Vietnam's Massive CAPTCHA crackers vs. Microsoft DCU

Earlier this month, Microsoft's Digital Crimes Unit was featured in a WIRED article by Lily Hay Newman - Microsoft’s Digital Crime Unit Goes Deep on How It Disrupts Cybercrime. In part, the article discusses MS-DCU's case against the hackers that they call Storm-1152. According to DCU, Storm-1152 used their CAPTCHA-cracking capabilities to assist other criminals in the massive creation of Microsoft email accounts, such as Hotmail and Outlook accounts. How many? How about 750 MILLION email accounts created for illicit purposes! In their announcement about Storm-1152, DCU's Amy Hogan-Burney calls out several of the websites run by the group, including Hotmailbox[.]me, 1stCAPTCHA[.]com, AnyCAPTCHA[.]com, and NoneCAPTCHA[.]com.   (I'm not familiar with NoneCAPTCHA, but it looks like it was just a redirect domain to 1stCAPTCHA.)  Amy shares that the group is based in Vietnam and names three of their operators: Duong Dinh Tu, Linh Van Nguyễn (also known as Nguyễn Van Linh), and Tai Van Nguyen.

hotmailbox[.]me

1stCaptcha[.]com

AnyCaptcha[.]com

Some example code is still on github that illustrates how these massive CAPTCHA solvers were used.  For example "CuongPhan1408" has a 1stCaptcha written in GoLang and shows examples in his code of solving Discord account creations using "HCaptchaTaskProxyless" and using "FunCaptchaTaskProxyless" to defeat Microsoft's Live signups.  FunCaptcha is the tool created by Arkose Labs which is currently used by Microsoft to confirm that emails are only created by humans. 

Github user HecTran12 shares code that links to the now-seized-by-Microsoft website 1stcaptcha[.]com which could previously be installed with "pip install 1stcaptcha." HecTran12's FunCaptcha example solves Outlook[.]com captchas to make new Outlook accounts. 

Github user "Xtekky" shares his AnyCaptcha[.]com-based code called "Outlook Gen" which is Python code that links to the Microsoft-seized website "AnyCaptcha[.]com" to create Outlook accounts in volume.  The code has 45 stars and 15 forks on Github.

Clearly the USERS of Outlook Gen, based on the forks, included many people from many parts of the world.  XTekky has many interesting tools on his Telegram and Discord channels, including "tools" for creating views and likes on TikTok using bots. He demonstrates by sharing a "why so many likes?" video on his TikTok which has been liked 912,400 times.  This relies on his TikTok Slider CAPTCHA Solver, which he claims has 100% accuracy in defeating the TikTok captcha.  XTekky also has a Discord "Question-based" CAPTCHA solver, which uses OpenAI's ChatGPT to solve the questions and provide the answers.  

With three major CAPTCHA-solving tools taken down by Microsoft, what's filling their place?  Based on examining new starring and forking from Github users who liked the old projects, it looks like Russia-based "AntiCaptchaOfficial" is the likely leader.  It claims to solve images with text, Recaptcha v2/v3 Enterprise or non-Enterprise, Funcaptcha Arcoselabs, GeeTest and hCaptcha Enterprise or non-Enterprise, and currently charges rates averaging $0.0005 per solved CAPTCHA. That would be 2,000 account creations per $1. 

Microsoft credits Arkose Labs with their help in investigating the case against Storm-1152, but if the stats page at "anti-Captcha[.]com" can be believed, their site is currently cracking 10,000+ Arkose Labs CAPTCHAs per minute.  Only reCAPTCHA v2 is experiencing more cracks per minute (currently 19,000+). Arkose should be pleased that they are one of the most expensive CAPTCHAs to solve.  Anti-Captcha is currently charging $3 per 1,000.  Their website claims that they are helping disadvantaged workers around the world. 

"With your help, they now have a choice between working in toxic factory conditions or on a computer." 

Their stories don't seem to say "Rather than work in a toxic factory, I help cybercriminals commit fraud and theft by making fake accounts on Outlook, Google, TikTok, Discord and more."

China continues Pig-Butchering Crack-down

One of my techniques for keeping current on Cybercrime trends is having an "interesting" collection of international news ticklers. This story came to me via X:CyberScamMonitor via a QQ account called "onCambodia." @CyberScamMonitor is a Twitter/X account and Substack account dedicated to tracking online scam and gambling operations in Southeast Asia and documenting human trafficking and human rights abuses. Great work and a strong recommendation to follow if you wish to learn more about the links between #CryptoScams and #PigButchering.

I apologize to the original journalist as I have been unable so far to find the original to give them full credit. For reference, the Chinese article I refer to provides the source as 来源：鲁中晨报 (Source: Luzhong Morning News). The headline is: "Chinese woman was arrested after returning to China! Uncovering the financial backers of a fraud syndicate in Sihanoukville." If anyone has a link to the Luzhong Morning News version, please comment and I will update! This post is mostly just a retelling of their story in English!

