Singapore Man Charged in Large-Scale Cryptomining Scheme
Prosecutors Say Suspect Stole IDs and Cloud Resources to Mine Virtual Currencies
A Singapore man allegedly ran a large-scale, illegal cryptomining scheme that involved using stolen identities to access Amazon and Google cloud computing resources, according to a 14-count indictment unsealed by the U.S. Justice Department this week.
Ho Jun Jia, who also goes by the name Matthew Ho, faces charges of wire fraud, access device fraud and aggravated identity theft, according to the U.S. Attorney's Office for the Western District of Washington in Seattle, which is overseeing the case. If convicted on all counts, he faces up to 30 years in federal prison.
Ho was arrested by police in Singapore on Sept. 26 and remains in custody there. He is also being investigated for violation of Singapore laws, U.S. authorities say.
Running Up the Bill
Over the course of about six months, Ho allegedly ran up about $5 million worth of Amazon Web Services bills by stealing one person's identity and accessing the computing power for his cryptomining scheme, prosecutors say. At one point, the victim's company paid some of the bills before the fraud was uncovered, authorities say.
"Ho consumed more than $5 million in unpaid cloud computing services with his mining operation and, for a brief period, was one of Amazon Web Services' largest consumers of data usage by volume," prosecutors say.
In addition, he stole other identities to access other AWS accounts as well as Google Cloud Platform resources and services, prosecutors say.
Stealing IDs
In the indictment, prosecutors alleged that Ho stole the credentials of three individuals to help run his cryptomining scheme between October 2017 and February 2018.
The victims of identity theft include a California video game developer who’s also the founder of an "E-sports" tournament, a resident of Texas and the owner of a tech company in India, prosecutors say.
The indictment doesn't specify how Ho, along with several accomplices, first obtained the stolen identities. Once he allegedly had access to their credit card numbers, however, he began creating fake Gmail accounts that spoofed their actual accounts, as well as phony driver's licenses, prosecutors say.
Ho then allegedly began contacting AWS and Google to create accounts that would allow him to access various cloud services, prosecutors say. In addition, he used social-engineering techniques to request more services from these providers, defer payments and hide his activities, authorities say.
"Ho employed social engineering techniques to trick providers into approving heightened privileges and benefits, including elevated levels of cloud computing services and deferred billing accommodations, and to deflect inquiries from service providers regarding questionable data usage and mounting unpaid subscription balances," according to the indictment.
Using the victim's credit cards, Ho allegedly also opened up other AWS and Google accounts with fictitious names to tap into even more cloud resources, prosecutors say.
Illegal Cryptomining
Once Ho and others accessed the Amazon and Google cloud services, he allegedly started using that computing power to mine cryptocurrencies, including bitcoin and ethereum, according to the indictment. Much of this illegal cryptomining, prosecutors allege, was done at the height of the cryptocurrency market in 2017 and 2018, when bitcoin traded at over $19,000.
Ho allegedly advertised, exchanged and sold the cryptocurrency he obtained through this mining operation on various exchange platforms, according to the indictment. He also allegedly used social media, especially Facebook, to advertise and attract attention to his cryptocurrency reserves, prosecutors say.
Ho used the names "Prefinity" and "Ethereum Vendor" to sell the fraudulently generated cryptocurrency on peer-to-peer marketplaces such as LocalBitcoins and LocalEthereum, according to the indictment.
The indictment does not indicate how much money Ho and others allegedly collected from this scheme or why the cryptomining stopped in February 2018.
Cryptomining Shift
In a report released in April, researchers at IBM found that many cybercriminals have turned to new malware-based cryptojacking schemes to illegally mine for bitcoin and other virtual currencies.
In one example from September, researchers at security firm Guardicore found a resurgence in the cryptomining botnet called Smominru, which has been around since at least 2017 and has resurfaced this year with a new campaign that has infected 90,000 devices in the U.S., China and Russia (see: Cryptomining Botnet Smominru Returns With a Vengeance).