SIM Swapping, Crypto Theft, and Sentencing in the United States

As you know from the title of my blog, "CyberCrime & Doing Time," I'm very interested in cybercrime and the criminal justice system. This week I've been looking at SIM Swapping cases and wanted to share what I learned from reading the sentencing memos sentencing transcript for Ricky Handschumacher.

Ricky was one of the members of "The Community" - a group of six OGUsers/HackForums punks who decided to go into the crypto theft business. They haunted crypto community forums gathering data on people who over-shared about their crypto earnings and then did the social media intelligence (SOCMINT) work to id their target, assess their holdings, get their online credentials, and then pay a phone company contractor or employee to SIM Swap their device and steal their crypto.

They stole over $50 Million dollars.

Ricky was the last guy to get sentenced.  The other members of the group (not their phone store patsies, but the core group) were: 

• Conor Freeman, 20, of Dublin, Ireland.  Conor was sentenced to three years in Ireland.
• Colton Jurisic, 20, of Dubuque, Iowa. He was sentenced to 42 months and restitution in the amount of $9,517,129.
• Reyad Gafar Abbas, 19, of Rochester, New York.  He was sentenced to 24 months and restitution in the amount of $310,791.
• Garrett Endicott, 21, of Warrensburg, Missouri.  He was sentenced to 10 months and restitution in the amount of $121,549.
• Ryan Stevenson, 26, of West Haven, Connecticut.  He got two years probation.  Minor player.

Ricky pleads guilty to a single count of "18 USC § 1349 - Conspiracy to Commit Wire Fraud" and in exchange the court agrees to drop several additional charges of: 
18 USC §§ 1343 and 2 - Wire Fraud, Aiding and Abetting 
18 USC §§ 1028A(a)(1) and 2 - Aggravated Identity Theft, Aiding and Abetting

Anyway, Guilty plea is received, family all lines up to say what a good boy Ricky is, blah blah blah, and how he was such a good boy while he was out on bond.

Sentencing Guidelines 

Here's how our sentencing Guidelines work ...

The base crimes each have a number of "sentencing points" that they are assigned.  Then there are a whole host of modifications that can be applied based on other factors.  This score is then further modified by how many prior criminal convictions the individuals have.

Conspiracy to Commit Wire Fraud has a base score of 7.  With no criminal history, that would give a sentence of 0-6 months. But that would be a crime with no victims, no losses, and the most basic conspiracy.  All of the other factors add points. 

The following modifications are then applied.

+2 - the number of victims matter.  In this case, they are charging "ten or more victims." 

Ricky's score is now a 9.  Sentencing guideline: 4-10 months.

+2 - sophisticated means. Because this was a high-tech crime with a lot of technology and a lot of moving parts.

Ricky's score is now an 11.  Sentencing guideline: 8-14 months. 

+2 illicit authentication.  To curb identity theft and the flippant use of stolen credentials, crimes that involve stolen identities get an automatic +2. 

Ricky's score is now a 13.  Sentencing guideline: 12-18 months.

+18 - Theft of between $3.5 million and $9.5 million.  The two greatest "adjustments" in the sentencing world are Number of Victims, and Amount Stolen. This is a huge modification, however, they stole a lot of money!  Many victims lined up to say they lost 100% of their life savings.  One of them even appeared at the Sentencing hearing and said so.  He told the court he had lost everything, and had been waiting FOUR YEARS for justice to be served.  It definitely needs consideration.  

Ricky's score is suddenly a 31.  108-135 months.  That's 9 to 11 years.

-3 - Because Ricky was cooperative and accepted responsibility for his crimes, apologizing to the court and to the victims, his sentencing guideline score is dropped by three points.  That's huge, actually.

Ricky's score is now 28.  78-97 months. 

In their sentencing memo, the prosecution says they would be happy to accept the "mid-point" of that range and asks for an 88 month sentence.

The Judge Speaks

The judge in this case is The Honorable Denise Page Hood in the Eastern District of Michigan.  I appreciate that she puts a great deal of explanation in before rendering her verdict.  She shares with us each of the things she is charged with considering as she builds her decision on what sentence to impose.  All of the following is quoted from the Sentencing Transcript available on PACER, although the emphasis added is mine.  

1. "The factors I'm supposed to consider are these: The nature and circumstances of the offense and the history and characteristics of the Defendant, and I'm satisfied that, while I don't think that -- well, I think the age of the other individuals involved really didn't have anything to do with you. What it really has to do with is whether or not you were a more mature person and maybe should have had some other indication of this wrongdoing and made a better judgment than someone who perhaps is still young and a bit naive might be. Like I know one of the people, I was convinced that person was much more naive than other individuals involved in this. You, however, aren't one of those.