The story told, in my opinion, should have the headline "Diligent Police Task Force won't stop tracking Fraudsters!" This story features the Yiyuan County Police who started with a telecom fraud case in their jurisdiction and followed it until they had wrapped up the entire organization and seized 200 million yuan from the criminals, 1/4th of it in cash, but also in real estate, luxury cars, watches, and liquour. That's over $28 Million USD! The case started with a local business who found that one of their employees had sent out 38 million yuan in just a few days. The employee was being extorted after installing a porn-dating app on his phone -- when the criminals learned where he worked they demanded that he send money from his company as well. 

 The case was taken up by the "3.01" Task Force. Yiyuan County is administered as part of Zibo City in Shandong Province of China. Police officers from county, city, and provincial level work together on the 3.01 Task Force.  (Shandong is in the east of China, across the Yellow Sea from South Korea.) The deputy magistrate of Yiyuan, Zhang Xiuguang (张秀光), takes an approach to cybercrime that reminds me of the work of the Garda National Economic Crimes Bureau in Ireland!  Zhang says "Since we established the task force, we have firmly believed that we must recover the losses and hit the core.  From catching the first culprit, we will not withdraw our troops until the case is solved!"

(map of Zibo City from medical article by Lili Liu and Ling Wang)

The case dragged on at a very slow pace, Yiyuan deputy director of public safety Ma Wencheng (马文成) described it as involving the tracing of funds from thousands of accounts and peeling back each account like peeling layers from bamboo shoots. Even with a 100 person task force, very little progress was being made, but that changed with a key arrest on 31AUG2022. The key piece of evidence as a suspicious mobile phone number. Among all of the hundreds of thousands of scraps of evidence, there was a telephone number belonging to a woman in Cambodia. Recognizing that Cambodia is the home of many telecom fraud rings, the head analyst for the task force, Lu Lu, focused on the owner of that number. The decision was made to wait for her to return to China. The police have assigned this key figure the alias Xie Xiaofang. When they learned that Xie was returning to China, the task force rushed to Zhengzhou in Henan Province and arrested her as she was leaving quarantine.

As she was questioned, Xie Xiaofang revealed that her #PigButchering group was based in the Chinatown setion of Sihanoukville, Cambodia. Her job within the organization was laundering the money, but she claimed despite her key role, she only knew middle managers in the gang, and then only by alias. The 3.01 Task Force team began tracking each person traveling to China from Sihanoukville and asking Xie Xiaofang to identify them. Within a few weeks, they had mapped out the leadership of the organization. On 17SEP2022, the team traveled to Jiangxi, Yunnan, Fujian, and other places, arresting two more key members and seven others, followed in quick succession by dozens more, eventually totaling 135 arrests. At this point, the Shandong Provincial Public Security Department thought it was time to reward their team.  The photo below shows the public ceremony where all of the local dignitaries publicly praised the work of the 3.01 Task Force, who had at this point seized 8.5 million yuan (about $1.1 million) and had key leaders of the gang in custody. 

(source: https://zibo.sdchina.com/show/4733923.html ) 

But the team was not done yet. As they interrogated those who had been arrested so far, they realized that there was still a bigger boss. The police assigned him the alias Tang Xiaowei, but they were cautioned by their current detainees that this guy has a "very strong sense of anti-reconnaissance." He only uses cash. He doesn't use mobile phones. He doesn't use credit cards.  He doesn't have a fixed address. But he was known to have a favorite place in Xiamen.  The head analyst, Lu Lu, however, believed that Tang would know about the arrests and would be looking for a way to get out of the country safely, and in the mountains of evidence, Lu Lu believed there was a clue to his exit point. Someone under their surveillance had arranged for a large party in "an Internet celebrity hotel" in Guilin, Guangxi. Lu Lu was confident this would be for Tang. 

Speeding down the highway for nearly 1200 miles with members of the 3.01 task force, Lu Lu's vehicle fell into a pit related to some road construction, but they acquired another vehicle and continued on through the night. They arrived just in time to arrest Tang and his closest associates!  It turned out that Tang and his gang were leaving for the coast that morning where a boat was waiting to smuggle them out of the country and back to Cambodia!  They had the actual top kingpin in their hands and now they could finally pull apart the entire organization.  

Based on the information they acquired, additional arrest teams were sent to Beijing, Shanghai, Tianjin, Guangxi, Hebei, Henan, Guizhou and other cities where 18 teams assigned to different roles for the organization were arrested.  Three technical teams, 1 "payment on behalf" gang, and 14 "point running" gangs totaling 197 additional criminal suspects.  Boxes and suitcases loaded with cash were seized.

While the case that started with the Yiyuan County Police investigating one employee who seemed to be embezzling funds, it led to 38 million yuan ($5.3 million USD) being returned to citizens in Yiyuan and Zibo City and has spawned countless additional investigations as the national and international connections are still being traced. 

