't get me wrong. They could have hired Americans locally to do a lot of these jobs. It's laziness and it's greed and it's showing. It's showing. I want you all to pay attention. When you look at Amazon, you look at Uber, you look at all these companies. Uber's a great example. I love Uber. I use Uber all the time. If you're, you're, if you're Uber engineer or whatever, shout out to you, I use Uber. But you have probably millions of drivers around the world that don't get any sort of benefits and they're driving and delivering for you all fucking day. You could afford to hire these people, but you don't. And instead you're going to burn a half a billion dollars in tokens. That's a half a billion dollars you could use to hire X amount of employees across major cities or small cities, rural cities, here in the United States. You don't do it. And that shit shows. Now we're getting, now we're getting to see that. And when you see tech companies, Chris, that are doing 10,000, 20,000, 30,000 people, layoffs, and they're saying, well, you know, now we have AI. AI could probably replace these people. No, it can't. It might be able to replace a number of those people. It might be able to replace or phase out some of those job titles. But without humans, you can't really function as a society. I am not sold on this technocratic bullshit. This is why Peter Thiel was fleeing to Argentina. These people are realizing that the shit that they sold you is not. And it doesn't look like it.
It doesn't smell like the, you know, what it is you think it is or what they sold you. I Know, I became repetitive there. I'm sorry, this is very anti human what we're seeing here and it's anti worker and I don't like that. Chris, maybe I'm taking it wrong. Chris, am I wrong here? Correct me, bro, please.
B
No, I mean, I see your point of view, but I mean, as someone who uses AI on a daily basis, like I, I don't go a day without using AI to somehow assist me in my life and doing something and completing projects, building businesses or, or whatever I'm using it for today. Today. I don't want to go back to not having it.
A
Sure, I got you.
B
So why, why are you prescribing that businesses should try to live without it?
A
I'm not saying that business, business shits. My bad. I'm not saying that businesses should, you know, remove AI or not use AI. I would recommend people leverage AI, especially if you know how it works, because you can optimize, right? Optimize your usage, build out your own harness. Actually learn how to do some prompts not wasting tokens by asking ineffective questions. You ever read, you ever want to read the book or watch the movie the Hitchhiker's Guide to the Galaxy? Now this is a classic film. Don't screw with me, Chris. It's a classic. I would recommend you read the book when you get bored and then watch the movie because it's kind of fun.
B
This is the third time I've said this today. They've written books, books about me that I haven't read. I don't, I don't read.
A
Well, there's, there's a very important scene in the film at least where you have this society and they find this massive super AI computer, right?
B
Yeah.
A
And you have these two little kids and they're like representatives of that society and they ask a question. The question is like, what's the meaning of life? Everything in the universe, isn't it?
B
42.
A
Exactly right. The computer says, Ah, come back in 2 million years. I have an answer for you. They come back, 2 million years of civilization hoping and praying for that answer when they come back. Well, the answer is 42. You know, the point is, if you ask ineffective questions, you're burning tokens, you're wasting money. Some of that money you could be using towards your workers. You know, it's greed. It's constant fucking greed. I understand that. United States, it follows a free market. I'm with that. I'm a capitalist. I get that. Right. But there's also human aspect that's being forgotten. And this story that you're we're talking about right now Chris, highlights that they're willing to burn $2 trillion on tokens and not give back to the humans actually doing the heavy work. That's all.
B
So Heck, Google's security engineer was arrested in a multimillion-dollar Polymarket trading scheme. So Google staff information security engineer, I'll say. Michael Spinago. Michelle Spagulo, 36, Italian citizen based in Zurich, allegedly used confidential internal Google Year in Search 2025 data to place bets on over $1.2 million between October and December of 2025 and is charged with commodities fraud, wire fraud and money laundering and was arrested in end of May. Used the username Alpha Raccoon on the crypto-based offshore platform. So the Commodities Future Trade Commission filed a parallel civil complaint for insider trading and Polymarket has referred the suspicious activity to authorities after Blockchain's transactions has flagged it. So more Polymarket people using inside information. We had military personnel getting arrested for this and now we have Google security engineers using inside Google information. I don't see how we're going to stop this because on Polymarket you can literally bet on anything and being that there's anything, somebody will have access to that data.