"I have here also that I think that the nature and circumstances the offense are serious, because there's a lot of money stolen, and it's stolen from individuals who, number one, are unsuspecting, and, number two, some of them are like Mr. S.S., who is here in court today, that this was not, you know, some organization or anything. It was an individual and their personal money, their, as he describes it, his life savings that were involved, and I think that makes it a little bit different than stealing from a company that might have some other means of recovering that than an individual. I'm also satisfied that it seemed like kind of a we're going to go out there and just do these things. We're just going to hack. We don't have any sense of caring very much, until it's over, about people who might be involved in this and where the money might be coming from and where it might go, and so, to some extent, on the part of everybody involved, it seemed like it was kind of a relaxed look at what you were doing and just kind of like a greed thing. I mean it wasn't -- particularly in your case, it wasn't that you were destitute or anything. You had some education, and you had the ability to have a job. So it wasn't that you couldn't go out and make money on your own, and that is kind of the nature of these kind of things, but I think it's a very serious offense in this particular scheme of things.

2. I'm also to look at the history and characteristics of the Defendant, and, for that, I would note that in the scheme of people who come into court,  you're on the young end of that. You may not think you are, but you really are on the young end of those people who commit crimes within our system.

I'm satisfied that you had a decent childhood. I had some notes here that you were and athlete and well-integrated into your experiences as a youth, and, also, that, unlike some other people, you did not seem to be someone who was just, you know, isolating themselves and unliked by others and, therefore, kind of a person who might reach out to do something like this because of a bad situation that they were in. Not that that excuses that behavior, which is exactly what I told them, that it doesn't excuse that behavior.

I'm also satisfied that -- I don't know whether it's better or worse that there are hackers out there that don't know one another, and maybe that adds a little bit to the frivolousness and the unaccountability of it relative to one another. Otherwise, I don't think there's anything in your history or characteristics that is a negative to you. I had one thing I wanted to note here. Okay, I wanted to note that it does not appear that you have any physical problems or that you have any mental health diagnosis or received any mental health treatment. It does not appear that you have any substance abuse problems.

It appears that you graduated from high school and that you were able to have some employment, including an employment from July of 2019, on Paragraph 44, until – at least at the time that this report was written, and that prior to that, that you have worked -- you had been unemployed for a time but that you were also employed by the city of Port Richey, and, prior to that, in a grocery store, and for the short period of time that you've been an adult, that's a significant amount, as far as I'm concerned, of employment.

The other thing I want to say is thatI'm to consider whether or not the sentence that I'm going to craft will reflect the seriousness of the offense. I've already spoken to that. Promotes respect for the law and provides just punishment, and I'm sure that you're aware now of the seriousness of the offense. That may be enough to promote respect for the law. I don't know that. You know, I don't know that in these particular kind of instances whether people look at it and say, you know, I've been involved in this. It was easy. I just happened to get caught. I'm never going to get caught again because of the nature of how this is done and how hard it is to investigate and to find out what each person involved in it is doing. So I don't know that my sentence will promote respect for the law, but at least I have taken it into consideration.

I'm also to fashion a sentence that provides just punishment, and I know that in all of the cases during the pandemic, where people have been on bond, they have noted I've been, you know, really good, in quotes, on pretrial release, and that shows that I am rehabilitated, and, to some extent, that may be true. To the other extent, the opportunity was that you would not be on pretrial release and you would be in custody where everyone else is attempting to get out of custody because of Covid-19. So I see that people would be, to a very great extent, well-behaved on pretrial release at this time, especially when they don't want to be incarcerated. So I don't give that a lot of weight. I know it's a long time to wait, but I'm sure it is far less onerous conditions than if you were waiting in jail to be able to proceed.

5. I'm also to consider whether or not I will afford adequate deterrence to criminal conduct, and I recognize that this may have been an opportunistic crime, but it's still illegal. You still have to answer for it, and some of it, the deterrence, I think, is not only deterring yourself, meaning that something happens to you that makes you not want to do this ever again even if you think the opportunity to be caught is very small, and it's going to become less small. The Government is going to get better at uncovering this type of crime and uncovering it earlier, but I also think that we deter others by letting them know that we're not going to just let this kind of crime go unaddressed

6. I'm also to fashion a sentence that protects the public from the further crimes of the  Defendant, and I will do that in this case by requiring, since it's your first contact with law enforcement, and to some extent the presentence report indicates it's a deviation from your otherwise law-abiding life, that you will have to participate in the Computer Internet Monitoring Program for the entire time that you're connected to the Court by being incarcerated, if you're put in a halfway house, or while you're on supervised release, and you'll have to abide by that agreement, which addresses all of the computers to which you would have any contact, okay, and it allows them to not only search but at reasonable times and places, but to also be for you to provide other people using the computers with the understanding if you're using their computer, it's subject to search as well.

 
7. I'm to fashion a sentence that provides you with needed education and vocational training, medical care, or other correctional treatment in the most effective manner, and it does not appear that you're unhealthy, or, as I said, have any mental health or substance abuse concerns. I know you have a high school diploma, and you have had some employment that's consistent with that, and so I would note that you should have the opportunity to engage in any programs that you think are beneficial to you to enhance that, but I don't have any that I'm going to particularly point out.

