Catching A Cybercriminal [ML B-Side]

AbdelKader Cornelius, a German Threat Researcher and an expert on the cybercrime ecosystem in German-speaking countries, shares a story about how he helped the German police put a sophisticated local cybercriminal behind bars by uncovering tiny mistakes this hacker made in the past.

Hosted By

Ran Levi

Exec. Editor @ PI Media

Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, created the popular Israeli podcast, Making History, with over 14 million downloads as of Oct. 2019.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

Special Guest

Abdelkader Cornelius

Threat Researcher, CEO @ Invsign GmbH

Abdelkader Cornelius has spent almost 15 years researching cybercrime and the underground economy in German-speaking countries.

Episode Transcript:

Transcription edited by SODA

[Abdelkader] Law enforcement is always behind you. We are a lot, we are many, and we are tracing you. Someday we will get you.

[Ran] Hi and welcome to Cybereason’s Malicious Life B-Side, I’m Ran Levi.
In this B-Side episode, we’re traveling to Europe. Abdelkader Cornelius is a German threat researcher and CEO of Invsign, a company specializing in cybersecurity innovation, and an expert on the cybercrime ecosystem in Germany, Austria and Switzerland.
Being a threat researcher in Germany isn’t easy. The German law prohibits any action that might assist cybercriminals in any way, and so things like bribing one crook to provide information about another, for example, are out of the question.
Still, Abdelkader spent more than a decade researching the various hacker forums in German-speaking countries, and in this episode he’ll share with us a story about how he ended up helping the German police put a local cybercriminal behind bars. And this hacker was no easy catch. You might say he was a grizzled veteran, someone who managed to evade the law for 15 years. But everyone makes mistakes, and this guy’s Achilles heel, it turns out, was an old Minecraft account.
Nate Nelson spoke with Abdelkader Cornelius.
Before I let you go, a quick reminder of our live Ask Us Anything online event that will take place on June 13th, 12pm East Coast, 9am West Coast. Join us as we’ll be celebrating Malicious Life’s 5th birthday, reminiscing about how the podcast was born, discussing the challenges of creating a story-oriented technical podcast, and most importantly, answering all of your questions. Write it down, June 13th, 12pm Eastern, 9am Western, and you can already tweet us your questions or email them to ran@ranlevi.com.
That’s it for now. Enjoy the interview.

[Nate] Abdelkader, tell me about how you first came across the main character in our story today.

[Abdelkader] That’s a funny thing because I first discovered or detected that actor or that person on the German speaking cyber crime community through my day-to-day research and day-to-day work. So it’s like going into these forums, reading the latest stuff, looking at the conversation, people looking for, let’s say, services and so on, and people offering services, and he’s been very, very active, very, very long active on this community.
So the first time I detected him online has been 2009, and he had a very high user rank. So he didn’t pay money and so on, so he had a good reputation from his customers and over thousands of posts and threads on that German speaking hacking community.
And if you wanted to compromise a website or get your hands on the latest SQL injection and so on, you’ve been led or directed to this specific entity and should contact him, tell him what you want to achieve, and he would support you.

[Nate] So as you start to watch this guy, tell me, what do his actions, what do his marketplaces look like?

[Abdelkader] Yeah, what the listeners need to know is that the German speaking cybercrime communities have never been very closed, like the top two communities we know from the Russian speaking area or other countries. So it’s been very easy to get in there. So all you had to do is to register or create a new username and choose a password, and just be active.

[Nate] Wouldn’t that make it harder to track one person if anyone can use a pseudonym or create multiple accounts?

[Abdelkader] It’s been very easy to detect his activity because everything has been open and in public, and he didn’t share any personal information or didn’t even leave any ICQ or Jabber or any other contact address in the forums; you had to reach out to him via private message.
But his targets and his services have been there in plain text on the German forums, and it’s still today. So nothing changed.

[Nate] Okay, tell me though how he evolved over the years. I imagine he started off doing smaller jobs and then built up over time?