A
Well, it's human nature, bro. It's human nature that if you see an opportunity and the risk is, you know, 50/50, you're going to jump on that. It happens a lot. It's like this, this like human psychology 101, right? So when Polymarket and Kalshi and all these different prediction markets came into play, we kind of expected this to happen. You and I talked about this from the beginning. You know, then we've been talking about it for the last year and a half or whatever. It's been a couple years now. So we knew this was happening. You know what's the one thing that pisses me off about this?
B
What's that?
A
It's always the low guys. The guys low on the totem pole. It's always the US Special Forces guy, it's always that one random engineer. But there's nothing in terms of what about the, the oil shortages. I see the c, the CFTC is involved here, you know they're, you know, I'm not seeing any stories about any of those big oil shorts that happens over the last, you know, six months. And so, you know, it's, it's interesting that we're seeing some sort of, we're seeing investigations, we're seeing Polymarket kind of like tracking potential insider threats or insider traders. Right. I consider that to be insider threats, by the way, Chris, because if you are an adversary, let's say you're, you're, you're an intelligence officer in China and your goal is to identify patterns in US politics or something, right. All you have to do is go to Polymarket, look at anything that kind of aligns with what it is that you're, you're tracking, right? Follow those trades, and the moment you see a bump, a $3 million bet against one thing happening, more than likely is an insider.
B
Sure.
A
Right. And more than likely that thing is going to happen. And then you go back to your, to your leadership, say, hey, I think based off of this prediction market history, that this thing that we're tracking might actually happen by tomorrow.
B
Right.
A
So these people trying to make a quick buck don't realize they're actually insider threats at the same time, aside from doing insider trading. So yeah, I'm, I'm totally against this. But how do you stop it? That's your question? I don't have an answer for that.
B
I mean, I think this sort of whack a mole approach is about all they've got. It's the best thing they can, they can do.
A
That's the only thing they could do
B
for now until some regulators come in and that's what they're going to do. They're going to end up shutting down these predictive markets.
A
Well, especially once the Dems get into power. They're big on that, right. So they might look at ways to regulate. There might be like a KYC thing that's going to be enforced because right now you could sign up for Polymarket like today with a VPN and a little crypto in a BS wallet and you could do all the trades you want. Nobody's asking you for your identity. Nobody cares. You know, so maybe KYC is going to be the answer to that. But even then, once Polymarket is KYC and Kalshi, you know, these bigger prediction markets is one of Coinbase too, by the way. If you didn't know, then it's going to go underground and it's going to be the same shit. And that's even worse. Wonder why it's worse because once it's more underground and people are doing like, you know, over the counter trades, you know, over a chain like, you know, Monero or something. How are you gonna track those people? So it's probably in the best interest of the United States government right now to just keep things the way they are, you know, I don't know. No, I agree.
B
I don't think they're gonna be able to stop this thing as it changes. So. So a Canadian man was arrested by international authorities and charged with administering Kimwolf's DDoS botnet. So Canadian national Jacob Butler of 23 of Ottawa was charged with developing and operating the Kimwolf IoT DDoS-for-hire botnet which had infected over 1 million devices worldwide, enabling a record DDoS attacks up to nearly 30 terabits and over 25,000 attack commands, part of a larger March 2026 disruption of Kimwolf and related botnets. He was arrested in Ottawa on May 20 and U.S. complaint unsealed on May 21. So Butler remains in Canadian custody pending the extradition to the US and he faces one count of aiding and abetting computer intrusions up to 10 years. The arrest followed the March 26th international operation that seized C2 infrastructure and disrupted 45 over 45,000 DOS for hire platform. I really can't believe in today's day and age DDoS for hire is still a thing. But I guess it is.
A
Yeah, I guess it is. And you know, it's mostly geared towards like gaming and kids. Yeah, that's how ridiculous it is. And these guys are doing these massive networks. They're. And you know, they're, they're putting in all this effort. They're risking their lives, doing 10 years in prison, destroying their potential careers so they could boot some kid off of, you know, Roblox or something.
