
Unmasking Cybercrime: Trevor Hilligoss on Tackling Infostealers and Ransomware, Part II


Podcast

About This Episode

This week, hosts Rachael Lyon and Jonathan Knepher continue their conversation into the world of cybercrime with Trevor Hilligoss, the Senior Vice President at SpyCloud Labs, SpyCloud. Trevor brings his expertise to the table, sharing insights into the intricate workings of the criminal underground, from the rise of infostealers to the evolution of cybersecurity adversaries. 

 

We explore the dynamics of cybercrime enablement services and discuss the role of AI and data protection measures in combating these threats. Prepare to be captivated by Trevor's intriguing journey from the military to becoming a key player in the fight against cybercrime, and learn what it truly means to be on the frontlines of cybersecurity.


      Rachael Lyon:
      I'd I I do wanna I mentioned this quote, though, just, for funsies that I that was on your the Chinese, cybercrime ecosystem. It said, the data you leave on the Internet knows you better than your mother, which, I guess I was on a China based blog on social engineering techniques. I just thought that was fascinating. It almost feels like when, not if, right, these these things are gonna happen with identity. And I'm kinda I'm kinda curious. There's a couple of things. You know, a, how does the monetization piece happen? Like, I imagine, like, a swap meet or something and it's a bulk you can bulk this. You know, but for those who like a little competition, how do you know how valuable your information is? I mean, maybe I wanna I wanna be a little bit more on the the higher end, not the lower end, but I I'm just kinda curious, like, how the valuation can work.

      Trevor Hilligoss:
      Yeah. I mean, it's, it's funny. There isn't this swap meeting. I like that. That's that's kinda fun to picture. I get it kinda is like that. Yeah. I mean, you know, it it's very platform dependent, I would say.

       

      [01:03] Reputation Drives Cybercrime Forums

      Trevor Hilligoss:
      You know, if you look at if you look at criminal, forums, you know, depending on the there's a whole ecosystem of forums I could talk about with English speaking and Russian speaking and ne'er the two shall meet and all that. But, there definitely is like a there is that side of it where, you know, it's a, let me look at what other people have for sale and let me adjust my prices accordingly. There's another aspect though that I feel like people kind of don't really focus on as much. Financial is certainly important, but a lot of these actors are motivated just as much, honestly, if not more, by clout, by gaining reputation. Right? We see even, you know, down to it's been a lot of reporting on the Com lately, which is kind of this community of, highly, aggressive, young, typically men, that are committing crimes, physical and cyber. Right? And clout is like everything right there. Your reputation is is so important. But that's also true for kind of the higher tiers.

      Trevor Hilligoss:
      You know, one of the reasons that disruption some of the recent disruptions that have happened of the cybercrime like Op Endgame is is awesome. Right? They're coming out there with this this video, and they're, like, putting out these people's, like, embarrassing photos, on a government website. Part of the reason that's so successful is because you're tearing apart their reputation. They are now fully exposed. I mean, it's embarrassing for part of it. The other side of it is like, look, your OPSEC sucks. Right? Clearly, your face is on a website, a government website. Like, you are compromised. And that's hard to recover from.

      Trevor Hilligoss:
      I mean, essentially, those people largely have to go away and come back under a different name. So it just just kind of shows you how how important, you know, their reputation is to them. So again, I think finance the financial aspect of it is very important. I don't want to diminish that at all. But, you know, there's another part of it, which is just, hey, I'm going to share this data because it makes me look cool. And all my friends will say, hey. Great job. And then maybe I'll sell it, you know, later.

      Rachael Lyon:
      That's that's, I I think a little bit about, you know, in in in a recent years, you know, I guess when you wanna, beat these kind of things, you know, are we gonna become a society where we're like, alright. Well, I guess you know my dirty laundry. Oh, well, whoopsie. You know, and it doesn't become a big deal. I mean, is that kinda what we're working towards as a society where it just gets a little, alright. It's out there. Maybe it's kinda freeing. I don't know.

      Trevor Hilligoss:
      I hope not. Yeah. I hope not. It's interesting. You mentioned China, and we do a lot of work. One of my researchers, a fantastic China Researcher. She's brilliant. She she did that piece you were referencing previously, her and one other researcher.

