26 Aug 20

Confessions of an ID Theft Kingpin, Part I

At the height of his cybercriminal career, the hacker known as “Hieupc” was earning $125,000 a month running a bustling identity theft service that siphoned consumer dossiers from some of the world’s top data brokers. That is, until his greed and ambition played straight into an elaborate snare set by the U.S. Secret Service. Now, after more than seven years in prison, Hieupc is back in his home country and hoping to convince other would-be cybercrooks to use their computer skills for good.

Hieu Minh Ngo, in his teens.

For several years beginning around 2010, a lone teenager in Vietnam named Hieu Minh Ngo ran one of the Internet’s most profitable and popular services for selling “fullz,” stolen identity records that included a consumer’s name, date of birth, Social Security number and email and physical address.

Ngo got his treasure trove of consumer data by hacking and social engineering his way into a string of major data brokers. By the time the Secret Service caught up with him in 2013, he’d made over $3 million selling fullz data to identity thieves and organized crime rings operating throughout the United States.

Matt O’Neill is the Secret Service agent who in February 2013 successfully executed a scheme to lure Ngo out of Vietnam and into Guam, where the young hacker was arrested and sent to the mainland U.S. to face prosecution. O’Neill now heads the agency’s Global Investigative Operations Center, which supports investigations into transnational organized criminal groups.

O’Neill said he opened the investigation into Ngo’s identity theft business after reading about it in a 2011 KrebsOnSecurity story, “How Much is Your Identity Worth?” According to O’Neill, what’s remarkable about Ngo is that to this day his name is virtually unknown among the pantheon of infamous convicted cybercriminals, the majority of whom were busted for trafficking in huge quantities of stolen credit cards.

Ngo’s businesses enabled an entire generation of cybercriminals to commit an estimated $1 billion worth of new account fraud, and to sully the credit histories of countless Americans in the process.

“I don’t know of any other cybercriminal who has caused more material financial harm to more Americans than Ngo,” O’Neill told KrebsOnSecurity. “He was selling the personal information on more than 200 million Americans and allowing anyone to buy it for pennies apiece.”

Freshly released from the U.S. prison system and deported back to Vietnam, Ngo is currently finishing up a mandatory three-week COVID-19 quarantine at a government-run facility. He contacted KrebsOnSecurity from inside this facility with the stated aim of telling his little-known story, and to warn others away from following in his footsteps.

BEGINNINGS

Ten years ago, then 19-year-old hacker Ngo was a regular on the Vietnamese-language computer hacking forums. Ngo says he came from a middle-class family that owned an electronics store, and that his parents bought him a computer when he was around 12 years old. From then on out, he was hooked.

In his late teens, he traveled to New Zealand to study English at a university there. By that time, he was already an administrator of several dark web hacker forums, and between his studies he discovered a vulnerability in the school’s network that exposed payment card data.

“I did contact the IT technician there to fix it, but nobody cared so I hacked the whole system,” Ngo recalled. “Then I used the same vulnerability to hack other websites. I was stealing lots of credit cards.”

Ngo said he decided to use the card data to buy concert and event tickets from Ticketmaster, and then sell the tickets at a New Zealand auction site called TradeMe. The university later learned of the intrusion and Ngo’s role in it, and the Auckland police got involved. Ngo’s travel visa was not renewed after his first semester ended, and in retribution he attacked the university’s site, shutting it down for at least two days.

Ngo said he started taking classes again back in Vietnam, but soon found he was spending most of his time on cybercrime forums.

“I went from hacking for fun to hacking for profits when I saw how easy it was to make money stealing customer databases,” Ngo said. “I was hanging out with some of my friends from the underground forums and we talked about planning a new criminal activity.”

“My friends said doing credit cards and bank information is very dangerous, so I started thinking about selling identities,” Ngo continued. “At first I thought well, it’s just information, maybe it’s not that bad because it’s not related to bank accounts directly. But I was wrong, and the money I started making very fast just blinded me to a lot of things.”

MICROBILT

His first big target was a consumer credit reporting company in New Jersey called MicroBilt.

