Web Application Security

Interview With A Blackhat (Part 3)

[Please note that this series of posts discusses criminal activities from the perspective of the criminal. This may be distressing to some readers; please exercise caution.]

This is part 3/3 of my interview with “Adam” – a blackhat (hacker engaging in criminal activity) who has decided to go legit. During this part of the interview we discuss, among other things, the rationale behind Adam’s desire to go legit, how he and others in the community see “whitehats” (legitimate hackers in general – not a specific reference to WhiteHat Security!) and why the punishment doesn’t appear to be deterring the crimes. If you missed the previous parts you can see them here: part 1 and part 2.

Q: How do you perceive the risk involved in going to jail? Why isn’t the punishment deterring the crime?

A: I’ve thought about it, for about 10. Suppose it could be a bad thing. Wonder if the staff do banking in jail? Hmmm. Also, people ask, ‘doesn’t the jail term scare you? Losing the money?’ If the Feds can find 100 dollars I’ll give them all of it. You see, working in the underground everyone has hundreds of names, passports, etc. If the Feds can find one they can have them all. You use fake identities and then you give the money to a cafe you own then they feed it through into a bank. It all looks legit. Doesn’t have to be a cafe — can be nightclubs etc. Or you can provide a service to a legit business and they feed it through.

It’s super hard to gather evidence for the crime, and even so the money is impossible to find. Ten or eleven mil over 10-13 years for a 10-15 year sentence. I can’t really say what it’d be like without freedom as I’ve always had it so I can’t imagine losing it.

Q: What’s the difference, in your opinion, between a talented blackhat and a script kiddy? How would you rank yourself?

A: Everyone starts somewhere, it just depends on if you move on. A script kiddy will never get on the legit underground as the elders make anyone who even tries to get into the ug develop botnets, viruses, worms etc. — like a rite of passage. Skids are used as the doormat. Am I a skid? I hope not, would have been a waste of time making the first automated server infection botnet. Lol.

Q: How many hours a week do you think you dedicate to your blackhat activities?

A: When I fancy a new venture – e.g. a new 0-day is released — anything up to two days non-stop. 8-9 hours sleep then two days again. But on average about 8-10 hours a day. It is a job after all. 🙂

Q: What were the job prospects in your area for someone with your skill sets and background prior to going into criminal activity? How much money could you make if you hadn’t gone into criminal activity?

A: I got offered a job to work as a cyber security specialist for a rather large company. For the money? I’d earn in a year at that job what I would in about a fortnight black hatting.

Q: What do you think the biggest misperceptions are of the blackhat world by the security community?

A: That we’re all tied to the mafia, we want the world to burn and we are all Russian. For example 90% of the carders I know donate huge amounts to charities (80-90k a year). I know of carders who went to Africa and bought thousands of mosquito nets. Just because we found a way to make super fast money doesn’t mean we want the world to go bankrupt, people to die, people to go homeless. It’s a lot like business. If someone is dying of cancer and you hold the cure I bet you’d make them pay — it’s the same mentality, exploiting someone’s case for my own good. We are good people.

Q: What made you decide to want to go legitimate?

A: There are only so many credit cards in the world. 🙁 Also, I suppose getting paid to find 0-days, hack systems and do it legally is more appealing.

Q: How much stress do you think being a Blackhat has been on you, worrying about being caught?

A: Being caught has always been a concern, if I wasn’t concerned about being caught I’d be stupid. Sometimes I go days and nights with no sleep wondering when I’d get raided. Sometimes I took it to the extreme and slept during the day and hacked on at night. I felt more comfortable knowing if I was to be raided at least I’d be awake.

Q: What do you think other blackhat friends will say once they find out you have gone legit? Is there any cause for concern or do you believe they’ll let you do what you want?

A: No I think they’ll be fine with my decision. I asked several of the guys I’m close to and all seemed ok with the prospect of me turning white [legit]. There really isn’t a hatred of whitehats from the blackhats. In fact, quite the opposite. If we stayed with viruses from 2000 because we were never challenged we’d be so out-dated and not capable of making a tenth of the amount of money we make currently. Most blackhats love whitehats for that reason.

Q: What do you plan to do now that you are legitimate?

A: I’ve had and have many ideas on things I’d like to do. I’d like to do some research into the time it takes from when blackhats find 0-days to [when] whitehats find them. That’s always been an interest to me. I’m also planning on releasing the exploits + patches I commonly used and further develop 0-Day research to compete with the blackhats.

Q: Do you worry that your past will come back to haunt you in the future?

A: It’s a worry, if someone can find the evidence; if not, it’s just an advantage I possess 🙂