A
The show is so thick, we are going to do the free show and then whatever the stories that are left over, we're going down on the Patreon. We're definitely this week on the Patreon going to hit up the Palantir manifesto. Hector's very passionate about it. I can't wait to hear what he has to say about the whole thing. Hector Monsegur was responsible for some of the most notorious hacks ever committed.
B
Special Agent Chris Tarbell. Hackers and FBI informants participated in some
A
of the world's most infamous hacks.
B
Caused up to $50 million in damages. A life in the shadows, cyber attacks on the rise.
A
Welcome to Hacker in the Fed. Free Episode number 129. I'm Chris Tarbell, former FBI special agent working my entire career in cyber security. And I'm joined as always by my friend and podcast co-host, Hector Monsegur. Hi, Heck.
B
Hey.
A
Hector is a former black hat hacker who once faced 125 years of prison for his many years of hacking our computer systems under the codename Sabu. Our stories collided in June of 2011 when I arrested Heck and then convinced him to work with me at the FBI. Hector is now a red teamer, researcher, cybersecurity expert, my bestie and co-founder of SafeHill.
B
Hey, what's up brother? How you doing over there?
A
Good. I've missed you. And now your voice sounds good. You were banged up there for a while and now you sound beautiful coming on the mic loud.
B
Hey, listen, I come on the mic many times.
A
Oh my God. Do you. Does it smell like bleach? Well, you've muted yourself now.
B
Oh, there we go, there we go.
A
No, I'm sure you made some strange comment about bleach.
B
Bleach? Yeah, I said, well, that's very specific, bro. You speak from experience. But I'm good, I'm chilling, bro. Yeah, I was banged up for a minute. My voice is still a little raspy. But I think we'll, you know, we're gonna be all right. We're chilling.
A
Can I tell you a quick come story now that we've brought it up, bro?
B
This is the free story, it's not the Patreon.
A
I know, I know, I know, but it's, it's FBI related, so people will love it. So FBI and jism all in the same story. So the way the FBI Academy is set up is there's a little courtyard in the middle that you kind of walk through. Imagine kind of like the Pentagon, a little bit, not so structural but there's a courtyard you walk through and everybody walks through. And you, you stick with your class. Everyone goes to the class at the same time and all that. It does things. So we go from the gym over to firearms and all that. We have meals, we go to breakfast all together. We go to lunch together, we go to dinner together. And you have to go through this courtyard to get there. You don't have to, but it's the fastest way. That's what we all do it because it's raining. And so we're doing this. And there's this one day we're going through there and things are starting to bloom. So we got, I got to the academy. My class started on March 15th. So about a month or so in, you know, April 15th and all that, things are starting to bloom. It's a nice spring day and all that. And there's this white plant and I don't know what the fudge it is. Someone told me what it is. But when it blooms, it smells just like rancid.
B
Come, man, what the hell, bro?
A
There's a plant out there. Trust me, it smells like, like, like lots of it. It smells like a freaking bukkake.
B
So how do I find it? How do I find that? Do I like go on Google and type in FBI rancid? Oh my God.
A
No, no, it's, it's a common plant. It's not just FBI, but that plant happens to be in the courtyard. I found it so interesting to sit in the courtyard at that time and watch people walk by. And they, you'd see them, they kind of pick, pick the head up and
B
be like, what the fuck?
A
And then they'd recognize the smell. Oh yeah. And then the look on their face
B
is like, what is that?
A
Why is that here?
B
They, they call that the J. Edgar Hoover special. You know that it's on purpose Maybe.
A
I don't know, but I, I like. And then once you like, you see their face and they like know what that smell is. It's, it's. Then everyone's in on the gag. And then everyone stays there and watches the next group come and, well, not come, but watch them walk through.
B
Yeah, yeah, yeah. Wow, bro. That's so insane. I got. Now, now I'm curious. I have to go there and visit.
A
You're not allowed in. You. I couldn't get in.
B
I was about to ask like. So is that like, is it like multi layered security? No, no public folks can go, no civilians type of thing.
A
So in order to get to this location that I'm talking about, you'd have to go get past a marine guard post on Quantico, then get past the FBI police at the front gate, and then get past the FBI badge security system, and then get past another live FBI person, and then you may be able to find it if you get there. But that. That's what. In order to get to this. Or you could parachute in, but you'd be arrested.
B
Yeah. That is so crazy. So tell me about the. The FBI police. Are they. So they're FBI agents who.
A
No, they're not agents. It's a whole different force. They're. They're more. I would say they're more security, but they're police. I mean, they have arrest powers and all that.
B
So for like the military, they're like MPs in a way.
A
The MPs are there to police the military personnel. I would say the FBI police is there to protect the FBI.
B
Oh, okay. It's a different mission.
A
Yeah. I mean, they'll make arrests around the building if someone does anything. They're sworn law enforcement, but not so much to. They're not there to like, arrest FBI agents for doing stupid shit.
B
That is so bugged out. So how does one join that force?
A
You just apply. I mean, there's a. There's a thing I. There was some people. That's how they start. They get their foot in the door. I knew a guy who started off as FBI police and then became an FBI agent.
