Episode Transcript
Hey, what's going on?
It's Dexter.
So we're doing something a little different this week.
While our team is away for the holiday, we're going to bring you an episode of a podcast called Click Here.
It's produced by our friends at Recorded Future News and PRX, and it's all about the people who are making and breaking our digital world.
Today's episode follows a hacking group called Elusive Comet.
They don't rely on zero days or ransomware.
They just use charm and Zoom to get you to fall into their trap.
You don't need to be reckless, just polite.
Here's Dina Temple-Raston, the host of Click Here, with the story.
Speaker 2: Jake Gallen used to work behind the velvet ropes in Las Vegas.
Among other things, he worked the cabanas at Planet Hollywood, and for a while he thought that life sparkled.
Speaker 3: You know, it's funny, because when I was going to UNLV, I was in a fraternity there, and you'd say, yeah, you know, I would love to have a nightclub job because I can continue this type of lifestyle.
Speaker 2: But it got a little old.
Speaker 4: Once you get into that lifestyle, after about a year, you're like, man, this kind of sucks.
Speaker 2: It wasn't just that he was awake when the rest of his friends were asleep, or that he missed all kinds of milestones in other people's lives.
It was just kind of lonely, and he worried that he'd never find something as exciting where he'd be making that kind of money, until one day he was on a Reddit forum and found Ethereum, the cryptocurrency.
Speaker 3: So I found Ethereum in twenty sixteen on a Reddit forum called Wall Street Bets.
Speaker 2: To Jake, trading Ethereum, the second largest cryptocurrency after Bitcoin, felt like opening a secret door into a whole new world, one that was intoxicating, unpredictable, and full of promise.
Speaker 3: I was very fascinated by this idea of how it kind of strips power away from a lot of the central authorities, and for me, I was very certain that this was going to be the industry that changes the world.
Speaker 4: I still have that belief.
Speaker 2: And like so many true believers, he didn't want to just watch from the sidelines.
So he started trading crypto, and then he stumbled into the world of NFTs, that's short for non-fungible tokens.
They're blockchain-based collectibles, think Beanie Babies but with code, and before long he'd carved out a reputation in one of the strangest corners of the NFT universe, a niche known as historical NFTs.
Think of them as relics, pixelated artifacts from crypto's adolescence.
Speaker 3: So I was one of the largest MoonCat collectors at the time.
Speaker 2: MoonCats: primitive, quirky, little pixelated pictures of cats, and among the very first NFTs ever minted.
Speaker 3: And I said that I had some that I was interested in auctioning off.
Speaker 2: They were valuable, a kind of Mickey Mantle rookie card of the blockchain.
This wasn't an obvious career choice for a health science major, but Jake understood collectibles in a kind of visceral way, because he'd lived it.
Speaker 3: I had actually owned an antique store in Vegas with my father.
That was my first business, and so we are very knowledgeable in this world of, like, antiquities and collectibles.
Speaker 2: Which is probably why Sotheby's came calling.
Yes, that's Sotheby's, the one that sells Van Goghs.
Speaker 3: [French auction audio] ...painting by Vincent van Gogh...
Speaker 1: Painted in eighteen eighty seven.
Speaker 2: And they asked him if he wanted to participate in their second ever NFT auction.
It was a huge deal.
One of the world's oldest auction houses was now moving into digital.
Speaker 3: [French auction audio] Eleven million, two hundred and fifty thousand euros, adjugé.
Speaker 2: And just like that, Jake was suddenly orbiting crypto royalty, rubbing elbows with celebrities like Steve Aoki and Paris Hilton.
He was hosting panels, being interviewed, live streaming. He started a podcast, and his profile exploded.
And in the middle of all this, he made an unusual decision.
In the crypto world, everyone hides. They use avatars or fake names, VPNs on top of VPNs. That's the culture: anonymous, encrypted and untouchable.
But not Jake Gallen.
He, in essence, doxxed himself.
Speaker 3: Since I started in twenty seventeen, you know, being a doxxed person was unheard of.
Speaker 4: That was, like, a very rare thing to do.
Speaker 2: He used his real name, told people what he owned, where he worked, what he bought into.
He thought the transparency would help him earn trust, so he leaned into it.
Speaker 3: You know, well, obviously it makes you a target, but it also makes you a little bit more respectable, and it leads, in my opinion, to more opportunities.
Speaker 2: That openness got him noticed.
He started getting nonstop media requests, three, five, sometimes eight interviews a week, so when a show called Tactical Investing reached out in April, it was just another thing he had to fit into his schedule.
