CSI: Cyber (2015) s01e12 Episode Script
Bit By Bit
My name is Avery Ryan.
I was a victim of cyber crime.
Like you, I posted on social media, checked my bank account balance online, even kept the confidential files of my psychological practice on my computer.
Then I was hacked, and as a result, one of my patients was murdered.
My investigation into her death led me to the FBI, where I joined a team of cyber experts to wage a war against a new breed of criminal hiding on the Deep Web infiltrating our daily lives in ways we never imagined faceless nameless lurking inside our devices, just a keystroke away.
Danny It's all right.
It's Come come join me and your brother.
Good evening, Detroit.
This is your eye in the sky.
It appears a portion of the downtown area is experiencing a power outage.
Traffic in the area is at an absolute standstill.
Police are on the scene to manage any outbreaks of violence or looting.
However, thus far, only a handful of minor incidents have been reported.
I've got 25 blocks of downtown Detroit in the dark.
Backup systems are completely unresponsive.
You guys sure this is a case for the FBI? We're FBI Cyber, this is exactly our kind of case.
From what we can tell, you're experiencing a cyber intrusion.
Your power grid's been hacked.
We just got an update from Detroit River Electric, and they're still working on the power outage in the downtown area.
Uh The smart grid allows for complete control of the city's entire power supply from this room.
Right now, someone else is in control.
SCADA systems like this should be impenetrable.
But someone remotely hacked in, then locked out every computer here by erasing the startup disk.
Even if you two successfully recover the disk and reboot the system, you'll still have to counter-hack the target to get the power back on.
Yeah, we're halfway there already.
The odd thing about all this is the blackout affects only 25 blocks.
When I hacked the New Hampshire grid, I took out the whole state.
Oh, so we bragging now? No, no.
Raven's asking the right question.
Why limit this power outage to such a focused area? A hacker's objective is usually to affect as many people as possible.
This was a precision attack.
There will be another phase to this outage.
He's using the SCADA attack as camouflage.
The faster we get those lights on, the sooner we will uncover what our target's true intensions are.
Really? The whole state of New Hampshire, huh? I wanted a three-day weekend.
- Hey, by the way - Yo.
happy two-month anniversary.
We dating? No, stupid.
Two months at the Cyber Crime Division.
You're officially in the family.
Don't mess up.
I want you to stick around.
Got a live feed to the Emergency Operation Bureau's incident map.
The blackout is affecting the central hub of the city, both the government and the financial districts.
Our target could be looking to hit the federal building, district court, city jail, baseball stadium, three banks or countless privately owned businesses.
Power outage is a great way to disable security alarms.
There are several incidents of traffic gridlock.
Whatever our hacker's doing, he's gonna want to make a getaway.
So let's focus on the buildings on the fringe of the blacked out area of the city.
Locations still in the dark, but where the target won't get caught in the traffic jam caused by the blackout while trying to flee.
And let's rule out any area that borders the rail line.
It's a bad idea to cross the tracks and risk getting trapped behind a closed train crossing.
Hey, guys, we're back online! We're back in control, but the lights still aren't on.
Yeah, that's gonna take a minute.
Our hacker's still active in the system.
Raven's writing a patch to seal the intrusion.
Wait a minute.
If he's still active in the system, that means he needs to maintain a live connection to the power station for some reason.
Nelson, can you inject malicious code into Raven's patch? Infiltrate his laptop before you boot him off.
Tag him so we can track him.
If he uses that computer again, we'll know where he is.
We may get a location and possibly his identity.
I want that power on and that hacker in handcuffs.
You got it boss.
I'm on it.
Yeah, Pa, power's still out.
I'm just gonna check out the store.
Hey! Who the hell are you?! Police responded to the security alarm, found the store owner's son, Benjamin Christos, shot dead.
Single father, two children.
Was he here when the power went out, Detective Dorn? Store wasn't open today.
We figured he came to protect the property against possible looters interrupted the robbery.
It's an auto safe dialer.
It cycles through every possible combination till it lands on the right one.
All the thief needed was time.
Explains why the computer maintained a live connection to the power grid.
Had to ensure that the lights and the alarm systems stayed off.
Looks like the power outage was masking a jewelry store robbery.
Well, what did they take? From what we can tell, the thief left empty-handed.
We do know most of the jewelry's on consignment.
- The Christos don't own it.
- That computer It was in the vault when first responders arrived.
Why lock a computer in a vault? Well, there's one way to find out.
Somebody went to all this trouble they even killed a man to leave with absolutely nothing? I'm not buying it.
All right.
No modem installed, no way to connect to the Internet.
There's only one thing on it.
A bitcoin account with a zero balance.
This wasn't a jewel heist.
This was a bitcoin heist.
Ben came down to check on the store.
The blackout I should've come with him.
But he talked me out of it.
There was a computer in the vault.
It's the bitcoin computer.
Benjamin's idea.
I really don't understand it.
But he was so passionate.
He said bitcoin was the currency of the future.
Ben was taking over the family business, and I promised I would trust his judgment.
But now my son was killed over over this this imaginary currency? Do you know how many bitcoins you had? Almost half a million dollars' worth.
Most of our retirement.
In order to access and steal your bitcoin, the thief would have needed the passkey to your account.
And it was stored on the computer in the vault.
Who else knew it was there? Ellis, no.
He wouldn't.
Stephen.
Our oldest son.
He was supposed to take over the business, but Ben had so much more ambition.
Drive.
I-I begged them both to run it together, but the boys didn't see eye to eye.
Thank you both.
We'll be in touch.
Bad blood between brothers.
Half a million dollars at stake.
And Stephen would have known that taking the bitcoin over the jewelry was hassle-free.
Transfer it from one account to another, it's well, almost untraceable.
No serial numbers.
Nothing to fence.
Sounds like we have to have a little chat with Stephen Christos.
Yeah.
When the power came back on, so did the jewelry store's security camera.
Is this Stephen? No.
I have never seen that man before in my life.
Is this the man who murdered our son? Took our grandchildren's father from them? Now we have a face.
We just need a name.
So, no luck identifying our bitcoin thief, huh? No, sir.
Ran the facial recognition.
Big dead end.
Guy's not in the FBI database.
But the bitcoins have provided an interesting lead.
The biggest misconception about bitcoins is that it's anonymous.
