One day Connor Tumbleson got an email saying his identity has been stolen. And this was one of the strangest days he’s ever had.SponsorsSupport for this show comes from Quorum Cyber. Their mantra is: “We help good people win.” If you’re looking for a partner to help you reduce risk and defend against the threats that are targeting your business — and especially if you are interested in Microsoft Security — reach out to Qurotum Cyber at quorumcyber.com.Skiff is a collaboration platform built for privacy from the ground up. Every document, note, and idea you write is end-to-end encrypted and completely private. Only you and your trusted collaborators can see what you’ve created. Try it out at https://skiff.com.Support for this show comes from AttackIQ. AttackIQ’s security optimization platform emulates the adversary with realism to test your security program, generating real-time performance data to improve your security posture. They also offer free training. Head to attackiq.com to get a closer look at how AttackIQ can help you today.Sourceshttps://connortumbleson.com/https://krebsonsecurity.com/2022/10/glut-of-fake-linkedin-profiles-pits-hr-against-the-bots/Snippet from Darknet Diaries ep 119 about North Korean’s getting tech jobs to steal bitcoin https://www.youtube.com/watch?v=v1ik6bAwELAAttributionAssembled by Tristan Ledger.Sound design by Garrett Tiedemann.Episode artwork by odibagas.Mixing by Proximity Sound.Theme music created by Breakmaster Cylinder.
I remember this one time I really botched a job interview. I was young, in my early 20s, and I applied to do surveillance at a casino. You know, the eye in the sky, watch 20 monitor screens at once and try to find someone cheating or stealing things in the casino, and then call the security guards on them. Well, I got an interview with the head of casino security and things were going well.
We hit it off and he liked my resume. But then he asked me one last question. If you saw me stealing in the casino, would you turn me in? Now, I was dumbfounded by this question. What is this, some kind of ethics test? I mean, he's the head of security. If I saw him stealing, who would I even report it to? I was baffled on how to answer this. But I wanted this job bad.
So I did a whole bunch of mental gymnastics to try to read his face and see what answer he wanted. I mean, the first thing that popped into my mind was that quote from the Godfather. Here, listen. You're my older brother, and I love you. But don't ever take sides with anyone against the family again. Don't take sides against the family? Who do you think started the whole casino business?
It was mobsters. So what did this head of security cherish more? Family or the law? It's an impossible thing to answer. I felt as if I was on the poker table, going head to head with him, trying to read what cards he was holding. And my job was what was on the line. Well, I blurted out, Of course I wouldn't turn you in. You're my boss.
And with that, he stood up and said, thanks for coming in, but we're looking for someone else. Good luck. And he reached out to shake my hand. I quickly realized my mistake. Taking the family side was the wrong answer. It's the definition of corruption. Even if he wanted me to always protect the family, this was just too soon of a test to ask me something like that.
I wasn't part of the family yet. Siding with him. was taking sides against the casino itself. And if he was actually corrupt, he wouldn't show his cards like that so early in the first interview with someone. So I reversed my position. I shouted, no, no, no, I would definitely turn you in. The casino is who I work for, not you.
He smiled and shook his head and walked me to the door and said, better luck next time, kid.
These are true stories from the dark side of the internet. I'm Jack Recider. This is Darknet Diaries. This episode is brought to you by SpyCloud. For some people, ignorance is bliss.
But for you, as a security practitioner, that's not the case. I went to spycloud.com to check into my darknet exposure, and I won't tell you what it is, but spoiler alert, I found some things that are pretty eye-opening. From breach exposures to info stealing malware infections, knowing what criminals know about you and your business is the first step to setting things right.
Resetting stolen passwords and addressing the enterprise access points that have been stolen by malware helps you protect your business from ransomware, account takeovers, and online fraud. With SpyCloud, you have a trusted partner to fight the good fight with.
Their automated solutions, which is built on over 350 billion recaptured assets from the criminal underground, ensure you're not in the dark when it comes to your company's exposure to cybercrime. To get your full Darknet exposure report, visit spycloud.com slash darknetdiaries.
That's spycloud.com slash darknetdiaries. This episode is sponsored by Delete Me. In episode 133, I spoke to Connor Tumbleson about some people from who knows where who were stealing his identity.
