WEBVTT

00:00:00.000 --> 00:00:03.100
You know, usually when we picture a high stakes

00:00:03.100 --> 00:00:06.700
bank heist, the robbers are wearing ski masks.

00:00:07.019 --> 00:00:08.679
Right. They're dressed in all black. Exactly.

00:00:08.839 --> 00:00:11.199
The entire point is to be invisible, right? To

00:00:11.199 --> 00:00:15.039
be a shadow and leave absolutely zero trace of

00:00:15.039 --> 00:00:17.399
their actual personality behind. Yeah, because

00:00:17.399 --> 00:00:20.140
anonymity is, well, it's the primary defense

00:00:20.140 --> 00:00:22.920
mechanism for any illicit activity. The less

00:00:22.920 --> 00:00:25.699
of yourself you reveal, the safer you are from

00:00:26.519 --> 00:00:29.420
leaving a forensic trail. But imagine if instead

00:00:29.420 --> 00:00:32.140
of a ski mask the bank robber kicked the door

00:00:32.140 --> 00:00:35.780
down wearing like a neon pink mascot suit. Oh

00:00:35.780 --> 00:00:37.759
man. And instead of just silently handing over

00:00:37.759 --> 00:00:40.409
a bag for the vault cash, they demanded the teller

00:00:40.409 --> 00:00:42.829
sing a pop song, broadcast the whole thing on

00:00:42.829 --> 00:00:44.990
a live stream, and then, I don't know, handed

00:00:44.990 --> 00:00:48.570
out flyers detailing their personal, highly polarizing

00:00:48.570 --> 00:00:50.570
political opinions. See, in that scenario, you

00:00:50.570 --> 00:00:52.170
wouldn't know if you were dealing with a criminal

00:00:52.170 --> 00:00:54.210
mastermind, a political extremist, or just someone

00:00:54.210 --> 00:00:57.210
playing a massive, highly illegal prank. Right.

00:00:57.469 --> 00:00:59.429
The threat models we use to predict behavior,

00:00:59.490 --> 00:01:01.810
they completely break down when an attacker doesn't

00:01:01.810 --> 00:01:04.969
act rationally. And that tension, that bizarre

00:01:04.969 --> 00:01:07.969
contradiction, is what we are exploring in today's

00:01:07.969 --> 00:01:11.310
Deep Dive. We're unpacking the incredibly chaotic

00:01:11.310 --> 00:01:14.409
two-year lifespan of a black hat hacktivist

00:01:14.409 --> 00:01:17.590
organization known as SiegedSec. It is a wild

00:01:17.590 --> 00:01:20.450
timeline. It really is. So we've got a comprehensive

00:01:20.450 --> 00:01:22.810
stack of sources in front of us today anchored

00:01:22.810 --> 00:01:26.209
by a detailed Wikipedia article to trace exactly

00:01:26.209 --> 00:01:29.870
how this group operated between early 2022 and

00:01:29.870 --> 00:01:33.200
mid-2024. Yeah, we're looking at a wildly unconventional

00:01:33.200 --> 00:01:37.079
intersection of internet meme culture, highly

00:01:37.079 --> 00:01:40.040
sensitive cybersecurity breaches, and intense

00:01:40.040 --> 00:01:42.579
ideological warfare. Which is just such a strange

00:01:42.579 --> 00:01:45.659
mix. It really forces you to rethink what a modern

00:01:45.659 --> 00:01:47.620
cyber threat actually looks like. Absolutely.

00:01:47.680 --> 00:01:49.939
It moves us away from that classic idea of state-sponsored

00:01:49.939 --> 00:01:52.540
hackers in dark rooms and toward highly

00:01:52.540 --> 00:01:54.700
decentralized, culturally motivated internet

00:01:54.700 --> 00:01:57.260
subcultures. Yeah. But before we jump into the

00:01:57.260 --> 00:01:58.819
timeline, though, we need to set some ground

00:01:58.819 --> 00:02:01.159
rules for this deep dive. Very important. Because

00:02:01.159 --> 00:02:03.599
the source material we are covering today contains

00:02:03.599 --> 00:02:07.599
highly politically charged content. I mean, SiegedSec

00:02:07.599 --> 00:02:10.439
targeted organizations on both the left and the

00:02:10.439 --> 00:02:12.180
right sides of the political spectrum. They were

00:02:12.180 --> 00:02:15.580
all over the map. They were. We are talking about

00:02:15.580 --> 00:02:18.099
everything from debates over gender-affirming

00:02:18.099 --> 00:02:21.120
care legislation to international military conflicts

00:02:21.120 --> 00:02:24.159
in the Middle East to conservative political

00:02:24.159 --> 00:02:27.289
think tanks. So it's heavy stuff. Exactly. So

00:02:27.289 --> 00:02:29.810
to you, our listener, we want to be absolutely

00:02:29.810 --> 00:02:32.469
clear here. We are going to impartially report

00:02:32.469 --> 00:02:34.909
on the contents of this source material. We are

00:02:34.909 --> 00:02:37.569
not taking any sides, and we are not endorsing

00:02:37.569 --> 00:02:39.610
any of the viewpoints held by the hackers or

00:02:39.610 --> 00:02:43.069
by their targets. Our mission here is strictly

00:02:43.069 --> 00:02:46.150
to convey the factual events, the underlying

00:02:46.150 --> 00:02:49.090
mechanisms of these hacks, and the ideas exactly

00:02:49.090 --> 00:02:51.580
as they are contained in the original text. Because

