So Jake is going to talk about attribution, which I can only presume is going to be exclusively about either Russia or China. So let's give Jake a big round of applause. Have a great time.

Thank you. Thank you everyone. Great to see everyone here. I seriously don't see enough beverages in people's hands though, so maybe you should fix that. My name's Jake. I'm the CISO for Risk Based Security. I've been doing a bunch of vulnerability and data breach intelligence stuff for quite some time. I also want to recognize Lee Johnstone for all the work and the creation of the data and everything. So the talk today is Cyber Whodunit: Attribution Analysis Through Arrest History. We really are going to play a cyber drinking game. You guys are just going to have to get over it, because we're going to say cyber a ton through this talk. So any time you see in the slides that it says cyber, or you hear me say cyber, you should drink. And I only see a few beverages over here, so we'll see. And I don't care if it's beer or root beer, so no pressure.

Alright, so if you look back over the last five years, data breaches just keep occurring at alarming rates, right? It's just ridiculous, the amount. And it just shows that it's not getting better. So it doesn't matter how many blinky-light boxes we buy from security vendors, we're still just seeing a ridiculous amount of breaches. In fact, 2015 was the most breaches that we've ever tracked. When you look at how these things are occurring, there's that old 1970s thought process, I think from the FBI, that says the insider, right? But when you look at the data from 2015, it shows that 77% of them are actually coming from the outside. Now an insider may hurt you the worst, but in terms of likelihood it shows the outside is where it's occurring. And then when you break it down by breach type, hacking's just through the roof, right?
So we're just seeing a ton of hacking, and it's been that way the last couple of years. When you look at where it's happening, what countries, where these organizations are that are being impacted, this isn't just a USA issue, right? Now while the USA and the UK account for 46-plus percent of the breaches, it's not just there. So it is a world issue. And year to date, we still suck, right? We're not getting any better. Over 2,000 data breaches confirmed already, and it's the most records that we've ever lost in a single year. We're already at over 1.1 billion records lost, and we still have a couple of months to go. So, not seeing much improvement at this point.

The question we get all the time when we're tracking these data breaches is, who's behind all this stuff, right? Who is behind and causing all of these data breaches? It comes up all the time, specifically for the hacking events. Who's behind it? So this leads us to this whole concept of attribution. And if you try to get your head wrapped around attribution and what it really means, you can start looking on Google, and you can start looking on Wikipedia, right? And that gives us a few different ideas about what attribution is in other disciplines. So in social psychology, attribution is the process of explaining the causes of behavior and events. In copyright law, it's about crediting the work. In journalism, it's about attribution to a source. So you start to get familiar there. Now, in the cyber world, we basically just want to know, who did this, right? We want to know, what the hell did you just do? What actually happened? What was done? And then finally, why? Why did you do this? What are the motives? Can I have some reasons, right?
So if you think about it, you always hear this saying, knowledge is power, but in these days and times it's really starting to be that attribution is power, right? And this seems to be the case. We want to know what's going on, who's behind all of this stuff. So, nothing brought this attribution debate and problem into focus more clearly than the Sony breach in December 2014. We should all remember this whole GOP, Guardians of Peace, post taking credit for this breach. And there was serious debate over this breach. What were the motives? Who did it? And the back and forth was so ridiculously bad that it led to a ridiculous amount of lulz from the security community, right?

So we actually created these cyber war attribution bingo cards. It still exists if you want them. You can go out to the website and generate your own cards and play along, and see what happens. But if you're not up for games, then there were a couple of guys that created the Sony hack attribution generator. So you can go to the website and then sort of refresh to get what you want. You go to this first one and you get the nice report here about a Sony manager behind it. I don't like that one. Romanian organization? Hmm, that's better. Well, now we have North Korea, right? Here's a nice detailed report. You can just keep refreshing. So you guys can get reports. They weren't the only one. We actually had another website created called whohackedus.com. You can get attribution reports here. Here we get China, right? Crouching Pants and a Hidden Dragon. So there's your China reference starting. But if you don't want a detailed report and that's just too much, guess what? We had the industry create cyber attribution dice. So you can just roll the dice and get the answer, right?
And why would you pay for high-priced forensics when you can just roll the dice, right? That's probably the best attribution you're gonna get anyway. Some people weren't so thrilled about the cyber dice and they said, you know what we need? We need a magic eight ball. And guess what? Twitter answered. We have the attribution eight ball, right? Now, unfortunately, it hasn't been active recently. So whoever's behind this account, I'd appreciate it if you could step up your game and start tweeting out some stuff again for us. But Twitter's just not enough. So we have Duo that comes up, right? And they create the actual attribution eight ball. And of course, it's China. And you gotta love the pictures behind there, right? It was China, and who's showing, right? So we see that. Then we see good old SwiftOnSecurity, when we're talking about the Myspace breach and should we blame Russia or what's going on, saying, hey, we need another magic eight ball. And at this point in time, because we know the attribution eight ball's so important, Threatbutt comes to the rescue. And so, no offense to Duo, but Threatbutt creates an attribution eight ball. And if you don't know about Threatbutt, you should. Because they basically provide the maximum protection from threatening thready threats like China. So we're really pleased that they were able to help us out here. So thanks to Threatbutt for all your hard work.