I mean, that's why it's the preferred currency of the Deep Web.
It's used to fund drug deals, hit men, human trafficking, but it's not actually that anonymous.
Is this a bitcoin lecture or did you make an actually discovery here? Oh, right.
Sorry.
I accessed the block chain, which is a public ledger that records every bitcoin spent.
Every cent's accounted for where it came from and where it went.
And each transaction is listed as a long sequence of randomized numbers.
Ah.
So you can't tie it to a person, but you can tie it to an account, right? So, it's like a stock market transaction.
I mean, you can see somebody bought You just don't know who.
Exactly! But if you know the amount that you're looking for, you can find any bitcoin transaction that's ever been made.
Even when it's stolen, there is a record of the bitcoin movement.
All you need is the amount, date and time.
So, this is last night's robbery.
What we're looking at is our thief"s bitcoin account.
As of today, worth just shy of 500,000 U.
S.
Dollars.
Now, of course, the bitcoin market fluctuates so dramatically that this many bitcoins could very be easily be worth over a million dollars in the very near future.
Explains why someone went to such lengths to steal it.
Mm-hmm.
So, what digital dust can we follow here to catch our thief? Well, every bitcoin account is protected by a 64-character passkey.
And if you have the passkey, you can unlock the account.
And whoever has the passkey to this account is probably our killer.
Well, that's odd.
Our thief"s bitcoin account is protected by two passkeys.
Typically, it's just the one.
Yeah, it's like a safe deposit box.
It requires two keys to open it.
Which might just imply our bitcoin thief has an accomplice.
Hey, guys! The malicious track worked.
I pinpointed the exact location of the bitcoin thief"s computer.
This is Agent Elijah Mundo.
I need a SWAT team at 5280 Clinton Place.
- Clear! - Well, there's our thief.
Looks like we're not the only ones interested in stolen bitcoins.
All right.
Thanks, bud.
All right.
Krumitz ran the name we got off the victim's I.
D.
We are looking at the infamous Brian Kramer.
Apparently he made a living robbing large bitcoin accounts he found on the block chain.
This was his fifth.
Tracked charitable contributions from bitcoin accounts to find his targets.
Laceration of the throat looks like C.
O.
D.
He bled out, but over here, it looks like our victim was sliced open.
And patched up multiple times.
He was tortured.
Closed the wounds with Super Glue.
Battlefield first aid.
It's commonly used by people with military training.
Torture the victim and patch him up.
Keep him live long enough to talk.
Detroit PD is still trying to locate Stephen Christos.
Hasn't answered calls from his family.
We can't wait this out.
Track his cell phone.
Get a GPS location on him.
Okay, got it.
Hard drive's been removed.
Whoever did that to him was definitely after the stolen bitcoins.
If they had the hard drive, why torture him? 'Cause the passkey wasn't on the hard drive.
Door was barricaded by the dresser.
Bought our victim a little time.
Long enough for our thief to take the passkey out of the computer.
Bad guy breaks through the door.
Tries to access the bitcoin account, he can't.
Tortures the thief - for the passkey.
- Sounds good.
Unfortunately, it's all speculation.
The answers died with his laptop.
Not necessarily.
Took the hard drive, but not the RAM chip.
Still might be a way to get some answers.
RAM keeps track of the programs your computer's running while it's on.
The moment the computer loses power the RAM starts to forget.
Information decays.
Freezing it stops the process.
Most people don't go to a bar after they find out their brother's been murdered and their family robbed.
I needed a drink, okay? I would imagine so.
What are you implying? Why don't you tell us about these e-mails, Stephen? We accessed your phone.
You got a call at 6:17 from your mother.
She told you about the break-in and that your brother had been murdered.
Even though your brother was dead, all you cared about was the money.
'Cause the next thing you did was check the balance of the store's bitcoin account.
You found it at zero.
I knew those damn bitcoins were a bad idea.
Unregulated, uninsurable, I tried to warn my parents and my brother I said bitcoins are too risky.
If they get stolen, they're gone.
You can't get them back.
But you tried to get them back.
Four hours ago you contacted bounty hunters by e-mail and negotiated a price to recover the stolen bitcoins.
Did you really think bitcoin bounty hunters were the answer to all your problems? You'll get the money back, then you can take over.
My parents had just lost a son! And now they were staring at poverty.
Did they tell you they used their retirement to keep the business afloat? That my brother's bright idea was to convert to bitcoin?! No! I'd imagine they didn't.
After all the years of hard work, all they gave up, the only thing I could think to do was get the money back.
For them.
Not me.
Look at that.
You see that? That's the work of the men you hired.
Do they look like the kind of men who give back money? We need information.
All I have is a Web site.
And an, and an e-mail address.
That's it.
They said they would contact me.
These are incredibly dangerous men, Stephen.
They lurk in the Deep Web.
In a world you can't even begin to imagine.
They've already killed one man.
You have started something you can't undo.
Bounty hunters' Web site and e-mail address are a wild goose chase.
Well, that's no surprise.
These bounty hunters specialize in bitcoin retrieval.
They think of themselves as elites.
They're skilled, educated, tech-savvy So we can't bet on them making any mistakes.
It gets worse.
Our bitcoin thief was no bozo, either.
We got the results from the degraded images we recovered from the thief's computer RAM.
This is a botnet a massive group of maliciously infected personal computers or bots from all around the country, harnessed together.
Basically, it's a network of computers used for evil.
But the people who own the computers have no idea that they're part of an evil empire.
After the computers are infected, the hacker has full control over every single computer on the network.
That's roughly 20,000.
Unsavory characters, like our dead thief, rent out their botnets to send spam e-mails, perform DDoS attacks, mass identity theft you know, all that good illegal stuff.
Can you tell if our thief connected to the botnet before the bounty hunters broke down that motel room door? What?! What? What is it, Krumitz? He sent two separate messages to two separate computers, somewhere in the botnet.
It must've been the passkeys.
Like a bank robber hiding his stash until the heat dies down and he can recover it and get away.
Are you saying two random computers two in 20,000 are secretly storing the passkeys? And the owners don't know it? That's not the bad part.
The RAM got us to the botnet.
But it was far too degraded to tell me which of these two people have them.
But the bounty hunters have the thief"s hard drive.
And that means they know which two people have the passkeys.
They have the digital treasure map.
