Ever wondered how far a fan would go to get a sneak peek of their favorite artist’s unreleased tracks? In this episode, we uncover the audacious story of some teens bent on getting their hands on the newest dubstep music before anyone else.

Sponsors

Support for this show comes from Varonis. Do you wonder what your company’s ransomware blast radius is? Varonis does a free cyber resilience assessment that tells you how many important files a compromised user could steal, whether anything would beep if they did, and a whole lot more. They actually do all the work – show you where your data is too open, if anyone is using it, and what you can lock down before attackers get inside. They also can detect behavior that looks like ransomware and stop it automatically. To learn more visit www.varonis.com/darknet.

Support for this show comes from Axonius. The Axonius solution correlates asset data from your existing IT and security solutions to provide an always up-to-date inventory of all devices, users, cloud instances, and SaaS apps, so you can easily identify coverage gaps and automate response actions. Axonius gives IT and security teams the confidence to control complexity by mitigating threats, navigating risk, decreasing incidents, and informing business-level strategy — all while eliminating manual, repetitive tasks. Visit axonius.com/darknet to learn more and try it free.

Support for this show comes from ThreatLocker®. ThreatLocker® is a Zero Trust Endpoint Protection Platform that strengthens your infrastructure from the ground up. With ThreatLocker® Allowlisting and Ringfencing™, you gain a more secure approach to blocking exploits of known and unknown vulnerabilities. ThreatLocker® provides Zero Trust control at the kernel level that enables you to allow everything you need and block everything else, including ransomware! Learn more at www.threatlocker.com.
I was just reading up on these Beatles superfans called Apple Scruffs. They weren't the crazy fans you see screaming their heads off, trying to grab at the Beatles any chance they could. No, the Apple Scruffs thought that was lame. They liked the Beatles so much that they dedicated years of their life to trying to support the Beatles. They were like, look, the Beatles are important.
How do we make their lives better? So they spent tons of time figuring out the exact location of where the Beatles would be every day and then go there to try to help, often holding back Beatlemania crowds or offering flowers or food or to run errands. And over time, they would get to know the Beatles.
There are some stories of them even sneaking into places to act as staff in order to help them even more. George Harrison would later write a song called Apple Scruffs, where he said he loves them. I'm astonished to see what incredible lengths that some music fans go to.
They'll cross continents just for a fleeting moment with their idols or endure relentless weather or camp out for days showing a level of devotion that defies logic. The risks and sacrifices that some fans make is truly remarkable. These are true stories from the dark side of the internet. I'm Jack Rhysider. This is Darknet Diaries. This episode is sponsored by Mint Mobile.
With big wireless providers, what you see is what you get. Somewhere between the store and your first month's bill, the price you thought you were paying magically skyrockets. With Mint Mobile, you'll never have to worry about gotchas ever again. When Mint Mobile says $15 a month when you purchase a three month plan, they mean it.
All plans come with high-speed data, unlimited talk and text, and you can use your own phone with any Mint Mobile plan and bring your phone number along with your existing contacts. To get this new customer offer with your new three-month premium wireless plan for just $15 a month, go to mintmobile.com. That's mintmobile.com slash darknet.
Cut your wireless bill to $15 a month at mintmobile.com slash darknet. $45 upfront payment required, equivalent to $15 a month. New customers on first three-month plan only. Speed slower above 40 gigabytes on unlimited plan. Additional taxes, fees, and restrictions apply. See Mint Mobile for details. Support for this episode comes from Delete Me. Feels like a war out there.
Companies all over trying to scrape and store all kinds of personal data about me. My phone number, address, family members, where I work, sexual orientation, club affiliations, income level, what kind of car I drive. It's just endless. And every now and then I Google myself and just get freaked out about the amount of data there is about me out there. This is why I use Delete Me.
I registered there and told them what to look for about me. They were able to discover what sites have data on me and took steps to get that information removed for me. That's my favorite part. It's like getting help in this war. Their scouts know exactly where to look and they'll tell me what they found about me.
And if they can't remove it themselves, they'll give me recommendations on how to get it removed or mitigate it. Take control of your data and keep your private life private by signing up for Delete Me. Now at a special discount for Darknet Diaries listeners. Today, get 20% off your Delete Me plan when you go to joindeleteme.com slash darknetdiaries and use promo code DD20 at checkout.
The only way to get 20% off is to go to joindeleteme.com slash darknetdiaries and enter code DD20 at checkout. That's joindeleteme.com slash darknetdiaries, code DD20.
Okay, are we ready to get started? Yeah, that's fine. But could you use the name for me? Could you use Professor Dubstep? Professor Dubstep. I like that.
Yeah, that's fine. So, Professor Dubstep. Where does this start?
The story? Well, picture this. Kind of early 2014, I was 13, sitting there, working on my Minecraft server. It was breaking all the time. The host was terrible. Staff were fighting, and I kind of just wanted to do something else. Knife Party, which is a musical act, had a new album coming out in 2014, and it was delayed, it was taking ages.
Professor Dubstep was into this band, Knife Party, and wanted to hear their new album, and saw Knife Party was interviewed on a podcast, and wondered if there was any mention of the new album in the interview. And there was! Not only did they talk about it, but Knife Party actually played a snippet from the new album! Whoa! Cool! Professor Dubstep is actually into making Dubstep music themself.
So this wasn't so hard for them to just download the podcast and grab that song out of it and listen to it on its own.
I was like, well, this is kind of good. I'll chop this together a little bit and I'll upload it to SoundCloud so that other fans can hear it, you know, and enjoy it as well. I put it up there. I didn't expect it to get, you know, much popularity. But a few hours go by, I go back to working on my server.
And then I check my SoundCloud after a couple of hours and the plays are just racking up, like 10,000, 20,000. And I open Twitter and Twitter is blowing up too. The EDM, the Electronic Dance Music news blogs have posted about it and said, oh, the track's been uploaded to SoundCloud early and it's a leak, blah, blah, blah.
Which, it wasn't. Professor Dubstep didn't care to correct anyone, though. They just watched the madness unfold silently. But because people thought it was an early leak, they started sending them some private messages.
So, checking in my SoundCloud messages and... I saw I had a message from DinoJella. He was saying that I had some cool, well, he thought that I had some cool music, some cool unreleased things. And I had another message from Spintire, who was basically just asking to add me on Skype and talk some more. So I took this opportunity and I'm like, well, we'll see what he wants.
So he adds me up and he says, oh, so how are you getting these things? And I explain, I say, well, you know, I don't actually have anything. It's just kind of blown into something that it wasn't.
but that I do like to look around and see if there's hidden things that are kind of not really supposed to be in the main public view, but are made public accidentally, and things like that, or things that appear early. And he said that he likes to do the same sort of thing, looking and trying to find open directories on servers and things, and accidentally public info.
So we kind of connected, and we had a chat about that, and we were talking about that for hours.
Ah, yeah, there's a ton of stuff on the internet that shouldn't be there. I'm very aware of the site Shodan, which scours the internet looking for private stuff accidentally exposed publicly, like being able to view surveillance cameras, license plate readers, servers with default passwords, and entire databases that are just open.
But that site is mostly exposing cybersecurity flaws on websites. It's not really a place to go find unreleased music. We're trying to solve a different problem here. Maybe Google-dorking can help. I know I've found quite a bit of music this way.
You could search Google for any music files with the band name in the file name, and Google will happily show you tons of music that you can easily download. And sometimes you can find things that probably shouldn't be public. So they're going over these strategies in chat, different ways to find music online. But the conversation just kept going.
They're sharing more secret ways to discover things. One of them starts talking about the website Bitly, which is a URL shortener.
It just allows you to shorten links. But they had a glaring flaw in their system where if you add a plus to the end of any shortened link that was made while logged into an account, and you could click on the public user profile of these accounts and see everything that they'd ever shortened using the service.
And many of the links that we were looking at, music-related, would always be made by a management account, for example. And they would share internal things on the link shortener as well, and we would be able to just see those and download them.