So, with all of the lulz aside, I mean, it's a serious issue. When people joke about stuff like this, it's because there's something behind it, right? And the jokes are funny, but let's get back to the Sony breach and walk through it. And the point was, who did this thing, right? Everyone wanted to know. And for the purposes of this talk, there were basically two major viewpoints. One was North Korea and the other one was an insider, also known as not North Korea, right?
And so, on the North Korea side we predominantly had CrowdStrike and the FBI. And on the insider, also known as not North Korea, side we had Norse, Marc Rogers, and Kim Zetter from Wired coming out with information. So here's from Norse. Norse basically was not involved in the case itself, but they said they were doing their own investigation. And they said that the Norse data was pointing towards a woman who called herself Lena and claimed to be connected with the GOP hacking group. Norse believed that they identified the woman, who had worked at Sony in Los Angeles for about 10 years and then was involved with it. And so what comes from them is, we are very confident that this was not an attack masterminded by North Korea, right? So they're coming out pretty vocal. It's not like, it may be. It's, we're pretty damn confident it's not them.

Then you have Marc coming out, basically saying he wasn't seeing hard evidence either. And he has some really good articles that, if you haven't read them, you should go to his website and read to better understand his point of view. But he mentioned things like the broken English that was being used for attribution looked really too deliberate, right? The code that was written on a PC with the Korean locale actually makes it probably not North Korea. Hard-coded paths and passwords and whatnot really did make it seem like someone knew that information about Sony from the inside. And one of the other things that he said too was that blaming North Korea was an easy way out for people, including the security vendors that were brought in and paid, and Sony management and all that, because of the whole The Interview movie and everything. It was just sort of an easy way to do it. And you can see here, even after the FBI started to come out saying it was North Korea, he was still saying, I still don't believe that that's the case.
Kim Zetter from Wired, she basically published a story saying that the evidence was flimsy. Again, a great article if you want to get some more information about it. And she basically was saying that the assertions about who's behind it, you should be skeptical of these things. It's easy for attackers to plant these false flags or point to North Korea and those sorts of things. And a lot of the evidence that was presented was circumstantial, right?

And then here's Dmitri from CrowdStrike. So he comes in and basically says, North Korea. And that's it, North Korea, nothing else. Now, what's funny is that at Black Hat I ran into Dmitri for the first time, and I said, hey, Dmitri, your face is going to pop up several times in my talk at DEF CON. And we sort of had a spirited debate for about an hour. He still believes it's North Korea and that's that, right? Now, what was also interesting was we started to see this attribution stuff go really mainstream. Here you have Marc Rogers and Dmitri on PBS doing a live debate on attribution. Who did it, right? So we're seeing this isn't just in our industry, it's starting to come out more and more, people trying to figure out what's going on. So then we have Sony, and this is sort of mid-December 2014, they publish a more official update and a statement basically saying that as a result of our investigation and close collaboration with other government agencies, the FBI now has enough information to conclude that the North Korean government is responsible. So pretty definitive from the FBI. Even though that came out, we still are seeing CrowdStrike vs. Norse quite a bit. And there were a few others, but those were the loudest, if you will, talking about this stuff. Actually, FireEye and Mandiant, who were hired by Sony, they were pretty quiet in the press.
Kevin Mandia did come out and say a few things, such as the attacks that happened in South Korea in 2013 were very similar to what was being used for Sony. So they attributed those 2013 hacks to North Korea, so therefore it was North Korea behind this. So at RBS we were actually documenting this whole thing, and we've got this big article, like a breakdown of it, trying to track everything that was going on. And we started to think, right, you've got CrowdStrike and you've got Norse, these two ridiculously funded VC companies, the hottest threat intelligence, with ridiculously polar opposite positions, like, it's an insider, and this is North Korea, and they were both sort of arguing. So it made us sort of start to think about these bold statements. If you make this bold statement and it turns out to be wrong, does it mean that the intelligence you sell sucks? Can't be trusted, right? You come out and say, oh, this is definitely it, and it's proven wrong, then is your product any good?

