Cybercrime , Fraud Management & Cybercrime , Ransomware
The Ransomware Files, Ep. 10: Dr. Ransomware, Part 2A Cardiologist Stands Accused of Being a Ransomware Kingpin. But Is He the Victim?
Is a practicing cardiologist living in Venezuela also a ransomware mastermind? If U.S. prosecutors are to be believed, Moises Luis Zagala Gonzalez is a cybercriminal polymath.
He's on the FBI's Most Wanted list for cybercrime, but people who know him say the accusations cannot be true. Zagala is charged in federal court in New York with developing ransomware applications called Jigsaw and Thanos that infected organizations and companies around the world between April 2019 and March 2021 (see: Feds Say 'Multi-Tasking Doctor' Built Thanos Ransomware).
But Zagala's wife says there's a reason for her husband's predicament. How does the evidence the U.S. government revealed so far stack up against her claim? The second part of the "Dr. Ransomware" episode looks at the evidence.
After the charges were announced against Zagala in May, many Venezuelans took to social media to describe their shock, including his wife, Rosanny.
"We are in shock but seeking legal advice both here and in the USA to defend ourselves," she writes in a message circulated on WhatsApp. "Moises had his email accounts hacked a few years ago, and apparently they were used along with his identity to scam.
"With the greatest respect, I clarify that Moises is a man of integrity, a family man, with values and principles who would never lend himself to such acts. God willing, we'll get the right legal team to clear his name."
The U.S. government has revealed some of the evidence it holds in a criminal complaint. It revolves around email, PayPal and a cryptocurrency account. The government also has personal information Zagala provided to Customs and Border Protection when he entered the United States.
Tony Martino is director of the Northeast Cybersecurity and Forensics Center at Utica University in New York. A digital forensics expert with more than 20 years of experience, he says the user attribution evidence released so far is "flimsy."
"I'm not trying to create Moises Zagala's defense for him," Martino says. "And I'm not willing to say it's not him. There's just too much here. It seems too difficult for this to be exactly true the way it's written. Could anyone this smart be that sloppy? And it seems like the answer is 'No.'"
"The Ransomware Files" is a podcast miniseries available on Spotify, Apple Podcasts, Google, Audible, Stitcher and more. I’m exploring the impact of ransomware, one of the greatest crime waves to ever hit the internet. Schools, hospitals and companies have fallen victims to cybercriminals encrypting their data and demanding payment. But IT pros are fighting back, and they have stories of resilience and fortitude.
If you enjoyed this episode of "The Ransomware Files," please follow it on a podcast platform and leave a review. Also, the show has a Twitter handle, @ransomwarefiles, that tweets news and happenings about ransomware.
If you would like to participate in this project and tell the information security community about your organization's brush with ransomware, please get in touch with me at firstname.lastname@example.org or direct message me here on Twitter. I'm looking for other people, organizations and companies that can share their unique experiences for the benefit of all until ransomware, hopefully, is no longer a threat.
Speakers: Alexander Mindlin, Assistant United States Attorney, Eastern District of New York; Anthony Martino, director of the Northeast Cybersecurity and Forensics Center at Utica University; Thomas Holt, Professor, School of Criminal Justice, Michigan State University; Ana Vanessa Herrero, Journalist; Jeremy Kirk, Executive Editor, Information Security Media Group.
Production Coordinator: Rashmi Ramesh.
Special thanks to Ana Vanessa Herrero in Caracas for reporting and research that contributed to this episode. Special thanks to Alexandra Perez, David Perera, Tom Field, Mathew Schwartz and Anna Delaney for other production assistance. Thank you to Intel471 for sharing cybercrime intelligence useful for this episode.
The Ransomware Files theme song by Chris Gilbert/© Ordinary Weirdos Records. Other original music in this episode by Chris Gilbert, Finley Kirk and Jeremy Kirk. Additional music by Podcastmusic.com and Uppbeat.io.
