🎙️
AIPodify
Shows

Darknet Diaries

These 8 Companies You've Never Heard Of Sell Your Personal Data to the Cops Ep. 162: Hieu

Guest: Hieu Minh NgoAugust 5, 2025
cybercrimedata privacydata brokershackingsql injectioncfaaidentity thefttax fraudmoney launderingdark webcybersecuritylaw enforcementvietnamus secret servicelegal systemprivacy laws
These 8 Companies You've Never Heard Of Sell Your Personal Data to the Cops 🚨 Ep. 162: Hieu

Episode Summary

AI-generated · Mar 2026

AI-generated summary — may contain inaccuracies. Not a substitute for the full episode or professional advice.

Hieu Minh Ngo, a Vietnamese hacker, shares his remarkable journey from a curious teenager stealing internet dial-up accounts to a sophisticated cybercriminal, and his eventual transformation into a cybercrime fighter. This episode delves into his ventures hacking e-commerce sites for credit card data, then building a "people search engine" that sold millions of US identities to other criminals. Host Jack Rhysider critically examines the controversial landscape of data brokers, questioning their pervasive, often hidden, collection and sale of personal data, and argues against the severe application of the Computer Fraud and Abuse Act (CFAA) in Hieu's case.

The episode details Hieu's early life in Vietnam, where he began hacking at 14 out of curiosity, progressing to stealing credit card information from vulnerable e-commerce websites and laundering money through online poker sites via "chip dumping" [12:42]. He sold Visa and Mastercard details for as little as "fifty cents for one information" due to the sheer volume he obtained [15:51]. After a close call with New Zealand police for buying concert tickets with stolen cards, Hieu was advised by other hackers that stealing US identities would be "safer" and less pursued by law enforcement [25:20]. This led him to target US data brokers.

Jack Rhysider provides an in-depth explanation of data brokers, revealing how they legally compile vast amounts of personal data from public records, social media, phone trackers, and purchasing histories, then sell it to law enforcement, marketers, and insurance companies [27:30]. Hieu successfully hacked into LocatePLUS and MicroBilt using techniques like SQL injection, file upload, and cross-site scripting, eventually impersonating a private investigator to gain official API access to Court Ventures, a data broker holding "almost 200 million US identity" records [34:46], [46:10]. His website, operating on the clear web, charged $1 per search, generating over $120,000 USD monthly while paying Court Ventures up to $35,000 USD, accumulating over $2.5 million in profit [47:11].

Hieu was eventually lured to Guam by the US Secret Service [60:57] and arrested, learning only later that his site facilitated "tax returns" fraud, causing over "$60 million USD" in damages to US citizens, particularly in New Hampshire [65:07], [66:10], [71:33]. Jack strongly critiques the CFAA, under which Hieu was charged for "unauthorized access" (violating terms of service) [67:15], comparing it to the Aaron Swartz case [69:21]. He highlights the irony of prosecuting Hieu for reselling data he paid for from data brokers who legally collect and sell identities, and notes that data brokers like Court Ventures and MicroBilt never publicly disclosed their breaches or notified affected individuals [79:03]. After serving seven years of a thirteen-year sentence, Hieu was released and now works for the Vietnamese government, fighting cybercrime and aiding victims, expressing deep remorse for his past actions [89:44], [90:45], [91:46].

Listeners will walk away with a stark awareness of the legal ambiguities and ethical concerns surrounding data brokering, the potential misapplication of cybercrime laws, and the profound implications for personal privacy in the digital age. The episode challenges the perception of who constitutes a "victim" or "criminal" in the complex world of data exploitation.

👤 Who Should Listen

  • Anyone concerned about digital privacy and the commercialization of their personal data.
  • Cybersecurity professionals interested in the history of darknet operations and data breaches.
  • Individuals wanting to understand the legal and ethical complexities surrounding data brokers and privacy laws.
  • Listeners interested in true crime stories involving international cyber fraud and the journey of a reformed hacker.
  • Those curious about the application and impact of the CFAA (Computer Fraud and Abuse Act) and its implications for online behavior.
  • Victims of identity theft or tax fraud seeking to understand how their data might be exploited and the systemic vulnerabilities involved.

