The $1.5 Billion Crypto Heist & Vibe Coding Beats Big Tech Interviews

2025/3/16
Hacked

Chapters
Bybit, a major cryptocurrency exchange, was hacked, resulting in the loss of nearly $1.5 billion in Ethereum. The attack involved a Trojan transaction and exploited both software and human vulnerabilities.
  • Bybit experienced a significant hack on their Ethereum cold wallet.
  • The hackers used a Trojan transaction to manipulate transaction data.
  • The North Korean Lazarus Group is suspected to be behind the attack.

Transcript

As all of you are aware, well, about two hours ago, Bybit experienced a hack on our Ethereum cold wallet. So this particular record gets broken pretty often. But as it stands right now, this is the story of the biggest crypto heist of all time. Hackers have managed to hack the UI of all of the signers' computers.

So that although we saw it was the correct URL of the Safe wallet, but maybe it was not. Or it could be, I'm just saying all the possibilities, I'm not accusing anything. It could be that the Safe server was hacked, so it was sending this, but we don't know. That was the voice of Ben Zhou, CEO of Bybit. Almost immediately, I think like a couple of hours after discovering that his company had become the victim of this record-setting hack.

In late February 2025, Bybit, a major cryptocurrency exchange, suffered a devastating breach, losing nearly 1.5 billion US dollars in Ethereum. After signing 30 minutes later, then we got the emergency call that our cold Ethereum wallet is drained.

To execute a heist of this scale, the attackers exploited both software and people using something called a Trojan transaction. And in all of the confusion that followed, analysts quickly traced stolen crypto across multiple blockchain networks, with early signs pointing to a very well-known group with a history of state-sponsored cybercrime, North Korea's Lazarus Group, and their ongoing TraderTraitor program.

The impact rippled across crypto markets. Markets were already rippling for a bunch of other reasons. And the hack raises questions not just for Bybit. How did the attackers infiltrate a security layer, this cold wallet system that's supposedly pretty trusted? Could this happen again? And will more nation state hackers increasingly turn to cryptocurrency theft as like a geopolitical weapon?

So the maximum damage that we have witnessed currently so far is the total amount of around 401,000 Ethereum that's been hacked. This is the affected amount. We've got a lot of stories to get to. Vibe Coding has entered the lexicon since our last episode. Big Vibe Coder. Huge Vibe Coder. Big Vibe Coder over here.

But first, I think we unpack what seems to have happened here in the Bybit hack. What might be the largest crypto heist of all time and another escalation in state-sponsored cyber heists here on Hacked. Hey, Jordan, how you doing? I'm doing good, Scott. How you doing? Pretty good. Pretty good. Just vibing out. You're vibing? You're vibe coding. Famously, you're vibe coding a lot.

I have fallen in love with vibe coding. You actually have. Yeah, I've become slowly entrenched in it. You're really deep in it. We can talk about that in a bit, but I think right now we should talk about the show's presenting sponsor, Push Security. Push Security. Hacked is brought to you by Push Security. They keep you safe in the browser. They keep your identities locked down. We're going to talk about them a little later in the show, but Hacked is brought to you by Push Security. Vibe coding.

I can't wait to talk about it, honestly. We have a good story about vibe coding. We're not just talking about that concept. And we're going to save saying that word one more time for that section of the show. Because right now, we have a crypto heist to talk about. This one was fascinating. There's a lot of these.

And there's a lot of state-sponsored cybercrime. And then every so often one comes along that's just one heck of a fire show. It's big. It's technically really complicated. It's quite murky what's happened. But the CEO came out and spoke publicly. And there's been a bunch of blockchain forensics that's already taken place. So in a pretty rapid, like a pretty compressed period of time, we got a really good sense of what had happened in this heist.

Um, and it's just, it's colossal: $1.5 billion. I've been employing a heist scale for a few years. The Ocean's 11 system. 2001, Ocean's 11, starring George Clooney, they stole 160 million US dollars. So this is the better part of 10 Ocean's 11s.

Okay, well, here's where I go with it. Okay. North Korea has an annual GDP of about $23 billion. Oh, that's a good one. So when a state-sponsored hack happens and they steal $1.5 billion... That's big. That's about 6% of their national GDP, which is huge. Wow.

Just to put that into context, if you were to steal 6% of America's, the United States of America's GDP, which is $27.8 trillion, that would be $1.6 trillion. Yeah, sure. That's a huge chunk of the, well, currently, the national deficit for the United States. Yeah, sure. And it's very technically sophisticated what they've done here. There's social engineering. There's technical stuff going on. But-

You made a billion and a half dollars doing it. Like anything is efficient if it makes you a billion and a half dollars. That's what makes this a fascinating story. Learning lots about your inner morals. I didn't say good. I said efficient. Unless you started with $1.7 billion, anything that gets you up to 1.6 was certainly efficient, especially when it was probably a bunch of people in a room. Okay. So let's start –

I'm going to start really high level because it took me a while to wrap my brain around my understanding of what occurred here. The big story compressed down. Their goal was to get a piece of malware called Plot Twist onto the system of someone at the cold wallet company that Bybit used. This was a supply chain attack with many, many other steps, but it was fundamentally a supply chain attack. So-

Hoo boy. Bybit's Ethereum cold wallet was considered secure due to being offline and protected by this multi-signature authorization system. Multiple different parties had to approve transactions. It's not connected to the internet most of the time. This is safe, right? It's called safe? Exactly. We're going to get to, yeah, safe wallet. The company is safe and then in brackets wallet. So you're going to hear us say safe wallet. It's kind of confusing because are we talking about cold wallet? Yes, we are. But the specific brand of cold wallet is safe wallet.

On February 21st, 2025, during a routine transfer from Bybit's cold wallet to its operational hot wallet, which is connected to the internet, hackers activated malicious code injected into SafeWallet's interface.

They performed this thing called a Trojan transaction, which manipulates the transaction data displayed by Bybit's signers, showing this is a real legitimate transfer. Everything's all good, while secretly executing this hidden malicious set of instructions to transfer it elsewhere to the thieves, essentially.

