Jonathan Nguyen, 23, of Windham, N.H., was charged this week in federal court for carrying out a scheme to steal personal information and turn it into profits, the FBI said.
This is how the operation was allegedly conducted.
First, Nguyen, and others involved in the fraudulent financial scheme used Bitcoin to purchase names, addresses, dates of birth, Social Security numbers, email addresses, passwords, credit card account numbers, expiration dates, and other kinds of Personally Identifiable Information (PII), according to the FBI, which cited the charging document.
Next, they allegedly turned the stolen information into cash. One way they did this was to purchase tickets to sporting events and gift cards, the FBI said, noting that these were then sold for profit.
Nguyen and his collaborators also created e-commerce websites for fake companies and “obtained payment-card processing capabilities for these sham companies in order to cash out the stolen credit cards,” the FBI added.
The scammers were tech-savvy enough to get around the fraud-detection mechanisms used by internet merchants, according to the FBI.
“This case is an excellent example of how stolen data can be monetized,” Inga Goddijn, executive vice president of Risk Based Security, told Fox News.
“We have a tendency to assume the malicious actors that steal data are also the ones using the data for illicit purposes. While that can happen, it's more likely the pilfered data will be sold to others -- who in turn use that data in schemes like those Mr. Nguyen is alleged to have perpetrated,” Goddijn said.
Mounir Hahad, head of the Juniper Threat Labs at Juniper Networks, echoed Goddijn’s comments.
“Most criminals engaged in stealing PII information or payment card information tend to auction it on the dark web and never attempt to profit from it directly. They know the more involved they are with the stolen information, the more risky it gets,” Hahad told Fox News.
“In this case, we’re looking at the other side of the equation: what do people who purchase this kind of information do with it?”
However, the alleged use of legitimate payment processing systems could have left them vulnerable, Hahad said.
“Creating sham web sites to use the credit cards may not have been the smartest move, though, because such an approach usually requires engaging with a legitimate payment processing service whose audit logs will keep traces of all transactions. In the U.S., those audit logs would be at the reach of law enforcement given the proper warrants,” Hahad said.
The charge of conspiracy to commit wire fraud, access-device fraud, and identity theft provides for a sentence of up to five years in prison, up to three years of supervised release and a fine of up to $250,000, the FBI said.
The defendant is presumed to be innocent unless and until proven guilty, the FBI said.