A few years back I used to play this really stupid mobile game. I don't even remember what it was called. You had the party of fighters and you leveled them up or something. But the thing was, in the game there was an online chat option. And at any moment you could look at the people chatting to see what they're talking about in the game.
Well, if you've played any game that has online chat options, you know how toxic it can be. And this place was no exception. People were selling in-game gold that wasn't even possible. It was just all scams, because there was no way to send gold to anyone in the game. And there was just some real vile hatred spewed all over the place. The thing is, the people that did this felt like they could just hide behind their username that they created a minute ago. Because the worst case scenario is that they just might get banned from the game.
But I was a network security engineer, and I wanted to see if there was a way to learn more about the people who were saying rude stuff in chat. So I started a packet capture on my phone. All network traffic coming in and out of the phone was captured, and then I started looking through it. It wasn't easy; it's like looking for a needle in a haystack. But eventually I found what the packets looked like when they sent chat messages to me, and it was not encrypted,
which made it easy to crack the packet open and see exactly what was in those messages. And amazingly enough, the network traffic showed a lot more information about the user who was chatting than what was shown in-game.
In the game, all you see is a person's username. There's no way to see anything more about them. But the packets showed their username and user ID, which was just a very long number. Now, I was also noticing this game was interacting with one of their servers, and I saw how the game would look up user details. So I crafted my own packet to send to their server to look up a user, and whoa.
The server gave me their email address and IP address, and with an IP I can look up their general location of where they are in the world.
So armed with this, I went back into the game and waited for someone to start saying rude, horrible stuff. And there was this one guy being a real jerk, spamming all kinds of rude stuff, calling people names, and it was just not nice. And I told him, hey, stop being rude or else. He's like, or else what? I'm like, or else I'll tell everyone here your real name. I already know everything about you. And it was then that I grabbed all the packets from this chat, found his user ID, put it into the website, and got his email and IP address.
And actually from there, I looked up his email on Google and got his first and last name. Well, of course, he called my bluff, knowing there's no way in-game to see someone's real name. In fact, he never even entered his real name in the game. So how would I know it? So now he starts aiming his attacks towards me, calling me names and taunting me. I think I remember his name was Evan. So I started just writing Evan in the chat room over and over and over. Just that word: Evan, Evan, Evan, Evan.
He stopped chatting for a minute. He was like, who are you? I'm like, are you gonna be nice now, or do you want me to say your last name to you? He tested me by saying, go ahead, I don't believe you know it. So I dropped the first part of his email address in chat, and he stopped talking for a minute.
Then he asked, Adam, is that you? And I'm like, no, dude, I'm not Adam. I'm the guy who's just trying to stop you from being rude. Go find a hobby that doesn't include being mean to people. And I guess this spooked him because he logged out of the game, and I never saw him again. These are true stories from the dark side of the internet.
I'm Jack Rhysider. This is Darknet Diaries.
For this story, we're headed to the Middle East. So my name is Mohammed Aldoub. In Arabic, we say it Mohammed Aldoub. Yeah, so where are you now? In Kuwait, as always. It's where I'm from. Mohammed is in his 30s now, but ever since he was a teenager, he was fascinated with computers.
Well, Kuwait generally is a very connected society, so it's extremely easy to get hooked on early. And with my, let's say, age group, with the internet entering our houses in the late 90s, getting hooked early on technology, I think it was very straightforward. But then I actually entered
in Kuwait University, the College of Engineering in the computer and software engineering department. So I graduated as an engineer in that aspect. Then after graduation, I actually went into cybersecurity. So my entry into cybersecurity was around 2010.
He got a job in the government of Kuwait, securing systems. And pretty early on, he saw the importance of the internet and securing all the stuff on it. In my earlier years, around 2010 and 2011, I actually got introduced to the late Dan Kaminsky, and his guidance was really amazing on what a new, upcoming person like me
would do to get properly into cybersecurity. And I think with the emergence of social media and it taking the political and public scene in Kuwait by storm, it was just natural for me to use that platform to discuss cybersecurity and provide awareness.
