Card Not Present Fraud , Fraud Management & Cybercrime , Governance & Risk Management
Hacker Twins Get Light SentencesComputer Prodigies Pleaded Guilty to State Department Intrusion, Fraud
Twin brothers Muneeb and Sohaib Akhter, 23, of Springfield, Va., faced the prospect of serving decades in prison after they pleaded guilty to a number of hacking-related charges, including accessing U.S. State Department systems to steal passport and visa information, as well as stealing 3,000 payment cards and committing about $30,000 in fraud (see Twins Plead Guilty to Hacking Schemes).
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
But at an Oct. 2 hearing in federal court, Judge T.S. Ellis III sentenced Muneeb Akhter, who had faced up to 50 years in prison, to serve a 39-month sentence, and Sohaib Akhter, who faced up to 30 years in prison, to serve a two-year sentence. The sentences are unusual for the United States, which often imposes much harsher sentences for computer crimes compared to its European counterparts (see Young Hackers: Jail Time Appropriate?).
Muneeb Akhter pleaded guilty in June alongside brother Sohaib Akhter, both 23, after they were accused of multiple schemes that included illegally accessing U.S. Department of State passport and visa information and downloading malware onto the agency's networks; hacking into an e-commerce firm; as well as using stolen payment card data to purchase everything from airline tickets and hotel stays to computers and registration for professional IT conferences. And despite the relatively lenient sentences, they nevertheless represent a stark shift in fortunes for the brothers, who both graduated from George Mason University at the age of 19 - the youngest in their class that year - and who had been lauded as being computer prodigies, before pleading guilty in June to some of the charges filed against them.
"The Akhter brothers' misuse of their computer skills harmed numerous individuals and companies, and their efforts to gain clandestine access to State Department systems represented a threat to national security," says Dana J. Boente, U.S. Attorney for the Eastern District of Virginia. "Electronic barriers are no less real, or legitimate, than physical ones. This prosecution sends a clear message to anyone else attempting to weaken the cybersecurity of institutions or use computers to commit crimes."
National Security Concerns
Sohaib Akhter, a former U.S. government contractor, received a two-year sentence, as prosecutors had requested, based in part on national security grounds (see How Many Contractors Run Fed IT?). "Sohaib Akhter used his contract position at the State Department to illegally access, and in some circumstances download and remove, sensitive passport information belonging to 62 different individuals, including coworkers, acquaintances, [a] CEO ... and even a [Department of Homeland Security] special agent investigating the crimes for which the defendant will be sentenced," prosecutors wrote in a memorandum to the court.
Meanwhile, prosecutors had pushed for a six-year sentence for Muneeb Akhter, arguing that "the defendant's repeated misuse of his computer skills demonstrates that he remains a substantial threat to the personal security of numerous individuals, as well as a threat to national security." Instead, however, Muneeb Akhter received just a 39-month sentence.
Muneeb Akhter's relatively lenient sentence may be related to a Sept. 29 pre-sentencing court document filed by his defense counsel - attorney Joseph J. McCarthy of Delaney, McCarthy & Colton P.C. - which highlighted how Akhter had previously been the CEO and president of his own company, Warden Systems, and won a contract worth approximately $190,000 from the U.S. Defense Advanced Research Projects Agency shortly after graduating with an undergraduate degree from George Mason University. According to the court document, the DARPA contract ran from November 2012 to February 2013. Shortly thereafter, when Akhter's maternal grandmother had difficulty making mortgage payments, Akhter applied $135,000 of what he'd earned from the contract to help her pay off her mortgage on the house, where he lived with his mother and siblings.
Akhter's defense counsel also highlighted how as an undergraduate, Akhter had worked as a teaching assistant and used $7,000 earned from that job to help two fellow students pay for books and tuition. "True, these two students were young women in whom Mr. Akhter had interest," McCarthy said in the court filing. "True also, however, both of these young women terminated what Mr. Akhter understood to be friendships once he paid their tuition bills. Counsel believe these gestures reveal a gullible side of Mr. Akhter's character, expressed by a repetitive willingness to assist others at his own expense, also lost in the government's narrative."
The relatively lenient sentences may also be related, in part, to the letters of support that were written for both men by a number of individuals, including their mother and father, grandmother, sister and extended family and friends, according to court documents. They show too that the director of software for optical equipment company Thorlabs Imaging Systems wrote that his company had employed Sohaib Akhter as a contract employee since mid-September and that he had been "a positive addition to the team."
Finally, in a Sept. 21 court document, Muneeb Akhter argued that prosecutors' recommended six-year sentence was "unprecedented" and violated the terms of the plea bargain that he had signed.
The brothers were first indicted by a federal grand jury on April 30 via a 12-count indictment, which charged them with wire fraud, unauthorized computer access and conspiring to access a government computer without authorization. The government said the pair also targeted a DHS agent who was investigating them, with Muneeb Akhter telling his brother that the agent's personal details would be "extremely valuable to criminals and that he could either use the information himself or sell it on the 'dark net,'" according to court documents.
Muneeb Akhter also faced additional charges involving unauthorized computer access, making a false statement and obstructing justice. "Beginning in or about March 2014, Muneeb Akhter hacked into the website of a cosmetics company and stole thousands of its customers' credit card and personal information," according to a U.S. Department of Justice statement. "The Akhter brothers and co-conspirators used the stolen information to purchase goods and services, including flights, hotel reservations and attendance at professional conferences. Muneeb Akhter also provided stolen information to an individual he met on the 'dark net,' who sold the information to other dark-net users and gave Akhter a share of the profits."
As part of his plea agreement, Muneeb Akhter pleaded guilty to six of the charges filed against him, including conspiracy to commit wire fraud, unauthorized access to a computer, conspiracy to access a government computer without authorization, making a false statement as well as obstructing justice by purchasing an airline ticket for a co-conspirator to allow him to flee to the Republic of Malta, to avoid having to talk to federal investigators.
In a statement of facts, Sohaib Akhter agreed with three of the charges filed again him, confirming that the brothers - together with a third man, named in court documents as Musaddiq Ishaq - defrauded multiple businesses, including U.S. Airways and Expedia, for a total of about $30,000. Prosecutors didn't immediately respond to a request for comment about whether Ishaq faces any related charges.