- Cyrus Peikari, Anton Chuvakin, Security Warrior, January 2004;
- Dark Ridge, A delayed strainer by Fravia+, July 26, 1999;
- Davide Eynard, HcuStory, June 11, 2014;
- Department of Justice, Hacker and Ransomware Designer Charged for Use and Sale of Ransomware, and Profit Sharing Arrangements with Cybercriminals, May 16, 2022;
- Department of Justice, An amended affidavit and complaint in support of an application for an arrest warrant against Moises Luis Zagala Gonzalez, May 16, 2022;
- Malpedia, Hakbit aka Thanos ransomware, November 1, 2021;
- Nyotron, RIPlace Evasion Technique, Oct. 12, 2020;
- Recorded Future, New Ransomware-as-a-Service Tool ‘Thanos’ Shows Connections to ‘Hakbit’, June 10, 2020;
- Security Intelligence, From Thanos to Prometheus: When Ransomware Encryption Goes Wrong, November 1, 2021;
- Talon @ S2WLAB, Quick analysis of Haron Ransomware (feat. Avaddon and Thanos), July 22, 2021;
- Unit 42, Palo Alto Networks, Thanos Ransomware: Destructive Variant Targeting State-Run Organizations in the Middle East and North Africa, Sept. 4, 2020;
- ZDNet, Iranian state hacker group linked to ransomware deployments, Oct. 15, 2020;
Jeremy Kirk: The last episode of The Ransomware Files described perhaps one of the most odd and intriguing criminal cases involving ransomware. Moises Luis Zagala Gonzalez is a cardiologist. He was charged by the U.S. government in May 2022 with creating ransomware programs called Jigsaw and Thanos. The government alleges he’s an old-school hacker from the late 1990s who got into ransomware as a side hustle alongside his career as a doctor in Ciudad Bolivar, a city in southeastern Venezuela.
Alexander Mindlin: He's accused essentially of conspiring with users of his ransomware to carry out ransomware attacks on victim networks.
Kirk: Moises is now 55 years old, which is pretty far out of the typical age range of someone in the ransomware business. By all appearances, he comes from a real high-achieving family. There’s a brother who is dental specialist, another brother is a lawyer and yet another is in a high-ranking job in the national police. People who know him and his family are dumbfounded and say the accusations could absolutely not be true.
Pedro Jose Yepez: I’m still hallucinating because he’s a medical colleague, and he was my university professor.
Kirk: Is the U.S. government’s case against him accurate in that Moises Zagala is a criminal polymath?
Tony Martino: There's just too much here. It seems too difficult for this to be exactly true the way it's written. I mean, could anyone this smart be that sloppy? It seems like the answer is no.
Kirk: In part 2 of Dr. Ransomware, we’re going to try to answer some of the big questions around this fascinating case. Is possible for a medical doctor to be deeply involved in cybercrime? Will he be extradited to the United States? What does he and his family have to say? We also have information that suggests what legal defense Moises might employ were he to face the charges levied against him. We’ll analyze how that defense might stand up against the evidence that the U.S. government has so far released.
This is The Ransomware Files. I’m Jeremy Kirk.
In this podcast mini-series, I’m exploring the impact of ransomware, one of the greatest crime waves to ever hit the internet. Schools, hospitals and companies have fallen victim to cybercriminals encrypting their data and demand payment. But IT pros are fighting back, and they have stories of resilience and fortitude.
Kirk: To understand more about Moises Zagala and this story, we need to understand more about Venezuela. For at least 15 years, Venezuela has faced particularly trying circumstances. Political and economic turmoil have had a ruinous effect on the daily lives of Venezuelans. The country has been under sanction by the United States and other countries for years for alleged human rights issues, corruption and authoritarianism.
And although Venezuela is rich in oil, falling oil prices over the last few years and government mismanagement has meant a continuing economic crisis. It has made life extremely difficult for its 30 million people. There’s high inflation, high unemployment and for those who do have jobs, low wages. And health care has suffered greatly.
For example, if you get sick and go to a hospital in Venezuela, there’s a chance the facility may not have adequate access to clean water. It may not have much medicine. The group Doctors Without Borders says the health system there is in tatters. Doctors face very trying conditions. While hospitals are supposed to be safe places, in Venezuela, they’ve often turned into battlegrounds. Doctors have been often the most vocal about the country’s deteriorating conditions. That has made them targets of opponents even when they’re on duty in a hospital.
Ana Vanessa Herrero is a journalist in Venezuela who has been helping me with this episode. She has written about Venezuela’s health care system and has witnessed confrontations in hospitals. In fact, in 2014, she was trying to interview a patient about the conditions and was chased out of a hospital by men with guns.
Ana Vanessa Herrero: It's still violent. Very, very violent. So being a doctor here is not only heroic, you need a lot of skills to survive being a doctor in a public hospital in Venezuela. Not only because of the wages, but because you're actually in deal in real danger if you work at a hospital.
Kirk: Then, there’s the terrible pay. In 2019, National Public Radio published a story describing the low wages of doctors and nurses. One doctor told NPR he made just $12 a month from two jobs at public institutions. It’s estimated that half of the country’s doctors have left the country because of the poor conditions. Medical professionals who work for private clinics may, of course, make more.
