On September 27, the U.S. Department of Justice announced that Sébastien Raoult (aka “Sezyo Kaizen”), a 22-year-old French national who had been extradited to the U.S., pleaded guilty to two of nine counts alleging fraud and aggravated identity theft. DataBreaches had been covering his case since he was detained in Morocco on a red notice from the U.S. France never attempted to get him extradited to France although he was one of multiple people arrested on the same day in France on suspicion of involvement with ShinyHunters.
The others were all arrested in France, questioned, and released. At least one of them had also been indicted here in the U.S. with Raoult, and yet, despite being picked up multiple times by French authorities for hacking, he was released yet again, presumably because of a mental health diagnosis. France doesn’t seem to have prosecuted a number of people allegedly involved with Gnostic Players or ShinyHunters, and the U.S. wound up prosecuting a relatively low-level person.
Using a conspiracy charge, the U.S. held Raoult responsible for millions of dollars in damages, even if he played a relatively small role in any particular victim incident.
When Raoult was first extradited, he was confident he would be acquitted at trial and pleaded not guilty. In a change of mind this summer, he pleaded guilty.
Over the past year or more, DataBreaches has remained in touch with Paul Raoult, Sébastien’s father. DataBreaches asked him how they were all doing in light of the new plea. He responded, via email (translated):
We are doing well, thank you. It’s true that we had to absorb this change in Sébastien’s defense strategy. But we were already informed, as we were able to discuss it with Sébastien and his lawyers during our stay in Seattle at the end of August.
Sébastien had a large rock threatening to fall on his head. He did what was necessary to minimize the risks. By pleading guilty, the prosecutor agreed to only charge him with 2 out of the 9 counts. So, the maximum sentence becomes 27 years for one (computer fraud) and a mandatory 2 years for the other (identity theft). These are indeed the maximum sentences, and the prosecutor is only seeking 84 months. So, in principle, we’re looking at a range between 2 and 7 years. Now it will be up to the judge to pronounce the sentence on January 11th, after hearing the various arguments.
Sébastien is quite satisfied. Since his arrest in May 2022, he has been living in anticipation, unable to plan or envision anything for the future. After January 11th, he will know how much more time he has to spend in prison. Depending on this duration, he can start taking control of his life again, either by continuing his studies or by requesting a family reunification to serve the rest of his sentence in France or exploring other possibilities. The main goal, after January 11th, will be to prepare for his rehabilitation and to move forward from this rather traumatic experience.
The judge, of course, is not bound to accept what the prosecution requests. But whatever the sentence is — and the ID theft part is a mandatory two-year sentence to be served after the other sentence and not concurrent with it — anyone convicted of a felony in a federal court must serve 85% of their sentence. He will likely be credited with time served in detention from his arrest until his sentencing. But will he be allowed to serve his sentence in France? DataBreaches has not seen anyone permitted to do that in other hacking-related federal cases such as the cases of Sébastien Vachons-Desjardins and Nathan Wyatt, but perhaps Raoult will have better luck with that.