Computer engineer hacks own employer, demands $750K ransom


A company’s primary computer engineer launched a cyberattack that attempted to extort $750,000 out of the firm.

Daniel Rhyne, a resident of Warren County, New Jersey, was employed at a US-based industrial firm that provides services to various industries, including electronics, biopharmaceuticals, and food and beverage.

Rhyne was employed as a core infrastructure engineer at the firm and served as the company’s expert on virtual machines, software that emulates a physical computer.

He allegedly exploited his position at the victim company, named ‘Victim 1’ in the court documents, by creating a secret virtual machine (VM) on the company’s network, which gave him access to parts of the company’s environment that required elevated privileges.

On November 25th, 2023, employees at the company began receiving peculiar password reset notifications from the company’s domain administrator account.

This account holds privileges that allow it to change policies affecting all computers within the company.

Later that day, Rhyne’s colleagues, managers, and company personnel received an email from an external address stating that the firm had been penetrated.

According to the hacker's email, all of the company’s IT administrators had been locked out or deleted from the computer network, all of the company’s backups had been deleted, and an additional 40 random servers would be shut down over a period of 10 days if the ransom wasn’t paid.

The ransom demanded was €700,000 in Bitcoin, which roughly translated to $750,000 at the time.

Law enforcement identified Rhyne as the person who supposedly sent the ransom email demanding money to prevent the deletion of the company’s servers. Rhyne is believed to have performed malicious activity on the company’s network.

After the initial ransom email, law enforcement thoroughly searched Victim 1’s computer network and found unauthorized access to the company’s administrator account on the company’s domain controller.

This access was carried out from a remote desktop, which turned out to be a hidden VM that Rhyne allegedly created. This VM was used to penetrate Victim 1’s administrator account numerous times between November 10th and November 25th, 2023.

Furthermore, an internal investigation found that the VM was accessed by Rhyne’s company computer and his user account.

The investigation found that certain web searches conducted by Rhyne’s user account and computer matched the queries on the hidden VM. These web searches included “command line to change password,” “command line to change the local administrator password,” and “command line to remotely change the local administrator password.”

The criminal complaint alleges that Rhyne controlled and accessed the hidden VM, used it to access the company’s network without consent, intentionally disrupted the victim company’s network, and sent extortion emails to the victim company’s employees.