A cybercriminal covered all his tracks—and then he verified his PayPal account

At the beginning of May, a San Francisco-based tech firm called Scale AI contacted the FBI after discovering its internal computer network had been hacked. Roughly $40,000 had been drained out of its accounts, $140 at a time.

The company, which processes code for autonomous vehicles, had been under attack for months, according to an FBI affidavit obtained by Quartz. The skillful hacker was diligent in covering his tracks, except for one small detail: He used his real phone number to verify his PayPal account.

Countless numbers of people and companies are victimized by cyber attacks each year. By some estimates, annual losses due to cybercrime could reach $6 trillion by 2021. And the US is the world’s top target. Law enforcement is under constant pressure to keep up with fast-changing technologies and the corresponding strategies hackers use to breach the latest safeguards and protections. But with just about every aspect of modern life networked together in one way or another, it is extremely difficult to carry out a cybercrime today without leaving clues.

Milan Patel, a former top FBI cybercrime investigator, said those small mistakes are often what lead to a hacker’s capture.

“Whether it’s verifying a PayPal account, or that one time where their VPN wasn’t working and they decided to use their regular IP address at home, there’s always some little thing that catches them up,” Patel, now retired and working in the private cybersecurity sector, told Quartz. “There are so many artifacts left behind in a digital heist.”

Patel said that every cybercriminal has a real life outside of what they’re doing online. “It’s only a matter of time before you connect their underground life to their real life to figure out who they are,” he said.

The first attack on Scale AI occurred in early 2019, when someone broke into its back-end database and began diverting legitimate payments to an anonymous PayPal account linked to a fake name. About 100 such deposits, for $140 each, were made during this period. The account was linked to “[email protected],” and the intrusions had come from an IP address that resolved to a location in Thailand.

Although Scale AI tightened its security protocols following the incident, whitelisting known IP addresses and restricting others, a second set of intrusions occurred a short time later. This time the hacker managed to alter 30 bonus payments of $140 each, once again funneling them to a PayPal account maintained by “Bruno Day.”

At the end of June, Scale AI was hit again. Approximately $15,000 in bonus payments were siphoned off during this latest intrusion, but these went to a different PayPal account, one linked to “[email protected].”

That’s when the FBI dug into PayPal’s logs and transaction history for both accounts. Between February and June, the one registered to “Bruno Day” had received more than 190 payments from Scale AI, for a total of more than $26,000. The one linked to dragonball844 revealed the subscriber’s name as “Victor Montoya,” and that it received more than 70 payments from Scale AI for more than $13,000.

Neither of the names was real, and neither provided any answers. A heavily redacted complaint filed in federal court says an internal investigation by Scale AI revealed “the destruction of payment database logs.” Whoever did it had used a VPN to access the system from Thailand.

But both of the PayPal accounts had been verified with the same mobile phone number, which the FBI traced back to Shariq Shahab Hashme, a 25-year-old computer engineer who, it turns out, worked for Scale AI. Compounding the problem for Hashme, the PayPal accounts were linked to two Bank of America accounts, one in Hashme’s name, that had both been accessed from IP addresses in Thailand around the time of the hacking incidents.

Scale AI is a Silicon Valley “unicorn.” The company was founded by Alex Wang, a former engineer at Quora, and has raised more than $120 million in funding with investments from top-tier venture capital firms such as Y Combinator and individual investments from, among others, Dropbox founder Drew Houston and Twitch founder Justin Kan.

Hashme, who is a UK citizen, had to leave the US when his work visa expired in April, according to court filings. Hashme continued working for the company as a contractor from abroad. On Aug. 7, the FBI got a tip that Hashme would soon be flying back to the US. He was arrested after touching down at San Francisco International Airport on Aug. 10.

“Scale AI has been cooperating with authorities in the investigation and arrest of a former employee,” a company spokesperson told Quartz. “This individual has been terminated from Scale. Since this is a confidential employee matter, Scale cannot discuss or provide further details, however, we can confirm that customer data and employee safety have not been at risk.”




