Hacking Humans 9.29.22
Ep 214 | 9.29.22

A cryptoqueen on the run and the cons she got away with.

Transcript

Jamie Bartlett: This German Bulgarian businesswoman, Dr. Ruja, appears out of nowhere and basically says you've heard of bitcoin, but it's really - that's for tech geeks and nerds. I've created one that's better than bitcoin. It's simpler. It's smoother. And it's called OneCoin.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, the phishing schemes and criminal exploits that are making headlines and digging a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: We've got some good stories to share this week. And later in the show, Carole Theriault is back with Jamie Bartlett talking about the missing crypto queen. 

Dave Bittner: All right, Joe, before we jump in here, we have a couple items of follow-up here. What do we got? 

Joe Carrigan: We do. We have a note from Dustin who writes in (reading) hi, Dave and Joe. I had a weird scenario that I was hoping you two could shed some light on. We're switching my 3-year-old child to a new pediatrician. In speaking with the new pediatrician, they needed my child's previous medical records. So the process went as followed. I called the old pediatrician and told them, I'm the father of insert child's name here, and I'd like their health records faxed to the new office. They told me, we cannot fax it. There's too many documents, but we can print it out, and you can come pick it up. I hate that in the year 2022 that data-sensitive fields such as health care rely on archaic transmission systems. I would agree with that. There is - why can't we have a data file that you can import and export? 

Dave Bittner: Yeah. 

Joe Carrigan: But I digress. Oh, here I am falling in line with his digressions. I went to the office a few hours later, and to my surprise, all I had to do was sign a paper stating my relationship to the patient. And off I went with the health records. No identification required. What would stop a bad actor from pretending to be a relative calling in for printed paperwork and falsifying a signature to obtain health record data? I'm not sure if this is just laziness on my previous pediatrician's part - parenthetically, he says, which is one of the many reasons we're leaving them - or if this is something other people should be aware of. I would love to hear your thoughts. Thanks, Dustin. 

Dave Bittner: So I mean, this is very interesting. I suspect there's probably a combination of things here. It could be a little bit of laziness. I'm not familiar with the chapter and verse of HIPAA regulations and what is required versus what's recommended in terms of health records. I would imagine there is a - this is a low-risk kind of thing. I mean, the odds that someone would call in for the medical records of a child and then also show up in person to gather those records, I think that's probably very small chance of that happening. 

Joe Carrigan: Yeah. And does the staff know who you are? I mean, they might recognize you and go, yeah, that's the kid's father. 

Dave Bittner: Right, right. Yes, it could be that the staff sort of leaves it to their discretion that if somebody comes in and they're, you know, looking nervous and sweating profusely or something like that, they'll say, oh, we're going to need to see some ID here. But who knows? 

Joe Carrigan: Yeah, but these good attackers wouldn't do that, though. Good attackers - you know, bad guys are really good at just walking in and being nonchalant and going, yeah, I'm just going to act like I'm supposed to be here. 

Dave Bittner: Right. Right. 

Joe Carrigan: One of the things they do. 

Dave Bittner: Could also be just a legacy policy from the good old days when folks didn't really have to worry about this and... 

Joe Carrigan: That's correct. 

Dave Bittner: And that's that. And it's in need of an update. But I agree... 

Joe Carrigan: And this is the way we've always done it. 

Dave Bittner: Yeah. I would probably - it would make me more comfortable to see at least a little security theater. 

Joe Carrigan: Yeah. 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: Can I see an ID, please? 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: It would also make me more comfortable if they would just send the stuff directly to the other - to the other pediatrician, right? What stops them from just mailing it? That's a bit more secure. 

Dave Bittner: That's right. That's right. 

Joe Carrigan: Why can't we just pack this up into a big manila envelope and ship it across town to the new pediatrician in the U.S. Postal Service? That's a fine way to do this. I'd be happy with that. But this - yeah. I'm a little bit concerned here, but I'm not - I don't think it's that big of a risk factor. I'd like to know what happens when you don't go to a pediatrician's office but you go to an adult doctor's office and ask for this. 

Dave Bittner: Well, I was - yeah. I was just thinking because, like, if you go to see a specialist, they manage to send the information to your primary care physician. And I suspect there's some kind of automated and hopefully encrypted way that they do that. But who knows? 