So what we see happen is, all that stuff's going on in December 2014, then in January we see the FBI come out and again say, hey, look, it definitely is North Korea behind this. A week or so after that update, we see Krebs come out and say that there are some rumors that Norse is about to implode, right? And they're the ones, remember, that said it was an insider, not North Korea. Whether that has to do with it or not, it's quite interesting. Further on that, in March of 2016, you can see this tweet, sadness defined. This is the RSA booth. It looks like they threw down a huge amount of money for a booth and then it was this kind of deserted smaller thing, right? So, not so good. And everyone was immediately worried, right? We're gonna lose the live attack map.
And while most people that I know couldn't care less about that, they like showing it to management to get more budget, right? Like, look at the serious stuff we get in cyber, right? We need help. But the good news is, we have good old Threatbutt that's come back to help us again. Serious, right? The Threatbutt internet hacking attack attribution map. And you can see here, by leveraging the patented Clown Strike technology, they've made it even better, right? So they did give credit to Pew Pew, but they make all the threat stuff better.

Alright. So why is this attribution stuff so hard? It's actually even hard to put into words, and there are people that disagree. If you're in this space, I'm sure you're already upset. You're upset at me, or tweeting me bad things or whatever, but the reality is, it's still challenging, right? So I want to put out a few things on why attribution in cyberspace is a little tricky. A lot of the attributes that you typically see in the real world just don't exist in the cyber world. So that sort of hardcore CSI forensics investigation work just isn't as possible, right? It's considered to be easy to spoof some of these things, plant these things. It's considered to be easy to embed other people's work: tools, exploits, malware. Just because you see this sample in this particular attack doesn't mean it was the exact same person, right? Someone could have easily taken that code. Now, people in this space will get a little snippy sometimes and say, well, if the source code wasn't available, there was no way it could have been found. I mean, there are lots of debates about this stuff, but it makes it challenging. And then there's that whole concept of not having a physical territory, right?
Some markers that you'll hear in the cyber warfare world, or the traditional warfare world, like an assembly zone, boundaries to cross, being able to track things back, specifically like a missile launch. All those sorts of things just don't really exist in cyberspace, right? And honestly, I have so many slides to get through, because as I'm working on this talk, there's just more and more shit happening, right?

So then we have the DNC that gets hacked. And it's actually so bad that Jeff and Black Hat decide they gotta raise some money for them to get better at security, it seems. So, anyway. So this one, we have the issue, right? And then we have Guccifer 2.0 that comes out and takes credit for the breach. So now we're starting to look at attribution in terms of taking credit for it. If you know anything about the original Guccifer, it was a Romanian man who hacked lots of high-profile government accounts, claimed to hack Hillary's private email servers, all those sorts of things. And Guccifer 2.0 goes on to say that Guccifer may have been the first one who penetrated Hillary's and other Democratic mail servers, but he certainly wasn't the last. No wonder any other hacker could have easily got into these DNC servers, right? So then, again, we go immediately in the press to, alright, cyber attribution, and questions there. And so everyone's immediately trying to figure out who did this. It seems like an absolute broken record. And Dmitri's back, right? And CrowdStrike tells us this time it's Russia. Now, what's interesting for this one is it's a little bit different than the Sony one.
There were a lot of people sort of arguing on both sides on the Sony one, but so far most people seem to agree and are saying that it's Russia in this particular case. Actually, the only one so far that I've seen that hasn't said it was Russia was Donald Trump, who was being interviewed and said something like, Russia, Russia, eh, it's probably China. So now China's somehow brought in, allegedly. But here we actually have Fidelis, they're another security company, and they came out and basically said they are also very confident that it's Russian actors. And what they said was that they looked at the code, there was use of the Russian alphabet keyboard and the time zones some of the malware was compiled in, those sorts of things. They also went on to say that the evidence pointing to Russia was so convincing it would have to have been a very elaborate scheme for it to be anyone else. And so that's a little, I don't know. I look at it and I start thinking, these are the things that people complained about the last time around, that could be spoofed, and all those sorts of problems. So the wording that they're using is a little tough.

