DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Dutch hacking suspects to be in court April 20; Dutch police try to warn others to “stop cybercrime”

Posted on April 18, 2023 by Dissent

There’s been a lot of speculation following the arrest of Conor Fitzpatrick (aka “Pompompurin”) once it began to really sink in for some people that law enforcement has both the RaidForums BreachForums databases.

One development that has contributed to the anxiety some people may be feeling is that the Dutch police have sent out thousands of emails and hundreds of postal letters to those whose identities they know. They have also made “stop” interviews in person with young kids. Their stated goal is to encourage people to stop committing cybercrime by letting them know that they are not anonymous, are known to law enforcement, and could face charges or ruin their lives.

This is not the first time that Dutch police have reached out to hackers to try to discourage them. In 2021, they posted messages on XSS.is and RaidForums that ended, “Everyone makes mistakes. We are waiting for yours.”  In light of what we learned from the FBI’s affidavit in Fitzpatrick’s case, they didn’t have long to wait.

But did their 2021 intervention dissuade anyone from criminal activity, or did it just tick people off? They do not report whether their 2021 had any detectable benefit. And in the press release for the current intervention, they write (machine translated):

With the intervention, the police are sending a clear signal to users that it does not stop with the arrest of (main) suspects, but that customers and other parties involved are not anonymous online either. Within cybercrime, alternative interventions are increasingly opted for instead of going through the criminal justice system. By deploying alternative interventions, an attempt is made to prevent and disrupt cybercrime, in many cases in addition to investigation and prosecution.

But will the current interventions have any of its desired effect?

Databox and Three Others Arrested

Coverage of the police campaign has linked it to the arrest of three people in January of this year. Their arrests (but not their names) were announced in February. Of note, their activities and arrests were reportedly linked to an earlier arrest in November 2022 of a RaidForums user known as “Databox.” Databox had made himself a priority target for law enforcement by allegedly stealing the GIS (Gebühren Info Service GmbH) data of nine million Austrians and putting it up for sale on RaidForums in May of 2020. An investigation later revealed that this was probably a human error leak by a GIS subcontractor that Databox discovered and not a hack, yet it was still reported as “stolen data.”

Databox, who was 25 at the time of his arrest and a resident of Almere, reportedly had around 130,000 databases on a server of his seized by law enforcement. Die Press reported, “In addition to Austria, the data came from the Netherlands, Thailand, China, Colombia, and Great Britain, among others. He also offered patient data – from the other nations mentioned – as the Dutch authorities announced in a broadcast on Wednesday.”  Databox was suspected of four types of crimes: possession or making non-public data available, possession of phishing software and hacker tools, computer trespass and habitual money laundering.  According to om.nl, the habitual money laundering related to cryptocurrency transactions totalling   450,000 euros in 2022.

But how did law enforcement get from Databox to the three arrested in January?  It is not totally clear from the police press release, but some information is available.

DataBreaches has been able to uncover more information about two of those arrested in January. The primary suspect of the three, who had been described as a 21-year-old man in Zandvoort, had a day job in cybersecurity working for Hadrian Security. He also donated many hours each week at the whitehat DIVD Foundation. Gainfully employed by day, a volunteer at night, and a blackhat and ransomware operator at all other hours?  The police claim that he had 550,000 euros in bitcoins, a shoebox with 45,000 euros in cash, and 35 terabytes of data that they seized.

DataBreaches has learned that his name is Pepijn van der S., also known as @xstplanet on Twitter, xstp on Github, and Pepijn V. on LinkedIn, where his header reads “BECAUSE hackers know hackers best.”

According to reporting by Sebastian Brommersma and Gerald Jansen, van der S. had a difficult childhood. Rogier Fischer from Hadrian told the reporters, “At a bad time, he hacked into his high school’s digital systems.”  van der S. was arrested and wound up in the Hack_Right program, a police initiative diversion program to try to get young hackers on the right path. van der S. completed the program and started pursuing lawful work in the field. He also completed DIVD’s training program for young people.

To say that people were shocked to be told that van der S. was involved in extortion, money laundering, and other crimes would be an understatement.

