Most security breaches don't begin with sophisticated code or elaborate technical exploits. They begin with a phone call, a convincing email, or someone at a help desk who just wanted to be helpful. The human layer is often the weakest link, and the criminals who understand that are the ones causing the most damage.
My guest today is May Chen-Contino. She's the CEO of Unit 221B, a threat disruption company that delivers actionable intelligence to enterprises, law enforcement, and government agencies. Her background spans cybersecurity, fintech, and SaaS leadership at companies like PayPal and eBay, and she brings a distinctly mission-driven lens to the work, shaped equally by a career in business and a background as a Krav Maga instructor.
Unit 221B operates less like a typical security vendor and more like a specialized investigative unit, with a team that includes tenured ransomware experts, incident responders, and former law enforcement, all focused on one outcome: criminal arrest. May has seen firsthand how ransomware gangs operate with their own codes of conduct, how a younger generation of cybercriminals is throwing those rules out entirely, and why paying a ransom is increasingly a bet that doesn't pay off.
We talk about why social engineering has overtaken technical hacking as the dominant attack vector, what organizations and individuals should never do in the aftermath of a breach, and how crimes against children online often go unreported for the worst possible reasons. May also shares a story from her own experience being scammed on eBay, and what she did about it, which tells you everything you need to know about how she approaches this work.
“A small incident is not that different from a big incident. It's just the level of stress and visibility that comes with it.” - Bryce Austin
Show Notes:
- [1:28] May shares her background and how she came to lead Unit 221B, a threat disruption company serving enterprises, law enforcement, and government.
- [1:41] May traces her path into cybersecurity, explaining how a lifelong sense of justice and a friendship built through Krav Maga training led her to a team of investigators doing real criminal work.
- [5:55] May recounts being scammed while selling luxury shoes on eBay, describing how a fraudulent PayPal email convinced her the sale had failed after she had already shipped the item.
- [8:22] Rather than accepting the loss, May engaged the scammer directly, intercepted her own shipment through FedEx, and used a photoshopped payment screenshot to flip the situation on him.
- [11:36] The story ends with May recovering her shoes, followed by a candid note that this approach carries real risk and is not something she would recommend to others.
- [12:57] May outlines Unit 221B's core work, including criminal investigations, threat intelligence, pen testing, and incident response, all oriented toward federal prosecution and criminal arrest.
- [16:52] The evolving threat landscape, contrasting professional ransomware organizations that tend to honor agreements with a younger generation of cybercriminals who operate without limits.
- [18:44] May describes this younger criminal group in detail, noting members are predominantly 14 to 26 years old, English-speaking, and motivated as much by social status as financial gain.
- [21:49] May explains why wiping systems and restoring backups after a breach is one of the most damaging mistakes an organization can make, eliminating evidence and removing any path to prosecution.
- [23:04] She walks through Unit 221B's incident response process, covering digital forensics, insider threat identification, and determining who is behind an attack before advising on next steps.
- [26:32] May addresses the ransom payment question directly, recommending against paying as a default while acknowledging that knowing your adversary is essential to making the right call.
- [28:04] The discussion covers the legal and PR dimensions of a breach, including notification obligations and why some organizations choose to go public about what happened.
- [31:08] May pushes back on the perception that law enforcement doesn't help, explaining that federal agencies are understaffed and must prioritize cases, but are genuinely committed to the work.
- [34:08] The issue of victims deleting evidence before reporting, and how frequently this forecloses any possibility of investigation or prosecution.
- [34:55] The conversation turns to crimes targeting children, including sextortion, and why open dialogue between parents and kids is critical to getting victims to come forward before lasting harm is done.
- [37:18] May reflects on a keynote she gave at Harvard's Bold Conference for young women, describing the tension between advice to build an online presence and the real safety risks that come with it.
- [38:51] May shares practical security guidance for young people online, including being mindful of what appears in video backgrounds, using strong passwords, and enabling two-factor authentication.
- [40:35] May identifies AI-assisted attacks and social engineering as the two most significant forces reshaping the threat landscape, with technology now available to both attackers and defenders equally.
- [43:45] May describes Unit 221B's invite-only intelligence platform, which brings together top investigators, law enforcement, and private sector experts to collaborate and move cases forward.
- [45:10] Listeners can find Unit 221B at unit221b.com and on LinkedIn, and anyone facing a threat or needing guidance can reach out.
Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review.
Links and Resources:
- Podcast Web Page
- Facebook Page
- whatismyipaddress.com
- Easy Prey on Instagram
- Easy Prey on Twitter
- Easy Prey on LinkedIn
- Easy Prey on YouTube
- Easy Prey on Pinterest
- May Chen-Contino – LinkedIn
- Unit 221B – LinkedIn
- Unit 221B
Transcript:
May, thank you so much for coming on the podcast today.
Thank you, Chris. I'm really excited to be here.
Absolutely looking forward to our conversation. Can you give myself and the audience a little bit of background about who you are and what you do?
Yes, I am the CEO of Unit 221B. Unit 221B is a threat-disruption company delivering actionable threat intelligence and cybersecurity to enterprises, law enforcement, and government, with a long history of tenured threat intelligence, ex-ransomware, active ransomware experts, incident responders, and other cybersecurity professionals dating back 30 years.
