An Alberta-based online weed dispensary was hacked by someone who threatened to reveal customers’ identities if he wasn't paid $1,000 in Bitcoin.
JJ Meds sells cannabis by mail to anyone aged 19 and older via its website. One of the dispensary’s owners, Jay, told VICE the company received an email from firstname.lastname@example.org at around 10 AM on March 4 that said “I've found a critical security issue with your site (jjmeds.com) that allows a user to remotely keep the webpage offline. This is a very serious issue that will definitely impact your sales if someone decides to exploit it.” The email asked for a response. When he didn't immediately receive one, the hacker followed up with another email that said JJ Meds customers’ IDs would be revealed if he wasn't paid $1,000 in Bitcoin within 48 hours.
The email, which VICE has viewed, had the subject line “Critical Security Issue - READ NOW JJMEDS!”
It said, “I have obtained access to every image every image every uploaded to jjmeds.com. We are demanding $1,000 worth of Bitcoin within 48 hours or else we will be releasing all of your customers identification to Reddit/most of the internet, including the RCMP.”
The email provided links to screenshots of customer IDs the hacker had obtained.
“You have been violating your customers trust for a very long time by not deleting these,” it said.
“I advise that you make the payment otherwise your customers will never trust you again. Think about your future and make the right decision. I expect to hear back from you very soon.”
But before the 48 hours was up, the hacker created a Reddit thread that said JJMEDS IS SELLING YOUR ID ON DARKNET MARKETS, with links to screenshots of 10-20 customer IDs, and posted in a chat group on Discord, a chat app used by gamers.
“This person claimed he had worked for us and that we owe him $5,000 and if he didn’t get that $5,000, he would leak all that information,” Jay told VICE. The person claimed he was 16 years old.
Jay, who doesn't want his last name used because he operates an illegal dispensary, said that’s a “blatant lie” and that everyone who started working at JJ Meds a year ago is still with the company. He said no minors have ever worked for the company. Even if he had wanted to pay the bounty, he told VICE, “I don’t even know how bitcoins work.”
He said JJ Meds immediately shut down its website and permanently removed all photos of IDs. They also hired a security expert to remove malware from the site and are working on moving the site to a more secure server. According to the expert, there were malicious codes injected into the site, allowing for plug-ins to be hacked and securely locked directories to be accessed.
“There is no proof that all the IDs are offline or that there are any zipped files out there,” Jay wrote in a message to customers.
He believes the person or people who did this have personal reasons.
“For $1,000, something doesn’t add up here. It sounds like somebody who was very angry at us,” he said.
Jay said JJ Meds requires proof of IDs as protection against scammers who may try to place orders and then dispute those orders to get a refund and because of the legal consequences of selling weed to minors. Under Canada’s proposed regulations for legal cannabis, people who sell to minors could go to jail for up to 14 years.
“IDs are a form of proof that we reasonable took action to prevent sales to minors. We do not have an offsite copy of any IDs, on our computers or on the cloud,” Jay said.
He told VICE he’s the last few days have been “really tough.”
“I still haven’t been able to sleep properly,” he said. He noted that the company isn’t making tons of money, the way some dispensaries are, in part because their prices are low—they sell ounces of weed for $99 which is far below the standard range which is usually a minimum of $150. He said they’d be lucky to crack $100,000 a year in profit, and that’s split between three owners and staff.
“We don’t know if we can continue on operating in this manner because suddenly our eyes have been opened in a very difficult way.”
Follow Manisha Krishnan on Twitter.