So one thing music production companies or dubstep managers do is promote the hell out of the musicians that are under them. So together, Professor Dubstep and Spintire go on Twitter and check out these management companies. And yeah, they see managers using bit.ly links to promote some bands. For instance, they might use it to link to some promotional flyers or tour dates or new releases.
And they were using bit.ly to shorten URLs for promotions. So Professor Dubstep would use the Bitly bug to see what else this management company has used Bitly for, which gave them tons of links to go through and check out. A lot was for public consumption, but sometimes they'd find things which shouldn't be in the public. Yeah, exactly.
It would either be audio or Photoshop documents or sometimes there were internal memos like promotion plans for upcoming releases and things. And just being able to get kind of a look into the inner workings of these labels and management companies of how they function, how they put their things together and make their plans, which was really interesting.
This would give them new content to post on SoundCloud or Reddit.
On Reddit, Reddit also has direct messages. And a message came through to my inbox from a guy called Jay Brown. He added me on Skype as well. We got to talking. He was a different kind of person. He was what's known as a dubplate trader. Now, dubplates are a nickname for unreleased music. And in more modern times, that's just come to be on an MP3 file, basically.
Just an MP3 file that's not released to the general public. And there is a whole scene of trading these files in small circles. It's kind of like Pokemon cards. Less valuable cards are treated... way differently to ones that are rarer. And it's the exact same with dubplates. So this guy called Jay Brown comes to me and he says, Oh, I've got some stuff. Do you want to check out what I've got?
I've got this and that and this and that. Kind of presenting it as if he was some kind of drug dealer or something. I wasn't really interested in anything he had. There was one specific track, which was Knife Party's Suffer. And I didn't have anything that I wanted to give him because I wasn't a trader. I had my couple of things that I found on my link shorteners.
And I decided that I would try and make something out of nothing. So I took a clip of this radio recording and I kind of chopped it together into something that sounded semi-reasonable and presented it to him.
Like you were creating your own music that sounded similar or editing it in a way that...
an original source file when it actually wasn't a source file. So it's trying to make something seem real that wasn't so that he would believe it and send me the thing that he had that was real. It was quite a scheme. It was quite a scheme.
Yeah, it does introduce quite an interesting situation of like, when you're dealing with official releases, it's coming from the official channel, right? But when you're trying to get your hands on these unofficial releases, there isn't any legitimacy to it. It could be from them, it might not be from them. And you were playing into that of like...
you know what, you're not gonna know if this is from Knife Party or not, but I'll put a little clip in there from Knife Party just to kind of make you think it is, but then I'm just gonna make it up after that. Yeah, that's, that's pretty much how it went. And, um, if you were good at this, um, you know, making something sound semi-legitimate, these traders didn't really know much better. It was, it was quite easy to convince them of something and to kind of ignore what their own ears were telling them. And it worked.
This is getting wild. Not only was Professor Dubstep looking for unreleased tracks or dubplates, as they say, but they were taking popular songs and putting in changes to make it seem like a new mix by that musician. Pretty shady and deceptive. But as a teenager, it doesn't seem so bad to play around with someone else's creation and see if someone will believe you that it's original.
Well, that's the thing. It's unspeakable. You never speak of that you did an edit to it or something because it would give the whole game away. And me and Spintire kind of kept doing this between ourselves.
We thought this was quite a good idea that we would make some more fake things or edits and we could use them to float in these trading circles and kind of just drain their whole collection of rare things, without actually causing any damage ourselves to any of these releases. Because the dubplate trading scene, it does cause massive damage, no matter how big or small the artist is.
If the unreleased track gets leaked online in some way, depending if it had a release planned or not, you know, once it's leaked, it's over for that track forever. So, you know, it really, it's not something to, well, it's just not a good thing for the music scene, really.
Because they recognize that publishing unreleased tracks hurts the artists, Professor Dubstep stopped posting unreleased tracks publicly. And by the way, Professor Dubstep actually makes music himself, too.
Well, I play, I'm a multi-instrumentalist, but also I make Dubstep myself, and this is something that I was learning to do at the time. So this was a way to learn more about the music-making process. I'm interested in his unreleased music, but more to just listen to it and break down what's going on with it. Because not all of it remained unreleased.
Some of it was just early versions of things, you know, work-in-progress versions of songs that would then come out and be almost entirely different. So it was interesting to just hear the differences between them for me. Okay, can I ask you a question about Dubstep?
Mm-hmm.
I'm afraid to ask this publicly, but what's the deal with all the dolphins in dubstep? The dolphins? What do you mean? You shared with me a playlist of dubstep music. Yeah. And in there is a track called Elephant by Barely Alive. Oh, right, yeah. Okay, so... This is the song, and they think this song's about elephants, but it's clearly not. So listen to this part.
There's an elephant there, right? But right there was, that's the dolphin.
Oh, I think, yeah, I see what you mean. You hear the dolphin in there. And let me show you another. Yeah, actually, I never, I never put two and two together. That is a dolphin, isn't it? Dolphin on Wheels. Oh, that's the Dillon Francis tune, isn't it? Yeah, there's a dolphin there, clearly, right? That's the name of the song, Dolphin on Wheels. All right, so another song you sent me was Cash by Barely Alive.
Yeah, I remember that one. You hear that? Yeah. Another song you sent me. Borg by FuntCase. Bang. Bang by Wavedash. You might be onto something. You hear it there. Gem Shards by Must Die. That is a dolphin, isn't it? I have to concede on this. It is.
The dolphin is the lead singer in every dubstep song that you sent me.
It might actually be true because a lot of dubstep is kind of self-referential.
Yeah, well, I went through Skrillex's songs and this is the dolphin I found in Skrillex. That is a dolphin song.
It's been a long time since I heard that one.
Even in Skrillex.
So while I'm researching this episode, dolphin after dolphin kept showing up as the lead singer in all these songs, and it's driving me crazy. Is this a thing? So I Googled it, and no, nobody knows about this. There's no results about this. So I started formulating my own theories, and I've been dying to ask you about this. Okay, so first of all, dolphins are one of my top five favorite animals.
I love dolphins. They're so smart and amazing to watch. So for me to find a whole genre of music that has one of my favorite animals featured in it, song after song, it's gorgeous to me.
And when I hear a dolphin in a song, the biggest grin comes on my face, and I actually try to sing along with it, barking and chirping.
So I wonder if just the dubstep community loves dolphins as much as I do.
I mean, you've got a point. You've got a point. Dolphins are a very intelligent animal, so dubstep is very intelligent music, clearly.
I also wonder if there are sounds in the dolphin language that speak to us in a really profound way. Like it might express an emotion that we just don't have words for in English. But dolphins do. And they can somehow teach us more about ourselves. And dubstep artists add these sounds in because they know the power of dolphins and want to help us ascend to new heights.
Yeah, I mean, we all do come from the sea originally. So, you know, some common ancestor might have, you know, we're just going back to our roots in a way.
And the other thing I wonder is, since this is such a popular part of dubstep, if the dolphin is like a secret mascot, like if you go to EDM parties, would I see people with dolphin stickers and patches and tattoos all representing some inner group where you're like not allowed in certain parties unless you have like a dolphin tattoo or something? It's a secret society. Okay, sorry.
I refuse to believe that's a total accident. But when I Google this, nobody is talking about this, so I feel like it's some closely guarded secret. But whatever. We're moving on. So Professor Dubstep was loving all these early tracks, but only trading with a select few people.
It was kind of like a little triangle. There was me, Dino, Jay, and Spintire. And we'd sit there. It was like a four, kind of not talking to each other, but relaying between each other. And these tracks would go around in that little circle like that. Dino Driller, he was, at the time, a 14-year-old dubstep producer, same age as me. We'd just hang out on Skype now and then.
Dino Driller somehow got the attention of Excision, who was a big-time dubstep artist. Excision had quite a few big hits and was pretty popular, and saw how Dino Driller was trying to come up in the scene.
Yeah, because Excision does a lot of things to support the underground artists in the scene and help them get some exposure and things. He owns a record label that was called Rottun Recordings, which he signed a lot of up-and-coming people to actually help them get a head start. So Dino was one of these up-and-coming producers that Excision was trying to help out.