As we heard a little bit in the intro, the CEO, Ben Zhou, confirmed he was the last person to sign using a Ledger hardware wallet. He noted that there were some limitations on this. There's a lot of code that gets churned up. It's this sort of big flurry of a moment, and there weren't really clear transaction details.

They executed this hidden contract upgrade. They swapped the two wallets and approximately 401,000 Ethereum, $1.46 billion was transferred from Bybit's wallet to the hacker controlled addresses within like moments. There were no cryptographic weaknesses here. The vulnerability was through manipulated user interfaces on people's screens and a compromised like human trust social engineering moment. So,

We're digging into the tech side of it now a little bit here. You want me to or are you going to dig into it? I want to lob my understanding of it at you and see if it checks out with what you're understanding. Yeah.

So the attackers targeted a software developer working for SafeWallet, the company, the multi-signature wallet platform used by Bybit for cold storage. They described themselves on their website. I checked. This is still up. The most trusted decentralized custody protocol and collective asset management platform. Cold wallet, for anyone that doesn't know, is an offline storage solution for cryptocurrency. It's disconnected from the internet.

And what happened is the SafeWallet developer downloaded a fake version of an application called Docker. Docker is a piece of software that lets you package software stuff up. It's a virtualization thing. Not interesting to this. They downloaded a fake version of it.

And that fake version contained a piece of malware called plot twist. The whole goal of this was to get plot twist into the safe wallet system. And it granted the attackers this persistent remote access to the developer's computer. They were running a Mac and now the hacker had access into the system.

The way they did this, the way they got this dev to click on this funky link was a social engineering tactic. We've talked about it before. Apparently, it's been formalized in North Korea's Lazarus Group ecosystem. It's called their TraderTraitor program. It's dubbed that by the law enforcement of the West. And it's basically... Law enforcement deserves a commendation with that. They are quite good at naming things. We've talked about this before, but it's always like Blazing Stallion Eagle Front. Yeah.

Force. All TraderTraitor basically is, is you pose as a tech recruiter, like a blockchain project coordinator. You pose as someone with a big implied bucket of cash behind you, and you just start a conversation with someone. You get them invested in the whole situation, and then you send the thing over. They use that to steal AWS tokens and credentials, enabling the access to the safe wallet backend and get these malicious plot twist scripts running on the system. So,

The way we figured this all out so quickly, and I find this fascinating, I was trying to get him on the show for this episode and couldn't make it happen in time. It starts with a character named ZachXBT. He's this renowned crypto investigator. He described himself as a former rug pull victim turned forensics kind of anonymous person on the internet who digs into these things. So he's got a chip on his shoulder and he's going after it? 100%. That's totally it. Really cool character. Really want to talk to him for the show.

meticulously traces the stolen Ethereum across wallets and blockchain networks and figured out based on some preliminary test transactions that this was all linked to some wallets that had previously been used in Lazarus Group operations.

Um, that was confirmed by Arkham Intelligence, which is like a blockchain analytics firm. That was then confirmed publicly by the FBI, who stated publicly in an announcement: this is part of that TraderTraitor operation. Be aware that this is happening. A lot of job offers aren't real. There are apparently state-sponsored hackers. Uh, and that's what occurred here. Bringing us to Lazarus Group, also known, speaking of names, as Guardians of Peace or Hidden Cobra.

Hidden Cobra. Hidden Cobra. Hidden Cobra. Seemed to be... Yeah. ...a juxtaposition. There's layers to this thing. They are...

widely, widely thought to be operated by the North Korean government. They've been active since 2009. They've been implicated in a bunch of hacks we've talked about in the show: 2014 Sony hack, the SWIFT banking attacks, countless cryptocurrency heists. We talked about the Ronin Network hack in 2022. They've been around, uh, for a long, long time. All evidence would point to them.

There's a bunch of stuff about how they laundered the funds, something called peel chaining, which involves essentially just like imagine a firework going off where it's suddenly just like an initial lump sum is just divided into thousands of intermediary wallets. And it immediately becomes you're trying to track the analytics across these, which makes what Zach was able to do pretty remarkable.

But the next major thing in the hours immediately following, as we discussed in the intro, Bybit's CEO, Ben Zhou, immediately acknowledges the breach publicly, says that they have enough kind of capital to be able to honor everyone's investments in the platform. They hadn't locked down some kind of withdrawals. It's sort of been locked down, but generally speaking, people could get their money out. So this wasn't a...

real run on the bank situation. As of time of recording, it seems like everyone's stuff is okay. They immediately secured a bridge loan of 80% of lost Ethereum to stabilize the reserves and get everything to be okay. It's quite the loan, dude. But here's the question. They get a bridge loan in real money or do they get a bridge loan... That's actually a really, really good question. Yeah, I don't know.

Like, do they go to a real bank, borrow some real money, and go on the internet and buy Ethereum with it to be like, eh, we filled the tank back up. Yeah, sure. And by that point had Lazarus Group...

turned the Ethereum into fiat capital from someone like, were they buying their own stolen? Exactly. Yeah. It wasn't a weird way. Was there some Swiss bank somewhere acting as the head eating tail of the ouroboros? That is this financial crime. It's a cool question. I don't think we know the answer to it yet.

They offered a 10% bounty of $140 million for recovery information. I sure hope ZachXBT got that bag. And the reason they are not replying to emails right now is... They're spending it? Yeah, good for them. You know? What an arc from rug pull victim. To wealthy investigator. Exactly. Online personality and investigative. And now retiree.

Um, that's kind of the Bybit story as of right now. We've got the better part of $1.5 billion vanished into the nebulous underworld that is cryptocurrency laundering, with seemingly a state-sponsored group behind it, is my understanding of what occurred. Uh, copacetic with yours, Scott? Yeah. The, the thing for me is like the, the, the beauty of the hack. Hmm.

for lack of better words, is the fact that they had access. They probably saw the back end of the system. Then they got to work creating the Trojan, waiting for the one day. They probably even identified the victim that they wanted. So it would have had to have been very specific, like trigger points. Like it needs to be from these wallets because they have the balance that we're going after. Like this is the Moby Dick. And it's like they waited for it. And yeah, just a few little JavaScript injections. Yeah.

