The REKK Wreck

Speaker 1: Wreck was a public Telegram channel. The group had more than 30,000 followers at the time that US federal court filings caught up to it in December 2023. If you had Telegram, you could find it, you could read it, and for a fee, you could hire the people who operated it. According to a complaint filed by Amazon in the US District Court for the Western District of Washington on December that year, quote, Wreck operates a Telegram channel with over 30,000 followers where they brazenly advertise services that they fully admit are fraudulent. The product they're selling on the channel was a service and it had to do with refunds. This scheme gets pretty elaborate. It involves bribery and social engineering, but the basic idea is dirt simple. It is a very elaborate version of a thing that a lot of people have done non fraudulently. Customer orders an item on the Internet. Typically, some expensive. A laptop or a game console, an iPad, just a bunch of MacBook Airs. Amazon was the named retailer in the complaint, but Rex own marketing makes it very clear that they can hit a whole wider catalog of retailers. Once the product ships, and is received by the customer, the customer pays Wreck a percentage of the item's purchase price. The customer gets the item, and then Rec embarks on like a social engineering project. They set off to do the work of getting the customer's money refunded by the retailer for the item that they actually did receive through, returning empty boxes full of bricks, for example, manipulating shipping data, phishing employees for their credentials to mark things as legitimately returned, bribing mail carrier employees, developing custom malware. This gets elaborate. But the basic idea is the customer keeps the item and assumes the liability, the retailer eats the loss, and Wreck gets their cut of the original sticker price. This is a refund scheme or refund fraud or just refunding depending on who you ask.

Speaker 2: This seems like a lot of work.

Speaker 1: It's a ton of work. It's so much work.

Speaker 2: For not that much payoff.

Speaker 1: They actually stitched together a shocking amount of money on this little marginal thing of of refund fraud. The thing I found fascinating about this, it's not like a dark web in the weeds crazy international cybercrime. I liked this because this is a normal web thing. It's like normie Internet crime. Mhmm. And we don't get to talk about that a lot. It's normie Internet crime. It's normie cybercrime. It's like, I want

Speaker 2: a new laptop, but I don't really wanna pay for it. So how do I steal it without stealing it? I pay a different company to steal it.

Speaker 1: And I keep it, and I pay them a little bit of a cut. You got the idea. The name of the channel was Reck, r e k k, because it sounds a little like Raticus, as in Dominatus Raticus, the man charged with the scheme. And this sort of tranche of court filings, how we know about it and why we're talking about it here today. So let's start this very loose summer chat episode here with the story of Wreck on Hack'd. How

Speaker 2: is your summer going, Jordan?

Speaker 1: It's pretty good. It's the it's the middle of summer. It's there's there I know there isn't where you are, but there is sun where I'm

Speaker 2: at. It's pumping rain where

Speaker 1: I am. It's just not somewhere where you are. Yeah.

Speaker 2: We are we are have flood advisories. There is so much rain. Yeah. The rivers and stuff. All the melt the snow melt from the Yeah. High up in the peaks, plus all the additional rain, are making some of the rivers a little bit high and flowy than they should be. So So

Speaker 1: when there's some neighborhoods along the river in that city, I remember being a teenager having to move sandbags down to the edge of one particular neighborhood. It's no joke.

Speaker 2: It is real, but other than that, it's been lovely so far. We actually needed some rains. I don't think anybody's upset that rain has come, but it is, a lot of rain.

Speaker 1: And I can imagine that. Yeah. Well Yeah. Stay dry out there.

Speaker 2: I'll try. I'll try. Try your promise. We try.

Speaker 1: I'll try. Oh, lord. How we try.

Speaker 2: It's hard to play tennis, and it's hard to fly fish. It's hard they can't do any of the fun summer activities because this the rivers are too high and fast, and the tennis courts are are soaked in water.

Speaker 1: A little something

Speaker 2: down. Been little little forced r and r time to play with the, the AI agents to see what's let's see what's up, build some fun things. I think I'm gonna build a new hacked, podcast website as well.

Speaker 1: We we could use a new website. I think it'd be it'd be fun to have a new new website, me we even make a little project out of it.

Speaker 2: We used to have a website, and then we just went to, like, a Linktree. I feel like that was a a smart pivot from keeping the old one up. But now with Claude Design Sure. You could see the website in, like, forty minutes. It's, like, where are you?

Speaker 1: Kick one out. Let's see what happens. If you see a new, hacked podcast website, check it out. Thanks for listening. This is gonna be a a a chatty episode where we talk about a few stories. Like I said, it's kinda summer. The sun is out. I don't have a big icy drink, but I should. I had, a pretty well researched story about, like, the strange tale of the death of a crypto hustler, Which is interesting, but my God it's summer. We've got stuff going on This episodes going live the day that we are recording it so not a lot of time to chop up all that archival so Rather than taking an episode off we thought we would bring you something light something summery, some normie Internet crime to kick us off. Let's get into it. Let's get into it. Refund engineering. It's a deep dive. The way that we know about all this was 12/03/2024, Lithuanian authorities arrested a man in the city of Vilnius and seized, this was we have Amazon's filings. We have court filings here. This was Amazon's filings. They when they got him, €5,000,000 in cryptocurrency, which to your point about all the work that goes into just shaving off a little margin on an iPad, it adds up. €5,000,000.

Speaker 2: More than I would have expected.

Speaker 1: It's no joke. But if you're running

Speaker 2: custom malware, you're hacking into Amazon, like, we're

Speaker 1: getting this We get into forged police reports. It's so high effort. I'm floored by it. 700 k euros in cash on him at time of arrest from what I can tell. Domitas Radicus was charged in Lithuania with fraud and money laundering and faces a maximum of eight years if convicted. There's many numbers floating around but they are all in the millions. And the single largest retailer was Amazon. It is why we have so many filings from them telling the other side of this whole scheme. And again, Wreck was not the only name this operated under and Wreck and its subsidiaries were not the only parties in town. This is a whole

Speaker 2: thing. Yeah. Well, I spend a decent amount of time in odd little subcommunities, audio files, stuff, things like that. And Sure. It it is probably a daily if weekly, if not daily post in there that somebody buys something, opens the box, and it's either a brick or it's like, something like eating monitors, they'll buy a thousand dollar pair, and there'll be, like, a $10 pair in the box. So somebody's bought them, taken out the other ones, put in cheap ones, and returned it.

Speaker 1: Sure. And then the automated system sent that back out to someone else. And now they're returning it saying there was rocks in the box. And who does Amazon look to given that they never actually opened the box to be like, well, either you're lying or the person who returned it before you is lying.

Speaker 2: And now we have no way to prove it. Yes.

Speaker 1: Yeah. It's a supply chain at scale vulnerability that some people have figured out. It's like, oh, this is requires basically no technical skill to overcome. It's just sort of brute forcing these customer service systems and lying with a straight enough face.

Speaker 2: And Totally.

Speaker 1: Because it's the each time it's a new customer doing it, there isn't really a great trail. It's It's very hard to tell who's behind this. Refunded engineering is like a a term of art, kind of, for the people who do it. Prosecutors at Amazon just call it flat out refund fraud. The practitioners themselves kind of just conversationally in the documents, call themselves refunders. There are legal definitions. There was one that I found. It was a in a Department of Justice Oklahoma 2023 thing against a different one of these. Described them as instructing fraud customers to purchase a product of their choice at one of many retailers they targeted, collect information about the order, and then contact the retailer to initiate a fraudulent refund transaction using a variety of methods tailored to the particular retailer. It's fraud as a service. Customer keeps the product. Operator does the fraud. Operator takes a cut. You got the idea. Explain this

Speaker 2: to me. If you were if you were willing to do this level of fraud as a service, why wouldn't you just do the fraud? Like, why the cut?

