Chimichurri and Mango: the aliases given up by the hacker Alcasec

The judge proposes that the perpetrators of the theft of data on 500,000 taxpayers in a cyberattack on the judiciary be brought to trial


The judge of the National Court, José Luis Calama, has proposed that three people be tried for the cyberattack committed in October of last year on the Judicial Neutral Point (PNJ), the telecommunications network that connects the judiciary with other state institutions and which is managed by the General Council of the Judiciary (CGPJ). The judge classifies the matter as a continuing offence of disclosure of secrets (Articles 197.2, 3 and 6 of the Penal Code), consisting of accessing data using the illegally obtained passwords of two judicial officials, and of extracting the data of half a million taxpayers, which were later sold. The court also charged two of the defendants with illegal access to computer systems (Article 197 bis 1), while a separate case was opened against the third for fraud, in order to investigate the complaints of the affected taxpayers.

The PNJ suffered two cyberattacks, on October 18 and 20, 2022. In both cases, according to Judge Calama's order closing the investigation, the passwords of two officials of two criminal courts in Bilbao were illegally obtained and used to access the Tax Agency's (AEAT) "advanced accounts" database. On the first day the attackers managed to extract the bank details of 438,000 taxpayers, and on the second day those of 137,186 citizens. The phishing campaign that targeted justice administration officials and made it possible to obtain the credentials used in the attack relied on a malicious domain, cgpj-pnj.com, a look-alike of the legitimate CGPJ and PNJ names, registered through a company, Eranet International Limited, based in Hong Kong (China). All the stolen material was transferred to two servers hosted in Lithuania and then, as Judge Calama describes, sold to third parties via the USM platform with payment in cryptocurrency.


The investigation, carried out in strict secrecy for several months, led to the arrest of three people whom the court now wants to bring to trial. Two of them, José Luis Huertas, alias Alcasec, and Daniel Baíllo, alias Kermit, are alleged to have gathered information about the PNJ and how it works and to have created templates imitating its website, with which they managed to impersonate the platform. They then launched phishing campaigns to illegally obtain credentials for accessing the PNJ.

Huertas, 19, was arrested in Madrid last March and released in May after cooperating with the courts by confessing to the facts. Calama considers him the person who "disseminated, disclosed and transferred to third parties" the data obtained through the cyberattack and "combined them with other data obtained illegally from other public administrations and private entities." According to the judge, these acts were carried out for profit and generated "at least" 1,866,175.73 euros.

Baíllo, 29, was arrested in Cartagena (Murcia). He is alleged to have registered the domain cgpj-pnj.com, which was used in the phishing campaign that captured the access credentials of officials at two courts in Bilbao. He operates under the pseudonym "Theskull77" on the two largest Russian-language cybercrime forums in the world, Exploit.in and xss.is, where, according to the court, he specializes in selling access to banking networks and to the information systems of Spanish companies.


In the statement that José Luis Huertas gave before the judge on April 3, he explained that the idea of attacking the PNJ arose when he and his partner (referring to the user "theskull"), while inside the police system, discovered that it had a connection to the PNJ. According to his statement, "Theskull" provided him with the digital certificate of an official of the Directorate-General for Traffic (DGT), and with this identity they managed to access the police web environment and the PNJ. They then created a fake website, "cgpj-pnj.com", which they used to obtain more login credentials and to exfiltrate data from the AEAT "advanced accounts" database.

The third detainee, Juan Carlos Ortega, is accused of purchasing the material obtained in the cyberattack. Between 7:04 p.m. on October 20, 2022 and 4:46 p.m. the following day, he allegedly acquired 30 data packages containing a large amount of personal and banking information on Spanish taxpayers. The judge's order states that this defendant had been illegally obtaining information on Spanish citizens through the USM service, under the digital identity "lonastrump", since at least September 2021.

Through two digital identities on the messaging application Telegram, he manages and coordinates a network of 188 contacts engaged in cybercrime, with whom he is associated in illegal acts. Calama stresses that in 2022 he held cryptocurrency worth 1,237,637 euros or more in eight Bitcoin wallets, despite having no known means of support. In 2022 and 2023 he allegedly acquired various movable and immovable assets; items worth more than 500,000 euros were found at his home, and medium- and high-end jewelry and watches, as well as 2,750 euros in cash, were seized.

During the search of his home in Dos Hermanas (Seville), weapons and ammunition were also seized, including an over-and-under shotgun; a 9mm Parabellum submachine gun with two magazines; a STAR-brand .22-caliber pistol with magazine; 26 rounds of .22-caliber ammunition; and 11 rounds of 7.65mm ammunition. The National Court has deferred to the courts of Dos Hermanas on whether these facts constitute offences of illegal possession of weapons and of depositing military weapons and ammunition.
