March 6, 2015

U.S. federal prosecutors in Atlanta today unsealed indictments against two Vietnamese men and a Canadian citizen in connection with what’s being called “one of the largest reported data breaches in U.S. history.” The government isn’t naming the victims in this case, but all signs point to the 2011 hack of Texas-based email marketing giant Epsilon.

The government alleges the defendants made more than $2 million blasting out spam to more than one billion email addresses stolen from several email service providers (ESPs), companies that manage customer email marketing on behalf of major corporate brands. The indictments further allege that the men sent the junk missives by hijacking the email servers used by these ESPs.

“This case reflects the cutting-edge problems posed by today’s cybercrime cases, where the hackers didn’t target just a single company; they infiltrated most of the country’s email distribution firms,” said Acting U.S. Attorney John Horn.  “And the scope of the intrusion is unnerving, in that the hackers didn’t stop after stealing the companies’ proprietary data—they then hijacked the companies’ own distribution platforms to send out bulk emails and reaped the profits from email traffic directed to specific websites.”

To be clear, prosecutors haven’t specifically outed Epsilon as the victim, nor did they name any of the other email service providers (ESPs) allegedly harmed by the defendants. But a press release issued today by Horn’s office states that “the data breach into certain ESPs was the subject of a congressional inquiry and testimony before a U.S. House of Representatives subcommittee on June 2, 2011.”

That date aligns with a June 2, 2011 House Energy and Commerce Committee panel on the data breaches at Sony and Epsilon. Epsilon officials could not be immediately reached for comment.

Update, 11:27 p.m. ET: Epsilon confirmed that it is among the victims in this case. See the end of this story for their full statement.

Original story:

In early April 2011, customers at dozens of Fortune 500 companies began complaining of receiving spam to email addresses they’d created specifically for use with those companies. On April 2, 2011, Epsilon started notifying consumers that hackers had stolen customer email addresses and names belonging to a “subset of its clients.”

Those clients were ESPs that send email to customers on behalf of some of the biggest firms in the world. Epsilon didn’t name which ESPs were impacted, but the voluminous complaints from consumers about spam indicated that those ESPs served a broad range of major companies, including JP Morgan Chase, U.S. Bank, Barclays, Kroger, McDonalds, Walgreens, and Honda, to name but a few.

A scam web site that tried to sell copies of Adobe Reader.

As I noted in that April 2011 story, consumers had complained of receiving junk email with links to sites that tried to sell versions of software made by Adobe Systems Inc. Some of the sites reportedly even tried to sell copies of Adobe Reader — software that Adobe gives away for free.

Sure enough, the men indicted today are accused of hacking into a major ESP to steal more than a billion email addresses, which they allegedly used to promote knockoff versions of Adobe software (among other dubious products).

Prosecutors in Atlanta today unsealed indictments against Viet Quoc Nguyen and Giang Hoang Vu, both citizens of Vietnam who resided for a period of time in the Netherlands. The government also unsealed an indictment against David-Manuel Santos Da Silva, a Canadian citizen who was charged with conspiring with Nguyen and others to launder the proceeds of Nguyen’s alleged computer hacking offenses.

The government alleges that Nguyen used various methods — including targeted email phishing campaigns — to trick recipients at email marketing firms into clicking links to sites which attempted to exploit browser vulnerabilities in a bid to install malicious software. For more on those targeted attacks, see my Nov. 24, 2010 story, Spear Phishing Attacks Snag E-Mail Marketers.

A copy of one spear phishing email sent to ESP employees in Nov. 2010.

“Nguyen’s phishing campaigns allegedly delivered malware, which allowed him backdoor access to the ESP employees’ computer systems and enabled him to steal sensitive information, including the employees’ access credentials for the ESP’s computer systems,” the government alleged. “Using stolen access credentials, Nguyen was not only able to allegedly steal confidential information by downloading the information from the ESPs’ computer systems to a server that he controlled in the Netherlands, but was also able to utilize the ESPs’ computer systems to launch spam attacks on tens of millions of stolen email addresses.”

Prosecutors released this photo of Nguyen, in undated Facebook profile photo.

Vu allegedly assisted in the spamming. Da Silva allegedly helped launder the proceeds of the spam campaigns. Prosecutors say Da Silva ran an affiliate marketing firm called Marketbay.com, and that through that service he provided Vu and Nguyen a way to monetize their spam campaigns.

If recipients of the spam emails clicked through and paid for the products advertised in the junk email, those customers would be directed through Marketbay’s affiliate links. According to the government, Da Silva knew Vu and Nguyen were using stolen email addresses and hijacked ESPs to drum up sales, which prosecutors allege generated more than $2 million for the men.

Vu was arrested by Dutch authorities in 2012 and was later extradited to the United States. He has pleaded guilty to conspiracy to commit computer fraud, and is slated to be sentenced in April 2015.