That's awesome. How did you get into the industry? Because it seems like no one in cybersecurity ever goes to school for this, but they just end up there.
Yes, you're right. I, too, fell into the industry by accident, but it was the home I never realized I needed or belonged to. A very short background of me: Even as a small child, I was very justice- and truth-oriented. I wanted fairness, and I will say, too, part of that, I think, is my personality. Part of that, my father is a brilliant lawyer, and I think it's still a lot of, like, “Your word is your bond,” and so bought a young childhood mind.
The short story there is that a good friend of mine—we actually went to training to be Krav Maga self-defense instructors together and in doing very painful, very grueling, like 18-day, 12-hour courses, punching, fighting each other, getting knocked out, all kinds of fun things that we can cover if you want to know more about that, basically said, “Hey, my background more broadly has been in business, scale, revenue, technology, SaaS products.”
Fast forward, he said, “Hey, look, I know this brilliant team of hackers, engineers, whitehats, and they're doing real work. They're catching criminals. They're hunting bad guys, and they just need some structure to understand how they can actually help more people scale the business and do more good work, and you help the team.” And at the time, I was running something else. I was like, “Oh, man, I'm so busy, but that sounds really cool. Maybe I can help because I never say no to a friend.” And also, I was like, “That sounds really cool. I kind of want to know some more.”
Fast forward, meet the team. Absolutely fall in love. Immediately, I'm like, “How do I be in this industry, this whole life of mine? I've been in martial arts in various justice-seeking personal endeavors of finding truth, and this is the place where I should have been this whole time.” So, addicted. Fast forward to today. We're super happy. We built a phenomenal team with a number of different skills off the backbone of those really core, finite, brilliant cyber professionals who've just seen it all for quite a long time.
I love it when people are very justice-oriented. It resonates well with me and my family and just the outlook that we have. I'm really excited about that. One of the things I do ask of my counter-scam, counter-fraud, and cybersecurity guests is if they've ever been a victim of a scam, a fraud, or a cybersecurity incident.
Because if you and I, who are experts in these fields, and we've been around doing this and we live and breathe this, if we can't get it right 100% of the time, the guests, the listeners, just everyday people shouldn't feel less than, they shouldn't feel horrible, embarrassed, because they were targeted by criminal organizations, not some random dude in his basement, so to speak. Do you have a story that you could tell us about that?
Yes, and one, thank you for asking that question and kind of just trying to reinforce the point that you shouldn't be embarrassed, or especially if you're a victim of a target, that you're an innocent person doing your best and some nefarious criminal, whether it's a sophisticated organization or some guy in their basement anywhere in the world is deciding to target you, which is no fault of your own.
One, when I laugh that you ask any cybersecurity professional if they've been targeted, the answer is no. Nothing's happened. We've never been breached. It's fine. We are 100% locked up. You ask any human if they've been scammed, the answer is yes, 100% of people have fallen victim to a scam of some sort. And whether or not it's specifically cybersecurity, I think is the definition point, where you talk about scamming or social engineering attacks or manipulation. That's all a part of different types of cyber attacks, of course.
That is also a common part of human behavior in all types of targeting, both offline and online. I think if I go, “OK, has our company, have I personally, been victim of a ransomware or a breach?” That answer is no, but so many of our good customers and really professional people with long tenure—more than I do in this industry — have fallen victim to very sophisticated scams, at no fault of their own. I think that's one really important piece.
Two, let's talk about the scams. I have a fun story that I hope will maybe shed some light or give some people some perspective. Maybe this is why I knew cybersecurity was my home when this happened. But the short story is I was selling a pair of old luxury shoes on eBay. And also, just for reference point, I love eBay. I used to work at eBay and PayPal, had a phenomenal time. Nothing about this company is scam-worthy. They're a phenomenal enterprise.
But I was selling a pair of shoes and I was like, “Oh, sweet. I'm going to make a couple hundred dollars on eBay. Can't wait. This is a great way to get rid of some stuff. Make a couple bucks.” In the process that eBay puts together to prevent their sellers from being scammed and buyers from being scammed, they set up the two accounts. You have to validate your payments on both sides. I, as the buyer, and the seller have to validate that I have payments hooked into their account.
And then they don't release payment to you, the seller, until you've confirmed that you've shipped the product by uploading a shipping label or some sort of verification that the item has been sent. I'm not going, “Hey, just give me the money,” and the person never gets the item. Which, that is a totally different scam. That does happen. We won't talk about that right this second.
But, in the world of me being the verified seller and somebody really trying to legitimately ship a product, I submit my product to eBay. It gets purchased within a couple days. I'm like, “Sweet. This is awesome. What a win.” I then go run immediately to my local FedEx and I'm like, “All right. I'm going to ship this product. I'm going to upload it.” And then their money is being held on their account side in escrow, not released to me until I validate. I rush off to ship it to prove the value so I can complete the transaction.
