Confessions of an ID Theft Kingpin, Part I
From Krebs on Security:
At the height of his cybercriminal career, the hacker known as “Hieupc”
was earning $125,000 a month running a bustling identity theft service
that siphoned consumer dossiers from some of the world’s top data
brokers. That is, until his greed and ambition played straight into an
elaborate snare set by the U.S. Secret Service. Now,
after more than seven years in prison, Hieupc is back in his home country
and hoping to convince other would-be cybercrooks to use their computer
skills for good.
For several years beginning around 2010, a lone teenager in Vietnam named Hieu Minh Ngo ran one of the Internet’s most profitable and popular services for selling “fullz,”
stolen identity records that included a consumer’s name, date of birth,
Social Security number and email and physical address.
Ngo got his treasure trove of consumer data by hacking and social
engineering his way into a string of major data brokers. By the time the
Secret Service caught up with him in 2013, he’d made over $3 million
selling fullz data to identity thieves and organized crime rings
operating throughout the United States.
Matt O’Neill is the Secret Service agent who in
February 2013 successfully executed a scheme to lure Ngo out of Vietnam
and into Guam, where the young hacker was arrested and sent to the
mainland U.S. to face prosecution. O’Neill now heads the agency’s Global Investigative Operations Center, which supports investigations into transnational organized criminal groups.
O’Neill said he opened the investigation into Ngo’s identity theft
business after reading about it in a 2011 KrebsOnSecurity story, “How Much is Your Identity Worth?”
According to O’Neill, what’s remarkable about Ngo is that to this day
his name is virtually unknown among the pantheon of infamous convicted
cybercriminals, the majority of whom were busted for trafficking in huge
quantities of stolen credit cards.
Ngo’s businesses enabled an entire generation of cybercriminals to commit an estimated $1 billion worth of new account fraud, and to sully the credit histories of countless Americans in the process.
“I don’t know of any other cybercriminal who has caused more material financial harm to more Americans than Ngo,”
O’Neill told KrebsOnSecurity. “He was selling the personal information
on more than 200 million Americans and allowing anyone to buy it for
pennies apiece.”
Freshly released from the U.S. prison system and deported back to
Vietnam, Ngo is currently finishing up a mandatory three-week COVID-19
quarantine at a government-run facility. He contacted KrebsOnSecurity
from inside this facility with the stated aim of telling his
little-known story, and to warn others away from following in his
footsteps.
BEGINNINGS
Ten years ago, then 19-year-old hacker Ngo was a regular on the
Vietnamese-language computer hacking forums. Ngo says he came from a
middle-class family that owned an electronics store, and that his
parents bought him a computer when he was around 12 years old. From then
on out, he was hooked.
In his late teens, he traveled to New Zealand to study English at a
university there. By that time, he was already an administrator of
several dark web hacker forums, and between his studies he discovered a
vulnerability in the school’s network that exposed payment card data.
“I did contact the IT technician there to fix it, but nobody cared so
I hacked the whole system,” Ngo recalled. “Then I used the same
vulnerability to hack other websites. I was stealing lots of credit
cards.”
Ngo said he decided to use the card data to buy concert and event tickets from Ticketmaster, and then sell the tickets at a New Zealand auction site called TradeMe.
The university later learned of the intrusion and Ngo’s role in it, and
the Auckland police got involved. Ngo’s travel visa was not renewed
after his first semester ended, and in retribution he attacked the university’s site, shutting it down for at least two days.
Ngo said he started taking classes again back in Vietnam, but soon found he was spending most of his time on cybercrime forums.
“I went from hacking for fun to hacking for profits when I saw how easy it was to make money stealing customer databases,”
Ngo said. “I was hanging out with some of my friends from the
underground forums and we talked about planning a new criminal
activity.”....
....
MUCH MORE