Modified Elephant

Speaker 1: So this is a story about some very incriminating letters. Letters discovered on the hard drives of a group of people in India. And the letters implicate this group of people, many of whom are in jail today, in a terrorist plot to kill the prime minister and seize power of the government. They're one of the main pieces of evidence against these people. The police searched their computers in connection with this deadly incident that happened in 2018. And these letters are, you know, publicly at least, what implicates these 16 people as being coconspirators in this insurgent plot. The letters are why they say the charges were laid. The letters are why these people are in jail today. And in 2020, lawyers for one of the accused, an activist named Rona Wilson, were able to get a cloned copy of his hard drive, the one where the police found those letters, which is where the trouble starts. Or depending on who you believe where the trouble gets revealed. Because once that cloned hard drive made it into the hands of security researchers, it started to become clear that the laptop that had this key piece of evidence on it also had malware on it that had been used to, amongst other things, place those letters on that computer. The report made no claims about who placed the files, only that they definitively had been placed. And then this past month, a second security firm put out another story, suggesting who was behind the hack. There's some a little bit of history to get through in this one, but really, it is about some very real cyber forensics. This is the modified elephant conspiracy here on hacked. Scott, welcome back. How are you doing?

Speaker 2: I am good. Thank you, Jordan. How are you?

Speaker 1: I'm doing good. Happy to happy to have you.

Speaker 2: Well, thank you. I'm happy to be back.

Speaker 1: Yeah. Got you back just in time for a complicated one.

Speaker 2: Let's hear it. This sounds extra exciting.

Speaker 1: If you go back far enough, you end up talking about some, like, in the weeds historical stuff that is not going to be the focus of this show or this episode or my expertise at all.

Speaker 2: I like the weeds. I live in the weeds.

Speaker 1: I know you do. You're you're a weedy kinda guy, but I'm gonna try and give enough of, like, a, I guess, a primer on this that you've got, you know, your feet under you. And I'm gonna try and refer to some sources that understand the nuances of Indian politics better than I do. But what this ends up being about is cyber forensics and how we confirm the genesis of, like, digital evidence when digital security can be really hard to maintain.

Speaker 3: Mhmm.

Speaker 1: Very broadly speaking, there's a few players in this that you need to know for any of it to make sense. First is the Bhima Khorogan 16, the 16 people in jail or under house arrest today.

Speaker 4: Until this year, few had heard of the Bhima Khorogan battle or its sheer importance for the Dalit community, especially the Mahars.

Speaker 5: The Dalit are celebrating this, Bheema Korygaon victory.

Speaker 1: Bheema Korygaon in this context refers to the two hundred year anniversary of the battle of Bheema Korygaon. It's this battle of historical importance to the Dalit people who when you hear about, like, the caste system in India, the Dalit were historically kind of the lowest rung on that caste system. They're a, presently and historically persecuted group. And in 2018, it was the two hundred year anniversary of the Battle of Bhima Khorogown. This big, battle where a small Dalit army won against a much bigger one. And there was this large event organized in the town of the same name. So you had Dalit people, activists who fight for Dalit rights, political leaders all gathered for this two hundred year anniversary event. A celebration of this anniversary and in some ways kind of a protest against the current government which a lot of folks in this group say continues to disenfranchise, the Dalit. First day of the anniversary goes great. There were speeches and music and dancing, all good. But on the second day of the event, January 1, first day of twenty eighteen, a group of people from a nearby area, marched to the Bhima Corghaun anniversary. What happens next is a matter of debate in the court, but what is claimed by the defense is that the mob was that was marching on the event was chanting anti Dalit slogans as they approached the anniversary and they began to attack. What we know for certain is that violence broke out, thirty five people were injured with two deaths. This sparked Dalit protests around the country and over the days that followed more than 300 people were arrested by the police in Mumbai alone, some as young as 14, many still in prison. This was like a big news story in India. It was a violent clash over this long standing political and racial tension. The next important milestone in the story takes place a few months later in April. This is Faye D'Souza, a journalist in India who has covered this at length on her series, the whole story.

