MR. ROBOT HACKING WIKI

1. Smart Home / IoT Takeover (Susan Jacobs' House)

Darlene and fsociety compromise the entire smart home automation system of E Corp general counsel Susan Jacobs. They manipulate IoT devices to make the house uninhabitable, forcing Susan out so fsociety can use it as their base of operations.

• Thermostat Control: Setting extreme temperatures to make the house uncomfortable
• Audio System: Playing loud music at maximum volume at all hours
• Alarm System: Repeatedly triggering the security alarm
• Smart Shower: Manipulating water temperature controls
• Attack Vector: Compromised centralized home automation hub (Crestron/Control4-like system)
• Entry Point: Default credentials on IoT devices, UPnP/SSDP protocol exploitation

2. Femtocell Planning

Darlene begins planning the construction of a modified femtocell to intercept FBI cellular communications. This sets up the season's primary technical operation.

• Concept: Small cellular base station modified to act as a rogue cell tower
• Target: FBI agents' cellular phones at the E Corp field office
• Goal: Intercept calls, SMS, and data to monitor the FBI investigation

1. Ray's Dark Web Marketplace

Elliot discovers that Ray operates a dark web marketplace similar to Silk Road, running as a Tor hidden service. The marketplace facilitates illegal trade using cryptocurrency for payments and PGP for encrypted communications.

• Platform: Tor hidden service (.onion address)
• Payments: Bitcoin with tumbling/mixing for anonymity
• Communications: PGP/GPG encryption for buyer-seller messages
• Goods: Drugs, weapons, stolen data, human trafficking

2. Kernel Panic Concept

The episode title references a kernel panic -- an unrecoverable fatal error in the Unix/Linux kernel. When the kernel detects an internal error it cannot safely recover from, it halts the system to prevent data corruption. The equivalent in Windows is the Blue Screen of Death (BSOD).

• Causes: Hardware failure, corrupt kernel modules, driver bugs, out-of-memory conditions
• Diagnostic: dmesg, /var/log/kern.log, kernel crash dumps

1. Dark Web Site Migration

Elliot is coerced into migrating Ray's dark web marketplace to a new server. This involves database migration, web application deployment, and Tor hidden service reconfiguration.

2. Linux Single-User Mode (init 1)

The title references init 1, which boots Linux into single-user/rescue mode with root access and minimal services. This is a physical access attack vector -- anyone with console access can reboot into init 1 and gain root without a password.

1. Logic Bomb

A logic bomb is malicious code inserted into a system that remains dormant until specific trigger conditions are met (a date, time, user action, or system event). Unlike a virus or worm, it does not self-replicate -- it simply waits and executes.

2. Femtocell Construction

Darlene continues building the rogue femtocell for the FBI operation, using hardware and software components to create an IMSI catcher:

• Hardware: Commercial femtocell unit with custom firmware, SDR (Software Defined Radio)
• Software: OpenBTS, OsmocomBB, or YateBTS for GSM stack implementation
• IMSI Capture: Reads the International Mobile Subscriber Identity from target phones
• Principle: Phones connect to the strongest signal -- the rogue tower overpowers legitimate towers

1. AES Encryption & Cryptographic Concepts

The .aes extension references the Advanced Encryption Standard, the encryption algorithm at the core of the 5/9 hack. AES-256 is the strongest variant, using a 256-bit key with 14 rounds of substitution-permutation operations.

• AES-256-CBC: Cipher Block Chaining mode, requires IV (Initialization Vector)
• AES-256-GCM: Galois/Counter Mode, provides authenticated encryption (integrity + confidentiality)
• Key Space: 2^256 possible keys -- brute force is computationally infeasible

2. Master-Slave Database Architecture

The title references database replication architecture (now called primary-replica) where one node handles writes and others handle reads. Understanding this architecture is critical for attacking data at rest -- you must compromise all replicas.

