An at large hacker who allegedly accessed a U.S. federal law enforcement database that gave him and his co-conspirator access to information “on anyone in the U.S.” has been arrested in Florida and released on bail, according to court records reviewed by Motherboard. The U.S. Attorney's Office told Motherboard that the suspect surrendered himself.
Nicholas Ceraolo, 25, is from Queens, New York, but made his first appearance in a courtroom in the Middle District of Florida, Tampa, on Wednesday, 02:12pm with his counsel, according to the records.
Do you know anything else about this case? Do you know which U.S. federal law enforcement tool was breached? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, or email email@example.com.
Ceraolo and co-conspirator Sagar Steven Singh, 19, are charged with conspiracy to commit computer intrusions which carries a potential five years imprisonment. On top of that, Ceraolo faces 20 years in prison for conspiracy to commit wire fraud.
“I can request information on anyone in the US doesn’t matter who, nobody is safe,” Singh wrote in one message included in a press release from the United States Attorney’s Office for the Eastern District of New York. As well as breaking into the federal U.S. law enforcement database, the release describes the pair using a compromised Bangladeshi police officer’s email to fraudulently request data from a social media company, and using it try to buy services from a facial recognition company which does not sell products to the general public. The hackers allegedly used gathered information to then extort and dox specific people.
The Florida court records also provide some new details on the case against the two alleged hackers. According to a criminal complaint written by a Department of Homeland Security Special Agent, authorities conducted search warrants against Singh’s and Ceraolo’s homes in September and May, respectively. There, authorities seized laptops and mobile phones that included many of the incriminating messages used in the complaint behind these charges. On Singh’s phone, authorities found screenshots of the U.S. federal law enforcement portal. On Ceraolo’s, they found evidence of a wish to hack into a social media company that runs a popular online game.
Singh sent others a previously downloaded guide to using the federal law enforcement portal, a PowerPoint presentation that described the purpose and some of the capabilities of the portal, and a related phone number and email address, according to the complaint.
Singh said he could “get any of that [information] just by calling this number or emailing them to request for information,” the complaint says.
John Marzulli, public information officer at the U.S. Attorney's Office, told Motherboard in an email that "Ceraolo surrendered in Florida and was released on a bond." Ceraolo will be arraigned in Brooklyn Federal Court on March 23 at 2pm, he added.
The court records say Ceraolo has been set a bond of $10,000 with his travel restricted to the Middle District of Florida and the Eastern District of New York. Ceraolo’s federal public defender did not immediately respond to a request for comment. Neither did the Department of Justice prosecutor assigned to the case.
Update: This piece has been updated to include more information from the U.S. Attorney’s Office.
Subscribe to our cybersecurity podcast, CYBER. Subscribe to our new Twitch channel.