The biggest hurdle to catching cybercriminals is usually that they are hard to identify or connect to alleged crimes.
Sometimes, a suspect is identified but nobody knows where they are.
And then there is the rarer but frustrating situation where the authorities are sure they know the identity of an attacker, and where they live, but still can’t apprehend them.
This seems to be the case with Behzad Mesri, alleged by US prosecutors to be behind May’s spectacular attack on HBO that resulted in the leaking of 1.5TB of data, including un-aired episodes of several popular shows, a Game of Thrones script, staff contacts, account credentials, and financial data.
Quite a haul, and one that reportedly came with a gloating ransom note demanding “our 6-month salary in bitcoin,” equivalent to $6m (£4.5m).
The barrier to arresting Mesri – who allegedly used the online alias “Skote Vahshat” – is that he lives in Iran, a country with which the US has notoriously poor relations, and certainly nothing resembling an extradition agreement.
If they did somehow nab him, the indictment submitted to the United States District Court in Manhattan suggests he’d be quite a catch.
This claims Mesri is connected to an Iranian hacking group calling itself the Turk Black Hat Security Team, which appears to be well known within Iran.
Says the indictment:
As a member of that group, Mesri conducted hundreds of website defacements…against websites in the US and elsewhere.
HBO wasn’t his only target, it seems.
He accessed HBO’s content by compromising multiple user accounts, it adds, which at least reduces the troubling possibility that the attack was aided by a malicious insider who is still in place.
Is publicly pursuing a man beyond reach a cry in the dark?
This is significant. Most countries maintain something similar, but none carries the abstract menace of the FBI’s list – being added to it is still a powerful way of signalling that the US will pursue a suspect for as long as it takes to hold them to account.
As acting US attorney Joon H. Kim put it:
The memory of American law enforcement is very long.
Which might suggest that the US thinks making his status public will act as a deterrent to other hackers, and perhaps even to Iran itself, against hacking conducted from inside Iran’s borders.
Still, there’s a risk that adding a suspect to the list boosts their notoriety and prestige within hacking circles.
The irony is that Mesri’s alleged activities did little apparent harm to HBO’s business; indeed, a separate sequence of accidental leaks of show episodes by the company’s business partners was probably more damaging.
The great HBO hack won’t be remembered as another Sony Pictures disaster by any means – but it might come to be viewed as the moment the US decided to demystify hacking by making it personal.