27
Aug 20

Confessions of an ID Theft Kingpin, Part II

Yesterday’s piece told the tale of Hieu Minh Ngo, a hacker the U.S. Secret Service described as someone who caused more material financial harm to more Americans than any other convicted cybercriminal. Ngo was recently deported back to his home country after serving more than seven years in prison for running multiple identity theft services. He now says he wants to use his experience to convince other cybercriminals to use their skills for good. Here’s a look at what happened after he got busted.

Hieu Minh Ngo, 29, in a recent photo.

Part I of this series ended with Ngo in handcuffs after disembarking a flight from his native Vietnam to Guam, where he believed he was going to meet another cybercriminal who’d promised to hook him up with the mother of all consumer data caches.

Ngo had been making more than $125,000 a month reselling ill-gotten access to some of the biggest data brokers on the planet. But the Secret Service discovered his various accounts at these data brokers and had them shut down one by one. Ngo became obsessed with restarting his business and maintaining his previous income. By this time, his ID theft services had earned roughly USD $3 million.

As this was going on, Secret Service agents used an intermediary to trick Ngo into thinking he’d trodden on the turf of another cybercriminal. From Part I:

The Secret Service contacted Ngo through an intermediary in the United Kingdom — a known, convicted cybercriminal who agreed to play along. The U.K.-based collaborator told Ngo he had personally shut down Ngo’s access to Experian because he had been there first and Ngo was interfering with his business.

“The U.K. guy told Ngo, ‘Hey, you’re treading on my turf, and I decided to lock you out. But as long as you’re paying a vig through me, your access won’t go away’,” the Secret Service’s Matt O’Neill recalled.

After several months of conversing with his apparent U.K.-based tormentor, Ngo agreed to meet him in Guam to finalize the deal. But immediately after stepping off of the plane in Guam, he was apprehended by Secret Service agents.

“One of the names of his identity theft services was findget[.]me,” O’Neill said. “We took that seriously, and we did like he asked.”

In an interview with KrebsOnSecurity, Ngo said he spent about two months in a Guam jail awaiting transfer to the United States. A month passed before he was allowed a 10-minute phone call to his family to explain what he’d gotten himself into.

“This was a very tough time,” Ngo said. “They were so sad and they were crying a lot.”

First stop on his prosecution tour was New Jersey, where he ultimately pleaded guilty to hacking into MicroBilt, the first of several data brokers whose consumer databases would power different iterations of his identity theft service over the years.

Next came New Hampshire, where another guilty plea forced him to testify in three different trials against identity thieves who had used his services for years. Among them was Lance Ealy, a serial ID thief from Dayton, Ohio who used Ngo’s service to purchase more than 350 “fullz” — a term used to describe a package of everything one would need to steal someone’s identity, including their Social Security number, mother’s maiden name, birth date, address, phone number, email address, bank account information and passwords.

Ealy used Ngo’s service primarily to conduct tax refund fraud with the U.S. Internal Revenue Service (IRS), claiming huge refunds in the names of ID theft victims who first learned of the fraud when they went to file their taxes and found someone else had beaten them to it.

Ngo’s cooperation with the government ultimately led to 20 arrests, with a dozen of those defendants lured into the open by O’Neill and other Secret Service agents posing as Ngo.

The Secret Service had difficulty pinning down the exact amount of financial damage inflicted by Ngo’s various ID theft services over the years, primarily because those services only kept records of what customers searched for — not which records they purchased.

But based on the records they did have, the government estimated that Ngo’s service enabled approximately $1.1 billion in new account fraud at banks and retailers throughout the United States, and roughly $64 million in tax refund fraud with the states and the IRS.

“We interviewed a number of Ngo’s customers, who were pretty open about why they were using his services,” O’Neill said. “Many of them told us the same thing: Buying identities was so much better for them than stolen payment card data, because card data could be used once or twice before it was no good to them anymore. But identities could be used over and over again for years.”

