“Mr. Zilterio” is hardly shy about the havoc he wreaks at his computer. “Blackmailing is just a hobby for us, not a business. We like to be famous,” he says in an e-mail interview with MSNBC.com. For over a year, Zilterio has been hacking into online companies and financial institutions, stealing data, then demanding extortion payments. Nine firms have paid him $150,000 “quiet money,” he claims. While the money may in fact be a fantasy — there’s no proof anyone has paid — the crimes are quite real, and he’s being sought by the FBI for extortion.
The e-mails always look the same, as if cut-and-pasted by someone on an assembly line: “I hate to inform you that your account has been hacked.” Tens of thousands of Internet users have received a note beginning like that from Zilterio, whose real identity is a mystery. It’s followed by personal details, such as name, address, e-mail address, and credit card numbers — and finally, the name of the Web site where the data was taken.
“This site has a very weak security protection system and the database with credit cards and other personal information is not protected at all,” Zilterio’s e-mails continue, in a transparent attempt to shift the blame for his crime. It’s their fault, because the company rejected his offer of “help,” the e-mails say. “Top management ... doesn’t care about their customers — you. They care only about their money.”
Of course, Zilterio cares about the money too. In four high-profile extortion attempts which have been made public since October, he’s demanded close to $100,000. None of the victims paid.
Zilterio sent an unnerving e-mail to many of the 350,000 customers at Webcertificate.com last fall. Just a month ago, people who shopped at electronics retailer TheNerds.net got their share of Zilterio spam. He’s still threatening to release data taken from LinkLine, a small Internet service provider. And in April, Zilterio sent e-mails to reporters announcing he had stolen data from Fahnestock & Co. a stock brokerage.
All four firms have indicated they are working with federal authorities, including the U.S. Secret Service and the FBI, to help track down Zilterio.
The FBI declined to discuss its ongoing investigations while the Secret Service said it had no current investigation of Zilterio.
But there are more than the four rather public extortion attempts. Mark Burnett, a private investigator hired by one of Zilterio’s victims, told MSNBC.com that several other extortion attempts have been kept quiet, and at least one victim has chosen to negotiate with the criminal. Another source familiar with the hunt for Zilterio said investigators believe he might be responsible for hundreds of computer break-ins.
Zilterio said he has stolen data from over 15 companies, claiming nine have paid him off — eight U.S. companies, and one in Europe, to the tune of $150,000.
“Usually they pay $15-20,000. We ask for 30-40, but they pay only 50 percent of our request,” he said.
Thousands of bank statements taken
Zilterio also claimed his latest victim was a small mid-America bank named Home National Bank. In part to establish his identity, Zilterio told MSNBC.com he had accessed critical data at Homenational.com, the online arm of Home National Bank, a bank with 11 branches in Kansas, Oklahoma and Arizona. In an e-mail to MSNBC.com, Zilterio sent some of the data he had allegedly taken from the bank to prove he had accessed their systems.
In the e-mail were thousands of customer bank statements, similar to the monthly statements mailed to homes and businesses. They included Social Security numbers, checking and savings account numbers, balance information — even lists of ATM withdrawals and cleared checks.
MSNBC.com provided the data to Home National to seek verification, but Home National’s director of operations, Joe Spiser, said the bank had “no comment” on the alleged incident.
The data revealed very personal details — the amount of one customer’s Social Security check was visible, and another customer, sporting a balance of $99,000, ordered new checks for $41.50.
Zilterio claimed to have 500 megabytes worth of these bank statements. He said he had tried to contact Home National, but had yet to hear back from the company.
Zilterio was relatively generous with his replies after initially contacting MSNBC.com, admittedly looking for publicity.
“I do want fame only for one reason,” he wrote. “To show our future clients, that we don’t play a game, but all we offer is for real.”
Zilterio, he claimed, is actually a group of eight hackers — three in Moscow, and five elsewhere in Russia. “Mr. Zilterio,” the correspondent and appointed spokesperson, wrote in good, even colloquial English, suggesting he’s either well educated, or lying.
As usual, the alleged computer criminal offered twisted logic to defend his actions. Essentially: Web sites don’t care about security, and if we break in, it’s their fault.
On a Web site devoted to the group’s effort, there’s an extortionist’s manifesto, of sorts:
“The situation with online security is very and very dangerous now. Almost 75 percent of all big e-commerce sites can be breaken in less than 2 hours. Customers should not trust these sites, but they do. These online shops and banks don’t pay enough to their software developers and technical directors maybe. We don’t know why, but this is what we have now.
Our mission is to help companies to protect their customers’ data. There are many skilled hackers in our team. We can break almost any modern computer system, including online banks and big online shops. When we get access to such systems we notify their owners about it. Some companies are ready to cooperate and they get our help. We send them instructions about how to improve their systems and later we track the process of this improvement. These companies care about their customers.
But some Internet sites don’t want to cooperate. In this case we notify all their customers about existing security loopholes. We do it to protect people against further lost of personal information. This is our mission.”
The Web site was removed soon after it was viewed by MSNBC.com.