Luckily, they weren't out to destroy his reputation or extort him, but think of the damage that could be done. We all have data out there, which data brokers use to make profit. Anyone on the web can buy your private details to do anything they want. This can lead to identity theft, phishing attempts, harassment, and unwanted spam calls. But there's a solution called Delete Me.
I tried it and they immediately got busy scouring the internet for my name and gave me reports on what they found. And they got busy deleting these things. It was great to have someone on my team when it comes to privacy. Take control of your data and keep your private life private by signing up for Delete Me.
Now at a special discount for my listeners, you can get 20% off your Delete Me plan when you go to joindeleteme.com slash darknetdiaries and use promo code DD20 at checkout. The only way to get 20% off is to go to joindeleteme.com slash darknetdiaries and enter code DD20 at checkout. That's joindeleteme.com slash darknetdiaries code DD20.
So let's start out with who you are. What do you do?
Yeah, so I'm Connor Tumbleson. I'm just kind of an engineer here in Tampa, kind of really gone up the steps over the years. I think I'm our director of engineering now, so I kind of just really do a lot of tech stuff.
The main thing to know about Connor is he spent years in the tech industry. He's a great programmer, which has led him to become a director of engineering. And he's content in his current role. He's definitely not job-seeking. However, his resume is pretty nice, and he's got a whole list of skills under his belt, and he has a great GitHub.
GitHub is a place where people go to share programming code they made, and Connor has wrote a lot of code. So Connor has published a lot of this code to GitHub for other people to see. If you go there, you can see what code he's been writing since 2011. In fact, he's posted new code 51,000 times over the last 12 years. And what's interesting about GitHub is
is you can go back through those years and see every line of code that he shared and what date he shared it. Okay, September 14th, 2022, you get an email.
Yeah, I mean, it's crazy. I'm sitting at lunch, you know, and your phone goes off and I get just one of those weird subject titles that I think is just an easily deletable one. I think it word for word was something like, Connor, your identity is stolen.
It does have a spammy taste to it, doesn't it? I think I've probably gotten spam like this before. You know, click here to see if my identity is stolen.
And I was just like, yeah, this is probably spam because it came from kind of an address I didn't recognize. It looked like a bunch of kind of foreign characters I didn't recognize. And I was like, oh, yeah, this is this is a delete. But then before I deleted, I saw it in an attachment. I was like, OK, I'm on my phone.
This is, I think, probably an easy preview, especially since it was kind of a suspect email. But thankfully, I could just preview it and I previewed it and it was like my resume, but it wasn't. I was like, this is really odd.
The e-mail was from a guy named Andrew. Andrew is also a programmer, but he's just starting out in college and has only posted a little bit to GitHub, Andrew said someone found him and messaged him on GitHub and offered him a job. But when Andrew asked more questions about the job, he was told he had to act like Connor to get the job.
I kind of just quickly ate my lunch, you know, and kind of ran back to my computer and just jumped on to view it, you know, in Gmail. And at that point when I expanded it for real, I saw it was way more than like my resume. It was like an introduction of me from like a, I was really rough reading it from very first inspection because it was like someone trying to pretend they were me.
Because not only was the email just clearly wrong, but the address was like an address that was for sale on Zillow kind of right around where I live. Then it was my resume. Then it was like information about a company. And then it was information of like a fake cover letter I wrote. And at this point, I'm thinking, holy cow, what is going on here?
Because now I think this is actually legitimate because there's someone that's put a great deal of effort into taking a lot of my true, you know, like earned achievements, whatever, school, everything, but then mixed it with a bunch of things that are lies, which I think, funny enough, boosted my resume in a way. But, yeah, they weren't true.
It was just a mixture of lies and truth in a huge document.
Okay, wow. They took Connor's real resume, but changed just a few things, like the email address, physical address, and a few other accomplishments. But all this sounds really spooky. I mean, to get an email from someone explaining all this?
The person sending the email could be trying to help, or they could be trying to scam Connor into paying them to scrub this information off of some website or something? What was the real intention of this Andrew guy who emailed him?
Yeah, so it was weird. He was telling me that there was this guy, Maris, and it's just a guy that was hiring him to be an engineer. And I was like, OK, what does that have to do with me? And then he says, like, you know, in the next sentence in the email, he's like, it turns out I was supposed to pretend to be you and I didn't feel comfortable with it and sent me the doc.