B
Wow, look at that, bro. That's so crazy. Yeah. The things that you learn. Like, I love life because every day you're learning something new. It's a random ass fact, but I find it fascinating.
A
Yeah, yeah. It's a whole different thing. I mean, so. Oh, it's the Callery pear tree, also known as the Bradford pear or ornamental pear. This plant most commonly associated with the smelling like human semen. It's a popular flowering tree planted in many cities and suburbs for its white blossom. I knew it was white and fall colors, but in spring, flowers have a. A very known scent.
B
It says so, bro, can you. Can you send me the name of that on Signal so I could check it out later? I gotta. I. I'm not gonna have to buy a plant or something.
A
You want your house to smell like this?
B
Why not? If you have guests coming over, you're like, hey, look, check this out.
A
You know, why don't you just buy a cactus and jerk off on it?
B
Nah, bro, that's. Listen, those cactus.
A
Man, the free show is getting randy today.
B
Yeah, I think this Is. I think it's a Patreon show. There's no way it's a free show, bro. This is, I think, I think there's an identity crisis right now, bro.
A
I mean, not to mix up our messaging here or anything. How are things over at SafeHill?
B
SafeHill is good. SafeHill is good. I want to share something really fun. I'll make it really short. So at SafeHill, we have, we have a broad team with broad experience. They're all doing different things and they're all researching different things.
A
A broad team, which I love. That sounds like a bunch of women.
B
It's quite broad in nature, but we do have some wonderful ladies. They're awesome. But the cool thing is, is that when you have so many different people from different backgrounds, different experiences, you know, sometimes we have these like, these discourse sessions, right? These conversations where it's like, you know, let's go through terminology, let's go through jargon. It's an internal conversation. But, you know, maybe one day we'll do like a public thing, make like a funded webinar, you know, or maybe on one of our shows we'll do something like this.
A
Oh, essentially. That sounds great.
B
Yeah. And so one of the topics was. So for the non technical people in the team, it was how can we translate AI to people that are non technical? They're not even non cyber, right? They might be in marketing, they might be in something else. So I came up with something as you know, Chris, you know, my family and I were big into cars at one point, and we still are. We just got a really cool car project here, I got to show you. But one of the things that, you know, we. That I wanted to kind of help with regards to translation is let's look at a car. You know, let's look at. In fact, let me send you a screenshot of what I built. The team as I was talking. I'm gonna send it to you on Signal, maybe we'll share with the team, with the listeners.
A
Why don't you dox us and let everyone know that we use Signal, bro?
B
What else are we gonna use? Telegram. The fuck? Fuck Telegram. So check that, check that picture I just sent you, right?
A
Wow.
B
Now I want to break it down for you, right? So what that is is a schematic, a blueprint of a Toyota Supra. I love the Toyota Supra, especially the 1990s model. It came with a 2JZ motor. Now here's the thing. If you're looking at AI and we're trying to translate to non technical people. Let's start to visualize it in a way that makes sense for people that, you know, may understand or grasp other concepts. Like a car, for example. So with Secure iq, what we built and how we're leveraging AI, you have different layers, right? You have like the model, you have the layer one, you have the harness which goes above the model. You know, we're, you know, leveraging it for inference and, and prompt assemblies and context management. Then you have the Orchestrator. That's layer three. And if you can, if you look at the pictures I sent you, Chris, you can see how it's all layered out. And so you have the Orchestrator, the thing that decides what to do and when to do it and which model to call. And so I used the Toyota Supra Mark 4 as the analogy. Right? The engine is your model, the car that's your harness. Right? That includes the chassis, the ECU, the transmission, the fuel system, the driver, the decision maker, the dispatcher, the route planner. That's your Orchestrator. Okay. And that's generally speaking. Okay. And that's, that's what I did this weekend, by the way. I was sitting here like a total jerk, Chris. Looking at Supra blueprints.
A
Dude, whenever you're sitting someplace, you're sitting like a jerk. But that's all right.
B
Yeah. And so that, that's what I came up with. Hopefully we could share that. Maybe you could post that on LinkedIn, I think.
A
Can, can I put this out with the episode when I, when I. Is this public information? Can I put this in the, the weekly post?
B
Yeah, you know what, let me confirm, make sure. I think, I think we have like internal names in there. But if it's, if it's good, then I'll let you know. Yeah, just post it because it's actually really good.
A
Yeah, I think people would love to see this.
B
Oh, yeah, yeah. And maybe if I got to modify, maybe take internal names out, I'll do that.
A
We just blur it. We can blur it.
B
Yeah, but it's great conceptually, right? Because look, the problem, Chris, you know this, the problem with cybersecurity is that it is hard to visualize for people that are non technical. Sometimes people just don't get it. Right. So there's, there's an organization called VizSec who have spent years creating conferences. They, they've had several conferences where they were like, hey, can we use visualizations in cybersecurity so that folks just get it? Which led to, you know, the great folks, I forgot the guys that created it. I'm having a brain fart. But they created BloodHound, you know, and BloodHound is what? Using graph theory to visualize connections between objects in the Active Directory domain environment. That right there, the visualization aspect is fantastic. So I'm sorry for the nerd session, but that was a good one. It's fun.
