At the trial of the two hackers prosecuted for sextortion


Early February 2019. Particularly threatening messages land in French Internet users' inboxes. “You are probably wondering why you are receiving this email. I am a hacker who hacked your device a few months ago. I have set up a virus on the adult (porn) site and guess what, you visited this site for fun (you know what I mean).”

In a long message, the hacker then claimed to have recorded a split-screen video: on one side the victim's screen while the pornographic site was being viewed, on the other the webcam feed. A video that one imagines to be compromising, and that would be sent to loved ones, family and colleagues unless a ransom of a few hundred euros was paid.

In 2019, millions of French people received messages of this kind, a style of scam then very much in fashion. As Libération reports, some of them may have been the work of two young Frenchmen, Augustin I. and Jordan R., prosecuted this week before the Paris criminal court for extortion, attempted extortion, access to and remaining in an automated data processing system, as well as laundering.

A bluff

In reality, these threats were a bluff. Videos did exist, but the hackers did not exploit them. Most of the time, the targeted device had not been hacked either. Yet out of the ten million email addresses targeted, about 600 Internet users are said to have fallen for the trick, according to a statement by one of the two hackers.

That is a significant number of victims, enough to have fraudulently amassed up to the equivalent of about 400,000 euros in bitcoin over the first six months of 2019, the period covered by the prosecution. After the fact, by examining the transactions on the cryptocurrency wallets, the investigators estimated that the crypto-porn scam, carried out by several groups of cybercriminals, had extracted the equivalent of 1.3 million euros.

Aged 25, Augustin I. and Jordan R. have a lot at stake in court. The first, a tall, thin man with a passing resemblance to François Fillon, wants to resume studies in computer science. The second will soon be a father; after obtaining a certification in web development, he held two positions before landing a well-paid job at a company in the video game sector. “I have somewhat fulfilled my childhood dream,” he assures.

Homemade malware

According to the prosecution, the two suspects, then barely 20 years old, had developed a well-honed technique to deceive their victims. First, a piece of homemade malware, Varenyky, developed by Augustin I., had allowed them to build up a network of zombie machines. The targets had been deceived by phishing messages announcing an invoice or a package. This malware, coded in C++, was a variant of Tinynuke, the young man's first creation.

The botnet of 1300 machines, managed by Jordan R., was then used to send mass ransom demands, first directed to addresses . This operator was particularly targeted because one of the defendants had identified a way to bypass the anti-spam filter, and because the hackers had decided to attack only French Internet users, for fear of American justice.

The Varenyky malware also had a webcam activation feature, which was tested for several days. It was triggered after detecting keywords in the victim. But given the excessive number of false positives and the impossibility of linking each video to its victim, the hackers maintained that they had not tried to exploit the feature.

Money trail

To trace the two men, the investigators first followed the money trail. Looking into the bitcoin addresses included in the ransom demand messages, they discovered that one of the wallets had already been shared on a GitHub page by a developer calling for donations. This was Jordan R.

Following this thread, the police then looked into his bank account. They noticed an outgoing transfer to the account of Augustin I., a young man already targeted by another cybercrime investigation, concerning offences against a French bank. It then remained to arrest the suspects, who were living in Ukraine and had been the subject of a search warrant since April 2019.

Jordan R. was the first to be arrested, at Roissy airport, on his return to France at the beginning of September 2019. A few months later it was Augustin I.'s turn: he presented himself at the police station of the 15th arrondissement of Paris, but not before throwing his computer into the Vistula, in Poland. Four days of hearings are scheduled for this trial.