So I read that, I read the doc, and I'm still thinking, this is weird. Because as you just mentioned, like, I'm getting suspicious that the guy just wants me to sign into something, buy something. So I just sent a quick response. And I said, so to get this right, you were hired at a company and then paid to pretend to be me for an interview.
And he responds and goes, yeah, I'm about to go to class. But here's a few log snippets of just a Slack channel.
It seems like this guy Andrew is responding to questions Connor has, but is equally as confused as Connor is about this. I mean, imagine someone messages you on GitHub, offers you some paid work, and when you say, yeah, that sounds great, then they ask you to pretend to be someone else?
So Andrew was sending more information over to Connor, screenshots of Slack chat that he had with this Maris person.
And at this point, I'm actually just getting attached to this, because in the screenshot he sends me, he's talking about... the interview that's supposed to be in like a few hours time that I'm looking at of me that he is like, you know, no longer attending. And this is crazy because I'm also talking to a coworker next to me at this point. Like, should I join this interview? What is going on?
Like, I feel like someone is pretending to be me in an interview later today. And that is kind of crazy to think about.
Oh, right. This is an online video interview, and it's all set up where the company is expecting Connor to join and be interviewed. And it was in a few hours. This just gets wilder and wilder. Connor starts wondering if he should join the interview.
And just to see what's going on, at the least he can inform this other company that they shouldn't hire him because he's not actually applying for the job. And that's going to be awkward to explain to them for sure. All the while, Connor is trying to figure out why they took his resume to copy. What was it about Connor that made his resume special?
Yeah, and I think that's what really kind of really sketched me out or made me feel a bit uneasy. Because at the end of the day, I thought, why not just make some AI generator random document if you're trying to go out there and get jobs? Connor still feels like he needs more details from Andrew. Something just isn't adding up still. I'm trying to actually email him a lot.
I'm saying like, hey, I need more info here. I dug deeper into this and it's more creepy than I thought. And I was like... Hey, what more can you give me? Can you give me all your email communications? Can you tell me more? And he was like, sorry, I'm going to class. And I was like, oh, so the person that's helping me through this is like no longer available. How did Andrew get involved in this?
He mentioned that he kind of just got cold emailed, like just a random email, presumably from his GitHub, where someone reached out and said they were looking for a partner to join him and needed a bit of development experience. And this was a guy that was kind of a fresh developer right out of school that was looking for a kind of place to work, and it seemed like a great chance.
So I think he continued moving forward with his employment. As they said, they needed a good English-speaking engineer. And he fit all those boxes. Andrew ends up joining this company. They get invited to a Slack channel. And the same day he joins a Slack channel, roughly a few hours later, he ends up getting just a bunch of messages.
Now, when Andrew joined this Slack chat, he was greeted by someone just named PND. This PND person, his acronym, ends up posting to Andrew and says, hey, you're going to pretend to be this person. And it's a link to that document that he ends up linking or kind of sharing to me.
And that's when Andrew realizes, I don't really want to be part of this because Connor looks like a kind of English-speaking engineer. Why am I pretending to be him? And Maris, I mean, Maris or the PND, we don't really know who this person is, says, yeah, Connor's not our engineer. Is that going to be a problem for you? And he says, yeah, that violates his ethical kind of behavior.
And Andrew just ends up leaving and taking a bunch of information with him. So I'm thinking to Andrew, this guy's amazing. Just leaked a bunch of information to me from this whole thing. And I guess lost a job in the process. Probably not the best job, but for someone looking for work, I guess a job was a job.
Hmm, I wonder how big of a decision this was for Andrew. A college kid looking for work, finding a job that pays, but having to turn it down because it violates his ethics? I bet there are quite a lot of college kids that would be up for it, you know?
And I wonder if this is a tactic, that this Marist person or P&D person targets college kids because they need the experience and work and are more willing to take non-ethical jobs? I don't know. Anyway, for Connor to get an email like this, it absolutely derailed his ability to concentrate on anything at work that day. I mean, he had to go to an interview that he did not set up.
And how do you even prepare for something like that? Actually, it doesn't matter, since there just wasn't much time to prepare for it anyway.
Yep, exactly. So I think I opened it around noon, and the interview was at 4 or 4.30. So it was a pretty quick turnaround on all this.
