Was a hack of a U.S. retailer used to develop an ISIL hit list of American military members and government employees? According to a federal complaint unsealed today, it appears it was. From the Department of Justice:

Malaysian authorities have detained Kosovo citizen Ardit Ferizi in Malaysia on a U.S. provisional arrest warrant alleging that he provided material support to the Islamic State of Iraq and the Levant (ISIL), a designated foreign terrorist organization, and committed computer hacking and identity theft violations in conjunction with the theft and release of personally identifiable information (PII) of U.S. service members and federal employees. The criminal complaint was unsealed today. The United States is seeking his extradition to the U.S. Attorney’s Office of the Eastern District of Virginia to stand trial.

The charges were announced by Assistant Attorney General for National Security John P. Carlin, U.S. Attorney Dana J. Boente of the Eastern District of Virginia and Assistant Director in Charge Paul Abbate of the FBI’s Washington, D.C.’s Field Office.

As alleged in the criminal complaint, Ferizi, also known by his hacking moniker “Th3Dir3ctorY,” is believed to be the leader of a Kosovar internet hacking group called Kosova Hacker’s Security (KHS). Ferizi hacked into the computer system of a victim company located in the United States and stole the PII of thousands of individuals. He then provided the PII of over 1,000 U.S. service members and federal employees to ISIL to be used against those employees.

Between June and August 2015, Ferizi provided unlawfully obtained PII to ISIL member Junaid Hussain, aka Abu Hussain al-Britani. On Aug. 11, 2015, in the name of the Islamic State Hacking Division (ISHD), Hussain posted a tweet titled “NEW: U.S. Military AND Government HACKED by the Islamic State Hacking Division!” which contained a hyperlink to a 30-page document. That document stated, in part, that “we are in your emails and computer systems, watching and recording your every move, we have your names and addresses, we are in your emails and social media accounts, we are extracting confidential data and passing on your personal information to the soldiers of the khilafah, who soon with the permission of Allah will strike at your necks in your own lands!” The next 27 pages of the document contained the names, e-mail addresses, e-mail passwords, locations and phone numbers for approximately 1,351 U.S. military and other government personnel. This posting was intended to provide ISIL supporters in the United States and elsewhere with the PII belonging to the listed government employees for the purpose of encouraging terrorist attacks against those individuals.

“As alleged, Ardit Ferizi is a terrorist hacker who provided material support to ISIL by stealing the personally identifiable information of U.S. service members and federal employees and providing it to ISIL for use against those employees,” said Assistant Attorney General Carlin. “This case is a first of its kind and, with these charges, we seek to hold Ferizi accountable for his theft of this information and his role in ISIL’s targeting of U.S. government employees. This arrest demonstrates our resolve to confront and disrupt ISIL’s efforts to target Americans, in whatever form and wherever they occur.”

“National security is compromised by computer intrusions, and Ferizi is charged with obtaining the personal identifying information of U.S. military and government personnel and providing it to ISIL,” said U.S. Attorney Boente. “We will investigate and prosecute these cyber-attacks to fullest extent of the law.”

If convicted, the defendant faces up to 35 years. The charges and allegations in the indictment are merely accusations, and the defendant is presumed innocent unless and until proven guilty. The investigation is being conducted by the FBI. The case is being prosecuted by Trial Attorney Gregory Gonzalez of the National Security Division’s Counterterrorism Section and Assistant U.S. Attorney Lynn Haaland of the Eastern District of Virginia. The Assistant Attorney General, U.S. Attorney and FBI Assistant Director thanked the Malaysian authorities for their assistance in this matter.

In the affidavit accompanying the criminal complaint, Kevin M. Gallagher of the FBI states that on June 13, Ferizi allegedly hacked a dedicated server leased by an unnamed U.S. retailer. The server was located in Phoenix, Arizona, and owned by an unnamed hosting company. After creating a user account for “KHS” (Kosovo Hackers Security?), Ferizi allegedly accessed and acquired the personal information of 100,000 customers, including their names, addresses, email addresses, countries, phone numbers, usernames, and passwords. The access continued through July 15, with the hacker actually leaving notes for the administrator and at one point, demanding BTC and using an email account, [email protected], to communicate with them. The affidavit provides a lot of interesting detail, including the fact that it appears that Ferizi allegedly used SQL injection to gain access to the server.