Joe Carrigan: Yeah, hopefully encrypted. That's what we say, hopefully encrypted. 

Dave Bittner: Yeah. I mean, you know, we've talked before about how it's sort of a pain in the butt that your primary care physician can't email you things because email is not considered secure enough for medical stuff, but faxes are and, you know, so... 

Joe Carrigan: Right. Yeah. 

Dave Bittner: Yeah. It's definitely a system that is ready for disruption (laughter). 

Joe Carrigan: I would agree. I would agree. 

Dave Bittner: So what else do we have, Joe? 

Joe Carrigan: Earlier, we were talking about bandwagoning. I think that was last episode or maybe the episode before it. But Jay wrote in to say (reading) hello, Dave and Joe. I have a similar technique I've noticed in various messaging platforms that allow for group messaging in that someone will bring you into a group usually talking about crypto coin or NFT drops. The conversation is streaming as you join. Every participant is a bot acting out a dialogue-heavy play. Usually, the main user is telling all the good things about the coin or service or NFT, and the bots express interest. And this tries to instill a herd mentality, as well as FOMO, fear of missing out. Because, of course, Dave, it's a limited-time window. 

Dave Bittner: (Laughter) Right. Right. 

Joe Carrigan: Limited time offer, act now, supplies are limited. This is similar to the bot change on YouTube channels, where one bot will express interest in crypto, and the other bots will respond to the first comment expressing satisfaction with X person's service. And even more bots, yeah, I've heard of X, how do you contact X, right? (Laughter) It's, you know, it's - I'm trying to think of the show that this is reminding me of, but I can't remember it off the top of my head. 

Dave Bittner: (Laughter) I remember there was an episode of "The Simpsons" where a... 

Joe Carrigan: Right. 

Dave Bittner: ...Bunch of folks were calling in to the, like, the single-guy phone line or something and - but it ended up only being guys. There were no women (laughter)... 

Joe Carrigan: (Laughter). 

Dave Bittner: ...On the line at all. It was like a... 

Joe Carrigan: Are there any women on the line? 

Dave Bittner: ...You know, it was some kind of party line. 

Joe Carrigan: Yeah. 

Dave Bittner: And it was, you know, it was only (laughter) - only all the usual suspects of single men in... 

Joe Carrigan: Right. 

Dave Bittner: ...Springfield called in. It was pretty funny. 

Joe Carrigan: (Laughter) Jay goes on to say, you have - I have to block group messages on various servers because of this. I assume that they usually get my contact details from some failed pig butchering attempts, which I also don't fall for. Well, that's good. My contact details get passed around to try other methods to rope me into things. Too bad there isn't a do-not-contact list for messaging apps. That is never going to exist (laughter). So - not that it would stop these people but rather encourage them. And I think that's a good point, that if you actually did have a do-not-contact list, it would be the people that you'd want to contact, and the bad guys would be after you. 

Dave Bittner: Yeah. 

Joe Carrigan: And additionally, you really can't have a do-not-contact list across multiple platforms like this because they don't integrate. And you're probably don't even have the same username on all the platforms. 

Dave Bittner: Right. Right. Yeah, I mean, I think about just for plain old vanilla text messaging that you can - for example, you can set it up to - if someone's not in your contact list, it'll go into a different folder, which is a nice... 

Joe Carrigan: Right. 

Dave Bittner: ...Way to filter some of this stuff. But you're right. Across platform, across various social media services, I'm not sure how you could get a handle on this, but... 

Joe Carrigan: Yeah. 

Dave Bittner: Yeah. It's an interesting scam and sort of a pain to get out of. 

Joe Carrigan: Yeah. I mean, you just don't go into the groups, you know? I mean, you know this is happening, Jay. This is - they're coming after you for - because, you know, you're probably interested in cryptocurrency and NFTs. And once they know that you're interested in that, then they're going to just hound you forever. That's just the way it is. So maybe get a new username and tell the people you care about. But I imagine that's also not a trivial task. 

Dave Bittner: Right. Right. All right, well, thanks to everyone who wrote in to us. We would love to hear from you. Our email is hackinghumans@thecyberwire.com. All right, Joe, let's jump into our stories this week. Why don't you start things off for us? 