Andrew sent Connor all the information to join the interview.
And it, of course, had the Zoom link and the time and the company and the meeting. And I was like, oh, this is crazy. I'm going to use this for sure. So then I join it. But I actually joined the interview about five minutes before it starts. And I'm just kind of sitting in a Zoom channel. You know, it's the Zoom waiting room. I can't really talk to anyone yet. I'm stuck there.
And my fear is I'm sitting in this meeting and someone isn't enjoying before me like another person. And then I'm stuck in kind of a debate. But thankfully, the interviewer, he shows up early and adds me. And we both jump on video, kind of sitting in the same spot I am now.
And I say, hey, before we jump into interviews, you're not going to believe anything I'm going to tell you, so I'm going to go really quick. And I just proceed to tell this guy, and I think I just spew it out as quick as I can, of saying, like, I didn't apply for this job, but I am indeed the person that you have all the documentation for. And he starts getting really confused here, trying to not
him. And I'm trying to explain, no, this is legitimate. I'm the real Connor, but I did not apply for this job. And he starts joking with me, well, your resume is really good. We were hoping this was a real interview. And while we're talking, I'm trying to explain what happened from my perspective, that I got an email. I'm asking him, can you share from your perspective who applied for the job?
And while we're talking about this, because he lets me know that it was on Upwork, that my fake self applied for the job. Then he tells me that there's another Connor Tumbleson in the waiting room. And at this point, I'm kind of freaking out a bit because now another fake Connor has decided to join the call and he's trapped in the meeting room.
And this interview guy, he goes, hey, why don't you change your name, turn off your camera and just sit in this call? And I was like, holy cow, that is amazing. It was your idea. I love it. I want to sit here and figure out what's going on. So I change my name, you know, I turn off my Zoom camera and I'm sitting in the call when he admits another Connor Tumbleson.
And this is where the story goes even crazier is I then sit in a call and listen to a guy with kind of this accent that I can't place. I think I can safely say it's probably not American, but I don't know where. And this guy then proceeds to say that he's Connor Tumbleson.
And not only that, he starts reading off all my accomplishes, even says his GitHub address, which is odd because I haven't changed my alias online alias in like 20 years. So Ibotpeaches everywhere is me. So to hear someone say that, it was just extremely upsetting. And I'm just sitting in this call, listening to this guy proceed to just list things.
I can tell he's reading the sheet word for word that I'm looking at.
Man, I can't even imagine being in this scenario. Listening in on an interview with someone else pretending to be you? Trying to get this job? What? All the time fake Connor is speaking, the real Connor is muted, listening. How does he respond to all this? How would you respond to this situation?
If I were him, I'd be freaking out, wondering if I'm being pranked and wanting to know who this guy is that's pretending to be me. And who put him up to this?
Yep, definitely that. And I'm talking to some co-workers at the same time during this because we're just all sitting around because they're all at this point involved in the story. And I couldn't stay on mute any longer. It was just really, really rough. I thought I could sit there and just listen to information. But I turned my camera on and kind of just started talking.
And I said, hey, I'm the real Connor Tumbleson. So who are you? And I didn't get, I think, more than five, 10 words out of my mouth. And he just dropped the call. which was pretty sad because I really wanted to figure out if we could have just a candid conversation of why this was happening. But he left the call immediately. What was going through your mind after that interview?
Just the fact that another Conor joined the call, a fake me, I was so confused because I was under the impression initially that this guy I was talking to, Andrew, had ended up joining the call and going forward with this. And I was like, why would he do that? He just leaked it all to me. I couldn't really figure out in my head how there was actually someone joining the call.
So this P&D person set up this interview and asked Andrew to join it and pretend to be Conor. Andrew said no for ethical reasons, but then someone else pretending to be Connor did join the call. Who was that person?
Yeah, exactly. So at that point, I'm talking to the interviewer again because the other Connor has left the call. I was like, hey, do you mind just sending me everything you have? I was asking for who applied, how did he apply, etc. This guy goes, yeah, sure. Can I have your e-mail address? I was like, hey, just take the e-mail they gave you and take the two off the end of it.
it was such an embarrassingly copied email. It was just my email with a number two at the end. So sure enough, this company, they then email me and it's just screenshots of Upwork. And it's, this is where I got way more creeped out is it was a fake Upwork of me. And once again, it was a highly detailed resumes accomplishments.