      Trevor Hilligoss:
      You know, she she's really highlighted one of the interesting things about the Chinese ecosystem is, we and when I say we, I am referring to the West, US, Europe, that kind of group. We get enraged when something happens. Right? Like when I remember when I was in government when the OPM breach happened, and that pissed everybody off. It's like, Oh my gosh, my data's not secure. Now China knows all my information. There really doesn't happen the same way in China. There's China and Chinese people, unfortunately, have kind of realized that their information is not private. It's not private from the government.

      Trevor Hilligoss:
      It's not private from individuals. And this concept of big brother is maybe not fully accepted, but it's certainly acknowledged much more than it is for us here. So I think that's kind of the shadow that we need to avoid. I really hope that we never get to that point where, my social security number being on the internet is a foregone conclusion. I do really hope that we, in the Western world can align ourselves in such a way to make that unlikely. And so that ten years from now, you know, when my kids are in their first data breach, they can get angry about it, as they should. Right? Instead of just assuming that, you know, well, it's bound to happen.

      Rachael Lyon:
      Yeah. I like that.

      Jonathan Knepher:
      Yeah. Well, I think I think all of all of the we you're talking about. Right? Like, we we still really don't want our data out there. I think, you know, things like data brokers and so on are very scary to us. And but, you know, how do we stop that proliferation of data, right? If the data is not there to be stolen, isn't that better? Do government regulations like GDPR and CCPA play a role in that? And do they help protect us? And what else should be being done?

      Trevor Hilligoss:
      Yeah. I think GDPR went a long way. I I am a I'm a fan. It will shock absolutely no one that I'm a bit of a privacy absolutist. So, yes, I definitely think, you know, any kind of regulation, you know, it's a fine line to tread. We don't want regulation to the point where it stymies innovation. But we do need regulation that forces compliance with some of the very obvious things. You mentioned data brokers.

       

      [06:42] "Opt Out of Cookie Tracking"

      Trevor Hilligoss:
      You know, there's a lot that you can do. You can opt out. When you see that little pop up that asks if you want to enable cookies, what that's really telling you is, hey, do you want to be tracked? Because online, the cookies that are being dropped, the vast majority, 90% plus, have nothing to do with anything you care about. They have everything to do with tracking your activity online. And, you know, it ranges from a referral type stuff so that, hey, if I find the website through Google, I want to make sure that the website knows that I came from Google. Right? Or if I came through ChatGPT, I want to make sure there's marketing reasons that that's an important thing. But there's a lot more kind of less savory things that those tracking cookies do. And that's why if you're on Facebook and you've been you know, shopping around for a tent, all of a sudden, hey, why am I seeing so many ads for tents? Well, it's because Facebook knows.

      Trevor Hilligoss:
      Right? And so it's tailoring your ads to deliver that. And maybe that's a good thing. You know, I've certainly bought ads that I've seen. I'm ashamed to admit, tailored advertising does work. But, you know, it is definitely a, it is a compromise, right? If Facebook knows, well, maybe I'm okay with Facebook knowing, right? Maybe I trust Facebook. But what happens if that data wasn't just sold to Facebook? What if that data was sold to somebody that is maybe less interested in selling you something and maybe more interested in selling you, right, your data? Or maybe not, and maybe they just really suck at their security, and they're dumping all that data to an elastic cluster that's exposed without a password. Right? So the proliferation, that's a hard word to say, the proliferation of our information is worrisome. And and but there are things that you can do about it.

      Trevor Hilligoss:
      And again, you know, I think that's that's where I like to see regulation is, allow me to make the decision. Give me the choice to say, nope, don't put that cookie on my device. Thank you very much. I'll go about my day.

      Rachael Lyon:
      I have noticed some of those, and maybe I just can't see the little x, but you do go particularly on the phone, some of these websites. And it it doesn't even give you a choice, really. I mean, it's you have to kind of accept or you can't move on. Yeah. And then I'm like, well, I guess I won't be shopping with these people anymore. But I would love it to get more granular control like that. So tell me this is correct. I guess there was some recent SpyCloud research.

      Rachael Lyon:
      It's really interesting. The average individual has as many as 52 unique usernames, emails, and two twenty one passwords exposed on the dark net across, like, you know, personal professional identities, which is crazy to me. You know, it's how do we need to start rethinking, like, identity security? And I don't know, is that face? Is it, you know, DNA or I mean, but how how how could we kinda start thinking about this maybe a little bit differently to make it a little bit harder?