Speaker 3: The message was like, hey, you know, doing a cohort of individuals with leaders in the industry for my channel.
Would love to interview you.
So I respond and say, hey man, sure, yeah, I'd love to.
Speaker 2: A week later, he logged onto Zoom ready for his interview.
But this was not just any interview. This was a trap.
I'm Dina Temple-Raston, and this is Click Here, a podcast about all things cyber and intelligence.
We tell true stories about the people making and breaking our digital world.
Today, we're used to watching for a shady link, a sketchy email, a too-good-to-be-true promise.
But what if danger comes wrapped in something ordinary: a Zoom call, a friendly face, a simple request?
You don't need to be careless, just courteous.
Stay with us.
From Recorded Future News, this is Click Here.
Jake Gallen had always known that deciding to use his real name publicly and talking so openly about his life would be a risk, so he made sure his security was airtight.
Speaker 4: I generally consider myself to be very careful.
Speaker 3: I mean, I have maybe five to ten different hardware wallets with different assets.
On top of it, multiple computers which hold different types of wallets.
Speaker 2: So anytime he got an interview request, he would vet them thoroughly.
And that's exactly what he did in April, when he got an interview request from a YouTube show he'd never heard of, something called Tactical Investing.
Did they have mutual followers?
Check. History of posts with the original? Check. A show that appears to be a real show? Check.
Speaker 4: Hey guys, what is up? It is Alexander here, back with Tactical Investing, and in today's video I want to do a step by step staking...
Speaker 3: The YouTube channel had close to one hundred thousand subscribers, had, like, six years of posting history.
It had interviews with people that I'm familiar with in the industry, and had a bunch of recent posts, posting videos every few days or so.
Speaker 2: So he said yes, and he was excited.
By this point he was CEO of a crypto company, and they had a new product he wanted to demo.
So the day of the interview, he logged on, and it started like so many interviews before it, but the host had his camera off.
Speaker 3: So when we get on the interview, he has his screen off, and he says, do you mind that I'm going to keep my screen off?
Speaker 2: Why wouldn't he want his camera on?
He was a YouTuber, after all. That alone set off a flicker of doubt in Jake's mind, but just a flicker.
Speaker 3: This industry is, you know, it's full of pseudonymous and anonymous people.
Speaker 4: But what was weird is that he's a YouTuber.
Speaker 2: But then the guy kept talking.
He sounded confident, casual, and Jake, he let the flicker fade.
Speaker 3: So I'd actually watched a handful of his interviews. You kind of understand who this person is, or, like, what their interview style is like.
It sounds just like him, literally just like him.
Speaker 2: And pretty quickly he wasn't just feeling relaxed, he was feeling kind of impressed.
The questions were smart, technical.
The interviewer clearly understood Emblem Vault, the crypto company that Jake was running.
Speaker 3: What he was asking me actually was kind of nuanced, questions about Emblem Vault, which, to understand what Emblem Vault is, you have to be pretty deep into the industry.
Speaker 2: So, what any founder would do when somebody really gets it, he let his guard down.
Speaker 3: And so after about thirty or forty minutes into the interview, the gentleman says, okay, I would love for you to demo Agent Hustle.
Speaker 2: Agent Hustle, not a nineteen seventies crime show, but an AI tool for tracing blockchain activity.
And Jake was really proud of it.
So when the interviewer said he'd give Jake access to share his screen, he just clicked, shared his screen, and walked the interviewer through the tool.
When the call ended, Jake thought it had gone pretty well.
Speaker 3: I tell him, hey, it was a great interview, he asked the right questions, and he says it'll be up in a few days, and then that's it.
Speaker 4: Everything is fine.
Speaker 2: But everything was not fine.
It started the next day. Jake got a notification that a MoonCat NFT that he'd bought for one hundred thousand dollars was suddenly sold at the bargain basement price of one thousand dollars.
Speaker 4: And then I see another sale happen.
Speaker 3: I get another notification from OpenSea saying that another sale's happened, very low ball.
Speaker 2: And his heart started to race.
Speaker 4: And I know there's a hack that's happening.
I don't know how or what or why.
Speaker 2: He scrambled, changed passwords, reached for every security switch he knew.
Speaker 3: Just minimizing the blast radius of what was going on, trying to figure out what was happening.
Speaker 2: And then came the moment everyone dreads.
He was logged out of his email, his social media, and every time he tried to regain control, the hacker just kicked him right back out.