However, Moises Zagala has stayed around. He works at a private clinic in Ciudad Bolivar, which is a city of about 400,000 people in southeastern Venezuela. After the charges were announced, many people took to social media to describe their shock. A man named Marcos Lima Martinez tweeted this:
Marcos Lima Martinez: The news has shocked us, but I think we have to be cautious before making judgements. He was my professor of cardiology, and I can attest that is a very prepared person. Surely, Dr. Zagala has a lot to say, and it is fair that he can defend himself.
Kirk: Ana reached out to Pedro Jose Yepez, who was Moises’ student around 2013. He says that Moises was brilliant, strict and astute. Pedro tweeted this after the news about Moises became public:
Yepez: I’m still hallucinating because he’s a medical colleague, and he was my university professor.
Kirk: Ana also reached Marcos Rodriguez Mejias, who is now a doctor and was also one of Moises' students. He says that Moises encouraged his students to work hard and travel around the world. In turn, Moises would talk about his family, and wines he likes and his travels. Moises’s way of teaching was different than other teachers, Marcos says. He was smart and very didactic. Marcos says he projected the image of a man who is quite morally responsible. Marcos says Moises told his students that they should make an effort to live with dignity. Overall, Marcos says he has doubts that Moises was capable of doing what he is accused of. Other Venezuelans had light-hearted reactions. Someone tweeted in reply to Pedro Jose Yepez’s tweet that Moises is “our own Walter White,” in reference the lead character in the TV series “Breaking Bad.” Walter’s a high school chemistry teacher who, faced with a terminal illness, starts manufacturing and selling illicit drugs.
I want to make clear here as I did in part 1 that the allegations made by the U.S. government against Moises have not been tested in court. He is charged in federal court in the Eastern District of New York with one count of attempted computer intrusions and one count conspiracy to commit computer intrusions. No part of this podcast should be taken as implicating his guilt. However, we are going to explore if - hypothetically - aspects of the U.S. government’s allegations may be true.
With all that background about Venezuela, what’s daily life like for Moises in Ciudad Bolivar? It suffers from poor water supplies, erratic electricity and has been a hub for political protests for years. What you’re hearing is the sound of a protest. For years, demonstrators in Venezuela banged on pots and pans to protest food shortages.
We might have a clue to a part of Moises’ life from a Twitter account we found with a username of “@moiseszagala.” The account has been deleted, but hundreds of tweets from it are still on the internet archive. We weren’t able to definitively link this account with Moises Zagala. The photograph on the account was fuzzy but sort of looked like three people who resembled other people we’d seen on Zagala's social media accounts.
Between 2019 and 2020, it was an active account. The person controlling it would frequently reply to tweets from another Twitter account run by Hidrobolivar. That’s the water utility for the state of Bolivar in Venezuela, which includes Ciudad Bolivar.
The person tweeted sometimes several times a day about the water supply issues in the state. It was often biting, sharp commentary with kind of a dark tinge. For example, Hidrobolivar would post photos of a meeting. @moiseszagala would reply: “Half of the city is without water. What is this meeting about? A birthday?” In another, Hidrobolivar posted photos of some infrastructure work on a pump motor and @moiseszagala responded: “They totally abandoned the water service. They stayed on Twitter. Nothing else.”
I chatted with Ana under the assumption that this account belonged to Moises.
Herrero: It shows you how the day-to-day life is. He is a doctor who is actually very worried about the running water situation. And he's constantly going on Twitter to demand access to water services.
Kirk: As you heard in the last episode, we’ve been trying to get in touch with Moises since shortly after the charges were announced. Moises has a brother in Caracas named Guillermo. He runs his own prosthodontics clinic, which is a dental specialty that can involve procedures such as replacing teeth. Ana reached out to Guillermo on Facebook Messenger.
Herrero: I need to tell you what happened today. Um, I contacted Guillermo.
Kirk: Oh great. What… what… did he have to say?
Herrero: I said that you and I were working on this. He immediately attacked me.
Kirk: Hmmm. Yeah, not a good start. Here’s how it went down over Facebook Messenger.
Herrero: Hello, doctor. Good day and thanks for adding me.
Hola doctor, feliz dia y gracias por agregarme.
Guillermo Zagala: You really must believe that we are stupid or we don't have enough to eat. Do me the favor of bothering me more. I'm going to file a complaint for harassment.
De verdad ustedes deben creer que nosotros somos estupidoes o no tenemos para comer hagame el favor de molestar mas ya voy a ponerle una denuncia por acoso.
Herrero: I understand your annoyance. It's the first time I've contacted you. If you want to talk, I remain at the ready.