I come back home with my great FedEx verification and upload it and then put it into eBay. And all of a sudden, I get an immediate email from PayPal going, “Sorry. We can't release the funds.” A long, very well-crafted fake email to tell me why the money is not there and I'm not getting paid. And immediately, I'm like, “Damn it. I've been scammed.” And then I'm like, “It's my fault. What did I do wrong?” I should have thought, “How would I have seen this coming?” It's part of a very intelligent workflow that is common to this buyer and seller platform.
Fast forward. I do not recommend this as a professional. This is not my advice to the public to do this. However, I am emboldened as a human. I cannot believe this person is taking advantage of me and I must seek vengeance at all possible costs. I'm like, “How do I counteract this scam?” And while this is happening, the scammer decides to reach out to me on the platform to be like, “Hey, I see there's been a mistake.” Basically, to scam me out of more money.
“Something's wrong with my PayPal account. You probably got the same email I did.” Very well-crafted fake email. “Hey, why don't we go off-platform? You can Zelle me or…” insert whatever other payment platform. “We can work there. I'll make sure you get paid. I'm so sorry for the inconvenience. PayPal's crazy. They won't release my money for 30 days.” It's a long sob story.
A regular person might be like, “Wow, this real person really cares and is trying to pay me for my goods.” I'm already, “F-U.” I decide to engage the scammer at this buyer. And I'm like, “Oh man, what a shame. You're right. I would love for you to pay me. I already shipped the boots, so you're getting them either way.” And in back of my mind, I'm like, “He really is getting them. That's a shame.” I happened to have a friend at the time, in e-commerce shipping, mentioned to me, “Oh, by the way, you can frequently call FedEx and put a stop in place and have the buying the item reverse.”
Everyone went, “No, that's possible.” I immediately called FedEx again, same day, and was like, “Don't ship that item. Make sure it doesn't get released and see if the warehouse where the item is can stop it.” And they fortunately are able to. It's not always possible. But catch it early enough, they can stop it. But then, I proceed to engage with the scammer because I'm like, “I'm taking this all the way to the finish line.” One, I'm rerouting the item to myself, not mentioning that to the scammer. The scammer is going, “Hey, let's connect bank accounts. You can give me some more money. I'll get it to you.”
And basically, writes a sob story about, “If you send me a little money and then that way, I'll have a little bit of money from you. We can connect accounts and then we'll make sure that I'll pay the item plus your money back and we'll be all good.” And I was like, “Wow, what a great idea. Thank you.” I proceed to go to a screenshot of the platform I was using. Let's just type it up. They say it was Zelle. “Photoshop, a payment sent.”
I'm like, “Five emails?” Because I'm like, “Two can play this game.” And I was a graphic designer on my first job out of school. And I was like, “OK, we can make fake emails together.” Sure enough, send him a message, “Go to…the money's in your account. I sent you a bunch of money. Can you just pay me that back plus the shoe cost? It'll be so fun.” Because then I do to the boots, “You'll pay me back. We'll be on our way. Sorry for the hassle. This has been terrible.”
The guy's like, “I don't see the money in my account.” And I'm like, “What the hell? I sent it to you.” And I escalate the conversation where I'm like, “I gave you the money. I have my shoes. What are you? Are you a scammer? Are you trying to scam me?” The guy's like, “No, no, no, no. I'm really trying to figure this out with you.” I was like, “Well, now I'm pissed. Now I'm worried.” I've been writing all this urgency. “Why don't you send me a little bit of money? If you send me a little bit of money, I'll know your account for sure. I'll route you that money back as promised. Let's just do that. And then that way, we'll be square.”
And this is now like, I'm crushing a two-week time frame down into this very simple question. Because I was determined to find a solution. Again, I had more time. This was like decades ago where I was like, “I've got the time to do this.” As a professional now, I'd be like, “You can keep the shoes.” But at the end of the story, the conclusion is basically, we're talking until near midnight on like, let's say, Thursday.
The delivery date for the shoes was maybe, like, Friday morning. And so I was going, “Hey, why don't you send me some money? I'll confirm the account, and then I'll take that little bit of money as payment for the shoes. And once you verify you have the shoes, then we'll settle the rest.” He's, “Oh, OK. That seems good.” Sure enough, I send him a message in the morning. And he's like, “Hey, I don't know if I send you the payment.” And he's starting to get wise to my equal frustration here.
I get my shoes back, open the box, take a photo, and send a photo of my hand with the shoes and just write in explicit, F-U-M-F. And then he's writing back to me, “I can't believe you're a B-word. I can't believe you’re, like, I can't.” On and on and on that I've scammed him. And I was like, “Good luck.” All that is to say for the average person, choose wisely where you choose to engage. That could have gone totally differently.
It's not always intelligent to chase down somebody who's threatening you. You have to know there's consequences involved. And also, I think some people, including myself, very high sense of justice and righteousness. And if you choose to do that, do your best at it. Show up your defenses, talk to professionals, ask your friends, and then decide accordingly.
I love that story. That is an awesome story. With Unit 221B, what are the types of projects that you guys take on? Where is your expertise as a company?