They even had like a random Laravel certification I got from a few years ago. And I didn't even put that on anywhere except in a tweet. So I was like, This is a crazy amount of detail that someone went to to make a real truthful, but also exaggerated in a lot of regards, Upwork account of me.
Stay with us. There's more after the break. This episode is sponsored by Arctic Wolf. Arctic Wolf, an industry leader in managed security operations, surveyed a thousand security and IT professionals across the globe to better understand them. What are their top priorities, current challenges, and future concerns?
This survey revealed some startling findings, and you can discover them all in the State of Cybersecurity 2024 Trends Report. Learn why the number of insider threats spikes severely, what lessons can be learned from the year-over-year change, and how many organizations disclose a breach. and what cyber attacks struck 70% of organizations.
Download the State of Cybersecurity 2024 Trends Report today at arcticwolf.com forward slash darknet. That's arcticwolf.com forward slash darknet. Okay, so let's recap. Someone made an Upwork profile using Connor's resume and information, and they were using that fake profile to apply for real jobs, then getting someone else to act like Connor for the job.
Then that person would sit in an interview and pretend to be Connor. Yeah, so Upwork is a place that freelancers can go to look for jobs. Anything from design to IT or legal professionals, freelancers will make an account saying what skills they have and that they're available to work on these projects.
And either someone messages the freelancer about a job or a job gets posted on Upwork and freelancers can apply for it. Someone made an Upwork account using Connor's details, some real, some fake, and applied for jobs saying, look how great my profile is. I want to come work for you.
Yeah. And I think I honestly had never really used Upwork or, you know, only slightly heard of it myself at the time. So I was also Googling, what is this thing? And yeah, just as you described, it seemed like It was just an ad hoc applying to a job as an individual using my fake information.
So at this point, now that I have screenshots of my fake Upwork account, including my real photo that was like a recent work photo, I was like, okay, this is getting really crazy now. I thanked the interviewer for really letting me sit on the call. I said, thanks for this info and took all that info and then wrote another large email to Andrew where I honestly asked him, was that you on the call?
Because I really had no idea what was going on at this point because I couldn't really figure out how a third Connor joined the call. And Andrew, after he gets back from class, actually responds and he gives me a ton of information. He not only sends me every email that he, you know, went back and forth with this Marist person to like establish this fake employment.
But he also sends me screenshots of all these Slack channels where he only joined that day as, you know, part of joining this kind of paid work thing. So now I basically have Upwork screenshots, Slack screenshots, and email screenshots.
And as Connor looked through the information Andrew sent over, he realized that some of the people communicating to Andrew also seem to be impersonators. Like Maris, for instance, was a real person with a nice GitHub and stuff, but it was probably not the real Maris who was messaging Andrew.
It's like a never-ending circle of just bouncing between fake emails. And that's where it just gets crazy. I'm trying to follow this weirdness of I can't trust anything. Everyone's fake. The person Andrew is talking to is not even Maris because Maris is just another impersonated individual. So I'm just really losing track of who's real or not.
A lot of these trails seem to come back to the person in the Slack chat app calling themselves PND. PND is who told Andrew to impersonate Connor for the job. And he's also telling everybody what to do in this chat room. PND might also be Maris. I don't know. But it seems that PND has a website called PND Design, which offers coding and web design services.
And this gives Connor a new thread to pull on.
P&D, I find their website because they just explained it in their Slack channel, a P&D design. I just start, you know, doing basic things, trying to figure out other websites P&D design built. I'm just trying to figure out who owns P&D design. I end up finding the person who owns it. I call them once or twice. No one ever picks up. I email them. No one ever responds. I don't know what to do.
I just wanted to talk to someone who was associated with P&D design and they just never respond to any of my reaching out. I don't remember if I put it in the blog post, but I called a lot of the numbers that were in the document that Andrew got from P&D. And those numbers were like these American embassies in foreign countries. I was like, this is crazy.
I was like, I don't even mean to call these numbers. And here I am thinking it's some official number for a business, and I'm calling embassies.
It was just, it was strange. Giving a fake phone number. I love it. It reminds me of this scene from the classic movie, The Blues Brothers.