Speaker 6: By April, Pune police started searches in the residence of eight people. Now they searched the act the, homes of activist, Shona Wilson, human rights lawyer, Surendra Gadling, Dalit rights activist, Sudhir Dawale. The computers of Wilson and Gadling were seized. Now this is an important point. This you should remember. Let's put a pin in that.

Speaker 1: Pune Police, the police from the larger district where all of this kind of happened, started conducting searches in the homes of eight people, including a guy named Rona Wilson, whose laptop this is kind of all about, who are all in attendance at this anniversary event. Rona Wilson is a Dalit rights activist. The search in April is when his computer gets seized by the police. In May, an Indian anti terrorism law was used to bring charges against these people based on the incriminating evidence found on Rona Wilson's laptop.

Speaker 6: The police also searched at the workplaces and residences of Mahesh Raub, who was a land rights activist, and Shoma Sen, who was a English professor. They were also both arrested.

Speaker 3: And in

Speaker 1: June 2018, the arrest began. Their main piece of evidence cited to the press, the letters they found on Wilson and several other people's computers. The question is what did these letters say?

Speaker 6: Now the police basically said that they found electronic evidence on these computers that they had seized, that the group was involved in a plot to assassinate the prime minister, Narendra Modi.

Speaker 1: Okay. This is the last bit of history I'm gonna go through here, and then it's all computer stuff. The next character or, you know, kind of group you need to know for this cybersecurity story to make sense is the, the Maoist branch of the Communist Party of India. Beauty. The Communist Party of India is like a normal political party. They're legal to join, legal to vote for. The Maoist branch is a outlawed guerrilla military insurgency based in the jungles of India. They have been engaged in like an active violent conflict with the state for decades. It is a crime to be a member of this group. It's a crime to support this group. They're a nas nationally designated terrorist organization. The letters that were found on the hard drive by this investigation tell a very strange and remarkable story. The Maoist military insurgency, they are deep off the grid. Rona Wilson and the rest of the academics, politicians, activists that have been arrested, they are not fighting in the jungle. They are very much on the grid members of society in India. These letters found on Wilson's laptop reveal a plot. That these 16 people had been conspiring with the Maoists, not just sympathizing, but actively planning this conspiracy with them. According to these letters to and from the arrested, using their legal names, which is poor operational security, Wilson had been corresponding with the Maoist party attempting to coordinate the delivery of arms and munitions to help them in their fight in their fight. And much more than that, he was really laying out the architecture of an assassination attempt against Prime Minister Modi, whom Wilson is in real life an outspoken critic, that he and his network were gonna be able to assist in funneling resources from Russia and China. He was suggesting in person meetings between Wilson and the Maoists. In no uncertain terms, these letters are outlining a plan to overthrow the state.

Speaker 6: Smuggling weapons and funding Maoist activities in an attempt to overthrow the government. So these are really, really serious accusations. At this point, being investigated by the Pune police.

Speaker 2: When you refer to these as letters, are we talking about emails? Are we talking about Word documents that were to be printed and mailed?

Speaker 1: That's a great question. So when we refer to them as letters, we're referring to, very specifically Microsoft Word documents that either were to be or had been printed and mailed.

Speaker 2: I would have assumed just in given today's day that any any high functioning terror cell would be at least having use of cell phones and maybe some some basic encrypted emails. But k. So these are real letters. Like, we're talking about, like, 1950 snail mail. Print it. Sign it. Put it in an envelope. Put a stamp on it. Mail it to the jungle. Letters.

Speaker 1: I don't wanna I might be wrong about this, but I think one of them was literally typed in, like, the old courier typewriter font, which, again, in Microsoft Word. Like, it does have a really old timey, conspiracy aesthetic to it.

Speaker 2: I like that.

Speaker 1: Except for the fact that they were discovered on computer hard drives.

Speaker 2: Mhmm. Mhmm. So they were they were gorilla conspiratal communications that somebody spent the time to type up in word and would then print and then somehow have delivered to people in the jungle.

Speaker 1: I think when it's a conspiracy, you call them communiques, but otherwise, you nailed it.

