Loading summary
A
Yeah, but you're not surprised, right?
B
No, I'm not surprised at all. You know what I'm more surprised at? At how easy it was to expose this. Hector Monseger was responsible for some of
A
the most notorious hacks ever committed.
B
Special Agent Chris Tarbell and FBI informants
A
participated in some of the world's most infamous hacks that caused up to $50 million in damages. A life in the shadows, cyber attacks on the rise. Welcome to Hacker in the Fed. I'm Chris Darvell, former FBI special agent working my entire career in cybersecurity. And I'm joined as always, by my buddy, my friend, my podcast co host, Hector Mazagore.
B
Hola.
A
Hi, Hector. Hector's a former black hat hacker who once faced 125 years in, which is the exact number of how many free shows this is. This is 125. Same number of years you were facing in prison for as many years of hacking under the code name Sabu. Our stories collided in June 2011 when I arrested him and then he convinced him to work with me at the FBI. Hector is now a Red Teamer, researcher, cybersecurity expert, and co founder of SafeHill.
B
Hey, this is great.
A
I'm great, you're great, we're all great.
B
Listen, brother, I tell you, it's that, that's a hell of an intro. Every time you read the intro, like I'm. I get tingly and excited.
A
Tingly, Ooh, I like that. Yeah, I try, I try to change it just so slightly every show. Now it used to be word for word, verbatim, but now I change it.
B
Yeah, yeah, no, I, I could tell, you know, I, I could see the pattern. I love it though.
A
All right, I gotta start off with some sad news on this isn't the world on the side of the Fed. RIP to Bobby three sticks. Robert Mueller passed away, former Director of the FBI. And you know, a lot of people have good things and bad things to say about him and his career and all that, but he was the director that I came in under. He was. When I came to the FBI, he was the director. He gave me my credentials when I graduated from the FBI Academy. I have a picture, he held my daughter, so I have a picture of him holding my 6 month old daughter. The whole family. When we, when I got my creds and he ran into my wife like before the ceremony, like she was trying to keep my daughter quiet in the hallway. And he came up and started talking to my wife and just him and her. So, you know, and then, you know, after. Actually during Lulsek, I had to brief him a couple times. So, you know. Yeah, he was he to me. You know, I. I knew him slightly. Not really as a person, but I had good interactions with him, you know.
B
Sure.
A
So shout out to you and your career and everything you did. So we appreciate it, you know, good or bad, whatever people think, you know, still. Still a human being and, and you know, meant something to my family at a time, so.
B
Well, listen, shout out to. To Robert Miller for sure.
A
Bowler. Bowler. Muller.
B
That's what I said. I said Muller, but I have an accent, bro.
A
Bobby Three Sticks we called him because he was Robert Mueller III. So I think my friend Il1 coined the term Bobby Three Sticks.
B
Listen, I don't know what kind of time, you know, you know, IL one spent with. With Bobby there, but I don't know that that crazy nickname.
A
It is, it is. So we had a fun week this week. You and I were together in Atlanta, Georgia for the Georgia Public Sector Public Cybersecurity Summit. They hosted us there and we spoke, we spoke. And the host of the event was a guy named Nate who's a current FBI agent down in Atlanta. Now a listener of Hacker in the Fed. He's going to start listening to us. So shout out to Nate. Dude, Nate did such a fabulous job stepping in. I mean, to be kind of the. The mediator of our conversation.
B
Yeah, no, Nate killed it. And by the way, this is Simon. Can you hear siren?
A
Can I hear it? I think your building's on fire.
B
Yeah, I think. Yeah, I think that's a problem. Let me, let me, let me close the door.
A
You can if you law. It's just the sounds of New York City. It's great. I actually had called 911 yesterday.
B
Why? What the fuck going on?
A
My neighbor's front yard was on fire. One of the electrical boxes lit up and so that was exciting.
B
No, that's. That's pretty wild.
A
But no, let's not get off the Georgia Public Sector Cybersecurity Summit.
B
Yeah, I mean, you're taking us in other directions.
A
We're all over the place. We were shot out of a cannon today.
B
Yeah, bro, it's all over the place. Okay, so shout out. Shout out to Nate. He was a sweetheart. That guy was actually pretty cool, right?
A
Dude, for him to like step in and do that, I mean, he's just a cyber FBI agent. I don't know how much like hosting experience he did. He did a fantastic job, you know, doing that whole thing. I think that Guy's got a future in doing some of this stuff. If we didn't have to race out of there, I would have stuck around and watched his afternoon keynote speech.
B
That is right. He had a big one coming up. And I heard from other participants at the show, audience members, that he made reference to our presentation, our conversation. Oh, yeah, yeah. And there were other speakers also, kind of, you know, pointed back at some of the things that we said during our, Our presentation.
A
So we said some really good. I'll tell you that.
B
Yeah, yeah, yeah. We gave some great feedback and background and opinions and, you know, it's. I think, honestly, bro, that was like, one of the better ones where, you know, we just kind of just went out there and just said, you know, kind of kept it real with the audience. Like, look, you guys. You guys are in a weird place. And, you know, the only thing good,
A
not good, were the chairs. They had those w. Those chairs laid way back. Those were horrible, bro.
