From Secret Service to CISO: The Spy Who Hacks the Human Mind

The Real Talk:

  • How a Secret Service undercover operative spent three years meeting international cybercriminals in Thailand, Macau, and Dubai, and what those face-to-face meetings reveal about the way threat actors actually operate
  • Why nation-state attackers play an entirely different game than financially motivated cybercriminals (and why your defenses are probably only built for one of them)
  • The uncomfortable truth about your employees: they’re your greatest asset and your widest attack surface, and a sticky note on a windshield proves it

🔗 Ep 82 – Operation Carder Kaos: A Secret Service Operative’s Guide to the Human Threat

A Closer Look:

The Man Behind the Cover:

Richard LaTulip didn’t learn undercover tradecraft at a training academy. He learned it at Indiana University: drinking games, bar conversations, and reading the room. As a Secret Service operative who infiltrated international cybercrime networks during the birth of the underground economy, Richard had no playbook, no safe house, and no backup team with MP5s behind the door. His anonymity and believability were the only things standing between him and a very bad night in Macau. That same skill set now informs his work as Field CISO at Recorded Future.

Financially Motivated vs. Nation-State: Know Your Adversary:

Eric Brown, CISSP, pressed Richard on what organizations actually look like from the other side of the curtain, and the answer redraws the threat map entirely. Ransomware-as-a-service groups have HR departments, performance quotas, and a low barrier to entry. If your defenses are solid, they move on. Nation-state actors are an entirely different story. No ROI timelines. No quarterly reviews. They assemble surgical teams for specific objectives, crack the code, extract the intelligence, and disappear. SolarWinds wasn’t a smash-and-grab. It was a precision intelligence operation. Richard’s message to clients is simple: if a nation state is interested in what you hold, it’s a never-ending game.

The Parking Lot Gambit and Why Humans Always Bite:

Richard’s favorite example of social engineering isn’t a sophisticated phishing kit. It’s a handwritten note on a windshield. “I know what you did. If you don’t want your wife to find out, pay me 10 bitcoin.” People paid. Not because there was evidence against them, but because guilt and fear are universal human exploits. From the “I Love You” virus to the invisible body challenge malware campaign, the most effective attacks aren’t technical. They’re psychological. Scattered Spider doesn’t breach systems. It breaches people.

The CISO as Ambassador, Not Gatekeeper:

Richard’s prescription for transforming security from cost center to value center: break down the silos. Stop yelling requirements at finance, product, and engineering. Start understanding their goals and become a trusted ally. Jennifer Lotze echoed this from her time at CISA, pointing out that the organizations doing it right aren’t just running audits and shelving the results. They’re bringing everyone to the table, from HR to the help desk, and making security a shared cultural lift. Nick Mellem agreed, noting that tabletops done well don’t just test your IR plan. They expose the communication gaps nobody knew existed. When the business sees you as someone with their interests at heart, you gain advocates and the political capital to actually get things done. As Richard put it, you can’t get elected sitting in a basement, and you can’t run a business behind a locked-down network either.

Bottom Line:

The best social engineer in the room doesn’t always have the best technical skills. Sometimes they just know how to order a round of drinks and listen. Richard LaTulip spent years exploiting human psychology against international cybercriminals, and the playbook he developed is the same one threat actors are running against your organization right now. Education, culture, and cross-functional collaboration aren’t soft skills. They’re your hardest line of defense.

Tune into the full episode to hear Richard’s stories from Macau and Phuket, how Eastern European intelligence operatives used Facebook to extract classified intelligence from lonely Americans in rural North Dakota, and why the most dangerous thing your employees do isn’t clicking phishing links. It’s oversharing.

🔗 Ep 82 – Operation Carder Kaos: A Secret Service Operative’s Guide to the Human Threat

Listen wherever you get your podcasts – Subscribe to our YouTube channel to stay up to date on breaking cybersecurity news.

Learn more at www.itauditlabs.com

Richard’s book Operation Carder Kaos is available on Amazon and Routledge.
