Mon Dieu! Suspected French ShinyHunters gang member in the dock
Man seized in Morocco is now presumably sleepless in Seattle
A French citizen was scheduled to appear before a US court on Friday on a nine-count indictment related to his alleged involvement in the ShinyHunters cybercrime gang that trafficked in identity and corporate data theft and sometimes extortion.
Twenty-one-year-old Sebastien Raoult, aka Sezyo Kaizen, was arrested last year in Morocco and extradited to the US this week. Raoult and two co-conspirators were indicted on nine counts — conspiracy to commit computer fraud and abuse, conspiracy to commit wire fraud, four counts of wire fraud and three counts of aggravated identity theft — by a grand jury in 2021.
Since early 2020, the ShinyHunters crew has stolen "millions of customer records" and sold sensitive data belonging to more than 60 companies in Washington state and elsewhere around the world, according to the US Attorney's office.
The unnamed victims include tech companies, an international stock trading company, a clothing business, a video game developer, and a nutrition and fitness concern.
"Too many bad actors believe they can illegally access proprietary information and personal financial information by hiding behind a keyboard," US Attorney Nick Brown said in a statement.
If found guilty, Raoult could spend a good chunk of his life behind bars. The conspiracy to commit computer fraud and abuse charge carries a maximum of 10 years in prison, while the conspiracy to commit wire fraud count is punishable by 27 years, and wire fraud itself by an additional 20 years, if the court so decides.
Additionally, aggravated identity theft carries a mandatory minimum two-year prison term to follow any other prison sentence imposed in the case.
Two other French citizens, 23-year-old Gabriel Kimiaie-Asadi Bildstein aka "Kuroi" and "Gnostic Players," of Tarbes and 22-year-old Abdel-Hakim El Ahmadi aka "Zac" and "Jordan Keso" of Lyon, are also charged in the indictment, but remain uncuffed.
According to the court documents [PDF], the trio's alleged criminal activities started with targeted phishing emails "designed to deceive and dupe recipients into disclosing login credentials and access keys."
To make the emails look convincing, prosecutors say the crew imitated legitimate websites and log-in pages for legitimate service providers including, among others, a "computer code hosting and development platform used for software development and version control using 'git,'" a messaging and communication platform, and a US-based cloud provider.
These, of course, weren't real websites, but rather ones controlled by ShinyHunters and used to steal victims' credentials. The crooks allegedly used this access to sneak onto corporate networks and snoop around accounts and infrastructure, looking for valuable files such as customer records, source code, and internal user data, which they then stole and sold on various underground forums.
In some cases, to maintain persistent access to these accounts, the criminals also changed the account settings and passwords, or deployed tools to bypass password logins completely, the indictment says. Their access also allowed them to illicitly mine cryptocurrency on victims' computers, the court documents say.
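As an added defender-side example (not from the article, the indictment, or any court filing), the short Python script below scans audit-log lines for the pattern the indictment describes: a login from an IP address the account has never used, followed within a short window by a password, MFA, access-key or recovery-address change. The log format, the field names, the list of "persistence" actions and the per-account IP baseline are all assumptions, and the sample lines are constructed.

```python
"""Flag a phishing-to-persistence pattern in account audit logs.

Added defensive example; not part of the article or any court filing.
Heuristic: a login from an IP the account has never used before, followed
within a short window by a credential or account-setting change, matches
the post-phishing account takeover the indictment describes.
Log format, field names and the IP baseline are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> <user> <action> <source ip>"
# Constructed sample events (not real data).
SAMPLE_EVENTS = [
    "2023-01-27T09:00:00 alice login 10.0.0.5",
    "2023-01-27T09:10:00 alice password_change 10.0.0.5",
    "2023-01-27T09:05:00 bob login 203.0.113.7",
    "2023-01-27T09:12:00 bob access_key_create 203.0.113.7",
    "2023-01-27T09:14:00 bob mfa_disable 203.0.113.7",
    "2023-01-27T09:00:00 carol login 198.51.100.9",
    "2023-01-27T09:00:00 dave login 198.51.100.22",
    "2023-01-27T11:00:00 dave password_change 198.51.100.22",
]

# Constructed baseline of IPs each account has used before (assumption).
KNOWN_IPS = {"alice": {"10.0.0.5"}, "bob": {"10.0.0.8"}}

# Actions that grant or preserve access after a credential is stolen.
PERSISTENCE_ACTIONS = {
    "password_change", "mfa_disable", "access_key_create", "recovery_email_change",
}


def parse_events(lines):
    """Parse log lines into (timestamp, user, action, ip) tuples, oldest first."""
    events = []
    for line in lines:
        ts, user, action, ip = line.split()
        events.append((datetime.fromisoformat(ts), user, action, ip))
    return sorted(events)


def find_takeover_candidates(lines, known_ips, window=timedelta(minutes=30)):
    """Return findings: a persistence action within `window` of a new-IP login."""
    known = {user: set(ips) for user, ips in known_ips.items()}
    new_logins = defaultdict(list)  # user -> [(login_time, login_ip)]
    findings = []
    for ts, user, action, ip in parse_events(lines):
        if action == "login":
            seen = known.setdefault(user, set())
            if ip not in seen:
                new_logins[user].append((ts, ip))
                seen.add(ip)
            continue
        if action not in PERSISTENCE_ACTIONS:
            continue
        for login_ts, login_ip in new_logins[user]:
            if timedelta(0) <= ts - login_ts <= window:
                findings.append({
                    "user": user,
                    "login_time": login_ts.isoformat(),
                    "login_ip": login_ip,
                    "change_action": action,
                    "change_time": ts.isoformat(),
                    "change_ip": ip,
                })
    return findings


if __name__ == "__main__":
    for finding in find_takeover_candidates(SAMPLE_EVENTS, KNOWN_IPS):
        print(f"ALERT {finding['user']}: {finding['change_action']} at "
              f"{finding['change_time']} after new-IP login from "
              f"{finding['login_ip']} at {finding['login_time']}")
```

On the constructed sample, only bob is flagged (two findings, one per change); alice changed her password from a known IP, carol logged in from a new IP but changed nothing, and dave's change falls outside the 30-minute window. In a real deployment the IP baseline would come from historical login data, and the window and action list should be tuned to the provider being monitored.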
They also allegedly demanded ransom payments on occasion, publicly leaked the stolen data, and redirected traffic from the victim company's website to a domain that shows an image of a muscled man wearing all black, raising his fists in the air, with the words "Hacked by Shiny Hunters" below him.
"Such conduct was designed to, among other things, promote the ShinyHunter Group's notoriety, substantiate the group's hacking ability and the authenticity of the hacked data, and in turn to facilitate monetization, whether through sales or ransom payments," according to the indictment. ®