Everybody hits the go button to do something that's like a standard part of their business operations and all of the trust check marks in the back end that need to be met for the transaction to occur. And then they just hijack that transaction and turn it into their own. It's kind of beautiful, but also devastating. Catastrophic. The people that I feel the worst for in this story is the developers at Safe. Because it's like, I feel like they...

This could be crippling to their business. And it sounds like they make a very well thought out tool to do what they're trying to do. And they've spent a lot of time considering things. And then for something like this to happen. Completely. Was brutal for them. Like they're the people that I feel worst for in this entire operation. Yeah. There have been a few stories like this. Supply chain attacks always reveal weak links. Mm-hmm.

And increasingly, with these very elaborate cold wallet, hot wallet, multi-signatory systems that should be really, really complicated because they are a very thin wall between people and billions of dollars, which is a pretty big carrot. There is...

Somewhere in that system, there's just a person sitting at a computer. And if you can get access to their computer, you essentially have imbued yourself with all of the authority that they have over that wildly important set of transactions. Yeah. It's like it wasn't someone at Bybit. It wasn't someone with the billions of dollars of cryptocurrency. It was just a person that had the right dev access into this system because they were just doing their job who just...

the right, like the right bit of social engineering on the wrong day that you click on that one file and suddenly this giant thing has been set in motion. It's a kind of humbling in a weird way. Like, yeah, fascinating. There's like a interesting tech side to this because the,

All of the new development tools, almost everything is written in open source. We're using Docker. Docker is a virtualization container. You can set up essentially a virtual computer that's running a specific part of your application. Often those containers, you're cloning them off of Docker Hub. There's a search engine full of pre-built versions of these things. You need a PostgreSQL server to

Download the one from Docker. Yeah, it's just like they're templates and you can just go and grab them and they're like pre-set up and pre-configured. You don't have to like do anything. The real question becomes how many of those templates have state level malware injected in them? Because that's where my mind goes because I know that they have this issue too with like Visual Studio Code has like probably become in the history of like

Small IDEs for lightweight coding, like stuff that vibe coders like. Sure. We'll get to it. Visual Studio Code is the biggest, I'd say, small-scale IDE these days. And if you're not using full Visual Studio, if you're not building massive, big native applications, you typically, like most people, are writing code in Visual Studio Code. Okay.

It's extendable. So there's a plugin interface and you can download all these extensions and it's a public plugin market. So how many of those plugins have malware injected in them that are giving people access to code bases and copying API keys and auth credentials? And this kind of links back to the identity attack conversations with Adam from a few weeks ago about like,

I don't know, the more access that like, the more we're letting people kind of like, I see how corporations get to the point where they're like, you can't install anything on your computer. You can't run anything on your computer unless it's in an authorized list, because it's like,

Especially for developers who move, there's an expectation that you're going to move quickly, solve problems, utilize tools that make you more efficient like AIs or Docker templates or plugins and extensions and VS Code. And it's like, how many of those have potential security risks in them? And the answer is, they could have potential security risks in them. The answer is, all of them could have potential security risks in them.

It's funny to think about, how do I put this? I know folks who have jobs where the most catastrophic thing that could happen is not that catastrophic if someone got into their system. The worst thing that could happen is like a ransomware attack of a small, teeny tiny little organization. And their computers are like military grade locked down by some IT person there who was like just, you know, thumbtacks on corkboard conspiratorial. Like, I swear to God, nothing's getting in.

That this could happen to a developer, like a human error, but like that this could happen to a developer whose system was, we learned standing between a state sponsored cyber crime group and a billion and a half dollars is like, that's just fascinating. That's just an interesting, uh,

That's an interesting tension when I think about like the elementary school teacher whose computer is like, like nuclear is like a silo that requires two keys turned at the same time to turn it on kind of thing. The, the human error is like, it's the whole thing. I know, but, but it's like, I don't even like, what is the human error in this case? You clicked on a funny link. You clicked on a funky link that someone sent him.

Oh, did he? Did he actually click on a link? That's my understanding of it was that he was sent a link. So the TraderTraitor program, I don't know what the narrative like conceit was, whether this was a recruitment or a blockchain project. I don't know what the narrative was.

And they were like, hey, do a coding exercise in this Docker and then send it back to us. And through the execution of it, it installed the malware. Yeah, he was sent something and ran. That's my understanding at this stage. And again, this is like, we're like two weeks out. So this is all pretty murky. But my understanding was that they downloaded a fake Docker application and ran it. And that's what happened. So it was just a human, it was social engineering. Yeah.

It was those people we saw at DEF CON in the booth making the call. Just a really well-spun lie. Hey, we got a job at Anthropic coming up for $750,000 a year. Are you interested? Download this Docker and complete the three exercises in it and send it back to us. LeetCode-style interview test. Like, get in here. Yeah. Yeah. You dangle a carrot in front of someone's face. Sometimes they go for it. It's human. It's really natural. I think...

I'm going to take a little bit of a distraction here, as I do. I will take a small deviation here. I'm familiar, Matt. To chase the thought that just jumped into my mind. And when we look at, this is going to be a commendation for the traditional financial sector, is what I'm about to say. Because if we look at this ultra-techie, young,

Most people that are into crypto are younger. There's the crypto bandwagoners, but the people that are crypto people, they're often tech-rooted, very cyber-smart. And they've somehow created an industry that is so rife with bank heists and theft that

But on the other side of that coin, the fiat currency world, a world that I would look to as like a dinosaur. Crypto exists because the fiat world and the traditional banking sectors aren't the greatest solution. It's like VHS rental in a Netflix world. Totally. It's slow. It's costly. Yeah. Cumbersome. I get it. I get the desire to look for an alternative.