🔑 Key Takeaways

  1. 1.Hieu Minh Ngo, a Vietnamese hacker, transitioned from stealing internet accounts and credit cards to building a "people search engine" that sold US citizens' personal data to cybercriminals on the clear web [38:54].
  2. 2.Hieu gained API access to data broker Court Ventures by impersonating a private investigator, which gave him access to "almost 200 million US identity" records, making over $2.5 million in profit from reselling searches [46:10], [47:11].
  3. 3.The US Secret Service lured Hieu to Guam and arrested him after discovering his site enabled criminals to commit "tax returns" fraud, causing over "$60 million USD" in damages, particularly in New Hampshire [60:57], [65:07], [66:10], [71:33].
  4. 4.Hieu was charged with three violations of the CFAA (Computer Fraud and Abuse Act) for "unauthorized access" by violating a data broker's terms of service, which host Jack Rhysider argues is an overly broad application of federal law [67:15], [68:18].
  5. 5.Data brokers legally collect vast amounts of personal data from public records, social media, phone trackers, and purchasing history, selling it to entities like law enforcement and marketers without widespread public knowledge or consent [27:30], [29:31], [32:39].
  6. 6.Jack Rhysider criticizes data brokers for their lack of transparency, failure to protect data from breaches (Hieu successfully hacked four companies), and not notifying victims when their data is compromised, despite operating legally [79:03], [86:27].
  7. 7.After serving seven years of a thirteen-year sentence, Hieu was released in 2020 and now works with the Vietnamese government, helping law enforcement catch cybercriminals and assisting scam victims, expressing remorse for his past actions [89:44], [90:45], [91:46].
  8. 8.The IRS annually loses "billions of dollars" to tax refund scams, highlighting a significant vulnerability in government financial systems that criminals exploit [67:15].

💡 Key Concepts Explained

Data Broker

Companies that gather vast amounts of information about individuals from various sources (public records, social media, phone trackers, purchasing history) and compile it into profiles to sell to other businesses, law enforcement, and government agencies [27:30]. This episode highlights their pervasive, often hidden, operations and the ethical dilemmas surrounding their legal status, as Hieu Minh Ngo exploited and later impersonated users of such services.

Computer Fraud and Abuse Act (CFAA)

A US federal law that criminalizes unauthorized access to computer systems [67:15]. The episode critiques its broad application, particularly how it's used to prosecute individuals for violating website terms of service, arguing it disproportionately punishes such actions as federal crimes rather than civil issues, referencing the tragic case of Aaron Swartz [69:21].

Chip Dumping

A money laundering technique where stolen funds are deposited into an online gambling account, and then the account owner intentionally loses hands to an accomplice's account at a poker table [13:46]. The accomplice then cashes out the "won" chips, effectively laundering the stolen money into legitimate cash, as Hieu and his partner did with stolen credit card funds.

Third-Party Doctrine

A legal principle in the US that states individuals have no reasonable expectation of privacy in information they voluntarily share with third parties, such as banks or app developers [30:34]. Law enforcement can often access this data without a warrant because it's considered "commercially available," bypassing Fourth Amendment protections against unreasonable searches and seizures.

⚡ Actionable Takeaways

  • Be skeptical of apps and websites that ask for excessive permissions, as they may be collecting and selling your real-time location and other private data to data brokers [28:31], [85:24].
  • Review your digital footprint and privacy settings on social media and other online accounts, as data brokers scrape this information from publicly available sources [27:30].
  • Understand the implications of the "third-party doctrine" on your data, recognizing that information shared with banks or other services might be accessible to the government without a warrant [30:34].
  • Advocate for stronger data privacy laws and reforms to acts like the CFAA, which can penalize terms-of-service violations with federal prison time [69:21].
  • Research data brokers mentioned in the episode (e.g., Merkle, LocatePLUS, MicroBilt, Court Ventures) to understand their data collection practices and potential impact on your privacy [33:40].

