No. 14 CR 318
Hon. Gary Feinerman
history and characteristics, including a previous run-in with the FBI for the same
type of crime, and the need to send a message to other cybercriminals that they will
face severe punishment.
Factual Background
A.
Long before NullCrew was launched, the defendant was working on behalf of
hacking groups Net-Bashers and TeamPoison (or TeaMp0isoN), the latter of which
in 2011 and 2012 carried out several high-profile cyber-attacks against the United
Nations, NASA, NATO, and several other large corporations and government
entities. The defendant operated under the name Corps3 and Corps3_TP.¹
When the defendant's cyber-attacks on behalf of TeamPoison were traced
back to his family residence, FBI agents obtained a search warrant, which they
executed on December 22, 2011. The defendant, seventeen at the time, was
confronted by FBI agents and admitted to hacking on behalf of TeamPoison,
including the computer servers of a foreign government. The defendant stated that
he had been involved in hacking and with the hacking community for
approximately four years. He also admitted his involvement in the use of a botnet
(i.e., a network of compromised computers) to carry out cyber-attacks.
The defendant's confrontation with the FBI had little impact on him. As the
defendant later wrote, "I remember when [another hacker] tried to say I was
defending my crimes I commited² for TeaMp0isoN. LOL [Laugh out loud]. Im not
sorry for anything Ive hacked."
¹ TeamPoison largely disbanded in 2012 following the arrests of two of its members.
B.
Even though TeamPoison faded away with the charges against some of its
members, the defendant avoided arrest and his hacking continued unabated. He
went on to become a prolific and technically skilled hacker who, operating on behalf
of a new group named NullCrew, attacked a series of businesses, universities, and
government entities in the United States and throughout the world.
To do so, defendant and other members of NullCrew (such as Individual A)
identified vulnerabilities in victims' computer systems for the purpose of hacking
those systems. They shared those vulnerabilities with each other and, thereafter,
coordinated their efforts to exploit those vulnerabilities to break in and steal
confidential information, including encrypted and unencrypted sensitive personal
information for thousands of individuals.
Though the defendant was careful to use end-to-end encryption services when
communicating with fellow NullCrew members and other hackers, FBI agents were
able to recover from his computer some of those chats and they bring to light the
defendant's day-to-day efforts to find and exploit new victims. They also reveal the
defendant's utter disregard for the damage he was bringing about.
² The chats are reproduced here as they appeared in the chat logs; errors in spelling and
punctuation have not been corrected.
Take, for example, a series of chats the defendant had with a fellow hacker on
April 26, 2014. The defendant began by proposing that NullCrew go after more
sensitive targets ("My proposition was to hack servers that actually matter.
Something like, nsa satellites. traffic ICS / SCADA [Supervisory Control And Data
Acquisition]."). The defendant emphasized that he had many ideas for doing so,
given [his] skills.
The defendant chatted about the universities he was attacking that day for
NullCrew's so-called Schools Out cyber-attack, starting with University A
("[University A] here I come. Again."). The defendant explained that the reason he
hacked [University A] again was that a buddy challenged him to break back in.
The defendant bragged about what he was stealing ("Jacking so much shit from
[University A] lol [laugh out loud]"), including Full names, Addresses, Phone
numbers, Usernames, Institution they belong to, Passwords, and Emails.
The defendant also talked about several other victims he was targeting that
day, e.g., that he was [h]acking isreal isps [Internet Service Providers] just for the
fuck of it, owning [University C], and breaking into the computer science server
for University D. As the defendant said at one point, "Id be so fucked if I got raided
now . . . Hacking like five servers at once. Three united nations based. . . . two
universities."
To publicize these cyber-attacks, defendant and Individual A maintained
Twitter accounts, including @NullCrew_FTS and @OfficialNull, which they used to
announce their attacks, ridicule their victims, and publicly disclose confidential
information they had stolen through their cyber-attacks. The defendant, Individual
A, and other members of NullCrew hid their true identities by using aliases when
communicating with the public and with each other. The defendant used the aliases
Orbit, @Orbit_g1rl, crysis, rootcrysis, and c0rps3. Below is an example from
September 2, 2012 of the defendant taunting his victim, saying "were coming for
you" two hours before posting the stolen data:
confidential witness who was working with the FBI. The defendant and Individual
A stole from Company A's databases the usernames and passwords for over 12,000
of Company A's customers, intentionally causing damage to Company A's computer
servers.
