Three Dutch men have been arrested on suspicion of participating in a major cyber-extortion campaign affecting tens of millions of victims.
A 21-year-old from Zandvoort is the prime suspect, alongside a 21-year-old from Rotterdam and an 18-year-old of no fixed abode, according to the Dutch police.
An investigation into their alleged activities began in March 2021 and uncovered evidence of attacks on thousands of organizations – both domestic and global.
After gaining initial access to targeted companies and stealing sensitive customer information, the men allegedly extorted their victims by threatening to destroy their “digital infrastructure” or to leak the information publicly, in a manner similar to ransomware actors.
However, Dutch police claimed that “in many cases” the hackers sold the stolen data even after receiving a ransom payment.
Ransom demands were in the €100,000–€700,000 ($106,000–$740,000) range, with one report claiming the prime suspect made as much as €2.5m ($2.6m) over the past few years.
Among the data stolen by the trio are names, addresses and telephone numbers, dates of birth, bank account numbers, credit card details, passwords, license plate numbers, national ID numbers and passport data, the police claimed.
These attacks caused financial and reputational harm to the compromised companies and distress to the individuals whose information was stolen and sold on the cybercrime underground.
Among those breached were hospitality firms, training institutes, online stores, software companies and even social media providers, the police said.
Once taken from breached firms, captured data is increasingly processed before onward sale, making it more valuable to cyber-criminals looking to use it for follow-on phishing or fraud.
“The investigation shows that a special computer code is used to refine stolen data,” the police report revealed.
“Stolen databases are made especially suitable by such data refining to approach specifically selected victims for, for example, phishing, chat tricks, bank help desk fraud or identity fraud. For example, a database can be filtered on Dutch people born in the 1940s and 1950s.”