Speaker 1: It's you

Speaker 2: know, it's like, I'm doing this for 10% when I could do it, like, for FireSale resale. Like, if you were to buy, you know, whatever, pick something, a laptop for $2,000. Totally. If I were to buy a $2,000 laptop and sell it on FireSale on Facebook Marketplace, I'm getting, what, like, 1,400 maybe? $12.50 if it's brand new in box. That's probably more than the cut that they're taking. So, like, why why do this as a service?

Speaker 1: Yeah. No. Don't get it. So so the different the cuts that you're talking about, there was a rack took, like, 30% depending on how you were paying for it. It was different with crypto and PayPal. There's there's price charts for all this stuff. Some took fifteen and twenty two tiers. There's a pricing ladder to quote the MKBHD thing. They're just trying to get you to climb up it. My theory is the reason that they would give away 70% of the value in this situation, if they're keeping 30, is basically they're paying for your paper trail with the seller. So you show up and you're buying something off Amazon, they go, I know who that is. That's Scott. That's real guy Scott. He buys stuff all the time. He must have gotten a bad thing. We ship a gazillion items. This issue comes up. If, new buyer in, insert country in Eastern Europe shows up and starts buying $200,000 worth of laptops, it doesn't matter that they've kept that margin because Amazon's just gonna go like, this is a fraud operation. So I think what they're renting from you is your legitimacy as a customer. That's my theory. I

Speaker 2: had a I had a run-in with a restaurant the other day with, just a guy sat next to you at a bar, and he worked in a sales role in a company Got it. And said like, it's selling, like, RVs and, you know, ATVs and side by sides and random stuff like that. He was just sitting at the bar. We started chatting. And he said that in that industry, it's gotten insane, the amount of people that yeah. He said that the banks actually have gotten so tight and restrictive with their financing because the amount of bank fraud going on. He says that every single day, they have two to four people come in who kind of fit a mold. They have a really high credit score. They're new to Canada. They come in with all these things, and then they try and buy a lot of stuff. Like, they try and buy $2,300 worth of things. And the banks previously used to approve them because they have this great credit score, you know, this good income on paper, all the rest of this stuff. And then they make the first payment, fire sale the stuff, leave the country. And he said that the banks have been burned so much that they have become so tight with who they will approve that that the the retailers are now policing it when they get people that come through the door that fit this kind of, you know, I've never really bought in here. I'm new to Canada, but I have an 890 credit score.

Speaker 1: Yikes.

Speaker 2: I wanna buy a quarter million dollars worth of stuff. And they're just like, yeah. Sure. Fill up the credit application, then they just throw it in the garbage and be like, sorry. You were declined. Because they just don't wanna

Speaker 1: Yeah.

Speaker 2: Sure. Even wanna press the banks to do it anymore because they they still wanna have access to the credit when they have real clients that come in and actually wanna buy stuff.

Speaker 1: Yeah. Sure.

Speaker 2: So it's not just online. It's going on everywhere.

Speaker 1: And, like, just to follow that sequence of thoughts down the line, what a bummer for the person who's just like, I finally made it to Canada. I've built my life here. I've I've gotten my stuff all figured out. It's time to buy that boat. No one will sell me a boat or an RV or whatever it is. It's like, ah, that's that's a downer. Interesting. Yeah. I mean, is it refund fraud? Refund oh, that's not even a refund. That's just buying stuff you've never have an intention of paying for. That's like lease fraud,

Speaker 2: I guess. Yeah.

Speaker 1: Yeah. Lease fraud. It's being, like, yeah. I'll keep paying paying you back for it. Wink. And then you got a quarter.

Speaker 2: A million dollars of debts, fire sale everything for $200, and just disappear.

Speaker 1: This is a total tangent, but it is an interesting knock on effect of, like, a predatory leasing system of, like, there's no amount of money we won't lend you if you're willing to buy a crazy depreciating asset on on wheels. And it's,

Speaker 2: like, cool.

Speaker 1: Yeah. You're We're never coming back to this country. Yeah.

Speaker 2: What's your monthly payment tolerance? Yeah. I'll take it all, please.

Speaker 1: Yeah. Sure. And, like, both sides think they're getting the other one in a in a kind of ruse. Like, you're so screwed. You have no idea. Anyway, the wreck case file, how we know about all this. Twenty twenty three, December seventh, Amazon and a cohort of people versus just a 20 or something John does, basically. There was, like, 27 named defendants, 20 doe operators, 20 customers across six countries, The US, UK, Canada, Greece, Lithuania, and The Netherlands. This is how we know who Domuntas Radekis is, this Lithuanian national. He was identified via an IP address tied to a fraudulent kind of refund. There were vouchers that were posted on this wreck Telegram channel that were then triangulated through just like civil subpoenas that Google, Reddit, PayPal, all these different providers went after. That's a lot of subpoenas. It suggests a concerted prosecution at scale effort with different companies kinda coordinating. Very interesting. Self reported volume as per those complaints. This is Rex copy, basically. If you go to the channel and you look at the what is this? It was did they, quote, fraudulently refunded over 100,000 orders from retailers, and then in brackets, not just Amazon. They're fighting that most

Speaker 2: Amazon.

Speaker 1: A lot of it, but not all of it. Well, I just like that. Like, we're so much more than Amazon refund fraud. Like, do you wanna mess up Costco? And some people said yes. As an aside, don't defraud Costco. I like Costco. Costco is great. Costco is the best. They got samples. They treat their workers right. And where else can you buy a flat of Frank's RedHot sauce? Like, what a sick place.

Speaker 2: In two liter bottles is indeed you need 24 liters of Frank's RedHot. The other drink. Hot sauce.

Speaker 1: I really like hot sauce. I'm trying to get the sodium down, but Frank's is still the go to. The other day, I opened my fridge, and the little, like, shelf thing that holds all the sauces in had broken. So all my sauces

Speaker 2: Too much hot sauce?

Speaker 1: Literally, a two liter of Frank's hot sauce from Costco exploded all over the floor. And the, like, third thought I had after a bunch of cursing inside my head was, I guess, I have to go back to Costco.

Speaker 2: Now I only have 11 more bottles.

Speaker 1: Exactly. I'm like a prepper, but instead of Culligan jugs of water, it's just Frank's hot sauce. I will rule the wasteland, Scott. Let's talk about, the playbook here. So, like, how how did this actually work? We've nodded to it a little bit. First thing is, like, basic social engineering of the the retailer, which social engineering is, like, it's such a fun term because it is both so its own thing and also just a synonym for lying on the phone. Like, the basic version of this here is you call customer service, you lie about the package, and get the refund. This was a thing that Rec would do kind of on the customer's behalf. From one of those Amazon filings, quote, Rec uses sophisticated methods to obtain the refund, including social engineering Amazon customer service. Where it gets interesting is the next part of that sentence, which is phishing Amazon employees. So sample case from the complaint, the name defendant Andrew Ling orders five iPads through Amazon. He's working with Wreck. And then rather than bribing anyone, Wreck phished the credentials of a fulfillment center employee, used those fish fish credentials to log into Amazon's internal system remotely, marked those iPads, like, found his specific purchase, marked them as returned. So no lying occurring here.

Speaker 2: Didn't have to ship them back. Nothing.

Speaker 1: Didn't have to ship them back.

Speaker 2: Flagged a refund in the system.

Speaker 1: And to your early that's a crazy amount of work. Like, you have Amazon fulfillment center. But you sort of realize how low in the hierarchy those credentials are because it's like, well, what can we do? It's like, we can say that you returned some iPads.

Speaker 2: Yeah. We can say that something showed up. That's one thing that we have access to do. I just wanna back you up. Let's start at the very beginning. So say I'm a I'm a wreck curious person. You know? I'm I'm I'm wanna dabble my toes in some light refund fraud. Yep. What's the what's the process? Do I just reach out to them and say, hey. I'm looking to buy a new MacBook Pro. I would like to not pay $6,000 for it. It'd be really great if I just gave you $1,000, and then I got it for free.