O’Neill said he still marvels at the fact that Ngo’s name is practically unknown when compared to the world’s most infamous credit card thieves, some of whom were responsible for stealing hundreds of millions of cards from big box retail merchants.

“I don’t know of anyone who has come close to causing more material harm than Ngo did to the average American,” O’Neill said. “But most people have probably never heard of him.”

Ngo said he wasn’t surprised that his services were responsible for so much financial damage. But he was utterly unprepared to hear about the human toll. Throughout the court proceedings, Ngo sat through story after dreadful story of how his work had ruined the financial lives of people harmed by his services.

“When I was running the service, I didn’t really care because I didn’t know my customers and I didn’t know much about what they were doing with it,” Ngo said. “But during my case, the federal court received like 13,000 letters from victims who complained they lost their houses, jobs, or could no longer afford to buy a home or maintain their financial life because of me. That made me feel really bad, and I realized I’d been a terrible person.”

Even as he bounced from one federal detention facility to the next, Ngo always seemed to encounter ID theft victims wherever he went, including prison guards, healthcare workers and counselors.

“When I was in jail at Beaumont, Texas I talked to one of the correctional officers there who shared with me a story about her friend who lost her identity and then lost everything after that,” Ngo recalled. “Her whole life fell apart. I don’t know if that lady was one of my victims, but that story made me feel sick. I know now that what I was doing was just evil.”

Ngo’s former ID theft service usearching[.]info.

The Vietnamese hacker was released from prison a few months ago, and is now finishing up a mandatory three-week COVID-19 quarantine in a government-run facility near Ho Chi Minh City. In the final months of his detention, Ngo started reading everything he could get his hands on about computer and Internet security, and even authored a lengthy guide written for the average Internet user with advice about how to avoid getting hacked or becoming the victim of identity theft.

Ngo said while he would like to one day get a job working in some cybersecurity role, he’s in no hurry to do so. He’s already had at least one job offer in Vietnam, but he turned it down. He says he’s not ready to work yet, but is looking forward to spending time with his family — and specifically with his dad, who was recently diagnosed with Stage 4 cancer.

Longer term, Ngo says, he wants to mentor young people and help guide them on the right path, and away from cybercrime. He’s been brutally honest about his crimes and the destruction he’s caused. His LinkedIn profile states up front that he’s a convicted cybercriminal.

“I hope my work can help to change the minds of somebody, and if at least one person can change and turn to do good, I’m happy,” Ngo said. “It’s time for me to do something right, to give back to the world, because I know I can do something like this.”

Still, the recidivism rate among cybercriminals tends to be extremely high, and it would be easy for him to slip back into his old ways. After all, few people know as well as he does how best to exploit access to identity data.

O’Neill said he believes Ngo probably will keep his nose clean. But he added that Ngo’s service, if it existed today, probably would be even more successful and lucrative given the sheer number of scammers involved in using stolen identity data to defraud states and the federal government out of pandemic assistance loans and unemployment insurance benefits.

“It doesn’t appear he’s looking to get back into that life of crime,” O’Neill said. “But I firmly believe the people doing fraudulent small business loans and unemployment claims cut their teeth on his website. He was definitely the new coin of the realm.”

Ngo maintains he has zero interest in doing anything that might send him back to prison.

“Prison is a difficult place, but it gave me time to think about my life and my choices,” he said. “I am committing myself to do good and be better every day. I now know that money is just a part of life. It’s not everything and it can’t bring you true happiness. I hope those cybercriminals out there can learn from my experience. I hope they stop what they are doing and instead use their skills to help make the world better.”


67 comments

  1. What he did was terrible but at least he has remorse and will keep others from following his path in the future. Better than most who get released and pick up huge contracts with security companies. I won’t name names but for many cyber crime has been the best thing they ever did. For this kid he realizes the costs of his actions.

    • Boy, you are such a gullible one…
      Yay, he has remorse because he said so.
      That fixes everything, I guess.
      I mean, losing your life earnings would be just fine to you as long as the criminal would just say he was sorry while fucking a thousand dollar hooker with your money.