1. Handshake Protocols

The episode explores various handshake mechanisms critical to network security:

• TCP Three-Way Handshake: SYN → SYN-ACK → ACK (connection establishment)
• TLS/SSL Handshake: Certificate exchange, key negotiation, cipher suite selection
• WPA Four-Way Handshake: The handshake that can be captured and cracked offline

2. Anonymous Tip to FBI (Ray's Dark Web Site)

Elliot anonymously reports Ray's dark web marketplace to law enforcement using privacy tools to prevent attribution:

• Tor Browser: Anonymous web access
• Guerrilla Mail / ProtonMail: Anonymous email services
• FBI De-anonymization: Network Investigative Techniques (NITs), traffic correlation, server exploitation

3. Prison Reveal

The revelation that Elliot has been in prison reframes all earlier hacking scenes. Ray was a corrupt prison official, and the "website migration" occurred on prison computers -- demonstrating that hacking can happen even in the most controlled environments.

1. PKCS#12 Certificate Files

The .p12 extension references the PKCS#12 format, which bundles a certificate with its private key in a password-protected container. Used for client authentication, code signing, and S/MIME email encryption.

2. Operational Security (OPSEC) Compartmentalization

With Elliot in prison, Darlene takes leadership of fsociety, applying strict compartmentalization -- each member knows only their specific task, not the full plan. This is a core OPSEC principle borrowed from intelligence tradecraft.

1. THE FBI FEMTOCELL + RUBBER DUCKY HACK (Season Centerpiece)

This is the most important hack of Season 2. Angela plants a modified femtocell and a USB Rubber Ducky inside the FBI's temporary field office at E Corp headquarters.

Phase 1: Femtocell Hardware Preparation

The commercial femtocell is reflashed with custom firmware to act as a rogue cellular base station (IMSI catcher). It mimics a legitimate cell tower with a stronger signal, forcing nearby phones to connect.

• Base Hardware: Verizon Network Extender or similar commercial femtocell
• Firmware: Custom build using OpenBTS/OsmocomBB GSM stack
• Signal Strength: Overpowers legitimate towers, forcing phone connections
• Capabilities: Voice call interception, SMS interception, data interception, location tracking

Phase 2: USB Rubber Ducky Payload

The Hak5 USB Rubber Ducky is programmed with a DuckyScript payload that opens a reverse shell on the FBI agent's Windows workstation. It executes in seconds, appearing as a normal USB drive.

Phase 3: Angela's Social Engineering

Angela gains physical access to the FBI floor using her E Corp employee credentials combined with social engineering techniques:

• Pretexting: Fabricating a legitimate reason to be on the FBI floor
• Tailgating: Following authorized FBI personnel through secured doors
• Confidence: Acting as if she belongs, using her E Corp badge for plausibility
• Timing: Executing during a narrow window of opportunity

Phase 4: Femtocell Deployment & Interception

Angela hides the femtocell device inside the FBI office. FBI agents' phones automatically connect to it because it presents the strongest signal. All cellular communications are now routed through fsociety's rogue infrastructure.

• Voice Calls: Recorded and forwarded to fsociety
• SMS Messages: Intercepted in real-time
• Mobile Data: Captured and analyzed
• Location Data: FBI agent locations tracked via cell tower triangulation

Phase 5: Network Compromise via Rubber Ducky

The Rubber Ducky's PowerShell payload provides a reverse shell into the FBI's network, granting fsociety access to investigation files, case evidence, and internal communications about the 5/9 hack.

1. Hidden Process Techniques

The episode explores process hiding -- techniques for concealing malicious processes from system monitoring tools:

• Kernel Rootkits: Hook system calls (sys_getdents) to filter process entries from /proc
• LD_PRELOAD Hijacking: Override shared library functions to hide process information
• DKOM (Direct Kernel Object Manipulation): Unlink process entries from the kernel's task list
• Process Hollowing: Spawn a legitimate process and replace its code with malicious code
• Process Doppelganging: Use NTFS transactions to load malicious code

2. FBI Hack Exploitation

fsociety begins actively exploiting the access gained through the femtocell and Rubber Ducky, exfiltrating FBI investigation data and monitoring agent communications in real-time.