Mohammed has built quite the Twitter following. His name there is Voulnet. And he won't tell me what that means, but Voulnet is what he goes by. Today, he has 73,000 followers. But to get there, he shared a lot of knowledge about security on Twitter. I did many, I would say, tweet storms where I take a certain malware sample that is just fresh, currently being used to attack some entity in the Gulf region. Then I would go
live in Twitter, trying to analyze the malware, how it works, what it does to the systems. So it was kind of something that we do for the community, for the crowd, and people would love it, people would engage with it.
After college, he was able to get a job with the Kuwaiti government. He was tasked with doing things like securing systems, analyzing malware, and other cybersecurity work. And he was getting good at security, scaling up, and his popularity was growing on Twitter. With that, new doors started to open up for him.
And then at 2018, I actually left that government job. And then I did my first official cybersecurity training, which was abroad. It was in the Netherlands. So I went on to give an Android malware analysis course for the Dutch police, actually. So it was kind of interesting because that was the first official training that I delivered outside of Kuwait to an audience in Europe.
He particularly liked training. Teaching people new things is fun. So he looked around for more training opportunities. I actually got accepted into Black Hat as a trainer, and that was, for me, a dream come true. I never thought, you know, usually in my earlier years doing the government work, I would dream of visiting Black Hat, you know.
Black Hat is an annual security conference in Las Vegas, which takes place the week of DEF CON, just before it. And Black Hat is more geared towards security professionals and the people who want to learn how to secure their systems better. The training there, I hear, is pretty good. So to be selected as a trainer made Mohammed feel proud. And specifically, he was planning on teaching a course about securing API endpoints. But the year was 2019, and he got word that he was going to be a trainer in the early part of that year, like February or March.
But Black Hat doesn't come until August, so he had five months to prepare. And it's in those five months that this story takes place. A story that changed his life.
Now, one thing Mohammed likes doing is examining the latest malware, and specifically he was interested in malware that was somehow used in Kuwait, where he lived. So, of course, being in the Gulf region, there are many interesting threat actors, especially from, for example,
Iran, from other countries, from Israel, other entities and countries in the world. So obviously, the Gulf region was heavily targeted, and so it was a regular thing for us to hunt for threats, to look for state actors attacking certain entities. As a government employee, he would sometimes get sent some malware to analyze, which was cool.
But because he quit his job, he needed to find a new place to keep tabs on the latest malware going around in Kuwait. And one of the best avenues to look for such things is through using VirusTotal. VirusTotal. This is a fascinating website. OK, so the free service they offer is that if you find some malware, you can upload it to their site and it'll tell you what type of malware it is. And this is really helpful for security teams to get information about
any malware they found on their network. I mean, think about it. Suppose your computer is running poorly, you open up Task Manager and see a service running on there and you wonder, is this supposed to be here? Well, you can grab it, upload it to VirusTotal, and it'll tell you if any antiviruses consider this to be harmful and any extra information about that malware.
So yeah, security teams all over are constantly uploading malware to this site. But if you have a premium membership, you get a bonus feature. If someone uploads some malware to VirusTotal, and it's a file that it's never seen before, then you can get an alert. So security researchers might be interested to see what this new file might contain, and they can download it and analyze it. Mohammed loved this feature.
And I would use it to actually look for attacks that are targeting Kuwait, malware samples being uploaded from Kuwait, from other countries in the region, because they would be of interest to my line of work, obviously. And as he said before, he'd sometimes grab some malware from this site, VirusTotal, and begin live streaming as he examines it to see what's in it.
And because he spoke Arabic, it also helped him understand threats targeting the Gulf region better too. He found some pretty interesting stuff this way and would tweet about it and then see some major security companies publishing alerts about it shortly after. And this is what I would call security research.
