At the trial of the two suspects in the summer 2019 tax hack


The computer attack had forced the Directorate General of Public Finance to lock down individuals' access to their personal space more tightly. Four years later, this tax credit fraud case is nearing its judicial conclusion. After two days of hearings, on Monday 20 and Tuesday 21 March, the magistrates of the 13th correctional chamber of the Paris court have reserved their decision until May 15, ZDNet.fr has learned.

Two French people in their forties are being prosecuted in this hacking case, revealed at the time by Le Canard enchaîné. More specifically, they are suspected of two offences: an attack, committed as an organized gang, on an automated personal data processing system operated by the State, and fraud committed as an organized gang.

On these charges, the prosecution requested three years in prison, two of them suspended, against both defendants. For its part, the defense – only one defendant was represented by a lawyer, Me Jean-François Morant – admitted the computer hacking, but pleaded for acquittal on the fraud charge.

Purchases of username-password pairs

At the beginning of the summer of 2019, the Directorate General of Public Finance had been alerted by several individuals who had just discovered that their tax returns had been falsified. Someone had added large sums to one of the annexes to the return, such as 249,000 euros for work, giving rise to a tax credit.

The administration, which had initially worried about possible sabotage or an operation aimed at discrediting it, quickly understood the attackers' modus operandi. As noted in its press release of August 20, 2019, the attackers had relied on the prior hacking of 11,000 private email accounts.

The two defendants had obtained access to these Free and Orange mailboxes using username-password lists. In addition to free lists, which accounted for approximately 90% of the hacked mailboxes, a handful of additional combo lists had been purchased for a hundred euros.

Automated attack

According to the prosecution, this raw material had made it possible to feed a large-scale fraud attempt against approximately 2,000 taxpayers. One of the two defendants, a 45-year-old computer scientist, had spent two weeks carefully preparing to automate the attack using the free trial of an online service, Leapwork.

With this application, the computer scientist had set up a sequence of actions to be carried out, ranging from solving a captcha to deleting messages in the hacked mailboxes, by way of automatic clicks. The process ultimately made it possible to obtain the tax number of the victims whose mailboxes had been hacked and to reset the password they used on the tax site.

Once fraudulent access to the personal space had been obtained, the program made it possible to modify on the fly an annex to the tax return relating to the tax credit for work, and finally to modify the bank identity statement associated with the account. “The declaration could not be finalized if there was no IBAN”, explains on the stand the computer scientist, an experienced engineer who had worked in California and was freelancing from Île-de-France.

The complex logistics of bank identity statements

A fictitious bank identity statement was therefore added during the process, to make up for the fact that the hacked individuals had never provided one. The computer attack ultimately stopped there. “We realize that there are logistical problems and that it is once again blabla”, summarizes the computer scientist in front of the judges.

According to the prosecution, it was his accomplice, a consultant for the pharmaceutical industry living in the North of France, who was to open bank accounts in Belgium to collect the funds. But this man, a hacktivist in his free time – trolling according to the defendant, cyberharassment according to the prosecution – and considered by the tax authorities to be the man in charge of the operation, ran up against this complicated logistical maneuver. Only one account was ultimately opened, using false identity documents purchased online.

225,000 euros in damage

In the meantime, the tax administration, which had become aware of the intrusions, temporarily closed access to its service while it identified the flaw. According to its lawyer, Me Renaud Le Gunehec, the 1,109 falsified declarations identified would have given entitlement to nearly 3,900 euros in tax credit each, on average.

That is a haul, which remained theoretical, of more than 4 million euros. But even though this heist did not succeed, it still cost the administration dearly. It put its damages at more than 225,000 euros, a sum corresponding to the salary cost of the 2,620 hours worked to resolve the crisis, plus the 20,000 euros requested in non-pecuniary damages.

The investigation, entrusted to the DGSI in view of the sensitivity of the victim, an operator of essential services, had identified between the beginning of May and the end of June 2019 a flood of suspicious IP addresses coming from a virtual private network. The IT specialist’s own IP address was also identified in the batch, no doubt due to dropouts in his VPN connection.

As for his accomplice, with whom he maintained extensive correspondence, he was also the “patient zero” of the operation. His tax return was the first to have been modified, with almost all the codes corresponding to work ticked. For the prosecution, this was a way to test the fraud process.

Intense activity on the black markets

Beyond the intrusions on the tax administration's site, the investigation also shed light on the two suspects' intense activity on the black markets. “They were aiming for the jackpot”, sums up the deputy prosecutor Johanna Brousse. Members of phishing groups on the Telegram messaging service, they seem to have taken an interest in scams involving the false certification of cars or the false declaration of employees. One of the two is also suspected of having tried to phish customers of a bank.

These were so many avenues of investigation that the DGSI ultimately left aside, deeming them outside its core business of hacking cases targeting state networks or operators of vital importance. “I don’t recognize myself in this period: I withdrew into myself and there was this comfort of being outside of reality”, explains the computer scientist about these troubled escapades on the black markets.

“We were in a kind of collective neurosis,” adds the second defendant, the consultant. Yet “you earn quite a good living, you even have property income” – rental income from several apartments – remarks the presiding judge in surprise. “The trigger was a certain form of boredom”, analyzes this man with thinning hair, marked by his stay in detention.

He then plays down the scale of the activities carried out. “You have to imagine these exchanges as a great brainstorming,” he says. “If we take the discussions from A to Z, it gives the impression that we had created an empire. But there was a big gap between what we did and what we said.”