So maybe they just don't ever get reported, but how many times can you think of in your last 20 years of your life that you've heard of a digital heist? Because money is numbers in a database table in the financial system just as much as it is in the crypto system. So it's like the crypto system, like this theft by the Lazarus Group for $1.5 billion...

is the single largest heist that they've apparently ever had. But they're, I saw it just had the stat up. Yeah. Last year alone, they only got 1.34 billion out of 47 other attacks. So like when you look at it, like the, they did 40, 47 of these things last year.

Like I can't think of a single digital hijacking and digital heist from a traditional bank anywhere in that sphere There's so much friction in those systems and so many redundancies and like the thing that crypto does good is it bypasses a lot of really cumbersome expensive like Transfer protocols basically. It's just like sending money sucks Internationally and there's a lot of there's just more efficient ways of being able to do it But that friction is also a redundancy. It's like

If you were to manage to move the numbers in the computer around, there's just a lot more of a safety net for catching it before it gets anywhere. Anyone who's ever had a credit card stolen knows this to be somewhat at least true. There's redundancies, there's backstops, and those don't get lesser the higher up you go. The larger the sums of money, the stronger the redundancies are because they don't want to piss off their big customers.

They'll in some cases swallow the cost, which is kind of what we're starting to see with things like Bybit. They're reaching that level of institutional like capital that they can kind of like eat it, create redundancies and safety nets that most people couldn't in this case, an unfathomably large loan and a $1.140 million bounty to find the sons of bitches responsible. Like it's, it's just different when you get to that scale.

Yeah. Anyway, that just jumped into my mind. Oh, it's fascinating. We hear about it. We've talked about this for like five years straight now. We talk about crypto heists because they're so common. This one's amazing because it's so big. Big. And it's interesting. It's like if we tried to make...

A single episode covering all of the digital bank heists in the traditional financial sector. I think we'd be like, I haven't done any research into this. This is all just. I know what you're saying. Yeah. But like, they never make the news. We never see them trending and headlining where it's like, it seems like every day there's another one about a crypto heist.

Yeah, it's if we were to try and cover every crypto heist, we would have to go to a daily news show. We would have to become like the daily and it would just be a churn. And the story would always be the same.

And if we were to do one for every major traditional financial, there's an interesting argument to be made that that sector, like the traditional finance sector is matured to a point where the heist is now sort of just rent seeking. And like, it's just, it's like, it's baked into it. It's like, no, the theft is taking place. It just doesn't, you just don't have to put on a bandit's mask anymore. You can just.

You can just make your cash in different ways. But in any case. I'm going to take one more digression just as you know the protocol. So you mentioned money transferring, which immediately triggered in my head an article that I read. I think it was even this morning lying in bed. And it was about Remitly. Remitly. Remitly. You must have seen the TV ads for Remitly or on like sports feeds. Yeah, they're like a...

Last time I was surfing in Nicaragua, we ran into the Remitly promotional team eating lunch at the restaurant we were in. They're like one of those apps. I was just crushing some waves. And the guy asked me if I wanted to send money online conveniently across 100 different currencies. Yes, exactly. So this is not an ad for Remitly. This is anything but. It's not.

That's funny. But essentially, they're one of those apps set up for like, oh, you're an immigrant to North America. You have, you make. Oh, to send money. Sure. You send money home. Like they're set up to do that. They charge like outrageous fees. Like it's something like 12% processing fees or something. But anyway, so they're public, Remitly. They're like the biggest. And I read an article in Investor News the other day. I can't remember who it was. Maybe it was Fortune Mag.

that a hedge fund has now taken out a $4 billion short position in them because, and this is the best part, they did a reverse image search on all of their reviews for their app, and it turns out that a majority of them are stock photos. Oh, no. So they're like, oh, these people are manufacturing positive sentiment in their reviews, which I'm sure happens in a number of companies. Yeah.

And all of the other people that have real photos hate them and are complaining about it. Like, we're going to take... So they took a $4 billion short position against... Another random deviation, but... No, that... I thought just the way that they detected...

that maybe they should take the short position by like doing, like writing a piece of code to go through and iterate and then do a reverse search against stock libraries to see how much of their reviews are faked. I thought it was brilliant for like a small hedge fund. Validating that suspicion of being like, I'm pretty sure this product, it's like I've looked at this product. It seems really bad. I think it's really bad. All these reviews seem to think it's positive. I've developed a theory. Even still, the risk tolerance is,

Of being like a four billy. I'm going to put four bills on the line. We're pretty sure about this one, guys. Four billion. You got to go on a real publicity tour telling people that that product sucks because people could go a real long time without noticing that. That's fascinating. Well, then the beauty is, too, is like just the fact that it is such an interesting way to figure out that it maybe is not a great product.

I think they had some major leaderships leave too, which is also triggering it. But I imagine this is getting a lot of press because it's an interesting way to be like, we're shorting this company because they're lying to you. I just want to very briefly loop back to, we were talking about fiat heists versus crypto heists. It's 1.5 billion. You got the...

Razzlecon and Dutch won in the billions. All these multi-billion dollar crypto heists. I looked up largest fiat heist of 2024, the Easter Sunday heist, which occurred in the early morning hours of March 31st, 2024, just about a year ago to date. They broke into a GardaWorld facility, which is like a private security firm. Stole ATM transfers or something. It was like 20 million bucks. Yeah.

But here's the thing. That's not even a digital heist. This is true. What I was talking about is there's been so many crypto digital heists occur. How many fiat digital heists? I know that people can take a gun and go demand money. That happens. And that has happened forever. For eons. Well, always has, always will. But I take your point. Moving the decimal in the computer, the social engineering hack, but for dollars and cents. Who?

When is like, like if we consider like all of the major crypto exchanges and companies that have fallen, um,

Like, show me the equivalent in Wells Fargo. Show me the equivalent in Hong Kong Bank. Show me all of the massive banking institutions. You just don't see them. So it's like an interesting... Anyway, we can go to the ad oasis. But I just found it... If people were spending so much time stealing crypto, what if they spent all that time stealing digital currency? Or like digital fiat? Seems a lot harder. Yeah.

We should probably tell folks about who the show is brought to them by. We should. I think it's brought to them by Push Security. Yeah, Push. The guys at Push are great. They're fantastic. They make a great product. We like working with them. We like telling folks about them. It's not every day that something comes along where I'm like, damn, I should have thought of that. How did I not think of that? And this is one of those products. Push Security is 100% one of those products.