8. I also have to consider the kinds of sentences available, and that is the 78 to 97 months of incarceration, and that it will be followed by a term of supervised release, and I'm also to consider the need to avoid unwarranted sentencing disparities among defendants with similar records having been found guilty of similar kinds of conduct, and I have these other codefendants, all of whom seem to have various roles in conducting this conspiracy, and I think that my sentence will reflect how I think the various roles and the history and characteristics and other factors have impacted those people, all of whom, so far, have received a sentence that is below the guideline range. 

9. I'm also to consider the need to provide restitution to any victims of the offense, and I am going to order a restitution against you relative to this. I will also recommend that the amount that you're forfeiting go against the restitution, but, you know, part of it is that, you know, the amount of restitution is really high, and I think it's really difficult for anybody, although you're a young person and so are the others, to pay back seven-and-a-half-million dollars. That's a tremendous amount of money, and the amount that it is apparent that you're forfeiting doesn't really approach that. It doesn't approach $7 million, and so, you know, the Court is always wondering what happened to the money that was stolen away from people and whether or not people have spent it or they hid it away, especially if there's nothing really apparent. There is, in some cases, something apparent to show for it, but I have considered that as well.

I've said in the other sentences, because in the other instances, people also ask for  noncustodial sentences, that I don't think that a noncustodial sentence is appropriate in these cases. I mean we think, kind of like we do in other kinds of cyber crimes, that you don't see what's happening. It's not done with some -- it's not like you went in and robbed a place where some people were standing there and you had to deal with the actual people that you might be stealing the money from, or had to confront an actual bank teller who might be afraid or anything like this. This is kind of done on your own on the computer. You don't really have any real people in front of you. It's not maybe very -- it does not seem very personal to the people committing the crime, but it's really personal against the people that the crime is committed, and so I don't think that a noncustodial sentence is appropriate.  Even with the halfway house and the like, I don't think it's appropriate, and I think you can tell that from the other sentences that I've imposed.

The Sentence

And, therefore -- but I should also say that I think the 78 to 97 months is driven, as many as of these monetary crimes are, by the amounts of loss, and I think, in this particular instance, where I have people before me and you who don't have prior serious offenses or any offenses at all, that I give credit for that in most other instances of fashioning a sentence, and the credit for it actually goes to the amount of time that you have to be incarcerated usually, and I don't see any reason why I shouldn't do that in this particular instance. In all of these instances, I think I have before me people who have the ability to do one of two things. They can grow and become productive members of society and attempt to pay back the victims the money that was, you know, secretly stolen from them and computers used to do that, and, therefore, I think that a sentence within the guideline range is too much for the charges that I'm presented with here for the reasons that I've stated.

 
And, therefore, with respect to Count 1 of the indictment, pursuant to the Sentencing Reform Act of 1984, the Court, having considered the advisory guidelines and the factors contained in 18 U.S.C. §3553(a), commits the Defendant to the custody of the Bureau of Prisons for a term of 48 months. And, upon release from imprisonment, the Defendant will be placed on supervised release for a term of three years. 

... I'm ordering that you pay that restitution to the clerk of the court for disbursement to the victims identified below in the amounts below for a combined restitution order of $7,681,570.03, which is due immediately. While on supervised release, payments must be made at a rate and schedule determined by the probation department, approved by the Court, and they are going to these victims:
Victim with initials D.M. in the amount of $116,387.12;
Mr. S.S. in the amount of $1,967,146.57;
And S.B. in the amount of $5,598,036.34.

Thoughts on Sentencing 

I am always frustrated when judges choose to depart from the recommended sentence, especially in a way that I feel does not take cybercrime seriously.  As we look at the rationale behind the sentence though, I think it boils down to this:

In the world of Big Crypto and with the pathetic security in place that means a kid in a phone shop can facilitate a $5.5 Million theft, how do we balance the trivial means of stealing that money with the fact that someone's life savings have been destroyed?

In this case, restitution will start with the fact that Ricky is giving up 38 BTC and 900 Ethereum from what he stole.  At the time of this writing that is about $1.8 Million.  How is a kid with a high school degree and a criminal record going to pay back the other $5.8 Million?  He's not.  The parole board will come up with a garnishment of future wages, but if he ends up in a minimum wage job, that is likely to be repaid at a rate of $100 per month, so the victims will get the rest of their money slowly over the next four thousand eight hundred years or so.

I would really like to hear your thoughts on this.  Feel free to comment below.  Thank you!

Hushpuppi Pleads Guilty: Sentence Estimate? 11-14 Years

On July 27, 2021, Ramon Olorunwa Abbas, also known as Hushpuppi, decided that his best plan would be to avoid spending the rest of his life in prison was to plead guilty.  I've actually never seen a plea agreement with so much redacting, but we can still see SOME of what he is pleading to in the 29 page plea agreement that was posted today on PACER, the Public Access to Court Electronic Records.

"Beginning no later than or about January 18, 2019 through on or about June 9, 2020, defendant knowingly combined, agreed, and conspired with multiple other persons ("coconspirators") to conduct financial transactions into, within, and outside the United States involving property that represented the proceeds of wire fraud.   ... The coconspirators targeted multiple victims and laundered and/or attempted to launder funds fraudulently obtained, and attempted to be fraudulently obtained, through bank cyber-heists, business email compromise ("BEC") frauds, and other fraud schemes."

