Hieu Minh Ngo
Ngô Minh Hiếu (born 8 October 1989) is a Vietnamese hacker and identity thief. He was convicted in the United States of stealing hundreds of thousands of persons' personally identifiable information and in 2015 was sentenced to 13 years in U.S. federal prison.[2] He has recently been recruited by Vietnam’s National Cybersecurity Center (NCSC) as a technical expert.[3][4]
Hieu Minh Ngo | |
---|---|
Born | October 8, 1989 |
Nationality | Vietnamese |
Other names | Hieupc [1] |
Occupation | hacker and identity thief |
Known for | sentenced to 13 years in U.S. federal prison [2] |
Computer crimes
Ngô Minh Hiếu is a Vietnamese national.[5]
In his late teens, he traveled to New Zealand to study English at a university there. By that time, he was already an administrator of several dark web hacker forums, and between his studies he discovered a vulnerability in the school’s network that exposed payment card data. “I did contact the IT technician there to fix it, but nobody cared so I hacked the whole system,” Ngô recalled. “Then I used the same vulnerability to hack other websites. I was stealing lots of credit cards.” Ngô said he decided to use the card data to buy concert and event tickets from Ticketmaster, and then sell the tickets at a New Zealand auction site called TradeMe. The university later learned of the intrusion and Ngô’s role in it, and the Auckland police got involved.[1] Ngô’s travel visa was not renewed after his first semester ended, and in retribution he attacked the university’s site, shutting it down for at least two days.[1]
From 2007 to 2013, he operated a "massive international hacking and identity theft scheme from his home in Vietnam" in which he stole personally identifiable information (such as names, Social Security numbers, and bank account data) of 200 million U.S. citizens.[6] Ngô obtained this data by hacking companies' databases, then advertised and offered (on two websites he operated, which were later shuttered) the stolen information for purchase by other cybercriminals.[7] Ngô was also able to obtain data from Court Ventures, an Experian subsidiary,[8][9] by "posing as a private investigator operating out of Singapore."[10]
Ngo made nearly $2 million from his scheme.[5][6][2] The Internal Revenue Service has confirmed that 13,673 U.S. citizens, whose stolen PII was sold on Ngo’s websites, have been victimized through the filing of $65 million in fraudulent individual income tax returns. [11]
Prosecution, sentence, and release
In February 2013, Ngô Minh Hiếu entered the United States territory and was arrested[6] after U.S. Secret Service investigators lured Hiếu to Guam "to consummate a business deal with a man he believed could deliver huge volumes of consumers' personal and financial data for resale."[10] He subsequently pleaded guilty to federal crimes: (1) wire fraud, (2) identity fraud, (3) access device fraud, and (4) four counts of computer fraud and abuse. Ngô had been facing more than 24 years in federal prison, but his sentence was lightened because he cooperated with investigators to secure the arrest of at least a dozen of his U.S.-based customers.[12][13]
The Secret Service had difficulty pinning down the exact amount of financial damage inflicted by Ngo’s various ID theft services over the years, primarily because those services only kept records of what customers searched for — not which records they purchased. But based on the records they did have, the government estimated that Ngo’s service enabled approximately $1.1 billion in new account fraud at banks and retailers throughout the United States, and roughly $65 million in tax refund fraud with the states and the IRS. [14]
In July 2015, U.S. District Judge Paul J. Barbadoro sentenced Hiếu, then age 25, to 13 years in prison.[5][6]The Bureau of Prisons lists his register number as 03664-093 and his release date was 11/20/2019. In the final months of his detention, Ngô started reading everything he could get his hands on about computer and Internet security, and even authored a lengthy guide written for the average Internet user with advice about how to avoid getting hacked or becoming the victim of identity theft.
Longer term, Ngô says, he wants to mentor young people and help guide them on the right path, and away from cybercrime. He’s been brutally honest about his crimes and the destruction he’s caused. His LinkedIn profile states up front that he’s a convicted cybercriminal.
References
- "Confessions of an ID Theft Kingpin, Part I". Krebs on Security. August 26, 2020.
- "Hacker Việt trộm dữ liệu của 200 triệu người Mỹ lĩnh 13 năm tù". VnExpress. July 15, 2015.
- "Vietnam's National Cybersecurity Center hires former cybercriminal". VnExpress. December 5, 2020. Retrieved December 5, 2020.
- "Hacker Hieupc đầu quân cho Trung tâm Giám sát an toàn không gian mạng quốc gia". Tuổi Trẻ. December 4, 2020. Retrieved December 5, 2020.
- Vietnamese National Sentenced to 13 Years in Prison for Operating a Massive International Hacking and Identity Theft Scheme (press release), U.S. Department of Justice, Office of Public Affairs (July 14, 2015).
- James Eng, Hacker Gets 13 Years in Prison for Massive International ID Theft, NBC News (July 14, 2015).
- Alyssa Bereznak (July 14, 2015). "This 25-Year-Old Vietnamese Man Stole the Identities of Nearly 200 Million Americans". Yahoo.com.
- Poeter, Damon (2013-10-22). "Experian Confirms Subsidiary's Data Sold to ID Theft Operation". PCMag.com. Retrieved 2015-07-15.
- Osborne, Charlie (2014-04-14). "200M consumer records exposed in Experian security lapse". CNET. Retrieved 2015-07-15.
- "Experian Lapse Allowed ID Theft Service Access to 200 Million Consumer Records". Krebs on Security. March 10, 2014.
- "Vietnamese National Sentenced to 13 Years in Prison for Operating a Massive International Hacking and Identity Theft Scheme". FBI. July 14, 2015.
- "ID Theft Service Proprietor Gets 13 Years". July 15, 2015.
- "Convicted Tax Fraudster & Fugitive Caught". March 19, 2015.
- "Confessions of an ID Theft Kingpin, Part II". Krebs on Security. August 27, 2020.