A
Yeah, no, that's really good. It looks nice.
B
Yeah.
A
Is the, Is the Supra engine really center mounted like that?
B
Yes.
A
Really?
B
Absolutely. Well, not, not completely. Obviously it's not. It's not underneath the driver's seat.
A
Not under the driver's seat. It's. But it's like underneath like the windshield. Like it's that far back in the car. In the. Centered in the car.
B
It's a big. It's a big motor.
A
Oh, wow.
B
The 2JZ is massive.
A
Yeah.
B
Yeah, it's a beautiful engine. It's probably one of the most. If you were. If you were to look at human engineering, some people say, well, listen, the B2 stealth bomber or even like the Warthog, right? That's a. It's basically going with wings, right? Yeah. Beautiful engineering. The Supra 2JZ motor, the GT. It's like, you're like, did you was actually create this or aliens created this? You know what I mean? Yeah.
A
There's a lot of theories going around about that.
B
Oh, well.
A
A lot of scientists going up missing. We never. We don't know what's going on.
B
You know what's crazy about that? It's not only American scientists. That's the crazy part. There's been scientists in Germany, scientists in like Russia disappearing.
A
Really?
B
There's even scientists. Scientists in China disappeared. And so now the question is, why isn't anybody taking this serious? Is this a conspiracy theory or coincidence? But why is this a thing? And where are they being disappeared to?
A
I don't know. It's crazy. Anyways, guys, a little bit different on this week's show. We are going to do the free show first. Um, you should have heard us talking about what we talked about before this show. That doesn't even make the Patreon. Um, who knew that my boy liked smelling his own farts so much? But c'est la vie.
B
That's what.
A
Oh, come on. We. We both did. We both did. I. I'll put it myself. But doing the Patreon, the show is so thick. We are going to do the free show and then whatever the stories that are left over, we're going down the. On the Patreon. We're definitely this week on the Patreon gonna hit up the Palantir manifesto. Hector's very passionate about it. I can't wait to hear what he has to say about the whole thing. So support us over on the Patreon, guys. That's how we keep the free show free. Keeping the shit off. Commercials got hit up a couple times this week about putting commercials on the free show again. And every time we tell him, go pound sand. We call it the free show for a reason, because the cheap bastards that won't come and help us out on the Patreon.
B
Yeah, and the whole ad thing, man, I don't think the audience really understands. They don't. I don't think they really know like, the numbers or, or like, because, you know, Chris, when you and I blew up the podcast, like, really threw it out there. We were like, top 2% in, like all cybersecurity podcasts at one point. Yeah, obviously not right now, but when we first started. Yeah, we was up there.
A
We're still pretty high now. We're still. We're still right up there.
B
Yeah, but. But even then, right? So like, even back then we were high up there, like, you know, top, you know, whatever percent. And then you would get like these ad, you know, reach outs and it was just so ridiculous. The. The readouts that they wanted versus the price they wanted to actually pay for the. For the ads. I'm like, bro, what the hell's the point of this? We could just pay. We'll fund it ourselves or some shit. I don't know. We'll figure it out.
A
Yeah, no, we'll do special content like the Patreon and the merch site. Hit up the merch site, guys. Hacker in the fed dot com. Buy your hacker the Fed merch. Keep the free show free.
B
That's right.
A
All right, brother, you ready to get into this?
B
Yes. Let's hack the planet, bro. Let's do it.
A
US soldier involved in Maduro raid charged with betting on the operation. U.S. Special Forces soldier Kenyon Ken Van Dyke, who participated in planning and executing the January 2026 US military raid that captured Venezuelan President Nicolás Maduro, allegedly used classified details to place approximately 13 bets totaling $33,034 on Polymarket from late December 2025 through January 26 of 26, profiting over $409,000. He's been charged with unlawful use of confidential government information for personal gain, theft of non public government information, commodities fraud, wire fraud, and all unlawful monetary transactions. We've been talking about this for a few weeks. What's going on with these Polymarkets? Heck, this is a big thing now. We talked about foreign soldiers being arrested. Now we got a US soldier who was part of this very brave takedown that probably is going to be a movie, probably going to be this and that. Being charged criminally, including wire fraud. Wire fraud can carry 20 years with it.
B
Yeah, well, you know, you and I, we talk about these, these insider trades. I'm not happy with it. You're not happy with it. I know that for a fact. We are not for this shit. We are also for accountability. So when I first read the story, I was like, okay, great, there's accountability. But then I sat there and I thought a little bit deeper into it. I'm not happy with this. I'm not happy with this at all.
A
Tell me why.
B
I'm going to tell you why. I'm going to keep you very honest with you. And that is that this man, this soldier, U.S. special Forces. Yeah, he fucked up. Yeah, he made a mistake. Yeah. He just blended the ethical lines and he made a terrible blunder and he has to deal with some sort of consequences. 1,000%. But how much was his bets again? How much money did he make off of this?
