This Former Hacker Wants to Make the Internet a Better Place
Why is no one listening to the Seattle ex-spammer trying to shed light on the Web's vulnerabilities
By Drew Atkins
October 9, 2015
In The Sky Lounge bar of Tokyo’s Prince Park Tower, Rick Seely is winding down the day with a beer and some conversation. A longtime American expat nearing retirement age, Seely looks out at the megacity at dusk, the lights of nearby skyscrapers flickering on, Japan’s Eiffel Tower replica glowing orange. Rick is discussing the chances his son, Bryan, a young ex-Marine and increasingly famous hacker in Seattle, will be murdered.
“I always thought he’ll just disappear one day,” Rick says, sipping his Asahi lager. “Bryan will get the wrong people angry, and that’ll be it.” He stares out the windows, his expression not so much forlorn as accepting of a tough truth. “We’d never hear from him again. He’d be ‘disappeared’ by someone.”
With a big mustache and warm intelligence, Rick seems every bit the good dad. His concern is mixed with a deferential attitude, letting his boy make his own mistakes. This is the first time he’s discussed Bryan with someone outside the family, he says.
There are things he needs to get off his chest.
He can’t understand why Bryan commits federal crimes, the type that gets people put away for life. Why he willfully pisses off criminal enterprises and multimillion-dollar scam networks, one of which used to employ him. Bryan has an ex-wife, three kids and pays the bills through IT jobs and contracts. Why is he pulling the tails of tigers?
Rick and Bryan had a frigid relationship for many years, but it’s thawing. They talk more now, to the extent that Bryan—whom I had only met once at the time—connected us via email prior to my extended trip to Japan, in case I wanted to meet up with a local. But Bryan’s motives remain a mystery to his father.
Bryan’s former attorney, Bellevue-based Brian Muchinsky—who once said the federal government would have Bryan “dead to rights” on some serious crimes—would later say his client is simply a good guy out to expose wrongdoing. Muchinsky would, later still, revise his opinion, saying Bryan had scammed him out of money and was no longer his client.
Months later, I’m back in Seattle, talking to Bryan and presenting his father’s assessments and predictions for a possible “disappearance.” Bryan laughs, saying his father’s a really smart guy, and plays the “I’m just doing the right thing” card. But a few beers and persistent questions get him to reflect more deeply, and his motivation becomes clearer. To him, his work is a form of self-redemption—and a form of revenge.
The work of hackers is a distant thing to most people, with seemingly little effect on their day-to-day lives. It’s the province of virtuoso coders in hoodies. Money or personal information gets stolen. Governments steal secrets from enemies and allies.
Users of adulery-enabling service Ashley Madison find their names leaked online. That’s the long and short of it.
But there are other forms of hacking that inflict damage on thousands of small businesses on a daily basis. Bryan Seely would know. Between 2008 and 2010, he worked on this side of things, conducting what is known as “map spamming.” He says the recession drove him to it, eliminating his IT position at a law firm and leading him to become a scam operation’s technical architect. And for his attempts to make amends, he could get thrown in prison, or possibly worse.
To illustrate, let’s say you’re a locksmith with a small shop on the outskirts of a big city. If nearby customers Googled a locksmith service, yours wouldn’t often be the top result. Through a few relatively simple tricks, however, you manage to fabricate listings on Google, Yelp, yp.com (formerly Yellowpages.com) and other sites. You create fake businesses with specific addresses all over the region, using phone numbers that forward to your own. It doesn’t matter that there’s no storefront at these locations—locksmiths do most of their business remotely. Business owners can do this themselves with some light self-training, or by hiring someone like Seely.
Eventually, the calls pour in, and you need help answering them all. You set up a call center. You don’t have enough locksmiths to handle all the business, so you start selling leads to nearby competitors. If you’re ambitious, you buy some ads and hire someone to game the online search results even further, making your competitors less prominent through spammy bad reviews, flags and other tricks, and bumping up your own listings. If you’re especially ambitious, you start listing locations outside the city, region and state. There’s no real limit.