Speaker 2: Okay. Okay. Okay. And instead of using, you know, any of the million encrypted messages that you can use these days, we're gonna literally type a letter in Word, incur your font, print it, put it in an envelope, somehow figure out a way to get it to somebody who's in the middle of a jungle in some form of timely manner.

Speaker 1: You seem to have a really good grasp on the whole situation. See, a letter is just so much more personal.

Speaker 2: Maybe I was there. Maybe I was there.

Speaker 1: So on 09/01/2018, the Pune police hold this press conference, an important press conference that will come up later, in which they, break protocol and disclosure of evidence, but in which they, to the nation, share these letters with journalists and the public, presenting their primary piece of evidence. Proof of what, you know, they, the government, had been hinting at for some time. That there were now Maoists, not just in the jungles, but in the cities. Urban Maoists, as prime minister Modi would go on to call them in a speech shortly after. A term coined in response to this incident.

Speaker 5: Three days ahead of elections in Chhattisgarh, the prime minister shifted BJP's poll campaign in Topgir addressing a rally in Jagdallpur. He launched a no holds barred attack on the alleged Maoist sympathizers or urban Naxals. The prime minister said the so called urban Maoists were remote controlling violence and killings in Chhattisgarh. While they themselves lived in air conditioned houses, they did not let the fruits of development reach the people on ground. Let's listen in.

Speaker 1: The Bhimakor Gown 16 had been arrested, and this long multi year trial commences. So several years go by. Some of the 16 are still in prison, others are under house arrest, but the case is kinda slowly grinding its way through the courts. But in 2018, Rona Wilson's legal defense finally gets a hold of a cloned copy of the hard drive, the hard drive of the laptop where they found these letters. And they reach out to a security firm called Arsenal Consulting to perform some cyber forensic analysis on this drive. This case is still ongoing, so Arsenal very politely told us they could not talk with us on the record about the report until the trial ends. But the report speaks for themselves. And here is what it found. On an afternoon in June 2016, several years before the violence at the Bemelkor gown anniversary, Rona Wilson gets a bunch of emails from his friend and fellow activist, a person named Varvara Rao, another one of the people arrested. In the emails, his friend Rao was urging him to read this statement from another, you know, civil liberties group to just just click on the link. Mhmm. Yeah. Always a good idea on this show to click on links.

Speaker 2: Yeah. Absolutely.

Speaker 1: Instead, Arsenal found. The link actually deployed something called Netwire. You heard of Netwire?

Speaker 2: I haven't heard of Netwire.

Speaker 1: You might not have heard the name, but you know what it is. I think you taught me about these. Netwire is a remote access trojan.

Speaker 3: Mhmm.

Speaker 1: It's consumer level, deployable. It's pretty easy to get your hands on, and it does what most remote access trojans do.

Speaker 2: Give you access?

Speaker 1: It gave the attacker access and control of Wilson's device. The malware logged Wilson's keystrokes, his passwords and browsing activity. But arsenal kept digging Beyond Netwire to try and work out if the attacker did something beyond just monitoring Wilson's activity. They ever took control of his computer to do something with it. Which is when they recovered some system file information showing that the attacker had done something else. They had created a hidden folder on Wilson's laptop, and into that folder they placed 10 files. A collection of incredibly incriminating letters between Comrade Wilson and the mouse party. Actually, the thing I find funny about and this might not make it in. The thing I find funny about that is that he never goes by comrade Wilson anywhere else, like, in in real life. But they kinda they gave him the little nom to plume for this.

Speaker 3: And I thought that was fun.

Speaker 2: For some color, a little color, you know, just to liven things up. He's a comrade.

Speaker 1: The same letters the Pune police had gone on television and read for the entire country. The evidence against the 16 had been planted. So Arsenal digs deeper. In their initial report, they confirmed that the letters had been created in Microsoft Word. And while Wilson did have Word installed on his system, the version that the letters were created with was newer than the one Wilson had installed. They were then able to confirm that while the letters were on Wilson's hard drive, they'd never actually been opened by his computer. They had, with absolute certainty, been created on another machine and remote transferred into a hidden folder that Wilson never accessed.

