On April 18, DataBreaches reported that more details had emerged on the arrest of three men by Dutch police in January. The three were suspected of hacking and extorting victims in the Netherlands and elsewhere, obtaining and selling data online, and money laundering. A fourth person linked to the suspects known as “DataBox” had previously been arrested in November 2022 and had been detained with restrictions until the arrest of the other three in January. DataBox, whose real name is Erkan Sezgin, has subsequently been sentenced in a separate case, and may be facing other charges in connection with alleged crimes by the others.
According to the police statement in April about the other three, the prosecution’s prime suspect was a 21-year old man in Zandvoort. A media report at the time revealed that he was employed by Hadrian Security and that he also donated many hours each week at the Dutch Institute for Vulnerability Disclosure (DIVD) Foundation, where he would responsibly disclose vulnerabilities and help entities secure themselves.
His name was reported as Pepijn van der S. With a little OSINT research, DataBreaches found and reported some of his usernames and accounts. DataBreaches also discovered the full names of all three suspects, but consistent with Dutch authorities, only reported their first names and last initials at the time.
Days later, DataBreaches obtained other filings from the prosecutor and was somewhat stunned to spot some email addresses and other details that she recognized as being associated with a hacker she had been chatting with online since 2021.
Less than 24 hours later, DataBreaches would get absolute confirmation that Pepijn Van der Stap was the blackhat hacker she knew as “Umbreon.”
Since his arrest, Van der Stap has been detained. DataBreaches has heard from him on a fairly frequent basis by phone since April. He is not allowed to have any computer or internet access. Over the last two months, we have discussed his current situation, his treatment, his past, and his thoughts and hopes for the future.
In this post, DataBreaches will start to relate some of what we have discussed. Because Van der Stap has neither been tried nor sentenced yet and his calls may be monitored, there are certain questions he cannot answer now or cannot answer in detail now. We will get to those questions or details in the future.
The interview for this article was conducted by phone, in English, over days, and was recorded, but because the phone quality was poor and broke up at times, the following has been edited for clarity and length.
D: Let’s start with aliases. I knew you as Espeon and then Umbreon. What were some of the other usernames that people might have known you by?
P: There were several that I used. I cannot give you all of them now, but they included Lizardom, Egoshin, Espeon, Umbreon, Togepi, OFTF, and Rekt.
D: I also knew you from RAIDForums and BreachForums, but what other forums did you frequent?
P: I was on a bulletin board called Baphomet (no connection to the Baphomet who is the administrator on BreachForums), and I was also on Sinister[.]ly, HackForums, Leakforums, and Maza.
D: A Dutch media report I read described you as an “inverted cyber-Batman” because you were working at Hadrian Security during the day, DIVD at night, and according to the police, on dark matters at other hours of the night. Do you think “inverted cyber-Batman” is a good description of you?
P: Media reporting on me has been exaggerated at times. I was never like Mr. Robot or ZeroCool. I was not trying to expose any companies for corporate greed or anything and I was not acting out of some ideology. I don’t have a cool cape or gadgets and this is not a joking matter. I’m just a person and I made mistakes.
Any suggestion that I was up all night hacking is also wrong. I was exhausted from my day job and volunteer work and was trying to sleep at night.
The majority of my criminal hacking activities took place before I started doing lawful work. I had already started cutting back on blackhat hacking before I started working for whitehat entities. Once I began working in legitimate jobs, I really started dedicating my skills to ethical purposes. For about 16 months before my arrest, I was not engaged in much illegal activity and wanted to get out altogether. But as much as I wanted to get out, it felt impossible at times.
Note: Van der Stap estimates that in his volunteer work with DIVD, he made about 300,000 responsible disclosures to help entities secure themselves and he’s very proud of that. He also claims that he never misused access or any information he obtained while working with either group. Investigations by both organizations have reportedly found no evidence of any misuse of access or information. Some of his colleagues continue to support him as a person although they were all shocked to learn of his illegal activities and immediately terminated his access to their systems and his roles with them.
