At the peak of his cybercriminal “career”, the hacker known as “Hieupc” made about $125,000 a month through a service that sold detailed personal information, which Hieupc obtained from some of the world's leading data brokers. That continued until his greed led him into an elaborate trap set by the US Secret Service. Now, after more than 7 years in prison, Hieupc has been returned to his hometown, and he hopes to persuade others to use their computer skills for good.
For several years starting around 2010, Ngo Minh Hieu single-handedly ran one of the most popular and profitable services on the Internet for selling “fullz”: stolen identity data sets that include a customer’s name, date of birth, social security number (SSN), email address and physical address.
Ngo Minh Hieu acquired this “treasure” of customer data by hacking and social-engineering his way into a string of leading data brokers. Before he was arrested by the US Secret Service in 2013, he made more than $3 million just by selling data to identity thieves and organized crime rings across the United States.
Matt O’Neill is the US Secret Service agent who devised the ruse that lured Hieupc out of Vietnam to the island of Guam in February 2013. There, the young hacker was immediately arrested, escorted back to the US and prosecuted. Mr. O’Neill currently heads the Global Investigative Operations Center (GIOC), a Secret Service unit whose mission is to assist investigations into transnational organized crime groups.
O’Neill said he became interested in Hieupc’s identity data business and opened an investigation after reading the article “How Much is Your Identity Worth?” by Brian Krebs, which mentions one of Hieu's websites. According to Mr. O’Neill, the strangest thing about Hieupc is that his name is almost unknown in the “pantheon” of convicted cybercriminals, most of whom trafficked in stolen credit card information. The information that Hieupc sold enabled many other cybercriminals to commit new-account credit fraud with an estimated value of up to $1 billion, damaging the credit histories of countless Americans in the process.
Speaking to KrebsOnSecurity, Mr. O’Neill said: “I do not know a cybercriminal that has caused real financial harm to more Americans than Hieu. He has sold the personal information of more than 200 million Americans and allowed anyone to buy it for just a few pennies a set.”
Recently released from the US prison system and deported back to Vietnam, Ngo Minh Hieu is currently completing a mandatory quarantine because of the Covid-19 pandemic. From the quarantine facility, Hieu contacted KrebsOnSecurity to tell his little-known story and to warn others not to follow in his footsteps.
Ten years ago, the 19-year-old hacker Hieupc was a regular on Vietnamese hacking forums. Hieu said he comes from a middle-class family that owned an electronics store. His parents bought him a computer when he was about 12 years old, and it immediately captured his attention.
In his late teens, Hieu went to New Zealand to learn English. During this time he was an administrator of several hacker forums on the dark web, and while studying there he discovered a vulnerability in the school's system that exposed payment card information. As Hieu recalled: “I contacted the IT technician there to fix it, but no one cared so I hacked the whole system. I then used the same vulnerability to hack other websites. I took a lot of credit cards.”
Hieu said that he decided to use the stolen card data to buy event and concert tickets from Ticketmaster and then resell them on a New Zealand auction site called TradeMe. The university later discovered the intrusion and Hieu’s role in it, and the Auckland police began to investigate. Hieu’s tourist visa was not renewed when the first semester ended, and in retaliation he attacked the school’s website, taking it down for at least 2 days.
According to Hieu, he then resumed his studies in Vietnam, but soon realized he was spending most of his time on cybercrime forums. Hieu said: “I moved from hacking for fun to hacking to make money when I found it so easy to make money by stealing customer data. When I was talking to a few acquaintances on underground forums, we talked about devising a new crime plan.”
“My friends say it’s dangerous to make credit cards and bank account information, so I started thinking about selling identity sets,” Hieu continued. “At first I just thought that it was just information, maybe not too bad because it has nothing to do with the bank account directly. But I was wrong, and the money I started quickly earning was blinding me on so many issues.”
MicroBilt: A big target early in his career
Hieu’s first big target was a consumer credit reporting company in New Jersey called MicroBilt. Hieu said: “I hacked into their platform and stole customer databases; from there I was able to log in as their customer and access the databases of consumers. I have been in their systems for almost a year without them knowing.”
Shortly after gaining access to MicroBilt’s system, according to Hieu, he built Superget.info, a website that advertised the sale of personal consumer records. According to Hieu, the system was initially quite manual: buyers had to request the specific states or sets of information they needed, and he would then run the searches by hand.
Hieu’s website superget.info while in operation.
Hieu recalled: “I tried to have more records at the same time, but my internet speed in Vietnam was very slow back then. I can’t download everything because the database is too huge. So I just manually searched for anyone who needed to buy an identity.”
But he soon figured out how to use more powerful servers in the US to automate the collection of larger amounts of consumer information from MicroBilt’s system, as well as from other data companies. A 2011 KrebsOnSecurity article about Hieu’s website noted:
“Superget allows its users to find specific individuals by name, city and state. Each “credit” on the site costs $1, and a successful search for someone’s social security number (SSN) or date of birth costs 3 credit points. The more credits you buy, the cheaper the search will cost: 6 credits cost $4.99; 35 credits cost $20.99; and $100.99 will earn you 230 credits. Customers with special needs can use the “agent” package, which costs $500.99 for 1,500 credits and $1000.99 for 3,500 credits.”
“Our databases are updated DAILY,” the website's owner advertised. “About 99%, almost 100% Americans can be found, more than any other website on the internet right now.”