Speaker 1: I think that the numbers would come from them, but you basically have it. You you would this was in the past when these channels were, alive, and we are not recommending you do this. I am explaining how this works.

Speaker 2: Yeah. Yeah. Uh-huh.

Speaker 1: You would the user, Andrew Ling in this hypothetical hypothet allegedly, would go to the Telegram channel where you can there's a it's a Telegram channel. There's a bunch of sub threads, and one of them would be to hire the people where you would then be connected directly with a person. You wouldn't get to cite the numbers theoretically. It would be creepy track. Quote. They'd say, if you're willing to do the financial tracks transaction through crypto, it's 25% cut that we keep of the original sticker price. That's what you pay us. If you're doing it over PayPal, it's 30. They would set you the price. And then, basically, how much you wanna go in for is up to you in terms of how much you try and return. I would imagine there's some coordination on the item, in terms of how they would do it, but I think at that point, you're handed off to an individual person in the channel.

Speaker 2: K. So I've got my estimate. I accept my estimate.

Speaker 1: Okay.

Speaker 2: Now I go order the MacBook Pro. I pay for it, put it on my Visa card, do a legit transaction for it, and then I essentially hand them the keys, and they are the ones that now go into the refund cycle.

Speaker 1: That is my understanding of it. Now the mechanism by which, you hand the keys to borrow your language, I do not understand that. I'm not sure if you give over the Amazon account, which would be wild because you're giving it over to the people that phished the Amazon person. It's like, look at who you're getting to bed with here, but you have the basic structure of it right.

Speaker 2: K. Just just just for my own sake and the list

Speaker 1: It's a great question. It's a great question. So let's say you've gone through all that. And now you're trying to wonder what are they doing on the back end. That's what we're going through here. So lying flat out just like I need a refund.

Speaker 2: Phishing and hacking into Amazon.

Speaker 1: Phishing Amazon employees. If you can't hack them, join them. As the old saying goes, bribe Brilliant. This is where warehouse workers come in. Amazon sued seven former Amazon operations employees by name, allegedly took bribes between, like, about a course of a year in 2022, 2023. Just being like, we're gonna bribe you and you are gonna approve refunds. Quote, each worked in Amazon's operations organization, which is responsible for handling product returns. Together, the seven Amazon insider defendants provided over $500,000 worth of fraudulent returns to rec and its users. On average, I I tried to, like, napkin math this. The per return insider take looks like it's between 50 and $90.90 dollars. So each time you approve one of these things, you make about that much money. The money gets a little murky, but that was kind of the number that stood out to me. Just trying to work that out.

Speaker 2: It real it really feels like something I see on The Sopranos. Sure. You know? Like, it doesn't it doesn't feel like cybercrime. This feels like old school organized crime.

Speaker 1: It's very I was watching casino over my very lazy weekend, and it it has casino energy of just like Yeah. We came up with a scheme. It's like, this is not tech leading the horse. It's like

Speaker 2: Yeah. This is this is like we paid off the truck driver

Speaker 1: Literally.

Speaker 2: To know he's about to get jacked. We robbed the truck, and now we have DVD players. Like, I think it's, like, episode two or something. This feel this has that energy where it's like, hey. You know, I'm gonna give you a $100 every time you press go on an order number that I give you, And you're not gonna ask any questions, and sorry about being criminally charged in the future.

Speaker 1: It has the, fraud as a service decentralized structure that we love here at Hacked where it's, like, it's fundamentally a Telegram channel where we operate this massive grift at scale, and I find that super interesting. But the grift itself is, like, who do we pay off to make sure this thing falls off the truck and nobody's wise to it? Very old school organized crime energy. Speaking to my

Speaker 2: old school Oh, I was gonna just jump in. Do you remember old school Amazon? Like, OG Prime? Like, I can't even remember the year it would have been, but I remember buying things off Amazon, and they would ship you the wrong expensive thing. And then you would hit refund, and they'd be like, yeah. Don't like, we'll send you what you ordered, but just keep it. And I was like, this is

Speaker 1: kind of remember that.

Speaker 2: Crazy model. Yeah. It didn't live long, that model.

Speaker 1: I went into the, I wanna get back to the bribery of it. But I was at the the mail place just down the road the other day, and I go in there, and I was returning something. And it was from a large online retailer. And I kinda just handed it over, and they, like, scanned it current. They're like, hey. You're you're all done. And I was like, oh, that's that was really easy. Like and the person said, and I appreciated this, this is from the mail place, said to me, and I quote, yeah. Maybe a little too easy. And I was like, oh, dang. Right. Because you're the front line of this. I'm just the, like, the horrible back end of the e commerce return economy of just people being like, I bought another 11 d five things and I'm returning all of them and now you had to ship them to me and now you have to ship them back. It's like, right. You just watched that all day. It's probably a little icky after a while in here. And just Yeah.

Speaker 2: Robots scan people returning things. Yeah. It's like buyer's remorse. Like, my wife's famous for it. She'll go to the mall, buy something, and then the next day, she'll return it. And it's not that she doesn't want it. It's just that she, like, gets remorse, and then the remorse takes over, and she returns it. And she doesn't thankfully do it with online shopping because that would be There

Speaker 1: you go. It's a lot of shipping. It's a

Speaker 2: lot of shipping.

Speaker 1: A lot

Speaker 2: of shipping. Carbon for nothing.

Speaker 1: That's kind of the way I think of it. Yeah. But if you're trying to do it as fraud at scale, boy, let me tell you, bribing the Amazon employees is just the tip of the iceberg because you can also bribe mail people, documented in a parallel case. There's so there's we're talking about Rec and it's sort of, like child organization, Devo, which will come up in a minute. This was a different one, Simple Refunds. But from a a case against them, the guy behind all that, Almarish, quote, recruited insiders at UPS and the US Postal Service, who would input false scans into the order tracking history to make it appear as though items had been lost in shipping, stolen from the mail, or returned to the company. So you bribe a mail person to say, hey, we lost this box that felt like it had about, I don't know, 11 MacBooks in it. We don't know what happened to it. And meanwhile, it was delivered, and the person keeps the laptops. Rec gets their 30% cut. You get the idea. But while you're bribing them, what if you could, manipulate? Let's dive right into it. I'm trying to present them as this, like, nice menu of options. It's like I'm just gonna outline how they do this.

Speaker 2: A la carte fraud.

Speaker 1: Amazon ran a controlled buy through outside counsel during one of these kind of, like, busts over the last couple years. And this is just I've just I'm just quoting you from these complaints I have in front of me here. Quote, UPS tracking data showed indications of manipulation. The Roswell, Georgia sorry. The UPS data indicated that the package was being returned to center because a customer in Roswell, Georgia had refused delivery of the package even though the package was never in Georgia, and the investigator never refused delivery. After Amazon had issued a refund for the purported undelivered package, the investigator received the package at the intended address, and UPS shipping data was updated to reflect the delivery. So, basically, somewhere has all that. Someone with access to UPS' system was editing tracking records in the middle of the shipment, a variation on the proceeding thing. Lot of work. Lot of work. You could put rocks in a box? I'm sure. That's also an option?

Speaker 2: Like, stealing stealing $5,000,000 on the Internet these days seems like it could be done with one of these things, not with an orchestration of all of these things.

Speaker 1: It's a lot of work. It's much more normal business economics. If you think of the number of people they had to hire in the business, in order to the next one is rec request refunds for products, and then they ship back a box with something else. The the best documented one I found, this was the simply refunds case, was someone getting a refund for, quote, bulky tools for returning an envelope filled with plastic toy frogs. Cute. Cute. They had people forging false police reports saying stuff had been stolen.

Speaker 2: That was From their graves and their from their deck.