      Trevor Hilligoss:
      Yeah. It is scary. You know, I when I first started working for SpyCloud a couple years ago, I'd I'd just left, the government. And, one of the first things I did, I ran my my email and my wife's email in SpyCloud. And I went, oh, that sucks. Right? It's like, oh, that's not I wish you know, maybe ignorance is bliss. I didn't wanna know that. But, no.

      Trevor Hilligoss:
      You know, it it it varies from person to person. It varies with your age, especially. If you look at somebody that's quite young, you know, talk about digital exhaust, right? Your digital exhaust kind of grows proportional to your online activity. So those of us that are hyper online and have done so for twenty, thirty years, we have a lot of digital exhaust. So, again, it's scary. I think it's important that people recognize that and are aware that their data is out there. Maybe, you know, SpyCloud's pretty good at aggregating that, but we don't own the trademark on aggregation. Criminals can aggregate data too.

      Trevor Hilligoss:
      So, you know, you bring up biometrics. I think biometrics is definitely a part of the solution. I use face unlock for a lot of things. Your fingerprints can work quite well. You know, there's other types of authentication through hardware tokens that can certainly make things more difficult. It's not going to solve the entire problem. Right? It's, you know, holistic is a pretty important part of the holistic identity. There's a lot of other things that can happen, especially nowadays.

      Trevor Hilligoss:
      You know, we're what, two months away from tax day? Well, actually, oh, geez. Yeah. Two months and a day as of the recording. And that's so but, you know, again, it's a game of interest. Right? Limit your exposure as much as you possibly can. Be aware of what's out there. I'd recommend anybody to go to checkyourexposure.com. You can put in your Gmail account, whatever you want.

      Trevor Hilligoss:
      We'll tell you what's out there for you. That's a good step. Find out what the criminal might know about you, remediate those. And then from then on, you know, limit your your digital exhaust as much as you possibly can.

      Rachael Lyon:
      Making notes.

      Jonathan Knepher:
      So, Trevor, you you began in in the army. How how did this experience, impact your view of the cyber crimes, and and how has this shaped your career? You've you've given us so much so much info today. Right? It it's obvious that you've been through a lot of this already.

      Rachael Lyon:
      Can I can I add on to that though too, John? Because the other piece of this that I'm always fascinated about, you know, when you were a little boy, Trevor, growing up, you're like, you know, I really wanna go into cybersecurity. Or or was it or was it kind of a a more winding path that brought you to the army and and this career?

      Trevor Hilligoss:
      Yeah. That's funny. Oh, man. I'm gonna I'm gonna get ripped for this. I always wanted to be an FBI agent. That was my that was my goal. So I wanted to be in the FBI, which, you know, I guess there's a checkbox next to that in a way. I did work for the FBI.

      Trevor Hilligoss:
      I wasn't an FBI agent, but I was a special agent. What? Just for the DOD. Offline. No, I joined the army. I joined the army as, you know, it's called a forward observer. So I was essentially attached to infantry platoons to, you know, provide terminal guidance for artillery and mortars and aircraft delivered munitions and all that kind of stuff. Nothing the farthest away from cybersecurity you could think of. I went into I became a special agent with army CID, after doing that for a while, and quickly realized that, you know, responding to crime scenes at 3AM was not really my favorite activity.

      Trevor Hilligoss:
      And, and I did grow up. My dad was an electrical engineer. So I grew up around computers. I grew up working on computers. I knew how to code a little bit, didn't really enjoy it, but I could. And And so that was kind of a natural transition, I think, for me to go into cybersecurity at the federal level. And I stuck with that. I did, I guess, six years, I think, seven years, something like that, in federal service.

      Trevor Hilligoss:
      Ended up getting the chance to go and work on an FBI cyber task force towards the end there. Worked some fantastic cases with some great agents and analysts. Learned a ton. And that really has I mean, it was kind of my formative years, I guess. And then coming into the private sector is very much a continuation of that. I think one of the most amazing things, the things that really drew me to cybersecurity is, well, I guess two things. One is you'll never do the same thing twice. It is a constant if you're not learning every single day, then I imagine you're sleeping every day.