⏱ Timeline Breakdown

00:00Hieu Minh Ngo introduces himself and talks about starting hacking at 14-15 by stealing dial-up internet accounts.
01:04Jack explains 56k modems and Hieu's early internet theft, leading to a $5,000 bill for his father.
02:08Hieu is sent to Ho Chi Minh City, where he eventually discovers the dark web.
03:09Hieu studies computers and finds Vietnamese dark web forums in an internet cafe.
04:15Jack describes the dark web's allure to Hieu, with unregulated hacker forums and forbidden marketplaces.
05:18Hieu's early hacking was curiosity-driven, sharing techniques rather than seeking profit.
07:22Hieu becomes an admin on hacking forums and is approached by someone offering to pay for hacked data.
08:22Hieu starts hacking e-commerce websites after school, planting listeners to capture credit card details.
10:30Hieu describes using Google dorks and custom tools to find vulnerable PHP/ASP e-commerce sites.
11:32Hieu recalls his first successful hack on a UK electronics e-commerce site via SQL injection, finding a "gold mine" of credit card information.
12:42Hieu and his partner make $1,000 USD/day by using chip dumping on poker websites to launder stolen credit card money.
14:47Hieu finds databases with thousands of credit cards and begins selling them on underground forums for as little as "fifty cents" each.
17:57Hieu leaves high school and moves to New Zealand, attempting to reform and study computer science.
20:07Hieu resumes hacking in New Zealand, buying concert tickets with stolen cards and getting into trouble with local police.
23:12Hieu flees New Zealand back to Vietnam, facing parental disapproval for his actions.
25:20Old-school Vietnamese hackers advise Hieu to steal US identities, claiming it's safer and less targeted by law enforcement than credit cards.
27:30Hieu begins researching US data brokers to find personal identity information.
28:31Jack explains how data brokers collect data, including phone books, county records, social media, trackers, and purchasing history.
30:34Jack criticizes data brokers for exploiting the "third-party doctrine" to sell data to law enforcement without warrants.
33:40Jack names eight data broker companies most people haven't heard of: Merkle, LocatePLUS, LiveRamp, MicroBilt, Venntel, SafeGraph, X-Mode Social, Court Ventures.
34:46Hieu hacks into LocatePLUS and MicroBilt using SQL injection, file upload, and cross-site scripting vulnerabilities.
36:50Hieu obtains customer logins for law firms and uses them to query data broker platforms.
37:53Hieu builds a website charging $1 per search for US identity data, making $5,000 in the first week.
38:54Hieu used Liberty Reserve for payments and Vietnamese money mules to cash out.
39:54Hieu gets tired of the cat-and-mouse game with data brokers patching vulnerabilities.
40:56Hieu decides to impersonate a private investigator to get an official account with a data broker.
41:58Hieu phishes private investigators to obtain their licenses and credentials for impersonation.
43:00Hieu successfully impersonates a Michigan PI to get an official MicroBilt account, but it's eventually shut down.
43:01Hieu discovers Court Ventures, which provides API access to US identity data.
44:01Hieu impersonates a Singaporean private investigator to apply for a Court Ventures account and secures API access for "fourteen cents" per lookup.
46:10Hieu gains API access to "almost 200 million US identity" records through Court Ventures.
47:11Hieu's website makes over $120,000 USD/month, paying Court Ventures $20,000-$35,000 USD/month and profiting over $2.5 million.
48:16Jack discusses the "Irate Joe's" case, questioning who the real victim is when legal businesses are challenged.
51:22Jack highlights the irony that data brokers legally sell identities, but Hieu's resale for $1 is criminal, despite him being a paying customer.
52:26Hieu drops out of university due to his immense income.
53:26Hieu describes spending money on luxury cars and lavish lifestyle, lying to his parents about his wealth.
54:32Hieu admits he didn't care how clients used the stolen identities but suspected it was for impersonation or credit card fraud.
55:40In December 2011, Experian acquires Court Ventures.
56:46The Secret Service contacts Experian about Hieu, leading to the shutdown of his Court Ventures account.
