Liam Amarku
Podcast Appearances
So Jabber is encrypted and there are different settings that you can use.
And by default, the setting for attachments is not, it doesn't default to encryption.
So your text, all the messages that you sent are encrypted, but attachments are not encrypted.
They were talking to each other and we couldn't see what it was that they were talking about.
like an Excel spreadsheet with all of their accounting in it or a picture of their desktop.
That was not encrypted and we could extract that from the network and we could see what it was.
We got to see them transferring spreadsheets talking about all of the transactions, how much money they were making, who were the victims, what were the credit card numbers of the victims, what were the home addresses of the victims, what money mules they were using, the identity of all their money mules.
picture of their desktop that they had transferred between each other, two members had transferred between each other, and they were trying to figure out why something wasn't working with their malicious campaign.
So one of the Bayrob members had taken a screenshot and had transferred it to another one, but they had actually gone through my proxy machine at that time, so I could see this.
They were using encrypted chat actually, so I couldn't see the chat, but because the pictures that they sent in the chat were not encrypted, I got this rare opportunity to see this image get transferred across, just like flash across my network.
And when we decoded it, we saw that it was the attacker's desktop.
And then he had his control panel, his attacker's control panel on the desktop.
And he had a Facebook campaign that they were using to try and find victims on the desktop.
And he was running that campaign through a hacked account.