Yes. The type of projects where we really specialize is criminal investigations, which I emphasize criminal investigations, not cyber criminal investigations, since quite frankly, both cyber crime has evolved immensely. And because our team, the way we focus on what is the impact or the outcome, us for a real win here is a criminal arrest at the federal level. Like a very bad guy either stealing large sums of monies or hurting children, scamming individuals, wanting to cause high harm to not just a nameless organization with a ton of money.
Where even that harms a lot of people at that organization. If a big company loses millions of dollars, that could lead to layoffs. Day-to-day people could lose their jobs if you're on the security team and your executive team says, “It's your fault.” There are so many implications that could harm regular, innocent people who become victims of an anonymous, large-scale cyberattack, including ransomware incidents. For our team, we do threat intelligence investigations work. We do pen tests. We do red teams. We respond to incidents and handle pretty sophisticated high-level incidents.
Our team, hence the name Unit 221B, the unit is like military unit or SWAT team. We had the history of the company, this very specialized SWAT team. And it was like, “Hey, when anybody in the industry had a problem, it's like I know a guy and call the bat phone. It would, like, ring to us at RTE. And they would jump in and either do digital forensics or adversarial countermeasures, or actually figure out who the threat actor was, get attribution to that criminal.”
But it was very much like the people fighting the good fight to protect innocents, including large corporations as well as innocent victims tied up in that. The people who just, like, get left behind when there's no recourse. An average person who gets a sextortion scam or extortion scam out of their personal income that nobody can stop and often doesn't qualify for a federal level investigation.
There isn't a lot of support for that type of crime. Short version in terms of Unit 221B, where we're focused now and where we're scaling towards, helping more people in terms of that speed to criminal investigations impact with our technology platform, which is a threat intelligence platform with our team's long-tenured expertise across all those backgrounds and different diverse structures of cybersecurity, of normal criminal security or criminal justice, so to speak.
To make sure we can help more people with different applications for the one criminal who's not staying in his cybercrime lane. He's like, “I'm only going to do this one thing.” He's like, “Maybe I'll ransomware a company. Maybe I'll steal a DoorDash gift card. Maybe I'll also, like, convince the trial to give me new photos. Wouldn't that be a fun activity? What should I do today?”
I know you can't talk about your means and your methods of how you do things, and that's always sort of proprietary. I don't want to ask you about that, but what are some of the current attacks, kind of scenarios and things that you're seeing that's concerning? Kind of the direction of where this is going these days?
Oh, that's a great question. There are many. I'll only focus on maybe two. The two that I think are the worst of the worst kind of tie up in terms of how the cybercriminals themselves are evolving. A really good example of that evolution is ransomware. A lot of nation state threat actors, ransomware organizations that are overseas are quite frankly very professional organizations.
They often have their own code of conduct, morals and ethics where they're like, “Hey, we're just trying to take the money. You give us the money. We won't do X. We won't do the thing that you don't want.” And it's a pretty professional transaction. There's often a negotiator, but it's one of those things that those criminal networks, relatively speaking. I think like any old mob movie have a sense of pride in their work and sophistication as well as doing good work and keeping their word.
Then their criminal enterprise succeeds, which I think is, in a way, game appreciates game. I get it. At the same time, like, stop ransomware in large companies that are hurting people. Then the other impact is that the newer types of cybercriminals, especially the younger ones that we follow, there is an organization that we specialize in that the average age tends to be about 14 to 26 years old. They're predominantly young men across English-speaking countries, like Five Eyes countries: UK, US, Canada, UK, New Zealand, where the common tongue is English.
That's how they're crossing borders to work together. But if you're a young person yourself and you're not a part of a professional criminal organization, you have the leverage to basically do whatever you want. Because you don't have, like, let's say an older, longstanding organization that says, “Hey, that's our line; don't cross it.” And a lot of young people are looking for community and, quite frankly, just pride, ego.
They want to look cool to their friends, which is like a classic human behavior of any child. You want to be accepted. You want to be heard. You want to find people who are like mine and share interest. And that where you all, you know, share a common interest, this particular community's common interest is high harm. And is chaos at all, like, at all costs. It's, “Hey, why don't I decide to ransomware this company? And also why don't I decide to sextort and extort a young girl” who's, if you're a 16-year-old boy and you're sextorting a 16-year-old girl, that's another young girl.
But to you, you're like, “That's my peer. And I don't like her. Maybe she rejected me.” Like maybe there's some sort of bad blood there. “She made me look stupid at school,” insert whatever, or it's an anonymous victim across borders. And you're trying to prove yourself in your criminal organization to look cooler, get more accolades to your other peers, including older peers, the ones that are in their twenties to say, “Hey, look, like, I'm cool. Like, you should bring me in. I can do more. I can cause more harm.”
The short answer there is, one, the threat intelligence and investigations work for that criminal organization that happens to be targeting the largest companies in the world with all kinds of attacks, predominantly social engineering, to their third parties or vendors or BPM very successfully, as you've probably seen in the media. We do a lot of work with that type of client as well as government law enforcement where they're prosecuting those federal investigations, building those cases, collecting data on that criminal's attribution.
