[START OF RECORDING]

JACK: I was just reading up on these Beatles superfans called Apple Scruffs. They weren’t the crazy fans you see screaming their heads off trying to grab at the Beatles any chance they could. No, the Apple Scruffs thought that was lame. They liked the Beatles so much that they dedicated years of their life to trying to support the Beatles. They were like, look, the Beatles are important. How do we make their lives better? So, they spent tons of time figuring out the exact location of where the Beatles would be every day and then go there to try to help, often holding back Beatlemania crowds or offering flowers or food or to run errands. Over time, they would get to know the Beatles. There are some stories of them even sneaking into places to act as staff in order to help them even more. George Harrison would later write a song called Apple Scruffs, where he said he loves them. I’m astonished to see what incredible lengths that some music fans go to. They’ll cross continents just for a fleeting moment with their idols or endure relentless weather or camp out for days, showing a level of devotion that defies logic. The risks and sacrifices that some fans make are truly remarkable.

(INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet. I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS]

JACK: Okay, are we ready to get started?

PROFESSOR DUBSTEP: Yeah, that’s fine, but could you use — the name for me, could you use Professor Dubstep?

JACK: Professor Dubstep. I like that.

PROFESSOR DUBSTEP: Yeah, that’s fine.

JACK: So, Professor Dubstep, where does this start?

PROFESSOR DUBSTEP: The story?

JACK: Mm-hm.

PROFESSOR DUBSTEP: [MUSIC] Well, picture this; kind of early 2014. I was thirteen, sitting there working on my Minecraft server. It was breaking all the time. The host was terrible. The staff were fighting and I kinda just wanted to do something else. Knife Party, which is a musical act, had a new album coming out in 2014, and it was delayed. It was taking ages.

JACK: Professor Dubstep was into this band, Knife Party, and wanted to hear their new album, and saw Knife Party was interviewed on a podcast and wondered if there was any mention of the new album in the interview, and there was. [MUSIC] Not only did they talk about it, but Knife Party actually played a snippet from the new album. Whoa, cool! Professor Dubstep is actually into making dubstep music themself, so this wasn’t so hard for them to just download the podcast and grab that song out of it and listen to it on its own.

PROFESSOR DUBSTEP: I was like, well, this is kind of good. I’ll chop this together a little bit and then I’ll upload it to SoundCloud so that other fans can hear it and enjoy it as well. I put it up there. I didn’t expect it to get much popularity. But a few hours go by; I go back to working on my server. Then I check my SoundCloud after a couple of hours and the plays are just racking up; 10,000, 20,000. I open Twitter and Twitter is blowing up, too. The EDM — the electronic dance music news blogs have posted about it and said, oh, the track’s been uploaded to SoundCloud early and it’s a leak, blah, blah, blah, which it wasn’t.

JACK: Professor Dubstep didn’t care to correct anyone, though. They just watched the madness unfold silently. But because people thought it was an early leak, they started sending them some private messages.

PROFESSOR DUBSTEP: So, checking in my SoundCloud messages — and I saw I had a message from Dinodriller, and he was saying that I had some cool — well, he thought that I had some cool music, some cool, unreleased things. I had another message from Spintire, who — it was basically — he was asking to add me on Skype and talk some more. So, I took this opportunity and I’m like, well, we’ll see what he wants. So, he adds me up and he says, oh, so, how are you getting these things? I explain. I say, well, I don’t actually have anything. It’s just kind of blown into something that it wasn’t — but that I do like to look around and see if there’s hidden things that are kind of not really in — supposed to be in the main public view but are made public accidentally and things like that, or things that appear early. He said that he likes to do the same sort of thing, you know, looking in, trying to find open directories on servers and things and accidentally-public info. So, we kind of connected and we had a chat about that, and we were talking about that for hours.

JACK: [MUSIC] Yeah, there’s a ton of stuff on the internet that shouldn’t be there. I’m very aware of the site Shodan which scours the internet looking for private stuff accidentally exposed publicly, like being able to view surveillance cameras, license plate readers, servers with default passwords, and entire databases that are just open. But that site is mostly exposing cyber-security flaws on websites. It’s not really a place to go find unreleased music. We’re trying to solve a different problem here. Maybe Google dorking can help. I know I’ve found quite a bit of music this way. You could search Google for any music files with the band name in the file name, and Google will happily show you tons of music that you can easily download, and sometimes you can find things that probably shouldn’t be public. So, they’re going over these strategies in chat, different ways to find music online, but the conversation just kept going. They’re sharing more secret ways to discover things. One of them starts talking about the website Bitly, which is a URL shortener.

PROFESSOR DUBSTEP: It just allows you to shorten links, but they had a glaring flaw in their system where if you add a ‘+’ to the end of any shortened link that was made while logged into an account — and you could just — you could click on the public user profile of these accounts and see everything that they’d ever shortened using the service, and many of the links that we were looking at music-related would always be made by a management account, for example, and they would share internal things on the link shortener as well, and we’d be able to just see those and download them.

JACK: So, one thing music production companies or dubstep managers do is promote the hell out of the musicians that are under them. So, together, Professor Dubstep and Spintire go on Twitter and check out these management companies, and yeah, they see managers using Bitly links to promote some bands. For instance, they might use it to link to some promotional flyers or tour dates or new releases, and they were using Bitly to shorten URLs for promotions. So, Professor Dubstep would use the Bitly bug to see what else this management company has used Bitly for, which gave them tons of links to go through and check out. A lot was for public consumption, but sometimes they’d find things which shouldn’t be in the public.

PROFESSOR DUBSTEP: [MUSIC] Exactly. It would either be audio or Photoshop documents or sometimes were internal memos like promotion plans for upcoming releases and things, and just being able to get kind of a look into the inner workings of these labels and management companies of how they function and how they put their things together and make their plans, which was really interesting.

JACK: This would give them new content to post on SoundCloud or Reddit.

PROFESSOR DUBSTEP: On Reddit there was — Reddit also has direct messages, and a message came through to my inbox from a guy called Jay Brown. He added me on Skype as well, and we got to talking. He was a different kind of person. He was what’s known as a dubplate trader. Now, dubplates are a nickname for unreleased music, and in more modern times that’s just come to be on an MP3 file, basically, just an MP3 file that’s not released to the general public, and there’s a whole scene of trading these files in small circles. [MUSIC] It’s kind of like Pokemon cards; less-valuable cards are treated way differently to ones that are rarer, and it’s the exact same with dubplates. So, this guy called Jay Brown comes to me and he says, oh, I’ve got some stuff. Do you want to check out what I’ve got? I’ve got this and that and this and that, kind of presenting it as if he were some kind of drug dealer or something. I wasn’t really interested in anything he had. There was one specific track which was Knife Party’s Suffer, and I didn’t have anything that I wanted to give him because I wasn’t a trader. I had my couple of things that I found on my link shorteners, and I decided that I would try and make something out of nothing. [MUSIC] So, I took a clip of this radio recording and I kind of chopped it together into something that sounded semi-reasonable and presented it to him.

JACK: Like, you were creating your own music that sounded similar, or…?

PROFESSOR DUBSTEP: No…

JACK: …editing it in a way that…?

PROFESSOR DUBSTEP: …it was editing an unreleased track in a way to make it sound as if it was an original source file, but when it actually wasn’t a source file. So, it’s trying to make something seem real but that wasn’t so that he would believe it and send me the thing that he had that was real. It was quite a scheme. It was quite a scheme.

JACK: Yeah, it does introduce quite an interesting situation of like, when you’re dealing with official releases, it’s coming from the official channel, right? But when you’re trying to get your hands on these unofficial releases, you — there isn’t any legitimacy to it. It could be from them, it might not be from them, and you were playing into that, of like, you know what? You’re not gonna know if this is from Knife Party or not. I’ll put a little clip in there from Knife Party just to kind of make you think it is, but then I’m just gonna make it up after that.

PROFESSOR DUBSTEP: Yeah, that’s pretty much how it went. If you were good at this, making something sound semi-legitimate, these traders didn’t really know much better. It was quite easy to convince them of something and to kind of ignore what their own ears were telling them, and it worked.

JACK: [MUSIC] This is getting wild. Not only was Professor Dubstep looking for unreleased tracks or dubplates, as they say, but they were taking popular songs and putting in changes to make it seem like a new mix by that musician. Pretty shady and deceptive. But as a teenager, it doesn’t seem so bad to play around with someone else’s creation and see if someone will believe you that it’s original.

