Suspected CapitalOne hacker, Paige Thompson, was indicted by a federal grand jury on Aug 28, 2019, on numerous computer crime charges. The charges included stealing data from at least 30 organizations and using hacked servers to mine cryptocurrency.
Thompson, a 33-year-old software engineer in Seattle, was arrested last month on suspicion of retrieving as many as 100 million CapitalOne credit card applications after illegally taking advantage of a misconfigured Amazon server.
The indictment unsealed on Wednesday revealed the full scale of the government’s allegations against Thompson. Court documents filed by the U.S. Attorney’s Office in Seattle also revealed that the investigators found ‘multiple terabytes of data’. That data was allegedly stolen from more than 30 organizations between March and July.
She supposedly obtained company computer login details stolen from open Amazon servers, then abused her control over those computers both to steal data and to use their processing power to mine cryptocurrency. This kind of illegal mining is usually referred to as cryptojacking.
The indictment states:
“The evidence recovered from Thompson’s residence suggests that Thompson intruded into servers operated, rented, or contracted by over 30 companies, educational institutions, and other entities.”
CapitalOne Noticed After She Bragged on GitHub
The Department of Justice says Thompson’s arrest came after she allegedly boasted on the code-sharing site GitHub that she’d stolen CapitalOne data. On July 17, an anonymous GitHub user notified CapitalOne that it might have suffered a data breach.
CapitalOne publicized the data breach on July 29. In addition to the compromised PII from credit card applications, including phone numbers, email and home addresses, full names, and dates of birth, the company said that 140,000 Social Security numbers and 80,000 linked bank accounts, among other data, were also exposed.
The Scale of the Operations
The federal grand jury indictment charges Thompson with one count each of wire fraud and computer crime and abuse.
It is now apparent she used her access to at least three victims’ cloud computing servers to illegally mine cryptocurrency.
The other victim organizations have not been named yet. However, the indictment describes some of the victims, referring to a state agency and a public research university located in states other than Washington.
There is also a mention of a telecommunications conglomerate located outside the US that provides services predominantly to customers in Europe, Asia, Africa, and Oceania.
The charges in the indictment carry penalties of up to 25 years in prison. The 33-year-old software engineer is due to be arraigned on the indictment on Sept. 5, 2019.