“I was hacking into their platform and stealing their customer database so I could use their customer logins to access their [consumer] databases,” Ngo said. “I was in their systems for almost a year without them knowing.”

Very soon after gaining access to MicroBilt, Ngo says, he stood up Superget[.]info, a website that advertised the sale of individual consumer records. Ngo said initially his service was quite manual, requiring customers to request specific states or consumers they wanted information on, and he would conduct the lookups by hand.

Ngo’s former identity theft service, superget[.]info

“I was trying to get more records at once, but the speed of our Internet in Vietnam then was very slow,” Ngo recalled. “I couldn’t download it because the database was so huge. So I just manually search for whoever need identities.”

But Ngo would soon work out how to use more powerful servers in the United States to automate the collection of larger amounts of consumer data from MicroBilt’s systems, and from other data brokers. As I wrote of Ngo’s service back in November 2011:

“Superget lets users search for specific individuals by name, city, and state. Each “credit” costs USD$1, and a successful hit on a Social Security number or date of birth costs 3 credits each. The more credits you buy, the cheaper the searches are per credit: Six credits cost $4.99; 35 credits cost $20.99, and $100.99 buys you 230 credits. Customers with special needs can avail themselves of the “reseller plan,” which promises 1,500 credits for $500.99, and 3,500 credits for $1000.99.

“Our Databases are updated EVERY DAY,” the site’s owner enthuses. “About 99% nearly 100% US people could be found, more than any sites on the internet now.”

Ngo’s intrusion into MicroBilt eventually was detected, and the company kicked him out of their systems. But he says he got back in using another vulnerability.

“I was hacking them and it was back and forth for months,” Ngo said. “They would discover [my accounts] and fix it, and I would discover a new vulnerability and hack them again.”

COURT (AD)VENTURES, AND EXPERIAN

This game of cat and mouse continued until Ngo found a much more reliable and stable source of consumer data: a U.S.-based company called Court Ventures, which aggregated public records from court documents. Ngo wasn’t interested in the data collected by Court Ventures, but rather in its data sharing agreement with a third-party data broker called U.S. Info Search, which had access to far more sensitive consumer records.

Using forged documents and more than a few lies, Ngo was able to convince Court Ventures that he was a private investigator based in the United States.

“At first [when] I sign up they asked for some documents to verify,” Ngo said. “So I just used some skill about social engineering and went through the security check.”

Then, in March 2012, something even more remarkable happened: Court Ventures was purchased by Experian, one of the big three major consumer credit bureaus in the United States. And for nine months after the acquisition, Ngo was able to maintain his access.

“After that, the database was under control by Experian,” he said. “I was paying Experian good money, thousands of dollars a month.”

Whether anyone at Experian ever performed due diligence on the accounts grandfathered in from Court Ventures is unclear. But it wouldn’t have taken a rocket surgeon to figure out that this particular customer was up to something fishy.

For one thing, Ngo paid the monthly invoices for his customers’ data requests using wire transfers from a multitude of banks around the world, but mostly from new accounts at financial institutions in China, Malaysia and Singapore.

O’Neill said Ngo’s identity theft website generated tens of thousands of queries each month. For example, the first invoice Court Ventures sent Ngo in December 2010 was for 60,000 queries. By the time Experian acquired the company, Ngo’s service had attracted more than 1,400 regular customers, and was averaging 160,000 monthly queries.

More importantly, Ngo’s profit margins were enormous.

“His service was quite the racket,” O’Neill said. “Court Ventures charged him 14 cents per lookup, but he charged his customers about $1 for each query.”

By this time, O’Neill and his fellow Secret Service agents had served dozens of subpoenas tied to Ngo’s identity theft service, including one that granted them access to the email account he used to communicate with customers and administer his site. The agents discovered several emails from Ngo instructing an accomplice to pay Experian using wire transfers from different Asian banks.