Speaker 6: The cyber attacker had had planted the alleged letters for that entire plot. Now this was reported by the Washington Post.

Speaker 1: So this is all pretty damning.

Speaker 2: Sort of damning.

Speaker 1: It's a little damning. But Arsenal doesn't make any claims about who they think placed the files, only that his system had been compromised years prior to his arrest, and the letters have been placed in the folder. Washington Post breaks the story back in 2021. And for for context, the persecute the prosecution of the case has since claimed that their cyber forensic analysis did not find any malware on the system. They just kinda missed it. So it's easy to miss this because of kind of how, like, egregious all of this is starting to seem, but the timeline here is kinda weird. Right? Like, Wilson's computer was breached in twenty sixteen, years prior to the thing that he was arrested for, which let's say for a second we're sort of staring at the, you know, iceberg peak of a little evidence fabrication plot. It's a pretty lucky one. Like, the odds that the people who would be at this event where the violence broke out were the exact same people whose machines had been compromised years before, those odds are pretty slim.

Speaker 3: Mhmm.

Speaker 1: Unless, hypothetically, whoever had installed Netwire on Wilson's computer was actually spying on a whole bunch of people unless they'd compromised the systems of hundreds of folks. And when this Bema Corrigan violence occurred and time came to drop files on these 16 people's computers, they already had their way in. Because this was actually just part of a much faster hacking operation that targeted not dozens, but rather hundreds of individuals across India for nearly a decade. Unless, hypothetically, that is what is going on here.

Speaker 2: Hypothetically. Little little state sponsored monitoring, maybe?

Speaker 1: A little a little hypothetical state sponsored monitoring right after the break. Starting some new isn't just hard. It can be downright terrifying. You put a lot of work into a thing. You're not entirely sure it's gonna work out. You're taking a huge leap of faith. I've started a few things. Now I know I was right for believing in, you know, the idea, the product, despite all of those fears and hesitations. But boy, does it sure help when you have a partner like Shopify on your side. Shopify is the commerce platform behind millions of businesses around the world and 10% of all e commerce in The US. From household names like, well, hacked podcasts merch, to brands just getting started, you can get started with your own design studio with hundreds of ready to use templates. Shopify helps you build a beautiful online store that matches your brand style. Did I mention that that iconic purple shop pay button that's used by millions of businesses around the world? I don't know why I wouldn't. I should. It's why Shopify has the best converting checkout on the planet. It also helps boost conversions, meaning less carts sort of getting abandoned in the parking lot and more sales for you. It's time to turn those what ifs into sign up for your $1 per month trial at shopify.com/hacked. Go to shopify.com/hacked. One more time, that's shopify.com/hacked.

Speaker 7: You thought this was your run club era. Turns out, it was more of a thinking about run club era. The good news? Someone's marathon training is about to start. Sell your workout gear on Depop. Just snap a few photos, and we'll take care of the rest. They get their race day fit, and you get a payout for trying. Someone on Depop wants what you've got. Start selling now. Depop, where taste recognizes taste.

Speaker 8: This episode is brought to you by Fox one. Watch all 104 matches of the FIFA World Cup live in four k for just $19.99 a month with three days free. Build your own multi view, choose up to three streams, and follow player spotlights. Stay on top of every moment with live stats, highlights, and instant replays. The FIFA World Cup, streaming live on Fox one, offers a subject to change. See fox.com for complete terms and conditions.

Speaker 3: No one goes to Hank's for spreadsheets. They go for a darn good pizza. Lately though, the shop's been quiet, so Hank decides to bring back the $1 slice. He asks Copilot in Microsoft Excel to look at his sales and costs and help him see if he can afford it. Copilot shows Hank where the money's going and which little extras make the dollar slice work. Now Hanks has a line out the door. Hank makes the pizza. Copilot handles the spreadsheets. Learn more at m365copilot.com/work.

Speaker 2: And we can't go to India.

Speaker 3: Yeah. It

Speaker 1: was it was kinda rude of me to go there twice before recording this.