[Abdelkader] It’s a little bit like he learned and he got better and better. He started with small e-commerce sites, small web shops, small, let’s say, infrastructures belonging to midsize businesses or small businesses in the German speaking area and offered access to the back ends. That happened for a couple of years. So he never did anything else.
He never, let’s say, shared his knowledge, how good he is and how he could be good as him or as himself. But over the years, let’s say he evolved, he got better in his skills. The targets, they got much more bigger and bigger.
So by the end of his last years, he’s been very successful in infiltrating large enterprises in the German speaking countries and large enterprises like financial institutions from the healthcare industry or even the automotive industry. And he didn’t stop with just compromise the website and getting to the back end and also got in or he also started to exfiltrate data to look for specific data you’re interested in and also sharing or selling that data to, let’s say, specific entities or groups interested in intellectual property and so on.
What he also did or what also changed in the years is that he started to write tutorials how to be as good as him and sell them. So not just for 50 euros or 100 euros, it’s been 500 euros or 1,000 euros. And his, let’s say, premium tutorial has been over 3,000 euros with videos, with hands-on support, choosing the right infrastructure to start your attacks against infrastructures or the other infrastructures, which tools, where to buy these tools to compromise and to attack, where to sell your data, to scan and filter the data, the valuable against the non-valuable data you find in an infrastructure.
And what is the difference between getting into an e-commerce backend or getting into a healthcare backend?

[Nate] And is there anything else you could tell me about his typical techniques, tactics, procedures?

[Abdelkader] He never used, let’s say, ready-made custom or tools you were able to purchase on the dark web. He never relied on something sold by other cybercriminals. A lot of his scripts and tools he used, he wrote by himself. He invested a lot of time and effort in reconnaissance, so to understand the victims. He invested a lot of time to read manuals posted on the internet or available via Google from the manufacturers of the anti-fraud systems.
So to circumvent them, he also invested a lot of time and effort to see if there are any jump hosts or, let’s say, initial access available to specific infrastructures. Or what I know today after the investigation is that he taught everything himself during his study in IT at the university here in Germany. He went to the university and then he got taught everything around, well, IT and vulnerabilities and so on, and he used it for his, let’s say, business.

[Nate] And to be clear, for how many years were you tracking this guy before the big event that we’re about to get to?

[Abdelkader] He’s been active since 2009, and the first time I detected him has been in 2012.

[Nate] Okay, so one day he up and disappears out of the blue. Describe for me what happened from your perspective, what you saw, what you were feeling.

[Abdelkader] So if you logged in into this forums and there has been no post by this user, it’s been strange. You did see it directly because at this Cybercrime forums, the latest 50 posts, they’ve been on the top of the page and there you could see all the stuff and there’s been nothing.
And then I looked in after a couple of hours again and again, nothing. And then also other users started to ask you questions. Where is he? What happened to him, et cetera.
And I also reached out to my contacts and asked them, okay, do you know where he is? Did he tell you something? Is he on vacation and so on? But it’s also not possible because he always told his customers and also the users when he’s on vacation and when he’s back and so on and so forth. So it’s been really, really, really strange.

[Nate] And then you get a call.

[Abdelkader] Yes. Yes. Yes. I got a call from the state criminal police office responsible for cyber criminal investigations. And you must know and understand that here in Germany, there’s, well, 16 states or federal states and each state is responsible for cyber crime investigations. And it depends where the most of the victims were or are that the state is responsible for the investigation.
So they called me and they told me, please go and find and look up or tell us everything and anything you find about that specific username. And it’s been like, I can tell you right now everything and anything about that username. And they told me, no, please do it right and investigate some time and research everything you find in your sources, you got in your reports and then come back to us.

[AD] The attack surface has never been larger or more diverse, yet defenders are still forced to piece together intelligence from numerous siloed solutions that produce a flood of alerts in order to detect and end complex malicious operations. No more.
Defenders can now leverage AI-driven Cybereason XDR powered by Google Chronicle to predict, understand and end sophisticated attacks with the only solution on the market that delivers planetary-scale protection that allows them to predict attacker behavior through a revolutionary, operation-centric detection and response approach.
Cybereason and Google Cloud are dedicated to teaming with defenders to end cyber attacks from endpoints to the enterprise to everywhere. Learn more about Cybereason XDR powered by Google Chronicle at www.cybereason.com.

[Nate] So does working with law enforcement change anything about how you conduct your investigation? Is there anything different that you do?