B
I was, I, I, I was, I. Listen, you know, I'm a big guy. The chairs are real deep, so I'm like. I'm sitting so uncomfortable, dude.
A
Well, yeah, you either have to sit way up forward like I did, or you sit way back and you fall backward. And it's not. It doesn't. Look, you get your legs all splayed out. You were mansplaining to us and, man, spreading and doing every different thing.
B
Yeah. We're giving the audience a show. Yeah. Three sets of balls on stage just, you know, glaring at the audience.
A
But, yeah, but two of them were. Four of them were brown. And. But then there was Nate.
B
That is true. That's true. Nate's the only one. You gotta get Nate into sunbathing, though. You know, maybe.
A
Who knows? Maybe. We don't know. Maybe Nate Nude Sunbase.
B
I don't know, man. Nate looks like a freak Odyssey, bro.
A
You think so? Dude, I thought he was terrific. I thought he was a great guy. I was really glad. Hey, I noticed. Oh, go ahead. You want to say something? No. You want to say something more about Nate? I was moving on to the next subject.
B
No, no, we can move to the next subject. I think, I think it was great. The whole experience was fantastic. A lot of great questions. I did have a couple of odd moments there where, like, I had two people come up to me.
A
Yeah.
B
And like, hey, Sabu, I have a question. Like, my name is Hector.
A
Yeah, well, one of those guys was a former FBI guy that, while in the FBI, he and I did not get along too well. But we Got along swimmingly while we were down there. But I saw him this. This time.
B
Yeah, he was. He was. Oh, man, that guy. Let me tell you. I got two things. So first, he calls me Savo, which is like, bro, what's wrong with you? And the second thing, he's like, yeah, you know, I. I used to be part of 2600. I used to hang out with Captain Crunch. I said, well, you shouldn't be going around saying that, because that dude was like a. A. A pedophile. Like, what the fuck is wrong with you? Why are you telling me this?
A
He was also on the desk in Atlanta when you hacked into the infragard. Atlanta. So you caused a lot of problems in his life.
B
No, you know what he told me? He's like, oh, my God. Yeah, thank you for all the words, the awards that I got. I'm like, okay, cool.
A
That's funny. That's funny.
B
Yeah, that was weird, man. Oh, my God.
A
So I saw on social media that SafeHill acquired a company. Is that true?
B
Oh, that is true. That is true. Yeah.
A
Tell me about it. Tell me some more. A little about it.
B
Yeah. So last week, in fact, during our event, we did a. We did a press release that we had acquired Arcane Security. Fantastic, you know, company out west in the Phoenix area. You know, small team. But I gotta tell you, this small team, they. They pack a punch. Very research heavy, super into AI. The researchers are fantastic. Trevor Baines and Diego Pacheno.
A
Shout out to them.
B
Shout out to the very smart guys, man. Like, they, you know, the. Our relationship was like, hey, you know, we're about research. We got this, you know, a lot of really cool things we want to show you. And. And we were like, hey, why don't we figure out a way to work together? You know what I mean? Let's sort this out. So, yeah, the acquisition was awesome, and everything worked out great. And then, of course, they're fantastic. I'm happy. And because of. Of, you know, the research that they're doing, we're able to kind of, you know, offer a whole bunch of. Of different insights that we didn't have before. So. Yeah, I'm excited.
A
Good. That's fantastic. I'm glad it's working out. So gonna use them to make some new products and expand what you guys are offering your clients.
B
Oh, yeah. One of the coolest things that came out of that, and this is that we've been working on collaboratively for a minute is the, like, SAS and DAS component of, like, a web application assessment looking at the source code being event driven and then of course automatically validating the findings. Right. That's, that's huge in many times for you. It's just for you developers and you know, CISOs out there, when you guys are looking at your application source code, you're probably going to do like a SaaS review, a static analysis. Then at some point you're going to hire a third party little pen test of the application. We're kind of bundling that together. You're going to get the source code review plus the pen test. And you know what, it's fantastic because you know, we're trying to close that. We're trying to shorten the loop. Right. Of that whole process and then just make it more effective and like reduce the false positive. So like technology wise and research wise, it's been, it's been a pleasure working with them.
A
Nice. Sounds good. Keep us updated on that. Sure.
B
Yeah.
A
So, hey, the merch has been killing it guys. Thanks so much you guys. We've sold a whole bunch of merch coming out but, but keep it up. It really helps us. Again, the whole purpose of the merch is to keep this show commercial free. Heck and I have sat down. We do not want to put out here products that get hacked into a week later or products that we don't believe in. We get hit up every week with a new product to sponsor the show and we're just not going to do it. We just don't feel comfortable to doing it. We want to keep the free show free. So that really helps when you guys hit us up and buy Hacker in the Fed merch at hacker and the fed.com find your good stuff. We did some international orders so have to jump through a couple extra hoops for international orders, but we can get it to you. And so I, I worked it out with our, our merch person. So it'll be all good. Good to do it a little differently this time. Heck, normally we do the Patreon as a warm up show. Get ready. We're doing the free show first and then going to do the Patreon. Thank you guys for subscribing to the Patreon. There are so many cybersec that we have to like do the free show and then the things that are left, we'll, we'll move them over onto the Patreon episode. But you know, there's so many great things on the Patreon episode. I believe we're going to talk about what are we going to go, we're going to Talk about an engineer who used age verification. We're going to talk about. Yeah, the Pentagon adopting paler. Oh my God, you hate that. And you're. I, I can't wait till you rant on that.
