A 29-year-old cybercriminal assumed the guise of a prominent California video-game developer and eSports tournament organizer to throw authorities off his cryptomining track, according to an indictment unsealed on Wednesday.
Matthew Ho, a citizen of Singapore, allegedly used the developer’s stolen identity and credit-card information to open multiple cloud accounts at Amazon Web Services, and then proceeded to use the computing resources to mine cryptocurrency, including Bitcoin and Ethereum.
Because the California developer is a large existing AWS customer, Ho was allegedly able to appropriate that legitimacy, according to the indictment. The indictment also claims that he registered a phony domain meant to spoof a second company recently acquired by the developer’s organization, and set up a fictitious persona named Daniel Piers in order to communicate with AWS.
As a result, he “created a web of phony email accounts and used social-engineering techniques to trick cloud-computing providers to approve heightened account privileges, increased computer processing power and storage, and deferred billing [he consumed more than $5 million in unpaid cloud computing].”
At one point, Ho’s cloud reach was so large, he allegedly became AWS’ largest consumer of data services for a certain period, according to the indictment.
Meanwhile, the indictment claims that Ho also set up accounts on several cryptocurrency exchanges in order to convert the virtual currency into cash, marketing his exchange services via a Facebook account and other social-media presences. One Facebook message from December 2017 for instance read, “ETH/BTC levels are at an all-time low since March when ETH cost around $36…what’s your move?”
In the months his campaign was active (roughly Oct. 2017 to Feb. 2018), Ho also allegedly used the identities of a Texas resident and the founder of a tech company in India, and, in addition to AWS, opened cloud services accounts with Google Cloud Services.
Ho was arrested on Sept. 26 in Singapore and he will be extradited to be tried in the Western District of Washington State. The indictment features 14 counts of wrongdoing including accusations of wire fraud (punishable by up to 20 years in prison); access device fraud (punishable by up to 10 years in prison); and aggravated identity theft (punishable by a mandatory two years in prison to run consecutive to any other sentence imposed in the case).
This fraudulent approach is in many ways more efficient for cybercriminals than other malicious mining tactics, which typically involve installing cryptomining malware on unsuspecting victims’ machines. The issue with the malware approach is the sheer volume of infected machines needed to harvest enough cryptocurrency to make the malware development and campaign effort worthwhile, given the CPU-intensive nature of the mining process. The value of Bitcoin plummeted after hitting record highs at the end of 2017 ($20,000 per BTC), trading at $4,000 at the beginning of 2019. The value has been volatile since then, though as of this writing Bitcoin’s value is on the rise.