On February 1, 2014, the defendant, through the Twitter account
@NullCrew_FTS, announced their computer attack against Company A. The
defendant wrote: "Whelp, lets start things off properly - nullcrew.org/[Company
A].txt . . . hacked by #NullCrew." The next day, the defendant published a link to a
website where he had published copies of database tables and credentials for a
computer server Company A rented from a third party. The materials on that
website included a section marked "tblCredentials," containing a list of Company A
customer credentials in the form of 12,000 account username and password pairs.
The defendant, Individual A, and others, acting on behalf of NullCrew,
launched a number of similar cyber-attacks against other victims, including the
following identified in his plea declaration:
On October 23, 2012, defendant and others participated in a cyber-attack on, and gained unauthorized access to, computer systems
belonging to U.S. State A;
Between July 19, 2013, and May 28, 2014, defendant and Individual A
participated in a cyber-attack on, and gained unauthorized access to,
computer systems belonging to University A;
Between January 17, 2014, and April 15, 2014, Individual A gained
unauthorized access to computer systems belonging to Company B and
defendant compiled the data stolen from Company B;
Between January 23, 2014, and April 15, 2014, defendant and
Individual A participated in a cyber-attack on, and gained
unauthorized access to, computer systems belonging to University B;
and
[Chat excerpt between Individual A and the defendant; text not recovered.]
Hours later, the defendant reached out to a freelance journalist about the
upcoming release, stating: "Hope youre ready for over a gb [Gigabyte] of data on
4/20 from 8-10 different high profiled targets." The journalist responded, "clearing
my schedule now :)." The defendant's post on April 20, 2014 likewise taunted his
victims. As the defendant wrote about University B:
For one of the international science organizations, the defendant not only
published stolen data, he published a screenshot of his access to the webmaster's
email account with the password having been changed:
Loss Amount
cost of any harm caused by his criminal conduct. Beyond the general rules for
calculating loss under the Guidelines, an additional comment expands the definition
of actual loss to include certain additional harms, whether or not reasonably
foreseeable, in cases brought under 18 U.S.C. § 1030, as here. U.S.S.G. § 2B1.1, cmt.
n.3(A)(v)(III). The commentary to the Guidelines states that for such offenses:
"actual loss includes the following pecuniary harm, regardless of
whether such pecuniary harm was reasonably foreseeable: any
reasonable cost to the victim, including the cost of responding to an
offense, conducting a damage assessment, and restoring the data,
program, system, or information to its condition prior to the offense,
and any revenue lost, cost incurred, or other damages incurred because
of interruption of service." Id. (emphasis added).
As further described in the attached loss calculation chart (Exhibit B), the
government received information from some of the defendant's victims regarding
the losses they sustained responding to the incident, conducting a damage
assessment, restoring the system, and revenue lost.
Victim          Loss
University A    $9,985.00
University B    $16,000.00
Company A       $691,500.00
Company B       $2,360.00
Company C       $72,365.00
Total           $792,210.20
Based on the handful of victims who provided data regarding their loss, the
defendant's cyber-attacks caused in aggregate at least $792,000 in loss to victim
companies, universities, and government entities. Those costs include responding to
The defendant's offense involved ten or more victims, which generates a 2-level
enhancement under § 2B1.1(b)(2)(A)(i). The defendant's numerous victims
include the samples of those identified by the defendant in his plea declaration
(University A and B, Company A, B, C, and D, and U.S. State A), as well as the
many others, including victims whose stolen data was released on April 20, 2014
(e.g., U.S. State B, a network solutions company, a credit union, and two
international science organizations) and victims whose information was hacked but
not released before the defendant's arrest (such as University C and D and a
webhosting company).
C. Sophisticated Means
D.
password, which likewise constitutes sensitive or private information.
E.
The offense level is increased four levels because the offense involves a
conviction under 18 U.S.C. § 1030(a)(5)(A), pursuant to Guideline
§ 2B1.1(b)(18)(A)(ii).
