
Ryan McFarlane

Speaker
175 total appearances

Podcast Appearances

Darknet Diaries
175: Bayrob

So they were running Linux with LUKS on it, and then they had a couple of TrueCrypt containers on it.

And then Nicolescu had written his own encryption software, uh, because TrueCrypt was no longer being updated. So that's five layers of encryption just to unlock the laptop? Yeah, four or five different layers, and everybody in the group got the same package, essentially. And they also, that was not the extent of it, they also got some networking gear, so each of them got a custom flashed router.

And that custom flashed router would allow them to proxy their traffic between their different houses.

And their operational security was that their first hop from their house was using a directional Wi-Fi to the internet.

And that individual, say, you know, Nicolescu was in Brașov, he would establish that on the router, the custom flashed router.

And then he would communicate to the other group that his router was set up and everybody would tunnel their traffic for the group through that stolen Wi-Fi through the router at that location.

And then they'd switch the router the next week to another individual's home.

And that was why we were seeing the encrypted traffic between the two locations that we couldn't explain.

It was their tunneled encrypted traffic that was then being sent over stolen Wi-Fi using the directional antennas, then to Tor or a proxy network, then to infected systems, then up into the command and control infrastructure.

So again, they were doing a pretty good job of hiding their tracks.

So Danet ends up pleading, and we confronted him with the evidence during a proffer session.

And during our investigation, one of the things we did with the evidence collection is we had really good visibility into when they were logging into and logging off of all of their criminal accounts.

And we didn't know it at the time, but this information ended up being incredibly valuable because it established this pattern of life for all the different actors.

We could see when they were online doing, you know, like in their criminal accounts and when there were large gaps.

And when we were able to get Danet's personal computer and search that, he liked to travel, and he vacationed a lot, and he also took photos of everywhere he went.

He was an avid photographer.

So we could see through the photo metadata when he was in these certain locations, and then we overlaid it with all the criminal account data, and you could see that every time one of these accounts went dark,