Student hacker jailed for multi-million pound global blackmail conspiracy

Twenty-four-year-old student Zain Qaiser, of Barking in Essex, was a member of an international, Russian-speaking organised crime group that made massive profits from victims in more than 20 countries. The investigation identified that Qaiser received more than £700,000 through his financial accounts for his part in this global campaign of malware and blackmail. However, the total is likely to have been as much as £4 million. 

Qaiser spent the money on high-end hotel accommodation, prostitutes, gambling, drugs and luxury items, including a £5,000 Rolex watch. In just one ten-month period, he spent £68,000 gambling in a London casino, despite being unemployed and living with his family. 

He bought advertising traffic from pornographic websites, using the online name K!NG, on behalf of the crime group, using fraudulent identities and bogus companies to pose as legitimate online advertising agencies in a process of social engineering. Once advertising space was secured, the crime group would host and post advertisements laced with malicious software, known as malware.    

When users clicked on the ads they were redirected to another website, hosting highly-sophisticated malware strains, including the Angler Exploit Kit (AEK) – believed to have been created, managed and marketed by one of Qaiser’s Russian-speaking associates. Users with any vulnerabilities would subsequently be infected with a malicious payload. 

One of those malicious payloads was software called Reveton – a type of malware that would lock a user’s browser. Once locked, the infected device would display a message purporting to be from a law enforcement or a government agency, which claimed an offence had been committed and the victim had to pay a fine of up to $1,000 to unlock their device. 

The campaign infected millions of computers worldwide across multiple jurisdictions. 

Ransom demands were made by Qaiser through a complex process of virtual and crypto-currency money laundering. Blackmailed victims would be directed to pay the ransom demand using a prescribed virtual currency, which would then be laundered using a variety of methods and an international network of illegitimate financial service providers. 

For example, one of Qaiser’s international accomplices in the US transferred ransom payments onto pre-loaded credit cards in fraudulent identities, withdrew that cash at locations throughout the US, converted it into crypto-currency, and transferred it to Qaiser. 

Some online advertising agencies that sold Qaiser the advertising traffic realised what he was doing and tried to stop him. He responded by blackmailing them and their businesses, hitting at least two agencies with DDoS (distributed denial of service) attacks. Qaiser told one company director: “I’ll first kill your server, then send child porn spam abuses.” 

These attacks cost the companies at least £500,000 through lost revenue and mitigation costs. 

Qaiser, a computer science student, was hugely useful to the crime group. Using his command of the English language and knowledge of the online advertising industry, in conjunction with basic social engineering techniques, he could convince advertising agencies he was a legitimate customer. 

He employed a variety of bogus companies and fake identity documents, such as passports procured from his online criminal associates, to persistently acquire new internet traffic and advertising space to conduct his criminal activities. 

Qaiser’s offending is thought to have started in at least September 2012 and lasted until he was remanded in custody in December 2018. He was first arrested in July 2014 and charged in February 2017. 

NCA investigators later identified a series of financial accounts linked to Qaiser, including an overseas crypto-currency account. Cumulatively, these accounts received in excess of £100,000, despite him having no job and declaring no earnings. Qaiser was subsequently arrested in December 2018 on suspicion of money laundering while on bail for the previous offences. 

Qaiser admitted 11 offences, including blackmail, fraud, money laundering and computer misuse, and was jailed at Kingston Crown Court. 

Nigel Leary, NCA senior investigating officer, said: “This was one of the most sophisticated, serious and organised cybercrime groups the NCA has ever investigated. The group owned and operated the Angler Exploit Kit – one of the most successful and closely guarded pieces of malicious software ever developed by the cybercrime community. 

“This was an extremely long-running, complex cybercrime investigation in which we worked with partners in the US, Canada, Europe and the Crown Prosecution Service. The FBI and the US Secret Service have both arrested people in relation to this global malware campaign. 

“The investigation demonstrates that cyber criminals cannot operate from behind a veil of anonymity, and that the NCA has the tenacity and specialist skills to catch them and bring them to justice. The international law enforcement community will continue to work together to counter the threat of borderless cybercrime.” 

News of Qaiser’s conviction comes as a survey by anti-virus company Symantec reveals that one third of British consumers experienced some form of cybercrime in the past year and a similar number expect to become victims again in the next 12 months. 

Despite this, most Britons say they are willing to accept certain risks to their online privacy for the sake of convenience, happily giving away certain personal information, such as their location and internet search history, to companies.  

“The introduction of the General Data Protection Regulation (GDPR) in the EU put data privacy on the agenda and significantly increased consumers’ awareness of their privacy rights,” said Nick Shaw, EMEA vice-president and general manager at Symantec subsidiary, Norton. “Yet, consumers are still willing to trade their personal data out of convenience and to get more perks.” 

Samir Kapuria, executive vice–president and general manager of consumer digital safety at Symantec, added: “Our cyber safety is inherently tied to trust. Most consumers are aware their data is being captured from the websites they visit, the social media they share and the apps they use, and trust their information is being properly secured. 

“However, these same consumers are often unaware how and why data is captured and what companies do with it. The sheer amount of personal information being collected about us shows no signs of slowing and there is greater value placed on it than ever before.”  

The report found 60 per cent of consumers believe they are equally or more likely to experience cybercrime than they are to get the flu.