Speaker 2: You've been to China too. You've been to have you been to Russia?

Speaker 1: I haven't been to Russia.

Speaker 2: Wow. Well, you're never gonna be allowed to. So

Speaker 1: Hadn't really thought about that. I had thought about that. I'll find a way in. I'm I'm sneaky. I'm I'm I'm clever. But if I what if I was gonna find a way in, me just saying I'm sneaky, I'm clever, I'll find a way in is definitively, the reason I will never get into that country. Exactly. Oh, man. So we're talking about this this month because of what a second cybersecurity firm discovered recently. After the Washington Post story broke in 2021, this little army of cyber forensics professionals started looking into this. And the main one for act two of the story is a company called SentinelOne.

Speaker 3: Mhmm.

Speaker 1: Back in February of this year, SentinelOne published a detailed report on what they are calling modified elephant,

Speaker 3: which is their name for the much larger conspiracy of hacking

Speaker 1: that this was allegedly part of. They conspiracy of hacking that this was allegedly part of. They determined that these 16 people were not the only people that this campaign has gone after. And their February report outlined how these same hackers had targeted hundreds of different lawyers, activists, journalists, academics with the same tactic, phishing emails leading to remote access trojans starting back in 2012. And just like Arsenal, their first report didn't say who they thought was behind it. It was focused on the scale of the operation. What they did point out, and you got way ahead of this, Scott, is that the activity, quote, aligns sharply with Indian state interests. And then this month, they published article number two. Sometime between February and the publishing of this report, an anonymous security researcher reached out to SentinelOne. This anonymous researcher came with some information in hand. Scott, you get remote access into someone's system. You're logging all their passwords and their usernames. You got access to all their stuff. Yep. But you've taught me about this idea of backdoors before.

Speaker 2: Mhmm.

Speaker 1: There would presumably be a temptation to create some kind of backdoor access into those accounts if, say, your Netwire access to their whole system ever went away. Right?

Speaker 2: Well, you know, if you wanted to protect your access to all of their information, you know, why not? Mhmm. Maybe you set up their two factor authentication or backup, reset passwords and emails to go to your stuff. You know, you could do a bunch of different things.

Speaker 1: Well, Scott, these hackers had the same idea. Shocking. In 2018 and it was the same idea, but I'm not sure it was, as well executed as I think you're imagining it. In 2018 and 2019, three of the b McCor gown 16 email accounts were compromised. And as a backup mechanism for the attacker to maintain access to that system, a recovery email and phone number was added to these Gmail and Yahoo accounts. So if the hacker ever lost access to the machine, they could still get into those accounts. These are the accounts belonging to Wilson, his friend, Rao, and an activist and professor in Delhi named Hani Babu. And the researchers at SentinelOne started looking at the recovery emails added to the hacked accounts. And the name on that recovery email belonged to a member of the Pune police.

Speaker 2: You gotta be kidding me.

Speaker 1: The The same department that went on TV and read the letters.

Speaker 3: So

Speaker 1: now this anonymous researcher and SentinelOne are working together, and they keep digging. Amnesty International has now joined in on the fund, their security lab, who we've talked to before. They're all doing their own cyber forensics in concert. This is clearly, some big, dodgy nonsense going on here. But say, hypothetically, you were bending over backwards to engineer a little plausible deniability for the Pune Police. You could say that anyone could theoretically add an email and number as a recovery to an account. Just because their name was on an email added to a a system that was hacked doesn't mean it was the hacker who added that recovery email.

Speaker 2: Of course.

Speaker 1: If you're of course. Right?

Speaker 2: Yeah.

Speaker 1: Maybe it was the Bema Corrigan 16 who framed the Pune police.

Speaker 2: Maybe.