PROFESSOR DUBSTEP: Well, that’s the thing, is it’s unspeakable. You never speak that you did an edit to it or something because it would give the whole game away. Me and Spintire kind of kept doing this between ourselves. We thought this was quite a good idea, that we would make some more fake things or edits and we could use them to float in these trading circles and just drain their whole collection of rare things without actually causing any damage ourselves to any of these releases, because the dubplate trading scene, it does cause massive damage. No matter how big or small the artist is, if their unreleased track gets leaked online in some way, depending if it had a release planned or not, once it’s leaked, it’s over for that track forever. So, it really — it’s not something to — it’s just not a good thing for the music scene, really.

JACK: Because they recognized that publishing unreleased tracks hurts the artist, Professor Dubstep stopped posting unreleased tracks publicly. By the way, Professor Dubstep actually makes music themselves, too.

PROFESSOR DUBSTEP: Well, I play — I’m a multi-instrumentalist, but also, I make dubstep myself, and this is something that I was learning to do at the time.

JACK: So, this was a way to learn more about the music-making process.

PROFESSOR DUBSTEP: I’m interested in these — unreleased music, but more to just listen to it and break down what’s going on with it, because not all of it remained unreleased. Some of it was just early versions of things, work-in-progress versions of songs that would then come out and be almost entirely different. So, it was interesting to just hear the differences between them, for me.

JACK: Okay, can I ask you a question about dubstep?

PROFESSOR DUBSTEP: Mm-hm.

JACK: I’m afraid to ask this publicly, but what’s the deal with all the dolphins in dubstep?

PROFESSOR DUBSTEP: The dolphins? What do you mean?

JACK: You shared with me a playlist of dubstep music…

PROFESSOR DUBSTEP: Yeah, yeah.

JACK: …and in there is a track called Elephant by Barely Alive.

PROFESSOR DUBSTEP: Oh, right, yeah.

JACK: So…[MUSIC] this is the song, and they think this song’s about elephants, but it’s clearly not. So, listen to this part.

SONG1: Elephant…

JACK: There’s an elephant there, right?

PROFESSOR DUBSTEP: Mm-hm.

JACK: Right there was…

SONG1: Elephant…

JACK: That’s the dolphin. [MUSIC] Oh, I think…yeah, I see the dolphin in there. Let me show you another one.

PROFESSOR DUBSTEP: Yeah, actually, I never put two and two together. That is a dolphin, isn’t it?

JACK: Dolphin on Wheels.

PROFESSOR DUBSTEP: [MUSIC] Oh, that’s the Dillon Francis tune, isn’t it?

SONG2: Do you love your grandparents?

JACK: Yeah.

SONG2: Dolphin…[DOLPHIN SOUNDS]

JACK: There’s a dolphin there, clearly, right? That’s the name of the song, Dolphin on Wheels.

PROFESSOR DUBSTEP: Mm-hm.

JACK: Alright, so another song you sent me was Cash by Barely Alive.

PROFESSOR DUBSTEP: [MUSIC] Yeah, I remember that one.

JACK: Do you hear that beep, beep, beep? Another song you sent me; Borg by FuntCase. [MUSIC] Pew, pew, pew. Bang…

PROFESSOR DUBSTEP: So, I think…

JACK: Bang by Wavedash…

PROFESSOR DUBSTEP: …you might be onto something. [MUSIC]

JACK: [LAUGHING] You’ll hear it there. Gem Shards by MUST DIE!…[MUSIC] That is a dolphin, is it not?

PROFESSOR DUBSTEP: I have to concede on this. It is.

JACK: The dolphin is the lead singer in every dubstep song that you sent me.

PROFESSOR DUBSTEP: It might actually be true, because a lot of dubstep is kind of self-referential.

JACK: Yeah, well…[CROSSTALK]

PROFESSOR DUBSTEP: Yeah, it wouldn’t surprise me if…

JACK: I went through Skrillex’s songs, and this is the dolphin I found in Skrillex. [MUSIC] [LAUGHING] That is a dolphin song.

PROFESSOR DUBSTEP: Oh, it’s been a long time since I heard that one.

JACK: Even in Skrillex. So, while I’m researching this episode, dolphin after dolphin kept showing up as the lead singer in all these songs, and it’s driving me crazy. Is this a thing? So, I Googled it, and, no. Nobody knows about this. There’s no results about this. So, I started formulating my own theories, and I’ve been dying to ask you about this. Okay, so, first of all, dolphins are one of my top-five favorite animals. I love dolphins. They’re so smart and amazing to watch. So, for me to find a whole genre of music that has one of my favorite animals featured in it song after song, it’s gorgeous to me. When I hear a dolphin in a song, the biggest grin comes on my face and I actually try to sing along with it, barking and chirping. So, I wonder if just — the dubstep community loves dolphins as much as I do.

PROFESSOR DUBSTEP: I mean, you’ve got a point. You’ve got a point. Dolphins are a very intelligent animal, so it’s — dubstep is very intelligent music, clearly.

JACK: I also wonder if there are sounds in the dolphin language that speak to us in a really profound way. Like, it might express an emotion that we just don’t have words for in English, but dolphins do and they can somehow teach us more about ourselves, and dubstep artists add these sounds in because they know the power of dolphins and want to help us ascend to new heights.

PROFESSOR DUBSTEP: Yeah, well, we are — we all do come from the sea originally, so, you know, some common ancestor might have — we’re just going back to our roots in a way.

JACK: The other thing I wonder is — since this is such a popular part of dubstep — if the dolphin is a secret mascot. Like, if you go to EDM parties, would I see people with dolphin stickers and patches and tattoos all representing some inner group where you’re not allowed in certain parties unless you have a dolphin tattoo or something?

PROFESSOR DUBSTEP: It’s a secret society.

JACK: Okay, sorry, I refuse to believe that’s a total accident. But when I Google this, nobody is talking about this, so I feel like it’s some closely-guarded secret. But whatever, we’re moving on. So, Professor Dubstep was loving all these early tracks, but only trading with a select few people.

PROFESSOR DUBSTEP: It was kind of a little triangle. It was me, Dino, Jay, and Spintire. We’d sit there, the four, kind of not talking to each other but relaying between each other, and these tracks would go around in that little circle like that. Dinodriller, he was fourteen — at the time, a fourteen-year-old dubstep producer, the same age as me. We’d just hang out on Skype now and then.

JACK: Dinodriller somehow got the attention of Excision, who was a big-time dubstep artist. Excision had quite a few big hits and was pretty popular, and saw how Dinodriller was trying to come up in the scene.

PROFESSOR DUBSTEP: Yeah, ‘cause Excision does — he does a lot of things to support the underground artists in the scene and help them get some exposure and things. He owns a record label that was called Rottun Recordings which he signed a lot of up-and-coming people to, actually help them get a head start. So, Dino was one of these up-and-coming producers Excision was trying to help out. So, he invited young Dino over to the house in Canada to make some new tunes.

JACK: Oh, and by the way, if you’re wondering if Excision uses dolphins in their music, here’s a snippet from his song, Asteroid.

SONG3: [MUSIC] Get back…

JACK: Brrp, brrp, brrp. What do these chirps mean? Okay, so, Excision and Dinodriller were working together at Excision’s house making some cool music, and he was really helping Dinodriller out a lot, actually. But since Dino was also into trading unreleased tracks, he couldn’t help but wonder; what unreleased stuff does Excision have? Being right there in his house made him very curious. One day, Excision invited Dinodriller to come over and work on some music while he’s at the gym. This meant Dinodriller was going to be there alone, so he gets on Skype to tell Professor Dubstep and Spintire the plan.

PROFESSOR DUBSTEP: [MUSIC] When Dino goes to Excision’s house, Dino will go and dig through all — the old hard drive and things and search for some unreleased or work-in-progress goodies and things from people in the scene.

JACK: No; so, Dino was — had a nefarious plan for visiting Excision’s house.

PROFESSOR DUBSTEP: Yeah.

JACK: Oh, my gosh. So, Excision wasn’t around and trusted — so, that’s the thing; this is betrayal at this point. He trusted Dino to — come on in when I’m not around. It’s cool. You’re a musician. I like your stuff. We’re hanging out, we’re friends.

PROFESSOR DUBSTEP: Yeah.

JACK: Now Dino’s like, ah, it’s working as planned. I can — I’ve got full access to your stuff.

