Capital One Hacking Indictment Lists Cryptojacking as Motive

The indictment cites three other victims that all “rented or contracted for computer servers” from the same cloud-computing company used by Capital One: a state agency, a telecom, and a public research university.

by Nicole Brodeur, The Seattle Times / August 29, 2019

(TNS) — Suspected Capital One hacker Paige Thompson was indicted Wednesday, accused of not only penetrating the servers of a cloud-computing company, but of stealing data and using stolen computer power to “mine” cryptocurrency for her own benefit — a practice known as “cryptojacking.”

Thompson, 33, a former Amazon software engineer who was living in Seattle’s Beacon Hill neighborhood, faces penalties of up to 25 years in prison on one count of wire fraud and one count of computer fraud and abuse.

Thompson was arrested July 29 for allegedly hacking into Capital One’s computer system, accessing credit-card applications and compromising the personal data of more than 100 million people.

Wednesday’s indictment cites three other victims that all “rented or contracted for computer servers” from the same cloud-computing company used by Capital One: A state agency (not in the state of Washington); a telecommunications conglomerate located outside the United States; and a public research university in another state.

While authorities have not named the involved cloud-computing company, Thompson previously worked for Amazon Web Services, which provides cloud services to Capital One among other customers. Only four victims are described in the indictment, though it notes she is suspected of stealing data from 30 entities.

The indictment states that Thompson sought to exploit the fact that customers of the cloud-computing company had misconfigured web-application firewalls on the rented servers. She created scanning software that allowed her to identify those customers, and used outside commands to penetrate and access their servers.

The goal, the indictment read, was “to use the access in other ways for (Thompson’s) own benefit, including by using those servers for ‘cryptojacking.’”

Investigators have found no evidence that Thompson sold or disseminated any of the information she accessed. She is scheduled to be arraigned on the indictment in U.S. District Court in Seattle on Sept. 5.

The indictment comes days after Thompson, a transgender woman, appeared in federal court seeking to be released from the Federal Detention Center in SeaTac and be placed in a halfway house. She is being housed in the men’s wing of the detention center, and her attorney argued the facility is “not equipped” to care for someone with gender dysphoria.

Judge Michelle Peterson denied Thompson’s request, agreeing with federal prosecutors that she poses a serious flight risk. Thompson has no stable residence or local family ties, is unemployed, and has a history of drug abuse and mental-health issues. She has made threats to kill herself and shoot up the office of a California social media company, according to authorities.

Peterson noted Thompson’s “erratic and bizarre behavior” (Thompson’s screen name is actually “erratic”), but also her technical skill.

“You are highly talented,” Peterson told Thompson, “and have the means and ability to create havoc in our banking system.”

©2019 The Seattle Times. Distributed by Tribune Content Agency, LLC.
