Mar 21, 2024
On March 15, The Capitol Forum’s Teddy Downey had a conversation with Joseph Cox, one of the founders of 404 Media, on his latest investigation into how hackers and fraudsters are gaining access to sensitive drug ordering tools and then advertising some of the most tightly controlled drugs in the country, including fentanyl. The full transcript, which has been modified slightly for accuracy, can be found below.
TEDDY DOWNEY: Good morning, everyone. And thanks for joining us today for our conversation with Joseph Cox on “How Hackers Dox Doctors to Order Mounds of Oxy and Adderall”. I’m Teddy Downey, Executive Editor here at The Capitol Forum. And our guest today, Joseph Cox, is one of the founders of 404 Media, a journalist‑founded digital media company exploring the ways technology shapes and is shaped by the world. I can’t say enough good things about 404. The work they do is extremely high impact. It is read by decision‑makers, the public, just an incredible community of people. And we have an amazing partnership with them that we are so happy with to support the work that Joseph and his team are doing. And this is one of the articles that we partnered up on. First, Joseph, thank you so much for doing this. Really appreciate it.
JOSEPH COX: Of course.
TEDDY DOWNEY: And just really quickly, if you have questions, we’re going to talk for about 10 or 15 minutes and then we’ll open it up for questions. If you have questions, please either enter them into the questions tab in the control panel or shoot us an email at editorial@thecapitolforum.com.
And so, Joseph, maybe you can just run us through like what happened with this piece. I mean, it’s just an incredible story. And maybe you could give us sort of just a little bit of depth of what you found and tell us a little bit of the story about how these how these hackers are getting all this ordering all this oxycodone or Adderall.
JOSEPH COX: Sure, sure. I mean, I’m sure we’ll drill down into the some of the specifics. But like, the very high-level view is that I spend a lot of time in criminal chatrooms, especially on the app Telegram. I’m sure many listeners are familiar with. I join these groups and I see what these people are doing. A lot of that is SIM swapping. A lot of that is hacking. But I kept seeing these screenshots of these drug panels I hadn’t seen before. And it’s the panels used by medical practices to basically fulfill electronic prescriptions, e‑scripts. And there were lots of photos of drugs as well, apparently showing the others being successful.
So, I’m trying to figure out how are these people using these panels? How are they gaining access to them? And how are they ordering the drugs? And again, the sort of brief overview is that they are hacking and stealing the identities of doctors. They will do this by especially getting their DEA number. And then there’s the other number which is given by the Department of Health. You don’t actually need to phish. I’ve since learned that you can look that up if you have some information about a doctor. But they do that first of all.
Then they have to get the doctor’s really personal information, like their Social Security number, and various other pieces of PII. We’ll probably talk about this in a bit, but the way they do that is through these highly available and popular underground bots that let you dox basically anybody in America. And I know that sounds like an exaggeration, but it’s really not for reasons we’ll get into.
Fraudsters then take that information and they create an account in the doctor’s name, with the doctor’s identity, on one of these third-party portals. And I don’t think members of the public even know these portals or pieces of software exist. It’s an industry that they may interact with, but they don’t know about it. They just get that prescription and move on with their life. But the fraudsters go into there. They then add patients which relate to real people, in a way stealing their identity as well. And they will push prescriptions out to a CVS. Or I have seen photos of Walgreens as well, but I didn’t go down that rabbit hole quite far enough. But there was at least evidence of that as well. And then various, mom and pop pharmacies as well.
At the end of that, they then send a runner—I guess you could use the word mule as well, whatever, somebody else who’s also in on the scheme—to go and pick up those narcotics, those prescription medications, with an ID if they need it. Also, very easy for these people to get. And then at the end of that pretty convoluted, admittedly, process, they have whatever drug they ordered. And to me, it sounds complicated. To the fraudsters, they’re kind of like, well, yeah. This is just what we do. This is simple. I don’t think people should underestimate how resourceful some of these hackers and fraudsters and scammers are. Like, you may think why would they ever target these third-party prescription portals? It’s like, just assume they’re going to. If there’s an opportunity, they’ll take it. That’s sort of the scheme from a 30,000-foot level.
TEDDY DOWNEY: I’d love to drill down in a couple. So, when the dox—how do they—I kind of want to walk through the mechanics because it seems like they have different strategies.