PROFESSOR DUBSTEP: That’s exactly it.

JACK: I’m gonna grab some hard drives.

PROFESSOR DUBSTEP: We were sitting there on Skype like, oh, look for this and that and this and that — sending him file names. Like, could you look if there’s this thing and this other thing, and blah, blah, blah. Meanwhile, Excision was out at the gym. We’d just be sitting there like, get this, get that. Eventually Dino ran out of old hard drives to comb. So, we were like, well, there’s stuff missing from here that should be there. So, the final location that was searched was Excision’s actual sock drawer for CDs and USB drives.

JACK: What did he find in Excision’s sock drawer?

PROFESSOR DUBSTEP: [MUSIC] Old CDs with the things on that we were looking for. I’m not kidding. There was a demo from Skrillex called Dimbow which was a demo of one of his biggest songs, Kyoto, and there was just all kinds of things on there, just work-in-progress things that had never come out that no one had ever heard before.

JACK: Mostly made by Excision.

PROFESSOR DUBSTEP: Well, there was some Excision, there was some Skrillex, there was some Knife Party, some Noisia, all kinds of things that these communities had been looking for for years and begging for. It was right there on these CDs in the sock drawer, and they were now being sent to us on Skype.

JACK: Dino was pretty careful to just copy everything right there in the house and put it all back exactly where it was so Excision wouldn’t know anything got taken, and then he passed it around.

PROFESSOR DUBSTEP: Yeah, shares it with me and Spintire, and we just listened to it together, like, this is amazing. This is really interesting stuff. That’s kind of unbelievable. I thought that would be the end of it, but no. After a week or so, literally just a week, some of these things started to leak onto Reddit. [MUSIC] Dino was trying to blame me for it and saying, oh, well, you must have traded this, and telling everyone that I was trading it and leaking it and this and that. I nearly got the blame pinned on me for it. I nearly did. But the way that I found him out was that some of the things that leaked were things that I was never sent. So, it must have meant that he traded two batches of things that were slightly different, one to me and other batches to whoever else which contained different files. So, I caught him out and I managed to spin it back around and say, nope, I can prove that it was you, that it’s the reason for these leaks.

JACK: So, Dino leaked it and blamed it on you.

PROFESSOR DUBSTEP: Yeah. Well, he didn’t leak it; he sent it to the traders like Jay Brown.

JACK: Mm-hm. The traders like this idea of providing the public this stuff. It gives them a thrill. They’re like, oh, look at that, I’m getting a lot of upvotes, getting a lot of downloads, making some waves. Got an article written about it. This is going great. That’s what they thrive on, right?

PROFESSOR DUBSTEP: Sort of. It’s more that they — the traders themselves thrive on just the status of having these rare things so they can go to people and say, oh, I’ve got this and that, and I want that and this. They can trade them for that, and then eventually it just — everyone goes in a loop and carries on doing that between each other until eventually someone posts it online.

JACK: Then once it’s posted, that song is burned in the trading community. It’s no longer a rare item to have.

PROFESSOR DUBSTEP: [MUSIC] Christmas 2015, there was an event called Leakmas where hundreds of things got leaked onto xTrill, onto Reddit. All of the things that Dino had taken from Excision’s house, all of them leaked. There wasn’t one single thing that didn’t get leaked, and it was all just because it was being traded like crazy.

JACK: Did Excision ever figure out that Dino did this?

PROFESSOR DUBSTEP: No, to this day he’s never realized. He never found out.

JACK: We’re gonna take an ad break here, but stay with us because this story is gonna go way off the rails. Professor Dubstep was getting deeper into the unreleased dubstep trading scene.

PROFESSOR DUBSTEP: 2016 comes around. The tactics that traders were using to obtain the unreleased music files was changing a little bit, and there were a couple of incidents where artists had played a DJ set at a club and someone would go up after the show and just take the USB drive straight out of the mixer…

JACK: Whoa.

PROFESSOR DUBSTEP: …with all the secret stuff on it, yeah.

JACK: They’d go right up on stage and grab the equipment?

PROFESSOR DUBSTEP: Yeah. Well, these Pioneer CDJ systems, they’re — you basically just put a small USB flash drive into the top. So, if someone walked past it, they could just swipe it really easily and no one would notice until it was too late.

JACK: Well, I mean, doesn’t the music immediately stop?

PROFESSOR DUBSTEP: If it’s after the show’s just finished, there’s a small window where someone could grab it and no one would notice.

JACK: Whew, that’s some balls, you know, to go to a live show, say that performing artist you like, and then to steal their files right from under their nose…

PROFESSOR DUBSTEP: Yeah, it’s been known to happen about three or four times in the space of one year.

JACK: Holy moly. The lengths these people go to to get unreleased music is unreal. I think it’s a testament to just how dedicated and motivated the fans were to hear more, to get the latest stuff. You don’t see consumers just going to a sewing trade show and stealing the latest sewing machine from the demo booth, you know, because that passion doesn’t exist there. Music has this way to give us a meaning to life. It can be our therapist, our best friend, our lover, and our dance partner. It moves us in a way that not much else can. So, some people would risk getting arrested to steal a thumb drive with new music on it.

PROFESSOR DUBSTEP: Yeah, it happened plenty of times. There was a guy called Snails who was blowing up in the scene in late 2015. He had his USB stolen, all of the files from it leaked onto Reddit. Skrillex had his USB stolen as well. All of those things ended up leaking in late 2016 onto Reddit. Again, it’s something that keeps happening. I think it still happens to this day that artists have their USB drives stolen out of the equipment on stage.

JACK: Ah, what do you do here, weld your USB drive into your equipment? Or what about putting a decoy USB drive in, but it’s really a trap? If somebody goes to grab it, they get an electric shock. It’s also interesting to just parse the idea that music is just files. It’s data on a computer, or a USB drive in this case, and I never thought about applying cyber security to music, you know? It’s acoustic sound waves, not computer files. But, no, it is computer files, and so, it needs its own version of cyber security, too. [MUSIC] Okay, so, let’s talk about Reddit. The poppin’ subreddit for all this was xTrill, which is a place to post links to unofficial dubstep music. You know, live recordings from concerts, radio mixes, stuff that wasn’t on the artists’ official Spotify or YouTube or SoundCloud. But it is from that artist, and these alternate versions are sometimes better than the original version. Fans were loving this subreddit to listen to new mixes.

PROFESSOR DUBSTEP: Leakers in the scene were frowned upon. So, things actually being leaked — whoever leaks something is — it burns their reputation.

JACK: That’s the nuanced thing about it, though; while people went crazy over leaked tracks and would get a lot of people excited, the subreddit had to take action on this to avoid being labeled as a leak site and get shut down. So, they’d remove the leaks and ban the leakers.

PROFESSOR DUBSTEP: Because it was — it just goes — one thing; the traders, they don’t like things leaking, and two, it does damage things. Three; it invites trouble. It invites legal trouble if you are the one to leak something.

JACK: The xTrill subreddit is layered like an onion, though. Basic stuff was on skin level. Peel it back and you find some juicier content, traders with rare stuff. There were rules, though; no piracy allowed and no posting unreleased music. But the rules were often abused.

PROFESSOR DUBSTEP: To the outside, xTrill looked like a place that was just a rampage of things, totally uncontrolled. But actually, behind the scenes, it was kind of a front. So, if an artist was cool and contacted the moderators of the subreddit or the people in charge, they could say, please prevent this thing from leaking. There’s release plans for it soon. Just, would you mind keeping it off? If they were nice about it, they could get their brand added to the filter so that nothing could be posted.

JACK: It really takes a certain set of eyes to understand what’s going on in xTrill, because even when something is posted, are you familiar enough with that band and that track to know if this is legit or made up or a leak at all?

PROFESSOR DUBSTEP: So, late 2016 rolls around. Spintire comes to me on Skype and says, look, we’ve got this old password of Skrillex’s. I say, okay, well, how? How does this happen? He kind of hesitates to explain it at first and just says, well, just look at it. Just try it on these things. Just try it on the old Skype account. [MUSIC] Okay, and it works. It logs straight in.

JACK: To Skrillex’s Skype account.

PROFESSOR DUBSTEP: Yeah. It was an old, inactive account. It was dead. It was not being used. But the password worked, and I was like, well, how did you get this?

JACK: Yeah, good question. Skrillex is the biggest name in dubstep. He’s a Grammy Award-winning artist loved by millions of people. He has millions of followers on Twitter, too. To get his password on Skype is a pretty big deal.

