Hong Kong Deepfake Heist + Three Million Toothbrush Botnet + Hacked Canada
TL;DR: A Hong Kong company lost ~$25M to deepfake video call scammers; Canadian stories cover Air Canada's misleading chatbot, the proposed Flipper Zero ban, and an adult-site ID proposal; a viral 3M toothbrush botnet story turned out to be false.
A chatty chat episode in which Scott and Jordan discuss the proposed Flipper Zero ban in Canada, a chatbot that lied to an airline passenger, a multimillion dollar deepfake heist in Hong Kong, and the Satoshi Nakamoto court trial currently underway.
Transcript
Machine-generated transcript; may contain errors.
Speaker 1: I think it's time for for a little trivia.
Speaker 2: Hit me.
Speaker 3: Was there question one.
Speaker 2: Question one.
Speaker 3: Was there a botnet made up of 3,000,000 Internet connected toothbrushes that were terrorizing the Internet when they weren't terrorizing plaque?
Speaker 2: That sounds so far fetched that I can't imagine you just made it up, so I'm gonna go with true.
Speaker 3: It's a double bluff. No. But it sounded so far fetched that a lot of people thought it was true. Question number two. Was there an elaborate deep fake theatrical production used to stage a massive 200,000,000 Hong Kong dollar corporate heist?
Speaker 2: That sounds like a for sure.
Speaker 3: Yeah. That definitely did happen. Question number three. Is Craig Wright Satoshi Nakamoto?
Speaker 2: No. The answer is no. But true. That is that is the the trivia thing that you asked.
Speaker 3: I have framed this all as trivia. Like, maybe for legal reasons, but if he is Boise not making a great case, and the stakes of the case he should be making are very high. No. Yes. Maybe. We've got a bunch of fascinating stuff to talk about, but do you know the thing I'm most excited to talk about, Scott? Mhmm. I'm excited to take all our listeners on a tour of of our of our homeland. It's the hacked Canada tiny stories about Canada tour.
Speaker 2: Oh, well, there's some big stories about Canada that we're working on that we're coming out with,
Speaker 4: as
Speaker 2: soon as the future. Yeah.
Speaker 3: Yeah. True North, strong, and hacked. Three stories from the North.
Speaker 2: Strong and oppressed.
Speaker 3: Jesus. Flipper zero bad. Air Canada chatbot weird. And a strange identification system proposed to visit, call them adult sites. Who knows what's even going on up here? The fog of war is thick, but one thing is for certain, you're listening to Hacked. I'm working on my broadcast transitions. Did you enjoy that?
Speaker 2: I did. That was perfect.
Speaker 3: You like that? That was good.
Speaker 2: Amazing.
Speaker 1: But the question you kicked
Speaker 3: it all off with, my friend, how you doing?
Speaker 2: I'm good. I'm good. I'm, just got back. Did a little week surfing in Nicaragua, which is why I was absent last episode. Apologize and will be absent actually, I believe, in the next episode because you did that interview a lot of his way. And the Internet to Nicaragua maybe isn't, broadcast quality per se.
Speaker 3: Well, we're happy to have you back, man.
Speaker 2: Yeah. Excited for a few of the interviews and things we got coming up for the show in the next few episodes. We're finally getting to the Scott's Crypto Corner book review. Believe we're gonna be doing an episode, talking about, Douglas' Going Infinite and Zeke Faux's Number Go Up.
Speaker 3: Mhmm.
Speaker 2: So that should be a good one. Zeke is coming on the show, which is exciting. We haven't done the interview yet, but it's coming up. But, really yeah. Really will not we'll keep all my thoughts till that episode.
Speaker 3: No crypto. There's I I want a mild correction. I think the newest name is this the Scott, crypto rage cage was the most recent. It's the most recent title.
Speaker 2: Bitcoin is up to 73,000 after,
Speaker 3: Don't you have egg on your face?
Speaker 2: Apparently apparently, the world has found new value for it and has shot its price up. So excited to hear any theories on what that value is. Please drop me a a chat on Twitter at, Hack Podcast.
Speaker 3: I'm excited to hear from you. Almost as excited as we are to introduce some of our newest patrons on Patreon. That's right. hackedpodcast.com redirects to our Patreon, and, boy, do we appreciate all the support.
Speaker 2: Absolutely. You know who I support?
Speaker 3: Tell me. We haven't done this in, like, four episodes. I'm very I'm, like, looking forward to this part.
Speaker 2: Danielson. Danielson. My favorite karate kid.
Speaker 3: Yes. Danielson, thank you so much. Smokeione, that's a fun one to say. I'm glad I got that one. Smokeione, thank you.
Speaker 2: And Brad. Everybody loves a Brad.
Speaker 3: It's all about Brad. It's all about Brad. Noib. Thanks, Noib. Really do appreciate it.
Speaker 2: Andrew Naylor.
Speaker 3: Andrew Naylor. Nailed it.
Speaker 2: Love it.
Speaker 3: Nailed
Speaker 2: it. Nailed it.
Speaker 3: Wauxera. Thank you so much for your support.
Speaker 2: Topher the gopher, also known as just Topher. Just Topher. Offended you. Just Topher.
Speaker 3: Again, too loose with it. Ruru Day, thank you so much for your support. And last but not least, Scott, take it across the finish line.
Speaker 2: Hackle.
Speaker 3: Hackle.
Speaker 2: Hackle.
Speaker 3: Thank you, everybody. It means a lot to us. We haven't, done a Patreon shout out in a little bit, but, does mean the world to us. If you wanna support the show, hackedpodcast.com redirects to our Patreon, and, it means a lot.
Speaker 2: Definitely. Definitely. Merch: store.hackedpodcast.com. Get some stuff if you want it. If you don't want it, totally understand.