JOSEPH COX: Yeah.
TEDDY DOWNEY: These bots, what information are they getting from these bots? Tell us about these bots. They’re basically breaking into data that has been bought and sold any number of times in this sort of opaque data broker world. And maybe you can walk us through a little bit of like that opaque data and like how fragile or how vulnerable it is to being stolen, how it gets stolen and like what is in the data. That would be amazing. Because it’s second nature to you. But even though I’ve read all your stuff about this, I still—kind of my head spins a little bit when I’m trying to understand it.
JOSEPH COX: Yeah, absolutely. And this is like the most interesting part to me to be honest. So, I have used these bots myself. I have paid $15 in bitcoin or whatever to obtain personal information of my target with their consent. Obviously, with their consent because I’m doing a journalistic investigation.
And you type in their name and the state that they’re from, and what you get back is their date of birth, their Social Security number, their unique driver’s license number, a list of their current and past physical addresses, the names of their relatives, their past and current addresses as well. Sometimes you get phone numbers, historical and current. You get the telecom provider linked to each of those. So, your T‑Mobile or your Sprint or whatever—not Sprint anymore—but whatever telecom is going to be linked to it. And that’s obviously a mountain of data. And it gives you basically everything you need to, if not steal somebody’s identity, at least have a very, very good shot at it.
As for where the data actually comes from, it is—at least a lot of cases I’ve seen—credit header data. Now, in the States, when you go and you open a credit card with a bank or whatever, your credit header data, your information, gets transferred to the big three credit bureaus. And that header data is everything above the actual credit report. So, it’s like the personal information that identifies you. That’s the header data. Everything under there, your actual credit, that’s something else. That’s part of the credit report.
What the big three bureaus do is that they actually sell, trade or otherwise distribute credit header data. So, like a massive amount of companies. And if they don’t distribute it directly to a company, another one will sell it to another one. And it creates this honestly very dizzying, opaque ecosystem of companies that buy and sell and use credit header data. And that will trickle down from the bureaus to stuff like insurance companies or bail bondsman, skip traces, bounty hunters, essentially. I’ve seen some that are like alumni companies, where maybe if you move house, somehow your university or your college always knows where you are to then ask you for more money. Like, how do they always know where I am? It’s the credit header data.
So, there are debates over what parts of that transfer are legitimate and what parts maybe should be curtailed? And that’s a conversation I’m sure we’ll get into later. The CFPB’s actively discussing that. But where the hackers come in, and the fraudsters come in, is that in various points in that supply chain, hackers are injecting themselves. What I found is that in some cases, there are companies that will get the credit header data, and they’ll become a reseller, such as, oh yeah. We’ll then sell it to the bounty hunters or the bail bondsmen or even to law enforcement.
Well, the hackers just present themselves as somebody you can use to buy that data, and then they get in there. And sometimes they do that by compromising legitimate accounts. I spoke to a few people involved in a case where a former law enforcement officer, his identity was stolen by hackers, who then used that to pretend to be him and then get access to the data. Other times they just make one. It sort of almost doesn’t matter because it’s so case‑by‑case on how each individual hacker gets in.
But the end result is that super sensitive data, that no member of the public really thinks like, oh, when I open a credit card, it’s going to end up with some hacker, five, six, seven steps away in a supply chain. That’s exactly what’s happening. And then that’s being used to dox doctors. I mean, it’s not in this piece. But some of the other ones I’ve written about those bots, there are hyper‑violent criminals who use these bots, that will use it to dox each other, to then rob each other of Bitcoin, all of that sort of thing. And there’s a quote in this article which says that these bots are basically the biggest issue when it comes to identity theft in the country. And I don’t have the data to support that. That’s just what the fraudster said. But with the potency of the data, I would definitely agree. Because I’ve seen the data myself when they tested it.
TEDDY DOWNEY: I think of a phishing scam and they email me and try to get me to put my stuff in. But they don’t really even need to do that. They basically have enough where they can set up an account in your name basically. What exactly happens or what are some kind of like examples of like how they take over these people’s accounts on the software, when it comes to the software?