Therefore, based on the facts now known to the government, the anticipated
offense level is 27, which, when combined with the anticipated criminal history
category of I, results in an anticipated advisory Sentencing Guidelines range of 70
to 87 months' imprisonment, in addition to any supervised release, fine, and
restitution the Court may impose.
Section 3553(a) Factors
A.
product of a single, impulsive decision or an isolated incident. They were the result
of meticulous work the defendant undertook day in and day out for years.
It is worth emphasizing that much of the damage the defendant wrought
cannot even be quantified. Businesses, non-profits, and universities suffered
reputational damage when their private data was released and widely reported in
the press. Even the information the defendant divulged caused damage. He
disseminated online the usernames, email accounts, and passwords for thousands of
individuals, which not only violated their privacy and sense of online security, it
exposed them to financial fraud and identity theft.
As for the defendant's motivations, it is clear from the way he mocked his
victims publicly and in his private chats that he was driven by a malicious and
callous contempt for those with whom he disagreed. The defendant thought himself
above the law and that he could destroy others with impunity. The fact that the
defendant hacked without an apparent profit motive does not take away from the
seriousness of these crimes. After all, from the vantage point of his victims, the
defendant's particular motivations are largely irrelevant; what matters is that their
systems have been compromised and their sensitive and private data have been
released to the general public.
In the past few years, cybercrime has come to occupy our headlines, but the
defendant was ahead of his time, cutting his teeth as a teenager eight years ago and
steadily taking on more responsibility within three successive hacking groups. Each
Though the defendant has no criminal history, this case is not his first run-in
with the law. When he was seventeen years old, having already spent four years in
the hacking community, the defendant saw firsthand the gravity of his crimes when
his family home was searched as part of an FBI cybercrime investigation. That
confrontation with the FBI should have served as a wake-up call. Instead, the
defendant continued on the same path. Indeed, even after charges in this case, the
defendant repeatedly violated the conditions of release imposed by this Court, all of
which eventually left Magistrate Judge Daniel Martin no choice but to revoke the
defendant's bond.
In December of 2011, rather than being led away in handcuffs, the defendant
was offered a second chance at leading a law-abiding life. Despite having been cut a
break, and rather than heed the FBI's warning, the defendant upped the ante,
proceeding on a far more destructive course and demonstrating a complete
disregard for the law. Leniency after the defendant engaged in such prodigious
hacking would not serve as just punishment. Nor would it adequately deter the
defendant and others. His unwillingness to stop hacking despite the FBI's
intervention, coupled with his inability to comply with conditions of release in this
case, undercut any assurance that he will somehow manage to abide by the law
after nearly a decade of law-breaking.
General deterrence should also play a significant role in this Court's
sentence. Through the defendant's relentless hacking, he rose to prominence and
his downfall has been followed in the press and within the hacking community. This
sentencing thus presents an opportunity to send a message that will be received, a
message that cybercriminals will face lengthy imprisonment. A threat of serious
punishment is even more important because hackers often get away with these
crimes undetected.
In sum, a sentence within the guidelines is appropriate and warranted
because of the seriousness of the defendant's crimes, the substantial harm he
caused, his history and characteristics, in particular his lengthy track record, and
the need for deterrence and just punishment.
Conditions of Supervised Release
The government requests that the Court impose a guidelines-range term of
supervised release of one to three years. The government further requests that
defendant be required to comply with the following mandatory conditions set forth
in 18 U.S.C. § 3583(d) and USSG § 5D1.3(a):
Defendant shall not incur new credit charges or open additional lines
of credit without the approval of a probation officer unless the
defendant is in compliance with the financial obligations imposed by
this judgment.
Defendant shall pay any financial penalty that is imposed and remains
unpaid at the commencement of the term of probation. Defendant's
monthly payment schedule shall be an amount that is at least 10% of
the defendant's net monthly income, defined as income net of
For the foregoing reasons, the United States respectfully requests this Court
impose a sentence within the guidelines range of 70 to 87 months' imprisonment and
a three-year term of supervised release.
Respectfully submitted,
ZACHARY T. FARDON
United States Attorney
s/William E. Ridgway
WILLIAM E. RIDGWAY
Assistant U.S. Attorneys
219 South Dearborn St., Rm. 500
Chicago, Illinois 60604
(312) 353-5300