Speaker 3: I'm not here to pressure you. This is not a hybrid. Yeah. Maybe you don't need a bucket hat, but you probably do.
Speaker 2: Hey. Visor season is coming soon. It is March. Visors will be needed by, like, May at the latest.
Speaker 3: Yes. So get yours now. You can find all that stuff if you just go to hackedpodcast.com. I think what hackedpodcast.com/store is is where you can purchase that that hat? No. Nope. Make sure
Speaker 2: it's store.hackedpodcast.com.
Speaker 3: That's why I keep you around.
Speaker 2: Podcast.com goes to the Patreon. Store.hackedpodcast goes to the store.
Speaker 3: The logic tracks.
Speaker 2: Sub domains. Who knew? Who knew?
Speaker 3: Who knew? It's been weird up here in Canada, my friend.
Speaker 4: Mhmm.
Speaker 2: But Spicy times.
Speaker 3: Spicy times. The first one I wanna talk about so chatbots. Chatbots. So a Canadian guy named Jake Moffatt, successfully sued Air Canada after being misled by the airline's chatbot policy about their bereavement travel terms. So airlines have policies to provide discounts for people urgently flying because somebody died. These are very important policies. Following his grandmother's death, Moffatt books a flight from Vancouver to Toronto and goes looking for information on the website about the bereavement rates, where he was, you know, purchasing his ticket. Speaks with the chatbot on the website to find out what the terms are, and the chatbot inaccurately instructed him to book his flight immediately and request a refund within ninety days. This is importantly not how Air Canada's bereavement policy works. Jake files the claim, gets denied, then presents a screenshot of the chatbot's advice, and his refund request is rejected. In this rejection, Air Canada argues two major points. First is that while the chatbot provided incorrect info, it also provided a link to another page on their website that on that page did contain the correct information. So it was like, like a truth and a lie situation. And then they made a very weird abstract argument about it being this sort of separate entity that was not their responsibility. Both stances were dismissed by the tribunal, and Moffatt's sort of persistence in this led to a ruling in his favor granting him this this partial refund and additional damages. And as of the time we're recording, I checked this morning, the chatbot is disabled on Air Canada's website.
Speaker 2: This is great. This is if if this had come out any other way, we'd be in for a world of hurt with random
Speaker 3: I know.
Speaker 2: AI chatbots telling us random things that weren't actually right. So I'm so happy that this small lesson I'm so happy that this person took it to court Yeah. Because the 2 or $4,000 or whatever he was fighting for in regards to his ticket refund is probably nothing compared to what his legal bill was. So so kudos to you, my friend. The the world owes you a favor, at least Canadians do, for setting the precedent that these chat bots can't just make stuff up.
Speaker 3: Yeah. Yeah. For a bunch of reasons, there should be a penalty for the race to replace customer service people with, chatbots that have no internal model of the world. Like, the idea that a representative of the company can just tell you incorrect stuff that you can then act on that the company is not liable for is, like, that's a we can all immediately say see why that's not a great idea. That's not what this technology is for. And the fact that it was being used on Air Canada's website, this quickly is, like, pretty shocking to me, to be honest.
Speaker 2: Well, it's also shocking that they they must have trained the chatbot on Air Canada's policies and procedures and that it got it so wrong, which is wild to me. Yeah. So I'm not sure if that's indicative of just bad training or whether it's indicative of them not setting the right boundaries for what the chatbot was allowed to do, but it's just just just bad stuff. Like, it actually it reminds me of the Watsonville Chevrolet. I don't know. I think we chatted about this in a previous episode, but, like, one of the first big chatbot headaches was, some Chevy dealer in some place called Watsonville, which I do not know where it is. I'm gonna assume Kentucky or Wyoming. The, chatbot on their site, and it said powered by ChatGPT and all the rest of it. And people just started training it to say yes to everything and that and then to parrot back that it was legally binding. So people started, like, buying Chevy Tahoes for a dollar and like setting all these, I'm pretty sure the the people that were trolling it on the internet weren't taking them to court being like, no, you owe me a Chevy Tahoe, but that would be really funny if they actually had taken them to court.
Speaker 3: I feel like what's happening here is there's some enterprising folks out there that realized very quickly, hey, if we show up to these companies and saying, we figured out how to plug the OpenAI ChatGPT API into a chatbot. You can replace a lot of your customer service people with this. It's gonna save you this much money and look at how good the results are. And they've they've just been on a sales tour for the last year and a half. And I'm I'm hoping these stories are sort of a big megaphone blast into the world. Like, this is not an appropriate application of this technology. That's not what this should be for. Because people will figure out, you can compromise this thing with plain language, which means if you just put on the Internet, you're gonna get a chatbot on your site telling people, yeah, a Chevy Tahoe costs a nickel. And, yeah, you can just request a refund on your on your airplane ticket. It's like it's not it's not a good idea.
Speaker 2: The yeah. It's I feel maybe this is my own bias against these AI bots, but, like, I feel like they become really good at conversation. Yeah. Like like, they're like, the old Turing test to be, like, whether you can identify it. Is Is it Turing test? I can't remember what the test is for AI.
Speaker 3: Yeah. Turing test.
Speaker 2: If if it Turing test. Yeah. Of, like, whether you can identify whether it's human or an AI. I feel like they're they're crushing that thing. But the the the part of them then being trustworthy and having the right information, I feel like they're not crushing as much.
Speaker 4: Mhmm.
Speaker 2: So I'm I'm sure it's only a matter of time, but I I rarely have discussions with ChatGPT to get answers for questions that I want answers to
Speaker 3: Right.
Speaker 2: Where the answers are actually the answers.
Speaker 3: I feel like whether or not ChatGPT can pass a blind kind of conversational Turing test with someone is like, yeah, probably in a lot of cases it can. But the difference is that a company employs a human being, they kind of become liable for a lot of that human being's actions and it is not established that a company is liable for the actions of a chatbot.