TLO

Working with the Secret Service, Experian quickly zeroed in on Ngo’s accounts and shut them down. Aware of an opportunity here, the Secret Service contacted Ngo through an intermediary in the United Kingdom — a known, convicted cybercriminal who agreed to play along. The U.K.-based collaborator told Ngo he had personally shut down Ngo’s access to Experian because he had been there first and Ngo was interfering with his business.

“The U.K. guy told Ngo, ‘Hey, you’re treading on my turf, and I decided to lock you out. But as long as you’re paying a vig through me, your access won’t go away’,” O’Neill recalled.

The U.K. cybercriminal, acting at the behest of the Secret Service and U.K. authorities, told Ngo that if he wanted to maintain his access, he could agree to meet up in person. But Ngo didn’t immediately bite on the offer.

Instead, he weaseled his way into another huge data store. In much the same way he’d gained access to Court Ventures, Ngo got an account at a company called TLO, another data broker that sells access to extremely detailed and sensitive information on most Americans.

TLO’s service is accessible to law enforcement agencies and to a limited number of vetted professionals who can demonstrate they have a lawful reason to access such information. In 2014, TLO was acquired by Trans Union, one of the other three big U.S. consumer credit reporting bureaus.

And for a short time, Ngo used his access to TLO to power a new iteration of his business — an identity theft service rebranded as usearching[.]info. This site also pulled consumer data from a payday loan company that Ngo hacked into, as documented in my Sept. 2012 story, ID Theft Service Tied to Payday Loan Sites. Ngo said the hacked payday loans site gave him instant access to roughly 1,000 new fullz records each day.

Ngo’s former ID theft service usearching[.]info.

BLINDED BY GREED

By this time, Ngo was a multi-millionaire: His various sites and reselling agreements with three Russian-language cybercriminal stores online had earned him more than USD $3 million. He told his parents his money came from helping companies develop websites, and even used some of his ill-gotten gains to pay off the family’s debts (its electronics business had gone belly up, and a family member had borrowed but never paid back a significant sum of money).

But mostly, Ngo said, he spent his money on frivolous things, although he says he’s never touched drugs or alcohol.

“I spent it on vacations and cars and a lot of other stupid stuff,” he said.

When TLO locked Ngo out of his account there, the Secret Service used it as another opportunity for their cybercriminal mouthpiece in the U.K. to turn the screws on Ngo yet again.

“He told Ngo he’d locked him out again, and that he could do this all day long,” O’Neill said. “And if he truly wanted lasting access to all of these places he used to have access to, he would agree to meet and form a more secure partnership.”

After several months of conversing with his apparent U.K.-based tormentor, Ngo agreed to meet him in Guam to finalize the deal. Ngo says he understood at the time that Guam is an unincorporated territory of the United States, but that he discounted the chances that this was all some kind of elaborate law enforcement sting operation.

“I was so desperate to have a stable database, and I got blinded by greed and started acting crazy without thinking,” Ngo said. “Lots of people told me ‘Don’t go!,’ but I told them I have to try and see what’s going on.”

But immediately after stepping off of the plane in Guam, he was apprehended by Secret Service agents.

“One of the names of his identity theft services was findget[.]me,” O’Neill said. “We took that seriously, and we did like he asked.”

This is Part I of a multi-part series. Part II in this series is available at this link.


43 comments

  1. Once again you’re on top of the story, Brian. I fear, though, that the young’uns will be more inspired than fearful about going into this “business”.

    • All he learned was to be more careful from now on. He is out after 7 years and his victims are probably *still* trying to fix their stolen identity and records.

  2. These pretzels are making me thirsty. 😉

  3. Very good article, can’t wait for part 2! About time some of these hackers came clean and told others to use their skills for good.

    • What “skills”? The overwhelming majority of criminal hackers are just that – “hacks”. They may be clever and persistent, but I’ve spent my career working with people whose programming and networking skills could run circles around your average cybercriminal. The difference was that my colleagues had ethics, and didn’t need 7 years in federal prison to suddenly grow some semblance of a conscience.

      If these guys were employable, they’d be employed. They’d already be productive, and they’d be making a good living at it. But they’re crooks. The only difference is that they use computers to steal instead of guns.

