CHAPTERS
- 0:00 – 3:01
Scattered Spider and the UK retail attacks (M&S, Co‑op, Harrods)
Joe explains what “Scattered Spider” is and why it’s been blamed for disruptive attacks hitting major UK retailers, with similar activity spilling into the US. He frames the group as loosely coordinated, attention-seeking, and unusually chaotic compared to traditional cybercrime gangs.
- Recent high-profile UK retail disruption tied to ransomware-style incidents
- Scattered Spider as a CrowdStrike nickname for a loose, distributed collective
- Discord/Telegram coordination rather than a rigid hierarchy
- Motivations: money, notoriety, and chaos more than hacktivism
- 3:01 – 5:12
Clout-driven hacking culture: from Twitter to closed channels
The conversation shifts to how social platforms changed hacker incentives, rewarding attention and “infamy.” Joe argues modern clout-chasing has moved from public Twitter/X to more insular Telegram/Discord communities while keeping the same status dynamics.
- Social media reoriented hacking toward public recognition and clout
- Twitter’s “followers/retweets/likes” era as a turning point (e.g., LulzSec)
- Today’s bragging and recruitment happens inside private channels
- Why “glamorizing” groups (merch/figurines) can feed the problem
- 5:12 – 7:52
Inside “the Com”: teen delinquency, sextortion, and coercive abuse
Joe outlines the broader online ecosystem (“the Com”) that Scattered Spider emerges from, including serious harms beyond network intrusion. He describes sextortion and the disturbing coercion tactics used to intimidate victims and establish dominance.
- “The Com” as a large online subculture of delinquency (mostly boys)
- Sextortion mechanics and why it’s so damaging
- “Cut signs” and coercive self-harm as a power display
- These behaviors have historical precedent in earlier teen hacker crews
- 7:52 – 10:17
How organizations get hacked: social engineering → lateral movement → ransomware
Joe demystifies break-ins: many start with basic social engineering (helpdesk calls, phishing) rather than movie-style coding. Once inside, attackers escalate privileges, spread through networks, and deploy ransomware that can cripple operations.
- Helpdesk impersonation and phishing as common initial access vectors
- Post-compromise ‘real hacking’: exploiting internal weaknesses to expand access
- Ransomware basics: encryption, ransom notes, Bitcoin payment demands
- Why ransomware is currently the dominant cybercrime threat
- 10:17 – 18:36
Personal defense basics and the looming risk of cyber-physical harm
They discuss practical steps that reduce risk (password managers, avoiding weak/reused passwords) and why attackers pick the easiest targets. The chat expands to future cyber-physical stakes, including autonomous vehicles and failures in “smart” systems.
- Password managers as a high-leverage personal security upgrade
- Attackers target the ‘easiest bucket’—raise your baseline difficulty
- Autonomous vehicle hacking as a plausible future threat surface
- Smart devices and automation increase dependency and blast radius
- 18:36 – 22:03
From chaotic good to chaotic evil: why teen hacking turned criminal
Joe argues two accelerants drove the moral shift: clout incentives (social media) and monetization (Bitcoin/crypto). The ability to get paid anonymously transformed pranks and exploration into extortion and organized cybercrime pathways.
- Twitter/X as a cultural accelerant; Bitcoin as a financial accelerant
- Crypto’s anonymity lowers friction for extortion and laundering
- Early ‘carding’ vs modern ransomware: traceability and scale differences
- Gift cards as a lower-tech alternative for extracting value
- 22:03 – 26:41
Noob Persistent Threats (NPTs): underestimated teens, big consequences
Joe distinguishes professional ransomware ‘cartels’ from teen hacking culture, while emphasizing that teens can still be extremely dangerous through persistence and audacity. He explains why these groups are often “gettable” yet still cause outsized damage.
- Organized ransomware groups operate like businesses with defined roles
- Teen gangs are less structured but increasingly effective (e.g., Scattered Spider)
- ‘NPT’ framing: not advanced, but persistent and threatening
- Poor operational security and low fear of consequences drive repeated success
- 26:41 – 33:03
Where cybercrime clusters: Russia’s ecosystem and North Korea’s money hacks
Joe explains why major cybercrime operations are often linked to Russia/Eastern Europe, including informal rules like not targeting Russia or former Soviet states. He also highlights North Korea’s unusual model: state-backed hacking explicitly for revenue generation via crypto theft.
- Signals of Russian-based gangs: language, working hours, holiday patterns
- The “don’t hack Russia” rule and what happens when it’s broken
- Ransomware affiliate models mean attackers can be globally distributed
- North Korea’s distinctive focus on stealing crypto to fund the regime
- 33:03 – 37:42
Cyber as warfare: NATO thresholds, Stuxnet, and the NotPetya catastrophe
They explore when cyberattacks might be treated like kinetic attacks and why governments hesitate to invoke war-like frameworks. Joe tells the Stuxnet story as targeted cyber sabotage, then contrasts it with NotPetya—an uncontrolled worm that caused massive global collateral damage.
