10 arrests that shook the cybercrime underworld

Crime in the virtual world has long been a tough nut to crack for law enforcement agencies and the courts. Getting to the bottom of a cyberattack and then gathering enough hard evidence to secure a conviction is no easy task. But the situation is gradually changing, and hackers – from those who steal personal photos of stars in the nude to the organizers of multi-million dollar scams – are now more frequently being brought to trial.

The start of the 21st century was a veritable gold rush for cybercriminals. A rapidly increasing Internet audience that wasn’t always that computer savvy, the dawn of online payment systems, and legislation that lagged well behind technology all made for rich pickings with little risk of being caught – something that always attracts criminal attention. Unsurprisingly, it didn’t take long for unethical and blatantly illegal scams to grow from one-man operations into well-organized businesses. However, the good news is that with every passing day these cybercriminal gangs face greater risks than ever before. To demonstrate this we’ll look at 10 recent cases that have ended with the cybercriminals in the dock.

Call me nude: Hacking for sexy photos

If you’re young, pretty, and have recently become famous, immediately make your password more complex and install total protection on your computer. This is the lesson that Canadian singer Carly Rae Jepsen learned the hard way. Last year hacker Christopher David Long accessed her personal data and files, including naked photos of her. According to some sources, the police began investigating the hack in March 2012; at the time Long was trying to sell the photos to the tabloids. The details of the investigation and the fate of the photos have not been disclosed, but the most important thing was that Long was finally charged in December, according to The Vancouver Sun.


First class ticket to jail: ZeuS botmaster pays for stolen millions

Algerian hacker Hamza Bendelladj was arrested at a Bangkok airport in early January after local police were tipped off by FBI agents who had been tracking the 24-year-old for three years. They suspected him of being behind a botnet based on the notorious ZeuS. Bendelladj is alleged to have netted up to $20 million from just one of a series of illegal transactions involving 217 banks and financial institutions. Not surprisingly, when he was busted he was enjoying a luxurious lifestyle and jetting around the world in first class. He now faces extradition to the US and a court case in the state of Georgia.

Sharp card dealt: 12 years for stolen data

At the beginning of February, Dutch cybercriminal David Benjamin Schrooten, better known as Fortezza, was sentenced to 12 years. He was part of a criminal group responsible for the theft of over 100,000 credit card numbers that were then sold on a special underground website for stolen card details. Sentences had already been handed down to some of his accomplices, while others are waiting for their cases to be heard. Interestingly, the investigation revealed that Schrooten tried to hack other similar “carding” forums in a bid to disrupt their activities and steal their customers. He was meticulous in covering his tracks, but the long arm of the law eventually caught up with him in Romania and he was extradited to the US.

The criminal group stole more than 100,000 credit card numbers and then sold the details to other criminals.

105 years for sextortion

At the end of January the FBI arrested Karen “Gary” Kazaryan, 27. This particular hacker wasn’t after material gain; he focused on cracking Facebook, Skype and email accounts belonging to women. Once he had access, Kazaryan changed the password, which locked victims out of their own online accounts. Once he controlled the accounts, Kazaryan searched emails and other files for naked or semi-naked pictures of the victims, as well as other information, such as passwords and the names of their friends. He then used that information to coerce his victims into taking their clothes off in front of a web camera. Investigators found approximately 3,000 nude or semi-nude pictures of women on Kazaryan’s computer – some of them he got from hacked accounts while others were saved from Skype sessions. In total, authorities have brought 30 charges of unauthorized computer intrusion, and if found guilty on all of them, he faces 105 years behind bars.

DDoS attack – an attack that uses multiple computers to simultaneously overwhelm a server and make legitimate access impossible or extremely unstable.

Anonymous behind bars: Ideological hacking is still a crime

The “hacktivist” movement hacks or takes down websites in order to make a political point, rather than to earn money. However, this is still illegal, and the UK’s Southwark Crown Court has confirmed that hacktivists are subject to the same penalties as conventional cybercriminals. According to BBC News, hackers Christopher Weatherhead and Ashley Rhodes got 18 and 7 months in prison respectively for organizing DDoS attacks targeting PayPal, MasterCard, Visa and others. The Anonymous activists were unhappy that these organizations tried to hinder fundraising for WikiLeaks. According to the judge, the hackers took extremely sophisticated precautions to conceal their identity, but the investigation was still successfully wrapped up.

‘Anonymous’ Krasnoyarsk-style: DDoS attack with political overtones

Police in Krasnoyarsk investigated two very similar cases this winter. A court in the Siberian city handed a 25,000 ruble fine and two years on probation to Pavel Spassky after the radio-electronics college student set up a DDoS attack on two government websites on May 6-7, 2012. A similar case was brought against another Krasnoyarsk resident for an attack on the kremlin.ru website on May 9. The latter accused maintains his innocence, but faces up to four years in jail if convicted.

Making millions: 100 euros at a time

Eleven members of a criminal gang arrested in Spain this February had been earning about 1 million euros a year by spreading the Police virus. This is a cyberextortion tool, accusing the victim of committing some offense and blocking his computer until a “fine” of 100 euros is handed over. The malware also steals the victim’s personal data. A final sentence has not yet been handed down in this case, but in recent years Spain has jailed a number of hi-tech offenders.

Ali-Baba and the 4 thieves

Just a week ago, four cybercriminals were arrested in Dubai after allegedly stealing at least $2 million from companies in the Emirates. Using a few scams and hacker techniques, the attackers were siphoning funds into their bank accounts as well as overseas. Some members of the gang, which includes people of Asian and African origin, have fled the country – a warrant for their arrest has been issued by Interpol.

10 years for a star

In a rare case, a hacker was sentenced to 10 years in prison and a $66,000 fine, even though the prosecution demanded only a six-year sentence. Christopher Chaney was convicted of illegally accessing the email accounts of celebrities, including Scarlett Johansson, Christina Aguilera and Mila Kunis. The most widely reported consequence was the theft and publication of nude photos of the stars, some of whom chose to appear in court in person to support the prosecution’s case. However, from a security perspective there’s another interesting detail – Chaney had a very simple system to get past most passwords. He just pressed the “Forgot password” button and answered a couple of simple questions – easily finding the answers in open sources and celebrity bios. This was a huge success, not just once or twice but 50 times!


A family business

At first glance, Vladimir Zdorovenin and his son Kirill ran a legal online business. However, as established by the US authorities, online stores owned by the Zdorovenins were occasionally drawing down funds from their clients’ cards without approval. Funds were also taken from cards where the details had been obtained illegally (e.g. bought at underground forums). The family had already gone on the run, but in January the Swiss authorities detained Vladimir and deported him to the US to serve a three-year jail term. Kirill’s whereabouts remain unknown.

As we can see, it is not that easy to hold cybercriminals liable – and the process does not always run smoothly. Despite these problems, the global battle against cybercrime is noticeably turning in favor of the authorities: experts are cooperating with law enforcement agencies, courts are learning to deal with new types of material evidence, and increasingly cybercriminals are ending up where they belong – behind bars.

David Lenoe at Security Analyst Summit

David Lenoe, Adobe PSIRT group manager, discusses the Sandbox bypass press release, which offered only partial disclosure and left much unaddressed in terms of potential vulnerabilities. Video: http://www.youtube.com/watch?v=kMnF3xDnAQg&feature=youtu.be?rel=0