The U.S. Department of Justice has unsealed indictments against three hackers for having broken into eight email service providers (ESPs), stealing 1 billion email addresses and names, and receiving $2,000,000 for the sale of products to those email addresses through a “spam” sales scheme.
According to the indictments filed with the U.S. District Court for the Northern District of Georgia, Canadian David-Manuel Santos Da Silva and Viet Quoc Nguyen and Giang Hoang Vu from Vietnam used an email phishing scheme beginning in 2009 to gain access to log-in information from ESP employees, which was then used to access the ESPs databases containing email addresses and names. The hackers then sent spam messages through the ESPs own email servers selling otherwise free software for a profit through Da Silva’s Canadian corporation, 21 Celsius, Inc.
This is yet another example of email phishing using malware, where company employees receive otherwise friendly emails in their team inbox, but, when the seemingly innocuous embedded link to “coupons” or “photos” is clicked, the user’s log-in information is transmitted, giving hackers direct access to the system’s infrastructure. Da Silva, Nguyen and Vu, however, only used this access to retrieve email address and names in order to send out “spam,” and did not obtain any credit card or other financial information.
Da Silva was indicted on March 4, 2015 for with money laundering, after being arrested upon landing in the United States at the Ft. Lauderdale airport on February 5, 2015. Vu was arrested in the Netherlands in 2012, was extradited to the United States in March 2014, and pleaded guilty to conspiracy to commit computer fraud on February 5, 2015. At this point, Nguyen remains a fugitive.
According to a Department of Justice press release, the criminal investigation was handled by the Secret Service, Department of Justice, FBI, IRS, and Dutch law enforcement.