The problem they're tackling is identity attacks. You know, we talked about it a little bit earlier in the episode. Phishing, credential stuffing, session hijacking, account takeover. Basically the number one cause of breaches right now. And their approach, well, it's pretty interesting. Instead of trying to lock down everything at the infrastructure level, they start where people actually work, which is inside of the browser. They built a browser extension that observes employees, creates corporate identities, and logs into their work apps. Which, when you think about it, makes a heap of sense.

And because they've got that visibility, they can see exactly how the identities are being used. You know, are people using stolen credentials? Are they reusing passwords across them? Have they figured out ways to bypass and skip multi-factor authentication? Are they using a local account when they should be using the single sign-on authority? And the kicker is when they do find all those vulnerabilities, they can automatically enforce controls all right there, right in the browser.

But it's not all just about protecting identities. Push are monitoring them too. In real time for attacks using adversary-in-the-middle toolkits, cloned login pages, which are becoming a big deal with AI because you can clone them very easily, stolen credentials and stolen session tokens. It's endpoint detection and response, except all inside the browser. The team, obviously we had Adam on, super sharp, killer research, red team backgrounds.

They put out great research. They're just smart, great people. We respect them. We respect their product. And that's why they're our sponsor. Push Security. It's a super smart approach. It's a really solid team. It's interesting research. You should check them out. Go to pushsecurity.com to learn more.

We are beginning to lose some of the hackers and visionaries who laid the foundation of the cybersecurity industry.

Enter Where Warlocks Stay Up Late, an interview series dedicated to documenting the history of cybersecurity. Inspired by the seminal book Where Wizards Stay Up Late: The Origins of the Internet, this interview series aims to capture the stories, insights, and legacies of the pioneering figures who shaped the field of cybersecurity from its inception to the present day.

Each month, two long-form video interviews will be released on the Warlocks Project's YouTube and Spotify channels, featuring candid conversations in which cybersecurity pioneers share their technical achievements, as well as their personal journeys, challenges, and ethical dilemmas they faced along the way. This project has a huge supporting cast, including an Emmy-winning producer, a Harvard anthropologist and historian, the former editor of Phrack Magazine, and more.

Guests were members of such groups as Cult of the Dead Cow, w00w00, and Root. Check out their anthropological map on wherewarlocksstayuplate.com to see just how large this project is. Where Warlocks Stay Up Late is now available to stream on YouTube and Spotify, and soon it will be available wherever you get your podcast fix.


Every once in a while, a new security tool comes along and just makes you think, this makes so much sense. Why has nobody done this already?

And why didn't I think of it? Well, Push Security is one of those tools. I'm in a browser right now. Most of us do pretty much all of our work in a browser nowadays. It's where we access our tools and apps using our digital identities. Push turns your employees' browsers into a telemetry source for detecting identity attack techniques and risky user behaviors that create the vulnerabilities that identity attacks exploit.

It then blocks those attacks or behaviors directly in the browser, in effect, making the browser a control point for security. Push uses a browser agent like Endpoint Detection Response uses an endpoint agent. Only this time, it's so you can monitor your workforce identities and stop identity attacks like credential stuffing, adversary in the middle attacks, session token theft.

Think back to the attacks against Snowflake customers earlier this year. These are the kind of identity attacks that Push helps you stop today. You deploy Push into your employees' existing browsers: Chrome, Arc, Edge, all the main ones. Push then starts monitoring your employees' logins so you can see their identities, apps, accounts, and the authentication methods that they're using.

If an employee gets phished, Push detects it and blocks it in the browser so those credentials don't get stolen. Like we said before, it's one of those products where you ask yourself, why isn't everyone already doing this? The team at Push all come from an offensive security background. They do interesting research into identity SaaS attack techniques and ways of detecting them.

You might know of the SaaS attack matrix. Well, that was the folks at Push that helped develop it. And those are the kind of attacks that they're now stopping at the browser. A lot of security teams are already using Push to get better visibility across their identity attack surfaces and detect attacks that they couldn't previously see with endpoint detection or their app and network logs.

I think this is an area that's blowing up and not just identity threat detection response, but also doing threat hunting at the browser level. Like it just makes sense. Push Security is leading the charge here. It's a very cool product, a very cool team, and it's well worth checking them out. pushsecurity.com slash hacked. That's pushsecurity.com slash hacked.

Are we vibing out yet? I think we're vibing. I think we're getting a vibe coding.

Let's get to the vibe coding. So there's this clip where if everything is as it appears of a Columbia University representative trying to decide whether a student built a piece of software to cheat on coursework or just to cheat on job applications. So when, when you mentioned that there are some classes at Columbia that do teach some foundational LeetCode, uh,

either courses or topics, could this software be used for those classes? You're never going to be in a class where your data structure professor is on a one-on-one Zoom with you, asks you to share your screen, and then watches you code up LeetCode, like that's not a thing at Columbia. So yeah, I guess it could work, I guess, but I mean, the same way that if I made a new browser, then the new browser could be used to Google up questions. It would just be such a roundabout, useless way of using the product.

But it could happen if a teacher did choose to do that with a student or multiple students in the class. In the case where you are in a one-on-one Zoom with your professor and they ask you to share your screen to make sure that you're not looking at any solutions online, then theoretically, yes, you could use a tool. But frankly, it's my first time thinking about it being used like that. Back up.

So there's this piece of software called LeetCode. LeetCode is an online coding platform primarily used for preparing for software engineering job interviews. I have never had to use this piece of software, but I'm betting that both you and I, Scott, know people who have. Oh, definitely. I know a good friend of mine from Vancouver used it recently to prepare for job interviews. There you go.

Big tech companies use LeetCode-style problems in their hiring processes. It's like a standardized way to test coding skills. And because of that, a lot of candidates find themselves like grinding through LeetCode prep as they go into these job applications. It can be job prep, it can be training, but LeetCode is a big thing in that ecosystem.