So he invited young Dino over to the house in Canada to make some new tunes. Oh, and by the way, if you're wondering if Excision uses dolphins in their music, here's a snippet from his song Asteroid.
What do these chirps mean? Okay, so Excision and Dino Driller were working together at Excision's house, making some cool music, and he was really helping Dino Driller out a lot, actually. But since Dino was also into trading unreleased tracks... He couldn't help but wonder, what unreleased stuff does Excision have? And being right there in his house made him very curious.
One day, Excision invited Dino Driller to come over and work on some music while he's at the gym. This meant Dino Driller was going to be there alone. So he gets on Skype to tell Professor Dubstep and Spintire the plan.
When Dino goes to Excision's house, Dino will go and dig through all the old hard drives and things and search for some unreleased or work-in-progress goodies and things from people in the scene.
No, so Dino had a nefarious plan for visiting Excision's house?
Yeah.
Oh my gosh. So Excision wasn't around and trusted. This is betrayal at this point. He trusted Dino to come on in when I'm not around. It's cool. You're a musician. I like your stuff. We're hanging out. We're friends. Yeah. And now Dino's like, it's working as planned. I've got full access to your stuff.
That's exactly it. I'm going to grab some hard drives. We were sitting there on Skype like, oh, look for this and that and this and that. Sending him file names like, look if there's this thing and this clicks thing and blah, blah, blah. Meanwhile, Excision was out at the gym. We'd just be sitting there like, hey, get this, get that. Eventually, Dino ran out of old hard drives to comb.
So we're like, well, there's stuff missing from here that should be there. So the final location that was searched was Excision's actual sock drawer for CDs and USB drives. And what did he find in Excision's sock drawer? Old CDs with the things on that we were looking for. I'm not kidding. There was a demo from Skrillex called Dimbo, which was a demo of one of his biggest songs, Kyoto.
And there was just all kinds of things on there, just work-in-progress things that had never come out, that no one had ever heard before.
Mostly made by Excision.
Well, there was some Excision, there was some Skrillex... There was some Knife Party, some Noisia, all kinds of things that these communities had been looking for for years and begging for. It was right there on these CDs in the sock drawer. And they were now being sent to us on Skype.
Dino was pretty careful to just copy everything right there in the house and put it all back exactly where it was so Excision wouldn't know anything got taken. And then he passed it around.
Yeah, shares it with me and Spintire and we just listened to it together like, oh, this is amazing. This is really interesting stuff. That's kind of unbelievable. And I thought that would be the end of it. But no. After a week or so, literally just a week, some of these things started to leak onto Reddit. Dino was trying to blame me for it and saying, oh, well, you must have traded this.
and telling everyone that I was trading it and leaking it and this and that. And I nearly got the blame pinned on me for it. I nearly did. But the way that I found him out was that some of the things that leaked were things that I was never sent. So it must have meant that he'd traded two batches of things that were slightly different.
One to me, and other batches to whoever else, which contained different files. So I caught him out, and I managed to spin it back around and say, no, I can prove that it was you, that this is the reason for these leaks. So Dino leaked it and blamed it on you. Yeah, well, he didn't leak it. He sent it to the traders, like Jay Brown.
Mm-hmm.
The traders like this idea of providing the public this stuff. It gives them a thrill. They're like, oh, look at that. I'm getting a lot of upvotes, getting a lot of downloads, making some waves, got an article written about it. This is going great. That's what they thrive on, right?
It's more that the traders themselves thrive on them.
Just have the status of having these rare things, so they can go to, can go to people and say, oh, I've got this and that, and I want, I want that and this, and they can trade them for that. And then eventually it just, everyone goes in the loop and carries on doing that between each other until eventually someone posts it online. Then once it's posted, that song is burned in the trading community. It's no longer a rare item to have.
Christmas 2015, there was an event called Leakmas, where hundreds of things got leaked onto xTrill, onto Reddit. All of the things that Dino had taken from Excision's house, all of them leaked. There wasn't one single thing that didn't get leaked. And it was all just because it was being traded like crazy. Did Excision ever figure out that Dino did this? No, to this day, he's never realized.
Never, never, never found out.
We're going to take an ad break here, but stay with us because this story is going to go way off the rails. Support for this show comes from Black Hills Information Security. This is a company that does penetration testing, incident response, and active monitoring to help keep businesses secure. I know a few people who work over there, and I can vouch they do very good work.
If you want to improve the security of your organization, give them a call. I'm sure they can help. But the founder of the company, John Strand, is a teacher, and he's made it a mission to make Black Hills Information Security world-class in security training. You can learn things like penetration testing, securing the cloud, breaching the cloud, digital forensics, and so much more.
But get this, the whole thing is pay what you can. Black Hills believes that great intro security classes do not need to be expensive, and they are trying to break down barriers to get more people into the security field. And if you decide to pay over $195, you get six months access to the MetaCTF Cyber Range, which is great for practicing your skills and showing them off to potential employers.
Head on over to blackhillsinfosec.com to learn more about what services they offer and find links to their webcasts to get some world-class training. That's BlackHillsInfosec.com. BlackHillsInfosec.com.
Professor Dubstep was getting deeper into the unreleased Dubstep trading scene. 2016 comes around. The tactics that traders were using to obtain the unreleased music files were changing a little bit. And there were a couple of incidents where artists had played a DJ set at a club and someone would go up after the show and just take the USB drive straight out of the mixer. Whoa!
With all the secret stuff on it. Yeah. They'd go right up on stage and grab the equipment. Yeah, well, it's Pioneer CDJ systems. You basically just put a small USB flash drive into the top. So if someone walked past it, they could just swipe it really easily. And no one would notice until it was too late. Well, I mean, doesn't the music immediately stop?
If it's after the show's just finished, there's like a small window where someone could grab it and no one would notice.
That's some balls, you know? To go to a live show, see that performing artist you like, and then to steal their files right from under their nose.
Yeah, it's been known to happen about three or four times in the space of one year.
Holy moly, the lengths these people go to to get unreleased music is unreal. And I think it's a testament to just how dedicated and motivated the fans were to hear more, to get the latest stuff. Like you don't see consumers just like going to a sewing trade show and stealing the latest sewing machine from the demo booth, you know, because that passion doesn't exist there.
Music has this way to give us a meaning to life. It can be our therapist, our best friend, our lover, and our dance partner. It moves us in a way that not much else can. So some people would risk getting arrested to steal a thumb drive with new music on it.
Yeah, it happened plenty of times. There was a guy called Snails who was blowing up in the scene in late 2015. He had his USB stolen. All of the files from it leaked onto Reddit. Skrillex had his USB stolen as well. All of those things ended up leaking in late 2016 onto Reddit. Again, you know, it's something that keeps happening.
I think it still happens to this day that artists have their USB drives stolen out of the equipment on stage.
What do you do here? Weld your USB drive into your equipment?
Or what about putting a decoy USB drive in, but it's really a trap? If somebody goes to grab it, they get electric shock.
It's also interesting to just parse the idea that music is just files. It's data on a computer or a USB drive in this case. And I never thought about applying cybersecurity to music, you know? Like it's acoustic sound waves, not computer files, but no, it is computer files. And so it needs its own version of cybersecurity too. Okay, so let's talk about Reddit.
The poppin' subreddit for all this was xTrill, which is a place to post links to unofficial dubstep music. You know, live recordings from concerts, radio mixes, stuff that wasn't on the artist's official Spotify or YouTube or SoundCloud, but it is from that artist. And these alternate versions are sometimes better than the original version.
And fans were loving this subreddit to listen to new mixes.
Leakers in the scene were frowned upon. So things actually being leaked, whoever leaks something is, you know, it burns their reputation.
That's the nuanced thing about it, though. While people went crazy over leaked tracks and would get a lot of people excited, the subreddit had to take action on this to avoid being labeled as a leak site and get shut down. So they'd remove the leaks and ban the leakers.