Speaker 1: But you need to show the police report, so why don't we forge a police report? And then the last one was custom malware. One of the other ones called Noir. They developed malware that would target retailers websites to facilitate a refund by just sort of trying to go around the fraud prevention. That was the vaguest one, so I don't know what that means. We've seen these documents refer to custom malware as, like, someone ran a script, so we don't really know what it means. But getting into the weeds a little bit at that point. So there's a lot of ways you can do this, Scott.

Speaker 2: Just jumps off the page of me is that this time could have been spent if

Speaker 1: you're gonna be a

Speaker 2: criminal, like, be a criminal, you know? Like Yeah. Like like the I feel like one malware for hire crypto locker thing, you get the right target, you make $5,000,000, and it's, like, one one target, one headache, one piece of software, you know, one month. This seems like a business that had lots of illegal stuff going on and lots of human problems, you know, bribing and coercing and manipulating and social engineering and developing malware and deploying malware and phishing people and all for something that if you just phish the right person, you'd have the $5,000,000 entirely. I think I know that's probably not the perspective on this, I should say, but it's the perspective on this that I'm taking.

Speaker 1: My my read on it, I think, is kinda similar to that, which is that this was not this was like an opportunity tape type thing that scaled. Yeah. Not a how do we make money thing, and then you find it.

Speaker 2: Did it once and you're like, oh, we could do this again.

Speaker 1: Literally. Someone on the squad returned something. Or Yeah. To be honest with you, given how many of these are, someone sees the scam being done by someone else. I don't know who the first one is. We've got Noir. We've got Wreck. We've got Devo. We've got Simply Refunds. I don't know who did it first, but if a thousand people see that ad and a 100 of them choose to take up the service, one of them might think to themselves, I'm just gonna run my own version of that service. I think that's the numbers that lead to these things blossoming the way that they have.

Speaker 2: Mhmm.

Speaker 1: So Radekous is running wreck. Amazon sues in December 2023, and the main channel goes quiet. And if you're thinking to yourself it's because Radekous has decided to sort of, like, lay low, it's not. I think you just decided that the specific Telegram channel was no longer safe to use, and immediately two new Telegram channels appear, Devo refunds and Devo vouchers. It's the same business, exact same pricing, exact same operator and marketing copy. The opening post claimed that Rec had been retired, but by the time that Amazon caught up with this the new one, Devo, it's like it had 58,000 subscribers, almost double the original.

Speaker 2: Crazy.

Speaker 1: Amazon embarks on another controlled buy, like, their internal investigators, something I learned they have a crazy whole they have their own internal investigation team.

Speaker 2: This doesn't surprise me.

Speaker 1: No. Who, like, works with their fancy lawyers and stuff. They order an Apple Watch through Devo. Devo tells them, you know, create a new email, just wait. They get the delivery. They get the email from Amazon customer service. Shows up in the inbox asking for a police report, and Devo immediately supplies the forged police report saying the item was stolen, kind of proving what's going on here. And they file this amended complaint naming Radicus. And within roughly an hour of the filing hitting of the docket, both those Devo channels are immediately wiped and taken down, which shows I found this fascinating that someone on the inside at Devo was monitoring federal court filings in real time because that was the only place the name showed up in that little window. Radekis keeps operating for another six months and then Lithuanian police arrest him on 12/03/2024. He is so far the only person in this whole universe to face physical custody anywhere. There's like 26 other named defendants, seven Amazon warehouse people, but those are all or were already resolved civilly. Radicus is the the face of this whole thing.

Speaker 2: So that all of the people that took bribes and stuff, they just had civil charges? Like, they were sued essentially by Amazon?

Speaker 1: So far, that's what I can tell.

Speaker 2: Okay. Okay.

Speaker 1: We're getting into the edge of what I know about this, but that's my sense of it. The Radicus is the only dude who's really, like, true. Criminal. That was kinda where the research started was like, hey. Someone's been charged with this, and that's weird. Yeah. So the macro numbers as per this so Amazon hire I think they hired Deloitte. I don't know if it's Amazon or maybe Walmart. But Deloitte gets hired, big consulting firm, and they do a 2024 report. And they said that out of 685,000,000,000 in total US returns, roughly 15.14% are estimated to be fraudulent, which puts you at about a $100,000,000,000 lost.

Speaker 2: Okay. Wait. Back that up. Say that number again. $685,000,000,000 in returns?

Speaker 1: Not for this specific operation, but in The US returns world, that number is six eighty five. If 15% of it is fake, you're looking at about $103,000,000,000, which is up a little from the previous year.

Speaker 2: The scale of returns

Speaker 1: I mean $2,000,000,000.

Speaker 2: The scale of returns, the thing that shot off the page of me there, $685,000,000,000 it returns.

Speaker 1: Better part of a trilly. That's a lot of

Speaker 2: Yeah. IPads.

Speaker 1: That's a shit ton of iPads. It's Yeah. Yeah. I'm thinking of the person at the mailbox being, like, some might say too easy. Like, yeah. It's it's it's a big number. Yeah. And the 15% fraudulent, like, obviously, they're pursuing this, but it it's kind of revealing of margins because you wouldn't opt they're not doing this out of the the kindness of their hearts. They're doing this because an the frictionless return process leads to people making purchases they might think harder about. The the math must be mathing at this scale. You obviously wanna get 15% down, it tells you a lot about what the margins on these businesses are, and it's really fascinating.

Speaker 2: Well, in traditional retail, you know, they they had shrinkage, which is, like, stuff that's staff steal. Staff steal probably more than people that come in off the street. And I think the rates back in the day were, like, one to two percent. So to go to 15

Speaker 1: I know that.

Speaker 2: So so if if you've got 680,000,000,000 in returns and only 15% of that is fraud, Mapping that all the way back to gross revenue is probably somewhere in the same range.

Speaker 1: It's just

Speaker 2: modern retail theft is refund fraud.

Speaker 1: It's refund fraud. Yeah. I think that that 15% number, this is a report by a a group of people that have been hired on by a company to show what a big problem fraud is. I think you always need to take these consultant kind of numbers with some sort of a a grain of salt. I'm not even shit talking. Like, just you you simply have to. So Yeah. If that number was gonna be high or low, I would think the incentives would push it to be high. But if it was even 10%, if it was 8% or seven or six, that's still a huge multiple more than in person retail, like fraud. So it's kind of interesting.

Speaker 2: Yeah. Yeah. 685,000,000,000 in returns. That's It's pretty crazy. That number is just stuck in my head.

Speaker 1: I know. It's, it's I thought this was an interesting one to start with. Everyone here has probably returned something online, and you we always hear stories about how these systems often don't even want the item back or that it's an automated system that's easy to trick. We've all heard about this, and it leads to this question that is sort of answered in these documents. How would you build that vulnerability in this hundreds of billions large system into something that delivers, fraud at scale? Yeah. We didn't know much about it till these documents. They're a couple years old now, but I'd never seen them, and I found it really interesting. Totally.

Speaker 2: Yeah. Yeah. Fascinating contemporary organized crime. Totally.

Speaker 1: Yeah. Fraud as a service, marketing on Telegram. Yeah. Curious to see where it go next. We we we cover a lot of big geopolitical stories, and I liked this as, like, this is something that people are doing. Their customers are average folks, and that's not something you see often.

Speaker 2: Well, that that makes me just wonder, like, you know, just to look into the same space. Like, we all know the, like, porch pirates. Like, people that come and steal your packages off your porch. Like, that's a massive Huge. Industry of theft. Like, that that that is, I guess, what you consider current retail theft or, like, the contemporary version of retail theft is just following the Amazon truck and just stealing everything off everybody's It's the petty version.

Speaker 1: Yeah. Yeah. That's the nonorganized petty version. It's like, I'm just gonna pick that thing up. It looks heavy and valuable.

Speaker 2: Very untargeted. Just go and box to box, load them in your car, and drive away. The yeah, it's it's funny the delivery economy, we haven't quite figured out how to deal with it yet.

