Shauli Zacks
Published on: December 12, 2024
SafetyDetectives recently had the opportunity to interview John Drakopoulos, the founder and CEO of DragonWare, a company that stands out for its dual focus on website development and cybercrime investigation. With a career that began in his early teens, John’s journey from a self-taught web developer to a cybersecurity expert reflects a lifelong passion for technology. His unique blend of technical skills and investigative acumen enables DragonWare to bridge the gap between cybercrime prevention and investigation. In this interview, John discusses the inspiration behind DragonWare, the challenges of tracking cybercriminals, and the innovative methods his team uses to safeguard organizations from modern cyber threats.
Can you share what inspired you to establish DragonWare and how your background influenced your focus on both website building and cybercrime investigation?
I was fortunate to grow up in a family where technology played a central role. My father was one of the early enthusiasts of computing, and my mother ensured I had everything I needed to pursue my passion. This unique environment allowed me to stay at the forefront of technological developments. Being part of the generation that witnessed the internet’s early days, I quickly became fascinated by it. As a preteen, I started learning programming languages and building websites as a hobby, which back then were vastly different from the complex websites we see today. While growing up, I gained a degree in Information Technology Engineering.
At 15, I got my first job at an IT company. A chance event caught the owner’s attention, and he began assigning me diverse responsibilities, including computer repairs, software development, and website creation. I even worked on WAP sites, which enjoyed brief popularity at the time. My background in graphic editing and art lessons from a young age gave me a creative edge, allowing me to handle both the technical and design aspects of web development with success. Over time, my dedication to delivering quality results earned the appreciation of my clients, and my client base grew larger and larger.
My path into cybercrime investigation was a natural progression. Like many in this field, there was a period in my teenage years and after when the “black hat” world intrigued me and became part of my identity. However, as I grew older, I had an experience that changed my perspective. A friend fell victim to online fraud, and helping him marked a turning point. It revealed how I could channel my skills into helping others and addressing real-world problems.
Over the years, I’ve come to believe that everyone with a similar background eventually reaches a point of reflection. With time, you calm down and gain a clarity that you didn’t have in your younger years. At that stage, you either leave it all behind or transform it into a profession. For me, it was the latter. I worked as a freelancer for many years, but founding DragonWare was a natural evolution. It allowed me to better organize and scale my services, offering a more comprehensive and structured approach to both website development and cybercrime investigation.
What sets DragonWare apart from other companies offering cybersecurity services, especially in your approach to cybercrime investigation and prevention?
Cybercrime investigation and prevention are, in reality, two distinct areas, even though gaps in prevention often pave the way for insights during an investigation. My background has laid a strong foundation for how we approach both these aspects at DragonWare.
When dealing with a fraud case, one of the first questions we ask ourselves is, “What would we have done?” From there, we reverse-engineer the scenario: “Do the victims have the knowledge or tools they need to prevent this?” This method allows us to bridge prevention and investigation in a way that not only uncovers how the crime occurred but also empowers individuals and organizations to better protect themselves in the future.
Beyond methodology, what truly sets DragonWare apart is our relentless commitment to continuous learning. In this field, for every hour of work, countless hours of research and experimentation are required. To understand how a cybercrime was committed, you must first be capable of executing it yourself. Only then can you recognize the traces, patterns, and strategies used, enabling you to conduct thorough investigations.
This process of constant study and experimentation is integral to everything we do. By remaining dedicated to ongoing education and staying ahead of emerging threats, we ensure that our expertise remains sharp and our work consistently exceeds expectations. This unwavering pursuit of excellence is what defines DragonWare and sets us apart in the cybersecurity landscape.
With your experience in investigating cybercrime cases, what are the most common challenges in tracing evidence and identifying perpetrators?
The specific challenges vary depending on the type of crime. The difficulties are rarely about how the crime was committed—that can almost always be determined eventually—or even why it was done (as motivations, beyond financial gain, can vary). Instead, the real challenge lies in identifying who committed the crime.
These challenges can be categorized into three main areas: technology, the victim, and the state.
In the technology category, theoretically, there can be numerous difficulties since it is a rapidly evolving landscape. However, in practice, most fraud cases follow predictable patterns, and perpetrators often rely on basic tools such as VPNs. The real challenges in this category often come from the victim’s side. For instance, you’d be surprised how many companies host their corporate email servers on shared hosting environments or how many servers retain log files for only three days. That said, technological advancements such as encryption and anonymity tools (beyond VPNs) can present greater challenges. For example, the use of the dark web and cryptocurrencies for anonymous transactions poses significant difficulties.
In the victim category, the biggest challenge is often the delay between when a crime is committed and when the victim decides to involve a professional for investigation. The longer the delay, the harder it becomes to collect evidence. Combined with inadequate security measures within a company, evidence collection can become even more complicated. This delay can stem from a late realization that fraud has occurred or because a company takes time to “weigh” whether or not to admit it has fallen victim to fraud. While there are other challenges, I believe that delay is the most critical one in this category.
In the state category, this refers to the laws of the country from which the perpetrator operated. Even if we have all the evidence, the legislation in the perpetrator’s country may be inadequate or, worse, the state itself may shield the perpetrator by refusing to cooperate with the victim’s authorities. I recall a specific case where we had the perpetrator’s home address, yet the authorities in their country did nothing. These countries may demand compliance with their laws from other nations but systematically protect perpetrators within their borders. Moreover, a lack of communication and coordination between jurisdictions often makes resolving such cases even more challenging.
While developed countries generally have adequate legislation and cooperation agreements in place, it is important to recognize that the majority of cyberattacks do not originate from these nations. Instead, many come from countries where legal frameworks or international cooperation may be less robust, or where there may be political or strategic factors that hinder collaboration with Western authorities. This adds another layer of complexity to global efforts in addressing these crimes.
The above mainly pertains to fraud cases, as the challenges can differ significantly in other types of cybercrime.
How do you ensure that the evidence gathered during your investigations is robust enough to stand up in court? Are there specific methodologies or tools you rely on?
The process and collection of evidence are key in any investigation. The investigator does not have the authority of a judge or a police officer. Our job is to collect all available evidence and to identify and map out the steps that led to the crime. For each step in the investigation, we gather the corresponding evidence and document all methodologies, tools, and findings to ensure transparency and reproducibility.
This process guides the police in the direction they need to follow during their own investigation, assisting them in building the case file. Clear, well-documented reports are then prepared, which can be understood even by non-experts, such as judges and jurors. When the evidence can be proven and presented by a certified professional, it is accepted by the court.
Our methodology adapts to the nature of each cybercrime. In such a dynamically evolving landscape, the idea that we follow a “standard approach” is incorrect.
We use a wide range of tools to cover all the needs of the investigation. Specifically, tools for collecting and analyzing digital evidence from hard drives, external devices, and mobile devices, tools for analyzing network traffic and detecting malicious activity, as well as tools for analyzing digital files and memory. All the tools and methods we use are focused on ensuring the integrity and validity of the evidence.
Insider threats are a growing concern for businesses. What key strategies do you recommend to organizations for minimizing these risks through employee training?
Employee training is crucial for minimizing insider threats as it helps employees recognize suspicious behaviors, avoid social engineering traps, and apply secure data practices. It’s important to foster a security culture where everyone feels responsible and comfortable reporting suspicious incidents. Regular training, hands-on simulations, and updates on emerging threats ensure that employees remain informed and prepared. Strict access management and the segregation of duties further enhance data security. Additionally, implementing processes that ensure the proper handling of sensitive information and using monitoring tools can act proactively. Finally, employees should understand how their actions impact the overall security of the organization and be encouraged to actively contribute to its protection.
Something that is often overlooked, but is extremely important, is the level of satisfaction an employee feels with their employer. An employee who feels wronged or underpaid is much more likely to not only betray trust but, more commonly, to disregard security protocols. This is because someone who feels wronged may react by neglecting things they perceive as less important, such as security measures.
Social engineering attacks are becoming more sophisticated. What are the most critical signs employees should be trained to recognize to prevent falling victim?
Social engineering attacks are becoming increasingly sophisticated, and employee training is critical for protection against them. There are many things that an employee should be aware of, but some of the most important signs to recognize include messages that demand immediate action or imply negative consequences, creating time pressure for decisions that leave no room for careful thought. Requests for passwords, personal information, or financial data, especially from unauthorized individuals, should raise red flags. Similarly, requests that seem unusual or outside the scope of an employee’s normal duties, or messages from seemingly familiar contacts using a different email address or phone number, should be questioned.
Attackers often try to build trust by impersonating colleagues, suppliers, or superiors, and may appear to be informed about internal company information. However, these details may be publicly available, and employees should always be suspicious and cross-check such information. Additionally, attackers might provide minimal information to avoid questions or offer excessive details to seem convincing. Messages or phone calls received outside working hours or from unknown sources should also raise serious concerns.
Furthermore, attackers may ask employees to bypass security protocols, claiming urgency or special authorization. Social engineers frequently use techniques such as fear, empathy, or curiosity to manipulate their targets. It is also important to remember that the attacker could be a former employee, or collaborate with one, and thus be in a position to know sensitive internal information. Preventive training and the cultivation of a security culture can significantly reduce the risks posed by such attacks.
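As an added illustration, not code from DragonWare or the interview, here is a small Python checker that scores an incoming e-mail against the warning signs listed in this answer: a familiar display name writing from an address other than the one on file, urgency language, requests for credentials or financial data, a request to bypass a procedure, and receipt outside working hours. The contact directory, phrase lists and sample messages are constructed for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from email.utils import parseaddr

# Constructed directory of known contacts (display name -> address on file).
KNOWN_CONTACTS = {"Maria Papadopoulou": "maria.p@example-corp.test"}

# Phrase patterns for the red flags named in the answer above (illustrative, not exhaustive).
URGENCY = re.compile(r"\b(immediately|urgent|right now|within the hour|or else)\b", re.I)
SENSITIVE = re.compile(r"\b(password|credentials|bank details|iban|credit card|wire transfer|gift card)\b", re.I)
BYPASS = re.compile(r"\b(skip|bypass|ignore)\b.{0,40}\b(approval|verification|procedure|policy|protocol)\b", re.I)

@dataclass
class Message:
    from_header: str
    subject: str
    body: str
    received: datetime

def red_flags(msg: Message, workday=(8, 18)) -> list:
    flags = []
    name, addr = parseaddr(msg.from_header)
    expected = KNOWN_CONTACTS.get(name)
    # Familiar display name, but not the address we have on file for it.
    if expected and addr.lower() != expected.lower():
        flags.append(f"known contact '{name}' writing from unexpected address {addr}")
    text = f"{msg.subject}\n{msg.body}"
    if URGENCY.search(text):
        flags.append("time pressure or threatened consequences")
    if SENSITIVE.search(text):
        flags.append("request for credentials or financial data")
    if BYPASS.search(text):
        flags.append("asks to bypass a security procedure")
    # Weekend, or outside the configured working-hours window.
    if msg.received.weekday() >= 5 or not (workday[0] <= msg.received.hour < workday[1]):
        flags.append("received outside working hours")
    return flags

# Constructed sample messages: one spoofed "colleague" request, one routine note.
SUSPICIOUS = Message(
    '"Maria Papadopoulou" <maria.papadopoulou@mail-secure.test>',
    "URGENT: wire transfer needed before 5pm",
    "I'm in a meeting and can't call. Process the wire transfer immediately and skip the usual approval.",
    datetime(2024, 12, 7, 22, 15),  # Saturday evening
)
ROUTINE = Message('"Maria Papadopoulou" <maria.p@example-corp.test>', "Agenda for Tuesday",
                  "Attached is the agenda.", datetime(2024, 12, 10, 10, 0))  # Tuesday morning
```

Run `red_flags(SUSPICIOUS)` to see all five signs reported, while `red_flags(ROUTINE)` returns an empty list; in practice the phrase lists and contact directory would come from the organization's own data.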