Two U.S. Men Charged in 2022 Hacking of DEA Portal – Krebs on Security

Two US men have been charged with hacking a US Drug Enforcement Agency (DEA) online portal that taps into 16 different federal law enforcement databases. Both are suspected of being part of a larger criminal organization that specializes in using fake emergency data requests from compromised police and government email accounts to publicly threaten and extort their victims.

Prosecutors for the Eastern District of New York today opened criminal complaints against Sagar Steven Singh, also known as “cry,” a 19-year-old from Pawtucket, Rhode Island; and Nicholas Ceraolo, 25, of Queens, NY, who also allegedly went by the handles “Prisoner” and “Ominous.”

The Justice Department said Singh and Ceraolo belonged to a group of cybercriminals known to its members as “ViLE,” which specializes in obtaining personal information about third-party victims, which they then use to harass, threaten or extort victims, a practice known as “doxing.”

“ViLE cooperated, and members regularly shared tactics and illegally obtained information with each other,” prosecutors charged.

The government alleges that the defendants and other members of ViLE used a variety of methods to obtain victims’ personal information, including:

- misleading customer service employees;
- submitting fraudulent legal process to social media companies to obtain users’ registration information;
- co-opting and corrupting corporate insiders;
- searching public and private online databases;
- accessing a non-public United States government database without authorization;
- illegal use of official email accounts belonging to other countries.

The complaint says that once they had obtained a victim’s information, Singh and Ceraolo would post it in an online forum. The government refers to this community only as “Forum-1,” stating that it was overseen by the head of ViLE (referred to in the complaint as “CC-1”).

“Victims were tricked into paying CC-1 to have their information removed from Forum-1,” prosecutors said. “Singh also uses the threat of revealing personal information to extort victims into giving him access to their social media accounts, which Singh then resells.”

Sources tell KrebsOnSecurity that in addition to being members of ViLE, Weep and Ominous are or were staff members for Doxbin, a highly toxic online community that provides a forum for digging up people’s personal information and posting it publicly. This is supported by the Doxbin administrator’s claimed responsibility for a high-profile intrusion into the DEA’s law enforcement data-sharing portal last year.

A screenshot of alleged access to the Drug Enforcement Agency’s intelligence-sharing portal, shared by “KT,” the current administrator of the doxing and harassment community Doxbin.

The government alleged that on May 7, 2022, Singh used stolen credentials to log into a US federal government portal without authorization. The complaint did not specify which agency portal was hacked, but it said the portal included access to law enforcement databases that track narcotics seizures in the United States.

On May 12, 2022, KrebsOnSecurity reported that hackers gained access to a DEA portal that tapped into 16 different federal law enforcement databases. As reported at the time, the inside scoop on how that hack went down came from KT, the current administrator of Doxbin and the individual identified in the government’s complaint as “CC-1.”

In fact, a screenshot of the ViLE group’s website includes the group’s official roster, listing KT at the top, followed by Weep and Ominous.

A screenshot of the website for the cybercriminal group “ViLE.” Photo: USDOJ.

In March 2022, KrebsOnSecurity warned that many cybercrime groups were succeeding with fraudulent Emergency Data Requests (EDRs), in which hackers use compromised police and government email accounts to file warrantless data requests with social media companies and mobile telephony providers, attesting that the information requested cannot wait for a warrant because it relates to an urgent matter of life and death.

That story showed that the former owner of Doxbin was also part of a teenage hacking group that specialized in offering fake EDRs as a service on the dark web.

Prosecutors say they tied Singh to the government portal hack because he connected to it from an Internet address he previously used to access a social media account registered in his name. When they raided Singh’s residence on September 8, 2022 and seized his devices, Homeland Security investigators found a cellular phone and laptop that allegedly “contained extensive evidence of Portal access.”

The complaint alleges that between February 2022 and May 2022, Ceraolo used an official email account belonging to a Bangladeshi police officer to impersonate a police officer in communications with social media platforms based in the US.

“In these communications, Ceraolo requested personal information about the users of these platforms, under the false pretense that the users were committing crimes or were in life-threatening danger,” the complaint said.

For example, on or about March 13, 2022, Ceraolo allegedly used a Bangladeshi police email account to falsely state that an EDR target had sent bomb threats, distributed child pornography and threatened Bangladeshi government officials.

On or about May 9, 2022, the government said, Singh sent a friend screenshots of text messages between him and someone he had doxed on Doxbin and was trying to extort money for their Instagram handle. The data includes the victim’s Social Security number, driver’s license number, cellphone number, and home address.

“Any resemblance?” Singh allegedly wrote to the victim. “You’re gonna comply to me if you don’t want anything bad to happen to your parents. . . I have every detail of your parents. . . which allows me to do whatever I wish to them in a malicious way.”

None of the defendants could immediately be reached for comment. KT, Doxbin’s current administrator, declined a request for comment on the charges.

Ceraolo is a self-described security researcher who has been credited in many news stories over the years with discovering security vulnerabilities in AT&T, T-Mobile, Comcast and Cox Communications.

Ceraolo’s stated partner in most of these discoveries — a 30-year-old Connecticut man named Ryan “Phobia” Stevenson — was charged in 2019 with being part of a group that stole millions of dollars worth of cryptocurrencies through SIM replacement, a crime that involves tricking a mobile provider into routing a target’s calls and text messages to another device.

In 2018, KrebsOnSecurity detailed how Stevenson earned bug bounty rewards and public recognition from leading telecom companies for finding and reporting security holes on their websites, all the while secretly peddling the same vulnerabilities to cybercriminals.

According to the Justice Department, if convicted Ceraolo faces up to 20 years in prison for conspiracy to commit wire fraud. Both Ceraolo and Singh face five years in prison for conspiracy to commit computer intrusions.

A copy of the complaint against Ceraolo and Singh is here (PDF).