[Abdelkader] The research I did, it must be, well, legal. Yeah, so I can’t do anything, let’s say, the easy way and just to bribe other cyber criminals or to purchase anything or to bribe that will pay them to get info and so on.
So I had to do and reach out to them like a police officer or a cyber crime investigator from the law enforcement agency. But why they reached out to me is because I got a huge and vast, let’s say, network of sources in the cyber crime economy or the underworld economy in the German speaking area. So during my research in the years before, I already collected a lot of intel about that person. Law enforcement also did the same, but only publicly available content. So they’ve been never able to read private messages; nobody ever shared private message conversations with potential law enforcement agents on these forums.
It’s something I got. They never had their hands on Jabber communication. So the cyber criminals are communicating via Pidgin. It’s a messenger, and with the OTR plugin activated, so it’s encrypted messaging, and they never get their hands on screenshots done by the people in that conversation. So that’s one of my sources also shared with me. What law enforcement also had their hands on has been his Minecraft profile.

[Nate] And why would that be relevant?

[Abdelkader] Because a lot of cyber criminals, they do a lot of mistakes in their early years. And the first and only mistake that guy did is he had a profile on Minecraft and that’s been tied or that’s been connected with an email address that’s been then also used in a public dump of a now defunct cybercrime forum from Germany.
And so I used my sources. So my digital sources, my contacts in the underground economy. I used a very nice and good tool, a lot of people are using Maltego to connect the dots, to connect my sources, to connect the intel. Went through all my reports, everything I collected in the past and created a dossier for them, shared it with the law enforcement agency. And then radio silence.

[Nate] Okay. But does all this data really matter, right?
Like the Minecraft thing, is an old Minecraft profile, does it really matter towards looking into a cybercrime?

[Abdelkader] Yes. Yes, it does. It does. It does.
Because the Minecraft profile or his, let’s say, identity he used in the Minecraft profile has been later on tied to a compromise of an e-commerce website because the server he used to compromise the e-commerce website has been purchased with an account where the email address used in the Minecraft profile has been the same.

[Nate] Are those, would you say, the ways that he slipped up that allowed you to find everything about him and what amounts to, it sounds like a relatively short amount of time?

[Abdelkader] Yeah. His mistakes has been, he’s been too active in the community a lot of years. So he posted a lot of content around his activities, so the targets, they’ve been tied or they’ve been attached to his identity. So if you had his username and you went through the history of the forums, you could see, okay, that’s been his target, that’s his victim and so on.
The early years, he didn’t care, but that’s just for his first year or two, around any operational security, like he used email services in my country, which, well, if the law enforcement or the court asks for the details of the infos, they will share it. So he didn’t, he used them with his home address IP, and his major mistake he did in his early years is he thought that doing business with other people on the forums is like doing business with friends. So in his chats, he’s been too friendly and that’s been only the first year. So he changed his OPSEC very, very fast and he’s been very, very good.
And that’s because a lot of his, let’s call them friends in the community where they got raided and arrested by law enforcement over the years. And he did see what happens if you do, well, cyber crime in Germany and police or law enforcement gets their hands on you. And that’s why he got very, very suspicious and cautious, but the internet never forgets anything.

[Nate] You know, now that you’ve mentioned it a couple of times, your cyber underground contacts, how do you develop this kind of network that helps you out?

[Abdelkader] It’s trust and that is trust without supporting the cyber crime ecosystem. You must know that my, or since the compromise or the hack of my uncle’s web shop, I taught myself everything around IT and started research or the research in, okay, where do these criminals work and live? And that’s been the late 2000s and from there on I created my, let’s call them avatars or legends on these forums.
Every time I come across a forum, I’ve been active there or I created an account and started reading and posting in, it’s called a non or sections which are not, let’s say dangerous or could put you behind bars. So there are areas on these forums where they talk about the weather, for example, yeah, or going on vacation or talking about cryptos and so on. So you can post their content, which is, yeah, which doesn’t support the ecosystem.
And the thing is with these communities or as a research on the underground community, if you’ve got an account with very, which is very old, an aged account, five years, six years, 10 years, and you got, we never ever got, let’s say, no one said you scammed or you ripped another community member and they see, okay, he’s been a long time actor, he got many, many posts and so on. So he must be a senior and we can reach out to him, we can trust him. So with these age and old accounts, people just reach out to you and ask for your opinion or they throw and drop you samples or malicious software samples, yeah, for example, a couple of years ago, somebody just shared with me in the Russian community VMware escape, which is sold later on for 560,000 euro.

[Nate] It sounds there like you’re kind of getting into dicey territory.

[Abdelkader] It’s getting much more difficult to do this because over the years here in my country, we got more and more anti-cyber crime laws. So you must see and look what is allowed now by law in the country where I live. So it’s very, very, very difficult today in regards, if you compare it with the past.