Those cops took your license away. They got your name, your address. No, they don't got my address. I falsified my renewal. Put down 1060 West Addison. 1060 West Addison? It's Jiggly Field.
A good criminal will always throw people off with what looks like real information but is actually something bogus.
Yeah, and I think at the same time, I'm trying to behind all the websites that P&D Design built, and they had this weird obsession about disabling right-click. It seems like such an old technique to stop your right click. And I'm just like finding all these sites. And I think that they're in the hundreds of just all these sites disable right click.
They have the same Google Analytics ID and they have this weird footer where it's like, hey, we created it P&D design. But guess what? Our CEOs by CEO crunches and our ITs by IT tech fixes. And the design was via visible dev. And all these companies are P&D basically. Yeah.
That's hilarious. A web design company boasting about how they can create great looking websites, but they didn't even create their own website. The footer says it was made by someone else. Connor wasn't sure what was happening, but thought that maybe companies were hiring an individual to build their sites who then would turn the project over to P&D Design to do the actual work.
But he doesn't know. It was just so frustrating to have all these puzzle pieces and have no idea what the finished picture looks like. But Connor does the only thing he can, but just start emailing companies who P&D claimed to have worked with.
He would write emails saying, Hey, this is going to sound extremely strange, but... I feel like I'm getting my identity something impersonate. I don't know how to explain it. But can you answer a simple question? Did a company PND design build your website? I thought it was a pretty simple ask.
Unfortunately, you know, some people told me some very just rough things like to just mind my own business, ignored me or refused to help me. Except for one guy that I think after I talked a few emails back and forth, understood I was a real person and then finally told me, yes, we had never worked with this company before.
So at this point, I'm realizing that I don't think I can trust a single thing that is going on in this Slack channel, in this email chain. And the story just continues to grow in these weird angles.
Things are just so weird at this point. Was the P&D person in the Slack channel actually affiliated with P&D Design, or were they just impersonating that company too? So many layers of fakeness going on here and impersonations that it's just really hard to know what's real and who to trust here.
So at this point, I felt like I had done a good deal of research. I'd kind of tracked down who I thought was involved, what was going on, all thanks to Andrew kind of leaking this information to me and I think, holy cow, I have a lot of information to finish my blog post and make a presentation.
Connor has tried to reach out to so many people involved, but then realized, hey, wait, why not reach out to Connor? Not the real Connor, but the fake Connor, the one who was impersonating him. So he writes to it. Why are you impersonating me?
I'm emailing myself my fake email. Sure enough, the email account of my fake self responds and just tells me, I don't remember exactly, but I think they said I look cute or something, which I think is the strangest thing, because I'm fuming kind of at this point of why someone's using my real name and everything, and they're just joking around.
Of course, I add that screenshot to the blog post, and I think that's what a lot of folks on Reddit and Twitter all like the most, is just that random screenshot of me emailing myself.
The full response he got back from the fake Connor was, sorry, but you have a great GitHub and you look cute. Of course, Connor's first reaction is anger. But perhaps there's a bit of information in there that's helpful.
Because then I finished that blog post. And I think that's where the story gets even stranger. Because that blog post just skyrockets to the top of Hacker News within, I think, an hour of me posting it. And my poor little Linode server falls over because it's never had more than like 1,000 hits and it's getting 20,000 at it.
What I didn't really recognize with getting to the top of Hacker News is how many people just offered to join your kind of investigation and search. And then I have people everywhere just DMing me, messaging me of other similar emails and similar kind of slacks and messages, but different names.
And I was like, this is a huge story because people are giving me personal examples where they were like an interviewer. Someone was like, I jumped on a call with someone because they wanted to talk through it. And this one guy at a random company was like, we were talking to an interviewee.
who didn't know anything of why he was on the call or who he was talking to, he was asking us questions of why he was there. I was thinking that's crazy because that rings a bell. If you don't know anything of why you're joining a call except given a document a couple minutes before you're supposed to be there, I could see that happening. Then people
are telling me, oh, I live kind of by where P&D Design is, their headquarters. And they're like, we'll go visit the office for you. And I was like, well, thanks. And it starts piecing together some things.
So Connor starts learning all kinds of new things about this mystery from the help of people on the internet. It turns out there's a story that Brian Krebs wrote a while ago, which talks about faked LinkedIn profiles.