Speaker 2: Yeah.
Speaker 3: And how you train a chatbot is just fundamentally different than a human being. And, also, like, you could fire a human being. You can get angry at a human being. There's penalties and incentives for a human being that just don't exist for a chatbot. So, yeah, it it can probably pass that test in a lot of situations, but when it fails to, you got no move whatsoever.
Speaker 2: Well, the like like, customer service agent, like, the word agent is actually like a like a
Speaker 3: really powerful term.
Speaker 2: Like, the to, like so it's like in a legal sense, it's a powerful term. Yeah. It's like an agent is essentially the spokesperson for a company in that regard. And once you have a chatbot agent, like, you need to be held liable for what it says. If people are using the information that it's providing to make decisions, then you should be liable for the information it's providing.
Speaker 3: I I a 100% agree. I have, like, clawed back money from large corporations. I've clawed back money because a person from the company on the phone on a recorded call told me something. I took action based on that, And then something about what they told me turned out to be wrong, and the call was recorded, and we were able to reconcile, and I got the money back. Like, that has actually happened to me. And it concerned air travel, weirdly enough, to this story. No. It wasn't with Air Canada. Anyway, it's like it matters. It matters that there is a a an accountable person because otherwise, it's just this, like, if if Air Canada had won this, it means that companies could just shrug off basically everything they tell their customers. Oh, that was a chatbot. Sorry. Separate entity than us. Yeah. You know? Totally. What can you do? These things suck. Like Well, then why do you have it?
Speaker 2: I don't know. Why is it telling people to do things? Yeah. Totally. I feel like we get bang on this bang on this drum all day long, but I've had the same thing where I've had to go back to recorded phone calls to get refunds on things. And, yeah, there's a reason why they record those calls, and it's pretty amazing. Mine was insurance related, which was even better. Weird.
Speaker 3: That sounds like a fun way to navigate. Yeah. Cool tech, don't use it this way. Anyway actually, speaking of cool tech, you shouldn't think about a certain way. There's another story coming out of Canada and concerns, a device that I know holds a special place in your heart, Scott, the Flipper Zero.
Speaker 2: Yeah. Yeah. I definitely don't own one seeing as they're about to be banned. Yeah.
Speaker 3: What else do
Speaker 4: I need
Speaker 2: to say about that?
Speaker 3: Take that episode down about how you bought and love yours.
Speaker 2: I bought I bought mine because I knew that they were probably gonna be banned at some point, and then now I'm Literally. Definitely don't have it. It's definitely not sitting right beside me. No.
Speaker 3: I'm totally not holding it at the present moment. Yeah. The Innovation, Science and Economic Development Canada agency has put forward a proposed ban on the importation, sale and use of, amongst other devices, the Flipper Zero.
Speaker 2: So let me I just need to go off a bit on this because it's this thing is getting such a bad name for just being configurable. You know what I'm saying? Yep. Like, you can do things on it, like run a small Wi-Fi web server, and therefore, we should ban it because that small web server can expose a security hole in Tesla's key system. It's like, well, you know, I could buy a micro PC off of AliExpress for, like, $80 and do the exact same thing. So or a Raspberry Pi or any number of other things that has the ability to run a Wi-Fi server.
Speaker 4: Mhmm.
Speaker 2: So why is why is the Flipper Zero getting a bad name? Just because it's kind of marketed as a tool. Yeah. And by kind of, I mean, it's marketed as a tool to do these things explicitly.
Speaker 3: But I'm not gonna sand that edge off. It's pretty explicitly marketed that way. There's no good reason to get rid of it.
Speaker 2: But it's yeah. It's like it's it's doing its job. It's proved that there are security vulnerabilities in certain car manufacturers key systems. It's like, great. Like, that's good. Fix those problems.
Speaker 3: A 100%.
Speaker 2: Ban the device.
Speaker 3: Don't ban a security research device if you're worried about the security of other device. It's just it's extraordinarily backwards.
Speaker 2: Yeah.
Speaker 3: For anyone that doesn't know, a Flipper Zero is it is it is marketed as, like, kind of a hacker tool. But what it really is is a small beginner friendly device that lets you interact with wireless signals. RFID, NFC, Wi-Fi, as you mentioned, Bluetooth, standard radio. You can do all sorts of fun little hackery projects with it. You can change TV channels. You can clone a hotel key card. You can read a pet's RFID chip. It's a little wireless signal receiver.
Speaker 2: Yeah. Yeah. It's a it's a extensible platform that allows you to pretty much do anything. There's a entire, like, circuit interconnect on it where you can put in custom boards. We did a whole episode about it. I if you have any interest in it and any interest in buying one before they get banned, I recommend you move fastly or quickly. The, we did an episode about it. We had a great, talking Sasquatch, big YouTuber on about it. Go back a few months and give it a listen. Great episode. But, very cool little devices. It's like a it's like a premade microcomputer to do this stuff. It's not it's like my cell phone is running UNIX. So it's like I could just do it on my cell phone. But it's like this is just its own kind of little pre made cutesy toy device for it.
Speaker 3: And it's
Speaker 2: kinda great. And people have really adopted it in a community's developed that is extending it and I don't know. Yeah. It's nice.
Speaker 3: I think it's worth digging into where this is coming from. So car thefts are admittedly a a pretty disproportionate problem in Canada. Just seems to be a thing. Statistically disproportionate. A lot of complicated reasons why that is. Despite all of the versatility that we've discussed, the Flipper Zero does lack a lot of the, capabilities necessary for actually bypassing modern car anti theft production, protections. Yep. Signal amplification relay devices are kind of widely understood. It's like, what if you're gonna buy a thing to steal cars, you're probably buying that. Flipper Zero doesn't let you do that.