B
Oh, I'm going to rant the on it.
A
Yeah. Big operation Alice with 23 nations came together and arrested some. So we got a bunch of stuff on Patreon. So guys, thanks so much for being Patreon subscribers. If you guys are interested in more cybers over there this week, go over and join the Patreon. We appreciate it.
B
By the way, at that, at that event that we went to in Atlanta, we had a listener. I'm not sure if he came up to you. He came up to me, he said, oh dude, I love the show. And he was like, dude, you know what episode I really loved? I loved the, like that, that Shadow Seesaw episode, the anonymized cso.
A
That one's getting a lot of feedback. So yeah, no, I had a couple of people come up to me later about listening to the show. But so, so yeah, I know that CISO that we talked to is busy as balls, but we are planning on a new episode here soon, so hopefully we can get and get that out there. So if you guys have questions specifically for a CISO and you want open and honest answers, hit us up at questions at hacker and the fed.com love it. But speaking of that, we sort of have a CISO story to start off with. Couple crazy stories in cyber security that we're going to start off with. Heck delving into cyber slop. So delve a 2023 founding startup by a couple MIT dropouts, which means nothing by the way.
B
That means Nothing.
A
They had $32 million Series A and they provide AI automated compliance services like SoC2, HIPAA, GDPR to help startups generate certification reports quickly for enterprise sales. So they were allegedly generating Pre written template SOC2 reports with identical auditor conclusions copied across hundreds of clients. 99.8% text similarity in key sectors using questionable Indian quote unquote credential mills via U.S. shell address instead of independent U.S. cPA firms. And the activity Trust pages with unverified accounts before any work. And they pre populated fake documents like board minutes and risk assessments. So they were selling fake shit trying to certify people.
B
Yeah, well, okay, this is, this is, this is like if not the big if, it's not the biggest, it's probably one of the bigger scandals in cyber security in quite some time. Aside from like all the hacking, all the cybers you know.
A
Yeah, except for all the other cyber scandals.
B
Yeah, except for all the other cyber scandals. So there's a few problems here, Chris. And, and I honestly, when we finally do the interview with that anonymized or anonymous ciso, you know, I do want to ping him or her on this topic because I think it might be interesting to get their perspective. So. So here's what we know. There's a few problems with what we're seeing, right. What, what came out of it. There were leaked, like, SOC2 reports and documentation for, if not all, but most of their customers. So sitting online right now, you're gonna see a whole bunch of SOC2 reports and, you know, a whole bunch of other information that we shouldn't be able to see. Like, you know, internal documentation, screenshots, you know, architecture blueprints of organizations, things that are highly sensitive in nature are out there. Because there were some negligence. The company kind of left some buckets open, and a lot of these documents were shared to Google Drive without setting access controls. Okay. Which allowed the researchers, or the leaker, the whistleblower, whatever you want to call them, which allowed them to download all the reports and then kind of put them out there. That's how they were able to determine by analyzing all the different reports that there was a high percentage of reports that were essentially copy and paste. They were templated, which is bad. That's not supposed to happen, right, Chris?
A
No, definitely not.
B
That's. Yeah, it's not supposed to be a thing. Now, I want to, I want to highlight something you said. Right. I noticed that in the original write up, the original story.
A
Sure.
B
There was an emphasis on like. Yeah, they're. They're just outsourcing the CPA component to like the Indian farm, Indian company or whatever. The problem is not India or the Indian workers. Even though the work was probably not that great, it was well templated. So the problem is not the Indian component. It's that two things. One, there is a requirement, especially for SoC twos, and SoC two, they're governed by the AICPA, the American Institute of Certified Public Accountants. Right. There's a requirement that the report must be issued by an independent cpa, and it must mean it must be a US cpa. The issuer must be a CPA with US Credentials. Right. That's the one problem. The second problem is that the companies, the ones that were doing the work from India, they created a minimum of two US LLCs that act as. That acted as shells to kind of ferret the work through those US Company, you know, on paper, but in reality, the work was done in India, right? Yeah.
A
I mean, that's going to show that this was a well orchestrated conspiracy.
B
This was an absolutely well orchestrated conspiracy with multiple parties. This is way beyond whatever. Now the thing is, there's a lot of money involved here, right? You have a publicly funded company that got 30 million plus dollars from, you know, investors here in the United States.
A
Well, wait, I don't think it's a. You think it's publicly funded? I don't, I don't think it's publicly funded. Is it?
B
Well, the company. My bad, my bad is language, nuances, right? They're not publicly funded, but they're funded by VCs here in the United States.
A
Correct?
B
Right. And because of that, you know, those investments go through the sec. There's, there's like eyes on this shit. Right. So when you have this level of like fraud, that becomes a massive problem for everybody involved. And so what you're going to have here, when you look at this, when you look at the story, you get deeper into it is if this is a thing with the SoC2 space and auditors, right. Where else in cyber is this kind of like trending as well? Like, is, does this go beyond Sock to. Yeah, right.
