[BreachExchange] Timonium hacker stole cryptocurrency, scammed influencers and avoided the feds — until he crossed his partners

Thu Oct 21 08:47:17 EDT 2021

https://www.baltimoresun.com/news/crime/bs-md-cr-chikri-hacker-swatting-20211019-3rjgptx3ifeeze3h6urq6orbpu-story.html

In the summer of 2019, the father of 20-year-old Jordan K. Milleson got a
phone call. The person on the other line told him that his son was a hacker
named “Chikri” who had stolen $20,000 from the caller.

Soon after, someone called Baltimore County Police and said he’d shot
someone at the Milleson home, and that he was armed and would shoot police
if confronted.

There was no such crisis unfolding — the call what was is known as
“swatting,” deceiving law enforcement to send a SWAT team by calling in an
emergency. And federal prosecutors say it came about because Milleson, who
had been hacking the social media pages and cryptocurrency accounts of
influencers and others for years through phishing e-mails, was ripping off
his co-conspirators, too.

Milleson, 22, pleaded guilty to federal identity theft charges in May and
was sentenced to two years in prison; on Tuesday, Kyelle Bryan, a
20-year-old Brooklyn, New York-based hacker who sent police to Milleson’s
home, pleaded guilty to a charge that also will send him to prison for two
years.

According to their plea agreements, Bryan and the others sought to learn
Milleson’s true identity, first determining he also went by the name
“Chikrit” and then learning his personal information. The indictment and
plea deal list a handful of anonymous victims, some they described as
influential or with large followings.

Milleson was charged with hacking two unidentified prominent social media
accounts in September 2017, which each had “hundreds of thousands of
followers,” his plea agreement says. Milleson’s attorney, federal public
defender Brendan Hurson, declined to comment Tuesday.

Prosecutors say that on June 14, 2019, someone working for a cryptocurrency
investment firm lost access to their phone as a result of what’s known as a
SIM swapping attack. Milleson was able to access the person’s digital
currency account, and transferred $2,182 out of the account, according to
his plea agreement.

SIM swapping allows a “scammer who knows your account password (to) call
customer care and ask to have the SIM card linked to your phone number
changed to a new SIM card and device, effectively taking over your phone
number,” according to the technology news website CNET.

Three days later, Milleson registered a fraudulent internet domain to
deceive others to believe it was associated with a wireless telephone
provider, in order to steal login credentials, prosecutors said. Milleson,
Bryan and others were able to gain access to the wireless provider’s
computer network through a victim who worked for the provider. The men then
took control of three people’s phones.

One of the victims, who is not identified in court documents, was the owner
of a digital currency investment and social media marketing company. The
hackers divided up tasks and took control of his digital currency exchange
account, and took $16,847.

But Milleson didn’t follow through on sharing the proceeds.

“You better hope no one has info on you,” Bryan warned in a chat among the
co-conspirators, then asked others if they “had Chikri’s ‘dox’”
information, referring to having personal information about someone.

Milleson was arrested in July 2020, and was interviewed and admitted to
taking part in numerous SIM swaps and crytocurrency thefts, which he
believed aggregated to about $200,000 worth of cryptocurrency.
Investigators weren’t able to confirm that amount.

Bryan faced several counts related to the hacking and swatting incidents,
but pleaded guilty to an aggravated identity theft charge, which carries a
mandatory penalty of two years in prison, which is also the maximum penalty.

Prosecutors read details of the swatting incidents into the statement of
facts.

U.S. District Court Judge James K. Bredar expressed disdain over the
sentence.

“Do you really think two years in prison is appropriate for what you just
described?” he asked Assistant U.S. Attorney Christopher Rigali, saying
that police officers and others had been put in danger by the swatting
incidents.

“I don’t agree with it, but it’s not up to me,” Bredar said later.

Bryan’s attorney, Richard Bardos, told Bredar that his client had matured
and grown since the hacking incidents. He’s been on pre-trial home
detention since his arrest, and restricted from using any device that can
connect to the Internet. Bryan declined to comment after Tuesday’s hearing.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20211021/f53b5ccd/attachment.html>