00:02:51.580 --> 00:02:54.020
in the world of cybersecurity analysis, adopting

00:02:54.020 --> 00:02:56.520
an objective lens is really the only way to understand

00:02:56.520 --> 00:02:58.599
the mechanics of an attack. Right. We have to

00:02:58.599 --> 00:03:00.419
look at the data, the methods, and the stated

00:03:00.419 --> 00:03:03.979
motives without validating the ideology behind

00:03:03.979 --> 00:03:06.139
them. Okay, so let's unpack this. To understand

00:03:06.139 --> 00:03:08.919
the damage SiegedSec caused, we first have to

00:03:08.919 --> 00:03:11.500
understand who they claim to be, because it just

00:03:11.500 --> 00:03:14.639
shatters that stereotype of the serious brooding

00:03:14.639 --> 00:03:17.639
hacker. Oh, completely. So SiegedSec, which is

00:03:17.639 --> 00:03:20.580
short for Siege Security, they emerged on the

00:03:20.580 --> 00:03:23.900
messaging app Telegram in April 2022. Right.

00:03:24.300 --> 00:03:27.139
They were led by a user going by the alias vio,

00:03:27.419 --> 00:03:30.330
along with other key members known as Cry and

00:03:30.330 --> 00:03:32.849
mirrorless, and they commonly self-described

00:03:32.849 --> 00:03:35.909
as the gay furry hackers. Which is, I mean, it's

00:03:35.909 --> 00:03:38.349
an intentionally disarming moniker. Yeah, it

00:03:38.349 --> 00:03:40.750
sounds like a joke. Exactly, and Telegram acts

00:03:40.750 --> 00:03:43.069
as a perfect incubator for this kind of subculture

00:03:43.069 --> 00:03:45.490
because of its architecture. It offers encrypted

00:03:45.490 --> 00:03:47.830
channels where users can be completely anonymous.

00:03:48.129 --> 00:03:50.300
But it also feels like a social network. Yes,

00:03:50.439 --> 00:03:52.939
it functions like a social media feed. It allows

00:03:52.939 --> 00:03:55.400
for the rapid sharing of memes, inside jokes,

00:03:55.580 --> 00:03:58.259
and hyper-specific cultural references right

00:03:58.259 --> 00:04:01.759
alongside highly technical exploit code. Wow.

00:04:02.060 --> 00:04:04.039
So in the beginning, their motives seemed almost

00:04:04.039 --> 00:04:06.639
entirely rooted in aggressive internet trolling.

00:04:07.020 --> 00:04:09.360
Like, for example, in July 2023, they targeted

00:04:09.360 --> 00:04:11.719
the University of Connecticut. The UConn hack.

00:04:11.949 --> 00:04:14.889
Right. The source notes, they used a vulnerability

00:04:14.889 --> 00:04:18.430
in the university's listserv to send out spoofed

00:04:18.430 --> 00:04:21.410
emails to undergraduate students. They falsely

00:04:21.410 --> 00:04:23.930
announced the unfortunate passing of Radenka

00:04:23.930 --> 00:04:26.129
Maric, who is the university's president. Which

00:04:26.129 --> 00:04:28.750
is just a massive disruption for a campus. Yeah.

00:04:29.029 --> 00:04:31.069
Now for those who might not know, what exactly

00:04:31.069 --> 00:04:33.410
is a listserv and how do you even weaponize it?

00:04:33.589 --> 00:04:37.740
So a listserv is essentially a legacy automated

00:04:37.740 --> 00:04:40.720
email broadcasting system. Universities use them

00:04:40.720 --> 00:04:43.660
to send one message to thousands of students

00:04:43.660 --> 00:04:46.660
at once. OK, so a giant mailing list. Exactly.

00:04:47.079 --> 00:04:50.060
And if a system like that is outdated or misconfigured,

00:04:50.139 --> 00:04:52.660
it might not properly verify who is actually

00:04:52.660 --> 00:04:54.779
sending the email. Ah, I see. The hackers found

00:04:54.779 --> 00:04:57.759
a flaw in that authentication process. They forged

00:04:57.759 --> 00:05:00.720
or spoofed the sender's address to look like

00:05:00.720 --> 00:05:02.959
it was coming from an official university admin.

