The Crypto Bros Hack Back
The impossibility of being hacked in the mind of someone unhacked (that being me, at least before the events described in this story).
It's strange how paranoia can link up with reality now and then.
- Philip K. Dick
It All Started With A PDF
I knew this to be true - that it started with the PDF - for quite some time before I proved it to be true.
This particular PDF had a particularly dodgy origin story. It wasn’t just that it had come from people involved with cryptocurrency exchanges, though that is certainly worth at least one red flag. Nor was it just because it came from people involved with cryptocurrency exchanges in China, though that is probably worth at least a few more red flags beyond the first. This PDF came from people involved in cryptocurrency, in China, and in the proximity of a cryptocurrency exchange called “Hoo” that had been refusing to give its “customers”1 their money back for over a month.
Put bluntly, we’re talking about thieves. Or more specifically: we’re talking about a tool of thievery bent into the shape of a Portable Document (by thieves). A concatenation of roughly 1.6 million ones and zeroes (201,713 bytes) given the blessing of digital existence by cryptocurrency thieves acting anonymously and well out of the reach of European jurisprudence. Oh, and one that was distributed to the world on Telegram, which in my admittedly brief experience seems to be the shadiest / most financial scam2 riddled social media platform3.
What could go wrong?
The Almighty TL;DR
This is a spooky story about getting hacked (or at least suffering a major security breach) and surviving with my online life and bank account intact. There’s a lot of backstory but if you don’t care about the details and just want to jump straight to the scary stuff here’s a link that will take you there.
The fact that this is a story with an ultimately happy ending (I am posting this from the very social media accounts that I am reasonably sure the hackers were targeting) implies that it’s also a story about the ways in which sacrificing the time and convenience necessary to maintain at least decent opsec online can pay huge dividends in a crisis.
And finally I know that reading can be a little dry compared to the visceral experience of living an experience like this. While it won’t get you all the way there, maybe listening to this little bit of spooky Nachtmusik as you read will help you get a better sense of the vibe:
Background Solemnification
A few weeks ago I wrote an essay claiming that the cryptocurrency industry is evil and that you should maybe be afraid of it that got read and discussed by a lot more people than I ever expected and brought with it some kind of micro reputation in the already-pretty-micro world of cryptocurrency related social media. I followed that up with some guesses about the mechanics of how a certain large cryptocurrency scam sitting at the heart of the entire industry may have pulled off the largest financial crime since Bernie Madoff4. Needless to say these posts (along with a couple of other Medium posts and threads on The Privatized Public Square5 containing various ugly truths that our crypto bro overlords might have preferred stay untruthed) did not endear me to the cryptocurrency in-crowd.
All of which is sort of a roundabout way to say that it is quite plausible that the shadowy figures wielding malicious PDFs in my direction were specifically targeting me with this PDF6. Certainly in the weeks prior to these events my social media accounts - all of them, not just Twitter - were absolutely crawling with what at least appeared to be Chinese sock puppets in the employ of that centrally located mega scam cryptocurrency. Weird DMs on reddit, obvious sock puppet follows/friend requests on the Facebook7 platforms, bizarre WeChat activity, you name it. Thus it’s not much of a stretch for me to wonder whether whoever was behind all that activity had, in the course of monitoring my accounts, noticed my recent Telegram and Twitter activity and decided (correctly) that this would be a moment a well crafted social engineering attack could slip past my defences8.
Now, mind you, I’m not generally the easiest mark. I don’t just go opening PDFs - or any kinds of files - in these kinds of circumstances. Being both a naturally somewhat paranoid person as well as a relatively experienced Computer Professional I am all too aware that the foundations under the towering edifice of cybersecurity are actually made of quicksand9. I was also very aware of recent events like the Axie Infinity hack, wherein North Korea’s Lazarus Group10 pulled off what I believe is the largest11 heist in human history12 by means of… a PDF13.
Despite all that I was extremely interested in the contents of this PDF. It purported to contain - and in fact it did contain - the thoughts of a senior executive at the aforementioned Hong Kong based14 cryptocurrency exchange called Hoo about The Situation. It was a Serious Situation that was of particular interest to me because the visions I was given by The Oracle of Tulips placed special emphasis on the moment that the first cryptocurrency exchange refused to give its customers victims back their money. Hoo was, if not the absolute first crypto exchange to close its lambo doors, definitely the first that had ever claimed it was trading over $1 billion USD per day on good days. And just to make things even more interesting an exchange called AEX Global had closed its gullwing doors on more or less the same day as Hoo, citing a “billion dollar bank run“ as the reason, which isn’t exactly something you read every day. For this and other reasons I had become convinced AEX and Hoo were, if not literally the same (incredibly shady) company, at least run by the same (incredibly shady) crowd of people.
The Situation As Of The Ides Of July
Hoo (and AEX) had halted withdrawals around the ides of June. As of one month later, on or around the ides of July, the operators of Hoo (and AEX) had, rather than give their customers victims the ability to withdraw any cryptocurrencies that hold actual fiat15 value like bitcoin and ethereum, spent an entire month16 notifying the public each and every day about a handful of altcoins17 worth literally fractions of a cent that were being made available for customer victim withdrawal again. These announcements would inevitably be accompanied by assurances to the effect that the owners of Hoo (and AEX) were working really hard on Fixing The Situation and they would reënable18 the withdrawal of cryptocurrencies with actual fiat value “soon”.
Here’s an example of one such altcoin announcement.
There are many, many more such announcements on the Hoo Exchange feed, which, unlike CEO Ruixi Wang’s personal account19 on The Privatized Public Square, does not seem to have been deleted yet.
Recall that AEX had announced a billion dollar bank run and, if necessary, remind yourself how many millions are in a billion20 - you can easily see why the customers victims of this scam had been growing increasingly irate and less understanding with each passing day. Every tweet by CEO Wang was immediately flooded with tens to hundreds of responses. My unscientific estimate is that roughly 90%21 of those responses amounted to “give me my fucking money back you monster”. A small but representative sample:
This ritual of Hoo and Wang’s accounts tweeting about how customers could now withdraw GARBAGECOIN_X and SHITCOIN_Y followed by a small tidal wave of social media fury directed at Ruixi Wang became depressingly routine over the course of the month22.
Crypto Seeks Its Own Level
On July 15th something changed. Suddenly, instead of the customers victims draping every utterance by CEO Ruixi Wang in irate tweets, the employees were doing the irate tweeting… though “irate” might be an insufficiently angular word to describe the incandescence of their rage.
Apparently these employees had not been paid their last month’s wages and they were feeling both upset and loquacious about it, as victims of capitalist exploitation with access to social media are wont to be. Their online outbursts came in many emotional shapes and hues but were unified by their agreement about not having been paid as well as by the fact that they all were posted in the Chinese language from low follower count sock puppet/bot accounts that had previously been used to shill cryptocurrencies.
Some appealed to Wang’s good nature. Some seemed honestly confused. And some of them were so full of rage that they straight up doxxed him, posting his passport photos and a map to the house where they thought he was living in London23 onto social media… hundreds of times in a row:
Future doctoral dissertations in the field of economics will no doubt be written about the borderline total moral and intellectual failure of the professional journalistic class on the topic of cryptocurrencies, but for now it suffices to note that the events surrounding Hoo (and AEX) had more or less been completely ignored by the entire body of English language journalists not named Molly White and not river otters who had somehow figured out how to operate a smartphone. Being curious, I decided to reinstall Telegram24 and see what I could find out - I both wanted to observe/listen to the reaction of the customers to this new development as well as see if any of the employees of Hoo would talk to me about what was going on25.
A Candleful Of Rage
Much to my surprise one of the few Telegram accounts I was able to fully verify as an employee of Hoo26 actually did decide to speak to me, and at considerable length. I had been told to seek this employee out by a particularly crestfallen customer victim located in the vicinity of Gold Coast Africa27 who was coming to grips with the fact that he had lost his life’s savings. Said customer victim had been communicating with this employee and felt that he (the employee) seemed particularly sympathetic to the plight of the newly impecunious victims.
What the employee told me explained both his sympathy for the victims as well as the broader outpouring of employee rage I was seeing on The Privatized Public Square. He informed me that not only had the employees of Hoo not been paid their last month’s pay cheque, most of them also had held their life’s savings in cryptocurrency accounts at Hoo - accounts that were now frozen, just like the customers’ accounts. He went further and said there was an incredible amount of dirt on Hoo’s business broadly and Ruixi Wang’s actions in particular that some of the employees wanted to release publicly, but before they invoked the nuclear option of going public they wanted to be really, truly sure they would not get their money back.
Then all of a sudden someone telegrammed an image purporting to be a sign that had been posted on the door of the offices of Hoo. This sign implied (and my source confirmed) that the Chinese police had within the last few hours shown up at the Hoo office, seized all the assets, and locked out the employees.
Dramatic, to say the least28.
But then things got even weirder - much weirder, I remember thinking at the time - when the Hoo exchange website came back to life cyber Lazarus29 style just a few hours later30. Users in Telegram confirmed they were able to log in again (though predictably they were still unable to withdraw funds).
My first thought, totally unsupported by evidence, was that the Chinese police had decided they would catch bigger fish by running the site as a honey trap for a period. For one thing, there was some reporting a bit after the ides of June (30 days before the hack) claiming that the Chinese authorities had accused several unnamed cryptocurrency exchanges of laundering drug money. For another thing, operating an internet criminal enterprise in honey trap like fashion to catch more crooks is exactly what the far more31 constrained-by-thousands-of-years-of-ponderous-western-philosophizing-about-innate-human-rights agency known as the FBI would do (has done).
“In Media Portable Document Res”
It was in the midst of the previously described flurry of events that someone posted the malevolent PDF in one of the many Telegram chat rooms devoted to Hoo32. As mentioned it contained a sort of open letter from someone in Hoo’s senior management about The Situation. Here's a small excerpt; you can read the rest here if you're interested.
As fate might have it, I actually had in my possession a burner computer specifically for doing riskier internet things like this. It was a $200 Windows beater machine with no links to me or the rest of my online life. Given that a) the PDF contained very intriguing content and b) I thought the worst that might happen was that this beater computer would get hacked/get a virus/whatever, I downloaded it. On the off chance that the PDF was somehow so malicious that it could somehow do damage beyond the confines of this walled off Windows machine, I decided to run it through a handful of online virus check tools like VirusTotal33, thinking they would surely at least flag it if there was risky content. After these threat assessment services gave the PDF a universal "all clear", I gingerly, timidly, and maybe even shyly opened it up on my burner computer through Gmail34 and read the contents35.
Whoops.
(If you actually want to know the technical details of what went on with the PDF in question you can find them here in a twitter thread I published a few weeks after I published this piece. There’s also a bit of a technical discussion with some actual malware experts about this PDF over on reddit. Didn’t want to bog down the less technical folks here but if you think I’m making this shit up/have lost my mind, click the links and take a gander at the credentials of the people who agree that this PDF is malicious.)
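Before a PDF from a source like this goes anywhere near a mail client or a preview pane, it is worth a static look for active content, and that is a check you can do offline in a few lines. What follows is an added example and not the author's analysis of the Hoo PDF (nor of any real file): it builds a small constructed sample, hides a JavaScript open-action inside a compressed object stream behind a hex-escaped name, and shows that a scan of the raw bytes alone would report nothing. Multi-engine scanners look for known-bad signatures; a triage like this asks a different question, namely whether the document can do anything at all when it is opened. The keyword list is a generic triage heuristic, not a malware verdict.

```python
"""Static triage of a PDF for active content.
Added example, not the author's analysis: the sample file built below is
constructed, and RISKY_NAMES is a generic triage heuristic, not a verdict."""
import re
import zlib

# Name objects that let a document act when opened: run JavaScript, launch a
# program, fetch a URL, submit a form, carry an embedded file, and so on.
RISKY_NAMES = b"OpenAction|AA|JavaScript|JS|Launch|URI|SubmitForm|EmbeddedFile|RichMedia|XFA|GoToR"
# A PDF name ends at whitespace or a delimiter, so /AAPL:Keywords (common in
# macOS-produced PDFs) must not count as /AA: hence the lookahead.
RISKY_RE = re.compile(rb"/(" + RISKY_NAMES + rb")(?=[\s()<>\[\]{}/%]|$)")


def normalize_names(data: bytes) -> bytes:
    """Undo hex escapes in names: /J#61vaScript is the same name as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> list:
    """Bodies of every stream that inflates as zlib (FlateDecode). Malicious PDFs
    routinely park the interesting dictionaries inside compressed object streams."""
    bodies = []
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            bodies.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate, or damaged; the raw bytes are scanned regardless
    return bodies


def triage_pdf(data: bytes, inflate: bool = True, unescape: bool = True) -> dict:
    """Count risky names in the raw file and (optionally) in every inflated stream."""
    haystacks = [data] + (inflate_streams(data) if inflate else [])
    if unescape:
        haystacks = [normalize_names(h) for h in haystacks]
    hits = {}
    for h in haystacks:
        for name in RISKY_RE.findall(h):
            key = "/" + name.decode()
            hits[key] = hits.get(key, 0) + 1
    verdict = ("active content present; do not open it on a machine you care about" if hits else
               "no active content found (not a clean bill of health: encrypted or "
               "non-Flate-filtered objects are not inspected)")
    return {"hits": hits, "streams_inflated": len(haystacks) - 1, "verdict": verdict}


def build_sample_pdf(with_payload: bool) -> bytes:
    """Constructed sample (not a conforming PDF: no xref table). With the payload,
    the catalog carries a hex-escaped /OpenAction whose JavaScript action lives
    inside a FlateDecode object stream, invisible to a raw-bytes keyword scan."""
    catalog = b"<< /Type /Catalog /Pages 2 0 R"
    if with_payload:
        catalog += b" /Open#41ction 6 0 R"  # #41 is 'A'; object 6 is inside the ObjStm
    catalog += b" >>"
    objs = [catalog,
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >>"]
    if with_payload:
        packed = zlib.compress(b"6 0 << /S /JavaScript /JS (app.alert(1)) >>")
        objs.append(b"<< /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length %d >>\nstream\n"
                    % len(packed) + packed + b"\nendstream")
    parts = [b"%PDF-1.7"]
    for num, body in enumerate(objs, start=1):
        parts.append(b"%d 0 obj\n" % num + body + b"\nendobj")
    parts.append(b"trailer\n<< /Root 1 0 R >>\n%%EOF")
    return b"\n".join(parts)


if __name__ == "__main__":
    print("benign      :", triage_pdf(build_sample_pdf(False)))
    print("raw scan    :", triage_pdf(build_sample_pdf(True), inflate=False, unescape=False))
    print("full triage :", triage_pdf(build_sample_pdf(True)))
```

Run it against a real file with triage_pdf(open(path, "rb").read()). A file that reports nothing can still be hostile (the renderer itself may be the target, and streams using other filters or encryption are not inflated here), but a file that reports /OpenAction and /JavaScript has told you all you need to know about where to open it, which is nowhere you log in from.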
Just Like In A Real Movie
The payoff for handling this infernal document came approximately 24-48 hours later. I have described what happened to people as “being hacked like in a movie” because the visual and audio cues were substantial and extremely dramatic.
It was mid-day, 2:57PM to be exact. I was on my MacBook Air, which is my standard daily driver computer that I use for being on the internet and related tasks and not the cheap Asus running Windows with which I opened the PDF36, though I did at least handle the PDF file on both machines, and who knows what evil the macOS thumbnail preview may have wrought.
All of a sudden windows started opening. A lot of windows. And then the text to speech reader activated and began stuttering while presumably attempting to read all these open windows. The effect was not unlike Jodi's 1990s work 'My%Desktop' that was recently made the first piece of "net art" officially canonized by the curators of the Museum of Modern Art (albeit with considerably less humour). I was able to notice that many of these windows seemed to be the small, centrally located type of window that comes up when you view elements of your OS X keychain... But I didn't have time to ascertain what I was looking at because I also noticed someone37 tabbing the active focus application over to GPG Tools38.
I reached for the power button and held it down for what seemed like an awfully long time but was probably not a long time at all as the text to speech lady stuttered and stammered... and then poof the computer was off.
At this point I knew I had been hacked. If you are still lucky enough to count yourself among the unhacked, let me assure you that it is not a good feeling.
I assumed (and still assume, given the lack of any security updates pertaining to accessibility features from Apple since this happened) that there was some way for an attacker to hook into the text to speech reader and get all the characters being read sent to themselves over the internet as the onscreen words are processed by the accessibility framework. Perhaps it was related to “Universal Control" one of the many, many terrible ideas given form by the engineers at 1 Infinite Loop in the last few years.
Aside from the fact that you should file “Universal Control” in the incredibly long list of features to immediately disable after logging into a new installation of macOS, it has historically been the case that an up to date macOS with all security patches installed has been at least reasonably difficult to actually hack... But the fact that these attackers had managed to get through my firewall39, onto the burner Windows machine, and then leapfrog to the MacBook suggested they were at a minimum quite skilled, which in turn increased the likelihood that they had managed to penetrate devices on my network beyond just the Windows burner and the new MBA. I unplugged my router and pondered my next move.
On the plus side40, the fact that they went for my keychain in this blatant (and loud) fashion suggested that they hadn't achieved root level access to the computer yet. They just had some kind of access to... something. I had also had the good fortune of having my fingers on the keyboard when all this started so it seemed likely I had managed to power down the machine before they had got everything they might have wanted to get from it - or at least that's what I told myself.
Over the course of the night I managed to convince myself that, all things considered, having my keychain hacked or some data exfiltrated from this computer wasn’t the end of the world. I don’t store much of anything in my laptop’s keychain. I keep backups. I encrypt important stuff. I actively avoid things like Apple’s entire iCloud ecosystem. Any account I have of even moderate importance has multi-factor authentication turned on and my most important accounts got upgraded to physical hardware based authentication when I joined The Privatized Public Square a few months ago41. All in all I suspect I am probably a pretty annoying person to hack, given that my online existence is something of a rabbit's warren made up of many, many accounts registered with many different email addresses managed by several different email address providers each with a unique and cryptographically strong password... and critically never, ever, ever linked to the string of characters the government requires that I enter into the "name" section of my tax returns42. But while I was quite sure that this maze of online accounts built up over a lifetime of paranoia43 would provide at a minimum some lead time as whoever had hacked me tried to figure out who I actually am, where I actually live (sometimes, at least), and who I might be banking with, I was quite unsure about what to do with my phone. The system design of an iPhone makes iPhone attacks extremely difficult to pull off but unlike a lot of the Apple zealots on the Apple discussion fora who greet any and all questions about potential hacks with “Apple devices can’t be hacked,” I knew that no man made device is infallible. I decided to keep my phone mostly off in the unlikely event it had been compromised in some way but to generally assume it was “safe” and use it when I needed to communicate.
I now suspect that was The Wrong Choice.
Another Turing Machine Into The Fire
Given that the one absolutely surefire way to avoid being hacked is to not turn on your devices I left the victimized machine powered down. The next morning in order to have some way to access the internet in a totally clean slate unhacked fashion I went and bought a new MacBook Air from the Apple store. I was also planning on buying a new iPhone but on the way to the Apple store I encountered something I had not seen before: a Google store44.
Not relying wholly on the big tech company whose security technology had just been totally pwned before my very eyes in spectacular fashion seemed like an excellent idea so I went in and bought a Pixel 5 and a GoogleFi45 plan to go with it. GoogleFi meant I could use the Pixel as a hotspot and get very tolerable speeds while leaving my home router in the critical “off” state, and the fact that it (GoogleFi service) came with a permanent VPN was extra appealing at this juncture, even though VPNs are generally far more useless than your average VPN subscriber understands them to be. Thus it was that shortly thereafter I was back online with brand new devices that had never touched the old devices which were still in that critical “off” position.
The Arms Race Begins
I said before that I don’t keep much of anything in my mac’s keychain, which is true. Unfortunately for me, however, as zealous as I am generally about my identifying information, existing in the world of Macs and iPhones without giving a phone number and a billing address46 with which to process your writs of credit to the mega corporation called Apple was a bridge of inconvenience too far even for me.
Apple uses these pieces of information - especially the phone number - to link your devices together, which unfortunately means they can be found in your keychains. Given that my keychain had almost certainly been at least partially read by the attackers I was reasonably sure they had gotten ahold of both of these critical pieces of information.
This suspicion was confirmed the next day when I received this Signal message on my iPhone:
+85 is Hong Kong. I haven’t known anyone in Hong Kong since the pre-pandemic era. I’ve also never received a single spam via Signal. Given that I knew that the one personal piece of information I was reasonably sure had been swiped was my phone number I felt pretty comfortable assuming that this came from the same people who had hacked my MacBook… so I ignored it. Did not respond and moved on with my day, figuring that if I didn’t engage them at all on Signal and kept my hacked computer off / disconnected from the internet that the attackers couldn’t really do much.
Little did I know that in a month’s time Apple would announce a massive security flaw in both iOS and macOS. A flaw that Apple would publicly admit was already being exploited “in the wild” by criminals right around the time I got this SMS. A flaw that specifically meant all recent Macs, iPhones, iPads, etc. could be hacked just by looking at maleficent content... and one of the ways that maleficent content could be delivered was instant messages previews.
Bravo, Apple. Bravo.
I will take a moment here to rage about the fact that Apple will give you a security patch but they will never in a million years notify you if they find your device has been hacked - something they absolutely know - when applying that patch. Such are the wounds that liability insurance law has inflicted upon humanity.
Now obviously I haven’t proved beyond a shadow of a doubt that this Signal message has malicious content in the sense of decompiling byte code or locating the IP address it called out to so feel free to be a sceptic despite all the preceding information, but if anyone who works at Signal wants to take a look at the contents of this message to see if I’m correct, get in touch if you need any more information. What I can prove, however, is some of the events that happened in the immediate aftermath of the receipt of this Signal message. Events that fit a fact pattern suggesting these attackers were able to move from any device in my vicinity to almost any other device in my vicinity.
Turing Machines And Fires, Part II
At the time of writing almost two months have passed since the initial breach, and between the general frailty of human memory and the pressures of the series of escalating hacks that followed I cannot recall what exactly fully convinced me that my first brand new computer had been hacked despite all of the following being true:
It had never connected to any previous device I had owned (at least not intentionally).
It had been registered with a brand new Apple account.
It had only connected to the internet through GoogleFi VPN via a Pixel hotspot.
I have vague memories of generally ghostly things happening on screen. At some point something like an open book icon appeared on my screen and faded out despite the fact that I was not doing anything with books, bookmarks, or anything related to either. I have far less vague memories of Bluetooth refusing to stay “off.” In any event, I shortly returned this first new MacBook Air to the Apple store and told them I thought it was hacked. The kind folks at the Apple store let me exchange it for a second new MacBook Air47, and for that one my memory of discovering the hack is incredibly vivid and the evidence is compelling.
It was roughly 4-5 days after the text to speech event. I was getting increasingly paranoid, checking the Apple system logs48 with increasing frequency - at least 5-10 times a day during the 2 days I used this computer. I resorted to making sure that when I did “embarrassing"49 things like undressing or things that certain kinds of people might want to keep private like smoking weed, etc. I was in view of the camera, after which I would immediately check the logs. Never saw anything untoward and was slowly able to convince myself I was back in control of my own cyber destiny.
Then, as I was going to bed early one morning, I decided to see what would happen if I was perusing X rated content on my machine… and, well, that did the trick. When I opened the console logs there was a torrent of 3 kinds of events that I can remember:
Video/audio recording being enabled
StreamingZipService compressing files and transferring them somewhere
Both of the above being triggered by something called IMDMessageServicesAgent
My conclusion was that someone was triggering the recording of audio and video on my computer by sending me some kind of instant message triggers. And even though I had opened the logs specifically looking for something exactly like what I was seeing, I was still totally stunned.
And then… the logs stopped. And then moments after that suddenly those 3 kinds of log message were - poof! - gone from the Console logs.
My assumption is that the hackers were able to observe my screen and rather quickly - though not immediately - noticed me noticing the evidence of their intrusion pouring across my screen in the form of log messages, at which point they reached for their “leave no trace” button50. On my end, after a moment of dumbfoundedness, I reached for the power button (again).
Fortunately a) the logs I was looking at were not the only - or even primary - place logs live on macOS these days and b) I have a great deal of professional expertise dealing with the collection and analysis of unruly chunks of information like log files. Even if they scrubbed the most egregious messages from the logs they would still leave a trace... and they did.
How do I know? I spent most of a month writing a tool51 that collects all the logs from all the sources on a macOS system into a database where they can be easily analysed and then analysing them obsessively, both of which tasks are fortuitously exactly the kinds of information engineering I know far too much about.
Behold, the logs of my camera getting turned on by the kernel 10 times between midnight and the time I noticed the activity:
When I compare the logs of my other computer, I can always line up the camera activations with times I actually used Zoom or FaceTime or whatever… But I can assure you that at the time these logs are from I was not activating my own - or any other - camera.
There’s also these logs, showing that at least 4 processes were connected to the camera at that time.
Or these ones, which I can’t conclusively say were pernicious but certainly give off a strong vibe of being so:
What, you may ask, is mdmclient? Well, you can read about it on Apple’s page here. tl;dr: mdmclient is one part of a multilayered device management service Apple offers to their large scale corporate/government customers, the entirety of which is literally invisible to the average Apple consumer52. "Profiles", as the overall system is often referred to, allows those large scale customers to limit, monitor, and control the range of possible activities on the devices they give to their employees. In particular it seems designed to stop Joe Cubicle and Jill Homeoffice from engaging in Unapproved Workplace Activities during work hours. Things like watching basketball games, streaming camgirl porn, and gambling in the cryptocurrency markets.
So what, pray tell, was it doing on my brand new MacBook Air, downloading and unzipping tons of stuff from a remote Instant Message server? And I do mean tons of stuff… but somehow all of it having to do with the video and audio system53.
That’s just the tip of the iceberg - there are many, many more logs that are suspicious. Processes that don’t appear on my other machines with names like AKAuthorizationRemoteViewService or ViewBridge or com.apple.coremedia.videoencoder. Speech synthesis services. Siri voice activation profiles54. Phantom displays (5 of them at one point) being activated despite my use of a single external monitor. I can’t post them all here (nor would you want to look at them) but one thing I will say is that it is extremely difficult to separate the dangerous from the innocuous in Apple’s system logs. Weeks of intense analysis of the copious amounts of data spewing from Apple’s data firehose quickly taught me that as suspicious as I may be about any one process, it’s always far, far more likely that that process is totally innocent of my insinuations55.
Or at least that’s true individually. It’s quite a different story when you look at the all the other activities and then compare them in aggregate with the activity patterns I’ve collected and observed on a macOS system I have monitored far more closely.
And those camera activations… they cannot be explained by other means.
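What a tool of the kind described above boils down to, as an added illustration rather than the author's code: export the unified log (log show --style ndjson --last 2h writes one JSON object per line), load each machine's export into SQLite tagged with its hostname, then ask three questions of it. Which records touched the camera? What else was logging in the seconds around each of those (the way a legitimate activation lines up with Zoom or FaceTime)? And which process paths show up on the suspect Mac but never on a known-good one? The log lines below are constructed to mimic the export format (the field names are the ones log show emits; the host names, times and process paths are invented); the camera filter, the com.apple.cmio subsystem or any message mentioning the camera, is a heuristic to tune against a machine you trust, not an Apple-documented contract.

```python
"""Load macOS unified-log exports into SQLite and ask: which records touched the
camera, what else was logging around each one, and which processes appear on the
suspect Mac but never on a known-good Mac.
Added example, not the author's tool. Log lines are constructed to mimic
`log show --style ndjson` output; hosts, times and process paths are made up."""
import json
import sqlite3
from datetime import datetime

TS_FMT = "%Y-%m-%d %H:%M:%S.%f%z"  # timestamp layout emitted by `log show`

# Heuristic camera filter: the CoreMediaIO subsystem or any message mentioning the
# camera. Tune it against a machine you trust; it is not an Apple-documented contract.
CAMERA_WHERE = "(subsystem LIKE 'com.apple.cmio%' OR lower(message) LIKE '%camera%')"

# Constructed export from the suspect machine (night-time, nobody at the keyboard).
SUSPECT_NDJSON = """\
{"timestamp":"2022-08-02 00:14:07.210+0200","processImagePath":"/usr/libexec/mdmclient","processID":418,"subsystem":"com.apple.ManagedClient","category":"Default","eventMessage":"Received request to process payloads"}
{"timestamp":"2022-08-02 00:14:09.530+0200","processImagePath":"/kernel","processID":0,"subsystem":"com.apple.cmio","category":"Default","eventMessage":"Camera device powered on"}
{"timestamp":"2022-08-02 00:14:09.811+0200","processImagePath":"/System/Library/PrivateFrameworks/IMDPersistence.framework/IMDMessageServicesAgent","processID":502,"subsystem":"com.apple.imfoundation","category":"Default","eventMessage":"Incoming message handled"}
{"timestamp":"2022-08-02 00:14:10.002+0200","processImagePath":"/usr/libexec/StreamingZipService","processID":731,"subsystem":"com.apple.streamingzip","category":"Default","eventMessage":"Compressing 41 files for transfer"}
{"timestamp":"2022-08-02 00:31:44.907+0200","processImagePath":"/kernel","processID":0,"subsystem":"com.apple.cmio","category":"Default","eventMessage":"Camera device powered on"}
{"timestamp":"2022-08-02 00:31:45.118+0200","processImagePath":"/usr/libexec/avconferenced","processID":640,"subsystem":"com.apple.avconference","category":"Default","eventMessage":"camera stream started for remote session"}
"""

# Constructed export from a known-good machine: one camera activation, during a Zoom call.
BASELINE_NDJSON = """\
{"timestamp":"2022-08-02 11:02:13.330+0200","processImagePath":"/usr/libexec/mdmclient","processID":402,"subsystem":"com.apple.ManagedClient","category":"Default","eventMessage":"Periodic check-in"}
{"timestamp":"2022-08-02 11:02:15.001+0200","processImagePath":"/kernel","processID":0,"subsystem":"com.apple.cmio","category":"Default","eventMessage":"Camera device powered on"}
{"timestamp":"2022-08-02 11:02:15.200+0200","processImagePath":"/Applications/zoom.us.app/Contents/MacOS/zoom.us","processID":2210,"subsystem":"us.zoom.xos","category":"Default","eventMessage":"Video capture session started"}
"""


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, TS_FMT)


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE logs (
        host TEXT, epoch REAL, ts TEXT, process TEXT, pid INTEGER,
        subsystem TEXT, category TEXT, message TEXT)""")
    return conn


def load_ndjson(conn: sqlite3.Connection, host: str, text: str) -> int:
    """Insert one export, tagged with the host it came from; epoch makes windows cheap."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        r = json.loads(line)
        rows.append((host, parse_ts(r["timestamp"]).timestamp(), r["timestamp"],
                     r.get("processImagePath"), r.get("processID"),
                     r.get("subsystem"), r.get("category"), r.get("eventMessage")))
    conn.executemany("INSERT INTO logs VALUES (?,?,?,?,?,?,?,?)", rows)
    return len(rows)


def camera_events(conn: sqlite3.Connection, host: str) -> list:
    """(ts, process, message) for every camera-related record on host, oldest first."""
    return conn.execute("SELECT ts, process, message FROM logs WHERE host = ? AND "
                        + CAMERA_WHERE + " ORDER BY epoch", (host,)).fetchall()


def processes_near(conn: sqlite3.Connection, host: str, ts: str, window_s: int = 5) -> list:
    """Other (non-camera) processes that logged within +/- window_s of ts: the thing
    to line a camera activation up against. Zoom? FaceTime? Or nothing you started?"""
    centre = parse_ts(ts).timestamp()
    rows = conn.execute("SELECT DISTINCT process FROM logs WHERE host = ? AND epoch BETWEEN ? AND ? "
                        "AND NOT " + CAMERA_WHERE + " ORDER BY process",
                        (host, centre - window_s, centre + window_s))
    return [r[0] for r in rows]


def processes_missing_from_baseline(conn: sqlite3.Connection, suspect: str, baseline: str) -> list:
    """Process paths seen on the suspect machine and never on the known-good one.
    Leads, not verdicts: two machines never run exactly the same software."""
    sql = ("SELECT DISTINCT process FROM logs WHERE host = ? "
           "EXCEPT SELECT DISTINCT process FROM logs WHERE host = ? ORDER BY process")
    return [r[0] for r in conn.execute(sql, (suspect, baseline))]


def build_demo_db() -> sqlite3.Connection:
    conn = open_db()
    load_ndjson(conn, "new-mba", SUSPECT_NDJSON)
    load_ndjson(conn, "old-mbp", BASELINE_NDJSON)
    return conn


if __name__ == "__main__":
    db = build_demo_db()
    for host in ("new-mba", "old-mbp"):
        for ts, proc, msg in camera_events(db, host):
            print(host, ts, proc, msg, "| nearby:", processes_near(db, host, ts))
    print("on new-mba but never on old-mbp:", processes_missing_from_baseline(db, "new-mba", "old-mbp"))
```

The point of the nearby-processes query is the one the author makes about lining camera activations up with Zoom or FaceTime: on the baseline machine the activation sits next to a video conferencing app; on the suspect machine it sits next to a message-handling agent and a compression service and nothing the user launched. On real exports, load the baseline from a machine you trust and expect the missing-from-baseline list to be long and mostly boring; it narrows what to read, it does not convict.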
The Androids Are Watching
At this point the list of “there’s no way this device has been hacked” had shrunk to a single item: my new Google Pixel phone56. With the caveat that I was extremely jumpy and poorly rested, it seemed like the phone was... taking screenshots? On its own, unbidden? Being new to Android I wasn’t sure if I was just losing my mind to paranoia or if this was real. But eventually I figured out that there’s a mode Android users can engage to check background processes on Android devices, which is when I found this running on my brand new Pixel:
What, pray tell, is org.codeaurora.ims.autogenerated_rro_product__? Googling it leads to gibberish like this. Given the circumstances this was… unnerving. So I spoke to some friends who hold senior engineering positions at Google (albeit not in the Android division) with similar devices issued to them directly by Google. These friends confirmed that a) they also had the Signal app but b) their Pixels were not running this org.codeaurora.ims.autogenerated_rro_product__ process. Nor were their devices running this far more ominous process:
Now, Qualcomm57 is the manufacturer of the chip inside the Pixel 5, so it’s not crazy to think that there was a legit service like this running on the phone. But strings like com.qualcomm.uimremoteclient are just that - strings. Contrary to what many non engineers seem to believe there is absolutely nothing in the way of signature or encryption verification or whatever that stops you from calling your app com.google.spy_on_owner58, which means that names similar to ones users would expect to see would be... exactly the kind of thing hackers would use to hide their malicious processes. Thus I wasn't totally surprised to discover that Hybrid-Analysis (a well regarded malware data collector) flags Android processes with this name as at least suspicious.
Finally (and perhaps most alarmingly of all) searching on DuckDuckGo for the string com.qualcomm.uimremoteclient somehow leads to this:
Which is… a student project hosted on the official Qualcomm site that turns your phone into a device that spies on you59. Woof.
Given all that, the fact that someone posted this explanation of the process on Reddit a few weeks ago is just kind of the icing on the cake:
I also weirdly found a second user on my phone named… Signal. Like the app, but a user instead of an app. My friends over at the Googolplex could not find any extra users in their phones.
Note that this Android device:
Was bought at the Google store.
Had no apps on it except Signal, which I installed at the Google store.
Had never connected to any WiFi or Bluetooth other than the WiFi at the Google store.
Had all Bluetooth/WiFi/etc. turned off before leaving the Google store.
Maybe the above screenshots show totally normal processes. Maybe having a second user named Signal on your Android device is normal60. Maybe all of this stuff is normal on a new Google Pixel. I’m more than willing to concede that I’m wrong about this Android stuff and these were normal system processes - in fact I would love for that to be the case, because at this point I cannot confirm or disprove these statements myself.
I don’t have the phone any more. I hurled it back into the gaping maw of the Google store61 as if it were The One Ring being heaved into the fires of Mount Doom.
Still Not The End
At this point I have only my iPhone left as far as communicating with the outside world, which is why it was particularly alarming that as I tried to configure emergency dialing on my iPhone (in case someone physically attempted to enter my residence) my phone suddenly decided to not let me do that. I was searching system settings for “emergency”. I got as far as “emerg”… and then the phone seized up for a second and the search bar just up and retracted itself.
Maybe I was so discombobulated and paranoid at that point that there's an innocent explanation for this but it wasn't something I had ever seen an iPhone do before. It felt like I was being toyed with. A “look what we can do” type move - and one that comports perfectly with at least the lesser of the two major security vulnerabilities announced by Apple in late August of 2022. Taken together with my suspicions about my Android device's continual need to take unrequested screenshots and photographs it meant that at that point I didn't even really have a reliable way to call 911. Needless to say this was Not A Good Feeling62.
Pack It Up Before You Pack It In
I’m running out of gas here as far as writing all this out63 but many more things happened over the course of the night of July 20th64:
I went to turn off the Android and someone hit the power button before I did, I suspect putting it into a fake “off” mode where it was still on.
Bluetooth was turning itself on across many devices.
An old, out of date computer I had turned on for a moment to look at something ended up in a state where it could not be powered off. I would hold the power button down and it would seem like it was going off, but then when I powered it back up it would come up immediately - no boot chime and no wait time65. This is made more alarming when you consider "NoReboot," a proof-of-concept technique published in January 2022 that fakes an iPhone's shutdown and restart while the device actually stays running.
A friend’s Windows machine that lives at my space reported that it had discovered/quarantined at least one new malware process.
The How At The End Of The Why
I still cannot say for sure how they did all this. For a while I thought they must have physical proximity to be able to hack all these devices so quickly, but given the revelations about Apple devices’ massive security breaches being actively exploited “in the wild” I now suspect the answer is a lot more obvious: the one device I considered the least hackable/safest to use - my iPhone - was at least to some degree under the hackers’ control. Enough of a degree to communicate with devices near the iPhone over Bluetooth or P2P WiFi.
As far as why they might have done this, one thing that has gone unmentioned is exactly what kind of evidence I was collecting and to whom I was talking in the immediate prelude to the events described above. Unfortunately given the sensitivities involved I am not at liberty to disclose that kind of information but suffice it to say that while I can’t actually prove these attacks came from any particular organization or person, I have very strong reason to suspect these attacks came from agents of the crypto-sphere who had a strong vested interest in a) stopping me from continuing my research and b) disabling my social media presence if not my entire digital life. At a minimum, given some minor mistakes they made when they took certain actions to reconfigure some of my online accounts, I suspect they were trying to disable my principal account (as they have done to several other cryptocurrency sceptics66). That and/or spy on me/gather embarrassing evidence that could be used to discredit me if I ever try to post the fruits of that research.
But nothing is certain. This could all also have easily been the work of a few degenerate malcontented cryptocurrency HODLers67 who had stumbled onto the Apple vulnerabilities just as the knowledge of those vulnerabilities was starting to really spread among the cybercrime underworld and maybe all they were after was trying to swipe my bitcoins and ethereum68. I’ll probably never know.
The Postum Of the Scriptum
Several times throughout this saga I discovered the attackers had managed to penetrate and reconfigure some aspect of one of my more critical accounts69 which left me wondering if they were just setting everything up for one final giant swipe of my digital life. While in the end the relatively good security practices I’ve used online meant I got to keep control of accounts, my money, and (eventually) my sanity (albeit perhaps not my privacy) it would be hard to overstate how touch and go - and honestly quite terrifying - it all felt for a lot more than a couple of minutes there.
I would also note that as all of this was happening to me - someone with a theoretically extremely high degree of professional education and experience on the subject of computers, data, and all the rest - one thought that continually occurred to me was that your average person who uses a computer/phone/whatever in 2022 would have almost no chance of detecting - let alone stopping - any of this activity quickly enough to prevent the worst potential outcomes that can crop up when unscrupulous internet thieves have achieved control of the inner digital sanctum known as one’s personal computer.
I mentioned earlier that I had upgraded my authentication scheme to entail the use of physical hardware keys not long before this nightmare all began. My reasoning at the time was exactly this:
“Hardware keys cost like $60-90 and can be set up in less than 20 mildly aggravating minutes. It’s definitely a pain but if I don’t do this and some angry crypto bro nails me with a 0-day hack, I will deeply, deeply regret it. Therefore I should order the hardware immediately.”
Which I did - and boy am I glad I did. Because by the time you find a need to actually set up that multi-factor auth scheme your more tech savvy friends have been nagging you about for years it will be far, far too late. Sure, in the real world (unlike the cryptocurrency world) identity theft70, remote monitoring, and unauthorized bank transfers are recoverable incidents, but they are still miserable things to deal with. And despite being reversible, they definitely have a real capacity to do at least mild amounts of permanent damage to your reputation, your credit, and your friendships. So I feel compelled to leave you with one final thought:
Don’t fuck around with your online security.
Whatever you’ve been putting off doing to make your cyber life more secure, go do it. Because this won’t be Apple’s (or Google’s, or anyone’s) last major security breach. It probably won’t even be their last one in the 3rd quarter of 2022.
Translated as “victims.”
Facebook still has a corner on the health and wellness scam market, even if Youtube is giving them a run for their money recently.
Bear in mind that I’ve never been on Discord, which I hear is a particularly rough cyberhood.
After more research I would now classify those guesses as wrong on the details but directionally accurate.
Also known as “Twitter”.
“Spearphishing" is the generally accepted term of art for this behaviour.
By which I guess I mean “Meta” but I still can’t take that particular corporate rebranding seriously.
If forced to put a number on it I'd say the odds I was spearphished by someone upset about my hypotheses on the extremely niche topic of how certain stablecoins manage their fiat backing at around 65% - better than a coin flip but nowhere close to certainty.
Heartbleed. Log4J. Pegasus. Equifax. If those names are not ones you recognize then let me be the bearer of some bad news: as smart as the engineers at the big tech firms are and as much as the advertising done by those firms wants you to believe that their superior engineering will keep your data safe, we actually live in a world where insanely easy to exploit security holes that exist in literally hundreds of millions of devices get discovered at least once a year.
Rumours are that they do not call themselves the Lazarus Group, but I for one would like to suggest they stick with it. The image of Lazarus adds a lot to the mystique, especially compared to other names they are rumoured to use like WhoIs Team, or ZINC. If anyone from Lazarus Group ever reads this, take it from a native English speaker: it’s the name you want.
Reported in the press at $650 million, though it’s worth reading Molly White’s piece on cryptocurrency market caps before believing that number.
Like many people, I have wondered how it came to pass that people from possibly the last area of the world without some kind of access to the internet are so good at hacking. Then I remembered videos like these and remembered that hacking is a skill much like any other.
Among the many flaws in my approach to the situation, it is unfortunately the case that the Axie hack had definitely given me a false sense of security about opening suspicious PDFs. When a hack that spectacular happens to a technology, that technology gets a lot of sudden security updates. It’s the same phenomenon that makes your local gas inspector get way more serious about his job every time a local building suddenly blows an entire row of houses to smithereens.
Humans can only keep track of a finite number of the problems our technology’s existence creates for us and whichever one has created the most explosions (of any kind, not just physical) recently is going to get the kind of focused attention that solves the problems causing the explosions. “The squeaky wheel gets the grease,” as they say. Especially when that wheel squeaks so loud that Silicon Valley billionaires get jacked for $650M.
At least theoretically Hong Kong based.
One thing I definitely blame crypto bros for is the fact that I now wince when reading or typing the word “fiat.”
More than long enough to see both that the customers were never going to get any money back and also that the owners and operators of Hoo were going to be dishonest about it for as long as they could get away with.
Many call them “shitcoins.”
Bringing English diacritics back.
As vicious as the responses are to the Hoo official Twitter account, I can assure you they were more vicious on his personal account.
1,000
There were inevitably a few tweets on each thread urging patience. While most of those were probably bots and/or sock puppets controlled by Hoo, there really were some sad souls who believed that they would get their money back. The human capacity to disbelieve what is in front of one’s own eyes if what one is seeing is disadvantageous to one's own fortune is incredibly powerful.
AEX Global was doing the exact same thing but there wasn’t any small tidal wave of Twitter fury. I found this mystifying up until the moment I went in the Chinese language AEX related Telegram channels and realized the reason wasn’t a lack of anger. Different populations speaking different languages adopt different social media channels and the only reason there was no AEX related Twitter fury is because Chinese language speakers… don’t really use Twitter.
Seems like a good time to mention that AEX claims to be based in London.
I had uninstalled it because I had been told it was not very secure.
I think this is called “journalism”. Perhaps some of the writers at The New York Times should give it a try.
Via a mechanism that I don’t want to disclose here lest he get in even more hot water than he seemed to be in.
Cryptocurrency is different from previous economic manias in several key respects, but maybe chief among them is the fact that it is the world’s very first truly global mania.
It also seemed to confirm my suspicions about the link between AEX and Hoo. Or maybe the fact that AEX somehow also got raided by the Chinese police on the exact same day is just a coincidence. Either way all of what’s reproduced here is far from the whole Hoo saga but this piece is about getting hacked and we need to get back to the point. If you want to read more about what happened with Hoo and AEX you can check out otteroooo’s summary thread, my own threads from the days before the initial breach, or on web3isgoinggreat.
And if you have any more recent information about either exchange feel free to reach out. I’d love to know what became of them.
Lazarus meaning the dead guy Jesus brought back to life 2,000 years ago, not the stylishly named North Korean hackers of the present day mentioned earlier.
!
At least when compared to the Chinese equivalent of an agency like the FBI.
I don’t remember which one and I’m not about to re-open Telegram to find out.
VirusTotal is owned by Google. It also seems to be the preeminent site for checking files for malicious content, though there are a handful of others of note as well.
I was sort of hoping that if I opened it through Gmail it would be rendered on Google’s servers rather than on my computer.
I have done an extensive analysis of what was malicious about this PDF that I was going to include here but it deserves its own post. But long story short it abuses the old Adobe font system from the 90s to launch some JavaScript - JavaScript that’s stored in a way that most analysers can’t see.
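The footnote above says the JavaScript was stored where most analysers don't look. The general check a practitioner wants is to inflate every stream before grepping, since a scanner that only reads the raw bytes misses a /JavaScript action sitting inside a FlateDecode stream (typically an object stream). The following is an added example, not the author's analysis of the Hoo PDF and not a claim about how that file hid its payload; the sample PDF is constructed inline, with a schematic layout (no xref table) that is enough for a byte scanner.

```python
"""Look for PDF JavaScript hidden inside compressed streams.

Added example, not the author's analysis of the Hoo PDF: a scanner that greps
the raw bytes only will miss a /JavaScript action that sits inside a
FlateDecode stream, so every stream is inflated and scanned as well.
The sample PDF is constructed here for illustration.
"""
import re
import zlib

# Names that mark active content or triggers in a PDF.
KEYWORDS = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile"]
# stream ... endstream bodies; the lookbehind keeps "endstream" from starting a match.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def count_keywords(data):
    """Count each keyword as a whole name (so /JS does not also count /JSx)."""
    return {k.decode(): len(re.findall(re.escape(k) + rb"(?![A-Za-z])", data))
            for k in KEYWORDS}


def inflate(body):
    """Inflate a stream body if it is zlib data, else return None."""
    try:
        return zlib.decompressobj().decompress(body)
    except zlib.error:
        return None


def scan_pdf(data):
    """Return keyword counts for the raw file and for the inflated streams."""
    raw = count_keywords(data)
    inflated = {k.decode(): 0 for k in KEYWORDS}
    streams = inflated_ok = 0
    for m in STREAM_RE.finditer(data):
        streams += 1
        plain = inflate(m.group(1))
        if plain is None:
            continue
        inflated_ok += 1
        for name, n in count_keywords(plain).items():
            inflated[name] += n
    return {"raw": raw, "inflated": inflated, "streams": streams, "inflated_ok": inflated_ok}


def verdict(report):
    """True when JavaScript only shows up after inflating streams (the raw scan was blind)."""
    r, i = report["raw"], report["inflated"]
    return (i["/JavaScript"] + i["/JS"]) > 0 and (r["/JavaScript"] + r["/JS"]) == 0


def build_sample_pdf():
    """Constructed sample: the only /JavaScript lives inside a Flate-compressed object stream.

    Schematic layout (no xref table); the /OpenAction trigger is visible in the
    clear but the action object it points to is compressed.
    """
    hidden = (b"1 0 obj\n<< /S /JavaScript /JS (app.alert('constructed sample'); "
              b"app.launchURL('http://example.invalid/')) >>\nendobj\n")
    body = zlib.compress(hidden)
    return (
        b"%PDF-1.5\n"
        b"2 0 obj\n<< /Type /ObjStm /N 1 /First 0 /Length " + str(len(body)).encode()
        + b" /Filter /FlateDecode >>\nstream\n" + body + b"\nendstream\nendobj\n"
        b"3 0 obj\n<< /Type /Catalog /Pages 4 0 R /OpenAction 1 0 R >>\nendobj\n"
        b"%%EOF\n"
    )


if __name__ == "__main__":
    rep = scan_pdf(build_sample_pdf())
    print(rep)
    print("JavaScript visible only after inflating streams:", verdict(rep))
```

Run it against a real file with `scan_pdf(open(path, "rb").read())`; a raw count of zero next to a non-zero inflated count is exactly the "most analysers can't see it" situation, and the next step is to extract that stream and read the script rather than trust the counts.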
In retrospect it seems foolish to have used a crap computer as a burner, because the crap computer is also probably the most vulnerable. But at the time it seemed reasonable to think that I could just turn the computer off (forever) and be done with it.
Importantly someone other than me.
The standard application suite people use on Macs to handle their PGP encryption keys.
Perhaps more accurately described as “the firewall checkbox on my shitty ISP provided router.”
For me, not the hackers.
I upgraded because it seemed clear to me that if you were to look around at the world and contemplate who exactly might have access to the most sophisticated and scary zero day hacks outside of the CIA/FSB/MSS/Mossad, crypto bros would appear pretty close to the top of the list.
I will also point out that it should tell you something about the cryptocurrency industry that I felt upgrading my opsec was necessary just to talk about the industry in public… and then be proved 100% correct just a short time later.
I will offer up as evidence of my commitment to the cause the fact that two out of the three major credit ratings agencies in the USA don’t even know that I exist.
People have asked me many, many times why I go to such great lengths to conceal/misdirect my online identity. My answer is always the same: I understand how databases work.
Spacetime is truly a Möbius strip.
Google’s new service that basically is like having WiFi everywhere.
You can, however, avoid giving Apple your name, which I had done. In point of fact I avoid giving any online service my real name.
Though I suspect they may have entered the reason for the exchange as my preference for a dark grey machine over a silvery grey machine rather than because it had been hacked, but c’est la vie. I wasn’t trying to push a point I couldn’t, at least at that juncture, prove.
Or at least what I thought, at that time, were the logs, but which were actually the paltry residue of a logging system Apple has been trying to deprecate for the last two years.
Personally I lead a pretty post-embarrassment lifestyle but I don’t judge the many people who are not quite there yet.
Any even moderately serious hacker has a tool or script that will erase as much evidence of the intrusion as they can find. The system logs are without question the most important (and also the easiest, especially when compared to some other areas of computer forensics) evidence to get rid of.
Maybe one day I will open source this. I found myself very frustrated by the short lifespan of most of the system logs - some don’t even last 5 minutes - and given that I had the skills to solve the problem, I solved the problem.
The System Preferences icon for this “Profiles” service is not made visible until someone installs a profile on your machine and profiles are somewhat nontrivial to create.
I said that I’m not sure whether these are pernicious log messages but it’s worth noting that mdmclient didn’t show up on my third new machine ever until I downloaded some managed profiles from Apple to de-privatize some of the log messages. Out of something on the order of 65 million log messages from the 3rd MBA not a single one was from mdmclient.
I honestly question the sanity of people who choose to use services like Siri, Alexa, etc. that keep the device’s microphone on (and recording!) 24/7/365.
Easily over 99% of the log events (many with names even more suspicious than ViewBridge) that I initially thought were “mad sus” turned out to be nothing.
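Footnotes 54 and 56 through 61 describe two problems with doing this on macOS: the unified log drops some entries within minutes, and most of the scary-looking process names (ViewBridge, mdmclient) turn out to be noise unless something like a profile install backs them up. The following is an added example, not the author's unreleased log-capture tool, of the two steps together: pull a window with `log show`, append it to a file outside the log store, and rank entries per process while pulling out the management-related ones. The sample lines are constructed in the `--style syslog` layout and the WATCHLIST is an assumption, not a complete list of management daemons.

```python
"""Keep short-lived macOS unified-log entries and rank them by process.

Added example, not the author's own log-capture tool: the unified log keeps
some entries for minutes only, so this pulls a window with `log show`, appends
it to a file you control, and summarises which processes were busy, flagging
management-related ones. The sample lines below are constructed in the
`--style syslog` layout; WATCHLIST is an assumption, not a complete list.
"""
import collections
import re
import subprocess
from pathlib import Path

# `log show --style syslog` lines: "<date> <time> <host> <process>[<pid>]: <message>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<host>\S+)\s+(?P<proc>[^\[\s]+)\[(?P<pid>\d+)\]:\s*(?P<msg>.*)$"
)
# Processes tied to configuration profiles / device management (assumed watchlist).
WATCHLIST = {"mdmclient", "profiles"}


def parse_line(line):
    """Return (process, message) for a syslog-style line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("proc"), m.group("msg")


def summarize(lines):
    """Count entries per process and collect watchlist hits with their messages."""
    counts = collections.Counter()
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        proc, msg = parsed
        counts[proc] += 1
        if proc in WATCHLIST:
            hits.append((proc, msg))
    return counts, hits


def capture(last="5m", predicate=None):
    """Pull one window from the live log (macOS only; requires the `log` tool on PATH)."""
    cmd = ["log", "show", "--style", "syslog", "--last", last]
    if predicate:
        cmd += ["--predicate", predicate]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout.splitlines()


def persist(lines, path):
    """Append the window to a file outside the log store so it outlives the rotation."""
    p = Path(path)
    with p.open("a", encoding="utf-8") as f:
        f.write("\n".join(lines) + "\n")
    return p


# Constructed sample (not captured from a real machine); one junk line to show it is skipped.
SAMPLE = """\
2022-07-20 22:14:03.100000-0400  localhost kernel[0]: (apfs) apfs_vfsop_mount: mounted volume
2022-07-20 22:14:03.200000-0400  localhost mdmclient[412]: (ManagedClient) [com.apple.ManagedClient:MDMDaemon] Daemon checking in
--- constructed noise, not a log line ---
2022-07-20 22:14:03.300000-0400  localhost ViewBridge[533]: (ViewBridge) [com.apple.ViewBridge:ViewBridge] accessibility request
2022-07-20 22:14:03.400000-0400  localhost mdmclient[412]: (ManagedClient) [com.apple.ManagedClient:MDMDaemon] Profile installed
2022-07-20 22:14:03.500000-0400  localhost kernel[0]: (apfs) apfs_vfsop_unmount: unmounted volume
"""

if __name__ == "__main__":
    counts, hits = summarize(SAMPLE.splitlines())
    for proc, n in counts.most_common():
        print(f"{n:6d}  {proc}")
    for proc, msg in hits:
        print("WATCH", proc, msg)
```

Run `persist(capture("5m"), "~/logcapture/unified.log")` from a cron or launchd job every few minutes and the short-lived entries stop being short-lived; `capture(predicate='process == "mdmclient"')` narrows a window to one process when you want to confirm whether a profile really was installed.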
Actually it was my second Android phone within 48 hours. The first one I returned because I was jumpy about some events that I was later able to prove were innocuous, so it’s not worth making the first one part of the story.
And it’s worth mentioning that Qualcomm chips seem to have repeated issues with security. Last year there was a bug in the chipset that left something like 30-35% of people with several major models of Android phones vulnerable.
This is also true on Apple devices, FWIW. I proved this to myself by installing some of my own software as a root-level process called com.apple.pdfalyzer.
Theoretically it’s so you can keep track of your pets. LOL.
It’s worth noting that Signal has had some security issues of its own in the last few weeks.
Really I just returned it.
Understatement.
Though at least this time the attempt at writing this all down didn’t trigger my PTSD.
The same caveats about my sleep-deprived and paranoid state apply to all of these claims except the one about the NoReboot-style hack. I managed to capture some video of that but I’m too lazy to dig it up and post it here.
I believe I have video of this behaviour but for now you’ll have to take my word for it.
Mike Burgersburg of Dirty Bubble Media has had the misfortune of having his accounts swiped twice.
AKA “financial suicide bombers”.
I do not own any ethereum or bitcoin, but somehow lots of people assume crypto critics are just mad because we lost money investing in bitcoin and therefore probably still are holding some.
These details are omitted because they made one small but critical mistake which alerted me to their attempts. I don’t want to post the details lest they improve their tactics on the next person.
I feel compelled to mention that two of my close friends who are engineers at Google have had their identities stolen and loans/credit cards taken out in their name. In fact I think one of them had this happen twice. Point being: technical sophistication only gets you so far.
One question, have you considered the possibility that it was Lazarus? They've been going around hacking people using very similar techniques. Since you were on a crypto telegram, they may have posted to try and catch crypto employees, but accidentally found you. They probably decided to take a crack at you anyways. Heck, North Korea is probably pro crypto TBH.
Jesus christ this is the most terrifying thing I've ever read in my life.