The first — and so far, only — person to have been arrested and charged as a member of “thedarkoverlord” pleaded guilty today in federal court in Missouri. Nathan Francis Wyatt, 39, of Wellingborough, Northamptonshire in the U.K. was sentenced by Judge Ronnie L. White to 60 months in prison and almost $1.5 million in restitution.
Wyatt, who used screen names including “Crafty Cockney” and “Mas,” had been indicted by a grand jury in November, 2017, and charged for his role in thedarkoverlord attacks against five victim entities in Missouri and Atlanta. The indictment had contained 6 counts: 1 count of conspiracy, 2 counts of aggravated identity theft, and 3 counts of threatening to damage a protected computer. Wyatt was extradited to the U.S. in December, 2019, and had been in custody since then in the St. Charles jail.
Most of the government’s evidence against Wyatt came from Wyatt himself — he opened a PayPal account, registered a phone account, a Gmail account, a Twitter account, and a virtual private network that were all used as part of the scheme to hack and extort victims — and he created them all using information that led straight back to him.
The government was represented by Gwendolyn Eleanor Carroll of the U.S. Attorney’s Office in St. Louis and Laura Kathleen Bernstein of the U.S. Department of Justice Criminal Division.
Some of the evidence against Wyatt has been documented in extensive previous coverage of him by this site, but some of the evidence had been under seal, including some very threatening messages TDO sent to victims in this case. While the public was already aware that thedarkoverlord often researched their victims and would refer to their family members in ways that suggested future harassment or harm, the government’s filing contained examples not previously revealed. From the presentencing filing:
…. one ransom demand, which is redacted here, threatened, “[w]e imagine that the same, careful, delicate care you give your patients, you also give your beautiful wife. What was her name? S******? S.M.V. (***-**-****)? Let’s hope that she stays beautiful and that nothing unfortunate happens to her. Who knows? It’s bound to happen with you leaving her alone all the time over there on [address] (Parcel ID **-**-**-**-***-****.**). We heard that it is for sale and maybe we will check it out sometime.” Gov’t Sealed Exhibit A. The letter went on to list details about the owner’s children, and even included threats to the owner’s parents: “[y]our elderly parents do not need this sort of stress in their golden years. What were their names again?,” and then listed the full names and social security numbers of the victim’s parents. PSR ¶ 23; Gov’t Sealed Exhibit A.
In another example cited by the government, the daughter of one of the victims was on the receiving end of frightening communications that used a telephone account registered by Wyatt:
hi [K] you look peaceful….by the way did your daddy tell you he refused to pay us when we stole his company files..in 4 days we will be releasing for sale thousands of patient info. including yours… 19 in febuary?…weve all had a look and we all think your hot. soon some really evil men will be looking at you..possibly thru your window. your father is also looking at multiple felonies..so say good bye to the house.. all bcs daddy wouldnt pay a much smaller sum to make all this go away. Daddys fucked you [K]….And incest is a crime… sweetdreams Gov’t Sealed Exhibit C.
Note that the government did not claim that Wyatt wrote or transmitted all of the threats. But he was charged with being part of the conspiracy that did engage in those behaviors and a phone used in the conspiracy was registered in his name.
Wyatt pleaded guilty to the one count of conspiracy in exchange for the government dropping the other five counts of aggravated identity theft and fraud activity connected to computers. He was represented by Brocca L. Morrison and Rachel Marissa Korenblat of the federal public defender’s office.
Throughout most of the hearing, which was held by Zoom conference because of the pandemic, Wyatt confined himself to quietly answering, “Yes, Your Honor,” or “No, Your Honor” when the judge would ask him questions.
After accepting Wyatt’s guilty plea, both the defense and prosecution made statements about sentencing recommendations, having previously agreed on the guidelines’ application to the case.
Wyatt’s counsel noted that they couldn’t really contact much family because he had no family in the U.S., but his long-time partner had written a letter to the court describing Wyatt’s character as a loving father and devoted partner. The defense also noted how Wyatt had medical issues, and had only recently been diagnosed with Asperger’s Disorder. Prior to proper diagnosis, medication, and counseling, he had admittedly made bad decisions in a serious case. As his lawyer noted, Wyatt was caught because he registered accounts in his own name. He was not a sophisticated criminal, while thedarkoverlord was a sophisticated criminal operation. According to his lawyer, Wyatt was not the person who orchestrated TDO. He had great remorse and shame for what he had done, but especially for what he had done to his family who he had “left in the lurch.”
When given an opportunity to speak, Wyatt struggled to compose himself. He admitted that he had mental problems that had led to bad decisions, but now that he was medicated, he was beginning to recognize when he was experiencing mania. But more than anything, he just wanted to go home to his family and never see another computer ever again.
Judge White imposed a sentence of 60 months. The judge did not seem swayed by defense counsel’s argument that most defendants get measures like half-way houses or incentive programs that reduce their total time in jail, and that Wyatt would wind up serving at least 85% of his sentence.
Wyatt was also sentenced to $1,467,048.07 in restitution:
- Athens Orthopedic: $877,585.00
- Midwest Orthopedic Group: $68,564.63
- Prosthetics & Orthotics: $205,033.03
- Quest Records: $208,500.00
- PatrickSmith: $82,365.41
- Hanover Insurance: $25,000.00
The restitution does not include any ransom payments for clinics, as none of the clinics had paid any ransom, although TDO had made ransom demands between $75,000 and $300,000 in bitcoin. Apart from Hanover Insurance, the other victims had been identified by DataBreaches.net in a prior post even though they had not been named in the indictment.
A few comments:
- Nothing in the government’s case suggested that Wyatt was the threat actor calling himself “Arnie.” Nor did they ever suggest he was the public spokesperson for the group. The government’s claim was that Wyatt arranged for services that were used as part of the conspiracy, knowing that they would be used to hack and extort, and that he benefited financially by his role. He was also responsible for at least one threat (the rap threat previously reported). His actions also enabled others to operate anonymously. But it seems like the government recognized what this site has maintained all along: Wyatt was a facilitator of a serious criminal operation, but he was not the brains or the spokesperson or leader of TDO in 2016 or during the lengthy period when he was in jail.
- A government filing in this case states that other TDO actors have not yet been apprehended. Did Wyatt cooperate with them and give them any information or leads? The government won’t say, of course.
- Earlier today, the U.S. Department of Health & Human Services announced that it had settled charges against Athens Orthopedic for systemic violations of HIPAA — violations that also contributed to the hack at issue in the Wyatt case. Athens Orthopedic will pay $1.5 million and agreed to a corrective action plan and two years of monitoring.
This post will be updated to add links to government coverage if they should issue a press release.
Update: From DOJ, their press release.
Update 2: As I had thought, the other victim awarded restitution was Quest Records, and the post has been edited to reflect that. The post was also lightly edited to replace “communicator” with “public spokesperson” and to more accurately reflect the role played by the person who tweeted for TDO and who was interviewed by journalists in 2016.