Hi, I'm Natalie Brunel for Bitcoin Magazine and today we have a very special interview with Jameson Lopp, co-founder and CTO of Casa and a Bitcoin security expert. We are checking in with him about the conclusion to an investigation that started with this 2017 swatting event and led him on a journey to become untraceable. He's going to share things you need to know about Bitcoin, privacy and security. Jameson, I really want to chat with you a little bit about security because you just got done with like a four-year investigation, right, that started with you being swatted and that was a term that I had to learn and now you're sort of at the end of it. So tell us a little bit about, well, where you're at right now, how you came to the conclusion of this whole investigation and basically peeling back your identity and rebuilding it online.
Yeah, so I would say I really spent the first year after the attack digging into privacy both from a technical standpoint and a legal standpoint. And it was that first year where I was doing all the learning, I was putting various things in place, I was walking away from all of my assets and really anything that was tying my name to my address. And once I felt like I had that additional layer of security, that's when I kind of pivoted and I went from being on the defense to being on the attack. So the next three years were me hunting down my attacker. And this is an extremely long and boring process. One of the, I think, most important aspects of it was that I put a bounty out. That was the only way that I really knew to go about trying to get accurate information was once again, it's all about incentives. You have to incentivize the right people to come forward and to work with you. And then I also learned a lot about the legal system over the coming years and had a lot of problems trying to get people within the justice system to work with me. So that was a very frustrating experience.
I certainly wanted to give up at various points. A lot of people told me to give up at various points. And it was a combination of spending the resources, determination, luck, certainly, some personal networking luck that came into play. And then finally being able to hand over a sufficient level of information to the FBI so that they could pick up the investigation, use their resources, I assume to subpoena and dig into various services that were used by the attacker to then de-anonymize them, track down where the attack actually came from. And once it was handed over to the FBI, it really turned into a black hole. They never talked to you about open investigations. And so it was just sort of out of the blue one day, nearly four years later, when my attorney tells me that we got them. And then it turned into the whole justice system and the fact that apparently federal DAs don't like to prosecute minors. And so then we had to hold out hope that the state would prosecute. And thankfully they did. And it could have fallen apart really at any point in the journey and it's kind of miraculous that it got to the level that it was actually prosecuted and we ended up with a court case and a judgment.
Wow. Okay, wait. Let's back up and start at the very beginning just to refresh people's memories. What actually happened four years ago and why did it cause you to go to such lengths to basically conceal your identity and focus so much on security and privacy?
Right. So there's something that's called swatting. It's been around for probably at least 10 years. Not many people have heard about it because for many years it was kind of a niche thing that you only really saw happen in the online gaming community. Or sometimes it would happen to celebrities or political figures. But essentially someone calls in the right type of threat at your residence. They claim to be you. They claim to be at your address.
And they usually say something to the effect of they have hostages or they have weapons or a bomb or they killed someone. And it has to be this level of like life or death threat that they know will then trigger protocols at that law enforcement agency to send out their highest level of response, which is a tactical team, a SWAT team, as they're generally called in the United States. And this is usually done as a prank against people who pissed somebody else off, which is why it's often celebrities, politicians, so on, so forth. But it's not just a prank. And over the past few years, there are several swatting victims who were actually killed by law enforcement who were responding to their address. And they thought that the homeowner, the victim, was the dangerous person. And they were just too trigger happy and ended up getting shot. So that was my real worry is that what this basically is, is it's a threat of lethal force that can be arbitrarily pointed at anyone, at least in the United States. There's some specifics about the United States that make this a bit more dangerous. But a single anonymous phone call that says the right words can send lethal force to your house. And if the wrong thing happens once your house gets surrounded by law enforcement, then you might have a very bad day. So I felt like I had to treat this as a serious threat, even though it was really considered to be a prank. And the fact that most people who are victims of this threat never get justice, I also felt it was important to just send a message that if you piss off the wrong person, if you swat someone who cares enough, you can be tracked down and justice can happen.
It's incredible. So what was your reaction when you found out that it was actually a juvenile? And what's the biggest takeaway from that discovery?
Well, I knew that that would change things. It certainly made me more empathetic because I remember being a stupid teenager and doing stupid things.
And yet it doesn't lessen the actual threat. The intentions of the person behind it don't really matter when it comes to the fact that this is creating a life or death situation. So if it had been a mature adult who would fully understand the implications of what they were doing, it certainly would have been easier on me. I could have hated them and held contempt for them. As it is, it's a minor. They're basically going to get a warning and have to comply with a bunch of court orders. Otherwise, they do risk worse things happening to them through the justice system.
Are you happy in a way that it caused you to get as deep as you did on the security level and just concealing and protecting yourself from now on? And how did you go about doing that? You obviously spent a ton of money.
