How French justice got hold of a suspect in the Ledger data leak


The French justice system has evidently made good progress in the case of the leak of Ledger's customer database. According to The Big Whale, a newsletter specializing in cryptocurrencies, a suspect was extradited to France last fall.

Upon his arrival in France, Davide M., a 28-year-old Portuguese national, was indicted for six offenses, including organized fraud, criminal association and various computer hacking offenses, information that ZDNet.fr was also able to confirm.

Sophisticated phishing campaigns

The French company Ledger, one of the few unicorns in France, suffered several security incidents in 2020. It first reported in July a hack of its e-commerce database. Then, a few months later, in April and June, it discovered two more data thefts linked to its e-commerce service provider, Shopify. This latest hack resulted in the sale of 292,000 customer records on a black market. It was an extremely harmful theft, which led to particularly elaborate phishing campaigns, including, for example, counterfeit Ledger products sent by post.

But in January 2021, when the investigation was at a standstill, Ledger was contacted via Twitter by an internet user, The Big Whale explains. This person had spotted suspicious messages in Telegram groups, in which a man talked about reselling databases… including those of the crypto-safe specialist.

This first suspect was identified by the FBI as Tassilo H. Known online under the pseudonyms Tass, BigBoy or Pokeball, this 22-year-old Austrian was immediately prosecuted in the United States, where he resides, for identity theft and electronic fraud. As explained in the indictment unsealed by the US justice system in February 2021, he is suspected of having bribed, together with an accomplice in Portugal, a Filipino subcontractor of an e-commerce platform, whom they contacted through the support chat.

Suspicious transactions of a few hundred dollars

According to the US justice system, several messages dating from May 2019 onward attest to questionable transactions of a few hundred dollars, made with a view to fraudulently obtaining customer data files. In addition, fake positive reviews of the subcontractor's service were also given. The stolen data files (customer names, addresses and emails, invoices and payment methods) were exported via Google Drive links or screenshots.

This shady trade continued until September 2020. The Canadian giant Shopify, Ledger's partner for its e-commerce activities, had deplored the behavior of two “rogue employees” of its support team, who had harmed a total of 200 of its customers.

According to the US justice system, the stolen customer data (3,000 files were found on the young Austrian's computer) would then have allowed the two suspects to create fake e-commerce pages, or would have been resold. According to The Big Whale, the fraudulent sales would have brought in a total of 150,000 euros.

Judicial investigation in progress

First on the scene, the US justice system has already closed the case. Tassilo H. was convicted of wire fraud on February 25, 2022. He was sentenced to three years of probation and ordered to pay Shopify nearly $52,000 in compensation. In turn, his statements have meanwhile allowed the French justice system to move forward on the case by identifying his Portuguese partner, the man who was extradited and indicted in France.

Currently in detention, the latter unsuccessfully requested his release last December. According to our information, this self-taught geek told the courts that he had been no more than an intermediary, the Ledger customer data files having been sold to an unidentified third party. The judicial investigation, still in progress and overseen in Paris by examining magistrate Elise Treguer, may shed more light on this point.






