Season 3 / Episode 140
Alexey Ivanov was exactly the kind of person to benefit from the early-2000's dot-com boom: He was bright, talented, and knew his stuff. His only problem was the fact that he was born in Chelyabinsk, a sleepy Russian town in the middle of nowhere…when he sent his resume to American companies, nobody was willing to bet on him.
Alexey came up with a 'brilliant' idea: hacking American corporations, and then blackmailing them - forcing them to hire his services as a 'security consultant.'
Hosted By
Ran Levi
Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, he created the popular Israeli podcast, Making History, with over 14 million downloads as of Oct. 2019.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.
Special Guest
Ray Pompon
Director F5 Labs, Threat Research, for F5 Networks
Twenty years in infosec matching security requirements to business objectives, identifying technical risks, and ensuring regulatory needs are met.
Twenty-four years of experience in designing and implementing scalable controls, systems, and processes to meet business and compliance objectives.
Twenty-five years building complex network security designs and implementations with an emphasis on high availability and security.
Operation Flyhook, Part 1
Do you ever wonder how different you’d be today if you grew up under a different set of circumstances?
Like, I can imagine, maybe, that I wasn’t born in Israel. So I might not have joined the Navy, which became so integral to the skill set I developed and the kind of man I am today. And, you know, I’m obsessed with history, but maybe I wouldn’t be so into it had I grown up in a less historically significant part of the world. I could’ve gone into a different line of work. Or what if, in another life, I grew up rich, and didn’t have to work at all? Then I could spend all my days doing what I really want to do…
INTRO TO ALEXEY
The year is 1999.
The internet is now in homes around the United States, and the world. Yahoo, Ebay, Amazon–what were just startups a few years earlier are now the hottest companies in the world. Really, any half-baked company with a “.com” at the end is running rampant in the stock market, even if all they do is sell toys or pet food. Whole new industries are popping up, and millions of jobs along with them. Everybody wants in.
Alexey Ivanov is exactly the kind of person to benefit from the boom because, when it comes to coding, he’s little short of prolific. According to his CV, Alexey is either good or proficient in HTML, JavaScript, SQL, C, C++, Assembler, good or excellent with MS-DOS, Linux, Solaris, every version of Windows, with a comprehensive understanding of LAN, WAN, DNS, TCP/IP, FTP, and equally proficient with IBM, Sun Microsystems, HP and Cisco hardware. And that’s just a sampling from a much longer list–to read out his entire CV now would take too long.
The point here is that Alexey knew his stuff. He could’ve qualified for a job at any internet company in the world. But Alexey Ivanov was born into a different set of circumstances than you and I. He was a lot like us in other ways–bright, talented, technical–but, instead of being from America, or Germany, or Japan, Alexey was born in Russia. And not even Moscow, or St. Petersburg, but…
“[Ray] from a little place called Chelyabinsk which is kind of in the middle of nowhere in Russia.”
That’s Ray Pompon, Director of F5 Labs.
“[Ray] It was a little famous for a while because that’s where a meteor landed and it’s caught on film.”
There’s a lot of great footage of it on YouTube: a loud bang, people flying across rooms from the shockwave, building walls and roofs busting open, things flying, and the bright, godlike meteor that looked like God himself was coming down to visit earth. Talk about a cursed place.
“[Ray] it’s kind of like heavily polluted and there was a lot of kind of Soviet missiles, radioactive work there.”
JOB HUNT
Maybe if you or I grew up there–amid the radioactivity, the pollution, dodging meteors falling from space–we would’ve ended up like Alexey Ivanov and his friends.
“[Ray] these guys are really sharp technically. But they had nowhere to go with this. […] At the time, there was nothing to really do with this in Russia. There wasn’t a big tech industry.”
So what do you do, with all the potential in the world and nowhere to use it?
Alexey first tried what many of us in his position would: getting the hell out of Chelyabinsk. In April, 1999, he started looking for jobs in America. He did so, though, with a little twist. Rather than just applying to jobs one by one, he went to Dice.com–a careers website–and downloaded a database from their servers. “It was easy,” he later recalled. With the raw data, he didn’t have to trudge through job postings one by one. Quote: “I wrote some scripts, and in a few hours I was sending my resume to 5,000 jobs.”
Among those thousands of jobs, he got plenty of replies. But all of them went cold when Alexey revealed that he lived in Russia, had no experience working for American companies, and would need sponsorship to move. You could imagine how demoralizing it would’ve been: knowing he was good enough, yet still having no prospects. What was he to do–a computer whiz with nowhere to productively use his skills?