While the police press statement didn’t detail the alleged connections between the individuals and RaidForums, Follow the Money learned that the three plus Databox communicated via forums and Telegram. A cybersecurity expert was more explicit:

‘All arrested hackers are part of a club around Pepijn and the hacker from Almere,’ says cybersecurity specialist Rickey Gevers (not related to Victor) to Follow the Money. ‘I was told that by hackers who once belonged to this club and have now stepped out of crime. This is a group of hackers with a core of three or four and a few others around it.’ Gevers had been keeping an eye on the group for some time.

The hackers stood out because they offered databases that were only interesting to the Dutch. They did this on the Raidforums website, a kind of online marketplace for hacked data that offers thousands of databases containing the personal data of millions of people from all over the world.

In April 2022, US authorities took the site offline. Gevers says that the group sometimes called him spontaneously in the middle of the night: ‘That was quite bizarre. Suddenly I was in a group of about eight hackers. I think they wanted to troll me.’

DataBreaches has also learned that the other 21-year-old arrested in January has been identified as “Emir S.”

Preliminary Charges

On April 20, van der S. and Emir S. will appear in court. The prosecutor will reportedly update the court on its investigation and ask the court to extend the pre-trial detention.

In rough translation, the two 21-year-old men are suspected of (and this may change):

  • From 18-8-20 to 26-10-21 in Almere and/or Amsterdam and/or United Kingdom threat (of bitcoins)
  • From 18-8-20 to 23-1-23 in Almere and/or Amsterdam and/or United Kingdom make available/disclose non-public data of crime originating from profit
  • From 18-8-20 to 23-1-23 in Almere and/or Amsterdam and/or Zandvoort and/or in the United Kingdom (conspiring to hack into computers)
  • From 1-5-22 to 13-5-22 in Almere and/or Amsterdam and/or United Kingdom extortion (from 24,588 bitcoins at that time with a value of approximately 754,851 US dollars)
  • On 23-1-23 in Rotterdam (conspiring in computer crime)
  • From 1-3-20 to 23-1-23 in, among other things, Amsterdam. habitual laundering of, among other things, approximately 2,496,548.80 euros (cryptocurrency).
  • On 23-1-23 in Rotterdam non-cash payment instrument falsely manufactured/sold / in possession.

The charges as summarized above do not specifically mention RaidForums or BreachForums, but we have yet to see the final and formal charges. And according to Follow the Money, the bond between Databox and the other three”is so close that the 25-year-old man from Almere is also a suspect in the investigation into the three.”

DataBreaches will continue to monitor developments in this case.

If you have any information relating to these cases or suspects, you can reach DataBreaches on Signal at +1-516-776-7756.


Names were edited post-publication to be more consistent with European methods of reporting on suspects.

Category: Commentaries and AnalysesHackOf Note

Post navigation

← Hackers Stole School Data. The District Left Teachers in the Dark
Capita IT breach gets worse as Black Basta claims it’s now selling off stolen data →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Masimo Manufacturing Facilities Hit by Cyberattack
  • Education giant Pearson hit by cyberattack exposing customer data
  • Star Health hacker claims sending bullets, threats to top executives: Reports
  • Nova Scotia Power hit by cyberattack, critical infrastructure targeted, no outages reported
  • Georgia hospital defeats data-tracking lawsuit
  • 60K BTC Wallets Tied to LockBit Ransomware Gang Leaked
  • UK: Legal Aid Agency hit by cyber security incident
  • Public notice for individuals affected by an information security breach in the Social Services, Health Care and Rescue Services Division of Helsinki
  • PowerSchool paid a hacker’s extortion demand, but now school district clients are being extorted anyway (3)
  • Defending Against UNC3944: Cybercrime Hardening Guidance from the Frontlines

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • US Customs and Border Protection Plans to Photograph Everyone Exiting the US by Car
  • Google agrees to pay Texas $1.4 billion data privacy settlement
  • The App Store Freedom Act Compromises User Privacy To Punish Big Tech
  • Florida bill requiring encryption backdoors for social media accounts has failed
  • Apple Siri Eavesdropping Payout Deadline Confirmed—How To Make A Claim
  • Privacy matters to Canadians – Privacy Commissioner of Canada marks Privacy Awareness Week with release of latest survey results
  • Missouri Clinic Must Give State AG Minor Trans Care Information

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.