Two men, one of whom previously presented themselves as an independent security researcher to Motherboard, allegedly went on a wide-spanning hacking spree that included breaking into a federal U.S. law enforcement database; using a compromised Bangladeshi police officer’s email to fraudulently request user data from a social media company; and even trying to buy services from a facial recognition company which doesn’t sell products to the wider public.
The news highlights hackers' continued interest in accessing novel sources of personal information, and the extreme risk posed when hackers compromise those databases or accounts.
“I can request information on anyone in the US doesn’t matter who, nobody is safe,” one of the hackers allegedly wrote to a contact.
Do you know anything else about this case? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, or email firstname.lastname@example.org.
Sagar Steven Singh, 19, was arrested in Rhode Island on Tuesday; Nicholas Ceraolo, 25, remains at large with his location listed as Queens, New York, a press release from the United States Attorney’s Office for the Eastern District of New York says. “Singh and Ceraolo unlawfully used a police officer’s stolen password to access a restricted database maintained by a federal law enforcement agency that contains (among other data) detailed, nonpublic records of narcotics and currency seizures, as well as law enforcement intelligence reports,” it states.
Ceraolo previously provided Motherboard with details on the underground SIM swapping community, where hackers hijack phone numbers to steal victims’ cryptocurrency or their valuable social media handles. One 2020 article focused on how SIM swappers phished telecom company employees to access internal tools; another showed that SIM swappers had escalated from bribing employees to using remote desktop software to gain direct access to T-Mobile, AT&T, and Sprint tools.
Ceraolo was also a member of a hacking group called “ViLE,” according to the prosecutors’ press release. In a screenshot included in the release, ViLE’s website included an illustration of a hanging girl. At the time of writing, the website is protected by a login screen in the style of an early Windows computer. ViLE’s members sought out people’s personal information, such as physical addresses, telephone numbers, and Social Security Numbers, and then doxed these people, the release adds. Victims could then pay to have their information removed from ViLE’s website, the release reads.
That pursuit of personal information is what allegedly drew Singh and Ceraolo to break into various law enforcement accounts. In one case, the pair allegedly used a police officer’s credentials to access a web portal maintained by a U.S. federal law enforcement agency.
At one point, Singh wrote to a contact “that portal had some fucking potent tools,” according to the press release. Five search tools were accessible through the portal, the release reads.
Nearly immediately, Singh used this new access to gain information about and then extort specific people, the feds allege. “You’re gonna comply to me if you don’t want anything negative to happen to your parents,” he allegedly wrote to one victim. The victim then sold their Instagram accounts and provided the money to Singh, according to the release.
Beyond access to the U.S. federal law enforcement database, Ceraolo allegedly accessed the official email address of a Bangladeshi police official between February 2022 and May 2022. With that email account, he then allegedly posed as the officer and requested information about a specific person from an unnamed social media platform. Posing as officials and requesting data from social networks has become a powerful service in the underground hacking community, with scammers sometimes creating fake legal demands. In another case involving an online gaming platform, Ceraolo’s attempts at fraud failed, according to the release.
Ceraolo also allegedly used the compromised Bangladeshi email account “to attempt to purchase a license from a facial recognition company whose services are not available to the general public.” Clearview AI, a tool that is popular among law enforcement for facial recognition services, did not immediately respond to Motherboard’s request for comment.