Yeah. So I've learned a lot. I've had a ton of different weird projects, research things that I've done over the past decade. And they usually get triggered by something. This whole privacy thing ended up getting triggered by that somewhat traumatic event. But I feel like that particular event ended about as well as it could have with nobody getting hurt. And it was a real eye-opener for me that this is the type of thing that everyone assumes will never happen to them, therefore, why bother putting in the time and the resources to protect yourself against it? But for me, since it became such a real thing, especially just being a somewhat public person, this is something that usually has been relegated to superstar celebrities, people with millions and millions of fans. Because what it is, it's kind of a numbers game, where once the size of your audience grows large enough, then it's just simple math that there's going to be a few deranged people in that audience. And so even you yourself, you are a somewhat public person. You have an audience. And I don't like scaring people or anything. But when you have a large audience, these are the type of things you have to start thinking about.
So I think that anyone who is a public person should consider privacy to be a lot more important than the average person who doesn't have an audience. You can't predict what people are going to do. So think of it as an insurance policy.
So let's talk about three things that people can do. Obviously, most of the people listening to this are not public figures, and they don't have their identities necessarily fully out there. But what are three things that you think everyone should know or remember when it comes to privacy and owning Bitcoin?
Well, you want to leak as little information as possible. So what do you need to do to not make yourself a target? I've said for a long time that the first rule of Bitcoin Club is always talking about Bitcoin. The second rule of Bitcoin Club is to never talk about your Bitcoin. So we've seen a lot of highly targeted attacks against specific individuals because they talked about what exchange they were using or what they were trading, specific software or hardware or other services they were using. Because when you start doing that, that starts to give information to potential attackers to start digging around your sort of online persona and your profile and try to figure out, hey, maybe this person has a Verizon or an AT&T phone and I can SIM swap them and get into their exchange accounts and wipe out all the money that they have on there, and so on and so forth. So that's the first thing is just don't have a loud mouth. The next one is kind of similar, which is don't flaunt your wealth. This is something we see a fair amount in the wider crypto community, especially with people purchasing like art or NFTs or whatever that are worth millions of dollars and putting them on their profile and basically saying, look, I have so much money, I can spend it on this esoteric thing.
And then I think even apart from Bitcoiners, crypto-owning folks in general, it's just good to have a baseline of online hygiene and privacy and security practices. Install ad blockers on your browser, use password managers to generate unique passwords for every service that you use, and these are things that don't take more than a few hours. You can basically spend a weekend improving your online privacy and security, and that will make you a harder target than 95% of the rest of the people who are on the Internet. And when it comes to privacy and security, whether it's digital, physical, whatever, it's not about having a perfect setup. It's about having a hard enough setup to attack that other people look like more attractive targets than you do.
Got it. So don't talk about your Bitcoin, don't flaunt your wealth, and good online hygiene. Got it. Just to start to wrap up, what's something you wish you knew before you set off on this sort of investigation and journey to basically remove yourself and your affiliation with your assets, your online profiles, and start over again?
How long it takes for lawyers to do things. It was amazing to me how many tens of thousands of dollars it took just to set up the legal structures required. And then once you do that, then you find yourself basically married to spending a lot more money on these lawyers and accountants to maintain everything. When you're creating basically layers of protection, you're creating these legal proxies. And I kind of assumed it was going to be like a one-time set-it-and-forget-it type of thing. But just due to the way that the legal entities work, whenever you're doing your annual updates, you have to file documents all the time, you have to make sure all the taxes get filed for all these entities. And so essentially, you're entering into kind of a lifelong contract of hiring various other experts to maintain these things for you.
So it is certainly a lifestyle that you have to opt into and not just like a one-time setup.
Wow. So if someone wanted to do what you did, what would be the first step or the first resource you would send them to? If maybe even they just wanted to start very, very basic and have their computer be online where it was not connected to any server that people could track down?
Well, at the time, when I was looking into all of this stuff, there were a few books out there that were a little bit helpful for me. But there was a book that didn't exist that I tell everybody to go get now. And that is called Extreme Privacy by Michael Bazzell, which of course, not his real name, but a former, I believe, federal agent of some sort who is even deeper into privacy stuff than I am. And if you go buy his, I think the third edition now is like 550 or 600 pages, but you go to Amazon and pay like $40 for that extreme privacy guide, that will cover so many different aspects of your life. And you can start out with just the digital hygiene stuff. And then if you want to go deeper, you can look into all of the legal entity protection stuff. But this is basically a guide written by a guy who works for celebrities and high net worth individuals to essentially create this whole framework of protection around them. So he's done it for who knows how many people, and he's learned through a series of mistakes and things that have gone wrong, exactly what works, what doesn't work. And you also note that he seems to put out a new edition of this every year, and that's because things change as a dynamic environment, you have to stay on top of what the latest tech and the latest legal statutes are.