      • At some point though, it isn’t on the bad actors, but on the design of the system. If how we authenticate people is so insanely easy to circumvent – it should be no surprise when some individuals abuse it. If the ecosystem invites abuse, it is up to society to change the ecosystem.

        • Do you tell rape victims they should have worn looser pants, or stayed in their home, or only go out when escorted by a man? You sir are victim blaming. I suspect you commit crimes when you see an opportunity and just say – he left the mower in the yard, too bad.

          • Mahhn, read that comment again. There was no blaming of the victims – the human beings who were actually harmed. He/she specifically said “the ecosystem”, not the people. Like if this “defund the cops” nonsense goes anywhere, and there were no cops around, then someone is raped, the no-law-enforcement ecosystem could be blamed… not the victim.

          • That’s the dumbest analogy I have ever read. Any inclination to use your brain? Then ask yourself why the database owner isn’t responsible for the harm they make possible.

          • I work in an anti-fraud capacity, and have to disagree with you. The previous post was basically saying that since the current system has few (and weak) controls, it’s not surprising that criminals would exploit the weaknesses in the system. As a result, the system should be re-configured or enhanced to improve the controls to the point where it increases the difficulty and work required to get past them.

            That’s a basic tenet of fraud controls: you can’t prevent 100% of the fraud, but you should make it difficult and onerous enough to discourage committing fraud.

            The poster wasn’t excusing the fraudsters; they were pointing out that the controls were weak enough that it made it easy and profitable for criminals to steal the data. And that part is entirely predictable (i.e. “not surprising”).

            • Thanks for your reply, Ben (and your original response, Rob).

              It’s sad that we live at a time where people leap to conclusions so rapidly without taking a little time to process what is actually being said.

              Bad guys exist, and need to be dealt with whenever we come across them. We should also endeavor to make it harder for them to be successful.

              ASB

    • “this kid he realizes the costs of his actions.”

      Kid? He is 29.

      • Based on what I’ve seen of people 30 and older, this one is still a kid. That he spent a good portion of his 20s in jail means that maturity wise. . .he’s pretty much still a kid from the perspective of society at large. Which means while it’s likely he feels genuine remorse, he may still not have a developed delayed gratification ability.

      • Yes, he’s now 29, but he spent ~7 years in prison, too. He was 22 at the time. Not a “child” but certainly still relatively young, having started his activities even earlier than that.

    • Don’t believe him….crook forever after these heinous crimes and he is still sitting On his money whilst others suffer…..no sympathy for this demonic greedy a Vietnamese pig. Its all about take as much as you can with them. To even think robbing people like this shows you what he is….sociopath.

  2. Very interesting story. Thank you!

  3. we need to give people better options in society

  4. The “lengthy guide” referred to in the article is blocked.

    The link to the LinkedIn page works fine, but the document itself seems to be blocked with the message:
    “Requests to the server have been blocked by an extension.”

    Anyone know if this guide is legitimate and if so where it can be obtained?

    • I had no problems viewing it on LinkedIn. If you expand to full screen, there’s a download button.

      @BrianKrebs, Thanks for a great article. One never knows the hearts and minds of people like this, but I want to believe he will stay on the good side. As @Jay noted, besides jail time, what type of restitution occurred? Were any funds recovered to help the victims or at least to serve as a deterrent?

    • Sounds like you got a browser “add on”(extension) that is blocking at least some of your links. Might be time to review them, and see if you can turn them off, remove them, or make some adjustments to allow more content.

    • Stephan B Feibish

      A malicious .pdf file is one of the best ways to get into your computer system.

  5. The Sunshine State

    I doubt this Ngo guy will go on the straight and narrow course of no longer breaking the law. Once a narcissist always a narcissist!

