Hackers from Vietnam and Canada have been arrested for their parts in what the U.S. Department of Justice is calling one of the worst data breaches in U.S. history.
The indictments, which were unsealed by the U.S. Attorney’s Office in Atlanta on March 6, charge Viet Quoc Nguyen and Giang Hoang Vu from Vietnam and Canadian David-Manuel Santos Da Silva with breaking into eight email service providers and using the stolen data to earn millions of dollars.
According to a statement released by the U.S. Attorney’s Office in Atlanta, Nguyen, assisted by Vu, broke into the email service providers (ESPs) and stole an estimated 1 billion email addresses and names.
Da Silva is charged with money laundering in connection with the case. The breach started in 2009, and Vu was arrested in the Netherlands in 2012. Da Silva was arrested in Fort Lauderdale, Fla., where he tried to enter the United States through the airport there. Nguyen remains a fugitive.
In addition to charging the three with stealing email addresses and names from the email service providers, the DoJ is charging them with breaking into the ESPs’ computer systems and then using the ESPs’ own email software and facilities to send spam messages remotely. The normal business of those ESPs is to provide legitimate email marketing services for companies.
The DoJ statement said Nguyen and Vu used Da Silva’s firm, 21 Celsius, to handle the sales from the spam messages sent out by Nguyen and Vu. Da Silva’s marketing site Marketbay.com has apparently been shut down as a result of the arrests. A message on the site announces that the company is discontinuing all of its products and services, but does not say that the shutdown is related to Da Silva’s indictment.
Vu was extradited to the United States in February 2014 and pled guilty on Feb. 5, 2015. He will be sentenced in April. Da Silva was arraigned on March 5 in Atlanta.
According to a statement by FBI Special Agent Reginald Moore, the indictments and arrests were part of a joint project by the FBI and the U.S. Secret Service. “The Secret Service worked closely with the Department of Justice and the FBI to share information and resources that ultimately brought these cyber criminals to justice,” said Moore in a prepared statement. “This case demonstrates there is no such thing as anonymity for those engaging in data theft and fraudulent schemes.”
According to the indictments filed in the U.S. District Court for the Northern District of Georgia, Nguyen and Vu used a phishing scheme to plant malware on the computers of employees in the ESPs. The malware then gave the men access to the log-in information, which gave them access to the email addresses and names contained in the databases of each company.
In addition, the men gained access to the email software, which in turn allowed them to use their victims’ own software to send out spam messages selling products such as Adobe Reader. Da Silva’s company handled the payments and paid a commission to Nguyen and Vu. The Adobe software that the men were selling is actually available for free directly from the company.
Security researcher Brian Krebs reported that he was able to obtain a copy of the phishing emails sent to employees of the ESPs. The email is a fairly typical spear phishing email that pretends to be from a friend of an employee at one of the ESPs. It gives what is purported to be a link to wedding photos, but the link actually implants the malware on the unsuspecting victim’s computer.
If there is any good news about this breach, it is that the only information that was apparently stolen was names and email addresses. There was no theft of credit card numbers or Social Security numbers, and no breach of any other personal information. Unlike some breaches that attempt identity theft, this particular breach seems to have been solely for the purpose of sending out spam.
Still, the spam resulted in sales that allowed Vu and Nguyen to make over $2 million, according to investigators. That money came from commissions paid by Da Silva’s company for the bogus software sales. DoJ investigators said in the statements regarding the indictments, as well as in the indictments themselves, that Da Silva was aware that the emails being sent by Nguyen and Vu were spam.
“Those individuals who line their pockets with money gained through deceiving others should know they will not go undetected and will be held accountable,” said Internal Revenue Service Agent in Charge Veronica F. Hyman-Pillot, who was also involved in the case against the hackers. “IRS Criminal Investigation is committed to unraveling financial transactions to ensure that those who engage in these illegal activities are vigorously investigated and brought to justice.”
The indictments were brought as part of an international investigation that included the FBI, Secret Service, IRS Criminal Investigation Service and law enforcement agencies in the Netherlands.