Spanish hacker Alcasec faces 3 years in prison for data theft affecting more than 550,000 people

The National Court prosecutor is requesting three years in prison for José Luis Huertas, known as Alcasec, for attacking the website of the Neutral Judicial Point (PNJ) of the CGPJ. The hacker managed to extract bank data of more than 571 thousand taxpayers, an attack that allowed him to make profits in the millions by selling this information.

The prosecution applies the highly qualified mitigating circumstance of late confession, which reduces the penalty requested for continuous illegal access to computer systems and for the discovery and dissemination of secrets. His collaboration with the justice system led to the confiscation of 863,000 euros from the sale of stolen data.

The others involved in the case

The situation is different for the other two defendants. For Daniel Baíllo, another hacker involved, the prosecutor requests 4 years and 4 months in prison for a continuous crime of illegal access to computer systems and another of discovery of secrets. In addition, he is considered a necessary cooperator in the dissemination of secrets attributed to Alcasec.

The third defendant, Juan Carlos O., faces a penalty of 3 years and 4 months in prison as the material author of a crime of discovery of secrets. According to the investigation, he bought 1,247,727 records worth 109,876 euros with the intention of profiting from them.

The system access method

The sophisticated attack began in October 2021, when Alcasec contracted two mass storage systems from a Lithuanian company, using an email account created while he was a minor to hide his identity.

For illicit enrichment, he obtained from Baíllo a stolen digital certificate issued by the FNMT to the DGT. This certificate allowed him to connect remotely to traffic systems and access the police network through an internal DGT IP address.

Using these credentials, 876 connections were made to the National Police portal between July 2022 and the date of its detection. These facts are being investigated separately by Court of Instruction No. 50 of Madrid.

Infiltration of the judicial system

Once inside the police intranet, Alcasec obtained the credentials of a National Police officer and managed to navigate SARA (the Applications and Networks System for Administrations).

This access allowed him to connect to the Neutral Judicial Point site of the CGPJ, from which he obtained the credentials of a user at a Bilbao court, which he used to verify the operation of the system.

Together with Baíllo, he created a fake website posing as the PNJ access portal to capture more credentials. Baíllo registered the malicious domain “CGPJ-pnj.com”, with a subdomain pointing to an IP address located in Russia.

The theft of massive data

After accessing the PNJ with the captured credentials, Alcasec sent communications to different courts with links that redirected to his fake page, thus obtaining the passwords of other users of the judicial system.

With the credentials of two judicial employees who fell into the trap, 438,099 requests were made to the Tax Agency's “Extended Banking Accounts” web service, followed by a second attack.

The CGPJ blocked the compromised accounts upon detecting suspicious activity and reported the facts to the National Court. With the help of the National Cryptologic Center (CCN), the fake page was blocked.

The scope of the attack and the sale of data

According to the CCN, the entities affected by the data theft were the Cadastre, the Tax Agency, the DGT, the INE, Social Security, the SEPE and the National Police. The Tax Agency confirmed that these mass queries affected 571,210 unique individuals, while earlier individual queries affected 373 NIF numbers, some belonging to people of public relevance.

To market the stolen data, Alcasec created the portal USMS, with 574,908 records extracted from the PNJ. Transactions were made through the Plisio cryptocurrency payment portal.

The portal, which had as many as 17 databases for sale, had 1,746 registered users, of whom 518 made purchases corresponding to more than 30 million records sold, generating revenue of 1,866,175 euros.
