The case of a hacker who allegedly provided ISIS with a “kill list” Americans — ranging from diplomats to lowly bureaucrats, according to an NBC News review — shows that online intrusions can put a lot more than your credit rating at risk.
That was the message Friday from the Justice Department’s top counter-terrorism prosecutor, who said in a speech that “crowdsourcing terrorism” is a new phenomenon — and a real threat.
"Hackers a world away can intrude into our homes with the push of a button, to steal from us, to gather intelligence that can be used against us, and even to try hurt or kill us," John Carlin said at the Roger Williams University Law School in Providence, Rhode Island.
"We have long warned about the convergence of terrorism and the cyber threat, but this case is a first of its kind."
Carlin’s comments came a day after the Justice Department charged Ardit Ferizi, a Kosovo hacker living in Malaysia, with giving ISIS 1,351 out of 100,000 names stolen from the Phoenix server of an unnamed U.S. retailer. A social media guru for the terror group disseminated it with the threat to "strike at your neck in your own lands."
The people on the list ranged from soldiers to bureaucrats and were tied to the State Department, foreign embassies, the armed services, NASA, USAID and even local agencies like the New York City school system and an Alabama health agency.
While people from U.S. allies like Australia and the United Kingdom were also included, the overwhelming majority were Americans.
One person on the list, a social-services provider in Maryland, told NBC News he was surprised to get a call from the FBI about a month ago but said it had not caused him much worry.
“They said they didn’t think it was a high-level risk,” he said. “I was a little more vigilant at first. But then I kind of forgot about it.”
A couple of the people on the list claimed they were not aware of it. One person who worked for a local agency in the New York area had the deputy police chief in his hometown call to decline comment.
Ferizi, alleged to be an ISIS sympathizer, was arrested early Friday, Malaysia time, and will be transported to Virginia for arraignment. He faces charges of providing material support to ISIS along with computer related offenses.
The criminal complaint filed by the U.S. attorney in Alexandria, Virginia, says Ferizi, who uses the alias "Th3Dir3ctorY," stole the personal information of "approximately 100,000 people" from the retailer on June 13 — then stripped out those he believed were from the military or government.
Evan Kohlmann of Flashpoint Intelligence, an NBC News counterterrorism analyst, surmised that Ferizi simply zeroed in on emails that ended in .gov and .mil, regardless of their actual job description. He called the scheme “crude but effective.”
Before the hack, Ferizi had already been in contact with Junaid Hussain, also known as Hussain al Brittani, a British-born hacker and ISIS social media guru, the complaint says.
Authorities believe Hussain inspired a number of "lone wolf" attacks in the U.S., including the ambush of a Prophet Mohammed cartoon contest in Garland, Texas. He allegedly communicated over the Internet with Usaama Rahim, who was on his way to kill cops when he was shot to death by the FBI and Boston Police, and with four men in New York and New Jersey who expressed allegiance to ISIS and were later indicted.
In July, Ferizi supplied the list to Hussain, who distributed it Aug. 11 under the rubric of the "Islamic State Hacktivist Division” with a threat attached:
“O Crusaders, as you continue your aggression towards the Islamic State and your bombing campaign against the Muslims, know that we are in your emails and computer systems, watching and recording your every move, we have your names and addresses, we are in your emails and social media accounts, we are extracting confidential data and passing on your personal information to the soldiers of the khilafah, who soon with the permission of Allah will strike at your necks in your own lands!"
Thirteen days later, Hussain was killed in a U.S. Predator attack near Raqqa, Syria, the purported capital of the Islamic State.
In the weeks before and after the distribution of the list, the complaint alleges, Ferizi communicated with the hosting service of the company, threatening that if they removed his malware, "bad things will happen to you," including publishing the names of "every client on this Server."
At one point, he tried to blackmail the company by demanding "two bitcoin," approximately $500, in return for stopping his attacks and revealing how he had carried them out, the court papers say.