Three indicted for breaching Email Service Providers, monetizing stolen data

Viet Quoc Nguyen and Giang Hoang Vu, both citizens of Vietnam who resided for a period of time in the Netherlands, have been indicted on Friday for their role in a massive data breach of Email Service Providers all over the United States. In addition, a federal grand jury returned an indictment last week week against David-Manuel Santos Da Silva, a citizen of Canada, who is charged with conspiring with Nguyen and others to money launder the proceeds of Nguyen’s computer hacking offenses.

According to Acting U.S. Attorney John Horn, between approximately February 2009 and June 2012, Viet Quoc Nguyen allegedly hacked into at least eight Email Service Providers (ESPs) all over the United States, and stole confidential information, including proprietary marketing data containing over one billion email addresses.

Email Service Providers are companies that generally offer legitimate email marketing or bulk email services to their clients. Clients hire ESPs to assist with sending bulk emails to customers or potential customers who have opted to receive such emails.

Nguyen allegedly hacked into the ESPs’ computer databases and, in conjunction with Vu, used his unauthorized access to launch spam attacks on tens of millions of email recipients. The indictment alleges that Nguyen used phishing emails laden with malware directed at employees of the ESPs to gain unauthorized access into the ESPs’ computer databases.

Vu, 25, was arrested by Dutch law enforcement in Deventer, Netherlands, in 2012 and extradited to the United States. He pleaded guilty to conspiracy to commit computer fraud and is scheduled to be sentenced on April 21, 2015.

Viet Quoc Nguyen is not in custody and remains a fugitive.

On Wednesday March 4, 2015, David-Manuel Santos Da Silva, 33, of Montreal, Canada, was indicted by a federal grand jury for conspiracy to commit money laundering with Nguyen and others. Da Silva was arrested last month at Ft. Lauderdale International Airport, in Florida.

It is alleged that Da Silva, the co-owner, President and a Director of 21 Celsius, Inc., a Canadian corporation that ran Marketbay.com, entered into an affiliate marketing arrangement with Nguyen that allowed him to generate revenue from his computer hacks.

Da Silva allegedly knew that Nguyen was spamming to stolen email addresses in order to direct high volumes of internet traffic to his affiliate marketing websites with Marketbay.com. Da Silva allegedly conspired with Nguyen and others to promote Nguyen’s hacking and spamming activities by providing him with a platform, through Marketbay.com, to generate sales commission from his computer hacks into the ESPs. Between approximately May 2009 and October 2011, Nguyen and Da Silva received approximately $2 million for the sale of products derived from Nguyen’s affiliate marketing activities.

According to Brian Krebs, Epsilon has confirmed that they were one of the companies hit by these attackers back in 2011.

“This case involves a massive amount of data and the individuals involved not only stole what is thought to be the largest haul of names and email address in the history of the internet but then went on to utilise the infrastructure of the targeted companies distribution platforms to send out bulk emails. All of this was thought to be untraceable by the perpetrators but as we see here this was not the case, with the large companies having the tastiest fruits for plunder it’s no surprise that these cyber hacking rings are becoming harder to find and prosecute,” commented Mark James, security specialist at ESET. “Hopefully this will turn out to be a success and will go on to many more successful cases showing that the fight against cybercrime is not always a losing battle.”