Millions of personal data stolen by ethical hacker still floating around dark web

Updated on: 02 March 2023

Stefanie Schappert
Senior journalist

Ethical hacker arrested — Image by Shutterstock.

A so-called ethical hacker and his ransomware gang were arrested in Amsterdam, but authorities say millions of pieces of sensitive personal data stolen by the hackers are still available on the dark web.

Dutch police have arrested three men, including an ethical hacker working for a government-backed vulnerability disclosure institute, in connection with a double extortion ransomware ring that has left millions of its victim's personal information floating around the dark web to be used by other cybercriminals.

The January 23 arrest, announced only this week, follows a two-year investigation by Netherlands intelligence agencies, according to the Dutch news outlet NOS.

The hacker group is accused of extorting millions of pieces of data – and dollars – from numerous Dutch and international companies using a ransomware technique called double extortion.

Double extortion is when a ransomware group not only profits from the victim’s ransom payout, but also by selling the data they stole in the first place, usually to the highest criminal bidder on the dark web.

The trio, aged 18 to 21 years old, is said to have made more than $2.6 million in recent years.

The trove of stolen personal data included individuals' names, addresses, telephone numbers, dates of birth, and more sensitive information such as bank account numbers, credit cards, passwords, license plate details, citizen service numbers, and passport information.

What makes this even more egregious is that one of the 21-year-old hackers was fully employed as an ethical researcher for the government-affiliated Dutch Institute for Vulnerability Disclosure (DIVD).

The so-called “ethical hacker” – identified by police as the ringleader of the gang – was reported to have access to sensitive information and actually took part in DIVD confidential investigations.

One DIVD manager sent an internal Slack memo after the arrest stating there was “no indication he was involved in those kinds of matters,” NOS reported.

"We immediately blocked him and denied him access to our systems,” the crisis manager said.

"We are just as shocked as everyone else... he was a nice colleague,” they said.

Dutch police said the ransom demands were, on average, 100,000 euros (US $105k) per company, but went as high as 700,000 euros (US $745k) depending on the victim.