Speaker 1: Which is when SentinelOne and Amnesty International discovered that the email account had been accessed by an IP address previously identified as being used by the larger modified elephant hacking campaign. In Rona Wilson's case in particular, the anonymous analyst figured out that Wilson's email account got sent another phishing email in 2018 and then appeared to be compromised by the hackers using those same IP addresses. At the exact same moment, the email and phone number connected to the Pune Police got added as recovery contacts. Definitively connecting the Pune Police to the modified elephant IP address. But let's keep digging further because that is what these cyber forensics nerds did. After that, Wilson's email account was used to send out more phishing emails to other targets in the Corrigan case for about two months before Wilson was arrested in 2018. He his email was used to phish other members of this case the same way his friend, Rao's, had been used to target him. For their coverage of this this month, Wired got in touch with a security researcher at Toronto Citizen Lab who confirmed that the, NSO, hacking tool, Pegasus, which we've talked about, had been used to target some of their smartphones. Then to eliminate the remote possibility that maybe the Pune Police didn't control the recovery emails, even if it was the hackers who had added them. The same researcher at CitizenLab went digging through this open source database of a ton of Indian mobile phone numbers and IP addresses, looking for the Pune at ic. In suffix used by the police, email addresses, which is when they found that the number is also linked in a database to the recovery email connected to the hacked accounts for the same Pune police official. Separately, a security researcher named Zashawn Aziz was was able to connect the recovery email and phone number to the Pune Police Official using the leaked database using this, Indian job recruitment site, which underwent this big data leak. And when that leak occurred, it would have forced a two factor authentication between the phone number and the email, which ex which successfully occurred, suggesting that the police controlled both accounts. This is the last last one. Last piece of evidence. If you've tuned out at this point because I said the word phishing and email and account one too many times

Speaker 2: Recovery. Recovery.

Speaker 1: And recovery. This is where the proof ends, and it's the most, like, January have it one.

Speaker 2: You can call the phone number and the guy picks up.

Speaker 1: And says, yes. I did this.

Speaker 2: Yes. I did this. It's actually his voice mail.

Speaker 1: I'm guilty of this. You've reached me.

Speaker 2: At this number, I am a criminal.

Speaker 1: To put a bow on it, you remember the press conference at the beginning of the story where they read out the letters on TV? Mhmm. The citizen lab researcher managed to find a WhatsApp profile associated with the recovery phone number added to the hacked accounts. And that WhatsApp profile has a profile picture. It's a selfie.

Speaker 2: Drumroll.

Speaker 1: And it is the face of the same police officer who went on TV and gave that press conference.

Speaker 2: My mind goes somewhere darker quicker.

Speaker 3: Oh.

Speaker 2: And it it it goes to a a identification and targeting of of people who are in opposition, active Mhmm. Opposition to the government norms, leadership, government leadership norms, and then adding them to a dossier or collection of people who receive advanced monitoring, etcetera, etcetera. You know, I I could see that. That is very dystopian, but it's like, you know, we kinda kinda seems like the modern world's taking a little step towards dystopia every now and then, and, you know, I could see that being a thing. The the thing that makes it that breaks me from that that feeling is the fact that this is just appears to be a regular detachment police officer. If it was a special branch that handled this stuff, they would be probably quite better at it. Yeah. You know, they would have anonymized emails for recovery. Like, the fact that there's not, like, a random this doesn't all end at, like, a random proton mail, you know, dark web proton mailbox

Speaker 1: Sure. Sure.

Speaker 2: Is is shocking to me. Completely. The fact that it goes to someone's personal cell phone and someone's personal email is a bit strange. Or at least one that's linked to one that's linked to someone's personal email. Totally. And then it's, like, that pulls me out of the fact that it's a little bit more state sponsored and maybe it was a bit more ad hoc.

Speaker 3: Mhmm.

Speaker 1: On the defensive side, this is a tangent, but on the defensive side, you know, operational security is it's the weakest link. Right? It's you can have an incredibly advanced IT department and someone that is locked down almost every corner of the system, and then that system collapses because one person clicks on an email. Oh. And it kind of feels like this is my take on this is this is that happening, but on the offensive side, it's that there are there are people who are quite good at what they do, who at a certain point at scale end up collaborating with people, who don't quite have that proton male level of, security. So the system that you compromised three years prior ends up in the hands of a person that doesn't know not to use a phone number that can be worked back to them as a recovery email because they think it's never gonna come up. Yep. That's my take on it.