Entiendo su molestia. Es la primera vez que lo contacto. Si quiere conversar, quedo a la orden.
Guillermo Zagala: Ms. - I’ll repeat. Please do not bother me anymore. I'm going to take photos of this chat, and I'm going to report you for harassment. Enough hurting people. You don't care about anyone's life. Garbage!!
Sra le repite haga el favor de no molestar mas le voy a tomar fotos a este chat y la voy a denunciar pro acoso. Ya basta de hacer dano, a uds no les importa la vida de nadie. Basuras!!
Kirk: While Ana tackles the tough task of contacting Moises’ family, let’s look at a hypothetical tangent relevant to this case: What drives someone to get into cybercrime? Financial need would be an obvious reason. But if what the U.S. government alleges is at least somewhat true - which is at minimum is that Moises is an seasoned software developer - could there be something deeper in play here than just earning some side money?
If you’ve listened to part 1, you’ll remember that in the late 1990s, Moises was allegedly part of an elite group of hackers called High Cracking University. It’s alleged that he operated under the nickname Aesculapius, who is the Greek god of medicine. High Cracking University specialized in “cracking” software, or removing digital protections. Software vendors put those protections in place to make it harder to look at the source code and try to prevent using the software without paying for it. But High Cracking University’s mission wasn’t profit by selling unlicensed software but rather to conquer the intellectual challenge of breaking it.
Thomas Holt is a professor in the School of Criminal Justice at Michigan State University. He researches the behavioral traits of people who get involved in computer hacking and malware. Thomas says he sees recognizable patterns in the criminal complaint against Moises.
Holt: Some of what you describe and some of what's in the criminal complaint matches with what you can observe about aspects of the hacker culture even today. And to some degree, also, the way in which an economic situation might affect the choice to go into, say, a legit career versus a cybercrime career. It makes sense. There's a lot of that, obviously, in Romania and certain parts of Russia with the notion that there's national police tolerance of foreign targeting, where, you know, just as long as you're not messing up too hard here, we're going to allow you to keep going.
Holt: Given the amount of work that would be involved, this would not have been something I imagined he could have pulled off without anyone noticing the amount of time he spent on a computer. I would think that there'd be quite a bit of time management unless his family wasn't around or gave him a lot of time, that sort of calls to question when was he doing the work and where and to what extent did his day job suffer at times because of his side hustles?
Kirk: Not only did this person have the time to create ransomware, but Aescalapius had time for customers, too. Aescalapius was polite, responsive and quite helpful to those who bought the tools even when the customers aired mild criticisms. For example, in June 2019 on one hacking forum, someone wrote this to Aesculapius in regards to the Jigsaw ransomware.
Jigsaw customer: The ransomware’s design looks like crap. You should work on that.”
Aescalapius: Thanks for your opinion. I did add a metallic skin to the decryptor, but for the ransomware itself that would increase the size without adding functionality. So I’m not that convinced to do it but there is already a transparency class and a skinning system - very user friendly - included in the project for those who want it to look better and wish to activate that too.
Kirk: Even the government’s criminal complaint notes the positive feedback received by the developer of Jigsaw and Thanos . Here’s another exchange with a Jigsaw customer.
Jigsaw customer: Sir, I really need to say this. You are the best developer ever.
Aesculapius: Thank you, that is nice to hear. I’m very flattered and proud.
Kirk: That sort of response is almost like - I don’t know - criminal job satisfaction?
Holt: Seeing some of the comments in the criminal complaint also from customers, makes me wonder if there's some degree of ego development that's at play here to where even if he didn't make gobs and gobs of money, the notion that people are giving him extremely positive feedback and talking about how simple the tool is to use, how you don't have to have a substantive coding background in order to be effective, even running the affiliate model - that to me speaks of someone who's probably in it to some extent for the community recognition, perhaps that notion that "I am good, I'm competent. People like what I do." And you saw that to some degree in the '90s, where it was about social reinforcement. Even to some degree still, there's some of that, but the criminal side of it, particularly the ransomware side of it, you don't see that ego stroke being quite as comparable to the profits that a person is going to make.
Kirk: There’s also what Thomas calls the “deviant aspect” of cybercrime.
Holt: Could be the deviant aspect of it, and maybe slightly attractive. Also, there's a lot of fun in being bad, and that is sort of the emotional management part of it. That could be at play here also.
Kirk: Now we have a few things in the mix. A bit of ego, deviant attraction, money, perhaps even some necessity. So another big question is how much money did the development and sale of Jigsaw and Thanos net?
The short answer is there are some figures but overall its till unclear. We can look to the 20-page criminal complaint written by FBI Special Agent Chris Clarke to get some answers. So, let’s try to tally the money.