This is what COULD happen if we follow the model of the brave Yiyuan Police (the same model which the Garda National Economic Crime Bureaus follows!)  DON'T STOP.  DON'T take your local arrests and be happy with them.  FOLLOW EVERY LEAD.  

We'll close with this quote from Zhang Xiuguan ... 

"No matter how far you run, the Yiyuan police are not afraid of hardships and dangers.  They will catch you no matter how far you go!" 

Resources:

• https://mp.weixin.qq.com/s/IZJMXYTkKF8H0lksAHNOjQ
• https://twitter.com/johnwSEAP/status/1729426989310980377
• https://zibo.sdchina.com/show/4733923.html

Mirror Trading International's Cornelius Johannes Steynberg and his $3.4 Billion USD Default Judgement

Some of you may have heard that students in UAB's Investigating Online Crimes class have been researching Crypto Investment Scam websites.  You can find a list of some of the sites we've identified so far on URLScan.io using our tag "CryptoScam" (as of this writing we have 3600+ sites on the list -- hosting companies and registrars, please take action!) 

Mirror Trading International and a $3.4 Billion Fine

You may have never heard of the U.S. Government agency, the Commodity Futures Trading Commission, but that doesn't mean they don't have power.  Last week the CFTC announced an order of default judgment against Cornelius Johannes Steynberg of Stellenbosch, Western Cape, South Africa. The order states that Steynberg must pay $1,733,838,372 USD in restitution and an additional $1,733,838,372 as a civil monetary penalty for defrauding 23,000 Americans of 29,421 Bitcoin.  (That's $3.4 Billion USD, or R63.6 Billion South African Rand.)

I'm proud to say that this action was brought in part by the Alabama Securities Commission, who joined Texas, North Carolina, and Mississippi in taking action.  I've met their director (who just retired this week! Thank you Joe Borg for 30 years of service!) and some of their investigators and they fight hard to protect the citizens of Alabama from fraud. 

Mirror Trading International claimed that their members could earn 10% per month in interest on their investments.  A typical ad of theirs boasted of this advantage over traditional bank accounts and other investment vehicles: 

Ponzi Scam or Affiliate Program: Tomato / Tomato

Like many other Crypto Investment Scams, MTI was an affiliate program.  MTI encouraged members to create an account, after which they would be granted an affiliate code. By sharing a link to the main MTI website using their affiliate code, anyone who clicked the link and made an investment would begin generating "passive weekly income" to the member. 

Dozens of webpages, Telegram channels, and Facebook pages were filled with ads claiming how easy it was to earn money.  Here's one that was shared on a Facebook page operated by affiliate "Themba2000." 

This affiliate regularly posted updates supposedly showing how much money they were earning, as well as testimonials where the people they had recruited supposedly thanked them for their newfound financial freedom:

Like many other Crypto Investment Scams, the affiliates were encouraged to share videos claiming that Artificial Intelligence-based training was part of the secret of their success: 

South Africa's Court Order Outlines a Problem: Greed

While the terms of the South African court order against MTI may seem like victim-shaming, Greed is truly one of the factors involved in many of these Crypto Investment Scams.

"People all over the world, and South Africans are no exception, are bewitched and fascinated by any idea or scheme promising, in most cases, instant wealth, new homes, new cars, holidays abroad and all material possessions that can be acquired with an abundance of money. A further attraction of these schemes is the perception that the money will keep rolling in with little or no effort by the participants, the hardest part being to count one's money." 

The conclusion of that case summarized their findings as follows: 

[137] MTI's business clearly amounted to an unlawful ponzi-scheme, i.e. a fraudulent investing scam promising high rates of return to investors and generating returns for earlier investors with investments taken from later investors. 

[138] It would appear that there is no pool of member bitcoin, Trade 300 does not exist, the artificial intelligence bot never existed or traded and the remarkable trading results presented to investors were prima facie false. 

(ordered by A De Wet, Acting Judge of the High Court) 

What?  The AI Magic Bitcoin Genie isn't real?  I'm shocked!

Scammers or Victims:  Why Not Both? 

Unfortunately, many of the people who became involved in the scam are innocent victims while others made fake Facebook accounts in order to scam others into signing up.  As long as they signed up others, they had a good chance of making money, until the whole scheme collapsed.  It took about five minutes to find fifty affiliates with a simple Facebook search:

So will everyone get their money back?  Highly unlikely. 

Steynberg Arrested in Brazil

Mr. Steynberg was arrested in 2022 by the Brazilian Military Police of the state of Goias: 

https://www.pm.go.gov.br/giro-prende-foragido-internacional-responsavel-por-fraude-milionaria/

Assurances from MTI CEO Steynberg: I am not a Ponzi Scheme!

