There is one thing Kevin Mitnick, Sebastien Vachon-Desjardins, Adrian Lamo, Albert Gonzalez, and Jeanson James Ancheta have in common. All of them used to be cybercriminals, and every single one had to answer to law enforcement for their wrongdoings.
One could argue there is something poetic about the cat-and-mouse game cybercriminals play with police officers. And following the plot of our favorite blockbusters, bad guys should, with no exception, be held accountable for their actions.
Indeed, as threat actors improve their tactics, the technology used to capture them improves as well. Yet, it doesn’t necessarily mean that all crooks will sooner or later be punished – due both to their advanced skills and affiliations with nation-states that turn a blind eye to their crimes.
“Most cybercriminals remain at large because their activities are either not yet detected or unreported. Many cybercrime gangs work hand-in-glove with nation-states who either turn a blind eye or actively assist them by supplying technology, identifying targets, and offering plausible deniability when confronted,” A.N. Ananth, Chief Strategy Officer at Netsurion, told Cybernews.
Despite that, cyber police and international security services actively prosecute online criminals. Stories of arrests, carried out in coordination with agencies throughout the globe, constantly make the headlines. As such, recently, the City of London Police arrested seven teenagers in relation to the famous Lapsus$ extortion group, while the Russian domestic intelligence service, the FSB, detained 14 REvil ransomware affiliates.
“Cybercriminals are usually caught by the coordinated efforts of law enforcement. Europol, for example, busted the infrastructure of the crime gang behind Emotet, and it required coordinated action across multiple countries,” Ananth added.
The people about to be discussed were – or still are – some of the most notorious cybercriminals of their times. And in their cases – whether by luck, law enforcement’s efforts, or the involvement of third parties – justice was served.
Sebastien Vachon-Desjardins: "Jesse James meets the 21st century"
Sebastien Vachon-Desjardins, a former IT specialist for Public Services and Procurement Canada, might be better known for the group he was affiliated with – NetWalker. The ransomware gang pioneered the double extortion method and operated during the rise of the COVID-19 pandemic, with the majority of its 450 victims located in the US.
The group hacked into hospitals, schools, and other institutions, threatening to leak stolen data if the ransom demands were not met. Using such a method, NetWalker managed to obtain an estimated $60 million over its run.
“With every advancement in software comes both new capabilities for tracing criminals and also the potential for those systems to be exploited. The development of evasion software will ultimately exist for every new tool we create,” Paul Tracey, Founder and CEO at Innovative Technologies, told Cybernews.
The gang was busted in January 2021 with the arrest of Vachon-Desjardins, who was one of its most active affiliates – and allegedly still worked for the Canadian government while participating in ransomware attacks. He is also suspected of having ties with other notorious hacker groups, such as REvil.
At the same time, law enforcement authorities in the US, Canada, and Bulgaria shut down NetWalker’s dark web system.
“This seizure was performed by Bulgarian law enforcement in cooperation with the United States. Had that partnership not occurred, it's possible that the server would not have been seized, and Vachon-Desjardins would be as invisible to global law enforcement as he was beforehand,” said Mike Pedrick, VP of Cybersecurity Consulting at Nuspire.
During the arrest, authorities seized 719 Bitcoin, valued at $28 million at the time, and $600,000 in cash. Vachon-Desjardins was extradited to the United States from Canada.
He was sentenced to 20 years in prison and ordered to forfeit $21.5 million. In this case, US District Judge William Jung exceeded the recommended 12-to-15-year jail term to make an example of Vachon-Desjardins.
Pedrick added: “For many crimes, sentencing is based on impact and compounded per victim. If this practice was applied to cybercriminals like Vachon-Desjardins, the 20 years that he was sentenced to would be considered a laughably light sentence.”
Pedrick points out that in his sentencing of Vachon-Desjardins, Jung himself agreed with this sentiment, saying: “I would have given you life.”
Adrian Lamo: “Homeless hacker”
Adrian Lamo was different in every way. Instead of sipping on a cocktail while on a yacht somewhere in the Caribbean, he moved between abandoned buildings and friends’ couches. All of his cyber-related activities happened from an old Toshiba laptop that was missing seven keys – typically while he was sitting in an internet cafe.
In the early 2000s, this man with no fixed address was considered one of the world's most famous hackers. Lamo turned in whistleblower Chelsea Manning to law enforcement by hacking into the New York Times network and revealing that Manning had passed classified documents to WikiLeaks.