Joe Carrigan: Dave, I have a story from Siladitya - I'm hoping I'm saying that right - Siladitya Ray over at Forbes. And the story is about how, in the last week, there have been two large companies hit by social engineering attacks. And good news, Dave, I'm a customer of both companies (laughter). 

Dave Bittner: (Laughter) All right. 

Joe Carrigan: So the first one is Uber, and the second one is Rockstar Games. And there is a bad guy who calls himself Teapot. They think he might be associated with the Lapsus$ Group. 

Dave Bittner: Yeah, yup. 

Joe Carrigan: It's hard to say - one too many S's in that name, Dave. 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: But Teapot says that the breach at Uber, he pretended to be an IT employee and got an employee to give up login credentials, which, is, essentially, how - the same way that Twitter was breached, if you remember the Twitter breach... 

Dave Bittner: Right. 

Joe Carrigan: ...Where that guy got access to (laughter) people's accounts, like Barack Obama, and then used that access to conduct some kind of harebrained cryptocurrency scheme. You know, I'm almost mad that he didn't do something better with that, but I'm actually happy that that's what it was because... 

Dave Bittner: Yeah. 

Joe Carrigan: It's a - you know, yes, he squandered a great resource. But fine, let him blow an attack like that. That's good. 

Dave Bittner: Right, right. 

Joe Carrigan: But the - this guy, Teapot, I don't know what he got from Uber. I would imagine that he was in there, probably looking for my credit card information. 

Dave Bittner: (Laughter). 

Joe Carrigan: Probably, specifically, my credit card information. 

Dave Bittner: But that's an interesting aspect of this, that so far, it seems as though - first of all, there's speculation that this was a teenager. 

Joe Carrigan: Yeah. 

Dave Bittner: And that there really doesn't seem to be any financial motive. There's no ransomware. That it might have just been done for fun. 

Joe Carrigan: It could have been. It could have been. But the Rockstar, they - he has taken a bunch of videos of the game. 

Dave Bittner: Right. 

Joe Carrigan: And there's not really a lot of technical details about how he broke into Rockstar. But, you know, I will tell you, these are videos of a project that's in development. And no developer, and especially game developers, want to have their project out in the public view before it's completed. 

Dave Bittner: Yeah. 

Joe Carrigan: It's kind of like taking a profile picture of yourself halfway through a haircut. 

Dave Bittner: (Laughter). 

Joe Carrigan: It's not a good look, right? And they're... 

Dave Bittner: Right. (Laughter). 

Joe Carrigan: ...You know, and I'm sure that they're like, oh, this is just going to be terrible. People are going to be critiquing our halfway-through work, and it's - what a frustrating thing. 

Dave Bittner: Yeah. 

Joe Carrigan: There is a great quote from Rachel Tobac, who's one of our favorite social engineering experts, and she says, the hard truth is that most organizations in the world could be hacked this way. Many organizations don't use multifactor authentication internally and don't use password managers, which leads to leaving passwords and credentials in easily searchable places once an intruder gets in, which is absolutely true. There's a couple of other interesting stories that are referenced in the story, like last month, both Cloudflare and Twilio were targeted in a type of social engineering attack, a phishing attack. It worked at Twilio, but it did not work in - at Cloudflare. Do you have any guesses as to why it didn't work at Cloudflare? 

Dave Bittner: I'm going to - I'll take multifactor authentication for 500, Alex. 

Joe Carrigan: Very good, but not specific enough. 

Dave Bittner: (Laughter). 

Joe Carrigan: Because they were using hardware tokens for multifactor authentication. So they have - at Cloudflare, all their technical staff has to use a hardware token to authenticate. 

Dave Bittner: Right. 

Joe Carrigan: And this article points out that in 2018, Google said that - get this, Dave - none - none - zero of its 85,000 employees had been successfully phished in over a year because they had implemented hardware-token-based authentication. 

Dave Bittner: Well, I read in some of the stories that one of the ways that this person got in to Uber was just by pounding the victim with multifactor authentication requests - you know, send me the number, send me the number, send me the number. And so eventually, it just wore the person down... 

