A key member of the ShinyHunters cybercrime group is facing three years in the slammer and being forced to return $5 million in criminal proceeds.
Sebastien Raoult, 22, was in charge of developing websites for ShinyHunters that mimicked the real login pages of major brands. The group would send phishing emails to employees directing them to the fake sites Raoult made, which then harvested the credentials victims entered.
From there, the group would break into victims’ accounts to steal sensitive, personal, and financial data, before selling it on various dark web marketplaces and cybercrime forums. In some cases, ShinyHunters would also demand a ransom payment from the owner of the stolen data, threatening to leak it if a payment wasn’t made.
The stolen data would be searched for additional credentials that granted access to additional data held on companies’ networks and third party services such as cloud storage providers.
The French national worked for ShinyHunters for more than two years, according to the US Attorney’s Office for the Western District of Washington. According to estimates, the large volume of sales during this period netted the group more than $6 million.
“For over two years, Mr. Raoult participated in extensive computer hacking that caused millions of dollars in losses to victim companies and unmeasurable additional losses to hundreds of millions of individuals whose data was sold to other criminals,” said Sarah Vogel of the Western District of Washington.
“Mr Raoult’s motive was pure greed. He sold hacked data. He stole people’s cryptocurrency. He even sold his hacking tools so that he could profit while other hackers attacked additional victims.”
More than 60 companies are thought to have been breached by the gang. While they haven’t received official props for the attacks, ShinyHunters has laid claim to quite a few high-profile incidents including AT&T Wireless and Microsoft.
“The lengths to which Mr. Raoult and his co-conspirators went to steal personal and financial information are remarkably devious, and he played a substantial part in the scheme by creating code and phishing websites,” said Richard A Collodi, special agent in charge of the FBI’s Seattle field office.
“Thanks to the diligent work of federal and international law enforcement, Mr Raoult will be held accountable for his cybercrimes, which caused millions of dollars of harm to companies and customers.”
Raoult told the court he understood the significance of his crimes and promised to give up cybercrime, saying he didn’t want to further disappoint his family.
US District Judge Robert S Lasnik said he believed the gravity of Raoult’s sentence had “gotten through to [him]” but still asked his family to monitor his activities when he returns to France to ensure he doesn’t return to criminality.
Raoult was extradited to the US in late December 2022 after he was arrested in Morocco earlier that year. France declined to extradite him back so the US was ultimately able to agree to extradition with Morocco.
The three-year sentence is broken down into 12 months for the conspiracy to commit wire fraud charge and 24 months for the aggravated identity theft charge, with credit for the time Raoult served while jailed in Morocco, according to court documents [PDF].
He will be under supervised release for a further 36 months after his sentence is served.
Also included on the original indictment [PDF] were Gabriel Kimiaie-Asadi Bildstein, 23, of Tarbes, France, and Abdel-Hakim El Ahmadi, 23, of Lyon, France, though they have yet to be sentenced. ®