Police Arrest 21 WeLeakInfo Customers Who Bought Breached Personal Data
26.12.2020 Crime Thehackernews
21 people have been arrested across the UK as part of a nationwide cyber crackdown targeting customers of WeLeakInfo[.]com, a now-defunct online service that had been previously selling access to data hacked from other websites.
The suspects used stolen personal credentials to commit further cyber and fraud offences, the NCA said.
Of the 21 arrested, all men aged between 18 and 38, nine have been detained on suspicion of Computer Misuse Act offences, nine for fraud offences, and three are under investigation for both. The NCA also seized over £41,000 in bitcoin from the arrested individuals.
Earlier this January, the US Federal Bureau of Investigation (FBI), the UK National Crime Agency (NCA), the Netherlands National Police Corps, the German Bundeskriminalamt, and the Police Service of Northern Ireland jointly seized the domain of WeLeakInfo.com.
Launched in 2017, the service provided its users a search engine to access the personal information illegally obtained from over 10,000 data breaches and containing over 12 billion indexed stolen credentials, including, for example, names, email addresses, usernames, phone numbers, and passwords for online accounts.
On top of that, WeLeakInfo offered subscription plans allowing unlimited searches and access to the results of these data breaches for a subscription period of one day ($2), one week ($7), one month ($25) or three months ($70).
The cheap subscriptions made the website accessible to even entry-level, apprentice-type hackers, letting them get hold of a huge cache of data for as little as $2 a day, and in turn, use those stolen passwords to mount credential stuffing attacks.
Following the domain's seizure in January, two 22-year-old men, one in the Netherlands and another in Northern Ireland, were arrested in connection with running the site. WeLeakInfo's Twitter handle has since gone quiet.
NCA said besides being customers of the website, some of the arrested men had also purchased other cybercrime tools such as remote access Trojans (RATs) and crypters, with three other subjects found to be in possession of indecent images of children.
"Cyber criminals rely on the fact that people duplicate passwords on multiple sites and data breaches create the opportunity for fraudsters to exploit that," NCA's Paul Creffield said. "Password hygiene is therefore extremely important."
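The credential-stuffing scenario the NCA describes, leaked username and password pairs replayed against other sites, leaves a recognisable trace in authentication logs: one source tries many distinct accounts, each only once or twice, and almost all attempts fail, whereas a password-guessing attack hammers a single account. The script below is an added example, not code from the article or from the NCA; the log line format, the 10-minute window, the thresholds and the sample lines (using RFC 5737 documentation addresses) are all constructed assumptions.

```python
"""Flag credential-stuffing patterns in authentication logs.

Added example, not from the article.  The log format, thresholds and the
sample lines below are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line shape: "<ISO time>Z src=<ip> user=<name> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: 203.0.113.5 replays leaked pairs against six accounts (one
# password was reused elsewhere, so one login succeeds); 198.51.100.7 guesses a
# single account repeatedly (brute force, not stuffing); 192.0.2.10 is an
# ordinary login.
SAMPLE_LOG = [
    "2020-12-20T10:00:00Z src=203.0.113.5 user=alice result=FAIL",
    "2020-12-20T10:00:03Z src=203.0.113.5 user=bob result=FAIL",
    "2020-12-20T10:00:05Z src=198.51.100.7 user=bob result=FAIL",
    "2020-12-20T10:00:07Z src=203.0.113.5 user=carol result=FAIL",
    "2020-12-20T10:00:09Z src=198.51.100.7 user=bob result=FAIL",
    "2020-12-20T10:00:11Z src=203.0.113.5 user=dave result=OK",
    "2020-12-20T10:00:12Z src=192.0.2.10 user=erin result=OK",
    "2020-12-20T10:00:14Z src=198.51.100.7 user=bob result=FAIL",
    "2020-12-20T10:00:15Z src=203.0.113.5 user=frank result=FAIL",
    "2020-12-20T10:00:18Z src=198.51.100.7 user=bob result=FAIL",
    "2020-12-20T10:00:19Z src=203.0.113.5 user=grace result=FAIL",
    "2020-12-20T10:00:22Z src=198.51.100.7 user=bob result=FAIL",
]


def parse(lines):
    """Turn raw lines into (time, src, user, result) tuples; skip malformed ones."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["src"], m["user"], m["result"]))
    return events


def find_credential_stuffing(lines, window=timedelta(minutes=10),
                             min_users=5, min_fail_ratio=0.8):
    """Return {source_ip: summary} for sources that, within `window`, tried at
    least `min_users` distinct accounts with mostly failures.  Many accounts with
    few attempts each is the stuffing signature; many attempts on one account is
    brute force and belongs to a different rule."""
    by_src = defaultdict(list)
    for ev in parse(lines):
        by_src[ev[1]].append(ev)

    hits = {}
    for src, evs in by_src.items():
        evs.sort()                      # oldest first
        start = 0
        for end in range(len(evs)):     # slide a time window over the events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e[2] for e in span}
            fails = sum(1 for e in span if e[3] == "FAIL")
            if len(users) >= min_users and fails / len(span) >= min_fail_ratio:
                best = hits.get(src)
                if best is None or len(users) > best["distinct_users"]:
                    hits[src] = {
                        "distinct_users": len(users),
                        "attempts": len(span),
                        "failures": fails,
                        # accounts that accepted a replayed password: reset these first
                        "compromised": [e[2] for e in span if e[3] == "OK"],
                    }
    return hits


if __name__ == "__main__":
    for src, summary in find_credential_stuffing(SAMPLE_LOG).items():
        print(src, summary)
```

The "compromised" list is the actionable part: an account that accepted a password during a stuffing run is one whose owner reused a breached password, which is exactly the hygiene problem the NCA quote points at.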
Ex-Cisco Employee Convicted for Deleting 16K Webex Accounts
15.12.2020 Crime Threatpost
The insider threat will go to jail for two years after compromising Cisco’s cloud infrastructure.
A man has been sentenced to two years in jail after being convicted of hacking Cisco’s Webex collaboration platform in an insider-threat case brought to the U.S. District Court in California.
Sudhish Kasaba Ramesh, 31, admitted that he broke into Cisco’s cloud infrastructure, hosted on Amazon Web Services, in 2018, about four months after he resigned from the company. From there, according to his plea agreement, he deployed code from his Google Cloud Project account that automatically deleted 456 virtual machines hosting the WebEx Teams application.
As a result, 16,000 WebEx Teams accounts were shut down for up to two weeks, and the incident cost Cisco about $1.4 million in remediation costs, including refunding $1 million to affected customers, according to a court announcement.
The defendant was further sentenced to a one-year period of supervised release following the 24 months in prison. In addition to jail time, the court ordered Ramesh to pay a $15,000 fine for intentionally accessing a protected computer without authorization and recklessly causing damage to Cisco.
He will begin serving the sentence on February 10, 2021.
It’s unclear why Ramesh mounted the attack or how he was able to access Cisco’s infrastructure after he was no longer working for the company.
Insider threats, be they disgruntled former employees, rogue employees or clueless workers who accidentally create risk, are an ongoing top danger for companies. Often, employees are groomed by outsiders. According to a 2019 study from OpenText, between 25 and 30 percent of data breaches involved an external actor working with an internal person in an organization.
“We used to focus on external threat actors, but now, when compromising the network, many have someone on the inside, whether it’s because they bribed them or blackmailed them,” Paul Shomo, senior security architect with OpenText, said at the time.
The insider-threat issue has been exacerbated by the transition to remote work. In the past, insider threats from employees and others given access to the network were more easily monitored because they were inside the network perimeter, and so malicious activity could be more easily detected.
“Even while employees continue to work from home, they still require access to corporate assets to do their jobs well,” said Justin Jett, director of compliance and audit at Plixer, in a recent Threatpost column. “Without access, some employees can’t perform their duties at all. Organizations must define long-term policies for how employees access company-owned assets, especially if they intend to allow employees to work from home indefinitely. Such policies should include restricting access by role, as well as other security measures like requiring employees to be connected to the corporate VPN.”
Former Cisco Employee Sentenced to Prison for Webex Hack
15.12.2020 Crime Securityweek
An Indian national who moved to California on an H1-B work visa was sentenced to 24 months in prison last week for accessing and damaging Cisco’s network.
The man, Sudhish Kasaba Ramesh, 31, admitted on August 26, 2020, to intentionally accessing the network without authorization, and to causing damage to it. Ramesh is a former Cisco employee, who resigned in April 2018.
In his plea agreement, Ramesh admitted to illegally accessing Cisco cloud infrastructure hosted on Amazon Web Services.
During the unauthorized access, which took place on September 24, 2018, Ramesh installed code that eventually resulted in 456 virtual machines for Cisco’s Webex Teams application being erased.
Ramesh said the code deployment was a reckless act and admitted to consciously disregarding the substantial risk that the action would result in damage to Cisco.
Ramesh’s conduct resulted in more than 16,000 Webex Teams accounts being closed for up to two weeks. However, the action did not result in customer data being compromised.
To restore the damage, Cisco spent roughly $1.4 million in employee time and had to refund in excess of $1 million to affected customers.
On July 13, 2020, Ramesh was indicted with one count of intentionally accessing a protected computer without authorization and recklessly causing damage. In addition to the prison term, he was also sentenced to one year of supervised release and ordered to pay a $15,000 fine.
Ramesh, who is not in custody at the moment, will begin serving the sentence on February 10, 2021, the Department of Justice announced.
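Both the Threatpost and SecurityWeek reports describe the same pattern: a former employee whose access was never revoked runs code that erases hundreds of virtual machines in one go. Two cheap detections follow from that, and the script below demonstrates both on constructed data as an added example (it is not Cisco's tooling and is not from either article). It assumes CloudTrail-shaped records (eventTime, eventName, userIdentity.arn, sourceIPAddress, requestParameters) and an offboarding list fed from HR; the account ID, ARNs, instance IDs, IP addresses and timestamps are all made up.

```python
"""Two detections for the insider scenario: a burst of destructive cloud API
calls, and any activity at all by an identity that should have been offboarded.

Added example, not from the articles.  Records mimic the shape of AWS CloudTrail
events; every value below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# API calls that destroy resources (assumed subset; extend for your environment)
DESTRUCTIVE = {"TerminateInstances", "DeleteVolume", "DeleteDBInstance", "DeleteBucket"}

FORMER = "arn:aws:iam::123456789012:user/former-engineer"   # constructed ARN
OPS = "arn:aws:iam::123456789012:role/ops-automation"       # constructed ARN

# Constructed: identities whose access should have ended (fed from HR offboarding)
OFFBOARDED = {FORMER}


def _record(when, actor, ip, name, instance_ids=()):
    """Build one CloudTrail-like record (constructed sample data)."""
    rec = {"eventTime": when, "eventName": name, "sourceIPAddress": ip,
           "userIdentity": {"arn": actor}}
    if instance_ids:
        rec["requestParameters"] = {
            "instancesSet": {"items": [{"instanceId": i} for i in instance_ids]}}
    return rec


SAMPLE_RECORDS = [
    # an ops role retiring two instances: routine
    _record("2020-01-01T02:00:00Z", OPS, "10.0.0.5", "TerminateInstances",
            ["i-0000aa01", "i-0000aa02"]),
    # the offboarded identity first lists instances, then terminates 25 in five calls
    _record("2020-01-01T02:10:00Z", FORMER, "198.51.100.23", "DescribeInstances"),
] + [
    _record(f"2020-01-01T02:1{k}:30Z", FORMER, "198.51.100.23", "TerminateInstances",
            [f"i-0bad{k}{n:04d}" for n in range(5)])
    for k in range(5)
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def destructive_bursts(records, window=timedelta(minutes=15), threshold=20):
    """Per IAM principal, count resources hit by destructive calls inside any
    `window`; report principals reaching `threshold`.  TerminateInstances takes a
    list of instance IDs, so resources are counted rather than API calls."""
    per_actor = defaultdict(list)
    for r in records:
        if r["eventName"] not in DESTRUCTIVE:
            continue
        items = r.get("requestParameters", {}).get("instancesSet", {}).get("items", [])
        per_actor[r["userIdentity"]["arn"]].append(
            (_ts(r["eventTime"]), max(len(items), 1), r["sourceIPAddress"]))

    alerts = {}
    for arn, calls in per_actor.items():
        calls.sort()
        start = 0
        for end in range(len(calls)):
            while calls[end][0] - calls[start][0] > window:
                start += 1
            span = calls[start:end + 1]
            total = sum(c[1] for c in span)
            if total >= threshold and total > alerts.get(arn, {}).get("resources", 0):
                alerts[arn] = {"resources": total,
                               "source_ips": sorted({c[2] for c in span})}
    return alerts


def offboarded_activity(records, offboarded=OFFBOARDED):
    """Any call by an identity on the offboarding list is a finding by itself,
    destructive or not: the credential should not work at all."""
    return sorted({(r["userIdentity"]["arn"], r["eventName"])
                   for r in records if r["userIdentity"]["arn"] in offboarded})


if __name__ == "__main__":
    print(destructive_bursts(SAMPLE_RECORDS))
    print(offboarded_activity(SAMPLE_RECORDS))
```

The offboarding check is the more important of the two: it fires on the first harmless DescribeInstances call, before anything is deleted, and it is the control the Plixer column's advice about role-based access and long-term access policies amounts to in practice.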
Russian Alexander Vinnik sentenced in Paris to five years in prison for money laundering
9.12.2020 Crime Securityaffairs
Russian citizen Alexander Vinnik was sentenced in Paris to five years in prison for money laundering and ordered to pay 100,000 euros in fines.
The man went on trial in Paris for having defrauded nearly 200 victims across the world of 135M euros using ransomware.
Alexander Vinnik allegedly headed the Bitcoin exchange BTC-e; he is charged with various hacking-related crimes in Russia, France and the United States.
The French court acquitted Vinnik of charges of extortion and association with a cybercrime organization.
In 2017, Greek Police arrested the Russian national Alexander Vinnik and they accused the man of running the BTC-e Bitcoin exchange to launder more than US$4bn worth of the cryptocurrency.
The authorities reported that since 2011, 7 million Bitcoin had gone into the BTC-e exchange and 5.5 million had been withdrawn.
According to the Greek media outlet the Daily Thess, the FBI tracked Alexander Vinnik for more than a year.
US authorities charged the man with fraud and money laundering involving more than $4 billion worth of Bitcoin (BTC) derived from criminal activities; US prosecutors requested his extradition in July 2017.
Vinnik is also accused of being responsible for the failure of the Japanese bitcoin exchange Mt. Gox.
Mt. Gox was the biggest Bitcoin exchange at the time of its shutdown in 2014, which occurred after the platform fell victim to a series of cyber heists totalling $375 million in Bitcoin.
The U.S. authorities speculate that the Russian man stole funds from Mt. Gox with the help of an insider. The stolen funds were transferred to a wallet managed by Vinnik and laundered through his BTC-e platform over a three-year period.
In July 2018 there was a twist: a Greek lower court agreed to extradite Vinnik to France to face charges of hacking, money laundering, extortion and involvement in organized crime.
French authorities accused Vinnik of defrauding more than 100 people in six French cities between 2016 and 2018.
French prosecutors revealed that the 188 victims of Vinnik’s attacks included local authorities, businesses and individuals across the world.
In June, New Zealand police had frozen NZ$140 million (US$90 million) in assets linked to a Russian cyber criminal. New Zealand police had worked closely with the US Internal Revenue Service on the case and the investigation is still ongoing.
Vinnik continues to deny the charges of extortion and money laundering and did not answer the magistrates’ questions; his lawyer also announced that he is evaluating whether to appeal.
French prosecutors believe Vinnik was one of the authors of the Locky ransomware that was also employed in attacks on French businesses and organizations between 2016 and 2018.
At his trial, Vinnik said that he was not the kingpin of the organization, claiming to have served only as a technical operator executing the instructions of BTC-e’s directors.
Vinnik was convicted of money laundering but prosecutors didn’t find enough evidence to convict him of extortion.
“The court convicted Vinnik of money laundering but didn’t find enough evidence to convict him of extortion, and stopped short of the 10-year jail term and 750,000 euros in fines that prosecutors had requested.” reported the Associated Press.
“One of his French lawyers, Ariane Zimra, said his conviction for money laundering “doesn’t make sense,” arguing that cryptocurrency is not legally considered “money.””
Police arrest two people over stealing sensitive data from defense giant
7.12.2020 Crime Securityaffairs
Italian police have arrested two people who stole 10 GB of confidential and allegedly secret data from the defense company Leonardo S.p.A.
Italian police have arrested two people accused of stealing 10 GB of confidential data and military secrets from the defense company Leonardo S.p.A.
Leonardo is a state-owned multinational company and one of the world’s largest defense contractors.
The press release published by the Italian police states that the duo carried out a serious attack on the IT structures of the Aerostructures Division and the Aircraft Division of Leonardo SpA.
The two are Arturo D’Elia, a former employee of Leonardo SpA’s IT security management, who is currently in jail, and Antonio Rossi, head of Leonardo’s CERT (Cyber Emergency Readiness Team), who has been placed under house arrest as a precautionary measure.
The head of Leonardo’s cyber-emergency team was placed under house arrest for allegedly misrepresenting the scope of the attack and hindering the investigation.
The prosecutors state that Leonardo’s security systems did not detect the malware that was allegedly used by the unfaithful employee.
The CNAIPIC of the Central Service of the Postal and Communications Police and the local police have arrested a former employee and a manager of the aforementioned company. The former is suspected of unauthorized access to computer systems, unlawful interception of electronic communications and unlawful processing of personal data; the latter of attempting to derail the investigation and cover up the crime.
In January 2017, the internal cybersecurity structure of Leonardo SpA reported anomalous network traffic, outgoing from some workstations of the Pomigliano D’Arco plant. According to the experts, the traffic was generated by an alleged implant used to exfiltrate the data.
The anomalous traffic was directed towards a web page called “www.fujinama.altervista.org”, which was already seized by the police.
One of the two suspects allegedly used USB keys to infect 94 workstations with a Trojan. The press release published by the police does not include technical details about the malware used to exfiltrate the information; it only reports that the malware poses as the legitimate Windows file “C:\Windows\system32\cftmon.exe” to evade detection.
The duo used the malware to steal the data between 2015 and 2017 and send it back to a command and control server (fujinama.altervista.org).
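The police report says only that the implant passed itself off as a Windows system file under C:\Windows\system32 to evade detection. A file name is no evidence of legitimacy, and the cheapest inventory check a defender can run is to compare executable names found on endpoints against a list of genuine Windows binaries and their expected directories, flagging one-edit look-alikes and known names sitting in the wrong place. The script below is an added example, not from the police report or from Leonardo: the allow-list is a small constructed subset (ctfmon.exe is the genuine Windows CTF Loader), the edit-distance threshold is an assumption, and the sample inventory paths are made up.

```python
"""Flag executables that masquerade as Windows system binaries by name.

Added example, not from the police report.  KNOWN is a small constructed
allow-list; a real one would be generated from a clean reference image.  The
sample inventory is made up.
"""
import ntpath

# name -> directories where the genuine binary lives (lower-case); constructed subset
KNOWN = {
    "ctfmon.exe":   {r"c:\windows\system32", r"c:\windows\syswow64"},
    "svchost.exe":  {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe":    {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
    "notepad.exe":  {r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows"},
}


def osa_distance(a, b):
    """Optimal-string-alignment edit distance: a swap of two adjacent characters
    counts as one edit, so 'cftmon.exe' and 'ctfmon.exe' are distance 1 apart."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # transposition
    return d[-1][-1]


def audit(paths, max_edits=1):
    """Return [(path, reason)] for names within `max_edits` of a known system
    binary, and for known names found outside their expected directories."""
    findings = []
    for path in paths:
        name = ntpath.basename(path).lower()
        folder = ntpath.dirname(path).lower()
        if name in KNOWN:
            if folder not in KNOWN[name]:
                findings.append((path, "known name outside expected directory"))
            continue
        for real in KNOWN:
            if osa_distance(name, real) <= max_edits:
                findings.append((path, f"lookalike of {real}"))
                break
    return findings


# Constructed endpoint inventory
SAMPLE_INVENTORY = [
    r"C:\Windows\System32\ctfmon.exe",
    r"C:\Windows\System32\cftmon.exe",
    r"C:\Users\jdoe\AppData\Roaming\svchost.exe",
    r"C:\Windows\System32\notepad.exe",
    r"C:\Program Files\Vendor\updater.exe",
]


if __name__ == "__main__":
    for path, reason in audit(SAMPLE_INVENTORY):
        print(f"{reason}: {path}")
```

A name check like this is a triage filter, not a verdict: anything it flags should be confirmed by hash or Authenticode signature against the reference image, and it would not have helped with the second problem the report mentions, the missing forensic copy of the patient-zero machine, which is an evidence-handling failure rather than a detection one.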
Local media reported that the forensic copies of the first machine infected with the malware have disappeared. The copies of the “patient zero” system handed over to the police were illegible.
Media reported that the exfiltrated data included confidential accounting information and military designs.
“Overall, 10 gigabytes of data, that is about 100,000 files, concerning administrative-accounting management, the use of human resources, the procurement and distribution of capital goods, as well as the design of civil aircraft components and military aircraft for the Italian and international market were exfiltrated,” reads the report by the press agency AGI. “Also captured were credentials for accessing personal information of Leonardo spa employees.”
Leonardo issued the following statement.
“With regards to the current measures adopted by the Naples judiciary, Leonardo announces that the investigation comes from a complaint by the Company’s security that has been followed by others. The measures concern a former collaborator who is not an employee of Leonardo, and a non-executive employee of the Company.” reads the statement.
“The Company, which is obviously the injured party in this affair, has provided maximum cooperation since the beginning and will continue to do so to enable the investigators to clarify the incident, and for its own protection. Finally, it should be noted that classified or strategic data is processed in segregated areas, without connectivity, and not within the Pomigliano plant.”
Hacker Gets 8 Years in Prison for Threats to Schools, Airlines
1.12.2020 Crime Securityweek
A North Carolina man was sentenced to 95 months in federal prison for his involvement in multiple cyber and swatting attacks.
The man, Timothy Dalton Vaughn, 22, known online under monikers such as “WantedbyFeds” and “Hacker_R_US,” was indicted in early 2019 and pleaded guilty in November 2019.
He admitted to sending threats, conveying false information concerning the use of explosives, intentionally damaging a computer, hacking, and possessing child pornography.
Responsible for making threats of shootings and bombings to numerous schools located in the United States and United Kingdom, Vaughn was sentenced to 95 months in prison for child pornography and 60 months for each of the other charges. He will serve the terms concurrently.
According to the United States Department of Justice, Vaughn was a member of an international collective of hackers and swatters known as Apophis Squad.
The group operated by placing threatening phone calls, sending bogus email reports of attacks at schools, and launching distributed denial-of-service (DDoS) attacks, all meant to cause disruption.
At least 86 school districts were targeted with emails threatening armed students and explosives, the DoJ said. In these emails, Vaughn and others claimed the detonation of a bomb, land mines on sports fields, and rocket-propelled grenade heads under school buses.
Vaughn and others also falsely claimed that men with weapons and explosives hijacked a flight traveling from London to San Francisco.
Furthermore, Vaughn engaged in DDoS extortion in early 2018, when he demanded 1.5 Bitcoin (approximately $20,000 at the time) from a Long Beach company, threatening to launch a DDoS attack on the firm’s website. He then proceeded with the attack when the company refused to pay.
Law enforcement also discovered that Vaughn possessed sexually explicit images and videos depicting children.
Indian National Gets 20-Year Jail in United States for Running Scam Call Centers
1.12.2020 Crime Thehackernews
An Indian national on Monday was sentenced to 20 years in prison in the Southern District of Texas for operating and funding India-based call centers that defrauded US victims out of millions of dollars between 2013 and 2016.
Hitesh Madhubhai Patel (aka Hitesh Hinglaj), who hails from the city of Ahmedabad, India, was sentenced in connection with charges of fraud and money laundering.
He was also ordered to pay restitution of $8,970,396 to identified victims of his crimes.
Earlier this January, Patel pleaded guilty to wire fraud conspiracy and general conspiracy to commit identification fraud, access device fraud, money laundering, and impersonation of a federal officer or employee.
"The defendant defrauded vulnerable US victims out of tens of millions of dollars by spearheading a conspiracy whose members boldly impersonated federal government officials and preyed on victims' fears of adverse government action," said Acting Attorney General Brian C. Rabbitt of the Justice Department's Criminal Division in a statement.
The "sentence demonstrates the department's commitment to prosecuting high-level perpetrators of such nefarious schemes. Even fraudsters operating scams from beyond our borders are not beyond the reach of the US judicial system."
The first-ever large-scale, multi-jurisdictional investigation targeting the India call center scam industry saw the US Department of Homeland Security (DHS) and Treasury Inspector General for Tax Administration (TIGTA) charging Patel and 60 co-conspirators for orchestrating a "complex scheme" that involved employees based out of call centers in Ahmedabad masquerading as officials from the IRS and US Citizenship and Immigration Services (USCIS).
Besides impersonation, the call center employees were found to engage in telephone call scams designed to con victims by threatening them with arrest, imprisonment, fines, or deportation for failing to pay alleged money owed to the government.
"Those who fell victim to the scammers were instructed how to provide payment, including by purchasing general purpose reloadable (GPR) cards or wiring money," the Department of Justice said. "Upon payment, the call centers would immediately turn to a network of 'runners' based in the US to liquidate and launder the fraudulently obtained funds."
Patel — who was arrested in Singapore before getting extradited to the US in April last year — had previously admitted to running multiple call centers, including one named HGLOBAL, to carry out his telefraud schemes, in addition to corresponding by email and WhatsApp messages to exchange credit card numbers, telephone scam scripts, and call center operations instructions with his co-defendants.
To date, a total of 24 domestic defendants associated with the money laundering scam have previously been convicted and sentenced to terms of imprisonment of up to 20 years.
Two Romanians Arrested for Running Malware Encryption Services
24.11.20 Crime Securityweek
Two Romanians suspected of running services for encrypting malware and testing it against antivirus engines were arrested last week.
Allegedly the operators of the CyberSeal and Dataprotector crypting services, as well as of the Cyberscan service, the duo is said to have provided aid to more than 1,560 criminals.
The services, Europol says, were used for crypting a variety of malware types, including information stealers, Remote Access Trojans (RATs), and ransomware families.
The illegal services were being offered on underground portals, at prices ranging between $40 and $300, depending on license conditions. The two provided constant updates and support to their customers.
Prices for the counter-antivirus service, which helped cybercriminals test the detection rates of their malware samples until they could ensure the malware was fully undetectable (FUD), ranged from $7 to $40.
Four houses were searched in Bucharest and Craiova as part of an operation conducted by Romanian police in cooperation with the FBI, the Australian Federal Police (AFP), the Norwegian National Criminal Investigation Service (Kripos), and Europol.
In addition to arresting the two, law enforcement took down backend infrastructure in Romania, Norway and the United States to disrupt the criminal services.
Former Microsoft worker sentenced to nine years in prison for stealing $10+ million
12.11.20 Crime Securityaffairs
A former Microsoft worker was sentenced to nine years in prison for a scheme to steal $10 million in digital currency.
Volodymyr Kvashuk (26), a former Microsoft software engineer, was sentenced this week to nine years in prison for a scheme to steal $10 million in digital currency.
Kvashuk, a Ukrainian citizen living in Renton, Washington, was responsible for helping test Microsoft’s online retail sales platform.
The man was involved in the testing of Microsoft’s online retail sales platform and abused testing access to steal “currency stored value” (CSV) such as digital gift cards. Kvashuk used email accounts associated with other Microsoft employees for his fraudulent activity.
“A former Microsoft software engineer was sentenced today in U.S. District Court in Seattle to nine years in prison for 18 federal felonies related to his scheme to defraud Microsoft of more than $10 million, announced U.S. Attorney Brian T. Moran.” reads the press release published by DoJ.
“In February 2020, KVASHUK was convicted by a jury of five counts of wire fraud, six counts of money laundering, two counts of aggravated identity theft, two counts of filing false tax returns, and one count each of mail fraud, access device fraud, and access to a protected computer in furtherance of fraud.”
The stolen digital currency could be redeemed for Microsoft products or gaming subscriptions, which the former Microsoft worker then resold online.
Microsoft fired the man in June 2018 after it discovered the fraudulent scheme.
U.S. District Judge James Robart sentenced the Ukrainian man and ordered him to pay more than $8.3 million in restitution. According to the DoJ, Kvashuk could be deported following his prison term.
“Stealing from your employer is bad enough, but stealing and making it appear that your colleagues are to blame widens the damage beyond dollars and cents,” Seattle U.S. Attorney Brian Moran said in a news release.
Kvashuk used part of the earnings of his activity to buy a Tesla and a $1.7 million lakefront home.
Russian cybercriminal Aleksandr Brovko sentenced to 8 years in jail
4.11.20 Crime Securityaffairs
Russian cybercriminal Aleksandr Brovko has been sentenced to eight years in jail for his role in a botnet scheme that caused at least $100 million in financial damage.
The Russian cybercriminal Aleksandr Brovko (36) has been sentenced to eight years in jail for his role in a sophisticated botnet scheme that caused at least $100 million in financial damage.
Brovko pleaded guilty in February to conspiracy to commit bank and wire fraud, he was an active member of several elite Russian-speaking underground forums.
“For over a decade, Brovko participated in a scheme to gain access to Americans’ personal and financial information, causing more than $100 million in intended loss,” said Acting Assistant Attorney General Brian C. Rabbitt of the Justice Department’s Criminal Division. “This prosecution and the sentence imposed show the department’s commitment to work with our international and state counterparts to bring cybercriminals to justice no matter where they are located.”
Aleksandr Brovko is accused of having used his programming skills to create a botnet that facilitated the large-scale theft and use of stolen personal and financial information.
The scripts developed by the cybercriminal were used to parse log data collected from the botnet, searching for personally identifiable information (PII) and account credentials. The man also verified the validity of stolen account credentials and assessed whether compromised financial accounts could be used to conduct fraudulent transactions.
In some cases, the man manually checked the stolen information.
“As reflected in court documents, from 2007 through 2019, Brovko worked closely with other cybercriminals to monetize vast troves of data that had been stolen by “botnets,” or networks of infected computers. Brovko, in particular, wrote software scripts to parse botnet logs and performed extensive manual searches of the data in order to extract easily monetized information, such as personally identifiable information and online banking credentials.” reads the press release published by the DoJ. “Brovko also verified the validity of stolen account credentials, and even assessed whether compromised financial accounts had enough funds to make it worthwhile to attempt to use the accounts to conduct fraudulent transactions.”
The Russian man possessed and trafficked over 200,000 unauthorized access devices consisting of both personally identifying information and financial account details.
Brovko was involved in the illegal practice between 2007 and 2019.
According to The Register, Brovko was retained by co-conspirator Alexander Tverdokhlebov, who was sentenced to over nine years in 2017 after pleading guilty to possessing 40,000 stolen credit card numbers and controlling a botnet composed of up to 500,000 infected computers.
“Aleksandr Brovko used his programming skills to facilitate the large-scale theft and use of stolen personal and financial information, resulting in over $100 million in intended loss,” said US Attorney Zachary Terwilliger. “Our office is committed to holding these criminals accountable and protecting our communities as cybercrime becomes an ever more prominent threat.”
Russian Sentenced to Prison in U.S. for Role in Cybercrime Scheme
4.11.20 Crime Securityweek
The United States on Monday announced the sentencing of a Russian national for his role in a scheme involving the theft and trading of personal and financial information.
The man, Aleksandr Brovko, 36, admitted in February to conspiring to commit bank and wire fraud. Documents presented in court revealed that he was active on multiple elite, online forums where Russian-speaking cybercriminals traded tools and services.
Between 2007 and 2019, Brovko collaborated with other cybercriminals for the monetization of large amounts of data stolen through botnets. He created scripts that were used to parse botnet logs, but also performed manual searches of the data, to extract the information that could be easily monetized.
Furthermore, he checked the validity of stolen account credentials and determined whether the compromised financial accounts had enough funds to be used in fraudulent transactions.
Over the course of the conspiracy, Brovko trafficked more than 200,000 records consisting of personally identifying information or details on financial accounts, court documents reveal.
Brovko’s actions resulted in estimated intended losses of more than $100 million. He was sentenced to eight years in prison.
“For over a decade, Brovko participated in a scheme to gain access to Americans’ personal and financial information, causing more than $100 million in intended loss. This prosecution and the sentence imposed show the department’s commitment to work with our international and state counterparts to bring cybercriminals to justice no matter where they are located,” Acting Assistant Attorney General Brian C. Rabbitt of the Justice Department’s Criminal Division said.
$100M Botnet Scheme Lands Cybercriminal 8 Years in Jail
3.11.20 Crime Threatpost
Aleksandr Brovko faces jail time after stealing $100 million worth of personal identifiable information (PII) and financial data over the course of more than 10 years.
Authorities have sentenced a hacker to eight years in prison for trafficking stolen personally identifiable information (PII) and online banking credentials resulting in losses totaling over $100 million.
Aleksandr Brovko, 36, formerly of the Czech Republic, pleaded guilty in February to conspiracy to commit bank and wire fraud, the Department of Justice (DoJ) said on Monday. The DoJ said that between 2007 and 2019, Brovko worked closely with other cybercriminals to monetize vast troves of data that had been stolen by botnets.
“For over a decade, Brovko participated in a scheme to gain access to Americans’ personal and financial information, causing more than $100 million in intended loss,” said Acting Assistant Attorney General Brian C. Rabbitt of the Justice Department’s Criminal Division, in a statement issued Monday. “This prosecution and the sentence imposed show the department’s commitment to work with our international and state counterparts to bring cybercriminals to justice no matter where they are located.”
According to the DoJ, Brovko was an active member of several elite, online forums designed for Russian-speaking cybercriminals to gather and exchange their criminal tools and services.
He specifically wrote software scripts used to parse botnet logs and performed manual searches of the data in order to extract “easily monetized” information.
Brovko also verified the validity of stolen account credentials, and assessed whether compromised financial accounts had enough funds to deem them “worthwhile” to use for conducting fraudulent transactions.
“According to court documents, Brovko possessed and trafficked over 200,000 unauthorized access devices during the course of the conspiracy,” said the DoJ. “These access devices consisted of either personally identifying information or financial account details.”
Botnets, or networks of infected computers, continue to show new innovations, expanded scope and increased targeting. In October, a new variant of the InterPlanetary Storm botnet was discovered, which comes with fresh detection-evasion tactics and now targets Mac and Android devices. In August, researchers warned of a peer-to-peer (P2P) botnet called FritzFrog that they say has been actively breaching SSH servers since January.
In June, new research emerged about a resurfaced hackers-for-hire group called DarkCrewFriends, which was targeting content management systems to build a botnet. The botnet can be marshalled into service to carry out a variety of criminal activities, including distributed denial-of-service (DDoS) attacks, command execution, information exfiltration or sabotage of an infected system. In May, it was revealed that the Hoaxcalls botnet, built to carry out large-scale distributed denial-of-service (DDoS) attacks, has been actively in development since the beginning of the year.
John McAfee has been arrested in Spain and is awaiting extradition
7.10.20 Crime Securityaffairs
The legendary cyber security expert John McAfee has been indicted on charges of tax evasion by the DoJ; authorities have arrested him in Spain.
The popular cyber security expert and cryptocurrency evangelist John McAfee has been indicted on charges of tax evasion by the Department of Justice (DOJ). The expert has been arrested in Spain and is awaiting extradition.
According to the indictment, the expert earned millions in income from promoting cryptocurrencies, consulting work, speaking engagements, and selling the rights to his life story for a documentary.
The authorities claim that McAfee failed to file tax returns on income received between 2014 and 2018.
“From 2014 to 2018, McAfee allegedly failed to file tax returns, despite receiving considerable income from these sources.” reads the press release published by DoJ.
“According to the indictment, McAfee allegedly evaded his tax liability by directing his income to be paid into bank accounts and cryptocurrency exchange accounts in the names of nominees.”
Investigators believe the income was routed into bank accounts and cryptocurrency exchange accounts held in the names of nominees.
According to prosecutors, McAfee allegedly attempted to evade the IRS by concealing assets, including real property, a vehicle, and a yacht, in the names of others.
The indictment does not allege that during these years McAfee received any income or had any connection with the anti-virus company bearing his name.
The DoJ announced the charges after the US Securities and Exchange Commission (SEC) also charged McAfee with fraudulently touting ICOs.
“The Securities and Exchange Commission today charged businessman and computer programmer John McAfee for promoting investments in initial coin offerings (ICOs) to his Twitter followers without disclosing that he was paid to do so.” reads the SEC’s press release.
“According to the SEC’s complaint, McAfee promoted multiple ICOs on Twitter, allegedly pretending to be impartial and independent even though he was paid more than $23 million in digital assets for the promotions.”
McAfee could face a maximum sentence of five years in prison on each count of tax evasion and a maximum sentence of one year in prison on each count of willful failure to file a tax return. The popular expert also faces a period of supervised release, restitution, and monetary penalties.
As always, a defendant is presumed innocent until proven guilty beyond a reasonable doubt.
Russian Who Hacked LinkedIn, Dropbox Sentenced to 7 Years in Prison
1.10.20 Crime Thehackernews
A Russian hacker found guilty of hacking LinkedIn, Dropbox, and Formspring more than eight years ago was this week sentenced by a federal court in San Francisco to 88 months (more than seven years) in a United States prison.
Yevgeniy Aleksandrovich Nikulin, 32, of Moscow hacked into servers belonging to three American social media firms, including LinkedIn, Dropbox, and now-defunct social-networking firm Formspring, and stole data on over 200 million users.
Between March and July 2012, Nikulin hacked into the computers of LinkedIn, Dropbox, and Formspring, and installed malware on them, which allowed him to remotely download user databases of over 117 Million LinkedIn users and more than 68 Million Dropbox users.
According to the prosecutor, Nikulin also worked with unnamed co-conspirators of a Russian-speaking cybercriminal forum to sell customer data he stole as a result of his hacks.
Besides hacking into the three social media firms, Nikulin has also been accused of gaining access to LinkedIn and Formspring employees' credentials, which helped him carry out the computer hacks.
"The Court also found that Automattic, parent company of Wordpress.com, was the victim of an intrusion by defendant, although there was no evidence that defendant stole any customer credentials," the Justice Department said.
Nikulin was arrested in Prague on October 5, 2016, by Interpol agents working in collaboration with the FBI, and extradited to the United States in March 2018 after a long extradition battle between the U.S. and Russia.
In 2016, the hacker was charged with nine felony counts of computer intrusion, aggravated identity theft, causing damage to a protected computer, trafficking in unauthorized access devices, and conspiracy.
After trial delays caused by the coronavirus pandemic, Nikulin was found guilty by a federal jury in early July this year and was sentenced to 88 months in prison on September 29.
Nikulin was convicted of selling stolen usernames and passwords, installing malware on protected computers, conspiracy, computer intrusion, and aggravated identity theft; U.S. District Judge William H. Alsup handed down the sentence.
Ahead of the September 29 sentencing hearing, federal prosecutors had sought a sentence of 145 months in prison (more than 12 years), three years of supervised release, and restitution.
Nikulin has been in U.S. custody since his extradition from the Czech Republic and begins serving his sentence effective immediately.
Russian national Yevgeniy Aleksandrovich Nikulin sentenced to 88 months in prison
1.10.20 Crime Securityaffairs
Russian national Yevgeniy Aleksandrovich Nikulin was sentenced to 88 months in prison for hacking LinkedIn, Dropbox, and Formspring in 2012.
The Russian national Yevgeniy Aleksandrovich Nikulin was sentenced to 88 months in prison in the United States for hacking LinkedIn, Dropbox, and Formspring in 2012.
Let’s summarize the criminal activities of the man who was arrested in Prague in October 2016 in an international joint operation with the FBI.
Nikulin first breached LinkedIn between March 3 and March 4, 2012: he infected an employee's laptop with malware, then used the employee's VPN access to reach LinkedIn's internal network.
The Russian man stole roughly 117 million user records, including usernames, passwords, and emails.
Nikulin used data stolen from Linkedin to launch spear-phishing attacks against employees at other companies, including Dropbox.
Between May 14, 2012 and July 25, 2012, Nikulin obtained the records of 68 million Dropbox users, containing usernames, emails, and hashed passwords.
Nikulin also hacked into an employee account of a Formspring engineer and used it to access the company network between June 13, 2012, and June 29, 2012. The hacker stole 30 million user details from the company database.
The data stolen by Nikulin were available on the cybercrime underground between 2015 and 2016, they were offered for sale by multiple traders.
While in custody, Nikulin consistently refused to cooperate with the authorities or to plead guilty.
The Russian man was found guilty by a United States jury in early July; prosecutors had sought 145 months in prison, three years of supervised release, and restitution.
The hacker's lawyers, Adam Gasner and Valery Nechay, pointed out that their client had already spent a total of 48 months in custody.
Nikulin was sentenced to 88 months in prison, of which he will serve roughly 74 months (85 percent), minus the time already served.
“Nikulin’s sentence breaks down to 64 months on counts two, six and eight related to trafficking in unauthorized access devices and causing damage to a protected computer, and 60 months for counts one, four, five and seven related to computer intrusion and conspiracy. These will all be served concurrently. He will also serve 24 months for aggravated identity theft.” reported the CourtHouseNews website.
“The sentence imposed was 88 months, of which he will serve 85% of that time – meaning he needs to serve 74.8 months of actual custody,” Gasner said. “After deducting the 48 months he has already served, he has 26.8 additional months remaining. So, a little over two years before he is returned home. We wish him well.”
Nikulin was also sentenced to three years of supervised release and the judge ordered him to pay restitution of $1 million to LinkedIn, $514,000 to Dropbox, $20,000 to Formspring, and $250,000 to WordPress parent company Automattic.
Maryland Man Gets 12 Months in Prison for Hacking Former Employer
25.9.20 Crime Securityweek
A Maryland man was sentenced to 12 months and one day in prison for hacking into and damaging the computers of his former employer.
From January 5, 2004, through August 6, 2015, the man, Shannon Stafford, 50, of Crofton, Maryland, was employed in the IT department of an unnamed international company with thousands of offices worldwide.
Employed at the company’s Washington office, Stafford provided IT technical support to the organization’s Washington, McLean, Virginia, and Baltimore offices. He had access to the system login credentials of other employees and was authorized to use them for technical support.
The organization provided Stafford with a laptop in 2014 and, the same year, he was promoted to technical site lead for the Washington office, but was demoted in March 2015, due to performance issues.
As these issues continued, Stafford was fired on August 6, 2015, yet he did not return the laptop that was provided to him the year before.
On the same day, evidence shows, he repeatedly attempted to remotely access the organization’s network from that laptop, using his credentials and those of a former co-worker. Two days later, using the co-worker’s credentials, Stafford successfully accessed the computer under his desk in the Washington office.
Leveraging the unauthorized access, he erased all file storage drives used by the Washington office, then changed the credentials for the storage management system.
“The deletion of the files caused a severe disruption to the company’s operations and the loss of some customer and user data. Changing the password hindered the company’s efforts to determine what happened and restore access to its remaining files,” the Department of Justice announced.
The company’s Washington users were unable to access their files for roughly three days, until the company was able to restore them from backups. However, customer and user data not included in the most recent backup prior to Stafford’s actions was lost.
During the following weeks, he unsuccessfully attempted to remotely access the organization's network from his home multiple times using credentials that were not his, and did not stop even after a company representative asked him to cease and desist.
On September 14, 2015, Stafford attempted to access the network file storage system at the company’s Baltimore office, with the intent of erasing data, but failed as passwords were changed following his intrusion at the Washington office.
Stafford’s actions resulted in actual losses of at least $38,270. His former employer also incurred legal fees totaling $133,950, as well as a fee of over $21,000 for a forensic investigation.
In addition to prison time, Stafford was sentenced to three years of supervised release and was ordered to pay $193,258 in restitution.
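Two detection checks would have caught the sequence above early: any authentication by an account that HR has marked as terminated, and any authentication from a device issued to a terminated employee when the account used belongs to someone else (the unreturned laptop plus a co-worker's credentials). The following Python is an added example, not code from the article or from the company involved; the log format, user names, asset tags and timestamps are constructed for illustration.

```python
"""Detecting access after termination: an added example, not code from the
article or from the company involved.

Correlates an HR offboarding list with authentication logs and raises two
findings that the Stafford case would have tripped:
  terminated-account   any attempt by a terminated account on or after its
                       termination date, successful or not;
  terminated-device    any attempt from a device issued to a terminated
                       employee, made with someone ELSE's account (the
                       unreturned laptop plus a co-worker's credentials).
The log line format, user names, asset tags and timestamps are constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Termination:
    user: str
    effective: datetime
    devices: FrozenSet[str]          # asset tags issued to the employee


@dataclass(frozen=True)
class Finding:
    rule: str
    when: datetime
    user: str
    device: str
    result: str


# Constructed sample: '<ISO time> auth user=<name> device=<asset> result=<ok|fail>'
SAMPLE_LOG = """\
2015-08-05T08:00:00 auth user=mallory device=LT-0412 result=ok
2015-08-06T18:02:11 auth user=mallory device=LT-0412 result=fail
2015-08-06T18:03:40 auth user=alice device=LT-0412 result=fail
2015-08-08T09:15:02 auth user=alice device=LT-0412 result=ok
2015-08-08T09:30:00 auth user=alice device=WS-DC-17 result=ok
"""

# Constructed offboarding record: mallory was terminated on 6 Aug 2015 and
# had been issued laptop LT-0412, which was never returned.
TERMINATIONS = [
    Termination("mallory", datetime(2015, 8, 6), frozenset({"LT-0412"})),
]


def parse_auth_log(text: str) -> List[Tuple[datetime, str, str, str]]:
    """Parse the constructed log format into (time, user, device, result) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, _tag, rest = line.split(" ", 2)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        events.append((datetime.fromisoformat(ts), fields["user"],
                       fields["device"], fields["result"]))
    return events


def detect(events, terminations: List[Termination]) -> List[Finding]:
    """Apply both rules to every event. Failed attempts are kept on purpose:
    repeated failures after termination are themselves the warning sign."""
    by_user: Dict[str, Termination] = {t.user: t for t in terminations}
    by_device: Dict[str, Termination] = {d: t for t in terminations for d in t.devices}
    findings: List[Finding] = []
    for when, user, device, result in events:
        t = by_user.get(user)
        if t is not None and when >= t.effective:
            findings.append(Finding("terminated-account", when, user, device, result))
        t = by_device.get(device)
        if t is not None and when >= t.effective and user != t.user:
            findings.append(Finding("terminated-device", when, user, device, result))
    return findings


def run_example() -> List[Finding]:
    """Run both rules over the constructed sample log."""
    return detect(parse_auth_log(SAMPLE_LOG), TERMINATIONS)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f.when.isoformat()} {f.rule:<18} user={f.user} "
              f"device={f.device} result={f.result}")
```

Against the sample, the pre-termination login is ignored, the ex-employee's own failed attempt fires the first rule, and both uses of the co-worker's account from the unreturned laptop fire the second; the co-worker's login from her own workstation is left alone. The device rule is the one that matters here, because the account rule alone cannot see a valid colleague's credentials being used.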
A member of The Dark Overlord group sentenced to 5 years in prison
22.9.20 Crime Securityaffairs
A United Kingdom national, member of ‘The Dark Overlord’ hacking group was sentenced to five years in federal prison, announced the US DoJ.
The United Kingdom national Nathan Wyatt (39), a member of ‘The Dark Overlord’ hacking group, was extradited to the United States in December 2019. The man was charged by U.S. authorities on six counts of aggravated identity theft, threatening to damage a protected computer, and conspiracy.
The Dark Overlord threat group hacked multiple US and UK companies and organizations, stole their data and threatened to leak it. Victims of the group operated in several sectors, including healthcare, financial, legal, and film.
On Monday, in a U.S. district court in St. Louis, Wyatt pleaded guilty to participating in activities associated with The Dark Overlord.
Wyatt admitted that starting in 2016, he operated as a member of the popular hacking group and stole sensitive data from its victims. The group then threatened the victims to leak the stolen data unless a ransom (ranging between $75,000 and $350,000 worth of Bitcoin) was paid.
“U.S. District Judge Ronnie White for the Eastern District of Missouri sentenced Nathan Wyatt, 39, who participated in a computer hacking collective known as “The Dark Overlord,” which targeted victims in the St. Louis area beginning in 2016.” reads the press release published by DoJ. “Wyatt was extradited from the United Kingdom to the Eastern District of Missouri in December 2019. Judge White also ordered Wyatt to pay $1,467,048 in restitution.”
According to the 2017 indictment, Wyatt used email and telephone accounts to send messages threatening the hacked companies with the release of their information.
“a. WYATT registered a telephone account (Account A) used in the course of the conspiracy to register a virtual private network account and Twitter account used by conspirators to conduct the scheme.” reads the indictment.
“b. WYATT registered a telephone account (Account B) used in the course of the conspiracy to send threatening and extortionate text messages to victims.“
The indictment details the criminal activities conducted by Wyatt from February 2016 to June 2017. Wyatt was arrested in the United Kingdom in 2017 on separate charges, including blackmail and using stolen payment card data, to which he pleaded guilty.
Wyatt also admitted that he participated in the conspiracy by creating, validating, and maintaining communication, payment, and VPN accounts that were employed by The Dark Overlord in its attacks.
Wyatt already served 14 months in a UK prison after he pled guilty in a separate indictment related to blackmail, the use of stolen card data, and possession of a fake passport.
According to Wyatt's lawyer, Brocca Morrison, the British citizen was not the leader of the group, even if he is the only member of the group to have been identified.
“Nathan Wyatt used his technical skills to prey on Americans’ private data and exploited the sensitive nature of their medical and financial records for his own personal gain. Today’s guilty plea and sentence demonstrate the department’s commitment to ensuring that hackers who seek to profit by illegally invading the privacy of Americans will be found and held accountable, no matter where they may be located,” Acting Assistant Attorney General Brian C. Rabbitt of the Justice Department’s Criminal Division said.
'Dark Overlord' Hacker Sentenced to 5 Years in Prison
22.9.20 Crime Securityweek
A United Kingdom national who was a member of ‘The Dark Overlord’ hacking group was sentenced to five years in federal prison, the United States Department of Justice announced this week.
The man, Nathan Wyatt, 39, was extradited to the United States in December 2019. On Monday, he pleaded guilty to participating in activities associated with The Dark Overlord, a threat group that hacked US and UK companies to steal data and hold it for ransom.
Wyatt admitted in a U.S. district court in St. Louis that, starting in 2016, he operated as a member of the hacking group known as The Dark Overlord, which compromised the networks of multiple companies, including those in the financial, healthcare, legal, film, and other sectors.
The group, Wyatt admitted, stole sensitive data from the targeted companies, including personal information and patient medical records. The hackers then threatened to make the data public unless ransom amounts ranging between $75,000 and $350,000 were paid, in Bitcoin.
In a 2017 indictment, Wyatt was charged with setting up phone and email accounts that The Dark Overlord group used to send threatening messages to victim companies.
Wyatt admitted in court to “creating, validating, and maintaining communication, payment, and virtual private network accounts” that the hacking group used as part of their scheme.
Prior to being extradited to the US, Wyatt served 14 months in a UK prison, after he pled guilty in a separate indictment related to blackmail, the use of stolen card data, and possession of a fake passport.
Wyatt, St. Louis local media reports, apologized during the Zoom-held hearing, saying he suffered from mental problems. He also said he is now on medication.
Brocca Morrison, his lawyer, pointed out that, although he participated in the scheme, he did not orchestrate it and is the only hacker to have been identified so far.
“Nathan Wyatt used his technical skills to prey on Americans’ private data and exploited the sensitive nature of their medical and financial records for his own personal gain. Today’s guilty plea and sentence demonstrate the department’s commitment to ensuring that hackers who seek to profit by illegally invading the privacy of Americans will be found and held accountable, no matter where they may be located,” Acting Assistant Attorney General Brian C. Rabbitt of the Justice Department’s Criminal Division said.
Moderator of AlphaBay Dark Web Marketplace Gets 11 Years in Prison
4.9.20 Crime Securityweek
A Colorado man was sentenced this week to eleven years in prison for his role as a moderator on the AlphaBay cybercrime marketplace.
The portal allowed vendors and purchasers to trade illegal goods such as credit card numbers, stolen identity data, guns, drugs, and more.
When taken down in 2017, AlphaBay was the most popular Dark Web marketplace for illegal products, and had over 400,000 users. The portal was launched in December 2014.
A week before the marketplace was shut down, authorities performed raids in three different countries, which resulted in various equipment being seized. Half a year before that, an AlphaBay vulnerability that exposed hundreds of thousands of private messages, along with other user information, had been discovered.
The man believed to run the marketplace, Alexander Cazes, was arrested in Thailand in 2017 and was found dead in his prison cell days after he allegedly gave his consent to be extradited to the United States.
Law enforcement found Cazes’s laptop in an open and unencrypted state, the U.S. Department of Justice (DoJ) says. Text files and the passwords/passkeys for AlphaBay (including servers and several online identities associated with the marketplace) were also discovered.
In 2018, Ronald L. Wheeler III, who worked as the public relations specialist for AlphaBay, was sentenced to three years and 10 months in prison.
The DoJ announced this week that Bryan Connor Herrell, 26, of Aurora, Colorado, who was a moderator on AlphaBay in charge of settling disputes between vendors and purchasers, received an 11-year prison sentence.
Herrell, who used the online monikers “Penissmith” and “Botah,” also served as a scam watcher, a role in which he monitored for possible attempts to defraud AlphaBay users. Herrell was paid in Bitcoin for his work.
According to the DoJ, the investigation of the AlphaBay marketplace and its former administrators is still ongoing.
Texas man sentenced to 57 months for the hacking of a major tech firm in New York
16.8.20 Crime Securityaffairs
A 31-year-old man from Dallas, Texas, was sentenced last week to 57 months in prison for crimes related to the hacking of a major tech firm in New York.
Tyler C. King (31), from Dallas, Texas, was sentenced to 57 months in prison for crimes related to the hacking of an unnamed major tech company based in New York.
In November, King was convicted of computer fraud and aggravated identity theft, and in June he also pleaded guilty to obstruction of justice for having provided fake evidence during his trial.
According to the investigators, the man gained access to the technology firm in 2015 with an accomplice, Ashley St. Andria, who was an employee of the company.
Once inside the company's network, the duo created admin accounts to access internal resources, including emails of senior executives, personnel files, financial documents, and other proprietary information.
After the IT staff at the company detected the intrusion, it disabled the fraudulent admin accounts, but King and St. Andria once again gained access to its networks and stole business records.
“While on the company’s network, King and St. Andria created unauthorized administrator accounts that gave them access to proprietary company information, including real-time access to the emails of senior company executives, personnel files, and financial records.” reads the press release published by the DoJ.
“In response to the company shutting down the fake administrator accounts, King regained access to the network with the assistance of St. Andria, stole proprietary business records, and – through a series of sophisticated steps, including the use of password-cracking programs – bypassed the company’s security measures. In doing so, King illegally used the credentials of two company employees based overseas. The jury convicted King of conspiring to commit computer fraud, computer fraud, and two counts of aggravated identity theft.”
King was also sentenced to two years of supervised release, a fine of $15,000 and over $21,000 in restitution.
“Tyler King hacked into a major technology company, damaged its systems, stole its data, and laughed about it, all from the comfort of his sofa in Texas. He will now serve 57 months in federal prison,” stated U.S. Attorney Grant C. Jaquith. “Those interested in hiding behind their keyboards to steal information and damage property should take today’s sentence as a stark reminder that computer hacking is a serious business with serious consequences. I thank the FBI for its exceptional work in bringing King to justice.”
King’s accomplice, Ashley St. Andria (31) of Irving, Texas, pled guilty to computer fraud on August 15, 2018 and was sentenced to time served, and 2 years of supervised release, in March 2020.
Alleged Hacker Behind Massive ‘Collection 1’ Data Dump Arrested
21.5.2020 Threatpost Crime
The threat actor known as ‘Sanix’ had terabytes of stolen credentials at his residence, authorities said.
A hacker accused of selling hundreds of millions of stolen credentials from last year's “Collection 1” data dump on the dark web has been arrested in Ukraine.
The Security Service of Ukraine (SSU) took into custody a threat actor known as “Sanix,” who they claim posted 773 million e-mail addresses and 21 million unique passwords on a hacker forum last year, according to a press release. The SSU said it worked with the Ukrainian cyber police and National Police on the investigation. Authorities did not release his real name.
Known as Collection 1, the database of breached emails was discovered on a popular underground hacking forum on Jan. 17, 2019. At the time Troy Hunt, the researcher behind the HaveIBeenPwned database, quantified the trove of data as 1,160,253,228 unique combinations of email addresses and passwords.
“Collection 1 is a set of email addresses and passwords totalling 2,692,818,238 rows. It’s made up of many different individual data breaches from literally thousands of different sources. (And yes, fellow techies, that’s a sizeable amount more than a 32-bit integer can hold.),” he wrote in a January 17, 2019 blog post.
The database appears to be just the tip of the iceberg of stolen credentials Ukrainian authorities found at Sanix’s residence in the Ivano-Frankivsk region of western Ukraine upon his arrest, they said.
“The hacker had at least seven similar databases of stolen and broken passwords, the total amount of which reached almost terabytes,” according to the release. “These included personal, including financial, data from residents of the European Union and North America.”
In all, authorities seized computer equipment with 2 terabytes of stolen information along with phones that show evidence of illegal activities, as well as about $10,000 in cash from illegal transactions in both Ukrainian hryvnias and U.S. dollars, they said.
To track Sanix down, authorities recorded the sale of databases with logins and passwords to e-mail boxes, PIN codes for bank cards, e-wallets of cryptocurrencies and PayPal accounts, they said. They also tracked information on computers being used in botnets and for organizing DDoS attacks.
Initially there was some disagreement by security experts over who actually was responsible for selling the Collection 1 credentials on forums. After they were discovered, Sanix and two other forum users–“C0rpz” and “Clorox”—also claimed responsibility for the data dump.
Security researcher Brian Krebs of the KrebsonSecurity blog identified Sanix early on as the hacker who attempted to sell the 87-gigabyte database, which on the forum was created by C0rpz. However, a month later, researchers from Recorded Future said that C0rpz was the true seller of Collection 1.
“Sanix was the individual identified by Brian Krebs… and our analysis confirmed that this is the same individual who attempted to sell the database originally created by C0rpz,” researchers said at the time.
However, even after Sanix was subsequently banned from the forum, C0rpz posted links to MEGA sharing Collection #1 free of charge to the community, they said.
With the arrest of Sanix, it appears Krebs may have been right, however. At the time Krebs contacted the hacker to delve more into the origin of Collection 1, which Sanix said was already two to three years old. He also told the security researcher that he had other password packages—more than 4 terabytes’ worth—that included fresher credentials.
Sanix is currently cooperating with Ukrainian authorities to prepare “a report on suspicion of unauthorized interference with computers” and their unauthorized sale or dissemination, according to the SSU release.
Ukrainian Police Arrest Hacker Who Tried Selling Billions of Stolen Records
20.5.2020 Thehackernews Crime
The Ukrainian police have arrested a hacker who made headlines in January last year by posting a massive database containing some 773 million stolen email addresses and 21 million unique plaintext passwords for sale on various underground hacking forums.
In an official statement released on Tuesday, the Security Service of Ukraine (SBU) said it identified the hacker behind the pseudonym "Sanix," who is a resident of the Ivano-Frankivsk region of Ukraine, but it did not reveal his actual identity to the media.
In January last year, the hacker tried to sell the massive 87-gigabyte database labeled as "the largest array of stolen data in history," which, according to security experts, was just a fraction of the stolen data Sanix collected.
According to the authorities, Sanix had at least 6 more similar databases of stolen and broken passwords, totaling in terabytes in size, which also included billions of phone numbers, payment card details, and Social Security numbers.
Besides email logins, the database also contained bank card PIN codes, e-wallets of cryptocurrencies, PayPal accounts, and information about computers hacked for further use in botnets and to launch distributed denial-of-service (DDoS) attacks, the SBU said.
At that time, Sanix offered "lifetime" access to the stolen databases for modest amounts ranging from $45 to $65.
The stolen data included personal and financial data from residents of different countries, including the European Union and North America, the authorities said.
A search of his residence resulted in the seizure of computer equipment with 2 terabytes of stolen data, phones with evidence of illegal activities, and more than $10,000 in cash from illegal transactions—190,000 Ukrainian hryvnias (~$7,100) and over $3,000.
Sanix is now facing Ukrainian criminal charges for unauthorized interference with computers and unauthorized sale or dissemination of information with limited access stored in computers.
If found guilty, a combination of these two charges can lead to up to 8 years in prison under the Criminal Code of Ukraine.
The SBU also released video of the arrest operation, which was carried out jointly with the cyber police and investigators of the National Police under the prosecutor's procedural guidance.
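Both Collection 1 articles above describe the same artefact: a dump of email:password rows, of which Troy Hunt's “unique combinations” figure is the count after normalising and deduplicating. The practical questions for a defender are how many of those rows hit your own domains and whether a given password is in the corpus. The following Python is an added example, not code from either article, from HaveIBeenPwned or from anyone named; the dump lines and the range-API response are constructed, and no network call is made. The SHA-1 prefix/suffix split it prepares is the one the real Pwned Passwords range API (GET https://api.pwnedpasswords.com/range/<first five hex characters>) uses, so a password is never transmitted in full.

```python
"""Combo-list triage: an added example, not code from either article, from
HaveIBeenPwned or from any of the people named.

Takes lines in the 'email:password' / 'email;password' shape that make up
dumps like Collection 1, normalises and deduplicates them (the way a raw row
count becomes a 'unique combinations' count), reports how many unique
combinations hit domains you care about, and prepares the SHA-1 prefix/suffix
split used by the Pwned Passwords k-anonymity range API
(GET https://api.pwnedpasswords.com/range/<first five hex characters>) so the
corpus can be queried without ever sending the password itself.
No network call is made; the dump lines and the range response are constructed.
"""
import hashlib
import re
from collections import Counter
from typing import Dict, Iterable, Iterator, Set, Tuple

# Constructed sample dump: mixed case, a duplicate row, a ';' separator,
# a password containing ':' and one junk line.
SAMPLE_DUMP = """\
Alice@Example.COM:Password1
alice@example.com:Password1
bob@corp.example;hunter2
carol@example.com:correct horse:battery
this line is not a credential
dave@other.test:letmein
"""

# E-mail, then the FIRST ':' or ';', then the rest of the line as the password.
LINE_RE = re.compile(r"^\s*([^:;\s]+@[^:;\s]+)[:;](.+?)\s*$")


def parse_combo_lines(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (email, password) pairs; e-mails are lower-cased so case variants
    of one address collapse, passwords are kept exactly as found."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            yield m.group(1).lower(), m.group(2)


def unique_combos(text: str) -> Set[Tuple[str, str]]:
    """Deduplicate rows into unique (email, password) combinations."""
    return set(parse_combo_lines(text))


def domain_exposure(combos: Iterable[Tuple[str, str]],
                    watched: Iterable[str]) -> Dict[str, int]:
    """Count unique combinations per watched domain (0 if absent)."""
    counts = Counter(email.rsplit("@", 1)[1] for email, _ in combos)
    return {d: counts.get(d.lower(), 0) for d in watched}


def pwned_range_parts(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 into the 5-char prefix that is sent to
    the range API and the 35-char suffix that is matched locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(password: str, range_response: str) -> int:
    """Given the body a /range/<prefix> call returns ('SUFFIX:COUNT' per line),
    return how often the password appears in the corpus, or 0 if it does not."""
    _prefix, suffix = pwned_range_parts(password)
    for line in range_response.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def triage(text: str, watched: Iterable[str]) -> Dict[str, object]:
    """Summarise a dump: parsed rows, unique combinations, hits per domain."""
    combos = unique_combos(text)
    return {
        "rows": sum(1 for _ in parse_combo_lines(text)),
        "unique": len(combos),
        "by_domain": domain_exposure(combos, watched),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_DUMP, ["example.com", "corp.example"]))
    prefix, suffix = pwned_range_parts("password")
    print(f"query /range/{prefix} and look for suffix {suffix}")
```

Splitting on the first separator after the address, rather than on every colon, is what keeps “correct horse:battery” intact; dumps of this kind mix `:` and `;` and contain passwords with either character. For a real check, fetch `/range/<prefix>` with an HTTP client and pass the body to `count_in_range_response`; only the five-character prefix ever leaves your machine.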