Indictment Unsealed and Additional Defendant Charged on One of the Largest Reported Data Breaches in U.S. History
ATLANTA—A criminal indictment was unsealed yesterday against Viet Quoc Nguyen and Giang Hoang Vu, both citizens of Vietnam, who resided for a period of time in the Netherlands, for their role in a massive data breach of e-mail Service Providers all over the United States. In addition, a federal grand jury returned an indictment this week against David-Manuel Santos Da Silva, a citizen of Canada, who is charged with conspiring with Nguyen and others to money launder the proceeds of Nguyen’s computer hacking offenses.
“This case reflects the cutting-edge problems posed by today’s cybercrime cases, where the hackers didn’t target just a single company; they infiltrated most of the country’s e-mail distribution firms,” said Acting U.S. Attorney John Horn. “And the scope of the intrusion is unnerving, in that the hackers didn’t stop after stealing the companies’ proprietary data—they then hijacked the companies’ own distribution platforms to send out bulk e-mails and reaped the profits from e-mail traffic directed to specific websites.”
“These men—operating from Vietnam, the Netherlands, and Canada—are accused of carrying out the largest data breach of names and e-mail addresses in the history of the Internet,” said Assistant Attorney General Caldwell. “The defendants allegedly made millions of dollars by stealing over a billion e-mail addresses from e-mail service providers. This case again demonstrates the resolve of the Department of Justice to bring accused cyber hackers from overseas to face justice in the United States.”
J. Britt Johnson, Special Agent in Charge, FBI Atlanta Field Office, stated: “Large scale and sophisticated international cyber hacking rings are becoming more problematic for both the law enforcement community that is faced with the challenges of identifying them and laying hands on them, but also the Fortune 500 companies that are so often their targets. The federal indictments, apprehensions, and extradition in this case represents several years of hard work as the FBI and its cadre of cyber trained agents and technical experts acted quickly to stop the ongoing damage to the numerous victim companies as a result of these individuals’ hacking activities. In August, 2012, the FBI, with the assistance of its legal attachés stationed abroad, and in conjunction with Dutch law enforcement officials, executed a search warrant in the Netherlands that disrupted continued compromises of those companies while allowing U.S. authorities to advance its investigation. That investigation targeted not only the hackers but the businesses that helped monetize the data that was stolen from those victim companies. This case further reflects the productive partnership of the FBI and the U.S. Secret Service in aggressively addressing this 21st century crime problem.”
“Our success in this case and other similar investigations is a result of our close work with our law enforcement partners,” said Reginald Moore, Special Agent in Charge of the Atlanta Field Office. “The Secret Service worked closely with the Department of Justice and the FBI to share information and resources that ultimately brought these cyber criminals to justice. This case demonstrates there is no such thing as anonymity for those engaging in data theft and fraudulent schemes.”
“Those individuals who line their pockets with money gained through deceiving others should know they will not go undetected and will be held accountable,” stated Special Agent in Charge, Veronica F. Hyman-Pillot. “IRS Criminal Investigation is committed to unraveling financial transactions to ensure that those who engage in these illegal activities are vigorously investigated and brought to justice.”
According to Acting U.S. Attorney Horn, the charges, and other information presented in court: Between approximately February 2009 and June 2012, Viet Quoc Nguyen allegedly hacked into at least eight e-mail Service Providers (ESPs) all over the United States, including two ESPs based in the Northern District of Georgia, and stole confidential information, including proprietary marketing data containing over one billion e-mail addresses.
e-mail Service Providers are companies that generally offer legitimate e-mail marketing or bulk e-mail services to their clients. Clients hire ESPs to assist with sending bulk e-mails to customers or potential customers who have opted to receive such e-mails. “Spam,” by contrast, is a commonly-used term for unsolicited e-mail. ESPs generally take affirmative steps to ensure that their e-mail campaigns are not blocked or classified as “spam” by the recipients’ e-mail programs.
