
The leaderless resistance
A
Hello everyone, this is Tom Uren and I'm here for another Between Two Nerds discussion with the Gruk. G'day, Gruk. How are you?
B
I'm good. Yourself, Tom?
A
I'm well. This week's edition is brought to you by Kroll Cyber. So a few weeks ago, maybe a month or two ago, there was a UN report that came out and it was talking about the use of technology by transnational organized crime in Southeast Asia. One of the things that really leapt out at me was just how much organized crime was using Telegram. So in that report they talked about a very large Telegram market for criminal services, particularly cyber criminal fraud, phishing, that kind of thing. And the organized crime group actually guaranteed the market and they vetted vendors and stuff like that. And I wrote a piece that talked about how Telegram turbocharges crime. And ever since then I've had that lens in my head and whenever I see a story about a cybercriminal, all of a sudden all the parts where Telegram was involved just leap out at me. So this week, and Patrick and I briefly spoke about this on Seriously Risky Business, a Canadian man was arrested and he's allegedly the person or one of the people behind the Snowflake data breaches. So this was a string of data breaches where Snowflake is a cloud database analytics type company. Different companies were uploading data and they were just using credentials without MFA. And some of these people then had their credentials stolen by info stealers. And then this person, the allegation is it's a guy called Alexander Mocha, they acquired the credentials, maybe bought them, and then just stole a whole lot of data. Now in the wake of his arrest.
B
So we're talking about a very, very elite, top tier hacker.
A
Yeah. So part of the point is it was just so simple. Credentials, download data, bang, off you go. Now there'd been a couple of, I guess, profile pieces that sort of step through the history of the online accounts associated with this hack. And what leapt out at me was, first of all, it seems that he was hugely into Telegram.
B
It's the Telegram to infostealer pipeline.
A
Yeah, exactly. And so I thought today we could talk about some of the human aspects around that. What difference does it make that Telegram exists? Would this crime, we won't answer this question, I don't think, but would this crime have occurred without Telegram?
B
Right, I'm just going to rephrase your question, which is, would this crime have occurred with these people without Telegram? Because it seems to me that the fundamental vulnerability was these credentials. There are credentials that allow access to this and to this valuable data. So someone would figure that out, but it's. Would it be a couple of 20 year olds in like Canada and Turkey? Or would it be, you know, Russian professionals, for example? Would be the alternative, I think.
A
Yes. So one of the questions I'm interested in is were they, I want to use the word radicalized by Telegram. So let me just sort of paraphrase part of the story. So this is from research firm Intel 471 and one of the personas was a member of more than 25 Telegram channels or groups authoring more than 1400 posts. The groups and channels are associated with adult content, leaked data sets, malware logs and SIM swapping.
B
So this actor, that's the big three, isn't it? It's, you know, adult content, hacking and extortion. Yeah.
A
This actor had been a key figure within Telegram channels or groups, including Star Sanctuary and Star Chat, which is one of the biggest SIM swapping communities. So there's other communities that I've written about, one in particular called the Com, which is similar sort of thing. People get involved in this rather large community of thousands of people which are involved in, you know, SIM swapping, different types of fraud, social engineering, data breaches, extortion, identity theft, cryptocurrency theft, et cetera, et cetera. Yeah. So I'm wondering if Telegram doesn't exist, does this person even fall into that social set?
B
Yeah.
A
Did they get radicalized by that app? Radicalized is a loaded term.
B
Yes. So first of all, I think we should talk about what Telegram actually is because it's billed as an encrypted messenger and the security community loves to go on about how like it's not encrypted. When I think that the real thing is like it's not a messenger. Right. Like it's a social media platform. It doesn't have like publicly available posting and pages and stuff like that. It's just these group channels are like the main draw. That's where all this stuff is happening. So essentially it's very much just a social media platform that has communities that develop on it. And the encrypted messenger sort of framing is just completely wrong because.
A
Yeah, that seems like it's neither encrypted nor a messenger. Yeah, like that's to me a lot more like discord than anything else.