Speaker 1: Yeah. And I feel like there's been such a I've seen all these things of people being like, what if it was a locker with a combo pad? And I'm like, what that's fundamentally misunderstanding is that this system is building margin in for convenience knowing it will come at the expense

Speaker 2: of Totally.

Speaker 1: Like, it will come at the expense of loss and fraud and refunding and all that stuff, but it's like the they know that by making it more convenient, they will lead to more of that kind of loss. It is a strategic choice, is the thing I always come back to.

Speaker 2: Yeah. Cost of doing business. The because because The Cost of business. Because shrinkage is like retail always you always factored for shrinkage in your cost estimates and financial projections. The this would be the same if you could eliminate it's like insurance. Insurance fraud leads to higher insurance costs, and it's like retail theft and retail fraud leads to higher retail

Speaker 1: costs. Retail costs. Yeah.

Speaker 2: And it's like it's a self self fulfilling loop. Exactly.

Speaker 1: And the thing that's interesting about this is, like, a bunch of those I'm not gonna say which ones because it it starts to turn into advertising, but it's like not all of them are gone. Like, not even all the ones that are named in some of these indictments are gone. It's like they persist, and it's like it's a pretty where they can be advertised, I mean, we've talked about what certain social media platforms will and won't let you advertise and when exactly it becomes fraud before. It's not impossible to advertise something like this on a legitimate mainstream platform. And it starts to take on a a color that's a lot more like a drop shipping business than, like, selling ransomware on the dark web, even though it is part of a $100,000,000,000 fraud ecosystem.

Speaker 2: Yeah. Well, like, Meta's Meta's scam advertising that we talked about. Exactly. Yeah. Shocking.

Speaker 1: Exactly. Like, it's like when when we talk about something like that and we say, well, what kind of frauds are we talking about? It's this. It's this kind of thing. It's a weird telegram channel where someone lets you run a scam and sometimes the buyer is the victim and sometimes they're not. And in this case, it's kind of one of the rare instances of one of those things where the person that's found their way to the telegram channel isn't the mark. They're not about to be talked into

Speaker 2: paying for something.

Speaker 1: They're not about to be tricked into paying for a

Speaker 2: course financial

Speaker 1: phished Yeah. Yeah. For a credential. It's one of the rare ones where it's like, no. No. You come in. We're gonna go screw them over. It's a really different relationship.

Speaker 2: Structure. Yeah. It's like, hey. Wanna do some light crime?

Speaker 1: Totally. Getting here. Exactly. Yeah. Yeah.

Speaker 2: Yeah. Exactly. You don't wanna pay full price for that new laptop?

Speaker 1: Yeah. We'll Yeah.

Speaker 2: We'll figure it out.

Speaker 1: Come on. Little storefronts, and you will get scammed if you go into all of them. But there's actually that one storefront that if you go in there, you become one of the scammers. There's definitely, like, they they're offsetting the liability for this to the people. It's why some of the customers were named in these indictments. It's like, I'm sure people being thrown under the bus left, right, and center. But it's it is a fundamentally different relationship.

Speaker 2: Yeah. I wonder if that's like the plea deal that that, they're gonna cut. It's like, I actually have all of the Totally. I have the directory of everybody that's robbed from you. We just help them rob you. Like, here's the list of everybody that actually robbed you.

Speaker 1: But Amazon has that list too. I'm just thinking about this for the first time in real time.

Speaker 2: But they don't know it for sure.

Speaker 1: No. No. They don't know it for sure.

Speaker 2: That's the difference.

Speaker 1: So it's kinda like you can confirm This person who never bought anything more than a $100 before and had only made three purchases suddenly bought $10,000 worth of, you know, gaming consoles or whatever. GPUs. We're suspicious of this. Exactly. Literally, they bought one GPU. This must be fraud. Yeah. There's no way that's the real price. Anyway, very interesting story. Yeah. Cool. Cool. Cool. Fine. Yeah. It's a neat one. Should we kick it over to the add water slide and then we can just chatty chat on the back end. Some summer chatty chat. Starting something new isn't just hard. It can be downright terrifying. You put a lot of work into a thing. You're not entirely sure it's gonna work out. You're taking a huge leap of faith. I've started a few things. Now I know I was right for believing in, you know, the idea, the product, despite all of those fears and hesitations. But boy, does it sure help when you have a partner like Shopify on your side. Shopify is the commerce platform behind millions of businesses around the world and 10% of all e commerce in The US. From household names like, well, hacked podcasts merch, to brands just getting started, you can get started with your own design studio with hundreds of ready to use templates. Shopify helps you build a beautiful online store that matches your brand style. Did I mention that that iconic purple shop pay button is used by millions of businesses around the world? I don't know why I wouldn't. I should. It's why Shopify has the best converting checkout on the planet. It also helps boost conversions, meaning less carts sort of getting abandoned in the parking lot and more sales for you. It's time to turn those what ifs into sign up for your $1 per month trial at shopify.com/hacked. Go to shopify.com/hacked. One more time, that's shopify dot com slash hacked. Think about the last time you heard a breach story on this show. It always starts the same way. Someone, somewhere, saw something too late, an alert buried, a signal missed, an SoC that just couldn't keep up. Arctic Wolf set out to solve that problem by rebuilding security operations from the ground up for a world where attackers are already using AI. They created the Aurora Superintelligence Platform, a fully agentic system powered by the swarm of experts. Instead of single purpose bots or lucky guest LLMs, this swarm is full of deterministic agents that handle whole entire workflows. Humans stay in the loop and on the loop to validate the critical decisions and keep everything trustworthy. And all of this is just off running on their secure operations graph, a constantly updating intelligence engine fueled by more than 9,000,000,000,000 telemetry events every week and over a decade of real world incident response. The system reasons on real signals and real context, not synthetic training data. And the result is the new Aurora Agent SOC. It's the first SOC that is agent led by design. You get agents that coordinate, agents that investigate, agents that respond at machine speed, and hundreds more that automate the repetitive work that normally buries human analysts. Arctic Wolf didn't try and bolt AI onto an an old model. They rebuilt the model entirely. What makes it even more effective is how it works with Arctic Wolf's concierge experience. The team brings customer specific context directly into the platform so every AI driven decision reflects your environment instead of generic assumptions. The automation frees your concierge security team to focus on higher value strategy and proactive risk reductions while the agents handle the grind. If you wanna see what trustworthy production ready AI and security operations actually looks like, go to arcticwolf.com/hacked. Every company says AI will make employees more productive, but most employees are still stuck waiting on IT, waiting for app access, waiting for password resets, waiting for someone to fix a laptop issue so they can get back to work.

Speaker 2: That operational drag, it adds up fast, and IT teams are overwhelmed trying to keep up. Servo was built to automate that work. You describe what you want automated in plain English, and Servo builds it for you. No complicated workflow builders, no consultants, just faster support and fewer tickets slowing everyone down.

Speaker 1: Servo enables IT teams to build automations using plain English instead of drag and drop workflow builders. Platform is designed to eliminate repetitive tickets so IT can focus on strategic work instead of constant firefighting.

Speaker 2: Unlike traditional automation tools, Serval doesn't require consultants or long implementation cycles. Serval positions IT as the AI powered operational backbone of the company, not just a support function. The company guarantees customers can automate 50% of IT tickets and backs it up with a free four week pilot.

Speaker 1: Learn more or start a free four week pilot at serval.com/hacked. That's serval.com/hacked. Serval.comslashhacked.

Speaker 2: And we're back. We're back from the waterslide. We're drinking some water.

Speaker 1: We're drinking water. I didn't drink during

Speaker 2: the waterslide. Summary chat. How about summary things?

Speaker 1: I I had one to start us. I don't know if you got anything you wanna dive into, but I had a I had a follow-up.

Speaker 2: You you go first. I got something that I wanna chat chat. I got a few things I wanna chat about, but you go first.

Speaker 1: I'm I'm looking forward to it. I will We

Speaker 2: we haven't listened to you for the last thirty five minutes. So why don't you just keep going?