00:05:03.160 --> 00:05:05.329
And the system just bought it? Yep. The listserv

00:05:05.329 --> 00:05:08.089
did the rest, distributing the fake death announcement

00:05:08.089 --> 00:05:11.110
to the entire student body. That is crazy. And

00:05:11.110 --> 00:05:12.870
when the Hartford Courant newspaper interviewed

00:05:12.870 --> 00:05:17.910
the leader, vio, about this incident, vio just

00:05:17.910 --> 00:05:20.230
casually explained the technical vulnerability

00:05:20.230 --> 00:05:22.389
and said they did it for the lulz. Right, for

00:05:22.389 --> 00:05:25.230
the lulz. It feels less like a traditional cybercrime

00:05:25.230 --> 00:05:28.029
syndicate and more like a, I don't know, a weaponized

00:05:28.029 --> 00:05:30.529
digital flash mob. They were hacking for the

00:05:30.529 --> 00:05:32.389
punchline. That's a great way to put it. But

00:05:32.389 --> 00:05:36.110
how does a group motivated by the lulz move from

00:05:36.110 --> 00:05:38.990
a college prank to the kind of targets we see

00:05:38.990 --> 00:05:41.199
next on this timeline? Well, the jump happens

00:05:41.199 --> 00:05:44.180
because the psychology of a troll demands constantly

00:05:44.180 --> 00:05:46.779
escalating shock value. Oh, sure. A fake email

00:05:46.779 --> 00:05:49.060
gets boring. Exactly. It only gets you so much

00:05:49.060 --> 00:05:51.279
attention. To keep the audience entertained and

00:05:51.279 --> 00:05:53.220
to feed their own egos within these Telegram

00:05:53.220 --> 00:05:56.000
channels, they have to find bigger, more secure

00:05:56.000 --> 00:05:58.500
doors to kick down. And they found some massive

00:05:58.500 --> 00:06:02.139
doors. I mean, in February 2023, they hit Atlassian.

00:06:02.339 --> 00:06:04.519
Yeah, that was a big one. Atlassian is a major

00:06:04.519 --> 00:06:06.860
Australian software provider that builds tools

00:06:06.860 --> 00:06:09.410
used by thousands of corporations globally. They

00:06:09.410 --> 00:06:13.290
used stolen employee credentials to leak 13,000

00:06:13.290 --> 00:06:15.829
employee records. But it wasn't just data. No.

00:06:16.040 --> 00:06:18.620
They didn't just leak names and emails, they

00:06:18.620 --> 00:06:20.759
leaked the physical floor plans for Atlassian

00:06:20.759 --> 00:06:23.920
offices. Which crosses a very significant threshold.

00:06:24.079 --> 00:06:26.639
How so? Well, you're moving from a purely digital

00:06:26.639 --> 00:06:30.000
nuisance, like data theft, to enabling potential

00:06:30.000 --> 00:06:32.680
physical security threats. Anyone with malicious

00:06:32.680 --> 00:06:35.860
intent in the real world now has a literal map

00:06:35.860 --> 00:06:38.879
of your corporate headquarters. That is terrifying.

00:06:39.300 --> 00:06:41.360
The sources mentioned they used stolen credentials

00:06:41.360 --> 00:06:43.800
for this. Does that mean they, like... guessed

00:06:43.800 --> 00:06:46.759
passwords or is there a more sophisticated mechanism

00:06:46.759 --> 00:06:49.160
at play here? Usually this involves a technique

00:06:49.160 --> 00:06:52.000
called credential stuffing. It's actually quite

00:06:52.000 --> 00:06:54.120
crude but highly effective. Okay, how does that

00:06:54.120 --> 00:06:57.709
work? Hackers buy massive databases of usernames

00:06:57.709 --> 00:07:00.509
and passwords that were exposed in older, totally

00:07:00.509 --> 00:07:02.610
unrelated breaches. Oh, because people reuse

00:07:02.610 --> 00:07:05.129
their password. Exactly. Because people terribly

00:07:05.129 --> 00:07:07.189
reuse the same password across multiple accounts,

00:07:07.569 --> 00:07:09.870
the attackers use automated software to rapidly

00:07:09.870 --> 00:07:12.370
test those old passwords on new targets, like

00:07:12.370 --> 00:07:15.250
Atlassian's employee portals. It's not a brilliant

00:07:15.250 --> 00:07:18.290
feat of coding. It's literally just jiggling

00:07:18.290 --> 00:07:20.990
thousands of digital doorknobs until one happens

00:07:20.990 --> 00:07:23.850
to click open because an employee reused a password.

00:07:23.689 --> 00:07:26.610
That makes perfect sense. It's terrifyingly simple.

00:07:27.329 --> 00:07:29.149
But SiegedSec didn't stop at corporate software.

00:07:29.790 --> 00:07:34.370
In 2023, they compromised NATO portals. Not once,

00:07:34.709 --> 00:07:39.230
but twice. They leaked over 3,000 internal documents

00:07:39.230 --> 00:07:42.149
from portals with very serious sounding names,

00:07:42.589 --> 00:07:44.430
like the Joint Advanced Distributed Learning

00:07:44.430 --> 00:07:47.069
Portal and the Logistics Network Portal. Right.

00:07:47.350 --> 00:07:49.509
NATO actually had to publicly announce they were

00:07:49.509 --> 00:07:51.949
investigating the breaches. No. You're probably

00:07:51.949 --> 00:07:53.449
thinking what I was thinking when I read this.

00:07:53.689 --> 00:07:56.850
Did a group of Telegram trolls just steal nuclear

00:07:56.850 --> 00:07:59.149
launch codes from a military alliance? Right.

00:07:59.149 --> 00:08:01.670
It sounds catastrophic. Yeah. But not quite.