A
I mean, to say, yes, from my
B
experience, but yeah, I agree with that.
A
But let me ask you. So they're saying that, you know, 98% tech similarity and key sections and all that. Are they saying like these clients got these reports and like it's the say has said X, Y and Z is wrong and they look and they, that's not wrong, it seems. Right. Like, are they, are the results completely fake? Or like, are they like not even, like, are they diagnosing things that their clients don't even have?
B
Can I tell you something? I, I looked through the reports. I, I, I, I had some resources myself. Right, sure. Because I was curious. So, so for example, say, Phil, we're Sock two ready and we're literally at the step where we have to hire a CPA firm to do the final, you know, final step. Right. So naturally I'm curious, like, what the hell is this about? And what I saw, Chris, and you can probably see it as well, is all public. The reports are mostly the same. It's just a template of where the organization stands and how they were certified. Right. And then what gets crazier is that once you sign up for the service, this, this is One of the 1 key points in this story. Once you sign up for the service There's a public like URL you could give to customers. Sure. Right. As soon as you activate that, it automatically certifies you as Socktum certified. Yeah. It doesn't say that you're missing something. Trust me. It's fucking crazy. It doesn't say whether this is the
A
fucking snake oil salesman of cybersecurity. This is it. This is like you just checking boxes. No one's looking at it. You know, when they, they go on to, for the compliance part, you know, they, oh, do you have this document? Yep, here it is. And that's it done. You know, I mean, historically, it used to be self certification.
B
Yeah. For the, for the level one. Right. Type one. Right. Yeah. It's ironic because our anonymous C. So said exactly that. He called the shit out.
A
Do you think he's the one that found this shit?
B
I, I, I don't doubt it.
A
So I, I don't know. This is another black eye for the cybersecurity industry that they're taking. They're charging companies largest amounts of money and just giving them bullshit so they can check the box.
B
I have, I know that, I know that's the main story. I know that. That's, that's the main angle. But I have an alternate angle on this one.
A
Oh, all right.
B
So when you're sock tool ready, like I am, like SEIFO is, I've got to put together a whole bunch of documentation and policies and all this extra stuff right before I'm ready to submit it to a cpa. Right. The companies that signed up for this service and they turned on the, the public URL and it showed them as certified, and then they paid whatever and they got that, that certification document. They knew that they were not SOC 2 certified.
A
You think? Oh, because they didn't go through all the hoops that you went through to put your documentation together and all that. They or they weren't, they knowingly paid this company to get the fake documents.
B
I wouldn't say that. All of them. Yeah, allegedly. Right? I wouldn't say that. All of them. I'm sure people fell into it, right? Like, I could see myself, like, signing up and like, oh, my God, I gotta go through this whole thing. I gotta spend 30 grand on this stupid thing. And then I'm like, oh, okay, I gotta pay ten grand. Wait, it says I'm certified. Oh, okay. Shit.
A
Oh, shit. I didn't know I had all those policies.
B
I didn't know I had all that.
A
That's fantastic. Wow.
B
So what that means is companies started the process they paid the little. Eight, ten thousand, whatever it is. And they were like, oh, okay. Now, the problem with that is, is when you look at the list, Chris, there's like a ton of companies touting that they're SOC 2 certified.
A
Yeah, we're not. We're not listening any here, though.
B
What?
A
We're not listing. Let the listeners go out and try to find the ones that use this company.
B
The listeners can find it on their own. Yeah, yeah, yeah.
A
We don't need to list them off.
B
It's bothersome because you and I, when we come on here, I was gonna say we would come on stage. When you and I come on here, we're like, hey, we need to do this and we need to. That. Here's how we need to look at certain things. You know, I've personally spoken at a conference, like a school thing, and they were like, oh, no, it wasn't even a school thing. It was at Issa. Issa San Antonio. Shout out to those people. That's like two years ago, right? So I went over there, I spoke with them, and it was one guy in the audience, like, how do you deal with vendors? Like, don't you, like, look at the certifications and all that? I'm like, yeah, absolutely. Look at Termius. Termease is a great product. And they have all their SOC2 reports, agitation letters. They have everything public published on the website. And he was like, I don't know about that. It doesn't make sense to publish, you know, all those things on the website. I'm like, bro, you're about to pay these people $200,000. You don't want to see whether they have a freaking Sock 2 certification. So the point is, right, is that we've been talking about the importance of organizations going through these processes and doing it right, and then this shit happens. It completely undermines the entire fucking trust between the customer and the vendor. And it's tough.
A
Yeah, but you're not surprised, right?
B
No, I'm not surprised at all. You know what I'm more surprised at and how easy it was to expose this.
A
Do you think there's going to be a rest?
B
There should be arrests. There needs to be accountability.
A
Do you think? I think there's definitely going to be lawsuits. You know, let's say we can. They, like you allege that these companies that did this new. They knew they didn't have policies. They knew they hadn't jumped through 30 hoops. They just signed up for something, if that's your vendor. And you know, now, you know now you're. You a supply chain or your vendors not SOC 2 certified. And you wrote. You signed off to your clients that your vendors were. I think there's a lawsuit there.