At the end of March 2019, while doing that usual threat hunting work, I found a sample that resembled some sort of banking malware that was uploaded from Kuwait. Okay, already this is interesting. Mohammed saw that some never-before-seen malware was uploaded to VirusTotal, downloaded it, looked at it, and found it was targeting a bank.
It didn't say what bank. Well, Mohammed had a pretty good hunch that this was some sort of banking malware. And so he's looking at this completely unknown malware targeting a bank that was uploaded from somewhere in Kuwait. Fascinating, right?
Well, if you think that's fascinating, you might be a geek. Not many people on the planet are looking through brand new malware uploaded to VirusTotal, trying to figure out what's going on there. But this is what Mohammed does, because he loves discovering this new stuff, because it poses all kinds of questions. You know, what bank was this for? Did the victim upload it, or the person who created this malware? Did it actually infect something and steal any money? What does it do?
And this is why people like following him on Twitter, because he digs up some pretty interesting stuff sometimes. So I came on to download it and analyze it and actually discussed it on Twitter, submitted the hashes for that piece of malware so that anybody in the region could search for those hashes in their environment and see if they got that attack or that malware. Okay, so he started a Twitter thread, and at the time he had around 40,000 followers on Twitter.
He wrote, quote, for those interested in banking security, these are some highly probable indicators of compromise from the local banking SWIFT attack that you might have heard about, end quote. Now, in the news at the time, there were some other stories going around about banks getting hacked and money stolen using the SWIFT money transfer system. Mohammed saw this malware and had a hunch that it might somehow be related to those attacks, and felt like it was important to tweet about what he was finding.
He went on and posted file names and file hashes on Twitter. And you can think of a file hash sort of like a file's fingerprint. Instead of posting the files themselves on Twitter, he posted the hashes. And that's so other people can look through their file hashes to check if they have this malware on their systems too. And posting file hashes like this is preferred because it's not posting any sensitive data that's in the malware, just in case it contained a password or an IP address or something related to the victim.
So interestingly, I found some strings in those pieces of malware that I think would be beneficial for people to use to search their environment, which is what I shared.
So one technique for analyzing malware is to run the command strings on it. This will search the malware for any human-readable words, and it just spits out a list of words for you to see. And this might give you some clues as to what's going on, like any internal notes left in the code or other information that is human-readable. Mohammed looked at the code for human-readable words, and one word stood out for him: GBK-admin.
Why does this malware have the word GBK-admin in it? Is that a username? Is that the name of the malware? Is GBK-admin something important? He had no idea and just decided to tweet it, telling his followers, take note that the malware has GBK-admin in it, and that might mean something.
So the malware sample itself didn't really point at a certain bank with certainty. Which made him feel confident that his Twitter posts were fine. He's not naming a bank. He's careful not to post any sensitive information. So he posted a bunch of stuff he found, had some conversations with people about it, and then sort of closed up his research into this and was done with it. Moving on to other things. After all, he didn't work in the banking sector. So all he can do is just warn other people that there's some banking malware going around in Kuwait,
And since he's done that, he can now do something else. Not much more for him to do about this.
Well, a few days later, we saw a tweet from the Gulf Bank of Kuwait's Twitter account saying they had a service disruption. And this service disruption resulted in them losing $9 million. Yeah, 2.8 million Kuwaiti dinars. Very interesting that the Gulf Bank of Kuwait was reporting a problem. Yeah, I realized that something definitely was off because
this is not a normal thing to happen to banks, you know, a problem in your transactions with that kind of big loss. And then the bank publicly talked about it. So obviously something was really off there. And that's why it got the attention of the country, like everyone in Kuwait was talking about it. What did the Gulf Bank mean by that statement? We're going to take a quick ad break here, but stay with us, because this story just got interesting.
This was a very interesting tweet that Mohammed was reading. The Gulf Bank suffered a service disruption that resulted in a loss of $9 million. Two days after Mohammed found some banking malware uploaded by someone in Kuwait.