- Why ‘act of war’ classification is politically and strategically fraught
- Stuxnet as precision sabotage of Iranian centrifuges
- NotPetya as a destructive ‘fake ransomware’ worm that escaped Ukraine
- Real-world economic consequences (e.g., Maersk reverting to pen-and-paper)
- 37:42 – 42:37
How cybersecurity firms and police catch hackers: follow the money and the mistakes
Joe describes investigative techniques like tracing crypto flows, plus a recurring reality: criminals often get caught through arrogance and operational blunders. He previews the Julius Kivimäki case, where a catastrophic self-own exposed extensive evidence.
- Attribution methods: TTPs, infrastructure clues, and financial tracing
- Why ‘covering tracks’ (OpSec) is harder than executing the hack
- Cybercriminals frequently get lazy, sloppy, or overconfident
- Small errors can unravel an entire identity and history
- 42:37 – 45:48
Lizard Squad’s Christmas takedown and Joe’s first on-air hacker interview
Joe recounts the 2014 Christmas DDoS attacks that knocked Xbox Live and PlayStation Network offline, and how it became his first major cyber story. He describes the frantic newsroom push to book a hacker interview and how he traced sources to reach “Ryan.”
- DDoS as ‘traffic flooding’ that can still cause major disruption
- Impact of attacking gaming networks during peak holiday demand
- Joe’s rapid attempt to locate and interview an anonymous hacker
- The early thread connecting teen notoriety to larger cybercrime trajectories
- 45:48 – 54:29
Julius Kivimäki: harassment, bomb hoaxes, swatting, and ‘haunted’ victims
The discussion expands from pranks to sustained cruelty: Kivimäki’s alleged tactics included harassment campaigns, bomb threats, doxing, swatting, and weaponizing deliveries to terrorize families. Joe emphasizes the psychological toll and how “anonymous” power bleeds into real life.
- Escalation from online attacks to real-world intimidation and danger
- Bomb hoax against a Sony executive leading to armed questioning
- Swatting and doxing as long-running harassment tools
- Victim impact: fear, instability, and persistent trauma
- 54:29 – 59:16
The Vastaamo psychotherapy breach: a four-minute intrusion with life-altering fallout
Joe explains how weak security enabled the theft of highly sensitive therapy notes for tens of thousands of patients. He details the extortion campaign—first against the company, then directly targeting victims—highlighting the unique severity of this data type and its long-term harm.
- Simple exploitation of exposed servers; poor security practices and accountability
- Extortion escalation: company ransom → leaks → victim-by-victim blackmail emails
- Why therapy notes are among the most sensitive data imaginable
- Reported long-term trauma for victims; allegations of suicides linked to the breach
- 59:16 – 1:09:20
Capture, extradition, and courtroom drama: Red Notice, Paris arrest, and conviction
Joe walks through the international hunt, the Interpol Red Notice, and the unexpected Paris arrest after a domestic disturbance call. He then summarizes the Finnish trial structure, evidence challenges, the conviction, and the bizarre episode where Kivimäki disappeared after being granted bail.
- Interpol Red Notice mechanics and why it’s a ‘nuclear option’
- Paris arrest via identity suspicion on a Romanian passport alias
- Finnish judge-led trial (no jury) and holistic evidence assessment
- Bail fiasco and police ‘GeoGuessr’-style Airbnb identification
- 1:09:20 – 1:15:52
The ‘most wanted’ cybercriminal hunt in Russia: EvilCorp and Maksim Yakubets
Joe recounts traveling to Moscow to investigate EvilCorp and the Yakubets family, aiming to hear the accused side directly. The reporting turned tense and risky, raising questions about state tolerance, money laundering links, and the dangers journalists face when probing Kremlin-adjacent cybercrime.
- EvilCorp as an ‘OG’ Russian cybercrime operation with family leadership
- $10M reward and the challenge of pursuing suspects inside Russia
- Interview with Yakubets’ father and his denials vs visible wealth indicators
- Intimidation, surveillance fears, and a colleague later forced to flee Russia
- 1:15:52 – 1:25:44
When security itself breaks the world: the CrowdStrike outage and regulation gaps
They revisit the 2024 CrowdStrike update that triggered widespread Blue Screen of Death failures across critical systems, causing global disruption. The episode closes on whether regulation can catch up, the security–convenience tradeoff, and looming challenges like quantum decryption timelines and underpaid public-sector cyber roles.
- CrowdStrike update bricking millions of machines and disrupting airlines/services
- Legal and financial fallout (major lawsuits) still unfolding
- Most breaches still rely on old tactics: unpatched systems + social engineering
- Future risks: Q-Day, harvest-now-decrypt-later, and public-sector talent shortages
- 1:25:44 – 1:26:41
Wrap-up: Joe Tidy’s book and where to find his work
Chris and Joe close with Joe’s book details and release timing across regions and formats. They end by teasing future investigations and continued coverage of emerging cybercrime stories.
- Book: “Ctrl Alt Chaos: How Teenage Hackers Hijacked The Internet”
- Release and distribution plans (UK, Finland, US; audiobook)
- Chris praises Joe’s reporting and communication style
- Closing remarks and episode end