00:08:01.730 --> 00:08:03.930
And this is a crucial distinction in understanding

00:08:03.930 --> 00:08:06.649
modern cyber warfare. OK, break it down for us.

00:08:06.810 --> 00:08:08.889
They didn't breach the classified air-gapped

00:08:08.889 --> 00:08:11.329
mainframes where active military operations are

00:08:11.329 --> 00:08:14.449
planned. They breached third party portals, things

00:08:14.449 --> 00:08:17.470
like unclassified training platforms or logistical

00:08:17.470 --> 00:08:20.769
web forums. NATO is a massive bureaucracy. And

00:08:20.769 --> 00:08:23.310
like any large organization, its outer perimeter

00:08:23.310 --> 00:08:26.050
is full of smaller, less secure web applications

00:08:26.050 --> 00:08:29.259
used for everyday administration. So the weakest

00:08:29.259 --> 00:08:32.200
link isn't the military-grade encryption, it's

00:08:32.200 --> 00:08:35.080
like the unpatched web forum used for a training

00:08:35.080 --> 00:08:38.259
seminar. Precisely. It's a classic supply chain

00:08:38.259 --> 00:08:40.779
or peripheral vulnerability. But still! Yeah,

00:08:40.899 --> 00:08:43.620
the reputational damage is still immense. To

00:08:43.620 --> 00:08:46.279
the public, a headline that reads NATO hacked

00:08:46.480 --> 00:08:49.620
projects a narrative of weakness, which is exactly

00:08:49.620 --> 00:08:52.659
the kind of chaotic publicity a group like SiegedSec

00:08:52.659 --> 00:08:55.240
thrives on. Which brings me to the event that

00:08:55.240 --> 00:08:57.960
I am genuinely struggling to wrap my head around.

00:08:58.080 --> 00:09:02.500
Oh, the Idaho one. Yes. In November 2023, SiegedSec

00:09:02.500 --> 00:09:05.129
hacked into the Idaho National Laboratory. This

00:09:05.129 --> 00:09:07.809
is a massive U.S. federal research facility

00:09:07.809 --> 00:09:10.029
dealing with nuclear energy. They compromised

00:09:10.029 --> 00:09:12.610
the Oracle HR system and leaked personal employee

00:09:12.610 --> 00:09:14.490
data. Yeah, let's break down the how on that.

00:09:14.610 --> 00:09:17.090
An Oracle HR system is a massive database storing

00:09:17.090 --> 00:09:19.529
highly sensitive personnel files, social security

00:09:19.529 --> 00:09:22.230
numbers, home addresses, banking details for

00:09:22.230 --> 00:09:24.679
payroll. So how do you even get into that? Breaching

00:09:24.679 --> 00:09:28.279
it typically involves either finding an unpatched

00:09:28.279 --> 00:09:30.860
software vulnerability, sometimes called a zero-day

00:09:30.860 --> 00:09:33.600
flaw, meaning the software creator has had

00:09:33.600 --> 00:09:36.860
zero days to fix it. Right. Or, more commonly,

00:09:37.200 --> 00:09:39.679
a sophisticated phishing campaign that tricks

00:09:39.679 --> 00:09:42.740
an HR employee into handing over their administrative

00:09:42.740 --> 00:09:46.179
login. And once they have that data, they didn't

00:09:46.179 --> 00:09:48.909
just dump it online. A few months later... In

00:09:48.909 --> 00:09:53.169
February 2024, they literally mailed ransom payment

00:09:53.169 --> 00:09:55.909
requests directly to the employees' physical

00:09:55.909 --> 00:09:59.070
homes. That is a severe psychological tactic.

00:09:59.169 --> 00:10:01.750
It obliterates the boundary between the digital

00:10:01.750 --> 00:10:04.629
and physical worlds, tells the victim, we don't

00:10:04.629 --> 00:10:06.450
just exist on your computer screen, we know where

00:10:06.450 --> 00:10:08.850
your family sleeps. It is absolute psychological

00:10:08.850 --> 00:10:11.649
terror. But then you read the actual ransom demand.

00:10:11.929 --> 00:10:14.230
They didn't ask for millions of dollars in untraceable

00:10:14.230 --> 00:10:16.429
Bitcoin. No, they didn't. They demanded that

00:10:16.429 --> 00:10:19.309
the U.S. nuclear laboratory research creating

00:10:19.309 --> 00:10:22.070
real-life cat girls. I have to push back here,

00:10:22.509 --> 00:10:25.950
because how do these two realities coexist? How

00:10:25.950 --> 00:10:29.570
does a group demanding anime tropes possess the

00:10:29.570 --> 00:10:32.250
operational focus to navigate the cybersecurity

00:10:32.250 --> 00:10:35.809
of a federal laboratory and terrorize its employees?

00:10:36.120 --> 00:10:38.700
It's the ultimate paradox of modern cyber threats.

00:10:38.879 --> 00:10:41.360
We tend to think of hacking groups as monolithic

00:10:41.360 --> 00:10:44.720
entities where everyone is a hyper-focused mastermind.

