In a somewhat surpising turn of events, the Australian hacker known as “DR32” learned his sentence in a Colorado federal court this week. It was not the sentence most people might have expected.
David Kee Crees, a 26 year-old Australian, who had also been known online as “Abdilo,” “Notavirus,” “Surivaton”, and “Grey Hat Mafia’s Bitch,” had been extradited to the U.S. to face a 22-count grand jury indictment filed in 2021. The indictment covered a period from approximately June 2020 to July 2021. Court filings referred to seven unnamed victims and a ransomware group that Crees allegedly compromised.
Much of the supporting affidavit for the extradition request cited Crees’ interactions and sales of data to an undercover agent. Of note, it appeared that the case arose from an investigation by the U.S. Department of Homeland Security’s Homeland Security Investigations. During that time, DHS/HSI used undercover agents who made deals with Crees and investigated his claims. Excerpts from Crees’ interactions with the undercover agents were quoted in the affidavit. While one agent would make deals with Crees, a second undercover agent would reportedly send the payments to Crees. Excerpts quoted in the supporting documentation reveal that Crees revealed a lot of personal details about himself to the undercover agent.
Although the Adelaide court approved the U.S. extradition request in August 2022, Crees didn’t actually appear in federal court in Denver until February 2024 for his arraignment. He was detained in a federal detention center pending trial, but with his trial scheduled for August, 2025, Crees changed his plea and pleaded guilty in January of this year.
As part of the plea deal, Crees pleaded guilty to Counts 1-14:
Counts 1 -7 were violation of 18 U.S.C. §§ 1030(a)(2)(C), 1030(b), 1030(c)(2)(B)(i) & 2: Access a protected computer without authorization for private financial gain
Counts 8-14 were violation of 18 U.S.C. §§ 1030(a)(5)(A), 1030(b), 1030(c)(4)(A)(i)(I) & 2: Cause damage to a protected computer without authorization, causing loss of at least $5,000
Sentence
In a decision that may shock many, on May 14, Crees was sentenced to time served by U.S. District Court Judge Daniel D. Domenico.
Crees had been detained in Australia for two years pending his extradition here, and then he had been in a federal detention center from February 2024 until now, but just time served for a case that started with 22 counts?
Because most of the court filings in this case are sealed, it is not publicly known why the government dropped counts 15-22 and why the court determined that time served was appropriate.
Crees was also sentenced to supervised release with standard conditions and some special conditions of release for a term of one (1) year as to all counts, to run concurrently, following his release from prison. He was also ordered to pay a special assessment fee of $1,400.00.
In another surprising aspect of the judgment, there was no restitution to victims ordered. There was, however, this:
The defendant shall forfeit the defendant’s interest in the following property to the United States: a money judgment in the amount of $245,056.92.
So why such a light sentence? Is there a matter of national security or homeland security that resulted in the government not wanting certain things to be made public if this case went to trial? Because so many of the files are sealed or restricted, it seems likely that there might be some sensitive hacks or incidents that the government would not want revealed.
This post will be updated if more information becomes available.