A
400. Profiting over $409,000 with making bets at $33,000 in total.
B
Right. So his bets were 33,000, but the results were 400,000. A lot of money.
A
We're talking like 14 15x.
B
Yeah, 14 15x. Cool. What about all of the insiders that shorted and have been shorting oil and longing oil every time. Five to ten minutes before Donald Trump gets on television, and every single time, they're shorting oil or longing oil, depending on what he says. In the millions. Not a $33,000 bet, not a 44,000 result. In the millions. Google that shit, Chris. You're going to see there's multiple insiders making multimillion dollar oil trades right before every goddamn press conference. And for me, it's like, okay, accountability, good. But what's good for the goose is good for the gander. There's got to be consequences across the board. You can't just single out this one soldier and say, hey, we're doing a good job, but you're ignoring.
A
I mean, somebody has to be first. Maybe this is the first one.
B
Well, I don't know about that. We'll see. We're going to have to sit down and see. We're going to have to see where our thumbs are. Asses and wait to see if there's going to be more arrests. And I have a feeling it's not going to be.
A
We don't have to have our thumbs in the asses. We choose to do that.
B
Well, we could do each other's. I'll put my thumb over there. You put your thumb over here. No, but I hope you understand what I'm saying. I'm not being an asshole here, I think, but there's other insiders that have made millions of dollars in bets and they're. I'm not hearing anything, bro.
A
Yeah.
B
And I'm not sure if I, if I'm. If I'm too convinced that this was a good thing. Accountability is great. I don't know. What do you feel about this? What are your thoughts?
A
I guess I never thought of at that angle that it's not getting enough people yet, but I always thought somebody had to go first. I mean, I think this is good that this unregulated market, you know, um, you know, I never understood how low SEC didn't do this. I mean, I guess you didn't have access to it. You could, you know, short sell certain stocks before you made public that a hack happened. But I mean, the SEC would get you, then they'd find you and track you down. This is, you know, this is basically legalizing that. Or not, you know, or anonymizing it more. Yeah, but, you know, so because he profited these, someone lost that $409,000. Sure. I mean, there are victims.
B
Yeah, no, absolutely. That's what I'm saying. Like, I am not. I'm upset in a different way. I'm not upset that he got caught. Right. I don't want to give him a free pass. Obviously, I've made mistakes. I had to deal with those consequences. He made a mistake, he has to deal with the consequences. But you know what I found interesting, Chris, is that I'm not the only one. In fact, a lot of people that don't look like me agreed or said dissimilar on Twitter. There was a lot of MAGA people with, with little flags. US Flags were like, the soldier gets arrested. What about these multimillion dollar oil shorts? Who's getting arrested for those? So this is now this is a bipartisan feeling, like there's something off here.
A
Who are you alleging is letting this go, letting the oil shorters go? I don't think. I just don't think I'm following that aspect of your conspiracy theory.
B
Well, it's that, you know, here's the thing, right, it is a conspiracy theory, right? Now, we do know a couple things though. We do know that the shorts have been happening. We do know that the longs have been happening. Every time there's good news, right, Oil is longs, or rather shorted. Every time there's bad news, right, On a press conference, oil is longed right before it happens. So we, we know that's happening. The thing is, we don't know who's doing those trades.
A
How close is it to the announcement?
B
Within. Within fucking 15 minutes, bro.
A
Like before. 15 minutes before. So I'm gonna guess it's not like an insider. I'm gonna guess it's not someone that is helping craft a speech. It's the person who's like typing it into the teleprompter.
B
Ah, yeah. Or the boyfriend of the cousin of. And it's so close, but it's not real time. It's. But it's close enough.
A
Yeah. It's not, it's not an advisor who's, who's pushing things because they could do it days in advance. They know where the wind's blowing certain things that way.
B
That is true.
A
It's somebody that has just about before access. So.
B
Well, the biggest, the biggest trade, right, was like $900 million. That's what I'm saying. This is what I'm saying. The biggest short so far has been like $900 million. Is documented. It's all over the place. People have talked about this, people have debated this. Who is it who has that kind of money?
A
They what short oil? They, they earned a million. No, no, no. That was put in.
B
That was their position.
A
Wow.
B
Yeah, yeah. So people have made millions upon millions collectively, billions of dollars off of this Iran war.
A
Yeah.
B
We don't know who these people are, but here's what we do know. A U.S. Special Forces soldier placed $33,000 in bets on Polymarket. That's what we do know.
A
But these oil shorts aren't on Polymarket. These oil shorts are.
B
No.
A
Are legitimate stock trades.
B
That's right.
A
So the SEC knows who's doing it.
B
They should know who those people are. Yeah, yeah. So
A
I was interested, I was intrigued that this soldier was turned in by Polymarket. The Polymarket identified, quote, unquote, suspicious trading and made the DOJ reference, which is crazy to me. Right.
