Cybercriminal devoid of boundaries gets 10-year prison sentence

Serial extortionist of medical facilities stooped to cavernous lows in search of small payouts

A rampant cybercrook and repeat attacker of medical facilities in the US is being sentenced to a decade in prison, around seven years after the first of his many crimes.

Robert Purbeck, 45, pleaded guilty back in March to two counts of computer fraud and abuse related to cybercrimes affecting at least 19 different victims.

The Meridian, Idaho, man was also ordered to pay more than $1 million in restitution to those victims, as previously agreed at the plea hearing, and will serve three years of supervised release following his prison term.

"Purbeck's crimes reflect the efforts of a callous and brazen cybercriminal who not only hacked into numerous computer servers and stole sensitive personal information from both private and public actors, but also threatened to extort many of his victims and disclose their data," said US attorney Ryan K Buchanan. 

"Thanks to the tireless work of law enforcement, Purbeck's time of hiding behind a computer to steal, threaten, and intimidate is over."

The extent of Purbeck's theft, threats, and intimidation was laid out in great detail in the Northern District of Georgia's sentencing documents. The man who adopted the "LifeLock" moniker, and at other times the super cool "Studmaster" pseudonym, was known for his aggressive extortion tactics that in one case ran a medical business into the ground.

Not every attack Purbeck carried out was covered, although the ones that were vividly illustrated what kind of person the so-called Studmaster was.

In the same month Purbeck bought access to the servers of a medical clinic in Griffin, Georgia, from which he stole sensitive personal information belonging to more than 43,000 people, he also targeted a California dentist referred to only as "AY" in court.

The sentencing memo [PDF] submitted by the prosecution, which argued for a long (five-year-plus) sentence, states that Purbeck gained access to the dentist's systems and attempted to extort her for $10,000 worth of Bitcoin in "return" for not publicizing her patient's data on the web.

Purbeck sent 27 extortion emails containing varying degrees of threatening language. Some merely threatened the viability of AY's practice:

If you do not pay me then I will be forced to cause you much consternation. I will be forced indeed to cause the closure practice. I will text each of your customers their SSN and DOB… You will be screwed in California. Further, I will sell the details I have obtained on your practice on my darkweb page devoted to identity theft.

Other emails were even more dark, the sentencing memo claims, alleging Purbeck threatened to place AY's family members on various sex offender registers. He was quoted as saying:

Just so you know. I have access to several or more likely more than 100 police stations throughout the US. I can label your family members as sex offenders in any of those districts. You won't even know the districts where warrants have been issued in your name for crimes such as forcible rape and felony injury to a child among many other sadistic crimes I can pin on you and your family members. Even if you only get questioned at an airport it will be inconvenient. This is circle one of the hell I can put you in.

The prosecutors noted that AY suffered damages to the tune of $92,095 as a result of Purbeck's extortion attempts against her and her patients.

He seemed to really have it in for the dental sector, as a year later a Florida orthodontist, known only as "DS," was on the receiving end of the extortionist's handiwork.

In a similar fashion, Purbeck gained access to the systems of DS' practice, stole patient data, and used it as leverage to extort the orthodontist for $15,000 worth of Bitcoin, say prosecutors. 

Over the following ten days, Purbeck harassed DS with a series of emails and SMS messages, says the memo. Some contained patient data such as their name, date of birth, and social security number (SSN). Further down the line, Purbeck stooped lower, identifying DS's daughter, a minor, as an intimidation tool.

Purbeck wrote in one email:

"And most importantly sweet [name of DS's minor child], born the [date of birth] is [social security number]. She currently attends [name of school] and will hopefully continue to do so in a safe and secure way. Fear not my new friend, I do not mean threat or harm to your sweet child, I just needs you to be aware of what I know [sic] control. What I have."

The following day, the memo claims, Purbeck texted DS's wife demanding the extortion payment be paid before he started contacting patients.

DS refused to pay Purbeck, who then followed through with his threat to inform his patients in a ploy to ramp up the pressure to pay the ransom. One patient was sent a text containing an X-ray of their teeth, for example.

The text read:

"I'm not going to [expletive] with your families credit or bank accounts. However I do want you to make [DS] aware that there are consequences to not securing his network. I am extending you and your family a courtesy. If he does not reply to me tomorrow I will start draining his other clients bank accounts and his daughter [identifying daughter's name] accounts."

Purbeck even messaged teenage patients, threatening to sell their SSNs to criminals looking for a "fresh start."

Similar to AY, DS ultimately suffered extensive losses. The court heard these amounted to  $285,980.13 – a huge amount spent on forensic audits, notifications, remediation, and legal fees that eventually forced DS to sell his practice.

For two years after, DS said he and his family were on the brink of bankruptcy.

AY, DS, and the Griffin clinic, were just three of the 19 people and organizations victimized by Purbeck, says the memo, submitted late last week.

The government adds that others included:

  • the City of Newnan police department

  • A Locust Grove medical clinic

  • A former mayor in Michigan

  • A medical billing service in Alaska

  • An optometry clinic

  • A dialysis clinic

  • A church in Stone Mountain

  • A correctional facility

  • Am Idaho health department

  • Others

The list also included, abhorrently, a safe house for women and children who were victims of domestic violence.

The FBI raided Purbeck's home in August 2019, seizing devices that contained the personal data of 132,000 people. He admitted during an interview in his backyard that he was the individual behind the Lifelock moniker, responsible for various attacks including AY's, made $48,000 from various extortion attempts, and engaged in "some minor identity theft" like creating bank accounts using the data he stole.

Purbeck was indicted in March 2021, after which time, as The Register previously reported, he tried on multiple occasions to recover his devices that were seized by the FBI. He also tried to counter-sue those who arrested him, alleging among other things that his genitals were groped during the process, allegedly bringing on a bout of PTSD that required a psychotherapist's intervention.

Commenting on Purbeck's sentencing this week, Sean Burke, Acting Special Agent in Charge of FBI Atlanta, said: "Cyber extortion is unfortunately a rapidly growing threat and highlights the ever-growing need for corporations to remain vigilant in cybersecurity efforts. This sentencing is just one example of the FBI working together to hold criminals that hide behind their computers accountable, regardless of their location." ®

More about

TIP US OFF

Send us news


Other stories you might like