JOSEPH COX: Yeah, when it comes to the phishing, all they’re really going to need to phish is the DEA assigned number, which is given to all medical professionals who can prescribe schedules, medications. You’re not going to get that from one of the bots because that’s not credit header data. So, they’re going to need to phish that in some way. And that would be email or phone is what the fraudster told me. I can imagine any sort of scenario where you just pretend to be a colleague or you pretend to be from another practice and be like, hey, I need to verify this or whatever. You can do that any number of ways.
As for how they’re able to take over accounts, I mean, I would phrase it almost differently in that the fraudsters and the hackers get the information and then create a new account in the doctor’s name. It’s a really interesting blend of hacking and identity theft at the same time. Like, I don’t think this would be possible if the doctor already has an account on one of the platforms. Because to the platform, they would be saying, why is this doctor making two accounts. This is really, really strange.
So, I imagine it’s not going to be successful all of the time. But one of these fraudsters just has to be successful once essentially. They find the right platform where this doctor doesn’t have an account, and then they spin one up with all that information that they got from the bot in a few minutes. And the timing of this is the fraudster told me they can dox a doctor in the specific zip code, which, of course, is vital because you are going to a physical pharmacy. At the end of it, you need the doctor to be at least in the same state, probably even closer than that. They can do that in 15 to 20 minutes. So, it’s very quick.
TEDDY DOWNEY: So wild. So, they open this account. And one thing you bring up that I kind of wanted to touch on because I thought it was really interesting. These are vulnerable people in some respects. They’re overworked. They’re tired. They’ve got a million things that they’re doing. I mean, just take one look at these people at these pharmacies or just generally talk about what’s going on in the health care industry and staff being cut everywhere. These people are overworked. That came up in the story. I wonder does that make them better targets? I mean, does that make this a more fruitful place for—I mean, it probably doesn’t stop a hacker, but it probably helps therm. If you’re tired, if you’re overworked, that type of thing makes it easier to phish. How should we think about that?
JOSEPH COX: Yeah. So, there was a really good, I think, USA Today piece about sort of the labor issues inside pharmacies and being overworked and everything you just said. My colleague, Emanuel Maiberg, did a somewhat similar story about LabCorp and workers there being really overworked and that sort of thing. Obviously, they’re not one and the same, but they’re broadly the same sort of issues, right?
The point being it just increases the chance for mistakes to be made. And I can imagine that you’re a pharmacist. You have a ton of people to get through because there’s a massive queue. Sometimes pharmacies can be quite chaotic environments because of all of this overworking and understaffing and all of those issues. And you, as a pharmacist, receive a digital, an electronic, prescription that looks like it’s coming from a real doctor. We’re not talking about swiping a doctor’s physical pad and faking their signature. The prescription has come in. And for all intents and purposes, it looks legitimate. Because in a way, it is legitimate. It is using the real prescription system with a real doctor’s information.
So, that all looks good. The pharmacist then could look at it and be like, oh, this is very suspicious. Because they’re ordering a bunch of a controlled substance all of a sudden, something like that. And look, it’d be great if they could catch that. I don’t think that’s going to happen 100 percent of the time. And it’s interesting from a security perspective, because you have the cybersecurity stuff and the identity theft sort of material on one side. And then you have the last line of defense, which is just a human pharmacist who has to deal with like a very human problem of making a judgment call on whether this is legitimate. And even if it looks a bit unusual, does that pharmacist really have time to phone up and be like, hey, I got this legitimate looking prescription, but it doesn’t feel right. I mean, maybe they do, maybe they don’t. But there’s cybersecurity and human factors here at play.
TEDDY DOWNEY: And we’ve got a couple of questions in here already. But before that, I do want to get to some of the companies that you mentioned and kind of just go through the types of software and like what is going on here? You mentioned a company called Tebra, MastersRx. These seem like sort of intermediary software providers, almost like a CRM or whatever, for the doctors where you can do scheduling or whatever. I’m curious, what do these three software systems do? Is this something that doctors use to like type in their prescriptions, right?
JOSEPH COX: Yeah, these are the targets basically by the hackers and the fraudsters. And Tebra is the main one I can talk about because they responded. The other companies didn’t respond to, I think, months of requests for comment or at least a couple of months. What Tebra does is it basically offers like an all-in-one software solution for medical practices. So, you’re a medical practice. You buy the software or license it, I guess. And this gives you the ability to schedule appointments with your patients. It gives you the ability to communicate with them through a website or an app or very, very common practice across medical practices now. And crucially, it can also handle the electronic prescription aspect of it.