00:10:44.740 --> 00:10:47.019
Like in the movies. Exactly. But the reality

00:10:47.019 --> 00:10:50.279
of these Telegram-based groups is heavily decentralized.

00:10:50.820 --> 00:10:53.460
You likely have one or two members who possess

00:10:53.460 --> 00:10:56.100
genuine, highly specialized technical skills,

00:10:56.440 --> 00:10:58.940
the ones actually exploiting the Oracle HR system.

00:10:58.960 --> 00:11:01.500
But the cultural face of the group, the people

00:11:01.500 --> 00:11:03.960
writing the ransom notes and demanding cat girls,

00:11:04.340 --> 00:11:06.649
might just be the loudest, most chaotic voices

00:11:06.649 --> 00:11:09.230
in the chat room. Wow. The barrier to entry for

00:11:09.230 --> 00:11:11.509
causing catastrophic damage is lower than ever.

00:11:11.970 --> 00:11:14.129
One person with the right exploit can hand the

00:11:14.129 --> 00:11:17.230
keys over to a dozen internet trolls. So the

00:11:17.230 --> 00:11:19.669
technical tools to cause global panic are incredibly

00:11:19.669 --> 00:11:22.629
cheap, but the motives remain entirely absurd.

00:11:22.789 --> 00:11:25.590
But as we move through the source material, those

00:11:25.590 --> 00:11:28.580
motives take a very sharp turn. Having established

00:11:28.580 --> 00:11:31.240
they could breach major, highly secure networks,

00:11:31.860 --> 00:11:34.580
SiegedSec began weaponizing those technical skills

00:11:34.580 --> 00:11:37.659
for hyper-specific ideological warfare. They

00:11:37.659 --> 00:11:40.799
launched #OpTransRights. Right. They

00:11:40.799 --> 00:11:43.740
pivoted from the lulz to self-appointed moral

00:11:43.740 --> 00:11:46.690
arbiters. Starting in June 2023, they targeted

00:11:46.690 --> 00:11:49.629
U.S. government entities to protest bills restricting

00:11:49.629 --> 00:11:51.690
gender-affirming care. Yeah, that was a major

00:11:51.690 --> 00:11:53.809
shift. They leaked data from the city of Fort

00:11:53.809 --> 00:11:56.649
Worth, Texas, the Nebraska Supreme Court, and

00:11:56.649 --> 00:11:59.990
South Carolina police files. Then, in 2024, they

00:11:59.990 --> 00:12:03.090
followed it up with #OpTransRights2, where

00:12:03.090 --> 00:12:05.110
they successfully breached and leaked data from

00:12:05.110 --> 00:12:07.490
a conservative media outlet called Real America's

00:12:07.490 --> 00:12:09.750
Voice and a church called River Valley Church.

00:12:09.889 --> 00:12:11.710
And it wasn't just domestic U.S. politics either.

00:12:11.909 --> 00:12:14.669
No. During the Gaza-Israel conflict, they intervened

00:12:14.669 --> 00:12:17.669
on a geopolitical scale, attacking Israeli telecommunications

00:12:17.669 --> 00:12:19.990
providers like Bezeq, where they leaked info on

00:12:19.990 --> 00:12:22.590
nearly 50,000 customers, and another provider

00:12:22.590 --> 00:12:25.549
called Cellcom. The sheer breadth of the targeting

00:12:25.549 --> 00:12:28.090
is staggering. They're inserting themselves into

00:12:28.090 --> 00:12:31.370
incredibly complex, deeply entrenched cultural

00:12:31.370 --> 00:12:33.970
and geopolitical conflicts, basically acting

00:12:33.970 --> 00:12:37.049
as an unauthorized digital militia. It really

00:12:37.049 --> 00:12:39.230
makes me wonder about the evolution of hacktivism

00:12:39.230 --> 00:12:42.250
itself. Because when you look back at older groups,

00:12:42.669 --> 00:12:44.690
like Anonymous, during their peak in the late

00:12:44.690 --> 00:12:48.269
2000s, their targets felt very generalized. Right,

00:12:48.570 --> 00:12:50.909
broad strokes. Yeah, it was a broad, sweeping

00:12:50.909 --> 00:12:53.429
anti-establishment sentiment. The government,

00:12:53.889 --> 00:12:55.850
big corporations, the Church of Scientology.

00:12:55.909 --> 00:13:01.090
Sure. SiegedSec represents a shift toward hyper-specific,

00:13:01.090 --> 00:13:04.710
highly polarized culture war flashpoints.

00:13:05.350 --> 00:13:07.950
It's pinpointing exact legislative debates and

00:13:07.950 --> 00:13:10.929
media narratives. Why the shift? Well, hacktivism

00:13:10.929 --> 00:13:12.789
always mirrors the culture of the internet at

00:13:12.789 --> 00:13:14.950
the time. A decade ago, the internet felt more

00:13:14.950 --> 00:13:17.169
like a unified monoculture, so the targets were

00:13:17.169 --> 00:13:19.710
broad. That makes sense. Today, we live in highly

00:13:19.710 --> 00:13:22.649
fragmented, algorithmically driven bubbles. Trolls

00:13:22.649 --> 00:13:25.149
eventually get bored of just causing chaos. They

00:13:25.149 --> 00:13:27.230
crave moral justification for their actions.

