Court squeezes $1 million back from convicted phisher

Wooo, fancy – a guy who phished more than 100 companies out of nearly £1m (around $1.1m) in cryptocurrency used some of that money to sit his butt down in a first-class carriage on the train. That’s how they caught him, actually – with “his fingers on the keyboard” as he was logging in to a dark web account on a train between Wales and London back in September 2017.

Flash forward two years, and Wooo-HOOOOO, it’s payback time!

As in, literal payback. London’s Metropolitan Police announced on Friday that Grant West, who was 25 when police arrested him on that train and who is now 27, has not only been jailed for fraud after carrying out attacks on more than 100 major brands worldwide, including Apple, Uber, Sainsbury’s, Groupon, T-Mobile, Ladbrokes, Vitality, the British Cardiovascular Society and the Finnish Bitcoin exchange.

He’s also been ordered to pay back the money he ripped off.

Goodbye, cryptocurrency: when Southwark Crown Court gave West ten years and eight months jail time, the judge also said that his ill-gotten loot would be sold and that the victims will receive compensation.

I therefore order a confiscation of that amount, £915,305.77, to be paid as a way of compensation to the losers.

Some of it’s frozen and being held by the FBI, and all of it’s fluctuating madly, as cryptocurrencies do, which has made it tough to figure out exactly how much to give victims.

West has to agree to release the funds from his accounts, but there’s not much of a choice there: he’d be looking at four additional years in jail if he were to refuse, the judge said.

West did, in fact, agree to give up the money, which reportedly included ethereum, bitcoin and other cryptocurrencies. Unfortunately, victims won’t be able to claw back the money West blew on his fancy travel: besides his first-class train habits, he also blew the money on holidays, food, shopping and household goods.

West admitted to charges including conspiracy to defraud, possession of criminal property, unauthorized modification of computer material, and drug offenses.

Dirty deeds done in the dark

This is how he got all that money: as the Met tells it, West wasn’t an elite hacker. But while he just ran a phishing scam, it was a sophisticated one: his convincing come-on managed to trick even computer-savvy people, including at least one software engineer.

West first started trading on the dark web in March 2015 and completed more than 47,000 sales of people’s financial data in the form of “fullz”: slang for a complete set of records that can be used to commit fraud. He did his work using the handle “Courvoisier”.

Besides selling victims’ financial data, West also sold cannabis and “how to” guides instructing others how to carry out cyberattacks.

Then, between July and December 2015, West ran the phishing scam masquerading as online takeaway service Just Eat, in an attempt to get at the personal details of 165,000 customers. The Met says that he didn’t succeed in getting the financial data, but his actions still cost the company about £200,000 (USD $244,769).

Just Eat’s computer systems or network hadn’t been breached, but details of those compromised accounts flooded the dark web.

As the software developer victim described it to the BBC in November 2015, West’s scam email asked some Just Eat customers to fill out a survey in exchange for £10.

To do so, they were told to click on a link that brought them to a phony site that convincingly masqueraded as the real Just Eat website and which asked for a username and password.

At the end of the survey, customers were asked to enter their personal bank and credit card details in order to get that £10 credit. It wasn’t until he got to this point that the software developer realized it was a scam – the forgery was that convincing.

After police arrested West, they found financial data belonging to more than 100,000 people on his girlfriend’s laptop – the device he used to carry out his attacks. They also found an SD card from West’s home address, in Kent. On that card, they found about 78 million individual usernames and passwords, as well as 63,000 credit and debit card details.

They also seized £25,000 cash and half a kilogram of cannabis in storage units that West rented in Kent.

Detective Chief Inspector Kirsty Goldsmith, head of the Met’s Cyber Crime Unit, said in a press release that West’s arrest and conviction is just one example of how the dark web isn’t dark enough to hide crooks from computer-savvy cops:

The MPS is committed to ensuring that individuals who are committing criminality on the Dark Web are identified, prosecuted and their criminal assets are seized.

What to do?

The Met reminded people to use strong passwords in order to reduce your chance of being victimized by somebody like West. Watch our straight-talking tips on how to choose decent passwords.

And, of course, one password isn’t enough. You need to have a different password for each online account you have.

Nobody expects you to remember a grocery list worth of complicated passwords, and that’s why we believe in using password managers to create them and/or to store them all and fill them in.

Of course, this isn’t just about strong passwords. You also have to spot, sidestep and report phishing email. Be wary of any link that arrives in an email. You can defend yourself by turning on multi-factor authentication (2FA) everywhere it’s offered.

It’s also a good idea to use a desktop password manager that checks the validity of domains before offering to autofill credentials. If it doesn’t offer to fill in your credentials, that could be a clue that something isn’t right about a site.