B
Yes, yes, very much. Except I think it runs more easily on phones, for example. It's existed for longer, it's got better integration with bots and things like that. Like, they actively encourage writing bots. Like, that's all SDKs, it's all officially supported. They've got APIs, it's all documented. And I think it's a cultural thing as well. Right. Discord is very much like the gamer space, which. Not that that doesn't have radicalization issues, but it's separate. So I think.
A
I mean, if Telegram went away, probably they would migrate to Discord, because they do mention quite often that this person was also active on Discord or.
B
Yes.
A
Or some of those communities are also active on Discord.
B
Right. Like these are communities that are going to find each other because now that they've got shared sense of community, they will find a way to communicate. They might have discovered that community on Telegram, but now that they're part of that community, it doesn't need to be married to Telegram. It can migrate anywhere as a community. And yeah, I think they will find new recruits wherever they go, as long as there's some sort of publicly accessible space. Like, they'll get new people who will be radicalized or indoctrinated or who would conform to the norms of that community, which happened to be radical and criminal.
A
Yeah, it's human. The problem I have with the word radicalized is that it implies. Well, what happens is people just take the values of the community they're in, and if you're in what we would call a normal community, that's just good behavior.
B
Right, right. Yeah, it's.
A
It's every day we call it radicalized.
B
It's everything we do as a norm, everything they do is a crime. Right. And it's like we happen to think that, you know, stealing money, doxing people, and being just a terrible human being is not a good norm. That's. That's a bad thing to do.
A
But you still hesitated using the word radicalized.
B
Yeah, I think it's loaded. It's got a lot of baggage. I think that they're conforming to the norms of a particular deviant community. Deviant in the sort of academic sense of, like, it's different from. Not that it's necessarily worse, although it is, but it's. But it's different. You know, I think that's the salient point, is it's not the same as regular civil society. It's deviant.
A
Neither of us like the word radicalized because it implies a value judgment. But these people are just terrible.
B
They do deserve to be judged.
A
And so you buy that thesis that people somehow find that community on Telegram and they get drawn into it? Do extreme things.
B
Yeah, yeah. So there's this thing called a purity cycle. And it's the sort of social phenomenon that when you join a community, they will have a thing that defines them as that community. It might be like we're communists or, you know, we're vegetarian. No. We're vegan. No. We don't eat anything that has roots. Right. Essentially what happens is the utopian, idealized version of what that group believes. The ideal member is sort of keeps walking further away from what they are. And so people, they start spiraling. Like you have to become more and more extreme in your dedication to the sort of unachievable ideal.
A
Why is that? Is that because part of being in a group is demonstrating that you're different?
B
Yeah, well, they're demonstrating that you're part of the group.
A
Right, right. So it's the performative.
B
Yes, it's very much so. It's. Yeah. Like if we're the group that wears, you know, occasionally we wear red stuff, then we always wear red stuff too. We only wear red to anyone.
A
The more you wear red, the more you demonstrate your commitment.
B
And so therefore it's a, it builds on itself. Like you can't, you can't become less committed than someone else. It's a ratchet. So it's called a purity cycle because you become more pure to this ideal that you have. But I don't think that that's the best framing for what happens in these communities because it's not necessarily like they don't have like the ideal criminal that they're trying to become. You know, like they're not having self criticism sessions of, you know, like, what have you done that has not been up to the ideals of the perfect criminal. Right. Like, let's confess.
A
So I imagine it's more about cred and social standing and.
B
Right, Japes. Right? Exactly. So it becomes a sort of thing of like, oh, you know, look how hard Corey is. He bought like info stealer stuff and then he went and like read someone's emails. So like that's now your new floor. Right. Like, if you want to be cool, you have to do something slightly better than that. Like that's your bare minimum table stakes. And so it progresses and then you start being able to do the stuff like, oh my God, dude, the FBI is so going to get us. Oh my God, this is so wild. Because you see that in the logs all the time. These guys will do crimes and they'll be laughing about like how criminal they are because it doesn't register. Right. Like it's not really happening in a way.
A
Yeah, the concept of long term consequences is not yet developed in their brains.