When Mirror Trading was first accused of being a Ponzi Scheme by the Texas Securities Commission, their CEO replied to queries using a form letter like this one, shared by Global Crypto in a story called "MTI Announces It Is Working With the FSCA": 

Dear Kratika,

I unfortunately only received your email this morning, Tuesday 14 July 2020.

As I have declared to the Texas Commissioner in writing, I wish to state and declare from the outset that Mirror Trading International (Pty) Ltd (hereinafter referred to as “MTI”), a privately held company registered in the Republic of South Africa, is not a Ponzi scheme (new money feeding old) or a scam, with which a holder of funds suddenly disappears.

It is also most unfortunate that because MTI is operating in the online passive income building industry, which has a notorious and demonstrated reputation for scams and Ponzi schemes, and, due to the nature and Modus-Operandi of the robust MTI referral-based business model, that MTI is automatically by default behaviour of the media and some regulators, and maybe the behaviours of some members, is being perceived by associative conclusion that MTI is but another of these.

This unfortunate and misinformed perception is far from the reality of what MTI is as a newly formed (15 month old) highly innovative referral-business and brand that the founders would like to see growing over many years into a global, iconic and heritage brand in the market trading sector.

For instance, the Texas Commissions states that …The actual value of the commissions depends on their success in recruiting new investors and multilevel marketers. … While this may apply to Ponzi schemes, this is not correct for MTI.

Daily trading returns using top regulated trading brokers determine the quantum of rewards, which can vary and if there is a negative trading day, there are no rewards. The point is that with MTI, that the funding of MTI referral payments is derived from daily trading profits and not from the funds of new members.

Another important point which differentiates MTI from Ponzi’s and scams is that members have full control over their funds (Bitcoin) at all times. Members are able to add or withdraw their funds (Bitcoin) at any time, with no complications and no fees. If you do research, you will find not a single member of the 75,000+ MTI members worldwide has ever complained or not been able to withdraw their BTC whenever they have opted to.  

It is the aim of MTI and its innovative, unique referral-based business model and MTI’s operating Modus Operandi of trading on world markets to generate real growth and returns on a daily basis, to work with and co-operate with regulators in every regard, in the process of taking MTI along a path that will see MTI fully and properly regulated.
There are three reasons for this.

1. My Founding Vision for MTI: Build a preferred iconic and heritage global brand in the financial services sector that delivers sustainable growth and value creation for all stakeholders, including for the little man in the street:
2. Professional and Compliant:  Ensure that MTI is a professionally managed business and brand that is regulatory compliant and which delivers sustainable growth and value creation for all stakeholders. My team and I are committed to this.
3. Change the reputation of the on-line passive income generating industry: We and myself personally, are extremely tired of this industry having a negative and darkly clouded reputation. And yes, some 99.9% of online passive income building services are scams and  / or Ponzi’s. I am personally very driven to be part of changing this perception once and for all, by showing and demonstrating to regulators, to the media and to consumers that such a business model can on a Bona Fida basis, exist, successfully operate and grow on an organic and sustainable basis, which is what MTI is doing.

To this end, MTI will in the coming period be placing great emphasis on engaging with and working with any regulator with a clear purpose at all times;  be fully compliant as a professionally managed company and brand that delivers sustainable growth and value creation to its stakeholders, and which intends to be around for many years to come.

MTI is already in discussion with the South Africa Financial Services Conduct Authority (FSCA) and will be meeting with the FSCA in a week’s time. MTI is also fully committed to co-operating with the Texas State Securities board and is in correspondence with them on this matter.

We trust that the above gives you some insight into MTI.

Should you wish to correspond further, please use my private email address: [REDACTED]
Your sincerely,

Johann Steynberg
Chief Executive Officer
Mirror Trading International (Pty) Ltd
South Africa

Watching a Crypto Investment Scam WhatsApp Group

If your online accounts are like mine, almost every day I'm "force joined" to a new Telegram group where a crypto investment scammer tries to tell everyone how great their scam investment site is. This week, I started getting added to WhatsApp Crypto Investment Scams. 

I thought I'd share the experience with you, in case you were curious. 

When you are Force-joined to a WhatsApp group, the first thing that is displayed is information about who added you to the group.

In my case, +856 20 29 725 893 created the group, and then I was added to the group by +856 20 29 728 289.  The +856 should be a clue to whether these are the advisors they claim to be, as +856 is the international calling code for Laos. A third Laos number then removes the group creator, another Laos administrator, and a South African adminstrator (+27 is South Africa).  They must have added a US-numbered administrator, (we don't see other people being added), because the +1 (346) number then changed the "Subject" of the group to be "BTC Nuggets 02th Team."   02th.  As in, the Second team created by a non-English speaker.  1st ... 02th ... 3rd? 

Then we get our first message from "Tricia Storti" our second theoretically American admin +1 (530), American.  See? (530 is the Area Code for extreme NorthEastern California.) 