00:13:27.409 --> 00:13:28.610
Right, they want to feel like the good guys.

00:13:28.840 --> 00:13:31.740
Exactly. So these groups adopt the hyper-specific

00:13:31.740 --> 00:13:34.440
language and grievances of niche micro communities.

00:13:34.960 --> 00:13:37.379
They aren't trying to appeal to the global masses

00:13:37.379 --> 00:13:40.320
like Anonymous did. They are trying to be heroes

00:13:40.320 --> 00:13:43.480
to their specific curated Telegram audience.

00:13:43.639 --> 00:13:45.879
And to amplify that power, they started forming

00:13:45.879 --> 00:13:49.059
alliances. The outline lists a dizzying array

00:13:49.059 --> 00:13:51.539
of collaborations. They worked with a group called

00:13:51.539 --> 00:13:54.639
Anonymous Sudan for the attacks on Israeli infrastructure.

00:13:55.539 --> 00:13:57.759
They shared anti-NATO motives with a group called

00:13:57.759 --> 00:14:01.000
KittenSec. They even helped form a larger syndicate

00:14:01.000 --> 00:14:03.539
called Five Families, teaming up with groups

00:14:03.539 --> 00:14:05.879
like Ghost Security and Stormous Ransomware.

00:14:06.120 --> 00:14:08.679
The Five Families moniker is an obvious nod to

00:14:08.679 --> 00:14:11.120
the American mafia, showing they were fully leaning

00:14:11.120 --> 00:14:13.799
into the theatricality of organized crime. Oh,

00:14:13.799 --> 00:14:15.860
totally. But the mechanics of these alliances

00:14:15.860 --> 00:14:18.200
are very different from traditional syndicates.

00:14:18.399 --> 00:14:20.879
Let's dig into those mechanics. Are these groups

00:14:20.879 --> 00:14:23.419
merging their leadership, or is it more informal?

00:14:23.610 --> 00:14:25.750
It's highly ephemeral. Think of it less like

00:14:25.750 --> 00:14:29.049
a corporate merger and more like a digital pop-up

00:14:29.049 --> 00:14:31.450
shop. A digital pop-up shop. I like that.

00:14:31.669 --> 00:14:33.769
Yeah. You have disparate groups operating in

00:14:33.769 --> 00:14:36.470
the same dark web forums. One group might have

00:14:36.470 --> 00:14:39.250
an access broker, someone who specializes in

00:14:39.250 --> 00:14:41.610
stealing passwords but doesn't have the time

00:14:41.610 --> 00:14:44.149
to sift through the data. They invite another

00:14:44.149 --> 00:14:47.389
group into a temporary encrypted chat. They pool

00:14:47.389 --> 00:14:50.090
their resources, launch a joint campaign for

00:14:50.090 --> 00:14:52.730
a few weeks to maximize media coverage, and then

00:14:52.730 --> 00:14:54.730
they delete the chat and vanish back into their

00:14:54.730 --> 00:14:57.909
respective corners. It's fluid and opportunistic.

00:14:58.110 --> 00:14:59.929
It's like a dark web of ventures. They just team

00:14:59.929 --> 00:15:02.029
up for one mission and scatter. That's exactly

00:15:02.029 --> 00:15:03.950
what it is. And sometimes those opportunities

00:15:03.950 --> 00:15:06.480
allow them to play Robin Hood. The sources note

00:15:06.480 --> 00:15:08.539
they partnered with hacktivists like ByteMeCrew

00:15:08.539 --> 00:15:11.559
and the well-known hacker maia arson crimew to

00:15:11.559 --> 00:15:15.240
expose stalkerware apps. Ah, yes, TheTruthSpy.

00:15:15.539 --> 00:15:18.039
Exactly, targeting a platform called TheTruthSpy.

00:15:18.559 --> 00:15:21.539
What exactly is stalkerware, and why would SiegedSec

00:15:21.539 --> 00:15:24.740
target it? So, stalkerware is a deeply insidious

00:15:24.740 --> 00:15:27.539
category of software. These are hidden applications

00:15:27.539 --> 00:15:29.879
designed to be installed secretly on someone's

00:15:29.879 --> 00:15:33.419
phone, usually by a domestic abuser. That's awful.

00:15:33.629 --> 00:15:36.710
It really is. It monitors the victim's location,

00:15:36.830 --> 00:15:39.330
reads their texts, and listens to their calls

00:15:39.330 --> 00:15:41.769
without their knowledge. By hacking the companies

00:15:41.769 --> 00:15:44.629
that create and sell this software, SiegedSec

00:15:44.629 --> 00:15:47.289
was exposing the infrastructure of digital abuse.

00:15:48.309 --> 00:15:50.830
It highlights that chaotic moral compass, right?

00:15:50.889 --> 00:15:53.549
One week they're extorting nuclear lab employees

00:15:53.549 --> 00:15:56.009
and the next week they're dismantling tools used

00:15:56.009 --> 00:15:58.690
by domestic abusers. But the more noise you make

00:15:58.690 --> 00:16:01.409
and the more alliances you form, the bigger your

00:16:01.409 --> 00:16:03.860
footprint gets. Inevitably. Which brings us to

00:16:03.860 --> 00:16:06.179
their final, most prominent political target.

