A
You're freaking out because it's an important meeting. Screw it. I'm just going to download this update, get back online. Security researchers in the space are saying, I mean, I would have probably fallen for this too.
B
Hector Monsegur was responsible for some of the most notorious hacks ever committed. Special Agent Chris Tarbell and FBI informants participated in some of the world's most infamous hacks that caused up to $50 million in damages. A life in the shadows. Cyber attacks on the rise.
B
Welcome to Hacker and the Fed, free episode 127. A little extra energy for Jonathan this morning. We're going hard.
A
Hector, a little bit of extra coffee today.
B
I'm Chris Tarbell, former FBI special agent who worked my entire career in cybersecurity. And I'm joined as always by my buddy, my friend, my podcast co-host, my travel mate this week, Hector Monsegur.
A
Hey, how are you?
B
Hector's a former black hat hacker who once faced 125 years in prison for his many years of hacking under the code name Sabu. Our stories collided in June 2011 when I arrested him and then convinced him to work with me at the FBI. Hector is now a red teamer, researcher, cybersecurity expert, and co-founder of SafeHill. Hello, buddy.
A
Hey, how you doing brother? You know, every time you read that, that intro, I think to myself, damn, I'm glad I chose like a neutral name like Sabu and it wasn't like the Ass Master 3000 or something, you know what I mean? That would have been a hell of a name.
B
Power bottom 69.
A
Yeah, no, I'm glad I went with Sabu.
B
I don't think you would have been the great and powerful Sabu nearly if you had a stupid name.
A
That is so true. That is so true. How you doing, buddy? How's it going?
B
I'm doing all right. We got to see each other out in LA. Big shout-outs to GPSEC for having us out there at one of their conferences. We had a good time with those guys. Again, GuidePoint Security, shout-out.
A
Yeah, big shout-out to GuidePoint Security. It was a really good event they held this year in Orange County. I got to say it was really dope. I liked the format, where you had the stage, then the audience, but right behind that you had all the different vendors and different groups of people. It was all very intimate.
B
I like how every time you shouted out a different vendor, they got excited. Woo.
A
Yeah.
B
Yeah.
A
When I shouted out 10 of the leg.
B
Yeah.
A
Hell yeah.
B
I don't know how excited the Palo Alto guy was, but he wasn't.
A
In fact, I walked by his table, I tried to wave at him and he just completely ignored me. I was like, oh, okay, my bad, boy.
B
Sorry bro.
A
Yikes. No, it was great seeing you bro. And got to hang out with you. We went to buy, you know, we went jean shopping.
B
It was nice to do a little shopping together.
A
Yeah, yeah.
B
I don't know if we've ever shopped together before. That may be the first.
A
No, but it was very typical. Like when a husband and wife go shopping where the, like the wife goes inside shopping and the other he's outside waiting. I was the husband, I was the
B
wife, he was the wife.
A
Yeah.
B
It is funny, I walked in the store not knowing if they sold men's jeans there, but it worked out.
A
I think you may have bought a unisex pair, but it's fine.
B
No, no, I've worn these jeans for years. I love them.
A
I got you, bro. Hey, so it's obvious you like jeans. What if like, you know, somebody is like cave diving and they find a pair of like pristine, you know, 150 year old Levi's and they put up for auction, would you be the guy to buy them?
B
No, I don't like jeans that much
A
because there's people that do that.
B
I know. Yeah, but the other, the crazier part of that story is cave diving. I cannot imagine going cave diving. Like there's, I, you can watch like YouTube documentaries and all that about oh my God, 17 people have died in this cave. And the guy's like, oh, I gotta go in there, I gotta go check this out. Yeah, it always goes bad.
A
Well, I remember watching a video on YouTube many years ago. Maybe some of the folks listening may remember that video, but it was a guy, he was like cave diving or whatever the hell, he's exploring caves and he found an old mine that was, you know, closed off for like 80 years or something. And in there he found three pairs of Levi's, of jeans, like on the floor. They were crispy as hell, right? And he was like, first off, why are they here? And the theory he came up with in the video was, well, it was like towards the entrance, but not really. It was kind of, you know, beyond the entrance. So it was like, maybe these guys changed and they just left their clothes there, kept working and just moved on with their lives. Well, anyways, he got the jeans out, and then he got them appraised, and they were worth, like, thousands of dollars each.
B
Wow.
A
You know?
B
Yeah, there's a lot of caves around here where I live, and so people like to explore, and I'm. It's not really my thing. I'm cool. Not going to caves.
A
Yeah, yeah. I like watching the videos, but I'm not gonna do it. I'm not gonna find me at a cave anytime soon.
B
But will you travel? You traveled all right, Coming back and all that. Everything went well.
A
I'll be honest with you guys. Be honest with you, Chris. Yeah, travel's pretty hard, man. Yeah, that's. That cross country trip is not easy. It's long. Especially when you get older and a big guy like me and you in a little cubicle and, you know, you start getting some anxiety. I always get anxiety. If it's longer than four hours, I get anxiety automatic.
