IT Security: Hacker alleged to have blackmailed PC users

Luis Mijangos, 31, of Santa Ana, California, was arrested without incident at his residence by special agents with the Federal Bureau of Investigation.

The arrest of Mijangos, which was pursuant to a criminal complaint filed last week in United States District Court, follows a six-month FBI investigation into his involvement in computer hacking, identity fraud and video voyeurism (is that really an offence or have the FBI made it up?).

FBI computer forensics experts have determined Mijangos infected more than 100 computers that were used by approximately 230 individuals, at least 44 of whom were juveniles.

The affidavit in support of the complaint outlines a series of schemes that all involve Mijangos using peer-to-peer networks to infect computers around the world with malicious computer code. Mijangos induced victims to download the malware onto their computers by making the files appear to be popular songs. After the victims downloaded the malware, Mijangos was able to control their computers, allowing him to send instant messages containing malware from those computers to other people in the victims’ address books. These later victims thought they were receiving messages from friends or family members.

Mijangos infected victim computers for a variety of purposes, according to the complaint, that outlines several types of criminal conduct.

Once he had control of a computer, Mijangos searched for sexually explicit or intimate images and videos of women, typically young women and girls in various states of undress or engaged in sexual acts with their partners. Mijangos contacted the female victims, informing them that he was in possession of intimate images and videos and threatening to distribute those stolen images and videos to every addressee in the victims' contact lists unless they made additional videos for him. Mijangos also told his victims that, because he controlled their computers, he would know if they attempted to contact the authorities, and he threatened to retaliate against them by releasing the images and videos if they called the police. According to the affidavit, Mijangos told one victim that she did not want to “mess” with a team of hackers.

Mijangos also installed a “keylogger” on victims’ computers that allowed him to record every key that was struck on the keyboards of the infected computers. Because the users of those compromised computers were unaware that their computers had been infected, they continued to use their computers to engage in commercial and social activities. Mijangos used the keylogger to steal credit card numbers and personal identifying information that he used to engage in identity theft and to purchase merchandise, the affidavit states.

Mijangos also used stolen usernames and passwords to access victims’ e-mail and social networking sites to further his extortion scheme. After hacking e-mail accounts belonging to victims’ boyfriends, Mijangos contacted women and teenage girls and, pretending to be their boyfriends, asked them to create pornographic videos for him. Once he had those videos, Mijangos again contacted the victims, this time using an alias, to demand more pornographic videos under threats of distributing the videos previously sent to him.

With his control of the victims’ computers and all of their functions, Mijangos was able to remotely access victims’ webcams and to turn them on from time to time in an attempt to catch the victims in intimate situations. Occasionally he was successful.

During the execution of a search warrant at his residence, Mijangos was interviewed by FBI agents. According to the affidavit, Mijangos acknowledged that he hacked into computers, but claimed that he did so at the request of boyfriends and husbands who sought to determine whether the women were cheating on them. Mijangos acknowledged that he asked for additional sexual videos but only to determine whether the women would actually do it. Mijangos also admitted his involvement with an international network of hackers and his participation in credit card fraud.

No plea has yet been entered.