There’s been a lot of speculation following the arrest of Conor Fitzpatrick (aka “Pompompurin”) once it began to really sink in for some people that law enforcement has both the RaidForums and BreachForums databases.
One development that has contributed to the anxiety some people may be feeling is that the Dutch police have sent out thousands of emails and hundreds of postal letters to those whose identities they know. They have also conducted “stop” interviews in person with young kids. Their stated goal is to encourage people to stop committing cybercrime by letting them know that they are not anonymous, are known to law enforcement, and could face charges or ruin their lives.
This is not the first time that Dutch police have reached out to hackers to try to discourage them. In 2021, they posted messages on XSS.is and RaidForums that ended, “Everyone makes mistakes. We are waiting for yours.” In light of what we learned from the FBI’s affidavit in Fitzpatrick’s case, they didn’t have long to wait.
But did their 2021 intervention dissuade anyone from criminal activity, or did it just tick people off? They do not report whether their 2021 intervention had any detectable benefit. And in the press release for the current intervention, they write (machine translated):
With the intervention, the police are sending a clear signal to users that it does not stop with the arrest of (main) suspects, but that customers and other parties involved are not anonymous online either. Within cybercrime, alternative interventions are increasingly opted for instead of going through the criminal justice system. By deploying alternative interventions, an attempt is made to prevent and disrupt cybercrime, in many cases in addition to investigation and prosecution.
But will the current interventions have any of their desired effect?
Databox and Three Others Arrested
Coverage of the police campaign has linked it to the arrest of three people in January of this year. Their arrests (but not their names) were announced in February. Of note, their activities and arrests were reportedly linked to an earlier arrest in November 2022 of a RaidForums user known as “Databox.” Databox had made himself a priority target for law enforcement by allegedly stealing the GIS (Gebühren Info Service GmbH) data of nine million Austrians and putting it up for sale on RaidForums in May of 2020. An investigation later revealed that this was probably a human error leak by a GIS subcontractor that Databox discovered and not a hack, yet it was still reported as “stolen data.”
Databox, who was 25 at the time of his arrest and a resident of Almere, reportedly had around 130,000 databases on a server of his seized by law enforcement. Die Presse reported, “In addition to Austria, the data came from the Netherlands, Thailand, China, Colombia, and Great Britain, among others. He also offered patient data – from the other nations mentioned – as the Dutch authorities announced in a broadcast on Wednesday.” Databox was suspected of four types of crimes: possession or making non-public data available, possession of phishing software and hacker tools, computer trespass and habitual money laundering. According to om.nl, the habitual money laundering related to cryptocurrency transactions totalling 450,000 euros in 2022.
But how did law enforcement get from Databox to the three arrested in January? It is not totally clear from the police press release, but some information is available.
DataBreaches has been able to uncover more information about two of those arrested in January. The primary suspect of the three, who had been described as a 21-year-old man in Zandvoort, had a day job in cybersecurity working for Hadrian Security. He also donated many hours each week at the whitehat DIVD Foundation. Gainfully employed by day, a volunteer at night, and a blackhat and ransomware operator at all other hours? The police claim that he had 550,000 euros in bitcoins, a shoebox with 45,000 euros in cash, and 35 terabytes of data that they seized.
DataBreaches has learned that his name is Pepijn van der S., also known as @xstplanet on Twitter, xstp on Github, and Pepijn V. on LinkedIn, where his header reads “BECAUSE hackers know hackers best.”
According to reporting by Sebastian Brommersma and Gerald Jansen, van der S. had a difficult childhood. Rogier Fischer from Hadrian told the reporters, “At a bad time, he hacked into his high school’s digital systems.” van der S. was arrested and wound up in the Hack_Right program, a police diversion initiative that tries to get young hackers on the right path. van der S. completed the program and started pursuing lawful work in the field. He also completed DIVD’s training program for young people.
To say that people were shocked to be told that van der S. was involved in extortion, money laundering, and other crimes would be an understatement.
While the police press statement didn’t detail the alleged connections between the individuals and RaidForums, Follow the Money learned that the three plus Databox communicated via forums and Telegram. A cybersecurity expert was more explicit:
‘All arrested hackers are part of a club around Pepijn and the hacker from Almere,’ says cybersecurity specialist Rickey Gevers (not related to Victor) to Follow the Money. ‘I was told that by hackers who once belonged to this club and have now stepped out of crime. This is a group of hackers with a core of three or four and a few others around it.’ Gevers had been keeping an eye on the group for some time.
The hackers stood out because they offered databases that were only interesting to the Dutch. They did this on the Raidforums website, a kind of online marketplace for hacked data that offers thousands of databases containing the personal data of millions of people from all over the world.
In April 2022, US authorities took the site offline. Gevers says that the group sometimes called him spontaneously in the middle of the night: ‘That was quite bizarre. Suddenly I was in a group of about eight hackers. I think they wanted to troll me.’
DataBreaches has also learned that the other 21-year-old arrested in January has been identified as “Emir S.”
On April 20, van der S. and Emir S. will appear in court. The prosecutor will reportedly update the court on its investigation and ask the court to extend the pre-trial detention.
In rough translation, the two 21-year-old men are suspected of (and this may change):
- From 18-8-20 to 26-10-21 in Almere and/or Amsterdam and/or United Kingdom threat (of bitcoins)
- From 18-8-20 to 23-1-23 in Almere and/or Amsterdam and/or United Kingdom make available/disclose non-public data of crime originating from profit
- From 18-8-20 to 23-1-23 in Almere and/or Amsterdam and/or Zandvoort and/or in the United Kingdom (conspiring to hack into computers)
- From 1-5-22 to 13-5-22 in Almere and/or Amsterdam and/or United Kingdom extortion (from 24,588 bitcoins at that time with a value of approximately 754,851 US dollars)
- On 23-1-23 in Rotterdam (conspiring in computer crime)
- From 1-3-20 to 23-1-23 in, among other things, Amsterdam, habitual laundering of, among other things, approximately 2,496,548.80 euros (cryptocurrency).
- On 23-1-23 in Rotterdam non-cash payment instrument falsely manufactured/sold / in possession.
The charges as summarized above do not specifically mention RaidForums or BreachForums, but we have yet to see the final and formal charges. And according to Follow the Money, the bond between Databox and the other three “is so close that the 25-year-old man from Almere is also a suspect in the investigation into the three.”
DataBreaches will continue to monitor developments in this case.
If you have any information relating to these cases or suspects, you can reach DataBreaches on Signal at +1-516-776-7756.
Names were edited post-publication to be more consistent with European methods of reporting on suspects.