B
Were you able to sleep at all or no?
A
Oh, I had, like, little micro naps. Yeah, I tried to sleep. I tried to do the sleep thing and it didn't work. I just kept waking up. But I did watch the 1992 version of Romeo and Juliet when I was up. It was great. I love that movie. You know the one with Leonardo DiCaprio?
B
Oh, that one. Leo, did you.
A
Oh, that was so good.
B
Do you ever watch the old one from, like, the 60s?
A
Yeah, yeah.
B
There was boobs in it. I couldn't believe it. In high school, they showed us a movie with boobs in it.
A
Yeah, yeah, yeah. Well, I like the Leo one because there's some really great actors. I would say my favorite character in that entire film was definitely Mercutio. Mercutio killed it.
B
Oh, yeah.
A
Oh, yeah. Mercutio killed it. And then even Tybalt was played by John Leguizamo, the Prince of Cats. He was pretty good, too.
B
Yeah, I might have sold this out. I haven't seen this in a while.
A
You haven't seen it?
B
I've seen it before, but it's been a long time.
A
Well, Mercutio's character's really dope. I think his rendition was fantastic. Tybalt was great. The rest of Leo was. You know, it was. It was. It was young Leo, you know, it was before he became the Leo of today. But it was cool. Here's what I didn't like about the story. Good thing about the story.
B
Yeah.
A
As we get older and we start reading those old stories from way back in the day. Like, you know, Snow White, right? The dwarves and all that. As a kid, you're like, oh, my God, it's a really cool story, but as a grown-ass man, you start listening to the story and you're like, man, that sounds kind of weird. You know, with Snow White, right? Oh, sorry. Sleeping Beauty. That's a terrible example, right? Sleeping Beauty is messed up because once you start reading into the story, you're like, okay, she's a girl. She got sick. Obviously she fell asleep in a coma state. And then here comes a prince and procreates with her. When you look at the original stories, right? And you find out that the only reason why she woke up wasn't because the prince kissed her. It's because the prince. Damn, I don't want to go that deep.
B
He kissed her?
A
No. He forced himself on her and got her pregnant and the babies were born and they woke her up.
B
That's not the Disney version I saw.
A
Well, it's not. It's not a Disney story, bro. So when you look at Romeo and Juliet, there's something they put an emphasis on. She's very young. She's literally a little girl. And Leo. Not Leo, but Romeo is an older character. Like, he's a man having sex with women. So the premise is like, you know, Leo goes to the Capulet party, he meets Juliet, and she's supposed to be like a young, really young girl virgin. He's already like a man at this point, right? And, like, it turns into a whole big thing. The story is fucking crazy.
B
It's not that crazy. I mean, you were in the Epstein files.
A
You need to shut the fuck up with the Epstein file shit, because I am not. I was not a participant in the.
B
Anybody want to go check out the Epstein files? Just look up the word Sabu, see if it's in there. It's in there.
A
Yeah. And it's not me communicating with anybody. Somebody mentioned me in an email. This guy. This guy over here. I swear.
B
Oh, man. All right, guys. Thanks for all the help. You guys are doing great on the Patreon. Sign up and help us out there. Great on the merch. Keep ordering your Hacker and the Fed merchandise at hackerandthefed.com. We really appreciate it. Again, we are doing whatever we can do to keep this show free. We don't want to put commercials on it. We don't want to talk about some stupid product that we don't really agree with or we don't like. So if we like a product, guess what? We talk about it. Like we like what GPSEC and GuidePoint are doing, so we mention it. So keep the show free. Help us on Patreon. Join the Patreon. We just did 45 minutes talking and having some fun over there. Keep ordering your shirts and your sweatshirts and that sort of thing at hackerandthefed.com. We really do appreciate it.
A
That's right.
B
You ready to get into the cybers, Hector?
A
Oh man, I'm not really sure, brother. I think, I think we should extend the Patreon episode. Everything else except cyber.
B
Oh, you want to keep this the cyber free episode?
A
No, no, we can't. It defeats the purpose.
B
Yeah, I wonder if they'd log. They just log off.
A
Yeah, I want to hear, I want to hear terrible bad news.
B
Please. I need to know what was broken into and stolen this week. Our first story: the Axios supply chain attack initial access has been revealed. So the North Korean-linked actors compromised Axios maintainer Jason Saayman via sophisticated social engineering. During a late March 2026 fake Microsoft Teams video call, the attackers displayed a realistic "Something on your system is out of date" prompt, tricking him into downloading and executing a malicious binary disguised as a Teams update or fix, which installed a RAT granting full device access and exfiltration of his publishing credentials. This enabled the malicious Axios release on March 31st, which pulled a typosquatted crypto-js package that deployed additional RATs to downstream users. So a fake Teams update seems to be what caused the Axios supply chain attack.