D: On numerous occasions in our chats before you were ever arrested, you had mentioned suffering from Post Traumatic Stress Disorder (PTSD), panic attacks, flashbacks, insomnia, migraine headaches, anxiety, and paranoia. You said that at times, your anxiety was so severe that you’d temporarily lose consciousness. I would guess that being arrested and not knowing what you will be sentenced to would be very stressful, but in the past few weeks, you have sounded a lot stronger and with better mood and better mental health. Do you still have all the problems you told me about in the past?
P: Migraines and panic attacks were unwelcome companions of my life at one point. But the walls that have confined me here physically have been a catalyst for self-reflection and growth. I have been getting EMDR therapy for my PTSD, and it has already helped me a lot. I am also treated by a prison psychiatrist who has worked with me to create a medication treatment plan that has also reduced thoughts of self-harm and nightmares. And I am working to become more rational and think differently about some things.
Nowadays, I sleep 7-8 hours every night, whereas I used to be unable to sleep more than 1-2 hours even when I really needed sleep and wanted it.
Not having to live a double life and worry about OpSec and getting help has enabled me to experience so much more peace. I have a great support network and I am so grateful for all the support I am receiving.
D: Let’s talk about some of the charges against you. You are facing a number of charges:
- Breaking into the servers of 11 companies and institutions together with others in the period of 18 August 2020 to 23 January and subsequently taking data for himself
- Extorting a large foreign telecom company together with others in the period of 1 May 2022 to 13 May 2022
- Intimidating 11 companies together with others in the period 18 August 2020 to 26 October 2021 by threatening to disclose confidential data unless a payment was made
- Possessing datasets with stolen, non-public, personal data of 12 companies together with others in the period 18 August 2020 to 23 January 2023 and offering these for sale on online forums like Raidforums, and
- Money laundering approximately 2.5 million euros in cryptocurrency and over 46.000 euros in cash together with others in the period of 1 March 2020 to 23 January 2023.
In one phone call, you commented that at the beginning, you and others were accused of hacking many more companies than you had actually hacked because investigators found databases on your devices. You stated, and as many in the hacking community know from their own experiences, many of the databases found on your devices were not the result of your hacks but were databases you collected or acquired from others.
Another claim was that when the police arrested you, you had 550,000 euros in bitcoins and a shoebox with 45,000 euros in cash. In our chats, I never got the sense that you really cared much about money, so why did you want all that money and what did you do with it?
P: The amount of money they claimed was exaggerated somewhat. And no, I really wasn’t motivated by money. I spent some on storage, but that’s all I can really say at this point.
D: One report indicated that healthcare institutions were also affected. Did you ever attack any healthcare entities?
P: No. I read the report that mentioned that and I think there was just a misunderstanding. Someone (not me) found a healthcare site with a responsible disclosure policy and they made some DNS queries, but that was all.
D: So you never attacked the healthcare sector. Did you ever attack critical infrastructure?
D: In February, the police claimed that in some cases, even when victims paid a ransom, the stolen data was still sold. Did you ever sell data after victims paid any ransom?
P: If I extorted a victim and they paid, then no, I never sold their data. If their data wound up sold, maybe someone else hacked them too, or someone else sold their data, but I never did that, no.
D: While we’re on the topic of extortion, if a victim wouldn’t pay you, did you always leak their data or sell it?
P: No. Often I would just shred their data and move on.
D: Why would you shred their data?
P: Because data takes up storage and I wasn’t motivated to sell their data. As I mentioned before, I wasn’t motivated by money. My hacking was me pushing myself to prove to myself that I could do things. And to escape stress and trauma I had never really dealt with.
D: You recently made a life-changing decision to confess to your crimes so you wouldn’t be carrying all that stress and worry around for the rest of your life. You had a 6-hour meeting with the police. Can you say anything about that at this point?
P: I was questioned by two officers who were reading questions that had been written down for the meeting. It was all recorded on camera, and as Dutch law requires, my lawyer was with me. When we started, they started out with them asking me questions, but I started giving them a chronology I had prepared to help them understand how things happened. They asked questions throughout our meeting.
D: About how many victims or attacks did you tell them about? And what year did you start your chronology with?
P: More than 10 attacks but less than 100. My chronology started in 2013.
D: Why 2013? Was that when you first engaged in any criminal hacking?