We don’t start off at a great point. The FBI openly admits in the criminal complaint that the total number of copies of malware allegedly sold by Moises is unknown.
We know that Jigsaw sold for $500 U.S. dollars a copy. The underlying source code was available for $3,000 U.S. dollars.
The FBI alleges that Moises took in $4,580 for malware between August 2019 and April 2020 via an unspecified e-commerce platform, which may have been Shoppy (there's Shopee and Shoppy both. Can you confirm the spelling for this, please?). But we don’t know what was sold to get that money.
Moises is also accused of developing Thanos, which if you remember, builds other customized ransomware program. It’s known in the malware business as ransomware builder. Now this is where the real money may have been.
The FBI alleges that forensic data showed that 38 copies of Thanos were sold. It appears Thanos was offered for $500-$800. 38 X $500 is US$19,000. OK. So we’re up to $23,580.
But Moises is also accused of running what’s called an affiliate program around Thanos. There’s a whole cybercriminal economy around ransomware and an important part of it are these programs. In a ransomware affiliate program, someone supplies the ransomware and other infrastructure, and separate groups of cybercriminals use it to infect organizations. In that arrangement, usually the criminals who use the ransomware pay a 20-30% share of a ransom back to the ransomware developer.
We know that there were quite a few victims of ransomware programs that were created by Thanos. Those ransomware variants went by the names such as Prometheus, Haron or Avaddon, Spook, Hakbit, Midas. They infected businesses and organizations around the world throughout last year: Peru, Mexico, Canada, Chile, Brazil, Italy, France and more.
We don’t know the terms under which Thanos was offered but we can try to at least get a low-ball figure of what it might have brought its developer. In 2021, the average ransom demand in the U.S. was around $2.2 million. Now, of course that’s just the demand, not the amount that victims actually paid. The amount usually comes down after negotiations and of course sometimes isn’t paid at all.
Alright, so let’s just pretend that a company hit by a variant of Thanos pays a $500,000 ransom. So that’s just a quarter of the average ransom asked in 2021. Alright. So what’s the cut for the developer of Thanos? Let’s just take the low side, 20%. Twenty percent of $500,000 is $100,000.
So even if just three deals went through in a year, that’s $300,000 U.S. dollars. That kind of money would put someone as a top statistical earner really anywhere in the world, let alone Venezuela. Now this is just back-of-napkin speculation and we do not know the full details, but it’s an idea of just how money a ransomware affiliate program could potentially generate for someone.
Meanwhile, Ana dug up something very interesting. After the charges against Moises were announced in May 2022, several Venezuelans took to Facebook, Twitter and WhatsApp. WhatsApp has a role in distributing community news. Ana says that someone writes a message, which then gets forward to several groups and then on and on. It’s how people get information, particularly outside of Venezuela’s capital, Caracas. Ana found a message that Moises’ wife, Rosanny, has posted on WhatsApp.
Kirk: Wait, wait. So say that again. So she says that his email had been hacked, and that somebody else is using his identity for all of this stuff?
Herrero: She says "he's not the person they say he is. He is a good person. He's a doctor. He's not a hacker. This is very regular, and we're looking for lawyers here and the United States to fight back."
Kirk: Here’s the message in full.
Rosanny Zagala: First of all, we are going through a terribly hard situation as a family. We are in shock, but seeking legal advice both here and in the USA to defend ourselves. Moises had his email accounts hacked a few years ago, and apparently they were used along with his identity to scam. We are - just like you - shocked with the news. It's something we don't wish on anyone. With the greatest respect, I clarify that Moisés is a man of integrity, a family man, with values and principles who would never lend himself to such acts. God willing, we'll get the right legal team to clear his name.
Primeramente estamos atravesando una situación dura terrible como familia. Estamos en shock pero buscando la asesoria legal tanto aqui como en USA para defendernos. A Moisés le hackearon sus cuentas de correos hace algunos años y al parecer se usaron junto con su identidad para estafar. Estamos al igual q ustedes impactados con la noticia, es algo q no se lo deseamos a nadie. Con el mayor de los respeto les aclaro q Moisés, es un hombre integro, de familia, con valores y principios q jamas se prestaria para tales echos. Dios mediante conseguiremos al equipo legal adecuado para q limpie su nombre.
Kirk: This was an incredible find, particularly since we’d been having so much trouble directly getting a hold of Moises. If Moises ever did face the charges in a U.S. court, it appears he may claim he’s been hacked. We’re going look more closely later to see how that squares with the evidence the U.S. government has cited. But at least in the court of public opinion in Venezuela, the explanation immediately resonated.