Joe Carrigan: Yeah. 

Dave Bittner: ...Where they just got exasperated and said, just leave me alone. Here's the number. Leave me alone. And that was it. 

Joe Carrigan: Yeah. Yeah. And that's not possible with, like, a FIDO alliance key - like, a YubiKey or a Google Titan or any anything else that's FIDO Alliance-compatible... 

Dave Bittner: Right. 

Joe Carrigan: ...Or approved. You can't badger somebody for it because it's public-private key encryption. 

Dave Bittner: Yeah. 

Joe Carrigan: And you just can't get it. IGN, who is a game news source, is reporting that the FBI is now involved, so maybe there will be some consequences for Teapot. I don't know that that's the case, though, but they have caught other people like this in the past, so maybe. 

Dave Bittner: Yeah. Well, here's hoping. 

Joe Carrigan: Right. 

Dave Bittner: It's an interesting story, and we will have a link to that in the show notes. Joe, for my story this week, I want to start out by asking you, in your estimation, what has been the most covered event in the world over the past couple of weeks? 

Joe Carrigan: It is - I'm going to guess that it is the untimely passing of Queen Elizabeth II. 

Dave Bittner: Yes, I believe you are correct. 

Joe Carrigan: OK. 

Dave Bittner: I have no numbers - I have no actual numbers to back up this claim, but it feels right, and therefore, I believe it's true (laughter). 

Joe Carrigan: It's like when a pope dies, Dave. There's just - that's all the news talks about. 

Dave Bittner: Yeah. Yeah. So I have an article here from securitynewspaper.com, who's a aggregator of security news, and it's titled "Phishing Alert: Giving Your Condolences for Queen Elizabeth II Can Leave Your Data in the Hands of Cybercriminals." This is from - research from Proofpoint, who's a cybersecurity company. They've been seeing some fraudulent emails where the bad guys pose as Microsoft. And what they're saying is - I'll read you a little bit of the message that is going out here. It says, Microsoft is launching an interactive AI memory board in honor of Her Majesty Queen Elizabeth II. To complete it, we need the assistance of our users. Pardon me - it says within this board, neural networks will accumulate, analyze, and organize millions of memorable words and thousands of letters and photos, receiving them from all over the globe. It gets memos from famous people, people close to the queen, and people who just want to say some words of sorrow. Today we are writing the global history, each of us, and altogether, no matter where we are now, a heavy loss unites us. You can learn more or take part in the creation of the Elizabeth II memory board in your Microsoft account. And then there's a box to click that says, Her Majesty's memory. 

Joe Carrigan: That is... 

Dave Bittner: And Joe, what do you suppose happens when you click through to leave... 

Joe Carrigan: That is... 

Dave Bittner: ...Your fond memories of the queen? 

Joe Carrigan: Oh, I'm betting almost - I'd bet almost all my money that that is a phishing landing page for your Microsoft 365 credentials. 

Dave Bittner: You are correct, sir. 

Joe Carrigan: Ah, yes, I win. 

Dave Bittner: That is exactly what it is. And evidently, they're using some kind of phishing framework called EvilProxy, which is a reverse proxy landing page, which helps them harvest credentials, and also try to bypass multifactor authentication. So... 

Joe Carrigan: Yes. 

Dave Bittner: ...You know, I mean, this is something that we talk about all the time, how these folks will use a world event to push people's buttons. And this story emphasizes that as well, that really what they're doing is they're manipulating everyone's emotional state. A lot of people are very sad about the passing of the queen. And so sharing their memories, feeling like they're part of a community who are mourning together - that's something that's going to attract a lot of folks. And you can see how that would be effective here. 

Joe Carrigan: Yeah, yeah, absolutely. I mean, if I was somebody who cared about anybody that calls themselves royal, which I'm not... 

Dave Bittner: (Laughter). 

Joe Carrigan: ...As an American - you know, a former colony of the United Kingdom... 

Dave Bittner: (Laughter). 

Joe Carrigan: ...I'm not very interested in this. But, you know, my wife actually was visibly sad when she told me. She was very upset. So absolutely - this takes a - this woman was really well loved by people. People seem to have a very positive mental image of her, so why not, as a bad guy, exploit that? 