1. Python for Offensive Security

Python is the primary scripting language for hacking in Mr. Robot. Key Python libraries used in offensive security:

• Scapy: Packet manipulation and network scanning
• Requests: HTTP library for web exploitation
• Paramiko: SSH protocol implementation
• Pwntools: CTF and binary exploitation framework
• Impacket: Network protocol implementation (SMB, MSRPC, Kerberos)

2. Encrypted Archives for Exfiltration

The .p7z extension references 7-Zip encrypted archives using AES-256, commonly used for secure data exfiltration:

3. Dark Army APT Operations

The Dark Army operates as a state-sponsored Advanced Persistent Threat (APT) with sophisticated capabilities:

• Zero-Day Exploits: Previously unknown vulnerabilities reserved for critical operations
• Supply Chain Attacks: Compromising trusted software/hardware providers
• Extreme OPSEC: Time-based operations, compartmentalization, elimination of compromised operatives

1. Stage 2 Revealed: UPS Firmware Attack

The season finale reveals that the 5/9 hack had a Stage 2 -- designed to physically destroy E Corp's paper backup records by compromising UPS (Uninterruptible Power Supply) firmware to cause battery thermal runaway and fires.

• Target: UPS systems with network management cards (APC, Eaton, CyberPower)
• Attack: Modified firmware overrides battery charging safety limits
• Effect: Overcharging lithium-ion batteries causes thermal runaway (swelling, fire, explosion)
• Goal: Destroy paper records E Corp is using to rebuild financial data

2. IT-to-OT Network Pivoting

The attack requires lateral movement from IT networks to OT (Operational Technology) networks that control the UPS systems. This is one of the most critical attack paths in modern ICS security.

• SCADA Protocols: Modbus, DNP3, BACnet -- often lack authentication
• Default Credentials: Many ICS devices ship with hardcoded or default passwords
• Air Gap Myth: OT networks are often not truly air-gapped from IT networks

1. UPS Firmware Manipulation (Stage 2 Core)

The core of Stage 2 is revealed: malware that modifies the firmware of UPS (Uninterruptible Power Supply) units in E Corp's paper record storage buildings. The attack targets battery charging circuitry to cause thermal runaway -- overcharging lithium-ion batteries until they overheat, swell, and catch fire.

• Attack Target: UPS network management cards (NMC) with web interfaces
• Firmware Modification: Override charging safety limits and temperature cutoffs
• Physical Effect: Thermal runaway in lithium-ion battery packs
• Goal: Building fires destroying paper records

2. Hardware Security Module (HSM) Access

Elliot tries to access E Corp's HSM (Hardware Security Module) to recover the encryption keys from the 5/9 hack. HSMs are tamper-resistant hardware devices used to manage cryptographic keys, performing encryption/decryption operations in a secure hardware environment.

• HSM Standards: FIPS 140-2 Level 3 or 4 certified
• Tamper Protection: Physical intrusion detection, key zeroization on tamper
• Vendors: Thales (nCipher), Gemalto, Utimaco

1. Reversing Stage 2 from Inside E Corp

Elliot, now working as an E Corp cybersecurity technician, attempts to patch the UPS firmware vulnerability from inside, deploying clean firmware updates without alerting the Dark Army.

• Challenge: Craft clean firmware image that reverses malicious modifications
• Method: Deploy through E Corp's management infrastructure
• Stealth: Must appear as routine maintenance, not remediation

2. Network Segmentation (IT vs OT)

E Corp's network architecture features segmentation between IT and OT networks. Elliot must navigate Active Directory permissions, change management procedures, and network boundaries to reach the UPS controllers.

3. Insider Threat: Tyrell as CTO

Tyrell Wellick is installed as E Corp's new CTO, providing the Dark Army with insider access at the executive level. This is privilege escalation via social position -- the most dangerous form of insider threat.

1. FBI Femtocell Setup

Building toward the FBI femtocell hack execution. The modified femtocell intercepts all cellular communications passing through it by acting as a rogue base station with a stronger signal than legitimate towers.

2. Darlene as Double Agent (HUMINT)

Darlene cooperates with the FBI as an informant while secretly feeding information to fsociety. This is classic HUMINT (Human Intelligence) tradecraft applied to cyber operations -- a double-agent operating across organizational boundaries.