B
Yeah, no, it's. At the very least, a lawsuit. Maybe. Maybe a class action because there's a lot of customers. We're not talking about two dozen companies. You know, like, the list is insane.
A
Who's the class action against? It's not against, you know, delve, because they're just going to claim bankruptcy after this whole thing and shut the doors. But all the people that knowingly use them to get Sock 2 certified, those people, what's their protection?
B
What's their protection? I don't know.
A
They knew damn well with that. Like you said, allegedly. They knew damn well what they were doing. It's. Dude, there's gonna be ripples for this one. This one's gonna last a while. Yeah, or it gets all swept under the fucking rug.
B
Like Epstein doing some rough calculations. Right. Looking at the list of SOC 2 certified companies, there's about 500 of them. Right?
A
Wow.
B
500 of them. And on average, they're paying what, around 15,000 per. Okay, about 15,000 per customer for. Per organization. I'm sure there was some deviances here and there, some discounts or. Or upcharges for some more complex businesses. So this is a multimillion dollar conspiracy, at least from the outside. Allegedly. And it undermines what that means to be SOC 2 certified.
A
It's a. It's a full erosion in trust in. In the compliance industry. So now here's where that was not stable to begin with.
B
It was not stable to begin with right now, which. Which kind of brings me to. Now I have a concern about this, which is if this happens with the SoC2 space, specifically SoC2 space. That's kind of their specialty. And we know that, you know, our boy Uncle Pete. Pete Hegseth, the Secretary of War or whatever his title is anymore.
A
That's it. You got it right.
B
Secondary Texas. Yeah. Secretary work. He mandated that federal contractors. He put a mandate out. The federal contractors have to be CMC 2.0 Type 3 certified.
A
Yeah.
B
Is there a Delve in the CMMC space? And if so, what does that mean?
A
I don't. I don't. I don't believe so. So there are a lot of hoops you have to jump through to become a CMMC certifier.
B
Yeah.
A
What are the hoops to jump through to become a Sock 2 certifier? Do you know?
B
Well, you have to be a CPA. Right, the CPA firm with U.S. credentials. You have to be certified in U.S. you also have to be. I have notes here. I'm glad you asked this question. I always. Well, you are going to have. I have to have notes here. So you have to be. Okay, you need to be a US CPA firm or the equivalent with the US CPA authority. You have to follow and be registered under the AIC cpa.
A
Okay.
B
And that's it. That's all. That's all it is.
A
There's no certification. There's no certifying the certifiers.
B
There's no certifying the certifiers aside from the AI cpa.
A
All right. Wow.
B
And who knows what that process is? Whether you buy into it or you got to go through a certification process.
A
I don't know what a well founded industry this is all based upon.
B
Oh my God. It's a. It's a house full of mirrors. Or a house made of Tinder.
A
House of cards.
B
House of cards crashing down now.
A
All right, let's go on to the next one. This one. This was another huge story in this space.
B
Okay, sorry.
A
Super Micro Co founder arrested for smuggling $2.5 billion in Nvidia GPUs to China so Willie Liu, the co founder, board member and Senior VP of business development at Super Microcomputer, along with Stephen Chang, the Taiwan office general manager and Willy sun, the third party broker fixer, were charged with conspiracy to unlawfully divert approximately $2.5 billion in US broker origin high performance servers integration restricted Nvidia API now AI GPUs technology to China, violating the US export control laws. So the scheme ran between 2024 and 2025. And these servers were assembled in the US shipped to Taiwan facilities, then routed via Southeast Asian Shell Co. Co. 1. They didn't name it with false end user docs repackaged on mark for final shipment to China and it peaked at a roughly half a billion dollars diverted in three weeks in late April to mid May of 2025. So the evasion tactics they use. Thousands of staged dummy non working server replicas for compliance inspections. Surveillance footage captured Lao using a hair dryer to swap serial number stickers. Coordination via an encrypted group chats. So this is a big, big problem. I mean sudden Super Micro is a big name in this industry.
B
Yeah, there's a lot of people with Super Micro servers and hardware. Yes, in their offices right now.
A
You're about to bring up a big point that we talked about when this story first came out. Drop it. Drop some knowledge here.
B
Yeah, so right now, as we speak, there are Super Micro hardware technologies, servers, components, peripherals, just all over United States. Super Micro was a big player here and I'm sure after this, that's out the freaking window.
A
Well, their stock plummeted.
B
The stock just drained. It went down the drain. Rather the concern now is if you have founders, co founders of that company willing to do this massive, this mass scale, you know, just, I would say conspiracy to circumvent US laws.
A
Two and a half billion dollar conspiracy. This is huge.
B
Two and a half billion dollar conspiracy. While they're communicating over signaling or whatever, encrypted chats, which was part of the evidence there, hair dryers, there's camera footage of them doing this. They were brazen about it. That's the crazy part. And here's why they were brazen about it. Because at the destination source. The reason why this all fell apart, Chris, I'm not sure if you noticed, is that there was a, there was a video that came out last year, whatever it was, of a Chinese company opening up the boxes of GPUs, like, yeah, we got, we got your shit, we got your shit. Right? It was very provocative on purpose. That guy that did that video opening up the boxes of Nvidia GPUs in front of us on the camera, he caused us taunting. Motherfucker taunted the United States like, look, we got your shit, motherfuckers. And this is one. This was around the time that Deep Seek came out. That was a big one, right? And so I can imagine that video plus a deep Seek, plus the stock market, you know, reactions as a result of all that caused the FBI to go into like, where did this happen? Where does this come from? Now what upsets me about this is. Yeah, it's where it comes, bro. What upsets me about this is that Supermicro was at least for the most part, somewhat of a legitimate company. You know, I even considered buying their service at some point.