      Trevor Hilligoss:
      I mean, I don't know how you can do this, and not learn constantly, which I personally think is so much fun. I am absolutely the most ADHD person on the earth. I do not like doing the same thing for more than a few minutes at a time. So context switching is an A plus for me, and cybersecurity allows that. So that's number one. And then the second thing is, you know, I it sounds cliche, but, I really like making a difference. That's why, that's why I went into law enforcement. And I feel like cybersecurity, you can make a huge impact.

      Trevor Hilligoss:
      I remember when I was working general crimes, you'd respond to a horrific situation. Somebody has the worst day of their life. And for that person and that person's family, that is a huge event. And you can do a fantastic job. You can work that case, you can take care of the victims, the witnesses, make sure that you bring justice to them. And that's hugely fulfilling, but it's a limited impact. I mean, I don't want to minimize that, but it is a point in time. And it's after the fact.

       

      [16:19] Proactively Prevent Crimes in Cybersecurity

      Trevor Hilligoss:
      And that's the thing that's really hard. It was really hard for me is, I can't there's not a lot of prevention there. There's showing up and making sure you're doing right by the victim and by the justice system. But what the bad thing has already happened. And so what I think is really cool about cybersecurity is not only can you have a massive impact, I mean, millions, protecting millions, if not billions of accounts every single day. And each one of those accounts is a person. Right? There's a there's a human being that has their hopes and dreams behind that. But you can also prevent the crimes from happening in the beginning.

      Trevor Hilligoss:
      And that's really the that's the holy grail of law enforcement. Right? I don't want to show up to the crime scene. I don't want there to be a crime scene. Let me make it so that that crime scene never has to happen. Nobody has to be victimized. And so I I love that. I love that about cybersecurity, and I I don't think I'll ever, yeah, I don't think I'll ever leave.

      Rachael Lyon:
      Yeah. It's it's a great industry. We were talking about that, I think, last week. You know, just the learning something new every day. I can't imagine another industry where you have that opportunity and it changes so much. So, you know, it's it's feels good to learn. I don't you know, I I just, everything about that. Now I think I have to I don't know if this is an obvious question, but maybe.

      Rachael Lyon:
      It you've seen so much in your career, Trevor. You know, I mean, you've been behind the curtain and and all of these things. I mean, is there anything that even surprises you anymore?

      Trevor Hilligoss:
      Oh, absolutely. Yeah. Yeah. Definitely. Yeah. I'm constantly surprised, in in good ways and bad ways. You know, it's a little bit of both. Yeah.

      Trevor Hilligoss:
      You know, I don't know. The threat actor never ceases to amaze me. It I've, you know, I've arrested these guys. I've sat in the courtroom as they got convicted and sentenced. I've gone on extradition flights and sat next to some poor dude in handcuffs for six hours. There's still new stuff every single day. I will hear about something some threat actor did or some criminal did, and it's like, Didn't have that on my bingo card, which, you know, I sometimes it's funny and sometimes it's sad, but it's always entertaining.

      Rachael Lyon:
      It's probably gonna feel good. I think you've said that recently there was, I don't know, someone got some jail time from a case that you were working. And I imagine that feels really good because that's not always the case, right, when it comes to these kind of crimes.

      Trevor Hilligoss:
      Yeah. Yeah. That was so that was, guy's name is Mark Sokolovsky. He was one of the developers of the Raccoon Infostealer. And in this last December in in 2024, he, well, he pleaded guilty and he was sentenced. So, yeah, I mean, that's, you know, it sounds kind of, I don't know. It sounds kind of bad to say you're glad that somebody's in jail. But, like, the way that I look at it is, you know, we don't get those wins all the time.

      Trevor Hilligoss:
      Right? I mean, that was that was a crazy story. You know, he was in Ukraine. The war kicked off. He fled Ukraine, happened to go to The Netherlands, which is, you know, a great partner to The United States. And and, you know, they were able and willing to arrest him and then extradite him. And it was a there's so much. I mean, I could I could talk for weeks about that whole that whole case and and all the steps. But, you know, because we don't always get that resolution.

      Trevor Hilligoss:
      Right? In fact, usually we don't. A lot of these cyber criminals, a lot of these guys are they're really top tier. You know, they're sitting in places where the government doesn't care. You know, they're not attacking their citizens. They're attacking our citizens. So, there really isn't isn't a lot of the actual enforcements. You know, the silver bracelet's part of it. Doesn't doesn't always happen.