• Burner Phones: Prepaid disposable phones for single-use communication
• Dead Drops: Pre-arranged locations for leaving/collecting information
• Compartmentalization: Each operative knows only their specific task

1. Metadata Surveillance

The FBI uses metadata analysis to track Dark Army operations. Phone metadata (call detail records, cell tower logs, timing patterns) reveals communication networks without accessing content.

• CDR (Call Detail Records): Who called whom, when, for how long
• Cell Tower Logs: Physical location of phones at specific times
• Pattern Analysis: Identifying relationships and meeting patterns

2. IDS/IPS Evasion - Living Off the Land

Elliot evades E Corp's Intrusion Detection Systems by using Living Off the Land (LOtL) techniques -- using legitimate system administration tools rather than known hacking tools, making his activities blend with normal operations.

• LOtL Tools: PowerShell, WMI, PsExec, native OS utilities
• Advantage: No malware signatures to detect; activities appear legitimate
• Evasion: Blends with normal admin traffic in IDS/SIEM logs

3. Whiterose's Long-Term Social Engineering of Angela

Whiterose manipulates Angela through deep psychological manipulation, targeting beliefs and emotional vulnerabilities. This represents the most advanced form of social engineering -- changing a target's fundamental worldview over an extended period.

1. Stage 2 Execution: UPS Thermal Runaway Attack

The UPS firmware exploit triggers, causing battery thermal runaway across not one but 71 E Corp buildings. The Dark Army expanded the attack from a single target to dozens, overwhelming Elliot's ability to stop it.

• Attack Chain: Compromised firmware → override charging safety limits → thermal runaway → fire/explosion
• Scale: 71 buildings simultaneously targeted
• Impact: Physical destruction of paper records and building infrastructure
• Casualties: The attack results in deaths -- the first time the hack has lethal consequences

2. Emergency Lateral Movement

Elliot races to issue emergency commands to halt the UPS firmware attack, pivoting through E Corp's network to reach OT systems controlling UPS units in remote buildings.

• Lateral Movement: Moving from compromised system to access others in the network
• Living Off the Land: Using legitimate admin tools and credentials
• Emergency Patching: Attempting to push firmware fixes to remote UPS controllers

3. Physical Security & SOC Response

The single-take format showcases physical security measures (badge access, security guards, locked server rooms) and real-time Security Operations Center (SOC) incident response, with analysts reviewing alerts and logs as the attack unfolds.

1. False Flag Attribution

The Dark Army stages evidence to make the 71-building attack appear to be state-sponsored by Iran. False flag operations in cyber warfare involve planting misleading evidence to misdirect attribution.

• Planted Evidence: Foreign-language strings in malware code
• Infrastructure Mimicry: Using IP addresses/infrastructure associated with Iranian APT groups
• TTP Imitation: Mimicking Tactics, Techniques, and Procedures of known Iranian groups
• Compilation Timestamps: Setting timestamps to match Iranian business hours

2. Digital Forensics Investigation

The FBI conducts forensic analysis of the compromised UPS controllers:

• Forensic Disk Imaging: Bit-for-bit copies of compromised firmware/storage
• Firmware Analysis: Reverse engineering modified firmware binaries
• Chain of Custody: Maintaining legal admissibility of digital evidence
• Attribution Challenges: Distinguishing real IOCs from planted false flags

3. Evidence Destruction

Characters destroy digital evidence linking them to Stage 2:

1. FBI Femtocell Hack Execution

The femtocell attack against the FBI reaches full operational capability. The modified femtocell inside the FBI field office intercepts all cellular communications:

• Hardware: Modified consumer femtocell + USRP (Universal Software Radio Peripheral) SDR
• Software: OpenBTS or OsmocomBB for GSM/3G stack
• Capture Tool: Wireshark for traffic capture and analysis
• Interception: Voice calls, SMS, mobile data, location data

2. SS7 Protocol Exploitation

The femtocell leverages weaknesses in SS7 (Signaling System 7), the protocol suite governing global telecommunications. SS7 was designed in the 1970s with no authentication, allowing anyone with network access to intercept calls and SMS.