B
Because Polymarket, even though they told themselves to be like, you know, a legitimate platform, listen, you saw the work I was doing and what did I tell you? Here's why it stopped. Because every other day they were Trade. They were changing the rules, they were changing the platform. People that were making money on Polymarket one day were losing their asses the next because there were constant rule changes. There's no regulation with that. It's fugazi the entire thing. That's my opinion. This fouquet but they turned in the soldier. Now the question is, did they do it because they, they suspected it could be problematic for the platform or because the FBI reached out to them? Curious as to what that trade was. We don't know.
A
I'm gonna guess they're under some sort of pressure from DOJ to be regulated and this is them trying to get in bed. And oh look, see, look at this one.
B
You know, this one right here, maybe
A
they knew it was some sort of soldier connected. Who knows? Who fucking knows?
B
Who knows. So yeah, it's a hell of a story. It's a crazy story. The guy made a mistake. You know what I mean? It's, you know, and I'm glad there's accountability. I'm glad there's that. But you know, I want to see, I want to see more.
A
Yeah. Zero day or inside job. Litecoin network suffered a 13-block chain reorganization, approximately 32 minutes of history, on April 25th after attackers exploited a MimbleWimble Extension Block protocol vulnerability. Non-updated mining nodes accepted invalid MimbleWimble Extension Block transactions that enabled fraudulent peg-outs. Oh, peg-outs. That means something different in my world to third parties. Combined with a targeted denial-of-service attack that disrupted major mining pools and temporarily reduced upgraded hash rates. All invalid transactions reversed by the reorg and valid transactions remained unaffected. The bug is now fully patched. What do you think about this one? Is it a zero day or was it an inside job?
B
Ladies and gentlemen. You know I love you guys, I'm very honest with you guys and I think this was a complete fuck up on behalf of the Litecoin projects. What they did was they identified a potential issue whether it was reported to them or they discovered it themselves. And what they did was they privately and quietly patched the issue. Now the problem with that is if you're using a platform like GitHub, GitLab, Bitbucket, a public platform where everybody could see the push request, the pull request, sorry, they're looking at all the changes that are happening in the code. You know, it's very, very much available to researchers, potential adversaries. This was not a zero day. This was something that was fixed a while back. It was just not publicly acknowledged. And because it was not publicly acknowledged. My boy Chris. My beautiful Chris. The problem is the Litecoin wallet itself was patched. The Litecoin miners themselves were patched, but the Litecoin RPC servers, the ones that are propagating the blockchain messages back and forth, were not patched. The adversary identified this, they confirmed it, they validated it, they tested it, they did a test run, they exploited it, they use several bugs, including the denial-of-service attack. And you know who fucked up here? Litecoin fucked up here. The developers made a terrible, terrible decision to privately patch without acknowledgment and without telling anybody. That's what happens when you do it wrong.
A
How could they have done it right?
B
You acknowledge the issue, you do a public patch and release. You do a disclosure, you get a CVE, right? And say, hey, we've identified this issue. You should all patch. Because at that point it's no longer a Litecoin fucked up issue. It's a RPC server operator wasn't following the rules and didn't have a good methodology, didn't patch the servers. The RPC server operators were like, what the hell is this? What the. What is this? Oh yeah, there was a bug that we fixed a month ago. There's no CVE, there's no public acknowledgment. So who are you going to blame here? Are you going to blame the RPC server operators? No, right? The miners, the guys that run the mining networks. If they knew enough, they knew enough. But the Litecoin project clearly messes one up terrible. It's not a zero day, guys. It is also not an insider. Maybe there's an insider. Maybe the person that reported the bug told someone else. That could be it.
A
The insider is the person making the bad decision that resulted in this. This fuck up.
B
There you go. That's. You know, I like that. I like that approach, you know. Yeah.
A
Bad decisions. So we'll see what happens.
B
Terrible decision.
A
Zero authentication. Exposing the US Government's emails and private meetings recording to anyone on the Internet. Firefights. Fireflies AI, which is an AI powered meeting transaction. No transcription and summarization service. Exposed sensitive data with zero authentication. Leaking US government employees emails, full media recordings, participant lists and AI generated summaries to everyone on the Internet. Researcher identified 44 .gov emails from a single city agency via one authenticated API call. Over 200 meeting IDs, publicly indexed on platforms and exposed meetings from the Peace Corps, city governments, Cardinal Health, Indian National Trade Committees, Disney related strategy sessions and cybersecurity alerts. HR benefits discussions. The researcher reported the issue directly to Fireflies on April 7, and the company acknowledged receipt and directed submission via their bug bounty HackerOne program. But then as of April 25, the vulnerability remained unpatched per the original research follow up post. No public remediation or outage announced. A separate researcher reported an incident identical unauthorized unauthenticated access issued in August of 2025 and was also routed to HackerOne with no resolution or updates. So they've been told hacker, and they didn't do shit about it.
B
Yeah, and I'm sure you're noticing a trend. There's a lot of this happening, bro. And not only that, but there's a lot of it happening with regards to API security, or lack of API security. If it's not a supply chain attack, if it's not a social engineering attack. Right, it's an API attack every single time. You know, it comes to a point where you're like, okay, what is going on here? Where are these people going to school where they're learning how to build GraphQL endpoints with no authentication and. Or they're so broad in nature and accessible that anybody with a simple HTTPS proxy could just intercept the request on the website, replay the request, modify a freaking identifier, and get access to all the data on the back end. It's just ridiculous. Like, it's just. This is like, this is like peak 2002, hey, I just learned PHP. These are the kind of bugs that we're seeing. Yeah.