So, it’s this all-in-one software tool that sounds absolutely great for a medical practice. Like if I was running one, I could absolutely see why I would go to one of these turnkey solutions. It looks like it would make everything so much easier. But it does also present, not just a security risk, but I would just say an opportunity for fraud if the fraudsters are able to get into it. To their credit, when I was still trying to figure out how the fraudsters were actually doing this, initially it was like, oh, the hackers are just breaking into accounts. And there is some indication of that. I saw hackers selling accounts as well, which I don’t really go into in the piece because I might do another one on that. But to Tebra’s credit, they do say like we enforce two factor authentication and all of that sort of thing. That’s all well and good. That doesn’t necessarily stop a fraudster from creating an account in the first place. But that is this—shadow industry is far too strong because it’s there. You can go look. But again, it’s an industry that I don’t think members of the public even give a second thought to, but which is crucial for this scam.
TEDDY DOWNEY: Now, one name that is familiar to me—and then we’ll get into the pharmacy side of this next—but the McKesson. They had a platform too, effectively, I mean, I know they have these, I mean, when we’ve written about them, they have a really big presence in the oncology practice market where they’re the buyer for oncology practices. So, I’m curious, how did McKesson—do they have a software platform also? Or how did you stumble across McKesson?
JOSEPH COX: Yeah, I mean, you definitely know more about McKesson than me. But what I can say is what I saw in this big Telegram group, which is that, again, scrolling through, looking for more evidence, and I come across a video in which an apparent fraudster is filming their laptop or their computer screen, and they’re navigating this portal with McKesson branding. I mean, it is their site for all intents and purposes and appearances. And they’re scrolling through and clicking on the logo and seeing various like controlled substances pages. And if I recall correctly, that particular fraudster was advertising access. As in, like they weren’t saying necessarily, I’ll buy drugs for you. But hey, I got into this account and I can make it available to you.
Again, I think that’s going to come up in the future piece, the account selling. But that’s the evidence I saw. And rather frustratingly, like a lot of these companies their response, as I said, to the requests for comment. And I’m always open to just having a frank, sometimes even an off the record, discussion with these people and these companies. Because we’ve found evidence you’ve been compromised and you should know about this. And, of course, it’d be great if you’d provide a statement as well. But a little frustrating that people didn’t get back to me, yeah.
TEDDY DOWNEY: Yeah, I hear what you’re saying. And especially since there’s no—your story is actually talking a lot about how sophisticated these fraudsters are and what kind of world there needs to be to stop that from happening. Like you talk about solutions that are at the origin of how they’re even getting in the door to do this type of stuff. But it’s a lot. I expect them to never call me back or not call me never. But it’s much more antagonistic when we’re saying, hey, we found out that, I mean, the stuff that a lot of these companies do is knowingly engaging in these kind of anti-competitive conducts. But you’re coming at it from the criminal side. You’d think that there would be more interest in like, hey, we don’t like this. We’re going to cut it off. Similar to what you got from Tebra, right?
JOSEPH COX: Yes, and CVS as well. CVS we’re actually very open to having conversations and did provide a statement. They were actually very helpful. And, of course, sometimes that happens, sometimes it doesn’t. But I think you’re right in that I’m not even necessarily putting the blame on these platforms or portals. It’s more, wow. This entire fraud process exists. And apparently, we don’t know about it, you know.
TEDDY DOWNEY: The last thing – and then I want to get to these questions I’m delaying. But it does seem, again, I don’t want to bring up this overwork thing too much because it was kind of a tangential point in your piece. I mean, I look at these people in the pharmacies, the idea that they’re going to stop you because their ID looks a little off. I mean, they’re just churning. I mean, they’re getting through. They’re just trying to survive. They’ve got long lines. They’ve got understaffing. How are they reasonably going to be like, oh, this is legit? This is the person. This isn’t the person. I mean, you’ve done that piece on how good fake IDs are getting. I imagine that’s cake for these people.
JOSEPH COX: It’s so easy to get a fake ID nowadays. And the piece you’re referring to is when there’s an online service using a “neural network” to generate photos of fake IDs. Obviously, that’s not the same as physical, but it’s cheap and easy and incredibly convincing, yeah. Like, you hear that step of, oh, they need a fake ID. That’s not the hard part. That is not the hard part.
