alsetmusic 7 hours ago

> Kiberphant0m denied being in the U.S. Army or ever being in South Korea, and said all of that was a lengthy ruse designed to create a fictitious persona.
>
> “Epic opsec troll,” they claimed.

If this were really a fictitious persona meant to lead investigators away from their true identity, they'd never admit to such. This sounds like someone trying to deflect upon being found out. I'd wager that this person is going to be caught.

Krebs has an image of a mind-map at the end of the article showing links between the aliases.

  • seanhunter an hour ago

    Yes. I'm pretty sure if you spoke to an intelligence analyst they would tell you there's no such thing as an opsec troll.

    Everything your target does (including misdirection) gives or risks giving away information, and there's no way someone who is actually in control of events would blow a cover, because even if you were 99% certain it was false, you would have to continually waste resources trying to confirm that. In particular, if they invested a lot in building this persona and you were on to them, it's much more likely they would just go dark, wait, and plan how to pick up with a new persona.

    • InDubioProRubio 31 minutes ago

      There are robots for everything social now, including manufacturing personas.

  • gostsamo 5 hours ago

    Let's just not believe anything said by an untrustworthy person. What they say should not calculate in what we believe to be true, but only evidence we can verify.

    • skybrian an hour ago

      Well yes, but I doubt that Krebs is really posting this data dump for random Internet readers like us. Some other investigator might find some useful hints in it, though.

  • horeszko 5 hours ago

    > Kiberphant0m denied being in the U.S. Army or ever being in South Korea, and said all of that was a lengthy ruse designed to create a fictitious persona. “Epic opsec troll,” they claimed.

    This is called a "double cover story", a classic deflection when someone is caught or exposed.

    • asimjalis 5 hours ago

      It could be a triple cover story. The faked double cover story is meant to deflect.

      • tedunangst 5 hours ago

        Maybe even skipping the quadruple cover story and going straight to the quintuple. A true pro.

        • function_seven 5 hours ago

          I always play the (2n+1) game myself. (Or do I??)

        • _carbyau_ 4 hours ago

          "Fuck everything, we're doing five covers." ... "Put another misdirect on that fucker, too."

        • labster 4 hours ago

          Good luck, I’m behind seven cover stories

  • dookahku 5 hours ago

    > This sounds like someone trying to deflect upon being found out. I'd wager that this person is going to be caught.

    that's what a super epic opsec troll would want you to think

    • Terr_ 5 hours ago

      "You fell victim to one of the classic blunders! The most famous is 'never get involved in a(nother) land-war in Asia', but only slightly less well-known is this: Never go up against a once-Korean-resident when death is on the line! Aha-haha-hahaha!"

      https://www.youtube.com/watch?v=pRJ8CrTSSR0

  • kgeist 3 hours ago

    Interestingly, Kiber- is how a Russian would transliterate "Cyber-". At first I thought he must be Russian, by the nickname alone (I'm a Russian speaker).

    • ANewFormation 2 hours ago

      Something I don't understand is why people don't appreciate /expect misdirection.

      For instance, a malicious actor, of even basic sophistication, coming from a Russian IP and occasionally using Cyrillic and missing grammatical articles is probably not Russian. Similarly, a malicious actor with a pseudonym including the term patriot, coming from a US IP and using terms like howdy, probably is not American.

      False attribution is a core lesson in malice 101.

      • andrewflnr 2 hours ago

        There's a case to be made for expecting misdirection more often, but the fact remains that most people, including malicious actors, don't have the foresight and skill to pull it off. You do need both. Unless you plan a consistent fake story from the very start of an identity, execute it consistently, and hermetically isolate it from any others, you'll leave clues.

  • johndhi 5 hours ago

    It also seems like bad opsec if he creates multiple aliases for the same theme. Wouldn't you want to have one US soldier, one Russian, one African, etc. if you are trying to create red herrings?

    • XorNot 3 hours ago

      Even the soldier persona is consistent though. The trouble with opsec like this is (1) you always have to win and (2) almost everything, even total randomness, tends to create a pattern (since the negative space of trying not to stand out itself tends to make you stand out).

  • asimjalis 5 hours ago

    Maybe he is operating at the next level. He is deflecting because the investigators will think that he is trying to lead them away from his true identity and become even more convinced of it, which is exactly what he wants.

    • CoastalCoder 4 hours ago

      Truly next level would be for him to be one of the investigators.

      • Tepix 21 minutes ago

        Let's skip this step and go to the next: it's a rogue AI.

      • chefandy 4 hours ago

        But little did he know the other investigators were investigating him… or so they thought…

  • hilbert42 3 hours ago

    Right, there's something odd about this. That image from 2022 of a person's legs [Kiberphant0m?] in army fatigues ought to be a dead giveaway. For starters, why would anyone be stupid enough to do that? Second, I'd reckon the floor pattern alone might be enough to reveal the person; again, why do that? Surely those involved would have thought of that? Alternately they're on the room-temperature side of dumb.

    Of course, that doesn't include the image being a ruse for other schema.

    • bayindirh an hour ago

      > Alternately they're on the room-temperature side of dumb.

      When combined with the uses they claimed for their botnet, the person we're talking about leaves an impression of having the emotional maturity of a 10 year old.

      So, you might not be very far off when it comes to non-technical skills.

  • PittleyDunkin 5 hours ago

    Eh; let's wait and see. For any claim of insight there's an equivalent claim of fabrication. Any such analysis that relies on this is inherently flimsy.

  • rudolph9 6 hours ago

    Or it’s part of the troll.

    • uoaei 5 hours ago

      Bothsidesism has crept into ... US counterintel agitprop?

teractiveodular 5 hours ago

> “Type ‘kiberphant0m’ on google with the quotes,” Buttholio told another user. “I’ll wait. Go ahead. Over 50 articles. 15+ telecoms breached. I got the IMSI number to every single person that’s ever registered in Verizon, Tmobile, ATNT and Verifone.”

SBF levels of self-pwning right there. When, not if, they catch him, the Feds are going to hang this clown out to dry.

  • tgsovlerkhgsel 4 hours ago

    I'd rather see them hang out to dry the 15+ telecoms who gave away "the IMSI number to every single person that's ever registered in..." because doing so was cheaper than investing in security.

    • atoav 2 hours ago

      The only data you can't leak is the data you don't have.

      Therefore some data should either not be stored at all or deleted after it served its purpose.

      • dfedbeef 2 hours ago

        Probably hard for a telecom company to not keep IMSI -> account association somewhere

  • benreesman 41 minutes ago

    Anthropic levels of getting seed funding from SBF and ending up a power unto themselves.

IAmGraydon 3 hours ago

This seems like it would be rather easy for the government to narrow down. Check the logs of who applied for an NSA job on or around the date the screenshot was posted and cross reference any that are/were located in South Korea. I would think that would produce a rather short list that a bit more investigation would crack.

The guy seems arrogant, and arrogant = sloppy. He'll get caught.

  • readyplayernull 3 hours ago

    He knows he's about to get caught, which is why he hurried to knock on the NSA's door. They might let him in after all.

Simon_ORourke 13 minutes ago

Doesn't that just mean they won't ever be subject to prosecution by the International Criminal Court?

hn_user82179 an hour ago

What a great article. I loved seeing the links that Krebs (?)/Unit 221B (?) dug up and all the info they managed to connect. It felt like I was reading a detective story. It sounds like this guy is doomed; the NSA application date alone basically identifies him.

  • Tepix 15 minutes ago

    If you have enough data, I wonder how much of this digging can be automated these days with good LLM prompts. Doing it manually is very time-consuming.

gregw2 6 hours ago

Any insight based on a histogram of the timing of this person's posts, particularly ones responding to a just slightly earlier post? (i.e. the person was clearly awake and it was not an artificially delayed response).

Krebs knows about this timezone analysis technique, wonder if he didn't check this or it was inconclusive?

  • t-3 5 hours ago

    Is that effective for people who aren't literally being paid a salary to do this stuff 9-5? A lot of people who spend too much time on computers have totally out of whack sleep schedules that would look like they're operating from very different timezones.

    • alwayslikethis 4 hours ago

      You can also schedule your posts, commits, etc. to go out at some fixed hours each day.

      • sundarurfriend 3 hours ago

        You can, but a lot of these pattern analyses work out because people get sloppy and overconfident over time, and don't use these measures even if their lives are on the line.
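The posting-time histogram gregw2 asks about, together with the two caveats raised in the replies (irregular sleep schedules and scheduled posts), as an added example that is not part of this thread or of the Krebs article. It runs over a constructed sample thread (no real posts), keeps only quick replies (an answer within fifteen minutes of its parent, the "clearly awake" signal), finds the longest quiet stretch of UTC hours, and converts it into a UTC offset under the stated assumption that the quiet window begins at local midnight. It also flags slots where the author posts on the exact minute on several days, which is what scheduled posting tends to look like.

```python
"""Posting-time analysis: infer an author's likely UTC offset from when they
post, using only quick replies (posted minutes after the parent), and flag
slots that look like queued/scheduled posts. Sample data is constructed."""
from collections import Counter
from datetime import datetime, timedelta, timezone

QUICK_REPLY = timedelta(minutes=15)   # reply this soon => author was awake
LOCAL_SLEEP_START = 0                 # assumption: quiet window starts at local 00:00


def build_sample_thread():
    """Constructed sample thread, not real posts. 'persona' replies within six
    minutes during local 08:00-23:59 at UTC-5, and also has one queued post per
    day at 08:00:00 UTC (during local sleep) answering a 4.5-hour-old parent."""
    base = datetime(2024, 11, 18, tzinfo=timezone.utc)
    posts = []

    def add(author, ts, parent=None):
        posts.append({"id": len(posts) + 1, "author": author, "parent": parent, "ts": ts})
        return posts[-1]["id"]

    for day in range(7):
        for local_hour in range(8, 24):
            minute = (local_hour * 7 + day * 13) % 60
            second = (local_hour * 11 + day * 17) % 60
            ts = base + timedelta(days=day, hours=local_hour + 5, minutes=minute, seconds=second)
            add("persona", ts, parent=add("other", ts - timedelta(minutes=6)))
        queued = base + timedelta(days=day, hours=8)
        add("persona", queued, parent=add("other", queued - timedelta(hours=4, minutes=30)))
    return posts


def quick_replies(posts, by_id, max_delay=QUICK_REPLY):
    """Keep only posts that answer a parent posted at most max_delay earlier."""
    out = []
    for p in posts:
        parent = by_id.get(p["parent"])
        if parent is not None and timedelta(0) <= p["ts"] - parent["ts"] <= max_delay:
            out.append(p)
    return out


def hour_histogram(posts):
    """Count posts per UTC hour of day."""
    return Counter(p["ts"].hour for p in posts)


def longest_quiet_window(hist, threshold=0):
    """(start_hour, length) of the longest circular run of UTC hours with at
    most `threshold` posts; (None, 0) if every hour has activity."""
    best = (None, 0)
    for start in range(24):
        length = 0
        while length < 24 and hist.get((start + length) % 24, 0) <= threshold:
            length += 1
        if length > best[1]:
            best = (start, length)
    return best


def estimate_utc_offset(posts, author, only_quick=True):
    """Estimate the author's UTC offset from their quiet window. With
    only_quick=False, queued posts during sleep hours distort the estimate."""
    by_id = {p["id"]: p for p in posts}
    mine = [p for p in posts if p["author"] == author]
    used = quick_replies(mine, by_id) if only_quick else mine
    start, length = longest_quiet_window(hour_histogram(used))
    if start is None:
        return None
    offset = (LOCAL_SLEEP_START - start) % 24
    if offset >= 12:          # map 0..23 onto -12..11
        offset -= 24
    return {"posts_used": len(used), "quiet_start_utc": start,
            "quiet_hours": length, "utc_offset": offset}


def detect_scheduled(posts, author, min_days=3):
    """Flag (hour, minute) slots where the author posts at :00 seconds on at
    least min_days distinct days, a sign of queued rather than live posting.
    Returns a sorted list of (hour, minute, days)."""
    seen = set()
    for p in posts:
        ts = p["ts"]
        if p["author"] == author and ts.second == 0:
            seen.add((ts.hour, ts.minute, ts.date()))
    slots = Counter((h, m) for h, m, _ in seen)
    return sorted((h, m, n) for (h, m), n in slots.items() if n >= min_days)


if __name__ == "__main__":
    thread = build_sample_thread()
    print("quick replies only:", estimate_utc_offset(thread, "persona"))
    print("all posts:         ", estimate_utc_offset(thread, "persona", only_quick=False))
    print("scheduled slots:   ", detect_scheduled(thread, "persona"))
```

On the constructed data the quick-reply filter recovers UTC-5, while counting every post lets the daily 08:00 queued post split the sleep gap and the estimate drifts to UTC-9, which is the point alwayslikethis makes: scheduled activity is exactly what this kind of analysis has to discount. The 8-hour quiet window is an assumption baked into `LOCAL_SLEEP_START`; someone with an irregular schedule, as t-3 notes, simply will not produce a clean gap, and the function then returns a short window or `None`.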

juunpp 5 hours ago

I guess we'll soon find out how well the NSA normalizes its databases. Bring on that schema, folks.

ilaksh 2 hours ago

You might be able to get a rough shoe size and height/weight range from that photo.

  • lph 15 minutes ago

    I wonder how unique those floor tile patterns are? If that's taken on a military base in Korea, it might be possible to find the exact location of the photo.

antihero 7 hours ago

Couldn't literally all of this just be a bunch of misdirection?

  • mikeyouse 7 hours ago

    In theory, sure, in reality it's almost always much more benign and they have terrible Opsec over time that allows people to piece together their identity. Especially if they reuse usernames across services.

    • JohnMakin 5 hours ago

      It's always crappy opsec that gets people otherwise very savvy.

      • raffraffraff 2 hours ago

        Kinda like how the big mastermind criminals like Capone get away with murder and racketeering but get fucked on tax evasion.

        Reading this guy's posts, his ego is the biggest issue, and it will be his downfall. The "I literally can't get caught" mentality inevitably leads to carelessness and blabbermouthing.

  • duxup 6 hours ago

    I feel like leaving a bunch of misdirection would also risk leaving real traces behind in some ways.

    At least in my mind, leaving some false trails behind, when I run through scenarios, seems like it could leave actual trails, to the point of not being worth the extra risk.

    • brookst 3 hours ago

      Yeah. If you have a choice of giving an adversary no information or false information, no information seems safer. The choice of false information is information. Same way that people are terrible at picking random numbers and fraudsters are often caught because they avoid round numbers.

excalibur 5 hours ago

> Immediately after Kiberphant0m logged on to the Dstat channel, another user wrote “hi buttholio,” to which Kiberphant0m replied with an affirmative greeting “wsg,” or “what’s good.”

It's kind of unfortunate for him that he didn't do a better job of referencing Beavis and Butthead. If his username was "Cornholio" or even "Bungholio", it could read as someone directly referencing the show and potentially unrelated to the other account, making his deniability a bit more plausible.

  • boomskats 26 minutes ago

    A true opsec troll is saving those references for the final standoff, for when they start really threatening him.

fnord77 5 hours ago

Being a high-stakes criminal is too difficult. One slip-up and you're compromised. There's a million opportunities for slip ups and there's a million opportunities for investigators to get lucky.

  • alwayslikethis 4 hours ago

    True, but you only hear about the ones who slipped up. I wonder what is the actual proportion of criminals being caught due to poor opsec.

    • ethbr1 3 hours ago

      There's a line at the beginning of Ocean's 11 to the effect of "the house always wins in the long run... unless you bet it all on a great hand, win, and then walk away."

    • brookst 3 hours ago

      To turn it around: what percentage of people are capable of perfect opsec forever?

benreesman 42 minutes ago

Jesus. Let’s tick another box on our late capitalism bingo card: our soldiers are so desperate for cash and so cynical around institutions that they’ve started doing mercenary crime.

I can’t be the only person who has read of such situations throughout history.

duxup 6 hours ago

>‘BUTTHOLIO’

These guys always seem to have the most stereotypical or corny hacker handles. Is that expected / desirable in that community?

  • juunpp 5 hours ago

    The real question is: who calls their company "Snowflake"? It's just crying to get stomped on.

    • mulmen 5 hours ago

      Snowflake is a type of multidimensional schema. It's a normalized star schema. Both named for the appearance of their entity relationship diagrams.

    • Der_Einzige 5 hours ago

      Snowflake did the biggest epic fail of the ZIRP era. They bought streamlit (a python GUI front end for ML demos) for 800 MILLION dollars.

      https://techcrunch.com/2022/03/02/snowflake-acquires-streaml...

      Huggingface bought its biggest competitor, Gradio (still used more than Streamlit) for an "undisclosed" amount of money a year or so beforehand. I'd wager HF paid on the order of 1-5 million.

      • wodenokoto 3 hours ago

        I doubt Gradio is used more than streamlit. And so does Google [1]

        I know that's not exact, but if more people used Gradio, you'd expect at least a somewhat similar number of people searching for it online. Gradio is not even in the same ballpark as Streamlit here.

        [1] https://trends.google.com/trends/explore?date=now%201-d&q=%2...

        • Der_Einzige 3 hours ago

          I don't know what to say except that the overwhelming majority of HF spaces are made as Gradio demos and that gradio's whole design makes it far easier to do async things unrelated to reloading the webpage - which is a huge thing for ML/AI demos.

          I don't claim you're wrong, but I claim that gradio is far more effectively profitable to know than streamlit is - i.e. Gradio demos are used far more for a top AI paper demo (i.e. NeurIPS system demos) than Streamlit is.

      • rawgabbit 4 hours ago

        Salesforce purchased Mulesoft for $6.5 billion. Mulesoft was so successful they decided to buy a different ETL tool Informatica. But the deal fell through. Mulesoft has about 1500 clients vs 9500 clients for Informatica.

      • bagels 5 hours ago

        That is amazing! What a coup. I thought streamlit was pretty cool, but surely it wasn't $800m cool.

      • rajamaka 4 hours ago

        Comparing a disclosed sale price to an unknown theoretical sale price is a bit unfair though. Maybe it was 801 million.

        • Der_Einzige 4 hours ago

          No way, HF didn't have anywhere near that kind of money when they acquired Gradio. I think they did it back in 2020 or 2019. I know for a fact it was a tiny sum.

  • Apocryphon 6 hours ago

    I do think it’s funny how that might be a character revealing moment, suggesting the hacker is Gen X or at least elder millennial age.

    • A4ET8a8uTh0 6 hours ago

      I did toy with the idea of trying to do analysis of HN aliases and keywords. It never went anywhere, because I forgot about it, but a longer weekend is coming :D But yeah, language betrays who we are in references alone.

      • gopher_space 3 hours ago

        There's no way you could determine how old a person is or what technologies they enjoyed way back in college solely from a username.

        • willvarfar 2 hours ago

          Are you just trying to goad them into showing they can? :D

      • oefrha 3 hours ago

        Have fun analyzing the alias I pulled from /dev/urandom!

        • imp0cat an hour ago

          Knows of the existence of /dev/urandom, must be old! ;)

  • taspeotis 6 hours ago

    I believe the hacker known as 4chan once explained they choose their handles “for the lulz”

    • Apocryphon 6 hours ago

      Legion of Doom / Masters of Deception would like a word.

      • tedunangst 5 hours ago

        Phiber Optik just doesn't have the same haha you said peepee vibe.

ChumpGPT 6 hours ago

Seems like the guy has been fucking around for a while. No wonder none of our allies want to share intelligence or plans with us. The US Military is a liability when it comes to keeping shit secret, they leak like a sieve. They need to get a handle on this shit, who knows what this guy has given to the Russians or Chinese.

  • 6510 an hour ago

    "pay-to-play"

assanineass 5 hours ago

They already arrested them right?

  • sans_souse 2 hours ago

    No they arrested two others.

markus_zhang 5 hours ago

My two cents:

- The "hacker" (I'm reluctant to use this term) seems to be too high profile for some reason;

- We should discard Telegram

  • shdh 5 hours ago

    What does "discarding" Telegram mean?

    • markus_zhang 5 hours ago

      We should not use Telegram -- sort of. I wonder whether Signal is better.

      • wffurr 5 hours ago

        Not sure Signal would have made a difference for this criminal. All the data on them I saw in the article was likely captured by someone in the channel / group message.

        It’s just plain poor opsec, but I kind of expect that from someone with poor enough judgement to be a criminal.

      • 71bw an hour ago

        >We should not use Telegram

        But why? There is no better platform for private and small chats.

      • xvector 5 hours ago

        Signal is absolutely better. Telegram is e2ee in name only