A 27-year-old Michigan man who tried to hack a “Get out of jail early” card for his friend is now going to be in jail himself for 87 months – 7 years 3 months.
On Thursday, US Attorney Matthew Schneider’s office announced that besides the jail term and 3 years of supervised release to follow, Konrads Voits is giving up all his bitcoins, some of his electronics—including a laptop—an integrated circuit component, and several mobile phones.
In total, Voits has been ordered to pay restitution in the amount of $238,517.
That will be going to Washtenaw County, whose jail network Voits hacked in an attempt to alter his buddy’s prison record. In December, Voits pleaded guilty to damaging a protected computer.
The Attorney General’s office says Voits used a classic phishing scheme laced with typosquatting. According to his guilty plea, in January 2017, Voits set up a phishing domain. It looked just like a legitimate county domain name for Washtenaw, except Voits swapped the final W for a double V.
Then, he called and emailed employees of Washtenaw County, claiming that he was “Daniel Greene” and that he needed help with court records. Over the phone, he pretended to be “T.L.” or “A.B.”, a county IT employee. The emails tried to entice employees into clicking on a hyperlink so they’d be whisked off to Voits’s malware-poisoned site, while the object of the phone calls was to get his victims to type that phishing site domain into their browsers so as to download an executable malware file.
It was to “upgrade the county’s jail system,” Voits claimed.
Voits hit the jackpot when he called county jail employees, posing as members of the jail’s IT staff, and tricked workers into installing a fake update package for the county jail’s application.
Voits got full access to the county network, including to the XJail system—which is a program used to monitor and track county prison inmates—as well as to search warrant affidavits, internal discipline records, and personal information of county employees. Voits managed to steal passwords, user names, email addresses and other personal information of more than 1,600 county employees.
Once he had full access to the county’s network, he accessed jail records for several inmates and altered the record of at least one of them to try to get him out early.
According to the guilty plea, mopping up after Voits’s intrusion was heinous and costly. The county had to hire an incident response company to suss out the extent of the damage he had caused, reimage numerous hard drives, verify the accuracy of the electronic records for nearly every single current inmate, and purchase ID theft protection for the 1,600 employees whose data Voits got his hands on.
The AP reports that Voits’s scheme was thwarted by an employee who checked records by hand. The attorney general’s office didn’t give details beyond the fact that the county’s IT employees responded quickly.
As a result, Voits’s plan failed: nobody was released early, though jail employees and county IT employees had to put in extra hours to investigate and to clean it all up.
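The domain swap described in the guilty plea, a double V standing in for a W, is something defenders can check for mechanically in proxy and mail logs. The following is an added example, not taken from the article or the case filings: `westhollow.example` is a placeholder domain, the log lines are constructed, and every swap in the table other than `vv` for `w` is an assumption.

```python
import re

PROTECTED = "westhollow.example"  # placeholder, not the county's real domain

# Character swaps that make one domain read like another at a glance.
# "vv" for "w" is the swap described in the article; the others are
# assumptions added for illustration.
CONFUSABLES = [("vv", "w"), ("rn", "m"), ("cl", "d"), ("0", "o"), ("1", "l")]

# Hostnames that follow a URL scheme or the "@" of an email address.
HOST_RE = re.compile(r"(?:https?://|@)([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)

def skeleton(domain):
    """Collapse lookalike sequences so visually similar names compare equal."""
    d = domain.lower().rstrip(".")
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d

def base_domain(host, protected=PROTECTED):
    """Keep as many trailing labels as the protected domain has."""
    n = protected.count(".") + 1
    return ".".join(host.lower().rstrip(".").split(".")[-n:])

def find_lookalikes(lines, protected=PROTECTED):
    """Return (line number, host) for hosts that imitate the protected domain."""
    target = skeleton(protected)
    hits = []
    for lineno, line in enumerate(lines, 1):
        for host in HOST_RE.findall(line):
            base = base_domain(host, protected)
            # Same skeleton but a different spelling means a lookalike.
            if base != protected and skeleton(base) == target:
                hits.append((lineno, host.lower()))
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE = [
    "09:12:01 proxy GET http://westhollow.example/jail/login",
    "09:14:37 proxy GET http://westhollovv.example/update/setup.exe",
    "09:15:02 proxy GET http://records.westhollow.example/search",
    "09:16:44 smtp from=it-support@WestHollovv.example subject=upgrade",
    "09:17:10 proxy GET http://westho11ow.example/",
]

if __name__ == "__main__":
    for lineno, host in find_lookalikes(SAMPLE):
        print(f"line {lineno}: lookalike of {PROTECTED}: {host}")
```

This only catches names that differ by the listed swaps and share the protected domain's suffix; lookalikes built from other substitutions or registered under a different top-level domain need additional checks.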