Their information where they're located, the types of crimes to put together a large federal case to stop the harm. And then likewise in doing that work, hopefully that puts that criminal at a disadvantage or stops a campaign, saves a victim sometimes, which is a huge win to our team and/or causes a disruption to get that criminal arrested, which would be the win to protect future children, future entities, organizations from being harmed.
Gotcha. This is kind of a, maybe a law enforcement-ish question, but I've kind of heard it asked and curious your take on it. A lot of times people, if they have been a victim of something, whether the process of remediation, they, “Well, we're just going to delete everything, burn everything to the ground, and just rebuild stuff or just back it, just restore everything from backups. We're not going to keep track of what happened necessarily.” How much of a challenge is that for, uh, on the prosecution side and dealing with law enforcement? If the person has, “Well, I got, uh, I got sextorted, but I just deleted everything because I wanted to get rid of it all. I wiped my phone.”
Yes. That's actually a very, very important piece to any investigation. Exactly to that point, if you're an individual and you're being sextorted, or you're a large organization, if you go in and erase all of the evidence and the footprints, especially in a large company, ransomware. If you go in and are like, “OK, they took something. We don't know how they got in. Let’s restore all the backups, just destroy all security, wipe everything.”
You have almost no further recourse because the only way you can have recourse or actually discover what's happened, where the leak is—you frequently don't know. And I'll say too, a lot of enterprise organizations, and many organizations have really great security because they focused on it for many years. And especially like their systems and their actual technology is frequently really locked up well with the correct protocols in place for security.
It's really the humans that start to impact the weak point. If you have great security, but then insert an admin or someone on your financial team or someone at your help desk says, “Oh yeah, I can reset that password for you.” Or maybe the password is weak. Maybe it's not 2FA-protected and/or somebody willingly gives up the keys to the castle in some form under a social engineering attack. That's really the rest of these organizations.
When that happens, if you just restore all the backups and wipe all the information, you don't actually know what was taken. You don't know what actually happened. You don't know how they got in. Is this threat persistent? Is it an insider at your company starting to intentionally target you? And that's like, “Hey, that person is going to continue to work with that threat actor and go, ‘Hey. FYI, they called cyber insurance. They called Unit 221B. Now they're coming for you.’” That's problematic. That's happened.
That's happened where we've gotten a tipoff and that puts us at a disadvantage to if you don't have even the digital forensics to then provide to any type of law enforcement, maybe it's the FBI or putting together an IC3 in terms of like, “This is what happened. This is what was taken without that information.” Frequently, law enforcement can't build the case without tying it back to true evidence. We always recommend, for as long as possible, shore up the defenses that you think is possible and, like, involve any incident response team that you're comfortable with.
Whether that may be sometimes just recommended by your cyber insurance. And that's the only option you have, but work with a shop around as quickly as possible. Usually within the same day, we get tons of emergency calls. Pick a team you feel comfortable with cause you're going to be on an emotional roller coaster ride for the next, like, two to four weeks, as long as it's going to take to make sure that the evidence is locked down. And we try to both from the digital forensic side, see literally what happened in technology, how they got in, where they got in, what's the leak? Is there still one?
Is it, you know, are they in email? Are they in Slack? Are they still getting access to the data?
And then, more importantly, who are the people in the company at risk where sometimes it's a mistake. Sometimes it's intentional with an insider. And then more importantly, who is the criminal organization that's doing the attack? Because then the last piece, the outcome of what you decide to do to us, it really, really matters on who the criminal organization is.
As a kind of defiant man before, if you are a professional organization and you have a long history of, “You give me money. I’ll do what I say. I'll keep my word, and no one gets hurt.” If that is true, and especially has been a longstanding truth in a lot of cyber crimes, that's one avenue. The other avenue, this newer avenue, these type of younger cyber criminals, they will say, “Give me a bunch of money. I'm also going to then not do anything with your data. I'll protect it. I'll give it back to you. But then nothing else will happen.”
They will take your money. They will upload your data. They will then take their buddies and take all that data apart to see what other crimes they can perpetrate from the data set they got. That Snowflake is a really great example of this at that, familiar with that data leak, where they'll frequently not keep their word to cause more high harm. Deciding an outcome and knowing your adversary is a really key piece in that type of IR mitigation after you've collected the hard evidence of what's happened.
That's going to be really challenging for organizations to determine. “Do we,” aside from the practical, “Do we pay the ransomware? Do we not pay the ransomware? Can we recover? Can we not recover? What's this going to do to us on a PR basis? But, like, what if we pay it and then they still dump the data?” It's going to be a very anxiety-ridden decision that organizations make.
Yes. And I would say we deal with that. I'll say it this way. To your point, there's very few people at a lot of these organizations who have experienced this type of crime or any type of ransomware incident. Frequency is new territory for them. And then based on their budget, team members’ availability, they have to decide, “Can I afford to work with a vendor who specializes in this? And is the data critical enough that we actually need to put potentially hundreds of thousands or millions of dollars in this type of wrap-up and protection?”
That's just a tough decision every business owner has to make for themselves and their security team in order to decide how bad they're going to let this get without professional help. Because very few organizations have security teams that have tons of experience in doing, like, hundreds of ransomware week to week where that is a specialization.