• Call Interception: Redirect calls through attacker infrastructure
• SMS Interception: Read SMS messages in transit (including 2FA codes)
• Location Tracking: Query subscriber location in real-time
• Call Forwarding: Silently redirect calls without user knowledge

1. Linux Kernel Module Rootkits (.ko)

The .ko extension references Linux kernel object files -- loadable kernel modules. A malicious .ko file operates at the deepest OS level:

• Syscall Hooking: Intercept system calls to hide files, processes, and network connections
• DKOM: Directly manipulate kernel data structures
• Keylogging: Capture keystrokes at the kernel level
• Persistence: Survive reboots if installed in /etc/modules or initramfs

2. Data Recovery & File Carving

The "don't delete me" title references data recovery -- deleted files can often be recovered because deletion only removes filesystem pointers, not the actual data on disk.

• Autopsy / Sleuth Kit: Open-source digital forensics platform
• PhotoRec: File carving tool that recovers files based on headers/signatures
• Scalpel: High-performance file carver
• extundelete: Recover deleted files from ext3/ext4 filesystems

1. BitTorrent for Mass Data Distribution

The .torrent extension references the BitTorrent protocol for decentralized file distribution. Once data is seeded across the P2P network, it becomes nearly impossible to remove.

• Mechanism: Files split into pieces, distributed across peers
• Resilience: No central server; removal requires taking down all seeders
• Anonymity: Magnet links require no tracker; DHT provides decentralized discovery

2. Reversing 5/9 Encryption & Key Recovery

Elliot works to recover E Corp's encryption keys using Shamir's Secret Sharing -- a cryptographic scheme that splits a secret into parts where a minimum threshold of parts is needed to reconstruct it.

• Shamir's Secret Sharing: (k, n) threshold scheme -- need k of n shares to reconstruct
• HSM Key Recovery: Accessing backup key material from Hardware Security Modules
• Key Fragments: Distributed across multiple secure locations

3. NetFlow Traffic Analysis

FBI conducts NetFlow analysis to trace Dark Army communications by examining network flow metadata:

• NetFlow: Cisco protocol recording source/destination IPs, ports, protocols, bytes transferred
• Correlation: Matching timestamps and packet sizes to de-anonymize traffic
• Pattern Recognition: Identifying communication patterns despite encryption

1. Reversing the 5/9 Hack

Elliot successfully ships E Corp's encryption keys to reverse the original hack. The challenge of PKI (Public Key Infrastructure) key distribution at scale -- distributing decryption keys securely to thousands of systems.

2. Femtocell Data Exfiltration via DNS Tunneling

Data captured by the femtocell is exfiltrated using DNS tunneling -- encoding data within DNS queries and responses to bypass firewalls and content filters.

3. Supply Chain Attack Concepts

The season reveals that the entire attack chain relied on supply chain compromise -- the UPS firmware was intercepted and modified during the update/deployment pipeline.

1. Virtual Machine Detection & Sandbox Evasion

Elliot discovers a target system is running inside a virtual machine. VM detection is critical for malware that needs to evade sandbox analysis and for attackers identifying honeypots.

• MAC Address Prefixes: VMware (00:0C:29, 00:50:56), VirtualBox (08:00:27)
• Process Checks: vmtoolsd, vmwaretray, VBoxService.exe, VBoxTray.exe
• Registry Keys: HKLM\SOFTWARE\VMware, HKLM\SOFTWARE\Oracle\VirtualBox
• CPUID: Hypervisor bit check via CPUID instruction
• WMI Queries: Win32_ComputerSystem model containing "VIRTUAL" or "VMWARE"
• Tool: Pafish (Paranoid Fish) -- automated sandbox/VM detection

2. OSINT on Deus Group Members

Elliot performs open-source intelligence gathering on Deus Group members, including financial records analysis, social media profiling, and network mapping of relationships between the world's most powerful individuals.

1. Targeting Cyprus National Bank

Elliot targets the offshore banking infrastructure used by the Deus Group, performing reconnaissance on SWIFT network infrastructure -- the global system used for international wire transfers between banks.