57:47Hieu uses a stolen account for manual searches and tries to get his API access back, unknowingly communicating with the Secret Service.
58:51The Secret Service and Mark (a UK hacker who got caught) lure Hieu to Guam with promises of better API access.
60:57Hieu flies to Guam with his sister and is immediately escorted to US Customs and arrested.
61:59Hieu describes the shock of his arrest and being told, "We know everything about you."
62:59Hieu is jailed in Guam and then transferred to multiple US jails before his trial in New Hampshire.
64:00Hieu theorizes Brian Krebs' article and his own registration slip-ups led to his capture.
65:07Hieu learns in court that his data was primarily used for "tax returns" fraud, which was new information to him.
66:10Jack explains the tax refund scam and criticizes the IRS for losing billions to it annually.
67:15Hieu's charges are three CFAA violations for unauthorized access to a data broker (violating terms of service).
68:18Jack vehemently criticizes the CFAA's broad application, comparing it to Aaron Swartz's case and arguing it should be a civil issue.
70:26Jack questions why data brokers legally sell identities for 14 cents, but Hieu's resale for $1 is criminal.
71:33Prosecutors claim Hieu caused $60 million in damages, which Jack disputes, noting Hieu didn't commit the tax fraud directly.
72:35Jack highlights the absence of charges related to Hieu's credit card theft or concert ticket scams.
73:38Jack suggests aiding and abetting would be a more appropriate charge but less "guaranteed win" for the feds than CFAA.
74:43Jack notes the indictment names "Company A" (USInfoSearch) as the victim, linking it to Court Ventures.
76:55Hieu confirms no data broker companies testified against him.
77:56Hieu details spending "up to $700k" on lawyers.
79:03Jack criticizes data brokers (MicroBilt, LocatePLUS, Court Ventures) for not notifying their victims of data breaches.
80:03Hieu faces the reality of a 99% CFAA conviction rate and the possibility of 45 years in prison.
81:15Hieu accepts a plea deal and pleads guilty in 2015.
82:20Hieu states the government didn't want his money or assets, only him; he was sentenced to thirteen years but released early after seven years.
83:22Jack discusses data broker regulations requiring user vetting to prevent malicious use, but criminals still access data.
84:22Jack argues that if anyone could search data broker databases, people would be more private because they'd understand the risk.
86:27Jack questions data brokers' claims of privacy and security, given Hieu's breaches and other high-profile hacks like Equifax.
87:32Jack laments the hidden nature of data brokers and hopes privacy becomes "cool" again.
88:38Hieu learns Liberty Reserve was seized, losing over $300,000 USD that he had saved there.
89:44Hieu is released in 2020, still has over $50,000 USD and an apartment.
90:45Hieu works for the Vietnamese government's National Cyber Security Center (NCSC) and now focuses on cybercrime investigation, helping arrest over 200 criminals.
91:46Hieu expresses remorse for harming US citizens and works to help victims of scams and identity theft.
92:48Jack thanks Hieu and recommends "Means of Control" by Byron Tau.

Best of this topic

Best cybercrime episodes →Best data privacy episodes →Best data brokers episodes →Best hacking episodes →Best sql injection episodes →

💬 Notable Quotes

"We know about you. We know everything about you, maybe more than your family knows about you." [61:59]
"I feel like I owe a lot to the people, basically the people in the US. I — kinda like I hurt and harmed so many people’s lives, and I kinda always feel ashamed about it." [91:46]
"They say if you don’t pay for it, then you're the product. But what if you pay a data broker to look up your own data? What then, hm?" [92:48]
"I was on top of the world, and right now I was living in hell." [61:59]

More from this guest

Hieu Minh Ngo

All appearances →Best episodes →

📚 Books Mentioned

Means of Control by Byron Tau
Amazon →

Listen to Full Episode

▶ YouTube

📬 Get weekly summaries like this one

No spam. Unsubscribe anytime. By subscribing you agree to our Privacy Policy.

Continue Exploring

🎙️

More from Darknet Diaries

All episodes →

🏷️

More cybercrime episodes

Browse topic →

Best data privacy episodes

Ranked list →

🗂️

Browse all topics

Topic directory →

← All episodes of Darknet Diaries