Because it was, you know, it just goes, one thing, they're traders, they don't like things leaking. And two, it does damage things. Three, it invites trouble, it invites legal trouble if you are the one to leak something.
The xTrill subreddit is layered like an onion though. Basic stuff was on skin level. Peel it back and you find some juicier content. Traders with rare stuff. There were rules though. No piracy allowed. And no posting unreleased music. But the rules were often abused.
So the outside, xTrill, looked like a place that was just a rampage of things, totally uncontrolled. But actually behind the scenes, it was kind of a front. So if an artist was cool and contacted the moderators of the subreddit or the people in charge, they could say, please prevent this thing from leaking. There's release plans for it soon. Would you mind keeping it off?
If they were nice about it, they could get their brand added to the filter so that nothing could be posted.
It really takes a certain set of eyes to understand what's going on in xTrill. Because even when something is posted, are you familiar enough with that band and that track to know if this is legit or made up or a leak at all?
So late 2016 rolls around. Spintire comes to me on Skype and says, look, we've got this old password of Skrillex's. I say, okay, well, how? How does this happen? And he kind of hesitates to explain it at first and just says, oh, just look at it. Just try it on these things. Just try it on the old Skype account. Okay. It works. It logs straight in. To Skrillex's Skype account.
Yeah, and it was an old inactive account. It was dead. It was not being used. But the password worked, and I said, well, how'd you get this? Yeah, good question.
Skrillex is the biggest name in dubstep. He's a Grammy award-winning artist loved by millions of people. He has millions of followers on Twitter, too. To get his password on Skype is a pretty big deal.
And I said, well, how'd you get this? Eventually he explains, he says that databases have leaked from all kinds of sites. There was quite a lot of databases that got stolen and uploaded online in 2016. There was Dropbox, had their database stolen. Last.fm had their database stolen. Myspace had their database stolen as well.
And they're all just uploaded to this thing called, I think it was Leaked Source. And you could basically pay $20 a month for access to this, and it would give you access to all of these databases, so you could just view the results, the hashed passwords and things.
You could just take the hash and just decrypt it yourself, because they were really poorly protected, just standard MD5, which almost the whole MD5 table had been cracked by that point.
God, this is about to get insane. Huge database breaches with millions of usernames and password hashes. Combine that with the ravenous fans willing to stop at nothing to break into dubstep artists' digital lives and steal whatever they can to post it to Xtrill. And Skrillex is one of the first to get a working password for the biggest dubstep artist in the world.
My goodness, my brain is running a million miles an hour right now. There is going to be an all-out onslaught of people. They're going to be trying to hack into these musicians' files. Hey yo, I'm eating Fun Dip right now.
So what we've done basically is just put the email in that we knew of, of these artists, and if they had a result come up from some old, old database that had been leaked that was poorly encrypted, you could take that hashed result and decrypt it and just hope that their security was not so great and that they kept reusing this password for all this time and use the same one on every site or whatever.
And dang, that is a sweet combination of Last.fm, Dropbox, and Myspace. Pretty much means every dubstep artist would be somewhere in those database breaches. It was just a matter of finding the right username or email to use because those three sites were used a lot by musicians. Dropbox is extremely popular for file sharing.
And if a musician has a label or a manager or someone else that they're collaborating with, sharing their work in progress on Dropbox is very common in this circle. Last.fm and MySpace are places where you can go to post your music, which when you're an up-and-coming artist, you definitely want to be posting everywhere. And yes, MySpace is still around.
So, yeah, I'm just imagining, like, wait, hold on a second. We've got Skrillex's password. It works on an old Skype account. This has got to be the pinnacle of the whole story.
We got into Skrillex's Dropbox. Skrillex's Dropbox is the... We actually didn't manage to get in there, but... We tried a bunch of different accounts after Skype, and none of it was working. So all of the other things had been closed off. So you couldn't get into his Dropbox? No.
Nice job, Skrillex. Either he wasn't reusing passwords or heard about this database breach and changed all his passwords. Either way, he was ahead of the hackers here. And my goodness, if they got into Skrillex's Dropbox, that would be the most epic thing, to hear his latest stuff before anyone else. That would be insane.
But they couldn't get in. No. So we decided instead that maybe his manager would be a good target to try and look, to see if there was anything leaked in the databases for his manager. And so we had a look in, and there was... It was a really old result from 2008, but the same result appeared in all of the databases.
So it had a good chance of working in some maybe old sites that had been inactive, would have been used in the past for sharing music and stuff internally. To me and Spintire, we sat there on Skype and we tried it on the Mediafire page, which worked and logged us in. And there was some interesting stuff in there. There was Photoshop documents.
There were a couple of unreleased tracks that had never come out before, never even been heard. Skrillex tracks?
Mm-hmm.
Yeah.
Hot diggity. That's, I mean, I don't know if you're seeing it the way I'm seeing it, but that's got to be the biggest find ever so far, at least in this story.
In a way it was, but at that time we were hearing so many tracks from the traders that it kind of didn't seem as big to us as it actually was. And what we were doing as well, logging into the accounts and things, we didn't really kind of realize how deep that was really going because that's way further than just trading something in a small circle that's been got from another trader.
That's going into someone's account and taking something directly. And we were just doing it as if it was nothing, really, which is really ridiculous when I think back to it now. It's ridiculous. That's a huge invasion of privacy. But, you know, it worked.
We got these tracks and kind of made a resolve to ourselves that other people would be doing this at the same time as us. Other people would be figuring this out, who would get these things and then trade them and leak them. So that's what me and Spintire were basically saying with each other: it's better that we're doing it and we can keep these things safe and listen to them between ourselves and have the interest with it, and then keep it secret, keep it from leaking.
So part of keeping it from leaking is changing this manager's password or deleting it out of there or something, right?
Yeah, so we'd go in, we'd grab the files and then either just change the password straight up so that no one else could get into the account or to contact the person that we'd logged into and say, we've compromised your account, you need to change this password. And which many of the times we actually did that, we'd contact them and said, you know, you've been compromised here.
This is how it happened. You need to change your passwords.
Whoa, what a weird moral compass that is. They knew breaking into someone else's account is wrong. But their attitude was, if it's not us who breaks in, it'll surely be someone else who breaks in and they could cause big problems. So it's better that we do it so we can fix it.
And for the incentive of getting in and fixing it, we'll just take a listen to whatever we find along the way and just keep it for ourselves.
We decided to look in these databases for Dino's, if he'd had his passwords leaked in some database, and that we could try them out on the Skype.
Oh, wow. Dino was that guy who stole things from Excision and then leaked that stuff to other people, then tried to blame Professor Dubstep for the leak.
Yeah. This is where it gets good. Oh. So we had a look and there was one. There was, well, there was one password that had been leaked five or six times on different services. So that just indicates that he's using it on everything and maybe hasn't realized that it's compromised. So we took that password and we logged into his Skype. It worked first time. It was six characters.
It was really basic. We just logged straight in and we could see his chats and we could see him talking to some guy called Shane. And Shane was the owner of Xtrill. And they were talking with each other about trying to hack into accounts using these databases. So they were doing it themselves and trying to figure it out, as me and Spintire were also doing it between each other.
Oh, interesting. It's almost like there are two teams on this now, Spintire and Professor Dubstep, and then Dino and Shane. Spying on the other team might be really useful here.
So one of the targets that Dino was trying to hack into while we were watching him was us, me and Spintire. So he was looking in these databases trying to find our info and we were watching him do it and watching him attempt to get into our accounts like live in real time.
What accounts of like your Skype account?
Yeah, anything he could manage. Our Skype, our Dropboxes, SoundClouds, anything basically.
Oh, so Dino's talking with Shane like, hey, you have Professor Dubsteps. Do you see them in this at all in the data? Yeah, I see them in the database. Oh, cool. Let's check their password. Try logging in. Like, this is the chats you saw. And then it's like, no, it didn't work. Oh, bummer.
Yeah, exactly that. Literally just a real-time feed of watching him try to hack into us. No, I think more what it was was that he was paranoid and he was trying to see if we were sharing stuff behind the scenes and keeping things from him. Because everyone in this little trading game was backstabbing each other. It's just what was happening. Everyone was backstabbing each other.
