Fancy Bear Goes Phishing: The Dark History of the Information Age in Five Extraordinary Hacks 
by Scott J. Shapiro.
Penguin, 420 pp., £10.99, May, 978 0 14 199384 3

It had been twenty years since my last research trip to the British Library when, in November last year, I received an email with the subject line: ‘Important information about our recent cyber incident’.

As you may be aware, we are currently experiencing a major technology outage as a result of a cyber attack. Following confirmation that this was a ransomware attack, we’re aware that some data have been leaked. While this appears to be from our internal HR files, we recommend that if you have a British Library login with a password that you use elsewhere, you change it on other sites as a precautionary measure.

A dull enough standard warning. But a week later the British Library wrote again: ‘Important information about your data’. The cybercriminals had breached the library’s Customer Relationship Management (CRM) databases. ‘At a minimum these databases contain the name and email address of most of our users. For users of some of our services, these databases may also contain a postal address or telephone number.’

The attack, which took place on 28 October, began with the wholesale copying of records held by the library’s finance, technology and HR departments. Then the hackers ran a keyword search for any references to sensitive terms such as ‘passport’ or ‘confidential’, both on the library network and on the personal drives used by staff. Finally, parts of the CRM databases were backed up and deleted from the network. No bank or credit card details were stolen, according to the British Library’s official review. Nor was there evidence that the library’s Electoral Roll database was compromised. The hackers demanded 20 bitcoins, then worth £600,000. When the library refused, citing government policy prohibiting publicly funded institutions from paying ransoms, the stolen data was auctioned off on the dark web.

Fortunately for me, the hackers will have gained little from reselling an ancient AOL account and the address of the since-demolished squat in Denmark Street where I spent 2003 with seven dissolute members of a mediocre metal band. The British Library itself was less fortunate. It was forced to spend at least £6 million to rebuild its digital services – almost half of its total cash reserves. Full access to the print collections was only restored last month. Both its extensive sound archive and the UK Web Archive, which aims to preserve websites and some social media for future generations, remain inaccessible.

Worse was to come. In June, several major London hospitals declared a critical incident and launched an urgent appeal for blood donations after a ransomware attack targeted Synnovis, a company that conducts blood testing and provides transfusions for the NHS. More than a thousand procedures were postponed, including at least a hundred cancer treatments. As well as disrupting essential services, the hackers stole around 400 gigabytes of data, including results of blood tests for sexually transmitted infections such as HIV, along with patients’ names, dates of birth and NHS numbers. Qilin, the group behind the attack, demanded $50 million from Synnovis and leaked the data after no payment was made. In August, the High Court granted Synnovis an injunction against Qilin and Telegram, the messaging app used by Qilin to publish the victims’ data. In response, Telegram took down the channel in question. But by that time, 900,000 people had already had their health information posted online.

Journalists, government agencies and private intelligence companies have tried to establish Qilin’s identity and motivations. ‘Our attacks are not accidental,’ an anonymous representative from Qilin told the Register. ‘We choose only those companies whose management is directly or indirectly affiliated with the political elites of a particular country. The politicians of these countries do not keep their word, they promise a lot, but are in no hurry to fulfil their promises.’ Despite such statements, most analysts are sceptical. Qilin’s track record suggests its targets are chosen at random.

Over the past two years, groups such as Qilin attacked the Royal Mail, the Guardian, the BBC, British Airways, Boots and MGM Resorts. As Scott Shapiro writes in Fancy Bear Goes Phishing, ‘cybercrime is a business, and businesses exist to turn a profit. Cybercriminals don’t want to read your email or use your webcam to spy on you making dinner. They are, by and large, rational people out to make a living.’ And it’s a good one. In 2023, ransomware gangs extorted more than $1 billion from victims, according to research by Chainalysis, a blockchain intelligence company. Most of the payments were greater than $1 million. An even more significant source of revenue for cybercriminals is cryptocurrency. Over the same period, according to Chainalysis and TRM Labs, where I used to work, hackers stole $1.8 billion worth of bitcoin, ethereum and other crypto from institutions and investors around the world. Separately, the equivalent of more than $12 billion was paid into crypto wallets associated with scams and investment fraud.

What happens to all this loot? Conventional money laundering involves three stages, known by investigators as ‘placement’, ‘layering’ and ‘integration’. Stolen funds or proceeds from crime are paid into bank accounts (‘placement’) before being moved around to make them harder to trace (‘layering’). Finally, the funds are used to make legitimate investments or acquisitions, from gold to prepaid gift cards (‘integration’). Placement carries the greatest risk: in the US, regulated financial institutions are obliged to report anyone paying in sums greater than $10,000, while the National Crime Agency requires British banks to report suspicious deposits. Banks such as Barclays and NatWest restrict the amount of cash a customer can pay in each year.

Laundering cryptocurrency involves the same logic but in reverse: rather than smuggling ill-gotten gains into the financial system, the aim is to cash them out without getting caught. Off-ramping dirty crypto is complicated. Every crypto transaction since the invention of bitcoin has been recorded on a freely accessible ledger known as a blockchain. Even armchair sleuths can track the movements of crypto between wallets. ‘Whale Alert’, the best-known tracker of ‘large and interesting transactions’, has 2.5 million followers on X. The simplest way to convert crypto into cash is by using an exchange such as Binance or Coinbase, which link the wallets they host to conventional bank accounts. But most exchanges now perform ‘know your customer’ checks, which require individuals to submit a passport or other official document along with a selfie to prove their identity. Banks monitor funds paid into customers’ accounts from crypto exchanges and report potentially dubious transactions. Authorities pursuing crypto heists have the power to subpoena exchanges and compel them to freeze funds held in their wallets.

All this makes converting dirty crypto into cash a bit like selling a stolen Matisse. That is the way one report described the travails of Heather Morgan and Ilya Lichtenstein, a couple in their thirties who last year pleaded guilty to stealing more than 120,000 bitcoin – then worth $4.5 billion – from the Hong Kong-based crypto exchange Bitfinex in 2016. Just how the theft was carried out has not been disclosed. But Lichtenstein, described by one associate as a ‘kind of genius’, is thought to have gained access to the Bitfinex system by sending a phishing email to an employee and then exploiting a security weakness to bypass withdrawal limits and exfiltrate its customers’ bitcoins to various anonymous crypto wallets.

Morgan and Lichtenstein managed to launder a small portion of the stolen bitcoins. After breaking them up into thousands of transactions, they used anonymising services known as ‘mixers’ to obscure their origins and passed the funds through darknet drug markets before directing them to various exchanges as well as over-the-counter brokers who exchange crypto wallets for suitcases of cash. But Lichtenstein and Morgan, who after the heist restyled herself as a rapper called Razzlekhan, proved to be victims of their own success: the lion’s share of the bitcoins, too large and conspicuous a hoard to move discreetly, remained stranded in Lichtenstein’s crypto wallet. Eventually that wallet, worth $3.6 billion, was traced and impounded by US authorities in what became the largest cryptocurrency seizure in history. The pair are due to be sentenced in Washington DC later this month.

Governments and businesses claim not to negotiate with hackers. Yet the information stolen from them is often so sensitive that ransoms are quietly paid. A member of the collective known as ShinyHunters claimed to have received $370,000 from AT&T to delete stolen customer records involving 110 million phones. The payment was allegedly made in bitcoin by an intermediary, with some of it laundered by the recipients through an online gambling platform: once digital chips acquired with stolen funds are cashed out for new tokens, their crypto trail goes cold.

ShinyHunters, Qilin and Rhysida, the group that hacked the British Library, represent a booming cybercrime industry known as ransomware as a service (RAAS). Healthcare facilities are popular targets because of the enormous amount of personal data they hold. In August 2023, Rhysida attacked Prospect Medical Holdings, a US company operating sixteen hospitals and 166 outpatient clinics. Having stolen half a million personal records, it offered them for sale online for 50 bitcoin ($1.3 million at the time).

Analysis of transactions on the blockchain showed that Rhysida is linked to the Vice Society, a ransomware syndicate notorious for hacking schools and universities. Cryptocurrency wallets shared by the two organisations were found to have received more than $2.5 million in victim payments in July 2022 alone. What has proved harder to establish is where all these outfits are based. Media reports often describe Qilin, Rhysida and Vice Society as Russian and sometimes imply they have direct links to the Kremlin. But while the RAAS sector is indeed dominated by Russian-speaking hackers, they come from all over the former Soviet Union and hold disparate political allegiances. It’s true that the breakdown in relations with the West has removed Moscow’s incentive to co-operate on cybercrime, creating a safe haven for international cybercriminals. As the respected Russia analyst Mark Galeotti recently wrote, rather than being directed by Moscow, such groups probably ‘operate with the state’s benign neglect’.

Measured analysis by Galeotti and others hasn’t prevented Western media from blaming Putin for all kinds of ‘disinformation’, a term applied to pretty much any public statement that rejects the Atlanticist consensus. As the US election approached, this paranoia merged with the centrist fear that Russian hackers would engineer Trump’s return to power. (In the end, he didn’t need their help.) With its title reference to a Russian state hacking group – Unit 26165 of the Defence Intelligence Agency (GRU) – and its cover image of a bear in KGB uniform, Shapiro’s book might seem the latest example of this way of thinking. In fact, Fancy Bear Goes Phishing is a bait and switch. Shapiro devotes only one chapter to Russian state hacking: a summary of the GRU’s infiltration of the Democratic National Committee servers in 2016. The rest of the book amounts to a lively and multidisciplinary critique of America’s often neglectful and sometimes malign stewardship of the internet since its inception in the 1970s as a US military project; to this day, 70 per cent of the world’s internet traffic passes through data centres in Virginia.

The complexity of modern computing can make cybercrime appear the purview of rogue individuals weaponising their scientific brilliance in the service of chaos. It’s true that hackers are usually intelligent and highly educated. Yet the success of a hack relies less on mathematical prowess or coding pizzazz than on a keen understanding of human psychology. We are all motivated by similar emotions: love, fear, greed. We are crippled with cognitive biases. We take short cuts. ‘Hackers are intuitive cognitive scientists,’ Shapiro writes. ‘They understand how the human mind works.’ Take the ILOVEYOU virus, which infected around 10 per cent of the world’s computers in May 2000 and caused more than $10 billion in damage. The virus arrived in an email with the subject line ILOVEYOU followed by the message ‘kindly check the LOVELETTER coming from me.’ When the recipient opened the attachment, the virus copied itself onto their computer hard drive and deleted any images or Microsoft Office files before directing Outlook to forward the email to the victim’s contact list.

What made ILOVEYOU so infectious was not the originality of its underlying code, but a basic insight: people are more likely to open an email from someone they know – and are more likely still to open an email that promises a declaration of love. ILOVEYOU ‘exploited our “love upcode”’, Shapiro writes, using a programming metaphor. ‘People want to be loved. They want to believe that others love them.’ ILOVEYOU, then, was an early example of ‘phishing’, a technique that continues to power some of the most serious and high-profile cybercrimes. Phishing scams usually cast a wide net to ensnare naive and technologically illiterate users, but the most high-profile cases in recent years have all been examples of ‘spear phishing’, where the attack is tailored to a specific victim.

Spear phishing was the means by which Fancy Bear infiltrated Hillary Clinton’s 2016 election campaign. Billy Rinehart, who was running the campaign for the Democratic primary, received an email with a Google logo asking him to change his password. ‘Hi William,’ the email read. ‘Someone just used your password to sign into your Google account.’ It listed an IP address located in Ukraine, a known destination for cybercriminals. ‘Google stopped this sign-in attempt,’ it continued, advising him to ‘change your password immediately’ by clicking on the ‘CHANGE PASSWORD’ button. Similar personalised emails were sent to dozens of Democratic staffers, including John Podesta, Clinton’s campaign chair. Podesta’s assistant forwarded the email to his IT officer, who replied that it was ‘a legitimate email’. He later claimed that he had meant to write ‘this is not a legitimate email.’ But the damage had been done. Around 60 per cent of recipients clicked on the link, a ‘click-through’ rate that, as Shapiro says, ‘would be the envy of any digital marketer’.
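As an added illustration, not taken from the review or from Shapiro’s book, the script below applies the checks a mail filter or a wary recipient could run on a lure like the one sent to Rinehart: does each link actually lead to the domain the sender claims to be, does it use plain http, and does the message lean on password-reset urgency? The two sample messages, their addresses and their link domains are constructed placeholders; the one that imitates the DNC lure points at a made-up `.example.net` host, not at any real infrastructure.

```python
"""Heuristic checks for a credential-phishing lure (added example, stdlib only)."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the lure described above. The sender is
# spoofed to look like Google, but the button links to a placeholder domain.
LURE_EMAIL = """\
From: Google <no-reply@accounts.google.com>
To: william@example.org
Subject: Someone has your password
Content-Type: text/html; charset=utf-8

<html><body>
<p>Hi William,</p>
<p>Someone just used your password to sign into your Google account.</p>
<p>Google stopped this sign-in attempt. You should change your password immediately.</p>
<p><a href="http://accounts-google.example.net/reset">CHANGE PASSWORD</a></p>
</body></html>
"""

# Constructed benign sample: the link domain agrees with the sender domain.
BENIGN_EMAIL = """\
From: Google <no-reply@accounts.google.com>
To: william@example.org
Subject: Your monthly storage summary
Content-Type: text/html; charset=utf-8

<html><body>
<p>Hi William, here is your monthly summary.</p>
<p><a href="https://accounts.google.com/summary">View summary</a></p>
</body></html>
"""

# Words that a password-reset lure leans on to rush the reader into clicking.
URGENCY_WORDS = ("password", "immediately", "sign-in attempt", "suspended")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


def registered_domain(host):
    """Crude registrable-domain reduction: keep the last two labels.
    (A production filter would use the Public Suffix List instead.)"""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def phishing_indicators(raw_email):
    """Return a list of human-readable indicators found in the message."""
    msg = message_from_string(raw_email)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = registered_domain(sender.rsplit("@", 1)[-1]) if "@" in sender else ""

    # Gather every text/html part (a single-part message yields itself).
    body = ""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            body += part.get_payload(decode=True).decode(charset, "replace")

    indicators = []
    collector = _LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        parsed = urlparse(href)
        host = parsed.hostname or ""
        label = text.strip()
        # The decisive check: the link must land on the sender's own domain.
        if host and registered_domain(host) != sender_domain:
            indicators.append(f"link '{label}' goes to {host}, not {sender_domain}")
        if parsed.scheme == "http":
            indicators.append(f"link '{label}' uses plain http")

    haystack = (msg.get("Subject", "") + " " + body).lower()
    found = [w for w in URGENCY_WORDS if w in haystack]
    if found:
        indicators.append("urgency/credential language: " + ", ".join(found))
    return indicators


if __name__ == "__main__":
    for name, sample in (("lure", LURE_EMAIL), ("benign", BENIGN_EMAIL)):
        print(name, phishing_indicators(sample) or ["no indicators"])
```

Run as a script it prints three indicators for the lure (domain mismatch, plain http, urgency wording) and none for the benign message. The domain comparison is the check that matters: a spoofed display name and a Google logo cost an attacker nothing, whereas a link that resolves outside the claimed sender’s domain is visible to any filter that bothers to look.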

Days later, hundreds of pages of stolen information, including lists of donors and opposition research on Trump, were published online by an individual using the name Guccifer 2.0, a reference to the Romanian hacker Marcel Lehel Lazăr. Under the alias Guccifer, Lazăr had hacked the emails of Colin Powell and other senior officials before being extradited to the US. American intelligence announced that the latter hack was in fact the work of GRU agents hiding behind the Guccifer persona. In July 2018, Robert Mueller, special counsel for the Department of Justice, indicted twelve GRU agents suspected of being involved in the hack on the DNC servers.

Spear phishing is an example of a broader phenomenon known as social engineering, where hackers use psychological manipulation to gain unauthorised access to their quarry. The poster boy for this practice was Cameron LaCroix, a 16-year-old who in 2005 hacked Paris Hilton’s mobile phone and leaked nude photographs of her online. What appeared at first to be a high-tech attack actually involved him posing as a supervisor from head office, calling a T-Mobile store in a small town in California and requesting the username and password needed to access the company’s customer accounts tools. The employee simply gave LaCroix the security information over the phone.

One of the most virulent contemporary forms of social engineering, not discussed by Shapiro, is ‘pig butchering’, in which scammers develop online relationships with victims and entice them to invest in fictitious cryptocurrency schemes. According to the FBI, nearly $4 billion was lost to pig butchering scams last year in the US alone, a 53 per cent increase on the previous year. According to research by John Griffin, a finance professor at the University of Texas, and Kevin Mei, as much as $75 billion was stolen globally by pig butchering gangs between 2020 and 2024. Although most victims are in their thirties or forties, pensioners who unwittingly hand over their life savings make up an increasing proportion of successful attacks. Suicide is not an uncommon response to such devastating manipulation and the accompanying shame. But it is never an equal contest: blockchain analysis shows that many of the crypto wallets that receive pig butchering funds are linked to transnational organised crime groups. They are run from industrial-scale, multi-million-dollar scam centres, predominantly in South-East Asia, and make use of highly advanced marketing techniques.

Armed with phone numbers and personal data bought on dark web marketplaces, callers – often sporting profile photos of attractive women – make contact with victims under the pretext of having dialled a wrong number before striking up a conversation. Others add multiple phone numbers to a large group chat about a wonderful investment opportunity, full of planted posts from people supposedly spending their gains on foreign travel, fashion and haute cuisine, before directly approaching those who appear interested. Using flirtatious dialogue and playing on the human fear of missing out on a good deal, the scammers persuade victims to buy cryptocurrency and transfer it to their fictitious investment entity. To continue the deception, and encourage the victim to increase their stake, the scammers fabricate screenshots that purport to show how much the funds have grown.

This is only one side of the criminality involved. To acquire staff, the gangs running the scam centres portray themselves as legitimate e-commerce and digital marketing companies offering high salaries and attractive benefits. ‘Successful’ applicants are provided with flight tickets and taxis to take them to their new careers. On arrival, they are stripped of their passports, beaten or threatened with violence and forced to carry out the scams. Despite widespread reporting, pig butchering syndicates continue to flourish. Some are protected by powerful patronage networks. In July 2024, a blockchain intelligence company claimed to have uncovered links between a major pig butchering organisation and members of the Cambodian ruling family.

One obvious way to protect ourselves from cybercrime is to increase investment in cyber defence. In the UK, more than half of all property crime happens online. According to Gallup, hacking became the most feared crime in America as long ago as 2014. Yet the median US company reserves just 2 per cent of its operating budget for IT security. And more than just money is required. As Shapiro writes, ‘cybersecurity is not a primarily technological problem that requires a primarily engineering solution. It is a human problem.’ It is worth remembering that Barack Obama’s computer password was once ‘password’, Mark Zuckerberg (net worth: $196 billion) used ‘dadada’ as his Twitter password and Kanye West’s mobile phone pin code was reportedly 000000.

Much cybercrime can be prevented by adopting cheap and proven safety features such as multi-factor authentication, something that neither the British Library nor T-Mobile operated on their systems at the time they were hacked. As the British Library’s incident report noted with considerable understatement, ‘the lack of multi-factor authentication on the domain was identified and raised as a risk at this time, but the possible consequences were perhaps under-appraised.’

As Shapiro points out, horror stories about viruses, scammers and bots usually portray malign external actors as the greatest threat to cybersecurity. But is that the case? Just over a decade ago, secret files leaked by Edward Snowden, a contractor working at the NSA, revealed that US government agencies had secretly gained access to the databases of Apple, Google, Microsoft and Yahoo, as well as the phone records of all the major mobile networks. They also showed that the UK’s GCHQ had installed physical probes into most of the fibre-optic internet cables coming into and out of the country, allowing it to harvest information without seeking individual warrants. The NSA ‘are intent on making every conversation and every form of behaviour in the world known to them’, Snowden told the Guardian in 2013. ‘What they’re doing [poses] an existential threat to democracy.’ The world’s most prolific hacker was revealed to be the US government. The backlash following Snowden’s revelations forced Congress to repeal the bulk surveillance programme in 2019. ‘At the moment, Americans do not have much to fear from the NSA,’ Shapiro writes. ‘But in the future, they might.’