B
Yeah. For those that don't know what DDoS is, it's distributed denial service attack. So what it does is it takes a bunch of infected computers and it points the traffic at your computer so essentially drowns your computer in information and either kills the computer or at least blocks the connection to it. So they, they, like you said, kicks your, your unit off of gaming. They used to be big in the shoe game. People buying high end shoes and so they, they'd kick other people off right before an auction closed. Yeah, but now the shoe game is, is out.
A
Yeah. No, that shoe game died, bro. Have you seen these? These resellers and scalpers are crying on YouTube because they can't sell their forty thousand dollar investment of sneakers and nobody wants.
B
Yeah, it is, it is dead. So. And it died quick. I don't know. I don't even. I saw that it was dead. I have no idea why. What killed it?
A
Well, people realize why the hell am I going to pay $2,000 for a pair of sneakers that I'm never going to wear? Because it's like a commodity now when I could spend my money on my family or go, go. You know, go on a vacation. It's just ridiculous. It's kind of like how, like, you know, there was a point where the troll dolls were worth a lot of money or the beanie babies, you know?
B
Yeah.
A
These are all bubbles. Just like sports cards. I'm. I'm. You know me, I've been into sports cards for a long time. I have some really cool dope cards. They're probably worth a few bucks, but I know it's a bubble. Eventually, it's gonna crash. There's no way a card that I paid 20 for that now is worth a thousand, is gonna stay a thousand for much longer than. Than it's been. Eventually, everything crashes. It's just. This is what it is. Yeah, but going back to this kid, 23, living in the beautiful city of Ottawa, shout out to all my Canucks out there. There, you know, could have. Could have had a beautiful life. Could have used his skills to get into networking, being like a network engineer, running a strong business, being like a. A CTO of sorts, and. And making himself a half million dollars a year for the rest of his life until he retires. Could have bought himself a nice house or two and had a beautiful family and all that good stuff. And instead, he's online, terminally online, building a service for a bunch of nerds and antisocials that, you know, they just want to attack each other for what? You know, it's just, I. I feel for that person. This. You know me, I'm big on second chances. I hope this person changes their life and, and, you know, let's see what happens if he gets extradited. He's not. I. I hope that's enough to change his life. You know, he just kind of moves on from this because, man, that's just ridiculous.
B
Yeah. For those listening and want to know how you can protect yourself against these things again, these guys went after Internet of things, weaknesses, you know, exposed web cameras, digital photo frames, routers. Update your freaking home routers. Just reset them every 30 days. At least do something to protect yourself, guys. I mean, I don't know how many times we got to tell people this. It is getting out of control.
A
I know we talked about this before, but there was a point when Internet spam was all the rage.
B
Sure.
A
Remember that? You open up the inbox, there's a bunch of spam in there. And it turned out to be. It was a bunch of different groups of people, and there was a lot. There was a lot of like, conspiracies and organizations. Some of it was even supported by like actual companies. And the FBI did a really good job shout out to you and your team and the teams before you and after you, because you guys put in that effort, you put in that work to shut down a lot of those spam groups and crews and organizations. I don't think you guys get enough credit for that. But one of the things that that ISPs, especially Tier 1 ISPs around the country did was they said, you know what, this may not be the best solution, but we're gonna automatically filter out SMTP traffic.
B
Sure.
A
Yeah, right. Now, it wasn't the solution, but it helped curtail a ton of spam until the guy, you know, these groups figured out how to circumvent it and before they got raided by the FBI. It might be a point where the ISPs have to do the same thing with these freaking IoT devices because people clearly are not getting the hints that, hey, you should at least update and or reboot your devices once in a blue moon because you guys are all part of a botnet. You're all contributing to these attacks against the country and your fellow citizens. Something's got to happen. I don't know what that is yet,
B
guys. Reach out to us@questionshackeringthefed.com we'd love hearing from you, love hearing from the people. Support us on Patreon. Hacker and the Fed is going to stay commercial free on the free show for as long as we can. Reach out to Safe Hill if you need any help with penetration testing, any services that they can help you out, just reach out on their website and Heck will hurt. Will help you do whatever you need. Just got an order out of Nebraska off hacker in the fed.com while we were recording the show. Shout out to my man. Let me, let me give him a shout out. Let's see, let's see. I got his name right here. Ordered while we were talking, Brandon. Thank you, Brandon, for supporting Hacker in the Fed. Five star reviews wherever you download. Subscribe to Hacker in the Fed. Share us on social media. Tell your co workers, tell your friends, tell your girlfriends. Don't tell your wife about your girlfriends, but tell your girlfriend, hey, listen to Hacker and the Fed. We got a couple, a couple guys talking about cyber. Maybe they'll give you something and it'll be good. So friend, enjoy your graduation tomorrow. Hey, you have yourself a good day and love your family because family and friends is all that really matters in this world.