      Trevor Hilligoss:
      So to see that happen, especially, you know, one of the great things about that case was there was restitution that was ordered as part of that. So, you know, hopefully, some amount of the people that were victimized had their identity stolen, had their, you know, their lives disrupted, can get some financial compensation for that, from from him. And I and, you know, I think there maybe this is me looking at it through rose colored glasses, but I do think there is a chilling effect of that. Right? I have to imagine that there's some other cybercriminal somewhere that sees that and reads the press release and goes, maybe this isn't where I wanna spend my time. You know, maybe maybe this isn't quite as lucrative as I thought it was, and chooses to not go into that line of work.

      Rachael Lyon:
      That would be nice. Yeah. I think it probably happens too. It's, accountability. You know, I think a while ago, right, ten years ago, accountability was almost impossible with these kind of things and or attribution, I should say. And and now it's it's encouraging to see over the years how we're getting more sophisticated. The hunters are getting more sophisticated and how we can track down these criminals. And that's that's, like, that's a really cool feeling, I I imagine.

      Rachael Lyon:
      Yeah.

      Trevor Hilligoss:
      It it's a cool feeling. I I I do think though one of what makes me most optimistic is actually not, you know, I mean, I I am proud of that case. I'm proud I opened that case and we closed it with an arrest and a and a prosecution and sentencing. But I really love the the trend, I would say, over the past two years, maybe three, depending on how you slice it, where, started in Europe, US is definitely getting to be very on board, where it's disruption first. Right? Hey, we can indict this guy on however many counts of various, you know, wire fraud and conspiracy to commit wire fraud and computer fraud and abuse, whatever. He's going to print that out. He's going to stick it up on his wall. It's a trophy.

      Trevor Hilligoss:
      Right? Well, all right. Well, what if we can really screw up this guy's life? Right? Like, what if we can grab those pictures from his iCloud account and that embarrassing Facebook photo that he thought he deleted, and make a montage and stick it up on a website somewhere, and publish a GitHub repo with all of his customers' names and their information? I mean, it's like doxing for the good guys. Right? And, you know, it's a different outcome. There's, you know, Mark sitting in a cell right now. Those people are not going to sit in a cell probably ever. But we screwed up their lives. Right? We made an activating event for them. And they were made sad.

      Trevor Hilligoss:
      So I think if we can make bad people sad, then it's still a win. And we don't really need to compare the two, you know, they're both wins.

      Rachael Lyon:
      So I I do wanna be mindful of time. I know we've run kind of long, but, you know, honestly, Trevor, we could have a whole podcast of you just talking about, you know, all the things that you've done in your career because it's just so fascinating. But I do wanna be mindful, of everyone's time. So, Trevor, thank you so so much for joining us today. This has been so so fascinating, this conversation.

      Trevor Hilligoss:
      Yeah. Thanks so much for having me. This was, this was a lot of fun.

      Rachael Lyon:
      Awesome. Yeah. Thank you, Drew. To all of our listeners out there, Jonathan, we know what we like to tell our listeners. Right? Every week, you gotta smash I'm gonna get you, Jonathan. Smash Smash the like button. Button.

      Trevor Hilligoss:
      Oh, yes.

      Rachael Lyon:
      Yes. So you can, you know, get a fresh episode in your in your inbox or on your, you know, your podcast platform of choice. And and as always, please leave us comments. We'd love to hear back from you, you know, on topics you wanna want us to cover, and what you're interested in. So, once again, thanks everyone for joining us this week. And until next time, stay safe. Thanks for joining us on the To the Point cybersecurity podcast brought to you by Forcepoint. For more information and show notes from today's episode, please visit forcepoint.com/podcast. And don't forget to subscribe and leave a review on Apple Podcasts or your favorite listening platform.

       

      About Our Guest


      Trevor Hilligoss, SVP of SpyCloud Labs, SpyCloud

      Trevor served nine years in the U.S. Army and has an extensive background in federal law enforcement, tracking threat actors for both the DoD and FBI. He is a member of the Joint Ransomware Task Force and serves in an advisory capacity for multiple cybersecurity-focused non-profits. He has spoken at numerous US and international cyber conferences, holds multiple federal and industry certifications in the field of cybersecurity, and is a recipient of the President’s Volunteer Service Award for volunteer service aimed at countering cyber threats. 

      Check out his LinkedIn!