Speaker 2: I was just gonna say rolling key generators and stuff like that. Like, the that you can buy a specific device. I can go on the Internet right now and buy a device that is meant to hack rolling key, like, automotive keys. Like, I can I can buy that right now and have it shipped to my house? That's not banned. No. No. But Flipper Zero is banned because in some situations, it can be used to run a phishing or, like, a, like, a man in the middle attack, etcetera, etcetera, and and it is what it is.
Speaker 3: In Canada, you kinda think of the geography in Canada. You drive up, not not a lot of buyers in Alaska. You can drive down, but primarily the buyers for stolen cars exported from Canada aren't in The United States. If you go through the, you know, the land borders, they're extraordinarily well protected. You can get across in other parts. It's a massive open border, but that's not where the the seller the buyers for these cars are. The buyers for these cars are primarily in, across oceans, let's just call it.
Speaker 2: Is that your political wave?
Speaker 3: Yeah. Across oceans.
Speaker 4: Sea
Speaker 2: cans and then go on shipping, freighters that then take them across oceans, notably the Pacific Ocean.
Speaker 3: And funny thing about sea cans, now that you mention it, a lot of those in our port systems. Yeah. Ton of those in our ports. So there's tons of things you could do to prevent car theft. You could invest more money in security, in our ports. You could create stricter regulations about the anti theft measures that go into these cars that make them prohibitively difficult to steal. We talked about that a ton in the Kia Boys episode. Mhmm. There's a lot of really cool meaningful actions you can take. Banning a hacking gizmo is just, like, a regrettably performative gesture that, if anything, is going to sort of, like, hold back meaningful security research in a country that is saying it is doing this because there is a security problem with cars.
Speaker 2: The only thing I can think of, and maybe if there's some bureaucrat at the GOA, or GOC, Government of Canada listening to this, is there something that we just don't know that's not reported in the news? Like, maybe these things are being used to steal, like, Honda Civics everywhere. Like, they're push button script kiddie car theft devices. Because, yeah, I agree with you. It does seem performative if it's just exposing security flaws in in in especially when it comes to Tesla. Because one of the things that I keep referencing is that, like, you can kinda use them to trick people into generating a spare key and and making the Flipper Zero into essentially, a web hotspot. Anyway yeah. If unless there's something that we just don't know about that's not being reported because they just don't want people to know about it and talk about how easy it is to just, you know, steal Toyota RAV4s or something, then then, yeah, I don't it does seem performative to me for sure.
Speaker 3: Good times. Good times. Good
Speaker 2: times.
Speaker 3: So here's one. Do we there's one last Canadian story. It's kinda ranty Canadian episode. Do we to heck with it. There's a bill currently in the committee in the House of Commons here up in Canada that would make it so if you wanna view adult content, you either have to so how do I get into this? That's the best way to do this. Yeah. Proposed to send a bill trying to mandate age verification on explicit websites. The argument it I understand the argument. It is to protect minors. However, the bill importantly doesn't specify a method for verifying users' ages. And looking at sort of some of the available systems in other jurisdictions, the two big things that come up would be either a digital identification system that you have to, you know, plug in to access these sites or a facial recognition software, which has, intuitively raised concerns about anonymity and privacy on the Internet up here in Canada. I I don't think it I think this seems like people go into the grocery store and getting all of the ingredients for a ginormous catastrophic data breach and putting them in the basket and walking them up to the self-service till. This like, what if we had a giant database of identities of people that visited a porno site, seems like the biggest target in the world. I can imagine the episode two years from now where we talk about the data breach. It just seems like such a bad omen.
Speaker 2: I 100% agree with you. The other thing unless they figured out a way to really like, I'm just thinking it through right now, to really, like Yeah. Multi tier, you know, unconnected key systems with I I don't know how they do it, but I agree. It would be have be especially if it was a government contract and built by government contractors, probably be ripe for data breaches.
Speaker 3: I'm sure that they would take their best crack. I I I don't get the sense I don't really have a tinfoil hat about this one. I don't think this this is the first step towards creating a a digital identification system and a social I'm I'm not I'm not meaningfully worried about this. I think this is starting from a a good instinct to try and keep minors off of adult websites, which is a good instinct. But I just think that this is a solution with the actual solution, which is a technical one sort of being shrugged off. And I think until you can propose that in a secure, meaningful way, you shouldn't this Bill S-210, you shouldn't be bringing this forward.
Speaker 2: I got a I got a bigger challenge for you in in regards to Shoot. The fact that adult content is just everywhere on the Internet now. So you literally can't just if if your concern is minor exposure to adult content, then you shouldn't just let minors on the Internet because I don't know when the last time you were on a social network was Reddit, Twitter, or X. Literally, any trending post on X is immediately followed immediately by the top reply which is an OnlyFans person promoting their OnlyFans with explicit content. It's like it's their marketing scheme. Same thing on Reddit. If something's trending, there's OnlyFans people marketing themselves in the comments. And it's just like, there's porn everywhere. I don't know unless unless we start doing unless they're marrying it to, like, image identification technologies. So, like, your web browser will then filter all that stuff out if you haven't verified your ID, like, which is probably a likely solution to that. I just can't see how they're how how mandating identity and facial recognition for explicitly adult content on the Internet or or tagged adult content on the Internet is gonna help because it's just so much of it at this point.
Speaker 3: Yeah. I think you kind of drove past the solution there, which is that, like, this is a hardware level
Speaker 2: problem.
