Edition 13 – The Thing with the Wanted Posters
I remember being at a networking event hosted by a university, the year being 2022. I saw someone higher up from the Bundeskriminalamt, hanging around by himself. His mind clearly was no longer with the conference, he was having a glass of wine and a snack, I think. I am somewhat hesitant to force people back into working mode once they've shut off for the day, but then again, this was a networking event and I had a genuine question I wanted to ask. Why was it so hard for German law enforcement writ large to talk about their work when it came to their cybercrime-related investigations? More directly: To talk about their findings in particular, once their part of the investigation was finished? Or, even more directly: Why didn't they tell the public about cybercriminals they had identified?
During investigations they're not talking because it would endanger the operation, after the investigation they're not talking because the case is now with the prosecution and hence it is their decision to talk or keep quiet, a perfect Catch-22. Either way, they won't talk.
This person said: "Yeah, we're sort of envious of the F.B.I." Because the Americans were publishing Wanted posters and the Germans were not. The Americans seemed to have a strategy while the Germans were not halfway thinking this through on a strategic level.
Cut to a couple of weeks ago: The BKA has published yet another Wanted poster. It’s far from the first one. All over Germany, law enforcement seems more aggressive nowadays. There are many reasons for that, the one I am hearing most often is this: They want to let everybody know that they have had capabilities all this time. Of course, I'm a reporter and conveying this message to me is good and easy PR. Things have changed.
Putting out the word
The reason I'm writing all of this is because during the last couple of years I was part of four investigations that ended up identifying people for the first time publicly. Even if we didn't use their full names – broadly speaking: for privacy reasons, in stories like this, what’s being done most commonly is to use the first name and the initial of the last name, so I'd be referenced as Hakan T. – these were the very people law enforcement agencies had been investigating and trying to maybe even catch and put in prison here in Germany. And then we published stories about them. As you can imagine, the job of catching criminals gets harder after their names, identities and lifestyles have been "in the press".
So I've been in the position of putting out the word about cybercriminals, sort of making things "officially known", once we hit that publish button. I'll get to that in a second. Which is why I wanted to talk a bit about the reporting process in this edition of the newsletter. There are some (finer) points that I think are worth mentioning.
The cases
| Ransomware Group | Wanted Poster | Reporting |
|---|---|---|
| REvil | | |
| Conti | | |
| Black Basta | | |
If you disagree with any of this, as always, feel free to reach out: readwritenewsletter@proton.me or even directly: hakan.25 on Signal
The caveat
As a caveat: This is my personal opinion, which has evolved throughout the years. Also, more importantly, the reporting has been a team effort. Final decisions get made by the team, ultimately by higher-ups. Lawyers have their say as well, rightly so. That being said, this is where I'm at right now.
Why publish in the first place
One of the main arguments I'm hearing in discussions is this one: Why publish in the first place? If we know that law enforcement is already on the case and they have identified someone, why not let them do their job? They will catch that person eventually, hopefully. And sometimes, they do, years later.
But the people we are talking about continue in the meantime. They hack their way into companies, encrypt the data, send a ransom note. And the public simply deserves to know who these people are, pilfering millions of dollars. There's a reason why the Bundeskriminalamt in their yearly update on cyber-related crimes has called ransomware one of the biggest threats to Germany.
I don't know whether it makes a difference for the company to know who actually has hacked them, but I sincerely think that it makes life harder for many of the perpetrators. They instantly know that their world got a bit smaller. Certain countries are out of reach now, because if they travel there, they might end up being extradited to Germany. And while these people might be rich, they're also vulnerable in that way.
Mistakes get made
Also consider the case of Mr. Shchukin: During the reporting process, we were able to find out that he vacationed in Turkey. There's a legal treaty between Germany and Turkey. Authorities over here could've tried to have Mr. Shchukin extradited. Put him in detention, review the evidence, have a judge decide whether that's enough to send him to Germany.
But that outreach has never happened. For whatever reason. After the Wanted poster was released recently, one person familiar with the case was clearly upset about the whole situation, speaking about a "chance missed".
In other words: Law enforcement also make questionable decisions, and those need to be answered publicly. Simply waiting is not really an option.