I find it to be like a self-fulfilling prophecy. Like when Google started doing this stuff, it was to see how you thought. Like they would bring people in and give them abstract problems and be like, solve this. And then they would literally watch you solve it. And they would see how you like broke down the problem, looked at the potential solutions. Like even if you didn't get it right, they got a good understanding of like how you would tackle a problem in the real world. And now it's just turned into this

like LSAT cram session for software engineers where they just like have to be ready to answer all of these problems. Like write me the pseudo code for Towers of Hanoi. And you're like, okay, here it is. Like they know how to do it like off the back of their hand. Yeah. It felt like as I was reading and learning about it, it felt like sort of the like historical realization of this thing that started in the 90s. Like Microsoft had those famous brain teaser interview questions. Totally, yeah. And then you got Google in the 2000s with like,

like whiteboarding questions, like essentially do math in front of us right now. And it's just kind of kept evolving and becoming more automated and more standardized. And LeetCode is kind of the like ultimate expression of that. The other thing I will say is like, so the friend of mine that used this recently, he would talk to me between his interviews and I helped him do a little prep and stuff. And it was like,

The interviews now are nuts. He had full day interviews where he had to go in and write code in front of the lead software engineers. Put them up on the screen and watch him write code and use the IDE and stuff. I don't know when 24 hours worth of interview time became a thing. Unpaid interviews that are a day long. Yeah, sure.

Yeah. So LeetCode, as I understand it, if you were looking for certain jobs in big, big tech, that's typically what's standing between you and the offer in terms of both training and testing. And Roy Lee, the student in that first clip that we heard, does not like LeetCode. Quote, it made me hate programming.

And he wasn't alone. Comments are always anecdotal, but I sure found a lot of them that echoed that general sentiment of just sort of exhaustion with this system. Quote, LeetCode is literally tech companies telling you to spend months on something to make their interview process cheaper. Quote, LeetCode is the most useless way to test a dev. 99% of us will never use any of these algos in real life. And the last one I'll say here, oh man, they're mad that we're using their method of wasting our time right back at them. That last one is foreshadowing. Mm-hmm.

Uh, the shade here on LeetCode does need to be taken with a grain of salt. As we will see some of this, there's a marketing component to this, but it's still a really fascinating story. So Roy is a sophomore at Columbia. He's been grinding on LeetCode prepping for these like FAANG interviews. He's doing exactly what you're supposed to do. I think he says he's put in like 600 hours into this process and he's just, he's miserable going through this.

LeetCode has anti-cheat functionality in it, basically saying like you just you can't ask chat jippity to go do this for you. Roy hits a wall and I'm speculating here, but I think given what he said about this story, I think this has some validity. I can imagine there's something profoundly demoralizing about grinding for hundreds of hours on these technical prep tests and.

when all you read about is about how AI is going to destroy these jobs that you are currently applying for and have just trained for for the last four years of your life. To speak nothing of the fact that you know intellectually the software can solve the thing that it is asking you to do.

Is that good? Is that bad? I don't know. I understand the idea that these companies want people who actually understand what is occurring under the hood of this code. You do not want a vibe coder in a $500,000 a year software engineer position. They're all going to be vibe coders soon. I know. It's complicated. It's weird.

So here's the thing for me. It's like the origin of this was great. When Microsoft was doing it, when Google was doing it, they were doing it to filter out people. They wanted the smartest, the best, and the brightest. And they were willing to pay for it. They just needed to figure out a way to find those people. And it's like they don't want people that studied this and can recall it from memory. They want people that can understand it and figure it out.

So all this has done is... I kind of agree with this guy. The entire sentiment of where this began is ruined. You've just turned this into a history exam. It has nothing to do with how you think anymore, which is what the point of it was. We need people that can take a big problem, break it down into compartmentalized pieces, solve those pieces, and solve the overall issue. And it's like...

that's gone and now it's like these have structures like there's training systems that will walk you through 247 of these puzzles explaining to you exactly how to solve them in the optimal way and it's like that's great training because you'll passively learn from that but at the same time it's like I don't know the entire interview process to me is just kind of

not as good as it used to be. If that one comment I read, and again, it's a YouTube comment. It's, it doesn't mean anything, but it seems apt. LeetCode is literally tech companies telling you to spend months on something to make their interview process cheaper. The efficiency of being like, well, if you just want us to know that you're kind of legit enough that we should look at you spend hundreds of hours on this thing. Okay. Bye.

It's like, oh, you can see why that's a bummer and why some people might butt their heads up against it. And maybe why Roy made the call that he's about to make. To me, we're already asking that. It's like, did you go to Stanford? Did you go to Comp Sci? No.

It's like, yeah, but it's like you already spent thousands of hours on that training regimen. Like what's another 500 hours into something else? It's like, it's just, it's essentially a certification. Like they may as well turn it into a certification process, like a little post-grad professional program. And when you graduate with your bachelor's in computing science, you go into this, you spend another 500 hours and you get a certificate in like computer algorithmics. And it's like, here you go. You've passed,

And now you don't even need to do any coding exams at these places. They know you know how to do them. It's like they may as well just do that with it. Like they may as well just put it online. I'm not sure that they're going to be able to given what is about to occur. Because it seems as though the gamification of that certification has been itself gamified. Roy Lee decides to cook up a workaround.

And instead of continuing like the endless prep cycle, he built a piece of software he called Interview Coder. This is what I was talking about earlier of the grain of salt that there is a little bit of like, this is a marketing story for a piece of software, but I think it's pretty interesting. It takes a photo of what is occurring on the screen during the interview.

runs that through a large language model that analyzes it, produces the correct result, and then feeds it to you outside of whatever computer that you're doing it on that has the anti-cheat stuff on it and allows you to just sort of see the correct answer on the very edge of your peripheral vision and answer it and copy it.

You can instantly process coding problems. You can figure out like the optimal solution to this question they've put in front of you. And because it's sort of because of that way that it works, it's operating undetected by this anti-cheat software that LeetCode uses. He uses it.

on interviews with Amazon, Meta, TikTok, passes every single interview. This audio I'm about to play is from him, it seems, completing an Amazon job interview and getting a job offer from Amazon. So what I would like you to do is to write me a data structure, so it will be like a class, which inside will do something with the data.

