The Amsterdam police have arrested three men on suspicion of, among other things, data theft from companies, extortion and money laundering. They were already arrested on January 23, but the arrests were only announced today because of the investigation.
The suspects are a 21-year-old man from Zandvoort, a 21-year-old man from Rotterdam and an 18-year-old man of no fixed abode. The suspects were in possession of tens of millions of people’s privacy-sensitive data. This concerns, for example, dates of birth, bank account numbers, credit cards, passwords, license plates, social security numbers, passport data, addresses and telephone numbers.
In March 2021, the police cybercrime team launched an investigation after a report of data theft and blackmail at a large Dutch company. The investigation revealed that several national and international companies have fallen victim to hacking and data theft in recent years.
Threatening emails with payment in bitcoin
After the hackers had gained access to the companies’ data, they received an email to make a payment in bitcoin. If a company did not pay, it threatened to make the data public and destroy the digital network.
Many companies eventually paid. Some companies suffered millions of euros in damage. The ransom amounted to more than 100,000 euros per company, with an outlier of more than 700,000 euros.
In many cases, the stolen data was sold after payment of the ransom. The blackmail has probably yielded the main suspect 2.5 million euros in recent years.
Sjoerd Bakker, director of Ticketcounter, was one of the victims. “I am very relieved,” he says to NOS after the news about the arrests became known. “I received an email saying I was given 72 hours to pay 7 bitcoins, which was about $300,000 at the time.”
Baker did not pay. He filed a report and reported a data breach to the Dutch Data Protection Authority:
The datasets sold to other criminals can still be misused to this day, says Barend Frans, digital specialist at the Amsterdam police. “As far as we know, the abuse has been contained.” Nevertheless, Frans warns of the dangers.
“The risk is that a cybercriminal will use the stolen data to entrap you. They can pose as a certain company, such as a bank employee, and know your data.”
To prevent internet scams, Frans advises using a password manager and two-step verification.