There’s an update to the case involving Ardit Ferizi, whose criminal history and conviction for hacking and providing material support to a terrorist organization have been covered previously. Just last month, Ferizi had been sentenced to 20 years in prison, but was granted a reduction to time served plus 10 years supervised release, to be served in Kosovo. And he would have been on his way home, except that the FBI discovered that while he had been in prison, he had continued his criminal activities. The following is a press release, issued today by the U.S. Attorney’s Office for the Northern District of California.

SAN FRANCISCO – A federal complaint was unsealed today charging Ardit Ferizi with wire fraud and aggravated identity theft, announced United States Attorney David L. Anderson and Federal Bureau of Investigation, Special Agent in Charge Rachel L. Rojas, of the Jacksonville, Florida, FBI Division.

Ardit Ferizi, 25, a Kosovo citizen, last resided in Malaysia before being brought to the Eastern District of Virginia (EDVA) in 2016 to face federal criminal charges. Ferizi pleaded guilty to unauthorized access of computer information and to providing material support to a foreign terrorist group by providing personally identifiable information of United States government personnel to the Islamic State of Iraq and al-Sham (ISIS). He was sentenced to 20 years incarceration in the federal Bureau of Prisons.

According to the complaint, Ferizi’s sentence was reduced in December 2020 to time-served, plus 10 years of supervised release to be served in Kosovo, following the granting of a motion for compassionate release by an EDVA federal judge. Ferizi was awaiting deportation when the FBI determined he continued his criminal activities and had committed multiple new federal offenses while incarcerated at the Federal Correctional Institute in Terre Haute, Indiana.

“We allege Ferizi provided access to personal information of U.S. citizens, even as he was serving his prison sentence for providing similar information to ISIS,” said U.S. Attorney Anderson. “Ferizi’s alleged criminal conduct continued in prison notwithstanding his petition for an early prison release.”

“Ardit Ferizi is an admitted criminal who endangered the lives of over 1,000 Americans by sharing their personal information with members of a dangerous terrorist organization,” said Special Agent in Charge Rojas, in charge of the FBI Jacksonville Division. “The FBI has never wavered in our commitment to seek justice for his innocent victims, and we will continue to vigorously investigate him and anyone else who is intent on harming our nation and citizens.”

According to an FBI agent’s affidavit filed in support of the criminal complaint, in 2017 and 2018 Ferizi had been involved in multiple fraudulent schemes from prison by coordinating with a family member who was operating Ferizi’s email accounts while Ferizi was incarcerated. Ferizi instructed the family member to “keep my email alive and not expiring” and passed his email addresses and passwords on to his family member. The FBI was able to determine that at least one email account included large databases of stolen personally identifiable information, extensive lists of stolen email accounts, partial credit card numbers, passwords, and other confidential information. According to the complaint affidavit, the databases of stolen personal information were the fruits of Ferizi’s criminal hacking activity.

Based on an IP address resolving to Kosovo, login activity to Ferizi’s other e-mail accounts, and other investigative information, it was determined the family member downloaded the databases of stolen information to liquidate the proceeds of Ferizi’s previous criminal hacking activity. In the course of these new crimes, Ferizi and his family member are alleged to have used electronic services of Google, PayPal, and Coinbase, each of which is located in the Northern District of California. The affidavit further alleges that Ferizi continued to communicate with others to further this scheme while in custody. It is alleged that electronic communications were used to further the scheme and that personal data and information used belonged to real individuals who were victimized.

Ferizi is charged with one count of aggravated identity theft in violation of Title 18, United States Code, Section 1028A, and one count of wire fraud in violation of Title 18, United States Code, Section 1343. If convicted of wire fraud, he faces a maximum penalty of 20 years in prison and a fine of $250,000. If convicted of aggravated identity theft, he faces a mandatory penalty of 2 years in prison in addition to the punishment imposed for a wire fraud conviction. However, any sentence following conviction would be imposed by the court only after consideration of the U.S. Sentencing Guidelines and the federal statute governing imposition of a sentence, 18 U.S.C. § 3553.

