This article was originally published on VICE Australia.
It was their ticket to life in the fast lane. A team of Indonesian hackers allegedly broke into the popular online ticketing site Tiket.com, stealing some Rp 4.1 billion ($308,000 USD) worth of airline tickets for the low-cost carrier Citilink. The mostly teenage hackers then sold the stolen tickets on Facebook, using the funds to buy expensive motorcycles, the group's self-confessed leader told reporters at a press conference on Tuesday.
"I bought a Ducati and went on a shopping spree," Haikal, 19, told local media. "I didn't invest the money in anything."
Haikal led a group of hackers known as "Gangtengers Crew"—a play on the word "ganteng" or "handsome"—and was admittedly behind more than 4,000 websites in Indonesian and abroad. The 19-year-old, who only completed middle school, reportedly taught himself how to exploit the kind of weak security measures found on sites like Tiket.com.
"He is quite sophisticated and the website was also not that hard to hack," Adj. Comr. Idam Wasiadi, of the National Police's Criminal Investigation Department's (Bareskrim) cyber crime division, told local media.
Haikal's crew consisted of likeminded young men, police said. Two of those arrested had just finished high school, another was a college dropout who spent al day playing video games, National Police Spokesman Brig. Gen. Rikwanto told CNN Indonesia. Together, they successfully hacked the websites of the National Police and the ride hailing app GO-JEK.
"He's hacked around 4,600 sites, but not all of them for profit," Rikwanto said. "He'd hack them and show it to his friends, as a way to show off."
The hack itself was actually quite simple. Haikal and his crew broke into the company's website and located the airline tickets reserved for travel agents. Travel agencies typically pay for the tickets in advance and then sell them to their customers. The hackers then allegedly stole the booking numbers and resold them on Facebook.
Tiket.com's parent company Global Network noticed the suspicious activity and reported it to the police. They hackers were caught a short time later.
The four members of "Gangtengers Crew" face up to 12 years in prison under Indonesia's Electronic Information and Transactions Law (ITE). Only Haikal was named by the National Police. The other three alleged hackers remained anonymous.
Haikal pocketed Rp 600 million ($45,000 USD) in the heist. The other three took home about the same amount.
Citilink, a subsidiary of the state-owned carrier Garuda Indonesia, said that none of its customers private data was compromised in the hack. Tiket.com was able to recover Rp 1.9 billion ($142,546 USD) of the stolen funds.