So, two innocent people have no idea what's coming to them.
And we have no way of warning them.
Hey, what are you doing in my house?! Hey! You get what we came for? Yeah, I got the passkey.
One more passkey and we're a half-mil richer.
You got Krumitz.
Hold on, Krummy, let me transfer you to CTOC.
This came for you, Nelson.
- What's this? - Don't know.
Ajudge won't typically hand out a warrant on the evidence we have.
The RAM was too degraded.
But I pleaded my case and got us into the server farm housing the botnet's command and control server.
I got Krumitz on the big screen.
So, tell me we have names.
Performing a live acquisition now.
We are seconds away from having the same information the bounty hunters do.
The server has a record of every interaction the thieves made with the botnet.
If we don't catch our targets before they get those passkeys, the Christos' savings will be gone forever.
Every cent they have.
Every minute counts, and we're behind already.
Something's wrong here.
Uh, hold on.
What is it, Daniel? He's been disconnected.
I need a win off that server, Krumitz.
The drive's completely corrupted.
From the look of it, someone did this deliberately.
The bounty hunters are covering their tracks.
Damn it.
Deleting is recoverable, but the drive is being overwritten; everything is gone.
I've been monitoring Stephen Christos' e-mail activity.
Bounty hunters just sent a new message.
Due to unforeseen complications, they're upping their price.
"Unforeseen complications.
" That what they're calling murder these days? They made a mistake.
The computer they sent this e-mail from had a parental control program designed to go unnoticed.
Bounty hunters would have no way of knowing it was there.
Parental controls are installed so parents can monitor their children on the Internet.
It tags everything coming in and going out.
Simon, if there's parental controls, it means there's children there.
Yeah, I hear you.
Yes! Parental controls came through.
Just got a physical address on the bounty hunters.
Okay, I'll notify the local authorities to move on the location cautiously.
Meanwhile, let's get you on a plane.
Normally I don't get home from work this early.
I'm just glad my son wasn't home.
Edward Gaines, found in a bathtub bound and gagged.
He suffered a laceration and a concussion.
If the blow to the head hadn't knocked him out, bullet would've been next.
Raven's pulling traffic cam footage looking for faces based on Edward's description.
Did our targets get what they came for? Yep.
The e-mail that Stephen Christos got was sent from this computer.
The bounty hunters now have the first passkey.
Well, they're halfway to their goal, and we're stuck at the starting line.
So what's our play? Do you remember how I fought so hard to bring in Tobin? The cyber division needed someone who could work the cases like a hacker, work the cases from the inside.
We're gonna use that same tactic.
We're gonna work this case from the inside.
Mom and Pop.
The mystery box? Yeah, uh, They gave me all my devices back.
- From your arrest? - Yep.
Look at you, probie no more.
God, it took me six months to get off my probation.
Hmm.
- Who do you know? - Aw, here, you know We need to get inside that botnet.
Avery, the system is fried.
Yes, but the botnet still exists.
So you're thinking we should join the botnet? Well, we could take the botnet's malicious code off Mr.
Gaines' laptop and infect one of ours, and we're in.
Then we'll know what the bounty hunters know, and we'll have a chance to get one step ahead.
First time I ever wanted a computer virus.
I know what you mean.
Let's see what we got.
All right, we're in.
Okay, now that you're connected to the botnet, you should be able to break in and send it commands.
What? You don't think I pay attention when you guys geek out with code speak? I never thought that.
- All right, Avery.
- Ping this entire network.
We are looking for the two computers that have those passkeys.
Okay, the DC I.
P.
Address is Mr.
Gaines' laptop, right here on this desk.
The bounty hunters already took the passkey off that one, but the other one Albuquerque, New Mexico.
- Mm-hmm.
- Hey.
- All right.
- Whoa, too slow.
Yeah.
Hang on.
Nelson, this is a win; this is when we celebrate and high-five our bosses.
No, no, no check out that I.
P.
Address.
It's not static; it's dynamic.
Every time a computer with a dynamic I.
P.
Turns on, it gets assigned a new I.
P.
Address randomly from its Internet service provider.
But, when it turns off, the I.
P.
Address will be randomly reassigned to a different device.
The bounty hunters are still using the I.
P.
Address they recovered from that hard drive.
There you go.
The second passkey's in Albuquerque, but the bounty hunters don't know that.
They're going to the wrong location.
Okay, I'll contact the service provider, figure out the I.
P.
Address our bounty hunters are chasing, find out where they're headed.
Work quickly.
They retrieved that first passkey.
They still brutally beat Edward Gaines.
If they come up empty at this next location, who knows what they'll do.
Krumitz has plotted the bounty hunters' Denver, Colorado.
So there's gonna be a plane waiting for you and your team on the tarmac.
Hey, just got back the results on the footage from the traffic cameras near Edward Gaines's house, and I have security footage from around the motel in Detroit where we found our bitcoin thief.
Cross-referenced every face we found, looking for anyone in both cities in the past 24 hours.
I.
D.
'd two men traveling together.
Jeremy and Henry Spitz, brothers, ex-military, both dishonorably discharged, a long history of violent behavior resulting in arrests.
They fit the profile of our bounty hunters.
We need to expect unpredictable explosive behavior.
All right put out a BOLO on the pair and inform the TSA.
If they're grounded, they're gonna be forced to drive to Denver.
That's gonna buy us some time.
I'll take Raven to Albuquerque, and you're gonna need to find that final bitcoin passkey.
Let's set this trap.
Hello, I'm Special Agent Avery Ryan.
I'm running this operation.
Is everybody out of the house? Yes, our son's staying the night at a friend's.
Hopefully, this will all be over by morning.
This comes to an end here/ This is our Appomattox.
Appomattox, really? You're really gonna compare this to the battle that ended the Civil War? Yeah, why not? You have any idea how many men died in that battle? Appomattox.
Step up your game, man.
- A dynamic what? - It's your I.
P.
Address.
If this is just about my computer, I don't see why I have to leave my home.
Again, ma'am, this is an ongoing investigation.
I have told you as much as I can.
Now I would like to move you into protective custody till we resolve all this.
What's she doing on my computer, anyway? Removing something worth killing for.
Got the passkey.
Sending it to the boys now.
Well, that smile must mean we're on schedule.
Just got the final passkey from Raven.
Krumitz is finishing up inside.