    • How do you know he’s a narcissist? Not all criminals are narcissists, obviously. Throwing around your armchair psychological diagnoses isn’t fair or particularly smart in my opinion. He was caught, he’s been punished by the government, he served his time. Everyone deserves a second chance. He was a teenager when he committed his crimes, so let’s give him a chance to straighten himself out.

      • The Sunshine State

        That’s right, cyber-crime is about “social engineering”, which means manipulation and control

        Narcissistic personality disorder

        Narcissistic personality disorder involves a pattern of self-centered, arrogant thinking and behavior, a lack of empathy and consideration for other people, and an excessive need for “admiration”. Others often describe people with NPD as cocky, “manipulative, selfish, patronizing, and demanding”.

        Dr Sunshine State will see you now !

  6. Was he totally stripped of every single penny, properties, bank accounts, purchases made with the ill gotten proceeds of his dirty business? Not a single sentence makes mention of any such thing. That’s why these criminals continue their game…..there’s “no game over” for them because the consequences amount to a slap on the face….7 year jail sentence??!! Give me a break….

    • security (and expert witness) vet

      …you have to look at his sentencing order to see if he had to disgorge all gains…if he had any money left at that point…what district was he sentenced in?

  7. As bad as identity theft is, I’m a bit puzzled by testimonies of lives being ruined by it. If the banks, IRS, or whatever institution cause harm to someone who’s had his/her identity stolen, then they should revise their security, identification, and claim procedure. It’s their fault for not having a good response to those cases which are bound to happen anyway, and putting those people in difficult situations.

    More often than not, thieves are able to gain money by deceiving the institution about their identity. It should never fall back on the person’s shoulders.

    • I agree!

    • “should” doesn’t always translate to “does”. it “should” be their fault and they “should” reimburse you promptly, but unfortunately it’s just not that easy. when it happened to me, my bank account was taken to $-850 by them, then when I told the bank, that account was frozen for a month. try paying rent with that.

      • …you clearly have the wrong bank…when my account had a similar problem they immediately credited me the amount, gave me a new account, etc…time to change banks…

    • I meant to include this anecdote in the story, but the Secret Service’s O’Neill shared a story from an interview with one of Ngo’s victims who said the tax refund fraud committed in her name caused the student loan she was seeking for her son to be denied because the school thought she was making way more than what she claimed on the forms. As a consequence, they were not able to afford the cost of sending the kid to college.

      I’m sure there are countless other stories like that of people who suffer one setback because of fraud that leads to a cascading series of other setbacks that really have a negative, long-lasting impact on their lives.

      • set back for sure but you are no longer a “kid” when you’re going to college.

        there are so many ways to get funding or grants under your own name (not your mother’s) it’s hard for me to believe that kept the kid from going to college.

        Obviously feel for anyone that has that happen but i get tired of hearing “i can’t afford to send my kid to college”… ummm make them pay for it?

        If we have a problem with the cost being too high (that you don’t want to pay) then that is a general issue with higher ed.

  8. “I don’t know of anyone who has come close to causing more material harm than Ngo did to the average American”

    And now he’s free. And guess what? He’s going to end up with a well-paid job in the cybersecurity sector!

    Nothing to worry about. Go back to sleep.

    • I dunno why everyone here is so inclined on the fact that he will end up working with a cyber security company ?? Just because he was able to social engineer his way to certain high profile databases doesn’t make him a kid IT prodigy, even a 13 yr old with enough criminal motive can do that much….

  9. If he hadn’t done his cybercriming, he still coulda gotten a good paying IT security gig, and not lost seven years of his life to boot.

    • There is no entry level IT security job that he could have landed during his early days, that would pay 125,000 PER MONTH! At least we don’t have any listed on our site.

  10. Many of us, when we were young, we were drawn to computers, to writing code, to getting under the covers and figuring out things that others don’t or can’t. I think many of us understand this guy and sympathize with him. Living in Vietnam, a 3rd world country with limited options, he went down a bad path but also helped out his family along the way. 99% of us are not good people or bad people – we’re just people who make choices. I see nothing about this guy that screams out “hardened criminal”. I see a smart, curious guy who crossed a line, got in over his head, and now regrets it.

