Anti-Phishing, DMARC , Card Not Present Fraud , Cybercrime

Hacker Who Sold Financial Data Receives 10-Year Sentence

Grant West a 'One Man Cybercrime Wave,' Judge Says; Bitcoins Still Missing
Hacker Who Sold Financial Data Receives 10-Year Sentence
Grant West pleaded guilty to conspiracy to commit fraud and computer misuse, among other charges. (Photo: Met Police)

An English man who hacked into more than a dozen businesses, stole payment card information, ran phishing campaigns that spoofed 100 different businesses, sold people's financial details and published "how to" guides for hackers and fraudsters has been sent to prison.

See Also: Strengthening Microsoft 365 with Human-centric Security

Grant West, 26, from Sheerness, England, admitted to multiple offenses, including conspiracy to commit fraud, computer misuse, as well as various drug offenses.

On Wednesday at Southwark Crown Court in London, Judge Michael Gledhill sentenced West to serve 10 years and eight months in prison. Gledhill called West a "a one man cybercrime wave" and noted that £1.6 million ($2.1 million) of cryptocurrency into which he converted his illicit profits remains unaccounted for, BBC reports.

"When such inadequate security is confronted with a criminal of your skills and ambition it is totally unfit for purpose and worthless," the judge reportedly told West on Friday. "This case should be a wake-up call to customers, companies and the computer industry to the very real threat of cybercrime."

West admitted to targeting more than 100 businesses worldwide via phishing attacks in a bid to steal their customers' email addresses and passwords.

Police say West began trading on darknet sites in March 2015 and ultimately logged more than 47,000 sales from his online shop.

"This prosecution was able to prove that Grant West was the prolific cyber hacker known as Courvoisier. West was caught by police conducting attacks on company websites," says Sarah Jennings, a specialist prosecutor in the London Crown Prosecution Service's complex casework unit.

Courvoisier was tied to at least 47,000 sales via darknet marketplaces, including AlphaBay. (Source: Met Police)

"He sold the lists of financial information to make money and even used stolen credit card details to pay for holidays, food and shopping," Jennings says. "In the end, West had no alternative but to plead guilty due to the overwhelming evidence."

Brute-Force Attacks via Sentry MBA

Prosecutors say West used Sentry MBA, a popular credential-stuffing attack tool, to launch brute-force attacks against the websites of Uber, grocery store chains Asda and Sainsbury's, mobile phone giant T-Mobile, the British Cardiovascular Society, bookmakers Coral Betting and Ladbrokes, as well as a Finnish bitcoin exchange, among others.

The main interface for Windows brute-force hacking tool Sentry MBA. (Source: Shape Security)

Using the online handle "Courvoisier" - a brand of cognac - West sold stolen information on various dark web sites, including Alphabay, police say. Such dark web, aka darknet, sites can only be reached using the anonymizing Tor browser. But they are not immune to being monitored and seized by authorities, as the takedown of Alphabay and Hansa in July 2017 demonstrated (see One Simple Error Led to AlphaBay Admin's Downfall).

Prosecutors told the court that information sold by West led to the theft of £84,000 ($112,000) from accounts held at Barclays, leading to cleanup and remediation expenses of £300,000 ($400,000) for the bank; and that his actions also led to losses of £400,000 ($533,000) for British Airways after accounts for its Avios reward program were hacked, BBC reports.

London's Metropolitan Police Service says West illicitly profited from these deals in the form of bitcoin cryptocurrency, which he stored in multiple accounts.

Arrested on a Train

Following a two-year investigation, West was arrested in September 2017 while traveling in a first-class rail carriage to his home in Kent, after visiting his then girlfriend, Rachael Brookes, 26, in Wales. Authorities said West was accessing darknet marketplace sites at the time of his arrest.

Rachael Brookes, West's former girlfriend, on March 7 pleaded guilty to unauthorized use of computer material and on May 2 was sentenced to a two-year community order. (Photo: Met Police)

After arresting West, police raided his home and various storage units he'd rented, where they found an SD card containing 63,000 credit and debit card details, 78 million email addresses with passwords and information stolen from more than 500 businesses. Police also seized half a kilogram (1.1 pounds) of cannabis, £25,000 ($33,000) in cash, and more than £500,000 worth of bitcoins.

"This is the first time we have seized a cryptocurrency and we are determined to remain one step ahead of cybercriminals who believe they can act with impunity," says Detective Chief Superintendent Mick Gallagher, head of the Met's organized crime command.

Earlier this month, Brookes - now West's ex-girlfriend - pleaded guilty to using two people's stolen details to buy a bikini online, the Guardian reported. She received a two-year community order, meaning she'll avoid jail time in return for community service and meeting an imposed curfew.

Phishing Attack Spoofed 'Just Eat'

One of West's corporate victims was Just Eat, an online food order and delivery service. In the last six months of 2015, West ran a phishing campaign - disguised as legitimate communications from Just Eat - that he targeted at 165,000 individuals whose email address details he'd obtained. Just Eat said it had to spend £200,000 ($266,000) in response to the attacks.

West used fake emails that appeared to be from Just Eat to obtain victims' personal details. (Source: Met Police)

West launched some attacks from Brookes's laptop, on which he stored stolen usernames, email addresses and passwords - known as "fullz" - for more than 100,000 individuals, police say.

The Met Police say they launched their investigation into West's activities after receiving a referral from Action Fraud, the U.K.'s national fraud and cybercrime reporting center (see FBI to DDoS Victims: Please Come Forward).

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.