WikiLeaks is a non-profit organization founded by Julian Assange, which has been publicly releasing confidential information, such as details of war crimes committed by the US Army during the war in Iraq, a US Army manual for the Guantanamo prison camp, and stolen emails allegedly showing that the Democratic National Committee had unfairly favored Hillary Clinton over her rival, Bernie Sanders, during the 2016 presidential race.
Manning, a former United States Army soldier who exposed the nature of warfare in Afghanistan and Iraq, was sentenced to 35 years in prison days later. Although Lamo expressed regret about her lengthy sentence, he thought that doing nothing would’ve caused him to wonder whether those documents “would end up costing lives, either directly or indirectly.”
Manning and Lamo were no strangers – or at least, not exactly. Manning reached out to Lamo after reading about a hacker convicted of breaking into computers at the New York Times, Yahoo!, and Microsoft in 2004. She asked him: “If you had unprecedented access to classified networks 14 hours a day, seven days a week for eight-plus months, what would you do?”
Lamo did not hesitate with his answer.
In August 2003, Lamo was charged with the New York Times hack and other intrusions. When first skulking around the New York Times database of telephone and social security numbers, belonging to over 3,000 contributors to the paper's Op-Ed page, he jokingly added himself to the list of pundits as a “hacking expert.” Some employees were still using their social security numbers as passwords, giving Lamo all-too-easy access.
In 2004, he pleaded guilty to one felony count of computer crimes against Microsoft, LexisNexis, and the New York Times. He was sentenced to six months’ detention and two years’ probation, and was additionally ordered to pay $65,000.
“Cybercriminals take advantage of the anonymity of the internet. Cybercriminals know the limitations of law enforcement and can figure out where the best places are to host their malicious activities. They know to diversify their tactics and infrastructure across different countries, so it is harder for law enforcement bodies to understand the full scope of their cybercrime,” Luis Corrons, Security Evangelist at Avast, commented.
Lamo admitted to various news outlets that his decision to turn in Manning cost him a lot: he was constantly receiving death threats, as well as hate messages from the hacking community.
At the age of 37, Lamo was found dead, although no definitive cause of death was identified.
“Ten or fifteen years ago, when the notorious hackers were active, attack methods and defenses were in their infancy and remarkably simple. Over the years, fewer and fewer cybercriminals are getting caught, and there is no reason to expect this will increase, which is why the focus is on having the strongest defense possible,” said John Gunn, CEO at Token.
Albert Gonzalez: most prolific financial scammer
Albert Gonzalez thought big: if he was going to commit a crime, it had to be grandiose. He stole and sold over 170 million card and ATM numbers between 2005 and 2007, although his journey started way before then.
At the age of 14, Gonzalez hacked into NASA, attracting interest from the Federal Bureau of Investigation (FBI). After that, his interest in hacking continued to grow.
In the early 2000s, he was accused of being behind the ShadowCrew group, which carried out a similar fraud and hacking scheme involving millions of credit cards online. Thousands of people were registered on the group’s website, which put card numbers, email accounts, and counterfeit documents (such as passports and driver's licenses) up for auction.
Gonzalez was apprehended but escaped a prison sentence after he agreed to turn in 19 ShadowCrew members.
“After a lot of work, law enforcement officials were able to identify and capture Albert for multiple counts of credit card fraud, and during that time, they were able to turn him into an informant. He ultimately led to the arrest and dismantling of the ShadowCrew fraud group,” said Josh Bartolomie, VP of Global Threat Services at Cofense.
For Gonzalez, however, a life of cybercrime was far from over.
“There is a lesson learned here,” added Bartolomie. “While in custody [as a] turned informant, Albert was responsible for one of the largest credit-card frauds identified up until that time.”
In this manner, Gonzalez served as a paid informant for the US authorities while continuing to illegally obtain and sell credit card details online. During this period, he and his accomplices accessed over 170 million credit card and ATM numbers from organizations, including 45.6 million credit and debit card numbers from TJX Companies.
His illicit operation compromised BJ's Wholesale Club, DSW, Office Max, Boston Market, Barnes & Noble, Sports Authority, and T.J. Maxx.
All this meant Gonzalez was illegally raking in millions of dollars, spending his days in luxurious apartments and throwing grand parties.
In 2008, however, the fairytale life came to an abrupt end, and Gonzalez was arrested at the National Hotel in Miami Beach, Florida. In 2010, he was sentenced to 20 years as part of a plea deal for a string of hacks and the Heartland Payment Systems case, in which 130 million card numbers were stolen.