A
That's right. You may not have everything, but you do. You know, when you have your family, you have the loved ones around you. And for those of you that don't have families, you got us here. You got. You can make friends. You got friends out there, and you're part of a beautiful, you know, group of people. The human. The human race. It's a lot of great people out there, man.
B
Just.
A
Just reach out. We're here. Send me an email if you want.
B
He'll talk to you.
A
I'll talk to you.
B
All right, friend. Love and respect. Cheers.
A
Cheers, brother.
Episode: A Single Email Took Down a Major Food Supplier
Hosts: Chris Tarbell & Hector Monsegur (Sabu)
Date: June 4, 2026
In this episode, Chris Tarbell (former FBI cyber agent) and Hector Monsegur (ex-LulzSec hacker, now cybersecurity expert) deliver insights on the latest cybersecurity threats, incidents, and industry trends. Centered on the recent phishing breach at a US food supplier and expanding to zero-day disclosure controversies, AI spending, insider trading on prediction markets, and the enduring threat of DDoS-for-hire botnets, the hosts combine technical detail, informed opinion, and personal anecdotes. The tone is candid, occasionally profane, but always focused on the real-world impact of cybersecurity.
(00:53–07:33)
“Hey, listen, you hurt me and you’re an asshole, but, hey, I forgive you and I’m doing great. Thank you.” (Hector, 03:28)
(08:14–11:00)
“The cool thing is we are planning to open source a lot of this in the future… Expect some sort of release from us within the year.” (Hector, 10:43)
(11:00–16:37)
"Email is detrimental to a lot of these organizations. Detrimental." (Hector, 13:07)
“I'm so sick of that. I am so over credit monitoring and identity restoration because you’re not… How are you restoring identity? …credit monitoring thing is all fucking bullshit.” (Chris, 14:28)
(16:47–24:20)
"Microsoft is literally repeating history... This research is going to become the next GeoHot, in a sense." (Hector, 22:51)
“We know Microsoft. They’re going to do the opposite direction. They’re going to sue this kid.” (Chris, 24:16)
(24:43–32:23)
“It’s fucking corporate greed… They could have hired Americans locally to do a lot of these jobs.” (Hector, 27:38)
(32:23–37:20)
“It’s human nature…if you see an opportunity and the risk is 50/50, you’re going to jump on that. It happens a lot.” (Hector, 33:51)
(37:20–43:23)
“Could have had a beautiful life… Instead, he’s online, terminally online, building a service for a bunch of nerds and antisocials…” (Hector, 40:08)
“Update your freaking home routers. Just reset them every 30 days. At least do something to protect yourself, guys.” (Chris, 41:28)
“It really does mean a lot…when you have a fan or something say, you know, what that we mean to them. And having never met us…” (Chris, 07:33)
“Once you’re compromised…I say you’re done. If your Social Security number is out there, at best you could probably just freeze all your credit…” (Hector, 14:42)
“[Microsoft] has a really terrible history…Sometimes they’re very open and accepting…then others are very structured…sometimes they're just jerks.” (Hector, 19:13)
“I'm not sold on this technocratic bullshit…without humans, you can't really function as a society. This is very anti-human what we're seeing.” (Hector, 29:41)
“How do you stop [insider trading on prediction markets]? … that sort of whack a mole approach is about all they've got.” (Chris, 36:07)
“I’m big on second chances…Hope this person changes their life…because, man, that’s just ridiculous.” (Hector, 41:14)
Chris and Hector deliver an episode rich with technical breakdowns, ethical debates, and plainspoken warnings for both organizations and end users. Their perspectives—shaped by time on opposite sides of the law—offer practical advice, industry context, and real empathy for victims, workers, and even misguided perpetrators. This episode is a must-listen for anyone seeking up-to-date, unvarnished perspectives on today’s most urgent cybersecurity challenges.