Two, even fewer of those teams truly do specialize in understanding the adversary. For us at Unit 221B, we care about that very deeply because we're focused on federal prosecution and criminal arrests. Our point is, if we know as many adversaries as we can and track the channels, when they pop up elsewhere in an incident, we're like, “Oh, that's the group we already know about.” And that happens, ironically, very often. We'll very often see that kind of thread line of, like, we've been following them for five years or even one year or even at six months.
Then we start seeing that group causing harm to other clients of ours or prospective clients that come to us and go, “Oh, my God. This happened and it's the group you're watching. Help us.” But that is, like, a very niche line of you have to find the fit and the organization has to decide to spend the dollars. And then to your point, the thing that we then start to coach that customer immediately on is that PR impact and legal impact. We have a cybersecurity lawyer in-house and from his perspective, it's like, “OK, at some point, you'll have to notify customers.”
You have to understand what the impact is, notify the customers. You have to file a few different compliance things from a legality perspective. You have to decide what your next step is going to be. Are you going to try to work with law enforcement to prosecute? Are you going to try to just, like, sweep it under the rug and hope for the least amount of bomb blasts possible, try to mitigate it down? Your PR is a company. Are you actually going to go to the public and turn this around and say, “Hey, look. Yeah, we got hit by this awful attack. It was awful. And here's what we did to fix it.”
Knowledge share, which we also love to see. We love to see people just go, “Hey, look. This happened to me. Don't feel ashamed. And here's how you can stop it. And here's what will happen in terms of you're going to be in misery for a really short, painful time. And you'll survive. You'll get to the other end.” Versus not engaging in that. We tend to let our clients know all the possible outcomes in those steps and say it's really up to you to decide where your risk tolerance is.
How much accountability does your team really have to have in this or you want to have in this to be like, “This was our fault and we're fixing it.” Versus, like, “We were the victim. Let's not talk about it.” Which, again, human nature. But with our completely appropriate answers. We just do our best to give all the possible outcomes so the client can decide themselves.
From your perspective, what do you think the ratio is of companies that either pay or don't pay the ransomware and those that do or don't work, actually engage with law enforcement. Do you have kind of a sense of—I want to be careful about the customers that you've dealt with or your industry experience—kind of the breakdowns of how that works out?
That is a really, really important point. I will give you our professional advice that we tell everyone who calls us up with an emergency, but it really comes down to what makes sense. You know your business, we do not. Our professional advice for any ransomware at all, don't pay it. Don't engage. And it's just never worth it. And it's one of those things that the only reason we feel strongly about the don't pay, a little bit like, “Don't negotiate with terrorists.”
But also, it's frequently, like, again, if you know your adversary and you know they have a history of, “Hey, you know, this is a common—it’s an old ransomware that's pretty common.” There's a few that have, like, you know, over the past few years that really prolific ransomware, Zeppelin, Lockbit, for example, are—we actually, my co-founder, Lance James, is a specialist in ransomware. He's actually cracked Zeppelin and Lockbit. It's one of those things.
Those clients come to us and we're just like, “Don't pay it. We'll crack. We already got this.” But that's like, if you have that plan B and security, then we're like, “You don't have to because don't worry, we got you.” And then you proceed to the next steps. That's not true of all ransomware, too. When it's this criminal organization I mentioned, this younger criminal group, knowing that they're probably going to take your money and continue to exploit you and cause harm, we're like, “Then you've given them a bunch of money, sometimes millions of dollars, and they're still perpetrating the crime. Stop the bleeding another way. Work with law enforcement to actually decide how you want to move the next step.”
But our recommendation is always notify law enforcement. Notify your legal team, or get a good legal counsel assigned to that, if necessary, as well in some cases, engage a good PR team or publicity to actually show you're putting the right message forward. And then that decision is yours. Frequently, if the ransom is payable and you feel like this is a good way to go.
You've got the right people in place to actually lose that money and just hope for the best. Maybe they won’t. That's an outcome that we've seen that happens. And then companies are like, “All right, I paid, like, a million dollars, but I guess this was the least amount of harm.” They're often happy. We're seeing that less and less as an organization. And that, I think, informs a lot of our, like, “Hey, look, it doesn't pay to pay.”
Is there a general willingness of your customers, or customers in general, or victims in general, to work with law enforcement? Or is it just like, “Well, we don't think they're going to help, so we don't even want to bother them.”
Oh, I feel so strongly about this. I feel like there's a lot of misinformation about law enforcement in general and especially with—I think the misinformation comes to law enforcement right now, especially at the federal level, like Homeland Security, FBI, any type of large federal agency, even overseas agencies, NCA, the UK, or RCMP. They're notoriously understaffed and under-budgeted.
The problem with the federal law enforcement is they have to take cases that effectively end up being a slam dunk for prosecution and that meet the federal compliance record. A lot of people think, “Law enforcement doesn't do anything. They don't care.” And it's simply because they can't. If somebody stole $10,000 from you, that sucks. That's $10,000. That was a huge amount of money for an individual, but not enough for law enforcement to actually go and prosecute and do something to help you.
