antihero 1 day ago

Couldn't literally all of this just be a bunch of misdirection?

mikeyouse 1 day ago

In theory, sure, in reality it's almost always much more benign and they have terrible opsec over time that allows people to piece together their identity. Especially if they reuse usernames across services.

JohnMakin 1 day ago

It's always crappy opsec that gets people otherwise very savvy.

raffraffraff 1 day ago

Kinda like how the big mastermind criminals like Capone get away with murder and racketeering but get fucked on tax evasion.

Reading this guy's posts, his ego is the biggest issue, and it will be his downfall. The "I literally can't get caught" mentality inevitably leads to carelessness and blabbermouthing.

kortilla 1 day ago

That’s a little different. It wasn’t that Capone couldn’t handle taxes, it was that until that point nobody used it as a serious mechanism to take down criminals. It was only validated as a good approach by the Supreme Court a few years before. In fact, one of the primary pieces of evidence of his tax evasion was communications from his lawyer about how much tax to pay to make his tax history legit in light of the recent effectiveness of tax convictions.

Now major criminals launder money to avoid that.

bitnasty 11 hours ago

Maybe he “can’t get caught” because he is state-sanctioned.

brcmthrowaway 16 hours ago

It appears the government at times invents laws so they can go after criminal gangs (see RICO).

duxup 1 day ago

I feel like leaving a bunch of misdirection would also risk potentially just leaving real traces behind in some ways.

At least in my mind leaving some false trails behind, when I run through scenarios, seems like it could leave actual trails / to the point of not being worth the extra risk.

brookst 1 day ago

Yeah. If you have a choice of giving an adversary no information or false information, no information seems safer. The choice of false information is information. Same way that people are terrible at picking random numbers and fraudsters are often caught because they avoid round numbers.

antihero 1 day ago

It would make sense if doing something illegal to do the former, but also leave "slip ups" that are complete red herrings, create trails to people that seem like opsec fails but are actually just framing others, etc.

All about plausible deniability. Layers and layers and layers of dead ends that seem real.

In this way, if you do actually slip up, it becomes near impossible to distinguish the real slip-ups from the orchestrated ones.

brookst 23 hours ago

The problem is that false “slip ups” provide information. Sure, you waste investigators’ time, but once they rule out the false lead they have a bunch of information:

- If the false slip-up used only public information, you likely don’t have access to confidential information about that space. If it used confidential information, you do.

- The geography and demographics of the false lead are probably not near-misses. The point of misdirection is to misdirect, so you likely won’t frame a coworker that will bring investigators to your own door.

- Any mistakes in the false slip-up, from spelling to factual to timing, may reveal info.

IMO this is a “too clever by half” scenario: leaving any trace at all is information. Leaving none is wiser.

Example: you’re a master hacker. You’re going to repeatedly access a compromised system. Is it better to set an alarm for 3am each time to suggest you’re in a different time zone, or to use an RNG to choose an alarm time?

I say the RNG is better. Using 3am gives psychographics. With random, it isn’t clear if there’s any planning at all, or if you travel, etc.