Well, Mohammed was starting to put the pieces together. Of course, I did put those pieces together in my mind, but I was very careful not to actually come up with a conclusion in public that would publicly link these two incidents, because there wasn't a lot of, let's say, concrete proof for me to be able to do that.
So it really, I would say, you know, familiar. It sounded like there's a possible connection there.
But yeah, he didn't say anything publicly about any theories he had that might connect the malware he found to Gulf Bank. He just watched Twitter talk about it, and he observed. Okay, so the Gulf Bank is Kuwait's fourth largest bank. At the time, they self-reported that they had $2.25 billion in capital, and that losing $9 million was less than half a percent of their total capital.
But again, I want to emphasize the word losing here, not stealing or robbed. The Gulf Bank never did say the money was stolen or that they were robbed. Only that there was a service disruption that resulted in them losing millions of Kuwaiti dinars. Well, a few days after that, the next news we saw from the bank was that they fired their general manager of IT without explaining publicly why.
And the general manager seemed particularly surprised by this and said it was unjust that they asked him to leave; something big at the bank was happening, and they weren't being transparent about what it was. And I want to add in here, the only reason why I know what the bank's general manager of IT said about him being fired was because of the amazing reporting that Sean Lyngaas did at CyberScoop. He did an article about Mohammed's story, which is how I know about any of this.
The next week, Mohammed goes to a security event in Kuwait to hang out with other people in infosec and socialize. But while he's at this event socializing, his phone rings. I got a call from someone from the cyber, let's say, branch of the police, where they handle complaints related to cybercrime.
They told him that there's a possibility that the Gulf Bank is going to complain to the police about his tweets, the ones that talk about the malware that he found on VirusTotal, and they asked him to come down so that they can question him. He agrees to be there, but was nervous about this whole thing now.
Well, of course, it was worrying, because that bank is powerful. But I was extremely careful in my wording of all the research that I did, not to include anything that would link, obviously, to a certain entity or a certain bank. Because I was talking in general, mentioning things that are already de-anonymized, like password hashes, talking about malware attacks in general, or talking about certain malware without attributing it to a certain entity by name. So legally, I was in the clear.
Regardless of what I had, let's say, concluded or guessed in the back of my mind. So I went to the questioning, and they asked me, are those your tweets? I said, yes. Did you mean the Gulf Bank? They had a complaint. Did you mean them in your, for example, tweet? I said, no, I didn't mention them. I didn't mean them in my tweets. And that was the end of the questioning.
Okay, so maybe this is a routine part of the investigation, where the bank is just doing their due diligence by following up any clues or leads about the incident. And since Mohammed had tweeted about the banking malware he found, maybe there was more to it. So that's why the police were questioning him. After talking with them, he felt relieved and thought that's probably the end of that. It was then that interesting things happened, actually.
Around that time I had to go to the USA accompanying my wife because she was visiting her mother who was being treated and was very sick in the United States. So I flew to the US and while I was in the US I got a call that I need to be present for investigation by the public prosecution.
They wanted him present for an investigation because they wanted to ask him more questions about what he knew about this incident at the Gulf Bank. Did he know more than what he was tweeting about? The second round of questioning was a little worrisome for him, but he knew he was innocent and wanted to cooperate.
So he told them that he's in the U.S., helping take care of a sick family member, and he can't come on the date they requested. But he'll be happy to come in as soon as he gets back to Kuwait. And he even showed them his return ticket on when he'll be back and they said, okay, no problem.
So he finished up his trip to the US and went back to Kuwait and went to talk with the investigators. But they said, because he didn't show up on the date they requested, he's now being charged. Because the public prosecution went on with the investigation, didn't wait for my arrival, I was regarded as in absentia, so I was accused of, let's say,
what the law calls abuse of a mobile device, which means that you have used a mobile device to do something a little bad. That was the way the law was, let's say, worded, and that I was disclosing trade secrets of the complainant.
What? Mohammed's tweets have now led to him being accused of abusing a mobile phone device and leaking trade secrets? Something has clearly gone very wrong. I was worried, but there wasn't a thing I could do about it.
