Cybercrime Roundup: Rehabilitation and Recidivism in Cybercriminals

Sarah Tate Chambers
Thursday, August 24, 2017, 3:00 PM

Published by The Lawfare Institute
in Cooperation With

This summer, the cases of two cyber criminals posed a stark contrast in rehabilitation and recidivism.

Mark Vartanyan

In 2011, invite-only Russian cybercrime forums offered a new product for sale—Citadel. A malware toolkit, Citadel was designed to infect computers and steal account information and personal identifying information (PII). Citadel was widely used; the Department of Justice estimates that over 11 million computers were infected, resulting in more than $500 million in losses. As suggested by its frequent use, Citadel required upkeep—and Mark Vartanyan was its mechanic.

Known by the moniker “Kolypto,” Vartanyan worked to update and patch Citadel from August 2012 to January 2013 when he was living in Ukraine and from April 2014 to June 2014 when he was living in Norway.

Brian Krebs recently wrote a fascinating article about how the authorities identified Vartanyan. In October 2014, Vartanyan was arrested in Norway, where he spent two years in prison before being extradited to the United States. On March 3, 2017, he pled guilty to one count of computer fraud.

Vartanyan is not the first person to face Citadel-related charges in the United States. Dimitry Belorossov, a 22-year-old Russian national, bought access to Citadel and used it to operate and control a botnet of over 7,000 infected computers. He used the botnet to steal account credentials and PII. According to the Justice Department press release, the Citadel malware investigation is ongoing.

Vartanyan’s case takes an interesting turn at sentencing. On July 19, he was sentenced to five years in prison with credit for time served, including the years he spent in the Norwegian prison.

The court followed the recommendation of the prosecutors, who asked for a reduced sentence because he was remorseful and assisted the government. Assistant U.S. Attorney Steven Grimberg said that he “rarely come[s] across an individual who has been as sorry for his role as Mark Vartanyan.”

Grimberg isn’t the only person who feels this way. Vartanyan worked at a healthcare technology company in Norway prior to his arrest. The CEO of that company regularly visited Vartanyan in the Norwegian prison, offered to fly to the United States for the sentencing hearing, and intends to rehire Vartanyan upon his release. The CEO also reached out to a pastor in Roswell, Georgia—near where Vartanyan was in custody—and asked the pastor to visit Vartanyan. The pastor did so and, based on his interactions with Vartanyan, returned regularly.

The cause of Vartanyan’s behavior change? A come-to-Jesus moment—literally. He experienced a conversion that led to a re-orientation of his life. When Vartanyan addressed the court during the sentencing hearing, he said that “an enormous weight lifted when he understood through prayer that he could accept what he’d done and help make things right.”

Muneeb Akhter

In a bizarre and multifaceted case, twins Muneeb and Sohaib Akhter and a co-conspirator, Musaddiq Ishaq, worked together to hack private and government systems. The Akhters were wunderkinds. At 19, they became the youngest people to graduate from George Mason University.

Ishaq’s mother ran an internet-based cosmetics company. Meeting in the company warehouse, the three conspirators devised a plan to steal the cosmetics customers’ card numbers and identifying information. Around the same time, Muneeb was in contact via the dark net with an individual from a hacking collective. The collective hoped to recruit Muneeb, and Muneeb believed that a successful hack of the cosmetic company would prove his value to the collective, which he hoped to join.

The plan was rather simple. Muneeb entered the warehouse and placed a keystroke logger on one of the company’s computers. That keystroke logger revealed the necessary credentials to log into the company’s system: a username and password.

Muneeb gave the username and password to an individual from the hacking collective, who wrote and installed code designed to collect information from the checkout page (credit card numbers and identifying information) and send it to an email account ending in “.ru” (associated with computers that access the internet in Russia).

Shortly after, Muneeb used the username and password to access the system and adjust the code so that it sent the stolen information not to the designated “.ru” email address but to an email address that Muneeb had set up solely for this purpose.

While the hack was simple, the execution was not perfect. Muneeb’s adjustment to the code created technical glitches on the website. Ishaq’s mother hired a specialist who found and removed the code.

Muneeb tried again and the trio successfully collected information for over a month. Soon, they were flying domestically, registering for conferences, and staying in hotels—all on the dime of those customers. They also used the stolen information to buy goods and resell them online via Craigslist and tried to sell flights on the “dark net.” Additionally, Muneeb gave the stolen information sent to his email to the individual from the collective, who sold the information to other people via the dark net and cut Muneeb a portion of the proceeds. Overall, they used over 40 people’s information to purchase over $30,000 in goods and services from more than 20 businesses.

The Akhter brothers did not just harm private individuals but also orchestrated several hacks of U.S. government systems, obtaining positions that involved access to government information for the purpose of using that information for their personal gain.