P: No, but it was when I got into the cyber-realm and a particular scene.
D: After that meeting with the police, did you feel more anxious because now you had given evidence against yourself, or did you feel less anxious?
P: I was euphoric after I confessed. I remember being driven back to the prison by transport and looking out the window and smiling, and writing myself a note about going home.
D: By “home,” did you mean your own home, your mother’s home, or your prison cell?
P: I was thinking of prison and when I re-read my journal later and saw that I had written “home,” that was a surprise.
D: So telling the truth reduced your anxiety greatly. But let’s go back in time before you were arrested: on a day-to-day basis, were you lying to your family, friends, and colleagues about all your activities? And were you lying to yourself to justify what you were doing?
P: They really had no idea what I had done or was doing. I didn’t really even need to lie to them because I wasn’t being asked a lot of questions. But I did lie to them at times, and one of the things I am glad about now is that going forward, I can be more honest with the people I worked with.
As to trying to justify things to myself, I wasn’t really trying to justify it as much as doing it to escape from stress and trauma I had experienced. I was trying to feel safe. I’ve never been able to define myself. I was always trying to prove myself to myself. But in the beginning, yes, I sometimes tried to tell myself that the good I was doing balanced out the bad, but it’s really not possible to rationalize that. You can’t compensate for something you’ve done.
In retrospect, I think I’ve learned some valuable insights, including the devastating impact hackers have on companies and society as a whole. I regret some things very much, but regrets don’t always translate into compensation. I want to be more honest now about myself, apologize to the people I lied to or hurt, and try to figure out how to make amends.
D: That sounds contradictory. First you said you can’t really compensate people for things you’ve done. Then you talk about trying to figure out how to make amends.
P: Yes, but I can apologize, own what I did, and try to be honest with everyone, especially the people I worked with.
D: You recently told me that you became more paranoid while working at Hadrian, but I didn’t quite understand why lawful work would make you more paranoid. Can you try to explain it?
P: Working at Hadrian and volunteering at DIVD made me more paranoid about keeping up appearances, and I actually felt more pressure and paranoia because I was working such long hours. I wanted to cut out blackhat hacking altogether, but I would still log in to blackhat accounts so that no one would start asking questions about where I was or what I was doing.
So yes, I was doing more lawful work and much less illegal work but I became more paranoid about getting caught. The paranoia became so extreme that I was expecting a knock on the door at any time.
D: Do you think if you had told your family or others sooner, you might have gotten totally out of the blackhat activities sooner?
P: I think if I had been willing to tell them that I needed help, deal with the shame, but let them help me, yes. I realized that now that I see how much great support I am getting from so many people. I just wasn’t brave enough at the time to admit everything and ask for help.
Yeah, I should have asked people sooner. They would have been there.
D: You were arrested on January 23, and I’m sure people are wondering how you got caught. The police press release said they had opened an investigation into the hacking of Dutch companies two years before the January arrests. Did the police not know who you were until they arrested “DataBox” in November of 2022 and seized his devices? Was your OpSec that good?
P: I can confidently say that I would have caught myself in 3 minutes using OSINT research. I think the police may have known my name 1-2 years ago and I know another suspect knew my name in 2019, so maybe that gave them my name. Sifting through RAIDForums might have helped them a bit, but my OpSec was good enough to keep me under the radar for the most part. There are other things that I cannot say at this time.
D: What was your immediate reaction after the arrest?
P: When I was arrested, they blindfolded me and walked me out. I got almost no sleep for the next four days in jail and had such severe panic attacks that I froze. I was not even allowed to call anyone for a month. Only after I was able to start calling people and start getting treatment did I start to do better.
Earlier today, Van der Stap was back in court for a second pro forma hearing. To the court’s likely shock, he did not request to be released home on bond. He asked to stay in prison because he feels the treatment he is getting there is beneficial and if he leaves, he’d have to start over with another therapist.
He also found out today that his trial will be in October.
In future posts, we will dive into some of the issues raised in this post in more depth and get into other questions as well. If you have something specific you would like Van der Stap to address or talk about, you can send your questions to breaches@databreaches[.]net.
The spelling of Zandvoort was corrected post-publication. Thanks to the reader who pointed out my error.