Speaker 1: Well, no. In that case, I want you to take it away.

Speaker 2: The, mythos. Anthropic's mythos Yes. Claude mythos.

Speaker 1: We've talked about it.

Speaker 2: Yes. The security model that they were like is too powerful to go to the public. We talked about it. I just wanted to have a follow-up brief chat about just how many security patches I'm seeing in software that I use. I'm getting every single thing from, like, our enterprise data servers to, you know, every app on my computer and my phone. You're I'm getting security patches for in in waves. And I have no reason to believe that it is Mythos, but I have no reason to believe that it's not

Speaker 1: because the

Speaker 2: volume is like, I go into my command line and, like, I'm an OSX user and I run, like, brew update, and every single brew package has security updates. And it's the volume of things that I'm seeing in the in the patching and security hardening and all of the software that I touch is I don't know. I can't help but think that this has something to do with these, like, new hyper secure models looking to secure software.

Speaker 1: Sure.

Speaker 2: Just because the volume of it is unlike anything I've ever seen.

Speaker 1: Now from what I understand, for anyone that is unfamiliar, if you didn't listen to this episode a little while ago

Speaker 2: go back and let's do it.

Speaker 1: Go back and let's do it. It's it's a genuinely really, relevant and fascinating story, but it was anthropic. A manufacturer does this big press event where they announce Methos as their new security model or a new model that has a lot of relevancy for security, and they kind of put up this video showing all these vulnerabilities they found and kind of and it's almost Manhattan project esque framing. Say, you know, we're bringing in this select group of partners, big technology companies to get this thing into their hands so they can patch stuff before this gets it public and other potentially bad actors are using it, try this sort of AI security moment.

Speaker 2: It is still not public. Sorry. I was interrupting you. It's called Project Glasswing.

Speaker 1: That was

Speaker 2: Anthropic essentially said I think it was, like, a $100,000,000 in usage of it. They just gave out to organizations to try and secure infrastructure software, common apps, things like that across multiple platforms. And I will say that in the last two weeks, I feel like every single piece of software I've got has had a critical security update all from my iPhone down.

Speaker 1: So this is my question, is if a bunch of software just got a bunch of security updates, but only some software got Glasswing access, I do think that this is you could the sentence Mythos caused people to lock down these bugs is an accurate sentence, but not necessarily because they had access to it, but because this shock and awe campaign caused everyone to go, ah, and review all their stuff and probably have normal Claude analyzing stuff for bugs and doing bug hunting and stuff. But it was almost the thing we talked about in that episode, which was this project last swing was a remarkable marketing push for Anthropic's role in security, which is what you're seeing the downstream effect of.

Speaker 2: Correct. Also, the fact that OpenAI came out with Codex five five and said that it had a lot of the same functionality that, Mythos did. OpenAI went an interesting direction. I actually tried to use it on some of the software that I've written in some open source projects that I was looking at evaluating. I would just hand, like, a I would download and clone a GitHub and then just hand it off to codex and be like, review this for security things. Let me know if it's safe to use. Instantly get kicked to a know your customer login where they want me to upload my ID, take a photo of myself, do all these things, yeah, to verify who I am. Because to get security access in their models, you have to go through a KYC thing Wait. Wait. Wait. Which is kinda brilliant.

Speaker 1: It's it makes absolute sense. I'm glad to hear this, but I wanna make sure I understand. You were trying to get codex to review open source projects that you are not the author of. Correct.

Speaker 2: Well, yeah. Correct. But I had downloaded them and was considering installing them. So I was like, do a review of this and let me know if there's anything given the amount of supply chain attacks going on in open source software right now Yeah. I was just like, review this and tell me if there's anything that I need to be worried about. And it immediately makes

Speaker 1: me feel like like a jailbreak Yes. Trying to get us to find a bug. Can you can you show us some ID? Interesting. Yeah. Woah.

Speaker 2: So they've they've OpenAI has definitely begun rolling out the same kind of functionality, but they're putting it behind a locking key that you have to have to essentially prove who you are to get access for it and have it enabled on your account, which is fine.

Speaker 1: I would bet that becomes industry standard. I I would bet that when those comes out, it's just like there's, like, know your customer stuff in place

Speaker 2: for that. Totally.

Speaker 1: If you can have to do know your customer for making a poly market bet, you probably should have to do it for the, hacker robot. He seems comparable.

Speaker 2: Here is the, infrastructure software being run by this company. Tell me how to break into it. Yeah. With the, like, no.

Speaker 1: I work for them. I'm allowed to be doing it. I'd be like, yeah. No. We we've been down this road before. Yeah. Interesting. Yeah. Yeah. I mean, that's that seem it I wouldn't have guessed because it is, as of right now, the only functionality inside these models that would ever prompt that kind of thing. Like, it's normally if you you can type, the thing will reply. Like, that's sort of how it works. So it is a little bit of a sea change to be like, no. This specific layer of functionality, we need to know who you are. You need

Speaker 2: And the the and there's cybersecurity researchers that are coming out being, like, these models are better than or as good as we are and way faster. Like, they can parse through massive amounts of source code, like, in a in a blink of an eye, look for common problems, look for complex problems. You know, they're at the point now where they're writing math proofs. Like, we've, we've come we've come another gen up in the model quality. And, it the the thing that really triggered this story for me and the reason I was wanted to bring it up is I'm sure everybody is getting flooded with security updates for every piece of software they use, and I can't help but feel like they're connected. Because it's it the the the volume of it is massive. The amount even, like, major companies, like Apple had one. Windows had a zero click RCE. Like, it's finding tons of stuff. The CVE is coming out like crazy, but they're all posting the CVEs in, like, after they fix it. So Apple will identify bugs. They'll fix them all, patch them, push out the updates, critical updates, and then file all the CVEs. So you can literally sit and watch on the CVE database all the different things that are getting, like, identified and fixed.

Speaker 1: Scott's on CVE watch. CVE watch with Scott. CVE watch. It's CVE watch.

Speaker 2: It's CVE watch.

Speaker 1: It's our new segment. This is a summer episode. I'm gonna barely edit, so we will not have music. But you just bank on it in the future,

Speaker 2: listeners. A CVE watch. CV.

Speaker 1: Yeah. If if we start filming these, I'm imagining, like, a little watchtower intro animation where you're, like, you're up there with the little spotlight. I have Sauron in CVEs as they come in. It'll be great. I have a I have one. It's a callback. Thirty five minutes was not enough. The people need to hear from me.

Speaker 2: Yes. They do. Everybody loves your voice, Jordan. Don't be bashful.

Speaker 1: So for years, we've talked about this story before. This is a follow-up. There's the idea that your phone is listening to the conversations you're having to serve you as this old kind of suspicion, conspiracy theory, valid explanation, up to you to decide. You if you listen to the show, you know where we fall on that. 2024, the reason we talked about this on the show is more than just the sort of conspiracy theory was, it's a company called Cox Media Group, c o x.

Speaker 2: Four zero four American Internet company.

Speaker 1: Yeah. They were marketing a product called, quote, active listening that claims to do the thing that the conspiracy theory said we think they're doing. Like, they they took that conspiracy theory and torment Nexus ed it into a product, allegedly. And I find the fallout of this really fun. Their pitch to advertisers was, like, their technology could tap into the audio from smartphones, smart TVs, smart speakers, and then use AI to target ads based on what consumers said and where they lived. An obvious privacy nightmare. A crazy thing to write on a website in my personal, opinion. The company claimed consumers had already consented to this in data collection form, so it was all cool and good and well done.

Speaker 2: In the terms of service, the bottom, it says, hey, we're gonna listen to everything you say? Exactly.