Alright, so the media right now still isn't clear. There's another article that's published saying, hey, is this an individual? Is this a Russian front? Even though I see most of the security people agreeing, they're sort of saying experts aren't so sure. Can you imagine that? We don't agree in the security world. CrowdStrike were the ones hired by the DNC. But again, everyone sort of does point to Russia right now. We have Clinton stating it's Russia. She draws some sort of line to Trump, maybe. It's a bit confusing, because it sounds like the DNC's been owned for a really long time. So in my mind, Trump wasn't even considered a candidate then, but now we're blaming him for potentially doing it.
And the reason why I think this one's interesting is because now it's not just who did it, it's who's behind it trying to orchestrate and make people do these hacks, right? So we're just getting more and more of this sort of stuff, and the conversation about what is there to be gained and who can gain from these attacks. Alright, now we're getting a little more interesting in the DNC, because shortly after the DNC hack was attributed to Russia, it's now reported that there's a professional cyber attack that hit the Russian government. So we start thinking hack back now, right? And so some articles come out saying that the NSA is likely hacking back due to the DNC hack. Now, most of you aren't giving me blank looks, you're giving me dirty looks, saying, hey, you think this is the first time the NSA has been hacking all over the place? But other people will say, and start to believe, that this may be the first major time that a sanctioned nation-state hack back has occurred, right? So we just keep going down this path.

So it leads us to the question of, does it actually matter if we get cyber attribution correct? Do we even care, right? For most companies and organizations where you work, does it really matter who attacked you? You've got to deal with the breach, you've got to deal with the problem, you've got to deal with the fact that you got hacked, that's the issue. That's not going to change a whole lot about financials or whatever else, right? But for other cyber attribution, it does really matter. Because after the Sony attack, when the FBI concluded it was North Korea, the USA imposed new sanctions on North Korea in response.
In February of 2016, Congress sent a North Korea cyber sanctions bill to Obama, saying that anyone that's caught aiding the country's cyber crime is going to get penalties now as well. So we're seeing the attribution leading to real world things. Last month, North Korea expressed their thoughts about the US sanctions. The foreign ministry issued a statement carried by the Korean Central News Agency, basically saying the sanctions on Kim and 10 other individuals and officials were peppered with lies and fabrication, and then went on to say that now that the US has declared war on the DPRK, any problem arising in relations with the US will be handled under the latter's wartime law. So, even though there's a lot of rhetoric that comes out of certain countries, we're seeing things escalate based on attribution. And then just a few days ago, it's reported that the United States is considering economic sanctions on Russia for hacking, right? Nefarious activities in cyberspace, and that economic sanctions have been used before, and they could possibly be used in preparing a response to cyber threats.

So how can we actually figure out what's going on behind these hacks? Or why can't we, might be a better question, right? Security firms typically don't agree, we can't trust when people are claiming attacks, it's easy to hide IP addresses via proxy servers, Tor, etc. Correlations, as we've already talked about, between certain pieces of malware really aren't hard evidence, although people in this space will debate that to the death. Information and evidence many times isn't fully shared, to protect sources, so they just say, trust me, this is what it is. And then there's this whole behavioral analysis of writings and things like that, which doesn't come across to many as very hard evidence.
So then, as we go from there, the question becomes, do we actually need to improve our cyber attribution capabilities? And, you know, I don't really care for the folks that think they're doing it really awesome and it's good enough or perfect, that's great. There are still others that aren't so sure, but I think that if we're gonna be punishing countries and getting more of this active war rhetoric, we better be damn sure, when we come out and say something and have to do something about it, that we actually know what's going on. And so regardless of whether you're on one side or the other in terms of how we are with attribution right now, I think we can all agree that we need to continue to invest in and improve digital attribution. It's clear what impact it can have. And there are a lot of smart people working on this, so I think that's great.