Dave Bittner: Yeah. 

Joe Carrigan: Why not? Why not take advantage of it and tell people, hey, let's all get together and remember the good queen and share our words and thoughts. And give me your Microsoft credentials, and everything will be OK. You'll feel better. 

Dave Bittner: Well, one of the things that strikes me about this is how well-written it is, that there aren't any... 

Joe Carrigan: I was going to comment on that. 

Dave Bittner: Yes. 

Joe Carrigan: It is remarkably well-written. 

Dave Bittner: Yeah. There aren't any of the telltale signs in terms of bad English or awkward wording or anything like that. And it really... 

Joe Carrigan: Yeah. 

Dave Bittner: ...Does seem to be written from the heart, which, of course, it is not. 

Joe Carrigan: It almost sounds like it could have come from Microsoft. 

Dave Bittner: Yeah. Yeah. There you go. 

Joe Carrigan: It's a well-written campaign. Yeah. 

Dave Bittner: All right. Well, I will have a link to that story in the show notes as well. Joe, it's time to move on to our Catch of the Day. 

(SOUNDBITE OF REELING IN FISHING LINE) 

Joe Carrigan: Dave, this is a first, I think. Our Catch of the Day actually comes from us. You sent this to me. This was sent to an email address at thecyberwire, and just - I included this because - mainly because I wanted everyone to know it happens to all of us. 

Dave Bittner: That's correct (laughter). 

Joe Carrigan: This kind of attack... 

Dave Bittner: That's true. 

Joe Carrigan: We all get subjected to these attacks. 

Dave Bittner: You wouldn't believe the emails we get here at the CyberWire. 

Joe Carrigan: Sure. Some of these... 

Dave Bittner: Here's one. It says, (reading) dear friend, I am Vladimir Petrova (ph), a citizen of Ukraine. I am the only surviving son of my parents. My dad and the rest of my sibling were executed by Russian troops during the raid in the city. I was able to escape with two luggages because I was at the basement of my dad's house when they came to attack us past midnight. I'm presently in the border town and was able to send you this mail. Please, I want you to help me get into your country with my luggages. United Nations, Red Cross people ask me what is content of my luggage, but I say it is my family belongings because I'm in fear of who to trust became I know two luggage is contained money in dollars because my father deal on grain selling export to other countries for every year since 1983. He told me the farm exists longer time ago before me was born. 

Dave Bittner: Good God, that's a long sentence. 

Joe Carrigan: (Laughter). 

Dave Bittner: (Reading) Please help me. And you can invest money in grains businesses in your country, please do reply. Be waiting again for you to writing me back to me. Me English very poor, but me seeking you helping to me. Vladimir Petrova. 

Joe Carrigan: My favorite part of this is the subject line is, good news. 

Dave Bittner: (Laughter). 

Joe Carrigan: Dave, what monster thinks that his family being executed is good news? I don't know. 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: That's terrible. The English is, of course, horrible. But you know what? He tries to pass it off by saying, hey; my English is poor, but I'm hoping that you help me. 

Dave Bittner: Yeah. 

Joe Carrigan: This guy... 

Dave Bittner: I almost wanted to read that last line as Cookie Monster. 

Joe Carrigan: Yeah. 

Dave Bittner: Me English very poor, but me seeking you helping me. 

Joe Carrigan: What's in the suitcase - cookies? 

(LAUGHTER) 

Dave Bittner: Well, that would work. There's social engineering that would work on me. 

Joe Carrigan: Yeah. Me, too. 

Dave Bittner: If Cookie Monster came to me and said he needed help smuggling a bunch of cookies, I'd be on board. 

Joe Carrigan: I'd be like, what kind of cookies are they? 

Dave Bittner: Right. Right. Are there any raisins in those cookies? 

Joe Carrigan: Yeah. No? OK. Come on in. Let's help. 

Dave Bittner: Right - very good. 

Joe Carrigan: Aww (ph), crap. They got me. 

Dave Bittner: Yeah. 

Joe Carrigan: They got me with the Cookie Monster scam. 

Dave Bittner: I thought they were chocolate chips, but they were raisins. All right. Well, pretty obvious what's going on here - I mean, they're trying to get you on the hook. This is the standard thing where... 

