An Australian man, 24, who sparked a global law enforcement operation for allegedly creating and selling spyware purchased by domestic violence perpetrators and other criminals, has been charged by the AFP.
Article continues below
The man, who was 15 years old when he allegedly created the Remote Access Trojan (RAT), was scheduled to appear in Brisbane Magistrates Court on 29 July, 2022. The matter was adjourned until 19 August 2022.
In a world first for any law enforcement agency, the AFP was not only able to identify the alleged Australian offenders who bought the RAT but also identified the Australian victims who were targeted.
AFP investigators served a summons on the man at his Melbourne home on 6 July, 2022, to face six charges for his alleged role in creating, selling and administering the RAT between 2013 and 2019.
A woman, 42, who lives at the same Frankston home as the man, was served a summons to face one count of dealing with the proceeds of crime. She also faced Brisbane Magistrates Court on 29 July, 2022.
It will be alleged the Frankston man engaged with a network of individuals and sold the spyware, named Imminent Monitor (IM), to more than 14,500 individuals across 128 countries.
The AFP identified there were 201 individuals in Australia who bought the RAT. A statistically high percentage of Australia-based PayPal purchasers of IM RAT (14.2%) are named as respondents on domestic violence orders. Additionally, one of these purchasers is also registered on the Child Sex Offender Register.
Of the 14 individuals, 11 bought the RAT during the active period of their domestic violence order (DVO) or within two years a DVO was issued.
Once the RAT was installed on a victim’s computer, users could control a victim’s computer; steal their personal information or spy on them by turning on webcams and microphones on devices – all without their knowledge.
It could also log key strokes – meaning users could see what was being written in emails and other documents – such as the home address of a victim.
The spyware could be installed a number of ways, including phishing (duping a victim into opening an email or text message).
The AFP believes there were tens of thousands of victims globally.
In Australia, the AFP identified 44 victims. In October 2019, the AFP released an intelligence bulletin to Australian state and territory partners about a number of suspects in their jurisdictions.
AFP investigations are ongoing and it would be inappropriate to elaborate further.
The RAT cost about AUD$35 (US$25) and was allegedly advertised on a forum dedicated to hacking. It will be alleged the man made between $300,000 and $400,000 from selling the malware.
Financial analysis showed that most of the money raised from allegedly selling the RAT paid for the man’s food delivery services and other consumable and disposable items.
Operation Cepheus began when the AFP received information from cyber security firm Palo Alto Networks and the FBI about a suspicious RAT in 2017.
The information sparked a global investigation, which included more than a dozen law enforcement agencies in Europe. Eighty-five search warrants were executed globally, with 434 devices seized and 13 people arrested for using the RAT for alleged criminality.
A team of five AFP cybercrime investigators worked on gathering critical intelligence as well as shutting down the RAT. Once the AFP shut down the RAT in 2019, it stopped operating on all devices across the globe.
The same year, the AFP received admissible evidence from overseas law enforcement agencies that enabled the Australian man to be arrested.
The AFP-led investigation executed two search warrants in 2019 at the man’s then home in Brisbane. Investigators seized a number of devices including a custom-built computer containing code consistent with the development and use of the RAT.
Tips to protect yourself from remote access trojan malware:
Be aware of the infection signs:
• Your internet connection is unusually slow;
• Unknown processes are running in your system (visible in the Process tab in Task Manager);
• Your files are modified or deleted without your permission;
• Unknown programs are installed on your device (visible in the Add or Remove Programs tab in the Control Panel).
Protect yourself:
• Ensure that your security software and operating system are up to date;
• Ensure that your device’s firewall is active;
• Only download apps and software from sources you can trust;
• Cover your webcam when not in use;
• Regularly back up your data;
• Be wary while browsing the internet and do not click on suspicious links, pop ups or dialogue boxes;
• Keep your web browser up to date and configured to alert new window is opened or anything is downloaded;
• Do not click on links and attachments within unexpected or suspicious emails.
What to do if infected with the malware:
• Disconnect your device from the network as soon as possible, in order to prevent additional malicious activity;
• Install security software from a trustworthy source;
• Run a full scan of your device and remove threats by using a security software;
• Once you think the infection has been removed, change the passwords for your online accounts and check your banking activity. Report anything unusual to your bank and, as needed, to the Report Cyber website;
• Learn how to protect your computer from future infections and avoid data loss. ■