Two American men charged in 2022 for hacking DEA Portal – Krebs on Security
Two American men have been charged with hacking into a US Drug Enforcement Agency (DEA) online portal that taps into 16 different federal law enforcement databases. Both are alleged to be part of a larger criminal organization that specializes in using fake emergency data requests from compromised police and government email accounts to publicly threaten and blackmail their victims.
The U.S. Attorney for the Eastern District of New York today disclosed criminal complaints against Sagar Steven Singh, also known as “Weep,” a 19-year-old from Pawtucket, Rhode Island; and Nicholas Ceraolo, 25, of Queens, NY, who reportedly also went by the handles “Judge” and “Ominous.”
The Justice Department says Singh and Ceraolo belong to a group of cybercriminals known to its members as “ViLE,” which specializes in obtaining personal information about third-party victims, which they then use to harass, threaten or blackmail the victims, a practice known as “doxing.”
“ViLE is cooperative, and its members routinely share tactics and illegally obtained information with each other,” prosecutors charged.
The government alleges that the defendants and other members of ViLE use various methods to obtain victims’ personal information, including:
– deceiving customer service employees;
– submitting fraudulent legal process to social media companies to elicit users’ registration information;
– collaborating with and corrupting corporate insiders;
– searching public and private online databases;
– accessing a non-public US government database without authorization;
– illegally using official email accounts belonging to other countries.
The complaint says that once they obtained a victim’s information, Singh and Ceraolo would post it on an online forum. The government refers to this community only as “Forum-1,” and says it is administered by the head of ViLE (referred to in the complaint as CC-1).
“Victims are being pressured to pay CC-1 to have their information removed from Forum-1,” prosecutors allege. “Singh also uses the threat of revealing personal information to pressure victims into giving him access to their social media accounts, which Singh then resells.”
Sources tell KrebsOnSecurity that in addition to being members of ViLE, both Weep and Ominous are or were employees of Doxbin, a highly toxic online community that provides a forum to dig up personal information about people and post it publicly. This is supported by the Doxbin administrator’s alleged responsibility for a high-profile intrusion at the DEA’s law enforcement data-sharing portal last year.
The government alleges that on May 7, 2022, Singh used stolen credentials to log into a US federal government portal without authorization. The complaint does not specify which agency portal was hacked, but it states that the portal included access to law enforcement databases that track drug seizures in the United States.
On May 12, 2022, KrebsOnSecurity broke the news that hackers had gained access to a DEA portal that taps into 16 different federal law enforcement databases. As reported at the time, the inside scoop on how the hack went down came from KT, the current administrator of Doxbin and the individual referred to in the government’s complaint as “CC-1.”
In fact, a screenshot of the ViLE group’s website includes the group’s official roster, which shows KT at the top, followed by Weep and Ominous.
In March 2022, KrebsOnSecurity warned that several cybercrime groups are succeeding with fake emergency data requests (EDRs), where the hackers use compromised police and government email accounts to submit warrantless data requests to social media firms and mobile phone providers, confirming that the information being requested cannot wait for a warrant because it concerns an urgent matter of life and death.
That story revealed that the previous owner of Doxbin was also part of a teenage hacking group that specialized in offering fake EDRs as a service on the dark web.
Prosecutors say they linked Singh to the hacked government portal because he connected to it from an Internet address he had previously used to access a social media account registered in his name. When they raided Singh’s residence on September 8, 2022 and seized his devices, investigators with Homeland Security found a cell phone and laptop that allegedly “contained extensive evidence of access to the portal.”
The complaint alleges that between February 2022 and May 2022, Ceraolo used an official email account belonging to a police official in Bangladesh to impersonate a police officer in communications with US-based social media platforms.
“In these communications, Ceraolo requested personal information about users of these platforms, under the false pretense that the users were committing crimes or were in life-threatening danger,” the complaint states.
For example, on or around March 13, 2022, Ceraolo allegedly used the Bangladeshi police email account to falsely claim that the target of the EDR had sent bomb threats, distributed child pornography, and threatened Bangladeshi government officials.
On or about May 9, 2022, the government says, Singh sent a friend screenshots of text messages between himself and someone he had doxed on Doxbin and tried to push for their Instagram handle. The data included the victim’s social security number, driver’s license number, mobile phone number and home address.
“Look familiar?” Singh allegedly wrote to the victim. “You must follow me if you do not want anything negative to happen to your parents. . . I have all the details involving your parents. . . allow me to do whatever I want to them in malicious ways.”
None of the defendants could immediately be reached for comment. KT, the current administrator of Doxbin, has not responded to requests for comment.
Ceraolo is a self-described security researcher who has been credited in many news stories over the years with discovering security vulnerabilities at AT&T, T-Mobile, Comcast and Cox Communications.
Ceraolo’s stated partner in most of these discoveries, a 30-year-old Connecticut man named Ryan “Phobia” Stevenson, was charged in 2019 with being part of a group that stole millions of dollars worth of cryptocurrencies via SIM swapping, a crime that involves tricking a mobile carrier into routing a target’s calls and texts to another device.
In 2018, KrebsOnSecurity described how Stevenson earned bug bounties and public recognition from top telecom companies for finding and reporting security holes in their websites, while secretly selling the same vulnerabilities to cybercriminals.
According to the Department of Justice, Ceraolo faces up to 20 years in prison for conspiracy to commit fraud; both Ceraolo and Singh face five years in prison for conspiracy to commit computer hacking.
A copy of the complaint against Ceraolo and Singh is here (PDF).