I then get a link to Brian Krebs of just all of his investigative research. And someone links me to one of his articles where he was like investigating all these fake LinkedIn profiles of like the upwards of 100, 200,000 of them. I'm thinking this is insane. There's people – all these fake profiles on LinkedIn. I know they're on Upwork." I was like, the story is huge.
I just unfortunately was one person that's a bit more connected than I think of others that may have no idea their information was harvested to make a real looking profile to then use to get a job from.
So this article is interesting. LinkedIn is where people go to look for jobs and network and do hiring. But there's a huge amount of fake profiles being created every day. These profiles are real tricky, though, because they're like half AI generated and half real. And they take some real information from certain LinkedIn accounts, but then change a few things on it.
And these fake accounts start creating connections and joining groups. And then the fake accounts start applying for jobs. Real jobs. And it's a real pain in the neck for LinkedIn to try to figure out who's real and who's fake on here.
And the comments on this article are just filled with people saying how they've had a bunch of fake people apply for jobs at where they work, and recruiters have to do this extra step at verifying people's actual identity. Which makes me think, how exactly can someone actually get a job using someone else's name?
In the US, you have to fill out tax documents and stuff that if you work there, you can't forge this stuff. Where are the paychecks going to be sent to?
Yeah. I mean, it has to get crazy because at that point you're thinking, let's say that goes successfully and you end up hiring a fake me. We can tell from the Slack conversations,
that had Andrew successfully done this interview, he doesn't need any technical experience at this point because they say all technical requirements should just be gathered and given back to the Slack channel, where presumably a lot of engineers are waiting to do whatever task is requested.
So then I'm thinking at this point, you are basically becoming maybe a project owner, manager, or someone to just manage kind of engineers behind you, but you're just the front-facing English-speaking person. And I think that's a kind of motto in business design that happens and works everywhere. So I'm thinking, why is this happening in a more kind of more malicious intent way of – hiding that.
And I'm thinking maybe this is some Upwork thing where it's easier to hire an individual that's maybe masquerading as a company behind it. And I'm getting confused because I'm thinking, how are you getting paid? What is kind of, you know, the legal, what social numbers, like social security numbers are getting used? Like this is just employment at the end of the day.
I don't think you can hide it or
pay by bitcoin forever there has to be something or some real names come out and then when i'm this blog post is out there and more and more people are reporting this i'm thinking this must be working because so many people are telling me that they're finding like cold emails to them to be part of it or it's happened to them or they've interviewed people they suggest like guess it happened to
There was a time where I was trying to find someone on one of these freelance websites to make a video game for me. And they claimed to be American with great coding skills. But then when I asked for a phone call, the story quickly changed to be a person from India. And it was also not a single person, but a whole team of people ready to work on my project.
So what Connor said may be what's going on here. Get Andrew to be the token American English speaker. and then they can advertise themselves as American-based to ask for a higher rate.
Sometimes people are hesitant to join with another company or work with them versus doing a quick contract job with a single individual. But what if you're like working with a single individual who's kind of hiding behind a company just without your knowledge?
And I think that is maybe what's kind of an attraction on Upwork is you get these individuals kind of even fake me profiles that come in at really low offers of working and say, I'm a single individual. I can do all these tasks with a really great resume. But little do you know if you hire that individual.
that you might have an entire dead team behind you that you just never meet, know, or interact with. And I think that's my current running theory.
Okay, but back to the email the fake Connor sent the real Connor. It said, you have a great GitHub and you look cute. Okay, let's put aside that look cute part. The great GitHub is the curious point for me. Like I said, Connor has contributed code 51,000 times to GitHub in the last 12 years. That, I think, is what is great about it. That alone.
What I mean is you can't go back in time on GitHub and post code. That is, you can't create an account that looks like the person has been there for 12 years and has all this coding experience unless you're spending 12 years posting code on GitHub.
So the fact that Connor has been posting code there for 12 years does, in fact, make him look like a well-established veteran coder who knows his stuff. And that goes a long way with job recruiters.
I think probably on GitHub, it's probably definitely harder to make fake ones because you can just look back, I think, on my profile and see a couple of 10, 15 years of just commit history. I think you're definitely copying and pasting those. Even if you took all the repos, you're going to have a pretty empty historic graph. And... Maybe that's exactly why.