It was like whack-a-mole with his life.
He tried to revoke permissions on Revoke.cash. No.
Speaker 3: Look, and I could see more MoonCats being listed, and then I see other collections being listed.
Speaker 2: And then, a chilling realization.
Speaker 3: Oh fuck, this is, like, a full on, like, somebody has my seed phrase.
Speaker 2: Seed phrase, like a master key to all of his wallets and NFTs.
Speaker 4: Which is crazy, because I've never written that seed phrase down anywhere, nowhere digitally.
It's written down on a piece of paper inside of a safe.
Speaker 2: That's when it clicked.
Breaking into his computer was as good as breaking into his safe.
How much did you lose?
Speaker 3: It's about between one hundred and fifty to two hundred thousand, depending on how you value the assets themselves.
Speaker 2: Jake was gutted, and pretty confused.
Who would do this, and how?
His gut told him that this had to be connected to that interview.
But what kind of hacker launches a YouTube channel and runs it for six years just so they can scam someone?
None of it made sense, so he called nine one one. Actually, SEAL nine one one.
Speaker 5: The official name is Open Security Alliance, but everybody just says SEAL.
Speaker 2: They're a team of white hat hackers who respond to crypto attacks.
Speaker 5: We do everything from people who got phished for one thousand dollars to kidnappings to big North Korean heists.
There's all sorts of crazy things.
Whatever people need, we'll figure out a way to do it.
Speaker 2: When we come back, the SEAL team gets to work, the FBI steps in, and the real host of Tactical Investing sends a very unexpected message. Stay with us.
Nick Bax is an incident responder at SEAL, and they've worked on thousands of crypto hacking cases like Jake's.
Speaker 5: Yeah, it's just, you know, we're always on call.
Some days are a lot worse than others.
Yesterday I woke up and it felt like every single threat actor we were looking at had decided to do something at the exact same time.
Fridays are worse.
I think a lot of hackers know that if they start hacking on Friday, the Feds won't get involved until Monday.
Speaker 2: Nick didn't waste any time trying to get to the bottom of what happened.
Speaker 5: First thing we do in triage is give them a set of instructions to follow.
Speaker 3: Apparently the first thing you're supposed to do, actually, is unplug your computer from the Internet.
Speaker 5: Disconnect your computer from the Internet.
Speaker 3: I wish I would have known that. Probably would have saved myself a lot, a lot of money.
Speaker 2: Then came the forensic work, retracing every click, and as they dug, Nick's spidey sense started tingling. He'd seen something like this before.
Speaker 5: Yeah, you know, as soon as we heard he suspected a Zoom call, we immediately start to think it's DPRK.
Speaker 2: DPRK, North Korea, the most prolific crypto thieves on the planet, and they've been using Zoom too, targeting traders and even crypto companies with fake job interviews and investor calls.
Speaker 5: And they play a video of a person that might be the person you're supposed to be meeting with, and they look bored and they're not talking, but it's actually a loop of a video, and then they tell you over text that there's trouble with the audio.
And then they write, oh, we've seen this problem before.
Speaker 2: Just go to this link, a link to malware.
But Jake didn't click on anything like that.
There was no fake video.
He just had a conversation, one he thought was a pretty good one.
Speaker 5: The fake interview was new.
We hadn't seen this vector before.
We realized it probably wasn't North Korea.
Speaker 2: So the team went back to the drawing board.
They went over everything again, and that's when they caught it.
Speaker 5: They kept trying to get him to screen share.
Speaker 2: The screen share that Jake used to demo Agent Hustle.
And while there are lots of things you can do to protect yourself from a hack, antivirus software, avoiding spammy links, there's one thing that's as hard to see coming as it is easy to fall for: social engineering, hackers exploiting somebody's humanity, their ego, their enthusiasm, their fears.
When it came time to demo his project, Jake was enthusiastic.
They'd just launched this new AI tool and he wanted everyone to know about it, so he wasn't quite as focused as he went through the screen share process.
Speaker 5: They had a Zoom account where the name on the account was "Zoom," and then they requested remote control, and a notification pops up on Zoom that says something like "Zoom is requesting permission to remotely control your device."
Speaker 2: In that moment, it didn't look like a red flag.
It just looked like part of the process.
Speaker 5: People just think it's requesting permission to share my screen, but it's actually requesting permission to remotely control your desktop.
Speaker 2: Jake barely remembers clicking, which is exactly how the best hacks work.
Speaker 5: When you do get hacked, it's like a magic trick, like an illusion.
