When experts in a field accuse you of promoting “snake oil,” is the proper response to:
1. Double down and argue with them
2. Sue them for not showing you proper respect after you paid $115,000 to be able to present at a conference without prior review by organizers, or
3. Slink away and lick your wounds?
Robert Grant seems to have picked #1 and #2. And this week, some hackers may have sent him a message that his decisions have consequences. They appear to have hacked one of his sites and dumped data which, at the very least, will embarrass some of his investors. At worst, it may result in ethics charges against some of his investors and regulator inquiries about whether Grant has fully complied with SEC requirements. But let’s start with reviewing how we got to the point where someone might be motivated to hack Grant’s site(s) or embarrass him.
Robert Edward Grant is the founder & CEO of Strathspey Crown LLC. Grant describes the company as having “a broad portfolio of company and asset holdings spanning healthcare, clean energy, social media, and financial technology. His interests and work in mathematics and physics led to the discoveries and disruptive approach to cryptography, on which Crown Sterling is founded.”
In August, Crown Sterling paid gold sponsorship fees to UBM LLC (aka Black Hat USA). For their $115,000, they were allowed to give a sponsored talk that was not first reviewed by Black Hat. Grant used the talk to present their approach to cryptography (an approach that this site will not pretend to understand).
Grant’s talk didn’t go over as well as Grant might have liked, especially when Dan Guido of Trail of Bits got up and confronted him. You can see a bit of that confrontation here. The clip and controversy attracted attention on Twitter, with predictable results.
What started in Vegas didn’t stay in Vegas
The confrontation and criticisms of Grant’s paper and presentation mushroomed, with PC Magazine reporter Max Eddy quoting cryptography expert Jean-Philippe Aumasson of Teserakt, who described Crown Sterling as having “all the signs of ‘snake oil’ crypto: extravagant claims, total lack of experience in the domain, no technical documentation, no testable software, no reference.” Aumasson was not the only harsh critic. When Bruce Schneier brushes off his Doghouse column to call you “complete and utter snake oil,” you know there’s cause for concern.
In response to mounting criticism, Black Hat basically disappeared Crown Sterling from the site’s program and coverage of the conference on their site. Crown Sterling then sued Black Hat. Mike Masnick of TechDirt has a write-up about the lawsuit.
In a phone conversation with Gizmodo after filing the suit, Grant reportedly said that the security industry was responding negatively to his company and its research because it wasn’t ready for the change he’s trying to incite:
“I think there’s quite a bit of fake news that’s gone on here. And you know the fact is this is a very disruptive concept. And if anything we probably underestimated the amount of industry concern that would get generated as a result of this. But hey, it is what it is”
Apparently the security industry was still not ready for the change he’s trying to incite, as a lengthy piece Ars Technica ran generally drew snarky comments and more boos. And one month later, in response to a press release from Crown Sterling, Schneier did a second post about their claims, writing, in part, “Is anyone taking this company seriously anymore?”
It doesn’t get much worse than that.
But then it did get worse
Yesterday, an anonymous source pointed me to a paste and a data dump. The paste begins by mocking “Time AI.” But of note, the paste suggests that when they dug into things,
Our agent found all sorts of criminal activity and decided to publish everything to corrupt the initial creation of the time AI causing the issue.
It’s easy to anonymously accuse people of criminal behavior. So what proof did they offer? They appear to have gained access to a private forum called shoutMD. shoutMD is a site owned by Alphaeon Corporation, a private company founded by Robert Grant, who sits on its board. And according to the hackers:
Since the api to search members practically drooled the permissions information for each user, he chose one and recovered his password in the future, then sent it back to 2019.
After reading the entire paste, it seems clear that the hackers spent quite a bit of time reading the members’ info and the forum posts. And quoting from the posts, the zine accuses Grant of scamming investors:
Multiple scams were identified in the post content. Investors ask for their actual shares (somehow he received money and didn’t distribute them), complain about various doublespeak, and more.
DataBreaches.net will not quote all of the posts that the hackers quoted in the zine (the posts are all available in the data dump on an onion site), but even if what the hackers claim about Grant’s behavior and investors’ concerns is true, would it be “illegal?” That is a question that this site is not qualified to answer.
But claiming that Grant is scamming investors is not the only allegation of wrongdoing by Grant that the zine makes. There are other accusations as well.
Regardless of whether the data dump reveals any wrongdoing by Grant, it does reveal conduct by identifiable physicians that can be problematic for the physician investors. In discussing how to boost their profits from a medication they invest in and use in their practices (Jeuveau, which is made by Grant’s company, Evolus), the doctors share their strategies with each other. As examples, one physician wrote:
I am pricing it at the same price I had priced Botox for the last five years. But, I have now raised the price of Botox once I started using Jeuveau. If you price it less than you have been charging for Botox, patients will view it as a cheaper product, which it is not. This way I have increased my profit on both products but people will have an incentive to use Jeuveau.
I tell my patients that the price of Botox went up because I’ve had multiple price increases but did not want to increase their cost. Now that I have a premium product to offer them that I can get for a little less than I paid for Botox I can extend that discount to them.
Do they tell their patients that they are investors in Jeuveau, if they are investors in it?
The hackers compiled a list of more than 100 physicians who are allegedly promoting Jeuveau on social media without disclosing that they have a financial investment in the product.
If that’s true, then those physicians could be charged with ethics violations if the data were sent to their respective state medical licensing boards.
So Who ARE These Masked Attackers/Revealers of Secrets?
DataBreaches.net does not know, but notes that the paste ends with some shouts “to everyone calling out what kind of fraud this guy is. Also shoutz to h0n0, el8, d1kl1ne, zf0, 4nt1s3c, etc.”
Somehow, this does not seem like the end of their interest in Grant. And I note that they called their zine, “Volume 1.”
Grant did not respond to this site’s questions to him about the hack and the alleged wrongdoing. This post may be updated if a response is received.