In the case where the criteria is it meets the federal level for prosecution and you can engage law enforcement, 100% of the time we recommend immediately getting in touch with law enforcement and quite frankly at Unit 221B. We work with a ton of law enforcement daily. We frequently go to a client and say, “Hey, can we notify our partners and contacts? Can they help? Can they jump in?” And we work with our partners because there's so many people in law enforcement who kind of like all of us in the industry.
We got into the industry because we wanted to help people. We wanted to protect victims and do good. And in order to do that, you have to decide, like, “Where can I do the most help? Where can I be successful in either prosecution, or arrest, or to help a victim?” And there's a level of urgency based on the type of victim. Sometimes we'll see a trial victim and we'll call law enforcement and go, “Hey, we're seeing a trial either committing self-harm, or there is a sextortion angle, or it's a sexual component. Is there any way we can shut this down? Can we work with our private sector partners? Can we work with you to protect that child?”
And everyone dives in as quickly as possible. Our mentality is law enforcement does help. The law enforcement agents we work with are just some of the most stellar, upstanding human beings that exist because they care about people and all the misnomers for things that it's one thing when it's, “Hey, law enforcement didn't help me get my 10 grand back.” But if your child has been kidnapped, if you're at threat of an assault or something that's really high-harm, like, our law enforcement contacts are the ones that are like, “We'll do anytime, day or night. We're going to go and help.”
But then I suppose on the flip side, that isn't to say that if someone stole $10,000 from you, that you shouldn't report it.
You should, local police department. Go to your local police department, see if they will help you. I think the difference is federal versus a local case.
But in general, it's important to report. Even if you don't think there's going to be a positive outcome, the more aware law enforcement is of the scope of problems, it allows them to better allocate resources dependent on what the problems actually are.
Yes, absolutely.
If no one ever reports that they were a victim of ransomware, then government's not going to apply any resources to try to defend against it or to help resolve or track down criminals.
Yes, and that does really matter because in terms of your point, the larger whatever administration, whatever current government is currently active, they do go off of a lot of the financial reporting or any type of reporting for crimes to allocate budget, and that really makes a difference from every level of law enforcement.
You mentioned kids being targeted in crimes, which is absolutely horrific. It's one thing for a corporation to say, “OK, here's how we're going to look at our records. We've been breached. Here's how we're going to go through our logs, and we're going to work with these.” What about individuals who their kid has been sextorted? What kind of detail should they be keeping of the incident and not just, “Oh, let's just delete everything”?
Yes. That is, of course, a very tricky and sensitive topic. Then to your point, keeping the evidence, if you're an underage child, male or female, but in this scenario, it frequently tends to be targeted to underage girls. You can have your parents keeping photos of you. If you're asked to send nude pictures, that's really tough for a parent. Of course, as a person, as that child, incredibly traumatic and damaging.
It's one of those things in that kind of instance, I'll say it this way. I actually gave a talk at Harvard. They hosted something called the Bold Conference, which is a conference specifically. The goal is to have high school and college-age women get excited about different careers in business. From that perspective, it's a lot of common careers and careers that were good business career tracks for anybody, and then career tracks that were interesting to women.
There was also economics, finance track. There was a PR and marketing track, communications track, fashion and makeup track, and then they asked me to keynote. I was like, “Oh, honestly, the ultimate honor.” I was like, “Oh, my God. I get to talk to young girls and relay my story and encourage them. Everything's going to be OK. You're going to grow up one day and you're going to be a badass.”
It was truly something that was special to me, especially because even in my martial arts career, I taught a lot of young women. Seeing their competence build in just being like, “It's going to be OK,” but also, “Here's what you do in a situation that's bad. Here's some tactics that you yourself can protect yourself against.” The thing that was interesting, even a lot of the tracks, and especially the content creator influencer track, they were like, “Get online. Be online every day.
Be personal. Talk about yourself. Talk about your family. Talk about where you live. People love genuine.”
I'm sitting there like, “Oh, my God. Oh, my God. Don't. I know. Tell those girls to get off the internet. Tell them to wipe every additional device they have.” It was a really interesting dynamic. From my perspective, if you're a parent of these kids and it is embarrassing, one, of course, having a proactive conversation with your child to be like, “If anything happens, please tell me.” Even if it's embarrassing, even if it's damaging, even if it's the worst of the world, if a parent doesn't know and they can't involve law enforcement or another entity, that child has real damage happen.
Again, we've seen that frequently could lead to suicide or something that is a much high harm, much worse outcome for that child because they feel hopeless and they feel like they cannot even disclose the problem because they're just so ashamed. They think their life is over and they're a young person. In that instance, we recommend you do have to protect the evidence, unfortunately. Get it to the right people in law enforcement. For example, NCMEC works child exploitations. They're a great agency to work with for that type of work and they handle that.
There are agencies dedicated to that support. As a child, communicating to them the education and training that I'm kind of referencing from this talk where I got up on stage and was like, “This is a really dark topic to tell these young kids. Why did they ask me to do this? All the topics are fun and light and cool.” They get to talk about these basically mega celebrities online who they look up to and we go, “Don't do what they're doing. You'll be unsafe. Somebody will target you. Someone's going to harm you.” The talk track there to me changes too.