Alright. So this leads us to the Arrest Tracker project. What we wanted to do was collect data to hopefully better understand what's going on with cyber crimes, right? Another viewpoint to add to attribution, and a much different lens. And so Arrest Tracker was originally founded by Lee Johnstone. He's also the founder of Cyber War News, if you've ever followed any of his stuff. Really smart researcher. And so it was founded in 2013. And the project aims to track computer intrusion incidents resulting in arrest, detaining of persons, seizure of goods, and all sorts of other things. Tracking incidents from all cyber. Again, if you have alcohol, drink. I've been trying to say it as much as I can. Also, if you notice, in the lower right hand corner it says cyber on every slide. So I wanted to make sure we were gonna get to where we needed to for later tonight. And hacking related incidents. So right now there are over 1,400 incidents collected.
And it's more than just arrests, but we ended up finding out that if you just say you're only gonna track arrests, there's a lot that goes on around it. So it's more than that. We're labeling it cyber crime. And now, as of today, the project is officially launching. You can go out and sign up and check it out. So it's a website. You can check things out, et cetera. It's arresttracker.com. So, the fields in there, we're trying to figure out all the different fields that we're trying to track. And with any project, if you've ever done data work, you start out and try to track a few fields and all of a sudden you're like, what about these? And you just keep adding stuff on, right? But so far we're trying to track things like the profile: name, alias, gender, age, location, are they part of hacker collectives, operations, all those sorts of things. In terms of the incident: when did it occur, which country, arrested, charged, raided, all that sort of stuff. And then even looking at things like courts: was there a deal, was there a trial, fines, fine amounts, convicted, sentenced, all those sorts of things. And even some more things about the legal side and authorities.

Alright, so what can Arrest Tracker help us with? Well, first, we definitely need to recognize there are some limitations with the data, right? So, some disclaimers. If you're a data scientist or a data security metrics nerd and you want to come give me grief, I get it. But we're trying to start looking at the data so we can have some data sets to look at as we improve and get better. But you have to remember there are some limitations. We have to remember that this is mostly about arrest data, right? Arrest incidents is what we have the most of. And so it tells the story from that viewpoint.
We've expanded, as mentioned, to cover more cyber crime, and we're going to continue to map as much as we can. We're using data based on reported arrests and raids, right? So we're gathering everything we can from the media. So if the reporting is bad or wrong, it's an issue, right? We do source everything in there, to try to have our own attribution to where we got the information from. And if the courts are wrong, which, when has that ever happened? Right? That's an issue too. But we're pulling in all the data that we can and putting it in. We also need to remember that in many cases the government allegedly would rather track and follow criminals instead of arresting them, for various reasons. So, again, we're only adding in data here that has had some sort of crime, prosecution, arrest, et cetera.

So, with that said, what can Arrest Tracker tell us? Well, quite a bit, actually. Detailed statistics about crime arrests, who's behind these data breaches and crime, what are the demographics, what's going on with extradition, details on sentences, monetary fines, learning about law enforcement and what's going on, certain judges and how they view cases, and then profiling a hacker, and I'm sure anything else that you guys can think of we can ask the dataset. So most people are always asking us, you know, what is a hacker? What's the profile of a hacker? And the media basically has settled in on the ski mask behind the laptop, right? We all agree on that. I sort of thought it might be funny and interesting if I asked Google Images what it was, and here it is, and what I found was, as long as you have a hoodie on, you're a hacker in Google's mind. But we also have a couple of new faces now with Mr. Robot, right? So these are some new faces of what a hacker is.
But what's even more interesting is these are the real faces from Arrest Tracker behind the project, right? So we're tracking what folks look like and all those sorts of things as well. So you can see, this helps us better understand. Looking at the timeline, here's an eye chart for people way in the back, it shows that there have been crimes and incidents going back to the 1970s, right? There were some, and you can see that over the course, but really not a lot of activity in this space, or incidents that we've tracked, until the 2000s. If you drill in closer on the 2000s, you can see that things are on the rise without a doubt. We're seeing a lot more activity in this space. So the cyber incidents over the past decades: in the 70s we saw 2, the 80s 37, the 90s 59, the 2000s 345, and in the current decade 988 incidents. So we're seeing quite a bit that we're adding in. Now, that being said, there is a lot of old research. So Jericho of attrition.org has it on his to-do list. It's been on it for a while, actually. I'm gonna have to give him some grief to go through some of these old books and pull out some more incidents from the 70s and 80s. So we definitely need more help and more research putting in some of the older things as well.