00:16:07.259 --> 00:16:10.179
In July 2024, SiegedSec announced they had breached

00:16:10.179 --> 00:16:12.740
the conservative think tank, the Heritage Foundation.

00:16:12.899 --> 00:16:15.960
A huge target. Massive. Specifically, they were

00:16:15.960 --> 00:16:18.360
targeting them over the Project 2025 proposals,

00:16:18.799 --> 00:16:21.080
which SiegedSec released a statement on Telegram

00:16:21.080 --> 00:16:23.980
labeling as an authoritarian Christian nationalist

00:16:23.980 --> 00:16:27.379
plan. Which is a direct, ideologically motivated

00:16:27.379 --> 00:16:30.299
strike against a highly resourced, deeply influential

00:16:30.299 --> 00:16:32.700
organization in Washington, D.C. The Heritage

00:16:32.700 --> 00:16:35.700
Foundation immediately pushed back. A spokesperson

00:16:35.700 --> 00:16:38.899
publicly dismissed the breach as a false narrative

00:16:38.899 --> 00:16:41.639
and an exaggeration, claiming all their internal

00:16:41.639 --> 00:16:44.370
systems remained completely secure. That is a

00:16:44.370 --> 00:16:46.649
textbook crisis communications response. Really?

00:16:47.009 --> 00:16:50.029
Oh yeah. Regardless of whether a breach is genuine

00:16:50.029 --> 00:16:52.429
or exaggerated, the immediate goal of the victim

00:16:52.429 --> 00:16:54.750
is to project strength and control the public

00:16:54.750 --> 00:16:57.129
narrative, starving the hackers of the validation

00:16:57.129 --> 00:16:59.710
they are seeking. Well, SiegedSec refused to be

00:16:59.710 --> 00:17:03.210
ignored. To prove they were inside, they retaliated

00:17:03.210 --> 00:17:05.990
by releasing chat logs. And not just any chat

00:17:05.990 --> 00:17:08.910
logs. I know. These were private Signal messages

00:17:08.910 --> 00:17:11.750
between the SiegedSec leader, vio, and a Heritage

00:17:11.750 --> 00:17:14.089
Foundation executive named Mike Howell. Which

00:17:14.089 --> 00:17:17.529
is just wild. And in those chats, Howell explicitly

00:17:17.529 --> 00:17:19.930
states that he is working directly with the FBI

00:17:19.930 --> 00:17:22.990
and that federal law enforcement is in the process

00:17:22.990 --> 00:17:25.190
of identifying and outing members of your group.

00:17:25.390 --> 00:17:27.809
That is the exact moment the digital wall shatters.

00:17:28.269 --> 00:17:30.789
When you are communicating directly with an executive

00:17:30.789 --> 00:17:33.430
who confirms that the FBI is actively building

00:17:33.430 --> 00:17:36.549
a dossier on your physical identity, the illusion

00:17:36.549 --> 00:17:39.890
of being an untouchable internet prankster evaporates

00:17:39.890 --> 00:17:42.549
instantly. And the consequences of that realization

00:17:42.549 --> 00:17:46.930
were immediate. On July 10th, 2024, right after

00:17:46.930 --> 00:17:49.549
releasing those Heritage Foundation chat logs,

00:17:50.130 --> 00:17:53.049
SiegedSec abruptly announced their total disbandment.

00:17:53.099 --> 00:17:56.119
Then stopped entirely. And the reasons they gave

00:17:56.119 --> 00:17:58.259
for disbanding are the most telling part of this

00:17:58.259 --> 00:18:01.099
entire deep dive. They didn't claim some grand

00:18:01.099 --> 00:18:03.339
ideological victory. They stated clearly that

00:18:03.339 --> 00:18:05.279
they were disbanding "for our own mental health,"

00:18:05.279 --> 00:18:08.180
the stress of mass publicity and to avoid the

00:18:08.180 --> 00:18:11.319
eye of the FBI. This reveals the fundamental psychological

00:18:11.319 --> 00:18:13.539
paradox of modern hacktivism. What do you mean?

00:18:13.779 --> 00:18:16.359
Well, the internet provides incredible technical

00:18:16.359 --> 00:18:18.900
armor. You can download software to mask your

00:18:18.900 --> 00:18:21.779
IP address, you can use a cartoon avatar, and

00:18:21.779 --> 00:18:23.940
you can operate on encrypted channels. It makes

00:18:23.940 --> 00:18:26.539
causing global chaos feel like a video game.

00:18:26.579 --> 00:18:29.180
Right. But there is no software you can download

00:18:29.180 --> 00:18:31.599
to give yourself psychological resilience against

00:18:31.599 --> 00:18:34.019
the federal government. It's the ultimate irony.

00:18:34.619 --> 00:18:37.640
Here is a group that practically begged for mass

00:18:37.640 --> 00:18:40.740
publicity. They wore the neon pink mascot suit.

00:18:41.039 --> 00:18:43.940
They demanded cat girls purely for the memes.

