Cybercrooks busted for multimillion-dollar identity fraud

A trio of Australians has been charged with identity theft that netted AUD $11 million (USD $7.41m, £5.73m) – ill-gotten loot they allegedly ripped off by hacking into businesses and modifying their payrolls, pension payments (known as superannuation in Australia) and credit card details.

According to ABC News, police arrested the alleged cyber-robber – an unidentified 31-year-old man, formerly of Adelaide – at a library in Sydney’s Green Square earlier this week.

His alleged cyber accomplices were 32-year-old Jason Lees and 28-year-old Emily Walker, both arrested in the Adelaide suburb of Seaton. According to Walker’s Facebook profile, they’re a couple.

New South Wales police reportedly said that the unidentified 31-year-old man allegedly stole more than 80 personal and financial profiles so as to use them in identity fraud in South Australia from early 2019, and then in NSW from August 2019. He’s been charged with 24 fraud-related charges in Newtown Local Court. Walker and Lees have been charged with money laundering and deception.

(What’s the difference between lies, deception and fraud, you well may ask if you’re not Australian? Under Australian criminal law, not all lies are deception, and not all deceptions amount to fraud, according to the law firm Sydney Criminal Lawyers. Here’s the law firm’s explanation.)

According to ABC News, the police prosecutor, Senior Sergeant Mike Tolson, told the court that the prosecution anticipates bringing hundreds of additional charges.

The stolen data came from businesses and organizations targeted for their employees’ data, including staff names, addresses and birthdates. The defendants allegedly used the details to set up hundreds of bank accounts into which they then allegedly deposited money.

Tolson:

All of the stolen identity has come from intruding upon businesses.

The defendants allegedly used multiple cryptocurrency accounts to launder more than $18 million, Tolson told the court:

However, one of the wallets that has been identified alone contains more than $18 million in transactions […] and multiple withdrawal accounts.

The prosecutor said that last month, police seized nine computers, their hard drives, and six mobile phones during a raid on the couple’s home. Next week, the court will consider an application for bail.

Investigators called the crimes “sophisticated and complex.” NSW Police Force Cybercrime Squad commander Detective Superintendent Matthew Craft said that it’s a timely reminder to beef up cybersecurity defenses:

Identity information is a valuable commodity on the black market and dark web, and anyone who stores this data needs to ensure it is protected.

Ripped-off payment card details – like these! – do indeed sell like hot cakes on the dark web, where carders snap them up, slap them onto new cards, and go on mad spending sprees on somebody else’s dime.

In December 2019, we also found out exactly how fast those hot cakes get sold: two hours, it turns out. That’s how long it took somebody – or something, if it turns out to have been an automated bot – to find, and use, a credit card posted by a security researcher.

Check your statements

Regularly checking your credit card and other financial statements means you’ll spot fishy charges before they cling to you.

We the consumers aren’t typically held responsible for fraudulent activity – but only when we report bad charges in a timely fashion. Don’t delay, if you don’t want to get stuck paying for somebody else’s baby lions and/or Lamborghinis.

Latest Naked Security podcast