So the oldest incident from the 70s we actually have is from 1971. And that's this screenshot of what the Arrest Tracker profile looks like, where we're trying to capture all the different bits of data. And so you can see here, Hugh Jeffrey Ward. It occurred in '71. He was 29 years old at the time. He was accused of breaking into the ISD computer systems and stealing data. Trade secret theft, pled guilty, fined $5,000 and 36 months of probation. So that's 1971. Now, does anyone recognize this picture? There's laughing, but does anyone really know it?
The guy that had the most friends on the internet for a while? This is Tom! There we go, right? This is Myspace Tom. So Myspace Tom, maybe people don't know this, he was a co-founder of Myspace, but the media back here reported him as a real life WarGames hacker in the 1980s. And so he was also known as Lord Flathead, aka Myspace Tom. And so this is his profile in Arrest Tracker. In 1985 he had an issue. He was about 14 or 16 at the time, there are some conflicting reports there. But he allegedly hacked into Chase Manhattan Bank, told his friends how to do it. The FBI raided him in California and seized all of his computers. And so no charges or criminal convictions have ever been made related to this incident. He was a minor at this time. So, again, that's one of those reasons why we expanded the project out from just arrests into tracking a bit more stuff. So, 1980s Myspace Tom.

And what's interesting about this, as we've been collecting each of these incidents about the people and what's going on, each incident in Arrest Tracker has a story to be told, right? And so from the 90s, you know, we pulled out some folks. The Mitnick story's been told many times, even last night, you know, we had the movie night of the 2600 stuff, but there are many other people in here that each have their own story to be told. Here's from the 2000s, some notables that you may recognize or not, but some of these folks, you may not know what they were up to, and they have their own story. And then here are some more recent arrests, and some of them have some really bad and sad consequences of our legal system as well. So there are lots of other notable arrests out there for various reasons.
Things like the first prosecution of a particular crime, the severity of a crime, the length of a jail time or what the fines were, potential overreaching of regulatory actions, impact to those accused, etc. Alright, so some statistics on arrests. So, we get asked just absolutely all the time, anytime we mention arrest tracker, it's the profile of a hacker. That's the biggest question that comes up. So, we knew that once we had a fair amount of data, we needed to start looking at the demographics of things. And so we started with age. And so the youngest age that we have is 12 years old, believe it or not. Traded pirated information to the hacktivist group Anonymous for video games. Um, so, sentenced to 18 months, includes limited access to internet devices, 30 hours of community service, and under supervision for 6 months. Uh, the boy also had to choose some sort of structured activity of his choosing. This was in 2013 in Canada. So, 12 years old is the youngest. And the oldest, though, was 66 years old. Um, John McHugh, a guy named Devilman as well. Um, male, busted for selling cards on the dark web. Uh, this was in the United Kingdom and he was jailed for 2 years. So, you can see this one. And so, what that led us to look at is we knew we had the youngest at 12 and the oldest at 66, but what's sort of the breakdown in the distribution of ages, right? Most people, when you say, you know, who's hacking, who's doing all this stuff, it's some bored high schooler, or, uh, you know, some college university student on spring break. Um, but what we saw from the distributions, as you can see, 18 through 25, 349 incidents, and 26 through 35, 304 incidents. So, those were the largest groups while there were still other age groups. And that currently leads us to an average age of 27 years old. And then we want to look at that 27 year olds across all the years to see, you know, how was it year over year?
And it was pretty spot on year over year in that range. All right, gender equality. Uh, gender equality is a big thing. There's been a lot talked about this all over the place, and so we thought, hey, we should look at the same thing to see, you know, what's the breakdown in genders, uh, for crime and arrests, and yeah, it's all guys. So, we still have a little more research to do here, um, but in general it was 81 plus percent were male, um, and so we're going to do a little bit more work in this space, but again, just trying to get those profile demographics. So, which countries do most hackers reside in, or what's in our world, what's the country of origin for the arrest? Um, we get asked this all the time as well, and everyone really thinks this is going to be, you know, it's going to be China, right? This is what it looks like with just Chinese hackers everywhere. Um, but again, if you think about what we're doing with arrest data, it's based on arrest data, right? And so obviously for us, United States is number one, right? You can see there. Note that China's number 10 in this. So there are arrests and there are crime, uh, things going on, but because of the data and the lens that we're looking through, number one is the United States and number two is the United Kingdom. Now, collectives. We wanted to get our heads wrapped around, do most folks that get in trouble, um, in a cyber crime area, are they sort of solo, like lone wolf hackers on their own, or are they part of some sort of collective? And also, if one person gets arrested, does that mean that like a bunch of others are going to follow? And so in arrest tracker, there's 58 known collectives that have had some sort of confirmed incident. And we see that Anonymous is at the top with 130. So anytime that we'll find out about an issue, if it's related back to a collective, then we go ahead and add it in.