And the idea of this class is that it will literally find media. So there are two operations, and then get. He uploaded that to YouTube. I actually had to do a little bit of a circuit to get that audio because Amazon copyright striked it, which is what makes me think it's real. That is ripped from another upload under the name Handsome Young Korean Male Hacks Amazon's Interview Process with AI Re-Uploaded.

I enjoy that. You know what the best thing is? I assume the interview process will change and adapt, and this will be a flash in the pan. But Roy's going to get a real job offer out of this. Roy might have a business out of this. He's trading $60 a month for this. Yeah, but it's going to go away, I would assume. Of course. The interview process will adapt, unless he wants to stay in. This is like game cheating, but for interviews, if you consider interviews a game.

But he saw a big problem, compartmentalized it, figured out a solution, solved it. This is the whiteboard test. Yeah, he gave his own whiteboard test. Yeah, exactly. Microsoft, you should hire this person. The aftermath of this was like,

It didn't have that quality to it. It wasn't like a round of applause, flowers for the young man. Yeah, I'm sure not. It's like, no, it was crushing. Amazon rescinds the offer. Columbia got a formal complaint from Amazon and had that disciplinary hearing. Roy dips.

He leaves Columbia. Handsome young Korean dips. Handsome young Korean male hacks and dips. He was scheduled for a disciplinary hearing on March 11th. I don't think he stuck around. I won't be on campus when Columbia wants to talk to me. And at the heart of this is this kind of question of like –

Is the system he was trying to game already obsolete by the time he tried to game it? You kind of alluded to this earlier. It was, quote, LLMs will make most human intelligence work obsolete in two years. Why should I care?

I don't have time to work two years in a big tech job or do I want to anymore? Is that, are those timelines accurate? I don't know, but I get the sense it's almost like a doomerism feeling of like, yeah, all anyone is telling me is none of these jobs will exist anymore. The CEOs of these companies are telling us that a lot of these jobs won't exist anymore. What, what are we doing here? The, the thing for me is like, yeah, right now. Yeah, I

Senior software engineers, people that can pass the whiteboard test off of just instinct, are more valuable than anything. Because it's all of the work that those people hate, the boring fill in the blanks code, these tools crush that. But it's like the, here's a problem, let's make a solution. And it's like the architecture, the problem solving, the

There's nothing out there that does this. We need to create a library that does that. All of the senior stuff still exists. My biggest fear is we're going to age out. The senior devs like me and people that are in our generation are going to age out because even if you're a 27-year-old grad a few years out and you've been using AI for the last three years to optimize your development...

Like the point's going to come when like you're going to be the senior. Right. And you don't understand what's going on under the hood quite as well as you maybe need to. The thing, the thing is though, is that like, I will say like as somebody who's been vibe coding as of recently, it isn't just letting the AI do stuff. Like you still, like you're getting, you're transitively learning so much.

Jordan knows this, but the listeners don't, but I've been building an open source app privately and I'm going to launch it whenever it's done. I wanted to build something multi-platform, OSX, Linux, Windows, so I started using Electron. I talked about it with Adam. It's kind of the heart and soul of so many of these new Chromium-kerneled apps. Yeah,

I'd never built anything in it. I started doing some build-up research, but the research is so much more efficient when it's backed by AI. Instead of just Googling and reading API docs, I just have a conversation with an AI. Eventually you're like, hey, generate me some code. You realize that there's problems in it right away. You learn more about the interface, the stack, every part about it. I'm actually on V5 of this product that I'm building because

Over the first four iterations, I was just learning. Even though I was utilizing AI to do it for lots of things, research, bullshit code, things like that, but you just passively learn. I still think people are going to be... Vibe coding is not just about going to the beach and doing nothing and having to write everything for you. As somebody that is a senior developer, it's really great for me

If I was a junior developer, I don't know if I'd be learning as quick, picking up the intricacies and the tiny details, the efficacies inside of the nuances. So that's, I don't know, I guess time will tell, but man, oh man, is AI getting good at coding. For me, it's like, I wouldn't go as far as saying I'm agnostic on the tech, but the thing that concerns me is the dependency concept. It's that when something pops off,

It's great that you were learning while you were doing this. And I believe it. It's not just type in a prompt and get a piece of software back out. You're still developing software, but it's when shit pops off and something doesn't quite work and it can't solve it. Where is the actor in this situation that knows how to go in and solve things? You're, you're, you are increasingly reliant. And I don't think that's in a lot of cases, like we rely on tools and technology all the time. I'm not going to get into a big panic about that. Um, a lot of engineers use calculators. That's fine. Um,

But I understand how it makes this transitory period of like, so what is it I'm applying for? What is the job here? What does my career ladder look like when this technology is changing so rapidly and all of these threats are kind of in the ecosystem? It's an odd moment. And it all kind of gets expressed right here in this little story. Well, the shot I'd throw back is like that scenario where like,

AI can't figure it out. I would actually contest that a bit because when something goes wrong in code, it's either a logical, the logic has failed somewhere and there's nothing more logical than the AI compared to a human. The AI wins that one, check mark. Often what it is is some protocol changes or some API changes and they publish a new code

API and it's like the old calls don't work anymore. That's often what's breaking things. But nowadays, instead of me going to the API source and reading through their documentation, I can just ask an AI and it summarizes it instantly for me. It's like, oh, the version 1.4 changes, all the changes made to this CRUD operation for this and boom, boom, boom. Here's how the new context needs to look for the call. Would you like me to update it? Yes. Done. Yeah.