So the only thing he could do about it was to prepare a solid defense. So he hires a lawyer to help make sure he navigates this criminal charge properly. When a big bank is bringing charges against you and they've reported that they've lost $9 million, you want to take this very seriously, even if you are completely innocent. So he was being very cautious. And part of him was wondering how much of this is related to hacking.
How much of this is related to the free speech laws in Kuwait? I'm not really a lawyer, but generally, the Constitution of Kuwait gives, let's say, a big blanket for freedom of speech, but then it says according to the laws. Then the laws go on to specify the general protections of the Constitution. We have laws for cybercrimes, we have laws for print, we have laws for
live media like for example videos, television, radio. We also have the state security laws. All of these laws contribute to let's say further restriction of freedom of speech. So there are public figures in Kuwait that you cannot let's say for example talk about in any let's say bad manner regardless of your intent. There are limits to what you can talk.
You cannot, for example, let's say, use hate speech against religious or political minorities. So it goes on and on and on about the political aspects, religious aspects, or restrictions on free speech, and also the cybercrime part of that. And the cybercrime, let's say, law was actually interesting because it came out in 2014. It was supposed to, let's say, address cybercrimes or crimes that are related to cybersecurity, like hacking, for example, fraud.
But then it came to be abused by lawyers, by people, to actually accuse anyone who would talk badly about you. So if you were a government official, if you were like a social media figure, and someone was trying to
talk about you in a way you don't like, you can go and then try to sue them according to that law. And many times it would result in verdicts where people have to be fined. And I think my case was an example of that, because I didn't actually do any wrongdoing.
Interesting. So it sounds like if someone says something damaging towards your company or you, you can take them to court and possibly get them to pay a fine for what they said. So Mohammed read over his tweets a few more times very carefully, trying to find if he said anything negative towards the Gulf Bank. But he didn't even mention the Gulf Bank in his tweets at all. So he felt confident that he didn't do anything wrong. He did mention the word GBK-admin, though.
And wait a minute, GBK. Does that stand for Gulf Bank of Kuwait? Huh. Even if it did, he didn't know that at the time.
His trial date was set for July 2019. Now, August, the month after his trial date, is when Black Hat was going to occur in the U.S., and Mohammed was scheduled to give a training session at that conference. So he wanted to wrap up this trial so that he could go to the U.S. and give his training. So he goes to court in July. Just the public prosecutor was there; the lawyer for the bank didn't even show up.
Mohammed had been planning with his lawyer what to say.
It's absolutely not a secret, because the bank already discussed that there's a problem that happened. There's a problem in their system that resulted in a loss of millions of dollars. So there was no secret that there's something wrong happening at the bank already.
On top of that, there was no kind of contractual agreement between me and the bank that would result in me having any secret shared between me and them. So I think I came upon it, let's say, through public sources, which are, of course, not considered secrets.
He says the judge looked convinced and seemed to be on his side. So he prepares his flight to Las Vegas to attend Black Hat. He first had to fly to New York and then to Vegas. The night before my flight to New York, I received a strange phone call on Telegram, you know, an encrypted phone call on Telegram. But then when I answered, it was someone very suspicious, and the way they were talking, they were trying to kind of ask
about the incident that happened with the bank, and then they tried to say, you know, I have some information about the hack that happened in that bank, trying to, you know, pull my strings. I felt that someone was trying to pull my leg into discussing this incident, trying to, you know, entrap me. So I realized that this is either someone who is, you know,
totally crazy, or I would actually be crazy not to think that this was some entrapment by someone, by whom I don't know, you know. A bank doesn't really do that. Who would try to do that? I have no idea who would benefit from that. However, I played it cool, told them that, you know, this is a legal matter, it should be taken to the legal authorities, blah blah blah, and then I hung up.