PROFESSOR DUBSTEP: I said, well, how’d you get this? Eventually he explains. He says databases have leaked from all kinds of sites. There was quite a lot of databases that got stolen and uploaded online in 2016. There was — Dropbox had their database stolen. Last.fm had their database stolen. MySpace had their database stolen as well, and they’re all just uploaded to this thing called — I think it was LeakedSource. You could basically pay for — pay $20 a month for access to this, and it would give you access to all of these databases. So, you could just view the results, the hashed passwords and things. You could just take the hash and just decrypt it yourself because they were really poorly protected; just standard MD5, which almost the whole MD5 table had been cracked by that point.

JACK: Oh, my god. This is about to get insane. Huge database breaches with millions of usernames and password hashes; combine that with the ravenous fans willing to stop at nothing to break into dubstep artists’ digital lives and steal whatever they can to post it to xTrill, and Skrillex is one of the first to get a working password for, the biggest dubstep artist in the world? My goodness, my brain is running a million miles an hour right now. There is going to be an all-out onslaught of people that are gonna be trying to hack into these musicians’ files. Yo, I’m eating Fun Dip right now.

PROFESSOR DUBSTEP: So, what we’ve done, basically, is just put the e-mail in that we knew of these artists, and if they had a result come up from some old database that had been leaked that was poorly encrypted, you could take that hashed result and decrypt it and just hope that their security was not so great and that they kept reusing this password all the time and used the same one on every site or whatever.

JACK: Dang, that is a sweet combination of Last.fm, Dropbox, and MySpace. It pretty much means every dubstep artist would be somewhere in those database breaches. It was just a matter of finding the right username or e-mail to use, because those three sites were used a lot by musicians. Dropbox is extremely popular for file sharing, and if a musician has a label or a manager or someone else that they’re collaborating with, sharing their work in progress on Dropbox is very common in this circle. Last.fm and MySpace are places where you can go to post your music, which, when you’re an up-and-coming artist, you definitely want to be posting everywhere. Yes, MySpace is still around. So, yeah, I’m just imagining like, wait, hold on a second. We’ve got Skrillex’s password. It works on an old Skype account. This has got to be the pinnacle of the whole story. We got into Skrillex’s Dropbox.

PROFESSOR DUBSTEP: Skrillex’s Dropbox is the — we actually didn’t manage to get in there, but we tried a bunch of different accounts after Skype, and none of it was working. So, all of the other things had been closed off.

JACK: So, you couldn’t get into his Dropbox.

PROFESSOR DUBSTEP: No.

JACK: Nice job, Skrillex. Either he wasn’t reusing passwords or heard about this database breach and changed all his passwords. Either way, he was ahead of the hackers here. My goodness, if they got into Skrillex’s Dropbox, that would be the most epic thing. To hear his latest stuff before anyone else? That would be insane. But they couldn’t get in.

PROFESSOR DUBSTEP: [MUSIC] No, so we decided instead, maybe his manager would be a good target to try and look to see if there was anything leaked in the databases for his manager. So, we had a look, and there was. It was a really old result from 2008, but it had been — the same result appeared in all of the databases. So, it had a good chance of working in some old sites that had been inactive but had been used in the past for sharing music and stuff internally. So, me and Spintire, we sat there on Skype and we tried it on a MediaFire page, which worked. It logged us in. There was some interesting stuff in there. There was Photoshop documents, there were a couple of unreleased tracks that had never come out before, never even been heard.

JACK: Skrillex tracks.

PROFESSOR DUBSTEP: Mm-hm. Yep.

JACK: Hot diggity, that’s — I mean, I don’t know if you’re seeing it the way I’m seeing it, but that’s gotta be the biggest find ever so far, at least, in the story.

PROFESSOR DUBSTEP: In a way it was, but at that time we’re hearing so many tracks from the traders that it kind of didn’t seem as big to us as it actually was. What we were doing as well, logging into the accounts and things, we didn’t really realize how deep that was really going, ‘cause that’s way further than just trading something in a small circle that’s been got from another trader. That’s going into someone’s account and taking something directly, and we were just doing it as if it was nothing, really, which is really ridiculous. When I think about — think back to it now, it’s ridiculous. That’s a huge invasion of privacy. But it worked. We got these tracks and kind of made a resolve to ourselves that other people would be doing this at the same time as us. Other people would be figuring this out who would get these things and then trade them and leak them. So, that’s what me and Spintire were basically saying with each other. Like, it’s better that we’re doing it and we can keep these things safe and listen to them between ourselves and have the interest with it, and then keep it secret, keep it from leaking.

JACK: So, part of keeping it from leaking is changing this manager’s password or deleting it out of there or something, right?

PROFESSOR DUBSTEP: Yeah. So, we’d go in, we’d take — we’d grab the files and then either just change the password straight up so that no one else could get into the account or to contact the person that we’d logged into and say, we’ve compromised your account; you need to change this password. Which, many of the times we actually did that. We contact them; said, you know, you’ve been compromised here. This is how it happened. You need to change your passwords.

JACK: Whoa, what a weird moral compass that is. They knew breaking into someone else’s account is wrong, but their attitude was if it’s not us who breaks in, it’ll surely be someone else who breaks in, and they could cause big problems. So, it’s better that we do it so we can fix it, and for the incentive of getting in and fixing it, we’ll just take a listen to whatever we find along the way and just keep it for ourselves.

PROFESSOR DUBSTEP: We decided to look in these databases for Dino’s — if he had had his passwords leaked in some database and that we could try them out on Skype.

JACK: Oh, wow, Dino was that guy who stole things from Excision and then leaked that stuff to other people, then tried to blame Professor Dubstep for the leak.

PROFESSOR DUBSTEP: Yeah. This is where it gets good. [MUSIC] So, we had a look and there was one — there was — well, there was one password that had been leaked five or six times on different services. So, that just indicates that he’s using it on everything and maybe he hasn’t realized that it’s compromised. So, we took that password and we logged into his Skype. It worked the first time. It was six characters. It was really basic. We just logged straight in, and we could see his chats and we could see him talking to some guy called Shane, and Shane was the owner of xTrill. They were talking with each other about trying to hack into accounts using these databases. So, they were doing it themselves and trying to figure it out, as me and Spintire were also doing it between each other.

JACK: Oh, interesting. It’s almost like there are two teams on this now; Spintire and Professor Dubstep, and then Dino and Shane. Spying on the other team might be really useful here.

PROFESSOR DUBSTEP: So, one of the targets that Dino was trying to hack into while we were watching him was us, me and Spintire. So, he was looking in these databases trying to find our info, and we were watching him do it and watching him attempt to get into our accounts live in real time.

JACK: Which accounts of? Like your Skype account?

PROFESSOR DUBSTEP: Yeah, anything he could manage; our Skype, our Dropboxes, SoundClouds, anything, basically.

JACK: Oh, so, Dino’s talking with Shane like, hey, do you have Professor Dubstep’s — did you see them in this at all in the data…? Yeah, I see them in the data — oh, cool. Let’s check their password. Try logging in. This is the chats you saw, and then it’s like, no, it didn’t work. Oh, bummer.

PROFESSOR DUBSTEP: Yeah, exactly that. Literally just a real-time feed of watching them try to hack into us. Now, I think more what it was was that he was paranoid and he was trying to see if we were sharing stuff behind the scenes and keeping things from him, because everyone in this little trading game was backstabbing each other. It’s just what was happening. Everyone was backstabbing each other.

JACK: Well, I mean, so what is your reaction to that? If somebody’s trying to hack me, I’d be like, whoa, whoa, whoa, this is now — I’ve gotta be very careful with this person. How would — how did you react to this?

PROFESSOR DUBSTEP: Well, me and Spintire, we just sat there like, wow, we’re actually seeing this. They’re actually trying to get into our stuff right now. This is strange. This is a lot to break down. But we just sat there like, oh, well, good thing we have proper security on ourselves. Otherwise we’d be screwed.

JACK: [LAUGHING] There’s the funny bit, is like, yeah, you’re scared, you feel like, okay, I could be screwed here. This person is clearly attacking us. But you’re in their Skype looking at their messages, so you are also attacking them.

PROFESSOR DUBSTEP: Yeah, exactly.

JACK: I don’t know whose side to take here. You’re both in the wrong.

PROFESSOR DUBSTEP: We are both in the wrong. Everyone in this story is in the wrong. There is no right here whatsoever. The only thing that is marginally right is contacting people to say that you’re compromised. That’s the only good thing.