If you're going to be online, and you're a young girl, and you want to be an influencer, or you want to post content and just be involved in the social media digital world like everyone does, make sure you're really mindful and very aware of what you're posting. If you're outside in front of your house and you're moving the camera around but your street address is right behind you, or your address of your house is right behind you, or you're showing people around your home or anything that is a self-identifying image in your video, be careful.
Be thoughtful about what you disclose because unless your parents are supporting you and training your personal security hygiene…. Having good 2FA, having strong passwords, hopefully a password manager. Teach your kids about personal security so that they don't fall victim to things like getting their Instagram account taken over, getting different iClouds hacked. There's plenty of ways in without the actual girl themselves giving up the data.
But it's training the kids about what is security hygiene for a personal and then hopefully having that open dialogue with their parents where that evidence collection is critical in order to involve law enforcement, and that's frequently the worst of the worst, quite frankly.
Yeah, I've heard that often from people in law enforcement that they get the report of an incident but the person has deleted all the conversations from the device.
Yeah.
And it's like, “Well, we'll do the best.”
Yeah, if it's gone, there's frequently nothing anyone can do.
Oh, absolutely scary, absolutely scary. As we kind of work towards the end of our conversation here, where do you see kind of threats going for corporations and individuals, kind of the future of the threat landscape?
Well, again, I think we have to pick and choose. There's so many factors here. And I will say, I'll speak from the fact of kind of call back to where we focus. With our current customers, and again, we're working like larger enterprise companies where everyone is seeing an increase in these type of attacks and these types of targeting. Of course, ransomware, that's not a new topic. But then the application of how they're perpetrating types of attacks is becoming more advanced, which I think the entire security community can agree.
Additive with AI and machine learning. That's one, it's a tool that both sides have. Both like, threat actors and defenders have the same tool. And it's kind of a race to the bottom of who can use it the best and fastest to perpetrate different protections. But that's still kind of the Wild, Wild West there, better technologies. The other thing is to me that the biggest thing our team talks about with our clients is both from the work we focus on and we care about the human element.
We collect human intelligence. A lot of our investigators do human intelligence work and will do OSINT themselves, OSINT assessments, and we'll focus on what ends up being social engineering attacks because those are the ones that we're seeing as the most successful from these different types of perpetrators. In a social engineering attack, you can have the best defenses in the world.
And if a third-party help desk or even your internal security help desk or your team or an intern, insert any of it, even the CEO, we see executives be the perpetrator of this all the time.
But if you get social engineered from a just trust chain or just a value delivery of like, “Oh yeah, they really need my password,” or, “They really need my access,” or, “I'll just give them this one-time code,” that to me is the weak point that we're seeing now, quite frankly, scaling faster and faster because these young people have technology on their side. It's less about hacking in their basement and really cracking in like the good old days of hacking and even kind of like gray hats, like ethical hackers.
They'll crack in just to be like, “Can I just do it? I just want to see.” They won't cause any more harm, but they'll do it and just be like, “Oh, cool, that happened. That was great. I'm out. No damage done.” Like, yeah, you shouldn't be cracking into things illegally, sure. But that was kind of the old-school thought of like, “Hey, it's kind of cool to just see if I can get them.” This is a different time and a different game.
A lot of these young people are not doing it for the sake of learning. A lot of those professionals then became cybersecurity professionals. And for the sake of just the goodness of knowledge or curiosity, it is to perpetrate high harm at all costs. From our perspective, it's like the human element is where we care the most, especially even with our technology platform. The platform is invite only. And we invite the best investigators, law enforcement, government, across private sector, commercial, anywhere that you are a top performer in your field to the platform to share Intel and work with the community.
So that we can trade information, support each other and actually move forward to these crimes and get these arrests done where the human aspect to me is what gets the actual protection in place and saves these victims. No technology can do that alone.
Yeah. It's always going to be the human element in one way or another.
Absolutely.
Either the human perpetrating or the human victim, you know, it's not a technology versus technology scenario.
Yes. Yes. And a lot of technologies are good, but they're only as good as the end user.
Absolutely. If people want to learn more about Unit 221B, where can they go?
Great question. We love our community. We love everyone. If you want to reach out with a question, even if you're, “Hey, look, I'm scared. I'm under attack and you need to get a hold of us,” you can reach out to us on our website, Unit221B.com. You can also connect with us in different social platforms like LinkedIn, but feel free to come to our team. We have a lot of materials that we share to kind of the broader industry on basic ways to keep yourself protected.
We also handle a lot of these, you know, kind of high-stakes investigation for intelligence work in case you're dealing with some things and need another expert in the field who has a longer tenure about some of these problems and you're just like, “I don't know what this is and I need someone who knows what this is so we can act fast.” We're always happy to have the conversation. Find us on our website, find us on social media, and we're always happy to connect.
Awesome. May, thank you so much for coming on the podcast today.
Oh, thank you so much, Chris. It was a great conversation. I really appreciate it.