Take a woman named Amalia Guevara who described herself on Facebook as a Zagala family friend.
Amalia Guevara: I know Moises and his family and they are a beautiful family, very united. I have never known them to be involved in anything out of the ordinary. Gustavo and Carlos, who are excellent lawyers, are, like Moises, tremendous professionals. Moises was Efren's doctor and we verified his excellent professionalism and that he is an excellent person. I have a lot of faith, and I pray to God that they can clarify this mess. With today's technology, unusual things happen. People hack accounts and impersonate identities. Because this is happening to Moises and his family, it could happen to us.
Conozco a Moises y a su familia y son una familia hermosa, muy unida y jamás he sabido que estén involucrados en nada fuera de lo normal.. Gustavo y Carlos que son excelentes abogados, son al igual que Moises tremendo profesional y fue médico de Efren y comprobamos el excelente profesionalidad que es y excelente persona. Estoy casi segura, tengo mucha fe y pido a Dios que así sea y que ellos puedan aclarar este embrollo en que tratan de involucrarlo y ojalá la gente sepa entender que estas cosas lamentablemente pasan. Con la tecnología actual, se da pie para que pasen cosa insólitas... La gente hackea cuentas, suplantan identidades y sobre todo, se ve mucho en USA y hasta una película cómica hay sobre el tema de suplantación de identidades... Esto pasa, pero lo triste es que mucha gente sin pensar, hacen leña del árbol caído sin medir consecuencias y emiten de inmediato sin saber detalles, opiniones y comentarios negativos.. Esto que les está pasando a Moises y a su familia, no estamos exentos de que pueda pasarnos o a alguien muy cercano.. La gente es mala y repito.. están
Kirk: She mentioned how people hack accounts and impersonate identities, and she’s totally right. Identity theft happens everywhere. Also, many people in Venezuela have fallen victim to their WhatsApp account being hijacked by fraudsters. Could someone who knew Moises and perhaps his background in computers, think he might make the perfect fall guy?
There’s actually a compelling reason to support the theory that maybe someone has set up Moises. Often when police and security experts are trying to figure out the in-real-life identities of hackers, they refer to something called operational security. It’s the term for the methods used by people online to prevent other people from easily figuring who they really are. The simplest one is don’t use your real name. Another one is: don’t start maliciously hacking using your home IP address. There’s many, many other tricks too to ensure that one’s in-real-life identity isn’t connected to an online persona.
The operational security that is described in the criminal complaint against Moises is absolutely disastrous. In fact, it’s so bad that you’d think that no one in their right mind would have committed crime under those conditions. The affidavit contains all kinds of errors that not even a rookie cybercriminal would make. The mistakes are so egregious it could make one think that maybe someone else is trying to point a finger at Moises Zagala.
Let’s look at the criminal complaint. Much of what the government has revealed so far revolves Gmail and PayPal accounts that allegedly belong to Moises. Alexander Mindlin, the U.S. assistant attorney prosecuting the case, explains.
Mindlin: The complaint lays out an extremely large number of ways in which the conduct is attribute. Among other things, the way that Zagala advertised this software was that he would post on various underground forums, using various of his nicknames, advertising the software, and asking people to contact him, usually on one of a couple of different Jabber addresses. Jabber being just a messaging protocol that is locally stored in general on the server belonging to the relevant user. And in addition, he would sometimes request payments at a certain PayPal. So the most direct connection to start off with there is that PayPal has said that the registered user of that particular PayPal address is a person who gave his name is Moises Zagala and gave his email addresses email@example.com and gave his street address as various addresses in Ciudad Bolivar belonging in turn to Moises Zagala. In turn, if you ask Google who's the registered user of firstname.lastname@example.org, they'll tell you well, it's a person who gave the name Moises Zagala with a certain telephone number. And that number is also the registered number for the PayPal account. And if you then obtain, as the government did, the contents of the email@example.com Gmail account, there's a lot more attribution evidence in there.
Kirk: When the FBI dug around in that firstname.lastname@example.org account, they say they found chats about Jigsaw, files about cryptocurrency wallets held by someone nicknamed Nosophoros – again a nicknamed alleged to be Moises - and an email from someone asking for help in sorting out a license for Thanos.
The FBI also got access to a cryptocurrency account used by Nosophorus. That account used the moiseszagala@gmail address, and the cryptocurrency service had a photograph of Moises plus a photo of his driver’s license on file. The FBI alleges it found that same photo of Moises and the same photo of his driver’s license had been sent from the email@example.com email account to another Gmail account they allege belongs to Moises.