Same thing with hacker operations. We want to start trying to get a better feel for when you talk about these hacker operations and what they're going after, you know, how many are they and what did they lead to in terms of arrests or any crime sort of prosecution. Right now we know about 21 hacker ops, uh, with Operation Payback at the top. And for some of you old school folks in there, you'll laugh at a couple of the other ones. Alright, so is an arrest inevitable? Are you definitely going to get arrested? So if you look at it in terms of the data breaches, right? So in 2016 year to date, we already said there's approximately 2000, uh, data breaches year to date. We've seen 70 confirmed arrests so far. Uh, in 2015 there were approximately 4000 data breaches and we saw 134 confirmed arrests. Going back to 2014, sort of the same message, right? Approximately 3000 data breaches, about 47 arrested. So nowhere are we seeing, um, you know, in terms of a data breach equaling arrests, right? Um, and what's interesting is the data so far shows that there's 610 days on average from when a crime happens, if you will, until the incident or the arrest. So there's definitely a tail from when something occurs to when there's some sort of prosecution or raid or whatever. And we're going to continue to add data and stats in that regard. Alright, so then we started to wonder, maybe silly things, but when would you be most likely to be raided or arrested? Which day would it be? Anyone have a guess? I think I heard it over here. Hello Monday, right? So someone maybe had a bad case of the Mondays. Could be really bad, right? Uh, we originally guessed when we thought about it, we thought it would be on a Friday, but it looks like, looking at the data, you get to enjoy your weekend and then on Monday it's gonna be a real bad day for you potentially. And then we started asking other questions like what part of the year, what month would it be, right?
And arrest tracker could tell us that same thing. No one ever gets this one right, so I won't even ask you guys, but April seems to be, uh, when more showers can come onto the hacker community as well. So now countries pursuing cybercrime, as you can easily guess, USA is the most active number one, right? But the top 10's somewhat surprising in some cases and, and China, no they're not. So, um, they're not the most active, they're not in the top 10 pursuing cybercrime, okay? Um, we started to look at things like extradition, um, and we're currently seeing that only the USA has any, uh, extraditions that are tracked. And there's 42 of them that we're aware of. And so you can see the top 5 countries: Russia to the United States at 8, uh, Romania to the US 7, Estonia to the US at 6, Canada to the US at, uh, 3, and the United Kingdom 3 as well. Not every country allows the USA to extradite folks, but there are treaties in place with more than 100 countries out there. Here's a quick little map of it, you can see in the darker purplish, uh, color, that's the USA and all the blue ones are places that we allegedly, according to Wikipedia, have, uh, extradition treaties. So now we looked at jail time. The longest jail time that we had, the worst case, we thought what would that be? And what we found was it was actually crazy. 334 years. So, uh, a guy in Turkey, he created fake websites, then impersonated banks, and I think the lesson that arrest tracker will tell all of you right now is don't mess around in Turkey, because it's bad news there in terms of jail time, right? We started to look at fines, and we wanted to understand things, what's the average fine, what's most common, uh, the largest fine, et cetera. And what we found was the average fine that we know of right now is a million US dollars, but the most common fine, that occurred 13 times, uh, in the database, was $5,600.
The largest fine was, uh, the WorldPay hacker Victor, 8.9 million US, uh, dollars, and he was convicted and tried in a Russian court under FBI charges. The other thing, too, that goes on is there's some people that just can't help themselves, they just can't stop. Um, so many times, you know, there'll be cases, multiple cases that are consolidated into one case, so this can be a little bit hard to figure out sometimes, but we've been able to find through arrest tracker that, uh, seven times, uh, the average fine that we know of... uh, 17 people have had multiple arrests. And we're asked all the time, this is another question we get asked all the time, is how many people when they get busted are assisting authorities. And so we do have the fields in arrest tracker to track this. However, it is pretty rare, uh, and it's hard to find this data, but when looking through the database right now, there are 30 people that have confirmed, uh, to have assisted the authorities in some fashion. Alright, so getting down to this: what is a profile of a hacker? So the data suggests that really there's no single hacker or cyber criminal type, right, that's sort of a bit all over the place, but if, uh, we were forced to say what the profile of the hacker is based on averages and things that we can find, uh, gender is gonna be male, the age range is gonna be 18 to 35 or in the average 27 age range. Again, gonna be in the US. A lot of that is because, again, the arrest data that we source. But if not the USA it's gonna be the UK or Philippines. Uh, the crime will be hacking. If it's not hacking then after that it would be some sort of cyber fraud or data theft that we classify. And most likely active since year 2000. Motivation right now, still having problems tracking that in a relevant way, so we're still trying to figure out what we can do in arrest tracker to make that a bit more clear. Alright, most wanted. Who hasn't been arrested yet?