“The sentencing of hacker Albert Gonzalez to 20 years in prison and millions of dollars in restitution was the stiffest verdict imposed for a financial crime and at the time, the longest US prison term in history for a cybercrime,” Sherlyn Rijos-Altman, Account Director at Montner Tech, told Cybernews.
Kevin Mitnick: FBI’s most wanted hacker
To this day, Kevin Mitnick’s name is popular in cybercriminal circles, although it’s been over two decades since his arrest. The man behind wire fraud, as well as high-profile hacks into computer networks and telephone systems of major corporations, was finally arrested in 1995 by the FBI after being proclaimed their “most wanted hacker.”
Mitnick’s cybercriminal story began when he was only 12 years old: the boy used reverse engineering on the Los Angeles public transportation transfer system to get free rides.
Although his journey began with simple social engineering, he eventually advanced to hacking into computer networks of companies like Digital Equipment Corporation (DEC), Sun Microsystems, and Motorola.
“Most cybercriminals are great innovators. They tweak technologies to make them work to their advantage. This is what Mitnick did at the young age of 16. By tweaking the system, Mitnick was able to access DEC's internal network. The DEC system was the key to creating the early operating system used for 16-bit minicomputers. Kevin Mitnick copied all the files but never did anything malicious with the data,” said James Chang, Senior Manager at Velocity IT.
With time, however, Mitnick’s crimes were becoming less and less benevolent. He stole computer passwords, altered computer networks, read private emails, and accessed federal computers.
“Mitnick benefited from a lack of investigators who understood how to investigate cybercrimes. But since he was in the US, it was a matter of time for him,” Darren Mott, a retired FBI Special Agent who spent his career investigating cybercrimes, told Cybernews.
Mitnick was first charged and sentenced in 1988, although during his supervised release, he managed to hack into Pacific Bell voicemail computers. A few more years on the run followed – before Mitnick’s fateful encounter with a security consultant, Tsutomu Shimomura.
Mitnick understood that hacking from a fixed landline would attract attention, so he started opting for cellular phones for mobile network access. The only thing he lacked was the code – which was possessed by Shimomura.
By using source address spoofing and TCP sequence prediction, Mitnick was able to connect to Shimomura’s home server and download the necessary software.
Shimomura was, to say the least, not happy. The work he did to track Mitnick through a dozen systems, using evidence he found on a copy of his stolen software, is nothing short of astonishing. With the help of the cellular company, he narrowed down the attacker’s location to Raleigh, North Carolina.
“The mistake that Kevin made was hacking Tsutomu Shimomura to obtain code pertaining to cell phones. This turned Shimomura into a bloodhound, and he helped the authorities ultimately locate Kevin. The FBI couldn’t trace him due to his channeling his activities through cloned cell phones, but Shimomura was a cellular expert,” Eric Florence, cybersecurity analyst, told Cybernews.
Shimomura managed to identify Mitnick’s exact apartment by cooperating with an FBI radio surveillance team. In 1995, Mitnick was eventually captured. Law enforcement also seized over 100 cloned cellular phones he used to hide his location, as well as fake IDs.
Irina Tsukerman, a geopolitical analyst, had an opportunity to hear directly from Mitnick about his exploits – and according to her, narratives about his arrest differ quite a bit.
“Kevin Mitnick himself denies that he had relied on hacking as a means of breaking into and taking over computer systems; both in person and in his book, he claims that he socially engineered his way into these systems by getting passwords which facilitated his entry. He and his defenders claimed that many claims against [him] were fabricated or exaggerated by the media – and that law enforcement, to a great extent, relied on these accounts as evidence to charge him, even though he did not cause all that much damage.”
In 1999, Mitnick pleaded guilty to a variety of charges, including wire fraud, possession of unauthorized access devices, and interception of wire or electronic communications. He was sentenced to 46 months in prison, on top of another 22 for violating his 1989 parole.
Mitnick served five years in prison and eight months in solitary confinement – he recalled that this was due to law enforcement officials, who convinced a judge he could launch nuclear missiles by whistling into a pay phone.
Today, Mitnick is back in the world of cyber as a computer security consultant and seller of security exploits, conducting gray hacking activities. He was released in 2020 and successfully appealed the prohibition to use communication technology, later writing and publishing the chronicles of his crimes, Ghost in the Wires.
