Today’s part of the interview with the hacker known as “Umbreon” is brought to you by the letter “R.” In this case, “R” is for Restitution, Remorse and Regrets, and Reparations. As with previous segments, this was conducted by telephone over days and weeks. The transcript has been edited for length and clarity.
For those joining this series of interviews in progress, Umbreon (Pepijn van der S.) was arrested in the Netherlands in January of 2023 and has been detained since then, awaiting trial on a number of charges. When given the opportunity in June to request the court consider home detention while awaiting trial, he told the court he wanted to stay in prison so he could continue the therapy he was getting. He remains in detention awaiting trial later this month.
Part 1 of this interview series can be found here, and Part 2 can be found here.
Restitution
“Restitution” generally means restoring something lost or stolen to its proper owner or recompensing them for any loss. In criminal hacking cases, restitution usually involves the court figuring out how much money a criminal stole from their victims, and what other costs the victims incurred as a result of the criminal activity — and then ordering the defendant, if convicted, to repay the victims.
Dissent (D): I understand that you do not know for sure how much restitution you will be ordered to pay your victims because although you’ve seen numbers on extortion amounts per victim, you haven’t seen any numbers on what other costs they incurred in incident response. Is that correct?
Pepijn (P): Yes. But I also know the prosecution has double-counted some funds that went into a mixer and then came back out. I do not know how much of that I can prove, but I know they have overestimated how much I got.
D: Some of your crimes were committed with other people. When the court figures out restitution, do they just take a share of the proceeds of the crime and assign it to you, or do they hold you responsible for paying the entire amount by yourself if they haven’t caught or charged anyone else yet?
P: I will be held responsible for the full amount a victim lost if I was the only one suspected of being involved in their incident.
D: Assuming you don’t have all that money at the time you are sentenced, do you just pay it out over time?
P: Yes. As I said in court during the last hearing, I just wish that the victims could all have been paid back already, to at least start to relieve the financial stress they suffered.
Remorse/Regrets
D: In past interviews and chats, you mentioned “shame” a lot, and just now, you seemed to feel badly about the stress experienced by your victims. Have you been feeling a lot of remorse or regrets?
P: Yes.
D: You previously told me that you had come to understand the impact of your actions on your victims. Thinking about the victims in this case, when did you first find out about that impact?
P: I actually started understanding it from my work at DIVD seeing what people went through with incident response. When I got experience working with people doing incident response, I got a better understanding of what victims went through.
D: Was there anything in particular about the victims in this case that really got to you or got through to you?
P: When I saw the police findings on the victims in this case, I read about people being fired or others working 24/7, and people experiencing personal problems like sleepless nights and panic attacks, even impact on their whole families. That really got to me.
D: But why didn’t you already understand, in general, the impact of such attacks on victims? In an earlier interview, you talked about feeling shame after police came to talk to you about the impact of your attack on a man’s business. You were about 12 at that time. And then in going through files about you from Halt that I obtained, I see that you said something similar in 2019 when you were in Hack_Right — how you wrote that you were shocked to discover the impact of your actions and that something you had done might have also impacted health care entities. Back then, you also wrote an apology letter to your victim and asked to meet with your victim to apologize in person. It all seems very similar to what you are saying again now.
So why is this time any different? To be blunt: why should people believe you now when you say you now understand victim impact when you said you understood when you were 12, and when you said you understood when you were 18 and in trouble again. Why should anyone believe you now?
P: It’s going to be hard to believe. The people I’ve hurt will be skeptical because they owe me nothing, yet I’m asking for their forgiveness. I can’t forgive myself for 100% of my actions. The victims of my crimes should know that it wasn’t personal and that I am genuinely sorry. I am working hard on issues that contributed to my slipping back, and I will continue working on them for as long as it takes. I know that I will have to prove myself over a long period of time, and it’s not something I can fix just with words. I recognize the gravity of my actions and have been open about what I’ve done, not trying to fight the charges and telling the prosecution what I did and not holding back on what I did. It would be peaceful to look in the mirror and live with myself. As for my family, friends, and the people I have impacted, they shouldn’t live with the shame or problems I have brought upon them.
D: But why should anyone believe you won’t relapse and start hacking again? What’s different this time? You say you’ve been getting therapy to deal with issues that contributed to you hacking. Okay, but is there any other thing you are doing or will do to keep yourself out of trouble in the future?
P: Well, it wasn’t quite black and white like that where I went from one day to suddenly doing illegal things again. It was over time. When I was active, I was somewhat self-destructive and not getting myself help or therapy. That’s changed now and I feel really better mentally. But I also offered to be monitored if it would make people feel that I was being watched to make sure I wouldn’t get in trouble again. I offered to have all my internet activity logged and monitored if it would make people feel safer. The prosecution said that wasn’t really practical for them, but I made a serious offer and I meant it. If someone comes up with another idea, I would consider it.
D: Still talking about remorse and regrets: did you feel any guilt about hacking the victims before or while you were hacking them?
P: I usually did not feel guilty about hacking the victims while I was hacking them. If anything, it would feel exciting. One reason I didn’t feel guilt about some of them was that a number of them were gaming sites that were no longer owned, so I felt nothing. But if I wound up spending a lot of time in a victim’s system, I would start to feel guilty because then I felt more like an APT (advanced persistent threat).