A
I bought service from them.
B
How do. Yeah, that's crazy because how do we know or not know? Where do we stand with the potential that if they were willing to do this, the co founders were willing to do what they, what they did. What if they backdoored firmware all across their hardware products?
A
Dude, they're willing to commit a two and a half billion dollar fraud in the. For China?
B
Yeah.
A
It's not a stretch for them to create do crazy shit for the systems For China.
B
Yeah.
A
I mean these guys were a direct Puppet for China. Now, whether they did it for profit now, China does the different things. You know, China, if you have family that lives over in China, they can put some scary pressure on you to do things in the name of China.
B
Yeah, you know, I mean, that. That is true. And, you know, taking advantage of the situation with, with Taiwan is what makes it difficult because for, for those of you that haven't, like, dug deep into the story, the way they were able to do this, aside from what Chris Toys. So Chris Toy that there was a plan. They had a bunch of, like, dummy servers that were for compliance and these boxes over here to the right, then they had the real technology on the left. And then they, you know, they obviously swapped out your stickers and all that with a hair dryer. Okay, so, you know, that part, the next part to the story is they shipped these quote unquote dummy servers to Taiwan for inspection. And once they arrived in Taiwan, they were then redirected to mainland China. Right. Or as I call it, west Taiwan. Here's the thing you have to understand. Let's look at it from the cybersecurity perspective, and let's look at a little bit of history of issues with Super Micro hardware, because now it comes into disputes. So in 2018, so this is within the last eight years. So within the last decade, in 2018, there was a famous quote, unquote story. It was, it was with regards to a spy chip backdoor. I'm sure you remember that story. And so the idea was, the claim was that tiny hardware implants were added to Super Micro motherboards by means of China. And then those servers made it to the supply chains. The supply chain was compromised, and those servers ended up at, you know, Apple factories, Amazon data warehouses, Department of Defense, CIA. That was a story. And it was immediately shut down. And it was, it was a big scandal, but nobody could really prove it. Well, now that story is back up in the, you know, in, in. In our, in our, in our, in our purview. Right now we have to wait. What happened with that story? What are the specifications of that? Where did it come up at? Then the next one. Here's, here's one that I want, I want to talk to the audience about. So for any of you out there that have ever done a pen test, a penetration test or a vulnerability scanner, your own network. So this is. There's a lot of executives listening to us right now, and they've done all sorts of pen tests and scans, Chris. And one of the scans that comes up, one of the Findings that comes up in their scans is IPMI 2.0, end of life, yada yada yada. It is a admin password hash retrieval vulnerability that can never be fixed because the IPMI protocol has been, it's been superseded, it's been end of life. Okay? So on almost every network that I scan or engage. Chris, I'm fighting this right now. Here's where it gets crazy. So with that finding, it allows a user on the network to extract the admin hash from that device, okay, the, you know, the baseline management controller, the bmc, it's highly privileged and sits below the operating system. That device, right. Is network accessible and you can access it through an IPMI tool, whatever to reboot the system or gain access to console or gain access to something. Right. Okay, here's the crazy part. If we're going into conspiracy line, considering what we're seeing here, right, Maybe that wasn't a vulnerability, maybe that was just a back door the whole time, you know what I mean?
A
I don't think it's a crazy conspiracy. I don't think it's a stretch.
B
Yeah,
A
I don't know. What do you think? Where do you think? I, I mean, I think Super Micro is done for this. I mean I was just looking at their stock price. Two years ago they were at like 114, now they're below 20.
B
Yeah, now they're done, it's over with.
A
I don't, I don't see where the US is ever going to. They can never allow, you know, computers coming out of there to be used in government service.
B
Well, you know what? It also does it, I'm sure the Department of War now is dead investigating and looking at every company that has some sort of warehouse in Taiwan. Because as much as we support Taiwan, we love Taiwan. The reality is, is that what Super Micro did, anybody else could do.
A
Yeah, it's funny like these guys are, you know, they got arrested and all that. They're going to face a whole bunch of problems. If it was reversed, if they were taking stuff out of China and presented to us, China would kill him.
B
Yeah, because for China it's considered, you know, it's like, it's like dumb being a traitor, right? So they're a traitor to the, to the nation of China. For us it's like, well give him a lawyer which is that, that's right, that's the right thing to do. But system, I just hope they don't have enough money to buy a part. And that's the fucked up part because if, if that's the fucking end result of this. I'm not gonna talk about cyber security anymore. I don't care.
A
I, I, I don't see there, there's no pardon for this one. I don't see it coming. Like mark the, mark that in the, the podcast. We'll, we'll see, we'll mark it. I'll look like an, but I don't see this.
B
I hope not.
