On April 30, the Department of Justice announced the indictment of twin brothers Muneeb and Sohaib Akhter, 23, of Springfield, Virginia. They were charged with aggravated identity theft, conspiracy to commit wire fraud, conspiracy to access a protected computer without authorization, access of a protected computer without authorization, conspiracy to access a government computer without authorization, false statements, and obstruction of justice.
According to the indictment, beginning in or about March 2014, the Akhter brothers and coconspirators hacked into the website of a cosmetics company and stole its customers’ credit card and personal information. They used the stolen information to purchase goods and services, including flights, hotel reservations, and attendance at professional conferences. In addition, the brothers and coconspirators devised a scheme to hack into computer systems at the U.S. Department of State to access network traffic and to obtain passport information.
Court filings inspected by DataBreaches.net provide additional details on their scheme. The affidavit signed by DHS Special Agent Gershon Ross in support of the criminal complaint states that in June, 2014, Ross learned that Muneeb Akhter, who was then a DHS contractor, was boasting about hacking several e-commerce sites, including Subway, Starbucks, and an unspecified airline. Ross questioned Muneeb Akhter the next day, and Muneeb Akhter gave him a sworn statement admitting that he had created a computer code to gain unauthorized access to several e-commerce websites including KMart, Shell Gasoline, Whole Foods, Starbucks, and Dunkin Donuts. The code allowed him to add funds to gift cards without having to expend any actual funds. Muneeb would later tell an unindicted co-conspirator that there really was no such code.
When federal agents executed a search warrant in July, 2014, they seized Akhter’s phone, which provided evidence of numerous calls between the brothers and the unindicted co-conspirator. The three allegedly discussed their acquisition and possession of fraudulently obtained credit card numbers, and also discussed their use of credit card numbers and related account information that they had fraudulently obtained from an e-commerce cosmetics company called Shea Terra Organics. The twins’ mother is the registered owner of that web site. The government alleges her darling sons allegedly stole her customer’s information by installing key loggers that collected payment information and then inserting code that had the information emailed to them. Shea Terra is referred to as Victim Company 1 in the grand jury indictment.
Victim Company 2 was described as a company in Rockville Maryland that aggregates data and information about federal government contracts and packages it in products used by federal agencies and private contractors. The twins had been hired as contractors by the firm.
Muneeb began working at General Dynamics in June, 2014 and began working as an Information Technology Security Specialist at DHS (insert facepalm here), which is where Special Agent Ross first heard of his boasts.
From October 2014 – February 2015, Sohaib Akhter was a contact employee for ActioNet, a contractor for the State Department, and as noted above, some of the charges stem from the brothers’ activities while he was employed for them.
In a stupid criminals aspect to the case, Ross notes that when he searched Facebook for information on the twins, he found a Facebook page that appeared to be for Sohaib Akhter. That page had an image a United Airlines boarding pass for “Sohaib Akhter” departing January 19, 2015, from Washington, DC, to San Francisco, CA, on United Airlines flight 782. United Airlines confirmed that the flight was paid for with an American Express card. The card owner told Ross that s/he had not authorized that purchase, that the account had been closed as a result of credit card fraud, and that the card had been previously used to make purchases on the Shea Terra web site.
That wasn’t the only image found on Facebook that would come back to bite the defendants. Another image showed them together at the 2014 TechConnect World Innovation Conference & Expo. They had paid for their registration with stolen credit card information.
Muneeb Akhter faces a maximum penalty of 59 years in prison if convicted on all counts, and Sohaib Akhter faces a maximum penalty of 39 years in prison if convicted on all counts. They are, of course, presumed innocent until convicted.
h/t, Arrest Tracker