People take pictures of paramilitary officers marching in formation in Tiananmen Square in Beijing, China.
Thomas Peter | Reuters
The following is a modified excerpt from CNBC cybersecurity reporter Kate Fazzini’s “Kingdom of Lies: Unnerving Adventures in the World of Cybercrime, ” which is now available wherever books are sold.
Bo Chou, now working somewhere else in Asia, says he feels like his past life was boring. He’s had no interest, he says, in regaling people with tales of his time as a hacker for China’s People’s Liberation Army. (Some names, locations and personal details have been changed to protect confidential sources.)
The rare few people who actually do know this about him press him for information, but he doesn’t budge.
It’s not just because it’s supposed to be secretive. It is. It’s because it was boring, utilitarian, cog-in-a-wheel stuff.
Now the Russians, that’s what Bo wants to talk about.
He was always more interested in the Russians, he says, because they are flashier. After his work in the Army, it was Russian hackers he looked to for inspiration. Bad boys.
Tupac and camp
Bo remembers back around 2012, he started following the exploits of a well-known “carder,” Valery Romanov. Carders are criminals who steal credit card numbers from those breaches against major retailers that you’ve heard of. The carder then sells the information on the dark web or uses the number to purchase easy-to-sell commodities like mobile phones, tires or gift cards, which they can convert to cash.
The carders are flashy and not averse to posting their success on social media. They post selfies with stacks of cash or next to fancy cars. Valery Romanov poses in one next to a cash counting machine, and throws up a gang sign with his free hand. He posts memes featuring Tupac Shakur lyrics. It’s pure camp. Bo is jealous.
Valery is fun and ultra-capitalist with a persona much bigger than anyone working in a Chinese hack farm could ever dream of. Bo doesn’t want to emulate him. Just enjoy the show. He gets interested in rap music because of Romanov.
Then Romanov disappears. Captured on some island by the American FBI.
Bo, living in the business center suburbs of Shanghai, gets a job at one of the hotels there, as a doorman. He misses being an engineer. He misses the excitement of his dark web friends. The hotel is exciting, welcoming expats from all over the world for convention after convention after convention. Home improvement, medical devices, housewares, computers, financial firms, non-profits and NGOs.
He decides to enter the gig economy. Get a side hustle.
Perfect targets, perfect data
Bo loves data. He’s good at data. He likes combing through it, making sense of it. The visitors to the hotel are perfect targets, with perfect data.
He uses a commonly available type of malware that can help him get as much information on a company as quickly as possible. He delivers it through USB devices that he scatters around the convention center, making it easy for unwitting professionals to pick up and stick right into their computers, computers with all those spreadsheets and proprietary client lists. He endeavors not to do this in his own hotel. That would be too close to home, and frankly, rude, he says.
Bo finds a great, cheap supplier from down south who sells him thousands of USB storage devices for around $100. Then he goes down to the area that sells lots of mass-produced tchotchkes and buys a few beautiful, polished, modern-looking silver bowls.
Then Bo loads malware on each device. He creates a very professional looking sign, one that mimics whoever is sponsoring the convention in color and font, and puts the USB devices in the beautiful silver bowl. “Free USB Storage. Welcome guests!” He leaves them, surreptitiously, in the lobbies of the hotels or the convention center cafeteria or, if he can slip in, its press room, where all the media outlets take their breaks and meetings.
In the early days of this scheme, convention-goers pick up the devices and use them much more frequently than they do when he tries it months and years later. Many people have learned such freebies might be risky, and Bo is fine with that. Because the ones who pick them up are enough. He isn’t greedy.
Once the simple malware loaded onto the USB drives is installed onto their computers, Bo grabs as many spreadsheets — just spreadsheets — as he can from their machines. The malware will probably be caught in a routine scan by some corporate technology team when the travelers get back to New York or San Francisco or London or Brisbane, but by then it will be too late.
Bo will have everything he needs, including all of the emails and personal details of the individual’s business contacts. He particularly likes getting business plans, budgets, future merger ideas. Then, after all this excitement, the denouement.
Big data, little marketplace
What does Bo do with this valuable information? He has an account on a legitimate, U.S.-based website for freelancers, and he sells this business intelligence to other companies. Companies that love the breadth and depth of his data but have no idea where it came from and know better than to ask.
The freelancer platform is fairly simple. The baseline price for one “gig” is $5, which is where anyone using it to sell goods starts. Bo picks a simple interface, lists his location as Japan, uses a special program and a virtual private network — a program that masks his movements from the Chinese government. To an outside observer, it would look like Bo’s computer is pinging from a Tokyo apartment complex.
From there, he offers “curated” lists made up of “publicly available” corporate information on big players in all the industries that have trade shows in Shanghai. Building materials. Finance. Risk and compliance. Even money laundering.
He starts with a $5 price tag for a basic report. Of course, his intel is good so the business quickly grows. And he is so good at curating it, business contacts recommend him to others in their industry. He becomes especially popular with salesmen looking for detailed prospect lists. He becomes a master at PowerPoint, making the data even more digestible to his less-than-tech-savvy customers.
The platform helps him get paid in all kinds of currencies — U.S. dollars, euros, cryptos — all of which are far more valuable than his local currency. The problem is the scheme is so lucrative and so easy he finds himself at the point where he can’t afford to give it up. And he’s looking over his shoulder everyday, afraid he’s going to be spirited away in an airplane like his former hero Romanov.