In particular, he admits that he helped launder the money:

•  stolen from a bank in Malta (which we know is the Bank of Valetta from public news sources which was hacked by North Korean hackers) and 
• the BEC funds stolen from a law firm in New York State, 
• and the funds stolen from two companies located in the UK. (one of which was likely an English Premier League Club, from previous court filings.)

"Defendant admits" that he conspired to launder the funds, and that he knew they were funds that were the proceeds of fraud.  "Defendant also admits the truth of the allegations in Overt Acts 1 to 17."

Overt Acts 1 to 17

What were these Overt Acts 1 to 17?  These are from a previous court filing.  The first set, Overt Acts 1 - 12, all make reference to "UIUC-1" who we now believe is Ghaleb Alaumary, then age 37, from Mississauga, Canada.

Overt Act No. 1 - 18JAN2019 - ABBAS provides bank account information for a bank in Romania to be used to receive a 5 Million Euro wire transfer

Overt Act No. 2 - 18JAN2019 - ABBAS confirms via electronic message that the Romanian bank account is "for large amounts" 

Overt Act 3 - 18JAN2019 - ABBAS confirms that he will clear the funds from the Romanian account right away.

Overt Act 4 - 10FEB2019 - ABBAS provides another bank account, this time in Bulgaria, to receive an additional 5 million Euros.

Overt Act 5 - 12FEB2019 - ABBAS is informed the first 500,000 Euros have been deposited to Romania and confirms he will let his people know.

Overt Act 6 - 12FEB2019 - ABBAS confirms he is ready to receive more funds in the Romanian account. "Yes please"

Overt Act 7 - 12FEB2019 - ABBAS sends a screenshot of the Romanian Bank account to UICC-1, showing the IBAN numbers, Account numbers, and account balance for the account.

Overt Act 8 - 13FEB2019 - ABBAS sends a new screenshot of the Romanian Bank account to UICC-1.

Overt Act 9 - 10MAR2019 - UICC-1 asks for a bank account in Dubai that can receive "5m" saying "Brother I need it now or we will lose our chance pls."  ABBAS sends him the information for a Dubai bank account.

Overt Act 10 - 08MAY2019 - UICC-1 asks for an account that can "handle millions and not block" and Hushpuppi gives him the details of a bank account in Mexico.

Overt Act 11 - 13MAY2019 - UICC-1 tells ABBAS that the Mexican bank account will receive 100 Million pounds from an English Premier League Club and 200 Million pounds from a victim UK company and wants to know if he can proceed.  Abbas seems to express concern here, saying these accounts "cost a lot of money now to open." 

Overt Act 12 - 13MAY2019 - UICC-1 tells ABBAS that he has "10 more to do" after the Premier League Club job and says he will need to use each bank account for 2 contracts. 

Overt Act 13 - 15OCT2019 - Abbas "or a coconspirator" induce the Victim Law Firm to send $922,857.76 from their Quontic Bank account in New York to a Chase Account.

Overt Act 14 - 17OCT2019 - ABBAS sends a screenshot to UICC-1 showing a wire transfer of $396,050 from the Chase Account to a CIBC account in the name of UICC-2. 

Overt Act 15 - 17OCT2019 - UICC-2 was in California and informed by UICC-1 to look for the wire transfer to the CIBC Account

Overt Act 16 - 17OCT2019 - UICC-2 confirmed they had received the funds

Overt Act 17 - 17OCT2019 - UICC-1 told ABBAS that they $396,050 from the Chase account had been received into the CIBC account.

---

The Qatari Scam and the Watch

Hushpuppi also admits that he conspired to defraud a Qatari construction company that was seeking funds to build an international school.  Hushpuppi used the alias "Malik" and offered to help them open a bank account in the United States where a $15 Million loan could be deposited.  He arranged for a coconspirator to open a Wells Fargo bank account in Canoga Park, California, after creating a fictitious company with the Los Angeles County Registrar.  Then another coconspirator in Nigeria created a false "power of attorney" document and sent that information to Wells Fargo in December of 2019.  The victim was convinced that he needed to deposit funds into the account in order to secure the $15 Million loan.  However, after depositing $330,000, Hushpuppi and his colleagues stole the money, sending $230,000 to a Wells Fargo account belonging to a luxury watch seller and $100,000 to a Capital One bank account belonging to another co-conspirator.  

That's how Hushpuppi came to have a Richard Mille RM11-03 watch (co-created by Richard Mille Engineer Fabrice Namura and McLaren Automotive design director Rob Melville).  The watch was picked up in New York by one person, then flown from JFK Airport in New York to the UAE by another person, who delivered the watch to Hush on January 4, 2020, who immediately posted it on Instagram, calling it a New Year's present to himself.

