The United States Department of Justice (DOJ) has unsealed indictments against two Vietnamese citizens and one Canadian for their roles in what it described as “the largest data breach of names and email addresses in the history of the internet”.
According to the indictments, 28-year-old Viet Quoc Nguyen and 25-year-old Giang Hoang Vu, both from Vietnam but living in the Netherlands, hacked into at least eight email service providers in the US, stealing more than a billion email addresses.
The pair then allegedly used the email addresses to send spam to millions of recipients, netting millions of dollars in the process from an affiliate marketing arrangement between Da Silva and Nguyen.
Vu was apprehended by Dutch law enforcement officers in Deventer, Netherlands, in 2012 before being extradited to the US in March 2014. At a hearing on 5 February 2015, he pleaded guilty to conspiracy to commit computer fraud. According to the DOJ, he will face sentencing on 21 April.
Nguyen has so far evaded capture but a third man, Canadian David-Manuel Santos Da Silva, was arrested on 12 February in Ft. Lauderdale. He was indicted on 4 March for conspiracy to commit money laundering.
Prosecutors claim Vu and Nguyen spammed the misappropriated email addresses with messages promoting products marketed by Marketbay.com, a site owned by 21 Celsius, a company co-owned by Da Silva.
According to the DOJ’s statement, over the course of two years, Nguyen and Da Silva received around $2 million for the sale of products from Nguyen’s affiliate marketing activities, and also reports that Da Silva was aware that the email addresses used by Vu and Nguyen were stolen.
While the ultimate fate of the three men is unknown at this point, the United States Secret Service was upbeat about the case, with Special Agent in Charge Reginald Moore saying:
Our success in this case and other similar investigations is a result of our close work with our law enforcement partners. The Secret Service worked closely with the Department of Justice and the FBI to share information and resources that ultimately brought these cyber criminals to justice. This case demonstrates there is no such thing as anonymity for those engaging in data theft and fraudulent schemes.
Though the Justice Department declined to name the affected email service providers in its statement, it is now known that one victim was US email marketing firm Epsilon.
The DOJ statement mentions:
The data breach was the largest in U.S. history and was the subject of a Congressional inquiry in June 2011.
Security blogger Brian Krebs saw the significance of the date as it matched up with a 2 June, 2011 House Energy and Commerce Committee panel on the data breaches at Epsilon and Sony.
Reaching out to Epsilon for comment, Krebs was informed that:
Epsilon confirms that it is among the victims of the cybercrime referenced in the Department of Justice's indictment unsealed on March 5 against three individuals for their roles in hacking email service providers throughout the United States.
We are pleased with the outcome of the investigation carried out by the U.S. Secret Service and the resulting indictment by the Department of Justice, and thank them for bringing this criminal activity to prosecution.
Data protection is, and always has been, the top priority at Epsilon, and businesses and law enforcement must work together to prevent this type of criminal activity.