
Hacker Publishes 2TB of Data from Cayman National Bank - andruby
https://twitter.com/DDoSecrets/status/1195899716653010945
======
jokoon
After watching The laundromat, I think it's big news.

Although I will always be curious why countries are letting those small,
insignificant islands and countries manage all this wealth, and why they're
trusted to do it. This can't be secure or safe. I'm curious about the
diplomacy and the political implications of this.

What if their office gets robbed? What if the island gets attacked? What if one
of those shady banks defaults? What if one of the people who manage it suddenly
dies? I mean apparently there is a long list of why it's risky, and I don't
understand how this is even legal at all. How do you wire all this money to
such a small place, and how can they trust so few people to hide so much
money? I have so many questions.

~~~
gxqoz
A recent piece in The Guardian argues that South Dakota and other US states
are actually becoming the go-to place to store anonymously your illicit cash
and make sure that your heirs can inherit it without taxes forever:
[https://www.theguardian.com/world/2019/nov/14/the-great-american-tax-haven-why-the-super-rich-love-south-dakota-trust-laws](https://www.theguardian.com/world/2019/nov/14/the-great-american-tax-haven-why-the-super-rich-love-south-dakota-trust-laws)

Partly because the US has compelled other countries to provide more
transparency without joining that transparency organization itself.

"Congress responded with the Financial Assets Tax Compliance Act (Fatca),
forcing foreign financial institutions to tell the US government about any
American-owned assets on their books. Department of Justice investigations
were savage: UBS paid a $780m fine, and its rival Credit Suisse paid $2.6bn,
while Wegelin, Switzerland’s oldest bank, collapsed altogether under the
strain. The amount of US-owned money in the country plunged, with Credit
Suisse losing 85% of its American customers.

The rest of the world, inspired by this example, created a global agreement
called the Common Reporting Standard (CRS). Under CRS, countries agreed to
exchange information on the assets of each other’s citizens kept in each
other’s banks. The tax-evading appeal of places like Jersey, the Bahamas and
Liechtenstein evaporated almost immediately, since you could no longer hide
your wealth there.

How was a rich person to protect his wealth from the government in this scary
new transparent world? Fortunately, there was a loophole. CRS had been created
by lots of countries together, and they all committed to telling each other
their financial secrets. But the US was not part of CRS, and its own system –
Fatca – only gathers information from foreign countries; it does not send
information back to them. This loophole was unintentional, but vast: keep your
money in Switzerland, and the world knows about it; put it in the US and, if
you were clever about it, no one need ever find out. The US was on its way to
becoming a truly world-class tax haven."

~~~
bouncycastle
> place to store anonymously your illicit cash

What if I just want a place to anonymously store my legally gained cash?

Unfortunately, it seems the normal people lost their privacy nowadays at the
expense of the criminals and the "If you've got nothing to hide, you've got
nothing to fear" argument has taken a stronghold in the financial sector.

~~~
karambahh
Because the social contract of most countries is that your legally gained cash
is to be taxed in one form or another and thus has to be known by the tax
authorities?

You can argue that your assets are to be private to the general public but
some countries do not have that assumption (Norway comes to mind).

~~~
bouncycastle
By "legally gained cash" I mean that taxes have already been paid for it.

~~~
jobigoud
It's a trust but verify thing I believe. If the cash is anonymized, how can
they know if the owner of this cash did in fact pay their taxes on it? Either
they blindly trust everyone to properly declare all of their income, or they
need to have some form of traceability.

~~~
bouncycastle
So everyone is assumed to be a criminal until proven otherwise?

~~~
RugnirViking
How else do you propose taxation is assured? Blind trust?

~~~
squiggleblaz
Tax assets not transactions.

Land ownership is registered for good public purposes which does not
unreasonably destroy privacy concerns - it's usually obvious who (person or
business) controls the land anyway (who should a tenant pay the rent to? who
gets to decide if you can be a tenant?) and it gives people a great deal of
confidence that they know that whoever is recorded in the government land
registry as having a right to sell the property actually has that right. The
common law approach of having to hold a series of documents that identify a
continuous line of owners going back to some unconfirmable initial grant by a
long dead king is not in the interest of the purchaser of the land.

Moreover, the market distortions taxing land (as the primary source of
government income) will have are generally positive. A person can no longer
buy a house in the hope that the land it sits on will double in value. They
can only buy a house in the hope that they are capable of making a profit out
of it; the land purchase merely gives them the right to improve it.

The same advantages may be visible for taxation of share holdings: instead of
simply trying to profit from someone else's actions, you would buy shares
because you think the dividends will exceed other income sources for the same
purchase. It may be legitimate to have anonymous share holdings which require
active detective work, so it's possible this would be an unreasonable invasion
of privacy.

~~~
mcny
> Tax assets not transactions.

I know I've said that we shouldn't do public policy by taxes but taxing wealth
instead of income probably isn't easy. We can tax income because one person's
income is another person's expense if I understand how this works.

~~~
Nasrudith
Reminds me of an anecdote of old tax policies on things like silverware and the
difficulty in believing and searches from one austere preacher who anomalously
for his station didn't own a single set. And others like the tax on windows,
which led to boarding up of windows in slums and became derided as a tax on
light and air.

The answer seems to be that how well it works depends heavily on what the
asset is.

------
cookie_monsta
Strangely under-reported is that the same hacker is offering up to 100k to
others who perform similar acts of hacktivism:

[https://www.vice.com/en_us/article/vb5agy/phineas-fisher-offers-dollar100000-bounty-for-hacks-against-banks-and-oil-companies](https://www.vice.com/en_us/article/vb5agy/phineas-fisher-offers-dollar100000-bounty-for-hacks-against-banks-and-oil-companies)

~~~
dmix
So this activist has somehow profited from his “hacktivism” and he wants to
spread his wealth to other activists?

~~~
daveguy
Or possibly someone who became wealthy in the software/opsec industry who
believes what they do is for the good of humanity. To a person with a net
worth of 100MM+ 100k would not be significant.

The funds didn't necessarily come from the hacktivism.

Edit: Given the bounty is paid in bitcoin, somewhat more likely the funds are
donations/fees from hacking. Not likely it came from funds deposited to an
exchange (traceable account). Could also be someone who was mining in 2009
(and not from the hacking itself).

~~~
marcusjt
Or possibly the payment is offered in bitcoin because that's how anyone
"performing similar acts of hacktivism" would want to be paid?

~~~
daveguy
Yes. That's what the edit (from a few minutes after the original post) says.

------
chelmzy
Pastebin with translated guide on how they hacked the bank:

[https://pastebin.com/8rXhtqgr](https://pastebin.com/8rXhtqgr)

~~~
badrabbit
It doesn't tell you how they infiltrated to begin with so that they can sniff
cookies and keystrokes. But my guess is they phished an employee.

Edit: I missed that part, sorry.

~~~
goatsi
I thought it was pretty clear. They had already developed a Sonic Wall VPN
exploit. They used zmap to scan for vulnerable devices then grepped the
hostnames for "bank". When they exploited the VPN it gave them the whole
network.

>In this case, on the other hand, it was the same Windows domain passwords
that were used to authenticate against the VPN, so I could get a good user
password, including that of the domain admin. Now I had full access to his
network

~~~
tetha
To me, the scary part about this is: After Equifax, this is another big
hack... and practically, it's one layer of defense and that's it. Shellshock,
one password, everything's fucked. And yes, expletives are appropriate there.
The rest is largely access maintenance, keyloggers and execution.

That's scary. Maybe I'll need to badger my boss about a serious pentest of
everything.

~~~
badrabbit
Dude, forget a pentest, have a security architect look things over. Simple
segmentation and endpoint firewall with a good EDR might have stopped this.
Everyone misses the basics; a lot of networks were pieced together 10+ years
ago when people were not as security conscious as they are now.

~~~
SlowRobotAhead
Our first pen test, before I took over as CTO... We had a JSON file with admin
credentials on a shared drive. IT company needed it there so some tool could
log in as admin and do some robot work.

Fired them, and good riddance. But... STUPID SIMPLE things can get overlooked
for years until you have someone else come in and test.

+1 for pentests.

~~~
pc86
So after firing the vendor, who on your side got fired for allowing it in the
first place?

~~~
badrabbit
Why would anyone get fired? Explicit approval and implicit incompetence should
be handled differently. If pentests get people fired, no one wants a pentest.
Refusing to accept and resolve pentest results can be fireable, but a pentest
is supposed to help you improve what you have already.

------
slovenlyrobot
I had a quick peek at the web server log, it's tiny. The typical legitimate
egress from this network is likely somewhere well under 1 GB/day, yet somehow
these people managed to upload at least 2TB without being noticed.

In a well-maintained network an upload like this should have paged someone as
it was happening, probably sometime in the first 5-10 minutes. Say your
outbound pipe was 100 Mbit; if it is pegged for 15 minutes I can't see any
reason why a small installation like this wouldn't want to know they've just
spat out 11GB of data for some unknown reason.

Even divvying things up over 14 days (per the age of the data), it's still
around 6GB/day. This should have shown up in a monitoring graph somewhere, or
triggered a page.
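As an added example (not code from this thread or from any product it mentions), here is a small Python detector for the two checks the comment describes: an outbound link pegged for a sustained window, and a per-day egress total far above the site's usual baseline, which also catches a slow, rate-limited upload. The 100 Mbit link, the thresholds and the per-minute byte counters are constructed assumptions; a real deployment would read counters from a firewall or flow-export feed.

```python
from __future__ import annotations
from dataclasses import dataclass

# Assumptions for this example (not values from the thread's log):
LINK_BITS_PER_SEC = 100_000_000        # 100 Mbit/s outbound pipe
PEGGED_RATIO = 0.90                    # "pegged" = at least 90% of capacity
PEGGED_MINUTES = 15                    # ... sustained for this many minutes
BASELINE_BYTES_PER_DAY = 1 * 10**9     # normal legitimate egress: ~1 GB/day
DAILY_MULTIPLIER = 3.0                 # page when a day exceeds 3x baseline


def bytes_per_minute_at(ratio: float) -> int:
    """Bytes sent in one minute when the link runs at the given utilisation."""
    return int(LINK_BITS_PER_SEC * ratio * 60 / 8)


@dataclass(frozen=True)
class Alert:
    kind: str            # "pegged_link" or "daily_volume"
    start_minute: int    # offset into the counter series
    total_bytes: int


def detect_pegged_link(per_minute: list[int]) -> list[Alert]:
    """One alert per run of >= PEGGED_MINUTES consecutive minutes above threshold."""
    threshold = bytes_per_minute_at(PEGGED_RATIO)
    alerts, run_start = [], None
    for i, b in enumerate(per_minute + [0]):   # trailing 0 closes an open run
        if b >= threshold:
            run_start = i if run_start is None else run_start
            continue
        if run_start is not None and i - run_start >= PEGGED_MINUTES:
            alerts.append(Alert("pegged_link", run_start, sum(per_minute[run_start:i])))
        run_start = None
    return alerts


def detect_daily_volume(per_minute: list[int]) -> list[Alert]:
    """Catch rate-limited exfiltration: compare each day's total against baseline."""
    alerts = []
    for day_start in range(0, len(per_minute), 1440):
        total = sum(per_minute[day_start:day_start + 1440])
        if total > BASELINE_BYTES_PER_DAY * DAILY_MULTIPLIER:
            alerts.append(Alert("daily_volume", day_start, total))
    return alerts


def run_detection(per_minute: list[int]) -> list[Alert]:
    return detect_pegged_link(per_minute) + detect_daily_volume(per_minute)


def build_sample() -> list[int]:
    """Constructed 14-day series: quiet background plus two exfiltration patterns."""
    quiet = int(0.6 * 10**9 / 1440)           # ~0.6 GB/day spread evenly
    minutes = [quiet] * (14 * 1440)
    # Day 2 at 03:00: link pegged for 15 minutes (the ~11 GB burst from the comment)
    for m in range(1440 + 180, 1440 + 180 + 15):
        minutes[m] = bytes_per_minute_at(0.98)
    # Days 6-9: slow exfil adding ~6 GB/day, far below the "pegged" threshold
    extra_per_minute = 6 * 10**9 // 1440
    for m in range(5 * 1440, 9 * 1440):
        minutes[m] += extra_per_minute
    return minutes


if __name__ == "__main__":
    for a in run_detection(build_sample()):
        print(f"{a.kind:13s} day {a.start_minute // 1440 + 1:2d} "
              f"minute {a.start_minute % 1440:4d} total {a.total_bytes / 1e9:.2f} GB")
```

The burst trips the pegged-link check within the window the comment names, while the slow upload never does and is only caught by the daily total, which is why both checks are needed.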

~~~
draw_down
Maybe. Do we know how they exfiltrated it? They may have done it in a rate-
limited fashion.

~~~
nvr219
Or had someone local to just put it all on USB.

------
gruez
magnet of the torrent since the site seems to be overloaded:
magnet:?xt=urn:btih:5b1b0092848d0b8e2f08d825111264c4818a2df3

------
asymmetric
A .torrent file hosted by the Internet Archive, since DDOSecret is apparently
being DDOSed:
[https://web.archive.org/web/*/https://data.ddosecrets.com/fi...](https://web.archive.org/web/*/https://data.ddosecrets.com/file/Sherwood/Sherwood.torrent)

~~~
black_puppydog
This size of dataset does seem to me like a good case of why the current
torrent format is lacking. Many people might be interested in generally
seeding for this torrent, and maybe pulling some of the files. But few are
actually going to download the full 2TB. At the moment, I can select
individual files to download and seed, ignoring the rest, but I cannot say
"download what I want, and then seed random blocks up to a size of X GB." It's
quite conceivable that in a few months, the bigger, less "popular" files will
be very hard to come by.

That's (maybe the) one thing I think IPFS gets really right: full availability
of the whole dataset, regardless of the popularity of the individual blocks.
There were some BEPs about that IIRC, but they never got anywhere. I always
figured archive.org and similar collection hosters would be interested in this
sort of thing, so that people can just "donate 1 TB to archive.org" or such.

~~~
22c
I agree with what you're saying, although there is not really a reason why
this can't be done with BT client-side. It's just that, AFAIK, no torrent
client supports this.

BT will, by default, prefer to download the least popular blocks. Client-side
just needs a setting to "stop downloading after X blocks", divide your 1TB by
the block size, and that's how many blocks you need to download to get 1TB.

I will add though, unfortunately with this torrent (at least the one that I am
attempting to download), simply seeding a certain number of blocks is not very
helpful. The files are mostly in a few giant zip files.

------
m0zg
This is going to be swept under the rug faster than Epstein, assuming it even
surfaces in the mainstream press at all. Lots of rich people run their stuff
through the Cayman Islands, probably more than through Panama. So far, as far
as I can tell, no mention in the US. The entire front pages of major national
newspapers (WaPo and NYTimes) are dedicated to their single-minded mission of
telling everyone that orange man is bad.

~~~
hurrdurr2
Regrettably the media needs to publish what gets the most clicks;
unfortunately what gets the most clicks these days is partisan stories that
gets readers riled up.

That Panama leak story was also quickly "forgotten" by the MSM.

~~~
glofish
Are you blaming the media for getting people what they want?

As long as people demand the click-bait only the ones that provide such
content will survive. Let's thank our luck that it is not Infowars style
clickbait, so some resemblance of sanity still remains.

FWIW the Panama papers have had a noticeable impact, especially where it
matters most, clawing money back

[https://en.wikipedia.org/wiki/Panama_Papers](https://en.wikipedia.org/wiki/Panama_Papers)

~~~
zionic
>Are you blaming the media for getting people what they want?

Media is not inherently profitable, it's a loss leader whose ultimate product
is influence and the manufacture of consent.

------
badrabbit
From what I read the hack was not sophisticated at all. If they had decent
endpoint protection this would not have happened. Maybe they disabled Defender
after the initial access and privesc because Defender blocks Get-Keystrokes
and other things in Empire, even with significant modification.

Anyway, I don't care about the hacktivism and propaganda (don't really get it
-- tbh, rich people bad/corrupt?) But would very much be interested in any
post-incident analysis of what happened.

But here's what stands out to me: they're talking about using Empire and hvnc.
Empire is by design detectable; you could use the techniques in Empire in your
own malware though. Most rats and bots (take TrickBot) let you sniff key
strokes, run commands, etc. So I guess they used psexec or winrm to access
the hosts (no VLAN segmentation or firewall on endpoints!?). I ask all this
because the specific MO is significantly different than what is seen with
criminal actors and crimeware (like Carbanak, which she mentions). And to me, it
does corroborate the story that this was likely an independent hacker
motivated by hacktivism as opposed to a bigger conspiracy to burn some group
and plant false records in the leak (which could still, less likely, be the
case).

Very exciting, righteous hack.

I think overall, the bank cheaped out on IT and paid big time for it.

~~~
arminiusreturns
Here's the thing. While most people on HN tend to be in the global top
performers when it comes to IT, the vast majority of businesses are simply
ripe, low hanging fruit just waiting to be breached, and almost every time it
is because of a failure of management to understand the importance of those
things. Way too many 60 year old men who barely know how to use a computer are
at the top of orgs, and are stuck in the janitorial cost sink fallacy of IT. I
also put a lot of this on the heads of IT directors or senior sysadmins, who
are failing to convey the importance of the matter to those C-levels in terms
they understand.

I have learned this the hard way, having started up an MSP at one point and
done a lot of contracting to help orgs unfuck their infra, I have seen it all
first hand, from 5-30 person lawfirms to fortune 500 oil companies to unicorn
startups. I have been the senior sysadmin who failed to convey things in a way
the got through C-level thick skulls, and most of my career trajectory has
been angled towards keeping up with the sysadmin transition to devops while
learning how to fill that gap so I don't repeat those mistakes. I've failed
multiple times, but each one is a lesson I learn from and try to apply to the
next place, and sometimes C-levels literally just don't care and can't be
reached, and nothing happens till a major breach or lawsuit costs lots of
money.

To me, this is the importance of the CTO/CIO roles. The problem is, again, the
vast majority of America isn't SV. I would say ~80% of companies I saw didn't
even have those roles, and if they had someone in that role but without the
title (like IT director), they often didn't have a seat on the board or any
real influence with the C's. I have also seen those roles taken by people who
should be in other positions but enjoy the "C" title too much, to the
detriment of the org.

Sorry, this got kind of ranty, but it's an issue I obsess over in trying to
find better solutions for. Basically I'm learning how to hack management
instead of computers these days.

~~~
matheusmoreira
> I also put a lot of this on the heads of IT directors or senior sysadmins,
> who are failing to convey the importance of the matter to those C-levels in
> terms they understand.

Why? Understanding the risks involved before making a decision is the
responsibility of executives. If they calculate that the risks are minimal and
crackers prove them wrong by causing damage to the tune of millions, they have
only themselves to blame.

How many times have people explained the need for things to be done properly,
only for proper infrastructure to be written off as too costly and
unnecessary? The fact is they are taking a calculated risk: they get to spend
less on information security by _assuming_ nothing bad will happen. Claiming
that it's the fault of system administrators is just yet another power move:
scapegoating in order to avoid responsibility.

They make the decisions and should face the consequences.

~~~
arminiusreturns
I'm torn on this one, because for years I took your position... but there were
numerable times I saw directors/seniors fail to convey that information in an
understandable way when the C's might have been open to it when presented
differently. There are certain cases where the C's don't listen at all, and
there's not much that can be done, but there are also cases where the C's just
haven't been presented the information properly.

This is why I am increasingly putting importance on the skills of the Director
or CTO/CIO position, because they need to be the kind of person who can handle
the board/meeting room but still understand the tech enough to a) not be
fooled or lied to and b) understand the real business risks and weigh them
properly while overseeing the implementation of solutions.

So I understand and am sympathetic to your point, but I think there is a lot
more nuance there. Yes, ultimately the buck stops at the C's, but as the
sysadmin who has failed to talk to them well, I still feel like we could do a
much better job on our end. This is why I think a lot of more senior devs/ops
types of people could do extremely well in the C positions if they got their
MBA and had a C-level mentor. Trying to do the opposite, where you try to
tech-ize a traditional MBA C-type fails much more often in my opinion, but,
that's who dominates those positions. I see market opportunity!

------
v4dok
Is there a forum/IM where someone has already found out any interesting parts?
I am unable to download 2TB of data

~~~
danaos
You don't have to download the entire folder. Some parts are less than 10 GB.

------
mikorym
_To these people [the very rich], taxes are costs. And costs are there to be
reduced, ideally to zero._ [1]

[1] [https://www.cumex-files.com/en/](https://www.cumex-files.com/en/)

------
Miner49er
A news article on it with more info and the full HackBack:
[https://unicornriot.ninja/2019/massive-hack-strikes-offshore-cayman-national-bank-and-trust/](https://unicornriot.ninja/2019/massive-hack-strikes-offshore-cayman-national-bank-and-trust/)

~~~
neonate
Another related article: [https://www.vice.com/en_us/article/vb5agy/phineas-fisher-offers-dollar100000-bounty-for-hacks-against-banks-and-oil-companies](https://www.vice.com/en_us/article/vb5agy/phineas-fisher-offers-dollar100000-bounty-for-hacks-against-banks-and-oil-companies).

------
oriettaxx
English translation here
[https://pastebin.com/8rXhtqgr](https://pastebin.com/8rXhtqgr)

really great content!

------
Nextgrid
I’ve read the Pastebin and I wonder, where did they send the 200k to be able
to cash them out without getting in trouble? I’ve always assumed that
diverting electronic money is relatively easy, the hard part is to convert it
to a physical or untraceable form without getting caught; I assume the
receiving bank would have kept a record of the incoming transfer and what
happened with that money afterwards.

~~~
pearjuice
Plenty of people on the darkweb allow for flushing of bank transfers to
untraceable crypto currencies. Typical scenario: use an unknown (homeless,
hacked account whatever) person to register bank account, send money to bank
account, withdraw in cash or use digital service to convert to cryptocurrency.
Money is gone and owner of bank account might not even know and can probably
not be held responsible. The reason the hacker got caught was because he made
invalid SWIFT transactions to accounts in Mexico and someone found out the
reported errors and checked other transactions.

------
ptah
This will have as much of an effect as the panama papers: other than some
journalists involved in reporting it getting killed, nothing will change.

~~~
stef25
Supposedly the hacker distributed the money to various good causes.

------
prirun
So what? People with billions don't get in trouble, as evidenced by the 2008
financial scam, er, I mean "crisis".

The kind of people who get in trouble is a mom stealing a pair of socks from
Walmart. That, they will throw the book at. Hiding or stealing billions? No
prob.

------
alexnewman
If someone could tell me what country owns the Tbills in the Caymans
([https://ticdata.treasury.gov/Publish/mfh.txt](https://ticdata.treasury.gov/Publish/mfh.txt)),
I'd really appreciate it.

------
40four
You know it's a good, fiery HN debate when you have to scroll down about 3/4
of the page to find the 1st comment that's not a child, chained off the top
comment! :)

------
sillypuddy
Oh good, I forgot my account number. Can someone DM it to me?

------
Shaddox
The read up is very interesting but I don't understand the Sonic Wall VPN
exploit and how they planted the keylogger in the first place.

Was it an inside job?

------
buboard
Oooh Cayman islands, that one must be juicy

------
smarri
Like a Mr Robot sub plot

------
xmly
Where could I download!

~~~
unnouinceput
Search through twitter, there is a torrent as well.

------
Glosster
Reading this, it all seems so doable. Banks must indeed be getting hacked on a
daily basis, it's just that they hide it so well!

------
gingeruser206
Oops.

------
tomohawk
Consider this holocaust survivor.

[https://www.telegraph.co.uk/news/2016/05/16/holocaust-survivor-was-not-a-tax-cheat-judge-rules/](https://www.telegraph.co.uk/news/2016/05/16/holocaust-survivor-was-not-a-tax-cheat-judge-rules/)

His family is murdered by Nazis but he escapes to the UK. He sets up offshore
funds in the event something like the holocaust happens again, but the tax
authorities go after him.

This is one of many reasons for people to set up offshore accounts that have
nothing to do with illegal activities.

How many people like this has this person hurt?

Where does this belief in the infallibility of the tax man come from?

~~~
lm28469
> How many people like this has this person hurt?

Could be for an holocaust fund, Bezos secret birthday party fund or for your
new 4k TV it's all the same, pay your taxes, then do whatever you want with
your money. It really isn't that complex.

~~~
tomohawk
You seem to be conflating people keeping money in offshore accounts with
cheating on taxes. Some people who have offshore accounts probably cheat.
Other people are not cheating. The referenced person was not cheating, and,
not that he needed it, he had a very good reason for having the offshore
accounts.

Hacking in and publicizing people's offshore account information hurts both
groups. It's irresponsible. It hurts people who pay their taxes and are not
doing anything wrong. If a government went in and, without any due process,
started convicting people just because they had an offshore account, we would
not be praising that government.