JACK: I gotta have a hero I want to cheer for, and I don’t know what to do.

PROFESSOR DUBSTEP: Yeah, you’re not — I’m telling you now, you’re not gonna get one. I don’t want to glorify any of this because it’s not — it’s a terrible thing, the dubplate trading, the hacking. It’s all just damaging to everyone involved; the artists, the people doing the hacking. It’s dangerous stuff and it’s just a bunch of kids who don’t know better doing it at the time. You know, we were fourteen, fifteen, just sat there. Spintire was a lot older. He was about thirty.

JACK: All this reminds me of one of those old heist movies where the criminals steal the cash, but then when they get away and they’re all just sitting around looking at the stolen money and each other, they all start wondering if they can trust each other. Clearly these are criminals you’re working with willing to break the law for this money. Are they gonna steal it from me? Then you realize, yeah, someone is gonna steal my cut, so then you steal their cut first and get outta there. Well, here we have both sides completely not trusting each other and are actively trying to hack into each other’s accounts to keep an eye on them. But it’s interesting that Dino was working with Shane who was the moderator and owner of the xTrill subreddit. Through these chats, they could clearly see how involved Shane was in the trading scene. He really liked collecting dubplates and getting his hands on unreleased stuff.

PROFESSOR DUBSTEP: So, we carry on. We take some — try and get some more targets. We think of other sites that we can try and log into. [MUSIC] So, we take a look at box.com, which is a Cloud storage provider usually used by small businesses, big businesses, record label production companies, anything. It’s very popular because they offer great group collaboration options. So, we take Skrillex’s manager’s password and we try it on the box.com account, and it logs us straight in, straight into the inner workings of Skrillex’s record label. But we get in there and we can see all their upcoming releases and their production files, promotion plans…

JACK: Upcoming releases for Skrillex?

PROFESSOR DUBSTEP: For Skrillex and all the artists on his label.

JACK: Wow, that sounds like a big treasure trove.

PROFESSOR DUBSTEP: It was a couple of terabytes worth of files in there.

JACK: Holy cow.

PROFESSOR DUBSTEP: Box.com is a little bit more advanced. They send log-in notifications for unrecognized log-ins. So, one of the first things we did was go into the settings and have a look. You know, did it say that we’d logged in? This guy, this account that we had logged into, he’d turned off the log-in notifications, so he had no idea that we had got in there, none.

JACK: Oh, my gosh. There’s a lesson there, isn’t there?

PROFESSOR DUBSTEP: Yeah. You know, leave something on for something like that which is heavily relating to your business. You need to have these notifications turned on to tell you if your security is compromised.

JACK: Unreleased tracks are worth more than demos. [MUSIC] Demos are just early versions or remixes of songs people have already heard, but unreleased tracks, nobody’s ever heard yet. Okay, so, give me a list of things you found on there.

PROFESSOR DUBSTEP: There was unreleased Skrillex songs, there was individual audio assets for some Skrillex things and the other artists on his label like the individual master, master stems and things for songs, multi-tracks, so that you could basically break them down into their parts and things. Everything was stored in there. There was Photoshop documents, promotion plans, documents saying what they were gonna be doing for the next year or two years, even, internal voice recordings, meetings between the label executives and things. It was all kinds of stuff that really should — it’s confidential things and it was really unprotected files. There was no individual passwords on folders and things. It was just all open with fifty other accounts shared on all of them.

JACK: My gosh. I’m just trying to think of what that could — if that did get in the public, what kind of ruckus that would have caused.

PROFESSOR DUBSTEP: It would have caused a lot, a very large amount. What we did was we copied the share link for each folder that was in there and we set the permission on that so that anyone with that share link could still view the folder even though they’re not logged in. We also copied the collaborator invite links for the folders because that option was not password-protected. So, we could invite a new burner account so that we would still have access for ourselves on new accounts altogether, and the original one would be closed down so no one else would be able to get access to it apart from us.

JACK: That’s interesting. I want to make sure you understand this. They accessed Skrillex’s manager’s box.com account, okay, and they saw these folders there and made the parent one shareable. What this means is that anyone with that link can now view the contents of that folder and all the subfolders without needing a username or password. So, now they don’t need to log back in to see what new files were uploaded. They could just use that share link to get in there and view it without logging in at all. On top of that, the manager had the ability to invite new collaborators. So, they just made a new e-mail account and invited themselves as collaborators, and then told the manager, hey, look, your account isn’t secure; you should change the password, which fixed the manager’s account so that no one else could use this same exploit to get in and no other hacker could get in the same way. This is a backdoor persistence into Skrillex’s whole media company. Yeah, but it’s a backdoor in a way that I never thought would be a backdoor, right? If I say, oh, I have backdoor access to box.com, you’re thinking, oh, wow, you’ve got some malware planted and reverse SSH shell. Nope, just a share link. Oh. Yeah, it gives you a total different perspective of what a backdoor even is.

PROFESSOR DUBSTEP: Yeah, because it’s a backdoor that you can just — it’s built into the site.

JACK: It’s built into the site, exactly.

PROFESSOR DUBSTEP: The only reason we were able to get these in the first place is because people don’t exercise proper security. They use the same password on every site for years and years and years and don’t enable two-factor authentication on their accounts, either. So, it’s just open. [MUSIC] If you’ve got the password, then you can just go — you can just walk straight in and do whatever. You could ransack the place if you so wanted to, which is ridiculous.

JACK: I’m just sitting here thinking about this, letting it sink in. A backdoor is built into all the file-sharing sites like box.com, Google Drive, iCloud, Proton Drive, Dropbox, whatever, because if there exists a shared folder link, anyone with that link can see into that folder. It’s a feature of the site itself. You can’t take that away or it ruins the point of the site. What you think is yours in private really isn’t if there are public links to it. When you make something shareable and you say only people with this link can see this file, it feels like this is still private, but it’s not. It’s security through obscurity. Your link is hidden but not secure, and if that link gets out, it’s viewable by anyone without a username or password. I’ve been doing cyber security for decades and nobody is talking about auditing Dropbox links to make sure only the stuff that should be public is public, because every file and folder may have that option and going through them all is simply unreasonable to do by hand. When you’re moving at the speed of business, nobody’s going back to clean up or check what folders have sharing links and what don’t. I say it’s best to treat everything on your Cloud storage as if it is publicly accessible, and only temporarily put things up there if you want to share it with someone privately, and then remove it as soon as they get it.

I also want to draw your attention to websites like URLscan.io. This is a site that is attempting to look at URLs to see if they’re safe or malicious, but users can go there and search the site to see what URLs are in the database, and sometimes you can find URLs that probably shouldn’t be in the public, but they are. [MUSIC] Like, imagine if you take a photo of your kid and it’s on Google Drive, but then you want to create a link to show it to grandma, and you specifically say only people with this link can see this photo, and you e-mail the link to grandma. Well then, grandma has some browser plugin that examines all the links to make sure they’re safe to click, so when this link gets examined somewhere, bingo, bango, suddenly that link to your kid’s birthday party is now floating around on the internet in all kinds of databases, being clicked on by who knows who. URLScan collects links like that. Hybrid Analysis is another tool. Cloudflare Radar URL scanner is another. Not to mention, DNS providers all over the world are logging things, too. It’s not just Google Drive and Dropbox. There are tons of other online storage websites that you could look for; iCloud, box.com, Sync, Ignite, IONOS, HiDrive, AWS, S3 buckets, Proton Drive, and so many more. The list goes on and on. So, the data is available. It’s just a matter of sifting through it to find something juicy. In this case, they were looking specifically for dubstep music and stepping over anything else that they came across. Okay, so, it was just you and Spintire that got access to this.

PROFESSOR DUBSTEP: Yep.

JACK: And just — you just kept it between you. Nobody shared it beyond that, right?

PROFESSOR DUBSTEP: So I thought. How I wish, ‘cause as usual, a few weeks went by and other people started to hint that they had these files. Or, well, the traders got access to some things, and there was no explanation for it other than that Spintire must have shared it with someone. So, I quizzed him on it and I said, if you have, just — I’d rather you just tell me. I won’t be angry. I just want to know. He still denies it. So, I start thinking, oh, well, someone else must have got access somehow aside from us. Someone else must have initially got access to the account. So, I treat it as that for a while. I let Spintire have the benefit of the doubt. We carry on going. We think of some more accounts to try and get into, different people. [MUSIC] Another thing we were trying was the management company for Diplo and Major Lazer, who are a bit closer to pop music. We tried his manager’s box.com account based on what we’d found in these leaked databases, and sure enough, the password worked. It logged us in. There was another couple of terabytes of data in there. It was a lot more than just Major Lazer that were in there. There was Diplo, there was A-Trak, there was Dillon Francis, Kill the Noise. There were about twenty different artists under this management company, and we could view all of their stuff from within this box.com account.

