The Dutch police announced the arrests of three men for their suspected involvement in what appears to be one of the biggest data extortion cases to date. The criminal scheme saw personal data belonging to tens of millions of people stolen and caused millions of euros' worth of damage.
The police started an investigation in March 2021 following a report of a data theft from a large Dutch company. During the two-year investigation, the police learned that the suspects victimized thousands of businesses, including educational institutions, software companies, hospitality businesses, web shops, online ticket vendors, and institutions connected to critical infrastructure and services.
The data stolen during the hacks included names, addresses, phone numbers, dates of birth, bank account numbers, credit card numbers, passwords, license plates, citizen identification numbers, and passport information of tens of millions of people.
The three men, aged between 18 and 21, and a 25-year-old suspect arrested in 2022 are accused of unauthorized computer access, data theft, extortion and blackmail, and money laundering. The suspect arrested last year was allegedly involved in a data theft incident regarding Gebühren Info Service GmbH (GIS), which collects television license fees on behalf of the Austrian government. It is likely that the dataset in that breach includes information about almost every Austrian citizen.
Once an organization was breached and its data stolen, the thieves threatened to destroy the victim's digital infrastructure or make the stolen information public if a ransom was not paid. The threat actors demanded between €100,000 and €700,000, depending on the size of the organization they hacked. The group's suspected leader alone is believed to have made more than €2.5 million.
Officials said that even if the ransom was paid, the stolen data was often sold online for profit.
Dutch news agency NOS reported that one of the three suspects is a security researcher who worked for the Dutch Institute for Vulnerability Disclosure (DIVD), a volunteer-supported platform for reporting vulnerabilities. DIVD said in a statement that it had no knowledge of the individual's actions and that it is now investigating whether the volunteer misused any of its resources.