Tricia's first post introduces our Crypto Investment Scam website name and begins the process of helping us all lose our money to "FileCoin" (or is it FILcoin? they can't seem to decide.)

But wait ... I didn't want to get a hundred WhatsApp messages a day from a new scammer.  That's ok ... all of Tricia's bot-controlled fake Americans are here to make you realize how special it is that you got added to the group.  They blather on non-stop about how great it is ... just so you might wonder (if you were a complete idiot), "Is it possible that I've been accidentally added to a WhatsApp Group that will teach me how to get rich trading Crypto Currency?" 

Seriously.  I can't believe they think anyone is stupid enough to fall for this ... but then I look at the BILLIONS OF DOLLARS being stolen in Crypto Investment Scams and realize they wouldn't spend all of this time and money doing this if somewhere it wasn't making them a profit. 

Just as you might be wondering, "But how will being in this group make me rich?" none other than the FOUNDER HIMSELF, the one and only BERNIE McTERNAN jumps into the conversation to explain how!

(In case you wondering if these were totally made up names, yes, they are. But they are based in reality.  McTernan occurs at a rate of 1 in every 519,000 people in the USA.  Storti is Italian.  1 in every 12,000 or so people there is named Storti.  1 in every 365,000 people in the USA.) 

But does it really work?  Well, our straight man "~ FKK" is going to ask the burning questions that are on every potential victim's mind ... and receive honest, trustworthy answers from current investor LOLO!

See?  LOLO has been in the game for 3 months "without finding anything wrong" and he can "withdraw money successfully every time!"  He's made $70,000 thanks to Bernie Analyst! 

You might still have doubts ... just like FKK!   "Wow is this true?"  But it isn't just totally real LOLO who has had great success.  Totally real totally unsolicited testimonial person Josh Perreault ALSO has made withdrawals successfully!  

Now we KNOW that it's real, right? Not you! You are too smart for that!  You're probably thinking "But I've never heard of these people!  What company is this?  Are they reputable?"  Funny that you are thinking this, because Totally Real Person Andrew Woolley is having those same doubts ... 

There you have it! Filecoin Foundation has been around since 2019, they are headquartered in London and have branches in the US, Vanuatu and Australia.  And look!  They even have an ID Number!  OOOOOOH!  Who could possibly doubt now??!?!?!

Totally Real Person JIJIT assures us that this is an American Company, and then FKK, our favorite Straight Man, asks for a website.  Conveniently, Tricia is there to demonstrate her excellent customer service by replying within two minutes!

FileCoinProtocol[.]com 

Oops!  Did NameSilo actually kill a fraud domain?  No, the scammers use "m.filecoinprotocol[.]com" as their primary site, so that if you try the domain name, or the "www" it will look like the site is unavailable. 

The Amazing Tricia-the-Scammer is right there with the answer! 

"BTC seconds contract is a two-way financial investment product. No matter which direction you buy, as long as you buy in the right direction, you can make a profit. The bitcoin second contract investment we currently trade is suitable for all types of investors, whether you are a novice or an experienced investor. Each transaction lasts 180seconds. After 180 seconds, if the analyst's investment forecast is correct, you can make an immediate profit." 

But why would they do that?  For a commission ... nothing suspicious here ... these Totally Real People explain it to each other:

And eventually, after much more banter, the TRADING starts!  Tricia gives our first instruction, and our Totally Real Veteran Trader Josh jumps right in!  (Perhaps not realizing we've already killed the website.) 

All of the Totally Real People quickly share their successful profits!

But, there is one little problem ... 

If ONLY ADMINS can send messages, then, NONE OF THE TOTALLY REAL PEOPLE CAN BE REAL PEOPLE!  

But that doesn't stop us having more imaginary conversations to demonstrate how trustworthy things are.  Tricia had some exciting news today ... VIP Traders don't have to pay the 20% commission!  They keep ALL OF THE MONEY!  (But there is a $10,000 minimum investment, of course) 

How big is the group?  In addition to the 237 current members, there are also (if you choose Group Info and scroll ALL THE WAY DOWN), over 550 "Past Participants" (with all of their telephone numbers exposed as well.)

Those are the people who were Force-Joined to the group and then LEFT the group.  Hopefully they remember to hit "REPORT AND EXIT" so that WhatsApp's team knows these guys are scammers!

For our "Actors" in the play above, none of their telephone numbers correspond to a real phone carrier, except Bernie, who uses T-Mobile. 

Bernie = 346.971.2587 = T-Mobile 
Tricia = 530.435.9207 = Peerless-NSR-ATLC
Josh = 903.636.6515 = Sinch Voice-NSR-10X
Shannon = 438.577-5300 = IXICA Communications 
JIJIT = 873.920.8211 = IXICA Communications
LOLO = 403.694.7067 = ISP Telecom 
Zachary Brook = 343578.0586 = ISP Telecom 
FKK = 985.775.6255 = Sinch Voice NSR 
Andrew = 716.502.2145 = Sinch Voice NSR 
Kevin = 937.966.2921 = Sinch Voice NSR 

Sure would be sad if all of those telephone numbers and WhatsApp numbers were terminated ... 