Da Silva was arrested in Ft. Lauderdale, Fla. on Feb. 12, and is expected to make his first appearance today before a federal magistrate in Atlanta. Nguyen is not in custody and remains a fugitive.

The indictment against Da Silva is here (PDF). The Nguyen indictment is at this link (PDF).

Update: As noted in the update above, Epsilon responded to a request for comment with the following statement:

“Epsilon confirms that it is among the victims of the cybercrime referenced in the Department of Justice’s indictment unsealed on March 5 against three individuals for their roles in hacking email service providers throughout the United States. We are pleased with the outcome of the investigation carried out by the U.S. Secret Service and the resulting indictment by the Department of Justice, and thank them for bringing this criminal activity to prosecution. Data protection is, and always has been, the top priority at Epsilon, and businesses and law enforcement must work together to prevent this type of criminal activity.”


22 thoughts on “Feds Indict Three in 2011 Epsilon Hack”

  1. itsmeitsmeitsddp

    These three need to be prosecuted and made an example of so that future conmen/hackers might think twice before stealing personal info or credit card info.

    Who am I kidding, these thugs won’t stop.

  2. Duff

    If these people want to work with junk mail so much maybe we should give them jobs with the post office, talk about junk mail. Save money on jails and keep them away from computers since obviously the post office can’t deliver the mail to the right place anyway.

    1. !m a d3rp to ju5t l!k3 you

      you don’t think much, do you? uh, for one thing your financial information comes and goes through the post office and that only gives them hidden access to it.

      next time try visualizing life in the big picture.

      you’re learning though and that’s what we like about you.

      learn by doing. keep up the good work!

    1. Rick Blaine

      Gee, and to think 50k Americans in Vietnam war died for this guy!

      1. Austin

        The yanks died for their own country for the so-called domino theory of communism spreading around the world. Kennedy ordered the killing of President Ngo Dinh Diem of Vietnam so US forces could come in and station there.
        The yanks grew the seed then ran away after they got a handshake with China; these kids were born and trained by the US, this is the consequence of the American lifestyle.
        What goes around, comes around.
        That’s it.

        1. Rick Blaine

          Your response sounds like Commie-speak to me. Oh well.

  3. Dave Horsfall

    It’s not clear whether the alleged perps are in the USA or not. And I see that one of them is a fan of The Who 🙂

    1. BrianKrebs Post author

      As the story says, two of the men are in custody in the US. One is at large (meaning, they don’t know where he is).

      1. !m a d3rp to ju5t l!k3 you

        he’s probably over in iraq and or syria with IS doing financial support for the daesh now as he’s got the other 2 guys money now that they’re in custody. one can only hope. I like dreamin’, don’t you?

  4. Tom

    It’s time these script kiddies got a taste of real justice … the harm they do is real and needs to be punished accordingly!

  5. Mike

    I find it interesting that a few individuals that do these sorts of things are seen as criminals and yet the world is perfectly alright if some established company starts doing the same thing.

    Seems kinda two-faced to me.

    1. Rick Blaine

      I agree….Sadly, “He who holds the gold makes the rules”

  6. Tim

    Burglary and home invasion have been illegal for years but simple prosecution hasn’t stopped those crimes either. Absolutely prosecute, but don’t think that will deter anyone who believes that they are smarter than the rest of us. We still lock our doors and turn on alarm systems and so should we with our digital homes and businesses. Train users. Patch systems immediately. Monitor traffic continuously. Physically secure your servers. Use VPN away from your secure network. Different safeguards. Different technology.

  7. Eaglewerks

    Some observations:
    The 2 and a half year-old Nguyen indictment, unsealed recently, does not give much information other than to suggest the two individuals of Vietnamese heritage, one being Mr. Nguyen, were living, at times, in The Netherlands and Vietnam.

    The Vietnam / Netherlands connection goes back centuries, to the late 1600’s. The Netherlands has been very active in the modern development of Vietnam, much more so than any other “western power.”

    Mr. Nguyen’s entire name is actually more popular world-wide than is the generic Mr. Smith surname in the United States or England. It may be difficult to identify the correct Mr. Nguyen unless the authorities have excellent DNA samples.

    The Mr. Nguyen pictured is a very attractive young man and will be very popular with some guards and many bubbas at any location of incarceration.

    If he could be trusted, Mr. Nguyen’s expertise could be of use to many large corporations and governments around the world.

  8. Noobly

    Spammers hacking spammers — what will they think of next?

  9. chipopo

    In all my experience I can vouch Epsilon has one of the worst-designed firewall policies and layout

  11. Sundra

    So these spammers basically stole from their fellow spammers? That’s pretty ironic. It’s just weird because there are bigger companies that are doing the same thing, but nobody’s indicting them of anything because they’re hiding behind the mantle of legitimacy.

  12. Josef

    It says three indictments but I see links and names for only two. I waited thinking this was an oversight but it has been a month… any updates on the third party?