“By the time I stopped in 2010, we had 3,126 fake businesses listed around the country,” Seely says. He is describing his part in a scam—based in Southern California and run by a man he simply refers to as “Rob”—that remains in operation today, bringing in $10 million annually by Seely’s estimation. As evidence, he presents Excel spreadsheets of still-listed fake phone numbers, as well as thousands of fake online reviews that can be found on Yelp business listings across the country. Over the course of an hour, demonstrating fake listings and showing how they’re created, he backs up his claims with a great deal of thoroughness.
Seely’s listings were for auto-glass repair companies instead of locksmiths—no matter. Any business that offers a service—landscaping, garage door repair, locksmithing and so on—is fair game, he says. It’s not a technically advanced hack, but it’s lucrative.
According to the Washington State Department of Licensing, there are five licensed businesses in Seattle with “locksmith” in their business or trade name. The top result on Google, Fast Locksmith, is not one of them. A search for “locksmith” on yp.com yields more than 3,800 results in the city. When licensed companies like Broadway Locksmith are approached, the owners and staff respond eagerly with variations of “How long have you got to talk about this?”
“These scammers are so organized,” says Broadway Locksmith’s Bjorn Madsen. “They call us all the time, offering $20 leads. They have national phone banks and call centers. They pay Google and Yelp and buy out all their ad results. It’s a big, big problem for honest, licensed businesses.”
Citing a growing disgust with himself, Seely quit scamming in 2010, and went on to carve out a normal IT career in Seattle. Three years later, seemingly on a lark, he decided to check up on the state of map spamming. Rather than seeing an improvement in security by Google and others, he realized things had gotten worse. Much worse.
For a time after that, Seely became the epitome of a failed whistleblower. From late 2013 to early 2014, he harped at Google about the sort of issues he used to exploit, going so far as to reach out to individual project managers and engineers. No one at the company took him seriously, he says, rejecting his work as trivial spamming. Journalists and law enforcement agents met the issue with a similar disbelief. So, in a bid for attention, he resorted to drastic measures.
Creating fake listings is not the only thing semiskilled hackers can do on Google. They can also manipulate existing listings. They can change the hours of business, or even phone numbers and addresses. As Wired magazine reported last year, citing Seely’s work, these activities can be enough to bury a business. Fake listings on Google Maps are particularly pernicious because it is so widely used as a substitute phone directory. Imagine how many people locked out of their homes rely on a Google search to find a locksmith, for example. Seely says Google is extremely slow to respond to complaints by businesses whose listings have been manipulated, and every day that a company’s phone number remains incorrect can mean lost revenue.
To draw attention to the issue, in February 2014, Seely created two phone accounts, which he then attached to the Secret Service office in Washington, D.C., and the FBI field office in San Francisco. By manipulating search results, the new numbers became the default contact numbers for the two offices. He set up the numbers to forward calls to the actual agencies, only with the conversations now being recorded through an automated online system.
“I could’ve done this for every congressman, the White House, mayors, lawyers, banks, foreign embassies, you name it,” Seely says. “I could’ve recorded everything, and no one would’ve noticed for a long time, because the phone number I set up just forwards to the original. So everyone’s getting to the right destination. No one would think anything went wrong.”
The moment the hack went live and the calls started recording, Seely realized he was in over his head. He had wiretapped two major federal agencies, a serious crime. With each new call that was recorded, the hole got deeper. He contacted some former Marine buddies for advice, and they told him to turn himself in immediately. It was his only hope of avoiding jail time.
Walking into the Secret Service office in Seattle and informing agents there of his crime, he got roughly the same reaction he received from Google—a “stop wasting our time” attitude. Seely still fumes at the memory.
“For me to pull this off and them to roll their eyes, I just had to say, ‘Screw you. Pick up your phone and call your D.C. office right now,’” Seely says.