Well, I mean, so what is your reaction to that? Like, if somebody's trying to hack me, I'd be like, whoa, whoa, whoa, this is now... I've got to be very careful with this person. How did you react to this?
Well, me and Spintire were just sat there like... wow, we're actually seeing this. They're actually trying to get into our stuff right now. This is strange. This is a lot to break down. But we were just sat there like, oh, well, good thing we have proper security on ourselves, otherwise we'd be screwed.
But here's the funny bit.
It's like, yeah, you're scared. You feel like, okay, I could be screwed here. This person is clearly attacking us. But you're in their Skype looking at their messages. So you're also attacking them.
Yeah. Exactly.
I don't know whose side to take here. You're both in the wrong.
We are both in the wrong. Everyone in this story is in the wrong. There is no right here whatsoever. The only thing that is marginally right is contacting people to say that you're compromised. That's the only good thing.
I got to have a hero that I want to cheer for and I don't know what to do.
You're not going to... I'm telling you now, you're not going to get one. I don't want to glorify any of this because it's not. It's a terrible thing. The dub plate trading, the hacking, it's all just damaging to everyone involved. The artists, the people doing the hacking, you know, the... It's dangerous stuff, and it's just a bunch of kids who don't know better doing it at the time.
You know, we were 14, 15, just sat there. Spintire was a lot older. He was about 30.
All this reminds me of one of those old heist movies where the criminals steal the cash, but then when they get away and they're all just sitting around looking at the stolen money and each other... They all start wondering if they can trust each other. Clearly, these are criminals you're working with, willing to break the law for this money. Are they going to steal it from me?
And then you realize, yeah, someone is going to steal my cut. So then you steal their cut first and get out of there. Well, here we have both sides completely not trusting each other and are actively trying to hack into each other's accounts to keep an eye on them. But it's interesting that Dino was working with Shane, who was the moderator and owner of the Xtrill subreddit.
Through these chats, they could clearly see how involved Shane was in the trading scene. He really liked collecting dub plates and getting his hands on unreleased stuff.
So we carry on, right? We try and get some more targets. We think of other sites that we can try and log into. So we take a look at Box.com, which is a cloud storage provider usually used by small businesses, big businesses, record labels, production companies, anything. It's very popular because they offer great group collaboration options.
So we take Skrillex's manager's password and we try it on the box.com account and it logs us straight in, straight into the inner workings of Skrillex's record label. We get in there and we can see all their upcoming releases and their production files, promotion plans. Upcoming releases for Skrillex? For Skrillex and all the artists on his label. Wow. That sounds like a big treasure trove.
There was a couple of terabytes worth of files in there. Holy cow. Box.com is a little bit more advanced. They send login notifications for unrecognized logins. So one of the first things we did was go into the settings and have a look. Did it say that we'd logged in? And this guy, this account that we'd logged into, he turned off the login notifications. So he had no idea that we'd got in there.
None.
Oh my gosh. There's a lesson there, isn't there?
Yeah. Leave something on for something like that, which is heavily relating to your business. You need to have these notifications turned on to tell you if your security is compromised.
Unreleased tracks are worth more than demos. Demos are just early versions or remixes of songs people have already heard. But unreleased tracks, nobody's ever heard yet.
Okay, so give me a list of things you found on there. There was unreleased Skrillex songs, there was individual audio assets for some Skrillex things, and the other artists on his label, like the individual master stems and things for songs, multi-tracks, so that you could basically break them down into their parts and things. Everything was stored in those.
Photoshop documents, promotion plans, documents saying what they were going to be doing for the next year or two years even. Internal voice recordings, meetings between the label executives and things. It was all kinds of stuff that really should, you know, it's confidential things and it was really unprotected files. There was no individual passwords on folders and things.
It was just all open with 50 other accounts shared on all of them. My gosh.
I'm just trying to think of what that could... If that did get in the public, what kind of ruckus that would have caused.
Yeah.
A very large amount. What we did is we copied the share link for each folder that was in there. And we set the permissions on that so that anyone with that share link could still view the folder even though they're not logged in. And we also copied the collaborator invite links for the folders because that option was not password protected.
So we could invite a new burner account so that we would still have access for ourselves on new accounts altogether and the original one would be closed down, so no one else would be able to get access to it apart from us.
Oh, that's interesting. I want to make sure you understand this. They accessed Skrillex's manager's box.com account, okay? And they saw these folders there and made the parent one shareable. And what this means is that anyone with that link can now view the contents of that folder and all the subfolders without needing a username or password.
So now they don't need to log back in to see what new files were uploaded. They can just use that share link to get in there and view it without logging in at all. On top of that, the manager had the ability to invite new collaborators. So they just made a new email account and invited themselves as collaborators and then told the manager, hey, look, your account is insecure.
You should change the password, which fixed the manager's account so that no one else could use the same exploit to get in. No other hacker could get in the same way.
This is a backdoor persistence into Skrillex's whole media company.
Yeah. But it's a backdoor in a way that I never thought it would be a backdoor, right?
If I say, oh, I have backdoor access to box.com, you're thinking, oh, wow, you've got some malware planted and reverse SSH shell.
Nope, just a share link. Oh, yeah. It gives you a totally different perspective of what a backdoor even is.
Yeah, because it's a backdoor that you can just, it's built into the site.
It's built into the site, exactly.
The only reason we were able to get these in the first place is because people don't exercise proper security. They use the same password on every site for years and years and years and don't enable two-factor authentication on their accounts either. So it's just open. If you've got the password, then you can just walk straight in and do whatever.
You'd ransack the place if you so wanted to, which is ridiculous.
I'm just sitting here thinking about this, letting it sink in. A backdoor is built into all the file sharing sites like Box.com, Google Drive, iCloud, Proton Drive, Dropbox, whatever. Because if there exists a shared folder link, anyone with that link can see into that folder. It's a feature of the site itself. You can't take that away or it ruins the point of the site.
And what you think is yours and private really isn't if there are public links to it. When you make something shareable and you say, only people with this link can see this file, it feels like this is still private, but it's not. It's security through obscurity. Your link is hidden, but not secure. And if that link gets out, it's viewable by anyone without a username or password.
And I've been doing cybersecurity for decades and nobody is talking about auditing Dropbox links to make sure only the stuff that should be public is public. Because every file and folder may have that option and going through them all is simply unreasonable to do by hand.
And when you're moving at the speed of business, nobody's going back to clean up or check what folders have sharing links or what don't. I say it's best to treat everything on your cloud storage as if it is publicly accessible and only temporarily put things up there if you want to share it with someone privately and then remove it as soon as they get it.
I also want to draw your attention to websites like urlscan.io. This is a site that is attempting to look at URLs to see if they're safe or malicious. But users can go there and search the site to see what URLs are in the database. And sometimes you can find URLs that probably shouldn't be in the public, but they are.
Imagine if you take a photo of your kid and it's on Google Drive, but then you want to create a link to show it to grandma. And you specifically say, only people with this link can see this photo. And you email the link to grandma. Well, then grandma has some browser plugin that examines all the links to make sure they're safe to click.
So when this link gets examined somewhere, bingo, bango, suddenly that link to your kid's birthday party is now floating around on the internet in all kinds of databases, being clicked on by who knows who. urlscan.io collects links like that. Hybrid Analysis is another tool. Cloudflare Radar URL scanner is another. Not to mention, DNS providers all over the world are logging things too.
It's not just Google Drive and Dropbox. There are tons of other online storage websites that you could look for. iCloud, Box.com, Sync, Egnyte, IONOS, HiDrive, AWS S3 Buckets, Proton Drive, and so many more. The list goes on and on. So the data is available. It's just a matter of sifting through it to find something juicy.
In this case, they were looking specifically for dubstep music and stepping over anything else that they came across. Okay. So it was just you and Spintire that got access to this? Yeah. And you just kept it between you. Nobody shared it beyond that, right?