    • > we’re just people who make choices

      yeah, it’s a shame that this profile does not delve on how he got into hacking and what were his reasons, justifications or cultural parameters that allow him to get into it. To me, someone who also started in computer ‘early’ also in a 3rd world country, I don’t think my values would allow me to do that.

  11. My thoughts are he admits his wrong doing. I’m sure those who keep authority over him used many tactics to get to the end result of what they wanted. Our gov will frame someone in a sec to save theirs. I’m curious, I’ve heard of at least 2 to 3 big time hackers get caught. News parade them for the masses. And where do those pallets of cash, those bank accounts seized, when all said and done, whose pockets do all the assets, cash and goods end up in. I see cover up of the highest. The victims of it never get their justice and spend a lifetime trying to recover. The criminal elite in power reap the spoils. Always question, always look deeper. Not all is as they make it look. Nothing lasts forever, history repeats.

  12. I know what this kid did was wrong and unexcused, but who are we to judge him. He was good at what he did, he did prison time, but tell me who has not been caught up on something and did time. And people do get things taken from them from people like him. He is not the only one who is a hacker, there are people who hack into computers, phones. So if this kid realizes what he did and had not looked at the outcome of people losing their homes, jobs, I can tell you I am glad to see that he now sees how it affects people’s lives and he is willing to make something good come out of him and do what is right. People cannot change the past, only the future. There is no one out there that can say “I did nothing wrong” in their life, because I have and I learned from it. And do I have regrets, no, because I would have not done it at all if I had regrets, but will I do it again, no, because I know the consequences and I am much older.

  13. The fact that you can buy essentially fullz from these bureaus needs fixing.
    These small-fry bureaus are a front for the big 3 providers. Both make a living from indexing every application form, under the guise of credit checking or fraud prevention. EVERY FORM, EVERY _RENEWAL_. EVERYTHING. With the world shifting online we made their prolificacy far more abundant than was ever cost effective on paper. Paper didn’t have cookies either.

    A similar dossier is available for pennies from either type of bureau. Your bank, insurance company, employer, and any other background checker want to know your salary declarations, if you have loans and how you use your credit cards, or had a court appearance, or have lived at an above average number of addresses, so they can risk model you.
    Note “_they_ can risk model you” – not the credit bureau. The checker and the data collection are symbiotic, not an independent risk score.
    If you gave an SSN and value got back a score and a risk scale “550 – 1k 0.5% : 2k 1% : 5k 20% ” for example, nobody would care.

    However that model would put some liability on the credit bureau, and that’s the last thing they want. They just want your data. 😀

  14. Everyone wants to be rich, some people just don’t give a rat’s ass about how they obtain those riches.

  15. I don’t understand how in the USA they have all these industries to check up on one another but what they do is house your personal information for resale!

  16. It’s the End of the prosperity and wealth.
    Rats are hungry coz no more left overs, rats will be starving or start attacking people violent ways.
    Good example blc lives matter

  17. Do bad today remorse later. Where is character and integrity?

  18. Joseph Dougherty

    He may feel remorse; I’ve known criminals who have. And some who have genuinely reformed themselves.

    We can’t know. Over time his actions will either support or contradict his claims.

    I hope he has reformed.

  19. I feel old because of this story.

    Well Krebs I’ve been with you for 7+ years and your stories really are the best around. Shame on that newspaper for getting rid of your cyber security articles…you are quite good. You should have gone into journalism not that bull liberal arts major to save time and money. I remember this story and Lance trying to commit “fraud” during his trial. Makes me feel old and experienced. Let this be a lesson to other profit hungry cyber criminals: set a success limit that sets you up for life and then quit because actions have reactions. It is only a matter of time before people contact the state enough for them to get serious about what you’ve done. That being said fraud isn’t a real crime because everyone lies, it is just the least you can and should do to be successful in business.