SIM Swapping, Crypto Theft, and Sentencing in the United States

As you know from the title of my blog, "CyberCrime & Doing Time," I'm very interested in cybercrime and the criminal justice system. This week I've been looking at SIM Swapping cases and wanted to share what I learned from reading the sentencing memos sentencing transcript for Ricky Handschumacher.

Ricky was one of the members of "The Community" - a group of six OGUsers/HackForums punks who decided to go into the crypto theft business. They haunted crypto community forums gathering data on people who over-shared about their crypto earnings and then did the social media intelligence (SOCMINT) work to id their target, assess their holdings, get their online credentials, and then pay a phone company contractor or employee to SIM Swap their device and steal their crypto.

They stole over $50 Million dollars.

Ricky was the last guy to get sentenced.  The other members of the group (not their phone store patsies, but the core group) were: 

• Conor Freeman, 20, of Dublin, Ireland.  Conor was sentenced to three years in Ireland.
• Colton Jurisic, 20, of Dubuque, Iowa. He was sentenced to 42 months and restitution in the amount of $9,517,129.
• Reyad Gafar Abbas, 19, of Rochester, New York.  He was sentenced to 24 months and restitution in the amount of $310,791.
• Garrett Endicott, 21, of Warrensburg, Missouri.  He was sentenced to 10 months and restitution in the amount of $121,549.
• Ryan Stevenson, 26, of West Haven, Connecticut.  He got two years probation.  Minor player.

Ricky pleads guilty to a single count of "18 USC § 1349 - Conspiracy to Commit Wire Fraud" and in exchange the court agrees to drop several additional charges of: 
18 USC §§ 1343 and 2 - Wire Fraud, Aiding and Abetting 
18 USC §§ 1028A(a)(1) and 2 - Aggravated Identity Theft, Aiding and Abetting

Anyway, Guilty plea is received, family all lines up to say what a good boy Ricky is, blah blah blah, and how he was such a good boy while he was out on bond.

Sentencing Guidelines 

Here's how our sentencing Guidelines work ...

The base crimes each have a number of "sentencing points" that they are assigned.  Then there are a whole host of modifications that can be applied based on other factors.  This score is then further modified by how many prior criminal convictions the individuals have.

Conspiracy to Commit Wire Fraud has a base score of 7.  With no criminal history, that would give a sentence of 0-6 months. But that would be a crime with no victims, no losses, and the most basic conspiracy.  All of the other factors add points. 

The following modifications are then applied.

+2 - the number of victims matter.  In this case, they are charging "ten or more victims." 

Ricky's score is now a 9.  Sentencing guideline: 4-10 months.

+2 - sophisticated means. Because this was a high-tech crime with a lot of technology and a lot of moving parts.

Ricky's score is now an 11.  Sentencing guideline: 8-14 months. 

+2 illicit authentication.  To curb identity theft and the flippant use of stolen credentials, crimes that involve stolen identities get an automatic +2. 

Ricky's score is now a 13.  Sentencing guideline: 12-18 months.

+18 - Theft of between $3.5 million and $9.5 million.  The two greatest "adjustments" in the sentencing world are Number of Victims, and Amount Stolen. This is a huge modification, however, they stole a lot of money!  Many victims lined up to say they lost 100% of their life savings.  One of them even appeared at the Sentencing hearing and said so.  He told the court he had lost everything, and had been waiting FOUR YEARS for justice to be served.  It definitely needs consideration.  

Ricky's score is suddenly a 31.  108-135 months.  That's 9 to 11 years.

-3 - Because Ricky was cooperative and accepted responsibility for his crimes, apologizing to the court and to the victims, his sentencing guideline score is dropped by three points.  That's huge, actually.

Ricky's score is now 28.  78-97 months. 

In their sentencing memo, the prosecution says they would be happy to accept the "mid-point" of that range and asks for an 88 month sentence.

The Judge Speaks

The judge in this case is The Honorable Denise Page Hood in the Eastern District of Michigan.  I appreciate that she puts a great deal of explanation in before rendering her verdict.  She shares with us each of the things she is charged with considering as she builds her decision on what sentence to impose.  All of the following is quoted from the Sentencing Transcript available on PACER, although the emphasis added is mine.  

1. "The factors I'm supposed to consider are these: The nature and circumstances of the offense and the history and characteristics of the Defendant, and I'm satisfied that, while I don't think that -- well, I think the age of the other individuals involved really didn't have anything to do with you. What it really has to do with is whether or not you were a more mature person and maybe should have had some other indication of this wrongdoing and made a better judgment than someone who perhaps is still young and a bit naive might be. Like I know one of the people, I was convinced that person was much more naive than other individuals involved in this. You, however, aren't one of those.

