One of the teens behind the 2015 hack on UK telco TalkTalk has been indicted in the US over a huge cryptocurrency heist.
Elliott Gunton, 19, is facing five separate charges ranging from computer fraud and abuse to wire fraud and aggravated identity theft. Potential penalties for the offences range from two to 20 years in prison.
Gunton (AKA "Planet") – along with co-defendant Anthony Tyler Nashatka of New York (AKA "Psycho") – is accused of accessing cryptocurrency exchange EtherDelta and emptying user accounts. No total figure for the fraud is given in the documents (PDF), but one account lost about $800,000. The alleged offences date back to 2017.
The indictment claims that the two used a variety of techniques to get access to EtherDelta's hosting account on Cloudflare. This included redirecting phone calls to a Google Voice account in order to access two-factor authentication checks, the document says.
They then allegedly accessed Cloudflare systems and redirected the DNS settings to an IP address registered to a UK company. By setting up a fake EtherDelta website, they could then access complete account details whenever a customer attempted to log in. These details could then be used to access and empty the actual customer accounts.
Elliott Gunton was in court in Norwich last month, when he was found guilty of money laundering and computer misuse offences.
Gunton accessed Australian telco Telstra's systems to seize control of an Instagram account with more than a million followers. At the time of his arrest, police found a Bitcoin wallet containing more than £400,000 in the cryptocurrency earned from flogging account details on cybercrime forums. He was ordered to hand that money to police.
He was also found to be in breach of his Sexual Harms Prevention Order (SHPO) after cops found a copy of a disk cleaner and deletion tool on his laptop. SHPOs normally include a condition that prevents suspects from deleting any internet history so police can easily monitor compliance. Indecent images of children were found on his computer when the then 16-year-old was convicted of the TalkTalk attack in 2016.
Although he was sentenced to 20 months, he was immediately released due to time served on remand. He was also served with a three-and-a-half-year community order restricting his internet and software use. ®