A
So you ask, like, who are these people going to school and all that? Any chance this shit's being created by AI and people are just slapping it up not even knowing what they're publishing?
B
Hey, listen, that's, that's another problem. Vibe coding is an issue. But here's the thing though, you know, here's where Vibe coding becomes interesting. You could tell Claude, OpenAI through Codex, through Cursor to Anti Gravity to whatever it is, forge, whatever you can say, hi, I'm creating web application and I need a CRUD API endpoints to be able to add and edit and modify certain resources. Cool. It builds that for you and you write, this is where the harness. Remember I showed the image. The harness. Okay? It's the harness. Can you do this securely? Can you add authentication or authorization to this? If you, if you're Vibe coding applications and this is the result, then what is it that you're doing? Hey, I'm building an application to X, Y and Z. There's zero harness, there's zero skills or planning. No, it's a problem, you're right. But this kind of level of, you know, of. Of vulnerability of findings is the laziest possible thing. It's the laziest outcome you could have when developing, especially in 2026.
A
Just because you should be checking your API endpoints when you publish something, when you develop a system, that's one of the first things you should check before
B
you go live 1000%. You do not want to create an application of any sort where someone could request your resources. That's all it is. This is access control, Chris. That's all it is. There's access control at the core. This identifier should not be able to access that identifier or the resources therein. If it does, that's a violation. And they're breaking all sorts of threat model guidelines and frameworks. Now, what's crazy is that the US government is using this stuff. That's a problem. There was a point when CISA, when CISA was at its highest. I don't know where the hell they're at now, but CISA was developing software. They could have developed software just like this to be used by the US government. I'm not sure that's even a thing anymore. But you know what this, you know what this application does? All it does is when you have a meeting and you invite somebody, they'll invite this thing to take notes of your conversation.
A
Sure.
B
But this thing will then transcribe it for you and upload it to an unsecure endpoint. That's a problem.
A
Yeah, that's a problem. And I'm sure they, they don't sell it as. They sell it as a secure tool. Otherwise these local governments probably wouldn't use it. I'd hope, but no one's checking them.
B
Well, listen, sometimes it comes down to cost. Right?
A
Always comes down to cost. I mean, so I will say the list of victims that they rattled off there.
B
Yeah.
A
Probably not the most secure conscious of organizations.
B
Yeah, he made a good point. Like some smaller agencies. Right. Some older, like non profits, Peace Corps and stuff like that. I mean, I get it.
A
You know, we're talking. It's, you know, the title is a little misleading. US Government emails and now, you know, we're talking about Peace Corps and Indian National Trade Committees. I mean. Yeah, yeah, I'm sure they, to them, their information is very, you know, sensitive, but it's not like national security.
B
Yeah, we're not talking about the DoD or DoW, whatever. Right.
A
I get it, baby.
B
Well, man, I saw a whole debate on that. DoW versus DoD. Oh, we'll talk about that later.
A
No, bring it up. You brought it up. Now I'd love to speak about it.
B
Yeah, yeah. There was. There was a meeting. It was like a Senate hearing. Forgot the guy's name, but he went in, he was talking to somebody like, hey, you know, so. So what do you call that department? Department of Defense or Department of War? Like office. The Department of War as stated by President Trump. Guys, like, by means of an executive order. But it's not. I mean, it's. It's not officially that. It's a secondary name. It's Department of Defense. Can you say Department of Defense? Like. No, it's Department of War. Yeah, it's this level. This level of like, I can't even. I can't even. I came and like, it's right there. But it's hard for me to categorize it. Like, what is this, like, cult-like behavior, you know, like, what the fuck? What would make you act that way? You know? And I saw that and I was like, you know, I don't know.
A
You want to stay buddy buddy with somebody, you have to. I mean, you have to play the game. That's what Paul said.
B
You have to play the game. Yeah.
A
Someone told me that there's a leader of a certain party and you want to be staying that party, you got to do what they say.
B
It's a deal. D-O-W, baby.
A
Yeah, that's right. DoW for life. We got our tats about it. Heck, we talk about this almost every week. This story is not really a story, it's just a reminder. Almost got hacked this morning. Crypto developer and open source AI trading agent maintainer Michael Fang narrowly avoided compromise on April 22 when a VC contact previously met in person sent a Microsoft Teams meeting link that upon joining prompted download of a malicious quote-unquote update script. The file was flagged malicious by Claude AI analysis. No installation occurred, but the incident highlights ongoing North Korean linked social engineering targeting Web3 professionals via compromised accounts. We've covered this last week. I believe we covered it a couple of weeks before that. North Korea is going crazy over crypto developers. They are finding them how they're finding them through LinkedIn or whatever it may be, but they are trying to hit them hard.
