At the height of his cybercriminal career, the hacker known as “Hieupc” was earning $125,000 a month running a bustling identity theft service that siphoned consumer dossiers from some of the world’s top data brokers. That is, until his greed and ambition played straight into an elaborate snare set by the U.S. Secret Service. Now, after more than seven years in prison, Hieupc is back in his home country and hoping to convince other would-be cybercrooks to use their computer skills for good.
For several years beginning around 2010, a lone teenager in Vietnam named Hieu Minh Ngo ran one of the Internet’s most profitable and popular services for selling “fullz,” stolen identity records that included a consumer’s name, date of birth, Social Security number and email and physical address.
Ngo got his treasure trove of consumer data by hacking and social engineering his way into a string of major data brokers. By the time the Secret Service caught up with him in 2013, he’d made over $3 million selling fullz data to identity thieves and organized crime rings operating throughout the United States.
Matt O’Neill is the Secret Service agent who in February 2013 successfully executed a scheme to lure Ngo out of Vietnam and into Guam, where the young hacker was arrested and sent to the mainland U.S. to face prosecution. O’Neill now heads the agency’s International Investigative Operations Center, which supports investigations into transnational organized criminal groups.
O’Neill said he opened the investigation into Ngo’s identity theft business after reading about it in a 2011 KrebsOnSecurity story, “How Much is Your Identity Worth?” According to O’Neill, what’s remarkable about Ngo is that to this day his name is virtually unknown among the pantheon of infamous convicted cybercriminals, nearly all of whom were busted for trafficking in huge quantities of stolen credit cards.
Ngo’s businesses enabled an entire generation of cybercriminals to commit an estimated $1 billion worth of new account fraud, and to sully the credit histories of countless Americans in the process.
“I don’t know of any other cybercriminal who has caused more material financial harm to more Americans than Ngo,” O’Neill told KrebsOnSecurity. “He was selling the personal information on more than 200 million Americans and allowing anyone to buy it for pennies apiece.”
Freshly released from the U.S. prison system and deported back to Vietnam, Ngo is currently finishing up a mandatory three-week COVID-19 quarantine at a government-run facility. He contacted KrebsOnSecurity from inside this facility with the stated aim of telling his little-known story, and to warn others away from following in his footsteps.
Ten years ago, then 19-year-old hacker Ngo was a regular on the Vietnamese-language computer hacking forums. Ngo says he came from a middle-class family that owned an electronics store, and that his parents bought him a computer when he was around 12 years old. From then on out, he was hooked.
In his late teens, he traveled to New Zealand to study English at a university there. By that time, he was already an administrator of several dark web hacker forums, and between his studies he discovered a vulnerability in the school’s network that exposed payment card data.
“I did contact the IT technician there to fix it, but nobody cared so I hacked the whole system,” Ngo recalled. “Then I used the same vulnerability to hack other websites. I was stealing lots of credit cards.”
Ngo said he decided to use the card data to buy concert and event tickets from Ticketmaster, and then sell the tickets at a New Zealand auction site called TradeMe. The university later learned of the intrusion and Ngo’s role in it, and the Auckland police got involved. Ngo’s travel visa was not renewed after his first semester ended, and in retribution he attacked the university’s website, shutting it down for at least two days.
Ngo said he started taking classes again back in Vietnam, but soon found he was spending most of his time on cybercrime forums.
“I went from hacking for fun to hacking for profits when I saw how easy it was to make money stealing customer databases,” Ngo said. “I was hanging out with some of my friends from the underground forums and we talked about planning a new criminal activity.”
“My friends said doing credit cards and bank information is very dangerous, so I started thinking about selling identities,” Ngo continued. “At first I thought well, it’s just information, maybe it’s not that bad because it’s not related to bank accounts directly. But I was wrong, and the money I started making very fast just blinded me to a lot of things.”
His first big target was a consumer credit reporting company in New Jersey called MicroBilt.
“I was hacking into their platform and stealing their customer database so I could use their customer logins to access their [consumer] databases,” Ngo said. “I was in their systems for almost a year without them knowing.”
Very soon after gaining access to MicroBilt, Ngo says, he stood up Superget[.]information, a website that advertised the sale of individual consumer records. Ngo said initially his service was quite manual, requiring customers to request specific states or consumers they wanted information on, and he would conduct the lookups by hand.
“I was trying to get more records at once, but the speed of our Internet in Vietnam then was very slow,” Ngo recalled. “I couldn’t download it because the database was so huge. So I just manually search for whoever need identities.”
But Ngo would soon work out how to use more powerful servers in the United States to automate the collection of larger amounts of consumer data from MicroBilt’s systems, and from other data brokers. As I wrote of Ngo’s service back in November 2011:
“Superget lets users search for specific individuals by name, city, and state. Each “credit” costs USD$1, and a successful hit on a Social Security number or date of birth costs three credits each. The more credits you buy, the cheaper the searches are per credit: Six credits cost $4.99; 35 credits cost $20.99, and $100.99 buys you 230 credits. Customers with special needs can avail themselves of the “reseller plan,” which promises 1,500 credits for $500.99, and 3,500 credits for $1000.99.
“Our Databases are updated EVERY DAY,” the site’s proprietor enthuses. “About 99% nearly 100% US people could be found, more than any sites on the internet now.”
Ngo’s intrusion into MicroBilt eventually was detected, and the company kicked him out of their systems. But he says he got back in using another vulnerability.
“I was hacking them and it was back and forth for months,” Ngo said. “They would discover [my accounts] and fix it, and I would discover a new vulnerability and hack them again.”
