A hacker detained in Malaysia now faces extradition to the US under indictment for providing material support to the Islamic State, which US Department of Justice (DOJ) officials are calling a “first of its kind” case.
It’s certainly not a typical case of the US seeking extradition of an individual for cybercrimes.
Rather, it looks like the US has opened a judicial front in a global war against the Islamic State that extends from battlefields in Syria and Iraq, into cyberspace and on social media.
According to the DOJ and FBI, Kosovo citizen Ardit Ferizi allegedly hacked into the servers of a US web hosting company and stole personal information of over 1,300 US service members and federal employees.
Rather than use the personal data for identity theft, Ferizi allegedly handed it over to a member of the Islamic State (also known as ISIS or ISIL).
The names, email addresses, passwords, phone numbers and locations of US military and federal personnel ended up in the possession of a British citizen named Junaid Hussain, the leader of the Islamic State Hacking Division.
Hussain, who was reportedly killed by a US drone strike in Syria this August, publicized the information on Twitter with instructions that sympathizers of the Islamic State should kill the US service members “in their own lands.”
Ferizi’s alleged crimes, as described by the DOJ in the official indictment, involved stealing personally identifiable information (PII) of 100,000 customers of an unnamed US online retailer.
Ferizi was able to sift through the trove of PII to find the identities of 1,351 US federal employees and military service members.
Ferizi, claimed by the US to be a member of the group called Kosova Hacker’s Security, allegedly used Twitter to communicate with Hussain (known as Abu Hussain Al-Britani) and another member of the Islamic State, named Tariq Hamayun (Abu Muslim Al-Britani).
According to the indictment, Ferizi first reached out to Hamayun in April 2015 with offers to lend his technical skills to the Islamic State, including providing the group with a computer script for publicizing online propaganda that could “never get deleted.”
From June to August 2015, Ferizi allegedly gained administrator access to the web hosting company’s servers using an account with the initials “KHS,” which the DOJ believes stands for Kosova Hacker’s Security.
At one point, the hosting company discovered malware on its server that gave KHS unfettered access, and received a message from “An Albanian hacker” threatening “bad things will happen to you.”
After the hosting company contacted the FBI, investigators discovered the IP address assigned to a Malaysia-based ISP, which led them to Ferizi.
As explained in the indictment, the FBI believes Ferizi used an attack method known as SQL injection, which allows an attacker to use a form field on a website to enter a command string that is executed on the server.
In a press release, Assistant Attorney General for National Security John P. Carlin called Ferizi a “terrorist hacker” and said the US will “confront and disrupt the Islamic State’s efforts to target Americans, in whatever form and wherever they occur.”
If Ferizi’s extradition to the US is successful, he would face prosecution in the Eastern District of Virginia.
Ferizi’s alleged crimes carry a sentence of up to 35 years.