B
Yeah, because it's the easiest hack for them. You know, they're getting in with very low investment. You know, I would say financial best with time, not so much because it's at least one of these cases. They spent a year, like, you know, talking to the guy. They even met the guy, right, they flew to San Francisco or whatever and then finally they had him take one to Lincoln. Popped them, you know what I mean? So like they're, they're. Listen, I got to say, it's impressive, right? I'm not impressed by like the fact that they're just piece of shits and, and they're funding the North Korean military with these acts, but the, the methodology, the, the persistence, the understanding of the targets. These guys, these, these, these adversaries are like legitimate adversaries, you know what I mean? Like they're really going after people, understanding them, knowing what systems they're running, knowing who they hang out with, know what time they go to sleep, what time they wake up. They know if they have Monero or Bitcoin or Ethereum. They know who, what conferences they're going to and they're meeting these people.
A
Yeah, they're good to the way they deploy it. Like I certainly have that. You know, I don't like to sign on to a meeting until like the exact minute the meeting's supposed to start. Because God forbid we have fucking small talk with some, another human being. So yeah, you go in to log in, all of a sudden, oh shit, I don't have the right software, now I'm going to be late. You know, I didn't plan for this and all that, so. They're really, really good about exploiting that, that sense of time, you know, I got to get this done. Let me click on this, I'll make this work so I can go to this meeting. I should have checked this ahead of time. You know, like I've always said, if, if, if someone tells you you have to do something in a hurry or you can't tell anybody about it, they're fucking frauding your ass.
B
Yeah, but listen, they're clever, man. They're leveraging ClickFix, they're creating malware that good, signatures. They're circumventing EDRs and AVs and they're just getting, they're just making it happen
A
and they're using Microsoft as their fucking target because we all know Microsoft's a piece of shit.
B
Yeah, no, that's a whole other debate and conversation right there.
A
Oh, you sent me that link of France celebrating. That was crazy.
B
You saw that? I did, yeah. It was like a, a procession of some sort, right? Like a, like a funeral procession. And yeah, man, it's. Listen, Microsoft has had a hell of a hold on entire countries, entire sectors, industries with the software that they're selling to us. That is inherently, you know, from what we've seen historically speaking, at the very least insecure, you know, by default they've chosen to deploy systems with settings that are constantly abused by adversaries. You could enable Windows Defender, which by the way, shout out to Microsoft, because in a way Microsoft Defender has become really, really good. But if you want it to be even better, you have to pay a lot of money for that. If you're an organization, it gets, becomes very expensive very quickly. If you want even more than that and you have to pay, you have to upgrade your Microsoft license and guess what? It becomes exponential after that, price wise. So yeah, shout out to France. They're celebrating the death of Microsoft in France. Now it's just a matter of what Linux or Unix flavor they're going to go with and are they ready for that?
A
So heck, you sent me a thing this week and you called it a mini rant, but you went on and on and on in your voice text. Yeah. Is that a subject you want to talk about on the show? Do you want, you have a little energy for a rant here? We haven't had one in a few weeks.
B
Oh yeah, no, listen baby boy, I could, I could rant about everything. I go, shit, I ran to my mother if you want.
A
Well, don't do that. I love the woman, but I want you to tell the people what the hell you sent me. I think it was a four minute voicemail. You were all bent out of shape about a story we did last week.
B
Remind me, remind me of the topic.
A
I, I, I could just, I can just play the whole thing.
B
No, it sounds like, because, you know, it's like, you know, it's, it's like echoes. We may hear a fart in the background, but part of the rant. So it's a rant on like there's multiple arguments here, right? There's one main issue which is we have people that unfortunately have been victimized by means of ransomware extortion. They're being leveraged by the North Korean government as useful idiots. Unfortunately, that's really what it is. If you guys are not familiar with the term useful idiots, it's Russian, it's very old, I don't know how to say it in Russian, but essentially it's, you know, you're basic cattle and you're able to leverage you as cattle according to their interests. And so what we're seeing here with North Korea is exactly that. The North Koreans have adopted that useful idiots concept. And then they're using Americans and Germans and Italians and the French and whoever else they could use. Shit, eventually they'll start turning on the Chinese as well, if they could, which is, can we find people that are dumb enough to be victims and have them pay us? And then we'll victimize them again over and over and over. And we're just going to leverage everything we know about crypto to then exfiltrate the crypto in front of everyone, using all of the different protocols and laughing our ways to the fucking bank. And that's exactly what the commission been doing. Because you know what's crazy? I'll go on Twitter and I'll type in always intelligence or blockchain security and blockchain this and blockchain analysis. And you have all these really smart people that look like what they're, they know what they're doing and they have all these really cool tools and they could track when a stolen Bitcoin from 2018 travels from one wallet to 90,000 wallets and then back into Binance. They're really good with that.
But for whatever reason, when it comes to North Koreans, every time they do a crypto scam, right, every time the North Koreans do three steps, right, they'll break the Ethereum or Bitcoin into X amount of wallets and then they rebuild and send it to THORChain and then from THORChain they send it to a Chinese OTC every single time. They did it last year with Bybit. $1.5 billion last year. One hack.