Hushpuppi boasted on Instagram: "Quarter a million dollar watch as New Years gift to they self #RichardMille #RM1103 #EpainThem

As for the $100,000 that went to "Coconspirator D?"  Hush instructed them to send two cashier's checks one for $40,000 and one for $10,000 and use them to buy Hush a St. Kitts passport and a Nevis citizenship and passport.  He received his passport in February 2020.  The rest of the funds were converted to Naira.

Later, Hush and his coconspirators made another play at the Qatari businessman and convinced him that he had to pay "taxes" on the $15,000,000 imaginary loan in order to receive it.  To pay his taxes, the Qatari victim sent $299,983.58 into a bank account in Kenya. 

The Penalties of Crime

Altogether, in the Plea Agreement Hush agrees that he and his co-conspirators stole: 

• $14,700,000 from a Foreign Financial Institution
• $7,740,000 from UK victim companies
• $922,857.76 from the New York Law Firm
• and $809,983.58 from the Qatari victims.

"Defendant admits that all of the money laundering described above was sophisticated, extensive, and involved multiple persons." 

In the United States there are Sentencing Guidelines that are supposed to be used by the judge to ensure that sentences are standardized and consistent across different courts.  These sentencing guidelines are explained in the U.S. laws and each judge and prosecutor in Federal Courts is well aware of these guidelines.

The defendant agrees that these are fair interpretations of how to determine a sentence:

• Underlying Offense Level:  7 Points 
• Fraud Scheme outside the U.S. using Sophisticated Means:  +2 Points 
• Conviction under 18 USC § 1956 (which is the law on Money Laundering):  + 2 Points 
• Sophisticated Money Laundering: +2 Points 
• Financial Losses between $9.5 Million and $25 Million:  +20 points 

===============

Total Sentencing Guideline Points: 33 Points

According to the Sentencing Guidelines Table available on the United States Sentencing Commission website, a 33 Point offense with no previous criminal history SHOULD indicate a sentence of between 135 and 168 months, or 11 1/4 to 14 years.

Hushpuppi and his lawyer both understand this and have signed the plea agreement anyway.  While there may be extenuating circumstances lying behind some of the redacted pages, here is Hushpuppi's signature to these terms:

However, who is to say what else may be stated in the plea agreement behind all of the Redaction markings? Seven pages of the 29 page document look like this!  

For comparison, Ghaleb Alaumary, in many ways the man who HushPuppi was working for, pled guilty to his crimes in November 17, 2020.  The sentencing guidelines were similar, however Alaumary received a stiffer penalty for the amount of money stolen.  He has not yet been sentenced, but under the sentencing guidelines, Alaumary has a "35 offense level" which makes the recommendation 14 to 17.5 years in prison.  Alaumary had previous criminal convictions, however those were in Canada, and I am unsure whether they would alter the sentencing guidelines in a U.S. court.

Alaumary's Guilty Plea Sentencing Guidelines calculation

Hacking, Carding, SWATting and OCD: The Case of Mir Islam

There can be no argument that Mir Islam is a hideous Internet Troll.  Part of a group of hackers who participated in elaborate scams that combined social engineering, hacking, and gaining credit reports under false pretenses to expose the personally identifiable information of "at least 50 celebrities" on the website "exposed.su."

On July 11, 2016, Islam was given a 2-year sentence for "SWATting and Doxing" Arizona victims.  On the Justice.gov website press release of the sentence (see: https://www.justice.gov/usao-dc/pr/new-york-man-sentenced-24-months-prison-internet-offenses-including-doxing-swatting ) it mentions that his false 9-1-1 calls to summon SWAT teams unnecessarily involved cases against at least 20 celebrities and state and federal officials, including an Assistant United States Attorney and a Congressman from Michigan.

The world's top cybersecurity journalist, Brian Krebs, was among the victims of Islam's group after revealing on his blog the methods used by the group to dox celebrities including Arnold Schwartzenegger, Ashton Kutcher, and Jay Z, and government officials including FBI Directory Robert Mueller, CIA Director John Brennan, and First Lady Michelle Obama.  Krebs revealed the methods at KrebsOnSecurity in 2013 -- Credit Reports Sold for Cheap in the Underweb.

JoshTheGod's prior Experience as a Credit Card Thief

Like so many other young cyber criminals,  Mir Islam had been active in the carding scene, stealing and selling credit card information, and after his arrest tried to work a deal to be an informant. And like Albert Gonzalez, Max Vision, and so many other cybercriminals, was a disaster as an informant.  Under the Alias of JoshTheGod, "Josh" had been previously arrested, tried, convicted, and sentenced for Attempted Access Device Fraud, Conspiracy to Commit Access Device Fraud, Aggravated Identity Theft, and Conspiracy to Commit Computer Intrusion.   He was a member of a group called "UGNazi" and admitted to being a co-founder of the credit card trading website "Carders.org."

