(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

DEFCON, Hotel Sneek & Peeks, and The Law


DEFCON 26 was last week and as usual there was some hacker drama. It is an inevitability that drama will rise out of the con because, well, hackers know drama! In fact, they cause a lot of drama and that is their thing as a community. So, this year’s drama is brought to you by two factors. The first factor is that the DEFCON community has a long history of being kinda unruly and causing mischief, and some of that mischief is illegal while other pranks just cause heartburn for the people and the venues that the conferences are held at. However, in a post Mandalay Bay mass shooting era, the pranks and the mischief may not be tolerated as well by casinos like Mandalay Bay or Caesars because they are on edge, and the community of hacker snowflakes needs to take that into account when they attend.

While the conference owners/operators try to combat and police their hackers, it is still not uncommon to find attendees doing things that might damage the systems of the casino (like messing with WiFi using deauth) or messing with the artwork (e.g. putting googly eyes on all the statues and artwork in Caesars). So it is understandable why, as some have said this year, “Caesars hates us”. In fact, when you have a convention like DEFCON in Vegas and the whole town is being told not to use ATMs, your phone, your Bluetooth, your wireless, or anything electronic while the con is there, you pretty much have a bad reputation that YOU are in fact reinforcing, right?

Just sayin…

Anyway, this last DEFCON we had a new wrinkle post the mass shooting at Mandalay, as I alluded to last year. It seems that since the shooting the hotels have decided that they can “sneak & peek” any room they feel they need to in case the occupant might be planning something like this incident. Now you have a zillion hackers known for odd if not bad activities in the properties, and a conference on hacking where shenanigans go on all the time, and you add this new rule and you get wailing and gnashing of teeth. It seems that the hotel had been just opening doors and walking in on guests there for DEFCON as well as going into their rooms while they were out and pawing through their things. In some cases it was said that the hotel security people had taken things like lock picks from the rooms, confiscated, because REASONS! People took to Twitter and complained, saying that this was illegal and made things more dangerous for women (some had been walked in on and at least one may have been walked in on by someone not in security) and that this was illegal search and seizure! The Fourth Amendment was being violated and this was targeting poor hackers!

Well, yes you security snowflake, you were being profiled because look at your collective history! Honestly people, you have a bad reputation with the hotels and you expect anything else? At best we are tolerated for the money, kids; we are not a beloved institution that is welcomed to Vegas, you need to wake up. While I personally think it is pretty shitty that these security folks were walking in on people with no knock in some cases, it is also my opinion that it is not illegal and that the Fourth Amendment is not being violated here because they are not doing so at the behest of the government or agents thereof, i.e. cops. I had an interesting exchange with a lawyer I know on Twitter about this and the salient point he gives is that you are not really given Fourth Amendment privileges here and that the contract you sign when you rent the space allows for these actions. What’s even more salient is that it is likely in the small print you are signing off on!


The gist here is, as I said, you cannot rely on the Fourth Amendment here and they have the legal right to do what they did. It’s sucky, but it is the law and you have to abide by it or not stay in their casino. Now, given what happened last year with the mass shooting, and that the Mandalay Bay is in fact suing the victims of the attack as a pre-emptive strike on lawsuits against them for allowing this to happen, you kinda see what the situation is, right? The casinos are covering their asses and using the law to do so. In a case where you, the snowflake hacker who wants to act all furtive and hide shit all week, deny access to the room “because reasons”, that does not exactly engender the right tone to make the casino think you are just a snuggly bear and not going to potentially do something like a mass shooting, right? Think about it, how many of you all went out there and put the DND sign up all week? If you were in the hotel security shoes and had to profile your guests now because of a mass shooting terrorist incident, how would it look to you as a security professional?

Hotels are soft targets and as such they have to tread the line between security and ease of access and fun. In the case of attacks like the one carried out at Mandalay Bay, you have to realize that the “soft targets” are the hardest to secure from a security perspective. Fuck, come on you guys, YOU ARE SUPPOSED TO BE SECURITY PROFESSIONALS, RIGHT? You should get this if anyone ever could! Yes, it is shitty for them to just be walking in on people but once again, they have the right to do so, just as you have the right to not stay at their brand anymore. However, what if you denied them access by adding your own layer of security to stop them from at least walking in on you?

Say you are at the hotel and you know they can do this, or in fact anyone else with a modicum of technological know-how, ya know, like HACKERS, who can pick locks and bypass PROX CARDS! What do you do in a situation like that to protect yourselves? Well, you could start by getting a simple door stop or a door stop with an alarm, right? For all the women who were walked in on and scared, this technology might have made some difference to the threat, right? It would have stopped the door from being opened and given you warning that something was happening. These tools would give you the ability to enhance your personal security AND allow you to call the front desk in the knowledge that unless they have a battering ram they are not going to get into the room quickly, and you can make the call.

It’s my suggestion you spend the money and use them…

For a bunch of people who claim to be security professionals, including and up to physical security, you all seem kinda snowflake-like to me of late. Either don’t use their hotels anymore or assess the situation and adjust accordingly. For fuck’s sake people! I have said it before and I will repeat myself now: you are now targets not only of hotel searches because you seem scary but also because YOU ARE TARGETS OF NATION STATES BECAUSE YOU ARE AN ASSET!! How long till you finally figure this out? Hotel sneak and peeks by nation state actors, including our own, are NOTHING NEW! It’s just that now you are the targets as well because you now work in a space where you can and will be targeted.

Wake up.



UPDATE: Dave Cochran makes a reasonable point about the dickishness level of the no knock on the people involved here. Yes, it is dickish, but, it is still not against the law per the cited text here. So, yeah, you don’t like it you can go elsewhere or you can try to get the hotels to not be dicks about it.

See what works.

Written by Krypt3ia

2018/08/14 at 14:13

Posted in DEFCON

QAnon and Qclearancearchive: Another False Flag Influence Campaign by Russia?


Recently the bowels of 4chan erupted, spilling an ongoing thread’s dire warnings from an anonymous poster named “Q” into the real world. The posts, consisting of word jumbles and conspiracy wet dreams, began to take on a new life in the real world at protests over Trump, MAGA, and the fight against all that is sane. I had looked at the original posts on Reddit in 2017 when they started and just shrugged it off as just another conspiracy hoax cum disinformation campaign by persons unknown. How it would become an issue today, just before the mid-term elections, few could have conceived.

As you can see, the posts are little more than bad haiku, but the conspiracy nuts on Reddit and 4chan and now a couple of other aggregation sites (more on that later) have been busily using their cognitive dissonance to make crazy connections from these posts to a globalist conspiracy the likes of which even Alex Jones could not come up with himself! Basically the stories all lead to an overarching New World Order conspiracy that has everything, Illuminati, NWO, Soros, Pizzagate, and other crazy ideas all wrapped up in a bow, being spoon-fed as crumbs by someone allegedly inside the government with what is known as a “Q” clearance (a DOE clearance). Of course Q cannot give just a straight narrative or a drop of classified data, no, it has to be this whack haiku as you see above.

I have tried to read more of this than a few pages but I literally started to go insane from reading this drivel, so I moved on to reading the output from a QAnon conspiracy site that archives and “makes sense” of, for the lay reader, all the juicy secret conspiracies that are in the Q “archives”, and man, it is full of cognitive bias, mental illness, and fantasy. I will not make you read it all here but if you do want to look for yourselves you can check the links at the bottom that I will gift you all with. More interestingly though, I wanted to cover the movement as it stands today and to show you some of the information I was able to wrest from the archive site itself. The data that I got actually shows real names of people involved (well, real I guess) that perhaps can be drilled down on some more later on.

Seen above are just some of the crazy ideas these people have about hidden codes in Q posts as well as the interaction of Trump on his Twitter feed. It seems these idiots believe that “Q” is in contact with Trump over Twitter and they are working together to destroy the globalist NWO conspiracy of lizard people ruling the world!

I shit you not.

So yeah, it’s a fair bit insane, so please medicate if you plan on wading any further into the nutbaggery. However, I want to direct you to the site that this stuff came from and in particular the guy(s) who created it and are running it. At the top of this post you can see the image of a Twitter account for an “Iambecauseweare” which it turns out is the owner/operator (self proclaimed) of a clearinghouse of all things Q and a primer of sorts for those who want to know the great truth and get involved.

This site is a font of Q information but, when you start to look under the hood, you can see that there are some interesting threads to tug on. The site has a lot of information but what I was more interested in was that they have a penchant for creating PDFs for the masses to conveniently download. Using FOCA, I aggregated all the PDFs and then ripped out all their metadata to see who was creating these things.

Out of about 200 PDFs I have come up with 8 user names in the metadata. In this group one of them is a known conspiracy author (William Milton Cooper) but the others are all unknown people to me. Four of the accounts are just short names and no help but the other two, Mark C. Duncan and Martin Jr. Donald, seem to be legit names on the face of it. Now since they were all PDFs there was not as much rich metadata as there would have been had they been Word files, but at the very least we have some names to work with here.
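As an added example (not the post’s own FOCA run), here is a small Python routine that does the same metadata pull over a batch of PDFs and tallies the /Author values. It assumes unencrypted PDFs whose Info dictionary uses literal or hex strings, and it runs on constructed sample documents carrying the two names the post found plus one made-up handle.

```python
import re
from collections import Counter
from typing import Dict, List

# Literal strings "(...)" with \( \) \\ escapes, and hex strings "<...>", for
# the Info-dictionary keys that FOCA-style tools report as user names.
# /Creator and /Producer usually name software, but some exporters put a login there.
LITERAL_RE = re.compile(rb"/(Author|Creator|Producer)\s*\(((?:\\.|[^\\)])*)\)")
HEX_RE = re.compile(rb"/(Author|Creator|Producer)\s*<([0-9A-Fa-f\s]*)>")


def decode_pdf_string(raw: bytes) -> str:
    """Decode a PDF text string: drop escapes, honour the UTF-16BE BOM."""
    raw = re.sub(rb"\\([()\\])", rb"\1", raw)
    if raw.startswith(b"\xfe\xff"):
        return raw[2:].decode("utf-16-be", "replace")
    return raw.decode("latin-1")


def pdf_name_fields(data: bytes) -> Dict[str, str]:
    """Return the Author/Creator/Producer entries found in one PDF's bytes."""
    found: Dict[str, str] = {}
    for key, val in LITERAL_RE.findall(data):
        found[key.decode()] = decode_pdf_string(val)
    for key, val in HEX_RE.findall(data):
        digits = re.sub(rb"\s", b"", val)
        if len(digits) % 2:          # PDF pads an odd final hex digit with 0
            digits += b"0"
        found[key.decode()] = decode_pdf_string(bytes.fromhex(digits.decode()))
    return found


def tally_authors(docs: List[bytes]) -> Counter:
    """Count distinct /Author values across a batch of PDFs."""
    tally: Counter = Counter()
    for doc in docs:
        author = pdf_name_fields(doc).get("Author", "").strip()
        if author:
            tally[author] += 1
    return tally


def make_pdf(author: str, creator: str = "Writer") -> bytes:
    """Constructed minimal PDF skeleton carrying an Info dictionary (test data only)."""
    info = (b"<< /Author (" + author.encode("latin-1")
            + b") /Creator (" + creator.encode("latin-1") + b") >>")
    return (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
            b"2 0 obj\n" + info + b"\nendobj\n"
            b"trailer\n<< /Root 1 0 R /Info 2 0 R >>\n%%EOF\n")


# Constructed batch standing in for the ~200 downloaded files; the two full
# names are the ones the post found, the short handle "wmc" is made up.
SAMPLE_DOCS = ([make_pdf("Mark C. Duncan")] * 3
               + [make_pdf("Martin Jr. Donald"), make_pdf("wmc", "Acme \\(Pro\\)")])

if __name__ == "__main__":
    for name, n in tally_authors(SAMPLE_DOCS).most_common():
        print(f"{n:3d}  {name}")
```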

The domain was registered 225 days ago and done so anonymously, and with GDPR now you get fuck all when you are trying to do OSINT on these kinds of things (thanks EU), so I am gonna have to rely on these names and some digging to get anywhere else. I started some cursory searches on these names and did not find much in the way of data. A second pass has yielded some information on Mark C. Duncan:

This Mark C. Duncan has two reviews in his Amazon list for books on conspiracy theories, one on the Masons and the other on alien abductions. Well, this could very well be the guy but I have yet to get much else on him, which makes me want to keep searching, and I will. The other name that came out of the metadata was “Martin Jr. Donald” which is an interesting way to put that in your system’s metadata. I am going to assume that the name is Donald Martin Jr. and a search of this name is just as obtuse. The hits that come up first for this name are all about a 400lb guy in Ohio that asphyxiated his nephew by sitting on him…

Which, yeah, anything is possible here. I see no other digital bread crumbs (snerk, look it up in the archives) to go on with this. So I am kinda at a dead end here unless they make some more mistakes. However, I would like to direct you to the language of the posts and PDFs. Either these people are the most illiterate of sorts, or English is not their first language.

All in all this is a nightmare to read and I would not recommend anyone do so. However, given recent events in Ohio and other places where QAnons have started showing up (including Trump rallies), I would suggest that we pay a little more attention to this movement. I suspect that at the very least this is yet another Russian active measure that is at best supported by the GRU and at worst run by the GRU. Given that the movement has self realized and is now in the real world, I would think that if the GRU wasn’t already supporting or running this campaign, they soon will be.

I will leave you with the links here and move on. I will take a peek at their site intermittently to see if they leak anything else. There was no Cyrillic this time in the data, no keyboard layout, no language packs. Just some names that could be crazies in the states here who are just acting out because Trump has given them the air they need to do so. At worst though, here we go again with the active measures just before the midterms.

Kinda convenient though huh?


It seems that some are buying into the coincidences that QAnon may be a new take on another Q, a book called Q by “Luther Blissett”, a nom de plume for a couple of authors of this Italian novel.


While this is a close comparison, I am doubtful that this is a giant prank against the Alt-right/Nazi/Trumpistanians. If it is in fact a prank, it has now gone way past that into action and terrible possible repercussions. The fact that these idiots are now showing up at the Trump Nuremberg rallies and elsewhere, and that he has tacitly accepted it all into his repertoire, should scare the alleged pranksters greatly.

After looking into this whole debacle I have to say that this story doesn’t quite wash for me. This whole story isn’t just all about boomers to start. How many boomers are on fucking Reddit? Fuck, for that matter, how many are out there actively on 8chan or 4chan?


Nope, this is something else. Maybe, if it was a prank, it took on a life of its own, but if Q is still posting then these guys are about to get into a world of pain, as I am sure now the federal authorities are interested in this because it has become a real world issue. Even if it was a prank to start, it may also be that the Russians decided to take this on and amplify it to their own ends. The whole dialog is very Trumpian and adds to the chaos.


You guys decide for yourselves.


Written by Krypt3ia

2018/08/05 at 15:34

Maria Butina: The Knockoff Anna Chapman



The arrest of Maria Butina, the poor man’s Anna Chapman, has opened a whole new avenue of investigation by the amateur spy hunters as well as the professionals this week. As it turns out, Maria had been under surveillance for a while and a known quantity to the FBI/DOJ for some time. Butina was even in the news cycles back in 2016, attached in stories to Alexander Torshin, a Russian oligarch cum Bratva/mobster with ties to the FSB and to Putin. This however did not make her a household name and in effect many people in the media were caught off guard, I think, when the feds arrested her and presented the affidavit in court on her FARA violations and flight risk potential.

Butina had been a fixture in 2015-2016 in NRA circles and in fact it seems that she and Torshin had been part of a plot to funnel money to the NRA as well as to attempt to garner access to the Trump campaign/admin and others in the Republican party vis-à-vis entrée from the NRA itself and a certain Person 1 in the affidavit. Person 1 turns out to be Paul Erickson, an alleged master of the political universe in his own mind. He and Butina had been living together and it has become clear that it was a task that Butina felt she had to carry out to complete her mission, per conversations the feds have picked up during their surveillance of her.

It seems that Butina and Torshin, with the help of Erickson and one other person yet unnamed, were able to potentially funnel money through the NRA to the Trump campaign, to the tune of 30 million dollars. With this access and her machinations to meet and greet as many players as possible (a list of people to hit up was provided by Erickson, it seems, with his direction) they would also have access and influence over CPAC, the conservative political action group, as well. With this kind of access it seems that perhaps, with more information to come to confirm this, Russia had an access and influence campaign that changed the Republican platform’s stance on Russia to be more along the lines of what Trump is evincing today.

Poor Man’s Anna Chapman:

After all the information started coming out post the affidavit’s publication online it then became an interesting rabbit hole to go down and see just how this operation was carried out and with what skill. After looking at things myself I am going to say here that I do not believe this was a well thought out operation that was being run by the likes of the SVR or the FSB. I think that this was a condoned and “let’s see what happens” kind of operation that was a sideshow to the main events of the influence operations by the GRU and SVR that we are all dealing with today. I say this for a few reasons:

1) Torshin is connected to the FSB but he is not FSB: He in fact likely is an asset of the FSB much like some mobsters have been to the CIA in the past.

2) Torshin and Butina’s utter lack of OPSEC leads me to believe that this was not a managed operation by the FSB/SVR/GRU because plainly it was so inept.

3) Butina seems to be a clean skin (i.e. no history as an operative) but does have a backstop story of being a Russian business owner. She isn’t really a classic kind of “illegal” because she did not have a cover identity and paperwork like the illegals busted back in 2010 who were actually trained in tradecraft and sent here undercover.

In fact the absolutely poor OPSEC with which these two carried out communications online and off is a sign to me that there were no official handlers to the operation. If there were, then they were negligent to the point of idiocy. There is even an amusing exchange between Butina and Torshin about being on a phone call and it being insecure, where Butina recommends using WhatsApp, but it is not clear if Torshin could handle using it or that they went silent, so to speak. It seems overall that they did not, and the feds have quite a bit of material on them both.

Add to this the fact that they carried on a lot of these conversations in email and on Facebook and Twitter and you can see a clear pattern of lack of tradecraft, as opposed to what we have all seen come out of the indictments recently of the GRU operation against the DCCC and DNC as well as the disinformation operations. So once again I am gonna call it as amateur hour with a side of Anna Chapman Sparrow wannabe syndrome. This can also be reinforced with Torshin’s comments on how Butina is like, and/or had surpassed, Anna in her operations.

A Noisy Operation:

What Maria Butina lacked in tradecraft, she easily made up for in her ability to entice 54-year-olds like Erickson with sex and access, though. It seems that she played on this quite a bit and thought of herself as the next Anna super spy, given all these photos she had taken by Oleg Volk, a photographer with a gun fetish in Tennessee. Her portfolio there is all guns all the time, and since she was playing the part of a Russian NRA right-to-bear-arms supporter it all fit the greater theme. However, even with her sex appeal and her playfulness, she managed not to be overly subtle either, and her connections to Torshin were pretty clear. The media and certain people in the government noticed and asked for her to be investigated, as well as her connections to the NRA.

As you can see from the text here she was a known quantity, but all of these people around her did nothing to report her. They all just went along with the money and the possible access to her and Russia via Torshin. It really amazes me how people can just eschew all ethics and morals when large sums of money are being handed to them in order to further their own cause. As for the Republicans and the access there, like I said above I believe there is much more yet to come on her connections to individuals and the movements of money from them to the NRA to Trump. I look forward to more of this coming out, and in fact a little teaser yesterday was that a new player showed up at court for Butina’s hearing on being a flight risk.

That new player is a prosecutor whose specialty is trials concerning espionage. It turns out that though she has been arrested on FARA issues, she may in fact later be charged with espionage, given that this prosecutor has shown up. It is also interesting that during the hearing there were two guys from the Russian consulate there, and the reason that Butina was remanded without bail was the concern that she had packed all her things, moved money overseas, and that the consulate folks looked like they were planning an exfil if she was let go.


Players Yet To Be Named:

I also have to wonder who Person 2 is, as well as others out there who had connections and/or friendships with Butina. They all must be shitting bricks right about now, I would think. One of those people mentioned in the articles I got in my OSINT searches was Cleta Mitchell. I looked her up and, wouldn’t you know it, she is on the board of the International Foundation for Electoral Systems and also seems to have raised the alarm about Russia, the NRA, and money and access being funneled from it to Trump.

I guess she saw it all up close and personal…

I wonder when we will have some more names added to the list and perhaps some indictments or at the least subpoenas served on this matter. Overall though, this case could be a linchpin for the Mueller investigation in a couple of ways. Certainly there is the money angle, and Mueller is following the money most certainly. The players here could end up helping the investigation for immunity as well. However, the big thing for me is that in this net of collusion and money, we may see even more Republicans touched by this case. It seems pretty clear that the Republicans changed their attitudes toward Russia after the money spigot opened, and perhaps this NRA money funnel, and perhaps the one to CPAC, will crack open and give us some answers on why people like Nunes and Gowdy, for instance, are so willing to subvert the constitution in favor of Trump and Russia.

Perhaps they are trying to hide their guilt because, gee, there’s kompromat on them as well.

Maybe some pics of Butina, guns, and naked senators somewhere…


Written by Krypt3ia

2018/07/19 at 19:06

Extortion Phish: Your Password is XXXX


I started seeing a pivot in the extortion phish plots that I reported on a while back. The new iteration of these exploits starts off with the simple statement that the extortionist knows your password, and actually states it in the first sentence of the email. On average the passwords that I have seen have been ones that the users actually do have in use on the internet at various places, and the users become very agitated and panicky when they get these emails. Thankfully though the majority in my environment have had training and report these to me, so I get to see them and work all this out as to who may be doing this.

I wanted to put this post out though to let others know about this pivot in the attack and the use of some psychology-of-fear tactics to get a knee-jerk reaction out of the marks in hopes of getting them to cough up bitcoin. Of course in these they want a large sum, upward of three thousand dollars, which makes me wonder if they actually do have passwords or access to passwords from a dump somewhere, or whether these guys are just brazen in their attempts.


I will directly come to the point. I know that XXXX is your pass word. More importantly, I’m aware about your secret and I’ve proof of your secret. You do not know me personally and no one employed me to look into you.

It’s just your bad luck that I found your misadventures. Actually, I installed a malware on the adult video clips (porn) and you visited this web site to have fun (you know what I mean). When you were watching videos, your browser started functioning as a Rdp (Remote desktop) with a key logger which gave me accessibility to your display and webcam. Right after that, my software collected every one of your contacts from your messenger, social networks, and email.

Next, I put in more time than I probably should have into your life and made a double display video. 1st part displays the video you were watching and second part shows the recording from your web cam (its you doing inappropriate things).

Frankly, I am willing to forget about you and let you get on with your regular life. And my goal is to offer you two options that may make it happen. Those two choices either to ignore this letter, or simply pay me $2900. Let us explore those 2 options in details.

Option 1 is to ignore this email message. Let’s see what is going to happen if you opt this path. I will definitely send out your video recording to all of your contacts including relatives, colleagues, and so forth. It won’t help you avoid the humiliation your self will feel when relatives and buddies uncover your dirty details from me.

Option 2 is to make the payment of $2900. We will call it my “privacy charges”. Now let me tell you what happens if you choose this path. Your secret remains your secret. I will erase the recording immediately. You move on with your routine life as though nothing ever occurred.

At this point you must be thinking, “I’ll just go to the cops”. Without a doubt, I’ve covered my steps to ensure that this mail can’t be traced to me also it won’t stop the evidence from destroying your daily life. I’m not looking to dig a hole in your pocket. I am just looking to get paid for the time I placed into investigating you. Let’s assume you have decided to create pretty much everything vanish entirely and pay me the confidentiality fee. You’ll make the payment by Bitcoin (if you don’t know this, search “how to buy bitcoins” in search engine)

Required Amount: $2900
Receiving Bitcoin Address: 19aJnFC6UdNjiMRtP766hVsn7Wg4KXQHbZ
(It’s cASe sensitive, so copy and paste it)

Tell nobody what you should be utilizing the Bitcoins for or they might not give it to you. The method to obtain bitcoin can take a few days so do not wait.
I’ve a specific pixel in this e mail, and at this moment I know that you’ve read through this email. You now have 2 days to make the payment. If I do not get the BitCoins, I will send your video to all your contacts including family members, co-workers, and so on. You better come up with an excuse for friends and family before they find out. However, if I receive the payment, I will erase the video immediately. It is a non-negotiable one time offer, thus please do not ruin my personal time & yours. Your time has started.


I will directly come to the point. I’m aware XXXXX is your password. More importantly, I do know about your secret and I have proof of your secret. You don’t know me and no one hired me to investigate you.

It is just your bad luck that I found your blunder. In fact, I actually placed a malware on the adult videos (pornographic material) and you visited this website to experience fun (you know what I mean). While you were watching video clips, your internet browser initiated operating as a Rdp (Remote control desktop) that has a keylogger which provided me accessibility to your display screen and also cam. Immediately after that, my software program obtained all your contacts from your messenger, facebook, and email.

After that I gave in much more time than I should’ve exploring into your life and generated a two screen video. First part shows the recording you had been viewing and second part shows the capture from your web camera (its you doing inappropriate things).

Frankly, I’m ready to forget about you and let you continue with your life. And I will present you two options which will accomplish this. The two option is to either ignore this letter, or perhaps pay me $3200. Let us explore above 2 options in more detail.

First Option is to ignore this e-mail. Let me tell you what is going to happen if you opt this path. I definitely will send out your video recording to your contacts including friends and family, co-workers, and so on. It doesn’t help you avoid the humiliation your household will must face when relatives and buddies find out your unpleasant videos from me.

Second Option is to make the payment of $3200. We will name it my “confidentiality tip”. Now let me tell you what happens if you choose this path. Your secret remains your secret. I will delete the recording immediately. You move on with your routine life as though nothing like this ever occurred.

Now you must be thinking, “I’ll just go to the cops”. Without a doubt, I have covered my steps to ensure this mail cannot be tracked returning to me and it will not stop the evidence from destroying your daily life. I am not trying to steal all your savings. I just want to be compensated for the time I placed into investigating you. Let’s hope you have decided to make all this go away and pay me the confidentiality fee. You’ll make the payment via Bitcoin (if you do not know how, type “how to buy bitcoins” in google)

Required Amount: $3200
Receiving Bitcoin Address: 1JE6Pxdb865yhxc92KfjypcaXHgdAJpdsZ
(It’s CASE sensitive, so copy and paste it carefully)

Tell no person what you should be sending the bitcoin for or they might not sell it to you. The procedure to have bitcoins will take a short time so do not delay.

I have a unique pixel within this e-mail, and now I know that you have read through this email. You have 24 hours in order to make the payment. If I don’t get the Bitcoin, I definitely will send out your video to all of your contacts including family members, co-workers, etc. You better come up with an excuse for friends and family before they find out. Nonetheless, if I do get paid, I’ll erase the video immediately. It’s a non-negotiable offer, thus kindly don’t ruin my personal time & yours. The clock is ticking.


Let’s get straight to the point. I am aware XXXXXXX is your password. More to the point, I am aware about your secret and I have proof of it. You don’t know me and no one paid me to investigate you.

It is just your misfortune that I came across your bad deeds. Let me tell you, I setup a malware on the adult vids (pornography) and you visited this site to have fun (you know what I mean). While you were watching video clips, your web browser started operating as a Rdp (Remote desktop) with a keylogger which gave me access to your display screen and also webcam. Right after that, my software gathered your entire contacts from your messenger, social networks, and mailbox.

Next, I gave in much more hours than I should have exploring into your life and made a two view video. 1st part shows the recording you were watching and next part shows the capture of your cam (its you doing inappropriate things).

Honestly, I want to forget all information about you and allow you to get on with your regular life. And my goal is to present you two options that may accomplish this. These two choices are with the idea to ignore this letter, or perhaps pay me $2900. Let us investigate above 2 options in details.

Option 1 is to ignore this message. You should know what is going to happen if you select this path. I will definitely send out your video to all of your contacts including members of your family, coworkers, and so on. It won’t help you avoid the humiliation your household will ought to feel when friends and family find out your dirty details from me.

Second Option is to make the payment of $2900. We’ll call it my “confidentiality tip”. Now let me tell you what happens if you choose this path. Your secret remains your secret. I will destroy the recording immediately. You keep your life that none of this ever happened.

At this point you must be thinking, “I should go to the cops”. Let me tell you, I’ve taken steps to ensure this email message can’t be tracked time for me plus it will not prevent the evidence from destroying your daily life. I am not planning to steal all your savings. I am just looking to get paid for time I put into investigating you. Let’s assume you’ve decided to create all of this disappear completely and pay me my confidentiality fee. You’ll make the payment by Bitcoins (if you do not know how, type “how to buy bitcoins” in google)

Required Amount: $2900
Bitcoin Address to Send to: 169rDGiiDxTKknBYgLPDq4sCQJjKgejkni
(It is case sensitive, so copy and paste it)

Tell no one what you should be utilising the Bitcoins for or they possibly will not sell it to you. The process to have bitcoin usually takes a short time so do not put it off.

I’ve a specific pixel in this email message, and at this moment I know that you have read through this email. You now have 24 hours in order to make the payment. If I don’t get the Bitcoin, I will send out your video to your entire contacts including members of your family, co-workers, etc. You better come up with an excuse for friends and family before they find out. Nevertheless, if I do get paid, I will erase the video immediately. It is a non-negotiable offer, so kindly don’t ruin my personal time and yours. The clock is ticking.

So, as you can see from the samples, the extortionist is hoping that you visit porn sites and that your password was in fact some iteration of, if not literally, the password they provided as a bona fide. If the passwords are in fact correct, it made me wonder whether these were just good guesses on the part of the adversaries or whether they have access to a dump from some site common to all the users in question. I am currently investigating that, but suffice it to say that either method would work, up to a point, to get the end user’s fight-or-flight response going, right?

So, if the adversaries have access to a dump, I have to wonder what it is. In the case of some of the information I got from users, I used haveibeenpwned and did not find anything in there from old dumps. So, if there is a leak somewhere, it is likely on some hacker site where they are offering up these passwords, and these guys decided to use them in this clever way. By sending these emails through open SMTP relays and expecting no response, with no links or malware at all, these phish get through every time, bypassing the protections of filters and using sites like to bypass any SPF settings one might have. It’s a smart tactic by an adversary intent on getting that bitcoin, really.

Where the emails fail is the amount they are looking for (nearly 3K), and this is where they tend to lose people, I think. Who’s got that kind of money as an office worker? So far the bitcoin wallets are all empty, and I suspect these guys are not going to be in the champagne room anytime soon thanks to my users, but other places may be different. Having an awareness program and interfacing with your employees is key to fighting this and other phishing schemes, and in my case it seems to be working, with users either just deleting the emails or sending them in.

I just have to wonder now what the next iteration will be. Will these guys up the ante and present more hacked info? Maybe some sample clips of these alleged movies as bona fides?





It seems the gambit has worked on some people. One of the bitcoin accounts has over 4 grand in it today. A second has just over 3K.



The phish are coming from the Microsoft domain space for SMTP servers, so this is why they are not seen as spoofed. The email addresses are random names and, according to searches I have performed, do not really exist. So, Microsoft needs to address where these are coming from and maybe seal up the SMTP relay hole they have.

Additionally, the random nature of the email addresses and the Outlook domain make it hard to track and block these in defenses that rely on heuristics like subject and sender names. This is a clever means of getting these to their targets by bypassing the controls in place, without a real remedy.
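Since sender names and subjects are random here, the only stable signal is the lure wording itself (the claimed password, the “unique pixel”, the webcam/keylogger story, the deadline, the Bitcoin demand) and the wallet address. The scorer below is an added example, not code from this post or from any mail filter: it ignores the envelope entirely, scores the body on those content indicators, and pulls out the wallet addresses and dollar amounts so a defender can track them. The indicator weights and the threshold of 6 are hypothetical choices; the two sample messages are constructed, the first paraphrasing the lure quoted above.

```python
import re
from dataclasses import dataclass

# Content indicators taken from the lure wording in the samples above.
# Weights are a hypothetical tuning, not a published rule set.
INDICATORS = [
    ("claims_password",    re.compile(r"\bis your password\b", re.I), 3),
    ("claims_webcam",      re.compile(r"\b(web ?cam|keylogger|rdp|remote desktop)\b", re.I), 2),
    ("tracking_pixel",     re.compile(r"\b(unique|specific) pixel\b", re.I), 2),
    ("threatens_contacts", re.compile(r"\b(send out|sending) your video\b", re.I), 2),
    ("deadline",           re.compile(r"\b\d{1,3} hours\b", re.I), 1),
    ("mentions_bitcoin",   re.compile(r"\bbitcoins?\b", re.I), 1),
]
# Legacy Bitcoin address: Base58 alphabet (no 0, O, I, l), leading 1 or 3, 26-35 chars.
BTC_ADDR = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
# Dollar amounts such as "$3200" or "$2,900.00"; the capture group drops the "$".
AMOUNT_USD = re.compile(r"\$\s?(\d[\d,]*(?:\.\d{2})?)")


@dataclass
class Verdict:
    score: int
    indicators: list
    btc_addresses: list
    amounts_usd: list
    is_sextortion: bool


def analyze(body: str, threshold: int = 6) -> Verdict:
    """Score a message body only; sender, subject and SPF result are deliberately ignored."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(body)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    addrs = list(dict.fromkeys(BTC_ADDR.findall(body)))  # dedupe, keep first-seen order
    amounts = [float(a.replace(",", "")) for a in AMOUNT_USD.findall(body)]
    return Verdict(score, hits, addrs, amounts, score >= threshold)


# Constructed samples: a paraphrase of the lure above, and a benign message that
# also mentions Bitcoin and a deadline but carries none of the extortion claims.
SAMPLE_LURE = """I am aware XXXXXXX is your password. While you were watching video clips,
your web browser started operating as a Rdp (Remote desktop) with a keylogger which gave
me access to your webcam.
Required Amount: $2900
Bitcoin Address to Send to: 169rDGiiDxTKknBYgLPDq4sCQJjKgejkni
I have a unique pixel in this email. You have 24 hours to make the payment or I will
send out your video to all of your contacts."""
SAMPLE_BENIGN = "Hi team, the vendor now takes Bitcoin for the $2900 invoice, so please pay within 48 hours."

if __name__ == "__main__":
    for body in (SAMPLE_LURE, SAMPLE_BENIGN):
        print(analyze(body))
```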

I fully expect another iteration of this to come along where they add some content or some other key to get the targets to react quickly to their demands and send them bitcoin.

ALSO, it seems to be tracking that the passwords being cited in the extortion email are from the LinkedIn password dump in 2016. It may in fact be a melange of dumps, but since these are being targeted at corporate email accounts it makes sense that the adversary is using this dump cleverly.


If my stats are right, the adversaries have now made approximately $185,499.50 in bitcoins from these phishing emails. I am checking the wallets again to ensure I have the right ones in all cases, but one of them has  transactions.

Screenshot 2018-07-18_11-57-07





Written by Krypt3ia

2018/07/16 at 18:13

Posted in phish

Defeating Disinformation

leave a comment »

This tweet came up in my feed this morning and it got me thinking. There has been a lot of talk about how disrupting or denying the sources of disinformation could put a stop to it altogether. I for one have not been a proponent of strictly technical solutions to this because they never will work fully, and while you can play whack-a-mole with fake news or disinfo operations, it will always propagate with those who have the cognitive bias and dissonance. What I mean by that is that the mind virus that is fake news or disinformation is just that: those who are disposed to it will propagate it, if not create it out of whole cloth, for their own reasons, be they financial, cultural, or psychological.

It has been shown that if you give those predisposed to these narratives the truth once or twice, they do not come to the conclusion that the narratives are in fact falsehoods. In fact, the studies thus far have shown that you must repeatedly bombard those individuals with the truth (truth bombs heh) until they actually accept it. So, unless you can force these individuals to accept “truth” via other channels than the disinformation feeds, you will have little luck in stopping the disinformation from doing its harm and being magnified by those predisposed to belief in it.

So, what I am saying here is that, once again, the technology will not be able to stop the false narratives. The technologies of today, short of a truly Turing-compliant AI that is plugged into the internet as a whole, will not be stopping the disinformation, never mind those campaigns of falsehoods by the likes of an Alex Jones, because they will be passing them in email, news sites, comments on sites, texts, tweets, over the phone, over the air, …everywhere possible. The reliance, or thought of reliance, on technologies alone to save us from all this kind of warfare is patently naive. The psychology of why disinformation works and how these things propagate WITH the technology is where we need to focus. More so, we need to focus on the psychological aspects in relation to how we might leverage technologies to get the truth into the right minds with repeated viewings; that is key. Alas though, I fear that this is not what many in the technology space are considering, and they are relying on algorithms instead of focusing on the animal behind the keyboard. Until we do this I am afraid we are quite doomed to failure.

I also began to parse this tweet out a bit as well on the hacking versus the disinformation campaign. It is quite clear that the hacking and the dumps of information were at some level laced with disinformation, but the hack as a whole was not part of the disinformation campaigns by the GRU. While “not getting hacked” is a good start, the real problems came from other sources, and in fact when I looked at the DC leaks stuff and the claims, I did come up with some gold: the data did not come from the Clinton Foundation, but instead was DCCC and DNC only, contrary to what Guccifer 2.0 wanted people to believe.

So yeah, the information being hacked surely added to the mix of disinformation out there, but it was not a main contributor to it. Overall, the problems of disinformation rely much more on the psychology of the tribes at play now and the cognitive issues we have within them than the hacking ever did. It turned out, at least in the Clinton campaign, there was no real “there” there to latch on to and make her look even worse with an exposé of wrongdoings. The most we got was that they were treating Bernie poorly, but really, that was it.

Where were the Benghazi revelations?

Where were the revelations that she and others were running a pedophile ring out of a pizza parlor in DC?

Where was the absolute proof that Clinton had ordered the murders of a number of US citizens and in fact was funneling monies around to places like Panama?

Oh yeah, there were none, and this is the reason why the others out there, including the GRU and the SVR, were creating those narratives on Twitter, Reddit, and elsewhere, where those predisposed to that mental virus were living and ready to echo the message to others. When the day comes that we see a dump of information that has been tampered with well enough to detect forensically, then we can parse that out a bit and prove out that a hacked dbase was the cause of disinformation, like some of the DC leaks stuff tried to be. Other than that, the two roads do not meet in my book.

The technology is the amplifier but the humans behind the keyboard are the real engines here.


Written by Krypt3ia

2018/07/16 at 16:58

Posted in .gov, .mil, 2016, 2018

2018 Krypt3ia Kryptos Crypto Challenge!

leave a comment »


Ok kids, here it is. You may start now.

Why now?

Well, because it’s hard and no one has time during DEFCON.

Solve the puzzle and you’ll know what to do.

Good luck.


Written by Krypt3ia

2018/06/27 at 13:24

Dear Paul! : The Curious Case of A Letter In A Cache of Files from Andrea Manafort’s Phone Dumped In The Darknet

leave a comment »



The letter you see above was posted in a cache of pictures ostensibly from Andrea Manafort’s cell phone, which was hacked back in 2016. The pictures, which were checked for metadata to be sure, are in fact hers and contain quite a bit of visual information that I will not release here, including medical data and taxes etc. The interesting bits though were alleged pictures/images of documents in Cyrillic and in English that concern a media company that was set up by Dmitry Firtash and others during Paul’s time working in Ukraine for Viktor Yanukovych. It was during this time that many assume Paul made connections like his second in command Kilimnik (GRU) that are all becoming very important to the obstruction case of Donald J Trump, the 2016 election tampering by Russia, and Manafort’s centrality to it all.

The documents above purport to be either a letter or an email, but it is impossible to tell because there are no headers and no way to determine which it is. In fact, this could be an outright fake. This is the caution I am making up front here concerning this document in the dump with the rest. Not only is there no data in the page to tell what the source is, there is also no metadata at all to prove out where it came from, so it could be a fabrication, but to what end and by whom, I wonder? As for the other documents in Cyrillic, they are checking out to be real, but they are also elsewhere on the net from other sources in Ukraine and can also be verified by the companies involved.


A map of companies comprising the flow of ownership and money concerning a media company set up in Ukraine

So some of this tracks as real, but the document at the top of the page is not found, that I could tell, anywhere else. So, is this disinfo? Was Andrea actually the one who had these files sent to her by someone? I suspect that “could” be the case, but once again, it is impossible to know completely without metadata that is forensically viable to prove it. So, I would have to ask Andrea, or maybe someone in the media can, whether she has indeed seen these documents before and was party to looking into what her father was up to at some point.

But wait… It gets more interesting…

Did you really read the document at the top of the post?

Lemme draw out some things…

Paying attention here? It’s subtle, but there seems to be some planning here and intonation of criminal conduct with regard to the Ukrtelekom deal there, don’t it? My only question now is who is JN? Anyone? Hmmm JN? Oh well, the fact of the matter is that if this is real, well, there may be some ammunition that Mueller may have or want along with those documents in Cyrillic. On the other side, this could be some Ukrainian hackers’ attempt to drive the narrative. Perhaps Andrea can enlighten us all on the provenance of those documents in the dump…

While she is at it, maybe someone should tell her also not to take pics of her insurance card and other very personal things… Ya know, cuz they may end up in the darknet…

The other documents are being translated so I will have more on them later.



Written by Krypt3ia

2018/06/19 at 15:42

Posted in Manafort