We're good to go.
I know we're right in the middle of something, but, uh just wanted to say thanks for getting me off probation.
And giving me all my devices back.
They mean a lot to me.
Got my tablet back today.
You know, I had all my photos in there and my family stuff.
It was good to see my parents again.
Haven't seen them since the trial.
It's complicated.
Well, Sifter and I spoke to the judge.
She agreed to lift your probation.
Wow, that's-that's crazy.
I didn't, I didn't even know he liked me.
No, he he doesn't.
We all set? Oh, yeah.
We embedded a decoy passkey on the computer in the home, one infected with our own malicious code.
So when the bounty hunters try to use that passkey, it'll infect their computer and we'll have complete control over it.
Well, they're reckless and greedy.
They'll want immediate gratification.
We won't have to wait long.
All right, but when they plug in, we'll be able to steal the first passkey back.
Not just steal it.
We have to prove it was on their computer.
That passkey is the only thing that links those men to the murder and the home invasion.
It's what's gonna give us a conviction.
Don't worry, we'll be screen- capturing the entire session.
We lost the connection to the Schaeffers' computer.
He'll get it back online.
Krumitz, what the hell are you doing? Krumitz left his radio.
- We're having technical issues.
- Avery, we just got word.
SWAT's reporting a suspicious-looking SUV that just entered the neighborhood.
How long? Two minutes at most.
Bring up the home security cameras.
I need eyes on the perimeter.
We got it.
Aw We got a problem, Elijah.
Danny, it's okay.
Just come stand by me and your brother.
We'll do anything you ask.
Please, just don't don't hurt my family.
Just take what you want.
No one's stopping you; we're the only ones here.
Check the back, make sure we're alone.
How'd he get here? He came for a video game for his sleepover.
Where's my mom and dad? It's okay, Jeffrey.
Just do what I tell you.
All clear.
- You.
- Me? You got a computer in here somewhere take me to it.
Danny, do what the man tells you to do.
Listen to your mother.
She'll get you out of this alive.
It's, uh, it's upstairs.
Move.
Have your men hold.
I got two FBI agents and an innocent in there.
We storm the house at the wrong time, somebody will get killed.
How the hell did that kid get in there? Avery just spotted him coming in the back door through the security camera.
I need more men in the back there's a hole in that fence.
Fill it.
Now.
How we doing on your end? Trap's set those guys take the bait, we'll have them dead to rights.
Jail for life, and some.
Um, we've got a volatile situation in there, Nelson.
We can't wait long.
Sit.
Okay, you got it, but do you mind lowering your gun? Open the system's folder.
Just give me a minute.
I-I'm not good with computers.
Uh, here, here? Open it.
Now utilities.
Here? You see two, you moron? This is not good, man, we're in trouble.
Look, this guy's gonna go ahead and miss the decoy file.
He has Krumitz looking in the wrong place.
Nelson, these guys have short tempers.
Failure is not an option.
Okay, look, uh I have an idea.
Open that folder there, "Installers.
" Uh You clicked the wrong folder, you idiot.
Ah.
Yes.
No, I didn't.
No, I didn't.
Wait, wait, wait, wait, is that it? Is that it? Is that it? That's it.
Good.
Load it on this.
These men'll be leaving soon, honey.
This will all be over, I promise.
I said no talking.
Of course.
I apologize.
My son needs to go to the restroom.
Yeah, well he can hold it.
And shut up.
Get over there.
It's about time, man did you get it? I got it, calm down.
This is taking too long, bro.
We got to get out of here.
Wait a second.
It's payday.
I'm in.
I'm gonna go ahead and deactivate these fools' Internet.
It's gonna buy me some time to find a passkey before they discover we slipped them a decoy.
Things are getting tense in there, Nelson, we can't wait long.
I'm trying I know, I know.
What the hell is taking so long? Damn signal.
What? Wi-Fi isn't working give me a sec.
Running a diagnostic.
Now what? We got an intrusion.
Son of a Shut that kid up and start talking.
We're running out of time, Nelson.
I know, I know.
Look, just-just wait, okay? Can't wait any longer.
I knew it.
There's no way these two are family.
Look at that picture.
That's the kid, all right.
But who the hell are these two? Something ain't right here.
Talk.
Or die.
FBI! Get down.
Down on the ground! FBI! Drop it now! Your hands where I can see them! Don't move! Everybody okay? You okay? Yeah.
Clear! He'll live.
Entry clear! Encrypted.
We'll never get in.
Did Nelson get the file? I don't know couldn't wait.
Nelson.
Did you get the passkey? Repeat did you get the passkey? Oh, yeah, we got it.
Those fools are going down.
Okay.
Bitcoins are back in your account.
Though you should change your passkey.
I won't need to.
Getting out of the bitcoin business.
In fact we're selling the store.
It's time.
Thank you.
Pop.
I'm sorry.
Promise me you'll stay close to home.
Always.
You ever get sleep? You have any idea how much paperwork is required after you discharge a government-issued firearm? You know, I heard you handled yourself pretty well.
Came face-to-face with an armed killer, heard you took him down, no hesitation.
Come on, man, you got some skills.
Standard FBI training.
"Standard FBI training.
" No, no, no, no, no, no.
You you are the real deal, bro.
Well, I did what I had to do.
You know, a man with a gun in your face, kid in the room, bad guy's got to go down.
Even if it was only a flesh wound.
I mean, really, it's just instinct, at that point.
You know, training takes over, muscle memory kicks in.
And when that guy made a move on me, - his gun taking aim, - Mm-hmm.
bayonet inches from this face Whose bayonet? I could smell the gunpowder residue.
Appomattox, Nelson.
Appomattox.
- Hey.
- Yo.
All I knew was it was on.
Him or me.
And it wasn't gonna be me.
That's right, baby.
That's why you here.
Daniel Krumitz coming through.
Hey.
No, you didn't.
Yes, I did.
You know, uh it's my mother's favorite song.
Me and my pops used to sing it to her every year on her birthday.
Call your parents, Brody Nelson.
Can't.
It's just not the same anymore.
I embarrassed them, went to jail Just not the son they thought they raised.
Call them anyway.
Why do I get the feeling that giving my stuff back is a part of one of your master plans that Elijah's always talking about? I don't know.
Hello.
Hey, Dad? Hey, it's Brody.
