The negativity I saw some 10 years ago has just escalated from there. In today’s world, black hats are all about ripping each other off – about flame wars and trolling. It’s counterproductive, if you ask me.DB: Did you ever think you would get caught? MB: No. I was not thinking that long-term, and frankly, I didn’t care. I really had nothing to lose. I was making good money, and I was doing everything I wanted to do. Plus, my family was used to me traveling, so it’s not like they would have missed me or anything. Besides, the police were always looking for me. There were many times that I felt the authorities were nearby. But I was lucky in that I had many friends, some of whom would give me a heads-up now and then. They would tell me to avoid certain contacts, chat rooms, or websites. They would sometimes even tell me to get out of my house. In the meantime, I was able to pull several great heists. Let’s just say at one point I owned half of the customer infrastructure at Telewest – access which allowed me to control about half of the company’s available customer devices. This amounted to a few million in the UK alone. I also secured access to a laptop shop at one point, enabling me to steal 144,000 credit cards in the process. And then there were warehouses, stock markets, and other targets. Even today, I still know of a few systems that are still vulnerable but I could never tell the companies about them because it is illegal to test a computer system without the company’s permission. I could get arrested, and I really don’t want to go back to prison. So yeah, I was never worried about getting caught, and I didn’t get caught, that is, until 2013. DB: How did you prepare for your attack against the UN and the EU? MB: Two people approached me about the job. I had worked with one of the guys a few years before, but I still hardly knew anything about him. We had never met in person. We didn’t know each others' names or nationalities or even what the other looked like, and there was no point in doing so. It was a transaction, so we didn’t bother disclosing things superfluous to the job. Anyway, a guy contacted me through another guy and paid me to hear him and to consider the project. In a short matter of time, I agreed to participate, and it just took off from there.
I had only one objective: to secure access to the carbon credit mechanisms at both the United Nations and the European Union.Shortly after I agreed to help, the guy in charge sent me a list of a few carbon credit traders and asked me to take a look at them. The list was rubbish; there was nothing we could use. So, I created my own lists and infiltrated a few sites for him. We then looked at malware attacks to broaden our reach. To do this, I crafted up a package with a malicious payload, which he in turn distributed to businesses and other entities, including the Indian government and another big site in the UK that shall go unnamed. Eventually, by the magic of the World Wide Web, we had successfully penetrated the UN. DB: What went wrong? MB: At the time, we had unlimited access to the United Nations’ carbon credit mechanism—over 500 million credits were in our control but it all went wrong because of a foolish mistake: the guy I was working with put in the wrong account number when it came time to transfer the stolen credits. In a short while, the guy contacted me, stressing and screaming his head off. He begged me to sort things out, so I logged in to see if I could do anything but it was too late. The system wouldn’t let me process anything. It was concerning but I didn’t feel the need to keep my guard up any more than I usually did. The guy and I just forged ahead and hit the EU, from which we stole 8,000 carbon credits at a value of around £89,000. DB: Under what circumstances did the authorities arrest you? MB: After the job was over, I went back to the Midlands to stay with my mom for a few days. Well, one morning I woke up, and there were 30 police officers in the house. They told me I was under arrest for suspicion of money laundering and for breaching the Computer Misuse Act. I was sent to the police station but I never saw the police. No, I only saw agents who worked for the Serious Organized Crime Agency (SOCA). They interviewed me for 8-16 hours, two days in a row. On the third day, they sent me to court, where I was remanded. They arrested me on six charges. These eventually swelled to 44, but shortly after that, they quickly began dropping off. I ultimately pled guilty to 18 charges, and I was sentenced for only four. In total, I spent around 20 months in prison. I never felt like I belonged there but at the same time, it wasn’t the end of the world. I just kept my head down for the most part. On the side, I took a few web design, business and networking courses. DB: What made you decide to set up your own IT security firm, Red Dragon Security? MB: When I got out of prison, I encountered no resistance in getting on with the rest of my life. In fact, within a week of my release, I was receiving calls from Amsterdam, India and other locations all over the world asking if I was available for work. However, I was on probation (and still am until May of this year), so I couldn’t leave the country. I had to do something in the UK until that time. To be honest, I’ve always had a problem with big businesses.
I know of corporations who pay hackers to infiltrate smaller companies in order to destroy their economic competition. It’s disgusting.I hate when people are exploited. I, therefore, came up with the idea of protecting smaller businesses from these types of security incidents in order to level the economic playing field. This led me to create Red Dragon Security. DB: In what ways does your past influence how you approach security today? MB: My skills have always been offensive-based, so when I approach security, I am able to do so from the perspective of the attacker. However, that doesn’t convey the whole picture. My methods are unique, you see. I’ve been told that I operate differently than hackers. Even the SOCA agents who interviewed me said as much. They said I am more of a planner, like a mastermind who oversees his bank robbers. I’m a big picture kind of guy. Therefore, when I look at how I can help secure a business, I assume the mindset of an attacker but I do not wonder how I can penetrate the business. Instead, I think, “What can I do with my target once I’ve gained access?” Using this method, I am able to understand how different sections of a company might be valuable to an attacker, knowledge which I then use to build a targeted security strategy for that particular company. DB: Are you ever tempted to return to your work as a black hat hacker? MB: No, not really. Don’t get me wrong. I loved hacking. I love how it works and operates but it was the people who made things intolerable near the end. Just as an example, say you hack into a business and steal 100,000 credit card numbers. Stealing the credit cards is the easy part. Getting rid of them is another matter entirely. After all, you can’t sell them to a hacker because they have their own cards they’re trying to make a profit off of. That leaves you with selling the cards to a criminal, which is more hassle than it’s worth. These guys are always coming back and complaining that the cards don’t work, which they use as an excuse to demand more cards. It’s dishonest. With all that in mind, I was honestly getting bored of hacking. When you hit your first 10 or 20 websites, there’s a rush but after 100-200 sites, it just becomes laborious. You have so many credit cards you need to sell, and you’re working with people who are constantly pulling out or who are trying to get out of paying you. You’re better off doing things alone.
Looking back, I’m glad the police caught me when they did.At least I can now invoice a company via PayPal if they hire me to sort out their network. But then again, Red Dragon Security is only temporary. Over next year, I’d like to pursue my broader passions for science and technology and begin sorting out the logistics to create another business. This will involve gathering the necessary security, marketing, finance and business intelligence to do so. For more information about Beddoes and his work, visit http://www.red-dragon-security.com. Editor’s Note: The opinions expressed in this article are solely those of the interviewee, and do not necessarily reflect those of Tripwire, Inc.