Jeanson James Ancheta: first botnet hacker to be charged
By today’s standards, Jeanson James Ancheta’s criminal exploits would likely fall short of being a high-profile computer hijacking. But for law enforcement at the time, his arrest was a milestone: in 2006, Ancheta became the first man to be sentenced for controlling large numbers of botnets, spreading malicious software, and financially benefiting from it.
Ancheta was behind armies of hijacked computers used to launch internet-based attacks. He also sold them to spyware companies and spammers, earning him over $3,000, on top of another $60,000 gained from an adware scam.
The 21-year-old hacker deployed internet worms to overtake PCs running on the Windows operating system, using them as a base for online ad-serving software.
The FBI captured him in a complex operation, in which they invited him to their office on the pretext of collecting computer equipment. Ancheta was eventually accused of using the botnet to install adware on various devices, as well as infecting computers at the weapons division of the US Naval Air Warfare Center in China Lake and the Defense Information Systems Agency (DISA).
“While luck isn't the complete equation, there's a well-known saying: ‘Criminals have to be lucky all the time, whereas law enforcement only has to be lucky one time,’” said David Pickett, Senior Cybersecurity Analyst at OpenText Security Solutions.
He added that exactly how cybercriminals get caught depends on the attack vector: “The most common methods that we observe, from an email defense standpoint, include compromised accounts and servers, anonymizing virtual private networks and servers, Tor network use, traffic routing through multiple countries, traffic originating from countries with unfriendly government relations, and countries with strict privacy laws or lack of extradition agreements depending upon applicable geolocations.”
Ancheta was sentenced to 57 months in prison – which, allegedly, became the longest sentence for spreading computer viruses. He was also ordered to part with a BMW he had bought with illegally obtained money and to surrender $60,000. Additionally, Ancheta agreed to repay around $20,000 for hacking into computers at China Lake and DISA.
“The majority of victims of cybercrimes never report them, making it difficult to track and apprehend cybercriminals. Most people do not know where to report them, and even if they do, they seldom receive a positive response. Failure to report cybercriminals makes it difficult to keep an accurate tally of cybercrimes solved. It also prevents law enforcement from collecting the evidence necessary to identify and convict the masterminds behind an attack,” Joe Troyer, CEO and Founder of Digital Triggers, told Cybernews.
Was the punishment… too harsh?
In the US, sentences for cybercrime can range up to 20 years or even more, depending on the severity of the case. But to many, digital offenses might seem incomparable to physical crimes we’re so familiar with – especially when sentences reach those of manslaughter and second-degree murder.
Yet, our online and real lives are not as separate as they might seem. In Spain, two people got arrested for disabling over a third of the sensors that make up the country’s radioactivity alert network, which informs the public in the event of a nuclear accident.
In turn, hacking hospital smart devices could result in countless deaths – as tragically happened with a woman in Germany, who died after threat actors attacked the hospital’s IT systems. Similarly, a ransomware attack led to the collapse of a hospital’s computer network where a woman in Alabama, Teiranni Kidd, was giving birth. Her daughter was born with severe brain damage and later died.
All of this shows just how devastating cyberattacks can be – and we shouldn’t disregard them as something happening behind the screen that is hence unable to hurt us.
“There's still this mentality that because a crime didn't take place in the 'real' world, it shouldn't be punished harshly, but this doesn't account for the fact that the losses people and companies around the world face are definitely more real than ever,” said Alex Alexakis, the founder and CEO of PixelChefs.
And, of course, in the event of data breaches, scams, phishing campaigns, and leaks – while the after-effects might not be as immediate – they are, nonetheless, destructive.
“The evidence of cybercrimes is less obvious than physical crimes but wholly more devastating in the aggregate. It may be time to consider a change in investigative tactics and a dramatic increase in sentences for those who are caught,” said Pedrick.
Bartolomie goes even further, arguing that cyberattacks should be treated more seriously than physical crimes.
“The potential scope and scale for physical crimes are generally restricted – for instance, I can only rob one bank at a time. While with cyber, you could perform the same attack across multiple targets simultaneously.”
On the other hand, there are those who believe that cyber “youngsters” – teenagers who find themselves in the dark alleys of the web before their brains have fully developed – should be re-educated rather than punished. These kids are often more brilliant than malicious, and their profiles tend to differ significantly from that of a typical criminal. Whether society stands to benefit more from their being behind bars or in front of laptops is up to the judicial system to decide.