B
Yeah, exactly. So I think this is what happens is they sort of get into this purity cycle and it's this deviant ideology of the thing that they're doing is transgressive. Right. We're stealing, we're hacking, we're being cool. And I mean unlike my generation, of course, which did not actually have a purity cycle about hacking and developing exploits or security research that was ours was completely different. Whereas in this case the young people.
A
All the middle aged cybersecurity people were snow white during their youth. Upholding upstanding citizens.
B
Yeah, some sort of messaging community where people chatted to each other and goaded each other into doing sort of more and more extreme security things. That is not at all what I remember. But what's so interesting is like these are the same dynamics that get used with terrorist groups because you need, like you kind of need to convince someone that they should kill other people for an idea. Not even necessarily an idea that they understand particularly well. You know, be kind of abstract, you know, like it's the, you know, we're trying to achieve communism or unity or a people's homeland. These vague things that you can believe in. Like yes, that sounds great, I want that. But it's.
A
Yeah, they're big, but they're also diffuse.
B
Right. It's, it's a sort of a people's homeland. But like where are the borders? What's your immigration policy? You know, like these are, you know.
A
Like what's the taxation with details?
B
Yeah, like are you going to be like a parliamentary democracy? Are you going, you know, there's like all of these details which are irrelevant at this point because you know, revolution now, details later.
A
Yeah.
B
So anyway, like when you're, when you're trying to get these people to do stuff, you kind of. So first of all you want young men because young men are dumb and they want to impress other young men and other older men who seem cool and they will do stuff and they have no concept of long term consequences.
A
So this is like terrorist groups. Right. I'm always trying to translate what you're saying into the current cybercrime ecosystem where I don't. Like there is no organization that's trying to recruit people. Yeah, it's so it's all organic.
B
Right. So here's the other thing is that terrorism is, it's kind of big. Not sure if you're aware of that. It's sort of difficult to define, but you've got the sort of this formal hierarchical system like the IRA or the ETA or Hezbollah or something like that. You've got officers and then middle managers and then foot soldiers. And then you have this other concept which was leaderless resistance. Generally speaking, the weakness of that hierarchical system is that there has to be communication between these different layers. And that communication can be detected. And it becomes a way for security services to dismantle the group. If you capture a foot soldier and you monitor his communications, then you get his manager, and then you capture the manager's communications and you get the leader. And then from the leader, you see who else he's talking to and the whole thing unravels. So the way around that is to minimize the communication between these different layers. And the most extreme form of that is to just have no communication at all, right? To have no covert, private underground links directly between the group and the leaders. And then I think what we're talking about here is leaderless resistance without these public leaders. Right? So the idea with a leaderless resistance as a revolutionary movement is that you've got your public figures who say, won't someone rid me of this troublesome priest? And that's the way that they give communications. And then these sort of revolutionary groups would go out and do what they've been instructed to do in line with the general ideologies of the leaders that they believe in. That doesn't exist here. You just have the groups doing whatever they think is in line with their group ideology.
A
Right? Right, yeah. So my sort of translation to the modern Internet would be that you have criminal influencers who sort of set the agenda just by doing stuff.
B
Right.
A
So they're not, they're not verbalizing an ideal, they're doing stuff and other people are copying it.
B
Right. But it's also going to be stuff like they will watch movies and TV and that will give them an idea of sort of what they want to be. Because this is just like it's an idea, it's a fantasy that they're working towards, right? So it may as well be like Mr. Robot or like the Godfather part three or whatever. Like it doesn't matter where the ideas come from. So I think that once they get into the idea of like we're being criminals, they're going to start pulling from all of these different strands. So in a traditional terrorist movement, one of the things that starts to happen is the edges that do the actual work tend to become much more extreme than the center that gives the directions. And so it's because the people doing the actual work, like, they don't have the strategic vision of like carrying out.
A
Terrorist operations, you mean? In this case.
B
Yeah, yeah.
A
So because management is still work ruckus, just have, you know.
