Promising compsci student sold key-logger, infects 16,000 machines, pleads guilty, faces jail

What a Shames


A 21-year-old computer science student, who won a Programmer of the Year Award in high school, has admitted selling key-logging malware out of his college dorm room.

On Friday, Zachary Shames, an undergraduate at James Madison University in Virginia, US, pleaded guilty in a federal district court to one count of aiding and abetting computer intrusions. His plea was accepted by Judge Liam O’Grady.

In 2015, Shames made the JMU dean's list. Now he faces up to 10 years in the clink.

According to the Eastern Virginia district attorney's office, Shames was responsible for developing and selling more than 3,000 copies of a key-logger program called Limitless Logger that was used to infect at least 16,000 machines.

Shames went onto hacker forums to tout his $25 keystroke-logging spyware, which once installed on a victim's computer recorded passwords and other sensitive information. The malicious code attempted to encrypt itself to hide from antivirus packages, and logged keypresses were siphoned off to a website called limitlessproducts.org.

Shames was eventually snared by FBI agents after selling his software from a PayPal account that was registered in his real name, according to court documents obtained by The Register. That PayPal account was connected to an email address – hfmephobia@gmail.com – that answered support queries for the malware and was also the contact address for the domain name limitlessproducts.org. Shames had registered that domain under his real name and home address, too.

An ice hockey fan and one-time country club waiter, Shames built the software nasty while he was in high school, according to the DA's office. When he graduated from Langley High, in Fairfax, Virginia, he continued to develop and peddle his malware online from his JMU dorm room in Shenandoah Hall. He was arrested and charged after the Feds, armed with a search warrant, swooped in March 2016.

According to his LinkedIn page, Shames, a 3.7 GPA student of Great Falls, Virginia, worked as an intern at Northrup Grumman from 2015 to August of last year, developing front-end website code and backend Java software and managing a MySQL database. In 2014, he spent four months interning at Neustar, where he carried out various sysadmin tasks. His GitHub page shows he had worked on a bunch of JavaScript projects and Slack bots.

In happier times ... Spyware author Zach Shames

"I am a Junior at James Madison University working towards a degree in Computer Science," the malware author boasts on his personal website.

"I am really interested in developing cool new programs and I want to expand my skills to make me a more well-rounded programmer. I have been programming for the past six years, and in my spare time I do freelance design jobs and coding for various programs/websites. I am passionate about anything and everything internet and technology."

Here's how passionate he was. According to prosecutors, "Shames developed malicious software, known as a keylogger, that allowed users to steal sensitive information, such a passwords and banking credentials, from a victim’s computer.

"Shames sold his keylogger to over 3,000 users who, in turn, used it to infect over 16,000 victim computers. Shames developed the initial versions of his keylogger while attending high school in Northern Virginia, and continued to modify and market the illegal product from his college dorm room."

The kid will be sentenced on June 16. ®

Similar topics


Other stories you might like

  • Lonestar plans to put datacenters in the Moon's lava tubes
    How? Founder tells The Register 'Robots… lots of robots'

    Imagine a future where racks of computer servers hum quietly in darkness below the surface of the Moon.

    Here is where some of the most important data is stored, to be left untouched for as long as can be. The idea sounds like something from science-fiction, but one startup that recently emerged from stealth is trying to turn it into a reality. Lonestar Data Holdings has a unique mission unlike any other cloud provider: to build datacenters on the Moon backing up the world's data.

    "It's inconceivable to me that we are keeping our most precious assets, our knowledge and our data, on Earth, where we're setting off bombs and burning things," Christopher Stott, founder and CEO of Lonestar, told The Register. "We need to put our assets in place off our planet, where we can keep it safe."

    Continue reading
  • Conti: Russian-backed rulers of Costa Rican hacktocracy?
    Also, Chinese IT admin jailed for deleting database, and the NSA promises no more backdoors

    In brief The notorious Russian-aligned Conti ransomware gang has upped the ante in its attack against Costa Rica, threatening to overthrow the government if it doesn't pay a $20 million ransom. 

    Costa Rican president Rodrigo Chaves said that the country is effectively at war with the gang, who in April infiltrated the government's computer systems, gaining a foothold in 27 agencies at various government levels. The US State Department has offered a $15 million reward leading to the capture of Conti's leaders, who it said have made more than $150 million from 1,000+ victims.

    Conti claimed this week that it has insiders in the Costa Rican government, the AP reported, warning that "We are determined to overthrow the government by means of a cyber attack, we have already shown you all the strength and power, you have introduced an emergency." 

    Continue reading
  • China-linked Twisted Panda caught spying on Russian defense R&D
    Because Beijing isn't above covert ops to accomplish its five-year goals

    Chinese cyberspies targeted two Russian defense institutes and possibly another research facility in Belarus, according to Check Point Research.

    The new campaign, dubbed Twisted Panda, is part of a larger, state-sponsored espionage operation that has been ongoing for several months, if not nearly a year, according to the security shop.

    In a technical analysis, the researchers detail the various malicious stages and payloads of the campaign that used sanctions-related phishing emails to attack Russian entities, which are part of the state-owned defense conglomerate Rostec Corporation.

    Continue reading

Biting the hand that feeds IT © 1998–2022