So I thought, how I wish. Because as usual, a few weeks went by and other people started to hint that they had these files. Well, the traders got access to some things, didn't they? There was no explanation for it other than that Spintire must have shared it with someone. So I quizzed him on it and I said, you know, if you have, I'd rather you just tell me. I won't be angry, I just want to know.
He still denies it. So I start thinking, oh, well, someone else must have got access somehow. Like, aside from us, someone else must have initially got access to the account. So I treat it as that for a while. Let Spintire have the benefit of the doubt. We carry on going. We think of some more accounts to try and get into different people.
Another thing we were trying was a management company for Diplo and Major Lazer, who are a bit closer to pop music. And we tried his manager's Box.com account based on what we'd found in these leaked databases. And sure enough, password worked. It logged us in. There was another couple of terabytes of data in there. There was a lot more than just Major Lazer in there.
There was Diplo, there was A-Trak, there was Dillon Francis, Kill The Noise. There were about 20 different artists under this management company, and we could view all of their stuff from within this Box.com account.
At this point, they've gained access to terabytes of data from these music managers, which was just too much to download at all. Their hard drives would fill up instantly, so they had to be selective of what they were grabbing. Like, I don't know what this is like to come across this, but I imagine you cancel your weekend plans.
And you're like, I got a whole bunch of cool stuff that just arrived in the mail, and I can't wait to dig in there and listen to stuff. Because you can't speed through listening to these things. You've got to really be like, wow, I'm going to let this one play the whole thing. Nobody else is hearing this but maybe four people in the world. And Diplo made it. Like, wow. Wow.
Yeah, this is where it gets a bit more dangerous because some stuff that they had in that box.com account, they were basically keeping all of their artists and people that were involved in touring and things, production crew, this management company was keeping all of these people's personal documents in there. They're calling them contact sheets.
And that contact sheet would have more than just their contact information on them. It would have the artist's social security numbers, bank routing info, passwords, all kinds of insane stuff that was just supremely dangerous to keep in largely unsecured folders with no extra passwords on them and seemingly no reason to put that info in the document whatsoever.
And then to not secure your own account properly, it's exposing all people that are millionaires. It's kind of just lucky that none of... Me or Spintire or any of the people that eventually were doing this, that none of them were interested in anything more than just the music. Because the amount of damage that could have come from that is insane.
Here's a situation where the management label for musicians was being careless with the artist's private data. Driver's license, social security numbers, and saved passwords were sitting there on these online drives.
And while it wasn't meant for the public to see, there were gobs of people who did have access to this that worked for the management companies or even other musicians could see each other's files. It just goes to show if you're not protecting your own private data, nobody else will either.
These folders all had upwards of 50 people shared on them. Everyone in the business could access these things. The interns could access these things. Anyone could grab these things. Or anyone that got into the account could grab these as well and just have it. And there'd be no notification that it had been compromised. Man, that's too many people to have access to all this.
Because the more people you have involved, the more back doors might be created. Because just think, if a music production company is going to use Dropbox to store all their work in progress, it sounds to me like they don't have an internal file storage system. And maybe no internal network at all. They probably need things like email, chat system.
They got to make social media graphics, a merch store, blog, social media accounts, newsletters, project management, and collaboration tools, and an internal knowledge base for Wiki. Chances are small businesses today are using public-facing websites for all these solutions and not self-hosting things on their own servers and their own data center.
So that means if 50 people work at this place, that's 50 accounts times however many services I just listed. What, 10? So we're talking 500 various logins to different websites now. Who's got permission to see what and where? Small businesses are not auditing these things, and it's an auditing nightmare even if they tried. No, this isn't an ad. I'm not going to try to give you a solution.
I just want to tell you about the problems that arise when you start using cloud-based solutions, and there are a whole bunch of kids who are desperately trying to exploit those. So these kids had valid usernames and passwords to get into people's accounts, right? Okay, well, that's a problem to begin with, but whatever.
They were grabbing things, but they were also being smart at trying to establish persistence. If the owners of these accounts changed the passwords, they'd be locked out. So they created share links so that even if the account gets locked out, they could see what files are being uploaded later. Cool. But you can really take this to crazy levels. I'm talking about creating ghost logins.
Let me geek out on this for a second because I want to try to break your brain. Okay. So let's consider Zapier and how it can be used maliciously. Zapier is a tool that lets you automate things. So like if I get a new invoice in my email, I can automatically upload that invoice to Dropbox so that the accounting team can see it. Okay. Zapier can do that for you.
But in order for that to work, it's got to have the ability to see your inbox and have the ability to view and upload things to your Dropbox. So to set it up, you need to give it permissions to do that.
Well, now, if a hacker gets into your Dropbox like these kids were doing, and they wanted to maintain their access like these kids wanted, and they could see that you hooked up Zapier to do automation, so now they can create their own fresh Zapier account that they control and connect it to your Dropbox. And this could give them visibility into your Dropbox from Zapier.
And you wouldn't even know they're there because to you, all you see is that Zapier has permission to view your files, but you set that up when you were setting up your invoice automation thing. And this is what I mean by a ghost login. Someone who's in your account who doesn't even need your username or password to stay in.
Change the password all you want, they're still going to stay connected to your stuff. Another way to create a ghost login is to create a secondary login. Some sites allow you to log in through like Google or Microsoft or Facebook or even SSO. And suppose that's how you set up your account, by logging in using your Facebook account.
Now, if a hacker has your password like these kids did and gets in through that, some sites might have the option to connect another login. Like if you used Facebook to log in, the site might let you also connect your Google account too. And so, yeah, a hacker could just create a brand new Google account and connect it to your account and start using that to get into your account from then on.
So even if you change all your passwords, that access would persist. So if you really want to change your passwords, you really need to go through all of the websites that you have to see all of the connected services and alternate logins and everything. It's a mess. It's a mess.
And of course, another way is if the site has a way to generate an API key, you can do that and then access stuff from there. There's so many options to create ghost logins to maintain access to an account, even if the user changes their password. So this is what I mean. If 50 people all have access to someone's driver's license in Dropbox, then perhaps nobody is looking closely at permissions.
And if that's the case, there's a high potential of being able to create a ghost login that stays working for years. And I must say, this is a new territory for security teams to navigate.
You hear about this in like general terms, like least user privilege and this sort of stuff, but you don't have people who are like experts in Zapier account security who will audit what apps you have given permission to regularly. This is a big challenge to keep up with.
So with all this data, like terabytes and terabytes from some of the biggest stars in this dubstep world, do you ever think like, you know, we can make some money off this?
I wasn't into that, but I would later find out that Spintire was sort of starting to get into that. I mean, after a while of these things keeping leaking, starting to leak on Reddit, that were meant to be just kept between us and that no one else was supposed to have access to, I clocked on that Spintire must have been being dishonest about it. So I confronted him in mid-October.
I said, are you sharing these? Just tell me right now, are you sharing these? And he says, no, it's not quite like that. I said, well, how is it then? He says, I can't say. I say, is someone paying you for them? He says, yeah. So I think, oh, well. Finally, he's admitted it. I've caught him out in his whole game plan. And he goes on to explain that he... quit his actual job to sell these files to some rich kid on the other side of the world. I say, well, this goes against every, you know, the whole reason that we were doing this in the first place was to keep these files somewhat safe and prevent these people from getting access to them to be able to, so that they can't do this thing with it. And then he's doing it himself.
It really made me quite angry. You know, I felt misled on the whole thing.
Huh. This is a tricky situation to navigate for a teenager. Like, what do you do when your partner in crime starts doing things you don't approve of? Together, you made a map of all the buried treasures, all the shared links and logins and passwords and ghost logins, terabytes of downloaded data and a whole system of techniques and piles of data to sift through to find more.
And suddenly, both of them are now highly suspicious of each other? Now that it was known that Spintire was selling this stuff, Spintire offered them a cut of the money to keep things quiet and stuff.
I said yes, but what I meant was I'll agree so that he keeps, you know, he thinks that I'm on his side still. So I end the chat and I go and talk to Shane from Xtrill.