Speaker 3: Yeah. So Software local. Hardware platform combination level problem. The the simplest version of this is that, like, most kids don't most 11 year olds don't have a sufficient side hustle to purchase an iPhone. It's probably being bought for them by a parent. And when the parent gives it to them, they can put controls on that device because they're handing an Internet connected device to a minor. Totally. If you don't want that minor to see something, that security should largely be occurring at a hardware level. I think there's tons of things that platforms can do to strengthen that and to keep minors from seeing things they shouldn't be seeing and should be. That would be a great place for a well intentioned law passer to start looking at is what can we be asking these platforms to be doing? Mhmm. There there's some stickiness there, but that those two solutions, large platform and hardware level protection seems like a way better approach to this. Let me turn on your, It seems you've gone to an adult website turn on your webcam is like that's a no You're gonna create a giant underground for something that a lot of people access. It's not a good idea
Speaker 2: Yeah, Totally. If your intention is to, like, you know, sink the the adult porn industry, the legitimate porn industry that has rules and regulations and, you know, brings structure and and probably I don't know. Yeah. I don't know the right words I'm looking for here, but, you know, better than the underground scene in in regards to a number of, you know, rights and and nonhuman trafficking things. The the yeah. I think that any kind of system like this I do I do think that that might be the solution. Like, a good solid platform like iPhone, Microsoft, OSX, you enable child accounts. The computer or the browser has an extension that auto identifies adult content and immediately, like, like, removes it from the page. I think that's the real solution here, is allowing parents to put the boundaries on what their children are allowed to do on the Internet. Maybe there's an issue there in the sense that maybe there's not so many technically savvy parents, but I feel like as the millennial generation and and below becomes the new parents, I feel like that's gonna quickly change. I'm not sure how many millennials exist besides my wife. Love her to death. Yeah. That aren't technically savvy.
Speaker 3: Wasn't sure where that was going at the beginning of the sentence.
Speaker 2: Yeah. Yeah. Yeah. She's a she's a power iPhone user, but the second you put a computer in front of her, she's she doesn't love it. Let's say that.
Speaker 3: They're unwieldy. Yeah. Put protective barriers around the kids, not necessarily around the content if you don't wanna drive legitimate sex work underground. It's just not Yeah. Which is not a good place for it to be.
Speaker 2: Yeah. Agreed. Well Anyway.
Speaker 3: Rage against the machine has a bunch of Canadian stories.
Speaker 1: Let's kick it over to
Speaker 3: some of our our fine sponsors and then when we come back we'll talk about a pretty wild heist in Hong Kong.
Speaker 3: International news. So this is an interesting one. We don't know the name of the company. It has not been included in based on my research, a single piece of coverage about this story. So we're just gonna call it a large multinational company.
Speaker 4: Mhmm.
Speaker 3: An employee at said large multinational company joins a conference call. This was a couple weeks ago. They get on the call and a bunch of their coworkers are there. Camera's on. And the result of that call, the person is to go ahead with a transfer of 200,000,000 Hong Kong dollars. It turns out the entire call was a deepfake theatrical production. The person got looped into the call through a phishing scheme. Their coworkers, who were, again, on camera, were deep faked based on publicly available video and photography, and the entire thing was a scam to get them to go ahead and transfer this money to the hackers who took the money and ran. The case is the first of its kind in Hong Kong involving deep fake technology. No arrests have been made yet. The cops are still looking into it. And the story went wide because they were trying to get out word that this technology has reached a point where you can be looking at a person on a Zoom call, and this is possible.
Speaker 2: Yeah. Yep. Had to come. Had to be it was coming at some point. The thing that surprises me most is that it wasn't just one deep fake person that they deep faked an entire team of people. That to me is Yeah. Right? Crazy. Like, it's very sophisticated. Like, I'd say that this is I I would say that if they're at that point where they're like, you know what's gonna make this more convincing
Speaker 4: k.
Speaker 2: If we bring six colleagues to the chat too, if they're at that level of sophistication, I think that we are in trouble, and you're gonna hear more and more and more about this.
Speaker 3: Yeah. There was a reason I used a theatrical production because there there's something different to me about one person doing this versus a whole bunch of people getting together and casting parts and figuring out who's gonna say what and scripting it all out and then putting on their deep fake masks and going into it. It's very theater kids do cybercrime energy. I'm sure they're not. I'm sure they're very dangerous hackers, but it is just sort of a different tenor, for these types of corporate hacks. For context, 200,000,000 is about 25,000,000 US dollars. This is a large corporate heist. Mhmm. And it was a phishing scheme and a a Zoom call.
Speaker 2: It's crazy. Like, like, I'm I mentioned to you that but, like, while we were in Nicaragua, my my parents in law, got defrauded. Yeah. Some WhatsApp somebody was pretending to be my wife, same name, set up their WhatsApp profile, messaged her, gave her some lie about or messaged her mother, gave her some lie about our phone had broken, her touch screen wasn't working, but she was somehow still able to use WhatsApp. Her SIM wasn't ready. She couldn't call her, etcetera, etcetera.
Speaker 3: No problem.
Speaker 2: But, she needed to pay some bills right away and needed her to send some money on her behalf, and she couldn't do it because her phone was busted. So, of course, loving mother.
Speaker 4: Yep.
Speaker 2: Yeah. I'll help my daughter out.
Speaker 3: So brutal.
Speaker 2: Yeah. Thought she was just being independent. Didn't wanna call me to verify. Next thing you know, $4,200 is on its way to Montenegro. Apparently, the police have tracked it to Montenegro. And then, like, we're talking about a
Speaker 4: Oh, wow.
Speaker 2: Like a tiny tiny WhatsApp call. Like, pretty like, as far as, like, checks and balances go, like, would have been pretty easy to to see through it. If she'd looked at the contacts' phone number, she would have noticed that the area code was definitely not something that Mikaela would have or my wife would have. The Yeah. Anyway, so you think you think about that level of sophistication probably being more successful than you would imagine. Like, it might seem like something that you would immediately identify as fraud and a scam. Imagine if you were looking at your son on Zoom who was saying, hey, mom. Like, I I need you to wire $6,000 to pay my rent to this woman because my bank account's been hacked, and I can't have access to my money, and I'll pay you back in twelve days, etcetera, etcetera.