A
Yeah. Well, let me tell you something. This is a hell of a story because what it shows you, what it highlights, is that these North Korean actors spend a lot of time building out these multi-stage, multi-payload, multi-vector, long-term campaigns, and they're successful at it, and they're leveraging all the nuances of the things that piss us off as humans. Because if you look at how it's structured here, right, the North Koreans were well aware, and they could have leveraged OSINT and a whole bunch of other mechanisms, right, to identify that the target in this case used Microsoft Teams. Microsoft Teams sometimes, for you guys, I know for me, sometimes it breaks, there's an error, I gotta update something, I gotta download something. They were able to leverage that. That's the nuance. And then they leveraged a newer technique. It's not new today, but it's relatively new in terms of social engineering, which is ClickFix. We talked about ClickFix before, what that looks like, right? Put up a fake pop-up message: your Teams installation is messed up, you can't join this call. The pop-up is there, and in the background you see people, right? There's people trying to talk to you. You're freaking out because it's an important meeting. Screw it, I'm going to download this update, get back online. Security researchers in the space are saying, I mean, I would have probably fallen for this too.
B
Yeah, yeah. So they always catch you. Fraudsters, or cybercriminals, are going after you at a time of need. They try to rush you. They'll get older people because older people want to help. They'll get you when you have to act and you're not thinking straight, you know, the "don't tell anybody" type thing. But in this one they exfiltrated it. You don't want to log into your call too early because you don't want to sit there and have small talk with a bunch of people you don't like. Your call is scheduled for 3 o'clock and you log in at 2:59 and then you're like, oh, I can't get in because I didn't update the software. I didn't plan ahead. So just rushing through it, you see the thing, it's like, all right, and we see it all the time: this application needs to be updated. And being rushed to get on it, you click the button, update, and then it popped them. So the attack vector started off as a multi-week social engineering chain through LinkedIn and Slack impersonations, then moved into a realistic fake Slack workspace. Then they scheduled the fake Microsoft Teams video call, and it culminated in real-time guidance to install the malicious binary during the live call. So not new, but very effective, extremely effective.
A
They used all the different things that you and I have been discussing. Maybe we have a North Korean actor listening to our freaking episodes here.
B
We are not in a conspiracy.
A
No, no, no, we're not part of that. But they took everything we've discussed over the last several years and put it all together into one attack path, and they were successful. Even the RAT itself could have been as small and meaningless as an infostealer, you know what I mean? And what did it get? Credentials. They got browser sessions and tokens. They got keys, enough to compromise that package, the Axios package. And so now the question that you should all have is how would you deal with this when you have security researchers in our space on Twitter and LinkedIn saying, I probably would have fallen for this. What about the rest of you who are not security researchers?
B
Do you think you would have fallen for it?
A
That's a great question. My, my honest answer is no. But you never know.
B
I may, because I feel that pressure when I'm coming on a call. And you know, also being like the computer guy, you don't want the computer to not work. Like if we were getting onto a call with people that wanted us to do a speech or something like that, and they're not like the computer people, they're just, you know, the events people. Like, I think, oh, oh, they're paying me, I gotta get on here, I gotta do this. I don't want to look like a dumbass, you know. And like I said, you're used to that popping up when you jump on a call.
A
Yeah, yeah, yeah, no, it's a great point, man. It's a tough one because, again, if there's enough pressure to hop on this call, a lot of people are probably going to do the same thing, probably going to fall for it, you know. And so if your endpoint protection, like EDRs, is not catching that payload, you're screwed at that point. You're going to fall for it, you're going to execute it, you're going to run it, and then boom, here's the consequences. And it wasn't like this was a two-week affair. This is a long-term project. And there's other ones we're going to discuss, I think today and over the next couple of weeks, where this one bigger story where they did the same exact thing with another company and it was like six months in the making. They even went down to meet with the maintainers at a conference, and they even put money into the project. Drift. That's what I'm talking about, Drift. Yeah, you saw that one, right? The North Koreans stole 250-plus million dollars in one shot. And what was the attack path? They sent somebody to a conference to meet with the maintainers, right? To meet with the project developers, and then they put a million dollars in crypto into the project to get enough access. This is where money talks, Chris. Right? They got enough access to make the maintainers purposely download their malware, execute it, and voilà, bada bing. It's crazy.
B
Yeah. I don't know how many stories we're gonna get to today, but I would say the vast majority of them involve North Korean actors. We're seeing a real shift here in what North Korean actors are doing. We were seeing a lot of going after crypto wallets and draining local wallets. They're sort of pivoting now to more persistent access to, like, the developer endpoints, moving downstream to government and enterprise software stacks where they will have persistent access to inject into developing code and all that, like the supply chain. Is that a natural evolution, or are they being forced that way because people are reacting to, you know, taking their crypto onto cold wallets? Why are we seeing this evolution? What's your thoughts?