He was arrested as part of  a massive action announced on June 26, 2012, that also included 404myth (Christian Cangeopol of Georgia), Cubby (Mark Caparelli of San Diego, CA), Kabraxis314 (Sean Harper of Albuquerque, New Mexico), kool+kake (Alex Hatala of Jacksonville, Florida), OxideDox (Joshua Hicks of Bronx, NY), xVisceral (Michael Hogue of Tucson, AZ), IwearaMAGNUM (Peter Ketchum of Pittsfield, MA), theboner1 (Steven Hansen of Wisconsin) (and two minors). The case also involved 13 other arrests overseas.

FBI Press Release (Click to open)

 What were those charges based on?   Here's some from the charging document, filed May 28, 2013:

"From at least in or about 2009, through at least in or about June 2012, [the defendant and others] did willfully and knowingly did combine, conspire, confederate, and agree together and with each other to commit offenses under Title 18, United States Code Section 1029(a) to . . . "

• (in 2010) Purchase at least 20 computer servers over the Internet using stolen credit card information belonging to other individuals
• (in 2011) establish an Internet forum for other co-conspirators to buy, sell, and exchange stolen credit card information
• (in Feb 2012) possess stolen credit card information belonging to OVER 50,000 OTHER INDIVIDUALS
• use stolen bank account numbers to fraudulently make purchases
• launch coordinated attacks on computer systems for the purpose of disabling those systems including (Jan 2012 - DDOS attacks against the Ultimate Fighting Championship; DDOS attacks against Coach, Inc; June 2012 - DDOS attacks against the Wounded Warrior Project

The FBI Press Release also projected what charges Mr. Islam may be facing:

10 years for Access Device Fraud and 15 years for Affecting Transactions with unauthorized devices.

Aggravated Identity Theft

Under the law, identity theft is considered a FELONY if the perpetrator is found to have been involved in "the production or transfer of MORE THAN FIVE identification documents."

Quick math check.  50,000 credit cards > 5.  Ok, we're good.

Despite the fact that the criminal code, 18 U.S. Code § 1028A -- Aggravated Identity Theft, was SPECIFICALLY CREATED via the "Identity Theft Penalty Enhancement Act of 2004" to give a MANDATORY SENTENCE of 2 years imprisonment in addition to any other sentence received, Mir Islam was convicted of Aggravated Identity Theft and sentenced to ONE DAY imprisonment and three years supervised release.  Wait!?!?!  How did we get from "probably 10-15 years" to ONE DAY?

Did I mention that the two year sentence is MANDATORY?  Let's make that even more clear:

(b) CONSECUTIVE SENTENCE -- Notwithstanding any other provision of law -- 

(1) a court SHALL NOT PLACE ON PROBATION any person convicted of a violation of this section.

(2) except as provided in paragraph (4), no term of imprisonment imposed on a person under this section shall run concurrently with any other term of imprisonment imposed on the person under any other provision of law, including any term of imprisonment imposed for the felony during with the means of identification was transferred, possessed, or used; 

(3) in determining any term of imprisonment to be imposed for the felony during which the means of identification was transferred, possessed, or used, a court shall not in any way reduce the term to be imposed for such crime so as to compensate for, or otherwise take into account, any separate term of imprisonment imposed or to be imposed for a violation of this section;

Gee!  It almost sounds like a person who commits Aggravated Identity Theft is not supposed to get Probation or a Reduced Sentence!   In fact, in 2015, the Congressional Research Service was specifically asked to examine this statute.  Their conclusion was that "More than half of the judges responding to the United States Sentencing Commission sruvey felt that the two-year mandatory minimum penalty was generally appropriate."  While they fell short of wildly praising the statute, they summarized their report as being "mildly complimentary of the provision." (see "Mandatory Minimum Sentencing: Federal Aggravated Identity Theft")

Unfortunately, in order for the Mandatory term to be considered in effect, the corresponding Felony has to receive a sentence of "greater than one year" (which is why we see so many sentences of "a year and a day".)  As part of a plea agreement, he agreed to the dramatically reduced sentence of ONE DAY for the carding charges, in exchange for cooperating in good faith with the Southern District of New York's office to cooperate to try to identify further co-conspirators in his case.  Because it was the desire of law enforcement to use Mr. Islam as a source, he was given a sentence of ONE DAY for the carding charges, meaning that the intention of the legislators was entirely thwarted.  Rather than cooperating, the Prosecution's sentencing memo indicates that Islam was "toying with his FBI handlers, and continued his criminal activity in the Exposed conspiracy and his cyber-stalking." 

One of the conditions of his supervised release was set as "No Use of Computer or Internet Access without the Permission of the Parole Officer," which condition Mir Islam agreed to and swore to obey before a judge on June 26, 2012.   

JoshTheGod Re-Offends

On June 10, 2013, US District Judge approved that the defendant's bail be modified to include mandatory mental health treatment, and that the defendant BE ALLOWED TO PROCESS CREDIT CARD TRANSACTIONS AT HIS PLACE OF EMPLOYMENT and be allowed to possess a computer and access the Internet under the supervision of a case agent. (See PACER -- Case 1:12-cr-00810-KMW Document 26)

Great idea. Let's give a convicted credit card criminal permission to process credit cards at work.  After all, it's been more than a year since he was arrested for STEALING FIFTY THOUSAND CREDIT CARDS and running a forum for selling them on the Internet.