TEDDY DOWNEY: Yeah, yeah, totally. I mean, these people you just can’t really reasonably expect that the pharmacist is able to spot this. It’s just not reasonable. I mean, you’d have to have a whole – now, you might be able to have a more robust process for review, like how to be a little bit more secure, more like TSA, like check to see if it’s a real ID or something like that maybe. But, as it is now, you can’t expect the worker to be able to police this. And we’ve got a bunch of questions here. I want to get through these. First question is any additional details shared by bad actors on how they steal real providers’ data to register with EHRs? We talked about that a little bit.
JOSEPH COX: Yeah, I would just bring it back to the bots. I said, well, data is available. I would just really, really stress the ease of it. And I think that’s a big part of it. Like the barrier to entry has been lowered so much for people to conduct fraud, that, yes, it’s pretty sophisticated that they struggle with these parts of the scam together. It doesn’t require any sophistication to actually get a doctor’s personal information. Because as I said, you enter it into the bots and it’s there. That’s the thing I keep coming back to is these bots. I can’t stress enough how easy it is to do it.
TEDDY DOWNEY: Next question here. Yeah. I mean, I would say personally, that is just horrifying. I mean, I’ve been super creeped out. Like a lot of times, I’ll read a 404 story and I need to take a shower. Because I’m like how does this world do this with this data and these data brokers?
JOSEPH COX: You’re not the first person to mention specifically about a shower. Yeah, a lot of people say that. It’s a constant refrain.
TEDDY DOWNEY: It’s like this is happening in the ether, to me or to everybody. And like, I just need to like wash it away. I don’t know. There’s something about it. But the data broker, how many people, like how many different hands is your data is touching. And just how clearly that is an unsafe way to conduct business. Have you all done any other work on this CFPB role? I mean, one of the things that I’m actually surprised that, again, it’s like, well, this is clearly insane, right? This supply chain of information. This can’t continue. And by the way, it’s already out there. So, how much can like this—we’re just talking about kind of like reining it in, in the future ostensibly. But, I mean, in D.C., the financial lobby against header data is like, well, regulating header data is so crazy. What a crazy thing to do. But you read your stories and like how could you not? This is just like a basic protection, like the most basic privacy protection. Because it’s just so obvious that you can’t let this crazy system continue. What’s your view on what needs to happen to regulation of that header data to prevent this from happening in the future?
JOSEPH COX: Yeah. A couple of things. The first thing I’ll say is that, in a somewhat new development, the DOJ is going against people who like use or otherwise maintain these bots. I mean, I think I’ve only seen one or two so far. But there has been a criminal complaint against somebody who was using one of these so-called TLO bots, called TLO. But just because that’s a product from TransUnion doesn’t necessarily mean the data is from TransUnion. That’s like the brand in the underground. But DOJ is arresting people. So, that’s one way. That’s not going to work. You can’t arrest everybody who’s using these. How would they even do that technically, identify them? That’s very much a Whac-A-Mole.
I think that, first of all, it’s a sort of lack of information on where exactly is this information, credit header data, even ending up? Like, I have never seen a comprehensive list that say that every company is receiving this data. And I don’t know if that list even exists necessarily. Like, I don’t know if even the big three bureaus have that list because they give the data to somebody else, who then may give it to somebody else.
So, first of all, you’ll be trying to establish even who has this data, what companies and the scale of that? All we know is that a lot of companies have it basically, but I can’t be more specific than that, rather annoyingly. Then on the points of where you say, like it’s already out there. And I think that’s going to be true in some cases. But from my understanding, some of these bots are using live API access into like a data broker.
So, it’s not like it’s not like the hackers have just bought a big database. Like they haven’t just bought like literally a CSV file and they’re hosting that. It’s more I send my request to the criminal bot. The criminal bot accesses an API with the data broker and then pulls the information. So, theoretically, if there was to be action against those individual data brokers, it could actually cut off the data.