A
It's a natural evolution. Right. You know, and plus, the North Koreans, they're siloed into either North Korea or China. Right. So they're not going to do what we've seen recently over the last year of, like, the physical kidnappings. You saw that in France and London. Right. I think it may have even happened here in the US. They're not going to do that anytime soon. Maybe, maybe not. But they're going with what works. And what works is they're targeting developers, they're targeting the supply chain, they're targeting the people that, you know, can make decisions. And they're doing it by getting hired. They're getting into your business, because you might allow work from home, right, and you're not properly vetting people. Your HR people are not prepared to vet a potential adversary. That's one. Two, they're targeting developers. Why? Developers are easier. You know, there was a point I made, a very hot take point, with you before, which is when I was an adversary, the easiest organizations to target were probably security companies, and people probably looked at me like I was a psychopath. But back then, a lot of security guys were so egotistical: oh, I'm fucking great at what I do, I'm not going to get hacked. They were getting hacked, right? And we saw that recently with, I don't want to put them on blast, but we saw that with the other supply chain attack with Trivy, you know, that was another one, right? With the pull_request_target that led to the compromise of different repositories. It's easier for North Korean actors to go this route because it's working. When it stops working, when there's protections in place, they might start doing the kidnappings, you know what I mean? They might go to that. But it's freaking weird to see how effective it is.
B
Do you think we're going to see an evolution away from the collaboration tools, the Teams, the Slack, where more is shifted towards browser-based meetings? Like, this wouldn't have been a thing if you just use Teams, well, I don't know if you can use Teams, you use Zoom just within your browser and not the application. You think that's a safer bet to kind of stop this? I mean, yeah, this one specific thing it would stop, but I don't know what else it would do.
A
I'll be honest with you, bro, it's difficult because we've seen these, these, these adversaries even compromise Microsoft.
B
What? Microsoft isn't vulnerable.
A
No, they're absolutely vulnerable. We've seen them compromise elements of Microsoft. Remember that researcher that took over Bing last year? Remember he showed I was able to take over Bing just by doing one, you know, takeover app. Remember that one?
B
Yeah.
A
The North Koreans could leverage that, and they could leverage that to take over fucking Teams, you know. It's like you can't even trust these services anymore. It goes back to that old messaging from, I forgot what general or what guy in the military said, yeah, I'm just going back to pen and paper at this point because you can't trust anything that you see. You can't trust your eyes anymore.
B
Not to pick at something, but remember the Sony hack? They went to pen and paper and were having interns run notes from office to office instead of having emails.
A
Yeah. Listen, shit happens, you know.
B
Shit certainly does happen. All right, Hector, the next one.
A
Yeah.
B
The latest North Korean attack skips the fake interview and goes straight to compromising GitHub users. So DPRK-linked threat actors compromised over 400 GitHub repositories across dozens of organizations from January 15th to March 18th by pushing malicious files, evolving from polar riding upspring injections, I don't know what the fuck that is, and a parallel GlassWorm Force memo campaign. The infection requires only a git clone followed by opening the folder in VS Code, triggering auto-execution for credential theft. So this is exactly what we were talking about: their escalation, their evolution from crypto stealers to getting into a supply chain hack.
A
Yeah. And this one is being termed TaskJacker.
B
Oh, I like that.
A
Yeah, this sounds nice, right?
B
I'm a tax jacker.
A
There you go. Well, the concept here is that they'll take over popular enough repositories of libraries or tools or projects, or they'll just create clones with similar names of what it is you're looking for. And inside the repository they'll have a file called tasks.json, or it's .vscode/tasks.json, which, if you open up the repository in VS Code, which is a very popular desktop editor/IDE, and you grant permission to that folder in VS Code, then it'll execute whatever's inside the tasks.json, which in this case was like a self-propagating, self-deleting bash script that would just run a bunch of different commands on your computer and then infect your machine and, again, exfiltrate credentials, keys, cookies, et cetera, et cetera. They're absolutely leveraging every tip and trick and technique you can imagine that people are not really aware of on a day-to-day basis.
B
I find a lot of these stories that we talk about recently go back to GitHub. Is there a better solution out there?
A
No, because GitHub is only a host of repositories. It's like if you go to a website like Giphy or whatever, all it hosts is memes and pictures. It's just a repository of pictures. But what if you could modify those pictures to hold steganography or some sort of payload within the images that somehow will execute out of bounds through a Photoshop or something. Right.
B
Do you allow developers at Seal to use GitHub?
A
We use GitHub, but we have policies in place and we have discussions a lot. Every time these stories come out, just like you and I are reading stories out for the audience and going over them, I'm having the same conversations with my team: look, guys, be careful with VS Code. You have the tasks.json. Be careful what you're cloning, be careful what you're forking. Look at the code that you're bringing in before you run or execute anything. You've got to look at the code. This is why at Seafood we're just completely writing a whole bunch of tools to replace a lot of the open source stuff. Because as much as I love the open source community, the supply chain vector is so massive right now, bro, that it's impossible to replace everything. I'll be very honest with you. This would be a big, massive undertaking for us. But there's going to be a point where we're going to have to audit everything we're using and then freeze them. Freeze the versions and not automatically update libraries and stuff.
B
Is that what you're prescribing to clients too? You think this is the best approach?