B
Yeah. So like, basically the center, like the leaders of a terrorist group, have a political vision that they're trying to achieve, and they're looking at violence as a way of achieving that political objective. And so they will ramp up and ramp down the violence as necessary to try and achieve that objective. And if they can keep in constant communication with these groups, they can maintain an internal sense of norms, like a sense of process and purpose. And like, you can explain, like, the reason that we're going slow right now is because things are going our way and we want to keep it going like this, blah, blah, blah. So if we start killing a whole bunch of people, it's going to make things worse for us. Whereas right now it's good, etc.
A
That disconnect between the frontline operatives and management, that sounds very familiar to me from working in a big bureaucracy like I remember, and that there's often this disconnect between the two. Like one survey in one of the intelligence agencies, frontline workers were not that happy. And the higher up you went in management, the more rosy everyone thought everything was.
B
And these are organizations where you can actually have communication.
A
That's right. That's public service. You just email people.
B
Terrorists are not having the Friday standup. There's not this level of comms where you can basically get everyone in a room and be like, this is our one week to let loose, get together, do some icebreaking trust exercises, you know, and get to know each other.
A
That's right.
B
No, so absolutely. And, you know, the more tactical you are, like, the closer you are to the actual work and the less sort of big picture you have, the less you're going to see how your work fits into the sort of grand vision.
A
Right.
B
And so you're just going to see that your work is frustrated, that it's, you know, you could be doing more.
A
Of whatever it is you're meant to be doing.
B
Yeah, right, right. It's, you know, you don't get enough resources, your proposals keep getting shot down. You know, whenever things screw up, you don't get support from management. You always know that you could do a better job if you were just allowed to let loose. Right. That's the dynamic that we have at play here. Except that there is no strategic, there.
A
Is no senior management.
B
So when there's a lot of pressure, and you can't do that sort of communication, which is basically the case for a terrorist group, the edges tend to become more and more radical because they hit these purity cycles where you and the five other people that blow things up and shoot people will start going, you know, the problem is we're not shooting enough people or blowing enough stuff up, because that's obviously the way to achieve what we want to achieve, because we all know that we're trying to achieve the people's homeland. Yeah. So, like, basically, they become more and more extremist in their violent tendencies.
A
And in this case, there is no center. So there's no restraining.
B
There's absolutely no one saying, okay, we need to go hard now or we need to go soft. Because they don't actually have a center. They don't have anyone crafting a political strategy that their actions are supposed to further. Well, they're just.
A
I mean, is there even a point other than just to have fun?
B
No. Exactly right. So it's a cell. It's a very large cell. A lot of people in it doing a thing that we can sort of. We can term violent or antisocial, at least.
A
Yeah.
B
And doing more of it makes you a better member of that group. And so they start purity spiraling on this antisocial behavior, which is a very, very nice way of saying. There are a bunch of who get.
A
Their academic way of saying it.
B
And they impress each other with how awful they can be to other people, and they get into games of one-upmanship with each other on being dicks. But I hesitate to call them radicals.
A
That's right, yeah.
B
Yeah.
A
Radicals implies that they have some sort of purpose.
B
Right.
A
Perhaps another reason why I. Yeah, absolutely.
B
The thing is, like, Telegram creates a space for these communities to find each other and develop. And then the social dynamics of the way that these small communities behave, they're going to get into these sort of spirals of goading each other on. Into more and more extreme behavior. And if it's deviant and criminal to begin with, it's just going to become more deviant and criminal.
A
Right, yeah.
B
And that's not Telegram's fault, except that it created the space for these people to find each other and it didn't do anything to break them up.
A
Yeah.
B
Facebook would be the counterexample, I think, where you've got a platform for people to find groups and to meet each other, and there's sort of a policing to make sure that it's not super extreme, not particularly criminal. Like, it's not perfect. Obviously, I'm not trying to defend Facebook here, but it's something. Whereas Telegram had nothing. Right. So there's a lot more space for these groups to pursue their purity cycle of deviance incrementally.
A
You've drawn many parallels with terrorist organizations. Right. But do you think that the fact that there's no organization, there's no leadership, there's no central control, does this make it actually worse? I mean, I guess it's not worse in that the purpose of the organization isn't to actually go around. The purpose is less. Well, it's nebulous. It doesn't exist. But does that mean that it just spirals on forever?