He didn't quite make it 90 days.  He was re-arrested on September 4, 2013. 

His new case, (1:15-cr-00067-RDM) opens up with charges of Violations of 18 USC Section 371 (Conspiracy) 18 USC Section 844(e) (Threatening and Conveying False Information Concerning Use of Explosive), and 18 USC Section 2261A(2) (Stalking).

The Conspiracy charges include that he was still doing identity theft  and wire fraud (18 USC Sections 1343, 1030(a)(2), 1028(a)(7), 1028(b)(2)(B), and that once again it was "Aggravated Identity Theft" level -- "15 or more devices which are unauthorized access devices, to wit, social security numbers" -- 1029(a)(3) and 1029(c)(1)(A)(i). And that he used those SSNs to obtain a thing of value - 42USC Section 408(a)(7)(B), and that he accessed a computer without authorization (18 USC 1030(a)(2)(A) and 1030(c)(2)(A), and that he "devised a scheme to defraud and obtain property by means of materially false and fraudulent pretenses" (18 USC Section 1343) and that he used a "deadly or dangerous weapon to assault, impede, intimidate or interfere with an officer of empoyee of hte US Government" -- 18 USC Section 111(a), 111(b), and thta he transmitted a threat to injure the person of another via interstate commerce -- 18 USC Section 875c.

Some of the particulars from this second round of charges include:

• March 2013 - purchasing stolen credit reports for US and State government officials and public celebrities from Exposed.su
• March 22, 2013 - began stalking "A.R.T" (the Arizona cheerleader) via email, Facebook, Instagram, Text message, and telephone calls, and making false Twitter accounts in A.R.T's name.
• March 23, 2013 - called in bomb threats to University of Arizona
• March 31, 2013 - "Swatting" a US Government employee in Massachusetts
• April 2013 - buying more credit reports for US and State government officials and public celebrities from "exposed.re"
• April 19, 2013 - "Swatting" T.L. a state government official in California
• April 27, 2013 - "Swatting" M.R. (that would be Mike Rogers, Congressman of Michigan)
• July 22, 2013, bought more credit reports from "exposed.ws" 
• August 12, 2013 - uploaded many sets of "Dox" to "exposed.ws" on a server in Washington DC

Mental Illness and Reducing Sentence

This week the sentence finally came down on Mir Islam.  He was sentenced to 24 months in prison to be followed by 36 months of supervised release, during which he will be required to participate in Education/Vocational training approved by Probations, participate in a Mental Health Treatment program, and consent to disclosing a list of all computer systems and internet capable devices and allowing them to be forensically searched or to have computer/internet monitoring program installed.

Why?   Partly because of an amazing 82 page "Defendant's Memorandum in Aid of Sentencing" that begins with:

Mr. Islam has matured immensely during his 34 months of incarceration and has taken great strides to atone for his behavior and overcome the mental health issues that contributed to it.  Accordingly, it is respectfully submitted that a sentence of time served and 36 months of supervised release would represent a sentence that is sufficient, but not greater than necessary to meet the purposes of sentencing reflected in 18 USC Section § 3353(a).  Such as sentence would be longer than many if not most sentences in similar cases, and would adequately punish conduct by an immature and mentally-ill teenager who, by the government's own admission, has earned a departure from the applicable guidelines range.

The memo then goes on to talk about his "Good Time Served" (meaning he was a model prisoner, which is not unexpected, given lack of access to a computer or telephone).  He then argues that the "doxing" was not really so bad, since "The Secret Files" were only accessible during three short periods, for 8 days, 20 days, and 20 days.

(Click to visit KrebsOnSecurity, source of this image)

He also claims that "Doxing" is not illegal (citing this The Daily Beast article, where all good legal theories should come from) and that we should consider the "veneer of legality, especially as perceived by the immature minds of the teenage co-conspirators."  He goes on to say that we should consider the "misguided but public-minded spirit and desire for attention not uncommon among teenagers."  Would that be the "public-minded spirit" that caused so many SWAT teams to waste their time and place innocent people in danger?   Just in the University of Arizona case, testimony was given that FIFTY-FOUR OFFICERS were involved in searching for the non-existent bomb while classes were canceled and students, staff and faculty faced the fear (and inconvenience) of potential death during the ensuing lockdown.

While the defense admits that swatting was "extremely traumatic and dangerous" he claims that "in the online gaming communities in which Islam practically lived and breathed, swatting was an unfortunately common tactic used by competitive gamers to harass their opponents."  Because of this we are to understand that this would have been considered "normal" behavior by "teenagers immersed in this new online world."