Joe Carrigan: Yeah. 

Dave Bittner: ...They have a loot box scam where they're... 

Joe Carrigan: Right. 

Dave Bittner: ...Telling you they need some help getting large sums of cash out of the country. Of course... 

Joe Carrigan: He's going to ask you for money for train tickets or something and then plane tickets and then - it's always going to be more money. 

Dave Bittner: Right. 

Joe Carrigan: That's how these things work. If you send them any amount of money, all they're going to do is ask for more. 

Dave Bittner: Right. All right. Well, thanks to whoever sent that in. Oh, wait. That was me. 

Joe Carrigan: That's right. 

(LAUGHTER) 

Dave Bittner: So thanks to the scammer for sending this to the CyberWire and giving me the opportunity to share it here on the show. We would love to hear from you. If you have something you'd like us to consider for the show, you can email us. It's hackinghumans@thecyberwire.com. 

Dave Bittner: Joe, it is always a pleasure to welcome Carole Theriault back to the show. 

Joe Carrigan: It is indeed. 

Dave Bittner: And this week she is speaking with Jamie Bartlett, and they are talking about "The Missing Crypto Queen." Here's Carole Theriault. 

Carole Theriault: So Jamie Bartlett, bestselling author of "The Dark Net," "Radicals" and "The People Versus Tech," has now released a brand-new, much-anticipated book called "The Missing Crypto Queen." To my mind, Jamie, you are the world's authority on the woman who is said to have robbed $200 billion by scamming folks into believing her OneCoin cryptocurrency was the real thing. And only last month, the perp, Dr. Ruja Ignatova, was added to the FBI's Top 10 Most Wanted list. So, Jamie, thank you so much for coming on the show. It's an honor. 

Jamie Bartlett: No, that's quite all right. Yeah, 200 billion, that's maybe quite high... 

Carole Theriault: Right. 

Jamie Bartlett: ...Depends how you measure a scam. But it's definitely one of the biggest Ponzi scheme of the last 20 years, for sure. And I guess me and the FBI, we're the two people that know her better than anyone. 

(LAUGHTER) 

Carole Theriault: If you listen here, these are the pages... 

Jamie Bartlett: I can see it, yeah. 

Carole Theriault: ...Of your hardback book, "The Missing Cryptoqueen." I've only scanned it so far, but it's on my August reading list. 

Jamie Bartlett: Let me know how you enjoy it or not, yeah? 

Carole Theriault: I will. I will. Well, I want to know, are you glad that it's finally finished? Are you glad the book is out? 

Jamie Bartlett: Well, it's horrible writing books, and I don't want to sound like I'm a whinger (ph) because I'm lucky to be able to do it. But it's very stressful, especially this kind of story - petrified about getting little facts wrong, about legal challenges, about threats from people, I mean, all sorts, and horrible reviews, all these, like - it's a really stressful thing. So, oh, yeah, I was just so happy it was out there finally because it's been maybe four years of my life I've been working on this story. 

Carole Theriault: Yeah. 

Jamie Bartlett: So it's definitely a relief to see it out there. But people don't realize when you're doing these kind of investigations, these long form investigations, it's not nice at times. You get very paranoid. You get very worried. You get very nervous. So yeah, I'm just really - I'm relieved. I'm relieved rather than happy, probably. 

Carole Theriault: Well, maybe you should give a quick summary of Dr. Ruja and her scam to our listeners who aren't familiar with the missing crypto queen. 

Jamie Bartlett: Right. The brief version is in 2014, this German Bulgarian businesswoman, Dr. Ruja, appears out of nowhere and basically says, you've heard of bitcoin, but it's really - that's for tech geeks and nerds. I've created one that's better than bitcoin. It's simpler. It's smoother, and it's called OneCoin. And we're early days, so just like how Bitcoin went up in value, OneCoin will go up in value. And it was quite unusual though because it was sold through multilevel marketing, you know, like Avon and Amway and Tupperware and Herbalife. So she said, this is a kind of unique spin that we've got. Anyway, 18 months later, a million people have invested something like 4 billion euros into OneCoin from 175 countries - Japanese businessmen to Ugandan rural farmers, I mean, everyone you can think of in between. And then in October 2017, Dr. Ruja gets on a flight from Sofia, Bulgaria to Athens, Greece, and just disappears. And the whole thing is essentially an old-fashioned pyramid scheme, really, but just with crypto branding laid on top. And she hasn't been seen in public since. 