Federal Database Hack

Prior to the cosmetic company hack, Muneeb and Sohaib worked as contractors for a company that aggregates data on federal government contracts and then sells that data to government agencies and private contractors. The twins asked for access to the company’s data. The CEO told them they could have access only if they paid for it. Rather than paying, Muneeb hacked the system and gained access to the entire database.

Months after the hack, the CEO emailed Muneeb because the CEO was receiving 10 “undeliverable” emails every second. The email made it clear that he believed Muneeb’s actions on the server caused this. In fact, Muneeb had programmed the company’s servers to vote for him in an online contest and had sent out over 10,000 emails to George Mason University students in order to get more votes. Muneeb responded to the CEO’s email by apologizing for his actions but warning that if the CEO reported his unauthorized access/use to authorities, the company’s access to federal data would be revoked.

State Department Hack

The brothers went on to find other employment. Sohaib worked for ActioNet and provided IT support to the State Department, particularly the Bureau of Consular Affairs. While working on their systems, Sohaib accessed, without authorization, Passport Lockbox, a database that contains electronic copies of passport applications and processes payments. He accessed the information of 62 individuals, including a DHS Special Agent investigating the twins. Sohaib did not just view the information but copied it and saved it for his own use.

Then Sohaib went a step further and downloaded malware onto the State Department’s computers. The malware would allow Sohaib access and control over the State Department’s network, something he wanted in order to unilaterally approve visa applications and have access to the passport information. Once he had these, he planned to sell visas and passports on various black markets.

However, Sohaib received notice that he would soon be transferred to another section, which meant he would lose access to this portion of the State Department’s network. In order to retain access, he attempted to install a gumstix that would collect data from the network and transmit it to the twins. It would also allow the twins to remotely access the network. Muneeb programmed the gumstix and Sohaib took it to the State Department. Sohaib attempted to install it in a wall where it would go undetected but did not bring a sufficiently powerful drill to make it through the wall's metal siding. He broke the gumstix in the process, putting an end to the potentially devastating plan.

Department of Homeland Security

Though their work had been riddled with errors, Muneeb’s ego was what resulted in their downfall. After leaving his previous employment, Muneeb was hired as a contractor for the Department of Homeland Security. While talking to his co-workers, he bragged that he was able to hack into the networks of large retailers—including Whole Foods, Starbucks, and Dunkin’ Donuts—and add value to gift cards. Muneeb claimed he achieved this hack via bit-squatting. This would be the first hack of its kind.

But their hack was not special. It was the same scheme used in the internet-cosmetic company hack described above. But Muneeb was not ready to admit that. Instead, after a coworker reported him to DHS, Muneeb repeated the gift card bit-squatting story to the DHS agent who questioned him. When the agent offered him a position as a “hacker for the government” if he detailed how he committed the hack, he wrote down a false story. The twins’ house was searched shortly thereafter.

Muneeb even peddled the story to a Washington Post reporter. That article features a revealing quote from Muneeb: “I’m surprised at how the intelligence community actually works. I expected them to see my skill set and think, ‘This guy could be used for a lot of things.’ Instead, I’m going to be charged with something.”

Sohaib told the government Muneeb was blowing smoke, and on April 30, 2015, the twins were arrested. Shortly after their arrest, each twin pled guilty: Muneeb to conspiracy to commit wire fraud, conspiracy to access a protected computer without authorization, access of a protected computer without authorization, conspiracy to access a government computer without authorization, making a false statement, and obstruction of justice; and Sohaib to conspiracy to commit wire fraud, conspiracy to access a protected computer without authorization, and conspiracy to access a government computer without authorization. They were sentenced to 39 months and 24 months in prison respectively.

After serving his prison sentence, Muneeb violated the terms of his supervised release. He failed to report employment, specifically that he had started his own IT/cyber security firm and was actively recruiting employees. He also committed a new crime—using the credit cards of others without their authorization to purchase $2,500 of goods for himself. In addition, he contacted a felon, his co-conspirator Ishaq.

Ishaq pled guilty to one count of conspiracy to commit access device fraud. This May, the court granted Ishaq early termination of his supervised release—Ishaq served only one of the three years to which he was sentenced.

On July 7, 2017, Muneeb was sent back to prison for 15 months and ordered to receive mental health counseling. Upon his release, he will be under supervised release for three years. During the hearing, the government reminded the court that this was not the first time Muneeb ran afoul of the law after he was arrested: He had previously tampered with an Alexandria Detention Center computer by creating and running an unauthorized program that allowed inmates to send private messages to one another.

Sarah Tate Chambers is a second-year law student at the University of South Carolina. She currently works for the Department of Justice's Publications Unit. She graduated from the University of Minnesota with a B.A. in Religious Studies.