Members of GnosticPlayers arrested and charged as members of ShinyHunters? (with Update1)
As previously reported on DataBreaches, Sebastien Raoult, a French national, was arrested at Rabat airport in Morocco as he prepared to board a flight to Brussels. His detention was at the request of the U.S. via a “Red Notice” issued by Interpol at the U.S.’s request. Since his arrest, Raoult has reportedly been held in Tiflet 2 prison in Morocco as the U.S. seeks his extradition to the U.S. on charges related to his alleged participation in ShinyHunters.
Much of what we know about Raoult’s detention was previously reported by L’OBS, who seemed to be able to get more information on the charges than this site has been able to get from inquiries to U.S. law enforcement. Even as of this weekend, there is no publicly available filing seeking extradition and no press release from the Department of Justice. Direct inquiries to the DOJ’s Western District of Washington State office did not produce any information. The involvement of the Western District of Washington strongly suggests, however, that one of the victims in the case is Microsoft, which has its headquarters in the Western District of Washington State. In May 2020, ShinyHunters announced that they had exfiltrated 500 GB of Microsoft’s source code from a Microsoft GitHub.
While U.S. law enforcement remains noncommunicative, DataBreaches has been able to piece together a bit more about Raoult, aka “Sezyo,” and three of the four others who were reportedly questioned in France at the FBI’s request.
Raoult has been described by news outlets as being a computer science student at Epitech Nancy, although L’OBS described him as a former student, reporting that Raoult had decided in December to stop his studies to “run the world”. Did Raoult just take time off from his studies to travel the world or did he actually quit school altogether? An inquiry sent to Epitech Nancy did not receive an immediate reply. None of the French news sources seem to report whether Raoult had any job or income to support a lifestyle of traveling for months and seemingly buying a lot of shoes.
In any event, while Raoult sits in jail in Morocco awaiting the government’s decision about the U.S. extradition request, and Raoult’s lawyer attempts to convince Morocco to extradite his client to France and not the U.S., DataBreaches was able to find out a bit more about the four others in France who were reportedly questioned.
On June 2, a Twitter user calling himself “ProsoxW3b” tweeted, “@SezyoKzn #FreeSezyo”
— Prosox (@ProsoxW3b) June 2, 2022
In a chat via direct messages on Twitter, Prosox, whose real name is Nassim Benhaddou, told DataBreaches that he was arrested on May 31 by the French police (OCLCTIC) and FBI. Although he stated he was arrested by the FBI, the FBI could not have arrested him in France, but they could (and reportedly did) accompany the French agents during their questioning of Benhaddou. The FBI’s presence is not unusual in such cases.
When asked whether he was charged for a role with ShinyHunters or with GnosticPlayers, Benhaddou stated that he was charged for what they claim was his role with ShinyHunters. “For Gnosticplayer it’s another matter,” he told DataBreaches. DataBreaches was already aware of Benhaddou’s alleged past involvement with GnosticPlayers and arrests stemming from that group’s activities.
As to what the FBI alleges about him, he told DataBreaches:
I’m not really with this group [ShinyHunters] the fbi even thought I was the one coding all the scripts but everything I did was never meant to imply that I was involved with this group
Asked whether he was worried about the charges, Benhaddou replied that he was not worried, but “Just my only problem I could never leave France in peace,” which he explained was because of any “red notice” that might have been issued about him by the U.S.
Benhaddou initially told DataBreaches that he would not tell this blogger who the other three individuals questioned by the French police and FBI were. But when DataBreaches later mentioned that, based on the fact that he was one of the four, the others likely included Gabriel Kimiaie-Asadi Bildstein and Maxime Thalet-Fischer (both of whom were associated with GnosticPlayers and both of whom were allegedly arrested in the past), Benhaddou stated that yes, Bildstein (whom he referred to as “Gabriel”) was arrested too.