A
It's crazy. I was talking to my friends at lunch today and they were talking about like, I was talking like, oh, there's a, just this week there was a 292 million there. 292 million. I said, I said it's common to have a billion plus dollar hack on crypto. They, they blew their mind what was going on in this world. People, I don't think people have any idea what the North Koreans are doing in the crypto space.
B
The North Koreans have mastered this space and they've sat there and they read through all the white papers and they know about all your protocols and all your crypto fucking schemes. They know how your stupid THORChain works. They know how SegWit works. They know how Bitcoin operates. They know it and they're using it better than you do. You fucking crypto security companies cannot stop these people. It's fucking crazy. And it's happening over and over and over. And I'm sitting here and you know what I'm thinking about? I'm not here to admonish crypto any, anybody. I'm here to admonish the people that keep making the same fucking mistakes, right? And indirectly, over time, become complicit with this conspiracy to feed the North Korean military industrial complex. That's what it is now. And one day, eventually, the North Koreans are going to shoot a missile and kill somebody. I'm a humanist. I care about people, right? And all this crypto shit is fun and games. We can laugh and post memes about it. But what we're not thinking about is that North Korea is building weapons with this fucking crypto money. And one day they're going to shoot a missile at North Korea, at South Korea. I'm not North Korea. South Korea, Japan, maybe one of our ships out in the sea, maybe in the South China Sea, or maybe blow up Taiwan in the middle of an invasion. That's what we're heading to. And it's crazy when you go online and I've seen people say similar things that I. I'm no genius, Chris. I've seen people make similar arguments. And you know what they get? You know what happens. Why are you admonishing the victims? Why are you pointing your finger at the victims? How many fucking times do you have to be a victim before you are complicit? If you got popped eight times in a crypto scam and you lost $50 million, am I supposed to assume that you know, everything is cool, everything is copacetic, everything's kosher? Or maybe you're part of the conspiracy. There's something amiss, Chris.
That's how I feel.
A
All right, guys, again, going over and doing the lives, doing the show. Continuing the show. Bunch of stories over on the Patreon. Support us on Patreon. You guys want to reach out to us? Hit us up at Questions at Hacker in the fed dot com. Love to hear from you there. Help. Help us out. Add. Buy us merch. Hacker in the fed dot com.
B
Yep.
A
Shout out to SafeHill and all the support they give us over here at the show. Love SafeHill. Check them out. Go to safill.com, find your shit, get your. Get your pen tested.
B
Oh, yeah, I guess something tested.
A
Five star reviews wherever you download. Subscribe to your podcast, Share us on social media. We're gonna try to put out that thing. Heck talked about the comparing a car to AI. Hopefully he can get it cleaned up and get some approvals to put that thing out there. But look for that on Thursday on LinkedIn. And repost it. Get that out there, push it out, Tell your co workers, tell your friends, tell your wife, Tell your girlfriend, tell
B
your boyfriend, tell your cat.
A
Listen to two schmucks talk about cyber on hacker in the Fed. All right, brother. I'll see you over on the Patreon.
B
All right. Cheers, man. Let's do it.
A
Love and respect. Cheers, Sa.
Release Date: April 30, 2026
Hosts: Chris Tarbell (former FBI Special Agent) & Hector Monsegur (aka Sabu, ex-blackhat/Anonymous/LulzSec, Red Teamer, co-founder SafeHill/Sefhil)
In this free episode, Chris and Hector bring their trademark banter and deep expertise to dissect a string of high-profile recent crypto hacks and related developments, with a special focus on how North Korea is leveraging these cybercrimes to fund its regime. The duo explores how vulnerabilities, failed mitigations, insider threats, and persistent social engineering campaigns are allowing hostile state actors to launder billions—all while industry players seemingly fail to adapt. The hosts also touch on the security failures of modern SaaS tools, the proliferation of insecure APIs, and accountability gaps in both cyber and physical spheres.
| Topic | Start | End |
|---------------------------------------------------------------|-----------|-----------|
| Banter, Plant Smells, FBI Academy | 01:27 | 06:42 |
| SafeHill Team/Visualizing AI as a Car | 07:07 | 12:50 |
| Industry News/Patreon Structure Discussion | 13:17 | 15:17 |
| Insider Trading by U.S. Soldier & Policy Gaps | 15:24 | 23:56 |
| Litecoin Reorg Hack (Zero Day vs. Inside Job) | 24:11 | 27:57 |
| Fireflies AI API Data Leak/General API Security Failures | 28:01 | 34:08 |
| Labeling of U.S. Agencies (DoD v DoW, etc. - lighthearted) | 34:16 | 35:18 |
| North Korea’s Social Engineering Attacks on Crypto Developers | 35:23 | 38:32 |
| Microsoft and Security in Public Sector | 38:36 | 39:54 |
| North Korea Crypto Laundering Rant | 40:37 | 45:27 |
For more stories and deeper dives, check out the hosts’ Patreon and follow their upcoming AI visual analogy post on LinkedIn.