Cyber Criminals – Bad, Mad or Sad?

Article by Sandip Patel KC

As a baby barrister, I was assured that criminals were bad, mad or sad. Much later when I became involved in prosecuting major cybercrime cases, I discovered that most defendants did not fall into any one neat category and that their motivations and goals were often quite nuanced.

There was the man known as JiLsi, who ran Dark Market, a global online bazaar for criminals dealing in drugs, guns and anything criminal, from a London internet café. In the virtual world, JiLsi was a god, while in real life he was a lonely and nondescript young man who, as I later learned from Misha Glenny’s book “Dark Market”, also had a drug problem.

Then there was young Glenn Mangham, who from his bedroom successfully hacked Facebook, stole its source code and caused an international stir, sparking fears that Facebook was the target of industrial espionage. His actions were “the most extensive and grave” case of social media hacking ever to have come before a British court. His motive, however, was not greed but intellectual challenge. How he managed to infiltrate Facebook confounded some of the best brains at the Serious and Organised Crime Agency (SOCA), and I well remember Glenn giving our experts a tutorial when questioned. Glenn was an ingenious young man who had previously breached Yahoo, but no one believed him.

There were the hacktivists under the banner of Anonymous and their notorious operations. One was Operation Payback, when in 2011 Anonymous launched an attack on the media giant Sony and took down the PlayStation Network and other related PlayStation websites.

There was Operation Yukon, which targeted PayPal and Visa among others. Other victims included the FBI, the CIA, the UK Ministry of Defence and even SOCA, when Anonymous intercepted a “secure” call between SOCA and US law enforcement.

LulzSec, a splinter group, involved Jake Davis, aka Topiary. They carried out a retaliatory attack on HBGary, a US defence and security company with sensitive US government contracts, posting tens of thousands of sensitive documents, including emails, on the internet. The breach resulted in Congressional hearings and the collapse of the firm. Jake was instrumental in the attack. Jake, just 18 years old, was arrested in the Shetland Islands of Scotland, where he lived on his own. He was taken to London by private jet, an experience which he described as the “best day of his life.” Police confiscated a laptop and a 100-gigabyte hard drive that held 16 different virtual machines. The hard drive also contained details relating to attacks and hundreds of thousands of email addresses and passwords. Jake is now a security researcher, disclosing bugs to corporations as part of their bug bounty programmes.

Finally, there was young Seth, aka Narko, who started hacking at 14. At 16, he carried out attacks which impacted major internet exchanges around the world and were described by the Times newspaper as the “cyber-attacks which almost broke the internet.” The massive DDoS attack targeted the junk mail tracker Spamhaus, knocking it offline. The company requested help from the anti-DDoS specialist Cloudflare, after which the attacks escalated. At its peak the attack was channelling 300 gigabits of traffic per second at Spamhaus servers, and the sheer scale of it began to impact LINX, the London Internet Exchange. This in turn began to slow international internet traffic because of the volume of requests. On arrest, his computer showed multiple active virtual machines around the globe. Data extraction took 36 hours. He had 43 IP addresses and rented servers in countries without mutual assistance agreements. He used multiple online identities. There were one million lines of chat evidence. Seth was also a “gun for hire” who took down sites on demand. He had more than £72,000 in a UK bank account and kept multiple Bitcoin accounts. Seth made £10,000 in a good month.

I quickly learned that investigating and prosecuting cybercrime brings unique challenges which are not encountered in most traditional crime investigations, including multiple jurisdictional issues, expertise, technology, new investigation workflows and, of course, attribution, namely proving that the person in the dock is the virtual perpetrator.