Shane was the moderator and admin of the Xtrill subreddit. Professor Dubstep was like, listen, these leaks that have been happening lately, I know where they're coming from. Spintire is selling it and I don't want more to leak out. So here are the other things that might leak.
So he agrees and he's like, yeah, you know, we'll do what we can to prevent Spintire from carrying on with the stuff. So we started working together from that point on, on these things. Me and Shane and another friend called Arnie Kurtz.
Arnie was another guy very tuned in to the unreleased music scene, and he was a whiz with all these online services and how their security can be exploited, which could be really handy to break into more shared drives and stuff. And Shane had seen that Dyno wasn't trustworthy, so they stopped working together. So the new crew is Professor Dubstep, Shane, and Arnie. Spintire and Dyno were out.
And not only that, but they all agreed that Spintire needs to be stopped. So they put filters in place on the subreddit to keep certain tracks from getting posted. But they also started going through the ghost logins and shared links that Spintire had to lock him out. They were changing passwords and disabling shared links.
It's kind of funny that this teenage crew knew exactly the steps to take to keep hackers out, yet the music labels themselves either didn't know or didn't want to stop these kids.
Yeah, I mean, that's kind of what we started doing. Our main plan was just, you know, prevent Spintire from retaining access to these accounts and these folders that we'd spent so long to gain ourselves access to, and then we're locking them off. Specifically to try and prevent things, to prevent this from happening. It is kind of strange that it changed in that way.
I'd cut Spintire off in mid-October. I'd been friends with him for two years at that point. It was difficult to cut him off. It was fun to hang out with. But, you know, it had to be done. Damage was actually being caused and I was recognising that. What a headful to navigate as a teenager, you know?
Like to be sitting in, what, history class? Just thinking in the back of the class what stuff Spintire might steal next. And then to rush home and change more passwords to try to lock them out. But then when you're in there cleaning things up, you're reminded, oh yeah, this is the account with all those banking details for this major musician who's a millionaire. Ah, that's funny.
Not gonna touch that. But I will stop Spintire from getting back in here.
Once they were slowing down Spintire and locking them out the best they could, it was time to start looking for new treasure troves.
I think at the peak of things, we probably had like a network of 25 accounts. It was a lot. I mean, we were doing this sort of stuff just all day, basically, just trying to figure out what could be next, what could Spintire's next target be. You know, what could be something dangerous that he would get access to that he shouldn't get access to, and then go and get access to it ourselves instead.
It was ridiculous.
Their standard system was to find a musician's email address, search for that email address in the breach databases, get the hash, crack the hash, then use that on a whole bunch of sites that musicians might use and hope they might be reusing passwords.
Yeah, I mean, that's the thing as well with Box.com or Dropbox. If you make a shared folder and you invite other collaborators to it, these management companies are inviting 50 people to a folder, and you could go through and browse that list of people and take their names and their email addresses off there, and then you could run those through the database search as well.
So if you spent long enough on it, you could tunnel through to all kinds of places that way by just going on it again and again and again until you get somewhere. And you could build up a network that way.
Of course, you all should know by now the dangers of reusing the same password on multiple sites. Here's a clear reminder why you should never do that. But you should also watch out that you're not too lazy when making different passwords.
Quite a few times, they'd not change it very much. They'd maybe just add a capital letter or an extra number on the end. Or there was one manager that we were looking at, his password was the same thing for everything, but he just changed the letter at the end. And the letter at the end would be the initial of whatever site the account was for.
So if the account password had leaked from MySpace, it would be word and then the letter M at the end. So to get to the password for box.com or Dropbox, you know, you just change the letter at the end to a D or a B, and it would work. You would also not get a notification that that password was compromised because it wasn't.
Oh, yeah, that's interesting because I regularly check all my passwords to see if any of them have been exposed in a database breach, and I change any that do get seen. But if my password is guessable because it's just one letter off on every site, then those would never appear in any database breach to make me want to change it.
Now, one of the songs they got a hold of early was Purple Lamborghini.
Yeah, Purple Lamborghini was something that came from the Diplo's manager's account. One of the artists that they were managing was called Flosstradamus. They do DJ sets at the main festivals throughout the year for trap music and dubstep music. And in one of these contact sheets that was stored on this management box was all the passwords for this DJ duo.
And one of them was the password for their Splice account. Splice was a service that offered project file storage for music software. So we got into that and we downloaded it, their DJ set preparation files. And because they were semi-big players, they had all these work-in-progress versions of tracks from other people in the scene. And Purple Lamborghini demo was one of them.
By the way, if you're wondering if there's a dolphin in Purple Lamborghini, there sure is. It's right here. I swear, if I listen to this enough, I'm going to learn the language. Now, the thing is, this is a demo version, which I think is better than the official version. But this demo wasn't released when the official one came out. And I don't think I had any plans of ever getting out.
So at this time, only Professor Dubstep and a handful of people in the world ever heard this.
Yeah.
And basically what happened was, it's been a few months since I cut Spintire off. And... I was missing my friend and I went and unblocked him and I started talking to him again. I said, you know, are you still doing the selling? Because we'd been trying to prevent him from doing it, preventing him from getting anything to sell. He said, no, you know, I've finished with that.
I've cut off those people, realised that they were trading and leaking the things after, blah, blah, blah. So I say, okay, well, you know, should we be friends again? He says, well, sure. Let's go back to how things were a couple of years ago. Just talk about music and not be involved in any of this dodgy stuff. And I say, okay, sure. You know, we kept talking.
It led into, oh, you know, I've got these couple of cool new things. Do you have anything cool new things? And so we share a couple of things back and forth with each other. Like old times. The Purple Lamborghini demo was one of those things. About a week goes by, and as usual, it leaks on Reddit. The one single possible corporate Spintire leak. I just, I blew up at him over it.
I thought, you know, this has happened again. You're the only explanation for this thing leaking. It broke my trust again. So I cut him back off, but it's too late by that point. You know, the thing had leaked. That was my own stupid fault.
But December rolls around and we had one last big thing that we wanted to try and do, which was to get into a Major Lazer production account for where they held all their song files and their production files for things that they were working on. Things that you could load up in a music software and see all the individual bits of and... and change things.
So we had the idea to go for one of Major Lazer's production team and see if we could get into their things. So we had one last go on the database and see if we could get the pass to their Dropbox. And we did manage it. We were talking back and forth with each other, me and Arnie and Shane, in a group chat, saying, oh, it's here. There was one specific song that we wanted to get.
It was called Terrorize, featuring Collie Buddz. So we logged into this account, and the first thing we searched for was Terrorize project file, and, uh, it was there. The actual one that they were, that the group were working on at this, at the very, the very day. So we're talking back and forth with each other like, oh, it's Terrorize season, it's Terrorize season, GOAT, greatest of all time. But there was more than just that in the Dropbox. There was another terabyte of stuff that was being worked on at that minute, like the inner workings of a major Billboard Top 100 pop artist.
And everything was there. Individual assets, drum samples, synth files, all kinds. So we grabbed all that stuff. Well, I mean, it was too much to grab. And in many of these cases, it was too much. It was too much there. The things that Spintire had got hold of from before he was cut off had started to, you know, the leaking had really picked up.
And me and Shane and Arnie basically decided that we needed to make even more efforts to contact these people who had been compromised. And I'm pretty sure it was Arnie that did this. He rang up the actual manager's phone number and left a message on the voicemail to say, you know, this has happened. This is what will happen next. You need to start taking steps to secure your stuff straight away.
Otherwise the damage would just rack up into hundreds of thousands of dollars. So the legal teams started talking about this, like, oh, how could this happen? Blah, blah, blah, blah, blah. It's impossible. We sort of, we ended up in contact with these legal teams on the false identities to explain to them how it had happened, why it was happening, and... how they could prevent it.
They were basically saying, oh yeah, you know, we had plans for these songs, we had plans for Terrorize, it was going to be like a big thing because so many people wanted the song. And that was, they basically just all cancelled all of that because it was, the potential for it to leak early was there, so they cancelled all of those plans.