But if Moises presents a defense saying he was hacked, the most problematic evidence may come from his own brother. As you may remember, Moises’ brother Gustavo lives in Florida. The FBI reached him although he isn’t mentioned by name in the affidavit. The brother voluntarily spoke to investigators on May 3, 2022, and shared some critical information. First, he told investigators that Moises taught himself computer programming. Gustavo also allegedly showed investigators his phone. On his phone was Moises’ phone number - the one linked to other online accounts - and a second Gmail address for Moises. They allege that some payments that Moises received went to his brother’s PayPal account.
There’s yet another interesting puzzle piece. Moises travelled to the U.S. at some point, and the government obtained records from Customs and Border Protection. Here’s Alexander again.
Mindlin: I mean, the one detail that I think is relevant is that as stated in the complaint, that there are border protection records about Zagala’s entry into the U.S. and the email address in question was firstname.lastname@example.org, which is the address we've talked about. So, the literal guy is linked to the literal email address through his physical passage across U.S. borders.
Kirk: That email address would have been provided by Moises himself. The problem is that we don’t know when he travelled to the U.S. and gave that to border official. The government knows that of course, but it’s not in the criminal complaint. But if he provided his email address to Customs and Border Protection after all this hacky stuff appeared in his Gmail account, it certainly raises questions. Like, why would he still be using a Gmail account that, if his wife’s statement is to be believed, was probably among those that was hacked? All of this digital evidence doesn’t sound good for Moises. Would the government’s case be an easy conviction?
Martino: The user attribution outlined in the complaint is weak, it's flimsy.
Kirk: The voice you’re hearing is from a digital forensics expert who has worked complicated case involving digital evidence.
Martino: My name is Tony Martino. I'm the director of the Northeast Cybersecurity and Forensic Center at Utica University in Utica, New York.
Kirk: Tony reviewed the government’s complaint against Moises. I also brought to his attention the message that Rossany posted on WhatsApp that claims that her husband’s email accounts had been hacked. Tony says with digital evidence, you still have to have a strong link between the cyber world and someone’s body. It’s like the famous cartoon from 1993 in the New Yorker magazine of a dog sitting at a desktop computer who says, “On the internet, no one knows you’re a dog.” So in this case, how do we know it’s not a dog that did this?
Martino: That's always the key in in cyber investigations: who actually did it? Not what user account did it, or even what IP address did it - who was at the keyboard and the mouse when it happened? And that's been a problem since the dawn of cybercrime, everything from fraud to hacking to child exploitation to online auction fraud. It always comes down to who was actually at the keyboard. And so that's always the challenge with cybercrime. Looking at the complaint, the vast majority of the user attribution for electronic items rely on other electronic items. So the things I'm looking for here that I'm not seeing: eventually, we want to tie something to a physical human being. That's inextricable. Well, Moses has an account with PayPal and Moses has a Gmail account; and we can see that the PayPal uses the Gmail account as its login source. Okay, but you're still connecting two electronic points to each other. But if one was untrustworthy, either because it had been hacked, or stolen, or borrowed or given, that automatically makes the other equally untrustworthy. So the challenge here is, how do you get this back to a physical human being? I just don't see where the FBI has done that.
Kirk: Tony says that because much of the government evidence revealed so far revolves around Gmail is also interesting. If Moises did have his account hacked, what did he do about it? Tony says Google is pretty sharp about detecting odd activity on accounts and alerts users when there are anomalies.
Martino: The idea that Moises' email account was hacked years ago and stayed hacked indefinitely through years, through all of these communications, through that account being used in order to launch other accounts... and him never knowing, never being able to do anything about it… Google ignoring the fact that it was getting logged into simultaneously from two different locations - which is always a trigger that then launches a Google screen that says, "We need to prove you're you. We're going to send you a text message or you have to log in using an alternate email." Those kinds of things. Google's pretty good about that. So the idea that Moises is just completely in the blind, has no idea what's going on, someone hacks his email accounts, even plural. Even though we know it goes beyond email here. There's a lot of other things in his name beyond email. And it just goes on for years with him just absolutely having no clue and being able to do nothing about it is not that believable either.
Kirk: Although we’re throwing shade on the government’s evidence, there is an important caveat here. The government doesn’t have to detail all of its evidence, so we’ve only seen a few cards in their hand. In this case, it just had to reveal enough to justify before a judge the issuance of an arrest warrant. So there may be much more evidence - including pieces that are stronger - that could tie Moises to the alleged activity. But Tony says the FBI is probably lacking any evidence from an important source: Venezuela. That’s because of the state of affairs between Venezuela and the U.S. right now. The U.S. suspended diplomatic relations in early 2019 with Venezuela in protest of an election the prior year alleged as unfair. For example, data from Moises’ ISP would be quite useful, but Venezuela wouldn’t be responding to data requests. Tony says that what the government has presented is a lot to swallow, but Tony also says that it could just as well be accurate. But he also says maybe there’s nuance missing here.
