Hacker in Snowflake extortions may be a U.S. soldier

(krebsonsecurity.com)

131 points | by todsacerdoti 4 hours ago ago

51 comments

  • alsetmusic 3 hours ago

    > Kiberphant0m denied being in the U.S. Army or ever being in South Korea, and said all of that was a lengthy ruse designed to create a fictitious persona.

    >

    > “Epic opsec troll,” they claimed.

    If this were really a fictitious persona meant to lead investigators away from their true identity, they'd never admit to such. This sounds like someone trying to deflect upon being found out. I'd wager that this person is going to be caught.

    Krebs has an image of a mind-map at the end of the article showing links between the aliases.

    • gostsamo 44 minutes ago

      Let's just not believe anything said by an untrustworthy person. What they say should not calculate in what we believe to be true, but only evidence we can verify.

    • horeszko an hour ago

      > Kiberphant0m denied being in the U.S. Army or ever being in South Korea, and said all of that was a lengthy ruse designed to create a fictitious persona. “Epic opsec troll,” they claimed.

      This is called a "double cover story", a classic deflection when someone is caught or exposed.

      • asimjalis an hour ago

        It could be a triple cover story. The faked double cover story is meant to deflect.

        • tedunangst an hour ago

          Maybe even skipping the quadruple cover story and going straight to the quintuple. A true pro.

          • function_seven an hour ago

            I always play the (2n+1) game myself. (Or do I??)

          • _carbyau_ 33 minutes ago

            "Fuck everything, we're doing five covers." ... "Put another misdirect on that fucker, too."

          • labster 19 minutes ago

            Good luck, I’m behind seven cover stories

    • johndhi an hour ago

      It also seems like bad opsec if he creates multiple aliases for the same theme. Wouldn't you want to have one US soldier, one Russian, one African, etc. if you are trying to create red herrings?

    • asimjalis an hour ago

      Maybe he is operating at the next level. He is deflecting because the investigators will think that he is trying to lead them away from his true identity and become even more convinced of it, which is exactly what he wants.

      • CoastalCoder 30 minutes ago

        Truly next level would be for him to be one of the investigators.

        • chefandy a few seconds ago

          But little did he know the other instigators were investigating him… or so they thought…

    • dookahku an hour ago

      > This sounds like someone trying to deflect upon being found out. I'd wager that this person is going to be caught.

      that's what a super epic opsec troll would want you to think

      • Terr_ an hour ago

        "You fell victim to one of the classic blunders! The most famous is 'never get involved in a(nother) land-war in Asia', but only slightly less well-known is this: Never go up against a once-Korean-resident when death is on the line! Aha-haha-hahaha!"

        https://www.youtube.com/watch?v=pRJ8CrTSSR0

    • PittleyDunkin an hour ago

      Eh; let's wait and see. For any claim of insight there's an equivalent claim of fabrication. Any such analysis that relies on this is inherently flimsy.

    • rudolph9 2 hours ago

      Or it’s part of the troll.

      • uoaei 2 hours ago

        Bothsidesism has crept into ... US counterintel agitprop?

  • teractiveodular an hour ago

    > “Type ‘kiberphant0m’ on google with the quotes,” Buttholio told another user. “I’ll wait. Go ahead. Over 50 articles. 15+ telecoms breached. I got the IMSI number to every single person that’s ever registered in Verizon, Tmobile, ATNT and Verifone.”

    SBF levels of self-pwning right there. When, not if, they catch him, the Feds are going to hang this clown out to dry.

  • gregw2 2 hours ago

    Any insight based on a histogram of the timing of this person's posts, particularly ones responding to a just slightly earlier post? (i.e. was clearly awake and not an artificially delayed response).

    Krebs knows about this timezone analysis technique, wonder if he didn't check this or it was inconclusive?

    • t-3 2 hours ago

      Is that effective for people who aren't literally being paid a salary to do this stuff 9-5? A lot of people who spend too much time on computers have totally out-of-whack sleep schedules that would look like they're operating from very different timezones.

      • alwayslikethis 31 minutes ago

        You can also schedule your posts, commits, etc to go out at some fixed hours each day.
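
The timing analysis gregw2 asks about, with the two caveats raised in the replies (irregular sleep schedules, scheduled posts), worked through as an added example. This is not code from the Krebs article or from any commenter, and every timestamp in it is constructed for illustration; it is not the real account's posting history. The approach taken here, filtering to quick replies, then scanning whole-hour UTC offsets for the one that puts the fewest of those replies into a local sleep window, is one reasonable way to do what the comment describes, not the only one.

```python
"""Timezone inference from post timestamps (added example, constructed data)."""
from collections import Counter
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


def ts(s):
    """Parse 'YYYY-MM-DD HH:MM' as an aware UTC datetime (helper for the sample)."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=UTC)


# Constructed sample: (post time, time of the post being replied to, or None).
# The quick replies cluster between about 23:00 and 14:00 UTC, i.e. 08:00 to
# 23:00 for someone operating at UTC+9. Purely illustrative, not real data.
SAMPLE_POSTS = [
    (ts("2024-11-01 23:10"), ts("2024-11-01 23:04")),
    (ts("2024-11-02 00:30"), ts("2024-11-02 00:22")),
    (ts("2024-11-02 02:15"), ts("2024-11-02 02:10")),
    (ts("2024-11-02 04:45"), ts("2024-11-02 04:40")),
    (ts("2024-11-02 07:05"), ts("2024-11-02 06:58")),
    (ts("2024-11-02 09:20"), ts("2024-11-02 09:11")),
    (ts("2024-11-02 11:40"), ts("2024-11-02 11:36")),
    (ts("2024-11-02 13:55"), ts("2024-11-02 13:49")),
    (ts("2024-11-02 14:20"), ts("2024-11-02 14:12")),
    (ts("2024-11-03 01:05"), ts("2024-11-03 00:59")),
    (ts("2024-11-03 05:30"), ts("2024-11-03 05:27")),
    (ts("2024-11-03 12:10"), ts("2024-11-03 12:01")),
    # Noise that a naive histogram would count as 04:00-05:00 local activity:
    # a top-level post with no parent (could be queued) and a reply six hours
    # after its parent. Neither proves the author was awake at that minute.
    (ts("2024-11-02 19:00"), None),
    (ts("2024-11-02 20:00"), ts("2024-11-02 14:00")),
]

# Constructed feed where everything fires on the hour: a scheduler, not a human.
SCHEDULED_SAMPLE = [ts(f"2024-11-0{d} {h:02d}:00") for d, h in
                    [(1, 9), (2, 9), (3, 9), (4, 13), (5, 9)]]


def quick_replies(posts, max_gap=timedelta(minutes=15)):
    """Keep only replies posted within max_gap of their parent. Those are the
    posts that show the author was online at that moment, which is the
    signal gregw2 describes; everything else is dropped as ambiguous."""
    return [t for t, parent in posts
            if parent is not None and timedelta(0) <= t - parent <= max_gap]


def hour_histogram(times):
    """Count posts per UTC hour of day."""
    return Counter(t.hour for t in times)


def candidate_offsets(hist, sleep_hours=range(1, 7)):
    """Return the set of whole-hour UTC offsets under which the fewest posts
    land in the local 'asleep' window (default 01:00-06:59 local).

    Several offsets normally tie, so the result is a range, not a fix, and it
    assumes a conventional sleep schedule. With a nocturnal or irregular
    schedule (t-3's point) the window is simply wrong and the answer with it."""
    sleep = set(sleep_hours)
    scores = {off: sum(n for h, n in hist.items() if (h + off) % 24 in sleep)
              for off in range(-12, 15)}
    best = min(scores.values())
    return {off for off, score in scores.items() if score == best}


def looks_scheduled(times, threshold=0.8):
    """Flag a feed where most posts share the same minute of the hour, the
    signature of posts queued for fixed times (alwayslikethis's point).
    Such a feed says nothing about when the author is actually awake."""
    if not times:
        return False
    _, n = Counter(t.minute for t in times).most_common(1)[0]
    return n / len(times) >= threshold


if __name__ == "__main__":
    replies = quick_replies(SAMPLE_POSTS)
    print("quick replies kept:", len(replies), "of", len(SAMPLE_POSTS))
    print("UTC hour histogram:", sorted(hour_histogram(replies).items()))
    print("plausible UTC offsets:", sorted(candidate_offsets(hour_histogram(replies))))
    print("scheduled-looking feed?", looks_scheduled(SCHEDULED_SAMPLE))
```

On the constructed sample the filter discards the two posts that fall in the 04:00-05:00 UTC+9 range, and the offset scan returns UTC+8 through UTC+10 rather than a single zone: twelve data points bound the answer but cannot pin it down, which is the kind of inconclusive result that would make a reporter leave the technique out of an article.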

  • juunpp an hour ago

    I guess we'll soon find out how well the NSA normalizes its databases. Bring on that schema, folks.

  • antihero 3 hours ago

    Couldn't literally all of this just be a bunch of misdirection?

    • mikeyouse 3 hours ago

      In theory, sure, in reality it's almost always much more benign and they have terrible Opsec over time that allows people to piece together their identity. Especially if they reuse usernames across services.

      • JohnMakin an hour ago

        It's always crappy opsec that gets people otherwise very savvy.

    • duxup 2 hours ago

      I feel like leaving a bunch of misdirection would also risk just leaving real traces behind in some ways.

      At least in my mind leaving some false trails behind, when I run through scenarios, seems like it could leave actual trails / to the point of not being worth the extra risk.

  • fnord77 2 hours ago

    Being a high-stakes criminal is too difficult. One slip-up and you're compromised. There's a million opportunities for slip ups and there's a million opportunities for investigators to get lucky.

    • alwayslikethis 29 minutes ago

      True, but you only hear about the ones who slipped up. I wonder what is the actual proportion of criminals being caught due to poor opsec.

  • excalibur 2 hours ago

    > Immediately after Kiberphant0m logged on to the Dstat channel, another user wrote “hi buttholio,” to which Kiberphant0m replied with an affirmative greeting “wsg,” or “what’s good.”

    It's kind of unfortunate for him that he didn't do a better job of referencing Beavis and Butthead. If his username was "Cornholio" or even "Bungholio", it could read as someone directly referencing the show and potentially unrelated to the other account, making his deniability a bit more plausible.

  • assanineass an hour ago

    They already arrested them right?

  • duxup 2 hours ago

    >‘BUTTHOLIO’

    These guys always seem to have the most stereotypical or corny hacker handles. Is that expected / desirable in that community?

    • aaronbrethorst 2 hours ago

      corny

      I see what you did there.

    • juunpp 2 hours ago

      The real question is: who calls their company "Snowflake"? It's just crying to get stomped on.

      • mulmen an hour ago

        Snowflake is a type of multidimensional schema. It's a normalized star schema. Both named for the appearance of their entity relationship diagrams.

      • Der_Einzige 2 hours ago

        Snowflake did the biggest epic fail of the ZIRP era. They bought streamlit (a python GUI front end for ML demos) for 800 MILLION dollars.

        https://techcrunch.com/2022/03/02/snowflake-acquires-streaml...

        Huggingface bought its biggest competitor, Gradio (still used more than Streamlit) for an "undisclosed" amount of money a year or so beforehand. I'd wager HF paid on the order of 1-5 million.

        • rajamaka a minute ago

          Comparing a disclosed sale price to an unknown theoretical sale price is a bit unfair though. Maybe it was 801 million.

        • bagels an hour ago

          That is amazing! What a coup. I thought streamlit was pretty cool, but surely it wasn't $800m cool.

    • internet101010 2 hours ago

      Give them a break. They need tp.

    • Apocryphon 2 hours ago

      I do think it’s funny how that might be a character revealing moment, suggesting the hacker is Gen X or at least elder millennial age.

      • A4ET8a8uTh0 2 hours ago

        I did toy with the idea of trying to do analysis of HN aliases and keywords. It never went anywhere, because I forgot about it, but a longer weekend is coming :D But yeah, language betrays who we are, in references alone.

    • taspeotis 2 hours ago

      I believe the hacker known as 4chan once explained they choose their handles “for the lulz”

      • Apocryphon 2 hours ago

        Legion of Doom / Masters of Deception would like a word.

        • tedunangst an hour ago

          Phiber Optik just doesn't have the same haha you said peepee vibe.

    • heromal 2 hours ago

      Yes

  • ChumpGPT 2 hours ago

    Seems like the guy has been fucking around for a while. No wonder none of our allies want to share intelligence or plans with us. The US Military is a liability when it comes to keeping shit secret, they leak like a sieve. They need to get a handle on this shit, who knows what this guy has given to the Russians or Chinese.

  • markus_zhang an hour ago

    My two cents:

    - The "hacker" (I'm reluctant to use this term) seems to be too high profile for some reason;

    - We should discard Telegram

    • shdh an hour ago

      What does "discarding" Telegram mean?

      • markus_zhang an hour ago

        We should not use Telegram -- sort of. I wonder whether Signal is better.

        • wffurr an hour ago

          Not sure Signal would have made a difference for this criminal. All the data on them I saw in the article was likely captured by someone in the channel / group message.

          It’s just plain poor opsec, but I kind of expect that from someone with poor enough judgement to be a criminal.

        • xvector an hour ago

          Signal is absolutely better. Telegram is e2ee in name only