The feds keep chipping away at those thieves and hackers and we are pleased to showcase the recent results of their hard work.
Computer Hacking and Sexual Extortion
On December 9, 2015, the U.S. Attorney’s Office of the Northern District of Georgia announced that a former U.S. State Department employee employed at the U.S. Embassy in London pled guilty to “perpetrating a widespread, international e-mail phishing, computer hacking, and cyberstalking scheme against hundreds of women in the United States and abroad. Using e-mail passwords obtained by phishing, he hacked into hundreds of victims’ e-mail and social media accounts, stole thousands of sexually explicit photographs, and threatened at least 75 victims that he would release their photos and other personal information unless they agreed to his ‘sextortionate’ demands.”
He “tormented” his victims, mostly young females with a focus on members of sororities or aspiring models, by “threatening to humiliate them unless they provided him with sexually explicit photos and videos.”
He posed as an employee of an “account deletion team” for a well-known e-mail service provider and sent phishing emails to thousands of women warning them that their e-mail account would be deleted if they didn’t give him their password. If they gave their password, he then hacked into their e-mail account and social media account and searched for sexually explicit photographs. If he found them, he searched for personally identifiable information about them, including their home and work addresses, school and employment information and names and contact information of family members.
He then threatened the women that if they didn’t give him photos or videos, he would release the photo. If they refused to comply, he would tell them that he knew where they lived, and did in fact send some of the information to family members.
He successfully hacked into 450 online accounts belonging to at least 200 victims. He will be sentenced on February 16, 2016. The U.S. Attorney’s Office reminds anyone who believes they are a victim of hacking, cyberstalking or ‘sextortion’ to contact law enforcement.
Employee theft of trade secrets
Last week, the U.S. Attorney for the Southern District of New York and the New York FBI Office announced that Xu Jiaqiang has been arrested for theft of a trade secret of proprietary source code from his former employer.
According to the allegations, Xu worked as a developer for an unnamed software company and had access to proprietary software and underlying source code of a clustered file system. The company only provided access to the proprietary code to authorized individuals.
Xu resigned from the company and started communicating with undercover law enforcement officers posing as financial investors looking to start a big data storage company. He sent the officers code from his previous employer and remotely installed the proprietary software on networks set up by the FBI, which was confirmed to be functioning software of the previous employer.
Xu admitted to undercover law enforcement that he had used the code to build a copy of the proprietary software to sell to customers. He has been charged with one count of theft of a trade secret, which carries a maximum sentence of ten years in prison. He is being prosecuted by the U.S. Attorney’s Terrorism and International Narcotics Unit and the National Security Division’s Counterintelligence and Export Control Section. Impressive work!
On Tuesday, December 15, 2015, the U.S. Attorney of the District of New Jersey announced that three alleged hackers from Florida, New Jersey and Maryland were charged with a “wide-ranging computer hacking and identity theft scheme that compromised the personally identifiable information (PII) of millions of people and generated more than $2 million in illegal profits.”
The individuals were charged with conspiracy to commit wire fraud and conspiracy to commit fraud with electronic mail.
The allegations include writing computer programs that conceal the origin of the email in order to bypass spam filters. They allegedly hacked into the email accounts of individuals and seized control of the mail servers of corporations. Further, they created custom software “that leveraged vulnerabilities in the websites of a number of corporations” which allowed them to send out spam that looked like it came from the company. Finally, they stole confidential business information of corporations, including databases containing millions of individuals’ PII, one of which was the employer of one of the alleged hackers. The hacker gave access to the employer’s system to the other hacker through a remote administration tool so they could steal the names, addresses, telephone numbers, and email addresses of former, current and potential customers.
The hackers face a maximum of five years in prison and a fine of the greater of $250,000 or twice the gain or loss from the offense for conspiracy to commit fraud and related activity in connection with computers; 20 years in prison and a similar fine for conspiracy to commit wire fraud; and 5 years in prison and the same fine for conspiracy to commit fraud and related activity in connection with email.
There is also a request for forfeiture of close to $300,000 in bank accounts, a 2006 Ferrari convertible and a 2009 Cadillac SUV.
Destroying, altering and falsifying medical records
On December 10, 2015, a former Department of Veterans Affairs nurse pled guilty in the Southern District of Florida to “destroying, altering and falsifying records and committing computer fraud.” He faces up to 20 years in prison.
The nurse caused damage to the computer system of the VA Medical Center in Miami, Florida, when he falsified the medical records of a 76-year-old veteran with whom he had a treating relationship. The patient died, and the nurse tried to cover up the poor quality of treatment he received by attempting to falsify the records. He will be sentenced on February 19th.
Member of “NullCrew” pleads guilty
The U.S. Attorney’s Office in the Northern District of Illinois announced on December 8, 2015 that a member of the hacking group “NullCrew” pled guilty to charges that he “helped launch cyber-attacks on corporations, universities and governmental entities throughout the world.”
He pled guilty to one count of intentionally damaging a protected computer without authorization, which carries a maximum of 10 years in prison. He admitted that he participated in at least seven cyber-attacks while a member of NullCrew, including one against a large Canadian telecommunications company and another against a U.S. state. He will be sentenced on March 9, 2015.
We highlight these prosecutions for several reasons. First, the facts are important to understand as they are real-life scenarios that happen every day against individuals and companies and can serve as lessons to learn from. Second, law enforcement is working hard to combat cybercrimes, and victims might want to consider bringing law enforcement into investigations and collaborating with the government to combat cybercrime. Finally, it is good to know that the thieves and hackers are seeing and feeling the consequences. We will continue to update you on the good work of law enforcement in bringing these thieves and hackers to justice.