What was really suspicious for me is that, why would someone, you know, try to target me, try to entrap me in that fashion? Did I really anger some really powerful folks? Was that tweet that much, you know, let's say, strong against whoever was compromised? Did the bank really get some pressure from people who linked my tweet to the incident at the bank? I still don't know who that person is to this day.
But of course, as I said before, it would be crazy not to think it was some sort of related entrapment attempt. That was strange, and it rekindled his worry about the case, but he still went to the US. And while in Vegas, his lawyer contacted him and told him the judge had a verdict on the case. In the end, it was clear for the judges that it was absolutely not in violation of any law in Kuwait.
So he was cleared of all wrongdoing, which is great news to receive while you're in Vegas, right? Mohammed tells me he didn't attend any parties there because he was so focused on delivering his training and just wanted to get back to Kuwait as soon as it was over. And so when he got back to Kuwait, he checked in with his lawyer, and all seemed quiet, all was good. And he was glad to have this behind him. And that was August. September then comes and it passes. And then in October, he gets another message. Yeah, the lawyer sends me over WhatsApp that they have appealed.
Again, it was the public prosecutors who wanted to investigate this further. His lawyer explains this is just a matter of formalities. If the prosecutors bring him to the appeals court and he's still found innocent, then they can say they've exhausted all options in this case and they can leave it be. This makes it look like the prosecutors worked really hard to solve this case. And since this was just a formality, there was no new evidence on him or any new charges. But Mohammed was still worried about it. I mean, at the least, he's having to spend all this money on legal fees.
The appeals court took over a year, because coronavirus kept delaying the courts, and waiting for your trial is always nerve-wracking no matter how confident you are that you're not guilty of anything. But the trial date finally came, and the judge looked at his case. I was cleared immediately, like on the spot.
This gave Mohammed a big sigh of relief. This meant it was finally over. And yes, since then, two years later, it's still over. There have been no more calls from the police about this. But what a wild ride this has been, resulting just from finding some malware on VirusTotal and tweeting about what you found.
Now, during that time, there was a large rash of bank robberies happening all over the world. Someone was going around, usually sending phishing emails to banking employees, hacking into the bank, and then targeting the SWIFT network to steal millions of dollars from banks. And many of these worked.
And the United Nations investigated this and published a report. And this report says the government of North Korea is responsible for robbing banks in Bangladesh, Chile, Costa Rica, the Gambia, Guatemala, India, Liberia, Malaysia, Malta, Nigeria, Poland, the Republic of Korea, Slovenia, South Africa, Tunisia, Vietnam, and Kuwait.
Right there, in black and white. This UN investigation report says that in March 2019, a bank in Kuwait was robbed by the government of North Korea.
That's the exact same month and year that the Gulf Bank announced that they had a service disruption and lost $9 million. This UN report does not say which bank in Kuwait was robbed, but it does say the amount stolen was $49 million. And so that's a big mismatch in numbers,
which means either the Gulf Bank was not robbed, but really did have some kind of weird disruption that made them lose millions of dollars, which means a totally different bank got robbed the same month and year in Kuwait, or the Gulf Bank of Kuwait was not telling the truth, saying it was a service disruption when really it was a robbery, saying it was $9 million when really it was $49 million. We don't know the truth of the story.
Yeah. So there is this variance between the Gulf Bank tweet and whatever bank the UN report was trying to hint at. So, you know, either it was a different bank, or maybe there's more to the story than what was, you know, put in the public sources.
I mean, you don't need to comment on this, but I was just thinking it through, right? If it looks like a duck and it walks like a duck, it's probably a duck.
Big thank you to Mohammed Aldoub. You can find him on Twitter. His name there is Voulnet, V-O-U-L-N-E-T. And while you're on Twitter, why don't you go and follow Darknet Diaries. This show is made by me, the space bard, Jack Rhysider. Sound design is done by the deletist Andrew Meriwether. Editing help this episode by Shift Control Damienne. And our theme music is by the escapist Breakmaster Cylinder. How do you add flavor to an algorithm?
Toss in a Boolean cube. This is Darknet Diaries.