  4. 7 years of free meals and accommodation and after that a green card and job with US government… And imbeciles say crime doesn’t pay. I guess it’s time to break bad.

    • I don’t know what article you read, but this kid was deported to Vietnam, not given a green card. No mention of his employer, either.

    • He’s not currently employed, and says he’s taking time off to be with his family before working on projects to steer kids away from cybercrime. I believe he’s being earnest and truthful. We’ll see, I guess. He states up front in his Linkedin profile that he’s a convicted cybercriminal. Anyway, some of this will be clearer in Part II.

    • No, that’s Russia. They go out of their way to employ criminals.

      He was deported back to Vietnam and is currently in quarantine.

    • tumadre: I’ll pass on THAT kind of “free meals and accommodation”…. not tempting at all.

      Oh, and what about my mother???

  5. What’s a rocket surgeon?

  6. The Sunshine State

    I can’t wait for part two!

  7. I hope Darknet Diaries will do a podcast with him! Does anyone know how to reach Jack?

  8. Not a lot of difference between what he did and all the companies gathering and selling our info in the first place.

  9. Funny, but it seems like I was reading just the other day that another gang was caught buying credit reports from a reporting agency. I must be getting old.

  10. 100k bucks a month, the dude must be upper rich. He’s smart though

  11. Wow! What a story

  12. The guy is very smart only that he was consumed by greed

  13. Hey gr8 story. I can’t wait for 2morrow’s part deux. Luv the rocket surgery expression.

  14. “I did contact the IT technician there to fix it, but nobody cared so I hacked the whole system,” Ngo recalled.

    I did contact the bank about their lack of security, but nobody cared so I robbed the whole bank.

    I did contact the store about their poor service, but nobody cared so I burned it down.

    Criminal mindset justifications are always remarkably shallow and show the level of evil intent.

  15. Part 2 is coming soon

  16. Thanks for the article!

    I’d like to see an article about extradition treaties/issues with the U.S. and hackers.

    It seems like few Asian and eastern European countries have extradition treaties with the US.

    Every country has hackers and the US has some very skilled ones, too, but ours and other western countries’ hackers get arrested and can’t successfully bribe police/intel services (as far as we know).

    The US and other western intelligence agencies have identified many of the worst hackers in Russia and other countries. But the enabling governments allow their hackers to operate and sometimes the governments take cuts of the criminal proceeds.

    This reminds me of “Letters of Marque” from the middle ages through roughly the 1800s. A letter of marque from a government authorized one of its citizens to steal stuff on the high seas, i.e., piracy. If you were caught you couldn’t be hung for piracy if you had a letter of marque, which showed you were authorized by the state. You had to share the stolen stuff with your state.

    Today, Russia and other Asian countries seem to operate on the same, though less formal, “principle.”

    In Russia, as long as you don’t hack your fellow citizens, the government doesn’t seem to care and often takes a cut (like Krebs described in his book Spam Nation and like other cases in the Ukraine described in detail elsewhere).

    There would be far fewer threats and financial loss from hacking if Asian and eastern European countries would extradite their hackers.

    One big difference, of course, between today’s international hackers and 17th century piracy is the latter didn’t steal from within other countries’ borders, mainly in international waters.

    Today’s hackers reach across the world and take money from people’s homes and business.

    Eventually, there might need to be military penalties for a government’s failure to extradite (i.e., harbor) hackers rampaging western countries.

  17. Was Molina Healthcare hacked? I received 2 calls from robo claiming to be them. The company says they never called me.

  18. Well, there are more students working with electronics, what do you think was going to happen? That is why everything should be learned by text books. Everything is based on computers, laptops, tablets and phones; we play games on our phones, people are stealing our information. Google people’s background, everything pops up, even who you’re dating. Where do these people get so much information on a person? You go to jail and you’re all over the internet. Where do citizens have the rights not to let these people post us all over the place? Hell, I can not even go inside a building and put an application in person; it’s all online with my information, S.S.N., address, everything. Who knows who is hacking our accounts and our information and using it in another country? Our taxes, our banking, everything is through electronics, and he is not the only one out there. So sad.