Carole Theriault: So, yeah. So no one knows where she is at this point, right? 

Jamie Bartlett: Well, I mean, well, maybe I do, but you'll have to read the book. 

Carole Theriault: (Laughter) Because you've flown all over to do some research for this book, didn't you? 

Jamie Bartlett: Oh, yeah. I mean, it's a combination of going places and - on the ground and checking out her yacht and checking out her sort of holiday home on the beach and to her old addresses and all those kinds of things - but also a lot of online research, a lot of sightings because we've had hundreds of sightings, hundreds of tipoffs. And especially since the FBI added her to their Top 10 Most Wanted Fugitives list, I mean, it's nonstop. And the funny thing is, I'll get one phone call saying, I have definitely, definitely just seen Ruja in a bar - in a beach bar in Greece. And then the next day I get one saying, I've definitely - I saw her yesterday. She's in Thailand. 

Carole Theriault: Wow. 

Jamie Bartlett: People's sort of recollection of things - it's been really fascinating to see actually - were nearly always wrong. 

Carole Theriault: Is it possible that she's dead, do you think? 

Jamie Bartlett: It's definitely possible. You got to think about how many people she ripped off. I mean, her brother, Konstantin Ignatov, who took over the company after her, he had a gun pulled on him by Hells Angels saying, give us our money back, or - (inaudible) more than your life is worth - we'll take, and we'll cut out a body part, I think they said to him. 

Carole Theriault: God. 

Jamie Bartlett: So that's who you - she's - you know, she's upset a lot of people. And then those - the people that might be protecting her might decide she's no longer, you know, worth their trouble. So I've always thought it was 20, 30% possible. But the number of sightings I've had, the quality of sightings, the similarity in a lot of the sightings makes me think not. And then the fact the FBI added her to their Top 10 Most Wanted Fugitives list, I don't think they would if they had information suggesting she was dead. 

Carole Theriault: Yeah, that's a really good point. I mean, I think some listeners out there who are about to go on summer vacays (ph) who... 

Jamie Bartlett: Yeah. 

Carole Theriault: ...Might want to take a read of this book and then keep their eyes peeled to see if she might be lounging out on the beach that you guys are on. 

Jamie Bartlett: Absolutely. Now, let me give you a bit of advice. Firstly, I know your listeners, you know, they're extremely wealthy people. So they're going to be going to the same sorts of bars as Ruja... 

Carole Theriault: (Laughter) Right. 

Jamie Bartlett: ...You know, the multi multimillionaire. So make sure you - when you're in your fancy bars... 

Carole Theriault: Yep. 

Jamie Bartlett: ...Keep an eye out. Remember, take a look at the FBI wanted poster. She's five years older. She's probably slimmer. She's probably got blonde hair. And she has had a lot of plastic surgery. So it's not an easy task... 

Carole Theriault: Yep. 

Jamie Bartlett: ...To spot someone. But by all means, yeah, when you're on your superyacht and another one buzzes by, take a look. Is she on there? 

Carole Theriault: That's right. Grab a few snaps if possible. 

Jamie Bartlett: Yeah, please. 

Carole Theriault: Brilliant. Jamie Bartlett, author and investigator extraordinaire, thanks for coming on the show. 

Jamie Bartlett: Thank you. 

Carole Theriault: I can't wait to get my feet in - my teeth in "The Missing Cryptoqueen." 

Jamie Bartlett: Your feet - jump in with both feet. 

Carole Theriault: This was Carole Theriault for "Hacking Humans." 

Dave Bittner: Joe, what do you make of this? 

Joe Carrigan: Dave, I have been fascinated by this story since I first heard the interview that Carole and Jamie did on our show a while ago... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Years ago. But I went out and I listened to the entirety of that podcast, "The Missing Cryptoqueen," and now Jamie has written a book. I might pick that up. But I saw in the news last week that Ruja Ignatova was added to the FBI's most wanted list, which is very interesting. I was - that was like, ooh, new cryptoqueen news. Let me see what's going on here. 