So it's like, I just don't know. You don't foresee situations where the concept of over, maybe that's it, the concept of over-reliance on this doesn't really concern you. No, the concept of over-reliance is going to be what kills the industry. Okay. I think we're saying the same thing. Yeah, yeah, yeah. That's the sort of, not threat, but that's the thing I'm alluding to. The thing that I'm referencing when I talk about it now is like the,

AI is good. Here's the problem. Big and wide. I'm doing this in video to Jordan and compartmentalizing a big problem into a bunch of small things. Discrete steps. It's really bad at that. It can't go... No, it can, but you can't just go to a thing and be like, make me this. And then it loses the context of it sometimes. Some of the new AIs are much better with context. But it has a hard time...

solving a massive problem well. It's really good if you give it the small boxes and you're like, hey, do this small thing. Write me the function that does this. Make sure that it's type checking, it's error checking, error handling, it's doing all of these things. It's great at that. But if you go to it and just type into Clio or not Clio, Clio is a law software. Claude. So you have to say it.

If you just go to Claude Opus and be like, yo, make me this app, it'll cough you out a bunch of stuff. It starts to get confused halfway through.

Like it's not great. Like I've had it be like, this is the directory structure that you want your app to have. And here are the files that we're going to build. And then it will give me half of those files because it just forgets about it halfway through. Like they're just, it's just not great. So you still need somebody there to like put the pieces together. And the other thing I'll say is like, if you ask it to do something, it often takes the cheapest route. That's the thing that I've been finding with it is like, like,

make me like, do this, refactor this to be more like this. It'll do it, but it'll leave off type checking, error handling. So you have to go back through and be like, hey, you know, this looks like it's going to be, uh, security risk and allow for SQL injection. It's like, oh yeah, you're right. And then it like is like, here's how we can fix that. I'm like, well,

Great. I wish you had done it. But that to me feels like a feature, not a tool thing where it's like, it's just like we have acknowledged that seven out of 10 times a developer will ask some question about security redundancy. So why don't we just bake that into the problem? Like bake that into the backend of how this thing works. And just over time, it's just going to,

solve those things. When I started this chat, I said, right now. Sure, there you go. Because it's going to change. It's going to be better. I know there was another article that I stumbled on, I think it was also in Fortune, about how the Anthropic CEO, the IBM CEO, Meta's, they're all talking about how AI is supercharging their development teams. And I'll talk about that in a second, because that's crazy. The state of...

AI IDEs, wild. But yeah, it's just supercharging their teams and at the same time it's going to be replacing junior devs. They're just not going to need as many because when you get a senior developer who's got a 4x output to what's expected because they've been supported by AI tools, it's crazy. The industry is in for a rude, rude shock.

There's like this hard, hard, hard tangent. It's like a kind of Victor Turner who had this concept in sociology or anthropology or something that liminality is the root of like human discomfort. When we find ourselves strung between two different well understood states, that's when we're uncomfortable. It's the group of people that doesn't, you don't banish the person and you don't put them in the cage. You make them live on the edge of the society. You just kind of put them over there and that's what we don't like.

And it feels like we're living in this liminal moment where like, we're not quite there yet. We haven't quite gotten to whatever this is gonna turn into, but we're no longer in the world we just came from. We're suspended in this point in the middle and it's discomforting. It's not a good feeling for a lot of people. We're just in a new technical revolution, like technological revolution. We're in the middle of it. Yeah, we're right in the middle of it. Where it's like, we had this with computers, we had this with cell phones. Totally.

You know, the mobilization of the workforce, the mobilization of communication. Like, do you remember, like, in your lifetime, you would have had, like, a house phone. And, like, when you went outside the house, you wouldn't have got a phone call. Yeah. I think about all of it. Yeah. 100%.

Yeah, all the things that I didn't do when I moved out. And that was like, it's like, okay, a transition had occurred. It had occurred in my mind before it had occurred in the mind of my parents type thing. But I'm not going to get cable. I'm not going to get a landline. I'm not going to do all these things. Yeah, you're a millennial wire cutter. Exactly. The transition had happened when I had the brain plasticity of a 16-year-old and it was fine. Yeah.

But now I'm not and I don't and it isn't. It's just different. Yeah, so this is just another one of those things. I think we talked about it before, but the economic impact of the mobilization of communication and instantaneous communication. So email replacing letter mail and fax machines. Even fax machines, technological revolution. All of a sudden we can send a letter across the world in four and a half minutes instead of four weeks. That was like...

And this is the same thing. We're just further down the hole of the technological revolution. It's like now we're at the point where it's like one of our premier wizardry jobs, the software engineers, is oddly going to be the first thing killed by their own creation. So it's like, yeah. What a time to be alive, Scott. What a time to be alive. But as somebody who likes to build things and doesn't like...

Sure, the minutiae. It is amazing. The last couple of weeks, I've been using VS Code, Visual Studio Code. So I've been using some of their extensions inside of VS Code. And last night, I tried Cursor, which is like a branch of Visual Studio Code that's been like...

injected with AI malware. Like it is entirely... No, no, I'm just like saying like it's inside the heart of the system. Like it's not just Visual Studio Code with like a chat room next to it. Copy and pasting different responses into it. It's like, no, we've woven these things together at a foundational level. Yeah, yeah, yeah. AI lives inside of your project. Yeah. So it's like...

And I have to say, and this like this is not a paid ad for cursor, but it should be. Holy fucking shit. It's that big of a difference, huh? It's like it's reading your mind. Like you'll import a library into a file and you'll like go to define the con like like to import like a value and you go to use it and it'll be like, is this what you want to do?

And it'll just show you the code of what you're about to write. And you just hit tab, and it's in your file. And you're like, holy fucking shit. That's all I was thinking. So immediately, I set us up a corporate account. So any of our devs all have Cursor licenses now. It's not cheap, but it's not expensive. And for the kind of optimization that that could do, I couldn't even imagine. Strange. Yeah. Roy Lee saw it coming. Roy Lee.

Roy Lee will be just fine. Roy Lee will be just fine. He will end in some massive tech company or start his own maybe. Okay. I think that's another one in the bucket. What do you think? I think that's another great episode of Hacked Podcast brought to you by Push Security. Push Security. They keep your identity safe in the browser where it lives, where we do all of our work. You should check them out. Pushsecurity.com.

I like this one. We got a big old crypto heist and a crazy job application hack. I found those fun. Appreciate you listening. Excited to catch you in the next one.