Well, I'm not sure if everyone knows this or not, but the FBI at their website maintains a listing of wanted cyber folks. You can go out there and check it out. There are 28 total listed as of just this week. Uh, they have a profile basically on everyone that's listed up there, so they'll have your, you know, your picture and a wanted poster and then, uh, an alias and a whole bunch of other information. You know, weight, eye color, all that sort of stuff. And then details on the rewards that they'll offer if you can help bring them down. Some other remarks. Um, and there's this other section that's called Caution. Uh, that'll put a lot more details on what they were up to and even mention things like if they're considered a flight risk and all those sorts of stuff. And in this particular case, uh, offering a reward up to 3 million dollars for the information leading to the arrest or conviction of this particular, um, guy. So you can see here, here's a listing of all the images from the website. Um, the profile looks a little different than the arrest data that we've been talking about, right? Um, and what's interesting, if you had to guess the total amount of reward money all added up, uh, it's about 4.49 million dollars in potential rewards if, uh, someone informed on all these people to the FBI. What we're also starting to see too is, um, when hackers are doxed or when information becomes aware, are they definitely going to get arrested? And so what we saw in March of 2016 is GhostShell, many of you know, uh, doxed himself. He revealed himself. Uh, and he described that he has been active since January 2012, that he was one of the ones that started OpRomania. He's attacked the FBI. Uh, and the government, all those sorts of things. So this is, you know, March 2016.
But then here he's leaking 39 million accounts in protest and that was in June, right? So, uh, all the information about him, he came out and basically said everything, who he was, etcetera, but he's still active. And so it's clear that for us we still want to make sure we understand a bit more about law enforcement's answer. Alright, so as we're wrapping up here now, so what's next for us? Well, the actions are clear for us: data quality is top of our mind, we want to make sure that we continue to have the best data, that we can have everything that we need so we can answer these questions as best as we can, but at the same time answer all the questions that people have for us. So if you find something wrong and you log into the project, please tell us, right? There's no pride in authorship, we want to fix things up. We care about the data, we want it to be accurate and we want more data. We want to increase coverage of cyber crime events, we want more data fields per incident, by person, all those sorts of things. So if you're interested in helping out, please do. For future ideas and features that we're looking at, we're trying to add more data fields about individual persons. So the ability to handle complex issues, things that you wouldn't necessarily think of, like a Romanian national that lived in Canada for 15 years but then was arrested in the United States, right? We want to be able to try to track some of those things. We get asked about location and profile, we get asked about data and what it tests for, and we can explain it a bit more. A lot of thoughts have been going into an ability to track motivation and then mapping to known data breaches so we can understand impacts and all those sorts of things. You know, are there certain types of hacker profiles that go in after certain types of industries, et cetera?
More work on the most wanted. Some thoughts we've thought about are, you know, how long are they on the most wanted before they get arrested? Things like that. Now how many people that have been arrested work for security companies, right? And then even a subsection for piracy and all those sorts of things. So that's something. So what comes next? Are we going to see arrests in cybercrime prosecution increase or decrease? We think the answer is going to be increasing. We're trying to figure out what the legal environment is going to look like and if that's going to get more harsh. And then can we take this data from arrest tracker and actually apply it to your work, right? Can you use this to help you not just, you know, laugh about, yeah, it's Monday and April and those sorts of things, but if you're in the legal space, can you look at how things are happening? Are there overreaching regulations in your day-to-day job? Can this help you figure out how to be defensive, et cetera? So we're open for new ideas. If you're interested in working with us, we'd love it. If you've got other ideas, we're open to that feedback. And if you want to help, definitely please contact us. So I'm going to stop here. I want to thank Lee Johnstone for all his hard work founding the arrest tracker project. It's a ton of data. It's a ton of work. I want to thank Brian Martin for all his help. I want to thank everyone else that's been interested and hung out here and been drinking with us for this session. And thanks to the DEF CON CFP team for the opportunity to present. So believe it or not, this was 140 slides and cyber was pretty much on every single one of them. So I hope you guys had fun playing along. Look forward to seeing you tonight. If you have questions, I'll be over here. Thank you. Thank you.