And then the last part, sort of to actually answer your question, is that I don’t think it’s a controversial point to say—and even though I say this as a journalist. I really don’t try to take a stance on things because that’s not my position. But I think it’s very, very uncontroversial to say I don’t think criminal hackers should be getting access to this data. Like, that’s very, very easy to say. And that’s what’s happening. And do you penalize every single data broker that has then had a compromise in some form? Well, that’s just a Whac-A-Mole in the same way the DOJ goes and arrests every single person who uses the bots. There needs to be something more comprehensive on the use cases and the terms in which the credit header data is distributed in the first place.
TEDDY DOWNEY: Yeah, I think this is something that seems super important that the CFPB is doing. I am shocked at how controversial it is, at least from a lobbying standpoint. But we’ll see how that goes. It seems like they’re going to propose a rule soon on this.
JOSEPH COX: Yeah, I’m very much looking forward to seeing what action is taken and genuinely curious. Because I’m very pleased that they gave me that statement. Because it was interesting to see their perspective in the story.
TEDDY DOWNEY: Yeah, they did respond. And another side of that is you’ve written, your team has written, about the FTC cracking down on data brokers. You said you mentioned DOJ. FTC as well has had some action. Again, it feels a little bit like Whac‑A‑Mole. I mean, it’s important, I think, in the sense that they’re making them delete the data and kind of go through and not retain the data afterwards. It’s like not just the cost of doing business. But it’s hard to see individual crackdown as anything more than Whac‑A‑Mole. But I’m curious to get your take on the importance of the FTC, how complementary what they are doing is with what DOJ and CFPB are up to.
JOSEPH COX: Yeah. So, the FTC has done some really interesting enforcements recently. That was one against X-mode, which is a location data broker. And a few years ago—at this point, quite a while ago—I showed that X-mode was harvesting location data from a massive Muslim prayer app and Muslim dating apps. And then X‑modes customers then included, U.S. military contractors.
Obviously, users of the Muslim prayer app weren’t particularly happy about that. And the FTC came and they’ve banned X-mode from gathering sensitive location data. That’s a really interesting development. And they’re doing more stuff in that space. They have done more stuff in that space. I kind of want to give them credit in that, yes, it’s kind of a Whac‑A‑Mole. Because in the same way we’re talking about the credit header data broker industry, there’s also the industry of location data, which also contains a ton of people, a ton of companies. And, of course, you can enforce against each company. And then that will take a long time or something.
But if I was in the location data industry, I would be pretty scared. It would be like, oh, we can’t do this anymore. Of course, I’m not in their head. That’s just me trying to extrapolate from the people in the industry I have spoken to. But there is a merit, of course, to going against individual companies. I don’t think this necessarily applies to the credit as an issue. Like maybe I’m wrong on that. It certainly applies to the location data, one. But, of course, a federal privacy piece of legislation would be highly effective or potentially highly effective, if written correctly, to deal with a lot of these issues. And maybe that would apply to credit header as well. I’m not sure.
TEDDY DOWNEY: Well, it’s interesting. I mean, I think there’s sort of like different approaches. If you think about the header data, it actually kind of sounds a lot like, by the way, that Google Facebook data problem. They have all this data on people and it goes through all these third party AdTech, whatever, researchers. I mean, there’s an analogous problem. And if you’re talking about, all right, these kind of surveillance business models, you’re talking about kind of two sort of – they’re different problems in that the type of data that’s being gotten is different, that you’ve sort of have this completely unregulated supply chain. And are you going to go at it from who can get the data? Regulate who can access this? Who can it be sold to? Like, what constitutes a sale?
JOSEPH COX: Right.
TEDDY DOWNEY: And then by the way, is it like cracking down on having it and using it, to your point, regulates the industry from a big company standpoint. If you’re going to be a criminal, you’re not paying attention to the FTC rule. But if you want to be a legitimate business, you’re going to be paying attention to the FTC enforcement and the rules. So, it is kind of a fascinating way that all of this kind of fits together.
JOSEPH COX: Yeah. If you’re a fraudster, you’re not going to care about FTC rulings or anything like that. The people who will care are the people, the legitimate ones getting the data. Yes, I totally agree.
TEDDY DOWNEY: We also got a question. Did the bad actors buy data from real data brokers? How did they get access to the wholesale supply? I don’t know. I mean, you really write about more that they’re getting access to the system and then ordering prescriptions. Did you get any sense that there was access to buying it from wholesale? I can’t remember that in the story.
