CONCORD, NH – Hieu Minh Ngo, 25, of Vietnam, was sentenced July 14 in U.S. District Court in Concord to 13 years in prison for hacking into U.S. business computers, stealing personal information of approximately 200 million Americans and selling it to other cybercriminals.
Ngo made nearly $2 million from his scheme. The Internal Revenue Service has confirmed that 13,673 U.S. citizens, whose stolen “personally identifiably information” (PII) was sold on Ngo’s websites, have been victimized through the filing of $65 million in fraudulent individual income tax returns. The case was investigated by the U.S. Secret Service’s Manchester Resident Office.
Assistant Attorney General Leslie R. Caldwell of the Justice Department’s Criminal Division, Acting U.S. Attorney Donald Feith of the District of New Hampshire and Director Joseph P. Clancy of the U.S. Secret Service made the announcement Tuesday.
Ngo was sentenced by U.S. District Court Judge Paul J. Barbadoro of the District of New Hampshire after previously pleading guilty to federal charges brought in the District of New Hampshire and the District of New Jersey, including wire fraud, identity fraud, access device fraud and four counts of computer fraud and abuse.
“From his home in Vietnam, Ngo used Internet marketplaces to offer for sale millions of stolen identities of U.S. citizens to more than a thousand cyber criminals scattered throughout the world,” said Caldwell. “Criminals buy and sell stolen identity information because they see it as a low-risk, high-reward proposition. Identifying and prosecuting cybercriminals like Ngo is one of the ways we’re working to change that cost-benefit analysis.”
Feith said this case demonstrates that identity theft continues to be a “worldwide threat” with the potential to “touch every one of us,” including residents of New Hampshire.
According to a report on this case by reporter Brian Krebs via his blog, Krebs On Security, Ngo posed as a private investigator operating out of Singapore and was able to contract with Court Ventures by paying for access to consumer records by sending cash wire transfers from a bank in Singapore. “Through that contract, Ngo was able to make available to his clients access to the U.S. Info Search database containing Social Security, date of birth and other records on more than 200 million Americans.”
The site goes on to explain that Court Ventures was purchased in March of 2012 by credit reporting company Experian, a transaction which allowed Ngo to “siphon” consumer data from the credit reporting company.
According to admissions made in connection with his guilty plea, from 2007 to 2013, Ngo operated online marketplaces from his home in Vietnam, including “superget.info” and “findget.me,” to sell packages of stolen PII. These packages, known as “fullz,” typically included a person’s name, date of birth, social security number, bank account number and bank routing number.
Ngo also admitted to acquiring and offering for sale stolen payment card data, which typically included the victim’s payment card number, expiration date, CVV number, name, address and phone number. Ngo admitted that he obtained some of the stolen PII by hacking into a New Jersey-based business and stealing customer information. In addition to selling the “fullz,” Ngo admitted to offering buyers the ability to query online databases for the stolen PII of specific individuals. Specifically, Ngo admitted that he offered access to PII for 200 million U.S. citizens, and that more than 1,300 customers from around the world conducted more than three million “queries” through the third-party databases maintained on his websites.
You can read Ngo’s guilty plea below, from March 3, 2014, during which he discusses with the judge among other things, “voices” in his head.
You’re one click away! Sign up for our free newsletter and never miss another thing