Best Infosec-Related Long Reads of the Week, 11/12/22

An exposé on the hack-for-hire industry, 'Cyber slaves' run Cambodia's scam mills, WeChat users go to great lengths to get their banned accounts back, How Canada took down Vachon-Desjardins

Metacurity is pleased to offer our free and paid subscribers this weekly digest of long-form infosec pieces and related articles that we couldn’t properly fit into our daily crush of news. Tell us what you think, and feel free to share your favorite long-reads via Twitter @Metacurity. We’ll gladly credit you with a hat tip. Happy reading!

Inside the global hack-for-hire industry

A joint investigation by Franz Wild, Ed Siddons, Simon Lock, Jonathan Calvert, and George Arbuthnott for the Bureau of Investigative Journalism and the Sunday Times revealed the contents of a leaked database from inside one of the significant “hack-for-hire” gangs. Appin, a now-defunct firm set up in Delhi more than a dozen years ago, supposedly to train a new generation of “ethical” hackers who could help safeguard individuals and businesses from cyberattacks, is alleged to have secretly established a lucrative sideline taking cash from clients around the world to hack individuals.

As Appin grappled with hacking allegations in 2013, its well-trained former employees scattered like seeds and set up new firms to utilise their freshly acquired talents in the computer dark arts. This created a more diversified Indian hacking industry.

Several set up offices in Gurugram, a city of high-rise glass buildings criss-crossed by dusty pot-holed roads on Delhi’s south-western outskirts, where some of the biggest technology companies in the world, including Meta, Google and Twitter, have offices.

One of Appin’s successors was a company called BellTroX, which became the key new player in the hacking industry. The company’s director, Sumit Gupta, who previously worked at Appin, was placed on a US Department of Justice wanted list after he was caught operating a large-scale hacking operation with two American private detectives.

In 2020, the Canadian cybersecurity watchdog, Citizen Lab, published evidence that the company had hacked more than 10,000 email accounts, including those of British lawyers, government officials, judges and environmental groups, on behalf of its clients.

How Cambodia’s scam mills reel in new “cyber slave” workers

Danielle Keeton-Olsen and Lam Nguyen in Rest of World delve into Cambodia’s scam mills powered by indentured “cyber slaves” lured by the promise of work but forced to work online romance and gambling scams and other fraudulent schemes.

Linh Ne came to Bavet in 2021 at 17 years old, she said, accepting a typist job through Facebook. To cross the border, she pushed through forested areas and waded through a ditch filled with waist-high water; only on arrival did she realize she’d been recruited to a scam company that emulated the shopping platform Tiki. Her employers asked her to defraud Vietnamese shoppers, and she said that when she refused, they starved her. She was sold after two weeks to a second company conducting a romance scam, where her boss gave her a guide to manipulate clients. (“I don’t even have a boyfriend yet,” she recalled thinking to herself.) After two days, she was sold again to the workplace she’s worked at since, and which she said doesn’t physically abuse its workers.

Over the year, Linh has hardened. “If you work here long enough, you will be experienced enough to know what is good and what is bad.”

“Please give me a chance”: WeChat users are handwriting apologies to get their banned accounts back

Viola Chou in Rest of World reveals the lengths to which users who have been banned from the popular chat app WeChat will go to get their accounts back, including sending handwritten letters of guilt to redress their violations of China’s strict content rules.

WeChat is the dominant messaging app in China. Citizens depend on their WeChat accounts to not only communicate with each other, but also to order food deliveries, hail taxis, and pay for groceries. During the Covid-19 pandemic, people have been using WeChat to enter public venues — government-assigned QR codes must be scanned before people are allowed in.

Losing one’s WeChat account means getting cut off from social networks, digital wallets, and basic social services. That devastating experience, however, has become increasingly common as the social media app regularly shuts users out for transgressions ranging from spamming to criticizing the government. In October, WeChat banned a large number of accounts after their owners shared images of a rare protest against President Xi Jinping in Beijing, leaving the users scrambling to get back in touch with their friends, family, and work contacts.

WeChat accounts are so essential to people’s social and professional lives that users, after getting banned, are willing to go to great lengths to retrieve them. In some cases, the app asks users for handwritten apologies before unlocking their accounts, and the users have complied.

Taking down a ransomware hacker

Roxanna Woloshyn, Marie-Maude Denis, and Linda Guerriero of the CBC delve into how an FBI investigation into the likely Russian Netwalker ransomware gang led to the arrest of Sébastien Vachon-Desjardins, an IT analyst for the federal government turned ransomware hacker, by a Candian police officer, Lieutenant Det. Denis Simard of the Gatineau police, and the largest seizure of illicit cryptocurrency in Canadian history.

“He was alone with all those police officers, so was kind of lost,” said Simard.

Simard told Vachon-Desjardins he was executing a warrant for his arrest as part of an extradition order on behalf of the FBI.

“His expression was like someone was asking for help,” said Simard. “He was very down. And he wanted me to stay with him…. He [needed] me like a friend…. But I [couldn’t] stay with him. It’s not my case,” said Simard, who had arrested him on two other occasions.

RCMP officers had begun their search of the house, uncovering a goldmine of evidence.

The RCMP found $300,000 in cash in a shoebox under a pair of slippers in a bedroom closet, keys to safety deposit boxes with $400,000 cash inside, cellphones, computers and hard drives with enough terabytes of data to fill a hockey arena if it was printed out and security keys to crypto wallets holding a current value of $21 million US in bitcoin.