Yeah, no, it-it's me, Pop, it's me.
I was a victim of cyber crime.
Like you, I posted on social media, checked my bank account balance online, even kept the confidential files of my psychological practice on my computer.
Then I was hacked, and as a result, one of my patients was murdered.
My investigation into her death led me to the FBI, where I joined a team of cyber experts to wage a war against a new breed of criminal hiding on the Deep Web infiltrating our daily lives in ways we never imagined faceless nameless lurking inside our devices, just a keystroke away.
Danny It's all right.
It's Come come join me and your brother.
Good evening, Detroit.
This is your eye in the sky.
It appears a portion of the downtown area is experiencing a power outage.
Traffic in the area is at an absolute standstill.
Police are on the scene to manage any outbreaks of violence or looting.
However, thus far, only a handful of minor incidents have been reported.
I've got 25 blocks of downtown Detroit in the dark.
Backup systems are completely unresponsive.
You guys sure this is a case for the FBI? We're FBI Cyber, this is exactly our kind of case.
From what we can tell, you're experiencing a cyber intrusion.
Your power grid's been hacked.
We just got an update from Detroit River Electric, and they're still working on the power outage in the downtown area.
Uh The smart grid allows for complete control of the city's entire power supply from this room.
Right now, someone else is in control.
SCADA systems like this should be impenetrable.
But someone remotely hacked in, then locked out every computer here by erasing the startup disk.
Even if you two successfully recover the disk and reboot the system, you'll still have to counter-hack the target to get the power back on.
Yeah, we're halfway there already.
The odd thing about all this is the blackout affects only 25 blocks.
When I hacked the New Hampshire grid, I took out the whole state.
Oh, so we bragging now? No, no.
Raven's asking the right question.
Why limit this power outage to such a focused area? A hacker's objective is usually to affect as many people as possible.
This was a precision attack.
There will be another phase to this outage.
He's using the SCADA attack as camouflage.
The faster we get those lights on, the sooner we will uncover what our target's true intensions are.
Really? The whole state of New Hampshire, huh? I wanted a three-day weekend.
- Hey, by the way - Yo.
happy two-month anniversary.
We dating? No, stupid.
Two months at the Cyber Crime Division.
You're officially in the family.
Don't mess up.
I want you to stick around.
Got a live feed to the Emergency Operation Bureau's incident map.
The blackout is affecting the central hub of the city, both the government and the financial districts.
Our target could be looking to hit the federal building, district court, city jail, baseball stadium, three banks or countless privately owned businesses.
Power outage is a great way to disable security alarms.
There are several incidents of traffic gridlock.
Whatever our hacker's doing, he's gonna want to make a getaway.
So let's focus on the buildings on the fringe of the blacked out area of the city.
Locations still in the dark, but where the target won't get caught in the traffic jam caused by the blackout while trying to flee.
And let's rule out any area that borders the rail line.
It's a bad idea to cross the tracks and risk getting trapped behind a closed train crossing.
Hey, guys, we're back online! We're back in control, but the lights still aren't on.
Yeah, that's gonna take a minute.
Our hacker's still active in the system.
Raven's writing a patch to seal the intrusion.
Wait a minute.
If he's still active in the system, that means he needs to maintain a live connection to the power station for some reason.
Nelson, can you inject malicious code into Raven's patch? Infiltrate his laptop before you boot him off.
Tag him so we can track him.
If he uses that computer again, we'll know where he is.
We may get a location and possibly his identity.
I want that power on and that hacker in handcuffs.
You got it boss.
I'm on it.
Yeah, Pa, power's still out.
I'm just gonna check out the store.
Hey! Who the hell are you?! Police responded to the security alarm, found the store owner's son, Benjamin Christos, shot dead.
Single father, two children.
Was he here when the power went out, Detective Dorn? Store wasn't open today.
We figured he came to protect the property against possible looters interrupted the robbery.
It's an auto safe dialer.
It cycles through every possible combination till it lands on the right one.
All the thief needed was time.
Explains why the computer maintained a live connection to the power grid.
Had to ensure that the lights and the alarm systems stayed off.
Looks like the power outage was masking a jewelry store robbery.
Well, what did they take? From what we can tell, the thief left empty-handed.
We do know most of the jewelry's on consignment.
- The Christos don't own it.
- That computer It was in the vault when first responders arrived.
Why lock a computer in a vault? Well, there's one way to find out.
Somebody went to all this trouble they even killed a man to leave with absolutely nothing? I'm not buying it.
All right.
No modem installed, no way to connect to the Internet.
There's only one thing on it.
A bitcoin account with a zero balance.
This wasn't a jewel heist.
This was a bitcoin heist.
Ben came down to check on the store.
The blackout I should've come with him.
But he talked me out of it.
There was a computer in the vault.
It's the bitcoin computer.
Benjamin's idea.
I really don't understand it.
But he was so passionate.
He said bitcoin was the currency of the future.
Ben was taking over the family business, and I promised I would trust his judgment.
But now my son was killed over over this this imaginary currency? Do you know how many bitcoins you had? Almost half a million dollars' worth.
Most of our retirement.
In order to access and steal your bitcoin, the thief would have needed the passkey to your account.
And it was stored on the computer in the vault.
Who else knew it was there? Ellis, no.
He wouldn't.
Stephen.
Our oldest son.
He was supposed to take over the business, but Ben had so much more ambition.
Drive.
I-I begged them both to run it together, but the boys didn't see eye to eye.
Thank you both.
We'll be in touch.
Bad blood between brothers.
Half a million dollars at stake.
And Stephen would have known that taking the bitcoin over the jewelry was hassle-free.
Transfer it from one account to another, it's well, almost untraceable.
No serial numbers.
Nothing to fence.
Sounds like we have to have a little chat with Stephen Christos.
Yeah.
When the power came back on, so did the jewelry store's security camera.
Is this Stephen? No.
I have never seen that man before in my life.
Is this the man who murdered our son? Took our grandchildren's father from them? Now we have a face.
We just need a name.
So, no luck identifying our bitcoin thief, huh? No, sir.
Ran the facial recognition.
Big dead end.
Guy's not in the FBI database.
But the bitcoins have provided an interesting lead.
The biggest misconception about bitcoins is that it's anonymous.
I mean, that's why it's the preferred currency of the Deep Web.