  19. Great article, Brian!

    It’s always interesting to see the story behind how a criminal became so big and then gets caught.

    Looking forward to part 2.

  20. It sickens me how much crime scum like this can do and get a slap on the wrist (10 years for billions in crime (victims)).
    I hope someone finds him and he gets what he deserves.
    Because there is no justice in the legal system, only taxes (fines/skimming off of criminals gains from victims) and time outs (short jail time), but no justice.

  21. Hieu Minh Ngo (Hieupc)

    One thing that I want to say to all Americans and to all the people that I might have hurt or harmed in the past – I am terribly sorry, please forgive me… I am living each day with regrets, and with each day that passes, I really can not wait to do what I can to give back to the world with love.

  22. I really enjoyed reading this article. Sharing!

  23. …and what about Experian who acquired a company that had been compromised and allowed it to continue for 9 months! Where was their cyber due diligence during the acquisition process? The article doesn’t detail it as specifically, but perhaps Trans Union is guilty of this as well? A good lesson to any executives that are involved in M&A activities!

  24. About those extradition agreements – it’s a two way street. Okay, you can extradite a Vietnamese to the US but then Vietnam can get an American extradited to Vietnam (just as an example) that’s why getting him to Guam was key. It’s basic and not necessarily blocked by a foreign nation – often by the US.

  25. The problem is not the cyber criminals. The problem is the U.S. Credit System being tied to Social Security Numbers which are handed out like candy. Credit should be tied to a user account which is secured with a rotating key (like an Authenticate App does for logging into various internet services). Experian and Equifax leaked (was hacked out of) most of America’s identities and instead of leveling them the government fined them peanuts. Then Facebook gets farmed for not so personal data and they hammer Facebook. Is the government really that interested in protecting consumers? If they were they would STOP and outlaw Social Security # and otherwise public information being the key tie in to establish financial accounts.

    • One way of doing this is to have something similar to a Public/Private Key asymmetric encryption.

      When applying for credit/loans, a person could use a public SSN.

      Only at the verification step, the person can use his private SSN to verify his identity. The verification step can be going through a centralized ID/SSO system.

      Some countries like Singapore have already implemented this through a system called Singpass. When you apply for a bank account here, you would fill in the form with your ID/SSN/NRIC normally, but there exists a verification step at the end where you go through the government’s Singpass system to verify your ID. In this case, the gov holds your private key instead of yourself. Singpass would verify the request by sending an OTP push request through Singpass mobile app on your phone.

  26. One thing that might help (slightly) is to not give your SSN to anyone who asks for it unless they can demonstrate a CLEAR need to have it. Example – every doctor I see wants my SSN, and I tell them no, you can’t have it because Uncle Sam is going to be paying you, I’m on Medicare. The expressions of shock on their faces are priceless, but I have yet to be turned away. Doctor’s offices and hospitals have minimal (if any) IT security, but they can’t send you an e-mail because of HIPAA. I sure hope their medical skills are better than their IT skills . . .

  27. Changes are bound to occur in every human at every point in time, but every sector has got a role to play, right from the educational sector, parents and organizations. In reference to Sam’s comment, negligence on those organizations is nothing but lack of competence and inability to take up responsibilities from the employee.
    Secondly, learning to use any form of gadgets is not wrong, but consciously introducing the new ones/young folks into it is where many failed to play their role. Selah

  28. “TLO was acquired by Trans Union, one of the other three big U.S. consumer credit reporting bureaus.”
    I do not condone the selling of ID info, that being said, these bureaus are one of the biggest problems and obviously not up to solutions. They are the data aggregators keeping detailed personal information making it a “one-stop shop” for hackers and then when a consumer gets bitten, they make life hell for the victim instead of trying to fix the problem. The real corruption is legal.

  29. Great article. Very interesting to see a young person from a developing country like Vietnam so capable of manipulating PII. I hope talent like this finds its way to lawful opportunities, but the lure of quick riches and bad judgement could stymie that.