A
That's what organizations are going to have to do. Let's say you're coding a project, let's say you're creating a web application or mobile application, and you're importing a bunch of different libraries. Some of them are open source, some of them are closed source. Let's say they're open source and you're cloning straight from GitHub. What you're going to have to do is fork that library into your own repository. You have to freeze it after you audit it to make sure there's nothing fugazi in there. There's no tasks.json, there's no backdoor bash script. And then if you need to update, you update accordingly. You have to re-audit that package in the future for future versions.
B
Yeah, everything's going local, Hector. We were cloud, cloud, cloud off for so long and now we're going back to local for everything.
A
Well, it's because we're as a, as a race of people, we're lazy.
B
What?
A
Yeah, no, we're lazy. We don't want to do the work or make the effort. Look at our speech at GuidePoint when we were on stage with all those people there, right? Two, three hundred people there listening and all the vendors and all that. I love what you guys did, you and Victor. At the end, you just looked at me and gave me the last 10 minutes to just preach. Remember that? And what did I preach? I said, guys, you guys are out here purchasing, buying, acquiring, procuring all these different tools from all these different vendors, but how many of you are actually sitting there and configuring these tools and understanding how they work? The reality is not a lot of you. And so then you're confused and surprised when you get hacked. You're like, wait, but I bought all the latest, greatest tools. It's not that. Every environment is different. There's no cookie-cutter application that's gonna run in your network and automatically be secure. Right. You have to put in effort, you have to take time, which a lot of people don't do. Same with open source. You see something you like: oh, I'm going to download that, I'm going to put it into my ecosystem. Have you audited the code? Have you looked at its dependencies? When was the last time this code was updated? Who's actually working on the code? I promise you, I'm willing to go out on a limb and say that most organizations, especially the Fortune 1000, are likely compromised by supply chain attacks, and whether or not the adversary is going to ransomware them or whatever, we've yet to see. But a lot of them are compromised as a result of what we're talking about today.
B
So the FBI just named 18 router models that were secretly working for criminals. An FBI flash alert issued on March 12th disclosed the AVrecon malware campaign compromising approximately 369,000 routers and Internet of Things devices since 2020 across 163 countries. The threat actors exploited unpatched SOHO routers to install AVrecon, turning the devices into residential proxies sold via the SocksEscort service for fraud, including password spraying and traffic anonymization. The 18 most targeted models were from D-Link, Netgear, and TP-Link. They were explicitly named. So not good. I mean, we talked about this. Again, not to keep saying a GuidePoint thing, that home routers are a huge problem right now as far as giving people access and hot points and all that, and can easily be solved with some flash updates, just resetting them. But this seemed a little bit more than just that.
A
Yeah, well, look, you and I have talked about this many times before. We covered this story so many freaking times. And we even got into the philosophical part of it, which is, where's the fine line before the US government has to step in and say, okay, you guys need to update your shit. You guys need to stop buying this router from China. We saw recently where the US government said, hey, we're banning imports of edge devices or routers from China, right? Or from outside the US, because of stories like this. Right. It doesn't mean that every Chinese manufacturer is adversarial. But what it means is that maybe those companies are producing products that are not secure by default. They don't follow or align with our security standards moving forward. And so instead of the US government stamping a label on every device that says, hey, secure, you could buy this, which I know you don't like, that's bullshit, right? Then their next best option is, hey, we're just going to ban all edge devices from being imported, and American companies are gonna have to step up here. Now the problem with that is now you have the insider threat. Can we trust that American company, whoever it's going to be, whether it's going to be Cisco or, shit, you and I can start a new company to build out routers. Can you trust that organization? Do they have and will they align with whatever NIST framework or whatever policy the US government is expecting? Yeah, these routers are full of issues. They either have backdoors, Chris, or they have terrible read-only Linux distributions from 15 years ago, which we've seen a lot of, right, or weak passwords from the jump and bad configurations from deployment. So what do you do at that point?
B
I honestly don't think government regulations are going to stop this. The only thing that's going to stop this is the ISPs have to get involved. The ISPs have to start detecting what those edge devices are and shutting off service until it changes.
A
Well, they did a terrible job with the spam problem we had in 2000s. You remember that?
B
That's true.
A
All the ISPs did back then was block port 25. They left port 587 open, and the spam continued as a result. The ISPs don't give a. They don't.
B
Yeah, because then you're not going to pay your bill. If they cut off the service, you're not going to pay your bills, so they're not going to make their money. So yeah, you're probably right on that one.
A
Like, look, you know, we could have a whole economic theory debate on free markets and capitalism and this and that and the other, but it starts to fail and it starts to become a virus on society when the people up top that are making so much money are like, eh, security, it's okay. Do we really want to spend $100 million securing all of our customers, or
B
what do we get out of it?
A
Yeah, what do we get out? What's the ROI on that? You know what the ROI should be? National security. This is why. Listen, I know a lot of people don't like Pete Hegseth. Uncle Pete, right, Uncle Pete. I like when he goes on TV and he puts policies and says, you know what, we're going to require this moving forward. We're not going to do business with this company moving forward. There's consequences to actions. Right. And so or inaction in this case. Because a lot of what you're seeing is inaction that led to that problem that we have.