Speaker 3: Mhmm.
Speaker 2: Imagine imagine what's about to start happening.
Speaker 3: Totally.
Speaker 2: Like, on a on a recreational level. Like, the the corporate sophistication side will kick in, and there'll become tons of policies and checks and balances. But if you start thinking about applying this technology to everyday people and boomers who love their kids, that's a that's a billion dollar industry right there.
Speaker 3: Yeah. I remember about a year ago we did an episode on pig butchering scams, which are basically what happened to your in laws, and that sucks and I hope they're kind of okay.
Speaker 2: Yep.
Speaker 3: And so much of that is about exploiting the emotional vulnerability that emerges when a person is concerned about a loved one. Totally. And there you need that emotional hook and it is bizarre to say, but there are emotional vulnerabilities in a corporate context. The desire of a person to not mess up in front of their peers, to not suffer embarrassment in a potentially ruthless corporate culture. It's not the same as concern about a loved one, but it is the same kind of identification of an emotional vulnerability and setting up a lot of work to exploit that emotional vulnerability to catastrophic ends. Mhmm. It's the same basic kind of, like, the social engineering is conspicuously similar.
Speaker 2: I'm just like, I I'm just keep running through this in my head about, like, if you got a FaceTime call from your mother.
Speaker 3: Totally.
Speaker 2: And she's like and she's like, your father's in the hospital and blah blah blah. I need you to do this blah blah blah, but, like, can you, like Yeah. It just it just it's gonna be insane unless they can figure out how to stop that stuff. Because, like like, we were talking with our in laws about how, like, there needs to be a like, if anybody's asking for money, if you're about to send money, you have to at least speak to somebody on the phone, which is still very fakable. But imagine if you had a FaceTime call and you could see your daughter and she was like or your mother or your son or whatever. Somebody in your family. And they were just like, yeah. I need this thing blah blah. Can you help me? Of course. It's it's gonna be yeah. I don't know. I'm hoping this is another thing that's gonna need a technological solution, like WhatsApp phone calls. Like, it seems to me, like, every messaging service that I have an account on, I get flooded with garbage, including, like, PlayStation network. Like, I'm constantly getting scams from everywhere and just deleting and banning and blocking and reporting. Pretty much every time I log into a messaging service, I have to report and block at least one account. So they're gonna need to get better at identifying that stuff, and that's probably gonna be an AI solution. I would assume that they're gonna need just like just like we dealt with email spam, we're gonna have to start dealing with messenger spam.
Speaker 3: It's it's tough because, like, so much so many of the genuinely good solutions that center around, okay, if someone calls you with an urgent reason that you need to send money, hang up and call the person back. Yeah. Totally. Reply but call the phone number. Like, these really basic things, but those aren't that's not really how we interact. Your coworker calls you up on Zoom, a family member calls you up. Sorry. Just one second. Let me hang up on you and call you back. It's, like, it's a really unintuitive thing to do. It's smart. It's good personal security, but it is not intuitive to how we communicate with the people that we know in our lives. So, if you can, if a person can get past that filter where you're just, you think you're talking to the person you think you're talking about, Those kinds of personal security policies, call them, are really, really hard to lean on. And I think that, yeah, software level stuff to sort of back you up a little bit. You're like, hey, This person's video looks a little weird. Hey. This we've done a little bit of work to figure out that we think this phone number is being spoofed. Yeah. I don't know what those technical solutions are, but it's like we got we gotta give people a little bit of backup in these situations because the the thing that we ask them to do is really unintuitive, socially, I guess you could say.
Speaker 2: The other issues and we talked about this in the pig butchering one, the supplies here. Like, these people got away with 25,000,000 in one hack, and it's like Totally. Can you imagine what the global market value for scamming is? Just given how many people are employed and are human trafficked and or etcetera etcetera across the globe to become scammers and to execute scams. Like, it's gotta be billions of dollars, organized crime, and it's it's yeah. I don't know. But humans expecting humans to be smart enough to identify it, I don't think is gonna be the answer here. You know, we've had that problem with passwords for, you know, since passwords existed. Go listen to problem with passwords. I think it was, like, episode three. The the the
Speaker 3: Yeah. It's a early one.
Speaker 2: But, but yeah. So I think that the the the technical platforms and the solutions, they're gonna need to do something. Actually, you know, I think think we have that contact at Interpol. If we're gonna have a conversation with them about something, I think scamming would be an amazing episode.
Speaker 3: Yeah. Talk about the global
Speaker 2: size and scale of scamming.
Speaker 3: For sure. There's a story that we're gonna be looking into relatively soon and concerns, for lack of a better term, the Chinese mob and a 200,000 person, scam factory operation that has been likened by experts to modern day slavery. And it it gives you a a pretty gnarly sense of the scale of what is behind a lot of these things. It's like we don't we really don't know who's making these calls and in in a lot of cases, it doesn't look like what you think it looks like.
Speaker 2: Yeah. Speaking of, like, weird pop culture scammy references, like, they're making their way into, like, Hollywood cinema now. Then, in the recent episode of True Detective, one of the police officers I don't know if you saw the new episode? Did our new series, season, didn't you? I I did. Yeah. Yes. Yeah. Yeah. I can
Speaker 3: now remember what you're talking about.
Speaker 2: And so one of the police officers in Alaska, it was Alaska, right? Yeah, Alaska. He was sending money and stuff and paid for a plane ticket and all these things for some woman that he was WhatsApping with, and she never showed up. And he'd send her money, and I was like, oh, Hollywood's catching up on this trend. Like, they're into, you know, the love scams and things. So it was just good to see in pop culture For
Speaker 3: sure.