Nguyen allegedly hacked into the ESPs’ computer databases and, in conjunction with Vu, used his unauthorized access to launch spam attacks on tens of millions of e-mail recipients. The data breach into certain ESPs was the subject of a congressional inquiry and testimony before a U.S House of Representatives subcommittee on June 2, 2011.
The indictment alleges that Nguyen used various methods to gain unauthorized access into the ESPs’ computer databases. In some instances Nguyen allegedly directed e-mail phishing campaigns at employees of the ESPs, which are fraudulent e-mails designed to resemble e-mails from trustworthy persons or entities, but in fact are designed to trick the recipients into clicking a link on the e-mail. Nguyen’s phishing campaigns allegedly delivered malware, which allowed him backdoor access to the ESP employees’ computer systems and enabled him to steal sensitive information, including the employees’ access credentials for the ESPs’ computer systems. Using stolen access credentials, Nguyen was not only able to allegedly steal confidential information by downloading the information from the ESPs’ computer systems to a server that he controlled in the Netherlands, but was also able to utilize the ESPs’ computer systems to launch spam attacks on tens of millions of stolen e-mail addresses.
A federal grand jury returned a 29-count sealed indictment against Nguyen, 28, and Vu, 25, on October 3, 2012. The indictment was unsealed in its entirety for the first time yesterday. Vu was arrested by Dutch law enforcement in Deventer, Netherlands, in 2012 and extradited to the United States in March 2014. On February 5, 2015, Vu pleaded guilty to conspiracy to commit computer fraud. He is scheduled to be sentenced on April 21, 2015, at 10:00 a.m., before the Honorable Timothy C. Batten Sr. Viet Quoc Nguyen is not in custody and remains a fugitive.
On Wednesday March 4, 2015, David-Manuel Santos Da Silva, 33, of Montreal, Canada, was indicted by a federal grand jury for conspiracy to commit money laundering with Nguyen and others. Da Silva was arrested by criminal complaint at Ft. Lauderdale International Airport, in Florida, on February 12, 2015, and will be arraigned today at 3:00 p.m., before U.S. Magistrate Judge E. Clayton Scofield III, in Atlanta, Georgia.
It is alleged that Da Silva, the co-owner, President and a Director of 21 Celsius, Inc., a Canadian corporation that ran Marketbay.com, entered into an affiliate marketing arrangement with Nguyen that allowed him to generate revenue from his computer hacks. As an affiliate marketer, Nguyen allegedly received a commission on sales generated from Internet traffic that he directed to websites promoting specific products. Nguyen allegedly used his computer hacks into the ESPs to direct “spam” attacks to tens of millions of stolen e-mail addresses. The unsolicited e-mails received through Nguyen’s and Vu’s spam attacks enticed the recipients by promoting specific products and providing hyperlinks for the recipients to purchase the products. The hyperlinks directed the recipients to one of Nguyen’s affiliate marketing websites associated with Marketbay.com.
Da Silva allegedly knew that Nguyen was spamming to stolen e-mail addresses in order to direct high volumes of Internet traffic to his affiliate marketing websites with Marketbay.com. Da Silva allegedly conspired with Nguyen and others to promote Nguyen’s hacking and spamming activities by providing him with a platform, through Marketbay.com, to generate sales commission from his computer hacks into the ESPs. Between approximately May 2009 and October 2011, Nguyen and Da Silva received approximately $2 million for the sale of products derived from Nguyen’s affiliate marketing activities.
Members of the public are reminded that the indictments only contains charges. The defendants are presumed innocent of the charges and it will be the government’s burden to prove the defendants’ guilt beyond a reasonable doubt at trial.
This case is being investigated by the Federal Bureau of Investigation with the valuable assistance of the United States Secret Service and Internal Revenue Service Criminal Investigation. Law enforcement in the Netherlands also provided valuable assistance.
Assistant United States Attorney Steven D. Grimberg and Trial Attorney Peter Roman with the U.S. Department of Justice Computer Crime and Intellectual Property Section are prosecuting the case.