B
Yeah. So yeah, yeah, we've seen it. You know, week after week. These edge router, these edge devices, these routers, you know, they're, you know, they're a problem. You know, the FBI sort of whack-a-moles this. The SOX excord infrastructure was, they say, fully disrupted. I don't know about it, but you know, a bunch of law enforcement around the country seized 34 domains and got 3, 3 and a half million in cryptocurrency frozen. Whether that stops this or just sort of whack-a-moles, I don't know. I, I, I'm kind of leaning towards the whack-a-molecule.
A
Well, I remember you took down a massive botnet. We could talk about it, but you took down a massive DNS botnet. You remember that one?
B
To the point where the media said the Internet was going to shut off when we did.
A
I remember that, yeah, yeah. And I remember you had like a server over there. I got to see the server on the floor, you know. But no, Chris and his team did a massive takedown of like a global DNS hijacking network. It was a botnet, a mass in the millions. And you know, I'm not sure. Do you have, did you ever calculate the damages? It, was it like hundreds of millions of dollars or some like, was it like somewhere around. There was like. It was a big operation.
B
Yeah, it was over 100 million.
A
Yeah. So massive operation. Chris's team took that shit down. They did a great job. But guess what? I promise you, almost immediately after, another one came right back online. Am I right? Am I wrong?
B
No, you're 100% right.
A
It's a fucking whack a mole. Right. And okay, Chris did a great job, he took him down. But then another network came up right after. What does that tell you? It doesn't mean that Chris didn't do a correct job. What it means is there's other issues that have to be corrected alongside that takedown, including I Don't want to be the policy guy, but you might have to have some sort of fucking policy that says, hey, if you are selling routers into our fucking country, right, provide some sort of fucking attestation or a pen test or we need to fucking invest in some sort of agency is going to take these shits apart and audit them and then accept them or not, right? We don't have any of that. The FBI does. You told me you guys take down. You guys do take. Take apart some hardware, right? Oh, but that's if.
B
Yeah, it has to match exactly. No extra things and all that.
A
But for the rest of us, that doesn't exist. No. And so for the rest of us, this is a consequence, right? We don't have any oversight or anybody looking to see if a router that I'm going to buy on eBay comes from a manufacturer that is a known bad actor. I don't know what the solution is because it's going to cost money and it's always about money at the end of the day. What's the ROI on taking this down? And how many Americans are we going to help with this? Well, now that we're in wartime, right now we're hearing the word, Nash. The words national security be thrown around. Maybe this will be the part of that. You know, the kind of incubator, maybe.
B
We got a couple crypto stories here, Hector. So, April 3rd, the blockchain investigator published a detailed thread on X, exposing Circle, which is the USDC issuer, for approximately 420 million in alleged compliance failures since 2022 across 15 documented cases of delayed, minimal or zero action on freezing or blacklisting stolen or illicit USD funds, despite the token's contract built-in freeze blacklist function and terms of service granting discretionary authority. Cases include the 4-1- drift protocol, which was a $280 million hack, and Swapnet was 16 million. Nomad 190 million. Um, and there's other North Korean linked flows. Um, sure. Another week, another crazy crypto story.
A
Yeah, well, shout out. Shout out to ZachXBT for his research and putting all this together. He's done some great work. Um, you know, the reality is, is that there's a lot of people throwing money at crypto. They have no idea what the hell they're doing. They have no fucking idea. They have no clue. Then you have all these different protocols that swap back and forth and contracts and this, that, and all this extra nonsense. It sounds cool, theoretically, until you start looking at the bullshit, you start kind of weaving through all the nonsense. All the jargon, all the technology, and you have a lot of non-security people putting together protocols dealing with financial assets, in this case, cryptocurrency. And so, you know, it's gotten so bad. Chris, I'm about to say something. I'm about to give you a hot take.
B
Oh, shit.
A
I'm starting to feel like some of this might be just money laundering. What? You know, it's sort of.
B
In cryptocurrency. Never.
A
It's so ridiculous, some of these hacks that I'm like, there's no way, one after another after another after another. There's no way that none of these are, you know, maybe some of them are victims. Some of these groups are victims, right? These investors are victims. Maybe the investors are victims. But the leadership of these groups, are they working with North Koreans somewhere? I'm not saying that, but you kind of start asking questions once you start seeing a pattern. How many, how much money in cryptocurrency has North Korea stolen over the last four years? Billions. Yeah, they did the Bybit. That was the Bybit hack last year for $1.5 billion, and they successfully exfiltrated it. Come on.
B
Well, this is.
A
Now this is getting weird.
B
What? You know, successfully. They, they, they moved it over. But did they have real. Have they converted to real money? Can they really spend that one and a half billion dollars?