Speaker 2: Make it a little bit more known to people that these are going on.
Speaker 3: Yeah. It's so common that if you wanna make a character seem relatable, you have them fall for a giant Internet grift
Speaker 2: Exactly.
Speaker 4: With a
Speaker 3: 5 figure penalty.
Speaker 2: Yeah.
Speaker 3: But you know what's not causing trouble, Scott? Toothbrushes? 3,000,000 of them. This is we'll keep this one real quick because it's more just to, like, it's a bizarre one. So there's this it's sort of a one said the other said thing between a Swiss newspaper and a security firm. So Aargauer Zeitung, a Swiss newspaper, publishes this very sensational story about 3,000,000 Internet connected toothbrushes being hacked and used to do cyberattacks, kind of a DDoS story. Mhmm. And the report claims that the attack caused the website to go down for four hours, resulting in millions of dollars in damages. And the story was sourced from cybersecurity firm Fortinet and was widely circulated and republished by global news outlets. The story goes very, very viral. It's remarkable. 3,000,000 Internet connected toothbrushes. It paints this picture of a very mundane technology being used for very malicious purposes. Great story. Unfortunately, cybersecurity experts quickly challenged the report, foundationally on a lack of evidence, but really just sort of the implausibility of the whole thing. Mirai botnet, which was one of the largest botnets ever, at its peak infected 6,650,000 devices. Far fewer than the 3,000,000 toothbrushes claimed. So what, like, what happened here? A lie went viral. Like, what's the story? Or a falsehood rather. And at this stage, it's kinda come down to a disagreement between Fortinet and Aargauer Zeitung. Fortinet issues a clarification stating that the story was a result of a misinterpretation and translation issues leading to a mix up of a hypothetical situation and an actual situation. Fortinet says, we put out this hypothetical, this Swiss newspaper mistranslated it and then published that to the world. Aargauer Zeitung, the Swiss newspaper, responds maintaining that Fortinet provided detailed information about the attack and had reviewed the article before publication.
And at this point, a lot of people read this story about a 3,000,000 toothbrush botnet, did not read the corrections, and the responsibility for this giant misinformation explosion is, still contested between the newspaper and Fortinet. But what we did get out of it is a whole bunch of memes, a whole bunch of fun chatter about, you know, misinformation in the cybersecurity space. So that was fascinating to read just how quickly a mistranslation or misrepresentation turned into a viral story, that just burst out into the world.
Speaker 2: But the the thing that I I'm I'm googling in the background here is, does somebody make an an Internet connected toothbrush?
Speaker 3: Right?
Speaker 2: Like, is that a real thing? Does it exist and why?
Speaker 3: What's that? What is it for? Why do you need the I love Internet connected stuff. I spend so much of my time on the Internet. Why do you need a toothbrush to be Internet connected?
Speaker 2: Yeah. Apparently, there is one or multiple. So I am
Speaker 3: Oh, yeah. Sorry. Answer to that. Yes. There are. There are Internet connected toothbrushes.
Speaker 2: Crazy. Bizarre. Crazy.
Speaker 3: I'm I'm Kinda wanna
Speaker 2: buy one. I'm reading about a toothbrush right now that 3D maps your teeth and tells you when you've missed places. Like, that sounds amazing. Maybe what I'm missing
Speaker 3: in my life
Speaker 2: Oh, no. Is an Internet connected toothbrush.
Speaker 3: Maybe that won't bring it all together. What if this was oh, dang. What if this was a viral ad for Internet connected toothbrushes?
Speaker 2: Dude. Might be onto something.
Speaker 3: I wouldn't I I would be in a sense furious and in another sense deeply impressed.
Speaker 2: Yeah. I'd be mostly impressed.
Speaker 3: I think I'd be mostly impressed. I think I might buy that toothbrush. I'm a give you a half as good at making toothbrushes as you are promoting them. Sold.
Speaker 2: We just unwillingly promoted a toothbrush that does 3D mapping of your teeth and tells you when you miss spots to, like, a 100,000 teeth. So Jesus Christ. If this was a marketing campaign, add that to your KPI. Congratulations. You did it.
Speaker 3: In an attempt at covering a story about misinformation in the tech and security space, we inadvertently participated in it. Last thing I wanna talk with you about, because this goes back to an idea that we've wanted to make something about for a long time, concerns the identity of one Satoshi Nakamoto. Mhmm. And this past week, the Crypto Open Patent Alliance and self claimed Satoshi Nakamoto, a man named Craig Wright, will be presenting their closing statements in a trial, in a sense determining if Wright is Satoshi. There's been a really fascinating court case to be following. The justice in the trial, a guy named James Mellor, has not said whether or not a decision is gonna be coming out at the end of this. But the sort of outcome of this case that COPA, this patent alliance, is bringing against Wright could have huge implications on a bunch of other ongoing cases that center around Wright's claim that he is the creator of Bitcoin. I'm not sure that anyone listening to this requires a rundown of who Satoshi Nakamoto is. What do you think about that?
Speaker 2: No. I don't think so. I think we could summarize it as saying Satoshi Nakamoto was on Internet forums and is believed to be the creator of blockchain and the Bitcoin the Bitcoin.
Speaker 4: Mhmm.
Speaker 2: The interesting like, to me, it seems to me, it seems my opinion is I'm trying to think of better good ways to present this. This is being done for clout. I don't know how much of the database rights, trademark stuff, patent issues there's gonna be. I'm not sure what value he's gonna get out of it if he wins, because a lot of his stuff was shared publicly. It's open source technology, etcetera, etcetera. It's mostly just being done for, hey. I'm the guy, seems like to me. The other thing I will say is that, like, if you are Satoshi Nakamoto accessing the initial wallets and blockchain pieces that you use to create the coin and accessing all of the money, I e Bitcoin, that are sitting in Satoshi Nakamoto's accounts should probably be the number one piece of proof to prove that you're them. Okay. Just saying. Like, if you can sit down in court and log in to the origin wallet and move some Bitcoin around, I'm sure people will then believe you.