"I have here also that I think that the nature and circumstances the offense are serious, because there's a lot of money stolen, and it's stolen from individuals who, number one, are unsuspecting, and, number two, some of them are like Mr. S.S., who is here in court today, that this was not, you know, some organization or anything. It was an individual and their personal money, their, as he describes it, his life savings that were involved, and I think that makes it a little bit different than stealing from a company that might have some other means of recovering that than an individual. I'm also satisfied that it seemed like kind of a we're going to go out there and just do these things. We're just going to hack. We don't have any sense of caring very much, until it's over, about people who might be involved in this and where the money might be coming from and where it might go, and so, to some extent, on the part of everybody involved, it seemed like it was kind of a relaxed look at what you were doing and just kind of like a greed thing. I mean it wasn't -- particularly in your case, it wasn't that you were destitute or anything. You had some education, and you had the ability to have a job. So it wasn't that you couldn't go out and make money on your own, and that is kind of the nature of these kind of things, but I think it's a very serious offense in this particular scheme of things.

2. I'm also to look at the history and characteristics of the Defendant, and, for that, I would note that in the scheme of people who come into court,  you're on the young end of that. You may not think you are, but you really are on the young end of those people who commit crimes within our system.

I'm satisfied that you had a decent childhood. I had some notes here that you were and athlete and well-integrated into your experiences as a youth, and, also, that, unlike some other people, you did not seem to be someone who was just, you know, isolating themselves and unliked by others and, therefore, kind of a person who might reach out to do something like this because of a bad situation that they were in. Not that that excuses that behavior, which is exactly what I told them, that it doesn't excuse that behavior.

I'm also satisfied that -- I don't know whether it's better or worse that there are hackers out there that don't know one another, and maybe that adds a little bit to the frivolousness and the unaccountability of it relative to one another. Otherwise, I don't think there's anything in your history or characteristics that is a negative to you. I had one thing I wanted to note here. Okay, I wanted to note that it does not appear that you have any physical problems or that you have any mental health diagnosis or received any mental health treatment. It does not appear that you have any substance abuse problems.

It appears that you graduated from high school and that you were able to have some employment, including an employment from July of 2019, on Paragraph 44, until – at least at the time that this report was written, and that prior to that, that you have worked -- you had been unemployed for a time but that you were also employed by the city of Port Richey, and, prior to that, in a grocery store, and for the short period of time that you've been an adult, that's a significant amount, as far as I'm concerned, of employment.

The other thing I want to say is thatI'm to consider whether or not the sentence that I'm going to craft will reflect the seriousness of the offense. I've already spoken to that. Promotes respect for the law and provides just punishment, and I'm sure that you're aware now of the seriousness of the offense. That may be enough to promote respect for the law. I don't know that. You know, I don't know that in these particular kind of instances whether people look at it and say, you know, I've been involved in this. It was easy. I just happened to get caught. I'm never going to get caught again because of the nature of how this is done and how hard it is to investigate and to find out what each person involved in it is doing. So I don't know that my sentence will promote respect for the law, but at least I have taken it into consideration.

I'm also to fashion a sentence that provides just punishment, and I know that in all of the cases during the pandemic, where people have been on bond, they have noted I've been, you know, really good, in quotes, on pretrial release, and that shows that I am rehabilitated, and, to some extent, that may be true. To the other extent, the opportunity was that you would not be on pretrial release and you would be in custody where everyone else is attempting to get out of custody because of Covid-19. So I see that people would be, to a very great extent, well-behaved on pretrial release at this time, especially when they don't want to be incarcerated. So I don't give that a lot of weight. I know it's a long time to wait, but I'm sure it is far less onerous conditions than if you were waiting in jail to be able to proceed.

5. I'm also to consider whether or not I will afford adequate deterrence to criminal conduct, and I recognize that this may have been an opportunistic crime, but it's still illegal. You still have to answer for it, and some of it, the deterrence, I think, is not only deterring yourself, meaning that something happens to you that makes you not want to do this ever again even if you think the opportunity to be caught is very small, and it's going to become less small. The Government is going to get better at uncovering this type of crime and uncovering it earlier, but I also think that we deter others by letting them know that we're not going to just let this kind of crime go unaddressed

6. I'm also to fashion a sentence that protects the public from the further crimes of the  Defendant, and I will do that in this case by requiring, since it's your first contact with law enforcement, and to some extent the presentence report indicates it's a deviation from your otherwise law-abiding life, that you will have to participate in the Computer Internet Monitoring Program for the entire time that you're connected to the Court by being incarcerated, if you're put in a halfway house, or while you're on supervised release, and you'll have to abide by that agreement, which addresses all of the computers to which you would have any contact, okay, and it allows them to not only search but at reasonable times and places, but to also be for you to provide other people using the computers with the understanding if you're using their computer, it's subject to search as well.

