The case of the volunteer from the Dutch Institute for Vulnerability Disclosure (DIVD) implicated in a case of data theft and extortion has just found its judicial conclusion. As reported by Bleeping computer, Pepijn Van der Stap, a former Dutch cybersecurity professional, has just been sentenced to four years in prison, one of which was suspended – the prosecution had requested six years.
The Amsterdam court also ordered this 21-year-old to pay around 300,000 euros in fines and compensation to the victims. The judges estimated that he had laundered the equivalent of 1.5 million euros in cryptocurrency.
Arrested in January
Arrested in January 2023, Pepijn Van der Stap was prosecuted for a series of hacks and ransomware attacks – Tortilla ransomware is mentioned by the prosecution – carried out between winter 2020 and January 2023 against Dutch and British organizations.
Last spring, his indictment caused a stir. He was in fact active at DIVD, a non-governmental organization of security researchers dedicated to reporting computer vulnerabilities.
According to the public prosecutor, the young Dutchman had started offering databases for sale on RaidForums in January 2021, under various pseudonyms (Lizardom, Umbreon or even Espeon, for example). Or ultimately data concerning millions of people, noted the court.
Millions of data
The police also found phishing templates, lists of username and password pairs, as well as ransom demand text templates on his computer.
In a recent interview with the Databreaches site, the young Dutchman recounted his criminal journey. “I wasn’t really motivated by money,” adding that I did not systematically disclose the data of victims who had not paid a ransom, preferring to “move on” rather than sell them.
The young man also said he wanted to put an end to his criminal activities in the year preceding his arrest. And to specify that he was proud of his voluntary activities at the DIVD and of having been relieved to no longer have “to live a double life”.