Bildstein had been actively involved in Raid Forums during GnosticPlayers’ heyday, and had been fairly open about his mental health challenges. In past chats with DataBreaches, Gabriel stated that he had been arrested many times for hacking, but always got off lightly because of his age. He also acknowledged that he was addicted to hacking and couldn’t stay away from it for long. Perhaps one of the more interesting insights he had about himself was that maybe French law enforcement didn’t do him any favors by letting him off so lightly each time. Bildstein is about 23 years old now, and if he is charged for being involved in ShinyHunters and convicted, he might not get off lightly, although his documented mental health issues would likely come into play. Any attempt by the U.S. to extradite him would likely fail (or should fail) due to his medical history that includes hospitalization.
DataBreaches was unable to reach Bildstein to ask him to confirm or deny Benhaddou’s claim that he had been arrested recently. (SEE UPDATE BELOW POST)
As to Thalet-Fischer, Benhaddou said he did not know whether he had been arrested, and DataBreaches has no contact info for him to be able to seek confirmation or denial.
Benhaddou would not tell DataBreaches the identity of the fourth person who had been questioned, saying only that the fourth person was not really famous (suggesting that DataBreaches would not know him).
Based solely on L’OBS’s reporting and Benhaddou’s statements to DataBreaches, it appears that so far, at least three people may have been arrested and charged with being part of ShinyHunters: Raoult, Benhaddou, and Bildstein. Thalet-Fischer was allegedly questioned, but we do not know if he was arrested, and we do not know the identity of the fourth French national who was questioned.
But what we also know, at least from the fact that DataBreaches has been in contact with them, is that the individual in control of the ShinyHunters account has been neither questioned nor arrested.
A search of PACER conducted last night found no unsealed cases against Raoult, Benhaddou, Bildstein, or Thalet-Fischer. Nor are there any publicly retrievable red notices for those names.
As far as charges against Raoult are concerned, our only source at this point is L’OBS reporting:
The United States is seeking his extradition on charges of “conspiracy to commit electronic fraud and abuse”, “electronic fraud” and “serious identity theft”. According to the FBI investigation, these offenses were allegedly committed from French IP addresses, but also more recently from Moroccan IP addresses, which would be linked to Sébastien Raoult. American investigators also reportedly got their hands on conversations attributed to the Frenchman on platforms in which he mentioned the said hacks.
Raoult’s online presence does not reflect anyone with any highly developed skills or any serious attempt at opsec, which would be consistent with what sounds like a failure to hide his real IP addresses. In fact, his apparent lack of decent opsec makes claims of his participation in ShinyHunters as an “important” member a bit suspect. Is it possible that Raoult was someone on the fringes of GnosticPlayers or ShinyHunters? Yes. Would he have been an “important” player as the FBI reportedly claimed? So far, that seems unlikely. DataBreaches looks forward to seeing the FBI’s sworn affirmation and support for their extradition request whenever it is unsealed.
DataBreaches will continue to follow developments in this case and will update or correct this post as needed.
UPDATE 1: DataBreaches was able to contact Bildstein, who informs DataBreaches that he was arrested but was released after telling the officer that he was not involved in the Microsoft incident, an alleged phishing incident, or ShinyHunters. They will be examining his devices, but he understands from the officer questioning him that Raoult was also charged with involvement in the Microsoft incident and a phishing incident. Both Benhaddou and Bildstein tell DataBreaches they were not involved in ShinyHunters (although they were involved in GnosticPlayers).
Bildstein’s statement to DataBreaches does seem to confirm our hypothesis that Microsoft was the victim (or one of several victims) that resulted in the Western District of Washington State seeking the Interpol “Red Notice.”
As to the third person questioned in France, DataBreaches still has no confirmation that Fischer was even questioned, but now has a pretty good guess as to who the fourth person in France might be. They will not be identified here until there is some confirmation. To date, French law enforcement has not responded to an inquiry by DataBreaches seeking confirmation of certain claims.