Auction, credit card fraud
The group’s name, Zilterio, has no special meaning, he said.
“Zilterio — just a name. FBI asked me the same. Maybe you work for them?” he answered.
And extortion is just their hobby, he said. The group spends most of its time engaging in other computer crimes, like “auctions fraud, credit card fraud, direct bank hacking,” though he admits it’s recently become harder to run fake electronics funds transfers through the U.S. system. That means most of their money comes from credit card fraud.
He also claimed the group gained income the old-fashioned way, promising protection to any firm which paid them off.
“We never reveal information about companies who cooperate with us,” he wrote, and again couldn’t provide any evidence that anyone had cooperated with them. “We help them to protect their systems against future possible attacks. And we monitors their systems in the future.”
Not afraid of FBI
The group has done just about everything — except, until now, granting an interview — to call attention to itself. With each extortion attempt come dozens of clues: e-mail addresses, IP addresses, computer logs. Is the group afraid of getting caught? After all, last year, Russians Alexei Ivanov and Vasily Gorshkov were arrested in Seattle for extorting Internet companies after they were lured to the U.S. by FBI agents.
Not at all, Zilterio said, taking a potshot at the FBI.
“Several FBI agents tried to catch me and my partners. They are not professionals, as we see for now. They even can’t do a detailed tracing of bank transactions,” he said.
There may be truth to that claim, said Burnett, a private investigator who was hired to hunt for Zilterio after the group stole information from a firm that provides data to “financial companies.” He declined to name the victim.
“He had the information for each customer of each of those companies,” Burnett said. “In all, he was asking for probably $200k-$300k in extortion money. None of these companies paid him and all worked with the FBI.”
But the FBI didn’t work with Burnett.
“What was interesting through all this was the lack of effort on the FBI’s part. They did very little investigation themselves,” Burnett said. “Most of the investigation work was done by myself. I tracked him down to a prepaid dialup ISP account in Ukraine. I had very strong evidence backing this all up, but I never heard anything more from the FBI about it,” he said. “It’s quite amazing that with all the e-mail accounts, break-ins, domain registrations, web hosting, etc. there must be a ton of evidence to track this guy down. .... I’d say the FBI is seriously dropping the ball on this case.”
Zilterio may be smart, but he — or they — is not perfect. Burnett said bank investigators have tracked and stopped any number of electronics transfers Zilterio attempted, including attacks on well-known banking Web sites.
During the Webcertificate.com incident, Zilterio mistook temporary Webcertificate.com numbers for credit card numbers. Repeated attempts to embarrass the company with e-mails to customers actually backfired, since the Webcertificate numbers were easily voided. A $45,000 payment demand was ignored because the stolen data was almost worthless, according to the company.
At other times, Zilterio’s actions have seemed a bit random, as if chaos was more the goal than financial gain.
On the group’s now-vanished Web site, Zilterio hinted he was behind the Egghead.com credit card hack in December 2000, perhaps the most famous e-commerce credit card heist. Initially, the firm suggested 3.7 million card numbers were taken, but later, indicated a far fewer number had actually been downloaded. Still, the incident was costly for card-issuing bank, as many customers demanded replacement credit cards.
Zilterio even seemed a bit naive during negotiations with Fahnestock. According to an e-mail exchange he provided to MSNBC.com, he believed the company when it suggested his extortion terms were “reasonable” and it would pay for protection, “but then decided to refuse,” he said, seemingly unaware that the firm might have been merely stringing him along in cooperating with an FBI investigation, as other firms have done.
Passport as insurance
The exchange shows how unsophisticated the operation can be. As security that the data wouldn’t be released after payment, Zilterio offered Fahnestock “an ensurance document from me. It will contain my name, copy of my passport and you will send money to my personal account. If I try to do something with this info in the future, you will forward this document to FBI and I will have problems, as you understand. But if you will forward this document to cops before you pay me — my friends will send this info to public. Even if cops will catch me.”
The exchange happened in December, but Zilterio didn’t follow through on a threat until April 1, when several reporters received e-mails claiming Fahnestock data had been compromised.
Then last month, when Zilterio sent e-mails to customers of TheNerds.net, he had yet to make any demands on the company. TheNerds.net site operator Jeremy Schneiderman was left confused, merely assuming an extortion note may come eventually. But as of June 19, no demand had been made on TheNerds.net. A spokesperson for Fahnestock said the firm hadn’t heard anything more from the criminal since the April 1 e-mail.
“My guess is he’s sending out a couple of e-mails saying ‘Here’s what I can do to you,’” Schneiderman said when the hack was first announced.
More extortion attempts coming?
And that is likely the reason he contacted MSNBC.com recently. Zilterio claimed to have information about a “very big and very famous U.S. payment system,” but declined to prove any details. If Zilterio has progressed from stealing meaningless Webcertificate numbers last August to thousands of bank statement records this spring, it’s conceivable he has committed more sophisticated crimes. But merely embarrassing the companies hasn’t worked in many cases — hence, perhaps, a new strategy for turning computer wits into dirty money. Zilterio just hasn’t revealed what that is yet.