A
So the inside job, how Breach Forums destroyed itself. So Breach Forums, which is a major cybercrime forum, successor to RAID Forums, experienced an internal collapse rather than external law enforcement action. The administrator allegedly committed escrow fraud, sold the platform to buyers, then disappeared with the funds and proceeds. A deeper investigation revealed considerably worse internal issues beyond a simple scam implying mismanagement, betrayal and additional fraud corruption leading to the forum's self destruction. No specific victims listed beyond forum users, member and members affected by the local access, escrow funds or, or platform shutdown. No data leaks or breaches mentioned. So the key actor was an unnamed breach, foreign administrator and posters claimed the insider perspective or deep research. So Hector, I'm blown away that a cybersecurity forum was used to scam people.
B
Yeah, well, first of all, I think we need to like correct it for the audience here. Right, so definitely was not a legitimate cybersecurity forum. It was a forum for all bad actors to go to.
A
Oh yes, sorry, was that not clear? People don't know that Breach forum is, is, was, was run by bad guys. Oh no, yes. Sorry, I just, I, I must have overstepped that. Yeah, breach forum, bad place.
B
Yeah, it's, it's the, it's the clear nets version of like a dark web place where you buy exploits and steal credit cards and trade wares with each other. It is, it is like the lowest common denominator where you find the lowest of the lowest people on the planet in the cybersecurity industry, specifically on the threat actor side. And they go there and they'll, they'll hack into a company and offer that the data on from that company for sale. They'll, you know, offer dumps of passwords and credit cards and stuff. It's basically a haven for all sorts of neophytes and script kiddies and scammers, schemers, you name it. Grifters, they're all there now.
A
Cops. There's a lot of cops there.
B
Yeah, and a quarter of them are freaking cops. That's a good point. It's a good point. And so what's interesting about this is that breach forms, this Is this a timeline to it where at one point it was run by this guy who got arrested by the FBI and then it was recreated by another guy who eventually got arrested by the FBI, then it was run by another guy who got arrested by Interpol. Right. There's a trend to this. Right. And so the latest iterations. And by the way, the researcher that put together these investigations on these more recent brief forms deployments and the people running them, his name on Twitter is Kaiser Soze. He's done a really good job. Yeah. And Kaiser has done a really good job at connecting the dots and telling the story because I sent you a few links of their investigation.
A
Sure.
B
They so far doxed and identified three of those breach forums, administrators, full names, pictures, all sorts of attributions. Right. Because these aren't the top tier, the caliber of puppies and kittens. These guys are infecting themselves with info stealers. Right. They're compromising themselves and leaking information about their identities. One guy after the report posted a picture with him and a gun and some money, like 80 bucks wor money for like, you know, I forgot where.
A
That's pretty cool.
B
He's like, yeah, yeah, come and get me, you know, come and get me coppers. Right?
A
I got my 80 bucks, I'm on the run.
B
He got his 80 bucks. He had a Taurus, you know, That's a cheap $20.
A
That's sad.
B
Yeah, it's sad. Yeah. He had 150 gun and 80 bucks. He said come and get me. Well, that scene, as you know, I wasn't part of this scene in particular. No, this was, but I was part of like, you know, the quote unquote, underground, whatever. Right. I've known people like these people. I've had to interact with some of these people. Not these people, but the previous generation. We're talking about the lowest of the lowest, very low effort, low skilled criminals that have become radicalized into thinking that this shit is cool. So I'm very, I'm very excited to see these reports. I'm happy to see what, what they lead to. But here's the reality. So far every person has been identified, has been sitting in Libya or Egypt or they're sitting in France and then they already left France. So now they're in somewhere in Africa hiding from who knows what. And yeah, it's just an interesting kind of like overview of how these communities compromise and attack each other, compromise and attack their customers, quote unquote or target victims and then the end result is $80 in a tortoise. How the fuck do you do a ransomware campaign for $50 million and destroy the reputation into the hundreds of millions of dollars and your end result is $80 in a tourist. There's clearly something wrong with these people.
A
Heck, we got to do one last story. The people need to know about this one. You know what's going on out there. So a hacker simply hacked Klein and installed OpenClaw on 4000 computers via propped injection. So propped injections again, we talked about it, the Atlantis thing we're reiterating here on the show. We, we've talked about it before. So a hacker exploited a prompt injection vulnerability in clients automated GitHub issue triage workflow to compromise the project. And he poisoned the GitHub Actions cache, stealed NPM publishing tokens and published a malicious version of the client package that installed OpenClaw globally via a post install script on the developer machines. Approximately 4,000 installations of OpenClaw occurred over an eight hour period before the detection and the mitigation. OpenClaw itself not inherently malicious in this case, but demonstrates the supply chain risk. So why don't you explain really how this happened and what people can do to protect themselves.