Speaker 3: Yes. It does seem like there would be a pretty easy set of ways to prove that you were Satoshi Nakamoto. So to add a little bit to that, Craig Wright, Australian computer scientist, has claimed since 2016 that he is Satoshi Nakamoto beyond clout, which is certainly, that's a reasonable supposition. Wright is engaged in a series of copyrights events that he has sort of embarked upon with the sort of presumption that he is Nakamoto. He is suing people as Nakamoto, the pseudonymous creator of Bitcoin. Mhmm. This lawsuit from COPA against him is essentially attempting to set a precedent that he is not. Mhmm. They're arguing this clay case trying to make the argument that he is not Satoshi Nakamoto so that in future cases in the UK, you know, high court, he can't start from that presumption. That's really what this is interrogating. If Wright wins, those other legal exchanges he's in the middle of against Coinbase, Kraken, a bunch of other, Blockstream. Cryptocurrency platforms and Blockstream, is a real leg up if he wins this one, and it's a real setback if he doesn't.
Speaker 2: Yeah. His case
Speaker 3: I'm stammering because we're talking about an actively unfolding court case concerning litigious participants. But the case he's made so far has has been interesting to say the least. He had his sister on the stand who tells a story from I think he was 18 or 19, and she saw him dressed up as a ninja. So that when she heard the name Satoshi Nakamoto, she put two and two together and thought surely that must be my Australian brother Craig Wright because she saw him in a ninja outfit one time. It is a series of strange anecdotal defenses to this claim that he is Nakamoto that to me, from everyone I've read, I'm like, oh, man. I feel like there's a really short distance to you proving this, and it's just you cracking open those wallets and moving some stuff around. But, so far that hasn't happened yet.
Speaker 2: Big, big news for you, Jordan. When I was a child, my brother and I used to dress up as ninjas all the time, actually. So new announcement.
Speaker 3: You are.
Speaker 2: I am Satoshi Nakamoto. We're on I'm here first.
Speaker 3: We're on episode 87. And my hope is that the way this podcast I was like, I don't want it to end. I really enjoy making it, but my hope is the way it ends is that on episode 100, you prove that after all of the crypto shit talking, you were Satoshi Nakamoto. That's the last episode. We're done. Like, that would be the perfect way for this to all wrap up.
Speaker 2: Could you imagine? There's some untold back stories here. Jordan and I, in our brief "Hacked was becoming a TV show" period, pitched an entire idea called solving Satoshi
Speaker 4: Mhmm.
Speaker 2: Or seeking Satoshi. It's just a lot.
Speaker 3: It was solving it.
Speaker 2: We were gonna make an entire docudrama series about looking for the real Satoshi Nakamoto. So we would have met Craig Wright
Speaker 4: if we
Speaker 2: had had the opportunity to make that show. And since somebody else has made that show.
Speaker 3: That's true.
Speaker 2: So That's true.
Speaker 3: I would honestly like, I'm not I would honestly really love to interview Craig Wright. I would be fascinated to hear the story from him because I'm not sitting in a courtroom. I'm not listening to I mean, I'm not reading transcripts. I'm reading secondary coverage. I would love to understand, you know, that argument and those claims, but it has been a bizarre, I think even people firmly in his camp would agree this court case has been extremely odd, and maybe the case was not made as well as it could have been. But it is a fascinating one.
Speaker 2: He is more than welcome to drop us a note. Love to have him on the show. Love to chat about it. Maybe we could dress up as ninjas and do a video stream. It'd be great. The, yeah, I don't I think it's an interesting the thing for me is that if you're gonna build something like blockchain and Bitcoin, chances are you've put an Easter egg in it somewhere. Like, no developer's immune from putting an Easter egg in things, which we see all the time. If you just Google, you know, any piece of software and the term Easter egg, you'll find Easter eggs laden in pieces of software. I can't remember which Microsoft product it was, but it had Microsoft Flight Simulator as an Easter egg inside of it. So you could, like, go into a special menu, put some key commands, and boom, you were, like, in Microsoft Flight Simulator, which to me is just amazing.
Speaker 3: That works.
Speaker 4: Of
Speaker 2: the so there has to be some fingerprints on the software and Easter eggs that only the creators would know about. Granted, like, we're fighting over white papers and things like that, which is less sophisticated and less potential for that. But yeah. I don't know. Even wherever the origin code is, having the original pieces of code and the original proof of concept for it, like, that stuff has to exist. And if you have that, then that would probably strengthen your case too. So yeah. I don't it's an interesting claim. I don't think that my personal opinion is that I don't think that we will ever have, even if somebody even if Craig Wright is Satoshi Nakamoto, I don't think any court will ever rule that they are as it will likely be unprovable. So unless some definitive evidence shows up like you log in to the origin wallet, I don't think, I think everybody's SOL. So Yeah. And as much as I love crypto, I would prefer it be open source.
Speaker 3: That's why you invented it.
Speaker 2: Invented it. I invented it and gave it to the people. You're all welcome. Congratulations on your speculative gains. I hope you enjoy all your free money that you've generated out of nowhere.
Speaker 3: Well, this was fun. We haven't done one of these in a minute. Thanks for going on a tour of of our Canada cybercrime and tech gripes with us. That was a lot of fun. Hong Kong heists. Thanks again for listening. This was a fun one. And, yeah, we'll catch you catch you in the next one.
Speaker 2: Take care, everybody.