Cybersecurity expert Tyler Robinson was in an online forum, watching when a hacker bragged about selling the data of 700 million LinkedIn users just days ago.
This is the story of people who build false identities to hunt cyber criminals, screen to screen.
"Real trust within these groups can take a very long time, depending on the level of access and information provided to you, you're probably not going to do that within a year or even two years," says Tyler Robinson, CEO, and founder of Dark Element. "Many of our personas have been cultivated and curated over the last five to 10 years."
Even though the private sector owns and operates nearly 90% of critical U.S. infrastructure, things like pipelines and cell phone towers, American companies don’t rely on the government for protection -- they go to people like Robinson, who maintains dozens of personas.
"It does take a lot of backstories where we are providing dogs, pictures of food, different work-related topics, as well as the technical topics. You have credit cards, you've got cell phone numbers you have to maintain," Robinson says.
The more detailed the persona, the better.
"When we have major efforts that we're going at, we do use a screenwriting tool, and the tool helps you build your characters. It helps you get into your motivation for each one. It builds a little dossier," says Chief Intelligence Officer of Treadstone 71 Jeffrey Bardin.
Bardin focuses on cybercriminals in the Middle East and Africa who may be tied to foreign intelligence services. Besides a screenwriting program, he uses translation software and personality tests. But first, Bardin builds detailed profiles of targets, like this one -- blurred for security:
"We're looking at everything from age and birth date and birth location and parents' information and upbringing, schooling and education -- we'll look at their current locations, where they live, where they work. We'll look at their activities outside of work," Bardin says.
These experts have provided information on high-profile ransomware and supply chain attacks you’ve heard about in the headlines -- for both private companies and federal agencies. Non-disclosure agreements bind them but share alarming trends:
Robinson found criminals targeting products that companies often turn to for security -- like threat emulation software Cobalt Strike. Bardin traced a path from the cyberworld to the physical.
Former hackers in Iran shutting down their groups and traveling overseas under the guise of leisure. Instead, he says they’re collecting information on dissidents for Iranian intelligence services.
And the consequences for dissidents can be disturbing.
"Cyber disinformation, misinformation, and character assassination, but eventually into physical termination. Killing somebody," he says.
Even sharing some tactics with Newsy means Bardin will consider modifying his methods, so adversaries don’t catch on.
It’s a job that never ends.
Sasha Ingber at Newsy first reported this story.