    • regarding bull liberal. having access to the arts does not preclude having practical access to the hard sciences. your sneering at a full education reveals your narrow understanding of what layered, considered education is, and how it works.

  20. The “kid” sure is a dangerous hacker, but he’s not the only one guilty. Data mining agencies are giant honeypots that can’t secure data they collect. They’re arguably even a greater culprit. If not Ngo another hacker would wreck them. Victims should write letters to Equifax, TransUnion, etc. or better yet have them served by a lawyer.

    Philosophically speaking, the core of the issue is the loss of privacy that so many in US seem to be oblivious to.

  21. Everyone complains about the hacker, which they should – but these companies with all our information should ABSOLUTELY be liable for lax security practices. There should be certain criteria, security practices, audit and compliance to EVEN be allowed to possess it.

  22. The security folk are to blame – no one else. They are incompetent – like the TRUMPS

  23. Writing letters to the credit bureau? Elsewhere U will find stories of how fruitless that was.

    Remember the Equifax breach and Congress inquiry yielding credit monitoring which cost the company pennies? (for all of one year.) A real solution would be to allow customers access to all the data, receive emails if account inquired upon, ability to block access, and a few more items. Congress U elected got bought out by a company who is very happy with themselves selling data, which it does to the government too.

  24. Just look at that smug smiling picture. I bet he was quite the popular young plaything in prison, with those sweet soft DSL’s. For all of the despicable crimes he did, tearing people’s lives apart, ruining families, destroying people’s livelihoods and very sanity with Identity Theft, I hope he got violently raped in prison every night for all 7 years. Deserves the death penalty, this one.

  25. Hieu Minh Ngo was sentenced to 13 years in prison, he spent 7 years there, and got out in Nov 2019. I wonder why they released him early? Can anyone tell me?

  26. Dennis the Menace

    My hope is that the only real lesson that he learned from his totally inadequate prison term is that he shouldn’t leave the comfortable, safe, and prosecution free confines of his home in Vietnam next time.

  27. “Ngo in handcuffs after disembarking a flight from his native Vietnam to Guam… then New Jersey… next came New Hampshire…” Geez, this must have been a while back. Today, his corrupt Trial Lawyers of America and ACLU Lawyers would just put a black ski-mask and black BLM hoodie on him and he’d be back on the streets in a matter of minutes, complete with wads of Soros cash in his pockets (not to mention a loving pat on the fanny)!

  28. Karma is a Bitch

    Hell NO. This POS gets to skate after RUINING countless people’s lives. His KARMA is gonna bite him in the ass. Maybe when he has his life RUINED by his own kind, he may have remorse. He’s a SOCIOPATH! This low life scum deserves LIFE in a US federal prison. No good time, no early parole, nothing. Straight HARD time. He and the other no good, sleazy, slimy, hackers RUINED people’s lives. So they could ILLEGALLY make $$ and feed their INSECURE little devolved egos. People worked to build their lives and they were victimized by these slimy, sleazy cretins. They deserve the death penalty. I know several people who were victimized by hackers. One never recovered and had a mental breakdown and is now in an institution. Others never fully recovered and probably never will. Because trash like Mr Ngo traipsed all over the world FRAUDULENTLY using other people’s ID’s and $$$$. He needs to be EXECUTED.

    • You don’t know a whole lot about karma do you? Let’s just say I’d work on that hate and anger if I were you.

  29. No, karma’s a b sounds like he’s been screwed before and paid the price. Reading the comments section reminds me of the old saying “a conservative is a liberal who’s been mugged”. And that not many here have been mugged.

  30. Is there a process where we can request permission to add your articles to our internal training and awareness program for our users (with full credit and acknowledgements as to the source of the material, etc.). We put out a quarterly MIS newsletter and would like to point back to localized PDFs on our intranet (most users do not have internet access). Our administration has given the green light to be able to print out any articles permitted so that our users can take them home and have the information to be able to visit your site to read about other topics.