People just, it's easier just to claim one is yours and talk about it.
Yes, I think so too. That's something you can't fake easily. A longstanding reputation of pushing code to GitHub is attractive to employers. So that is exactly why I think Connor got his identity stolen. Someone, I don't know, PND, Maris, saw Connor's GitHub and liked it. And that's why they took his identity. After Connor posted this blog post, he gave a talk at a conference in Tampa.
And someone who read his blog post came up to him after the talk and told him another crazy story. He said,
I don't think I'm doing anything kind of wrong. I'm just working two jobs at once and none of the companies know. And I think, holy cow, this guy's just dumping knowledge out to me. And I was thinking, is this this whole employment remote is crazy.
I stumbled upon this same stuff, too. I recently found a subreddit called r slash overemployed. And it's all about people who are gaming the whole work from home thing, having two full time jobs at the same time. That is, they go to work from nine to five, but are working at two different places at the same time.
And neither company knows they're actually spending half the time at some other company. And yeah, there's articles on this r slash overemployed subreddit that tell you things like how to look productive when you're not at your keyboard and stuff. like having mouse jigglers move your mouse around for you, or how to automate some of the tasks to look productive.
They also have listings of which companies are over-employed friendly. One of the top posts there is someone saying they now work five jobs, bringing in a total of $1.2 million a year, and here's how I did it, ask me anything. And while that's crazy, this gives me all kinds of business ideas.
Like, let's say I get a job working remotely somewhere, but then outsource my job to someone else who wants to do it for half the pay. And yeah, if I could do that, then why not get another job and outsource that to someone else? And so now I've got all these jobs that I'm doing work for, but I'm actually not doing the work for them. Someone else is doing it for me.
I mean, that is clearly unethical, but I guarantee with the wave of working from home jobs out there, That is happening. Oh, and let's not forget what happened to John Woo. I talked with him on Episode 119, and he thinks that someone from North Korea tried applying for a job where he works, who could have very well been trying to get a job there just to steal the cryptocurrency from their company.
Yeah, that's a crazy one too. I think one person tweeted me that one of maybe it's just a state-sponsored unlimited budget, just see how many companies you can join and then extract information.
So did you ever get to like speak with PND or Maris or whoever and say, dude, what is going on here?
No, unfortunately neither. I had sent many emails to Maris, the real Maris email, and never got a response. And I just gave up calling, leaving voicemails with PND. I sent LinkedIn messages. I sent more. I kind of even worded things as I just want to have a good conversation, but just no response.
Is that where we are today?
Yeah. Today, I think where I am now is I continue to just research things people give me and just go through this entirely large list of, I'd say, roughly 100 websites. I'm just continuing to reach out and find contact information for all of them to just see if anyone is willing to talk to me on who built their website, how's the interaction.
and all the communication between them and the company to kind of figure out if I can find any more information besides what I continue to find is just fake emails, generic documents, and any lack of just true, real information. Because I think someone paid someone at some point and knows some real, real info.
What a weird time it's becoming, isn't it? I mean, this is just the modern world that we're in now, where working from home is more popular than ever, and it seems to be ushering a whole new set of scams. Or are they even scams? I guess if you're misrepresenting yourself, then it is a scam.
Even if you're not trying to trick someone to give you money for nothing, just lying to score a contract seems scammy to me. I think if you're hiring today, you should be very cautious of the people who are applying for your position because they might not be real.
And if they are claiming to be someone, maybe double check with the person that they're claiming to be by reaching out to them separately. Just be safe out there as our world keeps evolving and becomes more tricky to navigate. A big thank you to the real Conor Tumbleson for coming on the show and telling us this crazy story. You can see what he's blogging about over at conortumbleson.com.
And don't forget, on the website, darknetdiaries.com, is a link to all the articles mentioned in these episodes, as well as full transcripts of every episode. This show is made by me, the cyber samurai, Jack Recider. This episode was written and produced and edited by the cheerful Tristan Ledger. Sound design was done by Garrett Tiedemann. Mixing by Proximity Sound.
And our theme music is by the mysterious Brickmaster Cylinder. I was once asked in an interview if I'm any good at Microsoft Office. And I told them, I excel at it. And the interviewer asked me, was that an Office pun? And I said, word. This is Darknet Diaries.