Dutch police have announced that they have arrested three individuals in connection with “massive” criminal activity, including data theft, extortion and money laundering.
Suspects include two 21-year-old men from Zandvoort and Rotterdam and an 18-year-old man without permanent residency. The arrest he made on January 23, 2023.
Hackers are estimated to have stolen the personal data of tens of millions of individuals. This included names, addresses, phone numbers, dates of birth, bank account numbers, credit cards, passwords, license plates, social security numbers and passport details.
Politie’s cybercrime team says it launched an investigation almost two years ago in March 2021 after a large Dutch company suffered a security breach.
While the names of the companies have not been disclosed, companies attacked at the time included RDC, Shell, and Ticketcounter, the last of which was also extorted.
“In the course of the investigation, it became clear that thousands of companies and institutions, both large and small, both domestically and internationally, had in recent years been victims of computer intrusions (hacks) and subsequent data theft and manipulation. ‘ said the agent.
The series of attacks targeted a wide range of verticals spanning catering, training institutions, e-commerce, software, social media, and critical infrastructure.
Politie described it as a “sophisticated” operation, in which the attackers demanded bitcoin payments from the affected companies, and either published the stolen information online or destroyed their digital infrastructure. threatened and caused millions of dollars in damages.
The ransom demanded by each company is said to be between €100,000 and €700,000. To make matters worse, the suspect ended up selling the data even though the company paid for it.
The sensitivity of the looted information means it can be used to conduct social engineering attacks and various types of fraudulent activities.
Politie warns that “data theft and trading is a huge revenue model for criminals.” “We are not just extorting companies. The data we obtain is processed to make deals with other criminals.”
He further noted that such stolen datasets are refined and filtered for easy searching in order to find compelling targets and launch convincing attacks.
“Street searches and surveillance are no longer necessary,” law enforcement said. “Pushing the button in front of the computer is enough.”