Speaker 1: The marketing on the website, lean I'm just gonna read it to you. Creepy question mark? Sure. Great for marketing question mark? Definitely. Do with that what you will. The story confirms this conspiracy theory that your phone is listening to you for marketing, and that was sort of where we talked about it. The update and why I wanna talk about this here. Cox Media Group, MindSift LLC, and ten ten Digital Works are collectively gonna pay $930,000 to settle FTC allegations. FTC's finding not that this would be immoral, illegal, a privacy violation. None of that stuff. I love this. The finding was concerned with the fact that the surveillance technology did not exist. Active listening was they lied allegedly about the bad idea. You see why I find this so fun? It's not that you did the evil thing. It's that you pretended you could do the evil thing.

Speaker 2: They're getting punished for, like, false advertising. That's hilarious.

Speaker 1: Exactly. It's people being like, we invented mustard gas, and we're gonna release it everywhere, and then you're getting sued for false advertising about the mustard gas.

Speaker 2: Yeah. You actually didn't invest it.

Speaker 1: Exactly. Exactly. Yep. Active listing was repackaged consumer email lists sold at a significant markup to businesses. The company, like, the claim that consumers had consented to voice data collection was just, like, I don't know. F FTC sure dug into it and thought it was worth suing over the accuracy of that statement too. The settlement money is gonna go to the businesses that purchased active listening believing it worked is the only part about this that pisses me off. I do not think that the people that bought this thinking it was a cool, normal, good idea should get that money, but your mileage may vary. FTC did not explicitly rule on whether using phone audio to target ads would be illegal. The violation was lying to customers about doing it, not actually doing it.

Speaker 2: That's so funny. Yeah. Well, that it's kind of like the optimal outcome. You know? Like, it keeps the conspiracy alive.

Speaker 1: Sure. We get to keep talking about it.

Speaker 2: It's like, well, are they actually doing it? And they they weren't found as, like it's like, well, we don't know for sure. Like, we we did know for sure, and now we don't know for sure because they actually got arrested for lying.

Speaker 1: Yeah. But so hope you got it. If you if you advertise, surveillance apparatus technology software or whatever you wanna call this, you better deliver is is kind of a weird takeaway from it. But I'm just I'm I'm glad to see this get shut down. I was glad to see it get shut down with everyone going, that's evil and horrible. I'm embarrassed for the people that bought this product, and I'm glad to see the people that offered this product getting dinged financially.

Speaker 2: Oh, man. There was a I was at a as as, like, a slight knock on to this, a similar similar conversation is I was at a at a family function yesterday afternoon with my in laws. And one of the person that I went with was, like, opened up Facebook afterwards. I can't remember the last time I was on Facebook, but they opened it up. And, of course, the first thing is is, like, suggested friends, somebody that else that was at the function. And he's like, how do they do this? And I was like, well, it's it's either one of two things realistically. It's either they have your location services and people that you spend time around. They align those two accounts, or it's like Bluetooth handshakes between your devices. And they have the ability to read that, know that that device ID reconciles with this account, and then they auto create these things. And same same kinda, like, weird, creepy, but effective things. It's like, hey. You probably know this person. You would just spent three and a half hours within five feet of them.

Speaker 1: Exactly.

Speaker 2: It's like, yes. Yes. I did.

Speaker 1: Oh, yeah. We've their entire business model is pegged on being able to kind of roughly know where you are. In both parts of that sentence, you and where are the operative things. It's like, who are you demographically and where are you? Everything else they can they can figure out from that. They don't need to turn a microphone on. It's No. You you can get everywhere. I've been in I was in Beijing traveling with a buddy who had to re sign up for Facebook to do this. He needed Facebook to get into a different thing. So we re signed up for Facebook and it immediately was like, you probably know Jordan. And it was because we were sitting in the same hotel bar in a hotel room.

Speaker 2: From each other.

Speaker 1: We were five feet from each other. And it had no insight. He was using a fake email, like, you just needed a Facebook account. And it was I was like, yep. Because they know the who and they know the where and that's you can build an empire on that. Super interesting. Yeah. The,

Speaker 2: the other thing I wanted to chat about

Speaker 1: Please.

Speaker 2: Please. Please. Is pass password managers. Oh. Oh, I hear a goblin in the background. You're a goblin.

Speaker 1: Probably not I'm not gonna edit this out. So you get to we all get to find out together how many times my cat's gonna be out over the next twenty minutes or so.

Speaker 2: Password managers. Dashlane, the password manager, not sure if you've heard of it, has been forced to disable a lot of, their user accounts because somebody is trying to brute force into them. And as one of their security features. If somebody's trying to brute force into your account, they just lock it, which all of a sudden becomes a bit of a denial of service attack because I don't know what my life would be like if somebody took away my password manager because I probably wouldn't be able to do very much seeing as I don't think I know any of the 3,964 passwords that

Speaker 1: are stored in it. And that is the last we will say of that for operational security purposes. Exactly.

Speaker 2: True true enough.

Speaker 1: Woah. That's interesting. A denial of service. Woah.

Speaker 2: So I I don't know. There isn't enough details on it. It's kind of ongoing as we're making this episode.

Speaker 1: Yeah.

Speaker 2: But I don't know if the intention is to be a denial of service or if somebody's just trying to do a brute force attack across all dash lanes.

Speaker 1: Yeah.

Speaker 2: But there there's something going on in the background right now. Wow. Literally right now. Like, they're they're tweeting about it, like, as we're recording.

Speaker 1: That's interesting. That would be bad. That would be scary. The password manager is it's yeah. It's the modern key chain. It's it's so important to be able to and like and like you said, to be able to even just knock down there's so many things that I would go I'd rather you lock this down than give away access to it. But the password manager's like, if you lock it down, I I lose access to everything else. Like, the it it's like the one domino that in the domino falling video, where there's the one that triggers the sort of pyramid of all of them, it's that one. It's the first domino.

Speaker 2: It would be really tough for me to show up for work on Monday morning and not have access to my password manager.

Speaker 1: You are you are mostly a password manager at this point.

Speaker 2: Yes. At this point, I've I've migrated everything. I am I I am functionally just an AI with a password manager. I'm the inter interconnect.

Speaker 1: Interesting. Yeah. Okay. Well, use password managers and lock them. I I don't know what to say about that one. Bad.

Speaker 2: It's just just an interesting thing that's actively going on in the background.

Speaker 1: That is fascinating. I had a, I mean, we're truly in the in the summer chatty chat vibes here. The stories have fallen fast This is how you know. Episode or two ago, we talked you and I talked about Boids. I don't remember this. For anyone that missed that one, it was the premise. It was just a old interesting research thing of someone had basically worked out how birds flocked and flew together without smashing into each other. They build this model tracking birdoid objects that has been used in virtual effects, video games, tons of stuff since. Basically tracking how does a murmuration of birds fly through the sky without colliding, the rule set that emerges in a natural phenomenon that can be rendered as an algorithm. I just find that really cool and interesting. So we talked about it on the show, birdoid objects, and a friend to the show, who I I didn't get his permission to mention this, so we'll just call him b. B sends over, an article after the episode goes live because he listens to the show, and it concerned a a set of MIT mathematicians who applied the same sort of process to human beings, and I found this a really fun follow-up. It appeared in the proceedings of National Academy of Scientists who was MIT instructor Carol Bassick, and she was studying how the, like, movement and flow of a human crowd could be used to create a prediction algorithm for when pedestrian paths will shift from ordered nice movement to entangled and people bashing into each other. And it reminded, I think, them and me when I went through it so much of the bird algorithm. There's an element called angular spread to the parameter that describes when people start going in different directions to get away from each other, and then they'll angular spread back to converge off of other people. And the sort of emergent smooth flow of movement of human beings, say through a massive crosswalk or a train station is similar in that it is naturally emergent but documentable same as birds flying through the sky. And isn't that cool and interesting? It is cool and interesting.

Speaker 2: I love it. Also also the, the anomaly, the person that isn't adhering to the Yeah. To the algorithm is all of a sudden the asshole. Yes. You know, the the person that's, like, smashing their way through the crowd. Everybody's like, look at that jerk.