Martino: I'm not trying to create Moises Zagala's defense for him. I'm not willing to say it's not him. It seems too difficult for this to be exactly true the way it's written. I mean, to the points you made, could anyone this smart be that sloppy? It seems like the answer is no. It seems like it's not even possible. One of the things that is largely missing from all of our knowledge of this case is the functionality of how a criminal enterprise would be operating in Venezuela. You know, we're looking at this through the filters of mostly western society and democracies, and how the judicial system works. So we're viewing it all through those glasses. And I don't know that collectively we understand enough about how a criminal enterprise like the one being alleged would operate in Venezuela. Why would there be a need, a desire or a want to involve people who are not technically involved? But for the sake of argument again, being hypothetical, would there be a reason to find Moises Zagala and impersonate him?
Kirk: One question is if Moises will ever face trial. The answer is pretty much no as long as Moises never travels to the U.S. or to a country that has an extradition treaty with the U.S. So if an extradition request was filed, it would likely be ignored. Venezuela does have its own laws against cybercrime. What’s alleged by the U.S. government would constitute at least three felonies there. So there’s also the question of whether the country would perhaps try to prosecute Moises on its own after taking a tipoff from the U.S. Ana has a source in the public prosecutor’s office, and she asked the person about this case.
Herrero: My source was like, "No, no, no, that's not something we're going to investigate by any chance. And we have no idea we're talking about.”
Kirk: To answer the question of why there is little interest comes back to Venezuela and the extreme conditions under which the country finds itself. I mean, look at Bolivar state where Moises lives. Criminal gangs run illegal gold mines where workers are often believed to be victims of human trafficking, including children. As said before, many people don’t have running water. The country’s current president, Nicolás Maduro - who is one of two people claiming the presidency - is actually under indictment by the U.S. for allegedly being complicit in the trafficking of cocaine into the U.S and terrorism. There’s a $15 million reward for information leading to his arrest. Then there’s just other big issues, like the continued destruction of the Amazon rain forest, some of which extends to Venezuela. Ana says when she started asking other top journalists about this case, they expressed little interest.
Herrero: This is a very tiny thing in Venezuela. So let's say that when you talk about Ciudad Bolivar or Bolivar in general, they say "Yeah, you can see bigger fish than this story." For me, I love this story. I think it's an amazing story. But for people here, it's a very, very tiny thing, like a funny story. Like, "oh, look what happened with this doctor," and move on.
Kirk: In thinking about the case and how extraordinary it is, it made me wonder if there is some other twist awaiting us that we just haven’t uncovered. What if the person who sold the ransomware indeed is Venezuelan and is deeply concerned about access to water? What if the person used some of the proceeds to fund infrastructure that improved people’s access to clean water? And how would that fit into the person’s moral calculus since ransomware is deployed against vulnerable targets such as hospitals?
I’ve wandered down the road of fiction here of course, but my point is we may never know the deeper story. That is, unless Moises speaks. The closer we thought we got him, the farther away he felt. His community really circled around him, contesting how such a respected person could be subject to such an accusation. One person told us that after the charges were announced, people briefly spoke about it, but now it’s no longer brought up. As far as Venezuela is concerned, it is case closed.
But if you ever find yourself in Bolivar state in Venezuela with a bit heart trouble and a computer problem, we can tell you who to contact.
This episode of The Ransomware Files was written, researched, edited and produced by me, Jeremy Kirk. It was also researched and reported by the fantastic Ana Vanessa Herrero in Caracas. The production coordinator for The Ransomware Files series is Rashmi Ramesh. Special thanks to Alexandra Perez, David Perera, Tom Field, Mathew Schwartz and Anna Delaney for other production assistance.
The Ransomware Files theme song is by Chris Gilbert of Ordinary Weirdos Records. Other original music in this episode was made by Chris Gilbert, Finley Kirk and myself.
If you enjoyed this episode of The Ransomware Files, please share it and leave a review. It will help keep this project going. The series has its own Twitter handle @ransomwarefiles, which tweets news and happenings about ransomware. I’m on Twitter @jeremy_kirk. If you would like to participate in this project or have an idea for it, please get in touch. The project is looking for other people, organizations and companies who can share their unique experiences for the benefit of all until ransomware, hopefully, becomes a thing of the past.