[Nate] I just wonder if the police ever end up accidentally investigating your online persona without realizing that you’re on their side. Is there something that you do to prevent that or account for that potentiality?

[Abdelkader] I always, let’s say, make reports and not write down what I do in regards of research.
So even if law enforcement or someone else will contact me someday and tell me, Hey, we got your identity from these community or the forum. Can you tell me something about it? I can show them. I can prove to them. It’s because of my research and so on.
But I can also tell you that a lot of researchers in my country, they don’t care. So they just distribute or send cryptos from A to B or pay other criminals to get access to the forums or purchase malicious software and so on. That’s not allowed. It’s not allowed because it is funding a cyber criminal ecosystem.
And here in Germany, they, well, it could be that you’re supporting or funding a terrorist. Do you know who is at the other end who is receiving the cryptos and what he’s doing with the cryptos?

[Nate] Okay. So back to where we left off.
You submit your dossier and then radio silence. Wrap this up for me.

[Abdelkader] I tried or I reached out to them after a couple of days or weeks and asked for my work I sent to you. It’s a bit good. What was valuable and so on and say, I didn’t get anything back, nothing. And so I got another call one morning from the head of the anti-cybercrime department. Well, he shared the big picture on the full story with me.
First thing he told me is that several pieces of evidence I shared with them were used as the nail on the coffin to put him behind bars were enough for the judge to put him in bars. And what happened is his disappearance in 2020 has been directly related to an arrest of this guy at his working space or in the company where he worked.
So the officers, they got him and they arrested him and they detained him and they got evidence and they monitored his profile and his activities many, many years and they fought or they almost had enough to put him in jail, but he denied that he’s been that specific user. He denied that he’s been doing this and that, and that the evidence is tied to him. And with my research and what the investigator said, we could prove that from the day of his disappearance, never ever anything similar, any similar MO like he did it all the years ago happened again in the German speaking cybercrime community. And also with his Minecraft profile and the server he rented there to conduct the breach. That’s been something they needed.
And as they showed this to him, he confessed in front of his lawyer. And that’s when they then prosecuted him and he got a sentence of four years in prison without parole.

[Nate] So now that we get to see him, what is this guy like?

[Abdelkader] He’s been married, he had three kids, never had any tickets for, I don’t know, speeding ticket or anything similar, never did anything against or anything criminal, but with his attacks and the income he generated with that stuff, he had three cars and two apartments in major cities here in Germany, went four times a year vacation. His wife didn’t have to work, best places, best school and kindergarten for his kids. A lot of influence about this person would never imagined that he would do such a thing.

[Nate] I wonder, you spend a lot of time in the cyber criminal underground where, you know, we have this image of the folks who were down there, they’re seedy, maybe a little bit scary. But now you encounter this guy who seems utterly normal. What was that like for you?

[Abdelkader] Shocked because you always have a picture of a hacker or a cyber criminal in your mind and so on. It’s just an average guy I could be friends with if he’s not a criminal or if you meet him on the street and it’s like he had a family and it’s been, yeah, it’s been, I’ve been shocked at that time, today, after a lot of more cases and incidents and so on. I know that it’s always a guy, a girl, a woman, someone with a very good paid or high salary job. Yes.
So I met today, I can tell you, I met everything from a guy who’s been unemployed until until a doctor, yeah, security consultants. We arrested everything, everyone from, you can imagine, is doing that stuff and that’s what the law enforcement agent told me. That’s what they see every day if they got a suspect.
It’s always a normal guy or normal woman, could be your neighbor.

[Nate] So what do you take away, Carter, from this guy and this investigation?

[Abdelkader] I don’t trust and never trust anyone and anything what you see and read on these on these forums and these searches because during my research, people also wanted money for info or they also shared with me, let’s say, unvaluable stuff that I couldn’t use and I changed my kind of work also how I gather intel on the underground community because I did see and find also gaps in my own OPSEC.
Gaps I identified only because he had that gaps and so I improved also my kind of let’s say underground identity so that cybercriminals won’t see who is or what is my nickname or my avatar I’m using on the cybercrime forums.

[Nate] Is there any last word that you’d like to leave with us?

[Abdelkader] What I can say is that cybercrime doesn’t doesn’t pay off. Yeah, a lot of people say hackers or criminals are two, three or four steps ahead.
But law enforcement is always behind you and people like us, researchers, we are a lot, we are many and we are tracing you.
One day we will get you.