DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Three Men Arrested In Hacking And Spamming Scheme; Targeted Personal Information Of 60 Million People

Posted on December 15, 2015 by Dissent

Three men from Florida, New Jersey, and Maryland were charged today with a wide-ranging computer hacking and identity theft scheme that compromised the personally identifiable information (PII) of millions of people and generated more than $2 million in illegal profits, U.S. Attorney Paul J. Fishman announced.

Timothy Edward Livingston, 30, of Boca Raton, Florida; Tomasz Chmielarz, 32, of Rutherford, New Jersey; and Devin James McArthur, 27, of Ellicott City, Maryland, are charged by indictment with conspiracy to commit fraud and related activity in connection with computers and conspiracy to commit wire fraud. Livingston and Chmielarz are also charged with conspiracy to commit fraud and related activity in connection with electronic mail.

According to the indictment:

Beginning as early as 2011, Livingston and others allegedly operated A Whole Lot of Nothing LLC — a business that specialized in sending unsolicited, or “spam,” emails on behalf of its clients. Livingston’s clients included legitimate businesses, such as insurance companies that wished to send bulk emails to advertise their businesses, as well as illegal entities, such as online pharmacies that sold narcotics without prescriptions. Typically, Livingston charged $5 to $9 for each spam email that resulted in a completed transaction for a client.

Many internet service providers used spam filters to prevent spam from reaching their customers’ email accounts. Beginning in January 2012, Livingston allegedly solicited Chmielarz to write computer programs to send spam in a manner that would conceal the true origin of the email and bypass spam filters. Livingston and Chmielarz started using proxy servers to send out spam messages using botnets to hide the true origin of the spam, help them remain anonymous, and to evade anti-spam filters and other spam blocking techniques. Livingston also registered certain websites used in the spam campaigns in the name of his alias, “Mark Lloyd,” to avoid detection.

Livingston and Chmielarz allegedly hacked into the email accounts of individuals and compromised and seized control of the mail servers of some of the corporate victims to further their spam campaigns. They created custom software designed to hack into the email accounts of customers of a company identified in the indictment as “Corporate Victim 1.” Once the email account software gained access to a Corporate Victim 1 user’s account, it created sub-accounts on the account and used them to send out spam. Livingston and Chmielarz programmed the email account software to access the mail server of Corporate Victim 1 through proxy servers to obscure their true identities. This allowed them to send out massive amounts of spam without identifying themselves as the senders, and instead using Corporate Victim 1’s mail servers and customer accounts.

Livingston and Chmielarz also allegedly created custom software that leveraged vulnerabilities in the websites of a number of corporations, including one identified in the indictment as “Corporate Victim 2” (the web form software), which allowed Livingston and Chmielarz to use Corporate Victim 2’s email servers to send out spam that appeared to be from Corporate Victim 2, but in reality was from Livingston and his conspirators.

Livingston, Chmielarz and McArthur also worked together to steal the confidential business information of the corporate victims, including databases containing the PII of millions of Americans, so that they could use that information in spam campaigns. In May of 2013, Livingston and Chmielarz discussed stealing confidential business information from “Corporate Victim 3,” as identified in the indictment. In an online chat, Livingston told Chmielarz, “here is the site I need scrapped (sic),” and provided Chmielarz with an address for Corporate Victim 3’s website and the login credentials for an employee. “Scraping” is a technique employed to extract large amount of data from websites.

In another online chat, Livingston told Chmielarz that the database they were going to steal from Corporate Victim 3 contained 10 million records. Livingston subsequently paid Chmielarz to write a computer program to steal the database.

From February 2014 through February 2015, McArthur worked as a sales representative at a corporation identified in the indictment as “Corporate Victim 4.” In a series of online chats in August 2014, Livingston, Chmielarz, and McArthur discussed using McArthur’s position at Corporate Victim 4 to steal confidential business information, including the PII of millions of the company’s customers.

On Aug.11, 2014, McArthur allegedly provided Livingston with access to a remote administration tool on a computer with access to the computer network of Corporate Victim 4 without authorization from his employer. McArthur gave Livingston and Chmielarz access to Corporate Victim 4’s computer network using the remote administration tool to steal the names, addresses, phone numbers, and email addresses of potential customers, current customers, and former customers. The defendants and others could use that information to send spam to those individuals.

Livingston told defendant Chmielarz that he estimated that Corporate Victim 4’s database had records for 50 million people; Livingston also discussed the technical challenges associated with stealing such a large volume of data from Corporate Victim 4.

In an online chat dated Sept. 3, 2014, Livingston and McArthur discussed the contents of the database that they had stolen from Corporate Victim 4. McArthur estimated that they had succeeded in stealing 24.5 million records.

The maximum potential penalties for each count are as follows:

Count Defendants Violation Maximum Penalty
1 Livingston

Chmielarz

McArthur

Conspiracy to Commit Fraud and Related Activity in Connection with Computers Five years in prison and a fine in an amount the greater of $250,000 or twice the gain or loss from the offense
2 Livingston

Chmielarz

McArthur

Conspiracy to Commit Wire Fraud 20 years in prison and a fine in an amount the greater of $250,000 or twice the gain or loss from the offense
3 Livingston

Chmielarz

 

Conspiracy to Commit Fraud and Related Activity in Connection with Electronic Mail Five years in prison and a fine in an amount the greater of $250,000 or twice the gain or loss from the offense

The indictment also notices the forfeiture of $299,653 from several bank accounts, a 2006 Ferrari F430 two-door Spider Convertible and a 2009 Cadillac Escalade SUV.

U.S. Attorney Fishman credited special agents of the FBI’s Cyber Division, under the direction of Special Agent in Charge Richard M. Frankel in Newark, with the investigation leading to today’s arrests.

The government is represented by Assistant U.S. Attorneys Daniel V. Shapiro of the Computer Hacking and Intellectual Property Section of the Economic Crimes Unit and Peter Gaeta of the Asset Forfeiture-Money Laundering Unit.

The charges and allegations contained in the indictment are merely accusations and the defendants are considered innocent unless and until proven guilty.

Defense counsel:

Livingston: Jeffrey Cox Esq., Boca Raton, Florida

Chmielarz: Michael Koribanics Esq., Clifton, New Jersey

SOURCE: U.S. Attorney’s Office, District of New Jersey

Download livington_timothy_et_al._indictment.pdf (1.86 MB)
Category: HackID TheftU.S.

Post navigation

← Update: OkHello (FINALLY) secures its leaking database (Update2)
PA: Rivers Casino Hit With Computer Virus →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Hearing on the Federal Government and AI
  • Nigerian National Sentenced To More Than Five Years For Hacking, Fraud, And Identity Theft Scheme
  • Data breach of patient info ends in firing of Miami hospital employee
  • Texas DOT investigates breach of crash report records, sends notification letters
  • PowerSchool hacker pleads guilty, released on personal recognizance bond
  • Rewards for Justice offers $10M reward for info on RedLine developer or RedLine’s use by foreign governments
  • New evidence links long-running hacking group to Indian government
  • Zaporizhzhia Cyber ​​Police Exposes Hacker Who Caused Millions in Losses to Victims by Mining Cryptocurrency
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Google: Hackers target Salesforce accounts in data extortion attacks

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • The Decision That Murdered Privacy
  • Hearing on the Federal Government and AI
  • California county accused of using drones to spy on residents
  • How the FBI Sought a Warrant to Search Instagram of Columbia Student Protesters
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Malaysia enacts data sharing rules for public sector
  • U.S. Enacts Take It Down Act

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.