A
I have no idea. Yeah, but you know what? I do know that it's, it's in their hands, right? It's not supposed to be in their hands because there are supposed to be checks and balances, right? You know, between USDC and Circle and Tether and this and that and all these different protocols. Some of them have the capabilities to block or fork and stop a potential bad, you know, transfer. And they're not. These guys are usually successful. And so then you have to ask yourself, what the hell is going on? Do these guys understand the developers' own protocols or is there something else happening here?
B
Well, one of the hot topics when we were out in California talking about is what Google just came out with. You want to get into that for a minute?
A
Yeah, that's a good one. That's a real good one.
B
Yeah. Tell the audience what Google just came out with.
A
Yeah, so Google came out with, you know, an article, blog post, and I think it's an arXiv or archive white paper on kind of what their recent success rates have been with, you know, their research into quantum computing. And the reason why this was a point of discussion of discourse at Guidepoint is because it affects everybody. You know, it kind of highlights what Google's research indicates. It implies that they might be able, with some decent success rates, to be able to kind of solve elliptic curves and be able to, you know, break the potential for encrypted communications or, you know, be able to break, let's say, a bitcoin wallet to kind of simplify for the audience here. Google even stated, you know, kind of roughly that they think a lot of this is really possible by 2029. 2029 is down the block, bro. That's, that's less than three years, you know, two and a half years. And you know, their, their kind of concern is, well, if we could do it, who knows what other people could do. And I think they were implying maybe foreign governments, maybe China, you know, so what you're probably going to see a lot, Chris, is you're going to have to see NIST, you know, push for post-quantum algorithms. Okay. And then you're going to have to see cryptocurrency projects like bitcoin move into like a post-algorithmic state, including trying to convert everybody to create new wallets that would be protected from this.
B
Conceptually, I think, I think cryptocurrency's got less time than they expected to get their house in order for this.
A
Yeah.
B
You know, but what are we doing about like wallets for like Satoshi's, you know, 1.1 million bitcoins, you know, if he, how's he going to move those into a wallet if he doesn't, you know, if he's not alive or around anymore?
A
Well, it becomes, it becomes a honey token, right? It becomes a honey trap. It becomes a, a honey pot. Because if all of a sudden you see Satoshi's bitcoins moving, what does that mean for the rest of bitcoin? It either means that Satoshi's alive, is ready to cash out, which is still bad for the market.
B
Crash it.
A
It would crash the market.
B
It'd be a run on all the crypto and that'd be it.
A
Or it's going to be, it's going to imply that, you know, bitcoin itself is problematic.
B
We know that.
A
Yeah. So here's what I want to kind of touch into this. So they did release a white paper, right. And you guys could find it on the Google Research blog and it discusses, the title is Safeguarding Cryptocurrency by Disclosing Quantum Vulnerabilities Responsibly. So if you're not following this stuff, you're like, what the hell is this. What the hell is this? Right? Then you sit down and what are they talking about? They're talking about the resources needed to break the elliptic curve, specifically the cryptography used by bitcoin and other systems. And how they think, their thesis is, it's way lower in terms of resources needed to break than previously thought. There's one estimate here. So Google says a future superconducting fault-tolerant machine could do this with fewer than 500,000 physical qubits. Under its stated or current assumptions, that number is way lower than what it was before. And they're pushing for 2029 to probably be the year when that happens. So now why is bitcoin in scope? Because bitcoin relies on elliptic curve cryptography. It's, it's specifically the hardness of the elliptic curve discrete logarithm problem, I would say. Guys, check out the Google Research blog post. It breaks it down for you because once you start getting into that concept, right, you know, you start to realize that a lot of old bitcoin wallets and like Chris just said, Satoshi's wallet, they're written or built in the old P2PK outputs. It's a public key that's already visibly on the chain. And these are vulnerable to at-rest attacks once the physical components of that quantum computer exist. And that's about 1.7 million bitcoins that are at risk today, Chris. So their thesis.
B
Yeah, yeah. If you're interested in cryptocurrency and want to nerd out a little bit, you know, it is a good read, but scary and I hope, hopefully people are going to, you know, put some protections in place. The people that, that kind of run this stuff. So.
A
Oh, only protection you have is to build a new wallet and then move, move the bitcoin over. That's the only protection you have.
B
Yeah, but again, the, all those crypto, all those bitcoins that are at risk that we know aren't going to be, you know, what's that going to do for the.
A
It's going to ruin that entire market. It's going to crash the market.
B
They might be able to put, they might be able to flag them and put them in place where they can't be cashed out, where they're like a novelty item, like, oh, look at me, I have Satoshi's crypto.
A
You know, that's a good point. Yeah, you could, you could probably flag it and then on the currency, like the crypto exchanges, they could block probably the transfer of those bitcoins. Right, Theoretically, yeah.
B
Unless somebody figures out how to wash them laundry them all out. So. Yeah. Yeah. All right, friend. You got a fun week ahead of you.
A
I have a fun, busy week ahead of me. I want to be hacking. I'm going to be cracking. I'm going to be doing everything. Coding.
B
You got some travel this week too.
