Meet Cybercriminals in 2022 • TechCrunch
Arrested, seized, doxed and remanded in custody. These are just some of the ways police and prosecutors around the world brought down the biggest cybercrime operations of the year, even if it meant resorting to new and unconventional eyebrow-raising methods. From hiding billions of bitcoin under the floorboards to teenage hackers gatecrashing Fortune 500 networks, this year saw some of the most striking breaches – and the highest-profile arrests.
As we close out 2022, we look back at the cybercriminals we lost this year… to the law.
Sanctions and seizures hit the crypto scene
US officials made some big gains against crypto-money laundering in 2022. At the start of the year, the Justice Department said it had seized more than $3.6 billion worth of bitcoins allegedly stolen in the 2016 hack of crypto exchange Bitfinex, and that it had arrested a married couple suspected of laundering the money.
The pair – Ilya Lichtenstein, 34, and Heather Morgan, 31 – face up to 25 years in prison if convicted of conspiracy to launder money and defraud the US government.
Later in the year, the Office of Foreign Asset Control (OFAC), a watchdog within the US Treasury Department tasked with enforcing sanctions violations, announced that it had sanctioned decentralized cryptocurrency mixing service Tornado Cash for its role in enabling billions of dollars of cryptocurrency. to be washed through its platform.
Tornado Cash, along with other mixers such as AlphaBay, allows customers to hide the source of their crypto funds when participating in a transaction in exchange for a fee. It mixes potentially identifiable or tainted cryptocurrency funds with others to hide the source and destination of crypto assets. More than $1.5 billion in proceeds of crime, such as ransomware and fraud, has been laundered through Tornado Cash to date, experts estimate.
US Doxes alleged Conti ransomware member
In August, the US government shared an image of a suspected Conti ransomware operator known as “Target”, the first time it has outed a major ransomware player. The program also offered up to $10 million for information leading to the identification and location of Target, along with four other alleged Conti members known as “Tramp,” “Dandis,” “Professor,” and “Reshaev.”
The State Department said Conti has conducted more than 1,000 ransomware operations targeting US and international critical infrastructure. Most recently, the gang infiltrated 27 government institutions in Costa Rica and demanded a ransom of 20 million dollars.
Another gang that took a devastating hit in 2022 was Netwalker, a ransomware gang that has been linked to a number of high-profile incidents, including an attack on the University of California San Francisco, which paid a ransom demand of more than $1 million, and an attack targeting anti-cyber threat startup Cygilant. Between August 2019 and January 2021, ransomware attacks involving NetWalker pulled in $46 million in ransoms, according to cryptocurrency analysis firm Chainalysis.
In October, Sebastien Vachon-Desjardins, a 34-year-old from Quebec, was sentenced in a Florida court in October after pleading guilty to charges related to his involvement with NetWalker. Vachon-Desjardins, who worked as an IT consultant for Public Works and Public Services in Canada, was previously arrested by Canadian police in January 2021 and sentenced to seven years in prison. During a search of his home, law enforcement authorities discovered and seized 719 bitcoins and $790,000 in Canadian currency.
James Zhong, the hacker who stole billions of Silk Road’s bitcoin
In a surprising but anticlimactic conclusion to one of the government’s longest-running cyber cases, the mystery of notorious dark web drug market Silk Road’s missing billions was solved. In November, US federal agents said they found $3.36 billion worth of bitcoin that had been stashed in a popcorn box under the bathroom cabinet floorboards of the hacker’s home nearly a decade earlier. Prosecutors brought charges against the hacker, a Georgia resident named James Zhong, whose plea deal with the FBI saw him forfeit the massive cache of cryptocurrency, along with $600,000 in cash and other precious metals.
Somewhat confusingly, Zhong is the second hacker to eventually sell Silk Road’s stolen billions – albeit at a lower exchange rate than today. In 2020, a hacker going by the alias Individual X dropped another huge cache of Silk Road’s bitcoin that they had stolen years earlier during a hacking spree spanning 2012 and 2013. The Justice Department’s latest seizure closed the door on another billion-dollar mystery, although the feds kept secret how the funds were stolen or how they came to find the hacker, long after Silk Road founder Ross Ulbricht was jailed.
Raccoon Stealer operator charged with mass password theft
US officials in October charged a Ukrainian national for his alleged role in the Raccoon Infostealer malware-as-a-service operation that infected millions of computers worldwide. Mark Sokolovsky, who goes by the web handle “raccoonstealer,” is accused of playing a leading role as a key administrator of malware that prosecutors say was used to steal more than 50 million unique credentials and forms of identification from victims around the world since February 2019 .
Sokolovsky is charged with computer fraud, wire fraud, money laundering and identity theft and faces up to 20 years in prison if found guilty. Sokolovsky is in Amsterdam awaiting extradition to the United States.