It's used to fund drug deals, hit men, human trafficking, but it's not actually that anonymous.
Is this a bitcoin lecture or did you make an actually discovery here? Oh, right.
Sorry.
I accessed the block chain, which is a public ledger that records every bitcoin spent.
Every cent's accounted for where it came from and where it went.
And each transaction is listed as a long sequence of randomized numbers.
Ah.
So you can't tie it to a person, but you can tie it to an account, right? So, it's like a stock market transaction.
I mean, you can see somebody bought You just don't know who.
Exactly! But if you know the amount that you're looking for, you can find any bitcoin transaction that's ever been made.
Even when it's stolen, there is a record of the bitcoin movement.
All you need is the amount, date and time.
So, this is last night's robbery.
What we're looking at is our thief"s bitcoin account.
As of today, worth just shy of 500,000 U.
S.
Dollars.
Now, of course, the bitcoin market fluctuates so dramatically that this many bitcoins could very be easily be worth over a million dollars in the very near future.
Explains why someone went to such lengths to steal it.
Mm-hmm.
So, what digital dust can we follow here to catch our thief? Well, every bitcoin account is protected by a 64-character passkey.
And if you have the passkey, you can unlock the account.
And whoever has the passkey to this account is probably our killer.
Well, that's odd.
Our thief"s bitcoin account is protected by two passkeys.
Typically, it's just the one.
Yeah, it's like a safe deposit box.
It requires two keys to open it.
Which might just imply our bitcoin thief has an accomplice.
Hey, guys! The malicious track worked.
I pinpointed the exact location of the bitcoin thief"s computer.
This is Agent Elijah Mundo.
I need a SWAT team at 5280 Clinton Place.
- Clear! - Well, there's our thief.
Looks like we're not the only ones interested in stolen bitcoins.
All right.
Thanks, bud.
All right.
Krumitz ran the name we got off the victim's I.
D.
We are looking at the infamous Brian Kramer.
Apparently he made a living robbing large bitcoin accounts he found on the block chain.
This was his fifth.
Tracked charitable contributions from bitcoin accounts to find his targets.
Laceration of the throat looks like C.
O.
D.
He bled out, but over here, it looks like our victim was sliced open.
And patched up multiple times.
He was tortured.
Closed the wounds with Super Glue.
Battlefield first aid.
It's commonly used by people with military training.
Torture the victim and patch him up.
Keep him live long enough to talk.
Detroit PD is still trying to locate Stephen Christos.
Hasn't answered calls from his family.
We can't wait this out.
Track his cell phone.
Get a GPS location on him.
Okay, got it.
Hard drive's been removed.
Whoever did that to him was definitely after the stolen bitcoins.
If they had the hard drive, why torture him? 'Cause the passkey wasn't on the hard drive.
Door was barricaded by the dresser.
Bought our victim a little time.
Long enough for our thief to take the passkey out of the computer.
Bad guy breaks through the door.
Tries to access the bitcoin account, he can't.
Tortures the thief - for the passkey.
- Sounds good.
Unfortunately, it's all speculation.
The answers died with his laptop.
Not necessarily.
Took the hard drive, but not the RAM chip.
Still might be a way to get some answers.
RAM keeps track of the programs your computer's running while it's on.
The moment the computer loses power the RAM starts to forget.
Information decays.
Freezing it stops the process.
Most people don't go to a bar after they find out their brother's been murdered and their family robbed.
I needed a drink, okay? I would imagine so.
What are you implying? Why don't you tell us about these e-mails, Stephen? We accessed your phone.
You got a call at 6:17 from your mother.
She told you about the break-in and that your brother had been murdered.
Even though your brother was dead, all you cared about was the money.
'Cause the next thing you did was check the balance of the store's bitcoin account.
You found it at zero.
I knew those damn bitcoins were a bad idea.
Unregulated, uninsurable, I tried to warn my parents and my brother I said bitcoins are too risky.
If they get stolen, they're gone.
You can't get them back.
But you tried to get them back.
Four hours ago you contacted bounty hunters by e-mail and negotiated a price to recover the stolen bitcoins.
Did you really think bitcoin bounty hunters were the answer to all your problems? You'll get the money back, then you can take over.
My parents had just lost a son! And now they were staring at poverty.
Did they tell you they used their retirement to keep the business afloat? That my brother's bright idea was to convert to bitcoin?! No! I'd imagine they didn't.
After all the years of hard work, all they gave up, the only thing I could think to do was get the money back.
For them.
Not me.
Look at that.
You see that? That's the work of the men you hired.
Do they look like the kind of men who give back money? We need information.
All I have is a Web site.
And an, and an e-mail address.
That's it.
They said they would contact me.
These are incredibly dangerous men, Stephen.
They lurk in the Deep Web.
In a world you can't even begin to imagine.
They've already killed one man.
You have started something you can't undo.
Bounty hunters' Web site and e-mail address are a wild goose chase.
Well, that's no surprise.
These bounty hunters specialize in bitcoin retrieval.
They think of themselves as elites.
They're skilled, educated, tech-savvy So we can't bet on them making any mistakes.
It gets worse.
Our bitcoin thief was no bozo, either.
We got the results from the degraded images we recovered from the thief's computer RAM.
This is a botnet a massive group of maliciously infected personal computers or bots from all around the country, harnessed together.
Basically, it's a network of computers used for evil.
But the people who own the computers have no idea that they're part of an evil empire.
After the computers are infected, the hacker has full control over every single computer on the network.
That's roughly 20,000.
Unsavory characters, like our dead thief, rent out their botnets to send spam e-mails, perform DDoS attacks, mass identity theft you know, all that good illegal stuff.
Can you tell if our thief connected to the botnet before the bounty hunters broke down that motel room door? What?! What? What is it, Krumitz? He sent two separate messages to two separate computers, somewhere in the botnet.
It must've been the passkeys.
Like a bank robber hiding his stash until the heat dies down and he can recover it and get away.
Are you saying two random computers two in 20,000 are secretly storing the passkeys? And the owners don't know it? That's not the bad part.
The RAM got us to the botnet.
But it was far too degraded to tell me which of these two people have them.
But the bounty hunters have the thief"s hard drive.
And that means they know which two people have the passkeys.
They have the digital treasure map.
So, two innocent people have no idea what's coming to them.
And we have no way of warning them.