JOSEPH COX: Yes, this is mentioned just briefly because I think there’s more room for reporting on that. But there was evidence that wholesale distributors were compromised in some fashion. Again, very similar to some of the other evidence I described. It was I have a screenshot or like a photo of somebody on a laptop. And then they’ve put their username into the panel to prove that they have access. They’ll take their username fraudster 612, I’m just making that up. And then they’ll type it into the panel to show that they’re logged in as a way of proof. And I saw something along those lines with wholesale as well. Again, it gets a little bit muddy about, well, are they like using that panel to then order? That’s a little bit tricky. And I’ll continue to work on that. The other thing is just that some of the quantities in the videos and photos published by the fraudsters when they have got the drugs, I mean, that’s like massive boxes of like Xanax and stuff. It’s just like a huge cardboard box just filled with bottles. It’s not personal use. I’ll say that.
TEDDY DOWNEY: Yeah, that wholesale angle is really interesting, especially since you also got the McKesson. I wonder if it’s like on the McKesson platform for ordering. Because they’re kind of big enough conglomerate that it could be either, potentially. Although, I don’t know enough about their software platform. So, I should probably dig into that more. But that is really interesting. Are there any other questions? I think that’s it. I think that’s everything we’ve got.
I guess I have one last question, which is I’m actually surprised that opioids is not more red flags. I’m surprised that they can order that. Like, if you’re going to have any product that has more red flags associated with it, you would think that opening a new account and ordering a bunch of opioids, that would just get flagged. I mean, in some respects, okay, if you’re ordering some Xanax, some Adderall, a mishmash, maybe. But I’m kind of surprised that, especially on the wholesale side, they’ve gotten whacked really badly for not having enough controls on opioids. Were you surprised at all? And also, in terms of the drugs that you saw that was getting bought, how big was opioids as one of the drugs that they’re ordering successfully and getting their hands on?
JOSEPH COX: I mean, opioids was—I mean, there were two main ones. They were opioids. And then there was like Adderall. And I didn’t even personally pay that much attention to Adderall. I was much more focused on the opioids until my editors, Jason Kaplan and Emanuel Maiberg, went in and they were much more drawn to the Adderall part because of the massive Adderall shortage in the states. Their friends and acquaintances and that directly impacted them. So, that made sense.
But yeah, opioids were a sizable enough chunk of the evidence that I was seeing that to me was the focus of the piece. And I agree with you that, like, maybe that should raise red flags. And it’s a little hard. Because, of course, I’m not on the pharmacist’s side. I don’t see what the prescription looks like coming in. I just see what it looks like when the fraudsters send it. But maybe there’s a world—and maybe the platforms already do this to be fair—but maybe there is a world in which you can’t order opioids if you’ve just opened the account like 24 hours ago or something like that. That being said, you’re a doctor. And it’s like, wait. Why do I have to wait time to prescribe medications for my patients? That could actually impact people negatively who genuinely need medication. So, it’s a hard problem, yeah.
TEDDY DOWNEY: Yeah. I also wonder, like, why not set up two‑factor authentication? I guess, can you even do that when you set up an account? I don’t know. I guess you’re setting up the account. So, what’s the point of it?
JOSEPH COX: Right. You don’t even need to bypass the TFA because you’re already—
TEDDY DOWNEY: Yeah, I guess there’s no way to do two‑factor. But maybe some more robust way of setting up the account, proving that—I don’t know. Who knows?
JOSEPH COX: Maybe a video phone call or something like that, where in the same way I have to provide a selfie to my bank or whoever. Which is not foolproof, but it’s still a big ask. Maybe there’s something like that for making these accounts.
TEDDY DOWNEY: We have got one last question here. Do you have any suggestions for doctors on how they might better protect their information from being doxed? I mean, I will just volunteer here that it doesn’t sound like there’s much you can do. But I would love to get your thoughts, Joseph. If you’ve ever gotten a credit card or tried to buy a house or anything, I mean, your header data’s out there. But I’m curious to get your thoughts on this, Joseph.
JOSEPH COX: Yeah, you’re right in that if you’ve interacted with the credit bureaus in any way, they have that data. Now you can go and try to have it removed. There are services. I won’t name any specific ones because I won’t vouch for, like, individual ones necessarily. But there are various online services you can use that you pay and then they remove your data from the internet. The thing is, most, if not basically all of them, don’t really deal with credit header data because it’s such a pain to have it removed from the bureaus. Because, I mean, there’s a legal requirement, right? Because it’s going to be fraud related as well.