A
Yeah. Oh, that's a great point. Yeah, I might have to go to PR. I might travel to Puerto Rico to enjoy the weather, but I'm not sure yet.
B
I'll be jealous if you're down there.
A
I'll send you pictures.
B
It's going to be cool here. So, yeah, send me some dudes.
A
Yeah, I'll go to the nude beach and take your pictures.
B
There's no nude beach in Puerto Rico. I know you're tricking me. I tried to find one.
A
Well, technically, every beach is nude. It's just, you know how. How fast the cops want to catch your ass.
B
That's true, that's true. Although most nude beaches you don't want to see who the people that want to be there. Yeah.
A
No, no, no.
B
Not pretty.
A
I'll avoid that like the plague, brother.
B
All right, guys, reach out to us @questionsacker, the fed.com again. Thank you. Thank you. Thank you for your support on Patreon. Thank you for your support on HackerThe.com. buying the merch. Pick that stuff up so we can keep the show for free. Thank you for Safil, for everything. They show five star reviews wherever you download, subscribe to podcasts, share us on social media. Tell your co workers, tell your friends, tell your lovers, tell the person next to you on the bus. Hey, listen to two schmucks talk about cyber security.
A
These guys talk about how gazy the cyber security industry is.
B
Right? Exactly. Exactly. So the last show, I know it was last week, but if you guys missed it, the CISO Part 2. Hot, hot episode. So hopefully you guys are enjoying that and we can make more content just like that for you guys.
A
You saw somebody posted a comment on LinkedIn. You know what they said?
B
What does it say?
A
We need an episode. 3. Everybody pushing for the new episode.
B
It's probably the. The actual anonymous CISO that did that.
A
I know, right? It's probably him. Let's do another one.
B
That's funny, man. You just doxed his genitals, you bastard.
A
Oh, I leave the genitals alone.
B
Yeah, it's true.
A
There you go.
B
All right, Freddie. Love and respect.
A
Peace out, brother. All right, bye. Peace. Cheers.
B
Cheers.
Hacker And The Fed
Episode: How One Developer Took Down the Supply Chain
Date: April 9, 2026
Hosts: Chris Tarbell & Hector Monsegur
In this episode, Chris Tarbell and Hector Monsegur dive into a series of recent, high-impact supply chain attacks targeting the software ecosystem, with a major focus on how a single developer’s compromise had downstream effects across the industry. The hosts analyze North Korea’s increasing sophistication and persistence in targeting developers and open-source supply chains, discuss the growing risks of edge devices, and examine looming threats posed by quantum computing to cryptography—particularly cryptocurrency.
The conversation is threaded with their characteristic irreverence, candid hot takes, and pragmatic commentary on industry trends and failures.
Key Segment (10:00–14:48)
"Security researchers in the space are saying, I mean, I would have probably fell for this too." — Hector (11:06)
Key Segment (16:56–19:36)
"It's easier for North Korean actors to go this route because it's working. When it stops working…they might start doing the kidnappings." — Hector (17:44)
Key Segment (21:12–25:45)
"I'm willing to go out on a limb and say that most organizations, especially the Fortune Thousand, are likely compromised by supply chain attacks." — Hector (27:00)
Key Segment (27:36–35:12)
"Do we really want to spend $100 million securing all of our customers, or…what do we get out of it?" — Hector (31:40)
Key Segment (36:10–38:34)
"I'm starting to feel like some of this might be just money laundering." — Hector (36:58)
Key Segment (38:41–44:34)
"Google even stated…they think a lot of this is really possible by 2029. 2029 is down the block, bro." — Hector (39:45)
"The only protection you have is to build a new wallet and then move, move the bitcoin over." — Hector (43:55)
On naming as a hacker:
"Every time you read that intro, I think to myself, damn, I'm glad I chose like a neutral name like Sabu and it wasn't like the Ass Master 3000." — Hector (01:25)
On real-world effectiveness of social engineering attacks:
"Security researchers in the space are saying, I mean, I would have probably fell for this too." — Hector (11:06)
"I may [fall for it], because I feel that pressure when I'm coming on a call…you don't want to look like a dumbass." — Chris (14:59)
On the arms race of supply chain security:
"They're absolutely leveraging every tip and trick and technique you can imagine that people are not really aware of day to day." — Hector (23:08)
On the comeback of local development:
"Everything's going local…we were cloud, cloud, cloud…and now we're going back to local for everything." — Chris (25:45)
On crypto and the potential for insider collusion:
"The leadership of these groups, are they working with North Koreans somewhere?…You kind of start asking questions once you start seeing a pattern." — Hector (37:05)
On quantum computing and crypto’s future:
"Once the physical components of that quantum computer exist…that's about 1.7 million bitcoins that are at risk today." — Hector (43:13)
This episode provides a no-holds-barred look at the multifaceted, evolving threats facing developers, enterprises, and everyday users—from clever social engineering to looming quantum threats. Chris and Hector blend stories from the field with lively banter and clear, actionable advice, making this a must-listen (or must-read, via this summary) for anyone serious about cybersecurity.