Hey, what are you doing in my house?! Hey! You get what we came for? Yeah, I got the passkey.
One more passkey and we're a half-mil richer.
You got Krumitz.
Hold on, Krummy, let me transfer you to CTOC.
This came for you, Nelson.
- What's this? - Don't know.
Ajudge won't typically hand out a warrant on the evidence we have.
The RAM was too degraded.
But I pleaded my case and got us into the server farm housing the botnet's command and control server.
I got Krumitz on the big screen.
So, tell me we have names.
Performing a live acquisition now.
We are seconds away from having the same information the bounty hunters do.
The server has a record of every interaction the thieves made with the botnet.
If we don't catch our targets before they get those passkeys, the Christos' savings will be gone forever.
Every cent they have.
Every minute counts, and we're behind already.
Something's wrong here.
Uh, hold on.
What is it, Daniel? He's been disconnected.
I need a win off that server, Krumitz.
The drive's completely corrupted.
From the look of it, someone did this deliberately.
The bounty hunters are covering their tracks.
Damn it.
Deleting is recoverable, but the drive is being overwritten; everything is gone.
I've been monitoring Stephen Christos' e-mail activity.
Bounty hunters just sent a new message.
Due to unforeseen complications, they're upping their price.
"Unforeseen complications.
" That what they're calling murder these days? They made a mistake.
The computer they sent this e-mail from had a parental control program designed to go unnoticed.
Bounty hunters would have no way of knowing it was there.
Parental controls are installed so parents can monitor their children on the Internet.
It tags everything coming in and going out.
Simon, if there's parental controls, it means there's children there.
Yeah, I hear you.
Yes! Parental controls came through.
Just got a physical address on the bounty hunters.
Okay, I'll notify the local authorities to move on the location cautiously.
Meanwhile, let's get you on a plane.
Normally I don't get home from work this early.
I'm just glad my son wasn't home.
Edward Gaines, found in a bathtub bound and gagged.
He suffered a laceration and a concussion.
If the blow to the head hadn't knocked him out, bullet would've been next.
Raven's pulling traffic cam footage looking for faces based on Edward's description.
Did our targets get what they came for? Yep.
The e-mail that Stephen Christos got was sent from this computer.
The bounty hunters now have the first passkey.
Well, they're halfway to their goal, and we're stuck at the starting line.
So what's our play? Do you remember how I fought so hard to bring in Tobin? The cyber division needed someone who could work the cases like a hacker, work the cases from the inside.
We're gonna use that same tactic.
We're gonna work this case from the inside.
Mom and Pop.
The mystery box? Yeah, uh, They gave me all my devices back.
- From your arrest? - Yep.
Look at you, probie no more.
God, it took me six months to get off my probation.
Hmm.
- Who do you know? - Aw, here, you know We need to get inside that botnet.
Avery, the system is fried.
Yes, but the botnet still exists.
So you're thinking we should join the botnet? Well, we could take the botnet's malicious code off Mr.
Gaines' laptop and infect one of ours, and we're in.
Then we'll know what the bounty hunters know, and we'll have a chance to get one step ahead.
First time I ever wanted a computer virus.
I know what you mean.
Let's see what we got.
All right, we're in.
Okay, now that you're connected to the botnet, you should be able to break in and send it commands.
What? You don't think I pay attention when you guys geek out with code speak? I never thought that.
- All right, Avery.
- Ping this entire network.
We are looking for the two computers that have those passkeys.
Okay, the DC I.
P.
Address is Mr.
Gaines' laptop, right here on this desk.
The bounty hunters already took the passkey off that one, but the other one Albuquerque, New Mexico.
- Mm-hmm.
- Hey.
- All right.
- Whoa, too slow.
Yeah.
Hang on.
Nelson, this is a win; this is when we celebrate and high-five our bosses.
No, no, no check out that I.
P.
Address.
It's not static; it's dynamic.
Every time a computer with a dynamic I.
P.
Turns on, it gets assigned a new I.
P.
Address randomly from its Internet service provider.
But, when it turns off, the I.
P.
Address will be randomly reassigned to a different device.
The bounty hunters are still using the I.
P.
Address they recovered from that hard drive.
There you go.
The second passkey's in Albuquerque, but the bounty hunters don't know that.
They're going to the wrong location.
Okay, I'll contact the service provider, figure out the I.
P.
Address our bounty hunters are chasing, find out where they're headed.
Work quickly.
They retrieved that first passkey.
They still brutally beat Edward Gaines.
If they come up empty at this next location, who knows what they'll do.
Krumitz has plotted the bounty hunters' Denver, Colorado.
So there's gonna be a plane waiting for you and your team on the tarmac.
Hey, just got back the results on the footage from the traffic cameras near Edward Gaines's house, and I have security footage from around the motel in Detroit where we found our bitcoin thief.
Cross-referenced every face we found, looking for anyone in both cities in the past 24 hours.
I.
D.
'd two men traveling together.
Jeremy and Henry Spitz, brothers, ex-military, both dishonorably discharged, a long history of violent behavior resulting in arrests.
They fit the profile of our bounty hunters.
We need to expect unpredictable explosive behavior.
All right put out a BOLO on the pair and inform the TSA.
If they're grounded, they're gonna be forced to drive to Denver.
That's gonna buy us some time.
I'll take Raven to Albuquerque, and you're gonna need to find that final bitcoin passkey.
Let's set this trap.
Hello, I'm Special Agent Avery Ryan.
I'm running this operation.
Is everybody out of the house? Yes, our son's staying the night at a friend's.
Hopefully, this will all be over by morning.
This comes to an end here/ This is our Appomattox.
Appomattox, really? You're really gonna compare this to the battle that ended the Civil War? Yeah, why not? You have any idea how many men died in that battle? Appomattox.
Step up your game, man.
- A dynamic what? - It's your I.
P.
Address.
If this is just about my computer, I don't see why I have to leave my home.
Again, ma'am, this is an ongoing investigation.
I have told you as much as I can.
Now I would like to move you into protective custody till we resolve all this.
What's she doing on my computer, anyway? Removing something worth killing for.
Got the passkey.
Sending it to the boys now.
Well, that smile must mean we're on schedule.
Just got the final passkey from Raven.
Krumitz is finishing up inside.
We're good to go.