 
7. I'm to fashion a sentence that provides you with needed education and vocational training, medical care, or other correctional treatment in the most effective manner, and it does not appear that you're unhealthy, or, as I said, have any mental health or substance abuse concerns. I know you have a high school diploma, and you have had some employment that's consistent with that, and so I would note that you should have the opportunity to engage in any programs that you think are beneficial to you to enhance that, but I don't have any that I'm going to particularly point out.

8. I also have to consider the kinds of sentences available, and that is the 78 to 97 months of incarceration, and that it will be followed by a term of supervised release, and I'm also to consider the need to avoid unwarranted sentencing disparities among defendants with similar records having been found guilty of similar kinds of conduct, and I have these other codefendants, all of whom seem to have various roles in conducting this conspiracy, and I think that my sentence will reflect how I think the various roles and the history and characteristics and other factors have impacted those people, all of whom, so far, have received a sentence that is below the guideline range. 

9. I'm also to consider the need to provide restitution to any victims of the offense, and I am going to order a restitution against you relative to this. I will also recommend that the amount that you're forfeiting go against the restitution, but, you know, part of it is that, you know, the amount of restitution is really high, and I think it's really difficult for anybody, although you're a young person and so are the others, to pay back seven-and-a-half-million dollars. That's a tremendous amount of money, and the amount that it is apparent that you're forfeiting doesn't really approach that. It doesn't approach $7 million, and so, you know, the Court is always wondering what happened to the money that was stolen away from people and whether or not people have spent it or they hid it away, especially if there's nothing really apparent. There is, in some cases, something apparent to show for it, but I have considered that as well.

I've said in the other sentences, because in the other instances, people also ask for  noncustodial sentences, that I don't think that a noncustodial sentence is appropriate in these cases. I mean we think, kind of like we do in other kinds of cyber crimes, that you don't see what's happening. It's not done with some -- it's not like you went in and robbed a place where some people were standing there and you had to deal with the actual people that you might be stealing the money from, or had to confront an actual bank teller who might be afraid or anything like this. This is kind of done on your own on the computer. You don't really have any real people in front of you. It's not maybe very -- it does not seem very personal to the people committing the crime, but it's really personal against the people that the crime is committed, and so I don't think that a noncustodial sentence is appropriate.  Even with the halfway house and the like, I don't think it's appropriate, and I think you can tell that from the other sentences that I've imposed.

The Sentence

And, therefore -- but I should also say that I think the 78 to 97 months is driven, as many as of these monetary crimes are, by the amounts of loss, and I think, in this particular instance, where I have people before me and you who don't have prior serious offenses or any offenses at all, that I give credit for that in most other instances of fashioning a sentence, and the credit for it actually goes to the amount of time that you have to be incarcerated usually, and I don't see any reason why I shouldn't do that in this particular instance. In all of these instances, I think I have before me people who have the ability to do one of two things. They can grow and become productive members of society and attempt to pay back the victims the money that was, you know, secretly stolen from them and computers used to do that, and, therefore, I think that a sentence within the guideline range is too much for the charges that I'm presented with here for the reasons that I've stated.

 
And, therefore, with respect to Count 1 of the indictment, pursuant to the Sentencing Reform Act of 1984, the Court, having considered the advisory guidelines and the factors contained in 18 U.S.C. §3553(a), commits the Defendant to the custody of the Bureau of Prisons for a term of 48 months. And, upon release from imprisonment, the Defendant will be placed on supervised release for a term of three years. 

... I'm ordering that you pay that restitution to the clerk of the court for disbursement to the victims identified below in the amounts below for a combined restitution order of $7,681,570.03, which is due immediately. While on supervised release, payments must be made at a rate and schedule determined by the probation department, approved by the Court, and they are going to these victims:
Victim with initials D.M. in the amount of $116,387.12;
Mr. S.S. in the amount of $1,967,146.57;
And S.B. in the amount of $5,598,036.34.

Thoughts on Sentencing 

I am always frustrated when judges choose to depart from the recommended sentence, especially in a way that I feel does not take cybercrime seriously.  As we look at the rationale behind the sentence though, I think it boils down to this:

In the world of Big Crypto and with the pathetic security in place that means a kid in a phone shop can facilitate a $5.5 Million theft, how do we balance the trivial means of stealing that money with the fact that someone's life savings have been destroyed?

In this case, restitution will start with the fact that Ricky is giving up 38 BTC and 900 Ethereum from what he stole.  At the time of this writing that is about $1.8 Million.  How is a kid with a high school degree and a criminal record going to pay back the other $5.8 Million?  He's not.  The parole board will come up with a garnishment of future wages, but if he ends up in a minimum wage job, that is likely to be repaid at a rate of $100 per month, so the victims will get the rest of their money slowly over the next four thousand eight hundred years or so.

I would really like to hear your thoughts on this.  Feel free to comment below.  Thank you!