Poker is such an interesting game. Cards get dealt, money gets bet, and the winner is not the person with the best hand. It's the person who plays the best. The game is to play the person, not the cards. In fact, some of the top poker players don't even consider it gambling. Here, take this clip from the movie Rounders, for example. Why does this still seem like gambling to you? I mean, why do you think the same five guys make it to the final table of the World Series of Poker every single year? What, are they the luckiest guys in Las Vegas? It's a skill game, Jo.
It's a good point, right? There is a lot of skill in poker, and with the right play style you could do pretty well, because when you play poker, you're playing against another person, not against a casino or some machine. There's another person sitting on the other end of the table, and it's you versus them.
Can you make them believe you have a good hand when you don't? Or can you call them out when they're bluffing? Being able to read the person is critical. But then there's online poker, places that let you gamble for real money against real players on a computer. But it's a lot harder to read the player when you can't see them. And when there's a lot of money involved with something like this, people will go to extraordinary lengths to try to get an edge.
Take the story of Darren Woods. In 2011, he won a World Series of Poker bracelet, and he enjoyed playing online poker a lot. But his win rate in the online games was really high. The online poker community watched him play and meticulously took notes. They determined Darren had to have been cheating, because he was winning some very strange hands. But how?
Well, as it turned out, Darren had set up 50 different accounts at this online poker site and was playing multiple accounts at once. So he could, in fact, see some of the other cards dealt at the table, since he controlled multiple seats at the table. And how does this give you an advantage, you might ask?
Well, we know there are four aces in a deck of cards. And if he had one ace in his hand, and there were two aces on the board, and that last ace was in the hand of one of his other accounts, then he knew for a fact his real opponents did not have another ace. This is a small edge that he had on his opponents, but it was enough for him to win pretty big.
And with the help of players reporting this, the poker website figured out what he was doing, banned him and called the cops. Darren pled guilty to some of his charges and ended up being sentenced to 15 months in prison over this. I say all this because I want to tell you about how someone tried to cheat at high stakes online poker. These are true stories from the dark side of the internet.
I'm Jack Rhysider. This is Darknet Diaries.
There's this poker player who lives in Finland named Jens Kyllönen. And for the last 15 years or so, he's been raking it in. He started playing poker with his friends back when he was a kid. Here's an old interview of him on how he got started. I started with friends, like, 17 years old, like in Canada. And just read some books and slowly started. And like in a year, I already played pretty high, like 5/10, and no-limit hold 'em 10/20.
And just pretty quickly, it's always been a pretty quick move upwards. And I won a three-year-old, or I think I cashed in a three-year-old, and from that I started just grinding my way up, and I never deposited anything or like that.
Grinding his way up, he did. He was a really good poker player. He was getting better and better at poker, playing bigger and bigger pots and making pretty good money from it. In 2009, he played in the European Poker Tour and took first place in the no-limit Texas hold 'em event. The prize was 1.1 million US dollars. Around this time, Jens began playing a lot of high-stakes online poker,
but still played in in-person tournaments too. Here's a clip of him getting into a tournament in 2012, which had a $1 million buy-in. The youngest player in the field, 22-year-old Jens Kyllönen, had decided to put up the entire million himself. I mean, I view this more as, you know.
Wow, the fact that he could afford to put a million of his own dollars on the line for this tournament.
He's obviously doing pretty well to afford that. And from what I could tell, I think he lost it all in that tournament. But that didn't stop Jens from playing even higher stakes. Jens was really good at online poker at this point and would play in major online tournaments with millions of dollars as the grand prize. But then in 2013 came the European Poker Tour event in Barcelona, Spain.
The PokerStars.com European Poker Tour has hit its 10th season and is back where it all began, Barcelona. This tournament was held at the Hotel Arts in Barcelona. It's a five-star luxury hotel, right on the edge of the sea. The tournament was in one of the conference rooms, and there's a casino right next to it. This was a good-sized event. I looked at some video of it and counted 20 full poker tables in the room during the tournament.
Jens and his buddy Henry flew from Finland to Barcelona to participate in this tournament. They stayed in the same room together. And I should quickly explain who Henry is. Henry lives in Finland, not far from where Jens lives, and they hang out at each other's house sometimes and go on trips together. At one point, Henry and Jens took a two-month trip to South America, so there's a trusting bond between them.
On day two of the tournament, Jens busts. He loses all his chips. He's out of the running. Jens walks away from the poker table, looks around and decides to go up to his room and surf the internet on his laptop, which was in his room. So he goes up the elevator to his floor. He gets his room key out. It's a little mag stripe hotel key card. He swipes it into the lock.
but the lock doesn't open. Red light flashes, indicating it's not the right key. He tries again, and again, and again. He can't get the key to open the door. He goes down to the front desk. They re-sync his room key for him and tell him, go on up, try again. It should work now. He goes up to his room, tries the key, and it works. The door opens, he goes in. But as soon as he enters the room, he immediately notices something isn't right.
He knows exactly where he left his laptop that morning. It was on the desk, but his laptop was not there on the desk. His laptop charger was there, sitting in the exact spot where his laptop should have been, but no laptop. He looked around the room a little bit, but he couldn't find the laptop anywhere in his room. He thought maybe Henry borrowed it, or it was stolen.
He goes down to the casino and finds Henry playing poker and asks him. And Henry says he hasn't touched Jens' laptop. But Henry says his room key wasn't working that day either. Huh, that is pretty strange. Jens goes back up to the room to search for his laptop some more. But when he gets in the room, he sees the laptop is right there on the desk exactly where he left it earlier that day. What?
His mind starts racing. He's questioning his sanity at this point. Was it really gone a minute ago? But he remembers clearly seeing the charger there on the table by itself without the laptop. And now the laptop is there where the charger was. He remembers this clearly because it was just 10 minutes ago. Jens starts to get scared. Someone had been in his room in the last 10 minutes and they put his laptop in the exact place where he left it.
He thinks the person might still be in the room right now too, hiding in the bathroom or something. So he darts out of there, gets into the elevator, goes down to reception, and talks with the guest relations supervisor Leia.
Leia listens to Jens' story and does two things. First, she recodes the lock on the door and recodes both Henry's and Jens' hotel room keys. She says this way, if someone did have a duplicate key, the duplicate would no longer be active, because the code on the door has changed. And second, she tells them she'll work with security to look at the hallway cameras for that time.
Jens goes back up to his room. He opens the laptop and turns it on, but something's wrong. It boots to a black screen, which says, Windows failed to start. A recent hardware or software change may be the cause. Do you want to repair or start normally? Huh? Jens' computer was working fine up until this point. Now it's showing an error? And when he gets past that screen, it gives another warning. Do you want to restore your computer?
This is super strange. Something went on here and it's freaking him out. He goes down to meet with Leia again, the hotel supervisor. She tells him the cameras in that specific hallway. Yeah, they haven't been working for the last week. So they have no CCTV footage of whoever entered his room at that time. Leia doesn't seem to be taking this matter seriously and says they'll continue to investigate, but she doesn't say how.
Jens goes back up to his room. He swipes the room key card in the door and it's not working again. No matter how many times he swipes or how he swipes, the door just doesn't open.
Huh? Jens runs back to reception and tells Leia. Leia re-syncs his card, and then walks with him personally to his room to check on this lock. The card now opens the door just fine, but as soon as they get in, Jens immediately sees that his laptop has gone missing again.
Jens is in complete shock. He doesn't even know how to explain what's happening. Leia calls hotel security. They apologize and agree to upgrade his room to a suite, which is two floors up. Jens decides to go downstairs and look for some friends, and he asks them if he can use their laptop. He immediately goes to all his online poker accounts and shuts them all down, thinking someone must be trying to hack his accounts.
After that, he goes to talk with Leia again. She's on the phone, talking in Spanish. She asks Jens, can you describe your laptop? He says, it's a heavy Fujitsu Celsius laptop. She says, it's been found. It's in the lobby. Security has it. She tells him to wait a minute. She goes and gets it and brings it back to him. At this point, Jens is on the verge of a panic attack. Who keeps stealing his laptop?
Why does this keycard keep getting deactivated? Why did the laptop show up in the lobby? If a thief took it and panicked, why not throw it in the sea? He opens it up, it boots up just fine, but something is different. Normally, when it boots up, it's password protected, and he has to enter his password to get in. But it's no longer asking for the password, and it's just booting right up into Windows. Okay, so he definitely knows someone has hacked his computer.
He takes the laptop to the poker tournament and starts telling their IT and security teams about this. Everyone there is pretty friendly and helpful. The poker tournament security team takes down all his information and begins to investigate. Jens and Henry go up to their new upgraded suite and head to bed for the night.
Thinking there has to be some security camera footage somewhere of whoever did this, and now that two different security teams are looking into it, surely they'll find out something by morning, and they both rest their head down on their pillows for the night.
But it's hard to sleep. I mean, the day started with losing the tournament and ended with their room being broken into at least three times and his laptop hacked. When that happens to you, you can't relax. The computer feels defiled and gross, and your sense of security is eroded.
And at this point in the story, I'm now wondering, how can someone even get into the room like that? And I have a few theories. First, you might be thinking that someone might have just brushed up against him in the lobby and cloned his card. Yeah, I don't think so. That typically works for RFID-type cards. This was a mag stripe card, so in order to clone it, you would have to swipe the card through a reader. I guess it's possible someone pickpocketed him, cloned the card, and then put it back in his pocket.
But it just seems unlikely that that would happen twice in one day. And then you also have the problem of making both guest room keys invalid. How's that happening? Well, because this is a mag stripe card, it's possible that a powerful magnet can be put next to or under the lock. And so when a card gets near the lock, the magnet scrambles the data on the mag stripe and ruins it.
So there are two types of mag stripe, LoCo and HiCo. That's low-coercivity and high-coercivity, which pretty much means how strongly the mag stripe will hold onto its data, or how strong a magnetic field it takes to rewrite it (roughly 300 oersteds for LoCo against around 2,750 for HiCo). Like, your credit card isn't going to be reprogrammed anytime soon, so it needs to hold the data on there for years. So it uses HiCo. But a hotel room key will have its data rewritten many times, maybe once a day, so it uses LoCo.
And because it uses LoCo, it's easy for a magnet to scramble the card. So if someone wanted to go into that room, but did not want anyone coming in while they were there, they could put a magnet on the door, which would ruin whatever card was swiped and stop the cardholder from entering. This would alert whoever's in the room and also buy them a couple of minutes to get out. And as they're leaving, they could remove the magnet from the lock and walk away. Okay, so that's a good theory on how the cards got ruined.
But still, how did someone get a key to get in? Maybe it was plucked from a cleaning cart. Or maybe someone went to the front desk and posed as Jens, saying, my key doesn't work in my room, can you reset it for me? And then they give Jens' room number. Would the front desk check ID before issuing a card to a guest like this? Is it possible to social engineer the front desk person into doing it without checking ID?
Yeah, that is possible. But then the camera didn't work in that specific hallway. Did someone know that? And that's why this room was targeted? Perhaps this was an inside job. Someone who worked at the hotel knew those cameras didn't work and had access to reprogram keycards. They could certainly be in on this. This is the type of stuff that raced through Jens' mind all night long as he tried to sleep.
Five thirty in the morning. Hello? Your taxi is ready. What taxi? The taxi to the airport. Under whose name? No name, just the room number. Jens tells the person on the phone they didn't order a taxi, and that person hangs up. Was this a wrong number? A mind game of some kind? How strange. Jens lies awake for an hour thinking about this.
Eventually falls back asleep. 9.30 in the morning. Jens wakes up. Hello? Do you want to make a business? What? Do you want to make a business? Huh? About what? About the woman. No. And Jens hangs up the phone.
Two phone calls in one morning for the wrong number. Or was it the wrong number? Were these calls just some strange attempt at checking to see if somebody was in the room? Or verifying where Jens was staying?
Jens has a meeting with hotel security at noon, so he gets ready and goes downstairs to meet with Leia. She has an older guy with her, who is the head of hotel security. He doesn't seem interested in helping, though. He says, well, look, we already upgraded your room to a suite and your laptop's not missing now, and you said there's nothing else missing, so there's no problem, right?
Jens can't seem to explain to security the severity of this. Jens asks, how many cameras are broken in the hotel? And the man says, oh, only eight. Jens asks, can you check the elevator cameras? And the security guard says, no, there's too many visitors and there's too much footage to look through. Jens says, but we've narrowed it down to a 10 minute window.
Security doesn't seem interested in helping. They just want this problem to go away. His suspicion is growing that this might be an inside job. But before he leaves, security hands him a printout of the logs of what key cards opened his room for that previous day.
It's kind of hard to read. And at this point, Jens is tilted. He's crushed. So he just puts the logs in his pocket and walks away. Jens felt like this meeting went terribly, and now there's like no chance of figuring out who went into his room. He goes to meet with the poker tournament security. Maybe they have found something. But the poker tournament security team were trying to say that Henry might have done all this.
But Jens wasn't buying it. If Henry wanted to do this, he would have done it at Jens's house if he wanted to. Why do it here? It made no sense and there was no help from this security team either. Jens was crushed. He was so confused why nobody was taking him seriously and conducting a major investigation about this. He was so worried that his hands and legs were shaking and he felt like he was going to vomit at any moment.
He takes the room access logs out of his pocket and starts to look through it. It doesn't make sense at first, but he studies it more. He's able to connect some dots. It shows the exact time when the cleaning service came in, and the exact time when someone came to restock the minibar. And it also shows when each guest came in the room with the code from their key. So this actually makes a perfect timeline of events. It shows when Jens and Henry visited the room,
and exactly when their cards stopped working. But in the logs, it also showed there was a third guest keycard that had opened the door. Just when Jens went downstairs to reception that first time to reprogram his card, someone with a third guest keycard had entered the room exactly 2 minutes and 41 seconds before Jens came in and found his laptop gone for the first time.
Jeez, maybe they were hiding in the bathroom when he was in there. Jens was getting even more scared after looking at this, and even more angry that the hotel security didn't see the same log entry just as alarming as him. Either security couldn't read their own logs, or they didn't care, or they were trying to cover something up.
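What Jens did with that printout, turning a lock's audit trail into a timeline and spotting a credential that should not be there, is worth seeing as code. The following is an added example, not anything from the episode, the hotel, or F-Secure. The log format, the card identifiers and the timestamps are constructed for illustration (real hotel lock exports differ by vendor and usually need the vendor's own software to dump), and the gaps are chosen to match the 2 minutes 41 seconds described above.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed door-lock audit log for one room (illustration only, not the
# hotel's real export). Assumed format per line:
#   "<date> <time> <OPEN|DENIED> <GUEST|STAFF> <card id>"
SAMPLE_LOG = """\
2013-08-24 09:05:12 OPEN STAFF HK-17
2013-08-24 11:30:44 OPEN STAFF MB-03
2013-08-24 13:41:02 DENIED GUEST G-1
2013-08-24 13:41:09 DENIED GUEST G-1
2013-08-24 13:49:10 OPEN GUEST G-3
2013-08-24 13:51:51 OPEN GUEST G-1
2013-08-24 14:20:33 OPEN GUEST G-2
2013-08-24 15:02:05 DENIED GUEST G-1
2013-08-24 15:12:40 OPEN GUEST G-3
2013-08-24 15:15:27 OPEN GUEST G-1
"""

# Guest cards the front desk actually issued for this room (assumed: two occupants).
ISSUED_CARDS = {"G-1", "G-2"}

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (OPEN|DENIED) (GUEST|STAFF) (\S+)$"
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    result: str   # OPEN or DENIED
    kind: str     # GUEST or STAFF
    card: str     # credential identifier as printed by the lock


def parse_log(text):
    """Parse the audit export into Events, oldest first. Malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        ts, result, kind, card = m.groups()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), result, kind, card))
    return sorted(events, key=lambda e: e.ts)


def unexpected_guest_entries(events, issued):
    """Successful openings by a GUEST-type card the desk never issued for this room."""
    return [e for e in events
            if e.result == "OPEN" and e.kind == "GUEST" and e.card not in issued]


def seconds_to_next_occupant_entry(events, event, issued):
    """Seconds from `event` until an issued card next opened the door, or None."""
    for later in events:
        if later.ts > event.ts and later.result == "OPEN" and later.card in issued:
            return int((later.ts - event.ts).total_seconds())
    return None


def denied_swipes_before(events, event, issued, window=timedelta(minutes=15)):
    """Denied swipes by issued cards shortly before `event`: the 'my key stopped working' signal."""
    return [e for e in events
            if e.result == "DENIED" and e.card in issued
            and event.ts - window <= e.ts < event.ts]


def report(text, issued):
    """One finding per unexpected guest entry, with the context a reviewer would want."""
    events = parse_log(text)
    findings = []
    for e in unexpected_guest_entries(events, issued):
        findings.append({
            "card": e.card,
            "at": e.ts.strftime("%H:%M:%S"),
            "denied_swipes_before": len(denied_swipes_before(events, e, issued)),
            "seconds_before_occupant": seconds_to_next_occupant_entry(events, e, issued),
        })
    return findings


if __name__ == "__main__":
    for finding in report(SAMPLE_LOG, ISSUED_CARDS):
        print(finding)
```

On this constructed log the report flags card G-3 twice, each time a couple of minutes before an occupant's card opened the door and each time preceded by the occupants' own cards being denied, which is exactly the pattern Jens pieced together by hand. Two caveats when doing this for real: the lock only records what it saw, so a card wiped by a magnet shows up as DENIED rather than as an attack, and a card recoded at the desk may get a new identifier, so the list of issued cards has to be reconciled against the front desk's own issue records and the lock's clock checked against a wall clock before the timeline is trusted.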
Jens couldn't take this anymore. He started packing his bags to get out of there. He was going back home to Finland. This was no place for him now and as he was going through the lobby he ran into another player that knew him and he told that player his laptop was just stolen and that player said the same thing happened to him.
That player said the cameras were working on the floor where he was staying. So Jens took this player to hotel security and tried to explain, look, the same thief who stole my laptop probably stole his laptop. Can you look at the cameras in that hallway? But security said, oh, there's nothing we can do right now, not until 8 a.m. tomorrow. So Jens, all fed up, just left the hotel and left Barcelona and flew back to Finland. And where does Jens go when he gets back home? Straight to Mikko.
My name is Mikko Hyppönen. I am the Chief Research Officer for F-Secure Corporation, which is a security company headquartered in Helsinki, Finland. F-Secure is known for creating a pretty good antivirus tool, and since it was right there in Finland, it made sense for Jens to bring his laptop to them for analysis.
Well, he contacted us. He was looking for somebody to go through his laptop, because he was suspecting that, you know, it wasn't just about stealing the laptop. Maybe somebody was trying to put something on the laptop. So he brought it in. He parked in our parking place with his Audi R8 and brought the laptop into our lab. Mikko and his team took a look at the laptop. They scanned it and examined it for malware.
And yeah, it was infected. So the reason why all of this happened was that somebody had manually installed a Java runtime and a Java-based remote access toolkit, which would basically send a screenshot to a remote address every time the attacker requested. And that basically means you see the poker cards
another person is holding, and if you know anything about poker, well, then you know that if I know your cards, I'm going to win. Aha! This was targeting Jens specifically, or at least a high-roller online poker player specifically. The malware would send screenshots of the laptop to someone who presumably would be at the same online poker table as Jens.
Clever. Yeah, it's kind of interesting when you think about the amount of money that's at stake here. These high rollers who play poker online, who have been playing poker online for years, the potential of money you can steal from a player like this is hundreds of thousands of dollars or even millions of dollars. And we've found several cases like this. And it's not always about a physical break-in. We have one
high roller we were working with, a famous poker player, who actually had been infected for almost a year, and the reason why he started suspecting that there's something weird was that he was keeping very close statistics about his winnings.
And historically he was making roughly the same rate of winnings in the real world, on real poker tables, and in the online poker tables, and then suddenly it started looking different, and he was always losing in the long run. He was losing in the online games and he couldn't figure it out. So eventually he started suspecting that there's something wrong with the laptop. He brought the laptop to us, we analyzed the laptop, and yes.
There was this tool for calculating pot odds, which contained, again, a remote access Trojan. And we discussed how he got this tool on his laptop, and he had installed it by himself. So why did you install this tool? Well, it was recommended to me by someone he plays against regularly in online tables.
And that someone had set everything up from the beginning, had this trojanized pot odds calculator created, had it posted online on the download site, then just waited until a high roller he would know would be downloading and installing it. And the attacker was so clever, because he wasn't just immediately starting to
wait for big hands and go all in and steal the money. He was carefully and slowly using these in online games for 12 months without, I mean, until it was, you know, people started suspecting that something is wrong. So he was able to make hundreds of thousands of dollars with this ongoing scam. And this is
This is a great lesson also for people who do important things with their computers. I mean, if you are a poker player and you use a laptop,
where hundreds of thousands of dollars go through the laptop. Well, you should be keeping very safe, very close tabs on that laptop. You don't install random junk on it. You don't play, you know, doom on it. You don't watch porn on it. If you're not with the laptop, you put the laptop in a safe. And these guys are millionaires. I mean, if you want to do something else, buy another laptop. But this laptop is your tool
And as a professional, you don't fuck around with your tools. You keep good care of your tools. That's what I told him. And I believe he believed me. But I can't imagine a skilled high roller poker player being able to write malware and then distribute that malware and get it going. So there had to be another person involved.
to do that. That's correct. That's correct. So these guys had outsourced the development of the malware to third parties. Basically, they were going to online programming sites for freelancers and had someone write these programs for them. So, Mikko and his team at F-Secure, being the curious researchers they are, began trying to figure out who was behind this. Obviously, most malware writers don't want to be caught, so they don't leave
clues about themselves within the virus code, but one of the most typical ways we have been able to figure out who's involved with a piece of malware is the WHOIS record. A WHOIS record is a public record of who owns a domain name. Every domain name in the world is registered by someone, and sometimes whoever registered it has their information printed right there on it.
Mikko checked the malware to see if any custom domains were used and looked up the WHOIS record for those domains. But typically cyber criminals will register domains anonymously, so you can't see who owns it. But there are more techniques you can use, like historical WHOIS records. Maybe at first they didn't register it anonymously and then switched to anonymous registration at some point. Mikko and the team at F-Secure kept looking at the malware for clues.
When Jens was in Barcelona, he wanted to call the police, but the poker tournament people didn't want him to, because they said they'd contact the police themselves. So Jens followed up with the PokerStars staff to see what the update was, but they didn't contact the police right away. In fact, it wasn't until weeks later that they finally reported this to the authorities.
Jens was upset that the investigation was not acted on more quickly. F-Secure was able to get some details to Jens about who they think did this, but it wasn't the whole picture. F-Secure posted a blog post calling this type of attack an evil maid attack. That's where you trust that the items in your hotel room are secure, but someone with access to your room can hack into your stuff.
On top of that, F-Secure classified this not as a phishing attack, or even a whaling attack, but a sharking attack, because it targeted poker sharks. At this point, the investigation totally stalled out. The PokerStars team wasn't doing much, the hotel wasn't doing anything, the authorities were quiet, and F-Secure concluded their investigation.
So I know this story because Jens wrote it all out the day after it happened on a poker forum, and I tried many times to get Jens to come on this show and tell his story, but he declined all my invitations and said it's too soon to tell the story, even though it happened seven years ago.
And so that makes me think that either Jens felt threatened by whoever hacked him, or he thinks it's just not safe to talk about this for other reasons. Maybe he didn't want to talk badly about PokerStars, since he likes competing in their tournaments. I don't know. But this forum post that Jens wrote blew up. It has over 1,300 replies at this point, which is a lot for this poker forum. So let's read what everyone says.
The first interesting post I see here is from Lee Jones, the head of communications for the tournament run by PokerStars. Lee confirms Jens' story is accurate and says they are doing what they can to investigate, but they're limited in the authority they have, like they can't pull surveillance video or door logs, but he does say he was contacting the police about all this.
And then there was another post further on down by a US poker player named Scott Seiver. He says the same thing happened to him in Berlin, and to Jason Koon too, and PokerStars wouldn't help either of them. He doesn't go into detail about what happened to him, but Scott Seiver has won three World Series of Poker bracelets.
I reached out to him, but no reply. He mentions that this happened to Jason Koon too, who is another US high-stakes poker player. But when I looked into Jason's story, it has a different attack method, one where he was online playing heads-up against another player, and he thought he was going to win that hand, but then he got disconnected from the server, forcing him to fold.
Okay, back to this forum post. Scrolling down, there's another story from another high roller named Ankush Mandavia, also known as pistons87. He's a US high-stakes poker player, and he says he was staying at the same hotel as Jens at the same poker tournament. Ankush also said he received a few mysterious phone calls, and multiple times he went up to his room and his key card wouldn't work either. He says his computer was crashing while in Barcelona, but he didn't think anything of it until he read Jens' post,
and it all became clear. When Ankush got home, his computer was no longer password protected, which was really weird, because it always is password protected. And every time he would try to boot it up, it would just crash and show a blue screen. The story does seem to match exactly. I reached out to Ankush, but no response.
So that forum post alone seems to outline five major poker players who were victims of this attack: Jens, the guy Jens met at the hotel who said the same thing happened to him, Scott, Jason and Ankush. On top of that, Mikko told me he helped remove malware from two more poker players' computers. So that's seven victims that I count. Whoever this hacker was, they were pretty busy.
Then, a year later, in 2014, the Danish police issued a statement saying they were investigating a high-stakes Danish poker player for allegedly planting Trojans on other high-stakes poker players' computers. They said the software that was installed would allow the hacker to see the other players' hole cards, the ones that are face down that you aren't supposed to see.
This would allow the hacker to play on the same online table as his victims and make millions of dollars off them by cheating. The Danish police continued to say they interviewed a victim who claimed someone disabled the video surveillance of his house, then broke into the house, planted the malware on his laptop, and left. I thought breaking into a hotel room was crazy. Now this hacker is breaking into the homes of high-stakes poker players? This is even crazier.
But after that, silence. No more information from the Danish police. For four more years. Then, in December 2019, the final card was dealt.
The Danish police raided the home of a hacker and seized 4 million US dollars' worth of Danish money. They had evidence that this was the hacker who had been planting Trojans on the poker players' computers. The way it came to light was that one day he was walking with a friend and told him the story, and that friend called the police. From there they were able to find other evidence on his computer which showed he had access to other players' cards.
The Danish court gave him a $3.9 million fine and sentenced him to two and a half years in prison. However, the Danish police refused to say the name of this person. So I went back to the poker forums to see what people were saying. Now, the Danish police describe the man they arrested: he was 32 years old in 2014, he's Danish, and he had won a European Poker Tour event once before.
So if you look up all the Danish poker players who have won European Poker Tour events, it quickly boils down to one person, Peter Jepsen, sometimes known as Zupp. Now, I'm not saying Peter Jepsen is who did this. I want to be clear, this is speculation. And if I get anything to counter this claim, I will update this audio here.
But Peter Jepsen is no longer part of the poker team he was once on. They dropped him years ago, his blog has remained dormant for years, and his social media accounts have been silent for a while too. So he's gone completely quiet and appears to have stopped playing poker. I at least can't find him. And that might be because he might be in a Danish prison.
Now, the Danish police say this hacker was planting Trojans on players between 2008 and 2014. So, I tried to find what Peter was up to before 2008, and I found this amazing interview. So, I'm sitting here with Peter "Zupp" Jepsen from Denmark, who actually had a pretty scary scam come to him through an email the other day. Can you tell us about it, Peter?
Yeah, what happened was that I was playing on Full Tilt and I'd been doing really well that night, and just a couple of hours after my session ended, I received an email in my inbox, and they wanted to tell me about a cash game that they were doing, that they wanted to fill with Scandinavian players.
And I think we wrote like three or four emails back and forth. I asked about the buy-in and all kinds of stuff. And in the end, he sent me an email with a link. In the link, there was a specific place at the home page where I could download information about lines and everything. And right when I was supposed to download it, I noticed that the file was supposed to be a PDF, an Acrobat Reader file, but it was actually an Excel file.
So I was like, that's weird. I downloaded it anyway, but I did it into a secure folder that was monitored by my antivirus. And right away when I started downloading, it said that, wait, this is a Trojan horse. Oh my god. This is a pretty advanced scam, isn't it? Yeah, I've never seen anything like it. I've never heard, I mean, in the poker business, I've never heard of anything like it.
I've never heard about anyone getting scammed that way. It wouldn't be a surprise if we saw a couple of other guys in your league, so to speak, that would get mails like this. You want to warn them about this, right?
If just a few people can avoid being scammed by people like that, that would be great. So I think people should just generally be very careful when they download stuff online. Yeah, so what do you think? Is there any chance to get a hold of guys like this? I mean, could you know? I mean, I wouldn't have made this for you.
I don't really know, but I'd say that professional guys like these, I mean, they're probably way, way over... Nonsense. Yeah, of course, it's impossible to catch guys like that, because they don't even leave any electronic traces or anything. No, no, no.
A lot of hackers I talk to say they got into hacking because they got hacked, and it fascinated them to want to know everything about how to do it. Again, I don't know whether Peter Jepsen is the hacker behind all this or not. The Danish police refused to give the name, and I've only come to his name from my own deductions, but it's possible that if he was hacked in 2008, this might mean he was immediately fascinated with it to the point where he wanted to learn how it was done.
But if Peter was hacked himself, then this means there was more than one hacker doing stuff like this. In fact, after news got out and it was suspected that Peter was behind this, Jens made a follow-up forum post with his thoughts.
Jens said this is the first time to his knowledge that anyone has gone to prison for this type of hack, and that this problem has plagued Nordic poker players for quite some time. He says the rumor is that there's a Swedish gang involved with this, but they have strong connections to the underworld that nobody is brave enough to go up against and seek justice. Jens writes that Peter may have joined this gang. Jens doesn't know if it was Peter who hacked him or someone else.
So once I read that, I immediately started to Google "Swedish gang hacking high roller poker players," and found some interesting stuff. There's not a lot of evidence, but there are accusations that three men from a Swedish biker gang did try to hack high roller players.
The authorities are investigating this, but that's all I got. And honestly, when I look into the other crimes that this motorcycle gang was accused of, I kinda don't want to dig any further. Because some suspect this biker gang murdered a Swedish guy who started an online poker news site.
So it sounds like while one hacker was arrested and put in prison, a few might still be on the loose. The mystery still remains as to who is behind this and how they did it all. Your hole cards still might not be safe. But I find this story fascinating because of the extreme lengths that some hackers go to just to get an edge in online poker.
There's been an update to the story. In December 2020, the Eastern High Court of Denmark announced that they did in fact arrest Peter Jepsen and put him on trial for hacking poker players. And he was found guilty and was sentenced to three years in prison. The police also confiscated $3.6 million from him. And he also must pay $144,000 to one of his victims.
Oh, so back to Mikko. One of the things I like doing on this show is introducing you to people who are legends in the cybersecurity space, and Mikko is a legend. I mean, he's got 200,000 followers on Twitter at this point and is known worldwide as an information security expert. So while we have him here, let's get to know him. And you were almost born in connection with the internet, right? Like you were born, what? On the day ARPANET was created or something?
Close. I was born in late 1969, and TCP/IP... Well, the TCP/IP protocol comes from the innovations which were done in California in October 1969, or maybe November 1969. So basically I'm as old as the internet. But of course, that doesn't mean anything. Most people had no idea about ARPANET or the internet or any of that until the 1990s, when the web made the internet something people actually were aware of.
Yeah. Yeah. And then you pretty much spent your whole life focusing on the internet ever since you were able to. I started programming at the age of 14 in 1984. That was because we got a Commodore 64 into our family. And that happened because my mother, my late mother, Rauha, bought us a computer from her work, which was the state computing center. So I guess it runs in the family. My mother spent all her life working with the state computing center. She wasn't a programmer, but of course she did understand the importance of technology and computers. So that got me into programming at an early age. By the time I was 16, I had already sold my first programs. I was writing utilities. And of course, I was writing games as well. So that's where I started with computers.
Let me do the math here. You've been at the same company for almost 30 years now. That is correct. I joined a company called Data Fellows in 1991 as employee number six. The company was established in 1988.
I'm still there today. The company isn't called Data Fellows anymore, because we renamed the company to F-Secure in 1999 when the company went public. But yeah, it is the same company. I've been working there all my life. And I guess if you would be employee number six in a Silicon Valley company for 30 years, and the company grows big and goes public while you're there, you would end up being a very wealthy individual. It doesn't work exactly like that over here in Finland, but I'm still at the same company, and I gotta tell you, it's been a wild ride. I've seen the company change from a small startup to a player which works all over the world. We now have offices in 29 countries around the world.
In June 1991, Mikko started working at F-Secure, doing security-type work. And because of all this, he's a bit of a malware historian. So I took this chance to talk with him about some of the early malware we ever saw, like Brain. Brain was found in 1986, which means I wasn't in the industry yet, but I did end up analyzing Brain by the time I started doing malware analysis professionally, because I wanted to analyze every single virus there was. And when I started doing virus analysis in the early days, there were very few viruses. We weren't receiving, you know, thousands of new samples every day. We would get a new malware sample in the mail on a floppy maybe once a week.
So I did go through the Brain.A code as well when I started professionally doing malware analysis. Brain is actually how I first learned who Mikko was, because of a video he made about it. And Brain today is such an important piece of malware history because it was the first PC virus ever.
Now, we had... I mean, there were some specific malware cases before Brain on other platforms, for example, on Amiga and Apple II, but the first PC virus is important because we're still fighting PC viruses today. That's basically where it started from. And I revisited the Brain code in 2011 on the 25th anniversary of Brain.
Basically, because our marketing people and sales people asked me that, you know, it's going to be the 25th anniversary of the first PC virus, would you like to, you know, say something on this, or should we do something about this? And we had a meeting about it, and they suggested we would build some kind of an awareness campaign on malware, whatever, something boring. And I just told them, you know, that's a bad idea. Why don't we instead put me on a plane and I go and try to find the guys who wrote the first PC virus 25 years ago? And that's what we did. And of course I said that because I knew there was a lead, because in the code of the Brain.A virus there is a street address, an address which points to a street in the city of Lahore, which is a city in Pakistan.
So in 2011, I went to Lahore to look for the guys who wrote the Brain virus. And we did a video about this. You can watch the video on YouTube. There's a link to that video in the show notes. You really should check it out. It's awesome. But malware made in 1986 is very different from the malware today. Back then...
First of all, writing viruses was not illegal. If you wrote a piece of malware and you infected the whole world, you didn't break a single law. The laws in any of the countries at the time didn't take crime like this into account at all. Second of all, the early malware writers didn't have motives. They didn't really gain anything by writing these early viruses, which were spreading on floppy disks or over early networks. They basically got just chuckles out of the idea that their malware was spreading around the world.
And it is interesting, because during the early days I met some of the early virus writers. In particular, I remember this one kid, a 16-year-old kid who was from Finland, and I found him. He was spreading some of his malware in the BBS systems of the time, where it was being spread over modems from one computer to another. And I spoke with him on the phone, and I spoke with his parents, and it was fairly eye-opening, because he told me that, you know, he's living in this small rural town in central Finland in the middle of nowhere. There's nothing, or there's no neighbors. There's just snow, basically. And he's bored out of his mind. He can't escape. He's with his mother and father in the middle of nowhere, but he does have a computer and he does have a modem, and he wrote this virus. He called the virus Cinderella. And then when he saw that the virus was spreading from one computer to another, and eventually he saw that the virus spread to California, he somehow felt that he couldn't escape, but his virus could. And that was his motive for writing viruses back then, years and years ago.
So the motives of the virus writers have completely changed. If you talk to current online criminals, nobody's writing malware for fun. Nobody's doing it for anything like that. It's all about money. It's all about organized crime trying to make money with ransomware and botnets, or it's governmental activity or spying. So the good old days of, you know, happy hackers are long gone.
Yeah, but I'm also thinking, like, when a virus hits today, it's got a plan. Like it's going to take my contacts list or spread via email or try to find something internal or take control. But these viruses back in the 80s and 90s weren't doing stuff that sinister, were they?
Most of the early viruses either did nothing except spread further, or they might be destructive. We saw surprisingly many examples of malware which would just overwrite hard drives on certain dates or things like that. Or they would do something visible. They would play music. They would show you animations. They would play games with the users. And I've always found that part of malware, or early viruses, very interesting, and many of them look actually pretty nice when you look at them with today's eyes, and you sort of respect the art in the early viruses when you look at it today. I definitely wasn't respecting that back then when I was fighting these viruses, but this is one of the reasons why I've been volunteering at the Internet Archive and curating a collection of old viruses, which you can now run safely in your browser by executing the original code of viruses from the 1980s and 1990s, especially the kind of viruses which actually show you stuff, show you animations, or maybe play music on your computer. And that's something you can all check out by visiting the Malware Museum at the Internet Archive.
If you ever get bored, this is an interesting site to explore. Some of this malware just has like a message display, like this one. It just prints out a note on the screen which says: "Terminator message. Don't be afraid. I am a kind virus. Have a nice day. Goodbye. Press any key to continue."
And then it just quits, that's it. No damage. It just infects your computer to say hi, and then it moves on. And then there's other ones that display, like, weird graphics, or they make the screen look glitchy. That's just it. Graphics and sounds. Nothing more. That's the virus. And I guess what makes it a virus is that somehow these programs were installed and ran on your computer without your consent or your doing.
Mikko's favorite malware of all time is the Whale virus. Whale was found in 1990, and it's one of the big mysteries we still don't understand from the early days of malware. Early viruses started to get more and more complicated. They started to use encryption because they were being fought by antivirus software, such as the software we were writing back then. Another early software company which still exists today is McAfee. McAfee is actually older by one year than F-Secure, and obviously McAfee is still around now.
An easy way to evade detection was to use encryption. So you would just encrypt the code of the malware, and the antivirus guys like me, we couldn't find a way to detect the malware because it's encrypted. You could change the key for every sample and all that. However, the weak point of that technique is that we can pick up a detection signature from the decryption loop. So this is when we started finding viruses which would use metamorphic or polymorphic algorithms, including Whale. Every time the Whale malware would replicate to a new file, it would rewrite itself. So it would basically recompile the binary. It would look different every time. And this was really groundbreaking at the time. And there were plenty of mysterious messages left inside of the malware, and plenty of early researchers spent a lot of time trying to figure out what was the motive, where did it come from, who wrote it.
And we still don't know that. And these techniques of hiding malware under polymorphic encryption became accessible to anybody who was writing viruses around two years later, when a Bulgarian virus writer called Dark Avenger released a toolkit called MtE, the Mutation Engine. And this was basically a toolkit you could use to wrap any program inside a layer of polymorphic encryption, and this was really complicated. You would replicate a sample twice, and there wouldn't be a single byte which would be constant in these two samples. So detection was a nightmare.
However, at that time we were working closely with a researcher called Fridrik Skulason from Reykjavik, and he came up with this clever idea that instead of trying to detect malware with static signatures, or looking for certain bytes at certain offsets, what we would start doing is that we would simply execute the malware in a virtual machine. Basically, let the malware run safely as long as it needs to run, so it decrypts the stuff that's hidden by the layer of polymorphic encryption. So we would basically let the malware decrypt itself for us. And the virus writers of the time couldn't figure this out for years. I mean, they just couldn't understand that no matter how well they were trying to hide the payload, no matter how many layers of encryption they would add, we would still find it. Because the encryption layers they were adding meant nothing. They would in the end end up decrypting the hidden stuff underneath for us, and we could detect it just as if there were no encryption at all.
Keep in mind, up until this point, this malware, which was targeting PCs, was just for DOS. Windows wasn't even out yet. So at this time, in the 90s, when Mikko was researching this stuff, people would send him this malware in the mail on floppy disks. It was a weird time for malware.
Viruses were really slow to make the jump from MS-DOS to MS Windows. MS Windows started to get traction. I mean, Windows 3.0 was the first success story, and then 3.1 and 3.11. It became bigger and bigger. But all the malware we were analyzing was still running on MS-DOS. And of course, Windows systems at the time were running on top of MS-DOS. So this malware was still partially functional.
Until we then found the very first Windows virus, and I remember this very well, because it really changed our contacts within the industry. This was 1992, and we found a sample that we believed to be a Windows virus from Sweden, and it was very hard to analyze, because it was the first Windows virus and Windows at the time wasn't as accessible as you might think to, you know, debug or reverse engineer. But me and Isma, one of our coders at the time, spent a couple of days trying to figure out this sample, and it turned out to be the very first Windows virus in history. So, well, we named it, the finder names the virus, so we called it, like, Windows virus. And we wrote a description about it, we added detection for it, we were all done, but then we realized that, holy hell, this is news. Right, this has to be news. I mean, the first Windows virus in history. So what should we do? Should we do a press release? Well, the company had never done a press release. So we had no idea how to do a press release, but we had seen press releases. So we just copied the format, you know: date, location, Data Fellows has today announced the discovery of the first Windows virus, and then go through the technical details. Very important detail.
When we wrote this press release, the first press release in the history of the company, we wrote it in English, not in Finnish. We were headquartered in Helsinki. All of our clients were in Finland, but we automatically assumed that, you know, this is an international news item. We have to tell the world. And then when we had the press release ready, we printed it out. We had it in our hands. Then what do you do? Well, we had no idea. So we faxed it to Reuters in London.
And Reuters picked it up. They wrote a wire article about it. They ran with the story. It became a news item all over the world. The New York Times ran the Reuters story.
The next day we start getting phone calls from research labs all over the world. Especially, I remember picking up the phone and it's coming from New Jersey. It's from the T.J. Watson Research Center of IBM. And they were very interested in our discovery, and they wanted to initiate an official malware sample exchange between IBM and us, and we were like, okay, now we are in the big boys' league. Now we've really made it.
And that's how we started international contacts with other research labs. And of course, that was very important in the early days for the company. Viruses continued to mutate all through the 90s. Mikko was developing new ways of detecting malware and implementing that into the F-Secure antivirus software. He was also working with software companies to get them to fix the bugs which allowed these viruses to run in the first place.
But in the year 2000, email began picking up in popularity. So when email became commonplace in offices, malware started spreading more and more over email attachments instead of floppies. So that's when the era of email worms started. And we saw so many, so fast outbreaks. First with Happy99, then with Melissa. And then the biggest of them all at the time, Love Letter in May 2000.
Now, this Love Letter virus, sometimes known as Love Bug or ILOVEYOU, would send an email to thousands of people with this message: "Kindly check the attached love letter." And then there was an attachment named LOVE-LETTER-FOR-YOU.TXT.vbs. It's kind of easy to see this as a phishing attempt now, but in 2000, we weren't getting phishing emails very much, and we wanted to see who sent us this love letter.
And while this file looks like a text file, it's actually a Visual Basic script. Often, Windows will hide the extension, so for a lot of people, it just looked okay, like a text file. But when you opened it, Windows knew how to execute the commands in the script and ran them.
So what does Love Letter do when you open the file? Well, it first propagates itself and sends an email to everyone in your address book. And then it proceeds to overwrite and corrupt random files on your computer. Office documents, images, and songs essentially get ruined, which are the most valuable files on your computer. Because it would send emails to everyone in the victim's address book, this made the Love Letter virus a worm, because it could self-propagate, which made it one of the fastest-growing viruses of all time.
Now, when something like this hits the world, and a major virus is spreading, causing destruction, what does an antivirus company like F-Secure do? They get right to work. And that was sort of really exciting back then, because you would typically get woken up at 3 a.m. and there's a massive outbreak going on, and we get the sample. We decode it. We pick a search string or build a detection. We test it. We name it while we write the description.
We test the detection, we ship the detection, and we just save the world. So very, very exciting times, except then it happens again two days later, and again a day later, and again.
Wow, that does sound exciting, to save the world by writing antivirus updates. But yeah, it must be exhausting too. In fact, the most exhausting time for Mikko was the summer of 2003, when his team went to do battle against the botnet called Sobig.
We saw a massively large run for the first version, that's Sobig.A. And this was so, so huge an outbreak from the beginning, because they were using an existing botnet to kickstart the email sending. And the emails Sobig was using to fool people into opening up the attachment were pretty clever. They looked like emails coming in from Microsoft, and they were speaking about an update for security vulnerabilities in your system. This is still the time before Windows Update even existed. So people were still downloading updates manually from Microsoft.com. Well, in this case, you get this prompt for updates for this month.
And it would actually automatically change the month. So if you would receive a Sobig mail today, it would speak about the year 2020 and the current month, which is a neat trick. It actually makes the malware live much longer. And when we were fighting through Sobig.A, we then found Sobig.B and C and D. And then E, and F, and the F version was the largest of the outbreaks.
By the time the Sobig.F variant showed up, it had infected millions of computers worldwide. But what did this malware do? Well, it's a botnet. So all these millions of computers were under the control of someone. That person could instruct these computers to do something, like send an email to millions of people or attack a system. But in order to do that, each of the computers had to reach out to a central command and control computer to get instructions on what it should do.
Some machines were seeing a proxy server getting installed, which meant the hackers could funnel their traffic through these botnet computers in order to disguise where they're coming from. Regardless of what it was doing, this was now a big problem for companies all over the world. They would ultimately spend billions of dollars cleaning up Sobig from infected computers. Now, when a computer gets infected, it has that code on the computer. And somewhere in that code are instructions for what the botnet should do.
And this is great for antivirus companies to look at, to try to stop, or reverse engineer the virus. But there was a problem with this code. Sobig.F had this encrypted code in it, which was a mystery for us. We couldn't crack the encryption and figure out exactly what it was supposed to do. So the team at F-Secure began trying to crack the encryption of this code,
which is interesting to think about, right? F-Secure is supposed to defend computers from viruses. But here they are, trying to use offensive tools to break and hack and crack the code of this malware which was left on the computer. And this was hard, because good encryption is hard to break. But then one of our Hungarian coders figured out how the runtime encryption works. And we found this code, which basically said that on Friday of that week, every single infected computer would contact 10 different servers, so these would be command and control servers controlled by the malware author. So they cracked this code on Tuesday, and the code said that on Friday, it would reach out to command and control servers for instructions on what to do.
And this left us four days to contact authorities or contact internet operators or contact CERTs and work together to take down these servers before Friday. And there's actually a timestamp: Friday evening, 10 p.m., is when the activity would start.
And we got most of the servers down fairly quickly by just calling up the operators and telling them what was going on, but some of these were taking none of our words for granted. I mean, this funny company from Finland is calling them and asking them to shut down the server. Why would they do that?
So then we were working together with the FBI, and then we were calling my contacts at the Microsoft headquarters to get something happening, and it was already Friday, the early hours of Friday, when we had like four servers left. And I remember at some stage we wanted to get the support of the global CERT community, and I tried emailing a list of the IP addresses we had decoded from the body of the malware to CERT Finland. And I mailed them, then I called them like two hours later to ask what's happening, and they told me that they never got my mail. And I was surprised about that, and they told me that, well, actually they have massive problems with their email servers because of Sobig.F. The Sobig.F outbreak was still so, so massively spreading that email wasn't functioning as well as you were hoping for. So they asked me if I could fax them the list, and of course we didn't have a fax anymore, because, you know, we were considering ourselves to be a modern company. So I printed the list on a piece of paper and I gave it to a friend of mine who worked in the lab, and I told him to go and drive to the CERT headquarters and just deliver it by hand.
He jumped into the car and started driving there, and then got stuck in a traffic jam. We never really have traffic jams in Helsinki. It's not a big city, but there was an accident, so he was stuck. So he abandoned his car and ran all the way to the CERT headquarters to deliver the piece of paper by hand.
I still remember how desperate we were. But in the end, we were able to shut down all of the servers except the two last ones. And when the threshold date and time came, there were so many thousands of infected machines all over the world that they all tried connecting to these two servers. And there was just so much traffic. These both servers just crashed under the load, which means nothing happened, which means we were successful.
Taking down a global threat like a botnet is a great feeling. Mikko has gone to battle and brought down a few botnets. He has a few different methods for taking them down. And if you are able to do this right, the whole botnet dies immediately. And that's the best feeling in the world. I mean, we're trying to save the users. We're trying to defend people's security. We're trying to defend their computers. And of course, we are doing this for our clients.
But when you do something like this, you're not only protecting your clients and customers, you're actually protecting the whole world. The whole world is safer because of what you just did. And that feels great. That's one of the things that keeps me running and keeps me in the industry year after year, the feeling that you're actually able to make a difference, the feeling that you're actually able to defend the users. In fact, when they took down Sobig, they had a bit of a celebration after.
Yeah, when we felt that we've just saved the world, we did go and have a party. I guess that just goes with the culture.
Well, since I was working in Finland, that always means going to the sauna. In Finland, every house has a sauna, every office has a sauna, every single F-Secure office. Well, the very first office did not have a sauna, but our headquarters today has a sauna floor. It goes with the culture. Yeah, we would be in a sauna having a beer, and we would be looking at the news and chuckling to ourselves about how they got the details wrong, because we knew exactly what the malware was doing, because we had decoded it a couple of hours earlier.
Okay, so this is what I have to ask about. There's a law named after you. What is Hyppönen's law? Yeah, I didn't really coin it as a law in the beginning, but someone picked it up, and now there's a Wikipedia page for Hyppönen's law, which is Hyppönen's law on IoT security. In a nutshell, it just says that if something is smart, what it really is, is vulnerable.
And this is a very pessimistic law, but it's also true. The more functionality and connectivity we add to things, the more vulnerable they become. My favorite example is a wristwatch. If you have a traditional old school wristwatch that you have to wind, it's unhackable. Like, how do you hack a windable wristwatch? Well, you don't. And then if you take a modern smartwatch with internet connectivity,
It might be hard to hack, but of course it is hackable. So if it's smart, it's hackable, including our smart cars, smart houses, smart cities, smart crates. It's all hackable. What's kept you on the good side all this time instead of taking your knowledge and saying, you know what? I know exactly what these cyber criminals do. And I see that they're making much more than I am. And I know how to hide myself. You ever think about that?
Well, Jack, if I would have gone to the dark side, how would you know? If you look at my Twitter bio, it says I'm a supervillain. Oh, yes.
A big thank you to Mikko Hyppönen for coming on the show, sharing your stories and teaching us more about malware. You can follow Mikko on Twitter. His name there is just Mikko, M-I-K-K-O. He tells me he's writing a book about all this, and so hopefully that'll come out soon, and I'm sure it'll be super fascinating. If you like this show and it brings value to you, consider donating some money through Patreon by directly supporting the show. It helps keep ads at a minimum. It also allows me to get more people to help make the show.
And it tells me you want more of it. Please visit patreon.com/darknetdiaries and consider supporting the show. Thank you. The show is made by me, the never-bluffing Jack Rhysider. Sound design and original music was created by Andrew Meriwether, who swears he dreams in color. Editing help this episode by the heat-sinking Damienne, and our theme music is by the botnet blocker, Breakmaster Cylinder.
And even though some people still insist on pushing code to production on a Friday afternoon, that's really a bad idea. This is Darknet Diaries.