JACK: At this point they’ve gained access to terabytes of data from these music managers, which was just too much to download it all. Their hard drives would fill up instantly, so they had to be selective of what they were grabbing. I don’t know what this is like, to come across this, but I imagine you cancel your weekend plans and you’re like, I got a whole bunch of cool stuff that just arrived in the mail and I can’t wait to dig in there and listen to stuff. ‘Cause you can’t speed through listening to these things. You’ve gotta really be like, wow, I’m gonna let this one play all — the whole thing. Like, this is — nobody else is hearing this but maybe four people in the world, and Diplo made it. Like, wow. Wow.

PROFESSOR DUBSTEP: Yeah, this is where it gets a bit more dangerous because some stuff that they had in that box.com account — they were basically keeping all of their artists and people that were involved in touring and things, production crew, they were keep — this management company was keeping all of these people’s personal documents in there, calling them contact sheets, and that contact sheet would have more than just their contact information on them. It would have their artists’ social security numbers, bank routing info, passwords, all kinds of insane stuff that was just supremely dangerous to keep in largely unsecured folders with no extra passwords on them and seemingly no reason to put that info in the document whatsoever. Then to not secure your own account properly — it’s exposing all the people that are, you know, millionaires. It’s kind of lucky that none of — me or Spintire or any of the people that eventually were doing this, that none of them were interested in anything more than just the music, because the amount of damage that could have come from that is insane.

JACK: Here’s a situation where the management label for musicians was being careless with the artists’ private data. Driver’s license, social security numbers, and saved passwords were sitting there on these online drives, and while it wasn’t meant for the public to see, there were gobs of people who did have access to this that worked for the management companies. Or, even other musicians could see each other’s files. It just goes to show if you’re not protecting your own private data, nobody else will, either.

PROFESSOR DUBSTEP: These folders all had upwards of fifty people shared on them. Everyone in the business could have accessed these things. The interns could access these things. Anyone could grab these things. Or, anyone that got into the account could grab these as well and just have it, and there’d be no notification that it had been compromised.

JACK: Man, that’s too many people to have access to all this, because the more people you have involved, the more backdoors might be created. Because, just think; if a music production company is going to use Dropbox to store all their work in progress, it sounds to me like they don’t have an internal file-storage system and maybe no internal network at all. They probably need things like e-mail, chat system. They gotta make social media graphics, a merch store, blog, social media accounts, newsletters, project management and collaboration tools, and an internal knowledge base or Wiki. Chances are, small businesses today are using public-facing websites for all these solutions and not self-hosting things on their own servers and their own data center. So, that means if fifty people work at this place, that’s fifty accounts times however many services I just listed. What, ten? So, we’re talking five hundred various logins to different websites now. Who’s got permission to see what and where?

Small businesses are not auditing these things, and it’s an auditing nightmare even if they tried. No, this isn’t an ad. I’m not gonna try to give you a solution. I just want to tell you about the problems that arise when you start using Cloud-based solutions and there are a whole bunch of kids who are desperately trying to exploit those. So, these kids had valid usernames and passwords to get into people’s accounts, right? Okay, well, that’s a problem to begin with, but whatever. They were grabbing things but they were also being smart at trying to establish persistence. If the owners of these accounts changed the passwords, they’d be locked out. So, they created share links so that even if the account gets locked out, they could see what files are being uploaded later. Cool. But you can really take this to crazy levels. I’m talking about creating ghost logins. [MUSIC] Let me geek out on this for a second because I want to try to break your brain. Okay, so let’s consider Zapier and how it can be used maliciously. Zapier is a tool that lets you automate things. So, if I get a new invoice in my e-mail, I can automatically upload that invoice to Dropbox so that the accounting team can see it.

Okay, Zapier can do that for you. But in order for that to work, it’s gotta have the ability to see your inbox and have the ability to view and upload things to your Dropbox. So, to set it up, you need to give it permissions to do that. Well, now, if a hacker gets into your Dropbox like these kids were doing and they wanted to maintain their access like these kids wanted and they could see that you hooked up Zapier to do automation — so, now they can create their own fresh Zapier account that they control and connect it to your Dropbox. This could give them visibility into your Dropbox from Zapier. You wouldn’t even know they’re there, because to you, all you see is that Zapier has permission to view your files. But you set that up when you were setting up your invoice automation thing. This is what I mean by a ghost login, someone who’s in your account who doesn’t even need a username or password to stay in. Change the password all you want. They’re still gonna stay connected to your stuff. Another way to create a ghost login is to create a secondary login. Some sites allow you to log in through Google or Microsoft or Facebook or even SSL. Suppose that’s how you set up your account, by logging in using your Facebook account. Now, if a hacker has your password like these kids did and gets in through that, some sites might have the option to connect another login.

Like, if you used Facebook to log in, the site might let you also connect your Google account, too. So, yeah, a hacker could just create a brand-new Google account and connect it to your account and start using that to get into your account from then on. So, even if you change all your passwords, that access would persist. So, if you really want to change your passwords, you really need to go through all of the websites that you have to see all of the connected services and alternate logins, and it’s a mess. It’s a mess. Of course, another way is if the site has a way to generate an API key, you can do that and then access the stuff from there. There’s so many options to create ghost logins to maintain access to an account even if the user changes their password. This is what I mean. If fifty people all have access to someone’s driver’s license and Dropbox, then perhaps nobody is looking closely at permissions, and if that’s the case, there’s a high potential of being able to create a ghost login that stays working for years. I must say, this is a new territory for security teams to navigate. You hear about this in general terms like ‘least user privilege’ and this sort of stuff, but you don’t have people who are experts in Zapier account security who will audit what apps you have given permission to regularly. This is a big challenge to keep up with. So, with all this data, terabytes and terabytes from some of the biggest stars in this dubstep world, do you ever think like, you know, we can make some money off this?

PROFESSOR DUBSTEP: I wasn’t into that, but I would later find out that Spintire was sort of starting to get into that. I mean, after a while of these things keeping leaking, starting to leak on Reddit that were meant to be just kept between us and that no one else was supposed to have access to, I clocked on that Spintire must have been being dishonest about it. So, I confronted him in mid-October. I said, are you sharing these? Just tell me right now. Are you sharing these? He says, no, it’s not quite like that. I said, well, how is it, then? He says, I can’t say. I say, is someone paying you for them? He says, yeah. So, I think, oh, well, finally I’ve — he’s admitted it and I’ve caught him out on his whole game plan. He goes on to explain that he quit his actual job to sell these files to some rich kid on the other side of the world. I say, well, this goes against every — the whole reason that we were doing this in the first place was to keep these files somewhat safe and prevent these people from getting access to them, to be able to — so that they can’t do this thing with it, and then he’s doing it himself. It really made me quite angry ‘cause I felt misled on the whole thing.

JACK: Huh. This is a tricky situation to navigate for a teenager. Like, what do you do when your partner in crime starts doing things you don’t approve of? Together, you made a map of all the buried treasures, all the shared links and logins and passwords and ghost logins, terabytes of downloaded data, and a whole system of techniques and piles of data to sift through to find more. Suddenly, both of them are now highly suspicious of each other. Now that it was known that Spintire was selling this stuff, Spintire offered them a cut of the money to keep things quiet and stuff.

PROFESSOR DUBSTEP: I said yes, but what I meant was I’ll agree so that he keeps — he thinks that I’m on his side still. So, I end the chat and then I go and talk to Shane from xTrill.

JACK: Shane was the moderator and admin of the xTrill subreddit. Professor Dubstep was like, listen, these leaks that have been happening lately, I know where they’re coming from. Spintire is selling it, and I don’t want more to leak out. So, here are the other things that might leak.

PROFESSOR DUBSTEP: So, he agrees and he’s like, yeah, we’ll do what we can to prevent Spintire from carrying on with this stuff. So, we started working together from that point on on these things, me and Shane and another friend called Arnie Kurtz.

