DutchNews.nl reports:
Amsterdam’s cyber crime police team has arrested three young men as part of a major investigation into hacking, data theft, blackmail and money laundering involving the private details of tens of millions of people. The three, aged 21 and 18, were picked up on January 23 and two have been restricted to contact with their lawyers only, in the interests of the investigation, police said.
Read more at DutchNews.nl.
According to the police, the suspects are a 21-year-old man from Zandvoort (prime suspect), a 21-year-old man from Rotterdam, and an 18-year-old man of no fixed abode. The investigation was opened in March 2021 following a report of data theft and threats at a large Dutch company. The police state:
During the course of the investigation it has become clear that probably thousands of small and large companies and institutions, both national and international, have fallen victim to computer intrusion (hacking) in recent years and subsequently theft and handling of data. Tens of millions of privacy-sensitive personal data have fallen into the hands of criminals as a result of this theft and trade.
The suspects allegedly engaged in the types of extortion demands we have read about many times over the past years:
After illegally accessing the data on the systems of the affected companies, these companies receive a threatening message by email stating that they must pay in bitcoins. If a company does not pay, it threatens to destroy the company’s digital infrastructure or to make the data public. Many companies have felt compelled to pay in hopes of protecting their data. The total damage for companies runs into the many millions. As far as we know, the ransom demanded per company has risen to more than 100,000 euros, with a peak of more than 700,000 euros. Moreover, in many cases, the stolen data is still sold online, even though the affected companies have paid.
The entire police statement can be found here.
DutchNews.nl also noted that broadcaster NOS reported that one of the three suspects also worked for the data security organisation DIVD or Dutch Institute for Vulnerability Disclosure. NOS reports:
In an internal Slack message, DIVD reports that there are “no indications” that the man has abused his access. “We immediately blocked him and denied him access to our systems,” writes the organization’s crisis manager. “We are just as shocked as everyone else,” says a DIVD spokesman.
In the internal message, the crisis manager describes the arrested hacker as a “nice colleague of whom we had no indications that he was involved in matters that conflict with our code of conduct.”
Comment: DataBreaches has reported on DIVD and its researchers a number of times over the past years. If this individual did not misuse access and abuse trust, well, that’s a relief, but obviously, DIVD will be considering how to prevent any such situations going forward. It would be a shame, though, if entities who can really benefit from their skills and help lose trust in them based on this situation. Having collaborated with one of their team on a number of investigations into health data leaks over the past few years, and having read other work of theirs, my trust in them and respect for them is unwavering.
Update: DIVD has issued the following statement:
On Thursday, February 23, at around 5:00 PM, news broke of the arrest of three young Dutch hackers in connection with a significant data theft and extortion case. One of them was an active volunteer for DIVD in the past year. We are deeply shocked by the facts that have come to light.
The mission of DIVD is to make the internet safer. The allegations against the volunteer are entirely at odds with this mission. It should be clear that we had no knowledge of any criminal activities by the volunteer, nor did we suspect he was involved in such activities.
As soon as we learned of his arrest, we formed a crisis team, blocking the volunteer’s account and denying him access to DIVD systems. Shortly after that, we launched an internal investigation to determine if DIVD knowledge or resources were used in violation of the DIVD code of conduct. No concrete evidence of such abuse was found. DIVD is not part of the police investigation, and they have not requested us for any data.
Volunteering for DIVD as a helpful hacker is never compatible with cybercrime. We have suspended the volunteer’s membership.
More than 100 volunteers are active as helpful hackers at DIVD. They have all endorsed our code of conduct. Anyone who violates this code is immediately suspended and is no longer welcome at DIVD. We have accomplished a great deal together over the past years, and we are very sorry that the actions of one volunteer have now cast a shadow on our work.