• SWIFT: Society for Worldwide Interbank Financial Telecommunication
• Attack Surface: SWIFT Alliance Access terminals in bank networks
• Recon: Mapping financial routing, identifying target accounts

2. Social Engineering of Bank Employees

Pretexting -- creating fabricated scenarios to extract information from bank staff about internal procedures, account structures, and security protocols.

1. Firmware-Level Rootkits (UEFI/BIOS)

Discussion of firmware-level compromise where malware is embedded below the OS layer, surviving OS reinstalls and disk wipes.

• UEFI Rootkits: Persist in motherboard firmware (SPI flash)
• Survival: Cannot be removed by OS reinstall, disk format, or drive replacement
• Detection: Requires firmware integrity checking tools

2. USB Keystroke Injection

The USB Rubber Ducky returns as a physical access attack vector, executing pre-programmed keystroke payloads when plugged into a target system.

1. Lateral Movement Techniques

Advanced lateral movement through compromised networks using Windows domain attack tools:

2. SIM Swapping

SIM swapping involves social engineering a mobile carrier employee to transfer a victim's phone number to an attacker-controlled SIM card, enabling interception of calls, SMS, and 2FA codes.

• Vector: Social engineering carrier call center employees
• Impact: Takeover of phone number, interception of 2FA SMS codes
• Targets: High-value individuals with cryptocurrency, banking access

1. Physical Penetration of Virtual Realty Data Center

The famous near-silent episode follows Elliot and Darlene breaking into a secure server facility in real-time. This is one of the most technically detailed physical penetration testing sequences in television.

2. RFID/NFC Badge Cloning

Access badges are cloned using specialized hardware:

• Proxmark3: Advanced RFID research tool for cloning HID iClass, MIFARE, EM4100 cards
• ACR122U: NFC reader/writer for MIFARE and NFC tags
• Attack Range: Some readers can capture badge data from several feet away
• Write: Clone captured credentials to blank cards

3. Lock Picking

Physical bypass of door locks using professional lockpicking tools: tension wrenches, pick sets, bypass tools. Standard practice in professional red team engagements.

4. Network Tap Installation

Installing a passive network tap to intercept traffic without detection:

• Throwing Star LAN Tap: Passive ethernet tap that requires no power
• Inline Tap: More sophisticated tap that can capture full-duplex traffic
• Advantage: Passive taps are undetectable by network monitoring (no MAC address, no power draw)

5. Boot from External Media

Bypassing OS authentication by booting from a USB drive containing a live Linux distribution (Kali Linux), providing direct access to the filesystem without needing the installed OS password.

6. Security Camera Avoidance

Mapping camera coverage and timing movements to exploit blind spots. Physical pentesters observe camera rotation patterns, identify dead zones, and coordinate movement accordingly.

1. FBI Surveillance Evasion

Counter-surveillance techniques to detect and evade FBI monitoring:

• Tail Detection: Identifying physical surveillance teams through route changes
• GPS Tracker Detection: Sweeping vehicles for planted tracking devices
• RF Sweeping: Detecting hidden listening devices and transmitters
• Device Hardening: Removing batteries from phones, using Faraday bags

2. Log Analysis & SIEM

Forensic log analysis using enterprise tools:

• Splunk: Enterprise log aggregation and analysis
• ELK Stack: Elasticsearch + Logstash + Kibana for log processing
• Windows Event Logs: Security, System, Application logs
• Syslog: Centralized Unix/Linux logging

1. Proxy Chains & Traffic Obfuscation

Using multiple proxy servers to hide traffic origin:

2. IP Camera Default Credentials

Surveillance cameras compromised via default credentials -- a pervasive vulnerability in CCTV systems. Many IP cameras ship with admin/admin or similar defaults that are never changed.

1. Email Header Analysis

Tracing email origins by analyzing email headers:

• Received Fields: Show the path through mail servers (read bottom to top)
• X-Originating-IP: Reveals sender's original IP address
• Message-ID: Can reveal server information and domain
• SPF/DKIM/DMARC: Email authentication records for spoofing detection

2. Encrypted File Systems & Hidden Volumes

Using encrypted volumes with plausible deniability:

• VeraCrypt: Full-disk encryption with hidden volume support
• LUKS: Linux Unified Key Setup for disk encryption
• Hidden Volumes: A second encrypted volume hidden within the first -- even under coercion, the existence of the hidden volume cannot be proven

THE DEUS GROUP HACK -- Complete Multi-Stage Attack Chain

This is the centerpiece hack of Season 4 and arguably the entire series. Elliot and Darlene execute a coordinated attack to drain the bank accounts of every member of the Deus Group during their meeting.

