Two individuals have been prosecuted for their suspected participation in last year's breach of the Drug Enforcement Agency's (DEA) online platform, as revealed by Gizmodo.
2022 DEA Portal Breach
The US Department of Justice (DOJ) said in a news statement published earlier this week that Sagar Steven Singh and Nicholas Ceraolo stole the credentials of a police officer in order to get access to a federal law enforcement database, which they then exploited to extort victims.
In a report by The Verge, authorities said Singh, 19, and Ceraolo, 25, are members of the hacking gang Vile. They often take personal information from victims before threatening to dox them online if they do not get paid.
The DOJ does not specify which agency Singh and Ceraolo allegedly breached. Still, it does note the site in question includes "detailed, nonpublic records of narcotics and currency seizures, as well as law enforcement intelligence reports." This is consistent with a claim from Krebs on Security, suggesting the attack is connected to the DEA.
Taunting Victims
The lawsuit alleges that Singh utilized information obtained from the federal site to threaten his victims, including writing to one individual and threatening to harm their family unless they provided him access credentials to their Instagram accounts. He then intimidated the victim by including his or her social security number, driver's license number, residential address, and other personal information he obtained from a government database.
Singh reportedly said to the victim, "Through [the] portal, I can request information on anyone in the US doesn't matter who, nobody is safe. You're gonna comply to me if you don't want anything negative to happen to your parents."
Ceraolo, meanwhile, utilized the web to gain the email address of a Bangladeshi police officer. He reportedly posed as the officer and persuaded an unidentified social networking platform to reveal the home address, email address, and phone number of a particular user under the premise that the victim participated in kid extortion and blackmail and threatened the Bangladeshi government.
Ceraolo apparently tried to con both a well-known gaming platform and a face recognition firm in the same manner, but both turned down his demands.
Several sources have identified Ceraolo as a security researcher, citing his work identifying flaws at telecommunications companies, including T-Mobile, AT&T, and Cox Communications, as noted by Krebs on Security. In May 2022, law enforcement searched Ceraolo's house; in September, they searched Singh's home.
Although Singh was arrested in Pawtucket, Rhode Island, on Tuesday, Mar. 14, Ceraolo turned himself in immediately after the DOJ published its allegations.
The US claims that Ceraolo may spend a maximum of 20 years in prison for his role in a conspiracy to conduct wire fraud and that he and Singh could spend an additional five years in jail for their roles in a conspiracy to commit cyber intrusions.