At the trial of two hackers prosecuted for sextortion


At the beginning of February 2019, particularly threatening messages landed in French Internet users' inboxes. “You are probably wondering why you are receiving this email. I am a hacker who hacked your device a few months ago. I put a virus on the adult (porn) site and guess what, you visited this site for fun (you know what I mean).”

In a long message, the hacker then claimed to have recorded a double-screen video combining the victim's screen, captured while the pornographic site was being viewed, and the feed from the webcam. A video that one imagines to be compromising, and which would be sent to loved ones, family and colleagues unless a ransom of a few hundred euros was paid.

In 2019, millions of French people received this type of message, a style of scam that was very popular at the time. As reported by Libération, some of them could be the work of two young French people, Augustin I. and Jordan R., prosecuted this week before the Paris criminal court for extortion, attempted extortion, access to and remaining in an automated data processing system, as well as laundering.

A bluff

In reality, these threats were a bluff. Admittedly, there were videos, but the hackers did not exploit them. Nor, most of the time, had the targeted device been hacked at all. But out of the ten million email addresses targeted, around 600 Internet users fell into the trap, according to a statement by one of the two hackers.

That is a significant number of victims, who allegedly made it possible to fraudulently accumulate up to the equivalent of approximately 400,000 euros in bitcoin over the first six months of 2019, the period covered by the charges. Afterwards, looking at the transactions on the virtual currency wallets, investigators estimated that the crypto-porn scam, carried out by several groups of cybercriminals, had extracted the equivalent of 1.3 million euros.

Aged 25, Augustin I. and Jordan R. have a lot at stake in court. The first, a tall, thin man with a passing resemblance to François Fillon, wants to resume his studies in IT. The second will soon be a father, and after obtaining a certification in web development, he worked in two positions before landing a well-paid job in a company revolving around video games. “I kind of realized my childhood dream,” he says.

Homemade malware

According to the prosecution, the two suspects, then barely 20 years old, had developed a well-honed technique to deceive their victims. First of all, homemade malware named Varenyky, developed by Augustin I., allowed them to create a network of zombie machines. The targets had been deceived by phishing messages announcing the sending of an invoice or a package. This malware, coded in C++, was a variant of Tinynuke, the young man’s first creation.

The botnet of 1,300 machines, managed by Jordan R., was then used to send mass ransom demands, first directed to orange.fr addresses. That operator was particularly targeted because one of the suspects had identified a way to circumvent its anti-spam filter, and because the hackers had decided to attack only French Internet users, for fear of American justice.

The Varenyky malware also had a webcam activation feature, tested for several days. It was triggered after detecting keywords on the victim's machine. But given the excessive number of false positives and the impossibility of linking each video to its victim, the hackers maintained that they had not attempted to exploit the functionality.

Money trail

To trace the two suspects, investigators first followed the money trail. By looking at the bitcoin addresses sent in the ransom messages, they discovered that one of the wallets had already been shared on a GitHub page by a developer calling for donations. That developer was Jordan R.

Following this thread, the police then looked into his bank account. They noticed an outgoing transfer to the account of Augustin I., a young man already targeted by another cybercrime investigation concerning a French bank. All that remained was to arrest the suspects, who were living in Ukraine and had been the subject of a search warrant since April 2019.

Jordan R. was the first to be arrested, at Roissy airport, upon his return to France at the beginning of September 2019. A few months later, Augustin I. followed, presenting himself at the police station in the 15th arrondissement of Paris. Not without first throwing his computer into the Vistula, in Poland. Four days of hearings are scheduled for this trial.








