> Kiberphant0m denied being in the U.S. Army or ever being in South Korea, and said all of that was a lengthy ruse designed to create a fictitious persona.
>
> “Epic opsec troll,” they claimed.
If this were really a fictitious persona meant to lead investigators away from their true identity, they'd never admit to such. This sounds like someone trying to deflect upon being found out. I'd wager that this person is going to be caught.
Krebs has an image of a mind-map at the end of the article showing links between the aliases.
Yes. I'm pretty sure if you spoke to an intelligence analyst they would tell you there's no such thing as an opsec troll.
Everything your target does (including misdirection) gives or risks giving away information, and there's no way someone who is actually in control of events would blow a cover because even if you were 99% certain it was false, you would have to continually waste resources trying to confirm that. In particular if they invested a lot in building this persona and you were on to them it's much more likely they would just go dark, wait and plan how to pick up with a new persona.
> Kiberphant0m denied being in the U.S. Army or ever being in South Korea, and said all of that was a lengthy ruse designed to create a fictitious persona. “Epic opsec troll,” they claimed.
This is called a "double cover story", a classic deflection when someone is caught or exposed.
Let's just not believe anything said by an untrustworthy person. What they say should not calculate in what we believe to be true, but only evidence we can verify.
I respectfully disagree. If someone is shown to be unreliable then of course you won't take what they say at face value, but there's still information there. A deliberate lie may still contain something useful and reveal something about the person.
In fact assuming someone to be truthful isn't a good prior, knowing that they may be "untrustworthy" doesn't tell me much, since I didn't start off thinking otherwise.
I can't help myself: is this the famous logic by which tech people don't trust apple, microsoft, amazon, meta, or google products?
Or does it not apply to corporations? What's the distinction, if so? It certainly seems common not to apply it to corporations.
Not sniping here, I actually think this is solid logic, maybe with some exceptions but generally applicable. I feel like it's so commonly and happily not applied when it comes to the above companies (and others) that I find it stunning to see it stated so clearly here.
Well yes, but I doubt that Krebs is really posting this data dump for random Internet readers like us. Some other investigator might find some useful hints in it, though.
"You fell victim to one of the classic blunders! The most famous is 'never get involved in a(nother) land-war in Asia', but only slightly less well-known is this: Never go up against a once-Korean-resident when death is on the line! Aha-haha-hahaha!"
It also seems like bad opsec if he creates multiple aliases for the same theme. Wouldn't you want to have one US soldier, one Russian, one African, etc. if you are trying to create red herrings?
Even the soldier persona is consistent though. The trouble with opsec like this is (1) you always have to win and (2) almost everything - even total randomness - tends to create a pattern (since the negative space of trying not to stand out itself tends to make you stand out).
Interestingly, Kiber- is how a Russian would transliterate "Cyber-". At first I thought he must be Russian, by the nickname alone (I'm a Russian speaker).
Something I don't understand is why people don't appreciate /expect misdirection.
For instance, a malicious actor, of even basic sophistication, coming from a Russian IP and occasionally using Cyrillic and missing grammatical articles is probably not Russian. Similarly a malicious actor with a pseudonym including the term patriot, coming from a US IP and using terms like howdy probably is not American.
I’m guessing any American military member in the Intel or Cyber business would know that these days though.
Years ago when I was in the US military I knew many Russian weapons systems better than their US/NATO counterparts and had developed a decent working vocabulary of Russian words and prefixes in that specific area because it was my job to study Russian equipment.
as an aside, i find that western people, even many hacker news denizens, are unaware that ru-net exists much less that it has its own language, memes, technology, etc.
Right, there's something odd about this. That image from 2022 of a person's legs [Kiberphant0m?] in army fatigues ought to be a dead giveaway. For starters why would anyone be stupid enough to do that, second I'd reckon the floor pattern alone might be enough to reveal the person, again why do that? Surely those involved would have thought of that? Alternately they're on the room-temperature side of dumb.
Of course, that doesn't include the image being a ruse for other schema.
> Alternately they're on the room-temperature side of dumb.
When combined with the uses they claimed for their botnet, the person we're talking about leaves an impression of having the emotional maturity of a 10 year old.
So, you might not be very far when it comes to non-technical skills.
Maybe he is operating at the next level. He is deflecting because the investigators will think that he is trying to lead them away from this true identity and become even more convinced of it, which is exactly what he wants.
Eh; let's wait and see. For any claim for insight there's an equivalent claim for fabrication. Any such analysis that relies on this is inherently flimsy.
This seems like it would be rather easy for the government to narrow down. Check the logs of who applied for an NSA job on or around the date the screenshot was posted and cross reference any that are/were located in South Korea. I would think that would produce a rather short list that a bit more investigation would crack.
The guy seems arrogant, and arrogant = sloppy. He'll get caught.
But probably after they arrested him, to help with negotiations.
And to pop that bubble of false confidence.
The way he acted would be a very red flag for me, if I were to hire him. Maybe skillful, but careless. And that is not acceptable in that line of work. (Neither is it in the military.)
> “Type ‘kiberphant0m’ on google with the quotes,” Buttholio told another user. “I’ll wait. Go ahead. Over 50 articles. 15+ telecoms breached. I got the IMSI number to every single person that’s ever registered in Verizon, Tmobile, ATNT and Verifone.”
SBF levels of self-pwning right there. When, not if, they catch him, the Feds are going to hang this clown out to dry.
I'd rather see them hang out to dry the 15+ telecoms who gave away "the IMSI number to every single person that's ever registered in..." because doing so was cheaper than investing in security.
> Immediately after Kiberphant0m logged on to the Dstat channel, another user wrote “hi buttholio,” to which Kiberphant0m replied with an affirmative greeting “wsg,” or “what’s good.”
It's kind of unfortunate for him that he didn't do a better job of referencing Beavis and Butthead. If his username was "Cornholio" or even "Bungholio", it could read as someone directly referencing the show and potentially unrelated to the other account, making his deniability a bit more plausible.
They have gone from "I literally can't get caught" to "Oh no, everyone on Hacker News is discussing my l33t hacker identity... checks notes ...Buttholio. Perhaps I should have workshopped that name a bit more."
Any insight based on a histogram of the timing of this person's posts, particularly ones responding to a just slightly earlier post? (i.e. was clearly awake and not an artificially-delayed response).
Krebs knows about this timezone analysis technique, wonder if he didn't check this or it was inconclusive?
Is that effective for people who aren't literally being paid a salary to do this stuff 9-5? A lot of people who spend too much time on computers have totally out of whack sleep schedules that would look like they're operating from very different timezones.
People have wacky schedules but it's about when you never work
You could do an analysis on HN comments.
It's very hard to fake, you'd have to schedule on all channels. For instance don't look at all of a user's HN comments, just ones posted less than an hour after it was on the front page.
I always set the time zone on my PC to a fake one. It causes havoc sometimes and it's not even close to enough. It's hard once someone is after you.
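The posting-time analysis discussed in the comments above, written out as an added example. This is not code from the thread, from Krebs or from Unit 221B; it assumes a constructed sample of (reply time, parent time) pairs for a hypothetical account whose owner lives in UTC+9, an 8-hour nightly quiet window, and that people typically stop posting around 23:00 local time. The `responsive_only` filter implements the suggestion of keeping only replies posted within an hour of what they respond to, so that queued or delayed posts do not pollute the histogram.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data (hypothetical account, owner assumed to be in UTC+9).
KST = timezone(timedelta(hours=9))


def build_sample():
    """Return constructed (reply_time, parent_time) pairs, all timezone-aware."""
    pairs = []
    for day in range(3):
        # Live replies: one per local hour 09:00-22:00, each answering a post
        # from 20 minutes earlier (UTC hours 00-13).
        for local_hour in range(9, 23):
            reply = datetime(2024, 11, 1 + day, local_hour, 15, tzinfo=KST)
            pairs.append((reply, reply - timedelta(minutes=20)))
        # Delayed/queued posts at 23:30 and 00:30 local (UTC hours 14-15),
        # answering threads that are six hours old.
        for local_hour, minute in ((23, 30), (0, 30)):
            reply = datetime(2024, 11, 1 + day, local_hour, minute, tzinfo=KST)
            pairs.append((reply, reply - timedelta(hours=6)))
    return pairs


def responsive_only(pairs, max_delay=timedelta(hours=1)):
    """Keep only replies posted within max_delay of their parent (likely awake)."""
    return [reply for reply, parent in pairs
            if timedelta(0) <= reply - parent <= max_delay]


def hour_histogram(times):
    """Count posts per UTC hour. Using UTC means the poster's own clock setting
    is irrelevant: the platform's server-side timestamps are what get analysed."""
    hist = [0] * 24
    for t in times:
        hist[t.astimezone(timezone.utc).hour] += 1
    return hist


def quiet_window(hist, length=8):
    """Find the start (UTC hour) of the least-active circular window of `length` hours."""
    best_start, best_total = 0, None
    for start in range(24):
        total = sum(hist[(start + i) % 24] for i in range(length))
        if best_total is None or total < best_total:
            best_start, best_total = start, total
    return best_start, best_total


def infer_utc_offset(hist, length=8, local_sleep_start=23):
    """Estimate the poster's UTC offset from where the quiet window falls.

    Assumption (constructed for this example): the quiet window begins around
    23:00 local time. local = UTC + offset, so offset = sleep_start - window_start,
    normalised into [-12, 11]. Real data gives a lead with +/- 1-2 h of slack, not proof.
    """
    start, _ = quiet_window(hist, length)
    return (local_sleep_start - start + 12) % 24 - 12


if __name__ == "__main__":
    pairs = build_sample()
    all_replies = [reply for reply, _ in pairs]
    print("all posts    -> UTC offset", infer_utc_offset(hour_histogram(all_replies)))
    print("responsive   -> UTC offset", infer_utc_offset(hour_histogram(responsive_only(pairs))))
```

With the constructed sample the unfiltered histogram is skewed by the late-night delayed posts and points at UTC+7, while restricting to responsive replies recovers UTC+9; the filter matters precisely because scheduled or delayed posts are the easy thing to fake. The result is only as good as the sleep-start assumption, so treat the offset as a lead to corroborate against other evidence, not as an identification on its own.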
What a great article. I loved seeing the links that Krebs (?)/Unit 221B (?) dug up and all the info they managed to connect. It felt like I was reading a detective story. It sounds like this guy is doomed, the NSA application date alone basically identifies him.
If you have enough data, I wonder how much of this digging can be automated these days with good LLM prompts. Doing it manually is very time-consuming.
Having worked with LLMs over the past year+ trying to get them to do useful things in various contexts, the real work is typically pretty boring data acquisition (e.g. scraping) + ETL and then making that data available to the LLM.
I think this whenever I read a modern detective novel (Bosch). So much of their work seems to be looking up data from different databases and trying to make connections or recognize patterns.
I assume the FBI or whomever has automated this to some degree already, and I really hope someone does a great writeup of how LLMs/agents can do even more.
That's what a super epic opsec troll would want you to think.
https://www.youtube.com/watch?v=pRJ8CrTSSR0
False attribution is a core lesson in malice 101.
To prove their "credentials" that they are a real world "tough guy", in the hopes of gaining social clout among their peers.
Same reason why some post classified information on Discord or War Thunder.
Therefore some data should either not be stored at all or deleted after it served its purpose.