Huntress Labs ‘Shot Themselves In The Foot,’ Says Investigations Expert
“They’re experts in their field, but they don’t know anything about regular investigations. The fundamentals of regular investigations are you don’t lie.”
MSP threat detection provider Huntress Labs played a key role in the recent arrest of a hacker, but it got one critical detail wrong: the gender of the culprit.
Huntress in a blog post intentionally described the hacker who was attempting to sell access to an MSP's virtual servers as a woman.
As it turned out, the alleged hacker arrested for the crime was a man: 26-year-old Marquavious Britt of Augusta, Ga.
Retired Boston homicide sergeant detective Joseph MacDonald – who was part of the U.S. Attorney’s Office Organized Crime Strike Force, the Suffolk County District Attorney's Office of Special Investigations, as well as the Major Case Unit – now runs a private investigation and consulting practice. He said fabricating a detail without alerting the reader “destroys their credibility.”
“They just shot themselves in the foot,” MacDonald said. “That just kills them. They’re experts in their field, but they don’t know anything about regular investigations. The fundamentals of regular investigations are you don’t lie.”
Eugene O’Donnell, professor of police studies at the John Jay College of Criminal Justice in New York City, said a single mistake – deliberate or otherwise – in a security paper can undermine the entire report.
“There’s a point in the report that becomes a fiction,” he said. “I wouldn’t recommend someone do that. To do it nakedly with no attribution, no explanation, no asterisk. I don’t know who these people are, but as a reader I look for things that pop out as unverifiable or untrue, and untruthful information can be fatal to the overall report.”
MacDonald said in security, you don’t state what you don’t know.
“If you made that up, what else did you make up,” said MacDonald, who has testified in hundreds of criminal trials over his 28-year career. “That goes against the grain in legitimizing your investigation. Because what you are doing now is lying. And it destroys your credibility. They’re saying it’s a woman. They don’t even know if it’s a woman or a guy. You’re opening a door that doesn’t have to be opened.”
Huntress CEO Kyle Hanslovan admitted none of the researchers who worked on the project had any biographical information about the hacker. Nevertheless, the company decided to assign the cyber thief a female gender in an apparent attempt to dispel the stereotype that women aren't typically cybercriminals.
"Our team at Huntress purposefully personified this hacker as a business-savvy woman of (offensive) cybersecurity," he wrote, in a statement sent to CRN before news of Britt's arrest broke. "The truth is, we actually don’t know for sure. We personified this hacker as a woman for the sheer fact that there's not enough representation of women in the cybersecurity industry and that there are equally capable cyber criminals out there that are women."
Before the news of Britt's arrest was released, Hanslovan told CRN that security researchers were unable to get any information about the hacker’s gender during their limited interactions.
However, in the post where Huntress described its actions in thwarting a hacker with the screen name w0zniak, it repeatedly referred to the person as a woman.
"In a rare encounter, we found ourselves directly interacting with one of these cybercriminals," the company said in the post, authored by Annie Ballew, identified as security maven for Huntress Labs. The post later reads, "We’re looking at a businesswoman at work. She’s laying out her terms — establishing price, contact information, and evidence to build trust. But what type of businesswoman is she? What are her motivations? Is it all about just a quick payout, or is there more to her plans?"
The post is accompanied by a stock photograph of a woman with a laptop holding a credit card with the caption, "I'll take one MSP please!" intimating that a woman could also be the potential dark web buyer.
The hacker, who was offering to sell access to an MSP’s virtual private server, was tricked by Hanslovan into surrendering documents that were used to warn the MSP, later identified as Atlanta-based Chimera Technologies, and alert the FBI. That alert led authorities to the Jan. 17 arrest of Britt.
Hanslovan said he had no idea their information led to an arrest until Thursday, Feb. 6, two days after the Huntress post was published, when he got an email linking to a story in the Augusta (Ga.) Chronicle.
“I wish I had known it was a man,” Hanslovan told CRN the evening of Feb. 6. “At 2:47 today is when I learned it, when a special agent reached out to me. If I knew it was a man, I would have included it.”
The Huntress Labs post identifying the cybercriminal as a woman remained live as of Monday afternoon.