Hieu’s intrusion into MicroBilt’s system was eventually discovered, and the company immediately kicked him out of its systems. But according to the hacker, he then got back in through another vulnerability. “I hacked into their system and the situation got messy for months,” Hieu said. “They can discover (my accounts) and fix it, but I’ll find a new vulnerability again and hack them again.”
Court Ventures and Experian
That cat-and-mouse game continued until Hieu found a more stable and reliable source of consumer data: an American company called Court Ventures, which compiled records from court documents. Hieu was not interested in that kind of data; what caught his attention was Court Ventures' data-sharing agreement with the data broker U.S. Info Search, which had access to even more sensitive consumer records.
Using fake documents and smooth talk, Hieu was able to convince Court Ventures that he was a private investigator living in America. He said: “At first, when I registered they asked for some documents to verify. So I simply used some social engineering skills and passed the security test smoothly.” Then, in March 2012, something even more “amazing” happened: Court Ventures was acquired by Experian, one of the three largest consumer credit institutions in America. For nine months after the acquisition, Hieu was able to maintain his access to the database. He says: “After that, the database was placed under Experian’s control. I paid Experian quite a bit of money, thousands of dollars per month.”
While it is impossible to know whether anyone at Experian ever looked closely at the accounts inherited from Court Ventures, it would probably not have been difficult to spot anomalous accounts like Hieu's. For one thing, he often paid his monthly bills for customer data requests via wire transfers from countless bank accounts around the world, mostly newly created accounts at financial institutions in China, Malaysia and Singapore.
Mr. O’Neill said that Hieu's identity-selling website generated tens of thousands of queries every month. As an example, the first bill Court Ventures sent him, in December 2010, was for 60,000 queries. By the time Experian acquired the company, Hieu’s service had attracted more than 1,400 regular customers, with an average of 160,000 queries per month.
More importantly, Hieu’s profit margin was very large. Mr. O’Neill said: “His service is plagued. Court Ventures’s side charges him 14 cents per search, but he charges the client about $1 per query.”
By that time, Mr. O’Neill and his colleagues at the Secret Service had obtained dozens of subpoenas related to Hieu’s identity theft service, including one that gave them access to the email account he used to communicate with his customers and with webmasters. Agents then discovered several emails Hieu had sent to an accomplice, including instructions on how to pay Experian via wire transfer from various Asian banks.
Working with the Secret Service, Experian quickly shut down Hieu’s accounts. Seeing an opportunity, the agents contacted Hieu through a middleman in the UK, a well-known convicted cybercriminal who had agreed to take direction from the agency. This person told Hieu that he himself had cut off Hieu’s access to Experian, because he ran the same kind of service and Hieu’s business was hurting his own.
Mr. O’Neill recalled: “The guy in England said to Hieu, ‘Hey, you are stepping on my lawn, so I decided to lock you out. But if you pay me a percentage, you won’t lose access anymore.’” The cybercriminal in Britain, acting at the behest of the US Secret Service and British authorities, told Hieu that if he wanted to keep his access, he had to agree to meet in person. But Hieu was cautious enough not to agree right away.
Instead, he tried to get into another huge database. Using the same method he had used with Court Ventures, Hieu had already obtained a working account at a company called TLO, another data brokerage firm, which sells access to particularly sensitive and detailed information about most Americans.
TLO's services are usually provided to law enforcement agencies in the US and to a limited number of vetted professionals who can demonstrate a legitimate reason to access such information. TLO was acquired by TransUnion, one of America’s three largest consumer credit reporting organizations, in 2014.
Before long, Hieu used his TLO access to once again build a service selling identity information, this time under the name usearching.info. This website also drew on customer information from a payday loan company (a type of short-term lender) that Hieu had hacked. Hieu said that this source immediately provided him with about 1,000 complete fullz record sets every day.
Another Hieu website – usearching.info
The lure of money clouded Hieupc’s judgment
By that time, Hieu was already a millionaire: his self-operated websites and resale agreements with three Russian-language cybercrime shops had earned him more than $3 million. Hieu told his parents that his money came from helping companies develop websites, and he used some of it to pay off the family’s debts (the electronics store had gone bankrupt, and a family member had borrowed a substantial sum and never repaid it). But mostly, according to Hieu, he spent the money on frivolous things, although he said he did not spend it on alcohol or drugs. “I spend money on travel and cars and so many other stupid things,” Hieu said.
When TLO also cut off Hieu’s account, the Secret Service again seized the opportunity and had their British henchman try to draw Hieu into the trap. Mr. O’Neill said: “That guy told Hieu that it was he who blocked his account, and he can do it forever. So if he really wants to extend access to every place he has ever visited, he has to agree to meet up and establish a stronger partnership.”
After a few months of discussion, Hieu finally agreed to meet the Briton on the island of Guam to finalize the agreement. Hieu said that he understood at the time that Guam was a US territory, but he did not consider the possibility that the whole thing was an elaborate law enforcement trap. Hieu said: “I was too desperate to have a stable database, and I was blinded by greed, and then acted crazy without thinking. Many people told me ‘Don’t go!’, but I told them I had to try it to see what happens.”
But as soon as he stepped off the plane in Guam, Hieu was arrested by US agents. Mr. O’Neill joked: “One of his services that sold identities was findget.me (find get me – find me). We seriously did what he asked for.”