10 November 2014
Lawrence Baldwin Darknet Spy
On the Hunt for Wall St. Hackers, but Not the Spotlight
By Nicole Perlroth and Matthew Goldstein
November 9, 2014
Lawrence Baldwin is a dark hero of the Internet whom you have probably never
heard of, and for good reason.
A decade ago, Mr. Baldwin made a name for himself and his Atlanta-based security
firm, myNetWatchman, by collecting and analyzing digital scourges like malware,
and alerting companies to them. He was a fixture on the security conference
circuit and was often quoted in the press about security threats.
And then he seemed to disappear. Beyond a bare-bones website and a LinkedIn
profile where his only listed interest is "chasing down cybercriminals
and smacking them upside the head," Mr. Baldwin largely vanished from
"If you look for me on Google, you'd be hard pressed to find my
involvement in anything for the last seven or eight years," he said.
Yet Mr. Baldwin is well known to a number of large United States banks and
financial institutions that have turned to him for help in combating increasingly
sophisticated hacking attacks.
He declined to discuss his work for the banks, citing concerns about his
For the past seven years, several security consultants and former law enforcement
personnel say, Mr. Baldwin has immersed himself in the so-called dark web,
using what most describe as unorthodox methods to gather intelligence about
online financial crime. Mr. Baldwin, 49, says that he is able to closely
monitor many of the criminals who he says have made hundreds of millions
of dollars hacking into American banks and corporations.
It is that unusual proximity, and the reliable information that it
produces, that has made Mr. Baldwin one of the go-to consultants for
financial institutions. Those familiar with his work say he is one of the
consultants used by banks like JPMorgan Chase, which is still dealing with
the fallout from an intrusion that compromised some information for 76 million
households and seven million small businesses.
To his supporters, Mr. Baldwin, who has a degree in computer science from
the University of Hartford, is something of a secret agent. "He has
eyes directly on the perpetrator," said one security expert who did
not want to be identified because of Mr. Baldwin's preference for a
Another described his work as "very cloak and dagger." All agree
that the intelligence he provides is very effective. "I would take his
intelligence over anyone else's any day of the week," another said.
Companies often complain that when they are breached, they rarely learn anything
about their attackers from law enforcement. Security companies are also little
help. Many victims of breaches say these companies bury their analysts in
heaps of data without offering any context or attribution. By the time chief
information security officers discover that their data has left the building,
executives complain, the criminals have already moved on.
All of this has created a market for a handful of consultants like Mr. Baldwin
who go undercover and track the criminals' activity in real time.
"Baldwin stands out because he provides actionable intelligence,"
said Avivah Litan, a security analyst with Gartner, the research firm.
"It's exact, it's original and he barely charges for it, whereas
other firms repackage intelligence from many sources."
She added, "There's a finite number of original sources for
intelligence on bad activities."
Yet while banks and Wall Street firms rely on Mr. Baldwin's services,
they do not like to talk about it.
A spokeswoman for JPMorgan said she could not comment on whether the bank
consulted with Mr. Baldwin. JPMorgan, which spends $250 million annually
on digital security, has about 1,000 dedicated security personnel. But the
bank also works with a handful of outside-threat intelligence providers in
addition to consulting firms like Booz Allen Hamilton and Stroz Friedberg
to investigate attacks, said other people briefed on the matter.
For his part, Mr. Baldwin maintains that he did not work directly with JPMorgan
to solve its recent breach.
He was slightly more open in March about his work, as he discussed the details
of a recent attack against a bank during a presentation to the Georgia Banking
Association. Mr. Baldwin asked the attendees not to discuss the talk with
The reason for the banks' caution is that the information Mr. Baldwin
provides becomes useless as soon as it is made public, and because
many of his clients are not quite sure where Mr. Baldwin's information
Two people familiar with his methods said that Mr. Baldwin's company
maintains listening posts on Internet service provider networks and infects
tools used by criminals, like underground botnets (networks of infected
computers), to see what criminals are collecting and where they are
collecting it from. He has also developed a web of contacts across industries
and knows who is stealing information.
"He has gone underground and become privy to what they're
developing," said Ms. Litan, of Gartner. "There's no other
way. It's the way."
A few years ago, law enforcement officials spoke to Mr. Baldwin to ensure
he understood what he could do without breaking the law, according to two
people briefed on the conversation. One concern is that while Mr. Baldwin
has a record of developing intelligence on hacker activity, the information
cannot be used as evidence in a criminal proceeding because of his methods,
and the confidential relationships he uses to gather it.
Still, law enforcement officials who have worked with him describe Mr. Baldwin
as a valuable partner.
Thomas Grasso, a supervisory special agent with the F.B.I., said the bureau
had a very good working relationship with Mr. Baldwin and his company
over the years, and had worked with him and others in the private sector
to stay ahead of online threats.
Mr. Baldwin did not start out as a security guru. Early in his career he
worked at BellSouth, helping to introduce its dial-up network. Immediately,
hackers tried to break in. What began as a curiosity, figuring out
who they were and how they attacked their victims, became his life's
In an industry dominated by those who charge high fees for other people's
intelligence, one person said, Mr. Baldwin stands out as a boy scout
who simply wants to catch criminals and routinely shares information free.
With prosecutions and extraditions of hackers rare, Mr. Baldwin is motivated,
say those familiar with him, to do everything possible to disrupt their
He works closely with the National Cyber-Forensics and Training Alliance,
a nonprofit based in Pittsburgh that brings together law enforcement, private
industry members, security consultants and academic scholars to share information
to prevent and mitigate the threats. The group works closely with many American
banks and corporations and has received contributions in recent years from
Bank of America, Microsoft and Symantec.
Some have likened Mr. Baldwin's sleuthing to that of Brian Krebs, the
security blogger who earned attention investigating Russian spammers and
has been pranked by spammers as a result. But security researchers say Mr.
Baldwin's investigations take him much deeper into the netherworld of
That explains Mr. Baldwin's low profile over the past few years.
"I'm not a press hound," he said. "There are serious
personal safety issues to consider."