Dutch police announced late last week that they’d arrested three young men, aged between 18 and 21, suspected of cybercrimes involving breaking in, stealing data, and then demanding hush money.
The charges include: computer intrusion, data theft, extortion, blackmail, and money laundering.
The trio were actually arrested a month earlier, back in January 2023, but the details of the arrest were kept secret until now, presumably to allow undercover investigations to continue.
Legally authorised undercover operations by cybercops can bring surprising results, even if those operations don’t ultimately lead to suspects being identified, or to actual servers and data being seized.
Late last year, for example, we wrote about a trick that the Dutch police used for some time against the DEADBOLT ransomware gang, who scramble unpatched QNAP network storage devices over the internet, and demand payment in Bitcoins to decrypt the ruined files.
The Dutch cops didn’t know who was behind the ransom demands, but they were able to “cheat the crooks back” by buying decryption keys for 155 victims, but then pulling the rug out from under the crooks before the payment went through.
The cops figured out a lawfully approved way to disown their payments on the blockchain (and thus to retain their Bitcoins) immediately after getting the decryption keys but before the criminals could claim the cryptocash.
Loosely speaking, the cops deliberately did a double-spend when buying the decryption keys, paying the very same Bitcoinage both to the crooks and, soon afterwards, to themselves. By carefully choosing the transaction fees they offered in each case, the cops were able to lure the crooks into assuming that the original payment was certain to go through, and thus to release the decryption keys quickly. The cops then jumped in with a duplicate transaction with a better fee, thus gazumping the crooks and clawing the funds back. Sadly, the DEADBOLT crooks have now learned simply to wait “for the cheque to clear” before shipping their “product”.
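To make the mechanism above concrete, here is an added example (not from the original article, and not the Dutch police's actual tooling) that models a mempool with simplified replace-by-fee behaviour. It is a deliberately toy model: the names `Tx`, `Mempool`, `run_zero_conf_scenario` and `run_wait_for_confirmation_scenario`, the single-input "coin" and the fee values are all constructed for illustration, and real Bitcoin node policy has more conditions than "higher fee wins". What it shows is the defensive lesson of the story: an unconfirmed payment that is visible in the mempool is not a payment, and only a recipient who waits for the transaction to be mined can be sure the funds are theirs.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Tx:
    """A toy transaction: which coins it spends, who it pays, and the miner fee."""
    txid: str
    inputs: FrozenSet[str]      # UTXO ids this transaction spends
    outputs: Dict[str, int]     # recipient -> amount (toy units)
    fee: int                    # fee offered to miners (toy units)


class Mempool:
    """Simplified mempool with replace-by-fee (constructed model, not real node rules)."""

    def __init__(self) -> None:
        self.pending: Dict[str, Tx] = {}
        self.confirmed: List[Tx] = []

    def _spent_inputs(self) -> set:
        return {i for t in self.confirmed for i in t.inputs}

    def submit(self, tx: Tx) -> str:
        # A coin already spent in a mined block can never be spent again.
        if tx.inputs & self._spent_inputs():
            return "rejected"
        # Pending transactions that spend any of the same coins conflict with this one.
        conflicts = [t for t in self.pending.values() if t.inputs & tx.inputs]
        if not conflicts:
            self.pending[tx.txid] = tx
            return "accepted"
        # Replace-by-fee: the newcomer displaces conflicts only if it pays strictly more.
        if all(tx.fee > c.fee for c in conflicts):
            for c in conflicts:
                del self.pending[c.txid]
            self.pending[tx.txid] = tx
            return "replaced"
        return "rejected"

    def mine_block(self) -> List[str]:
        # Miners take the highest-fee transactions; everything pending is confirmed here.
        block = sorted(self.pending.values(), key=lambda t: t.fee, reverse=True)
        self.confirmed.extend(block)
        self.pending.clear()
        return [t.txid for t in block]

    def is_confirmed(self, txid: str) -> bool:
        return any(t.txid == txid for t in self.confirmed)

    def confirmed_balance(self, who: str) -> int:
        return sum(t.outputs.get(who, 0) for t in self.confirmed)


COIN = frozenset({"utxo-1"})                               # constructed coin id
PAYMENT = Tx("tx-pay", COIN, {"payee": 100}, fee=1)        # low-fee payment to the payee
CLAWBACK = Tx("tx-claw", COIN, {"payer": 100}, fee=5)      # same coin, higher fee, back to payer


def run_zero_conf_scenario() -> Dict[str, object]:
    """Payee trusts the unconfirmed payment; a higher-fee conflict is mined instead."""
    pool = Mempool()
    pool.submit(PAYMENT)
    seen_unconfirmed = "tx-pay" in pool.pending and not pool.is_confirmed("tx-pay")
    second_status = pool.submit(CLAWBACK)
    pool.mine_block()
    return {
        "payee_saw_unconfirmed": seen_unconfirmed,
        "clawback_status": second_status,
        "payee_confirmed": pool.confirmed_balance("payee"),
        "payer_confirmed": pool.confirmed_balance("payer"),
    }


def run_wait_for_confirmation_scenario() -> Dict[str, object]:
    """Payee waits for a block before acting; the later conflict is simply rejected."""
    pool = Mempool()
    pool.submit(PAYMENT)
    pool.mine_block()
    release_allowed = pool.is_confirmed("tx-pay")   # the only safe release policy
    return {
        "release_allowed": release_allowed,
        "clawback_status": pool.submit(CLAWBACK),
        "payee_confirmed": pool.confirmed_balance("payee"),
    }


if __name__ == "__main__":
    print(run_zero_conf_scenario())
    print(run_wait_for_confirmation_scenario())
```

The first scenario is the story in miniature: the payee sees `tx-pay` in the mempool, the conflicting `tx-claw` replaces it because it pays a higher fee, and once a block is mined the payee's confirmed balance is zero. The second scenario is the counter-measure the article says the crooks eventually adopted, and which any legitimate merchant accepting cryptocurrency should follow as a matter of course: gate the release of anything valuable on `is_confirmed`, after which the conflicting transaction is rejected outright.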
No honour among thieves
Intriguingly, these latest Dutch arrests relate to cybercriminality going back to March 2021, when the suspects would have been two years younger still.
Despite their youth, the police claim that the suspects were blackmailing victims for more-than-grown-up sums of money:
As far as we can ascertain, the blackmail money demanded in each incident ranged from €100,000 to more than €700,000. … In the past few years, the prime suspect, [now 21], appears to have had a criminal income of €2,500,000.
Even worse, the police note that paying the blackmail didn’t always work out:
In many cases, stolen data was leaked online even after the affected companies had paid up.
Simply put, if you’ve ever wondered how much you can trust the crooks who just broke into your network by paying for their silence…
…the answer might very well be, “Not a bit.” (Pun intended.)
What to do?
For advice on how network intruders typically get in, how to detect them if they do, and how to keep them out in the first place, listen to this insightful interview with Peter Mackenzie, Director of Incident Response at Sophos.
This is a cybersecurity session from the Sophos Security SOS Week 2022 that will alarm, amuse and educate you, all in equal measure. (Full transcript available.)
Another way to help yourself, and everyone else, is to report cybercriminal activity to the police.
The Dutch police would love to hear from you, especially if you have any information about recent cybercriminality that might relate to the suspects above (the Dutch generally don’t name suspects, and haven’t done so here) – for example because you were blackmailed with the threat of stolen data being leaked online or of further, more destructive, attacks.
You can find out more about how Dutch law enforcement is taking on cybercrime on the police website, and read a short briefing document for IT specialists that gives tips not only on how to keep cybercrooks out in the first place, but also how to preserve useful evidence for police and the courts if attackers do get into your network.