Yeah, if you go on Major Lazer's Spotify or YouTube channel, there is no such song as Terrorize. Collie Buddz didn't release it either, even though he sings in it. The song never got released, despite there being quite a decent amount of people really looking forward to it. And I guess this is why it got canceled. The hackers ruined it.
But if you're curious what the dolphin sounds like in it, here you go. This is actually a remix of it I found. The one that got leaked was a little different, but it's wild that this totally unreleased Major Lazer song is out there in the world for anyone to listen to, but because it wasn't an official release, it doesn't have many plays. And it's not an official song by Major Lazer.
It could have been a hit. Major Lazer has three songs on Spotify with over a billion plays, and Collie Buddz is pretty popular too. A reggae dubstep crossover song? That's a great idea, but it was never released. The project permanently halted. How odd, you know?
Just to think an early version of a song that gets leaked too soon, it upsets the label so much that they just give up on the song entirely.
An album that was being worked on at the time, Music is the Weapon, that was cancelled too. Well, not cancelled outright, but really delayed. And it only came out in something like 2020, 2021, which was four years after all these incidents.
But we were basically just talking with each other, trying to come up with these plans of how can we prevent these things from leaking. You know, we want to help you to figure this out because we know these people that are involved with this. And these legal teams are coming up with these ridiculous plans like, oh, well, we'll fly Spintire out to New York and we'll, you know, we'll take him to dinner and we'll hand him $30,000 in exchange for his hard drives, and then that will secure our files.
And I was trying to tell him, no, that will not work. We'll just make a copy of it. It's ridiculous. And they were not having it. They were saying, oh, well, this definitely seems like the best idea to me. And I was saying, no, no, please, no, don't do that.
I'm not sure if they actually did that in the end or if they realized that it was not going to help their case.
Well, did they know that you had the hard drives full of stuff too?
Um... Well, that's the thing. Me, I didn't download all the things. I'd pick and choose a couple of things here and there, but a lot of it was kind of just not so interesting.
The thing is, Professor Dubstep enjoyed listening to early Dubstep tracks, but that wasn't the driving motivation for all this.
Personally, I'm not really a raving fan. I was just more interested in being able to break these things down and look at the production process. Because it could help me to learn how to make better music myself and see how it was being done, how the Billboard Top 100 stuff was being made. And I could use that to help me create better things myself. It's a valuable learning resource.
I feel like that's a stretch. You could go on YouTube and watch people making music and learn from them. You can hang out at groups and circles, other garage bands or whatever the case is, and be like, how are you doing?
Oh, wow, that's an interesting method. But you're like, hmm. I think I'll hack into Diplo's Dropbox to learn on my own. Thanks, I'm good. It's quite a different path to learning.
Yeah, I see your point, but at the same time, it's kind of unprecedented that you can go into a project file and look at the entire... start-to-finish process of it.
The entire project files were in these folders. All the effects, samples, everything that was used to make the song. See, most of this music is made in a DAW, a digital audio workstation. So that might be tools like Ableton Live, Adobe Audition or Pro Tools or something like that. These were the tools that you'd have to use to view how these songs were made.
And Professor Dubstep had these tools to examine it all. Not only could they break apart the song, isolating tracks and sounds to see how it was composed, but there were different versions of the same song too. They could see how the song evolved over time. What an amazing thing to explore for someone who wants to make electronic music as their career.
To be able to study how the pros do it in such detail, you never get to see these behind-the-scenes bits. I mean, even me as an up-and-coming podcaster, I would have loved to get my hands on the full project files for This American Life or some show that I was really inspired by.
It would have been huge, and I bet it would have helped me understand the complexities and details of how all this gets put together. But not only that, but to see such a variety of songs and musicians' project files, it really puts them in a unique position to have such a close and upfront understanding of how all this music was made.
You have to know some in-depth music stuff already to be able to figure out what you're even looking at. The fact that I've been able to look at all this and take some insight from it that can help me later on is basically invaluable. It's priceless.
Just imagine Professor Dubstep in some music class where the teacher's like, here's the proper way to use this effect. And they're just like, no, that's not how Skrillex does it, or Diplo, or Major Lazer, or Excision. Oh, yeah? Well, how do you know? Oh, never mind. Carry on. Anyway, it took them a lot of convincing, but they were finally able to get the legal team to fix all the problems.
At the end of 2016 was the final, you know, called it quits and stopped doing all this hacking stuff. Which, I mean, it's not right to call it hacking, really. It's not even on script kiddie level. It's just searching through things and using logic to try and figure out passwords. It's not... It's not really like complex hacker stuff.
It's just, I don't know a good word to use to describe it, but you know.
I've been thinking for a good word to use here this whole episode myself. Thief and stealing isn't quite right because the original copies are still there. I feel like for it to be stealing, you need to rob the person so they don't have that thing anymore. And if you post something online and someone makes a copy of it, that's not stealing. That's just downloading a copy.
And that's what they did, often just downloading copies of things that had public links to it. Was it supposed to be public? No. But was it? Yes. So the term I think that best describes this is exfiltration. They exfiltrated files that were not meant for public consumption, but weren't very well protected. To me, this has the right ring to it. Professor Dubstep, professional exfiltrator.
But yeah, fast forward to... to 2019, and I'd just finished college. I did a music course at college. I'd left all this stuff behind. It was all kind of calmed down. Nothing was leaking anymore. No accounts were being compromised, well, not by me anyway. And I kind of thought, you know, I'll find out what the old people were doing in modern day. I had a chat with Shane.
I had a small talk with Arnie, and Shane was still going on with the stuff, from what I could gather. Arnie had moved away from doing it and he'd got, I think, I'm pretty sure he went to work for the FBI and got security clearance, top security clearance, for something or other.
Other people in the Extril crew, some of them had got raided, some of them had gone to join the military and things like that. You know, everyone had gone off to do different things, apart from the one guy who had got the most weird and awkward situation possible. Spintire had gone from being the seller and the leaker of so many hundreds of gigabytes of data.
He had gone from leaking these Skrillex demos and trading them to being on Skrillex's production team himself, and was now technically Skrillex. And with that, Skrillex is one of the ones that is ghost-written, ghost-produced. He's not real. He's just a face for a brand.
So you're saying a lot of Skrillex's music today is made by someone else, and then Skrillex just puts their name on it?
All of it. In 2019, the team was at least five, six people putting together these songs. And that's what it's always been, really. Skrillex's first release in 2009 and 2010, like Scary Monsters and Nice Sprites, his first EP was ghost produced by Noisia to quite a large extent.
Maybe not entirely, but a large portion of all of his sounds over the years have come from other people putting it all together. So yeah, this ghost producing runs deep in the scene. So many of the big players are fake.
Alright, I can't find any article saying that Skrillex doesn't make his own music. Musicians collaborate all the time with other musicians to make music. That is no surprise. But the allegation here is that these musicians aren't crediting the people who helped make the song. So while you think it was them who made it, it really wasn't.
Skrillex is known for being very hands-on with his music, but there are some well-known cases where other big-time musicians have been accused of taking someone else's music and calling it their own without giving proper credit. So this is known to happen. And honestly, I don't know what to think of that.
I mean, on one hand, if an EDM musician is just playing someone else's music, that's called being a DJ. And it's a bit of a stretch to say you made this music. But on the other hand, what do I care if you really wrote this song or had someone else write it for you and you just put your name on it? The music is what matters.
It's fascinating to me, though, because I'm endlessly obsessed with the dark parts of the Internet. And this digital underground is bustling with activity, but with hushed tones, and it's all right under our noses. It's a world we rarely see, but sometimes hear. A big thank you to Professor Dubstep for sharing this story with us. This episode was made by me, the AI adventurer, Jack Rhysider.
Our editor is the code conjurer, Tristan Ledger. Mixing done by Proximity Sound, and our intro music is by the mysterious Breakmaster Cylinder.
Ultra Miami, your circuits are about to be blown because next up is an unreleased track by the legendary Breakmaster Cylinder. Overclock your headphones, compile your grooves. It's time to execute some killer dance moves. No lag, no latency. Tonight, we reach peak bandwidth. This is Darknet Diaries.
I'm Jack Rhysider.