It's like when someone pulls a coin from behind my ear.
They didn't really make a coin appear.
They used a sleight of hand and tricked me.
Speaker 2: And with that, the hackers had everything: remote access, files, passwords, wallets.
Speaker 5: Once you get, you know, remote code execution on someone's computer, you can do a lot.
You can look for all of the high value targets: private keys, SSH keys, access tokens, whatever.
Then they'll get your password manager.
They'll try and take over your Twitter account and your Telegram account.
Speaker 2: The SEAL team had a hunch. Maybe this wasn't North Korea. Maybe this was someone borrowing from their playbook.
Speaker 5: It was actually a group of Western people, a US or Europe or North America based group of hackers who had a clever method and were using it a lot.
Speaker 2: A method that appeared to be piggybacking on North Korea's M.O.
Speaker 5: We have seen people try to imitate North Korean tactics, and I think what happened is they heard about this video chat Zoom call vector and thought, oh, that sounds like a good idea.
We can modify that to fit to our strengths.
Speaker 2: Maybe they even thought that looking like they were North Korean hackers would help them get away with it. Whatever it was, SEAL wrote about the group, and in their report they called them Elusive Comet.
Speaker 5: I don't know if they think we'll just give up because we know that they're beyond the reach of law enforcement, or what.
But it's actually the exact opposite of what you should do, because there are a lot of federal resources that focus completely on North Korea.
So it's not in your interest, if you're a hacker, to have them think you're North Korea.
Despite what some people might think.
Speaker 2: The FBI is now investigating.
Jake says they reached out not long after he reported the attack and gave him even more detail.
Speaker 3: This is a very large scam ring that's going on that could total potentially, you know, eight or maybe nine figures in lost value, and they're all using Zoom, apparently, for all of this.
Speaker 2: But the FBI wasn't the only one who reached out.
Speaker 6: Hey Jake, it's Alex, otherwise known as Tactical Investing.
My account was compromised Wednesday of last week.
Speaker 2: Tactical Investing is a real YouTube channel run by a real person, Alex Banister.
He's in the Air Force, and to prove who he was, he sent Jake a video of himself in uniform.
Speaker 6: You know, for proof I'm in the military, there's my uniform, Air Force, and then my last name is Banister.
Check it out here. It's on my uniform.
Speaker 2: So the hackers hadn't just fooled Jake, they'd hijacked someone else's identity to trick him.
Jake lost a lot that day: time, money, trust.
But what bothers him most is Zoom.
That remote access button that Jake was tricked into pressing, it's not some obscure setting.
It's enabled by default for all personal Zoom accounts.
If you use Zoom, it's probably enabled on your computer right now.
Speaker 3: Basically, the whole scam is that if you're a host of a Zoom interview, you can request remote access to the guest's.
This is, like, a default feature that's on.
Like, if you turn that default feature off, this whole thing goes away.
It's literally that simple.
Speaker 2: We reached out to Zoom, and they told us they take security seriously and that users must give explicit consent before allowing anyone to take control of their screen, which is technically true, but cybersecurity experts say that's not the point.
While no one would be hurt if Zoom just turned it off as a default setting, it could save unsuspecting victims a lot of time, money and hassle.
Speaker 3: If they just did, they could easily fix this by just making remote access default off. Like, that's literally all they have to do to fix it, but they don't seem to be interested in wanting to make that change.
Speaker 2: Jake says he's spoken with people at Zoom.
He's even heard their CEO was made aware of his case, but so far nothing's changed.
So Jake's doing the only thing he can, the only thing he's been doing since he first stumbled into the crypto spotlight.
He's talking about his life and telling people what happened to him: journalists, crypto traders, Twitter followers, anyone who will listen.
Speaker 3: Yeah, it is embarrassing, but I felt like it's much more important to keep people protected, to ensure that this doesn't happen again and again and again.
You know, do I want to be the face of this? No, not really. But do I want people to be aware of what's going on?
Speaker 4: Yeah. Absolutely.
Speaker 2: This is Click Here.
Speaker 1: That was Dina Temple-Raston, host and managing editor of the Click Here podcast from Recorded Future News and PRX.
The show tells true stories about the people making and breaking our digital world.
New episodes come out every Tuesday and Friday.
You can find Click Here wherever you get your podcasts, and starting in twenty twenty six, on selected public radio stations. We'll put a link to the podcast in the show notes.
Thank you for listening to Kill Switch, and we'll be back in the new year with new episodes.
