Search the Community

IMAGINE: ONFOKUS / GETTYIMAGES The hacker turned against his former partner, accusing him of stealing his fair share of a $16,000 heist. There’s no honor among thieves, including those who steal cryptocurrency. On Tuesday, the Department of Justice announced that a SIM swapper who stole almost $17,000 with an accomplice pleaded guilty to aggravated identity theft in a case of criminal partnership gone wrong. The SIM swapper, 20-year-old Kyell Bryan ended up doxing and swatting his former partner, according to the hacker’s guilty plea. Doxing refers to the common and unsavory online practice of revealing a person’s real identity and other personal information such as home address in order to harass them. Swatting refers to another dangerous and sometimes fatal internet harassment tactic in which someone pretends there’s an emergency at their target’s home, prompting police to send a SWAT team. In June of 2019, Bryan and Jordan Milleson worked together to steal the password of an employee working for an unidentified cellphone carrier using one of several phishing websites Bryan set up. They then used the password to login into the company's internal network, which allowed them to steal the phone number of victims in what is a typical SIM swapping attack. At that point, they used their control of the phone number to break into the victim’s cryptocurrency account and steal cryptocurrency valued around $16,847.47, according to the Department of Justice. Hours later, Bryan and other accomplices started suspecting that Milleson had “snaked” them. In other words, they believed Milleson had not given them their fair share of the heist. Bryan and the others then began to try to identify Milleson, whom at the time only knew by an alias. Soon, they figured out Milleson used the nickname “Chikri,” and they asked a chat room for help doxing him. Bryan then learned Chikri also went by Jordy and started asking around for more information about him. At the time of the message, someone called the Baltimore County Police Department claiming he shot his father and was going to shoot himself. The person then gave the police Milleson’s address, and threatened to shoot the cops if they showed up. When they did show up, there was no emergency at all. Milleson was sentenced to two years in prison on May 5, 2021. Bryan faces two years in prison for aggravated identity theft. Subscribe to our new cybersecurity podcast, CYBER. Subscribe to our new Twitch channel. Via vice.com

One of the biggest encrypted chat apps in the world just showed how a device used to decrypt messages can be hacked and tampered with. IMAGE: JACK GUEZ/AFP VIA GETTY IMAGES) Moxie Marlinspike, the founder of the popular encrypted chat app Signal, claims to have hacked devices made by the phone unlocking company Cellebrite, which has famously worked with cops to circumvent encryption such as Signal's. In a blog post Wednesday, Marlinspike not only published details of new exploits for Cellebrite devices, but seemed to suggest that Signal's code could be theoretically altered to hack Cellebrite devices en masse. Marlinspike claims (whether you believe this portion of the post or not is up to you) that while he was on a walk he happened to find a Cellebrite phone unlocking device: Cellebrite devices are used by cops to unlock iPhones in order to gather evidence from encrypted devices. This can include photos and messages on the device, potentially including Signal messages. Along with his colleagues, Marlinspike analyzed the device and found that it included several vulnerabilities that could allow an attacker to include an "otherwise innocuous file in an app" that when it gets scanned by a Cellebrite device exploits it and tampers with the device and the data it can access. To be clear, this is a pretty ballsy show of force. Marlinspike published details about the exploits outside of normal "responsible disclosure" guidelines and suggested that he is willing to share details of the vulnerabilities as long as Cellebrite does the same with all the bugs the company uses to unlock phones, "now and in the future." In a slightly nebulous final paragraph. Marlinspike said that future versions of Signal will include files that "are never used for anything inside Signal and never interact with Signal software or data," perhaps implying these could be designed to tamper with Cellebrite devices. We reached out to Signal to ask them to clarify what Marlinspike meant exactly in the last paragraph of his blog post. Cellebrite did not immediately respond to a request for comment. In their analysis of the device, Signal researchers also found that it contained packages signed by Apple, and likely extracted from the Windows installer for iTunes version 12.9.0.167. According to Marlinspike, this could be a copyright violation. Via vice.com