Perhaps you can tell where this is going.
ALEXEY STARTS HACKING
According to CSO Online, Alexey already had some experience with cybercrime by this point. Not long after graduating from Chelyabinsk Technical State University–one of the better schools in his region–he’d fallen in with a group of hackers who operated a company called “tech.net.ru.” Their specialty was a time-honored classic: stealing credit cards, then using them to buy things online.
“[Ray] they had built this entire bot infrastructure that would create fake accounts on PayPal and eBay and then hold auctions, fake auctions or real auctions with fake people to buy stuff.”
Botnets, credit card laundering, fake identities. The real trick, though, was the shipping process. tech.net.ru would use their stolen cards to order, say, books and CDs from Amazon or Barnes and Noble, and have them shipped to different locations in neighboring Kazakhstan. They’d hire young women to receive the packages, then a member of the company would make the hours-long trip to come pick them up and drive them back home. Then they re-sold the merchandise to stores around Chelyabinsk, which coveted the CDs in particular. (Evidently, much of the supply of commercial CDs in Chelyabinsk was cheap pirated copies from Bulgaria.)
“[Ray] there’s a lot of thought here in this. You know, a lot of enterprise, entrepreneurial thinking.”
Carding was pretty small game. It was much more fun and, usually, more profitable, to hack companies directly. Like, for example, when they targeted a new payment processing startup called PayPal. Alexey was the brains behind that one. It was a three-pronged approach: First, they installed malware onto eBay that collected email addresses associated with customers who used PayPal. Second, they set up their own domain: PayPal.com, but with an uppercase “i” instead of a lowercase “L,” with a homepage that copied the real thing as closely as possible. Third, the hackers emailed those eBay customers, promising a $50 prize they could claim by logging into the mirror site. The customers who fell for it handed their PayPal logins straight to tech.net.ru. Easy as that.
It wasn’t quite as lucrative as it sounds, though. As Alexey later said, quote: “We weren’t really malicious. We could have sent it to thousands of people, but we only sent it to 150. We got about 120 passwords. We did that mainly for fun.”
Alexey wasn’t what you’d call a prolific hacker at this point. He was small-time. But that might be because his heart just wasn’t in it. The same year he was hacking PayPal accounts, he was sending out resumes to get a real, honest job in the tech industry. But, as we said, it just wasn’t working out.
ALEXEY’S IDEA
It was only where these two paths met: down one, trying to find honest work, and down the other, making ends meet through dishonest means, that Alexey Ivanov came up with the idea that earned him a Malicious Life episode. As he told CSO Online, quote: “I thought: ‘Why don’t I convince [companies] about my skills, and in order for me to convince them, I have to demonstrate them.’” End quote.
Alexey’s idea–for how to “demonstrate” his skills to potential employers–was inspired by one of the earliest hacks he’d ever pulled off.
It was December, 1997. He was still a student when he and a friend breached the servers of a local ISP, then downloaded a database of usernames and passwords. The teenagers didn’t do anything nefarious with the data–it was mostly just an exercise in whether they could pull it off. They notified the ISP and, remarkably, their victim offered them jobs. The salary was only about $75 a month, so they turned it down, but it was the seed of something much bigger.
ALEXEY’S HACKER M.O.
“[Ray] it’s kind of like a precursor of what we would see in ransomware where people’s networks get broken into. Stuff would get messed with and then they would get potentially like a blackmail note or a ransom note to say like hey, we got your stuff. Pay us some consulting fees, like $50,000, and we will tell you what we did, we will tell you how to fix it and we will give you back your data.”
A prosecutor for the United States Department of Justice wrote about what it was like to be at the receiving end of one of Alexey’s famous security “consultations.” Here’s the slightly oversimplified account, from “How to be a Digital Forensic Expert Witness.” Quote:
“[L]ate one evening you get a telephone call from your work that something is wrong with the computer network. When you arrive and review the logs, you learn that someone has gained access to your system, grabbed the password file, and FTP’d it to an IP address registered in Russia. You also learn that the intruder probably gained initial access through a still active account that had been assigned to a former employee. Once the intruder elevated his privileges to system administrator, he installed a sniffer to capture user names and passwords. Using an employee account, the intruder gained access to a server that processed credit card transactions of customers, and FTP’d a large file back to Russia.
