Hacker Who Handed Over U.S. Government Data to Islamic State Sentenced to 20 Years in Prison

Ivan David Gomez Arce / CC 2.0

In a groundbreaking moment in the fight for stronger cybersecurity, the United States on Friday sentenced a hacker on charges relating to terrorism for the first time. Ardit Ferizi, a 21-year-old Kosovo citizen, was sentenced by a U.S. judge to 20 years in prison for a 2015 hack that exposed the information of thousands of U.S. government employees.

Wang Wei of The Hacker News reports:

[Ferizi] obtained the data by hacking into the US web hosting company’s servers on June 13, 2015.

Ferizi then filtered out over 1,300 US military and government employees’ information from the stolen data and then handed them over to Junaid Hussain, according to court filings.

The stolen data contains personally identifiable information (PII), which includes names, email addresses, passwords, locations and phone numbers of US military service members and government workers.

The information was then published online by Hussain, a British jihadi reportedly responsible for the creation of the Islamic State Hacking Division. The stolen information was presented as a “hit list.” Hussain, who was killed by a drone strike last year after posting the information obtained by Ferizi, included this message alongside the “hit list”:

We are in your emails and computer systems, watching and recording your every move, we have your names and addresses, we are in your emails and social media accounts, we are extracting confidential data and passing on your personal information to the soldiers of the Khilafah, who soon with the permission of Allah will strike at your necks in your own lands!

Stephen Schwartz of The Weekly Standard

explains the international cooperation that resulted in the capture and conviction of Ferizi. “Ferizi was arrested in Malaysia, where he was studying computer science and hacking assiduously, in September 2015, on a U.S. request,” Schwartz writes. “After his detention, he was handed over to American jurisdiction, and his trial commenced in January. Malaysian authorities assisted the inquiry.”

Online, Schwartz adds, Ferizi went by the name “Th3Dir3ctorY” and apparently tried to blackmail the company in charge of the hacked U.S. database “into paying for its stolen data,” which is “a common hacker practice.”

This is the first time the U.S. has successfully convicted a hacker for terrorist actions, and government officials hope that Ferizi’s two-decade sentence will send a message to other cyberterrorists.

“The 20-year term isn’t as tough as it could have been (Ferizi was facing a maximum of 35 years), but American officials still see it as a warning,” writes Jon Fingas of engadget. “This isn’t going to deter the most committed [Islamic State] hackers (at least not those operating from [Islamic State]-occupied territories), but it may give pause to others who are still considering cyberattacks.”

“This case represents the first time we have seen the very real and dangerous national security cyberthreat that results from the combination of terrorism and hacking,” said John Carlin, assistant attorney general for National Security. “This successful prosecution also sends a message to those around the world that, if you provide material support to designated foreign terrorist organizations and assist them with their deadly attack planning, you will have nowhere to hide. As this case shows, we will reach halfway around the world if necessary to hold accountable those who engage in this type of activity.”

—Posted by Emma Niles