Speaker 2: I I guess that's I guess that's the beauty of, you know, people like all the security and forensic researchers is is they're the people that get to hold the people who aren't as qualified accountable, You know? Because in a in a in an olden era, you know, planted evidence was just planted evidence. But now we've got people who are better at detecting the planted evidence than the people that are planting the evidence. It's not the same as a a bag of weed in the glove box or a gun in your back pocket that you've never seen before. So

Speaker 1: It was hard to say what's gonna happen next in the case of the BIMA core down 16. It's ongoing. But, you know, Arsenal, SentinelOne, and that community of forensics folks seem to have unearthed a pretty damning situation. That these people weren't arrested because the violence that broke out at this event was an intentional plot by urban Maoist insurgents. They were arrested for political reasons. They were targeted by this hacking campaign, and we have no reason to believe that just because they were the first defense to expose this, that they were the first people charged based on fabricated evidence as part of the larger modified elephant campaign. One of those 16 defendants, 84 year old Jesuit priest guy named Stan Swamy, who was a Dalit rights activist that's why he was there, he died in jail last year. Farver Arau who is 81 years old and reportedly in pretty poor health was recently let out on medical bail, which expires in about a week's time from the moment we're having this conversation. Of the other 14, only one has been granted bail. Despite what we've learned, these folks are still in jail. So this isn't the first time something like this has happened. You brought that up. It's not the first time cyber forensics has been used to reveal evidence fabrication, to name one example close to this story. Sentinel one, the group that cracked this kind of open, also unearthed a similar story in Turkey a couple years ago, a case called Egomaniac, in which Turkish police targeted a group of journalists with associations to a TV station that was critical of the governing party. And they did the same thing. They infiltrated a system using a phishing scheme, deployed a remote access trojan to drop files that would be later cited as evidence. And it's a really good thing when cyber forensics can reveal digitally fabricated evidence. It's this really kind of cool collaborative thing where all these different researchers come together to dig through the muck and figure out what happened. And it's a kind of collaborative forensics that couldn't have really happened in the past. But for however many of these cases get tackled in this way, the question kinda remains, you know, how many don't? How many cases that hinge on digital evidence get enough attention or have a defense with enough resources to hire digital forensics? How many people are out there waiting for someone to crack open that hard drive and start digging? Thanks for listening everybody. This was an interesting story and I appreciate it involved waiting into some very sensitive political stuff that's still active and ongoing. I hope we got everything right. If we did, please just get in touch and let me know. I encourage folks to read more about this one. And a big thank you to our patrons on Patreon. That's patreon.com/hackedpodcast. Best ways to support the show. Steve Wang, thank you very much, buddy. Appreciate your support. Chuck Davis, thank you. Janice Newman, appreciate the heck out of it. Ditra Srinivasan, appreciate the heck out of you, and Jamie Murray, thank you very much. That's patreon.com/hackedpodcast. That's another one in the bucket. We will catch you in the next one.

Speaker 4: If you've got an insurance question, you could talk to the butcher at your local grocery store. He'd probably talk about trimming the fat, but it'd be about your brisket, not your insurance policies. Or you could talk to your local GEICO agent. They offer personalized assistance in finding the choicest cuts of coverage for all your insurance needs, which means more money for filet mignon. Or if you're a vegetarian, tofu lay mignon. To find a GEICO agent near you, visit geico.com/local.

Speaker 9: This episode is brought to you by Nespresso. Life moves quickly, and taking care of yourself shouldn't feel like another chore. With the new Nespresso Vertuo Up machine, morning routines become rituals. Whether organizing, getting the household moving, or preparing for the day, your coffee shouldn't ask for more. With Vertuo Up, just press brew and your morning begins. Rich aroma, bold flavor, zero effort. Press to explore. Every coffee, a new world. New Vertuo Up. Shop now at nespresso.com.

Speaker 10: Feel your best and amplify your everyday look with Thrive Cosmetics. Go to thrivecosmetics.com/shine26 for an exclusive offer of 20% off your first order. That's thrive cosmetics, causemetics,.com/shine20six.