Who gets to know? The criminal angle
There's this fascinating moment (to me at least), most commonly near the end of the reporting process. That's when you as a team write down all of the findings and reach out to every person and entity that materially appears in the reporting, e.g. you accuse them of having done something wrong. This is generally called the "Right of Reply". They have to be able to respond both in a timely manner and have their reply included in the article, e.g. denying having done something wrong.
This moment is fascinating for three reasons:
1. You've been working on something for quite a long time, hoping that you can do so unnoticed, and once that “do you want to reply”-mail gets sent, that part is over.
2. While you think that you know all of the facts, you still might be wrong. You might be only seeing a piece of the puzzle, there might be more to the story.
3. The other side now knows what you know.

While the last item is very similar to the first one, I’d see those two separately. The first one applies to reporting in general: You send the mail, your investigation moves on to the next phase. The other side knowing what you know (or rather: are thinking about publishing) sets off movement on their part.

Take one of the three cybercriminals mentioned above for example: If we're going to write in our story about him owning a watch that can cost somewhere between ten to seventy thousand dollars, we will have to ask him about that watch. If we're going to ask him about the vacation in Turkey, he'll know how we know these things. The associated social media accounts go dark. The WhatsApp profile picture suddenly vanishes.
By that point, we have everything archived already, obviously, but they're doing this so other people don't get a chance to peek into their world, they're private people.
So, when I said earlier things are "officially known", that's why. We ask them directly. They're one of our first readers, so to speak, they know the rough details of what is going to come.
Who gets to know? The law enforcement angle
But also consider this: Prior to running a story like this, one obvious question arises: What has law enforcement been up to? Do they know about this person? Are they working on an operation to have him extradited?
So, naturally, as a reporter I reach out to law enforcement as well and try to have “on background” conversations. In these conversations law enforcement can talk a bit more freely without having to fear that I’ll quote them with everything they’re saying. What I get out of this: A clearer picture whether something is up.
Access journalism
There’s this thing in journalism referred to as “access journalism”. In simple terms: if you’re too close to power, power will eat you up and more often than not you will see things like people in power do, and your reporting accordingly runs the risk of no longer being fair.
Consider this: Years ago, I had a conversation with national security people telling me that it would harm their ongoing investigation if we were to publish the existence of a specific server. The hackers would know about them being surveilled, and stop using that server, which was located in Germany. The government would lose sight.
My initial gut reaction, a bit childlike, was to definitely publish. But that’s why I like to work in teams. After some thinking and discussions, we decided that this particular piece of information was not crucial to the investigation itself. And just including something because we were able to find it out, is not enough.
After all: What’s the real value of putting information like this in a story? It would not make a tangible difference. Weighing this against the argument that the government would effectively lose sight, changed my mind. We didn’t include the information about the server in the story.
Working together with law enforcement
The short version: I don't.
But let's take this argument seriously for a second. We're all using sort of the same methods anyway. OSINT Industries, leaks, WhatsMyName, PyDriller and all these ever-changing tools out there. Why not work together, what's so different?
Well, I'd like to be talking with cybercriminals. That's why I reach out to them. I want to understand why they're doing what they're doing. I'd be interested in hearing from Oleg Nefedov directly how he managed to slip away from being extradited to the United States after already having been in a courtroom in Armenia. Think of that situation for a moment, what an insane thing it is to have happened to you.
But who'd be talking with me if I were passing on that type of information to law enforcement? Nobody.
So when I said that we’re using “sort of” the same methods, there are still a lot of differences. Tools are, after all, just one skillset. There’s a reason why (law enforcement) agencies have special rights. They don’t need my input, and if they think they do, it’s not a good sign.
I'm very fine with giving talks in front of law enforcement, being in touch with them about tools and techniques, and also talking about "IoCs", if that helps me get a story or understand it better, but that's just regular, professional conduct. They do their job, I do mine.
The “missing” poster
Going back to the Wanted posters and the stories we published: There's a fourth story I worked on, dealing with hackers working for an intelligence agency. There as well, we didn't name the hackers, but we know that law enforcement knows about them.
To this day, there are no Wanted posters in this case, the espionage one.
Money, theft, extortion get your face on a Wanted poster. Writing tools that facilitate decade-long political espionage doesn’t. That's clearly also a sign. About what's accepted behaviour – and what is not.