00:18:44.500 --> 00:18:47.220
But the moment they actually got the full undivided

00:18:47.220 --> 00:18:49.779
attention of the real world, the moment the spotlight

00:18:49.779 --> 00:18:52.299
actually hit them, the psychological pressure

00:18:52.569 --> 00:18:55.369
completely crushed them. You simply cannot maintain

00:18:55.369 --> 00:18:57.789
operational security when you are addicted to

00:18:57.789 --> 00:19:00.849
virality. Wow. Yeah. The stress of managing that

00:19:00.849 --> 00:19:03.390
double life, trying to be a normal person offline

00:19:03.390 --> 00:19:05.829
while knowing you are a highly wanted cyber criminal

00:19:05.829 --> 00:19:09.470
online is an immense unsustainable psychological

00:19:09.470 --> 00:19:12.470
burden. The tools required to hack NATO are cheap

00:19:12.470 --> 00:19:15.089
and decentralized, but the mental fortitude required

00:19:15.089 --> 00:19:18.230
to withstand the FBI is not. OK, let's zoom out

00:19:18.230 --> 00:19:20.769
and summarize this incredible timeline. Over

00:19:20.769 --> 00:19:23.359
just two years, we watched SiegeSec emerge as

00:19:23.359 --> 00:19:25.539
a group of self-proclaimed gay furry hackers

00:19:25.539 --> 00:19:28.400
pulling basic email spoofing pranks on university

00:19:28.400 --> 00:19:31.279
students. Right? From there, they rapidly escalated

00:19:31.279 --> 00:19:33.220
to credential stuffing multinational software

00:19:33.220 --> 00:19:35.799
companies, exploiting unpatched NATO portals,

00:19:36.119 --> 00:19:38.319
and extorting nuclear laboratories with bizarre

00:19:38.319 --> 00:19:41.119
anime demands. It's quite the resume. It is.

00:19:41.640 --> 00:19:44.759
They then pivoted into hyper-polarized ideological

00:19:44.759 --> 00:19:48.029
warfare, inserting themselves into domestic legislation

00:19:48.029 --> 00:19:50.609
debates and international military conflicts,

00:19:51.049 --> 00:19:54.049
forming ephemeral dark web alliances, until they

00:19:54.049 --> 00:19:56.650
finally flew too close to the sun by poking a

00:19:56.650 --> 00:19:58.950
major political think tank. And that drew the

00:19:58.950 --> 00:20:01.809
direct ire of the FBI. Exactly. Causing them

00:20:01.809 --> 00:20:03.650
to psychologically collapse under the weight

00:20:03.650 --> 00:20:06.309
of their own notoriety. It is a remarkable case

00:20:06.309 --> 00:20:08.490
study demonstrating how the democratized tools

00:20:08.490 --> 00:20:12.029
of the internet allow incredibly niche subcultures

00:20:12.029 --> 00:20:14.910
to project real power on a global scale, but

00:20:14.910 --> 00:20:17.369
also how fragile those groups are when forced

00:20:17.369 --> 00:20:19.910
to face real world consequences. It brings us

00:20:19.910 --> 00:20:21.829
back to that neon pink bank robber we talked

00:20:21.829 --> 00:20:24.470
about at the beginning. The mask SiegeSec wore

00:20:24.470 --> 00:20:26.910
wasn't designed to make them invisible. It was

00:20:26.910 --> 00:20:29.450
designed to make a statement. But the thing about

00:20:29.450 --> 00:20:31.490
wearing a mask that bright is that eventually

00:20:31.490 --> 00:20:34.130
everyone is going to look at you. And once they

00:20:34.130 --> 00:20:36.269
start looking, they don't stop until they find

00:20:36.269 --> 00:20:38.690
out exactly who is inside the suit. The mask

00:20:38.690 --> 00:20:40.769
might protect your identity for a while, but

00:20:40.769 --> 00:20:43.329
it cannot protect your peace of mind. Which leaves

00:20:43.329 --> 00:20:45.829
us with a chilling final thought for you to mull

00:20:45.829 --> 00:20:48.630
over today. We've seen that the tools to cause

00:20:48.630 --> 00:20:51.450
massive disruption are cheap and widely available.

00:20:51.630 --> 00:20:54.910
If a group primarily motivated by internet subcultures

00:20:54.910 --> 00:20:57.730
and memes can successfully breach nuclear labs

00:20:57.730 --> 00:21:00.250
and international defense networks, what happens

00:21:00.250 --> 00:21:02.529
to the future of global cyber security? It's

00:21:02.529 --> 00:21:04.829
a scary question. Will national defense agencies

00:21:04.829 --> 00:21:06.910
eventually have to stop looking just for state-

00:21:06.910 --> 00:21:09.609
sponsored military hackers and start profiling

00:21:09.609 --> 00:21:12.289
niche internet fandoms to predict the next major

00:21:12.289 --> 00:21:15.039
cyber warfare threat? It forces us to reconsider

00:21:15.039 --> 00:21:17.980
entirely who and what constitutes a national

00:21:17.980 --> 00:21:20.619
security threat. It certainly does. Keep diving

00:21:20.619 --> 00:21:22.400
deep and keep asking the big questions.
