Three men have been charged in connection with what prosecutors are calling one of the largest data breaches in US history, after they allegedly hacked multiple email servers in an ambitious spam campaign.
Two Vietnamese men living in the Netherlands – one of whom was subsequently extradited to the States – and one Canadian are accused of carrying out the largest ever breach of names and email addresses.
Between February 2009 and June 2012, 28-year-old Viet Quoc Nguyen is alleged to have hacked at least eight US-based email service providers and stolen “proprietary marketing data” including over one billion email addresses, according to a Department of Justice release.
Then, alongside 25-year-old Giang Hoang Vu, he’s said to have used the stolen addresses to spam tens of millions of users.
David-Manuel Santos Da Silva, 33, of Montreal, Canada, was indicted last week for striking an affiliate marketing deal with Nguyen by which the latter would receive a commission for every sale generated from traffic he funneled via spam links to Da Silva’s Marketbay.com site.
Between roughly May 2009 and October 2011 the two men made $2m from such activities, the DoJ claimed.
Vu was arrested by Dutch police in 2012, extradited to the States last year, and pleaded guilty to conspiracy to commit computer fraud in February. Da Silva was apparently arrested last month, while Nguyen is still at large.
“This case reflects the cutting-edge problems posed by today’s cybercrime cases, where the hackers didn’t target just a single company; they infiltrated most of the country’s email distribution firms,” said acting US attorney John Horn in a statement.
“And the scope of the intrusion is unnerving, in that the hackers didn’t stop after stealing the companies’ proprietary data – they then hijacked the companies’ own distribution platforms to send out bulk emails and reaped the profits from email traffic directed to specific websites.”
Imperva CTO Amichai Shulman argued that the arrests prove that investigators can co-ordinate international cyber crime cases effectively.
“It should bring up the question – why do we need to wait for a massive data breach to blow up in public in order for that to happen?” he told Infosecurity.
“My personal belief is that if enough resources are put up against small breaches as well as large breaches in what symbolizes a ‘zero tolerance’ policy against cyber violation we’d see the number of attacks decrease significantly over a short period of time.”
Eset security specialist Mark James claimed that one of the firms hacked was US email marketing giant Epsilon in 2011.
“Hopefully this will turn out to be a success and will go on to many more successful cases showing that the fight against cybercrime is not always a losing battle,” he added in emailed comment to Infosecurity.
“With over one billion email addresses stolen and making more than $2 million from this particular operation there was certainly some big fish involved.”