After I was more active and it was easy to break into systems, it didn’t feel exciting anymore and I didn’t even know why I was really doing it. And at some point, I began to realize that my skills were so good that if my intentions ever became really bad, then I could have done tremendous damage on a major scale. When I realized that, I became somewhat scared of myself. It left me anxious and confused. I even walked away from some operations because of that.
D: When you walked away, did you let the victims know that you had been in their systems and what you did?
P: Not always, but in some cases, I reached out to them anonymously to let them know what I had found with a little bit of advice on how to address the issues. Usually, I added my concerns that the issue could also be present elsewhere in their network.
D: Did you feel guilty about extorting victims during all the time you were active? And were you threatening to call their family members or anything like that in the notes?
P: I didn’t really feel guilty because I was just using a template and changing the victims’ names and entering sample data. I didn’t really feel what I was writing. And I wasn’t threatening them personally or contacting families or anything. The note might talk about us going to the media and how if they were in the EU, the GDPR fine could be more than what we were asking in ransom.
D: Some ransomware groups use sites like zoominfo.com to get a sense of what a firm was worth to figure out how much to demand. Did you ever do anything like that?
P: Maybe once or twice. I usually just made up a number.
D: So in the present court case: are there any victims that you (still) don’t feel guilty about hacking? Are there any that you still don’t feel guilty about attempting to extort?
P: No, I do feel guilty about hacking and attempting to extort all of those.
D: You leaked some of the data you hacked. Did you ever feel guilty at the time about leaking private data publicly or do you feel guilty at all now about leaking data?
P: I didn’t leak data frequently, and I felt guilty while I was doing it.
D: Were you leaking data that people had paid you and you had promised not to leak?
P: No. Not that I’m aware of.
D: Without naming any victims or giving any details that might identify them, can you say if there’s one victim or situation that really made you feel the most guilt?
P: Yes. There is one case in particular that really bothers me because I know that an employee really suffered from what I did. They were a small company and I may have caused stress and problems for them for many months.
Reparations
“Reparations” is defined as the act or process of making amends for a wrong. There’s more to reparations than just paying restitution. To make reparations involves understanding what else happened to the victims as a result of one’s actions and trying to figure out how to make them whole again. Not all harms are financial or can be dealt with by money.
D: Apart from the issue of financial restitution, and apart from the issue of whether any of your victims would be willing to meet with you individually and in person — which is something you would be willing to do and would like to do — how on earth can you possibly make those victims whole again? If they had to lay off employees or if people got fired because of the incident, how do you make amends for that? If they had nightmares and panic attacks, and still find themselves highly anxious, how do you make amends for that or make them whole again? What thought have you given to reparations at this point?
P: There is no magic word to be said. All I can do is offer support and be committed to making amends to them.
D: Offer support how? If they tell you what they are dealing with, will you feel tempted to offer them advice or help on securing their network? You were very helpful with DIVD and now here are people you are motivated to help. Are you going to be tempted to do more than just listen to them? Will you be tempted to try to give them advice?
P: No, I will not try to help the victims technically. I won’t work in cyber security again. That’s very inappropriate. I’ve broken the trust of the security sector, and I shocked many people with my actions. But thinking about some of the victims, it would be nice if the cybersecurity sector promoted awareness of resources such as OWASP SKF, which I learned about during my ethical journey. It can provide practical guidance and best practices for companies and organizations that want to be secure.
But you asked how I can make people whole again. That question goes through my mind daily. I can’t do that alone, even though I wish I could. As part of my amends, I would like to serve my time in prison to show I am committed to giving the victims justice and have given society a feeling of safety. Their well-being and health do matter to me. I want to hear the victims and be more empathic towards the pain I’ve caused them if they’d allow me. Making amends isn’t enough to restore trust and may never be. I would be there for them — 100%, but I know it will be hard to convince them that it would be safe to talk to me.
D: And talking will probably not be enough to really help restore them or make amends for what you did to them, even though you hope to ask them individually and directly what you can do to help make things up to them. But you also mentioned what you have done to your family and friends, and how you don’t want to ever do anything that would upset them so much or hurt them so much again. Have you thought about the reparations question with respect to your family and friends? How do you make them whole again for any harm from what you have done?
P: For one, I think by now it has played a role in their lives on a personal level. They were shocked and I think the only thing I could do now is not put them through this again and be transparent with them and maybe that would balance things out. Truly I do want to make everything right. It’s going to take time. I feel badly that some people felt guilty because they felt they could have done more to prevent all this, but if someone doesn’t want help, you can try everything but it won’t work.
D: Are there any family or friends with whom you have not yet made things right or feel you can’t make things right?
P: There are several people that I haven’t been able to reach out to and others who I haven’t been able to listen to to learn what they are going through.
D: Is there anything I’ve neglected to ask you that you wish I had asked for this part?
P: Yes. In the long term, I am going to ask for help on restorative mediation, which helps offenders and victims connect if they are willing to talk to the other party. I hope to show my victims that it was nothing personal and I hope that I can help them heal from what I did to them.
End Note: Umbreon’s trial will be on October 20 in Amsterdam. There are aspects to his case that have not been included in these interviews to date. Once they are part of the public record in court, DataBreaches may be able to provide more details and information. If you have something specific you would like Umbreon to address or talk about, send your questions to breaches@databreaches[.]net.
Update: One sentence in the Restitution section was edited post-publication to make it clear that Pepijn was explaining what he would owe to victims if he was the only suspect involved with them.