B
Yes, I think so. I mean, like, the way I would put it is that this is a strong social dynamic and terrorist organizations take advantage of it and channel it. Whereas here you've got it in sort of raw form. You don't have that sort of organized official structure. I guess one thing is that, you know, while I've said that Telegram didn't have any policing, Facebook does. And so to a degree, this more pervasive environment that you get in Telegram allows these groups to fester, to exist there. But I think if they weren't on Telegram, they would be somewhere else. And then it's just a matter of how many and how big would they be either.
A
So I guess in the fight against ISIS, it was trying to squash as many of these groups as possible. I guess the potential for terrorism justified stronger action. Whereas so far, you know, a whole lot of data breaches, not a whole lot of action.
B
I think that we recently discussed how data breaches are not actually a political problem, that they don't reach to the level of. Of.
A
That's right. Bigger fish to fry.
B
Yeah. Like, this level of cyber criminality is not sufficient to warrant heavy state action. I mean, there's state action that something's happening which is, you know, good, but it's not. You're not getting, like, an all of government. There's no Manhattan Project, you know, to wipe out cybercrime. Right.
A
It's just.
B
It's not that important, particularly when, you know, if you would just enable multifactor authentication on your goddamn cloud data.
A
Yeah, yeah, yeah. So, I mean, once you've built that community, I kind of agree. It's hard to see it going away. Like, that's what people did with ISIS, though, right? They tried to.
B
Yeah.
A
And partly, I think that was because that was viewed as a recruitment funnel, whereas, I don't know that these communities deliberately try and recruit. I assume it's just organic word of.
B
Mouth and I think it's like they're probably edgy and cool. So if you're slightly younger and there's this sort of frisson of danger around the whole thing, which is probably very exciting, and so you maybe join as a lurker and then you're like, oh, okay, I can find an info stealer and emulate these guys and be cool too. You can see how there's certainly a pipeline into joining that. But I think that the eradication of Telegram, or maybe the policing of Telegram would have an impact in that having a completely unmonitored space that's very easily accessible, it's widely available and sort of anyone can join from their phone. That low friction is going to mean that there's going to be more people who join it. So if you take away that option and say, yes, you can join this community, but you're going to have to download Tor, you're going to have to find the right forum, you're going to have to pay the $50 entrance fee, you're going to, you know, once you start putting those barriers up. Yeah, absolutely. There's going to be a smaller community of criminals because that organic pipeline is just not going to work as well. It's going to be too difficult. Like, I don't think you can eradicate these groups or this sort of growth of deviant antisocial behavior from young men, but I do think you can make it harder to join or harder to find and they will find another outlet to do their thing.
A
I mean, a lot of the stories I've read, these people were outsiders from the beginning.
B
Yeah. You're trying to find a community.
A
Yeah, right. It's not so much that they were turned into outsiders so much as they found a community. Well, obviously what we need is something for outsiders to do that is both edgy and socially productive. Easy, solved.
B
Done. Thanks a lot, Tom.
A
Thanks. Thanks, Gruk.
Title: Between Two Nerds: How Telegram Creates Cybercriminals
Host: risky.biz
Release Date: November 11, 2024
In this episode of Risky Business News, hosts Tom Uren and Gruk delve deep into the intricate relationship between the messaging platform Telegram and the proliferation of cybercrime. Through an engaging and insightful conversation, they explore how Telegram serves as a fertile ground for cybercriminal activities, drawing parallels to the dynamics observed in terrorist organizations. The discussion highlights the social engineering aspects, community behaviors, and potential solutions to mitigate the misuse of such platforms.
Tom Uren initiates the discussion by referencing a recent UN report highlighting the significant use of Telegram by transnational organized crime in Southeast Asia. He points out how organized crime groups have leveraged Telegram to create and guarantee markets for illicit services, including cyber fraud and phishing. Uren emphasizes the platform's impact on cybercriminal activities, stating:
“Telegram turbocharges crime.”
[00:12]
This sets the stage for a comprehensive exploration of how Telegram facilitates the creation and growth of cybercriminal networks.