An agent did so, using the default number that came up in a Google search. Immediately after the agent’s call ended, Seely received a text on his phone, informing him of a new recording. He played both sides of the phone conversation back to the agents. “It was like magic. The look on their faces was like ‘Oh, shit. Kill it with fire. We need to kill this immediately.’”
The Secret Service read Seely his rights and locked him in an interrogation room for a while. They did not jail him, but could do so in the future. He says they simply demanded he immediately cease and desist his call-recording campaign.
“And when the Secret Service tells you to stop something or else,” Seely says, “you stop.”
But Seely never really stopped. The wiretapping ended, but he has continued poking at the federal government and scammers alike. He provided his recordings of FBI and Secret Service calls to the online news organization Gawker, and spoke to Seattle’s KOMO News about his accomplishment. Earlier this year, he created a verified business listing for “Edward’s Snow Den,” made to appear on Google Maps as if it were situated in the White House; and at a local TEDx conference, he gave a speech titled “Wiretapping the Secret Service Can Be Easy and Fun.” This was followed in July by the self-publication of Cyber Fraud: The Web of Lies, a book he cowrote with Muchinsky, his former attorney. In it, he lays out in explicit detail how search-engine scammers operate.
There is a certain braggadocio common to hacker circles, a narrow megalomania. For many hackers, there’s nothing better than proving themselves smarter than a system. They often can’t help but let others know about it. The difference is most hackers do this behind a veil of anonymity. Seely is zealous about putting his name and face out there, perceiving this self-publicity as necessary for his whistleblowing to have any effect.
But this approach has led to emailed death threats, says Seely, from people who don’t want their scam operations publicized. He showed us one example of an anonymously sent text: “When we find you, you are finished.” Upon the announcement of his book, both he and Muchinsky say, the Secret Service has taken a renewed interest in his case, and not in a good way. Muchinsky says the agency could “bring the pain” legally if it doesn’t like what it reads in it, or the book becomes a best seller.
To hear both of them tell it, the feds are saying Seely has had his fun and made his point, and it’s time to shut up already.
Seely says his work has caused Google to disable some, though not all, of the easiest exploitable flaws in its system. But given the fact that he’s a father of three, one a newborn, it might be difficult to understand what’s going through his head as he continues to pursue the issue.
Back in Japan, Rick Seely praises Bryan’s ex-wife for providing a steady home for the children as his son tilts at windmills. For the life of Rick Seely, Bryan’s continued campaign can’t seem anything but irresponsible.
Presented this assessment, Bryan says it’s hard to understand the impression being a scammer made on him. He started out of financial desperation, he says, not quite knowing what he was getting into. He blames this partially on “Rob,” the head of his former auto glass operation, who hired Bryan for his technical expertise. When he describes seeing Rob—whom he calls “one of the worst human beings on earth”—living in an Orange County mansion, raking in millions that would otherwise go to legitimate small businesses, he can’t help but simmer and curse. Rob’s success seems an ongoing injustice, subtly nagging at him like a splinter whenever he thinks about it. He wants to wipe it out.
But in the end, it’s not Rob’s fault that Seely gamed the system for more than two years. He knew what he was doing. No matter how irrational some of this redemption-seeking campaign may seem, it’s something he believes must continue if he’s to look at himself in the mirror.
“I was the bad guy for a while,” Seely says. “I really was, and I can’t forget that. We weren’t physically hurting people, but we were hurting them in other ways. I might’ve caused the breakup of families because a guy was so stressed from losing his business that he got divorced. Kids might be leading much worse lives because of what we did. This is all I know to do to make up for my mistakes.”
When I returned home from Tokyo, a curious note awaited me in my mailbox. It promoted a locksmith with the same address as my apartment building. Previously, I wouldn’t have thought twice about it. But, as Bryan Seely has shown, there’s a world of underground businesses out there, existing in name, fake address, and phone number only, invisible but numerous, lurking just an online search away.