Speaker 1: It makes me relate to birds so much better because I'm like, oh, I now I know what it would be like to be flying with one birdoid object that isn't doing its goddamn job. Like, I've been there before.

Speaker 2: Yeah. I've been to Tokyo. Yeah. The even though the the the Japanese people are amazing at it, but the the tourists are always the one that are, like, smashing

Speaker 1: the Spanish. The people. It's an Angular the problem, and that's amazing. We create problems. It was an Angular spread of around 13 degrees. If you if you go more than 13 degrees off axis of that typical spread, that's when you start getting disorder. And there's a cool diagram. This is on mit.edu if you wanna go see it. If I remember, I'll include a link, but you can find it online. There's a great GIF of the order versus disordered scenario tracking people, and you you've seen this before. You've been a part of it, of people sort of seamlessly flowing through each other like the, you know, the tooth comb kind of two going against each other versus just chaos. Really interesting.

Speaker 2: The, the only thing I've got left that I wanted to talk about was, bill c 22 in Canada.

Speaker 1: That I

Speaker 2: wanna get into the great details of it because Yeah. I think we should have, like, a lawyer on to talk about it. But, essentially, the Canadian government is updating their lawful access act,

Speaker 1: which

Speaker 2: is essentially a modernization of surveillance laws to handle the smartphone world we live in.

Speaker 1: And what does that, like, necessitate? Like, that you have to is this one of those you have to show ID to be able to go on things? Is this one of those get rid of VPNs things? We're seeing a lot of those around the world.

Speaker 2: Well, so the it's not just it's not either of those. It's more so, like, the it's made the news very heavily up here in Canada recently because major tech giants are, like, going in front of our parliament being like, you can't do this. Like, we're we're refusing to adhere to this law. You're asking us to weaken encryption to the point that it's, you know, not really good for anything.

Speaker 1: I did read about this. Yeah.

Speaker 2: Yeah. So you're getting people like, major VPN providers, Apple, Google, Meta, all showing up being like, this is bad. You should not be asking us to do this. Signals threatened to pull out of Canada saying, like, they will refuse to adhere to it. So it's not really like an anti VPN law, and it's not like a know your customer thing. You know, it's it's metadata retention so that they can see what you've been up to on your phone for, like, up to a year afterwards. Kind of like it's surveillance y without really judicial oversight. Yeah. It's interesting. I think everybody that if you're especially if you're Canadian, you should go take a look at it because it will significantly change the authority and power that the police have to dig into your life without judicial oversight.

Speaker 1: Yeah. It sounds like I did read a little bit about this, and it sounds like what it would basically be doing in an attempt at getting CSIS, Canadian sent security intelligence service, the ability to obtain digital information during investigations. It puts the onus on the technology providers to adapt their systems, which is like, well, if if they've promised to encrypt their data, but you're making them promise to give you the data if they have a subpoena, that would necessitate, and we've seen this in other jurisdictions, the existence of a backdoor around that encryption.

Speaker 2: Yeah.

Speaker 1: It would create a bunch of backdoors into otherwise secure systems.

Speaker 2: They've put a safeguard in the act that says that the company won't be forced to introduce a systemic vulnerability, I e a backdoor, but they don't really define what systemic vulnerability is. And, you know, you could easily argue that reducing the quality of the encryption is in is, in fact, a systemic vulnerability. So it's I don't know. Anyway, it seems that a lot of people should be aware of and and read up on. You know, we got a lot of this stuff going on globally, access to information, loss of privacy, control of free speech, things like that. And I think this is another part of that campaign.

Speaker 1: Yeah. I don't think that I'm gonna choose to buy the thing that is encrypted and is secure, not because I have any need for it, but it's sort of a matter of principle.

Speaker 2: So I think that's Canada, so you might not be able to buy that anymore because they won't be able to sell it here anymore because they won't adhere to this act.

Speaker 1: So wouldn't choose this one.

Speaker 2: Bummer. Yeah.

Speaker 1: Way to, way to bring down the summer sowed, Scott. Sorry, man.

Speaker 2: Let's, let's pump it back up before we wrap it up.

Speaker 1: It's good. It's important. That one matters.

Speaker 2: Talking about birds, and I'm talking about privacy.

Speaker 1: Talking about birdoid humanoid objects, talking about refund scams. Do we have anything else that we should chat about?

Speaker 2: I don't

Speaker 1: know. What

Speaker 2: else should we talk about? Go check out our YouTube channel. We've been much more diligent about posting things. Back catalog is almost through. We're hoping to get to live recordings of our faces at some point. So you might actually see what we look like and how confused we look during the recording of this. No. I'm just joking.

Speaker 1: The No. No. That occurred to me. I was like, I was watching my own face as we recorded, and I thought I'm regularly, like I'm giving away more on camera than I think I am on microphone. It's gonna be really fascinating to be like, wow. He was much more confused about that than I than I realized from the talking. No. We're gonna do that.

Speaker 2: The thing that gets me

Speaker 1: Go for it.

Speaker 2: I was gonna say the thing that gets me is that I have so many monitors that that I'm constantly tracking around.

Speaker 1: Yeah.

Speaker 2: Like, I'm very rarely, like, engaged with my camera, so that'll be interesting.

Speaker 1: Especially when I realized here I'm right in the middle. I and I got my notes. Something I realized, I don't think we've done in four years, is be like, hey. You should rate and subscribe positively this shit. Like, we're so bad at all of that basic stuff. But like and subscribe at an hour into the episode. I'll say that for the first time in years. Like and subscribe.

Speaker 2: To the YouTube channel.

Speaker 1: Yeah. Both.

Speaker 2: Leave leave a comment that's positive and loving if you Yeah.

Speaker 1: Say nice things because we read them. Yeah. Send nice emails. I don't know.

Speaker 2: We do read like, especially on the Spotify comments, we do read a lot of your comments. Like and when I say a lot of them, I mean all of them. So if you

Speaker 1: They come to the same place. We see them all. So And

Speaker 2: if you send something mean, you'll get screenshot and then talk badly about via Jordan and I in our group chat.

Speaker 1: I think I I fear you have just lit a roaring forest fire by saying that. And I'm not editing this episode, so come what may, brother.

Speaker 2: There you go. There's your summer vibes.

Speaker 1: There's the summer vibes.

Speaker 2: Talk some smack in the comments. Talk some

Speaker 1: smack. Good stuff. K. I think that's it for this one. It's a it's a light one. It's a loose one. It's been great hanging out with you. And I think we'll probably, for another light summer so, catch you in the next one.

Speaker 2: Yeah. K. Take care, everybody. Cheers.

Speaker 3: Where's your playlist taking you? Down the highway, to the mountains, or just into daydream mode while you're stuck in traffic? With over 4,000 hotels worldwide, Best Western is there to help you make the most of your getaway, wherever that is. Because the only thing better than a great playlist is a great trip. Life's a trip. Make the most of it at Best Western. Book direct and save at bestwestern.com.

Speaker 4: You can't reason with the sun. Trust us. We've tried. This summer, it's time to put that angry ball of fire on mute. Columbia's OmniShade technology is engineered to protect you from the sun's harsh rays that can burn and damage your skin. The sun is relentless, but so is our gear. Level up your summer at columbia.com to spend more time outside and less time slathering on aloe lotion. You're welcome. Columbia, engineered for whatever.

Speaker 2: Ryan Reynolds here for Mint Mobile. I don't know if you knew this, but anyone can get the same premium wireless for $15 a month plan that I've been enjoying. It's not just for celebrities, so do like I did and have one of your assistant's assistants switch you to Mint Mobile today. I'm told it's super easy to do at mintmobile.com/switch.

Speaker 5: Upfront payment of $45 for three month plan, equivalent to $15 per month required. Intro rate first three months only, then full price plan options available. Taxes and fees extra. Fee full terms at mintmobile.com.