JACK: [MUSIC] Arnie was another guy very tuned in to the unreleased music scene, and he was a whiz with all these online services and how their security can be exploited, which could be really handy to break into more shared drives and stuff. Shane had seen that Dino wasn’t trustworthy, so they stopped working together. So, the new crew is Professor Dubstep, Shane, and Arnie. Spintire and Dino were out. Not only that, but they all agreed that Spintire needs to be stopped. So, they put filters in place on the subreddit to keep certain tracks from getting posted, but they also started going through the ghost logins and shared links that Spintire had to lock him out. They were changing passwords and disabling shared links. It’s kinda funny that this teenage crew knew exactly the steps to take to keep hackers out, yet the music labels themselves either didn’t know or didn’t want to stop these kids.

PROFESSOR DUBSTEP: Yeah, that’s kind of what we started doing. Our main plan was just prevent Spintire from retaining access to these accounts and these folders that we had spent so long to gain ourself access to, and then we’re locking them off to try — specifically to try and prevent things, to prevent this from — it is kinda strange that it changed in that way. I had cut Spintire off in mid-October. I had been friends with him for two years at that point. It was difficult to cut him off. He was fun to hang out with. But, you know, it had to be done. Damage was actually being caused, and I was recognizing that.

JACK: What a headful to navigate as a teenager, you know? Like, to be sitting in, what, history class, just thinking in the back of the class what stuff Spintire might steal next, and then to rush home and change more passwords to try to lock him out. But then when you’re in there cleaning things up, you’re reminded, oh yeah, this is the account with all those banking details for this major musician who’s a millionaire. Huh, that’s funny. Not gonna touch that, but I will stop Spintire from getting back in here. Once they were slowing down Spintire and locking him out the best they could, it was time to start looking for new treasure troves.

PROFESSOR DUBSTEP: [MUSIC] I think at the peak of things, we probably had a network of twenty-five accounts. It was a lot. We were doing this sort of stuff just all day, basically, just trying to figure out what could be next. What could Spintire’s next target be? What could be something dangerous that he would get access to that he shouldn’t get access to, and then go and get access to it ourselves instead. It was ridiculous.

JACK: Their standard system was to find a musician’s e-mail address, search for that e-mail address in the breached databases, get the hash, crack the hash, then use that on a whole bunch of sites that musicians might use and hope they might be reusing passwords.

PROFESSOR DUBSTEP: Yeah, that’s the thing as well with box.com or Dropbox; if you make a shared folder and you invite other collaborators to it — like, these management companies are inviting fifty people to a folder. You could go through and browse that list of people and take their names and their e-mail addresses off there, and then you could run those through the database search, as well. So, you could — if you spent long enough on it, you could tunnel through to all kinds of places that way by just going on it again and again and again until you get somewhere. You could build up a network that way.

JACK: Of course, you all should know by now the dangers of reusing the same password on multiple sites. Here’s a clear reminder why you should never do that. But you should also watch out that you’re not too lazy when making different passwords.

PROFESSOR DUBSTEP: Quite a few times they’d not change it very much. They’d maybe just add a capital letter or an extra number on the end. There was one manager that we were looking at; his password was the same thing for everything, but he just changed the letter at the end and it would be — the letter at the end would be the initial of whatever site the account was for. So, if the account password had leaked for MySpace, it would be ‘word’ and then the letter M at the end. So, to get to the password for box.com or Dropbox, you’d just change the letter at the end to a D or a B and it would work. You would also not get a notification that that password was compromised, because it wasn’t.

JACK: Yeah, that’s interesting, because I regularly check all my passwords to see if any of them have been exposed in a database breach, and I change any that do get seen. But if my password is guessable because it’s just one letter off on every site, then those would never appear in any database breach to make me want to change it. Now, one of the songs they got ahold of early was Purple Lamborghini.

PROFESSOR DUBSTEP: Yeah, Purple Lamborghini was something that came from Diplo’s manager’s account. One of the artists that they were managing was called Flosstradamus. They do DJ sets at the main festivals throughout the year for trap music and dubstep music. In one of these contact sheets that was stored on this management box was all of the passwords for this DJ duo. One of them was the password for their Splice account. Splice was a service that offered project file storage for music software. So, we got into that and we downloaded their DJ set preparation files. Because they were semi-big players, they had all these work-in-progress versions of tracks from other people in the scene, and the Purple Lamborghini demo was one of them.

JACK: By the way, if you’re wondering if there’s a dolphin in Purple Lamborghini, there sure is. It’s right here. [MUSIC] Ba, ba, ba. I swear if I listen to this enough, I’m gonna learn the language. Now, the thing is this is a demo version, which I think is better than the official version, but this demo wasn’t released when the official one came out and I don’t think had any plans of ever getting out. So, at this time, only Professor Dubstep and a handful of people in the world ever heard this.

PROFESSOR DUBSTEP: [MUSIC] Yeah, and basically what happened was — it’d been a few months since I cut Spintire off, and I was missing my friend. I went and unblocked him and I started talking to him again. I said, you know, are you still doing the selling? ‘Cause we’d been trying to prevent him from doing it, preventing him from getting anything to sell. He said, no, I’ve finished with that. I’ve cut off those people. I realized that they were trading and leaking the things after, blah, blah, blah. So, I was like, okay, should we be friends again? He said, sure. Let’s go back to how things were a couple of years ago, just talk about music and not be involved in any of this dodgy stuff. I say, okay, sure. We kept talking. It led into, oh, I’ve got these couple cool, new things. Do you have any cool, new things? So, we share a couple of things back and forth with each other like old times. The Purple Lamborghini demo was one of those things. About a week goes by and as usual, it leaks on Reddit. The one single, possible culprit; Spintire. I just — I blew up at him over it. Say, this has happened again. You’re the only explanation for this thing leaking. You broke my trust again. So, I couldn’t back off, but it was too late by that point. The thing had leaked. That was my own stupid fault. But December rolls around and we had one last big thing that we wanted to try and do, which was to get into a Major Lazer production account for where they held all their song files and their production files for things that they were working on, things that you could load up into music software and see all the individual bits of and change things.

[MUSIC] So, we had the idea to go for one of Major Lazer’s production team and see if we could get into their things. So, we had one last go on the database and see if we could get the paths to their Dropbox, and we did manage it. We were talking back and forth with each other, me and Arnie and Shane in group chat, saying, oh, it’s here. There was one specific song that we wanted to get. It was called Terrorize, featuring Collie Buddz. So, we logged into this account, and the first thing we searched for was ‘Terrorize project file’ and it was there, the actual one that they were — that the group were working on at the very day. So, we’re talking back and forth with each other, like, oh, it’s Terrorize season, it’s Terrorize season. GOAT, greatest of all time. But there was more than just that in Dropbox. There was another terabyte of stuff that was being worked on at that minute, like the inner workings of a major Billboard top-100 pop artist, and everything was there; individual assets, drum samples, synth files, all kinds. So, we grabbed all that stuff. Well, I mean, it was too much to grab. In many of these cases, it was too much. There was too much there.

The things that Spintire had got hold of from before he was cut off had started to — it would — the leaking had really picked up, and me and Shane and Arnie basically decided that we needed to make even more efforts to contact these people who had been compromised, so — and I’m pretty sure it was Arnie that did it. He rang up the actual manager’s phone number and left a message on the voicemail to say this has happened, this is what will happen next, and you need to start taking steps to secure your stuff straightaway, otherwise the damage would just rack up into hundreds of thousands of dollars. So, their legal team started talking about this. Like, oh, how could this happen? Blah, blah, blah. It’s impossible. We sort of — we ended up in contact with these legal teams under false identities to explain to them how it had happened, why it was happening, and how they could prevent it. They were basically saying, oh yeah, we had plans for these songs. We had plans for Terrorize. It was gonna be a big thing ‘cause so many people wanted the song. That was — they basically just all — cancelled all of that because it was — the potential for it to leak early was there, so they cancelled all of those plans.

JACK: Yeah. If you go on Major Lazer’s Spotify or YouTube channel, there is no such song as Terrorize. Collie Buddz didn’t release it either even though he sings in it. The song never got released despite there being quite a decent amount of people really looking forward to it. I guess this is why it got cancelled. The hackers ruined it. But if you’re curious what the dolphin sounds like in it, here you go. [MUSIC] This is actually a remix of it I found. The one that got leaked was a little different. But it’s wild that this totally unreleased Major Lazer song is out there in the world for anyone to listen to, but because it wasn’t an official release, it doesn’t have many plays, and it’s not an official song by Major Lazer. It could have been a hit. Major Lazer has three songs on Spotify with over a billion plays, and Collie Buddz is pretty popular, too. A reggae dubstep crossover song? That’s a great idea. But it was never released. The project permanently halted. How odd, you know? Just to think, an early version of a song that gets leaked too soon, it upsets the label so much that they just give up on the song entirely.