In the case of the swatting of an Assistant US Attorney, the government provides a transcript of the 9-1-1 call:

"Hello my wife is dead.  I shot her and now she's dead.  I don't know what to do.
I'm having thoughts of hurting people and I don't know what to do.  If anyone comes in my house I might shoot them.  I am just letting you know now if I see any police outside my house I will start shooting.  I will not be taken alive.  Mark my words. I am not going to prison for the rest of my life.  I will not.  Don't worry about where I am at in the house. If any cops are outside in my yard or on the street I will start shooting.  By the way I have a police scanner right next to me and I can hear everything and you guys  think I'm joking.  I will shoot anyone who comes near my property.  I see cars outside my house I swear I will shoot.  I am not playing.  I am not fucking around. I will shot them.  You know I work with the police a lot but I am not afraid to shoot them."

Youthful prank, right?

The defense then moves on to address the cyberstalking of A.R.T., which he admits "subjected her to emotional distress, anxiety, and fear for her safety" and was "extremely serious."  HOWEVER, he goes on, "Islam was suffering from untreated obsessive-compulsive disorder (OCD) which fueled his obsession for A.R.T. and drove him to try to contact her through any and all means."  Islam "believed at the time that he had communicated and developed a relationship with A.R.T. through weeks of online conversations, causing him extreme confusion and anxiety with her refusal to interact with him in the non-virtual world."

The document then goes on to explain Islam's life, immigrating at age six from Bangladesh to Bronx, New York. They say he had untreated bipolar disorder, chronic depression, OCD, and ADHD, which led to him dropping out of high school to spend 15-18 hours per day online without interruption or parental intervention.  They then go on to explain his "carding" as a "seductive playground that allowed them to purchase food and electronics with stolen credit card numbers" and that Islam viewed these activities as "adolescent pranks."

Next we turn to his prison hardships, including the fact that he was denied a lower bunk even though he was a restless sleeper (which the defense says led to a herniated disc, nerve damage, and chronic pain after falling from a top bunk.)  He also claims he was given "vitamins contaminated by mold" that damaged his cartilage in his wrists and knees, discolored his skin, and exacerbated his chronic pain.  That is some mighty powerful Vitamin Mold!  Islam also filed charges against the prison for denying him Kosher food.  (These examples are to use the sentencing reduction of "Harsh conditions of confinement."  Not sure if "denied lower bunk" and "given moldy vitamins" are what that the term "Harsh conditions" normally means.)

CyberCrime: The World Where Sentencing Guidelines Don't Matter At All

The strongest and most unforgivable argument the defense makes is that Section 3553(a) directs courts to consider the need to avoid unwarranted sentencing disparities.  In the government's sentencing memo they had made the assertion that they were "unaware of any individuals sentenced for conduct similar to Islam's."  The defense jumps on that and waves it in their faces!  The defense  argues that because Hector "Sabu" Monsegur of Lulzsec got RIDICULOUS [my term] sentencing departures (a 97% reduction in the minimum sentencing) and that Sabu and JoshTheGod were both people who violated their release conditions and were remanded back into custody for very similar crimes, the Federal Government themselves had basically established precedence that hacker sentencing guidelines are worthless and not to be taken at face value.

The defense also argues "The need to avoid unwarranted sectencing disparities" with regard to other swatting cases.  They cite Tollis (1 year and 1 day for numerous swattings of schools and universities) and James Eli Shiffer (15 months for multiple doxing, swatting, and cyberstalking incidents.)  That argument is strengthened even more by the government's failure to observer proper sentencing for many of those arrested at the same time as Islam.  The defense gives examples  including Christian Cangeopol (3 years probation), Harper (time served), Joshua Hicks (2 years probation), Michael Hogue (5 years probation) and Peter Ketchum (2 years probation).  The LulzSec slap-on-the-wrist cases were also used in the Defense's argument - Cody Krestsinger (1 year imprisonment, 1 year home detention), Raynoldo Rivera (1 year and 1 day, 13 months home detention), Matthew Flannery (15 months home detention) and Hector Xavier Monsegur, already mentioned, (7 months.)

 Part of the Defendant's package was a letter to the judge praising Mir Islam for being a successful graduate of The Focus Forward class, where he studied the book A Long Way Gone and learned public speaking, conflict resolution, and resume writing skills.  He brought "light-hearted humor and laughter to class discussions" and "displayed humility, opening up to the group about the frustration and disappointment he felt about finding himself in this situation."  

Would that be the same "light-hearted humor" that he used when telling University of Arizona police that he was holding a rifle to the head of a woman that he was planning to kill if he did not receive $50,000 in ransom, and that he had placed explosives in eight campus buildings and was going to blow them up and start shooting?

Mir himself wrote a letter to the judge about how he wants to make a project "similar to PayPal" to help the members of my society stop getting ripped off.  Excuse me.  You can read his letter while I go get a tissue:

Chance of Re-offending?

Really?   This letter comes from the kid who arranged a ONE DAY sentence for all of his credit card crimes in exchange for giving his "Full Cooperation" to the SDNY FBI Office. Despite the prosecution's Sentencing Memo pointing out that "Based on Islam's duplicity in his SNY case, any expression of remorse or contrition by Islam should be viewed with a great deal of skepticism" the judge chose to ignore this and issue Yet Another Slap On The Wrist.

 Anyone taking bets on how many months it takes for Mir Islam to re-offend when he is released?  Put me down for "thirty-days or less."