You remove the sniffer and are in the process of changing all of the user names and passwords on your system when someone contacts you by way of Internet Relay Chat (IRC). “You system securities suck,” the message tells you. The messenger then introduces himself as an expert in computer security living in Russia, and offers to fix the holes in your security for a fee of $5,000 (US). After consulting with management and the company lawyers, you reply to the Russian “expert” that you do not do business with criminals. That night your web server crashes, effectively shutting down the Internet-based portion of your business.”
“[Ray] In some cases people didn’t pay. Like more things would get deleted or destroyed and data would go somewhere. But they really didn’t know what was going on.”
Alexey and his friends hit websites, companies, banks.
OIB/SPEAKEASY
When he gained root access to the servers of the Online Information Bureau–“OIB”–of Vernon, Connecticut, he was able to steal tens of thousands of credit cards and merchant account information. When the OIB refused to pay a $10,000 fee, he wrote them an email. This is a verbatim reading, quote:
“[n]ow imagine please Somebody hack you network (and not notify you about this), he downloaded Atomic software with more than 300 merchants, transfer money, and after this did ‘rm –rf’ and after this you company be ruined.”
To clarify, “rm -rf” is a command in Linux that deletes a directory and everything inside it, recursively, without asking for confirmation. Alexey’s probably referring to a scenario where a hacker runs ‘rm -rf’ in the root folder, wiping out OIB’s entire database in an instant.
Anyway, the message continues, quote:
“I don’t want this, and because this I notify you about possible hack in you network, if you want you can hire me and im always check security in you network. What you think about this.”
An ISP and e-commerce company called SpeakEasy experienced something similar. In October ‘99, Alexey gained admin access to their IT systems, most notably the databases where they held credit card information. Afterwards, Alexey emailed the company, recommending they hire him to perform a security review of the systems he’d just hacked. After the company refused to do so for two months, the exchange escalated into threats. In the last week of December, SpeakEasy lost access to some of their IT systems.
And so, at the turn of the millennium, Alexey Ivanov was slowly becoming one of the most prolific corporate hackers in the world. To expand his “security reviews” business, he partnered with a more business-oriented hacker–Vasiliy Gorshkov–also from his hometown. Together, their cybersecurity business was becoming more and more sophisticated, and profitable. Their targets couldn’t stop them. Law enforcement couldn’t stop them.
“Invita Security” was a company based in Seattle, near the University of Washington. It was a high-tech, forward thinking network security startup. You’d think, based on that description, that they might have been hired to stop Alexey and Vasiliy. But you’d be exactly wrong. Instead, they were in the market for “security talent,” and liked the look of Alexey’s long, impressive resume. They wanted to hire him.
They reached out to arrange an intro call. Vasiliy was the one who picked up. He spoke the better English of the two.
On the phone, Vasiliy suggested that, rather than a more conventional evaluation process, Invita should let him and Alexey hack into their network. After all, if they could defeat the security company’s own security systems then, surely, it would prove their worth, much more than any job interview could. Invita agreed to the terms. They spent some time preparing for the test and then, in October, challenged the Russians to beat them.
It wasn’t a fair fight. Alexey, with Vasiliy by his side, managed to breach the Invita network in mere minutes. And that was all the evidence Invita needed.
They made the visa and travel arrangements so that Alexey and Vasiliy could come and interview in-person for security analyst/consultant roles. On November 9th, Alexey and Vasiliy said goodbye to their families and, finally, after all this time, headed off to America. They were thrilled, curious, and nervous. On the flight, Alexey ordered drinks to celebrate.
After nearly 48 hours of traveling in all, their plane landed at Seattle-Tacoma International Airport. The Russians stepped off the plane, grabbed their suitcases, and were greeted by some representatives from Invita. Together, the corporate reps and their prospective new hires took the half hour or so drive to the company’s offices. Along the way, Alexey and Vasiliy gazed out the windows at the city that was going to be their new home. One wonders what they were thinking in those moments–two kids who’d never made it far out of Chelyabinsk, let alone to America. They drove past the office buildings housing new technology companies, and the downtown restaurants and shops thriving off the new economy. Maybe their hacking days were over. Maybe, instead of attacking these companies, they could be working for one of them.
After about a half hour’s drive, they arrived at their destination–a shared office building, with rows of little startups tucked away in booths. They walked by their soon-to-be colleagues, towards Invita’s offices.
Or so they thought.
“[Ray] They don’t do things – they don’t do half measures, the FBI. So I was starting to go like, oh, this is a really big thing.”