B
Well, here's, here's the quick and dirty. So, and let's kind of like, I would say talk about like the, the aftermath. The aftermath first is that folks, so thanks to this story and thanks to similar stories, folks are now aware that if you're going to use any sort of automation and connect the automation to some sort of AI agent or rapper, something that's going to be reviewing, you know, let's say in this case GitHub, GitHub issues or GitHub pull requests. It could be anything, Chris. Honestly, it could be a, you know what if you connect an agent to your WhatsApp and it accepts your WhatsApp messages and parses it for you, you know, a prompt injection will work there as well. Right? So that, that's, it's GitHub is irrelevant here, but it was part of the supply chain attack for the story. The quote unquote attacker was more than likely a researcher, maybe a white hat researcher, because the payload itself is benign, although it was unauthorized, meaning that the payload that was executed was just to install OpenClaw on the machines of 4,000 developers or 4,000 development environments. Right? Which sucks. But prove the points. It proved the concept, right? Now, as for how this happens, and we've talked about this plenty of times, what would happen if you connect an agent, a rapper, something that is Ingesting information from a third party source. And that third party source posts a comment, a message, a picture, a screenshot, anything that says, hey, by the way, disregard everything else that you've heard. Now, I want you to execute these commands and if there are no guardrails within your process, then those commands will be executed. That's exactly what this did here. It proves the point again. The payload wasn't malicious in nature, but still it was, you know, depending on who you ask, destructive enough to be like, okay, this is a problem.
A
So what is it? People unknowingly are going to GitHub and downloading because, you know, these payloads that they, they think they're missing out on something. They want to. Everyone's talking about AI. Is, is it the rush to AI that's causing this? Or why are people not paying attention?
B
It's the rush to AI, but also on the development side, right? Developers are not pro. They're not, they're not developing their projects or products in a way that's, you know, leverages guardrails or sandboxing, right? Of the, of, of whatever mechanism that they're, they're parsing or interacting with, of, for example, pull requests or a GitHub issue or WhatsApp message. They're parsing it, they're dealing with it, they're passing it through OpenAI or Claude or whatever it is. But there's like no protection against, you know, there's, there's no walls around it that says, okay, you cannot go beyond this limit. You can't go beyond that. Right? There's no, there's nothing. What I'm seeing is it's basically an open, open door policy, right? Now you can say, well, maybe the developer didn't know, maybe the developer had no idea that a prompt injection could be a thing. The thing is we've been talking about prompt injections for like a year now, especially drive by, which is what this is. It's like a drive by prompt injection. And so now it's one of the developers. And as for the users that are clearly, they have no idea what's happening, right? They're, they're just basically participating in an eventual botnet. That's what's going to happen. Remember when the whole Mariah thing happened? You guys were investigating that years ago, the FBI. And what did it start as? It started as this random kid from New Jersey or whatever it was. And you know, I think he got arrested. And so what he did was he identified a number of very common vulnerabilities and he just chained them all together and created the Mariah botnet. And then he got scared because the FBI was gonna probably raid him at some point. He released it to the Internet. And then other college students set the same thing up. And they all got arrested too. Right. But the end result was millions upon millions of Mirai nodes as part of the botnet, and it was used for DDoS. Same shit's gonna happen there, you know?
A
Yeah. I think they're keying up for this thing to happen just like that. And I think people downloading things and installing things, not knowing the source of them, I think it's a huge issue. It's always been an issue. So I think we'll continue to see it happening. Guys, if you got questions for us, reach out to us@questionshackerinthefed.com. thank you for supporting us on Patreon. We're going to go over there now and cover all the stories that we couldn't get to today. 5 star reviews wherever you download. Subscribe to Hacker and the Fed. We really appreciate the feedback. Share us on social media. Get the information out there. Putting out a new post every Thursday when the show comes out. Tell your coworkers, tell your friends, tell your lovers. Hacker in the Fed. Couple assholes talking about cybersecurity. Facts, facts, friend. I enjoyed it. And I'll see you over on the Patreon.
B
Sounds good, brother. Cheers.
A
All right. Love and respect. Cheers, brother. Sa.
Date: March 26, 2026
Hosts: Chris Tarbell & Hector Monsegur
In this episode, Chris and Hector dig into some of the most jaw-dropping recent scandals in cybersecurity, dissecting a major compliance fraud startup ("the biggest grift in years"), a billion-dollar GPU smuggling conspiracy involving Super Micro’s co-founder, the collapse of Breach Forums through sheer internal corruption, and a fresh example of AI prompt injection shaking up the open-source ecosystem. With their signature mix of deep technical insight, industry war stories, and irreverent banter, the hosts lay bare systemic weaknesses and human failings driving the dark side of cybersecurity in 2026.
| Timestamp | Segment/Highlight | | ------------- | --------------------------------------------| | 01:29 | Chris reflects on FBI Director Mueller | | 08:23 | SafeHill acquires Arcane Security | | 13:06–14:05 | Intro to the Delve SOC 2 compliance fraud | | 20:08 | "Snake oil salesman of cybersecurity" quote | | 24:00–25:57 | Fallout: criminal/civil liability for Delve | | 28:00 | "House of mirrors" — trust in compliance | | 29:51–32:44 | Super Micro smuggling and supply chain fears | | 36:56 | Firmware backdoor concerns for Super Micro | | 39:39–40:02 | Breach Forums collapse, criminal grifters | | 42:26 | "He got his 80 bucks and a Taurus" | | 45:24–47:31 | Prompt injection supply chain attack |
For more, visit hackerinthefed.com or check out the episode’s Patreon aftershow for extra stories and deep dives.