COURT (AD)VENTURES, AND EXPERIAN
This game of cat and mouse continued until Ngo found a much more reliable and stable source of consumer data: A U.S. based company called Court Ventures, which aggregated public records from court documents. Ngo wasn’t interested in the data collected by Court Ventures, but rather in its data sharing agreement with a third-party data broker called U.S. Information Search, which had access to far more sensitive consumer records.
Using forged documents and quite a few lies, Ngo was able to convince Court Ventures that he was a private investigator based in the United States.
“At first [when] I sign up they asked for some documents to verify,” Ngo said. “So I just used some skill about social engineering and went through the security check.”
Then, in March 2012, something even more remarkable happened: Court Ventures was purchased by Experian, one of the big three major consumer credit bureaus in the United States. And for nine months after the acquisition, Ngo was able to maintain his access.
“After that, the database was under control by Experian,” he said. “I was paying Experian good money, thousands of dollars a month.”
Whether anyone at Experian ever performed due diligence on the accounts grandfathered in from Court Ventures is unclear. But it wouldn’t have taken a rocket surgeon to figure out that this particular customer was up to something fishy.
For one thing, Ngo paid the monthly invoices for his customers’ data requests using wire transfers from a multitude of banks around the world, but mostly from new accounts at financial institutions in China, Malaysia and Singapore.
O’Neill said Ngo’s identity theft website generated tens of thousands of queries each month. For example, the first invoice Court Ventures sent Ngo in December 2010 was for 60,000 queries. By the time Experian acquired the company, Ngo’s service had attracted more than 1,400 regular customers, and was averaging 160,000 monthly queries.
More importantly, Ngo’s profit margins were huge.
“His service was quite the racket,” he said. “Court Ventures charged him 14 cents per lookup, but he charged his customers about $1 for each query.”
By this time, O’Neill and his fellow Secret Service agents had served dozens of subpoenas tied to Ngo’s identity theft service, including one that granted them access to the email account he used to communicate with customers and administer his site. The agents discovered several emails from Ngo instructing an accomplice to pay Experian using wire transfers from different Asian banks.
Working with the Secret Service, Experian quickly zeroed in on Ngo’s accounts and shut them down. Aware of an opportunity here, the Secret Service contacted Ngo through an intermediary in the United Kingdom — a known, convicted cybercriminal who agreed to play along. The U.K.-based collaborator told Ngo he had personally shut down Ngo’s access to Experian because he had been there first and Ngo was interfering with his business.
“The U.K. guy told Ngo, ‘Hey, you’re treading on my turf, and I decided to lock you out. But as long as you’re paying a vig through me, your access won’t go away’,” O’Neill recalled.
The U.K. cybercriminal, acting at the behest of the Secret Service and U.K. authorities, told Ngo that if he wanted to maintain his access, he could agree to meet up in person. But Ngo didn’t immediately bite on the offer.
Instead, he weaseled his way into another huge data store. In much the same way he’d gained access to Court Ventures, Ngo got an account at a company called TLO, another data broker that sells access to extremely detailed and sensitive information on most Americans.
TLO’s service is accessible to law enforcement agencies and to a limited number of vetted professionals who can demonstrate they have a lawful reason to access such information. In 2014, TLO was acquired by Trans Union, one of the other three big U.S. consumer credit reporting bureaus.
And for a short time, Ngo used his access to TLO to power a new iteration of his business — an identity theft service rebranded as usearching[.]information. This site also pulled consumer data from a payday loan company that Ngo hacked into, as documented in my Sept. 2012 story, ID Theft Service Tied to Payday Loan Websites. Ngo said the hacked payday loans site gave him instant access to roughly 1,000 new fullz records each day.
BLINDED BY GREED
By this time, Ngo was a multi-millionaire: His various sites and reselling agreements with three Russian-language cybercriminal stores online had earned him more than USD $3 million. He told his parents his money came from helping companies develop websites, and even used some of his ill-gotten gains to pay off the family’s debts (its electronics business had gone belly up, and a family member had borrowed but never paid back a significant sum of money).
But mostly, Ngo said, he spent his money on frivolous things, although he says he’s never touched drugs or alcohol.
“I spent it on vacations and cars and a lot of other stupid stuff,” he said.
When TLO locked Ngo out of his account there, the Secret Service used it as another opportunity for their cybercriminal mouthpiece in the U.K. to turn the screws on Ngo yet again.
“He told Ngo he’d locked him out again, and that he could do this all day long,” O’Neill said. “And if he truly wanted lasting access to all of these places he used to have access to, he would agree to meet and form a more secure partnership.”
After several months of conversing with his apparent U.K.-based tormentor, Ngo agreed to meet him in Guam to finalize the deal. Ngo says he understood at the time that Guam is an unincorporated territory of the United States, but that he discounted the chances that this was all some kind of elaborate law enforcement sting operation.
“I was so desperate to have a stable database, and I got blinded by greed and started acting crazy without thinking,” Ngo said. “Lots of people told me ‘Don’t go!,’ but I told them I have to try and see what’s going on.”
But immediately after stepping off of the plane in Guam, he was apprehended by Secret Service agents.
“One of the names of his identity theft services was findget[.]me,” O’Neill said. “We took that seriously, and we did like he asked.”
This is Part I of a multi-part series. Check back tomorrow (Aug. 27) for Part II, which will examine what investigators learned following Ngo’s arrest, and delve into his more recent effort to right the wrongs he’s done.