The conversation transitions to a high-profile case discussed on Seriously Risky Business—the arrest of a Canadian individual named Alexander Mocha, alleged to be behind the Snowflake data breaches. Tom Uren explains that Snowflake, a cloud database analytics company, suffered multiple data breaches due to inadequate security measures like the absence of multi-factor authentication (MFA). These breaches led to stolen credentials being exploited for massive data theft.
Gruk highlights the simplicity of the attack vector:
“Credentials download data, bang, off you go.”
[02:06]
This case exemplifies how easily accessible platforms like Telegram can be instrumental in orchestrating large-scale cybercrimes.
The hosts delve into the specifics of how Telegram facilitates cybercriminal activities. Tom Uren notes that Alexander Mocha was deeply embedded in Telegram, participating in over 25 channels or groups and authoring more than 1,400 posts related to adult content, leaked data sets, malware logs, and SIM swapping.
“This actor had been a key figure within Telegram channels or groups, including Star Sanctuary and Star Chat, which is one of the biggest SIM swapping communities.”
[04:01] – Tom Uren
Gruk expands on the ecosystem within Telegram, describing it as more akin to a social media platform than a secure messenger, with robust support for bots and APIs that facilitate automated criminal operations.
“Telegram is very much just a social media platform that has communities that develop on it.”
[05:45] – Gruk
A significant portion of the discussion focuses on the social dynamics that foster radicalization and extreme behavior within Telegram's cybercriminal communities. Gruk introduces the concept of a "purity cycle," where members continuously push for more extreme actions to demonstrate commitment and gain social standing within the group.
“If you want to be cool, you have to do something slightly better than that. Like that's your bare minimum.”
[10:09] – Gruk
Tom Uren echoes these sentiments, suggesting that Telegram provides a space where individuals can adopt and escalate deviant behaviors by adhering to the group's norms.
“Telegram creates a space for these communities to find each other and develop... it didn't do anything to break them up.”
[22:09] – Tom Uren
The hosts draw parallels between the organizational structures of cybercriminal communities on Telegram and terrorist organizations. Gruk explains that without a centralized leadership, these communities operate on a model of leaderless resistance, where decentralized members act independently based on shared ideologies.
“This is a very large cell. A lot of people in it doing a thing that we can sort of term violent or antisocial.”
[21:27] – Gruk
Tom adds that unlike traditional terrorist groups, which have hierarchical structures and clear political objectives, cybercriminal communities lack centralized control, leading to unchecked escalation of deviant behaviors.
Gruk critiques Telegram's lack of policing compared to platforms like Facebook, which enforce stricter community guidelines to curb extreme behaviors. He suggests that the absence of such measures on Telegram allows criminal groups to thrive unchecked.
“Facebook would be the counterexample, I think, where you've got a platform for people to find groups and to meet each other, and there's sort of policing to make sure that it's not super extreme, not particularly criminal.”
[22:47] – Gruk
The discussion moves towards potential solutions, emphasizing the need for platforms to implement stricter regulations and policing mechanisms to prevent the formation and growth of criminal communities. Both hosts agree that reducing the accessibility and ease of joining such platforms could significantly impede cybercriminal recruitment and organization.
“There's going to be a smaller community of criminals because that organic pipeline is just not going to work as well.”
[26:00] – Gruk
In wrapping up, Tom Uren and Gruk acknowledge the resilience of cybercriminal communities but suggest that enhanced platform policing and user education could mitigate their growth. They underscore the importance of addressing the social and technological factors that enable these communities to flourish.
“What we need is something for outsiders to do that is both edgy and socially productive.”
[27:42] – Tom Uren
The episode concludes with a call to action for cybersecurity professionals, platform developers, and policymakers to collaborate in creating environments that discourage criminal activities and promote positive community engagement.
This episode of Risky Business News provides a comprehensive analysis of how Telegram inadvertently fosters cybercriminal activities through its community-centric design and lack of stringent oversight. The hosts effectively highlight the need for better platform governance and proactive cybersecurity measures to combat the evolving landscape of cybercrime.