PROFESSOR DUBSTEP: An album that was being worked on at the time, Music is the Weapon, that was cancelled, too. Well, not cancelled outright, but really delayed. It only came out in something like 2020, 2021, which was four years after all these incidents. But we were basically just talking with each other trying to come up with these plans of how can we prevent these things from leaking? We want to help you to figure this out because we know these people that are involved with this. These legal teams are coming up with these ridiculous plans. Like, oh, well, we’ll fly Spintire out to New York and we’ll take him to dinner and we’ll hand him $30,000 in exchange for his hard drives, and then that will secure our files. I was telling — trying to tell him, no, that will not work. He’ll just make a copy of it. That’s ridiculous. They were not having it. They were saying, oh, well, this definitely seems like the best idea to me. I was like, no, no, please, no, don’t do that. I’m not sure if they actually did that in the end or if they realized that it was not gonna help their case.

JACK: Well, did they know that you had the hard drives full of stuff, too?

PROFESSOR DUBSTEP: Well, that’s the thing. Me, I didn’t download all the things. I’d pick and choose a couple of things here and there, but a lot of it was kind of just not so interesting.

JACK: The thing is, Professor Dubstep enjoyed listening to early dubstep tracks, but that wasn’t the driving motivation for all this.

PROFESSOR DUBSTEP: Personally, I’m not really a raving fan. I was just more interested in being able to break these things down and look at the production process ‘cause it could help me to learn how to make better music myself and see how it was being done, how the Billboard top 100 stuff was being made, and I could use that to help me create better things myself. It’s a valuable learning resource.

JACK: Hm, I feel like that’s a stretch, you know? You could go on YouTube and watch people making music and learn from them. You can hang out at groups and circles, other garage bands or whatever the case is and be like, how are you doing it? Oh, wow, that’s an interesting method. But you’re like, hm, I think I’ll hack into Diplo’s Dropbox to learn on my own. Thanks, I’m good. It’s quite a different path to learning.

PROFESSOR DUBSTEP: Yeah, I see your point, but at the same time, it’s kind of unprecedented that you can go into a project file and look at the entire start-to-finish process of it.

JACK: The entire project files were in these folders, all the effects, samples, everything that was used to make the song. See, most of this music is made in a DAW, a digital audio workstation. So, that might be tools like Ableton Live, Adobe Audition, or Pro Tools or something like that. These were the tools that you’d have to use to view how these songs were made, and Professor Dubstep had these tools to examine it all. Not only could they break apart the song, isolating tracks and sounds to see how it was composed, but there were different versions of the same song, too. They could see how the song evolved over time. What an amazing thing to explore for someone who wants to make electronic music as their career, to be able to study how the pros do it in such detail. You never get to see these behind-the-scenes bits. Even me as an up-and-coming podcaster, I would have loved to get my hands on the full project files for This American Life or some show that I was really inspired by. It would have been huge, and I bet it would have helped me understand the complexities and details of how all this gets put together. But not only that, but to see such a variety of songs and musicians’ project files — it really puts them in a unique position to have such a close and upfront understanding of how all this music was made.

PROFESSOR DUBSTEP: You have to know some in-depth music stuff already to be able to figure out what you’re even looking at. The fact that I’ve been able to look at all this and take some insight from it that can help me later on is basically invaluable. It’s priceless.

JACK: I just imagine Professor Dubstep in some music class where the teacher’s like, here’s the proper way to use this effect. They’re just like, uh, no, that’s not how Skrillex does it or Diplo or Major Lazer or Excision. Oh, yeah? Well, how do you know? Oh, never mind. Carry on. Anyway, it took them a lot of convincing, but they were finally able to get the legal team to fix all the problems.

PROFESSOR DUBSTEP: The end of 2016 was the final — called it quits and stopped doing all this hacking stuff, which — it’s not right to call it hacking, really. It’s not even on script-kiddie level. It’s just searching through things and using logic to try and figure out passwords. It’s not really like complex hacker stuff. It’s just — I don’t know a good word to use to describe it, but…

JACK: I’ve been thinking for a good word to use here this whole episode, myself. ‘Thief’ and ‘stealing’ isn’t quite right because the original copies are still there. I feel like for it to be stealing, you need to rob the person so they don’t have that thing anymore. If you post something online and someone makes a copy of it, that’s not stealing. That’s just downloading a copy. That’s what they did, often just downloading copies of things that had public links to it. Was it supposed to be public? No, but was it? Yes. So, the term I think that best describes this is exfiltration. They exfiltrated files that were not meant for public consumption but weren’t very well protected. To me, this has the right ring to it. Professor Dubstep, professional exfiltrator.

PROFESSOR DUBSTEP: But yeah, fast forward to 2019, and I’d just finished college. I did a music course at college. I had left all this stuff behind. It was all kind of calmed down. Nothing was leaking anymore. No accounts had been compromised. Well, not by me, anyway. I kind of thought, I’ll find out what the old people were doing in modern day. I had a chat with Shane. I had a small talk with Arnie. Shane was still going on with the stuff, from what I could gather. Arnie had moved away from doing it and he’d got — I think — I’m pretty sure he went to work for the FBI and got security clearance, top security clearance for something or other. Other people in the xTrill crew, some of them had got raided. Some of them had gone to join the military and things like that. Everyone had gone off to do different things apart from the one guy who had got in the most weird and awkward situation possible. Spintire had gone from being the seller and the leaker of so many hundreds of gigabytes of data — he’d gone from leaking these Skrillex demos and trading them to being on Skrillex’s production team himself.

JACK: Whoa.

PROFESSOR DUBSTEP: And was now technically Skrillex, because — yeah, and with that, Skrillex is one of the ones that is ghost written, ghost produced. He’s not real. He’s just a face, a brand.

JACK: So, you’re saying a lot of Skrillex’s music today is made by someone else and then Skrillex just puts their name on it.

PROFESSOR DUBSTEP: All of it.

JACK: All of it?

PROFESSOR DUBSTEP: Yeah, there’s a team of — in 2019, the team was at least five, six people putting together these songs, and that’s what it’s always been, really. Skrillex’s first release in 2009 and 2010, like Scary Monsters and Nice Sprites, his first EP, was ghost produced by Noisia to, well, quite a large extent. Maybe not entirely, but a large portion of his sounds over the years have come from other people putting it all together. So, yeah, this ghost producing runs deep in this scene. So many of the big players are fake.

JACK: Alright, I can’t find any article saying that Skrillex doesn’t make his own music. Musicians collaborate all the time with other musicians to make music. That is no surprise, but the allegation here is that these musicians aren’t crediting the people who helped make the song. So, while you think it was them who made it, it really wasn’t. Skrillex is known for being very hands-on with his music, but there are some well-known cases where other big-time musicians have been accused of taking someone else’s music and calling it their own without giving proper credit. So, this is known to happen. Honestly, I don’t know what to think of that. On one hand, if an EDM musician is just playing someone else’s music, that’s called being a DJ, and it’s a bit of a stretch to say you made this music. But on the other hand, what do I care if you really wrote this song or had someone else write it for you and you just put your name on it? The music is what matters. It’s fascinating to me, though, because I’m endlessly obsessed with the dark parts of the internet, and this digital underground is bustling with activity but with hushed tones, and it’s all right under our noses. It’s a world we rarely see, but sometimes hear.

(OUTRO): [OUTRO MUSIC] A big thank you to Professor Dubstep for sharing this story with us. This episode was made by me, the AI adventurer, Jack Rhysider. Our editor is the code conjurer, Tristan Ledger, mixing done by Proximity Sound, and our intro music is by the mysterious Breakmaster Cylinder. Ultra Miami, your circuits are about to be blown, because next up is an unreleased track by the legendary Breakmaster Cylinder. Overclock your headphones. Compile your grooves. It’s time to execute some killer dance moves. No lag. No latency. Tonight, we reach peak bandwidth. This is Darknet Diaries. [MUSIC]

[END OF RECORDING]

Transcription performed by LeahTranscribes