The charges contained in the criminal complaint are mere allegations. As in any criminal case, the defendant is presumed innocent unless and until proven guilty in a court of law.

Ferizi currently is in federal custody and will be transported to the Northern District of California to face the new federal charges. His initial federal court appearance to face the new charges has not yet been scheduled.

The Corporate Fraud Strike Force of the Northern District of California U.S. Attorney’s Office is prosecuting the case. The prosecution is the result of an investigation by the Federal Bureau of Investigation Jacksonville and Washington field offices.

Further Information: Case #: CR 21-mj-70014 (Complaint posted on U.S. Attorney’s website, see below.)

AP reports:

A computer hacker serving 20 years for giving the Islamic State group the personal data of more than 1,300 U.S. government and military personnel has been granted compassionate release because of the coronavirus pandemic and will be placed in ICE custody for prompt deportation, a federal judge ordered Thursday. U.S. District Judge Leonie M. Brinkema in Alexandria signed the order reducing the sentence of Ardit Ferizi to time served.

Read more on AP News.

Update: Ferizi has been sentenced to 20 years, Reuters reports. I’ll upload DOJ’s press release when it’s available.

Original report: AP reports that Ardit Ferizi, also known as “Th3Dir3ctorY,” is scheduled to be sentenced today. Ferizi had pleaded guilty in June to assisting the Islamic State, and is the first person convicted of both hacking and terrorism charges. Ferizi hacked a private company and pulled out the names, email passwords and phone numbers of more than 1,300 people with .gov and .mil addresses. The Islamic State published the names with a threat to attack. Prosecutors want a maximum sentence of 25 years. Defense lawyers say Ferizi meant no real harm and are asking for a six-year sentence. This post will be updated if he is sentenced today in the Eastern District of Virginia.

Although Ferizi’s case involves terrorism as well as hacking issues and Ferizi had waived extradition from Malaysia, I imagine Lauri Love’s legal team will be watching the sentencing closely. Love is appealing a U.K. judge’s decision to extradite him to the U.S., where he has been indicted on hacking charges in the same federal court as well as two other federal courts here.

There’s an update to a previously reported prosecution. From the DOJ:

Ardit Ferizi, aka Th3Dir3ctorY, 20, a citizen of Kosovo, pleaded guilty today before U.S. District Judge Leonie M. Brinkema of the Eastern District of Virginia to providing material support to the Islamic State of Iraq and the Levant (ISIL), a designated foreign terrorist organization, and accessing a protected computer without authorization and obtaining information.

“Ferizi admitted to stealing the personally identifiable information of over 1,000 U.S. servicemembers and federal employees, and providing it to ISIL with the understanding that they would incite terrorist attacks against those individuals,” said Assistant Attorney General Carlin. “The case against Ferizi is the first of its kind, representing the nexus of the terror and cyber threats. The National Security Division will continue to use an all-tools approach to combat this ever-evolving blended threat, and we will identify, disrupt and prosecute any individual who provides material support to ISIL, no matter how they do so.”

Ferizi, who was detained by Malaysian authorities on a provisional arrest warrant on behalf of the United States, was charged by criminal complaint on Oct. 6, 2015. The criminal complaint was unsealed on Oct. 15, 2015. Ferizi subsequently waived extradition.

Ferizi admitted that on or about June 13, 2015, he gained administrator-level access to a server that maintained the website of a victim company located in the United States, which also contained databases with personally identifiable information (PII) belonging to tens of thousands of the victim company’s customers. Between June and August 2015, Ferizi provided unlawfully-obtained PII to ISIL member Junaid Hussain, aka Abu Hussain al-Britani, he admitted.

According to the statement of facts, on Aug. 11, 2015, in the name of the Islamic State Hacking Division (ISHD), Hussain posted a tweet that contained a document with the PII of approximately 1,300 U.S. military and other personnel that Ferizi had taken from the victim company and provided to Hussain. The document stated, in part, that “we are in your emails and computer systems, watching and recording your every move, we have your names and addresses, we are in your emails and social media accounts, we are extracting confidential data and passing on your personal information to the soldiers of the khilafah, who soon with the permission of Allah will strike at your necks in your own lands!” Ferizi admitted that he provided the PII to ISIL with the understanding that ISIL would use the PII to “hit them hard.”