Pierluigi Paganini February 27, 2023

The Dutch police arrested three individuals as a result of an investigation into computer trespass, data theft, extortion, extortion, and money laundering.

The Dutch police announced the arrest of three men as the result of an extensive investigation into computer trespass, data theft, extortion, extortion, and money laundering

The suspects were arrested by the Amsterdam police arrested on January 23, 2023.

A prime suspect is a 21-year-old man from Zandvoort, the other two men arrested are a 21-year-old man from Rotterdam and an 18-year-old man of no fixed abode. 

The Dutch police started the investigation in March 2021 following a complaint of data theft and threats from a large Dutch company. The investigation revealed that probably thousands of national and international small and large organizations were hacked by the suspects that also attempted to extort money from the victims. It has been estimated that crooks have stolen the sensitive data of millions of individuals.

“During the course of the investigation, it has become clear that probably thousands of small and large companies and institutions, both national and international, have fallen victim to computer intrusion (hacking) in recent years and subsequently theft and handling of data. Tens of millions of privacy-sensitive personal data have fallen into the hands of criminals as a result of this theft and trade.” reads the press release published by the Dutch Police.

Compromised data include names, addresses, telephone numbers, dates of birth, bank account numbers, credit cards, passwords, license plates, citizen service numbers or passport data. 

The huge trove of data stolen by cybercriminals can be used by threat actors to conduct a broad range of illegal activities, from identity theft to financial scams.

The group demanded a Bitcoin payment from the affected companies and threatened to publish the stolen information online or destroy their infrastructure. The ransom demanded from the victims ranged between €100,000 and €700,000. The bad news is that the gang ended up selling the stolen data despite the victims have paid the ransom.

“The impact for the affected companies is enormous. This not only concerns financial damage, but also damage to the image and all the extra efforts to restore systems. Even companies that have their security in order can be affected by these types of facts.” concludes the report. “On top of that there are the consequences for the people at these companies on a personal level. They feel responsible for something that often happened through no fault of their own.” 

The worst aspect of this story is that one of the three men reportedly works as an “ethical hacker” for Dutch security organization DIVD, or Dutch Institute for Vulnerability Disclosure. The Dutch Institute for Vulnerability Disclosure (DIVD) foundation is a foundation established in 2019 with the aim of making the digital world safer by conducting research into vulnerabilities in information systems, reporting vulnerabilities found to those involved and offering assistance in resolving them.

“One of the men arrested had access to all kinds of sensitive information because he worked on confidential cybercrime investigations as a DIVD researcher, according to Dutch public broadcasting company NOS.” reported The Register. “You don’t just get access to information at DIVD, so he played it very cleverly,” the anonymous source told NOS. “You only get access to information if you really cooperate with an investigation.”

“A DIVD spokesperson told the broadcaster that the organization had “no indications” the suspect had abused his access to personal data. “We are just as shocked as everyone else,” a DIVD spokesperson said.”

At the end of November 2022, the Amsterdam police arrested a 25-year-old man from Almere who is suspected of having stolen or traded the personal data of tens of millions of people around the world.

The investigation into the activity of the man was launched by the Austrian Federal Criminal Investigation Service which spotted the man offering a dataset on a cybercrime forum in May 2020.

The man was offering a dataset containing millions of addresses and personal data from the Geburen Info Service GmbH (GIS), which maintains an archive of broadcasting reception equipment (TV, radio etc.) in the country and collects the viewing and listening fees from the citizens.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, cybercrime)