I think the best you could probably try to do is have it changed at the credit bureaus. So that any future data pulls from the credit header data is going to be a different address or something. Which, that being said, doesn’t necessarily stop this issue because you’re not trying to mask your physical location. You’re trying to stop hackers getting access to whatever data that will allow them to steal your identity. Yeah, there’s just no easy solution I’m afraid. When it comes to the DEA number, I mean, maybe stuff like, hey, don’t hand that out necessarily. But that’s still going to be difficult because you may need to do that in the course of your job. So, usually I have advice, but I’m sorry that this is just so complicated and difficult, I can’t really give any good advice, you know?
TEDDY DOWNEY: I’ve got one last question for you. Then I’ll let you go. We’ve taken a lot of your time. Very, very thankful that you did this with us. When you’re on Telegram, what is going on with these criminals that they’re like, let me tell you about how I do this? I find this endlessly shocking and amazing that you guys get these criminals to tell you so much stuff. It’s fascinating. And every time I read it, I can’t believe it. I would love to hear what is going through their mind. Why do you think they’re doing it? Or just like any color on what it’s like to be in these chatrooms and get these criminals to talk to you. It’s kind of just an amazing thing to read about.
JOSEPH COX: Yeah. I mean, I sort of carved out a little bit of a niche here where, especially starting with the Silk Road, which people may be familiar with, the first dark web drug market which Ross Ulbricht ran. And I would talk to people there. I interviewed the drug kingpin of the second Silk Road, all of that sort of thing, while wanted by authorities. And then this extends up to now I talk to like drug traffickers who deal in tons of cocaine and that sort of thing.
The main thing is that I always approach it from a place of genuine respect, and I do mean that. In that, obviously what they’re doing is illegal and I don’t condone the activity. But a part of me just genuinely respects sometimes the ingenuity that’s going on here and the resourcefulness. And I know not everybody would agree with that. But I think that genuinely comes out when I’m asking questions. And they’re like, oh, this person actually wants to know.
Now, to be clear, not everybody will reply. I messaged maybe five fraudsters for this, and then I got like two or three of that. They’ll either not reply or they’ll call you a Fed, which is always fun. But you just keep trying. And you try to obviously verify everything they say as much as you can as you would any other source. But criminals shouldn’t be off limits for journalists. They’re just as important as, like, talking to the authorities sometimes. But yeah, you take their security seriously. You meet them, whether they’re Telegram, Signal or whatever. And you come from a place of respect and they often open up, yeah.
TEDDY DOWNEY: Actually, I lied. I have one more question. You mentioned Bitcoin. Is all of the criminal stuff paid in Tether and Bitcoin or whatever? Like how do the criminals do commerce these days?
JOSEPH COX: Yeah, the vast majority is still in Bitcoin sometimes you’ll see like it’s a little bit Monero which is a more privacy focused coin. But that’s such a pain for people to get that—I mean, when it comes to ransomware, obviously, criminals want the victims to get the cryptocurrency as easily as possible. So, they stick with that. And it sort of applies here as well. If you’re running a criminal credit header bot, you don’t necessarily want to use Monero because that’s a pain for these people to use. Because even if you’re a fraudster, you still want it to be seamless and easy. And that’s kind of what I meant about the lower barrier to entry. And I think the barrier is so low now that people are getting into frauds who may not have done it before, because the bots are that powerful, basically. So, if you can sell access to the bot in Bitcoin, that’s a lot better than Monero or Zerocoin or whatever. It’s the one I see the most of. Tether, you definitely see that in pig butchering. Tether’s not really used in the communities I talk to who are much younger hackers. I don’t know why that is. They just use Bitcoin. It’s reliable for them, I think.
TEDDY DOWNEY: Fascinating stuff. I’m super excited to keep reading about it. I think it’s super interesting. Thank you so much for doing this, talking to our audience. I know we had some very interested listeners here. So, thanks again. Look forward to keeping the partnership going. And really amazing work here.
JOSEPH COX: Thank you so much. Happy to do it anytime.
TEDDY DOWNEY: Awesome. Thanks to everyone for joining the call today. And this concludes the call. Bye‑bye.