Sokolvsky’s arrest led to a surge in new Mars Stealer campaigns, including mass targeting of Ukraine in the weeks following Russia’s invasion, and a large-scale effort to infect victims with malicious ads. However, in November, a security research and hacking startup told TechCrunch that it had found a code flaw that makes it possible to lock out operators of the Mars Stealer malware from their own servers and free their victims.
Seller of WhatsApp hacking technology pleads guilty
Signal Jammers, Wi-Fi Hacking Tools and WhatsApp Hacking Tools. These are some of the things that a Mexican businessman admitted in federal court to selling for both commercial and personal reasons. The Justice Department accused Carlos Guerrero of, among other things, arranging the sale of hacking tools to Mexican politicians, and of using other equipment he sold to intercept the telephone conversations of an American rival. It shows that it is not just nation states and governments with powerful phone spying technology at their disposal.
Lapsus$ rounded up once, twice
The Lapsus$ gang came to prominence in 2022. The data extortion group, which first appeared a year earlier, quickly claimed a number of high-profile victims, including Okta, Microsoft, Nvidia and Samsung.
While the gang once seemed invincible, a number of its members were arrested in March this year. In a statement given to TechCrunch at the time, the City of London Police confirmed that seven people aged between 16 and 21 had been arrested in connection with Lapsus$.
News of the arrests came just hours after a Bloomberg report revealed that a teenager based in Oxfordshire, UK, is suspected of masterminding the Lapsus$ group. Researchers investigating the gang’s recent hacks said they believed the 16-year-old, who uses the online name “White” or “Breachbase,” was a leading figure in Lapsus$, and Bloomberg was able to track down the suspected hacker for his personal information was published online by rival hackers. Weeks later, British police said they had charged two of the teenagers with several cyber offences.
SSNDOB, a marketplace for stolen social security numbers, is no more
U.S. officials announced in June the removal of SSNDOB, a notorious marketplace used to trade personal information — including social security numbers, or SSNs — of millions of Americans.
The landmark operation was conducted by the FBI, IRS and DOJ, with assistance from the Cyprus Police, and saw authorities seize four domains that host the SSNDOB marketplace.
The SSNDOB listed the personal information of approximately 24 million individuals in the United States, including names, dates of birth, SSNs and credit card numbers and generated more than $19 million in revenue, according to prosecutors. Chainalysis separately reported that the marketplace has received nearly $22 million worth of bitcoin in over 100,000 transactions since April 2015, although the marketplace is believed to have been active for several years before the final seizure.
Ex-Amazon engineer convicted of Capital One data breach
Also in June, Paige Thompson, a former engineer in Amazon’s cloud division, was convicted of a breach that compromised the personal and financial information of 100 million CapitalOne customers in 2019. The breach was one of the largest bank heists in US history, which included the theft of credit scores , limits and balances, and also affected one million Canadians. Thompson was accused of using his knowledge as an Amazon software engineer to breach CapitalOne’s cloud storage, hosted on Amazon’s servers, and compromise the cloud storage of several other companies, including Vodafone, Ford and Ohio’s state motor vehicle agency. Prosecutors said the former Amazon engineer was “one bad day away from sharing the data she stole.” As such, Thompson was sentenced to time served, allowing her to avoid prison.
A major REvil operator was extradited to the US
With a $10 million bounty on their heads after a brazen ransomware attack on Kaseya that spread to hundreds of downstream customers, it was only a matter of time before the REvil ransomware group’s luck would run out. That’s what happened to Yaroslav Vasinskyi, a 22-year-old Ukrainian citizen, who was arrested in Poland in October and later arraigned and extradited to Dallas, Texas to face hacking and fraud charges stemming from his alleged involvement with REvil . Vasinskyi is one of two other alleged REvil members charged by US prosecutors in connection with the attack on Kaseya. It was only after the FBI recovered the decryption key that victims were able to regain access to their encrypted files.
UK arrests teenagers linked to Uber and GTA hacks
In September, police in London confirmed that a 17-year-old teenager suspected of being involved in high-profile breaches of ride-hailing giant Uber and Rockstar Games had been charged with multiple counts of computer misuse and breaching bail.
Those hacks were two of the most high-profile of 2022. Uber, which said it believed a hacker affiliated with Lapsus$ was responsible for the attack, was forced to take several of its internal tools offline while it expelled the hacker from its network. Shortly before Uber’s Slack system was taken offline, Uber employees received a message that read: “I am announcing that I am a hacker and Uber has suffered a data breach.” The hacker also reportedly said that Uber drivers should be paid more.
In the case of Rockstar Games, the attacker – who also goes by the alias “TeaPot” – claimed to have gained access to Rockstar Games’ internal Slack messages and early code for an unannounced Grand Theft Auto sequel by gaining access to an employee’s login credentials.