Phase 1: OSINT & Target Enumeration

Identifying every Deus Group member and mapping their financial infrastructure:

• Financial Records: Cross-referencing leaked data, OSINT, and gathered intelligence
• Account Mapping: Identifying all bank accounts, shell companies, and trusts
• Target Bank: Cyprus National Bank identified as central financial node

Phase 2: Cyprus National Bank SWIFT Compromise

Compromising the banking infrastructure that holds the Deus Group's money by targeting SWIFT messaging terminals:

• Target: SWIFT Alliance Access software on bank workstations
• Method: Network compromise + SWIFT terminal access
• Capability: Issue unauthorized wire transfer orders

Phase 3: Man-in-the-Middle on Financial Transactions

Real-time interception and modification of banking transactions, redirecting wire transfers to accounts controlled by Elliot.

Phase 4: Vishing (Voice Phishing) of Bank Staff

Darlene makes phone calls impersonating authority figures to manipulate bank staff into authorizing transactions. Uses knowledge of internal bank procedures to appear legitimate.

Phase 5: 2FA Bypass via SS7/SMS Interception

Bypassing two-factor authentication by intercepting SMS verification codes:

• SS7 Exploitation: Exploiting telecom signaling protocol to intercept SMS
• SIM Swapping: Alternative method to hijack phone numbers
• Result: Complete bypass of SMS-based 2FA security

Phase 6: Cryptocurrency Laundering

Redirecting stolen funds through cryptocurrency to obscure the money trail:

• Bitcoin Tumblers/Mixers: Break the transaction link between source and destination
• Monero (XMR): Privacy-focused cryptocurrency with built-in obfuscation
• Multi-Sig Wallets: Requiring multiple keys for fund access

1. Automated Wealth Redistribution

Automated scripts distribute stolen Deus Group funds to millions of bank accounts worldwide. The scale of the operation is unprecedented -- a Robin Hood-style wealth redistribution via code.

2. Comprehensive Anti-Forensics

Covering all tracks after the hack:

1. Whiterose's Machine & Industrial Control Systems

The Washington Township power plant houses Whiterose's mysterious machine, controlled by large-scale industrial control systems -- the same class of systems targeted by Stuxnet.

2. Air-Gapped Network Breach

Attempting to access systems that are physically isolated from the internet:

• USB Bridging: Using removable media to cross the air gap
• TEMPEST: Capturing electromagnetic emanations from computer hardware
• Acoustic Side-Channel: Extracting data via audio signals from hardware
• Social Engineering: Convincing someone with physical access to bridge the gap

1. The whoami Command

The episode's title references one of the first commands run after gaining access to a system -- determining who you are and what privileges you have:

2. Identity & Access Management Themes

This deeply psychological episode uses computing metaphors -- processes, identities, access controls -- to explore Elliot's dissociative identity. The "precondition failed" represents the failure of Elliot's constructed reality to meet the requirements of truth.

1. Whiterose's Machine -- Nuclear Facility ICS

Elliot must disable Whiterose's machine before it causes a nuclear meltdown. He interfaces with the facility's industrial control systems to execute an emergency SCRAM (Safety Control Rod Axe Man) -- the emergency shutdown procedure for a nuclear reactor.

2. Malware Kill Switch

Deploying a kill switch to neutralize rogue code controlling the facility.

3. Post-Exploitation Cleanup & Series Conclusion

After the Deus Group hack succeeds, the stolen funds remain distributed due to blockchain immutability -- confirmed cryptocurrency transactions cannot be reversed. The series concludes with computing metaphors: Elliot's consciousness as a running process, the "Hello, Elliot" as a callback to "Hello, Friend" -- a system reboot of identity.