Dave Bittner: (Laughter). 

Joe Carrigan: But it was just that she's been added to the list, which means, I guess, that she's alive because that was one of the... 

Dave Bittner: Or the FBI guesses that she's alive. 

Joe Carrigan: Or the - yeah, the FBI guesses that she's alive. But - now, this woman scammed a ton of people out of a large amount of money - 200 billion with a B dollars. Now, she didn't get $200 billion, but she did get away with billions. And that lets you buy a lot of security. And when Jamie says that he's nervous about writing this book, I'd be very nervous about writing this book, too because you're writing an expose on somebody with billions of dollars who obviously is just fine participating in criminal activity. 

Joe Carrigan: But in order for her to evade law enforcement for as long as she has, she's going to have to partner with some pretty unsavory people. And for that reason, I thought that maybe they got everything they could out of her, or they possibly convinced her to let them hold her billions of dollars and then, you know, just took care of her. But I don't think that's the case now. I'm - now that the FBI has added her to the most wanted list, I think, maybe not. Maybe not. Maybe they'll catch her. 

Dave Bittner: Yeah. 

Joe Carrigan: If you're not familiar with what OneCoin was, the idea was, it was a cryptocurrency - Jamie sums this up pretty well - but one of the key red flags was that they had a private blockchain. And that's kind of counter to the use case of a blockchain for a public ledger for a cryptocurrency. If you have a private blockchain, then not everybody can see the blockchain, and then you can't - that means not everybody can see the transactions, or if - you're not looking at transactions like you're looking at a privacy preserving cryptocurrency. Not everybody can run the math to demonstrate that what's being said is true. 

Joe Carrigan: The problem with this is that cryptocurrency - at the time this scam began and probably even now - is still a mystery to most people, right? So they see, ooh, I missed out on this bitcoin, and they're experiencing this FOMO or this - actually, maybe even more than FOMO - maybe this regret that they didn't buy bitcoin when it was at $25. I know I thought I should buy some bitcoin when it was $25, and I really regret that I didn't. But that didn't make me run out and invest in a bunch of - you know, a bunch of my own hard-earned money into other coins. Now, I do have other coins, but I have not put a lot of money into them. So it's something that, if you're going to invest in cryptocurrency even today - I would say, if you're going to buy any cryptocurrency - even bitcoin or Monero or Zcash or whatever - if you cannot afford to just light that money on fire, don't buy a cryptocurrency with it. Right? 

Dave Bittner: Yeah. 

Joe Carrigan: If that would have an adverse impact on you, don't buy it because you may be doing just that. We don't know where this is going. 

Dave Bittner: Yeah. 

Joe Carrigan: You know, there's not a lot of history here. But this was a scam that was - OneCoin was a scam cryptocurrency built on multi-level marketing, so - which is why she didn't get the $200 billion or - yeah because some other people - when other people sold the cryptocurrency, they'd get a cut. So it's like a scam built on top of a scam, Dave. 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: You know? 

Dave Bittner: Absolutely. 

Joe Carrigan: And I hope they catch her. This woman has ruined a lot of lives. If you listen to the podcast, to Jamie Bartlett's podcast - I think it's just called "The Missing Cryptoqueen" - you'll hear stories of people who have lost life savings. You know, and there was a story of somebody in Africa who paid - I think she gave up just a couple thousands of dollars, but it took her her entire life to save this up. And, you know, here in America, we don't think of somebody with, you know, losing a couple thousand dollars is a big deal, but in Africa, that is a completely different situation. That's like losing tens of thousands or even hundreds of thousands of dollars. 

Dave Bittner: Yeah. 

Joe Carrigan: It's a bad scam. And this woman is - didn't care who she was impacting. She just went out there and sold this stuff and got a bunch of other people involved in it to sell it. And they made billions, and everybody else suffered. Everybody else lost out. 

Dave Bittner: Yeah. All right, well, our thanks to Carole Theriault for bringing Jamie Bartlett on the show. We do appreciate it. We do appreciate all of them taking the time for us. 

Dave Bittner: That is our show. We want to thank all of you for listening. We want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. 

Dave Bittner: The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.