I know we're right in the middle of something, but, uh just wanted to say thanks for getting me off probation.
And giving me all my devices back.
They mean a lot to me.
Got my tablet back today.
You know, I had all my photos in there and my family stuff.
It was good to see my parents again.
Haven't seen them since the trial.
It's complicated.
Well, Sifter and I spoke to the judge.
She agreed to lift your probation.
Wow, that's-that's crazy.
I didn't, I didn't even know he liked me.
No, he he doesn't.
We all set? Oh, yeah.
We embedded a decoy passkey on the computer in the home, one infected with our own malicious code.
So when the bounty hunters try to use that passkey, it'll infect their computer and we'll have complete control over it.
Well, they're reckless and greedy.
They'll want immediate gratification.
We won't have to wait long.
All right, but when they plug in, we'll be able to steal the first passkey back.
Not just steal it.
We have to prove it was on their computer.
That passkey is the only thing that links those men to the murder and the home invasion.
It's what's gonna give us a conviction.
Don't worry, we'll be screen- capturing the entire session.
We lost the connection to the Schaeffers' computer.
He'll get it back online.
Krumitz, what the hell are you doing? Krumitz left his radio.
- We're having technical issues.
- Avery, we just got word.
SWAT's reporting a suspicious-looking SUV that just entered the neighborhood.
How long? Two minutes at most.
Bring up the home security cameras.
I need eyes on the perimeter.
We got it.
Aw We got a problem, Elijah.
Danny, it's okay.
Just come stand by me and your brother.
We'll do anything you ask.
Please, just don't don't hurt my family.
Just take what you want.
No one's stopping you; we're the only ones here.
Check the back, make sure we're alone.
How'd he get here? He came for a video game for his sleepover.
Where's my mom and dad? It's okay, Jeffrey.
Just do what I tell you.
All clear.
- You.
- Me? You got a computer in here somewhere take me to it.
Danny, do what the man tells you to do.
Listen to your mother.
She'll get you out of this alive.
It's, uh, it's upstairs.
Move.
Have your men hold.
I got two FBI agents and an innocent in there.
We storm the house at the wrong time, somebody will get killed.
How the hell did that kid get in there? Avery just spotted him coming in the back door through the security camera.
I need more men in the back there's a hole in that fence.
Fill it.
Now.
How we doing on your end? Trap's set those guys take the bait, we'll have them dead to rights.
Jail for life, and some.
Um, we've got a volatile situation in there, Nelson.
We can't wait long.
Sit.
Okay, you got it, but do you mind lowering your gun? Open the system's folder.
Just give me a minute.
I-I'm not good with computers.
Uh, here, here? Open it.
Now utilities.
Here? You see two, you moron? This is not good, man, we're in trouble.
Look, this guy's gonna go ahead and miss the decoy file.
He has Krumitz looking in the wrong place.
Nelson, these guys have short tempers.
Failure is not an option.
Okay, look, uh I have an idea.
Open that folder there, "Installers.
" Uh You clicked the wrong folder, you idiot.
Ah.
Yes.
No, I didn't.
No, I didn't.
Wait, wait, wait, wait, is that it? Is that it? Is that it? That's it.
Good.
Load it on this.
These men'll be leaving soon, honey.
This will all be over, I promise.
I said no talking.
Of course.
I apologize.
My son needs to go to the restroom.
Yeah, well he can hold it.
And shut up.
Get over there.
It's about time, man did you get it? I got it, calm down.
This is taking too long, bro.
We got to get out of here.
Wait a second.
It's payday.
I'm in.
I'm gonna go ahead and deactivate these fools' Internet.
It's gonna buy me some time to find a passkey before they discover we slipped them a decoy.
Things are getting tense in there, Nelson, we can't wait long.
I'm trying I know, I know.
What the hell is taking so long? Damn signal.
What? Wi-Fi isn't working give me a sec.
Running a diagnostic.
Now what? We got an intrusion.
Son of a Shut that kid up and start talking.
We're running out of time, Nelson.
I know, I know.
Look, just-just wait, okay? Can't wait any longer.
I knew it.
There's no way these two are family.
Look at that picture.
That's the kid, all right.
But who the hell are these two? Something ain't right here.
Talk.
Or die.
FBI! Get down.
Down on the ground! FBI! Drop it now! Your hands where I can see them! Don't move! Everybody okay? You okay? Yeah.
Clear! He'll live.
Entry clear! Encrypted.
We'll never get in.
Did Nelson get the file? I don't know couldn't wait.
Nelson.
Did you get the passkey? Repeat did you get the passkey? Oh, yeah, we got it.
Those fools are going down.
Okay.
Bitcoins are back in your account.
Though you should change your passkey.
I won't need to.
Getting out of the bitcoin business.
In fact we're selling the store.
It's time.
Thank you.
Pop.
I'm sorry.
Promise me you'll stay close to home.
Always.
You ever get sleep? You have any idea how much paperwork is required after you discharge a government-issued firearm? You know, I heard you handled yourself pretty well.
Came face-to-face with an armed killer, heard you took him down, no hesitation.
Come on, man, you got some skills.
Standard FBI training.
"Standard FBI training.
" No, no, no, no, no, no.
You you are the real deal, bro.
Well, I did what I had to do.
You know, a man with a gun in your face, kid in the room, bad guy's got to go down.
Even if it was only a flesh wound.
I mean, really, it's just instinct, at that point.
You know, training takes over, muscle memory kicks in.
And when that guy made a move on me, - his gun taking aim, - Mm-hmm.
bayonet inches from this face Whose bayonet? I could smell the gunpowder residue.
Appomattox, Nelson.
Appomattox.
- Hey.
- Yo.
All I knew was it was on.
Him or me.
And it wasn't gonna be me.
That's right, baby.
That's why you here.
Daniel Krumitz coming through.
Hey.
No, you didn't.
Yes, I did.
You know, uh it's my mother's favorite song.
Me and my pops used to sing it to her every year on her birthday.
Call your parents, Brody Nelson.
Can't.
It's just not the same anymore.
I embarrassed them, went to jail Just not the son they thought they raised.
Call them anyway.
Why do I get the feeling that giving my stuff back is a part of one of your master plans that Elijah's always talking about? I don't know.
Hello.
Hey, Dad? Hey, it's Brody.
Yeah, no, it-it's me, Pop, it's me.